@ttctl/core 0.0.0 → 0.1.0-rc.1

package/dist/transport.d.ts

@@ -0,0 +1,408 @@
+import type { BrowserProfile } from "node-wreq";
+import { TtctlError } from "./auth/errors.js";
+import type { GraphQLRequest, ToptalSurface } from "./types.js";
+/**
+ * Thrown when an impersonated surface returns HTTP 403.
+ *
+ * Empirically, Chrome TLS impersonation alone passes Cloudflare on the
+ * surfaces TTCtl currently uses (`talent-profile`, `scheduler`) — see
+ * `hq/engineering/adr/ADR-005-auth-model.md`. A 403 here therefore
+ * means Cloudflare has flipped a feature flag (e.g. activated a Turnstile
+ * challenge or a new bot-management heuristic) that we don't currently
+ * handle. There is no documented manual workaround; the user is asked to
+ * file an issue so we can investigate.
+ *
+ * Refined under issue #77 to extend `TtctlError`. Carries the stable
+ * `code = 'CF_403_CLEARANCE'` and a short `recovery` hint that the CLI /
+ * MCP surfaces render alongside the existing multi-line `message`.
+ *
+ * See also `Cf403PersistentError` (defined for future use when an explicit
+ * retry-with-fresh-clearance heuristic is added — currently TTCtl cannot
+ * distinguish "clearance expired" from "persistent block" at runtime, so
+ * `Cf403Error` is the only class actually thrown by the transport).
+ */
+export declare class Cf403Error extends TtctlError {
+    readonly surface: ToptalSurface;
+    readonly endpoint: string;
+    readonly name = "Cf403Error";
+    readonly code = "CF_403_CLEARANCE";
+    readonly recovery: string;
+    constructor(surface: ToptalSurface, endpoint: string);
+    static formatMessage(surface: ToptalSurface, endpoint: string): string;
+}
+/**
+ * Thrown when Cloudflare is *persistently* blocking an impersonated surface
+ * — i.e. clearance refresh and re-attempts have failed and the only
+ * remaining recovery is the cookie-jar break-glass path documented in
+ * `SECURITY.md`.
+ *
+ * **Currently defined for future use.** TTCtl's transport has no automated
+ * retry-with-fresh-clearance heuristic, so a single 403 cannot be
+ * distinguished from a persistent block at runtime. The transport throws
+ * the more general `Cf403Error`. When a future iteration adds retry +
+ * clearance refresh, that layer will re-classify a confirmed-persistent
+ * block to `Cf403PersistentError`. See issue #77 § Out of Scope.
+ */
+export declare class Cf403PersistentError extends TtctlError {
+    readonly surface: ToptalSurface;
+    readonly endpoint: string;
+    readonly name = "Cf403PersistentError";
+    readonly code = "CF_403_PERSISTENT";
+    readonly recovery: string;
+    constructor(surface: ToptalSurface, endpoint: string, message?: string);
+}
+/**
+ * Thrown when the scheduler bearer token has expired.
+ *
+ * **Scaffolded for post-v1 scheduler-surface coverage.** TTCtl currently
+ * has no scheduler operations wired in; transport routes scheduler →
+ * impersonated, but no service module issues scheduler GraphQL calls. When
+ * scheduler coverage lands (post-v1), this class will be thrown by the
+ * scheduler service module on bearer-expiry detection.
+ *
+ * `autoRecover = true` signals to the transport layer that an automated
+ * re-mint via `GetTopSchedulerToken` should be attempted once before
+ * surfacing this error. The auto-recovery contract is intentionally
+ * defined here so callers can plan against it; the actual re-mint
+ * orchestration ships with the scheduler surface implementation.
+ */
+export declare class SchedulerBearerExpired extends TtctlError {
+    readonly name = "SchedulerBearerExpired";
+    readonly code = "SCHEDULER_BEARER_EXPIRED";
+    readonly recovery = "Scheduler bearer token expired; will be re-minted automatically on next call.";
+    readonly autoRecover = true;
+    constructor(message?: string);
+}
+/**
+ * Thrown when a transport receives an HTTP 3xx redirect carrying a
+ * `Location` header.
+ *
+ * TTCtl talks to fixed GraphQL endpoints; none of them legitimately
+ * redirect. A 3xx is therefore an anomaly — most plausibly Cloudflare or
+ * Toptal's edge flipping an infrastructure flag (mirror of the
+ * {@link Cf403Error} case), or a misconfigured DNS / edge change.
+ *
+ * Defense-in-depth posture (issue #268): every transport entry point has a
+ * no-follow redirect policy — `redirect: "manual"` pinned explicitly on
+ * `node-wreq`, and structurally on `undici` (its `request()` on the
+ * default dispatcher never follows redirects; redirect following is an
+ * opt-in interceptor TTCtl does not install). A 3xx is therefore returned
+ * verbatim rather than followed, and {@link executeWithResilience}
+ * inspects the status and throws this typed error rather than handing the
+ * redirect body back to a caller that would not know how to interpret it.
+ *
+ * Refusing to follow is the security-relevant property: a followed
+ * cross-origin redirect would leak the request body (operation name +
+ * variables) to the redirect target even though `node-wreq` strips the
+ * `authorization` header on cross-origin hops. Pinning `node-wreq`'s
+ * policy keeps that guarantee from depending on a transitive library
+ * default (it ships `redirect: "follow"` by default).
+ *
+ * Carries `surface`, `endpoint`, `status`, and `location` — the
+ * `Location` header value is a URL, not a credential, so it is safe to
+ * surface in the message and in diagnostic traces for operator triage.
+ */
+export declare class RedirectError extends TtctlError {
+    readonly surface: ToptalSurface;
+    readonly endpoint: string;
+    readonly status: number;
+    readonly location: string;
+    readonly name = "RedirectError";
+    readonly code = "REDIRECT_REFUSED";
+    readonly recovery: string;
+    constructor(surface: ToptalSurface, endpoint: string, status: number, location: string);
+    static formatMessage(surface: ToptalSurface, endpoint: string, status: number, location: string): string;
+}
+/**
+ * Return the `Location` value if `status` + `headers` describe an HTTP
+ * redirect — a {@link REDIRECT_STATUS_CODES} status carrying a `Location`
+ * header — and `undefined` otherwise.
+ *
+ * Shared by {@link executeWithResilience} and the photo-upload path's
+ * hand-rolled `node-wreq` fetch (`multipartImpersonatedFetch` in
+ * `services/profile/basic/index.ts`) so every transport path enforces the
+ * same no-follow posture (issue #268). A 3xx WITHOUT a `Location` header
+ * is not a redirect — there is nothing to follow — so it returns
+ * `undefined` and the caller returns the response verbatim.
+ *
+ * The caller decides what to do with a positive result: throw a
+ * {@link RedirectError}. Detection and reaction are split so each call
+ * site can emit its own diagnostic-trace record before throwing, matching
+ * how each already handles the {@link Cf403Error} case.
+ */
+export declare function getRedirectLocation(status: number, headers: Record<string, string>): string | undefined;
+/**
+ * TLS-impersonation profile. Pinned as a coupled pair with `USER_AGENT` —
+ * see the `tls-fingerprinting` skill on identity-catalog freshness: WAFs
+ * cross-validate the User-Agent string against the JA4 hash, so the profile
+ * and UA must both name the same Chrome version. Bump them together when
+ * `node-wreq` publishes a newer profile.
+ *
+ * Currently `chrome_145` because that is the freshest profile published in
+ * `node-wreq@2.2.1`. The Rust upstream `wreq` crate has `chrome_146` in
+ * its release-candidate stream but the Node bindings have not yet shipped a
+ * matching release. Track upstream and bump.
+ */
+export declare const IMPERSONATE_PROFILE: BrowserProfile;
+export interface TransportRequest {
+    surface: ToptalSurface;
+    body: GraphQLRequest;
+    /**
+     * Bearer-style session token captured from `EmailPasswordSignIn`'s
+     * `SignInPayload.token`. When present, sent as
+     * `Authorization: Token token=<X>` — the canonical Rails
+     * `ActionController::HttpAuthentication::Token` format that Toptal's
+     * GraphQL services use to authenticate. Empirically validated as the
+     * sole auth mechanism on both the mobile gateway and the
+     * Cloudflare-protected `talent-profile` surface (see issue #59 and
+     * `hq/engineering/adr/ADR-005-auth-model.md`).
+     */
+    authToken?: string;
+    /**
+     * Caller-supplied abort signal. When the signal aborts, an in-flight
+     * request is cancelled and any pending retry backoff sleep returns
+     * immediately. Wired through to the MCP server's per-tool-call
+     * cancellation so a client that revokes a tool invocation actually
+     * tears down the upstream socket (issue #229).
+     *
+     * The transport composes this signal with a per-attempt internal
+     * timeout (default 30 s, overridable via `TTCTL_TRANSPORT_TIMEOUT_MS`)
+     * via `AbortSignal.any`, so a wedged Cloudflare connection times out
+     * even when no caller signal is supplied.
+     */
+    signal?: AbortSignal;
+}
+export interface TransportResponse {
+    status: number;
+    headers: Record<string, string>;
+    body: unknown;
+}
+/**
+ * Token redaction marker used by {@link buildDryRunPreview} when an
+ * `authToken` is present on the source request. Exposed as a constant so
+ * tests assert on the exact wire shape and so future code never reaches
+ * for the bearer literal by mistake.
+ */
+export declare const DRY_RUN_REDACTED_AUTHORIZATION: "Token token=<redacted>";
+/**
+ * Structured "would-have-sent" preview returned by mutation entry points
+ * when invoked with `dryRun: true` (issue #52). Mirrors the shape an
+ * actual {@link stockTransport} or {@link impersonatedTransport} call
+ * would build internally, with the bearer token replaced by
+ * {@link DRY_RUN_REDACTED_AUTHORIZATION} so the preview can be safely
+ * emitted to stdout / piped to `jq` without leaking session credentials.
+ *
+ * The variable shape, operation name, and surface match the request that
+ * WOULD have been sent had `dryRun` been false — including any
+ * placeholder fields (e.g. `profileId`) that would have been resolved via
+ * a sibling read call at execution time. Mutation entry points
+ * substitute placeholder strings rather than firing the read side, so
+ * the dry-run path has zero network I/O — every transport (read or
+ * write) stays uncalled. See `set()` in `services/profile/basic/index.ts`
+ * for the canonical pattern.
+ *
+ * Wire shape (`{ operation, variables, transport, surface, headers }`)
+ * is locked under the v0.4 envelope contract (#128) — see
+ * {@link DryRunEnvelope} on the CLI side.
+ */
+export interface DryRunPreview {
+    /**
+     * Logical surface that would have been called. Drives the transport
+     * choice (stock vs impersonated) and is surfaced verbatim in the wire
+     * payload for downstream tooling.
+     */
+    surface: ToptalSurface;
+    /**
+     * Transport classification — `"stock"` for the mobile gateway,
+     * `"impersonated"` for Cloudflare-protected surfaces. Derived from
+     * {@link SURFACES_REQUIRING_IMPERSONATION} so the preview always
+     * reflects the actual transport that would have been used.
+     */
+    transport: "stock" | "impersonated";
+    /**
+     * Concrete URL for the surface — read off {@link SURFACE_ENDPOINTS}.
+     * Useful for piping into curl-style replay tooling (post-AC future
+     * work; tracked in #52 § Out of Scope).
+     */
+    endpoint: string;
+    /** GraphQL operation name (e.g. `"UPDATE_BASIC_INFO"`). */
+    operationName: string;
+    /**
+     * GraphQL variables payload that would have been sent. Mutation entry
+     * points substitute placeholder strings for fields that would be
+     * resolved via sibling read calls at execution time — callers reading
+     * the preview should NOT treat placeholder values as real ids.
+     */
+    variables: Record<string, unknown>;
+    /**
+     * Headers as they would be sent on the wire, with the `authorization`
+     * value replaced by {@link DRY_RUN_REDACTED_AUTHORIZATION} when an
+     * `authToken` was set on the source request. All other headers
+     * (accept, accept-language, content-type, origin, referer, etc.)
+     * surface verbatim — they carry no session-bound material.
+     */
+    headers: Record<string, string>;
+}
+/**
+ * Build a {@link DryRunPreview} from a {@link TransportRequest} without
+ * invoking any transport. Pure — no I/O, no allocations beyond the
+ * returned object.
+ *
+ * The headers projection mirrors what {@link stockTransport} and
+ * {@link impersonatedTransport} would have set (`COMMON_HEADERS` plus
+ * `authorization` when `authToken` is present), with the bearer value
+ * redacted to {@link DRY_RUN_REDACTED_AUTHORIZATION}. The transport
+ * classification is derived from
+ * {@link SURFACES_REQUIRING_IMPERSONATION} so changes to that set
+ * propagate automatically.
+ *
+ * Mutation entry points call this AFTER they've populated their
+ * `body.variables` with placeholder substitutions for any fields that
+ * would have been resolved at execution time (e.g. `profileId`) —
+ * keeping the read-side transport call out of the dry-run path entirely.
+ * See `set()` in `services/profile/basic/index.ts` for the pattern.
+ */
+export declare function buildDryRunPreview(req: TransportRequest): DryRunPreview;
+/**
+ * Choose transport per surface. The mobile gateway accepts stock TLS;
+ * `talent-profile` and `scheduler` require Chrome TLS-fingerprint impersonation
+ * to clear Cloudflare's bot-management.
+ */
+export declare function callSurface(req: TransportRequest): Promise<TransportResponse>;
+/**
+ * Stock HTTP via undici. Used for the mobile gateway endpoint, which doesn't
+ * gate on TLS fingerprint.
+ *
+ * Resilience (#229): wraps the network call in a retry loop that handles
+ * HTTP 429 (with `Retry-After` honoring) and 5xx with bounded exponential
+ * backoff, applies a per-attempt timeout, and propagates the caller's
+ * `AbortSignal` so an MCP client cancel actually tears down the in-flight
+ * request. Final failures surface as a typed {@link TransportError}.
+ */
+export declare function stockTransport(req: TransportRequest): Promise<TransportResponse>;
+/**
+ * Impersonated HTTP via `node-wreq` (Rust + BoringSSL). Used for the
+ * Cloudflare-protected `talent-profile` and `scheduler` surfaces.
+ *
+ * The `browser` option drives node-wreq's TLS ClientHello and HTTP/2
+ * SETTINGS frame to match the bundled Chrome profile (see `IMPERSONATE_PROFILE`).
+ * Empirically this fingerprint alone clears Cloudflare on the surfaces TTCtl
+ * uses; no `cf_clearance` cookie is required in the happy path.
+ *
+ * Header-tuple ordering is left as a future tightening — currently we pass
+ * a plain `Record<string, string>` matching `stockTransport`'s shape so the
+ * two transports stay symmetric. JA4H header-name ordering is a secondary
+ * detection vector relative to JA4 / Akamai HTTP/2; revisit if empirical
+ * blocks indicate it matters.
+ *
+ * Resilience (#229): wraps the network call in the same retry / timeout /
+ * abort loop as {@link stockTransport}. `Cf403Error` propagates as a
+ * non-retryable typed error — the 403 is signalled to Cloudflare's
+ * bot-management WAF, not a transient condition.
+ */
+export declare function impersonatedTransport(req: TransportRequest): Promise<TransportResponse>;
+/**
+ * One file slot in a GraphQL multipart request — the binary content plus the
+ * filename and (optional) content-type the server will see in the
+ * `Content-Disposition` of the corresponding form part. The variable path
+ * the file binds to is supplied separately via the `map` argument of
+ * {@link buildGraphQLMultipart}, keeping this struct purely about file
+ * material.
+ */
+export interface MultipartFile {
+    filename: string;
+    content: Buffer | Uint8Array;
+    contentType?: string;
+}
+/**
+ * Multipart variant of {@link TransportRequest} for GraphQL operations that
+ * carry one or more `Upload`-typed variables. The caller supplies the file
+ * material and a `map` describing where each file slots into the
+ * `variables` tree (per the GraphQL multipart request spec —
+ * https://github.com/jaydenseric/graphql-multipart-request-spec).
+ *
+ * The `body` carries the operation envelope as in JSON requests; the
+ * variables it sends include `null` placeholders at the file slots, and the
+ * `map` form field tells the server how to reconstitute them from the
+ * trailing file parts.
+ */
+export interface MultipartTransportRequest {
+    surface: ToptalSurface;
+    body: GraphQLRequest;
+    authToken?: string;
+    /**
+     * Files keyed by an arbitrary slot label. The label is what the spec
+     * calls the "file part name" — appears as the form-part name (`"0"`,
+     * `"1"`, …) and as the key in `map` that points to the variable path(s)
+     * the file binds to.
+     */
+    files: Record<string, MultipartFile>;
+    /**
+     * GraphQL multipart map: `slotLabel → [variablePath, ...]`. Variable
+     * paths are dotted strings (e.g. `"variables.input.file"`). The same file
+     * may bind to multiple variable paths (the spec allows it) but TTCtl's
+     * services use a 1:1 mapping today.
+     */
+    map: Record<string, string[]>;
+    /**
+     * Caller-supplied abort signal. See {@link TransportRequest.signal} for
+     * full semantics — wired identically into the multipart upload path so
+     * an MCP `cancel` request actually tears down the file upload mid-flight.
+     */
+    signal?: AbortSignal;
+}
+/**
+ * Build a `globalThis.FormData` payload conforming to the GraphQL multipart
+ * request spec (https://github.com/jaydenseric/graphql-multipart-request-spec).
+ * The wire layout is:
+ *
+ * ```
+ * --boundary
+ * Content-Disposition: form-data; name="operations"
+ * <JSON-encoded { operationName, query, variables }>
+ *
+ * --boundary
+ * Content-Disposition: form-data; name="map"
+ * <JSON-encoded { "0": ["variables.input.file"], ... }>
+ *
+ * --boundary
+ * Content-Disposition: form-data; name="0"; filename="<filename>"
+ * Content-Type: <contentType>
+ * <binary>
+ *
+ * --boundary--
+ * ```
+ *
+ * `node-wreq`'s `BodyInit` accepts `FormData` directly (verified against
+ * `node-wreq@2.2.1`'s `dist/types/shared.d.ts` — `BodyInit` includes
+ * `FormData`). When the body is a `FormData`, the runtime sets the
+ * `Content-Type: multipart/form-data; boundary=...` header automatically;
+ * the caller should NOT pre-set a JSON content-type or it will be
+ * overwritten with the boundary-aware multipart one.
+ *
+ * Pure function — no I/O. Tests construct expected `FormData` instances
+ * and inspect the entries via `for-of` iteration.
+ */
+export declare function buildGraphQLMultipart(body: GraphQLRequest, files: Record<string, MultipartFile>, map: Record<string, string[]>): FormData;
+/**
+ * Multipart variant of {@link impersonatedTransport}. Sends a
+ * GraphQL-multipart-spec request through the impersonated transport so
+ * file-upload mutations (`uploadResume`, `uploadPortfolioCover`,
+ * `uploadPortfolioFile`) clear Cloudflare on the `talent-profile` surface.
+ *
+ * Why a separate function rather than overloading `impersonatedTransport`:
+ * the JSON path sets `content-type: application/json` and stringifies the
+ * body; the multipart path lets the runtime supply the multipart
+ * content-type with its own boundary and passes the `FormData` through
+ * unchanged. The two paths have different body wire formats and different
+ * header expectations, so they are kept as separate functions for clarity.
+ *
+ * Errors:
+ * - `Cf403Error` on HTTP 403 (Cloudflare bot-management has tightened — see
+ *   the `Cf403Error` doc-comment for the recovery hint).
+ * - All other transport-level failures propagate as the underlying
+ *   `node-wreq` error; service callers wrap them in their domain-specific
+ *   `*Error` with `code: 'NETWORK_ERROR'`.
+ */
+export declare function impersonatedMultipartTransport(req: MultipartTransportRequest): Promise<TransportResponse>;
+//# sourceMappingURL=transport.d.ts.map

package/dist/transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"transport.d.ts","sourceRoot":"","sources":["../src/transport.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAGhD,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAa9C,OAAO,KAAK,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,qBAAa,UAAW,SAAQ,UAAU;aAQtB,OAAO,EAAE,aAAa;aACtB,QAAQ,EAAE,MAAM;IARlC,SAAkB,IAAI,gBAAgB;IACtC,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,SAEwE;gBAGvE,OAAO,EAAE,aAAa,EACtB,QAAQ,EAAE,MAAM;IAKlC,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;CAWvE;AAED;;;;;;;;;;;;GAYG;AACH,qBAAa,oBAAqB,SAAQ,UAAU;aAShC,OAAO,EAAE,aAAa;aACtB,QAAQ,EAAE,MAAM;IATlC,SAAkB,IAAI,0BAA0B;IAChD,QAAQ,CAAC,IAAI,uBAAuB;IACpC,QAAQ,CAAC,QAAQ,SAGwD;gBAGvD,OAAO,EAAE,aAAa,EACtB,QAAQ,EAAE,MAAM,EAChC,OAAO,GAAE,MAA8E;CAI1F;AAED;;;;;;;;;;;;;;GAcG;AACH,qBAAa,sBAAuB,SAAQ,UAAU;IACpD,SAAkB,IAAI,4BAA4B;IAClD,QAAQ,CAAC,IAAI,8BAA8B;IAC3C,QAAQ,CAAC,QAAQ,mFAAmF;IACpG,SAAkB,WAAW,QAAQ;gBAEzB,OAAO,GAAE,MAA0C;CAGhE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,qBAAa,aAAc,SAAQ,UAAU;aAUzB,OAAO,EAAE,aAAa;aACtB,QAAQ,EAAE,MAAM;aAChB,MAAM,EAAE,MAAM;aACd,QAAQ,EAAE,MAAM;IAZlC,SAAkB,IAAI,mBAAmB;IACzC,QAAQ,CAAC,IAAI,sBAAsB;IACnC,QAAQ,CAAC,QAAQ,SAIW;gBAGV,OAAO,EAAE,aAAa,EACtB,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,EACd,QAAQ,EAAE,MAAM;IAKlC,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM;CAYzG;AA2BD;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,GAAG,SAAS,CAGvG;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB,EAAE,cAA6B,CAAC;AAsBhE,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,aAAa,CAAC;IACvB,IAAI,EAAE,cAAc,CAAC;IACrB;;;;;;;;;OASG;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;;;;;;;OAWG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAChC,IAAI,EAAE,OAAO,CAAC;CACf;AAED;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,EAAG,wBAAiC,CAAC;AAEhF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,WAAW,aAAa;IAC5B;;;;OAIG;IACH,OAAO,EAAE,aAAa,CAAC;IACvB;;;;;OAKG;IACH,SAAS,EAAE,OAAO,GAAG,cAAc,CAAC;IACpC;;;;OAIG;IACH,QAAQ,EAAE,MAAM,CAAC;IACjB,2DAA2D;IAC3D,aAAa,EAAE,MAAM,CAAC;IACtB;;;;;OAKG;IACH,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACjC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,gBAAgB,GAAG,aAAa,CAevE;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAKnF;AAED;;;;;;;;;GASG;AACH,wBAAsB,cAAc,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAsDtF;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,qBAAqB,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAsE7F;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,yBAAyB;IACxC,OAAO,EAAE,aAAa,CAAC;IACvB,IAAI,EAAE,cAAc,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IACrC;;;;;OAKG;IACH,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC9B;;;;OAIG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,wBAAgB,qBAAqB,CACnC,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAAC,EACpC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,GAC5B,QAAQ,CAWV;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,8BAA8B,CAAC,GAAG,EAAE,yBAAyB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA0E/G"}