alepha 0.20.4 → 0.20.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/dist/api/audits/index.d.ts +391 -359
  2. package/dist/api/audits/index.d.ts.map +1 -1
  3. package/dist/api/audits/index.js +23 -1
  4. package/dist/api/audits/index.js.map +1 -1
  5. package/dist/api/files/index.d.ts +18 -0
  6. package/dist/api/files/index.d.ts.map +1 -1
  7. package/dist/api/files/index.js +51 -0
  8. package/dist/api/files/index.js.map +1 -1
  9. package/dist/api/jobs/index.browser.js +33 -14
  10. package/dist/api/jobs/index.browser.js.map +1 -1
  11. package/dist/api/jobs/index.d.ts +452 -155
  12. package/dist/api/jobs/index.d.ts.map +1 -1
  13. package/dist/api/jobs/index.js +474 -159
  14. package/dist/api/jobs/index.js.map +1 -1
  15. package/dist/api/keys/index.d.ts +32 -4
  16. package/dist/api/keys/index.d.ts.map +1 -1
  17. package/dist/api/keys/index.js +53 -0
  18. package/dist/api/keys/index.js.map +1 -1
  19. package/dist/api/notifications/index.d.ts +29 -1
  20. package/dist/api/notifications/index.d.ts.map +1 -1
  21. package/dist/api/notifications/index.js +55 -13
  22. package/dist/api/notifications/index.js.map +1 -1
  23. package/dist/api/organizations/index.js.map +1 -1
  24. package/dist/api/parameters/index.d.ts +15 -0
  25. package/dist/api/parameters/index.d.ts.map +1 -1
  26. package/dist/api/parameters/index.js +37 -0
  27. package/dist/api/parameters/index.js.map +1 -1
  28. package/dist/api/payments/index.js.map +1 -1
  29. package/dist/api/users/index.d.ts +150 -9
  30. package/dist/api/users/index.d.ts.map +1 -1
  31. package/dist/api/users/index.js +237 -28
  32. package/dist/api/users/index.js.map +1 -1
  33. package/dist/api/verifications/index.d.ts +3 -3
  34. package/dist/api/verifications/index.js.map +1 -1
  35. package/dist/batch/index.js.map +1 -1
  36. package/dist/bin/index.js +0 -0
  37. package/dist/bucket/index.d.ts +18 -0
  38. package/dist/bucket/index.d.ts.map +1 -1
  39. package/dist/bucket/index.js +47 -0
  40. package/dist/bucket/index.js.map +1 -1
  41. package/dist/bucket/index.workerd.js +24 -0
  42. package/dist/bucket/index.workerd.js.map +1 -1
  43. package/dist/cache/core/index.d.ts +20 -3
  44. package/dist/cache/core/index.d.ts.map +1 -1
  45. package/dist/cache/core/index.js.map +1 -1
  46. package/dist/cache/core/index.workerd.js.map +1 -1
  47. package/dist/cache/database/index.d.ts +155 -0
  48. package/dist/cache/database/index.d.ts.map +1 -0
  49. package/dist/cache/database/index.js +266 -0
  50. package/dist/cache/database/index.js.map +1 -0
  51. package/dist/cache/redis/index.js.map +1 -1
  52. package/dist/captcha/index.js.map +1 -1
  53. package/dist/cli/config/index.js.map +1 -1
  54. package/dist/cli/core/index.d.ts +35 -5
  55. package/dist/cli/core/index.d.ts.map +1 -1
  56. package/dist/cli/core/index.js +85 -6
  57. package/dist/cli/core/index.js.map +1 -1
  58. package/dist/cli/devtools/index.js.map +1 -1
  59. package/dist/cli/platform/index.js +1 -1
  60. package/dist/cli/platform/index.js.map +1 -1
  61. package/dist/cli/vendor/index.js.map +1 -1
  62. package/dist/command/index.js.map +1 -1
  63. package/dist/core/index.browser.js.map +1 -1
  64. package/dist/core/index.js.map +1 -1
  65. package/dist/core/index.native.js.map +1 -1
  66. package/dist/core/index.workerd.js.map +1 -1
  67. package/dist/crypto/index.browser.js.map +1 -1
  68. package/dist/crypto/index.js.map +1 -1
  69. package/dist/datetime/index.js.map +1 -1
  70. package/dist/email/brevo/index.js.map +1 -1
  71. package/dist/email/core/index.js.map +1 -1
  72. package/dist/email/core/index.workerd.js.map +1 -1
  73. package/dist/email/smtp/index.js.map +1 -1
  74. package/dist/fake/index.js.map +1 -1
  75. package/dist/lock/core/index.js.map +1 -1
  76. package/dist/lock/redis/index.js.map +1 -1
  77. package/dist/logger/index.js.map +1 -1
  78. package/dist/mcp/index.js.map +1 -1
  79. package/dist/orm/core/index.browser.js.map +1 -1
  80. package/dist/orm/core/index.bun.js.map +1 -1
  81. package/dist/orm/core/index.js.map +1 -1
  82. package/dist/orm/postgres/index.bun.js.map +1 -1
  83. package/dist/orm/postgres/index.js.map +1 -1
  84. package/dist/queue/core/index.js.map +1 -1
  85. package/dist/queue/core/index.workerd.js.map +1 -1
  86. package/dist/queue/redis/index.js.map +1 -1
  87. package/dist/react/auth/index.browser.js.map +1 -1
  88. package/dist/react/auth/index.js.map +1 -1
  89. package/dist/react/core/index.js.map +1 -1
  90. package/dist/react/form/index.js +2 -0
  91. package/dist/react/form/index.js.map +1 -1
  92. package/dist/react/head/index.browser.js.map +1 -1
  93. package/dist/react/head/index.js.map +1 -1
  94. package/dist/react/i18n/index.js.map +1 -1
  95. package/dist/react/intro/index.js.map +1 -1
  96. package/dist/react/router/index.browser.js.map +1 -1
  97. package/dist/react/router/index.js.map +1 -1
  98. package/dist/react/testing/index.js.map +1 -1
  99. package/dist/react/ui/index.js.map +1 -1
  100. package/dist/react/websocket/index.js.map +1 -1
  101. package/dist/redis/index.bun.js.map +1 -1
  102. package/dist/redis/index.js.map +1 -1
  103. package/dist/retry/index.js.map +1 -1
  104. package/dist/router/index.js.map +1 -1
  105. package/dist/scheduler/index.d.ts +22 -0
  106. package/dist/scheduler/index.d.ts.map +1 -1
  107. package/dist/scheduler/index.js +12 -0
  108. package/dist/scheduler/index.js.map +1 -1
  109. package/dist/scheduler/index.workerd.js +12 -0
  110. package/dist/scheduler/index.workerd.js.map +1 -1
  111. package/dist/security/index.browser.js.map +1 -1
  112. package/dist/security/index.js.map +1 -1
  113. package/dist/server/auth/index.js.map +1 -1
  114. package/dist/server/cookies/index.browser.js.map +1 -1
  115. package/dist/server/cookies/index.js.map +1 -1
  116. package/dist/server/core/index.browser.js.map +1 -1
  117. package/dist/server/core/index.js.map +1 -1
  118. package/dist/server/cors/index.js.map +1 -1
  119. package/dist/server/etag/index.js.map +1 -1
  120. package/dist/server/health/index.js.map +1 -1
  121. package/dist/server/links/index.browser.js.map +1 -1
  122. package/dist/server/links/index.js.map +1 -1
  123. package/dist/server/metrics/index.js.map +1 -1
  124. package/dist/server/proxy/index.js.map +1 -1
  125. package/dist/server/rate-limit/index.js.map +1 -1
  126. package/dist/server/static/index.js.map +1 -1
  127. package/dist/server/swagger/index.js.map +1 -1
  128. package/dist/sms/index.js.map +1 -1
  129. package/dist/system/index.browser.js.map +1 -1
  130. package/dist/system/index.js.map +1 -1
  131. package/dist/system/index.workerd.js.map +1 -1
  132. package/dist/topic/core/index.js.map +1 -1
  133. package/dist/topic/redis/index.js.map +1 -1
  134. package/dist/websocket/index.browser.js +4 -0
  135. package/dist/websocket/index.browser.js.map +1 -1
  136. package/dist/websocket/index.js +10 -0
  137. package/dist/websocket/index.js.map +1 -1
  138. package/package.json +282 -272
  139. package/src/api/audits/controllers/AdminAuditController.ts +29 -0
  140. package/src/api/files/controllers/FileController.ts +24 -0
  141. package/src/api/files/services/FileService.ts +41 -0
  142. package/src/api/jobs/__tests__/$job.spec.ts +427 -2
  143. package/src/api/jobs/entities/jobExecutionEntity.ts +3 -3
  144. package/src/api/jobs/index.ts +47 -10
  145. package/src/api/jobs/primitives/$job.ts +22 -9
  146. package/src/api/jobs/providers/DirectJobDispatcher.ts +71 -0
  147. package/src/api/jobs/providers/JobDispatcher.ts +49 -0
  148. package/src/api/jobs/providers/JobProvider.ts +365 -142
  149. package/src/api/jobs/providers/JobQueueProvider.ts +43 -18
  150. package/src/api/jobs/schemas/jobConfigAtom.ts +4 -3
  151. package/src/api/jobs/schemas/jobExecutionResourceSchema.ts +11 -0
  152. package/src/api/jobs/schemas/jobRegistrationSchema.ts +4 -2
  153. package/src/api/jobs/services/JobService.ts +21 -11
  154. package/src/api/keys/controllers/AdminApiKeyController.ts +23 -0
  155. package/src/api/keys/services/ApiKeyService.ts +42 -0
  156. package/src/api/notifications/__tests__/AlephaApiNotifications.spec.ts +63 -0
  157. package/src/api/notifications/controllers/AdminNotificationController.ts +48 -1
  158. package/src/api/notifications/index.ts +13 -3
  159. package/src/api/notifications/jobs/NotificationJobs.ts +0 -6
  160. package/src/api/parameters/controllers/AdminParameterController.ts +26 -0
  161. package/src/api/parameters/services/ParameterProvider.ts +18 -0
  162. package/src/api/users/__tests__/Registration-emailMode.spec.ts +203 -0
  163. package/src/api/users/__tests__/UsernameSlugger.spec.ts +138 -0
  164. package/src/api/users/atoms/realmAuthSettingsAtom.ts +41 -3
  165. package/src/api/users/controllers/AdminSessionController.ts +29 -0
  166. package/src/api/users/controllers/AdminUserController.ts +32 -0
  167. package/src/api/users/index.ts +3 -0
  168. package/src/api/users/services/CredentialService.ts +5 -0
  169. package/src/api/users/services/RegistrationService.ts +49 -1
  170. package/src/api/users/services/SessionCrudService.ts +16 -0
  171. package/src/api/users/services/SessionService.ts +17 -59
  172. package/src/api/users/services/UsernameSlugger.ts +195 -0
  173. package/src/bucket/primitives/$bucket.ts +21 -0
  174. package/src/bucket/providers/CloudflareR2Provider.ts +15 -0
  175. package/src/bucket/providers/FileStorageProvider.ts +9 -0
  176. package/src/bucket/providers/LocalFileStorageProvider.ts +14 -0
  177. package/src/bucket/providers/MemoryFileStorageProvider.ts +9 -0
  178. package/src/bucket/providers/NodeS3BucketProvider.ts +35 -0
  179. package/src/cache/core/primitives/$cache.ts +20 -3
  180. package/src/cache/database/__tests__/DatabaseCacheProvider.behavior.spec.ts +203 -0
  181. package/src/cache/database/__tests__/DatabaseCacheProvider.spec.ts +110 -0
  182. package/src/cache/database/entities/cacheEntries.ts +55 -0
  183. package/src/cache/database/index.ts +36 -0
  184. package/src/cache/database/providers/DatabaseCacheProvider.ts +348 -0
  185. package/src/cli/core/services/ProjectScaffolder.ts +0 -2
  186. package/src/cli/core/tasks/BuildCloudflareTask.ts +17 -3
  187. package/src/cli/core/tasks/BuildSitemapTask.ts +7 -0
  188. package/src/cli/core/tasks/BuildVercelTask.ts +82 -3
  189. package/src/cli/platform/__tests__/detectResources.spec.ts +96 -0
  190. package/src/cli/platform/commands/platform.ts +7 -1
  191. package/src/scheduler/index.ts +14 -0
  192. package/src/scheduler/providers/CronProvider.ts +13 -0
package/dist/security/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","names":["encode","decodeBase64URL","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u","encode","#payload","#payload","#protectedHeader","#unprotectedHeader","b64u","encode","#flattened","#jwt","#protectedHeader","#jwks","#cached","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#headers","#customFetch","#cache","#jwksTimestamp","#local","#pendingFetch"],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/SecurityError.ts","../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../../../node_modules/jose/dist/webapi/lib/base64.js","../../../../node_modules/jose/dist/webapi/util/base64url.js","../../../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../../../node_modules/jose/dist/webapi/util/errors.js","../../../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../../../node_modules/jose/dist/webapi/lib/helpers.js","../../../../node_modules/jose/dist/webapi/lib/type_checks.js","../../../../node_modules/jose/dist/webapi/lib/signing.js","../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../../../node_modules/jose/dist/webapi/key/import.js","../../../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../../../node_modules/jose/dist/webapi/jws/compact/verify.js","../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../../../../node_modules/jose/dist/webapi/jwt/verify.js","../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/jose/dist/webapi/jwt/sign.js","../../../../node_modules/jose/dist/webapi/jwks/local.js","../../../../node_modules/jose/dist/webapi/jwks/remote.js","../../src/security/providers/JwtProvider.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$basicAuth.ts","../../src/security/primitives/$secure.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.ts"],"sourcesContent":["import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organization: t.optional(\n t.uuid({\n description: \"Organization the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n\n realm: t.optional(\n t.text({\n description: \"The realm (issuer) the user was authenticated from.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $atom, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Atom storing the current authenticated user.\n *\n * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context\n * that sets the atom before calling secured logic.\n */\nexport const currentUserAtom = $atom({\n name: \"alepha.security.user\",\n schema: t.optional(userAccountInfoSchema),\n});\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction checkHashLength(algorithm, expected) {\n const actual = getHashLength(algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","import { decode } from '../util/base64url.js';\nexport const unprotected = Symbol();\nexport function assertNotSet(value, name) {\n if (value) {\n throw new TypeError(`${name} can only be called once`);\n }\n}\nexport function decodeBase64url(value, label, ErrorClass) {\n try {\n return decode(value);\n }\n catch {\n throw new ErrorClass(`Failed to base64url decode the ${label}`);\n }\n}\nexport async function digest(algorithm, data) {\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\nexport function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { JOSENotSupported } from '../util/errors.js';\nimport { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\nfunction subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\nasync function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nconst unsupportedAlg = 'Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n case 'ES384':\n case 'ES512':\n algorithm = {\n name: 'ECDSA',\n namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],\n };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { isJWK } from './type_checks.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nconst unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError(unusableForAlg);\n }\n const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };\n if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError(unusableForAlg);\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './type_checks.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/signing.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { decodeBase64url } from '../../lib/helpers.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { isObject } from '../../lib/type_checks.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid);\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = decodeBase64url(jws.payload, 'payload', JWSInvalid);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './type_checks.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/signing.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nimport { assertNotSet } from '../../lib/helpers.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n assertNotSet(this.#protectedHeader, 'setProtectedHeader');\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/type_checks.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.2.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /**\n * Adds a key loader to the embedded keystore.\n *\n * @param name\n * @param secretKeyOrJwks\n */\n public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.debug(`will verify JWTs from key '${name}' with JWKS object`);\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.debug(`will verify JWTs from issuer '${name}' with secret key`);\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.debug(`will verify JWTs from issuer '${name}' with JWKS`, {\n url: secretKeyOrJwks,\n });\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /**\n * Retrieves the payload from a JSON Web Token (JWT).\n *\n * @param token - The JWT to extract the payload from.\n *\n * @return A Promise that resolves with the payload object from the token.\n */\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /**\n * Creates a JWT token with the provided payload and secret key.\n *\n * @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n *\n * @returns The signed JWT token.\n */\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /**\n * Determines if the provided key is a secret key.\n *\n * @param key\n * @protected\n */\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http://\") && !key.startsWith(\"https://\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organization?: string;\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","import {\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n} from \"alepha\";\nimport { SecretProvider } from \"alepha/crypto\";\nimport { $logger } from \"alepha/logger\";\nimport { ForbiddenError } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver, UserInfo } from \"../interfaces/IssuerResolver.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport {\n type UserAccount,\n userAccountInfoSchema,\n} from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n protected readonly secretProvider = $inject(SecretProvider);\n\n public get secretKey(): string {\n return this.secretProvider.secretKey;\n }\n\n /**\n * The permissions configured for the security provider.\n */\n protected readonly permissions: Permission[] = [];\n\n /**\n * The realms configured for the security provider.\n */\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.secretKey,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"*\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n\n // Register default JWT resolver for realms without resolvers\n if (!realm.resolvers || realm.resolvers.length === 0) {\n this.registerResolver(\n this.createDefaultJwtResolver(realm.name),\n realm.name,\n );\n }\n }\n },\n });\n\n /**\n * Creates a default JWT resolver for a realm.\n */\n protected createDefaultJwtResolver(realmName: string): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, realmName);\n\n // Extract user info from JWT payload\n return this.createUserFromPayload(result.payload, realmName);\n },\n };\n }\n\n /**\n * Adds a role to one or more realms.\n *\n * @param role\n * @param realms\n */\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"*\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n if (name.endsWith(\":*\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":*\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /**\n * Adds a permission to the security provider.\n *\n * @param raw - The permission to add.\n */\n public createPermission(raw: Permission | string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /**\n * Updates the roles for a realm then synchronizes the user account provider if available.\n *\n * Only available when the app is started.\n *\n * @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n */\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Creates a user account from the provided payload.\n *\n * @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n *\n * @returns The user info created from the payload.\n */\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organization = this.getOrganizationFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organization,\n sessionId,\n };\n }\n\n /**\n * Generic user creation from any source (JWT, API key, etc.).\n * Handles permission checking, ownership, default roles.\n */\n public createUser(\n userInfo: UserInfo,\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): UserAccountToken {\n const realmRoles = this.getRoles(options.realm).filter((it) => it.default);\n const roles = [...(userInfo.roles ?? [])];\n\n // Add default roles\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n let ownership: string | boolean | undefined;\n\n // Permission check\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n ownership = check.ownership;\n }\n\n return {\n ...userInfo,\n roles,\n ownership,\n realm: options.realm,\n };\n }\n\n /**\n * Register a resolver to a realm.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver, realmName?: string): void {\n const realm = this.getRealm(realmName);\n if (!realm.resolvers) {\n realm.resolvers = [];\n }\n\n realm.resolvers.push(resolver);\n realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));\n }\n\n /**\n * Get a realm by name.\n * Throws if realm not found.\n */\n public getRealm(realmName?: string): Realm {\n const realm = realmName\n ? this.realms.find((it) => it.name === realmName)\n : this.realms[0];\n\n if (!realm) {\n throw new RealmNotFoundError(realmName ?? \"default\");\n }\n\n return realm;\n }\n\n /**\n * Resolve user from request using registered resolvers.\n * Returns undefined if no resolver could authenticate (no auth provided).\n * Throws UnauthorizedError if auth was provided but invalid.\n *\n * Note: This method tries resolvers from ALL realms to find a match,\n * regardless of the `realm` option. The `realm` option is only used for\n * permission checking after the user is resolved.\n */\n public async resolveUserFromServerRequest(\n req: { url: URL | string; headers: { authorization?: string } },\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): Promise<UserAccountToken | undefined> {\n // Collect all resolvers from all realms with their realm name\n const allResolvers: Array<{\n resolver: IssuerResolver;\n realmName: string;\n }> = [];\n\n for (const realm of this.realms) {\n for (const resolver of realm.resolvers ?? []) {\n allResolvers.push({ resolver, realmName: realm.name });\n }\n }\n\n // Sort by priority\n allResolvers.sort(\n (a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100),\n );\n\n // Try resolvers in priority order\n for (const { resolver, realmName } of allResolvers) {\n let userInfo: UserInfo | null;\n\n try {\n userInfo = await resolver.onRequest(req as any);\n } catch {\n // Resolver failed (e.g., wrong key), try next\n continue;\n }\n\n if (userInfo) {\n // User was resolved - now create user and check permissions\n // (errors from createUser should propagate, not be caught)\n const user = this.createUser(userInfo, {\n realm: realmName,\n permission: options.permission,\n });\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm: realmName,\n user,\n });\n\n return user;\n }\n }\n\n // No resolver matched = no auth provided\n return undefined;\n }\n\n /**\n * Checks if the user has the specified permission.\n *\n * Bonus: we check also if the user has \"ownership\" flag.\n *\n * @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n */\n public checkPermission(\n permissionLike: string | Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"*\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":*\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /**\n * Creates a user account from the provided payload.\n */\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission | string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(/^Bearer\\s+/i, \"\").trim();\n if (typeof token !== \"string\" || token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string | boolean | undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /**\n * Checks if a user has a specific role.\n *\n * @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n */\n public can(roleName: string, permission: string | Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /**\n * Checks if a user has ownership of a specific permission.\n */\n public ownership(\n roleName: string,\n permission: string | Permission,\n ): string | boolean | undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /**\n * Converts a permission object to a string.\n *\n * @param permission\n */\n public permissionToString(permission: Permission | string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n /**\n * Check that the user belongs to one of the required issuers.\n */\n public checkIssuers(user: UserAccountToken, issuers?: string[]) {\n if (issuers?.length && (!user.realm || !issuers.includes(user.realm))) {\n throw new ForbiddenError(\n `User must belong to issuer '${issuers.join(\"' or '\")}' to access this route`,\n );\n }\n }\n\n /**\n * Store the resolved user in the atom for downstream access (useAuth, audit trail, etc.).\n */\n public storeUserInContext(user: UserAccountToken) {\n const decoded = this.alepha.codec.decode(userAccountInfoSchema, user);\n this.alepha.store.set(currentUserAtom, decoded);\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /**\n * Retrieves the user account from the provided user ID.\n *\n * @param realm\n */\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /**\n * Returns all permissions.\n *\n * @param user - Filter permissions by user.\n *\n * @return An array containing all permissions.\n */\n public getPermissions(user?: {\n roles?: Array<Role | string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"*\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"*\") {\n // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":*\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /**\n * Retrieves the user ID from the provided payload object.\n *\n * @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n */\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /**\n * Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n */\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /**\n * Returns the name from the given payload.\n *\n * @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n */\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (typeof payload.organization === \"string\") {\n return payload.organization;\n }\n }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /**\n * The secret key for the realm.\n *\n * Can be also a JWKS URL.\n */\n secret?: string | JSONWebKeySet | (() => string);\n\n /**\n * Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n */\n profile?: (raw: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers for this realm (sorted by priority).\n */\n resolvers?: IssuerResolver[];\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string | boolean | undefined;\n}\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver } from \"../interfaces/IssuerResolver.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new issuer.\n *\n * An issuer is responsible for creating and verifying JWT tokens.\n * It can be internal (with a secret) or external (with a JWKS).\n */\nexport const $issuer = (options: IssuerPrimitiveOptions): IssuerPrimitive => {\n return createPrimitive(IssuerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type IssuerPrimitiveOptions = {\n /**\n * Define the issuer name.\n * If not provided, it will use the property key.\n */\n name?: string;\n\n /**\n * Short description about the issuer.\n */\n description?: string;\n\n /**\n * All roles available in the issuer. Role is a string (role name) or a Role object (embedded role).\n */\n roles?: Array<string | Role>;\n\n /**\n * Issuer settings.\n */\n settings?: IssuerSettings;\n\n /**\n * Parse the JWT payload to create a user account info.\n */\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers (in addition to default JWT resolver).\n */\n resolvers?: IssuerResolver[];\n} & (IssuerInternal | IssuerExternal);\n\nexport interface IssuerSettings {\n accessToken?: {\n /**\n * Lifetime of the access token.\n * @default 15 minutes\n */\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /**\n * Lifetime of the refresh token.\n * @default 30 days\n */\n expiration?: DurationLike;\n\n /**\n * Idle invalidation is enforced by session-backed realms via\n * `realmAuthSettings.refreshToken.expirationIdle` (in `alepha/api/users`).\n * Token-only refresh (no `onRefreshSession`) does not support idle\n * invalidation — it has no stateful row to track `lastUsedAt`.\n */\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type IssuerInternal = {\n /**\n * Internal secret to sign JWT tokens and verify them.\n */\n secret: string;\n};\n\nexport interface IssuerExternal {\n /**\n * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n */\n jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n resolvers: [],\n });\n\n // Register custom resolvers first (they usually have lower priority)\n for (const resolver of this.options.resolvers ?? []) {\n this.registerResolver(resolver);\n }\n\n // Register default JWT resolver (priority 100)\n this.registerResolver(this.createJwtResolver());\n }\n\n /**\n * Creates the default JWT resolver.\n */\n protected createJwtResolver(): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req: ServerRequest) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, this.name);\n\n // Extract user info from JWT payload\n return this.securityProvider.createUserFromPayload(\n result.payload,\n this.name,\n );\n },\n };\n }\n\n /**\n * Register a resolver to this issuer.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver): void {\n this.securityProvider.registerResolver(resolver, this.name);\n }\n\n /**\n * Get all roles in the issuer.\n */\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /**\n * Set all roles in the issuer.\n */\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /**\n * Get a role by name, throws an error if not found.\n */\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /**\n * Create a token for the subject.\n */\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string | undefined = refreshToken?.sid;\n let refresh_token: string | undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number | undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organization: user.organization,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // Extract user from an expired token.\n // WARNING: Roles from the expired token are reused without re-validation.\n // If roles were revoked, the new access token will still contain old roles\n // until the refresh token expires. Use session-based refresh (onRefreshSession)\n // to re-fetch current roles from the database on each refresh.\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$issuer[KIND] = IssuerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /**\n * Name of the permission. Use Property name is not provided.\n */\n name?: string;\n\n /**\n * Group of the permission. Use Class name is not provided.\n */\n group?: string;\n\n /**\n * Describe the permission.\n */\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group || this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /**\n * Check if the user has the permission.\n */\n public can(user?: UserAccount): boolean {\n if (!user?.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { IssuerPrimitive } from \"./$issuer.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /**\n * Name of the role.\n */\n name?: string;\n\n /**\n * Describe the role.\n */\n description?: string;\n\n issuer?: string | IssuerPrimitive;\n\n permissions?: Array<\n | string\n | {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /**\n * Get the issuer of the role.\n */\n public get issuer(): string | IssuerPrimitive | undefined {\n return this.options.issuer;\n }\n\n public can(permission: string | PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string | PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\nimport { SecurityProvider } from \"./SecurityProvider.ts\";\n\nexport class ServerSecurityProvider {\n protected readonly log = $logger();\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly jwtProvider = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n\n protected readonly onServerRequest = $hook({\n on: \"server:onRequest\",\n priority: \"last\",\n handler: async ({ request }) => {\n // Resolve user from authorization header (authentication).\n // This makes currentUserAtom available on ALL routes, not just $secure ones.\n // $secure() then acts purely as an authorization gate.\n if (request.headers.authorization) {\n try {\n const user =\n await this.securityProvider.resolveUserFromServerRequest(request);\n if (user) {\n this.securityProvider.storeUserInContext(user);\n request.user = user;\n }\n } catch (error) {\n this.log.debug(\n \"Failed to resolve user from request authorization header\",\n error,\n );\n // Invalid/expired token — request continues as unauthenticated\n }\n }\n },\n });\n\n // ---------------------------------------------------------------------------------------------------------------\n // action:onRequest — resolve user from options, request fork for ALS isolation\n // ---------------------------------------------------------------------------------------------------------------\n\n protected readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async (data) => {\n if (!data.options.user) return;\n\n let user: UserAccountToken | undefined;\n\n if (typeof data.options.user === \"object\") {\n user = data.options.user;\n } else if (data.options.user === \"system\") {\n user = this.alepha.store.get(\"alepha.security.system.user\");\n } else if (data.options.user === \"context\") {\n const ctx = this.alepha.store.get(\"alepha.http.request\");\n user = ctx?.user;\n }\n\n if (user) {\n data.context = { [currentUserAtom.key]: user };\n }\n },\n });\n\n // ---------------------------------------------------------------------------------------------------------------\n // client:onRequest — automatic test token creation for .fetch()\n // ---------------------------------------------------------------------------------------------------------------\n\n protected createTestUser(): UserAccountToken {\n return {\n id: randomUUID(),\n name: \"Test\",\n roles: this.securityProvider.getRoles().map((role) => role.name),\n };\n }\n\n protected readonly onClientRequest = $hook({\n on: \"client:onRequest\",\n handler: async ({ request, options }) => {\n if (!this.alepha.isTest()) {\n return;\n }\n\n // skip helper if user is explicitly set to undefined\n if (!options.user) {\n return;\n }\n\n request.headers = new Headers(request.headers);\n\n if (!request.headers.has(\"authorization\")) {\n const test = this.createTestUser();\n const user =\n typeof options?.user === \"object\" ? options.user : undefined;\n const sub = user?.id ?? test.id;\n const roles = user?.roles ?? test.roles;\n\n const token = await this.jwtProvider.create(\n {\n sub,\n roles,\n },\n user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n );\n\n request.headers.set(\"authorization\", `Bearer ${token}`);\n }\n },\n });\n}\n\nexport type ServerSecurityUserResolver = (\n request: ServerRequest,\n) => Promise<UserAccountToken | undefined>;\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { timingSafeEqual } from \"node:crypto\";\nimport { createMiddleware, type Middleware } from \"alepha\";\nimport { HttpError, type ServerRequest } from \"alepha/server\";\n\nexport interface BasicAuthOptions {\n username: string;\n password: string;\n}\n\n/**\n * Middleware that enforces HTTP Basic Authentication on the request.\n *\n * Works with request context only (HTTP). Reads the `Authorization: Basic` header,\n * validates credentials using timing-safe comparison, and throws 401 if invalid.\n *\n * ```typescript\n * class DevToolsController {\n * dashboard = $action({\n * use: [$basicAuth({ username: \"admin\", password: \"secret\" })],\n * handler: async () => { ... },\n * });\n * }\n * ```\n */\nexport function $basicAuth(options: BasicAuthOptions): Middleware {\n return createMiddleware({\n name: \"$basicAuth\",\n options: options as unknown as Record<string, unknown>,\n handler: ({ alepha, next }) => {\n return async (...args: any[]) => {\n const request = alepha.store.get(\"alepha.http.request\");\n\n if (!request?.headers) {\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n const authHeader = request.headers.authorization;\n\n if (!authHeader?.startsWith(\"Basic \")) {\n sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n // Decode base64 credentials\n const base64Credentials = authHeader.slice(6);\n const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n \"utf-8\",\n );\n\n // Split only on the first colon to handle passwords with colons\n const colonIndex = credentials.indexOf(\":\");\n const username =\n colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n const password =\n colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n // Verify credentials using timing-safe comparison\n const isValid = timingSafeCredentialCheck(\n username,\n password,\n options.username,\n options.password,\n );\n\n if (!isValid) {\n sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Invalid credentials\",\n });\n }\n\n return next(...args);\n };\n },\n });\n}\n\n// =====================================================================================================================\n\nfunction sendAuthRequired(request: ServerRequest): void {\n request.reply?.setHeader(\"WWW-Authenticate\", 'Basic realm=\"Secure Area\"');\n}\n\nfunction timingSafeCredentialCheck(\n inputUsername: string,\n inputPassword: string,\n expectedUsername: string,\n expectedPassword: string,\n): boolean {\n const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n const userMatch = safeCompare(inputUserBuf, expectedUserBuf);\n const passMatch = safeCompare(inputPassBuf, expectedPassBuf);\n\n // Both must match — bitwise AND avoids short-circuit evaluation\n // eslint-disable-next-line no-bitwise\n return (userMatch & passMatch) === 1;\n}\n\nfunction safeCompare(input: Buffer, expected: Buffer): number {\n if (input.length !== expected.length) {\n timingSafeEqual(input, input);\n return 0;\n }\n return timingSafeEqual(input, expected) ? 1 : 0;\n}\n","import { $context, createMiddleware, type Middleware } from \"alepha\";\nimport { ForbiddenError, UnauthorizedError } from \"alepha/server\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\n\nexport interface SecureOptions {\n /**\n * Restrict to specific issuers (realms).\n * User must belong to one of the listed issuers.\n */\n issuers?: string[];\n\n /**\n * Required roles. User must have at least one of the listed roles.\n */\n roles?: string[];\n\n /**\n * Required permissions. All must be satisfied.\n */\n permissions?: (string | Permission)[];\n\n /**\n * Custom guard function. Runs after all other checks.\n * Return `false` to deny access.\n */\n guard?: (user: UserAccountToken) => boolean;\n}\n\n/**\n * Middleware that enforces authentication and authorization.\n *\n * Resolves the user from the request context, `currentUserAtom`, or authorization headers.\n * Throws `UnauthorizedError` if no user is resolved, `ForbiddenError` if checks fail.\n * Stores the resolved user in `currentUserAtom` and `request.user` for downstream access.\n *\n * Works across all transports (atom-first resolution):\n * 1. `currentUserAtom` — set by `action.run()` fork, MCP transport, pipelines, jobs\n * 2. `request.user` — set by previous middleware\n * 3. HTTP headers — JWT/API key resolution\n *\n * ## Check Order\n *\n * When multiple options are provided, they are checked in this fixed order.\n * All provided options must pass (AND). Each option has its own logic:\n *\n * 1. **Authentication** — Is there a valid user? → `UnauthorizedError` (401)\n * 2. **Issuers** (OR) — Does the user's realm match at least one? → `ForbiddenError` (403)\n * 3. **Roles** (OR) — Does the user have at least one of the listed roles? → `ForbiddenError` (403)\n * 4. **Permissions** (AND) — Does the user's role grant all listed permissions? → `ForbiddenError` (403)\n * 5. **Guard** — Does the custom function return `true`? → `ForbiddenError` (403)\n *\n * Permissions declared in `$secure()` are auto-created in the permission registry at definition time.\n *\n * ## Browser Behavior\n *\n * On the server, `$secure` throws `UnauthorizedError` or `ForbiddenError`.\n * In the browser, it returns `undefined` instead — the handler is never called.\n *\n * ```typescript\n * class OrderController {\n * getOrders = $action({\n * use: [$secure()],\n * handler: async ({ query }) => { ... },\n * });\n *\n * deleteOrder = $action({\n * use: [$secure({ permissions: [\"orders:delete\"] })],\n * handler: async ({ params }) => { ... },\n * });\n *\n * adminManage = $action({\n * use: [$secure({\n * issuers: [\"main\"],\n * roles: [\"admin\"],\n * permissions: [\"admin:manage\"],\n * guard: (user) => !!user.email,\n * })],\n * handler: () => { ... },\n * });\n * }\n * ```\n */\nexport function $secure(options?: SecureOptions): Middleware {\n const { alepha } = $context();\n const securityProvider = alepha.inject(SecurityProvider);\n\n // Register declared permissions at definition time\n if (options?.permissions?.length) {\n for (const perm of options.permissions) {\n securityProvider.createPermission(perm);\n }\n }\n\n return createMiddleware({\n name: \"$secure\",\n options: (options as unknown as Record<string, unknown>) ?? undefined,\n handler: ({ alepha, next }) => {\n return async (...args: any[]) => {\n let user: UserAccountToken | undefined;\n\n // 1. Atom-first (set by action.run fork, MCP transport, pipelines, jobs)\n user = alepha.store.get(currentUserAtom);\n\n // 2. HTTP request fallback (walks up fork tree to find real HTTP request)\n if (!user) {\n const httpRequest = alepha.store.get(\"alepha.http.request\");\n if (httpRequest) {\n // 2a. request.user (set by previous middleware)\n user = httpRequest.user;\n\n // 2b. Resolve from HTTP headers (JWT/API key)\n if (!user) {\n user = await securityProvider.resolveUserFromServerRequest(\n httpRequest,\n { realm: options?.issuers?.[0] },\n );\n }\n }\n }\n\n // 3. Handle unauthenticated\n if (!user) {\n throw new UnauthorizedError(\"Authentication required\");\n }\n\n // 4. Issuer check (user must belong to one of the listed issuers)\n securityProvider.checkIssuers(user, options?.issuers);\n\n // 5. Role check (user must have at least one of the listed roles)\n if (options?.roles?.length) {\n const hasRole = options.roles.some((role) =>\n user!.roles?.includes(role),\n );\n if (!hasRole) {\n throw new ForbiddenError(\n `One of roles '${options.roles.join(\"', '\")}' required`,\n );\n }\n }\n\n // 6. Explicit permission checks (all must pass)\n if (options?.permissions?.length) {\n for (const perm of options.permissions) {\n const result = securityProvider.checkPermission(\n perm,\n ...(user.roles ?? []),\n );\n if (!result.isAuthorized) {\n throw new ForbiddenError(\n `Permission '${typeof perm === \"string\" ? perm : perm.name}' required`,\n );\n }\n user = { ...user, ownership: result.ownership };\n }\n }\n\n // 7. Custom guard\n if (options?.guard) {\n if (!options.guard(user)) {\n throw new ForbiddenError(\"Access denied\");\n }\n }\n\n // 8. Store user in atom and requests\n securityProvider.storeUserInContext(user);\n\n const httpRequest = alepha.store.get(\"alepha.http.request\", \"current\");\n if (httpRequest) {\n httpRequest.user = user;\n }\n\n const actionRequest = alepha.store.get(\n \"alepha.action.request\",\n \"current\",\n );\n if (actionRequest) {\n actionRequest.user = user;\n }\n\n return next(...args);\n };\n },\n });\n}\n","import { $context, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, IssuerPrimitive } from \"./$issuer.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n *\n * async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n */\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new AlephaError(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new AlephaError(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new AlephaError(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token || !json.expires_in) {\n throw new AlephaError(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.issuer.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in seconds before token expiration\n} & (\n | {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n | {\n issuer: IssuerPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /**\n * Get Token URL.\n */\n url: string;\n\n /**\n * Client ID.\n */\n clientId: string;\n\n /**\n * Client Secret.\n */\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module } from \"alepha\";\nimport type { FetchOptions } from \"alepha/server\";\nimport { currentUserAtom } from \"./atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"./interfaces/UserAccountToken.ts\";\nimport { $issuer } from \"./primitives/$issuer.ts\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport { ServerSecurityProvider } from \"./providers/ServerSecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"alepha/crypto\";\nexport * from \"./atoms/currentUserAtom.ts\";\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/IssuerResolver.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$basicAuth.ts\";\nexport * from \"./primitives/$issuer.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$secure.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n\n interface State {\n /**\n * Real (or fake) user account, used for internal actions.\n *\n * If you define this, you assume that all actions are executed by this user by default.\n * > To force a different user, you need to pass it explicitly in the options.\n */\n \"alepha.security.system.user\"?: UserAccountToken;\n\n /**\n * The current authenticated user.\n */\n \"alepha.security.user\"?: UserAccount;\n }\n}\n\ndeclare module \"alepha/server\" {\n interface ServerRequest<TConfig> {\n user?: UserAccountToken; // for all routes, user is maybe present\n }\n\n interface ServerActionRequest<TConfig> {\n user: UserAccountToken; // for actions, user is always present\n }\n\n interface ClientRequestOptions extends FetchOptions {\n /**\n * Forward user from the previous request.\n * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n * If \"context\", use the user from the current context (e.g. request).\n *\n * @default \"system\" if provided, else \"context\" if available.\n */\n user?: UserAccountToken | \"system\" | \"context\";\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.\n *\n * **Features:**\n * - JWT token issuer with role definitions\n * - Role-based access control (RBAC)\n * - Fine-grained permissions\n * - HTTP Basic Authentication\n * - Service-to-service authentication\n * - Multi-issuer support for federated auth\n * - JWKS (JSON Web Key Set) for external issuers\n * - Token refresh logic\n * - User profile extraction from JWT\n *\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$issuer, $role, $permission],\n atoms: [currentUserAtom],\n services: [SecurityProvider, JwtProvider, ServerSecurityProvider],\n});\n"],"x_google_ignoreList":[3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27],"mappings":";;;;;;;;AAGA,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,cAAc,EAAE,SACd,EAAE,KAAK,EACL,aAAa,qCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,uDACd,CAAC,CACH;CACF,CAAC;;;;;;;;;ACjDF,MAAa,kBAAkB,MAAM;CACnC,MAAM;CACN,QAAQ,EAAE,SAAS,sBAAsB;CAC1C,CAAC;;;ACZF,IAAa,gBAAb,cAAmC,MAAM;CACvC,OAAc;CACd,SAAyB;;;;ACF3B,MAAa,UAAU,IAAI,aAAa;AACxC,MAAa,UAAU,IAAI,aAAa;AAExC,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,EAAE;CACjE,MAAM,MAAM,IAAI,WAAW,KAAK;CAChC,IAAI,IAAI;AACR,MAAK,MAAM,UAAU,SAAS;AAC1B,MAAI,IAAI,QAAQ,EAAE;AAClB,OAAK,OAAO;;AAEhB,QAAO;;AAqBX,SAAgBA,SAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,EAAE;AACjC,MAAI,OAAO,IACP,OAAM,IAAI,UAAU,2CAA2C;AAEnE,QAAM,KAAK;;AAEf,QAAO;;;;ACzCX,SAAgB,aAAa,OAAO;AAChC,KAAI,WAAW,UAAU,SACrB,QAAO,MAAM,UAAU;CAE3B,MAAM,aAAa;CACnB,MAAM,MAAM,EAAE;AACd,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,WACnC,KAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,CAAC;AAEhF,QAAO,KAAK,IAAI,KAAK,GAAG,CAAC;;AAE7B,SAAgB,aAAa,SAAS;AAClC,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,QAAQ;CAEzC,MAAM,SAAS,KAAK,QAAQ;CAC5B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;AAC3C,MAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,IAC/B,OAAM,KAAK,OAAO,WAAW,EAAE;AAEnC,QAAO;;;;AClBX,SAAgB,OAAO,OAAO;AAC1B,KAAI,WAAW,WACX,QAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,MAAM,EAAE,EACpF,UAAU,aACb,CAAC;CAEN,IAAI,UAAU;AACd,KAAI,mBAAmB,WACnB,WAAU,QAAQ,OAAO,QAAQ;AAErC,WAAU,QAAQ,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;AACvD,KAAI;AACA,SAAO,aAAa,QAAQ;SAE1B;AACF,QAAM,IAAI,UAAU,oDAAoD;;;AAGhF,SAAgB,OAAO,OAAO;CAC1B,IAAI,YAAY;AAChB,KAAI,OAAO,cAAc,SACrB,aAAY,QAAQ,OAAO,UAAU;AAEzC,KAAI,WAAW,UAAU,SACrB,QAAO,UAAU,SAAS;EAAE,UAAU;EAAa,aAAa;EAAM,CAAC;AAE3E,QAAO,aAAa,UAAU,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;;AC5B5F,MAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,OAAO;AAC3I,MAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;AACzB,QAAO,SAAS,KAAK,KAAK,MAAM,EAAE,EAAE,GAAG;;AAE3C,SAAS,gBAAgB,WAAW,UAAU;AAE1C,KADe,cAAc,UAAU,KAC7B,KAAK,SACX,OAAM,SAAS,OAAO,YAAY,iBAAiB;;AAE3D,SAAS,cAAc,KAAK;AACxB,SAAQ,KAAR;EACI,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,KAAK,QACD,QAAO;EACX,QACI,OAAM,IAAI,MAAM,cAAc;;;AAG1C,SAAS,WAAW,KAAK,OAAO;AAC5B,KAAI,SAAS,CAAC,IAAI,OAAO,SAAS,MAAM,CACpC,OAAM,IAAI,UAAU,sEAAsE,MAAM,GAAG;;AAG3G,SAAgB,kBAAkB,KAAK,KAAK,OAAO;AAC/C,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,OAAO,CACnC,OAAM,SAAS,OAAO;AAC1B,mBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;AAC1D;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,oBAAoB,CAChD,OAAM,SAAS,oBAAoB;AACvC,mBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;AAC1D;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;AAC7B,mBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;AAC1D;EAEJ,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,UAAU,CACtC,OAAM,SAAS,UAAU;AAC7B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,CAAC,YAAY,IAAI,WAAW,IAAI,CAChC,OAAM,SAAS,IAAI;AACvB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;AACV,OAAI,CAAC,YAAY,IAAI,WAAW,QAAQ,CACpC,OAAM,SAAS,QAAQ;GAC3B,MAAM,WAAW,cAAc,IAAI;AAEnC,OADe,IAAI,UAAU,eACd,SACX,OAAM,SAAS,UAAU,uBAAuB;AACpD;;EAEJ,QACI,OAAM,IAAI,UAAU,4CAA4C;;AAExE,YAAW,KAAK,MAAM;;;;AChF1B,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;AACpC,SAAQ,MAAM,OAAO,QAAQ;AAC7B,KAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,KAAK;AACxB,SAAO,eAAe,MAAM,KAAK,KAAK,CAAC,OAAO,KAAK;YAE9C,MAAM,WAAW,EACtB,QAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;KAG9C,QAAO,WAAW,MAAM,GAAG;AAE/B,KAAI,UAAU,KACV,QAAO,aAAa;UAEf,OAAO,WAAW,cAAc,OAAO,KAC5C,QAAO,sBAAsB,OAAO;UAE/B,OAAO,WAAW,YAAY,UAAU;MACzC,OAAO,aAAa,KACpB,QAAO,4BAA4B,OAAO,YAAY;;AAG9D,QAAO;;AAEX,MAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,MAAM;AAC9F,MAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,MAAM;;;AC1BpH,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;AAC1B,QAAM,SAAS,QAAQ;AACvB,OAAK,OAAO,KAAK,YAAY;AAC7B,QAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,2BAAb,cAA8C,UAAU;CACpD,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;AACzE,QAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;AACrD,OAAK,QAAQ;AACb,OAAK,SAAS;AACd,OAAK,UAAU;;;AAGvB,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;;AAaX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAMX,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,mDAAmD,SAAS;AAC9E,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,2BAAb,cAA8C,UAAU;CACpD,CAAC,OAAO;CACR,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,wDAAwD,SAAS;AACnF,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,qBAAqB,SAAS;AAChD,QAAM,SAAS,QAAQ;;;AAG/B,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;AAC5D,QAAM,SAAS,QAAQ;;;;;AC3F/B,MAAa,eAAe,QAAQ;AAChC,KAAI,MAAM,OAAO,iBAAiB,YAC9B,QAAO;AACX,KAAI;AACA,SAAO,eAAe;SAEpB;AACF,SAAO;;;AAGf,MAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,MAAa,aAAa,QAAQ,YAAY,IAAI,IAAI,YAAY,IAAI;;;ACdtE,SAAgB,aAAa,OAAO,MAAM;AACtC,KAAI,MACA,OAAM,IAAI,UAAU,GAAG,KAAK,0BAA0B;;AAG9D,SAAgB,gBAAgB,OAAO,OAAO,YAAY;AACtD,KAAI;AACA,SAAO,OAAO,MAAM;SAElB;AACF,QAAM,IAAI,WAAW,kCAAkC,QAAQ;;;;;ACZvE,MAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;AAC5B,KAAI,CAAC,aAAa,MAAM,IAAI,OAAO,UAAU,SAAS,KAAK,MAAM,KAAK,kBAClE,QAAO;AAEX,KAAI,OAAO,eAAe,MAAM,KAAK,KACjC,QAAO;CAEX,IAAI,QAAQ;AACZ,QAAO,OAAO,eAAe,MAAM,KAAK,KACpC,SAAQ,OAAO,eAAe,MAAM;AAExC,QAAO,OAAO,eAAe,MAAM,KAAK;;AAE5C,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,QAAQ;AACvC,KAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,EAC3C,QAAO;CAEX,IAAI;AACJ,MAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,OAAO;AACtC,MAAI,CAAC,OAAO,IAAI,SAAS,GAAG;AACxB,SAAM,IAAI,IAAI,WAAW;AACzB;;AAEJ,OAAK,MAAM,aAAa,YAAY;AAChC,OAAI,IAAI,IAAI,UAAU,CAClB,QAAO;AAEX,OAAI,IAAI,UAAU;;;AAG1B,QAAO;;AAEX,MAAa,SAAS,QAAQ,SAAS,IAAI,IAAI,OAAO,IAAI,QAAQ;AAClE,MAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,KAAA,KAAa,IAAI,SAAS,KAAA;AAC7F,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;ACpC1E,SAAgB,eAAe,KAAK,KAAK;AACrC,KAAI,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,EAAE;EAC9C,MAAM,EAAE,kBAAkB,IAAI;AAC9B,MAAI,OAAO,kBAAkB,YAAY,gBAAgB,KACrD,OAAM,IAAI,UAAU,GAAG,IAAI,uDAAuD;;;AAI9F,SAAS,gBAAgB,KAAK,WAAW;CACrC,MAAM,OAAO,OAAO,IAAI,MAAM,GAAG;AACjC,SAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAQ;EACjC,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;GAAG;EAClF,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAqB;EAC9C,KAAK;EACL,KAAK;EACL,KAAK,QACD,QAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;GAAY;EACpE,KAAK;EACL,KAAK,QACD,QAAO,EAAE,MAAM,WAAW;EAC9B,KAAK;EACL,KAAK;EACL,KAAK,YACD,QAAO,EAAE,MAAM,KAAK;EACxB,QACI,OAAM,IAAI,iBAAiB,OAAO,IAAI,6DAA6D;;;AAG/G,eAAe,UAAU,KAAK,KAAK,OAAO;AACtC,KAAI,eAAe,YAAY;AAC3B,MAAI,CAAC,IAAI,WAAW,KAAK,CACrB,OAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,eAAe,CAAC;AAEvF,SAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI,MAAM;GAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;;AAE9G,mBAAkB,KAAK,KAAK,MAAM;AAClC,QAAO;;AAEX,eAAsB,KAAK,KAAK,KAAK,MAAM;CACvC,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,OAAO;AACnD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,UAAU,EAAE,WAAW,KAAK;AACtG,QAAO,IAAI,WAAW,UAAU;;AAEpC,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,SAAS;AACrD,gBAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,gBAAgB,KAAK,UAAU,UAAU;AAC3D,KAAI;AACA,SAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,KAAK;SAEtE;AACF,SAAO;;;;;AChEf,MAAM,iBAAiB;AACvB,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;AACJ,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,OAAO,CAAC,OAAO,GAAG,CAAC,SAAS;AAC5C;IACJ,QACI,OAAM,IAAI,iBAAiB,eAAe;;AAElD;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AACjE,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;AAC3E,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;MACnD;AACD,iBAAY,IAAI,IAAI,CAAC,WAAW,YAAY,GAAG,CAAC,WAAW,UAAU;AACrE;IACJ,QACI,OAAM,IAAI,iBAAiB,eAAe;;AAElD;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MACR,MAAM;MACN,YAAY;OAAE,OAAO;OAAS,OAAO;OAAS,OAAO;OAAS,CAAC,IAAI;MACtE;AACD,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;MAAK;AACjD,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,eAAe;;AAElD;EAEJ,KAAK;AACD,WAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,WAAW;AAC/B,iBAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;AACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;AACD,iBAAY,EAAE,MAAM,IAAI,KAAK;AAC7B,iBAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;AACvC;IACJ,QACI,OAAM,IAAI,iBAAiB,eAAe;;AAElD;EAEJ,QACI,OAAM,IAAI,iBAAiB,gEAA8D;;AAEjG,QAAO;EAAE;EAAW;EAAW;;AAEnC,eAAsB,SAAS,KAAK;AAChC,KAAI,CAAC,IAAI,IACL,OAAM,IAAI,UAAU,+DAA2D;CAEnF,MAAM,EAAE,WAAW,cAAc,cAAc,IAAI;CACnD,MAAM,UAAU,EAAE,GAAG,KAAK;AAC1B,KAAI,QAAQ,QAAQ,MAChB,QAAO,QAAQ;AAEnB,QAAO,QAAQ;AACf,QAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,UAAU;;;;ACrGtI,MAAM,iBAAiB;AACvB,IAAI;AACJ,MAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;AACvD,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,IAAI;AAC3B,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;EAAK,CAAC;AACjD,KAAI,OACA,QAAO,OAAO,IAAI;AACtB,KAAI,CAAC,OACD,OAAM,IAAI,KAAK,GAAG,MAAM,WAAW,CAAC;KAGpC,QAAO,OAAO;AAElB,QAAO;;AAEX,MAAM,mBAAmB,WAAW,QAAQ;AACxC,2BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,UAAU;AACjC,KAAI,SAAS,KACT,QAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;AACJ,KAAI,UAAU,sBAAsB,UAAU;AAC1C,UAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,iBACD;GACJ,QACI,OAAM,IAAI,UAAU,eAAe;;AAE3C,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAE/G,KAAI,UAAU,sBAAsB,WAAW;AAC3C,MAAI,QAAQ,WAAW,QAAQ,UAC3B,OAAM,IAAI,UAAU,eAAe;AAEvC,cAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAEN,SAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;AACD,OAAI,QAAQ,UAAU,kBAAkB,aAAa,CACjD,OAAM,IAAI,UAAU,eAAe;AAEvC,eAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;AAGV,KAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;AACJ,UAAQ,KAAR;GACI,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;AACD,WAAO;AACP;GACJ,QACI,OAAM,IAAI,UAAU,eAAe;;AAE3C,MAAI,IAAI,WAAW,WAAW,CAC1B,QAAO,UAAU,YAAY;GACzB,MAAM;GACN;GACH,EAAE,aAAa,WAAW,CAAC,UAAU,GAAG,CAAC,UAAU,CAAC;AAEzD,cAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,KAAK,GAAG,YAAY;GACzC;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;;AAEnD,KAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aAAa,IALF,IAAI;GACjB,CAAC,cAAc,QAAQ;GACvB,CAAC,aAAa,QAAQ;GACtB,CAAC,aAAa,QAAQ;GACzB,CACsB,CAAC,IAAI,UAAU,sBAAsB,WAAW;AACvE,MAAI,CAAC,WACD,OAAM,IAAI,UAAU,eAAe;EAEvC,MAAM,gBAAgB;GAAE,OAAO;GAAS,OAAO;GAAS,OAAO;GAAS;AACxE,MAAI,cAAc,QAAQ,eAAe,cAAc,KACnD,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;AAEnD,MAAI,IAAI,WAAW,UAAU,CACzB,aAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;AAGvD,KAAI,CAAC,UACD,OAAM,IAAI,UAAU,eAAe;AAEvC,KAAI,CAAC,OACD,OAAM,IAAI,WAAW,GAAG,MAAM,WAAW,CAAC;KAG1C,QAAO,OAAO;AAElB,QAAO;;AAEX,eAAsB,aAAa,KAAK,KAAK;AACzC,KAAI,eAAe,WACf,QAAO;AAEX,KAAI,YAAY,IAAI,CAChB,QAAO;AAEX,KAAI,YAAY,IAAI,EAAE;AAClB,MAAI,IAAI,SAAS,SACb,QAAO,IAAI,QAAQ;AAEvB,MAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,WACnD,KAAI;AACA,UAAO,gBAAgB,KAAK,IAAI;WAE7B,KAAK;AACR,OAAI,eAAe,UACf,OAAM;;AAKlB,SAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,OAAO,CACb,EAAE,IAAI;;AAEnC,KAAI,MAAM,IAAI,EAAE;AACZ,MAAI,IAAI,EACJ,QAAO,OAAO,IAAI,EAAE;AAExB,SAAO,UAAU,KAAK,KAAK,KAAK,KAAK;;AAEzC,OAAM,IAAI,MAAM,cAAc;;;;AC7IlC,eAAsB,UAAU,KAAK,KAAK,SAAS;AAC/C,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,UAAU,wBAAwB;CAEhD,IAAI;AACJ,SAAQ,IAAI;AACZ,SAAQ,SAAS,eAAe,IAAI;AACpC,SAAQ,IAAI,KAAZ;EACI,KAAK;AACD,OAAI,OAAO,IAAI,MAAM,YAAY,CAAC,IAAI,EAClC,OAAM,IAAI,UAAU,4CAA0C;AAElE,UAAOC,OAAgB,IAAI,EAAE;EACjC,KAAK;AACD,OAAI,SAAS,OAAO,IAAI,QAAQ,KAAA,EAC5B,OAAM,IAAI,iBAAiB,uEAAqE;AAEpG,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK;IAAK,CAAC;EACzC,KAAK;AACD,OAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,IACpC,OAAM,IAAI,UAAU,8CAA4C;AAEpE,OAAI,QAAQ,KAAA,KAAa,QAAQ,IAAI,IACjC,OAAM,IAAI,UAAU,wCAAwC;AAEhE,UAAO,SAAS;IAAE,GAAG;IAAK;IAAK,CAAC;EAEpC,KAAK;EACL,KAAK,MACD,QAAO,SAAS;GAAE,GAAG;GAAK;GAAK;GAAK,CAAC;EACzC,QACI,OAAM,IAAI,iBAAiB,iDAA+C;;;;;ACrDtF,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;AAChG,KAAI,WAAW,SAAS,KAAA,KAAa,iBAAiB,SAAS,KAAA,EAC3D,OAAM,IAAI,IAAI,mEAAiE;AAEnF,KAAI,CAAC,mBAAmB,gBAAgB,SAAS,KAAA,EAC7C,wBAAO,IAAI,KAAK;AAEpB,KAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,IACpC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,EAAE,CACrF,OAAM,IAAI,IAAI,0FAAwF;CAE1G,IAAI;AACJ,KAAI,qBAAqB,KAAA,EACrB,cAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,iBAAiB,EAAE,GAAG,kBAAkB,SAAS,CAAC,CAAC;KAG3F,cAAa;AAEjB,MAAK,MAAM,aAAa,gBAAgB,MAAM;AAC1C,MAAI,CAAC,WAAW,IAAI,UAAU,CAC1B,OAAM,IAAI,iBAAiB,+BAA+B,UAAU,qBAAqB;AAE7F,MAAI,WAAW,eAAe,KAAA,EAC1B,OAAM,IAAI,IAAI,+BAA+B,UAAU,cAAc;AAEzE,MAAI,WAAW,IAAI,UAAU,IAAI,gBAAgB,eAAe,KAAA,EAC5D,OAAM,IAAI,IAAI,+BAA+B,UAAU,+BAA+B;;AAG9F,QAAO,IAAI,IAAI,gBAAgB,KAAK;;;;AC/BxC,SAAgB,mBAAmB,QAAQ,YAAY;AACnD,KAAI,eAAe,KAAA,MACd,CAAC,MAAM,QAAQ,WAAW,IAAI,WAAW,MAAM,MAAM,OAAO,MAAM,SAAS,EAC5E,OAAM,IAAI,UAAU,IAAI,OAAO,sCAAsC;AAEzE,KAAI,CAAC,WACD;AAEJ,QAAO,IAAI,IAAI,WAAW;;;;ACL9B,MAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,MAAM,gBAAgB,KAAK,KAAK,UAAU;AACtC,KAAI,IAAI,QAAQ,KAAA,GAAW;EACvB,IAAI;AACJ,UAAQ,OAAR;GACI,KAAK;GACL,KAAK;AACD,eAAW;AACX;GACJ,KAAK;GACL,KAAK;AACD,eAAW;AACX;;AAER,MAAI,IAAI,QAAQ,SACZ,OAAM,IAAI,UAAU,sDAAsD,SAAS,gBAAgB;;AAG3G,KAAI,IAAI,QAAQ,KAAA,KAAa,IAAI,QAAQ,IACrC,OAAM,IAAI,UAAU,sDAAsD,IAAI,gBAAgB;AAElG,KAAI,MAAM,QAAQ,IAAI,QAAQ,EAAE;EAC5B,IAAI;AACJ,UAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,SAAS;AACvB,oBAAgB;AAChB;GACJ,KAAK,IAAI,WAAW,QAAQ;AACxB,oBAAgB;AAChB;GACJ,KAAK,0BAA0B,KAAK,IAAI;AACpC,QAAI,CAAC,IAAI,SAAS,MAAM,IAAI,IAAI,SAAS,KAAK,CAC1C,iBAAgB,UAAU,YAAY,YAAY;QAGlD,iBAAgB;AAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,MAAM;AAC7C,oBAAgB;AAChB;GACJ,KAAK,UAAU;AACX,oBAAgB,IAAI,WAAW,MAAM,GAAG,cAAc;AACtD;;AAER,MAAI,iBAAiB,IAAI,SAAS,WAAW,cAAc,KAAK,MAC5D,OAAM,IAAI,UAAU,+DAA+D,cAAc,gBAAgB;;AAGzH,QAAO;;AAEX,MAAM,sBAAsB,KAAK,KAAK,UAAU;AAC5C,KAAI,eAAe,WACf;AACJ,KAAIC,MAAU,IAAI,EAAE;AAChB,MAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,QAAM,IAAI,UAAU,0HAA0H;;AAElJ,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,aAAa,CAAC;AAE1G,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,8DAA8D;;AAGtG,MAAM,uBAAuB,KAAK,KAAK,UAAU;AAC7C,KAAIF,MAAU,IAAI,CACd,SAAQ,OAAR;EACI,KAAK;EACL,KAAK;AACD,OAAIG,aAAiB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACtD;AACJ,SAAM,IAAI,UAAU,wDAAwD;EAChF,KAAK;EACL,KAAK;AACD,OAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,CACrD;AACJ,SAAM,IAAI,UAAU,uDAAuD;;AAGvF,KAAI,CAAC,UAAU,IAAI,CACf,OAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,eAAe,CAAC;AAE5F,KAAI,IAAI,SAAS,SACb,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,mEAAmE;AAEvG,KAAI,IAAI,SAAS,SACb,SAAQ,OAAR;EACI,KAAK,OACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,uEAAuE;EAC3G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,0EAA0E;;AAGtH,KAAI,IAAI,SAAS,UACb,SAAQ,OAAR;EACI,KAAK,SACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,wEAAwE;EAC5G,KAAK,UACD,OAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,yEAAyE;;;AAIzH,SAAgB,aAAa,KAAK,KAAK,OAAO;AAC1C,SAAQ,IAAI,UAAU,GAAG,EAAE,EAA3B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,sBAAmB,KAAK,KAAK,MAAM;AACnC;EACJ,QACI,qBAAoB,KAAK,KAAK,MAAM;;;;;AC5GhD,eAAsB,gBAAgB,KAAK,KAAK,SAAS;AACrD,KAAI,CAAC,SAAS,IAAI,CACd,OAAM,IAAI,WAAW,kCAAkC;AAE3D,KAAI,IAAI,cAAc,KAAA,KAAa,IAAI,WAAW,KAAA,EAC9C,OAAM,IAAI,WAAW,4EAAwE;AAEjG,KAAI,IAAI,cAAc,KAAA,KAAa,OAAO,IAAI,cAAc,SACxD,OAAM,IAAI,WAAW,sCAAsC;AAE/D,KAAI,IAAI,YAAY,KAAA,EAChB,OAAM,IAAI,WAAW,sBAAsB;AAE/C,KAAI,OAAO,IAAI,cAAc,SACzB,OAAM,IAAI,WAAW,0CAA0C;AAEnE,KAAI,IAAI,WAAW,KAAA,KAAa,CAAC,SAAS,IAAI,OAAO,CACjD,OAAM,IAAI,WAAW,wCAAwC;CAEjE,IAAI,aAAa,EAAE;AACnB,KAAI,IAAI,UACJ,KAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,UAAU;AAC3C,eAAa,KAAK,MAAM,QAAQ,OAAO,gBAAgB,CAAC;SAEtD;AACF,QAAM,IAAI,WAAW,kCAAkC;;AAG/D,KAAI,CAAC,WAAW,YAAY,IAAI,OAAO,CACnC,OAAM,IAAI,WAAW,4EAA4E;CAErG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;EACV;CACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,YAAY,WAAW;CAC5G,IAAI,MAAM;AACV,KAAI,WAAW,IAAI,MAAM,EAAE;AACvB,QAAM,WAAW;AACjB,MAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;CAGvG,MAAM,EAAE,QAAQ;AAChB,KAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;CAErF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,WAAW;AAClF,KAAI,cAAc,CAAC,WAAW,IAAI,IAAI,CAClC,OAAM,IAAI,kBAAkB,yDAAuD;AAEvF,KAAI;MACI,OAAO,IAAI,YAAY,SACvB,OAAM,IAAI,WAAW,+BAA+B;YAGnD,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,YACjE,OAAM,IAAI,WAAW,yDAAyD;CAElF,IAAI,cAAc;AAClB,KAAI,OAAO,QAAQ,YAAY;AAC3B,QAAM,MAAM,IAAI,YAAY,IAAI;AAChC,gBAAc;;AAElB,cAAa,KAAK,KAAK,SAAS;CAChC,MAAM,OAAO,OAAO,IAAI,cAAc,KAAA,IAAYC,SAAO,IAAI,UAAU,GAAG,IAAI,YAAY,EAAEA,SAAO,IAAI,EAAE,OAAO,IAAI,YAAY,WAC1H,MACIA,SAAO,IAAI,QAAQ,GACnB,QAAQ,OAAO,IAAI,QAAQ,GAC/B,IAAI,QAAQ;CAClB,MAAM,YAAY,gBAAgB,IAAI,WAAW,aAAa,WAAW;CACzE,MAAM,IAAI,MAAM,aAAa,KAAK,IAAI;AAEtC,KAAI,CAAC,MADkB,OAAO,KAAK,GAAG,WAAW,KAAK,CAElD,OAAM,IAAI,gCAAgC;CAE9C,IAAI;AACJ,KAAI,IACA,WAAU,gBAAgB,IAAI,SAAS,WAAW,WAAW;UAExD,OAAO,IAAI,YAAY,SAC5B,WAAU,QAAQ,OAAO,IAAI,QAAQ;KAGrC,WAAU,IAAI;CAElB,MAAM,SAAS,EAAE,SAAS;AAC1B,KAAI,IAAI,cAAc,KAAA,EAClB,QAAO,kBAAkB;AAE7B,KAAI,IAAI,WAAW,KAAA,EACf,QAAO,oBAAoB,IAAI;AAEnC,KAAI,YACA,QAAO;EAAE,GAAG;EAAQ,KAAK;EAAG;AAEhC,QAAO;;;;ACzGX,eAAsB,cAAc,KAAK,KAAK,SAAS;AACnD,KAAI,eAAe,WACf,OAAM,QAAQ,OAAO,IAAI;AAE7B,KAAI,OAAO,QAAQ,SACf,OAAM,IAAI,WAAW,6CAA6C;CAEtE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,IAAI;AAC/E,KAAI,WAAW,EACX,OAAM,IAAI,WAAW,sBAAsB;CAE/C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;EAAW,EAAE,KAAK,QAAQ;CACxG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;EAAiB;AACvF,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;AChBX,MAAM,SAAS,SAAS,KAAK,MAAM,KAAK,SAAS,GAAG,IAAK;AACzD,MAAM,SAAS;AACf,MAAM,OAAO,SAAS;AACtB,MAAM,MAAM,OAAO;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,QAAQ;AACd,SAAgB,KAAK,KAAK;CACtB,MAAM,UAAU,MAAM,KAAK,IAAI;AAC/B,KAAI,CAAC,WAAY,QAAQ,MAAM,QAAQ,GACnC,OAAM,IAAI,UAAU,6BAA6B;CAErD,MAAM,QAAQ,WAAW,QAAQ,GAAG;CACpC,MAAM,OAAO,QAAQ,GAAG,aAAa;CACrC,IAAI;AACJ,SAAQ,MAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,MAAM;AAC/B;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,OAAO;AACxC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,IAAI;AACrC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;AACD,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;EACJ;AACI,iBAAc,KAAK,MAAM,QAAQ,KAAK;AACtC;;AAER,KAAI,QAAQ,OAAO,OAAO,QAAQ,OAAO,MACrC,QAAO,CAAC;AAEZ,QAAO;;AAEX,SAAS,cAAc,OAAO,OAAO;AACjC,KAAI,CAAC,OAAO,SAAS,MAAM,CACvB,OAAM,IAAI,UAAU,WAAW,MAAM,QAAQ;AAEjD,QAAO;;AAEX,MAAM,gBAAgB,UAAU;AAC5B,KAAI,MAAM,SAAS,IAAI,CACnB,QAAO,MAAM,aAAa;AAE9B,QAAO,eAAe,MAAM,aAAa;;AAE7C,MAAM,yBAAyB,YAAY,cAAc;AACrD,KAAI,OAAO,eAAe,SACtB,QAAO,UAAU,SAAS,WAAW;AAEzC,KAAI,MAAM,QAAQ,WAAW,CACzB,QAAO,UAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAI,WAAW,CAAC,CAAC;AAEtE,QAAO;;AAEX,SAAgB,kBAAkB,iBAAiB,gBAAgB,UAAU,EAAE,EAAE;CAC7E,IAAI;AACJ,KAAI;AACA,YAAU,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;SAElD;AAEN,KAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,WAAW,iDAAiD;CAE1E,MAAM,EAAE,QAAQ;AAChB,KAAI,QACC,OAAO,gBAAgB,QAAQ,YAC5B,aAAa,gBAAgB,IAAI,KAAK,aAAa,IAAI,EAC3D,OAAM,IAAI,yBAAyB,uCAAqC,SAAS,OAAO,eAAe;CAE3G,MAAM,EAAE,iBAAiB,EAAE,EAAE,QAAQ,SAAS,UAAU,gBAAgB;CACxE,MAAM,gBAAgB,CAAC,GAAG,eAAe;AACzC,KAAI,gBAAgB,KAAA,EAChB,eAAc,KAAK,MAAM;AAC7B,KAAI,aAAa,KAAA,EACb,eAAc,KAAK,MAAM;AAC7B,KAAI,YAAY,KAAA,EACZ,eAAc,KAAK,MAAM;AAC7B,KAAI,WAAW,KAAA,EACX,eAAc,KAAK,MAAM;AAC7B,MAAK,MAAM,SAAS,IAAI,IAAI,cAAc,SAAS,CAAC,CAChD,KAAI,EAAE,SAAS,SACX,OAAM,IAAI,yBAAyB,qBAAqB,MAAM,UAAU,SAAS,OAAO,UAAU;AAG1G,KAAI,UACA,EAAE,MAAM,QAAQ,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,SAAS,QAAQ,IAAI,CAClE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,WAAW,QAAQ,QAAQ,QAC3B,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;AAEtG,KAAI,YACA,CAAC,sBAAsB,QAAQ,KAAK,OAAO,aAAa,WAAW,CAAC,SAAS,GAAG,SAAS,CACzF,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI;AACJ,SAAQ,OAAO,QAAQ,gBAAvB;EACI,KAAK;AACD,eAAY,KAAK,QAAQ,eAAe;AACxC;EACJ,KAAK;AACD,eAAY,QAAQ;AACpB;EACJ,KAAK;AACD,eAAY;AACZ;EACJ,QACI,OAAM,IAAI,UAAU,qCAAqC;;CAEjE,MAAM,EAAE,gBAAgB;CACxB,MAAM,MAAM,MAAM,+BAAe,IAAI,MAAM,CAAC;AAC5C,MAAK,QAAQ,QAAQ,KAAA,KAAa,gBAAgB,OAAO,QAAQ,QAAQ,SACrE,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,KAAI,QAAQ,QAAQ,KAAA,GAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,MAAM,MAAM,UACpB,OAAM,IAAI,yBAAyB,wCAAsC,SAAS,OAAO,eAAe;;AAGhH,KAAI,QAAQ,QAAQ,KAAA,GAAW;AAC3B,MAAI,OAAO,QAAQ,QAAQ,SACvB,OAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;AAEjG,MAAI,QAAQ,OAAO,MAAM,UACrB,OAAM,IAAI,WAAW,wCAAsC,SAAS,OAAO,eAAe;;AAGlG,KAAI,aAAa;EACb,MAAM,MAAM,MAAM,QAAQ;EAC1B,MAAM,MAAM,OAAO,gBAAgB,WAAW,cAAc,KAAK,YAAY;AAC7E,MAAI,MAAM,YAAY,IAClB,OAAM,IAAI,WAAW,8DAA4D,SAAS,OAAO,eAAe;AAEpH,MAAI,MAAM,IAAI,UACV,OAAM,IAAI,yBAAyB,mEAAiE,SAAS,OAAO,eAAe;;AAG3I,QAAO;;AAEX,IAAa,mBAAb,MAA8B;CAC1B;CACA,YAAY,SAAS;AACjB,MAAI,CAAC,SAAS,QAAQ,CAClB,OAAM,IAAI,UAAU,mCAAmC;AAE3D,QAAA,UAAgB,gBAAgB,QAAQ;;CAE5C,OAAO;AACH,SAAO,QAAQ,OAAO,KAAK,UAAU,MAAA,QAAc,CAAC;;CAExD,IAAI,MAAM;AACN,SAAO,MAAA,QAAc;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAA,QAAc,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAA,QAAc;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAA,QAAc,MAAM;;CAExB,IAAI,MAAM;AACN,SAAO,MAAA,QAAc;;CAEzB,IAAI,IAAI,OAAO;AACX,QAAA,QAAc,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,QAAA,QAAc,MAAM;;CAExB,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAA,QAAc,MAAM,cAAc,gBAAgB,MAAM;WAEnD,iBAAiB,KACtB,OAAA,QAAc,MAAM,cAAc,gBAAgB,MAAM,MAAM,CAAC;MAG/D,OAAA,QAAc,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,OAAO,UAAU,SACjB,OAAA,QAAc,MAAM,cAAc,qBAAqB,MAAM;WAExD,iBAAiB,KACtB,OAAA,QAAc,MAAM,cAAc,qBAAqB,MAAM,MAAM,CAAC;MAGpE,OAAA,QAAc,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;AACX,MAAI,UAAU,KAAA,EACV,OAAA,QAAc,MAAM,sBAAM,IAAI,MAAM,CAAC;WAEhC,iBAAiB,KACtB,OAAA,QAAc,MAAM,cAAc,eAAe,MAAM,MAAM,CAAC;WAEzD,OAAO,UAAU,SACtB,OAAA,QAAc,MAAM,cAAc,eAAe,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC;MAGjF,OAAA,QAAc,MAAM,cAAc,eAAe,MAAM;;;;;ACvOnE,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,MAAM,WAAW,MAAM,cAAc,KAAK,KAAK,QAAQ;AACvD,KAAI,SAAS,gBAAgB,MAAM,SAAS,MAAM,IAAI,SAAS,gBAAgB,QAAQ,MACnF,OAAM,IAAI,WAAW,sCAAsC;CAG/D,MAAM,SAAS;EAAE,SADD,kBAAkB,SAAS,iBAAiB,SAAS,SAAS,QACtD;EAAE,iBAAiB,SAAS;EAAiB;AACrE,KAAI,OAAO,QAAQ,WACf,QAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;AAE3C,QAAO;;;;ACJX,IAAa,gBAAb,MAA2B;CACvB;CACA;CACA;CACA,YAAY,SAAS;AACjB,MAAI,EAAE,mBAAmB,YACrB,OAAM,IAAI,UAAU,4CAA4C;AAEpE,QAAA,UAAgB;;CAEpB,mBAAmB,iBAAiB;AAChC,eAAa,MAAA,iBAAuB,qBAAqB;AACzD,QAAA,kBAAwB;AACxB,SAAO;;CAEX,qBAAqB,mBAAmB;AACpC,eAAa,MAAA,mBAAyB,uBAAuB;AAC7D,QAAA,oBAA0B;AAC1B,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;AACrB,MAAI,CAAC,MAAA,mBAAyB,CAAC,MAAA,kBAC3B,OAAM,IAAI,WAAW,kFAAkF;AAE3G,MAAI,CAAC,WAAW,MAAA,iBAAuB,MAAA,kBAAwB,CAC3D,OAAM,IAAI,WAAW,4EAA4E;EAErG,MAAM,aAAa;GACf,GAAG,MAAA;GACH,GAAG,MAAA;GACN;EACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,MAAA,iBAAuB,WAAW;EACvH,IAAI,MAAM;AACV,MAAI,WAAW,IAAI,MAAM,EAAE;AACvB,SAAM,MAAA,gBAAsB;AAC5B,OAAI,OAAO,QAAQ,UACf,OAAM,IAAI,WAAW,4EAA0E;;EAGvG,MAAM,EAAE,QAAQ;AAChB,MAAI,OAAO,QAAQ,YAAY,CAAC,IAC5B,OAAM,IAAI,WAAW,8DAA4D;AAErF,eAAa,KAAK,KAAK,OAAO;EAC9B,IAAI;EACJ,IAAI;AACJ,MAAI,KAAK;AACL,cAAWK,OAAK,MAAA,QAAc;AAC9B,cAAWC,SAAO,SAAS;SAE1B;AACD,cAAW,MAAA;AACX,cAAW;;EAEf,IAAI;EACJ,IAAI;AACJ,MAAI,MAAA,iBAAuB;AACvB,2BAAwBD,OAAK,KAAK,UAAU,MAAA,gBAAsB,CAAC;AACnE,0BAAuBC,SAAO,sBAAsB;SAEnD;AACD,2BAAwB;AACxB,0BAAuB,IAAI,YAAY;;EAE3C,MAAM,OAAO,OAAO,sBAAsBA,SAAO,IAAI,EAAE,SAAS;EAGhE,MAAM,MAAM;GACR,WAAWD,OAAK,MAFI,KAAK,KAAK,MADlB,aAAa,KAAK,IAAI,EACD,KAAK,CAEZ;GAC1B,SAAS;GACZ;AACD,MAAI,MAAA,kBACA,KAAI,SAAS,MAAA;AAEjB,MAAI,MAAA,gBACA,KAAI,YAAY;AAEpB,SAAO;;;;;ACrFf,IAAa,cAAb,MAAyB;CACrB;CACA,YAAY,SAAS;AACjB,QAAA,YAAkB,IAAI,cAAc,QAAQ;;CAEhD,mBAAmB,iBAAiB;AAChC,QAAA,UAAgB,mBAAmB,gBAAgB;AACnD,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,MAAM,MAAA,UAAgB,KAAK,KAAK,QAAQ;AACpD,MAAI,IAAI,YAAY,KAAA,EAChB,OAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAO,GAAG,IAAI,UAAU,GAAG,IAAI,QAAQ,GAAG,IAAI;;;;;ACZtD,IAAa,UAAb,MAAqB;CACjB;CACA;CACA,YAAY,UAAU,EAAE,EAAE;AACtB,QAAA,MAAY,IAAI,iBAAiB,QAAQ;;CAE7C,UAAU,QAAQ;AACd,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,WAAW,SAAS;AAChB,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,YAAY,UAAU;AAClB,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,OAAO,OAAO;AACV,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,aAAa,OAAO;AAChB,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,kBAAkB,OAAO;AACrB,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,YAAY,OAAO;AACf,QAAA,IAAU,MAAM;AAChB,SAAO;;CAEX,mBAAmB,iBAAiB;AAChC,QAAA,kBAAwB;AACxB,SAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,IAAI,YAAY,MAAA,IAAU,MAAM,CAAC;AAC7C,MAAI,mBAAmB,MAAA,gBAAsB;AAC7C,MAAI,MAAM,QAAQ,MAAA,iBAAuB,KAAK,IAC1C,MAAA,gBAAsB,KAAK,SAAS,MAAM,IAC1C,MAAA,gBAAsB,QAAQ,MAC9B,OAAM,IAAI,WAAW,sCAAsC;AAE/D,SAAO,IAAI,KAAK,KAAK,QAAQ;;;;;AC9CrC,SAAS,cAAc,KAAK;AACxB,SAAQ,OAAO,QAAQ,YAAY,IAAI,MAAM,GAAG,EAAE,EAAlD;EACI,KAAK;EACL,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,KAAK,KACD,QAAO;EACX,QACI,OAAM,IAAI,iBAAiB,mDAAiD;;;AAGxF,SAAS,WAAW,MAAM;AACtB,QAAQ,QACJ,OAAO,SAAS,YAChB,MAAM,QAAQ,KAAK,KAAK,IACxB,KAAK,KAAK,MAAM,UAAU;;AAElC,SAAS,UAAU,KAAK;AACpB,QAAO,SAAS,IAAI;;AAExB,IAAM,cAAN,MAAkB;CACd;CACA,0BAAU,IAAI,SAAS;CACvB,YAAY,MAAM;AACd,MAAI,CAAC,WAAW,KAAK,CACjB,OAAM,IAAI,YAAY,6BAA6B;AAEvD,QAAA,OAAa,gBAAgB,KAAK;;CAEtC,OAAO;AACH,SAAO,MAAA;;CAEX,MAAM,OAAO,iBAAiB,OAAO;EACjC,MAAM,EAAE,KAAK,QAAQ;GAAE,GAAG;GAAiB,GAAG,OAAO;GAAQ;EAC7D,MAAM,MAAM,cAAc,IAAI;EAC9B,MAAM,aAAa,MAAA,KAAW,KAAK,QAAQ,QAAQ;GAC/C,IAAI,YAAY,QAAQ,IAAI;AAC5B,OAAI,aAAa,OAAO,QAAQ,SAC5B,aAAY,QAAQ,IAAI;AAE5B,OAAI,cAAc,OAAO,IAAI,QAAQ,YAAY,QAAQ,OACrD,aAAY,QAAQ,IAAI;AAE5B,OAAI,aAAa,OAAO,IAAI,QAAQ,SAChC,aAAY,IAAI,QAAQ;AAE5B,OAAI,aAAa,MAAM,QAAQ,IAAI,QAAQ,CACvC,aAAY,IAAI,QAAQ,SAAS,SAAS;AAE9C,OAAI,UACA,SAAQ,KAAR;IACI,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;IACJ,KAAK;IACL,KAAK;AACD,iBAAY,IAAI,QAAQ;AACxB;;AAGZ,UAAO;IACT;EACF,MAAM,EAAE,GAAG,KAAK,WAAW;AAC3B,MAAI,WAAW,EACX,OAAM,IAAI,mBAAmB;AAEjC,MAAI,WAAW,GAAG;GACd,MAAM,QAAQ,IAAI,0BAA0B;GAC5C,MAAM,UAAU,MAAA;AAChB,SAAM,OAAO,iBAAiB,mBAAmB;AAC7C,SAAK,MAAM,OAAO,WACd,KAAI;AACA,WAAM,MAAM,mBAAmB,SAAS,KAAK,IAAI;YAE/C;;AAGd,SAAM;;AAEV,SAAO,mBAAmB,MAAA,QAAc,KAAK,IAAI;;;AAGzD,eAAe,mBAAmB,OAAO,KAAK,KAAK;CAC/C,MAAM,SAAS,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,IAAI;AAC5D,KAAI,OAAO,SAAS,KAAA,GAAW;EAC3B,MAAM,MAAM,MAAM,UAAU;GAAE,GAAG;GAAK,KAAK;GAAM,EAAE,IAAI;AACvD,MAAI,eAAe,cAAc,IAAI,SAAS,SAC1C,OAAM,IAAI,YAAY,+CAA+C;AAEzE,SAAO,OAAO;;AAElB,QAAO,OAAO;;AAElB,SAAgB,kBAAkB,MAAM;CACpC,MAAM,MAAM,IAAI,YAAY,KAAK;CACjC,MAAM,cAAc,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACxF,QAAO,iBAAiB,aAAa,EACjC,MAAM;EACF,aAAa,gBAAgB,IAAI,MAAM,CAAC;EACxC,YAAY;EACZ,cAAc;EACd,UAAU;EACb,EACJ,CAAC;AACF,QAAO;;;;AClHX,SAAS,sBAAsB;AAC3B,QAAQ,OAAO,kBAAkB,eAC5B,OAAO,cAAc,eAAe,UAAU,cAAc,wBAC5D,OAAO,gBAAgB,eAAe,gBAAgB;;AAE/D,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,CAGtF,cAAa;AAEjB,MAAa,cAAc,QAAQ;AACnC,eAAe,UAAU,KAAK,SAAS,QAAQ,YAAY,OAAO;CAC9D,MAAM,WAAW,MAAM,UAAU,KAAK;EAClC,QAAQ;EACR;EACA,UAAU;EACV;EACH,CAAC,CAAC,OAAO,QAAQ;AACd,MAAI,IAAI,SAAS,eACb,OAAM,IAAI,aAAa;AAE3B,QAAM;GACR;AACF,KAAI,SAAS,WAAW,IACpB,OAAM,IAAI,UAAU,0DAA0D;AAElF,KAAI;AACA,SAAO,MAAM,SAAS,MAAM;SAE1B;AACF,QAAM,IAAI,UAAU,6DAA6D;;;AAGzF,MAAa,YAAY,QAAQ;AACjC,SAAS,iBAAiB,OAAO,aAAa;AAC1C,KAAI,OAAO,UAAU,YAAY,UAAU,KACvC,QAAO;AAEX,KAAI,EAAE,SAAS,UAAU,OAAO,MAAM,QAAQ,YAAY,KAAK,KAAK,GAAG,MAAM,OAAO,YAChF,QAAO;AAEX,KAAI,EAAE,UAAU,UACZ,CAAC,SAAS,MAAM,KAAK,IACrB,CAAC,MAAM,QAAQ,MAAM,KAAK,KAAK,IAC/B,CAAC,MAAM,UAAU,MAAM,KAAK,MAAM,KAAK,MAAM,SAAS,CACtD,QAAO;AAEX,QAAO;;AAEX,IAAM,eAAN,MAAmB;CACf;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,KAAK,SAAS;AACtB,MAAI,EAAE,eAAe,KACjB,OAAM,IAAI,UAAU,iCAAiC;AAEzD,QAAA,MAAY,IAAI,IAAI,IAAI,KAAK;AAC7B,QAAA,kBACI,OAAO,SAAS,oBAAoB,WAAW,SAAS,kBAAkB;AAC9E,QAAA,mBACI,OAAO,SAAS,qBAAqB,WAAW,SAAS,mBAAmB;AAChF,QAAA,cAAoB,OAAO,SAAS,gBAAgB,WAAW,SAAS,cAAc;AACtF,QAAA,UAAgB,IAAI,QAAQ,SAAS,QAAQ;AAC7C,MAAI,cAAc,CAAC,MAAA,QAAc,IAAI,aAAa,CAC9C,OAAA,QAAc,IAAI,cAAc,WAAW;AAE/C,MAAI,CAAC,MAAA,QAAc,IAAI,SAAS,EAAE;AAC9B,SAAA,QAAc,IAAI,UAAU,mBAAmB;AAC/C,SAAA,QAAc,OAAO,UAAU,2BAA2B;;AAE9D,QAAA,cAAoB,UAAU;AAC9B,MAAI,UAAU,eAAe,KAAA,GAAW;AACpC,SAAA,QAAc,UAAU;AACxB,OAAI,iBAAiB,UAAU,YAAY,MAAA,YAAkB,EAAE;AAC3D,UAAA,gBAAsB,MAAA,MAAY;AAClC,UAAA,QAAc,kBAAkB,MAAA,MAAY,KAAK;;;;CAI7D,eAAe;AACX,SAAO,CAAC,CAAC,MAAA;;CAEb,cAAc;AACV,SAAO,OAAO,MAAA,kBAAwB,WAChC,KAAK,KAAK,GAAG,MAAA,gBAAsB,MAAA,mBACnC;;CAEV,QAAQ;AACJ,SAAO,OAAO,MAAA,kBAAwB,WAChC,KAAK,KAAK,GAAG,MAAA,gBAAsB,MAAA,cACnC;;CAEV,OAAO;AACH,SAAO,MAAA,OAAa,MAAM;;CAE9B,MAAM,OAAO,iBAAiB,OAAO;AACjC,MAAI,CAAC,MAAA,SAAe,CAAC,KAAK,OAAO,CAC7B,OAAM,KAAK,QAAQ;AAEvB,MAAI;AACA,UAAO,MAAM,MAAA,MAAY,iBAAiB,MAAM;WAE7C,KAAK;AACR,OAAI,eAAe;QACX,KAAK,aAAa,KAAK,OAAO;AAC9B,WAAM,KAAK,QAAQ;AACnB,YAAO,MAAA,MAAY,iBAAiB,MAAM;;;AAGlD,SAAM;;;CAGd,MAAM,SAAS;AACX,MAAI,MAAA,gBAAsB,qBAAqB,CAC3C,OAAA,eAAqB,KAAA;AAEzB,QAAA,iBAAuB,UAAU,MAAA,IAAU,MAAM,MAAA,SAAe,YAAY,QAAQ,MAAA,gBAAsB,EAAE,MAAA,YAAkB,CACzH,MAAM,SAAS;AAChB,SAAA,QAAc,kBAAkB,KAAK;AACrC,OAAI,MAAA,OAAa;AACb,UAAA,MAAY,MAAM,KAAK,KAAK;AAC5B,UAAA,MAAY,OAAO;;AAEvB,SAAA,gBAAsB,KAAK,KAAK;AAChC,SAAA,eAAqB,KAAA;IACvB,CACG,OAAO,QAAQ;AAChB,SAAA,eAAqB,KAAA;AACrB,SAAM;IACR;AACF,QAAM,MAAA;;;AAGd,SAAgB,mBAAmB,KAAK,SAAS;CAC7C,MAAM,MAAM,IAAI,aAAa,KAAK,QAAQ;CAC1C,MAAM,eAAe,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;AACzF,QAAO,iBAAiB,cAAc;EAClC,aAAa;GACT,WAAW,IAAI,aAAa;GAC5B,YAAY;GACZ,cAAc;GACjB;EACD,OAAO;GACH,WAAW,IAAI,OAAO;GACtB,YAAY;GACZ,cAAc;GACjB;EACD,QAAQ;GACJ,aAAa,IAAI,QAAQ;GACzB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACD,WAAW;GACP,WAAW,IAAI,cAAc;GAC7B,YAAY;GACZ,cAAc;GACjB;EACD,MAAM;GACF,aAAa,IAAI,MAAM;GACvB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACJ,CAAC;AACF,QAAO;;;;;;;ACxJX,IAAa,cAAb,MAAyB;CACvB,MAAyB,SAAS;CAClC,WAAiD,EAAE;CACnD,mBAAsC,QAAQ,iBAAiB;CAC/D,UAA6B,IAAI,aAAa;;;;;;;CAQ9C,aAAoB,MAAc,iBAAyC;AACzE,MAAI,OAAO,oBAAoB,UAAU;AACvC,QAAK,IAAI,MAAM,8BAA8B,KAAK,oBAAoB;AACtE,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;aACO,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;AACtD,QAAK,IAAI,MAAM,iCAAiC,KAAK,mBAAmB;AACxE,QAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;AACL,QAAK,IAAI,MAAM,iCAAiC,KAAK,cAAc,EACjE,KAAK,iBACN,CAAC;AACF,QAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;AACzB,OAAK,MAAM,MAAM,KAAK,UAAU;AAC9B,OAAI,WAAW,GAAG,SAAS,QACzB;AAGF,QAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;AAEF,OAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;AAED,SAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;AAEF,WAAO;YACA,OAAO;AACd,SAAK,IAAI,MAAM,iCAAiC,MAAM;AAEtD,QAAI,iBAAiB,WACnB,OAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;AAG5D,QAAI,iBAAiB,yBACnB,OAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;AAKR,OAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;AAED,QAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;AAEtB,MAAI,CAAC,UACH,OAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;AAEpC,UAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;AAEF,SAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,YAAsB,KAAsB;AAC1C,SAAO,CAAC,IAAI,WAAW,UAAU,IAAI,CAAC,IAAI,WAAW,WAAW;;;;;AChKpE,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;AACxB,QAAM,eAAe,KAAK,cAAc;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,SAAyB;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;AACzB,QAAM,UAAU,MAAM,aAAa;;;;;ACyBvC,IAAa,mBAAb,MAA8B;CAC5B,oBAAuC;CACvC,oBAAuC;CACvC,6BACE;CAEF,MAAyB,SAAS;CAClC,MAAyB,QAAQ,YAAY;CAC7C,SAA4B,QAAQ,OAAO;CAC3C,iBAAoC,QAAQ,eAAe;CAE3D,IAAW,YAAoB;AAC7B,SAAO,KAAK,eAAe;;;;;CAM7B,cAA+C,EAAE;;;;CAKjD,SAAqC,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK;EACb,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,QAAkB,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;AACnB,QAAK,MAAM,SAAS,KAAK,QAAQ;AAC/B,QAAI,MAAM,QAAQ;KAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;AAC9D,UAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;AAI3C,QAAI,CAAC,MAAM,aAAa,MAAM,UAAU,WAAW,EACjD,MAAK,iBACH,KAAK,yBAAyB,MAAM,KAAK,EACzC,MAAM,KACP;;;EAIR,CAAC;;;;CAKF,yBAAmC,WAAmC;AACpE,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAQ;IACxB,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,UAAU;AAGzD,WAAO,KAAK,sBAAsB,OAAO,SAAS,UAAU;;GAE/D;;;;;;;;CASH,WAAkB,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;AAC3D,OAAI,CAAC,KACH,OAAM,IAAI,mBAAmB,GAAG;AAElC,UAAO;IACP,GACF,KAAK;AAET,OAAK,MAAM,SAAS,MAAM;AACxB,QAAK,MAAM,EAAE,UAAU,KAAK,YAC1B,KAAI,KAAK,OAAO,WAAW,EAAE;AAE3B,QAAI,SAAS,IAEX;AAOF,QAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KAEzB,CACf;AAIF,QAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;AASrC,SAP2B,KAAK,YAAY,MAAM,OAAO;AACvD,UAAI,CAAC,GAAG,MAAO,QAAO;AACtB,aACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAGpB,CACpB;;AAKJ,UAAM,IAAI,cAAc,eAAe,KAAK,aAAa;cAErD,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,CAC7D,OAAM,IAAI,uBAAuB,KAAK;AAK5C,SAAM,MAAM,KAAK,KAAK;;AAGxB,SAAO;;;;;;;CAQT,iBAAwB,KAAsC;AAC5D,MAAI,KAAK,OAAO,WAAW,CACzB,OAAM,IAAI,sBAAsB;EAGlC,IAAI;AACJ,MAAI,OAAO,QAAQ,UAAU;AAC3B,OAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,CACnC,OAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;AAC5B,OAAI,MAAM,WAAW,EAEnB,cAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;AAErC,QAAI,WAAW,WAAW,EACxB,cAAa;KACX,OAAO,WAAW;KAClB;KACD;QAGD,cAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;QAIL,cAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;AACpD,MAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,CACxC,OAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;AAED,MAAI,SACF,QAAO;AAGT,OAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;AAEnD,OAAK,YAAY,KAAK,WAAW;AAEjC,SAAO;;CAGT,YAAmB,OAAc;AAC/B,MAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,UAEtD,MAAK,OAAO,KAAK;AAGnB,OAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;AACpE,MAAI,CAAC,KAAK,OAAO,WAAW,CAC1B,OAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;AACjE,MAAI,CAAC,cACH,OAAM,IAAI,mBAAmB,MAAM;AAGrC,gBAAc,QAAQ;;;;;;;;;;CAaxB,sBACE,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,eAAe,KAAK,2BAA2B,QAAQ;EAC7D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;AAC7D,MAAI,OAAO,QACT,QAAO,MAAM,QAAQ,QAAQ;AAG/B,SAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;CAOH,WACE,UACA,UAGI,EAAE,EACY;EAClB,MAAM,aAAa,KAAK,SAAS,QAAQ,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAC1E,MAAM,QAAQ,CAAC,GAAI,SAAS,SAAS,EAAE,CAAE;AAGzC,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;EAIzB,IAAI;AAGJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAEH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA,OAAO,QAAQ;GAChB;;;;;;CAOH,iBAAwB,UAA0B,WAA0B;EAC1E,MAAM,QAAQ,KAAK,SAAS,UAAU;AACtC,MAAI,CAAC,MAAM,UACT,OAAM,YAAY,EAAE;AAGtB,QAAM,UAAU,KAAK,SAAS;AAC9B,QAAM,UAAU,MAAM,GAAG,OAAO,EAAE,YAAY,QAAQ,EAAE,YAAY,KAAK;;;;;;CAO3E,SAAgB,WAA2B;EACzC,MAAM,QAAQ,YACV,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU,GAC/C,KAAK,OAAO;AAEhB,MAAI,CAAC,MACH,OAAM,IAAI,mBAAmB,aAAa,UAAU;AAGtD,SAAO;;;;;;;;;;;CAYT,MAAa,6BACX,KACA,UAGI,EAAE,EACiC;EAEvC,MAAM,eAGD,EAAE;AAEP,OAAK,MAAM,SAAS,KAAK,OACvB,MAAK,MAAM,YAAY,MAAM,aAAa,EAAE,CAC1C,cAAa,KAAK;GAAE;GAAU,WAAW,MAAM;GAAM,CAAC;AAK1D,eAAa,MACV,GAAG,OAAO,EAAE,SAAS,YAAY,QAAQ,EAAE,SAAS,YAAY,KAClE;AAGD,OAAK,MAAM,EAAE,UAAU,eAAe,cAAc;GAClD,IAAI;AAEJ,OAAI;AACF,eAAW,MAAM,SAAS,UAAU,IAAW;WACzC;AAEN;;AAGF,OAAI,UAAU;IAGZ,MAAM,OAAO,KAAK,WAAW,UAAU;KACrC,OAAO;KACP,YAAY,QAAQ;KACrB,CAAC;AAEF,UAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;KACrD,OAAO;KACP;KACD,CAAC;AAEF,WAAO;;;;;;;;;;;;CAgBb,gBACE,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,OAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,UAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;AAQ1D,MAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,WAAW,CAAC,GAAG,UAC/C,CAIQ,CACT,QAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW,KAAA;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;AACZ,OAAI,YAAY,IAAK,QAAO;AAC5B,OAAI,YAAY,eAAgB,QAAO;AAGvC,OAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;AAE1C,QAAI,mBAAmB,cAAe,QAAO;AAC7C,WAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;AAGvD,UAAO;;AAGT,OAAK,MAAM,QAAQ,MAEjB,MAAK,MAAM,kBAAkB,KAAK,YAEhC,KAAI,eAAe,YAAY,eAAe,KAAK,EAAE;AAEnD,OAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;AACjB,SAAK,MAAM,kBAAkB,eAAe,QAC1C,KAAI,eAAe,YAAY,eAAe,EAAE;AAC9C,kBAAa;AACb;;AAGJ,QAAI,WACF;;AAIJ,UAAO,eAAe;AAGtB,OAAI,eAAe,UAEjB,QAAO,YAAY,eAAe;QAC7B;AAEL,WAAO,YAAY;AACnB,WAAO;;;AAMf,SAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,eAAe,GAAG,CAAC,MAAM;AAC9D,MAAI,OAAO,UAAU,YAAY,UAAU,GACzC,OAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,OAAK,MAAM,QAAQ,WACjB,KAAI,CAAC,MAAM,SAAS,KAAK,KAAK,CAC5B,OAAM,KAAK,KAAK,KAAK;AAIzB,OAAK,QAAQ;AAEb,QAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;AAEJ,MAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;AAChE,OAAI,CAAC,MAAM,aACT,OAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;AAGH,eAAY,MAAM;;AAGpB,SAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,IAAW,UAAkB,YAA0C;AACrE,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,UACE,UACA,YAC8B;AAC9B,SAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,mBAA0B,YAAyC;AACjE,MAAI,OAAO,eAAe,SACxB,QAAO;AAGT,MAAI,CAAC,WAAW,MACd,QAAO,WAAW;AAQpB,SAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;;;;CAM/C,aAAoB,MAAwB,SAAoB;AAC9D,MAAI,SAAS,WAAW,CAAC,KAAK,SAAS,CAAC,QAAQ,SAAS,KAAK,MAAM,EAClE,OAAM,IAAI,eACR,+BAA+B,QAAQ,KAAK,SAAS,CAAC,wBACvD;;;;;CAOL,mBAA0B,MAAwB;EAChD,MAAM,UAAU,KAAK,OAAO,MAAM,OAAO,uBAAuB,KAAK;AACrE,OAAK,OAAO,MAAM,IAAI,iBAAiB,QAAQ;;CAKjD,YAA4B;AAC1B,SAAO,KAAK;;;;;;;CAQd,SAAgB,OAAwB;AACtC,MAAI,MACF,QAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;AAGxE,SAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,eAAsB,MAGL;AACf,MAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;AAE9B,QAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;AAEN,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,aAAa,aAAa;AAG7D,QAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,CAC/D,QAAO,KAAK,gBAAgB;AAG9B,SAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;AAC1B,SAAI,WAAW,SAAS,IACtB,KAAI,KAAK,GAAG,KAAK,YAAY;cACpB,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;AAEtC,UAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;AAEhD,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,CAAC,GAAG,MAAO,QAAO;AAEtB,eACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GACV,CAAC,KAAK,IAAI;AAElC,WAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;AACjC,YAAI,GAAG,SAAS,KAAM,QAAO;AAC7B,YAAI,CAAC,GAAG,MAAO,QAAO;AACtB,eAAO,GAAG,UAAU;SACpB,CACH;;WAIH,KAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;AAC3B,SAAI,QAEF,OAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;AAC9C,aAAO,CAAC,QAAQ,MAAM,mBAAmB;AACvC,WAAI,mBAAmB,WAAY,QAAO;AAC1C,WAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;AACjD,eAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;AAEnD,cAAO;QACP;OACF;AAEJ,iBAAY,KAAK,GAAG,IAAI;;;AAI5B,UAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;AAG7D,SAAO,KAAK;;;;;;;;CASd,iBAAwB,SAAsC;AAC5D,MAAI,QAAQ,OAAO,KACjB,QAAO,OAAO,QAAQ,IAAI;AAG5B,MAAI,QAAQ,MAAM,KAChB,QAAO,OAAO,QAAQ,GAAG;AAG3B,MAAI,QAAQ,UAAU,KACpB,QAAO,OAAO,QAAQ,OAAO;AAG/B,QAAM,IAAI,cAAc,2BAA2B;;CAGrD,wBACE,SACoB;AACpB,MAAI,CAAC,QACH;AAEF,MAAI,QAAQ,IACV,QAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,oBAA2B,SAAwC;AACjE,SAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,sBACE,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,QACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,WACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,aACV,QAAO,QAAQ;;CAMnB,uBACE,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,mBACV,QAAO,QAAQ;AAGjB,MAAI,QAAQ,SACV,QAAO,QAAQ;;CAMnB,oBAA2B,SAAkD;AAC3E,MAAI,CAAC,QACH;AAGF,MAAI,QAAQ,MACV,QAAO,QAAQ;;;;;;;;CAYnB,mBAA0B,SAAsC;AAC9D,MAAI,CAAC,QACH,QAAO,KAAK;AAGd,MAAI,QAAQ,KACV,QAAO,QAAQ;AAGjB,MACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,SAE/B,QAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;AAG9D,SAAO,KAAK;;CAGd,2BACE,SACoB;AACpB,MAAI,CAAC,QACH;AAGF,MAAI,OAAO,QAAQ,iBAAiB,SAClC,QAAO,QAAQ;;;;;;;;;;;ACx4BrB,MAAa,WAAW,YAAqD;AAC3E,QAAO,gBAAgB,iBAAiB,QAAQ;;AAiGlD,IAAa,kBAAb,cAAqC,UAAkC;CACrE,mBAAsC,QAAQ,iBAAiB;CAC/D,mBAAsC,QAAQ,iBAAiB;CAC/D,MAAyB,QAAQ,YAAY;CAC7C,MAAyB,SAAS;CAElC,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;AAC3C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;AAC5C,SAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,SAAmB;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;AAC9B,OAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;AAC7D,QAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,GAAG,aAAa;AAEnD,WAAO;;AAGT,UAAO;IACP,IAAI,EAAE;AAEV,OAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACA,WAAW,EAAE;GACd,CAAC;AAGF,OAAK,MAAM,YAAY,KAAK,QAAQ,aAAa,EAAE,CACjD,MAAK,iBAAiB,SAAS;AAIjC,OAAK,iBAAiB,KAAK,mBAAmB,CAAC;;;;;CAMjD,oBAA8C;AAC5C,SAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAuB;IACvC,MAAM,OAAO,IAAI,QAAQ;AACzB,QAAI,CAAC,MAAM,WAAW,UAAU,CAC9B,QAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;AAG3B,QAAI,CAAC,MAAM,SAAS,IAAI,CACtB,QAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AAGzD,WAAO,KAAK,iBAAiB,sBAC3B,OAAO,SACP,KAAK,KACN;;GAEJ;;;;;;CAOH,iBAAwB,UAAgC;AACtD,OAAK,iBAAiB,iBAAiB,UAAU,KAAK,KAAK;;;;;CAM7D,WAA0B;AACxB,SAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;AAClD,QAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,cAAqB,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;AAC3D,MAAI,CAAC,KACH,OAAM,IAAI,cAAc,SAAS,KAAK,aAAa;AAErD,SAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;AACzD,SAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;AAExD,MAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;AACtC,OAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,cAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;AAEF,oBAAgB;AAChB,+BAA2B;AAC3B,UAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;AAED,SAAK,IAAI,MAAM,0BAA0B,QAAQ;AAEjD,UAAM,OAAO,YAAY;AACzB,+BAA2B,KAAK,uBAAuB,WAAW;AAClE,oBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;AAIN,OAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;AA+BF,SAAO;GARL,cAAA,MArByB,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,cAAc,KAAK;IACnB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GAGa;;CAGjB,MAAa,aACX,cACA,aAIC;AAID,MAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,MAAM,WAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;AAS5D,UAAO;IAAE;IAAM,QAAA,MANM,KAAK,YAAY,MAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0B;KAC3B,CAAC;IAEqB;;AAMzB,MAAI,CAAC,YACH,OAAM,IAAI,YAAY,6CAA6C;EAQrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;AAE3C,SAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,QAAQ,QAAQ;;;;;;AC9YhB,MAAa,eACX,UAAsC,EAAE,KAChB;AACxB,QAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,mBAAsC,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;AACzB,SAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,WAA0B;AACxB,SAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,SAAmB;AACjB,OAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,IAAW,MAA6B;AACtC,MAAI,CAAC,MAAM,MACT,QAAO;AAGT,SADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MACtD,CAAC;;;AAIjB,YAAY,QAAQ;;;;;;AC7DpB,MAAa,SAAS,UAAgC,EAAE,KAAoB;AAC1E,QAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,mBAAsC,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;AACxB,SAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,SAAmB;AACjB,OAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;AACpC,QAAI,OAAO,OAAO,SAChB,QAAO,EACL,MAAM,IACP;AAGH,WAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,SAA+C;AACxD,SAAO,KAAK,QAAQ;;CAGtB,IAAW,YAAmD;AAC5D,SAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,MAAa,YAA0C;AACrD,SAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;ACtEd,IAAa,yBAAb,MAAoC;CAClC,MAAyB,SAAS;CAClC,mBAAsC,QAAQ,iBAAiB;CAC/D,cAAiC,QAAQ,YAAY;CACrD,SAA4B,QAAQ,OAAO;CAE3C,kBAAqC,MAAM;EACzC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,cAAc;AAI9B,OAAI,QAAQ,QAAQ,cAClB,KAAI;IACF,MAAM,OACJ,MAAM,KAAK,iBAAiB,6BAA6B,QAAQ;AACnE,QAAI,MAAM;AACR,UAAK,iBAAiB,mBAAmB,KAAK;AAC9C,aAAQ,OAAO;;YAEV,OAAO;AACd,SAAK,IAAI,MACP,4DACA,MACD;;;EAKR,CAAC;CAMF,kBAAqC,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,SAAS;AACvB,OAAI,CAAC,KAAK,QAAQ,KAAM;GAExB,IAAI;AAEJ,OAAI,OAAO,KAAK,QAAQ,SAAS,SAC/B,QAAO,KAAK,QAAQ;YACX,KAAK,QAAQ,SAAS,SAC/B,QAAO,KAAK,OAAO,MAAM,IAAI,8BAA8B;YAClD,KAAK,QAAQ,SAAS,UAE/B,QADY,KAAK,OAAO,MAAM,IAAI,sBACxB,EAAE;AAGd,OAAI,KACF,MAAK,UAAU,GAAG,gBAAgB,MAAM,MAAM;;EAGnD,CAAC;CAMF,iBAA6C;AAC3C,SAAO;GACL,IAAI,YAAY;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,kBAAqC,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;AACvC,OAAI,CAAC,KAAK,OAAO,QAAQ,CACvB;AAIF,OAAI,CAAC,QAAQ,KACX;AAGF,WAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;AAE9C,OAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO,KAAA;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;AAED,YAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;ACvGJ,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,OAAgB;CAChB,cAAc;AACZ,QAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;ACahC,SAAgB,WAAW,SAAuC;AAChE,QAAO,iBAAiB;EACtB,MAAM;EACG;EACT,UAAU,EAAE,QAAQ,WAAW;AAC7B,UAAO,OAAO,GAAG,SAAgB;IAC/B,MAAM,UAAU,OAAO,MAAM,IAAI,sBAAsB;AAEvD,QAAI,CAAC,SAAS,QACZ,OAAM,IAAI,UAAU;KAClB,QAAQ;KACR,SAAS;KACV,CAAC;IAGJ,MAAM,aAAa,QAAQ,QAAQ;AAEnC,QAAI,CAAC,YAAY,WAAW,SAAS,EAAE;AACrC,sBAAiB,QAAQ;AACzB,WAAM,IAAI,UAAU;MAClB,QAAQ;MACR,SAAS;MACV,CAAC;;IAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;IAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;IAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;AAc3C,QAAI,CAPY,0BALd,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG,aAEvD,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG,IAMxD,QAAQ,UACR,QAAQ,SAGE,EAAE;AACZ,sBAAiB,QAAQ;AACzB,WAAM,IAAI,UAAU;MAClB,QAAQ;MACR,SAAS;MACV,CAAC;;AAGJ,WAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;AAKJ,SAAS,iBAAiB,SAA8B;AACtD,SAAQ,OAAO,UAAU,oBAAoB,8BAA4B;;AAG3E,SAAS,0BACP,eACA,eACA,kBACA,kBACS;CACT,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;CACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;CAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;CACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;AAO9D,SALkB,YAAY,cAAc,gBAK3B,GAJC,YAAY,cAAc,gBAIf,MAAM;;AAGrC,SAAS,YAAY,OAAe,UAA0B;AAC5D,KAAI,MAAM,WAAW,SAAS,QAAQ;AACpC,kBAAgB,OAAO,MAAM;AAC7B,SAAO;;AAET,QAAO,gBAAgB,OAAO,SAAS,GAAG,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC7BhD,SAAgB,QAAQ,SAAqC;CAC3D,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;AAGxD,KAAI,SAAS,aAAa,OACxB,MAAK,MAAM,QAAQ,QAAQ,YACzB,kBAAiB,iBAAiB,KAAK;AAI3C,QAAO,iBAAiB;EACtB,MAAM;EACN,SAAU,WAAkD,KAAA;EAC5D,UAAU,EAAE,QAAQ,WAAW;AAC7B,UAAO,OAAO,GAAG,SAAgB;IAC/B,IAAI;AAGJ,WAAO,OAAO,MAAM,IAAI,gBAAgB;AAGxC,QAAI,CAAC,MAAM;KACT,MAAM,cAAc,OAAO,MAAM,IAAI,sBAAsB;AAC3D,SAAI,aAAa;AAEf,aAAO,YAAY;AAGnB,UAAI,CAAC,KACH,QAAO,MAAM,iBAAiB,6BAC5B,aACA,EAAE,OAAO,SAAS,UAAU,IAAI,CACjC;;;AAMP,QAAI,CAAC,KACH,OAAM,IAAI,kBAAkB,0BAA0B;AAIxD,qBAAiB,aAAa,MAAM,SAAS,QAAQ;AAGrD,QAAI,SAAS,OAAO;SAId,CAHY,QAAQ,MAAM,MAAM,SAClC,KAAM,OAAO,SAAS,KAAK,CAEjB,CACV,OAAM,IAAI,eACR,iBAAiB,QAAQ,MAAM,KAAK,OAAO,CAAC,YAC7C;;AAKL,QAAI,SAAS,aAAa,OACxB,MAAK,MAAM,QAAQ,QAAQ,aAAa;KACtC,MAAM,SAAS,iBAAiB,gBAC9B,MACA,GAAI,KAAK,SAAS,EAAE,CACrB;AACD,SAAI,CAAC,OAAO,aACV,OAAM,IAAI,eACR,eAAe,OAAO,SAAS,WAAW,OAAO,KAAK,KAAK,YAC5D;AAEH,YAAO;MAAE,GAAG;MAAM,WAAW,OAAO;MAAW;;AAKnD,QAAI,SAAS;SACP,CAAC,QAAQ,MAAM,KAAK,CACtB,OAAM,IAAI,eAAe,gBAAgB;;AAK7C,qBAAiB,mBAAmB,KAAK;IAEzC,MAAM,cAAc,OAAO,MAAM,IAAI,uBAAuB,UAAU;AACtE,QAAI,YACF,aAAY,OAAO;IAGrB,MAAM,gBAAgB,OAAO,MAAM,IACjC,yBACA,UACD;AACD,QAAI,cACF,eAAc,OAAO;AAGvB,WAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACxJJ,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;AAChE,QAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;AAC9B,MAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;AACtD,OAAI,CAAC,WACH,QAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;AAGzC,OAFgB,YAAY,aAEd,cAAc,IAC1B,QAAO;;;AAKb,KAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;AAC1C,OAAI,eACF,QAAO;GAGT,IAAI;AACJ,OAAI;AACF,eAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;AACd,UAAM,IAAI,YACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;AAIH,OAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;AACvD,QAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;AACvC,qBAAgB,KAAK;YACf;AAGR,UAAM,IAAI,YAAY,iCAAiC,eAAe;;GAIxE,IAAI;AACJ,OAAI;AACF,WAAO,MAAM,SAAS,MAAM;YACrB,OAAO;AACd,UAAM,IAAI,YACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;AAIH,OAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,WAC9B,OAAM,IAAI,YACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;AAGH,cAAW,KAAK;AAEhB,UAAO,KAAK;;AAGd,SAAO,EACL,OACD;;AAGH,QAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;AAC1C,MAAI,eACF,QAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,OAAO,YAAY,QAAQ,KAAK;AAE5D,aAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;AAEF,SAAO,MAAM;IAEhB;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;;;;AC2DF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAS;EAAO;EAAY;CACzC,OAAO,CAAC,gBAAgB;CACxB,UAAU;EAAC;EAAkB;EAAa;EAAuB;CAClE,CAAC"}
1
+ {"version":3,"file":"index.js","names":["encode","decodeBase64URL","jwk.isJWK","jwk.isSecretJWK","invalidKeyInput","jwk.isPrivateJWK","jwk.isPublicJWK","b64u","encode","#payload","#payload","#protectedHeader","#unprotectedHeader","b64u","encode","#flattened","#jwt","#protectedHeader","#jwks","#cached","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#headers","#customFetch","#cache","#jwksTimestamp","#local","#pendingFetch"],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/SecurityError.ts","../../../../node_modules/jose/dist/webapi/lib/buffer_utils.js","../../../../node_modules/jose/dist/webapi/lib/base64.js","../../../../node_modules/jose/dist/webapi/util/base64url.js","../../../../node_modules/jose/dist/webapi/lib/crypto_key.js","../../../../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../../../../node_modules/jose/dist/webapi/util/errors.js","../../../../node_modules/jose/dist/webapi/lib/is_key_like.js","../../../../node_modules/jose/dist/webapi/lib/helpers.js","../../../../node_modules/jose/dist/webapi/lib/type_checks.js","../../../../node_modules/jose/dist/webapi/lib/signing.js","../../../../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../../../../node_modules/jose/dist/webapi/lib/normalize_key.js","../../../../node_modules/jose/dist/webapi/key/import.js","../../../../node_modules/jose/dist/webapi/lib/validate_crit.js","../../../../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../../../../node_modules/jose/dist/webapi/lib/check_key_type.js","../../../../node_modules/jose/dist/webapi/jws/flattened/verify.js","../../../../node_modules/jose/dist/webapi/jws/compact/verify.js","../../../../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../../../../node_modules/jose/dist/webapi/jwt/verify.js","../../../../node_modules/jose/dist/webapi/jws/flattened/sign.js","../../../../node_modules/jose/dist/webapi/jws/compact/sign.js","../../../../node_modules/jose/dist/webapi/jwt/sign.js","../../../../node_modules/jose/dist/webapi/jwks/local.js","../../../../node_modules/jose/dist/webapi/jwks/remote.js","../../src/security/providers/JwtProvider.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/InvalidTokenError.ts","../../src/security/errors/RealmNotFoundError.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/primitives/$basicAuth.ts","../../src/security/primitives/$secure.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.ts"],"sourcesContent":["import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n id: t.text({\n description: \"Unique identifier for the user.\",\n }),\n\n name: t.optional(\n t.text({\n description: \"Full name of the user.\",\n }),\n ),\n\n email: t.optional(\n t.text({\n description: \"Email address of the user.\",\n format: \"email\",\n }),\n ),\n\n username: t.optional(\n t.text({\n description: \"Preferred username of the user.\",\n }),\n ),\n\n picture: t.optional(\n t.text({\n description: \"URL to the user's profile picture.\",\n }),\n ),\n\n sessionId: t.optional(\n t.text({\n description: \"Session identifier for the user, if applicable.\",\n }),\n ),\n\n // -------------------------------------------------------------------------------------------------------------------\n\n organization: t.optional(\n t.uuid({\n description: \"Organization the user belongs to.\",\n }),\n ),\n\n roles: t.optional(\n t.array(t.text(), {\n description: \"List of roles assigned to the user.\",\n }),\n ),\n\n realm: t.optional(\n t.text({\n description: \"The realm (issuer) the user was authenticated from.\",\n }),\n ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $atom, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Atom storing the current authenticated user.\n *\n * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context\n * that sets the atom before calling secured logic.\n */\nexport const currentUserAtom = $atom({\n name: \"alepha.security.user\",\n schema: t.optional(userAccountInfoSchema),\n});\n","export class SecurityError extends Error {\n public name = \"SecurityError\";\n public readonly status = 403;\n}\n","export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction checkHashLength(algorithm, expected) {\n const actual = getHashLength(algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","import { decode } from '../util/base64url.js';\nexport const unprotected = Symbol();\nexport function assertNotSet(value, name) {\n if (value) {\n throw new TypeError(`${name} can only be called once`);\n }\n}\nexport function decodeBase64url(value, label, ErrorClass) {\n try {\n return decode(value);\n }\n catch {\n throw new ErrorClass(`Failed to base64url decode the ${label}`);\n }\n}\nexport async function digest(algorithm, data) {\n const subtleDigest = `SHA-${algorithm.slice(-3)}`;\n return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\nexport function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { JOSENotSupported } from '../util/errors.js';\nimport { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\nfunction subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\nasync function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\nexport async function sign(alg, key, data) {\n const cryptoKey = await getSigKey(alg, key, 'sign');\n checkKeyLength(alg, cryptoKey);\n const signature = await crypto.subtle.sign(subtleAlgorithm(alg, cryptoKey.algorithm), cryptoKey, data);\n return new Uint8Array(signature);\n}\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nconst unsupportedAlg = 'Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n case 'ES384':\n case 'ES512':\n algorithm = {\n name: 'ECDSA',\n namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],\n };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported(unsupportedAlg);\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { isJWK } from './type_checks.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nconst unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError(unusableForAlg);\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError(unusableForAlg);\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError(unusableForAlg);\n }\n const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };\n if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError(unusableForAlg);\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './type_checks.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/signing.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { decodeBase64url } from '../../lib/helpers.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { isObject } from '../../lib/type_checks.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid);\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n payload = decodeBase64url(jws.payload, 'payload', JWSInvalid);\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './type_checks.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { encode as b64u } from '../../util/base64url.js';\nimport { sign } from '../../lib/signing.js';\nimport { isDisjoint } from '../../lib/type_checks.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { concat, encode } from '../../lib/buffer_utils.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nimport { assertNotSet } from '../../lib/helpers.js';\nexport class FlattenedSign {\n #payload;\n #protectedHeader;\n #unprotectedHeader;\n constructor(payload) {\n if (!(payload instanceof Uint8Array)) {\n throw new TypeError('payload must be an instance of Uint8Array');\n }\n this.#payload = payload;\n }\n setProtectedHeader(protectedHeader) {\n assertNotSet(this.#protectedHeader, 'setProtectedHeader');\n this.#protectedHeader = protectedHeader;\n return this;\n }\n setUnprotectedHeader(unprotectedHeader) {\n assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');\n this.#unprotectedHeader = unprotectedHeader;\n return this;\n }\n async sign(key, options) {\n if (!this.#protectedHeader && !this.#unprotectedHeader) {\n throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');\n }\n if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...this.#protectedHeader,\n ...this.#unprotectedHeader,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = this.#protectedHeader.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n checkKeyType(alg, key, 'sign');\n let payloadS;\n let payloadB;\n if (b64) {\n payloadS = b64u(this.#payload);\n payloadB = encode(payloadS);\n }\n else {\n payloadB = this.#payload;\n payloadS = '';\n }\n let protectedHeaderString;\n let protectedHeaderBytes;\n if (this.#protectedHeader) {\n protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));\n protectedHeaderBytes = encode(protectedHeaderString);\n }\n else {\n protectedHeaderString = '';\n protectedHeaderBytes = new Uint8Array();\n }\n const data = concat(protectedHeaderBytes, encode('.'), payloadB);\n const k = await normalizeKey(key, alg);\n const signature = await sign(alg, k, data);\n const jws = {\n signature: b64u(signature),\n payload: payloadS,\n };\n if (this.#unprotectedHeader) {\n jws.header = this.#unprotectedHeader;\n }\n if (this.#protectedHeader) {\n jws.protected = protectedHeaderString;\n }\n return jws;\n }\n}\n","import { FlattenedSign } from '../flattened/sign.js';\nexport class CompactSign {\n #flattened;\n constructor(payload) {\n this.#flattened = new FlattenedSign(payload);\n }\n setProtectedHeader(protectedHeader) {\n this.#flattened.setProtectedHeader(protectedHeader);\n return this;\n }\n async sign(key, options) {\n const jws = await this.#flattened.sign(key, options);\n if (jws.payload === undefined) {\n throw new TypeError('use the flattened module for creating JWS with b64: false');\n }\n return `${jws.protected}.${jws.payload}.${jws.signature}`;\n }\n}\n","import { CompactSign } from '../jws/compact/sign.js';\nimport { JWTInvalid } from '../util/errors.js';\nimport { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';\nexport class SignJWT {\n #protectedHeader;\n #jwt;\n constructor(payload = {}) {\n this.#jwt = new JWTClaimsBuilder(payload);\n }\n setIssuer(issuer) {\n this.#jwt.iss = issuer;\n return this;\n }\n setSubject(subject) {\n this.#jwt.sub = subject;\n return this;\n }\n setAudience(audience) {\n this.#jwt.aud = audience;\n return this;\n }\n setJti(jwtId) {\n this.#jwt.jti = jwtId;\n return this;\n }\n setNotBefore(input) {\n this.#jwt.nbf = input;\n return this;\n }\n setExpirationTime(input) {\n this.#jwt.exp = input;\n return this;\n }\n setIssuedAt(input) {\n this.#jwt.iat = input;\n return this;\n }\n setProtectedHeader(protectedHeader) {\n this.#protectedHeader = protectedHeader;\n return this;\n }\n async sign(key, options) {\n const sig = new CompactSign(this.#jwt.data());\n sig.setProtectedHeader(this.#protectedHeader);\n if (Array.isArray(this.#protectedHeader?.crit) &&\n this.#protectedHeader.crit.includes('b64') &&\n this.#protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n return sig.sign(key, options);\n }\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/type_checks.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/type_checks.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.2.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createSecretKey } from \"node:crypto\";\nimport { $inject, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport {\n type CryptoKey,\n createLocalJWKSet,\n createRemoteJWKSet,\n type FlattenedJWSInput,\n type JSONWebKeySet,\n type JWSHeaderParameters,\n type JWTHeaderParameters,\n type JWTPayload,\n type JWTVerifyResult,\n jwtVerify,\n type KeyObject,\n SignJWT,\n} from \"jose\";\nimport { JWTClaimValidationFailed, JWTExpired } from \"jose/errors\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\n\n/**\n * Provides utilities for working with JSON Web Tokens (JWT).\n */\nexport class JwtProvider {\n protected readonly log = $logger();\n protected readonly keystore: KeyLoaderHolder[] = [];\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly encoder = new TextEncoder();\n\n /**\n * Adds a key loader to the embedded keystore.\n *\n * @param name\n * @param secretKeyOrJwks\n */\n public setKeyLoader(name: string, secretKeyOrJwks: string | JSONWebKeySet) {\n if (typeof secretKeyOrJwks === \"object\") {\n this.log.debug(`will verify JWTs from key '${name}' with JWKS object`);\n this.keystore.push({\n name,\n keyLoader: createLocalJWKSet(secretKeyOrJwks),\n });\n } else if (this.isSecretKey(secretKeyOrJwks)) {\n const secretKey = this.encoder.encode(secretKeyOrJwks);\n this.log.debug(`will verify JWTs from issuer '${name}' with secret key`);\n this.keystore.push({\n name,\n secretKey: secretKeyOrJwks,\n keyLoader: () => Promise.resolve(createSecretKey(secretKey)),\n });\n } else {\n this.log.debug(`will verify JWTs from issuer '${name}' with JWKS`, {\n url: secretKeyOrJwks,\n });\n this.keystore.push({\n name,\n keyLoader: createRemoteJWKSet(new URL(secretKeyOrJwks)),\n });\n }\n }\n\n /**\n * Retrieves the payload from a JSON Web Token (JWT).\n *\n * @param token - The JWT to extract the payload from.\n *\n * @return A Promise that resolves with the payload object from the token.\n */\n public async parse(\n token: string,\n keyName?: string,\n options?: JWTVerifyOptions,\n ): Promise<JwtParseResult> {\n for (const it of this.keystore) {\n if (keyName && it.name !== keyName) {\n continue;\n }\n\n this.log.trace(`Trying to verify token`, {\n keyName: it.name,\n options,\n });\n\n try {\n const verified = {\n keyName: it.name,\n result: await jwtVerify(token, it.keyLoader, {\n currentDate: this.dateTimeProvider.now().toDate(),\n ...options,\n }),\n };\n\n this.log.trace(\"Token verified successfully\", {\n keyName: verified.keyName,\n });\n\n return verified;\n } catch (error) {\n this.log.trace(\"Token verification has failed\", error);\n\n if (error instanceof JWTExpired) {\n throw new SecurityError(\"Token expired\", { cause: error });\n }\n\n if (error instanceof JWTClaimValidationFailed) {\n throw new SecurityError(\"Token claim validation failed\", {\n cause: error,\n });\n }\n }\n }\n\n this.log.warn(\n `No valid key loader found to verify the token (keystore size: ${this.keystore.length})`,\n );\n\n throw new SecurityError(\"Invalid token\");\n }\n\n /**\n * Creates a JWT token with the provided payload and secret key.\n *\n * @param payload - The payload to be encoded in the token.\n * \tIt should include the `realm_access` property which contains an array of roles.\n * @param keyName - The name of the key to use when signing the token.\n *\n * @returns The signed JWT token.\n */\n public async create(\n payload: ExtendedJWTPayload,\n keyName?: string,\n signOptions?: JwtSignOptions,\n ): Promise<string> {\n const secretKey = keyName\n ? this.keystore.find((it) => it.name === keyName)?.secretKey\n : this.keystore[0]?.secretKey;\n\n if (!secretKey) {\n throw new AlephaError(\"No secret key found in the keystore\");\n }\n\n const signJwt = new SignJWT(payload);\n\n signJwt.setProtectedHeader({\n alg: \"HS256\",\n ...signOptions?.header,\n });\n\n return await signJwt.sign(this.encoder.encode(secretKey));\n }\n\n /**\n * Determines if the provided key is a secret key.\n *\n * @param key\n * @protected\n */\n protected isSecretKey(key: string): boolean {\n return !key.startsWith(\"http://\") && !key.startsWith(\"https://\");\n }\n}\n\nexport type KeyLoader = (\n protectedHeader?: JWSHeaderParameters,\n token?: FlattenedJWSInput,\n) => Promise<CryptoKey | KeyObject>;\n\nexport interface KeyLoaderHolder {\n name: string;\n keyLoader: KeyLoader;\n secretKey?: string;\n}\n\nexport interface JwtSignOptions {\n header?: Partial<JWTHeaderParameters>;\n}\n\nexport interface ExtendedJWTPayload extends JWTPayload {\n sid?: string;\n //\n name?: string;\n roles?: string[];\n email?: string;\n organization?: string;\n // keycloak specific\n realm_access?: { roles: string[] };\n}\n\nexport interface JwtParseResult {\n keyName: string;\n result: JWTVerifyResult<ExtendedJWTPayload>;\n}\n","export class InvalidPermissionError extends Error {\n constructor(name: string) {\n super(`Permission '${name}' is invalid`);\n }\n}\n","export class InvalidTokenError extends Error {\n public readonly status = 401;\n}\n","export class RealmNotFoundError extends Error {\n constructor(realm: string) {\n super(`Realm '${realm}' not found`);\n }\n}\n","import {\n $hook,\n $inject,\n Alepha,\n AppNotStartedError,\n ContainerLockedError,\n} from \"alepha\";\nimport { SecretProvider } from \"alepha/crypto\";\nimport { $logger } from \"alepha/logger\";\nimport { ForbiddenError } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport type { JWTVerifyOptions } from \"jose/jwt/verify\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport { InvalidPermissionError } from \"../errors/InvalidPermissionError.ts\";\nimport { InvalidTokenError } from \"../errors/InvalidTokenError.ts\";\nimport { RealmNotFoundError } from \"../errors/RealmNotFoundError.ts\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver, UserInfo } from \"../interfaces/IssuerResolver.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport {\n type UserAccount,\n userAccountInfoSchema,\n} from \"../schemas/userAccountInfoSchema.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\n\nexport class SecurityProvider {\n protected readonly UNKNOWN_USER_NAME = \"Anonymous User\";\n protected readonly PERMISSION_REGEXP = /^[\\w-]+((:[\\w-]+)+)?$/;\n protected readonly PERMISSION_REGEXP_WILDCARD =\n /^[\\w-]+((:[\\w-]+)*:\\*|(:[\\w-]+)+)?$/;\n\n protected readonly log = $logger();\n protected readonly jwt = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n protected readonly secretProvider = $inject(SecretProvider);\n\n public get secretKey(): string {\n return this.secretProvider.secretKey;\n }\n\n /**\n * The permissions configured for the security provider.\n */\n protected readonly permissions: Permission[] = [];\n\n /**\n * The realms configured for the security provider.\n */\n protected readonly realms: Realm[] = this.alepha.isTest()\n ? [\n {\n name: \"default\",\n secret: this.secretKey,\n roles: [\n {\n name: \"admin\",\n permissions: [\n {\n name: \"*\",\n },\n ],\n },\n ],\n },\n ]\n : [];\n\n protected start = $hook({\n on: \"start\",\n handler: async () => {\n for (const realm of this.realms) {\n if (realm.secret) {\n const secret =\n typeof realm.secret === \"function\" ? realm.secret() : realm.secret;\n this.jwt.setKeyLoader(realm.name, secret);\n }\n\n // Register default JWT resolver for realms without resolvers\n if (!realm.resolvers || realm.resolvers.length === 0) {\n this.registerResolver(\n this.createDefaultJwtResolver(realm.name),\n realm.name,\n );\n }\n }\n },\n });\n\n /**\n * Creates a default JWT resolver for a realm.\n */\n protected createDefaultJwtResolver(realmName: string): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, realmName);\n\n // Extract user info from JWT payload\n return this.createUserFromPayload(result.payload, realmName);\n },\n };\n }\n\n /**\n * Adds a role to one or more realms.\n *\n * @param role\n * @param realms\n */\n public createRole(role: Role, ...realms: string[]): Role {\n const list = realms.length\n ? realms.map((it) => {\n const item = this.realms.find((realm) => realm.name === it);\n if (!item) {\n throw new RealmNotFoundError(it);\n }\n return item;\n })\n : this.realms;\n\n for (const realm of list) {\n for (const { name } of role.permissions) {\n if (this.alepha.isStarted()) {\n // Check if permission exists or matches a wildcard pattern\n if (name === \"*\") {\n // Global wildcard is always allowed\n continue;\n }\n\n // Check for exact match first\n const existingExact = this.permissions.find(\n (it) => this.permissionToString(it) === name,\n );\n if (existingExact) {\n continue;\n }\n\n // Check if it's a wildcard pattern (e.g., \"admin:api:*\")\n if (name.endsWith(\":*\")) {\n const groupPrefix = name.slice(0, -2); // Remove \":*\"\n // Check if any permission exists with this group prefix\n const existingWithPrefix = this.permissions.find((it) => {\n if (!it.group) return false;\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n });\n if (existingWithPrefix) {\n continue;\n }\n }\n\n // Permission not found\n throw new SecurityError(`Permission '${name}' not found`);\n } else {\n if (name !== \"*\" && !this.PERMISSION_REGEXP_WILDCARD.test(name)) {\n throw new InvalidPermissionError(name);\n }\n }\n }\n\n realm.roles.push(role);\n }\n\n return role;\n }\n\n /**\n * Adds a permission to the security provider.\n *\n * @param raw - The permission to add.\n */\n public createPermission(raw: Permission | string): Permission {\n if (this.alepha.isStarted()) {\n throw new ContainerLockedError();\n }\n\n let permission: Permission;\n if (typeof raw === \"string\") {\n if (!this.PERMISSION_REGEXP.test(raw)) {\n throw new InvalidPermissionError(raw);\n }\n\n const parts = raw.split(\":\");\n if (parts.length === 1) {\n // No group, just name (e.g., \"read\")\n permission = { name: parts[0] };\n } else {\n // Has group(s) (e.g., \"users:read\" or \"admin:api:users:read\")\n // The last part is the name, everything else is the group\n const name = parts[parts.length - 1];\n const groupParts = parts.slice(0, -1);\n\n if (groupParts.length === 1) {\n permission = {\n group: groupParts[0],\n name,\n };\n } else {\n // Multi-layer group\n permission = {\n group: groupParts.join(\":\"),\n name,\n };\n }\n }\n } else {\n permission = raw;\n }\n\n const asString = this.permissionToString(permission);\n if (!this.PERMISSION_REGEXP.test(asString)) {\n throw new InvalidPermissionError(asString);\n }\n\n const existing = this.permissions.find(\n (it) => this.permissionToString(it) === asString,\n );\n\n if (existing) {\n return existing;\n }\n\n this.log.trace(`Creating permission '${asString}'`);\n\n this.permissions.push(permission);\n\n return permission;\n }\n\n public createRealm(realm: Realm) {\n if (this.realms.length === 1 && this.realms[0].name === \"default\") {\n // if the default realm is the only one, we remove it to allow creating new realms\n this.realms.pop();\n }\n\n this.realms.push(realm);\n }\n\n /**\n * Updates the roles for a realm then synchronizes the user account provider if available.\n *\n * Only available when the app is started.\n *\n * @param realm - The realm to update the roles for.\n * @param roles - The roles to update.\n */\n public async updateRealm(realm: string, roles: Role[]): Promise<void> {\n if (!this.alepha.isStarted()) {\n throw new AppNotStartedError();\n }\n\n const realmInstance = this.realms.find((it) => it.name === realm);\n if (!realmInstance) {\n throw new RealmNotFoundError(realm);\n }\n\n realmInstance.roles = roles;\n }\n\n // -------------------------------------------------------------------------------------------------------------------\n\n /**\n * Creates a user account from the provided payload.\n *\n * @param payload - The payload to create the user account from.\n * @param [realmName] - The realm containing the roles. Default is all.\n *\n * @returns The user info created from the payload.\n */\n public createUserFromPayload(\n payload: JWTPayload,\n realmName?: string,\n ): UserAccount {\n const id = this.getIdFromPayload(payload);\n const sessionId = this.getSessionIdFromPayload(payload);\n const rolesFromPayload = this.getRolesFromPayload(payload);\n const email = this.getEmailFromPayload(payload);\n const username = this.getUsernameFromPayload(payload);\n const picture = this.getPictureFromPayload(payload);\n const name = this.getNameFromPayload(payload);\n const organization = this.getOrganizationFromPayload(payload);\n const rolesFromSystem = this.getRoles(realmName);\n const roles = rolesFromPayload\n .reduce<Role[]>(\n (arr, roleName) =>\n arr.concat(rolesFromSystem.filter((it) => it.name === roleName)),\n [],\n )\n .map((it) => it.name);\n\n const realm = this.realms.find((it) => it.name === realmName);\n if (realm?.profile) {\n return realm.profile(payload);\n }\n\n return {\n id,\n roles,\n name,\n email,\n username,\n picture,\n organization,\n sessionId,\n };\n }\n\n /**\n * Generic user creation from any source (JWT, API key, etc.).\n * Handles permission checking, ownership, default roles.\n */\n public createUser(\n userInfo: UserInfo,\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): UserAccountToken {\n const realmRoles = this.getRoles(options.realm).filter((it) => it.default);\n const roles = [...(userInfo.roles ?? [])];\n\n // Add default roles\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n let ownership: string | boolean | undefined;\n\n // Permission check\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n ownership = check.ownership;\n }\n\n return {\n ...userInfo,\n roles,\n ownership,\n realm: options.realm,\n };\n }\n\n /**\n * Register a resolver to a realm.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver, realmName?: string): void {\n const realm = this.getRealm(realmName);\n if (!realm.resolvers) {\n realm.resolvers = [];\n }\n\n realm.resolvers.push(resolver);\n realm.resolvers.sort((a, b) => (a.priority ?? 100) - (b.priority ?? 100));\n }\n\n /**\n * Get a realm by name.\n * Throws if realm not found.\n */\n public getRealm(realmName?: string): Realm {\n const realm = realmName\n ? this.realms.find((it) => it.name === realmName)\n : this.realms[0];\n\n if (!realm) {\n throw new RealmNotFoundError(realmName ?? \"default\");\n }\n\n return realm;\n }\n\n /**\n * Resolve user from request using registered resolvers.\n * Returns undefined if no resolver could authenticate (no auth provided).\n * Throws UnauthorizedError if auth was provided but invalid.\n *\n * Note: This method tries resolvers from ALL realms to find a match,\n * regardless of the `realm` option. The `realm` option is only used for\n * permission checking after the user is resolved.\n */\n public async resolveUserFromServerRequest(\n req: { url: URL | string; headers: { authorization?: string } },\n options: {\n realm?: string;\n permission?: Permission | string;\n } = {},\n ): Promise<UserAccountToken | undefined> {\n // Collect all resolvers from all realms with their realm name\n const allResolvers: Array<{\n resolver: IssuerResolver;\n realmName: string;\n }> = [];\n\n for (const realm of this.realms) {\n for (const resolver of realm.resolvers ?? []) {\n allResolvers.push({ resolver, realmName: realm.name });\n }\n }\n\n // Sort by priority\n allResolvers.sort(\n (a, b) => (a.resolver.priority ?? 100) - (b.resolver.priority ?? 100),\n );\n\n // Try resolvers in priority order\n for (const { resolver, realmName } of allResolvers) {\n let userInfo: UserInfo | null;\n\n try {\n userInfo = await resolver.onRequest(req as any);\n } catch {\n // Resolver failed (e.g., wrong key), try next\n continue;\n }\n\n if (userInfo) {\n // User was resolved - now create user and check permissions\n // (errors from createUser should propagate, not be caught)\n const user = this.createUser(userInfo, {\n realm: realmName,\n permission: options.permission,\n });\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm: realmName,\n user,\n });\n\n return user;\n }\n }\n\n // No resolver matched = no auth provided\n return undefined;\n }\n\n /**\n * Checks if the user has the specified permission.\n *\n * Bonus: we check also if the user has \"ownership\" flag.\n *\n * @param permissionLike - The permission to check for.\n * @param roleEntries - The roles to check for the permission.\n */\n public checkPermission(\n permissionLike: string | Permission,\n ...roleEntries: string[]\n ): SecurityCheckResult {\n const roles: Role[] = roleEntries.map((it) => {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n });\n\n const permission = this.permissionToString(permissionLike);\n const isAdmin = roles.find((it) =>\n it.permissions.find(\n (it) => it.name === \"*\" && !it.exclude && !it.ownership,\n ),\n );\n\n // if the user is an admin, we can return early\n if (isAdmin) {\n return {\n isAuthorized: true,\n ownership: false,\n };\n }\n\n const result: SecurityCheckResult = {\n isAuthorized: false,\n ownership: undefined,\n };\n\n // Helper function to check if a permission matches a pattern with multi-layer wildcard support\n const matchesPattern = (\n permissionName: string,\n pattern: string,\n ): boolean => {\n if (pattern === \"*\") return true;\n if (pattern === permissionName) return true;\n\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" matches \"admin:api:users:read\")\n if (pattern.endsWith(\":*\")) {\n const patternPrefix = pattern.slice(0, -2);\n // Check if permission starts with the pattern prefix\n if (permissionName === patternPrefix) return false; // \"admin:api\" doesn't match \"admin:api:*\"\n return permissionName.startsWith(`${patternPrefix}:`);\n }\n\n return false;\n };\n\n for (const role of roles) {\n // for each role candidate\n for (const rolePermission of role.permissions) {\n // for each permission in the role\n if (matchesPattern(permission, rolePermission.name)) {\n // [feature]: exclude permissions including wildcards\n if (rolePermission.exclude) {\n let isExcluded = false;\n for (const excludePattern of rolePermission.exclude) {\n if (matchesPattern(permission, excludePattern)) {\n isExcluded = true;\n break;\n }\n }\n if (isExcluded) {\n continue;\n }\n }\n\n result.isAuthorized = true; // OK !\n\n // but we also need to check if the user has ownership\n if (rolePermission.ownership) {\n // if ownership is true, we have to check all other matching permissions in case of ownership === false ...\n result.ownership = rolePermission.ownership;\n } else {\n // but if isAuthorized && ownership === false, we can break the loop \\ :D /\n result.ownership = false;\n return result;\n }\n }\n }\n }\n\n return result;\n }\n\n /**\n * Creates a user account from the provided payload.\n */\n public async createUserFromToken(\n headerOrToken?: string,\n options: {\n permission?: Permission | string;\n realm?: string;\n verify?: JWTVerifyOptions;\n } = {},\n ): Promise<UserAccountToken> {\n const token = headerOrToken?.replace(/^Bearer\\s+/i, \"\").trim();\n if (typeof token !== \"string\" || token === \"\") {\n throw new InvalidTokenError(\n \"Invalid authorization header, maybe token is missing ?\",\n );\n }\n\n const { result, keyName: realm } = await this.jwt.parse(\n token,\n options.realm,\n options.verify,\n );\n\n const info = this.createUserFromPayload(result.payload, realm);\n const realmRoles = this.getRoles(realm).filter((it) => it.default);\n const roles = info.roles ?? [];\n\n for (const role of realmRoles) {\n if (!roles.includes(role.name)) {\n roles.push(role.name);\n }\n }\n\n info.roles = roles;\n\n await this.alepha.events.emit(\"security:user:created\", {\n realm,\n user: info,\n });\n\n let ownership: string | boolean | undefined;\n\n if (options.permission) {\n const check = this.checkPermission(options.permission, ...roles);\n if (!check.isAuthorized) {\n throw new SecurityError(\n `User is not allowed to access '${this.permissionToString(options.permission)}'`,\n );\n }\n\n ownership = check.ownership;\n }\n\n return {\n ...info,\n ownership,\n token,\n realm,\n };\n }\n\n /**\n * Checks if a user has a specific role.\n *\n * @param roleName - The role to check for.\n * @param permission - The permission to check for.\n * @returns True if the user has the role, false otherwise.\n */\n public can(roleName: string, permission: string | Permission): boolean {\n return this.checkPermission(permission, roleName).isAuthorized;\n }\n\n /**\n * Checks if a user has ownership of a specific permission.\n */\n public ownership(\n roleName: string,\n permission: string | Permission,\n ): string | boolean | undefined {\n return this.checkPermission(permission, roleName).ownership;\n }\n\n /**\n * Converts a permission object to a string.\n *\n * @param permission\n */\n public permissionToString(permission: Permission | string): string {\n if (typeof permission === \"string\") {\n return permission;\n }\n\n if (!permission.group) {\n return permission.name;\n }\n\n // Handle multi-layer groups (e.g., \"admin:api\" or \"management:users\")\n const groupParts = Array.isArray(permission.group)\n ? permission.group\n : [permission.group];\n\n return `${groupParts.join(\":\")}:${permission.name}`;\n }\n\n /**\n * Check that the user belongs to one of the required issuers.\n */\n public checkIssuers(user: UserAccountToken, issuers?: string[]) {\n if (issuers?.length && (!user.realm || !issuers.includes(user.realm))) {\n throw new ForbiddenError(\n `User must belong to issuer '${issuers.join(\"' or '\")}' to access this route`,\n );\n }\n }\n\n /**\n * Store the resolved user in the atom for downstream access (useAuth, audit trail, etc.).\n */\n public storeUserInContext(user: UserAccountToken) {\n const decoded = this.alepha.codec.decode(userAccountInfoSchema, user);\n this.alepha.store.set(currentUserAtom, decoded);\n }\n\n // accessors\n\n public getRealms(): Realm[] {\n return this.realms;\n }\n\n /**\n * Retrieves the user account from the provided user ID.\n *\n * @param realm\n */\n public getRoles(realm?: string): Role[] {\n if (realm) {\n return [...(this.realms.find((it) => it.name === realm)?.roles ?? [])];\n }\n\n return this.realms.reduce<Role[]>((arr, it) => arr.concat(it.roles), []);\n }\n\n /**\n * Returns all permissions.\n *\n * @param user - Filter permissions by user.\n *\n * @return An array containing all permissions.\n */\n public getPermissions(user?: {\n roles?: Array<Role | string>;\n realm?: string;\n }): Permission[] {\n if (user?.roles) {\n const permissions: Permission[] = [];\n const roles = user.roles ?? [];\n\n for (const roleOrString of roles) {\n const role =\n typeof roleOrString === \"string\"\n ? this.getRoles(user.realm).find((it) => it.name === roleOrString)\n : roleOrString;\n\n if (!role) {\n throw new SecurityError(`Role '${roleOrString}' not found`);\n }\n\n if (role.permissions.some((it) => it.name === \"*\" && !it.exclude)) {\n return this.getPermissions();\n }\n\n for (const permission of role.permissions) {\n let ref: Permission[] = [];\n if (permission.name === \"*\") {\n ref.push(...this.permissions);\n } else if (permission.name.includes(\":\")) {\n // Handle multi-layer wildcards (e.g., \"admin:api:*\" or \"users:read\")\n const parts = permission.name.split(\":\");\n const lastPart = parts[parts.length - 1];\n\n if (lastPart === \"*\") {\n // Wildcard at any level (e.g., \"admin:*\", \"admin:api:*\")\n const groupPrefix = parts.slice(0, -1).join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (!it.group) return false;\n // Match exact group or any sub-group\n return (\n it.group === groupPrefix ||\n it.group.startsWith(`${groupPrefix}:`)\n );\n }),\n );\n } else {\n // Specific permission (e.g., \"users:read\" or \"admin:api:users:read\")\n const name = lastPart;\n const groupParts = parts.slice(0, -1);\n const group = groupParts.join(\":\");\n\n ref.push(\n ...this.permissions.filter((it) => {\n if (it.name !== name) return false;\n if (!it.group) return false;\n return it.group === group;\n }),\n );\n }\n } else {\n // all permissions without a group\n ref.push(\n ...this.permissions.filter(\n (it) => it.name === permission.name && !it.group,\n ),\n );\n }\n const exclude = permission.exclude;\n if (exclude) {\n // exclude permissions with multi-layer wildcard support\n ref = ref.filter((it) => {\n const permString = this.permissionToString(it);\n return !exclude.some((excludePattern) => {\n if (excludePattern === permString) return true;\n if (excludePattern.endsWith(\":*\")) {\n const excludePrefix = excludePattern.slice(0, -2);\n return permString.startsWith(`${excludePrefix}:`);\n }\n return false;\n });\n });\n }\n permissions.push(...ref);\n }\n }\n\n return [...new Set(permissions.filter((it) => it != null))];\n }\n\n return this.permissions;\n }\n\n /**\n * Retrieves the user ID from the provided payload object.\n *\n * @param payload - The payload object from which to extract the user ID.\n * @return The user ID as a string.\n */\n public getIdFromPayload(payload: Record<string, any>): string {\n if (payload.sub != null) {\n return String(payload.sub);\n }\n\n if (payload.id != null) {\n return String(payload.id);\n }\n\n if (payload.userId != null) {\n return String(payload.userId);\n }\n\n throw new SecurityError(\"Invalid JWT - missing id\");\n }\n\n public getSessionIdFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n if (payload.sid) {\n return String(payload.sid);\n }\n }\n\n /**\n * Retrieves the roles from the provided payload object.\n * @param payload - The payload object from which to extract the roles.\n * @return An array of role strings.\n */\n public getRolesFromPayload(payload: Record<string, any>): string[] {\n return payload?.realm_access?.roles ?? payload?.roles ?? [];\n }\n\n public getPictureFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.picture) {\n return payload.picture;\n }\n\n if (payload.avatar_url) {\n return payload.avatar_url;\n }\n\n if (payload.user_picture) {\n return payload.user_picture;\n }\n\n return undefined;\n }\n\n public getUsernameFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.preferred_username) {\n return payload.preferred_username;\n }\n\n if (payload.username) {\n return payload.username;\n }\n\n return undefined;\n }\n\n public getEmailFromPayload(payload: Record<string, any>): string | undefined {\n if (!payload) {\n return;\n }\n\n if (payload.email) {\n return payload.email;\n }\n\n return undefined;\n }\n\n /**\n * Returns the name from the given payload.\n *\n * @param payload - The payload object.\n * @returns The name extracted from the payload, or an empty string if the payload is falsy or no name is found.\n */\n public getNameFromPayload(payload: Record<string, any>): string {\n if (!payload) {\n return this.UNKNOWN_USER_NAME;\n }\n\n if (payload.name) {\n return payload.name;\n }\n\n if (\n typeof payload.given_name === \"string\" &&\n typeof payload.family_name === \"string\"\n ) {\n return `${payload.given_name} ${payload.family_name}`.trim();\n }\n\n return this.UNKNOWN_USER_NAME;\n }\n\n public getOrganizationFromPayload(\n payload: Record<string, any>,\n ): string | undefined {\n if (!payload) {\n return;\n }\n\n if (typeof payload.organization === \"string\") {\n return payload.organization;\n }\n }\n}\n\n// =====================================================================================================================\n\n/**\n * A realm definition.\n */\nexport interface Realm {\n name: string;\n\n roles: Role[];\n\n /**\n * The secret key for the realm.\n *\n * Can be also a JWKS URL.\n */\n secret?: string | JSONWebKeySet | (() => string);\n\n /**\n * Create the user account info based on the raw JWT payload.\n * By default, SecurityProvider has his own implementation, but this method allow to override it.\n */\n profile?: (raw: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers for this realm (sorted by priority).\n */\n resolvers?: IssuerResolver[];\n}\n\nexport interface SecurityCheckResult {\n isAuthorized: boolean;\n ownership: string | boolean | undefined;\n}\n","import { $inject, AlephaError, createPrimitive, KIND, Primitive } from \"alepha\";\nimport {\n DateTimeProvider,\n type Duration,\n type DurationLike,\n} from \"alepha/datetime\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport type { JSONWebKeySet, JWTPayload } from \"jose\";\nimport { SecurityError } from \"../errors/SecurityError.ts\";\nimport type { IssuerResolver } from \"../interfaces/IssuerResolver.ts\";\nimport { JwtProvider } from \"../providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Role } from \"../schemas/roleSchema.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new issuer.\n *\n * An issuer is responsible for creating and verifying JWT tokens.\n * It can be internal (with a secret) or external (with a JWKS).\n */\nexport const $issuer = (options: IssuerPrimitiveOptions): IssuerPrimitive => {\n return createPrimitive(IssuerPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport type IssuerPrimitiveOptions = {\n /**\n * Define the issuer name.\n * If not provided, it will use the property key.\n */\n name?: string;\n\n /**\n * Short description about the issuer.\n */\n description?: string;\n\n /**\n * All roles available in the issuer. Role is a string (role name) or a Role object (embedded role).\n */\n roles?: Array<string | Role>;\n\n /**\n * Issuer settings.\n */\n settings?: IssuerSettings;\n\n /**\n * Parse the JWT payload to create a user account info.\n */\n profile?: (jwtPayload: Record<string, any>) => UserAccount;\n\n /**\n * Custom resolvers (in addition to default JWT resolver).\n */\n resolvers?: IssuerResolver[];\n} & (IssuerInternal | IssuerExternal);\n\nexport interface IssuerSettings {\n accessToken?: {\n /**\n * Lifetime of the access token.\n * @default 15 minutes\n */\n expiration?: DurationLike;\n };\n\n refreshToken?: {\n /**\n * Lifetime of the refresh token.\n * @default 30 days\n */\n expiration?: DurationLike;\n\n /**\n * Idle invalidation is enforced by session-backed realms via\n * `realmAuthSettings.refreshToken.expirationIdle` (in `alepha/api/users`).\n * Token-only refresh (no `onRefreshSession`) does not support idle\n * invalidation — it has no stateful row to track `lastUsedAt`.\n */\n };\n\n onCreateSession?: (\n user: UserAccount,\n config: {\n expiresIn: number;\n },\n ) => Promise<{\n refreshToken: string;\n sessionId?: string;\n }>;\n\n onRefreshSession?: (refreshToken: string) => Promise<{\n user: UserAccount;\n expiresIn: number;\n sessionId?: string;\n }>;\n\n onDeleteSession?: (refreshToken: string) => Promise<void>;\n}\n\nexport type IssuerInternal = {\n /**\n * Internal secret to sign JWT tokens and verify them.\n */\n secret: string;\n};\n\nexport interface IssuerExternal {\n /**\n * URL to the JWKS (JSON Web Key Set) to verify JWT tokens from external providers.\n */\n jwks: (() => string) | JSONWebKeySet;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly dateTimeProvider = $inject(DateTimeProvider);\n protected readonly jwt = $inject(JwtProvider);\n protected readonly log = $logger();\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get accessTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.accessToken?.expiration ?? [15, \"minutes\"],\n );\n }\n\n public get refreshTokenExpiration(): Duration {\n return this.dateTimeProvider.duration(\n this.options.settings?.refreshToken?.expiration ?? [30, \"days\"],\n );\n }\n\n protected onInit() {\n const roles =\n this.options.roles?.map((it) => {\n if (typeof it === \"string\") {\n const role = this.getRoles().find((role) => role.name === it);\n if (!role) {\n throw new SecurityError(`Role '${it}' not found`);\n }\n return role;\n }\n\n return it;\n }) ?? [];\n\n this.securityProvider.createRealm({\n name: this.name,\n profile: this.options.profile,\n secret: \"jwks\" in this.options ? this.options.jwks : this.options.secret,\n roles,\n resolvers: [],\n });\n\n // Register custom resolvers first (they usually have lower priority)\n for (const resolver of this.options.resolvers ?? []) {\n this.registerResolver(resolver);\n }\n\n // Register default JWT resolver (priority 100)\n this.registerResolver(this.createJwtResolver());\n }\n\n /**\n * Creates the default JWT resolver.\n */\n protected createJwtResolver(): IssuerResolver {\n return {\n priority: 100,\n onRequest: async (req: ServerRequest) => {\n const auth = req.headers.authorization;\n if (!auth?.startsWith(\"Bearer \")) {\n return null;\n }\n\n const token = auth.slice(7);\n\n // Check if it looks like a JWT (has dots)\n if (!token.includes(\".\")) {\n return null;\n }\n\n // Parse and validate JWT\n const { result } = await this.jwt.parse(token, this.name);\n\n // Extract user info from JWT payload\n return this.securityProvider.createUserFromPayload(\n result.payload,\n this.name,\n );\n },\n };\n }\n\n /**\n * Register a resolver to this issuer.\n * Resolvers are sorted by priority (lower = first).\n */\n public registerResolver(resolver: IssuerResolver): void {\n this.securityProvider.registerResolver(resolver, this.name);\n }\n\n /**\n * Get all roles in the issuer.\n */\n public getRoles(): Role[] {\n return this.securityProvider.getRoles(this.name);\n }\n\n /**\n * Set all roles in the issuer.\n */\n public async setRoles(roles: Role[]): Promise<void> {\n await this.securityProvider.updateRealm(this.name, roles);\n }\n\n /**\n * Get a role by name, throws an error if not found.\n */\n public getRoleByName(name: string): Role {\n const role = this.getRoles().find((it) => it.name === name);\n if (!role) {\n throw new SecurityError(`Role '${name}' not found`);\n }\n return role;\n }\n\n public async parseToken(token: string): Promise<JWTPayload> {\n const { result } = await this.jwt.parse(token, this.name);\n return result.payload;\n }\n\n /**\n * Create a token for the subject.\n */\n public async createToken(\n user: UserAccount,\n refreshToken?: {\n sid?: string;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n },\n ): Promise<AccessTokenResponse> {\n let sid: string | undefined = refreshToken?.sid;\n let refresh_token: string | undefined = refreshToken?.refresh_token;\n let refresh_token_expires_in: number | undefined =\n refreshToken?.refresh_token_expires_in;\n\n const iat = this.dateTimeProvider.now().unix();\n const exp = iat + this.accessTokenExpiration.asSeconds();\n\n if (!refreshToken) {\n const create = this.options.settings?.onCreateSession;\n if (create) {\n // -----------------------------------------------------------------------------------------------------------------\n // managed by the application\n const expiresIn = this.refreshTokenExpiration.asSeconds();\n const { refreshToken, sessionId } = await create(user, {\n expiresIn,\n });\n\n refresh_token = refreshToken;\n refresh_token_expires_in = expiresIn;\n sid = sessionId;\n } else {\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n const payload = {\n sub: user.id,\n exp: iat + this.refreshTokenExpiration.asSeconds(),\n iat,\n aud: this.name,\n };\n\n this.log.trace(\"Creating refresh token\", payload);\n\n sid = crypto.randomUUID();\n refresh_token_expires_in = this.refreshTokenExpiration.asSeconds();\n refresh_token = await this.jwt.create(payload, this.name, {\n header: {\n typ: \"refresh\",\n },\n });\n }\n }\n\n this.log.trace(\"Creating access token\", {\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n });\n\n const access_token = await this.jwt.create(\n {\n // jwt\n sub: user.id,\n exp,\n iat,\n aud: this.name,\n sid, // session id, if available\n // oidc\n name: user.name,\n email: user.email,\n preferred_username: user.username,\n picture: user.picture,\n // our claims\n organization: user.organization,\n roles: user.roles,\n },\n this.name,\n );\n\n const response: AccessTokenResponse = {\n access_token,\n token_type: \"Bearer\",\n expires_in: this.accessTokenExpiration.asSeconds(),\n issued_at: iat,\n refresh_token,\n refresh_token_expires_in,\n };\n\n return response;\n }\n\n public async refreshToken(\n refreshToken: string,\n accessToken?: string,\n ): Promise<{\n tokens: AccessTokenResponse;\n user: UserAccount;\n }> {\n // -----------------------------------------------------------------------------------------------------------------\n // session based\n\n if (this.options.settings?.onRefreshSession) {\n // get user and expiration from the session\n const { user, expiresIn, sessionId } =\n await this.options.settings.onRefreshSession(refreshToken);\n\n // then, create a new access token\n const tokens = await this.createToken(user, {\n sid: sessionId,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n });\n\n return { user, tokens };\n }\n\n // -----------------------------------------------------------------------------------------------------------------\n // token based\n\n if (!accessToken) {\n throw new AlephaError(\"An access token is required for refreshing\");\n }\n\n // Extract user from an expired token.\n // WARNING: Roles from the expired token are reused without re-validation.\n // If roles were revoked, the new access token will still contain old roles\n // until the refresh token expires. Use session-based refresh (onRefreshSession)\n // to re-fetch current roles from the database on each refresh.\n const user = await this.securityProvider.createUserFromToken(accessToken, {\n realm: this.name,\n verify: {\n currentDate: new Date(0), // don't verify expiration, it's expected to be expired...\n },\n });\n\n // check if the refresh token is valid + match access token user\n const {\n result: { payload },\n } = await this.jwt.parse(refreshToken, this.name, {\n typ: \"refresh\",\n audience: this.name,\n subject: user.id,\n });\n\n const iat = this.dateTimeProvider.now().unix();\n const expiresIn = payload.exp\n ? payload.exp - iat\n : this.refreshTokenExpiration.asSeconds();\n\n return {\n user,\n tokens: await this.createToken(user, {\n sid: payload.sid,\n refresh_token: refreshToken,\n refresh_token_expires_in: expiresIn,\n }),\n };\n }\n}\n\n$issuer[KIND] = IssuerPrimitive;\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface CreateTokenOptions {\n sub: string;\n roles?: string[];\n email?: string;\n}\n\nexport interface AccessTokenResponse {\n access_token: string;\n token_type: string;\n expires_in?: number;\n issued_at: number;\n refresh_token?: string;\n refresh_token_expires_in?: number;\n scope?: string;\n}\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Create a new permission.\n */\nexport const $permission = (\n options: PermissionPrimitiveOptions = {},\n): PermissionPrimitive => {\n return createPrimitive(PermissionPrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface PermissionPrimitiveOptions {\n /**\n * Name of the permission. Use Property name is not provided.\n */\n name?: string;\n\n /**\n * Group of the permission. Use Class name is not provided.\n */\n group?: string;\n\n /**\n * Describe the permission.\n */\n description?: string;\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport class PermissionPrimitive extends Primitive<PermissionPrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n public get group(): string {\n return this.options.group || this.config.service.name;\n }\n\n public toString(): string {\n return `${this.group}:${this.name}`;\n }\n\n protected onInit() {\n this.securityProvider.createPermission({\n name: this.name,\n group: this.group,\n description: this.options.description,\n });\n }\n\n /**\n * Check if the user has the permission.\n */\n public can(user?: UserAccount): boolean {\n if (!user?.roles) {\n return false;\n }\n const check = this.securityProvider.checkPermission(this, ...user.roles);\n return check.isAuthorized;\n }\n}\n\n$permission[KIND] = PermissionPrimitive;\n","import { $inject, createPrimitive, KIND, Primitive } from \"alepha\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { IssuerPrimitive } from \"./$issuer.ts\";\nimport type { PermissionPrimitive } from \"./$permission.ts\";\n\n/**\n * Create a new role.\n */\nexport const $role = (options: RolePrimitiveOptions = {}): RolePrimitive => {\n return createPrimitive(RolePrimitive, options);\n};\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport interface RolePrimitiveOptions {\n /**\n * Name of the role.\n */\n name?: string;\n\n /**\n * Describe the role.\n */\n description?: string;\n\n issuer?: string | IssuerPrimitive;\n\n permissions?: Array<\n | string\n | {\n name: string;\n ownership?: boolean;\n exclude?: string[];\n }\n >;\n}\n\nexport class RolePrimitive extends Primitive<RolePrimitiveOptions> {\n protected readonly securityProvider = $inject(SecurityProvider);\n\n public get name(): string {\n return this.options.name || this.config.propertyKey;\n }\n\n protected onInit() {\n this.securityProvider.createRole({\n ...this.options,\n name: this.name,\n permissions:\n this.options.permissions?.map((it) => {\n if (typeof it === \"string\") {\n return {\n name: it,\n };\n }\n\n return it;\n }) ?? [],\n });\n }\n\n /**\n * Get the issuer of the role.\n */\n public get issuer(): string | IssuerPrimitive | undefined {\n return this.options.issuer;\n }\n\n public can(permission: string | PermissionPrimitive): boolean {\n return this.securityProvider.can(this.name, permission);\n }\n\n public check(permission: string | PermissionPrimitive) {\n return this.securityProvider.checkPermission(permission, this.name);\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n$role[KIND] = RolePrimitive;\n","import { randomUUID } from \"node:crypto\";\nimport { $hook, $inject, Alepha } from \"alepha\";\nimport { $logger } from \"alepha/logger\";\nimport type { ServerRequest } from \"alepha/server\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport { JwtProvider } from \"./JwtProvider.ts\";\nimport { SecurityProvider } from \"./SecurityProvider.ts\";\n\nexport class ServerSecurityProvider {\n protected readonly log = $logger();\n protected readonly securityProvider = $inject(SecurityProvider);\n protected readonly jwtProvider = $inject(JwtProvider);\n protected readonly alepha = $inject(Alepha);\n\n protected readonly onServerRequest = $hook({\n on: \"server:onRequest\",\n priority: \"last\",\n handler: async ({ request }) => {\n // Resolve user from authorization header (authentication).\n // This makes currentUserAtom available on ALL routes, not just $secure ones.\n // $secure() then acts purely as an authorization gate.\n if (request.headers.authorization) {\n try {\n const user =\n await this.securityProvider.resolveUserFromServerRequest(request);\n if (user) {\n this.securityProvider.storeUserInContext(user);\n request.user = user;\n }\n } catch (error) {\n this.log.debug(\n \"Failed to resolve user from request authorization header\",\n error,\n );\n // Invalid/expired token — request continues as unauthenticated\n }\n }\n },\n });\n\n // ---------------------------------------------------------------------------------------------------------------\n // action:onRequest — resolve user from options, request fork for ALS isolation\n // ---------------------------------------------------------------------------------------------------------------\n\n protected readonly onActionRequest = $hook({\n on: \"action:onRequest\",\n handler: async (data) => {\n if (!data.options.user) return;\n\n let user: UserAccountToken | undefined;\n\n if (typeof data.options.user === \"object\") {\n user = data.options.user;\n } else if (data.options.user === \"system\") {\n user = this.alepha.store.get(\"alepha.security.system.user\");\n } else if (data.options.user === \"context\") {\n const ctx = this.alepha.store.get(\"alepha.http.request\");\n user = ctx?.user;\n }\n\n if (user) {\n data.context = { [currentUserAtom.key]: user };\n }\n },\n });\n\n // ---------------------------------------------------------------------------------------------------------------\n // client:onRequest — automatic test token creation for .fetch()\n // ---------------------------------------------------------------------------------------------------------------\n\n protected createTestUser(): UserAccountToken {\n return {\n id: randomUUID(),\n name: \"Test\",\n roles: this.securityProvider.getRoles().map((role) => role.name),\n };\n }\n\n protected readonly onClientRequest = $hook({\n on: \"client:onRequest\",\n handler: async ({ request, options }) => {\n if (!this.alepha.isTest()) {\n return;\n }\n\n // skip helper if user is explicitly set to undefined\n if (!options.user) {\n return;\n }\n\n request.headers = new Headers(request.headers);\n\n if (!request.headers.has(\"authorization\")) {\n const test = this.createTestUser();\n const user =\n typeof options?.user === \"object\" ? options.user : undefined;\n const sub = user?.id ?? test.id;\n const roles = user?.roles ?? test.roles;\n\n const token = await this.jwtProvider.create(\n {\n sub,\n roles,\n },\n user?.realm ?? this.securityProvider.getRealms()[0]?.name,\n );\n\n request.headers.set(\"authorization\", `Bearer ${token}`);\n }\n },\n });\n}\n\nexport type ServerSecurityUserResolver = (\n request: ServerRequest,\n) => Promise<UserAccountToken | undefined>;\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n readonly name = \"UnauthorizedError\";\n constructor() {\n super(\"Invalid credentials\");\n }\n}\n","import { timingSafeEqual } from \"node:crypto\";\nimport { createMiddleware, type Middleware } from \"alepha\";\nimport { HttpError, type ServerRequest } from \"alepha/server\";\n\nexport interface BasicAuthOptions {\n username: string;\n password: string;\n}\n\n/**\n * Middleware that enforces HTTP Basic Authentication on the request.\n *\n * Works with request context only (HTTP). Reads the `Authorization: Basic` header,\n * validates credentials using timing-safe comparison, and throws 401 if invalid.\n *\n * ```typescript\n * class DevToolsController {\n * dashboard = $action({\n * use: [$basicAuth({ username: \"admin\", password: \"secret\" })],\n * handler: async () => { ... },\n * });\n * }\n * ```\n */\nexport function $basicAuth(options: BasicAuthOptions): Middleware {\n return createMiddleware({\n name: \"$basicAuth\",\n options: options as unknown as Record<string, unknown>,\n handler: ({ alepha, next }) => {\n return async (...args: any[]) => {\n const request = alepha.store.get(\"alepha.http.request\");\n\n if (!request?.headers) {\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n const authHeader = request.headers.authorization;\n\n if (!authHeader?.startsWith(\"Basic \")) {\n sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Authentication required\",\n });\n }\n\n // Decode base64 credentials\n const base64Credentials = authHeader.slice(6);\n const credentials = Buffer.from(base64Credentials, \"base64\").toString(\n \"utf-8\",\n );\n\n // Split only on the first colon to handle passwords with colons\n const colonIndex = credentials.indexOf(\":\");\n const username =\n colonIndex !== -1 ? credentials.slice(0, colonIndex) : credentials;\n const password =\n colonIndex !== -1 ? credentials.slice(colonIndex + 1) : \"\";\n\n // Verify credentials using timing-safe comparison\n const isValid = timingSafeCredentialCheck(\n username,\n password,\n options.username,\n options.password,\n );\n\n if (!isValid) {\n sendAuthRequired(request);\n throw new HttpError({\n status: 401,\n message: \"Invalid credentials\",\n });\n }\n\n return next(...args);\n };\n },\n });\n}\n\n// =====================================================================================================================\n\nfunction sendAuthRequired(request: ServerRequest): void {\n request.reply?.setHeader(\"WWW-Authenticate\", 'Basic realm=\"Secure Area\"');\n}\n\nfunction timingSafeCredentialCheck(\n inputUsername: string,\n inputPassword: string,\n expectedUsername: string,\n expectedPassword: string,\n): boolean {\n const inputUserBuf = Buffer.from(inputUsername, \"utf-8\");\n const expectedUserBuf = Buffer.from(expectedUsername, \"utf-8\");\n const inputPassBuf = Buffer.from(inputPassword, \"utf-8\");\n const expectedPassBuf = Buffer.from(expectedPassword, \"utf-8\");\n\n const userMatch = safeCompare(inputUserBuf, expectedUserBuf);\n const passMatch = safeCompare(inputPassBuf, expectedPassBuf);\n\n // Both must match — bitwise AND avoids short-circuit evaluation\n // eslint-disable-next-line no-bitwise\n return (userMatch & passMatch) === 1;\n}\n\nfunction safeCompare(input: Buffer, expected: Buffer): number {\n if (input.length !== expected.length) {\n timingSafeEqual(input, input);\n return 0;\n }\n return timingSafeEqual(input, expected) ? 1 : 0;\n}\n","import { $context, createMiddleware, type Middleware } from \"alepha\";\nimport { ForbiddenError, UnauthorizedError } from \"alepha/server\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport { SecurityProvider } from \"../providers/SecurityProvider.ts\";\nimport type { Permission } from \"../schemas/permissionSchema.ts\";\n\nexport interface SecureOptions {\n /**\n * Restrict to specific issuers (realms).\n * User must belong to one of the listed issuers.\n */\n issuers?: string[];\n\n /**\n * Required roles. User must have at least one of the listed roles.\n */\n roles?: string[];\n\n /**\n * Required permissions. All must be satisfied.\n */\n permissions?: (string | Permission)[];\n\n /**\n * Custom guard function. Runs after all other checks.\n * Return `false` to deny access.\n */\n guard?: (user: UserAccountToken) => boolean;\n}\n\n/**\n * Middleware that enforces authentication and authorization.\n *\n * Resolves the user from the request context, `currentUserAtom`, or authorization headers.\n * Throws `UnauthorizedError` if no user is resolved, `ForbiddenError` if checks fail.\n * Stores the resolved user in `currentUserAtom` and `request.user` for downstream access.\n *\n * Works across all transports (atom-first resolution):\n * 1. `currentUserAtom` — set by `action.run()` fork, MCP transport, pipelines, jobs\n * 2. `request.user` — set by previous middleware\n * 3. HTTP headers — JWT/API key resolution\n *\n * ## Check Order\n *\n * When multiple options are provided, they are checked in this fixed order.\n * All provided options must pass (AND). Each option has its own logic:\n *\n * 1. **Authentication** — Is there a valid user? → `UnauthorizedError` (401)\n * 2. **Issuers** (OR) — Does the user's realm match at least one? → `ForbiddenError` (403)\n * 3. **Roles** (OR) — Does the user have at least one of the listed roles? → `ForbiddenError` (403)\n * 4. **Permissions** (AND) — Does the user's role grant all listed permissions? → `ForbiddenError` (403)\n * 5. **Guard** — Does the custom function return `true`? → `ForbiddenError` (403)\n *\n * Permissions declared in `$secure()` are auto-created in the permission registry at definition time.\n *\n * ## Browser Behavior\n *\n * On the server, `$secure` throws `UnauthorizedError` or `ForbiddenError`.\n * In the browser, it returns `undefined` instead — the handler is never called.\n *\n * ```typescript\n * class OrderController {\n * getOrders = $action({\n * use: [$secure()],\n * handler: async ({ query }) => { ... },\n * });\n *\n * deleteOrder = $action({\n * use: [$secure({ permissions: [\"orders:delete\"] })],\n * handler: async ({ params }) => { ... },\n * });\n *\n * adminManage = $action({\n * use: [$secure({\n * issuers: [\"main\"],\n * roles: [\"admin\"],\n * permissions: [\"admin:manage\"],\n * guard: (user) => !!user.email,\n * })],\n * handler: () => { ... },\n * });\n * }\n * ```\n */\nexport function $secure(options?: SecureOptions): Middleware {\n const { alepha } = $context();\n const securityProvider = alepha.inject(SecurityProvider);\n\n // Register declared permissions at definition time\n if (options?.permissions?.length) {\n for (const perm of options.permissions) {\n securityProvider.createPermission(perm);\n }\n }\n\n return createMiddleware({\n name: \"$secure\",\n options: (options as unknown as Record<string, unknown>) ?? undefined,\n handler: ({ alepha, next }) => {\n return async (...args: any[]) => {\n let user: UserAccountToken | undefined;\n\n // 1. Atom-first (set by action.run fork, MCP transport, pipelines, jobs)\n user = alepha.store.get(currentUserAtom);\n\n // 2. HTTP request fallback (walks up fork tree to find real HTTP request)\n if (!user) {\n const httpRequest = alepha.store.get(\"alepha.http.request\");\n if (httpRequest) {\n // 2a. request.user (set by previous middleware)\n user = httpRequest.user;\n\n // 2b. Resolve from HTTP headers (JWT/API key)\n if (!user) {\n user = await securityProvider.resolveUserFromServerRequest(\n httpRequest,\n { realm: options?.issuers?.[0] },\n );\n }\n }\n }\n\n // 3. Handle unauthenticated\n if (!user) {\n throw new UnauthorizedError(\"Authentication required\");\n }\n\n // 4. Issuer check (user must belong to one of the listed issuers)\n securityProvider.checkIssuers(user, options?.issuers);\n\n // 5. Role check (user must have at least one of the listed roles)\n if (options?.roles?.length) {\n const hasRole = options.roles.some((role) =>\n user!.roles?.includes(role),\n );\n if (!hasRole) {\n throw new ForbiddenError(\n `One of roles '${options.roles.join(\"', '\")}' required`,\n );\n }\n }\n\n // 6. Explicit permission checks (all must pass)\n if (options?.permissions?.length) {\n for (const perm of options.permissions) {\n const result = securityProvider.checkPermission(\n perm,\n ...(user.roles ?? []),\n );\n if (!result.isAuthorized) {\n throw new ForbiddenError(\n `Permission '${typeof perm === \"string\" ? perm : perm.name}' required`,\n );\n }\n user = { ...user, ownership: result.ownership };\n }\n }\n\n // 7. Custom guard\n if (options?.guard) {\n if (!options.guard(user)) {\n throw new ForbiddenError(\"Access denied\");\n }\n }\n\n // 8. Store user in atom and requests\n securityProvider.storeUserInContext(user);\n\n const httpRequest = alepha.store.get(\"alepha.http.request\", \"current\");\n if (httpRequest) {\n httpRequest.user = user;\n }\n\n const actionRequest = alepha.store.get(\n \"alepha.action.request\",\n \"current\",\n );\n if (actionRequest) {\n actionRequest.user = user;\n }\n\n return next(...args);\n };\n },\n });\n}\n","import { $context, AlephaError } from \"alepha\";\nimport { DateTimeProvider } from \"alepha/datetime\";\nimport type { UserAccount } from \"../schemas/userAccountInfoSchema.ts\";\nimport type { AccessTokenResponse, IssuerPrimitive } from \"./$issuer.ts\";\n\n/**\n * Allow to get an access token for a service account.\n *\n * You have some options to configure the service account:\n * - a OAUTH2 URL using client credentials grant type\n * - a JWT secret shared between the services\n *\n * @example\n * ```ts\n * import { $serviceAccount } from \"alepha/security\";\n *\n * class MyService {\n * serviceAccount = $serviceAccount({\n * oauth2: {\n * url: \"https://example.com/oauth2/token\",\n * clientId: \"your-client-id\",\n * clientSecret: \"your-client-secret\",\n * }\n * });\n *\n * async fetchData() {\n * const token = await this.serviceAccount.token();\n * // or\n * const response = await this.serviceAccount.fetch(\"https://api.example.com/data\");\n * }\n * }\n * ```\n */\nexport const $serviceAccount = (\n options: ServiceAccountPrimitiveOptions,\n): ServiceAccountPrimitive => {\n const { alepha } = $context();\n const store: {\n cache?: AccessTokenResponse;\n } = {};\n const dateTimeProvider = alepha.inject(DateTimeProvider);\n const gracePeriod = options.gracePeriod ?? 30;\n\n const cacheToken = (response: Omit<AccessTokenResponse, \"at\">) => {\n store.cache = {\n ...response,\n issued_at: dateTimeProvider.now().unix(),\n };\n };\n\n const getTokenFromCache = () => {\n if (store.cache) {\n const { access_token, expires_in, issued_at } = store.cache;\n if (!expires_in) {\n return access_token;\n }\n\n const now = dateTimeProvider.now().unix();\n const expires = issued_at + expires_in;\n\n if (expires - gracePeriod > now) {\n return access_token;\n }\n }\n };\n\n if (\"oauth2\" in options) {\n const { url, clientId, clientSecret } = options.oauth2;\n\n const token = async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n let response: Response;\n try {\n response = await fetch(url, {\n method: \"POST\",\n headers: {\n \"Content-Type\": \"application/x-www-form-urlencoded\",\n },\n body: new URLSearchParams({\n grant_type: \"client_credentials\",\n client_id: clientId,\n client_secret: clientSecret,\n }),\n });\n } catch (error) {\n throw new AlephaError(\n `Failed to fetch access token from ${url}: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Check HTTP status\n if (!response.ok) {\n let errorMessage = `HTTP ${response.status} ${response.statusText}`;\n try {\n const errorBody = await response.text();\n errorMessage += `: ${errorBody}`;\n } catch {\n // Ignore error reading body\n }\n throw new AlephaError(`Failed to fetch access token: ${errorMessage}`);\n }\n\n // Parse JSON response\n let json: any;\n try {\n json = await response.json();\n } catch (error) {\n throw new AlephaError(\n `Failed to parse access token response as JSON: ${error instanceof Error ? error.message : String(error)}`,\n );\n }\n\n // Validate response structure\n if (!json.access_token || !json.expires_in) {\n throw new AlephaError(\n `Invalid access token response: missing access_token or expires_in. Response: ${JSON.stringify(json)}`,\n );\n }\n\n cacheToken(json);\n\n return json.access_token;\n };\n\n return {\n token,\n };\n }\n\n return {\n token: async () => {\n const tokenFromCache = getTokenFromCache();\n if (tokenFromCache) {\n return tokenFromCache;\n }\n\n const token = await options.issuer.createToken(options.user);\n\n cacheToken({\n ...token,\n issued_at: dateTimeProvider.now().unix(),\n });\n\n return token.access_token;\n },\n };\n};\n\nexport type ServiceAccountPrimitiveOptions = {\n gracePeriod?: number; // Grace period in seconds before token expiration\n} & (\n | {\n oauth2: Oauth2ServiceAccountPrimitiveOptions;\n }\n | {\n issuer: IssuerPrimitive;\n user: UserAccount;\n }\n);\n\nexport interface Oauth2ServiceAccountPrimitiveOptions {\n /**\n * Get Token URL.\n */\n url: string;\n\n /**\n * Client ID.\n */\n clientId: string;\n\n /**\n * Client Secret.\n */\n clientSecret: string;\n}\n\nexport interface ServiceAccountPrimitive {\n token: () => Promise<string>;\n}\n\nexport interface ServiceAccountStore {\n response?: AccessTokenResponse;\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n\n group: t.optional(\n t.text({\n description: \"Group of the permission.\",\n }),\n ),\n\n description: t.optional(\n t.text({\n description: \"Describe the permission.\",\n }),\n ),\n\n // HTTP Only\n\n method: t.optional(\n t.text({\n description: \"HTTP method of the permission. When available.\",\n }),\n ),\n\n path: t.optional(\n t.text({\n description: \"Pathname of the permission. When available.\",\n }),\n ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n name: t.text({\n description: \"Name of the role.\",\n }),\n\n description: t.optional(\n t.text({\n description: \"Describe the role.\",\n }),\n ),\n\n default: t.optional(\n t.boolean({\n description:\n \"If true, this role will be assigned to all users by default.\",\n }),\n ),\n\n permissions: t.array(\n t.object({\n name: t.text({\n description: \"Name of the permission.\",\n }),\n ownership: t.optional(\n t.boolean({\n description:\n \"If true, user will only have access to it's own resources.\",\n }),\n ),\n exclude: t.optional(\n t.array(t.text(), {\n description:\n \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n }),\n ),\n }),\n ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module } from \"alepha\";\nimport type { FetchOptions } from \"alepha/server\";\nimport { currentUserAtom } from \"./atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"./interfaces/UserAccountToken.ts\";\nimport { $issuer } from \"./primitives/$issuer.ts\";\nimport { $permission } from \"./primitives/$permission.ts\";\nimport { $role } from \"./primitives/$role.ts\";\nimport { JwtProvider } from \"./providers/JwtProvider.ts\";\nimport { SecurityProvider } from \"./providers/SecurityProvider.ts\";\nimport { ServerSecurityProvider } from \"./providers/ServerSecurityProvider.ts\";\nimport type { UserAccount } from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"alepha/crypto\";\nexport * from \"./atoms/currentUserAtom.ts\";\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/IssuerResolver.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$basicAuth.ts\";\nexport * from \"./primitives/$issuer.ts\";\nexport * from \"./primitives/$permission.ts\";\nexport * from \"./primitives/$role.ts\";\nexport * from \"./primitives/$secure.ts\";\nexport * from \"./primitives/$serviceAccount.ts\";\nexport * from \"./providers/JwtProvider.ts\";\nexport * from \"./providers/SecurityProvider.ts\";\nexport * from \"./providers/ServerSecurityProvider.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\ndeclare module \"alepha\" {\n interface Hooks {\n \"security:user:created\": {\n realm: string;\n user: UserAccount;\n };\n }\n\n interface State {\n /**\n * Real (or fake) user account, used for internal actions.\n *\n * If you define this, you assume that all actions are executed by this user by default.\n * > To force a different user, you need to pass it explicitly in the options.\n */\n \"alepha.security.system.user\"?: UserAccountToken;\n\n /**\n * The current authenticated user.\n */\n \"alepha.security.user\"?: UserAccount;\n }\n}\n\ndeclare module \"alepha/server\" {\n interface ServerRequest<TConfig> {\n user?: UserAccountToken; // for all routes, user is maybe present\n }\n\n interface ServerActionRequest<TConfig> {\n user: UserAccountToken; // for actions, user is always present\n }\n\n interface ClientRequestOptions extends FetchOptions {\n /**\n * Forward user from the previous request.\n * If \"system\", use system user. @see {ServerSecurityProvider.localSystemUser}\n * If \"context\", use the user from the current context (e.g. request).\n *\n * @default \"system\" if provided, else \"context\" if available.\n */\n user?: UserAccountToken | \"system\" | \"context\";\n }\n}\n\n// ---------------------------------------------------------------------------------------------------------------------\n\n/**\n * Complete authentication and authorization system with JWT, RBAC, and multi-issuer support.\n *\n * **Features:**\n * - JWT token issuer with role definitions\n * - Role-based access control (RBAC)\n * - Fine-grained permissions\n * - HTTP Basic Authentication\n * - Service-to-service authentication\n * - Multi-issuer support for federated auth\n * - JWKS (JSON Web Key Set) for external issuers\n * - Token refresh logic\n * - User profile extraction from JWT\n *\n * @module alepha.security\n */\nexport const AlephaSecurity = $module({\n name: \"alepha.security\",\n primitives: [$issuer, $role, $permission],\n atoms: [currentUserAtom],\n services: [SecurityProvider, JwtProvider, ServerSecurityProvider],\n});\n"],"x_google_ignoreList":[3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27],"mappings":";;;;;;;;AAGA,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,cAAc,EAAE,SACd,EAAE,KAAK,EACL,aAAa,qCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,uDACd,CAAC,CACH;CACF,CAAC;;;;;;;;;ACjDF,MAAa,kBAAkB,MAAM;CACnC,MAAM;CACN,QAAQ,EAAE,SAAS,sBAAsB;CAC1C,CAAC;;;ACZF,IAAa,gBAAb,cAAmC,MAAM;CACvC,OAAc;CACd,SAAyB;;;;ACF3B,MAAa,UAAU,IAAI,aAAa;AACxC,MAAa,UAAU,IAAI,aAAa;AAExC,SAAgB,OAAO,GAAG,SAAS;CAC/B,MAAM,OAAO,QAAQ,QAAQ,KAAK,EAAE,aAAa,MAAM,QAAQ,EAAE;CACjE,MAAM,MAAM,IAAI,WAAW,KAAK;CAChC,IAAI,IAAI;CACR,KAAK,MAAM,UAAU,SAAS;EAC1B,IAAI,IAAI,QAAQ,EAAE;EAClB,KAAK,OAAO;;CAEhB,OAAO;;AAqBX,SAAgBA,SAAO,QAAQ;CAC3B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;CAC3C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;EACpC,MAAM,OAAO,OAAO,WAAW,EAAE;EACjC,IAAI,OAAO,KACP,MAAM,IAAI,UAAU,2CAA2C;EAEnE,MAAM,KAAK;;CAEf,OAAO;;;;ACzCX,SAAgB,aAAa,OAAO;CAChC,IAAI,WAAW,UAAU,UACrB,OAAO,MAAM,UAAU;CAE3B,MAAM,aAAa;CACnB,MAAM,MAAM,EAAE;CACd,KAAK,IAAI,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK,YACnC,IAAI,KAAK,OAAO,aAAa,MAAM,MAAM,MAAM,SAAS,GAAG,IAAI,WAAW,CAAC,CAAC;CAEhF,OAAO,KAAK,IAAI,KAAK,GAAG,CAAC;;AAE7B,SAAgB,aAAa,SAAS;CAClC,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,QAAQ;CAEzC,MAAM,SAAS,KAAK,QAAQ;CAC5B,MAAM,QAAQ,IAAI,WAAW,OAAO,OAAO;CAC3C,KAAK,IAAI,IAAI,GAAG,IAAI,OAAO,QAAQ,KAC/B,MAAM,KAAK,OAAO,WAAW,EAAE;CAEnC,OAAO;;;;AClBX,SAAgB,OAAO,OAAO;CAC1B,IAAI,WAAW,YACX,OAAO,WAAW,WAAW,OAAO,UAAU,WAAW,QAAQ,QAAQ,OAAO,MAAM,EAAE,EACpF,UAAU,aACb,CAAC;CAEN,IAAI,UAAU;CACd,IAAI,mBAAmB,YACnB,UAAU,QAAQ,OAAO,QAAQ;CAErC,UAAU,QAAQ,QAAQ,MAAM,IAAI,CAAC,QAAQ,MAAM,IAAI;CACvD,IAAI;EACA,OAAO,aAAa,QAAQ;SAE1B;EACF,MAAM,IAAI,UAAU,oDAAoD;;;AAGhF,SAAgB,OAAO,OAAO;CAC1B,IAAI,YAAY;CAChB,IAAI,OAAO,cAAc,UACrB,YAAY,QAAQ,OAAO,UAAU;CAEzC,IAAI,WAAW,UAAU,UACrB,OAAO,UAAU,SAAS;EAAE,UAAU;EAAa,aAAa;EAAM,CAAC;CAE3E,OAAO,aAAa,UAAU,CAAC,QAAQ,MAAM,GAAG,CAAC,QAAQ,OAAO,IAAI,CAAC,QAAQ,OAAO,IAAI;;;;AC5B5F,MAAM,YAAY,MAAM,OAAO,qCAAqB,IAAI,UAAU,kDAAkD,KAAK,WAAW,OAAO;AAC3I,MAAM,eAAe,WAAW,SAAS,UAAU,SAAS;AAC5D,SAAS,cAAc,MAAM;CACzB,OAAO,SAAS,KAAK,KAAK,MAAM,EAAE,EAAE,GAAG;;AAE3C,SAAS,gBAAgB,WAAW,UAAU;CAE1C,IADe,cAAc,UAAU,KAC7B,KAAK,UACX,MAAM,SAAS,OAAO,YAAY,iBAAiB;;AAE3D,SAAS,cAAc,KAAK;CACxB,QAAQ,KAAR;EACI,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,KAAK,SACD,OAAO;EACX,SACI,MAAM,IAAI,MAAM,cAAc;;;AAG1C,SAAS,WAAW,KAAK,OAAO;CAC5B,IAAI,SAAS,CAAC,IAAI,OAAO,SAAS,MAAM,EACpC,MAAM,IAAI,UAAU,sEAAsE,MAAM,GAAG;;AAG3G,SAAgB,kBAAkB,KAAK,KAAK,OAAO;CAC/C,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,OAAO,EACnC,MAAM,SAAS,OAAO;GAC1B,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;GAC1D;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,oBAAoB,EAChD,MAAM,SAAS,oBAAoB;GACvC,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;GAC1D;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,UAAU,EACtC,MAAM,SAAS,UAAU;GAC7B,gBAAgB,IAAI,WAAW,SAAS,IAAI,MAAM,EAAE,EAAE,GAAG,CAAC;GAC1D;EAEJ,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,UAAU,EACtC,MAAM,SAAS,UAAU;GAC7B;EAEJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,CAAC,YAAY,IAAI,WAAW,IAAI,EAChC,MAAM,SAAS,IAAI;GACvB;EAEJ,KAAK;EACL,KAAK;EACL,KAAK,SAAS;GACV,IAAI,CAAC,YAAY,IAAI,WAAW,QAAQ,EACpC,MAAM,SAAS,QAAQ;GAC3B,MAAM,WAAW,cAAc,IAAI;GAEnC,IADe,IAAI,UAAU,eACd,UACX,MAAM,SAAS,UAAU,uBAAuB;GACpD;;EAEJ,SACI,MAAM,IAAI,UAAU,4CAA4C;;CAExE,WAAW,KAAK,MAAM;;;;AChF1B,SAAS,QAAQ,KAAK,QAAQ,GAAG,OAAO;CACpC,QAAQ,MAAM,OAAO,QAAQ;CAC7B,IAAI,MAAM,SAAS,GAAG;EAClB,MAAM,OAAO,MAAM,KAAK;EACxB,OAAO,eAAe,MAAM,KAAK,KAAK,CAAC,OAAO,KAAK;QAElD,IAAI,MAAM,WAAW,GACtB,OAAO,eAAe,MAAM,GAAG,MAAM,MAAM,GAAG;MAG9C,OAAO,WAAW,MAAM,GAAG;CAE/B,IAAI,UAAU,MACV,OAAO,aAAa;MAEnB,IAAI,OAAO,WAAW,cAAc,OAAO,MAC5C,OAAO,sBAAsB,OAAO;MAEnC,IAAI,OAAO,WAAW,YAAY,UAAU;MACzC,OAAO,aAAa,MACpB,OAAO,4BAA4B,OAAO,YAAY;;CAG9D,OAAO;;AAEX,MAAa,mBAAmB,QAAQ,GAAG,UAAU,QAAQ,gBAAgB,QAAQ,GAAG,MAAM;AAC9F,MAAa,WAAW,KAAK,QAAQ,GAAG,UAAU,QAAQ,eAAe,IAAI,sBAAsB,QAAQ,GAAG,MAAM;;;AC1BpH,IAAa,YAAb,cAA+B,MAAM;CACjC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,SAAS,SAAS;EAC1B,MAAM,SAAS,QAAQ;EACvB,KAAK,OAAO,KAAK,YAAY;EAC7B,MAAM,oBAAoB,MAAM,KAAK,YAAY;;;AAGzD,IAAa,2BAAb,cAA8C,UAAU;CACpD,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;EACzE,MAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;EACrD,KAAK,QAAQ;EACb,KAAK,SAAS;EACd,KAAK,UAAU;;;AAGvB,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;CACP;CACA;CACA;CACA,YAAY,SAAS,SAAS,QAAQ,eAAe,SAAS,eAAe;EACzE,MAAM,SAAS,EAAE,OAAO;GAAE;GAAO;GAAQ;GAAS,EAAE,CAAC;EACrD,KAAK,QAAQ;EACb,KAAK,SAAS;EACd,KAAK,UAAU;;;AAGvB,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,mBAAb,cAAsC,UAAU;CAC5C,OAAO,OAAO;CACd,OAAO;;AAaX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,aAAb,cAAgC,UAAU;CACtC,OAAO,OAAO;CACd,OAAO;;AAMX,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;;AAEX,IAAa,oBAAb,cAAuC,UAAU;CAC7C,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,mDAAmD,SAAS;EAC9E,MAAM,SAAS,QAAQ;;;AAG/B,IAAa,2BAAb,cAA8C,UAAU;CACpD,CAAC,OAAO;CACR,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,wDAAwD,SAAS;EACnF,MAAM,SAAS,QAAQ;;;AAG/B,IAAa,cAAb,cAAiC,UAAU;CACvC,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,qBAAqB,SAAS;EAChD,MAAM,SAAS,QAAQ;;;AAG/B,IAAa,iCAAb,cAAoD,UAAU;CAC1D,OAAO,OAAO;CACd,OAAO;CACP,YAAY,UAAU,iCAAiC,SAAS;EAC5D,MAAM,SAAS,QAAQ;;;;;AC3F/B,MAAa,eAAe,QAAQ;CAChC,IAAI,MAAM,OAAO,iBAAiB,aAC9B,OAAO;CACX,IAAI;EACA,OAAO,eAAe;SAEpB;EACF,OAAO;;;AAGf,MAAa,eAAe,QAAQ,MAAM,OAAO,iBAAiB;AAClE,MAAa,aAAa,QAAQ,YAAY,IAAI,IAAI,YAAY,IAAI;;;ACdtE,SAAgB,aAAa,OAAO,MAAM;CACtC,IAAI,OACA,MAAM,IAAI,UAAU,GAAG,KAAK,0BAA0B;;AAG9D,SAAgB,gBAAgB,OAAO,OAAO,YAAY;CACtD,IAAI;EACA,OAAO,OAAO,MAAM;SAElB;EACF,MAAM,IAAI,WAAW,kCAAkC,QAAQ;;;;;ACZvE,MAAM,gBAAgB,UAAU,OAAO,UAAU,YAAY,UAAU;AACvE,SAAgB,SAAS,OAAO;CAC5B,IAAI,CAAC,aAAa,MAAM,IAAI,OAAO,UAAU,SAAS,KAAK,MAAM,KAAK,mBAClE,OAAO;CAEX,IAAI,OAAO,eAAe,MAAM,KAAK,MACjC,OAAO;CAEX,IAAI,QAAQ;CACZ,OAAO,OAAO,eAAe,MAAM,KAAK,MACpC,QAAQ,OAAO,eAAe,MAAM;CAExC,OAAO,OAAO,eAAe,MAAM,KAAK;;AAE5C,SAAgB,WAAW,GAAG,SAAS;CACnC,MAAM,UAAU,QAAQ,OAAO,QAAQ;CACvC,IAAI,QAAQ,WAAW,KAAK,QAAQ,WAAW,GAC3C,OAAO;CAEX,IAAI;CACJ,KAAK,MAAM,UAAU,SAAS;EAC1B,MAAM,aAAa,OAAO,KAAK,OAAO;EACtC,IAAI,CAAC,OAAO,IAAI,SAAS,GAAG;GACxB,MAAM,IAAI,IAAI,WAAW;GACzB;;EAEJ,KAAK,MAAM,aAAa,YAAY;GAChC,IAAI,IAAI,IAAI,UAAU,EAClB,OAAO;GAEX,IAAI,IAAI,UAAU;;;CAG1B,OAAO;;AAEX,MAAa,SAAS,QAAQ,SAAS,IAAI,IAAI,OAAO,IAAI,QAAQ;AAClE,MAAa,gBAAgB,QAAQ,IAAI,QAAQ,UAC3C,IAAI,QAAQ,SAAS,OAAO,IAAI,SAAS,YAAa,OAAO,IAAI,MAAM;AAC7E,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,IAAI,MAAM,KAAA,KAAa,IAAI,SAAS,KAAA;AAC7F,MAAa,eAAe,QAAQ,IAAI,QAAQ,SAAS,OAAO,IAAI,MAAM;;;ACpC1E,SAAgB,eAAe,KAAK,KAAK;CACrC,IAAI,IAAI,WAAW,KAAK,IAAI,IAAI,WAAW,KAAK,EAAE;EAC9C,MAAM,EAAE,kBAAkB,IAAI;EAC9B,IAAI,OAAO,kBAAkB,YAAY,gBAAgB,MACrD,MAAM,IAAI,UAAU,GAAG,IAAI,uDAAuD;;;AAI9F,SAAS,gBAAgB,KAAK,WAAW;CACrC,MAAM,OAAO,OAAO,IAAI,MAAM,GAAG;CACjC,QAAQ,KAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAQ;EACjC,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAW,YAAY,SAAS,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;GAAG;EAClF,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAqB;EAC9C,KAAK;EACL,KAAK;EACL,KAAK,SACD,OAAO;GAAE;GAAM,MAAM;GAAS,YAAY,UAAU;GAAY;EACpE,KAAK;EACL,KAAK,SACD,OAAO,EAAE,MAAM,WAAW;EAC9B,KAAK;EACL,KAAK;EACL,KAAK,aACD,OAAO,EAAE,MAAM,KAAK;EACxB,SACI,MAAM,IAAI,iBAAiB,OAAO,IAAI,6DAA6D;;;AAG/G,eAAe,UAAU,KAAK,KAAK,OAAO;CACtC,IAAI,eAAe,YAAY;EAC3B,IAAI,CAAC,IAAI,WAAW,KAAK,EACrB,MAAM,IAAI,UAAU,gBAAgB,KAAK,aAAa,aAAa,eAAe,CAAC;EAEvF,OAAO,OAAO,OAAO,UAAU,OAAO,KAAK;GAAE,MAAM,OAAO,IAAI,MAAM,GAAG;GAAI,MAAM;GAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;;CAE9G,kBAAkB,KAAK,KAAK,MAAM;CAClC,OAAO;;AAEX,eAAsB,KAAK,KAAK,KAAK,MAAM;CACvC,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,OAAO;CACnD,eAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,MAAM,OAAO,OAAO,KAAK,gBAAgB,KAAK,UAAU,UAAU,EAAE,WAAW,KAAK;CACtG,OAAO,IAAI,WAAW,UAAU;;AAEpC,eAAsB,OAAO,KAAK,KAAK,WAAW,MAAM;CACpD,MAAM,YAAY,MAAM,UAAU,KAAK,KAAK,SAAS;CACrD,eAAe,KAAK,UAAU;CAC9B,MAAM,YAAY,gBAAgB,KAAK,UAAU,UAAU;CAC3D,IAAI;EACA,OAAO,MAAM,OAAO,OAAO,OAAO,WAAW,WAAW,WAAW,KAAK;SAEtE;EACF,OAAO;;;;;AChEf,MAAM,iBAAiB;AACvB,SAAS,cAAc,KAAK;CACxB,IAAI;CACJ,IAAI;CACJ,QAAQ,IAAI,KAAZ;EACI,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,KAAK;KAC7B,YAAY,IAAI,OAAO,CAAC,OAAO,GAAG,CAAC,SAAS;KAC5C;IACJ,SACI,MAAM,IAAI,iBAAiB,eAAe;;GAElD;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAW,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;KACjE,YAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;KACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAqB,MAAM,OAAO,IAAI,IAAI,MAAM,GAAG;MAAI;KAC3E,YAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;KACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,MAAM,OAAO,SAAS,IAAI,IAAI,MAAM,GAAG,EAAE,GAAG,IAAI;MACnD;KACD,YAAY,IAAI,IAAI,CAAC,WAAW,YAAY,GAAG,CAAC,WAAW,UAAU;KACrE;IACJ,SACI,MAAM,IAAI,iBAAiB,eAAe;;GAElD;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MACR,MAAM;MACN,YAAY;OAAE,OAAO;OAAS,OAAO;OAAS,OAAO;OAAS,CAAC,IAAI;MACtE;KACD,YAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;KACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY;MAAE,MAAM;MAAQ,YAAY,IAAI;MAAK;KACjD,YAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;KACvC;IACJ,SACI,MAAM,IAAI,iBAAiB,eAAe;;GAElD;EAEJ,KAAK;GACD,QAAQ,IAAI,KAAZ;IACI,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,WAAW;KAC/B,YAAY,IAAI,IAAI,CAAC,OAAO,GAAG,CAAC,SAAS;KACzC;IACJ,KAAK;IACL,KAAK;IACL,KAAK;IACL,KAAK;KACD,YAAY,EAAE,MAAM,IAAI,KAAK;KAC7B,YAAY,IAAI,IAAI,CAAC,aAAa,GAAG,EAAE;KACvC;IACJ,SACI,MAAM,IAAI,iBAAiB,eAAe;;GAElD;EAEJ,SACI,MAAM,IAAI,iBAAiB,gEAA8D;;CAEjG,OAAO;EAAE;EAAW;EAAW;;AAEnC,eAAsB,SAAS,KAAK;CAChC,IAAI,CAAC,IAAI,KACL,MAAM,IAAI,UAAU,+DAA2D;CAEnF,MAAM,EAAE,WAAW,cAAc,cAAc,IAAI;CACnD,MAAM,UAAU,EAAE,GAAG,KAAK;CAC1B,IAAI,QAAQ,QAAQ,OAChB,OAAO,QAAQ;CAEnB,OAAO,QAAQ;CACf,OAAO,OAAO,OAAO,UAAU,OAAO,SAAS,WAAW,IAAI,QAAQ,IAAI,KAAK,IAAI,OAAO,QAAQ,OAAO,IAAI,WAAW,UAAU;;;;ACrGtI,MAAM,iBAAiB;AACvB,IAAI;AACJ,MAAM,YAAY,OAAO,KAAK,KAAK,KAAK,SAAS,UAAU;CACvD,0BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,IAAI;CAC3B,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,YAAY,MAAM,SAAS;EAAE,GAAG;EAAK;EAAK,CAAC;CACjD,IAAI,QACA,OAAO,OAAO,IAAI;CACtB,IAAI,CAAC,QACD,MAAM,IAAI,KAAK,GAAG,MAAM,WAAW,CAAC;MAGpC,OAAO,OAAO;CAElB,OAAO;;AAEX,MAAM,mBAAmB,WAAW,QAAQ;CACxC,0BAAU,IAAI,SAAS;CACvB,IAAI,SAAS,MAAM,IAAI,UAAU;CACjC,IAAI,SAAS,MACT,OAAO,OAAO;CAElB,MAAM,WAAW,UAAU,SAAS;CACpC,MAAM,cAAc,WAAW,OAAO;CACtC,IAAI;CACJ,IAAI,UAAU,sBAAsB,UAAU;EAC1C,QAAQ,KAAR;GACI,KAAK;GACL,KAAK;GACL,KAAK;GACL,KAAK,kBACD;GACJ,SACI,MAAM,IAAI,UAAU,eAAe;;EAE3C,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;CAE/G,IAAI,UAAU,sBAAsB,WAAW;EAC3C,IAAI,QAAQ,WAAW,QAAQ,WAC3B,MAAM,IAAI,UAAU,eAAe;EAEvC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;CAEN,QAAQ,UAAU,mBAAlB;EACI,KAAK;EACL,KAAK;EACL,KAAK;GACD,IAAI,QAAQ,UAAU,kBAAkB,aAAa,EACjD,MAAM,IAAI,UAAU,eAAe;GAEvC,YAAY,UAAU,YAAY,UAAU,mBAAmB,aAAa,CACxE,WAAW,WAAW,OACzB,CAAC;;CAGV,IAAI,UAAU,sBAAsB,OAAO;EACvC,IAAI;EACJ,QAAQ,KAAR;GACI,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,KAAK;GACL,KAAK;GACL,KAAK;IACD,OAAO;IACP;GACJ,SACI,MAAM,IAAI,UAAU,eAAe;;EAE3C,IAAI,IAAI,WAAW,WAAW,EAC1B,OAAO,UAAU,YAAY;GACzB,MAAM;GACN;GACH,EAAE,aAAa,WAAW,CAAC,UAAU,GAAG,CAAC,UAAU,CAAC;EAEzD,YAAY,UAAU,YAAY;GAC9B,MAAM,IAAI,WAAW,KAAK,GAAG,YAAY;GACzC;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;;CAEnD,IAAI,UAAU,sBAAsB,MAAM;EAMtC,MAAM,aAAa,IALF,IAAI;GACjB,CAAC,cAAc,QAAQ;GACvB,CAAC,aAAa,QAAQ;GACtB,CAAC,aAAa,QAAQ;GACzB,CACsB,CAAC,IAAI,UAAU,sBAAsB,WAAW;EACvE,IAAI,CAAC,YACD,MAAM,IAAI,UAAU,eAAe;EAEvC,MAAM,gBAAgB;GAAE,OAAO;GAAS,OAAO;GAAS,OAAO;GAAS;EACxE,IAAI,cAAc,QAAQ,eAAe,cAAc,MACnD,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,CAAC,WAAW,WAAW,OAAO,CAAC;EAEnD,IAAI,IAAI,WAAW,UAAU,EACzB,YAAY,UAAU,YAAY;GAC9B,MAAM;GACN;GACH,EAAE,aAAa,WAAW,EAAE,GAAG,CAAC,aAAa,CAAC;;CAGvD,IAAI,CAAC,WACD,MAAM,IAAI,UAAU,eAAe;CAEvC,IAAI,CAAC,QACD,MAAM,IAAI,WAAW,GAAG,MAAM,WAAW,CAAC;MAG1C,OAAO,OAAO;CAElB,OAAO;;AAEX,eAAsB,aAAa,KAAK,KAAK;CACzC,IAAI,eAAe,YACf,OAAO;CAEX,IAAI,YAAY,IAAI,EAChB,OAAO;CAEX,IAAI,YAAY,IAAI,EAAE;EAClB,IAAI,IAAI,SAAS,UACb,OAAO,IAAI,QAAQ;EAEvB,IAAI,iBAAiB,OAAO,OAAO,IAAI,gBAAgB,YACnD,IAAI;GACA,OAAO,gBAAgB,KAAK,IAAI;WAE7B,KAAK;GACR,IAAI,eAAe,WACf,MAAM;;EAKlB,OAAO,UAAU,KADP,IAAI,OAAO,EAAE,QAAQ,OAAO,CACb,EAAE,IAAI;;CAEnC,IAAI,MAAM,IAAI,EAAE;EACZ,IAAI,IAAI,GACJ,OAAO,OAAO,IAAI,EAAE;EAExB,OAAO,UAAU,KAAK,KAAK,KAAK,KAAK;;CAEzC,MAAM,IAAI,MAAM,cAAc;;;;AC7IlC,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,IAAI,CAAC,SAAS,IAAI,EACd,MAAM,IAAI,UAAU,wBAAwB;CAEhD,IAAI;CACJ,QAAQ,IAAI;CACZ,QAAQ,SAAS,eAAe,IAAI;CACpC,QAAQ,IAAI,KAAZ;EACI,KAAK;GACD,IAAI,OAAO,IAAI,MAAM,YAAY,CAAC,IAAI,GAClC,MAAM,IAAI,UAAU,4CAA0C;GAElE,OAAOC,OAAgB,IAAI,EAAE;EACjC,KAAK;GACD,IAAI,SAAS,OAAO,IAAI,QAAQ,KAAA,GAC5B,MAAM,IAAI,iBAAiB,uEAAqE;GAEpG,OAAO,SAAS;IAAE,GAAG;IAAK;IAAK;IAAK,CAAC;EACzC,KAAK;GACD,IAAI,OAAO,IAAI,QAAQ,YAAY,CAAC,IAAI,KACpC,MAAM,IAAI,UAAU,8CAA4C;GAEpE,IAAI,QAAQ,KAAA,KAAa,QAAQ,IAAI,KACjC,MAAM,IAAI,UAAU,wCAAwC;GAEhE,OAAO,SAAS;IAAE,GAAG;IAAK;IAAK,CAAC;EAEpC,KAAK;EACL,KAAK,OACD,OAAO,SAAS;GAAE,GAAG;GAAK;GAAK;GAAK,CAAC;EACzC,SACI,MAAM,IAAI,iBAAiB,iDAA+C;;;;;ACrDtF,SAAgB,aAAa,KAAK,mBAAmB,kBAAkB,iBAAiB,YAAY;CAChG,IAAI,WAAW,SAAS,KAAA,KAAa,iBAAiB,SAAS,KAAA,GAC3D,MAAM,IAAI,IAAI,mEAAiE;CAEnF,IAAI,CAAC,mBAAmB,gBAAgB,SAAS,KAAA,GAC7C,uBAAO,IAAI,KAAK;CAEpB,IAAI,CAAC,MAAM,QAAQ,gBAAgB,KAAK,IACpC,gBAAgB,KAAK,WAAW,KAChC,gBAAgB,KAAK,MAAM,UAAU,OAAO,UAAU,YAAY,MAAM,WAAW,EAAE,EACrF,MAAM,IAAI,IAAI,0FAAwF;CAE1G,IAAI;CACJ,IAAI,qBAAqB,KAAA,GACrB,aAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQ,iBAAiB,EAAE,GAAG,kBAAkB,SAAS,CAAC,CAAC;MAG3F,aAAa;CAEjB,KAAK,MAAM,aAAa,gBAAgB,MAAM;EAC1C,IAAI,CAAC,WAAW,IAAI,UAAU,EAC1B,MAAM,IAAI,iBAAiB,+BAA+B,UAAU,qBAAqB;EAE7F,IAAI,WAAW,eAAe,KAAA,GAC1B,MAAM,IAAI,IAAI,+BAA+B,UAAU,cAAc;EAEzE,IAAI,WAAW,IAAI,UAAU,IAAI,gBAAgB,eAAe,KAAA,GAC5D,MAAM,IAAI,IAAI,+BAA+B,UAAU,+BAA+B;;CAG9F,OAAO,IAAI,IAAI,gBAAgB,KAAK;;;;AC/BxC,SAAgB,mBAAmB,QAAQ,YAAY;CACnD,IAAI,eAAe,KAAA,MACd,CAAC,MAAM,QAAQ,WAAW,IAAI,WAAW,MAAM,MAAM,OAAO,MAAM,SAAS,GAC5E,MAAM,IAAI,UAAU,IAAI,OAAO,sCAAsC;CAEzE,IAAI,CAAC,YACD;CAEJ,OAAO,IAAI,IAAI,WAAW;;;;ACL9B,MAAM,OAAO,QAAQ,MAAM,OAAO;AAClC,MAAM,gBAAgB,KAAK,KAAK,UAAU;CACtC,IAAI,IAAI,QAAQ,KAAA,GAAW;EACvB,IAAI;EACJ,QAAQ,OAAR;GACI,KAAK;GACL,KAAK;IACD,WAAW;IACX;GACJ,KAAK;GACL,KAAK;IACD,WAAW;IACX;;EAER,IAAI,IAAI,QAAQ,UACZ,MAAM,IAAI,UAAU,sDAAsD,SAAS,gBAAgB;;CAG3G,IAAI,IAAI,QAAQ,KAAA,KAAa,IAAI,QAAQ,KACrC,MAAM,IAAI,UAAU,sDAAsD,IAAI,gBAAgB;CAElG,IAAI,MAAM,QAAQ,IAAI,QAAQ,EAAE;EAC5B,IAAI;EACJ,QAAQ,MAAR;GACI,KAAK,UAAU,UAAU,UAAU;GACnC,KAAK,QAAQ;GACb,KAAK,IAAI,SAAS,SAAS;IACvB,gBAAgB;IAChB;GACJ,KAAK,IAAI,WAAW,QAAQ;IACxB,gBAAgB;IAChB;GACJ,KAAK,0BAA0B,KAAK,IAAI;IACpC,IAAI,CAAC,IAAI,SAAS,MAAM,IAAI,IAAI,SAAS,KAAK,EAC1C,gBAAgB,UAAU,YAAY,YAAY;SAGlD,gBAAgB;IAEpB;GACJ,KAAK,UAAU,aAAa,IAAI,WAAW,MAAM;IAC7C,gBAAgB;IAChB;GACJ,KAAK,UAAU;IACX,gBAAgB,IAAI,WAAW,MAAM,GAAG,cAAc;IACtD;;EAER,IAAI,iBAAiB,IAAI,SAAS,WAAW,cAAc,KAAK,OAC5D,MAAM,IAAI,UAAU,+DAA+D,cAAc,gBAAgB;;CAGzH,OAAO;;AAEX,MAAM,sBAAsB,KAAK,KAAK,UAAU;CAC5C,IAAI,eAAe,YACf;CACJ,IAAIC,MAAU,IAAI,EAAE;EAChB,IAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,EACrD;EACJ,MAAM,IAAI,UAAU,0HAA0H;;CAElJ,IAAI,CAAC,UAAU,IAAI,EACf,MAAM,IAAI,UAAUC,QAAgB,KAAK,KAAK,aAAa,aAAa,gBAAgB,aAAa,CAAC;CAE1G,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,8DAA8D;;AAGtG,MAAM,uBAAuB,KAAK,KAAK,UAAU;CAC7C,IAAIF,MAAU,IAAI,EACd,QAAQ,OAAR;EACI,KAAK;EACL,KAAK;GACD,IAAIG,aAAiB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,EACtD;GACJ,MAAM,IAAI,UAAU,wDAAwD;EAChF,KAAK;EACL,KAAK;GACD,IAAIC,YAAgB,IAAI,IAAI,aAAa,KAAK,KAAK,MAAM,EACrD;GACJ,MAAM,IAAI,UAAU,uDAAuD;;CAGvF,IAAI,CAAC,UAAU,IAAI,EACf,MAAM,IAAI,UAAUF,QAAgB,KAAK,KAAK,aAAa,aAAa,eAAe,CAAC;CAE5F,IAAI,IAAI,SAAS,UACb,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,mEAAmE;CAEvG,IAAI,IAAI,SAAS,UACb,QAAQ,OAAR;EACI,KAAK,QACD,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,uEAAuE;EAC3G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,0EAA0E;;CAGtH,IAAI,IAAI,SAAS,WACb,QAAQ,OAAR;EACI,KAAK,UACD,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,wEAAwE;EAC5G,KAAK,WACD,MAAM,IAAI,UAAU,GAAG,IAAI,IAAI,CAAC,yEAAyE;;;AAIzH,SAAgB,aAAa,KAAK,KAAK,OAAO;CAC1C,QAAQ,IAAI,UAAU,GAAG,EAAE,EAA3B;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,mBAAmB,KAAK,KAAK,MAAM;GACnC;EACJ,SACI,oBAAoB,KAAK,KAAK,MAAM;;;;;AC5GhD,eAAsB,gBAAgB,KAAK,KAAK,SAAS;CACrD,IAAI,CAAC,SAAS,IAAI,EACd,MAAM,IAAI,WAAW,kCAAkC;CAE3D,IAAI,IAAI,cAAc,KAAA,KAAa,IAAI,WAAW,KAAA,GAC9C,MAAM,IAAI,WAAW,4EAAwE;CAEjG,IAAI,IAAI,cAAc,KAAA,KAAa,OAAO,IAAI,cAAc,UACxD,MAAM,IAAI,WAAW,sCAAsC;CAE/D,IAAI,IAAI,YAAY,KAAA,GAChB,MAAM,IAAI,WAAW,sBAAsB;CAE/C,IAAI,OAAO,IAAI,cAAc,UACzB,MAAM,IAAI,WAAW,0CAA0C;CAEnE,IAAI,IAAI,WAAW,KAAA,KAAa,CAAC,SAAS,IAAI,OAAO,EACjD,MAAM,IAAI,WAAW,wCAAwC;CAEjE,IAAI,aAAa,EAAE;CACnB,IAAI,IAAI,WACJ,IAAI;EACA,MAAM,kBAAkBG,OAAK,IAAI,UAAU;EAC3C,aAAa,KAAK,MAAM,QAAQ,OAAO,gBAAgB,CAAC;SAEtD;EACF,MAAM,IAAI,WAAW,kCAAkC;;CAG/D,IAAI,CAAC,WAAW,YAAY,IAAI,OAAO,EACnC,MAAM,IAAI,WAAW,4EAA4E;CAErG,MAAM,aAAa;EACf,GAAG;EACH,GAAG,IAAI;EACV;CACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,YAAY,WAAW;CAC5G,IAAI,MAAM;CACV,IAAI,WAAW,IAAI,MAAM,EAAE;EACvB,MAAM,WAAW;EACjB,IAAI,OAAO,QAAQ,WACf,MAAM,IAAI,WAAW,4EAA0E;;CAGvG,MAAM,EAAE,QAAQ;CAChB,IAAI,OAAO,QAAQ,YAAY,CAAC,KAC5B,MAAM,IAAI,WAAW,8DAA4D;CAErF,MAAM,aAAa,WAAW,mBAAmB,cAAc,QAAQ,WAAW;CAClF,IAAI,cAAc,CAAC,WAAW,IAAI,IAAI,EAClC,MAAM,IAAI,kBAAkB,yDAAuD;CAEvF,IAAI;MACI,OAAO,IAAI,YAAY,UACvB,MAAM,IAAI,WAAW,+BAA+B;QAGvD,IAAI,OAAO,IAAI,YAAY,YAAY,EAAE,IAAI,mBAAmB,aACjE,MAAM,IAAI,WAAW,yDAAyD;CAElF,IAAI,cAAc;CAClB,IAAI,OAAO,QAAQ,YAAY;EAC3B,MAAM,MAAM,IAAI,YAAY,IAAI;EAChC,cAAc;;CAElB,aAAa,KAAK,KAAK,SAAS;CAChC,MAAM,OAAO,OAAO,IAAI,cAAc,KAAA,IAAYC,SAAO,IAAI,UAAU,GAAG,IAAI,YAAY,EAAEA,SAAO,IAAI,EAAE,OAAO,IAAI,YAAY,WAC1H,MACIA,SAAO,IAAI,QAAQ,GACnB,QAAQ,OAAO,IAAI,QAAQ,GAC/B,IAAI,QAAQ;CAClB,MAAM,YAAY,gBAAgB,IAAI,WAAW,aAAa,WAAW;CACzE,MAAM,IAAI,MAAM,aAAa,KAAK,IAAI;CAEtC,IAAI,CAAC,MADkB,OAAO,KAAK,GAAG,WAAW,KAAK,EAElD,MAAM,IAAI,gCAAgC;CAE9C,IAAI;CACJ,IAAI,KACA,UAAU,gBAAgB,IAAI,SAAS,WAAW,WAAW;MAE5D,IAAI,OAAO,IAAI,YAAY,UAC5B,UAAU,QAAQ,OAAO,IAAI,QAAQ;MAGrC,UAAU,IAAI;CAElB,MAAM,SAAS,EAAE,SAAS;CAC1B,IAAI,IAAI,cAAc,KAAA,GAClB,OAAO,kBAAkB;CAE7B,IAAI,IAAI,WAAW,KAAA,GACf,OAAO,oBAAoB,IAAI;CAEnC,IAAI,aACA,OAAO;EAAE,GAAG;EAAQ,KAAK;EAAG;CAEhC,OAAO;;;;ACzGX,eAAsB,cAAc,KAAK,KAAK,SAAS;CACnD,IAAI,eAAe,YACf,MAAM,QAAQ,OAAO,IAAI;CAE7B,IAAI,OAAO,QAAQ,UACf,MAAM,IAAI,WAAW,6CAA6C;CAEtE,MAAM,EAAE,GAAG,iBAAiB,GAAG,SAAS,GAAG,WAAW,WAAW,IAAI,MAAM,IAAI;CAC/E,IAAI,WAAW,GACX,MAAM,IAAI,WAAW,sBAAsB;CAE/C,MAAM,WAAW,MAAM,gBAAgB;EAAE;EAAS,WAAW;EAAiB;EAAW,EAAE,KAAK,QAAQ;CACxG,MAAM,SAAS;EAAE,SAAS,SAAS;EAAS,iBAAiB,SAAS;EAAiB;CACvF,IAAI,OAAO,QAAQ,YACf,OAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;CAE3C,OAAO;;;;AChBX,MAAM,SAAS,SAAS,KAAK,MAAM,KAAK,SAAS,GAAG,IAAK;AACzD,MAAM,SAAS;AACf,MAAM,OAAO,SAAS;AACtB,MAAM,MAAM,OAAO;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,OAAO,MAAM;AACnB,MAAM,QAAQ;AACd,SAAgB,KAAK,KAAK;CACtB,MAAM,UAAU,MAAM,KAAK,IAAI;CAC/B,IAAI,CAAC,WAAY,QAAQ,MAAM,QAAQ,IACnC,MAAM,IAAI,UAAU,6BAA6B;CAErD,MAAM,QAAQ,WAAW,QAAQ,GAAG;CACpC,MAAM,OAAO,QAAQ,GAAG,aAAa;CACrC,IAAI;CACJ,QAAQ,MAAR;EACI,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,MAAM;GAC/B;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,OAAO;GACxC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,KAAK;GACtC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,IAAI;GACrC;EACJ,KAAK;EACL,KAAK;EACL,KAAK;GACD,cAAc,KAAK,MAAM,QAAQ,KAAK;GACtC;EACJ;GACI,cAAc,KAAK,MAAM,QAAQ,KAAK;GACtC;;CAER,IAAI,QAAQ,OAAO,OAAO,QAAQ,OAAO,OACrC,OAAO,CAAC;CAEZ,OAAO;;AAEX,SAAS,cAAc,OAAO,OAAO;CACjC,IAAI,CAAC,OAAO,SAAS,MAAM,EACvB,MAAM,IAAI,UAAU,WAAW,MAAM,QAAQ;CAEjD,OAAO;;AAEX,MAAM,gBAAgB,UAAU;CAC5B,IAAI,MAAM,SAAS,IAAI,EACnB,OAAO,MAAM,aAAa;CAE9B,OAAO,eAAe,MAAM,aAAa;;AAE7C,MAAM,yBAAyB,YAAY,cAAc;CACrD,IAAI,OAAO,eAAe,UACtB,OAAO,UAAU,SAAS,WAAW;CAEzC,IAAI,MAAM,QAAQ,WAAW,EACzB,OAAO,UAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAI,WAAW,CAAC,CAAC;CAEtE,OAAO;;AAEX,SAAgB,kBAAkB,iBAAiB,gBAAgB,UAAU,EAAE,EAAE;CAC7E,IAAI;CACJ,IAAI;EACA,UAAU,KAAK,MAAM,QAAQ,OAAO,eAAe,CAAC;SAElD;CAEN,IAAI,CAAC,SAAS,QAAQ,EAClB,MAAM,IAAI,WAAW,iDAAiD;CAE1E,MAAM,EAAE,QAAQ;CAChB,IAAI,QACC,OAAO,gBAAgB,QAAQ,YAC5B,aAAa,gBAAgB,IAAI,KAAK,aAAa,IAAI,GAC3D,MAAM,IAAI,yBAAyB,uCAAqC,SAAS,OAAO,eAAe;CAE3G,MAAM,EAAE,iBAAiB,EAAE,EAAE,QAAQ,SAAS,UAAU,gBAAgB;CACxE,MAAM,gBAAgB,CAAC,GAAG,eAAe;CACzC,IAAI,gBAAgB,KAAA,GAChB,cAAc,KAAK,MAAM;CAC7B,IAAI,aAAa,KAAA,GACb,cAAc,KAAK,MAAM;CAC7B,IAAI,YAAY,KAAA,GACZ,cAAc,KAAK,MAAM;CAC7B,IAAI,WAAW,KAAA,GACX,cAAc,KAAK,MAAM;CAC7B,KAAK,MAAM,SAAS,IAAI,IAAI,cAAc,SAAS,CAAC,EAChD,IAAI,EAAE,SAAS,UACX,MAAM,IAAI,yBAAyB,qBAAqB,MAAM,UAAU,SAAS,OAAO,UAAU;CAG1G,IAAI,UACA,EAAE,MAAM,QAAQ,OAAO,GAAG,SAAS,CAAC,OAAO,EAAE,SAAS,QAAQ,IAAI,EAClE,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI,WAAW,QAAQ,QAAQ,SAC3B,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI,YACA,CAAC,sBAAsB,QAAQ,KAAK,OAAO,aAAa,WAAW,CAAC,SAAS,GAAG,SAAS,EACzF,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,eAAe;CAEtG,IAAI;CACJ,QAAQ,OAAO,QAAQ,gBAAvB;EACI,KAAK;GACD,YAAY,KAAK,QAAQ,eAAe;GACxC;EACJ,KAAK;GACD,YAAY,QAAQ;GACpB;EACJ,KAAK;GACD,YAAY;GACZ;EACJ,SACI,MAAM,IAAI,UAAU,qCAAqC;;CAEjE,MAAM,EAAE,gBAAgB;CACxB,MAAM,MAAM,MAAM,+BAAe,IAAI,MAAM,CAAC;CAC5C,KAAK,QAAQ,QAAQ,KAAA,KAAa,gBAAgB,OAAO,QAAQ,QAAQ,UACrE,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;CAEjG,IAAI,QAAQ,QAAQ,KAAA,GAAW;EAC3B,IAAI,OAAO,QAAQ,QAAQ,UACvB,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;EAEjG,IAAI,QAAQ,MAAM,MAAM,WACpB,MAAM,IAAI,yBAAyB,wCAAsC,SAAS,OAAO,eAAe;;CAGhH,IAAI,QAAQ,QAAQ,KAAA,GAAW;EAC3B,IAAI,OAAO,QAAQ,QAAQ,UACvB,MAAM,IAAI,yBAAyB,kCAAgC,SAAS,OAAO,UAAU;EAEjG,IAAI,QAAQ,OAAO,MAAM,WACrB,MAAM,IAAI,WAAW,wCAAsC,SAAS,OAAO,eAAe;;CAGlG,IAAI,aAAa;EACb,MAAM,MAAM,MAAM,QAAQ;EAC1B,MAAM,MAAM,OAAO,gBAAgB,WAAW,cAAc,KAAK,YAAY;EAC7E,IAAI,MAAM,YAAY,KAClB,MAAM,IAAI,WAAW,8DAA4D,SAAS,OAAO,eAAe;EAEpH,IAAI,MAAM,IAAI,WACV,MAAM,IAAI,yBAAyB,mEAAiE,SAAS,OAAO,eAAe;;CAG3I,OAAO;;AAEX,IAAa,mBAAb,MAA8B;CAC1B;CACA,YAAY,SAAS;EACjB,IAAI,CAAC,SAAS,QAAQ,EAClB,MAAM,IAAI,UAAU,mCAAmC;EAE3D,KAAKC,WAAW,gBAAgB,QAAQ;;CAE5C,OAAO;EACH,OAAO,QAAQ,OAAO,KAAK,UAAU,KAAKA,SAAS,CAAC;;CAExD,IAAI,MAAM;EACN,OAAO,KAAKA,SAAS;;CAEzB,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;;CAExB,IAAI,MAAM;EACN,OAAO,KAAKA,SAAS;;CAEzB,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;;CAExB,IAAI,MAAM;EACN,OAAO,KAAKA,SAAS;;CAEzB,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;EACX,KAAKA,SAAS,MAAM;;CAExB,IAAI,IAAI,OAAO;EACX,IAAI,OAAO,UAAU,UACjB,KAAKA,SAAS,MAAM,cAAc,gBAAgB,MAAM;OAEvD,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,gBAAgB,MAAM,MAAM,CAAC;OAG/D,KAAKA,SAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;EACX,IAAI,OAAO,UAAU,UACjB,KAAKA,SAAS,MAAM,cAAc,qBAAqB,MAAM;OAE5D,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,qBAAqB,MAAM,MAAM,CAAC;OAGpE,KAAKA,SAAS,MAAM,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM;;CAG3D,IAAI,IAAI,OAAO;EACX,IAAI,UAAU,KAAA,GACV,KAAKA,SAAS,MAAM,sBAAM,IAAI,MAAM,CAAC;OAEpC,IAAI,iBAAiB,MACtB,KAAKA,SAAS,MAAM,cAAc,eAAe,MAAM,MAAM,CAAC;OAE7D,IAAI,OAAO,UAAU,UACtB,KAAKA,SAAS,MAAM,cAAc,eAAe,sBAAM,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC;OAGjF,KAAKA,SAAS,MAAM,cAAc,eAAe,MAAM;;;;;ACvOnE,eAAsB,UAAU,KAAK,KAAK,SAAS;CAC/C,MAAM,WAAW,MAAM,cAAc,KAAK,KAAK,QAAQ;CACvD,IAAI,SAAS,gBAAgB,MAAM,SAAS,MAAM,IAAI,SAAS,gBAAgB,QAAQ,OACnF,MAAM,IAAI,WAAW,sCAAsC;CAG/D,MAAM,SAAS;EAAE,SADD,kBAAkB,SAAS,iBAAiB,SAAS,SAAS,QACtD;EAAE,iBAAiB,SAAS;EAAiB;CACrE,IAAI,OAAO,QAAQ,YACf,OAAO;EAAE,GAAG;EAAQ,KAAK,SAAS;EAAK;CAE3C,OAAO;;;;ACJX,IAAa,gBAAb,MAA2B;CACvB;CACA;CACA;CACA,YAAY,SAAS;EACjB,IAAI,EAAE,mBAAmB,aACrB,MAAM,IAAI,UAAU,4CAA4C;EAEpE,KAAKC,WAAW;;CAEpB,mBAAmB,iBAAiB;EAChC,aAAa,KAAKC,kBAAkB,qBAAqB;EACzD,KAAKA,mBAAmB;EACxB,OAAO;;CAEX,qBAAqB,mBAAmB;EACpC,aAAa,KAAKC,oBAAoB,uBAAuB;EAC7D,KAAKA,qBAAqB;EAC1B,OAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,IAAI,CAAC,KAAKD,oBAAoB,CAAC,KAAKC,oBAChC,MAAM,IAAI,WAAW,kFAAkF;EAE3G,IAAI,CAAC,WAAW,KAAKD,kBAAkB,KAAKC,mBAAmB,EAC3D,MAAM,IAAI,WAAW,4EAA4E;EAErG,MAAM,aAAa;GACf,GAAG,KAAKD;GACR,GAAG,KAAKC;GACX;EACD,MAAM,aAAa,aAAa,YAAY,IAAI,IAAI,CAAC,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,SAAS,MAAM,KAAKD,kBAAkB,WAAW;EACvH,IAAI,MAAM;EACV,IAAI,WAAW,IAAI,MAAM,EAAE;GACvB,MAAM,KAAKA,iBAAiB;GAC5B,IAAI,OAAO,QAAQ,WACf,MAAM,IAAI,WAAW,4EAA0E;;EAGvG,MAAM,EAAE,QAAQ;EAChB,IAAI,OAAO,QAAQ,YAAY,CAAC,KAC5B,MAAM,IAAI,WAAW,8DAA4D;EAErF,aAAa,KAAK,KAAK,OAAO;EAC9B,IAAI;EACJ,IAAI;EACJ,IAAI,KAAK;GACL,WAAWE,OAAK,KAAKH,SAAS;GAC9B,WAAWI,SAAO,SAAS;SAE1B;GACD,WAAW,KAAKJ;GAChB,WAAW;;EAEf,IAAI;EACJ,IAAI;EACJ,IAAI,KAAKC,kBAAkB;GACvB,wBAAwBE,OAAK,KAAK,UAAU,KAAKF,iBAAiB,CAAC;GACnE,uBAAuBG,SAAO,sBAAsB;SAEnD;GACD,wBAAwB;GACxB,uBAAuB,IAAI,YAAY;;EAE3C,MAAM,OAAO,OAAO,sBAAsBA,SAAO,IAAI,EAAE,SAAS;EAGhE,MAAM,MAAM;GACR,WAAWD,OAAK,MAFI,KAAK,KAAK,MADlB,aAAa,KAAK,IAAI,EACD,KAAK,CAEZ;GAC1B,SAAS;GACZ;EACD,IAAI,KAAKD,oBACL,IAAI,SAAS,KAAKA;EAEtB,IAAI,KAAKD,kBACL,IAAI,YAAY;EAEpB,OAAO;;;;;ACrFf,IAAa,cAAb,MAAyB;CACrB;CACA,YAAY,SAAS;EACjB,KAAKI,aAAa,IAAI,cAAc,QAAQ;;CAEhD,mBAAmB,iBAAiB;EAChC,KAAKA,WAAW,mBAAmB,gBAAgB;EACnD,OAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,MAAM,KAAKA,WAAW,KAAK,KAAK,QAAQ;EACpD,IAAI,IAAI,YAAY,KAAA,GAChB,MAAM,IAAI,UAAU,4DAA4D;EAEpF,OAAO,GAAG,IAAI,UAAU,GAAG,IAAI,QAAQ,GAAG,IAAI;;;;;ACZtD,IAAa,UAAb,MAAqB;CACjB;CACA;CACA,YAAY,UAAU,EAAE,EAAE;EACtB,KAAKC,OAAO,IAAI,iBAAiB,QAAQ;;CAE7C,UAAU,QAAQ;EACd,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,WAAW,SAAS;EAChB,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,YAAY,UAAU;EAClB,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,OAAO,OAAO;EACV,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,aAAa,OAAO;EAChB,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,kBAAkB,OAAO;EACrB,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,YAAY,OAAO;EACf,KAAKA,KAAK,MAAM;EAChB,OAAO;;CAEX,mBAAmB,iBAAiB;EAChC,KAAKC,mBAAmB;EACxB,OAAO;;CAEX,MAAM,KAAK,KAAK,SAAS;EACrB,MAAM,MAAM,IAAI,YAAY,KAAKD,KAAK,MAAM,CAAC;EAC7C,IAAI,mBAAmB,KAAKC,iBAAiB;EAC7C,IAAI,MAAM,QAAQ,KAAKA,kBAAkB,KAAK,IAC1C,KAAKA,iBAAiB,KAAK,SAAS,MAAM,IAC1C,KAAKA,iBAAiB,QAAQ,OAC9B,MAAM,IAAI,WAAW,sCAAsC;EAE/D,OAAO,IAAI,KAAK,KAAK,QAAQ;;;;;AC9CrC,SAAS,cAAc,KAAK;CACxB,QAAQ,OAAO,QAAQ,YAAY,IAAI,MAAM,GAAG,EAAE,EAAlD;EACI,KAAK;EACL,KAAK,MACD,OAAO;EACX,KAAK,MACD,OAAO;EACX,KAAK,MACD,OAAO;EACX,KAAK,MACD,OAAO;EACX,SACI,MAAM,IAAI,iBAAiB,mDAAiD;;;AAGxF,SAAS,WAAW,MAAM;CACtB,OAAQ,QACJ,OAAO,SAAS,YAChB,MAAM,QAAQ,KAAK,KAAK,IACxB,KAAK,KAAK,MAAM,UAAU;;AAElC,SAAS,UAAU,KAAK;CACpB,OAAO,SAAS,IAAI;;AAExB,IAAM,cAAN,MAAkB;CACd;CACA,0BAAU,IAAI,SAAS;CACvB,YAAY,MAAM;EACd,IAAI,CAAC,WAAW,KAAK,EACjB,MAAM,IAAI,YAAY,6BAA6B;EAEvD,KAAKC,QAAQ,gBAAgB,KAAK;;CAEtC,OAAO;EACH,OAAO,KAAKA;;CAEhB,MAAM,OAAO,iBAAiB,OAAO;EACjC,MAAM,EAAE,KAAK,QAAQ;GAAE,GAAG;GAAiB,GAAG,OAAO;GAAQ;EAC7D,MAAM,MAAM,cAAc,IAAI;EAC9B,MAAM,aAAa,KAAKA,MAAM,KAAK,QAAQ,QAAQ;GAC/C,IAAI,YAAY,QAAQ,IAAI;GAC5B,IAAI,aAAa,OAAO,QAAQ,UAC5B,YAAY,QAAQ,IAAI;GAE5B,IAAI,cAAc,OAAO,IAAI,QAAQ,YAAY,QAAQ,QACrD,YAAY,QAAQ,IAAI;GAE5B,IAAI,aAAa,OAAO,IAAI,QAAQ,UAChC,YAAY,IAAI,QAAQ;GAE5B,IAAI,aAAa,MAAM,QAAQ,IAAI,QAAQ,EACvC,YAAY,IAAI,QAAQ,SAAS,SAAS;GAE9C,IAAI,WACA,QAAQ,KAAR;IACI,KAAK;KACD,YAAY,IAAI,QAAQ;KACxB;IACJ,KAAK;KACD,YAAY,IAAI,QAAQ;KACxB;IACJ,KAAK;KACD,YAAY,IAAI,QAAQ;KACxB;IACJ,KAAK;IACL,KAAK;KACD,YAAY,IAAI,QAAQ;KACxB;;GAGZ,OAAO;IACT;EACF,MAAM,EAAE,GAAG,KAAK,WAAW;EAC3B,IAAI,WAAW,GACX,MAAM,IAAI,mBAAmB;EAEjC,IAAI,WAAW,GAAG;GACd,MAAM,QAAQ,IAAI,0BAA0B;GAC5C,MAAM,UAAU,KAAKC;GACrB,MAAM,OAAO,iBAAiB,mBAAmB;IAC7C,KAAK,MAAM,OAAO,YACd,IAAI;KACA,MAAM,MAAM,mBAAmB,SAAS,KAAK,IAAI;YAE/C;;GAGd,MAAM;;EAEV,OAAO,mBAAmB,KAAKA,SAAS,KAAK,IAAI;;;AAGzD,eAAe,mBAAmB,OAAO,KAAK,KAAK;CAC/C,MAAM,SAAS,MAAM,IAAI,IAAI,IAAI,MAAM,IAAI,KAAK,EAAE,CAAC,CAAC,IAAI,IAAI;CAC5D,IAAI,OAAO,SAAS,KAAA,GAAW;EAC3B,MAAM,MAAM,MAAM,UAAU;GAAE,GAAG;GAAK,KAAK;GAAM,EAAE,IAAI;EACvD,IAAI,eAAe,cAAc,IAAI,SAAS,UAC1C,MAAM,IAAI,YAAY,+CAA+C;EAEzE,OAAO,OAAO;;CAElB,OAAO,OAAO;;AAElB,SAAgB,kBAAkB,MAAM;CACpC,MAAM,MAAM,IAAI,YAAY,KAAK;CACjC,MAAM,cAAc,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;CACxF,OAAO,iBAAiB,aAAa,EACjC,MAAM;EACF,aAAa,gBAAgB,IAAI,MAAM,CAAC;EACxC,YAAY;EACZ,cAAc;EACd,UAAU;EACb,EACJ,CAAC;CACF,OAAO;;;;AClHX,SAAS,sBAAsB;CAC3B,OAAQ,OAAO,kBAAkB,eAC5B,OAAO,cAAc,eAAe,UAAU,cAAc,wBAC5D,OAAO,gBAAgB,eAAe,gBAAgB;;AAE/D,IAAI;AACJ,IAAI,OAAO,cAAc,eAAe,CAAC,UAAU,WAAW,aAAa,eAAe,EAGtF,aAAa;AAEjB,MAAa,cAAc,QAAQ;AACnC,eAAe,UAAU,KAAK,SAAS,QAAQ,YAAY,OAAO;CAC9D,MAAM,WAAW,MAAM,UAAU,KAAK;EAClC,QAAQ;EACR;EACA,UAAU;EACV;EACH,CAAC,CAAC,OAAO,QAAQ;EACd,IAAI,IAAI,SAAS,gBACb,MAAM,IAAI,aAAa;EAE3B,MAAM;GACR;CACF,IAAI,SAAS,WAAW,KACpB,MAAM,IAAI,UAAU,0DAA0D;CAElF,IAAI;EACA,OAAO,MAAM,SAAS,MAAM;SAE1B;EACF,MAAM,IAAI,UAAU,6DAA6D;;;AAGzF,MAAa,YAAY,QAAQ;AACjC,SAAS,iBAAiB,OAAO,aAAa;CAC1C,IAAI,OAAO,UAAU,YAAY,UAAU,MACvC,OAAO;CAEX,IAAI,EAAE,SAAS,UAAU,OAAO,MAAM,QAAQ,YAAY,KAAK,KAAK,GAAG,MAAM,OAAO,aAChF,OAAO;CAEX,IAAI,EAAE,UAAU,UACZ,CAAC,SAAS,MAAM,KAAK,IACrB,CAAC,MAAM,QAAQ,MAAM,KAAK,KAAK,IAC/B,CAAC,MAAM,UAAU,MAAM,KAAK,MAAM,KAAK,MAAM,SAAS,EACtD,OAAO;CAEX,OAAO;;AAEX,IAAM,eAAN,MAAmB;CACf;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA;CACA,YAAY,KAAK,SAAS;EACtB,IAAI,EAAE,eAAe,MACjB,MAAM,IAAI,UAAU,iCAAiC;EAEzD,KAAKC,OAAO,IAAI,IAAI,IAAI,KAAK;EAC7B,KAAKC,mBACD,OAAO,SAAS,oBAAoB,WAAW,SAAS,kBAAkB;EAC9E,KAAKC,oBACD,OAAO,SAAS,qBAAqB,WAAW,SAAS,mBAAmB;EAChF,KAAKC,eAAe,OAAO,SAAS,gBAAgB,WAAW,SAAS,cAAc;EACtF,KAAKC,WAAW,IAAI,QAAQ,SAAS,QAAQ;EAC7C,IAAI,cAAc,CAAC,KAAKA,SAAS,IAAI,aAAa,EAC9C,KAAKA,SAAS,IAAI,cAAc,WAAW;EAE/C,IAAI,CAAC,KAAKA,SAAS,IAAI,SAAS,EAAE;GAC9B,KAAKA,SAAS,IAAI,UAAU,mBAAmB;GAC/C,KAAKA,SAAS,OAAO,UAAU,2BAA2B;;EAE9D,KAAKC,eAAe,UAAU;EAC9B,IAAI,UAAU,eAAe,KAAA,GAAW;GACpC,KAAKC,SAAS,UAAU;GACxB,IAAI,iBAAiB,UAAU,YAAY,KAAKH,aAAa,EAAE;IAC3D,KAAKI,iBAAiB,KAAKD,OAAO;IAClC,KAAKE,SAAS,kBAAkB,KAAKF,OAAO,KAAK;;;;CAI7D,eAAe;EACX,OAAO,CAAC,CAAC,KAAKG;;CAElB,cAAc;EACV,OAAO,OAAO,KAAKF,mBAAmB,WAChC,KAAK,KAAK,GAAG,KAAKA,iBAAiB,KAAKL,oBACxC;;CAEV,QAAQ;EACJ,OAAO,OAAO,KAAKK,mBAAmB,WAChC,KAAK,KAAK,GAAG,KAAKA,iBAAiB,KAAKJ,eACxC;;CAEV,OAAO;EACH,OAAO,KAAKK,QAAQ,MAAM;;CAE9B,MAAM,OAAO,iBAAiB,OAAO;EACjC,IAAI,CAAC,KAAKA,UAAU,CAAC,KAAK,OAAO,EAC7B,MAAM,KAAK,QAAQ;EAEvB,IAAI;GACA,OAAO,MAAM,KAAKA,OAAO,iBAAiB,MAAM;WAE7C,KAAK;GACR,IAAI,eAAe;QACX,KAAK,aAAa,KAAK,OAAO;KAC9B,MAAM,KAAK,QAAQ;KACnB,OAAO,KAAKA,OAAO,iBAAiB,MAAM;;;GAGlD,MAAM;;;CAGd,MAAM,SAAS;EACX,IAAI,KAAKC,iBAAiB,qBAAqB,EAC3C,KAAKA,gBAAgB,KAAA;EAEzB,KAAKA,kBAAkB,UAAU,KAAKT,KAAK,MAAM,KAAKI,UAAU,YAAY,QAAQ,KAAKH,iBAAiB,EAAE,KAAKI,aAAa,CACzH,MAAM,SAAS;GAChB,KAAKG,SAAS,kBAAkB,KAAK;GACrC,IAAI,KAAKF,QAAQ;IACb,KAAKA,OAAO,MAAM,KAAK,KAAK;IAC5B,KAAKA,OAAO,OAAO;;GAEvB,KAAKC,iBAAiB,KAAK,KAAK;GAChC,KAAKE,gBAAgB,KAAA;IACvB,CACG,OAAO,QAAQ;GAChB,KAAKA,gBAAgB,KAAA;GACrB,MAAM;IACR;EACF,MAAM,KAAKA;;;AAGnB,SAAgB,mBAAmB,KAAK,SAAS;CAC7C,MAAM,MAAM,IAAI,aAAa,KAAK,QAAQ;CAC1C,MAAM,eAAe,OAAO,iBAAiB,UAAU,IAAI,OAAO,iBAAiB,MAAM;CACzF,OAAO,iBAAiB,cAAc;EAClC,aAAa;GACT,WAAW,IAAI,aAAa;GAC5B,YAAY;GACZ,cAAc;GACjB;EACD,OAAO;GACH,WAAW,IAAI,OAAO;GACtB,YAAY;GACZ,cAAc;GACjB;EACD,QAAQ;GACJ,aAAa,IAAI,QAAQ;GACzB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACD,WAAW;GACP,WAAW,IAAI,cAAc;GAC7B,YAAY;GACZ,cAAc;GACjB;EACD,MAAM;GACF,aAAa,IAAI,MAAM;GACvB,YAAY;GACZ,cAAc;GACd,UAAU;GACb;EACJ,CAAC;CACF,OAAO;;;;;;;ACxJX,IAAa,cAAb,MAAyB;CACvB,MAAyB,SAAS;CAClC,WAAiD,EAAE;CACnD,mBAAsC,QAAQ,iBAAiB;CAC/D,UAA6B,IAAI,aAAa;;;;;;;CAQ9C,aAAoB,MAAc,iBAAyC;EACzE,IAAI,OAAO,oBAAoB,UAAU;GACvC,KAAK,IAAI,MAAM,8BAA8B,KAAK,oBAAoB;GACtE,KAAK,SAAS,KAAK;IACjB;IACA,WAAW,kBAAkB,gBAAgB;IAC9C,CAAC;SACG,IAAI,KAAK,YAAY,gBAAgB,EAAE;GAC5C,MAAM,YAAY,KAAK,QAAQ,OAAO,gBAAgB;GACtD,KAAK,IAAI,MAAM,iCAAiC,KAAK,mBAAmB;GACxE,KAAK,SAAS,KAAK;IACjB;IACA,WAAW;IACX,iBAAiB,QAAQ,QAAQ,gBAAgB,UAAU,CAAC;IAC7D,CAAC;SACG;GACL,KAAK,IAAI,MAAM,iCAAiC,KAAK,cAAc,EACjE,KAAK,iBACN,CAAC;GACF,KAAK,SAAS,KAAK;IACjB;IACA,WAAW,mBAAmB,IAAI,IAAI,gBAAgB,CAAC;IACxD,CAAC;;;;;;;;;;CAWN,MAAa,MACX,OACA,SACA,SACyB;EACzB,KAAK,MAAM,MAAM,KAAK,UAAU;GAC9B,IAAI,WAAW,GAAG,SAAS,SACzB;GAGF,KAAK,IAAI,MAAM,0BAA0B;IACvC,SAAS,GAAG;IACZ;IACD,CAAC;GAEF,IAAI;IACF,MAAM,WAAW;KACf,SAAS,GAAG;KACZ,QAAQ,MAAM,UAAU,OAAO,GAAG,WAAW;MAC3C,aAAa,KAAK,iBAAiB,KAAK,CAAC,QAAQ;MACjD,GAAG;MACJ,CAAC;KACH;IAED,KAAK,IAAI,MAAM,+BAA+B,EAC5C,SAAS,SAAS,SACnB,CAAC;IAEF,OAAO;YACA,OAAO;IACd,KAAK,IAAI,MAAM,iCAAiC,MAAM;IAEtD,IAAI,iBAAiB,YACnB,MAAM,IAAI,cAAc,iBAAiB,EAAE,OAAO,OAAO,CAAC;IAG5D,IAAI,iBAAiB,0BACnB,MAAM,IAAI,cAAc,iCAAiC,EACvD,OAAO,OACR,CAAC;;;EAKR,KAAK,IAAI,KACP,iEAAiE,KAAK,SAAS,OAAO,GACvF;EAED,MAAM,IAAI,cAAc,gBAAgB;;;;;;;;;;;CAY1C,MAAa,OACX,SACA,SACA,aACiB;EACjB,MAAM,YAAY,UACd,KAAK,SAAS,MAAM,OAAO,GAAG,SAAS,QAAQ,EAAE,YACjD,KAAK,SAAS,IAAI;EAEtB,IAAI,CAAC,WACH,MAAM,IAAI,YAAY,sCAAsC;EAG9D,MAAM,UAAU,IAAI,QAAQ,QAAQ;EAEpC,QAAQ,mBAAmB;GACzB,KAAK;GACL,GAAG,aAAa;GACjB,CAAC;EAEF,OAAO,MAAM,QAAQ,KAAK,KAAK,QAAQ,OAAO,UAAU,CAAC;;;;;;;;CAS3D,YAAsB,KAAsB;EAC1C,OAAO,CAAC,IAAI,WAAW,UAAU,IAAI,CAAC,IAAI,WAAW,WAAW;;;;;AChKpE,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;EACxB,MAAM,eAAe,KAAK,cAAc;;;;;ACF5C,IAAa,oBAAb,cAAuC,MAAM;CAC3C,SAAyB;;;;ACD3B,IAAa,qBAAb,cAAwC,MAAM;CAC5C,YAAY,OAAe;EACzB,MAAM,UAAU,MAAM,aAAa;;;;;ACyBvC,IAAa,mBAAb,MAA8B;CAC5B,oBAAuC;CACvC,oBAAuC;CACvC,6BACE;CAEF,MAAyB,SAAS;CAClC,MAAyB,QAAQ,YAAY;CAC7C,SAA4B,QAAQ,OAAO;CAC3C,iBAAoC,QAAQ,eAAe;CAE3D,IAAW,YAAoB;EAC7B,OAAO,KAAK,eAAe;;;;;CAM7B,cAA+C,EAAE;;;;CAKjD,SAAqC,KAAK,OAAO,QAAQ,GACrD,CACE;EACE,MAAM;EACN,QAAQ,KAAK;EACb,OAAO,CACL;GACE,MAAM;GACN,aAAa,CACX,EACE,MAAM,KACP,CACF;GACF,CACF;EACF,CACF,GACD,EAAE;CAEN,QAAkB,MAAM;EACtB,IAAI;EACJ,SAAS,YAAY;GACnB,KAAK,MAAM,SAAS,KAAK,QAAQ;IAC/B,IAAI,MAAM,QAAQ;KAChB,MAAM,SACJ,OAAO,MAAM,WAAW,aAAa,MAAM,QAAQ,GAAG,MAAM;KAC9D,KAAK,IAAI,aAAa,MAAM,MAAM,OAAO;;IAI3C,IAAI,CAAC,MAAM,aAAa,MAAM,UAAU,WAAW,GACjD,KAAK,iBACH,KAAK,yBAAyB,MAAM,KAAK,EACzC,MAAM,KACP;;;EAIR,CAAC;;;;CAKF,yBAAmC,WAAmC;EACpE,OAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAQ;IACxB,MAAM,OAAO,IAAI,QAAQ;IACzB,IAAI,CAAC,MAAM,WAAW,UAAU,EAC9B,OAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;IAG3B,IAAI,CAAC,MAAM,SAAS,IAAI,EACtB,OAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,UAAU;IAGzD,OAAO,KAAK,sBAAsB,OAAO,SAAS,UAAU;;GAE/D;;;;;;;;CASH,WAAkB,MAAY,GAAG,QAAwB;EACvD,MAAM,OAAO,OAAO,SAChB,OAAO,KAAK,OAAO;GACjB,MAAM,OAAO,KAAK,OAAO,MAAM,UAAU,MAAM,SAAS,GAAG;GAC3D,IAAI,CAAC,MACH,MAAM,IAAI,mBAAmB,GAAG;GAElC,OAAO;IACP,GACF,KAAK;EAET,KAAK,MAAM,SAAS,MAAM;GACxB,KAAK,MAAM,EAAE,UAAU,KAAK,aAC1B,IAAI,KAAK,OAAO,WAAW,EAAE;IAE3B,IAAI,SAAS,KAEX;IAOF,IAHsB,KAAK,YAAY,MACpC,OAAO,KAAK,mBAAmB,GAAG,KAAK,KAEzB,EACf;IAIF,IAAI,KAAK,SAAS,KAAK,EAAE;KACvB,MAAM,cAAc,KAAK,MAAM,GAAG,GAAG;KASrC,IAP2B,KAAK,YAAY,MAAM,OAAO;MACvD,IAAI,CAAC,GAAG,OAAO,OAAO;MACtB,OACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;OAGpB,EACpB;;IAKJ,MAAM,IAAI,cAAc,eAAe,KAAK,aAAa;UAEzD,IAAI,SAAS,OAAO,CAAC,KAAK,2BAA2B,KAAK,KAAK,EAC7D,MAAM,IAAI,uBAAuB,KAAK;GAK5C,MAAM,MAAM,KAAK,KAAK;;EAGxB,OAAO;;;;;;;CAQT,iBAAwB,KAAsC;EAC5D,IAAI,KAAK,OAAO,WAAW,EACzB,MAAM,IAAI,sBAAsB;EAGlC,IAAI;EACJ,IAAI,OAAO,QAAQ,UAAU;GAC3B,IAAI,CAAC,KAAK,kBAAkB,KAAK,IAAI,EACnC,MAAM,IAAI,uBAAuB,IAAI;GAGvC,MAAM,QAAQ,IAAI,MAAM,IAAI;GAC5B,IAAI,MAAM,WAAW,GAEnB,aAAa,EAAE,MAAM,MAAM,IAAI;QAC1B;IAGL,MAAM,OAAO,MAAM,MAAM,SAAS;IAClC,MAAM,aAAa,MAAM,MAAM,GAAG,GAAG;IAErC,IAAI,WAAW,WAAW,GACxB,aAAa;KACX,OAAO,WAAW;KAClB;KACD;SAGD,aAAa;KACX,OAAO,WAAW,KAAK,IAAI;KAC3B;KACD;;SAIL,aAAa;EAGf,MAAM,WAAW,KAAK,mBAAmB,WAAW;EACpD,IAAI,CAAC,KAAK,kBAAkB,KAAK,SAAS,EACxC,MAAM,IAAI,uBAAuB,SAAS;EAG5C,MAAM,WAAW,KAAK,YAAY,MAC/B,OAAO,KAAK,mBAAmB,GAAG,KAAK,SACzC;EAED,IAAI,UACF,OAAO;EAGT,KAAK,IAAI,MAAM,wBAAwB,SAAS,GAAG;EAEnD,KAAK,YAAY,KAAK,WAAW;EAEjC,OAAO;;CAGT,YAAmB,OAAc;EAC/B,IAAI,KAAK,OAAO,WAAW,KAAK,KAAK,OAAO,GAAG,SAAS,WAEtD,KAAK,OAAO,KAAK;EAGnB,KAAK,OAAO,KAAK,MAAM;;;;;;;;;;CAWzB,MAAa,YAAY,OAAe,OAA8B;EACpE,IAAI,CAAC,KAAK,OAAO,WAAW,EAC1B,MAAM,IAAI,oBAAoB;EAGhC,MAAM,gBAAgB,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM;EACjE,IAAI,CAAC,eACH,MAAM,IAAI,mBAAmB,MAAM;EAGrC,cAAc,QAAQ;;;;;;;;;;CAaxB,sBACE,SACA,WACa;EACb,MAAM,KAAK,KAAK,iBAAiB,QAAQ;EACzC,MAAM,YAAY,KAAK,wBAAwB,QAAQ;EACvD,MAAM,mBAAmB,KAAK,oBAAoB,QAAQ;EAC1D,MAAM,QAAQ,KAAK,oBAAoB,QAAQ;EAC/C,MAAM,WAAW,KAAK,uBAAuB,QAAQ;EACrD,MAAM,UAAU,KAAK,sBAAsB,QAAQ;EACnD,MAAM,OAAO,KAAK,mBAAmB,QAAQ;EAC7C,MAAM,eAAe,KAAK,2BAA2B,QAAQ;EAC7D,MAAM,kBAAkB,KAAK,SAAS,UAAU;EAChD,MAAM,QAAQ,iBACX,QACE,KAAK,aACJ,IAAI,OAAO,gBAAgB,QAAQ,OAAO,GAAG,SAAS,SAAS,CAAC,EAClE,EAAE,CACH,CACA,KAAK,OAAO,GAAG,KAAK;EAEvB,MAAM,QAAQ,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU;EAC7D,IAAI,OAAO,SACT,OAAO,MAAM,QAAQ,QAAQ;EAG/B,OAAO;GACL;GACA;GACA;GACA;GACA;GACA;GACA;GACA;GACD;;;;;;CAOH,WACE,UACA,UAGI,EAAE,EACY;EAClB,MAAM,aAAa,KAAK,SAAS,QAAQ,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAC1E,MAAM,QAAQ,CAAC,GAAI,SAAS,SAAS,EAAE,CAAE;EAGzC,KAAK,MAAM,QAAQ,YACjB,IAAI,CAAC,MAAM,SAAS,KAAK,KAAK,EAC5B,MAAM,KAAK,KAAK,KAAK;EAIzB,IAAI;EAGJ,IAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;GAChE,IAAI,CAAC,MAAM,cACT,MAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;GAEH,YAAY,MAAM;;EAGpB,OAAO;GACL,GAAG;GACH;GACA;GACA,OAAO,QAAQ;GAChB;;;;;;CAOH,iBAAwB,UAA0B,WAA0B;EAC1E,MAAM,QAAQ,KAAK,SAAS,UAAU;EACtC,IAAI,CAAC,MAAM,WACT,MAAM,YAAY,EAAE;EAGtB,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,UAAU,MAAM,GAAG,OAAO,EAAE,YAAY,QAAQ,EAAE,YAAY,KAAK;;;;;;CAO3E,SAAgB,WAA2B;EACzC,MAAM,QAAQ,YACV,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,UAAU,GAC/C,KAAK,OAAO;EAEhB,IAAI,CAAC,OACH,MAAM,IAAI,mBAAmB,aAAa,UAAU;EAGtD,OAAO;;;;;;;;;;;CAYT,MAAa,6BACX,KACA,UAGI,EAAE,EACiC;EAEvC,MAAM,eAGD,EAAE;EAEP,KAAK,MAAM,SAAS,KAAK,QACvB,KAAK,MAAM,YAAY,MAAM,aAAa,EAAE,EAC1C,aAAa,KAAK;GAAE;GAAU,WAAW,MAAM;GAAM,CAAC;EAK1D,aAAa,MACV,GAAG,OAAO,EAAE,SAAS,YAAY,QAAQ,EAAE,SAAS,YAAY,KAClE;EAGD,KAAK,MAAM,EAAE,UAAU,eAAe,cAAc;GAClD,IAAI;GAEJ,IAAI;IACF,WAAW,MAAM,SAAS,UAAU,IAAW;WACzC;IAEN;;GAGF,IAAI,UAAU;IAGZ,MAAM,OAAO,KAAK,WAAW,UAAU;KACrC,OAAO;KACP,YAAY,QAAQ;KACrB,CAAC;IAEF,MAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;KACrD,OAAO;KACP;KACD,CAAC;IAEF,OAAO;;;;;;;;;;;;CAgBb,gBACE,gBACA,GAAG,aACkB;EACrB,MAAM,QAAgB,YAAY,KAAK,OAAO;GAC5C,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;GAC7D,IAAI,CAAC,MACH,MAAM,IAAI,cAAc,SAAS,GAAG,aAAa;GAEnD,OAAO;IACP;EAEF,MAAM,aAAa,KAAK,mBAAmB,eAAe;EAQ1D,IAPgB,MAAM,MAAM,OAC1B,GAAG,YAAY,MACZ,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,WAAW,CAAC,GAAG,UAC/C,CAIQ,EACT,OAAO;GACL,cAAc;GACd,WAAW;GACZ;EAGH,MAAM,SAA8B;GAClC,cAAc;GACd,WAAW,KAAA;GACZ;EAGD,MAAM,kBACJ,gBACA,YACY;GACZ,IAAI,YAAY,KAAK,OAAO;GAC5B,IAAI,YAAY,gBAAgB,OAAO;GAGvC,IAAI,QAAQ,SAAS,KAAK,EAAE;IAC1B,MAAM,gBAAgB,QAAQ,MAAM,GAAG,GAAG;IAE1C,IAAI,mBAAmB,eAAe,OAAO;IAC7C,OAAO,eAAe,WAAW,GAAG,cAAc,GAAG;;GAGvD,OAAO;;EAGT,KAAK,MAAM,QAAQ,OAEjB,KAAK,MAAM,kBAAkB,KAAK,aAEhC,IAAI,eAAe,YAAY,eAAe,KAAK,EAAE;GAEnD,IAAI,eAAe,SAAS;IAC1B,IAAI,aAAa;IACjB,KAAK,MAAM,kBAAkB,eAAe,SAC1C,IAAI,eAAe,YAAY,eAAe,EAAE;KAC9C,aAAa;KACb;;IAGJ,IAAI,YACF;;GAIJ,OAAO,eAAe;GAGtB,IAAI,eAAe,WAEjB,OAAO,YAAY,eAAe;QAC7B;IAEL,OAAO,YAAY;IACnB,OAAO;;;EAMf,OAAO;;;;;CAMT,MAAa,oBACX,eACA,UAII,EAAE,EACqB;EAC3B,MAAM,QAAQ,eAAe,QAAQ,eAAe,GAAG,CAAC,MAAM;EAC9D,IAAI,OAAO,UAAU,YAAY,UAAU,IACzC,MAAM,IAAI,kBACR,yDACD;EAGH,MAAM,EAAE,QAAQ,SAAS,UAAU,MAAM,KAAK,IAAI,MAChD,OACA,QAAQ,OACR,QAAQ,OACT;EAED,MAAM,OAAO,KAAK,sBAAsB,OAAO,SAAS,MAAM;EAC9D,MAAM,aAAa,KAAK,SAAS,MAAM,CAAC,QAAQ,OAAO,GAAG,QAAQ;EAClE,MAAM,QAAQ,KAAK,SAAS,EAAE;EAE9B,KAAK,MAAM,QAAQ,YACjB,IAAI,CAAC,MAAM,SAAS,KAAK,KAAK,EAC5B,MAAM,KAAK,KAAK,KAAK;EAIzB,KAAK,QAAQ;EAEb,MAAM,KAAK,OAAO,OAAO,KAAK,yBAAyB;GACrD;GACA,MAAM;GACP,CAAC;EAEF,IAAI;EAEJ,IAAI,QAAQ,YAAY;GACtB,MAAM,QAAQ,KAAK,gBAAgB,QAAQ,YAAY,GAAG,MAAM;GAChE,IAAI,CAAC,MAAM,cACT,MAAM,IAAI,cACR,kCAAkC,KAAK,mBAAmB,QAAQ,WAAW,CAAC,GAC/E;GAGH,YAAY,MAAM;;EAGpB,OAAO;GACL,GAAG;GACH;GACA;GACA;GACD;;;;;;;;;CAUH,IAAW,UAAkB,YAA0C;EACrE,OAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;CAMpD,UACE,UACA,YAC8B;EAC9B,OAAO,KAAK,gBAAgB,YAAY,SAAS,CAAC;;;;;;;CAQpD,mBAA0B,YAAyC;EACjE,IAAI,OAAO,eAAe,UACxB,OAAO;EAGT,IAAI,CAAC,WAAW,OACd,OAAO,WAAW;EAQpB,OAAO,IAJY,MAAM,QAAQ,WAAW,MAAM,GAC9C,WAAW,QACX,CAAC,WAAW,MAAM,EAED,KAAK,IAAI,CAAC,GAAG,WAAW;;;;;CAM/C,aAAoB,MAAwB,SAAoB;EAC9D,IAAI,SAAS,WAAW,CAAC,KAAK,SAAS,CAAC,QAAQ,SAAS,KAAK,MAAM,GAClE,MAAM,IAAI,eACR,+BAA+B,QAAQ,KAAK,SAAS,CAAC,wBACvD;;;;;CAOL,mBAA0B,MAAwB;EAChD,MAAM,UAAU,KAAK,OAAO,MAAM,OAAO,uBAAuB,KAAK;EACrE,KAAK,OAAO,MAAM,IAAI,iBAAiB,QAAQ;;CAKjD,YAA4B;EAC1B,OAAO,KAAK;;;;;;;CAQd,SAAgB,OAAwB;EACtC,IAAI,OACF,OAAO,CAAC,GAAI,KAAK,OAAO,MAAM,OAAO,GAAG,SAAS,MAAM,EAAE,SAAS,EAAE,CAAE;EAGxE,OAAO,KAAK,OAAO,QAAgB,KAAK,OAAO,IAAI,OAAO,GAAG,MAAM,EAAE,EAAE,CAAC;;;;;;;;;CAU1E,eAAsB,MAGL;EACf,IAAI,MAAM,OAAO;GACf,MAAM,cAA4B,EAAE;GACpC,MAAM,QAAQ,KAAK,SAAS,EAAE;GAE9B,KAAK,MAAM,gBAAgB,OAAO;IAChC,MAAM,OACJ,OAAO,iBAAiB,WACpB,KAAK,SAAS,KAAK,MAAM,CAAC,MAAM,OAAO,GAAG,SAAS,aAAa,GAChE;IAEN,IAAI,CAAC,MACH,MAAM,IAAI,cAAc,SAAS,aAAa,aAAa;IAG7D,IAAI,KAAK,YAAY,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,GAAG,QAAQ,EAC/D,OAAO,KAAK,gBAAgB;IAG9B,KAAK,MAAM,cAAc,KAAK,aAAa;KACzC,IAAI,MAAoB,EAAE;KAC1B,IAAI,WAAW,SAAS,KACtB,IAAI,KAAK,GAAG,KAAK,YAAY;UACxB,IAAI,WAAW,KAAK,SAAS,IAAI,EAAE;MAExC,MAAM,QAAQ,WAAW,KAAK,MAAM,IAAI;MACxC,MAAM,WAAW,MAAM,MAAM,SAAS;MAEtC,IAAI,aAAa,KAAK;OAEpB,MAAM,cAAc,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,IAAI;OAEhD,IAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;QACjC,IAAI,CAAC,GAAG,OAAO,OAAO;QAEtB,OACE,GAAG,UAAU,eACb,GAAG,MAAM,WAAW,GAAG,YAAY,GAAG;SAExC,CACH;aACI;OAEL,MAAM,OAAO;OAEb,MAAM,QADa,MAAM,MAAM,GAAG,GACV,CAAC,KAAK,IAAI;OAElC,IAAI,KACF,GAAG,KAAK,YAAY,QAAQ,OAAO;QACjC,IAAI,GAAG,SAAS,MAAM,OAAO;QAC7B,IAAI,CAAC,GAAG,OAAO,OAAO;QACtB,OAAO,GAAG,UAAU;SACpB,CACH;;YAIH,IAAI,KACF,GAAG,KAAK,YAAY,QACjB,OAAO,GAAG,SAAS,WAAW,QAAQ,CAAC,GAAG,MAC5C,CACF;KAEH,MAAM,UAAU,WAAW;KAC3B,IAAI,SAEF,MAAM,IAAI,QAAQ,OAAO;MACvB,MAAM,aAAa,KAAK,mBAAmB,GAAG;MAC9C,OAAO,CAAC,QAAQ,MAAM,mBAAmB;OACvC,IAAI,mBAAmB,YAAY,OAAO;OAC1C,IAAI,eAAe,SAAS,KAAK,EAAE;QACjC,MAAM,gBAAgB,eAAe,MAAM,GAAG,GAAG;QACjD,OAAO,WAAW,WAAW,GAAG,cAAc,GAAG;;OAEnD,OAAO;QACP;OACF;KAEJ,YAAY,KAAK,GAAG,IAAI;;;GAI5B,OAAO,CAAC,GAAG,IAAI,IAAI,YAAY,QAAQ,OAAO,MAAM,KAAK,CAAC,CAAC;;EAG7D,OAAO,KAAK;;;;;;;;CASd,iBAAwB,SAAsC;EAC5D,IAAI,QAAQ,OAAO,MACjB,OAAO,OAAO,QAAQ,IAAI;EAG5B,IAAI,QAAQ,MAAM,MAChB,OAAO,OAAO,QAAQ,GAAG;EAG3B,IAAI,QAAQ,UAAU,MACpB,OAAO,OAAO,QAAQ,OAAO;EAG/B,MAAM,IAAI,cAAc,2BAA2B;;CAGrD,wBACE,SACoB;EACpB,IAAI,CAAC,SACH;EAEF,IAAI,QAAQ,KACV,OAAO,OAAO,QAAQ,IAAI;;;;;;;CAS9B,oBAA2B,SAAwC;EACjE,OAAO,SAAS,cAAc,SAAS,SAAS,SAAS,EAAE;;CAG7D,sBACE,SACoB;EACpB,IAAI,CAAC,SACH;EAGF,IAAI,QAAQ,SACV,OAAO,QAAQ;EAGjB,IAAI,QAAQ,YACV,OAAO,QAAQ;EAGjB,IAAI,QAAQ,cACV,OAAO,QAAQ;;CAMnB,uBACE,SACoB;EACpB,IAAI,CAAC,SACH;EAGF,IAAI,QAAQ,oBACV,OAAO,QAAQ;EAGjB,IAAI,QAAQ,UACV,OAAO,QAAQ;;CAMnB,oBAA2B,SAAkD;EAC3E,IAAI,CAAC,SACH;EAGF,IAAI,QAAQ,OACV,OAAO,QAAQ;;;;;;;;CAYnB,mBAA0B,SAAsC;EAC9D,IAAI,CAAC,SACH,OAAO,KAAK;EAGd,IAAI,QAAQ,MACV,OAAO,QAAQ;EAGjB,IACE,OAAO,QAAQ,eAAe,YAC9B,OAAO,QAAQ,gBAAgB,UAE/B,OAAO,GAAG,QAAQ,WAAW,GAAG,QAAQ,cAAc,MAAM;EAG9D,OAAO,KAAK;;CAGd,2BACE,SACoB;EACpB,IAAI,CAAC,SACH;EAGF,IAAI,OAAO,QAAQ,iBAAiB,UAClC,OAAO,QAAQ;;;;;;;;;;;ACx4BrB,MAAa,WAAW,YAAqD;CAC3E,OAAO,gBAAgB,iBAAiB,QAAQ;;AAiGlD,IAAa,kBAAb,cAAqC,UAAkC;CACrE,mBAAsC,QAAQ,iBAAiB;CAC/D,mBAAsC,QAAQ,iBAAiB;CAC/D,MAAyB,QAAQ,YAAY;CAC7C,MAAyB,SAAS;CAElC,IAAW,OAAe;EACxB,OAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,wBAAkC;EAC3C,OAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,aAAa,cAAc,CAAC,IAAI,UAAU,CAClE;;CAGH,IAAW,yBAAmC;EAC5C,OAAO,KAAK,iBAAiB,SAC3B,KAAK,QAAQ,UAAU,cAAc,cAAc,CAAC,IAAI,OAAO,CAChE;;CAGH,SAAmB;EACjB,MAAM,QACJ,KAAK,QAAQ,OAAO,KAAK,OAAO;GAC9B,IAAI,OAAO,OAAO,UAAU;IAC1B,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,SAAS,KAAK,SAAS,GAAG;IAC7D,IAAI,CAAC,MACH,MAAM,IAAI,cAAc,SAAS,GAAG,aAAa;IAEnD,OAAO;;GAGT,OAAO;IACP,IAAI,EAAE;EAEV,KAAK,iBAAiB,YAAY;GAChC,MAAM,KAAK;GACX,SAAS,KAAK,QAAQ;GACtB,QAAQ,UAAU,KAAK,UAAU,KAAK,QAAQ,OAAO,KAAK,QAAQ;GAClE;GACA,WAAW,EAAE;GACd,CAAC;EAGF,KAAK,MAAM,YAAY,KAAK,QAAQ,aAAa,EAAE,EACjD,KAAK,iBAAiB,SAAS;EAIjC,KAAK,iBAAiB,KAAK,mBAAmB,CAAC;;;;;CAMjD,oBAA8C;EAC5C,OAAO;GACL,UAAU;GACV,WAAW,OAAO,QAAuB;IACvC,MAAM,OAAO,IAAI,QAAQ;IACzB,IAAI,CAAC,MAAM,WAAW,UAAU,EAC9B,OAAO;IAGT,MAAM,QAAQ,KAAK,MAAM,EAAE;IAG3B,IAAI,CAAC,MAAM,SAAS,IAAI,EACtB,OAAO;IAIT,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;IAGzD,OAAO,KAAK,iBAAiB,sBAC3B,OAAO,SACP,KAAK,KACN;;GAEJ;;;;;;CAOH,iBAAwB,UAAgC;EACtD,KAAK,iBAAiB,iBAAiB,UAAU,KAAK,KAAK;;;;;CAM7D,WAA0B;EACxB,OAAO,KAAK,iBAAiB,SAAS,KAAK,KAAK;;;;;CAMlD,MAAa,SAAS,OAA8B;EAClD,MAAM,KAAK,iBAAiB,YAAY,KAAK,MAAM,MAAM;;;;;CAM3D,cAAqB,MAAoB;EACvC,MAAM,OAAO,KAAK,UAAU,CAAC,MAAM,OAAO,GAAG,SAAS,KAAK;EAC3D,IAAI,CAAC,MACH,MAAM,IAAI,cAAc,SAAS,KAAK,aAAa;EAErD,OAAO;;CAGT,MAAa,WAAW,OAAoC;EAC1D,MAAM,EAAE,WAAW,MAAM,KAAK,IAAI,MAAM,OAAO,KAAK,KAAK;EACzD,OAAO,OAAO;;;;;CAMhB,MAAa,YACX,MACA,cAK8B;EAC9B,IAAI,MAA0B,cAAc;EAC5C,IAAI,gBAAoC,cAAc;EACtD,IAAI,2BACF,cAAc;EAEhB,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,MAAM,MAAM,KAAK,sBAAsB,WAAW;EAExD,IAAI,CAAC,cAAc;GACjB,MAAM,SAAS,KAAK,QAAQ,UAAU;GACtC,IAAI,QAAQ;IAGV,MAAM,YAAY,KAAK,uBAAuB,WAAW;IACzD,MAAM,EAAE,cAAc,cAAc,MAAM,OAAO,MAAM,EACrD,WACD,CAAC;IAEF,gBAAgB;IAChB,2BAA2B;IAC3B,MAAM;UACD;IAIL,MAAM,UAAU;KACd,KAAK,KAAK;KACV,KAAK,MAAM,KAAK,uBAAuB,WAAW;KAClD;KACA,KAAK,KAAK;KACX;IAED,KAAK,IAAI,MAAM,0BAA0B,QAAQ;IAEjD,MAAM,OAAO,YAAY;IACzB,2BAA2B,KAAK,uBAAuB,WAAW;IAClE,gBAAgB,MAAM,KAAK,IAAI,OAAO,SAAS,KAAK,MAAM,EACxD,QAAQ,EACN,KAAK,WACN,EACF,CAAC;;;EAIN,KAAK,IAAI,MAAM,yBAAyB;GACtC,KAAK,KAAK;GACV;GACA;GACA,KAAK,KAAK;GACX,CAAC;EA+BF,OAAO;GARL,cAAA,MArByB,KAAK,IAAI,OAClC;IAEE,KAAK,KAAK;IACV;IACA;IACA,KAAK,KAAK;IACV;IAEA,MAAM,KAAK;IACX,OAAO,KAAK;IACZ,oBAAoB,KAAK;IACzB,SAAS,KAAK;IAEd,cAAc,KAAK;IACnB,OAAO,KAAK;IACb,EACD,KAAK,KACN;GAIC,YAAY;GACZ,YAAY,KAAK,sBAAsB,WAAW;GAClD,WAAW;GACX;GACA;GAGa;;CAGjB,MAAa,aACX,cACA,aAIC;EAID,IAAI,KAAK,QAAQ,UAAU,kBAAkB;GAE3C,MAAM,EAAE,MAAM,WAAW,cACvB,MAAM,KAAK,QAAQ,SAAS,iBAAiB,aAAa;GAS5D,OAAO;IAAE;IAAM,QAAA,MANM,KAAK,YAAY,MAAM;KAC1C,KAAK;KACL,eAAe;KACf,0BAA0B;KAC3B,CAAC;IAEqB;;EAMzB,IAAI,CAAC,aACH,MAAM,IAAI,YAAY,6CAA6C;EAQrE,MAAM,OAAO,MAAM,KAAK,iBAAiB,oBAAoB,aAAa;GACxE,OAAO,KAAK;GACZ,QAAQ,EACN,6BAAa,IAAI,KAAK,EAAE,EACzB;GACF,CAAC;EAGF,MAAM,EACJ,QAAQ,EAAE,cACR,MAAM,KAAK,IAAI,MAAM,cAAc,KAAK,MAAM;GAChD,KAAK;GACL,UAAU,KAAK;GACf,SAAS,KAAK;GACf,CAAC;EAEF,MAAM,MAAM,KAAK,iBAAiB,KAAK,CAAC,MAAM;EAC9C,MAAM,YAAY,QAAQ,MACtB,QAAQ,MAAM,MACd,KAAK,uBAAuB,WAAW;EAE3C,OAAO;GACL;GACA,QAAQ,MAAM,KAAK,YAAY,MAAM;IACnC,KAAK,QAAQ;IACb,eAAe;IACf,0BAA0B;IAC3B,CAAC;GACH;;;AAIL,QAAQ,QAAQ;;;;;;AC9YhB,MAAa,eACX,UAAsC,EAAE,KAChB;CACxB,OAAO,gBAAgB,qBAAqB,QAAQ;;AAwBtD,IAAa,sBAAb,cAAyC,UAAsC;CAC7E,mBAAsC,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;EACxB,OAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,IAAW,QAAgB;EACzB,OAAO,KAAK,QAAQ,SAAS,KAAK,OAAO,QAAQ;;CAGnD,WAA0B;EACxB,OAAO,GAAG,KAAK,MAAM,GAAG,KAAK;;CAG/B,SAAmB;EACjB,KAAK,iBAAiB,iBAAiB;GACrC,MAAM,KAAK;GACX,OAAO,KAAK;GACZ,aAAa,KAAK,QAAQ;GAC3B,CAAC;;;;;CAMJ,IAAW,MAA6B;EACtC,IAAI,CAAC,MAAM,OACT,OAAO;EAGT,OADc,KAAK,iBAAiB,gBAAgB,MAAM,GAAG,KAAK,MACtD,CAAC;;;AAIjB,YAAY,QAAQ;;;;;;AC7DpB,MAAa,SAAS,UAAgC,EAAE,KAAoB;CAC1E,OAAO,gBAAgB,eAAe,QAAQ;;AA4BhD,IAAa,gBAAb,cAAmC,UAAgC;CACjE,mBAAsC,QAAQ,iBAAiB;CAE/D,IAAW,OAAe;EACxB,OAAO,KAAK,QAAQ,QAAQ,KAAK,OAAO;;CAG1C,SAAmB;EACjB,KAAK,iBAAiB,WAAW;GAC/B,GAAG,KAAK;GACR,MAAM,KAAK;GACX,aACE,KAAK,QAAQ,aAAa,KAAK,OAAO;IACpC,IAAI,OAAO,OAAO,UAChB,OAAO,EACL,MAAM,IACP;IAGH,OAAO;KACP,IAAI,EAAE;GACX,CAAC;;;;;CAMJ,IAAW,SAA+C;EACxD,OAAO,KAAK,QAAQ;;CAGtB,IAAW,YAAmD;EAC5D,OAAO,KAAK,iBAAiB,IAAI,KAAK,MAAM,WAAW;;CAGzD,MAAa,YAA0C;EACrD,OAAO,KAAK,iBAAiB,gBAAgB,YAAY,KAAK,KAAK;;;AAMvE,MAAM,QAAQ;;;ACtEd,IAAa,yBAAb,MAAoC;CAClC,MAAyB,SAAS;CAClC,mBAAsC,QAAQ,iBAAiB;CAC/D,cAAiC,QAAQ,YAAY;CACrD,SAA4B,QAAQ,OAAO;CAE3C,kBAAqC,MAAM;EACzC,IAAI;EACJ,UAAU;EACV,SAAS,OAAO,EAAE,cAAc;GAI9B,IAAI,QAAQ,QAAQ,eAClB,IAAI;IACF,MAAM,OACJ,MAAM,KAAK,iBAAiB,6BAA6B,QAAQ;IACnE,IAAI,MAAM;KACR,KAAK,iBAAiB,mBAAmB,KAAK;KAC9C,QAAQ,OAAO;;YAEV,OAAO;IACd,KAAK,IAAI,MACP,4DACA,MACD;;;EAKR,CAAC;CAMF,kBAAqC,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,SAAS;GACvB,IAAI,CAAC,KAAK,QAAQ,MAAM;GAExB,IAAI;GAEJ,IAAI,OAAO,KAAK,QAAQ,SAAS,UAC/B,OAAO,KAAK,QAAQ;QACf,IAAI,KAAK,QAAQ,SAAS,UAC/B,OAAO,KAAK,OAAO,MAAM,IAAI,8BAA8B;QACtD,IAAI,KAAK,QAAQ,SAAS,WAE/B,OADY,KAAK,OAAO,MAAM,IAAI,sBACxB,EAAE;GAGd,IAAI,MACF,KAAK,UAAU,GAAG,gBAAgB,MAAM,MAAM;;EAGnD,CAAC;CAMF,iBAA6C;EAC3C,OAAO;GACL,IAAI,YAAY;GAChB,MAAM;GACN,OAAO,KAAK,iBAAiB,UAAU,CAAC,KAAK,SAAS,KAAK,KAAK;GACjE;;CAGH,kBAAqC,MAAM;EACzC,IAAI;EACJ,SAAS,OAAO,EAAE,SAAS,cAAc;GACvC,IAAI,CAAC,KAAK,OAAO,QAAQ,EACvB;GAIF,IAAI,CAAC,QAAQ,MACX;GAGF,QAAQ,UAAU,IAAI,QAAQ,QAAQ,QAAQ;GAE9C,IAAI,CAAC,QAAQ,QAAQ,IAAI,gBAAgB,EAAE;IACzC,MAAM,OAAO,KAAK,gBAAgB;IAClC,MAAM,OACJ,OAAO,SAAS,SAAS,WAAW,QAAQ,OAAO,KAAA;IACrD,MAAM,MAAM,MAAM,MAAM,KAAK;IAC7B,MAAM,QAAQ,MAAM,SAAS,KAAK;IAElC,MAAM,QAAQ,MAAM,KAAK,YAAY,OACnC;KACE;KACA;KACD,EACD,MAAM,SAAS,KAAK,iBAAiB,WAAW,CAAC,IAAI,KACtD;IAED,QAAQ,QAAQ,IAAI,iBAAiB,UAAU,QAAQ;;;EAG5D,CAAC;;;;;;;;;;ACvGJ,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,OAAgB;CAChB,cAAc;EACZ,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;ACahC,SAAgB,WAAW,SAAuC;CAChE,OAAO,iBAAiB;EACtB,MAAM;EACG;EACT,UAAU,EAAE,QAAQ,WAAW;GAC7B,OAAO,OAAO,GAAG,SAAgB;IAC/B,MAAM,UAAU,OAAO,MAAM,IAAI,sBAAsB;IAEvD,IAAI,CAAC,SAAS,SACZ,MAAM,IAAI,UAAU;KAClB,QAAQ;KACR,SAAS;KACV,CAAC;IAGJ,MAAM,aAAa,QAAQ,QAAQ;IAEnC,IAAI,CAAC,YAAY,WAAW,SAAS,EAAE;KACrC,iBAAiB,QAAQ;KACzB,MAAM,IAAI,UAAU;MAClB,QAAQ;MACR,SAAS;MACV,CAAC;;IAIJ,MAAM,oBAAoB,WAAW,MAAM,EAAE;IAC7C,MAAM,cAAc,OAAO,KAAK,mBAAmB,SAAS,CAAC,SAC3D,QACD;IAGD,MAAM,aAAa,YAAY,QAAQ,IAAI;IAc3C,IAAI,CAPY,0BALd,eAAe,KAAK,YAAY,MAAM,GAAG,WAAW,GAAG,aAEvD,eAAe,KAAK,YAAY,MAAM,aAAa,EAAE,GAAG,IAMxD,QAAQ,UACR,QAAQ,SAGE,EAAE;KACZ,iBAAiB,QAAQ;KACzB,MAAM,IAAI,UAAU;MAClB,QAAQ;MACR,SAAS;MACV,CAAC;;IAGJ,OAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;AAKJ,SAAS,iBAAiB,SAA8B;CACtD,QAAQ,OAAO,UAAU,oBAAoB,8BAA4B;;AAG3E,SAAS,0BACP,eACA,eACA,kBACA,kBACS;CACT,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;CACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;CAC9D,MAAM,eAAe,OAAO,KAAK,eAAe,QAAQ;CACxD,MAAM,kBAAkB,OAAO,KAAK,kBAAkB,QAAQ;CAO9D,QALkB,YAAY,cAAc,gBAK3B,GAJC,YAAY,cAAc,gBAIf,MAAM;;AAGrC,SAAS,YAAY,OAAe,UAA0B;CAC5D,IAAI,MAAM,WAAW,SAAS,QAAQ;EACpC,gBAAgB,OAAO,MAAM;EAC7B,OAAO;;CAET,OAAO,gBAAgB,OAAO,SAAS,GAAG,IAAI;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC7BhD,SAAgB,QAAQ,SAAqC;CAC3D,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CAGxD,IAAI,SAAS,aAAa,QACxB,KAAK,MAAM,QAAQ,QAAQ,aACzB,iBAAiB,iBAAiB,KAAK;CAI3C,OAAO,iBAAiB;EACtB,MAAM;EACN,SAAU,WAAkD,KAAA;EAC5D,UAAU,EAAE,QAAQ,WAAW;GAC7B,OAAO,OAAO,GAAG,SAAgB;IAC/B,IAAI;IAGJ,OAAO,OAAO,MAAM,IAAI,gBAAgB;IAGxC,IAAI,CAAC,MAAM;KACT,MAAM,cAAc,OAAO,MAAM,IAAI,sBAAsB;KAC3D,IAAI,aAAa;MAEf,OAAO,YAAY;MAGnB,IAAI,CAAC,MACH,OAAO,MAAM,iBAAiB,6BAC5B,aACA,EAAE,OAAO,SAAS,UAAU,IAAI,CACjC;;;IAMP,IAAI,CAAC,MACH,MAAM,IAAI,kBAAkB,0BAA0B;IAIxD,iBAAiB,aAAa,MAAM,SAAS,QAAQ;IAGrD,IAAI,SAAS,OAAO;SAId,CAHY,QAAQ,MAAM,MAAM,SAClC,KAAM,OAAO,SAAS,KAAK,CAEjB,EACV,MAAM,IAAI,eACR,iBAAiB,QAAQ,MAAM,KAAK,OAAO,CAAC,YAC7C;;IAKL,IAAI,SAAS,aAAa,QACxB,KAAK,MAAM,QAAQ,QAAQ,aAAa;KACtC,MAAM,SAAS,iBAAiB,gBAC9B,MACA,GAAI,KAAK,SAAS,EAAE,CACrB;KACD,IAAI,CAAC,OAAO,cACV,MAAM,IAAI,eACR,eAAe,OAAO,SAAS,WAAW,OAAO,KAAK,KAAK,YAC5D;KAEH,OAAO;MAAE,GAAG;MAAM,WAAW,OAAO;MAAW;;IAKnD,IAAI,SAAS;SACP,CAAC,QAAQ,MAAM,KAAK,EACtB,MAAM,IAAI,eAAe,gBAAgB;;IAK7C,iBAAiB,mBAAmB,KAAK;IAEzC,MAAM,cAAc,OAAO,MAAM,IAAI,uBAAuB,UAAU;IACtE,IAAI,aACF,YAAY,OAAO;IAGrB,MAAM,gBAAgB,OAAO,MAAM,IACjC,yBACA,UACD;IACD,IAAI,eACF,cAAc,OAAO;IAGvB,OAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;ACxJJ,MAAa,mBACX,YAC4B;CAC5B,MAAM,EAAE,WAAW,UAAU;CAC7B,MAAM,QAEF,EAAE;CACN,MAAM,mBAAmB,OAAO,OAAO,iBAAiB;CACxD,MAAM,cAAc,QAAQ,eAAe;CAE3C,MAAM,cAAc,aAA8C;EAChE,MAAM,QAAQ;GACZ,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC;;CAGH,MAAM,0BAA0B;EAC9B,IAAI,MAAM,OAAO;GACf,MAAM,EAAE,cAAc,YAAY,cAAc,MAAM;GACtD,IAAI,CAAC,YACH,OAAO;GAGT,MAAM,MAAM,iBAAiB,KAAK,CAAC,MAAM;GAGzC,IAFgB,YAAY,aAEd,cAAc,KAC1B,OAAO;;;CAKb,IAAI,YAAY,SAAS;EACvB,MAAM,EAAE,KAAK,UAAU,iBAAiB,QAAQ;EAEhD,MAAM,QAAQ,YAAY;GACxB,MAAM,iBAAiB,mBAAmB;GAC1C,IAAI,gBACF,OAAO;GAGT,IAAI;GACJ,IAAI;IACF,WAAW,MAAM,MAAM,KAAK;KAC1B,QAAQ;KACR,SAAS,EACP,gBAAgB,qCACjB;KACD,MAAM,IAAI,gBAAgB;MACxB,YAAY;MACZ,WAAW;MACX,eAAe;MAChB,CAAC;KACH,CAAC;YACK,OAAO;IACd,MAAM,IAAI,YACR,qCAAqC,IAAI,IAAI,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACpG;;GAIH,IAAI,CAAC,SAAS,IAAI;IAChB,IAAI,eAAe,QAAQ,SAAS,OAAO,GAAG,SAAS;IACvD,IAAI;KACF,MAAM,YAAY,MAAM,SAAS,MAAM;KACvC,gBAAgB,KAAK;YACf;IAGR,MAAM,IAAI,YAAY,iCAAiC,eAAe;;GAIxE,IAAI;GACJ,IAAI;IACF,OAAO,MAAM,SAAS,MAAM;YACrB,OAAO;IACd,MAAM,IAAI,YACR,kDAAkD,iBAAiB,QAAQ,MAAM,UAAU,OAAO,MAAM,GACzG;;GAIH,IAAI,CAAC,KAAK,gBAAgB,CAAC,KAAK,YAC9B,MAAM,IAAI,YACR,gFAAgF,KAAK,UAAU,KAAK,GACrG;GAGH,WAAW,KAAK;GAEhB,OAAO,KAAK;;EAGd,OAAO,EACL,OACD;;CAGH,OAAO,EACL,OAAO,YAAY;EACjB,MAAM,iBAAiB,mBAAmB;EAC1C,IAAI,gBACF,OAAO;EAGT,MAAM,QAAQ,MAAM,QAAQ,OAAO,YAAY,QAAQ,KAAK;EAE5D,WAAW;GACT,GAAG;GACH,WAAW,iBAAiB,KAAK,CAAC,MAAM;GACzC,CAAC;EAEF,OAAO,MAAM;IAEhB;;;;AClJH,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;;;;;;;;;;;;;;;;;AC2DF,MAAa,iBAAiB,QAAQ;CACpC,MAAM;CACN,YAAY;EAAC;EAAS;EAAO;EAAY;CACzC,OAAO,CAAC,gBAAgB;CACxB,UAAU;EAAC;EAAkB;EAAa;EAAuB;CAClE,CAAC"}