alepha 0.15.2 → 0.15.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (180) hide show
  1. package/README.md +68 -80
  2. package/dist/api/audits/index.d.ts.map +1 -1
  3. package/dist/api/audits/index.js +8 -0
  4. package/dist/api/audits/index.js.map +1 -1
  5. package/dist/api/files/index.d.ts +170 -170
  6. package/dist/api/files/index.d.ts.map +1 -1
  7. package/dist/api/files/index.js +1 -0
  8. package/dist/api/files/index.js.map +1 -1
  9. package/dist/api/jobs/index.d.ts.map +1 -1
  10. package/dist/api/jobs/index.js +3 -0
  11. package/dist/api/jobs/index.js.map +1 -1
  12. package/dist/api/notifications/index.browser.js +1 -0
  13. package/dist/api/notifications/index.browser.js.map +1 -1
  14. package/dist/api/notifications/index.js +1 -0
  15. package/dist/api/notifications/index.js.map +1 -1
  16. package/dist/api/parameters/index.d.ts +260 -260
  17. package/dist/api/parameters/index.d.ts.map +1 -1
  18. package/dist/api/parameters/index.js +10 -0
  19. package/dist/api/parameters/index.js.map +1 -1
  20. package/dist/api/users/index.d.ts +12 -1
  21. package/dist/api/users/index.d.ts.map +1 -1
  22. package/dist/api/users/index.js +18 -2
  23. package/dist/api/users/index.js.map +1 -1
  24. package/dist/batch/index.d.ts +4 -4
  25. package/dist/bucket/index.d.ts +8 -0
  26. package/dist/bucket/index.d.ts.map +1 -1
  27. package/dist/bucket/index.js +7 -2
  28. package/dist/bucket/index.js.map +1 -1
  29. package/dist/cli/index.d.ts +196 -74
  30. package/dist/cli/index.d.ts.map +1 -1
  31. package/dist/cli/index.js +234 -50
  32. package/dist/cli/index.js.map +1 -1
  33. package/dist/command/index.d.ts +10 -0
  34. package/dist/command/index.d.ts.map +1 -1
  35. package/dist/command/index.js +67 -13
  36. package/dist/command/index.js.map +1 -1
  37. package/dist/core/index.browser.js +28 -21
  38. package/dist/core/index.browser.js.map +1 -1
  39. package/dist/core/index.d.ts.map +1 -1
  40. package/dist/core/index.js +28 -21
  41. package/dist/core/index.js.map +1 -1
  42. package/dist/core/index.native.js +28 -21
  43. package/dist/core/index.native.js.map +1 -1
  44. package/dist/email/index.d.ts +21 -13
  45. package/dist/email/index.d.ts.map +1 -1
  46. package/dist/email/index.js +10561 -4
  47. package/dist/email/index.js.map +1 -1
  48. package/dist/lock/core/index.d.ts +6 -1
  49. package/dist/lock/core/index.d.ts.map +1 -1
  50. package/dist/lock/core/index.js +9 -1
  51. package/dist/lock/core/index.js.map +1 -1
  52. package/dist/mcp/index.d.ts +5 -5
  53. package/dist/orm/index.bun.js +32 -16
  54. package/dist/orm/index.bun.js.map +1 -1
  55. package/dist/orm/index.d.ts +4 -1
  56. package/dist/orm/index.d.ts.map +1 -1
  57. package/dist/orm/index.js +34 -22
  58. package/dist/orm/index.js.map +1 -1
  59. package/dist/react/auth/index.browser.js +2 -1
  60. package/dist/react/auth/index.browser.js.map +1 -1
  61. package/dist/react/auth/index.js +2 -1
  62. package/dist/react/auth/index.js.map +1 -1
  63. package/dist/react/core/index.d.ts +3 -3
  64. package/dist/react/router/index.browser.js +9 -15
  65. package/dist/react/router/index.browser.js.map +1 -1
  66. package/dist/react/router/index.d.ts +305 -407
  67. package/dist/react/router/index.d.ts.map +1 -1
  68. package/dist/react/router/index.js +581 -781
  69. package/dist/react/router/index.js.map +1 -1
  70. package/dist/scheduler/index.d.ts +13 -1
  71. package/dist/scheduler/index.d.ts.map +1 -1
  72. package/dist/scheduler/index.js +42 -4
  73. package/dist/scheduler/index.js.map +1 -1
  74. package/dist/security/index.d.ts +42 -42
  75. package/dist/security/index.d.ts.map +1 -1
  76. package/dist/security/index.js +8 -7
  77. package/dist/security/index.js.map +1 -1
  78. package/dist/server/auth/index.d.ts +167 -167
  79. package/dist/server/compress/index.d.ts.map +1 -1
  80. package/dist/server/compress/index.js +1 -0
  81. package/dist/server/compress/index.js.map +1 -1
  82. package/dist/server/health/index.d.ts +17 -17
  83. package/dist/server/links/index.d.ts +39 -39
  84. package/dist/server/links/index.js +1 -1
  85. package/dist/server/links/index.js.map +1 -1
  86. package/dist/server/static/index.js +7 -2
  87. package/dist/server/static/index.js.map +1 -1
  88. package/dist/server/swagger/index.d.ts +8 -0
  89. package/dist/server/swagger/index.d.ts.map +1 -1
  90. package/dist/server/swagger/index.js +7 -2
  91. package/dist/server/swagger/index.js.map +1 -1
  92. package/dist/sms/index.d.ts +8 -0
  93. package/dist/sms/index.d.ts.map +1 -1
  94. package/dist/sms/index.js +7 -2
  95. package/dist/sms/index.js.map +1 -1
  96. package/dist/system/index.browser.js +734 -12
  97. package/dist/system/index.browser.js.map +1 -1
  98. package/dist/system/index.d.ts +8 -0
  99. package/dist/system/index.d.ts.map +1 -1
  100. package/dist/system/index.js +7 -2
  101. package/dist/system/index.js.map +1 -1
  102. package/dist/vite/index.d.ts +3 -2
  103. package/dist/vite/index.d.ts.map +1 -1
  104. package/dist/vite/index.js +42 -8
  105. package/dist/vite/index.js.map +1 -1
  106. package/dist/websocket/index.d.ts +34 -34
  107. package/dist/websocket/index.d.ts.map +1 -1
  108. package/package.json +9 -4
  109. package/src/api/audits/controllers/AdminAuditController.ts +8 -0
  110. package/src/api/files/controllers/AdminFileStatsController.ts +1 -0
  111. package/src/api/jobs/controllers/AdminJobController.ts +3 -0
  112. package/src/api/logs/TODO.md +13 -10
  113. package/src/api/notifications/controllers/AdminNotificationController.ts +1 -0
  114. package/src/api/parameters/controllers/AdminConfigController.ts +10 -0
  115. package/src/api/users/controllers/AdminIdentityController.ts +3 -0
  116. package/src/api/users/controllers/AdminSessionController.ts +3 -0
  117. package/src/api/users/controllers/AdminUserController.ts +5 -0
  118. package/src/cli/apps/AlephaPackageBuilderCli.ts +9 -0
  119. package/src/cli/atoms/buildOptions.ts +99 -9
  120. package/src/cli/commands/build.ts +150 -32
  121. package/src/cli/commands/db.ts +5 -7
  122. package/src/cli/commands/init.spec.ts +50 -6
  123. package/src/cli/commands/init.ts +28 -5
  124. package/src/cli/providers/ViteDevServerProvider.ts +31 -9
  125. package/src/cli/services/AlephaCliUtils.ts +16 -0
  126. package/src/cli/services/PackageManagerUtils.ts +2 -0
  127. package/src/cli/services/ProjectScaffolder.spec.ts +97 -0
  128. package/src/cli/services/ProjectScaffolder.ts +28 -6
  129. package/src/cli/templates/agentMd.ts +6 -1
  130. package/src/cli/templates/apiAppSecurityTs.ts +11 -0
  131. package/src/cli/templates/apiIndexTs.ts +18 -4
  132. package/src/cli/templates/webAppRouterTs.ts +25 -1
  133. package/src/cli/templates/webHelloComponentTsx.ts +15 -5
  134. package/src/command/helpers/Runner.spec.ts +135 -0
  135. package/src/command/helpers/Runner.ts +4 -1
  136. package/src/command/providers/CliProvider.spec.ts +325 -0
  137. package/src/command/providers/CliProvider.ts +117 -7
  138. package/src/core/Alepha.ts +32 -25
  139. package/src/email/index.workerd.ts +36 -0
  140. package/src/email/providers/WorkermailerEmailProvider.ts +221 -0
  141. package/src/lock/core/primitives/$lock.ts +13 -1
  142. package/src/orm/index.bun.ts +1 -1
  143. package/src/orm/index.ts +2 -6
  144. package/src/orm/providers/drivers/BunSqliteProvider.ts +4 -1
  145. package/src/orm/providers/drivers/CloudflareD1Provider.ts +57 -30
  146. package/src/orm/providers/drivers/DatabaseProvider.ts +9 -1
  147. package/src/orm/providers/drivers/NodeSqliteProvider.ts +4 -1
  148. package/src/react/auth/services/ReactAuth.ts +3 -1
  149. package/src/react/router/atoms/ssrManifestAtom.ts +7 -0
  150. package/src/react/router/hooks/useActive.ts +1 -1
  151. package/src/react/router/hooks/useRouter.ts +1 -1
  152. package/src/react/router/index.ts +4 -0
  153. package/src/react/router/primitives/$page.browser.spec.tsx +24 -24
  154. package/src/react/router/primitives/$page.spec.tsx +0 -32
  155. package/src/react/router/primitives/$page.ts +6 -14
  156. package/src/react/router/providers/ReactBrowserProvider.ts +6 -3
  157. package/src/react/router/providers/ReactPageProvider.ts +1 -1
  158. package/src/react/router/providers/ReactPreloadProvider.spec.ts +142 -0
  159. package/src/react/router/providers/ReactPreloadProvider.ts +85 -0
  160. package/src/react/router/providers/ReactServerProvider.ts +21 -82
  161. package/src/react/router/providers/ReactServerTemplateProvider.spec.ts +210 -0
  162. package/src/react/router/providers/ReactServerTemplateProvider.ts +228 -665
  163. package/src/react/router/providers/SSRManifestProvider.ts +7 -0
  164. package/src/react/router/services/ReactRouter.ts +13 -13
  165. package/src/scheduler/index.workerd.ts +43 -0
  166. package/src/scheduler/providers/CronProvider.ts +53 -6
  167. package/src/scheduler/providers/WorkerdCronProvider.ts +102 -0
  168. package/src/security/__tests__/ServerSecurityProvider.spec.ts +77 -0
  169. package/src/security/providers/ServerSecurityProvider.ts +30 -22
  170. package/src/server/compress/providers/ServerCompressProvider.ts +6 -0
  171. package/src/server/core/providers/NodeHttpServerProvider.spec.ts +9 -3
  172. package/src/server/links/providers/ServerLinksProvider.spec.ts +332 -0
  173. package/src/server/links/providers/ServerLinksProvider.ts +1 -1
  174. package/src/system/index.browser.ts +25 -0
  175. package/src/system/index.workerd.ts +1 -0
  176. package/src/system/providers/FileSystemProvider.ts +8 -0
  177. package/src/system/providers/NodeFileSystemProvider.ts +11 -2
  178. package/src/vite/tasks/buildServer.ts +2 -12
  179. package/src/vite/tasks/generateCloudflare.ts +47 -8
  180. package/src/vite/tasks/generateDocker.ts +4 -0
package/dist/security/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["encode","decodeBase64URL","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u","encode","#payload","#payload","#protectedHeader","#unprotectedHeader","b64u","encode","#flattened","#jwt","#protectedHeader","#jwks","#cached","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#headers","#customFetch","#cache","#jwksTimestamp","#local","#pendingFetch"],"sources":["../../src/security/providers/ServerBasicAuthProvider.ts","../../src/security/primitives/$basicAuth.ts","../../src/security/errors/SecurityError.ts","../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../../../node_modules/jose/dist/webapi/lib/base64.js","../../../../node_modules/jose/dist/webapi/util/base64url.js","../../../../node_modules/jose/dist/webapi/util/errors.js","../../../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../../../node_modules/jose/dist/webapi/lib/is_disjoint.js","../../../../node_modules/jose/dist/webapi/lib/is_object.js","../../../../node_modules/jose/dist/webapi/lib/check_key_length.js","../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../../../node_modules/jose/dist/webapi/key/import.js","../../../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../../../node_modules/jose/dist/webapi/lib/is_jwk.js","../../../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../../../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../../../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../../../../node_modules/jose/dist/webapi/lib/verify.js","../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../../../node_modules/jose/dist/webapi/jws/compact/verify.js","../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../../../../node_modules/jose/dist/webapi/jwt/verify.js","../../../../node_modules/jose/dist/webapi/lib/sign.js","../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/jose/dist/webapi/jwt/sign.js","../../../../node_modules/jose/dist/webapi/jwks/local.js","../../../../node_modules/jose/dist/webapi/jwks/remote.js","../../src/security/providers/JwtProvider.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.ts"],"sourcesContent":["import { timingSafeEqual } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n HttpError,\n type ServerRequest,\n ServerRouterProvider,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface BasicAuthOptions {\n username: string;\n password: string;\n}\n\nexport interface BasicAuthPrimitiveConfig extends BasicAuthOptions {\n /**\n * Name identifier for this basic auth (default: property key).\n */\n name?: string;\n /**\n * Path patterns to match (supports wildcards like /devtools/*).\n */\n paths?: string[];\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerBasicAuthProvider {\n protected readonly alepha = $inject(Alepha);\n protected readonly log = $logger();\n protected readonly routerProvider = $inject(ServerRouterProvider);\n protected readonly realm = \"Secure Area\";\n\n /**\n * Registered basic auth primitives with their configurations\n */\n public readonly registeredAuths: BasicAuthPrimitiveConfig[] = [];\n\n /**\n * Register a basic auth configuration (called by primitives)\n */\n public registerAuth(config: BasicAuthPrimitiveConfig): void {\n this.registeredAuths.push(config);\n }\n\n public readonly onStart = $hook({\n on: \"start\",\n handler: async () => {\n for (const auth of this.registeredAuths) {\n if (auth.paths) {\n for (const pattern of auth.paths) {\n const matchedRoutes = this.routerProvider.getRoutes(pattern);\n for (const route of matchedRoutes) {\n route.secure = {\n basic: {\n username: auth.username,\n password: auth.password,\n },\n };\n }\n }\n }\n }\n\n if (this.registeredAuths.length > 0) {\n this.log.info(\n `Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`,\n );\n }\n },\n });\n\n /**\n * Hook into server:onRequest to check basic auth\n */\n public readonly onRequest = $hook({\n on: \"server:onRequest\",\n handler: async ({ route, request }) => {\n const routeAuth = route.secure;\n if (\n typeof routeAuth === \"object\" &&\n \"basic\" in routeAuth &&\n routeAuth.basic\n ) {\n this.checkAuth(request, routeAuth.basic);\n }\n },\n });\n\n /**\n * Hook into action:onRequest to check basic auth for actions\n */\n public readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async ({ action, request }) => {\n const routeAuth = action.route.secure;\n if (isBasicAuth(routeAuth)) {\n this.checkAuth(request, routeAuth.basic);\n }\n },\n });\n\n /**\n * Check basic authentication\n */\n public checkAuth(request: ServerRequest, options: BasicAuthOptions): void {\n const authHeader = request.headers?.authorization;\n\n if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n this.sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n // decode base64 credentials\n const base64Credentials = authHeader.slice(6); // Remove \"Basic \"\n const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n \"utf-8\",\n );\n\n // split only on the first colon to handle passwords with colons\n const colonIndex = credentials.indexOf(\":\");\n const username =\n colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n // verify credentials using timing-safe comparison to prevent timing attacks\n const isValid = this.timingSafeCredentialCheck(\n username,\n password,\n options.username,\n options.password,\n );\n\n if (!isValid) {\n this.sendAuthRequired(request);\n this.log.warn(`Failed basic auth attempt for user`, {\n username,\n });\n throw new HttpError({\n status: 401,\n message: \"Invalid credentials\",\n });\n }\n }\n\n /**\n * Performs a timing-safe comparison of credentials to prevent timing attacks.\n * Always compares both username and password to avoid leaking which one is wrong.\n */\n protected timingSafeCredentialCheck(\n inputUsername: string,\n inputPassword: string,\n expectedUsername: string,\n expectedPassword: string,\n ): boolean {\n // Convert to buffers for timing-safe comparison\n const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n // timingSafeEqual requires same-length buffers\n // When lengths differ, we compare against a dummy buffer to maintain constant time\n const userMatch = this.safeCompare(inputUserBuf, expectedUserBuf);\n const passMatch = this.safeCompare(inputPassBuf, expectedPassBuf);\n\n // Both must match - bitwise AND avoids short-circuit evaluation\n // eslint-disable-next-line no-bitwise\n return (userMatch & passMatch) === 1;\n }\n\n /**\n * Compares two buffers in constant time, handling different lengths safely.\n * Returns 1 if equal, 0 if not equal.\n */\n protected safeCompare(input: Buffer, expected: Buffer): number {\n // If lengths differ, compare input against itself to maintain timing\n // but return 0 (not equal)\n if (input.length !== expected.length) {\n // Still perform a comparison to keep timing consistent\n timingSafeEqual(input, input);\n return 0;\n }\n\n return timingSafeEqual(input, expected) ? 1 : 0;\n }\n\n /**\n * Send WWW-Authenticate header\n */\n protected sendAuthRequired(request: ServerRequest): void {\n request.reply.setHeader(\"WWW-Authenticate\", `Basic realm=\"${this.realm}\"`);\n }\n}\n\nexport const isBasicAuth = (\n value: unknown,\n): value is { basic: BasicAuthOptions } => {\n return (\n typeof value === \"object\" && !!value && \"basic\" in value && !!value.basic\n );\n};\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type {\n BasicAuthOptions,\n BasicAuthPrimitiveConfig,\n} from \"../providers/ServerBasicAuthProvider.ts\";\nimport { ServerBasicAuthProvider } from \"../providers/ServerBasicAuthProvider.ts\";\n\n/**\n * Declares HTTP Basic Authentication for server routes.\n * This primitive provides methods to protect routes with username/password authentication.\n */\nexport const $basicAuth = (\n options: BasicAuthPrimitiveConfig,\n): AbstractBasicAuthPrimitive => {\n return createPrimitive(BasicAuthPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface AbstractBasicAuthPrimitive {\n readonly name: string;\n readonly options: BasicAuthPrimitiveConfig;\n check(request: ServerRequest, options?: BasicAuthOptions): void;\n}\n\nexport class BasicAuthPrimitive\n extends Primitive<BasicAuthPrimitiveConfig>\n implements AbstractBasicAuthPrimitive\n{\n protected readonly serverBasicAuthProvider = $inject(ServerBasicAuthProvider);\n\n public get name(): string {\n return this.options.name ?? `${this.config.propertyKey}`;\n }\n\n protected onInit() {\n // Register this auth configuration with the provider\n this.serverBasicAuthProvider.registerAuth(this.options);\n }\n\n /**\n * Checks basic auth for the given request using this primitive's configuration.\n */\n public check(request: ServerRequest, options?: BasicAuthOptions): void {\n const mergedOptions = { ...this.options, ...options };\n this.serverBasicAuthProvider.checkAuth(request, mergedOptions);\n }\n}\n\n$basicAuth[KIND] = BasicAuthPrimitive;\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/sign.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n if (this.#protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.#unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /**\n * Adds a key loader to the embedded keystore.\n *\n * @param name\n * @param secretKeyOrJwks\n */\n public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.info(\n `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n );\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.info(\n `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n );\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.info(\n `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n );\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /**\n * Retrieves the payload from a JSON Web Token (JWT).\n *\n * @param token - The JWT to extract the payload from.\n *\n * @return A Promise that resolves with the payload object from the token.\n */\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /**\n * Creates a JWT token with the provided payload and secret key.\n *\n * @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n *\n * @returns The signed JWT token.\n */\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /**\n * Determines if the provided key is a secret key.\n *\n * @param key\n * @protected\n */\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organizations?: string[];\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","import {\n $env,\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n type Static,\n t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver, UserInfo } from \"../interfaces/IssuerResolver.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n APP_SECRET: t.text({\n default: DEFAULT_APP_SECRET,\n }),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n\n public get secretKey() {\n return this.env.APP_SECRET;\n }\n\n /**\n * The permissions configured for the security provider.\n */\n protected readonly permissions: Permission[] = [];\n\n /**\n * The realms configured for the security provider.\n */\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.env.APP_SECRET,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"*\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n this.log.warn(\n \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n );\n }\n\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n\n // Register default JWT resolver for realms without resolvers\n if (!realm.resolvers || realm.resolvers.length === 0) {\n this.registerResolver(\n this.createDefaultJwtResolver(realm.name),\n realm.name,\n );\n }\n }\n },\n });\n\n /**\n * Creates a default JWT resolver for a realm.\n */\n protected createDefaultJwtResolver(realmName: string): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, realmName);\n\n // Extract user info from JWT payload\n return this.createUserFromPayload(result.payload, realmName);\n },\n };\n }\n\n /**\n * Adds a role to one or more realms.\n *\n * @param role\n * @param realms\n */\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"*\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n if (name.endsWith(\":*\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":*\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /**\n * Adds a permission to the security provider.\n *\n * @param raw - The permission to add.\n */\n public createPermission(raw: Permission | string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n current: existing,\n new: permission,\n });\n\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /**\n * Updates the roles for a realm then synchronizes the user account provider if available.\n *\n * Only available when the app is started.\n *\n * @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n */\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Creates a user account from the provided payload.\n *\n * @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n *\n * @returns The user info created from the payload.\n */\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organizations = this.getOrganizationsFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organizations,\n sessionId,\n };\n }\n\n /**\n * Generic user creation from any source (JWT, API key, etc.).\n * Handles permission checking, ownership, default roles.\n */\n public createUser(\n userInfo: UserInfo,\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): UserAccountToken {\n const realmRoles = this.getRoles(options.realm).filter((it) => it.default);\n const roles = [...(userInfo.roles ?? [])];\n\n // Add default roles\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n let ownership: string | boolean | undefined;\n\n // Permission check\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n ownership = check.ownership;\n }\n\n return {\n ...userInfo,\n roles,\n ownership,\n realm: options.realm,\n };\n }\n\n /**\n * Register a resolver to a realm.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver, realmName?: string): void {\n const realm = this.getRealm(realmName);\n if (!realm.resolvers) {\n realm.resolvers = [];\n }\n\n realm.resolvers.push(resolver);\n realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));\n }\n\n /**\n * Get a realm by name.\n * Throws if realm not found.\n */\n public getRealm(realmName?: string): Realm {\n const realm = realmName\n ? this.realms.find((it) => it.name === realmName)\n : this.realms[0];\n\n if (!realm) {\n throw new RealmNotFoundError(realmName ?? \"default\");\n }\n\n return realm;\n }\n\n /**\n * Resolve user from request using registered resolvers.\n * Returns undefined if no resolver could authenticate (no auth provided).\n * Throws UnauthorizedError if auth was provided but invalid.\n *\n * Note: This method tries resolvers from ALL realms to find a match,\n * regardless of the `realm` option. The `realm` option is only used for\n * permission checking after the user is resolved.\n */\n public async resolveUserFromServerRequest(\n req: { url: URL | string; headers: { authorization?: string } },\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): Promise<UserAccountToken | undefined> {\n // Collect all resolvers from all realms with their realm name\n const allResolvers: Array<{\n resolver: IssuerResolver;\n realmName: string;\n }> = [];\n\n for (const realm of this.realms) {\n for (const resolver of realm.resolvers ?? []) {\n allResolvers.push({ resolver, realmName: realm.name });\n }\n }\n\n // Sort by priority\n allResolvers.sort(\n (a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100),\n );\n\n // Try resolvers in priority order\n for (const { resolver, realmName } of allResolvers) {\n let userInfo: UserInfo | null;\n\n try {\n userInfo = await resolver.onRequest(req as any);\n } catch {\n // Resolver failed (e.g., wrong key), try next\n continue;\n }\n\n if (userInfo) {\n // User was resolved - now create user and check permissions\n // (errors from createUser should propagate, not be caught)\n const user = this.createUser(userInfo, {\n realm: realmName,\n permission: options.permission,\n });\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm: realmName,\n user,\n });\n\n return user;\n }\n }\n\n // No resolver matched = no auth provided\n return undefined;\n }\n\n /**\n * Checks if the user has the specified permission.\n *\n * Bonus: we check also if the user has \"ownership\" flag.\n *\n * @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n */\n public checkPermission(\n permissionLike: string | Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"*\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":*\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /**\n * Creates a user account from the provided payload.\n */\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission | string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n if (typeof token !== \"string\" || token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string | boolean | undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /**\n * Checks if a user has a specific role.\n *\n * @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n */\n public can(roleName: string, permission: string | Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /**\n * Checks if a user has ownership of a specific permission.\n */\n public ownership(\n roleName: string,\n permission: string | Permission,\n ): string | boolean | undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /**\n * Converts a permission object to a string.\n *\n * @param permission\n */\n public permissionToString(permission: Permission | string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /**\n * Retrieves the user account from the provided user ID.\n *\n * @param realm\n */\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /**\n * Returns all permissions.\n *\n * @param user - Filter permissions by user.\n *\n * @return An array containing all permissions.\n */\n public getPermissions(user?: {\n roles?: Array<Role | string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"*\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"*\") {\n // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":*\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /**\n * Retrieves the user ID from the provided payload object.\n *\n * @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n */\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /**\n * Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n */\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /**\n * Returns the name from the given payload.\n *\n * @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n */\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationsFromPayload(\n payload: Record<string, any>,\n ): string[] | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.organization) {\n if (typeof payload.organization === \"string\") {\n return [payload.organization];\n }\n if (Array.isArray(payload.organization)) {\n return payload.organization;\n }\n }\n }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /**\n * The secret key for the realm.\n *\n * Can be also a JWKS URL.\n */\n secret?: string | JSONWebKeySet | (() => string);\n\n /**\n * Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n */\n profile?: (raw: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers for this realm (sorted by priority).\n */\n resolvers?: IssuerResolver[];\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string | boolean | undefined;\n}\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver } from \"../interfaces/IssuerResolver.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new issuer.\n *\n * An issuer is responsible for creating and verifying JWT tokens.\n * It can be internal (with a secret) or external (with a JWKS).\n */\nexport const $issuer = (options: IssuerPrimitiveOptions): IssuerPrimitive => {\n return createPrimitive(IssuerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type IssuerPrimitiveOptions = {\n /**\n * Define the issuer name.\n * If not provided, it will use the property key.\n */\n name?: string;\n\n /**\n * Short description about the issuer.\n */\n description?: string;\n\n /**\n * All roles available in the issuer. Role is a string (role name) or a Role object (embedded role).\n */\n roles?: Array<string | Role>;\n\n /**\n * Issuer settings.\n */\n settings?: IssuerSettings;\n\n /**\n * Parse the JWT payload to create a user account info.\n */\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers (in addition to default JWT resolver).\n */\n resolvers?: IssuerResolver[];\n} & (IssuerInternal | IssuerExternal);\n\nexport interface IssuerSettings {\n accessToken?: {\n /**\n * Lifetime of the access token.\n * @default 15 minutes\n */\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /**\n * Lifetime of the refresh token.\n * @default 30 days\n */\n expiration?: DurationLike;\n\n // TODO: expirationIdle (max inactive time before the token is invalidated)\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type IssuerInternal = {\n /**\n * Internal secret to sign JWT tokens and verify them.\n */\n secret: string;\n};\n\nexport interface IssuerExternal {\n /**\n * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n */\n jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n resolvers: [],\n });\n\n // Register custom resolvers first (they usually have lower priority)\n for (const resolver of this.options.resolvers ?? []) {\n this.registerResolver(resolver);\n }\n\n // Register default JWT resolver (priority 100)\n this.registerResolver(this.createJwtResolver());\n }\n\n /**\n * Creates the default JWT resolver.\n */\n protected createJwtResolver(): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req: ServerRequest) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, this.name);\n\n // Extract user info from JWT payload\n return this.securityProvider.createUserFromPayload(\n result.payload,\n this.name,\n );\n },\n };\n }\n\n /**\n * Register a resolver to this issuer.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver): void {\n this.securityProvider.registerResolver(resolver, this.name);\n }\n\n /**\n * Get all roles in the issuer.\n */\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /**\n * Set all roles in the issuer.\n */\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /**\n * Get a role by name, throws an error if not found.\n */\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /**\n * Create a token for the subject.\n */\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string | undefined = refreshToken?.sid;\n let refresh_token: string | undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number | undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organizations: user.organizations,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // extract user from an expired token\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$issuer[KIND] = IssuerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /**\n * Name of the permission. Use Property name is not provided.\n */\n name?: string;\n\n /**\n * Group of the permission. Use Class name is not provided.\n */\n group?: string;\n\n /**\n * Describe the permission.\n */\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group || this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /**\n * Check if the user has the permission.\n */\n public can(user?: UserAccount): boolean {\n if (!user?.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { IssuerPrimitive } from \"./$issuer.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /**\n * Name of the role.\n */\n name?: string;\n\n /**\n * Describe the role.\n */\n description?: string;\n\n issuer?: string | IssuerPrimitive;\n\n permissions?: Array<\n | string\n | {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /**\n * Get the issuer of the role.\n */\n public get issuer(): string | IssuerPrimitive | undefined {\n return this.options.issuer;\n }\n\n public can(permission: string | PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string | PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n public async hashPassword(password: string): Promise<string> {\n const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n return `${salt}:${derivedKey.toString(\"hex\")}`;\n }\n\n public async verifyPassword(\n password: string,\n stored: string,\n ): Promise<boolean> {\n // Validate input format\n if (!stored || typeof stored !== \"string\") {\n return false;\n }\n\n const parts = stored.split(\":\");\n if (parts.length !== 2) {\n return false;\n }\n\n const [salt, originalHex] = parts;\n\n // Validate salt and hash are non-empty\n if (!salt || !originalHex) {\n return false;\n }\n\n // Validate hex format (must be even length and valid hex)\n if (originalHex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(originalHex)) {\n return false;\n }\n\n try {\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n const originalKey = Buffer.from(originalHex, \"hex\");\n\n // Validate buffer lengths match (scrypt should produce 64 bytes)\n if (derivedKey.length !== originalKey.length) {\n return false;\n }\n\n // Important: prevent timing attacks\n return timingSafeEqual(derivedKey, originalKey);\n } catch (error) {\n // Handle any errors during verification (e.g., invalid salt encoding)\n return false;\n }\n }\n\n public randomUUID(): string {\n return randomUUID();\n }\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organizations: t.optional(\n t.array(t.text(), {\n description: \"List of organizations the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n $action,\n ForbiddenError,\n type ServerRequest,\n UnauthorizedError,\n} from \"alepha/server\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\nimport { SecurityProvider } from \"./SecurityProvider.ts\";\nimport {\n type BasicAuthOptions,\n isBasicAuth,\n} from \"./ServerBasicAuthProvider.ts\";\n\nexport class ServerSecurityProvider {\n protected readonly log = $logger();\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly jwtProvider = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n\n protected readonly resolvers: Array<ServerSecurityUserResolver> = [];\n\n protected readonly onConfigure = $hook({\n on: \"configure\",\n handler: async () => {\n for (const action of this.alepha.primitives($action)) {\n // -------------------------------------------------------------------------------------------------------------\n // if the action is disabled or not secure, we do NOT create a permission for it\n // -------------------------------------------------------------------------------------------------------------\n if (\n action.options.disabled ||\n action.options.secure === false ||\n this.securityProvider.getRealms().length === 0\n ) {\n continue;\n }\n\n const secure = action.options.secure;\n if (typeof secure !== \"object\") {\n this.securityProvider.createPermission({\n name: action.name,\n group: action.group,\n method: action.route.method,\n path: action.route.path,\n });\n }\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n protected readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async ({ action, request, options }) => {\n // if you set explicitly secure: false, we assume you don't want any security check\n // but only if no user is provided in options\n if (action.options.secure === false && !options.user) {\n this.log.trace(\"Skipping security check for route\");\n return;\n }\n\n if (isBasicAuth(action.route.secure)) {\n return;\n }\n\n const permission = this.securityProvider\n .getPermissions()\n .find(\n (it) =>\n it.path === action.route.path && it.method === action.route.method,\n );\n\n try {\n request.user = this.createUserFromLocalFunctionContext(\n options,\n permission,\n );\n\n const route = action.route;\n if (typeof route.secure === \"object\") {\n this.check(request.user, route.secure);\n }\n\n this.alepha.store.set(\n \"alepha.server.request.user\",\n this.alepha.codec.decode(userAccountInfoSchema, request.user),\n );\n } catch (error) {\n if (action.options.secure || permission) {\n throw error;\n }\n // else, we skip the security check\n this.log.trace(\"Skipping security check for action\");\n }\n },\n });\n\n protected readonly onRequest = $hook({\n on: \"server:onRequest\",\n priority: \"last\",\n handler: async ({ request, route }) => {\n // if you set explicitly secure: false, we assume you don't want any security check\n if (route.secure === false) {\n this.log.trace(\n \"Skipping security check for route - explicitly disabled\",\n );\n return;\n }\n\n if (isBasicAuth(route.secure)) {\n return;\n }\n\n const permission = this.securityProvider\n .getPermissions()\n .find((it) => it.path === route.path && it.method === route.method);\n\n const realm =\n typeof route.secure === \"object\" ? route.secure.realm : undefined;\n\n try {\n // Try to resolve user (JWT, API key, etc.)\n request.user = await this.securityProvider.resolveUserFromServerRequest(\n request,\n { permission, realm },\n );\n\n // No user resolved?\n if (!request.user) {\n // Route requires auth → throw\n if (route.secure || permission) {\n // Provide a more specific error message when no auth header was provided\n if (!request.headers.authorization) {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n throw new UnauthorizedError(\"Authentication required\");\n }\n // Route is public → skip\n this.log.trace(\n \"Skipping security check for route - no auth provided and not required\",\n );\n return;\n }\n\n if (typeof route.secure === \"object\") {\n this.check(request.user, route.secure);\n }\n\n this.alepha.store.set(\n \"alepha.server.request.user\",\n // remove sensitive info\n this.alepha.codec.decode(userAccountInfoSchema, request.user),\n );\n\n this.log.trace(\"User set from request\", {\n user: request.user,\n permission,\n });\n } catch (error) {\n if (route.secure || permission) {\n throw error;\n }\n\n // else, we skip the security check\n this.log.trace(\n \"Skipping security check for route - error occurred\",\n error,\n );\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n protected check(user: UserAccountToken, secure: ServerRouteSecure) {\n if (secure.realm) {\n if (user.realm !== secure.realm) {\n throw new ForbiddenError(\n `User must belong to realm '${secure.realm}' to access this route`,\n );\n }\n }\n }\n\n /**\n * Get the user account token for a local action call.\n * There are three possible sources for the user:\n * - `options.user`: the user passed in the options\n * - `\"system\"`: the system user from the state (you MUST set state `server.security.system.user`)\n * - `\"context\"`: the user from the request context (you MUST be in an HTTP request context)\n *\n * Priority order: `options.user` > `\"system\"` > `\"context\"`.\n *\n * In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.\n */\n protected createUserFromLocalFunctionContext(\n options: { user?: UserAccountToken | \"system\" | \"context\" },\n permission?: Permission,\n ): UserAccountToken {\n const fromOptions =\n typeof options.user === \"object\" ? options.user : undefined;\n\n const type = typeof options.user === \"string\" ? options.user : undefined;\n\n let user: UserAccountToken | undefined;\n\n const fromContext = this.alepha.context.get<ServerRequest>(\"request\")?.user;\n const fromSystem = this.alepha.store.get(\n \"alepha.server.security.system.user\",\n );\n\n if (type === \"system\") {\n user = fromSystem;\n } else if (type === \"context\") {\n user = fromContext;\n } else {\n user = fromOptions ?? fromContext ?? fromSystem;\n }\n\n if (!user) {\n throw new UnauthorizedError(\"User is required for calling this action\");\n }\n\n const roles = user.roles ?? [];\n let ownership: boolean | string | undefined;\n\n if (permission) {\n const result = this.securityProvider.checkPermission(\n permission,\n ...roles,\n );\n if (!result.isAuthorized) {\n throw new ForbiddenError(\n `Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`,\n );\n }\n ownership = result.ownership;\n }\n\n // create a new user object with ownership if needed\n return {\n ...user,\n ownership,\n };\n }\n\n // ---------------------------------------------------------------------------------------------------------------\n // TESTING ONLY\n // ---------------------------------------------------------------------------------------------------------------\n\n protected createTestUser(): UserAccountToken {\n return {\n id: randomUUID(),\n name: \"Test\",\n roles: this.securityProvider.getRoles().map((role) => role.name),\n };\n }\n\n protected readonly onClientRequest = $hook({\n on: \"client:onRequest\",\n handler: async ({ request, options }) => {\n if (!this.alepha.isTest()) {\n return;\n }\n\n // skip helper if user is explicitly set to undefined\n //if (\"user\" in options && options.user === undefined) {\n if (!options.user) {\n return;\n }\n\n request.headers = new Headers(request.headers);\n\n if (!request.headers.has(\"authorization\")) {\n const test = this.createTestUser();\n const user =\n typeof options?.user === \"object\" ? options.user : undefined;\n const sub = user?.id ?? test.id;\n const roles = user?.roles ?? test.roles;\n\n const token = await this.jwtProvider.create(\n {\n sub,\n roles,\n },\n user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n );\n\n request.headers.set(\"authorization\", `Bearer ${token}`);\n }\n },\n });\n}\n\nexport type ServerRouteSecure = {\n realm?: string;\n basic?: BasicAuthOptions;\n};\n\nexport type ServerSecurityUserResolver = (\n request: ServerRequest,\n) => Promise<UserAccountToken | undefined>;\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, IssuerPrimitive } from \"./$issuer.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n *\n * async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n */\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new Error(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new Error(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new Error(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token || !json.expires_in) {\n throw new Error(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.issuer.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n | {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n | {\n issuer: IssuerPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /**\n * Get Token URL.\n */\n url: string;\n\n /**\n * Client ID.\n */\n clientId: string;\n\n /**\n * Client Secret.\n */\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module, type Alepha } from \"alepha\";\nimport { AlephaServer, type FetchOptions } from \"alepha/server\";\nimport type { UserAccountToken } from \"./interfaces/UserAccountToken.ts\";\nimport { $basicAuth } from \"./primitives/$basicAuth.ts\";\nimport { $issuer } from \"./primitives/$issuer.ts\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport { ServerBasicAuthProvider } from \"./providers/ServerBasicAuthProvider.ts\";\nimport { ServerSecurityProvider } from \"./providers/ServerSecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/IssuerResolver.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$basicAuth.ts\";\nexport * from \"./primitives/$issuer.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./providers/ServerBasicAuthProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\nimport type { ServerRouteSecure } from \"./providers/ServerSecurityProvider.ts\";\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n\n interface State {\n /**\n * Real (or fake) user account, used for internal actions.\n *\n * If you define this, you assume that all actions are executed by this user by default.\n * > To force a different user, you need to pass it explicitly in the options.\n */\n \"alepha.server.security.system.user\"?: UserAccountToken;\n\n /**\n * The authenticated user account attached to the server request state.\n *\n * @internal\n */\n \"alepha.server.request.user\"?: UserAccount;\n }\n}\n\ndeclare module \"alepha/server\" {\n interface ServerRequest<TConfig> {\n user?: UserAccountToken; // for all routes, user is maybe present\n }\n\n interface ServerActionRequest<TConfig> {\n user: UserAccountToken; // for actions, user is always present\n }\n\n interface ServerRoute {\n /**\n * If true, the route will be protected by the security provider.\n * All actions are secure by default, but you can disable it for specific actions.\n */\n secure?: boolean | ServerRouteSecure;\n }\n\n interface ClientRequestOptions extends FetchOptions {\n /**\n * Forward user from the previous request.\n * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n * If \"context\", use the user from the current context (e.g. request).\n *\n * @default \"system\" if provided, else \"context\" if available.\n */\n user?: UserAccountToken | \"system\" | \"context\";\n }\n}\n\n/**\n * | type | quality | stability |\n * |------|---------|-----------|\n * | backend | epic | stable |\n *\n * Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.\n *\n * **Features:**\n * - JWT token issuer with role definitions\n * - Role-based access control (RBAC)\n * - Fine-grained permissions\n * - HTTP Basic Authentication\n * - Service-to-service authentication\n * - Multi-issuer support for federated auth\n * - JWKS (JSON Web Key Set) for external issuers\n * - Token refresh logic\n * - User profile extraction from JWT\n *\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$issuer, $role, $permission, $basicAuth],\n services: [\n SecurityProvider,\n JwtProvider,\n CryptoProvider,\n ServerSecurityProvider,\n ServerBasicAuthProvider,\n ],\n register: (alepha: Alepha) => {\n // Always register core security providers\n alepha.with(SecurityProvider);\n alepha.with(JwtProvider);\n alepha.with(CryptoProvider);\n\n // Register server security providers only if AlephaServer is available\n if (alepha.has(AlephaServer)) {\n alepha.with(ServerSecurityProvider);\n alepha.with(ServerBasicAuthProvider);\n }\n },\n});\n\n/**\n * @deprecated Use `AlephaSecurity` instead. Server security providers are automatically registered when `AlephaServer` is available.\n */\nexport const AlephaServerSecurity = AlephaSecurity;\n"],"x_google_ignoreList":[3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32],"mappings":";;;;;;;;AA6BA,IAAa,0BAAb,MAAqC;CACnC,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,MAAM,SAAS;CAClC,AAAmB,iBAAiB,QAAQ,qBAAqB;CACjE,AAAmB,QAAQ;;;;CAK3B,AAAgB,kBAA8C,EAAE;;;;CAKhE,AAAO,aAAa,QAAwC;AAC1D,OAAK,gBAAgB,KAAK,OAAO;;CAGnC,AAAgB,UAAU,MAAM;EAC9B,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,QAAQ,KAAK,gBACtB,KAAI,KAAK,MACP,MAAK,MAAM,WAAW,KAAK,OAAO;IAChC,MAAM,gBAAgB,KAAK,eAAe,UAAU,QAAQ;AAC5D,SAAK,MAAM,SAAS,cAClB,OAAM,SAAS,EACb,OAAO;KACL,UAAU,KAAK;KACf,UAAU,KAAK;KAChB,EACF;;AAMT,OAAI,KAAK,gBAAgB,SAAS,EAChC,MAAK,IAAI,KACP,oBAAoB,KAAK,gBAAgB,OAAO,wCACjD;;EAGN,CAAC;;;;CAKF,AAAgB,YAAY,MAAM;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,YAAY,MAAM;AACxB,OACE,OAAO,cAAc,YACrB,WAAW,aACX,UAAU,MAEV,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAgB,kBAAkB,MAAM;EACtC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,YAAY,OAAO,MAAM;AAC/B,OAAI,YAAY,UAAU,CACxB,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAO,UAAU,SAAwB,SAAiC;EACxE,MAAM,aAAa,QAAQ,SAAS;AAEpC,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,EAAE;AACnD,QAAK,iBAAiB,QAAQ;AAC9B,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;EAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;EAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;EAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;EAC3C,MAAM,WACJ,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG;EACzD,MAAM,WAAW,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG;AAUzE,MAAI,CAPY,KAAK,0BACnB,UACA,UACA,QAAQ,UACR,QAAQ,SACT,EAEa;AACZ,QAAK,iBAAiB,QAAQ;AAC9B,QAAK,IAAI,KAAK,sCAAsC,EAClD,UACD,CAAC;AACF,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;;;;;;CAQN,AAAU,0BACR,eACA,eACA,kBACA,kBACS;EAET,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;EAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAS9D,UALkB,KAAK,YAAY,cAAc,gBAAgB,GAC/C,KAAK,YAAY,cAAc,gBAAgB,MAI9B;;;;;;CAOrC,AAAU,YAAY,OAAe,UAA0B;AAG7D,MAAI,MAAM,WAAW,SAAS,QAAQ;AAEpC,mBAAgB,OAAO,MAAM;AAC7B,UAAO;;AAGT,SAAO,gBAAgB,OAAO,SAAS,GAAG,IAAI;;;;;CAMhD,AAAU,iBAAiB,SAA8B;AACvD,UAAQ,MAAM,UAAU,oBAAoB,gBAAgB,KAAK,MAAM,GAAG;;;AAI9E,MAAa,eACX,UACyC;AACzC,QACE,OAAO,UAAU,YAAY,CAAC,CAAC,SAAS,WAAW,SAAS,CAAC,CAAC,MAAM;;;;;;;;;AChMxE,MAAa,cACX,YAC+B;AAC/B,QAAO,gBAAgB,oBAAoB,QAAQ;;AAWrD,IAAa,qBAAb,cACU,UAEV;CACE,AAAmB,0BAA0B,QAAQ,wBAAwB;CAE7E,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,OAAO;;CAG7C,AAAU,SAAS;AAEjB,OAAK,wBAAwB,aAAa,KAAK,QAAQ;;;;;CAMzD,AAAO,MAAM,SAAwB,SAAkC;EACrE,MAAM,gBAAgB;GAAE,GAAG,KAAK;GAAS,GAAG;GAAS;AACrD,OAAK,wBAAwB,UAAU,SAAS,cAAc;;;AAIlE,WAAW,QAAQ;;;;AClDnB,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;ACF3B,MAAa,UAAU,IAAI,aAAa;AACxC,MAAa,UAAU,IAAI,aAAa;AACxC,MAAM,YAAY,KAAK;AACvB,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,EAAE;CACjE,MAAM,MAAM,IAAI,WAAW,KAAK;CAChC,IAAI,IAAI;AACR,MAAK,MAAM,UAAU,SAAS;AAC1B,MAAI,IAAI,QAAQ,EAAE;AAClB,OAAK,OAAO;;AAEhB,QAAO;;AAqBX,SAAgBA,SAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,EAAE;AACjC,MAAI,OAAO,IACP,OAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAM,KAAK;;AAEf,QAAO;;;;;ACzCX,SAAgB,aAAa,OAAO;AAChC,KAAI,WAAW,UAAU,SACrB,QAAO,MAAM,UAAU;CAE3B,MAAM,aAAa;CACnB,MAAM,MAAM,EAAE;AACd,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,WACnC,KAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,CAAC;AAEhF,QAAO,KAAK,IAAI,KAAK,GAAG,CAAC;;AAE7B,SAAgB,aAAa,SAAS;AAClC,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,QAAQ;CAEzC,MAAM,SAAS,KAAK,QAAQ;CAC5B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAC/B,OAAM,KAAK,OAAO,WAAW,EAAE;AAEnC,QAAO;;;;;AClBX,SAAgB,OAAO,OAAO;AAC1B,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,MAAM,EAAE,EACpF,UAAU,aACb,CAAC;CAEN,IAAI,UAAU;AACd,KAAI,mBAAmB,WACnB,WAAU,QAAQ,OAAO,QAAQ;AAErC,WAAU,QAAQ,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;AACvD,KAAI;AACA,SAAO,aAAa,QAAQ;SAE1B;AACF,QAAM,IAAI,UAAU,oDAAoD;;;AAGhF,SAAgB,OAAO,OAAO;CAC1B,IAAI,YAAY;AAChB,KAAI,OAAO,cAAc,SACrB,aAAY,QAAQ,OAAO,UAAU;AAEzC,KAAI,WAAW,UAAU,SACrB,QAAO,UAAU,SAAS;EAAE,UAAU;EAAa,aAAa;EAAM,CAAC;AAE3E,QAAO,aAAa,UAAU,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;;;AC5B5F,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;AAC1B,QAAM,SAAS,QAAQ;AACvB,OAAK,OAAO,KAAK,YAAY;AAC7B,QAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,2BAAb,cAA8C,UAAU;CACpD,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;;AAaX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAMX,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,mDAAmD,SAAS;AAC9E,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,2BAAb,cAA8C,UAAU;CACpD,CAAC,OAAO;CACR,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,wDAAwD,SAAS;AACnF,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,qBAAqB,SAAS;AAChD,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;AAC5D,QAAM,SAAS,QAAQ;;;;;;AChG/B,MAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,OAAO;AAC3I,MAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;AACzB,QAAO,SAAS,KAAK,KAAK,MAAM,EAAE,EAAE,GAAG;;AAE3C,SAAS,cAAc,KAAK;AACxB,SAAQ,KAAR;EACI,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,QACI,OAAM,IAAI,MAAM,cAAc;;;AAG1C,SAAS,WAAW,KAAK,OAAO;AAC5B,KAAI,SAAS,CAAC,IAAI,OAAO,SAAS,MAAM,CACpC,OAAM,IAAI,UAAU,sEAAsE,MAAM,GAAG;;AAG3G,SAAgB,kBAAkB,KAAK,KAAK,OAAO;AAC/C,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,OAAO,CACnC,OAAM,SAAS,OAAO;GAC1B,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,oBAAoB,CAChD,OAAM,SAAS,oBAAoB;GACvC,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;GAC7B,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;AAC7B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,IAAI,CAChC,OAAM,SAAS,IAAI;AACvB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,QAAQ,CACpC,OAAM,SAAS,QAAQ;GAC3B,MAAM,WAAW,cAAc,IAAI;AAEnC,OADe,IAAI,UAAU,eACd,SACX,OAAM,SAAS,UAAU,uBAAuB;AACpD;;EAEJ,QACI,OAAM,IAAI,UAAU,4CAA4C;;AAExE,YAAW,KAAK,MAAM;;;;;ACpF1B,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;AACpC,SAAQ,MAAM,OAAO,QAAQ;AAC7B,KAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,KAAK;AACxB,SAAO,eAAe,MAAM,KAAK,KAAK,CAAC,OAAO,KAAK;YAE9C,MAAM,WAAW,EACtB,QAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;KAG9C,QAAO,WAAW,MAAM,GAAG;AAE/B,KAAI,UAAU,KACV,QAAO,aAAa;UAEf,OAAO,WAAW,cAAc,OAAO,KAC5C,QAAO,sBAAsB,OAAO;UAE/B,OAAO,WAAW,YAAY,UAAU,MAC7C;MAAI,OAAO,aAAa,KACpB,QAAO,4BAA4B,OAAO,YAAY;;AAG9D,QAAO;;AAEX,MAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,MAAM;AAC9F,MAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,MAAM;;;;ACrBpH,MAAa,eAAe,QAAQ;AAChC,KAAI,MAAM,OAAO,iBAAiB,YAC9B,QAAO;AACX,KAAI;AACA,SAAO,eAAe;SAEpB;AACF,SAAO;;;AAGf,MAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,MAAa,aAAa,QAAQ,YAAY,IAAI,IAAI,YAAY,IAAI;;;;AChBtE,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,QAAQ;AACvC,KAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,EAC3C,QAAO;CAEX,IAAI;AACJ,MAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,OAAO;AACtC,MAAI,CAAC,OAAO,IAAI,SAAS,GAAG;AACxB,SAAM,IAAI,IAAI,WAAW;AACzB;;AAEJ,OAAK,MAAM,aAAa,YAAY;AAChC,OAAI,IAAI,IAAI,UAAU,CAClB,QAAO;AAEX,OAAI,IAAI,UAAU;;;AAG1B,QAAO;;;;;ACnBX,MAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;AAC5B,KAAI,CAAC,aAAa,MAAM,IAAI,OAAO,UAAU,SAAS,KAAK,MAAM,KAAK,kBAClE,QAAO;AAEX,KAAI,OAAO,eAAe,MAAM,KAAK,KACjC,QAAO;CAEX,IAAI,QAAQ;AACZ,QAAO,OAAO,eAAe,MAAM,KAAK,KACpC,SAAQ,OAAO,eAAe,MAAM;AAExC,QAAO,OAAO,eAAe,MAAM,KAAK;;;;;ACZ5C,SAAgB,eAAe,KAAK,KAAK;AACrC,KAAI,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,EAAE;EAC9C,MAAM,EAAE,kBAAkB,IAAI;AAC9B,MAAI,OAAO,kBAAkB,YAAY,gBAAgB,KACrD,OAAM,IAAI,UAAU,GAAG,IAAI,uDAAuD;;;;;;ACH9F,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;AACJ,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,OAAO,CAAC,OAAO,GAAG,CAAC,SAAS;AAC5C;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AACjE,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AAC3E,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;MACnD;AACD,iBAAY,IAAI,IAAI,CAAC,WAAW,YAAY,GAAG,CAAC,WAAW,UAAU;AACrE;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;MAAK;AACjD,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,WAAW;AAC/B,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,QACI,OAAM,IAAI,iBAAiB,gEAA8D;;AAEjG,QAAO;EAAE;EAAW;EAAW;;AAEnC,eAAsB,SAAS,KAAK;AAChC,KAAI,CAAC,IAAI,IACL,OAAM,IAAI,UAAU,+DAA2D;CAEnF,MAAM,EAAE,WAAW,cAAc,cAAc,IAAI;CACnD,MAAM,UAAU,EAAE,GAAG,KAAK;AAC1B,KAAI,QAAQ,QAAQ,MAChB,QAAO,QAAQ;AAEnB,QAAO,QAAQ;AACf,QAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,UAAU;;;;;ACpFtI,eAAsB,UAAU,KAAK,KAAK,SAAS;AAC/C,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,UAAU,wBAAwB;CAEhD,IAAI;AACJ,SAAQ,IAAI;AACZ,SAAQ,SAAS,eAAe,IAAI;AACpC,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,OAAI,OAAO,IAAI,MAAM,YAAY,CAAC,IAAI,EAClC,OAAM,IAAI,UAAU,4CAA0C;AAElE,UAAOC,OAAgB,IAAI,EAAE;EACjC,KAAK;AACD,OAAI,SAAS,OAAO,IAAI,QAAQ,OAC5B,OAAM,IAAI,iBAAiB,uEAAqE;AAEpG,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK;IAAK,CAAC;EACzC,KAAK;AACD,OAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,IACpC,OAAM,IAAI,UAAU,8CAA4C;AAEpE,OAAI,QAAQ,UAAa,QAAQ,IAAI,IACjC,OAAM,IAAI,UAAU,wCAAwC;AAEhE,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK,CAAC;EAEpC,KAAK;EACL,KAAK,MACD,QAAO,SAAS;GAAE,GAAG;GAAK;GAAK;GAAK,CAAC;EACzC,QACI,OAAM,IAAI,iBAAiB,iDAA+C;;;;;;ACrDtF,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;AAChG,KAAI,WAAW,SAAS,UAAa,iBAAiB,SAAS,OAC3D,OAAM,IAAI,IAAI,mEAAiE;AAEnF,KAAI,CAAC,mBAAmB,gBAAgB,SAAS,OAC7C,wBAAO,IAAI,KAAK;AAEpB,KAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,IACpC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,EAAE,CACrF,OAAM,IAAI,IAAI,0FAAwF;CAE1G,IAAI;AACJ,KAAI,qBAAqB,OACrB,cAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,iBAAiB,EAAE,GAAG,kBAAkB,SAAS,CAAC,CAAC;KAG3F,cAAa;AAEjB,MAAK,MAAM,aAAa,gBAAgB,MAAM;AAC1C,MAAI,CAAC,WAAW,IAAI,UAAU,CAC1B,OAAM,IAAI,iBAAiB,+BAA+B,UAAU,qBAAqB;AAE7F,MAAI,WAAW,eAAe,OAC1B,OAAM,IAAI,IAAI,+BAA+B,UAAU,cAAc;AAEzE,MAAI,WAAW,IAAI,UAAU,IAAI,gBAAgB,eAAe,OAC5D,OAAM,IAAI,IAAI,+BAA+B,UAAU,+BAA+B;;AAG9F,QAAO,IAAI,IAAI,gBAAgB,KAAK;;;;;AC/BxC,SAAgB,mBAAmB,QAAQ,YAAY;AACnD,KAAI,eAAe,WACd,CAAC,MAAM,QAAQ,WAAW,IAAI,WAAW,MAAM,MAAM,OAAO,MAAM,SAAS,EAC5E,OAAM,IAAI,UAAU,IAAI,OAAO,sCAAsC;AAEzE,KAAI,CAAC,WACD;AAEJ,QAAO,IAAI,IAAI,WAAW;;;;;ACP9B,MAAa,SAAS,QAAQ,SAAS,IAAI,IAAI,OAAO,IAAI,QAAQ;AAClE,MAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,UAAa,IAAI,SAAS;AAC7F,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;;ACD1E,IAAI;AACJ,MAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;AACvD,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,IAAI;AAC3B,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;EAAK,CAAC;AACjD,KAAI,OACA,QAAO,OAAO,IAAI;AACtB,KAAI,CAAC,OACD,OAAM,IAAI,KAAK,GAAG,MAAM,WAAW,CAAC;KAGpC,QAAO,OAAO;AAElB,QAAO;;AAEX,MAAM,mBAAmB,WAAW,QAAQ;AACxC,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,UAAU;AACjC,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;AACJ,KAAI,UAAU,sBAAsB,UAAU;AAC1C,UAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,iBACD;GACJ,QACI,OAAM,IAAI,UAAU,6DAA6D;;AAEzF,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAE/G,KAAI,UAAU,sBAAsB,WAAW;AAC3C,MAAI,QAAQ,WAAW,QAAQ,UAC3B,OAAM,IAAI,UAAU,6DAA6D;AAErF,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAEN,SAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,QAAQ,UAAU,kBAAkB,aAAa,CACjD,OAAM,IAAI,UAAU,6DAA6D;AAErF,eAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAGV,KAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;AACJ,UAAQ,KAAR;GACI,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,QACI,OAAM,IAAI,UAAU,6DAA6D;;AAEzF,MAAI,IAAI,WAAW,WAAW,CAC1B,QAAO,UAAU,YAAY;GACzB,MAAM;GACN;GACH,EAAE,aAAa,WAAW,CAAC,UAAU,GAAG,CAAC,UAAU,CAAC;AAEzD,cAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,KAAK,GAAG,YAAY;GACzC;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;;AAEnD,KAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aALO,IAAI,IAAI;GACjB,CAAC,cAAc,QAAQ;GACvB,CAAC,aAAa,QAAQ;GACtB,CAAC,aAAa,QAAQ;GACzB,CAAC,CACsB,IAAI,UAAU,sBAAsB,WAAW;AACvE,MAAI,CAAC,WACD,OAAM,IAAI,UAAU,6DAA6D;AAErF,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,IAAI,WAAW,UAAU,CACzB,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAGvD,KAAI,CAAC,UACD,OAAM,IAAI,UAAU,6DAA6D;AAErF,KAAI,CAAC,OACD,OAAM,IAAI,WAAW,GAAG,MAAM,WAAW,CAAC;KAG1C,QAAO,OAAO;AAElB,QAAO;;AAEX,eAAsB,aAAa,KAAK,KAAK;AACzC,KAAI,eAAe,WACf,QAAO;AAEX,KAAI,YAAY,IAAI,CAChB,QAAO;AAEX,KAAI,YAAY,IAAI,EAAE;AAClB,MAAI,IAAI,SAAS,SACb,QAAO,IAAI,QAAQ;AAEvB,MAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,WACnD,KAAI;AACA,UAAO,gBAAgB,KAAK,IAAI;WAE7B,KAAK;AACR,OAAI,eAAe,UACf,OAAM;;AAKlB,SAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,OAAO,CAAC,EACZ,IAAI;;AAEnC,KAAI,MAAM,IAAI,EAAE;AACZ,MAAI,IAAI,EACJ,QAAO,OAAO,IAAI,EAAE;AAExB,SAAO,UAAU,KAAK,KAAK,KAAK,KAAK;;AAEzC,OAAM,IAAI,MAAM,cAAc;;;;;AC3KlC,MAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,MAAM,gBAAgB,KAAK,KAAK,UAAU;AACtC,KAAI,IAAI,QAAQ,QAAW;EACvB,IAAI;AACJ,UAAQ,OAAR;GACI,KAAK;GACL,KAAK;AACD,eAAW;AACX;GACJ,KAAK;GACL,KAAK;AACD,eAAW;AACX;;AAER,MAAI,IAAI,QAAQ,SACZ,OAAM,IAAI,UAAU,sDAAsD,SAAS,gBAAgB;;AAG3G,KAAI,IAAI,QAAQ,UAAa,IAAI,QAAQ,IACrC,OAAM,IAAI,UAAU,sDAAsD,IAAI,gBAAgB;AAElG,KAAI,MAAM,QAAQ,IAAI,QAAQ,EAAE;EAC5B,IAAI;AACJ,UAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,SAAS;AACvB,oBAAgB;AAChB;GACJ,KAAK,IAAI,WAAW,QAAQ;AACxB,oBAAgB;AAChB;GACJ,KAAK,0BAA0B,KAAK,IAAI;AACpC,QAAI,CAAC,IAAI,SAAS,MAAM,IAAI,IAAI,SAAS,KAAK,CAC1C,iBAAgB,UAAU,YAAY,YAAY;QAGlD,iBAAgB;AAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,MAAM;AAC7C,oBAAgB;AAChB;GACJ,KAAK,UAAU;AACX,oBAAgB,IAAI,WAAW,MAAM,GAAG,cAAc;AACtD;;AAER,MAAI,iBAAiB,IAAI,SAAS,WAAW,cAAc,KAAK,MAC5D,OAAM,IAAI,UAAU,+DAA+D,cAAc,gBAAgB;;AAGzH,QAAO;;AAEX,MAAM,sBAAsB,KAAK,KAAK,UAAU;AAC5C,KAAI,eAAe,WACf;AACJ,KAAIC,MAAU,IAAI,EAAE;AAChB,MAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,QAAM,IAAI,UAAU,0HAA0H;;AAElJ,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,aAAa,CAAC;AAE1G,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,8DAA8D;;AAGtG,MAAM,uBAAuB,KAAK,KAAK,UAAU;AAC7C,KAAIF,MAAU,IAAI,CACd,SAAQ,OAAR;EACI,KAAK;EACL,KAAK;AACD,OAAIG,aAAiB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACtD;AACJ,SAAM,IAAI,UAAU,wDAAwD;EAChF,KAAK;EACL,KAAK;AACD,OAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,SAAM,IAAI,UAAU,uDAAuD;;AAGvF,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,eAAe,CAAC;AAE5F,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,mEAAmE;AAEvG,KAAI,IAAI,SAAS,SACb,SAAQ,OAAR;EACI,KAAK,OACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,uEAAuE;EAC3G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,0EAA0E;;AAGtH,KAAI,IAAI,SAAS,UACb,SAAQ,OAAR;EACI,KAAK,SACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,wEAAwE;EAC5G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,yEAAyE;;;AAIzH,SAAgB,aAAa,KAAK,KAAK,OAAO;AAC1C,SAAQ,IAAI,UAAU,GAAG,EAAE,EAA3B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,sBAAmB,KAAK,KAAK,MAAM;AACnC;EACJ,QACI,qBAAoB,KAAK,KAAK,MAAM;;;;;;ACtHhD,SAAgB,gBAAgB,KAAK,WAAW;CAC5C,MAAM,OAAO,OAAO,IAAI,MAAM,GAAG;AACjC,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAQ;EACjC,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;GAAG;EAClF,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAqB;EAC9C,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;GAAY;EACpE,KAAK;EACL,KAAK,QACD,QAAO,EAAE,MAAM,WAAW;EAC9B,KAAK;EACL,KAAK;EACL,KAAK,YACD,QAAO,EAAE,MAAM,KAAK;EACxB,QACI,OAAM,IAAI,iBAAiB,OAAO,IAAI,6DAA6D;;;;;;AC1B/G,eAAsB,UAAU,KAAK,KAAK,OAAO;AAC7C,KAAI,eAAe,YAAY;AAC3B,MAAI,CAAC,IAAI,WAAW,KAAK,CACrB,OAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,eAAe,CAAC;AAEvF,SAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI,MAAM;GAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;;AAE9G,mBAAkB,KAAK,KAAK,MAAM;AAClC,QAAO;;;;;ACPX,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,SAAS;AACrD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,gBAAgB,KAAK,UAAU,UAAU;AAC3D,KAAI;AACA,SAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,KAAK;SAEtE;AACF,SAAO;;;;;;ACDf,eAAsB,gBAAgB,KAAK,KAAK,SAAS;AACrD,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,WAAW,kCAAkC;AAE3D,KAAI,IAAI,cAAc,UAAa,IAAI,WAAW,OAC9C,OAAM,IAAI,WAAW,4EAAwE;AAEjG,KAAI,IAAI,cAAc,UAAa,OAAO,IAAI,cAAc,SACxD,OAAM,IAAI,WAAW,sCAAsC;AAE/D,KAAI,IAAI,YAAY,OAChB,OAAM,IAAI,WAAW,sBAAsB;AAE/C,KAAI,OAAO,IAAI,cAAc,SACzB,OAAM,IAAI,WAAW,0CAA0C;AAEnE,KAAI,IAAI,WAAW,UAAa,CAAC,SAAS,IAAI,OAAO,CACjD,OAAM,IAAI,WAAW,wCAAwC;CAEjE,IAAI,aAAa,EAAE;AACnB,KAAI,IAAI,UACJ,KAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,UAAU;AAC3C,eAAa,KAAK,MAAM,QAAQ,OAAO,gBAAgB,CAAC;SAEtD;AACF,QAAM,IAAI,WAAW,kCAAkC;;AAG/D,KAAI,CAAC,WAAW,YAAY,IAAI,OAAO,CACnC,OAAM,IAAI,WAAW,4EAA4E;CAErG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;EACV;CACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,YAAY,WAAW;CAC5G,IAAI,MAAM;AACV,KAAI,WAAW,IAAI,MAAM,EAAE;AACvB,QAAM,WAAW;AACjB,MAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;CAGvG,MAAM,EAAE,QAAQ;AAChB,KAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;CAErF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,WAAW;AAClF,KAAI,cAAc,CAAC,WAAW,IAAI,IAAI,CAClC,OAAM,IAAI,kBAAkB,yDAAuD;AAEvF,KAAI,KACA;MAAI,OAAO,IAAI,YAAY,SACvB,OAAM,IAAI,WAAW,+BAA+B;YAGnD,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,YACjE,OAAM,IAAI,WAAW,yDAAyD;CAElF,IAAI,cAAc;AAClB,KAAI,OAAO,QAAQ,YAAY;AAC3B,QAAM,MAAM,IAAI,YAAY,IAAI;AAChC,gBAAc;;AAElB,cAAa,KAAK,KAAK,SAAS;CAChC,MAAM,OAAO,OAAO,IAAI,cAAc,SAAYC,SAAO,IAAI,UAAU,GAAG,IAAI,YAAY,EAAEA,SAAO,IAAI,EAAE,OAAO,IAAI,YAAY,WAC1H,MACIA,SAAO,IAAI,QAAQ,GACnB,QAAQ,OAAO,IAAI,QAAQ,GAC/B,IAAI,QAAQ;CAClB,IAAI;AACJ,KAAI;AACA,cAAYD,OAAK,IAAI,UAAU;SAE7B;AACF,QAAM,IAAI,WAAW,2CAA2C;;CAEpE,MAAM,IAAI,MAAM,aAAa,KAAK,IAAI;AAEtC,KAAI,CADa,MAAM,OAAO,KAAK,GAAG,WAAW,KAAK,CAElD,OAAM,IAAI,gCAAgC;CAE9C,IAAI;AACJ,KAAI,IACA,KAAI;AACA,YAAUA,OAAK,IAAI,QAAQ;SAEzB;AACF,QAAM,IAAI,WAAW,yCAAyC;;UAG7D,OAAO,IAAI,YAAY,SAC5B,WAAU,QAAQ,OAAO,IAAI,QAAQ;KAGrC,WAAU,IAAI;CAElB,MAAM,SAAS,EAAE,SAAS;AAC1B,KAAI,IAAI,cAAc,OAClB,QAAO,kBAAkB;AAE7B,KAAI,IAAI,WAAW,OACf,QAAO,oBAAoB,IAAI;AAEnC,KAAI,YACA,QAAO;EAAE,GAAG;EAAQ,KAAK;EAAG;AAEhC,QAAO;;;;;ACnHX,eAAsB,cAAc,KAAK,KAAK,SAAS;AACnD,KAAI,eAAe,WACf,OAAM,QAAQ,OAAO,IAAI;AAE7B,KAAI,OAAO,QAAQ,SACf,OAAM,IAAI,WAAW,6CAA6C;CAEtE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,IAAI;AAC/E,KAAI,WAAW,EACX,OAAM,IAAI,WAAW,sBAAsB;CAE/C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;EAAW,EAAE,KAAK,QAAQ;CACxG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;EAAiB;AACvF,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;;AChBX,MAAM,SAAS,SAAS,KAAK,MAAM,KAAK,SAAS,GAAG,IAAK;AACzD,MAAM,SAAS;AACf,MAAM,OAAO,SAAS;AACtB,MAAM,MAAM,OAAO;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,QAAQ;AACd,SAAgB,KAAK,KAAK;CACtB,MAAM,UAAU,MAAM,KAAK,IAAI;AAC/B,KAAI,CAAC,WAAY,QAAQ,MAAM,QAAQ,GACnC,OAAM,IAAI,UAAU,6BAA6B;CAErD,MAAM,QAAQ,WAAW,QAAQ,GAAG;CACpC,MAAM,OAAO,QAAQ,GAAG,aAAa;CACrC,IAAI;AACJ,SAAQ,MAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,MAAM;AAC/B;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,OAAO;AACxC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,IAAI;AACrC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ;AACI,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;;AAER,KAAI,QAAQ,OAAO,OAAO,QAAQ,OAAO,MACrC,QAAO,CAAC;AAEZ,QAAO;;AAEX,SAAS,cAAc,OAAO,OAAO;AACjC,KAAI,CAAC,OAAO,SAAS,MAAM,CACvB,OAAM,IAAI,UAAU,WAAW,MAAM,QAAQ;AAEjD,QAAO;;AAEX,MAAM,gBAAgB,UAAU;AAC5B,KAAI,MAAM,SAAS,IAAI,CACnB,QAAO,MAAM,aAAa;AAE9B,QAAO,eAAe,MAAM,aAAa;;AAE7C,MAAM,yBAAyB,YAAY,cAAc;AACrD,KAAI,OAAO,eAAe,SACtB,QAAO,UAAU,SAAS,WAAW;AAEzC,KAAI,MAAM,QAAQ,WAAW,CACzB,QAAO,UAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAI,WAAW,CAAC,CAAC;AAEtE,QAAO;;AAEX,SAAgB,kBAAkB,iBAAiB,gBAAgB,UAAU,EAAE,EAAE;CAC7E,IAAI;AACJ,KAAI;AACA,YAAU,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;SAElD;AAEN,KAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,WAAW,iDAAiD;CAE1E,MAAM,EAAE,QAAQ;AAChB,KAAI,QACC,OAAO,gBAAgB,QAAQ,YAC5B,aAAa,gBAAgB,IAAI,KAAK,aAAa,IAAI,EAC3D,OAAM,IAAI,yBAAyB,uCAAqC,SAAS,OAAO,eAAe;CAE3G,MAAM,EAAE,iBAAiB,EAAE,EAAE,QAAQ,SAAS,UAAU,gBAAgB;CACxE,MAAM,gBAAgB,CAAC,GAAG,eAAe;AACzC,KAAI,gBAAgB,OAChB,eAAc,KAAK,MAAM;AAC7B,KAAI,aAAa,OACb,eAAc,KAAK,MAAM;AAC7B,KAAI,YAAY,OACZ,eAAc,KAAK,MAAM;AAC7B,KAAI,WAAW,OACX,eAAc,KAAK,MAAM;AAC7B,MAAK,MAAM,SAAS,IAAI,IAAI,cAAc,SAAS,CAAC,CAChD,KAAI,EAAE,SAAS,SACX,OAAM,IAAI,yBAAyB,qBAAqB,MAAM,UAAU,SAAS,OAAO,UAAU;AAG1G,KAAI,UACA,EAAE,MAAM,QAAQ,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,SAAS,QAAQ,IAAI,CAClE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,WAAW,QAAQ,QAAQ,QAC3B,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,YACA,CAAC,sBAAsB,QAAQ,KAAK,OAAO,aAAa,WAAW,CAAC,SAAS,GAAG,SAAS,CACzF,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI;AACJ,SAAQ,OAAO,QAAQ,gBAAvB;EACI,KAAK;AACD,eAAY,KAAK,QAAQ,eAAe;AACxC;EACJ,KAAK;AACD,eAAY,QAAQ;AACpB;EACJ,KAAK;AACD,eAAY;AACZ;EACJ,QACI,OAAM,IAAI,UAAU,qCAAqC;;CAEjE,MAAM,EAAE,gBAAgB;CACxB,MAAM,MAAM,MAAM,+BAAe,IAAI,MAAM,CAAC;AAC5C,MAAK,QAAQ,QAAQ,UAAa,gBAAgB,OAAO,QAAQ,QAAQ,SACrE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,KAAI,QAAQ,QAAQ,QAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,MAAM,MAAM,UACpB,OAAM,IAAI,yBAAyB,wCAAsC,SAAS,OAAO,eAAe;;AAGhH,KAAI,QAAQ,QAAQ,QAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,OAAO,MAAM,UACrB,OAAM,IAAI,WAAW,wCAAsC,SAAS,OAAO,eAAe;;AAGlG,KAAI,aAAa;EACb,MAAM,MAAM,MAAM,QAAQ;EAC1B,MAAM,MAAM,OAAO,gBAAgB,WAAW,cAAc,KAAK,YAAY;AAC7E,MAAI,MAAM,YAAY,IAClB,OAAM,IAAI,WAAW,8DAA4D,SAAS,OAAO,eAAe;AAEpH,MAAI,MAAM,IAAI,UACV,OAAM,IAAI,yBAAyB,mEAAiE,SAAS,OAAO,eAAe;;AAG3I,QAAO;;AAEX,IAAa,mBAAb,MAA8B;CAC1B;CACA,YAAY,SAAS;AACjB,MAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,UAAU,mCAAmC;AAE3D,QAAKE,UAAW,gBAAgB,QAAQ;;CAE5C,OAAO;AACH,SAAO,QAAQ,OAAO,KAAK,UAAU,MAAKA,QAAS,CAAC;;CAExD,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAKA,QAAS,MAAM,cAAc,gBAAgB,MAAM;WAEnD,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,gBAAgB,MAAM,MAAM,CAAC;MAG/D,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAKA,QAAS,MAAM,cAAc,qBAAqB,MAAM;WAExD,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,qBAAqB,MAAM,MAAM,CAAC;MAGpE,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,UAAU,OACV,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC;WAEhC,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,eAAe,MAAM,MAAM,CAAC;WAEzD,OAAO,UAAU,SACtB,OAAKA,QAAS,MAAM,cAAc,eAAe,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC;MAGjF,OAAKA,QAAS,MAAM,cAAc,eAAe,MAAM;;;;;;ACvOnE,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,MAAM,WAAW,MAAM,cAAc,KAAK,KAAK,QAAQ;AACvD,KAAI,SAAS,gBAAgB,MAAM,SAAS,MAAM,IAAI,SAAS,gBAAgB,QAAQ,MACnF,OAAM,IAAI,WAAW,sCAAsC;CAG/D,MAAM,SAAS;EAAE,SADD,kBAAkB,SAAS,iBAAiB,SAAS,SAAS,QAAQ;EAC5D,iBAAiB,SAAS;EAAiB;AACrE,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;;ACVX,eAAsB,KAAK,KAAK,KAAK,MAAM;CACvC,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,OAAO;AACnD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,UAAU,EAAE,WAAW,KAAK;AACtG,QAAO,IAAI,WAAW,UAAU;;;;;ACCpC,IAAa,gBAAb,MAA2B;CACvB;CACA;CACA;CACA,YAAY,SAAS;AACjB,MAAI,EAAE,mBAAmB,YACrB,OAAM,IAAI,UAAU,4CAA4C;AAEpE,QAAKC,UAAW;;CAEpB,mBAAmB,iBAAiB;AAChC,MAAI,MAAKC,gBACL,OAAM,IAAI,UAAU,6CAA6C;AAErE,QAAKA,kBAAmB;AACxB,SAAO;;CAEX,qBAAqB,mBAAmB;AACpC,MAAI,MAAKC,kBACL,OAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAKA,oBAAqB;AAC1B,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;AACrB,MAAI,CAAC,MAAKD,mBAAoB,CAAC,MAAKC,kBAChC,OAAM,IAAI,WAAW,kFAAkF;AAE3G,MAAI,CAAC,WAAW,MAAKD,iBAAkB,MAAKC,kBAAmB,CAC3D,OAAM,IAAI,WAAW,4EAA4E;EAErG,MAAM,aAAa;GACf,GAAG,MAAKD;GACR,GAAG,MAAKC;GACX;EACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,MAAKD,iBAAkB,WAAW;EACvH,IAAI,MAAM;AACV,MAAI,WAAW,IAAI,MAAM,EAAE;AACvB,SAAM,MAAKA,gBAAiB;AAC5B,OAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;EAGvG,MAAM,EAAE,QAAQ;AAChB,MAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;AAErF,eAAa,KAAK,KAAK,OAAO;EAC9B,IAAI;EACJ,IAAI;AACJ,MAAI,KAAK;AACL,cAAWE,OAAK,MAAKH,QAAS;AAC9B,cAAWI,SAAO,SAAS;SAE1B;AACD,cAAW,MAAKJ;AAChB,cAAW;;EAEf,IAAI;EACJ,IAAI;AACJ,MAAI,MAAKC,iBAAkB;AACvB,2BAAwBE,OAAK,KAAK,UAAU,MAAKF,gBAAiB,CAAC;AACnE,0BAAuBG,SAAO,sBAAsB;SAEnD;AACD,2BAAwB;AACxB,0BAAuB,IAAI,YAAY;;EAE3C,MAAM,OAAO,OAAO,sBAAsBA,SAAO,IAAI,EAAE,SAAS;EAGhE,MAAM,MAAM;GACR,WAAWD,OAFG,MAAM,KAAK,KADnB,MAAM,aAAa,KAAK,IAAI,EACD,KAAK,CAEZ;GAC1B,SAAS;GACZ;AACD,MAAI,MAAKD,kBACL,KAAI,SAAS,MAAKA;AAEtB,MAAI,MAAKD,gBACL,KAAI,YAAY;AAEpB,SAAO;;;;;;ACxFf,IAAa,cAAb,MAAyB;CACrB;CACA,YAAY,SAAS;AACjB,QAAKI,YAAa,IAAI,cAAc,QAAQ;;CAEhD,mBAAmB,iBAAiB;AAChC,QAAKA,UAAW,mBAAmB,gBAAgB;AACnD,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,MAAM,MAAKA,UAAW,KAAK,KAAK,QAAQ;AACpD,MAAI,IAAI,YAAY,OAChB,OAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAO,GAAG,IAAI,UAAU,GAAG,IAAI,QAAQ,GAAG,IAAI;;;;;;ACZtD,IAAa,UAAb,MAAqB;CACjB;CACA;CACA,YAAY,UAAU,EAAE,EAAE;AACtB,QAAKC,MAAO,IAAI,iBAAiB,QAAQ;;CAE7C,UAAU,QAAQ;AACd,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,WAAW,SAAS;AAChB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,YAAY,UAAU;AAClB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,OAAO,OAAO;AACV,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,aAAa,OAAO;AAChB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,kBAAkB,OAAO;AACrB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,YAAY,OAAO;AACf,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,mBAAmB,iBAAiB;AAChC,QAAKC,kBAAmB;AACxB,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,IAAI,YAAY,MAAKD,IAAK,MAAM,CAAC;AAC7C,MAAI,mBAAmB,MAAKC,gBAAiB;AAC7C,MAAI,MAAM,QAAQ,MAAKA,iBAAkB,KAAK,IAC1C,MAAKA,gBAAiB,KAAK,SAAS,MAAM,IAC1C,MAAKA,gBAAiB,QAAQ,MAC9B,OAAM,IAAI,WAAW,sCAAsC;AAE/D,SAAO,IAAI,KAAK,KAAK,QAAQ;;;;;;AC9CrC,SAAS,cAAc,KAAK;AACxB,SAAQ,OAAO,QAAQ,YAAY,IAAI,MAAM,GAAG,EAAE,EAAlD;EACI,KAAK;EACL,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,QACI,OAAM,IAAI,iBAAiB,mDAAiD;;;AAGxF,SAAS,WAAW,MAAM;AACtB,QAAQ,QACJ,OAAO,SAAS,YAChB,MAAM,QAAQ,KAAK,KAAK,IACxB,KAAK,KAAK,MAAM,UAAU;;AAElC,SAAS,UAAU,KAAK;AACpB,QAAO,SAAS,IAAI;;AAExB,IAAM,cAAN,MAAkB;CACd;CACA,0BAAU,IAAI,SAAS;CACvB,YAAY,MAAM;AACd,MAAI,CAAC,WAAW,KAAK,CACjB,OAAM,IAAI,YAAY,6BAA6B;AAEvD,QAAKC,OAAQ,gBAAgB,KAAK;;CAEtC,OAAO;AACH,SAAO,MAAKA;;CAEhB,MAAM,OAAO,iBAAiB,OAAO;EACjC,MAAM,EAAE,KAAK,QAAQ;GAAE,GAAG;GAAiB,GAAG,OAAO;GAAQ;EAC7D,MAAM,MAAM,cAAc,IAAI;EAC9B,MAAM,aAAa,MAAKA,KAAM,KAAK,QAAQ,QAAQ;GAC/C,IAAI,YAAY,QAAQ,IAAI;AAC5B,OAAI,aAAa,OAAO,QAAQ,SAC5B,aAAY,QAAQ,IAAI;AAE5B,OAAI,cAAc,OAAO,IAAI,QAAQ,YAAY,QAAQ,OACrD,aAAY,QAAQ,IAAI;AAE5B,OAAI,aAAa,OAAO,IAAI,QAAQ,SAChC,aAAY,IAAI,QAAQ;AAE5B,OAAI,aAAa,MAAM,QAAQ,IAAI,QAAQ,CACvC,aAAY,IAAI,QAAQ,SAAS,SAAS;AAE9C,OAAI,UACA,SAAQ,KAAR;IACI,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;IACL,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;;AAGZ,UAAO;IACT;EACF,MAAM,EAAE,GAAG,KAAK,WAAW;AAC3B,MAAI,WAAW,EACX,OAAM,IAAI,mBAAmB;AAEjC,MAAI,WAAW,GAAG;GACd,MAAM,QAAQ,IAAI,0BAA0B;GAC5C,MAAM,UAAU,MAAKC;AACrB,SAAM,OAAO,iBAAiB,mBAAmB;AAC7C,SAAK,MAAM,OAAO,WACd,KAAI;AACA,WAAM,MAAM,mBAAmB,SAAS,KAAK,IAAI;YAE/C;;AAGd,SAAM;;AAEV,SAAO,mBAAmB,MAAKA,QAAS,KAAK,IAAI;;;AAGzD,eAAe,mBAAmB,OAAO,KAAK,KAAK;CAC/C,MAAM,SAAS,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,IAAI;AAC5D,KAAI,OAAO,SAAS,QAAW;EAC3B,MAAM,MAAM,MAAM,UAAU;GAAE,GAAG;GAAK,KAAK;GAAM,EAAE,IAAI;AACvD,MAAI,eAAe,cAAc,IAAI,SAAS,SAC1C,OAAM,IAAI,YAAY,+CAA+C;AAEzE,SAAO,OAAO;;AAElB,QAAO,OAAO;;AAElB,SAAgB,kBAAkB,MAAM;CACpC,MAAM,MAAM,IAAI,YAAY,KAAK;CACjC,MAAM,cAAc,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACxF,QAAO,iBAAiB,aAAa,EACjC,MAAM;EACF,aAAa,gBAAgB,IAAI,MAAM,CAAC;EACxC,YAAY;EACZ,cAAc;EACd,UAAU;EACb,EACJ,CAAC;AACF,QAAO;;;;;AClHX,SAAS,sBAAsB;AAC3B,QAAQ,OAAO,kBAAkB,eAC5B,OAAO,cAAc,eAAe,UAAU,cAAc,wBAC5D,OAAO,gBAAgB,eAAe,gBAAgB;;AAE/D,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,CAGtF,cAAa;AAEjB,MAAa,cAAc,QAAQ;AACnC,eAAe,UAAU,KAAK,SAAS,QAAQ,YAAY,OAAO;CAC9D,MAAM,WAAW,MAAM,UAAU,KAAK;EAClC,QAAQ;EACR;EACA,UAAU;EACV;EACH,CAAC,CAAC,OAAO,QAAQ;AACd,MAAI,IAAI,SAAS,eACb,OAAM,IAAI,aAAa;AAE3B,QAAM;GACR;AACF,KAAI,SAAS,WAAW,IACpB,OAAM,IAAI,UAAU,0DAA0D;AAElF,KAAI;AACA,SAAO,MAAM,SAAS,MAAM;SAE1B;AACF,QAAM,IAAI,UAAU,6DAA6D;;;AAGzF,MAAa,YAAY,QAAQ;AACjC,SAAS,iBAAiB,OAAO,aAAa;AAC1C,KAAI,OAAO,UAAU,YAAY,UAAU,KACvC,QAAO;AAEX,KAAI,EAAE,SAAS,UAAU,OAAO,MAAM,QAAQ,YAAY,KAAK,KAAK,GAAG,MAAM,OAAO,YAChF,QAAO;AAEX,KAAI,EAAE,UAAU,UACZ,CAAC,SAAS,MAAM,KAAK,IACrB,CAAC,MAAM,QAAQ,MAAM,KAAK,KAAK,IAC/B,CAAC,MAAM,UAAU,MAAM,KAAK,MAAM,KAAK,MAAM,SAAS,CACtD,QAAO;AAEX,QAAO;;AAEX,IAAM,eAAN,MAAmB;CACf;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,KAAK,SAAS;AACtB,MAAI,EAAE,eAAe,KACjB,OAAM,IAAI,UAAU,iCAAiC;AAEzD,QAAKC,MAAO,IAAI,IAAI,IAAI,KAAK;AAC7B,QAAKC,kBACD,OAAO,SAAS,oBAAoB,WAAW,SAAS,kBAAkB;AAC9E,QAAKC,mBACD,OAAO,SAAS,qBAAqB,WAAW,SAAS,mBAAmB;AAChF,QAAKC,cAAe,OAAO,SAAS,gBAAgB,WAAW,SAAS,cAAc;AACtF,QAAKC,UAAW,IAAI,QAAQ,SAAS,QAAQ;AAC7C,MAAI,cAAc,CAAC,MAAKA,QAAS,IAAI,aAAa,CAC9C,OAAKA,QAAS,IAAI,cAAc,WAAW;AAE/C,MAAI,CAAC,MAAKA,QAAS,IAAI,SAAS,EAAE;AAC9B,SAAKA,QAAS,IAAI,UAAU,mBAAmB;AAC/C,SAAKA,QAAS,OAAO,UAAU,2BAA2B;;AAE9D,QAAKC,cAAe,UAAU;AAC9B,MAAI,UAAU,eAAe,QAAW;AACpC,SAAKC,QAAS,UAAU;AACxB,OAAI,iBAAiB,UAAU,YAAY,MAAKH,YAAa,EAAE;AAC3D,UAAKI,gBAAiB,MAAKD,MAAO;AAClC,UAAKE,QAAS,kBAAkB,MAAKF,MAAO,KAAK;;;;CAI7D,eAAe;AACX,SAAO,CAAC,CAAC,MAAKG;;CAElB,cAAc;AACV,SAAO,OAAO,MAAKF,kBAAmB,WAChC,KAAK,KAAK,GAAG,MAAKA,gBAAiB,MAAKL,mBACxC;;CAEV,QAAQ;AACJ,SAAO,OAAO,MAAKK,kBAAmB,WAChC,KAAK,KAAK,GAAG,MAAKA,gBAAiB,MAAKJ,cACxC;;CAEV,OAAO;AACH,SAAO,MAAKK,OAAQ,MAAM;;CAE9B,MAAM,OAAO,iBAAiB,OAAO;AACjC,MAAI,CAAC,MAAKA,SAAU,CAAC,KAAK,OAAO,CAC7B,OAAM,KAAK,QAAQ;AAEvB,MAAI;AACA,UAAO,MAAM,MAAKA,MAAO,iBAAiB,MAAM;WAE7C,KAAK;AACR,OAAI,eAAe,mBACf;QAAI,KAAK,aAAa,KAAK,OAAO;AAC9B,WAAM,KAAK,QAAQ;AACnB,YAAO,MAAKA,MAAO,iBAAiB,MAAM;;;AAGlD,SAAM;;;CAGd,MAAM,SAAS;AACX,MAAI,MAAKC,gBAAiB,qBAAqB,CAC3C,OAAKA,eAAgB;AAEzB,QAAKA,iBAAkB,UAAU,MAAKT,IAAK,MAAM,MAAKI,SAAU,YAAY,QAAQ,MAAKH,gBAAiB,EAAE,MAAKI,YAAa,CACzH,MAAM,SAAS;AAChB,SAAKG,QAAS,kBAAkB,KAAK;AACrC,OAAI,MAAKF,OAAQ;AACb,UAAKA,MAAO,MAAM,KAAK,KAAK;AAC5B,UAAKA,MAAO,OAAO;;AAEvB,SAAKC,gBAAiB,KAAK,KAAK;AAChC,SAAKE,eAAgB;IACvB,CACG,OAAO,QAAQ;AAChB,SAAKA,eAAgB;AACrB,SAAM;IACR;AACF,QAAM,MAAKA;;;AAGnB,SAAgB,mBAAmB,KAAK,SAAS;CAC7C,MAAM,MAAM,IAAI,aAAa,KAAK,QAAQ;CAC1C,MAAM,eAAe,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACzF,QAAO,iBAAiB,cAAc;EAClC,aAAa;GACT,WAAW,IAAI,aAAa;GAC5B,YAAY;GACZ,cAAc;GACjB;EACD,OAAO;GACH,WAAW,IAAI,OAAO;GACtB,YAAY;GACZ,cAAc;GACjB;EACD,QAAQ;GACJ,aAAa,IAAI,QAAQ;GACzB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACD,WAAW;GACP,WAAW,IAAI,cAAc;GAC7B,YAAY;GACZ,cAAc;GACjB;EACD,MAAM;GACF,aAAa,IAAI,MAAM;GACvB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACJ,CAAC;AACF,QAAO;;;;;;;;ACxJX,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;ACpKlC,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACsBvC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,QAAQ;AAC/B,QAAI,MAAM,QAAQ;KAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,UAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;AAI3C,QAAI,CAAC,MAAM,aAAa,MAAM,UAAU,WAAW,EACjD,MAAK,iBACH,KAAK,yBAAyB,MAAM,KAAK,EACzC,MAAM,KACP;;;EAIR,CAAC;;;;CAKF,AAAU,yBAAyB,WAAmC;AACpE,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAQ;IACxB,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,UAAU;AAGzD,WAAO,KAAK,sBAAsB,OAAO,SAAS,UAAU;;GAE/D;;;;;;;;CASH,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;CAOH,AAAO,WACL,UACA,UAGI,EAAE,EACY;EAClB,MAAM,aAAa,KAAK,SAAS,QAAQ,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAC1E,MAAM,QAAQ,CAAC,GAAI,SAAS,SAAS,EAAE,CAAE;AAGzC,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;EAIzB,IAAI;AAGJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAEH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA,OAAO,QAAQ;GAChB;;;;;;CAOH,AAAO,iBAAiB,UAA0B,WAA0B;EAC1E,MAAM,QAAQ,KAAK,SAAS,UAAU;AACtC,MAAI,CAAC,MAAM,UACT,OAAM,YAAY,EAAE;AAGtB,QAAM,UAAU,KAAK,SAAS;AAC9B,QAAM,UAAU,MAAM,GAAG,OAAO,EAAE,YAAY,QAAQ,EAAE,YAAY,KAAK;;;;;;CAO3E,AAAO,SAAS,WAA2B;EACzC,MAAM,QAAQ,YACV,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU,GAC/C,KAAK,OAAO;AAEhB,MAAI,CAAC,MACH,OAAM,IAAI,mBAAmB,aAAa,UAAU;AAGtD,SAAO;;;;;;;;;;;CAYT,MAAa,6BACX,KACA,UAGI,EAAE,EACiC;EAEvC,MAAM,eAGD,EAAE;AAEP,OAAK,MAAM,SAAS,KAAK,OACvB,MAAK,MAAM,YAAY,MAAM,aAAa,EAAE,CAC1C,cAAa,KAAK;GAAE;GAAU,WAAW,MAAM;GAAM,CAAC;AAK1D,eAAa,MACV,GAAG,OAAO,EAAE,SAAS,YAAY,QAAQ,EAAE,SAAS,YAAY,KAClE;AAGD,OAAK,MAAM,EAAE,UAAU,eAAe,cAAc;GAClD,IAAI;AAEJ,OAAI;AACF,eAAW,MAAM,SAAS,UAAU,IAAW;WACzC;AAEN;;AAGF,OAAI,UAAU;IAGZ,MAAM,OAAO,KAAK,WAAW,UAAU;KACrC,OAAO;KACP,YAAY,QAAQ;KACrB,CAAC;AAEF,UAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;KACrD,OAAO;KACP;KACD,CAAC;AAEF,WAAO;;;;;;;;;;;;CAgBb,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,WAAW,CAAC,GAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;;;;AC74BvB,MAAa,WAAW,YAAqD;AAC3E,QAAO,gBAAgB,iBAAiB,QAAQ;;AA4FlD,IAAa,kBAAb,cAAqC,UAAkC;CACrE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACA,WAAW,EAAE;GACd,CAAC;AAGF,OAAK,MAAM,YAAY,KAAK,QAAQ,aAAa,EAAE,CACjD,MAAK,iBAAiB,SAAS;AAIjC,OAAK,iBAAiB,KAAK,mBAAmB,CAAC;;;;;CAMjD,AAAU,oBAAoC;AAC5C,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAuB;IACvC,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AAGzD,WAAO,KAAK,iBAAiB,sBAC3B,OAAO,SACP,KAAK,KACN;;GAEJ;;;;;;CAOH,AAAO,iBAAiB,UAAgC;AACtD,OAAK,iBAAiB,iBAAiB,UAAU,KAAK,KAAK;;;;;CAM7D,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,cAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgB;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,MAAM,WAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAY,MAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0B;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,QAAQ,QAAQ;;;;;;;ACrYhB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA6B;AACtC,MAAI,CAAC,MAAM,MACT,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;AC7DpB,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,SAA+C;AACxD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;ACrDvB,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;AChCF,IAAa,yBAAb,MAAoC;CAClC,AAAmB,MAAM,SAAS;CAClC,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,cAAc,QAAQ,YAAY;CACrD,AAAmB,SAAS,QAAQ,OAAO;CAE3C,AAAmB,YAA+C,EAAE;CAEpE,AAAmB,cAAc,MAAM;EACrC,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,UAAU,KAAK,OAAO,WAAW,QAAQ,EAAE;AAIpD,QACE,OAAO,QAAQ,YACf,OAAO,QAAQ,WAAW,SAC1B,KAAK,iBAAiB,WAAW,CAAC,WAAW,EAE7C;AAIF,QAAI,OADW,OAAO,QAAQ,WACR,SACpB,MAAK,iBAAiB,iBAAiB;KACrC,MAAM,OAAO;KACb,OAAO,OAAO;KACd,QAAQ,OAAO,MAAM;KACrB,MAAM,OAAO,MAAM;KACpB,CAAC;;;EAIT,CAAC;CAIF,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,cAAc;AAG/C,OAAI,OAAO,QAAQ,WAAW,SAAS,CAAC,QAAQ,MAAM;AACpD,SAAK,IAAI,MAAM,oCAAoC;AACnD;;AAGF,OAAI,YAAY,OAAO,MAAM,OAAO,CAClC;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MACE,OACC,GAAG,SAAS,OAAO,MAAM,QAAQ,GAAG,WAAW,OAAO,MAAM,OAC/D;AAEH,OAAI;AACF,YAAQ,OAAO,KAAK,mCAClB,SACA,WACD;IAED,MAAM,QAAQ,OAAO;AACrB,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BACA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;YACM,OAAO;AACd,QAAI,OAAO,QAAQ,UAAU,WAC3B,OAAM;AAGR,SAAK,IAAI,MAAM,qCAAqC;;;EAGzD,CAAC;CAEF,AAAmB,YAAY,MAAM;EACnC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,SAAS,YAAY;AAErC,OAAI,MAAM,WAAW,OAAO;AAC1B,SAAK,IAAI,MACP,0DACD;AACD;;AAGF,OAAI,YAAY,MAAM,OAAO,CAC3B;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MAAM,OAAO,GAAG,SAAS,MAAM,QAAQ,GAAG,WAAW,MAAM,OAAO;GAErE,MAAM,QACJ,OAAO,MAAM,WAAW,WAAW,MAAM,OAAO,QAAQ;AAE1D,OAAI;AAEF,YAAQ,OAAO,MAAM,KAAK,iBAAiB,6BACzC,SACA;KAAE;KAAY;KAAO,CACtB;AAGD,QAAI,CAAC,QAAQ,MAAM;AAEjB,SAAI,MAAM,UAAU,YAAY;AAE9B,UAAI,CAAC,QAAQ,QAAQ,cACnB,OAAM,IAAI,kBACR,yDACD;AAEH,YAAM,IAAI,kBAAkB,0BAA0B;;AAGxD,UAAK,IAAI,MACP,wEACD;AACD;;AAGF,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BAEA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;AAED,SAAK,IAAI,MAAM,yBAAyB;KACtC,MAAM,QAAQ;KACd;KACD,CAAC;YACK,OAAO;AACd,QAAI,MAAM,UAAU,WAClB,OAAM;AAIR,SAAK,IAAI,MACP,sDACA,MACD;;;EAGN,CAAC;CAIF,AAAU,MAAM,MAAwB,QAA2B;AACjE,MAAI,OAAO,OACT;OAAI,KAAK,UAAU,OAAO,MACxB,OAAM,IAAI,eACR,8BAA8B,OAAO,MAAM,wBAC5C;;;;;;;;;;;;;;CAgBP,AAAU,mCACR,SACA,YACkB;EAClB,MAAM,cACJ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAEpD,MAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAE/D,IAAI;EAEJ,MAAM,cAAc,KAAK,OAAO,QAAQ,IAAmB,UAAU,EAAE;EACvE,MAAM,aAAa,KAAK,OAAO,MAAM,IACnC,qCACD;AAED,MAAI,SAAS,SACX,QAAO;WACE,SAAS,UAClB,QAAO;MAEP,QAAO,eAAe,eAAe;AAGvC,MAAI,CAAC,KACH,OAAM,IAAI,kBAAkB,2CAA2C;EAGzE,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,IAAI;AAEJ,MAAI,YAAY;GACd,MAAM,SAAS,KAAK,iBAAiB,gBACnC,YACA,GAAG,MACJ;AACD,OAAI,CAAC,OAAO,aACV,OAAM,IAAI,eACR,eAAe,KAAK,iBAAiB,mBAAmB,WAAW,CAAC,8BACrE;AAEH,eAAY,OAAO;;AAIrB,SAAO;GACL,GAAG;GACH;GACD;;CAOH,AAAU,iBAAmC;AAC3C,SAAO;GACL,IAAI,YAAY;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAKF,OAAI,CAAC,QAAQ,KACX;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;;ACpSJ,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,OAAO,YAAY,QAAQ,KAAK;AAE5D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;;;;;;;;;ACsEF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAS;EAAO;EAAa;EAAW;CACrD,UAAU;EACR;EACA;EACA;EACA;EACA;EACD;CACD,WAAW,WAAmB;AAE5B,SAAO,KAAK,iBAAiB;AAC7B,SAAO,KAAK,YAAY;AACxB,SAAO,KAAK,eAAe;AAG3B,MAAI,OAAO,IAAI,aAAa,EAAE;AAC5B,UAAO,KAAK,uBAAuB;AACnC,UAAO,KAAK,wBAAwB;;;CAGzC,CAAC;;;;AAKF,MAAa,uBAAuB"}
1
+ {"version":3,"file":"index.js","names":["encode","decodeBase64URL","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u","encode","#payload","#payload","#protectedHeader","#unprotectedHeader","b64u","encode","#flattened","#jwt","#protectedHeader","#jwks","#cached","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#headers","#customFetch","#cache","#jwksTimestamp","#local","#pendingFetch"],"sources":["../../src/security/providers/ServerBasicAuthProvider.ts","../../src/security/primitives/$basicAuth.ts","../../src/security/errors/SecurityError.ts","../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../../../node_modules/jose/dist/webapi/lib/base64.js","../../../../node_modules/jose/dist/webapi/util/base64url.js","../../../../node_modules/jose/dist/webapi/util/errors.js","../../../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../../../node_modules/jose/dist/webapi/lib/is_disjoint.js","../../../../node_modules/jose/dist/webapi/lib/is_object.js","../../../../node_modules/jose/dist/webapi/lib/check_key_length.js","../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../../../node_modules/jose/dist/webapi/key/import.js","../../../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../../../node_modules/jose/dist/webapi/lib/is_jwk.js","../../../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../../../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../../../../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../../../../node_modules/jose/dist/webapi/lib/verify.js","../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../../../node_modules/jose/dist/webapi/jws/compact/verify.js","../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../../../../node_modules/jose/dist/webapi/jwt/verify.js","../../../../node_modules/jose/dist/webapi/lib/sign.js","../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/jose/dist/webapi/jwt/sign.js","../../../../node_modules/jose/dist/webapi/jwks/local.js","../../../../node_modules/jose/dist/webapi/jwks/remote.js","../../src/security/providers/JwtProvider.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/providers/CryptoProvider.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.ts"],"sourcesContent":["import { timingSafeEqual } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n HttpError,\n type ServerRequest,\n ServerRouterProvider,\n} from \"alepha/server\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface BasicAuthOptions {\n username: string;\n password: string;\n}\n\nexport interface BasicAuthPrimitiveConfig extends BasicAuthOptions {\n /**\n * Name identifier for this basic auth (default: property key).\n */\n name?: string;\n /**\n * Path patterns to match (supports wildcards like /devtools/*).\n */\n paths?: string[];\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class ServerBasicAuthProvider {\n protected readonly alepha = $inject(Alepha);\n protected readonly log = $logger();\n protected readonly routerProvider = $inject(ServerRouterProvider);\n protected readonly realm = \"Secure Area\";\n\n /**\n * Registered basic auth primitives with their configurations\n */\n public readonly registeredAuths: BasicAuthPrimitiveConfig[] = [];\n\n /**\n * Register a basic auth configuration (called by primitives)\n */\n public registerAuth(config: BasicAuthPrimitiveConfig): void {\n this.registeredAuths.push(config);\n }\n\n public readonly onStart = $hook({\n on: \"start\",\n handler: async () => {\n for (const auth of this.registeredAuths) {\n if (auth.paths) {\n for (const pattern of auth.paths) {\n const matchedRoutes = this.routerProvider.getRoutes(pattern);\n for (const route of matchedRoutes) {\n route.secure = {\n basic: {\n username: auth.username,\n password: auth.password,\n },\n };\n }\n }\n }\n }\n\n if (this.registeredAuths.length > 0) {\n this.log.info(\n `Initialized with ${this.registeredAuths.length} registered basic-auth configurations.`,\n );\n }\n },\n });\n\n /**\n * Hook into server:onRequest to check basic auth\n */\n public readonly onRequest = $hook({\n on: \"server:onRequest\",\n handler: async ({ route, request }) => {\n const routeAuth = route.secure;\n if (\n typeof routeAuth === \"object\" &&\n \"basic\" in routeAuth &&\n routeAuth.basic\n ) {\n this.checkAuth(request, routeAuth.basic);\n }\n },\n });\n\n /**\n * Hook into action:onRequest to check basic auth for actions\n */\n public readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async ({ action, request }) => {\n const routeAuth = action.route.secure;\n if (isBasicAuth(routeAuth)) {\n this.checkAuth(request, routeAuth.basic);\n }\n },\n });\n\n /**\n * Check basic authentication\n */\n public checkAuth(request: ServerRequest, options: BasicAuthOptions): void {\n const authHeader = request.headers?.authorization;\n\n if (!authHeader || !authHeader.startsWith(\"Basic \")) {\n this.sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n // decode base64 credentials\n const base64Credentials = authHeader.slice(6); // Remove \"Basic \"\n const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n \"utf-8\",\n );\n\n // split only on the first colon to handle passwords with colons\n const colonIndex = credentials.indexOf(\":\");\n const username =\n colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n const password = colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n // verify credentials using timing-safe comparison to prevent timing attacks\n const isValid = this.timingSafeCredentialCheck(\n username,\n password,\n options.username,\n options.password,\n );\n\n if (!isValid) {\n this.sendAuthRequired(request);\n this.log.warn(`Failed basic auth attempt for user`, {\n username,\n });\n throw new HttpError({\n status: 401,\n message: \"Invalid credentials\",\n });\n }\n }\n\n /**\n * Performs a timing-safe comparison of credentials to prevent timing attacks.\n * Always compares both username and password to avoid leaking which one is wrong.\n */\n protected timingSafeCredentialCheck(\n inputUsername: string,\n inputPassword: string,\n expectedUsername: string,\n expectedPassword: string,\n ): boolean {\n // Convert to buffers for timing-safe comparison\n const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n // timingSafeEqual requires same-length buffers\n // When lengths differ, we compare against a dummy buffer to maintain constant time\n const userMatch = this.safeCompare(inputUserBuf, expectedUserBuf);\n const passMatch = this.safeCompare(inputPassBuf, expectedPassBuf);\n\n // Both must match - bitwise AND avoids short-circuit evaluation\n // eslint-disable-next-line no-bitwise\n return (userMatch & passMatch) === 1;\n }\n\n /**\n * Compares two buffers in constant time, handling different lengths safely.\n * Returns 1 if equal, 0 if not equal.\n */\n protected safeCompare(input: Buffer, expected: Buffer): number {\n // If lengths differ, compare input against itself to maintain timing\n // but return 0 (not equal)\n if (input.length !== expected.length) {\n // Still perform a comparison to keep timing consistent\n timingSafeEqual(input, input);\n return 0;\n }\n\n return timingSafeEqual(input, expected) ? 1 : 0;\n }\n\n /**\n * Send WWW-Authenticate header\n */\n protected sendAuthRequired(request: ServerRequest): void {\n request.reply.setHeader(\"WWW-Authenticate\", `Basic realm=\"${this.realm}\"`);\n }\n}\n\nexport const isBasicAuth = (\n value: unknown,\n): value is { basic: BasicAuthOptions } => {\n return (\n typeof value === \"object\" && !!value && \"basic\" in value && !!value.basic\n );\n};\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type {\n BasicAuthOptions,\n BasicAuthPrimitiveConfig,\n} from \"../providers/ServerBasicAuthProvider.ts\";\nimport { ServerBasicAuthProvider } from \"../providers/ServerBasicAuthProvider.ts\";\n\n/**\n * Declares HTTP Basic Authentication for server routes.\n * This primitive provides methods to protect routes with username/password authentication.\n */\nexport const $basicAuth = (\n options: BasicAuthPrimitiveConfig,\n): AbstractBasicAuthPrimitive => {\n return createPrimitive(BasicAuthPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface AbstractBasicAuthPrimitive {\n readonly name: string;\n readonly options: BasicAuthPrimitiveConfig;\n check(request: ServerRequest, options?: BasicAuthOptions): void;\n}\n\nexport class BasicAuthPrimitive\n extends Primitive<BasicAuthPrimitiveConfig>\n implements AbstractBasicAuthPrimitive\n{\n protected readonly serverBasicAuthProvider = $inject(ServerBasicAuthProvider);\n\n public get name(): string {\n return this.options.name ?? `${this.config.propertyKey}`;\n }\n\n protected onInit() {\n // Register this auth configuration with the provider\n this.serverBasicAuthProvider.registerAuth(this.options);\n }\n\n /**\n * Checks basic auth for the given request using this primitive's configuration.\n */\n public check(request: ServerRequest, options?: BasicAuthOptions): void {\n const mergedOptions = { ...this.options, ...options };\n this.serverBasicAuthProvider.checkAuth(request, mergedOptions);\n }\n}\n\n$basicAuth[KIND] = BasicAuthPrimitive;\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/sign.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n if (this.#protectedHeader) {\n throw new TypeError('setProtectedHeader can only be called once');\n }\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n if (this.#unprotectedHeader) {\n throw new TypeError('setUnprotectedHeader can only be called once');\n }\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /**\n * Adds a key loader to the embedded keystore.\n *\n * @param name\n * @param secretKeyOrJwks\n */\n public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.info(\n `will verify JWTs from key '${name}' with JWKS object (x${secretKeyOrJwks.keys.length})`,\n );\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.info(\n `will verify JWTs from '${name}' with secret a key (${secretKey.length} bytes)`,\n );\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.info(\n `will verify JWTs from '${name}' with JWKS ${secretKeyOrJwks}`,\n );\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /**\n * Retrieves the payload from a JSON Web Token (JWT).\n *\n * @param token - The JWT to extract the payload from.\n *\n * @return A Promise that resolves with the payload object from the token.\n */\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /**\n * Creates a JWT token with the provided payload and secret key.\n *\n * @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n *\n * @returns The signed JWT token.\n */\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /**\n * Determines if the provided key is a secret key.\n *\n * @param key\n * @protected\n */\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organizations?: string[];\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","import {\n $env,\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n type Static,\n t,\n} from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver, UserInfo } from \"../interfaces/IssuerResolver.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport const DEFAULT_APP_SECRET = \"05759934015388327323179852515731\"; // (32)\n\nconst envSchema = t.object({\n APP_SECRET: t.text({\n default: DEFAULT_APP_SECRET,\n }),\n});\n\ndeclare module \"alepha\" {\n interface Env extends Partial<Static<typeof envSchema>> {}\n}\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly env = $env(envSchema);\n protected readonly alepha = $inject(Alepha);\n\n public get secretKey() {\n return this.env.APP_SECRET;\n }\n\n /**\n * The permissions configured for the security provider.\n */\n protected readonly permissions: Permission[] = [];\n\n /**\n * The realms configured for the security provider.\n */\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.env.APP_SECRET,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"*\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n if (this.alepha.isProduction() && this.secretKey === DEFAULT_APP_SECRET) {\n this.log.warn(\n \"Using default APP_SECRET in production is not recommended. Please set a strong APP_SECRET value.\",\n );\n }\n\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n\n // Register default JWT resolver for realms without resolvers\n if (!realm.resolvers || realm.resolvers.length === 0) {\n this.registerResolver(\n this.createDefaultJwtResolver(realm.name),\n realm.name,\n );\n }\n }\n },\n });\n\n /**\n * Creates a default JWT resolver for a realm.\n */\n protected createDefaultJwtResolver(realmName: string): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, realmName);\n\n // Extract user info from JWT payload\n return this.createUserFromPayload(result.payload, realmName);\n },\n };\n }\n\n /**\n * Adds a role to one or more realms.\n *\n * @param role\n * @param realms\n */\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"*\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n if (name.endsWith(\":*\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":*\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /**\n * Adds a permission to the security provider.\n *\n * @param raw - The permission to add.\n */\n public createPermission(raw: Permission | string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n this.log.warn(`Permission '${asString}' already exists. Skipping.`, {\n current: existing,\n new: permission,\n });\n\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /**\n * Updates the roles for a realm then synchronizes the user account provider if available.\n *\n * Only available when the app is started.\n *\n * @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n */\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Creates a user account from the provided payload.\n *\n * @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n *\n * @returns The user info created from the payload.\n */\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organizations = this.getOrganizationsFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organizations,\n sessionId,\n };\n }\n\n /**\n * Generic user creation from any source (JWT, API key, etc.).\n * Handles permission checking, ownership, default roles.\n */\n public createUser(\n userInfo: UserInfo,\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): UserAccountToken {\n const realmRoles = this.getRoles(options.realm).filter((it) => it.default);\n const roles = [...(userInfo.roles ?? [])];\n\n // Add default roles\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n let ownership: string | boolean | undefined;\n\n // Permission check\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n ownership = check.ownership;\n }\n\n return {\n ...userInfo,\n roles,\n ownership,\n realm: options.realm,\n };\n }\n\n /**\n * Register a resolver to a realm.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver, realmName?: string): void {\n const realm = this.getRealm(realmName);\n if (!realm.resolvers) {\n realm.resolvers = [];\n }\n\n realm.resolvers.push(resolver);\n realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));\n }\n\n /**\n * Get a realm by name.\n * Throws if realm not found.\n */\n public getRealm(realmName?: string): Realm {\n const realm = realmName\n ? this.realms.find((it) => it.name === realmName)\n : this.realms[0];\n\n if (!realm) {\n throw new RealmNotFoundError(realmName ?? \"default\");\n }\n\n return realm;\n }\n\n /**\n * Resolve user from request using registered resolvers.\n * Returns undefined if no resolver could authenticate (no auth provided).\n * Throws UnauthorizedError if auth was provided but invalid.\n *\n * Note: This method tries resolvers from ALL realms to find a match,\n * regardless of the `realm` option. The `realm` option is only used for\n * permission checking after the user is resolved.\n */\n public async resolveUserFromServerRequest(\n req: { url: URL | string; headers: { authorization?: string } },\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): Promise<UserAccountToken | undefined> {\n // Collect all resolvers from all realms with their realm name\n const allResolvers: Array<{\n resolver: IssuerResolver;\n realmName: string;\n }> = [];\n\n for (const realm of this.realms) {\n for (const resolver of realm.resolvers ?? []) {\n allResolvers.push({ resolver, realmName: realm.name });\n }\n }\n\n // Sort by priority\n allResolvers.sort(\n (a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100),\n );\n\n // Try resolvers in priority order\n for (const { resolver, realmName } of allResolvers) {\n let userInfo: UserInfo | null;\n\n try {\n userInfo = await resolver.onRequest(req as any);\n } catch {\n // Resolver failed (e.g., wrong key), try next\n continue;\n }\n\n if (userInfo) {\n // User was resolved - now create user and check permissions\n // (errors from createUser should propagate, not be caught)\n const user = this.createUser(userInfo, {\n realm: realmName,\n permission: options.permission,\n });\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm: realmName,\n user,\n });\n\n return user;\n }\n }\n\n // No resolver matched = no auth provided\n return undefined;\n }\n\n /**\n * Checks if the user has the specified permission.\n *\n * Bonus: we check also if the user has \"ownership\" flag.\n *\n * @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n */\n public checkPermission(\n permissionLike: string | Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"*\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":*\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /**\n * Creates a user account from the provided payload.\n */\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission | string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(\"Bearer\", \"\").trim();\n if (typeof token !== \"string\" || token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string | boolean | undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /**\n * Checks if a user has a specific role.\n *\n * @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n */\n public can(roleName: string, permission: string | Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /**\n * Checks if a user has ownership of a specific permission.\n */\n public ownership(\n roleName: string,\n permission: string | Permission,\n ): string | boolean | undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /**\n * Converts a permission object to a string.\n *\n * @param permission\n */\n public permissionToString(permission: Permission | string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /**\n * Retrieves the user account from the provided user ID.\n *\n * @param realm\n */\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /**\n * Returns all permissions.\n *\n * @param user - Filter permissions by user.\n *\n * @return An array containing all permissions.\n */\n public getPermissions(user?: {\n roles?: Array<Role | string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"*\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"*\") {\n // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":*\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /**\n * Retrieves the user ID from the provided payload object.\n *\n * @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n */\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /**\n * Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n */\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /**\n * Returns the name from the given payload.\n *\n * @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n */\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationsFromPayload(\n payload: Record<string, any>,\n ): string[] | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.organization) {\n if (typeof payload.organization === \"string\") {\n return [payload.organization];\n }\n if (Array.isArray(payload.organization)) {\n return payload.organization;\n }\n }\n }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /**\n * The secret key for the realm.\n *\n * Can be also a JWKS URL.\n */\n secret?: string | JSONWebKeySet | (() => string);\n\n /**\n * Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n */\n profile?: (raw: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers for this realm (sorted by priority).\n */\n resolvers?: IssuerResolver[];\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string | boolean | undefined;\n}\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver } from \"../interfaces/IssuerResolver.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new issuer.\n *\n * An issuer is responsible for creating and verifying JWT tokens.\n * It can be internal (with a secret) or external (with a JWKS).\n */\nexport const $issuer = (options: IssuerPrimitiveOptions): IssuerPrimitive => {\n return createPrimitive(IssuerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type IssuerPrimitiveOptions = {\n /**\n * Define the issuer name.\n * If not provided, it will use the property key.\n */\n name?: string;\n\n /**\n * Short description about the issuer.\n */\n description?: string;\n\n /**\n * All roles available in the issuer. Role is a string (role name) or a Role object (embedded role).\n */\n roles?: Array<string | Role>;\n\n /**\n * Issuer settings.\n */\n settings?: IssuerSettings;\n\n /**\n * Parse the JWT payload to create a user account info.\n */\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers (in addition to default JWT resolver).\n */\n resolvers?: IssuerResolver[];\n} & (IssuerInternal | IssuerExternal);\n\nexport interface IssuerSettings {\n accessToken?: {\n /**\n * Lifetime of the access token.\n * @default 15 minutes\n */\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /**\n * Lifetime of the refresh token.\n * @default 30 days\n */\n expiration?: DurationLike;\n\n // TODO: expirationIdle (max inactive time before the token is invalidated)\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type IssuerInternal = {\n /**\n * Internal secret to sign JWT tokens and verify them.\n */\n secret: string;\n};\n\nexport interface IssuerExternal {\n /**\n * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n */\n jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n resolvers: [],\n });\n\n // Register custom resolvers first (they usually have lower priority)\n for (const resolver of this.options.resolvers ?? []) {\n this.registerResolver(resolver);\n }\n\n // Register default JWT resolver (priority 100)\n this.registerResolver(this.createJwtResolver());\n }\n\n /**\n * Creates the default JWT resolver.\n */\n protected createJwtResolver(): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req: ServerRequest) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, this.name);\n\n // Extract user info from JWT payload\n return this.securityProvider.createUserFromPayload(\n result.payload,\n this.name,\n );\n },\n };\n }\n\n /**\n * Register a resolver to this issuer.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver): void {\n this.securityProvider.registerResolver(resolver, this.name);\n }\n\n /**\n * Get all roles in the issuer.\n */\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /**\n * Set all roles in the issuer.\n */\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /**\n * Get a role by name, throws an error if not found.\n */\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /**\n * Create a token for the subject.\n */\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string | undefined = refreshToken?.sid;\n let refresh_token: string | undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number | undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organizations: user.organizations,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // extract user from an expired token\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$issuer[KIND] = IssuerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /**\n * Name of the permission. Use Property name is not provided.\n */\n name?: string;\n\n /**\n * Group of the permission. Use Class name is not provided.\n */\n group?: string;\n\n /**\n * Describe the permission.\n */\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group || this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /**\n * Check if the user has the permission.\n */\n public can(user?: UserAccount): boolean {\n if (!user?.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { IssuerPrimitive } from \"./$issuer.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /**\n * Name of the role.\n */\n name?: string;\n\n /**\n * Describe the role.\n */\n description?: string;\n\n issuer?: string | IssuerPrimitive;\n\n permissions?: Array<\n | string\n | {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /**\n * Get the issuer of the role.\n */\n public get issuer(): string | IssuerPrimitive | undefined {\n return this.options.issuer;\n }\n\n public can(permission: string | PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string | PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomBytes, randomUUID, scrypt, timingSafeEqual } from \"node:crypto\";\nimport { promisify } from \"node:util\";\n\nconst scryptAsync = promisify(scrypt);\n\nexport class CryptoProvider {\n public async hashPassword(password: string): Promise<string> {\n const salt = randomBytes(16).toString(\"hex\"); // 128-bit salt\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n return `${salt}:${derivedKey.toString(\"hex\")}`;\n }\n\n public async verifyPassword(\n password: string,\n stored: string,\n ): Promise<boolean> {\n // Validate input format\n if (!stored || typeof stored !== \"string\") {\n return false;\n }\n\n const parts = stored.split(\":\");\n if (parts.length !== 2) {\n return false;\n }\n\n const [salt, originalHex] = parts;\n\n // Validate salt and hash are non-empty\n if (!salt || !originalHex) {\n return false;\n }\n\n // Validate hex format (must be even length and valid hex)\n if (originalHex.length % 2 !== 0 || !/^[0-9a-f]+$/i.test(originalHex)) {\n return false;\n }\n\n try {\n const derivedKey = (await scryptAsync(password, salt, 64)) as Buffer;\n const originalKey = Buffer.from(originalHex, \"hex\");\n\n // Validate buffer lengths match (scrypt should produce 64 bytes)\n if (derivedKey.length !== originalKey.length) {\n return false;\n }\n\n // Important: prevent timing attacks\n return timingSafeEqual(derivedKey, originalKey);\n } catch (error) {\n // Handle any errors during verification (e.g., invalid salt encoding)\n return false;\n }\n }\n\n public randomUUID(): string {\n return randomUUID();\n }\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organizations: t.optional(\n t.array(t.text(), {\n description: \"List of organizations the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport {\n $action,\n ForbiddenError,\n type ServerRequest,\n UnauthorizedError,\n} from \"alepha/server\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\nimport { SecurityProvider } from \"./SecurityProvider.ts\";\nimport {\n type BasicAuthOptions,\n isBasicAuth,\n} from \"./ServerBasicAuthProvider.ts\";\n\nexport class ServerSecurityProvider {\n protected readonly log = $logger();\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly jwtProvider = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n\n protected readonly resolvers: Array<ServerSecurityUserResolver> = [];\n\n protected readonly onConfigure = $hook({\n on: \"configure\",\n handler: async () => {\n for (const action of this.alepha.primitives($action)) {\n // -------------------------------------------------------------------------------------------------------------\n // Only create permission when secure is explicitly set to true\n // Actions are public by default (like $route)\n // -------------------------------------------------------------------------------------------------------------\n if (\n action.options.disabled ||\n action.options.secure !== true ||\n this.securityProvider.getRealms().length === 0\n ) {\n continue;\n }\n\n this.securityProvider.createPermission({\n name: action.name,\n group: action.group,\n method: action.route.method,\n path: action.route.path,\n });\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n protected readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async ({ action, request, options }) => {\n const secure = action.options.secure;\n\n // Skip security if not explicitly enabled (secure: true or secure: { realm: ... })\n // Actions are public by default (like $route)\n if (secure !== true && typeof secure !== \"object\" && !options.user) {\n this.log.trace(\"Skipping security check for action - not secured\");\n return;\n }\n\n if (isBasicAuth(action.route.secure)) {\n return;\n }\n\n const permission = this.securityProvider\n .getPermissions()\n .find(\n (it) =>\n it.path === action.route.path && it.method === action.route.method,\n );\n\n try {\n request.user = this.createUserFromLocalFunctionContext(\n options,\n permission,\n );\n\n const route = action.route;\n if (typeof route.secure === \"object\") {\n this.check(request.user, route.secure);\n }\n\n this.alepha.store.set(\n \"alepha.server.request.user\",\n this.alepha.codec.decode(userAccountInfoSchema, request.user),\n );\n } catch (error) {\n if (secure === true || typeof secure === \"object\" || permission) {\n throw error;\n }\n // else, we skip the security check\n this.log.trace(\"Skipping security check for action\");\n }\n },\n });\n\n protected readonly onRequest = $hook({\n on: \"server:onRequest\",\n priority: \"last\",\n handler: async ({ request, route }) => {\n // Skip entirely only if explicitly disabled\n if (route.secure === false) {\n this.log.trace(\n \"Skipping security check for route - explicitly disabled\",\n );\n return;\n }\n\n if (isBasicAuth(route.secure)) {\n return;\n }\n\n const permission = this.securityProvider\n .getPermissions()\n .find((it) => it.path === route.path && it.method === route.method);\n\n const realm =\n typeof route.secure === \"object\" ? route.secure.realm : undefined;\n\n try {\n // Try to resolve user (JWT, API key, etc.) - even for public routes (optional auth)\n request.user = await this.securityProvider.resolveUserFromServerRequest(\n request,\n { permission, realm },\n );\n\n // No user resolved?\n if (!request.user) {\n // Route requires auth → throw\n if (\n route.secure === true ||\n typeof route.secure === \"object\" ||\n permission\n ) {\n // Provide a more specific error message when no auth header was provided\n if (!request.headers.authorization) {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n throw new UnauthorizedError(\"Authentication required\");\n }\n // Route is public → skip (but we tried to resolve user for optional auth)\n this.log.trace(\n \"Skipping security check for route - no auth provided and not required\",\n );\n return;\n }\n\n if (typeof route.secure === \"object\") {\n this.check(request.user, route.secure);\n }\n\n this.alepha.store.set(\n \"alepha.server.request.user\",\n // remove sensitive info\n this.alepha.codec.decode(userAccountInfoSchema, request.user),\n );\n\n this.log.trace(\"User set from request\", {\n user: request.user,\n permission,\n });\n } catch (error) {\n if (\n route.secure === true ||\n typeof route.secure === \"object\" ||\n permission\n ) {\n throw error;\n }\n\n // else, we skip the security check (route is public)\n this.log.trace(\n \"Skipping security check for route - error occurred\",\n error,\n );\n }\n },\n });\n\n // -------------------------------------------------------------------------------------------------------------------\n\n protected check(user: UserAccountToken, secure: ServerRouteSecure) {\n if (secure.realm) {\n if (user.realm !== secure.realm) {\n throw new ForbiddenError(\n `User must belong to realm '${secure.realm}' to access this route`,\n );\n }\n }\n }\n\n /**\n * Get the user account token for a local action call.\n * There are three possible sources for the user:\n * - `options.user`: the user passed in the options\n * - `\"system\"`: the system user from the state (you MUST set state `server.security.system.user`)\n * - `\"context\"`: the user from the request context (you MUST be in an HTTP request context)\n *\n * Priority order: `options.user` > `\"system\"` > `\"context\"`.\n *\n * In testing environment, if no user is provided, a test user is created based on the SecurityProvider's roles.\n */\n protected createUserFromLocalFunctionContext(\n options: { user?: UserAccountToken | \"system\" | \"context\" },\n permission?: Permission,\n ): UserAccountToken {\n const fromOptions =\n typeof options.user === \"object\" ? options.user : undefined;\n\n const type = typeof options.user === \"string\" ? options.user : undefined;\n\n let user: UserAccountToken | undefined;\n\n const fromContext = this.alepha.context.get<ServerRequest>(\"request\")?.user;\n const fromSystem = this.alepha.store.get(\n \"alepha.server.security.system.user\",\n );\n\n if (type === \"system\") {\n user = fromSystem;\n } else if (type === \"context\") {\n user = fromContext;\n } else {\n user = fromOptions ?? fromContext ?? fromSystem;\n }\n\n if (!user) {\n throw new UnauthorizedError(\"User is required for calling this action\");\n }\n\n const roles = user.roles ?? [];\n let ownership: boolean | string | undefined;\n\n if (permission) {\n const result = this.securityProvider.checkPermission(\n permission,\n ...roles,\n );\n if (!result.isAuthorized) {\n throw new ForbiddenError(\n `Permission '${this.securityProvider.permissionToString(permission)}' is required for this route`,\n );\n }\n ownership = result.ownership;\n }\n\n // create a new user object with ownership if needed\n return {\n ...user,\n ownership,\n };\n }\n\n // ---------------------------------------------------------------------------------------------------------------\n // TESTING ONLY\n // ---------------------------------------------------------------------------------------------------------------\n\n protected createTestUser(): UserAccountToken {\n return {\n id: randomUUID(),\n name: \"Test\",\n roles: this.securityProvider.getRoles().map((role) => role.name),\n };\n }\n\n protected readonly onClientRequest = $hook({\n on: \"client:onRequest\",\n handler: async ({ request, options }) => {\n if (!this.alepha.isTest()) {\n return;\n }\n\n // skip helper if user is explicitly set to undefined\n //if (\"user\" in options && options.user === undefined) {\n if (!options.user) {\n return;\n }\n\n request.headers = new Headers(request.headers);\n\n if (!request.headers.has(\"authorization\")) {\n const test = this.createTestUser();\n const user =\n typeof options?.user === \"object\" ? options.user : undefined;\n const sub = user?.id ?? test.id;\n const roles = user?.roles ?? test.roles;\n\n const token = await this.jwtProvider.create(\n {\n sub,\n roles,\n },\n user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n );\n\n request.headers.set(\"authorization\", `Bearer ${token}`);\n }\n },\n });\n}\n\nexport type ServerRouteSecure = {\n realm?: string;\n basic?: BasicAuthOptions;\n};\n\nexport type ServerSecurityUserResolver = (\n request: ServerRequest,\n) => Promise<UserAccountToken | undefined>;\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { $context } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, IssuerPrimitive } from \"./$issuer.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n *\n * async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n */\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new Error(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new Error(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new Error(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token || !json.expires_in) {\n throw new Error(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.issuer.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in milliseconds before token expiration\n} & (\n | {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n | {\n issuer: IssuerPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /**\n * Get Token URL.\n */\n url: string;\n\n /**\n * Client ID.\n */\n clientId: string;\n\n /**\n * Client Secret.\n */\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module, type Alepha } from \"alepha\";\nimport { AlephaServer, type FetchOptions } from \"alepha/server\";\nimport type { UserAccountToken } from \"./interfaces/UserAccountToken.ts\";\nimport { $basicAuth } from \"./primitives/$basicAuth.ts\";\nimport { $issuer } from \"./primitives/$issuer.ts\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { CryptoProvider } from \"./providers/CryptoProvider.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport { ServerBasicAuthProvider } from \"./providers/ServerBasicAuthProvider.ts\";\nimport { ServerSecurityProvider } from \"./providers/ServerSecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/IssuerResolver.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$basicAuth.ts\";\nexport * from \"./primitives/$issuer.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/CryptoProvider.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./providers/ServerBasicAuthProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\nimport type { ServerRouteSecure } from \"./providers/ServerSecurityProvider.ts\";\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n\n interface State {\n /**\n * Real (or fake) user account, used for internal actions.\n *\n * If you define this, you assume that all actions are executed by this user by default.\n * > To force a different user, you need to pass it explicitly in the options.\n */\n \"alepha.server.security.system.user\"?: UserAccountToken;\n\n /**\n * The authenticated user account attached to the server request state.\n *\n * @internal\n */\n \"alepha.server.request.user\"?: UserAccount;\n }\n}\n\ndeclare module \"alepha/server\" {\n interface ServerRequest<TConfig> {\n user?: UserAccountToken; // for all routes, user is maybe present\n }\n\n interface ServerActionRequest<TConfig> {\n user: UserAccountToken; // for actions, user is always present\n }\n\n interface ServerRoute {\n /**\n * If true, the route will be protected by the security provider.\n * All actions are secure by default, but you can disable it for specific actions.\n */\n secure?: boolean | ServerRouteSecure;\n }\n\n interface ClientRequestOptions extends FetchOptions {\n /**\n * Forward user from the previous request.\n * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n * If \"context\", use the user from the current context (e.g. request).\n *\n * @default \"system\" if provided, else \"context\" if available.\n */\n user?: UserAccountToken | \"system\" | \"context\";\n }\n}\n\n/**\n * | type | quality | stability |\n * |------|---------|-----------|\n * | backend | epic | stable |\n *\n * Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.\n *\n * **Features:**\n * - JWT token issuer with role definitions\n * - Role-based access control (RBAC)\n * - Fine-grained permissions\n * - HTTP Basic Authentication\n * - Service-to-service authentication\n * - Multi-issuer support for federated auth\n * - JWKS (JSON Web Key Set) for external issuers\n * - Token refresh logic\n * - User profile extraction from JWT\n *\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$issuer, $role, $permission, $basicAuth],\n services: [\n SecurityProvider,\n JwtProvider,\n CryptoProvider,\n ServerSecurityProvider,\n ServerBasicAuthProvider,\n ],\n register: (alepha: Alepha) => {\n // Always register core security providers\n alepha.with(SecurityProvider);\n alepha.with(JwtProvider);\n alepha.with(CryptoProvider);\n\n // Register server security providers only if AlephaServer is available\n if (alepha.has(AlephaServer)) {\n alepha.with(ServerSecurityProvider);\n alepha.with(ServerBasicAuthProvider);\n }\n },\n});\n\n/**\n * @deprecated Use `AlephaSecurity` instead. Server security providers are automatically registered when `AlephaServer` is available.\n */\nexport const AlephaServerSecurity = AlephaSecurity;\n"],"x_google_ignoreList":[3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32],"mappings":";;;;;;;;AA6BA,IAAa,0BAAb,MAAqC;CACnC,AAAmB,SAAS,QAAQ,OAAO;CAC3C,AAAmB,MAAM,SAAS;CAClC,AAAmB,iBAAiB,QAAQ,qBAAqB;CACjE,AAAmB,QAAQ;;;;CAK3B,AAAgB,kBAA8C,EAAE;;;;CAKhE,AAAO,aAAa,QAAwC;AAC1D,OAAK,gBAAgB,KAAK,OAAO;;CAGnC,AAAgB,UAAU,MAAM;EAC9B,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,QAAQ,KAAK,gBACtB,KAAI,KAAK,MACP,MAAK,MAAM,WAAW,KAAK,OAAO;IAChC,MAAM,gBAAgB,KAAK,eAAe,UAAU,QAAQ;AAC5D,SAAK,MAAM,SAAS,cAClB,OAAM,SAAS,EACb,OAAO;KACL,UAAU,KAAK;KACf,UAAU,KAAK;KAChB,EACF;;AAMT,OAAI,KAAK,gBAAgB,SAAS,EAChC,MAAK,IAAI,KACP,oBAAoB,KAAK,gBAAgB,OAAO,wCACjD;;EAGN,CAAC;;;;CAKF,AAAgB,YAAY,MAAM;EAChC,IAAI;EACJ,SAAS,OAAO,EAAE,OAAO,cAAc;GACrC,MAAM,YAAY,MAAM;AACxB,OACE,OAAO,cAAc,YACrB,WAAW,aACX,UAAU,MAEV,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAgB,kBAAkB,MAAM;EACtC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,cAAc;GACtC,MAAM,YAAY,OAAO,MAAM;AAC/B,OAAI,YAAY,UAAU,CACxB,MAAK,UAAU,SAAS,UAAU,MAAM;;EAG7C,CAAC;;;;CAKF,AAAO,UAAU,SAAwB,SAAiC;EACxE,MAAM,aAAa,QAAQ,SAAS;AAEpC,MAAI,CAAC,cAAc,CAAC,WAAW,WAAW,SAAS,EAAE;AACnD,QAAK,iBAAiB,QAAQ;AAC9B,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;EAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;EAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;EAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;EAC3C,MAAM,WACJ,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG;EACzD,MAAM,WAAW,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG;AAUzE,MAAI,CAPY,KAAK,0BACnB,UACA,UACA,QAAQ,UACR,QAAQ,SACT,EAEa;AACZ,QAAK,iBAAiB,QAAQ;AAC9B,QAAK,IAAI,KAAK,sCAAsC,EAClD,UACD,CAAC;AACF,SAAM,IAAI,UAAU;IAClB,QAAQ;IACR,SAAS;IACV,CAAC;;;;;;;CAQN,AAAU,0BACR,eACA,eACA,kBACA,kBACS;EAET,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;EAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;EACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAS9D,UALkB,KAAK,YAAY,cAAc,gBAAgB,GAC/C,KAAK,YAAY,cAAc,gBAAgB,MAI9B;;;;;;CAOrC,AAAU,YAAY,OAAe,UAA0B;AAG7D,MAAI,MAAM,WAAW,SAAS,QAAQ;AAEpC,mBAAgB,OAAO,MAAM;AAC7B,UAAO;;AAGT,SAAO,gBAAgB,OAAO,SAAS,GAAG,IAAI;;;;;CAMhD,AAAU,iBAAiB,SAA8B;AACvD,UAAQ,MAAM,UAAU,oBAAoB,gBAAgB,KAAK,MAAM,GAAG;;;AAI9E,MAAa,eACX,UACyC;AACzC,QACE,OAAO,UAAU,YAAY,CAAC,CAAC,SAAS,WAAW,SAAS,CAAC,CAAC,MAAM;;;;;;;;;AChMxE,MAAa,cACX,YAC+B;AAC/B,QAAO,gBAAgB,oBAAoB,QAAQ;;AAWrD,IAAa,qBAAb,cACU,UAEV;CACE,AAAmB,0BAA0B,QAAQ,wBAAwB;CAE7E,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,GAAG,KAAK,OAAO;;CAG7C,AAAU,SAAS;AAEjB,OAAK,wBAAwB,aAAa,KAAK,QAAQ;;;;;CAMzD,AAAO,MAAM,SAAwB,SAAkC;EACrE,MAAM,gBAAgB;GAAE,GAAG,KAAK;GAAS,GAAG;GAAS;AACrD,OAAK,wBAAwB,UAAU,SAAS,cAAc;;;AAIlE,WAAW,QAAQ;;;;AClDnB,IAAa,gBAAb,cAAmC,MAAM;CACvC,AAAO,OAAO;CACd,AAAgB,SAAS;;;;;ACF3B,MAAa,UAAU,IAAI,aAAa;AACxC,MAAa,UAAU,IAAI,aAAa;AACxC,MAAM,YAAY,KAAK;AACvB,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,EAAE;CACjE,MAAM,MAAM,IAAI,WAAW,KAAK;CAChC,IAAI,IAAI;AACR,MAAK,MAAM,UAAU,SAAS;AAC1B,MAAI,IAAI,QAAQ,EAAE;AAClB,OAAK,OAAO;;AAEhB,QAAO;;AAqBX,SAAgBA,SAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,EAAE;AACjC,MAAI,OAAO,IACP,OAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAM,KAAK;;AAEf,QAAO;;;;;ACzCX,SAAgB,aAAa,OAAO;AAChC,KAAI,WAAW,UAAU,SACrB,QAAO,MAAM,UAAU;CAE3B,MAAM,aAAa;CACnB,MAAM,MAAM,EAAE;AACd,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,WACnC,KAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,CAAC;AAEhF,QAAO,KAAK,IAAI,KAAK,GAAG,CAAC;;AAE7B,SAAgB,aAAa,SAAS;AAClC,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,QAAQ;CAEzC,MAAM,SAAS,KAAK,QAAQ;CAC5B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAC/B,OAAM,KAAK,OAAO,WAAW,EAAE;AAEnC,QAAO;;;;;AClBX,SAAgB,OAAO,OAAO;AAC1B,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,MAAM,EAAE,EACpF,UAAU,aACb,CAAC;CAEN,IAAI,UAAU;AACd,KAAI,mBAAmB,WACnB,WAAU,QAAQ,OAAO,QAAQ;AAErC,WAAU,QAAQ,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;AACvD,KAAI;AACA,SAAO,aAAa,QAAQ;SAE1B;AACF,QAAM,IAAI,UAAU,oDAAoD;;;AAGhF,SAAgB,OAAO,OAAO;CAC1B,IAAI,YAAY;AAChB,KAAI,OAAO,cAAc,SACrB,aAAY,QAAQ,OAAO,UAAU;AAEzC,KAAI,WAAW,UAAU,SACrB,QAAO,UAAU,SAAS;EAAE,UAAU;EAAa,aAAa;EAAM,CAAC;AAE3E,QAAO,aAAa,UAAU,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;;;AC5B5F,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;AAC1B,QAAM,SAAS,QAAQ;AACvB,OAAK,OAAO,KAAK,YAAY;AAC7B,QAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,2BAAb,cAA8C,UAAU;CACpD,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;;AAaX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAMX,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,mDAAmD,SAAS;AAC9E,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,2BAAb,cAA8C,UAAU;CACpD,CAAC,OAAO;CACR,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,wDAAwD,SAAS;AACnF,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,qBAAqB,SAAS;AAChD,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;AAC5D,QAAM,SAAS,QAAQ;;;;;;AChG/B,MAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,OAAO;AAC3I,MAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;AACzB,QAAO,SAAS,KAAK,KAAK,MAAM,EAAE,EAAE,GAAG;;AAE3C,SAAS,cAAc,KAAK;AACxB,SAAQ,KAAR;EACI,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,QACI,OAAM,IAAI,MAAM,cAAc;;;AAG1C,SAAS,WAAW,KAAK,OAAO;AAC5B,KAAI,SAAS,CAAC,IAAI,OAAO,SAAS,MAAM,CACpC,OAAM,IAAI,UAAU,sEAAsE,MAAM,GAAG;;AAG3G,SAAgB,kBAAkB,KAAK,KAAK,OAAO;AAC/C,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,OAAO,CACnC,OAAM,SAAS,OAAO;GAC1B,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,oBAAoB,CAChD,OAAM,SAAS,oBAAoB;GACvC,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;GAC7B,MAAM,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG;AAE3C,OADe,cAAc,IAAI,UAAU,KAAK,KACjC,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;AACvD;;EAEJ,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;AAC7B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,IAAI,CAChC,OAAM,SAAS,IAAI;AACvB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,QAAQ,CACpC,OAAM,SAAS,QAAQ;GAC3B,MAAM,WAAW,cAAc,IAAI;AAEnC,OADe,IAAI,UAAU,eACd,SACX,OAAM,SAAS,UAAU,uBAAuB;AACpD;;EAEJ,QACI,OAAM,IAAI,UAAU,4CAA4C;;AAExE,YAAW,KAAK,MAAM;;;;;ACpF1B,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;AACpC,SAAQ,MAAM,OAAO,QAAQ;AAC7B,KAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,KAAK;AACxB,SAAO,eAAe,MAAM,KAAK,KAAK,CAAC,OAAO,KAAK;YAE9C,MAAM,WAAW,EACtB,QAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;KAG9C,QAAO,WAAW,MAAM,GAAG;AAE/B,KAAI,UAAU,KACV,QAAO,aAAa;UAEf,OAAO,WAAW,cAAc,OAAO,KAC5C,QAAO,sBAAsB,OAAO;UAE/B,OAAO,WAAW,YAAY,UAAU,MAC7C;MAAI,OAAO,aAAa,KACpB,QAAO,4BAA4B,OAAO,YAAY;;AAG9D,QAAO;;AAEX,MAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,MAAM;AAC9F,MAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,MAAM;;;;ACrBpH,MAAa,eAAe,QAAQ;AAChC,KAAI,MAAM,OAAO,iBAAiB,YAC9B,QAAO;AACX,KAAI;AACA,SAAO,eAAe;SAEpB;AACF,SAAO;;;AAGf,MAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,MAAa,aAAa,QAAQ,YAAY,IAAI,IAAI,YAAY,IAAI;;;;AChBtE,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,QAAQ;AACvC,KAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,EAC3C,QAAO;CAEX,IAAI;AACJ,MAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,OAAO;AACtC,MAAI,CAAC,OAAO,IAAI,SAAS,GAAG;AACxB,SAAM,IAAI,IAAI,WAAW;AACzB;;AAEJ,OAAK,MAAM,aAAa,YAAY;AAChC,OAAI,IAAI,IAAI,UAAU,CAClB,QAAO;AAEX,OAAI,IAAI,UAAU;;;AAG1B,QAAO;;;;;ACnBX,MAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;AAC5B,KAAI,CAAC,aAAa,MAAM,IAAI,OAAO,UAAU,SAAS,KAAK,MAAM,KAAK,kBAClE,QAAO;AAEX,KAAI,OAAO,eAAe,MAAM,KAAK,KACjC,QAAO;CAEX,IAAI,QAAQ;AACZ,QAAO,OAAO,eAAe,MAAM,KAAK,KACpC,SAAQ,OAAO,eAAe,MAAM;AAExC,QAAO,OAAO,eAAe,MAAM,KAAK;;;;;ACZ5C,SAAgB,eAAe,KAAK,KAAK;AACrC,KAAI,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,EAAE;EAC9C,MAAM,EAAE,kBAAkB,IAAI;AAC9B,MAAI,OAAO,kBAAkB,YAAY,gBAAgB,KACrD,OAAM,IAAI,UAAU,GAAG,IAAI,uDAAuD;;;;;;ACH9F,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;AACJ,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,OAAO,CAAC,OAAO,GAAG,CAAC,SAAS;AAC5C;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AACjE,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AAC3E,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;MACnD;AACD,iBAAY,IAAI,IAAI,CAAC,WAAW,YAAY,GAAG,CAAC,WAAW,UAAU;AACrE;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;AACD,iBAAY;MAAE,MAAM;MAAS,YAAY;MAAS;AAClD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;MAAK;AACjD,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,WAAW;AAC/B,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,iEAA+D;;AAElG;EAEJ,QACI,OAAM,IAAI,iBAAiB,gEAA8D;;AAEjG,QAAO;EAAE;EAAW;EAAW;;AAEnC,eAAsB,SAAS,KAAK;AAChC,KAAI,CAAC,IAAI,IACL,OAAM,IAAI,UAAU,+DAA2D;CAEnF,MAAM,EAAE,WAAW,cAAc,cAAc,IAAI;CACnD,MAAM,UAAU,EAAE,GAAG,KAAK;AAC1B,KAAI,QAAQ,QAAQ,MAChB,QAAO,QAAQ;AAEnB,QAAO,QAAQ;AACf,QAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,UAAU;;;;;ACpFtI,eAAsB,UAAU,KAAK,KAAK,SAAS;AAC/C,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,UAAU,wBAAwB;CAEhD,IAAI;AACJ,SAAQ,IAAI;AACZ,SAAQ,SAAS,eAAe,IAAI;AACpC,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,OAAI,OAAO,IAAI,MAAM,YAAY,CAAC,IAAI,EAClC,OAAM,IAAI,UAAU,4CAA0C;AAElE,UAAOC,OAAgB,IAAI,EAAE;EACjC,KAAK;AACD,OAAI,SAAS,OAAO,IAAI,QAAQ,OAC5B,OAAM,IAAI,iBAAiB,uEAAqE;AAEpG,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK;IAAK,CAAC;EACzC,KAAK;AACD,OAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,IACpC,OAAM,IAAI,UAAU,8CAA4C;AAEpE,OAAI,QAAQ,UAAa,QAAQ,IAAI,IACjC,OAAM,IAAI,UAAU,wCAAwC;AAEhE,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK,CAAC;EAEpC,KAAK;EACL,KAAK,MACD,QAAO,SAAS;GAAE,GAAG;GAAK;GAAK;GAAK,CAAC;EACzC,QACI,OAAM,IAAI,iBAAiB,iDAA+C;;;;;;ACrDtF,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;AAChG,KAAI,WAAW,SAAS,UAAa,iBAAiB,SAAS,OAC3D,OAAM,IAAI,IAAI,mEAAiE;AAEnF,KAAI,CAAC,mBAAmB,gBAAgB,SAAS,OAC7C,wBAAO,IAAI,KAAK;AAEpB,KAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,IACpC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,EAAE,CACrF,OAAM,IAAI,IAAI,0FAAwF;CAE1G,IAAI;AACJ,KAAI,qBAAqB,OACrB,cAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,iBAAiB,EAAE,GAAG,kBAAkB,SAAS,CAAC,CAAC;KAG3F,cAAa;AAEjB,MAAK,MAAM,aAAa,gBAAgB,MAAM;AAC1C,MAAI,CAAC,WAAW,IAAI,UAAU,CAC1B,OAAM,IAAI,iBAAiB,+BAA+B,UAAU,qBAAqB;AAE7F,MAAI,WAAW,eAAe,OAC1B,OAAM,IAAI,IAAI,+BAA+B,UAAU,cAAc;AAEzE,MAAI,WAAW,IAAI,UAAU,IAAI,gBAAgB,eAAe,OAC5D,OAAM,IAAI,IAAI,+BAA+B,UAAU,+BAA+B;;AAG9F,QAAO,IAAI,IAAI,gBAAgB,KAAK;;;;;AC/BxC,SAAgB,mBAAmB,QAAQ,YAAY;AACnD,KAAI,eAAe,WACd,CAAC,MAAM,QAAQ,WAAW,IAAI,WAAW,MAAM,MAAM,OAAO,MAAM,SAAS,EAC5E,OAAM,IAAI,UAAU,IAAI,OAAO,sCAAsC;AAEzE,KAAI,CAAC,WACD;AAEJ,QAAO,IAAI,IAAI,WAAW;;;;;ACP9B,MAAa,SAAS,QAAQ,SAAS,IAAI,IAAI,OAAO,IAAI,QAAQ;AAClE,MAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,UAAa,IAAI,SAAS;AAC7F,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;;ACD1E,IAAI;AACJ,MAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;AACvD,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,IAAI;AAC3B,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;EAAK,CAAC;AACjD,KAAI,OACA,QAAO,OAAO,IAAI;AACtB,KAAI,CAAC,OACD,OAAM,IAAI,KAAK,GAAG,MAAM,WAAW,CAAC;KAGpC,QAAO,OAAO;AAElB,QAAO;;AAEX,MAAM,mBAAmB,WAAW,QAAQ;AACxC,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,UAAU;AACjC,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;AACJ,KAAI,UAAU,sBAAsB,UAAU;AAC1C,UAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,iBACD;GACJ,QACI,OAAM,IAAI,UAAU,6DAA6D;;AAEzF,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAE/G,KAAI,UAAU,sBAAsB,WAAW;AAC3C,MAAI,QAAQ,WAAW,QAAQ,UAC3B,OAAM,IAAI,UAAU,6DAA6D;AAErF,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAEN,SAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,QAAQ,UAAU,kBAAkB,aAAa,CACjD,OAAM,IAAI,UAAU,6DAA6D;AAErF,eAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAGV,KAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;AACJ,UAAQ,KAAR;GACI,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,QACI,OAAM,IAAI,UAAU,6DAA6D;;AAEzF,MAAI,IAAI,WAAW,WAAW,CAC1B,QAAO,UAAU,YAAY;GACzB,MAAM;GACN;GACH,EAAE,aAAa,WAAW,CAAC,UAAU,GAAG,CAAC,UAAU,CAAC;AAEzD,cAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,KAAK,GAAG,YAAY;GACzC;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;;AAEnD,KAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aALO,IAAI,IAAI;GACjB,CAAC,cAAc,QAAQ;GACvB,CAAC,aAAa,QAAQ;GACtB,CAAC,aAAa,QAAQ;GACzB,CAAC,CACsB,IAAI,UAAU,sBAAsB,WAAW;AACvE,MAAI,CAAC,WACD,OAAM,IAAI,UAAU,6DAA6D;AAErF,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,QAAQ,WAAW,eAAe,QAClC,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,IAAI,WAAW,UAAU,CACzB,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAGvD,KAAI,CAAC,UACD,OAAM,IAAI,UAAU,6DAA6D;AAErF,KAAI,CAAC,OACD,OAAM,IAAI,WAAW,GAAG,MAAM,WAAW,CAAC;KAG1C,QAAO,OAAO;AAElB,QAAO;;AAEX,eAAsB,aAAa,KAAK,KAAK;AACzC,KAAI,eAAe,WACf,QAAO;AAEX,KAAI,YAAY,IAAI,CAChB,QAAO;AAEX,KAAI,YAAY,IAAI,EAAE;AAClB,MAAI,IAAI,SAAS,SACb,QAAO,IAAI,QAAQ;AAEvB,MAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,WACnD,KAAI;AACA,UAAO,gBAAgB,KAAK,IAAI;WAE7B,KAAK;AACR,OAAI,eAAe,UACf,OAAM;;AAKlB,SAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,OAAO,CAAC,EACZ,IAAI;;AAEnC,KAAI,MAAM,IAAI,EAAE;AACZ,MAAI,IAAI,EACJ,QAAO,OAAO,IAAI,EAAE;AAExB,SAAO,UAAU,KAAK,KAAK,KAAK,KAAK;;AAEzC,OAAM,IAAI,MAAM,cAAc;;;;;AC3KlC,MAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,MAAM,gBAAgB,KAAK,KAAK,UAAU;AACtC,KAAI,IAAI,QAAQ,QAAW;EACvB,IAAI;AACJ,UAAQ,OAAR;GACI,KAAK;GACL,KAAK;AACD,eAAW;AACX;GACJ,KAAK;GACL,KAAK;AACD,eAAW;AACX;;AAER,MAAI,IAAI,QAAQ,SACZ,OAAM,IAAI,UAAU,sDAAsD,SAAS,gBAAgB;;AAG3G,KAAI,IAAI,QAAQ,UAAa,IAAI,QAAQ,IACrC,OAAM,IAAI,UAAU,sDAAsD,IAAI,gBAAgB;AAElG,KAAI,MAAM,QAAQ,IAAI,QAAQ,EAAE;EAC5B,IAAI;AACJ,UAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,SAAS;AACvB,oBAAgB;AAChB;GACJ,KAAK,IAAI,WAAW,QAAQ;AACxB,oBAAgB;AAChB;GACJ,KAAK,0BAA0B,KAAK,IAAI;AACpC,QAAI,CAAC,IAAI,SAAS,MAAM,IAAI,IAAI,SAAS,KAAK,CAC1C,iBAAgB,UAAU,YAAY,YAAY;QAGlD,iBAAgB;AAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,MAAM;AAC7C,oBAAgB;AAChB;GACJ,KAAK,UAAU;AACX,oBAAgB,IAAI,WAAW,MAAM,GAAG,cAAc;AACtD;;AAER,MAAI,iBAAiB,IAAI,SAAS,WAAW,cAAc,KAAK,MAC5D,OAAM,IAAI,UAAU,+DAA+D,cAAc,gBAAgB;;AAGzH,QAAO;;AAEX,MAAM,sBAAsB,KAAK,KAAK,UAAU;AAC5C,KAAI,eAAe,WACf;AACJ,KAAIC,MAAU,IAAI,EAAE;AAChB,MAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,QAAM,IAAI,UAAU,0HAA0H;;AAElJ,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,aAAa,CAAC;AAE1G,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,8DAA8D;;AAGtG,MAAM,uBAAuB,KAAK,KAAK,UAAU;AAC7C,KAAIF,MAAU,IAAI,CACd,SAAQ,OAAR;EACI,KAAK;EACL,KAAK;AACD,OAAIG,aAAiB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACtD;AACJ,SAAM,IAAI,UAAU,wDAAwD;EAChF,KAAK;EACL,KAAK;AACD,OAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,SAAM,IAAI,UAAU,uDAAuD;;AAGvF,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,eAAe,CAAC;AAE5F,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,mEAAmE;AAEvG,KAAI,IAAI,SAAS,SACb,SAAQ,OAAR;EACI,KAAK,OACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,uEAAuE;EAC3G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,0EAA0E;;AAGtH,KAAI,IAAI,SAAS,UACb,SAAQ,OAAR;EACI,KAAK,SACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,wEAAwE;EAC5G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,yEAAyE;;;AAIzH,SAAgB,aAAa,KAAK,KAAK,OAAO;AAC1C,SAAQ,IAAI,UAAU,GAAG,EAAE,EAA3B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,sBAAmB,KAAK,KAAK,MAAM;AACnC;EACJ,QACI,qBAAoB,KAAK,KAAK,MAAM;;;;;;ACtHhD,SAAgB,gBAAgB,KAAK,WAAW;CAC5C,MAAM,OAAO,OAAO,IAAI,MAAM,GAAG;AACjC,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAQ;EACjC,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;GAAG;EAClF,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAqB;EAC9C,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;GAAY;EACpE,KAAK;EACL,KAAK,QACD,QAAO,EAAE,MAAM,WAAW;EAC9B,KAAK;EACL,KAAK;EACL,KAAK,YACD,QAAO,EAAE,MAAM,KAAK;EACxB,QACI,OAAM,IAAI,iBAAiB,OAAO,IAAI,6DAA6D;;;;;;AC1B/G,eAAsB,UAAU,KAAK,KAAK,OAAO;AAC7C,KAAI,eAAe,YAAY;AAC3B,MAAI,CAAC,IAAI,WAAW,KAAK,CACrB,OAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,eAAe,CAAC;AAEvF,SAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI,MAAM;GAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;;AAE9G,mBAAkB,KAAK,KAAK,MAAM;AAClC,QAAO;;;;;ACPX,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,SAAS;AACrD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,gBAAgB,KAAK,UAAU,UAAU;AAC3D,KAAI;AACA,SAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,KAAK;SAEtE;AACF,SAAO;;;;;;ACDf,eAAsB,gBAAgB,KAAK,KAAK,SAAS;AACrD,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,WAAW,kCAAkC;AAE3D,KAAI,IAAI,cAAc,UAAa,IAAI,WAAW,OAC9C,OAAM,IAAI,WAAW,4EAAwE;AAEjG,KAAI,IAAI,cAAc,UAAa,OAAO,IAAI,cAAc,SACxD,OAAM,IAAI,WAAW,sCAAsC;AAE/D,KAAI,IAAI,YAAY,OAChB,OAAM,IAAI,WAAW,sBAAsB;AAE/C,KAAI,OAAO,IAAI,cAAc,SACzB,OAAM,IAAI,WAAW,0CAA0C;AAEnE,KAAI,IAAI,WAAW,UAAa,CAAC,SAAS,IAAI,OAAO,CACjD,OAAM,IAAI,WAAW,wCAAwC;CAEjE,IAAI,aAAa,EAAE;AACnB,KAAI,IAAI,UACJ,KAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,UAAU;AAC3C,eAAa,KAAK,MAAM,QAAQ,OAAO,gBAAgB,CAAC;SAEtD;AACF,QAAM,IAAI,WAAW,kCAAkC;;AAG/D,KAAI,CAAC,WAAW,YAAY,IAAI,OAAO,CACnC,OAAM,IAAI,WAAW,4EAA4E;CAErG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;EACV;CACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,YAAY,WAAW;CAC5G,IAAI,MAAM;AACV,KAAI,WAAW,IAAI,MAAM,EAAE;AACvB,QAAM,WAAW;AACjB,MAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;CAGvG,MAAM,EAAE,QAAQ;AAChB,KAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;CAErF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,WAAW;AAClF,KAAI,cAAc,CAAC,WAAW,IAAI,IAAI,CAClC,OAAM,IAAI,kBAAkB,yDAAuD;AAEvF,KAAI,KACA;MAAI,OAAO,IAAI,YAAY,SACvB,OAAM,IAAI,WAAW,+BAA+B;YAGnD,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,YACjE,OAAM,IAAI,WAAW,yDAAyD;CAElF,IAAI,cAAc;AAClB,KAAI,OAAO,QAAQ,YAAY;AAC3B,QAAM,MAAM,IAAI,YAAY,IAAI;AAChC,gBAAc;;AAElB,cAAa,KAAK,KAAK,SAAS;CAChC,MAAM,OAAO,OAAO,IAAI,cAAc,SAAYC,SAAO,IAAI,UAAU,GAAG,IAAI,YAAY,EAAEA,SAAO,IAAI,EAAE,OAAO,IAAI,YAAY,WAC1H,MACIA,SAAO,IAAI,QAAQ,GACnB,QAAQ,OAAO,IAAI,QAAQ,GAC/B,IAAI,QAAQ;CAClB,IAAI;AACJ,KAAI;AACA,cAAYD,OAAK,IAAI,UAAU;SAE7B;AACF,QAAM,IAAI,WAAW,2CAA2C;;CAEpE,MAAM,IAAI,MAAM,aAAa,KAAK,IAAI;AAEtC,KAAI,CADa,MAAM,OAAO,KAAK,GAAG,WAAW,KAAK,CAElD,OAAM,IAAI,gCAAgC;CAE9C,IAAI;AACJ,KAAI,IACA,KAAI;AACA,YAAUA,OAAK,IAAI,QAAQ;SAEzB;AACF,QAAM,IAAI,WAAW,yCAAyC;;UAG7D,OAAO,IAAI,YAAY,SAC5B,WAAU,QAAQ,OAAO,IAAI,QAAQ;KAGrC,WAAU,IAAI;CAElB,MAAM,SAAS,EAAE,SAAS;AAC1B,KAAI,IAAI,cAAc,OAClB,QAAO,kBAAkB;AAE7B,KAAI,IAAI,WAAW,OACf,QAAO,oBAAoB,IAAI;AAEnC,KAAI,YACA,QAAO;EAAE,GAAG;EAAQ,KAAK;EAAG;AAEhC,QAAO;;;;;ACnHX,eAAsB,cAAc,KAAK,KAAK,SAAS;AACnD,KAAI,eAAe,WACf,OAAM,QAAQ,OAAO,IAAI;AAE7B,KAAI,OAAO,QAAQ,SACf,OAAM,IAAI,WAAW,6CAA6C;CAEtE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,IAAI;AAC/E,KAAI,WAAW,EACX,OAAM,IAAI,WAAW,sBAAsB;CAE/C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;EAAW,EAAE,KAAK,QAAQ;CACxG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;EAAiB;AACvF,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;;AChBX,MAAM,SAAS,SAAS,KAAK,MAAM,KAAK,SAAS,GAAG,IAAK;AACzD,MAAM,SAAS;AACf,MAAM,OAAO,SAAS;AACtB,MAAM,MAAM,OAAO;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,QAAQ;AACd,SAAgB,KAAK,KAAK;CACtB,MAAM,UAAU,MAAM,KAAK,IAAI;AAC/B,KAAI,CAAC,WAAY,QAAQ,MAAM,QAAQ,GACnC,OAAM,IAAI,UAAU,6BAA6B;CAErD,MAAM,QAAQ,WAAW,QAAQ,GAAG;CACpC,MAAM,OAAO,QAAQ,GAAG,aAAa;CACrC,IAAI;AACJ,SAAQ,MAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,MAAM;AAC/B;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,OAAO;AACxC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,IAAI;AACrC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ;AACI,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;;AAER,KAAI,QAAQ,OAAO,OAAO,QAAQ,OAAO,MACrC,QAAO,CAAC;AAEZ,QAAO;;AAEX,SAAS,cAAc,OAAO,OAAO;AACjC,KAAI,CAAC,OAAO,SAAS,MAAM,CACvB,OAAM,IAAI,UAAU,WAAW,MAAM,QAAQ;AAEjD,QAAO;;AAEX,MAAM,gBAAgB,UAAU;AAC5B,KAAI,MAAM,SAAS,IAAI,CACnB,QAAO,MAAM,aAAa;AAE9B,QAAO,eAAe,MAAM,aAAa;;AAE7C,MAAM,yBAAyB,YAAY,cAAc;AACrD,KAAI,OAAO,eAAe,SACtB,QAAO,UAAU,SAAS,WAAW;AAEzC,KAAI,MAAM,QAAQ,WAAW,CACzB,QAAO,UAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAI,WAAW,CAAC,CAAC;AAEtE,QAAO;;AAEX,SAAgB,kBAAkB,iBAAiB,gBAAgB,UAAU,EAAE,EAAE;CAC7E,IAAI;AACJ,KAAI;AACA,YAAU,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;SAElD;AAEN,KAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,WAAW,iDAAiD;CAE1E,MAAM,EAAE,QAAQ;AAChB,KAAI,QACC,OAAO,gBAAgB,QAAQ,YAC5B,aAAa,gBAAgB,IAAI,KAAK,aAAa,IAAI,EAC3D,OAAM,IAAI,yBAAyB,uCAAqC,SAAS,OAAO,eAAe;CAE3G,MAAM,EAAE,iBAAiB,EAAE,EAAE,QAAQ,SAAS,UAAU,gBAAgB;CACxE,MAAM,gBAAgB,CAAC,GAAG,eAAe;AACzC,KAAI,gBAAgB,OAChB,eAAc,KAAK,MAAM;AAC7B,KAAI,aAAa,OACb,eAAc,KAAK,MAAM;AAC7B,KAAI,YAAY,OACZ,eAAc,KAAK,MAAM;AAC7B,KAAI,WAAW,OACX,eAAc,KAAK,MAAM;AAC7B,MAAK,MAAM,SAAS,IAAI,IAAI,cAAc,SAAS,CAAC,CAChD,KAAI,EAAE,SAAS,SACX,OAAM,IAAI,yBAAyB,qBAAqB,MAAM,UAAU,SAAS,OAAO,UAAU;AAG1G,KAAI,UACA,EAAE,MAAM,QAAQ,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,SAAS,QAAQ,IAAI,CAClE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,WAAW,QAAQ,QAAQ,QAC3B,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,YACA,CAAC,sBAAsB,QAAQ,KAAK,OAAO,aAAa,WAAW,CAAC,SAAS,GAAG,SAAS,CACzF,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI;AACJ,SAAQ,OAAO,QAAQ,gBAAvB;EACI,KAAK;AACD,eAAY,KAAK,QAAQ,eAAe;AACxC;EACJ,KAAK;AACD,eAAY,QAAQ;AACpB;EACJ,KAAK;AACD,eAAY;AACZ;EACJ,QACI,OAAM,IAAI,UAAU,qCAAqC;;CAEjE,MAAM,EAAE,gBAAgB;CACxB,MAAM,MAAM,MAAM,+BAAe,IAAI,MAAM,CAAC;AAC5C,MAAK,QAAQ,QAAQ,UAAa,gBAAgB,OAAO,QAAQ,QAAQ,SACrE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,KAAI,QAAQ,QAAQ,QAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,MAAM,MAAM,UACpB,OAAM,IAAI,yBAAyB,wCAAsC,SAAS,OAAO,eAAe;;AAGhH,KAAI,QAAQ,QAAQ,QAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,OAAO,MAAM,UACrB,OAAM,IAAI,WAAW,wCAAsC,SAAS,OAAO,eAAe;;AAGlG,KAAI,aAAa;EACb,MAAM,MAAM,MAAM,QAAQ;EAC1B,MAAM,MAAM,OAAO,gBAAgB,WAAW,cAAc,KAAK,YAAY;AAC7E,MAAI,MAAM,YAAY,IAClB,OAAM,IAAI,WAAW,8DAA4D,SAAS,OAAO,eAAe;AAEpH,MAAI,MAAM,IAAI,UACV,OAAM,IAAI,yBAAyB,mEAAiE,SAAS,OAAO,eAAe;;AAG3I,QAAO;;AAEX,IAAa,mBAAb,MAA8B;CAC1B;CACA,YAAY,SAAS;AACjB,MAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,UAAU,mCAAmC;AAE3D,QAAKE,UAAW,gBAAgB,QAAQ;;CAE5C,OAAO;AACH,SAAO,QAAQ,OAAO,KAAK,UAAU,MAAKA,QAAS,CAAC;;CAExD,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAKA,QAAS;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,QAAKA,QAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAKA,QAAS,MAAM,cAAc,gBAAgB,MAAM;WAEnD,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,gBAAgB,MAAM,MAAM,CAAC;MAG/D,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAKA,QAAS,MAAM,cAAc,qBAAqB,MAAM;WAExD,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,qBAAqB,MAAM,MAAM,CAAC;MAGpE,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,UAAU,OACV,OAAKA,QAAS,MAAM,sBAAM,IAAI,MAAM,CAAC;WAEhC,iBAAiB,KACtB,OAAKA,QAAS,MAAM,cAAc,eAAe,MAAM,MAAM,CAAC;WAEzD,OAAO,UAAU,SACtB,OAAKA,QAAS,MAAM,cAAc,eAAe,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC;MAGjF,OAAKA,QAAS,MAAM,cAAc,eAAe,MAAM;;;;;;ACvOnE,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,MAAM,WAAW,MAAM,cAAc,KAAK,KAAK,QAAQ;AACvD,KAAI,SAAS,gBAAgB,MAAM,SAAS,MAAM,IAAI,SAAS,gBAAgB,QAAQ,MACnF,OAAM,IAAI,WAAW,sCAAsC;CAG/D,MAAM,SAAS;EAAE,SADD,kBAAkB,SAAS,iBAAiB,SAAS,SAAS,QAAQ;EAC5D,iBAAiB,SAAS;EAAiB;AACrE,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;;ACVX,eAAsB,KAAK,KAAK,KAAK,MAAM;CACvC,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,OAAO;AACnD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,UAAU,EAAE,WAAW,KAAK;AACtG,QAAO,IAAI,WAAW,UAAU;;;;;ACCpC,IAAa,gBAAb,MAA2B;CACvB;CACA;CACA;CACA,YAAY,SAAS;AACjB,MAAI,EAAE,mBAAmB,YACrB,OAAM,IAAI,UAAU,4CAA4C;AAEpE,QAAKC,UAAW;;CAEpB,mBAAmB,iBAAiB;AAChC,MAAI,MAAKC,gBACL,OAAM,IAAI,UAAU,6CAA6C;AAErE,QAAKA,kBAAmB;AACxB,SAAO;;CAEX,qBAAqB,mBAAmB;AACpC,MAAI,MAAKC,kBACL,OAAM,IAAI,UAAU,+CAA+C;AAEvE,QAAKA,oBAAqB;AAC1B,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;AACrB,MAAI,CAAC,MAAKD,mBAAoB,CAAC,MAAKC,kBAChC,OAAM,IAAI,WAAW,kFAAkF;AAE3G,MAAI,CAAC,WAAW,MAAKD,iBAAkB,MAAKC,kBAAmB,CAC3D,OAAM,IAAI,WAAW,4EAA4E;EAErG,MAAM,aAAa;GACf,GAAG,MAAKD;GACR,GAAG,MAAKC;GACX;EACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,MAAKD,iBAAkB,WAAW;EACvH,IAAI,MAAM;AACV,MAAI,WAAW,IAAI,MAAM,EAAE;AACvB,SAAM,MAAKA,gBAAiB;AAC5B,OAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;EAGvG,MAAM,EAAE,QAAQ;AAChB,MAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;AAErF,eAAa,KAAK,KAAK,OAAO;EAC9B,IAAI;EACJ,IAAI;AACJ,MAAI,KAAK;AACL,cAAWE,OAAK,MAAKH,QAAS;AAC9B,cAAWI,SAAO,SAAS;SAE1B;AACD,cAAW,MAAKJ;AAChB,cAAW;;EAEf,IAAI;EACJ,IAAI;AACJ,MAAI,MAAKC,iBAAkB;AACvB,2BAAwBE,OAAK,KAAK,UAAU,MAAKF,gBAAiB,CAAC;AACnE,0BAAuBG,SAAO,sBAAsB;SAEnD;AACD,2BAAwB;AACxB,0BAAuB,IAAI,YAAY;;EAE3C,MAAM,OAAO,OAAO,sBAAsBA,SAAO,IAAI,EAAE,SAAS;EAGhE,MAAM,MAAM;GACR,WAAWD,OAFG,MAAM,KAAK,KADnB,MAAM,aAAa,KAAK,IAAI,EACD,KAAK,CAEZ;GAC1B,SAAS;GACZ;AACD,MAAI,MAAKD,kBACL,KAAI,SAAS,MAAKA;AAEtB,MAAI,MAAKD,gBACL,KAAI,YAAY;AAEpB,SAAO;;;;;;ACxFf,IAAa,cAAb,MAAyB;CACrB;CACA,YAAY,SAAS;AACjB,QAAKI,YAAa,IAAI,cAAc,QAAQ;;CAEhD,mBAAmB,iBAAiB;AAChC,QAAKA,UAAW,mBAAmB,gBAAgB;AACnD,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,MAAM,MAAKA,UAAW,KAAK,KAAK,QAAQ;AACpD,MAAI,IAAI,YAAY,OAChB,OAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAO,GAAG,IAAI,UAAU,GAAG,IAAI,QAAQ,GAAG,IAAI;;;;;;ACZtD,IAAa,UAAb,MAAqB;CACjB;CACA;CACA,YAAY,UAAU,EAAE,EAAE;AACtB,QAAKC,MAAO,IAAI,iBAAiB,QAAQ;;CAE7C,UAAU,QAAQ;AACd,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,WAAW,SAAS;AAChB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,YAAY,UAAU;AAClB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,OAAO,OAAO;AACV,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,aAAa,OAAO;AAChB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,kBAAkB,OAAO;AACrB,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,YAAY,OAAO;AACf,QAAKA,IAAK,MAAM;AAChB,SAAO;;CAEX,mBAAmB,iBAAiB;AAChC,QAAKC,kBAAmB;AACxB,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,IAAI,YAAY,MAAKD,IAAK,MAAM,CAAC;AAC7C,MAAI,mBAAmB,MAAKC,gBAAiB;AAC7C,MAAI,MAAM,QAAQ,MAAKA,iBAAkB,KAAK,IAC1C,MAAKA,gBAAiB,KAAK,SAAS,MAAM,IAC1C,MAAKA,gBAAiB,QAAQ,MAC9B,OAAM,IAAI,WAAW,sCAAsC;AAE/D,SAAO,IAAI,KAAK,KAAK,QAAQ;;;;;;AC9CrC,SAAS,cAAc,KAAK;AACxB,SAAQ,OAAO,QAAQ,YAAY,IAAI,MAAM,GAAG,EAAE,EAAlD;EACI,KAAK;EACL,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,QACI,OAAM,IAAI,iBAAiB,mDAAiD;;;AAGxF,SAAS,WAAW,MAAM;AACtB,QAAQ,QACJ,OAAO,SAAS,YAChB,MAAM,QAAQ,KAAK,KAAK,IACxB,KAAK,KAAK,MAAM,UAAU;;AAElC,SAAS,UAAU,KAAK;AACpB,QAAO,SAAS,IAAI;;AAExB,IAAM,cAAN,MAAkB;CACd;CACA,0BAAU,IAAI,SAAS;CACvB,YAAY,MAAM;AACd,MAAI,CAAC,WAAW,KAAK,CACjB,OAAM,IAAI,YAAY,6BAA6B;AAEvD,QAAKC,OAAQ,gBAAgB,KAAK;;CAEtC,OAAO;AACH,SAAO,MAAKA;;CAEhB,MAAM,OAAO,iBAAiB,OAAO;EACjC,MAAM,EAAE,KAAK,QAAQ;GAAE,GAAG;GAAiB,GAAG,OAAO;GAAQ;EAC7D,MAAM,MAAM,cAAc,IAAI;EAC9B,MAAM,aAAa,MAAKA,KAAM,KAAK,QAAQ,QAAQ;GAC/C,IAAI,YAAY,QAAQ,IAAI;AAC5B,OAAI,aAAa,OAAO,QAAQ,SAC5B,aAAY,QAAQ,IAAI;AAE5B,OAAI,cAAc,OAAO,IAAI,QAAQ,YAAY,QAAQ,OACrD,aAAY,QAAQ,IAAI;AAE5B,OAAI,aAAa,OAAO,IAAI,QAAQ,SAChC,aAAY,IAAI,QAAQ;AAE5B,OAAI,aAAa,MAAM,QAAQ,IAAI,QAAQ,CACvC,aAAY,IAAI,QAAQ,SAAS,SAAS;AAE9C,OAAI,UACA,SAAQ,KAAR;IACI,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;IACL,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;;AAGZ,UAAO;IACT;EACF,MAAM,EAAE,GAAG,KAAK,WAAW;AAC3B,MAAI,WAAW,EACX,OAAM,IAAI,mBAAmB;AAEjC,MAAI,WAAW,GAAG;GACd,MAAM,QAAQ,IAAI,0BAA0B;GAC5C,MAAM,UAAU,MAAKC;AACrB,SAAM,OAAO,iBAAiB,mBAAmB;AAC7C,SAAK,MAAM,OAAO,WACd,KAAI;AACA,WAAM,MAAM,mBAAmB,SAAS,KAAK,IAAI;YAE/C;;AAGd,SAAM;;AAEV,SAAO,mBAAmB,MAAKA,QAAS,KAAK,IAAI;;;AAGzD,eAAe,mBAAmB,OAAO,KAAK,KAAK;CAC/C,MAAM,SAAS,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,IAAI;AAC5D,KAAI,OAAO,SAAS,QAAW;EAC3B,MAAM,MAAM,MAAM,UAAU;GAAE,GAAG;GAAK,KAAK;GAAM,EAAE,IAAI;AACvD,MAAI,eAAe,cAAc,IAAI,SAAS,SAC1C,OAAM,IAAI,YAAY,+CAA+C;AAEzE,SAAO,OAAO;;AAElB,QAAO,OAAO;;AAElB,SAAgB,kBAAkB,MAAM;CACpC,MAAM,MAAM,IAAI,YAAY,KAAK;CACjC,MAAM,cAAc,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACxF,QAAO,iBAAiB,aAAa,EACjC,MAAM;EACF,aAAa,gBAAgB,IAAI,MAAM,CAAC;EACxC,YAAY;EACZ,cAAc;EACd,UAAU;EACb,EACJ,CAAC;AACF,QAAO;;;;;AClHX,SAAS,sBAAsB;AAC3B,QAAQ,OAAO,kBAAkB,eAC5B,OAAO,cAAc,eAAe,UAAU,cAAc,wBAC5D,OAAO,gBAAgB,eAAe,gBAAgB;;AAE/D,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,CAGtF,cAAa;AAEjB,MAAa,cAAc,QAAQ;AACnC,eAAe,UAAU,KAAK,SAAS,QAAQ,YAAY,OAAO;CAC9D,MAAM,WAAW,MAAM,UAAU,KAAK;EAClC,QAAQ;EACR;EACA,UAAU;EACV;EACH,CAAC,CAAC,OAAO,QAAQ;AACd,MAAI,IAAI,SAAS,eACb,OAAM,IAAI,aAAa;AAE3B,QAAM;GACR;AACF,KAAI,SAAS,WAAW,IACpB,OAAM,IAAI,UAAU,0DAA0D;AAElF,KAAI;AACA,SAAO,MAAM,SAAS,MAAM;SAE1B;AACF,QAAM,IAAI,UAAU,6DAA6D;;;AAGzF,MAAa,YAAY,QAAQ;AACjC,SAAS,iBAAiB,OAAO,aAAa;AAC1C,KAAI,OAAO,UAAU,YAAY,UAAU,KACvC,QAAO;AAEX,KAAI,EAAE,SAAS,UAAU,OAAO,MAAM,QAAQ,YAAY,KAAK,KAAK,GAAG,MAAM,OAAO,YAChF,QAAO;AAEX,KAAI,EAAE,UAAU,UACZ,CAAC,SAAS,MAAM,KAAK,IACrB,CAAC,MAAM,QAAQ,MAAM,KAAK,KAAK,IAC/B,CAAC,MAAM,UAAU,MAAM,KAAK,MAAM,KAAK,MAAM,SAAS,CACtD,QAAO;AAEX,QAAO;;AAEX,IAAM,eAAN,MAAmB;CACf;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,KAAK,SAAS;AACtB,MAAI,EAAE,eAAe,KACjB,OAAM,IAAI,UAAU,iCAAiC;AAEzD,QAAKC,MAAO,IAAI,IAAI,IAAI,KAAK;AAC7B,QAAKC,kBACD,OAAO,SAAS,oBAAoB,WAAW,SAAS,kBAAkB;AAC9E,QAAKC,mBACD,OAAO,SAAS,qBAAqB,WAAW,SAAS,mBAAmB;AAChF,QAAKC,cAAe,OAAO,SAAS,gBAAgB,WAAW,SAAS,cAAc;AACtF,QAAKC,UAAW,IAAI,QAAQ,SAAS,QAAQ;AAC7C,MAAI,cAAc,CAAC,MAAKA,QAAS,IAAI,aAAa,CAC9C,OAAKA,QAAS,IAAI,cAAc,WAAW;AAE/C,MAAI,CAAC,MAAKA,QAAS,IAAI,SAAS,EAAE;AAC9B,SAAKA,QAAS,IAAI,UAAU,mBAAmB;AAC/C,SAAKA,QAAS,OAAO,UAAU,2BAA2B;;AAE9D,QAAKC,cAAe,UAAU;AAC9B,MAAI,UAAU,eAAe,QAAW;AACpC,SAAKC,QAAS,UAAU;AACxB,OAAI,iBAAiB,UAAU,YAAY,MAAKH,YAAa,EAAE;AAC3D,UAAKI,gBAAiB,MAAKD,MAAO;AAClC,UAAKE,QAAS,kBAAkB,MAAKF,MAAO,KAAK;;;;CAI7D,eAAe;AACX,SAAO,CAAC,CAAC,MAAKG;;CAElB,cAAc;AACV,SAAO,OAAO,MAAKF,kBAAmB,WAChC,KAAK,KAAK,GAAG,MAAKA,gBAAiB,MAAKL,mBACxC;;CAEV,QAAQ;AACJ,SAAO,OAAO,MAAKK,kBAAmB,WAChC,KAAK,KAAK,GAAG,MAAKA,gBAAiB,MAAKJ,cACxC;;CAEV,OAAO;AACH,SAAO,MAAKK,OAAQ,MAAM;;CAE9B,MAAM,OAAO,iBAAiB,OAAO;AACjC,MAAI,CAAC,MAAKA,SAAU,CAAC,KAAK,OAAO,CAC7B,OAAM,KAAK,QAAQ;AAEvB,MAAI;AACA,UAAO,MAAM,MAAKA,MAAO,iBAAiB,MAAM;WAE7C,KAAK;AACR,OAAI,eAAe,mBACf;QAAI,KAAK,aAAa,KAAK,OAAO;AAC9B,WAAM,KAAK,QAAQ;AACnB,YAAO,MAAKA,MAAO,iBAAiB,MAAM;;;AAGlD,SAAM;;;CAGd,MAAM,SAAS;AACX,MAAI,MAAKC,gBAAiB,qBAAqB,CAC3C,OAAKA,eAAgB;AAEzB,QAAKA,iBAAkB,UAAU,MAAKT,IAAK,MAAM,MAAKI,SAAU,YAAY,QAAQ,MAAKH,gBAAiB,EAAE,MAAKI,YAAa,CACzH,MAAM,SAAS;AAChB,SAAKG,QAAS,kBAAkB,KAAK;AACrC,OAAI,MAAKF,OAAQ;AACb,UAAKA,MAAO,MAAM,KAAK,KAAK;AAC5B,UAAKA,MAAO,OAAO;;AAEvB,SAAKC,gBAAiB,KAAK,KAAK;AAChC,SAAKE,eAAgB;IACvB,CACG,OAAO,QAAQ;AAChB,SAAKA,eAAgB;AACrB,SAAM;IACR;AACF,QAAM,MAAKA;;;AAGnB,SAAgB,mBAAmB,KAAK,SAAS;CAC7C,MAAM,MAAM,IAAI,aAAa,KAAK,QAAQ;CAC1C,MAAM,eAAe,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACzF,QAAO,iBAAiB,cAAc;EAClC,aAAa;GACT,WAAW,IAAI,aAAa;GAC5B,YAAY;GACZ,cAAc;GACjB;EACD,OAAO;GACH,WAAW,IAAI,OAAO;GACtB,YAAY;GACZ,cAAc;GACjB;EACD,QAAQ;GACJ,aAAa,IAAI,QAAQ;GACzB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACD,WAAW;GACP,WAAW,IAAI,cAAc;GAC7B,YAAY;GACZ,cAAc;GACjB;EACD,MAAM;GACF,aAAa,IAAI,MAAM;GACvB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACJ,CAAC;AACF,QAAO;;;;;;;;ACxJX,IAAa,cAAb,MAAyB;CACvB,AAAmB,MAAM,SAAS;CAClC,AAAmB,WAA8B,EAAE;CACnD,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,UAAU,IAAI,aAAa;;;;;;;CAQ9C,AAAO,aAAa,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,KACP,8BAA8B,KAAK,uBAAuB,gBAAgB,KAAK,OAAO,GACvF;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,KACP,0BAA0B,KAAK,uBAAuB,UAAU,OAAO,SACxE;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,KACP,0BAA0B,KAAK,cAAc,kBAC9C;AACD,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,AAAU,YAAY,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,OAAO;;;;;;ACpKlC,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,AAAgB,SAAS;;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;;ACsBvC,MAAa,qBAAqB;AAElC,MAAM,YAAY,EAAE,OAAO,EACzB,YAAY,EAAE,KAAK,EACjB,SAAS,oBACV,CAAC,EACH,CAAC;AAMF,IAAa,mBAAb,MAA8B;CAC5B,AAAmB,oBAAoB;CACvC,AAAmB,oBAAoB;CACvC,AAAmB,6BACjB;CAEF,AAAmB,MAAM,SAAS;CAClC,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,KAAK,UAAU;CACxC,AAAmB,SAAS,QAAQ,OAAO;CAE3C,IAAW,YAAY;AACrB,SAAO,KAAK,IAAI;;;;;CAMlB,AAAmB,cAA4B,EAAE;;;;CAKjD,AAAmB,SAAkB,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK,IAAI;EACjB,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,AAAU,QAAQ,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,OAAI,KAAK,OAAO,cAAc,IAAI,KAAK,cAAc,mBACnD,MAAK,IAAI,KACP,mGACD;AAGH,QAAK,MAAM,SAAS,KAAK,QAAQ;AAC/B,QAAI,MAAM,QAAQ;KAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,UAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;AAI3C,QAAI,CAAC,MAAM,aAAa,MAAM,UAAU,WAAW,EACjD,MAAK,iBACH,KAAK,yBAAyB,MAAM,KAAK,EACzC,MAAM,KACP;;;EAIR,CAAC;;;;CAKF,AAAU,yBAAyB,WAAmC;AACpE,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAQ;IACxB,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,UAAU;AAGzD,WAAO,KAAK,sBAAsB,OAAO,SAAS,UAAU;;GAE/D;;;;;;;;CASH,AAAO,WAAW,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KACzC,CAEC;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAExC,CAEA;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,AAAO,iBAAiB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,UAAU;AACZ,QAAK,IAAI,KAAK,eAAe,SAAS,8BAA8B;IAClE,SAAS;IACT,KAAK;IACN,CAAC;AAEF,UAAO;;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,AAAO,YAAY,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,AAAO,sBACL,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,gBAAgB,KAAK,4BAA4B,QAAQ;EAC/D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;CAOH,AAAO,WACL,UACA,UAGI,EAAE,EACY;EAClB,MAAM,aAAa,KAAK,SAAS,QAAQ,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAC1E,MAAM,QAAQ,CAAC,GAAI,SAAS,SAAS,EAAE,CAAE;AAGzC,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;EAIzB,IAAI;AAGJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAEH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA,OAAO,QAAQ;GAChB;;;;;;CAOH,AAAO,iBAAiB,UAA0B,WAA0B;EAC1E,MAAM,QAAQ,KAAK,SAAS,UAAU;AACtC,MAAI,CAAC,MAAM,UACT,OAAM,YAAY,EAAE;AAGtB,QAAM,UAAU,KAAK,SAAS;AAC9B,QAAM,UAAU,MAAM,GAAG,OAAO,EAAE,YAAY,QAAQ,EAAE,YAAY,KAAK;;;;;;CAO3E,AAAO,SAAS,WAA2B;EACzC,MAAM,QAAQ,YACV,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU,GAC/C,KAAK,OAAO;AAEhB,MAAI,CAAC,MACH,OAAM,IAAI,mBAAmB,aAAa,UAAU;AAGtD,SAAO;;;;;;;;;;;CAYT,MAAa,6BACX,KACA,UAGI,EAAE,EACiC;EAEvC,MAAM,eAGD,EAAE;AAEP,OAAK,MAAM,SAAS,KAAK,OACvB,MAAK,MAAM,YAAY,MAAM,aAAa,EAAE,CAC1C,cAAa,KAAK;GAAE;GAAU,WAAW,MAAM;GAAM,CAAC;AAK1D,eAAa,MACV,GAAG,OAAO,EAAE,SAAS,YAAY,QAAQ,EAAE,SAAS,YAAY,KAClE;AAGD,OAAK,MAAM,EAAE,UAAU,eAAe,cAAc;GAClD,IAAI;AAEJ,OAAI;AACF,eAAW,MAAM,SAAS,UAAU,IAAW;WACzC;AAEN;;AAGF,OAAI,UAAU;IAGZ,MAAM,OAAO,KAAK,WAAW,UAAU;KACrC,OAAO;KACP,YAAY,QAAQ;KACrB,CAAC;AAEF,UAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;KACrD,OAAO;KACP;KACD,CAAC;AAEF,WAAO;;;;;;;;;;;;CAgBb,AAAO,gBACL,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,WAAW,CAAC,GAAG,UAC/C,CACF,CAIC,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,UAAU,GAAG,CAAC,MAAM;AACzD,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,AAAO,IAAI,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,AAAO,UACL,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,AAAO,mBAAmB,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;CAK/C,AAAO,YAAqB;AAC1B,SAAO,KAAK;;;;;;;CAQd,AAAO,SAAS,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,AAAO,eAAe,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GAAG,CACZ,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,AAAO,iBAAiB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,AAAO,wBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,AAAO,oBAAoB,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,AAAO,sBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,AAAO,uBACL,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,AAAO,oBAAoB,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,AAAO,mBAAmB,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,AAAO,4BACL,SACsB;AACtB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,cAAc;AACxB,OAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,CAAC,QAAQ,aAAa;AAE/B,OAAI,MAAM,QAAQ,QAAQ,aAAa,CACrC,QAAO,QAAQ;;;;;;;;;;;;;AC74BvB,MAAa,WAAW,YAAqD;AAC3E,QAAO,gBAAgB,iBAAiB,QAAQ;;AA4FlD,IAAa,kBAAb,cAAqC,UAAkC;CACrE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,MAAM,QAAQ,YAAY;CAC7C,AAAmB,MAAM,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,AAAU,SAAS;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACA,WAAW,EAAE;GACd,CAAC;AAGF,OAAK,MAAM,YAAY,KAAK,QAAQ,aAAa,EAAE,CACjD,MAAK,iBAAiB,SAAS;AAIjC,OAAK,iBAAiB,KAAK,mBAAmB,CAAC;;;;;CAMjD,AAAU,oBAAoC;AAC5C,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAuB;IACvC,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AAGzD,WAAO,KAAK,iBAAiB,sBAC3B,OAAO,SACP,KAAK,KACN;;GAEJ;;;;;;CAOH,AAAO,iBAAiB,UAAgC;AACtD,OAAK,iBAAiB,iBAAiB,UAAU,KAAK,KAAK;;;;;CAM7D,AAAO,WAAmB;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,AAAO,cAAc,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,cAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgB;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SATsC;GACpC,cArBmB,MAAM,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,eAAe,KAAK;IACpB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GACD;;CAKH,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,MAAM,WAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QANA,MAAM,KAAK,YAAY,MAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0B;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAIrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,QAAQ,QAAQ;;;;;;;ACrYhB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,AAAO,WAAmB;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,AAAU,SAAS;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,AAAO,IAAI,MAA6B;AACtC,MAAI,CAAC,MAAM,MACT,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MAAM,CAC3D;;;AAIjB,YAAY,QAAQ;;;;;;;AC7DpB,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,AAAmB,mBAAmB,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,AAAU,SAAS;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,SAA+C;AACxD,SAAO,KAAK,QAAQ;;CAGtB,AAAO,IAAI,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,AAAO,MAAM,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;;AC5Ed,MAAM,cAAc,UAAU,OAAO;AAErC,IAAa,iBAAb,MAA4B;CAC1B,MAAa,aAAa,UAAmC;EAC3D,MAAM,OAAO,YAAY,GAAG,CAAC,SAAS,MAAM;AAE5C,SAAO,GAAG,KAAK,IADK,MAAM,YAAY,UAAU,MAAM,GAAG,EAC5B,SAAS,MAAM;;CAG9C,MAAa,eACX,UACA,QACkB;AAElB,MAAI,CAAC,UAAU,OAAO,WAAW,SAC/B,QAAO;EAGT,MAAM,QAAQ,OAAO,MAAM,IAAI;AAC/B,MAAI,MAAM,WAAW,EACnB,QAAO;EAGT,MAAM,CAAC,MAAM,eAAe;AAG5B,MAAI,CAAC,QAAQ,CAAC,YACZ,QAAO;AAIT,MAAI,YAAY,SAAS,MAAM,KAAK,CAAC,eAAe,KAAK,YAAY,CACnE,QAAO;AAGT,MAAI;GACF,MAAM,aAAc,MAAM,YAAY,UAAU,MAAM,GAAG;GACzD,MAAM,cAAc,OAAO,KAAK,aAAa,MAAM;AAGnD,OAAI,WAAW,WAAW,YAAY,OACpC,QAAO;AAIT,UAAO,gBAAgB,YAAY,YAAY;WACxC,OAAO;AAEd,UAAO;;;CAIX,AAAO,aAAqB;AAC1B,SAAO,YAAY;;;;;;ACrDvB,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,eAAe,EAAE,SACf,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,8CACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CACF,CAAC;;;;AChCF,IAAa,yBAAb,MAAoC;CAClC,AAAmB,MAAM,SAAS;CAClC,AAAmB,mBAAmB,QAAQ,iBAAiB;CAC/D,AAAmB,cAAc,QAAQ,YAAY;CACrD,AAAmB,SAAS,QAAQ,OAAO;CAE3C,AAAmB,YAA+C,EAAE;CAEpE,AAAmB,cAAc,MAAM;EACrC,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,UAAU,KAAK,OAAO,WAAW,QAAQ,EAAE;AAKpD,QACE,OAAO,QAAQ,YACf,OAAO,QAAQ,WAAW,QAC1B,KAAK,iBAAiB,WAAW,CAAC,WAAW,EAE7C;AAGF,SAAK,iBAAiB,iBAAiB;KACrC,MAAM,OAAO;KACb,OAAO,OAAO;KACd,QAAQ,OAAO,MAAM;KACrB,MAAM,OAAO,MAAM;KACpB,CAAC;;;EAGP,CAAC;CAIF,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,QAAQ,SAAS,cAAc;GAC/C,MAAM,SAAS,OAAO,QAAQ;AAI9B,OAAI,WAAW,QAAQ,OAAO,WAAW,YAAY,CAAC,QAAQ,MAAM;AAClE,SAAK,IAAI,MAAM,mDAAmD;AAClE;;AAGF,OAAI,YAAY,OAAO,MAAM,OAAO,CAClC;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MACE,OACC,GAAG,SAAS,OAAO,MAAM,QAAQ,GAAG,WAAW,OAAO,MAAM,OAC/D;AAEH,OAAI;AACF,YAAQ,OAAO,KAAK,mCAClB,SACA,WACD;IAED,MAAM,QAAQ,OAAO;AACrB,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BACA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;YACM,OAAO;AACd,QAAI,WAAW,QAAQ,OAAO,WAAW,YAAY,WACnD,OAAM;AAGR,SAAK,IAAI,MAAM,qCAAqC;;;EAGzD,CAAC;CAEF,AAAmB,YAAY,MAAM;EACnC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,SAAS,YAAY;AAErC,OAAI,MAAM,WAAW,OAAO;AAC1B,SAAK,IAAI,MACP,0DACD;AACD;;AAGF,OAAI,YAAY,MAAM,OAAO,CAC3B;GAGF,MAAM,aAAa,KAAK,iBACrB,gBAAgB,CAChB,MAAM,OAAO,GAAG,SAAS,MAAM,QAAQ,GAAG,WAAW,MAAM,OAAO;GAErE,MAAM,QACJ,OAAO,MAAM,WAAW,WAAW,MAAM,OAAO,QAAQ;AAE1D,OAAI;AAEF,YAAQ,OAAO,MAAM,KAAK,iBAAiB,6BACzC,SACA;KAAE;KAAY;KAAO,CACtB;AAGD,QAAI,CAAC,QAAQ,MAAM;AAEjB,SACE,MAAM,WAAW,QACjB,OAAO,MAAM,WAAW,YACxB,YACA;AAEA,UAAI,CAAC,QAAQ,QAAQ,cACnB,OAAM,IAAI,kBACR,yDACD;AAEH,YAAM,IAAI,kBAAkB,0BAA0B;;AAGxD,UAAK,IAAI,MACP,wEACD;AACD;;AAGF,QAAI,OAAO,MAAM,WAAW,SAC1B,MAAK,MAAM,QAAQ,MAAM,MAAM,OAAO;AAGxC,SAAK,OAAO,MAAM,IAChB,8BAEA,KAAK,OAAO,MAAM,OAAO,uBAAuB,QAAQ,KAAK,CAC9D;AAED,SAAK,IAAI,MAAM,yBAAyB;KACtC,MAAM,QAAQ;KACd;KACD,CAAC;YACK,OAAO;AACd,QACE,MAAM,WAAW,QACjB,OAAO,MAAM,WAAW,YACxB,WAEA,OAAM;AAIR,SAAK,IAAI,MACP,sDACA,MACD;;;EAGN,CAAC;CAIF,AAAU,MAAM,MAAwB,QAA2B;AACjE,MAAI,OAAO,OACT;OAAI,KAAK,UAAU,OAAO,MACxB,OAAM,IAAI,eACR,8BAA8B,OAAO,MAAM,wBAC5C;;;;;;;;;;;;;;CAgBP,AAAU,mCACR,SACA,YACkB;EAClB,MAAM,cACJ,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAEpD,MAAM,OAAO,OAAO,QAAQ,SAAS,WAAW,QAAQ,OAAO;EAE/D,IAAI;EAEJ,MAAM,cAAc,KAAK,OAAO,QAAQ,IAAmB,UAAU,EAAE;EACvE,MAAM,aAAa,KAAK,OAAO,MAAM,IACnC,qCACD;AAED,MAAI,SAAS,SACX,QAAO;WACE,SAAS,UAClB,QAAO;MAEP,QAAO,eAAe,eAAe;AAGvC,MAAI,CAAC,KACH,OAAM,IAAI,kBAAkB,2CAA2C;EAGzE,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,IAAI;AAEJ,MAAI,YAAY;GACd,MAAM,SAAS,KAAK,iBAAiB,gBACnC,YACA,GAAG,MACJ;AACD,OAAI,CAAC,OAAO,aACV,OAAM,IAAI,eACR,eAAe,KAAK,iBAAiB,mBAAmB,WAAW,CAAC,8BACrE;AAEH,eAAY,OAAO;;AAIrB,SAAO;GACL,GAAG;GACH;GACD;;CAOH,AAAU,iBAAmC;AAC3C,SAAO;GACL,IAAI,YAAY;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,AAAmB,kBAAkB,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAKF,OAAI,CAAC,QAAQ,KACX;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;;AC5SJ,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,AAAS,OAAO;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACsBhC,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,MACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,MAAM,iCAAiC,eAAe;;GAIlE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,MACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,MACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,OAAO,YAAY,QAAQ,KAAK;AAE5D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;;;;;;;;;ACsEF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAS;EAAO;EAAa;EAAW;CACrD,UAAU;EACR;EACA;EACA;EACA;EACA;EACD;CACD,WAAW,WAAmB;AAE5B,SAAO,KAAK,iBAAiB;AAC7B,SAAO,KAAK,YAAY;AACxB,SAAO,KAAK,eAAe;AAG3B,MAAI,OAAO,IAAI,aAAa,EAAE;AAC5B,UAAO,KAAK,uBAAuB;AACnC,UAAO,KAAK,wBAAwB;;;CAGzC,CAAC;;;;AAKF,MAAa,uBAAuB"}