@vorionsys/security 1.0.0

package/dist/api/v1/auth.js

@@ -0,0 +1,637 @@
+/**
+ * API v1 Authentication Routes
+ *
+ * Provides authentication endpoints including:
+ * - Logout (single session)
+ * - Logout all (all sessions)
+ * - Revoke all tokens (with password confirmation)
+ *
+ * @packageDocumentation
+ */
+import '@fastify/swagger'; // Activates FastifySchema augmentation (description, tags)
+import { z } from 'zod';
+import { eq, and } from 'drizzle-orm';
+import { createLogger } from '../../common/logger.js';
+import { getDatabase } from '../../common/db.js';
+import { createTokenRevocationService, recordTokenRevocationAudit } from '../../common/token-revocation.js';
+import { createEndpointRateLimit } from '../middleware/rate-limits.js';
+import { getTokenLifecycleService } from '../../security/token-lifecycle.js';
+import { getRevocationCheckService } from '../../security/revocation-check.js';
+import { getSessionStore } from '../../security/session-store.js';
+import { verifyPassword, needsRehash, hashPassword } from '../../security/password-hashing.js';
+import { getSecurityAuditLogger } from '../../audit/security-logger.js';
+import { userCredentials, loginAuditLog } from '../../db/schema/users.js';
+const authLogger = createLogger({ component: 'api-v1-auth' });
+const tokenRevocationService = createTokenRevocationService();
+// Rate limit configurations for auth endpoints
+const authRateLimits = {
+    logout: createEndpointRateLimit({ max: 10, windowSeconds: 60 }),
+    revokeAll: createEndpointRateLimit({ max: 3, windowSeconds: 3600 }),
+    refresh: createEndpointRateLimit({ max: 10, windowSeconds: 60 }),
+};
+// =============================================================================
+// Request/Response Schemas
+// =============================================================================
+/**
+ * Logout request body schema
+ */
+const logoutBodySchema = z.object({
+    /** Whether to logout from all sessions */
+    logoutAll: z.boolean().optional().default(false),
+    /** Specific session ID to exclude from logout all (keep current session) */
+    excludeCurrentSession: z.boolean().optional().default(false),
+}).optional();
+/**
+ * Revoke all tokens request body schema
+ */
+const revokeAllBodySchema = z.object({
+    /** Current password for confirmation */
+    currentPassword: z.string().min(1, 'Current password is required'),
+    /** Whether to also revoke API keys */
+    includeApiKeys: z.boolean().optional().default(false),
+});
+// =============================================================================
+// Helper Functions
+// =============================================================================
+/**
+ * Build security actor from request
+ */
+function buildActor(userId, tenantId, request) {
+    return {
+        type: 'user',
+        id: userId,
+        tenantId,
+        ip: request.ip,
+        userAgent: request.headers['user-agent'],
+        sessionId: request.headers['x-session-id'],
+    };
+}
+/** Maximum failed login attempts before DB-level lockout */
+const MAX_FAILED_ATTEMPTS = 10;
+/** Lockout duration in minutes after exceeding max failed attempts */
+const LOCKOUT_DURATION_MINUTES = 30;
+/**
+ * Verify a user's password against the stored hash in the database.
+ *
+ * Security properties:
+ * - Uses Argon2id via password-hashing.ts for timing-safe comparison
+ * - Checks account status (locked, suspended, disabled) before verification
+ * - Tracks failed login attempts at the DB level for persistent lockout
+ * - Automatically rehashes passwords if hash parameters are outdated
+ * - Records login audit events for compliance and forensics
+ * - Fails closed on any unexpected error (returns false, never throws)
+ *
+ * @param userId  - User ID from JWT sub claim
+ * @param tenantId - Tenant ID for scoped credential lookup
+ * @param password - Plaintext password to verify
+ * @param request  - Optional Fastify request for audit context (IP, user agent)
+ * @returns Verification result with MFA flag for downstream flow
+ */
+async function verifyUserPassword(userId, tenantId, password, request) {
+    // Reject empty passwords immediately (no DB round-trip)
+    if (!password || password.length < 1) {
+        return { valid: false, mfaRequired: false, failureCode: 'INVALID_CREDENTIALS' };
+    }
+    const db = getDatabase();
+    try {
+        // -------------------------------------------------------------------------
+        // 1. Look up user credentials by userId and tenantId
+        // -------------------------------------------------------------------------
+        const [credential] = await db
+            .select({
+            userId: userCredentials.userId,
+            passwordHash: userCredentials.passwordHash,
+            status: userCredentials.status,
+            mfaEnabled: userCredentials.mfaEnabled,
+            failedLoginAttempts: userCredentials.failedLoginAttempts,
+            lockedUntil: userCredentials.lockedUntil,
+            email: userCredentials.email,
+        })
+            .from(userCredentials)
+            .where(and(eq(userCredentials.userId, userId), eq(userCredentials.tenantId, tenantId)))
+            .limit(1);
+        // No credential record found -- fail closed with generic error
+        if (!credential) {
+            authLogger.warn({ userId, tenantId }, 'Password verification failed: no credential record found for user');
+            // Record audit event for unknown user attempt
+            await recordLoginAudit(db, {
+                userId,
+                tenantId,
+                loginIdentifier: userId,
+                event: 'login_failed',
+                failureReason: 'user_not_found',
+                ipAddress: request?.ip,
+                userAgent: request?.headers['user-agent'],
+            });
+            return { valid: false, mfaRequired: false, failureCode: 'INVALID_CREDENTIALS' };
+        }
+        // -------------------------------------------------------------------------
+        // 2. Check account status
+        // -------------------------------------------------------------------------
+        if (credential.status === 'disabled' || credential.status === 'suspended') {
+            authLogger.warn({ userId, tenantId, status: credential.status }, 'Password verification rejected: account is not active');
+            await recordLoginAudit(db, {
+                userId,
+                tenantId,
+                loginIdentifier: credential.email,
+                event: 'login_failed',
+                failureReason: `account_${credential.status}`,
+                ipAddress: request?.ip,
+                userAgent: request?.headers['user-agent'],
+            });
+            return { valid: false, mfaRequired: false, failureCode: 'ACCOUNT_DISABLED' };
+        }
+        // -------------------------------------------------------------------------
+        // 3. Check DB-level lockout
+        // -------------------------------------------------------------------------
+        if (credential.lockedUntil && credential.lockedUntil > new Date()) {
+            authLogger.warn({ userId, tenantId, lockedUntil: credential.lockedUntil.toISOString() }, 'Password verification rejected: account is locked');
+            await recordLoginAudit(db, {
+                userId,
+                tenantId,
+                loginIdentifier: credential.email,
+                event: 'login_failed',
+                failureReason: 'account_locked',
+                ipAddress: request?.ip,
+                userAgent: request?.headers['user-agent'],
+            });
+            return { valid: false, mfaRequired: false, failureCode: 'ACCOUNT_LOCKED' };
+        }
+        // -------------------------------------------------------------------------
+        // 4. Verify password using Argon2id (timing-safe)
+        // -------------------------------------------------------------------------
+        const isValid = await verifyPassword(password, credential.passwordHash);
+        if (!isValid) {
+            // Increment failed attempt counter and potentially lock the account
+            const newFailedAttempts = credential.failedLoginAttempts + 1;
+            const shouldLock = newFailedAttempts >= MAX_FAILED_ATTEMPTS;
+            const updateData = {
+                failedLoginAttempts: newFailedAttempts,
+                lastFailedLoginAt: new Date(),
+                updatedAt: new Date(),
+            };
+            if (shouldLock) {
+                const lockUntil = new Date(Date.now() + LOCKOUT_DURATION_MINUTES * 60 * 1000);
+                updateData.lockedUntil = lockUntil;
+                updateData.status = 'locked';
+                authLogger.warn({ userId, tenantId, failedAttempts: newFailedAttempts, lockedUntil: lockUntil.toISOString() }, 'Account locked due to excessive failed login attempts');
+                await recordLoginAudit(db, {
+                    userId,
+                    tenantId,
+                    loginIdentifier: credential.email,
+                    event: 'account_locked',
+                    failureReason: `locked_after_${newFailedAttempts}_failed_attempts`,
+                    ipAddress: request?.ip,
+                    userAgent: request?.headers['user-agent'],
+                });
+            }
+            await db
+                .update(userCredentials)
+                .set(updateData)
+                .where(eq(userCredentials.userId, userId));
+            await recordLoginAudit(db, {
+                userId,
+                tenantId,
+                loginIdentifier: credential.email,
+                event: 'login_failed',
+                failureReason: 'invalid_password',
+                ipAddress: request?.ip,
+                userAgent: request?.headers['user-agent'],
+            });
+            authLogger.debug({ userId, tenantId, failedAttempts: newFailedAttempts }, 'Password verification failed');
+            return { valid: false, mfaRequired: false, failureCode: 'INVALID_CREDENTIALS' };
+        }
+        // -------------------------------------------------------------------------
+        // 5. Password correct -- reset failed attempts and update last login
+        // -------------------------------------------------------------------------
+        const updateData = {
+            failedLoginAttempts: 0,
+            lastFailedLoginAt: null,
+            lockedUntil: null,
+            lastLoginAt: new Date(),
+            updatedAt: new Date(),
+        };
+        // If the account was locked but the lock expired, re-activate it
+        if (credential.status === 'locked') {
+            updateData.status = 'active';
+        }
+        // -------------------------------------------------------------------------
+        // 6. Rehash password if hash parameters are outdated (transparent upgrade)
+        // -------------------------------------------------------------------------
+        if (needsRehash(credential.passwordHash)) {
+            try {
+                const newHash = await hashPassword(password);
+                updateData.passwordHash = newHash;
+                updateData.passwordChangedAt = new Date();
+                authLogger.info({ userId, tenantId }, 'Password hash upgraded to current Argon2id parameters');
+            }
+            catch (rehashError) {
+                // Non-fatal: log and continue with the old hash
+                authLogger.error({ userId, tenantId, error: rehashError }, 'Failed to rehash password during transparent upgrade');
+            }
+        }
+        await db
+            .update(userCredentials)
+            .set(updateData)
+            .where(eq(userCredentials.userId, userId));
+        await recordLoginAudit(db, {
+            userId,
+            tenantId,
+            loginIdentifier: credential.email,
+            event: 'login_success',
+            ipAddress: request?.ip,
+            userAgent: request?.headers['user-agent'],
+        });
+        authLogger.debug({ userId, tenantId }, 'Password verification succeeded');
+        return {
+            valid: true,
+            mfaRequired: credential.mfaEnabled,
+        };
+    }
+    catch (error) {
+        // FAIL CLOSED: Any unexpected error results in rejection
+        authLogger.error({ userId, tenantId, error }, 'Password verification failed due to unexpected error -- failing closed');
+        return { valid: false, mfaRequired: false, failureCode: 'INVALID_CREDENTIALS' };
+    }
+}
+/**
+ * Record a login audit event in the database.
+ *
+ * This is a fire-and-forget helper: errors are logged but never propagated
+ * to avoid disrupting the authentication flow.
+ */
+async function recordLoginAudit(db, params) {
+    try {
+        await db.insert(loginAuditLog).values({
+            userId: params.userId,
+            tenantId: params.tenantId,
+            loginIdentifier: params.loginIdentifier,
+            event: params.event,
+            failureReason: params.failureReason,
+            ipAddress: params.ipAddress,
+            userAgent: params.userAgent,
+        });
+    }
+    catch (auditError) {
+        // Never let audit failures break authentication
+        authLogger.error({ error: auditError, event: params.event, userId: params.userId }, 'Failed to record login audit event');
+    }
+}
+// =============================================================================
+// Route Handlers
+// =============================================================================
+/**
+ * Register v1 authentication routes
+ */
+export async function registerAuthRoutesV1(fastify) {
+    const securityLogger = getSecurityAuditLogger();
+    const tokenLifecycleService = getTokenLifecycleService();
+    const revocationCheckService = getRevocationCheckService();
+    const sessionStore = getSessionStore();
+    // ===========================================================================
+    // POST /auth/logout - Logout from current or all sessions
+    // ===========================================================================
+    fastify.post('/auth/logout', {
+        preHandler: authRateLimits.logout,
+        schema: {
+            description: 'Logout from current session or all sessions',
+            tags: ['auth'],
+            body: {
+                type: 'object',
+                properties: {
+                    logoutAll: { type: 'boolean', default: false },
+                    excludeCurrentSession: { type: 'boolean', default: false },
+                },
+            },
+            response: {
+                200: {
+                    type: 'object',
+                    properties: {
+                        message: { type: 'string' },
+                        loggedOutSessions: { type: 'number' },
+                        revokedTokenFamilies: { type: 'number' },
+                    },
+                },
+            },
+        },
+    }, async (request, reply) => {
+        const response = {
+            message: 'Logged out successfully',
+        };
+        try {
+            // Verify JWT and get payload
+            const payload = await request.jwtVerify();
+            const { jti, sub: userId, exp, tenantId, sessionId } = payload;
+            if (!userId) {
+                authLogger.warn('Logout attempted with token missing sub claim');
+                return reply.send(response);
+            }
+            // Parse body
+            const body = logoutBodySchema.safeParse(request.body);
+            const logoutAll = body.success ? body.data?.logoutAll ?? false : false;
+            const excludeCurrentSession = body.success ? body.data?.excludeCurrentSession ?? false : false;
+            // Build actor for audit logging
+            const actor = buildActor(userId, tenantId, request);
+            if (logoutAll) {
+                // ==== Logout All Sessions ====
+                authLogger.info({ userId, tenantId }, 'User initiated logout from all sessions');
+                const result = await tokenLifecycleService.revokeAllUserTokens(userId, tenantId ?? 'default', {
+                    reason: 'logout_all',
+                    revokedBy: userId,
+                    tokenTypes: ['jwt', 'refresh', 'session'],
+                    excludeSessionId: excludeCurrentSession ? sessionId : undefined,
+                });
+                response.loggedOutSessions = result.sessionsRevoked;
+                response.revokedTokenFamilies = result.refreshTokenFamiliesRevoked;
+                response.message = `Logged out from ${result.sessionsRevoked} session(s)`;
+                // Audit log
+                await securityLogger.logSessionsBulkRevoked(actor, userId, result.totalRevoked, 'User initiated logout all');
+                authLogger.info({
+                    userId,
+                    tenantId,
+                    sessionsRevoked: result.sessionsRevoked,
+                    refreshFamiliesRevoked: result.refreshTokenFamiliesRevoked,
+                }, 'User logged out from all sessions');
+            }
+            else {
+                // ==== Single Session Logout ====
+                // Revoke the current JWT token
+                if (jti) {
+                    const expiresAt = exp ? new Date(exp * 1000) : new Date(Date.now() + 60 * 60 * 1000);
+                    await tokenRevocationService.revokeToken(jti, expiresAt);
+                    // Add to bloom filter for fast revocation checking
+                    revocationCheckService.addRevokedToken(jti);
+                    // Publish revocation to other instances
+                    await revocationCheckService.publishRevocation(jti);
+                }
+                // Revoke the session if sessionId is present
+                if (sessionId) {
+                    await sessionStore.revoke(sessionId, 'User logout', userId);
+                    response.loggedOutSessions = 1;
+                }
+                // Audit log single logout
+                if (tenantId) {
+                    await recordTokenRevocationAudit(tenantId, userId, 'token.revoked', {
+                        type: 'user',
+                        id: userId,
+                        ip: request.ip,
+                    }, { jti, sessionId, reason: 'logout' });
+                }
+                // Log session revocation
+                if (sessionId) {
+                    await securityLogger.logSessionRevoked(actor, sessionId, 'User logout', { jti });
+                }
+                authLogger.info({ jti, userId, sessionId }, 'User logged out');
+            }
+            return reply.send(response);
+        }
+        catch (error) {
+            // Even if token verification fails, we still return success
+            // This prevents information leakage about token validity
+            authLogger.warn({ error }, 'Logout with invalid or expired token');
+            return reply.send(response);
+        }
+    });
+    // ===========================================================================
+    // POST /auth/revoke-all - Revoke all tokens (requires password)
+    // ===========================================================================
+    fastify.post('/auth/revoke-all', {
+        preHandler: authRateLimits.revokeAll,
+        schema: {
+            description: 'Revoke all tokens for the current user. Requires password confirmation.',
+            tags: ['auth'],
+            security: [{ bearerAuth: [] }],
+            body: {
+                type: 'object',
+                required: ['currentPassword'],
+                properties: {
+                    currentPassword: { type: 'string', minLength: 1 },
+                    includeApiKeys: { type: 'boolean', default: false },
+                },
+            },
+            response: {
+                200: {
+                    type: 'object',
+                    properties: {
+                        message: { type: 'string' },
+                        result: {
+                            type: 'object',
+                            properties: {
+                                totalRevoked: { type: 'number' },
+                                jwtTokensRevoked: { type: 'number' },
+                                refreshTokenFamiliesRevoked: { type: 'number' },
+                                sessionsRevoked: { type: 'number' },
+                                apiKeysRevoked: { type: 'number' },
+                            },
+                        },
+                    },
+                },
+                400: {
+                    type: 'object',
+                    properties: {
+                        error: {
+                            type: 'object',
+                            properties: {
+                                code: { type: 'string' },
+                                message: { type: 'string' },
+                            },
+                        },
+                    },
+                },
+                401: {
+                    type: 'object',
+                    properties: {
+                        error: {
+                            type: 'object',
+                            properties: {
+                                code: { type: 'string' },
+                                message: { type: 'string' },
+                            },
+                        },
+                    },
+                },
+                429: {
+                    type: 'object',
+                    properties: {
+                        error: {
+                            type: 'object',
+                            properties: {
+                                code: { type: 'string' },
+                                message: { type: 'string' },
+                            },
+                        },
+                    },
+                },
+            },
+        },
+    }, async (request, reply) => {
+        // Verify JWT
+        let payload;
+        try {
+            payload = await request.jwtVerify();
+        }
+        catch {
+            return reply.status(401).send({
+                error: {
+                    code: 'UNAUTHORIZED',
+                    message: 'Valid authentication token required',
+                },
+            });
+        }
+        const { sub: userId, tenantId } = payload;
+        if (!userId) {
+            return reply.status(401).send({
+                error: {
+                    code: 'UNAUTHORIZED',
+                    message: 'Token missing user identifier',
+                },
+            });
+        }
+        // Validate request body
+        const bodyResult = revokeAllBodySchema.safeParse(request.body);
+        if (!bodyResult.success) {
+            return reply.status(400).send({
+                error: {
+                    code: 'VALIDATION_ERROR',
+                    message: bodyResult.error.errors[0]?.message ?? 'Invalid request body',
+                },
+            });
+        }
+        const { currentPassword, includeApiKeys } = bodyResult.data;
+        // Verify current password against stored hash
+        const passwordResult = await verifyUserPassword(userId, tenantId ?? 'default', currentPassword, request);
+        if (!passwordResult.valid) {
+            authLogger.warn({ userId, failureCode: passwordResult.failureCode }, 'Revoke-all failed: password verification rejected');
+            // Audit log failed attempt
+            const actor = buildActor(userId, tenantId, request);
+            await securityLogger.logAuthAttempt(actor, false, { type: 'user', id: userId }, { action: 'revoke_all' }, passwordResult.failureCode ?? 'Invalid password');
+            // Return 429 for locked accounts, 401 for invalid credentials
+            const statusCode = passwordResult.failureCode === 'ACCOUNT_LOCKED' ? 429 : 401;
+            const errorCode = passwordResult.failureCode === 'ACCOUNT_LOCKED'
+                ? 'ACCOUNT_LOCKED'
+                : 'INVALID_PASSWORD';
+            const errorMessage = passwordResult.failureCode === 'ACCOUNT_LOCKED'
+                ? 'Account is temporarily locked due to too many failed attempts'
+                : 'Current password is incorrect';
+            return reply.status(statusCode).send({
+                error: {
+                    code: errorCode,
+                    message: errorMessage,
+                },
+            });
+        }
+        // Perform bulk revocation
+        const tokenTypes = [
+            'jwt',
+            'refresh',
+            'session',
+        ];
+        if (includeApiKeys) {
+            tokenTypes.push('api_key');
+        }
+        authLogger.info({ userId, tenantId, includeApiKeys }, 'User initiated revoke-all with password confirmation');
+        const result = await tokenLifecycleService.revokeAllUserTokens(userId, tenantId ?? 'default', {
+            reason: 'manual_revocation',
+            revokedBy: userId,
+            tokenTypes,
+            metadata: { passwordConfirmed: true },
+        });
+        // Build response
+        const response = {
+            message: 'All tokens have been revoked',
+            result: {
+                totalRevoked: result.totalRevoked,
+                jwtTokensRevoked: result.jwtTokensRevoked,
+                refreshTokenFamiliesRevoked: result.refreshTokenFamiliesRevoked,
+                sessionsRevoked: result.sessionsRevoked,
+                apiKeysRevoked: result.apiKeysRevoked,
+            },
+        };
+        // Audit log success
+        const actor = buildActor(userId, tenantId, request);
+        await securityLogger.logSessionsBulkRevoked(actor, userId, result.totalRevoked, 'User initiated revoke-all with password confirmation');
+        authLogger.info({
+            userId,
+            tenantId,
+            result: response.result,
+        }, 'User revoked all tokens successfully');
+        return reply.send(response);
+    });
+    // ===========================================================================
+    // POST /auth/logout-device - Logout from a specific device
+    // ===========================================================================
+    fastify.post('/auth/logout-device', {
+        preHandler: authRateLimits.logout,
+        schema: {
+            description: 'Logout from a specific device',
+            tags: ['auth'],
+            security: [{ bearerAuth: [] }],
+            body: {
+                type: 'object',
+                required: ['deviceId'],
+                properties: {
+                    deviceId: { type: 'string', minLength: 1 },
+                },
+            },
+            response: {
+                200: {
+                    type: 'object',
+                    properties: {
+                        message: { type: 'string' },
+                        sessionsRevoked: { type: 'number' },
+                        refreshTokensRevoked: { type: 'number' },
+                    },
+                },
+            },
+        },
+    }, async (request, reply) => {
+        // Verify JWT
+        let payload;
+        try {
+            payload = await request.jwtVerify();
+        }
+        catch {
+            return reply.status(401).send({
+                error: {
+                    code: 'UNAUTHORIZED',
+                    message: 'Valid authentication token required',
+                },
+            });
+        }
+        const { sub: userId, tenantId } = payload;
+        const { deviceId } = request.body;
+        if (!userId) {
+            return reply.status(401).send({
+                error: {
+                    code: 'UNAUTHORIZED',
+                    message: 'Token missing user identifier',
+                },
+            });
+        }
+        if (!deviceId) {
+            return reply.status(400).send({
+                error: {
+                    code: 'VALIDATION_ERROR',
+                    message: 'Device ID is required',
+                },
+            });
+        }
+        authLogger.info({ userId, deviceId }, 'User initiated device logout');
+        const result = await tokenLifecycleService.revokeByDevice(userId, deviceId);
+        // Audit log
+        const actor = buildActor(userId, tenantId, request);
+        await securityLogger.logSessionsBulkRevoked(actor, userId, result.totalRevoked, `Device logout: ${deviceId}`);
+        authLogger.info({
+            userId,
+            deviceId,
+            sessionsRevoked: result.sessionsRevoked,
+            refreshTokensRevoked: result.refreshTokenFamiliesRevoked,
+        }, 'Device logout completed');
+        return reply.send({
+            message: 'Device logged out successfully',
+            sessionsRevoked: result.sessionsRevoked,
+            refreshTokensRevoked: result.refreshTokenFamiliesRevoked,
+        });
+    });
+}
+//# sourceMappingURL=auth.js.map

package/dist/api/v1/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/api/v1/auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,kBAAkB,CAAC,CAAC,2DAA2D;AACtF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,EAAE,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,4BAA4B,EAAE,0BAA0B,EAAE,MAAM,kCAAkC,CAAC;AAC5G,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,wBAAwB,EAAE,MAAM,mCAAmC,CAAC;AAC7E,OAAO,EAAE,yBAAyB,EAAE,MAAM,oCAAoC,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAC;AAC/F,OAAO,EAAE,sBAAsB,EAAE,MAAM,gCAAgC,CAAC;AAExE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAC;AAE1E,MAAM,UAAU,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC,CAAC;AAC9D,MAAM,sBAAsB,GAAG,4BAA4B,EAAE,CAAC;AAE9D,+CAA+C;AAC/C,MAAM,cAAc,GAAG;IACrB,MAAM,EAAE,uBAAuB,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;IAC/D,SAAS,EAAE,uBAAuB,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IACnE,OAAO,EAAE,uBAAuB,CAAC,EAAE,GAAG,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC;CACjE,CAAC;AAEF,gFAAgF;AAChF,2BAA2B;AAC3B,gFAAgF;AAEhF;;GAEG;AACH,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IAChC,0CAA0C;IAC1C,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;IAChD,4EAA4E;IAC5E,qBAAqB,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CAC7D,CAAC,CAAC,QAAQ,EAAE,CAAC;AAEd;;GAEG;AACH,MAAM,mBAAmB,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,wCAAwC;IACxC,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,8BAA8B,CAAC;IAClE,sCAAsC;IACtC,cAAc,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC;CACtD,CAAC,CAAC;AAuCH,gFAAgF;AAChF,mBAAmB;AACnB,gFAAgF;AAEhF;;GAEG;AACH,SAAS,UAAU,CACjB,MAAc,EACd,QAA4B,EAC5B,OAAuB;IAEvB,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,EAAE,EAAE,MAAM;QACV,QAAQ;QACR,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;QACxC,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,cAAc,CAAuB;KACjE,CAAC;AACJ,CAAC;AAED,4DAA4D;AAC5D,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,sEAAsE;AACtE,MAAM,wBAAwB,GAAG,EAAE,CAAC;AAcpC;;;;;;;;;;;;;;;;GAgBG;AACH,KAAK,UAAU,kBAAkB,CAC/B,MAAc,EACd,QAAgB,EAChB,QAAgB,EAChB,OAAwB;IAExB,wDAAwD;IACxD,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACrC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;IAClF,CAAC;IAED,MAAM,EAAE,GAAG,WAAW,EAAE,CAAC;IAEzB,IAAI,CAAC;QACH,4EAA4E;QAC5E,qDAAqD;QACrD,4EAA4E;QAC5E,MAAM,CAAC,UAAU,CAAC,GAAG,MAAM,EAAE;aAC1B,MAAM,CAAC;YACN,MAAM,EAAE,eAAe,CAAC,MAAM;YAC9B,YAAY,EAAE,eAAe,CAAC,YAAY;YAC1C,MAAM,EAAE,eAAe,CAAC,MAAM;YAC9B,UAAU,EAAE,eAAe,CAAC,UAAU;YACtC,mBAAmB,EAAE,eAAe,CAAC,mBAAmB;YACxD,WAAW,EAAE,eAAe,CAAC,WAAW;YACxC,KAAK,EAAE,eAAe,CAAC,KAAK;SAC7B,CAAC;aACD,IAAI,CAAC,eAAe,CAAC;aACrB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,EAClC,EAAE,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CACvC,CACF;aACA,KAAK,CAAC,CAAC,CAAC,CAAC;QAEZ,+DAA+D;QAC/D,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,EACpB,mEAAmE,CACpE,CAAC;YAEF,8CAA8C;YAC9C,MAAM,gBAAgB,CAAC,EAAE,EAAE;gBACzB,MAAM;gBACN,QAAQ;gBACR,eAAe,EAAE,MAAM;gBACvB,KAAK,EAAE,cAAc;gBACrB,aAAa,EAAE,gBAAgB;gBAC/B,SAAS,EAAE,OAAO,EAAE,EAAE;gBACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;aAC1C,CAAC,CAAC;YAEH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;QAClF,CAAC;QAED,4EAA4E;QAC5E,0BAA0B;QAC1B,4EAA4E;QAC5E,IAAI,UAAU,CAAC,MAAM,KAAK,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAC1E,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,MAAM,EAAE,EAC/C,uDAAuD,CACxD,CAAC;YAEF,MAAM,gBAAgB,CAAC,EAAE,EAAE;gBACzB,MAAM;gBACN,QAAQ;gBACR,eAAe,EAAE,UAAU,CAAC,KAAK;gBACjC,KAAK,EAAE,cAAc;gBACrB,aAAa,EAAE,WAAW,UAAU,CAAC,MAAM,EAAE;gBAC7C,SAAS,EAAE,OAAO,EAAE,EAAE;gBACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;aAC1C,CAAC,CAAC;YAEH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;QAC/E,CAAC;QAED,4EAA4E;QAC5E,4BAA4B;QAC5B,4EAA4E;QAC5E,IAAI,UAAU,CAAC,WAAW,IAAI,UAAU,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;YAClE,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,UAAU,CAAC,WAAW,CAAC,WAAW,EAAE,EAAE,EACvE,mDAAmD,CACpD,CAAC;YAEF,MAAM,gBAAgB,CAAC,EAAE,EAAE;gBACzB,MAAM;gBACN,QAAQ;gBACR,eAAe,EAAE,UAAU,CAAC,KAAK;gBACjC,KAAK,EAAE,cAAc;gBACrB,aAAa,EAAE,gBAAgB;gBAC/B,SAAS,EAAE,OAAO,EAAE,EAAE;gBACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;aAC1C,CAAC,CAAC;YAEH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,gBAAgB,EAAE,CAAC;QAC7E,CAAC;QAED,4EAA4E;QAC5E,kDAAkD;QAClD,4EAA4E;QAC5E,MAAM,OAAO,GAAG,MAAM,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,YAAY,CAAC,CAAC;QAExE,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,oEAAoE;YACpE,MAAM,iBAAiB,GAAG,UAAU,CAAC,mBAAmB,GAAG,CAAC,CAAC;YAC7D,MAAM,UAAU,GAAG,iBAAiB,IAAI,mBAAmB,CAAC;YAE5D,MAAM,UAAU,GAA4B;gBAC1C,mBAAmB,EAAE,iBAAiB;gBACtC,iBAAiB,EAAE,IAAI,IAAI,EAAE;gBAC7B,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;YAEF,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,wBAAwB,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;gBAC9E,UAAU,CAAC,WAAW,GAAG,SAAS,CAAC;gBACnC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC;gBAE7B,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,iBAAiB,EAAE,WAAW,EAAE,SAAS,CAAC,WAAW,EAAE,EAAE,EAC7F,uDAAuD,CACxD,CAAC;gBAEF,MAAM,gBAAgB,CAAC,EAAE,EAAE;oBACzB,MAAM;oBACN,QAAQ;oBACR,eAAe,EAAE,UAAU,CAAC,KAAK;oBACjC,KAAK,EAAE,gBAAgB;oBACvB,aAAa,EAAE,gBAAgB,iBAAiB,kBAAkB;oBAClE,SAAS,EAAE,OAAO,EAAE,EAAE;oBACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;iBAC1C,CAAC,CAAC;YACL,CAAC;YAED,MAAM,EAAE;iBACL,MAAM,CAAC,eAAe,CAAC;iBACvB,GAAG,CAAC,UAAU,CAAC;iBACf,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;YAE7C,MAAM,gBAAgB,CAAC,EAAE,EAAE;gBACzB,MAAM;gBACN,QAAQ;gBACR,eAAe,EAAE,UAAU,CAAC,KAAK;gBACjC,KAAK,EAAE,cAAc;gBACrB,aAAa,EAAE,kBAAkB;gBACjC,SAAS,EAAE,OAAO,EAAE,EAAE;gBACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;aAC1C,CAAC,CAAC;YAEH,UAAU,CAAC,KAAK,CACd,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,iBAAiB,EAAE,EACvD,8BAA8B,CAC/B,CAAC;YAEF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;QAClF,CAAC;QAED,4EAA4E;QAC5E,qEAAqE;QACrE,4EAA4E;QAC5E,MAAM,UAAU,GAA4B;YAC1C,mBAAmB,EAAE,CAAC;YACtB,iBAAiB,EAAE,IAAI;YACvB,WAAW,EAAE,IAAI;YACjB,WAAW,EAAE,IAAI,IAAI,EAAE;YACvB,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC;QAEF,iEAAiE;QACjE,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YACnC,UAAU,CAAC,MAAM,GAAG,QAAQ,CAAC;QAC/B,CAAC;QAED,4EAA4E;QAC5E,2EAA2E;QAC3E,4EAA4E;QAC5E,IAAI,WAAW,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,QAAQ,CAAC,CAAC;gBAC7C,UAAU,CAAC,YAAY,GAAG,OAAO,CAAC;gBAClC,UAAU,CAAC,iBAAiB,GAAG,IAAI,IAAI,EAAE,CAAC;gBAC1C,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,EACpB,uDAAuD,CACxD,CAAC;YACJ,CAAC;YAAC,OAAO,WAAW,EAAE,CAAC;gBACrB,gDAAgD;gBAChD,UAAU,CAAC,KAAK,CACd,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,EACxC,sDAAsD,CACvD,CAAC;YACJ,CAAC;QACH,CAAC;QAED,MAAM,EAAE;aACL,MAAM,CAAC,eAAe,CAAC;aACvB,GAAG,CAAC,UAAU,CAAC;aACf,KAAK,CAAC,EAAE,CAAC,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAE7C,MAAM,gBAAgB,CAAC,EAAE,EAAE;YACzB,MAAM;YACN,QAAQ;YACR,eAAe,EAAE,UAAU,CAAC,KAAK;YACjC,KAAK,EAAE,eAAe;YACtB,SAAS,EAAE,OAAO,EAAE,EAAE;YACtB,SAAS,EAAE,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC;SAC1C,CAAC,CAAC;QAEH,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,iCAAiC,CAAC,CAAC;QAE1E,OAAO;YACL,KAAK,EAAE,IAAI;YACX,WAAW,EAAE,UAAU,CAAC,UAAU;SACnC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,yDAAyD;QACzD,UAAU,CAAC,KAAK,CACd,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,EAC3B,wEAAwE,CACzE,CAAC;QACF,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,KAAK,UAAU,gBAAgB,CAC7B,EAAkC,EAClC,MAUC;IAED,IAAI,CAAC;QACH,MAAM,EAAE,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;YACpC,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,aAAa,EAAE,MAAM,CAAC,aAAa;YACnC,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,SAAS,EAAE,MAAM,CAAC,SAAS;SAC5B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,UAAU,EAAE,CAAC;QACpB,gDAAgD;QAChD,UAAU,CAAC,KAAK,CACd,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,EACjE,oCAAoC,CACrC,CAAC;IACJ,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,OAAwB;IACjE,MAAM,cAAc,GAAG,sBAAsB,EAAE,CAAC;IAChD,MAAM,qBAAqB,GAAG,wBAAwB,EAAE,CAAC;IACzD,MAAM,sBAAsB,GAAG,yBAAyB,EAAE,CAAC;IAC3D,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;IAEvC,8EAA8E;IAC9E,0DAA0D;IAC1D,8EAA8E;IAC9E,OAAO,CAAC,IAAI,CAET,cAAc,EAAE;QACjB,UAAU,EAAE,cAAc,CAAC,MAAM;QACjC,MAAM,EAAE;YACN,WAAW,EAAE,6CAA6C;YAC1D,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,UAAU,EAAE;oBACV,SAAS,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;oBAC9C,qBAAqB,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;iBAC3D;aACF;YACD,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC3B,iBAAiB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACrC,oBAAoB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;qBACzC;iBACF;aACF;SACF;KACF,EAAE,KAAK,EAAE,OAAmE,EAAE,KAAmB,EAAE,EAAE;QACpG,MAAM,QAAQ,GAAmB;YAC/B,OAAO,EAAE,yBAAyB;SACnC,CAAC;QAEF,IAAI,CAAC;YACH,6BAA6B;YAC7B,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,SAAS,EAAc,CAAC;YAEtD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;YAE/D,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,UAAU,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAC;gBACjE,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9B,CAAC;YAED,aAAa;YACb,MAAM,IAAI,GAAG,gBAAgB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;YACvE,MAAM,qBAAqB,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,qBAAqB,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC;YAE/F,gCAAgC;YAChC,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YAEpD,IAAI,SAAS,EAAE,CAAC;gBACd,gCAAgC;gBAChC,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,yCAAyC,CAAC,CAAC;gBAEjF,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,mBAAmB,CAC5D,MAAM,EACN,QAAQ,IAAI,SAAS,EACrB;oBACE,MAAM,EAAE,YAAY;oBACpB,SAAS,EAAE,MAAM;oBACjB,UAAU,EAAE,CAAC,KAAK,EAAE,SAAS,EAAE,SAAS,CAAC;oBACzC,gBAAgB,EAAE,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;iBAChE,CACF,CAAC;gBAEF,QAAQ,CAAC,iBAAiB,GAAG,MAAM,CAAC,eAAe,CAAC;gBACpD,QAAQ,CAAC,oBAAoB,GAAG,MAAM,CAAC,2BAA2B,CAAC;gBACnE,QAAQ,CAAC,OAAO,GAAG,mBAAmB,MAAM,CAAC,eAAe,aAAa,CAAC;gBAE1E,YAAY;gBACZ,MAAM,cAAc,CAAC,sBAAsB,CACzC,KAAK,EACL,MAAM,EACN,MAAM,CAAC,YAAY,EACnB,2BAA2B,CAC5B,CAAC;gBAEF,UAAU,CAAC,IAAI,CACb;oBACE,MAAM;oBACN,QAAQ;oBACR,eAAe,EAAE,MAAM,CAAC,eAAe;oBACvC,sBAAsB,EAAE,MAAM,CAAC,2BAA2B;iBAC3D,EACD,mCAAmC,CACpC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,kCAAkC;gBAElC,+BAA+B;gBAC/B,IAAI,GAAG,EAAE,CAAC;oBACR,MAAM,SAAS,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;oBACrF,MAAM,sBAAsB,CAAC,WAAW,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;oBAEzD,mDAAmD;oBACnD,sBAAsB,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;oBAE5C,wCAAwC;oBACxC,MAAM,sBAAsB,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;gBACtD,CAAC;gBAED,6CAA6C;gBAC7C,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,YAAY,CAAC,MAAM,CAAC,SAAS,EAAE,aAAa,EAAE,MAAM,CAAC,CAAC;oBAC5D,QAAQ,CAAC,iBAAiB,GAAG,CAAC,CAAC;gBACjC,CAAC;gBAED,0BAA0B;gBAC1B,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,0BAA0B,CAC9B,QAAQ,EACR,MAAM,EACN,eAAe,EACf;wBACE,IAAI,EAAE,MAAM;wBACZ,EAAE,EAAE,MAAM;wBACV,EAAE,EAAE,OAAO,CAAC,EAAE;qBACf,EACD,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,CACrC,CAAC;gBACJ,CAAC;gBAED,yBAAyB;gBACzB,IAAI,SAAS,EAAE,CAAC;oBACd,MAAM,cAAc,CAAC,iBAAiB,CACpC,KAAK,EACL,SAAS,EACT,aAAa,EACb,EAAE,GAAG,EAAE,CACR,CAAC;gBACJ,CAAC;gBAED,UAAU,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,EAAE,iBAAiB,CAAC,CAAC;YACjE,CAAC;YAED,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,4DAA4D;YAC5D,yDAAyD;YACzD,UAAU,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,sCAAsC,CAAC,CAAC;YACnE,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAC9E,gEAAgE;IAChE,8EAA8E;IAC9E,OAAO,CAAC,IAAI,CAET,kBAAkB,EAAE;QACrB,UAAU,EAAE,cAAc,CAAC,SAAS;QACpC,MAAM,EAAE;YACN,WAAW,EAAE,yEAAyE;YACtF,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;YAC9B,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,CAAC,iBAAiB,CAAC;gBAC7B,UAAU,EAAE;oBACV,eAAe,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE;oBACjD,cAAc,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,EAAE;iBACpD;aACF;YACD,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC3B,MAAM,EAAE;4BACN,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE;gCACV,YAAY,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCAChC,gBAAgB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCACpC,2BAA2B,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCAC/C,eAAe,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCACnC,cAAc,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;6BACnC;yBACF;qBACF;iBACF;gBACD,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,KAAK,EAAE;4BACL,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE;gCACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCACxB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;6BAC5B;yBACF;qBACF;iBACF;gBACD,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,KAAK,EAAE;4BACL,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE;gCACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCACxB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;6BAC5B;yBACF;qBACF;iBACF;gBACD,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,KAAK,EAAE;4BACL,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE;gCACV,IAAI,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;gCACxB,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;6BAC5B;yBACF;qBACF;iBACF;aACF;SACF;KACF,EAAE,KAAK,EAAE,OAAsE,EAAE,KAAmB,EAAE,EAAE;QACvG,aAAa;QACb,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,SAAS,EAAc,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,qCAAqC;iBAC/C;aACF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAE1C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,+BAA+B;iBACzC;aACF,CAAC,CAAC;QACL,CAAC;QAED,wBAAwB;QACxB,MAAM,UAAU,GAAG,mBAAmB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC/D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,OAAO,IAAI,sBAAsB;iBACvE;aACF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,eAAe,EAAE,cAAc,EAAE,GAAG,UAAU,CAAC,IAAI,CAAC;QAE5D,8CAA8C;QAC9C,MAAM,cAAc,GAAG,MAAM,kBAAkB,CAC7C,MAAM,EACN,QAAQ,IAAI,SAAS,EACrB,eAAe,EACf,OAAO,CACR,CAAC;QAEF,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;YAC1B,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,WAAW,EAAE,cAAc,CAAC,WAAW,EAAE,EACnD,mDAAmD,CACpD,CAAC;YAEF,2BAA2B;YAC3B,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;YACpD,MAAM,cAAc,CAAC,cAAc,CACjC,KAAK,EACL,KAAK,EACL,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,EAC5B,EAAE,MAAM,EAAE,YAAY,EAAE,EACxB,cAAc,CAAC,WAAW,IAAI,kBAAkB,CACjD,CAAC;YAEF,8DAA8D;YAC9D,MAAM,UAAU,GAAG,cAAc,CAAC,WAAW,KAAK,gBAAgB,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;YAC/E,MAAM,SAAS,GAAG,cAAc,CAAC,WAAW,KAAK,gBAAgB;gBAC/D,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,kBAAkB,CAAC;YACvB,MAAM,YAAY,GAAG,cAAc,CAAC,WAAW,KAAK,gBAAgB;gBAClE,CAAC,CAAC,+DAA+D;gBACjE,CAAC,CAAC,+BAA+B,CAAC;YAEpC,OAAO,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;gBACnC,KAAK,EAAE;oBACL,IAAI,EAAE,SAAS;oBACf,OAAO,EAAE,YAAY;iBACtB;aACF,CAAC,CAAC;QACL,CAAC;QAED,0BAA0B;QAC1B,MAAM,UAAU,GAAqD;YACnE,KAAK;YACL,SAAS;YACT,SAAS;SACV,CAAC;QACF,IAAI,cAAc,EAAE,CAAC;YACnB,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QAED,UAAU,CAAC,IAAI,CACb,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,EAAE,EACpC,sDAAsD,CACvD,CAAC;QAEF,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,mBAAmB,CAC5D,MAAM,EACN,QAAQ,IAAI,SAAS,EACrB;YACE,MAAM,EAAE,mBAAmB;YAC3B,SAAS,EAAE,MAAM;YACjB,UAAU;YACV,QAAQ,EAAE,EAAE,iBAAiB,EAAE,IAAI,EAAE;SACtC,CACF,CAAC;QAEF,iBAAiB;QACjB,MAAM,QAAQ,GAAsB;YAClC,OAAO,EAAE,8BAA8B;YACvC,MAAM,EAAE;gBACN,YAAY,EAAE,MAAM,CAAC,YAAY;gBACjC,gBAAgB,EAAE,MAAM,CAAC,gBAAgB;gBACzC,2BAA2B,EAAE,MAAM,CAAC,2BAA2B;gBAC/D,eAAe,EAAE,MAAM,CAAC,eAAe;gBACvC,cAAc,EAAE,MAAM,CAAC,cAAc;aACtC;SACF,CAAC;QAEF,oBAAoB;QACpB,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,cAAc,CAAC,sBAAsB,CACzC,KAAK,EACL,MAAM,EACN,MAAM,CAAC,YAAY,EACnB,sDAAsD,CACvD,CAAC;QAEF,UAAU,CAAC,IAAI,CACb;YACE,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,QAAQ,CAAC,MAAM;SACxB,EACD,sCAAsC,CACvC,CAAC;QAEF,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,8EAA8E;IAC9E,2DAA2D;IAC3D,8EAA8E;IAC9E,OAAO,CAAC,IAAI,CAET,qBAAqB,EAAE;QACxB,UAAU,EAAE,cAAc,CAAC,MAAM;QACjC,MAAM,EAAE;YACN,WAAW,EAAE,+BAA+B;YAC5C,IAAI,EAAE,CAAC,MAAM,CAAC;YACd,QAAQ,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;YAC9B,IAAI,EAAE;gBACJ,IAAI,EAAE,QAAQ;gBACd,QAAQ,EAAE,CAAC,UAAU,CAAC;gBACtB,UAAU,EAAE;oBACV,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC,EAAE;iBAC3C;aACF;YACD,QAAQ,EAAE;gBACR,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,UAAU,EAAE;wBACV,OAAO,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBAC3B,eAAe,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;wBACnC,oBAAoB,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE;qBACzC;iBACF;aACF;SACF;KACF,EAAE,KAAK,EAAE,OAAuD,EAAE,KAAmB,EAAE,EAAE;QACxF,aAAa;QACb,IAAI,OAAmB,CAAC;QACxB,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,OAAO,CAAC,SAAS,EAAc,CAAC;QAClD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,qCAAqC;iBAC/C;aACF,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAC1C,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC;QAElC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,cAAc;oBACpB,OAAO,EAAE,+BAA+B;iBACzC;aACF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBAC5B,KAAK,EAAE;oBACL,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,uBAAuB;iBACjC;aACF,CAAC,CAAC;QACL,CAAC;QAED,UAAU,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,8BAA8B,CAAC,CAAC;QAEtE,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,cAAc,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE5E,YAAY;QACZ,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACpD,MAAM,cAAc,CAAC,sBAAsB,CACzC,KAAK,EACL,MAAM,EACN,MAAM,CAAC,YAAY,EACnB,kBAAkB,QAAQ,EAAE,CAC7B,CAAC;QAEF,UAAU,CAAC,IAAI,CACb;YACE,MAAM;YACN,QAAQ;YACR,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,oBAAoB,EAAE,MAAM,CAAC,2BAA2B;SACzD,EACD,yBAAyB,CAC1B,CAAC;QAEF,OAAO,KAAK,CAAC,IAAI,CAAC;YAChB,OAAO,EAAE,gCAAgC;YACzC,eAAe,EAAE,MAAM,CAAC,eAAe;YACvC,oBAAoB,EAAE,MAAM,CAAC,2BAA2B;SACzD,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}