@tnid/encryption 0.0.4

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Michael Edlinger
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,148 @@
+# @tnid/encryption
+
+Format-preserving encryption for TNIDs - hide timestamp information by encrypting V0 TNIDs to V1.
+
+## Why Encrypt TNIDs?
+
+V0 TNIDs contain a timestamp (like UUIDv7), which reveals when the ID was created. This can leak information you may not want to expose publicly, such as:
+
+- When a user account was created
+- The order in which records were created
+- Approximate creation rates
+
+By encrypting V0 to V1, you get a valid high-entropy V1 TNID that hides this information while remaining decryptable on the backend.
+
+## Installation
+
+```bash
+# npm
+npm install @tnid/encryption @tnid/core
+
+# pnpm
+pnpm add @tnid/encryption @tnid/core
+
+# bun
+bun add @tnid/encryption @tnid/core
+
+# deno
+deno add npm:@tnid/encryption npm:@tnid/core
+```
+
+## Platform Support
+
+Requires `globalThis.crypto` (Web Crypto API):
+
+- Node.js 20+
+- Deno 1.0+
+- Bun 1.0+
+- Modern browsers (ES2020+)
+
+## Quick Start
+
+```typescript
+import { Tnid, TnidType } from "@tnid/core";
+import { EncryptionKey, encryptV0ToV1, decryptV1ToV0 } from "@tnid/encryption";
+
+const UserId = Tnid("user");
+type UserId = TnidType<typeof UserId>;
+
+// Create an encryption key (16 bytes / 128 bits)
+const key = EncryptionKey.fromHex("0102030405060708090a0b0c0d0e0f10");
+
+// Create a time-ordered V0 ID
+const v0 = UserId.new_v0();
+
+// Encrypt to V1 before sending to client
+const v1 = await encryptV0ToV1(v0, key);
+
+// Decrypt on the backend to recover the original
+const decrypted = await decryptV1ToV0(v1, key);
+// decrypted === v0
+```
+
+## How It Works
+
+The encryption uses Format-Preserving Encryption (FPE) with AES-128 in FF1 mode (NIST SP 800-38G). This encrypts the 100 Payload bits while preserving:
+
+- The TNID name (unchanged)
+- The UUID version/variant bits (valid UUIDv8)
+- The overall 128-bit structure
+
+The TNID variant changes from V0 to V1, making the encrypted ID indistinguishable from a randomly generated V1 TNID.
+
+## API Reference
+
+### `EncryptionKey`
+
+A 128-bit (16 byte) encryption key.
+
+```typescript
+// From 32-character hex string
+const key = EncryptionKey.fromHex("0102030405060708090a0b0c0d0e0f10");
+
+// From raw bytes
+const key = EncryptionKey.fromBytes(
+  new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16])
+);
+
+// Get key bytes (returns a copy)
+const bytes: Uint8Array = key.asBytes();
+```
+
+### `encryptV0ToV1(tnid, key)`
+
+Encrypts a V0 TNID to V1, hiding timestamp information.
+
+```typescript
+const v1 = await encryptV0ToV1("user.Br2flcNDfF6LYICnT", key);
+```
+
+- **Input**: V0 TNID string
+- **Output**: V1 TNID string (same name, encrypted payload)
+- **Idempotent**: If input is already V1, returns it unchanged
+- **Throws**: `EncryptionError` if input is invalid or unsupported variant
+
+### `decryptV1ToV0(tnid, key)`
+
+Decrypts a V1 TNID back to V0, recovering timestamp information.
+
+```typescript
+const v0 = await decryptV1ToV0("user.X3Wxwp0wOy4OZp_rP", key);
+```
+
+- **Input**: V1 TNID string (encrypted)
+- **Output**: V0 TNID string (original with timestamp)
+- **Idempotent**: If input is already V0, returns it unchanged
+- **Throws**: `EncryptionError` if input is invalid or unsupported variant
+
+### Error Classes
+
+```typescript
+import { EncryptionKeyError, EncryptionError } from "@tnid/encryption";
+
+// EncryptionKeyError - invalid key format
+try {
+  EncryptionKey.fromHex("invalid");
+} catch (e) {
+  if (e instanceof EncryptionKeyError) {
+    console.log("Invalid key:", e.message);
+  }
+}
+
+// EncryptionError - encryption/decryption failed
+try {
+  await encryptV0ToV1("invalid-tnid", key);
+} catch (e) {
+  if (e instanceof EncryptionError) {
+    console.log("Encryption failed:", e.message);
+  }
+}
+```
+
+## Note
+
+The encryption functionality is not part of the TNID specification. Encrypted TNIDs are standard V1 TNIDs and remain fully compatible with any TNID implementation.
+
+## License
+
+MIT

package/esm/_dnt.shims.d.ts

@@ -0,0 +1,2 @@
+export declare const dntGlobalThis: Omit<typeof globalThis, never>;
+//# sourceMappingURL=_dnt.shims.d.ts.map

package/esm/_dnt.shims.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"_dnt.shims.d.ts","sourceRoot":"","sources":["../src/_dnt.shims.ts"],"names":[],"mappings":"AAEA,eAAO,MAAM,aAAa,gCAA2C,CAAC"}

package/esm/_dnt.shims.js

@@ -0,0 +1,57 @@
+const dntGlobals = {};
+export const dntGlobalThis = createMergeProxy(globalThis, dntGlobals);
+function createMergeProxy(baseObj, extObj) {
+    return new Proxy(baseObj, {
+        get(_target, prop, _receiver) {
+            if (prop in extObj) {
+                return extObj[prop];
+            }
+            else {
+                return baseObj[prop];
+            }
+        },
+        set(_target, prop, value) {
+            if (prop in extObj) {
+                delete extObj[prop];
+            }
+            baseObj[prop] = value;
+            return true;
+        },
+        deleteProperty(_target, prop) {
+            let success = false;
+            if (prop in extObj) {
+                delete extObj[prop];
+                success = true;
+            }
+            if (prop in baseObj) {
+                delete baseObj[prop];
+                success = true;
+            }
+            return success;
+        },
+        ownKeys(_target) {
+            const baseKeys = Reflect.ownKeys(baseObj);
+            const extKeys = Reflect.ownKeys(extObj);
+            const extKeysSet = new Set(extKeys);
+            return [...baseKeys.filter((k) => !extKeysSet.has(k)), ...extKeys];
+        },
+        defineProperty(_target, prop, desc) {
+            if (prop in extObj) {
+                delete extObj[prop];
+            }
+            Reflect.defineProperty(baseObj, prop, desc);
+            return true;
+        },
+        getOwnPropertyDescriptor(_target, prop) {
+            if (prop in extObj) {
+                return Reflect.getOwnPropertyDescriptor(extObj, prop);
+            }
+            else {
+                return Reflect.getOwnPropertyDescriptor(baseObj, prop);
+            }
+        },
+        has(_target, prop) {
+            return prop in extObj || prop in baseObj;
+        },
+    });
+}

package/esm/aes.d.ts

@@ -0,0 +1,25 @@
+/**
+ * AES-128 block cipher wrapper using Web Crypto API.
+ *
+ * FF1 requires raw AES block cipher (AES-ECB), which Web Crypto doesn't expose.
+ * We simulate AES-ECB using AES-CBC with a zero IV for single-block operations.
+ */
+/**
+ * AES-128 block cipher for FF1.
+ * Caches the imported CryptoKey for efficiency.
+ */
+export declare class Aes128 {
+    private keyPromise;
+    constructor(keyBytes: Uint8Array);
+    /**
+     * Encrypts a single 16-byte block using AES-128.
+     * Uses AES-CBC with zero IV, which is equivalent to AES-ECB for single blocks.
+     */
+    encryptBlock(block: Uint8Array): Promise<Uint8Array>;
+    /**
+     * AES-CBC-MAC: Chain multiple blocks using CBC mode.
+     * Returns the final encrypted block (the MAC).
+     */
+    cbcMac(blocks: Uint8Array[]): Promise<Uint8Array>;
+}
+//# sourceMappingURL=aes.d.ts.map

package/esm/aes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aes.d.ts","sourceRoot":"","sources":["../src/aes.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH;;;GAGG;AACH,qBAAa,MAAM;IACjB,OAAO,CAAC,UAAU,CAAqB;gBAE3B,QAAQ,EAAE,UAAU;IAchC;;;OAGG;IACG,YAAY,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;IAmB1D;;;OAGG;IACG,MAAM,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,UAAU,CAAC;CAgBxD"}

package/esm/aes.js

@@ -0,0 +1,62 @@
+/**
+ * AES-128 block cipher wrapper using Web Crypto API.
+ *
+ * FF1 requires raw AES block cipher (AES-ECB), which Web Crypto doesn't expose.
+ * We simulate AES-ECB using AES-CBC with a zero IV for single-block operations.
+ */
+// Web Crypto API accessor (same pattern as @tnid/core)
+// deno-lint-ignore no-explicit-any
+import * as dntShim from "./_dnt.shims.js";
+const crypto = dntShim.dntGlobalThis.crypto;
+/**
+ * AES-128 block cipher for FF1.
+ * Caches the imported CryptoKey for efficiency.
+ */
+export class Aes128 {
+    constructor(keyBytes) {
+        Object.defineProperty(this, "keyPromise", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        if (keyBytes.length !== 16) {
+            throw new Error(`AES-128 key must be 16 bytes, got ${keyBytes.length}`);
+        }
+        // Import key once and cache the promise
+        this.keyPromise = crypto.subtle.importKey("raw", keyBytes, { name: "AES-CBC" }, false, ["encrypt"]);
+    }
+    /**
+     * Encrypts a single 16-byte block using AES-128.
+     * Uses AES-CBC with zero IV, which is equivalent to AES-ECB for single blocks.
+     */
+    async encryptBlock(block) {
+        if (block.length !== 16) {
+            throw new Error(`AES block must be 16 bytes, got ${block.length}`);
+        }
+        const key = await this.keyPromise;
+        const iv = new Uint8Array(16); // Zero IV
+        // AES-CBC with zero IV for single block = AES-ECB
+        const result = await crypto.subtle.encrypt({ name: "AES-CBC", iv }, key, block);
+        // Result includes padding; we only need the first 16 bytes
+        return new Uint8Array(result, 0, 16);
+    }
+    /**
+     * AES-CBC-MAC: Chain multiple blocks using CBC mode.
+     * Returns the final encrypted block (the MAC).
+     */
+    async cbcMac(blocks) {
+        let state = new Uint8Array(16); // Start with zero block
+        for (const block of blocks) {
+            // XOR state with block
+            const xored = new Uint8Array(16);
+            for (let i = 0; i < 16; i++) {
+                xored[i] = state[i] ^ block[i];
+            }
+            // Encrypt and copy to new array to satisfy TypeScript
+            const encrypted = await this.encryptBlock(xored);
+            state = new Uint8Array(encrypted);
+        }
+        return state;
+    }
+}

package/esm/bits.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Bit manipulation for TNID encryption.
+ *
+ * These functions extract and expand the 100 Payload bits that are
+ * encrypted/decrypted, matching the Rust implementation exactly.
+ */
+export declare const RIGHT_SECRET_DATA_SECTION_MASK = 1152921504606846975n;
+export declare const MIDDLE_SECRET_DATA_SECTION_MASK = 75539416981840613867520n;
+export declare const LEFT_SECRET_DATA_SECTION_MASK = 324518552449500907168526845870080n;
+export declare const COMPLETE_SECRET_DATA_MASK: bigint;
+export declare const SECRET_DATA_BIT_NUM = 100;
+export declare const HEX_DIGIT_COUNT = 25;
+/**
+ * Extracts Payload bits (excludes Name bits, UUID-specific bits, and TNID Variant bits).
+ *
+ * Compacts the Payload bits from the three sections into a single 100-bit value.
+ * The returned bigint will have its lowest 100 bits populated with data,
+ * and the highest bits set to zero.
+ */
+export declare function extractSecretDataBits(id: bigint): bigint;
+/**
+ * Expands compacted Payload bits back into their positions.
+ *
+ * This is the inverse of extractSecretDataBits.
+ * `bits` should have its lowest 100 bits populated with Payload data.
+ */
+export declare function expandSecretDataBits(bits: bigint): bigint;
+/**
+ * Convert 100-bit value to 25 hex digits (each 0-15).
+ * Most significant digit first.
+ */
+export declare function toHexDigits(data: bigint): number[];
+/**
+ * Convert 25 hex digits back to 100-bit value.
+ */
+export declare function fromHexDigits(digits: number[]): bigint;
+/**
+ * Get the TNID variant from a 128-bit ID value.
+ */
+export declare function getVariant(id: bigint): "v0" | "v1" | "v2" | "v3";
+/**
+ * Change the variant bits in a 128-bit ID.
+ */
+export declare function setVariant(id: bigint, variant: "v0" | "v1"): bigint;
+//# sourceMappingURL=bits.d.ts.map

package/esm/bits.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bits.d.ts","sourceRoot":"","sources":["../src/bits.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,eAAO,MAAM,8BAA8B,uBAA0C,CAAC;AAGtF,eAAO,MAAM,+BAA+B,2BAA0C,CAAC;AAGvF,eAAO,MAAM,6BAA6B,qCAA0C,CAAC;AAGrF,eAAO,MAAM,yBAAyB,QAGP,CAAC;AAGhC,eAAO,MAAM,mBAAmB,MAAM,CAAC;AAGvC,eAAO,MAAM,eAAe,KAAK,CAAC;AAElC;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAaxD;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAezD;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAOlD;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAMtD;AAOD;;GAEG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAchE;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,IAAI,GAAG,MAAM,CAInE"}

package/esm/bits.js

@@ -0,0 +1,109 @@
+/**
+ * Bit manipulation for TNID encryption.
+ *
+ * These functions extract and expand the 100 Payload bits that are
+ * encrypted/decrypted, matching the Rust implementation exactly.
+ */
+// Mask for the right-most Payload bits section (bits 0-51, 52 bits)
+export const RIGHT_SECRET_DATA_SECTION_MASK = 0x00000000000000000fffffffffffffffn;
+// Mask for the middle Payload bits section (bits 64-75, 12 bits)
+export const MIDDLE_SECRET_DATA_SECTION_MASK = 0x0000000000000fff0000000000000000n;
+// Mask for the left-most Payload bits section (bits 80-107, 28 bits)
+export const LEFT_SECRET_DATA_SECTION_MASK = 0x00000fffffff00000000000000000000n;
+// Complete mask for all Payload bits (100 bits)
+export const COMPLETE_SECRET_DATA_MASK = RIGHT_SECRET_DATA_SECTION_MASK |
+    MIDDLE_SECRET_DATA_SECTION_MASK |
+    LEFT_SECRET_DATA_SECTION_MASK;
+// Number of Payload bits
+export const SECRET_DATA_BIT_NUM = 100;
+// Number of hex digits for FF1 (100 bits / 4 bits per hex digit)
+export const HEX_DIGIT_COUNT = 25;
+/**
+ * Extracts Payload bits (excludes Name bits, UUID-specific bits, and TNID Variant bits).
+ *
+ * Compacts the Payload bits from the three sections into a single 100-bit value.
+ * The returned bigint will have its lowest 100 bits populated with data,
+ * and the highest bits set to zero.
+ */
+export function extractSecretDataBits(id) {
+    // Right section stays in place
+    let extracted = id & RIGHT_SECRET_DATA_SECTION_MASK;
+    // Middle section: shift right by 4 to compact
+    const BETWEEN_MIDDLE_RIGHT = 4n;
+    extracted = extracted | ((id & MIDDLE_SECRET_DATA_SECTION_MASK) >> BETWEEN_MIDDLE_RIGHT);
+    // Left section: shift right by 8 to compact
+    const BETWEEN_LEFT_MIDDLE = BETWEEN_MIDDLE_RIGHT + 4n;
+    extracted = extracted | ((id & LEFT_SECRET_DATA_SECTION_MASK) >> BETWEEN_LEFT_MIDDLE);
+    return extracted;
+}
+/**
+ * Expands compacted Payload bits back into their positions.
+ *
+ * This is the inverse of extractSecretDataBits.
+ * `bits` should have its lowest 100 bits populated with Payload data.
+ */
+export function expandSecretDataBits(bits) {
+    // Right section stays in place
+    let expanded = bits & RIGHT_SECRET_DATA_SECTION_MASK;
+    // Middle section shifts left
+    const BETWEEN_MIDDLE_RIGHT = 4n;
+    const middleMask = MIDDLE_SECRET_DATA_SECTION_MASK >> BETWEEN_MIDDLE_RIGHT;
+    expanded = expanded | ((bits & middleMask) << BETWEEN_MIDDLE_RIGHT);
+    // Left section shifts left
+    const BETWEEN_LEFT_MIDDLE = BETWEEN_MIDDLE_RIGHT + 4n;
+    const leftMask = LEFT_SECRET_DATA_SECTION_MASK >> BETWEEN_LEFT_MIDDLE;
+    expanded = expanded | ((bits & leftMask) << BETWEEN_LEFT_MIDDLE);
+    return expanded;
+}
+/**
+ * Convert 100-bit value to 25 hex digits (each 0-15).
+ * Most significant digit first.
+ */
+export function toHexDigits(data) {
+    const hexDigits = new Array(HEX_DIGIT_COUNT);
+    for (let i = 0; i < HEX_DIGIT_COUNT; i++) {
+        const shift = BigInt((HEX_DIGIT_COUNT - 1 - i) * 4);
+        hexDigits[i] = Number((data >> shift) & 0xfn);
+    }
+    return hexDigits;
+}
+/**
+ * Convert 25 hex digits back to 100-bit value.
+ */
+export function fromHexDigits(digits) {
+    let result = 0n;
+    for (const digit of digits) {
+        result = (result << 4n) | BigInt(digit);
+    }
+    return result;
+}
+// Variant bit positions (bits 60-61 in the 128-bit TNID)
+const VARIANT_MASK = 3n << 60n;
+const V0_VARIANT = 0n << 60n;
+const V1_VARIANT = 1n << 60n;
+/**
+ * Get the TNID variant from a 128-bit ID value.
+ */
+export function getVariant(id) {
+    const variantBits = (id >> 60n) & 3n;
+    switch (variantBits) {
+        case 0n:
+            return "v0";
+        case 1n:
+            return "v1";
+        case 2n:
+            return "v2";
+        case 3n:
+            return "v3";
+        default:
+            throw new Error("Unreachable");
+    }
+}
+/**
+ * Change the variant bits in a 128-bit ID.
+ */
+export function setVariant(id, variant) {
+    const cleared = id & ~VARIANT_MASK;
+    const variantBits = variant === "v0" ? V0_VARIANT : V1_VARIANT;
+    return cleared | variantBits;
+}

package/esm/encryption.d.ts

@@ -0,0 +1,56 @@
+/**
+ * TNID encryption using FF1 Format-Preserving Encryption.
+ *
+ * Provides functions to convert V0 (time-ordered) TNIDs to V1 (random-looking)
+ * TNIDs and vice versa, hiding timestamp information while remaining reversible.
+ */
+/**
+ * Error when creating an EncryptionKey.
+ */
+export declare class EncryptionKeyError extends Error {
+    constructor(message: string);
+}
+/**
+ * Error when encrypting or decrypting a TNID.
+ */
+export declare class EncryptionError extends Error {
+    constructor(message: string);
+}
+/**
+ * A 128-bit (16 byte) encryption key for TNID encryption.
+ */
+export declare class EncryptionKey {
+    private readonly bytes;
+    private constructor();
+    /**
+     * Creates a new encryption key from raw bytes.
+     */
+    static fromBytes(bytes: Uint8Array): EncryptionKey;
+    /**
+     * Creates an encryption key from a 32-character hex string.
+     */
+    static fromHex(hex: string): EncryptionKey;
+    /**
+     * Returns the key as a byte array.
+     */
+    asBytes(): Uint8Array;
+}
+/**
+ * Encrypts a V0 TNID to V1, hiding timestamp information.
+ *
+ * @param tnid The V0 TNID string to encrypt
+ * @param key The encryption key
+ * @returns The encrypted V1 TNID string
+ * @throws EncryptionError if the TNID is not V0 or is invalid
+ */
+export declare function encryptV0ToV1(tnid: string, key: EncryptionKey): Promise<string>;
+/**
+ * Decrypts a V1 TNID back to V0, recovering timestamp information.
+ *
+ * @param tnid The V1 TNID string to decrypt
+ * @param key The encryption key (must match the one used for encryption)
+ * @returns The decrypted V0 TNID string
+ * @throws EncryptionError if the TNID is not V1 or is invalid
+ */
+export declare function decryptV1ToV0(tnid: string, key: EncryptionKey): Promise<string>;
+//# sourceMappingURL=encryption.d.ts.map

package/esm/encryption.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.d.ts","sourceRoot":"","sources":["../src/encryption.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAmBH;;GAEG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAa;IAEnC,OAAO;IAIP;;OAEG;IACH,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,GAAG,aAAa;IASlD;;OAEG;IACH,MAAM,CAAC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,aAAa;IAsB1C;;OAEG;IACH,OAAO,IAAI,UAAU;CAGtB;AA6DD;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAmCrF;AAED;;;;;;;GAOG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAmCrF"}