alepha 0.12.1 → 0.13.1

package/dist/api-files/index.cjs.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.cjs","names":["Alepha","DateTimeProvider","directives: string[]","params: string[]","AlephaCache","t","Alepha","webRequest: Request | undefined","WebStream","HttpError","formData: FormData","body: Record<string, any>","tempFiles: HybridFile[]","os","AlephaServer","t","pageQuerySchema","t","pg","t","Alepha","DateTimeProvider","$bucket","NotFoundError","expirationDate: string | undefined","updateData: Partial<FileEntity>","FileNotFoundError","pg","t","okSchema","Alepha","ServerRouterProvider","HttpError","Descriptor","KIND","SecurityProvider","JwtProvider","Alepha","$action","userAccountInfoSchema","ForbiddenError","user: UserAccountToken | undefined","UnauthorizedError","ownership: boolean | string | undefined","$realm","$role","$permission","AlephaServer","AlephaSecurity","t","files","AlephaBucket"],"sources":["../../src/server-cache/providers/ServerCacheProvider.ts","../../src/server-cache/index.ts","../../src/server-multipart/providers/ServerMultipartProvider.ts","../../src/server-multipart/index.ts","../../src/api-files/schemas/fileQuerySchema.ts","../../src/api-files/entities/files.ts","../../src/api-files/schemas/fileResourceSchema.ts","../../src/api-files/services/FileService.ts","../../src/api-files/controllers/FileController.ts","../../src/server-security/providers/ServerBasicAuthProvider.ts","../../src/server-security/descriptors/$basicAuth.ts","../../src/server-security/providers/ServerSecurityProvider.ts","../../src/server-security/index.ts","../../src/api-files/schemas/storageStatsSchema.ts","../../src/api-files/controllers/StorageStatsController.ts","../../src/api-files/jobs/FileJobs.ts","../../src/api-files/index.ts"],"sourcesContent":["import type { BinaryLike } from \"node:crypto\";\nimport { createHash } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $cache, type CacheDescriptorOptions } from \"alepha/cache\";\nimport { DateTimeProvider, type DurationLike } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  ActionDescriptor,\n  type RequestConfigSchema,\n  type ServerRequest,\n  type ServerRoute,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha/server\" {\n  interface ServerRoute {\n    /**\n     * Enable caching for this route.\n     * - If true: enables both store and etag\n     * - If object: fine-grained control over store, etag, and cache-control headers\n     *\n     * @default false\n     */\n    cache?: ServerRouteCache;\n  }\n\n  interface ActionDescriptor<TConfig extends RequestConfigSchema> {\n    invalidate: () => Promise<void>;\n  }\n}\n\nActionDescriptor.prototype.invalidate = async function (\n  this: ActionDescriptor<RequestConfigSchema>,\n) {\n  await this.alepha.inject(ServerCacheProvider).invalidate(this.route);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerCacheProvider {\n  protected readonly log = $logger();\n  protected readonly alepha = $inject(Alepha);\n  protected readonly time = $inject(DateTimeProvider);\n  protected readonly cache = $cache<RouteCacheEntry>({\n    provider: \"memory\",\n  });\n\n  public generateETag(content: BinaryLike): string {\n    return `\"${createHash(\"md5\").update(content).digest(\"hex\")}\"`;\n  }\n\n  public async invalidate(route: ServerRoute) {\n    const cache = route.cache;\n    if (!cache) {\n      return;\n    }\n\n    await this.cache.invalidate(this.createCacheKey(route));\n  }\n\n  protected readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request }) => {\n      const cache = action.route.cache;\n\n      const shouldStore = this.shouldStore(cache);\n\n      // Only check cache if storing is enabled\n      if (shouldStore) {\n        const key = this.createCacheKey(action.route, request);\n        const cached = await this.cache.get(key);\n\n        if (cached) {\n          const body =\n            cached.contentType === \"application/json\"\n              ? JSON.parse(cached.body)\n              : cached.body;\n\n          this.log.trace(\"Cache hit for action\", {\n            key,\n            action: action.name,\n          });\n\n          request.reply.body = body; // just re-use, full trust\n        } else {\n          this.log.trace(\"Cache miss for action\", {\n            key,\n            action: action.name,\n          });\n        }\n      }\n    },\n  });\n\n  protected readonly onActionResponse = $hook({\n    on: \"action:onResponse\",\n    handler: async ({ action, request, response }) => {\n      const cache = action.route.cache;\n\n      const shouldStore = this.shouldStore(cache);\n\n      if (!shouldStore || !response) {\n        return;\n      }\n\n      // Don't cache error responses (status >= 400)\n      if (request.reply.status && request.reply.status >= 400) {\n        return;\n      }\n\n      // TODO: serialize the response body, exactly like in the server response hook\n      // this is bad\n      const contentType =\n        typeof response === \"string\" ? \"text/plain\" : \"application/json\";\n      const body =\n        contentType === \"text/plain\" ? response : JSON.stringify(response);\n\n      const generatedEtag = this.generateETag(body);\n      const lastModified = this.time.toISOString();\n\n      // Store response for cached actions\n      const key = this.createCacheKey(action.route, request);\n\n      this.log.trace(\"Storing response\", {\n        key,\n        action: action.name,\n      });\n\n      await this.cache.set(key, {\n        body: body,\n        lastModified,\n        contentType: contentType,\n        hash: generatedEtag,\n      });\n\n      // Set Cache-Control header if configured (for HTTP responses)\n      const cacheControl = this.buildCacheControlHeader(cache);\n      if (cacheControl) {\n        request.reply.setHeader(\"cache-control\", cacheControl);\n      }\n    },\n  });\n\n  protected readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    handler: async ({ route, request }) => {\n      const cache = route.cache;\n\n      const shouldStore = this.shouldStore(cache);\n      const shouldUseEtag = this.shouldUseEtag(cache);\n\n      // Check for cached response or ETag\n      if (!shouldStore && !shouldUseEtag) {\n        return;\n      }\n\n      const key = this.createCacheKey(route, request);\n      const cached = await this.cache.get(key);\n\n      if (cached) {\n        // Check if client has matching ETag - return 304 for both cached and etag-only routes\n        if (\n          request.headers[\"if-none-match\"] === cached.hash ||\n          request.headers[\"if-modified-since\"] === cached.lastModified\n        ) {\n          request.reply.status = 304;\n          request.reply.setHeader(\"etag\", cached.hash);\n          request.reply.setHeader(\"last-modified\", cached.lastModified);\n          this.log.trace(\"ETag match, returning 304\", {\n            route: route.path,\n            etag: cached.hash,\n          });\n          return;\n        }\n\n        // Only serve cached content if storing is enabled (not for etag-only routes)\n        if (shouldStore) {\n          this.log.trace(\"Cache hit for route\", {\n            key,\n            route: route.path,\n          });\n\n          // if the cache is found, we can skip the request processing\n          // and return the cached response\n          request.reply.body = cached.body;\n          request.reply.status = cached.status ?? 200;\n\n          if (cached.contentType) {\n            request.reply.setHeader(\"Content-Type\", cached.contentType);\n          }\n\n          request.reply.setHeader(\"etag\", cached.hash);\n          request.reply.setHeader(\"last-modified\", cached.lastModified);\n        }\n      } else if (shouldStore) {\n        this.log.trace(\"Cache miss for route\", {\n          key,\n          route: route.path,\n        });\n      }\n    },\n  });\n\n  protected readonly onSend = $hook({\n    on: \"server:onSend\",\n    handler: async ({ route, request }) => {\n      // before sending the response, check if the ETag matches\n      // and if so, return a 304 Not Modified response\n      // -> this is only relevant for etag-only routes, not cached routes <-\n      const cache = route.cache;\n\n      const shouldStore = this.shouldStore(cache);\n      const shouldUseEtag = this.shouldUseEtag(cache);\n\n      if (request.reply.headers.etag) {\n        // ETag already set, skip\n        return;\n      }\n\n      if (\n        !shouldStore &&\n        shouldUseEtag &&\n        request.reply.body != null &&\n        (typeof request.reply.body === \"string\" ||\n          Buffer.isBuffer(request.reply.body))\n      ) {\n        const generatedEtag = this.generateETag(request.reply.body);\n\n        if (request.headers[\"if-none-match\"] === generatedEtag) {\n          request.reply.status = 304;\n          request.reply.body = undefined;\n          request.reply.setHeader(\"etag\", generatedEtag);\n          this.log.trace(\"ETag match on send, returning 304\", {\n            route: route.path,\n            etag: generatedEtag,\n          });\n          return;\n        }\n      }\n    },\n  });\n\n  protected readonly onResponse = $hook({\n    on: \"server:onResponse\",\n    priority: \"first\",\n    handler: async ({ route, request, response }) => {\n      const cache = route.cache;\n\n      // Set Cache-Control header if configured\n      const cacheControl = this.buildCacheControlHeader(cache);\n      if (cacheControl) {\n        response.headers[\"cache-control\"] = cacheControl;\n      }\n\n      const shouldStore = this.shouldStore(cache);\n      const shouldUseEtag = this.shouldUseEtag(cache);\n\n      // Skip if neither cache nor etag is enabled\n      if (!shouldStore && !shouldUseEtag) {\n        return;\n      }\n\n      // Only process string responses (text, html, json, etc.)\n      // Buffer is not supported by alepha/cache for now\n      if (typeof response.body !== \"string\") {\n        return;\n      }\n\n      // Don't cache error responses (status >= 400)\n      if (response.status && response.status >= 400) {\n        return;\n      }\n\n      const key = this.createCacheKey(route, request);\n      const generatedEtag = this.generateETag(response.body);\n      const lastModified = this.time.toISOString();\n\n      // Initialize headers if not present\n      response.headers ??= {};\n\n      // Store response if storing is enabled\n      if (shouldStore) {\n        this.log.trace(\"Storing response\", {\n          key,\n          route: route.path,\n          cache: !!cache,\n          etag: shouldUseEtag,\n        });\n\n        await this.cache.set(key, {\n          body: response.body,\n          status: response.status,\n          contentType: response.headers?.[\"content-type\"],\n          lastModified,\n          hash: generatedEtag,\n        });\n      }\n\n      // Set ETag headers if etag is enabled\n      if (shouldUseEtag) {\n        response.headers.etag = generatedEtag;\n        response.headers[\"last-modified\"] = lastModified;\n      }\n    },\n  });\n\n  public buildCacheControlHeader(cache?: ServerRouteCache): string | undefined {\n    if (!cache) {\n      return undefined;\n    }\n\n    // If cache is true or a DurationLike, no Cache-Control header is set\n    if (\n      cache === true ||\n      typeof cache === \"string\" ||\n      typeof cache === \"number\"\n    ) {\n      return undefined;\n    }\n\n    const control = cache.control;\n    if (!control) {\n      return undefined;\n    }\n\n    // If control is a string, return it directly\n    if (typeof control === \"string\") {\n      return control;\n    }\n\n    // If control is true, return default Cache-Control\n    if (control === true) {\n      return \"public, max-age=300\";\n    }\n\n    // Build Cache-Control from object directives\n    const directives: string[] = [];\n\n    if (control.public) {\n      directives.push(\"public\");\n    }\n    if (control.private) {\n      directives.push(\"private\");\n    }\n    if (control.noCache) {\n      directives.push(\"no-cache\");\n    }\n    if (control.noStore) {\n      directives.push(\"no-store\");\n    }\n    if (control.maxAge !== undefined) {\n      const maxAgeSeconds = this.durationToSeconds(control.maxAge);\n      directives.push(`max-age=${maxAgeSeconds}`);\n    }\n    if (control.sMaxAge !== undefined) {\n      const sMaxAgeSeconds = this.durationToSeconds(control.sMaxAge);\n      directives.push(`s-maxage=${sMaxAgeSeconds}`);\n    }\n    if (control.mustRevalidate) {\n      directives.push(\"must-revalidate\");\n    }\n    if (control.proxyRevalidate) {\n      directives.push(\"proxy-revalidate\");\n    }\n    if (control.immutable) {\n      directives.push(\"immutable\");\n    }\n\n    return directives.length > 0 ? directives.join(\", \") : undefined;\n  }\n\n  protected durationToSeconds(duration: number | DurationLike): number {\n    if (typeof duration === \"number\") {\n      return duration;\n    }\n\n    return this.time.duration(duration).asSeconds();\n  }\n\n  protected shouldStore(cache?: ServerRouteCache): boolean {\n    if (!cache) return false;\n    if (cache === true) return true;\n    if (typeof cache === \"object\" && cache.store) return true;\n    return false;\n  }\n\n  protected shouldUseEtag(cache?: ServerRouteCache): boolean {\n    // cache: true enables etag\n    if (cache === true) return true;\n    // Check object form\n    if (typeof cache === \"object\" && cache.etag) return true;\n    return false;\n  }\n\n  protected createCacheKey(route: ServerRoute, config?: ServerRequest): string {\n    const params: string[] = [];\n    for (const [key, value] of Object.entries(config?.params ?? {})) {\n      params.push(`${key}=${value}`);\n    }\n    for (const [key, value] of Object.entries(config?.query ?? {})) {\n      params.push(`${key}=${value}`);\n    }\n\n    return `${route.method}:${route.path.replaceAll(\":\", \"\")}:${params.join(\",\").replaceAll(\":\", \"\")}`;\n  }\n}\n\nexport type ServerRouteCache =\n  /**\n   * If true, enables caching with:\n   * - store: true\n   * - etag: true\n   */\n  | boolean\n  /**\n   * Object configuration for fine-grained cache control.\n   *\n   * If empty, no caching will be applied.\n   */\n  | {\n      /**\n       * If true, enables storing cached responses. (in-memory, Redis, @see alepha/cache for other providers)\n       * If a DurationLike is provided, it will be used as the TTL for the cache.\n       * If CacheDescriptorOptions is provided, it will be used to configure the cache storage.\n       *\n       * @default false\n       */\n      store?: true | DurationLike | CacheDescriptorOptions;\n      /**\n       * If true, enables ETag support for the cached responses.\n       */\n      etag?: true;\n      /**\n       * - If true, sets Cache-Control to \"public, max-age=300\" (5 minutes).\n       * - If string, sets Cache-Control to the provided value directly.\n       * - If object, configures Cache-Control directives.\n       */\n      control?: /**\n       * If true, sets Cache-Control to \"public, max-age=300\" (5 minutes).\n       */\n        | true\n        /**\n         * If string, sets Cache-Control to the provided value directly.\n         */\n        | string\n        /**\n         * If object, configures Cache-Control directives.\n         */\n        | {\n            /**\n             * Indicates that the response may be cached by any cache.\n             */\n            public?: boolean;\n            /**\n             * Indicates that the response is intended for a single user and must not be stored by a shared cache.\n             */\n            private?: boolean;\n            /**\n             * Forces caches to submit the request to the origin server for validation before releasing a cached copy.\n             */\n            noCache?: boolean;\n            /**\n             * Instructs caches not to store the response.\n             */\n            noStore?: boolean;\n            /**\n             * Maximum amount of time a resource is considered fresh.\n             * Can be specified as a number (seconds) or as a DurationLike object.\n             *\n             * @example 300 // 5 minutes in seconds\n             * @example { minutes: 5 } // 5 minutes\n             * @example { hours: 1 } // 1 hour\n             */\n            maxAge?: number | DurationLike;\n            /**\n             * Overrides max-age for shared caches (e.g., CDNs).\n             * Can be specified as a number (seconds) or as a DurationLike object.\n             */\n            sMaxAge?: number | DurationLike;\n            /**\n             * Indicates that once a resource becomes stale, caches must not use it without successful validation.\n             */\n            mustRevalidate?: boolean;\n            /**\n             * Similar to must-revalidate, but only for shared caches.\n             */\n            proxyRevalidate?: boolean;\n            /**\n             * Indicates that the response can be stored but must be revalidated before each use.\n             */\n            immutable?: boolean;\n          };\n    };\n\ninterface RouteCacheEntry {\n  contentType?: string;\n  body: any;\n  status?: number;\n  lastModified: string;\n  hash: string;\n}\n","import { $module } from \"alepha\";\nimport { AlephaCache } from \"alepha/cache\";\nimport { ServerCacheProvider } from \"./providers/ServerCacheProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./providers/ServerCacheProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Plugin for Alepha Server that provides server-side caching capabilities.\n * It uses the Alepha Cache module to cache responses from server actions ($action).\n * It also provides a ETag-based cache invalidation mechanism.\n *\n * @example\n * ```ts\n * import { Alepha } from \"alepha\";\n * import { $action } from \"alepha/server\";\n * import { AlephaServerCache } from \"alepha/server/cache\";\n *\n * class ApiServer {\n *   hello = $action({\n *     cache: true,\n *     handler: () => \"Hello, World!\",\n *   });\n * }\n *\n * const alepha = Alepha.create()\n *   .with(AlephaServerCache)\n *   .with(ApiServer);\n *\n * run(alepha);\n * ```\n *\n * @see {@link ServerCacheProvider}\n * @module alepha.server.cache\n */\nexport const AlephaServerCache = $module({\n  name: \"alepha.server.cache\",\n  services: [AlephaCache, ServerCacheProvider],\n});\n","import { randomUUID } from \"node:crypto\";\nimport { createReadStream } from \"node:fs\";\nimport { readFile, unlink, writeFile } from \"node:fs/promises\";\nimport * as os from \"node:os\";\nimport { ReadableStream as WebStream } from \"node:stream/web\";\nimport {\n  $env,\n  $hook,\n  $inject,\n  Alepha,\n  type FileLike,\n  isTypeFile,\n  t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport { HttpError, isMultipart, type ServerRoute } from \"alepha/server\";\n\nconst envSchema = t.object({\n  SERVER_MULTIPART_LIMIT: t.integer({\n    default: 10_000_000, // 10MB total\n    min: 0,\n    description: \"Maximum total size of multipart request body in bytes.\",\n  }),\n  SERVER_MULTIPART_FILE_LIMIT: t.integer({\n    default: 5_000_000, // 5MB per file\n    min: 0,\n    description: \"Maximum size of a single file in bytes.\",\n  }),\n  SERVER_MULTIPART_FILE_COUNT: t.integer({\n    default: 10,\n    min: 1,\n    description: \"Maximum number of files allowed in a single request.\",\n  }),\n});\n\nexport class ServerMultipartProvider {\n  protected readonly alepha = $inject(Alepha);\n  protected readonly env = $env(envSchema);\n  protected readonly log = $logger();\n\n  public readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    handler: async ({ route, request }) => {\n      // already parsed (e.g. by body parser)\n      if (request.body) {\n        return;\n      }\n\n      // we do not parse body if no schema\n      if (!route.schema?.body) {\n        return;\n      }\n\n      let webRequest: Request | undefined;\n\n      if (request.raw.web?.req) {\n        webRequest = request.raw.web.req;\n      } else if (request.raw.node?.req) {\n        webRequest = new Request(request.url, {\n          method: request.method,\n          headers: request.headers,\n          body: WebStream.from(request.raw.node.req) as ReadableStream,\n          duplex: \"half\",\n        } as RequestInit & { duplex: \"half\" });\n      }\n\n      if (!webRequest) {\n        return;\n      }\n\n      const contentType = request.headers[\"content-type\"];\n\n      // Check content-length before processing to fail fast on oversized requests\n      const contentLength = request.headers[\"content-length\"];\n      if (contentLength) {\n        const size = Number.parseInt(contentLength, 10);\n        if (!Number.isNaN(size) && size > this.env.SERVER_MULTIPART_LIMIT) {\n          this.log.error(\n            `Multipart request size limit exceeded: ${size} > ${this.env.SERVER_MULTIPART_LIMIT}`,\n          );\n          throw new HttpError({\n            status: 413,\n            message: `Request body size limit exceeded. Maximum allowed: ${this.env.SERVER_MULTIPART_LIMIT} bytes`,\n          });\n        }\n      }\n\n      if (!contentType?.startsWith(\"multipart/form-data\")) {\n        if (!isMultipart(route)) {\n          return;\n        }\n\n        // route expects multipart but content-type is not correct! reject with 415\n        throw new HttpError({\n          status: 415,\n          message: `Invalid content-type: ${contentType} - only \"multipart/form-data\" is accepted`,\n        });\n      }\n\n      const { body, cleanup } = await this.handleMultipartBodyFromWeb(\n        route,\n        webRequest,\n      );\n\n      request.body = body;\n      request.metadata.multipart = { cleanup };\n    },\n  });\n\n  public readonly onResponse = $hook({\n    on: \"server:onResponse\",\n    handler: async ({ request }) => {\n      const cleanup = request.metadata.multipart?.cleanup;\n      if (typeof cleanup === \"function\") {\n        await cleanup();\n      }\n    },\n  });\n\n  public async handleMultipartBodyFromWeb(\n    route: ServerRoute,\n    request: Request,\n  ): Promise<{\n    body: Record<string, unknown>;\n    cleanup: () => Promise<void>;\n  }> {\n    let formData: FormData;\n\n    try {\n      // Parse the FormData from the request\n      formData = await request.formData();\n    } catch (error) {\n      throw new HttpError(\n        {\n          status: 400,\n          message: \"Malformed multipart/form-data\",\n        },\n        error,\n      );\n    }\n\n    const body: Record<string, any> = {};\n    const tempFiles: HybridFile[] = [];\n\n    // Helper to clean up temp files on error\n    const cleanupOnError = async () => {\n      for (const file of tempFiles) {\n        try {\n          await file.cleanup();\n        } catch {\n          // Ignore cleanup errors during error handling\n        }\n      }\n    };\n\n    try {\n      let fileCount = 0;\n      let totalSize = 0;\n\n      if (route.schema?.body && t.schema.isObject(route.schema.body)) {\n        for (const [key, value] of Object.entries(\n          route.schema.body.properties,\n        )) {\n          if (t.schema.isSchema(value)) {\n            if (isTypeFile(value)) {\n              const file = formData.get(key);\n              // Check if file is a Blob (File extends Blob in Web APIs)\n              if (file && typeof file === \"object\" && \"arrayBuffer\" in file) {\n                const blob = file as Blob;\n\n                // Validate file count\n                fileCount++;\n                if (fileCount > this.env.SERVER_MULTIPART_FILE_COUNT) {\n                  this.log.error(\n                    `Too many files in multipart request: ${fileCount} > ${this.env.SERVER_MULTIPART_FILE_COUNT}`,\n                  );\n                  throw new HttpError({\n                    status: 413,\n                    message: `Too many files. Maximum allowed: ${this.env.SERVER_MULTIPART_FILE_COUNT}`,\n                  });\n                }\n\n                // Validate individual file size\n                if (blob.size > this.env.SERVER_MULTIPART_FILE_LIMIT) {\n                  this.log.error(\n                    `File \"${key}\" exceeds size limit: ${blob.size} > ${this.env.SERVER_MULTIPART_FILE_LIMIT}`,\n                  );\n                  throw new HttpError({\n                    status: 413,\n                    message: `File \"${key}\" exceeds size limit. Maximum allowed: ${this.env.SERVER_MULTIPART_FILE_LIMIT} bytes`,\n                  });\n                }\n\n                // Validate total size\n                totalSize += blob.size;\n                if (totalSize > this.env.SERVER_MULTIPART_LIMIT) {\n                  this.log.error(\n                    `Total multipart size exceeds limit: ${totalSize} > ${this.env.SERVER_MULTIPART_LIMIT}`,\n                  );\n                  throw new HttpError({\n                    status: 413,\n                    message: `Total request size exceeds limit. Maximum allowed: ${this.env.SERVER_MULTIPART_LIMIT} bytes`,\n                  });\n                }\n\n                const hybridFile = await this.createHybridFile(blob, key);\n                body[key] = hybridFile;\n                tempFiles.push(hybridFile);\n              }\n            } else {\n              const fieldValue = formData.get(key);\n              if (fieldValue !== null) {\n                // FormData values are either string or File/Blob\n                const stringValue =\n                  typeof fieldValue === \"string\" ? fieldValue : \"\";\n                body[key] = this.alepha.codec.decode(value, stringValue);\n              }\n            }\n          }\n        }\n      }\n\n      return {\n        body,\n        cleanup: async () => {\n          for (const file of tempFiles) {\n            await file.cleanup();\n          }\n        },\n      };\n    } catch (error) {\n      // Clean up any temp files that were created before the error\n      await cleanupOnError();\n      throw error;\n    }\n  }\n\n  /**\n   * This is a legacy code, previously we used \"busboy\" to parse multipart in Node.js environment.\n   * Now we rely on Web Request's formData() method, which is supported in modern Node.js versions.\n   * However, we still need to create temporary files for uploaded files to provide a consistent File-like interface.\n   *\n   * TODO: In future, we might want to refactor this to avoid using temporary files if not necessary?\n   */\n  protected async createHybridFile(\n    file: Blob,\n    fieldName: string,\n  ): Promise<HybridFile> {\n    const tmpPath = `${os.tmpdir()}/${randomUUID()}`;\n\n    // Get file data\n    const arrayBuffer = await file.arrayBuffer();\n    const buffer = Buffer.from(arrayBuffer);\n\n    // Write to temp file\n    await writeFile(tmpPath, buffer);\n\n    // Get file name - check if it has name property (File type)\n    const fileName = (file as any).name || `${fieldName}_${Date.now()}`;\n\n    const hybridFile: HybridFile = {\n      _state: {\n        cleanup: false,\n        size: file.size,\n        tmpPath,\n      },\n      name: fileName,\n      type: file.type || \"application/octet-stream\",\n      lastModified: (file as any).lastModified || Date.now(),\n      filepath: tmpPath,\n      get size() {\n        return this._state.size;\n      },\n      stream() {\n        return createReadStream(tmpPath);\n      },\n      async arrayBuffer() {\n        const content = await readFile(tmpPath);\n        return content.buffer.slice(\n          content.byteOffset,\n          content.byteOffset + content.byteLength,\n        ) as ArrayBuffer;\n      },\n      text: async () => {\n        return await readFile(tmpPath, \"utf-8\");\n      },\n      async cleanup() {\n        if (this._state.cleanup) {\n          return;\n        }\n\n        await unlink(tmpPath); // clean up the temp file\n        this._state.cleanup = true;\n      },\n    };\n\n    return hybridFile;\n  }\n}\n\ninterface HybridFile extends FileLike {\n  cleanup(): Promise<void>;\n  _state: {\n    cleanup: boolean;\n    size: number;\n    tmpPath: string;\n  };\n}\n","import { $module } from \"alepha\";\nimport { AlephaServer } from \"alepha/server\";\nimport { ServerMultipartProvider } from \"./providers/ServerMultipartProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./providers/ServerMultipartProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * This module provides support for handling multipart/form-data requests.\n * It allows to parse body data containing t.file().\n *\n * @see {@link ServerMultipartProvider}\n * @module alepha.server.multipart\n */\nexport const AlephaServerMultipart = $module({\n  name: \"alepha.server.multipart\",\n  services: [AlephaServer, ServerMultipartProvider],\n});\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\nimport { pageQuerySchema } from \"alepha/orm\";\n\nexport const fileQuerySchema = t.extend(pageQuerySchema, {\n  bucket: t.optional(t.string()),\n  tags: t.optional(t.array(t.string())),\n  name: t.optional(t.string()),\n  mimeType: t.optional(t.string()),\n  creator: t.optional(t.uuid()),\n  createdAfter: t.optional(t.datetime()),\n  createdBefore: t.optional(t.datetime()),\n});\n\nexport type FileQuery = Static<typeof fileQuerySchema>;\n","import { type Static, t } from \"alepha\";\nimport { $entity, pg } from \"alepha/orm\";\n\nexport const files = $entity({\n  name: \"files\",\n  schema: t.object({\n    id: pg.primaryKey(t.uuid()),\n    version: pg.version(),\n    createdAt: pg.createdAt(),\n    updatedAt: pg.updatedAt(),\n    blobId: t.text(),\n    creator: t.optional(t.uuid()),\n    creatorRealm: t.optional(t.string()),\n    creatorName: t.optional(t.string()),\n    bucket: t.text(),\n    expirationDate: t.optional(t.datetime()),\n    name: t.text(),\n    size: t.number(),\n    mimeType: t.string(),\n    tags: t.optional(t.array(t.text())),\n    checksum: t.optional(t.string()),\n  }),\n  indexes: [\n    \"expirationDate\",\n    \"bucket\",\n    \"creator\",\n    \"createdAt\",\n    \"mimeType\",\n    {\n      columns: [\"bucket\", \"createdAt\"],\n    },\n  ],\n});\n\nexport type FileEntity = Static<typeof files.schema>;\n","import { type Static, t } from \"alepha\";\nimport { files } from \"../entities/files.ts\";\n\nexport const fileResourceSchema = t.extend(\n  files.schema,\n  {},\n  {\n    title: \"FileResource\",\n    description: \"A file resource representing a file stored in the system.\",\n  },\n);\n\nexport type FileResource = Static<typeof fileResourceSchema>;\n","import { createHash } from \"node:crypto\";\nimport { $hook, $inject, Alepha, type FileLike } from \"alepha\";\nimport {\n  $bucket,\n  type BucketDescriptor,\n  FileNotFoundError,\n} from \"alepha/bucket\";\nimport {\n  type DateTime,\n  DateTimeProvider,\n  type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport { $repository, type Page } from \"alepha/orm\";\nimport type { UserAccountToken } from \"alepha/security\";\nimport type { Ok } from \"alepha/server\";\nimport { NotFoundError } from \"alepha/server\";\nimport { type FileEntity, files } from \"../entities/files.ts\";\nimport type { FileQuery } from \"../schemas/fileQuerySchema.ts\";\nimport type { FileResource } from \"../schemas/fileResourceSchema.ts\";\nimport type { StorageStats } from \"../schemas/storageStatsSchema.ts\";\n\nexport class FileService {\n  protected readonly alepha = $inject(Alepha);\n  protected readonly log = $logger();\n  protected readonly fileRepository = $repository(files);\n  protected readonly dateTimeProvider = $inject(DateTimeProvider);\n  protected readonly defaultBucket = $bucket({ name: \"default\" });\n\n  protected onUploadFile = $hook({\n    on: \"bucket:file:uploaded\",\n    handler: async ({ file, bucket, options, id }) => {\n      if (options.persist === false) {\n        return;\n      }\n\n      const checksum = await this.calculateChecksum(file);\n\n      await this.fileRepository.create({\n        blobId: id,\n        mimeType: file.type,\n        name: file.name,\n        size: file.size,\n        creator: options.user?.id,\n        creatorRealm: options.user?.realm,\n        expirationDate: this.getExpirationDate(options.ttl),\n        bucket: bucket.name,\n        checksum,\n      });\n    },\n  });\n\n  protected onDeleteBucketFile = $hook({\n    on: \"bucket:file:deleted\",\n    handler: async ({ bucket, id }) => {\n      await this.fileRepository.deleteMany({\n        blobId: { eq: id },\n        bucket: { eq: bucket.name },\n      });\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  /**\n   * Calculates SHA-256 checksum of a file.\n   *\n   * @param file - The file to calculate checksum for\n   * @returns Hexadecimal string representation of the SHA-256 hash\n   * @protected\n   */\n  protected async calculateChecksum(file: FileLike): Promise<string> {\n    const buffer = await file.arrayBuffer();\n    const hash = createHash(\"sha256\");\n    hash.update(Buffer.from(buffer));\n    return hash.digest(\"hex\");\n  }\n\n  /**\n   * Gets a bucket descriptor by name.\n   *\n   * @param bucketName - The name of the bucket to retrieve (defaults to \"default\")\n   * @returns The bucket descriptor\n   * @throws {NotFoundError} If the bucket is not found\n   */\n  public bucket(\n    bucketName: string = this.defaultBucket.name,\n  ): BucketDescriptor {\n    const bucket = this.alepha\n      .descriptors($bucket)\n      .find((it) => it.name === bucketName);\n\n    if (!bucket) {\n      throw new NotFoundError(`Bucket '${bucketName}' not found.`);\n    }\n\n    return bucket;\n  }\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  /**\n   * Finds files matching the given query criteria with pagination support.\n   * Supports filtering by bucket, tags, name, mimeType, creator, and date range.\n   *\n   * @param q - Query parameters including bucket, tags, name, mimeType, creator, date range, pagination, and sorting\n   * @returns Paginated list of file entities\n   */\n  public async findFiles(q: FileQuery = {}): Promise<Page<FileEntity>> {\n    q.sort ??= \"-createdAt\";\n\n    const where = this.fileRepository.createQueryWhere();\n\n    if (q.bucket) {\n      where.bucket = { eq: q.bucket };\n    }\n\n    if (q.tags) {\n      where.tags = { arrayContains: q.tags };\n    }\n\n    if (q.name) {\n      where.name = { ilike: `%${q.name}%` };\n    }\n\n    if (q.mimeType) {\n      where.mimeType = { eq: q.mimeType };\n    }\n\n    if (q.creator) {\n      where.creator = { eq: q.creator };\n    }\n\n    if (q.createdAfter && q.createdBefore) {\n      where.createdAt = {\n        gte: q.createdAfter,\n        lte: q.createdBefore,\n      };\n    } else if (q.createdAfter) {\n      where.createdAt = { gte: q.createdAfter };\n    } else if (q.createdBefore) {\n      where.createdAt = { lte: q.createdBefore };\n    }\n\n    return await this.fileRepository\n      .paginate(q, { where }, { count: true })\n      .then((page) => {\n        return {\n          ...page,\n          content: page.content.map((it) => this.entityToResource(it)),\n        };\n      });\n  }\n\n  /**\n   * Finds files that have expired based on their expiration date.\n   * Limited to 1000 files per call to prevent memory issues.\n   *\n   * @returns Array of expired file entities\n   */\n  public async findExpiredFiles(): Promise<FileEntity[]> {\n    return await this.fileRepository.findMany({\n      limit: 1000,\n      where: {\n        expirationDate: { lte: this.dateTimeProvider.nowISOString() },\n      },\n    });\n  }\n\n  /**\n   * Calculates an expiration date based on a TTL (time to live) duration.\n   *\n   * @param ttl - Duration like \"1 day\", \"2 hours\", etc.\n   * @returns DateTime representation of the expiration date, or undefined if no TTL provided\n   * @protected\n   */\n  protected getExpirationDate(ttl?: DurationLike): string | undefined {\n    return ttl\n      ? this.dateTimeProvider\n          .now()\n          .add(this.dateTimeProvider.duration(ttl))\n          .toISOString()\n      : undefined;\n  }\n\n  /**\n   * Uploads a file to a bucket and creates a database record with metadata.\n   * Automatically calculates and stores the file checksum (SHA-256).\n   *\n   * @param file - The file to upload\n   * @param options - Upload options including bucket, expiration, user, and tags\n   * @param options.bucket - Target bucket name (defaults to \"default\")\n   * @param options.expirationDate - When the file should expire\n   * @param options.user - User performing the upload (for audit trail)\n   * @param options.tags - Tags to associate with the file\n   * @returns The created file entity with all metadata\n   * @throws {NotFoundError} If the specified bucket doesn't exist\n   */\n  public async uploadFile(\n    file: FileLike,\n    options: {\n      expirationDate?: string | DateTime;\n      bucket?: string;\n      user?: UserAccountToken;\n      tags?: string[];\n    } = {},\n  ): Promise<FileEntity> {\n    const bucket = this.bucket(options.bucket);\n\n    const checksum = await this.calculateChecksum(file);\n    const blobId = await bucket.upload(file, { persist: false });\n\n    let expirationDate: string | undefined;\n    if (options.expirationDate) {\n      expirationDate = this.dateTimeProvider\n        .of(options.expirationDate)\n        .toISOString();\n    } else if (bucket.options.ttl) {\n      expirationDate = this.getExpirationDate(bucket.options.ttl);\n    }\n\n    return await this.fileRepository.create({\n      blobId: blobId,\n      mimeType: file.type,\n      name: file.name,\n      size: file.size,\n      creator: options.user?.id,\n      creatorRealm: options.user?.realm,\n      creatorName: options.user?.name,\n      expirationDate,\n      bucket: bucket.name,\n      tags: options.tags,\n      checksum,\n    });\n  }\n\n  /**\n   * Streams a file from storage by its database ID.\n   *\n   * @param id - The database ID (UUID) of the file to stream\n   * @returns The file object ready for streaming/downloading\n   * @throws {NotFoundError} If the file doesn't exist in the database\n   * @throws {FileNotFoundError} If the file exists in database but not in storage\n   */\n  public async streamFile(id: string): Promise<FileLike> {\n    const entity = await this.getFileById(id);\n    const bucket = this.bucket(entity.bucket);\n\n    return await bucket.download(entity.blobId);\n  }\n\n  /**\n   * Updates file metadata (name, tags, expiration date).\n   * Does not modify the actual file content in storage.\n   *\n   * @param id - The database ID (UUID) of the file to update\n   * @param data - Partial file data to update\n   * @param data.name - New file name\n   * @param data.tags - New tags array\n   * @param data.expirationDate - New expiration date\n   * @returns The updated file entity\n   * @throws {NotFoundError} If the file doesn't exist in the database\n   */\n  public async updateFile(\n    id: string,\n    data: {\n      name?: string;\n      tags?: string[];\n      expirationDate?: DateTime | string;\n    },\n  ): Promise<FileEntity> {\n    const file = await this.getFileById(id);\n\n    const updateData: Partial<FileEntity> = {};\n\n    if (data.name !== undefined) {\n      updateData.name = data.name;\n    }\n\n    if (data.tags !== undefined) {\n      updateData.tags = data.tags;\n    }\n\n    if (data.expirationDate !== undefined) {\n      updateData.expirationDate = this.dateTimeProvider\n        .of(data.expirationDate)\n        .toISOString();\n    }\n\n    return await this.fileRepository.updateById(file.id, updateData);\n  }\n\n  /**\n   * Deletes a file from both storage and database.\n   * Handles cases where file is already deleted from storage gracefully.\n   * Always ensures database record is removed even if storage deletion fails.\n   *\n   * @param id - The database ID (UUID) of the file to delete\n   * @returns Success response with the deleted file ID\n   * @throws {NotFoundError} If the file doesn't exist in the database\n   */\n  public async deleteFile(id: string): Promise<Ok> {\n    const file = await this.getFileById(id);\n    const bucket = this.bucket(file.bucket);\n\n    // Always delete the database record\n    await this.fileRepository.deleteById(file.id);\n\n    try {\n      await bucket.delete(file.blobId, true);\n    } catch (e) {\n      if (e instanceof FileNotFoundError) {\n        // File is already deleted in the bucket, this is okay\n        this.log.debug(\n          `File ${file.blobId} not found in bucket ${bucket.name}, cleaning up database record`,\n        );\n      } else {\n        // Other errors (permission, network, etc.) - log but continue to clean up database\n        this.log.warn(\n          `Failed to delete file ${file.blobId} from bucket ${bucket.name}`,\n          e,\n        );\n      }\n    }\n\n    return { ok: true, id: String(file.id) };\n  }\n\n  /**\n   * Retrieves a file entity by its ID.\n   * If already an entity object, returns it as-is (convenience method).\n   *\n   * @param id - Either a UUID string or an existing FileEntity object\n   * @returns The file entity\n   * @throws {NotFoundError} If the file doesn't exist in the database\n   */\n  public async getFileById(id: string | FileEntity): Promise<FileEntity> {\n    if (typeof id === \"object\") {\n      return id;\n    }\n\n    return await this.fileRepository.findById(id);\n  }\n\n  /**\n   * Gets storage statistics including total size, file count, and breakdowns by bucket and MIME type.\n   *\n   * @returns Storage statistics with aggregated data\n   */\n  public async getStorageStats(): Promise<StorageStats> {\n    const allFiles = await this.fileRepository.findMany({});\n\n    const totalSize = allFiles.reduce((sum, file) => sum + file.size, 0);\n    const totalFiles = allFiles.length;\n\n    // Group by bucket\n    const bucketMap = new Map<\n      string,\n      { totalSize: number; fileCount: number }\n    >();\n    for (const file of allFiles) {\n      const existing = bucketMap.get(file.bucket) || {\n        totalSize: 0,\n        fileCount: 0,\n      };\n      existing.totalSize += file.size;\n      existing.fileCount += 1;\n      bucketMap.set(file.bucket, existing);\n    }\n\n    // Group by MIME type\n    const mimeTypeMap = new Map<string, number>();\n    for (const file of allFiles) {\n      const existing = mimeTypeMap.get(file.mimeType) || 0;\n      mimeTypeMap.set(file.mimeType, existing + 1);\n    }\n\n    return {\n      totalSize,\n      totalFiles,\n      byBucket: Array.from(bucketMap.entries()).map(([bucket, stats]) => ({\n        bucket,\n        totalSize: stats.totalSize,\n        fileCount: stats.fileCount,\n      })),\n      byMimeType: Array.from(mimeTypeMap.entries()).map(\n        ([mimeType, fileCount]) => ({\n          mimeType,\n          fileCount,\n        }),\n      ),\n    };\n  }\n\n  /**\n   * Converts a file entity to a file resource (API response format).\n   * Currently a pass-through, but allows for future transformation logic.\n   *\n   * @param entity - The file entity to convert\n   * @returns The file resource for API responses\n   */\n  public entityToResource(entity: FileEntity): FileResource {\n    return entity;\n  }\n}\n","import { $inject, t } from \"alepha\";\nimport { pg } from \"alepha/orm\";\nimport { $action, okSchema } from \"alepha/server\";\nimport { fileQuerySchema } from \"../schemas/fileQuerySchema.ts\";\nimport { fileResourceSchema } from \"../schemas/fileResourceSchema.ts\";\nimport { FileService } from \"../services/FileService.ts\";\n\n/**\n * REST API controller for file management operations.\n * Provides endpoints for uploading, downloading, listing, and deleting files.\n */\nexport class FileController {\n  protected readonly url = \"/files\";\n  protected readonly group = \"files\";\n  protected readonly fileService = $inject(FileService);\n\n  /**\n   * GET /files - Lists files with optional filtering and pagination.\n   * Supports filtering by bucket and tags.\n   */\n  public readonly findFiles = $action({\n    path: this.url,\n    group: this.group,\n    description: \"List files with filtering and pagination\",\n    schema: {\n      query: fileQuerySchema,\n      response: pg.page(fileResourceSchema),\n    },\n    handler: ({ query }) => this.fileService.findFiles(query),\n  });\n\n  /**\n   * DELETE /files/:id - Deletes a file from both storage and database.\n   * Removes the file from the bucket and cleans up the database record.\n   */\n  public readonly deleteFile = $action({\n    method: \"DELETE\",\n    path: `${this.url}/:id`,\n    group: this.group,\n    description: \"Delete a file\",\n    schema: {\n      params: t.object({\n        id: t.uuid(),\n      }),\n      response: okSchema,\n    },\n    handler: ({ params }) => this.fileService.deleteFile(params.id),\n  });\n\n  /**\n   * POST /files - Uploads a new file to storage.\n   * Creates a database record with metadata and calculates checksum.\n   * Optionally specify bucket and expiration date.\n   */\n  public readonly uploadFile = $action({\n    path: this.url,\n    group: this.group,\n    description: \"Upload a new file\",\n    schema: {\n      body: t.object({\n        file: t.file(),\n      }),\n      query: t.object({\n        expirationDate: t.optional(t.datetime()),\n        bucket: t.optional(t.string()),\n      }),\n      response: fileResourceSchema,\n    },\n    handler: async ({ body, user, query }) =>\n      this.fileService.uploadFile(body.file, {\n        user,\n        ...query,\n      }),\n  });\n\n  /**\n   * PATCH /files/:id - Updates file metadata.\n   * Allows updating name, tags, and expiration date without modifying file content.\n   */\n  public readonly updateFile = $action({\n    method: \"PATCH\",\n    path: `${this.url}/:id`,\n    group: this.group,\n    description: \"Update file metadata\",\n    schema: {\n      params: t.object({\n        id: t.uuid(),\n      }),\n      body: t.object({\n        name: t.optional(t.string()),\n        tags: t.optional(t.array(t.string())),\n        expirationDate: t.optional(t.datetime()),\n      }),\n      response: fileResourceSchema,\n    },\n    handler: ({ params, body }) => this.fileService.updateFile(params.id, body),\n  });\n\n  /**\n   * GET /files/:id - Streams/downloads a file by its ID.\n   * Returns the file content with appropriate Content-Type header.\n   * Cached with ETag support for 1 year (immutable).\n   */\n  public readonly streamFile = $action({\n    path: `${this.url}/:id`,\n    group: this.group,\n    description: \"Download a file\",\n    cache: {\n      etag: true,\n      control: {\n        public: true,\n        maxAge: [1, \"year\"],\n        immutable: true,\n      },\n    },\n    schema: {\n      params: t.object({\n        id: t.uuid(),\n      }),\n      response: t.file(),\n    },\n    handler: async ({ params }) => {\n      return await this.fileService.streamFile(params.id);\n    },\n  });\n}\n","import { timingSafeEqual } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  HttpError,\n  type ServerRequest,\n  ServerRouterProvider,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface BasicAuthOptions {\n  username: string;\n  password: string;\n}\n\nexport interface BasicAuthDescriptorConfig extends BasicAuthOptions {\n  /** Name identifier for this basic auth (default: property key) */\n  name?: string;\n  /** Path patterns to match (supports wildcards like /devtools/*) */\n  paths?: string[];\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerBasicAuthProvider {\n  protected readonly alepha = $inject(Alepha);\n  protected readonly log = $logger();\n  protected readonly routerProvider = $inject(ServerRouterProvider);\n  protected readonly realm = \"Secure Area\";\n\n  /**\n   * Registered basic auth descriptors with their configurations\n   */\n  public readonly registeredAuths: BasicAuthDescriptorConfig[] = [];\n\n  /**\n   * Register a basic auth configuration (called by descriptors)\n   */\n  public registerAuth(config: BasicAuthDescriptorConfig): void {\n    this.registeredAuths.push(config);\n  }\n\n  public readonly onStart = $hook({\n    on: \"start\",\n    handler: async () => {\n      for (const auth of this.registeredAuths) {\n        if (auth.paths) {\n          for (const pattern of auth.paths) {\n            const matchedRoutes = this.routerProvider.getRoutes(pattern);\n            for (const route of matchedRoutes) {\n              route.secure = {\n                basic: {\n                  username: auth.username,\n                  password: auth.password,\n                },\n              };\n            }\n          }\n        }\n      }\n\n      if (this.registeredAuths.length > 0) {\n        this.log.info(\n          `Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`,\n        );\n      }\n    },\n  });\n\n  /**\n   * Hook into server:onRequest to check basic auth\n   */\n  public readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    handler: async ({ route, request }) => {\n      const routeAuth = route.secure;\n      if (\n        typeof routeAuth === \"object\" &&\n        \"basic\" in routeAuth &&\n        routeAuth.basic\n      ) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Hook into action:onRequest to check basic auth for actions\n   */\n  public readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request }) => {\n      const routeAuth = action.route.secure;\n      if (isBasicAuth(routeAuth)) {\n        this.checkAuth(request, routeAuth.basic);\n      }\n    },\n  });\n\n  /**\n   * Check basic authentication\n   */\n  public checkAuth(request: ServerRequest, options: BasicAuthOptions): void {\n    const authHeader = request.headers?.authorization;\n\n    if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n      this.sendAuthRequired(request);\n      throw new HttpError({\n        status: 401,\n        message: \"Authentication required\",\n      });\n    }\n\n    // decode base64 credentials\n    const base64Credentials = authHeader.slice(6); // Remove \"Basic \"\n    const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n      \"utf-8\",\n    );\n\n    // split only on the first colon to handle passwords with colons\n    const colonIndex = credentials.indexOf(\":\");\n    const username =\n      colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n    const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n    // verify credentials using timing-safe comparison to prevent timing attacks\n    const isValid = this.timingSafeCredentialCheck(\n      username,\n      password,\n      options.username,\n      options.password,\n    );\n\n    if (!isValid) {\n      this.sendAuthRequired(request);\n      this.log.warn(`Failed basic auth attempt for user`, {\n        username,\n      });\n      throw new HttpError({\n        status: 401,\n        message: \"Invalid credentials\",\n      });\n    }\n  }\n\n  /**\n   * Performs a timing-safe comparison of credentials to prevent timing attacks.\n   * Always compares both username and password to avoid leaking which one is wrong.\n   */\n  protected timingSafeCredentialCheck(\n    inputUsername: string,\n    inputPassword: string,\n    expectedUsername: string,\n    expectedPassword: string,\n  ): boolean {\n    // Convert to buffers for timing-safe comparison\n    const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n    const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n    const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n    const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n    // timingSafeEqual requires same-length buffers\n    // When lengths differ, we compare against a dummy buffer to maintain constant time\n    const userMatch = this.safeCompare(inputUserBuf, expectedUserBuf);\n    const passMatch = this.safeCompare(inputPassBuf, expectedPassBuf);\n\n    // Both must match - bitwise AND avoids short-circuit evaluation\n    // eslint-disable-next-line no-bitwise\n    return (userMatch & passMatch) === 1;\n  }\n\n  /**\n   * Compares two buffers in constant time, handling different lengths safely.\n   * Returns 1 if equal, 0 if not equal.\n   */\n  protected safeCompare(input: Buffer, expected: Buffer): number {\n    // If lengths differ, compare input against itself to maintain timing\n    // but return 0 (not equal)\n    if (input.length !== expected.length) {\n      // Still perform a comparison to keep timing consistent\n      timingSafeEqual(input, input);\n      return 0;\n    }\n\n    return timingSafeEqual(input, expected) ? 1 : 0;\n  }\n\n  /**\n   * Send WWW-Authenticate header\n   */\n  protected sendAuthRequired(request: ServerRequest): void {\n    request.reply.setHeader(\"WWW-Authenticate\", `Basic realm=\"${this.realm}\"`);\n  }\n}\n\nexport const isBasicAuth = (\n  value: unknown,\n): value is { basic: BasicAuthOptions } => {\n  return (\n    typeof value === \"object\" && !!value && \"basic\" in value && !!value.basic\n  );\n};\n","import { $inject, createDescriptor, Descriptor, KIND } from \"alepha\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type {\n  BasicAuthDescriptorConfig,\n  BasicAuthOptions,\n} from \"../providers/ServerBasicAuthProvider.ts\";\nimport { ServerBasicAuthProvider } from \"../providers/ServerBasicAuthProvider.ts\";\n\n/**\n * Declares HTTP Basic Authentication for server routes.\n * This descriptor provides methods to protect routes with username/password authentication.\n */\nexport const $basicAuth = (\n  options: BasicAuthDescriptorConfig,\n): AbstractBasicAuthDescriptor => {\n  return createDescriptor(BasicAuthDescriptor, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface AbstractBasicAuthDescriptor {\n  readonly name: string;\n  readonly options: BasicAuthDescriptorConfig;\n  check(request: ServerRequest, options?: BasicAuthOptions): void;\n}\n\nexport class BasicAuthDescriptor\n  extends Descriptor<BasicAuthDescriptorConfig>\n  implements AbstractBasicAuthDescriptor\n{\n  protected readonly serverBasicAuthProvider = $inject(ServerBasicAuthProvider);\n\n  public get name(): string {\n    return this.options.name ?? `${this.config.propertyKey}`;\n  }\n\n  protected onInit() {\n    // Register this auth configuration with the provider\n    this.serverBasicAuthProvider.registerAuth(this.options);\n  }\n\n  /**\n   * Checks basic auth for the given request using this descriptor's configuration.\n   */\n  public check(request: ServerRequest, options?: BasicAuthOptions): void {\n    const mergedOptions = { ...this.options, ...options };\n    this.serverBasicAuthProvider.checkAuth(request, mergedOptions);\n  }\n}\n\n$basicAuth[KIND] = BasicAuthDescriptor;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n  JwtProvider,\n  type Permission,\n  SecurityProvider,\n  type UserAccountToken,\n  userAccountInfoSchema,\n} from \"alepha/security\";\nimport {\n  $action,\n  ForbiddenError,\n  type ServerRequest,\n  UnauthorizedError,\n} from \"alepha/server\";\nimport {\n  type BasicAuthOptions,\n  isBasicAuth,\n} from \"./ServerBasicAuthProvider.ts\";\n\nexport class ServerSecurityProvider {\n  protected readonly log = $logger();\n  protected readonly securityProvider = $inject(SecurityProvider);\n  protected readonly jwtProvider = $inject(JwtProvider);\n  protected readonly alepha = $inject(Alepha);\n\n  protected readonly onConfigure = $hook({\n    on: \"configure\",\n    handler: async () => {\n      for (const action of this.alepha.descriptors($action)) {\n        // -------------------------------------------------------------------------------------------------------------\n        // if the action is disabled or not secure, we do NOT create a permission for it\n        // -------------------------------------------------------------------------------------------------------------\n        if (\n          action.options.disabled ||\n          action.options.secure === false ||\n          this.securityProvider.getRealms().length === 0\n        ) {\n          continue;\n        }\n\n        const secure = action.options.secure;\n        if (typeof secure !== \"object\") {\n          this.securityProvider.createPermission({\n            name: action.name,\n            group: action.group,\n            method: action.route.method,\n            path: action.route.path,\n          });\n        }\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected readonly onActionRequest = $hook({\n    on: \"action:onRequest\",\n    handler: async ({ action, request, options }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      // but only if no user is provided in options\n      if (action.options.secure === false && !options.user) {\n        this.log.trace(\"Skipping security check for route\");\n        return;\n      }\n\n      if (isBasicAuth(action.route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find(\n          (it) =>\n            it.path === action.route.path && it.method === action.route.method,\n        );\n\n      try {\n        request.user = this.createUserFromLocalFunctionContext(\n          options,\n          permission,\n        );\n\n        const route = action.route;\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.state.set(\n          \"alepha.server.request.user\",\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n      } catch (error) {\n        if (action.options.secure || permission) {\n          throw error;\n        }\n        // else, we skip the security check\n        this.log.trace(\"Skipping security check for action\");\n      }\n    },\n  });\n\n  protected readonly onRequest = $hook({\n    on: \"server:onRequest\",\n    priority: \"last\",\n    handler: async ({ request, route }) => {\n      // if you set explicitly secure: false, we assume you don't want any security check\n      if (route.secure === false) {\n        this.log.trace(\n          \"Skipping security check for route - explicitly disabled\",\n        );\n        return;\n      }\n\n      if (isBasicAuth(route.secure)) {\n        return;\n      }\n\n      const permission = this.securityProvider\n        .getPermissions()\n        .find((it) => it.path === route.path && it.method === route.method);\n\n      if (!request.headers.authorization && !route.secure && !permission) {\n        this.log.trace(\n          \"Skipping security check for route - no authorization header and not secure\",\n        );\n        return;\n      }\n\n      try {\n        // set user to request\n        request.user = await this.securityProvider.createUserFromToken(\n          request.headers.authorization,\n          { permission },\n        );\n\n        if (typeof route.secure === \"object\") {\n          this.check(request.user, route.secure);\n        }\n\n        this.alepha.state.set(\n          \"alepha.server.request.user\",\n          // remove sensitive info\n          this.alepha.codec.decode(userAccountInfoSchema, request.user),\n        );\n\n        this.log.trace(\"User set from request token\", {\n          user: request.user,\n          permission,\n        });\n      } catch (error) {\n        if (route.secure || permission) {\n          throw error;\n        }\n\n        // else, we skip the security check\n        this.log.trace(\n          \"Skipping security check for route - error occurred\",\n          error,\n        );\n      }\n    },\n  });\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  protected check(user: UserAccountToken, secure: ServerRouteSecure) {\n    if (secure.realm) {\n      if (user.realm !== secure.realm) {\n        throw new ForbiddenError(\n          `User must belong to realm '${secure.realm}' to access this route`,\n        );\n      }\n    }\n  }\n\n  /**\n   * Get the user account token for a local action call.\n   * There are three possible sources for the user:\n   * - `options.user`: the user passed in the options\n   * - `\"system\"`: the system user from the state (you MUST set state `server.security.system.user`)\n   * - `\"context\"`: the user from the request context (you MUST be in an HTTP request context)\n   *\n   * Priority order: `options.user` > `\"system\"` > `\"context\"`.\n   *\n   * In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.\n   */\n  protected createUserFromLocalFunctionContext(\n    options: { user?: UserAccountToken | \"system\" | \"context\" },\n    permission?: Permission,\n  ): UserAccountToken {\n    const fromOptions =\n      typeof options.user === \"object\" ? options.user : undefined;\n\n    const type = typeof options.user === \"string\" ? options.user : undefined;\n\n    let user: UserAccountToken | undefined;\n\n    const fromContext = this.alepha.context.get<ServerRequest>(\"request\")?.user;\n    const fromSystem = this.alepha.state.get(\n      \"alepha.server.security.system.user\",\n    );\n\n    if (type === \"system\") {\n      user = fromSystem;\n    } else if (type === \"context\") {\n      user = fromContext;\n    } else {\n      user = fromOptions ?? fromContext ?? fromSystem;\n    }\n\n    if (!user) {\n      // in testing mode, we create a test user\n      if (this.alepha.isTest() && !(\"user\" in options)) {\n        return this.createTestUser();\n      }\n\n      throw new UnauthorizedError(\"User is required for calling this action\");\n    }\n\n    const roles =\n      user.roles ??\n      (this.alepha.isTest()\n        ? this.securityProvider.getRoles().map((role) => role.name)\n        : []);\n    let ownership: boolean | string | undefined;\n\n    if (permission) {\n      const result = this.securityProvider.checkPermission(\n        permission,\n        ...roles,\n      );\n      if (!result.isAuthorized) {\n        throw new ForbiddenError(\n          `Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`,\n        );\n      }\n      ownership = result.ownership;\n    }\n\n    // create a new user object with ownership if needed\n    return {\n      ...user,\n      ownership,\n    };\n  }\n\n  // ---------------------------------------------------------------------------------------------------------------\n  // TESTING ONLY\n  // ---------------------------------------------------------------------------------------------------------------\n\n  protected createTestUser(): UserAccountToken {\n    return {\n      id: randomUUID(),\n      name: \"Test\",\n      roles: this.securityProvider.getRoles().map((role) => role.name),\n    };\n  }\n\n  protected readonly onClientRequest = $hook({\n    on: \"client:onRequest\",\n    handler: async ({ request, options }) => {\n      if (!this.alepha.isTest()) {\n        return;\n      }\n\n      // skip helper if user is explicitly set to undefined\n      if (\"user\" in options && options.user === undefined) {\n        return;\n      }\n\n      request.headers = new Headers(request.headers);\n\n      if (!request.headers.has(\"authorization\")) {\n        const test = this.createTestUser();\n        const user =\n          typeof options?.user === \"object\" ? options.user : undefined;\n        const sub = user?.id ?? test.id;\n        const roles = user?.roles ?? test.roles;\n\n        const token = await this.jwtProvider.create(\n          {\n            sub,\n            roles,\n          },\n          user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n        );\n\n        request.headers.set(\"authorization\", `Bearer ${token}`);\n      }\n    },\n  });\n}\n\nexport type ServerRouteSecure = {\n  realm?: string;\n  basic?: BasicAuthOptions;\n};\n","import { $module } from \"alepha\";\nimport {\n  $permission,\n  $realm,\n  $role,\n  AlephaSecurity,\n  type UserAccount,\n  type UserAccountToken,\n} from \"alepha/security\";\nimport { AlephaServer, type FetchOptions } from \"alepha/server\";\nimport { $basicAuth } from \"./descriptors/$basicAuth.ts\";\nimport { ServerBasicAuthProvider } from \"./providers/ServerBasicAuthProvider.ts\";\nimport {\n  type ServerRouteSecure,\n  ServerSecurityProvider,\n} from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./descriptors/$basicAuth.ts\";\nexport * from \"./providers/ServerBasicAuthProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n  interface State {\n    /**\n     * Real (or fake) user account, used for internal actions.\n     *\n     * If you define this, you assume that all actions are executed by this user by default.\n     * > To force a different user, you need to pass it explicitly in the options.\n     */\n\n    \"alepha.server.security.system.user\"?: UserAccountToken;\n\n    /**\n     * The authenticated user account attached to the server request state.\n     *\n     * @internal\n     */\n    \"alepha.server.request.user\"?: UserAccount;\n  }\n}\n\ndeclare module \"alepha/server\" {\n  interface ServerRequest<TConfig> {\n    user?: UserAccountToken; // for all routes, user is maybe present\n  }\n\n  interface ServerActionRequest<TConfig> {\n    user: UserAccountToken; // for actions, user is always present\n  }\n\n  interface ServerRoute {\n    /**\n     * If true, the route will be protected by the security provider.\n     * All actions are secure by default, but you can disable it for specific actions.\n     */\n    secure?: boolean | ServerRouteSecure;\n  }\n\n  interface ClientRequestOptions extends FetchOptions {\n    /**\n     * Forward user from the previous request.\n     * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n     * If \"context\", use the user from the current context (e.g. request).\n     *\n     * @default \"system\" if provided, else \"context\" if available.\n     */\n    user?: UserAccountToken | \"system\" | \"context\";\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Plugin for Alepha Server that provides security features. Based on the Alepha Security module.\n *\n * By default, all $action will be guarded by a permission check.\n *\n * @see {@link ServerSecurityProvider}\n * @module alepha.server.security\n */\nexport const AlephaServerSecurity = $module({\n  name: \"alepha.server.security\",\n  descriptors: [$realm, $role, $permission, $basicAuth],\n  services: [\n    AlephaServer,\n    AlephaSecurity,\n    ServerSecurityProvider,\n    ServerBasicAuthProvider,\n  ],\n});\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const bucketStatsSchema = t.object({\n  bucket: t.string(),\n  totalSize: t.number(),\n  fileCount: t.number(),\n});\n\nexport const mimeTypeStatsSchema = t.object({\n  mimeType: t.string(),\n  fileCount: t.number(),\n});\n\nexport const storageStatsSchema = t.object({\n  totalSize: t.number(),\n  totalFiles: t.number(),\n  byBucket: t.array(bucketStatsSchema),\n  byMimeType: t.array(mimeTypeStatsSchema),\n});\n\nexport type BucketStats = Static<typeof bucketStatsSchema>;\nexport type MimeTypeStats = Static<typeof mimeTypeStatsSchema>;\nexport type StorageStats = Static<typeof storageStatsSchema>;\n","import \"alepha/server/security\";\nimport { $inject } from \"alepha\";\nimport { $action } from \"alepha/server\";\nimport { storageStatsSchema } from \"../schemas/storageStatsSchema.ts\";\nimport { FileService } from \"../services/FileService.ts\";\n\n/**\n * REST API controller for storage analytics and statistics.\n * Provides endpoints for viewing storage usage metrics.\n */\nexport class StorageStatsController {\n  protected readonly url = \"/files/stats\";\n  protected readonly group = \"files\";\n  protected readonly fileService = $inject(FileService);\n\n  /**\n   * GET /files/stats - Gets storage statistics.\n   * Returns aggregated data including total size, file count,\n   * and breakdowns by bucket and MIME type.\n   */\n  public readonly getStats = $action({\n    path: this.url,\n    group: this.group,\n    description: \"Get storage statistics\",\n    schema: {\n      response: storageStatsSchema,\n    },\n    handler: () => this.fileService.getStorageStats(),\n  });\n}\n","import { $inject } from \"alepha\";\nimport { $scheduler } from \"alepha/scheduler\";\nimport { FileService } from \"../services/FileService.ts\";\n\nexport class FileJobs {\n  protected readonly fileService = $inject(FileService);\n\n  public readonly purgeFiles = $scheduler({\n    description: \"Purge files that are marked for deletion\",\n    cron: \"*/15 * * * *\", // Every 15 minutes\n    handler: async () => {\n      const files = await this.fileService.findExpiredFiles();\n\n      await Promise.all(\n        files.map((file) => this.fileService.deleteFile(file.id)),\n      );\n    },\n  });\n}\n","import { $module } from \"alepha\";\nimport { AlephaBucket } from \"alepha/bucket\";\nimport type { DurationLike } from \"alepha/datetime\";\nimport type { UserAccountToken } from \"alepha/security\";\nimport { AlephaServerCache } from \"alepha/server/cache\";\nimport { AlephaServerMultipart } from \"alepha/server/multipart\";\nimport { FileController } from \"./controllers/FileController.ts\";\nimport { StorageStatsController } from \"./controllers/StorageStatsController.ts\";\nimport { FileJobs } from \"./jobs/FileJobs.ts\";\nimport { FileService } from \"./services/FileService.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./controllers/FileController.ts\";\nexport * from \"./controllers/StorageStatsController.ts\";\nexport * from \"./entities/files.ts\";\nexport * from \"./schemas/storageStatsSchema.ts\";\nexport * from \"./services/FileService.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha/bucket\" {\n  interface BucketFileOptions {\n    /**\n     * Time to live for the files in the bucket.\n     */\n    ttl?: DurationLike;\n\n    /**\n     * Tags for the bucket.\n     */\n    tags?: string[];\n\n    /**\n     * User performing the operation.\n     */\n    user?: UserAccountToken;\n\n    /**\n     * Whether to persist the file metadata in the database.\n     *\n     * @default true\n     */\n    persist?: boolean;\n  }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Provides file management API endpoints for Alepha applications.\n *\n * This module includes file upload, download, storage management,\n * and file metadata operations.\n *\n * @module alepha.api.files\n */\nexport const AlephaApiFiles = $module({\n  name: \"alepha.api.files\",\n  services: [FileController, StorageStatsController, FileJobs, FileService],\n  register: (alepha) => {\n    alepha\n      .with(AlephaBucket)\n      .with(AlephaServerCache)\n      .with(AlephaServerMultipart)\n      .with(FileController)\n      .with(StorageStatsController)\n      .with(FileJobs);\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCA,+BAAiB,UAAU,aAAa,iBAEtC;AACA,OAAM,KAAK,OAAO,OAAO,oBAAoB,CAAC,WAAW,KAAK,MAAM;;AAKtE,IAAa,sBAAb,MAAiC;CAC/B,AAAmB,kCAAe;CAClC,AAAmB,6BAAiBA,cAAO;CAC3C,AAAmB,2BAAeC,iCAAiB;CACnD,AAAmB,iCAAgC,EACjD,UAAU,UACX,CAAC;CAEF,AAAO,aAAa,SAA6B;AAC/C,SAAO,gCAAe,MAAM,CAAC,OAAO,QAAQ,CAAC,OAAO,MAAM,CAAC;;CAG7D,MAAa,WAAW,OAAoB;AAE1C,MAAI,CADU,MAAM,MAElB;AAGF,QAAM,KAAK,MAAM,WAAW,KAAK,eAAe,MAAM,CAAC;;CAGzD,AAAmB,oCAAwB;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,QAAQ,OAAO,MAAM;AAK3B,OAHoB,KAAK,YAAY,MAAM,EAG1B;IACf,MAAM,MAAM,KAAK,eAAe,OAAO,OAAO,QAAQ;IACtD,MAAM,SAAS,MAAM,KAAK,MAAM,IAAI,IAAI;AAExC,QAAI,QAAQ;KACV,MAAM,OACJ,OAAO,gBAAgB,qBACnB,KAAK,MAAM,OAAO,KAAK,GACvB,OAAO;AAEb,UAAK,IAAI,MAAM,wBAAwB;MACrC;MACA,QAAQ,OAAO;MAChB,CAAC;AAEF,aAAQ,MAAM,OAAO;UAErB,MAAK,IAAI,MAAM,yBAAyB;KACtC;KACA,QAAQ,OAAO;KAChB,CAAC;;;EAIT,CAAC;CAEF,AAAmB,qCAAyB;EAC1C,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,eAAe;GAChD,MAAM,QAAQ,OAAO,MAAM;AAI3B,OAAI,CAFgB,KAAK,YAAY,MAAM,IAEvB,CAAC,SACnB;AAIF,OAAI,QAAQ,MAAM,UAAU,QAAQ,MAAM,UAAU,IAClD;GAKF,MAAM,cACJ,OAAO,aAAa,WAAW,eAAe;GAChD,MAAM,OACJ,gBAAgB,eAAe,WAAW,KAAK,UAAU,SAAS;GAEpE,MAAM,gBAAgB,KAAK,aAAa,KAAK;GAC7C,MAAM,eAAe,KAAK,KAAK,aAAa;GAG5C,MAAM,MAAM,KAAK,eAAe,OAAO,OAAO,QAAQ;AAEtD,QAAK,IAAI,MAAM,oBAAoB;IACjC;IACA,QAAQ,OAAO;IAChB,CAAC;AAEF,SAAM,KAAK,MAAM,IAAI,KAAK;IAClB;IACN;IACa;IACb,MAAM;IACP,CAAC;GAGF,MAAM,eAAe,KAAK,wBAAwB,MAAM;AACxD,OAAI,aACF,SAAQ,MAAM,UAAU,iBAAiB,aAAa;;EAG3D,CAAC;CAEF,AAAmB,8BAAkB;EACnC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,QAAQ,MAAM;GAEpB,MAAM,cAAc,KAAK,YAAY,MAAM;GAC3C,MAAM,gBAAgB,KAAK,cAAc,MAAM;AAG/C,OAAI,CAAC,eAAe,CAAC,cACnB;GAGF,MAAM,MAAM,KAAK,eAAe,OAAO,QAAQ;GAC/C,MAAM,SAAS,MAAM,KAAK,MAAM,IAAI,IAAI;AAExC,OAAI,QAAQ;AAEV,QACE,QAAQ,QAAQ,qBAAqB,OAAO,QAC5C,QAAQ,QAAQ,yBAAyB,OAAO,cAChD;AACA,aAAQ,MAAM,SAAS;AACvB,aAAQ,MAAM,UAAU,QAAQ,OAAO,KAAK;AAC5C,aAAQ,MAAM,UAAU,iBAAiB,OAAO,aAAa;AAC7D,UAAK,IAAI,MAAM,6BAA6B;MAC1C,OAAO,MAAM;MACb,MAAM,OAAO;MACd,CAAC;AACF;;AAIF,QAAI,aAAa;AACf,UAAK,IAAI,MAAM,uBAAuB;MACpC;MACA,OAAO,MAAM;MACd,CAAC;AAIF,aAAQ,MAAM,OAAO,OAAO;AAC5B,aAAQ,MAAM,SAAS,OAAO,UAAU;AAExC,SAAI,OAAO,YACT,SAAQ,MAAM,UAAU,gBAAgB,OAAO,YAAY;AAG7D,aAAQ,MAAM,UAAU,QAAQ,OAAO,KAAK;AAC5C,aAAQ,MAAM,UAAU,iBAAiB,OAAO,aAAa;;cAEtD,YACT,MAAK,IAAI,MAAM,wBAAwB;IACrC;IACA,OAAO,MAAM;IACd,CAAC;;EAGP,CAAC;CAEF,AAAmB,2BAAe;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GAIrC,MAAM,QAAQ,MAAM;GAEpB,MAAM,cAAc,KAAK,YAAY,MAAM;GAC3C,MAAM,gBAAgB,KAAK,cAAc,MAAM;AAE/C,OAAI,QAAQ,MAAM,QAAQ,KAExB;AAGF,OACE,CAAC,eACD,iBACA,QAAQ,MAAM,QAAQ,SACrB,OAAO,QAAQ,MAAM,SAAS,YAC7B,OAAO,SAAS,QAAQ,MAAM,KAAK,GACrC;IACA,MAAM,gBAAgB,KAAK,aAAa,QAAQ,MAAM,KAAK;AAE3D,QAAI,QAAQ,QAAQ,qBAAqB,eAAe;AACtD,aAAQ,MAAM,SAAS;AACvB,aAAQ,MAAM,OAAO;AACrB,aAAQ,MAAM,UAAU,QAAQ,cAAc;AAC9C,UAAK,IAAI,MAAM,qCAAqC;MAClD,OAAO,MAAM;MACb,MAAM;MACP,CAAC;AACF;;;;EAIP,CAAC;CAEF,AAAmB,+BAAmB;EACpC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,OAAO,SAAS,eAAe;GAC/C,MAAM,QAAQ,MAAM;GAGpB,MAAM,eAAe,KAAK,wBAAwB,MAAM;AACxD,OAAI,aACF,UAAS,QAAQ,mBAAmB;GAGtC,MAAM,cAAc,KAAK,YAAY,MAAM;GAC3C,MAAM,gBAAgB,KAAK,cAAc,MAAM;AAG/C,OAAI,CAAC,eAAe,CAAC,cACnB;AAKF,OAAI,OAAO,SAAS,SAAS,SAC3B;AAIF,OAAI,SAAS,UAAU,SAAS,UAAU,IACxC;GAGF,MAAM,MAAM,KAAK,eAAe,OAAO,QAAQ;GAC/C,MAAM,gBAAgB,KAAK,aAAa,SAAS,KAAK;GACtD,MAAM,eAAe,KAAK,KAAK,aAAa;AAG5C,YAAS,YAAY,EAAE;AAGvB,OAAI,aAAa;AACf,SAAK,IAAI,MAAM,oBAAoB;KACjC;KACA,OAAO,MAAM;KACb,OAAO,CAAC,CAAC;KACT,MAAM;KACP,CAAC;AAEF,UAAM,KAAK,MAAM,IAAI,KAAK;KACxB,MAAM,SAAS;KACf,QAAQ,SAAS;KACjB,aAAa,SAAS,UAAU;KAChC;KACA,MAAM;KACP,CAAC;;AAIJ,OAAI,eAAe;AACjB,aAAS,QAAQ,OAAO;AACxB,aAAS,QAAQ,mBAAmB;;;EAGzC,CAAC;CAEF,AAAO,wBAAwB,OAA8C;AAC3E,MAAI,CAAC,MACH;AAIF,MACE,UAAU,QACV,OAAO,UAAU,YACjB,OAAO,UAAU,SAEjB;EAGF,MAAM,UAAU,MAAM;AACtB,MAAI,CAAC,QACH;AAIF,MAAI,OAAO,YAAY,SACrB,QAAO;AAIT,MAAI,YAAY,KACd,QAAO;EAIT,MAAMC,aAAuB,EAAE;AAE/B,MAAI,QAAQ,OACV,YAAW,KAAK,SAAS;AAE3B,MAAI,QAAQ,QACV,YAAW,KAAK,UAAU;AAE5B,MAAI,QAAQ,QACV,YAAW,KAAK,WAAW;AAE7B,MAAI,QAAQ,QACV,YAAW,KAAK,WAAW;AAE7B,MAAI,QAAQ,WAAW,QAAW;GAChC,MAAM,gBAAgB,KAAK,kBAAkB,QAAQ,OAAO;AAC5D,cAAW,KAAK,WAAW,gBAAgB;;AAE7C,MAAI,QAAQ,YAAY,QAAW;GACjC,MAAM,iBAAiB,KAAK,kBAAkB,QAAQ,QAAQ;AAC9D,cAAW,KAAK,YAAY,iBAAiB;;AAE/C,MAAI,QAAQ,eACV,YAAW,KAAK,kBAAkB;AAEpC,MAAI,QAAQ,gBACV,YAAW,KAAK,mBAAmB;AAErC,MAAI,QAAQ,UACV,YAAW,KAAK,YAAY;AAG9B,SAAO,WAAW,SAAS,IAAI,WAAW,KAAK,KAAK,GAAG;;CAGzD,AAAU,kBAAkB,UAAyC;AACnE,MAAI,OAAO,aAAa,SACtB,QAAO;AAGT,SAAO,KAAK,KAAK,SAAS,SAAS,CAAC,WAAW;;CAGjD,AAAU,YAAY,OAAmC;AACvD,MAAI,CAAC,MAAO,QAAO;AACnB,MAAI,UAAU,KAAM,QAAO;AAC3B,MAAI,OAAO,UAAU,YAAY,MAAM,MAAO,QAAO;AACrD,SAAO;;CAGT,AAAU,cAAc,OAAmC;AAEzD,MAAI,UAAU,KAAM,QAAO;AAE3B,MAAI,OAAO,UAAU,YAAY,MAAM,KAAM,QAAO;AACpD,SAAO;;CAGT,AAAU,eAAe,OAAoB,QAAgC;EAC3E,MAAMC,SAAmB,EAAE;AAC3B,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,UAAU,EAAE,CAAC,CAC7D,QAAO,KAAK,GAAG,IAAI,GAAG,QAAQ;AAEhC,OAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAAQ,QAAQ,SAAS,EAAE,CAAC,CAC5D,QAAO,KAAK,GAAG,IAAI,GAAG,QAAQ;AAGhC,SAAO,GAAG,MAAM,OAAO,GAAG,MAAM,KAAK,WAAW,KAAK,GAAG,CAAC,GAAG,OAAO,KAAK,IAAI,CAAC,WAAW,KAAK,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC9WpG,MAAa,wCAA4B;CACvC,MAAM;CACN,UAAU,CAACC,0BAAa,oBAAoB;CAC7C,CAAC;;;;ACxBF,MAAM,YAAYC,SAAE,OAAO;CACzB,wBAAwBA,SAAE,QAAQ;EAChC,SAAS;EACT,KAAK;EACL,aAAa;EACd,CAAC;CACF,6BAA6BA,SAAE,QAAQ;EACrC,SAAS;EACT,KAAK;EACL,aAAa;EACd,CAAC;CACF,6BAA6BA,SAAE,QAAQ;EACrC,SAAS;EACT,KAAK;EACL,aAAa;EACd,CAAC;CACH,CAAC;AAEF,IAAa,0BAAb,MAAqC;CACnC,AAAmB,6BAAiBC,cAAO;CAC3C,AAAmB,uBAAW,UAAU;CACxC,AAAmB,kCAAe;CAElC,AAAgB,8BAAkB;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;AAErC,OAAI,QAAQ,KACV;AAIF,OAAI,CAAC,MAAM,QAAQ,KACjB;GAGF,IAAIC;AAEJ,OAAI,QAAQ,IAAI,KAAK,IACnB,cAAa,QAAQ,IAAI,IAAI;YACpB,QAAQ,IAAI,MAAM,IAC3B,cAAa,IAAI,QAAQ,QAAQ,KAAK;IACpC,QAAQ,QAAQ;IAChB,SAAS,QAAQ;IACjB,MAAMC,+BAAU,KAAK,QAAQ,IAAI,KAAK,IAAI;IAC1C,QAAQ;IACT,CAAqC;AAGxC,OAAI,CAAC,WACH;GAGF,MAAM,cAAc,QAAQ,QAAQ;GAGpC,MAAM,gBAAgB,QAAQ,QAAQ;AACtC,OAAI,eAAe;IACjB,MAAM,OAAO,OAAO,SAAS,eAAe,GAAG;AAC/C,QAAI,CAAC,OAAO,MAAM,KAAK,IAAI,OAAO,KAAK,IAAI,wBAAwB;AACjE,UAAK,IAAI,MACP,0CAA0C,KAAK,KAAK,KAAK,IAAI,yBAC9D;AACD,WAAM,IAAIC,wBAAU;MAClB,QAAQ;MACR,SAAS,sDAAsD,KAAK,IAAI,uBAAuB;MAChG,CAAC;;;AAIN,OAAI,CAAC,aAAa,WAAW,sBAAsB,EAAE;AACnD,QAAI,gCAAa,MAAM,CACrB;AAIF,UAAM,IAAIA,wBAAU;KAClB,QAAQ;KACR,SAAS,yBAAyB,YAAY;KAC/C,CAAC;;GAGJ,MAAM,EAAE,MAAM,YAAY,MAAM,KAAK,2BACnC,OACA,WACD;AAED,WAAQ,OAAO;AACf,WAAQ,SAAS,YAAY,EAAE,SAAS;;EAE3C,CAAC;CAEF,AAAgB,+BAAmB;EACjC,IAAI;EACJ,SAAS,OAAO,EAAE,cAAc;GAC9B,MAAM,UAAU,QAAQ,SAAS,WAAW;AAC5C,OAAI,OAAO,YAAY,WACrB,OAAM,SAAS;;EAGpB,CAAC;CAEF,MAAa,2BACX,OACA,SAIC;EACD,IAAIC;AAEJ,MAAI;AAEF,cAAW,MAAM,QAAQ,UAAU;WAC5B,OAAO;AACd,SAAM,IAAID,wBACR;IACE,QAAQ;IACR,SAAS;IACV,EACD,MACD;;EAGH,MAAME,OAA4B,EAAE;EACpC,MAAMC,YAA0B,EAAE;EAGlC,MAAM,iBAAiB,YAAY;AACjC,QAAK,MAAM,QAAQ,UACjB,KAAI;AACF,UAAM,KAAK,SAAS;WACd;;AAMZ,MAAI;GACF,IAAI,YAAY;GAChB,IAAI,YAAY;AAEhB,OAAI,MAAM,QAAQ,QAAQP,SAAE,OAAO,SAAS,MAAM,OAAO,KAAK,EAC5D;SAAK,MAAM,CAAC,KAAK,UAAU,OAAO,QAChC,MAAM,OAAO,KAAK,WACnB,CACC,KAAIA,SAAE,OAAO,SAAS,MAAM,CAC1B,4BAAe,MAAM,EAAE;KACrB,MAAM,OAAO,SAAS,IAAI,IAAI;AAE9B,SAAI,QAAQ,OAAO,SAAS,YAAY,iBAAiB,MAAM;MAC7D,MAAM,OAAO;AAGb;AACA,UAAI,YAAY,KAAK,IAAI,6BAA6B;AACpD,YAAK,IAAI,MACP,wCAAwC,UAAU,KAAK,KAAK,IAAI,8BACjE;AACD,aAAM,IAAII,wBAAU;QAClB,QAAQ;QACR,SAAS,oCAAoC,KAAK,IAAI;QACvD,CAAC;;AAIJ,UAAI,KAAK,OAAO,KAAK,IAAI,6BAA6B;AACpD,YAAK,IAAI,MACP,SAAS,IAAI,wBAAwB,KAAK,KAAK,KAAK,KAAK,IAAI,8BAC9D;AACD,aAAM,IAAIA,wBAAU;QAClB,QAAQ;QACR,SAAS,SAAS,IAAI,yCAAyC,KAAK,IAAI,4BAA4B;QACrG,CAAC;;AAIJ,mBAAa,KAAK;AAClB,UAAI,YAAY,KAAK,IAAI,wBAAwB;AAC/C,YAAK,IAAI,MACP,uCAAuC,UAAU,KAAK,KAAK,IAAI,yBAChE;AACD,aAAM,IAAIA,wBAAU;QAClB,QAAQ;QACR,SAAS,sDAAsD,KAAK,IAAI,uBAAuB;QAChG,CAAC;;MAGJ,MAAM,aAAa,MAAM,KAAK,iBAAiB,MAAM,IAAI;AACzD,WAAK,OAAO;AACZ,gBAAU,KAAK,WAAW;;WAEvB;KACL,MAAM,aAAa,SAAS,IAAI,IAAI;AACpC,SAAI,eAAe,MAAM;MAEvB,MAAM,cACJ,OAAO,eAAe,WAAW,aAAa;AAChD,WAAK,OAAO,KAAK,OAAO,MAAM,OAAO,OAAO,YAAY;;;;AAOlE,UAAO;IACL;IACA,SAAS,YAAY;AACnB,UAAK,MAAM,QAAQ,UACjB,OAAM,KAAK,SAAS;;IAGzB;WACM,OAAO;AAEd,SAAM,gBAAgB;AACtB,SAAM;;;;;;;;;;CAWV,MAAgB,iBACd,MACA,WACqB;EACrB,MAAM,UAAU,GAAGI,QAAG,QAAQ,CAAC,gCAAe;EAG9C,MAAM,cAAc,MAAM,KAAK,aAAa;AAI5C,wCAAgB,SAHD,OAAO,KAAK,YAAY,CAGP;EAGhC,MAAM,WAAY,KAAa,QAAQ,GAAG,UAAU,GAAG,KAAK,KAAK;AAsCjE,SApC+B;GAC7B,QAAQ;IACN,SAAS;IACT,MAAM,KAAK;IACX;IACD;GACD,MAAM;GACN,MAAM,KAAK,QAAQ;GACnB,cAAe,KAAa,gBAAgB,KAAK,KAAK;GACtD,UAAU;GACV,IAAI,OAAO;AACT,WAAO,KAAK,OAAO;;GAErB,SAAS;AACP,yCAAwB,QAAQ;;GAElC,MAAM,cAAc;IAClB,MAAM,UAAU,qCAAe,QAAQ;AACvC,WAAO,QAAQ,OAAO,MACpB,QAAQ,YACR,QAAQ,aAAa,QAAQ,WAC9B;;GAEH,MAAM,YAAY;AAChB,WAAO,qCAAe,SAAS,QAAQ;;GAEzC,MAAM,UAAU;AACd,QAAI,KAAK,OAAO,QACd;AAGF,uCAAa,QAAQ;AACrB,SAAK,OAAO,UAAU;;GAEzB;;;;;;;;;;;;;ACrRL,MAAa,4CAAgC;CAC3C,MAAM;CACN,UAAU,CAACC,4BAAc,wBAAwB;CAClD,CAAC;;;;AChBF,MAAa,kBAAkBC,SAAE,OAAOC,4BAAiB;CACvD,QAAQD,SAAE,SAASA,SAAE,QAAQ,CAAC;CAC9B,MAAMA,SAAE,SAASA,SAAE,MAAMA,SAAE,QAAQ,CAAC,CAAC;CACrC,MAAMA,SAAE,SAASA,SAAE,QAAQ,CAAC;CAC5B,UAAUA,SAAE,SAASA,SAAE,QAAQ,CAAC;CAChC,SAASA,SAAE,SAASA,SAAE,MAAM,CAAC;CAC7B,cAAcA,SAAE,SAASA,SAAE,UAAU,CAAC;CACtC,eAAeA,SAAE,SAASA,SAAE,UAAU,CAAC;CACxC,CAAC;;;;ACTF,MAAa,gCAAgB;CAC3B,MAAM;CACN,QAAQE,SAAE,OAAO;EACf,IAAIC,cAAG,WAAWD,SAAE,MAAM,CAAC;EAC3B,SAASC,cAAG,SAAS;EACrB,WAAWA,cAAG,WAAW;EACzB,WAAWA,cAAG,WAAW;EACzB,QAAQD,SAAE,MAAM;EAChB,SAASA,SAAE,SAASA,SAAE,MAAM,CAAC;EAC7B,cAAcA,SAAE,SAASA,SAAE,QAAQ,CAAC;EACpC,aAAaA,SAAE,SAASA,SAAE,QAAQ,CAAC;EACnC,QAAQA,SAAE,MAAM;EAChB,gBAAgBA,SAAE,SAASA,SAAE,UAAU,CAAC;EACxC,MAAMA,SAAE,MAAM;EACd,MAAMA,SAAE,QAAQ;EAChB,UAAUA,SAAE,QAAQ;EACpB,MAAMA,SAAE,SAASA,SAAE,MAAMA,SAAE,MAAM,CAAC,CAAC;EACnC,UAAUA,SAAE,SAASA,SAAE,QAAQ,CAAC;EACjC,CAAC;CACF,SAAS;EACP;EACA;EACA;EACA;EACA;EACA,EACE,SAAS,CAAC,UAAU,YAAY,EACjC;EACF;CACF,CAAC;;;;AC7BF,MAAa,qBAAqBE,SAAE,OAClC,MAAM,QACN,EAAE,EACF;CACE,OAAO;CACP,aAAa;CACd,CACF;;;;ACYD,IAAa,cAAb,MAAyB;CACvB,AAAmB,6BAAiBC,cAAO;CAC3C,AAAmB,kCAAe;CAClC,AAAmB,6CAA6B,MAAM;CACtD,AAAmB,uCAA2BC,iCAAiB;CAC/D,AAAmB,2CAAwB,EAAE,MAAM,WAAW,CAAC;CAE/D,AAAU,iCAAqB;EAC7B,IAAI;EACJ,SAAS,OAAO,EAAE,MAAM,QAAQ,SAAS,SAAS;AAChD,OAAI,QAAQ,YAAY,MACtB;GAGF,MAAM,WAAW,MAAM,KAAK,kBAAkB,KAAK;AAEnD,SAAM,KAAK,eAAe,OAAO;IAC/B,QAAQ;IACR,UAAU,KAAK;IACf,MAAM,KAAK;IACX,MAAM,KAAK;IACX,SAAS,QAAQ,MAAM;IACvB,cAAc,QAAQ,MAAM;IAC5B,gBAAgB,KAAK,kBAAkB,QAAQ,IAAI;IACnD,QAAQ,OAAO;IACf;IACD,CAAC;;EAEL,CAAC;CAEF,AAAU,uCAA2B;EACnC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS;AACjC,SAAM,KAAK,eAAe,WAAW;IACnC,QAAQ,EAAE,IAAI,IAAI;IAClB,QAAQ,EAAE,IAAI,OAAO,MAAM;IAC5B,CAAC;;EAEL,CAAC;;;;;;;;CAWF,MAAgB,kBAAkB,MAAiC;EACjE,MAAM,SAAS,MAAM,KAAK,aAAa;EACvC,MAAM,mCAAkB,SAAS;AACjC,OAAK,OAAO,OAAO,KAAK,OAAO,CAAC;AAChC,SAAO,KAAK,OAAO,MAAM;;;;;;;;;CAU3B,AAAO,OACL,aAAqB,KAAK,cAAc,MACtB;EAClB,MAAM,SAAS,KAAK,OACjB,YAAYC,sBAAQ,CACpB,MAAM,OAAO,GAAG,SAAS,WAAW;AAEvC,MAAI,CAAC,OACH,OAAM,IAAIC,4BAAc,WAAW,WAAW,cAAc;AAG9D,SAAO;;;;;;;;;CAYT,MAAa,UAAU,IAAe,EAAE,EAA6B;AACnE,IAAE,SAAS;EAEX,MAAM,QAAQ,KAAK,eAAe,kBAAkB;AAEpD,MAAI,EAAE,OACJ,OAAM,SAAS,EAAE,IAAI,EAAE,QAAQ;AAGjC,MAAI,EAAE,KACJ,OAAM,OAAO,EAAE,eAAe,EAAE,MAAM;AAGxC,MAAI,EAAE,KACJ,OAAM,OAAO,EAAE,OAAO,IAAI,EAAE,KAAK,IAAI;AAGvC,MAAI,EAAE,SACJ,OAAM,WAAW,EAAE,IAAI,EAAE,UAAU;AAGrC,MAAI,EAAE,QACJ,OAAM,UAAU,EAAE,IAAI,EAAE,SAAS;AAGnC,MAAI,EAAE,gBAAgB,EAAE,cACtB,OAAM,YAAY;GAChB,KAAK,EAAE;GACP,KAAK,EAAE;GACR;WACQ,EAAE,aACX,OAAM,YAAY,EAAE,KAAK,EAAE,cAAc;WAChC,EAAE,cACX,OAAM,YAAY,EAAE,KAAK,EAAE,eAAe;AAG5C,SAAO,MAAM,KAAK,eACf,SAAS,GAAG,EAAE,OAAO,EAAE,EAAE,OAAO,MAAM,CAAC,CACvC,MAAM,SAAS;AACd,UAAO;IACL,GAAG;IACH,SAAS,KAAK,QAAQ,KAAK,OAAO,KAAK,iBAAiB,GAAG,CAAC;IAC7D;IACD;;;;;;;;CASN,MAAa,mBAA0C;AACrD,SAAO,MAAM,KAAK,eAAe,SAAS;GACxC,OAAO;GACP,OAAO,EACL,gBAAgB,EAAE,KAAK,KAAK,iBAAiB,cAAc,EAAE,EAC9D;GACF,CAAC;;;;;;;;;CAUJ,AAAU,kBAAkB,KAAwC;AAClE,SAAO,MACH,KAAK,iBACF,KAAK,CACL,IAAI,KAAK,iBAAiB,SAAS,IAAI,CAAC,CACxC,aAAa,GAChB;;;;;;;;;;;;;;;CAgBN,MAAa,WACX,MACA,UAKI,EAAE,EACe;EACrB,MAAM,SAAS,KAAK,OAAO,QAAQ,OAAO;EAE1C,MAAM,WAAW,MAAM,KAAK,kBAAkB,KAAK;EACnD,MAAM,SAAS,MAAM,OAAO,OAAO,MAAM,EAAE,SAAS,OAAO,CAAC;EAE5D,IAAIC;AACJ,MAAI,QAAQ,eACV,kBAAiB,KAAK,iBACnB,GAAG,QAAQ,eAAe,CAC1B,aAAa;WACP,OAAO,QAAQ,IACxB,kBAAiB,KAAK,kBAAkB,OAAO,QAAQ,IAAI;AAG7D,SAAO,MAAM,KAAK,eAAe,OAAO;GAC9B;GACR,UAAU,KAAK;GACf,MAAM,KAAK;GACX,MAAM,KAAK;GACX,SAAS,QAAQ,MAAM;GACvB,cAAc,QAAQ,MAAM;GAC5B,aAAa,QAAQ,MAAM;GAC3B;GACA,QAAQ,OAAO;GACf,MAAM,QAAQ;GACd;GACD,CAAC;;;;;;;;;;CAWJ,MAAa,WAAW,IAA+B;EACrD,MAAM,SAAS,MAAM,KAAK,YAAY,GAAG;AAGzC,SAAO,MAFQ,KAAK,OAAO,OAAO,OAAO,CAErB,SAAS,OAAO,OAAO;;;;;;;;;;;;;;CAe7C,MAAa,WACX,IACA,MAKqB;EACrB,MAAM,OAAO,MAAM,KAAK,YAAY,GAAG;EAEvC,MAAMC,aAAkC,EAAE;AAE1C,MAAI,KAAK,SAAS,OAChB,YAAW,OAAO,KAAK;AAGzB,MAAI,KAAK,SAAS,OAChB,YAAW,OAAO,KAAK;AAGzB,MAAI,KAAK,mBAAmB,OAC1B,YAAW,iBAAiB,KAAK,iBAC9B,GAAG,KAAK,eAAe,CACvB,aAAa;AAGlB,SAAO,MAAM,KAAK,eAAe,WAAW,KAAK,IAAI,WAAW;;;;;;;;;;;CAYlE,MAAa,WAAW,IAAyB;EAC/C,MAAM,OAAO,MAAM,KAAK,YAAY,GAAG;EACvC,MAAM,SAAS,KAAK,OAAO,KAAK,OAAO;AAGvC,QAAM,KAAK,eAAe,WAAW,KAAK,GAAG;AAE7C,MAAI;AACF,SAAM,OAAO,OAAO,KAAK,QAAQ,KAAK;WAC/B,GAAG;AACV,OAAI,aAAaC,gCAEf,MAAK,IAAI,MACP,QAAQ,KAAK,OAAO,uBAAuB,OAAO,KAAK,+BACxD;OAGD,MAAK,IAAI,KACP,yBAAyB,KAAK,OAAO,eAAe,OAAO,QAC3D,EACD;;AAIL,SAAO;GAAE,IAAI;GAAM,IAAI,OAAO,KAAK,GAAG;GAAE;;;;;;;;;;CAW1C,MAAa,YAAY,IAA8C;AACrE,MAAI,OAAO,OAAO,SAChB,QAAO;AAGT,SAAO,MAAM,KAAK,eAAe,SAAS,GAAG;;;;;;;CAQ/C,MAAa,kBAAyC;EACpD,MAAM,WAAW,MAAM,KAAK,eAAe,SAAS,EAAE,CAAC;EAEvD,MAAM,YAAY,SAAS,QAAQ,KAAK,SAAS,MAAM,KAAK,MAAM,EAAE;EACpE,MAAM,aAAa,SAAS;EAG5B,MAAM,4BAAY,IAAI,KAGnB;AACH,OAAK,MAAM,QAAQ,UAAU;GAC3B,MAAM,WAAW,UAAU,IAAI,KAAK,OAAO,IAAI;IAC7C,WAAW;IACX,WAAW;IACZ;AACD,YAAS,aAAa,KAAK;AAC3B,YAAS,aAAa;AACtB,aAAU,IAAI,KAAK,QAAQ,SAAS;;EAItC,MAAM,8BAAc,IAAI,KAAqB;AAC7C,OAAK,MAAM,QAAQ,UAAU;GAC3B,MAAM,WAAW,YAAY,IAAI,KAAK,SAAS,IAAI;AACnD,eAAY,IAAI,KAAK,UAAU,WAAW,EAAE;;AAG9C,SAAO;GACL;GACA;GACA,UAAU,MAAM,KAAK,UAAU,SAAS,CAAC,CAAC,KAAK,CAAC,QAAQ,YAAY;IAClE;IACA,WAAW,MAAM;IACjB,WAAW,MAAM;IAClB,EAAE;GACH,YAAY,MAAM,KAAK,YAAY,SAAS,CAAC,CAAC,KAC3C,CAAC,UAAU,gBAAgB;IAC1B;IACA;IACD,EACF;GACF;;;;;;;;;CAUH,AAAO,iBAAiB,QAAkC;AACxD,SAAO;;;;;;;;;;ACvYX,IAAa,iBAAb,MAA4B;CAC1B,AAAmB,MAAM;CACzB,AAAmB,QAAQ;CAC3B,AAAmB,kCAAsB,YAAY;;;;;CAMrD,AAAgB,uCAAoB;EAClC,MAAM,KAAK;EACX,OAAO,KAAK;EACZ,aAAa;EACb,QAAQ;GACN,OAAO;GACP,UAAUC,cAAG,KAAK,mBAAmB;GACtC;EACD,UAAU,EAAE,YAAY,KAAK,YAAY,UAAU,MAAM;EAC1D,CAAC;;;;;CAMF,AAAgB,wCAAqB;EACnC,QAAQ;EACR,MAAM,GAAG,KAAK,IAAI;EAClB,OAAO,KAAK;EACZ,aAAa;EACb,QAAQ;GACN,QAAQC,SAAE,OAAO,EACf,IAAIA,SAAE,MAAM,EACb,CAAC;GACF,UAAUC;GACX;EACD,UAAU,EAAE,aAAa,KAAK,YAAY,WAAW,OAAO,GAAG;EAChE,CAAC;;;;;;CAOF,AAAgB,wCAAqB;EACnC,MAAM,KAAK;EACX,OAAO,KAAK;EACZ,aAAa;EACb,QAAQ;GACN,MAAMD,SAAE,OAAO,EACb,MAAMA,SAAE,MAAM,EACf,CAAC;GACF,OAAOA,SAAE,OAAO;IACd,gBAAgBA,SAAE,SAASA,SAAE,UAAU,CAAC;IACxC,QAAQA,SAAE,SAASA,SAAE,QAAQ,CAAC;IAC/B,CAAC;GACF,UAAU;GACX;EACD,SAAS,OAAO,EAAE,MAAM,MAAM,YAC5B,KAAK,YAAY,WAAW,KAAK,MAAM;GACrC;GACA,GAAG;GACJ,CAAC;EACL,CAAC;;;;;CAMF,AAAgB,wCAAqB;EACnC,QAAQ;EACR,MAAM,GAAG,KAAK,IAAI;EAClB,OAAO,KAAK;EACZ,aAAa;EACb,QAAQ;GACN,QAAQA,SAAE,OAAO,EACf,IAAIA,SAAE,MAAM,EACb,CAAC;GACF,MAAMA,SAAE,OAAO;IACb,MAAMA,SAAE,SAASA,SAAE,QAAQ,CAAC;IAC5B,MAAMA,SAAE,SAASA,SAAE,MAAMA,SAAE,QAAQ,CAAC,CAAC;IACrC,gBAAgBA,SAAE,SAASA,SAAE,UAAU,CAAC;IACzC,CAAC;GACF,UAAU;GACX;EACD,UAAU,EAAE,QAAQ,WAAW,KAAK,YAAY,WAAW,OAAO,IAAI,KAAK;EAC5E,CAAC;;;;;;CAOF,AAAgB,wCAAqB;EACnC,MAAM,GAAG,KAAK,IAAI;EAClB,OAAO,KAAK;EACZ,aAAa;EACb,OAAO;GACL,MAAM;GACN,SAAS;IACP,QAAQ;IACR,QAAQ,CAAC,GAAG,OAAO;IACnB,WAAW;IACZ;GACF;EACD,QAAQ;GACN,QAAQA,SAAE,OAAO,EACf,IAAIA,SAAE,MAAM,EACb,CAAC;GACF,UAAUA,SAAE,MAAM;GACnB;EACD,SAAS,OAAO,EAAE,aAAa;AAC7B,UAAO,MAAM,KAAK,YAAY,WAAW,OAAO,GAAG;;EAEtD,CAAC;;;;;ACnGJ,IAAa,0BAAb,MAAqC;CACnC,AAAmB,6BAAiBE,cAAO;CAC3C,AAAmB,kCAAe;CAClC,AAAmB,qCAAyBC,mCAAqB;CACjE,AAAmB,QAAQ;;;;CAK3B,AAAgB,kBAA+C,EAAE;;;;CAKjE,AAAO,aAAa,QAAyC;AAC3D,OAAK,gBAAgB,KAAK,OAAO;;CAGnC,AAAgB,4BAAgB;EAC9B,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,QAAQ,KAAK,gBACtB,KAAI,KAAK,MACP,MAAK,MAAM,WAAW,KAAK,OAAO;IAChC,MAAM,gBAAgB,KAAK,eAAe,UAAU,QAAQ;AAC5D,SAAK,MAAM,SAAS,cAClB,OAAM,SAAS,EACb,OAAO;KACL,UAAU,KAAK;KACf,UAAU,KAAK;KAChB,EACF;;AAMT,OAAI,KAAK,gBAAgB,SAAS,EAChC,MAAK,IAAI,KACP,oBAAoB,KAAK,gBAAgB,OAAO,wCACjD;;EAGN,CAAC;;;;CAKF,AAAgB,8BAAkB;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,YAAY,MAAM;AACxB,OACE,OAAO,cAAc,YACrB,WAAW,aACX,UAAU,MAEV,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAgB,oCAAwB;EACtC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,YAAY,OAAO,MAAM;AAC/B,OAAI,YAAY,UAAU,CACxB,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAO,UAAU,SAAwB,SAAiC;EACxE,MAAM,aAAa,QAAQ,SAAS;AAEpC,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,EAAE;AACnD,QAAK,iBAAiB,QAAQ;AAC9B,SAAM,IAAIC,wBAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;EAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;EAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;EAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;EAC3C,MAAM,WACJ,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG;EACzD,MAAM,WAAW,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG;AAUzE,MAAI,CAPY,KAAK,0BACnB,UACA,UACA,QAAQ,UACR,QAAQ,SACT,EAEa;AACZ,QAAK,iBAAiB,QAAQ;AAC9B,QAAK,IAAI,KAAK,sCAAsC,EAClD,UACD,CAAC;AACF,SAAM,IAAIA,wBAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;;;;;;CAQN,AAAU,0BACR,eACA,eACA,kBACA,kBACS;EAET,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;EAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAS9D,UALkB,KAAK,YAAY,cAAc,gBAAgB,GAC/C,KAAK,YAAY,cAAc,gBAAgB,MAI9B;;;;;;CAOrC,AAAU,YAAY,OAAe,UAA0B;AAG7D,MAAI,MAAM,WAAW,SAAS,QAAQ;AAEpC,oCAAgB,OAAO,MAAM;AAC7B,UAAO;;AAGT,0CAAuB,OAAO,SAAS,GAAG,IAAI;;;;;CAMhD,AAAU,iBAAiB,SAA8B;AACvD,UAAQ,MAAM,UAAU,oBAAoB,gBAAgB,KAAK,MAAM,GAAG;;;AAI9E,MAAa,eACX,UACyC;AACzC,QACE,OAAO,UAAU,YAAY,CAAC,CAAC,SAAS,WAAW,SAAS,CAAC,CAAC,MAAM;;;;;;;;;AC5LxE,MAAa,cACX,YACgC;AAChC,qCAAwB,qBAAqB,QAAQ;;AAWvD,IAAa,sBAAb,cACUC,kBAEV;CACE,AAAmB,8CAAkC,wBAAwB;CAE7E,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,OAAO;;CAG7C,AAAU,SAAS;AAEjB,OAAK,wBAAwB,aAAa,KAAK,QAAQ;;;;;CAMzD,AAAO,MAAM,SAAwB,SAAkC;EACrE,MAAM,gBAAgB;GAAE,GAAG,KAAK;GAAS,GAAG;GAAS;AACrD,OAAK,wBAAwB,UAAU,SAAS,cAAc;;;AAIlE,WAAWC,eAAQ;;;;AC7BnB,IAAa,yBAAb,MAAoC;CAClC,AAAmB,kCAAe;CAClC,AAAmB,uCAA2BC,iCAAiB;CAC/D,AAAmB,kCAAsBC,4BAAY;CACrD,AAAmB,6BAAiBC,cAAO;CAE3C,AAAmB,gCAAoB;EACrC,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,UAAU,KAAK,OAAO,YAAYC,sBAAQ,EAAE;AAIrD,QACE,OAAO,QAAQ,YACf,OAAO,QAAQ,WAAW,SAC1B,KAAK,iBAAiB,WAAW,CAAC,WAAW,EAE7C;AAIF,QAAI,OADW,OAAO,QAAQ,WACR,SACpB,MAAK,iBAAiB,iBAAiB;KACrC,MAAM,OAAO;KACb,OAAO,OAAO;KACd,QAAQ,OAAO,MAAM;KACrB,MAAM,OAAO,MAAM;KACpB,CAAC;;;EAIT,CAAC;CAIF,AAAmB,oCAAwB;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,cAAc;AAG/C,OAAI,OAAO,QAAQ,WAAW,SAAS,CAAC,QAAQ,MAAM;AACpD,SAAK,IAAI,MAAM,oCAAoC;AACnD;;AAGF,OAAI,YAAY,OAAO,MAAM,OAAO,CAClC;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MACE,OACC,GAAG,SAAS,OAAO,MAAM,QAAQ,GAAG,WAAW,OAAO,MAAM,OAC/D;AAEH,OAAI;AACF,YAAQ,OAAO,KAAK,mCAClB,SACA,WACD;IAED,MAAM,QAAQ,OAAO;AACrB,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BACA,KAAK,OAAO,MAAM,OAAOC,uCAAuB,QAAQ,KAAK,CAC9D;YACM,OAAO;AACd,QAAI,OAAO,QAAQ,UAAU,WAC3B,OAAM;AAGR,SAAK,IAAI,MAAM,qCAAqC;;;EAGzD,CAAC;CAEF,AAAmB,8BAAkB;EACnC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,SAAS,YAAY;AAErC,OAAI,MAAM,WAAW,OAAO;AAC1B,SAAK,IAAI,MACP,0DACD;AACD;;AAGF,OAAI,YAAY,MAAM,OAAO,CAC3B;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MAAM,OAAO,GAAG,SAAS,MAAM,QAAQ,GAAG,WAAW,MAAM,OAAO;AAErE,OAAI,CAAC,QAAQ,QAAQ,iBAAiB,CAAC,MAAM,UAAU,CAAC,YAAY;AAClE,SAAK,IAAI,MACP,6EACD;AACD;;AAGF,OAAI;AAEF,YAAQ,OAAO,MAAM,KAAK,iBAAiB,oBACzC,QAAQ,QAAQ,eAChB,EAAE,YAAY,CACf;AAED,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BAEA,KAAK,OAAO,MAAM,OAAOA,uCAAuB,QAAQ,KAAK,CAC9D;AAED,SAAK,IAAI,MAAM,+BAA+B;KAC5C,MAAM,QAAQ;KACd;KACD,CAAC;YACK,OAAO;AACd,QAAI,MAAM,UAAU,WAClB,OAAM;AAIR,SAAK,IAAI,MACP,sDACA,MACD;;;EAGN,CAAC;CAIF,AAAU,MAAM,MAAwB,QAA2B;AACjE,MAAI,OAAO,OACT;OAAI,KAAK,UAAU,OAAO,MACxB,OAAM,IAAIC,6BACR,8BAA8B,OAAO,MAAM,wBAC5C;;;;;;;;;;;;;;CAgBP,AAAU,mCACR,SACA,YACkB;EAClB,MAAM,cACJ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAEpD,MAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAE/D,IAAIC;EAEJ,MAAM,cAAc,KAAK,OAAO,QAAQ,IAAmB,UAAU,EAAE;EACvE,MAAM,aAAa,KAAK,OAAO,MAAM,IACnC,qCACD;AAED,MAAI,SAAS,SACX,QAAO;WACE,SAAS,UAClB,QAAO;MAEP,QAAO,eAAe,eAAe;AAGvC,MAAI,CAAC,MAAM;AAET,OAAI,KAAK,OAAO,QAAQ,IAAI,EAAE,UAAU,SACtC,QAAO,KAAK,gBAAgB;AAG9B,SAAM,IAAIC,gCAAkB,2CAA2C;;EAGzE,MAAM,QACJ,KAAK,UACJ,KAAK,OAAO,QAAQ,GACjB,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK,GACzD,EAAE;EACR,IAAIC;AAEJ,MAAI,YAAY;GACd,MAAM,SAAS,KAAK,iBAAiB,gBACnC,YACA,GAAG,MACJ;AACD,OAAI,CAAC,OAAO,aACV,OAAM,IAAIH,6BACR,eAAe,KAAK,iBAAiB,mBAAmB,WAAW,CAAC,8BACrE;AAEH,eAAY,OAAO;;AAIrB,SAAO;GACL,GAAG;GACH;GACD;;CAOH,AAAU,iBAAmC;AAC3C,SAAO;GACL,iCAAgB;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,AAAmB,oCAAwB;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAIF,OAAI,UAAU,WAAW,QAAQ,SAAS,OACxC;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;;;;AChNJ,MAAa,2CAA+B;CAC1C,MAAM;CACN,aAAa;EAACI;EAAQC;EAAOC;EAAa;EAAW;CACrD,UAAU;EACRC;EACAC;EACA;EACA;EACD;CACF,CAAC;;;;AC1FF,MAAa,oBAAoBC,SAAE,OAAO;CACxC,QAAQA,SAAE,QAAQ;CAClB,WAAWA,SAAE,QAAQ;CACrB,WAAWA,SAAE,QAAQ;CACtB,CAAC;AAEF,MAAa,sBAAsBA,SAAE,OAAO;CAC1C,UAAUA,SAAE,QAAQ;CACpB,WAAWA,SAAE,QAAQ;CACtB,CAAC;AAEF,MAAa,qBAAqBA,SAAE,OAAO;CACzC,WAAWA,SAAE,QAAQ;CACrB,YAAYA,SAAE,QAAQ;CACtB,UAAUA,SAAE,MAAM,kBAAkB;CACpC,YAAYA,SAAE,MAAM,oBAAoB;CACzC,CAAC;;;;;;;;ACTF,IAAa,yBAAb,MAAoC;CAClC,AAAmB,MAAM;CACzB,AAAmB,QAAQ;CAC3B,AAAmB,kCAAsB,YAAY;;;;;;CAOrD,AAAgB,sCAAmB;EACjC,MAAM,KAAK;EACX,OAAO,KAAK;EACZ,aAAa;EACb,QAAQ,EACN,UAAU,oBACX;EACD,eAAe,KAAK,YAAY,iBAAiB;EAClD,CAAC;;;;;ACxBJ,IAAa,WAAb,MAAsB;CACpB,AAAmB,kCAAsB,YAAY;CAErD,AAAgB,8CAAwB;EACtC,aAAa;EACb,MAAM;EACN,SAAS,YAAY;GACnB,MAAMC,UAAQ,MAAM,KAAK,YAAY,kBAAkB;AAEvD,SAAM,QAAQ,IACZA,QAAM,KAAK,SAAS,KAAK,YAAY,WAAW,KAAK,GAAG,CAAC,CAC1D;;EAEJ,CAAC;;;;;;;;;;;;;ACwCJ,MAAa,qCAAyB;CACpC,MAAM;CACN,UAAU;EAAC;EAAgB;EAAwB;EAAU;EAAY;CACzE,WAAW,aAAW;AACpB,WACG,KAAKC,2BAAa,CAClB,KAAK,kBAAkB,CACvB,KAAK,sBAAsB,CAC3B,KAAK,eAAe,CACpB,KAAK,uBAAuB,CAC5B,KAAK,SAAS;;CAEpB,CAAC"}