arc-1 0.7.1 → 0.8.0

package/dist/server/http.d.ts

@@ -25,8 +25,33 @@
  * 4. Health endpoint is always unauthenticated — needed for CF health checks.
  */
 import type { Server as McpServer } from '@modelcontextprotocol/sdk/server/index.js';
+import express from 'express';
 import type { ServerConfig } from './types.js';
 import type { XsuaaCredentials } from './xsuaa.js';
+/**
+ * Apply security headers (helmet) and opt-in CORS to an Express app.
+ *
+ * helmet runs unconditionally — every response (including /health, /mcp,
+ * OAuth endpoints) gets HSTS, CSP, X-Frame-Options, etc. Native MCP clients
+ * ignore these; they exist to harden the server when a browser ever reaches
+ * it.
+ *
+ * COOP is **disabled** explicitly because Microsoft Copilot Studio (and any
+ * other connector platform that uses popup-based OAuth) breaks when the
+ * /authorize response sets any non-default COOP. The popup completes the
+ * flow server-side, but the parent window's `window.open()` reference is
+ * nulled by COOP isolation — Copilot Studio sees this as "consent pop-up
+ * window has been closed unexpectedly". ARC-1 renders no JS UI that would
+ * benefit from cross-origin isolation, so dropping COOP costs nothing.
+ *
+ * CORS is OFF by default (empty `allowedOrigins`). When enabled it uses
+ * `credentials: true` plus exact-origin reflection — disallowed origins are
+ * silently dropped by the browser and surfaced server-side as `cors_rejected`
+ * audit events.
+ *
+ * Exported for unit tests; also called from `startHttpServer` below.
+ */
+export declare function applySecurityMiddleware(app: express.Application, allowedOrigins: string[]): void;
 /**
  * Start the HTTP Streamable server.
  */

package/dist/server/http.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAQrF,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAuEnD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAmMf;AA2GD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAiC5E"}
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAE,MAAM,IAAI,SAAS,EAAE,MAAM,2CAA2C,CAAC;AAIrF,OAAO,OAAO,MAAM,SAAS,CAAC;AAM9B,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAoCnD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,WAAW,EAAE,cAAc,EAAE,MAAM,EAAE,GAAG,IAAI,CA6DhG;AAuCD;;GAEG;AACH,wBAAsB,eAAe,CACnC,aAAa,EAAE,MAAM,SAAS,EAC9B,MAAM,EAAE,YAAY,EACpB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,IAAI,CAAC,CAoQf;AA2GD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,CAiC5E"}

package/dist/server/http.js

@@ -25,7 +25,9 @@
  * 4. Health endpoint is always unauthenticated — needed for CF health checks.
  */
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import cors from 'cors';
 import express from 'express';
+import helmet from 'helmet';
 import { expandScopes } from '../authz/policy.js';
 import { API_KEY_PROFILES } from './config.js';
 import { logger } from './logger.js';
@@ -55,6 +57,87 @@ function matchApiKey(token, config) {
 // ─── JWKS / JWT types (lazy-loaded from jose) ────────────────────────
 let joseModule = null;
 let jwksClient = null;
+// ─── Security Middleware (helmet + opt-in CORS) ──────────────────────
+/**
+ * Apply security headers (helmet) and opt-in CORS to an Express app.
+ *
+ * helmet runs unconditionally — every response (including /health, /mcp,
+ * OAuth endpoints) gets HSTS, CSP, X-Frame-Options, etc. Native MCP clients
+ * ignore these; they exist to harden the server when a browser ever reaches
+ * it.
+ *
+ * COOP is **disabled** explicitly because Microsoft Copilot Studio (and any
+ * other connector platform that uses popup-based OAuth) breaks when the
+ * /authorize response sets any non-default COOP. The popup completes the
+ * flow server-side, but the parent window's `window.open()` reference is
+ * nulled by COOP isolation — Copilot Studio sees this as "consent pop-up
+ * window has been closed unexpectedly". ARC-1 renders no JS UI that would
+ * benefit from cross-origin isolation, so dropping COOP costs nothing.
+ *
+ * CORS is OFF by default (empty `allowedOrigins`). When enabled it uses
+ * `credentials: true` plus exact-origin reflection — disallowed origins are
+ * silently dropped by the browser and surfaced server-side as `cors_rejected`
+ * audit events.
+ *
+ * Exported for unit tests; also called from `startHttpServer` below.
+ */
+export function applySecurityMiddleware(app, allowedOrigins) {
+    const hasCorsOrigins = allowedOrigins.length > 0;
+    app.use(helmet({
+        // COOP is disabled — see function docstring for rationale (Copilot Studio
+        // popup-based OAuth requires no COOP on /authorize).
+        crossOriginOpenerPolicy: false,
+        crossOriginResourcePolicy: hasCorsOrigins ? { policy: 'cross-origin' } : undefined,
+        // useDefaults keeps every other helmet directive intact (frame-ancestors
+        // 'self', object-src 'none', base-uri 'self', form-action 'self',
+        // upgrade-insecure-requests, …); we only relax style-src for any inline
+        // styles that browser-facing UIs may need.
+        contentSecurityPolicy: hasCorsOrigins
+            ? {
+                useDefaults: true,
+                directives: {
+                    'style-src': ["'self'", "'unsafe-inline'"],
+                },
+            }
+            : undefined,
+    }));
+    if (hasCorsOrigins) {
+        const allowed = new Set(allowedOrigins);
+        app.use(cors({
+            origin: (origin, callback) => {
+                if (!origin) {
+                    // Same-origin requests, server-to-server, curl: no Origin header.
+                    // Pass through without echoing CORS headers.
+                    callback(null, false);
+                    return;
+                }
+                callback(null, allowed.has(origin));
+            },
+            methods: ['GET', 'POST', 'DELETE', 'OPTIONS'],
+            allowedHeaders: ['Content-Type', 'Authorization', 'mcp-session-id'],
+            exposedHeaders: ['mcp-session-id'],
+            credentials: true,
+        }));
+        // Audit hook for blocked origins. Re-checks the origin against the
+        // allowlist and emits cors_rejected when it didn't match. Browsers drop
+        // the response either way; this gives us a server-side signal for triage.
+        app.use((req, _res, next) => {
+            const origin = req.headers.origin;
+            if (typeof origin === 'string' && origin.length > 0 && !allowed.has(origin)) {
+                logger.emitAudit({
+                    timestamp: new Date().toISOString(),
+                    level: 'warn',
+                    event: 'cors_rejected',
+                    origin,
+                    method: req.method,
+                    path: req.path,
+                });
+            }
+            next();
+        });
+        logger.info('CORS enabled', { origins: allowedOrigins });
+    }
+}
 // ─── MCP Request Handler ─────────────────────────────────────────────
 /**
  * Create an Express handler that processes MCP requests.
@@ -102,6 +185,7 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
     // Trust first proxy (CF gorouter) — required for express-rate-limit
     // and correct client IP detection behind CF's reverse proxy.
     app.set('trust proxy', 1);
+    applySecurityMiddleware(app, config.allowedOrigins);
     app.use(express.json());
     app.use(express.urlencoded({ extended: false }));
     const mcpHandler = createMcpHandler(serverFactory);
@@ -134,7 +218,9 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
         // Determine app URL for OAuth metadata
         const appUrl = getAppUrl() ?? `http://${bindHost}:${port}`;
         // Create XSUAA provider + chained verifier
-        const { provider, clientStore } = createXsuaaOAuthProvider(xsuaaCredentials, appUrl);
+        const { provider, clientStore } = createXsuaaOAuthProvider(xsuaaCredentials, appUrl, {
+            dcrTtlSeconds: config.oauthDcrTtlSeconds,
+        });
         const xsuaaVerifier = createXsuaaTokenVerifier(xsuaaCredentials);
         const oidcVerifier = config.oidcIssuer ? await createOidcVerifier(config) : undefined;
         const chainedVerifier = createChainedTokenVerifier(config, xsuaaVerifier, oidcVerifier);
@@ -198,17 +284,73 @@ export async function startHttpServer(serverFactory, config, xsuaaCredentials) {
             }
             next();
         });
-        // Install MCP SDK auth router at root (OAuth endpoints + DCR)
-        // resourceServerUrl must point to /mcp so that the protected resource
-        // metadata is served at /.well-known/oauth-protected-resource/mcp
-        // (per RFC 9728). Without this, MCP clients can't discover the
-        // resource endpoint and may send JSON-RPC to the wrong path.
+        // ─── Path-prefix-aware OAuth metadata override ────────────────
+        // The MCP SDK's `mcpAuthRouter` builds endpoint URLs with
+        // `new URL("/authorize", baseUrl).href`, which strips any path component
+        // from baseUrl ("https://api/arc1" → "https://api/authorize"). When arc-1
+        // is fronted by SAP API Management with a base path like /arc1, that
+        // produces metadata pointing at the wrong URL — clients then call
+        // `https://api/authorize` directly and bypass (or 404 on) the proxy.
+        //
+        // Override: if appUrl has a non-root path, mount custom GET handlers for
+        // both well-known endpoints BEFORE the SDK router so they win the route
+        // match. The handlers emit prefix-aware absolute URLs. The actual OAuth
+        // endpoints (/authorize, /token, /register, /revoke) stay at the root of
+        // arc-1's Express app — the proxy strips its base path before forwarding,
+        // so they resolve correctly without further changes.
+        const parsedAppUrl = new URL(appUrl);
+        const basePath = parsedAppUrl.pathname.replace(/\/$/, ''); // '' for root, '/arc1' otherwise
+        const fullBase = `${parsedAppUrl.origin}${basePath}`; // 'https://api/arc1' or 'https://api'
+        const scopesSupported = ['read', 'write', 'data', 'sql', 'transports', 'git', 'admin'];
+        if (basePath) {
+            const customAuthMetadata = {
+                issuer: `${fullBase}/`,
+                authorization_endpoint: `${fullBase}/authorize`,
+                response_types_supported: ['code'],
+                code_challenge_methods_supported: ['S256'],
+                token_endpoint: `${fullBase}/token`,
+                token_endpoint_auth_methods_supported: ['client_secret_post', 'none'],
+                grant_types_supported: ['authorization_code', 'refresh_token'],
+                scopes_supported: scopesSupported,
+                revocation_endpoint: `${fullBase}/revoke`,
+                revocation_endpoint_auth_methods_supported: ['client_secret_post'],
+                registration_endpoint: `${fullBase}/register`,
+            };
+            const customResourceMetadata = {
+                resource: `${fullBase}/mcp`,
+                authorization_servers: [`${fullBase}/`],
+                scopes_supported: scopesSupported,
+                resource_name: 'ARC-1 SAP MCP Server',
+            };
+            app.get('/.well-known/oauth-authorization-server', (_req, res) => {
+                res.json(customAuthMetadata);
+            });
+            // Serve PRM at BOTH the root path (where MCP clients look by default after
+            // a strip-prefix proxy hop) and at the prefixed path the SDK would have
+            // used — defensive in case some clients don't strip.
+            app.get('/.well-known/oauth-protected-resource/mcp', (_req, res) => {
+                res.json(customResourceMetadata);
+            });
+            app.get(`/.well-known/oauth-protected-resource${basePath}/mcp`, (_req, res) => {
+                res.json(customResourceMetadata);
+            });
+            logger.info('OAuth metadata override active (path-prefix mode)', {
+                publicUrl: fullBase,
+                basePath,
+            });
+        }
+        // Install MCP SDK auth router at root (OAuth endpoints + DCR).
+        // For root-path deployments (no basePath) the SDK's metadata is correct
+        // as-is and serves both well-known endpoints. For prefix deployments the
+        // custom handlers above shadow the SDK's metadata routes; the SDK still
+        // serves /authorize, /token, /register, /revoke at root which is what we
+        // want.
         app.use(mcpAuthRouter({
             provider,
             issuerUrl: new URL(appUrl),
             baseUrl: new URL(appUrl),
             resourceServerUrl: new URL(`${appUrl}/mcp`),
-            scopesSupported: ['read', 'write', 'data', 'sql', 'transports', 'git', 'admin'],
+            scopesSupported,
             resourceName: 'ARC-1 SAP MCP Server',
         }));
         // Protected MCP endpoint with chained token verification

package/dist/server/http.js.map

@@ -1 +1 @@
-{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AAEnG,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wEAAwE;AAExE;;;GAGG;AACH,SAAS,WAAW,CAClB,KAAa,EACb,MAAoB;IAEpB,8FAA8F;IAC9F,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,KAAK,KAAK,KAAK,CAAC,GAAG,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,4DAA4D;oBAC5D,OAAO,SAAS,CAAC;gBACnB,CAAC;gBACD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC5C,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAClF,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE,IAAI,UAAU,GAAiC,IAAI,CAAC;AACpD,IAAI,UAAU,GAAgE,IAAI,CAAC;AAEnF,wEAAwE;AAExE;;;GAGG;AACH,SAAS,gBAAgB,CAAC,aAA8B;IACtD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3C,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YAClC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;YACnB,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM;YAC5B,MAAM,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE;SACrB,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;gBAClD,kBAAkB,EAAE,SAAS,EAAE,iBAAiB;aACjD,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,8DAA8D;YAC9D,uEAAuE;YACvE,qEAAqE;YACrE,kEAAkE;YAClE,qEAAqE;YACrE,oDAAoD;YACpD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/F,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAA8B,EAC9B,MAAoB,EACpB,gBAAmC;IAEnC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,IAAI,SAAS,CAAC;IAEnC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,oEAAoE;IACpE,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAC1B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACxB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAEnD,+DAA+D;IAC/D,2DAA2D;IAC3D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC1B,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE;YAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClD,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa;YACpC,EAAE,EAAE,GAAG,CAAC,EAAE;SACX,CAAC,CAAC;QACH,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,2EAA2E;IAC3E,gFAAgF;IAChF,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,iDAAiD,CAAC,CAAC;QAC1F,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,gEAAgE,CAAC,CAAC;QAC7G,MAAM,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CACrG,YAAY,CACb,CAAC;QACF,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAEpD,uCAAuC;QACvC,MAAM,MAAM,GAAG,SAAS,EAAE,IAAI,UAAU,QAAQ,IAAI,IAAI,EAAE,CAAC;QAE3D,2CAA2C;QAC3C,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACrF,MAAM,aAAa,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,eAAe,GAAG,0BAA0B,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;QAExF,uFAAuF;QACvF,yFAAyF;QACzF,MAAM,mBAAmB,GAAG,GAAG,MAAM,2CAA2C,CAAC;QACjF,MAAM,UAAU,GAAG,iBAAiB,CAAC;YACnC,QAAQ,EAAE,EAAE,iBAAiB,EAAE,eAAe,EAAE;YAChD,mBAAmB;SACpB,CAAC,CAAC;QAEH,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,iDAAiD;QACjD,EAAE;QACF,sEAAsE;QACtE,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACvC,2DAA2D;YAC3D,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE;oBAChE,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;oBAC1B,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE;oBACf,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACnD,CAAC,CAAC;gBACH,qEAAqE;gBACrE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAa,EAAE,EAAE;oBACrC,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,GAAG,CAAC,CAAC;wBACV,OAAO;oBACT,CAAC;oBACD,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACvB,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBACtC,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBACnB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;gBACzE,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;gBACjD,MAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;oBAC7D,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS;iBAC9B,CAAC,CAAC;YACL,CAAC;YAED,kEAAkE;YAClE,qEAAqE;YACrE,sEAAsE;YACtE,wEAAwE;YACxE,qEAAqE;YACrE,uEAAuE;YACvE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;YAC5D,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAS,CAAC;YACnC,IAAI,QAAQ,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC/D,WAAW,CAAC,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YACvD,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,CAAC;QAEH,8DAA8D;QAC9D,sEAAsE;QACtE,kEAAkE;QAClE,+DAA+D;QAC/D,6DAA6D;QAC7D,GAAG,CAAC,GAAG,CACL,aAAa,CAAC;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YAC1B,OAAO,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YACxB,iBAAiB,EAAE,IAAI,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC;YAC3C,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,OAAO,CAAC;YAC/E,YAAY,EAAE,sBAAsB;SACrC,CAAC,CACH,CAAC;QAEF,yDAAyD;QACzD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAExC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,SAAS,EAAE,gBAAgB,CAAC,SAAS;YACrC,MAAM;SACP,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC5D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACxC,kFAAkF;YAClF,iFAAiF;YACjF,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,gEAAgE,CAAC,CAAC;YAC7G,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,QAAQ,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;YACpF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,mCAAmC;YACnC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iEAAiE,EAAE,CAAC,CAAC;IACrG,CAAC,CAAC,CAAC;IAEH,8DAA8D;IAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;QACjD,IAAI,QAAQ,GAAG,aAAa,CAAC;QAC7B,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB;YAAE,QAAQ,GAAG,mBAAmB,CAAC;aACpE,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,iBAAiB,CAAC;aACtE,IAAI,MAAM,CAAC,OAAO;YAAE,QAAQ,GAAG,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,QAAQ,CAAC;aAC1E,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,MAAM,CAAC;QAE9C,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,IAAI,EAAE,GAAG,QAAQ,IAAI,IAAI,EAAE;YAC3B,MAAM,EAAE,UAAU,QAAQ,IAAI,IAAI,SAAS;YAC3C,GAAG,EAAE,UAAU,QAAQ,IAAI,IAAI,MAAM;YACrC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,oFAAoF;IACpF,gDAAgD;IAChD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;QACpD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9B,MAAM,CAAC,KAAK,CACV,QAAQ,IAAI,yHAAyH,EACrI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CACzB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,uEAAuE;AAEvE;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,MAAoB;IAEpB,OAAO,KAAK,EAAE,KAAa,EAAE,EAAE;QAC7B,mEAAmE;QACnE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,iDAAiD,CAAC,CAAC;QAE9F,qDAAqD;QACrD,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,qFAAqF;YACrF,MAAM,aAAa,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;YACzC,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,aAAa;aACzD,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC/B,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBACpC,CAAC;gBACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;gBAChF,CAAC;gBACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;oBAChE,MAAM,EAAE,MAAM,CAAC,UAAU;oBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;oBAC7B,cAAc,EAAE,CAAC,KAAK,CAAC;oBACvB,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC5F,CAAC,CAAC;gBAEH,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;gBAEpF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAE1C,OAAO;oBACL,KAAK;oBACL,QAAQ,EAAG,OAAO,CAAC,GAAc,IAAK,OAAO,CAAC,GAAc,IAAI,WAAW;oBAC3E,MAAM;oBACN,SAAS,EAAE,OAAO,CAAC,GAAG;oBACtB,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;iBAC9C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,4EAA4E;gBAC5E,IAAI,GAAG,YAAY,iBAAiB;oBAAE,MAAM,GAAG,CAAC;gBAChD,MAAM,IAAI,iBAAiB,CAAE,GAAa,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QAED,MAAM,IAAI,iBAAiB,CAAC,sCAAsC,CAAC,CAAC;IACtE,CAAC,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAC/B,MAAoB;IAEpB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAW,CAAC,CAAC;IAEnC,OAAO,KAAK,EAAE,KAAa,EAAE,EAAE;QAC7B,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;YAChE,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;YAC7B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5F,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAE3E,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAE1C,OAAO;YACL,KAAK;YACL,QAAQ,EAAG,OAAO,CAAC,GAAc,IAAK,OAAO,CAAC,GAAc,IAAI,WAAW;YAC3E,MAAM;YACN,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;SAC9C,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAgC;IAChE,IAAI,SAA+B,CAAC;IAEpC,wCAAwC;IACxC,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACtC,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,6FAA6F;SACxF,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACzC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACtC,SAAS,GAAI,OAAO,CAAC,GAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7F,CAAC;IAED,oDAAoD;IACpD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,gEAAgE;YAC9D,8EAA8E,CACjF,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAED,yBAAyB;IACzB,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnE,uEAAuE;IACvE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,4EAA4E,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QACzG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,MAAc;IACpC,IAAI,UAAU,IAAI,UAAU;QAAE,OAAO;IAErC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;QAC1G,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACtD,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAyB,CAAC;QAEvE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,+CAA+C,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,UAAU,GAAG,UAAU,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;YAC7C,MAAM;YACN,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}
+{"version":3,"file":"http.js","sourceRoot":"","sources":["../../src/server/http.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,IAAI,MAAM,MAAM,CAAC;AAExB,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAItC,wEAAwE;AAExE;;;GAGG;AACH,SAAS,WAAW,CAClB,KAAa,EACb,MAAoB;IAEpB,8FAA8F;IAC9F,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnC,IAAI,KAAK,KAAK,KAAK,CAAC,GAAG,EAAE,CAAC;gBACxB,MAAM,OAAO,GAAG,gBAAgB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;gBAChD,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,4DAA4D;oBAC5D,OAAO,SAAS,CAAC;gBACnB,CAAC;gBACD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;gBAC5C,OAAO,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,WAAW,KAAK,CAAC,OAAO,EAAE,EAAE,CAAC;YAClF,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,wEAAwE;AAExE,IAAI,UAAU,GAAiC,IAAI,CAAC;AACpD,IAAI,UAAU,GAAgE,IAAI,CAAC;AAEnF,wEAAwE;AAExE;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAwB,EAAE,cAAwB;IACxF,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC;IACjD,GAAG,CAAC,GAAG,CACL,MAAM,CAAC;QACL,0EAA0E;QAC1E,qDAAqD;QACrD,uBAAuB,EAAE,KAAK;QAC9B,yBAAyB,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,cAAuB,EAAE,CAAC,CAAC,CAAC,SAAS;QAC3F,yEAAyE;QACzE,kEAAkE;QAClE,wEAAwE;QACxE,2CAA2C;QAC3C,qBAAqB,EAAE,cAAc;YACnC,CAAC,CAAC;gBACE,WAAW,EAAE,IAAI;gBACjB,UAAU,EAAE;oBACV,WAAW,EAAE,CAAC,QAAQ,EAAE,iBAAiB,CAAC;iBAC3C;aACF;YACH,CAAC,CAAC,SAAS;KACd,CAAC,CACH,CAAC;IAEF,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,CAAC;QACxC,GAAG,CAAC,GAAG,CACL,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,MAAM,EAAE,QAAQ,EAAE,EAAE;gBAC3B,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,kEAAkE;oBAClE,6CAA6C;oBAC7C,QAAQ,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;oBACtB,OAAO;gBACT,CAAC;gBACD,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;YACtC,CAAC;YACD,OAAO,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC;YAC7C,cAAc,EAAE,CAAC,cAAc,EAAE,eAAe,EAAE,gBAAgB,CAAC;YACnE,cAAc,EAAE,CAAC,gBAAgB,CAAC;YAClC,WAAW,EAAE,IAAI;SAClB,CAAC,CACH,CAAC;QACF,mEAAmE;QACnE,wEAAwE;QACxE,0EAA0E;QAC1E,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;YAC1B,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;YAClC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC5E,MAAM,CAAC,SAAS,CAAC;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;oBACnC,KAAK,EAAE,MAAM;oBACb,KAAK,EAAE,eAAe;oBACtB,MAAM;oBACN,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,IAAI,EAAE,GAAG,CAAC,IAAI;iBACf,CAAC,CAAC;YACL,CAAC;YACD,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,CAAC;QACH,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,SAAS,gBAAgB,CAAC,aAA8B;IACtD,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3C,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE;YAClC,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;YACnB,UAAU,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM;YAC5B,MAAM,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE;SACrB,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,aAAa,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;gBAClD,kBAAkB,EAAE,SAAS,EAAE,iBAAiB;aACjD,CAAC,CAAC;YACH,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,8DAA8D;YAC9D,uEAAuE;YACvE,qEAAqE;YACrE,kEAAkE;YAClE,qEAAqE;YACrE,oDAAoD;YACpD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC/F,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;gBACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;IACH,CAAC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,aAA8B,EAC9B,MAAoB,EACpB,gBAAmC;IAEnC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnD,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,IAAI,MAAM,EAAE,EAAE,CAAC,CAAC;IACpD,MAAM,QAAQ,GAAG,IAAI,IAAI,SAAS,CAAC;IAEnC,MAAM,GAAG,GAAG,OAAO,EAAE,CAAC;IACtB,oEAAoE;IACpE,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC;IAE1B,uBAAuB,CAAC,GAAG,EAAE,MAAM,CAAC,cAAc,CAAC,CAAC;IAEpD,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IACxB,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;IACjD,MAAM,UAAU,GAAG,gBAAgB,CAAC,aAAa,CAAC,CAAC;IAEnD,+DAA+D;IAC/D,2DAA2D;IAC3D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE;QAC1B,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE;YAC3B,MAAM,EAAE,GAAG,CAAC,MAAM;YAClB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;YACxC,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClD,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,aAAa;YACpC,EAAE,EAAE,GAAG,CAAC,EAAE;SACX,CAAC,CAAC;QACH,IAAI,EAAE,CAAC;IACT,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,2EAA2E;IAC3E,gFAAgF;IAChF,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAC3C,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;QAC/B,GAAG,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,4DAA4D;IAC5D,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB,EAAE,CAAC;QACzC,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,iDAAiD,CAAC,CAAC;QAC1F,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,gEAAgE,CAAC,CAAC;QAC7G,MAAM,EAAE,wBAAwB,EAAE,0BAA0B,EAAE,wBAAwB,EAAE,GAAG,MAAM,MAAM,CACrG,YAAY,CACb,CAAC;QACF,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAEpD,uCAAuC;QACvC,MAAM,MAAM,GAAG,SAAS,EAAE,IAAI,UAAU,QAAQ,IAAI,IAAI,EAAE,CAAC;QAE3D,2CAA2C;QAC3C,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,GAAG,wBAAwB,CAAC,gBAAgB,EAAE,MAAM,EAAE;YACnF,aAAa,EAAE,MAAM,CAAC,kBAAkB;SACzC,CAAC,CAAC;QACH,MAAM,aAAa,GAAG,wBAAwB,CAAC,gBAAgB,CAAC,CAAC;QACjE,MAAM,YAAY,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,kBAAkB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,eAAe,GAAG,0BAA0B,CAAC,MAAM,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;QAExF,uFAAuF;QACvF,yFAAyF;QACzF,MAAM,mBAAmB,GAAG,GAAG,MAAM,2CAA2C,CAAC;QACjF,MAAM,UAAU,GAAG,iBAAiB,CAAC;YACnC,QAAQ,EAAE,EAAE,iBAAiB,EAAE,eAAe,EAAE;YAChD,mBAAmB;SACpB,CAAC,CAAC;QAEH,uEAAuE;QACvE,sEAAsE;QACtE,uEAAuE;QACvE,wEAAwE;QACxE,iDAAiD;QACjD,EAAE;QACF,sEAAsE;QACtE,mEAAmE;QACnE,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;YACvC,2DAA2D;YAC3D,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;gBAC/C,MAAM,CAAC,IAAI,CAAC,oDAAoD,EAAE;oBAChE,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,MAAM;oBAC1B,EAAE,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE;oBACf,SAAS,EAAE,GAAG,CAAC,OAAO,CAAC,YAAY,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACnD,CAAC,CAAC;gBACH,qEAAqE;gBACrE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAa,EAAE,EAAE;oBACrC,IAAI,GAAG,EAAE,CAAC;wBACR,IAAI,CAAC,GAAG,CAAC,CAAC;wBACV,OAAO;oBACT,CAAC;oBACD,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;gBACvB,CAAC,CAAC,CAAC;gBACH,OAAO;YACT,CAAC;YAED,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE;gBACtC,MAAM,EAAE,GAAG,CAAC,MAAM;gBAClB,WAAW,EAAE,GAAG,CAAC,OAAO,CAAC,cAAc,CAAC;gBACxC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI;gBACnB,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE;gBAC/C,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;gBACzE,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,EAAE,CAAC;gBACjD,MAAM,CAAC,KAAK,CAAC,gDAAgD,EAAE;oBAC7D,SAAS,EAAE,GAAG,CAAC,IAAI,CAAC,SAAS;iBAC9B,CAAC,CAAC;YACL,CAAC;YAED,kEAAkE;YAClE,qEAAqE;YACrE,sEAAsE;YACtE,wEAAwE;YACxE,qEAAqE;YACrE,uEAAuE;YACvE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC;YAC5D,MAAM,WAAW,GAAG,MAAM,EAAE,YAAY,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,EAAE,SAAS,CAAC;YACnC,IAAI,QAAQ,IAAI,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC/D,WAAW,CAAC,iBAAiB,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;YACvD,CAAC;YAED,IAAI,EAAE,CAAC;QACT,CAAC,CAAC,CAAC;QAEH,iEAAiE;QACjE,0DAA0D;QAC1D,yEAAyE;QACzE,0EAA0E;QAC1E,qEAAqE;QACrE,kEAAkE;QAClE,qEAAqE;QACrE,EAAE;QACF,yEAAyE;QACzE,wEAAwE;QACxE,wEAAwE;QACxE,yEAAyE;QACzE,0EAA0E;QAC1E,qDAAqD;QACrD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,MAAM,QAAQ,GAAG,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,iCAAiC;QAC5F,MAAM,QAAQ,GAAG,GAAG,YAAY,CAAC,MAAM,GAAG,QAAQ,EAAE,CAAC,CAAC,sCAAsC;QAC5F,MAAM,eAAe,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAEvF,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,kBAAkB,GAAG;gBACzB,MAAM,EAAE,GAAG,QAAQ,GAAG;gBACtB,sBAAsB,EAAE,GAAG,QAAQ,YAAY;gBAC/C,wBAAwB,EAAE,CAAC,MAAM,CAAC;gBAClC,gCAAgC,EAAE,CAAC,MAAM,CAAC;gBAC1C,cAAc,EAAE,GAAG,QAAQ,QAAQ;gBACnC,qCAAqC,EAAE,CAAC,oBAAoB,EAAE,MAAM,CAAC;gBACrE,qBAAqB,EAAE,CAAC,oBAAoB,EAAE,eAAe,CAAC;gBAC9D,gBAAgB,EAAE,eAAe;gBACjC,mBAAmB,EAAE,GAAG,QAAQ,SAAS;gBACzC,0CAA0C,EAAE,CAAC,oBAAoB,CAAC;gBAClE,qBAAqB,EAAE,GAAG,QAAQ,WAAW;aAC9C,CAAC;YACF,MAAM,sBAAsB,GAAG;gBAC7B,QAAQ,EAAE,GAAG,QAAQ,MAAM;gBAC3B,qBAAqB,EAAE,CAAC,GAAG,QAAQ,GAAG,CAAC;gBACvC,gBAAgB,EAAE,eAAe;gBACjC,aAAa,EAAE,sBAAsB;aACtC,CAAC;YAEF,GAAG,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;gBAC/D,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC;YACH,2EAA2E;YAC3E,wEAAwE;YACxE,qDAAqD;YACrD,GAAG,CAAC,GAAG,CAAC,2CAA2C,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;gBACjE,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,GAAG,CAAC,wCAAwC,QAAQ,MAAM,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE;gBAC5E,GAAG,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACnC,CAAC,CAAC,CAAC;YAEH,MAAM,CAAC,IAAI,CAAC,mDAAmD,EAAE;gBAC/D,SAAS,EAAE,QAAQ;gBACnB,QAAQ;aACT,CAAC,CAAC;QACL,CAAC;QAED,+DAA+D;QAC/D,wEAAwE;QACxE,yEAAyE;QACzE,wEAAwE;QACxE,yEAAyE;QACzE,QAAQ;QACR,GAAG,CAAC,GAAG,CACL,aAAa,CAAC;YACZ,QAAQ;YACR,SAAS,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YAC1B,OAAO,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC;YACxB,iBAAiB,EAAE,IAAI,GAAG,CAAC,GAAG,MAAM,MAAM,CAAC;YAC3C,eAAe;YACf,YAAY,EAAE,sBAAsB;SACrC,CAAC,CACH,CAAC;QAEF,yDAAyD;QACzD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAExC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,SAAS,EAAE,gBAAgB,CAAC,SAAS;YACrC,MAAM;SACP,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,4DAA4D;QAC5D,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACxC,kFAAkF;YAClF,iFAAiF;YACjF,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,gEAAgE,CAAC,CAAC;YAC7G,MAAM,QAAQ,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;YAChD,MAAM,UAAU,GAAG,iBAAiB,CAAC,EAAE,QAAQ,EAAE,EAAE,iBAAiB,EAAE,QAAQ,EAAE,EAAE,CAAC,CAAC;YACpF,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,mCAAmC;YACnC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAC9B,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACnB,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;QAC5F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iEAAiE,EAAE,CAAC,CAAC;IACrG,CAAC,CAAC,CAAC;IAEH,8DAA8D;IAC9D,MAAM,UAAU,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE;QACjD,IAAI,QAAQ,GAAG,aAAa,CAAC;QAC7B,IAAI,MAAM,CAAC,SAAS,IAAI,gBAAgB;YAAE,QAAQ,GAAG,mBAAmB,CAAC;aACpE,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,iBAAiB,CAAC;aACtE,IAAI,MAAM,CAAC,OAAO;YAAE,QAAQ,GAAG,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,QAAQ,CAAC;aAC1E,IAAI,MAAM,CAAC,UAAU;YAAE,QAAQ,GAAG,MAAM,CAAC;QAE9C,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE;YACvC,IAAI,EAAE,GAAG,QAAQ,IAAI,IAAI,EAAE;YAC3B,MAAM,EAAE,UAAU,QAAQ,IAAI,IAAI,SAAS;YAC3C,GAAG,EAAE,UAAU,QAAQ,IAAI,IAAI,MAAM;YACrC,IAAI,EAAE,QAAQ;SACf,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,oFAAoF;IACpF,gDAAgD;IAChD,UAAU,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAA0B,EAAE,EAAE;QACpD,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9B,MAAM,CAAC,KAAK,CACV,QAAQ,IAAI,yHAAyH,EACrI,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CACzB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACtF,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,uEAAuE;AAEvE;;;;GAIG;AACH,SAAS,sBAAsB,CAC7B,MAAoB;IAEpB,OAAO,KAAK,EAAE,KAAa,EAAE,EAAE;QAC7B,mEAAmE;QACnE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,iDAAiD,CAAC,CAAC;QAE9F,qDAAqD;QACrD,MAAM,WAAW,GAAG,WAAW,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;QAC/C,IAAI,WAAW,EAAE,CAAC;YAChB,qFAAqF;YACrF,MAAM,aAAa,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;YACzC,OAAO;gBACL,KAAK;gBACL,QAAQ,EAAE,WAAW,CAAC,QAAQ;gBAC9B,MAAM,EAAE,WAAW,CAAC,MAAM;gBAC1B,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,aAAa;aACzD,CAAC;QACJ,CAAC;QAED,wCAAwC;QACxC,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;YACtB,IAAI,CAAC;gBACH,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC/B,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;gBACpC,CAAC;gBACD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;oBAC/B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;gBAChF,CAAC;gBACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;oBAChE,MAAM,EAAE,MAAM,CAAC,UAAU;oBACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;oBAC7B,cAAc,EAAE,CAAC,KAAK,CAAC;oBACvB,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;iBAC5F,CAAC,CAAC;gBAEH,MAAM,CAAC,KAAK,CAAC,6BAA6B,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;gBAEpF,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;gBAE1C,OAAO;oBACL,KAAK;oBACL,QAAQ,EAAG,OAAO,CAAC,GAAc,IAAK,OAAO,CAAC,GAAc,IAAI,WAAW;oBAC3E,MAAM;oBACN,SAAS,EAAE,OAAO,CAAC,GAAG;oBACtB,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;iBAC9C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,4EAA4E;gBAC5E,IAAI,GAAG,YAAY,iBAAiB;oBAAE,MAAM,GAAG,CAAC;gBAChD,MAAM,IAAI,iBAAiB,CAAE,GAAa,CAAC,OAAO,IAAI,eAAe,CAAC,CAAC;YACzE,CAAC;QACH,CAAC;QAED,MAAM,IAAI,iBAAiB,CAAC,sCAAsC,CAAC,CAAC;IACtE,CAAC,CAAC;AACJ,CAAC;AAED,wEAAwE;AAExE;;;GAGG;AACH,KAAK,UAAU,kBAAkB,CAC/B,MAAoB;IAEpB,MAAM,QAAQ,CAAC,MAAM,CAAC,UAAW,CAAC,CAAC;IAEnC,OAAO,KAAK,EAAE,KAAa,EAAE,EAAE;QAC7B,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QACD,MAAM,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,KAAK,EAAE,UAAU,EAAE;YAChE,MAAM,EAAE,MAAM,CAAC,UAAU;YACzB,QAAQ,EAAE,MAAM,CAAC,YAAY;YAC7B,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,GAAG,CAAC,MAAM,CAAC,kBAAkB,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC5F,CAAC,CAAC;QAEH,MAAM,CAAC,KAAK,CAAC,oBAAoB,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;QAE3E,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAE1C,OAAO;YACL,KAAK;YACL,QAAQ,EAAG,OAAO,CAAC,GAAc,IAAK,OAAO,CAAC,GAAc,IAAI,WAAW;YAC3E,MAAM;YACN,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,KAAK,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE;SAC9C,CAAC;IACJ,CAAC,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAgC;IAChE,IAAI,SAA+B,CAAC;IAEpC,wCAAwC;IACxC,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACtC,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACnE,CAAC;IACD,6FAA6F;SACxF,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACzC,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACjE,CAAC;SAAM,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACtC,SAAS,GAAI,OAAO,CAAC,GAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC7F,CAAC;IAED,oDAAoD;IACpD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACT,gEAAgE;YAC9D,8EAA8E,CACjF,CAAC;QACF,OAAO,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAED,yBAAyB;IACzB,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAEnE,uEAAuE;IACvE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,4EAA4E,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;QACzG,OAAO,CAAC,MAAM,CAAC,CAAC;IAClB,CAAC;IAED,OAAO,YAAY,CAAC,QAAQ,CAAC,CAAC;AAChC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,QAAQ,CAAC,MAAc;IACpC,IAAI,UAAU,IAAI,UAAU;QAAE,OAAO;IAErC,IAAI,CAAC;QACH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,UAAU,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QACpC,CAAC;QACD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,kCAAkC,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;QAC1G,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACtD,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAAyB,CAAC;QAEvE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,+CAA+C,OAAO,EAAE,CAAC,CAAC;QAC5E,CAAC;QAED,UAAU,GAAG,UAAU,CAAC,kBAAkB,CAAC,IAAI,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC;QACxE,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,QAAQ,EAAE,CAAC,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE;YAC7C,MAAM;YACN,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;IACL,CAAC;AACH,CAAC"}

package/dist/server/server.d.ts

@@ -13,7 +13,7 @@ import { CachingLayer } from '../cache/caching-layer.js';
 import { type ToolDefinition } from '../handlers/tools.js';
 import type { ServerConfig } from './types.js';
 /** ARC-1 version */
-export declare const VERSION = "0.7.1";
+export declare const VERSION = "0.8.0";
 /**
  * Filter tools by user scope + server deny list.
  *

package/dist/server/server.js

@@ -23,7 +23,7 @@ import { isActionDenied } from './deny-actions.js';
 import { initLogger, logger } from './logger.js';
 import { FileSink } from './sinks/file.js';
 /** ARC-1 version */
-export const VERSION = '0.7.1'; // x-release-please-version
+export const VERSION = '0.8.0'; // x-release-please-version
 /**
  * Prune a tool's action OR type enum (or both) based on the user's scopes and
  * the server's denyActions list. Uses ACTION_POLICY as the single source of truth.

package/dist/server/stateless-client-store.d.ts

@@ -0,0 +1,97 @@
+/**
+ * Stateless OAuth Dynamic Client Registration store.
+ *
+ * MCP clients (Claude Desktop, Cursor, Copilot CLI…) register dynamically
+ * via RFC 7591 and cache the returned `client_id` locally. With an
+ * in-memory or local-disk store, every CF push / restart wipes the
+ * server-side registry — the cached `client_id` then fails with
+ * `invalid_client` and the user has to clear their MCP client's OAuth
+ * cache to recover.
+ *
+ * This store eliminates the storage problem entirely. Each `client_id`
+ * is a self-validating token: it carries the registration payload
+ * (redirect_uris, grant_types, …) plus an HMAC-SHA256 signature derived
+ * from a server-held key. `getClient` re-derives the payload by
+ * verifying the signature; no persistence is needed. Any process with
+ * the same signing key can validate any client_id ever issued.
+ *
+ * Tradeoffs vs the persisted in-memory store:
+ *   + Survives `cf push`, `cf restart`, cell moves, multi-instance scale-out
+ *   + No external dependency, no service binding, no native module
+ *   - Per-client revocation is impossible (only TTL or full key rotation)
+ *   - Rotating the signing key invalidates every outstanding registration
+ *
+ * The signing key is derived (via HKDF-style HMAC) from the XSUAA
+ * `clientsecret`, so it's already as stable as the service binding —
+ * service rebinding rotates both at once, which is the right boundary.
+ */
+import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js';
+import type { OAuthClientInformationFull } from '@modelcontextprotocol/sdk/shared/auth.js';
+export interface StatelessDcrClientStoreOptions {
+    /**
+     * How long an issued client_id remains valid, in seconds. After this
+     * window `getClient()` returns undefined and clients re-register via
+     * `/register`. Default: 30 days. Lower values bound the blast radius if
+     * the signing key leaks; higher values reduce re-auth churn.
+     */
+    ttlSeconds?: number;
+    /** Clock injection point for tests. Default: `Date.now`. */
+    now?: () => number;
+}
+export declare class StatelessDcrClientStore implements OAuthRegisteredClientsStore {
+    private readonly xsuaaClient;
+    private readonly hmacKey;
+    private readonly ttlSeconds;
+    private readonly now;
+    constructor(xsuaaClientId: string, xsuaaClientSecret: string, signingSecret: string, options?: StatelessDcrClientStoreOptions);
+    getClient(clientId: string): Promise<OAuthClientInformationFull | undefined>;
+    registerClient(client: Omit<OAuthClientInformationFull, 'client_id' | 'client_id_issued_at'>): Promise<OAuthClientInformationFull>;
+    /**
+     * Called by the MCP SDK before redirect_uri validation on `/authorize`.
+     *
+     * For the pre-registered XSUAA client we mutate the in-memory list (XSUAA
+     * itself is the authoritative validator via `xs-security.json` wildcards,
+     * so the SDK's local list is decorative). The mutation is replayed on
+     * every `/authorize`, so it doesn't need to persist.
+     *
+     * For DCR (`arc1-…`) clients we are stateless by design: there's nothing
+     * to mutate. The previous in-memory store implemented a percent-encoding
+     * loose-match (BAS/Theia registers `?x=1` then authorizes with `%3Fx=1`).
+     * Reproducing that statelessly would require either bundling every
+     * encoding variant in the signed payload or keeping a per-process scratch
+     * map, both of which undermine the "no state" goal. We accept the
+     * regression: affected clients re-register on encoding-variant mismatch,
+     * which is exactly what they did under the old store after every restart.
+     */
+    ensureRedirectUri(clientId: string, uri: string): void;
+    private payloadToClientInfo;
+    private encode;
+    /**
+     * Decode and verify a `client_id`. Returns either the parsed payload or a
+     * structured failure reason — the caller emits the failure as an audit
+     * event with the right reason code (so probing attempts are observable).
+     */
+    private decodeAndVerify;
+    private verifySignature;
+    private sign;
+    /**
+     * The client_secret is derived deterministically from the client_id, so
+     * any instance with the same signing key can validate it. This is the
+     * core reason DCR survives container restarts and scales out horizontally
+     * with no shared state.
+     */
+    private deriveSecret;
+    private emitLookupFailed;
+}
+/**
+ * Validate a redirect URI against the allowed scheme/host policy.
+ *
+ * Allowed: `https://*`, `http://` to localhost / 127.0.0.1 / [::1], and known
+ * MCP-client custom schemes (`claude:`, `cursor:`, `vscode:`,
+ * `vscode-insiders:`).
+ *
+ * Rejected: `javascript:`, `data:`, `file:`, `ftp:`, and any `http://` to
+ * non-loopback hosts.
+ */
+export declare function validateRedirectUri(uri: string): void;
+//# sourceMappingURL=stateless-client-store.d.ts.map

package/dist/server/stateless-client-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"stateless-client-store.d.ts","sourceRoot":"","sources":["../../src/server/stateless-client-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAE,2BAA2B,EAAE,MAAM,kDAAkD,CAAC;AACpG,OAAO,KAAK,EAAE,0BAA0B,EAAE,MAAM,0CAA0C,CAAC;AAyE3F,MAAM,WAAW,8BAA8B;IAC7C;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,4DAA4D;IAC5D,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;CACpB;AAuBD,qBAAa,uBAAwB,YAAW,2BAA2B;IACzE,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA6B;IACzD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAe;gBAGjC,aAAa,EAAE,MAAM,EACrB,iBAAiB,EAAE,MAAM,EACzB,aAAa,EAAE,MAAM,EACrB,OAAO,GAAE,8BAAmC;IAgBxC,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,GAAG,SAAS,CAAC;IA0B5E,cAAc,CAClB,MAAM,EAAE,IAAI,CAAC,0BAA0B,EAAE,WAAW,GAAG,qBAAqB,CAAC,GAC5E,OAAO,CAAC,0BAA0B,CAAC;IA8CtC;;;;;;;;;;;;;;;;OAgBG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAiBtD,OAAO,CAAC,mBAAmB;IAa3B,OAAO,CAAC,MAAM;IAMd;;;;OAIG;IACH,OAAO,CAAC,eAAe;IAsBvB,OAAO,CAAC,eAAe;IAOvB,OAAO,CAAC,IAAI;IAMZ;;;;;OAKG;IACH,OAAO,CAAC,YAAY;IAIpB,OAAO,CAAC,gBAAgB;CAczB;AAoBD;;;;;;;;;GASG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CA6BrD"}