@tinyrack/tinyauth-server 0.0.7

package/dist/services/oauth-connect.service.js

@@ -0,0 +1,592 @@
+import { decodeJwt } from 'jose';
+import z from 'zod';
+import { isEmailAllowed } from "../lib/email-pattern.js";
+import { generatePKCE } from "../lib/pkce.js";
+import { e, TinyAuthError } from "../schemas/error.js";
+/**
+ * Token response from OAuth provider
+ * Standard OAuth 2.0 token response structure
+ */
+const OAuthTokensSchema = z.object({
+    access_token: z.string(),
+    refresh_token: z.string().optional(),
+    expires_in: z.number().optional(),
+    token_type: z.string(),
+    id_token: z.string().optional(),
+});
+// Note: This service uses fastify.config for identity_providers (OAuth providers config)
+// but user-related config lookups have been removed since users are now synced to DB.
+export class OAuthConnectService {
+    config;
+    userService;
+    mikro;
+    termsService;
+    constructor(config, userService, mikro, termsService) {
+        this.config = config;
+        this.userService = userService;
+        this.mikro = mikro;
+        this.termsService = termsService;
+    }
+    /**
+     * Process an OAuth callback: validate session, exchange tokens, and
+     * determine the appropriate next action (redirect, login, link, terms).
+     * Pure business logic — no session writes or HTTP responses.
+     */
+    async processOAuthCallback(params) {
+        const { provider, code, state, oauthSession, userSub, requestUrl } = params;
+        // Validate state parameter
+        if (oauthSession.state !== state) {
+            throw new e.OAuthStateMismatch.Error();
+        }
+        // Validate provider matches
+        if (oauthSession.providerId !== provider) {
+            throw new e.OAuthProviderNotFound.Error();
+        }
+        // Exchange code for tokens
+        const tokens = await this.exchangeCodeForTokens(provider, code, oauthSession.codeVerifier);
+        // Fetch user info from provider
+        const userInfo = await this.fetchUserInfo(provider, tokens.access_token, tokens.id_token);
+        // Handle link mode
+        if (oauthSession.mode === 'link') {
+            if (!userSub) {
+                throw new e.Unauthorized.Error();
+            }
+            await this.linkOAuthAccount(userSub, provider, tokens, userInfo);
+            const returnUrl = oauthSession.returnUrl || '/profile';
+            return { action: 'link_complete', returnUrl };
+        }
+        // Check if this would be a new user
+        const isNewUser = await this.isNewOAuthUser(provider, userInfo);
+        // For new users, check registration enabled and email allowlist
+        if (isNewUser) {
+            const { enabled, allowed_email_patterns } = this.config.registration;
+            if (!enabled ||
+                (allowed_email_patterns.length > 0 &&
+                    !isEmailAllowed(userInfo.email, allowed_email_patterns))) {
+                const errorUrl = new URL('/login', this.config.server.public_origin);
+                errorUrl.searchParams.set('oauth_error', 'registration_email_not_allowed');
+                if (oauthSession.returnUrl) {
+                    errorUrl.searchParams.set('redirect', oauthSession.returnUrl);
+                }
+                return { action: 'error_redirect', url: errorUrl.toString() };
+            }
+        }
+        // Load terms once and reuse
+        const allTerms = await this.termsService.getGlobalTerms();
+        const explicitTerms = await this.termsService.getExplicitTerms(allTerms);
+        if (isNewUser && explicitTerms.length > 0) {
+            // New user with explicit terms: persist to DB
+            const pendingToken = await this.mikro.pendingOAuthRegistration.createPendingRegistration({
+                providerId: provider,
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token,
+                expiresIn: tokens.expires_in,
+                tokenType: tokens.token_type,
+                userInfo: {
+                    id: userInfo.id,
+                    email: userInfo.email,
+                    email_verified: userInfo.email_verified,
+                    name: userInfo.name,
+                    picture: userInfo.picture,
+                },
+                returnUrl: oauthSession.returnUrl,
+                expiresAt: new Date(Date.now() + 60 * 60 * 1000),
+            });
+            const termsUrl = new URL('/terms', `${this.config.server.public_origin}`);
+            termsUrl.searchParams.set('mode', 'complete_registration');
+            termsUrl.searchParams.set('registration_token', pendingToken);
+            if (oauthSession.returnUrl) {
+                termsUrl.searchParams.set('redirect', oauthSession.returnUrl);
+            }
+            return { action: 'terms_redirect', url: termsUrl.toString() };
+        }
+        // Login/Register mode: authenticate with OAuth
+        try {
+            const result = await this.authenticateWithOAuth(provider, tokens, userInfo);
+            // Check if existing user needs to see terms page
+            if (!result.isNewUser && explicitTerms.length > 0) {
+                const pendingTerms = await this.termsService.getPendingRequiredTerms(result.user.sub);
+                const explicitTermIds = new Set(explicitTerms.map((t) => t.id));
+                const shouldRedirectToTerms = pendingTerms.some((id) => explicitTermIds.has(id));
+                if (shouldRedirectToTerms) {
+                    const url = new URL(requestUrl);
+                    const termsUrl = new URL('/terms', `${url.protocol}//${url.host}`);
+                    if (oauthSession.returnUrl) {
+                        termsUrl.searchParams.set('redirect', oauthSession.returnUrl);
+                    }
+                    return {
+                        action: 'login_terms_redirect',
+                        userSub: result.user.sub,
+                        termsUrl: termsUrl.toString(),
+                    };
+                }
+            }
+            return {
+                action: 'login_complete',
+                userSub: result.user.sub,
+                returnUrl: oauthSession.returnUrl,
+            };
+        }
+        catch (err) {
+            if (err instanceof TinyAuthError &&
+                err.code === 'REGISTRATION_EMAIL_NOT_ALLOWED') {
+                const errorUrl = new URL('/login', this.config.server.public_origin);
+                errorUrl.searchParams.set('oauth_error', 'registration_email_not_allowed');
+                if (oauthSession.returnUrl) {
+                    errorUrl.searchParams.set('redirect', oauthSession.returnUrl);
+                }
+                return { action: 'error_redirect', url: errorUrl.toString() };
+            }
+            throw err;
+        }
+    }
+    /**
+     * Get all enabled OAuth providers
+     */
+    getEnabledProviders() {
+        const providers = [];
+        for (const provider of this.config.identity_providers) {
+            if (provider.enabled) {
+                providers.push({
+                    id: provider.id,
+                    display_name: provider.display_name,
+                    icon_url: provider.icon_url,
+                });
+            }
+        }
+        return providers;
+    }
+    /**
+     * Get OAuth provider config by id
+     */
+    getProvider(id) {
+        const provider = this.config.identity_providers.find((providerConfig) => providerConfig.id === id);
+        if (!provider?.enabled) {
+            throw new e.OAuthProviderNotFound.Error();
+        }
+        return provider;
+    }
+    /**
+     * Generate authorization URL with state and PKCE
+     */
+    async generateAuthorizationUrl(providerId, mode, returnUrl) {
+        const provider = this.getProvider(providerId);
+        const pkce = await generatePKCE();
+        const state = crypto.randomUUID();
+        const params = new URLSearchParams({
+            client_id: provider.client_id,
+            redirect_uri: `${this.config.server.public_origin}/api/oauth/${providerId}/callback`,
+            response_type: 'code',
+            scope: provider.scopes.join(' '),
+            state,
+            code_challenge: pkce.challenge,
+            code_challenge_method: pkce.method,
+        });
+        // Add response_mode if specified (e.g., 'form_post' for Apple)
+        if (provider.response_mode) {
+            params.set('response_mode', provider.response_mode);
+        }
+        const url = `${provider.authorization_url}?${params.toString()}`;
+        const sessionData = {
+            state,
+            codeVerifier: pkce.verifier,
+            providerId,
+            mode,
+            returnUrl,
+        };
+        return { url, sessionData };
+    }
+    /**
+     * Exchange authorization code for tokens
+     */
+    async exchangeCodeForTokens(providerId, code, codeVerifier) {
+        const provider = this.getProvider(providerId);
+        const params = new URLSearchParams({
+            grant_type: 'authorization_code',
+            code,
+            redirect_uri: `${this.config.server.public_origin}/api/oauth/${providerId}/callback`,
+            client_id: provider.client_id,
+            client_secret: provider.client_secret,
+            code_verifier: codeVerifier,
+        });
+        const response = await fetch(provider.token_url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/x-www-form-urlencoded',
+                Accept: 'application/json',
+            },
+            body: params.toString(),
+        });
+        if (!response.ok) {
+            throw new e.OAuthTokenExchangeFailed.Error();
+        }
+        const json = await response.json();
+        const tokens = OAuthTokensSchema.parse(json);
+        return tokens;
+    }
+    /**
+     * Fetch user info from OAuth provider.
+     * For providers without a userinfo endpoint (e.g. Apple), decodes the ID token.
+     */
+    async fetchUserInfo(providerId, accessToken, idToken) {
+        const provider = this.getProvider(providerId);
+        // Providers without a userinfo endpoint (e.g. Apple) use the ID token
+        if (!provider.userinfo_url) {
+            return this.extractUserInfoFromIdToken(provider, idToken);
+        }
+        const response = await fetch(provider.userinfo_url, {
+            headers: {
+                Authorization: `Bearer ${accessToken}`,
+                Accept: 'application/json',
+            },
+        });
+        if (!response.ok) {
+            throw new e.OAuthUserInfoFailed.Error();
+        }
+        const data = z.record(z.string(), z.unknown()).parse(await response.json());
+        return this.mapUserInfo(provider, data);
+    }
+    /**
+     * Extract user info from an ID token JWT (used by Apple).
+     * Decodes without verification since the token was received directly
+     * from the provider's token endpoint over TLS.
+     */
+    extractUserInfoFromIdToken(provider, idToken) {
+        if (!idToken) {
+            throw new e.OAuthUserInfoFailed.Error();
+        }
+        const claims = decodeJwt(idToken);
+        const data = claims;
+        return this.mapUserInfo(provider, data);
+    }
+    /**
+     * Map provider-specific field names to normalized OAuthUserInfo
+     * using the provider's userinfo_mapping configuration.
+     */
+    mapUserInfo(provider, data) {
+        const mapping = provider.userinfo_mapping;
+        // Extract user ID
+        const id = String(data[mapping.id] ?? '');
+        if (!id) {
+            throw new e.OAuthUserInfoFailed.Error();
+        }
+        // Extract email
+        const email = String(data[mapping.email] ?? '');
+        const emailVerified = mapping.email_verified
+            ? Boolean(data[mapping.email_verified])
+            : true; // Default to true for OAuth providers
+        if (!email) {
+            throw new e.OAuthUserInfoFailed.Error();
+        }
+        const name = mapping.name ? String(data[mapping.name] ?? '') : undefined;
+        const picture = mapping.picture
+            ? String(data[mapping.picture] ?? '')
+            : undefined;
+        return {
+            id,
+            email,
+            email_verified: emailVerified,
+            name: name || undefined,
+            picture: picture || undefined,
+        };
+    }
+    /**
+     * Authenticate with OAuth - login or register user
+     */
+    async authenticateWithOAuth(providerId, tokens, userInfo) {
+        const provider = this.getProvider(providerId);
+        // Reject if the OAuth provider has not verified the user's email
+        if (!userInfo.email_verified) {
+            throw new e.OAuthEmailNotVerified.Error();
+        }
+        // Check if OAuth account is already linked
+        const existingOAuth = await this.mikro.userOAuth.findByProviderUserId(providerId, userInfo.id);
+        if (existingOAuth) {
+            // Update tokens and return existing user
+            await this.mikro.userOAuth.updateTokens(existingOAuth, {
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token || '',
+                expiresAt: tokens.expires_in
+                    ? new Date(Date.now() + tokens.expires_in * 1000)
+                    : null,
+            });
+            // Load user entity from Ref
+            const user = await existingOAuth.user.load({
+                populate: ['password_hash'],
+            });
+            if (!user) {
+                throw new e.UserNotFound.Error();
+            }
+            return {
+                isNewUser: false,
+                user: await this.userService.getSessionUserBySub(user.sub),
+            };
+        }
+        // Check if user with same email exists in database
+        // Config users are now synced to DB, so we only need to check the database
+        const existingUser = await this.mikro.user.findOne({
+            email: userInfo.email,
+        });
+        if (existingUser) {
+            // Handle email conflict based on strategy
+            if (provider.email_conflict_strategy === 'require_link') {
+                throw new e.OAuthEmailConflict.Error();
+            }
+            // auto_link strategy - link to existing user if email is verified
+            if (!existingUser.email_verified) {
+                // Mark email as verified since OAuth provider verified it
+                existingUser.email_verified = true;
+            }
+            // Link OAuth account (only for database-managed users)
+            // Config-managed users can still be linked since they're in DB now
+            await this.mikro.userOAuth.linkAccount({
+                userSub: existingUser.sub,
+                providerName: providerId,
+                providerUserId: userInfo.id,
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token || '',
+                expiresAt: tokens.expires_in
+                    ? new Date(Date.now() + tokens.expires_in * 1000)
+                    : null,
+            });
+            await this.mikro.em.flush();
+            return {
+                isNewUser: false,
+                user: await this.userService.getSessionUserBySub(existingUser.sub),
+            };
+        }
+        // Check if registration is enabled and email is allowed
+        if (!this.config.registration.enabled) {
+            throw new e.RegistrationDisabled.Error();
+        }
+        if (this.config.registration.allowed_email_patterns.length > 0 &&
+            !isEmailAllowed(userInfo.email, this.config.registration.allowed_email_patterns)) {
+            throw new e.RegistrationEmailNotAllowed.Error();
+        }
+        // Create new user with OAuth
+        const newUser = this.mikro.user.create({
+            email: userInfo.email,
+            password_hash: null, // No password for OAuth-only users
+        });
+        newUser.email_verified = true; // OAuth provider verified the email
+        this.mikro.em.persist(newUser);
+        // Link OAuth account
+        await this.mikro.userOAuth.linkAccount({
+            userSub: newUser.sub,
+            providerName: providerId,
+            providerUserId: userInfo.id,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token || '',
+            expiresAt: tokens.expires_in
+                ? new Date(Date.now() + tokens.expires_in * 1000)
+                : null,
+        });
+        await this.mikro.em.flush();
+        // Record implicit consents automatically for OAuth users
+        // Explicit terms consent is handled in /terms page if any explicit terms exist
+        await this.termsService.recordImplicitConsents({
+            userSub: newUser.sub,
+        });
+        return {
+            isNewUser: true,
+            user: await this.userService.getSessionUserBySub(newUser.sub),
+        };
+    }
+    /**
+     * Check if a user would be new (not existing) for OAuth authentication
+     * Used to determine if we should defer registration until terms consent
+     */
+    async isNewOAuthUser(providerId, userInfo) {
+        // Check if OAuth account is already linked
+        const existingOAuth = await this.mikro.userOAuth.findByProviderUserId(providerId, userInfo.id);
+        if (existingOAuth) {
+            return false;
+        }
+        // Check if user with same email exists in database
+        const existingUser = await this.mikro.user.findOne({
+            email: userInfo.email,
+        });
+        return !existingUser;
+    }
+    /**
+     * Complete OAuth registration with terms consent
+     * Called after user agrees to terms on /terms page
+     * This creates the user in DB only after consent is given (GDPR compliant)
+     */
+    async completeOAuthRegistration(params) {
+        const { providerId, tokens, userInfo, consents } = params;
+        // Reject if the OAuth provider has not verified the user's email
+        if (!userInfo.email_verified) {
+            throw new e.OAuthEmailNotVerified.Error();
+        }
+        // Double-check that user doesn't exist (in case of race condition)
+        const existingOAuth = await this.mikro.userOAuth.findByProviderUserId(providerId, userInfo.id);
+        if (existingOAuth) {
+            // User was created in the meantime, just return existing user
+            const user = await existingOAuth.user.load({
+                populate: ['password_hash'],
+            });
+            if (!user) {
+                throw new e.UserNotFound.Error();
+            }
+            return {
+                isNewUser: false,
+                user: await this.userService.getSessionUserBySub(user.sub),
+            };
+        }
+        // Check if user with same email exists
+        const existingUser = await this.mikro.user.findOne({
+            email: userInfo.email,
+        });
+        if (existingUser) {
+            // Handle as auto_link - link OAuth to existing user
+            const provider = this.getProvider(providerId);
+            if (provider.email_conflict_strategy === 'require_link') {
+                throw new e.OAuthEmailConflict.Error();
+            }
+            if (!existingUser.email_verified) {
+                existingUser.email_verified = true;
+            }
+            await this.mikro.userOAuth.linkAccount({
+                userSub: existingUser.sub,
+                providerName: providerId,
+                providerUserId: userInfo.id,
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token || '',
+                expiresAt: tokens.expires_in
+                    ? new Date(Date.now() + tokens.expires_in * 1000)
+                    : null,
+            });
+            // Record all consents for existing user (load terms once)
+            const terms = await this.termsService.getGlobalTerms();
+            await this.termsService.recordConsents({
+                userSub: existingUser.sub,
+                consents,
+                terms,
+            });
+            await this.termsService.recordImplicitConsents({
+                userSub: existingUser.sub,
+                terms,
+            });
+            await this.mikro.em.flush();
+            return {
+                isNewUser: false,
+                user: await this.userService.getSessionUserBySub(existingUser.sub),
+            };
+        }
+        // Check if registration is enabled and email is allowed
+        if (!this.config.registration.enabled) {
+            throw new e.RegistrationDisabled.Error();
+        }
+        if (this.config.registration.allowed_email_patterns.length > 0 &&
+            !isEmailAllowed(userInfo.email, this.config.registration.allowed_email_patterns)) {
+            throw new e.RegistrationEmailNotAllowed.Error();
+        }
+        // Create new user with OAuth
+        const newUser = this.mikro.user.create({
+            email: userInfo.email,
+            password_hash: null,
+        });
+        newUser.email_verified = true;
+        this.mikro.em.persist(newUser);
+        // Link OAuth account
+        await this.mikro.userOAuth.linkAccount({
+            userSub: newUser.sub,
+            providerName: providerId,
+            providerUserId: userInfo.id,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token || '',
+            expiresAt: tokens.expires_in
+                ? new Date(Date.now() + tokens.expires_in * 1000)
+                : null,
+        });
+        await this.mikro.em.flush();
+        // Record all consents (load terms once)
+        const terms = await this.termsService.getGlobalTerms();
+        await this.termsService.recordConsents({
+            userSub: newUser.sub,
+            consents,
+            terms,
+        });
+        await this.termsService.recordImplicitConsents({
+            userSub: newUser.sub,
+            terms,
+        });
+        return {
+            isNewUser: true,
+            user: await this.userService.getSessionUserBySub(newUser.sub),
+        };
+    }
+    /**
+     * Link OAuth account to existing user
+     */
+    async linkOAuthAccount(userSub, providerId, tokens, userInfo) {
+        // Check if OAuth account is already linked to another user
+        const existingOAuth = await this.mikro.userOAuth.findByProviderUserId(providerId, userInfo.id);
+        if (existingOAuth && existingOAuth.user.sub !== userSub) {
+            throw new e.OAuthAccountAlreadyLinked.Error();
+        }
+        // Get user
+        const user = await this.mikro.user.findOneOrFail({ sub: userSub }, { failHandler: () => new e.UserNotFound.Error() });
+        // Check if already linked
+        const existingLink = await this.mikro.userOAuth.findByUserAndProvider(userSub, providerId);
+        if (existingLink) {
+            // Update tokens
+            await this.mikro.userOAuth.updateTokens(existingLink, {
+                accessToken: tokens.access_token,
+                refreshToken: tokens.refresh_token || '',
+                expiresAt: tokens.expires_in
+                    ? new Date(Date.now() + tokens.expires_in * 1000)
+                    : null,
+            });
+            return;
+        }
+        // Link OAuth account
+        await this.mikro.userOAuth.linkAccount({
+            userSub: user.sub,
+            providerName: providerId,
+            providerUserId: userInfo.id,
+            accessToken: tokens.access_token,
+            refreshToken: tokens.refresh_token || '',
+            expiresAt: tokens.expires_in
+                ? new Date(Date.now() + tokens.expires_in * 1000)
+                : null,
+        });
+    }
+    /**
+     * Unlink OAuth account from user
+     */
+    async unlinkOAuthAccount(userSub, providerId) {
+        // Get user from database (config users are now synced to DB)
+        const user = await this.mikro.user.findOneOrFail({ sub: userSub }, {
+            failHandler: () => new e.UserNotFound.Error(),
+            populate: ['password_hash'],
+        });
+        // Check if OAuth account is linked
+        const oauthAccount = await this.mikro.userOAuth.findByUserAndProvider(userSub, providerId);
+        if (!oauthAccount) {
+            throw new e.OAuthAccountNotLinked.Error();
+        }
+        // Check if this is the last auth method
+        const oauthCount = await this.mikro.userOAuth.countByUser(userSub);
+        const hasPassword = user.hasPassword();
+        // If only one OAuth and no password, can't unlink
+        if (oauthCount <= 1 && !hasPassword) {
+            throw new e.CannotUnlinkLastAuthMethod.Error();
+        }
+        await this.mikro.userOAuth.unlinkAccount(userSub, providerId);
+    }
+    /**
+     * Get all OAuth accounts linked to a user
+     */
+    async getLinkedAccounts(userSub) {
+        // Get user from database (config users are now synced to DB)
+        await this.mikro.user.findOneOrFail({ sub: userSub }, { failHandler: () => new e.UserNotFound.Error() });
+        const oauthAccounts = await this.mikro.userOAuth.findByUser(userSub);
+        return oauthAccounts.map((account) => ({
+            provider_name: account.provider_name,
+            linked_at: account.created_at,
+        }));
+    }
+}
+//# sourceMappingURL=oauth-connect.service.js.map

package/dist/services/oauth-connect.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-connect.service.js","sourceRoot":"","sources":["../../src/services/oauth-connect.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AACjC,OAAO,CAAC,MAAM,KAAK,CAAC;AAKpB,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,CAAC,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAwBvD;;;GAGG;AACH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;IACxB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACpC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IACjC,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;IACtB,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAChC,CAAC,CAAC;AAsDH,yFAAyF;AACzF,sFAAsF;AAEtF,MAAM,OAAO,mBAAmB;IACb,MAAM,CAAwB;IAC9B,WAAW,CAAc;IACzB,KAAK,CAAe;IACpB,YAAY,CAAe;IAC5C,YACE,MAA6B,EAC7B,WAAwB,EACxB,KAAmB,EACnB,YAA0B;QAE1B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,YAAY,GAAG,YAAY,CAAC;IACnC,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,oBAAoB,CAAC,MAOjC;QACC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;QAE5E,2BAA2B;QAC3B,IAAI,YAAY,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;YACjC,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;QACzC,CAAC;QAED,4BAA4B;QAC5B,IAAI,YAAY,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;YACzC,MAAM,IAAI,CAAC,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,2BAA2B;QAC3B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAC7C,QAAQ,EACR,IAAI,EACJ,YAAY,CAAC,YAAY,CAC1B,CAAC;QAEF,gCAAgC;QAChC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CACvC,QAAQ,EACR,MAAM,CAAC,YAAY,EACnB,MAAM,CAAC,QAAQ,CAChB,CAAC;QAEF,mBAAmB;QACnB,IAAI,YAAY,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YACjC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACnC,CAAC;YAED,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YAEjE,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,IAAI,UAAU,CAAC;YACvD,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,SAAS,EAAE,CAAC;QAChD,CAAC;QAED,oCAAoC;QACpC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAEhE,gEAAgE;QAChE,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,EAAE,OAAO,EAAE,sBAAsB,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YACrE,IACE,CAAC,OAAO;gBACR,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC;oBAChC,CAAC,cAAc,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC,EAC1D,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;gBACrE,QAAQ,CAAC,YAAY,CAAC,GAAG,CACvB,aAAa,EACb,gCAAgC,CACjC,CAAC;gBACF,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;oBAC3B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;gBAChE,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC;YAChE,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;QAC1D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAEzE,IAAI,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,8CAA8C;YAC9C,MAAM,YAAY,GAChB,MAAM,IAAI,CAAC,KAAK,CAAC,wBAAwB,CAAC,yBAAyB,CAAC;gBAClE,UAAU,EAAE,QAAQ;gBACpB,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa;gBAClC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC5B,QAAQ,EAAE;oBACR,EAAE,EAAE,QAAQ,CAAC,EAAE;oBACf,KAAK,EAAE,QAAQ,CAAC,KAAK;oBACrB,cAAc,EAAE,QAAQ,CAAC,cAAc;oBACvC,IAAI,EAAE,QAAQ,CAAC,IAAI;oBACnB,OAAO,EAAE,QAAQ,CAAC,OAAO;iBAC1B;gBACD,SAAS,EAAE,YAAY,CAAC,SAAS;gBACjC,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;aACjD,CAAC,CAAC;YAEL,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC,CAAC;YAC1E,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC;YAC3D,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,oBAAoB,EAAE,YAAY,CAAC,CAAC;YAC9D,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;gBAC3B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;YAChE,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC;QAChE,CAAC;QAED,+CAA+C;QAC/C,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAC7C,QAAQ,EACR,MAAM,EACN,QAAQ,CACT,CAAC;YAEF,iDAAiD;YACjD,IAAI,CAAC,MAAM,CAAC,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,uBAAuB,CAClE,MAAM,CAAC,IAAI,CAAC,GAAG,CAChB,CAAC;gBACF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAChE,MAAM,qBAAqB,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CACrD,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,CACxB,CAAC;gBAEF,IAAI,qBAAqB,EAAE,CAAC;oBAC1B,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;oBAChC,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,GAAG,GAAG,CAAC,QAAQ,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;oBACnE,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;wBAC3B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;oBAChE,CAAC;oBACD,OAAO;wBACL,MAAM,EAAE,sBAAsB;wBAC9B,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG;wBACxB,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE;qBAC9B,CAAC;gBACJ,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,gBAAgB;gBACxB,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG;gBACxB,SAAS,EAAE,YAAY,CAAC,SAAS;aAClC,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IACE,GAAG,YAAY,aAAa;gBAC5B,GAAG,CAAC,IAAI,KAAK,gCAAgC,EAC7C,CAAC;gBACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;gBACrE,QAAQ,CAAC,YAAY,CAAC,GAAG,CACvB,aAAa,EACb,gCAAgC,CACjC,CAAC;gBACF,IAAI,YAAY,CAAC,SAAS,EAAE,CAAC;oBAC3B,QAAQ,CAAC,YAAY,CAAC,GAAG,CAAC,UAAU,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;gBAChE,CAAC;gBACD,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,QAAQ,CAAC,QAAQ,EAAE,EAAE,CAAC;YAChE,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED;;OAEG;IACI,mBAAmB;QAKxB,MAAM,SAAS,GAIV,EAAE,CAAC;QAER,KAAK,MAAM,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACtD,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBACrB,SAAS,CAAC,IAAI,CAAC;oBACb,EAAE,EAAE,QAAQ,CAAC,EAAE;oBACf,YAAY,EAAE,QAAQ,CAAC,YAAY;oBACnC,QAAQ,EAAE,QAAQ,CAAC,QAAQ;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACI,WAAW,CAAC,EAAU;QAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC,IAAI,CAClD,CAAC,cAAc,EAAE,EAAE,CAAC,cAAc,CAAC,EAAE,KAAK,EAAE,CAC7C,CAAC;QAEF,IAAI,CAAC,QAAQ,EAAE,OAAO,EAAE,CAAC;YACvB,MAAM,IAAI,CAAC,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,wBAAwB,CACnC,UAAkB,EAClB,IAAwC,EACxC,SAAkB;QAKlB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,MAAM,YAAY,EAAE,CAAC;QAClC,MAAM,KAAK,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;QAElC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,YAAY,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,cAAc,UAAU,WAAW;YACpF,aAAa,EAAE,MAAM;YACrB,KAAK,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;YAChC,KAAK;YACL,cAAc,EAAE,IAAI,CAAC,SAAS;YAC9B,qBAAqB,EAAE,IAAI,CAAC,MAAM;SACnC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,IAAI,QAAQ,CAAC,aAAa,EAAE,CAAC;YAC3B,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC;QACtD,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,QAAQ,CAAC,iBAAiB,IAAI,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QAEjE,MAAM,WAAW,GAAqB;YACpC,KAAK;YACL,YAAY,EAAE,IAAI,CAAC,QAAQ;YAC3B,UAAU;YACV,IAAI;YACJ,SAAS;SACV,CAAC;QAEF,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,qBAAqB,CAChC,UAAkB,EAClB,IAAY,EACZ,YAAoB;QAEpB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAE9C,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;YACjC,UAAU,EAAE,oBAAoB;YAChC,IAAI;YACJ,YAAY,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,cAAc,UAAU,WAAW;YACpF,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,aAAa,EAAE,QAAQ,CAAC,aAAa;YACrC,aAAa,EAAE,YAAY;SAC5B,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,SAAS,EAAE;YAC/C,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,mCAAmC;gBACnD,MAAM,EAAE,kBAAkB;aAC3B;YACD,IAAI,EAAE,MAAM,CAAC,QAAQ,EAAE;SACxB,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,CAAC,wBAAwB,CAAC,KAAK,EAAE,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,GAAY,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,aAAa,CACxB,UAAkB,EAClB,WAAmB,EACnB,OAAgB;QAEhB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAE9C,sEAAsE;QACtE,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,0BAA0B,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC5D,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,QAAQ,CAAC,YAAY,EAAE;YAClD,OAAO,EAAE;gBACP,aAAa,EAAE,UAAU,WAAW,EAAE;gBACtC,MAAM,EAAE,kBAAkB;aAC3B;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;QAC5E,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED;;;;OAIG;IACK,0BAA0B,CAChC,QAAgC,EAChC,OAAgB;QAEhB,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC;QAClC,MAAM,IAAI,GAAG,MAAiC,CAAC;QAC/C,OAAO,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC1C,CAAC;IAED;;;OAGG;IACK,WAAW,CACjB,QAAgC,EAChC,IAA6B;QAE7B,MAAM,OAAO,GAAG,QAAQ,CAAC,gBAAgB,CAAC;QAE1C,kBAAkB;QAClB,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;QAC1C,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,gBAAgB;QAChB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,aAAa,GAAG,OAAO,CAAC,cAAc;YAC1C,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;YACvC,CAAC,CAAC,IAAI,CAAC,CAAC,sCAAsC;QAEhD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,CAAC,CAAC,mBAAmB,CAAC,KAAK,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACzE,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO;YAC7B,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACrC,CAAC,CAAC,SAAS,CAAC;QAEd,OAAO;YACL,EAAE;YACF,KAAK;YACL,cAAc,EAAE,aAAa;YAC7B,IAAI,EAAE,IAAI,IAAI,SAAS;YACvB,OAAO,EAAE,OAAO,IAAI,SAAS;SAC9B,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,qBAAqB,CAChC,UAAkB,EAClB,MAAmB,EACnB,QAAuB;QAEvB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAE9C,iEAAiE;QACjE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,2CAA2C;QAC3C,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,oBAAoB,CACnE,UAAU,EACV,QAAQ,CAAC,EAAE,CACZ,CAAC;QAEF,IAAI,aAAa,EAAE,CAAC;YAClB,yCAAyC;YACzC,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,aAAa,EAAE;gBACrD,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;gBACxC,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;oBACjD,CAAC,CAAC,IAAI;aACT,CAAC,CAAC;YAEH,4BAA4B;YAC5B,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;gBACzC,QAAQ,EAAE,CAAC,eAAe,CAAC;aAC5B,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACnC,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;aAC3D,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,2EAA2E;QAC3E,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;YACjD,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QAEH,IAAI,YAAY,EAAE,CAAC;YACjB,0CAA0C;YAC1C,IAAI,QAAQ,CAAC,uBAAuB,KAAK,cAAc,EAAE,CAAC;gBACxD,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;YACzC,CAAC;YAED,kEAAkE;YAClE,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;gBACjC,0DAA0D;gBAC1D,YAAY,CAAC,cAAc,GAAG,IAAI,CAAC;YACrC,CAAC;YAED,uDAAuD;YACvD,mEAAmE;YACnE,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC;gBACrC,OAAO,EAAE,YAAY,CAAC,GAAG;gBACzB,YAAY,EAAE,UAAU;gBACxB,cAAc,EAAE,QAAQ,CAAC,EAAE;gBAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;gBACxC,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;oBACjD,CAAC,CAAC,IAAI;aACT,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAE5B,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC;aACnE,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,CAAC,oBAAoB,CAAC,KAAK,EAAE,CAAC;QAC3C,CAAC;QACD,IACE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC;YAC1D,CAAC,cAAc,CACb,QAAQ,CAAC,KAAK,EACd,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAChD,EACD,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,2BAA2B,CAAC,KAAK,EAAE,CAAC;QAClD,CAAC;QAED,6BAA6B;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;YACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,aAAa,EAAE,IAAI,EAAE,mCAAmC;SACzD,CAAC,CAAC;QACH,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAAC,oCAAoC;QAEnE,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE/B,qBAAqB;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC;YACrC,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,YAAY,EAAE,UAAU;YACxB,cAAc,EAAE,QAAQ,CAAC,EAAE;YAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;YACxC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;gBACjD,CAAC,CAAC,IAAI;SACT,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,yDAAyD;QACzD,+EAA+E;QAC/E,MAAM,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC;YAC7C,OAAO,EAAE,OAAO,CAAC,GAAG;SACrB,CAAC,CAAC;QAEH,OAAO;YACL,SAAS,EAAE,IAAI;YACf,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC;SAC9D,CAAC;IACJ,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,cAAc,CACzB,UAAkB,EAClB,QAAuB;QAEvB,2CAA2C;QAC3C,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,oBAAoB,CACnE,UAAU,EACV,QAAQ,CAAC,EAAE,CACZ,CAAC;QAEF,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,KAAK,CAAC;QACf,CAAC;QAED,mDAAmD;QACnD,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;YACjD,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QAEH,OAAO,CAAC,YAAY,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,yBAAyB,CAAC,MAKtC;QACC,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,MAAM,CAAC;QAE1D,iEAAiE;QACjE,IAAI,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC;YAC7B,MAAM,IAAI,CAAC,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,mEAAmE;QACnE,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,oBAAoB,CACnE,UAAU,EACV,QAAQ,CAAC,EAAE,CACZ,CAAC;QAEF,IAAI,aAAa,EAAE,CAAC;YAClB,8DAA8D;YAC9D,MAAM,IAAI,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC;gBACzC,QAAQ,EAAE,CAAC,eAAe,CAAC;aAC5B,CAAC,CAAC;YACH,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;YACnC,CAAC;YAED,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC;aAC3D,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC;YACjD,KAAK,EAAE,QAAQ,CAAC,KAAK;SACtB,CAAC,CAAC;QAEH,IAAI,YAAY,EAAE,CAAC;YACjB,oDAAoD;YACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;YAE9C,IAAI,QAAQ,CAAC,uBAAuB,KAAK,cAAc,EAAE,CAAC;gBACxD,MAAM,IAAI,CAAC,CAAC,kBAAkB,CAAC,KAAK,EAAE,CAAC;YACzC,CAAC;YAED,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;gBACjC,YAAY,CAAC,cAAc,GAAG,IAAI,CAAC;YACrC,CAAC;YAED,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC;gBACrC,OAAO,EAAE,YAAY,CAAC,GAAG;gBACzB,YAAY,EAAE,UAAU;gBACxB,cAAc,EAAE,QAAQ,CAAC,EAAE;gBAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;gBACxC,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;oBACjD,CAAC,CAAC,IAAI;aACT,CAAC,CAAC;YAEH,0DAA0D;YAC1D,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;YACvD,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC;gBACrC,OAAO,EAAE,YAAY,CAAC,GAAG;gBACzB,QAAQ;gBACR,KAAK;aACN,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC;gBAC7C,OAAO,EAAE,YAAY,CAAC,GAAG;gBACzB,KAAK;aACN,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;YAE5B,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC;aACnE,CAAC;QACJ,CAAC;QAED,wDAAwD;QACxD,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YACtC,MAAM,IAAI,CAAC,CAAC,oBAAoB,CAAC,KAAK,EAAE,CAAC;QAC3C,CAAC;QACD,IACE,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAAC,MAAM,GAAG,CAAC;YAC1D,CAAC,cAAc,CACb,QAAQ,CAAC,KAAK,EACd,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,sBAAsB,CAChD,EACD,CAAC;YACD,MAAM,IAAI,CAAC,CAAC,2BAA2B,CAAC,KAAK,EAAE,CAAC;QAClD,CAAC;QAED,6BAA6B;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;YACrC,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,aAAa,EAAE,IAAI;SACpB,CAAC,CAAC;QACH,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC;QAE9B,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAE/B,qBAAqB;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC;YACrC,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,YAAY,EAAE,UAAU;YACxB,cAAc,EAAE,QAAQ,CAAC,EAAE;YAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;YACxC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;gBACjD,CAAC,CAAC,IAAI;SACT,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,CAAC;QAE5B,wCAAwC;QACxC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;QACvD,MAAM,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC;YACrC,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,QAAQ;YACR,KAAK;SACN,CAAC,CAAC;QACH,MAAM,IAAI,CAAC,YAAY,CAAC,sBAAsB,CAAC;YAC7C,OAAO,EAAE,OAAO,CAAC,GAAG;YACpB,KAAK;SACN,CAAC,CAAC;QAEH,OAAO;YACL,SAAS,EAAE,IAAI;YACf,IAAI,EAAE,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC,OAAO,CAAC,GAAG,CAAC;SAC9D,CAAC;IACJ,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,gBAAgB,CAC3B,OAAe,EACf,UAAkB,EAClB,MAAmB,EACnB,QAAuB;QAEvB,2DAA2D;QAC3D,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,oBAAoB,CACnE,UAAU,EACV,QAAQ,CAAC,EAAE,CACZ,CAAC;QAEF,IAAI,aAAa,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;YACxD,MAAM,IAAI,CAAC,CAAC,yBAAyB,CAAC,KAAK,EAAE,CAAC;QAChD,CAAC;QAED,WAAW;QACX,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAC9C,EAAE,GAAG,EAAE,OAAO,EAAE,EAChB,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,CAClD,CAAC;QAEF,0BAA0B;QAC1B,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,qBAAqB,CACnE,OAAO,EACP,UAAU,CACX,CAAC;QAEF,IAAI,YAAY,EAAE,CAAC;YACjB,gBAAgB;YAChB,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,YAAY,EAAE;gBACpD,WAAW,EAAE,MAAM,CAAC,YAAY;gBAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;gBACxC,SAAS,EAAE,MAAM,CAAC,UAAU;oBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;oBACjD,CAAC,CAAC,IAAI;aACT,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,qBAAqB;QACrB,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC;YACrC,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,YAAY,EAAE,UAAU;YACxB,cAAc,EAAE,QAAQ,CAAC,EAAE;YAC3B,WAAW,EAAE,MAAM,CAAC,YAAY;YAChC,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;YACxC,SAAS,EAAE,MAAM,CAAC,UAAU;gBAC1B,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC;gBACjD,CAAC,CAAC,IAAI;SACT,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,kBAAkB,CAC7B,OAAe,EACf,UAAkB;QAElB,6DAA6D;QAC7D,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAC9C,EAAE,GAAG,EAAE,OAAO,EAAE,EAChB;YACE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE;YAC7C,QAAQ,EAAE,CAAC,eAAe,CAAC;SAC5B,CACF,CAAC;QAEF,mCAAmC;QACnC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,qBAAqB,CACnE,OAAO,EACP,UAAU,CACX,CAAC;QAEF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,CAAC,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC5C,CAAC;QAED,wCAAwC;QACxC,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACnE,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAEvC,kDAAkD;QAClD,IAAI,UAAU,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,MAAM,IAAI,CAAC,CAAC,0BAA0B,CAAC,KAAK,EAAE,CAAC;QACjD,CAAC;QAED,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAChE,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,iBAAiB,CAC5B,OAAe;QAEf,6DAA6D;QAC7D,MAAM,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CACjC,EAAE,GAAG,EAAE,OAAO,EAAE,EAChB,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,CAClD,CAAC;QAEF,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QAErE,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YACrC,aAAa,EAAE,OAAO,CAAC,aAAa;YACpC,SAAS,EAAE,OAAO,CAAC,UAAU;SAC9B,CAAC,CAAC,CAAC;IACN,CAAC;CACF"}