@vess-id/vess 0.2.0-alpha.1

package/dist/gateway/auth.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DeviceAuth = void 0;
+const config_1 = require("../config/config");
+const key_manager_1 = require("../identity/key-manager");
+/**
+ * Device authentication manager.
+ * Session token is stored in OS Keychain (not config file) for security.
+ * Falls back to config file for migration from older versions.
+ */
+class DeviceAuth {
+    configPath;
+    keyManager;
+    constructor(configPath, keyManager) {
+        this.configPath = configPath;
+        this.keyManager = keyManager ?? new key_manager_1.KeyManager();
+    }
+    getSessionToken() {
+        // Prefer Keychain, fall back to config for migration
+        const keychainToken = this.keyManager.getSessionToken();
+        if (keychainToken)
+            return keychainToken;
+        const config = (0, config_1.loadConfig)(this.configPath);
+        return config.deviceSessionToken;
+    }
+    setSessionToken(token) {
+        this.keyManager.storeSessionToken(token);
+    }
+    isAuthenticated() {
+        return !!this.getSessionToken();
+    }
+    /**
+     * Decode the session token JWT and return the `exp` claim (Unix epoch seconds).
+     * Returns null if no token is stored or the token is malformed.
+     */
+    getTokenExpiry() {
+        const token = this.getSessionToken();
+        if (!token)
+            return null;
+        try {
+            const parts = token.split('.');
+            if (parts.length !== 3)
+                return null;
+            const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
+            return payload.exp ?? null;
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Check if the current session token is expiring within the given threshold.
+     * Returns true if no token is stored (treat as expired).
+     */
+    isTokenExpiringSoon(thresholdSeconds) {
+        const exp = this.getTokenExpiry();
+        if (exp === null)
+            return true;
+        return exp - Math.floor(Date.now() / 1000) < thresholdSeconds;
+    }
+    getGatewayUrl() {
+        return (0, config_1.loadConfig)(this.configPath).gatewayUrl;
+    }
+}
+exports.DeviceAuth = DeviceAuth;
+//# sourceMappingURL=auth.js.map

package/dist/gateway/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/gateway/auth.ts"],"names":[],"mappings":";;;AAAA,6CAA6C;AAC7C,yDAAoD;AAEpD;;;;GAIG;AACH,MAAa,UAAU;IAIF;IAHF,UAAU,CAAY;IAEvC,YACmB,UAAkB,EACnC,UAAuB;QADN,eAAU,GAAV,UAAU,CAAQ;QAGnC,IAAI,CAAC,UAAU,GAAG,UAAU,IAAI,IAAI,wBAAU,EAAE,CAAA;IAClD,CAAC;IAED,eAAe;QACb,qDAAqD;QACrD,MAAM,aAAa,GAAG,IAAI,CAAC,UAAU,CAAC,eAAe,EAAE,CAAA;QACvD,IAAI,aAAa;YAAE,OAAO,aAAa,CAAA;QAEvC,MAAM,MAAM,GAAG,IAAA,mBAAU,EAAC,IAAI,CAAC,UAAU,CAAC,CAAA;QAC1C,OAAO,MAAM,CAAC,kBAAkB,CAAA;IAClC,CAAC;IAED,eAAe,CAAC,KAAa;QAC3B,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAA;IAC1C,CAAC;IAED,eAAe;QACb,OAAO,CAAC,CAAC,IAAI,CAAC,eAAe,EAAE,CAAA;IACjC,CAAC;IAED;;;OAGG;IACH,cAAc;QACZ,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,EAAE,CAAA;QACpC,IAAI,CAAC,KAAK;YAAE,OAAO,IAAI,CAAA;QACvB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAA;YACnC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAA;YACzE,OAAO,OAAO,CAAC,GAAG,IAAI,IAAI,CAAA;QAC5B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,mBAAmB,CAAC,gBAAwB;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,cAAc,EAAE,CAAA;QACjC,IAAI,GAAG,KAAK,IAAI;YAAE,OAAO,IAAI,CAAA;QAC7B,OAAO,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,gBAAgB,CAAA;IAC/D,CAAC;IAED,aAAa;QACX,OAAO,IAAA,mBAAU,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC,UAAU,CAAA;IAC/C,CAAC;CACF;AAzDD,gCAyDC"}

package/dist/gateway/gateway-client.d.ts

@@ -0,0 +1,298 @@
+/**
+ * Gateway API client for agentd (spec §10).
+ *
+ * All requests use X-Device-Session-Token header for authentication.
+ *
+ * Endpoints:
+ * - POST /api/v1/agentd/nonce              (nonce for VP replay prevention)
+ * - POST /api/v1/agentd/vc/auto-issue      (auto-issue VC)
+ * - GET  /api/v1/agentd/vc/approved        (find approved requests)
+ * - GET  /api/v1/agentd/vc/status/:jti     (VC revocation status)
+ * - POST /api/v1/agentd/vp/verify-authorize (VP verify + authorize)
+ * - POST /api/v1/agentd/approval/request   (OOB approval request create)
+ * - GET  /api/v1/agentd/approval/:id/status (OOB approval status poll)
+ * - POST /api/v1/grant/quick-approve       (inline Grant + VC issuance)
+ * - POST /api/v1/grant/consume             (one-time grant consumption)
+ * - POST /api/v1/tool/invoke               (SaaS tool execution)
+ * - POST /api/v1/audit/batch               (batch audit event sync)
+ * - GET  /api/v1/grant/policy/:projectId   (org policy sync)
+ * - POST /api/v1/agentd/resource/resolve   (resolve human-readable resource to canonical ID)
+ */
+/** Resource constraint describing a scoped resource (e.g., Slack channel, GitHub repo). */
+export interface ResourceConstraint {
+    provider: string;
+    type: string;
+    id?: string;
+    pattern?: string;
+}
+export interface AutoIssueVCParams {
+    subjectDid: string;
+    projectId: string;
+    actions: string[];
+    sessionId?: string;
+}
+export interface AutoIssueVCResult {
+    autoIssued: boolean;
+    credential: {
+        jwt: string;
+        expiresAt: number;
+    };
+    actions: string[];
+    resources?: ResourceConstraint[];
+    metadata?: Record<string, unknown>;
+}
+export interface ApprovedRequest {
+    id: string;
+    actions: string[];
+    credential?: {
+        jwt: string;
+        expiresAt: number;
+    };
+    resources?: ResourceConstraint[];
+}
+export interface VerifyAuthorizeResult {
+    authorized: boolean;
+    reason?: string;
+    projectId?: string;
+    issuerDid?: string;
+    grantId?: string;
+    approvalMode?: 'one_time' | 'persistent';
+}
+export interface CreateApprovalRequestParams {
+    subjectDid: string;
+    projectId: string;
+    actions: string[];
+    resources?: ResourceConstraint[];
+    expiresInHours?: number;
+}
+export interface CreateApprovalRequestResult {
+    requestId: string;
+    approvalUrl: string;
+    status: string;
+    expiresAt: string;
+}
+export interface ApprovalStatusResult {
+    status: 'pending' | 'approved' | 'denied' | 'expired';
+    actions?: string[];
+    resources?: ResourceConstraint[];
+    credential?: string;
+    grant?: any;
+    vcId?: string;
+    expiresAt?: string;
+}
+export interface QuickApproveParams {
+    actions: string[];
+    resources: Array<{
+        type: string;
+        pattern?: string;
+        id?: string;
+    }>;
+    normalizedResource?: string;
+    resourceFingerprint?: string;
+    subjectDid: string;
+    projectId: string;
+    issueVC: boolean;
+    approvalMode: 'one_time' | 'persistent';
+    approvalNonce: string;
+    expiresInHours?: number;
+}
+export interface QuickApproveResult {
+    grant: {
+        id: string;
+        actions: string[];
+        resources: Array<{
+            type: string;
+            id?: string;
+            pattern?: string;
+        }>;
+        status: string;
+    };
+    /** The VC credential JWT string (raw JWT, not wrapped in an object) */
+    credential: string;
+    vcId: string;
+    issuerDid: string;
+    subjectDid: string;
+    actions: string[];
+    issuedAt: string;
+    /** ISO 8601 expiration timestamp */
+    expiresAt: string;
+    /** Resources with provider enrichment, ready for wallet storage */
+    resources?: ResourceConstraint[];
+}
+export interface ResolveResourceResult {
+    canonicalId: string;
+    displayName: string;
+    provider: string;
+    type: string;
+    resolved: boolean;
+}
+export interface InvokeToolResult {
+    success: boolean;
+    data?: any;
+    error?: string;
+    errorCode?: string;
+    allowedResources?: string[];
+    requestedResource?: string;
+}
+export interface ConsumeGrantResult {
+    consumed: boolean;
+    reason?: string;
+}
+export interface RegisterAgentParams {
+    agentDid: string;
+    name: string;
+    type: string;
+    publicKey: {
+        kty: string;
+        crv: string;
+        x: string;
+        y: string;
+    };
+    projectId: string;
+    deviceInfo?: {
+        platform?: string;
+        hostname?: string;
+        runtime?: string;
+    };
+}
+export interface RegisterAgentResult {
+    id: string;
+    did: string;
+    name: string;
+    type: string;
+    status: string;
+}
+export interface InvokeToolParams {
+    action: string;
+    parameters: Record<string, any>;
+    holderDid: string;
+    vpJwt: string;
+    vpChallenge: string;
+    vpDomain: string;
+}
+/**
+ * Custom error for network-level failures (connection refused, DNS, timeout).
+ * Used by ExecutionEngine to distinguish network issues from code bugs.
+ */
+export declare class GatewayNetworkError extends Error {
+    readonly cause?: unknown | undefined;
+    constructor(message: string, cause?: unknown | undefined);
+}
+export declare class AgentdGatewayClient {
+    private readonly baseUrl;
+    private readonly getSessionToken;
+    private readonly onTokenRefreshed?;
+    /** Shared promise for deduplicating concurrent token refresh attempts */
+    private refreshPromise;
+    constructor(baseUrl: string, getSessionToken: () => string, onTokenRefreshed?: ((newToken: string) => void) | undefined);
+    private buildHeaders;
+    /**
+     * Wrap fetch calls to convert network errors into GatewayNetworkError.
+     */
+    private fetchWithNetworkError;
+    /**
+     * Wrap fetch calls with automatic retry on 401 (token expired).
+     * On 401, attempts to refresh the token and retry the original request.
+     * Does NOT apply to refreshToken itself (to avoid infinite loops).
+     */
+    private fetchWithAuthRetry;
+    /**
+     * Refresh the device session token.
+     * POST /api/v1/device/refresh
+     * NOTE: Uses fetchWithNetworkError (not fetchWithAuthRetry) to avoid infinite loops.
+     */
+    refreshToken(): Promise<{
+        deviceSessionToken: string;
+        expiresAt: string;
+    }>;
+    /**
+     * Issue nonce for VP replay prevention.
+     * POST /api/v1/agentd/nonce
+     */
+    issueNonce(agentDid: string): Promise<{
+        nonce: string;
+    }>;
+    /**
+     * Auto-issue VC when grant has autoApprove enabled.
+     * POST /api/v1/agentd/vc/auto-issue
+     */
+    autoIssueVC(params: AutoIssueVCParams): Promise<AutoIssueVCResult | null>;
+    /**
+     * Find approved requests by subjectDid.
+     * GET /api/v1/agentd/vc/approved?subjectDid=...
+     */
+    findApprovedRequests(subjectDid: string): Promise<ApprovedRequest[]>;
+    /**
+     * Check VC revocation status by jti.
+     * GET /api/v1/agentd/vc/status/:jti
+     */
+    checkVCStatus(jti: string): Promise<{
+        valid: boolean;
+        reason?: string;
+    }>;
+    /**
+     * VP verify + grant authorization check (gateway_verified_local).
+     * POST /api/v1/agentd/vp/verify-authorize
+     */
+    verifyAndAuthorize(vpJwt: string, challenge: string, domain: string, action: string, holderDid: string): Promise<VerifyAuthorizeResult>;
+    /**
+     * Register an agent in the API Agent table so it appears in agents.html / timeline.html.
+     * POST /api/v1/agents/create
+     *
+     * Requires X-Project-Id header for ProjectRoleGuard.
+     * Treats 409 Conflict as success (idempotent — agent already exists).
+     */
+    registerAgent(params: RegisterAgentParams): Promise<RegisterAgentResult>;
+    /**
+     * Inline Grant + VC issuance (spec §6.2).
+     * POST /api/v1/grant/quick-approve
+     */
+    quickApprove(params: QuickApproveParams): Promise<QuickApproveResult>;
+    /**
+     * Create an OOB approval request for high-risk actions.
+     * POST /api/v1/agentd/approval/request
+     */
+    createApprovalRequest(params: CreateApprovalRequestParams): Promise<CreateApprovalRequestResult>;
+    /**
+     * Poll the status of an OOB approval request.
+     * GET /api/v1/agentd/approval/:requestId/status
+     */
+    getApprovalStatus(requestId: string): Promise<ApprovalStatusResult>;
+    /**
+     * One-time grant atomic consumption (spec §6.2).
+     * POST /api/v1/grant/consume
+     */
+    consumeGrant(grantId: string): Promise<ConsumeGrantResult>;
+    /**
+     * SaaS tool execution via Gateway (VP in Authorization header).
+     * POST /api/v1/tool/invoke
+     */
+    invokeTool(params: InvokeToolParams): Promise<InvokeToolResult>;
+    /**
+     * Resolve a human-readable resource identifier to its canonical ID.
+     * POST /api/v1/agentd/resource/resolve
+     */
+    resolveResource(params: {
+        provider: string;
+        resourceType: string;
+        input: string;
+        projectId: string;
+    }): Promise<ResolveResourceResult>;
+    /**
+     * Fetch org-level policy for a project (spec §7.6).
+     */
+    fetchOrgPolicy(projectId: string): Promise<any>;
+    /**
+     * Verify a VP with the Gateway (spec §7.4 gateway_verified_local).
+     * @deprecated Use verifyAndAuthorize instead for full VP+grant check.
+     */
+    verifyVP(vpJwt: string, nonce: string, domain: string): Promise<{
+        valid: boolean;
+        reason?: string;
+    }>;
+    /**
+     * Check if Gateway is reachable.
+     */
+    isReachable(): Promise<boolean>;
+}
+//# sourceMappingURL=gateway-client.d.ts.map

package/dist/gateway/gateway-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gateway-client.d.ts","sourceRoot":"","sources":["../../src/gateway/gateway-client.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,2FAA2F;AAC3F,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ,EAAE,CAAC,EAAE,MAAM,CAAA;IACX,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,UAAU,EAAE,OAAO,CAAA;IACnB,UAAU,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IAC9C,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAA;IAChC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,UAAU,CAAC,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAA;IAC/C,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAA;CACjC;AAED,MAAM,WAAW,qBAAqB;IACpC,UAAU,EAAE,OAAO,CAAA;IACnB,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,UAAU,GAAG,YAAY,CAAA;CACzC;AAED,MAAM,WAAW,2BAA2B;IAC1C,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAA;IAChC,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,MAAM,WAAW,2BAA2B;IAC1C,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,GAAG,SAAS,CAAA;IACrD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAA;IAChC,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,KAAK,CAAC,EAAE,GAAG,CAAA;IACX,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,SAAS,CAAC,EAAE,MAAM,CAAA;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,SAAS,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC;QAAC,EAAE,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACjE,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,OAAO,CAAA;IAChB,YAAY,EAAE,UAAU,GAAG,YAAY,CAAA;IACvC,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAED,MAAM,WAAW,kBAAkB;IACjC,KAAK,EAAE;QACL,EAAE,EAAE,MAAM,CAAA;QACV,OAAO,EAAE,MAAM,EAAE,CAAA;QACjB,SAAS,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,CAAC,EAAE,MAAM,CAAC;YAAC,OAAO,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;QACjE,MAAM,EAAE,MAAM,CAAA;KACf,CAAA;IACD,uEAAuE;IACvE,UAAU,EAAE,MAAM,CAAA;IAClB,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,OAAO,EAAE,MAAM,EAAE,CAAA;IACjB,QAAQ,EAAE,MAAM,CAAA;IAChB,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAA;IACjB,mEAAmE;IACnE,SAAS,CAAC,EAAE,kBAAkB,EAAE,CAAA;CACjC;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,OAAO,CAAA;IAChB,IAAI,CAAC,EAAE,GAAG,CAAA;IACV,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC3B,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAC3B;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,OAAO,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAA;IAChB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,GAAG,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;IAC7D,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,CAAA;CACxE;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,MAAM,CAAA;IACd,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC/B,SAAS,EAAE,MAAM,CAAA;IACjB,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED;;;GAGG;AACH,qBAAa,mBAAoB,SAAQ,KAAK;aACC,KAAK,CAAC,EAAE,OAAO;gBAAhD,OAAO,EAAE,MAAM,EAAkB,KAAK,CAAC,EAAE,OAAO,YAAA;CAI7D;AAED,qBAAa,mBAAmB;IAK5B,OAAO,CAAC,QAAQ,CAAC,OAAO;IACxB,OAAO,CAAC,QAAQ,CAAC,eAAe;IAChC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;IANpC,yEAAyE;IACzE,OAAO,CAAC,cAAc,CAA0E;gBAG7E,OAAO,EAAE,MAAM,EACf,eAAe,EAAE,MAAM,MAAM,EAC7B,gBAAgB,CAAC,GAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,IAAI,aAAA;IAGhE,OAAO,CAAC,YAAY;IAOpB;;OAEG;YACW,qBAAqB;IAWnC;;;;OAIG;YACW,kBAAkB;IAoChC;;;;OAIG;IACG,YAAY,IAAI,OAAO,CAAC;QAAE,kBAAkB,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;IAkBhF;;;OAGG;IACG,UAAU,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAC;IAiB9D;;;OAGG;IACG,WAAW,CAAC,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IAiD/E;;;OAGG;IACG,oBAAoB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA6C1E;;;OAGG;IACG,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAgB9E;;;OAGG;IACG,kBAAkB,CACtB,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,qBAAqB,CAAC;IAqBjC;;;;;;OAMG;IACG,aAAa,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAsC9E;;;OAGG;IACG,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA2B3E;;;OAGG;IACG,qBAAqB,CAAC,MAAM,EAAE,2BAA2B,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAgBtG;;;OAGG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAezE;;;OAGG;IACG,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAiBhE;;;OAGG;IACG,UAAU,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,gBAAgB,CAAC;IA4DrE;;;OAGG;IACG,eAAe,CAAC,MAAM,EAAE;QAC5B,QAAQ,EAAE,MAAM,CAAA;QAChB,YAAY,EAAE,MAAM,CAAA;QACpB,KAAK,EAAE,MAAM,CAAA;QACb,SAAS,EAAE,MAAM,CAAA;KAClB,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAmBlC;;OAEG;IACG,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC;IAgBrD;;;OAGG;IACG,QAAQ,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;IAgB1G;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;CAWtC"}