npm - @tinycloud/node-sdk - Versions diffs - 2.3.0-beta.3 → 2.3.0-beta.4 - Mend

@tinycloud/node-sdk 2.3.0-beta.3 → 2.3.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/core.cjs.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/core.ts","../src/storage/MemorySessionStorage.ts","../src/storage/FileSessionStorage.ts","../src/authorization/NodeUserAuthorization.ts","../src/authorization/strategies.ts","../src/TinyCloudNode.ts","../src/DelegatedAccess.ts","../src/keys/WasmKeyProvider.ts","../src/delegateToHelpers.ts","../src/NodeSecretsService.ts","../src/delegation.ts"],"sourcesContent":["/*\n @tinycloud/node-sdk/core\n \n Platform-agnostic entry point for TinyCloud node-sdk.\n \n This entry point excludes Node.js-specific modules that depend on\n * @tinycloud/node-sdk-wasm (PrivateKeySigner, NodeWasmBindings), making it\n * safe to import in browser builds without webpack aliases or shims.\n \n Browser consumers (e.g., @tinycloud/web-sdk) should import from this\n * entry point instead of the root \"@tinycloud/node-sdk\".\n \n @packageDocumentation\n /\n\n// Re-export core values\nexport { TinyCloud } from \"@tinycloud/sdk-core\";\n\n// Re-export core types\nexport type {\n TinyCloudConfig,\n ISigner,\n ISessionStorage,\n IUserAuthorization,\n ClientSession,\n Extension,\n SignInOptions,\n PersistedSessionData,\n TinyCloudSession,\n INotificationHandler,\n IENSResolver,\n IWasmBindings,\n ISessionManager,\n ISpaceCreationHandler,\n SpaceCreationContext,\n CanonicalAddress,\n DidCacheKeyOptions,\n DidEqualsOptions,\n PkhDidParts,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export core values for extensibility\nexport {\n SilentNotificationHandler,\n AutoApproveSpaceCreationHandler,\n defaultSpaceCreationHandler,\n IdentityParseError,\n addressStorageKey,\n canonicalizeAddress,\n canonicalizeDid,\n canonicalizeDidUrl,\n didCacheKey,\n didEquals,\n isEvmAddress,\n makePkhSpaceId,\n parsePkhDid,\n pkhDid,\n principalDid,\n principalDidEquals,\n} from \"@tinycloud/sdk-core\";\n\n// Storage implementations\nexport { MemorySessionStorage } from \"./storage/MemorySessionStorage\";\nexport { FileSessionStorage } from \"./storage/FileSessionStorage\";\n\n// Authorization\nexport {\n NodeUserAuthorization,\n NodeUserAuthorizationConfig,\n} from \"./authorization/NodeUserAuthorization\";\n\n// Sign strategies — value exports\nexport { defaultSignStrategy } from \"./authorization/strategies\";\n\n// Sign strategies — type exports (re-exported from sdk-core + Node.js-specific types)\nexport type {\n SignRequest,\n SignResponse,\n SignCallback,\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n NodeEventEmitterStrategy,\n SignStrategy,\n} from \"./authorization/strategies\";\n\n// High-level API\nexport {\n TinyCloudNode,\n type TinyCloudNodeConfig,\n type DelegateToOptions,\n type DelegateToResult,\n type RuntimePermissionGrantOptions,\n} from \"./TinyCloudNode\";\n\n// Capability-chain primitives (spec: .claude/specs/capability-chain.md).\n// Re-exported here so TinyCloudWeb and other consumers can pass\n// `PermissionEntry[]` to `delegateTo` and catch the error classes without\n// also importing from `@tinycloud/sdk-core`.\nexport {\n type PermissionEntry,\n type Manifest,\n type ManifestDefaults,\n type ManifestSecretActions,\n type ComposeManifestOptions,\n type ComposedManifestRequest,\n type ManifestRegistryRecord,\n type ResolvedCapabilities,\n type ResolvedDelegate,\n type ResourceCapability,\n type SpaceAbilitiesMap,\n ACCOUNT_REGISTRY_PATH,\n ACCOUNT_REGISTRY_SPACE,\n DEFAULT_MANIFEST_SPACE,\n DEFAULT_MANIFEST_VERSION,\n VAULT_PERMISSION_SERVICE,\n PermissionNotInManifestError,\n SessionExpiredError,\n ManifestValidationError,\n composeManifestRequest,\n resolveManifest,\n validateManifest,\n loadManifest,\n isCapabilitySubset,\n expandActionShortNames,\n expandPermissionEntries,\n expandPermissionEntry,\n parseExpiry,\n resourceCapabilitiesToSpaceAbilitiesMap,\n} from \"@tinycloud/sdk-core\";\n\n// Delegation\nexport { DelegatedAccess } from \"./DelegatedAccess\";\nexport {\n serializeDelegation,\n deserializeDelegation,\n} from \"./delegation\";\nexport type { PortableDelegation } from \"./delegation\";\n\n// Re-export KV service values\nexport {\n DEFAULT_SIGNED_READ_URL_EXPIRY_MS,\n KVService,\n PrefixedKVService,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export KV service types\nexport type {\n IKVService,\n KVServiceConfig,\n KVCreateSignedReadUrlOptions,\n KVResponse,\n KVSignedReadUrlResponse,\n IPrefixedKVService,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SQL service values\nexport { SQLService, SQLAction, DatabaseHandle } from \"@tinycloud/sdk-core\";\n\n// Re-export SQL service types\nexport type {\n ISQLService,\n IDatabaseHandle,\n SQLServiceConfig,\n SqlValue,\n SqlStatement,\n QueryOptions,\n ExecuteOptions,\n BatchOptions,\n QueryResponse,\n ExecuteResponse,\n BatchResponse,\n SQLActionType,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export DuckDB service values\nexport { DuckDbService, DuckDbDatabaseHandle, DuckDbAction } from \"@tinycloud/sdk-core\";\n\n// Re-export DuckDB service types\nexport type {\n IDuckDbService,\n IDuckDbDatabaseHandle,\n DuckDbServiceConfig,\n DuckDbQueryOptions,\n DuckDbExecuteOptions,\n DuckDbBatchOptions,\n DuckDbOptions,\n DuckDbValue,\n DuckDbStatement,\n DuckDbQueryResponse,\n DuckDbExecuteResponse,\n DuckDbBatchResponse,\n DuckDbActionType,\n SchemaInfo,\n TableInfo,\n ColumnInfo,\n ViewInfo,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export Vault and Secrets service values\nexport {\n DataVaultService,\n VaultHeaders,\n VaultPublicSpaceKVActions,\n createVaultCrypto,\n SecretsService,\n SECRET_NAME_RE,\n canonicalizeSecretScope,\n resolveSecretListPrefix,\n resolveSecretPath,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export Vault and Secrets service types\nexport type {\n IDataVaultService,\n VaultCrypto,\n WasmVaultFunctions,\n DataVaultConfig,\n VaultPutOptions,\n VaultGetOptions,\n VaultListOptions,\n VaultGrantOptions,\n VaultEntry,\n VaultError,\n ISecretsService,\n SecretPayload,\n SecretsError,\n ResolvedSecretPath,\n SecretScopeOptions,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export v2 Delegation service values\nexport {\n DelegationManager,\n SharingService,\n createSharingService,\n DelegationErrorCodes,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export v2 Delegation types\nexport type {\n DelegationManagerConfig,\n ISharingService,\n SharingServiceConfig,\n EncodedShareData,\n ReceiveOptions,\n ShareAccess,\n Delegation,\n CreateDelegationParams,\n DelegationResult,\n DelegationError,\n DelegationErrorCode,\n JWK,\n KeyType,\n KeyInfo,\n CapabilityEntry,\n DelegationRecord,\n SpaceOwnership,\n SpaceInfo,\n ShareSchema,\n ShareLink,\n ShareLinkData,\n IngestOptions,\n GenerateShareParams,\n DelegationChain,\n DelegationChainV2,\n DelegationDirection,\n DelegationFilters,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export CapabilityKeyRegistry values (v2)\nexport {\n CapabilityKeyRegistry,\n createCapabilityKeyRegistry,\n CapabilityKeyRegistryErrorCodes,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export CapabilityKeyRegistry types (v2)\nexport type {\n ICapabilityKeyRegistry,\n StoredDelegationChain,\n CapabilityKeyRegistryErrorCode,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SpaceService values (v2)\nexport {\n SpaceService,\n SpaceErrorCodes,\n createSpaceService,\n parseSpaceUri,\n buildSpaceUri,\n makePublicSpaceId,\n Space,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SpaceService types (v2)\nexport type {\n ISpaceService,\n SpaceServiceConfig,\n SpaceErrorCode,\n ISpace,\n SpaceConfig,\n ISpaceScopedDelegations,\n ISpaceScopedSharing,\n} from \"@tinycloud/sdk-core\";\n\n// Protocol version checking\nexport {\n ProtocolMismatchError,\n VersionCheckError,\n UnsupportedFeatureError,\n checkNodeInfo,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export ServiceContext value for advanced usage\nexport { ServiceContext } from \"@tinycloud/sdk-core\";\n\n// Re-export ServiceContext types for advanced usage\nexport type {\n ServiceContextConfig,\n ServiceSession,\n InvokeFunction,\n FetchFunction,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export KeyProvider interface from sdk-core\nexport type { KeyProvider } from \"@tinycloud/sdk-core\";\n\n// Key management for node-sdk\nexport {\n WasmKeyProvider,\n WasmKeyProviderConfig,\n createWasmKeyProvider,\n} from \"./keys/WasmKeyProvider\";\n","import { ISessionStorage, PersistedSessionData } from \"@tinycloud/sdk-core\";\n\n/\n In-memory session storage for Node.js.\n \n Sessions are stored in memory and lost when the process exits.\n * Suitable for:\n * - Development and testing\n * - Stateless server deployments\n * - Short-lived processes\n \n @example\n * ```typescript\n * const storage = new MemorySessionStorage();\n * await storage.save(\"0x123...\", sessionData);\n * const session = await storage.load(\"0x123...\");\n * ```\n /\nexport class MemorySessionStorage implements ISessionStorage {\n private sessions: Map<string, PersistedSessionData> = new Map();\n\n /\n Save a session for an address.\n /\n async save(address: string, session: PersistedSessionData): Promise<void> {\n const normalizedAddress = address.toLowerCase();\n this.sessions.set(normalizedAddress, session);\n }\n\n /\n Load a session for an address.\n /\n async load(address: string): Promise<PersistedSessionData \| null> {\n const normalizedAddress = address.toLowerCase();\n const session = this.sessions.get(normalizedAddress);\n\n if (!session) {\n return null;\n }\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n this.sessions.delete(normalizedAddress);\n return null;\n }\n\n return session;\n }\n\n /\n Clear a session for an address.\n /\n async clear(address: string): Promise<void> {\n const normalizedAddress = address.toLowerCase();\n this.sessions.delete(normalizedAddress);\n }\n\n /\n Check if a session exists for an address.\n /\n exists(address: string): boolean {\n const normalizedAddress = address.toLowerCase();\n const session = this.sessions.get(normalizedAddress);\n\n if (!session) {\n return false;\n }\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n this.sessions.delete(normalizedAddress);\n return false;\n }\n\n return true;\n }\n\n /\n Memory storage is always available.\n /\n isAvailable(): boolean {\n return true;\n }\n\n /\n Clear all sessions.\n /\n clearAll(): void {\n this.sessions.clear();\n }\n\n /\n Get the number of stored sessions.\n /\n size(): number {\n return this.sessions.size;\n }\n}\n","import { ISessionStorage, PersistedSessionData, validatePersistedSessionData } from \"@tinycloud/sdk-core\";\nimport { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync } from \"fs\";\nimport { dirname, join } from \"path\";\n\n/\n File-based session storage for Node.js.\n \n Sessions are persisted to the file system and survive process restarts.\n * Suitable for:\n * - CLI applications\n * - Long-running server processes\n * - Development environments\n \n @example\n * ```typescript\n * const storage = new FileSessionStorage(\"/tmp/tinycloud-sessions\");\n * await storage.save(\"0x123...\", sessionData);\n * // Session persists across process restarts\n * ```\n /\nexport class FileSessionStorage implements ISessionStorage {\n private readonly baseDir: string;\n\n /\n Create a new FileSessionStorage.\n \n @param baseDir - Directory to store session files (default: ~/.tinycloud/sessions)\n /\n constructor(baseDir?: string) {\n this.baseDir = baseDir \|\| this.getDefaultDir();\n this.ensureDirectoryExists();\n }\n\n /\n Get the default session storage directory.\n /\n private getDefaultDir(): string {\n const home = process.env.HOME \|\| process.env.USERPROFILE \|\| \"/tmp\";\n return join(home, \".tinycloud\", \"sessions\");\n }\n\n /\n Ensure the storage directory exists.\n /\n private ensureDirectoryExists(): void {\n if (!existsSync(this.baseDir)) {\n mkdirSync(this.baseDir, { recursive: true });\n }\n }\n\n /\n Get the file path for an address.\n /\n private getFilePath(address: string): string {\n const normalizedAddress = address.toLowerCase();\n // Use a hash of the address to avoid filesystem issues\n const filename = `${normalizedAddress.replace(\"0x\", \"\")}.json`;\n return join(this.baseDir, filename);\n }\n\n /\n Save a session for an address.\n /\n async save(address: string, session: PersistedSessionData): Promise<void> {\n const filePath = this.getFilePath(address);\n const data = JSON.stringify(session, null, 2);\n writeFileSync(filePath, data, \"utf-8\");\n }\n\n /\n Load a session for an address.\n /\n async load(address: string): Promise<PersistedSessionData \| null> {\n const filePath = this.getFilePath(address);\n\n if (!existsSync(filePath)) {\n return null;\n }\n\n try {\n const data = readFileSync(filePath, \"utf-8\");\n const parsed = JSON.parse(data);\n\n // Validate loaded data against schema\n const validation = validatePersistedSessionData(parsed);\n if (!validation.ok) {\n console.warn(`Invalid session data for ${address}:`, validation.error.message);\n // Clean up invalid session\n unlinkSync(filePath);\n return null;\n }\n\n const session = validation.data;\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n // Clean up expired session\n unlinkSync(filePath);\n return null;\n }\n\n return session;\n } catch (error) {\n // Invalid JSON or read error - remove the file\n try {\n unlinkSync(filePath);\n } catch {\n // Ignore cleanup errors\n }\n return null;\n }\n }\n\n /\n Clear a session for an address.\n /\n async clear(address: string): Promise<void> {\n const filePath = this.getFilePath(address);\n if (existsSync(filePath)) {\n unlinkSync(filePath);\n }\n }\n\n /\n Check if a session exists for an address.\n /\n exists(address: string): boolean {\n const filePath = this.getFilePath(address);\n if (!existsSync(filePath)) {\n return false;\n }\n\n try {\n const data = readFileSync(filePath, \"utf-8\");\n const session: PersistedSessionData = JSON.parse(data);\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n // Clean up expired session\n unlinkSync(filePath);\n return false;\n }\n\n return true;\n } catch {\n return false;\n }\n }\n\n /\n Check if file system storage is available.\n /\n isAvailable(): boolean {\n try {\n this.ensureDirectoryExists();\n return existsSync(this.baseDir);\n } catch {\n return false;\n }\n }\n}\n","import { EventEmitter } from \"events\";\nimport {\n IUserAuthorization,\n ISigner,\n ISessionStorage,\n ClientSession,\n Extension,\n PersistedSessionData,\n TinyCloudSession,\n SiweConfig,\n SignInOptions,\n fetchPeerId,\n submitHostDelegation,\n activateSessionWithHost,\n checkNodeInfo,\n ISpaceCreationHandler,\n AutoApproveSpaceCreationHandler,\n IWasmBindings,\n ISessionManager,\n Manifest,\n ComposedManifestRequest,\n AbilitiesMap,\n DEFAULT_MANIFEST_SPACE,\n ENCRYPTION_PERMISSION_SERVICE,\n composeManifestRequest,\n resourceCapabilitiesToAbilitiesMap,\n resourceCapabilitiesToSpaceAbilitiesMap,\n resolveTinyCloudHosts,\n EXPIRY,\n canonicalizeAddress,\n makePkhSpaceId,\n pkhDid,\n} from \"@tinycloud/sdk-core\";\nimport {\n SignStrategy,\n SignRequest,\n SignResponse,\n defaultSignStrategy,\n} from \"./strategies\";\nimport { MemorySessionStorage } from \"../storage/MemorySessionStorage\";\n\n/\n Configuration for NodeUserAuthorization.\n /\nexport interface NodeUserAuthorizationConfig {\n /* The signer used for signing messages /\n signer: ISigner;\n /* Sign strategy for handling sign requests /\n signStrategy?: SignStrategy;\n /* Session storage implementation /\n sessionStorage?: ISessionStorage;\n /* Domain for SIWE messages /\n domain: string;\n /* URI for SIWE messages (default: domain) /\n uri?: string;\n /* Statement included in SIWE messages /\n statement?: string;\n /* Space prefix for new sessions /\n spacePrefix?: string;\n /* Default actions for sessions /\n defaultActions?: Record<string, Record<string, string[]>>;\n /* Session expiration time in milliseconds (default: 1 hour) /\n sessionExpirationMs?: number;\n /* Automatically create space if it doesn't exist (default: false) /\n autoCreateSpace?: boolean;\n /* Custom space creation handler. If provided, takes precedence over autoCreateSpace. /\n spaceCreationHandler?: ISpaceCreationHandler;\n /* Explicit TinyCloud server endpoints. When omitted, signIn resolves the user's host. /\n tinycloudHosts?: string[];\n /* TinyCloud location registry URL. Default: https://registry.tinycloud.xyz. /\n tinycloudRegistryUrl?: string \| null;\n /* Fallback TinyCloud hosts. Default: hosted TinyCloud node. /\n tinycloudFallbackHosts?: string[] \| null;\n /* Whether to include public space capabilities in the session (default: true) /\n enablePublicSpace?: boolean;\n /* WASM bindings for cryptographic operations. Required. /\n wasmBindings: IWasmBindings;\n /\n SIWE nonce override. If omitted, the WASM layer generates a random nonce.\n * If `siweConfig.nonce` is also provided, `siweConfig.nonce` wins.\n /\n nonce?: string;\n /* Optional SIWE configuration overrides (e.g., nonce for server-provided nonces) /\n siweConfig?: SiweConfig;\n /\n App manifest used to drive the SIWE recap at sign-in.\n \n When set, `signIn` resolves the manifest (via\n * {@link resolveManifest}), unions the app's own permissions with\n * every `delegations[].permissions` list, converts to the WASM\n abilities shape, and uses that map as the session's granted\n * capabilities — instead of `defaultActions`.\n \n This is what makes manifest-declared pre-delegations usable: the\n * session key's recap covers both the app's runtime needs and the\n * downstream delegation targets, so `delegateTo` can issue the\n * sub-delegation via the session-key UCAN path without a wallet\n * prompt.\n \n When omitted, `signIn` falls back to `defaultActions` for\n * backwards compatibility.\n /\n manifest?: Manifest \| Manifest[];\n /* Pre-composed manifest request. Takes precedence over `manifest`. /\n capabilityRequest?: ComposedManifestRequest;\n /* Include implicit account registry permissions when composing `manifest`. Default true. /\n includeAccountRegistryPermissions?: boolean;\n}\n\n/\n Node.js implementation of IUserAuthorization.\n \n Supports multiple sign strategies for different use cases:\n * - auto-sign: Automatically approve all sign requests (trusted backends)\n * - auto-reject: Reject all sign requests (read-only mode)\n * - callback: Delegate to a custom callback function (CLI prompts)\n * - event-emitter: Emit sign requests as events (async workflows)\n \n @example\n * ```typescript\n * // Auto-sign for backend services\n * const auth = new NodeUserAuthorization({\n * signer: new PrivateKeySigner(process.env.PRIVATE_KEY),\n * signStrategy: { type: 'auto-sign' },\n * domain: 'api.myapp.com',\n * });\n \n // Callback for CLI prompts\n * const auth = new NodeUserAuthorization({\n * signer,\n * signStrategy: {\n * type: 'callback',\n * handler: async (req) => {\n * const approved = await promptUser(`Sign for ${req.address}?`);\n * return { approved };\n * }\n * },\n * domain: 'cli.myapp.com',\n * });\n * ```\n /\nexport class NodeUserAuthorization implements IUserAuthorization {\n private readonly signer: ISigner;\n private readonly signStrategy: SignStrategy;\n private readonly sessionStorage: ISessionStorage;\n private readonly domain: string;\n private readonly uri: string;\n private readonly statement?: string;\n private readonly spacePrefix: string;\n private readonly defaultActions: Record<string, Record<string, string[]>>;\n private readonly sessionExpirationMs: number;\n private readonly autoCreateSpace: boolean;\n private readonly spaceCreationHandler?: ISpaceCreationHandler;\n private tinycloudHosts?: string[];\n private readonly tinycloudRegistryUrl?: string \| null;\n private readonly tinycloudFallbackHosts?: string[] \| null;\n private readonly enablePublicSpace: boolean;\n private readonly nonce?: string;\n private readonly siweConfig?: SiweConfig;\n private readonly wasm: IWasmBindings;\n /\n Stored manifest, if one was provided at construction time. Used by\n * {@link signIn} to derive the session's granted capabilities instead\n * of falling back to {@link defaultActions}.\n /\n private _manifest?: Manifest \| Manifest[];\n private _capabilityRequest?: ComposedManifestRequest;\n private readonly includeAccountRegistryPermissions: boolean;\n\n private sessionManager: ISessionManager;\n private extensions: Extension[] = [];\n private _session?: ClientSession;\n private _tinyCloudSession?: TinyCloudSession;\n private _address?: string;\n private _chainId?: number;\n private _nodeFeatures: string[] = [];\n\n constructor(config: NodeUserAuthorizationConfig) {\n this.wasm = config.wasmBindings;\n\n this.signer = config.signer;\n this.signStrategy = config.signStrategy ?? defaultSignStrategy;\n this.sessionStorage = config.sessionStorage ?? new MemorySessionStorage();\n this.domain = config.domain;\n this.uri = config.uri ?? `https://${config.domain}`;\n this.statement = config.statement;\n this.spacePrefix = config.spacePrefix ?? \"default\";\n this.defaultActions = config.defaultActions ?? {\n kv: {\n \"\": [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ],\n },\n sql: {\n \"\": [\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/export\",\n ],\n },\n duckdb: {\n \"\": [\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/execute\",\n ],\n },\n capabilities: {\n \"\": [\"tinycloud.capabilities/read\"],\n },\n hooks: {\n \"\": [\n \"tinycloud.hooks/subscribe\",\n \"tinycloud.hooks/register\",\n \"tinycloud.hooks/list\",\n \"tinycloud.hooks/unregister\",\n ],\n },\n };\n this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;\n this.autoCreateSpace = config.autoCreateSpace ?? false;\n this.spaceCreationHandler = config.spaceCreationHandler;\n this.tinycloudHosts = config.tinycloudHosts;\n this.tinycloudRegistryUrl = config.tinycloudRegistryUrl;\n this.tinycloudFallbackHosts = config.tinycloudFallbackHosts;\n this.enablePublicSpace = config.enablePublicSpace ?? true;\n this.nonce = config.nonce;\n this.siweConfig = config.siweConfig;\n this.includeAccountRegistryPermissions =\n config.includeAccountRegistryPermissions ?? true;\n this._manifest = config.manifest;\n this._capabilityRequest = config.capabilityRequest;\n\n // Initialize session manager via WASM bindings\n this.sessionManager = this.wasm.createSessionManager();\n }\n\n /\n Return the manifest currently driving sign-in behavior, or\n * `undefined` if none is set. Used by TinyCloudWeb/TinyCloudNode\n * internals to surface the manifest for requestPermissions flows\n * without forcing the caller to track it separately.\n /\n get manifest(): Manifest \| Manifest[] \| undefined {\n return this._manifest;\n }\n\n get capabilityRequest(): ComposedManifestRequest \| undefined {\n return this.getCapabilityRequest();\n }\n\n get hosts(): string[] {\n return this.tinycloudHosts ? [...this.tinycloudHosts] : [];\n }\n\n /\n Install or replace the stored manifest. Takes effect on the next\n * `signIn()` call — the current session (if any) is not touched.\n /\n setManifest(manifest: Manifest \| Manifest[] \| undefined): void {\n this._manifest = manifest;\n this._capabilityRequest = undefined;\n }\n\n setCapabilityRequest(request: ComposedManifestRequest \| undefined): void {\n this._capabilityRequest = request;\n }\n\n /\n The current active session (web-core compatible).\n /\n get session(): ClientSession \| undefined {\n return this._session;\n }\n\n /\n The current TinyCloud session with full delegation data.\n * Includes spaceId, delegationHeader, and delegationCid.\n /\n get tinyCloudSession(): TinyCloudSession \| undefined {\n return this._tinyCloudSession;\n }\n\n /\n Rehydrate the auth-layer session from previously-persisted delegation\n * data. Used by {@link TinyCloudNode.restoreSession} so that downstream\n * surfaces that read from `tinyCloudSession` (notably\n * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work\n * without re-running the full sign-in flow.\n \n Caller must supply the same fields that `signIn` would have written —\n * `siwe` is the load-bearing one because `extractSiweExpiration` returns\n * undefined for missing SIWEs and the SDK then treats the session as\n * expired-at-epoch-zero.\n /\n setRestoredTinyCloudSession(session: TinyCloudSession): void {\n const address = canonicalizeAddress(session.address);\n this._tinyCloudSession = { ...session, address };\n this._address = address;\n this._chainId = session.chainId;\n }\n\n private async resolveTinyCloudHostsForSignIn(\n address: string,\n chainId: number,\n ): Promise<void> {\n if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {\n return;\n }\n\n const subject = pkhDid(address, chainId);\n const resolved = await resolveTinyCloudHosts(subject, {\n registryUrl: this.tinycloudRegistryUrl,\n fallbackHosts: this.tinycloudFallbackHosts,\n });\n this.tinycloudHosts = resolved.hosts;\n }\n\n private requireTinyCloudHosts(): string[] {\n if (!this.tinycloudHosts \|\| this.tinycloudHosts.length === 0) {\n throw new Error(\"TinyCloud hosts have not been resolved. Call signIn() first.\");\n }\n return this.tinycloudHosts;\n }\n\n private get primaryTinyCloudHost(): string {\n return this.requireTinyCloudHosts()[0];\n }\n\n get nodeFeatures(): string[] {\n return this._nodeFeatures;\n }\n\n /\n Compute the `abilities` map the WASM `prepareSession` call should\n * see at sign-in time.\n \n When a manifest is installed, we resolve it and union together:\n * - the app's own `resources` (what it needs at runtime)\n * - every `additionalDelegates[].permissions` list (what it will\n re-delegate to other DIDs post sign-in)\n \n into the short-service / path / full-URN-actions shape the WASM\n * layer expects. This is the key invariant that lets\n * {@link TinyCloudNode.delegateTo} issue manifest-declared\n * delegations via the session key (no wallet prompt): the session's\n * own recap already covers every action those delegations need.\n \n When no manifest is installed, we fall back to the\n * {@link defaultActions} table so existing callers see no change.\n \n This is a pure function of `this._manifest` + `this.defaultActions`\n * — the manifest resolution performs no I/O and throws a\n * {@link ManifestValidationError} on structural problems (missing\n * id/name, unparseable expiry, etc), which will surface at sign-in\n * rather than being silently swallowed.\n \n @internal\n /\n private getCapabilityRequest(): ComposedManifestRequest \| undefined {\n if (this._capabilityRequest !== undefined) {\n return this._capabilityRequest;\n }\n if (this._manifest === undefined) {\n return undefined;\n }\n this._capabilityRequest = composeManifestRequest(\n Array.isArray(this._manifest) ? this._manifest : [this._manifest],\n {\n includeAccountRegistryPermissions:\n this.includeAccountRegistryPermissions,\n }\n );\n return this._capabilityRequest;\n }\n\n private resolveSpaceName(space: string, address: string, chainId: number): string {\n if (space.startsWith(\"tinycloud:\")) {\n return space;\n }\n return makePkhSpaceId(address, chainId, space);\n }\n\n private defaultEncryptionNetworkId(address: string, chainId: number): string {\n return `urn:tinycloud:encryption:${pkhDid(address, chainId)}:default`;\n }\n\n private resolveSignInCapabilities(\n address: string,\n chainId: number,\n ): {\n abilities: AbilitiesMap;\n spaceId: string;\n spaceAbilities?: Record<string, AbilitiesMap>;\n rawAbilities?: Record<string, string[]>;\n } {\n const request = this.getCapabilityRequest();\n if (request === undefined) {\n const defaultNetworkId = this.defaultEncryptionNetworkId(address, chainId);\n const secretsSpaceId = makePkhSpaceId(address, chainId, \"secrets\");\n return {\n abilities: this.defaultActions,\n spaceId: makePkhSpaceId(address, chainId, this.spacePrefix),\n spaceAbilities: {\n [secretsSpaceId]: {\n kv: {\n \"vault/secrets/\": [\n \"tinycloud.kv/get\",\n \"tinycloud.kv/put\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ],\n },\n },\n },\n rawAbilities: {\n [defaultNetworkId]: [\n \"tinycloud.encryption/decrypt\",\n \"tinycloud.encryption/network.create\",\n ],\n },\n };\n }\n\n const rawAbilities: Record<string, string[]> = {};\n const spaceResources = request.resources.filter((entry) => {\n if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {\n return true;\n }\n const existing = rawAbilities[entry.path];\n if (existing === undefined) {\n rawAbilities[entry.path] = [...entry.actions];\n } else {\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n }\n return false;\n });\n\n const primarySpaceName =\n spaceResources.find((entry) => entry.space !== \"account\")?.space ??\n DEFAULT_MANIFEST_SPACE;\n const primarySpaceId = this.resolveSpaceName(\n primarySpaceName,\n address,\n chainId,\n );\n\n const bySpace = resourceCapabilitiesToSpaceAbilitiesMap(spaceResources);\n const spaceAbilities: Record<string, AbilitiesMap> = {};\n for (const [space, abilities] of Object.entries(bySpace)) {\n spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;\n }\n\n return {\n abilities:\n spaceAbilities[primarySpaceId] ??\n resourceCapabilitiesToAbilitiesMap([]),\n spaceId: primarySpaceId,\n spaceAbilities,\n rawAbilities:\n Object.keys(rawAbilities).length > 0 ? rawAbilities : undefined,\n };\n }\n\n /\n Build SIWE overrides from the top-level nonce and siweConfig.\n * - Top-level `nonce` is seeded first so `siweConfig.nonce` wins if both are set.\n * - statement is prepended to the default statement\n * - resources are appended to the default resources\n * - uri triggers a warning (overwriting delegation target)\n * - all other fields override directly\n * - per-call nonce overrides siweConfig.nonce when provided\n /\n private buildSiweOverrides(options?: SignInOptions): Record<string, unknown> {\n const base: Record<string, unknown> = { uri: this.uri };\n if (this.nonce !== undefined) {\n base.nonce = this.nonce;\n }\n\n if (!this.siweConfig && !options?.nonce) {\n return base;\n }\n\n const { statement, resources, uri, ...rest } = this.siweConfig ?? {};\n const overrides: Record<string, unknown> = { ...base, ...rest };\n\n if (statement) {\n overrides.statement = this.statement\n ? `${statement} ${this.statement}`\n : statement;\n }\n\n if (resources && resources.length > 0) {\n overrides.resources = resources;\n }\n\n if (uri) {\n console.warn(\n \"[tinycloud] siweConfig.uri is overwriting the delegation target URI. \" +\n \"This may break delegation chain validation if the URI does not match the session key DID.\",\n );\n overrides.uri = uri;\n }\n\n if (options?.nonce) {\n overrides.nonce = options.nonce;\n }\n\n return overrides;\n }\n\n /\n Add an extension to the authorization flow.\n /\n extend(extension: Extension): void {\n this.extensions.push(extension);\n }\n\n /\n Get the space ID for the current session.\n /\n getSpaceId(): string \| undefined {\n return this._tinyCloudSession?.spaceId;\n }\n\n /\n Create the space on the TinyCloud server (host delegation).\n * This registers the user as the owner of the space.\n /\n private async hostSpace(targetSpaceId?: string): Promise<boolean> {\n if (!this._tinyCloudSession \|\| !this._address \|\| !this._chainId) {\n throw new Error(\"Must be signed in to host space\");\n }\n\n const host = this.primaryTinyCloudHost;\n const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;\n\n // Get peer ID from TinyCloud server\n const peerId = await fetchPeerId(host, spaceId);\n\n // Generate host SIWE message\n const siwe = this.wasm.generateHostSIWEMessage({\n address: this._address,\n chainId: this._chainId,\n domain: this.domain,\n issuedAt: new Date().toISOString(),\n spaceId,\n peerId,\n });\n\n // Sign the message\n const signature = await this.signMessage(siwe);\n\n // Convert to delegation headers and submit\n const headers = this.wasm.siweToDelegationHeaders({ siwe, signature });\n const result = await submitHostDelegation(host, headers);\n\n return result.success;\n }\n\n /\n Create a specific space on the server via host delegation.\n * Used for lazy creation of additional spaces (e.g., public).\n /\n async hostPublicSpace(spaceId: string): Promise<boolean> {\n return this.hostSpace(spaceId);\n }\n\n /\n Create a specific owned space on the server via host delegation.\n * Used by manifest registry setup for the account space.\n /\n async hostOwnedSpace(spaceId: string): Promise<boolean> {\n return this.hostSpace(spaceId);\n }\n\n /\n Ensure the user's space exists on the TinyCloud server.\n * Creates the space if it doesn't exist and autoCreateSpace is enabled.\n * If autoCreateSpace is false and space doesn't exist, silently returns\n * (user may be using delegations to access other spaces).\n \n @throws Error if space creation fails\n /\n async ensureSpaceExists(): Promise<void> {\n if (!this._tinyCloudSession) {\n throw new Error(\"Must be signed in to ensure space exists\");\n }\n\n const host = this.primaryTinyCloudHost;\n const primarySpaceId = this._tinyCloudSession.spaceId;\n\n // Try to activate the session\n const result = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n // Determine the effective space creation handler:\n // 1. Explicit spaceCreationHandler takes precedence\n // 2. autoCreateSpace: true uses AutoApproveSpaceCreationHandler\n // 3. Otherwise, no handler (space creation skipped silently)\n const handler: ISpaceCreationHandler \| undefined =\n this.spaceCreationHandler ??\n (this.autoCreateSpace\n ? new AutoApproveSpaceCreationHandler()\n : undefined);\n\n const creationContext = {\n spaceId: primarySpaceId,\n address: this._address!,\n chainId: this._chainId!,\n host,\n };\n\n if (result.success) {\n // Check if primary space was actually activated or just skipped\n const primarySkipped = result.skipped?.includes(primarySpaceId);\n\n if (!primarySkipped) {\n // Primary space exists and session is activated\n return;\n }\n\n // Primary space was skipped (doesn't exist yet)\n if (!handler) {\n return;\n }\n\n const confirmed = await handler.confirmSpaceCreation(creationContext);\n if (!confirmed) {\n return;\n }\n\n // Create the primary space\n try {\n const created = await this.hostSpace();\n if (!created) {\n const err = new Error(`Failed to create space: ${primarySpaceId}`);\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n } catch (error) {\n handler.onSpaceCreationFailed?.(\n creationContext,\n error instanceof Error ? error : new Error(String(error)),\n );\n throw error;\n }\n\n // Small delay to allow space creation to propagate\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n // Retry activation\n const retryResult = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n if (!retryResult.success) {\n const err = new Error(\n `Failed to activate session after creating space: ${retryResult.error}`,\n );\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n\n handler.onSpaceCreated?.(creationContext);\n return;\n }\n\n // Handle 404 (backwards compat with older servers)\n if (result.status === 404) {\n if (!handler) {\n return;\n }\n\n const confirmed = await handler.confirmSpaceCreation(creationContext);\n if (!confirmed) {\n return;\n }\n\n try {\n const created = await this.hostSpace();\n if (!created) {\n const err = new Error(`Failed to create space: ${primarySpaceId}`);\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n } catch (error) {\n handler.onSpaceCreationFailed?.(\n creationContext,\n error instanceof Error ? error : new Error(String(error)),\n );\n throw error;\n }\n\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n const retryResult = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n if (!retryResult.success) {\n const err = new Error(\n `Failed to activate session after creating space: ${retryResult.error}`,\n );\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n\n handler.onSpaceCreated?.(creationContext);\n return;\n }\n\n throw new Error(`Failed to activate session: ${result.error}`);\n }\n\n /\n Sign in and create a new session.\n \n This follows the correct SIWE-ReCap flow:\n * 1. Create session key and get JWK\n * 2. Call prepareSession() which generates the SIWE with ReCap capabilities\n * 3. Sign the SIWE string from prepareSession\n * 4. Call completeSessionSetup() with the prepared session + signature\n \n @param options - Optional per-call SIWE overrides for this sign-in only\n /\n async signIn(options?: SignInOptions): Promise<ClientSession> {\n // Get signer address and chain ID\n this._address = canonicalizeAddress(await this.signer.getAddress());\n this._chainId = await this.signer.getChainId();\n\n const address = this._address;\n const chainId = this._chainId;\n\n await this.resolveTinyCloudHostsForSignIn(address, chainId);\n\n // Create a session key\n const keyId = `session-${Date.now()}`;\n this.sessionManager.renameSessionKeyId(\"default\", keyId);\n\n // Get JWK for session key\n const jwkString = this.sessionManager.jwk(keyId);\n if (!jwkString) {\n throw new Error(\"Failed to create session key\");\n }\n const jwk = JSON.parse(jwkString);\n\n const capabilityPlan = this.resolveSignInCapabilities(address, chainId);\n const spaceId = capabilityPlan.spaceId;\n\n const now = new Date();\n const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);\n\n // Prepare session - this creates the SIWE message with ReCap capabilities.\n //\n // When a manifest is installed, `resolveSignInAbilities()` returns\n // the union of app permissions + every manifest-declared\n // delegation's permissions in the shape `prepareSession` accepts.\n // Otherwise it returns `defaultActions` unchanged (legacy path).\n const prepared = this.wasm.prepareSession({\n abilities: capabilityPlan.abilities,\n ...(capabilityPlan.spaceAbilities !== undefined\n ? { spaceAbilities: capabilityPlan.spaceAbilities }\n : {}),\n ...(capabilityPlan.rawAbilities !== undefined\n ? { rawAbilities: capabilityPlan.rawAbilities }\n : {}),\n address,\n chainId,\n domain: this.domain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId,\n jwk,\n ...this.buildSiweOverrides(options),\n });\n\n // Sign the SIWE message from prepareSession (NOT a separately generated SIWE)\n const signature = await this.requestSignature({\n address,\n chainId,\n message: prepared.siwe,\n type: \"siwe\",\n });\n\n // Complete session setup with the prepared session + signature\n const session = this.wasm.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Create client session (web-core compatible)\n const clientSession: ClientSession = {\n address,\n walletAddress: address,\n chainId,\n sessionKey: keyId,\n siwe: prepared.siwe,\n signature,\n };\n\n // Compute additional spaces as metadata (not in the delegation itself).\n // The public space delegation is created lazily via ensurePublicSpace(),\n // not at signIn time, to avoid creating spaces the user may never use.\n const spacesMetadata: Record<string, string> \| undefined = this\n .enablePublicSpace\n ? { public: makePkhSpaceId(address, chainId, \"public\") }\n : undefined;\n\n // Create TinyCloud session with full delegation data\n // Use sessionManager.getDID(keyId) for verificationMethod to get properly formatted DID URL\n // The prepared.verificationMethod from Rust WASM has a bug that doubles the DID fragment\n const tinyCloudSession: TinyCloudSession = {\n address,\n chainId,\n sessionKey: keyId,\n spaceId,\n spaces: spacesMetadata,\n delegationCid: session.delegationCid,\n delegationHeader: session.delegationHeader,\n verificationMethod: this.sessionManager.getDID(keyId),\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Persist session with TinyCloud-specific data\n const persistedData: PersistedSessionData = {\n address,\n chainId,\n sessionKey: JSON.stringify(jwk),\n siwe: prepared.siwe,\n signature,\n tinycloudSession: {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId,\n spaces: spacesMetadata,\n verificationMethod: this.sessionManager.getDID(keyId),\n },\n expiresAt: expirationTime.toISOString(),\n createdAt: now.toISOString(),\n version: \"1.0\",\n };\n await this.sessionStorage.save(address, persistedData);\n\n // Set current session\n this._session = clientSession;\n this._tinyCloudSession = tinyCloudSession;\n this._address = address;\n this._chainId = chainId;\n\n // Verify SDK-node protocol compatibility and discover supported features\n const nodeInfo = await checkNodeInfo(\n this.primaryTinyCloudHost,\n this.wasm.protocolVersion(),\n );\n this._nodeFeatures = nodeInfo.features;\n\n // Call extension hooks\n for (const ext of this.extensions) {\n if (ext.afterSignIn) {\n await ext.afterSignIn(clientSession);\n }\n }\n\n // Ensure space exists (creates if needed when autoCreateSpace is true)\n await this.ensureSpaceExists();\n\n return clientSession;\n }\n\n /\n Sign out and clear the current session.\n /\n async signOut(): Promise<void> {\n if (this._address) {\n await this.clearPersistedSession(this._address);\n }\n this._session = undefined;\n }\n\n /\n Get the current wallet/signer address.\n /\n address(): string \| undefined {\n return this._address;\n }\n\n /\n Get the current chain ID.\n /\n chainId(): number \| undefined {\n return this._chainId;\n }\n\n /\n Sign a message with the connected signer.\n /\n async signMessage(message: string): Promise<string> {\n if (!this._address) {\n this._address = canonicalizeAddress(await this.signer.getAddress());\n }\n if (!this._chainId) {\n this._chainId = await this.signer.getChainId();\n }\n\n return this.requestSignature({\n address: this._address,\n chainId: this._chainId,\n message,\n type: \"message\",\n });\n }\n\n /\n Prepare a session for external signing.\n \n Use this method when you need to sign the SIWE message externally (e.g., via\n * a hardware wallet, multi-sig, or external service). After obtaining the signature,\n * call `signInWithPreparedSession()` to complete the sign-in.\n \n @example\n * ```typescript\n * const { prepared, keyId, jwk } = await auth.prepareSessionForSigning();\n * const signature = await externalSigner.signMessage(prepared.siwe);\n * const session = await auth.signInWithPreparedSession(prepared, signature, keyId, jwk);\n * ```\n /\n async prepareSessionForSigning(): Promise<{\n prepared: {\n siwe: string;\n jwk: Record<string, unknown>;\n spaceId: string;\n verificationMethod: string;\n };\n keyId: string;\n jwk: Record<string, unknown>;\n address: string;\n chainId: number;\n }> {\n const address = canonicalizeAddress(await this.signer.getAddress());\n const chainId = await this.signer.getChainId();\n\n // Create a session key\n const keyId = `session-${Date.now()}`;\n this.sessionManager.renameSessionKeyId(\"default\", keyId);\n\n // Get JWK for session key\n const jwkString = this.sessionManager.jwk(keyId);\n if (!jwkString) {\n throw new Error(\"Failed to create session key\");\n }\n const jwk = JSON.parse(jwkString);\n\n const capabilityPlan = this.resolveSignInCapabilities(address, chainId);\n const spaceId = capabilityPlan.spaceId;\n\n const now = new Date();\n const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);\n\n // Prepare session - this creates the SIWE message with ReCap capabilities.\n //\n // When a manifest is installed, `resolveSignInAbilities()` returns\n // the union of app permissions + every manifest-declared\n // delegation's permissions in the shape `prepareSession` accepts.\n // Otherwise it returns `defaultActions` unchanged (legacy path).\n const prepared = this.wasm.prepareSession({\n abilities: capabilityPlan.abilities,\n ...(capabilityPlan.spaceAbilities !== undefined\n ? { spaceAbilities: capabilityPlan.spaceAbilities }\n : {}),\n ...(capabilityPlan.rawAbilities !== undefined\n ? { rawAbilities: capabilityPlan.rawAbilities }\n : {}),\n address,\n chainId,\n domain: this.domain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId,\n jwk,\n ...this.buildSiweOverrides(),\n });\n\n return {\n prepared,\n keyId,\n jwk,\n address,\n chainId,\n };\n }\n\n /\n Complete sign-in with a prepared session and signature.\n \n Use this method after obtaining a signature for the SIWE message from\n * `prepareSessionForSigning()`. The signature MUST be over `prepared.siwe`.\n \n @param prepared - The prepared session from `prepareSessionForSigning()`\n * @param signature - The signature over `prepared.siwe`\n * @param keyId - The session key ID from `prepareSessionForSigning()`\n * @param jwk - The JWK from `prepareSessionForSigning()`\n /\n async signInWithPreparedSession(\n prepared: {\n siwe: string;\n jwk: Record<string, unknown>;\n spaceId: string;\n verificationMethod: string;\n },\n signature: string,\n keyId: string,\n jwk: Record<string, unknown>,\n ): Promise<ClientSession> {\n // Complete session setup with the prepared session + signature\n const session = this.wasm.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Parse address and chainId from the prepared session\n // The SIWE message contains this info, but we need to extract it\n // For now, we'll get it from the signer since it should match\n const address = canonicalizeAddress(await this.signer.getAddress());\n const chainId = await this.signer.getChainId();\n\n await this.resolveTinyCloudHostsForSignIn(address, chainId);\n\n // Create client session (web-core compatible)\n const clientSession: ClientSession = {\n address,\n walletAddress: address,\n chainId,\n sessionKey: keyId,\n siwe: prepared.siwe,\n signature,\n };\n\n // Compute additional spaces as metadata (not in the delegation itself).\n const spacesMetadata: Record<string, string> \| undefined = this\n .enablePublicSpace\n ? { public: makePkhSpaceId(address, chainId, \"public\") }\n : undefined;\n\n // Create TinyCloud session with full delegation data\n // Use sessionManager.getDID(keyId) for properly formatted DID URL\n const tinyCloudSession: TinyCloudSession = {\n address,\n chainId,\n sessionKey: keyId,\n spaceId: prepared.spaceId,\n spaces: spacesMetadata,\n delegationCid: session.delegationCid,\n delegationHeader: session.delegationHeader,\n verificationMethod: this.sessionManager.getDID(keyId),\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Extract expiration from SIWE message (parse the string)\n const expirationMatch = prepared.siwe.match(/Expiration Time: (.+)/);\n const issuedAtMatch = prepared.siwe.match(/Issued At: (.+)/);\n const expiresAt =\n expirationMatch?.[1] ??\n new Date(Date.now() + this.sessionExpirationMs).toISOString();\n const createdAt = issuedAtMatch?.[1] ?? new Date().toISOString();\n\n // Persist session with TinyCloud-specific data\n const persistedData: PersistedSessionData = {\n address,\n chainId,\n sessionKey: JSON.stringify(jwk),\n siwe: prepared.siwe,\n signature,\n tinycloudSession: {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: prepared.spaceId,\n spaces: spacesMetadata,\n verificationMethod: this.sessionManager.getDID(keyId),\n },\n expiresAt,\n createdAt,\n version: \"1.0\",\n };\n await this.sessionStorage.save(address, persistedData);\n\n // Set current session\n this._session = clientSession;\n this._tinyCloudSession = tinyCloudSession;\n this._address = address;\n this._chainId = chainId;\n\n // Verify SDK-node protocol compatibility and discover supported features\n const nodeInfo = await checkNodeInfo(\n this.primaryTinyCloudHost,\n this.wasm.protocolVersion(),\n );\n this._nodeFeatures = nodeInfo.features;\n\n // Call extension hooks\n for (const ext of this.extensions) {\n if (ext.afterSignIn) {\n await ext.afterSignIn(clientSession);\n }\n }\n\n // Ensure space exists (creates if needed when autoCreateSpace is true)\n await this.ensureSpaceExists();\n\n return clientSession;\n }\n\n /\n Clear persisted session data.\n /\n async clearPersistedSession(address?: string): Promise<void> {\n const targetAddress = address ?? this._address;\n if (targetAddress) {\n await this.sessionStorage.clear(targetAddress);\n }\n }\n\n /\n Check if a session is persisted for an address.\n /\n isSessionPersisted(address: string): boolean {\n return this.sessionStorage.exists(address);\n }\n\n /\n Request a signature based on the configured strategy.\n /\n private async requestSignature(request: SignRequest): Promise<string> {\n switch (this.signStrategy.type) {\n case \"auto-sign\":\n return this.signer.signMessage(request.message);\n\n case \"auto-reject\":\n throw new Error(\"Sign request rejected by auto-reject strategy\");\n\n case \"callback\": {\n const response = await this.signStrategy.handler(request);\n if (!response.approved) {\n throw new Error(\n response.reason ?? \"Sign request rejected by callback\",\n );\n }\n // If callback provides signature, use it; otherwise sign with signer\n return (\n response.signature ?? (await this.signer.signMessage(request.message))\n );\n }\n\n case \"event-emitter\": {\n return this.requestSignatureViaEmitter(\n request,\n this.signStrategy.emitter,\n this.signStrategy.timeout ?? 60000,\n );\n }\n\n default:\n throw new Error(\n `Unknown sign strategy: ${(this.signStrategy as any).type}`,\n );\n }\n }\n\n /\n Request signature via event emitter with timeout.\n /\n private requestSignatureViaEmitter(\n request: SignRequest,\n emitter: EventEmitter,\n timeout: number,\n ): Promise<string> {\n return new Promise((resolve, reject) => {\n const timeoutId = setTimeout(() => {\n reject(new Error(\"Sign request timed out\"));\n }, timeout);\n\n const respond = async (response: SignResponse) => {\n clearTimeout(timeoutId);\n if (!response.approved) {\n reject(\n new Error(response.reason ?? \"Sign request rejected via emitter\"),\n );\n } else {\n // If response provides signature, use it; otherwise sign with signer\n const signature =\n response.signature ??\n (await this.signer.signMessage(request.message));\n resolve(signature);\n }\n };\n\n emitter.emit(\"sign-request\", request, respond);\n });\n }\n}\n","/\n Node.js-specific SignStrategy types for TinyCloud authorization.\n \n This module re-exports common types from sdk-core and provides\n * Node.js-specific implementations (e.g., NodeEventEmitterStrategy\n * using Node's EventEmitter instead of browser EventTarget).\n \n @packageDocumentation\n /\n\nimport { EventEmitter } from \"events\";\n\n// Import types for local use in SignStrategy union\nimport type {\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export common types from sdk-core (type-only — erased at runtime in sdk-core dist)\nexport type {\n SignRequest,\n SignResponse,\n SignCallback,\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n} from \"@tinycloud/sdk-core\";\n\n/\n Node.js event emitter strategy: emits sign requests as events.\n \n Uses Node.js EventEmitter for compatibility with Node.js applications.\n * For browser environments, use the EventEmitterStrategy from sdk-core\n * which uses EventTarget.\n \n Events emitted:\n * - 'sign-request': When a sign request is received\n \n Use cases:\n * - Async approval workflows in Node.js\n * - External signing services\n * - Multi-step authorization flows\n \n @example\n * ```typescript\n * const emitter = new EventEmitter();\n * const strategy: NodeEventEmitterStrategy = { type: 'event-emitter', emitter };\n \n emitter.on('sign-request', async (req, respond) => {\n * const approved = await externalApprovalService.check(req);\n * respond({ approved, signature: approved ? await sign(req.message) : undefined });\n * });\n * ```\n /\nexport interface NodeEventEmitterStrategy {\n type: \"event-emitter\";\n emitter: EventEmitter;\n /* Timeout in milliseconds for waiting on event response (default: 60000) /\n timeout?: number;\n}\n\n/\n Node.js sign strategy union type.\n \n Determines how sign requests are handled in NodeUserAuthorization.\n * Uses Node.js EventEmitter for the event-emitter strategy.\n /\nexport type SignStrategy =\n \| AutoSignStrategy\n \| AutoRejectStrategy\n \| CallbackStrategy\n \| NodeEventEmitterStrategy;\n\n/\n Default sign strategy is auto-sign for convenience.\n * This is the Node.js-specific version typed with SignStrategy.\n /\nexport const defaultSignStrategy: SignStrategy = { type: \"auto-sign\" };\n","/\n TinyCloudNode - High-level API for Node.js users.\n \n Each user has their own TinyCloudNode instance with their own key.\n * This class provides a simplified interface for:\n * - Signing in and managing sessions\n * - Key-value storage operations on own space\n * - Creating and using delegations\n \n @example\n * ```typescript\n * const alice = new TinyCloudNode({\n * privateKey: process.env.ALICE_PRIVATE_KEY,\n * host: \"https://node.tinycloud.xyz\",\n * prefix: \"myapp\",\n * });\n \n await alice.signIn();\n * await alice.kv.put(\"greeting\", \"Hello, world!\");\n \n // Delegate access to Bob\n * const delegation = await alice.createDelegation({\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * delegateDID: bob.did,\n * });\n \n // Bob uses the delegation\n * const access = await bob.useDelegation(delegation);\n * const data = await access.kv.get(\"shared/data\");\n * ```\n /\n\nimport {\n TinyCloud,\n TinyCloudSession,\n activateSessionWithHost,\n KVService,\n IKVService,\n SQLService,\n ISQLService,\n DuckDbService,\n IDuckDbService,\n HooksService,\n DataVaultService,\n IDataVaultService,\n EncryptionService,\n SecretsService,\n ISecretsService,\n IEncryptionService,\n IHooksService,\n createVaultCrypto,\n ServiceSession,\n ServiceContext,\n ISessionStorage,\n ISigner,\n type InvokeAnyFunction,\n type InvokeFunction,\n INotificationHandler,\n SilentNotificationHandler,\n IENSResolver,\n IWasmBindings,\n ISessionManager,\n ISpaceCreationHandler,\n SignInOptions,\n // v2 services\n DelegationManager,\n SpaceService,\n ISpaceService,\n ISpace,\n CapabilityKeyRegistry,\n ICapabilityKeyRegistry,\n SharingService,\n ISharingService,\n // v2 types\n SiweConfig,\n Delegation,\n CreateDelegationParams,\n KeyInfo,\n JWK,\n DelegationResult,\n CreateDelegationWasmParams,\n CreateDelegationWasmResult,\n type DelegatedResource,\n UnsupportedFeatureError,\n makePublicSpaceId,\n ACCOUNT_REGISTRY_SPACE,\n type ComposedManifestRequest,\n type ResolvedDelegate,\n // Capability-chain delegation\n type PermissionEntry,\n ENCRYPTION_PERMISSION_SERVICE,\n PermissionNotInManifestError,\n SessionExpiredError,\n expandPermissionEntries as expandPermissionEntriesCore,\n isCapabilitySubset,\n parseRecapCapabilities,\n // Manifest-driven sign-in\n type Manifest,\n type AbilitiesMap,\n resourceCapabilitiesToAbilitiesMap,\n SERVICE_LONG_TO_SHORT,\n EXPIRY,\n canonicalHashHex,\n canonicalizeEncryptionJson,\n verifyDidKeyEd25519Signature,\n canonicalizeAddress,\n pkhDid,\n principalDidEquals,\n type BuildDecryptInvocationInput,\n type BuiltDecryptInvocation,\n type CanonicalJson,\n type DecryptResponseBody,\n type DecryptTransport,\n type EncryptionCrypto,\n type NetworkDescriptor,\n} from \"@tinycloud/sdk-core\";\nimport { NodeUserAuthorization } from \"./authorization/NodeUserAuthorization\";\nimport { FileSessionStorage } from \"./storage/FileSessionStorage\";\nimport { MemorySessionStorage } from \"./storage/MemorySessionStorage\";\nimport { PortableDelegation } from \"./delegation\";\nimport { DelegatedAccess } from \"./DelegatedAccess\";\nimport { WasmKeyProvider } from \"./keys/WasmKeyProvider\";\nimport {\n legacyParamsToPermissionEntries,\n resolveExpiryMs,\n extractSiweExpiration,\n} from \"./delegateToHelpers\";\nimport { NodeSecretsService } from \"./NodeSecretsService\";\n\n/* Default TinyCloud host /\nconst DEFAULT_HOST = \"https://node.tinycloud.xyz\";\nconst DEFAULT_ENCRYPTION_NETWORK_NAME = \"default\";\nconst NETWORK_CREATE_ACTION = \"tinycloud.encryption/network.create\";\nconst DECRYPT_ACTION = \"tinycloud.encryption/decrypt\";\nconst NETWORK_ADMIN_TYPE = \"tinycloud.encryption.network-admin/v1\";\n\n/\n Default lifetime of a SIWE session when {@link TinyCloudNodeConfig.sessionExpirationMs}\n * is not set. Sourced from the shared SESSION tier so all sign-in code\n * paths land on the same number — see `@tinycloud/sdk-core/expiry.ts`\n * for the tier rationale.\n /\nconst DEFAULT_SESSION_EXPIRATION_MS = EXPIRY.SESSION_MS;\n\nfunction didPrincipalMatches(actual: string, expected: string): boolean {\n try {\n return principalDidEquals(actual, expected);\n } catch {\n return actual === expected;\n }\n}\n\n/\n Configuration for TinyCloudNode.\n * All fields are optional - TinyCloudNode can work with zero configuration.\n /\nexport interface TinyCloudNodeConfig {\n /* Hex-encoded private key (with or without 0x prefix). Optional - only needed for wallet mode and signIn() /\n privateKey?: string;\n /* Custom signer implementation. If provided, takes precedence over privateKey. /\n signer?: ISigner;\n /* Explicit TinyCloud server URL. When omitted, signIn resolves the user's host. /\n host?: string;\n /* TinyCloud location registry URL. Default: https://registry.tinycloud.xyz. /\n tinycloudRegistryUrl?: string \| null;\n /* Fallback TinyCloud hosts. Default: hosted TinyCloud node. /\n tinycloudFallbackHosts?: string[] \| null;\n /* Space prefix for this user's space. Optional - only needed for signIn() /\n prefix?: string;\n /* Domain for SIWE messages (default: derived from host) /\n domain?: string;\n /* Session expiration time in milliseconds (default: 1 hour) /\n sessionExpirationMs?: number;\n /* Whether to automatically create space if it doesn't exist (default: false) /\n autoCreateSpace?: boolean;\n /* Custom session storage implementation (default: MemorySessionStorage) /\n sessionStorage?: ISessionStorage;\n /* Whether to include public space capabilities in the session (default: true).\n * When true, signIn() automatically includes capabilities for the user's public space,\n * accessible via spaces.get('public').kv /\n enablePublicSpace?: boolean;\n /* Custom WASM bindings (default: @tinycloud/node-sdk-wasm). Used by browser wrapper. /\n wasmBindings?: IWasmBindings;\n /* Notification handler for sign-in/sign-out/error events (default: SilentNotificationHandler) /\n notificationHandler?: INotificationHandler;\n /* ENS resolver for resolving .eth names in delegation methods /\n ensResolver?: IENSResolver;\n /* Custom space creation handler (default: auto-approve when autoCreateSpace is true) /\n spaceCreationHandler?: ISpaceCreationHandler;\n /\n SIWE nonce override. If omitted, the WASM layer generates a random nonce.\n * If `siweConfig.nonce` is also provided, `siweConfig.nonce` wins.\n /\n nonce?: string;\n /* Optional SIWE configuration overrides (e.g., nonce for server-provided nonces) /\n siweConfig?: SiweConfig;\n /\n App manifest driving the SIWE recap at sign-in.\n \n When set, `signIn()` resolves the manifest, unions the app's own\n * permissions with every manifest-declared delegation's permissions,\n * and uses that union as the session's granted capabilities — NOT\n * the legacy `defaultActions` table. This is what makes\n * `delegateTo(manifestDeclaredDid, permissions)` work without a\n * wallet prompt: the session key's recap already covers the\n * delegation target's needs at sign-in time.\n \n When omitted, `signIn()` falls back to `defaultActions` for\n * backwards compatibility with callers that pre-date the manifest\n * flow.\n /\n manifest?: Manifest \| Manifest[];\n /* Pre-composed manifest request. Takes precedence over `manifest`. /\n capabilityRequest?: ComposedManifestRequest;\n /* Include implicit account registry permissions when composing `manifest`. Default true. /\n includeAccountRegistryPermissions?: boolean;\n}\n\n/\n Options for {@link TinyCloudNode.delegateTo}.\n \n `expiry` accepts either an ms-format duration string (e.g. `\"7d\"`, `\"1h\"`)\n * or a raw number of milliseconds. When omitted, the default is 1 hour.\n \n `forceWalletSign` bypasses the derivability check and sends the\n * delegation through the legacy wallet-signed SIWE path, which always\n * triggers a wallet prompt. Used for testing, for explicit wallet\n * confirmation flows, and by the legacy `createDelegation` fallback.\n /\nexport interface DelegateToOptions {\n /* Override expiry. ms-format string (\"7d\", \"1h\") or raw milliseconds. /\n expiry?: string \| number;\n /* Force the wallet-signed SIWE path even if the caps are derivable. Default false. /\n forceWalletSign?: boolean;\n}\n\n/\n Result of {@link TinyCloudNode.delegateTo}.\n \n `prompted` indicates whether a wallet prompt was shown — `true` for the\n * legacy wallet path (always), `false` for the session-key UCAN path (never).\n * Callers wiring single-prompt sign-in flows use this to assert that their\n * capability chain was derivable.\n /\nexport interface DelegateToResult {\n delegation: PortableDelegation;\n prompted: boolean;\n}\n\n/\n Options for runtime permission escalation.\n /\nexport interface RuntimePermissionGrantOptions {\n /* Override expiry. ms-format string (\"7d\", \"1h\") or raw milliseconds. /\n expiry?: string \| number;\n}\n\ninterface RuntimePermissionOperation {\n spaceId?: string;\n resource?: string;\n service: string;\n path: string;\n action: string;\n}\n\ninterface RuntimePermissionGrant {\n session: ServiceSession;\n delegation: PortableDelegation;\n operations: RuntimePermissionOperation[];\n expiresAt: Date;\n}\n\ntype CanonicalizableEncryptionJson = CanonicalJson;\ntype NetworkInvocationFact = object;\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n const alphabet = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n let output = \"\";\n for (let i = 0; i < bytes.length; i += 3) {\n const a = bytes[i];\n const b = bytes[i + 1];\n const c = bytes[i + 2];\n const triplet = (a << 16) \| ((b ?? 0) << 8) \| (c ?? 0);\n output += alphabet[(triplet >> 18) & 63];\n output += alphabet[(triplet >> 12) & 63];\n if (i + 1 < bytes.length) output += alphabet[(triplet >> 6) & 63];\n if (i + 2 < bytes.length) output += alphabet[triplet & 63];\n }\n return output;\n}\n\nfunction base64UrlDecode(value: string): Uint8Array {\n const alphabet = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n const bytes: number[] = [];\n let buffer = 0;\n let bits = 0;\n for (const char of value) {\n const index = alphabet.indexOf(char);\n if (index < 0) {\n throw new Error(\"invalid base64url input\");\n }\n buffer = (buffer << 6) \| index;\n bits += 6;\n if (bits >= 8) {\n bits -= 8;\n bytes.push((buffer >> bits) & 0xff);\n }\n }\n return new Uint8Array(bytes);\n}\n\nasync function signJwtInputWithJwk(\n signingInput: string,\n jwk: object,\n): Promise<Uint8Array> {\n const bytes = new TextEncoder().encode(signingInput);\n try {\n const subtle = globalThis.crypto?.subtle;\n if (!subtle) {\n throw new Error(\"WebCrypto subtle API is unavailable\");\n }\n const key = await subtle.importKey(\n \"jwk\",\n jwk as any,\n { name: \"Ed25519\" },\n false,\n [\"sign\"],\n );\n return new Uint8Array(await subtle.sign({ name: \"Ed25519\" }, key, bytes));\n } catch {\n const nodeCrypto = await import(\"node:crypto\");\n const key = nodeCrypto.createPrivateKey({ key: jwk as any, format: \"jwk\" });\n return new Uint8Array(nodeCrypto.sign(null, Buffer.from(bytes), key));\n }\n}\n\nasync function rewriteInvocationAudience(\n authorization: string,\n audience: string,\n jwk: object,\n): Promise<string> {\n const [headerPart, payloadPart] = authorization.split(\".\");\n if (!headerPart \|\| !payloadPart) {\n throw new Error(\"invalid invocation authorization\");\n }\n const header = JSON.parse(new TextDecoder().decode(base64UrlDecode(headerPart)));\n const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadPart)));\n payload.aud = audience;\n const signingInput = `${base64UrlEncode(\n new TextEncoder().encode(JSON.stringify(header)),\n )}.${base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)))}`;\n const signature = await signJwtInputWithJwk(signingInput, jwk);\n return `${signingInput}.${base64UrlEncode(signature)}`;\n}\n\nfunction authorizationHeader(headers: Record<string, string> \| [string, string][]): string {\n if (Array.isArray(headers)) {\n const entry = headers.find(([name]) => name.toLowerCase() === \"authorization\");\n if (!entry) {\n throw new Error(\"network invocation did not include an Authorization header\");\n }\n return entry[1];\n }\n const value = headers.Authorization ?? headers.authorization;\n if (!value) {\n throw new Error(\"network invocation did not include an Authorization header\");\n }\n return value;\n}\n\n/\n High-level TinyCloud API for Node.js environments.\n \n Each user creates their own TinyCloudNode instance with their private key.\n * The instance manages the user's session and provides access to their space.\n /\n/* @internal /\nexport interface NodeDefaults {\n createWasmBindings: () => IWasmBindings;\n createSigner: (privateKey: string, chainId?: number) => ISigner;\n}\n\nexport class TinyCloudNode {\n /* @internal Registered by importing @tinycloud/node-sdk (not /core) /\n private static nodeDefaults?: NodeDefaults;\n\n /* @internal Register Node.js-specific defaults (NodeWasmBindings, PrivateKeySigner) /\n static registerNodeDefaults(defaults: NodeDefaults): void {\n TinyCloudNode.nodeDefaults = defaults;\n }\n\n private config: TinyCloudNodeConfig;\n private readonly explicitHost?: string;\n private signer: ISigner \| null = null;\n private auth: NodeUserAuthorization \| null = null;\n private tc: TinyCloud \| null = null;\n private _address?: string;\n private _chainId: number = 1;\n private wasmBindings: IWasmBindings;\n private sessionManager: ISessionManager;\n private _serviceContext?: ServiceContext;\n private _kv?: KVService;\n private _sql?: SQLService;\n private _duckdb?: DuckDbService;\n private _hooks?: HooksService;\n private _vault?: DataVaultService;\n private _encryption?: EncryptionService;\n private _baseSecrets?: ISecretsService;\n private _secrets?: ISecretsService;\n /* Cached public KV with proper delegation (set by ensurePublicSpace) /\n private _publicKV?: KVService;\n\n /* Session key ID - always available /\n private sessionKeyId: string;\n /* Session key JWK as object - always available /\n private sessionKeyJwk: object;\n\n /* Notification handler for user-facing events /\n private notificationHandler: INotificationHandler;\n\n // v2 services (initialized in constructor)\n private _capabilityRegistry: CapabilityKeyRegistry;\n private _keyProvider: WasmKeyProvider;\n private _sharingService: SharingService;\n // These are initialized after signIn()\n private _delegationManager?: DelegationManager;\n private _spaceService?: SpaceService;\n private runtimePermissionGrants: RuntimePermissionGrant[] = [];\n\n /\n TinyCloudSession captured by {@link restoreSession} when there's no\n * auth-layer signer available (session-only mode used by OpenKey-backed\n * CLI restores, public-space replays, …). Read by\n * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.\n /\n private _restoredTcSession?: TinyCloudSession;\n\n private get nodeFeatures(): string[] {\n return this.auth?.nodeFeatures ?? [];\n }\n\n /* SIWE domain — uses config override or defaults to app.tinycloud.xyz /\n private get siweDomain(): string {\n return this.config.domain ?? 'app.tinycloud.xyz';\n }\n\n private readonly invokeWithRuntimePermissions: InvokeFunction = (\n session,\n service,\n path,\n action,\n facts,\n ) => {\n return this.wasmBindings.invoke(\n this.selectInvocationSession(session, service, path, action),\n service,\n path,\n action,\n facts,\n );\n };\n\n private readonly invokeAnyWithRuntimePermissions: InvokeAnyFunction = (\n session,\n entries,\n facts,\n ) => {\n if (!this.wasmBindings.invokeAny) {\n throw new Error(\"WASM binding does not support invokeAny\");\n }\n const grant = this.findGrantForOperations(\n entries.flatMap((entry) => {\n const operation = this.operationFromInvokeAnyEntry(entry);\n return operation ? [operation] : [];\n }),\n );\n return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);\n };\n\n /\n Create a new TinyCloudNode instance.\n \n All configuration is optional. Without a privateKey, the instance operates\n * in \"session-only\" mode where it can receive delegations but cannot create\n * its own space via signIn().\n \n @param config - Configuration options (all optional)\n \n @example\n * ```typescript\n * // Session-only mode - can receive delegations\n * const bob = new TinyCloudNode();\n * console.log(bob.did); // did:key:z6Mk... - available immediately\n \n // Wallet mode - can create own space\n * const alice = new TinyCloudNode({\n * privateKey: process.env.ALICE_PRIVATE_KEY,\n * prefix: \"myapp\",\n * });\n * await alice.signIn();\n * ```\n /\n constructor(config: TinyCloudNodeConfig = {}) {\n this.explicitHost = config.host;\n\n // Store config with default host\n this.config = {\n ...config,\n host: config.host ?? DEFAULT_HOST,\n };\n\n // Initialize WASM bindings (uses registered Node defaults if not provided)\n if (config.wasmBindings) {\n this.wasmBindings = config.wasmBindings;\n } else if (TinyCloudNode.nodeDefaults) {\n this.wasmBindings = TinyCloudNode.nodeDefaults.createWasmBindings();\n } else {\n throw new Error(\n \"wasmBindings must be provided in config. \" +\n \"Import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n\n // Always create session manager and session key immediately\n this.sessionManager = this.wasmBindings.createSessionManager();\n\n // Try to use \"default\" key, create if it doesn't exist\n const defaultKeyId = \"default\";\n let jwkStr = this.sessionManager.jwk(defaultKeyId);\n if (jwkStr) {\n // Key already exists, reuse it\n this.sessionKeyId = defaultKeyId;\n } else {\n // Create new key\n this.sessionKeyId = this.sessionManager.createSessionKey(defaultKeyId);\n jwkStr = this.sessionManager.jwk(this.sessionKeyId);\n }\n\n if (!jwkStr) {\n throw new Error(\"Failed to get session key JWK\");\n }\n this.sessionKeyJwk = JSON.parse(jwkStr);\n\n // Initialize capability registry for all users (needed for tracking received delegations)\n this._capabilityRegistry = new CapabilityKeyRegistry();\n\n // Initialize KeyProvider for SharingService\n this._keyProvider = new WasmKeyProvider({\n sessionManager: this.sessionManager,\n });\n\n // Initialize notification handler\n this.notificationHandler = config.notificationHandler ?? new SilentNotificationHandler();\n\n // Initialize SharingService for receive-only access (no session required)\n // This allows session-only users to receive sharing links without signIn()\n // Full capabilities (generate) are added after signIn()\n this._sharingService = new SharingService({\n hosts: [this.config.host!],\n // session: undefined - not needed for receive()\n invoke: this.invokeWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n keyProvider: this._keyProvider,\n registry: this._capabilityRegistry,\n // delegationManager: undefined - not needed for receive()\n createKVService: (config) => {\n // Use pathPrefix as the KV service prefix for sharing links\n // Strip trailing slash to match DelegatedAccess behavior\n const prefix = config.pathPrefix?.replace(/\\/$/, '');\n const kvService = new KVService({ prefix });\n // Create a new service context for the KV service\n const kvContext = new ServiceContext({\n invoke: config.invoke,\n fetch: config.fetch ?? globalThis.fetch.bind(globalThis),\n hosts: config.hosts,\n });\n kvContext.setSession(config.session);\n kvService.initialize(kvContext);\n return kvService;\n },\n });\n\n // Set up wallet/auth if signer or privateKey is provided\n if (config.signer) {\n this.signer = config.signer;\n this.setupAuth(config);\n } else if (config.privateKey) {\n if (!TinyCloudNode.nodeDefaults) {\n throw new Error(\n \"privateKey requires PrivateKeySigner. Either provide a signer in config, \" +\n \"or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n this.signer = TinyCloudNode.nodeDefaults.createSigner(config.privateKey, this._chainId);\n this.setupAuth(config);\n }\n }\n\n /\n Set up authorization handler and TinyCloud instance.\n * @internal\n /\n private setupAuth(config: TinyCloudNodeConfig): void {\n this.auth = new NodeUserAuthorization({\n signer: this.signer!,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: config.prefix,\n sessionExpirationMs: config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: config.tinycloudFallbackHosts,\n autoCreateSpace: config.autoCreateSpace,\n enablePublicSpace: config.enablePublicSpace ?? true,\n spaceCreationHandler: config.spaceCreationHandler,\n nonce: config.nonce,\n siweConfig: config.siweConfig,\n manifest: config.manifest,\n capabilityRequest: config.capabilityRequest,\n includeAccountRegistryPermissions: config.includeAccountRegistryPermissions,\n });\n\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n }\n\n private syncResolvedHostFromAuth(): void {\n const host = this.auth?.hosts[0];\n if (host) {\n this.config.host = host;\n }\n }\n\n /\n Install or replace the manifest that drives the SIWE recap at\n * sign-in. Takes effect on the next `signIn()` call — the current\n * session (if any) is not touched. Wire this up from a higher\n * layer (e.g. TinyCloudWeb.setManifest) so the manifest is kept\n * in sync across the stack.\n /\n setManifest(manifest: Manifest \| Manifest[] \| undefined): void {\n if (!this.auth) {\n // Session-only mode has no auth handler, so there's nothing to\n // update. The caller almost certainly wanted wallet mode — fail\n // loudly rather than silently dropping the manifest.\n throw new Error(\n \"setManifest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config.\",\n );\n }\n this.config.manifest = manifest;\n this.config.capabilityRequest = undefined;\n this.auth.setManifest(manifest);\n }\n\n setCapabilityRequest(request: ComposedManifestRequest \| undefined): void {\n if (!this.auth) {\n throw new Error(\n \"setCapabilityRequest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config.\",\n );\n }\n this.config.capabilityRequest = request;\n this.config.manifest = request?.manifests;\n this.auth.setCapabilityRequest(request);\n }\n\n /\n Return the manifest currently installed on the auth handler,\n * or `undefined` if none is set.\n /\n get manifest(): Manifest \| Manifest[] \| undefined {\n return this.auth?.manifest;\n }\n\n get capabilityRequest(): ComposedManifestRequest \| undefined {\n return this.auth?.capabilityRequest;\n }\n\n get hosts(): string[] {\n const authHosts = this.auth?.hosts ?? [];\n return authHosts.length > 0 ? authHosts : [this.config.host!];\n }\n\n /\n Get the primary identity DID for this user.\n * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})\n * - If session-only mode: returns session key DID (did:key:z6Mk...)\n \n Use this for delegations - it always returns the appropriate identity.\n /\n get did(): string {\n // If wallet is connected and signed in, return PKH (persistent identity)\n if (this._address) {\n return pkhDid(this._address, this._chainId);\n }\n // Session-only mode: return session key DID (ephemeral identity)\n return this.sessionManager.getDID(this.sessionKeyId);\n }\n\n /\n Get the session key DID. Always available.\n * Format: did:key:z6Mk...#z6Mk...\n \n Use this when you specifically need the session key, not the user identity.\n /\n get sessionDid(): string {\n return this.sessionManager.getDID(this.sessionKeyId);\n }\n\n /\n Get the Ethereum address for this user.\n /\n get address(): string \| undefined {\n return this.auth?.address() ?? this._address;\n }\n\n /\n Check if this instance is in session-only mode (no wallet).\n * In session-only mode, the instance can receive delegations but cannot\n * create its own space via signIn().\n /\n get isSessionOnly(): boolean {\n return this.signer === null;\n }\n\n /\n Get the space ID for this user.\n * Available after signIn().\n /\n get spaceId(): string \| undefined {\n return this.auth?.tinyCloudSession?.spaceId;\n }\n\n /\n Get the current TinyCloud session.\n * Available after signIn().\n /\n get session(): TinyCloudSession \| undefined {\n return this.auth?.tinyCloudSession;\n }\n\n /\n Sign in and create a new session.\n * This creates the user's space if it doesn't exist.\n * Requires wallet mode (privateKey in config).\n \n @param options - Optional per-call SIWE overrides for this sign-in only\n /\n async signIn(options?: SignInOptions): Promise<void> {\n if (!this.signer \|\| !this.tc) {\n throw new Error(\n \"Cannot signIn() in session-only mode. Provide a privateKey in config to create your own space.\"\n );\n }\n\n // Ensure WASM is ready (critical for browser where WASM loads asynchronously)\n await this.wasmBindings.ensureInitialized?.();\n\n this._address = canonicalizeAddress(await this.signer.getAddress());\n this._chainId = await this.signer.getChainId();\n\n // Reset services so they get recreated with new session\n this._kv = undefined;\n this._sql = undefined;\n this._duckdb = undefined;\n this._hooks = undefined;\n this._vault = undefined;\n this._encryption = undefined;\n this._baseSecrets = undefined;\n this._secrets = undefined;\n this._spaceService = undefined;\n this._serviceContext = undefined;\n this.runtimePermissionGrants = [];\n\n await this.tc.signIn(options);\n this.syncResolvedHostFromAuth();\n\n // Initialize service context with session\n this.initializeServices();\n\n if (this.config.manifest === undefined && this.config.capabilityRequest === undefined) {\n await this.ensureOwnedSpaceHosted(this.ownedSpaceId(\"secrets\"));\n }\n\n await this.writeManifestRegistryRecords();\n\n this.notificationHandler.success(\"Successfully signed in\");\n }\n\n private ownedSpaceId(name: string): string {\n if (!this._address) {\n throw new Error(\"Cannot resolve owned space before sign-in\");\n }\n return this.wasmBindings.makeSpaceId(this._address, this._chainId, name);\n }\n\n private async writeManifestRegistryRecords(): Promise<void> {\n const request = this.capabilityRequest;\n if (!request \|\| request.registryRecords.length === 0) {\n return;\n }\n if (!this.auth \|\| !this.signer) {\n throw new Error(\"Manifest registry write requires wallet mode\");\n }\n\n const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);\n await this.ensureOwnedSpaceHosted(accountSpaceId);\n\n const accountKV = this.spaces.get(accountSpaceId).kv;\n for (const record of request.registryRecords) {\n const result = await accountKV.put(record.key, {\n app_id: record.app_id,\n manifests: record.manifests,\n updated_at: new Date().toISOString(),\n });\n if (!result.ok) {\n throw new Error(\n `Failed to write manifest registry record ${record.key}: ${result.error.message}`,\n );\n }\n }\n }\n\n private async ensureOwnedSpaceHosted(spaceId: string): Promise<void> {\n if (!this.auth) {\n throw new Error(\"Owned space hosting requires wallet mode\");\n }\n\n const session = this.auth.tinyCloudSession;\n if (!session) {\n throw new Error(\"Owned space hosting requires an active session\");\n }\n\n const host = this.hosts[0] ?? this.config.host;\n if (!host) {\n throw new Error(\"Owned space hosting requires a TinyCloud host\");\n }\n\n const activation = await activateSessionWithHost(host, session.delegationHeader);\n if (activation.success && !activation.skipped?.includes(spaceId)) {\n return;\n }\n\n if (!activation.success && activation.status !== 404) {\n throw new Error(\n `Failed to check owned space ${spaceId}: ${activation.error ?? activation.status}`,\n );\n }\n\n const created = await (this.auth as NodeUserAuthorization).hostOwnedSpace(spaceId);\n if (!created) {\n throw new Error(`Failed to create owned space: ${spaceId}`);\n }\n\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n const retry = await activateSessionWithHost(host, session.delegationHeader);\n if (!retry.success \|\| retry.skipped?.includes(spaceId)) {\n throw new Error(\n `Failed to activate session after creating owned space ${spaceId}: ${\n retry.error ?? \"space was skipped\"\n }`,\n );\n }\n }\n\n /\n Restore a previously established session from stored delegation data.\n \n This is used by the CLI to restore a session that was created via the\n * browser-based delegation flow (OpenKey `/delegate` page). Instead of\n * signing in with a private key, it injects the delegation data directly.\n \n @param sessionData - The stored delegation data from the browser flow\n /\n async restoreSession(sessionData: {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n spaceId: string;\n jwk: object;\n verificationMethod: string;\n address?: string;\n chainId?: number;\n /\n The SIWE message that authorized this session. Required for\n * downstream operations that need the session's expiry (e.g.\n * {@link grantRuntimePermissions}). When omitted the SDK can still\n * invoke services with the existing delegation, but anything that\n * reads `auth.tinyCloudSession.siwe` will treat the session as\n * expired-at-epoch-zero.\n /\n siwe?: string;\n /\n The wallet/OpenKey signature over `siwe`. Optional because the\n * runtime doesn't re-verify it — it's persisted alongside the SIWE\n * for callers that need to round-trip the full session shape.\n /\n signature?: string;\n }): Promise<void> {\n // Ensure WASM is ready (critical for browser where WASM loads asynchronously)\n await this.wasmBindings.ensureInitialized?.();\n\n // Reset services so they get recreated with new session\n this._kv = undefined;\n this._sql = undefined;\n this._duckdb = undefined;\n this._hooks = undefined;\n this._vault = undefined;\n this._encryption = undefined;\n this._baseSecrets = undefined;\n this._secrets = undefined;\n this._spaceService = undefined;\n this._serviceContext = undefined;\n this.runtimePermissionGrants = [];\n\n const restoredAddress = sessionData.address\n ? canonicalizeAddress(sessionData.address)\n : undefined;\n if (restoredAddress) {\n this._address = restoredAddress;\n }\n if (sessionData.chainId) {\n this._chainId = sessionData.chainId;\n }\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n invokeAny: this.invokeAnyWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [this.config.host!],\n });\n\n // Create and register KV service\n this._kv = new KVService({});\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and register SQL service\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n\n // Create and register DuckDB service\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: sessionData.delegationHeader,\n delegationCid: sessionData.delegationCid,\n spaceId: sessionData.spaceId,\n verificationMethod: sessionData.verificationMethod,\n jwk: sessionData.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n\n // Create and register Vault service (matches initializeServices behavior)\n this._vault = this.createVaultService(sessionData.spaceId, this._kv!);\n this._vault.initialize(this._serviceContext);\n this._serviceContext.registerService('vault', this._vault);\n\n // Initialize v2 services\n this.initializeV2Services(serviceSession);\n\n // Rehydrate a TinyCloudSession on whatever surface is available. In\n // wallet mode the auth layer holds it; in session-only mode (OpenKey,\n // public-space restore, …) `this.auth` is null and we fall back to\n // `_restoredTcSession` on the node itself. Both surfaces are read by\n // {@link currentTinyCloudSession} so callers don't have to care.\n //\n // Required for `useRuntimeDelegation` / `hasRuntimePermissions` /\n // `getRuntimePermissionDelegations` to work after a session restore —\n // without this they bail with `SessionExpiredError(new Date(0))`.\n if (sessionData.siwe && restoredAddress && sessionData.chainId) {\n const tcSession: TinyCloudSession = {\n address: restoredAddress,\n chainId: sessionData.chainId,\n sessionKey: JSON.stringify(sessionData.jwk),\n spaceId: sessionData.spaceId,\n delegationCid: sessionData.delegationCid,\n delegationHeader: sessionData.delegationHeader,\n verificationMethod: sessionData.verificationMethod,\n jwk: sessionData.jwk as { [k: string]: unknown },\n siwe: sessionData.siwe,\n signature: sessionData.signature ?? \"\",\n };\n if (this.auth) {\n this.auth.setRestoredTinyCloudSession(tcSession);\n } else {\n this._restoredTcSession = tcSession;\n }\n }\n }\n\n /\n Resolve the currently-active TinyCloudSession, preferring the auth\n * layer's value (wallet mode) and falling back to the node-level\n * rehydration set by {@link restoreSession} (session-only mode).\n /\n private currentTinyCloudSession(): TinyCloudSession \| undefined {\n return this.auth?.tinyCloudSession ?? this._restoredTcSession;\n }\n\n /\n Connect a wallet to upgrade from session-only mode to wallet mode.\n \n This allows a user who started in session-only mode to later connect\n * a wallet and gain the ability to create their own space.\n \n Note: This does NOT automatically sign in. Call signIn() after connecting\n * the wallet to create your space.\n \n @param privateKey - The Ethereum private key (hex string, no 0x prefix)\n * @param options - Optional configuration\n * @param options.prefix - Space name prefix (defaults to \"default\")\n \n @example\n * ```typescript\n * // Start in session-only mode\n * const node = new TinyCloudNode({ host: \"https://node.tinycloud.xyz\" });\n * console.log(node.did); // did:key:z6Mk... (session key)\n \n // Later, connect a wallet\n * node.connectWallet(privateKey);\n * await node.signIn();\n * console.log(node.did); // did:pkh:eip155:1:0x... (PKH)\n * ```\n /\n connectWallet(privateKey: string, options?: { prefix?: string; sessionStorage?: ISessionStorage }): void {\n if (this.signer) {\n throw new Error(\"Wallet already connected. Cannot connect another wallet.\");\n }\n\n const prefix = options?.prefix ?? \"default\";\n\n // Create signer from private key\n if (!TinyCloudNode.nodeDefaults) {\n throw new Error(\n \"connectWallet() requires PrivateKeySigner. Use connectSigner() instead, \" +\n \"or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n this.signer = TinyCloudNode.nodeDefaults.createSigner(privateKey);\n\n // Create authorization handler\n this.auth = new NodeUserAuthorization({\n signer: this.signer,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: prefix,\n sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,\n autoCreateSpace: this.config.autoCreateSpace,\n enablePublicSpace: this.config.enablePublicSpace ?? true,\n spaceCreationHandler: this.config.spaceCreationHandler,\n nonce: this.config.nonce,\n siweConfig: this.config.siweConfig,\n manifest: this.config.manifest,\n capabilityRequest: this.config.capabilityRequest,\n includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions,\n });\n\n // Create TinyCloud instance\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n\n // Update config with prefix\n this.config.prefix = prefix;\n }\n\n /\n Connect any ISigner to upgrade from session-only mode to wallet mode.\n \n Same as connectWallet() but accepts any ISigner implementation instead\n * of a raw private key string. Use this for browser wallets, hardware wallets,\n * or custom signing backends.\n \n Note: This does NOT automatically sign in. Call signIn() after connecting.\n \n @param signer - Any ISigner implementation\n * @param options - Optional configuration\n * @param options.prefix - Space name prefix (defaults to \"default\")\n /\n connectSigner(signer: ISigner, options?: { prefix?: string; sessionStorage?: ISessionStorage }): void {\n if (this.signer) {\n throw new Error(\"Signer already connected. Cannot connect another signer.\");\n }\n\n const prefix = options?.prefix ?? \"default\";\n\n this.signer = signer;\n\n this.auth = new NodeUserAuthorization({\n signer: this.signer,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: prefix,\n sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,\n autoCreateSpace: this.config.autoCreateSpace,\n enablePublicSpace: this.config.enablePublicSpace ?? true,\n spaceCreationHandler: this.config.spaceCreationHandler,\n nonce: this.config.nonce,\n siweConfig: this.config.siweConfig,\n manifest: this.config.manifest,\n capabilityRequest: this.config.capabilityRequest,\n includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions,\n });\n\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n this.config.prefix = prefix;\n }\n\n /\n Initialize the service context and KV service after sign-in.\n * @internal\n /\n private initializeServices(): void {\n const session = this.currentTinyCloudSession();\n if (!session) {\n return;\n }\n\n // Initialize TinyCloud core services (needed for publicKV, ensurePublicSpace)\n this.tc!.initializeServices(this.invokeWithRuntimePermissions, [this.config.host!]);\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n invokeAny: this.invokeAnyWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [this.config.host!],\n });\n\n // Create and register KV service\n this._kv = new KVService({});\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and register SQL service (if supported)\n const features = this.nodeFeatures;\n if (features.length === 0 \|\| features.includes(\"sql\")) {\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n }\n\n // Create and register DuckDB service (if supported)\n if (features.length === 0 \|\| features.includes(\"duckdb\")) {\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n }\n\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n (this.tc!.serviceContext as ServiceContext).setSession(serviceSession);\n\n // Create and register Vault service\n this._vault = this.createVaultService(session.spaceId, this._kv!);\n this._vault.initialize(this._serviceContext);\n this._serviceContext.registerService('vault', this._vault);\n\n // Initialize v2 services\n this.initializeV2Services(serviceSession);\n }\n\n private createSpaceScopedKVService(spaceId: string): KVService {\n const kvService = new KVService({});\n if (this._serviceContext) {\n const spaceScopedContext = new ServiceContext({\n invoke: this._serviceContext.invoke,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n const session = this._serviceContext.session;\n if (session) {\n spaceScopedContext.setSession({ ...session, spaceId });\n }\n kvService.initialize(spaceScopedContext);\n }\n return kvService;\n }\n\n getDefaultEncryptionNetworkId(name = DEFAULT_ENCRYPTION_NETWORK_NAME): string {\n return `urn:tinycloud:encryption:${this.did}:${name}`;\n }\n\n private requireServiceSession(): ServiceSession {\n const session = this._serviceContext?.session;\n if (!session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return session;\n }\n\n private createEncryptionCrypto(): EncryptionCrypto {\n const wasm = this.wasmBindings;\n const columnEncrypt = (key: Uint8Array, plaintext: Uint8Array): Uint8Array => {\n const encrypted = wasm.vault_encrypt(key, plaintext);\n const out = new Uint8Array(1 + encrypted.length);\n out[0] = 0x01;\n out.set(encrypted, 1);\n return out;\n };\n const columnDecrypt = (key: Uint8Array, blob: Uint8Array): Uint8Array => {\n if (blob[0] !== 0x01) {\n return blob;\n }\n return wasm.vault_decrypt(key, blob.slice(1));\n };\n return {\n sha256: (data) => wasm.vault_sha256(data),\n randomBytes: (length) => wasm.vault_random_bytes(length),\n x25519FromSeed: (seed) => wasm.vault_x25519_from_seed(seed),\n x25519Dh: (privateKey, publicKey) =>\n wasm.vault_x25519_dh(privateKey, publicKey),\n authEncrypt: (key, plaintext) => wasm.vault_encrypt(key, plaintext),\n authDecrypt: (key, ciphertext) => wasm.vault_decrypt(key, ciphertext),\n sealToNetworkKey: (networkPublicKey, symmetricKey) => {\n const seed = wasm.vault_random_bytes(32);\n const ephemeral = wasm.vault_x25519_from_seed(seed);\n const shared = wasm.vault_x25519_dh(\n ephemeral.privateKey,\n networkPublicKey,\n );\n const encrypted = columnEncrypt(shared, symmetricKey);\n const out = new Uint8Array(ephemeral.publicKey.length + encrypted.length);\n out.set(ephemeral.publicKey, 0);\n out.set(encrypted, ephemeral.publicKey.length);\n return out;\n },\n openWithReceiverKey: (receiverPrivateKey, wrappedKey) => {\n const peerPublic = wrappedKey.slice(0, 32);\n const ciphertext = wrappedKey.slice(32);\n const shared = wasm.vault_x25519_dh(receiverPrivateKey, peerPublic);\n return columnDecrypt(shared, ciphertext);\n },\n verifyNodeSignature: (nodeId, message, signature) =>\n verifyDidKeyEd25519Signature(nodeId, message, signature),\n };\n }\n\n private async fetchNodeId(): Promise<string> {\n const response = await fetch(`${this.config.host}/info`);\n if (!response.ok) {\n throw new Error(`Failed to fetch node info: HTTP ${response.status}`);\n }\n const info = (await response.json()) as { nodeId?: unknown };\n if (typeof info.nodeId !== \"string\" \|\| info.nodeId.length === 0) {\n throw new Error(\"Node /info response did not include nodeId\");\n }\n return info.nodeId;\n }\n\n private async signRawNetworkAuthorization(input: {\n targetNode: string;\n networkId: string;\n action: string;\n facts: NetworkInvocationFact;\n }): Promise<{ authorization: string; invocationCid: string }> {\n if (!this.wasmBindings.invokeAny) {\n throw new Error(\"WASM binding does not support raw-resource invokeAny\");\n }\n if (!this.wasmBindings.computeCid) {\n throw new Error(\"WASM binding does not support invocation CID computation\");\n }\n const session = this.requireServiceSession();\n const headers = this.invokeAnyWithRuntimePermissions(\n session,\n [\n {\n resource: input.networkId,\n service: \"encryption\",\n path: input.networkId,\n action: input.action,\n },\n ],\n [input.facts as Record<string, unknown>],\n );\n const authorization = authorizationHeader(headers);\n const audienceBound = await rewriteInvocationAudience(\n authorization,\n input.targetNode,\n session.jwk,\n );\n return {\n authorization: audienceBound,\n invocationCid: this.wasmBindings.computeCid(\n new TextEncoder().encode(audienceBound),\n 0x55n,\n ),\n };\n }\n\n private createEncryptionService(): EncryptionService {\n const crypto = this.createEncryptionCrypto();\n const transport: DecryptTransport = {\n postDecrypt: async ({ networkId, authorization, canonicalBody }) => {\n const response = await fetch(\n `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}/decrypt`,\n {\n method: \"POST\",\n headers: {\n Authorization: authorization,\n \"Content-Type\": \"application/json\",\n },\n body: canonicalBody,\n },\n );\n if (!response.ok) {\n throw new Error(\n `decrypt failed ${response.status}: ${await response.text()}`,\n );\n }\n return (await response.json()) as DecryptResponseBody;\n },\n };\n return new EncryptionService({\n crypto,\n signer: {\n signDecryptInvocation: async (\n input: BuildDecryptInvocationInput,\n ): Promise<BuiltDecryptInvocation> => {\n const signed = await this.signRawNetworkAuthorization({\n targetNode: input.targetNode,\n networkId: input.networkId,\n action: DECRYPT_ACTION,\n facts: input.facts,\n });\n return {\n ...signed,\n canonicalBody: canonicalizeEncryptionJson(\n input.body as unknown as CanonicalizableEncryptionJson,\n ),\n };\n },\n },\n transport,\n node: {\n fetchByNetworkId: (networkId) => this.getEncryptionNetwork(networkId),\n },\n wellKnown: {\n fetchWellKnown: async (principal, discoveryKey) => {\n if (!this._address \|\| !didPrincipalMatches(principal, this.did)) {\n return null;\n }\n if (!this.config.host) {\n return null;\n }\n const publicSpaceId = makePublicSpaceId(this._address, this._chainId);\n const result = await TinyCloud.readPublicSpace<\n NetworkDescriptor \| { descriptor?: NetworkDescriptor }\n >(this.config.host, publicSpaceId, discoveryKey);\n if (!result.ok) {\n return null;\n }\n const body = result.data as\n \| NetworkDescriptor\n \| { descriptor?: NetworkDescriptor };\n return \"descriptor\" in body && body.descriptor\n ? body.descriptor\n : (body as NetworkDescriptor);\n },\n },\n });\n }\n\n private getEncryptionService(): EncryptionService {\n if (!this._serviceContext) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._encryption) {\n this._encryption = this.createEncryptionService();\n this._encryption.initialize(this._serviceContext);\n this._serviceContext.registerService(\"encryption\", this._encryption);\n }\n return this._encryption;\n }\n\n private createVaultService(spaceId: string, kv: IKVService): DataVaultService {\n const wasm = this.wasmBindings;\n const vaultCrypto = createVaultCrypto({\n vault_encrypt: wasm.vault_encrypt, vault_decrypt: wasm.vault_decrypt, vault_derive_key: wasm.vault_derive_key,\n vault_x25519_from_seed: wasm.vault_x25519_from_seed, vault_x25519_dh: wasm.vault_x25519_dh,\n vault_random_bytes: wasm.vault_random_bytes, vault_sha256: wasm.vault_sha256,\n });\n const self = this;\n return new DataVaultService({\n spaceId,\n crypto: vaultCrypto,\n encryption: {\n networkId: this.getDefaultEncryptionNetworkId(),\n service: this.getEncryptionService(),\n decryptCapabilityProof: () => ({\n proofs: [this.requireServiceSession().delegationCid],\n }),\n },\n tc: {\n kv,\n ensurePublicSpace: async () => {\n try {\n await self.ensurePublicSpace();\n return { ok: true as const, data: undefined };\n } catch (error) {\n return { ok: false as const, error: { code: \"STORAGE_ERROR\", message: error instanceof Error ? error.message : String(error), service: \"vault\" } };\n }\n },\n get publicKV() { return self._publicKV ?? self.tc!.publicKV; },\n readPublicSpace: <T>(host: string, targetSpaceId: string, key: string) =>\n TinyCloud.readPublicSpace<T>(host, targetSpaceId, key),\n makePublicSpaceId: TinyCloud.makePublicSpaceId,\n did: this.did,\n address: this._address ?? \"\",\n chainId: this._chainId,\n hosts: [this.config.host!],\n },\n });\n }\n\n /\n Initialize the v2 delegation system services.\n * @internal\n /\n private initializeV2Services(serviceSession: ServiceSession): void {\n // Initialize CapabilityKeyRegistry\n this._capabilityRegistry = new CapabilityKeyRegistry();\n\n const tcSession = this.auth?.tinyCloudSession;\n // Register the session key with its capabilities\n if (tcSession && this._address) {\n const sessionKey: KeyInfo = {\n id: tcSession.sessionKey,\n did: tcSession.verificationMethod,\n type: \"session\",\n // Cast jwk from generic object to JWK - we know it has the required structure\n jwk: tcSession.jwk as JWK,\n priority: 0, // Session keys have highest priority\n };\n\n // Create root delegation for the session\n const rootDelegation: Delegation = {\n cid: tcSession.delegationCid,\n delegateDID: tcSession.verificationMethod,\n spaceId: tcSession.spaceId,\n path: \"\", // Root access\n actions: [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/\",\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/\",\n ],\n expiry: this.getSessionExpiry(),\n isRevoked: false,\n allowSubDelegation: true,\n };\n\n // Register root delegations\n const delegations = [rootDelegation];\n\n // If session includes additional spaces (e.g., public), register delegations for those too\n if (tcSession.spaces) {\n for (const [spaceName, spaceId] of Object.entries(tcSession.spaces)) {\n delegations.push({\n cid: tcSession.delegationCid,\n delegateDID: tcSession.verificationMethod,\n spaceId,\n path: \"\",\n actions: [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/\",\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/\",\n ],\n expiry: this.getSessionExpiry(),\n isRevoked: false,\n allowSubDelegation: true,\n });\n }\n }\n\n this._capabilityRegistry.registerKey(sessionKey, delegations);\n }\n\n // Initialize DelegationManager\n this._delegationManager = new DelegationManager({\n hosts: [this.config.host!],\n session: serviceSession,\n invoke: this.invokeWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n });\n\n // Initialize SpaceService\n this._spaceService = new SpaceService({\n hosts: [this.config.host!],\n session: serviceSession,\n invoke: this.wasmBindings.invoke,\n fetch: globalThis.fetch.bind(globalThis),\n capabilityRegistry: this._capabilityRegistry,\n userDid: this.did,\n createKVService: (spaceId: string) => {\n return this.createSpaceScopedKVService(spaceId);\n },\n createVaultService: (spaceId: string) => {\n const kvService = this.createSpaceScopedKVService(spaceId);\n const vaultService = this.createVaultService(spaceId, kvService);\n if (this._serviceContext) {\n vaultService.initialize(this._serviceContext);\n }\n return vaultService;\n },\n // Enable space.delegations.create() via SIWE-based delegation\n createDelegation: async (params) => {\n try {\n // Use the existing createDelegation method which calls /delegate with SIWE\n const portableDelegation = await this.createDelegation({\n delegateDID: params.delegateDID,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation,\n expiryMs: params.expiry\n ? params.expiry.getTime() - Date.now()\n : undefined,\n });\n\n // Convert PortableDelegation to Delegation type for Space API\n const delegation: Delegation = {\n cid: portableDelegation.cid,\n delegateDID: portableDelegation.delegateDID,\n delegatorDID: this.did,\n spaceId: portableDelegation.spaceId,\n path: portableDelegation.path,\n actions: portableDelegation.actions,\n expiry: portableDelegation.expiry,\n isRevoked: false,\n allowSubDelegation: !portableDelegation.disableSubDelegation,\n createdAt: new Date(),\n authHeader: portableDelegation.delegationHeader.Authorization,\n };\n\n return { ok: true, data: delegation };\n } catch (error) {\n return {\n ok: false,\n error: {\n code: \"CREATION_FAILED\",\n message: error instanceof Error ? error.message : String(error),\n service: \"delegation\",\n },\n };\n }\n },\n });\n\n // Update SharingService with full capabilities (session + createDelegation)\n // SharingService was initialized in constructor for receive-only access\n this._sharingService.updateConfig({\n session: serviceSession,\n delegationManager: this._delegationManager,\n sessionExpiry: this.getSessionExpiry(),\n // WASM-based delegation creation (preferred - no server roundtrip)\n createDelegationWasm: (params) => this.createDelegationWrapper(params),\n // Root delegation for long-lived share links (bypasses session expiry)\n // In node-sdk we have direct signer access, so no popup needed\n onRootDelegationNeeded: this.signer\n ? async (params) => this.createRootDelegationForSharing(params)\n : undefined,\n });\n\n // Wire up SharingService to SpaceService for space.sharing.generate()\n this._spaceService.updateConfig({\n sharingService: this._sharingService,\n });\n }\n\n /\n Get the session expiry time.\n * @internal\n /\n private getSessionExpiry(): Date {\n // Default to 1 hour from now if not explicitly set\n const expirationMs = this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS;\n return new Date(Date.now() + expirationMs);\n }\n\n /\n Wrapper for the WASM createDelegation function.\n \n The WASM call now takes a multi-resource `abilities` map\n * (matching `prepareSession`'s shape) and emits ONE UCAN that\n * covers every `(service, path, actions)` entry. We mirror the raw\n * result back through `CreateDelegationWasmResult`, converting the\n * seconds-since-epoch `expiry` to a Date and normalizing the\n * `delegateDid` → `delegateDID` case.\n \n Both SharingService (single-entry) and\n * {@link TinyCloudNode.delegateTo} (multi-entry) drive this through\n * the same code path so there's exactly one place that touches the\n * WASM boundary.\n \n @internal\n /\n private createDelegationWrapper(params: CreateDelegationWasmParams): CreateDelegationWasmResult {\n // Convert ServiceSession to the format WASM expects\n const wasmSession = {\n delegationHeader: params.session.delegationHeader,\n delegationCid: params.session.delegationCid,\n jwk: params.session.jwk,\n spaceId: params.session.spaceId,\n verificationMethod: params.session.verificationMethod,\n };\n\n const result = this.wasmBindings.createDelegation(\n wasmSession,\n params.delegateDID,\n params.spaceId,\n params.abilities,\n params.expirationSecs,\n params.notBeforeSecs\n );\n\n return {\n delegation: result.delegation,\n cid: result.cid,\n // Rust serde `rename_all = \"camelCase\"` emits `delegateDid`\n // (lowercase d); the TypeScript interface uses `delegateDID`\n // (historical, matches Delegation.delegateDID). Normalize here.\n delegateDID: result.delegateDid ?? result.delegateDID,\n expiry: new Date(result.expiry 1000),\n resources: result.resources,\n };\n }\n\n /*\n Create a direct root delegation from the wallet to a share key.\n * This bypasses the session delegation chain, allowing share links\n * with expiry longer than the current session.\n * @internal\n /\n private async createRootDelegationForSharing(params: {\n shareKeyDID: string;\n spaceId: string;\n path: string;\n actions: string[];\n requestedExpiry: Date;\n }): Promise<Delegation \| undefined> {\n if (!this.signer) {\n return undefined;\n }\n\n const session = this.currentTinyCloudSession();\n if (!session) {\n return undefined;\n }\n\n try {\n const host = this.config.host!;\n const now = new Date();\n\n // Build abilities for the share key\n const abilities: Record<string, Record<string, string[]>> = {\n kv: {\n [params.path]: params.actions,\n },\n };\n\n // Prepare a direct delegation to the share key (no parents = root delegation)\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: params.requestedExpiry.toISOString(),\n spaceId: params.spaceId,\n delegateUri: params.shareKeyDID,\n });\n\n // Sign with the signer (no popup in node-sdk)\n const signature = await this.signer.signMessage(prepared.siwe);\n\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the delegation with the server\n const activateResult = await activateSessionWithHost(\n host,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n return undefined;\n }\n\n return {\n cid: delegationSession.delegationCid,\n delegateDID: params.shareKeyDID,\n delegatorDID: pkhDid(session.address, session.chainId),\n spaceId: params.spaceId,\n path: params.path,\n actions: params.actions,\n expiry: params.requestedExpiry,\n isRevoked: false,\n allowSubDelegation: true,\n createdAt: now,\n authHeader: delegationSession.delegationHeader.Authorization,\n };\n } catch {\n return undefined;\n }\n }\n\n /\n Track a received delegation in the capability registry.\n * @internal\n /\n private trackReceivedDelegation(delegation: PortableDelegation, jwk: JWK): void {\n if (!this._capabilityRegistry) {\n return;\n }\n\n const keyInfo: KeyInfo = {\n id: `received:${delegation.cid}`,\n did: this.sessionDid,\n type: \"ingested\",\n jwk,\n priority: 2,\n };\n\n // Convert PortableDelegation to Delegation type\n const delegationRecord: Delegation = {\n cid: delegation.cid,\n delegateDID: delegation.delegateDID,\n spaceId: delegation.spaceId,\n path: delegation.path,\n actions: delegation.actions,\n expiry: delegation.expiry,\n isRevoked: false,\n allowSubDelegation: !delegation.disableSubDelegation,\n };\n\n this._capabilityRegistry.ingestKey(keyInfo, delegationRecord);\n }\n\n /\n Key-value storage operations on this user's space.\n /\n get kv(): IKVService {\n if (!this._kv) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._kv;\n }\n\n /\n SQL database operations on this user's space.\n /\n get sql(): ISQLService {\n if (!this._sql) {\n const features = this.nodeFeatures;\n if (features.length > 0 && !features.includes(\"sql\")) {\n throw new UnsupportedFeatureError(\"sql\", this.config.host!, features);\n }\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._sql;\n }\n\n /\n Get an SQL service scoped to a specific space.\n \n Mirrors {@link SpaceService}'s per-space KV factory: clones the active\n * service context and overrides its session's spaceId so that subsequent\n * `sql/<dbName>/<action>` invocations route to that space. Useful when\n * the caller already holds a delegation covering the target space (e.g.\n * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})\n * but the SDK's per-space SQL surface isn't otherwise exposed.\n \n Does NOT auto-create the space.\n \n @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).\n /\n sqlForSpace(spaceId: string): ISQLService {\n if (!this._serviceContext \|\| !this._serviceContext.session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n const sql = new SQLService({});\n const spaceScopedContext = new ServiceContext({\n invoke: this._serviceContext.invoke,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n spaceScopedContext.setSession({ ...this._serviceContext.session, spaceId });\n sql.initialize(spaceScopedContext);\n return sql;\n }\n\n /\n DuckDB database operations on this user's space.\n /\n get duckdb(): IDuckDbService {\n if (!this._duckdb) {\n const features = this.nodeFeatures;\n if (features.length > 0 && !features.includes(\"duckdb\")) {\n throw new UnsupportedFeatureError(\"duckdb\", this.config.host!, features);\n }\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._duckdb;\n }\n\n /\n Data Vault operations - client-side encrypted KV storage.\n * Call `vault.unlock(signer)` after signIn() to derive encryption keys.\n /\n get vault(): IDataVaultService {\n if (!this._vault) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._vault;\n }\n\n /\n Network-scoped encryption/decrypt service.\n /\n get encryption(): IEncryptionService {\n return this.getEncryptionService();\n }\n\n async getEncryptionNetwork(\n nameOrNetworkId = this.getDefaultEncryptionNetworkId(),\n ): Promise<NetworkDescriptor \| null> {\n const networkId = nameOrNetworkId.startsWith(\"urn:tinycloud:encryption:\")\n ? nameOrNetworkId\n : this.getDefaultEncryptionNetworkId(nameOrNetworkId);\n const response = await fetch(\n `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}`,\n );\n if (response.status === 404) {\n return null;\n }\n if (!response.ok) {\n throw new Error(\n `Failed to fetch encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`,\n );\n }\n const body = (await response.json()) as {\n descriptor?: NetworkDescriptor;\n } \| NetworkDescriptor;\n return \"descriptor\" in body && body.descriptor ? body.descriptor : body as NetworkDescriptor;\n }\n\n async createEncryptionNetwork(\n name = DEFAULT_ENCRYPTION_NETWORK_NAME,\n ): Promise<NetworkDescriptor> {\n const targetNode = await this.fetchNodeId();\n const ownerDid = this.did;\n const networkId = this.getDefaultEncryptionNetworkId(name);\n const body = {\n name,\n ownerDid,\n threshold: { n: 1, t: 1 },\n };\n const crypto = this.createEncryptionCrypto();\n const facts = {\n type: NETWORK_ADMIN_TYPE,\n targetNode,\n networkId,\n bodyHash: canonicalHashHex(\n crypto.sha256,\n body as unknown as CanonicalizableEncryptionJson,\n ),\n action: NETWORK_CREATE_ACTION,\n };\n const signed = await this.signRawNetworkAuthorization({\n targetNode,\n networkId,\n action: NETWORK_CREATE_ACTION,\n facts,\n });\n const response = await fetch(`${this.config.host}/encryption/networks`, {\n method: \"POST\",\n headers: {\n Authorization: signed.authorization,\n \"Content-Type\": \"application/json\",\n },\n body: canonicalizeEncryptionJson(\n body as unknown as CanonicalizableEncryptionJson,\n ),\n });\n if (!response.ok) {\n throw new Error(\n `Failed to create encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`,\n );\n }\n const created = (await response.json()) as { descriptor: NetworkDescriptor };\n return created.descriptor;\n }\n\n async ensureEncryptionNetwork(\n name = DEFAULT_ENCRYPTION_NETWORK_NAME,\n ): Promise<NetworkDescriptor> {\n const existing = await this.getEncryptionNetwork(name);\n if (existing) {\n return existing;\n }\n return this.createEncryptionNetwork(name);\n }\n\n /\n App-facing secrets API backed by the `secrets` space vault.\n /\n get secrets(): ISecretsService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._secrets) {\n this._secrets = new NodeSecretsService({\n getService: () => this.getBaseSecrets(),\n getManifest: () => this.manifest,\n hasPermissions: (permissions) => this.hasRuntimePermissions(permissions),\n grantPermissions: (additional) => this.grantRuntimePermissions(additional),\n canEscalate: () => this.signer !== undefined && this.tc !== undefined,\n getEncryptionNetworkId: () => this.getDefaultEncryptionNetworkId(),\n getUnlockSigner: () => this.signer ?? undefined,\n });\n }\n return this._secrets;\n }\n\n private getBaseSecrets(): ISecretsService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._baseSecrets) {\n this._baseSecrets = new SecretsService(() => this.space(\"secrets\").vault);\n }\n return this._baseSecrets;\n }\n\n /\n Hooks write stream subscription API.\n /\n get hooks(): IHooksService {\n if (!this._hooks) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._hooks;\n }\n\n // ===========================================================================\n // v2 Service Accessors\n // ===========================================================================\n\n /\n Get the CapabilityKeyRegistry for managing keys and their capabilities.\n \n The registry tracks keys (session, main, ingested) and their associated\n * delegations, enabling automatic key selection for operations.\n \n @example\n * ```typescript\n * const registry = alice.capabilityRegistry;\n \n // Get the best key for an operation\n * const key = registry.getKeyForCapability(\n * \"tinycloud://my-space/kv/data\",\n * \"tinycloud.kv/get\"\n * );\n \n // List all capabilities\n * const capabilities = registry.getAllCapabilities();\n * ```\n /\n get capabilityRegistry(): ICapabilityKeyRegistry {\n if (!this._capabilityRegistry) {\n throw new Error(\"CapabilityKeyRegistry not initialized.\");\n }\n return this._capabilityRegistry;\n }\n\n /\n Access received delegations (recipient view).\n \n Use this to see what delegations have been received via useDelegation().\n \n @example\n * ```typescript\n * // List all received delegations\n * const received = bob.delegations.list();\n * console.log(\"I have access to:\", received.length, \"spaces\");\n \n // Get a specific delegation by CID\n * const delegation = bob.delegations.get(cid);\n * ```\n /\n get delegations(): {\n /* List all received delegations /\n list: () => Delegation[];\n /* Get a delegation by CID /\n get: (cid: string) => Delegation \| undefined;\n } {\n const registry = this._capabilityRegistry;\n if (!registry) {\n return {\n list: () => [],\n get: () => undefined,\n };\n }\n\n return {\n list: () => registry.getAllCapabilities().map((entry) => entry.delegation),\n get: (cid: string) => {\n const capabilities = registry.getAllCapabilities();\n const entry = capabilities.find((e) => e.delegation.cid === cid);\n return entry?.delegation;\n },\n };\n }\n\n /\n Check whether the current session or an approved runtime delegation covers\n * every requested permission.\n /\n hasRuntimePermissions(permissions: PermissionEntry[]): boolean {\n const session = this.currentTinyCloudSession();\n if (!session \|\| !Array.isArray(permissions) \|\| permissions.length === 0) {\n return false;\n }\n\n const expanded = this.expandPermissionEntries(permissions);\n if (this.sessionCoversPermissionEntries(session, expanded)) {\n return true;\n }\n\n return this.findRuntimeGrantsForPermissionEntries(expanded, session).length > 0;\n }\n\n /\n Return installed runtime permission delegations. When `permissions` is\n * provided, only delegations currently covering those permissions are\n * returned. Base-session manifest permissions are not represented here.\n /\n getRuntimePermissionDelegations(\n permissions?: PermissionEntry[],\n ): PortableDelegation[] {\n this.pruneExpiredRuntimePermissionGrants();\n if (permissions === undefined) {\n return this.runtimePermissionGrants.map((grant) => grant.delegation);\n }\n\n const session = this.currentTinyCloudSession();\n if (!session \|\| !Array.isArray(permissions) \|\| permissions.length === 0) {\n return [];\n }\n const expanded = this.expandPermissionEntries(permissions);\n return this.findRuntimeGrantsForPermissionEntries(expanded, session).map(\n (grant) => grant.delegation,\n );\n }\n\n /\n Install a portable runtime permission delegation into this SDK instance so\n * matching service calls and downstream `delegateTo()` calls can use it.\n /\n async useRuntimeDelegation(delegation: PortableDelegation): Promise<void> {\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n if (delegation.expiry.getTime() <= Date.now()) {\n throw new SessionExpiredError(delegation.expiry);\n }\n\n const expectedDids = [session.verificationMethod, this.sessionDid];\n if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {\n throw new Error(\n `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`,\n );\n }\n\n const targetHost = delegation.host ?? this.config.host!;\n const activateResult = await activateSessionWithHost(\n targetHost,\n delegation.delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate runtime permission delegation: ${activateResult.error}`,\n );\n }\n\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) => grant.delegation.cid !== delegation.cid,\n );\n this.runtimePermissionGrants.push(\n this.runtimeGrantFromDelegation(delegation, session),\n );\n }\n\n /\n Store additional permissions as narrow delegations to the current session\n * key. Future service invocations automatically use a stored delegation when\n * its `(space, service, path, action)` covers the request.\n /\n async grantRuntimePermissions(\n permissions: PermissionEntry[],\n options?: RuntimePermissionGrantOptions,\n ): Promise<PortableDelegation[]> {\n if (!Array.isArray(permissions) \|\| permissions.length === 0) {\n throw new Error(\"grantRuntimePermissions requires a non-empty permissions array\");\n }\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n\n const sessionExpiry = extractSiweExpiration(session.siwe);\n if (sessionExpiry !== undefined) {\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (sessionExpiry.getTime() <= Date.now() + marginMs) {\n throw new SessionExpiredError(sessionExpiry);\n }\n }\n\n const expanded = this.expandPermissionEntries(permissions);\n if (this.sessionCoversPermissionEntries(session, expanded)) {\n return [];\n }\n\n const existingGrants = this.findRuntimeGrantsForPermissionEntries(expanded, session);\n if (existingGrants.length > 0) {\n return existingGrants.map((grant) => grant.delegation);\n }\n if (!this.signer) {\n throw new Error(\n \"grantRuntimePermissions requires wallet mode with a signer or privateKey.\",\n );\n }\n\n const rawEntries = expanded.filter((entry) =>\n this.isEncryptionPermissionEntry(entry)\n );\n const spaceEntries = expanded.filter((entry) =>\n !this.isEncryptionPermissionEntry(entry)\n );\n\n const bySpace = new Map<string, PermissionEntry[]>();\n for (const entry of spaceEntries) {\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n const current = bySpace.get(spaceId) ?? [];\n current.push(entry);\n bySpace.set(spaceId, current);\n }\n if (bySpace.size === 0 && rawEntries.length > 0) {\n bySpace.set(session.spaceId, []);\n }\n\n const now = new Date();\n const requestedExpiryMs = resolveExpiryMs(options?.expiry);\n let expiresAt = new Date(now.getTime() + requestedExpiryMs);\n if (sessionExpiry !== undefined && sessionExpiry < expiresAt) {\n expiresAt = sessionExpiry;\n }\n\n const delegations: PortableDelegation[] = [];\n let rawEntriesAttached = false;\n for (const [spaceId, entries] of bySpace) {\n const rawForDelegation = !rawEntriesAttached ? rawEntries : [];\n if (rawForDelegation.length > 0) {\n rawEntriesAttached = true;\n }\n const delegatedEntries = [...entries, ...rawForDelegation];\n const abilities = this.permissionsToAbilities(entries);\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n ...(rawForDelegation.length > 0\n ? { rawAbilities: this.permissionsToRawAbilities(rawForDelegation) }\n : {}),\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expiresAt.toISOString(),\n spaceId,\n jwk: session.jwk,\n });\n\n const signature = await this.signer.signMessage(prepared.siwe);\n const delegatedSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegatedSession.delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate runtime permission delegation: ${activateResult.error}`,\n );\n }\n\n const delegation = this.runtimeDelegationFromSession(\n delegatedSession,\n delegatedEntries,\n spaceId,\n session,\n expiresAt,\n );\n this.runtimePermissionGrants.push({\n session: {\n delegationHeader: delegatedSession.delegationHeader,\n delegationCid: delegatedSession.delegationCid,\n spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation,\n operations: this.permissionOperations(delegatedEntries, spaceId),\n expiresAt,\n });\n delegations.push(delegation);\n }\n\n return delegations;\n }\n\n /\n Get the DelegationManager for delegation CRUD operations.\n \n This is the v2 delegation service providing a cleaner API than\n * the legacy createDelegation/useDelegation methods.\n \n @example\n * ```typescript\n * const delegations = alice.delegationManager;\n \n // Create a delegation\n * const result = await delegations.create({\n * delegateDID: bob.did,\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours\n * });\n \n // List delegations\n * const listResult = await delegations.list();\n \n // Revoke a delegation\n * await delegations.revoke(delegationCid);\n * ```\n /\n get delegationManager(): DelegationManager {\n if (!this._delegationManager) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._delegationManager;\n }\n\n /\n Get the SpaceService for managing spaces.\n \n The SpaceService provides access to owned and delegated spaces,\n * including space creation, listing, and scoped operations.\n \n @example\n * ```typescript\n * const spaces = alice.spaces;\n \n // List all accessible spaces\n * const result = await spaces.list();\n \n // Create a new space\n * const createResult = await spaces.create('photos');\n \n // Get a space object for operations\n * const mySpace = spaces.get('default');\n * await mySpace.kv.put('key', 'value');\n \n // Check if a space exists\n * const exists = await spaces.exists('photos');\n * ```\n /\n get spaces(): ISpaceService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._spaceService;\n }\n\n /\n Alias for `spaces` - get the SpaceService.\n * @see spaces\n /\n get spaceService(): ISpaceService {\n return this.spaces;\n }\n\n /\n Get a Space object by short name or full URI.\n /\n space(nameOrUri: string): ISpace {\n return this.spaces.get(nameOrUri);\n }\n\n /\n Get the SharingService for creating and receiving v2 sharing links.\n \n The SharingService creates sharing links with embedded private keys,\n * allowing recipients to exercise delegations without prior session setup.\n \n @example\n * ```typescript\n * const sharing = alice.sharing;\n \n // Generate a sharing link\n * const result = await sharing.generate({\n * path: \"/kv/documents/report.pdf\",\n * actions: [\"tinycloud.kv/get\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000),\n * });\n \n if (result.ok) {\n * console.log(\"Share URL:\", result.data.url);\n * // Send the URL to the recipient\n * }\n \n // Receive a sharing link\n * const receiveResult = await sharing.receive(shareUrl);\n * if (receiveResult.ok) {\n * // Use the pre-configured KV service\n * const data = await receiveResult.data.kv.get(\"report.pdf\");\n * }\n * ```\n /\n get sharing(): ISharingService {\n // SharingService is initialized in constructor for receive-only access\n // Full capabilities (generate) are added after signIn()\n return this._sharingService;\n }\n\n /\n Alias for `sharing` - get the SharingService.\n * @see sharing\n /\n get sharingService(): ISharingService {\n return this.sharing;\n }\n\n // ===========================================================================\n // Public Space Methods\n // ===========================================================================\n\n /\n Ensure the user's public space exists and is accessible.\n * Creates the space and activates a session delegation for it.\n * This is the trigger for lazy public space creation — call it\n * before writing to spaces.get('public').kv.\n /\n async ensurePublicSpace() {\n if (!this.auth \|\| !this.session \|\| !this.signer) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n const publicSpaceId = this.session.spaces?.public;\n if (!publicSpaceId) {\n throw new Error(\"Public space not enabled. Set enablePublicSpace: true in config.\");\n }\n\n // Create the public space on the server (host SIWE)\n await (this.auth as NodeUserAuthorization).hostPublicSpace(publicSpaceId);\n\n // Create a session delegation for the public space using the session key JWK.\n // This mirrors the primary session flow (prepareSession with jwk), ensuring\n // the delegation targets the session key — not the PKH DID — so that\n // invoke() requests signed by the session key are properly authorized.\n const kvActions = [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ];\n const abilities = { kv: { \"\": kvActions } };\n const now = new Date();\n // EPHEMERAL tier — this sub-delegation is auto-derived from the\n // session and re-issued whenever the SDK touches the public space,\n // so a short lifetime bounds replay without forcing user re-prompts.\n const expiryMs = EXPIRY.EPHEMERAL_MS;\n const expirationTime = new Date(now.getTime() + expiryMs);\n\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(this.session.address),\n chainId: this.session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: publicSpaceId,\n jwk: this.session.jwk,\n parents: [this.session.delegationCid],\n });\n\n const signature = await this.signer.signMessage(prepared.siwe);\n\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate public space delegation: ${activateResult.error}`);\n }\n\n // Register the delegation in the capability registry so\n // spaces.get('public').kv operations are authorized\n if (this._capabilityRegistry && this.session) {\n const sessionKey: KeyInfo = {\n id: this.session.sessionKey,\n did: this.session.verificationMethod,\n type: \"session\",\n jwk: this.session.jwk as JWK,\n priority: 0,\n };\n this._capabilityRegistry.registerKey(sessionKey, [{\n cid: delegationSession.delegationCid,\n delegateDID: this.session.verificationMethod,\n spaceId: publicSpaceId,\n path: \"\",\n actions: kvActions,\n expiry: expirationTime,\n isRevoked: false,\n allowSubDelegation: true,\n }]);\n }\n\n // Cache a properly authorized public KV service using the new delegation\n if (this._serviceContext) {\n const publicKV = new KVService({ prefix: \"\" });\n const publicContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n publicContext.setSession({\n delegationHeader: delegationSession.delegationHeader,\n delegationCid: delegationSession.delegationCid,\n spaceId: publicSpaceId,\n verificationMethod: this.session.verificationMethod,\n jwk: this.session.jwk,\n });\n publicKV.initialize(publicContext);\n this._publicKV = publicKV;\n }\n }\n\n /\n Get a KVService scoped to the user's own public space.\n * Writes require authentication (owner/delegate).\n /\n get publicKV(): IKVService {\n if (this._publicKV) {\n return this._publicKV;\n }\n if (!this.tc) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this.tc.publicKV;\n }\n\n // ===========================================================================\n // v2 Delegation Convenience Methods\n // ===========================================================================\n\n /\n Create a delegation using the v2 DelegationManager.\n \n This is a convenience method that wraps DelegationManager.create().\n * For more control, use `this.delegationManager` directly.\n \n @param params - Delegation parameters\n * @returns Result containing the created Delegation\n \n @example\n * ```typescript\n * const result = await alice.delegate({\n * delegateDID: bob.did,\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000),\n * });\n \n if (result.ok) {\n * console.log(\"Delegation created:\", result.data.cid);\n * }\n * ```\n /\n async delegate(params: CreateDelegationParams): Promise<DelegationResult<Delegation>> {\n return this.delegationManager.create(params);\n }\n\n /\n Revoke a delegation using the v2 DelegationManager.\n \n @param cid - The CID of the delegation to revoke\n * @returns Result indicating success or failure\n /\n async revokeDelegation(cid: string): Promise<DelegationResult<void>> {\n return this.delegationManager.revoke(cid);\n }\n\n /\n List all delegations for the current session's space.\n \n @returns Result containing an array of Delegations\n /\n async listDelegations(): Promise<DelegationResult<Delegation[]>> {\n return this.delegationManager.list();\n }\n\n /\n Check if the current session has permission for a path and action.\n \n @param path - The resource path to check\n * @param action - The action to check (e.g., \"tinycloud.kv/get\")\n * @returns Result containing boolean permission status\n /\n async checkPermission(path: string, action: string): Promise<DelegationResult<boolean>> {\n return this.delegationManager.checkPermission(path, action);\n }\n\n // ===========================================================================\n // Capability-chain delegation (spec: .claude/specs/capability-chain.md)\n // ===========================================================================\n\n /\n Safety margin before the session's own expiry at which {@link delegateTo}\n * will refuse to issue a derived delegation. Prevents issuing sub-delegations\n * that would be invalid by the time the recipient used them. Spec: 60 seconds.\n \n @internal\n /\n private static readonly SESSION_EXPIRY_SAFETY_MARGIN_MS = 60_000;\n\n /\n Issue a delegation using the capability-chain flow.\n \n When every requested permission is a subset of the current\n * session's recap, or of one installed runtime permission delegation,\n * the delegation is signed by the session key via WASM — no wallet\n * prompt. When at least one is NOT derivable, a\n * {@link PermissionNotInManifestError} is raised (carrying the\n * missing entries) so the caller can trigger an escalation flow\n * (e.g. `TinyCloudWeb.requestPermissions`). Passing\n * `forceWalletSign: true` bypasses the derivability check and\n * always uses the wallet-signed SIWE path — used by the legacy\n * `createDelegation` fallback and by callers that want explicit\n * wallet confirmation.\n \n Multi-entry delegations are now emitted as one signed UCAN:\n * the underlying WASM `createDelegation` takes a full\n * `HashMap<Service, HashMap<Path, Vec<Ability>>>` abilities map\n * and produces a single attenuation carrying every\n * `(service, path, actions)` entry. The returned\n * {@link DelegateToResult.delegation} is that single blob, and\n * apps can POST it to their backend exactly like a single-entry\n * delegation (the server verifies all granted resources from one\n * UCAN).\n \n For single-entry requests the `PortableDelegation.path` and\n * `.actions` fields mirror the one granted entry. For\n * multi-entry requests they mirror the first entry (stable\n * lexicographic order from the Rust side); consumers that need\n * the full picture read `PortableDelegation.resources`.\n \n @throws {@link SessionExpiredError} when there is no session or\n * the current session has expired (or will within the 60s\n * safety margin).\n * @throws {@link PermissionNotInManifestError} when any requested\n * entry is not a subset of the granted session capabilities and\n * `forceWalletSign` is not set.\n /\n async delegateTo(\n did: string,\n permissions: PermissionEntry[],\n options?: DelegateToOptions,\n ): Promise<DelegateToResult> {\n // 1. Session validity check — fail fast with a clear error class so\n // callers can catch and trigger a fresh sign-in.\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n const sessionExpiry = extractSiweExpiration(session.siwe);\n if (sessionExpiry !== undefined) {\n const now = Date.now();\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (sessionExpiry.getTime() <= now + marginMs) {\n throw new SessionExpiredError(sessionExpiry);\n }\n }\n\n // 2. Input validation. Empty arrays and non-arrays both fail here so\n // downstream code can safely assume at least one entry.\n if (!Array.isArray(permissions) \|\| permissions.length === 0) {\n throw new Error(\n \"delegateTo requires a non-empty permissions array\",\n );\n }\n\n // 3. Defensively expand any short-form action names into full URNs\n // for every entry so the subset check and downstream WASM call\n // both see canonical form. This also deep-copies the entries so\n // we don't mutate caller-owned data.\n const expandedEntries = this.expandPermissionEntries(permissions);\n\n // 4. Compute expiration. `options.expiry` overrides the default 1h.\n // ms-format (\"7d\") or raw millisecond count both accepted. Cap\n // at the session's own expiry so we never emit a UCAN whose\n // validity exceeds the parent chain.\n const now = new Date();\n const expiryMs = resolveExpiryMs(options?.expiry);\n const expirationTime = new Date(now.getTime() + expiryMs);\n let effectiveExpiration = expirationTime;\n if (sessionExpiry !== undefined && sessionExpiry < expirationTime) {\n effectiveExpiration = sessionExpiry;\n }\n\n // 5. forceWalletSign short-circuit → always legacy path. The\n // legacy wallet path currently handles one `(space, path)` at\n // a time, so we only support single-entry when forced. Callers\n // that need multi-entry wallet-signed delegations should issue\n // them via the legacy `createDelegation` which loops internally\n // (or just not pass `forceWalletSign: true`).\n if (options?.forceWalletSign) {\n if (expandedEntries.length > 1) {\n throw new Error(\n \"delegateTo with forceWalletSign=true supports at most one \" +\n \"PermissionEntry. Multi-entry requests must go through the \" +\n \"session-key UCAN path (drop forceWalletSign) or the legacy \" +\n \"createDelegation method.\",\n );\n }\n const delegation = await this.createDelegationLegacyWalletPath(\n did,\n expandedEntries[0],\n effectiveExpiration,\n );\n return { delegation, prompted: true };\n }\n\n // 6. Derivability check across ALL entries. If any entry is not a\n // subset of the granted session capabilities, the whole call\n // fails with a typed error carrying the missing entries — we do\n // NOT partially issue and drop the failing ones, because that\n // would produce a delegation the caller didn't ask for.\n //\n // `parseRecapCapabilities` is a thin wrapper around the\n // injected WASM binding; the binding is required because\n // `IWasmBindings` declares `parseRecapFromSiwe` as mandatory.\n // If the runtime binding hasn't been updated, this call will\n // surface a clear TypeError rather than silently falling\n // through.\n const granted = parseRecapCapabilities(\n (siwe: string) => this.wasmBindings.parseRecapFromSiwe(siwe),\n session.siwe,\n );\n const { subset, missing } = isCapabilitySubset(expandedEntries, granted);\n\n if (!subset) {\n const runtimeGrant = this.findGrantForOperations(\n this.permissionEntriesToOperations(expandedEntries, session),\n );\n if (runtimeGrant) {\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (runtimeGrant.expiresAt.getTime() <= Date.now() + marginMs) {\n throw new SessionExpiredError(runtimeGrant.expiresAt);\n }\n const runtimeExpiration =\n runtimeGrant.expiresAt < effectiveExpiration\n ? runtimeGrant.expiresAt\n : effectiveExpiration;\n const delegation = await this.createDelegationViaRuntimeGrant(\n did,\n expandedEntries,\n runtimeExpiration,\n runtimeGrant,\n );\n return { delegation, prompted: false };\n }\n throw new PermissionNotInManifestError(missing, granted);\n }\n\n // 7. Subset path — sign ONE sub-delegation with the session key\n // via WASM that carries every requested entry. No wallet\n // prompt. `createDelegationViaWasmPath` builds the\n // multi-resource abilities map and returns a single\n // PortableDelegation whose `.resources` field lists every\n // granted entry.\n const delegation = await this.createDelegationViaWasmPath(\n did,\n expandedEntries,\n effectiveExpiration,\n session,\n );\n return { delegation, prompted: false };\n }\n\n /\n Materialize one manifest-declared delegation using the current session key.\n * Delivery is intentionally out of band; callers decide how to transmit the\n * returned UCAN to the delegate.\n /\n async materializeDelegation(\n did: string,\n request: ComposedManifestRequest \| undefined = this.capabilityRequest,\n ): Promise<DelegateToResult & { target: ResolvedDelegate }> {\n if (!request) {\n throw new Error(\n \"materializeDelegation requires a composed manifest request\",\n );\n }\n const target = request.delegationTargets.find((entry) =>\n didPrincipalMatches(entry.did, did),\n );\n if (!target) {\n throw new Error(`No manifest delegation target found for DID ${did}`);\n }\n const result = await this.delegateTo(target.did, target.permissions, {\n expiry: target.expiryMs,\n });\n return { ...result, target };\n }\n\n /\n Materialize every delegation target declared by the composed manifest\n * request. This does not deliver the delegations anywhere.\n /\n async materializeDelegations(\n request: ComposedManifestRequest \| undefined = this.capabilityRequest,\n ): Promise<Array<DelegateToResult & { target: ResolvedDelegate }>> {\n if (!request) {\n throw new Error(\n \"materializeDelegations requires a composed manifest request\",\n );\n }\n const out: Array<DelegateToResult & { target: ResolvedDelegate }> = [];\n for (const target of request.delegationTargets) {\n out.push(await this.materializeDelegation(target.did, request));\n }\n return out;\n }\n\n /\n Issue a delegation via the session-key UCAN WASM path.\n \n The caller has already verified every entry is derivable from\n * the current session; we build one multi-resource abilities map\n * and emit one signed UCAN covering them all.\n \n Non-encryption entries must share the same target space. Encryption\n * entries are raw network URNs and do not participate in space grouping.\n \n @internal\n /\n private async createDelegationViaWasmPath(\n did: string,\n entries: PermissionEntry[],\n expirationTime: Date,\n session: TinyCloudSession,\n ): Promise<PortableDelegation> {\n if (entries.length === 0) {\n throw new Error(\n \"createDelegationViaWasmPath requires a non-empty entries array\",\n );\n }\n\n // Translate non-raw manifest `space` fields into the server-side\n // spaceId. Encryption entries target raw network URNs, not spaces.\n const resolvedSpaces = new Set<string>();\n for (const entry of entries) {\n if (this.isEncryptionPermissionEntry(entry)) {\n continue;\n }\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n resolvedSpaces.add(spaceId);\n }\n if (resolvedSpaces.size > 1) {\n throw new Error(\n `delegateTo: all permission entries must target the same space, got ${resolvedSpaces.size}: ${JSON.stringify([...resolvedSpaces])}`,\n );\n }\n const spaceId = resolvedSpaces.size === 1\n ? [...resolvedSpaces][0]\n : session.spaceId;\n\n // Convert entries to the WASM abilities shape. Each entry's\n // `service` is the long form (e.g. \"tinycloud.kv\") which we\n // translate to the short form keyed by the abilities map. Raw\n // encryption network entries stay in this map because the Rust\n // create_delegation boundary special-cases network URNs into raw\n // resources while preserving the legacy spaceId parameter.\n // Multiple entries on the same (service, path) merge and dedupe\n // their action lists — unusual in practice (the subset check\n // should have pruned dupes already) but cheap and safe.\n const abilities: AbilitiesMap = {};\n for (const entry of entries) {\n const shortService = SERVICE_LONG_TO_SHORT[entry.service];\n if (shortService === undefined) {\n throw new Error(\n `delegateTo: unknown service '${entry.service}' — no short-form mapping`,\n );\n }\n if (abilities[shortService] === undefined) {\n abilities[shortService] = {};\n }\n const pathsMap = abilities[shortService];\n const existing = pathsMap[entry.path];\n if (existing === undefined) {\n pathsMap[entry.path] = [...entry.actions];\n } else {\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n }\n }\n\n // Build ServiceSession from TinyCloudSession. This mirrors how\n // SharingService hands sessions to createDelegationWrapper.\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n jwk: session.jwk,\n spaceId,\n verificationMethod: session.verificationMethod,\n };\n\n const expirationSecs = Math.floor(expirationTime.getTime() / 1000);\n const result = this.createDelegationWrapper({\n session: serviceSession,\n delegateDID: did,\n spaceId,\n abilities,\n expirationSecs,\n });\n\n // Translate the WASM result into a PortableDelegation. We don't\n // have a structured delegation header from the WASM path, so we\n // synthesize one from the serialized delegation (the recipient\n // decodes it via `deserializeDelegation`).\n //\n // The flat `.path` and `.actions` fields mirror the first\n // resource — stable because the Rust side sorts by\n // (service, path) before signing. Consumers that need the full\n // multi-resource picture read `.resources`.\n const primary = result.resources[0];\n // Use the raw JWT without a \"Bearer \" prefix. The host's HeaderEncode\n // decoder passes the header value directly to Ucan::decode(), which\n // expects a bare JWT string. The wallet-signed CACAO path also uses\n // raw base64 without any prefix. Adding \"Bearer \" causes a parse\n // failure that surfaces as a 401 from the host.\n const delegationHeader = { Authorization: result.delegation };\n\n // Activate the delegation with the host so downstream consumers (e.g.\n // a backend calling useDelegation) can find it by CID when building\n // their invoker SIWE. The host validates the UCAN's parent chain\n // (session key → wallet SIWE) to confirm authority.\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate delegation with host: ${activateResult.error}`,\n );\n }\n\n return {\n cid: result.cid,\n delegationHeader,\n spaceId,\n path: primary.path,\n actions: primary.actions,\n resources: result.resources,\n disableSubDelegation: false,\n expiry: result.expiry,\n delegateDID: did,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n\n private async createDelegationViaRuntimeGrant(\n did: string,\n entries: PermissionEntry[],\n expirationTime: Date,\n grant: RuntimePermissionGrant,\n ): Promise<PortableDelegation> {\n const result = this.createDelegationWrapper({\n session: grant.session,\n delegateDID: did,\n spaceId: grant.session.spaceId,\n abilities: this.permissionsToAbilities(entries),\n expirationSecs: Math.floor(expirationTime.getTime() / 1000),\n });\n\n const primary = result.resources[0];\n const delegationHeader = { Authorization: result.delegation };\n const targetHost = grant.delegation.host ?? this.config.host!;\n const activateResult = await activateSessionWithHost(\n targetHost,\n delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate delegation with host: ${activateResult.error}`,\n );\n }\n\n return {\n cid: result.cid,\n delegationHeader,\n spaceId: grant.session.spaceId,\n path: primary.path,\n actions: primary.actions,\n resources: result.resources,\n disableSubDelegation: false,\n expiry: result.expiry,\n delegateDID: did,\n ownerAddress: grant.delegation.ownerAddress,\n chainId: grant.delegation.chainId,\n host: targetHost,\n };\n }\n\n private resolvePermissionSpace(\n space: string \| undefined,\n session: TinyCloudSession,\n ): string {\n if (space === undefined) {\n return this.wasmBindings.makeSpaceId(\n session.address,\n session.chainId,\n \"applications\",\n );\n }\n if (space === \"default\") {\n return session.spaceId;\n }\n if (space.startsWith(\"tinycloud:\")) {\n return space;\n }\n return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);\n }\n\n private expandPermissionEntries(\n permissions: PermissionEntry[],\n ): PermissionEntry[] {\n return expandPermissionEntriesCore(permissions);\n }\n\n private shortServiceName(service: string): string {\n const short = SERVICE_LONG_TO_SHORT[service];\n if (short === undefined) {\n throw new Error(\n `unknown service '${service}' — no short-form mapping`,\n );\n }\n return short;\n }\n\n private permissionsToAbilities(entries: PermissionEntry[]): AbilitiesMap {\n const abilities: AbilitiesMap = {};\n for (const entry of entries) {\n const service = this.shortServiceName(entry.service);\n abilities[service] ??= {};\n const existing = abilities[service][entry.path] ?? [];\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n abilities[service][entry.path] = existing;\n }\n return abilities;\n }\n\n private isEncryptionPermissionEntry(entry: PermissionEntry): boolean {\n return entry.service === ENCRYPTION_PERMISSION_SERVICE &&\n entry.path.startsWith(\"urn:tinycloud:encryption:\");\n }\n\n private permissionsToRawAbilities(\n entries: PermissionEntry[],\n ): Record<string, string[]> {\n const rawAbilities: Record<string, string[]> = {};\n for (const entry of entries) {\n if (!this.isEncryptionPermissionEntry(entry)) {\n continue;\n }\n const existing = rawAbilities[entry.path] ?? [];\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n rawAbilities[entry.path] = existing;\n }\n return rawAbilities;\n }\n\n private permissionOperations(\n entries: PermissionEntry[],\n spaceId: string,\n ): RuntimePermissionOperation[] {\n return entries.flatMap((entry) => {\n const service = this.shortServiceName(entry.service);\n return entry.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, entry.path)\n ? { resource: entry.path }\n : { spaceId }),\n service,\n path: entry.path,\n action,\n }));\n });\n }\n\n private sessionCoversPermissionEntries(\n session: TinyCloudSession,\n entries: PermissionEntry[],\n ): boolean {\n try {\n const granted = parseRecapCapabilities(\n (siwe: string) => this.wasmBindings.parseRecapFromSiwe(siwe),\n session.siwe,\n );\n return isCapabilitySubset(entries, granted).subset;\n } catch {\n return false;\n }\n }\n\n private permissionEntriesToOperations(\n entries: PermissionEntry[],\n session: TinyCloudSession,\n ): RuntimePermissionOperation[] {\n return entries.flatMap((entry) => {\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n const service = this.shortServiceName(entry.service);\n return entry.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, entry.path)\n ? { resource: entry.path }\n : { spaceId }),\n service,\n path: entry.path,\n action,\n }));\n });\n }\n\n private findRuntimeGrantsForPermissionEntries(\n entries: PermissionEntry[],\n session: TinyCloudSession,\n ): RuntimePermissionGrant[] {\n const grants: RuntimePermissionGrant[] = [];\n const operations = this.permissionEntriesToOperations(entries, session);\n if (operations.length === 0) {\n return grants;\n }\n\n for (const operation of operations) {\n const grant = this.findGrantForOperation(operation);\n if (!grant) {\n return [];\n }\n if (!grants.includes(grant)) {\n grants.push(grant);\n }\n }\n return grants;\n }\n\n private runtimeDelegationFromSession(\n delegatedSession: {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n },\n entries: PermissionEntry[],\n spaceId: string,\n session: TinyCloudSession,\n expiresAt: Date,\n ): PortableDelegation {\n const resources = this.delegatedResourcesForEntries(entries, spaceId);\n const primary = resources[0];\n return {\n cid: delegatedSession.delegationCid,\n delegationHeader: delegatedSession.delegationHeader,\n spaceId,\n path: primary.path,\n actions: primary.actions,\n resources,\n disableSubDelegation: false,\n expiry: expiresAt,\n delegateDID: session.verificationMethod,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n\n private runtimeGrantFromDelegation(\n delegation: PortableDelegation,\n session: TinyCloudSession,\n ): RuntimePermissionGrant {\n const operations = this.operationsFromDelegation(delegation);\n return {\n session: {\n delegationHeader: delegation.delegationHeader,\n delegationCid: delegation.cid,\n spaceId: delegation.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation,\n operations,\n expiresAt: delegation.expiry,\n };\n }\n\n private installRuntimeGrantFromServiceSession(\n delegation: PortableDelegation,\n session: ServiceSession,\n expiresAt: Date,\n ): void {\n const operations = this.operationsFromDelegation(delegation);\n if (operations.length === 0) {\n return;\n }\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) =>\n grant.delegation.cid !== delegation.cid &&\n grant.session.delegationCid !== session.delegationCid,\n );\n this.runtimePermissionGrants.push({\n session,\n delegation,\n operations,\n expiresAt,\n });\n }\n\n private delegatedResourcesForEntries(\n entries: PermissionEntry[],\n spaceId: string,\n ): DelegatedResource[] {\n return entries.map((entry) => ({\n service: this.shortServiceName(entry.service),\n space: this.isEncryptionPermissionEntry(entry) ? \"encryption\" : spaceId,\n path: entry.path,\n actions: [...entry.actions],\n }));\n }\n\n private operationsFromDelegation(\n delegation: PortableDelegation,\n ): RuntimePermissionOperation[] {\n const resources =\n delegation.resources !== undefined && delegation.resources.length > 0\n ? delegation.resources\n : this.flatDelegationResources(delegation);\n\n return resources.flatMap((resource) => {\n const service = this.invocationServiceName(resource.service);\n return resource.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, resource.path)\n ? { resource: resource.path }\n : { spaceId: resource.space }),\n service,\n path: resource.path,\n action,\n }));\n });\n }\n\n private flatDelegationResources(\n delegation: PortableDelegation,\n ): DelegatedResource[] {\n const byService = new Map<string, string[]>();\n for (const action of delegation.actions) {\n const service = this.shortServiceName(action.split(\"/\")[0]);\n const actions = byService.get(service) ?? [];\n actions.push(action);\n byService.set(service, actions);\n }\n return [...byService.entries()].map(([service, actions]) => ({\n service,\n space: delegation.spaceId,\n path: delegation.path,\n actions,\n }));\n }\n\n private selectInvocationSession(\n fallback: ServiceSession,\n service: string,\n path: string,\n action: string,\n ): ServiceSession {\n const grant = this.findGrantForOperation({\n spaceId: fallback.spaceId,\n service: this.invocationServiceName(service),\n path,\n action,\n });\n return grant?.session ?? fallback;\n }\n\n private findGrantForOperations(\n operations: RuntimePermissionOperation[],\n ): RuntimePermissionGrant \| undefined {\n if (operations.length === 0) {\n return undefined;\n }\n this.pruneExpiredRuntimePermissionGrants();\n return this.runtimePermissionGrants.find((grant) => {\n return operations.every((operation) =>\n grant.operations.some((granted) =>\n this.operationCovers(granted, operation),\n ),\n );\n });\n }\n\n private findGrantForOperation(\n operation: RuntimePermissionOperation,\n ): RuntimePermissionGrant \| undefined {\n return this.findGrantForOperations([operation]);\n }\n\n private pruneExpiredRuntimePermissionGrants(): void {\n const now = Date.now();\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) => grant.expiresAt.getTime() > now,\n );\n }\n\n private operationCovers(\n granted: RuntimePermissionOperation,\n requested: RuntimePermissionOperation,\n ): boolean {\n if (granted.service !== requested.service \|\|\n !this.actionContains(granted.action, requested.action)\n ) {\n return false;\n }\n\n if (granted.resource !== undefined \|\| requested.resource !== undefined) {\n return granted.resource !== undefined &&\n requested.resource !== undefined &&\n granted.resource === requested.resource &&\n this.pathContains(granted.path, requested.path);\n }\n\n return granted.spaceId !== undefined &&\n requested.spaceId !== undefined &&\n granted.spaceId === requested.spaceId &&\n this.pathContains(granted.path, requested.path);\n }\n\n private actionContains(grantedAction: string, requestedAction: string): boolean {\n if (grantedAction === requestedAction) {\n return true;\n }\n if (grantedAction.endsWith(\"/\")) {\n const prefix = grantedAction.slice(0, -2);\n return requestedAction.startsWith(`${prefix}/`);\n }\n return false;\n }\n\n private invocationServiceName(service: string): string {\n return service.startsWith(\"tinycloud.\")\n ? this.shortServiceName(service)\n : service;\n }\n\n private isEncryptionNetworkOperation(service: string, path: string): boolean {\n return service === \"encryption\" &&\n path.startsWith(\"urn:tinycloud:encryption:\");\n }\n\n private operationFromInvokeAnyEntry(entry: {\n spaceId?: string;\n resource?: string;\n service: string;\n path: string;\n action: string;\n }): RuntimePermissionOperation \| undefined {\n const service = this.invocationServiceName(entry.service);\n if (typeof entry.resource === \"string\") {\n return {\n resource: entry.resource,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n if (this.isEncryptionNetworkOperation(service, entry.path)) {\n return {\n resource: entry.path,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n if (typeof entry.spaceId === \"string\") {\n return {\n spaceId: entry.spaceId,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n return undefined;\n }\n\n private pathContains(grantedPath: string, requestedPath: string): boolean {\n if (grantedPath === \"\" \|\| grantedPath === \"/\") {\n return true;\n }\n if (grantedPath.endsWith(\"/*\")) {\n return requestedPath.startsWith(grantedPath.slice(0, -3));\n }\n if (grantedPath.endsWith(\"/\")) {\n const prefix = grantedPath.slice(0, -2);\n if (!requestedPath.startsWith(prefix)) {\n return false;\n }\n const remainder = requestedPath.slice(prefix.length);\n return !remainder.includes(\"/\") \|\| remainder === \"/\";\n }\n if (grantedPath.endsWith(\"/\")) {\n return requestedPath.startsWith(grantedPath);\n }\n return grantedPath === requestedPath;\n }\n\n /*\n Issue a delegation via the legacy wallet-signed SIWE path for a single\n * {@link PermissionEntry}. Shares the implementation with the public\n * `createDelegation` method via {@link createDelegationWalletPath} so\n * both entry points hit exactly the same SIWE / signer / public-space\n * logic without mutual recursion.\n \n @internal\n /\n private async createDelegationLegacyWalletPath(\n delegateDID: string,\n entry: PermissionEntry,\n expirationTime: Date,\n ): Promise<PortableDelegation> {\n const session = this.auth?.tinyCloudSession;\n const spaceIdOverride =\n session === undefined \|\| entry.space === \"default\"\n ? undefined\n : this.resolvePermissionSpace(entry.space, session);\n return this.createDelegationWalletPath({\n path: entry.path,\n actions: entry.actions,\n delegateDID,\n includePublicSpace: true,\n expiryMs: Math.max(0, expirationTime.getTime() - Date.now()),\n spaceIdOverride,\n });\n }\n\n /\n Create a delegation from this user to another user.\n \n The delegation grants the recipient access to a specific path and actions\n * within this user's space.\n \n @param params - Delegation parameters\n * @returns A portable delegation that can be sent to the recipient\n /\n async createDelegation(params: {\n /* Path within the space to delegate access to /\n path: string;\n /* Actions to allow (e.g., [\"tinycloud.kv/get\", \"tinycloud.kv/put\"]) /\n actions: string[];\n /* DID of the recipient (from their TinyCloudNode.did) /\n delegateDID: string;\n /* Whether to prevent the recipient from creating sub-delegations (default: false) /\n disableSubDelegation?: boolean;\n /* Expiration time in milliseconds from now (default: 1 hour) /\n expiryMs?: number;\n /* Override space ID (for creating delegations to non-primary spaces like public) /\n spaceIdOverride?: string;\n /* Include a companion delegation for the user's public space (default: true) /\n includePublicSpace?: boolean;\n }): Promise<PortableDelegation> {\n // Legacy compatibility shim.\n //\n // Route through delegateTo so that callers whose requested capabilities\n // are a subset of their current session get the session-key UCAN path\n // (no wallet prompt). Fall back to the legacy wallet-sign path on\n // PermissionNotInManifestError, preserving today's behaviour for\n // callers that request scope outside their session.\n //\n // SessionExpiredError propagates — an expired session can't be fixed\n // by re-signing the SIWE, the caller needs to run signIn() again.\n if (!this.signer) {\n throw new Error(\"Cannot createDelegation() in session-only mode. Requires wallet mode.\");\n }\n if (!this.auth?.tinyCloudSession) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Resolve ENS names to PKH DIDs up front so both paths see the resolved\n // DID. The wallet path mutates params further below; we do it here so\n // the fast path (delegateTo) also picks up the resolved DID.\n let resolvedDelegateDID = params.delegateDID;\n if (resolvedDelegateDID.endsWith('.eth') && this.config.ensResolver) {\n const address = await this.config.ensResolver.resolveAddress(resolvedDelegateDID);\n if (!address) throw new Error(`Could not resolve ENS name: ${resolvedDelegateDID}`);\n resolvedDelegateDID = pkhDid(address, 1);\n }\n\n // Legacy params lump multiple services' actions under one path. We\n // now emit ONE multi-resource UCAN for any number of entries via\n // the fast path, so there's no longer a \"single-entry only\" gate\n // here — the fast path handles N entries and returns a single\n // PortableDelegation whose `.resources` describes the full set.\n //\n // Fall back to the wallet path when the capabilities aren't\n // derivable from the current session (PermissionNotInManifestError)\n // so legacy callers requesting scope outside their session continue\n // to see a wallet prompt, matching today's behaviour.\n const entries = legacyParamsToPermissionEntries(\n params.actions,\n params.path,\n params.spaceIdOverride,\n );\n try {\n const result = await this.delegateTo(\n resolvedDelegateDID,\n entries,\n params.expiryMs !== undefined ? { expiry: params.expiryMs } : undefined,\n );\n return result.delegation;\n } catch (err) {\n if (err instanceof PermissionNotInManifestError) {\n // Expected — fall through to the wallet path below. Legacy\n // callers that request scope outside their current session\n // continue to see a wallet prompt, matching today's behaviour.\n } else {\n // SessionExpiredError and any other error class must propagate.\n // An expired session can't be rescued by re-signing the SIWE\n // here — the caller needs to run signIn() again.\n throw err;\n }\n }\n\n // Legacy wallet-signed SIWE path — same implementation as before the\n // delegateTo refactor. Callers that request scope outside their\n // current session land here and see the familiar wallet prompt.\n return this.createDelegationWalletPath({\n ...params,\n delegateDID: resolvedDelegateDID,\n });\n }\n\n /\n Legacy wallet-signed SIWE delegation path. Lifted from the original\n * `createDelegation` body verbatim so both the legacy public method and\n * `delegateTo({ forceWalletSign: true })` hit the same code.\n \n @internal\n /\n private async createDelegationWalletPath(params: {\n path: string;\n actions: string[];\n delegateDID: string;\n disableSubDelegation?: boolean;\n expiryMs?: number;\n spaceIdOverride?: string;\n includePublicSpace?: boolean;\n }): Promise<PortableDelegation> {\n if (!this.signer) {\n throw new Error(\"Cannot createDelegation() in session-only mode. Requires wallet mode.\");\n }\n const session = this.auth?.tinyCloudSession;\n if (!session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Build abilities for the delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = params.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = params.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = params.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n if (kvActions.length > 0) {\n abilities.kv = { [params.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [params.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [params.path]: duckdbActions };\n }\n\n const now = new Date();\n const expiryMs = params.expiryMs ?? 60 60 * 1000; // Default 1 hour\n const expirationTime = new Date(now.getTime() + expiryMs);\n\n // Prepare the delegation session with:\n // - delegateUri: target the recipient's DID directly (for user-to-user delegation)\n // - parents: reference our session CID for chain validation\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: params.spaceIdOverride ?? session.spaceId,\n delegateUri: params.delegateDID,\n parents: [session.delegationCid],\n });\n\n // Sign the SIWE message with this user's signer\n const signature = await this.signer.signMessage(prepared.siwe);\n\n // Complete the session setup\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the delegation with the server\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate delegation: ${activateResult.error}`);\n }\n\n const result: PortableDelegation = {\n cid: delegationSession.delegationCid,\n delegationHeader: delegationSession.delegationHeader,\n spaceId: params.spaceIdOverride ?? session.spaceId,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: expirationTime,\n delegateDID: params.delegateDID,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n\n // Auto-create public-space delegation for vault key publishing\n const hasKvActions = params.actions.some(a => a.startsWith(\"tinycloud.kv/\"));\n if (hasKvActions && params.includePublicSpace !== false) {\n const publicSpaceId = makePublicSpaceId(\n this.wasmBindings.ensureEip55(session.address), session.chainId\n );\n const publicAbilities: Record<string, Record<string, string[]>> = {\n kv: { \"\": [\"tinycloud.kv/get\", \"tinycloud.kv/put\", \"tinycloud.kv/metadata\"] },\n };\n const publicPrepared = this.wasmBindings.prepareSession({\n abilities: publicAbilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: publicSpaceId,\n delegateUri: params.delegateDID,\n parents: [session.delegationCid],\n });\n const publicSignature = await this.signer.signMessage(publicPrepared.siwe);\n const publicSession = this.wasmBindings.completeSessionSetup({\n ...publicPrepared,\n signature: publicSignature,\n });\n\n const publicActivateResult = await activateSessionWithHost(\n this.config.host!,\n publicSession.delegationHeader\n );\n\n if (publicActivateResult.success) {\n result.publicDelegation = {\n cid: publicSession.delegationCid,\n delegationHeader: publicSession.delegationHeader,\n spaceId: publicSpaceId,\n path: \"\",\n actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\", \"tinycloud.kv/metadata\"],\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: expirationTime,\n delegateDID: params.delegateDID,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n }\n\n return result;\n }\n\n /*\n Use a delegation received from another user.\n \n This creates a new session key for this user that chains from the\n * received delegation, allowing operations on the delegator's space.\n \n Works in both modes:\n * - Wallet mode: Creates a SIWE sub-delegation from PKH to session key\n * - Session-only mode: Uses the delegation directly (must target session key DID)\n \n @param delegation - The PortableDelegation to use (from createDelegation or transport)\n * @returns A DelegatedAccess instance for performing operations\n /\n async useDelegation(delegation: PortableDelegation): Promise<DelegatedAccess> {\n const delegationHeader = delegation.delegationHeader;\n\n // Use the host from the delegation if provided, otherwise fall back to config\n const targetHost = delegation.host ?? this.config.host!;\n\n // Session-only mode: use the delegation directly\n // The delegation must target this user's session key DID\n if (this.isSessionOnly) {\n // Verify the delegation targets our session key DID\n const myDid = this.did; // In session-only mode, this is the session key DID\n if (!didPrincipalMatches(delegation.delegateDID, myDid)) {\n throw new Error(\n `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. ` +\n `The delegation must target this user's DID.`\n );\n }\n\n // Create a session using the delegation directly\n // In session-only mode, we use the received delegation as-is\n const session: TinyCloudSession = {\n address: delegation.ownerAddress,\n chainId: delegation.chainId,\n sessionKey: JSON.stringify(this.sessionKeyJwk),\n spaceId: delegation.spaceId,\n delegationCid: delegation.cid,\n delegationHeader,\n verificationMethod: this.sessionDid,\n jwk: this.sessionKeyJwk as unknown as JWK,\n siwe: \"\", // Not used in session-only mode\n signature: \"\", // Not used in session-only mode\n };\n\n // Track received delegation in registry\n this.trackReceivedDelegation(delegation, this.sessionKeyJwk as unknown as JWK);\n this.installRuntimeGrantFromServiceSession(\n delegation,\n {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation.expiry,\n );\n\n return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);\n }\n\n // Wallet mode: create a SIWE sub-delegation\n const mySession = this.auth?.tinyCloudSession;\n if (!mySession) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Use our existing session key - the delegation targets our DID from signIn\n // We must use the same key that the delegation was created for\n const jwk = mySession.jwk;\n\n // Build abilities from the delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n const encryptionActions = delegation.actions.filter(a =>\n a.startsWith(\"tinycloud.encryption/\"),\n );\n const rawAbilities: Record<string, string[]> = {};\n if (kvActions.length > 0) {\n abilities.kv = { [delegation.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [delegation.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [delegation.path]: duckdbActions };\n }\n if (\n encryptionActions.length > 0 &&\n delegation.path.startsWith(\"urn:tinycloud:encryption:\")\n ) {\n rawAbilities[delegation.path] = encryptionActions;\n }\n\n const now = new Date();\n // Use delegation expiry or 1 hour, whichever is sooner\n const maxExpiry = new Date(now.getTime() + 60 60 * 1000);\n const expirationTime = delegation.expiry < maxExpiry ? delegation.expiry : maxExpiry;\n\n // Prepare the session with:\n // - THIS user's address (we are the invoker)\n // - The delegation owner's space (where we're accessing data)\n // - Our existing session key (must match the DID the delegation targets)\n // - Parent reference to the received delegation\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(mySession.address),\n chainId: mySession.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: delegation.spaceId,\n jwk,\n parents: [delegation.cid],\n ...(Object.keys(rawAbilities).length > 0 ? { rawAbilities } : {}),\n });\n\n // Sign with THIS user's signer\n const signature = await this.signer!.signMessage(prepared.siwe);\n\n // Complete the session setup\n const invokerSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate with server\n const activateResult = await activateSessionWithHost(\n targetHost,\n invokerSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate delegated session: ${activateResult.error}`);\n }\n\n // Create TinyCloudSession for the delegated access\n const session: TinyCloudSession = {\n address: mySession.address,\n chainId: mySession.chainId,\n sessionKey: mySession.sessionKey,\n spaceId: delegation.spaceId,\n delegationCid: invokerSession.delegationCid,\n delegationHeader: invokerSession.delegationHeader,\n verificationMethod: mySession.verificationMethod,\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Track received delegation in registry\n this.trackReceivedDelegation(delegation, jwk as unknown as JWK);\n this.installRuntimeGrantFromServiceSession(\n delegation,\n {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n expirationTime,\n );\n\n return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);\n }\n\n /*\n Create a sub-delegation from a received delegation.\n \n This allows further delegating access that was received from another user,\n * if the original delegation allows sub-delegation.\n \n @param parentDelegation - The delegation received from another user\n * @param params - Sub-delegation parameters (must be within parent's scope)\n * @returns A portable delegation for the sub-delegate\n /\n async createSubDelegation(\n parentDelegation: PortableDelegation,\n params: {\n /* Path within the delegated path to sub-delegate /\n path: string;\n /* Actions to allow (must be subset of parent's actions) /\n actions: string[];\n /* DID of the recipient /\n delegateDID: string;\n /* Whether to prevent the recipient from creating further sub-delegations /\n disableSubDelegation?: boolean;\n /* Expiration time in milliseconds from now (must be before parent's expiry) /\n expiryMs?: number;\n }\n ): Promise<PortableDelegation> {\n if (!this.signer) {\n throw new Error(\"Cannot createSubDelegation() in session-only mode. Requires wallet mode.\");\n }\n if (!this._address) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Validate sub-delegation is allowed\n if (parentDelegation.disableSubDelegation) {\n throw new Error(\"Parent delegation does not allow sub-delegation\");\n }\n\n // Validate path is within parent's path\n if (!params.path.startsWith(parentDelegation.path)) {\n throw new Error(\n `Sub-delegation path \"${params.path}\" must be within parent path \"${parentDelegation.path}\"`\n );\n }\n\n // Validate actions are subset of parent's actions\n const parentActions = new Set(parentDelegation.actions);\n for (const action of params.actions) {\n if (!parentActions.has(action)) {\n throw new Error(\n `Sub-delegation action \"${action}\" is not in parent's actions: ${parentDelegation.actions.join(\", \")}`\n );\n }\n }\n\n // Calculate expiry - cap at parent's expiry\n const now = new Date();\n const expiryMs = params.expiryMs ?? 60 60 * 1000;\n const requestedExpiry = new Date(now.getTime() + expiryMs);\n // Sub-delegation cannot outlive parent, so cap at parent's expiry\n const actualExpiry =\n requestedExpiry > parentDelegation.expiry ? parentDelegation.expiry : requestedExpiry;\n\n // Build abilities for the sub-delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = params.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = params.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = params.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n if (kvActions.length > 0) {\n abilities.kv = { [params.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [params.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [params.path]: duckdbActions };\n }\n\n // Use parent's host or fall back to config\n const targetHost = parentDelegation.host ?? this.config.host!;\n\n // Prepare the sub-delegation session\n // Uses THIS user's address (who received the delegation and is now sub-delegating)\n // Targets the recipient's PKH DID (delegateUri)\n // References the parent delegation as the chain\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(this._address),\n chainId: this._chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: actualExpiry.toISOString(),\n spaceId: parentDelegation.spaceId,\n delegateUri: params.delegateDID,\n parents: [parentDelegation.cid],\n });\n\n // Sign with THIS user's signer\n const signature = await this.signer.signMessage(prepared.siwe);\n\n // Complete the session setup\n const subDelegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the sub-delegation with the server\n const activateResult = await activateSessionWithHost(\n targetHost,\n subDelegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate sub-delegation: ${activateResult.error}`);\n }\n\n // Return the portable sub-delegation\n return {\n cid: subDelegationSession.delegationCid,\n delegationHeader: subDelegationSession.delegationHeader,\n spaceId: parentDelegation.spaceId,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: actualExpiry,\n delegateDID: params.delegateDID,\n ownerAddress: parentDelegation.ownerAddress!,\n chainId: parentDelegation.chainId!,\n host: targetHost,\n };\n }\n}\n","import {\n TinyCloudSession,\n KVService,\n IKVService,\n HooksService,\n IHooksService,\n SQLService,\n ISQLService,\n DuckDbService,\n IDuckDbService,\n ServiceSession,\n ServiceContext,\n} from \"@tinycloud/sdk-core\";\nimport type { InvokeFunction } from \"@tinycloud/sdk-services\";\nimport { PortableDelegation } from \"./delegation\";\n\n/*\n The handles needed to rehydrate this delegation activation in a fresh\n * `TinyCloudNode` via `TinyCloudNode.restoreSession(...)` in another process\n * or after a restart.\n \n In wallet mode, `delegationHeader` and `delegationCid` are bound to the\n * session key that ran `useDelegation`. They are NOT intrinsic to the\n * portable delegation — they expire with the server-side session (typically\n * ~1h). To keep a restored node alive longer, re-run `useDelegation` with\n * the original portable delegation and call `restoreSession` again with the\n * fresh `RestorableSession`.\n /\nexport interface RestorableSession {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n spaceId: string;\n jwk: object;\n verificationMethod: string;\n address: string;\n chainId: number;\n}\n\n/\n Provides access to a space via a received delegation.\n \n This is returned by TinyCloudNode.useDelegation() and provides\n * KV operations on the delegated space.\n /\nexport class DelegatedAccess {\n private session: TinyCloudSession;\n private _delegation: PortableDelegation;\n private host: string;\n private _serviceContext: ServiceContext;\n private _kv: KVService;\n private _sql: SQLService;\n private _duckdb: DuckDbService;\n private _hooks: HooksService;\n\n constructor(\n session: TinyCloudSession,\n delegation: PortableDelegation,\n host: string,\n invoke: InvokeFunction,\n ) {\n this.session = session;\n this._delegation = delegation;\n this.host = host;\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [host],\n });\n\n // Create and initialize KV service with path prefix from delegation\n // Strip trailing slash to avoid double-slash in paths\n const prefix = this._delegation.path.replace(/\\/$/, '');\n this._kv = new KVService({ prefix });\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and initialize SQL service with same delegation context\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n\n // Create and initialize DuckDB service with same delegation context\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n\n // Create and initialize Hooks service with same delegation context\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n }\n\n /\n Get the delegation this access was created from.\n /\n get delegation(): PortableDelegation {\n return this._delegation;\n }\n\n /\n The space ID this access is for.\n /\n get spaceId(): string {\n return this._delegation.spaceId;\n }\n\n /\n The path this access is scoped to.\n /\n get path(): string {\n return this._delegation.path;\n }\n\n /\n KV operations on the delegated space.\n /\n get kv(): IKVService {\n return this._kv;\n }\n\n /\n SQL operations on the delegated space.\n /\n get sql(): ISQLService {\n return this._sql;\n }\n\n /\n DuckDB operations on the delegated space.\n /\n get duckdb(): IDuckDbService {\n return this._duckdb;\n }\n\n /\n Hooks write-stream subscriptions on the delegated space.\n /\n get hooks(): IHooksService {\n return this._hooks;\n }\n\n /\n Export the handles needed to rehydrate this activated delegation via\n * `TinyCloudNode.restoreSession(...)` in another process or after a\n * restart.\n \n See `RestorableSession` for lifetime caveats.\n /\n get restorable(): RestorableSession {\n return {\n delegationHeader: this.session.delegationHeader,\n delegationCid: this.session.delegationCid,\n spaceId: this.session.spaceId,\n jwk: this.session.jwk,\n verificationMethod: this.session.verificationMethod,\n address: this.session.address,\n chainId: this.session.chainId,\n };\n }\n}\n","/\n WasmKeyProvider - KeyProvider implementation using WASM session manager.\n \n This provider wraps the SessionManager from node-sdk-wasm to provide\n * cryptographic key operations required by the SharingService.\n \n @packageDocumentation\n /\n\nimport type { KeyProvider, JWK, ISessionManager } from \"@tinycloud/sdk-core\";\n\n/\n Extended session manager with optional key listing support.\n * The base ISessionManager doesn't include listSessionKeys(),\n * but concrete implementations (e.g., TCWSessionManager) may provide it.\n /\ninterface SessionManagerWithListing extends ISessionManager {\n listSessionKeys?(): string[];\n}\n\n/\n Configuration for WasmKeyProvider.\n /\nexport interface WasmKeyProviderConfig {\n /\n The WASM session manager instance.\n * Must be created before constructing the KeyProvider.\n /\n sessionManager: SessionManagerWithListing;\n}\n\n/\n KeyProvider implementation that wraps the WASM session manager.\n \n This allows the SharingService to create new session keys for sharing links\n * using the same cryptographic operations as the main session management.\n \n @example\n * ```typescript\n * // sessionManager from wasmBindings.createSessionManager()\n * import { WasmKeyProvider } from \"@tinycloud/node-sdk\";\n \n const sessionManager = new SessionManager();\n * const keyProvider = new WasmKeyProvider({ sessionManager });\n \n // Create a session key for a sharing link\n * const keyId = await keyProvider.createSessionKey(\"share:abc123\");\n * const jwk = keyProvider.getJWK(keyId);\n * const did = await keyProvider.getDID(keyId);\n * ```\n /\nexport class WasmKeyProvider implements KeyProvider {\n private sessionManager: SessionManagerWithListing;\n\n /\n Create a new WasmKeyProvider.\n \n @param config - Configuration with the WASM session manager\n /\n constructor(config: WasmKeyProviderConfig) {\n this.sessionManager = config.sessionManager;\n }\n\n /\n Generate a new session key with the given name.\n \n This creates a new Ed25519 key pair in the WASM session manager.\n * The key can then be used for signing delegations in sharing links.\n \n @param name - A unique name/ID for the key (e.g., \"share:timestamp:random\")\n * @returns The key ID (same as the name provided)\n /\n async createSessionKey(name: string): Promise<string> {\n // The WASM session manager's createSessionKey returns the key_id\n // and stores the key internally\n return this.sessionManager.createSessionKey(name);\n }\n\n /\n Get the JWK (JSON Web Key) for a key.\n \n Returns the full JWK including the private key (d parameter),\n * which is required for signing and for embedding in sharing links.\n \n @param keyId - The key ID to retrieve\n * @returns The JWK object with public and private key components\n * @throws Error if the key is not found\n /\n getJWK(keyId: string): JWK {\n // The WASM session manager returns the JWK as a JSON string\n const jwkJson = this.sessionManager.jwk(keyId);\n if (!jwkJson) {\n throw new Error(`Key not found: ${keyId}`);\n }\n // Parse the JSON string to get the JWK object\n return JSON.parse(jwkJson) as JWK;\n }\n\n /\n Get the DID (Decentralized Identifier) for a key.\n \n Returns the did:key format DID derived from the key's public key.\n * This DID can be used as the delegatee in delegations.\n \n @param keyId - The key ID to retrieve\n * @returns The DID in did:key format (e.g., \"did:key:z6Mk...\")\n /\n async getDID(keyId: string): Promise<string> {\n // The WASM session manager has a synchronous getDID method\n return this.sessionManager.getDID(keyId);\n }\n\n /\n List all session keys currently held by the provider.\n \n @returns Array of key IDs\n /\n listKeys(): string[] {\n const keys = this.sessionManager.listSessionKeys?.();\n return Array.isArray(keys) ? keys : [];\n }\n\n /\n Check if a key exists in the provider.\n \n @param keyId - The key ID to check\n * @returns True if the key exists\n /\n hasKey(keyId: string): boolean {\n const jwk = this.sessionManager.jwk(keyId);\n return jwk !== undefined;\n }\n}\n\n/\n Create a new WasmKeyProvider instance.\n \n @param sessionManager - The WASM session manager\n * @returns A new WasmKeyProvider instance\n /\nexport function createWasmKeyProvider(sessionManager: SessionManagerWithListing): WasmKeyProvider {\n return new WasmKeyProvider({ sessionManager });\n}\n","/\n Internal helpers for TinyCloudNode.delegateTo and the legacy\n * createDelegation compatibility shim. Exported from their own module so\n * they are easy to unit-test without spinning up a full TinyCloudNode.\n \n None of these are part of the public API — the module path is not\n * re-exported from `@tinycloud/node-sdk` or `@tinycloud/node-sdk/core`.\n \n @packageDocumentation\n /\n\nimport {\n type PermissionEntry,\n parseExpiry,\n SiweMessage,\n EXPIRY,\n} from \"@tinycloud/sdk-core\";\n\n/\n Convert legacy `createDelegation` params into one {@link PermissionEntry}\n * per service. Groups action URNs by their `tinycloud.<service>` prefix and\n * emits one entry per group. Actions whose prefix is not `tinycloud.` are\n dropped (preserving the wallet-path behaviour, which also ignores\n * unrecognised URN prefixes).\n \n Used by the legacy compatibility shim in `createDelegation` to hand off\n * to `delegateTo` on the fast (subset) path.\n /\nexport function legacyParamsToPermissionEntries(\n actions: readonly string[],\n path: string,\n spaceIdOverride: string \| undefined,\n): PermissionEntry[] {\n const byService = new Map<string, string[]>();\n for (const a of actions) {\n // Action URNs look like `tinycloud.kv/get`, `tinycloud.sql/read`, etc.\n // Split on the first `/` to get the service namespace.\n const slashIdx = a.indexOf(\"/\");\n if (slashIdx === -1) {\n continue;\n }\n const service = a.slice(0, slashIdx);\n if (!service.startsWith(\"tinycloud.\")) {\n continue;\n }\n const list = byService.get(service);\n if (list === undefined) {\n byService.set(service, [a]);\n } else {\n list.push(a);\n }\n }\n const space = spaceIdOverride ?? \"default\";\n const entries: PermissionEntry[] = [];\n for (const [service, actionList] of byService) {\n entries.push({\n service,\n space,\n path,\n actions: actionList,\n });\n }\n return entries;\n}\n\n/\n Default lifetime for a delegation when no explicit expiry is provided.\n * Sourced from the SESSION tier — runtime grants are always capped at the\n * parent session's expiry, so they can't usefully be longer than SESSION\n * even if a caller asks. See `@tinycloud/sdk-core/expiry.ts`.\n /\nexport const DEFAULT_DELEGATION_EXPIRY_MS = EXPIRY.SESSION_MS;\n\n/\n Resolve the `expiry` option of {@link DelegateToOptions} into a concrete\n * millisecond duration from now. Default is {@link DEFAULT_DELEGATION_EXPIRY_MS}\n * (7 days).\n \n Accepts:\n * - `undefined` → {@link DEFAULT_DELEGATION_EXPIRY_MS}\n * - `number` → raw milliseconds (must be positive + finite)\n * - `string` → parsed via {@link parseExpiry} (ms-format, e.g. `\"7d\"`)\n /\nexport function resolveExpiryMs(expiry: string \| number \| undefined): number {\n if (expiry === undefined) {\n return DEFAULT_DELEGATION_EXPIRY_MS;\n }\n if (typeof expiry === \"number\") {\n if (!Number.isFinite(expiry) \|\| expiry <= 0) {\n throw new Error(\n `delegateTo expiry must be a positive finite number (got ${expiry})`,\n );\n }\n return expiry;\n }\n // string — parseExpiry throws ManifestValidationError on bad input.\n return parseExpiry(expiry);\n}\n\n/\n Extract the `expirationTime` field of a signed SIWE message as a `Date`.\n \n Returns `undefined` only when the SIWE genuinely has no `Expiration Time`\n * line (RFC-4501 permits it). Propagates parse errors — the SDK always\n * produces signed SIWEs during sign-in, so an unparseable `session.siwe`\n * means something is actively wrong and we do not want to silently skip\n * the expiry check.\n /\nexport function extractSiweExpiration(siwe: string): Date \| undefined {\n const parsed = new SiweMessage(siwe);\n if (parsed.expirationTime === undefined \|\| parsed.expirationTime === null) {\n return undefined;\n }\n const d = new Date(parsed.expirationTime);\n if (Number.isNaN(d.getTime())) {\n throw new Error(\n `Session SIWE has unparseable expirationTime: ${parsed.expirationTime}`,\n );\n }\n return d;\n}\n","import {\n ErrorCodes,\n resolveSecretListPrefix,\n resolveSecretPath,\n expandPermissionEntries,\n resolveManifest,\n type IDataVaultService,\n type ISecretsService,\n type Manifest,\n type PermissionEntry,\n type Result,\n type SecretScopeOptions,\n type ServiceError,\n type VaultError,\n} from \"@tinycloud/sdk-core\";\n\nconst SECRETS_SPACE = \"secrets\";\ntype SecretAction = \"get\" \| \"put\" \| \"del\" \| \"list\";\n\nfunction ok(): Result<void, ServiceError> {\n return { ok: true, data: undefined };\n}\n\nfunction secretsError(\n code: string,\n message: string,\n cause?: Error,\n): Result<never, ServiceError> {\n return {\n ok: false,\n error: {\n code,\n service: \"secrets\",\n message,\n ...(cause ? { cause } : {}),\n },\n };\n}\n\nfunction displayActionUrn(action: SecretAction): string {\n switch (action) {\n case \"get\":\n return \"tinycloud.kv/get\";\n case \"put\":\n return \"tinycloud.kv/put\";\n case \"del\":\n return \"tinycloud.kv/del\";\n case \"list\":\n return \"tinycloud.kv/list\";\n }\n}\n\nfunction secretActionName(action: SecretAction): \"get\" \| \"put\" \| \"del\" \| \"list\" {\n return action;\n}\n\nfunction secretPermissionEntries(\n name: string,\n options: SecretScopeOptions \| undefined,\n action: SecretAction,\n encryptionNetworkId?: string,\n): PermissionEntry[] {\n const entries: PermissionEntry[] = [];\n const path =\n action === \"list\"\n ? resolveSecretListPrefix(options)\n : resolveSecretPath(name, options).permissionPaths.vault;\n\n entries.push({\n service: \"tinycloud.kv\",\n space: SECRETS_SPACE,\n path,\n actions: [secretActionName(action)],\n skipPrefix: true,\n });\n\n if (action === \"get\" && encryptionNetworkId !== undefined) {\n entries.push({\n service: \"tinycloud.encryption\",\n path: encryptionNetworkId,\n actions: [\"decrypt\"],\n skipPrefix: true,\n });\n }\n\n return entries;\n}\n\nexport interface NodeSecretsServiceConfig {\n getService: () => ISecretsService;\n getManifest: () => Manifest \| Manifest[] \| undefined;\n hasPermissions?: (permissions: PermissionEntry[]) => boolean;\n grantPermissions: (additional: PermissionEntry[]) => Promise<unknown>;\n canEscalate: () => boolean;\n getEncryptionNetworkId?: () => string;\n getUnlockSigner?: () => unknown;\n}\n\nexport class NodeSecretsService implements ISecretsService {\n private unlockSigner?: unknown;\n private shouldRestoreUnlock = false;\n\n constructor(private readonly config: NodeSecretsServiceConfig) {}\n\n get vault(): IDataVaultService {\n return this.service.vault;\n }\n\n get isUnlocked(): boolean {\n return this.service.isUnlocked;\n }\n\n async unlock(signer?: unknown): Promise<Result<void, VaultError>> {\n const effectiveSigner = signer ?? this.config.getUnlockSigner?.();\n if (effectiveSigner !== undefined) {\n this.unlockSigner = effectiveSigner;\n }\n const result = await this.service.unlock(effectiveSigner);\n if (result.ok) {\n this.shouldRestoreUnlock = true;\n }\n return result;\n }\n\n lock(): void {\n this.shouldRestoreUnlock = false;\n this.service.lock();\n }\n\n async get(name: string, options?: SecretScopeOptions): ReturnType<ISecretsService[\"get\"]> {\n const permission = await this.ensurePermission(name, options, \"get\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.get(name)\n : this.service.get(name, options);\n }\n\n async put(\n name: string,\n value: string,\n options?: SecretScopeOptions,\n ): ReturnType<ISecretsService[\"put\"]> {\n const permission = await this.ensurePermission(name, options, \"put\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.put(name, value)\n : this.service.put(name, value, options);\n }\n\n async delete(\n name: string,\n options?: SecretScopeOptions,\n ): ReturnType<ISecretsService[\"delete\"]> {\n const permission = await this.ensurePermission(name, options, \"del\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.delete(name)\n : this.service.delete(name, options);\n }\n\n async list(options?: SecretScopeOptions): ReturnType<ISecretsService[\"list\"]> {\n const permission = await this.ensurePermission(\"\", options, \"list\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.list()\n : this.service.list(options);\n }\n\n private get service(): ISecretsService {\n return this.config.getService();\n }\n\n private async ensurePermission(\n name: string,\n options: SecretScopeOptions \| undefined,\n action: SecretAction,\n ): Promise<Result<void, ServiceError \| VaultError>> {\n const target = name \|\| \"secrets\";\n let permissionEntries: PermissionEntry[];\n try {\n permissionEntries = secretPermissionEntries(\n name,\n options,\n action,\n action === \"get\" ? this.config.getEncryptionNetworkId?.() : undefined,\n );\n } catch (error) {\n return secretsError(\n ErrorCodes.INVALID_INPUT,\n error instanceof Error ? error.message : String(error),\n error instanceof Error ? error : undefined,\n );\n }\n\n if (this.hasPermission(permissionEntries)) {\n return ok();\n }\n\n if (!this.config.canEscalate()) {\n return secretsError(\n ErrorCodes.PERMISSION_DENIED,\n `Cannot autosign ${displayActionUrn(action)} for ${target}; TinyCloudNode needs wallet mode with a signer or privateKey.`,\n );\n }\n\n try {\n await this.config.grantPermissions(permissionEntries);\n return this.restoreUnlockAfterEscalation();\n } catch (error) {\n return secretsError(\n ErrorCodes.PERMISSION_DENIED,\n error instanceof Error\n ? error.message\n : `Autosign escalation for ${displayActionUrn(action)} on ${target} failed.`,\n error instanceof Error ? error : undefined,\n );\n }\n }\n\n private async restoreUnlockAfterEscalation(): Promise<\n Result<void, ServiceError \| VaultError>\n > {\n if (!this.shouldRestoreUnlock) {\n return ok();\n }\n return this.service.unlock(this.unlockSigner);\n }\n\n private hasPermission(\n permissionEntries: PermissionEntry[],\n ): boolean {\n if (this.config.hasPermissions?.(permissionEntries)) {\n return true;\n }\n\n const manifest = this.config.getManifest();\n if (manifest === undefined) {\n return false;\n }\n\n const manifests = Array.isArray(manifest) ? manifest : [manifest];\n const requestedEntries = expandPermissionEntries(permissionEntries);\n return requestedEntries.every((entry) =>\n manifests.some((candidate) => {\n const resolved = resolveManifest(candidate);\n return resolved.resources.some(\n (resource) =>\n resource.service === entry.service &&\n resource.space === entry.space &&\n resource.path === entry.path &&\n entry.actions.every((action) => resource.actions.includes(action)),\n );\n }),\n );\n }\n\n}\n","import { Delegation, DelegatedResource } from \"@tinycloud/sdk-core\";\n\n/\n A portable delegation that can be transported between users.\n * Extends the base Delegation type with fields required for transport.\n \n @remarks\n * PortableDelegation adds transport fields to Delegation:\n * - `delegationHeader`: Structured authorization header for API calls\n * - `ownerAddress`: Space owner's address for session creation\n * - `chainId`: Chain ID for session creation\n * - `host`: Optional server URL\n * - `resources`: Multi-resource grant breakdown (present when the\n * delegation was issued via the multi-resource WASM path, i.e. one\n * UCAN covering multiple `(service, path, actions)` entries). The\n * flat `path` + `actions` fields mirror the first entry for\n * single-resource callers; consumers that need the full picture\n * read `resources`.\n /\nexport interface PortableDelegation extends Omit<Delegation, \"isRevoked\"> {\n /* The authorization header for this delegation (structured format) /\n delegationHeader: { Authorization: string };\n\n /* The address of the space owner /\n ownerAddress: string;\n\n /* The chain ID /\n chainId: number;\n\n /* TinyCloud server URL where this delegation was created /\n host?: string;\n\n /* Whether the recipient is prevented from creating sub-delegations /\n disableSubDelegation?: boolean;\n\n /* Companion delegation for the user's public space (auto-created when includePublicSpace is true) /\n publicDelegation?: PortableDelegation;\n\n /\n Full multi-resource grant breakdown. Present when the delegation\n * was issued via the multi-resource WASM path; each entry describes\n * one `(service, space, path, actions)` grant carried by the single\n * underlying UCAN. When absent, only the flat `path` + `actions`\n * fields are authoritative (legacy single-resource shape).\n /\n resources?: DelegatedResource[];\n}\n\n/\n Serialize a PortableDelegation for transport (e.g., over network).\n /\nexport function serializeDelegation(delegation: PortableDelegation): string {\n return JSON.stringify({\n ...delegation,\n expiry: delegation.expiry.toISOString(),\n });\n}\n\n/\n Deserialize a PortableDelegation from transport.\n */\nexport function deserializeDelegation(data: string): PortableDelegation {\n const parsed = JSON.parse(data);\n return {\n ...parsed,\n cid: parsed.cid,\n expiry: new Date(parsed.expiry),\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgBA,IAAAA,mBAA0B;AA0B1B,IAAAA,mBAiBO;;;ACzCA,IAAM,uBAAN,MAAsD;AAAA,EAAtD;AACL,SAAQ,WAA8C,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,EAK9D,MAAM,KAAK,SAAiB,SAA8C;AACxE,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,SAAK,SAAS,IAAI,mBAAmB,OAAO;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAuD;AAChE,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,UAAM,UAAU,KAAK,SAAS,IAAI,iBAAiB;AAEnD,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,YAAY,oBAAI,KAAK,GAAG;AAC1B,WAAK,SAAS,OAAO,iBAAiB;AACtC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,SAAgC;AAC1C,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,SAAK,SAAS,OAAO,iBAAiB;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAA0B;AAC/B,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,UAAM,UAAU,KAAK,SAAS,IAAI,iBAAiB;AAEnD,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,YAAY,oBAAI,KAAK,GAAG;AAC1B,WAAK,SAAS,OAAO,iBAAiB;AACtC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,cAAuB;AACrB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,WAAiB;AACf,SAAK,SAAS,MAAM;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe;AACb,WAAO,KAAK,SAAS;AAAA,EACvB;AACF;;;ACnGA,sBAAoF;AACpF,gBAA+E;AAC/E,kBAA8B;AAkBvB,IAAM,qBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzD,YAAY,SAAkB;AAC5B,SAAK,UAAU,WAAW,KAAK,cAAc;AAC7C,SAAK,sBAAsB;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAwB;AAC9B,UAAM,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,eAAe;AAC5D,eAAO,kBAAK,MAAM,cAAc,UAAU;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAA8B;AACpC,QAAI,KAAC,sBAAW,KAAK,OAAO,GAAG;AAC7B,+BAAU,KAAK,SAAS,EAAE,WAAW,KAAK,CAAC;AAAA,IAC7C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,SAAyB;AAC3C,UAAM,oBAAoB,QAAQ,YAAY;AAE9C,UAAM,WAAW,GAAG,kBAAkB,QAAQ,MAAM,EAAE,CAAC;AACvD,eAAO,kBAAK,KAAK,SAAS,QAAQ;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAiB,SAA8C;AACxE,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,UAAM,OAAO,KAAK,UAAU,SAAS,MAAM,CAAC;AAC5C,iCAAc,UAAU,MAAM,OAAO;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAuD;AAChE,UAAM,WAAW,KAAK,YAAY,OAAO;AAEzC,QAAI,KAAC,sBAAW,QAAQ,GAAG;AACzB,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,WAAO,wBAAa,UAAU,OAAO;AAC3C,YAAM,SAAS,KAAK,MAAM,IAAI;AAG9B,YAAM,iBAAa,8CAA6B,MAAM;AACtD,UAAI,CAAC,WAAW,IAAI;AAClB,gBAAQ,KAAK,4BAA4B,OAAO,KAAK,WAAW,MAAM,OAAO;AAE7E,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,YAAM,UAAU,WAAW;AAG3B,YAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,UAAI,YAAY,oBAAI,KAAK,GAAG;AAE1B,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AAEd,UAAI;AACF,kCAAW,QAAQ;AAAA,MACrB,QAAQ;AAAA,MAER;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,SAAgC;AAC1C,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,YAAI,sBAAW,QAAQ,GAAG;AACxB,gCAAW,QAAQ;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAA0B;AAC/B,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,QAAI,KAAC,sBAAW,QAAQ,GAAG;AACzB,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,WAAO,wBAAa,UAAU,OAAO;AAC3C,YAAM,UAAgC,KAAK,MAAM,IAAI;AAGrD,YAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,UAAI,YAAY,oBAAI,KAAK,GAAG;AAE1B,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAuB;AACrB,QAAI;AACF,WAAK,sBAAsB;AAC3B,iBAAO,sBAAW,KAAK,OAAO;AAAA,IAChC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;ACjKA,IAAAC,mBA+BO;;;AC8CA,IAAM,sBAAoC,EAAE,MAAM,YAAY;;;AD+D9D,IAAM,wBAAN,MAA0D;AAAA,EAoC/D,YAAY,QAAqC;AAPjD,SAAQ,aAA0B,CAAC;AAKnC,SAAQ,gBAA0B,CAAC;AAGjC,SAAK,OAAO,OAAO;AAEnB,SAAK,SAAS,OAAO;AACrB,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,iBAAiB,OAAO,kBAAkB,IAAI,qBAAqB;AACxE,SAAK,SAAS,OAAO;AACrB,SAAK,MAAM,OAAO,OAAO,WAAW,OAAO,MAAM;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,cAAc,OAAO,eAAe;AACzC,SAAK,iBAAiB,OAAO,kBAAkB;AAAA,MAC7C,IAAI;AAAA,QACF,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,KAAK;AAAA,QACH,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,cAAc;AAAA,QACZ,IAAI,CAAC,6BAA6B;AAAA,MACpC;AAAA,MACA,OAAO;AAAA,QACL,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,SAAK,sBAAsB,OAAO,uBAAuB,wBAAO;AAChE,SAAK,kBAAkB,OAAO,mBAAmB;AACjD,SAAK,uBAAuB,OAAO;AACnC,SAAK,iBAAiB,OAAO;AAC7B,SAAK,uBAAuB,OAAO;AACnC,SAAK,yBAAyB,OAAO;AACrC,SAAK,oBAAoB,OAAO,qBAAqB;AACrD,SAAK,QAAQ,OAAO;AACpB,SAAK,aAAa,OAAO;AACzB,SAAK,oCACH,OAAO,qCAAqC;AAC9C,SAAK,YAAY,OAAO;AACxB,SAAK,qBAAqB,OAAO;AAGjC,SAAK,iBAAiB,KAAK,KAAK,qBAAqB;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAI,WAA8C;AAChD,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAI,oBAAyD;AAC3D,WAAO,KAAK,qBAAqB;AAAA,EACnC;AAAA,EAEA,IAAI,QAAkB;AACpB,WAAO,KAAK,iBAAiB,CAAC,GAAG,KAAK,cAAc,IAAI,CAAC;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,UAAmD;AAC7D,SAAK,YAAY;AACjB,SAAK,qBAAqB;AAAA,EAC5B;AAAA,EAEA,qBAAqB,SAAoD;AACvE,SAAK,qBAAqB;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAqC;AACvC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,mBAAiD;AACnD,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,4BAA4B,SAAiC;AAC3D,UAAM,cAAU,sCAAoB,QAAQ,OAAO;AACnD,SAAK,oBAAoB,EAAE,GAAG,SAAS,QAAQ;AAC/C,SAAK,WAAW;AAChB,SAAK,WAAW,QAAQ;AAAA,EAC1B;AAAA,EAEA,MAAc,+BACZ,SACA,SACe;AACf,QAAI,KAAK,kBAAkB,KAAK,eAAe,SAAS,GAAG;AACzD;AAAA,IACF;AAEA,UAAM,cAAU,yBAAO,SAAS,OAAO;AACvC,UAAM,WAAW,UAAM,wCAAsB,SAAS;AAAA,MACpD,aAAa,KAAK;AAAA,MAClB,eAAe,KAAK;AAAA,IACtB,CAAC;AACD,SAAK,iBAAiB,SAAS;AAAA,EACjC;AAAA,EAEQ,wBAAkC;AACxC,QAAI,CAAC,KAAK,kBAAkB,KAAK,eAAe,WAAW,GAAG;AAC5D,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAY,uBAA+B;AACzC,WAAO,KAAK,sBAAsB,EAAE,CAAC;AAAA,EACvC;AAAA,EAEA,IAAI,eAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BQ,uBAA4D;AAClE,QAAI,KAAK,uBAAuB,QAAW;AACzC,aAAO,KAAK;AAAA,IACd;AACA,QAAI,KAAK,cAAc,QAAW;AAChC,aAAO;AAAA,IACT;AACA,SAAK,yBAAqB;AAAA,MACxB,MAAM,QAAQ,KAAK,SAAS,IAAI,KAAK,YAAY,CAAC,KAAK,SAAS;AAAA,MAChE;AAAA,QACE,mCACE,KAAK;AAAA,MACT;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,iBAAiB,OAAe,SAAiB,SAAyB;AAChF,QAAI,MAAM,WAAW,YAAY,GAAG;AAClC,aAAO;AAAA,IACT;AACA,eAAO,iCAAe,SAAS,SAAS,KAAK;AAAA,EAC/C;AAAA,EAEQ,2BAA2B,SAAiB,SAAyB;AAC3E,WAAO,gCAA4B,yBAAO,SAAS,OAAO,CAAC;AAAA,EAC7D;AAAA,EAEQ,0BACN,SACA,SAMA;AACA,UAAM,UAAU,KAAK,qBAAqB;AAC1C,QAAI,YAAY,QAAW;AACzB,YAAM,mBAAmB,KAAK,2BAA2B,SAAS,OAAO;AACzE,YAAM,qBAAiB,iCAAe,SAAS,SAAS,SAAS;AACjE,aAAO;AAAA,QACL,WAAW,KAAK;AAAA,QAChB,aAAS,iCAAe,SAAS,SAAS,KAAK,WAAW;AAAA,QAC1D,gBAAgB;AAAA,UACd,CAAC,cAAc,GAAG;AAAA,YAChB,IAAI;AAAA,cACF,kBAAkB;AAAA,gBAChB;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,QACA,cAAc;AAAA,UACZ,CAAC,gBAAgB,GAAG;AAAA,YAClB;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,eAAyC,CAAC;AAChD,UAAM,iBAAiB,QAAQ,UAAU,OAAO,CAAC,UAAU;AACzD,UAAI,MAAM,YAAY,gDAA+B;AACnD,eAAO;AAAA,MACT;AACA,YAAM,WAAW,aAAa,MAAM,IAAI;AACxC,UAAI,aAAa,QAAW;AAC1B,qBAAa,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,OAAO;AAAA,MAC9C,OAAO;AACL,cAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,mBAAW,UAAU,MAAM,SAAS;AAClC,cAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,qBAAS,KAAK,MAAM;AACpB,iBAAK,IAAI,MAAM;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AACA,aAAO;AAAA,IACT,CAAC;AAED,UAAM,mBACJ,eAAe,KAAK,CAAC,UAAU,MAAM,UAAU,SAAS,GAAG,SAC3D;AACF,UAAM,iBAAiB,KAAK;AAAA,MAC1B;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,cAAU,0DAAwC,cAAc;AACtE,UAAM,iBAA+C,CAAC;AACtD,eAAW,CAAC,OAAO,SAAS,KAAK,OAAO,QAAQ,OAAO,GAAG;AACxD,qBAAe,KAAK,iBAAiB,OAAO,SAAS,OAAO,CAAC,IAAI;AAAA,IACnE;AAEA,WAAO;AAAA,MACL,WACE,eAAe,cAAc,SAC7B,qDAAmC,CAAC,CAAC;AAAA,MACvC,SAAS;AAAA,MACT;AAAA,MACA,cACE,OAAO,KAAK,YAAY,EAAE,SAAS,IAAI,eAAe;AAAA,IAC1D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,mBAAmB,SAAkD;AAC3E,UAAM,OAAgC,EAAE,KAAK,KAAK,IAAI;AACtD,QAAI,KAAK,UAAU,QAAW;AAC5B,WAAK,QAAQ,KAAK;AAAA,IACpB;AAEA,QAAI,CAAC,KAAK,cAAc,CAAC,SAAS,OAAO;AACvC,aAAO;AAAA,IACT;AAEA,UAAM,EAAE,WAAW,WAAW,KAAK,GAAG,KAAK,IAAI,KAAK,cAAc,CAAC;AACnE,UAAM,YAAqC,EAAE,GAAG,MAAM,GAAG,KAAK;AAE9D,QAAI,WAAW;AACb,gBAAU,YAAY,KAAK,YACvB,GAAG,SAAS,IAAI,KAAK,SAAS,KAC9B;AAAA,IACN;AAEA,QAAI,aAAa,UAAU,SAAS,GAAG;AACrC,gBAAU,YAAY;AAAA,IACxB;AAEA,QAAI,KAAK;AACP,cAAQ;AAAA,QACN;AAAA,MAEF;AACA,gBAAU,MAAM;AAAA,IAClB;AAEA,QAAI,SAAS,OAAO;AAClB,gBAAU,QAAQ,QAAQ;AAAA,IAC5B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,WAA4B;AACjC,SAAK,WAAW,KAAK,SAAS;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,aAAiC;AAC/B,WAAO,KAAK,mBAAmB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,UAAU,eAA0C;AAChE,QAAI,CAAC,KAAK,qBAAqB,CAAC,KAAK,YAAY,CAAC,KAAK,UAAU;AAC/D,YAAM,IAAI,MAAM,iCAAiC;AAAA,IACnD;AAEA,UAAM,OAAO,KAAK;AAClB,UAAM,UAAU,iBAAiB,KAAK,kBAAkB;AAGxD,UAAM,SAAS,UAAM,8BAAY,MAAM,OAAO;AAG9C,UAAM,OAAO,KAAK,KAAK,wBAAwB;AAAA,MAC7C,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,YAAY,IAAI;AAG7C,UAAM,UAAU,KAAK,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACrE,UAAM,SAAS,UAAM,uCAAqB,MAAM,OAAO;AAEvD,WAAO,OAAO;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,SAAmC;AACvD,WAAO,KAAK,UAAU,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,SAAmC;AACtD,WAAO,KAAK,UAAU,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,oBAAmC;AACvC,QAAI,CAAC,KAAK,mBAAmB;AAC3B,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,UAAM,OAAO,KAAK;AAClB,UAAM,iBAAiB,KAAK,kBAAkB;AAG9C,UAAM,SAAS,UAAM;AAAA,MACnB;AAAA,MACA,KAAK,kBAAkB;AAAA,IACzB;AAMA,UAAM,UACJ,KAAK,yBACJ,KAAK,kBACF,IAAI,iDAAgC,IACpC;AAEN,UAAM,kBAAkB;AAAA,MACtB,SAAS;AAAA,MACT,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd;AAAA,IACF;AAEA,QAAI,OAAO,SAAS;AAElB,YAAM,iBAAiB,OAAO,SAAS,SAAS,cAAc;AAE9D,UAAI,CAAC,gBAAgB;AAEnB;AAAA,MACF;AAGA,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,YAAY,MAAM,QAAQ,qBAAqB,eAAe;AACpE,UAAI,CAAC,WAAW;AACd;AAAA,MACF;AAGA,UAAI;AACF,cAAM,UAAU,MAAM,KAAK,UAAU;AACrC,YAAI,CAAC,SAAS;AACZ,gBAAM,MAAM,IAAI,MAAM,2BAA2B,cAAc,EAAE;AACjE,kBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,gBAAM;AAAA,QACR;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ;AAAA,UACN;AAAA,UACA,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QAC1D;AACA,cAAM;AAAA,MACR;AAGA,YAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAGvD,YAAM,cAAc,UAAM;AAAA,QACxB;AAAA,QACA,KAAK,kBAAkB;AAAA,MACzB;AAEA,UAAI,CAAC,YAAY,SAAS;AACxB,cAAM,MAAM,IAAI;AAAA,UACd,oDAAoD,YAAY,KAAK;AAAA,QACvE;AACA,gBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,cAAM;AAAA,MACR;AAEA,cAAQ,iBAAiB,eAAe;AACxC;AAAA,IACF;AAGA,QAAI,OAAO,WAAW,KAAK;AACzB,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,YAAY,MAAM,QAAQ,qBAAqB,eAAe;AACpE,UAAI,CAAC,WAAW;AACd;AAAA,MACF;AAEA,UAAI;AACF,cAAM,UAAU,MAAM,KAAK,UAAU;AACrC,YAAI,CAAC,SAAS;AACZ,gBAAM,MAAM,IAAI,MAAM,2BAA2B,cAAc,EAAE;AACjE,kBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,gBAAM;AAAA,QACR;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ;AAAA,UACN;AAAA,UACA,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QAC1D;AACA,cAAM;AAAA,MACR;AAEA,YAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAEvD,YAAM,cAAc,UAAM;AAAA,QACxB;AAAA,QACA,KAAK,kBAAkB;AAAA,MACzB;AAEA,UAAI,CAAC,YAAY,SAAS;AACxB,cAAM,MAAM,IAAI;AAAA,UACd,oDAAoD,YAAY,KAAK;AAAA,QACvE;AACA,gBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,cAAM;AAAA,MACR;AAEA,cAAQ,iBAAiB,eAAe;AACxC;AAAA,IACF;AAEA,UAAM,IAAI,MAAM,+BAA+B,OAAO,KAAK,EAAE;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,OAAO,SAAiD;AAE5D,SAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,SAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAE7C,UAAM,UAAU,KAAK;AACrB,UAAM,UAAU,KAAK;AAErB,UAAM,KAAK,+BAA+B,SAAS,OAAO;AAG1D,UAAM,QAAQ,WAAW,KAAK,IAAI,CAAC;AACnC,SAAK,eAAe,mBAAmB,WAAW,KAAK;AAGvD,UAAM,YAAY,KAAK,eAAe,IAAI,KAAK;AAC/C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,UAAM,MAAM,KAAK,MAAM,SAAS;AAEhC,UAAM,iBAAiB,KAAK,0BAA0B,SAAS,OAAO;AACtE,UAAM,UAAU,eAAe;AAE/B,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,mBAAmB;AAQxE,UAAM,WAAW,KAAK,KAAK,eAAe;AAAA,MACxC,WAAW,eAAe;AAAA,MAC1B,GAAI,eAAe,mBAAmB,SAClC,EAAE,gBAAgB,eAAe,eAAe,IAChD,CAAC;AAAA,MACL,GAAI,eAAe,iBAAiB,SAChC,EAAE,cAAc,eAAe,aAAa,IAC5C,CAAC;AAAA,MACL;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C;AAAA,MACA;AAAA,MACA,GAAG,KAAK,mBAAmB,OAAO;AAAA,IACpC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,iBAAiB;AAAA,MAC5C;AAAA,MACA;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,MAAM;AAAA,IACR,CAAC;AAGD,UAAM,UAAU,KAAK,KAAK,qBAAqB;AAAA,MAC7C,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,gBAA+B;AAAA,MACnC;AAAA,MACA,eAAe;AAAA,MACf;AAAA,MACA,YAAY;AAAA,MACZ,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAKA,UAAM,iBAAqD,KACxD,oBACC,EAAE,YAAQ,iCAAe,SAAS,SAAS,QAAQ,EAAE,IACrD;AAKJ,UAAM,mBAAqC;AAAA,MACzC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ;AAAA,MACA,QAAQ;AAAA,MACR,eAAe,QAAQ;AAAA,MACvB,kBAAkB,QAAQ;AAAA,MAC1B,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACpD;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,gBAAsC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,YAAY,KAAK,UAAU,GAAG;AAAA,MAC9B,MAAM,SAAS;AAAA,MACf;AAAA,MACA,kBAAkB;AAAA,QAChB,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB;AAAA,QACA,QAAQ;AAAA,QACR,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACtD;AAAA,MACA,WAAW,eAAe,YAAY;AAAA,MACtC,WAAW,IAAI,YAAY;AAAA,MAC3B,SAAS;AAAA,IACX;AACA,UAAM,KAAK,eAAe,KAAK,SAAS,aAAa;AAGrD,SAAK,WAAW;AAChB,SAAK,oBAAoB;AACzB,SAAK,WAAW;AAChB,SAAK,WAAW;AAGhB,UAAM,WAAW,UAAM;AAAA,MACrB,KAAK;AAAA,MACL,KAAK,KAAK,gBAAgB;AAAA,IAC5B;AACA,SAAK,gBAAgB,SAAS;AAG9B,eAAW,OAAO,KAAK,YAAY;AACjC,UAAI,IAAI,aAAa;AACnB,cAAM,IAAI,YAAY,aAAa;AAAA,MACrC;AAAA,IACF;AAGA,UAAM,KAAK,kBAAkB;AAE7B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,QAAI,KAAK,UAAU;AACjB,YAAM,KAAK,sBAAsB,KAAK,QAAQ;AAAA,IAChD;AACA,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,UAA8B;AAC5B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,UAA8B;AAC5B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,SAAkC;AAClD,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAAA,IACpE;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAAA,IAC/C;AAEA,WAAO,KAAK,iBAAiB;AAAA,MAC3B,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd;AAAA,MACA,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,2BAWH;AACD,UAAM,cAAU,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,UAAM,UAAU,MAAM,KAAK,OAAO,WAAW;AAG7C,UAAM,QAAQ,WAAW,KAAK,IAAI,CAAC;AACnC,SAAK,eAAe,mBAAmB,WAAW,KAAK;AAGvD,UAAM,YAAY,KAAK,eAAe,IAAI,KAAK;AAC/C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,UAAM,MAAM,KAAK,MAAM,SAAS;AAEhC,UAAM,iBAAiB,KAAK,0BAA0B,SAAS,OAAO;AACtE,UAAM,UAAU,eAAe;AAE/B,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,mBAAmB;AAQxE,UAAM,WAAW,KAAK,KAAK,eAAe;AAAA,MACxC,WAAW,eAAe;AAAA,MAC1B,GAAI,eAAe,mBAAmB,SAClC,EAAE,gBAAgB,eAAe,eAAe,IAChD,CAAC;AAAA,MACL,GAAI,eAAe,iBAAiB,SAChC,EAAE,cAAc,eAAe,aAAa,IAC5C,CAAC;AAAA,MACL;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C;AAAA,MACA;AAAA,MACA,GAAG,KAAK,mBAAmB;AAAA,IAC7B,CAAC;AAED,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,0BACJ,UAMA,WACA,OACA,KACwB;AAExB,UAAM,UAAU,KAAK,KAAK,qBAAqB;AAAA,MAC7C,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAKD,UAAM,cAAU,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,UAAM,UAAU,MAAM,KAAK,OAAO,WAAW;AAE7C,UAAM,KAAK,+BAA+B,SAAS,OAAO;AAG1D,UAAM,gBAA+B;AAAA,MACnC;AAAA,MACA,eAAe;AAAA,MACf;AAAA,MACA,YAAY;AAAA,MACZ,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,iBAAqD,KACxD,oBACC,EAAE,YAAQ,iCAAe,SAAS,SAAS,QAAQ,EAAE,IACrD;AAIJ,UAAM,mBAAqC;AAAA,MACzC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,SAAS,SAAS;AAAA,MAClB,QAAQ;AAAA,MACR,eAAe,QAAQ;AAAA,MACvB,kBAAkB,QAAQ;AAAA,MAC1B,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACpD;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,kBAAkB,SAAS,KAAK,MAAM,uBAAuB;AACnE,UAAM,gBAAgB,SAAS,KAAK,MAAM,iBAAiB;AAC3D,UAAM,YACJ,kBAAkB,CAAC,KACnB,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,mBAAmB,EAAE,YAAY;AAC9D,UAAM,YAAY,gBAAgB,CAAC,MAAK,oBAAI,KAAK,GAAE,YAAY;AAG/D,UAAM,gBAAsC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,YAAY,KAAK,UAAU,GAAG;AAAA,MAC9B,MAAM,SAAS;AAAA,MACf;AAAA,MACA,kBAAkB;AAAA,QAChB,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB,SAAS,SAAS;AAAA,QAClB,QAAQ;AAAA,QACR,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACtD;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,IACX;AACA,UAAM,KAAK,eAAe,KAAK,SAAS,aAAa;AAGrD,SAAK,WAAW;AAChB,SAAK,oBAAoB;AACzB,SAAK,WAAW;AAChB,SAAK,WAAW;AAGhB,UAAM,WAAW,UAAM;AAAA,MACrB,KAAK;AAAA,MACL,KAAK,KAAK,gBAAgB;AAAA,IAC5B;AACA,SAAK,gBAAgB,SAAS;AAG9B,eAAW,OAAO,KAAK,YAAY;AACjC,UAAI,IAAI,aAAa;AACnB,cAAM,IAAI,YAAY,aAAa;AAAA,MACrC;AAAA,IACF;AAGA,UAAM,KAAK,kBAAkB;AAE7B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,SAAiC;AAC3D,UAAM,gBAAgB,WAAW,KAAK;AACtC,QAAI,eAAe;AACjB,YAAM,KAAK,eAAe,MAAM,aAAa;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAmB,SAA0B;AAC3C,WAAO,KAAK,eAAe,OAAO,OAAO;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAiB,SAAuC;AACpE,YAAQ,KAAK,aAAa,MAAM;AAAA,MAC9B,KAAK;AACH,eAAO,KAAK,OAAO,YAAY,QAAQ,OAAO;AAAA,MAEhD,KAAK;AACH,cAAM,IAAI,MAAM,+CAA+C;AAAA,MAEjE,KAAK,YAAY;AACf,cAAM,WAAW,MAAM,KAAK,aAAa,QAAQ,OAAO;AACxD,YAAI,CAAC,SAAS,UAAU;AACtB,gBAAM,IAAI;AAAA,YACR,SAAS,UAAU;AAAA,UACrB;AAAA,QACF;AAEA,eACE,SAAS,aAAc,MAAM,KAAK,OAAO,YAAY,QAAQ,OAAO;AAAA,MAExE;AAAA,MAEA,KAAK,iBAAiB;AACpB,eAAO,KAAK;AAAA,UACV;AAAA,UACA,KAAK,aAAa;AAAA,UAClB,KAAK,aAAa,WAAW;AAAA,QAC/B;AAAA,MACF;AAAA,MAEA;AACE,cAAM,IAAI;AAAA,UACR,0BAA2B,KAAK,aAAqB,IAAI;AAAA,QAC3D;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,2BACN,SACA,SACA,SACiB;AACjB,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,YAAM,YAAY,WAAW,MAAM;AACjC,eAAO,IAAI,MAAM,wBAAwB,CAAC;AAAA,MAC5C,GAAG,OAAO;AAEV,YAAM,UAAU,OAAO,aAA2B;AAChD,qBAAa,SAAS;AACtB,YAAI,CAAC,SAAS,UAAU;AACtB;AAAA,YACE,IAAI,MAAM,SAAS,UAAU,mCAAmC;AAAA,UAClE;AAAA,QACF,OAAO;AAEL,gBAAM,YACJ,SAAS,aACR,MAAM,KAAK,OAAO,YAAY,QAAQ,OAAO;AAChD,kBAAQ,SAAS;AAAA,QACnB;AAAA,MACF;AAEA,cAAQ,KAAK,gBAAgB,SAAS,OAAO;AAAA,IAC/C,CAAC;AAAA,EACH;AACF;;;AEtqCA,IAAAC,mBAmFO;;;ACpHP,IAAAC,mBAYO;AAgCA,IAAM,kBAAN,MAAsB;AAAA,EAU3B,YACE,SACA,YACA,MACA,QACA;AACA,SAAK,UAAU;AACf,SAAK,cAAc;AACnB,SAAK,OAAO;AAGZ,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC;AAAA,MACA,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,IAAI;AAAA,IACd,CAAC;AAID,UAAM,SAAS,KAAK,YAAY,KAAK,QAAQ,OAAO,EAAE;AACtD,SAAK,MAAM,IAAI,2BAAU,EAAE,OAAO,CAAC;AACnC,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,SAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,SAAK,KAAK,WAAW,KAAK,eAAe;AACzC,SAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAGrD,SAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,SAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,SAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAG3D,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,SAAS,QAAQ;AAAA,MACjB,oBAAoB,QAAQ;AAAA,MAC5B,KAAK,QAAQ;AAAA,IACf;AACA,SAAK,gBAAgB,WAAW,cAAc;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,aAAiC;AACnC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,OAAe;AACjB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,KAAiB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAmB;AACrB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,SAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,QAAuB;AACzB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAI,aAAgC;AAClC,WAAO;AAAA,MACL,kBAAkB,KAAK,QAAQ;AAAA,MAC/B,eAAe,KAAK,QAAQ;AAAA,MAC5B,SAAS,KAAK,QAAQ;AAAA,MACtB,KAAK,KAAK,QAAQ;AAAA,MAClB,oBAAoB,KAAK,QAAQ;AAAA,MACjC,SAAS,KAAK,QAAQ;AAAA,MACtB,SAAS,KAAK,QAAQ;AAAA,IACxB;AAAA,EACF;AACF;;;ACxHO,IAAM,kBAAN,MAA6C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlD,YAAY,QAA+B;AACzC,SAAK,iBAAiB,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,MAA+B;AAGpD,WAAO,KAAK,eAAe,iBAAiB,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,OAAoB;AAEzB,UAAM,UAAU,KAAK,eAAe,IAAI,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,kBAAkB,KAAK,EAAE;AAAA,IAC3C;AAEA,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAAO,OAAgC;AAE3C,WAAO,KAAK,eAAe,OAAO,KAAK;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAqB;AACnB,UAAM,OAAO,KAAK,eAAe,kBAAkB;AACnD,WAAO,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,OAAwB;AAC7B,UAAM,MAAM,KAAK,eAAe,IAAI,KAAK;AACzC,WAAO,QAAQ;AAAA,EACjB;AACF;AAQO,SAAS,sBAAsB,gBAA4D;AAChG,SAAO,IAAI,gBAAgB,EAAE,eAAe,CAAC;AAC/C;;;ACnIA,IAAAC,mBAKO;AAYA,SAAS,gCACd,SACA,MACA,iBACmB;AACnB,QAAM,YAAY,oBAAI,IAAsB;AAC5C,aAAW,KAAK,SAAS;AAGvB,UAAM,WAAW,EAAE,QAAQ,GAAG;AAC9B,QAAI,aAAa,IAAI;AACnB;AAAA,IACF;AACA,UAAM,UAAU,EAAE,MAAM,GAAG,QAAQ;AACnC,QAAI,CAAC,QAAQ,WAAW,YAAY,GAAG;AACrC;AAAA,IACF;AACA,UAAM,OAAO,UAAU,IAAI,OAAO;AAClC,QAAI,SAAS,QAAW;AACtB,gBAAU,IAAI,SAAS,CAAC,CAAC,CAAC;AAAA,IAC5B,OAAO;AACL,WAAK,KAAK,CAAC;AAAA,IACb;AAAA,EACF;AACA,QAAM,QAAQ,mBAAmB;AACjC,QAAM,UAA6B,CAAC;AACpC,aAAW,CAAC,SAAS,UAAU,KAAK,WAAW;AAC7C,YAAQ,KAAK;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAQO,IAAM,+BAA+B,wBAAO;AAY5C,SAAS,gBAAgB,QAA6C;AAC3E,MAAI,WAAW,QAAW;AACxB,WAAO;AAAA,EACT;AACA,MAAI,OAAO,WAAW,UAAU;AAC9B,QAAI,CAAC,OAAO,SAAS,MAAM,KAAK,UAAU,GAAG;AAC3C,YAAM,IAAI;AAAA,QACR,2DAA2D,MAAM;AAAA,MACnE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,aAAO,8BAAY,MAAM;AAC3B;AAWO,SAAS,sBAAsB,MAAgC;AACpE,QAAM,SAAS,IAAI,6BAAY,IAAI;AACnC,MAAI,OAAO,mBAAmB,UAAa,OAAO,mBAAmB,MAAM;AACzE,WAAO;AAAA,EACT;AACA,QAAM,IAAI,IAAI,KAAK,OAAO,cAAc;AACxC,MAAI,OAAO,MAAM,EAAE,QAAQ,CAAC,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,gDAAgD,OAAO,cAAc;AAAA,IACvE;AAAA,EACF;AACA,SAAO;AACT;;;ACxHA,IAAAC,mBAcO;AAEP,IAAM,gBAAgB;AAGtB,SAAS,KAAiC;AACxC,SAAO,EAAE,IAAI,MAAM,MAAM,OAAU;AACrC;AAEA,SAAS,aACP,MACA,SACA,OAC6B;AAC7B,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO;AAAA,MACL;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IAC3B;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,QAA8B;AACtD,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAEA,SAAS,iBAAiB,QAAsD;AAC9E,SAAO;AACT;AAEA,SAAS,wBACP,MACA,SACA,QACA,qBACmB;AACnB,QAAM,UAA6B,CAAC;AACpC,QAAM,OACJ,WAAW,aACP,0CAAwB,OAAO,QAC/B,oCAAkB,MAAM,OAAO,EAAE,gBAAgB;AAEvD,UAAQ,KAAK;AAAA,IACX,SAAS;AAAA,IACT,OAAO;AAAA,IACP;AAAA,IACA,SAAS,CAAC,iBAAiB,MAAM,CAAC;AAAA,IAClC,YAAY;AAAA,EACd,CAAC;AAED,MAAI,WAAW,SAAS,wBAAwB,QAAW;AACzD,YAAQ,KAAK;AAAA,MACX,SAAS;AAAA,MACT,MAAM;AAAA,MACN,SAAS,CAAC,SAAS;AAAA,MACnB,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAYO,IAAM,qBAAN,MAAoD;AAAA,EAIzD,YAA6B,QAAkC;AAAlC;AAF7B,SAAQ,sBAAsB;AAAA,EAEkC;AAAA,EAEhE,IAAI,QAA2B;AAC7B,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA,EAEA,IAAI,aAAsB;AACxB,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA,EAEA,MAAM,OAAO,QAAqD;AAChE,UAAM,kBAAkB,UAAU,KAAK,OAAO,kBAAkB;AAChE,QAAI,oBAAoB,QAAW;AACjC,WAAK,eAAe;AAAA,IACtB;AACA,UAAM,SAAS,MAAM,KAAK,QAAQ,OAAO,eAAe;AACxD,QAAI,OAAO,IAAI;AACb,WAAK,sBAAsB;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAa;AACX,SAAK,sBAAsB;AAC3B,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA,EAEA,MAAM,IAAI,MAAc,SAAkE;AACxF,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,IAAI,IAAI,IACrB,KAAK,QAAQ,IAAI,MAAM,OAAO;AAAA,EACpC;AAAA,EAEA,MAAM,IACJ,MACA,OACA,SACoC;AACpC,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,IAAI,MAAM,KAAK,IAC5B,KAAK,QAAQ,IAAI,MAAM,OAAO,OAAO;AAAA,EAC3C;AAAA,EAEA,MAAM,OACJ,MACA,SACuC;AACvC,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,OAAO,IAAI,IACxB,KAAK,QAAQ,OAAO,MAAM,OAAO;AAAA,EACvC;AAAA,EAEA,MAAM,KAAK,SAAmE;AAC5E,UAAM,aAAa,MAAM,KAAK,iBAAiB,IAAI,SAAS,MAAM;AAClE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,KAAK,IAClB,KAAK,QAAQ,KAAK,OAAO;AAAA,EAC/B;AAAA,EAEA,IAAY,UAA2B;AACrC,WAAO,KAAK,OAAO,WAAW;AAAA,EAChC;AAAA,EAEA,MAAc,iBACZ,MACA,SACA,QACkD;AAClD,UAAM,SAAS,QAAQ;AACvB,QAAI;AACJ,QAAI;AACF,0BAAoB;AAAA,QAClB;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW,QAAQ,KAAK,OAAO,yBAAyB,IAAI;AAAA,MAC9D;AAAA,IACF,SAAS,OAAO;AACd,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QACrD,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AAAA,IACF;AAEA,QAAI,KAAK,cAAc,iBAAiB,GAAG;AACzC,aAAO,GAAG;AAAA,IACZ;AAEA,QAAI,CAAC,KAAK,OAAO,YAAY,GAAG;AAC9B,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,mBAAmB,iBAAiB,MAAM,CAAC,QAAQ,MAAM;AAAA,MAC3D;AAAA,IACF;AAEA,QAAI;AACF,YAAM,KAAK,OAAO,iBAAiB,iBAAiB;AACpD,aAAO,KAAK,6BAA6B;AAAA,IAC3C,SAAS,OAAO;AACd,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,iBAAiB,QACb,MAAM,UACN,2BAA2B,iBAAiB,MAAM,CAAC,OAAO,MAAM;AAAA,QACpE,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,+BAEZ;AACA,QAAI,CAAC,KAAK,qBAAqB;AAC7B,aAAO,GAAG;AAAA,IACZ;AACA,WAAO,KAAK,QAAQ,OAAO,KAAK,YAAY;AAAA,EAC9C;AAAA,EAEQ,cACN,mBACS;AACT,QAAI,KAAK,OAAO,iBAAiB,iBAAiB,GAAG;AACnD,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,OAAO,YAAY;AACzC,QAAI,aAAa,QAAW;AAC1B,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC,QAAQ;AAChE,UAAM,uBAAmB,0CAAwB,iBAAiB;AAClE,WAAO,iBAAiB;AAAA,MAAM,CAAC,UAC7B,UAAU,KAAK,CAAC,cAAc;AAC5B,cAAM,eAAW,kCAAgB,SAAS;AAC1C,eAAO,SAAS,UAAU;AAAA,UACxB,CAAC,aACC,SAAS,YAAY,MAAM,WAC3B,SAAS,UAAU,MAAM,SACzB,SAAS,SAAS,MAAM,QACxB,MAAM,QAAQ,MAAM,CAAC,WAAW,SAAS,QAAQ,SAAS,MAAM,CAAC;AAAA,QACrE;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEF;;;AJ7HA,IAAM,eAAe;AACrB,IAAM,kCAAkC;AACxC,IAAM,wBAAwB;AAC9B,IAAM,iBAAiB;AACvB,IAAM,qBAAqB;AAQ3B,IAAM,gCAAgC,wBAAO;AAE7C,SAAS,oBAAoB,QAAgB,UAA2B;AACtE,MAAI;AACF,eAAO,qCAAmB,QAAQ,QAAQ;AAAA,EAC5C,QAAQ;AACN,WAAO,WAAW;AAAA,EACpB;AACF;AA6HA,SAAS,gBAAgB,OAA2B;AAClD,QAAM,WAAW;AACjB,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,GAAG;AACxC,UAAM,IAAI,MAAM,CAAC;AACjB,UAAM,IAAI,MAAM,IAAI,CAAC;AACrB,UAAM,IAAI,MAAM,IAAI,CAAC;AACrB,UAAM,UAAW,KAAK,MAAQ,KAAK,MAAM,KAAM,KAAK;AACpD,cAAU,SAAU,WAAW,KAAM,EAAE;AACvC,cAAU,SAAU,WAAW,KAAM,EAAE;AACvC,QAAI,IAAI,IAAI,MAAM,OAAQ,WAAU,SAAU,WAAW,IAAK,EAAE;AAChE,QAAI,IAAI,IAAI,MAAM,OAAQ,WAAU,SAAS,UAAU,EAAE;AAAA,EAC3D;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAA2B;AAClD,QAAM,WAAW;AACjB,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS;AACb,MAAI,OAAO;AACX,aAAW,QAAQ,OAAO;AACxB,UAAM,QAAQ,SAAS,QAAQ,IAAI;AACnC,QAAI,QAAQ,GAAG;AACb,YAAM,IAAI,MAAM,yBAAyB;AAAA,IAC3C;AACA,aAAU,UAAU,IAAK;AACzB,YAAQ;AACR,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,YAAM,KAAM,UAAU,OAAQ,GAAI;AAAA,IACpC;AAAA,EACF;AACA,SAAO,IAAI,WAAW,KAAK;AAC7B;AAEA,eAAe,oBACb,cACA,KACqB;AACrB,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,YAAY;AACnD,MAAI;AACF,UAAM,SAAS,WAAW,QAAQ;AAClC,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,UAAU;AAAA,MAClB;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AACA,WAAO,IAAI,WAAW,MAAM,OAAO,KAAK,EAAE,MAAM,UAAU,GAAG,KAAK,KAAK,CAAC;AAAA,EAC1E,QAAQ;AACN,UAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,UAAM,MAAM,WAAW,iBAAiB,EAAE,KAAK,KAAY,QAAQ,MAAM,CAAC;AAC1E,WAAO,IAAI,WAAW,WAAW,KAAK,MAAM,OAAO,KAAK,KAAK,GAAG,GAAG,CAAC;AAAA,EACtE;AACF;AAEA,eAAe,0BACb,eACA,UACA,KACiB;AACjB,QAAM,CAAC,YAAY,WAAW,IAAI,cAAc,MAAM,GAAG;AACzD,MAAI,CAAC,cAAc,CAAC,aAAa;AAC/B,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,gBAAgB,UAAU,CAAC,CAAC;AAC/E,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,gBAAgB,WAAW,CAAC,CAAC;AACjF,UAAQ,MAAM;AACd,QAAM,eAAe,GAAG;AAAA,IACtB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,MAAM,CAAC;AAAA,EACjD,CAAC,IAAI,gBAAgB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC,CAAC,CAAC;AACvE,QAAM,YAAY,MAAM,oBAAoB,cAAc,GAAG;AAC7D,SAAO,GAAG,YAAY,IAAI,gBAAgB,SAAS,CAAC;AACtD;AAEA,SAAS,oBAAoB,SAA8D;AACzF,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,UAAM,QAAQ,QAAQ,KAAK,CAAC,CAAC,IAAI,MAAM,KAAK,YAAY,MAAM,eAAe;AAC7E,QAAI,CAAC,OAAO;AACV,YAAM,IAAI,MAAM,4DAA4D;AAAA,IAC9E;AACA,WAAO,MAAM,CAAC;AAAA,EAChB;AACA,QAAM,QAAQ,QAAQ,iBAAiB,QAAQ;AAC/C,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AACA,SAAO;AACT;AAcO,IAAM,iBAAN,MAAM,eAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwHzB,YAAY,SAA8B,CAAC,GAAG;AA7G9C,SAAQ,SAAyB;AACjC,SAAQ,OAAqC;AAC7C,SAAQ,KAAuB;AAE/B,SAAQ,WAAmB;AA8B3B,SAAQ,0BAAoD,CAAC;AAmB7D,SAAiB,+BAA+C,CAC9D,SACA,SACA,MACA,QACA,UACG;AACH,aAAO,KAAK,aAAa;AAAA,QACvB,KAAK,wBAAwB,SAAS,SAAS,MAAM,MAAM;AAAA,QAC3D;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,SAAiB,kCAAqD,CACpE,SACA,SACA,UACG;AACH,UAAI,CAAC,KAAK,aAAa,WAAW;AAChC,cAAM,IAAI,MAAM,yCAAyC;AAAA,MAC3D;AACA,YAAM,QAAQ,KAAK;AAAA,QACjB,QAAQ,QAAQ,CAAC,UAAU;AACzB,gBAAM,YAAY,KAAK,4BAA4B,KAAK;AACxD,iBAAO,YAAY,CAAC,SAAS,IAAI,CAAC;AAAA,QACpC,CAAC;AAAA,MACH;AACA,aAAO,KAAK,aAAa,UAAU,OAAO,WAAW,SAAS,SAAS,KAAK;AAAA,IAC9E;AA0BE,SAAK,eAAe,OAAO;AAG3B,SAAK,SAAS;AAAA,MACZ,GAAG;AAAA,MACH,MAAM,OAAO,QAAQ;AAAA,IACvB;AAGA,QAAI,OAAO,cAAc;AACvB,WAAK,eAAe,OAAO;AAAA,IAC7B,WAAW,eAAc,cAAc;AACrC,WAAK,eAAe,eAAc,aAAa,mBAAmB;AAAA,IACpE,OAAO;AACL,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAGA,SAAK,iBAAiB,KAAK,aAAa,qBAAqB;AAG7D,UAAM,eAAe;AACrB,QAAI,SAAS,KAAK,eAAe,IAAI,YAAY;AACjD,QAAI,QAAQ;AAEV,WAAK,eAAe;AAAA,IACtB,OAAO;AAEL,WAAK,eAAe,KAAK,eAAe,iBAAiB,YAAY;AACrE,eAAS,KAAK,eAAe,IAAI,KAAK,YAAY;AAAA,IACpD;AAEA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,+BAA+B;AAAA,IACjD;AACA,SAAK,gBAAgB,KAAK,MAAM,MAAM;AAGtC,SAAK,sBAAsB,IAAI,uCAAsB;AAGrD,SAAK,eAAe,IAAI,gBAAgB;AAAA,MACtC,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAGD,SAAK,sBAAsB,OAAO,uBAAuB,IAAI,2CAA0B;AAKvF,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA;AAAA,MAEzB,QAAQ,KAAK;AAAA,MACb,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,aAAa,KAAK;AAAA,MAClB,UAAU,KAAK;AAAA;AAAA,MAEf,iBAAiB,CAACC,YAAW;AAG3B,cAAM,SAASA,QAAO,YAAY,QAAQ,OAAO,EAAE;AACnD,cAAM,YAAY,IAAI,2BAAU,EAAE,OAAO,CAAC;AAE1C,cAAM,YAAY,IAAI,gCAAe;AAAA,UACnC,QAAQA,QAAO;AAAA,UACf,OAAOA,QAAO,SAAS,WAAW,MAAM,KAAK,UAAU;AAAA,UACvD,OAAOA,QAAO;AAAA,QAChB,CAAC;AACD,kBAAU,WAAWA,QAAO,OAAO;AACnC,kBAAU,WAAW,SAAS;AAC9B,eAAO;AAAA,MACT;AAAA,IACF,CAAC;AAGD,QAAI,OAAO,QAAQ;AACjB,WAAK,SAAS,OAAO;AACrB,WAAK,UAAU,MAAM;AAAA,IACvB,WAAW,OAAO,YAAY;AAC5B,UAAI,CAAC,eAAc,cAAc;AAC/B,cAAM,IAAI;AAAA,UACR;AAAA,QAEF;AAAA,MACF;AACA,WAAK,SAAS,eAAc,aAAa,aAAa,OAAO,YAAY,KAAK,QAAQ;AACtF,WAAK,UAAU,MAAM;AAAA,IACvB;AAAA,EACF;AAAA;AAAA,EAjNA,OAAO,qBAAqB,UAA8B;AACxD,mBAAc,eAAe;AAAA,EAC/B;AAAA,EAgDA,IAAY,eAAyB;AACnC,WAAO,KAAK,MAAM,gBAAgB,CAAC;AAAA,EACrC;AAAA;AAAA,EAGA,IAAY,aAAqB;AAC/B,WAAO,KAAK,OAAO,UAAU;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EA8JQ,UAAU,QAAmC;AACnD,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClE,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,qBAAqB,OAAO,uBAAuB;AAAA,MACnD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,OAAO;AAAA,MAC7B,wBAAwB,OAAO;AAAA,MAC/B,iBAAiB,OAAO;AAAA,MACxB,mBAAmB,OAAO,qBAAqB;AAAA,MAC/C,sBAAsB,OAAO;AAAA,MAC7B,OAAO,OAAO;AAAA,MACd,YAAY,OAAO;AAAA,MACnB,UAAU,OAAO;AAAA,MACjB,mBAAmB,OAAO;AAAA,MAC1B,mCAAmC,OAAO;AAAA,IAC5C,CAAC;AAED,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AAAA,EACH;AAAA,EAEQ,2BAAiC;AACvC,UAAM,OAAO,KAAK,MAAM,MAAM,CAAC;AAC/B,QAAI,MAAM;AACR,WAAK,OAAO,OAAO;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAY,UAAmD;AAC7D,QAAI,CAAC,KAAK,MAAM;AAId,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,OAAO,WAAW;AACvB,SAAK,OAAO,oBAAoB;AAChC,SAAK,KAAK,YAAY,QAAQ;AAAA,EAChC;AAAA,EAEA,qBAAqB,SAAoD;AACvE,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,OAAO,oBAAoB;AAChC,SAAK,OAAO,WAAW,SAAS;AAChC,SAAK,KAAK,qBAAqB,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,WAA8C;AAChD,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA,EAEA,IAAI,oBAAyD;AAC3D,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA,EAEA,IAAI,QAAkB;AACpB,UAAM,YAAY,KAAK,MAAM,SAAS,CAAC;AACvC,WAAO,UAAU,SAAS,IAAI,YAAY,CAAC,KAAK,OAAO,IAAK;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAI,MAAc;AAEhB,QAAI,KAAK,UAAU;AACjB,iBAAO,yBAAO,KAAK,UAAU,KAAK,QAAQ;AAAA,IAC5C;AAEA,WAAO,KAAK,eAAe,OAAO,KAAK,YAAY;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAI,aAAqB;AACvB,WAAO,KAAK,eAAe,OAAO,KAAK,YAAY;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAA8B;AAChC,WAAO,KAAK,MAAM,QAAQ,KAAK,KAAK;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,gBAAyB;AAC3B,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,UAA8B;AAChC,WAAO,KAAK,MAAM,kBAAkB;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,UAAwC;AAC1C,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,SAAwC;AACnD,QAAI,CAAC,KAAK,UAAU,CAAC,KAAK,IAAI;AAC5B,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,UAAM,KAAK,aAAa,oBAAoB;AAE5C,SAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,SAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAG7C,SAAK,MAAM;AACX,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,SAAS;AACd,SAAK,SAAS;AACd,SAAK,cAAc;AACnB,SAAK,eAAe;AACpB,SAAK,WAAW;AAChB,SAAK,gBAAgB;AACrB,SAAK,kBAAkB;AACvB,SAAK,0BAA0B,CAAC;AAEhC,UAAM,KAAK,GAAG,OAAO,OAAO;AAC5B,SAAK,yBAAyB;AAG9B,SAAK,mBAAmB;AAExB,QAAI,KAAK,OAAO,aAAa,UAAa,KAAK,OAAO,sBAAsB,QAAW;AACrF,YAAM,KAAK,uBAAuB,KAAK,aAAa,SAAS,CAAC;AAAA,IAChE;AAEA,UAAM,KAAK,6BAA6B;AAExC,SAAK,oBAAoB,QAAQ,wBAAwB;AAAA,EAC3D;AAAA,EAEQ,aAAa,MAAsB;AACzC,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC7D;AACA,WAAO,KAAK,aAAa,YAAY,KAAK,UAAU,KAAK,UAAU,IAAI;AAAA,EACzE;AAAA,EAEA,MAAc,+BAA8C;AAC1D,UAAM,UAAU,KAAK;AACrB,QAAI,CAAC,WAAW,QAAQ,gBAAgB,WAAW,GAAG;AACpD;AAAA,IACF;AACA,QAAI,CAAC,KAAK,QAAQ,CAAC,KAAK,QAAQ;AAC9B,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AAEA,UAAM,iBAAiB,KAAK,aAAa,uCAAsB;AAC/D,UAAM,KAAK,uBAAuB,cAAc;AAEhD,UAAM,YAAY,KAAK,OAAO,IAAI,cAAc,EAAE;AAClD,eAAW,UAAU,QAAQ,iBAAiB;AAC5C,YAAM,SAAS,MAAM,UAAU,IAAI,OAAO,KAAK;AAAA,QAC7C,QAAQ,OAAO;AAAA,QACf,WAAW,OAAO;AAAA,QAClB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACrC,CAAC;AACD,UAAI,CAAC,OAAO,IAAI;AACd,cAAM,IAAI;AAAA,UACR,4CAA4C,OAAO,GAAG,KAAK,OAAO,MAAM,OAAO;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,uBAAuB,SAAgC;AACnE,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,gDAAgD;AAAA,IAClE;AAEA,UAAM,OAAO,KAAK,MAAM,CAAC,KAAK,KAAK,OAAO;AAC1C,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,UAAM,aAAa,UAAM,0CAAwB,MAAM,QAAQ,gBAAgB;AAC/E,QAAI,WAAW,WAAW,CAAC,WAAW,SAAS,SAAS,OAAO,GAAG;AAChE;AAAA,IACF;AAEA,QAAI,CAAC,WAAW,WAAW,WAAW,WAAW,KAAK;AACpD,YAAM,IAAI;AAAA,QACR,+BAA+B,OAAO,KAAK,WAAW,SAAS,WAAW,MAAM;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,UAAU,MAAO,KAAK,KAA+B,eAAe,OAAO;AACjF,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,iCAAiC,OAAO,EAAE;AAAA,IAC5D;AAEA,UAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAEvD,UAAM,QAAQ,UAAM,0CAAwB,MAAM,QAAQ,gBAAgB;AAC1E,QAAI,CAAC,MAAM,WAAW,MAAM,SAAS,SAAS,OAAO,GAAG;AACtD,YAAM,IAAI;AAAA,QACR,yDAAyD,OAAO,KAC9D,MAAM,SAAS,mBACjB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,eAAe,aAuBH;AAEhB,UAAM,KAAK,aAAa,oBAAoB;AAG5C,SAAK,MAAM;AACX,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,SAAS;AACd,SAAK,SAAS;AACd,SAAK,cAAc;AACnB,SAAK,eAAe;AACpB,SAAK,WAAW;AAChB,SAAK,gBAAgB;AACrB,SAAK,kBAAkB;AACvB,SAAK,0BAA0B,CAAC;AAEhC,UAAM,kBAAkB,YAAY,cAChC,sCAAoB,YAAY,OAAO,IACvC;AACJ,QAAI,iBAAiB;AACnB,WAAK,WAAW;AAAA,IAClB;AACA,QAAI,YAAY,SAAS;AACvB,WAAK,WAAW,YAAY;AAAA,IAC9B;AAGA,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,WAAW,KAAK;AAAA,MAChB,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,IAC3B,CAAC;AAGD,SAAK,MAAM,IAAI,2BAAU,CAAC,CAAC;AAC3B,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,SAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,SAAK,KAAK,WAAW,KAAK,eAAe;AACzC,SAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAGrD,SAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,SAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,SAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAE3D,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,YAAY;AAAA,MAC9B,eAAe,YAAY;AAAA,MAC3B,SAAS,YAAY;AAAA,MACrB,oBAAoB,YAAY;AAAA,MAChC,KAAK,YAAY;AAAA,IACnB;AACA,SAAK,gBAAgB,WAAW,cAAc;AAG9C,SAAK,SAAS,KAAK,mBAAmB,YAAY,SAAS,KAAK,GAAI;AACpE,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,SAAK,qBAAqB,cAAc;AAWxC,QAAI,YAAY,QAAQ,mBAAmB,YAAY,SAAS;AAC9D,YAAM,YAA8B;AAAA,QAClC,SAAS;AAAA,QACT,SAAS,YAAY;AAAA,QACrB,YAAY,KAAK,UAAU,YAAY,GAAG;AAAA,QAC1C,SAAS,YAAY;AAAA,QACrB,eAAe,YAAY;AAAA,QAC3B,kBAAkB,YAAY;AAAA,QAC9B,oBAAoB,YAAY;AAAA,QAChC,KAAK,YAAY;AAAA,QACjB,MAAM,YAAY;AAAA,QAClB,WAAW,YAAY,aAAa;AAAA,MACtC;AACA,UAAI,KAAK,MAAM;AACb,aAAK,KAAK,4BAA4B,SAAS;AAAA,MACjD,OAAO;AACL,aAAK,qBAAqB;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,0BAAwD;AAC9D,WAAO,KAAK,MAAM,oBAAoB,KAAK;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,cAAc,YAAoB,SAAuE;AACvG,QAAI,KAAK,QAAQ;AACf,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,SAAS,SAAS,UAAU;AAGlC,QAAI,CAAC,eAAc,cAAc;AAC/B,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,SAAK,SAAS,eAAc,aAAa,aAAa,UAAU;AAGhE,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,SAAS,kBAAkB,KAAK,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClG,QAAQ,KAAK;AAAA,MACb,aAAa;AAAA,MACb,qBAAqB,KAAK,OAAO,uBAAuB;AAAA,MACxD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,KAAK,OAAO;AAAA,MAClC,wBAAwB,KAAK,OAAO;AAAA,MACpC,iBAAiB,KAAK,OAAO;AAAA,MAC7B,mBAAmB,KAAK,OAAO,qBAAqB;AAAA,MACpD,sBAAsB,KAAK,OAAO;AAAA,MAClC,OAAO,KAAK,OAAO;AAAA,MACnB,YAAY,KAAK,OAAO;AAAA,MACxB,UAAU,KAAK,OAAO;AAAA,MACtB,mBAAmB,KAAK,OAAO;AAAA,MAC/B,mCAAmC,KAAK,OAAO;AAAA,IACjD,CAAC;AAGD,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AAGD,SAAK,OAAO,SAAS;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,cAAc,QAAiB,SAAuE;AACpG,QAAI,KAAK,QAAQ;AACf,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,SAAS,SAAS,UAAU;AAElC,SAAK,SAAS;AAEd,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,SAAS,kBAAkB,KAAK,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClG,QAAQ,KAAK;AAAA,MACb,aAAa;AAAA,MACb,qBAAqB,KAAK,OAAO,uBAAuB;AAAA,MACxD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,KAAK,OAAO;AAAA,MAClC,wBAAwB,KAAK,OAAO;AAAA,MACpC,iBAAiB,KAAK,OAAO;AAAA,MAC7B,mBAAmB,KAAK,OAAO,qBAAqB;AAAA,MACpD,sBAAsB,KAAK,OAAO;AAAA,MAClC,OAAO,KAAK,OAAO;AAAA,MACnB,YAAY,KAAK,OAAO;AAAA,MACxB,UAAU,KAAK,OAAO;AAAA,MACtB,mBAAmB,KAAK,OAAO;AAAA,MAC/B,mCAAmC,KAAK,OAAO;AAAA,IACjD,CAAC;AAED,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AACD,SAAK,OAAO,SAAS;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBAA2B;AACjC,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ;AAAA,IACF;AAGA,SAAK,GAAI,mBAAmB,KAAK,8BAA8B,CAAC,KAAK,OAAO,IAAK,CAAC;AAGlF,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,WAAW,KAAK;AAAA,MAChB,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,IAC3B,CAAC;AAGD,SAAK,MAAM,IAAI,2BAAU,CAAC,CAAC;AAC3B,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,UAAM,WAAW,KAAK;AACtB,QAAI,SAAS,WAAW,KAAK,SAAS,SAAS,KAAK,GAAG;AACrD,WAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,WAAK,KAAK,WAAW,KAAK,eAAe;AACzC,WAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAAA,IACvD;AAGA,QAAI,SAAS,WAAW,KAAK,SAAS,SAAS,QAAQ,GAAG;AACxD,WAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,WAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,WAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAAA,IAC7D;AAEA,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,SAAS,QAAQ;AAAA,MACjB,oBAAoB,QAAQ;AAAA,MAC5B,KAAK,QAAQ;AAAA,IACf;AACA,SAAK,gBAAgB,WAAW,cAAc;AAC9C,IAAC,KAAK,GAAI,eAAkC,WAAW,cAAc;AAGrE,SAAK,SAAS,KAAK,mBAAmB,QAAQ,SAAS,KAAK,GAAI;AAChE,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,SAAK,qBAAqB,cAAc;AAAA,EAC1C;AAAA,EAEQ,2BAA2B,SAA4B;AAC7D,UAAM,YAAY,IAAI,2BAAU,CAAC,CAAC;AAClC,QAAI,KAAK,iBAAiB;AACxB,YAAM,qBAAqB,IAAI,gCAAe;AAAA,QAC5C,QAAQ,KAAK,gBAAgB;AAAA,QAC7B,OAAO,KAAK,gBAAgB;AAAA,QAC5B,OAAO,KAAK,gBAAgB;AAAA,MAC9B,CAAC;AACD,YAAM,UAAU,KAAK,gBAAgB;AACrC,UAAI,SAAS;AACX,2BAAmB,WAAW,EAAE,GAAG,SAAS,QAAQ,CAAC;AAAA,MACvD;AACA,gBAAU,WAAW,kBAAkB;AAAA,IACzC;AACA,WAAO;AAAA,EACT;AAAA,EAEA,8BAA8B,OAAO,iCAAyC;AAC5E,WAAO,4BAA4B,KAAK,GAAG,IAAI,IAAI;AAAA,EACrD;AAAA,EAEQ,wBAAwC;AAC9C,UAAM,UAAU,KAAK,iBAAiB;AACtC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,yBAA2C;AACjD,UAAM,OAAO,KAAK;AAClB,UAAM,gBAAgB,CAAC,KAAiB,cAAsC;AAC5E,YAAM,YAAY,KAAK,cAAc,KAAK,SAAS;AACnD,YAAM,MAAM,IAAI,WAAW,IAAI,UAAU,MAAM;AAC/C,UAAI,CAAC,IAAI;AACT,UAAI,IAAI,WAAW,CAAC;AACpB,aAAO;AAAA,IACT;AACA,UAAM,gBAAgB,CAAC,KAAiB,SAAiC;AACvE,UAAI,KAAK,CAAC,MAAM,GAAM;AACpB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,cAAc,KAAK,KAAK,MAAM,CAAC,CAAC;AAAA,IAC9C;AACA,WAAO;AAAA,MACL,QAAQ,CAAC,SAAS,KAAK,aAAa,IAAI;AAAA,MACxC,aAAa,CAAC,WAAW,KAAK,mBAAmB,MAAM;AAAA,MACvD,gBAAgB,CAAC,SAAS,KAAK,uBAAuB,IAAI;AAAA,MAC1D,UAAU,CAAC,YAAY,cACrB,KAAK,gBAAgB,YAAY,SAAS;AAAA,MAC5C,aAAa,CAAC,KAAK,cAAc,KAAK,cAAc,KAAK,SAAS;AAAA,MAClE,aAAa,CAAC,KAAK,eAAe,KAAK,cAAc,KAAK,UAAU;AAAA,MACpE,kBAAkB,CAAC,kBAAkB,iBAAiB;AACpD,cAAM,OAAO,KAAK,mBAAmB,EAAE;AACvC,cAAM,YAAY,KAAK,uBAAuB,IAAI;AAClD,cAAM,SAAS,KAAK;AAAA,UAClB,UAAU;AAAA,UACV;AAAA,QACF;AACA,cAAM,YAAY,cAAc,QAAQ,YAAY;AACpD,cAAM,MAAM,IAAI,WAAW,UAAU,UAAU,SAAS,UAAU,MAAM;AACxE,YAAI,IAAI,UAAU,WAAW,CAAC;AAC9B,YAAI,IAAI,WAAW,UAAU,UAAU,MAAM;AAC7C,eAAO;AAAA,MACT;AAAA,MACA,qBAAqB,CAAC,oBAAoB,eAAe;AACvD,cAAM,aAAa,WAAW,MAAM,GAAG,EAAE;AACzC,cAAM,aAAa,WAAW,MAAM,EAAE;AACtC,cAAM,SAAS,KAAK,gBAAgB,oBAAoB,UAAU;AAClE,eAAO,cAAc,QAAQ,UAAU;AAAA,MACzC;AAAA,MACA,qBAAqB,CAAC,QAAQ,SAAS,kBACrC,+CAA6B,QAAQ,SAAS,SAAS;AAAA,IAC3D;AAAA,EACF;AAAA,EAEA,MAAc,cAA+B;AAC3C,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,IAAI,OAAO;AACvD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MAAM,mCAAmC,SAAS,MAAM,EAAE;AAAA,IACtE;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,QAAI,OAAO,KAAK,WAAW,YAAY,KAAK,OAAO,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC9D;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAc,4BAA4B,OAKoB;AAC5D,QAAI,CAAC,KAAK,aAAa,WAAW;AAChC,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AACA,QAAI,CAAC,KAAK,aAAa,YAAY;AACjC,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AACA,UAAM,UAAU,KAAK,sBAAsB;AAC3C,UAAM,UAAU,KAAK;AAAA,MACnB;AAAA,MACA;AAAA,QACE;AAAA,UACE,UAAU,MAAM;AAAA,UAChB,SAAS;AAAA,UACT,MAAM,MAAM;AAAA,UACZ,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AAAA,MACA,CAAC,MAAM,KAAgC;AAAA,IACzC;AACA,UAAM,gBAAgB,oBAAoB,OAAO;AACjD,UAAM,gBAAgB,MAAM;AAAA,MAC1B;AAAA,MACA,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,eAAe,KAAK,aAAa;AAAA,QAC/B,IAAI,YAAY,EAAE,OAAO,aAAa;AAAA,QACtC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,0BAA6C;AACnD,UAAM,SAAS,KAAK,uBAAuB;AAC3C,UAAM,YAA8B;AAAA,MAClC,aAAa,OAAO,EAAE,WAAW,eAAe,cAAc,MAAM;AAClE,cAAM,WAAW,MAAM;AAAA,UACrB,GAAG,KAAK,OAAO,IAAI,wBAAwB,mBAAmB,SAAS,CAAC;AAAA,UACxE;AAAA,YACE,QAAQ;AAAA,YACR,SAAS;AAAA,cACP,eAAe;AAAA,cACf,gBAAgB;AAAA,YAClB;AAAA,YACA,MAAM;AAAA,UACR;AAAA,QACF;AACA,YAAI,CAAC,SAAS,IAAI;AAChB,gBAAM,IAAI;AAAA,YACR,kBAAkB,SAAS,MAAM,KAAK,MAAM,SAAS,KAAK,CAAC;AAAA,UAC7D;AAAA,QACF;AACA,eAAQ,MAAM,SAAS,KAAK;AAAA,MAC9B;AAAA,IACF;AACA,WAAO,IAAI,mCAAkB;AAAA,MAC3B;AAAA,MACA,QAAQ;AAAA,QACN,uBAAuB,OACrB,UACoC;AACpC,gBAAM,SAAS,MAAM,KAAK,4BAA4B;AAAA,YACpD,YAAY,MAAM;AAAA,YAClB,WAAW,MAAM;AAAA,YACjB,QAAQ;AAAA,YACR,OAAO,MAAM;AAAA,UACf,CAAC;AACD,iBAAO;AAAA,YACL,GAAG;AAAA,YACH,mBAAe;AAAA,cACb,MAAM;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,MACA;AAAA,MACA,MAAM;AAAA,QACJ,kBAAkB,CAAC,cAAc,KAAK,qBAAqB,SAAS;AAAA,MACtE;AAAA,MACA,WAAW;AAAA,QACT,gBAAgB,OAAO,WAAW,iBAAiB;AACjD,cAAI,CAAC,KAAK,YAAY,CAAC,oBAAoB,WAAW,KAAK,GAAG,GAAG;AAC/D,mBAAO;AAAA,UACT;AACA,cAAI,CAAC,KAAK,OAAO,MAAM;AACrB,mBAAO;AAAA,UACT;AACA,gBAAM,oBAAgB,oCAAkB,KAAK,UAAU,KAAK,QAAQ;AACpE,gBAAM,SAAS,MAAM,2BAAU,gBAE7B,KAAK,OAAO,MAAM,eAAe,YAAY;AAC/C,cAAI,CAAC,OAAO,IAAI;AACd,mBAAO;AAAA,UACT;AACA,gBAAM,OAAO,OAAO;AAGpB,iBAAO,gBAAgB,QAAQ,KAAK,aAChC,KAAK,aACJ;AAAA,QACP;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,uBAA0C;AAChD,QAAI,CAAC,KAAK,iBAAiB;AACzB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,aAAa;AACrB,WAAK,cAAc,KAAK,wBAAwB;AAChD,WAAK,YAAY,WAAW,KAAK,eAAe;AAChD,WAAK,gBAAgB,gBAAgB,cAAc,KAAK,WAAW;AAAA,IACrE;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,mBAAmB,SAAiB,IAAkC;AAC5E,UAAM,OAAO,KAAK;AAClB,UAAM,kBAAc,oCAAkB;AAAA,MACpC,eAAe,KAAK;AAAA,MAAe,eAAe,KAAK;AAAA,MAAe,kBAAkB,KAAK;AAAA,MAC7F,wBAAwB,KAAK;AAAA,MAAwB,iBAAiB,KAAK;AAAA,MAC3E,oBAAoB,KAAK;AAAA,MAAoB,cAAc,KAAK;AAAA,IAClE,CAAC;AACD,UAAM,OAAO;AACb,WAAO,IAAI,kCAAiB;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,MACR,YAAY;AAAA,QACV,WAAW,KAAK,8BAA8B;AAAA,QAC9C,SAAS,KAAK,qBAAqB;AAAA,QACnC,wBAAwB,OAAO;AAAA,UAC7B,QAAQ,CAAC,KAAK,sBAAsB,EAAE,aAAa;AAAA,QACrD;AAAA,MACF;AAAA,MACA,IAAI;AAAA,QACF;AAAA,QACA,mBAAmB,YAAY;AAC7B,cAAI;AACF,kBAAM,KAAK,kBAAkB;AAC7B,mBAAO,EAAE,IAAI,MAAe,MAAM,OAAU;AAAA,UAC9C,SAAS,OAAO;AACd,mBAAO,EAAE,IAAI,OAAgB,OAAO,EAAE,MAAM,iBAAiB,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,GAAG,SAAS,QAAQ,EAAE;AAAA,UACnJ;AAAA,QACF;AAAA,QACA,IAAI,WAAW;AAAE,iBAAO,KAAK,aAAa,KAAK,GAAI;AAAA,QAAU;AAAA,QAC7D,iBAAiB,CAAI,MAAc,eAAuB,QACxD,2BAAU,gBAAmB,MAAM,eAAe,GAAG;AAAA,QACvD,mBAAmB,2BAAU;AAAA,QAC7B,KAAK,KAAK;AAAA,QACV,SAAS,KAAK,YAAY;AAAA,QAC1B,SAAS,KAAK;AAAA,QACd,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MAC3B;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBAAqB,gBAAsC;AAEjE,SAAK,sBAAsB,IAAI,uCAAsB;AAErD,UAAM,YAAY,KAAK,MAAM;AAE7B,QAAI,aAAa,KAAK,UAAU;AAC9B,YAAM,aAAsB;AAAA,QAC1B,IAAI,UAAU;AAAA,QACd,KAAK,UAAU;AAAA,QACf,MAAM;AAAA;AAAA,QAEN,KAAK,UAAU;AAAA,QACf,UAAU;AAAA;AAAA,MACZ;AAGA,YAAM,iBAA6B;AAAA,QACjC,KAAK,UAAU;AAAA,QACf,aAAa,UAAU;AAAA,QACvB,SAAS,UAAU;AAAA,QACnB,MAAM;AAAA;AAAA,QACN,SAAS;AAAA,UACP;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,QAAQ,KAAK,iBAAiB;AAAA,QAC9B,WAAW;AAAA,QACX,oBAAoB;AAAA,MACtB;AAGA,YAAM,cAAc,CAAC,cAAc;AAGnC,UAAI,UAAU,QAAQ;AACpB,mBAAW,CAAC,WAAW,OAAO,KAAK,OAAO,QAAQ,UAAU,MAAM,GAAG;AACnE,sBAAY,KAAK;AAAA,YACf,KAAK,UAAU;AAAA,YACf,aAAa,UAAU;AAAA,YACvB;AAAA,YACA,MAAM;AAAA,YACN,SAAS;AAAA,cACP;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAAA,YACA,QAAQ,KAAK,iBAAiB;AAAA,YAC9B,WAAW;AAAA,YACX,oBAAoB;AAAA,UACtB,CAAC;AAAA,QACH;AAAA,MACF;AAEA,WAAK,oBAAoB,YAAY,YAAY,WAAW;AAAA,IAC9D;AAGA,SAAK,qBAAqB,IAAI,mCAAkB;AAAA,MAC9C,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MACzB,SAAS;AAAA,MACT,QAAQ,KAAK;AAAA,MACb,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,IACzC,CAAC;AAGD,SAAK,gBAAgB,IAAI,8BAAa;AAAA,MACpC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MACzB,SAAS;AAAA,MACT,QAAQ,KAAK,aAAa;AAAA,MAC1B,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,oBAAoB,KAAK;AAAA,MACzB,SAAS,KAAK;AAAA,MACd,iBAAiB,CAAC,YAAoB;AACpC,eAAO,KAAK,2BAA2B,OAAO;AAAA,MAChD;AAAA,MACA,oBAAoB,CAAC,YAAoB;AACvC,cAAM,YAAY,KAAK,2BAA2B,OAAO;AACzD,cAAM,eAAe,KAAK,mBAAmB,SAAS,SAAS;AAC/D,YAAI,KAAK,iBAAiB;AACxB,uBAAa,WAAW,KAAK,eAAe;AAAA,QAC9C;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAEA,kBAAkB,OAAO,WAAW;AAClC,YAAI;AAEF,gBAAM,qBAAqB,MAAM,KAAK,iBAAiB;AAAA,YACrD,aAAa,OAAO;AAAA,YACpB,MAAM,OAAO;AAAA,YACb,SAAS,OAAO;AAAA,YAChB,sBAAsB,OAAO;AAAA,YAC7B,UAAU,OAAO,SACb,OAAO,OAAO,QAAQ,IAAI,KAAK,IAAI,IACnC;AAAA,UACN,CAAC;AAGD,gBAAM,aAAyB;AAAA,YAC7B,KAAK,mBAAmB;AAAA,YACxB,aAAa,mBAAmB;AAAA,YAChC,cAAc,KAAK;AAAA,YACnB,SAAS,mBAAmB;AAAA,YAC5B,MAAM,mBAAmB;AAAA,YACzB,SAAS,mBAAmB;AAAA,YAC5B,QAAQ,mBAAmB;AAAA,YAC3B,WAAW;AAAA,YACX,oBAAoB,CAAC,mBAAmB;AAAA,YACxC,WAAW,oBAAI,KAAK;AAAA,YACpB,YAAY,mBAAmB,iBAAiB;AAAA,UAClD;AAEA,iBAAO,EAAE,IAAI,MAAM,MAAM,WAAW;AAAA,QACtC,SAAS,OAAO;AACd,iBAAO;AAAA,YACL,IAAI;AAAA,YACJ,OAAO;AAAA,cACL,MAAM;AAAA,cACN,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,cAC9D,SAAS;AAAA,YACX;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAC;AAID,SAAK,gBAAgB,aAAa;AAAA,MAChC,SAAS;AAAA,MACT,mBAAmB,KAAK;AAAA,MACxB,eAAe,KAAK,iBAAiB;AAAA;AAAA,MAErC,sBAAsB,CAAC,WAAW,KAAK,wBAAwB,MAAM;AAAA;AAAA;AAAA,MAGrE,wBAAwB,KAAK,SACzB,OAAO,WAAW,KAAK,+BAA+B,MAAM,IAC5D;AAAA,IACN,CAAC;AAGD,SAAK,cAAc,aAAa;AAAA,MAC9B,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,mBAAyB;AAE/B,UAAM,eAAe,KAAK,OAAO,uBAAuB;AACxD,WAAO,IAAI,KAAK,KAAK,IAAI,IAAI,YAAY;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBQ,wBAAwB,QAAgE;AAE9F,UAAM,cAAc;AAAA,MAClB,kBAAkB,OAAO,QAAQ;AAAA,MACjC,eAAe,OAAO,QAAQ;AAAA,MAC9B,KAAK,OAAO,QAAQ;AAAA,MACpB,SAAS,OAAO,QAAQ;AAAA,MACxB,oBAAoB,OAAO,QAAQ;AAAA,IACrC;AAEA,UAAM,SAAS,KAAK,aAAa;AAAA,MAC/B;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,YAAY,OAAO;AAAA,MACnB,KAAK,OAAO;AAAA;AAAA;AAAA;AAAA,MAIZ,aAAa,OAAO,eAAe,OAAO;AAAA,MAC1C,QAAQ,IAAI,KAAK,OAAO,SAAS,GAAI;AAAA,MACrC,WAAW,OAAO;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,+BAA+B,QAMT;AAClC,QAAI,CAAC,KAAK,QAAQ;AAChB,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,OAAO,KAAK,OAAO;AACzB,YAAM,MAAM,oBAAI,KAAK;AAGrB,YAAM,YAAsD;AAAA,QAC1D,IAAI;AAAA,UACF,CAAC,OAAO,IAAI,GAAG,OAAO;AAAA,QACxB;AAAA,MACF;AAGA,YAAM,WAAW,KAAK,aAAa,eAAe;AAAA,QAChD;AAAA,QACA,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,OAAO,gBAAgB,YAAY;AAAA,QACnD,SAAS,OAAO;AAAA,QAChB,aAAa,OAAO;AAAA,MACtB,CAAC;AAGD,YAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAE7D,YAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,QAC/D,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAGD,YAAM,iBAAiB,UAAM;AAAA,QAC3B;AAAA,QACA,kBAAkB;AAAA,MACpB;AAEA,UAAI,CAAC,eAAe,SAAS;AAC3B,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,QACL,KAAK,kBAAkB;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,kBAAc,yBAAO,QAAQ,SAAS,QAAQ,OAAO;AAAA,QACrD,SAAS,OAAO;AAAA,QAChB,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,QAChB,QAAQ,OAAO;AAAA,QACf,WAAW;AAAA,QACX,oBAAoB;AAAA,QACpB,WAAW;AAAA,QACX,YAAY,kBAAkB,iBAAiB;AAAA,MACjD;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAwB,YAAgC,KAAgB;AAC9E,QAAI,CAAC,KAAK,qBAAqB;AAC7B;AAAA,IACF;AAEA,UAAM,UAAmB;AAAA,MACvB,IAAI,YAAY,WAAW,GAAG;AAAA,MAC9B,KAAK,KAAK;AAAA,MACV,MAAM;AAAA,MACN;AAAA,MACA,UAAU;AAAA,IACZ;AAGA,UAAM,mBAA+B;AAAA,MACnC,KAAK,WAAW;AAAA,MAChB,aAAa,WAAW;AAAA,MACxB,SAAS,WAAW;AAAA,MACpB,MAAM,WAAW;AAAA,MACjB,SAAS,WAAW;AAAA,MACpB,QAAQ,WAAW;AAAA,MACnB,WAAW;AAAA,MACX,oBAAoB,CAAC,WAAW;AAAA,IAClC;AAEA,SAAK,oBAAoB,UAAU,SAAS,gBAAgB;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,KAAiB;AACnB,QAAI,CAAC,KAAK,KAAK;AACb,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAmB;AACrB,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,WAAW,KAAK;AACtB,UAAI,SAAS,SAAS,KAAK,CAAC,SAAS,SAAS,KAAK,GAAG;AACpD,cAAM,IAAI,yCAAwB,OAAO,KAAK,OAAO,MAAO,QAAQ;AAAA,MACtE;AACA,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,YAAY,SAA8B;AACxC,QAAI,CAAC,KAAK,mBAAmB,CAAC,KAAK,gBAAgB,SAAS;AAC1D,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAEA,UAAM,MAAM,IAAI,4BAAW,CAAC,CAAC;AAC7B,UAAM,qBAAqB,IAAI,gCAAe;AAAA,MAC5C,QAAQ,KAAK,gBAAgB;AAAA,MAC7B,OAAO,KAAK,gBAAgB;AAAA,MAC5B,OAAO,KAAK,gBAAgB;AAAA,IAC9B,CAAC;AACD,uBAAmB,WAAW,EAAE,GAAG,KAAK,gBAAgB,SAAS,QAAQ,CAAC;AAC1E,QAAI,WAAW,kBAAkB;AACjC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,SAAyB;AAC3B,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,WAAW,KAAK;AACtB,UAAI,SAAS,SAAS,KAAK,CAAC,SAAS,SAAS,QAAQ,GAAG;AACvD,cAAM,IAAI,yCAAwB,UAAU,KAAK,OAAO,MAAO,QAAQ;AAAA,MACzE;AACA,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,QAA2B;AAC7B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,aAAiC;AACnC,WAAO,KAAK,qBAAqB;AAAA,EACnC;AAAA,EAEA,MAAM,qBACJ,kBAAkB,KAAK,8BAA8B,GAClB;AACnC,UAAM,YAAY,gBAAgB,WAAW,2BAA2B,IACpE,kBACA,KAAK,8BAA8B,eAAe;AACtD,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,KAAK,OAAO,IAAI,wBAAwB,mBAAmB,SAAS,CAAC;AAAA,IAC1E;AACA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AACA,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,sCAAsC,SAAS,UAAU,SAAS,MAAM,IAAI,MAAM,SAAS,KAAK,CAAC;AAAA,MACnG;AAAA,IACF;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAGlC,WAAO,gBAAgB,QAAQ,KAAK,aAAa,KAAK,aAAa;AAAA,EACrE;AAAA,EAEA,MAAM,wBACJ,OAAO,iCACqB;AAC5B,UAAM,aAAa,MAAM,KAAK,YAAY;AAC1C,UAAM,WAAW,KAAK;AACtB,UAAM,YAAY,KAAK,8BAA8B,IAAI;AACzD,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA,WAAW,EAAE,GAAG,GAAG,GAAG,EAAE;AAAA,IAC1B;AACA,UAAM,SAAS,KAAK,uBAAuB;AAC3C,UAAM,QAAQ;AAAA,MACZ,MAAM;AAAA,MACN;AAAA,MACA;AAAA,MACA,cAAU;AAAA,QACR,OAAO;AAAA,QACP;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,IACV;AACA,UAAM,SAAS,MAAM,KAAK,4BAA4B;AAAA,MACpD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,IAAI,wBAAwB;AAAA,MACtE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,eAAe,OAAO;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAAA,MACA,UAAM;AAAA,QACJ;AAAA,MACF;AAAA,IACF,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,uCAAuC,SAAS,UAAU,SAAS,MAAM,IAAI,MAAM,SAAS,KAAK,CAAC;AAAA,MACpG;AAAA,IACF;AACA,UAAM,UAAW,MAAM,SAAS,KAAK;AACrC,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,wBACJ,OAAO,iCACqB;AAC5B,UAAM,WAAW,MAAM,KAAK,qBAAqB,IAAI;AACrD,QAAI,UAAU;AACZ,aAAO;AAAA,IACT;AACA,WAAO,KAAK,wBAAwB,IAAI;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAA2B;AAC7B,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,WAAW,IAAI,mBAAmB;AAAA,QACrC,YAAY,MAAM,KAAK,eAAe;AAAA,QACtC,aAAa,MAAM,KAAK;AAAA,QACxB,gBAAgB,CAAC,gBAAgB,KAAK,sBAAsB,WAAW;AAAA,QACvE,kBAAkB,CAAC,eAAe,KAAK,wBAAwB,UAAU;AAAA,QACzE,aAAa,MAAM,KAAK,WAAW,UAAa,KAAK,OAAO;AAAA,QAC5D,wBAAwB,MAAM,KAAK,8BAA8B;AAAA,QACjE,iBAAiB,MAAM,KAAK,UAAU;AAAA,MACxC,CAAC;AAAA,IACH;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,iBAAkC;AACxC,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,cAAc;AACtB,WAAK,eAAe,IAAI,gCAAe,MAAM,KAAK,MAAM,SAAS,EAAE,KAAK;AAAA,IAC1E;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,QAAuB;AACzB,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,IAAI,qBAA6C;AAC/C,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAI,MAAM,wCAAwC;AAAA,IAC1D;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,IAAI,cAKF;AACA,UAAM,WAAW,KAAK;AACtB,QAAI,CAAC,UAAU;AACb,aAAO;AAAA,QACL,MAAM,MAAM,CAAC;AAAA,QACb,KAAK,MAAM;AAAA,MACb;AAAA,IACF;AAEA,WAAO;AAAA,MACL,MAAM,MAAM,SAAS,mBAAmB,EAAE,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,MACzE,KAAK,CAAC,QAAgB;AACpB,cAAM,eAAe,SAAS,mBAAmB;AACjD,cAAM,QAAQ,aAAa,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ,GAAG;AAC/D,eAAO,OAAO;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,aAAyC;AAC7D,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,WAAW,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AACvE,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,QAAI,KAAK,+BAA+B,SAAS,QAAQ,GAAG;AAC1D,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,sCAAsC,UAAU,OAAO,EAAE,SAAS;AAAA,EAChF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gCACE,aACsB;AACtB,SAAK,oCAAoC;AACzC,QAAI,gBAAgB,QAAW;AAC7B,aAAO,KAAK,wBAAwB,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,IACrE;AAEA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,WAAW,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AACvE,aAAO,CAAC;AAAA,IACV;AACA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,WAAO,KAAK,sCAAsC,UAAU,OAAO,EAAE;AAAA,MACnE,CAAC,UAAU,MAAM;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,qBAAqB,YAA+C;AACxE,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AACA,QAAI,WAAW,OAAO,QAAQ,KAAK,KAAK,IAAI,GAAG;AAC7C,YAAM,IAAI,qCAAoB,WAAW,MAAM;AAAA,IACjD;AAEA,UAAM,eAAe,CAAC,QAAQ,oBAAoB,KAAK,UAAU;AACjE,QAAI,CAAC,aAAa,KAAK,CAAC,QAAQ,oBAAoB,WAAW,aAAa,GAAG,CAAC,GAAG;AACjF,YAAM,IAAI;AAAA,QACR,8BAA8B,WAAW,WAAW,4BAA4B,QAAQ,kBAAkB;AAAA,MAC5G;AAAA,IACF;AAEA,UAAM,aAAa,WAAW,QAAQ,KAAK,OAAO;AAClD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,IACb;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,qDAAqD,eAAe,KAAK;AAAA,MAC3E;AAAA,IACF;AAEA,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UAAU,MAAM,WAAW,QAAQ,WAAW;AAAA,IACjD;AACA,SAAK,wBAAwB;AAAA,MAC3B,KAAK,2BAA2B,YAAY,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,wBACJ,aACA,SAC+B;AAC/B,QAAI,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AAC3D,YAAM,IAAI,MAAM,gEAAgE;AAAA,IAClF;AACA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AAEA,UAAM,gBAAgB,sBAAsB,QAAQ,IAAI;AACxD,QAAI,kBAAkB,QAAW;AAC/B,YAAM,WAAW,eAAc;AAC/B,UAAI,cAAc,QAAQ,KAAK,KAAK,IAAI,IAAI,UAAU;AACpD,cAAM,IAAI,qCAAoB,aAAa;AAAA,MAC7C;AAAA,IACF;AAEA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,QAAI,KAAK,+BAA+B,SAAS,QAAQ,GAAG;AAC1D,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,iBAAiB,KAAK,sCAAsC,UAAU,OAAO;AACnF,QAAI,eAAe,SAAS,GAAG;AAC7B,aAAO,eAAe,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,SAAS;AAAA,MAAO,CAAC,UAClC,KAAK,4BAA4B,KAAK;AAAA,IACxC;AACA,UAAM,eAAe,SAAS;AAAA,MAAO,CAAC,UACpC,CAAC,KAAK,4BAA4B,KAAK;AAAA,IACzC;AAEA,UAAM,UAAU,oBAAI,IAA+B;AACnD,eAAW,SAAS,cAAc;AAChC,YAAM,UAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,YAAM,UAAU,QAAQ,IAAI,OAAO,KAAK,CAAC;AACzC,cAAQ,KAAK,KAAK;AAClB,cAAQ,IAAI,SAAS,OAAO;AAAA,IAC9B;AACA,QAAI,QAAQ,SAAS,KAAK,WAAW,SAAS,GAAG;AAC/C,cAAQ,IAAI,QAAQ,SAAS,CAAC,CAAC;AAAA,IACjC;AAEA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,oBAAoB,gBAAgB,SAAS,MAAM;AACzD,QAAI,YAAY,IAAI,KAAK,IAAI,QAAQ,IAAI,iBAAiB;AAC1D,QAAI,kBAAkB,UAAa,gBAAgB,WAAW;AAC5D,kBAAY;AAAA,IACd;AAEA,UAAM,cAAoC,CAAC;AAC3C,QAAI,qBAAqB;AACzB,eAAW,CAAC,SAAS,OAAO,KAAK,SAAS;AACxC,YAAM,mBAAmB,CAAC,qBAAqB,aAAa,CAAC;AAC7D,UAAI,iBAAiB,SAAS,GAAG;AAC/B,6BAAqB;AAAA,MACvB;AACA,YAAM,mBAAmB,CAAC,GAAG,SAAS,GAAG,gBAAgB;AACzD,YAAM,YAAY,KAAK,uBAAuB,OAAO;AACrD,YAAM,WAAW,KAAK,aAAa,eAAe;AAAA,QAChD;AAAA,QACA,GAAI,iBAAiB,SAAS,IAC1B,EAAE,cAAc,KAAK,0BAA0B,gBAAgB,EAAE,IACjE,CAAC;AAAA,QACL,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,UAAU,YAAY;AAAA,QACtC;AAAA,QACA,KAAK,QAAQ;AAAA,MACf,CAAC;AAED,YAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAC7D,YAAM,mBAAmB,KAAK,aAAa,qBAAqB;AAAA,QAC9D,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAED,YAAM,iBAAiB,UAAM;AAAA,QAC3B,KAAK,OAAO;AAAA,QACZ,iBAAiB;AAAA,MACnB;AACA,UAAI,CAAC,eAAe,SAAS;AAC3B,cAAM,IAAI;AAAA,UACR,qDAAqD,eAAe,KAAK;AAAA,QAC3E;AAAA,MACF;AAEA,YAAM,aAAa,KAAK;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,WAAK,wBAAwB,KAAK;AAAA,QAChC,SAAS;AAAA,UACP,kBAAkB,iBAAiB;AAAA,UACnC,eAAe,iBAAiB;AAAA,UAChC;AAAA,UACA,oBAAoB,QAAQ;AAAA,UAC5B,KAAK,QAAQ;AAAA,QACf;AAAA,QACA;AAAA,QACA,YAAY,KAAK,qBAAqB,kBAAkB,OAAO;AAAA,QAC/D;AAAA,MACF,CAAC;AACD,kBAAY,KAAK,UAAU;AAAA,IAC7B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,IAAI,oBAAuC;AACzC,QAAI,CAAC,KAAK,oBAAoB;AAC5B,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,IAAI,SAAwB;AAC1B,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAA8B;AAChC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA2B;AAC/B,WAAO,KAAK,OAAO,IAAI,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,IAAI,UAA2B;AAG7B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,iBAAkC;AACpC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,oBAAoB;AACxB,QAAI,CAAC,KAAK,QAAQ,CAAC,KAAK,WAAW,CAAC,KAAK,QAAQ;AAC/C,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAEA,UAAM,gBAAgB,KAAK,QAAQ,QAAQ;AAC3C,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,kEAAkE;AAAA,IACpF;AAGA,UAAO,KAAK,KAA+B,gBAAgB,aAAa;AAMxE,UAAM,YAAY;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,UAAM,YAAY,EAAE,IAAI,EAAE,IAAI,UAAU,EAAE;AAC1C,UAAM,MAAM,oBAAI,KAAK;AAIrB,UAAM,WAAW,wBAAO;AACxB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAExD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,KAAK,QAAQ,OAAO;AAAA,MAC3D,SAAS,KAAK,QAAQ;AAAA,MACtB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS;AAAA,MACT,KAAK,KAAK,QAAQ;AAAA,MAClB,SAAS,CAAC,KAAK,QAAQ,aAAa;AAAA,IACtC,CAAC;AAED,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAE7D,UAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,MAC/D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ,kBAAkB;AAAA,IACpB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,+CAA+C,eAAe,KAAK,EAAE;AAAA,IACvF;AAIA,QAAI,KAAK,uBAAuB,KAAK,SAAS;AAC5C,YAAM,aAAsB;AAAA,QAC1B,IAAI,KAAK,QAAQ;AAAA,QACjB,KAAK,KAAK,QAAQ;AAAA,QAClB,MAAM;AAAA,QACN,KAAK,KAAK,QAAQ;AAAA,QAClB,UAAU;AAAA,MACZ;AACA,WAAK,oBAAoB,YAAY,YAAY,CAAC;AAAA,QAChD,KAAK,kBAAkB;AAAA,QACvB,aAAa,KAAK,QAAQ;AAAA,QAC1B,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,WAAW;AAAA,QACX,oBAAoB;AAAA,MACtB,CAAC,CAAC;AAAA,IACJ;AAGA,QAAI,KAAK,iBAAiB;AACxB,YAAM,WAAW,IAAI,2BAAU,EAAE,QAAQ,GAAG,CAAC;AAC7C,YAAM,gBAAgB,IAAI,gCAAe;AAAA,QACvC,QAAQ,KAAK;AAAA,QACb,OAAO,KAAK,gBAAgB;AAAA,QAC5B,OAAO,KAAK,gBAAgB;AAAA,MAC9B,CAAC;AACD,oBAAc,WAAW;AAAA,QACvB,kBAAkB,kBAAkB;AAAA,QACpC,eAAe,kBAAkB;AAAA,QACjC,SAAS;AAAA,QACT,oBAAoB,KAAK,QAAQ;AAAA,QACjC,KAAK,KAAK,QAAQ;AAAA,MACpB,CAAC;AACD,eAAS,WAAW,aAAa;AACjC,WAAK,YAAY;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,WAAuB;AACzB,QAAI,KAAK,WAAW;AAClB,aAAO,KAAK;AAAA,IACd;AACA,QAAI,CAAC,KAAK,IAAI;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK,GAAG;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA6BA,MAAM,SAAS,QAAuE;AACpF,WAAO,KAAK,kBAAkB,OAAO,MAAM;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAiB,KAA8C;AACnE,WAAO,KAAK,kBAAkB,OAAO,GAAG;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAA2D;AAC/D,WAAO,KAAK,kBAAkB,KAAK;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAgB,MAAc,QAAoD;AACtF,WAAO,KAAK,kBAAkB,gBAAgB,MAAM,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqDA,MAAM,WACJ,KACA,aACA,SAC2B;AAG3B,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AACA,UAAM,gBAAgB,sBAAsB,QAAQ,IAAI;AACxD,QAAI,kBAAkB,QAAW;AAC/B,YAAMC,OAAM,KAAK,IAAI;AACrB,YAAM,WAAW,eAAc;AAC/B,UAAI,cAAc,QAAQ,KAAKA,OAAM,UAAU;AAC7C,cAAM,IAAI,qCAAoB,aAAa;AAAA,MAC7C;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AAC3D,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAMA,UAAM,kBAAkB,KAAK,wBAAwB,WAAW;AAMhE,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,gBAAgB,SAAS,MAAM;AAChD,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AACxD,QAAI,sBAAsB;AAC1B,QAAI,kBAAkB,UAAa,gBAAgB,gBAAgB;AACjE,4BAAsB;AAAA,IACxB;AAQA,QAAI,SAAS,iBAAiB;AAC5B,UAAI,gBAAgB,SAAS,GAAG;AAC9B,cAAM,IAAI;AAAA,UACR;AAAA,QAIF;AAAA,MACF;AACA,YAAMC,cAAa,MAAM,KAAK;AAAA,QAC5B;AAAA,QACA,gBAAgB,CAAC;AAAA,QACjB;AAAA,MACF;AACA,aAAO,EAAE,YAAAA,aAAY,UAAU,KAAK;AAAA,IACtC;AAcA,UAAM,cAAU;AAAA,MACd,CAAC,SAAiB,KAAK,aAAa,mBAAmB,IAAI;AAAA,MAC3D,QAAQ;AAAA,IACV;AACA,UAAM,EAAE,QAAQ,QAAQ,QAAI,qCAAmB,iBAAiB,OAAO;AAEvE,QAAI,CAAC,QAAQ;AACX,YAAM,eAAe,KAAK;AAAA,QACxB,KAAK,8BAA8B,iBAAiB,OAAO;AAAA,MAC7D;AACA,UAAI,cAAc;AAChB,cAAM,WAAW,eAAc;AAC/B,YAAI,aAAa,UAAU,QAAQ,KAAK,KAAK,IAAI,IAAI,UAAU;AAC7D,gBAAM,IAAI,qCAAoB,aAAa,SAAS;AAAA,QACtD;AACA,cAAM,oBACJ,aAAa,YAAY,sBACrB,aAAa,YACb;AACN,cAAMA,cAAa,MAAM,KAAK;AAAA,UAC5B;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,eAAO,EAAE,YAAAA,aAAY,UAAU,MAAM;AAAA,MACvC;AACA,YAAM,IAAI,8CAA6B,SAAS,OAAO;AAAA,IACzD;AAQA,UAAM,aAAa,MAAM,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,EAAE,YAAY,UAAU,MAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,sBACJ,KACA,UAA+C,KAAK,mBACM;AAC1D,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,kBAAkB;AAAA,MAAK,CAAC,UAC7C,oBAAoB,MAAM,KAAK,GAAG;AAAA,IACpC;AACA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,+CAA+C,GAAG,EAAE;AAAA,IACtE;AACA,UAAM,SAAS,MAAM,KAAK,WAAW,OAAO,KAAK,OAAO,aAAa;AAAA,MACnE,QAAQ,OAAO;AAAA,IACjB,CAAC;AACD,WAAO,EAAE,GAAG,QAAQ,OAAO;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,uBACJ,UAA+C,KAAK,mBACa;AACjE,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,MAA8D,CAAC;AACrE,eAAW,UAAU,QAAQ,mBAAmB;AAC9C,UAAI,KAAK,MAAM,KAAK,sBAAsB,OAAO,KAAK,OAAO,CAAC;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,4BACZ,KACA,SACA,gBACA,SAC6B;AAC7B,QAAI,QAAQ,WAAW,GAAG;AACxB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAIA,UAAM,iBAAiB,oBAAI,IAAY;AACvC,eAAW,SAAS,SAAS;AAC3B,UAAI,KAAK,4BAA4B,KAAK,GAAG;AAC3C;AAAA,MACF;AACA,YAAMC,WAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,qBAAe,IAAIA,QAAO;AAAA,IAC5B;AACA,QAAI,eAAe,OAAO,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,sEAAsE,eAAe,IAAI,KAAK,KAAK,UAAU,CAAC,GAAG,cAAc,CAAC,CAAC;AAAA,MACnI;AAAA,IACF;AACA,UAAM,UAAU,eAAe,SAAS,IACpC,CAAC,GAAG,cAAc,EAAE,CAAC,IACrB,QAAQ;AAWZ,UAAM,YAA0B,CAAC;AACjC,eAAW,SAAS,SAAS;AAC3B,YAAM,eAAe,uCAAsB,MAAM,OAAO;AACxD,UAAI,iBAAiB,QAAW;AAC9B,cAAM,IAAI;AAAA,UACR,gCAAgC,MAAM,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,UAAI,UAAU,YAAY,MAAM,QAAW;AACzC,kBAAU,YAAY,IAAI,CAAC;AAAA,MAC7B;AACA,YAAM,WAAW,UAAU,YAAY;AACvC,YAAM,WAAW,SAAS,MAAM,IAAI;AACpC,UAAI,aAAa,QAAW;AAC1B,iBAAS,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,OAAO;AAAA,MAC1C,OAAO;AACL,cAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,mBAAW,UAAU,MAAM,SAAS;AAClC,cAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,qBAAS,KAAK,MAAM;AACpB,iBAAK,IAAI,MAAM;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAIA,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,KAAK,QAAQ;AAAA,MACb;AAAA,MACA,oBAAoB,QAAQ;AAAA,IAC9B;AAEA,UAAM,iBAAiB,KAAK,MAAM,eAAe,QAAQ,IAAI,GAAI;AACjE,UAAM,SAAS,KAAK,wBAAwB;AAAA,MAC1C,SAAS;AAAA,MACT,aAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAWD,UAAM,UAAU,OAAO,UAAU,CAAC;AAMlC,UAAM,mBAAmB,EAAE,eAAe,OAAO,WAAW;AAM5D,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,4CAA4C,eAAe,KAAK;AAAA,MAClE;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK,OAAO;AAAA,MACZ;AAAA,MACA;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,WAAW,OAAO;AAAA,MAClB,sBAAsB;AAAA,MACtB,QAAQ,OAAO;AAAA,MACf,aAAa;AAAA,MACb,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,gCACZ,KACA,SACA,gBACA,OAC6B;AAC7B,UAAM,SAAS,KAAK,wBAAwB;AAAA,MAC1C,SAAS,MAAM;AAAA,MACf,aAAa;AAAA,MACb,SAAS,MAAM,QAAQ;AAAA,MACvB,WAAW,KAAK,uBAAuB,OAAO;AAAA,MAC9C,gBAAgB,KAAK,MAAM,eAAe,QAAQ,IAAI,GAAI;AAAA,IAC5D,CAAC;AAED,UAAM,UAAU,OAAO,UAAU,CAAC;AAClC,UAAM,mBAAmB,EAAE,eAAe,OAAO,WAAW;AAC5D,UAAM,aAAa,MAAM,WAAW,QAAQ,KAAK,OAAO;AACxD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA;AAAA,IACF;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,4CAA4C,eAAe,KAAK;AAAA,MAClE;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK,OAAO;AAAA,MACZ;AAAA,MACA,SAAS,MAAM,QAAQ;AAAA,MACvB,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,WAAW,OAAO;AAAA,MAClB,sBAAsB;AAAA,MACtB,QAAQ,OAAO;AAAA,MACf,aAAa;AAAA,MACb,cAAc,MAAM,WAAW;AAAA,MAC/B,SAAS,MAAM,WAAW;AAAA,MAC1B,MAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,uBACN,OACA,SACQ;AACR,QAAI,UAAU,QAAW;AACvB,aAAO,KAAK,aAAa;AAAA,QACvB,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAU,WAAW;AACvB,aAAO,QAAQ;AAAA,IACjB;AACA,QAAI,MAAM,WAAW,YAAY,GAAG;AAClC,aAAO;AAAA,IACT;AACA,WAAO,KAAK,aAAa,YAAY,QAAQ,SAAS,QAAQ,SAAS,KAAK;AAAA,EAC9E;AAAA,EAEQ,wBACN,aACmB;AACnB,eAAO,iBAAAC,yBAA4B,WAAW;AAAA,EAChD;AAAA,EAEQ,iBAAiB,SAAyB;AAChD,UAAM,QAAQ,uCAAsB,OAAO;AAC3C,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI;AAAA,QACR,oBAAoB,OAAO;AAAA,MAC7B;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,uBAAuB,SAA0C;AACvE,UAAM,YAA0B,CAAC;AACjC,eAAW,SAAS,SAAS;AAC3B,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,kDAAuB,CAAC;AACxB,YAAM,WAAW,UAAU,OAAO,EAAE,MAAM,IAAI,KAAK,CAAC;AACpD,YAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,iBAAW,UAAU,MAAM,SAAS;AAClC,YAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,mBAAS,KAAK,MAAM;AACpB,eAAK,IAAI,MAAM;AAAA,QACjB;AAAA,MACF;AACA,gBAAU,OAAO,EAAE,MAAM,IAAI,IAAI;AAAA,IACnC;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,4BAA4B,OAAiC;AACnE,WAAO,MAAM,YAAY,kDACvB,MAAM,KAAK,WAAW,2BAA2B;AAAA,EACrD;AAAA,EAEQ,0BACN,SAC0B;AAC1B,UAAM,eAAyC,CAAC;AAChD,eAAW,SAAS,SAAS;AAC3B,UAAI,CAAC,KAAK,4BAA4B,KAAK,GAAG;AAC5C;AAAA,MACF;AACA,YAAM,WAAW,aAAa,MAAM,IAAI,KAAK,CAAC;AAC9C,YAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,iBAAW,UAAU,MAAM,SAAS;AAClC,YAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,mBAAS,KAAK,MAAM;AACpB,eAAK,IAAI,MAAM;AAAA,QACjB;AAAA,MACF;AACA,mBAAa,MAAM,IAAI,IAAI;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,qBACN,SACA,SAC8B;AAC9B,WAAO,QAAQ,QAAQ,CAAC,UAAU;AAChC,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,aAAO,MAAM,QAAQ,IAAI,CAAC,YAAY;AAAA,QACpC,GAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,IACrD,EAAE,UAAU,MAAM,KAAK,IACvB,EAAE,QAAQ;AAAA,QACd;AAAA,QACA,MAAM,MAAM;AAAA,QACZ;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,+BACN,SACA,SACS;AACT,QAAI;AACF,YAAM,cAAU;AAAA,QACd,CAAC,SAAiB,KAAK,aAAa,mBAAmB,IAAI;AAAA,QAC3D,QAAQ;AAAA,MACV;AACA,iBAAO,qCAAmB,SAAS,OAAO,EAAE;AAAA,IAC9C,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,8BACN,SACA,SAC8B;AAC9B,WAAO,QAAQ,QAAQ,CAAC,UAAU;AAChC,YAAM,UAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,aAAO,MAAM,QAAQ,IAAI,CAAC,YAAY;AAAA,QACpC,GAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,IACrD,EAAE,UAAU,MAAM,KAAK,IACvB,EAAE,QAAQ;AAAA,QACd;AAAA,QACA,MAAM,MAAM;AAAA,QACZ;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,sCACN,SACA,SAC0B;AAC1B,UAAM,SAAmC,CAAC;AAC1C,UAAM,aAAa,KAAK,8BAA8B,SAAS,OAAO;AACtE,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,IACT;AAEA,eAAW,aAAa,YAAY;AAClC,YAAM,QAAQ,KAAK,sBAAsB,SAAS;AAClD,UAAI,CAAC,OAAO;AACV,eAAO,CAAC;AAAA,MACV;AACA,UAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,eAAO,KAAK,KAAK;AAAA,MACnB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,6BACN,kBAIA,SACA,SACA,SACA,WACoB;AACpB,UAAM,YAAY,KAAK,6BAA6B,SAAS,OAAO;AACpE,UAAM,UAAU,UAAU,CAAC;AAC3B,WAAO;AAAA,MACL,KAAK,iBAAiB;AAAA,MACtB,kBAAkB,iBAAiB;AAAA,MACnC;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB;AAAA,MACA,sBAAsB;AAAA,MACtB,QAAQ;AAAA,MACR,aAAa,QAAQ;AAAA,MACrB,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAAA,EACF;AAAA,EAEQ,2BACN,YACA,SACwB;AACxB,UAAM,aAAa,KAAK,yBAAyB,UAAU;AAC3D,WAAO;AAAA,MACL,SAAS;AAAA,QACP,kBAAkB,WAAW;AAAA,QAC7B,eAAe,WAAW;AAAA,QAC1B,SAAS,WAAW;AAAA,QACpB,oBAAoB,QAAQ;AAAA,QAC5B,KAAK,QAAQ;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW,WAAW;AAAA,IACxB;AAAA,EACF;AAAA,EAEQ,sCACN,YACA,SACA,WACM;AACN,UAAM,aAAa,KAAK,yBAAyB,UAAU;AAC3D,QAAI,WAAW,WAAW,GAAG;AAC3B;AAAA,IACF;AACA,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UACC,MAAM,WAAW,QAAQ,WAAW,OACpC,MAAM,QAAQ,kBAAkB,QAAQ;AAAA,IAC5C;AACA,SAAK,wBAAwB,KAAK;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,6BACN,SACA,SACqB;AACrB,WAAO,QAAQ,IAAI,CAAC,WAAW;AAAA,MAC7B,SAAS,KAAK,iBAAiB,MAAM,OAAO;AAAA,MAC5C,OAAO,KAAK,4BAA4B,KAAK,IAAI,eAAe;AAAA,MAChE,MAAM,MAAM;AAAA,MACZ,SAAS,CAAC,GAAG,MAAM,OAAO;AAAA,IAC5B,EAAE;AAAA,EACJ;AAAA,EAEQ,yBACN,YAC8B;AAC9B,UAAM,YACJ,WAAW,cAAc,UAAa,WAAW,UAAU,SAAS,IAChE,WAAW,YACX,KAAK,wBAAwB,UAAU;AAE7C,WAAO,UAAU,QAAQ,CAAC,aAAa;AACrC,YAAM,UAAU,KAAK,sBAAsB,SAAS,OAAO;AAC3D,aAAO,SAAS,QAAQ,IAAI,CAAC,YAAY;AAAA,QACvC,GAAI,KAAK,6BAA6B,SAAS,SAAS,IAAI,IACxD,EAAE,UAAU,SAAS,KAAK,IAC1B,EAAE,SAAS,SAAS,MAAM;AAAA,QAC9B;AAAA,QACA,MAAM,SAAS;AAAA,QACf;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,wBACN,YACqB;AACrB,UAAM,YAAY,oBAAI,IAAsB;AAC5C,eAAW,UAAU,WAAW,SAAS;AACvC,YAAM,UAAU,KAAK,iBAAiB,OAAO,MAAM,GAAG,EAAE,CAAC,CAAC;AAC1D,YAAM,UAAU,UAAU,IAAI,OAAO,KAAK,CAAC;AAC3C,cAAQ,KAAK,MAAM;AACnB,gBAAU,IAAI,SAAS,OAAO;AAAA,IAChC;AACA,WAAO,CAAC,GAAG,UAAU,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,SAAS,OAAO,OAAO;AAAA,MAC3D;AAAA,MACA,OAAO,WAAW;AAAA,MAClB,MAAM,WAAW;AAAA,MACjB;AAAA,IACF,EAAE;AAAA,EACJ;AAAA,EAEQ,wBACN,UACA,SACA,MACA,QACgB;AAChB,UAAM,QAAQ,KAAK,sBAAsB;AAAA,MACvC,SAAS,SAAS;AAAA,MAClB,SAAS,KAAK,sBAAsB,OAAO;AAAA,MAC3C;AAAA,MACA;AAAA,IACF,CAAC;AACD,WAAO,OAAO,WAAW;AAAA,EAC3B;AAAA,EAEQ,uBACN,YACoC;AACpC,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,SAAK,oCAAoC;AACzC,WAAO,KAAK,wBAAwB,KAAK,CAAC,UAAU;AAClD,aAAO,WAAW;AAAA,QAAM,CAAC,cACvB,MAAM,WAAW;AAAA,UAAK,CAAC,YACrB,KAAK,gBAAgB,SAAS,SAAS;AAAA,QACzC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,sBACN,WACoC;AACpC,WAAO,KAAK,uBAAuB,CAAC,SAAS,CAAC;AAAA,EAChD;AAAA,EAEQ,sCAA4C;AAClD,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UAAU,MAAM,UAAU,QAAQ,IAAI;AAAA,IACzC;AAAA,EACF;AAAA,EAEQ,gBACN,SACA,WACS;AACT,QAAI,QAAQ,YAAY,UAAU,WAChC,CAAC,KAAK,eAAe,QAAQ,QAAQ,UAAU,MAAM,GACrD;AACA,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,aAAa,UAAa,UAAU,aAAa,QAAW;AACtE,aAAO,QAAQ,aAAa,UAC1B,UAAU,aAAa,UACvB,QAAQ,aAAa,UAAU,YAC/B,KAAK,aAAa,QAAQ,MAAM,UAAU,IAAI;AAAA,IAClD;AAEA,WAAO,QAAQ,YAAY,UACzB,UAAU,YAAY,UACtB,QAAQ,YAAY,UAAU,WAC9B,KAAK,aAAa,QAAQ,MAAM,UAAU,IAAI;AAAA,EAClD;AAAA,EAEQ,eAAe,eAAuB,iBAAkC;AAC9E,QAAI,kBAAkB,iBAAiB;AACrC,aAAO;AAAA,IACT;AACA,QAAI,cAAc,SAAS,IAAI,GAAG;AAChC,YAAM,SAAS,cAAc,MAAM,GAAG,EAAE;AACxC,aAAO,gBAAgB,WAAW,GAAG,MAAM,GAAG;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,sBAAsB,SAAyB;AACrD,WAAO,QAAQ,WAAW,YAAY,IAClC,KAAK,iBAAiB,OAAO,IAC7B;AAAA,EACN;AAAA,EAEQ,6BAA6B,SAAiB,MAAuB;AAC3E,WAAO,YAAY,gBACjB,KAAK,WAAW,2BAA2B;AAAA,EAC/C;AAAA,EAEQ,4BAA4B,OAMO;AACzC,UAAM,UAAU,KAAK,sBAAsB,MAAM,OAAO;AACxD,QAAI,OAAO,MAAM,aAAa,UAAU;AACtC,aAAO;AAAA,QACL,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,QAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,GAAG;AAC1D,aAAO;AAAA,QACL,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,QAAI,OAAO,MAAM,YAAY,UAAU;AACrC,aAAO;AAAA,QACL,SAAS,MAAM;AAAA,QACf;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,aAAqB,eAAgC;AACxE,QAAI,gBAAgB,MAAM,gBAAgB,KAAK;AAC7C,aAAO;AAAA,IACT;AACA,QAAI,YAAY,SAAS,KAAK,GAAG;AAC/B,aAAO,cAAc,WAAW,YAAY,MAAM,GAAG,EAAE,CAAC;AAAA,IAC1D;AACA,QAAI,YAAY,SAAS,IAAI,GAAG;AAC9B,YAAM,SAAS,YAAY,MAAM,GAAG,EAAE;AACtC,UAAI,CAAC,cAAc,WAAW,MAAM,GAAG;AACrC,eAAO;AAAA,MACT;AACA,YAAM,YAAY,cAAc,MAAM,OAAO,MAAM;AACnD,aAAO,CAAC,UAAU,SAAS,GAAG,KAAK,cAAc;AAAA,IACnD;AACA,QAAI,YAAY,SAAS,GAAG,GAAG;AAC7B,aAAO,cAAc,WAAW,WAAW;AAAA,IAC7C;AACA,WAAO,gBAAgB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,iCACZ,aACA,OACA,gBAC6B;AAC7B,UAAM,UAAU,KAAK,MAAM;AAC3B,UAAM,kBACJ,YAAY,UAAa,MAAM,UAAU,YACrC,SACA,KAAK,uBAAuB,MAAM,OAAO,OAAO;AACtD,WAAO,KAAK,2BAA2B;AAAA,MACrC,MAAM,MAAM;AAAA,MACZ,SAAS,MAAM;AAAA,MACf;AAAA,MACA,oBAAoB;AAAA,MACpB,UAAU,KAAK,IAAI,GAAG,eAAe,QAAQ,IAAI,KAAK,IAAI,CAAC;AAAA,MAC3D;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,QAeS;AAW9B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,QAAI,CAAC,KAAK,MAAM,kBAAkB;AAChC,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAKA,QAAI,sBAAsB,OAAO;AACjC,QAAI,oBAAoB,SAAS,MAAM,KAAK,KAAK,OAAO,aAAa;AACnE,YAAM,UAAU,MAAM,KAAK,OAAO,YAAY,eAAe,mBAAmB;AAChF,UAAI,CAAC,QAAS,OAAM,IAAI,MAAM,+BAA+B,mBAAmB,EAAE;AAClF,gCAAsB,yBAAO,SAAS,CAAC;AAAA,IACzC;AAYA,UAAM,UAAU;AAAA,MACd,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA;AAAA,QACA,OAAO,aAAa,SAAY,EAAE,QAAQ,OAAO,SAAS,IAAI;AAAA,MAChE;AACA,aAAO,OAAO;AAAA,IAChB,SAAS,KAAK;AACZ,UAAI,eAAe,+CAA8B;AAAA,MAIjD,OAAO;AAIL,cAAM;AAAA,MACR;AAAA,IACF;AAKA,WAAO,KAAK,2BAA2B;AAAA,MACrC,GAAG;AAAA,MACH,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,2BAA2B,QAQT;AAC9B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,UAAM,UAAU,KAAK,MAAM;AAC3B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAGA,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC1E,UAAM,aAAa,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAC5E,UAAM,gBAAgB,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AAClF,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,OAAO,IAAI,GAAG,UAAU;AAAA,IAC5C;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,OAAO,IAAI,GAAG,WAAW;AAAA,IAC9C;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,OAAO,IAAI,GAAG,cAAc;AAAA,IACpD;AAEA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAKxD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,MACtD,SAAS,QAAQ;AAAA,MACjB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS,OAAO,mBAAmB,QAAQ;AAAA,MAC3C,aAAa,OAAO;AAAA,MACpB,SAAS,CAAC,QAAQ,aAAa;AAAA,IACjC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAG7D,UAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,MAC/D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ,kBAAkB;AAAA,IACpB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,kCAAkC,eAAe,KAAK,EAAE;AAAA,IAC1E;AAEA,UAAM,SAA6B;AAAA,MACjC,KAAK,kBAAkB;AAAA,MACvB,kBAAkB,kBAAkB;AAAA,MACpC,SAAS,OAAO,mBAAmB,QAAQ;AAAA,MAC3C,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,sBAAsB,OAAO,wBAAwB;AAAA,MACrD,QAAQ;AAAA,MACR,aAAa,OAAO;AAAA,MACpB,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAGA,UAAM,eAAe,OAAO,QAAQ,KAAK,OAAK,EAAE,WAAW,eAAe,CAAC;AAC3E,QAAI,gBAAgB,OAAO,uBAAuB,OAAO;AACvD,YAAM,oBAAgB;AAAA,QACpB,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QAAG,QAAQ;AAAA,MAC1D;AACA,YAAM,kBAA4D;AAAA,QAChE,IAAI,EAAE,IAAI,CAAC,oBAAoB,oBAAoB,uBAAuB,EAAE;AAAA,MAC9E;AACA,YAAM,iBAAiB,KAAK,aAAa,eAAe;AAAA,QACtD,WAAW;AAAA,QACX,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,eAAe,YAAY;AAAA,QAC3C,SAAS;AAAA,QACT,aAAa,OAAO;AAAA,QACpB,SAAS,CAAC,QAAQ,aAAa;AAAA,MACjC,CAAC;AACD,YAAM,kBAAkB,MAAM,KAAK,OAAO,YAAY,eAAe,IAAI;AACzE,YAAM,gBAAgB,KAAK,aAAa,qBAAqB;AAAA,QAC3D,GAAG;AAAA,QACH,WAAW;AAAA,MACb,CAAC;AAED,YAAM,uBAAuB,UAAM;AAAA,QACjC,KAAK,OAAO;AAAA,QACZ,cAAc;AAAA,MAChB;AAEA,UAAI,qBAAqB,SAAS;AAChC,eAAO,mBAAmB;AAAA,UACxB,KAAK,cAAc;AAAA,UACnB,kBAAkB,cAAc;AAAA,UAChC,SAAS;AAAA,UACT,MAAM;AAAA,UACN,SAAS,CAAC,oBAAoB,oBAAoB,uBAAuB;AAAA,UACzE,sBAAsB,OAAO,wBAAwB;AAAA,UACrD,QAAQ;AAAA,UACR,aAAa,OAAO;AAAA,UACpB,cAAc,QAAQ;AAAA,UACtB,SAAS,QAAQ;AAAA,UACjB,MAAM,KAAK,OAAO;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,cAAc,YAA0D;AAC5E,UAAM,mBAAmB,WAAW;AAGpC,UAAM,aAAa,WAAW,QAAQ,KAAK,OAAO;AAIlD,QAAI,KAAK,eAAe;AAEtB,YAAM,QAAQ,KAAK;AACnB,UAAI,CAAC,oBAAoB,WAAW,aAAa,KAAK,GAAG;AACvD,cAAM,IAAI;AAAA,UACR,sBAAsB,WAAW,WAAW,2BAA2B,KAAK;AAAA,QAE9E;AAAA,MACF;AAIA,YAAMC,WAA4B;AAAA,QAChC,SAAS,WAAW;AAAA,QACpB,SAAS,WAAW;AAAA,QACpB,YAAY,KAAK,UAAU,KAAK,aAAa;AAAA,QAC7C,SAAS,WAAW;AAAA,QACpB,eAAe,WAAW;AAAA,QAC1B;AAAA,QACA,oBAAoB,KAAK;AAAA,QACzB,KAAK,KAAK;AAAA,QACV,MAAM;AAAA;AAAA,QACN,WAAW;AAAA;AAAA,MACb;AAGA,WAAK,wBAAwB,YAAY,KAAK,aAA+B;AAC7E,WAAK;AAAA,QACH;AAAA,QACA;AAAA,UACE,kBAAkBA,SAAQ;AAAA,UAC1B,eAAeA,SAAQ;AAAA,UACvB,SAASA,SAAQ;AAAA,UACjB,oBAAoBA,SAAQ;AAAA,UAC5B,KAAKA,SAAQ;AAAA,QACf;AAAA,QACA,WAAW;AAAA,MACb;AAEA,aAAO,IAAI,gBAAgBA,UAAS,YAAY,YAAY,KAAK,aAAa,MAAM;AAAA,IACtF;AAGA,UAAM,YAAY,KAAK,MAAM;AAC7B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAIA,UAAM,MAAM,UAAU;AAGtB,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC9E,UAAM,aAAa,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAChF,UAAM,gBAAgB,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AACtF,UAAM,oBAAoB,WAAW,QAAQ;AAAA,MAAO,OAClD,EAAE,WAAW,uBAAuB;AAAA,IACtC;AACA,UAAM,eAAyC,CAAC;AAChD,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,WAAW,IAAI,GAAG,UAAU;AAAA,IAChD;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,WAAW,IAAI,GAAG,WAAW;AAAA,IAClD;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,WAAW,IAAI,GAAG,cAAc;AAAA,IACxD;AACA,QACE,kBAAkB,SAAS,KAC3B,WAAW,KAAK,WAAW,2BAA2B,GACtD;AACA,mBAAa,WAAW,IAAI,IAAI;AAAA,IAClC;AAEA,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,YAAY,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,KAAK,GAAI;AACzD,UAAM,iBAAiB,WAAW,SAAS,YAAY,WAAW,SAAS;AAO3E,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,UAAU,OAAO;AAAA,MACxD,SAAS,UAAU;AAAA,MACnB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS,WAAW;AAAA,MACpB;AAAA,MACA,SAAS,CAAC,WAAW,GAAG;AAAA,MACxB,GAAI,OAAO,KAAK,YAAY,EAAE,SAAS,IAAI,EAAE,aAAa,IAAI,CAAC;AAAA,IACjE,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAQ,YAAY,SAAS,IAAI;AAG9D,UAAM,iBAAiB,KAAK,aAAa,qBAAqB;AAAA,MAC5D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,eAAe;AAAA,IACjB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,yCAAyC,eAAe,KAAK,EAAE;AAAA,IACjF;AAGA,UAAM,UAA4B;AAAA,MAChC,SAAS,UAAU;AAAA,MACnB,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,MACtB,SAAS,WAAW;AAAA,MACpB,eAAe,eAAe;AAAA,MAC9B,kBAAkB,eAAe;AAAA,MACjC,oBAAoB,UAAU;AAAA,MAC9B;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,SAAK,wBAAwB,YAAY,GAAqB;AAC9D,SAAK;AAAA,MACH;AAAA,MACA;AAAA,QACE,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB,SAAS,QAAQ;AAAA,QACjB,oBAAoB,QAAQ;AAAA,QAC5B,KAAK,QAAQ;AAAA,MACf;AAAA,MACA;AAAA,IACF;AAEA,WAAO,IAAI,gBAAgB,SAAS,YAAY,YAAY,KAAK,aAAa,MAAM;AAAA,EACtF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,oBACJ,kBACA,QAY6B;AAC7B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,0EAA0E;AAAA,IAC5F;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAGA,QAAI,iBAAiB,sBAAsB;AACzC,YAAM,IAAI,MAAM,iDAAiD;AAAA,IACnE;AAGA,QAAI,CAAC,OAAO,KAAK,WAAW,iBAAiB,IAAI,GAAG;AAClD,YAAM,IAAI;AAAA,QACR,wBAAwB,OAAO,IAAI,iCAAiC,iBAAiB,IAAI;AAAA,MAC3F;AAAA,IACF;AAGA,UAAM,gBAAgB,IAAI,IAAI,iBAAiB,OAAO;AACtD,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,CAAC,cAAc,IAAI,MAAM,GAAG;AAC9B,cAAM,IAAI;AAAA,UACR,0BAA0B,MAAM,iCAAiC,iBAAiB,QAAQ,KAAK,IAAI,CAAC;AAAA,QACtG;AAAA,MACF;AAAA,IACF;AAGA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,UAAM,kBAAkB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAEzD,UAAM,eACJ,kBAAkB,iBAAiB,SAAS,iBAAiB,SAAS;AAGxE,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC1E,UAAM,aAAa,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAC5E,UAAM,gBAAgB,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AAClF,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,OAAO,IAAI,GAAG,UAAU;AAAA,IAC5C;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,OAAO,IAAI,GAAG,WAAW;AAAA,IAC9C;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,OAAO,IAAI,GAAG,cAAc;AAAA,IACpD;AAGA,UAAM,aAAa,iBAAiB,QAAQ,KAAK,OAAO;AAMxD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,KAAK,QAAQ;AAAA,MACpD,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,aAAa,YAAY;AAAA,MACzC,SAAS,iBAAiB;AAAA,MAC1B,aAAa,OAAO;AAAA,MACpB,SAAS,CAAC,iBAAiB,GAAG;AAAA,IAChC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAG7D,UAAM,uBAAuB,KAAK,aAAa,qBAAqB;AAAA,MAClE,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,qBAAqB;AAAA,IACvB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,sCAAsC,eAAe,KAAK,EAAE;AAAA,IAC9E;AAGA,WAAO;AAAA,MACL,KAAK,qBAAqB;AAAA,MAC1B,kBAAkB,qBAAqB;AAAA,MACvC,SAAS,iBAAiB;AAAA,MAC1B,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,sBAAsB,OAAO,wBAAwB;AAAA,MACrD,QAAQ;AAAA,MACR,aAAa,OAAO;AAAA,MACpB,cAAc,iBAAiB;AAAA,MAC/B,SAAS,iBAAiB;AAAA,MAC1B,MAAM;AAAA,IACR;AAAA,EACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAvhHa,eAgrEa,kCAAkC;AAhrErD,IAAM,gBAAN;;;AL5RP,IAAAC,mBA8BO;;;AU9EA,SAAS,oBAAoB,YAAwC;AAC1E,SAAO,KAAK,UAAU;AAAA,IACpB,GAAG;AAAA,IACH,QAAQ,WAAW,OAAO,YAAY;AAAA,EACxC,CAAC;AACH;AAKO,SAAS,sBAAsB,MAAkC;AACtE,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK,OAAO;AAAA,IACZ,QAAQ,IAAI,KAAK,OAAO,MAAM;AAAA,EAChC;AACF;;;AVwEA,IAAAC,oBAIO;AAaP,IAAAA,oBAAsD;AAmBtD,IAAAA,oBAAkE;AAwBlE,IAAAA,oBAUO;AAsBP,IAAAA,oBAKO;AAkCP,IAAAA,oBAIO;AAUP,IAAAA,oBAQO;AAcP,IAAAA,oBAKO;AAGP,IAAAA,oBAA+B;","names":["import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","config","now","delegation","spaceId","expandPermissionEntriesCore","session","import_sdk_core","import_sdk_core"]}
1	+ {"version":3,"sources":["../src/core.ts","../src/storage/MemorySessionStorage.ts","../src/storage/FileSessionStorage.ts","../src/authorization/NodeUserAuthorization.ts","../src/authorization/strategies.ts","../src/TinyCloudNode.ts","../src/DelegatedAccess.ts","../src/keys/WasmKeyProvider.ts","../src/delegateToHelpers.ts","../src/NodeSecretsService.ts","../src/delegation.ts"],"sourcesContent":["/*\n @tinycloud/node-sdk/core\n \n Platform-agnostic entry point for TinyCloud node-sdk.\n \n This entry point excludes Node.js-specific modules that depend on\n * @tinycloud/node-sdk-wasm (PrivateKeySigner, NodeWasmBindings), making it\n * safe to import in browser builds without webpack aliases or shims.\n \n Browser consumers (e.g., @tinycloud/web-sdk) should import from this\n * entry point instead of the root \"@tinycloud/node-sdk\".\n \n @packageDocumentation\n /\n\n// Re-export core values\nexport { TinyCloud } from \"@tinycloud/sdk-core\";\n\n// Re-export core types\nexport type {\n TinyCloudConfig,\n ISigner,\n ISessionStorage,\n IUserAuthorization,\n ClientSession,\n Extension,\n SignInOptions,\n PersistedSessionData,\n TinyCloudSession,\n INotificationHandler,\n IENSResolver,\n IWasmBindings,\n ISessionManager,\n ISpaceCreationHandler,\n SpaceCreationContext,\n CanonicalAddress,\n CanonicalParsedNetworkId,\n DidCacheKeyOptions,\n DidEqualsOptions,\n PkhDidParts,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export core values for extensibility\nexport {\n SilentNotificationHandler,\n AutoApproveSpaceCreationHandler,\n defaultSpaceCreationHandler,\n IdentityParseError,\n addressStorageKey,\n canonicalizeAddress,\n canonicalizeDid,\n canonicalizeDidUrl,\n canonicalizeNetworkId,\n didCacheKey,\n didEquals,\n isEvmAddress,\n makePkhSpaceId,\n parsePkhDid,\n pkhDid,\n principalDid,\n principalDidEquals,\n parseCanonicalNetworkId,\n} from \"@tinycloud/sdk-core\";\n\n// Storage implementations\nexport { MemorySessionStorage } from \"./storage/MemorySessionStorage\";\nexport { FileSessionStorage } from \"./storage/FileSessionStorage\";\n\n// Authorization\nexport {\n NodeUserAuthorization,\n NodeUserAuthorizationConfig,\n} from \"./authorization/NodeUserAuthorization\";\n\n// Sign strategies — value exports\nexport { defaultSignStrategy } from \"./authorization/strategies\";\n\n// Sign strategies — type exports (re-exported from sdk-core + Node.js-specific types)\nexport type {\n SignRequest,\n SignResponse,\n SignCallback,\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n NodeEventEmitterStrategy,\n SignStrategy,\n} from \"./authorization/strategies\";\n\n// High-level API\nexport {\n TinyCloudNode,\n type TinyCloudNodeConfig,\n type DelegateToOptions,\n type DelegateToResult,\n type RuntimePermissionGrantOptions,\n} from \"./TinyCloudNode\";\n\n// Capability-chain primitives (spec: .claude/specs/capability-chain.md).\n// Re-exported here so TinyCloudWeb and other consumers can pass\n// `PermissionEntry[]` to `delegateTo` and catch the error classes without\n// also importing from `@tinycloud/sdk-core`.\nexport {\n type PermissionEntry,\n type Manifest,\n type ManifestDefaults,\n type ManifestSecretActions,\n type ComposeManifestOptions,\n type ComposedManifestRequest,\n type ManifestRegistryRecord,\n type ResolvedCapabilities,\n type ResolvedDelegate,\n type ResourceCapability,\n type SpaceAbilitiesMap,\n ACCOUNT_REGISTRY_PATH,\n ACCOUNT_REGISTRY_SPACE,\n DEFAULT_MANIFEST_SPACE,\n DEFAULT_MANIFEST_VERSION,\n VAULT_PERMISSION_SERVICE,\n PermissionNotInManifestError,\n SessionExpiredError,\n ManifestValidationError,\n composeManifestRequest,\n resolveManifest,\n validateManifest,\n loadManifest,\n isCapabilitySubset,\n expandActionShortNames,\n expandPermissionEntries,\n expandPermissionEntry,\n parseExpiry,\n resourceCapabilitiesToSpaceAbilitiesMap,\n} from \"@tinycloud/sdk-core\";\n\n// Delegation\nexport { DelegatedAccess } from \"./DelegatedAccess\";\nexport { serializeDelegation, deserializeDelegation } from \"./delegation\";\nexport type { PortableDelegation } from \"./delegation\";\n\n// Re-export KV service values\nexport {\n DEFAULT_SIGNED_READ_URL_EXPIRY_MS,\n KVService,\n PrefixedKVService,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export KV service types\nexport type {\n IKVService,\n KVServiceConfig,\n KVCreateSignedReadUrlOptions,\n KVResponse,\n KVSignedReadUrlResponse,\n IPrefixedKVService,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SQL service values\nexport { SQLService, SQLAction, DatabaseHandle } from \"@tinycloud/sdk-core\";\n\n// Re-export SQL service types\nexport type {\n ISQLService,\n IDatabaseHandle,\n SQLServiceConfig,\n SqlValue,\n SqlStatement,\n QueryOptions,\n ExecuteOptions,\n BatchOptions,\n QueryResponse,\n ExecuteResponse,\n BatchResponse,\n SQLActionType,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export DuckDB service values\nexport {\n DuckDbService,\n DuckDbDatabaseHandle,\n DuckDbAction,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export DuckDB service types\nexport type {\n IDuckDbService,\n IDuckDbDatabaseHandle,\n DuckDbServiceConfig,\n DuckDbQueryOptions,\n DuckDbExecuteOptions,\n DuckDbBatchOptions,\n DuckDbOptions,\n DuckDbValue,\n DuckDbStatement,\n DuckDbQueryResponse,\n DuckDbExecuteResponse,\n DuckDbBatchResponse,\n DuckDbActionType,\n SchemaInfo,\n TableInfo,\n ColumnInfo,\n ViewInfo,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export Vault and Secrets service values\nexport {\n DataVaultService,\n VaultHeaders,\n VaultPublicSpaceKVActions,\n createVaultCrypto,\n SecretsService,\n SECRET_NAME_RE,\n canonicalizeSecretScope,\n resolveSecretListPrefix,\n resolveSecretPath,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export Vault and Secrets service types\nexport type {\n IDataVaultService,\n VaultCrypto,\n WasmVaultFunctions,\n DataVaultConfig,\n VaultPutOptions,\n VaultGetOptions,\n VaultListOptions,\n VaultGrantOptions,\n VaultEntry,\n VaultError,\n ISecretsService,\n SecretPayload,\n SecretsError,\n ResolvedSecretPath,\n SecretScopeOptions,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export v2 Delegation service values\nexport {\n DelegationManager,\n SharingService,\n createSharingService,\n DelegationErrorCodes,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export v2 Delegation types\nexport type {\n DelegationManagerConfig,\n ISharingService,\n SharingServiceConfig,\n EncodedShareData,\n ReceiveOptions,\n ShareAccess,\n Delegation,\n CreateDelegationParams,\n DelegationResult,\n DelegationError,\n DelegationErrorCode,\n JWK,\n KeyType,\n KeyInfo,\n CapabilityEntry,\n DelegationRecord,\n SpaceOwnership,\n SpaceInfo,\n ShareSchema,\n ShareLink,\n ShareLinkData,\n IngestOptions,\n GenerateShareParams,\n DelegationChain,\n DelegationChainV2,\n DelegationDirection,\n DelegationFilters,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export CapabilityKeyRegistry values (v2)\nexport {\n CapabilityKeyRegistry,\n createCapabilityKeyRegistry,\n CapabilityKeyRegistryErrorCodes,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export CapabilityKeyRegistry types (v2)\nexport type {\n ICapabilityKeyRegistry,\n StoredDelegationChain,\n CapabilityKeyRegistryErrorCode,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SpaceService values (v2)\nexport {\n SpaceService,\n SpaceErrorCodes,\n createSpaceService,\n parseSpaceUri,\n buildSpaceUri,\n makePublicSpaceId,\n Space,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export SpaceService types (v2)\nexport type {\n ISpaceService,\n SpaceServiceConfig,\n SpaceErrorCode,\n ISpace,\n SpaceConfig,\n ISpaceScopedDelegations,\n ISpaceScopedSharing,\n} from \"@tinycloud/sdk-core\";\n\n// Protocol version checking\nexport {\n ProtocolMismatchError,\n VersionCheckError,\n UnsupportedFeatureError,\n checkNodeInfo,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export ServiceContext value for advanced usage\nexport { ServiceContext } from \"@tinycloud/sdk-core\";\n\n// Re-export ServiceContext types for advanced usage\nexport type {\n ServiceContextConfig,\n ServiceSession,\n InvokeFunction,\n FetchFunction,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export KeyProvider interface from sdk-core\nexport type { KeyProvider } from \"@tinycloud/sdk-core\";\n\n// Key management for node-sdk\nexport {\n WasmKeyProvider,\n WasmKeyProviderConfig,\n createWasmKeyProvider,\n} from \"./keys/WasmKeyProvider\";\n","import { ISessionStorage, PersistedSessionData } from \"@tinycloud/sdk-core\";\n\n/\n In-memory session storage for Node.js.\n \n Sessions are stored in memory and lost when the process exits.\n * Suitable for:\n * - Development and testing\n * - Stateless server deployments\n * - Short-lived processes\n \n @example\n * ```typescript\n * const storage = new MemorySessionStorage();\n * await storage.save(\"0x123...\", sessionData);\n * const session = await storage.load(\"0x123...\");\n * ```\n /\nexport class MemorySessionStorage implements ISessionStorage {\n private sessions: Map<string, PersistedSessionData> = new Map();\n\n /\n Save a session for an address.\n /\n async save(address: string, session: PersistedSessionData): Promise<void> {\n const normalizedAddress = address.toLowerCase();\n this.sessions.set(normalizedAddress, session);\n }\n\n /\n Load a session for an address.\n /\n async load(address: string): Promise<PersistedSessionData \| null> {\n const normalizedAddress = address.toLowerCase();\n const session = this.sessions.get(normalizedAddress);\n\n if (!session) {\n return null;\n }\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n this.sessions.delete(normalizedAddress);\n return null;\n }\n\n return session;\n }\n\n /\n Clear a session for an address.\n /\n async clear(address: string): Promise<void> {\n const normalizedAddress = address.toLowerCase();\n this.sessions.delete(normalizedAddress);\n }\n\n /\n Check if a session exists for an address.\n /\n exists(address: string): boolean {\n const normalizedAddress = address.toLowerCase();\n const session = this.sessions.get(normalizedAddress);\n\n if (!session) {\n return false;\n }\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n this.sessions.delete(normalizedAddress);\n return false;\n }\n\n return true;\n }\n\n /\n Memory storage is always available.\n /\n isAvailable(): boolean {\n return true;\n }\n\n /\n Clear all sessions.\n /\n clearAll(): void {\n this.sessions.clear();\n }\n\n /\n Get the number of stored sessions.\n /\n size(): number {\n return this.sessions.size;\n }\n}\n","import { ISessionStorage, PersistedSessionData, validatePersistedSessionData } from \"@tinycloud/sdk-core\";\nimport { readFileSync, writeFileSync, existsSync, mkdirSync, unlinkSync } from \"fs\";\nimport { dirname, join } from \"path\";\n\n/\n File-based session storage for Node.js.\n \n Sessions are persisted to the file system and survive process restarts.\n * Suitable for:\n * - CLI applications\n * - Long-running server processes\n * - Development environments\n \n @example\n * ```typescript\n * const storage = new FileSessionStorage(\"/tmp/tinycloud-sessions\");\n * await storage.save(\"0x123...\", sessionData);\n * // Session persists across process restarts\n * ```\n /\nexport class FileSessionStorage implements ISessionStorage {\n private readonly baseDir: string;\n\n /\n Create a new FileSessionStorage.\n \n @param baseDir - Directory to store session files (default: ~/.tinycloud/sessions)\n /\n constructor(baseDir?: string) {\n this.baseDir = baseDir \|\| this.getDefaultDir();\n this.ensureDirectoryExists();\n }\n\n /\n Get the default session storage directory.\n /\n private getDefaultDir(): string {\n const home = process.env.HOME \|\| process.env.USERPROFILE \|\| \"/tmp\";\n return join(home, \".tinycloud\", \"sessions\");\n }\n\n /\n Ensure the storage directory exists.\n /\n private ensureDirectoryExists(): void {\n if (!existsSync(this.baseDir)) {\n mkdirSync(this.baseDir, { recursive: true });\n }\n }\n\n /\n Get the file path for an address.\n /\n private getFilePath(address: string): string {\n const normalizedAddress = address.toLowerCase();\n // Use a hash of the address to avoid filesystem issues\n const filename = `${normalizedAddress.replace(\"0x\", \"\")}.json`;\n return join(this.baseDir, filename);\n }\n\n /\n Save a session for an address.\n /\n async save(address: string, session: PersistedSessionData): Promise<void> {\n const filePath = this.getFilePath(address);\n const data = JSON.stringify(session, null, 2);\n writeFileSync(filePath, data, \"utf-8\");\n }\n\n /\n Load a session for an address.\n /\n async load(address: string): Promise<PersistedSessionData \| null> {\n const filePath = this.getFilePath(address);\n\n if (!existsSync(filePath)) {\n return null;\n }\n\n try {\n const data = readFileSync(filePath, \"utf-8\");\n const parsed = JSON.parse(data);\n\n // Validate loaded data against schema\n const validation = validatePersistedSessionData(parsed);\n if (!validation.ok) {\n console.warn(`Invalid session data for ${address}:`, validation.error.message);\n // Clean up invalid session\n unlinkSync(filePath);\n return null;\n }\n\n const session = validation.data;\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n // Clean up expired session\n unlinkSync(filePath);\n return null;\n }\n\n return session;\n } catch (error) {\n // Invalid JSON or read error - remove the file\n try {\n unlinkSync(filePath);\n } catch {\n // Ignore cleanup errors\n }\n return null;\n }\n }\n\n /\n Clear a session for an address.\n /\n async clear(address: string): Promise<void> {\n const filePath = this.getFilePath(address);\n if (existsSync(filePath)) {\n unlinkSync(filePath);\n }\n }\n\n /\n Check if a session exists for an address.\n /\n exists(address: string): boolean {\n const filePath = this.getFilePath(address);\n if (!existsSync(filePath)) {\n return false;\n }\n\n try {\n const data = readFileSync(filePath, \"utf-8\");\n const session: PersistedSessionData = JSON.parse(data);\n\n // Check if session is expired\n const expiresAt = new Date(session.expiresAt);\n if (expiresAt < new Date()) {\n // Clean up expired session\n unlinkSync(filePath);\n return false;\n }\n\n return true;\n } catch {\n return false;\n }\n }\n\n /\n Check if file system storage is available.\n /\n isAvailable(): boolean {\n try {\n this.ensureDirectoryExists();\n return existsSync(this.baseDir);\n } catch {\n return false;\n }\n }\n}\n","import { EventEmitter } from \"events\";\nimport {\n IUserAuthorization,\n ISigner,\n ISessionStorage,\n ClientSession,\n Extension,\n PersistedSessionData,\n TinyCloudSession,\n SiweConfig,\n SignInOptions,\n fetchPeerId,\n submitHostDelegation,\n activateSessionWithHost,\n checkNodeInfo,\n ISpaceCreationHandler,\n AutoApproveSpaceCreationHandler,\n IWasmBindings,\n ISessionManager,\n Manifest,\n ComposedManifestRequest,\n AbilitiesMap,\n DEFAULT_MANIFEST_SPACE,\n ENCRYPTION_PERMISSION_SERVICE,\n composeManifestRequest,\n resourceCapabilitiesToAbilitiesMap,\n resourceCapabilitiesToSpaceAbilitiesMap,\n resolveTinyCloudHosts,\n EXPIRY,\n canonicalizeAddress,\n makePkhSpaceId,\n pkhDid,\n} from \"@tinycloud/sdk-core\";\nimport {\n SignStrategy,\n SignRequest,\n SignResponse,\n defaultSignStrategy,\n} from \"./strategies\";\nimport { MemorySessionStorage } from \"../storage/MemorySessionStorage\";\n\n/\n Configuration for NodeUserAuthorization.\n /\nexport interface NodeUserAuthorizationConfig {\n /* The signer used for signing messages /\n signer: ISigner;\n /* Sign strategy for handling sign requests /\n signStrategy?: SignStrategy;\n /* Session storage implementation /\n sessionStorage?: ISessionStorage;\n /* Domain for SIWE messages /\n domain: string;\n /* URI for SIWE messages (default: domain) /\n uri?: string;\n /* Statement included in SIWE messages /\n statement?: string;\n /* Space prefix for new sessions /\n spacePrefix?: string;\n /* Default actions for sessions /\n defaultActions?: Record<string, Record<string, string[]>>;\n /* Session expiration time in milliseconds (default: 1 hour) /\n sessionExpirationMs?: number;\n /* Automatically create space if it doesn't exist (default: false) /\n autoCreateSpace?: boolean;\n /* Custom space creation handler. If provided, takes precedence over autoCreateSpace. /\n spaceCreationHandler?: ISpaceCreationHandler;\n /* Explicit TinyCloud server endpoints. When omitted, signIn resolves the user's host. /\n tinycloudHosts?: string[];\n /* TinyCloud location registry URL. Default: https://registry.tinycloud.xyz. /\n tinycloudRegistryUrl?: string \| null;\n /* Fallback TinyCloud hosts. Default: hosted TinyCloud node. /\n tinycloudFallbackHosts?: string[] \| null;\n /* Whether to include public space capabilities in the session (default: true) /\n enablePublicSpace?: boolean;\n /* WASM bindings for cryptographic operations. Required. /\n wasmBindings: IWasmBindings;\n /\n SIWE nonce override. If omitted, the WASM layer generates a random nonce.\n * If `siweConfig.nonce` is also provided, `siweConfig.nonce` wins.\n /\n nonce?: string;\n /* Optional SIWE configuration overrides (e.g., nonce for server-provided nonces) /\n siweConfig?: SiweConfig;\n /\n App manifest used to drive the SIWE recap at sign-in.\n \n When set, `signIn` resolves the manifest (via\n * {@link resolveManifest}), unions the app's own permissions with\n * every `delegations[].permissions` list, converts to the WASM\n abilities shape, and uses that map as the session's granted\n * capabilities — instead of `defaultActions`.\n \n This is what makes manifest-declared pre-delegations usable: the\n * session key's recap covers both the app's runtime needs and the\n * downstream delegation targets, so `delegateTo` can issue the\n * sub-delegation via the session-key UCAN path without a wallet\n * prompt.\n \n When omitted, `signIn` falls back to `defaultActions` for\n * backwards compatibility.\n /\n manifest?: Manifest \| Manifest[];\n /* Pre-composed manifest request. Takes precedence over `manifest`. /\n capabilityRequest?: ComposedManifestRequest;\n /* Include implicit account registry permissions when composing `manifest`. Default true. /\n includeAccountRegistryPermissions?: boolean;\n}\n\n/\n Node.js implementation of IUserAuthorization.\n \n Supports multiple sign strategies for different use cases:\n * - auto-sign: Automatically approve all sign requests (trusted backends)\n * - auto-reject: Reject all sign requests (read-only mode)\n * - callback: Delegate to a custom callback function (CLI prompts)\n * - event-emitter: Emit sign requests as events (async workflows)\n \n @example\n * ```typescript\n * // Auto-sign for backend services\n * const auth = new NodeUserAuthorization({\n * signer: new PrivateKeySigner(process.env.PRIVATE_KEY),\n * signStrategy: { type: 'auto-sign' },\n * domain: 'api.myapp.com',\n * });\n \n // Callback for CLI prompts\n * const auth = new NodeUserAuthorization({\n * signer,\n * signStrategy: {\n * type: 'callback',\n * handler: async (req) => {\n * const approved = await promptUser(`Sign for ${req.address}?`);\n * return { approved };\n * }\n * },\n * domain: 'cli.myapp.com',\n * });\n * ```\n /\nexport class NodeUserAuthorization implements IUserAuthorization {\n private readonly signer: ISigner;\n private readonly signStrategy: SignStrategy;\n private readonly sessionStorage: ISessionStorage;\n private readonly domain: string;\n private readonly uri: string;\n private readonly statement?: string;\n private readonly spacePrefix: string;\n private readonly defaultActions: Record<string, Record<string, string[]>>;\n private readonly sessionExpirationMs: number;\n private readonly autoCreateSpace: boolean;\n private readonly spaceCreationHandler?: ISpaceCreationHandler;\n private tinycloudHosts?: string[];\n private readonly tinycloudRegistryUrl?: string \| null;\n private readonly tinycloudFallbackHosts?: string[] \| null;\n private readonly enablePublicSpace: boolean;\n private readonly nonce?: string;\n private readonly siweConfig?: SiweConfig;\n private readonly wasm: IWasmBindings;\n /\n Stored manifest, if one was provided at construction time. Used by\n * {@link signIn} to derive the session's granted capabilities instead\n * of falling back to {@link defaultActions}.\n /\n private _manifest?: Manifest \| Manifest[];\n private _capabilityRequest?: ComposedManifestRequest;\n private readonly includeAccountRegistryPermissions: boolean;\n\n private sessionManager: ISessionManager;\n private extensions: Extension[] = [];\n private _session?: ClientSession;\n private _tinyCloudSession?: TinyCloudSession;\n private _address?: string;\n private _chainId?: number;\n private _nodeFeatures: string[] = [];\n\n constructor(config: NodeUserAuthorizationConfig) {\n this.wasm = config.wasmBindings;\n\n this.signer = config.signer;\n this.signStrategy = config.signStrategy ?? defaultSignStrategy;\n this.sessionStorage = config.sessionStorage ?? new MemorySessionStorage();\n this.domain = config.domain;\n this.uri = config.uri ?? `https://${config.domain}`;\n this.statement = config.statement;\n this.spacePrefix = config.spacePrefix ?? \"default\";\n this.defaultActions = config.defaultActions ?? {\n kv: {\n \"\": [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ],\n },\n sql: {\n \"\": [\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/export\",\n ],\n },\n duckdb: {\n \"\": [\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/execute\",\n ],\n },\n capabilities: {\n \"\": [\"tinycloud.capabilities/read\"],\n },\n hooks: {\n \"\": [\n \"tinycloud.hooks/subscribe\",\n \"tinycloud.hooks/register\",\n \"tinycloud.hooks/list\",\n \"tinycloud.hooks/unregister\",\n ],\n },\n };\n this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;\n this.autoCreateSpace = config.autoCreateSpace ?? false;\n this.spaceCreationHandler = config.spaceCreationHandler;\n this.tinycloudHosts = config.tinycloudHosts;\n this.tinycloudRegistryUrl = config.tinycloudRegistryUrl;\n this.tinycloudFallbackHosts = config.tinycloudFallbackHosts;\n this.enablePublicSpace = config.enablePublicSpace ?? true;\n this.nonce = config.nonce;\n this.siweConfig = config.siweConfig;\n this.includeAccountRegistryPermissions =\n config.includeAccountRegistryPermissions ?? true;\n this._manifest = config.manifest;\n this._capabilityRequest = config.capabilityRequest;\n\n // Initialize session manager via WASM bindings\n this.sessionManager = this.wasm.createSessionManager();\n }\n\n /\n Return the manifest currently driving sign-in behavior, or\n * `undefined` if none is set. Used by TinyCloudWeb/TinyCloudNode\n * internals to surface the manifest for requestPermissions flows\n * without forcing the caller to track it separately.\n /\n get manifest(): Manifest \| Manifest[] \| undefined {\n return this._manifest;\n }\n\n get capabilityRequest(): ComposedManifestRequest \| undefined {\n return this.getCapabilityRequest();\n }\n\n get hosts(): string[] {\n return this.tinycloudHosts ? [...this.tinycloudHosts] : [];\n }\n\n /\n Install or replace the stored manifest. Takes effect on the next\n * `signIn()` call — the current session (if any) is not touched.\n /\n setManifest(manifest: Manifest \| Manifest[] \| undefined): void {\n this._manifest = manifest;\n this._capabilityRequest = undefined;\n }\n\n setCapabilityRequest(request: ComposedManifestRequest \| undefined): void {\n this._capabilityRequest = request;\n }\n\n /\n The current active session (web-core compatible).\n /\n get session(): ClientSession \| undefined {\n return this._session;\n }\n\n /\n The current TinyCloud session with full delegation data.\n * Includes spaceId, delegationHeader, and delegationCid.\n /\n get tinyCloudSession(): TinyCloudSession \| undefined {\n return this._tinyCloudSession;\n }\n\n /\n Rehydrate the auth-layer session from previously-persisted delegation\n * data. Used by {@link TinyCloudNode.restoreSession} so that downstream\n * surfaces that read from `tinyCloudSession` (notably\n * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work\n * without re-running the full sign-in flow.\n \n Caller must supply the same fields that `signIn` would have written —\n * `siwe` is the load-bearing one because `extractSiweExpiration` returns\n * undefined for missing SIWEs and the SDK then treats the session as\n * expired-at-epoch-zero.\n /\n setRestoredTinyCloudSession(session: TinyCloudSession): void {\n const address = canonicalizeAddress(session.address);\n this._tinyCloudSession = { ...session, address };\n this._address = address;\n this._chainId = session.chainId;\n }\n\n private async resolveTinyCloudHostsForSignIn(\n address: string,\n chainId: number,\n ): Promise<void> {\n if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {\n return;\n }\n\n const subject = pkhDid(address, chainId);\n const resolved = await resolveTinyCloudHosts(subject, {\n registryUrl: this.tinycloudRegistryUrl,\n fallbackHosts: this.tinycloudFallbackHosts,\n });\n this.tinycloudHosts = resolved.hosts;\n }\n\n private requireTinyCloudHosts(): string[] {\n if (!this.tinycloudHosts \|\| this.tinycloudHosts.length === 0) {\n throw new Error(\"TinyCloud hosts have not been resolved. Call signIn() first.\");\n }\n return this.tinycloudHosts;\n }\n\n private get primaryTinyCloudHost(): string {\n return this.requireTinyCloudHosts()[0];\n }\n\n get nodeFeatures(): string[] {\n return this._nodeFeatures;\n }\n\n /\n Compute the `abilities` map the WASM `prepareSession` call should\n * see at sign-in time.\n \n When a manifest is installed, we resolve it and union together:\n * - the app's own `resources` (what it needs at runtime)\n * - every `additionalDelegates[].permissions` list (what it will\n re-delegate to other DIDs post sign-in)\n \n into the short-service / path / full-URN-actions shape the WASM\n * layer expects. This is the key invariant that lets\n * {@link TinyCloudNode.delegateTo} issue manifest-declared\n * delegations via the session key (no wallet prompt): the session's\n * own recap already covers every action those delegations need.\n \n When no manifest is installed, we fall back to the\n * {@link defaultActions} table so existing callers see no change.\n \n This is a pure function of `this._manifest` + `this.defaultActions`\n * — the manifest resolution performs no I/O and throws a\n * {@link ManifestValidationError} on structural problems (missing\n * id/name, unparseable expiry, etc), which will surface at sign-in\n * rather than being silently swallowed.\n \n @internal\n /\n private getCapabilityRequest(): ComposedManifestRequest \| undefined {\n if (this._capabilityRequest !== undefined) {\n return this._capabilityRequest;\n }\n if (this._manifest === undefined) {\n return undefined;\n }\n this._capabilityRequest = composeManifestRequest(\n Array.isArray(this._manifest) ? this._manifest : [this._manifest],\n {\n includeAccountRegistryPermissions:\n this.includeAccountRegistryPermissions,\n }\n );\n return this._capabilityRequest;\n }\n\n private resolveSpaceName(space: string, address: string, chainId: number): string {\n if (space.startsWith(\"tinycloud:\")) {\n return space;\n }\n return makePkhSpaceId(address, chainId, space);\n }\n\n private defaultEncryptionNetworkId(address: string, chainId: number): string {\n return `urn:tinycloud:encryption:${pkhDid(address, chainId)}:default`;\n }\n\n private resolveSignInCapabilities(\n address: string,\n chainId: number,\n ): {\n abilities: AbilitiesMap;\n spaceId: string;\n spaceAbilities?: Record<string, AbilitiesMap>;\n rawAbilities?: Record<string, string[]>;\n } {\n const request = this.getCapabilityRequest();\n if (request === undefined) {\n const defaultNetworkId = this.defaultEncryptionNetworkId(address, chainId);\n const secretsSpaceId = makePkhSpaceId(address, chainId, \"secrets\");\n return {\n abilities: this.defaultActions,\n spaceId: makePkhSpaceId(address, chainId, this.spacePrefix),\n spaceAbilities: {\n [secretsSpaceId]: {\n kv: {\n \"vault/secrets/\": [\n \"tinycloud.kv/get\",\n \"tinycloud.kv/put\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ],\n },\n },\n },\n rawAbilities: {\n [defaultNetworkId]: [\n \"tinycloud.encryption/decrypt\",\n \"tinycloud.encryption/network.create\",\n ],\n },\n };\n }\n\n const rawAbilities: Record<string, string[]> = {};\n const spaceResources = request.resources.filter((entry) => {\n if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {\n return true;\n }\n const existing = rawAbilities[entry.path];\n if (existing === undefined) {\n rawAbilities[entry.path] = [...entry.actions];\n } else {\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n }\n return false;\n });\n\n const primarySpaceName =\n spaceResources.find((entry) => entry.space !== \"account\")?.space ??\n DEFAULT_MANIFEST_SPACE;\n const primarySpaceId = this.resolveSpaceName(\n primarySpaceName,\n address,\n chainId,\n );\n\n const bySpace = resourceCapabilitiesToSpaceAbilitiesMap(spaceResources);\n const spaceAbilities: Record<string, AbilitiesMap> = {};\n for (const [space, abilities] of Object.entries(bySpace)) {\n spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;\n }\n\n return {\n abilities:\n spaceAbilities[primarySpaceId] ??\n resourceCapabilitiesToAbilitiesMap([]),\n spaceId: primarySpaceId,\n spaceAbilities,\n rawAbilities:\n Object.keys(rawAbilities).length > 0 ? rawAbilities : undefined,\n };\n }\n\n /\n Build SIWE overrides from the top-level nonce and siweConfig.\n * - Top-level `nonce` is seeded first so `siweConfig.nonce` wins if both are set.\n * - statement is prepended to the default statement\n * - resources are appended to the default resources\n * - uri triggers a warning (overwriting delegation target)\n * - all other fields override directly\n * - per-call nonce overrides siweConfig.nonce when provided\n /\n private buildSiweOverrides(options?: SignInOptions): Record<string, unknown> {\n const base: Record<string, unknown> = { uri: this.uri };\n if (this.nonce !== undefined) {\n base.nonce = this.nonce;\n }\n\n if (!this.siweConfig && !options?.nonce) {\n return base;\n }\n\n const { statement, resources, uri, ...rest } = this.siweConfig ?? {};\n const overrides: Record<string, unknown> = { ...base, ...rest };\n\n if (statement) {\n overrides.statement = this.statement\n ? `${statement} ${this.statement}`\n : statement;\n }\n\n if (resources && resources.length > 0) {\n overrides.resources = resources;\n }\n\n if (uri) {\n console.warn(\n \"[tinycloud] siweConfig.uri is overwriting the delegation target URI. \" +\n \"This may break delegation chain validation if the URI does not match the session key DID.\",\n );\n overrides.uri = uri;\n }\n\n if (options?.nonce) {\n overrides.nonce = options.nonce;\n }\n\n return overrides;\n }\n\n /\n Add an extension to the authorization flow.\n /\n extend(extension: Extension): void {\n this.extensions.push(extension);\n }\n\n /\n Get the space ID for the current session.\n /\n getSpaceId(): string \| undefined {\n return this._tinyCloudSession?.spaceId;\n }\n\n /\n Create the space on the TinyCloud server (host delegation).\n * This registers the user as the owner of the space.\n /\n private async hostSpace(targetSpaceId?: string): Promise<boolean> {\n if (!this._tinyCloudSession \|\| !this._address \|\| !this._chainId) {\n throw new Error(\"Must be signed in to host space\");\n }\n\n const host = this.primaryTinyCloudHost;\n const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;\n\n // Get peer ID from TinyCloud server\n const peerId = await fetchPeerId(host, spaceId);\n\n // Generate host SIWE message\n const siwe = this.wasm.generateHostSIWEMessage({\n address: this._address,\n chainId: this._chainId,\n domain: this.domain,\n issuedAt: new Date().toISOString(),\n spaceId,\n peerId,\n });\n\n // Sign the message\n const signature = await this.signMessage(siwe);\n\n // Convert to delegation headers and submit\n const headers = this.wasm.siweToDelegationHeaders({ siwe, signature });\n const result = await submitHostDelegation(host, headers);\n\n return result.success;\n }\n\n /\n Create a specific space on the server via host delegation.\n * Used for lazy creation of additional spaces (e.g., public).\n /\n async hostPublicSpace(spaceId: string): Promise<boolean> {\n return this.hostSpace(spaceId);\n }\n\n /\n Create a specific owned space on the server via host delegation.\n * Used by manifest registry setup for the account space.\n /\n async hostOwnedSpace(spaceId: string): Promise<boolean> {\n return this.hostSpace(spaceId);\n }\n\n /\n Ensure the user's space exists on the TinyCloud server.\n * Creates the space if it doesn't exist and autoCreateSpace is enabled.\n * If autoCreateSpace is false and space doesn't exist, silently returns\n * (user may be using delegations to access other spaces).\n \n @throws Error if space creation fails\n /\n async ensureSpaceExists(): Promise<void> {\n if (!this._tinyCloudSession) {\n throw new Error(\"Must be signed in to ensure space exists\");\n }\n\n const host = this.primaryTinyCloudHost;\n const primarySpaceId = this._tinyCloudSession.spaceId;\n\n // Try to activate the session\n const result = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n // Determine the effective space creation handler:\n // 1. Explicit spaceCreationHandler takes precedence\n // 2. autoCreateSpace: true uses AutoApproveSpaceCreationHandler\n // 3. Otherwise, no handler (space creation skipped silently)\n const handler: ISpaceCreationHandler \| undefined =\n this.spaceCreationHandler ??\n (this.autoCreateSpace\n ? new AutoApproveSpaceCreationHandler()\n : undefined);\n\n const creationContext = {\n spaceId: primarySpaceId,\n address: this._address!,\n chainId: this._chainId!,\n host,\n };\n\n if (result.success) {\n // Check if primary space was actually activated or just skipped\n const primarySkipped = result.skipped?.includes(primarySpaceId);\n\n if (!primarySkipped) {\n // Primary space exists and session is activated\n return;\n }\n\n // Primary space was skipped (doesn't exist yet)\n if (!handler) {\n return;\n }\n\n const confirmed = await handler.confirmSpaceCreation(creationContext);\n if (!confirmed) {\n return;\n }\n\n // Create the primary space\n try {\n const created = await this.hostSpace();\n if (!created) {\n const err = new Error(`Failed to create space: ${primarySpaceId}`);\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n } catch (error) {\n handler.onSpaceCreationFailed?.(\n creationContext,\n error instanceof Error ? error : new Error(String(error)),\n );\n throw error;\n }\n\n // Small delay to allow space creation to propagate\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n // Retry activation\n const retryResult = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n if (!retryResult.success) {\n const err = new Error(\n `Failed to activate session after creating space: ${retryResult.error}`,\n );\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n\n handler.onSpaceCreated?.(creationContext);\n return;\n }\n\n // Handle 404 (backwards compat with older servers)\n if (result.status === 404) {\n if (!handler) {\n return;\n }\n\n const confirmed = await handler.confirmSpaceCreation(creationContext);\n if (!confirmed) {\n return;\n }\n\n try {\n const created = await this.hostSpace();\n if (!created) {\n const err = new Error(`Failed to create space: ${primarySpaceId}`);\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n } catch (error) {\n handler.onSpaceCreationFailed?.(\n creationContext,\n error instanceof Error ? error : new Error(String(error)),\n );\n throw error;\n }\n\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n const retryResult = await activateSessionWithHost(\n host,\n this._tinyCloudSession.delegationHeader,\n );\n\n if (!retryResult.success) {\n const err = new Error(\n `Failed to activate session after creating space: ${retryResult.error}`,\n );\n handler.onSpaceCreationFailed?.(creationContext, err);\n throw err;\n }\n\n handler.onSpaceCreated?.(creationContext);\n return;\n }\n\n throw new Error(`Failed to activate session: ${result.error}`);\n }\n\n /\n Sign in and create a new session.\n \n This follows the correct SIWE-ReCap flow:\n * 1. Create session key and get JWK\n * 2. Call prepareSession() which generates the SIWE with ReCap capabilities\n * 3. Sign the SIWE string from prepareSession\n * 4. Call completeSessionSetup() with the prepared session + signature\n \n @param options - Optional per-call SIWE overrides for this sign-in only\n /\n async signIn(options?: SignInOptions): Promise<ClientSession> {\n // Get signer address and chain ID\n this._address = canonicalizeAddress(await this.signer.getAddress());\n this._chainId = await this.signer.getChainId();\n\n const address = this._address;\n const chainId = this._chainId;\n\n await this.resolveTinyCloudHostsForSignIn(address, chainId);\n\n // Create a session key\n const keyId = `session-${Date.now()}`;\n this.sessionManager.renameSessionKeyId(\"default\", keyId);\n\n // Get JWK for session key\n const jwkString = this.sessionManager.jwk(keyId);\n if (!jwkString) {\n throw new Error(\"Failed to create session key\");\n }\n const jwk = JSON.parse(jwkString);\n\n const capabilityPlan = this.resolveSignInCapabilities(address, chainId);\n const spaceId = capabilityPlan.spaceId;\n\n const now = new Date();\n const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);\n\n // Prepare session - this creates the SIWE message with ReCap capabilities.\n //\n // When a manifest is installed, `resolveSignInAbilities()` returns\n // the union of app permissions + every manifest-declared\n // delegation's permissions in the shape `prepareSession` accepts.\n // Otherwise it returns `defaultActions` unchanged (legacy path).\n const prepared = this.wasm.prepareSession({\n abilities: capabilityPlan.abilities,\n ...(capabilityPlan.spaceAbilities !== undefined\n ? { spaceAbilities: capabilityPlan.spaceAbilities }\n : {}),\n ...(capabilityPlan.rawAbilities !== undefined\n ? { rawAbilities: capabilityPlan.rawAbilities }\n : {}),\n address,\n chainId,\n domain: this.domain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId,\n jwk,\n ...this.buildSiweOverrides(options),\n });\n\n // Sign the SIWE message from prepareSession (NOT a separately generated SIWE)\n const signature = await this.requestSignature({\n address,\n chainId,\n message: prepared.siwe,\n type: \"siwe\",\n });\n\n // Complete session setup with the prepared session + signature\n const session = this.wasm.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Create client session (web-core compatible)\n const clientSession: ClientSession = {\n address,\n walletAddress: address,\n chainId,\n sessionKey: keyId,\n siwe: prepared.siwe,\n signature,\n };\n\n // Compute additional spaces as metadata (not in the delegation itself).\n // The public space delegation is created lazily via ensurePublicSpace(),\n // not at signIn time, to avoid creating spaces the user may never use.\n const spacesMetadata: Record<string, string> \| undefined = this\n .enablePublicSpace\n ? { public: makePkhSpaceId(address, chainId, \"public\") }\n : undefined;\n\n // Create TinyCloud session with full delegation data\n // Use sessionManager.getDID(keyId) for verificationMethod to get properly formatted DID URL\n // The prepared.verificationMethod from Rust WASM has a bug that doubles the DID fragment\n const tinyCloudSession: TinyCloudSession = {\n address,\n chainId,\n sessionKey: keyId,\n spaceId,\n spaces: spacesMetadata,\n delegationCid: session.delegationCid,\n delegationHeader: session.delegationHeader,\n verificationMethod: this.sessionManager.getDID(keyId),\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Persist session with TinyCloud-specific data\n const persistedData: PersistedSessionData = {\n address,\n chainId,\n sessionKey: JSON.stringify(jwk),\n siwe: prepared.siwe,\n signature,\n tinycloudSession: {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId,\n spaces: spacesMetadata,\n verificationMethod: this.sessionManager.getDID(keyId),\n },\n expiresAt: expirationTime.toISOString(),\n createdAt: now.toISOString(),\n version: \"1.0\",\n };\n await this.sessionStorage.save(address, persistedData);\n\n // Set current session\n this._session = clientSession;\n this._tinyCloudSession = tinyCloudSession;\n this._address = address;\n this._chainId = chainId;\n\n // Verify SDK-node protocol compatibility and discover supported features\n const nodeInfo = await checkNodeInfo(\n this.primaryTinyCloudHost,\n this.wasm.protocolVersion(),\n );\n this._nodeFeatures = nodeInfo.features;\n\n // Call extension hooks\n for (const ext of this.extensions) {\n if (ext.afterSignIn) {\n await ext.afterSignIn(clientSession);\n }\n }\n\n // Ensure space exists (creates if needed when autoCreateSpace is true)\n await this.ensureSpaceExists();\n\n return clientSession;\n }\n\n /\n Sign out and clear the current session.\n /\n async signOut(): Promise<void> {\n if (this._address) {\n await this.clearPersistedSession(this._address);\n }\n this._session = undefined;\n }\n\n /\n Get the current wallet/signer address.\n /\n address(): string \| undefined {\n return this._address;\n }\n\n /\n Get the current chain ID.\n /\n chainId(): number \| undefined {\n return this._chainId;\n }\n\n /\n Sign a message with the connected signer.\n /\n async signMessage(message: string): Promise<string> {\n if (!this._address) {\n this._address = canonicalizeAddress(await this.signer.getAddress());\n }\n if (!this._chainId) {\n this._chainId = await this.signer.getChainId();\n }\n\n return this.requestSignature({\n address: this._address,\n chainId: this._chainId,\n message,\n type: \"message\",\n });\n }\n\n /\n Prepare a session for external signing.\n \n Use this method when you need to sign the SIWE message externally (e.g., via\n * a hardware wallet, multi-sig, or external service). After obtaining the signature,\n * call `signInWithPreparedSession()` to complete the sign-in.\n \n @example\n * ```typescript\n * const { prepared, keyId, jwk } = await auth.prepareSessionForSigning();\n * const signature = await externalSigner.signMessage(prepared.siwe);\n * const session = await auth.signInWithPreparedSession(prepared, signature, keyId, jwk);\n * ```\n /\n async prepareSessionForSigning(): Promise<{\n prepared: {\n siwe: string;\n jwk: Record<string, unknown>;\n spaceId: string;\n verificationMethod: string;\n };\n keyId: string;\n jwk: Record<string, unknown>;\n address: string;\n chainId: number;\n }> {\n const address = canonicalizeAddress(await this.signer.getAddress());\n const chainId = await this.signer.getChainId();\n\n // Create a session key\n const keyId = `session-${Date.now()}`;\n this.sessionManager.renameSessionKeyId(\"default\", keyId);\n\n // Get JWK for session key\n const jwkString = this.sessionManager.jwk(keyId);\n if (!jwkString) {\n throw new Error(\"Failed to create session key\");\n }\n const jwk = JSON.parse(jwkString);\n\n const capabilityPlan = this.resolveSignInCapabilities(address, chainId);\n const spaceId = capabilityPlan.spaceId;\n\n const now = new Date();\n const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);\n\n // Prepare session - this creates the SIWE message with ReCap capabilities.\n //\n // When a manifest is installed, `resolveSignInAbilities()` returns\n // the union of app permissions + every manifest-declared\n // delegation's permissions in the shape `prepareSession` accepts.\n // Otherwise it returns `defaultActions` unchanged (legacy path).\n const prepared = this.wasm.prepareSession({\n abilities: capabilityPlan.abilities,\n ...(capabilityPlan.spaceAbilities !== undefined\n ? { spaceAbilities: capabilityPlan.spaceAbilities }\n : {}),\n ...(capabilityPlan.rawAbilities !== undefined\n ? { rawAbilities: capabilityPlan.rawAbilities }\n : {}),\n address,\n chainId,\n domain: this.domain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId,\n jwk,\n ...this.buildSiweOverrides(),\n });\n\n return {\n prepared,\n keyId,\n jwk,\n address,\n chainId,\n };\n }\n\n /\n Complete sign-in with a prepared session and signature.\n \n Use this method after obtaining a signature for the SIWE message from\n * `prepareSessionForSigning()`. The signature MUST be over `prepared.siwe`.\n \n @param prepared - The prepared session from `prepareSessionForSigning()`\n * @param signature - The signature over `prepared.siwe`\n * @param keyId - The session key ID from `prepareSessionForSigning()`\n * @param jwk - The JWK from `prepareSessionForSigning()`\n /\n async signInWithPreparedSession(\n prepared: {\n siwe: string;\n jwk: Record<string, unknown>;\n spaceId: string;\n verificationMethod: string;\n },\n signature: string,\n keyId: string,\n jwk: Record<string, unknown>,\n ): Promise<ClientSession> {\n // Complete session setup with the prepared session + signature\n const session = this.wasm.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Parse address and chainId from the prepared session\n // The SIWE message contains this info, but we need to extract it\n // For now, we'll get it from the signer since it should match\n const address = canonicalizeAddress(await this.signer.getAddress());\n const chainId = await this.signer.getChainId();\n\n await this.resolveTinyCloudHostsForSignIn(address, chainId);\n\n // Create client session (web-core compatible)\n const clientSession: ClientSession = {\n address,\n walletAddress: address,\n chainId,\n sessionKey: keyId,\n siwe: prepared.siwe,\n signature,\n };\n\n // Compute additional spaces as metadata (not in the delegation itself).\n const spacesMetadata: Record<string, string> \| undefined = this\n .enablePublicSpace\n ? { public: makePkhSpaceId(address, chainId, \"public\") }\n : undefined;\n\n // Create TinyCloud session with full delegation data\n // Use sessionManager.getDID(keyId) for properly formatted DID URL\n const tinyCloudSession: TinyCloudSession = {\n address,\n chainId,\n sessionKey: keyId,\n spaceId: prepared.spaceId,\n spaces: spacesMetadata,\n delegationCid: session.delegationCid,\n delegationHeader: session.delegationHeader,\n verificationMethod: this.sessionManager.getDID(keyId),\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Extract expiration from SIWE message (parse the string)\n const expirationMatch = prepared.siwe.match(/Expiration Time: (.+)/);\n const issuedAtMatch = prepared.siwe.match(/Issued At: (.+)/);\n const expiresAt =\n expirationMatch?.[1] ??\n new Date(Date.now() + this.sessionExpirationMs).toISOString();\n const createdAt = issuedAtMatch?.[1] ?? new Date().toISOString();\n\n // Persist session with TinyCloud-specific data\n const persistedData: PersistedSessionData = {\n address,\n chainId,\n sessionKey: JSON.stringify(jwk),\n siwe: prepared.siwe,\n signature,\n tinycloudSession: {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: prepared.spaceId,\n spaces: spacesMetadata,\n verificationMethod: this.sessionManager.getDID(keyId),\n },\n expiresAt,\n createdAt,\n version: \"1.0\",\n };\n await this.sessionStorage.save(address, persistedData);\n\n // Set current session\n this._session = clientSession;\n this._tinyCloudSession = tinyCloudSession;\n this._address = address;\n this._chainId = chainId;\n\n // Verify SDK-node protocol compatibility and discover supported features\n const nodeInfo = await checkNodeInfo(\n this.primaryTinyCloudHost,\n this.wasm.protocolVersion(),\n );\n this._nodeFeatures = nodeInfo.features;\n\n // Call extension hooks\n for (const ext of this.extensions) {\n if (ext.afterSignIn) {\n await ext.afterSignIn(clientSession);\n }\n }\n\n // Ensure space exists (creates if needed when autoCreateSpace is true)\n await this.ensureSpaceExists();\n\n return clientSession;\n }\n\n /\n Clear persisted session data.\n /\n async clearPersistedSession(address?: string): Promise<void> {\n const targetAddress = address ?? this._address;\n if (targetAddress) {\n await this.sessionStorage.clear(targetAddress);\n }\n }\n\n /\n Check if a session is persisted for an address.\n /\n isSessionPersisted(address: string): boolean {\n return this.sessionStorage.exists(address);\n }\n\n /\n Request a signature based on the configured strategy.\n /\n private async requestSignature(request: SignRequest): Promise<string> {\n switch (this.signStrategy.type) {\n case \"auto-sign\":\n return this.signer.signMessage(request.message);\n\n case \"auto-reject\":\n throw new Error(\"Sign request rejected by auto-reject strategy\");\n\n case \"callback\": {\n const response = await this.signStrategy.handler(request);\n if (!response.approved) {\n throw new Error(\n response.reason ?? \"Sign request rejected by callback\",\n );\n }\n // If callback provides signature, use it; otherwise sign with signer\n return (\n response.signature ?? (await this.signer.signMessage(request.message))\n );\n }\n\n case \"event-emitter\": {\n return this.requestSignatureViaEmitter(\n request,\n this.signStrategy.emitter,\n this.signStrategy.timeout ?? 60000,\n );\n }\n\n default:\n throw new Error(\n `Unknown sign strategy: ${(this.signStrategy as any).type}`,\n );\n }\n }\n\n /\n Request signature via event emitter with timeout.\n /\n private requestSignatureViaEmitter(\n request: SignRequest,\n emitter: EventEmitter,\n timeout: number,\n ): Promise<string> {\n return new Promise((resolve, reject) => {\n const timeoutId = setTimeout(() => {\n reject(new Error(\"Sign request timed out\"));\n }, timeout);\n\n const respond = async (response: SignResponse) => {\n clearTimeout(timeoutId);\n if (!response.approved) {\n reject(\n new Error(response.reason ?? \"Sign request rejected via emitter\"),\n );\n } else {\n // If response provides signature, use it; otherwise sign with signer\n const signature =\n response.signature ??\n (await this.signer.signMessage(request.message));\n resolve(signature);\n }\n };\n\n emitter.emit(\"sign-request\", request, respond);\n });\n }\n}\n","/\n Node.js-specific SignStrategy types for TinyCloud authorization.\n \n This module re-exports common types from sdk-core and provides\n * Node.js-specific implementations (e.g., NodeEventEmitterStrategy\n * using Node's EventEmitter instead of browser EventTarget).\n \n @packageDocumentation\n /\n\nimport { EventEmitter } from \"events\";\n\n// Import types for local use in SignStrategy union\nimport type {\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n} from \"@tinycloud/sdk-core\";\n\n// Re-export common types from sdk-core (type-only — erased at runtime in sdk-core dist)\nexport type {\n SignRequest,\n SignResponse,\n SignCallback,\n AutoSignStrategy,\n AutoRejectStrategy,\n CallbackStrategy,\n} from \"@tinycloud/sdk-core\";\n\n/\n Node.js event emitter strategy: emits sign requests as events.\n \n Uses Node.js EventEmitter for compatibility with Node.js applications.\n * For browser environments, use the EventEmitterStrategy from sdk-core\n * which uses EventTarget.\n \n Events emitted:\n * - 'sign-request': When a sign request is received\n \n Use cases:\n * - Async approval workflows in Node.js\n * - External signing services\n * - Multi-step authorization flows\n \n @example\n * ```typescript\n * const emitter = new EventEmitter();\n * const strategy: NodeEventEmitterStrategy = { type: 'event-emitter', emitter };\n \n emitter.on('sign-request', async (req, respond) => {\n * const approved = await externalApprovalService.check(req);\n * respond({ approved, signature: approved ? await sign(req.message) : undefined });\n * });\n * ```\n /\nexport interface NodeEventEmitterStrategy {\n type: \"event-emitter\";\n emitter: EventEmitter;\n /* Timeout in milliseconds for waiting on event response (default: 60000) /\n timeout?: number;\n}\n\n/\n Node.js sign strategy union type.\n \n Determines how sign requests are handled in NodeUserAuthorization.\n * Uses Node.js EventEmitter for the event-emitter strategy.\n /\nexport type SignStrategy =\n \| AutoSignStrategy\n \| AutoRejectStrategy\n \| CallbackStrategy\n \| NodeEventEmitterStrategy;\n\n/\n Default sign strategy is auto-sign for convenience.\n * This is the Node.js-specific version typed with SignStrategy.\n /\nexport const defaultSignStrategy: SignStrategy = { type: \"auto-sign\" };\n","/\n TinyCloudNode - High-level API for Node.js users.\n \n Each user has their own TinyCloudNode instance with their own key.\n * This class provides a simplified interface for:\n * - Signing in and managing sessions\n * - Key-value storage operations on own space\n * - Creating and using delegations\n \n @example\n * ```typescript\n * const alice = new TinyCloudNode({\n * privateKey: process.env.ALICE_PRIVATE_KEY,\n * host: \"https://node.tinycloud.xyz\",\n * prefix: \"myapp\",\n * });\n \n await alice.signIn();\n * await alice.kv.put(\"greeting\", \"Hello, world!\");\n \n // Delegate access to Bob\n * const delegation = await alice.createDelegation({\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * delegateDID: bob.did,\n * });\n \n // Bob uses the delegation\n * const access = await bob.useDelegation(delegation);\n * const data = await access.kv.get(\"shared/data\");\n * ```\n /\n\nimport {\n TinyCloud,\n TinyCloudSession,\n activateSessionWithHost,\n KVService,\n IKVService,\n SQLService,\n ISQLService,\n DuckDbService,\n IDuckDbService,\n HooksService,\n DataVaultService,\n IDataVaultService,\n EncryptionService,\n SecretsService,\n ISecretsService,\n IEncryptionService,\n IHooksService,\n createVaultCrypto,\n ServiceSession,\n ServiceContext,\n ISessionStorage,\n ISigner,\n type InvokeAnyFunction,\n type InvokeFunction,\n INotificationHandler,\n SilentNotificationHandler,\n IENSResolver,\n IWasmBindings,\n ISessionManager,\n ISpaceCreationHandler,\n SignInOptions,\n // v2 services\n DelegationManager,\n SpaceService,\n ISpaceService,\n ISpace,\n CapabilityKeyRegistry,\n ICapabilityKeyRegistry,\n SharingService,\n ISharingService,\n // v2 types\n SiweConfig,\n Delegation,\n CreateDelegationParams,\n KeyInfo,\n JWK,\n DelegationResult,\n CreateDelegationWasmParams,\n CreateDelegationWasmResult,\n type DelegatedResource,\n UnsupportedFeatureError,\n makePublicSpaceId,\n ACCOUNT_REGISTRY_SPACE,\n type ComposedManifestRequest,\n type ResolvedDelegate,\n // Capability-chain delegation\n type PermissionEntry,\n ENCRYPTION_PERMISSION_SERVICE,\n PermissionNotInManifestError,\n SessionExpiredError,\n expandPermissionEntries as expandPermissionEntriesCore,\n isCapabilitySubset,\n parseRecapCapabilities,\n // Manifest-driven sign-in\n type Manifest,\n type AbilitiesMap,\n resourceCapabilitiesToAbilitiesMap,\n SERVICE_LONG_TO_SHORT,\n EXPIRY,\n canonicalHashHex,\n canonicalizeEncryptionJson,\n verifyDidKeyEd25519Signature,\n canonicalizeAddress,\n pkhDid,\n principalDidEquals,\n type BuildDecryptInvocationInput,\n type BuiltDecryptInvocation,\n type CanonicalJson,\n type DecryptResponseBody,\n type DecryptTransport,\n type EncryptionCrypto,\n type NetworkDescriptor,\n} from \"@tinycloud/sdk-core\";\nimport { NodeUserAuthorization } from \"./authorization/NodeUserAuthorization\";\nimport { FileSessionStorage } from \"./storage/FileSessionStorage\";\nimport { MemorySessionStorage } from \"./storage/MemorySessionStorage\";\nimport { PortableDelegation } from \"./delegation\";\nimport { DelegatedAccess } from \"./DelegatedAccess\";\nimport { WasmKeyProvider } from \"./keys/WasmKeyProvider\";\nimport {\n legacyParamsToPermissionEntries,\n resolveExpiryMs,\n extractSiweExpiration,\n} from \"./delegateToHelpers\";\nimport { NodeSecretsService } from \"./NodeSecretsService\";\n\n/* Default TinyCloud host /\nconst DEFAULT_HOST = \"https://node.tinycloud.xyz\";\nconst DEFAULT_ENCRYPTION_NETWORK_NAME = \"default\";\nconst NETWORK_CREATE_ACTION = \"tinycloud.encryption/network.create\";\nconst DECRYPT_ACTION = \"tinycloud.encryption/decrypt\";\nconst NETWORK_ADMIN_TYPE = \"tinycloud.encryption.network-admin/v1\";\n\n/\n Default lifetime of a SIWE session when {@link TinyCloudNodeConfig.sessionExpirationMs}\n * is not set. Sourced from the shared SESSION tier so all sign-in code\n * paths land on the same number — see `@tinycloud/sdk-core/expiry.ts`\n * for the tier rationale.\n /\nconst DEFAULT_SESSION_EXPIRATION_MS = EXPIRY.SESSION_MS;\n\nfunction didPrincipalMatches(actual: string, expected: string): boolean {\n try {\n return principalDidEquals(actual, expected);\n } catch {\n return actual === expected;\n }\n}\n\n/\n Configuration for TinyCloudNode.\n * All fields are optional - TinyCloudNode can work with zero configuration.\n /\nexport interface TinyCloudNodeConfig {\n /* Hex-encoded private key (with or without 0x prefix). Optional - only needed for wallet mode and signIn() /\n privateKey?: string;\n /* Custom signer implementation. If provided, takes precedence over privateKey. /\n signer?: ISigner;\n /* Explicit TinyCloud server URL. When omitted, signIn resolves the user's host. /\n host?: string;\n /* TinyCloud location registry URL. Default: https://registry.tinycloud.xyz. /\n tinycloudRegistryUrl?: string \| null;\n /* Fallback TinyCloud hosts. Default: hosted TinyCloud node. /\n tinycloudFallbackHosts?: string[] \| null;\n /* Space prefix for this user's space. Optional - only needed for signIn() /\n prefix?: string;\n /* Domain for SIWE messages (default: derived from host) /\n domain?: string;\n /* Session expiration time in milliseconds (default: 1 hour) /\n sessionExpirationMs?: number;\n /* Whether to automatically create space if it doesn't exist (default: false) /\n autoCreateSpace?: boolean;\n /* Custom session storage implementation (default: MemorySessionStorage) /\n sessionStorage?: ISessionStorage;\n /* Whether to include public space capabilities in the session (default: true).\n * When true, signIn() automatically includes capabilities for the user's public space,\n * accessible via spaces.get('public').kv /\n enablePublicSpace?: boolean;\n /* Custom WASM bindings (default: @tinycloud/node-sdk-wasm). Used by browser wrapper. /\n wasmBindings?: IWasmBindings;\n /* Notification handler for sign-in/sign-out/error events (default: SilentNotificationHandler) /\n notificationHandler?: INotificationHandler;\n /* ENS resolver for resolving .eth names in delegation methods /\n ensResolver?: IENSResolver;\n /* Custom space creation handler (default: auto-approve when autoCreateSpace is true) /\n spaceCreationHandler?: ISpaceCreationHandler;\n /\n SIWE nonce override. If omitted, the WASM layer generates a random nonce.\n * If `siweConfig.nonce` is also provided, `siweConfig.nonce` wins.\n /\n nonce?: string;\n /* Optional SIWE configuration overrides (e.g., nonce for server-provided nonces) /\n siweConfig?: SiweConfig;\n /\n App manifest driving the SIWE recap at sign-in.\n \n When set, `signIn()` resolves the manifest, unions the app's own\n * permissions with every manifest-declared delegation's permissions,\n * and uses that union as the session's granted capabilities — NOT\n * the legacy `defaultActions` table. This is what makes\n * `delegateTo(manifestDeclaredDid, permissions)` work without a\n * wallet prompt: the session key's recap already covers the\n * delegation target's needs at sign-in time.\n \n When omitted, `signIn()` falls back to `defaultActions` for\n * backwards compatibility with callers that pre-date the manifest\n * flow.\n /\n manifest?: Manifest \| Manifest[];\n /* Pre-composed manifest request. Takes precedence over `manifest`. /\n capabilityRequest?: ComposedManifestRequest;\n /* Include implicit account registry permissions when composing `manifest`. Default true. /\n includeAccountRegistryPermissions?: boolean;\n}\n\n/\n Options for {@link TinyCloudNode.delegateTo}.\n \n `expiry` accepts either an ms-format duration string (e.g. `\"7d\"`, `\"1h\"`)\n * or a raw number of milliseconds. When omitted, the default is 1 hour.\n \n `forceWalletSign` bypasses the derivability check and sends the\n * delegation through the legacy wallet-signed SIWE path, which always\n * triggers a wallet prompt. Used for testing, for explicit wallet\n * confirmation flows, and by the legacy `createDelegation` fallback.\n /\nexport interface DelegateToOptions {\n /* Override expiry. ms-format string (\"7d\", \"1h\") or raw milliseconds. /\n expiry?: string \| number;\n /* Force the wallet-signed SIWE path even if the caps are derivable. Default false. /\n forceWalletSign?: boolean;\n}\n\n/\n Result of {@link TinyCloudNode.delegateTo}.\n \n `prompted` indicates whether a wallet prompt was shown — `true` for the\n * legacy wallet path (always), `false` for the session-key UCAN path (never).\n * Callers wiring single-prompt sign-in flows use this to assert that their\n * capability chain was derivable.\n /\nexport interface DelegateToResult {\n delegation: PortableDelegation;\n prompted: boolean;\n}\n\n/\n Options for runtime permission escalation.\n /\nexport interface RuntimePermissionGrantOptions {\n /* Override expiry. ms-format string (\"7d\", \"1h\") or raw milliseconds. /\n expiry?: string \| number;\n}\n\ninterface RuntimePermissionOperation {\n spaceId?: string;\n resource?: string;\n service: string;\n path: string;\n action: string;\n}\n\ninterface RuntimePermissionGrant {\n session: ServiceSession;\n delegation: PortableDelegation;\n operations: RuntimePermissionOperation[];\n expiresAt: Date;\n}\n\ntype CanonicalizableEncryptionJson = CanonicalJson;\ntype NetworkInvocationFact = object;\n\nfunction base64UrlEncode(bytes: Uint8Array): string {\n const alphabet = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n let output = \"\";\n for (let i = 0; i < bytes.length; i += 3) {\n const a = bytes[i];\n const b = bytes[i + 1];\n const c = bytes[i + 2];\n const triplet = (a << 16) \| ((b ?? 0) << 8) \| (c ?? 0);\n output += alphabet[(triplet >> 18) & 63];\n output += alphabet[(triplet >> 12) & 63];\n if (i + 1 < bytes.length) output += alphabet[(triplet >> 6) & 63];\n if (i + 2 < bytes.length) output += alphabet[triplet & 63];\n }\n return output;\n}\n\nfunction base64UrlDecode(value: string): Uint8Array {\n const alphabet = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_\";\n const bytes: number[] = [];\n let buffer = 0;\n let bits = 0;\n for (const char of value) {\n const index = alphabet.indexOf(char);\n if (index < 0) {\n throw new Error(\"invalid base64url input\");\n }\n buffer = (buffer << 6) \| index;\n bits += 6;\n if (bits >= 8) {\n bits -= 8;\n bytes.push((buffer >> bits) & 0xff);\n }\n }\n return new Uint8Array(bytes);\n}\n\nasync function signJwtInputWithJwk(\n signingInput: string,\n jwk: object,\n): Promise<Uint8Array> {\n const bytes = new TextEncoder().encode(signingInput);\n try {\n const subtle = globalThis.crypto?.subtle;\n if (!subtle) {\n throw new Error(\"WebCrypto subtle API is unavailable\");\n }\n const key = await subtle.importKey(\n \"jwk\",\n jwk as any,\n { name: \"Ed25519\" },\n false,\n [\"sign\"],\n );\n return new Uint8Array(await subtle.sign({ name: \"Ed25519\" }, key, bytes));\n } catch {\n const nodeCrypto = await import(\"node:crypto\");\n const key = nodeCrypto.createPrivateKey({ key: jwk as any, format: \"jwk\" });\n return new Uint8Array(nodeCrypto.sign(null, Buffer.from(bytes), key));\n }\n}\n\nasync function rewriteInvocationAudience(\n authorization: string,\n audience: string,\n jwk: object,\n): Promise<string> {\n const [headerPart, payloadPart] = authorization.split(\".\");\n if (!headerPart \|\| !payloadPart) {\n throw new Error(\"invalid invocation authorization\");\n }\n const header = JSON.parse(new TextDecoder().decode(base64UrlDecode(headerPart)));\n const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadPart)));\n payload.aud = audience;\n const signingInput = `${base64UrlEncode(\n new TextEncoder().encode(JSON.stringify(header)),\n )}.${base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)))}`;\n const signature = await signJwtInputWithJwk(signingInput, jwk);\n return `${signingInput}.${base64UrlEncode(signature)}`;\n}\n\nfunction authorizationHeader(headers: Record<string, string> \| [string, string][]): string {\n if (Array.isArray(headers)) {\n const entry = headers.find(([name]) => name.toLowerCase() === \"authorization\");\n if (!entry) {\n throw new Error(\"network invocation did not include an Authorization header\");\n }\n return entry[1];\n }\n const value = headers.Authorization ?? headers.authorization;\n if (!value) {\n throw new Error(\"network invocation did not include an Authorization header\");\n }\n return value;\n}\n\n/\n High-level TinyCloud API for Node.js environments.\n \n Each user creates their own TinyCloudNode instance with their private key.\n * The instance manages the user's session and provides access to their space.\n /\n/* @internal /\nexport interface NodeDefaults {\n createWasmBindings: () => IWasmBindings;\n createSigner: (privateKey: string, chainId?: number) => ISigner;\n}\n\nexport class TinyCloudNode {\n /* @internal Registered by importing @tinycloud/node-sdk (not /core) /\n private static nodeDefaults?: NodeDefaults;\n\n /* @internal Register Node.js-specific defaults (NodeWasmBindings, PrivateKeySigner) /\n static registerNodeDefaults(defaults: NodeDefaults): void {\n TinyCloudNode.nodeDefaults = defaults;\n }\n\n private config: TinyCloudNodeConfig;\n private readonly explicitHost?: string;\n private signer: ISigner \| null = null;\n private auth: NodeUserAuthorization \| null = null;\n private tc: TinyCloud \| null = null;\n private _address?: string;\n private _chainId: number = 1;\n private wasmBindings: IWasmBindings;\n private sessionManager: ISessionManager;\n private _serviceContext?: ServiceContext;\n private _kv?: KVService;\n private _sql?: SQLService;\n private _duckdb?: DuckDbService;\n private _hooks?: HooksService;\n private _vault?: DataVaultService;\n private _encryption?: EncryptionService;\n private _baseSecrets?: ISecretsService;\n private _secrets?: ISecretsService;\n /* Cached public KV with proper delegation (set by ensurePublicSpace) /\n private _publicKV?: KVService;\n\n /* Session key ID - always available /\n private sessionKeyId: string;\n /* Session key JWK as object - always available /\n private sessionKeyJwk: object;\n\n /* Notification handler for user-facing events /\n private notificationHandler: INotificationHandler;\n\n // v2 services (initialized in constructor)\n private _capabilityRegistry: CapabilityKeyRegistry;\n private _keyProvider: WasmKeyProvider;\n private _sharingService: SharingService;\n // These are initialized after signIn()\n private _delegationManager?: DelegationManager;\n private _spaceService?: SpaceService;\n private runtimePermissionGrants: RuntimePermissionGrant[] = [];\n\n /\n TinyCloudSession captured by {@link restoreSession} when there's no\n * auth-layer signer available (session-only mode used by OpenKey-backed\n * CLI restores, public-space replays, …). Read by\n * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.\n /\n private _restoredTcSession?: TinyCloudSession;\n\n private get nodeFeatures(): string[] {\n return this.auth?.nodeFeatures ?? [];\n }\n\n /* SIWE domain — uses config override or defaults to app.tinycloud.xyz /\n private get siweDomain(): string {\n return this.config.domain ?? 'app.tinycloud.xyz';\n }\n\n private readonly invokeWithRuntimePermissions: InvokeFunction = (\n session,\n service,\n path,\n action,\n facts,\n ) => {\n return this.wasmBindings.invoke(\n this.selectInvocationSession(session, service, path, action),\n service,\n path,\n action,\n facts,\n );\n };\n\n private readonly invokeAnyWithRuntimePermissions: InvokeAnyFunction = (\n session,\n entries,\n facts,\n ) => {\n if (!this.wasmBindings.invokeAny) {\n throw new Error(\"WASM binding does not support invokeAny\");\n }\n const grant = this.findGrantForOperations(\n entries.flatMap((entry) => {\n const operation = this.operationFromInvokeAnyEntry(entry);\n return operation ? [operation] : [];\n }),\n );\n return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);\n };\n\n /\n Create a new TinyCloudNode instance.\n \n All configuration is optional. Without a privateKey, the instance operates\n * in \"session-only\" mode where it can receive delegations but cannot create\n * its own space via signIn().\n \n @param config - Configuration options (all optional)\n \n @example\n * ```typescript\n * // Session-only mode - can receive delegations\n * const bob = new TinyCloudNode();\n * console.log(bob.did); // did:key:z6Mk... - available immediately\n \n // Wallet mode - can create own space\n * const alice = new TinyCloudNode({\n * privateKey: process.env.ALICE_PRIVATE_KEY,\n * prefix: \"myapp\",\n * });\n * await alice.signIn();\n * ```\n /\n constructor(config: TinyCloudNodeConfig = {}) {\n this.explicitHost = config.host;\n\n // Store config with default host\n this.config = {\n ...config,\n host: config.host ?? DEFAULT_HOST,\n };\n\n // Initialize WASM bindings (uses registered Node defaults if not provided)\n if (config.wasmBindings) {\n this.wasmBindings = config.wasmBindings;\n } else if (TinyCloudNode.nodeDefaults) {\n this.wasmBindings = TinyCloudNode.nodeDefaults.createWasmBindings();\n } else {\n throw new Error(\n \"wasmBindings must be provided in config. \" +\n \"Import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n\n // Always create session manager and session key immediately\n this.sessionManager = this.wasmBindings.createSessionManager();\n\n // Try to use \"default\" key, create if it doesn't exist\n const defaultKeyId = \"default\";\n let jwkStr = this.sessionManager.jwk(defaultKeyId);\n if (jwkStr) {\n // Key already exists, reuse it\n this.sessionKeyId = defaultKeyId;\n } else {\n // Create new key\n this.sessionKeyId = this.sessionManager.createSessionKey(defaultKeyId);\n jwkStr = this.sessionManager.jwk(this.sessionKeyId);\n }\n\n if (!jwkStr) {\n throw new Error(\"Failed to get session key JWK\");\n }\n this.sessionKeyJwk = JSON.parse(jwkStr);\n\n // Initialize capability registry for all users (needed for tracking received delegations)\n this._capabilityRegistry = new CapabilityKeyRegistry();\n\n // Initialize KeyProvider for SharingService\n this._keyProvider = new WasmKeyProvider({\n sessionManager: this.sessionManager,\n });\n\n // Initialize notification handler\n this.notificationHandler = config.notificationHandler ?? new SilentNotificationHandler();\n\n // Initialize SharingService for receive-only access (no session required)\n // This allows session-only users to receive sharing links without signIn()\n // Full capabilities (generate) are added after signIn()\n this._sharingService = new SharingService({\n hosts: [this.config.host!],\n // session: undefined - not needed for receive()\n invoke: this.invokeWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n keyProvider: this._keyProvider,\n registry: this._capabilityRegistry,\n // delegationManager: undefined - not needed for receive()\n createKVService: (config) => {\n // Use pathPrefix as the KV service prefix for sharing links\n // Strip trailing slash to match DelegatedAccess behavior\n const prefix = config.pathPrefix?.replace(/\\/$/, '');\n const kvService = new KVService({ prefix });\n // Create a new service context for the KV service\n const kvContext = new ServiceContext({\n invoke: config.invoke,\n fetch: config.fetch ?? globalThis.fetch.bind(globalThis),\n hosts: config.hosts,\n });\n kvContext.setSession(config.session);\n kvService.initialize(kvContext);\n return kvService;\n },\n });\n\n // Set up wallet/auth if signer or privateKey is provided\n if (config.signer) {\n this.signer = config.signer;\n this.setupAuth(config);\n } else if (config.privateKey) {\n if (!TinyCloudNode.nodeDefaults) {\n throw new Error(\n \"privateKey requires PrivateKeySigner. Either provide a signer in config, \" +\n \"or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n this.signer = TinyCloudNode.nodeDefaults.createSigner(config.privateKey, this._chainId);\n this.setupAuth(config);\n }\n }\n\n /\n Set up authorization handler and TinyCloud instance.\n * @internal\n /\n private setupAuth(config: TinyCloudNodeConfig): void {\n this.auth = new NodeUserAuthorization({\n signer: this.signer!,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: config.prefix,\n sessionExpirationMs: config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: config.tinycloudFallbackHosts,\n autoCreateSpace: config.autoCreateSpace,\n enablePublicSpace: config.enablePublicSpace ?? true,\n spaceCreationHandler: config.spaceCreationHandler,\n nonce: config.nonce,\n siweConfig: config.siweConfig,\n manifest: config.manifest,\n capabilityRequest: config.capabilityRequest,\n includeAccountRegistryPermissions: config.includeAccountRegistryPermissions,\n });\n\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n }\n\n private syncResolvedHostFromAuth(): void {\n const host = this.auth?.hosts[0];\n if (host) {\n this.config.host = host;\n }\n }\n\n /\n Install or replace the manifest that drives the SIWE recap at\n * sign-in. Takes effect on the next `signIn()` call — the current\n * session (if any) is not touched. Wire this up from a higher\n * layer (e.g. TinyCloudWeb.setManifest) so the manifest is kept\n * in sync across the stack.\n /\n setManifest(manifest: Manifest \| Manifest[] \| undefined): void {\n if (!this.auth) {\n // Session-only mode has no auth handler, so there's nothing to\n // update. The caller almost certainly wanted wallet mode — fail\n // loudly rather than silently dropping the manifest.\n throw new Error(\n \"setManifest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config.\",\n );\n }\n this.config.manifest = manifest;\n this.config.capabilityRequest = undefined;\n this.auth.setManifest(manifest);\n }\n\n setCapabilityRequest(request: ComposedManifestRequest \| undefined): void {\n if (!this.auth) {\n throw new Error(\n \"setCapabilityRequest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config.\",\n );\n }\n this.config.capabilityRequest = request;\n this.config.manifest = request?.manifests;\n this.auth.setCapabilityRequest(request);\n }\n\n /\n Return the manifest currently installed on the auth handler,\n * or `undefined` if none is set.\n /\n get manifest(): Manifest \| Manifest[] \| undefined {\n return this.auth?.manifest;\n }\n\n get capabilityRequest(): ComposedManifestRequest \| undefined {\n return this.auth?.capabilityRequest;\n }\n\n get hosts(): string[] {\n const authHosts = this.auth?.hosts ?? [];\n return authHosts.length > 0 ? authHosts : [this.config.host!];\n }\n\n /\n Get the primary identity DID for this user.\n * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})\n * - If session-only mode: returns session key DID (did:key:z6Mk...)\n \n Use this for delegations - it always returns the appropriate identity.\n /\n get did(): string {\n // If wallet is connected and signed in, return PKH (persistent identity)\n if (this._address) {\n return pkhDid(this._address, this._chainId);\n }\n // Session-only mode: return session key DID (ephemeral identity)\n return this.sessionManager.getDID(this.sessionKeyId);\n }\n\n /\n Get the session key DID. Always available.\n * Format: did:key:z6Mk...#z6Mk...\n \n Use this when you specifically need the session key, not the user identity.\n /\n get sessionDid(): string {\n return this.sessionManager.getDID(this.sessionKeyId);\n }\n\n /\n Get the Ethereum address for this user.\n /\n get address(): string \| undefined {\n return this.auth?.address() ?? this._address;\n }\n\n /\n Check if this instance is in session-only mode (no wallet).\n * In session-only mode, the instance can receive delegations but cannot\n * create its own space via signIn().\n /\n get isSessionOnly(): boolean {\n return this.signer === null;\n }\n\n /\n Get the space ID for this user.\n * Available after signIn().\n /\n get spaceId(): string \| undefined {\n return this.auth?.tinyCloudSession?.spaceId;\n }\n\n /\n Get the current TinyCloud session.\n * Available after signIn().\n /\n get session(): TinyCloudSession \| undefined {\n return this.auth?.tinyCloudSession;\n }\n\n /\n Sign in and create a new session.\n * This creates the user's space if it doesn't exist.\n * Requires wallet mode (privateKey in config).\n \n @param options - Optional per-call SIWE overrides for this sign-in only\n /\n async signIn(options?: SignInOptions): Promise<void> {\n if (!this.signer \|\| !this.tc) {\n throw new Error(\n \"Cannot signIn() in session-only mode. Provide a privateKey in config to create your own space.\"\n );\n }\n\n // Ensure WASM is ready (critical for browser where WASM loads asynchronously)\n await this.wasmBindings.ensureInitialized?.();\n\n this._address = canonicalizeAddress(await this.signer.getAddress());\n this._chainId = await this.signer.getChainId();\n\n // Reset services so they get recreated with new session\n this._kv = undefined;\n this._sql = undefined;\n this._duckdb = undefined;\n this._hooks = undefined;\n this._vault = undefined;\n this._encryption = undefined;\n this._baseSecrets = undefined;\n this._secrets = undefined;\n this._spaceService = undefined;\n this._serviceContext = undefined;\n this.runtimePermissionGrants = [];\n\n await this.tc.signIn(options);\n this.syncResolvedHostFromAuth();\n\n // Initialize service context with session\n this.initializeServices();\n\n if (this.config.manifest === undefined && this.config.capabilityRequest === undefined) {\n await this.ensureOwnedSpaceHosted(this.ownedSpaceId(\"secrets\"));\n }\n\n await this.writeManifestRegistryRecords();\n\n this.notificationHandler.success(\"Successfully signed in\");\n }\n\n private ownedSpaceId(name: string): string {\n if (!this._address) {\n throw new Error(\"Cannot resolve owned space before sign-in\");\n }\n return this.wasmBindings.makeSpaceId(this._address, this._chainId, name);\n }\n\n private async writeManifestRegistryRecords(): Promise<void> {\n const request = this.capabilityRequest;\n if (!request \|\| request.registryRecords.length === 0) {\n return;\n }\n if (!this.auth \|\| !this.signer) {\n throw new Error(\"Manifest registry write requires wallet mode\");\n }\n\n const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);\n await this.ensureOwnedSpaceHosted(accountSpaceId);\n\n const accountKV = this.spaces.get(accountSpaceId).kv;\n for (const record of request.registryRecords) {\n const result = await accountKV.put(record.key, {\n app_id: record.app_id,\n manifests: record.manifests,\n updated_at: new Date().toISOString(),\n });\n if (!result.ok) {\n throw new Error(\n `Failed to write manifest registry record ${record.key}: ${result.error.message}`,\n );\n }\n }\n }\n\n private async ensureOwnedSpaceHosted(spaceId: string): Promise<void> {\n if (!this.auth) {\n throw new Error(\"Owned space hosting requires wallet mode\");\n }\n\n const session = this.auth.tinyCloudSession;\n if (!session) {\n throw new Error(\"Owned space hosting requires an active session\");\n }\n\n const host = this.hosts[0] ?? this.config.host;\n if (!host) {\n throw new Error(\"Owned space hosting requires a TinyCloud host\");\n }\n\n const activation = await activateSessionWithHost(host, session.delegationHeader);\n if (activation.success && !activation.skipped?.includes(spaceId)) {\n return;\n }\n\n if (!activation.success && activation.status !== 404) {\n throw new Error(\n `Failed to check owned space ${spaceId}: ${activation.error ?? activation.status}`,\n );\n }\n\n const created = await (this.auth as NodeUserAuthorization).hostOwnedSpace(spaceId);\n if (!created) {\n throw new Error(`Failed to create owned space: ${spaceId}`);\n }\n\n await new Promise((resolve) => setTimeout(resolve, 100));\n\n const retry = await activateSessionWithHost(host, session.delegationHeader);\n if (!retry.success \|\| retry.skipped?.includes(spaceId)) {\n throw new Error(\n `Failed to activate session after creating owned space ${spaceId}: ${\n retry.error ?? \"space was skipped\"\n }`,\n );\n }\n }\n\n /\n Restore a previously established session from stored delegation data.\n \n This is used by the CLI to restore a session that was created via the\n * browser-based delegation flow (OpenKey `/delegate` page). Instead of\n * signing in with a private key, it injects the delegation data directly.\n \n @param sessionData - The stored delegation data from the browser flow\n /\n async restoreSession(sessionData: {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n spaceId: string;\n jwk: object;\n verificationMethod: string;\n address?: string;\n chainId?: number;\n /\n The SIWE message that authorized this session. Required for\n * downstream operations that need the session's expiry (e.g.\n * {@link grantRuntimePermissions}). When omitted the SDK can still\n * invoke services with the existing delegation, but anything that\n * reads `auth.tinyCloudSession.siwe` will treat the session as\n * expired-at-epoch-zero.\n /\n siwe?: string;\n /\n The wallet/OpenKey signature over `siwe`. Optional because the\n * runtime doesn't re-verify it — it's persisted alongside the SIWE\n * for callers that need to round-trip the full session shape.\n /\n signature?: string;\n }): Promise<void> {\n // Ensure WASM is ready (critical for browser where WASM loads asynchronously)\n await this.wasmBindings.ensureInitialized?.();\n\n // Reset services so they get recreated with new session\n this._kv = undefined;\n this._sql = undefined;\n this._duckdb = undefined;\n this._hooks = undefined;\n this._vault = undefined;\n this._encryption = undefined;\n this._baseSecrets = undefined;\n this._secrets = undefined;\n this._spaceService = undefined;\n this._serviceContext = undefined;\n this.runtimePermissionGrants = [];\n\n const restoredAddress = sessionData.address\n ? canonicalizeAddress(sessionData.address)\n : undefined;\n if (restoredAddress) {\n this._address = restoredAddress;\n }\n if (sessionData.chainId) {\n this._chainId = sessionData.chainId;\n }\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n invokeAny: this.invokeAnyWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [this.config.host!],\n });\n\n // Create and register KV service\n this._kv = new KVService({});\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and register SQL service\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n\n // Create and register DuckDB service\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: sessionData.delegationHeader,\n delegationCid: sessionData.delegationCid,\n spaceId: sessionData.spaceId,\n verificationMethod: sessionData.verificationMethod,\n jwk: sessionData.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n\n // Create and register Vault service (matches initializeServices behavior)\n this._vault = this.createVaultService(sessionData.spaceId, this._kv!);\n this._vault.initialize(this._serviceContext);\n this._serviceContext.registerService('vault', this._vault);\n\n // Initialize v2 services\n this.initializeV2Services(serviceSession);\n\n // Rehydrate a TinyCloudSession on whatever surface is available. In\n // wallet mode the auth layer holds it; in session-only mode (OpenKey,\n // public-space restore, …) `this.auth` is null and we fall back to\n // `_restoredTcSession` on the node itself. Both surfaces are read by\n // {@link currentTinyCloudSession} so callers don't have to care.\n //\n // Required for `useRuntimeDelegation` / `hasRuntimePermissions` /\n // `getRuntimePermissionDelegations` to work after a session restore —\n // without this they bail with `SessionExpiredError(new Date(0))`.\n if (sessionData.siwe && restoredAddress && sessionData.chainId) {\n const tcSession: TinyCloudSession = {\n address: restoredAddress,\n chainId: sessionData.chainId,\n sessionKey: JSON.stringify(sessionData.jwk),\n spaceId: sessionData.spaceId,\n delegationCid: sessionData.delegationCid,\n delegationHeader: sessionData.delegationHeader,\n verificationMethod: sessionData.verificationMethod,\n jwk: sessionData.jwk as { [k: string]: unknown },\n siwe: sessionData.siwe,\n signature: sessionData.signature ?? \"\",\n };\n if (this.auth) {\n this.auth.setRestoredTinyCloudSession(tcSession);\n } else {\n this._restoredTcSession = tcSession;\n }\n }\n }\n\n /\n Resolve the currently-active TinyCloudSession, preferring the auth\n * layer's value (wallet mode) and falling back to the node-level\n * rehydration set by {@link restoreSession} (session-only mode).\n /\n private currentTinyCloudSession(): TinyCloudSession \| undefined {\n return this.auth?.tinyCloudSession ?? this._restoredTcSession;\n }\n\n /\n Connect a wallet to upgrade from session-only mode to wallet mode.\n \n This allows a user who started in session-only mode to later connect\n * a wallet and gain the ability to create their own space.\n \n Note: This does NOT automatically sign in. Call signIn() after connecting\n * the wallet to create your space.\n \n @param privateKey - The Ethereum private key (hex string, no 0x prefix)\n * @param options - Optional configuration\n * @param options.prefix - Space name prefix (defaults to \"default\")\n \n @example\n * ```typescript\n * // Start in session-only mode\n * const node = new TinyCloudNode({ host: \"https://node.tinycloud.xyz\" });\n * console.log(node.did); // did:key:z6Mk... (session key)\n \n // Later, connect a wallet\n * node.connectWallet(privateKey);\n * await node.signIn();\n * console.log(node.did); // did:pkh:eip155:1:0x... (PKH)\n * ```\n /\n connectWallet(privateKey: string, options?: { prefix?: string; sessionStorage?: ISessionStorage }): void {\n if (this.signer) {\n throw new Error(\"Wallet already connected. Cannot connect another wallet.\");\n }\n\n const prefix = options?.prefix ?? \"default\";\n\n // Create signer from private key\n if (!TinyCloudNode.nodeDefaults) {\n throw new Error(\n \"connectWallet() requires PrivateKeySigner. Use connectSigner() instead, \" +\n \"or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults.\"\n );\n }\n this.signer = TinyCloudNode.nodeDefaults.createSigner(privateKey);\n\n // Create authorization handler\n this.auth = new NodeUserAuthorization({\n signer: this.signer,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: prefix,\n sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,\n autoCreateSpace: this.config.autoCreateSpace,\n enablePublicSpace: this.config.enablePublicSpace ?? true,\n spaceCreationHandler: this.config.spaceCreationHandler,\n nonce: this.config.nonce,\n siweConfig: this.config.siweConfig,\n manifest: this.config.manifest,\n capabilityRequest: this.config.capabilityRequest,\n includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions,\n });\n\n // Create TinyCloud instance\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n\n // Update config with prefix\n this.config.prefix = prefix;\n }\n\n /\n Connect any ISigner to upgrade from session-only mode to wallet mode.\n \n Same as connectWallet() but accepts any ISigner implementation instead\n * of a raw private key string. Use this for browser wallets, hardware wallets,\n * or custom signing backends.\n \n Note: This does NOT automatically sign in. Call signIn() after connecting.\n \n @param signer - Any ISigner implementation\n * @param options - Optional configuration\n * @param options.prefix - Space name prefix (defaults to \"default\")\n /\n connectSigner(signer: ISigner, options?: { prefix?: string; sessionStorage?: ISessionStorage }): void {\n if (this.signer) {\n throw new Error(\"Signer already connected. Cannot connect another signer.\");\n }\n\n const prefix = options?.prefix ?? \"default\";\n\n this.signer = signer;\n\n this.auth = new NodeUserAuthorization({\n signer: this.signer,\n signStrategy: { type: \"auto-sign\" },\n wasmBindings: this.wasmBindings,\n sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),\n domain: this.siweDomain,\n spacePrefix: prefix,\n sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,\n tinycloudHosts: this.explicitHost ? [this.explicitHost] : undefined,\n tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,\n tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,\n autoCreateSpace: this.config.autoCreateSpace,\n enablePublicSpace: this.config.enablePublicSpace ?? true,\n spaceCreationHandler: this.config.spaceCreationHandler,\n nonce: this.config.nonce,\n siweConfig: this.config.siweConfig,\n manifest: this.config.manifest,\n capabilityRequest: this.config.capabilityRequest,\n includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions,\n });\n\n this.tc = new TinyCloud(this.auth, {\n invokeAny: this.invokeAnyWithRuntimePermissions,\n });\n this.config.prefix = prefix;\n }\n\n /\n Initialize the service context and KV service after sign-in.\n * @internal\n /\n private initializeServices(): void {\n const session = this.currentTinyCloudSession();\n if (!session) {\n return;\n }\n\n // Initialize TinyCloud core services (needed for publicKV, ensurePublicSpace)\n this.tc!.initializeServices(this.invokeWithRuntimePermissions, [this.config.host!]);\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n invokeAny: this.invokeAnyWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [this.config.host!],\n });\n\n // Create and register KV service\n this._kv = new KVService({});\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and register SQL service (if supported)\n const features = this.nodeFeatures;\n if (features.length === 0 \|\| features.includes(\"sql\")) {\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n }\n\n // Create and register DuckDB service (if supported)\n if (features.length === 0 \|\| features.includes(\"duckdb\")) {\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n }\n\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n (this.tc!.serviceContext as ServiceContext).setSession(serviceSession);\n\n // Create and register Vault service\n this._vault = this.createVaultService(session.spaceId, this._kv!);\n this._vault.initialize(this._serviceContext);\n this._serviceContext.registerService('vault', this._vault);\n\n // Initialize v2 services\n this.initializeV2Services(serviceSession);\n }\n\n private createSpaceScopedKVService(spaceId: string): KVService {\n const kvService = new KVService({});\n if (this._serviceContext) {\n const spaceScopedContext = new ServiceContext({\n invoke: this._serviceContext.invoke,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n const session = this._serviceContext.session;\n if (session) {\n spaceScopedContext.setSession({ ...session, spaceId });\n }\n kvService.initialize(spaceScopedContext);\n }\n return kvService;\n }\n\n getDefaultEncryptionNetworkId(name = DEFAULT_ENCRYPTION_NETWORK_NAME): string {\n return `urn:tinycloud:encryption:${this.did}:${name}`;\n }\n\n private requireServiceSession(): ServiceSession {\n const session = this._serviceContext?.session;\n if (!session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return session;\n }\n\n private createEncryptionCrypto(): EncryptionCrypto {\n const wasm = this.wasmBindings;\n const columnEncrypt = (key: Uint8Array, plaintext: Uint8Array): Uint8Array => {\n const encrypted = wasm.vault_encrypt(key, plaintext);\n const out = new Uint8Array(1 + encrypted.length);\n out[0] = 0x01;\n out.set(encrypted, 1);\n return out;\n };\n const columnDecrypt = (key: Uint8Array, blob: Uint8Array): Uint8Array => {\n if (blob[0] !== 0x01) {\n return blob;\n }\n return wasm.vault_decrypt(key, blob.slice(1));\n };\n return {\n sha256: (data) => wasm.vault_sha256(data),\n randomBytes: (length) => wasm.vault_random_bytes(length),\n x25519FromSeed: (seed) => wasm.vault_x25519_from_seed(seed),\n x25519Dh: (privateKey, publicKey) =>\n wasm.vault_x25519_dh(privateKey, publicKey),\n authEncrypt: (key, plaintext) => wasm.vault_encrypt(key, plaintext),\n authDecrypt: (key, ciphertext) => wasm.vault_decrypt(key, ciphertext),\n sealToNetworkKey: (networkPublicKey, symmetricKey) => {\n const seed = wasm.vault_random_bytes(32);\n const ephemeral = wasm.vault_x25519_from_seed(seed);\n const shared = wasm.vault_x25519_dh(\n ephemeral.privateKey,\n networkPublicKey,\n );\n const encrypted = columnEncrypt(shared, symmetricKey);\n const out = new Uint8Array(ephemeral.publicKey.length + encrypted.length);\n out.set(ephemeral.publicKey, 0);\n out.set(encrypted, ephemeral.publicKey.length);\n return out;\n },\n openWithReceiverKey: (receiverPrivateKey, wrappedKey) => {\n const peerPublic = wrappedKey.slice(0, 32);\n const ciphertext = wrappedKey.slice(32);\n const shared = wasm.vault_x25519_dh(receiverPrivateKey, peerPublic);\n return columnDecrypt(shared, ciphertext);\n },\n verifyNodeSignature: (nodeId, message, signature) =>\n verifyDidKeyEd25519Signature(nodeId, message, signature),\n };\n }\n\n private async fetchNodeId(): Promise<string> {\n const response = await fetch(`${this.config.host}/info`);\n if (!response.ok) {\n throw new Error(`Failed to fetch node info: HTTP ${response.status}`);\n }\n const info = (await response.json()) as { nodeId?: unknown };\n if (typeof info.nodeId !== \"string\" \|\| info.nodeId.length === 0) {\n throw new Error(\"Node /info response did not include nodeId\");\n }\n return info.nodeId;\n }\n\n private async signRawNetworkAuthorization(input: {\n targetNode: string;\n networkId: string;\n action: string;\n facts: NetworkInvocationFact;\n }): Promise<{ authorization: string; invocationCid: string }> {\n if (!this.wasmBindings.invokeAny) {\n throw new Error(\"WASM binding does not support raw-resource invokeAny\");\n }\n if (!this.wasmBindings.computeCid) {\n throw new Error(\"WASM binding does not support invocation CID computation\");\n }\n const session = this.requireServiceSession();\n const headers = this.invokeAnyWithRuntimePermissions(\n session,\n [\n {\n resource: input.networkId,\n service: \"encryption\",\n path: input.networkId,\n action: input.action,\n },\n ],\n [input.facts as Record<string, unknown>],\n );\n const authorization = authorizationHeader(headers);\n const audienceBound = await rewriteInvocationAudience(\n authorization,\n input.targetNode,\n session.jwk,\n );\n return {\n authorization: audienceBound,\n invocationCid: this.wasmBindings.computeCid(\n new TextEncoder().encode(audienceBound),\n 0x55n,\n ),\n };\n }\n\n private createEncryptionService(): EncryptionService {\n const crypto = this.createEncryptionCrypto();\n const transport: DecryptTransport = {\n postDecrypt: async ({ networkId, authorization, canonicalBody }) => {\n const response = await fetch(\n `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}/decrypt`,\n {\n method: \"POST\",\n headers: {\n Authorization: authorization,\n \"Content-Type\": \"application/json\",\n },\n body: canonicalBody,\n },\n );\n if (!response.ok) {\n throw new Error(\n `decrypt failed ${response.status}: ${await response.text()}`,\n );\n }\n return (await response.json()) as DecryptResponseBody;\n },\n };\n return new EncryptionService({\n crypto,\n signer: {\n signDecryptInvocation: async (\n input: BuildDecryptInvocationInput,\n ): Promise<BuiltDecryptInvocation> => {\n const signed = await this.signRawNetworkAuthorization({\n targetNode: input.targetNode,\n networkId: input.networkId,\n action: DECRYPT_ACTION,\n facts: input.facts,\n });\n return {\n ...signed,\n canonicalBody: canonicalizeEncryptionJson(\n input.body as unknown as CanonicalizableEncryptionJson,\n ),\n };\n },\n },\n transport,\n node: {\n fetchByNetworkId: (networkId) => this.getEncryptionNetwork(networkId),\n },\n wellKnown: {\n fetchWellKnown: async (principal, discoveryKey) => {\n if (!this._address \|\| !didPrincipalMatches(principal, this.did)) {\n return null;\n }\n if (!this.config.host) {\n return null;\n }\n const publicSpaceId = makePublicSpaceId(this._address, this._chainId);\n const result = await TinyCloud.readPublicSpace<\n NetworkDescriptor \| { descriptor?: NetworkDescriptor }\n >(this.config.host, publicSpaceId, discoveryKey);\n if (!result.ok) {\n return null;\n }\n const body = result.data as\n \| NetworkDescriptor\n \| { descriptor?: NetworkDescriptor };\n return \"descriptor\" in body && body.descriptor\n ? body.descriptor\n : (body as NetworkDescriptor);\n },\n },\n });\n }\n\n private getEncryptionService(): EncryptionService {\n if (!this._serviceContext) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._encryption) {\n this._encryption = this.createEncryptionService();\n this._encryption.initialize(this._serviceContext);\n this._serviceContext.registerService(\"encryption\", this._encryption);\n }\n return this._encryption;\n }\n\n private createVaultService(spaceId: string, kv: IKVService): DataVaultService {\n const wasm = this.wasmBindings;\n const vaultCrypto = createVaultCrypto({\n vault_encrypt: wasm.vault_encrypt, vault_decrypt: wasm.vault_decrypt, vault_derive_key: wasm.vault_derive_key,\n vault_x25519_from_seed: wasm.vault_x25519_from_seed, vault_x25519_dh: wasm.vault_x25519_dh,\n vault_random_bytes: wasm.vault_random_bytes, vault_sha256: wasm.vault_sha256,\n });\n const self = this;\n return new DataVaultService({\n spaceId,\n crypto: vaultCrypto,\n encryption: {\n networkId: this.getDefaultEncryptionNetworkId(),\n service: this.getEncryptionService(),\n decryptCapabilityProof: () => ({\n proofs: [this.requireServiceSession().delegationCid],\n }),\n },\n tc: {\n kv,\n ensurePublicSpace: async () => {\n try {\n await self.ensurePublicSpace();\n return { ok: true as const, data: undefined };\n } catch (error) {\n return { ok: false as const, error: { code: \"STORAGE_ERROR\", message: error instanceof Error ? error.message : String(error), service: \"vault\" } };\n }\n },\n get publicKV() { return self._publicKV ?? self.tc!.publicKV; },\n readPublicSpace: <T>(host: string, targetSpaceId: string, key: string) =>\n TinyCloud.readPublicSpace<T>(host, targetSpaceId, key),\n makePublicSpaceId: TinyCloud.makePublicSpaceId,\n did: this.did,\n address: this._address ?? \"\",\n chainId: this._chainId,\n hosts: [this.config.host!],\n },\n });\n }\n\n /\n Initialize the v2 delegation system services.\n * @internal\n /\n private initializeV2Services(serviceSession: ServiceSession): void {\n // Initialize CapabilityKeyRegistry\n this._capabilityRegistry = new CapabilityKeyRegistry();\n\n const tcSession = this.auth?.tinyCloudSession;\n // Register the session key with its capabilities\n if (tcSession && this._address) {\n const sessionKey: KeyInfo = {\n id: tcSession.sessionKey,\n did: tcSession.verificationMethod,\n type: \"session\",\n // Cast jwk from generic object to JWK - we know it has the required structure\n jwk: tcSession.jwk as JWK,\n priority: 0, // Session keys have highest priority\n };\n\n // Create root delegation for the session\n const rootDelegation: Delegation = {\n cid: tcSession.delegationCid,\n delegateDID: tcSession.verificationMethod,\n spaceId: tcSession.spaceId,\n path: \"\", // Root access\n actions: [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/\",\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/\",\n ],\n expiry: this.getSessionExpiry(),\n isRevoked: false,\n allowSubDelegation: true,\n };\n\n // Register root delegations\n const delegations = [rootDelegation];\n\n // If session includes additional spaces (e.g., public), register delegations for those too\n if (tcSession.spaces) {\n for (const [spaceName, spaceId] of Object.entries(tcSession.spaces)) {\n delegations.push({\n cid: tcSession.delegationCid,\n delegateDID: tcSession.verificationMethod,\n spaceId,\n path: \"\",\n actions: [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n \"tinycloud.sql/read\",\n \"tinycloud.sql/write\",\n \"tinycloud.sql/admin\",\n \"tinycloud.sql/\",\n \"tinycloud.duckdb/read\",\n \"tinycloud.duckdb/write\",\n \"tinycloud.duckdb/admin\",\n \"tinycloud.duckdb/describe\",\n \"tinycloud.duckdb/export\",\n \"tinycloud.duckdb/import\",\n \"tinycloud.duckdb/\",\n ],\n expiry: this.getSessionExpiry(),\n isRevoked: false,\n allowSubDelegation: true,\n });\n }\n }\n\n this._capabilityRegistry.registerKey(sessionKey, delegations);\n }\n\n // Initialize DelegationManager\n this._delegationManager = new DelegationManager({\n hosts: [this.config.host!],\n session: serviceSession,\n invoke: this.invokeWithRuntimePermissions,\n fetch: globalThis.fetch.bind(globalThis),\n });\n\n // Initialize SpaceService\n this._spaceService = new SpaceService({\n hosts: [this.config.host!],\n session: serviceSession,\n invoke: this.wasmBindings.invoke,\n fetch: globalThis.fetch.bind(globalThis),\n capabilityRegistry: this._capabilityRegistry,\n userDid: this.did,\n createKVService: (spaceId: string) => {\n return this.createSpaceScopedKVService(spaceId);\n },\n createVaultService: (spaceId: string) => {\n const kvService = this.createSpaceScopedKVService(spaceId);\n const vaultService = this.createVaultService(spaceId, kvService);\n if (this._serviceContext) {\n vaultService.initialize(this._serviceContext);\n }\n return vaultService;\n },\n // Enable space.delegations.create() via SIWE-based delegation\n createDelegation: async (params) => {\n try {\n // Use the existing createDelegation method which calls /delegate with SIWE\n const portableDelegation = await this.createDelegation({\n delegateDID: params.delegateDID,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation,\n expiryMs: params.expiry\n ? params.expiry.getTime() - Date.now()\n : undefined,\n });\n\n // Convert PortableDelegation to Delegation type for Space API\n const delegation: Delegation = {\n cid: portableDelegation.cid,\n delegateDID: portableDelegation.delegateDID,\n delegatorDID: this.did,\n spaceId: portableDelegation.spaceId,\n path: portableDelegation.path,\n actions: portableDelegation.actions,\n expiry: portableDelegation.expiry,\n isRevoked: false,\n allowSubDelegation: !portableDelegation.disableSubDelegation,\n createdAt: new Date(),\n authHeader: portableDelegation.delegationHeader.Authorization,\n };\n\n return { ok: true, data: delegation };\n } catch (error) {\n return {\n ok: false,\n error: {\n code: \"CREATION_FAILED\",\n message: error instanceof Error ? error.message : String(error),\n service: \"delegation\",\n },\n };\n }\n },\n });\n\n // Update SharingService with full capabilities (session + createDelegation)\n // SharingService was initialized in constructor for receive-only access\n this._sharingService.updateConfig({\n session: serviceSession,\n delegationManager: this._delegationManager,\n sessionExpiry: this.getSessionExpiry(),\n // WASM-based delegation creation (preferred - no server roundtrip)\n createDelegationWasm: (params) => this.createDelegationWrapper(params),\n // Root delegation for long-lived share links (bypasses session expiry)\n // In node-sdk we have direct signer access, so no popup needed\n onRootDelegationNeeded: this.signer\n ? async (params) => this.createRootDelegationForSharing(params)\n : undefined,\n });\n\n // Wire up SharingService to SpaceService for space.sharing.generate()\n this._spaceService.updateConfig({\n sharingService: this._sharingService,\n });\n }\n\n /\n Get the session expiry time.\n * @internal\n /\n private getSessionExpiry(): Date {\n // Default to 1 hour from now if not explicitly set\n const expirationMs = this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS;\n return new Date(Date.now() + expirationMs);\n }\n\n /\n Wrapper for the WASM createDelegation function.\n \n The WASM call now takes a multi-resource `abilities` map\n * (matching `prepareSession`'s shape) and emits ONE UCAN that\n * covers every `(service, path, actions)` entry. We mirror the raw\n * result back through `CreateDelegationWasmResult`, converting the\n * seconds-since-epoch `expiry` to a Date and normalizing the\n * `delegateDid` → `delegateDID` case.\n \n Both SharingService (single-entry) and\n * {@link TinyCloudNode.delegateTo} (multi-entry) drive this through\n * the same code path so there's exactly one place that touches the\n * WASM boundary.\n \n @internal\n /\n private createDelegationWrapper(params: CreateDelegationWasmParams): CreateDelegationWasmResult {\n // Convert ServiceSession to the format WASM expects\n const wasmSession = {\n delegationHeader: params.session.delegationHeader,\n delegationCid: params.session.delegationCid,\n jwk: params.session.jwk,\n spaceId: params.session.spaceId,\n verificationMethod: params.session.verificationMethod,\n };\n\n const result = this.wasmBindings.createDelegation(\n wasmSession,\n params.delegateDID,\n params.spaceId,\n params.abilities,\n params.expirationSecs,\n params.notBeforeSecs\n );\n\n return {\n delegation: result.delegation,\n cid: result.cid,\n // Rust serde `rename_all = \"camelCase\"` emits `delegateDid`\n // (lowercase d); the TypeScript interface uses `delegateDID`\n // (historical, matches Delegation.delegateDID). Normalize here.\n delegateDID: result.delegateDid ?? result.delegateDID,\n expiry: new Date(result.expiry 1000),\n resources: result.resources,\n };\n }\n\n /*\n Create a direct root delegation from the wallet to a share key.\n * This bypasses the session delegation chain, allowing share links\n * with expiry longer than the current session.\n * @internal\n /\n private async createRootDelegationForSharing(params: {\n shareKeyDID: string;\n spaceId: string;\n path: string;\n actions: string[];\n requestedExpiry: Date;\n }): Promise<Delegation \| undefined> {\n if (!this.signer) {\n return undefined;\n }\n\n const session = this.currentTinyCloudSession();\n if (!session) {\n return undefined;\n }\n\n try {\n const host = this.config.host!;\n const now = new Date();\n\n // Build abilities for the share key\n const abilities: Record<string, Record<string, string[]>> = {\n kv: {\n [params.path]: params.actions,\n },\n };\n\n // Prepare a direct delegation to the share key (no parents = root delegation)\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: params.requestedExpiry.toISOString(),\n spaceId: params.spaceId,\n delegateUri: params.shareKeyDID,\n });\n\n // Sign with the signer (no popup in node-sdk)\n const signature = await this.signer.signMessage(prepared.siwe);\n\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the delegation with the server\n const activateResult = await activateSessionWithHost(\n host,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n return undefined;\n }\n\n return {\n cid: delegationSession.delegationCid,\n delegateDID: params.shareKeyDID,\n delegatorDID: pkhDid(session.address, session.chainId),\n spaceId: params.spaceId,\n path: params.path,\n actions: params.actions,\n expiry: params.requestedExpiry,\n isRevoked: false,\n allowSubDelegation: true,\n createdAt: now,\n authHeader: delegationSession.delegationHeader.Authorization,\n };\n } catch {\n return undefined;\n }\n }\n\n /\n Track a received delegation in the capability registry.\n * @internal\n /\n private trackReceivedDelegation(delegation: PortableDelegation, jwk: JWK): void {\n if (!this._capabilityRegistry) {\n return;\n }\n\n const keyInfo: KeyInfo = {\n id: `received:${delegation.cid}`,\n did: this.sessionDid,\n type: \"ingested\",\n jwk,\n priority: 2,\n };\n\n // Convert PortableDelegation to Delegation type\n const delegationRecord: Delegation = {\n cid: delegation.cid,\n delegateDID: delegation.delegateDID,\n spaceId: delegation.spaceId,\n path: delegation.path,\n actions: delegation.actions,\n expiry: delegation.expiry,\n isRevoked: false,\n allowSubDelegation: !delegation.disableSubDelegation,\n };\n\n this._capabilityRegistry.ingestKey(keyInfo, delegationRecord);\n }\n\n /\n Key-value storage operations on this user's space.\n /\n get kv(): IKVService {\n if (!this._kv) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._kv;\n }\n\n /\n SQL database operations on this user's space.\n /\n get sql(): ISQLService {\n if (!this._sql) {\n const features = this.nodeFeatures;\n if (features.length > 0 && !features.includes(\"sql\")) {\n throw new UnsupportedFeatureError(\"sql\", this.config.host!, features);\n }\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._sql;\n }\n\n /\n Get an SQL service scoped to a specific space.\n \n Mirrors {@link SpaceService}'s per-space KV factory: clones the active\n * service context and overrides its session's spaceId so that subsequent\n * `sql/<dbName>/<action>` invocations route to that space. Useful when\n * the caller already holds a delegation covering the target space (e.g.\n * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})\n * but the SDK's per-space SQL surface isn't otherwise exposed.\n \n Does NOT auto-create the space.\n \n @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).\n /\n sqlForSpace(spaceId: string): ISQLService {\n if (!this._serviceContext \|\| !this._serviceContext.session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n const sql = new SQLService({});\n const spaceScopedContext = new ServiceContext({\n invoke: this._serviceContext.invoke,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n spaceScopedContext.setSession({ ...this._serviceContext.session, spaceId });\n sql.initialize(spaceScopedContext);\n return sql;\n }\n\n /\n DuckDB database operations on this user's space.\n /\n get duckdb(): IDuckDbService {\n if (!this._duckdb) {\n const features = this.nodeFeatures;\n if (features.length > 0 && !features.includes(\"duckdb\")) {\n throw new UnsupportedFeatureError(\"duckdb\", this.config.host!, features);\n }\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._duckdb;\n }\n\n /\n Data Vault operations - client-side encrypted KV storage.\n * Call `vault.unlock(signer)` after signIn() to derive encryption keys.\n /\n get vault(): IDataVaultService {\n if (!this._vault) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._vault;\n }\n\n /\n Network-scoped encryption/decrypt service.\n /\n get encryption(): IEncryptionService {\n return this.getEncryptionService();\n }\n\n async getEncryptionNetwork(\n nameOrNetworkId = this.getDefaultEncryptionNetworkId(),\n ): Promise<NetworkDescriptor \| null> {\n const networkId = nameOrNetworkId.startsWith(\"urn:tinycloud:encryption:\")\n ? nameOrNetworkId\n : this.getDefaultEncryptionNetworkId(nameOrNetworkId);\n const response = await fetch(\n `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}`,\n );\n if (response.status === 404) {\n return null;\n }\n if (!response.ok) {\n throw new Error(\n `Failed to fetch encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`,\n );\n }\n const body = (await response.json()) as {\n descriptor?: NetworkDescriptor;\n } \| NetworkDescriptor;\n return \"descriptor\" in body && body.descriptor ? body.descriptor : body as NetworkDescriptor;\n }\n\n async createEncryptionNetwork(\n name = DEFAULT_ENCRYPTION_NETWORK_NAME,\n ): Promise<NetworkDescriptor> {\n const targetNode = await this.fetchNodeId();\n const ownerDid = this.did;\n const networkId = this.getDefaultEncryptionNetworkId(name);\n const body = {\n name,\n ownerDid,\n threshold: { n: 1, t: 1 },\n };\n const crypto = this.createEncryptionCrypto();\n const facts = {\n type: NETWORK_ADMIN_TYPE,\n targetNode,\n networkId,\n bodyHash: canonicalHashHex(\n crypto.sha256,\n body as unknown as CanonicalizableEncryptionJson,\n ),\n action: NETWORK_CREATE_ACTION,\n };\n const signed = await this.signRawNetworkAuthorization({\n targetNode,\n networkId,\n action: NETWORK_CREATE_ACTION,\n facts,\n });\n const response = await fetch(`${this.config.host}/encryption/networks`, {\n method: \"POST\",\n headers: {\n Authorization: signed.authorization,\n \"Content-Type\": \"application/json\",\n },\n body: canonicalizeEncryptionJson(\n body as unknown as CanonicalizableEncryptionJson,\n ),\n });\n if (!response.ok) {\n throw new Error(\n `Failed to create encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`,\n );\n }\n const created = (await response.json()) as { descriptor: NetworkDescriptor };\n return created.descriptor;\n }\n\n async ensureEncryptionNetwork(\n name = DEFAULT_ENCRYPTION_NETWORK_NAME,\n ): Promise<NetworkDescriptor> {\n const existing = await this.getEncryptionNetwork(name);\n if (existing) {\n return existing;\n }\n return this.createEncryptionNetwork(name);\n }\n\n /\n App-facing secrets API backed by the `secrets` space vault.\n /\n get secrets(): ISecretsService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._secrets) {\n this._secrets = new NodeSecretsService({\n getService: () => this.getBaseSecrets(),\n getManifest: () => this.manifest,\n hasPermissions: (permissions) => this.hasRuntimePermissions(permissions),\n grantPermissions: (additional) => this.grantRuntimePermissions(additional),\n canEscalate: () => this.signer !== undefined && this.tc !== undefined,\n getEncryptionNetworkId: () => this.getDefaultEncryptionNetworkId(),\n getUnlockSigner: () => this.signer ?? undefined,\n });\n }\n return this._secrets;\n }\n\n private getBaseSecrets(): ISecretsService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n if (!this._baseSecrets) {\n this._baseSecrets = new SecretsService(() => this.space(\"secrets\").vault);\n }\n return this._baseSecrets;\n }\n\n /\n Hooks write stream subscription API.\n /\n get hooks(): IHooksService {\n if (!this._hooks) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._hooks;\n }\n\n // ===========================================================================\n // v2 Service Accessors\n // ===========================================================================\n\n /\n Get the CapabilityKeyRegistry for managing keys and their capabilities.\n \n The registry tracks keys (session, main, ingested) and their associated\n * delegations, enabling automatic key selection for operations.\n \n @example\n * ```typescript\n * const registry = alice.capabilityRegistry;\n \n // Get the best key for an operation\n * const key = registry.getKeyForCapability(\n * \"tinycloud://my-space/kv/data\",\n * \"tinycloud.kv/get\"\n * );\n \n // List all capabilities\n * const capabilities = registry.getAllCapabilities();\n * ```\n /\n get capabilityRegistry(): ICapabilityKeyRegistry {\n if (!this._capabilityRegistry) {\n throw new Error(\"CapabilityKeyRegistry not initialized.\");\n }\n return this._capabilityRegistry;\n }\n\n /\n Access received delegations (recipient view).\n \n Use this to see what delegations have been received via useDelegation().\n \n @example\n * ```typescript\n * // List all received delegations\n * const received = bob.delegations.list();\n * console.log(\"I have access to:\", received.length, \"spaces\");\n \n // Get a specific delegation by CID\n * const delegation = bob.delegations.get(cid);\n * ```\n /\n get delegations(): {\n /* List all received delegations /\n list: () => Delegation[];\n /* Get a delegation by CID /\n get: (cid: string) => Delegation \| undefined;\n } {\n const registry = this._capabilityRegistry;\n if (!registry) {\n return {\n list: () => [],\n get: () => undefined,\n };\n }\n\n return {\n list: () => registry.getAllCapabilities().map((entry) => entry.delegation),\n get: (cid: string) => {\n const capabilities = registry.getAllCapabilities();\n const entry = capabilities.find((e) => e.delegation.cid === cid);\n return entry?.delegation;\n },\n };\n }\n\n /\n Check whether the current session or an approved runtime delegation covers\n * every requested permission.\n /\n hasRuntimePermissions(permissions: PermissionEntry[]): boolean {\n const session = this.currentTinyCloudSession();\n if (!session \|\| !Array.isArray(permissions) \|\| permissions.length === 0) {\n return false;\n }\n\n const expanded = this.expandPermissionEntries(permissions);\n if (this.sessionCoversPermissionEntries(session, expanded)) {\n return true;\n }\n\n return this.findRuntimeGrantsForPermissionEntries(expanded, session).length > 0;\n }\n\n /\n Return installed runtime permission delegations. When `permissions` is\n * provided, only delegations currently covering those permissions are\n * returned. Base-session manifest permissions are not represented here.\n /\n getRuntimePermissionDelegations(\n permissions?: PermissionEntry[],\n ): PortableDelegation[] {\n this.pruneExpiredRuntimePermissionGrants();\n if (permissions === undefined) {\n return this.runtimePermissionGrants.map((grant) => grant.delegation);\n }\n\n const session = this.currentTinyCloudSession();\n if (!session \|\| !Array.isArray(permissions) \|\| permissions.length === 0) {\n return [];\n }\n const expanded = this.expandPermissionEntries(permissions);\n return this.findRuntimeGrantsForPermissionEntries(expanded, session).map(\n (grant) => grant.delegation,\n );\n }\n\n /\n Install a portable runtime permission delegation into this SDK instance so\n * matching service calls and downstream `delegateTo()` calls can use it.\n /\n async useRuntimeDelegation(delegation: PortableDelegation): Promise<void> {\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n if (delegation.expiry.getTime() <= Date.now()) {\n throw new SessionExpiredError(delegation.expiry);\n }\n\n const expectedDids = [session.verificationMethod, this.sessionDid];\n if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {\n throw new Error(\n `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`,\n );\n }\n\n const targetHost = delegation.host ?? this.config.host!;\n const activateResult = await activateSessionWithHost(\n targetHost,\n delegation.delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate runtime permission delegation: ${activateResult.error}`,\n );\n }\n\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) => grant.delegation.cid !== delegation.cid,\n );\n this.runtimePermissionGrants.push(\n this.runtimeGrantFromDelegation(delegation, session),\n );\n }\n\n /\n Store additional permissions as narrow delegations to the current session\n * key. Future service invocations automatically use a stored delegation when\n * its `(space, service, path, action)` covers the request.\n /\n async grantRuntimePermissions(\n permissions: PermissionEntry[],\n options?: RuntimePermissionGrantOptions,\n ): Promise<PortableDelegation[]> {\n if (!Array.isArray(permissions) \|\| permissions.length === 0) {\n throw new Error(\"grantRuntimePermissions requires a non-empty permissions array\");\n }\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n\n const sessionExpiry = extractSiweExpiration(session.siwe);\n if (sessionExpiry !== undefined) {\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (sessionExpiry.getTime() <= Date.now() + marginMs) {\n throw new SessionExpiredError(sessionExpiry);\n }\n }\n\n const expanded = this.expandPermissionEntries(permissions);\n if (this.sessionCoversPermissionEntries(session, expanded)) {\n return [];\n }\n\n const existingGrants = this.findRuntimeGrantsForPermissionEntries(expanded, session);\n if (existingGrants.length > 0) {\n return existingGrants.map((grant) => grant.delegation);\n }\n if (!this.signer) {\n throw new Error(\n \"grantRuntimePermissions requires wallet mode with a signer or privateKey.\",\n );\n }\n\n const rawEntries = expanded.filter((entry) =>\n this.isEncryptionPermissionEntry(entry)\n );\n const spaceEntries = expanded.filter((entry) =>\n !this.isEncryptionPermissionEntry(entry)\n );\n\n const bySpace = new Map<string, PermissionEntry[]>();\n for (const entry of spaceEntries) {\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n const current = bySpace.get(spaceId) ?? [];\n current.push(entry);\n bySpace.set(spaceId, current);\n }\n if (bySpace.size === 0 && rawEntries.length > 0) {\n bySpace.set(session.spaceId, []);\n }\n\n const now = new Date();\n const requestedExpiryMs = resolveExpiryMs(options?.expiry);\n let expiresAt = new Date(now.getTime() + requestedExpiryMs);\n if (sessionExpiry !== undefined && sessionExpiry < expiresAt) {\n expiresAt = sessionExpiry;\n }\n\n const delegations: PortableDelegation[] = [];\n let rawEntriesAttached = false;\n for (const [spaceId, entries] of bySpace) {\n const rawForDelegation = !rawEntriesAttached ? rawEntries : [];\n if (rawForDelegation.length > 0) {\n rawEntriesAttached = true;\n }\n const delegatedEntries = [...entries, ...rawForDelegation];\n const abilities = this.permissionsToAbilities(entries);\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n ...(rawForDelegation.length > 0\n ? { rawAbilities: this.permissionsToRawAbilities(rawForDelegation) }\n : {}),\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expiresAt.toISOString(),\n spaceId,\n jwk: session.jwk,\n });\n\n const signature = await this.signer.signMessage(prepared.siwe);\n const delegatedSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegatedSession.delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate runtime permission delegation: ${activateResult.error}`,\n );\n }\n\n const delegation = this.runtimeDelegationFromSession(\n delegatedSession,\n delegatedEntries,\n spaceId,\n session,\n expiresAt,\n );\n this.runtimePermissionGrants.push({\n session: {\n delegationHeader: delegatedSession.delegationHeader,\n delegationCid: delegatedSession.delegationCid,\n spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation,\n operations: this.permissionOperations(delegatedEntries, spaceId),\n expiresAt,\n });\n delegations.push(delegation);\n }\n\n return delegations;\n }\n\n /\n Get the DelegationManager for delegation CRUD operations.\n \n This is the v2 delegation service providing a cleaner API than\n * the legacy createDelegation/useDelegation methods.\n \n @example\n * ```typescript\n * const delegations = alice.delegationManager;\n \n // Create a delegation\n * const result = await delegations.create({\n * delegateDID: bob.did,\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours\n * });\n \n // List delegations\n * const listResult = await delegations.list();\n \n // Revoke a delegation\n * await delegations.revoke(delegationCid);\n * ```\n /\n get delegationManager(): DelegationManager {\n if (!this._delegationManager) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._delegationManager;\n }\n\n /\n Get the SpaceService for managing spaces.\n \n The SpaceService provides access to owned and delegated spaces,\n * including space creation, listing, and scoped operations.\n \n @example\n * ```typescript\n * const spaces = alice.spaces;\n \n // List all accessible spaces\n * const result = await spaces.list();\n \n // Create a new space\n * const createResult = await spaces.create('photos');\n \n // Get a space object for operations\n * const mySpace = spaces.get('default');\n * await mySpace.kv.put('key', 'value');\n \n // Check if a space exists\n * const exists = await spaces.exists('photos');\n * ```\n /\n get spaces(): ISpaceService {\n if (!this._spaceService) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this._spaceService;\n }\n\n /\n Alias for `spaces` - get the SpaceService.\n * @see spaces\n /\n get spaceService(): ISpaceService {\n return this.spaces;\n }\n\n /\n Get a Space object by short name or full URI.\n /\n space(nameOrUri: string): ISpace {\n return this.spaces.get(nameOrUri);\n }\n\n /\n Get the SharingService for creating and receiving v2 sharing links.\n \n The SharingService creates sharing links with embedded private keys,\n * allowing recipients to exercise delegations without prior session setup.\n \n @example\n * ```typescript\n * const sharing = alice.sharing;\n \n // Generate a sharing link\n * const result = await sharing.generate({\n * path: \"/kv/documents/report.pdf\",\n * actions: [\"tinycloud.kv/get\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000),\n * });\n \n if (result.ok) {\n * console.log(\"Share URL:\", result.data.url);\n * // Send the URL to the recipient\n * }\n \n // Receive a sharing link\n * const receiveResult = await sharing.receive(shareUrl);\n * if (receiveResult.ok) {\n * // Use the pre-configured KV service\n * const data = await receiveResult.data.kv.get(\"report.pdf\");\n * }\n * ```\n /\n get sharing(): ISharingService {\n // SharingService is initialized in constructor for receive-only access\n // Full capabilities (generate) are added after signIn()\n return this._sharingService;\n }\n\n /\n Alias for `sharing` - get the SharingService.\n * @see sharing\n /\n get sharingService(): ISharingService {\n return this.sharing;\n }\n\n // ===========================================================================\n // Public Space Methods\n // ===========================================================================\n\n /\n Ensure the user's public space exists and is accessible.\n * Creates the space and activates a session delegation for it.\n * This is the trigger for lazy public space creation — call it\n * before writing to spaces.get('public').kv.\n /\n async ensurePublicSpace() {\n if (!this.auth \|\| !this.session \|\| !this.signer) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n const publicSpaceId = this.session.spaces?.public;\n if (!publicSpaceId) {\n throw new Error(\"Public space not enabled. Set enablePublicSpace: true in config.\");\n }\n\n // Create the public space on the server (host SIWE)\n await (this.auth as NodeUserAuthorization).hostPublicSpace(publicSpaceId);\n\n // Create a session delegation for the public space using the session key JWK.\n // This mirrors the primary session flow (prepareSession with jwk), ensuring\n // the delegation targets the session key — not the PKH DID — so that\n // invoke() requests signed by the session key are properly authorized.\n const kvActions = [\n \"tinycloud.kv/put\",\n \"tinycloud.kv/get\",\n \"tinycloud.kv/del\",\n \"tinycloud.kv/list\",\n \"tinycloud.kv/metadata\",\n ];\n const abilities = { kv: { \"\": kvActions } };\n const now = new Date();\n // EPHEMERAL tier — this sub-delegation is auto-derived from the\n // session and re-issued whenever the SDK touches the public space,\n // so a short lifetime bounds replay without forcing user re-prompts.\n const expiryMs = EXPIRY.EPHEMERAL_MS;\n const expirationTime = new Date(now.getTime() + expiryMs);\n\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(this.session.address),\n chainId: this.session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: publicSpaceId,\n jwk: this.session.jwk,\n parents: [this.session.delegationCid],\n });\n\n const signature = await this.signer.signMessage(prepared.siwe);\n\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate public space delegation: ${activateResult.error}`);\n }\n\n // Register the delegation in the capability registry so\n // spaces.get('public').kv operations are authorized\n if (this._capabilityRegistry && this.session) {\n const sessionKey: KeyInfo = {\n id: this.session.sessionKey,\n did: this.session.verificationMethod,\n type: \"session\",\n jwk: this.session.jwk as JWK,\n priority: 0,\n };\n this._capabilityRegistry.registerKey(sessionKey, [{\n cid: delegationSession.delegationCid,\n delegateDID: this.session.verificationMethod,\n spaceId: publicSpaceId,\n path: \"\",\n actions: kvActions,\n expiry: expirationTime,\n isRevoked: false,\n allowSubDelegation: true,\n }]);\n }\n\n // Cache a properly authorized public KV service using the new delegation\n if (this._serviceContext) {\n const publicKV = new KVService({ prefix: \"\" });\n const publicContext = new ServiceContext({\n invoke: this.invokeWithRuntimePermissions,\n fetch: this._serviceContext.fetch,\n hosts: this._serviceContext.hosts,\n });\n publicContext.setSession({\n delegationHeader: delegationSession.delegationHeader,\n delegationCid: delegationSession.delegationCid,\n spaceId: publicSpaceId,\n verificationMethod: this.session.verificationMethod,\n jwk: this.session.jwk,\n });\n publicKV.initialize(publicContext);\n this._publicKV = publicKV;\n }\n }\n\n /\n Get a KVService scoped to the user's own public space.\n * Writes require authentication (owner/delegate).\n /\n get publicKV(): IKVService {\n if (this._publicKV) {\n return this._publicKV;\n }\n if (!this.tc) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n return this.tc.publicKV;\n }\n\n // ===========================================================================\n // v2 Delegation Convenience Methods\n // ===========================================================================\n\n /\n Create a delegation using the v2 DelegationManager.\n \n This is a convenience method that wraps DelegationManager.create().\n * For more control, use `this.delegationManager` directly.\n \n @param params - Delegation parameters\n * @returns Result containing the created Delegation\n \n @example\n * ```typescript\n * const result = await alice.delegate({\n * delegateDID: bob.did,\n * path: \"shared/\",\n * actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\"],\n * expiry: new Date(Date.now() + 24 * 60 * 60 * 1000),\n * });\n \n if (result.ok) {\n * console.log(\"Delegation created:\", result.data.cid);\n * }\n * ```\n /\n async delegate(params: CreateDelegationParams): Promise<DelegationResult<Delegation>> {\n return this.delegationManager.create(params);\n }\n\n /\n Revoke a delegation using the v2 DelegationManager.\n \n @param cid - The CID of the delegation to revoke\n * @returns Result indicating success or failure\n /\n async revokeDelegation(cid: string): Promise<DelegationResult<void>> {\n return this.delegationManager.revoke(cid);\n }\n\n /\n List all delegations for the current session's space.\n \n @returns Result containing an array of Delegations\n /\n async listDelegations(): Promise<DelegationResult<Delegation[]>> {\n return this.delegationManager.list();\n }\n\n /\n Check if the current session has permission for a path and action.\n \n @param path - The resource path to check\n * @param action - The action to check (e.g., \"tinycloud.kv/get\")\n * @returns Result containing boolean permission status\n /\n async checkPermission(path: string, action: string): Promise<DelegationResult<boolean>> {\n return this.delegationManager.checkPermission(path, action);\n }\n\n // ===========================================================================\n // Capability-chain delegation (spec: .claude/specs/capability-chain.md)\n // ===========================================================================\n\n /\n Safety margin before the session's own expiry at which {@link delegateTo}\n * will refuse to issue a derived delegation. Prevents issuing sub-delegations\n * that would be invalid by the time the recipient used them. Spec: 60 seconds.\n \n @internal\n /\n private static readonly SESSION_EXPIRY_SAFETY_MARGIN_MS = 60_000;\n\n /\n Issue a delegation using the capability-chain flow.\n \n When every requested permission is a subset of the current\n * session's recap, or of one installed runtime permission delegation,\n * the delegation is signed by the session key via WASM — no wallet\n * prompt. When at least one is NOT derivable, a\n * {@link PermissionNotInManifestError} is raised (carrying the\n * missing entries) so the caller can trigger an escalation flow\n * (e.g. `TinyCloudWeb.requestPermissions`). Passing\n * `forceWalletSign: true` bypasses the derivability check and\n * always uses the wallet-signed SIWE path — used by the legacy\n * `createDelegation` fallback and by callers that want explicit\n * wallet confirmation.\n \n Multi-entry delegations are now emitted as one signed UCAN:\n * the underlying WASM `createDelegation` takes a full\n * `HashMap<Service, HashMap<Path, Vec<Ability>>>` abilities map\n * and produces a single attenuation carrying every\n * `(service, path, actions)` entry. The returned\n * {@link DelegateToResult.delegation} is that single blob, and\n * apps can POST it to their backend exactly like a single-entry\n * delegation (the server verifies all granted resources from one\n * UCAN).\n \n For single-entry requests the `PortableDelegation.path` and\n * `.actions` fields mirror the one granted entry. For\n * multi-entry requests they mirror the first entry (stable\n * lexicographic order from the Rust side); consumers that need\n * the full picture read `PortableDelegation.resources`.\n \n @throws {@link SessionExpiredError} when there is no session or\n * the current session has expired (or will within the 60s\n * safety margin).\n * @throws {@link PermissionNotInManifestError} when any requested\n * entry is not a subset of the granted session capabilities and\n * `forceWalletSign` is not set.\n /\n async delegateTo(\n did: string,\n permissions: PermissionEntry[],\n options?: DelegateToOptions,\n ): Promise<DelegateToResult> {\n // 1. Session validity check — fail fast with a clear error class so\n // callers can catch and trigger a fresh sign-in.\n const session = this.currentTinyCloudSession();\n if (!session) {\n throw new SessionExpiredError(new Date(0));\n }\n const sessionExpiry = extractSiweExpiration(session.siwe);\n if (sessionExpiry !== undefined) {\n const now = Date.now();\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (sessionExpiry.getTime() <= now + marginMs) {\n throw new SessionExpiredError(sessionExpiry);\n }\n }\n\n // 2. Input validation. Empty arrays and non-arrays both fail here so\n // downstream code can safely assume at least one entry.\n if (!Array.isArray(permissions) \|\| permissions.length === 0) {\n throw new Error(\n \"delegateTo requires a non-empty permissions array\",\n );\n }\n\n // 3. Defensively expand any short-form action names into full URNs\n // for every entry so the subset check and downstream WASM call\n // both see canonical form. This also deep-copies the entries so\n // we don't mutate caller-owned data.\n const expandedEntries = this.expandPermissionEntries(permissions);\n\n // 4. Compute expiration. `options.expiry` overrides the default 1h.\n // ms-format (\"7d\") or raw millisecond count both accepted. Cap\n // at the session's own expiry so we never emit a UCAN whose\n // validity exceeds the parent chain.\n const now = new Date();\n const expiryMs = resolveExpiryMs(options?.expiry);\n const expirationTime = new Date(now.getTime() + expiryMs);\n let effectiveExpiration = expirationTime;\n if (sessionExpiry !== undefined && sessionExpiry < expirationTime) {\n effectiveExpiration = sessionExpiry;\n }\n\n // 5. forceWalletSign short-circuit → always legacy path. The\n // legacy wallet path currently handles one `(space, path)` at\n // a time, so we only support single-entry when forced. Callers\n // that need multi-entry wallet-signed delegations should issue\n // them via the legacy `createDelegation` which loops internally\n // (or just not pass `forceWalletSign: true`).\n if (options?.forceWalletSign) {\n if (expandedEntries.length > 1) {\n throw new Error(\n \"delegateTo with forceWalletSign=true supports at most one \" +\n \"PermissionEntry. Multi-entry requests must go through the \" +\n \"session-key UCAN path (drop forceWalletSign) or the legacy \" +\n \"createDelegation method.\",\n );\n }\n const delegation = await this.createDelegationLegacyWalletPath(\n did,\n expandedEntries[0],\n effectiveExpiration,\n );\n return { delegation, prompted: true };\n }\n\n // 6. Derivability check across ALL entries. If any entry is not a\n // subset of the granted session capabilities, the whole call\n // fails with a typed error carrying the missing entries — we do\n // NOT partially issue and drop the failing ones, because that\n // would produce a delegation the caller didn't ask for.\n //\n // `parseRecapCapabilities` is a thin wrapper around the\n // injected WASM binding; the binding is required because\n // `IWasmBindings` declares `parseRecapFromSiwe` as mandatory.\n // If the runtime binding hasn't been updated, this call will\n // surface a clear TypeError rather than silently falling\n // through.\n const granted = parseRecapCapabilities(\n (siwe: string) => this.wasmBindings.parseRecapFromSiwe(siwe),\n session.siwe,\n );\n const { subset, missing } = isCapabilitySubset(expandedEntries, granted);\n\n if (!subset) {\n const runtimeGrant = this.findGrantForOperations(\n this.permissionEntriesToOperations(expandedEntries, session),\n );\n if (runtimeGrant) {\n const marginMs = TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;\n if (runtimeGrant.expiresAt.getTime() <= Date.now() + marginMs) {\n throw new SessionExpiredError(runtimeGrant.expiresAt);\n }\n const runtimeExpiration =\n runtimeGrant.expiresAt < effectiveExpiration\n ? runtimeGrant.expiresAt\n : effectiveExpiration;\n const delegation = await this.createDelegationViaRuntimeGrant(\n did,\n expandedEntries,\n runtimeExpiration,\n runtimeGrant,\n );\n return { delegation, prompted: false };\n }\n throw new PermissionNotInManifestError(missing, granted);\n }\n\n // 7. Subset path — sign ONE sub-delegation with the session key\n // via WASM that carries every requested entry. No wallet\n // prompt. `createDelegationViaWasmPath` builds the\n // multi-resource abilities map and returns a single\n // PortableDelegation whose `.resources` field lists every\n // granted entry.\n const delegation = await this.createDelegationViaWasmPath(\n did,\n expandedEntries,\n effectiveExpiration,\n session,\n );\n return { delegation, prompted: false };\n }\n\n /\n Materialize one manifest-declared delegation using the current session key.\n * Delivery is intentionally out of band; callers decide how to transmit the\n * returned UCAN to the delegate.\n /\n async materializeDelegation(\n did: string,\n request: ComposedManifestRequest \| undefined = this.capabilityRequest,\n ): Promise<DelegateToResult & { target: ResolvedDelegate }> {\n if (!request) {\n throw new Error(\n \"materializeDelegation requires a composed manifest request\",\n );\n }\n const target = request.delegationTargets.find((entry) =>\n didPrincipalMatches(entry.did, did),\n );\n if (!target) {\n throw new Error(`No manifest delegation target found for DID ${did}`);\n }\n const result = await this.delegateTo(target.did, target.permissions, {\n expiry: target.expiryMs,\n });\n return { ...result, target };\n }\n\n /\n Materialize every delegation target declared by the composed manifest\n * request. This does not deliver the delegations anywhere.\n /\n async materializeDelegations(\n request: ComposedManifestRequest \| undefined = this.capabilityRequest,\n ): Promise<Array<DelegateToResult & { target: ResolvedDelegate }>> {\n if (!request) {\n throw new Error(\n \"materializeDelegations requires a composed manifest request\",\n );\n }\n const out: Array<DelegateToResult & { target: ResolvedDelegate }> = [];\n for (const target of request.delegationTargets) {\n out.push(await this.materializeDelegation(target.did, request));\n }\n return out;\n }\n\n /\n Issue a delegation via the session-key UCAN WASM path.\n \n The caller has already verified every entry is derivable from\n * the current session; we build one multi-resource abilities map\n * and emit one signed UCAN covering them all.\n \n Non-encryption entries must share the same target space. Encryption\n * entries are raw network URNs and do not participate in space grouping.\n \n @internal\n /\n private async createDelegationViaWasmPath(\n did: string,\n entries: PermissionEntry[],\n expirationTime: Date,\n session: TinyCloudSession,\n ): Promise<PortableDelegation> {\n if (entries.length === 0) {\n throw new Error(\n \"createDelegationViaWasmPath requires a non-empty entries array\",\n );\n }\n\n // Translate non-raw manifest `space` fields into the server-side\n // spaceId. Encryption entries target raw network URNs, not spaces.\n const resolvedSpaces = new Set<string>();\n for (const entry of entries) {\n if (this.isEncryptionPermissionEntry(entry)) {\n continue;\n }\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n resolvedSpaces.add(spaceId);\n }\n if (resolvedSpaces.size > 1) {\n throw new Error(\n `delegateTo: all permission entries must target the same space, got ${resolvedSpaces.size}: ${JSON.stringify([...resolvedSpaces])}`,\n );\n }\n const spaceId = resolvedSpaces.size === 1\n ? [...resolvedSpaces][0]\n : session.spaceId;\n\n // Convert entries to the WASM abilities shape. Each entry's\n // `service` is the long form (e.g. \"tinycloud.kv\") which we\n // translate to the short form keyed by the abilities map. Raw\n // encryption network entries stay in this map because the Rust\n // create_delegation boundary special-cases network URNs into raw\n // resources while preserving the legacy spaceId parameter.\n // Multiple entries on the same (service, path) merge and dedupe\n // their action lists — unusual in practice (the subset check\n // should have pruned dupes already) but cheap and safe.\n const abilities: AbilitiesMap = {};\n for (const entry of entries) {\n const shortService = SERVICE_LONG_TO_SHORT[entry.service];\n if (shortService === undefined) {\n throw new Error(\n `delegateTo: unknown service '${entry.service}' — no short-form mapping`,\n );\n }\n if (abilities[shortService] === undefined) {\n abilities[shortService] = {};\n }\n const pathsMap = abilities[shortService];\n const existing = pathsMap[entry.path];\n if (existing === undefined) {\n pathsMap[entry.path] = [...entry.actions];\n } else {\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n }\n }\n\n // Build ServiceSession from TinyCloudSession. This mirrors how\n // SharingService hands sessions to createDelegationWrapper.\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n jwk: session.jwk,\n spaceId,\n verificationMethod: session.verificationMethod,\n };\n\n const expirationSecs = Math.floor(expirationTime.getTime() / 1000);\n const result = this.createDelegationWrapper({\n session: serviceSession,\n delegateDID: did,\n spaceId,\n abilities,\n expirationSecs,\n });\n\n // Translate the WASM result into a PortableDelegation. We don't\n // have a structured delegation header from the WASM path, so we\n // synthesize one from the serialized delegation (the recipient\n // decodes it via `deserializeDelegation`).\n //\n // The flat `.path` and `.actions` fields mirror the first\n // resource — stable because the Rust side sorts by\n // (service, path) before signing. Consumers that need the full\n // multi-resource picture read `.resources`.\n const primary = result.resources[0];\n // Use the raw JWT without a \"Bearer \" prefix. The host's HeaderEncode\n // decoder passes the header value directly to Ucan::decode(), which\n // expects a bare JWT string. The wallet-signed CACAO path also uses\n // raw base64 without any prefix. Adding \"Bearer \" causes a parse\n // failure that surfaces as a 401 from the host.\n const delegationHeader = { Authorization: result.delegation };\n\n // Activate the delegation with the host so downstream consumers (e.g.\n // a backend calling useDelegation) can find it by CID when building\n // their invoker SIWE. The host validates the UCAN's parent chain\n // (session key → wallet SIWE) to confirm authority.\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate delegation with host: ${activateResult.error}`,\n );\n }\n\n return {\n cid: result.cid,\n delegationHeader,\n spaceId,\n path: primary.path,\n actions: primary.actions,\n resources: result.resources,\n disableSubDelegation: false,\n expiry: result.expiry,\n delegateDID: did,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n\n private async createDelegationViaRuntimeGrant(\n did: string,\n entries: PermissionEntry[],\n expirationTime: Date,\n grant: RuntimePermissionGrant,\n ): Promise<PortableDelegation> {\n const result = this.createDelegationWrapper({\n session: grant.session,\n delegateDID: did,\n spaceId: grant.session.spaceId,\n abilities: this.permissionsToAbilities(entries),\n expirationSecs: Math.floor(expirationTime.getTime() / 1000),\n });\n\n const primary = result.resources[0];\n const delegationHeader = { Authorization: result.delegation };\n const targetHost = grant.delegation.host ?? this.config.host!;\n const activateResult = await activateSessionWithHost(\n targetHost,\n delegationHeader,\n );\n if (!activateResult.success) {\n throw new Error(\n `Failed to activate delegation with host: ${activateResult.error}`,\n );\n }\n\n return {\n cid: result.cid,\n delegationHeader,\n spaceId: grant.session.spaceId,\n path: primary.path,\n actions: primary.actions,\n resources: result.resources,\n disableSubDelegation: false,\n expiry: result.expiry,\n delegateDID: did,\n ownerAddress: grant.delegation.ownerAddress,\n chainId: grant.delegation.chainId,\n host: targetHost,\n };\n }\n\n private resolvePermissionSpace(\n space: string \| undefined,\n session: TinyCloudSession,\n ): string {\n if (space === undefined) {\n return this.wasmBindings.makeSpaceId(\n session.address,\n session.chainId,\n \"applications\",\n );\n }\n if (space === \"default\") {\n return session.spaceId;\n }\n if (space.startsWith(\"tinycloud:\")) {\n return space;\n }\n return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);\n }\n\n private expandPermissionEntries(\n permissions: PermissionEntry[],\n ): PermissionEntry[] {\n return expandPermissionEntriesCore(permissions);\n }\n\n private shortServiceName(service: string): string {\n const short = SERVICE_LONG_TO_SHORT[service];\n if (short === undefined) {\n throw new Error(\n `unknown service '${service}' — no short-form mapping`,\n );\n }\n return short;\n }\n\n private permissionsToAbilities(entries: PermissionEntry[]): AbilitiesMap {\n const abilities: AbilitiesMap = {};\n for (const entry of entries) {\n const service = this.shortServiceName(entry.service);\n abilities[service] ??= {};\n const existing = abilities[service][entry.path] ?? [];\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n abilities[service][entry.path] = existing;\n }\n return abilities;\n }\n\n private isEncryptionPermissionEntry(entry: PermissionEntry): boolean {\n return entry.service === ENCRYPTION_PERMISSION_SERVICE &&\n entry.path.startsWith(\"urn:tinycloud:encryption:\");\n }\n\n private permissionsToRawAbilities(\n entries: PermissionEntry[],\n ): Record<string, string[]> {\n const rawAbilities: Record<string, string[]> = {};\n for (const entry of entries) {\n if (!this.isEncryptionPermissionEntry(entry)) {\n continue;\n }\n const existing = rawAbilities[entry.path] ?? [];\n const seen = new Set(existing);\n for (const action of entry.actions) {\n if (!seen.has(action)) {\n existing.push(action);\n seen.add(action);\n }\n }\n rawAbilities[entry.path] = existing;\n }\n return rawAbilities;\n }\n\n private permissionOperations(\n entries: PermissionEntry[],\n spaceId: string,\n ): RuntimePermissionOperation[] {\n return entries.flatMap((entry) => {\n const service = this.shortServiceName(entry.service);\n return entry.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, entry.path)\n ? { resource: entry.path }\n : { spaceId }),\n service,\n path: entry.path,\n action,\n }));\n });\n }\n\n private sessionCoversPermissionEntries(\n session: TinyCloudSession,\n entries: PermissionEntry[],\n ): boolean {\n try {\n const granted = parseRecapCapabilities(\n (siwe: string) => this.wasmBindings.parseRecapFromSiwe(siwe),\n session.siwe,\n );\n return isCapabilitySubset(entries, granted).subset;\n } catch {\n return false;\n }\n }\n\n private permissionEntriesToOperations(\n entries: PermissionEntry[],\n session: TinyCloudSession,\n ): RuntimePermissionOperation[] {\n return entries.flatMap((entry) => {\n const spaceId = this.resolvePermissionSpace(entry.space, session);\n const service = this.shortServiceName(entry.service);\n return entry.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, entry.path)\n ? { resource: entry.path }\n : { spaceId }),\n service,\n path: entry.path,\n action,\n }));\n });\n }\n\n private findRuntimeGrantsForPermissionEntries(\n entries: PermissionEntry[],\n session: TinyCloudSession,\n ): RuntimePermissionGrant[] {\n const grants: RuntimePermissionGrant[] = [];\n const operations = this.permissionEntriesToOperations(entries, session);\n if (operations.length === 0) {\n return grants;\n }\n\n for (const operation of operations) {\n const grant = this.findGrantForOperation(operation);\n if (!grant) {\n return [];\n }\n if (!grants.includes(grant)) {\n grants.push(grant);\n }\n }\n return grants;\n }\n\n private runtimeDelegationFromSession(\n delegatedSession: {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n },\n entries: PermissionEntry[],\n spaceId: string,\n session: TinyCloudSession,\n expiresAt: Date,\n ): PortableDelegation {\n const resources = this.delegatedResourcesForEntries(entries, spaceId);\n const primary = resources[0];\n return {\n cid: delegatedSession.delegationCid,\n delegationHeader: delegatedSession.delegationHeader,\n spaceId,\n path: primary.path,\n actions: primary.actions,\n resources,\n disableSubDelegation: false,\n expiry: expiresAt,\n delegateDID: session.verificationMethod,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n\n private runtimeGrantFromDelegation(\n delegation: PortableDelegation,\n session: TinyCloudSession,\n ): RuntimePermissionGrant {\n const operations = this.operationsFromDelegation(delegation);\n return {\n session: {\n delegationHeader: delegation.delegationHeader,\n delegationCid: delegation.cid,\n spaceId: delegation.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation,\n operations,\n expiresAt: delegation.expiry,\n };\n }\n\n private installRuntimeGrantFromServiceSession(\n delegation: PortableDelegation,\n session: ServiceSession,\n expiresAt: Date,\n ): void {\n const operations = this.operationsFromDelegation(delegation);\n if (operations.length === 0) {\n return;\n }\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) =>\n grant.delegation.cid !== delegation.cid &&\n grant.session.delegationCid !== session.delegationCid,\n );\n this.runtimePermissionGrants.push({\n session,\n delegation,\n operations,\n expiresAt,\n });\n }\n\n private delegatedResourcesForEntries(\n entries: PermissionEntry[],\n spaceId: string,\n ): DelegatedResource[] {\n return entries.map((entry) => ({\n service: this.shortServiceName(entry.service),\n space: this.isEncryptionPermissionEntry(entry) ? \"encryption\" : spaceId,\n path: entry.path,\n actions: [...entry.actions],\n }));\n }\n\n private operationsFromDelegation(\n delegation: PortableDelegation,\n ): RuntimePermissionOperation[] {\n const resources =\n delegation.resources !== undefined && delegation.resources.length > 0\n ? delegation.resources\n : this.flatDelegationResources(delegation);\n\n return resources.flatMap((resource) => {\n const service = this.invocationServiceName(resource.service);\n return resource.actions.map((action) => ({\n ...(this.isEncryptionNetworkOperation(service, resource.path)\n ? { resource: resource.path }\n : { spaceId: resource.space }),\n service,\n path: resource.path,\n action,\n }));\n });\n }\n\n private flatDelegationResources(\n delegation: PortableDelegation,\n ): DelegatedResource[] {\n const byService = new Map<string, string[]>();\n for (const action of delegation.actions) {\n const service = this.shortServiceName(action.split(\"/\")[0]);\n const actions = byService.get(service) ?? [];\n actions.push(action);\n byService.set(service, actions);\n }\n return [...byService.entries()].map(([service, actions]) => ({\n service,\n space: delegation.spaceId,\n path: delegation.path,\n actions,\n }));\n }\n\n private selectInvocationSession(\n fallback: ServiceSession,\n service: string,\n path: string,\n action: string,\n ): ServiceSession {\n const grant = this.findGrantForOperation({\n spaceId: fallback.spaceId,\n service: this.invocationServiceName(service),\n path,\n action,\n });\n return grant?.session ?? fallback;\n }\n\n private findGrantForOperations(\n operations: RuntimePermissionOperation[],\n ): RuntimePermissionGrant \| undefined {\n if (operations.length === 0) {\n return undefined;\n }\n this.pruneExpiredRuntimePermissionGrants();\n return this.runtimePermissionGrants.find((grant) => {\n return operations.every((operation) =>\n grant.operations.some((granted) =>\n this.operationCovers(granted, operation),\n ),\n );\n });\n }\n\n private findGrantForOperation(\n operation: RuntimePermissionOperation,\n ): RuntimePermissionGrant \| undefined {\n return this.findGrantForOperations([operation]);\n }\n\n private pruneExpiredRuntimePermissionGrants(): void {\n const now = Date.now();\n this.runtimePermissionGrants = this.runtimePermissionGrants.filter(\n (grant) => grant.expiresAt.getTime() > now,\n );\n }\n\n private operationCovers(\n granted: RuntimePermissionOperation,\n requested: RuntimePermissionOperation,\n ): boolean {\n if (granted.service !== requested.service \|\|\n !this.actionContains(granted.action, requested.action)\n ) {\n return false;\n }\n\n if (granted.resource !== undefined \|\| requested.resource !== undefined) {\n return granted.resource !== undefined &&\n requested.resource !== undefined &&\n granted.resource === requested.resource &&\n this.pathContains(granted.path, requested.path);\n }\n\n return granted.spaceId !== undefined &&\n requested.spaceId !== undefined &&\n granted.spaceId === requested.spaceId &&\n this.pathContains(granted.path, requested.path);\n }\n\n private actionContains(grantedAction: string, requestedAction: string): boolean {\n if (grantedAction === requestedAction) {\n return true;\n }\n if (grantedAction.endsWith(\"/\")) {\n const prefix = grantedAction.slice(0, -2);\n return requestedAction.startsWith(`${prefix}/`);\n }\n return false;\n }\n\n private invocationServiceName(service: string): string {\n return service.startsWith(\"tinycloud.\")\n ? this.shortServiceName(service)\n : service;\n }\n\n private isEncryptionNetworkOperation(service: string, path: string): boolean {\n return service === \"encryption\" &&\n path.startsWith(\"urn:tinycloud:encryption:\");\n }\n\n private operationFromInvokeAnyEntry(entry: {\n spaceId?: string;\n resource?: string;\n service: string;\n path: string;\n action: string;\n }): RuntimePermissionOperation \| undefined {\n const service = this.invocationServiceName(entry.service);\n if (typeof entry.resource === \"string\") {\n return {\n resource: entry.resource,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n if (this.isEncryptionNetworkOperation(service, entry.path)) {\n return {\n resource: entry.path,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n if (typeof entry.spaceId === \"string\") {\n return {\n spaceId: entry.spaceId,\n service,\n path: entry.path,\n action: entry.action,\n };\n }\n return undefined;\n }\n\n private pathContains(grantedPath: string, requestedPath: string): boolean {\n if (grantedPath === \"\" \|\| grantedPath === \"/\") {\n return true;\n }\n if (grantedPath.endsWith(\"/*\")) {\n return requestedPath.startsWith(grantedPath.slice(0, -3));\n }\n if (grantedPath.endsWith(\"/\")) {\n const prefix = grantedPath.slice(0, -2);\n if (!requestedPath.startsWith(prefix)) {\n return false;\n }\n const remainder = requestedPath.slice(prefix.length);\n return !remainder.includes(\"/\") \|\| remainder === \"/\";\n }\n if (grantedPath.endsWith(\"/\")) {\n return requestedPath.startsWith(grantedPath);\n }\n return grantedPath === requestedPath;\n }\n\n /*\n Issue a delegation via the legacy wallet-signed SIWE path for a single\n * {@link PermissionEntry}. Shares the implementation with the public\n * `createDelegation` method via {@link createDelegationWalletPath} so\n * both entry points hit exactly the same SIWE / signer / public-space\n * logic without mutual recursion.\n \n @internal\n /\n private async createDelegationLegacyWalletPath(\n delegateDID: string,\n entry: PermissionEntry,\n expirationTime: Date,\n ): Promise<PortableDelegation> {\n const session = this.auth?.tinyCloudSession;\n const spaceIdOverride =\n session === undefined \|\| entry.space === \"default\"\n ? undefined\n : this.resolvePermissionSpace(entry.space, session);\n return this.createDelegationWalletPath({\n path: entry.path,\n actions: entry.actions,\n delegateDID,\n includePublicSpace: true,\n expiryMs: Math.max(0, expirationTime.getTime() - Date.now()),\n spaceIdOverride,\n });\n }\n\n /\n Create a delegation from this user to another user.\n \n The delegation grants the recipient access to a specific path and actions\n * within this user's space.\n \n @param params - Delegation parameters\n * @returns A portable delegation that can be sent to the recipient\n /\n async createDelegation(params: {\n /* Path within the space to delegate access to /\n path: string;\n /* Actions to allow (e.g., [\"tinycloud.kv/get\", \"tinycloud.kv/put\"]) /\n actions: string[];\n /* DID of the recipient (from their TinyCloudNode.did) /\n delegateDID: string;\n /* Whether to prevent the recipient from creating sub-delegations (default: false) /\n disableSubDelegation?: boolean;\n /* Expiration time in milliseconds from now (default: 1 hour) /\n expiryMs?: number;\n /* Override space ID (for creating delegations to non-primary spaces like public) /\n spaceIdOverride?: string;\n /* Include a companion delegation for the user's public space (default: true) /\n includePublicSpace?: boolean;\n }): Promise<PortableDelegation> {\n // Legacy compatibility shim.\n //\n // Route through delegateTo so that callers whose requested capabilities\n // are a subset of their current session get the session-key UCAN path\n // (no wallet prompt). Fall back to the legacy wallet-sign path on\n // PermissionNotInManifestError, preserving today's behaviour for\n // callers that request scope outside their session.\n //\n // SessionExpiredError propagates — an expired session can't be fixed\n // by re-signing the SIWE, the caller needs to run signIn() again.\n if (!this.signer) {\n throw new Error(\"Cannot createDelegation() in session-only mode. Requires wallet mode.\");\n }\n if (!this.auth?.tinyCloudSession) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Resolve ENS names to PKH DIDs up front so both paths see the resolved\n // DID. The wallet path mutates params further below; we do it here so\n // the fast path (delegateTo) also picks up the resolved DID.\n let resolvedDelegateDID = params.delegateDID;\n if (resolvedDelegateDID.endsWith('.eth') && this.config.ensResolver) {\n const address = await this.config.ensResolver.resolveAddress(resolvedDelegateDID);\n if (!address) throw new Error(`Could not resolve ENS name: ${resolvedDelegateDID}`);\n resolvedDelegateDID = pkhDid(address, 1);\n }\n\n // Legacy params lump multiple services' actions under one path. We\n // now emit ONE multi-resource UCAN for any number of entries via\n // the fast path, so there's no longer a \"single-entry only\" gate\n // here — the fast path handles N entries and returns a single\n // PortableDelegation whose `.resources` describes the full set.\n //\n // Fall back to the wallet path when the capabilities aren't\n // derivable from the current session (PermissionNotInManifestError)\n // so legacy callers requesting scope outside their session continue\n // to see a wallet prompt, matching today's behaviour.\n const entries = legacyParamsToPermissionEntries(\n params.actions,\n params.path,\n params.spaceIdOverride,\n );\n try {\n const result = await this.delegateTo(\n resolvedDelegateDID,\n entries,\n params.expiryMs !== undefined ? { expiry: params.expiryMs } : undefined,\n );\n return result.delegation;\n } catch (err) {\n if (err instanceof PermissionNotInManifestError) {\n // Expected — fall through to the wallet path below. Legacy\n // callers that request scope outside their current session\n // continue to see a wallet prompt, matching today's behaviour.\n } else {\n // SessionExpiredError and any other error class must propagate.\n // An expired session can't be rescued by re-signing the SIWE\n // here — the caller needs to run signIn() again.\n throw err;\n }\n }\n\n // Legacy wallet-signed SIWE path — same implementation as before the\n // delegateTo refactor. Callers that request scope outside their\n // current session land here and see the familiar wallet prompt.\n return this.createDelegationWalletPath({\n ...params,\n delegateDID: resolvedDelegateDID,\n });\n }\n\n /\n Legacy wallet-signed SIWE delegation path. Lifted from the original\n * `createDelegation` body verbatim so both the legacy public method and\n * `delegateTo({ forceWalletSign: true })` hit the same code.\n \n @internal\n /\n private async createDelegationWalletPath(params: {\n path: string;\n actions: string[];\n delegateDID: string;\n disableSubDelegation?: boolean;\n expiryMs?: number;\n spaceIdOverride?: string;\n includePublicSpace?: boolean;\n }): Promise<PortableDelegation> {\n if (!this.signer) {\n throw new Error(\"Cannot createDelegation() in session-only mode. Requires wallet mode.\");\n }\n const session = this.auth?.tinyCloudSession;\n if (!session) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Build abilities for the delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = params.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = params.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = params.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n if (kvActions.length > 0) {\n abilities.kv = { [params.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [params.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [params.path]: duckdbActions };\n }\n\n const now = new Date();\n const expiryMs = params.expiryMs ?? 60 60 * 1000; // Default 1 hour\n const expirationTime = new Date(now.getTime() + expiryMs);\n\n // Prepare the delegation session with:\n // - delegateUri: target the recipient's DID directly (for user-to-user delegation)\n // - parents: reference our session CID for chain validation\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: params.spaceIdOverride ?? session.spaceId,\n delegateUri: params.delegateDID,\n parents: [session.delegationCid],\n });\n\n // Sign the SIWE message with this user's signer\n const signature = await this.signer.signMessage(prepared.siwe);\n\n // Complete the session setup\n const delegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the delegation with the server\n const activateResult = await activateSessionWithHost(\n this.config.host!,\n delegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate delegation: ${activateResult.error}`);\n }\n\n const result: PortableDelegation = {\n cid: delegationSession.delegationCid,\n delegationHeader: delegationSession.delegationHeader,\n spaceId: params.spaceIdOverride ?? session.spaceId,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: expirationTime,\n delegateDID: params.delegateDID,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n\n // Auto-create public-space delegation for vault key publishing\n const hasKvActions = params.actions.some(a => a.startsWith(\"tinycloud.kv/\"));\n if (hasKvActions && params.includePublicSpace !== false) {\n const publicSpaceId = makePublicSpaceId(\n this.wasmBindings.ensureEip55(session.address), session.chainId\n );\n const publicAbilities: Record<string, Record<string, string[]>> = {\n kv: { \"\": [\"tinycloud.kv/get\", \"tinycloud.kv/put\", \"tinycloud.kv/metadata\"] },\n };\n const publicPrepared = this.wasmBindings.prepareSession({\n abilities: publicAbilities,\n address: this.wasmBindings.ensureEip55(session.address),\n chainId: session.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: publicSpaceId,\n delegateUri: params.delegateDID,\n parents: [session.delegationCid],\n });\n const publicSignature = await this.signer.signMessage(publicPrepared.siwe);\n const publicSession = this.wasmBindings.completeSessionSetup({\n ...publicPrepared,\n signature: publicSignature,\n });\n\n const publicActivateResult = await activateSessionWithHost(\n this.config.host!,\n publicSession.delegationHeader\n );\n\n if (publicActivateResult.success) {\n result.publicDelegation = {\n cid: publicSession.delegationCid,\n delegationHeader: publicSession.delegationHeader,\n spaceId: publicSpaceId,\n path: \"\",\n actions: [\"tinycloud.kv/get\", \"tinycloud.kv/put\", \"tinycloud.kv/metadata\"],\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: expirationTime,\n delegateDID: params.delegateDID,\n ownerAddress: session.address,\n chainId: session.chainId,\n host: this.config.host,\n };\n }\n }\n\n return result;\n }\n\n /*\n Use a delegation received from another user.\n \n This creates a new session key for this user that chains from the\n * received delegation, allowing operations on the delegator's space.\n \n Works in both modes:\n * - Wallet mode: Creates a SIWE sub-delegation from PKH to session key\n * - Session-only mode: Uses the delegation directly (must target session key DID)\n \n @param delegation - The PortableDelegation to use (from createDelegation or transport)\n * @returns A DelegatedAccess instance for performing operations\n /\n async useDelegation(delegation: PortableDelegation): Promise<DelegatedAccess> {\n const delegationHeader = delegation.delegationHeader;\n\n // Use the host from the delegation if provided, otherwise fall back to config\n const targetHost = delegation.host ?? this.config.host!;\n\n // Session-only mode: use the delegation directly\n // The delegation must target this user's session key DID\n if (this.isSessionOnly) {\n // Verify the delegation targets our session key DID\n const myDid = this.did; // In session-only mode, this is the session key DID\n if (!didPrincipalMatches(delegation.delegateDID, myDid)) {\n throw new Error(\n `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. ` +\n `The delegation must target this user's DID.`\n );\n }\n\n // Create a session using the delegation directly\n // In session-only mode, we use the received delegation as-is\n const session: TinyCloudSession = {\n address: delegation.ownerAddress,\n chainId: delegation.chainId,\n sessionKey: JSON.stringify(this.sessionKeyJwk),\n spaceId: delegation.spaceId,\n delegationCid: delegation.cid,\n delegationHeader,\n verificationMethod: this.sessionDid,\n jwk: this.sessionKeyJwk as unknown as JWK,\n siwe: \"\", // Not used in session-only mode\n signature: \"\", // Not used in session-only mode\n };\n\n // Track received delegation in registry\n this.trackReceivedDelegation(delegation, this.sessionKeyJwk as unknown as JWK);\n this.installRuntimeGrantFromServiceSession(\n delegation,\n {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n delegation.expiry,\n );\n\n return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);\n }\n\n // Wallet mode: create a SIWE sub-delegation\n const mySession = this.auth?.tinyCloudSession;\n if (!mySession) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Use our existing session key - the delegation targets our DID from signIn\n // We must use the same key that the delegation was created for\n const jwk = mySession.jwk;\n\n // Build abilities from the delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = delegation.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n const encryptionActions = delegation.actions.filter(a =>\n a.startsWith(\"tinycloud.encryption/\"),\n );\n const rawAbilities: Record<string, string[]> = {};\n if (kvActions.length > 0) {\n abilities.kv = { [delegation.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [delegation.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [delegation.path]: duckdbActions };\n }\n if (\n encryptionActions.length > 0 &&\n delegation.path.startsWith(\"urn:tinycloud:encryption:\")\n ) {\n rawAbilities[delegation.path] = encryptionActions;\n }\n\n const now = new Date();\n // Use delegation expiry or 1 hour, whichever is sooner\n const maxExpiry = new Date(now.getTime() + 60 60 * 1000);\n const expirationTime = delegation.expiry < maxExpiry ? delegation.expiry : maxExpiry;\n\n // Prepare the session with:\n // - THIS user's address (we are the invoker)\n // - The delegation owner's space (where we're accessing data)\n // - Our existing session key (must match the DID the delegation targets)\n // - Parent reference to the received delegation\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(mySession.address),\n chainId: mySession.chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: expirationTime.toISOString(),\n spaceId: delegation.spaceId,\n jwk,\n parents: [delegation.cid],\n ...(Object.keys(rawAbilities).length > 0 ? { rawAbilities } : {}),\n });\n\n // Sign with THIS user's signer\n const signature = await this.signer!.signMessage(prepared.siwe);\n\n // Complete the session setup\n const invokerSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate with server\n const activateResult = await activateSessionWithHost(\n targetHost,\n invokerSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate delegated session: ${activateResult.error}`);\n }\n\n // Create TinyCloudSession for the delegated access\n const session: TinyCloudSession = {\n address: mySession.address,\n chainId: mySession.chainId,\n sessionKey: mySession.sessionKey,\n spaceId: delegation.spaceId,\n delegationCid: invokerSession.delegationCid,\n delegationHeader: invokerSession.delegationHeader,\n verificationMethod: mySession.verificationMethod,\n jwk,\n siwe: prepared.siwe,\n signature,\n };\n\n // Track received delegation in registry\n this.trackReceivedDelegation(delegation, jwk as unknown as JWK);\n this.installRuntimeGrantFromServiceSession(\n delegation,\n {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n },\n expirationTime,\n );\n\n return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);\n }\n\n /*\n Create a sub-delegation from a received delegation.\n \n This allows further delegating access that was received from another user,\n * if the original delegation allows sub-delegation.\n \n @param parentDelegation - The delegation received from another user\n * @param params - Sub-delegation parameters (must be within parent's scope)\n * @returns A portable delegation for the sub-delegate\n /\n async createSubDelegation(\n parentDelegation: PortableDelegation,\n params: {\n /* Path within the delegated path to sub-delegate /\n path: string;\n /* Actions to allow (must be subset of parent's actions) /\n actions: string[];\n /* DID of the recipient /\n delegateDID: string;\n /* Whether to prevent the recipient from creating further sub-delegations /\n disableSubDelegation?: boolean;\n /* Expiration time in milliseconds from now (must be before parent's expiry) /\n expiryMs?: number;\n }\n ): Promise<PortableDelegation> {\n if (!this.signer) {\n throw new Error(\"Cannot createSubDelegation() in session-only mode. Requires wallet mode.\");\n }\n if (!this._address) {\n throw new Error(\"Not signed in. Call signIn() first.\");\n }\n\n // Validate sub-delegation is allowed\n if (parentDelegation.disableSubDelegation) {\n throw new Error(\"Parent delegation does not allow sub-delegation\");\n }\n\n // Validate path is within parent's path\n if (!params.path.startsWith(parentDelegation.path)) {\n throw new Error(\n `Sub-delegation path \"${params.path}\" must be within parent path \"${parentDelegation.path}\"`\n );\n }\n\n // Validate actions are subset of parent's actions\n const parentActions = new Set(parentDelegation.actions);\n for (const action of params.actions) {\n if (!parentActions.has(action)) {\n throw new Error(\n `Sub-delegation action \"${action}\" is not in parent's actions: ${parentDelegation.actions.join(\", \")}`\n );\n }\n }\n\n // Calculate expiry - cap at parent's expiry\n const now = new Date();\n const expiryMs = params.expiryMs ?? 60 60 * 1000;\n const requestedExpiry = new Date(now.getTime() + expiryMs);\n // Sub-delegation cannot outlive parent, so cap at parent's expiry\n const actualExpiry =\n requestedExpiry > parentDelegation.expiry ? parentDelegation.expiry : requestedExpiry;\n\n // Build abilities for the sub-delegation\n const abilities: Record<string, Record<string, string[]>> = {};\n const kvActions = params.actions.filter(a => a.startsWith(\"tinycloud.kv/\"));\n const sqlActions = params.actions.filter(a => a.startsWith(\"tinycloud.sql/\"));\n const duckdbActions = params.actions.filter(a => a.startsWith(\"tinycloud.duckdb/\"));\n if (kvActions.length > 0) {\n abilities.kv = { [params.path]: kvActions };\n }\n if (sqlActions.length > 0) {\n abilities.sql = { [params.path]: sqlActions };\n }\n if (duckdbActions.length > 0) {\n abilities.duckdb = { [params.path]: duckdbActions };\n }\n\n // Use parent's host or fall back to config\n const targetHost = parentDelegation.host ?? this.config.host!;\n\n // Prepare the sub-delegation session\n // Uses THIS user's address (who received the delegation and is now sub-delegating)\n // Targets the recipient's PKH DID (delegateUri)\n // References the parent delegation as the chain\n const prepared = this.wasmBindings.prepareSession({\n abilities,\n address: this.wasmBindings.ensureEip55(this._address),\n chainId: this._chainId,\n domain: this.siweDomain,\n issuedAt: now.toISOString(),\n expirationTime: actualExpiry.toISOString(),\n spaceId: parentDelegation.spaceId,\n delegateUri: params.delegateDID,\n parents: [parentDelegation.cid],\n });\n\n // Sign with THIS user's signer\n const signature = await this.signer.signMessage(prepared.siwe);\n\n // Complete the session setup\n const subDelegationSession = this.wasmBindings.completeSessionSetup({\n ...prepared,\n signature,\n });\n\n // Activate the sub-delegation with the server\n const activateResult = await activateSessionWithHost(\n targetHost,\n subDelegationSession.delegationHeader\n );\n\n if (!activateResult.success) {\n throw new Error(`Failed to activate sub-delegation: ${activateResult.error}`);\n }\n\n // Return the portable sub-delegation\n return {\n cid: subDelegationSession.delegationCid,\n delegationHeader: subDelegationSession.delegationHeader,\n spaceId: parentDelegation.spaceId,\n path: params.path,\n actions: params.actions,\n disableSubDelegation: params.disableSubDelegation ?? false,\n expiry: actualExpiry,\n delegateDID: params.delegateDID,\n ownerAddress: parentDelegation.ownerAddress!,\n chainId: parentDelegation.chainId!,\n host: targetHost,\n };\n }\n}\n","import {\n TinyCloudSession,\n KVService,\n IKVService,\n HooksService,\n IHooksService,\n SQLService,\n ISQLService,\n DuckDbService,\n IDuckDbService,\n ServiceSession,\n ServiceContext,\n} from \"@tinycloud/sdk-core\";\nimport type { InvokeFunction } from \"@tinycloud/sdk-services\";\nimport { PortableDelegation } from \"./delegation\";\n\n/*\n The handles needed to rehydrate this delegation activation in a fresh\n * `TinyCloudNode` via `TinyCloudNode.restoreSession(...)` in another process\n * or after a restart.\n \n In wallet mode, `delegationHeader` and `delegationCid` are bound to the\n * session key that ran `useDelegation`. They are NOT intrinsic to the\n * portable delegation — they expire with the server-side session (typically\n * ~1h). To keep a restored node alive longer, re-run `useDelegation` with\n * the original portable delegation and call `restoreSession` again with the\n * fresh `RestorableSession`.\n /\nexport interface RestorableSession {\n delegationHeader: { Authorization: string };\n delegationCid: string;\n spaceId: string;\n jwk: object;\n verificationMethod: string;\n address: string;\n chainId: number;\n}\n\n/\n Provides access to a space via a received delegation.\n \n This is returned by TinyCloudNode.useDelegation() and provides\n * KV operations on the delegated space.\n /\nexport class DelegatedAccess {\n private session: TinyCloudSession;\n private _delegation: PortableDelegation;\n private host: string;\n private _serviceContext: ServiceContext;\n private _kv: KVService;\n private _sql: SQLService;\n private _duckdb: DuckDbService;\n private _hooks: HooksService;\n\n constructor(\n session: TinyCloudSession,\n delegation: PortableDelegation,\n host: string,\n invoke: InvokeFunction,\n ) {\n this.session = session;\n this._delegation = delegation;\n this.host = host;\n\n // Create service context\n this._serviceContext = new ServiceContext({\n invoke,\n fetch: globalThis.fetch.bind(globalThis),\n hosts: [host],\n });\n\n // Create and initialize KV service with path prefix from delegation\n // Strip trailing slash to avoid double-slash in paths\n const prefix = this._delegation.path.replace(/\\/$/, '');\n this._kv = new KVService({ prefix });\n this._kv.initialize(this._serviceContext);\n this._serviceContext.registerService('kv', this._kv);\n\n // Create and initialize SQL service with same delegation context\n this._sql = new SQLService({});\n this._sql.initialize(this._serviceContext);\n this._serviceContext.registerService('sql', this._sql);\n\n // Create and initialize DuckDB service with same delegation context\n this._duckdb = new DuckDbService({});\n this._duckdb.initialize(this._serviceContext);\n this._serviceContext.registerService('duckdb', this._duckdb);\n\n // Create and initialize Hooks service with same delegation context\n this._hooks = new HooksService({});\n this._hooks.initialize(this._serviceContext);\n this._serviceContext.registerService('hooks', this._hooks);\n\n // Set session on context\n const serviceSession: ServiceSession = {\n delegationHeader: session.delegationHeader,\n delegationCid: session.delegationCid,\n spaceId: session.spaceId,\n verificationMethod: session.verificationMethod,\n jwk: session.jwk,\n };\n this._serviceContext.setSession(serviceSession);\n }\n\n /\n Get the delegation this access was created from.\n /\n get delegation(): PortableDelegation {\n return this._delegation;\n }\n\n /\n The space ID this access is for.\n /\n get spaceId(): string {\n return this._delegation.spaceId;\n }\n\n /\n The path this access is scoped to.\n /\n get path(): string {\n return this._delegation.path;\n }\n\n /\n KV operations on the delegated space.\n /\n get kv(): IKVService {\n return this._kv;\n }\n\n /\n SQL operations on the delegated space.\n /\n get sql(): ISQLService {\n return this._sql;\n }\n\n /\n DuckDB operations on the delegated space.\n /\n get duckdb(): IDuckDbService {\n return this._duckdb;\n }\n\n /\n Hooks write-stream subscriptions on the delegated space.\n /\n get hooks(): IHooksService {\n return this._hooks;\n }\n\n /\n Export the handles needed to rehydrate this activated delegation via\n * `TinyCloudNode.restoreSession(...)` in another process or after a\n * restart.\n \n See `RestorableSession` for lifetime caveats.\n /\n get restorable(): RestorableSession {\n return {\n delegationHeader: this.session.delegationHeader,\n delegationCid: this.session.delegationCid,\n spaceId: this.session.spaceId,\n jwk: this.session.jwk,\n verificationMethod: this.session.verificationMethod,\n address: this.session.address,\n chainId: this.session.chainId,\n };\n }\n}\n","/\n WasmKeyProvider - KeyProvider implementation using WASM session manager.\n \n This provider wraps the SessionManager from node-sdk-wasm to provide\n * cryptographic key operations required by the SharingService.\n \n @packageDocumentation\n /\n\nimport type { KeyProvider, JWK, ISessionManager } from \"@tinycloud/sdk-core\";\n\n/\n Extended session manager with optional key listing support.\n * The base ISessionManager doesn't include listSessionKeys(),\n * but concrete implementations (e.g., TCWSessionManager) may provide it.\n /\ninterface SessionManagerWithListing extends ISessionManager {\n listSessionKeys?(): string[];\n}\n\n/\n Configuration for WasmKeyProvider.\n /\nexport interface WasmKeyProviderConfig {\n /\n The WASM session manager instance.\n * Must be created before constructing the KeyProvider.\n /\n sessionManager: SessionManagerWithListing;\n}\n\n/\n KeyProvider implementation that wraps the WASM session manager.\n \n This allows the SharingService to create new session keys for sharing links\n * using the same cryptographic operations as the main session management.\n \n @example\n * ```typescript\n * // sessionManager from wasmBindings.createSessionManager()\n * import { WasmKeyProvider } from \"@tinycloud/node-sdk\";\n \n const sessionManager = new SessionManager();\n * const keyProvider = new WasmKeyProvider({ sessionManager });\n \n // Create a session key for a sharing link\n * const keyId = await keyProvider.createSessionKey(\"share:abc123\");\n * const jwk = keyProvider.getJWK(keyId);\n * const did = await keyProvider.getDID(keyId);\n * ```\n /\nexport class WasmKeyProvider implements KeyProvider {\n private sessionManager: SessionManagerWithListing;\n\n /\n Create a new WasmKeyProvider.\n \n @param config - Configuration with the WASM session manager\n /\n constructor(config: WasmKeyProviderConfig) {\n this.sessionManager = config.sessionManager;\n }\n\n /\n Generate a new session key with the given name.\n \n This creates a new Ed25519 key pair in the WASM session manager.\n * The key can then be used for signing delegations in sharing links.\n \n @param name - A unique name/ID for the key (e.g., \"share:timestamp:random\")\n * @returns The key ID (same as the name provided)\n /\n async createSessionKey(name: string): Promise<string> {\n // The WASM session manager's createSessionKey returns the key_id\n // and stores the key internally\n return this.sessionManager.createSessionKey(name);\n }\n\n /\n Get the JWK (JSON Web Key) for a key.\n \n Returns the full JWK including the private key (d parameter),\n * which is required for signing and for embedding in sharing links.\n \n @param keyId - The key ID to retrieve\n * @returns The JWK object with public and private key components\n * @throws Error if the key is not found\n /\n getJWK(keyId: string): JWK {\n // The WASM session manager returns the JWK as a JSON string\n const jwkJson = this.sessionManager.jwk(keyId);\n if (!jwkJson) {\n throw new Error(`Key not found: ${keyId}`);\n }\n // Parse the JSON string to get the JWK object\n return JSON.parse(jwkJson) as JWK;\n }\n\n /\n Get the DID (Decentralized Identifier) for a key.\n \n Returns the did:key format DID derived from the key's public key.\n * This DID can be used as the delegatee in delegations.\n \n @param keyId - The key ID to retrieve\n * @returns The DID in did:key format (e.g., \"did:key:z6Mk...\")\n /\n async getDID(keyId: string): Promise<string> {\n // The WASM session manager has a synchronous getDID method\n return this.sessionManager.getDID(keyId);\n }\n\n /\n List all session keys currently held by the provider.\n \n @returns Array of key IDs\n /\n listKeys(): string[] {\n const keys = this.sessionManager.listSessionKeys?.();\n return Array.isArray(keys) ? keys : [];\n }\n\n /\n Check if a key exists in the provider.\n \n @param keyId - The key ID to check\n * @returns True if the key exists\n /\n hasKey(keyId: string): boolean {\n const jwk = this.sessionManager.jwk(keyId);\n return jwk !== undefined;\n }\n}\n\n/\n Create a new WasmKeyProvider instance.\n \n @param sessionManager - The WASM session manager\n * @returns A new WasmKeyProvider instance\n /\nexport function createWasmKeyProvider(sessionManager: SessionManagerWithListing): WasmKeyProvider {\n return new WasmKeyProvider({ sessionManager });\n}\n","/\n Internal helpers for TinyCloudNode.delegateTo and the legacy\n * createDelegation compatibility shim. Exported from their own module so\n * they are easy to unit-test without spinning up a full TinyCloudNode.\n \n None of these are part of the public API — the module path is not\n * re-exported from `@tinycloud/node-sdk` or `@tinycloud/node-sdk/core`.\n \n @packageDocumentation\n /\n\nimport {\n type PermissionEntry,\n parseExpiry,\n SiweMessage,\n EXPIRY,\n} from \"@tinycloud/sdk-core\";\n\n/\n Convert legacy `createDelegation` params into one {@link PermissionEntry}\n * per service. Groups action URNs by their `tinycloud.<service>` prefix and\n * emits one entry per group. Actions whose prefix is not `tinycloud.` are\n dropped (preserving the wallet-path behaviour, which also ignores\n * unrecognised URN prefixes).\n \n Used by the legacy compatibility shim in `createDelegation` to hand off\n * to `delegateTo` on the fast (subset) path.\n /\nexport function legacyParamsToPermissionEntries(\n actions: readonly string[],\n path: string,\n spaceIdOverride: string \| undefined,\n): PermissionEntry[] {\n const byService = new Map<string, string[]>();\n for (const a of actions) {\n // Action URNs look like `tinycloud.kv/get`, `tinycloud.sql/read`, etc.\n // Split on the first `/` to get the service namespace.\n const slashIdx = a.indexOf(\"/\");\n if (slashIdx === -1) {\n continue;\n }\n const service = a.slice(0, slashIdx);\n if (!service.startsWith(\"tinycloud.\")) {\n continue;\n }\n const list = byService.get(service);\n if (list === undefined) {\n byService.set(service, [a]);\n } else {\n list.push(a);\n }\n }\n const space = spaceIdOverride ?? \"default\";\n const entries: PermissionEntry[] = [];\n for (const [service, actionList] of byService) {\n entries.push({\n service,\n space,\n path,\n actions: actionList,\n });\n }\n return entries;\n}\n\n/\n Default lifetime for a delegation when no explicit expiry is provided.\n * Sourced from the SESSION tier — runtime grants are always capped at the\n * parent session's expiry, so they can't usefully be longer than SESSION\n * even if a caller asks. See `@tinycloud/sdk-core/expiry.ts`.\n /\nexport const DEFAULT_DELEGATION_EXPIRY_MS = EXPIRY.SESSION_MS;\n\n/\n Resolve the `expiry` option of {@link DelegateToOptions} into a concrete\n * millisecond duration from now. Default is {@link DEFAULT_DELEGATION_EXPIRY_MS}\n * (7 days).\n \n Accepts:\n * - `undefined` → {@link DEFAULT_DELEGATION_EXPIRY_MS}\n * - `number` → raw milliseconds (must be positive + finite)\n * - `string` → parsed via {@link parseExpiry} (ms-format, e.g. `\"7d\"`)\n /\nexport function resolveExpiryMs(expiry: string \| number \| undefined): number {\n if (expiry === undefined) {\n return DEFAULT_DELEGATION_EXPIRY_MS;\n }\n if (typeof expiry === \"number\") {\n if (!Number.isFinite(expiry) \|\| expiry <= 0) {\n throw new Error(\n `delegateTo expiry must be a positive finite number (got ${expiry})`,\n );\n }\n return expiry;\n }\n // string — parseExpiry throws ManifestValidationError on bad input.\n return parseExpiry(expiry);\n}\n\n/\n Extract the `expirationTime` field of a signed SIWE message as a `Date`.\n \n Returns `undefined` only when the SIWE genuinely has no `Expiration Time`\n * line (RFC-4501 permits it). Propagates parse errors — the SDK always\n * produces signed SIWEs during sign-in, so an unparseable `session.siwe`\n * means something is actively wrong and we do not want to silently skip\n * the expiry check.\n /\nexport function extractSiweExpiration(siwe: string): Date \| undefined {\n const parsed = new SiweMessage(siwe);\n if (parsed.expirationTime === undefined \|\| parsed.expirationTime === null) {\n return undefined;\n }\n const d = new Date(parsed.expirationTime);\n if (Number.isNaN(d.getTime())) {\n throw new Error(\n `Session SIWE has unparseable expirationTime: ${parsed.expirationTime}`,\n );\n }\n return d;\n}\n","import {\n ErrorCodes,\n resolveSecretListPrefix,\n resolveSecretPath,\n expandPermissionEntries,\n resolveManifest,\n type IDataVaultService,\n type ISecretsService,\n type Manifest,\n type PermissionEntry,\n type Result,\n type SecretScopeOptions,\n type ServiceError,\n type VaultError,\n} from \"@tinycloud/sdk-core\";\n\nconst SECRETS_SPACE = \"secrets\";\ntype SecretAction = \"get\" \| \"put\" \| \"del\" \| \"list\";\n\nfunction ok(): Result<void, ServiceError> {\n return { ok: true, data: undefined };\n}\n\nfunction secretsError(\n code: string,\n message: string,\n cause?: Error,\n): Result<never, ServiceError> {\n return {\n ok: false,\n error: {\n code,\n service: \"secrets\",\n message,\n ...(cause ? { cause } : {}),\n },\n };\n}\n\nfunction displayActionUrn(action: SecretAction): string {\n switch (action) {\n case \"get\":\n return \"tinycloud.kv/get\";\n case \"put\":\n return \"tinycloud.kv/put\";\n case \"del\":\n return \"tinycloud.kv/del\";\n case \"list\":\n return \"tinycloud.kv/list\";\n }\n}\n\nfunction secretActionName(action: SecretAction): \"get\" \| \"put\" \| \"del\" \| \"list\" {\n return action;\n}\n\nfunction secretPermissionEntries(\n name: string,\n options: SecretScopeOptions \| undefined,\n action: SecretAction,\n encryptionNetworkId?: string,\n): PermissionEntry[] {\n const entries: PermissionEntry[] = [];\n const path =\n action === \"list\"\n ? resolveSecretListPrefix(options)\n : resolveSecretPath(name, options).permissionPaths.vault;\n\n entries.push({\n service: \"tinycloud.kv\",\n space: SECRETS_SPACE,\n path,\n actions: [secretActionName(action)],\n skipPrefix: true,\n });\n\n if (action === \"get\" && encryptionNetworkId !== undefined) {\n entries.push({\n service: \"tinycloud.encryption\",\n path: encryptionNetworkId,\n actions: [\"decrypt\"],\n skipPrefix: true,\n });\n }\n\n return entries;\n}\n\nexport interface NodeSecretsServiceConfig {\n getService: () => ISecretsService;\n getManifest: () => Manifest \| Manifest[] \| undefined;\n hasPermissions?: (permissions: PermissionEntry[]) => boolean;\n grantPermissions: (additional: PermissionEntry[]) => Promise<unknown>;\n canEscalate: () => boolean;\n getEncryptionNetworkId?: () => string;\n getUnlockSigner?: () => unknown;\n}\n\nexport class NodeSecretsService implements ISecretsService {\n private unlockSigner?: unknown;\n private shouldRestoreUnlock = false;\n\n constructor(private readonly config: NodeSecretsServiceConfig) {}\n\n get vault(): IDataVaultService {\n return this.service.vault;\n }\n\n get isUnlocked(): boolean {\n return this.service.isUnlocked;\n }\n\n async unlock(signer?: unknown): Promise<Result<void, VaultError>> {\n const effectiveSigner = signer ?? this.config.getUnlockSigner?.();\n if (effectiveSigner !== undefined) {\n this.unlockSigner = effectiveSigner;\n }\n const result = await this.service.unlock(effectiveSigner);\n if (result.ok) {\n this.shouldRestoreUnlock = true;\n }\n return result;\n }\n\n lock(): void {\n this.shouldRestoreUnlock = false;\n this.service.lock();\n }\n\n async get(name: string, options?: SecretScopeOptions): ReturnType<ISecretsService[\"get\"]> {\n const permission = await this.ensurePermission(name, options, \"get\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.get(name)\n : this.service.get(name, options);\n }\n\n async put(\n name: string,\n value: string,\n options?: SecretScopeOptions,\n ): ReturnType<ISecretsService[\"put\"]> {\n const permission = await this.ensurePermission(name, options, \"put\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.put(name, value)\n : this.service.put(name, value, options);\n }\n\n async delete(\n name: string,\n options?: SecretScopeOptions,\n ): ReturnType<ISecretsService[\"delete\"]> {\n const permission = await this.ensurePermission(name, options, \"del\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.delete(name)\n : this.service.delete(name, options);\n }\n\n async list(options?: SecretScopeOptions): ReturnType<ISecretsService[\"list\"]> {\n const permission = await this.ensurePermission(\"\", options, \"list\");\n if (!permission.ok) return permission;\n return options === undefined\n ? this.service.list()\n : this.service.list(options);\n }\n\n private get service(): ISecretsService {\n return this.config.getService();\n }\n\n private async ensurePermission(\n name: string,\n options: SecretScopeOptions \| undefined,\n action: SecretAction,\n ): Promise<Result<void, ServiceError \| VaultError>> {\n const target = name \|\| \"secrets\";\n let permissionEntries: PermissionEntry[];\n try {\n permissionEntries = secretPermissionEntries(\n name,\n options,\n action,\n action === \"get\" ? this.config.getEncryptionNetworkId?.() : undefined,\n );\n } catch (error) {\n return secretsError(\n ErrorCodes.INVALID_INPUT,\n error instanceof Error ? error.message : String(error),\n error instanceof Error ? error : undefined,\n );\n }\n\n if (this.hasPermission(permissionEntries)) {\n return ok();\n }\n\n if (!this.config.canEscalate()) {\n return secretsError(\n ErrorCodes.PERMISSION_DENIED,\n `Cannot autosign ${displayActionUrn(action)} for ${target}; TinyCloudNode needs wallet mode with a signer or privateKey.`,\n );\n }\n\n try {\n await this.config.grantPermissions(permissionEntries);\n return this.restoreUnlockAfterEscalation();\n } catch (error) {\n return secretsError(\n ErrorCodes.PERMISSION_DENIED,\n error instanceof Error\n ? error.message\n : `Autosign escalation for ${displayActionUrn(action)} on ${target} failed.`,\n error instanceof Error ? error : undefined,\n );\n }\n }\n\n private async restoreUnlockAfterEscalation(): Promise<\n Result<void, ServiceError \| VaultError>\n > {\n if (!this.shouldRestoreUnlock) {\n return ok();\n }\n return this.service.unlock(this.unlockSigner);\n }\n\n private hasPermission(\n permissionEntries: PermissionEntry[],\n ): boolean {\n if (this.config.hasPermissions?.(permissionEntries)) {\n return true;\n }\n\n const manifest = this.config.getManifest();\n if (manifest === undefined) {\n return false;\n }\n\n const manifests = Array.isArray(manifest) ? manifest : [manifest];\n const requestedEntries = expandPermissionEntries(permissionEntries);\n return requestedEntries.every((entry) =>\n manifests.some((candidate) => {\n const resolved = resolveManifest(candidate);\n return resolved.resources.some(\n (resource) =>\n resource.service === entry.service &&\n resource.space === entry.space &&\n resource.path === entry.path &&\n entry.actions.every((action) => resource.actions.includes(action)),\n );\n }),\n );\n }\n\n}\n","import { Delegation, DelegatedResource } from \"@tinycloud/sdk-core\";\n\n/\n A portable delegation that can be transported between users.\n * Extends the base Delegation type with fields required for transport.\n \n @remarks\n * PortableDelegation adds transport fields to Delegation:\n * - `delegationHeader`: Structured authorization header for API calls\n * - `ownerAddress`: Space owner's address for session creation\n * - `chainId`: Chain ID for session creation\n * - `host`: Optional server URL\n * - `resources`: Multi-resource grant breakdown (present when the\n * delegation was issued via the multi-resource WASM path, i.e. one\n * UCAN covering multiple `(service, path, actions)` entries). The\n * flat `path` + `actions` fields mirror the first entry for\n * single-resource callers; consumers that need the full picture\n * read `resources`.\n /\nexport interface PortableDelegation extends Omit<Delegation, \"isRevoked\"> {\n /* The authorization header for this delegation (structured format) /\n delegationHeader: { Authorization: string };\n\n /* The address of the space owner /\n ownerAddress: string;\n\n /* The chain ID /\n chainId: number;\n\n /* TinyCloud server URL where this delegation was created /\n host?: string;\n\n /* Whether the recipient is prevented from creating sub-delegations /\n disableSubDelegation?: boolean;\n\n /* Companion delegation for the user's public space (auto-created when includePublicSpace is true) /\n publicDelegation?: PortableDelegation;\n\n /\n Full multi-resource grant breakdown. Present when the delegation\n * was issued via the multi-resource WASM path; each entry describes\n * one `(service, space, path, actions)` grant carried by the single\n * underlying UCAN. When absent, only the flat `path` + `actions`\n * fields are authoritative (legacy single-resource shape).\n /\n resources?: DelegatedResource[];\n}\n\n/\n Serialize a PortableDelegation for transport (e.g., over network).\n /\nexport function serializeDelegation(delegation: PortableDelegation): string {\n return JSON.stringify({\n ...delegation,\n expiry: delegation.expiry.toISOString(),\n });\n}\n\n/\n Deserialize a PortableDelegation from transport.\n */\nexport function deserializeDelegation(data: string): PortableDelegation {\n const parsed = JSON.parse(data);\n return {\n ...parsed,\n cid: parsed.cid,\n expiry: new Date(parsed.expiry),\n };\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAgBA,IAAAA,mBAA0B;AA2B1B,IAAAA,mBAmBO;;;AC5CA,IAAM,uBAAN,MAAsD;AAAA,EAAtD;AACL,SAAQ,WAA8C,oBAAI,IAAI;AAAA;AAAA;AAAA;AAAA;AAAA,EAK9D,MAAM,KAAK,SAAiB,SAA8C;AACxE,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,SAAK,SAAS,IAAI,mBAAmB,OAAO;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAuD;AAChE,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,UAAM,UAAU,KAAK,SAAS,IAAI,iBAAiB;AAEnD,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,YAAY,oBAAI,KAAK,GAAG;AAC1B,WAAK,SAAS,OAAO,iBAAiB;AACtC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,SAAgC;AAC1C,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,SAAK,SAAS,OAAO,iBAAiB;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAA0B;AAC/B,UAAM,oBAAoB,QAAQ,YAAY;AAC9C,UAAM,UAAU,KAAK,SAAS,IAAI,iBAAiB;AAEnD,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,UAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,QAAI,YAAY,oBAAI,KAAK,GAAG;AAC1B,WAAK,SAAS,OAAO,iBAAiB;AACtC,aAAO;AAAA,IACT;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,cAAuB;AACrB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,WAAiB;AACf,SAAK,SAAS,MAAM;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKA,OAAe;AACb,WAAO,KAAK,SAAS;AAAA,EACvB;AACF;;;ACnGA,sBAAoF;AACpF,gBAA+E;AAC/E,kBAA8B;AAkBvB,IAAM,qBAAN,MAAoD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQzD,YAAY,SAAkB;AAC5B,SAAK,UAAU,WAAW,KAAK,cAAc;AAC7C,SAAK,sBAAsB;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,gBAAwB;AAC9B,UAAM,OAAO,QAAQ,IAAI,QAAQ,QAAQ,IAAI,eAAe;AAC5D,eAAO,kBAAK,MAAM,cAAc,UAAU;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAA8B;AACpC,QAAI,KAAC,sBAAW,KAAK,OAAO,GAAG;AAC7B,+BAAU,KAAK,SAAS,EAAE,WAAW,KAAK,CAAC;AAAA,IAC7C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,YAAY,SAAyB;AAC3C,UAAM,oBAAoB,QAAQ,YAAY;AAE9C,UAAM,WAAW,GAAG,kBAAkB,QAAQ,MAAM,EAAE,CAAC;AACvD,eAAO,kBAAK,KAAK,SAAS,QAAQ;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAiB,SAA8C;AACxE,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,UAAM,OAAO,KAAK,UAAU,SAAS,MAAM,CAAC;AAC5C,iCAAc,UAAU,MAAM,OAAO;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAAuD;AAChE,UAAM,WAAW,KAAK,YAAY,OAAO;AAEzC,QAAI,KAAC,sBAAW,QAAQ,GAAG;AACzB,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,WAAO,wBAAa,UAAU,OAAO;AAC3C,YAAM,SAAS,KAAK,MAAM,IAAI;AAG9B,YAAM,iBAAa,8CAA6B,MAAM;AACtD,UAAI,CAAC,WAAW,IAAI;AAClB,gBAAQ,KAAK,4BAA4B,OAAO,KAAK,WAAW,MAAM,OAAO;AAE7E,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,YAAM,UAAU,WAAW;AAG3B,YAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,UAAI,YAAY,oBAAI,KAAK,GAAG;AAE1B,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT,SAAS,OAAO;AAEd,UAAI;AACF,kCAAW,QAAQ;AAAA,MACrB,QAAQ;AAAA,MAER;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAM,SAAgC;AAC1C,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,YAAI,sBAAW,QAAQ,GAAG;AACxB,gCAAW,QAAQ;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAA0B;AAC/B,UAAM,WAAW,KAAK,YAAY,OAAO;AACzC,QAAI,KAAC,sBAAW,QAAQ,GAAG;AACzB,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,WAAO,wBAAa,UAAU,OAAO;AAC3C,YAAM,UAAgC,KAAK,MAAM,IAAI;AAGrD,YAAM,YAAY,IAAI,KAAK,QAAQ,SAAS;AAC5C,UAAI,YAAY,oBAAI,KAAK,GAAG;AAE1B,kCAAW,QAAQ;AACnB,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAuB;AACrB,QAAI;AACF,WAAK,sBAAsB;AAC3B,iBAAO,sBAAW,KAAK,OAAO;AAAA,IAChC,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AACF;;;ACjKA,IAAAC,mBA+BO;;;AC8CA,IAAM,sBAAoC,EAAE,MAAM,YAAY;;;AD+D9D,IAAM,wBAAN,MAA0D;AAAA,EAoC/D,YAAY,QAAqC;AAPjD,SAAQ,aAA0B,CAAC;AAKnC,SAAQ,gBAA0B,CAAC;AAGjC,SAAK,OAAO,OAAO;AAEnB,SAAK,SAAS,OAAO;AACrB,SAAK,eAAe,OAAO,gBAAgB;AAC3C,SAAK,iBAAiB,OAAO,kBAAkB,IAAI,qBAAqB;AACxE,SAAK,SAAS,OAAO;AACrB,SAAK,MAAM,OAAO,OAAO,WAAW,OAAO,MAAM;AACjD,SAAK,YAAY,OAAO;AACxB,SAAK,cAAc,OAAO,eAAe;AACzC,SAAK,iBAAiB,OAAO,kBAAkB;AAAA,MAC7C,IAAI;AAAA,QACF,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,KAAK;AAAA,QACH,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,QACN,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,MACA,cAAc;AAAA,QACZ,IAAI,CAAC,6BAA6B;AAAA,MACpC;AAAA,MACA,OAAO;AAAA,QACL,IAAI;AAAA,UACF;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAAA,IACF;AACA,SAAK,sBAAsB,OAAO,uBAAuB,wBAAO;AAChE,SAAK,kBAAkB,OAAO,mBAAmB;AACjD,SAAK,uBAAuB,OAAO;AACnC,SAAK,iBAAiB,OAAO;AAC7B,SAAK,uBAAuB,OAAO;AACnC,SAAK,yBAAyB,OAAO;AACrC,SAAK,oBAAoB,OAAO,qBAAqB;AACrD,SAAK,QAAQ,OAAO;AACpB,SAAK,aAAa,OAAO;AACzB,SAAK,oCACH,OAAO,qCAAqC;AAC9C,SAAK,YAAY,OAAO;AACxB,SAAK,qBAAqB,OAAO;AAGjC,SAAK,iBAAiB,KAAK,KAAK,qBAAqB;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAI,WAA8C;AAChD,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAI,oBAAyD;AAC3D,WAAO,KAAK,qBAAqB;AAAA,EACnC;AAAA,EAEA,IAAI,QAAkB;AACpB,WAAO,KAAK,iBAAiB,CAAC,GAAG,KAAK,cAAc,IAAI,CAAC;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,UAAmD;AAC7D,SAAK,YAAY;AACjB,SAAK,qBAAqB;AAAA,EAC5B;AAAA,EAEA,qBAAqB,SAAoD;AACvE,SAAK,qBAAqB;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAqC;AACvC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,mBAAiD;AACnD,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,4BAA4B,SAAiC;AAC3D,UAAM,cAAU,sCAAoB,QAAQ,OAAO;AACnD,SAAK,oBAAoB,EAAE,GAAG,SAAS,QAAQ;AAC/C,SAAK,WAAW;AAChB,SAAK,WAAW,QAAQ;AAAA,EAC1B;AAAA,EAEA,MAAc,+BACZ,SACA,SACe;AACf,QAAI,KAAK,kBAAkB,KAAK,eAAe,SAAS,GAAG;AACzD;AAAA,IACF;AAEA,UAAM,cAAU,yBAAO,SAAS,OAAO;AACvC,UAAM,WAAW,UAAM,wCAAsB,SAAS;AAAA,MACpD,aAAa,KAAK;AAAA,MAClB,eAAe,KAAK;AAAA,IACtB,CAAC;AACD,SAAK,iBAAiB,SAAS;AAAA,EACjC;AAAA,EAEQ,wBAAkC;AACxC,QAAI,CAAC,KAAK,kBAAkB,KAAK,eAAe,WAAW,GAAG;AAC5D,YAAM,IAAI,MAAM,8DAA8D;AAAA,IAChF;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,IAAY,uBAA+B;AACzC,WAAO,KAAK,sBAAsB,EAAE,CAAC;AAAA,EACvC;AAAA,EAEA,IAAI,eAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA4BQ,uBAA4D;AAClE,QAAI,KAAK,uBAAuB,QAAW;AACzC,aAAO,KAAK;AAAA,IACd;AACA,QAAI,KAAK,cAAc,QAAW;AAChC,aAAO;AAAA,IACT;AACA,SAAK,yBAAqB;AAAA,MACxB,MAAM,QAAQ,KAAK,SAAS,IAAI,KAAK,YAAY,CAAC,KAAK,SAAS;AAAA,MAChE;AAAA,QACE,mCACE,KAAK;AAAA,MACT;AAAA,IACF;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,iBAAiB,OAAe,SAAiB,SAAyB;AAChF,QAAI,MAAM,WAAW,YAAY,GAAG;AAClC,aAAO;AAAA,IACT;AACA,eAAO,iCAAe,SAAS,SAAS,KAAK;AAAA,EAC/C;AAAA,EAEQ,2BAA2B,SAAiB,SAAyB;AAC3E,WAAO,gCAA4B,yBAAO,SAAS,OAAO,CAAC;AAAA,EAC7D;AAAA,EAEQ,0BACN,SACA,SAMA;AACA,UAAM,UAAU,KAAK,qBAAqB;AAC1C,QAAI,YAAY,QAAW;AACzB,YAAM,mBAAmB,KAAK,2BAA2B,SAAS,OAAO;AACzE,YAAM,qBAAiB,iCAAe,SAAS,SAAS,SAAS;AACjE,aAAO;AAAA,QACL,WAAW,KAAK;AAAA,QAChB,aAAS,iCAAe,SAAS,SAAS,KAAK,WAAW;AAAA,QAC1D,gBAAgB;AAAA,UACd,CAAC,cAAc,GAAG;AAAA,YAChB,IAAI;AAAA,cACF,kBAAkB;AAAA,gBAChB;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,gBACA;AAAA,cACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAAA,QACA,cAAc;AAAA,UACZ,CAAC,gBAAgB,GAAG;AAAA,YAClB;AAAA,YACA;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAEA,UAAM,eAAyC,CAAC;AAChD,UAAM,iBAAiB,QAAQ,UAAU,OAAO,CAAC,UAAU;AACzD,UAAI,MAAM,YAAY,gDAA+B;AACnD,eAAO;AAAA,MACT;AACA,YAAM,WAAW,aAAa,MAAM,IAAI;AACxC,UAAI,aAAa,QAAW;AAC1B,qBAAa,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,OAAO;AAAA,MAC9C,OAAO;AACL,cAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,mBAAW,UAAU,MAAM,SAAS;AAClC,cAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,qBAAS,KAAK,MAAM;AACpB,iBAAK,IAAI,MAAM;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AACA,aAAO;AAAA,IACT,CAAC;AAED,UAAM,mBACJ,eAAe,KAAK,CAAC,UAAU,MAAM,UAAU,SAAS,GAAG,SAC3D;AACF,UAAM,iBAAiB,KAAK;AAAA,MAC1B;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAEA,UAAM,cAAU,0DAAwC,cAAc;AACtE,UAAM,iBAA+C,CAAC;AACtD,eAAW,CAAC,OAAO,SAAS,KAAK,OAAO,QAAQ,OAAO,GAAG;AACxD,qBAAe,KAAK,iBAAiB,OAAO,SAAS,OAAO,CAAC,IAAI;AAAA,IACnE;AAEA,WAAO;AAAA,MACL,WACE,eAAe,cAAc,SAC7B,qDAAmC,CAAC,CAAC;AAAA,MACvC,SAAS;AAAA,MACT;AAAA,MACA,cACE,OAAO,KAAK,YAAY,EAAE,SAAS,IAAI,eAAe;AAAA,IAC1D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWQ,mBAAmB,SAAkD;AAC3E,UAAM,OAAgC,EAAE,KAAK,KAAK,IAAI;AACtD,QAAI,KAAK,UAAU,QAAW;AAC5B,WAAK,QAAQ,KAAK;AAAA,IACpB;AAEA,QAAI,CAAC,KAAK,cAAc,CAAC,SAAS,OAAO;AACvC,aAAO;AAAA,IACT;AAEA,UAAM,EAAE,WAAW,WAAW,KAAK,GAAG,KAAK,IAAI,KAAK,cAAc,CAAC;AACnE,UAAM,YAAqC,EAAE,GAAG,MAAM,GAAG,KAAK;AAE9D,QAAI,WAAW;AACb,gBAAU,YAAY,KAAK,YACvB,GAAG,SAAS,IAAI,KAAK,SAAS,KAC9B;AAAA,IACN;AAEA,QAAI,aAAa,UAAU,SAAS,GAAG;AACrC,gBAAU,YAAY;AAAA,IACxB;AAEA,QAAI,KAAK;AACP,cAAQ;AAAA,QACN;AAAA,MAEF;AACA,gBAAU,MAAM;AAAA,IAClB;AAEA,QAAI,SAAS,OAAO;AAClB,gBAAU,QAAQ,QAAQ;AAAA,IAC5B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,WAA4B;AACjC,SAAK,WAAW,KAAK,SAAS;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,aAAiC;AAC/B,WAAO,KAAK,mBAAmB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,UAAU,eAA0C;AAChE,QAAI,CAAC,KAAK,qBAAqB,CAAC,KAAK,YAAY,CAAC,KAAK,UAAU;AAC/D,YAAM,IAAI,MAAM,iCAAiC;AAAA,IACnD;AAEA,UAAM,OAAO,KAAK;AAClB,UAAM,UAAU,iBAAiB,KAAK,kBAAkB;AAGxD,UAAM,SAAS,UAAM,8BAAY,MAAM,OAAO;AAG9C,UAAM,OAAO,KAAK,KAAK,wBAAwB;AAAA,MAC7C,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,WAAU,oBAAI,KAAK,GAAE,YAAY;AAAA,MACjC;AAAA,MACA;AAAA,IACF,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,YAAY,IAAI;AAG7C,UAAM,UAAU,KAAK,KAAK,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACrE,UAAM,SAAS,UAAM,uCAAqB,MAAM,OAAO;AAEvD,WAAO,OAAO;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,SAAmC;AACvD,WAAO,KAAK,UAAU,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,eAAe,SAAmC;AACtD,WAAO,KAAK,UAAU,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,oBAAmC;AACvC,QAAI,CAAC,KAAK,mBAAmB;AAC3B,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,UAAM,OAAO,KAAK;AAClB,UAAM,iBAAiB,KAAK,kBAAkB;AAG9C,UAAM,SAAS,UAAM;AAAA,MACnB;AAAA,MACA,KAAK,kBAAkB;AAAA,IACzB;AAMA,UAAM,UACJ,KAAK,yBACJ,KAAK,kBACF,IAAI,iDAAgC,IACpC;AAEN,UAAM,kBAAkB;AAAA,MACtB,SAAS;AAAA,MACT,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd;AAAA,IACF;AAEA,QAAI,OAAO,SAAS;AAElB,YAAM,iBAAiB,OAAO,SAAS,SAAS,cAAc;AAE9D,UAAI,CAAC,gBAAgB;AAEnB;AAAA,MACF;AAGA,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,YAAY,MAAM,QAAQ,qBAAqB,eAAe;AACpE,UAAI,CAAC,WAAW;AACd;AAAA,MACF;AAGA,UAAI;AACF,cAAM,UAAU,MAAM,KAAK,UAAU;AACrC,YAAI,CAAC,SAAS;AACZ,gBAAM,MAAM,IAAI,MAAM,2BAA2B,cAAc,EAAE;AACjE,kBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,gBAAM;AAAA,QACR;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ;AAAA,UACN;AAAA,UACA,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QAC1D;AACA,cAAM;AAAA,MACR;AAGA,YAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAGvD,YAAM,cAAc,UAAM;AAAA,QACxB;AAAA,QACA,KAAK,kBAAkB;AAAA,MACzB;AAEA,UAAI,CAAC,YAAY,SAAS;AACxB,cAAM,MAAM,IAAI;AAAA,UACd,oDAAoD,YAAY,KAAK;AAAA,QACvE;AACA,gBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,cAAM;AAAA,MACR;AAEA,cAAQ,iBAAiB,eAAe;AACxC;AAAA,IACF;AAGA,QAAI,OAAO,WAAW,KAAK;AACzB,UAAI,CAAC,SAAS;AACZ;AAAA,MACF;AAEA,YAAM,YAAY,MAAM,QAAQ,qBAAqB,eAAe;AACpE,UAAI,CAAC,WAAW;AACd;AAAA,MACF;AAEA,UAAI;AACF,cAAM,UAAU,MAAM,KAAK,UAAU;AACrC,YAAI,CAAC,SAAS;AACZ,gBAAM,MAAM,IAAI,MAAM,2BAA2B,cAAc,EAAE;AACjE,kBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,gBAAM;AAAA,QACR;AAAA,MACF,SAAS,OAAO;AACd,gBAAQ;AAAA,UACN;AAAA,UACA,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,OAAO,KAAK,CAAC;AAAA,QAC1D;AACA,cAAM;AAAA,MACR;AAEA,YAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAEvD,YAAM,cAAc,UAAM;AAAA,QACxB;AAAA,QACA,KAAK,kBAAkB;AAAA,MACzB;AAEA,UAAI,CAAC,YAAY,SAAS;AACxB,cAAM,MAAM,IAAI;AAAA,UACd,oDAAoD,YAAY,KAAK;AAAA,QACvE;AACA,gBAAQ,wBAAwB,iBAAiB,GAAG;AACpD,cAAM;AAAA,MACR;AAEA,cAAQ,iBAAiB,eAAe;AACxC;AAAA,IACF;AAEA,UAAM,IAAI,MAAM,+BAA+B,OAAO,KAAK,EAAE;AAAA,EAC/D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,OAAO,SAAiD;AAE5D,SAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,SAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAE7C,UAAM,UAAU,KAAK;AACrB,UAAM,UAAU,KAAK;AAErB,UAAM,KAAK,+BAA+B,SAAS,OAAO;AAG1D,UAAM,QAAQ,WAAW,KAAK,IAAI,CAAC;AACnC,SAAK,eAAe,mBAAmB,WAAW,KAAK;AAGvD,UAAM,YAAY,KAAK,eAAe,IAAI,KAAK;AAC/C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,UAAM,MAAM,KAAK,MAAM,SAAS;AAEhC,UAAM,iBAAiB,KAAK,0BAA0B,SAAS,OAAO;AACtE,UAAM,UAAU,eAAe;AAE/B,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,mBAAmB;AAQxE,UAAM,WAAW,KAAK,KAAK,eAAe;AAAA,MACxC,WAAW,eAAe;AAAA,MAC1B,GAAI,eAAe,mBAAmB,SAClC,EAAE,gBAAgB,eAAe,eAAe,IAChD,CAAC;AAAA,MACL,GAAI,eAAe,iBAAiB,SAChC,EAAE,cAAc,eAAe,aAAa,IAC5C,CAAC;AAAA,MACL;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C;AAAA,MACA;AAAA,MACA,GAAG,KAAK,mBAAmB,OAAO;AAAA,IACpC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,iBAAiB;AAAA,MAC5C;AAAA,MACA;AAAA,MACA,SAAS,SAAS;AAAA,MAClB,MAAM;AAAA,IACR,CAAC;AAGD,UAAM,UAAU,KAAK,KAAK,qBAAqB;AAAA,MAC7C,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,gBAA+B;AAAA,MACnC;AAAA,MACA,eAAe;AAAA,MACf;AAAA,MACA,YAAY;AAAA,MACZ,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAKA,UAAM,iBAAqD,KACxD,oBACC,EAAE,YAAQ,iCAAe,SAAS,SAAS,QAAQ,EAAE,IACrD;AAKJ,UAAM,mBAAqC;AAAA,MACzC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ;AAAA,MACA,QAAQ;AAAA,MACR,eAAe,QAAQ;AAAA,MACvB,kBAAkB,QAAQ;AAAA,MAC1B,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACpD;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,gBAAsC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,YAAY,KAAK,UAAU,GAAG;AAAA,MAC9B,MAAM,SAAS;AAAA,MACf;AAAA,MACA,kBAAkB;AAAA,QAChB,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB;AAAA,QACA,QAAQ;AAAA,QACR,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACtD;AAAA,MACA,WAAW,eAAe,YAAY;AAAA,MACtC,WAAW,IAAI,YAAY;AAAA,MAC3B,SAAS;AAAA,IACX;AACA,UAAM,KAAK,eAAe,KAAK,SAAS,aAAa;AAGrD,SAAK,WAAW;AAChB,SAAK,oBAAoB;AACzB,SAAK,WAAW;AAChB,SAAK,WAAW;AAGhB,UAAM,WAAW,UAAM;AAAA,MACrB,KAAK;AAAA,MACL,KAAK,KAAK,gBAAgB;AAAA,IAC5B;AACA,SAAK,gBAAgB,SAAS;AAG9B,eAAW,OAAO,KAAK,YAAY;AACjC,UAAI,IAAI,aAAa;AACnB,cAAM,IAAI,YAAY,aAAa;AAAA,MACrC;AAAA,IACF;AAGA,UAAM,KAAK,kBAAkB;AAE7B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAyB;AAC7B,QAAI,KAAK,UAAU;AACjB,YAAM,KAAK,sBAAsB,KAAK,QAAQ;AAAA,IAChD;AACA,SAAK,WAAW;AAAA,EAClB;AAAA;AAAA;AAAA;AAAA,EAKA,UAA8B;AAC5B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,UAA8B;AAC5B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,SAAkC;AAClD,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAAA,IACpE;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAAA,IAC/C;AAEA,WAAO,KAAK,iBAAiB;AAAA,MAC3B,SAAS,KAAK;AAAA,MACd,SAAS,KAAK;AAAA,MACd;AAAA,MACA,MAAM;AAAA,IACR,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,MAAM,2BAWH;AACD,UAAM,cAAU,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,UAAM,UAAU,MAAM,KAAK,OAAO,WAAW;AAG7C,UAAM,QAAQ,WAAW,KAAK,IAAI,CAAC;AACnC,SAAK,eAAe,mBAAmB,WAAW,KAAK;AAGvD,UAAM,YAAY,KAAK,eAAe,IAAI,KAAK;AAC/C,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,8BAA8B;AAAA,IAChD;AACA,UAAM,MAAM,KAAK,MAAM,SAAS;AAEhC,UAAM,iBAAiB,KAAK,0BAA0B,SAAS,OAAO;AACtE,UAAM,UAAU,eAAe;AAE/B,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,mBAAmB;AAQxE,UAAM,WAAW,KAAK,KAAK,eAAe;AAAA,MACxC,WAAW,eAAe;AAAA,MAC1B,GAAI,eAAe,mBAAmB,SAClC,EAAE,gBAAgB,eAAe,eAAe,IAChD,CAAC;AAAA,MACL,GAAI,eAAe,iBAAiB,SAChC,EAAE,cAAc,eAAe,aAAa,IAC5C,CAAC;AAAA,MACL;AAAA,MACA;AAAA,MACA,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C;AAAA,MACA;AAAA,MACA,GAAG,KAAK,mBAAmB;AAAA,IAC7B,CAAC;AAED,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,0BACJ,UAMA,WACA,OACA,KACwB;AAExB,UAAM,UAAU,KAAK,KAAK,qBAAqB;AAAA,MAC7C,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAKD,UAAM,cAAU,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,UAAM,UAAU,MAAM,KAAK,OAAO,WAAW;AAE7C,UAAM,KAAK,+BAA+B,SAAS,OAAO;AAG1D,UAAM,gBAA+B;AAAA,MACnC;AAAA,MACA,eAAe;AAAA,MACf;AAAA,MACA,YAAY;AAAA,MACZ,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,iBAAqD,KACxD,oBACC,EAAE,YAAQ,iCAAe,SAAS,SAAS,QAAQ,EAAE,IACrD;AAIJ,UAAM,mBAAqC;AAAA,MACzC;AAAA,MACA;AAAA,MACA,YAAY;AAAA,MACZ,SAAS,SAAS;AAAA,MAClB,QAAQ;AAAA,MACR,eAAe,QAAQ;AAAA,MACvB,kBAAkB,QAAQ;AAAA,MAC1B,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACpD;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,UAAM,kBAAkB,SAAS,KAAK,MAAM,uBAAuB;AACnE,UAAM,gBAAgB,SAAS,KAAK,MAAM,iBAAiB;AAC3D,UAAM,YACJ,kBAAkB,CAAC,KACnB,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,mBAAmB,EAAE,YAAY;AAC9D,UAAM,YAAY,gBAAgB,CAAC,MAAK,oBAAI,KAAK,GAAE,YAAY;AAG/D,UAAM,gBAAsC;AAAA,MAC1C;AAAA,MACA;AAAA,MACA,YAAY,KAAK,UAAU,GAAG;AAAA,MAC9B,MAAM,SAAS;AAAA,MACf;AAAA,MACA,kBAAkB;AAAA,QAChB,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB,SAAS,SAAS;AAAA,QAClB,QAAQ;AAAA,QACR,oBAAoB,KAAK,eAAe,OAAO,KAAK;AAAA,MACtD;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,IACX;AACA,UAAM,KAAK,eAAe,KAAK,SAAS,aAAa;AAGrD,SAAK,WAAW;AAChB,SAAK,oBAAoB;AACzB,SAAK,WAAW;AAChB,SAAK,WAAW;AAGhB,UAAM,WAAW,UAAM;AAAA,MACrB,KAAK;AAAA,MACL,KAAK,KAAK,gBAAgB;AAAA,IAC5B;AACA,SAAK,gBAAgB,SAAS;AAG9B,eAAW,OAAO,KAAK,YAAY;AACjC,UAAI,IAAI,aAAa;AACnB,cAAM,IAAI,YAAY,aAAa;AAAA,MACrC;AAAA,IACF;AAGA,UAAM,KAAK,kBAAkB;AAE7B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,SAAiC;AAC3D,UAAM,gBAAgB,WAAW,KAAK;AACtC,QAAI,eAAe;AACjB,YAAM,KAAK,eAAe,MAAM,aAAa;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAmB,SAA0B;AAC3C,WAAO,KAAK,eAAe,OAAO,OAAO;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,iBAAiB,SAAuC;AACpE,YAAQ,KAAK,aAAa,MAAM;AAAA,MAC9B,KAAK;AACH,eAAO,KAAK,OAAO,YAAY,QAAQ,OAAO;AAAA,MAEhD,KAAK;AACH,cAAM,IAAI,MAAM,+CAA+C;AAAA,MAEjE,KAAK,YAAY;AACf,cAAM,WAAW,MAAM,KAAK,aAAa,QAAQ,OAAO;AACxD,YAAI,CAAC,SAAS,UAAU;AACtB,gBAAM,IAAI;AAAA,YACR,SAAS,UAAU;AAAA,UACrB;AAAA,QACF;AAEA,eACE,SAAS,aAAc,MAAM,KAAK,OAAO,YAAY,QAAQ,OAAO;AAAA,MAExE;AAAA,MAEA,KAAK,iBAAiB;AACpB,eAAO,KAAK;AAAA,UACV;AAAA,UACA,KAAK,aAAa;AAAA,UAClB,KAAK,aAAa,WAAW;AAAA,QAC/B;AAAA,MACF;AAAA,MAEA;AACE,cAAM,IAAI;AAAA,UACR,0BAA2B,KAAK,aAAqB,IAAI;AAAA,QAC3D;AAAA,IACJ;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,2BACN,SACA,SACA,SACiB;AACjB,WAAO,IAAI,QAAQ,CAAC,SAAS,WAAW;AACtC,YAAM,YAAY,WAAW,MAAM;AACjC,eAAO,IAAI,MAAM,wBAAwB,CAAC;AAAA,MAC5C,GAAG,OAAO;AAEV,YAAM,UAAU,OAAO,aAA2B;AAChD,qBAAa,SAAS;AACtB,YAAI,CAAC,SAAS,UAAU;AACtB;AAAA,YACE,IAAI,MAAM,SAAS,UAAU,mCAAmC;AAAA,UAClE;AAAA,QACF,OAAO;AAEL,gBAAM,YACJ,SAAS,aACR,MAAM,KAAK,OAAO,YAAY,QAAQ,OAAO;AAChD,kBAAQ,SAAS;AAAA,QACnB;AAAA,MACF;AAEA,cAAQ,KAAK,gBAAgB,SAAS,OAAO;AAAA,IAC/C,CAAC;AAAA,EACH;AACF;;;AEtqCA,IAAAC,mBAmFO;;;ACpHP,IAAAC,mBAYO;AAgCA,IAAM,kBAAN,MAAsB;AAAA,EAU3B,YACE,SACA,YACA,MACA,QACA;AACA,SAAK,UAAU;AACf,SAAK,cAAc;AACnB,SAAK,OAAO;AAGZ,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC;AAAA,MACA,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,IAAI;AAAA,IACd,CAAC;AAID,UAAM,SAAS,KAAK,YAAY,KAAK,QAAQ,OAAO,EAAE;AACtD,SAAK,MAAM,IAAI,2BAAU,EAAE,OAAO,CAAC;AACnC,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,SAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,SAAK,KAAK,WAAW,KAAK,eAAe;AACzC,SAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAGrD,SAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,SAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,SAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAG3D,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,SAAS,QAAQ;AAAA,MACjB,oBAAoB,QAAQ;AAAA,MAC5B,KAAK,QAAQ;AAAA,IACf;AACA,SAAK,gBAAgB,WAAW,cAAc;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,aAAiC;AACnC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAkB;AACpB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,OAAe;AACjB,WAAO,KAAK,YAAY;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,KAAiB;AACnB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAmB;AACrB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,SAAyB;AAC3B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,QAAuB;AACzB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAI,aAAgC;AAClC,WAAO;AAAA,MACL,kBAAkB,KAAK,QAAQ;AAAA,MAC/B,eAAe,KAAK,QAAQ;AAAA,MAC5B,SAAS,KAAK,QAAQ;AAAA,MACtB,KAAK,KAAK,QAAQ;AAAA,MAClB,oBAAoB,KAAK,QAAQ;AAAA,MACjC,SAAS,KAAK,QAAQ;AAAA,MACtB,SAAS,KAAK,QAAQ;AAAA,IACxB;AAAA,EACF;AACF;;;ACxHO,IAAM,kBAAN,MAA6C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQlD,YAAY,QAA+B;AACzC,SAAK,iBAAiB,OAAO;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,MAA+B;AAGpD,WAAO,KAAK,eAAe,iBAAiB,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,OAAO,OAAoB;AAEzB,UAAM,UAAU,KAAK,eAAe,IAAI,KAAK;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,kBAAkB,KAAK,EAAE;AAAA,IAC3C;AAEA,WAAO,KAAK,MAAM,OAAO;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,OAAO,OAAgC;AAE3C,WAAO,KAAK,eAAe,OAAO,KAAK;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAqB;AACnB,UAAM,OAAO,KAAK,eAAe,kBAAkB;AACnD,WAAO,MAAM,QAAQ,IAAI,IAAI,OAAO,CAAC;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,OAAwB;AAC7B,UAAM,MAAM,KAAK,eAAe,IAAI,KAAK;AACzC,WAAO,QAAQ;AAAA,EACjB;AACF;AAQO,SAAS,sBAAsB,gBAA4D;AAChG,SAAO,IAAI,gBAAgB,EAAE,eAAe,CAAC;AAC/C;;;ACnIA,IAAAC,mBAKO;AAYA,SAAS,gCACd,SACA,MACA,iBACmB;AACnB,QAAM,YAAY,oBAAI,IAAsB;AAC5C,aAAW,KAAK,SAAS;AAGvB,UAAM,WAAW,EAAE,QAAQ,GAAG;AAC9B,QAAI,aAAa,IAAI;AACnB;AAAA,IACF;AACA,UAAM,UAAU,EAAE,MAAM,GAAG,QAAQ;AACnC,QAAI,CAAC,QAAQ,WAAW,YAAY,GAAG;AACrC;AAAA,IACF;AACA,UAAM,OAAO,UAAU,IAAI,OAAO;AAClC,QAAI,SAAS,QAAW;AACtB,gBAAU,IAAI,SAAS,CAAC,CAAC,CAAC;AAAA,IAC5B,OAAO;AACL,WAAK,KAAK,CAAC;AAAA,IACb;AAAA,EACF;AACA,QAAM,QAAQ,mBAAmB;AACjC,QAAM,UAA6B,CAAC;AACpC,aAAW,CAAC,SAAS,UAAU,KAAK,WAAW;AAC7C,YAAQ,KAAK;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,MACA,SAAS;AAAA,IACX,CAAC;AAAA,EACH;AACA,SAAO;AACT;AAQO,IAAM,+BAA+B,wBAAO;AAY5C,SAAS,gBAAgB,QAA6C;AAC3E,MAAI,WAAW,QAAW;AACxB,WAAO;AAAA,EACT;AACA,MAAI,OAAO,WAAW,UAAU;AAC9B,QAAI,CAAC,OAAO,SAAS,MAAM,KAAK,UAAU,GAAG;AAC3C,YAAM,IAAI;AAAA,QACR,2DAA2D,MAAM;AAAA,MACnE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,aAAO,8BAAY,MAAM;AAC3B;AAWO,SAAS,sBAAsB,MAAgC;AACpE,QAAM,SAAS,IAAI,6BAAY,IAAI;AACnC,MAAI,OAAO,mBAAmB,UAAa,OAAO,mBAAmB,MAAM;AACzE,WAAO;AAAA,EACT;AACA,QAAM,IAAI,IAAI,KAAK,OAAO,cAAc;AACxC,MAAI,OAAO,MAAM,EAAE,QAAQ,CAAC,GAAG;AAC7B,UAAM,IAAI;AAAA,MACR,gDAAgD,OAAO,cAAc;AAAA,IACvE;AAAA,EACF;AACA,SAAO;AACT;;;ACxHA,IAAAC,mBAcO;AAEP,IAAM,gBAAgB;AAGtB,SAAS,KAAiC;AACxC,SAAO,EAAE,IAAI,MAAM,MAAM,OAAU;AACrC;AAEA,SAAS,aACP,MACA,SACA,OAC6B;AAC7B,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO;AAAA,MACL;AAAA,MACA,SAAS;AAAA,MACT;AAAA,MACA,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,IAC3B;AAAA,EACF;AACF;AAEA,SAAS,iBAAiB,QAA8B;AACtD,UAAQ,QAAQ;AAAA,IACd,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,IACT,KAAK;AACH,aAAO;AAAA,EACX;AACF;AAEA,SAAS,iBAAiB,QAAsD;AAC9E,SAAO;AACT;AAEA,SAAS,wBACP,MACA,SACA,QACA,qBACmB;AACnB,QAAM,UAA6B,CAAC;AACpC,QAAM,OACJ,WAAW,aACP,0CAAwB,OAAO,QAC/B,oCAAkB,MAAM,OAAO,EAAE,gBAAgB;AAEvD,UAAQ,KAAK;AAAA,IACX,SAAS;AAAA,IACT,OAAO;AAAA,IACP;AAAA,IACA,SAAS,CAAC,iBAAiB,MAAM,CAAC;AAAA,IAClC,YAAY;AAAA,EACd,CAAC;AAED,MAAI,WAAW,SAAS,wBAAwB,QAAW;AACzD,YAAQ,KAAK;AAAA,MACX,SAAS;AAAA,MACT,MAAM;AAAA,MACN,SAAS,CAAC,SAAS;AAAA,MACnB,YAAY;AAAA,IACd,CAAC;AAAA,EACH;AAEA,SAAO;AACT;AAYO,IAAM,qBAAN,MAAoD;AAAA,EAIzD,YAA6B,QAAkC;AAAlC;AAF7B,SAAQ,sBAAsB;AAAA,EAEkC;AAAA,EAEhE,IAAI,QAA2B;AAC7B,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA,EAEA,IAAI,aAAsB;AACxB,WAAO,KAAK,QAAQ;AAAA,EACtB;AAAA,EAEA,MAAM,OAAO,QAAqD;AAChE,UAAM,kBAAkB,UAAU,KAAK,OAAO,kBAAkB;AAChE,QAAI,oBAAoB,QAAW;AACjC,WAAK,eAAe;AAAA,IACtB;AACA,UAAM,SAAS,MAAM,KAAK,QAAQ,OAAO,eAAe;AACxD,QAAI,OAAO,IAAI;AACb,WAAK,sBAAsB;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAAA,EAEA,OAAa;AACX,SAAK,sBAAsB;AAC3B,SAAK,QAAQ,KAAK;AAAA,EACpB;AAAA,EAEA,MAAM,IAAI,MAAc,SAAkE;AACxF,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,IAAI,IAAI,IACrB,KAAK,QAAQ,IAAI,MAAM,OAAO;AAAA,EACpC;AAAA,EAEA,MAAM,IACJ,MACA,OACA,SACoC;AACpC,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,IAAI,MAAM,KAAK,IAC5B,KAAK,QAAQ,IAAI,MAAM,OAAO,OAAO;AAAA,EAC3C;AAAA,EAEA,MAAM,OACJ,MACA,SACuC;AACvC,UAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,SAAS,KAAK;AACnE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,OAAO,IAAI,IACxB,KAAK,QAAQ,OAAO,MAAM,OAAO;AAAA,EACvC;AAAA,EAEA,MAAM,KAAK,SAAmE;AAC5E,UAAM,aAAa,MAAM,KAAK,iBAAiB,IAAI,SAAS,MAAM;AAClE,QAAI,CAAC,WAAW,GAAI,QAAO;AAC3B,WAAO,YAAY,SACf,KAAK,QAAQ,KAAK,IAClB,KAAK,QAAQ,KAAK,OAAO;AAAA,EAC/B;AAAA,EAEA,IAAY,UAA2B;AACrC,WAAO,KAAK,OAAO,WAAW;AAAA,EAChC;AAAA,EAEA,MAAc,iBACZ,MACA,SACA,QACkD;AAClD,UAAM,SAAS,QAAQ;AACvB,QAAI;AACJ,QAAI;AACF,0BAAoB;AAAA,QAClB;AAAA,QACA;AAAA,QACA;AAAA,QACA,WAAW,QAAQ,KAAK,OAAO,yBAAyB,IAAI;AAAA,MAC9D;AAAA,IACF,SAAS,OAAO;AACd,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,QACrD,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AAAA,IACF;AAEA,QAAI,KAAK,cAAc,iBAAiB,GAAG;AACzC,aAAO,GAAG;AAAA,IACZ;AAEA,QAAI,CAAC,KAAK,OAAO,YAAY,GAAG;AAC9B,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,mBAAmB,iBAAiB,MAAM,CAAC,QAAQ,MAAM;AAAA,MAC3D;AAAA,IACF;AAEA,QAAI;AACF,YAAM,KAAK,OAAO,iBAAiB,iBAAiB;AACpD,aAAO,KAAK,6BAA6B;AAAA,IAC3C,SAAS,OAAO;AACd,aAAO;AAAA,QACL,4BAAW;AAAA,QACX,iBAAiB,QACb,MAAM,UACN,2BAA2B,iBAAiB,MAAM,CAAC,OAAO,MAAM;AAAA,QACpE,iBAAiB,QAAQ,QAAQ;AAAA,MACnC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,+BAEZ;AACA,QAAI,CAAC,KAAK,qBAAqB;AAC7B,aAAO,GAAG;AAAA,IACZ;AACA,WAAO,KAAK,QAAQ,OAAO,KAAK,YAAY;AAAA,EAC9C;AAAA,EAEQ,cACN,mBACS;AACT,QAAI,KAAK,OAAO,iBAAiB,iBAAiB,GAAG;AACnD,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,OAAO,YAAY;AACzC,QAAI,aAAa,QAAW;AAC1B,aAAO;AAAA,IACT;AAEA,UAAM,YAAY,MAAM,QAAQ,QAAQ,IAAI,WAAW,CAAC,QAAQ;AAChE,UAAM,uBAAmB,0CAAwB,iBAAiB;AAClE,WAAO,iBAAiB;AAAA,MAAM,CAAC,UAC7B,UAAU,KAAK,CAAC,cAAc;AAC5B,cAAM,eAAW,kCAAgB,SAAS;AAC1C,eAAO,SAAS,UAAU;AAAA,UACxB,CAAC,aACC,SAAS,YAAY,MAAM,WAC3B,SAAS,UAAU,MAAM,SACzB,SAAS,SAAS,MAAM,QACxB,MAAM,QAAQ,MAAM,CAAC,WAAW,SAAS,QAAQ,SAAS,MAAM,CAAC;AAAA,QACrE;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEF;;;AJ7HA,IAAM,eAAe;AACrB,IAAM,kCAAkC;AACxC,IAAM,wBAAwB;AAC9B,IAAM,iBAAiB;AACvB,IAAM,qBAAqB;AAQ3B,IAAM,gCAAgC,wBAAO;AAE7C,SAAS,oBAAoB,QAAgB,UAA2B;AACtE,MAAI;AACF,eAAO,qCAAmB,QAAQ,QAAQ;AAAA,EAC5C,QAAQ;AACN,WAAO,WAAW;AAAA,EACpB;AACF;AA6HA,SAAS,gBAAgB,OAA2B;AAClD,QAAM,WAAW;AACjB,MAAI,SAAS;AACb,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,GAAG;AACxC,UAAM,IAAI,MAAM,CAAC;AACjB,UAAM,IAAI,MAAM,IAAI,CAAC;AACrB,UAAM,IAAI,MAAM,IAAI,CAAC;AACrB,UAAM,UAAW,KAAK,MAAQ,KAAK,MAAM,KAAM,KAAK;AACpD,cAAU,SAAU,WAAW,KAAM,EAAE;AACvC,cAAU,SAAU,WAAW,KAAM,EAAE;AACvC,QAAI,IAAI,IAAI,MAAM,OAAQ,WAAU,SAAU,WAAW,IAAK,EAAE;AAChE,QAAI,IAAI,IAAI,MAAM,OAAQ,WAAU,SAAS,UAAU,EAAE;AAAA,EAC3D;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,OAA2B;AAClD,QAAM,WAAW;AACjB,QAAM,QAAkB,CAAC;AACzB,MAAI,SAAS;AACb,MAAI,OAAO;AACX,aAAW,QAAQ,OAAO;AACxB,UAAM,QAAQ,SAAS,QAAQ,IAAI;AACnC,QAAI,QAAQ,GAAG;AACb,YAAM,IAAI,MAAM,yBAAyB;AAAA,IAC3C;AACA,aAAU,UAAU,IAAK;AACzB,YAAQ;AACR,QAAI,QAAQ,GAAG;AACb,cAAQ;AACR,YAAM,KAAM,UAAU,OAAQ,GAAI;AAAA,IACpC;AAAA,EACF;AACA,SAAO,IAAI,WAAW,KAAK;AAC7B;AAEA,eAAe,oBACb,cACA,KACqB;AACrB,QAAM,QAAQ,IAAI,YAAY,EAAE,OAAO,YAAY;AACnD,MAAI;AACF,UAAM,SAAS,WAAW,QAAQ;AAClC,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,UAAM,MAAM,MAAM,OAAO;AAAA,MACvB;AAAA,MACA;AAAA,MACA,EAAE,MAAM,UAAU;AAAA,MAClB;AAAA,MACA,CAAC,MAAM;AAAA,IACT;AACA,WAAO,IAAI,WAAW,MAAM,OAAO,KAAK,EAAE,MAAM,UAAU,GAAG,KAAK,KAAK,CAAC;AAAA,EAC1E,QAAQ;AACN,UAAM,aAAa,MAAM,OAAO,QAAa;AAC7C,UAAM,MAAM,WAAW,iBAAiB,EAAE,KAAK,KAAY,QAAQ,MAAM,CAAC;AAC1E,WAAO,IAAI,WAAW,WAAW,KAAK,MAAM,OAAO,KAAK,KAAK,GAAG,GAAG,CAAC;AAAA,EACtE;AACF;AAEA,eAAe,0BACb,eACA,UACA,KACiB;AACjB,QAAM,CAAC,YAAY,WAAW,IAAI,cAAc,MAAM,GAAG;AACzD,MAAI,CAAC,cAAc,CAAC,aAAa;AAC/B,UAAM,IAAI,MAAM,kCAAkC;AAAA,EACpD;AACA,QAAM,SAAS,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,gBAAgB,UAAU,CAAC,CAAC;AAC/E,QAAM,UAAU,KAAK,MAAM,IAAI,YAAY,EAAE,OAAO,gBAAgB,WAAW,CAAC,CAAC;AACjF,UAAQ,MAAM;AACd,QAAM,eAAe,GAAG;AAAA,IACtB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,MAAM,CAAC;AAAA,EACjD,CAAC,IAAI,gBAAgB,IAAI,YAAY,EAAE,OAAO,KAAK,UAAU,OAAO,CAAC,CAAC,CAAC;AACvE,QAAM,YAAY,MAAM,oBAAoB,cAAc,GAAG;AAC7D,SAAO,GAAG,YAAY,IAAI,gBAAgB,SAAS,CAAC;AACtD;AAEA,SAAS,oBAAoB,SAA8D;AACzF,MAAI,MAAM,QAAQ,OAAO,GAAG;AAC1B,UAAM,QAAQ,QAAQ,KAAK,CAAC,CAAC,IAAI,MAAM,KAAK,YAAY,MAAM,eAAe;AAC7E,QAAI,CAAC,OAAO;AACV,YAAM,IAAI,MAAM,4DAA4D;AAAA,IAC9E;AACA,WAAO,MAAM,CAAC;AAAA,EAChB;AACA,QAAM,QAAQ,QAAQ,iBAAiB,QAAQ;AAC/C,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,MAAM,4DAA4D;AAAA,EAC9E;AACA,SAAO;AACT;AAcO,IAAM,iBAAN,MAAM,eAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwHzB,YAAY,SAA8B,CAAC,GAAG;AA7G9C,SAAQ,SAAyB;AACjC,SAAQ,OAAqC;AAC7C,SAAQ,KAAuB;AAE/B,SAAQ,WAAmB;AA8B3B,SAAQ,0BAAoD,CAAC;AAmB7D,SAAiB,+BAA+C,CAC9D,SACA,SACA,MACA,QACA,UACG;AACH,aAAO,KAAK,aAAa;AAAA,QACvB,KAAK,wBAAwB,SAAS,SAAS,MAAM,MAAM;AAAA,QAC3D;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,SAAiB,kCAAqD,CACpE,SACA,SACA,UACG;AACH,UAAI,CAAC,KAAK,aAAa,WAAW;AAChC,cAAM,IAAI,MAAM,yCAAyC;AAAA,MAC3D;AACA,YAAM,QAAQ,KAAK;AAAA,QACjB,QAAQ,QAAQ,CAAC,UAAU;AACzB,gBAAM,YAAY,KAAK,4BAA4B,KAAK;AACxD,iBAAO,YAAY,CAAC,SAAS,IAAI,CAAC;AAAA,QACpC,CAAC;AAAA,MACH;AACA,aAAO,KAAK,aAAa,UAAU,OAAO,WAAW,SAAS,SAAS,KAAK;AAAA,IAC9E;AA0BE,SAAK,eAAe,OAAO;AAG3B,SAAK,SAAS;AAAA,MACZ,GAAG;AAAA,MACH,MAAM,OAAO,QAAQ;AAAA,IACvB;AAGA,QAAI,OAAO,cAAc;AACvB,WAAK,eAAe,OAAO;AAAA,IAC7B,WAAW,eAAc,cAAc;AACrC,WAAK,eAAe,eAAc,aAAa,mBAAmB;AAAA,IACpE,OAAO;AACL,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AAGA,SAAK,iBAAiB,KAAK,aAAa,qBAAqB;AAG7D,UAAM,eAAe;AACrB,QAAI,SAAS,KAAK,eAAe,IAAI,YAAY;AACjD,QAAI,QAAQ;AAEV,WAAK,eAAe;AAAA,IACtB,OAAO;AAEL,WAAK,eAAe,KAAK,eAAe,iBAAiB,YAAY;AACrE,eAAS,KAAK,eAAe,IAAI,KAAK,YAAY;AAAA,IACpD;AAEA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,+BAA+B;AAAA,IACjD;AACA,SAAK,gBAAgB,KAAK,MAAM,MAAM;AAGtC,SAAK,sBAAsB,IAAI,uCAAsB;AAGrD,SAAK,eAAe,IAAI,gBAAgB;AAAA,MACtC,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAGD,SAAK,sBAAsB,OAAO,uBAAuB,IAAI,2CAA0B;AAKvF,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA;AAAA,MAEzB,QAAQ,KAAK;AAAA,MACb,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,aAAa,KAAK;AAAA,MAClB,UAAU,KAAK;AAAA;AAAA,MAEf,iBAAiB,CAACC,YAAW;AAG3B,cAAM,SAASA,QAAO,YAAY,QAAQ,OAAO,EAAE;AACnD,cAAM,YAAY,IAAI,2BAAU,EAAE,OAAO,CAAC;AAE1C,cAAM,YAAY,IAAI,gCAAe;AAAA,UACnC,QAAQA,QAAO;AAAA,UACf,OAAOA,QAAO,SAAS,WAAW,MAAM,KAAK,UAAU;AAAA,UACvD,OAAOA,QAAO;AAAA,QAChB,CAAC;AACD,kBAAU,WAAWA,QAAO,OAAO;AACnC,kBAAU,WAAW,SAAS;AAC9B,eAAO;AAAA,MACT;AAAA,IACF,CAAC;AAGD,QAAI,OAAO,QAAQ;AACjB,WAAK,SAAS,OAAO;AACrB,WAAK,UAAU,MAAM;AAAA,IACvB,WAAW,OAAO,YAAY;AAC5B,UAAI,CAAC,eAAc,cAAc;AAC/B,cAAM,IAAI;AAAA,UACR;AAAA,QAEF;AAAA,MACF;AACA,WAAK,SAAS,eAAc,aAAa,aAAa,OAAO,YAAY,KAAK,QAAQ;AACtF,WAAK,UAAU,MAAM;AAAA,IACvB;AAAA,EACF;AAAA;AAAA,EAjNA,OAAO,qBAAqB,UAA8B;AACxD,mBAAc,eAAe;AAAA,EAC/B;AAAA,EAgDA,IAAY,eAAyB;AACnC,WAAO,KAAK,MAAM,gBAAgB,CAAC;AAAA,EACrC;AAAA;AAAA,EAGA,IAAY,aAAqB;AAC/B,WAAO,KAAK,OAAO,UAAU;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EA8JQ,UAAU,QAAmC;AACnD,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClE,QAAQ,KAAK;AAAA,MACb,aAAa,OAAO;AAAA,MACpB,qBAAqB,OAAO,uBAAuB;AAAA,MACnD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,OAAO;AAAA,MAC7B,wBAAwB,OAAO;AAAA,MAC/B,iBAAiB,OAAO;AAAA,MACxB,mBAAmB,OAAO,qBAAqB;AAAA,MAC/C,sBAAsB,OAAO;AAAA,MAC7B,OAAO,OAAO;AAAA,MACd,YAAY,OAAO;AAAA,MACnB,UAAU,OAAO;AAAA,MACjB,mBAAmB,OAAO;AAAA,MAC1B,mCAAmC,OAAO;AAAA,IAC5C,CAAC;AAED,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AAAA,EACH;AAAA,EAEQ,2BAAiC;AACvC,UAAM,OAAO,KAAK,MAAM,MAAM,CAAC;AAC/B,QAAI,MAAM;AACR,WAAK,OAAO,OAAO;AAAA,IACrB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,YAAY,UAAmD;AAC7D,QAAI,CAAC,KAAK,MAAM;AAId,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,OAAO,WAAW;AACvB,SAAK,OAAO,oBAAoB;AAChC,SAAK,KAAK,YAAY,QAAQ;AAAA,EAChC;AAAA,EAEA,qBAAqB,SAAoD;AACvE,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,SAAK,OAAO,oBAAoB;AAChC,SAAK,OAAO,WAAW,SAAS;AAChC,SAAK,KAAK,qBAAqB,OAAO;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,WAA8C;AAChD,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA,EAEA,IAAI,oBAAyD;AAC3D,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA,EAEA,IAAI,QAAkB;AACpB,UAAM,YAAY,KAAK,MAAM,SAAS,CAAC;AACvC,WAAO,UAAU,SAAS,IAAI,YAAY,CAAC,KAAK,OAAO,IAAK;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,IAAI,MAAc;AAEhB,QAAI,KAAK,UAAU;AACjB,iBAAO,yBAAO,KAAK,UAAU,KAAK,QAAQ;AAAA,IAC5C;AAEA,WAAO,KAAK,eAAe,OAAO,KAAK,YAAY;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,IAAI,aAAqB;AACvB,WAAO,KAAK,eAAe,OAAO,KAAK,YAAY;AAAA,EACrD;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAA8B;AAChC,WAAO,KAAK,MAAM,QAAQ,KAAK,KAAK;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,gBAAyB;AAC3B,WAAO,KAAK,WAAW;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,UAA8B;AAChC,WAAO,KAAK,MAAM,kBAAkB;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,UAAwC;AAC1C,WAAO,KAAK,MAAM;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,SAAwC;AACnD,QAAI,CAAC,KAAK,UAAU,CAAC,KAAK,IAAI;AAC5B,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAGA,UAAM,KAAK,aAAa,oBAAoB;AAE5C,SAAK,eAAW,sCAAoB,MAAM,KAAK,OAAO,WAAW,CAAC;AAClE,SAAK,WAAW,MAAM,KAAK,OAAO,WAAW;AAG7C,SAAK,MAAM;AACX,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,SAAS;AACd,SAAK,SAAS;AACd,SAAK,cAAc;AACnB,SAAK,eAAe;AACpB,SAAK,WAAW;AAChB,SAAK,gBAAgB;AACrB,SAAK,kBAAkB;AACvB,SAAK,0BAA0B,CAAC;AAEhC,UAAM,KAAK,GAAG,OAAO,OAAO;AAC5B,SAAK,yBAAyB;AAG9B,SAAK,mBAAmB;AAExB,QAAI,KAAK,OAAO,aAAa,UAAa,KAAK,OAAO,sBAAsB,QAAW;AACrF,YAAM,KAAK,uBAAuB,KAAK,aAAa,SAAS,CAAC;AAAA,IAChE;AAEA,UAAM,KAAK,6BAA6B;AAExC,SAAK,oBAAoB,QAAQ,wBAAwB;AAAA,EAC3D;AAAA,EAEQ,aAAa,MAAsB;AACzC,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,MAAM,2CAA2C;AAAA,IAC7D;AACA,WAAO,KAAK,aAAa,YAAY,KAAK,UAAU,KAAK,UAAU,IAAI;AAAA,EACzE;AAAA,EAEA,MAAc,+BAA8C;AAC1D,UAAM,UAAU,KAAK;AACrB,QAAI,CAAC,WAAW,QAAQ,gBAAgB,WAAW,GAAG;AACpD;AAAA,IACF;AACA,QAAI,CAAC,KAAK,QAAQ,CAAC,KAAK,QAAQ;AAC9B,YAAM,IAAI,MAAM,8CAA8C;AAAA,IAChE;AAEA,UAAM,iBAAiB,KAAK,aAAa,uCAAsB;AAC/D,UAAM,KAAK,uBAAuB,cAAc;AAEhD,UAAM,YAAY,KAAK,OAAO,IAAI,cAAc,EAAE;AAClD,eAAW,UAAU,QAAQ,iBAAiB;AAC5C,YAAM,SAAS,MAAM,UAAU,IAAI,OAAO,KAAK;AAAA,QAC7C,QAAQ,OAAO;AAAA,QACf,WAAW,OAAO;AAAA,QAClB,aAAY,oBAAI,KAAK,GAAE,YAAY;AAAA,MACrC,CAAC;AACD,UAAI,CAAC,OAAO,IAAI;AACd,cAAM,IAAI;AAAA,UACR,4CAA4C,OAAO,GAAG,KAAK,OAAO,MAAM,OAAO;AAAA,QACjF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAc,uBAAuB,SAAgC;AACnE,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,IAAI,MAAM,0CAA0C;AAAA,IAC5D;AAEA,UAAM,UAAU,KAAK,KAAK;AAC1B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,gDAAgD;AAAA,IAClE;AAEA,UAAM,OAAO,KAAK,MAAM,CAAC,KAAK,KAAK,OAAO;AAC1C,QAAI,CAAC,MAAM;AACT,YAAM,IAAI,MAAM,+CAA+C;AAAA,IACjE;AAEA,UAAM,aAAa,UAAM,0CAAwB,MAAM,QAAQ,gBAAgB;AAC/E,QAAI,WAAW,WAAW,CAAC,WAAW,SAAS,SAAS,OAAO,GAAG;AAChE;AAAA,IACF;AAEA,QAAI,CAAC,WAAW,WAAW,WAAW,WAAW,KAAK;AACpD,YAAM,IAAI;AAAA,QACR,+BAA+B,OAAO,KAAK,WAAW,SAAS,WAAW,MAAM;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,UAAU,MAAO,KAAK,KAA+B,eAAe,OAAO;AACjF,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,iCAAiC,OAAO,EAAE;AAAA,IAC5D;AAEA,UAAM,IAAI,QAAQ,CAAC,YAAY,WAAW,SAAS,GAAG,CAAC;AAEvD,UAAM,QAAQ,UAAM,0CAAwB,MAAM,QAAQ,gBAAgB;AAC1E,QAAI,CAAC,MAAM,WAAW,MAAM,SAAS,SAAS,OAAO,GAAG;AACtD,YAAM,IAAI;AAAA,QACR,yDAAyD,OAAO,KAC9D,MAAM,SAAS,mBACjB;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,eAAe,aAuBH;AAEhB,UAAM,KAAK,aAAa,oBAAoB;AAG5C,SAAK,MAAM;AACX,SAAK,OAAO;AACZ,SAAK,UAAU;AACf,SAAK,SAAS;AACd,SAAK,SAAS;AACd,SAAK,cAAc;AACnB,SAAK,eAAe;AACpB,SAAK,WAAW;AAChB,SAAK,gBAAgB;AACrB,SAAK,kBAAkB;AACvB,SAAK,0BAA0B,CAAC;AAEhC,UAAM,kBAAkB,YAAY,cAChC,sCAAoB,YAAY,OAAO,IACvC;AACJ,QAAI,iBAAiB;AACnB,WAAK,WAAW;AAAA,IAClB;AACA,QAAI,YAAY,SAAS;AACvB,WAAK,WAAW,YAAY;AAAA,IAC9B;AAGA,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,WAAW,KAAK;AAAA,MAChB,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,IAC3B,CAAC;AAGD,SAAK,MAAM,IAAI,2BAAU,CAAC,CAAC;AAC3B,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,SAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,SAAK,KAAK,WAAW,KAAK,eAAe;AACzC,SAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAGrD,SAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,SAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,SAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAE3D,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,YAAY;AAAA,MAC9B,eAAe,YAAY;AAAA,MAC3B,SAAS,YAAY;AAAA,MACrB,oBAAoB,YAAY;AAAA,MAChC,KAAK,YAAY;AAAA,IACnB;AACA,SAAK,gBAAgB,WAAW,cAAc;AAG9C,SAAK,SAAS,KAAK,mBAAmB,YAAY,SAAS,KAAK,GAAI;AACpE,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,SAAK,qBAAqB,cAAc;AAWxC,QAAI,YAAY,QAAQ,mBAAmB,YAAY,SAAS;AAC9D,YAAM,YAA8B;AAAA,QAClC,SAAS;AAAA,QACT,SAAS,YAAY;AAAA,QACrB,YAAY,KAAK,UAAU,YAAY,GAAG;AAAA,QAC1C,SAAS,YAAY;AAAA,QACrB,eAAe,YAAY;AAAA,QAC3B,kBAAkB,YAAY;AAAA,QAC9B,oBAAoB,YAAY;AAAA,QAChC,KAAK,YAAY;AAAA,QACjB,MAAM,YAAY;AAAA,QAClB,WAAW,YAAY,aAAa;AAAA,MACtC;AACA,UAAI,KAAK,MAAM;AACb,aAAK,KAAK,4BAA4B,SAAS;AAAA,MACjD,OAAO;AACL,aAAK,qBAAqB;AAAA,MAC5B;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOQ,0BAAwD;AAC9D,WAAO,KAAK,MAAM,oBAAoB,KAAK;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,cAAc,YAAoB,SAAuE;AACvG,QAAI,KAAK,QAAQ;AACf,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,SAAS,SAAS,UAAU;AAGlC,QAAI,CAAC,eAAc,cAAc;AAC/B,YAAM,IAAI;AAAA,QACR;AAAA,MAEF;AAAA,IACF;AACA,SAAK,SAAS,eAAc,aAAa,aAAa,UAAU;AAGhE,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,SAAS,kBAAkB,KAAK,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClG,QAAQ,KAAK;AAAA,MACb,aAAa;AAAA,MACb,qBAAqB,KAAK,OAAO,uBAAuB;AAAA,MACxD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,KAAK,OAAO;AAAA,MAClC,wBAAwB,KAAK,OAAO;AAAA,MACpC,iBAAiB,KAAK,OAAO;AAAA,MAC7B,mBAAmB,KAAK,OAAO,qBAAqB;AAAA,MACpD,sBAAsB,KAAK,OAAO;AAAA,MAClC,OAAO,KAAK,OAAO;AAAA,MACnB,YAAY,KAAK,OAAO;AAAA,MACxB,UAAU,KAAK,OAAO;AAAA,MACtB,mBAAmB,KAAK,OAAO;AAAA,MAC/B,mCAAmC,KAAK,OAAO;AAAA,IACjD,CAAC;AAGD,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AAGD,SAAK,OAAO,SAAS;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,cAAc,QAAiB,SAAuE;AACpG,QAAI,KAAK,QAAQ;AACf,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AAEA,UAAM,SAAS,SAAS,UAAU;AAElC,SAAK,SAAS;AAEd,SAAK,OAAO,IAAI,sBAAsB;AAAA,MACpC,QAAQ,KAAK;AAAA,MACb,cAAc,EAAE,MAAM,YAAY;AAAA,MAClC,cAAc,KAAK;AAAA,MACnB,gBAAgB,SAAS,kBAAkB,KAAK,OAAO,kBAAkB,IAAI,qBAAqB;AAAA,MAClG,QAAQ,KAAK;AAAA,MACb,aAAa;AAAA,MACb,qBAAqB,KAAK,OAAO,uBAAuB;AAAA,MACxD,gBAAgB,KAAK,eAAe,CAAC,KAAK,YAAY,IAAI;AAAA,MAC1D,sBAAsB,KAAK,OAAO;AAAA,MAClC,wBAAwB,KAAK,OAAO;AAAA,MACpC,iBAAiB,KAAK,OAAO;AAAA,MAC7B,mBAAmB,KAAK,OAAO,qBAAqB;AAAA,MACpD,sBAAsB,KAAK,OAAO;AAAA,MAClC,OAAO,KAAK,OAAO;AAAA,MACnB,YAAY,KAAK,OAAO;AAAA,MACxB,UAAU,KAAK,OAAO;AAAA,MACtB,mBAAmB,KAAK,OAAO;AAAA,MAC/B,mCAAmC,KAAK,OAAO;AAAA,IACjD,CAAC;AAED,SAAK,KAAK,IAAI,2BAAU,KAAK,MAAM;AAAA,MACjC,WAAW,KAAK;AAAA,IAClB,CAAC;AACD,SAAK,OAAO,SAAS;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBAA2B;AACjC,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ;AAAA,IACF;AAGA,SAAK,GAAI,mBAAmB,KAAK,8BAA8B,CAAC,KAAK,OAAO,IAAK,CAAC;AAGlF,SAAK,kBAAkB,IAAI,gCAAe;AAAA,MACxC,QAAQ,KAAK;AAAA,MACb,WAAW,KAAK;AAAA,MAChB,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,IAC3B,CAAC;AAGD,SAAK,MAAM,IAAI,2BAAU,CAAC,CAAC;AAC3B,SAAK,IAAI,WAAW,KAAK,eAAe;AACxC,SAAK,gBAAgB,gBAAgB,MAAM,KAAK,GAAG;AAGnD,UAAM,WAAW,KAAK;AACtB,QAAI,SAAS,WAAW,KAAK,SAAS,SAAS,KAAK,GAAG;AACrD,WAAK,OAAO,IAAI,4BAAW,CAAC,CAAC;AAC7B,WAAK,KAAK,WAAW,KAAK,eAAe;AACzC,WAAK,gBAAgB,gBAAgB,OAAO,KAAK,IAAI;AAAA,IACvD;AAGA,QAAI,SAAS,WAAW,KAAK,SAAS,SAAS,QAAQ,GAAG;AACxD,WAAK,UAAU,IAAI,+BAAc,CAAC,CAAC;AACnC,WAAK,QAAQ,WAAW,KAAK,eAAe;AAC5C,WAAK,gBAAgB,gBAAgB,UAAU,KAAK,OAAO;AAAA,IAC7D;AAEA,SAAK,SAAS,IAAI,8BAAa,CAAC,CAAC;AACjC,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,SAAS,QAAQ;AAAA,MACjB,oBAAoB,QAAQ;AAAA,MAC5B,KAAK,QAAQ;AAAA,IACf;AACA,SAAK,gBAAgB,WAAW,cAAc;AAC9C,IAAC,KAAK,GAAI,eAAkC,WAAW,cAAc;AAGrE,SAAK,SAAS,KAAK,mBAAmB,QAAQ,SAAS,KAAK,GAAI;AAChE,SAAK,OAAO,WAAW,KAAK,eAAe;AAC3C,SAAK,gBAAgB,gBAAgB,SAAS,KAAK,MAAM;AAGzD,SAAK,qBAAqB,cAAc;AAAA,EAC1C;AAAA,EAEQ,2BAA2B,SAA4B;AAC7D,UAAM,YAAY,IAAI,2BAAU,CAAC,CAAC;AAClC,QAAI,KAAK,iBAAiB;AACxB,YAAM,qBAAqB,IAAI,gCAAe;AAAA,QAC5C,QAAQ,KAAK,gBAAgB;AAAA,QAC7B,OAAO,KAAK,gBAAgB;AAAA,QAC5B,OAAO,KAAK,gBAAgB;AAAA,MAC9B,CAAC;AACD,YAAM,UAAU,KAAK,gBAAgB;AACrC,UAAI,SAAS;AACX,2BAAmB,WAAW,EAAE,GAAG,SAAS,QAAQ,CAAC;AAAA,MACvD;AACA,gBAAU,WAAW,kBAAkB;AAAA,IACzC;AACA,WAAO;AAAA,EACT;AAAA,EAEA,8BAA8B,OAAO,iCAAyC;AAC5E,WAAO,4BAA4B,KAAK,GAAG,IAAI,IAAI;AAAA,EACrD;AAAA,EAEQ,wBAAwC;AAC9C,UAAM,UAAU,KAAK,iBAAiB;AACtC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,yBAA2C;AACjD,UAAM,OAAO,KAAK;AAClB,UAAM,gBAAgB,CAAC,KAAiB,cAAsC;AAC5E,YAAM,YAAY,KAAK,cAAc,KAAK,SAAS;AACnD,YAAM,MAAM,IAAI,WAAW,IAAI,UAAU,MAAM;AAC/C,UAAI,CAAC,IAAI;AACT,UAAI,IAAI,WAAW,CAAC;AACpB,aAAO;AAAA,IACT;AACA,UAAM,gBAAgB,CAAC,KAAiB,SAAiC;AACvE,UAAI,KAAK,CAAC,MAAM,GAAM;AACpB,eAAO;AAAA,MACT;AACA,aAAO,KAAK,cAAc,KAAK,KAAK,MAAM,CAAC,CAAC;AAAA,IAC9C;AACA,WAAO;AAAA,MACL,QAAQ,CAAC,SAAS,KAAK,aAAa,IAAI;AAAA,MACxC,aAAa,CAAC,WAAW,KAAK,mBAAmB,MAAM;AAAA,MACvD,gBAAgB,CAAC,SAAS,KAAK,uBAAuB,IAAI;AAAA,MAC1D,UAAU,CAAC,YAAY,cACrB,KAAK,gBAAgB,YAAY,SAAS;AAAA,MAC5C,aAAa,CAAC,KAAK,cAAc,KAAK,cAAc,KAAK,SAAS;AAAA,MAClE,aAAa,CAAC,KAAK,eAAe,KAAK,cAAc,KAAK,UAAU;AAAA,MACpE,kBAAkB,CAAC,kBAAkB,iBAAiB;AACpD,cAAM,OAAO,KAAK,mBAAmB,EAAE;AACvC,cAAM,YAAY,KAAK,uBAAuB,IAAI;AAClD,cAAM,SAAS,KAAK;AAAA,UAClB,UAAU;AAAA,UACV;AAAA,QACF;AACA,cAAM,YAAY,cAAc,QAAQ,YAAY;AACpD,cAAM,MAAM,IAAI,WAAW,UAAU,UAAU,SAAS,UAAU,MAAM;AACxE,YAAI,IAAI,UAAU,WAAW,CAAC;AAC9B,YAAI,IAAI,WAAW,UAAU,UAAU,MAAM;AAC7C,eAAO;AAAA,MACT;AAAA,MACA,qBAAqB,CAAC,oBAAoB,eAAe;AACvD,cAAM,aAAa,WAAW,MAAM,GAAG,EAAE;AACzC,cAAM,aAAa,WAAW,MAAM,EAAE;AACtC,cAAM,SAAS,KAAK,gBAAgB,oBAAoB,UAAU;AAClE,eAAO,cAAc,QAAQ,UAAU;AAAA,MACzC;AAAA,MACA,qBAAqB,CAAC,QAAQ,SAAS,kBACrC,+CAA6B,QAAQ,SAAS,SAAS;AAAA,IAC3D;AAAA,EACF;AAAA,EAEA,MAAc,cAA+B;AAC3C,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,IAAI,OAAO;AACvD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI,MAAM,mCAAmC,SAAS,MAAM,EAAE;AAAA,IACtE;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAClC,QAAI,OAAO,KAAK,WAAW,YAAY,KAAK,OAAO,WAAW,GAAG;AAC/D,YAAM,IAAI,MAAM,4CAA4C;AAAA,IAC9D;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEA,MAAc,4BAA4B,OAKoB;AAC5D,QAAI,CAAC,KAAK,aAAa,WAAW;AAChC,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACxE;AACA,QAAI,CAAC,KAAK,aAAa,YAAY;AACjC,YAAM,IAAI,MAAM,0DAA0D;AAAA,IAC5E;AACA,UAAM,UAAU,KAAK,sBAAsB;AAC3C,UAAM,UAAU,KAAK;AAAA,MACnB;AAAA,MACA;AAAA,QACE;AAAA,UACE,UAAU,MAAM;AAAA,UAChB,SAAS;AAAA,UACT,MAAM,MAAM;AAAA,UACZ,QAAQ,MAAM;AAAA,QAChB;AAAA,MACF;AAAA,MACA,CAAC,MAAM,KAAgC;AAAA,IACzC;AACA,UAAM,gBAAgB,oBAAoB,OAAO;AACjD,UAAM,gBAAgB,MAAM;AAAA,MAC1B;AAAA,MACA,MAAM;AAAA,MACN,QAAQ;AAAA,IACV;AACA,WAAO;AAAA,MACL,eAAe;AAAA,MACf,eAAe,KAAK,aAAa;AAAA,QAC/B,IAAI,YAAY,EAAE,OAAO,aAAa;AAAA,QACtC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,0BAA6C;AACnD,UAAM,SAAS,KAAK,uBAAuB;AAC3C,UAAM,YAA8B;AAAA,MAClC,aAAa,OAAO,EAAE,WAAW,eAAe,cAAc,MAAM;AAClE,cAAM,WAAW,MAAM;AAAA,UACrB,GAAG,KAAK,OAAO,IAAI,wBAAwB,mBAAmB,SAAS,CAAC;AAAA,UACxE;AAAA,YACE,QAAQ;AAAA,YACR,SAAS;AAAA,cACP,eAAe;AAAA,cACf,gBAAgB;AAAA,YAClB;AAAA,YACA,MAAM;AAAA,UACR;AAAA,QACF;AACA,YAAI,CAAC,SAAS,IAAI;AAChB,gBAAM,IAAI;AAAA,YACR,kBAAkB,SAAS,MAAM,KAAK,MAAM,SAAS,KAAK,CAAC;AAAA,UAC7D;AAAA,QACF;AACA,eAAQ,MAAM,SAAS,KAAK;AAAA,MAC9B;AAAA,IACF;AACA,WAAO,IAAI,mCAAkB;AAAA,MAC3B;AAAA,MACA,QAAQ;AAAA,QACN,uBAAuB,OACrB,UACoC;AACpC,gBAAM,SAAS,MAAM,KAAK,4BAA4B;AAAA,YACpD,YAAY,MAAM;AAAA,YAClB,WAAW,MAAM;AAAA,YACjB,QAAQ;AAAA,YACR,OAAO,MAAM;AAAA,UACf,CAAC;AACD,iBAAO;AAAA,YACL,GAAG;AAAA,YACH,mBAAe;AAAA,cACb,MAAM;AAAA,YACR;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,MACA;AAAA,MACA,MAAM;AAAA,QACJ,kBAAkB,CAAC,cAAc,KAAK,qBAAqB,SAAS;AAAA,MACtE;AAAA,MACA,WAAW;AAAA,QACT,gBAAgB,OAAO,WAAW,iBAAiB;AACjD,cAAI,CAAC,KAAK,YAAY,CAAC,oBAAoB,WAAW,KAAK,GAAG,GAAG;AAC/D,mBAAO;AAAA,UACT;AACA,cAAI,CAAC,KAAK,OAAO,MAAM;AACrB,mBAAO;AAAA,UACT;AACA,gBAAM,oBAAgB,oCAAkB,KAAK,UAAU,KAAK,QAAQ;AACpE,gBAAM,SAAS,MAAM,2BAAU,gBAE7B,KAAK,OAAO,MAAM,eAAe,YAAY;AAC/C,cAAI,CAAC,OAAO,IAAI;AACd,mBAAO;AAAA,UACT;AACA,gBAAM,OAAO,OAAO;AAGpB,iBAAO,gBAAgB,QAAQ,KAAK,aAChC,KAAK,aACJ;AAAA,QACP;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,uBAA0C;AAChD,QAAI,CAAC,KAAK,iBAAiB;AACzB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,aAAa;AACrB,WAAK,cAAc,KAAK,wBAAwB;AAChD,WAAK,YAAY,WAAW,KAAK,eAAe;AAChD,WAAK,gBAAgB,gBAAgB,cAAc,KAAK,WAAW;AAAA,IACrE;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,mBAAmB,SAAiB,IAAkC;AAC5E,UAAM,OAAO,KAAK;AAClB,UAAM,kBAAc,oCAAkB;AAAA,MACpC,eAAe,KAAK;AAAA,MAAe,eAAe,KAAK;AAAA,MAAe,kBAAkB,KAAK;AAAA,MAC7F,wBAAwB,KAAK;AAAA,MAAwB,iBAAiB,KAAK;AAAA,MAC3E,oBAAoB,KAAK;AAAA,MAAoB,cAAc,KAAK;AAAA,IAClE,CAAC;AACD,UAAM,OAAO;AACb,WAAO,IAAI,kCAAiB;AAAA,MAC1B;AAAA,MACA,QAAQ;AAAA,MACR,YAAY;AAAA,QACV,WAAW,KAAK,8BAA8B;AAAA,QAC9C,SAAS,KAAK,qBAAqB;AAAA,QACnC,wBAAwB,OAAO;AAAA,UAC7B,QAAQ,CAAC,KAAK,sBAAsB,EAAE,aAAa;AAAA,QACrD;AAAA,MACF;AAAA,MACA,IAAI;AAAA,QACF;AAAA,QACA,mBAAmB,YAAY;AAC7B,cAAI;AACF,kBAAM,KAAK,kBAAkB;AAC7B,mBAAO,EAAE,IAAI,MAAe,MAAM,OAAU;AAAA,UAC9C,SAAS,OAAO;AACd,mBAAO,EAAE,IAAI,OAAgB,OAAO,EAAE,MAAM,iBAAiB,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK,GAAG,SAAS,QAAQ,EAAE;AAAA,UACnJ;AAAA,QACF;AAAA,QACA,IAAI,WAAW;AAAE,iBAAO,KAAK,aAAa,KAAK,GAAI;AAAA,QAAU;AAAA,QAC7D,iBAAiB,CAAI,MAAc,eAAuB,QACxD,2BAAU,gBAAmB,MAAM,eAAe,GAAG;AAAA,QACvD,mBAAmB,2BAAU;AAAA,QAC7B,KAAK,KAAK;AAAA,QACV,SAAS,KAAK,YAAY;AAAA,QAC1B,SAAS,KAAK;AAAA,QACd,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MAC3B;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,qBAAqB,gBAAsC;AAEjE,SAAK,sBAAsB,IAAI,uCAAsB;AAErD,UAAM,YAAY,KAAK,MAAM;AAE7B,QAAI,aAAa,KAAK,UAAU;AAC9B,YAAM,aAAsB;AAAA,QAC1B,IAAI,UAAU;AAAA,QACd,KAAK,UAAU;AAAA,QACf,MAAM;AAAA;AAAA,QAEN,KAAK,UAAU;AAAA,QACf,UAAU;AAAA;AAAA,MACZ;AAGA,YAAM,iBAA6B;AAAA,QACjC,KAAK,UAAU;AAAA,QACf,aAAa,UAAU;AAAA,QACvB,SAAS,UAAU;AAAA,QACnB,MAAM;AAAA;AAAA,QACN,SAAS;AAAA,UACP;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AAAA,QACA,QAAQ,KAAK,iBAAiB;AAAA,QAC9B,WAAW;AAAA,QACX,oBAAoB;AAAA,MACtB;AAGA,YAAM,cAAc,CAAC,cAAc;AAGnC,UAAI,UAAU,QAAQ;AACpB,mBAAW,CAAC,WAAW,OAAO,KAAK,OAAO,QAAQ,UAAU,MAAM,GAAG;AACnE,sBAAY,KAAK;AAAA,YACf,KAAK,UAAU;AAAA,YACf,aAAa,UAAU;AAAA,YACvB;AAAA,YACA,MAAM;AAAA,YACN,SAAS;AAAA,cACP;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,cACA;AAAA,YACF;AAAA,YACA,QAAQ,KAAK,iBAAiB;AAAA,YAC9B,WAAW;AAAA,YACX,oBAAoB;AAAA,UACtB,CAAC;AAAA,QACH;AAAA,MACF;AAEA,WAAK,oBAAoB,YAAY,YAAY,WAAW;AAAA,IAC9D;AAGA,SAAK,qBAAqB,IAAI,mCAAkB;AAAA,MAC9C,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MACzB,SAAS;AAAA,MACT,QAAQ,KAAK;AAAA,MACb,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,IACzC,CAAC;AAGD,SAAK,gBAAgB,IAAI,8BAAa;AAAA,MACpC,OAAO,CAAC,KAAK,OAAO,IAAK;AAAA,MACzB,SAAS;AAAA,MACT,QAAQ,KAAK,aAAa;AAAA,MAC1B,OAAO,WAAW,MAAM,KAAK,UAAU;AAAA,MACvC,oBAAoB,KAAK;AAAA,MACzB,SAAS,KAAK;AAAA,MACd,iBAAiB,CAAC,YAAoB;AACpC,eAAO,KAAK,2BAA2B,OAAO;AAAA,MAChD;AAAA,MACA,oBAAoB,CAAC,YAAoB;AACvC,cAAM,YAAY,KAAK,2BAA2B,OAAO;AACzD,cAAM,eAAe,KAAK,mBAAmB,SAAS,SAAS;AAC/D,YAAI,KAAK,iBAAiB;AACxB,uBAAa,WAAW,KAAK,eAAe;AAAA,QAC9C;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAEA,kBAAkB,OAAO,WAAW;AAClC,YAAI;AAEF,gBAAM,qBAAqB,MAAM,KAAK,iBAAiB;AAAA,YACrD,aAAa,OAAO;AAAA,YACpB,MAAM,OAAO;AAAA,YACb,SAAS,OAAO;AAAA,YAChB,sBAAsB,OAAO;AAAA,YAC7B,UAAU,OAAO,SACb,OAAO,OAAO,QAAQ,IAAI,KAAK,IAAI,IACnC;AAAA,UACN,CAAC;AAGD,gBAAM,aAAyB;AAAA,YAC7B,KAAK,mBAAmB;AAAA,YACxB,aAAa,mBAAmB;AAAA,YAChC,cAAc,KAAK;AAAA,YACnB,SAAS,mBAAmB;AAAA,YAC5B,MAAM,mBAAmB;AAAA,YACzB,SAAS,mBAAmB;AAAA,YAC5B,QAAQ,mBAAmB;AAAA,YAC3B,WAAW;AAAA,YACX,oBAAoB,CAAC,mBAAmB;AAAA,YACxC,WAAW,oBAAI,KAAK;AAAA,YACpB,YAAY,mBAAmB,iBAAiB;AAAA,UAClD;AAEA,iBAAO,EAAE,IAAI,MAAM,MAAM,WAAW;AAAA,QACtC,SAAS,OAAO;AACd,iBAAO;AAAA,YACL,IAAI;AAAA,YACJ,OAAO;AAAA,cACL,MAAM;AAAA,cACN,SAAS,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAAA,cAC9D,SAAS;AAAA,YACX;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF,CAAC;AAID,SAAK,gBAAgB,aAAa;AAAA,MAChC,SAAS;AAAA,MACT,mBAAmB,KAAK;AAAA,MACxB,eAAe,KAAK,iBAAiB;AAAA;AAAA,MAErC,sBAAsB,CAAC,WAAW,KAAK,wBAAwB,MAAM;AAAA;AAAA;AAAA,MAGrE,wBAAwB,KAAK,SACzB,OAAO,WAAW,KAAK,+BAA+B,MAAM,IAC5D;AAAA,IACN,CAAC;AAGD,SAAK,cAAc,aAAa;AAAA,MAC9B,gBAAgB,KAAK;AAAA,IACvB,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,mBAAyB;AAE/B,UAAM,eAAe,KAAK,OAAO,uBAAuB;AACxD,WAAO,IAAI,KAAK,KAAK,IAAI,IAAI,YAAY;AAAA,EAC3C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAmBQ,wBAAwB,QAAgE;AAE9F,UAAM,cAAc;AAAA,MAClB,kBAAkB,OAAO,QAAQ;AAAA,MACjC,eAAe,OAAO,QAAQ;AAAA,MAC9B,KAAK,OAAO,QAAQ;AAAA,MACpB,SAAS,OAAO,QAAQ;AAAA,MACxB,oBAAoB,OAAO,QAAQ;AAAA,IACrC;AAEA,UAAM,SAAS,KAAK,aAAa;AAAA,MAC/B;AAAA,MACA,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AAEA,WAAO;AAAA,MACL,YAAY,OAAO;AAAA,MACnB,KAAK,OAAO;AAAA;AAAA;AAAA;AAAA,MAIZ,aAAa,OAAO,eAAe,OAAO;AAAA,MAC1C,QAAQ,IAAI,KAAK,OAAO,SAAS,GAAI;AAAA,MACrC,WAAW,OAAO;AAAA,IACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,+BAA+B,QAMT;AAClC,QAAI,CAAC,KAAK,QAAQ;AAChB,aAAO;AAAA,IACT;AAEA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAEA,QAAI;AACF,YAAM,OAAO,KAAK,OAAO;AACzB,YAAM,MAAM,oBAAI,KAAK;AAGrB,YAAM,YAAsD;AAAA,QAC1D,IAAI;AAAA,UACF,CAAC,OAAO,IAAI,GAAG,OAAO;AAAA,QACxB;AAAA,MACF;AAGA,YAAM,WAAW,KAAK,aAAa,eAAe;AAAA,QAChD;AAAA,QACA,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,OAAO,gBAAgB,YAAY;AAAA,QACnD,SAAS,OAAO;AAAA,QAChB,aAAa,OAAO;AAAA,MACtB,CAAC;AAGD,YAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAE7D,YAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,QAC/D,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAGD,YAAM,iBAAiB,UAAM;AAAA,QAC3B;AAAA,QACA,kBAAkB;AAAA,MACpB;AAEA,UAAI,CAAC,eAAe,SAAS;AAC3B,eAAO;AAAA,MACT;AAEA,aAAO;AAAA,QACL,KAAK,kBAAkB;AAAA,QACvB,aAAa,OAAO;AAAA,QACpB,kBAAc,yBAAO,QAAQ,SAAS,QAAQ,OAAO;AAAA,QACrD,SAAS,OAAO;AAAA,QAChB,MAAM,OAAO;AAAA,QACb,SAAS,OAAO;AAAA,QAChB,QAAQ,OAAO;AAAA,QACf,WAAW;AAAA,QACX,oBAAoB;AAAA,QACpB,WAAW;AAAA,QACX,YAAY,kBAAkB,iBAAiB;AAAA,MACjD;AAAA,IACF,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,wBAAwB,YAAgC,KAAgB;AAC9E,QAAI,CAAC,KAAK,qBAAqB;AAC7B;AAAA,IACF;AAEA,UAAM,UAAmB;AAAA,MACvB,IAAI,YAAY,WAAW,GAAG;AAAA,MAC9B,KAAK,KAAK;AAAA,MACV,MAAM;AAAA,MACN;AAAA,MACA,UAAU;AAAA,IACZ;AAGA,UAAM,mBAA+B;AAAA,MACnC,KAAK,WAAW;AAAA,MAChB,aAAa,WAAW;AAAA,MACxB,SAAS,WAAW;AAAA,MACpB,MAAM,WAAW;AAAA,MACjB,SAAS,WAAW;AAAA,MACpB,QAAQ,WAAW;AAAA,MACnB,WAAW;AAAA,MACX,oBAAoB,CAAC,WAAW;AAAA,IAClC;AAEA,SAAK,oBAAoB,UAAU,SAAS,gBAAgB;AAAA,EAC9D;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,KAAiB;AACnB,QAAI,CAAC,KAAK,KAAK;AACb,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,MAAmB;AACrB,QAAI,CAAC,KAAK,MAAM;AACd,YAAM,WAAW,KAAK;AACtB,UAAI,SAAS,SAAS,KAAK,CAAC,SAAS,SAAS,KAAK,GAAG;AACpD,cAAM,IAAI,yCAAwB,OAAO,KAAK,OAAO,MAAO,QAAQ;AAAA,MACtE;AACA,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgBA,YAAY,SAA8B;AACxC,QAAI,CAAC,KAAK,mBAAmB,CAAC,KAAK,gBAAgB,SAAS;AAC1D,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAEA,UAAM,MAAM,IAAI,4BAAW,CAAC,CAAC;AAC7B,UAAM,qBAAqB,IAAI,gCAAe;AAAA,MAC5C,QAAQ,KAAK,gBAAgB;AAAA,MAC7B,OAAO,KAAK,gBAAgB;AAAA,MAC5B,OAAO,KAAK,gBAAgB;AAAA,IAC9B,CAAC;AACD,uBAAmB,WAAW,EAAE,GAAG,KAAK,gBAAgB,SAAS,QAAQ,CAAC;AAC1E,QAAI,WAAW,kBAAkB;AACjC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,SAAyB;AAC3B,QAAI,CAAC,KAAK,SAAS;AACjB,YAAM,WAAW,KAAK;AACtB,UAAI,SAAS,SAAS,KAAK,CAAC,SAAS,SAAS,QAAQ,GAAG;AACvD,cAAM,IAAI,yCAAwB,UAAU,KAAK,OAAO,MAAO,QAAQ;AAAA,MACzE;AACA,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,QAA2B;AAC7B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,aAAiC;AACnC,WAAO,KAAK,qBAAqB;AAAA,EACnC;AAAA,EAEA,MAAM,qBACJ,kBAAkB,KAAK,8BAA8B,GAClB;AACnC,UAAM,YAAY,gBAAgB,WAAW,2BAA2B,IACpE,kBACA,KAAK,8BAA8B,eAAe;AACtD,UAAM,WAAW,MAAM;AAAA,MACrB,GAAG,KAAK,OAAO,IAAI,wBAAwB,mBAAmB,SAAS,CAAC;AAAA,IAC1E;AACA,QAAI,SAAS,WAAW,KAAK;AAC3B,aAAO;AAAA,IACT;AACA,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,sCAAsC,SAAS,UAAU,SAAS,MAAM,IAAI,MAAM,SAAS,KAAK,CAAC;AAAA,MACnG;AAAA,IACF;AACA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAGlC,WAAO,gBAAgB,QAAQ,KAAK,aAAa,KAAK,aAAa;AAAA,EACrE;AAAA,EAEA,MAAM,wBACJ,OAAO,iCACqB;AAC5B,UAAM,aAAa,MAAM,KAAK,YAAY;AAC1C,UAAM,WAAW,KAAK;AACtB,UAAM,YAAY,KAAK,8BAA8B,IAAI;AACzD,UAAM,OAAO;AAAA,MACX;AAAA,MACA;AAAA,MACA,WAAW,EAAE,GAAG,GAAG,GAAG,EAAE;AAAA,IAC1B;AACA,UAAM,SAAS,KAAK,uBAAuB;AAC3C,UAAM,QAAQ;AAAA,MACZ,MAAM;AAAA,MACN;AAAA,MACA;AAAA,MACA,cAAU;AAAA,QACR,OAAO;AAAA,QACP;AAAA,MACF;AAAA,MACA,QAAQ;AAAA,IACV;AACA,UAAM,SAAS,MAAM,KAAK,4BAA4B;AAAA,MACpD;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR;AAAA,IACF,CAAC;AACD,UAAM,WAAW,MAAM,MAAM,GAAG,KAAK,OAAO,IAAI,wBAAwB;AAAA,MACtE,QAAQ;AAAA,MACR,SAAS;AAAA,QACP,eAAe,OAAO;AAAA,QACtB,gBAAgB;AAAA,MAClB;AAAA,MACA,UAAM;AAAA,QACJ;AAAA,MACF;AAAA,IACF,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,IAAI;AAAA,QACR,uCAAuC,SAAS,UAAU,SAAS,MAAM,IAAI,MAAM,SAAS,KAAK,CAAC;AAAA,MACpG;AAAA,IACF;AACA,UAAM,UAAW,MAAM,SAAS,KAAK;AACrC,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,wBACJ,OAAO,iCACqB;AAC5B,UAAM,WAAW,MAAM,KAAK,qBAAqB,IAAI;AACrD,QAAI,UAAU;AACZ,aAAO;AAAA,IACT;AACA,WAAO,KAAK,wBAAwB,IAAI;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAA2B;AAC7B,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,WAAK,WAAW,IAAI,mBAAmB;AAAA,QACrC,YAAY,MAAM,KAAK,eAAe;AAAA,QACtC,aAAa,MAAM,KAAK;AAAA,QACxB,gBAAgB,CAAC,gBAAgB,KAAK,sBAAsB,WAAW;AAAA,QACvE,kBAAkB,CAAC,eAAe,KAAK,wBAAwB,UAAU;AAAA,QACzE,aAAa,MAAM,KAAK,WAAW,UAAa,KAAK,OAAO;AAAA,QAC5D,wBAAwB,MAAM,KAAK,8BAA8B;AAAA,QACjE,iBAAiB,MAAM,KAAK,UAAU;AAAA,MACxC,CAAC;AAAA,IACH;AACA,WAAO,KAAK;AAAA,EACd;AAAA,EAEQ,iBAAkC;AACxC,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,cAAc;AACtB,WAAK,eAAe,IAAI,gCAAe,MAAM,KAAK,MAAM,SAAS,EAAE,KAAK;AAAA,IAC1E;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,QAAuB;AACzB,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,IAAI,qBAA6C;AAC/C,QAAI,CAAC,KAAK,qBAAqB;AAC7B,YAAM,IAAI,MAAM,wCAAwC;AAAA,IAC1D;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,IAAI,cAKF;AACA,UAAM,WAAW,KAAK;AACtB,QAAI,CAAC,UAAU;AACb,aAAO;AAAA,QACL,MAAM,MAAM,CAAC;AAAA,QACb,KAAK,MAAM;AAAA,MACb;AAAA,IACF;AAEA,WAAO;AAAA,MACL,MAAM,MAAM,SAAS,mBAAmB,EAAE,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,MACzE,KAAK,CAAC,QAAgB;AACpB,cAAM,eAAe,SAAS,mBAAmB;AACjD,cAAM,QAAQ,aAAa,KAAK,CAAC,MAAM,EAAE,WAAW,QAAQ,GAAG;AAC/D,eAAO,OAAO;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,sBAAsB,aAAyC;AAC7D,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,WAAW,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AACvE,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,QAAI,KAAK,+BAA+B,SAAS,QAAQ,GAAG;AAC1D,aAAO;AAAA,IACT;AAEA,WAAO,KAAK,sCAAsC,UAAU,OAAO,EAAE,SAAS;AAAA,EAChF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gCACE,aACsB;AACtB,SAAK,oCAAoC;AACzC,QAAI,gBAAgB,QAAW;AAC7B,aAAO,KAAK,wBAAwB,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,IACrE;AAEA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,WAAW,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AACvE,aAAO,CAAC;AAAA,IACV;AACA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,WAAO,KAAK,sCAAsC,UAAU,OAAO,EAAE;AAAA,MACnE,CAAC,UAAU,MAAM;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,qBAAqB,YAA+C;AACxE,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AACA,QAAI,WAAW,OAAO,QAAQ,KAAK,KAAK,IAAI,GAAG;AAC7C,YAAM,IAAI,qCAAoB,WAAW,MAAM;AAAA,IACjD;AAEA,UAAM,eAAe,CAAC,QAAQ,oBAAoB,KAAK,UAAU;AACjE,QAAI,CAAC,aAAa,KAAK,CAAC,QAAQ,oBAAoB,WAAW,aAAa,GAAG,CAAC,GAAG;AACjF,YAAM,IAAI;AAAA,QACR,8BAA8B,WAAW,WAAW,4BAA4B,QAAQ,kBAAkB;AAAA,MAC5G;AAAA,IACF;AAEA,UAAM,aAAa,WAAW,QAAQ,KAAK,OAAO;AAClD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,WAAW;AAAA,IACb;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,qDAAqD,eAAe,KAAK;AAAA,MAC3E;AAAA,IACF;AAEA,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UAAU,MAAM,WAAW,QAAQ,WAAW;AAAA,IACjD;AACA,SAAK,wBAAwB;AAAA,MAC3B,KAAK,2BAA2B,YAAY,OAAO;AAAA,IACrD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,wBACJ,aACA,SAC+B;AAC/B,QAAI,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AAC3D,YAAM,IAAI,MAAM,gEAAgE;AAAA,IAClF;AACA,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AAEA,UAAM,gBAAgB,sBAAsB,QAAQ,IAAI;AACxD,QAAI,kBAAkB,QAAW;AAC/B,YAAM,WAAW,eAAc;AAC/B,UAAI,cAAc,QAAQ,KAAK,KAAK,IAAI,IAAI,UAAU;AACpD,cAAM,IAAI,qCAAoB,aAAa;AAAA,MAC7C;AAAA,IACF;AAEA,UAAM,WAAW,KAAK,wBAAwB,WAAW;AACzD,QAAI,KAAK,+BAA+B,SAAS,QAAQ,GAAG;AAC1D,aAAO,CAAC;AAAA,IACV;AAEA,UAAM,iBAAiB,KAAK,sCAAsC,UAAU,OAAO;AACnF,QAAI,eAAe,SAAS,GAAG;AAC7B,aAAO,eAAe,IAAI,CAAC,UAAU,MAAM,UAAU;AAAA,IACvD;AACA,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAEA,UAAM,aAAa,SAAS;AAAA,MAAO,CAAC,UAClC,KAAK,4BAA4B,KAAK;AAAA,IACxC;AACA,UAAM,eAAe,SAAS;AAAA,MAAO,CAAC,UACpC,CAAC,KAAK,4BAA4B,KAAK;AAAA,IACzC;AAEA,UAAM,UAAU,oBAAI,IAA+B;AACnD,eAAW,SAAS,cAAc;AAChC,YAAM,UAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,YAAM,UAAU,QAAQ,IAAI,OAAO,KAAK,CAAC;AACzC,cAAQ,KAAK,KAAK;AAClB,cAAQ,IAAI,SAAS,OAAO;AAAA,IAC9B;AACA,QAAI,QAAQ,SAAS,KAAK,WAAW,SAAS,GAAG;AAC/C,cAAQ,IAAI,QAAQ,SAAS,CAAC,CAAC;AAAA,IACjC;AAEA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,oBAAoB,gBAAgB,SAAS,MAAM;AACzD,QAAI,YAAY,IAAI,KAAK,IAAI,QAAQ,IAAI,iBAAiB;AAC1D,QAAI,kBAAkB,UAAa,gBAAgB,WAAW;AAC5D,kBAAY;AAAA,IACd;AAEA,UAAM,cAAoC,CAAC;AAC3C,QAAI,qBAAqB;AACzB,eAAW,CAAC,SAAS,OAAO,KAAK,SAAS;AACxC,YAAM,mBAAmB,CAAC,qBAAqB,aAAa,CAAC;AAC7D,UAAI,iBAAiB,SAAS,GAAG;AAC/B,6BAAqB;AAAA,MACvB;AACA,YAAM,mBAAmB,CAAC,GAAG,SAAS,GAAG,gBAAgB;AACzD,YAAM,YAAY,KAAK,uBAAuB,OAAO;AACrD,YAAM,WAAW,KAAK,aAAa,eAAe;AAAA,QAChD;AAAA,QACA,GAAI,iBAAiB,SAAS,IAC1B,EAAE,cAAc,KAAK,0BAA0B,gBAAgB,EAAE,IACjE,CAAC;AAAA,QACL,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,UAAU,YAAY;AAAA,QACtC;AAAA,QACA,KAAK,QAAQ;AAAA,MACf,CAAC;AAED,YAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAC7D,YAAM,mBAAmB,KAAK,aAAa,qBAAqB;AAAA,QAC9D,GAAG;AAAA,QACH;AAAA,MACF,CAAC;AAED,YAAM,iBAAiB,UAAM;AAAA,QAC3B,KAAK,OAAO;AAAA,QACZ,iBAAiB;AAAA,MACnB;AACA,UAAI,CAAC,eAAe,SAAS;AAC3B,cAAM,IAAI;AAAA,UACR,qDAAqD,eAAe,KAAK;AAAA,QAC3E;AAAA,MACF;AAEA,YAAM,aAAa,KAAK;AAAA,QACtB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AACA,WAAK,wBAAwB,KAAK;AAAA,QAChC,SAAS;AAAA,UACP,kBAAkB,iBAAiB;AAAA,UACnC,eAAe,iBAAiB;AAAA,UAChC;AAAA,UACA,oBAAoB,QAAQ;AAAA,UAC5B,KAAK,QAAQ;AAAA,QACf;AAAA,QACA;AAAA,QACA,YAAY,KAAK,qBAAqB,kBAAkB,OAAO;AAAA,QAC/D;AAAA,MACF,CAAC;AACD,kBAAY,KAAK,UAAU;AAAA,IAC7B;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA2BA,IAAI,oBAAuC;AACzC,QAAI,CAAC,KAAK,oBAAoB;AAC5B,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,IAAI,SAAwB;AAC1B,QAAI,CAAC,KAAK,eAAe;AACvB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,eAA8B;AAChC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAA2B;AAC/B,WAAO,KAAK,OAAO,IAAI,SAAS;AAAA,EAClC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAgCA,IAAI,UAA2B;AAG7B,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,iBAAkC;AACpC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,oBAAoB;AACxB,QAAI,CAAC,KAAK,QAAQ,CAAC,KAAK,WAAW,CAAC,KAAK,QAAQ;AAC/C,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAEA,UAAM,gBAAgB,KAAK,QAAQ,QAAQ;AAC3C,QAAI,CAAC,eAAe;AAClB,YAAM,IAAI,MAAM,kEAAkE;AAAA,IACpF;AAGA,UAAO,KAAK,KAA+B,gBAAgB,aAAa;AAMxE,UAAM,YAAY;AAAA,MAChB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,UAAM,YAAY,EAAE,IAAI,EAAE,IAAI,UAAU,EAAE;AAC1C,UAAM,MAAM,oBAAI,KAAK;AAIrB,UAAM,WAAW,wBAAO;AACxB,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAExD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,KAAK,QAAQ,OAAO;AAAA,MAC3D,SAAS,KAAK,QAAQ;AAAA,MACtB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS;AAAA,MACT,KAAK,KAAK,QAAQ;AAAA,MAClB,SAAS,CAAC,KAAK,QAAQ,aAAa;AAAA,IACtC,CAAC;AAED,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAE7D,UAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,MAC/D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAED,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ,kBAAkB;AAAA,IACpB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,+CAA+C,eAAe,KAAK,EAAE;AAAA,IACvF;AAIA,QAAI,KAAK,uBAAuB,KAAK,SAAS;AAC5C,YAAM,aAAsB;AAAA,QAC1B,IAAI,KAAK,QAAQ;AAAA,QACjB,KAAK,KAAK,QAAQ;AAAA,QAClB,MAAM;AAAA,QACN,KAAK,KAAK,QAAQ;AAAA,QAClB,UAAU;AAAA,MACZ;AACA,WAAK,oBAAoB,YAAY,YAAY,CAAC;AAAA,QAChD,KAAK,kBAAkB;AAAA,QACvB,aAAa,KAAK,QAAQ;AAAA,QAC1B,SAAS;AAAA,QACT,MAAM;AAAA,QACN,SAAS;AAAA,QACT,QAAQ;AAAA,QACR,WAAW;AAAA,QACX,oBAAoB;AAAA,MACtB,CAAC,CAAC;AAAA,IACJ;AAGA,QAAI,KAAK,iBAAiB;AACxB,YAAM,WAAW,IAAI,2BAAU,EAAE,QAAQ,GAAG,CAAC;AAC7C,YAAM,gBAAgB,IAAI,gCAAe;AAAA,QACvC,QAAQ,KAAK;AAAA,QACb,OAAO,KAAK,gBAAgB;AAAA,QAC5B,OAAO,KAAK,gBAAgB;AAAA,MAC9B,CAAC;AACD,oBAAc,WAAW;AAAA,QACvB,kBAAkB,kBAAkB;AAAA,QACpC,eAAe,kBAAkB;AAAA,QACjC,SAAS;AAAA,QACT,oBAAoB,KAAK,QAAQ;AAAA,QACjC,KAAK,KAAK,QAAQ;AAAA,MACpB,CAAC;AACD,eAAS,WAAW,aAAa;AACjC,WAAK,YAAY;AAAA,IACnB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,IAAI,WAAuB;AACzB,QAAI,KAAK,WAAW;AAClB,aAAO,KAAK;AAAA,IACd;AACA,QAAI,CAAC,KAAK,IAAI;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AACA,WAAO,KAAK,GAAG;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA6BA,MAAM,SAAS,QAAuE;AACpF,WAAO,KAAK,kBAAkB,OAAO,MAAM;AAAA,EAC7C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAiB,KAA8C;AACnE,WAAO,KAAK,kBAAkB,OAAO,GAAG;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,kBAA2D;AAC/D,WAAO,KAAK,kBAAkB,KAAK;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,gBAAgB,MAAc,QAAoD;AACtF,WAAO,KAAK,kBAAkB,gBAAgB,MAAM,MAAM;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqDA,MAAM,WACJ,KACA,aACA,SAC2B;AAG3B,UAAM,UAAU,KAAK,wBAAwB;AAC7C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,qCAAoB,oBAAI,KAAK,CAAC,CAAC;AAAA,IAC3C;AACA,UAAM,gBAAgB,sBAAsB,QAAQ,IAAI;AACxD,QAAI,kBAAkB,QAAW;AAC/B,YAAMC,OAAM,KAAK,IAAI;AACrB,YAAM,WAAW,eAAc;AAC/B,UAAI,cAAc,QAAQ,KAAKA,OAAM,UAAU;AAC7C,cAAM,IAAI,qCAAoB,aAAa;AAAA,MAC7C;AAAA,IACF;AAIA,QAAI,CAAC,MAAM,QAAQ,WAAW,KAAK,YAAY,WAAW,GAAG;AAC3D,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAMA,UAAM,kBAAkB,KAAK,wBAAwB,WAAW;AAMhE,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,gBAAgB,SAAS,MAAM;AAChD,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AACxD,QAAI,sBAAsB;AAC1B,QAAI,kBAAkB,UAAa,gBAAgB,gBAAgB;AACjE,4BAAsB;AAAA,IACxB;AAQA,QAAI,SAAS,iBAAiB;AAC5B,UAAI,gBAAgB,SAAS,GAAG;AAC9B,cAAM,IAAI;AAAA,UACR;AAAA,QAIF;AAAA,MACF;AACA,YAAMC,cAAa,MAAM,KAAK;AAAA,QAC5B;AAAA,QACA,gBAAgB,CAAC;AAAA,QACjB;AAAA,MACF;AACA,aAAO,EAAE,YAAAA,aAAY,UAAU,KAAK;AAAA,IACtC;AAcA,UAAM,cAAU;AAAA,MACd,CAAC,SAAiB,KAAK,aAAa,mBAAmB,IAAI;AAAA,MAC3D,QAAQ;AAAA,IACV;AACA,UAAM,EAAE,QAAQ,QAAQ,QAAI,qCAAmB,iBAAiB,OAAO;AAEvE,QAAI,CAAC,QAAQ;AACX,YAAM,eAAe,KAAK;AAAA,QACxB,KAAK,8BAA8B,iBAAiB,OAAO;AAAA,MAC7D;AACA,UAAI,cAAc;AAChB,cAAM,WAAW,eAAc;AAC/B,YAAI,aAAa,UAAU,QAAQ,KAAK,KAAK,IAAI,IAAI,UAAU;AAC7D,gBAAM,IAAI,qCAAoB,aAAa,SAAS;AAAA,QACtD;AACA,cAAM,oBACJ,aAAa,YAAY,sBACrB,aAAa,YACb;AACN,cAAMA,cAAa,MAAM,KAAK;AAAA,UAC5B;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,eAAO,EAAE,YAAAA,aAAY,UAAU,MAAM;AAAA,MACvC;AACA,YAAM,IAAI,8CAA6B,SAAS,OAAO;AAAA,IACzD;AAQA,UAAM,aAAa,MAAM,KAAK;AAAA,MAC5B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AACA,WAAO,EAAE,YAAY,UAAU,MAAM;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,sBACJ,KACA,UAA+C,KAAK,mBACM;AAC1D,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,SAAS,QAAQ,kBAAkB;AAAA,MAAK,CAAC,UAC7C,oBAAoB,MAAM,KAAK,GAAG;AAAA,IACpC;AACA,QAAI,CAAC,QAAQ;AACX,YAAM,IAAI,MAAM,+CAA+C,GAAG,EAAE;AAAA,IACtE;AACA,UAAM,SAAS,MAAM,KAAK,WAAW,OAAO,KAAK,OAAO,aAAa;AAAA,MACnE,QAAQ,OAAO;AAAA,IACjB,CAAC;AACD,WAAO,EAAE,GAAG,QAAQ,OAAO;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,uBACJ,UAA+C,KAAK,mBACa;AACjE,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,UAAM,MAA8D,CAAC;AACrE,eAAW,UAAU,QAAQ,mBAAmB;AAC9C,UAAI,KAAK,MAAM,KAAK,sBAAsB,OAAO,KAAK,OAAO,CAAC;AAAA,IAChE;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,MAAc,4BACZ,KACA,SACA,gBACA,SAC6B;AAC7B,QAAI,QAAQ,WAAW,GAAG;AACxB,YAAM,IAAI;AAAA,QACR;AAAA,MACF;AAAA,IACF;AAIA,UAAM,iBAAiB,oBAAI,IAAY;AACvC,eAAW,SAAS,SAAS;AAC3B,UAAI,KAAK,4BAA4B,KAAK,GAAG;AAC3C;AAAA,MACF;AACA,YAAMC,WAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,qBAAe,IAAIA,QAAO;AAAA,IAC5B;AACA,QAAI,eAAe,OAAO,GAAG;AAC3B,YAAM,IAAI;AAAA,QACR,sEAAsE,eAAe,IAAI,KAAK,KAAK,UAAU,CAAC,GAAG,cAAc,CAAC,CAAC;AAAA,MACnI;AAAA,IACF;AACA,UAAM,UAAU,eAAe,SAAS,IACpC,CAAC,GAAG,cAAc,EAAE,CAAC,IACrB,QAAQ;AAWZ,UAAM,YAA0B,CAAC;AACjC,eAAW,SAAS,SAAS;AAC3B,YAAM,eAAe,uCAAsB,MAAM,OAAO;AACxD,UAAI,iBAAiB,QAAW;AAC9B,cAAM,IAAI;AAAA,UACR,gCAAgC,MAAM,OAAO;AAAA,QAC/C;AAAA,MACF;AACA,UAAI,UAAU,YAAY,MAAM,QAAW;AACzC,kBAAU,YAAY,IAAI,CAAC;AAAA,MAC7B;AACA,YAAM,WAAW,UAAU,YAAY;AACvC,YAAM,WAAW,SAAS,MAAM,IAAI;AACpC,UAAI,aAAa,QAAW;AAC1B,iBAAS,MAAM,IAAI,IAAI,CAAC,GAAG,MAAM,OAAO;AAAA,MAC1C,OAAO;AACL,cAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,mBAAW,UAAU,MAAM,SAAS;AAClC,cAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,qBAAS,KAAK,MAAM;AACpB,iBAAK,IAAI,MAAM;AAAA,UACjB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAIA,UAAM,iBAAiC;AAAA,MACrC,kBAAkB,QAAQ;AAAA,MAC1B,eAAe,QAAQ;AAAA,MACvB,KAAK,QAAQ;AAAA,MACb;AAAA,MACA,oBAAoB,QAAQ;AAAA,IAC9B;AAEA,UAAM,iBAAiB,KAAK,MAAM,eAAe,QAAQ,IAAI,GAAI;AACjE,UAAM,SAAS,KAAK,wBAAwB;AAAA,MAC1C,SAAS;AAAA,MACT,aAAa;AAAA,MACb;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAWD,UAAM,UAAU,OAAO,UAAU,CAAC;AAMlC,UAAM,mBAAmB,EAAE,eAAe,OAAO,WAAW;AAM5D,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,4CAA4C,eAAe,KAAK;AAAA,MAClE;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK,OAAO;AAAA,MACZ;AAAA,MACA;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,WAAW,OAAO;AAAA,MAClB,sBAAsB;AAAA,MACtB,QAAQ,OAAO;AAAA,MACf,aAAa;AAAA,MACb,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAAA,EACF;AAAA,EAEA,MAAc,gCACZ,KACA,SACA,gBACA,OAC6B;AAC7B,UAAM,SAAS,KAAK,wBAAwB;AAAA,MAC1C,SAAS,MAAM;AAAA,MACf,aAAa;AAAA,MACb,SAAS,MAAM,QAAQ;AAAA,MACvB,WAAW,KAAK,uBAAuB,OAAO;AAAA,MAC9C,gBAAgB,KAAK,MAAM,eAAe,QAAQ,IAAI,GAAI;AAAA,IAC5D,CAAC;AAED,UAAM,UAAU,OAAO,UAAU,CAAC;AAClC,UAAM,mBAAmB,EAAE,eAAe,OAAO,WAAW;AAC5D,UAAM,aAAa,MAAM,WAAW,QAAQ,KAAK,OAAO;AACxD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA;AAAA,IACF;AACA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR,4CAA4C,eAAe,KAAK;AAAA,MAClE;AAAA,IACF;AAEA,WAAO;AAAA,MACL,KAAK,OAAO;AAAA,MACZ;AAAA,MACA,SAAS,MAAM,QAAQ;AAAA,MACvB,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,WAAW,OAAO;AAAA,MAClB,sBAAsB;AAAA,MACtB,QAAQ,OAAO;AAAA,MACf,aAAa;AAAA,MACb,cAAc,MAAM,WAAW;AAAA,MAC/B,SAAS,MAAM,WAAW;AAAA,MAC1B,MAAM;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,uBACN,OACA,SACQ;AACR,QAAI,UAAU,QAAW;AACvB,aAAO,KAAK,aAAa;AAAA,QACvB,QAAQ;AAAA,QACR,QAAQ;AAAA,QACR;AAAA,MACF;AAAA,IACF;AACA,QAAI,UAAU,WAAW;AACvB,aAAO,QAAQ;AAAA,IACjB;AACA,QAAI,MAAM,WAAW,YAAY,GAAG;AAClC,aAAO;AAAA,IACT;AACA,WAAO,KAAK,aAAa,YAAY,QAAQ,SAAS,QAAQ,SAAS,KAAK;AAAA,EAC9E;AAAA,EAEQ,wBACN,aACmB;AACnB,eAAO,iBAAAC,yBAA4B,WAAW;AAAA,EAChD;AAAA,EAEQ,iBAAiB,SAAyB;AAChD,UAAM,QAAQ,uCAAsB,OAAO;AAC3C,QAAI,UAAU,QAAW;AACvB,YAAM,IAAI;AAAA,QACR,oBAAoB,OAAO;AAAA,MAC7B;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,uBAAuB,SAA0C;AACvE,UAAM,YAA0B,CAAC;AACjC,eAAW,SAAS,SAAS;AAC3B,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,kDAAuB,CAAC;AACxB,YAAM,WAAW,UAAU,OAAO,EAAE,MAAM,IAAI,KAAK,CAAC;AACpD,YAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,iBAAW,UAAU,MAAM,SAAS;AAClC,YAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,mBAAS,KAAK,MAAM;AACpB,eAAK,IAAI,MAAM;AAAA,QACjB;AAAA,MACF;AACA,gBAAU,OAAO,EAAE,MAAM,IAAI,IAAI;AAAA,IACnC;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,4BAA4B,OAAiC;AACnE,WAAO,MAAM,YAAY,kDACvB,MAAM,KAAK,WAAW,2BAA2B;AAAA,EACrD;AAAA,EAEQ,0BACN,SAC0B;AAC1B,UAAM,eAAyC,CAAC;AAChD,eAAW,SAAS,SAAS;AAC3B,UAAI,CAAC,KAAK,4BAA4B,KAAK,GAAG;AAC5C;AAAA,MACF;AACA,YAAM,WAAW,aAAa,MAAM,IAAI,KAAK,CAAC;AAC9C,YAAM,OAAO,IAAI,IAAI,QAAQ;AAC7B,iBAAW,UAAU,MAAM,SAAS;AAClC,YAAI,CAAC,KAAK,IAAI,MAAM,GAAG;AACrB,mBAAS,KAAK,MAAM;AACpB,eAAK,IAAI,MAAM;AAAA,QACjB;AAAA,MACF;AACA,mBAAa,MAAM,IAAI,IAAI;AAAA,IAC7B;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,qBACN,SACA,SAC8B;AAC9B,WAAO,QAAQ,QAAQ,CAAC,UAAU;AAChC,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,aAAO,MAAM,QAAQ,IAAI,CAAC,YAAY;AAAA,QACpC,GAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,IACrD,EAAE,UAAU,MAAM,KAAK,IACvB,EAAE,QAAQ;AAAA,QACd;AAAA,QACA,MAAM,MAAM;AAAA,QACZ;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,+BACN,SACA,SACS;AACT,QAAI;AACF,YAAM,cAAU;AAAA,QACd,CAAC,SAAiB,KAAK,aAAa,mBAAmB,IAAI;AAAA,QAC3D,QAAQ;AAAA,MACV;AACA,iBAAO,qCAAmB,SAAS,OAAO,EAAE;AAAA,IAC9C,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA,EAEQ,8BACN,SACA,SAC8B;AAC9B,WAAO,QAAQ,QAAQ,CAAC,UAAU;AAChC,YAAM,UAAU,KAAK,uBAAuB,MAAM,OAAO,OAAO;AAChE,YAAM,UAAU,KAAK,iBAAiB,MAAM,OAAO;AACnD,aAAO,MAAM,QAAQ,IAAI,CAAC,YAAY;AAAA,QACpC,GAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,IACrD,EAAE,UAAU,MAAM,KAAK,IACvB,EAAE,QAAQ;AAAA,QACd;AAAA,QACA,MAAM,MAAM;AAAA,QACZ;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,sCACN,SACA,SAC0B;AAC1B,UAAM,SAAmC,CAAC;AAC1C,UAAM,aAAa,KAAK,8BAA8B,SAAS,OAAO;AACtE,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,IACT;AAEA,eAAW,aAAa,YAAY;AAClC,YAAM,QAAQ,KAAK,sBAAsB,SAAS;AAClD,UAAI,CAAC,OAAO;AACV,eAAO,CAAC;AAAA,MACV;AACA,UAAI,CAAC,OAAO,SAAS,KAAK,GAAG;AAC3B,eAAO,KAAK,KAAK;AAAA,MACnB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,6BACN,kBAIA,SACA,SACA,SACA,WACoB;AACpB,UAAM,YAAY,KAAK,6BAA6B,SAAS,OAAO;AACpE,UAAM,UAAU,UAAU,CAAC;AAC3B,WAAO;AAAA,MACL,KAAK,iBAAiB;AAAA,MACtB,kBAAkB,iBAAiB;AAAA,MACnC;AAAA,MACA,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB;AAAA,MACA,sBAAsB;AAAA,MACtB,QAAQ;AAAA,MACR,aAAa,QAAQ;AAAA,MACrB,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAAA,EACF;AAAA,EAEQ,2BACN,YACA,SACwB;AACxB,UAAM,aAAa,KAAK,yBAAyB,UAAU;AAC3D,WAAO;AAAA,MACL,SAAS;AAAA,QACP,kBAAkB,WAAW;AAAA,QAC7B,eAAe,WAAW;AAAA,QAC1B,SAAS,WAAW;AAAA,QACpB,oBAAoB,QAAQ;AAAA,QAC5B,KAAK,QAAQ;AAAA,MACf;AAAA,MACA;AAAA,MACA;AAAA,MACA,WAAW,WAAW;AAAA,IACxB;AAAA,EACF;AAAA,EAEQ,sCACN,YACA,SACA,WACM;AACN,UAAM,aAAa,KAAK,yBAAyB,UAAU;AAC3D,QAAI,WAAW,WAAW,GAAG;AAC3B;AAAA,IACF;AACA,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UACC,MAAM,WAAW,QAAQ,WAAW,OACpC,MAAM,QAAQ,kBAAkB,QAAQ;AAAA,IAC5C;AACA,SAAK,wBAAwB,KAAK;AAAA,MAChC;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,6BACN,SACA,SACqB;AACrB,WAAO,QAAQ,IAAI,CAAC,WAAW;AAAA,MAC7B,SAAS,KAAK,iBAAiB,MAAM,OAAO;AAAA,MAC5C,OAAO,KAAK,4BAA4B,KAAK,IAAI,eAAe;AAAA,MAChE,MAAM,MAAM;AAAA,MACZ,SAAS,CAAC,GAAG,MAAM,OAAO;AAAA,IAC5B,EAAE;AAAA,EACJ;AAAA,EAEQ,yBACN,YAC8B;AAC9B,UAAM,YACJ,WAAW,cAAc,UAAa,WAAW,UAAU,SAAS,IAChE,WAAW,YACX,KAAK,wBAAwB,UAAU;AAE7C,WAAO,UAAU,QAAQ,CAAC,aAAa;AACrC,YAAM,UAAU,KAAK,sBAAsB,SAAS,OAAO;AAC3D,aAAO,SAAS,QAAQ,IAAI,CAAC,YAAY;AAAA,QACvC,GAAI,KAAK,6BAA6B,SAAS,SAAS,IAAI,IACxD,EAAE,UAAU,SAAS,KAAK,IAC1B,EAAE,SAAS,SAAS,MAAM;AAAA,QAC9B;AAAA,QACA,MAAM,SAAS;AAAA,QACf;AAAA,MACF,EAAE;AAAA,IACJ,CAAC;AAAA,EACH;AAAA,EAEQ,wBACN,YACqB;AACrB,UAAM,YAAY,oBAAI,IAAsB;AAC5C,eAAW,UAAU,WAAW,SAAS;AACvC,YAAM,UAAU,KAAK,iBAAiB,OAAO,MAAM,GAAG,EAAE,CAAC,CAAC;AAC1D,YAAM,UAAU,UAAU,IAAI,OAAO,KAAK,CAAC;AAC3C,cAAQ,KAAK,MAAM;AACnB,gBAAU,IAAI,SAAS,OAAO;AAAA,IAChC;AACA,WAAO,CAAC,GAAG,UAAU,QAAQ,CAAC,EAAE,IAAI,CAAC,CAAC,SAAS,OAAO,OAAO;AAAA,MAC3D;AAAA,MACA,OAAO,WAAW;AAAA,MAClB,MAAM,WAAW;AAAA,MACjB;AAAA,IACF,EAAE;AAAA,EACJ;AAAA,EAEQ,wBACN,UACA,SACA,MACA,QACgB;AAChB,UAAM,QAAQ,KAAK,sBAAsB;AAAA,MACvC,SAAS,SAAS;AAAA,MAClB,SAAS,KAAK,sBAAsB,OAAO;AAAA,MAC3C;AAAA,MACA;AAAA,IACF,CAAC;AACD,WAAO,OAAO,WAAW;AAAA,EAC3B;AAAA,EAEQ,uBACN,YACoC;AACpC,QAAI,WAAW,WAAW,GAAG;AAC3B,aAAO;AAAA,IACT;AACA,SAAK,oCAAoC;AACzC,WAAO,KAAK,wBAAwB,KAAK,CAAC,UAAU;AAClD,aAAO,WAAW;AAAA,QAAM,CAAC,cACvB,MAAM,WAAW;AAAA,UAAK,CAAC,YACrB,KAAK,gBAAgB,SAAS,SAAS;AAAA,QACzC;AAAA,MACF;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEQ,sBACN,WACoC;AACpC,WAAO,KAAK,uBAAuB,CAAC,SAAS,CAAC;AAAA,EAChD;AAAA,EAEQ,sCAA4C;AAClD,UAAM,MAAM,KAAK,IAAI;AACrB,SAAK,0BAA0B,KAAK,wBAAwB;AAAA,MAC1D,CAAC,UAAU,MAAM,UAAU,QAAQ,IAAI;AAAA,IACzC;AAAA,EACF;AAAA,EAEQ,gBACN,SACA,WACS;AACT,QAAI,QAAQ,YAAY,UAAU,WAChC,CAAC,KAAK,eAAe,QAAQ,QAAQ,UAAU,MAAM,GACrD;AACA,aAAO;AAAA,IACT;AAEA,QAAI,QAAQ,aAAa,UAAa,UAAU,aAAa,QAAW;AACtE,aAAO,QAAQ,aAAa,UAC1B,UAAU,aAAa,UACvB,QAAQ,aAAa,UAAU,YAC/B,KAAK,aAAa,QAAQ,MAAM,UAAU,IAAI;AAAA,IAClD;AAEA,WAAO,QAAQ,YAAY,UACzB,UAAU,YAAY,UACtB,QAAQ,YAAY,UAAU,WAC9B,KAAK,aAAa,QAAQ,MAAM,UAAU,IAAI;AAAA,EAClD;AAAA,EAEQ,eAAe,eAAuB,iBAAkC;AAC9E,QAAI,kBAAkB,iBAAiB;AACrC,aAAO;AAAA,IACT;AACA,QAAI,cAAc,SAAS,IAAI,GAAG;AAChC,YAAM,SAAS,cAAc,MAAM,GAAG,EAAE;AACxC,aAAO,gBAAgB,WAAW,GAAG,MAAM,GAAG;AAAA,IAChD;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,sBAAsB,SAAyB;AACrD,WAAO,QAAQ,WAAW,YAAY,IAClC,KAAK,iBAAiB,OAAO,IAC7B;AAAA,EACN;AAAA,EAEQ,6BAA6B,SAAiB,MAAuB;AAC3E,WAAO,YAAY,gBACjB,KAAK,WAAW,2BAA2B;AAAA,EAC/C;AAAA,EAEQ,4BAA4B,OAMO;AACzC,UAAM,UAAU,KAAK,sBAAsB,MAAM,OAAO;AACxD,QAAI,OAAO,MAAM,aAAa,UAAU;AACtC,aAAO;AAAA,QACL,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,QAAI,KAAK,6BAA6B,SAAS,MAAM,IAAI,GAAG;AAC1D,aAAO;AAAA,QACL,UAAU,MAAM;AAAA,QAChB;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,QAAI,OAAO,MAAM,YAAY,UAAU;AACrC,aAAO;AAAA,QACL,SAAS,MAAM;AAAA,QACf;AAAA,QACA,MAAM,MAAM;AAAA,QACZ,QAAQ,MAAM;AAAA,MAChB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA,EAEQ,aAAa,aAAqB,eAAgC;AACxE,QAAI,gBAAgB,MAAM,gBAAgB,KAAK;AAC7C,aAAO;AAAA,IACT;AACA,QAAI,YAAY,SAAS,KAAK,GAAG;AAC/B,aAAO,cAAc,WAAW,YAAY,MAAM,GAAG,EAAE,CAAC;AAAA,IAC1D;AACA,QAAI,YAAY,SAAS,IAAI,GAAG;AAC9B,YAAM,SAAS,YAAY,MAAM,GAAG,EAAE;AACtC,UAAI,CAAC,cAAc,WAAW,MAAM,GAAG;AACrC,eAAO;AAAA,MACT;AACA,YAAM,YAAY,cAAc,MAAM,OAAO,MAAM;AACnD,aAAO,CAAC,UAAU,SAAS,GAAG,KAAK,cAAc;AAAA,IACnD;AACA,QAAI,YAAY,SAAS,GAAG,GAAG;AAC7B,aAAO,cAAc,WAAW,WAAW;AAAA,IAC7C;AACA,WAAO,gBAAgB;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,iCACZ,aACA,OACA,gBAC6B;AAC7B,UAAM,UAAU,KAAK,MAAM;AAC3B,UAAM,kBACJ,YAAY,UAAa,MAAM,UAAU,YACrC,SACA,KAAK,uBAAuB,MAAM,OAAO,OAAO;AACtD,WAAO,KAAK,2BAA2B;AAAA,MACrC,MAAM,MAAM;AAAA,MACZ,SAAS,MAAM;AAAA,MACf;AAAA,MACA,oBAAoB;AAAA,MACpB,UAAU,KAAK,IAAI,GAAG,eAAe,QAAQ,IAAI,KAAK,IAAI,CAAC;AAAA,MAC3D;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAM,iBAAiB,QAeS;AAW9B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,QAAI,CAAC,KAAK,MAAM,kBAAkB;AAChC,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAKA,QAAI,sBAAsB,OAAO;AACjC,QAAI,oBAAoB,SAAS,MAAM,KAAK,KAAK,OAAO,aAAa;AACnE,YAAM,UAAU,MAAM,KAAK,OAAO,YAAY,eAAe,mBAAmB;AAChF,UAAI,CAAC,QAAS,OAAM,IAAI,MAAM,+BAA+B,mBAAmB,EAAE;AAClF,gCAAsB,yBAAO,SAAS,CAAC;AAAA,IACzC;AAYA,UAAM,UAAU;AAAA,MACd,OAAO;AAAA,MACP,OAAO;AAAA,MACP,OAAO;AAAA,IACT;AACA,QAAI;AACF,YAAM,SAAS,MAAM,KAAK;AAAA,QACxB;AAAA,QACA;AAAA,QACA,OAAO,aAAa,SAAY,EAAE,QAAQ,OAAO,SAAS,IAAI;AAAA,MAChE;AACA,aAAO,OAAO;AAAA,IAChB,SAAS,KAAK;AACZ,UAAI,eAAe,+CAA8B;AAAA,MAIjD,OAAO;AAIL,cAAM;AAAA,MACR;AAAA,IACF;AAKA,WAAO,KAAK,2BAA2B;AAAA,MACrC,GAAG;AAAA,MACH,aAAa;AAAA,IACf,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAc,2BAA2B,QAQT;AAC9B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,uEAAuE;AAAA,IACzF;AACA,UAAM,UAAU,KAAK,MAAM;AAC3B,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAGA,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC1E,UAAM,aAAa,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAC5E,UAAM,gBAAgB,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AAClF,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,OAAO,IAAI,GAAG,UAAU;AAAA,IAC5C;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,OAAO,IAAI,GAAG,WAAW;AAAA,IAC9C;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,OAAO,IAAI,GAAG,cAAc;AAAA,IACpD;AAEA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,UAAM,iBAAiB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAKxD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,MACtD,SAAS,QAAQ;AAAA,MACjB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS,OAAO,mBAAmB,QAAQ;AAAA,MAC3C,aAAa,OAAO;AAAA,MACpB,SAAS,CAAC,QAAQ,aAAa;AAAA,IACjC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAG7D,UAAM,oBAAoB,KAAK,aAAa,qBAAqB;AAAA,MAC/D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B,KAAK,OAAO;AAAA,MACZ,kBAAkB;AAAA,IACpB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,kCAAkC,eAAe,KAAK,EAAE;AAAA,IAC1E;AAEA,UAAM,SAA6B;AAAA,MACjC,KAAK,kBAAkB;AAAA,MACvB,kBAAkB,kBAAkB;AAAA,MACpC,SAAS,OAAO,mBAAmB,QAAQ;AAAA,MAC3C,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,sBAAsB,OAAO,wBAAwB;AAAA,MACrD,QAAQ;AAAA,MACR,aAAa,OAAO;AAAA,MACpB,cAAc,QAAQ;AAAA,MACtB,SAAS,QAAQ;AAAA,MACjB,MAAM,KAAK,OAAO;AAAA,IACpB;AAGA,UAAM,eAAe,OAAO,QAAQ,KAAK,OAAK,EAAE,WAAW,eAAe,CAAC;AAC3E,QAAI,gBAAgB,OAAO,uBAAuB,OAAO;AACvD,YAAM,oBAAgB;AAAA,QACpB,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QAAG,QAAQ;AAAA,MAC1D;AACA,YAAM,kBAA4D;AAAA,QAChE,IAAI,EAAE,IAAI,CAAC,oBAAoB,oBAAoB,uBAAuB,EAAE;AAAA,MAC9E;AACA,YAAM,iBAAiB,KAAK,aAAa,eAAe;AAAA,QACtD,WAAW;AAAA,QACX,SAAS,KAAK,aAAa,YAAY,QAAQ,OAAO;AAAA,QACtD,SAAS,QAAQ;AAAA,QACjB,QAAQ,KAAK;AAAA,QACb,UAAU,IAAI,YAAY;AAAA,QAC1B,gBAAgB,eAAe,YAAY;AAAA,QAC3C,SAAS;AAAA,QACT,aAAa,OAAO;AAAA,QACpB,SAAS,CAAC,QAAQ,aAAa;AAAA,MACjC,CAAC;AACD,YAAM,kBAAkB,MAAM,KAAK,OAAO,YAAY,eAAe,IAAI;AACzE,YAAM,gBAAgB,KAAK,aAAa,qBAAqB;AAAA,QAC3D,GAAG;AAAA,QACH,WAAW;AAAA,MACb,CAAC;AAED,YAAM,uBAAuB,UAAM;AAAA,QACjC,KAAK,OAAO;AAAA,QACZ,cAAc;AAAA,MAChB;AAEA,UAAI,qBAAqB,SAAS;AAChC,eAAO,mBAAmB;AAAA,UACxB,KAAK,cAAc;AAAA,UACnB,kBAAkB,cAAc;AAAA,UAChC,SAAS;AAAA,UACT,MAAM;AAAA,UACN,SAAS,CAAC,oBAAoB,oBAAoB,uBAAuB;AAAA,UACzE,sBAAsB,OAAO,wBAAwB;AAAA,UACrD,QAAQ;AAAA,UACR,aAAa,OAAO;AAAA,UACpB,cAAc,QAAQ;AAAA,UACtB,SAAS,QAAQ;AAAA,UACjB,MAAM,KAAK,OAAO;AAAA,QACpB;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,MAAM,cAAc,YAA0D;AAC5E,UAAM,mBAAmB,WAAW;AAGpC,UAAM,aAAa,WAAW,QAAQ,KAAK,OAAO;AAIlD,QAAI,KAAK,eAAe;AAEtB,YAAM,QAAQ,KAAK;AACnB,UAAI,CAAC,oBAAoB,WAAW,aAAa,KAAK,GAAG;AACvD,cAAM,IAAI;AAAA,UACR,sBAAsB,WAAW,WAAW,2BAA2B,KAAK;AAAA,QAE9E;AAAA,MACF;AAIA,YAAMC,WAA4B;AAAA,QAChC,SAAS,WAAW;AAAA,QACpB,SAAS,WAAW;AAAA,QACpB,YAAY,KAAK,UAAU,KAAK,aAAa;AAAA,QAC7C,SAAS,WAAW;AAAA,QACpB,eAAe,WAAW;AAAA,QAC1B;AAAA,QACA,oBAAoB,KAAK;AAAA,QACzB,KAAK,KAAK;AAAA,QACV,MAAM;AAAA;AAAA,QACN,WAAW;AAAA;AAAA,MACb;AAGA,WAAK,wBAAwB,YAAY,KAAK,aAA+B;AAC7E,WAAK;AAAA,QACH;AAAA,QACA;AAAA,UACE,kBAAkBA,SAAQ;AAAA,UAC1B,eAAeA,SAAQ;AAAA,UACvB,SAASA,SAAQ;AAAA,UACjB,oBAAoBA,SAAQ;AAAA,UAC5B,KAAKA,SAAQ;AAAA,QACf;AAAA,QACA,WAAW;AAAA,MACb;AAEA,aAAO,IAAI,gBAAgBA,UAAS,YAAY,YAAY,KAAK,aAAa,MAAM;AAAA,IACtF;AAGA,UAAM,YAAY,KAAK,MAAM;AAC7B,QAAI,CAAC,WAAW;AACd,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAIA,UAAM,MAAM,UAAU;AAGtB,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC9E,UAAM,aAAa,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAChF,UAAM,gBAAgB,WAAW,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AACtF,UAAM,oBAAoB,WAAW,QAAQ;AAAA,MAAO,OAClD,EAAE,WAAW,uBAAuB;AAAA,IACtC;AACA,UAAM,eAAyC,CAAC;AAChD,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,WAAW,IAAI,GAAG,UAAU;AAAA,IAChD;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,WAAW,IAAI,GAAG,WAAW;AAAA,IAClD;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,WAAW,IAAI,GAAG,cAAc;AAAA,IACxD;AACA,QACE,kBAAkB,SAAS,KAC3B,WAAW,KAAK,WAAW,2BAA2B,GACtD;AACA,mBAAa,WAAW,IAAI,IAAI;AAAA,IAClC;AAEA,UAAM,MAAM,oBAAI,KAAK;AAErB,UAAM,YAAY,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,KAAK,GAAI;AACzD,UAAM,iBAAiB,WAAW,SAAS,YAAY,WAAW,SAAS;AAO3E,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,UAAU,OAAO;AAAA,MACxD,SAAS,UAAU;AAAA,MACnB,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,eAAe,YAAY;AAAA,MAC3C,SAAS,WAAW;AAAA,MACpB;AAAA,MACA,SAAS,CAAC,WAAW,GAAG;AAAA,MACxB,GAAI,OAAO,KAAK,YAAY,EAAE,SAAS,IAAI,EAAE,aAAa,IAAI,CAAC;AAAA,IACjE,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAQ,YAAY,SAAS,IAAI;AAG9D,UAAM,iBAAiB,KAAK,aAAa,qBAAqB;AAAA,MAC5D,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,eAAe;AAAA,IACjB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,yCAAyC,eAAe,KAAK,EAAE;AAAA,IACjF;AAGA,UAAM,UAA4B;AAAA,MAChC,SAAS,UAAU;AAAA,MACnB,SAAS,UAAU;AAAA,MACnB,YAAY,UAAU;AAAA,MACtB,SAAS,WAAW;AAAA,MACpB,eAAe,eAAe;AAAA,MAC9B,kBAAkB,eAAe;AAAA,MACjC,oBAAoB,UAAU;AAAA,MAC9B;AAAA,MACA,MAAM,SAAS;AAAA,MACf;AAAA,IACF;AAGA,SAAK,wBAAwB,YAAY,GAAqB;AAC9D,SAAK;AAAA,MACH;AAAA,MACA;AAAA,QACE,kBAAkB,QAAQ;AAAA,QAC1B,eAAe,QAAQ;AAAA,QACvB,SAAS,QAAQ;AAAA,QACjB,oBAAoB,QAAQ;AAAA,QAC5B,KAAK,QAAQ;AAAA,MACf;AAAA,MACA;AAAA,IACF;AAEA,WAAO,IAAI,gBAAgB,SAAS,YAAY,YAAY,KAAK,aAAa,MAAM;AAAA,EACtF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,MAAM,oBACJ,kBACA,QAY6B;AAC7B,QAAI,CAAC,KAAK,QAAQ;AAChB,YAAM,IAAI,MAAM,0EAA0E;AAAA,IAC5F;AACA,QAAI,CAAC,KAAK,UAAU;AAClB,YAAM,IAAI,MAAM,qCAAqC;AAAA,IACvD;AAGA,QAAI,iBAAiB,sBAAsB;AACzC,YAAM,IAAI,MAAM,iDAAiD;AAAA,IACnE;AAGA,QAAI,CAAC,OAAO,KAAK,WAAW,iBAAiB,IAAI,GAAG;AAClD,YAAM,IAAI;AAAA,QACR,wBAAwB,OAAO,IAAI,iCAAiC,iBAAiB,IAAI;AAAA,MAC3F;AAAA,IACF;AAGA,UAAM,gBAAgB,IAAI,IAAI,iBAAiB,OAAO;AACtD,eAAW,UAAU,OAAO,SAAS;AACnC,UAAI,CAAC,cAAc,IAAI,MAAM,GAAG;AAC9B,cAAM,IAAI;AAAA,UACR,0BAA0B,MAAM,iCAAiC,iBAAiB,QAAQ,KAAK,IAAI,CAAC;AAAA,QACtG;AAAA,MACF;AAAA,IACF;AAGA,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,WAAW,OAAO,YAAY,KAAK,KAAK;AAC9C,UAAM,kBAAkB,IAAI,KAAK,IAAI,QAAQ,IAAI,QAAQ;AAEzD,UAAM,eACJ,kBAAkB,iBAAiB,SAAS,iBAAiB,SAAS;AAGxE,UAAM,YAAsD,CAAC;AAC7D,UAAM,YAAY,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,eAAe,CAAC;AAC1E,UAAM,aAAa,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,gBAAgB,CAAC;AAC5E,UAAM,gBAAgB,OAAO,QAAQ,OAAO,OAAK,EAAE,WAAW,mBAAmB,CAAC;AAClF,QAAI,UAAU,SAAS,GAAG;AACxB,gBAAU,KAAK,EAAE,CAAC,OAAO,IAAI,GAAG,UAAU;AAAA,IAC5C;AACA,QAAI,WAAW,SAAS,GAAG;AACzB,gBAAU,MAAM,EAAE,CAAC,OAAO,IAAI,GAAG,WAAW;AAAA,IAC9C;AACA,QAAI,cAAc,SAAS,GAAG;AAC5B,gBAAU,SAAS,EAAE,CAAC,OAAO,IAAI,GAAG,cAAc;AAAA,IACpD;AAGA,UAAM,aAAa,iBAAiB,QAAQ,KAAK,OAAO;AAMxD,UAAM,WAAW,KAAK,aAAa,eAAe;AAAA,MAChD;AAAA,MACA,SAAS,KAAK,aAAa,YAAY,KAAK,QAAQ;AAAA,MACpD,SAAS,KAAK;AAAA,MACd,QAAQ,KAAK;AAAA,MACb,UAAU,IAAI,YAAY;AAAA,MAC1B,gBAAgB,aAAa,YAAY;AAAA,MACzC,SAAS,iBAAiB;AAAA,MAC1B,aAAa,OAAO;AAAA,MACpB,SAAS,CAAC,iBAAiB,GAAG;AAAA,IAChC,CAAC;AAGD,UAAM,YAAY,MAAM,KAAK,OAAO,YAAY,SAAS,IAAI;AAG7D,UAAM,uBAAuB,KAAK,aAAa,qBAAqB;AAAA,MAClE,GAAG;AAAA,MACH;AAAA,IACF,CAAC;AAGD,UAAM,iBAAiB,UAAM;AAAA,MAC3B;AAAA,MACA,qBAAqB;AAAA,IACvB;AAEA,QAAI,CAAC,eAAe,SAAS;AAC3B,YAAM,IAAI,MAAM,sCAAsC,eAAe,KAAK,EAAE;AAAA,IAC9E;AAGA,WAAO;AAAA,MACL,KAAK,qBAAqB;AAAA,MAC1B,kBAAkB,qBAAqB;AAAA,MACvC,SAAS,iBAAiB;AAAA,MAC1B,MAAM,OAAO;AAAA,MACb,SAAS,OAAO;AAAA,MAChB,sBAAsB,OAAO,wBAAwB;AAAA,MACrD,QAAQ;AAAA,MACR,aAAa,OAAO;AAAA,MACpB,cAAc,iBAAiB;AAAA,MAC/B,SAAS,iBAAiB;AAAA,MAC1B,MAAM;AAAA,IACR;AAAA,EACF;AACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAvhHa,eAgrEa,kCAAkC;AAhrErD,IAAM,gBAAN;;;ALzRP,IAAAC,mBA8BO;;;AUjFA,SAAS,oBAAoB,YAAwC;AAC1E,SAAO,KAAK,UAAU;AAAA,IACpB,GAAG;AAAA,IACH,QAAQ,WAAW,OAAO,YAAY;AAAA,EACxC,CAAC;AACH;AAKO,SAAS,sBAAsB,MAAkC;AACtE,QAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,SAAO;AAAA,IACL,GAAG;AAAA,IACH,KAAK,OAAO;AAAA,IACZ,QAAQ,IAAI,KAAK,OAAO,MAAM;AAAA,EAChC;AACF;;;AVwEA,IAAAC,oBAIO;AAaP,IAAAA,oBAAsD;AAmBtD,IAAAA,oBAIO;AAwBP,IAAAA,oBAUO;AAsBP,IAAAA,oBAKO;AAkCP,IAAAA,oBAIO;AAUP,IAAAA,oBAQO;AAcP,IAAAA,oBAKO;AAGP,IAAAA,oBAA+B;","names":["import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","import_sdk_core","config","now","delegation","spaceId","expandPermissionEntriesCore","session","import_sdk_core","import_sdk_core"]}