@usehercules/convex 0.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +478 -0
- package/dist/_generated/component.d.ts +184 -0
- package/dist/_generated/component.d.ts.map +1 -0
- package/dist/_generated/component.js +11 -0
- package/dist/_generated/component.js.map +1 -0
- package/dist/checker/cli.d.ts +3 -0
- package/dist/checker/cli.d.ts.map +1 -0
- package/dist/checker/cli.js +71 -0
- package/dist/checker/cli.js.map +1 -0
- package/dist/checker/index.d.ts +28 -0
- package/dist/checker/index.d.ts.map +1 -0
- package/dist/checker/index.js +1928 -0
- package/dist/checker/index.js.map +1 -0
- package/dist/client/access-admin.d.ts +818 -0
- package/dist/client/access-admin.d.ts.map +1 -0
- package/dist/client/access-admin.js +1830 -0
- package/dist/client/access-admin.js.map +1 -0
- package/dist/client/http.d.ts +19 -0
- package/dist/client/http.d.ts.map +1 -0
- package/dist/client/http.js +76 -0
- package/dist/client/http.js.map +1 -0
- package/dist/client/index.d.ts +440 -0
- package/dist/client/index.d.ts.map +1 -0
- package/dist/client/index.js +654 -0
- package/dist/client/index.js.map +1 -0
- package/dist/component/authz.d.ts +114 -0
- package/dist/component/authz.d.ts.map +1 -0
- package/dist/component/authz.js +168 -0
- package/dist/component/authz.js.map +1 -0
- package/dist/component/checks.d.ts +86 -0
- package/dist/component/checks.d.ts.map +1 -0
- package/dist/component/checks.js +184 -0
- package/dist/component/checks.js.map +1 -0
- package/dist/component/convex.config.d.ts +3 -0
- package/dist/component/convex.config.d.ts.map +1 -0
- package/dist/component/convex.config.js +3 -0
- package/dist/component/convex.config.js.map +1 -0
- package/dist/component/effective.d.ts +82 -0
- package/dist/component/effective.d.ts.map +1 -0
- package/dist/component/effective.js +757 -0
- package/dist/component/effective.js.map +1 -0
- package/dist/component/queries.d.ts +170 -0
- package/dist/component/queries.d.ts.map +1 -0
- package/dist/component/queries.js +633 -0
- package/dist/component/queries.js.map +1 -0
- package/dist/component/schema.d.ts +258 -0
- package/dist/component/schema.d.ts.map +1 -0
- package/dist/component/schema.js +222 -0
- package/dist/component/schema.js.map +1 -0
- package/dist/component/sync.d.ts +85 -0
- package/dist/component/sync.d.ts.map +1 -0
- package/dist/component/sync.js +851 -0
- package/dist/component/sync.js.map +1 -0
- package/dist/shared/projection-protocol.d.ts +1624 -0
- package/dist/shared/projection-protocol.d.ts.map +1 -0
- package/dist/shared/projection-protocol.js +561 -0
- package/dist/shared/projection-protocol.js.map +1 -0
- package/dist/shared/sync.d.ts +24 -0
- package/dist/shared/sync.d.ts.map +1 -0
- package/dist/shared/sync.js +18 -0
- package/dist/shared/sync.js.map +1 -0
- package/dist/shared/token.d.ts +5 -0
- package/dist/shared/token.d.ts.map +1 -0
- package/dist/shared/token.js +19 -0
- package/dist/shared/token.js.map +1 -0
- package/package.json +89 -0
|
@@ -0,0 +1,633 @@
|
|
|
1
|
+
import { queryGeneric, } from "convex/server";
|
|
2
|
+
import { paginator } from "convex-helpers/server/pagination";
|
|
3
|
+
import { v } from "convex/values";
|
|
4
|
+
import { evaluatePermissionDecision } from "./checks";
|
|
5
|
+
import { collectPrincipalIds, enumeratePermissions, evaluateEffectiveAccess, } from "./effective";
|
|
6
|
+
import { parseTokenIdentifier } from "../shared/token";
|
|
7
|
+
import schema from "./schema";
|
|
8
|
+
const DEFAULT_SCOPE_SENTINEL = "__hercules_default_scope__";
|
|
9
|
+
// Public within the component boundary (parent-facing API; see checks.ts).
|
|
10
|
+
const query = queryGeneric;
|
|
11
|
+
// The external RoleSummary surface still reports `roleKind: "system" | "custom"`
|
|
12
|
+
// (client/index.ts + the generated component shape). v3 roles carry `source`
|
|
13
|
+
// (system | iam | tenant) instead of the old `kind`. A tenant (org-authored)
|
|
14
|
+
// role is "custom"; reusable catalog roles (system or iam) are "system".
|
|
15
|
+
function roleKindFromSource(source) {
|
|
16
|
+
return source === "tenant" ? "custom" : "system";
|
|
17
|
+
}
|
|
18
|
+
export const getDeploymentEntryStatus = query({
|
|
19
|
+
args: { tokenIdentifier: v.optional(v.string()) },
|
|
20
|
+
handler: async (ctx, args) => {
|
|
21
|
+
if (!args.tokenIdentifier) {
|
|
22
|
+
return { kind: "fallback", reason: "identity_missing" };
|
|
23
|
+
}
|
|
24
|
+
const state = await ctx.db.query("sync_state").unique();
|
|
25
|
+
if (!state) {
|
|
26
|
+
return { kind: "fallback", reason: "mirror_not_ready" };
|
|
27
|
+
}
|
|
28
|
+
const token = parseTokenIdentifier(args.tokenIdentifier);
|
|
29
|
+
if (!token) {
|
|
30
|
+
return {
|
|
31
|
+
kind: "fallback",
|
|
32
|
+
reason: "identity_invalid",
|
|
33
|
+
stateVersion: state.sourceVersion,
|
|
34
|
+
};
|
|
35
|
+
}
|
|
36
|
+
if (token.issuer !== state.expectedIssuer) {
|
|
37
|
+
return {
|
|
38
|
+
kind: "fallback",
|
|
39
|
+
reason: "unexpected_issuer",
|
|
40
|
+
stateVersion: state.sourceVersion,
|
|
41
|
+
};
|
|
42
|
+
}
|
|
43
|
+
const scope = await ctx.db
|
|
44
|
+
.query("scopes")
|
|
45
|
+
.withIndex("by_kind", (q) => q.eq("kind", "default"))
|
|
46
|
+
.unique();
|
|
47
|
+
if (!scope || scope.status !== "active") {
|
|
48
|
+
return {
|
|
49
|
+
kind: "fallback",
|
|
50
|
+
reason: "default_scope_missing",
|
|
51
|
+
stateVersion: state.sourceVersion,
|
|
52
|
+
};
|
|
53
|
+
}
|
|
54
|
+
const principal = await ctx.db
|
|
55
|
+
.query("principals")
|
|
56
|
+
.withIndex("by_scope_auth_user", (q) => q.eq("accessScopeId", scope.accessScopeId).eq("herculesAuthUserId", token.subject))
|
|
57
|
+
.unique();
|
|
58
|
+
if (!principal || principal.type !== "user") {
|
|
59
|
+
return {
|
|
60
|
+
kind: "fallback",
|
|
61
|
+
reason: "principal_missing",
|
|
62
|
+
stateVersion: state.sourceVersion,
|
|
63
|
+
};
|
|
64
|
+
}
|
|
65
|
+
return {
|
|
66
|
+
kind: "principal",
|
|
67
|
+
principalId: principal.principalId,
|
|
68
|
+
status: principal.status,
|
|
69
|
+
stateVersion: state.sourceVersion,
|
|
70
|
+
};
|
|
71
|
+
},
|
|
72
|
+
});
|
|
73
|
+
export const listMyMemberships = query({
|
|
74
|
+
args: { tokenIdentifier: v.optional(v.string()) },
|
|
75
|
+
handler: async (ctx, args) => {
|
|
76
|
+
if (!args.tokenIdentifier)
|
|
77
|
+
return [];
|
|
78
|
+
const state = await ctx.db.query("sync_state").unique();
|
|
79
|
+
if (!state)
|
|
80
|
+
return [];
|
|
81
|
+
const token = parseTokenIdentifier(args.tokenIdentifier);
|
|
82
|
+
if (!token || token.issuer !== state.expectedIssuer)
|
|
83
|
+
return [];
|
|
84
|
+
const principals = await ctx.db
|
|
85
|
+
.query("principals")
|
|
86
|
+
.withIndex("by_auth_user", (q) => q.eq("herculesAuthUserId", token.subject))
|
|
87
|
+
.collect();
|
|
88
|
+
const memberships = [];
|
|
89
|
+
for (const principal of principals) {
|
|
90
|
+
const scope = await ctx.db
|
|
91
|
+
.query("scopes")
|
|
92
|
+
.withIndex("by_scope_id", (q) => q.eq("accessScopeId", principal.accessScopeId))
|
|
93
|
+
.unique();
|
|
94
|
+
if (!scope)
|
|
95
|
+
continue;
|
|
96
|
+
if (scope.status === "disabled")
|
|
97
|
+
continue;
|
|
98
|
+
const roles = await collectPrincipalScopeRoles(ctx, {
|
|
99
|
+
principalId: principal.principalId,
|
|
100
|
+
scopeId: principal.accessScopeId,
|
|
101
|
+
});
|
|
102
|
+
if (roles.length === 0)
|
|
103
|
+
continue;
|
|
104
|
+
memberships.push({
|
|
105
|
+
scopeId: scope.accessScopeId,
|
|
106
|
+
scopeName: scope.name,
|
|
107
|
+
kind: scope.kind,
|
|
108
|
+
roles,
|
|
109
|
+
joinedAt: principal.joinedAt,
|
|
110
|
+
status: principal.status,
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
return memberships;
|
|
114
|
+
},
|
|
115
|
+
});
|
|
116
|
+
export const listMyRoles = query({
|
|
117
|
+
args: { tokenIdentifier: v.optional(v.string()), scopeId: v.string() },
|
|
118
|
+
handler: async (ctx, args) => {
|
|
119
|
+
if (!args.tokenIdentifier)
|
|
120
|
+
return [];
|
|
121
|
+
const state = await ctx.db.query("sync_state").unique();
|
|
122
|
+
if (!state)
|
|
123
|
+
return [];
|
|
124
|
+
const token = parseTokenIdentifier(args.tokenIdentifier);
|
|
125
|
+
if (!token || token.issuer !== state.expectedIssuer)
|
|
126
|
+
return [];
|
|
127
|
+
// E5: resolve the scope through resolveScopeRow so the
|
|
128
|
+
// __hercules_default_scope__ sentinel maps to the real default scope (the
|
|
129
|
+
// other queries already do this; using the sentinel literally never matched
|
|
130
|
+
// a row, so this returned []). Use the RESOLVED accessScopeId for the
|
|
131
|
+
// principal and role lookups.
|
|
132
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
133
|
+
if (!scope || scope.status === "disabled")
|
|
134
|
+
return [];
|
|
135
|
+
const principal = await ctx.db
|
|
136
|
+
.query("principals")
|
|
137
|
+
.withIndex("by_scope_auth_user", (q) => q.eq("accessScopeId", scope.accessScopeId).eq("herculesAuthUserId", token.subject))
|
|
138
|
+
.unique();
|
|
139
|
+
if (!principal)
|
|
140
|
+
return [];
|
|
141
|
+
return collectPrincipalScopeRoles(ctx, {
|
|
142
|
+
principalId: principal.principalId,
|
|
143
|
+
scopeId: scope.accessScopeId,
|
|
144
|
+
});
|
|
145
|
+
},
|
|
146
|
+
});
|
|
147
|
+
export const getEffectivePermissions = query({
|
|
148
|
+
args: {
|
|
149
|
+
tokenIdentifier: v.optional(v.string()),
|
|
150
|
+
scopeId: v.string(),
|
|
151
|
+
resourceType: v.optional(v.string()),
|
|
152
|
+
resourceId: v.optional(v.string()),
|
|
153
|
+
ancestors: v.optional(v.array(v.object({ resourceType: v.string(), resourceId: v.string() }))),
|
|
154
|
+
},
|
|
155
|
+
handler: async (ctx, args) => {
|
|
156
|
+
const evaluation = await evaluateEffectiveAccess(ctx, args);
|
|
157
|
+
const permissions = enumeratePermissions(evaluation.catalogPermissions, evaluation.wildcard, evaluation.entries, args);
|
|
158
|
+
return {
|
|
159
|
+
allowed: evaluation.allowed,
|
|
160
|
+
reasonCode: evaluation.reasonCode,
|
|
161
|
+
sourceVersion: evaluation.sourceVersion,
|
|
162
|
+
scopeId: evaluation.scopeId,
|
|
163
|
+
principalId: evaluation.principalId,
|
|
164
|
+
effectiveRoleIds: evaluation.effectiveRoleIds,
|
|
165
|
+
wildcard: evaluation.wildcard,
|
|
166
|
+
permissions: permissions.map((permission) => permission.key),
|
|
167
|
+
};
|
|
168
|
+
},
|
|
169
|
+
});
|
|
170
|
+
export const listScopeMemberDirectory = query({
|
|
171
|
+
args: {
|
|
172
|
+
tokenIdentifier: v.optional(v.string()),
|
|
173
|
+
scopeId: v.string(),
|
|
174
|
+
cursor: v.optional(v.string()),
|
|
175
|
+
limit: v.optional(v.number()),
|
|
176
|
+
},
|
|
177
|
+
handler: async (ctx, args) => {
|
|
178
|
+
if (!(await callerHasScopePermission(ctx, args, "app.members:read"))) {
|
|
179
|
+
return { members: [] };
|
|
180
|
+
}
|
|
181
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
182
|
+
if (!scope)
|
|
183
|
+
return { members: [] };
|
|
184
|
+
const limit = args.limit ?? 50;
|
|
185
|
+
if (!Number.isInteger(limit) || limit < 1 || limit > 100) {
|
|
186
|
+
throw new Error("listScopeMemberDirectory limit must be an integer from 1 to 100");
|
|
187
|
+
}
|
|
188
|
+
const page = await paginator(ctx.db, schema)
|
|
189
|
+
.query("principals")
|
|
190
|
+
.withIndex("by_scope_status_type", (q) => q
|
|
191
|
+
.eq("accessScopeId", scope.accessScopeId)
|
|
192
|
+
.eq("status", "active")
|
|
193
|
+
.eq("type", "user"))
|
|
194
|
+
.paginate({ cursor: args.cursor ?? null, numItems: limit });
|
|
195
|
+
const members = (await Promise.all(page.page.map(async (principal) => {
|
|
196
|
+
if (!principal.herculesAuthUserId)
|
|
197
|
+
return null;
|
|
198
|
+
const user = await ctx.db
|
|
199
|
+
.query("users")
|
|
200
|
+
.withIndex("by_auth_user_id", (q) => q.eq("herculesAuthUserId", principal.herculesAuthUserId))
|
|
201
|
+
.unique();
|
|
202
|
+
if (!user)
|
|
203
|
+
return null;
|
|
204
|
+
const roles = await collectPrincipalScopeRoles(ctx, {
|
|
205
|
+
principalId: principal.principalId,
|
|
206
|
+
scopeId: scope.accessScopeId,
|
|
207
|
+
});
|
|
208
|
+
return {
|
|
209
|
+
principalId: principal.principalId,
|
|
210
|
+
herculesAuthUserId: principal.herculesAuthUserId,
|
|
211
|
+
name: user.name,
|
|
212
|
+
email: user.email,
|
|
213
|
+
...(user.image === undefined ? {} : { image: user.image }),
|
|
214
|
+
roleKeys: roles.map((role) => role.roleKey),
|
|
215
|
+
};
|
|
216
|
+
}))).filter((member) => member !== null);
|
|
217
|
+
return {
|
|
218
|
+
members,
|
|
219
|
+
...(page.isDone ? {} : { cursor: page.continueCursor }),
|
|
220
|
+
};
|
|
221
|
+
},
|
|
222
|
+
});
|
|
223
|
+
export const getScopeMemberDirectoryEntry = query({
|
|
224
|
+
args: {
|
|
225
|
+
tokenIdentifier: v.optional(v.string()),
|
|
226
|
+
scopeId: v.string(),
|
|
227
|
+
principalId: v.optional(v.string()),
|
|
228
|
+
herculesAuthUserId: v.optional(v.string()),
|
|
229
|
+
},
|
|
230
|
+
handler: async (ctx, args) => {
|
|
231
|
+
if ((args.principalId === undefined) === (args.herculesAuthUserId === undefined)) {
|
|
232
|
+
throw new Error("getScopeMemberDirectoryEntry requires exactly one of principalId or herculesAuthUserId");
|
|
233
|
+
}
|
|
234
|
+
if (!(await callerHasScopePermission(ctx, args, "app.members:read"))) {
|
|
235
|
+
return null;
|
|
236
|
+
}
|
|
237
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
238
|
+
if (!scope)
|
|
239
|
+
return null;
|
|
240
|
+
const principal = args.principalId !== undefined
|
|
241
|
+
? await ctx.db
|
|
242
|
+
.query("principals")
|
|
243
|
+
.withIndex("by_principal_id", (q) => q.eq("principalId", args.principalId))
|
|
244
|
+
.unique()
|
|
245
|
+
: await ctx.db
|
|
246
|
+
.query("principals")
|
|
247
|
+
.withIndex("by_scope_auth_user", (q) => q.eq("accessScopeId", scope.accessScopeId).eq("herculesAuthUserId", args.herculesAuthUserId))
|
|
248
|
+
.unique();
|
|
249
|
+
if (!principal ||
|
|
250
|
+
principal.accessScopeId !== scope.accessScopeId ||
|
|
251
|
+
principal.type !== "user" ||
|
|
252
|
+
principal.status !== "active" ||
|
|
253
|
+
!principal.herculesAuthUserId) {
|
|
254
|
+
return null;
|
|
255
|
+
}
|
|
256
|
+
const user = await ctx.db
|
|
257
|
+
.query("users")
|
|
258
|
+
.withIndex("by_auth_user_id", (q) => q.eq("herculesAuthUserId", principal.herculesAuthUserId))
|
|
259
|
+
.unique();
|
|
260
|
+
if (!user)
|
|
261
|
+
return null;
|
|
262
|
+
const roles = await collectPrincipalScopeRoles(ctx, {
|
|
263
|
+
principalId: principal.principalId,
|
|
264
|
+
scopeId: scope.accessScopeId,
|
|
265
|
+
});
|
|
266
|
+
return {
|
|
267
|
+
principalId: principal.principalId,
|
|
268
|
+
herculesAuthUserId: principal.herculesAuthUserId,
|
|
269
|
+
name: user.name,
|
|
270
|
+
email: user.email,
|
|
271
|
+
...(user.image === undefined ? {} : { image: user.image }),
|
|
272
|
+
roleKeys: roles.map((role) => role.roleKey),
|
|
273
|
+
};
|
|
274
|
+
},
|
|
275
|
+
});
|
|
276
|
+
export const listScopeMembers = query({
|
|
277
|
+
args: { tokenIdentifier: v.optional(v.string()), scopeId: v.string() },
|
|
278
|
+
handler: async (ctx, args) => {
|
|
279
|
+
if (!(await callerHasScopePermission(ctx, args, "system.members:read")))
|
|
280
|
+
return [];
|
|
281
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
282
|
+
if (!scope)
|
|
283
|
+
return [];
|
|
284
|
+
// Both principal kinds are listed: user members AND groups. A user's
|
|
285
|
+
// name/email/image resolve from the deployment-wide user row; a group's
|
|
286
|
+
// name is the group's own display name carried on the principal row.
|
|
287
|
+
const principals = await ctx.db
|
|
288
|
+
.query("principals")
|
|
289
|
+
.withIndex("by_scope", (q) => q.eq("accessScopeId", scope.accessScopeId))
|
|
290
|
+
.collect();
|
|
291
|
+
const members = [];
|
|
292
|
+
for (const principal of principals) {
|
|
293
|
+
let name;
|
|
294
|
+
let email;
|
|
295
|
+
let image;
|
|
296
|
+
if (principal.type === "group") {
|
|
297
|
+
name = principal.name;
|
|
298
|
+
}
|
|
299
|
+
const authUserId = principal.herculesAuthUserId;
|
|
300
|
+
if (principal.type === "user" && authUserId) {
|
|
301
|
+
const user = await ctx.db
|
|
302
|
+
.query("users")
|
|
303
|
+
.withIndex("by_auth_user_id", (q) => q.eq("herculesAuthUserId", authUserId))
|
|
304
|
+
.unique();
|
|
305
|
+
if (user) {
|
|
306
|
+
name = user.name;
|
|
307
|
+
email = user.email;
|
|
308
|
+
image = user.image;
|
|
309
|
+
}
|
|
310
|
+
}
|
|
311
|
+
const roles = await collectPrincipalScopeRoles(ctx, {
|
|
312
|
+
principalId: principal.principalId,
|
|
313
|
+
scopeId: scope.accessScopeId,
|
|
314
|
+
});
|
|
315
|
+
members.push({
|
|
316
|
+
principalId: principal.principalId,
|
|
317
|
+
type: principal.type,
|
|
318
|
+
herculesAuthUserId: authUserId,
|
|
319
|
+
status: principal.status,
|
|
320
|
+
joinedAt: principal.joinedAt,
|
|
321
|
+
name,
|
|
322
|
+
email,
|
|
323
|
+
image,
|
|
324
|
+
roles,
|
|
325
|
+
});
|
|
326
|
+
}
|
|
327
|
+
members.sort((a, b) => (a.name ?? a.email ?? a.principalId).localeCompare(b.name ?? b.email ?? b.principalId));
|
|
328
|
+
return members;
|
|
329
|
+
},
|
|
330
|
+
});
|
|
331
|
+
export const listScopeRoles = query({
|
|
332
|
+
args: { tokenIdentifier: v.optional(v.string()), scopeId: v.string() },
|
|
333
|
+
handler: async (ctx, args) => {
|
|
334
|
+
if (!(await callerHasScopePermission(ctx, args, "system.roles:read")))
|
|
335
|
+
return [];
|
|
336
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
337
|
+
if (!scope)
|
|
338
|
+
return [];
|
|
339
|
+
const defaultScope = await ctx.db
|
|
340
|
+
.query("scopes")
|
|
341
|
+
.withIndex("by_kind", (q) => q.eq("kind", "default"))
|
|
342
|
+
.unique();
|
|
343
|
+
const defaultScopeId = defaultScope?.accessScopeId;
|
|
344
|
+
// Tenant roles owned by THIS scope (source=tenant, accessScopeId=scope).
|
|
345
|
+
const scopeRoles = await ctx.db
|
|
346
|
+
.query("roles")
|
|
347
|
+
.withIndex("by_scope", (q) => q.eq("accessScopeId", scope.accessScopeId))
|
|
348
|
+
.collect();
|
|
349
|
+
// Deployment-wide reusable catalog roles (source system|iam) carry NO
|
|
350
|
+
// accessScopeId in v3. They are app-wide and assignable inside any scope, so
|
|
351
|
+
// surface them alongside the scope's own roles. When viewing the default
|
|
352
|
+
// scope they are the scope's "own" roles (shared=false); inside an org they
|
|
353
|
+
// are shared.
|
|
354
|
+
const isDefaultScope = defaultScopeId !== undefined && defaultScopeId === scope.accessScopeId;
|
|
355
|
+
const catalogRoles = await ctx.db
|
|
356
|
+
.query("roles")
|
|
357
|
+
.withIndex("by_scope", (q) => q.eq("accessScopeId", undefined))
|
|
358
|
+
.collect();
|
|
359
|
+
const seen = new Set();
|
|
360
|
+
const roles = [];
|
|
361
|
+
for (const role of [...scopeRoles, ...catalogRoles]) {
|
|
362
|
+
if (seen.has(role.roleId))
|
|
363
|
+
continue;
|
|
364
|
+
seen.add(role.roleId);
|
|
365
|
+
roles.push({
|
|
366
|
+
roleId: role.roleId,
|
|
367
|
+
roleKey: role.key,
|
|
368
|
+
roleName: role.name,
|
|
369
|
+
roleKind: roleKindFromSource(role.source),
|
|
370
|
+
// A reusable catalog role (no accessScopeId) is "shared" when surfaced
|
|
371
|
+
// inside a non-default scope; a scope's own tenant role is never shared.
|
|
372
|
+
shared: role.accessScopeId === undefined && !isDefaultScope,
|
|
373
|
+
});
|
|
374
|
+
}
|
|
375
|
+
roles.sort((a, b) => a.roleKey.localeCompare(b.roleKey) ||
|
|
376
|
+
a.roleName.localeCompare(b.roleName) ||
|
|
377
|
+
a.roleId.localeCompare(b.roleId));
|
|
378
|
+
return roles;
|
|
379
|
+
},
|
|
380
|
+
});
|
|
381
|
+
export const listScopePermissions = query({
|
|
382
|
+
args: { tokenIdentifier: v.optional(v.string()), scopeId: v.string() },
|
|
383
|
+
handler: async (ctx, args) => {
|
|
384
|
+
if (!(await callerHasScopePermission(ctx, args, "system.permissions:read")))
|
|
385
|
+
return [];
|
|
386
|
+
// The permission catalog is app-wide and always lives in the default scope (DL15).
|
|
387
|
+
const defaultScope = await ctx.db
|
|
388
|
+
.query("scopes")
|
|
389
|
+
.withIndex("by_kind", (q) => q.eq("kind", "default"))
|
|
390
|
+
.unique();
|
|
391
|
+
if (!defaultScope)
|
|
392
|
+
return [];
|
|
393
|
+
const permissions = await ctx.db
|
|
394
|
+
.query("permissions")
|
|
395
|
+
.withIndex("by_scope", (q) => q.eq("accessScopeId", defaultScope.accessScopeId))
|
|
396
|
+
.collect();
|
|
397
|
+
return permissions
|
|
398
|
+
.map((permission) => ({
|
|
399
|
+
permissionId: permission.permissionId,
|
|
400
|
+
key: permission.key,
|
|
401
|
+
resourceType: permission.resourceType,
|
|
402
|
+
action: permission.action,
|
|
403
|
+
classification: permission.classification,
|
|
404
|
+
tenantAssignable: permission.tenantAssignable,
|
|
405
|
+
}))
|
|
406
|
+
.sort((a, b) => a.key.localeCompare(b.key) || a.permissionId.localeCompare(b.permissionId));
|
|
407
|
+
},
|
|
408
|
+
});
|
|
409
|
+
// "Who has a DIRECT grant on this resource" — for an in-app membership panel
|
|
410
|
+
// (e.g. "people on this project"). DIRECT grants only: this intentionally does
|
|
411
|
+
// NOT include principals who reach the resource via a scope-wide role/wildcard
|
|
412
|
+
// or a parent resource. Self-gates resource-aware on `permission` against THIS
|
|
413
|
+
// resource (so a per-resource manager, not only a scope admin, can see it), via
|
|
414
|
+
// the same evaluator as a real can() check; returns [] when the caller is not
|
|
415
|
+
// allowed. `permission`'s resourceType should match `resourceType`.
|
|
416
|
+
export const listDirectSubjectsForResource = query({
|
|
417
|
+
args: {
|
|
418
|
+
tokenIdentifier: v.optional(v.string()),
|
|
419
|
+
scopeId: v.string(),
|
|
420
|
+
resourceType: v.string(),
|
|
421
|
+
resourceId: v.string(),
|
|
422
|
+
permission: v.string(),
|
|
423
|
+
},
|
|
424
|
+
handler: async (ctx, args) => {
|
|
425
|
+
const decision = await evaluatePermissionDecision(ctx, {
|
|
426
|
+
tokenIdentifier: args.tokenIdentifier,
|
|
427
|
+
scopeId: args.scopeId,
|
|
428
|
+
permission: args.permission,
|
|
429
|
+
resourceType: args.resourceType,
|
|
430
|
+
resourceId: args.resourceId,
|
|
431
|
+
});
|
|
432
|
+
if (!decision.allowed)
|
|
433
|
+
return [];
|
|
434
|
+
const scope = await resolveScopeRow(ctx, args.scopeId);
|
|
435
|
+
if (!scope)
|
|
436
|
+
return [];
|
|
437
|
+
// "Who has a DIRECT binding on this exact resource" = the union of role
|
|
438
|
+
// bindings and direct-permission bindings whose (resourceType, resourceId)
|
|
439
|
+
// target is this exact resource. Type-wide bindings (resourceId undefined)
|
|
440
|
+
// are intentionally excluded — this panel lists direct-on-this-resource
|
|
441
|
+
// subjects only, mirroring the old exact-objectId `by_object_resource` read.
|
|
442
|
+
const resourceRoleBindings = await ctx.db
|
|
443
|
+
.query("role_bindings")
|
|
444
|
+
.withIndex("by_scope_resource", (q) => q
|
|
445
|
+
.eq("accessScopeId", scope.accessScopeId)
|
|
446
|
+
.eq("resourceType", args.resourceType)
|
|
447
|
+
.eq("resourceId", args.resourceId))
|
|
448
|
+
.collect();
|
|
449
|
+
const resourcePermissionBindings = await ctx.db
|
|
450
|
+
.query("permission_bindings")
|
|
451
|
+
.withIndex("by_scope_resource", (q) => q
|
|
452
|
+
.eq("accessScopeId", scope.accessScopeId)
|
|
453
|
+
.eq("resourceType", args.resourceType)
|
|
454
|
+
.eq("resourceId", args.resourceId))
|
|
455
|
+
.collect();
|
|
456
|
+
const grants = [
|
|
457
|
+
...resourceRoleBindings.map((binding) => ({
|
|
458
|
+
grantId: binding.bindingId,
|
|
459
|
+
subjectPrincipalId: binding.subjectPrincipalId,
|
|
460
|
+
relationKind: "role",
|
|
461
|
+
roleId: binding.roleId,
|
|
462
|
+
effect: "allow",
|
|
463
|
+
appliesTo: binding.appliesTo,
|
|
464
|
+
expiresAt: binding.expiresAt,
|
|
465
|
+
})),
|
|
466
|
+
...resourcePermissionBindings.flatMap((binding) => binding.subjectPrincipalId
|
|
467
|
+
? [
|
|
468
|
+
{
|
|
469
|
+
grantId: binding.bindingId,
|
|
470
|
+
subjectPrincipalId: binding.subjectPrincipalId,
|
|
471
|
+
relationKind: "direct_permission",
|
|
472
|
+
permissionId: binding.permissionId,
|
|
473
|
+
effect: binding.effect,
|
|
474
|
+
appliesTo: binding.appliesTo,
|
|
475
|
+
expiresAt: binding.expiresAt,
|
|
476
|
+
},
|
|
477
|
+
]
|
|
478
|
+
: []),
|
|
479
|
+
];
|
|
480
|
+
const now = Date.now();
|
|
481
|
+
const results = [];
|
|
482
|
+
for (const grant of grants) {
|
|
483
|
+
const subjectPrincipalId = grant.subjectPrincipalId;
|
|
484
|
+
if (!subjectPrincipalId)
|
|
485
|
+
continue;
|
|
486
|
+
if (typeof grant.expiresAt === "number" && grant.expiresAt <= now)
|
|
487
|
+
continue;
|
|
488
|
+
const principal = await ctx.db
|
|
489
|
+
.query("principals")
|
|
490
|
+
.withIndex("by_principal_id", (q) => q.eq("principalId", subjectPrincipalId))
|
|
491
|
+
.unique();
|
|
492
|
+
if (!principal)
|
|
493
|
+
continue;
|
|
494
|
+
// Group subjects are listed by their own display name; user subjects
|
|
495
|
+
// resolve name/email/image from the deployment-wide user row.
|
|
496
|
+
let name;
|
|
497
|
+
let email;
|
|
498
|
+
let image;
|
|
499
|
+
if (principal.type === "group") {
|
|
500
|
+
name = principal.name;
|
|
501
|
+
}
|
|
502
|
+
const authUserId = principal.herculesAuthUserId;
|
|
503
|
+
if (principal.type === "user" && authUserId) {
|
|
504
|
+
const user = await ctx.db
|
|
505
|
+
.query("users")
|
|
506
|
+
.withIndex("by_auth_user_id", (q) => q.eq("herculesAuthUserId", authUserId))
|
|
507
|
+
.unique();
|
|
508
|
+
if (user) {
|
|
509
|
+
name = user.name;
|
|
510
|
+
email = user.email;
|
|
511
|
+
image = user.image;
|
|
512
|
+
}
|
|
513
|
+
}
|
|
514
|
+
let roleKey;
|
|
515
|
+
let roleName;
|
|
516
|
+
let permissionKey;
|
|
517
|
+
if (grant.relationKind === "role" && grant.roleId) {
|
|
518
|
+
const role = await ctx.db
|
|
519
|
+
.query("roles")
|
|
520
|
+
.withIndex("by_role_id", (q) => q.eq("roleId", grant.roleId))
|
|
521
|
+
.unique();
|
|
522
|
+
if (role) {
|
|
523
|
+
roleKey = role.key;
|
|
524
|
+
roleName = role.name;
|
|
525
|
+
}
|
|
526
|
+
}
|
|
527
|
+
else if (grant.relationKind === "direct_permission" && grant.permissionId) {
|
|
528
|
+
const permission = await ctx.db
|
|
529
|
+
.query("permissions")
|
|
530
|
+
.withIndex("by_permission_id", (q) => q.eq("permissionId", grant.permissionId))
|
|
531
|
+
.unique();
|
|
532
|
+
if (permission)
|
|
533
|
+
permissionKey = permission.key;
|
|
534
|
+
}
|
|
535
|
+
results.push({
|
|
536
|
+
grantId: grant.grantId,
|
|
537
|
+
principalId: principal.principalId,
|
|
538
|
+
type: principal.type,
|
|
539
|
+
herculesAuthUserId: authUserId,
|
|
540
|
+
name,
|
|
541
|
+
email,
|
|
542
|
+
image,
|
|
543
|
+
status: principal.status,
|
|
544
|
+
effect: grant.effect,
|
|
545
|
+
appliesTo: grant.appliesTo,
|
|
546
|
+
expiresAt: grant.expiresAt,
|
|
547
|
+
roleId: grant.roleId,
|
|
548
|
+
roleKey,
|
|
549
|
+
roleName,
|
|
550
|
+
permissionId: grant.permissionId,
|
|
551
|
+
permissionKey,
|
|
552
|
+
});
|
|
553
|
+
}
|
|
554
|
+
results.sort((a, b) => (a.name ?? a.email ?? a.principalId).localeCompare(b.name ?? b.email ?? b.principalId));
|
|
555
|
+
return results;
|
|
556
|
+
},
|
|
557
|
+
});
|
|
558
|
+
// Scope-admin reads share the canonical permission gate with authorize(), so an
|
|
559
|
+
// in-app admin screen and a can() check resolve identically (wildcard,
|
|
560
|
+
// deny-override, owner-only levers). Returns false when not allowed, and the
|
|
561
|
+
// queries above then return an empty list.
|
|
562
|
+
async function callerHasScopePermission(ctx, args, permission) {
|
|
563
|
+
const decision = await evaluatePermissionDecision(ctx, {
|
|
564
|
+
tokenIdentifier: args.tokenIdentifier,
|
|
565
|
+
scopeId: args.scopeId,
|
|
566
|
+
permission,
|
|
567
|
+
});
|
|
568
|
+
return decision.allowed;
|
|
569
|
+
}
|
|
570
|
+
async function resolveScopeRow(ctx, scopeId) {
|
|
571
|
+
if (scopeId === DEFAULT_SCOPE_SENTINEL) {
|
|
572
|
+
return await ctx.db
|
|
573
|
+
.query("scopes")
|
|
574
|
+
.withIndex("by_kind", (q) => q.eq("kind", "default"))
|
|
575
|
+
.unique();
|
|
576
|
+
}
|
|
577
|
+
return await ctx.db
|
|
578
|
+
.query("scopes")
|
|
579
|
+
.withIndex("by_scope_id", (q) => q.eq("accessScopeId", scopeId))
|
|
580
|
+
.unique();
|
|
581
|
+
}
|
|
582
|
+
async function collectPrincipalScopeRoles(ctx, args) {
|
|
583
|
+
// Authorization treats the user and each directly joined group as subjects.
|
|
584
|
+
// Reuse the E3-fenced expansion (effective.collectPrincipalIds): a membership
|
|
585
|
+
// confers its group only when the group principal exists, is a group, lives in
|
|
586
|
+
// this scope, and is active. A blocked/deleted group, or a row pointing at a
|
|
587
|
+
// non-group principal, grants nothing here too.
|
|
588
|
+
const subjectPrincipalIds = await collectPrincipalIds(ctx, {
|
|
589
|
+
principalId: args.principalId,
|
|
590
|
+
scopeId: args.scopeId,
|
|
591
|
+
});
|
|
592
|
+
const now = Date.now();
|
|
593
|
+
const allowedRoleIds = new Set();
|
|
594
|
+
for (const subjectPrincipalId of subjectPrincipalIds) {
|
|
595
|
+
// Scope-object role bindings (resourceType/resourceId undefined): who holds
|
|
596
|
+
// which role on this scope. Role bindings are purely additive membership —
|
|
597
|
+
// the wire carries no deny role binding (a removed membership is a delete).
|
|
598
|
+
const roleBindings = await ctx.db
|
|
599
|
+
.query("role_bindings")
|
|
600
|
+
.withIndex("by_subject_scope_resource", (q) => q
|
|
601
|
+
.eq("subjectPrincipalId", subjectPrincipalId)
|
|
602
|
+
.eq("accessScopeId", args.scopeId)
|
|
603
|
+
.eq("resourceType", undefined)
|
|
604
|
+
.eq("resourceId", undefined))
|
|
605
|
+
.collect();
|
|
606
|
+
for (const binding of roleBindings) {
|
|
607
|
+
if (typeof binding.expiresAt === "number" && binding.expiresAt <= now) {
|
|
608
|
+
continue;
|
|
609
|
+
}
|
|
610
|
+
allowedRoleIds.add(binding.roleId);
|
|
611
|
+
}
|
|
612
|
+
}
|
|
613
|
+
const roles = [];
|
|
614
|
+
for (const roleId of allowedRoleIds) {
|
|
615
|
+
const role = await ctx.db
|
|
616
|
+
.query("roles")
|
|
617
|
+
.withIndex("by_role_id", (q) => q.eq("roleId", roleId))
|
|
618
|
+
.unique();
|
|
619
|
+
if (!role)
|
|
620
|
+
continue;
|
|
621
|
+
roles.push({
|
|
622
|
+
roleId: role.roleId,
|
|
623
|
+
roleKey: role.key,
|
|
624
|
+
roleName: role.name,
|
|
625
|
+
roleKind: roleKindFromSource(role.source),
|
|
626
|
+
});
|
|
627
|
+
}
|
|
628
|
+
roles.sort((a, b) => a.roleKey.localeCompare(b.roleKey) ||
|
|
629
|
+
a.roleName.localeCompare(b.roleName) ||
|
|
630
|
+
a.roleId.localeCompare(b.roleId));
|
|
631
|
+
return roles;
|
|
632
|
+
}
|
|
633
|
+
//# sourceMappingURL=queries.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../src/component/queries.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,GAIb,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,SAAS,EAAE,MAAM,kCAAkC,CAAC;AAC7D,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAClC,OAAO,EAAE,0BAA0B,EAAE,MAAM,UAAU,CAAC;AACtD,OAAO,EACL,mBAAmB,EACnB,oBAAoB,EACpB,uBAAuB,GACxB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,MAAM,MAAM,UAAU,CAAC;AAE9B,MAAM,sBAAsB,GAAG,4BAA4B,CAAC;AAG5D,2EAA2E;AAC3E,MAAM,KAAK,GAAG,YAAiD,CAAC;AAShE,iFAAiF;AACjF,6EAA6E;AAC7E,6EAA6E;AAC7E,yEAAyE;AACzE,SAAS,kBAAkB,CAAC,MAAmC;IAC7D,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AACnD,CAAC;AAmED,MAAM,CAAC,MAAM,wBAAwB,GAAG,KAAK,CAAC;IAC5C,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;IACjD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,CAAC,IAAI,CAAC,eAAe,EAAE,CAAC;YAC1B,OAAO,EAAE,IAAI,EAAE,UAAmB,EAAE,MAAM,EAAE,kBAA2B,EAAE,CAAC;QAC5E,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;QACxD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO,EAAE,IAAI,EAAE,UAAmB,EAAE,MAAM,EAAE,kBAA2B,EAAE,CAAC;QAC5E,CAAC;QAED,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,OAAO;gBACL,IAAI,EAAE,UAAmB;gBACzB,MAAM,EAAE,kBAA2B;gBACnC,YAAY,EAAE,KAAK,CAAC,aAAa;aAClC,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1C,OAAO;gBACL,IAAI,EAAE,UAAmB;gBACzB,MAAM,EAAE,mBAA4B;gBACpC,YAAY,EAAE,KAAK,CAAC,aAAa;aAClC,CAAC;QACJ,CAAC;QAED,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE;aACvB,KAAK,CAAC,QAAQ,CAAC;aACf,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;aACpD,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACxC,OAAO;gBACL,IAAI,EAAE,UAAmB;gBACzB,MAAM,EAAE,uBAAgC;gBACxC,YAAY,EAAE,KAAK,CAAC,aAAa;aAClC,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,EAAE;aAC3B,KAAK,CAAC,YAAY,CAAC;aACnB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CACnF;aACA,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;YAC5C,OAAO;gBACL,IAAI,EAAE,UAAmB;gBACzB,MAAM,EAAE,mBAA4B;gBACpC,YAAY,EAAE,KAAK,CAAC,aAAa;aAClC,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI,EAAE,WAAoB;YAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,YAAY,EAAE,KAAK,CAAC,aAAa;SAClC,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,CAAC;IACrC,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE;IACjD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,CAAC,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAErC,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;QACxD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc;YAAE,OAAO,EAAE,CAAC;QAE/D,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;aAC5B,KAAK,CAAC,YAAY,CAAC;aACnB,SAAS,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CAAC;aAC3E,OAAO,EAAE,CAAC;QAEb,MAAM,WAAW,GAAiB,EAAE,CAAC;QAErC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE;iBACvB,KAAK,CAAC,QAAQ,CAAC;iBACf,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;iBAC/E,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,KAAK;gBAAE,SAAS;YACrB,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU;gBAAE,SAAS;YAE1C,MAAM,KAAK,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;gBAClD,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,OAAO,EAAE,SAAS,CAAC,aAAa;aACjC,CAAC,CAAC;YACH,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,SAAS;YAEjC,WAAW,CAAC,IAAI,CAAC;gBACf,OAAO,EAAE,KAAK,CAAC,aAAa;gBAC5B,SAAS,EAAE,KAAK,CAAC,IAAI;gBACrB,IAAI,EAAE,KAAK,CAAC,IAAI;gBAChB,KAAK;gBACL,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,MAAM,EAAE,SAAS,CAAC,MAAM;aACzB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,CAAC;IAC/B,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IACtE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAA0B,EAAE;QACnD,IAAI,CAAC,IAAI,CAAC,eAAe;YAAE,OAAO,EAAE,CAAC;QAErC,MAAM,KAAK,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,MAAM,EAAE,CAAC;QACxD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc;YAAE,OAAO,EAAE,CAAC;QAE/D,uDAAuD;QACvD,0EAA0E;QAC1E,4EAA4E;QAC5E,sEAAsE;QACtE,8BAA8B;QAC9B,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU;YAAE,OAAO,EAAE,CAAC;QAErD,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,EAAE;aAC3B,KAAK,CAAC,YAAY,CAAC;aACnB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,KAAK,CAAC,OAAO,CAAC,CACnF;aACA,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,SAAS;YAAE,OAAO,EAAE,CAAC;QAE1B,OAAO,0BAA0B,CAAC,GAAG,EAAE;YACrC,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,OAAO,EAAE,KAAK,CAAC,aAAa;SAC7B,CAAC,CAAC;IACL,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,uBAAuB,GAAG,KAAK,CAAC;IAC3C,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClC,SAAS,EAAE,CAAC,CAAC,QAAQ,CACnB,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CACxE;KACF;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAuC,EAAE;QAChE,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC5D,MAAM,WAAW,GAAG,oBAAoB,CACtC,UAAU,CAAC,kBAAkB,EAC7B,UAAU,CAAC,QAAQ,EACnB,UAAU,CAAC,OAAO,EAClB,IAAI,CACL,CAAC;QACF,OAAO;YACL,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,UAAU,EAAE,UAAU,CAAC,UAAU;YACjC,aAAa,EAAE,UAAU,CAAC,aAAa;YACvC,OAAO,EAAE,UAAU,CAAC,OAAO;YAC3B,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;YAC7C,QAAQ,EAAE,UAAU,CAAC,QAAQ;YAC7B,WAAW,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;SAC7D,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,wBAAwB,GAAG,KAAK,CAAC;IAC5C,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC9B,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAC9B;IACD,OAAO,EAAE,KAAK,EACZ,GAAG,EACH,IAAI,EACgE,EAAE;QACtE,IAAI,CAAC,CAAC,MAAM,wBAAwB,CAAC,GAAG,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAE,CAAC;YACrE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QACzB,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAEnC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;QACrF,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,EAAE,EAAE,MAAM,CAAC;aACzC,KAAK,CAAC,YAAY,CAAC;aACnB,SAAS,CAAC,sBAAsB,EAAE,CAAC,CAAC,EAAE,EAAE,CACvC,CAAC;aACE,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC;aACxC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC;aACtB,EAAE,CAAC,MAAM,EAAE,MAAM,CAAC,CACtB;aACA,QAAQ,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC;QAE9D,MAAM,OAAO,GAAG,CACd,MAAM,OAAO,CAAC,GAAG,CACf,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,SAAS,EAA6C,EAAE;YAC3E,IAAI,CAAC,SAAS,CAAC,kBAAkB;gBAAE,OAAO,IAAI,CAAC;YAC/C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;iBACtB,KAAK,CAAC,OAAO,CAAC;iBACd,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAClC,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,SAAS,CAAC,kBAAmB,CAAC,CAC1D;iBACA,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAI,CAAC;YACvB,MAAM,KAAK,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;gBAClD,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,OAAO,EAAE,KAAK,CAAC,aAAa;aAC7B,CAAC,CAAC;YACH,OAAO;gBACL,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,kBAAkB,EAAE,SAAS,CAAC,kBAAkB;gBAChD,IAAI,EAAE,IAAI,CAAC,IAAI;gBACf,KAAK,EAAE,IAAI,CAAC,KAAK;gBACjB,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;gBAC1D,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;aAC5C,CAAC;QACJ,CAAC,CAAC,CACH,CACF,CAAC,MAAM,CAAC,CAAC,MAAM,EAAuC,EAAE,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC;QAE3E,OAAO;YACL,OAAO;YACP,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;SACxD,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,4BAA4B,GAAG,KAAK,CAAC;IAChD,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,kBAAkB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAC3C;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAA6C,EAAE;QACtE,IAAI,CAAC,IAAI,CAAC,WAAW,KAAK,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,KAAK,SAAS,CAAC,EAAE,CAAC;YACjF,MAAM,IAAI,KAAK,CAAC,wFAAwF,CAAC,CAAC;QAC5G,CAAC;QACD,IAAI,CAAC,CAAC,MAAM,wBAAwB,CAAC,GAAG,EAAE,IAAI,EAAE,kBAAkB,CAAC,CAAC,EAAE,CAAC;YACrE,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAC;QAExB,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,KAAK,SAAS;YAC9C,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;iBACT,KAAK,CAAC,YAAY,CAAC;iBACnB,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,EAAE,IAAI,CAAC,WAAY,CAAC,CAAC;iBAC3E,MAAM,EAAE;YACb,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE;iBACT,KAAK,CAAC,YAAY,CAAC;iBACnB,SAAS,CAAC,oBAAoB,EAAE,CAAC,CAAC,EAAE,EAAE,CACrC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,IAAI,CAAC,kBAAkB,CAAC,CAC7F;iBACA,MAAM,EAAE,CAAC;QAChB,IACE,CAAC,SAAS;YACV,SAAS,CAAC,aAAa,KAAK,KAAK,CAAC,aAAa;YAC/C,SAAS,CAAC,IAAI,KAAK,MAAM;YACzB,SAAS,CAAC,MAAM,KAAK,QAAQ;YAC7B,CAAC,SAAS,CAAC,kBAAkB,EAC7B,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;aACtB,KAAK,CAAC,OAAO,CAAC;aACd,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,SAAS,CAAC,kBAAmB,CAAC,CAAC;aAC9F,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI;YAAE,OAAO,IAAI,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;YAClD,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,OAAO,EAAE,KAAK,CAAC,aAAa;SAC7B,CAAC,CAAC;QAEH,OAAO;YACL,WAAW,EAAE,SAAS,CAAC,WAAW;YAClC,kBAAkB,EAAE,SAAS,CAAC,kBAAkB;YAChD,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;YAC1D,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC;SAC5C,CAAC;IACJ,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAK,CAAC;IACpC,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IACtE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAA0B,EAAE;QACnD,IAAI,CAAC,CAAC,MAAM,wBAAwB,CAAC,GAAG,EAAE,IAAI,EAAE,qBAAqB,CAAC,CAAC;YAAE,OAAO,EAAE,CAAC;QACnF,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,qEAAqE;QACrE,wEAAwE;QACxE,qEAAqE;QACrE,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;aAC5B,KAAK,CAAC,YAAY,CAAC;aACnB,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;aACxE,OAAO,EAAE,CAAC;QAEb,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;YACnC,IAAI,IAAwB,CAAC;YAC7B,IAAI,KAAyB,CAAC;YAC9B,IAAI,KAAyB,CAAC;YAC9B,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC/B,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;YACxB,CAAC;YACD,MAAM,UAAU,GAAG,SAAS,CAAC,kBAAkB,CAAC;YAChD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,UAAU,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;qBACtB,KAAK,CAAC,OAAO,CAAC;qBACd,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;qBAC3E,MAAM,EAAE,CAAC;gBACZ,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;oBACjB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;oBACnB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;gBAClD,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,OAAO,EAAE,KAAK,CAAC,aAAa;aAC7B,CAAC,CAAC;YACH,OAAO,CAAC,IAAI,CAAC;gBACX,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,kBAAkB,EAAE,UAAU;gBAC9B,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,IAAI;gBACJ,KAAK;gBACL,KAAK;gBACL,KAAK;aACN,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACpB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,CAAC,CACvF,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,cAAc,GAAG,KAAK,CAAC;IAClC,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IACtE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAA+B,EAAE;QACxD,IAAI,CAAC,CAAC,MAAM,wBAAwB,CAAC,GAAG,EAAE,IAAI,EAAE,mBAAmB,CAAC,CAAC;YAAE,OAAO,EAAE,CAAC;QACjF,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,EAAE;aAC9B,KAAK,CAAC,QAAQ,CAAC;aACf,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;aACpD,MAAM,EAAE,CAAC;QACZ,MAAM,cAAc,GAAG,YAAY,EAAE,aAAa,CAAC;QAEnD,yEAAyE;QACzE,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;aAC5B,KAAK,CAAC,OAAO,CAAC;aACd,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;aACxE,OAAO,EAAE,CAAC;QACb,sEAAsE;QACtE,6EAA6E;QAC7E,yEAAyE;QACzE,4EAA4E;QAC5E,cAAc;QACd,MAAM,cAAc,GAAG,cAAc,KAAK,SAAS,IAAI,cAAc,KAAK,KAAK,CAAC,aAAa,CAAC;QAC9F,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,EAAE;aAC9B,KAAK,CAAC,OAAO,CAAC;aACd,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC;aAC9D,OAAO,EAAE,CAAC;QAEb,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,KAAK,GAAuB,EAAE,CAAC;QACrC,KAAK,MAAM,IAAI,IAAI,CAAC,GAAG,UAAU,EAAE,GAAG,YAAY,CAAC,EAAE,CAAC;YACpD,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,SAAS;YACpC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtB,KAAK,CAAC,IAAI,CAAC;gBACT,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,OAAO,EAAE,IAAI,CAAC,GAAG;gBACjB,QAAQ,EAAE,IAAI,CAAC,IAAI;gBACnB,QAAQ,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC;gBACzC,uEAAuE;gBACvE,yEAAyE;gBACzE,MAAM,EAAE,IAAI,CAAC,aAAa,KAAK,SAAS,IAAI,CAAC,cAAc;aAC5D,CAAC,CAAC;QACL,CAAC;QAED,KAAK,CAAC,IAAI,CACR,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;YAClC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC;YACpC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CACnC,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;CACF,CAAC,CAAC;AAEH,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,CAAC;IACxC,IAAI,EAAE,EAAE,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE;IACtE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAqC,EAAE;QAC9D,IAAI,CAAC,CAAC,MAAM,wBAAwB,CAAC,GAAG,EAAE,IAAI,EAAE,yBAAyB,CAAC,CAAC;YAAE,OAAO,EAAE,CAAC;QACvF,mFAAmF;QACnF,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,EAAE;aAC9B,KAAK,CAAC,QAAQ,CAAC;aACf,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;aACpD,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,YAAY;YAAE,OAAO,EAAE,CAAC;QAE7B,MAAM,WAAW,GAAG,MAAM,GAAG,CAAC,EAAE;aAC7B,KAAK,CAAC,aAAa,CAAC;aACpB,SAAS,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,YAAY,CAAC,aAAa,CAAC,CAAC;aAC/E,OAAO,EAAE,CAAC;QAEb,OAAO,WAAW;aACf,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YACpB,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,GAAG,EAAE,UAAU,CAAC,GAAG;YACnB,YAAY,EAAE,UAAU,CAAC,YAAY;YACrC,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,cAAc,EAAE,UAAU,CAAC,cAAc;YACzC,gBAAgB,EAAE,UAAU,CAAC,gBAAgB;SAC9C,CAAC,CAAC;aACF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,YAAY,CAAC,aAAa,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC;IAChG,CAAC;CACF,CAAC,CAAC;AAuBH,6EAA6E;AAC7E,+EAA+E;AAC/E,+EAA+E;AAC/E,+EAA+E;AAC/E,gFAAgF;AAChF,8EAA8E;AAC9E,oEAAoE;AACpE,MAAM,CAAC,MAAM,6BAA6B,GAAG,KAAK,CAAC;IACjD,IAAI,EAAE;QACJ,eAAe,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACvC,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE;QACnB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;QACtB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB;IACD,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,EAAoC,EAAE;QAC7D,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;YACrD,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;SAC5B,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QACjC,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;QACvD,IAAI,CAAC,KAAK;YAAE,OAAO,EAAE,CAAC;QAEtB,wEAAwE;QACxE,2EAA2E;QAC3E,2EAA2E;QAC3E,wEAAwE;QACxE,6EAA6E;QAC7E,MAAM,oBAAoB,GAAG,MAAM,GAAG,CAAC,EAAE;aACtC,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE,CACpC,CAAC;aACE,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC;aACxC,EAAE,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC;aACrC,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CACrC;aACA,OAAO,EAAE,CAAC;QACb,MAAM,0BAA0B,GAAG,MAAM,GAAG,CAAC,EAAE;aAC5C,KAAK,CAAC,qBAAqB,CAAC;aAC5B,SAAS,CAAC,mBAAmB,EAAE,CAAC,CAAC,EAAE,EAAE,CACpC,CAAC;aACE,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,aAAa,CAAC;aACxC,EAAE,CAAC,cAAc,EAAE,IAAI,CAAC,YAAY,CAAC;aACrC,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CACrC;aACA,OAAO,EAAE,CAAC;QAiBb,MAAM,MAAM,GAAsB;YAChC,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;gBACxC,OAAO,EAAE,OAAO,CAAC,SAAS;gBAC1B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;gBAC9C,YAAY,EAAE,MAAe;gBAC7B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,MAAM,EAAE,OAAgB;gBACxB,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;aAC7B,CAAC,CAAC;YACH,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAChD,OAAO,CAAC,kBAAkB;gBACxB,CAAC,CAAC;oBACE;wBACE,OAAO,EAAE,OAAO,CAAC,SAAS;wBAC1B,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;wBAC9C,YAAY,EAAE,mBAA4B;wBAC1C,YAAY,EAAE,OAAO,CAAC,YAAY;wBAClC,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,SAAS,EAAE,OAAO,CAAC,SAAS;qBAC7B;iBACF;gBACH,CAAC,CAAC,EAAE,CACP;SACF,CAAC;QAEF,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAA4B,EAAE,CAAC;QAC5C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;YAC3B,MAAM,kBAAkB,GAAG,KAAK,CAAC,kBAAkB,CAAC;YACpD,IAAI,CAAC,kBAAkB;gBAAE,SAAS;YAClC,IAAI,OAAO,KAAK,CAAC,SAAS,KAAK,QAAQ,IAAI,KAAK,CAAC,SAAS,IAAI,GAAG;gBAAE,SAAS;YAE5E,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,EAAE;iBAC3B,KAAK,CAAC,YAAY,CAAC;iBACnB,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;iBAC5E,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,SAAS;gBAAE,SAAS;YAEzB,qEAAqE;YACrE,8DAA8D;YAC9D,IAAI,IAAwB,CAAC;YAC7B,IAAI,KAAyB,CAAC;YAC9B,IAAI,KAAyB,CAAC;YAC9B,IAAI,SAAS,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;gBAC/B,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;YACxB,CAAC;YACD,MAAM,UAAU,GAAG,SAAS,CAAC,kBAAkB,CAAC;YAChD,IAAI,SAAS,CAAC,IAAI,KAAK,MAAM,IAAI,UAAU,EAAE,CAAC;gBAC5C,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;qBACtB,KAAK,CAAC,OAAO,CAAC;qBACd,SAAS,CAAC,iBAAiB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,oBAAoB,EAAE,UAAU,CAAC,CAAC;qBAC3E,MAAM,EAAE,CAAC;gBACZ,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;oBACjB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;oBACnB,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;gBACrB,CAAC;YACH,CAAC;YAED,IAAI,OAA2B,CAAC;YAChC,IAAI,QAA4B,CAAC;YACjC,IAAI,aAAiC,CAAC;YACtC,IAAI,KAAK,CAAC,YAAY,KAAK,MAAM,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBAClD,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;qBACtB,KAAK,CAAC,OAAO,CAAC;qBACd,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,KAAK,CAAC,MAAO,CAAC,CAAC;qBAC7D,MAAM,EAAE,CAAC;gBACZ,IAAI,IAAI,EAAE,CAAC;oBACT,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC;oBACnB,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;gBACvB,CAAC;YACH,CAAC;iBAAM,IAAI,KAAK,CAAC,YAAY,KAAK,mBAAmB,IAAI,KAAK,CAAC,YAAY,EAAE,CAAC;gBAC5E,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,EAAE;qBAC5B,KAAK,CAAC,aAAa,CAAC;qBACpB,SAAS,CAAC,kBAAkB,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,EAAE,KAAK,CAAC,YAAa,CAAC,CAAC;qBAC/E,MAAM,EAAE,CAAC;gBACZ,IAAI,UAAU;oBAAE,aAAa,GAAG,UAAU,CAAC,GAAG,CAAC;YACjD,CAAC;YAED,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO,EAAE,KAAK,CAAC,OAAO;gBACtB,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,kBAAkB,EAAE,UAAU;gBAC9B,IAAI;gBACJ,KAAK;gBACL,KAAK;gBACL,MAAM,EAAE,SAAS,CAAC,MAAM;gBACxB,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;gBACpB,OAAO;gBACP,QAAQ;gBACR,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,aAAa;aACd,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACpB,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,WAAW,CAAC,CACvF,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;CACF,CAAC,CAAC;AAEH,gFAAgF;AAChF,uEAAuE;AACvE,6EAA6E;AAC7E,2CAA2C;AAC3C,KAAK,UAAU,wBAAwB,CACrC,GAA+B,EAC/B,IAAmD,EACnD,UAAkB;IAElB,MAAM,QAAQ,GAAG,MAAM,0BAA0B,CAAC,GAAG,EAAE;QACrD,eAAe,EAAE,IAAI,CAAC,eAAe;QACrC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,UAAU;KACX,CAAC,CAAC;IACH,OAAO,QAAQ,CAAC,OAAO,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,GAA+B,EAAE,OAAe;IAC7E,IAAI,OAAO,KAAK,sBAAsB,EAAE,CAAC;QACvC,OAAO,MAAM,GAAG,CAAC,EAAE;aAChB,KAAK,CAAC,QAAQ,CAAC;aACf,SAAS,CAAC,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;aACpD,MAAM,EAAE,CAAC;IACd,CAAC;IACD,OAAO,MAAM,GAAG,CAAC,EAAE;SAChB,KAAK,CAAC,QAAQ,CAAC;SACf,SAAS,CAAC,aAAa,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,eAAe,EAAE,OAAO,CAAC,CAAC;SAC/D,MAAM,EAAE,CAAC;AACd,CAAC;AAED,KAAK,UAAU,0BAA0B,CACvC,GAA+B,EAC/B,IAA8C;IAE9C,4EAA4E;IAC5E,8EAA8E;IAC9E,+EAA+E;IAC/E,6EAA6E;IAC7E,gDAAgD;IAChD,MAAM,mBAAmB,GAAG,MAAM,mBAAmB,CAAC,GAAG,EAAE;QACzD,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAC;IAEzC,KAAK,MAAM,kBAAkB,IAAI,mBAAmB,EAAE,CAAC;QACrD,4EAA4E;QAC5E,2EAA2E;QAC3E,4EAA4E;QAC5E,MAAM,YAAY,GAAG,MAAM,GAAG,CAAC,EAAE;aAC9B,KAAK,CAAC,eAAe,CAAC;aACtB,SAAS,CAAC,2BAA2B,EAAE,CAAC,CAAC,EAAE,EAAE,CAC5C,CAAC;aACE,EAAE,CAAC,oBAAoB,EAAE,kBAAkB,CAAC;aAC5C,EAAE,CAAC,eAAe,EAAE,IAAI,CAAC,OAAO,CAAC;aACjC,EAAE,CAAC,cAAc,EAAE,SAAS,CAAC;aAC7B,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC,CAC/B;aACA,OAAO,EAAE,CAAC;QAEb,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,IAAI,OAAO,CAAC,SAAS,IAAI,GAAG,EAAE,CAAC;gBACtE,SAAS;YACX,CAAC;YACD,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,KAAK,MAAM,MAAM,IAAI,cAAc,EAAE,CAAC;QACpC,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,EAAE;aACtB,KAAK,CAAC,OAAO,CAAC;aACd,SAAS,CAAC,YAAY,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;aACtD,MAAM,EAAE,CAAC;QACZ,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,OAAO,EAAE,IAAI,CAAC,GAAG;YACjB,QAAQ,EAAE,IAAI,CAAC,IAAI;YACnB,QAAQ,EAAE,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC;SAC1C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CACR,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CACP,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC;QAClC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC;QACpC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,CACnC,CAAC;IACF,OAAO,KAAK,CAAC;AACf,CAAC"}
|