@zenstackhq/runtime 0.6.0-pre.2 → 1.0.0-alpha.20

package/enhancements/policy/policy-utils.js

@@ -0,0 +1,575 @@
+"use strict";
+/* eslint-disable @typescript-eslint/no-explicit-any */
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PolicyUtil = void 0;
+const runtime_1 = require("@prisma/client/runtime");
+const sdk_1 = require("@zenstackhq/sdk");
+const change_case_1 = require("change-case");
+const cuid_1 = __importDefault(require("cuid"));
+const deepcopy_1 = __importDefault(require("deepcopy"));
+const util_1 = require("util");
+const zod_validation_error_1 = require("zod-validation-error");
+const version_1 = require("../../version");
+const model_meta_1 = require("../model-meta");
+const nested_write_vistor_1 = require("../nested-write-vistor");
+const utils_1 = require("../utils");
+const logger_1 = require("./logger");
+/**
+ * Access policy enforcement utilities
+ */
+class PolicyUtil {
+    constructor(db, modelMeta, policy, user) {
+        this.db = db;
+        this.modelMeta = modelMeta;
+        this.policy = policy;
+        this.user = user;
+        this.logger = new logger_1.Logger(db);
+    }
+    /**
+     * Creates a conjunction of a list of query conditions.
+     */
+    and(...conditions) {
+        if (conditions.includes(false)) {
+            // always false
+            return { id: { in: [] } };
+        }
+        const filtered = conditions.filter((c) => typeof c === 'object' && !!c && Object.keys(c).length > 0);
+        if (filtered.length === 0) {
+            return undefined;
+        }
+        else if (filtered.length === 1) {
+            return filtered[0];
+        }
+        else {
+            return { AND: filtered };
+        }
+    }
+    /**
+     * Creates a disjunction of a list of query conditions.
+     */
+    or(...conditions) {
+        if (conditions.includes(true)) {
+            // always true
+            return { id: { notIn: [] } };
+        }
+        const filtered = conditions.filter((c) => typeof c === 'object' && !!c);
+        if (filtered.length === 0) {
+            return undefined;
+        }
+        else if (filtered.length === 1) {
+            return filtered[0];
+        }
+        else {
+            return { OR: filtered };
+        }
+    }
+    /**
+     * Gets pregenerated authorization guard object for a given model and operation.
+     *
+     * @returns true if operation is unconditionally allowed, false if unconditionally denied,
+     * otherwise returns a guard object
+     */
+    getAuthGuard(model, operation, preValue) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = this.policy.guard[(0, change_case_1.camelCase)(model)];
+            if (!guard) {
+                throw this.unknownError(`unable to load policy guard for ${model}`);
+            }
+            const provider = guard[operation];
+            if (typeof provider === 'boolean') {
+                return provider;
+            }
+            if (!provider) {
+                throw this.unknownError(`zenstack: unable to load authorization guard for ${model}`);
+            }
+            return provider({ user: this.user, preValue });
+        });
+    }
+    getPreValueSelect(model) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = this.policy.guard[(0, change_case_1.camelCase)(model)];
+            if (!guard) {
+                throw this.unknownError(`unable to load policy guard for ${model}`);
+            }
+            return guard.preValueSelect;
+        });
+    }
+    getModelSchema(model) {
+        return __awaiter(this, void 0, void 0, function* () {
+            return this.policy.schema[(0, change_case_1.camelCase)(model)];
+        });
+    }
+    /**
+     * Injects model auth guard as where clause.
+     */
+    injectAuthGuard(args, model, operation) {
+        return __awaiter(this, void 0, void 0, function* () {
+            const guard = yield this.getAuthGuard(model, operation);
+            args.where = this.and(args.where, guard);
+        });
+    }
+    /**
+     * Read model entities w.r.t the given query args. The result list
+     * are guaranteed to fully satisfy 'read' policy rules recursively.
+     *
+     * For to-many relations involved, items not satisfying policy are
+     * silently trimmed. For to-one relation, if relation data fails policy
+     * an error is thrown.
+     */
+    readWithCheck(model, args) {
+        return __awaiter(this, void 0, void 0, function* () {
+            args = this.clone(args);
+            yield this.injectAuthGuard(args, model, 'read');
+            // recursively inject read guard conditions into the query args
+            yield this.injectNestedReadConditions(model, args);
+            this.logger.info(`Reading with validation for ${model}: ${(0, util_1.format)(args)}`);
+            const result = yield this.db[model].findMany(args);
+            yield Promise.all(result.map((item) => this.postProcessForRead(item, model, args, 'read')));
+            return result;
+        });
+    }
+    injectNestedReadConditions(model, args) {
+        var _a, _b, _c, _d;
+        return __awaiter(this, void 0, void 0, function* () {
+            const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
+            if (!injectTarget) {
+                return;
+            }
+            const idField = this.getIdField(model);
+            for (const field of (0, utils_1.getModelFields)(injectTarget)) {
+                const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
+                if (!fieldInfo || !fieldInfo.isDataModel) {
+                    // only care about relation fields
+                    continue;
+                }
+                if (fieldInfo.isArray) {
+                    if (typeof injectTarget[field] !== 'object') {
+                        injectTarget[field] = {};
+                    }
+                    // inject extra condition for to-many relation
+                    const guard = yield this.getAuthGuard(fieldInfo.type, 'read');
+                    injectTarget[field].where = this.and(injectTarget.where, guard);
+                }
+                else {
+                    // there's no way of injecting condition for to-one relation, so we
+                    // make sure 'id' field is selected and check them against query result
+                    if (((_b = injectTarget[field]) === null || _b === void 0 ? void 0 : _b.select) && ((_d = (_c = injectTarget[field]) === null || _c === void 0 ? void 0 : _c.select) === null || _d === void 0 ? void 0 : _d[idField.name]) !== true) {
+                        injectTarget[field].select[idField.name] = true;
+                    }
+                }
+                // recurse
+                yield this.injectNestedReadConditions(fieldInfo.type, injectTarget[field]);
+            }
+        });
+    }
+    /**
+     * Post processing checks for read model entities. Validates to-one relations
+     * (which can't be trimmed at query time) and removes fields that should be
+     * omitted.
+     */
+    postProcessForRead(entityData, model, args, operation) {
+        var _a, _b;
+        return __awaiter(this, void 0, void 0, function* () {
+            if (!this.getEntityId(model, entityData)) {
+                return;
+            }
+            // strip auxiliary fields
+            for (const auxField of sdk_1.AUXILIARY_FIELDS) {
+                if (auxField in entityData) {
+                    delete entityData[auxField];
+                }
+            }
+            const injectTarget = (_a = args.select) !== null && _a !== void 0 ? _a : args.include;
+            if (!injectTarget) {
+                return;
+            }
+            // to-one relation data cannot be trimmed by injected guards, we have to
+            // post-check them
+            for (const field of (0, utils_1.getModelFields)(injectTarget)) {
+                const fieldInfo = (0, model_meta_1.resolveField)(this.modelMeta, model, field);
+                if (!fieldInfo || !fieldInfo.isDataModel || fieldInfo.isArray) {
+                    continue;
+                }
+                const idField = this.getIdField(fieldInfo.type);
+                const relatedEntityId = (_b = entityData === null || entityData === void 0 ? void 0 : entityData[field]) === null || _b === void 0 ? void 0 : _b[idField.name];
+                if (!relatedEntityId) {
+                    continue;
+                }
+                this.logger.info(`Validating read of to-one relation: ${fieldInfo.type}#${relatedEntityId}`);
+                yield this.checkPolicyForFilter(fieldInfo.type, { [idField.name]: relatedEntityId }, operation, this.db);
+                // recurse
+                yield this.postProcessForRead(entityData[field], fieldInfo.type, injectTarget[field], operation);
+            }
+        });
+    }
+    /**
+     * Process Prisma write actions.
+     */
+    processWrite(model, action, args, writeAction) {
+        return __awaiter(this, void 0, void 0, function* () {
+            // record model types for which new entities are created
+            // so we can post-check if they satisfy 'create' policies
+            const createdModels = new Set();
+            // record model entities that are updated, together with their
+            // values before update, so we can post-check if they satisfy
+            //     model => id => entity value
+            const updatedModels = new Map();
+            const idField = this.getIdField(model);
+            if (args.select && !args.select[idField.name]) {
+                // make sure 'id' field is selected, we need it to
+                // read back the updated entity
+                args.select[idField.name] = true;
+            }
+            // use a transaction to conduct write, so in case any create or nested create
+            // fails access policies, we can roll back the entire operation
+            const transactionId = (0, cuid_1.default)();
+            // args processor for create
+            const processCreate = (model, args) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'create');
+                const schema = yield this.getModelSchema(model);
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'create');
+                }
+                else if (guard !== true || schema) {
+                    // mark the create with a transaction tag so we can check them later
+                    args[sdk_1.TRANSACTION_FIELD_NAME] = `${transactionId}:create`;
+                    createdModels.add(model);
+                }
+            });
+            // build a reversed query for fetching entities affected by nested updates
+            const buildReversedQuery = (context) => __awaiter(this, void 0, void 0, function* () {
+                let result, currQuery;
+                let currField;
+                for (let i = context.nestingPath.length - 1; i >= 0; i--) {
+                    const { field, where } = context.nestingPath[i];
+                    if (!result) {
+                        // first segment (bottom), just use its where clause
+                        result = currQuery = Object.assign({}, where);
+                        currField = field;
+                    }
+                    else {
+                        if (!currField) {
+                            throw this.unknownError(`missing field in nested path`);
+                        }
+                        if (!currField.backLink) {
+                            throw this.unknownError(`field ${currField.type}.${currField.name} doesn't have a backLink`);
+                        }
+                        currQuery[currField.backLink] = Object.assign({}, where);
+                        currQuery = currQuery[currField.backLink];
+                        currField = field;
+                    }
+                }
+                return result;
+            });
+            // args processor for update/upsert
+            const processUpdate = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                const preGuard = yield this.getAuthGuard(model, 'update');
+                if (preGuard === false) {
+                    throw this.deniedByPolicy(model, 'update');
+                }
+                else if (preGuard !== true) {
+                    if (this.isToOneRelation(context.field)) {
+                        // To-one relation field is complicated because there's no way to
+                        // filter it during update (args doesn't carry a 'where' clause).
+                        //
+                        // We need to recursively walk up its hierarcy in the query args
+                        // to construct a reversed query to identify the nested entity
+                        // under update, and then check if it satisfies policy.
+                        //
+                        // E.g.:
+                        // A - B - C
+                        //
+                        // update A with:
+                        // {
+                        //   where: { id: 'aId' },
+                        //   data: {
+                        //     b: {
+                        //       c: { value: 1 }
+                        //     }
+                        //   }
+                        // }
+                        //
+                        // To check if the update to 'c' field is permitted, we
+                        // reverse the query stack into a filter for C model, like:
+                        // {
+                        //   where: {
+                        //     b: { a: { id: 'aId' } }
+                        //   }
+                        // }
+                        // , and with this we can filter out the C entity that's going
+                        // to be nestedly updated, and check if it's allowed.
+                        //
+                        // The same logic applies to nested delete.
+                        const subQuery = yield buildReversedQuery(context);
+                        yield this.checkPolicyForFilter(model, subQuery, 'update', this.db);
+                    }
+                    else {
+                        // non-nested update, check policies directly
+                        if (!args.where) {
+                            throw this.unknownError(`Missing 'where' in update args`);
+                        }
+                        yield this.checkPolicyForFilter(model, args.where, 'update', this.db);
+                    }
+                }
+                yield preparePostUpdateCheck(model, context);
+            });
+            // args processor for updateMany
+            const processUpdateMany = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'update');
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'update');
+                }
+                else if (guard !== true) {
+                    // inject policy filter
+                    yield this.injectAuthGuard(args, model, 'update');
+                }
+                yield preparePostUpdateCheck(model, context);
+            });
+            // for models with post-update rules, we need to read and store
+            // entity values before the update for post-update check
+            const preparePostUpdateCheck = (model, context) => __awaiter(this, void 0, void 0, function* () {
+                const postGuard = yield this.getAuthGuard(model, 'postUpdate');
+                const schema = yield this.getModelSchema(model);
+                // post-update check is needed if there's post-update rule or validation schema
+                if (postGuard !== true || schema) {
+                    let modelEntities = updatedModels.get(model);
+                    if (!modelEntities) {
+                        modelEntities = new Map();
+                        updatedModels.set(model, modelEntities);
+                    }
+                    // fetch preValue selection (analyzed from the post-update rules)
+                    const preValueSelect = yield this.getPreValueSelect(model);
+                    const filter = yield buildReversedQuery(context);
+                    const idField = this.getIdField(model);
+                    const query = { where: filter, select: Object.assign(Object.assign({}, preValueSelect), { [idField.name]: true }) };
+                    this.logger.info(`fetching pre-update entities for ${model}: ${(0, util_1.format)(query)})}`);
+                    const entities = yield this.db[model].findMany(query);
+                    entities.forEach((entity) => modelEntities === null || modelEntities === void 0 ? void 0 : modelEntities.set(this.getEntityId(model, entity), entity));
+                }
+            });
+            // args processor for delete
+            const processDelete = (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                const guard = yield this.getAuthGuard(model, 'delete');
+                if (guard === false) {
+                    throw this.deniedByPolicy(model, 'delete');
+                }
+                else if (guard !== true) {
+                    if (this.isToOneRelation(context.field)) {
+                        // see comments in processUpdate
+                        const subQuery = yield buildReversedQuery(context);
+                        yield this.checkPolicyForFilter(model, subQuery, 'delete', this.db);
+                    }
+                    else {
+                        yield this.checkPolicyForFilter(model, args, 'delete', this.db);
+                    }
+                }
+            });
+            // use a visitor to process args before conducting the write action
+            const visitor = new nested_write_vistor_1.NestedWriteVisitor(this.modelMeta, {
+                create: (model, args) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processCreate(model, oneArgs);
+                    }
+                }),
+                connectOrCreate: (model, args) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        if (oneArgs.create) {
+                            yield processCreate(model, oneArgs.create);
+                        }
+                    }
+                }),
+                update: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processUpdate(model, oneArgs, context);
+                    }
+                }),
+                updateMany: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processUpdateMany(model, oneArgs, context);
+                    }
+                }),
+                upsert: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        if (oneArgs.create) {
+                            yield processCreate(model, oneArgs.create);
+                        }
+                        if (oneArgs.update) {
+                            yield processUpdate(model, { where: oneArgs.where, data: oneArgs.update }, context);
+                        }
+                    }
+                }),
+                delete: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    for (const oneArgs of (0, utils_1.enumerate)(args)) {
+                        yield processDelete(model, oneArgs, context);
+                    }
+                }),
+                deleteMany: (model, args, context) => __awaiter(this, void 0, void 0, function* () {
+                    const guard = yield this.getAuthGuard(model, 'delete');
+                    if (guard === false) {
+                        throw this.deniedByPolicy(model, 'delete');
+                    }
+                    else if (guard !== true) {
+                        if (Array.isArray(args)) {
+                            context.parent.deleteMany = args.map((oneArgs) => this.and(oneArgs, guard));
+                        }
+                        else {
+                            context.parent.deleteMany = this.and(args, guard);
+                        }
+                    }
+                }),
+            });
+            yield visitor.visit(model, action, args);
+            if (createdModels.size === 0 && updatedModels.size === 0) {
+                // no post-check needed, we can proceed with the write without transaction
+                return yield writeAction(this.db[model], args);
+            }
+            else {
+                return yield this.transaction(this.db, (tx) => __awaiter(this, void 0, void 0, function* () {
+                    // proceed with the update (with args processed)
+                    const result = yield writeAction(tx[model], args);
+                    if (createdModels.size > 0) {
+                        // do post-check on created entities
+                        yield Promise.all([...createdModels].map((model) => this.checkPolicyForFilter(model, { [sdk_1.TRANSACTION_FIELD_NAME]: `${transactionId}:create` }, 'create', tx)));
+                    }
+                    if (updatedModels.size > 0) {
+                        // do post-check on updated entities
+                        yield Promise.all([...updatedModels.entries()]
+                            .map(([model, modelEntities]) => [...modelEntities.entries()].map(([id, preValue]) => __awaiter(this, void 0, void 0, function* () { return this.checkPostUpdate(model, id, tx, preValue); })))
+                            .flat());
+                    }
+                    return result;
+                }));
+            }
+        });
+    }
+    transaction(db, action) {
+        if (db.__zenstack_tx) {
+            // already in transaction, don't nest
+            return action(db);
+        }
+        else {
+            return db.$transaction((tx) => action(tx));
+        }
+    }
+    deniedByPolicy(model, operation, extra) {
+        return new runtime_1.PrismaClientKnownRequestError(`denied by policy: ${model} entities failed '${operation}' check${extra ? ', ' + extra : ''}`, { clientVersion: (0, version_1.getVersion)(), code: 'P2004' });
+    }
+    notFound(model) {
+        return new runtime_1.PrismaClientKnownRequestError(`entity not found for model ${model}`, {
+            clientVersion: (0, version_1.getVersion)(),
+            code: 'P2025',
+        });
+    }
+    unknownError(message) {
+        return new runtime_1.PrismaClientUnknownRequestError(message, {
+            clientVersion: (0, version_1.getVersion)(),
+        });
+    }
+    /**
+     * Given a filter, check if applying access policy filtering will result
+     * in data being trimmed, and if so, throw an error.
+     */
+    checkPolicyForFilter(model, filter, operation, db) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.logger.info(`Checking policy for ${model}#${JSON.stringify(filter)} for ${operation}`);
+            const count = (yield db[model].count({ where: filter }));
+            const guard = yield this.getAuthGuard(model, operation);
+            // build a query condition with policy injected
+            const guardedQuery = { where: this.and(filter, guard) };
+            const schema = (operation === 'create' || operation === 'update') && (yield this.getModelSchema(model));
+            if (schema) {
+                // we've got schemas, so have to fetch entities and validate them
+                const entities = yield db[model].findMany(guardedQuery);
+                if (entities.length < count) {
+                    this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
+                    throw this.deniedByPolicy(model, operation, `${count - entities.length} entities failed policy check`);
+                }
+                // TODO: push down schema check to the database
+                const schemaCheckErrors = entities.map((entity) => schema.safeParse(entity)).filter((r) => !r.success);
+                if (schemaCheckErrors.length > 0) {
+                    const error = schemaCheckErrors.map((r) => !r.success && (0, zod_validation_error_1.fromZodError)(r.error).message).join(', ');
+                    this.logger.info(`entity ${model} failed schema check for operation ${operation}: ${error}`);
+                    throw this.deniedByPolicy(model, operation, `entities failed schema check: [${error}]`);
+                }
+            }
+            else {
+                // count entities with policy injected and see if any of them are filtered out
+                const guardedCount = (yield db[model].count(guardedQuery));
+                if (guardedCount < count) {
+                    this.logger.info(`entity ${model} failed policy check for operation ${operation}`);
+                    throw this.deniedByPolicy(model, operation, `${count - guardedCount} entities failed policy check`);
+                }
+            }
+        });
+    }
+    checkPostUpdate(model, id, db, preValue) {
+        return __awaiter(this, void 0, void 0, function* () {
+            this.logger.info(`Checking post-update policy for ${model}#${id}, preValue: ${(0, util_1.format)(preValue)}`);
+            const guard = yield this.getAuthGuard(model, 'postUpdate', preValue);
+            // build a query condition with policy injected
+            const idField = this.getIdField(model);
+            const guardedQuery = { where: this.and({ [idField.name]: id }, guard) };
+            // query with policy injected
+            const entity = yield db[model].findFirst(guardedQuery);
+            // see if we get fewer items with policy, if so, reject with an throw
+            if (!entity) {
+                this.logger.info(`entity ${model} failed policy check for operation postUpdate`);
+                throw this.deniedByPolicy(model, 'postUpdate');
+            }
+            // TODO: push down schema check to the database
+            const schema = yield this.getModelSchema(model);
+            if (schema) {
+                const schemaCheckResult = schema.safeParse(entity);
+                if (!schemaCheckResult.success) {
+                    const error = (0, zod_validation_error_1.fromZodError)(schemaCheckResult.error).message;
+                    this.logger.info(`entity ${model} failed schema check for operation postUpdate: ${error}`);
+                    throw this.deniedByPolicy(model, 'postUpdate', `entity failed schema check: ${error}`);
+                }
+            }
+        });
+    }
+    isToOneRelation(field) {
+        return !!field && field.isDataModel && !field.isArray;
+    }
+    /**
+     * Clones an object and makes sure it's not empty.
+     */
+    clone(value) {
+        return value ? (0, deepcopy_1.default)(value) : {};
+    }
+    /**
+     * Gets "id" field for a given model.
+     */
+    getIdField(model) {
+        const fields = this.modelMeta.fields[(0, change_case_1.camelCase)(model)];
+        if (!fields) {
+            throw this.unknownError(`Unable to load fields for ${model}`);
+        }
+        const result = Object.values(fields).find((f) => f.isId);
+        if (!result) {
+            throw this.unknownError(`model ${model} does not have an id field`);
+        }
+        return result;
+    }
+    /**
+     * Gets id field value from an entity.
+     */
+    getEntityId(model, entityData) {
+        const idField = this.getIdField(model);
+        return entityData[idField.name];
+    }
+}
+exports.PolicyUtil = PolicyUtil;
+//# sourceMappingURL=policy-utils.js.map

package/enhancements/policy/policy-utils.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-utils.js","sourceRoot":"","sources":["../../../src/enhancements/policy/policy-utils.ts"],"names":[],"mappings":";AAAA,uDAAuD;;;;;;;;;;;;;;;AAEvD,oDAAwG;AACxG,yCAA2E;AAC3E,6CAAwC;AACxC,gDAAwB;AACxB,wDAAgC;AAChC,+BAA8B;AAC9B,+DAAoD;AASpD,2CAA2C;AAC3C,8CAA6C;AAC7C,gEAA4E;AAE5E,oCAAqD;AACrD,qCAAkC;AAElC;;GAEG;AACH,MAAa,UAAU;IAGnB,YACqB,EAAoB,EACpB,SAAoB,EACpB,MAAiB,EACjB,IAAe;QAHf,OAAE,GAAF,EAAE,CAAkB;QACpB,cAAS,GAAT,SAAS,CAAW;QACpB,WAAM,GAAN,MAAM,CAAW;QACjB,SAAI,GAAJ,IAAI,CAAW;QAEhC,IAAI,CAAC,MAAM,GAAG,IAAI,eAAM,CAAC,EAAE,CAAC,CAAC;IACjC,CAAC;IAED;;OAEG;IACH,GAAG,CAAC,GAAG,UAAgC;QACnC,IAAI,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE;YAC5B,eAAe;YACf,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,EAAE,CAAC;SAC7B;QAED,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAChF,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;YACvB,OAAO,SAAS,CAAC;SACpB;aAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;YAC9B,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;SACtB;aAAM;YACH,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,CAAC;SAC5B;IACL,CAAC;IAED;;OAEG;IACH,EAAE,CAAC,GAAG,UAAgC;QAClC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;YAC3B,cAAc;YACd,OAAO,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,CAAC;SAChC;QAED,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACrF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;YACvB,OAAO,SAAS,CAAC;SACpB;aAAM,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE;YAC9B,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC;SACtB;aAAM;YACH,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC;SAC3B;IACL,CAAC;IAED;;;;;OAKG;IACG,YAAY,CAAC,KAAa,EAAE,SAA8B,EAAE,QAAc;;YAC5E,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC,CAAC;YAClD,IAAI,CAAC,KAAK,EAAE;gBACR,MAAM,IAAI,CAAC,YAAY,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;aACvE;YAED,MAAM,QAAQ,GAAqC,KAAK,CAAC,SAAS,CAAC,CAAC;YACpE,IAAI,OAAO,QAAQ,KAAK,SAAS,EAAE;gBAC/B,OAAO,QAAQ,CAAC;aACnB;YAED,IAAI,CAAC,QAAQ,EAAE;gBACX,MAAM,IAAI,CAAC,YAAY,CAAC,oDAAoD,KAAK,EAAE,CAAC,CAAC;aACxF;YACD,OAAO,QAAQ,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;QACnD,CAAC;KAAA;IAEa,iBAAiB,CAAC,KAAa;;YACzC,MAAM,KAAK,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC,CAAC;YAClD,IAAI,CAAC,KAAK,EAAE;gBACR,MAAM,IAAI,CAAC,YAAY,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;aACvE;YACD,OAAO,KAAK,CAAC,cAAc,CAAC;QAChC,CAAC;KAAA;IAEa,cAAc,CAAC,KAAa;;YACtC,OAAO,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC,CAAC;QAChD,CAAC;KAAA;IAED;;OAEG;IACG,eAAe,CAAC,IAAS,EAAE,KAAa,EAAE,SAA8B;;YAC1E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YACxD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC7C,CAAC;KAAA;IAED;;;;;;;OAOG;IACG,aAAa,CAAC,KAAa,EAAE,IAAS;;YACxC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACxB,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YAEhD,+DAA+D;YAC/D,MAAM,IAAI,CAAC,0BAA0B,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;YAEnD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,+BAA+B,KAAK,KAAK,IAAA,aAAM,EAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAC1E,MAAM,MAAM,GAAU,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YAE1D,MAAM,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;YAE5F,OAAO,MAAM,CAAC;QAClB,CAAC;KAAA;IAEa,0BAA0B,CAAC,KAAa,EAAE,IAAS;;;YAC7D,MAAM,YAAY,GAAG,MAAA,IAAI,CAAC,MAAM,mCAAI,IAAI,CAAC,OAAO,CAAC;YACjD,IAAI,CAAC,YAAY,EAAE;gBACf,OAAO;aACV;YAED,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACvC,KAAK,MAAM,KAAK,IAAI,IAAA,sBAAc,EAAC,YAAY,CAAC,EAAE;gBAC9C,MAAM,SAAS,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;gBAC7D,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;oBACtC,kCAAkC;oBAClC,SAAS;iBACZ;gBAED,IAAI,SAAS,CAAC,OAAO,EAAE;oBACnB,IAAI,OAAO,YAAY,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE;wBACzC,YAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;qBAC5B;oBACD,8CAA8C;oBAC9C,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;oBAC9D,YAAY,CAAC,KAAK,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;iBACnE;qBAAM;oBACH,mEAAmE;oBACnE,uEAAuE;oBACvE,IAAI,CAAA,MAAA,YAAY,CAAC,KAAK,CAAC,0CAAE,MAAM,KAAI,CAAA,MAAA,MAAA,YAAY,CAAC,KAAK,CAAC,0CAAE,MAAM,0CAAG,OAAO,CAAC,IAAI,CAAC,MAAK,IAAI,EAAE;wBACrF,YAAY,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;qBACnD;iBACJ;gBAED,UAAU;gBACV,MAAM,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;aAC9E;;KACJ;IAED;;;;OAIG;IACG,kBAAkB,CAAC,UAAe,EAAE,KAAa,EAAE,IAAS,EAAE,SAA8B;;;YAC9F,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,EAAE;gBACtC,OAAO;aACV;YAED,yBAAyB;YACzB,KAAK,MAAM,QAAQ,IAAI,sBAAgB,EAAE;gBACrC,IAAI,QAAQ,IAAI,UAAU,EAAE;oBACxB,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC;iBAC/B;aACJ;YAED,MAAM,YAAY,GAAG,MAAA,IAAI,CAAC,MAAM,mCAAI,IAAI,CAAC,OAAO,CAAC;YACjD,IAAI,CAAC,YAAY,EAAE;gBACf,OAAO;aACV;YAED,wEAAwE;YACxE,kBAAkB;YAElB,KAAK,MAAM,KAAK,IAAI,IAAA,sBAAc,EAAC,YAAY,CAAC,EAAE;gBAC9C,MAAM,SAAS,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,SAAS,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC;gBAC7D,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,WAAW,IAAI,SAAS,CAAC,OAAO,EAAE;oBAC3D,SAAS;iBACZ;gBAED,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBAChD,MAAM,eAAe,GAAG,MAAA,UAAU,aAAV,UAAU,uBAAV,UAAU,CAAG,KAAK,CAAC,0CAAG,OAAO,CAAC,IAAI,CAAC,CAAC;gBAE5D,IAAI,CAAC,eAAe,EAAE;oBAClB,SAAS;iBACZ;gBAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uCAAuC,SAAS,CAAC,IAAI,IAAI,eAAe,EAAE,CAAC,CAAC;gBAE7F,MAAM,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;gBAEzG,UAAU;gBACV,MAAM,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC,IAAI,EAAE,YAAY,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC,CAAC;aACpG;;KACJ;IAED;;OAEG;IACG,YAAY,CACd,KAAa,EACb,MAA6B,EAC7B,IAAS,EACT,WAAsE;;YAEtE,wDAAwD;YACxD,yDAAyD;YACzD,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;YAExC,8DAA8D;YAC9D,6DAA6D;YAC7D,kCAAkC;YAClC,MAAM,aAAa,GAAG,IAAI,GAAG,EAA4B,CAAC;YAE1D,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACvC,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;gBAC3C,kDAAkD;gBAClD,+BAA+B;gBAC/B,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;aACpC;YAED,6EAA6E;YAC7E,+DAA+D;YAC/D,MAAM,aAAa,GAAG,IAAA,cAAI,GAAE,CAAC;YAE7B,4BAA4B;YAC5B,MAAM,aAAa,GAAG,CAAO,KAAa,EAAE,IAAS,EAAE,EAAE;gBACrD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACvD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAChD,IAAI,KAAK,KAAK,KAAK,EAAE;oBACjB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;iBAC9C;qBAAM,IAAI,KAAK,KAAK,IAAI,IAAI,MAAM,EAAE;oBACjC,oEAAoE;oBACpE,IAAI,CAAC,4BAAsB,CAAC,GAAG,GAAG,aAAa,SAAS,CAAC;oBACzD,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;iBAC5B;YACL,CAAC,CAAA,CAAC;YAEF,0EAA0E;YAC1E,MAAM,kBAAkB,GAAG,CAAO,OAAuB,EAAE,EAAE;gBACzD,IAAI,MAAM,EAAE,SAAc,CAAC;gBAC3B,IAAI,SAAgC,CAAC;gBAErC,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE;oBACtD,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;oBAEhD,IAAI,CAAC,MAAM,EAAE;wBACT,oDAAoD;wBACpD,MAAM,GAAG,SAAS,qBAAQ,KAAK,CAAE,CAAC;wBAClC,SAAS,GAAG,KAAK,CAAC;qBACrB;yBAAM;wBACH,IAAI,CAAC,SAAS,EAAE;4BACZ,MAAM,IAAI,CAAC,YAAY,CAAC,8BAA8B,CAAC,CAAC;yBAC3D;wBACD,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE;4BACrB,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC,IAAI,0BAA0B,CAAC,CAAC;yBAChG;wBACD,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,qBAAQ,KAAK,CAAE,CAAC;wBAC7C,SAAS,GAAG,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;wBAC1C,SAAS,GAAG,KAAK,CAAC;qBACrB;iBACJ;gBACD,OAAO,MAAM,CAAC;YAClB,CAAC,CAAA,CAAC;YAEF,mCAAmC;YACnC,MAAM,aAAa,GAAG,CAAO,KAAa,EAAE,IAAS,EAAE,OAAuB,EAAE,EAAE;gBAC9E,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBAC1D,IAAI,QAAQ,KAAK,KAAK,EAAE;oBACpB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;iBAC9C;qBAAM,IAAI,QAAQ,KAAK,IAAI,EAAE;oBAC1B,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;wBACrC,iEAAiE;wBACjE,iEAAiE;wBACjE,EAAE;wBACF,gEAAgE;wBAChE,8DAA8D;wBAC9D,uDAAuD;wBACvD,EAAE;wBACF,QAAQ;wBACR,YAAY;wBACZ,EAAE;wBACF,iBAAiB;wBACjB,IAAI;wBACJ,0BAA0B;wBAC1B,YAAY;wBACZ,WAAW;wBACX,wBAAwB;wBACxB,QAAQ;wBACR,MAAM;wBACN,IAAI;wBACJ,EAAE;wBACF,uDAAuD;wBACvD,2DAA2D;wBAC3D,IAAI;wBACJ,aAAa;wBACb,8BAA8B;wBAC9B,MAAM;wBACN,IAAI;wBACJ,8DAA8D;wBAC9D,qDAAqD;wBACrD,EAAE;wBACF,2CAA2C;wBAE3C,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;wBACnD,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;qBACvE;yBAAM;wBACH,6CAA6C;wBAC7C,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE;4BACb,MAAM,IAAI,CAAC,YAAY,CAAC,gCAAgC,CAAC,CAAC;yBAC7D;wBACD,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;qBACzE;iBACJ;gBAED,MAAM,sBAAsB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC,CAAA,CAAC;YAEF,gCAAgC;YAChC,MAAM,iBAAiB,GAAG,CAAO,KAAa,EAAE,IAAS,EAAE,OAAuB,EAAE,EAAE;gBAClF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACvD,IAAI,KAAK,KAAK,KAAK,EAAE;oBACjB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;iBAC9C;qBAAM,IAAI,KAAK,KAAK,IAAI,EAAE;oBACvB,uBAAuB;oBACvB,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;iBACrD;gBAED,MAAM,sBAAsB,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;YACjD,CAAC,CAAA,CAAC;YAEF,+DAA+D;YAC/D,wDAAwD;YACxD,MAAM,sBAAsB,GAAG,CAAO,KAAa,EAAE,OAAuB,EAAE,EAAE;gBAC5E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;gBAC/D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;gBAEhD,+EAA+E;gBAC/E,IAAI,SAAS,KAAK,IAAI,IAAI,MAAM,EAAE;oBAC9B,IAAI,aAAa,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;oBAC7C,IAAI,CAAC,aAAa,EAAE;wBAChB,aAAa,GAAG,IAAI,GAAG,EAAe,CAAC;wBACvC,aAAa,CAAC,GAAG,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC;qBAC3C;oBAED,iEAAiE;oBACjE,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;oBAC3D,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;oBACjD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;oBACvC,MAAM,KAAK,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,kCAAO,cAAc,KAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,GAAE,EAAE,CAAC;oBACrF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,KAAK,KAAK,IAAA,aAAM,EAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oBAClF,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;oBACtD,QAAQ,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,aAAa,aAAb,aAAa,uBAAb,aAAa,CAAE,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;iBAC7F;YACL,CAAC,CAAA,CAAC;YAEF,4BAA4B;YAC5B,MAAM,aAAa,GAAG,CAAO,KAAa,EAAE,IAAS,EAAE,OAAuB,EAAE,EAAE;gBAC9E,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;gBACvD,IAAI,KAAK,KAAK,KAAK,EAAE;oBACjB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;iBAC9C;qBAAM,IAAI,KAAK,KAAK,IAAI,EAAE;oBACvB,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE;wBACrC,gCAAgC;wBAChC,MAAM,QAAQ,GAAG,MAAM,kBAAkB,CAAC,OAAO,CAAC,CAAC;wBACnD,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;qBACvE;yBAAM;wBACH,MAAM,IAAI,CAAC,oBAAoB,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;qBACnE;iBACJ;YACL,CAAC,CAAA,CAAC;YAEF,mEAAmE;YACnE,MAAM,OAAO,GAAG,IAAI,wCAAkB,CAAC,IAAI,CAAC,SAAS,EAAE;gBACnD,MAAM,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,EAAE;oBAC1B,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;qBACvC;gBACL,CAAC,CAAA;gBAED,eAAe,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,EAAE;oBACnC,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,IAAI,OAAO,CAAC,MAAM,EAAE;4BAChB,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;yBAC9C;qBACJ;gBACL,CAAC,CAAA;gBAED,MAAM,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;oBACnC,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;qBAChD;gBACL,CAAC,CAAA;gBAED,UAAU,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;oBACvC,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,MAAM,iBAAiB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;qBACpD;gBACL,CAAC,CAAA;gBAED,MAAM,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;oBACnC,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,IAAI,OAAO,CAAC,MAAM,EAAE;4BAChB,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;yBAC9C;wBAED,IAAI,OAAO,CAAC,MAAM,EAAE;4BAChB,MAAM,aAAa,CAAC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;yBACvF;qBACJ;gBACL,CAAC,CAAA;gBAED,MAAM,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;oBACnC,KAAK,MAAM,OAAO,IAAI,IAAA,iBAAS,EAAC,IAAI,CAAC,EAAE;wBACnC,MAAM,aAAa,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;qBAChD;gBACL,CAAC,CAAA;gBAED,UAAU,EAAE,CAAO,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE;oBACvC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;oBACvD,IAAI,KAAK,KAAK,KAAK,EAAE;wBACjB,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;qBAC9C;yBAAM,IAAI,KAAK,KAAK,IAAI,EAAE;wBACvB,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE;4BACrB,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC;yBAC/E;6BAAM;4BACH,OAAO,CAAC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;yBACrD;qBACJ;gBACL,CAAC,CAAA;aACJ,CAAC,CAAC;YAEH,MAAM,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;YAEzC,IAAI,aAAa,CAAC,IAAI,KAAK,CAAC,IAAI,aAAa,CAAC,IAAI,KAAK,CAAC,EAAE;gBACtD,0EAA0E;gBAC1E,OAAO,MAAM,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;aAClD;iBAAM;gBACH,OAAO,MAAM,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,CAAO,EAAE,EAAE,EAAE;oBAChD,gDAAgD;oBAChD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,IAAI,CAAC,CAAC;oBAElD,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE;wBACxB,oCAAoC;wBACpC,MAAM,OAAO,CAAC,GAAG,CACb,CAAC,GAAG,aAAa,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAC7B,IAAI,CAAC,oBAAoB,CACrB,KAAK,EACL,EAAE,CAAC,4BAAsB,CAAC,EAAE,GAAG,aAAa,SAAS,EAAE,EACvD,QAAQ,EACR,EAAE,CACL,CACJ,CACJ,CAAC;qBACL;oBAED,IAAI,aAAa,CAAC,IAAI,GAAG,CAAC,EAAE;wBACxB,oCAAoC;wBACpC,MAAM,OAAO,CAAC,GAAG,CACb,CAAC,GAAG,aAAa,CAAC,OAAO,EAAE,CAAC;6BACvB,GAAG,CAAC,CAAC,CAAC,KAAK,EAAE,aAAa,CAAC,EAAE,EAAE,CAC5B,CAAC,GAAG,aAAa,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,EAAE,gDACtD,OAAA,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAA,GAAA,CAChD,CACJ;6BACA,IAAI,EAAE,CACd,CAAC;qBACL;oBAED,OAAO,MAAM,CAAC;gBAClB,CAAC,CAAA,CAAC,CAAC;aACN;QACL,CAAC;KAAA;IAEO,WAAW,CAAC,EAAoB,EAAE,MAA0D;QAChG,IAAI,EAAE,CAAC,aAAa,EAAE;YAClB,qCAAqC;YACrC,OAAO,MAAM,CAAC,EAAE,CAAC,CAAC;SACrB;aAAM;YACH,OAAO,EAAE,CAAC,YAAY,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC;SAC9C;IACL,CAAC;IAED,cAAc,CAAC,KAAa,EAAE,SAA8B,EAAE,KAAc;QACxE,OAAO,IAAI,uCAA6B,CACpC,qBAAqB,KAAK,qBAAqB,SAAS,UAAU,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,EAC7F,EAAE,aAAa,EAAE,IAAA,oBAAU,GAAE,EAAE,IAAI,EAAE,OAAO,EAAE,CACjD,CAAC;IACN,CAAC;IAED,QAAQ,CAAC,KAAa;QAClB,OAAO,IAAI,uCAA6B,CAAC,8BAA8B,KAAK,EAAE,EAAE;YAC5E,aAAa,EAAE,IAAA,oBAAU,GAAE;YAC3B,IAAI,EAAE,OAAO;SAChB,CAAC,CAAC;IACP,CAAC;IAED,YAAY,CAAC,OAAe;QACxB,OAAO,IAAI,yCAA+B,CAAC,OAAO,EAAE;YAChD,aAAa,EAAE,IAAA,oBAAU,GAAE;SAC9B,CAAC,CAAC;IACP,CAAC;IAED;;;OAGG;IACG,oBAAoB,CACtB,KAAa,EACb,MAAW,EACX,SAA8B,EAC9B,EAAgC;;YAEhC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,uBAAuB,KAAK,IAAI,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,SAAS,EAAE,CAAC,CAAC;YAE5F,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAW,CAAC;YACnE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,SAAS,CAAC,CAAC;YAExD,+CAA+C;YAC/C,MAAM,YAAY,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,CAAC;YAExD,MAAM,MAAM,GAAG,CAAC,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,QAAQ,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC;YAExG,IAAI,MAAM,EAAE;gBACR,iEAAiE;gBACjE,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC;gBACxD,IAAI,QAAQ,CAAC,MAAM,GAAG,KAAK,EAAE;oBACzB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,sCAAsC,SAAS,EAAE,CAAC,CAAC;oBACnF,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,KAAK,GAAG,QAAQ,CAAC,MAAM,+BAA+B,CAAC,CAAC;iBAC1G;gBAED,+CAA+C;gBAC/C,MAAM,iBAAiB,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;gBACvG,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE;oBAC9B,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,IAAA,mCAAY,EAAC,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACnG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,sCAAsC,SAAS,KAAK,KAAK,EAAE,CAAC,CAAC;oBAC7F,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,kCAAkC,KAAK,GAAG,CAAC,CAAC;iBAC3F;aACJ;iBAAM;gBACH,8EAA8E;gBAC9E,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,YAAY,CAAC,CAAW,CAAC;gBACrE,IAAI,YAAY,GAAG,KAAK,EAAE;oBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,sCAAsC,SAAS,EAAE,CAAC,CAAC;oBACnF,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,GAAG,KAAK,GAAG,YAAY,+BAA+B,CAAC,CAAC;iBACvG;aACJ;QACL,CAAC;KAAA;IAEa,eAAe,CAAC,KAAa,EAAE,EAAO,EAAE,EAAgC,EAAE,QAAa;;YACjG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,KAAK,IAAI,EAAE,eAAe,IAAA,aAAM,EAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;YAElG,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,YAAY,EAAE,QAAQ,CAAC,CAAC;YAErE,+CAA+C;YAC/C,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;YACvC,MAAM,YAAY,GAAG,EAAE,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,CAAC;YAExE,6BAA6B;YAC7B,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YAEvD,qEAAqE;YACrE,IAAI,CAAC,MAAM,EAAE;gBACT,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,+CAA+C,CAAC,CAAC;gBACjF,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;aAClD;YAED,+CAA+C;YAC/C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAChD,IAAI,MAAM,EAAE;gBACR,MAAM,iBAAiB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;gBACnD,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE;oBAC5B,MAAM,KAAK,GAAG,IAAA,mCAAY,EAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC;oBAC5D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,KAAK,kDAAkD,KAAK,EAAE,CAAC,CAAC;oBAC3F,MAAM,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,YAAY,EAAE,+BAA+B,KAAK,EAAE,CAAC,CAAC;iBAC1F;aACJ;QACL,CAAC;KAAA;IAEO,eAAe,CAAC,KAA4B;QAChD,OAAO,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,WAAW,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;IAC1D,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,KAAc;QAChB,OAAO,KAAK,CAAC,CAAC,CAAC,IAAA,kBAAQ,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACxC,CAAC;IAED;;OAEG;IACH,UAAU,CAAC,KAAa;QACpB,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAA,uBAAS,EAAC,KAAK,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,MAAM,EAAE;YACT,MAAM,IAAI,CAAC,YAAY,CAAC,6BAA6B,KAAK,EAAE,CAAC,CAAC;SACjE;QACD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,MAAM,EAAE;YACT,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,KAAK,4BAA4B,CAAC,CAAC;SACvE;QACD,OAAO,MAAM,CAAC;IAClB,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,KAAa,EAAE,UAAe;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACpC,CAAC;CACJ;AAtmBD,gCAsmBC"}

package/enhancements/preset.d.ts

@@ -0,0 +1,16 @@
+import { WithPolicyContext } from './policy';
+import { ModelMeta, PolicyDef } from './types';
+/**
+ * Gets a Prisma client enhanced with all essential behaviors, including access
+ * policy, field validation, field omission and password hashing.
+ *
+ * It's a shortcut for calling withOmit(withPassword(withPolicy(prisma, options))).
+ *
+ * @param prisma The Prisma client to enhance.
+ * @param context The context to for evaluating access policies.
+ * @param policy The access policy data, generated by @zenstack/access-policy plugin.
+ * You only need to pass it if you configured the plugin to generate into custom location.
+ * @param modelMeta The model metadata, generated by @zenstack/model-meta plugin.
+ * You only need to pass it if you configured the plugin to generate into custom location.
+ */
+export declare function withPresets<DbClient extends object>(prisma: DbClient, context?: WithPolicyContext, policy?: PolicyDef, modelMeta?: ModelMeta): DbClient;

package/enhancements/preset.js

@@ -0,0 +1,24 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.withPresets = void 0;
+const omit_1 = require("./omit");
+const password_1 = require("./password");
+const policy_1 = require("./policy");
+/**
+ * Gets a Prisma client enhanced with all essential behaviors, including access
+ * policy, field validation, field omission and password hashing.
+ *
+ * It's a shortcut for calling withOmit(withPassword(withPolicy(prisma, options))).
+ *
+ * @param prisma The Prisma client to enhance.
+ * @param context The context to for evaluating access policies.
+ * @param policy The access policy data, generated by @zenstack/access-policy plugin.
+ * You only need to pass it if you configured the plugin to generate into custom location.
+ * @param modelMeta The model metadata, generated by @zenstack/model-meta plugin.
+ * You only need to pass it if you configured the plugin to generate into custom location.
+ */
+function withPresets(prisma, context, policy, modelMeta) {
+    return (0, policy_1.withPolicy)((0, omit_1.withOmit)((0, password_1.withPassword)(prisma, modelMeta), modelMeta), context, policy, modelMeta);
+}
+exports.withPresets = withPresets;
+//# sourceMappingURL=preset.js.map

package/enhancements/preset.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"preset.js","sourceRoot":"","sources":["../../src/enhancements/preset.ts"],"names":[],"mappings":";;;AAAA,iCAAkC;AAClC,yCAA0C;AAC1C,qCAAyD;AAGzD;;;;;;;;;;;;GAYG;AACH,SAAgB,WAAW,CACvB,MAAgB,EAChB,OAA2B,EAC3B,MAAkB,EAClB,SAAqB;IAErB,OAAO,IAAA,mBAAU,EAAC,IAAA,eAAQ,EAAC,IAAA,uBAAY,EAAC,MAAM,EAAE,SAAS,CAAC,EAAE,SAAS,CAAC,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;AACxG,CAAC;AAPD,kCAOC"}