arc-1 0.9.18 → 0.9.19

package/dist/server/stateless-client-store.js

@@ -1,503 +0,0 @@
-/**
- * Stateless OAuth Dynamic Client Registration store.
- *
- * MCP clients (Claude Desktop, Cursor, Copilot CLI…) register dynamically
- * via RFC 7591 and cache the returned `client_id` locally. With an
- * in-memory or local-disk store, every CF push / restart wipes the
- * server-side registry — the cached `client_id` then fails with
- * `invalid_client` and the user has to clear their MCP client's OAuth
- * cache to recover.
- *
- * This store eliminates the storage problem entirely. Each `client_id`
- * is a self-validating token: it carries the registration payload
- * (redirect_uris, grant_types, …) plus an HMAC-SHA256 signature derived
- * from a server-held key. `getClient` re-derives the payload by
- * verifying the signature; no persistence is needed. Any process with
- * the same signing key can validate any client_id ever issued.
- *
- * Tradeoffs vs the persisted in-memory store:
- *   + Survives `cf push`, `cf restart`, cell moves, multi-instance scale-out
- *   + No external dependency, no service binding, no native module
- *   - Per-client revocation is impossible (only TTL or full key rotation)
- *   - Rotating the signing key invalidates every outstanding registration
- *
- * Default TTL is 30 days (matches typical refresh-token lifetimes). Setting
- * `ttlSeconds` to `0` or a negative value disables expiration — recommended
- * when MCP clients don't auto-re-register on `invalid_client` (Copilot CLI,
- * Cursor) and a finite TTL just produces periodic outages without security
- * gain. In that mode, forced revocation goes through full key rotation
- * (rotate the signing secret or bump `KDF_LABEL` from `arc1-dcr/v1` → `v2`).
- *
- * The signing key is derived (via HKDF-style HMAC) from the XSUAA
- * `clientsecret`, so it's already as stable as the service binding —
- * service rebinding rotates both at once, which is the right boundary.
- */
-import crypto from 'node:crypto';
-import { logger } from './logger.js';
-// ─── Constants ────────────────────────────────────────────────────────
-/** All DCR-issued client_ids start with this prefix. */
-const ID_PREFIX = 'arc1-';
-/**
- * Domain-separation label bound into the HMAC key derivation. Bumping the
- * suffix ("v1" → "v2") invalidates every previously-issued client_id without
- * requiring a service-binding rotation, which is a useful escape hatch.
- */
-const KDF_LABEL = 'arc1-dcr/v1';
-/** Schema version of the JSON payload embedded in the signed client_id. */
-const PAYLOAD_VERSION = 1;
-/**
- * Truncated HMAC-SHA256 length in bytes. 16 bytes = 128 bits, which is well
- * above the practical forgery threshold for opaque IDs (NIST SP 800-107
- * acceptable for non-replayable identifiers).
- */
-const SIG_BYTES = 16;
-/**
- * Default lifetime of a DCR registration. 30 days matches typical OAuth
- * refresh-token lifetimes and provides a conservative compromise window.
- * Set `ttlSeconds` to `0` (or any non-positive value) to disable expiration
- * — recommended for environments where MCP clients don't auto-re-register
- * on `invalid_client` (Copilot CLI, Cursor) and a finite TTL produces
- * periodic outages. Forced revocation in that case goes through full key
- * rotation (rotate the signing secret or bump `KDF_LABEL`).
- */
-const DEFAULT_TTL_SECONDS = 30 * 24 * 60 * 60;
-// Defaults applied when a registration omits these fields.
-const DEFAULT_GRANT_TYPES = ['authorization_code', 'refresh_token'];
-const DEFAULT_RESPONSE_TYPES = ['code'];
-const DEFAULT_TOKEN_AUTH_METHOD = 'client_secret_post';
-/**
- * Built-in redirect_uris for the pre-registered XSUAA client. These cover the
- * common MCP clients out of the box; additional URIs can be added at
- * `/authorize` time via `ensureRedirectUri()`. The list MUST also be registered
- * in `xs-security.json` — XSUAA is the authoritative validator for this client.
- */
-const XSUAA_DEFAULT_REDIRECT_URIS = [
-    'http://localhost:6274/oauth/callback', // MCP Inspector
-    'http://localhost:3000/oauth/callback', // Local dev
-    'https://claude.ai/api/mcp/auth_callback', // Claude Desktop
-    'cursor://anysphere.cursor-retrieval/oauth/callback', // Cursor
-    'vscode://vscode.microsoft-authentication/callback', // VS Code
-];
-/**
- * Redirect-URI allowlist for the pre-registered XSUAA default client — a vendored
- * mirror of `oauth2-configuration.redirect-uris` in `xs-security.json`.
- *
- * ── Why ARC-1 must enforce this (not just XSUAA) ──
- * The issue-#214 callback proxy (see `oauth-state.ts`) sends XSUAA ARC-1's OWN
- * `/oauth/callback` as the redirect_uri and carries the client's real
- * redirect_uri inside the signed state. XSUAA therefore no longer validates the
- * client's redirect_uri — ARC-1 does. Without an allowlist, `ensureRedirectUri`
- * would auto-trust ANY redirect_uri supplied at `/authorize` for the shared
- * default client, letting an attacker steer a victim's authorization code to
- * their own URI (security audit 2026-06, follow-up to PR #352).
- *
- * ── Why vendored, not read from xs-security.json ──
- * `xs-security.json` is consumed by XSUAA at service-creation time and is NOT
- * shipped with the running app (excluded by `.cfignore`, the npm `files`
- * allowlist, and the Dockerfile), and the service binding does not expose the
- * patterns — so ARC-1 cannot read them at runtime. To prevent drift,
- * `tests/unit/server/stateless-client-store.test.ts` asserts this list stays
- * equal to `xs-security.json`. Keep the two in sync when adding a client.
- *
- * Glob semantics (xs-security.json): `*` matches within a single host/path
- * segment (never `/`), `**` matches across segments.
- */
-export const XSUAA_REDIRECT_URI_PATTERNS = [
-    'http://localhost:*/**',
-    'https://*.hana.ondemand.com/**',
-    'https://*.applicationstudio.cloud.sap/**',
-    'https://claude.ai/api/mcp/auth_callback',
-    'https://callback.mistral.ai/v1/integrations_auth/oauth2_callback',
-    'cursor://anysphere.cursor-retrieval/**',
-    'cursor://anysphere.cursor-mcp/**',
-    'vscode://vscode.microsoft-authentication/**',
-    'https://global.consent.azure-apim.net/redirect/**',
-];
-/** Translate one xs-security.json redirect-uri glob into an anchored,
- *  case-insensitive RegExp. `**` → `.*` (crosses `/`); `*` → `[^/]*` (within a
- *  segment); every other character is matched literally. The trailing `/` and
- *  anchoring mean a host-label `*` (e.g. `*.hana.ondemand.com`) cannot be widened
- *  to a different registrable domain. */
-function redirectPatternToRegExp(pattern) {
-    // Split on the wildcard tokens, keeping them (the capturing group keeps the
-    // delimiters in the result array). `**` is tried before `*`, so it tokenizes
-    // as a single token.
-    const body = pattern
-        .split(/(\*\*|\*)/)
-        .map((segment) => {
-        if (segment === '**')
-            return '.*'; // crosses path separators
-        if (segment === '*')
-            return '[^/]*'; // within a single segment (never `/`)
-        return segment.replace(/[.+?^${}()|[\]\\]/g, '\\$&'); // escape literal regex metachars
-    })
-        .join('');
-    return new RegExp(`^${body}$`, 'i');
-}
-const XSUAA_REDIRECT_URI_REGEXPS = XSUAA_REDIRECT_URI_PATTERNS.map(redirectPatternToRegExp);
-/**
- * Is `uri` an allowed redirect target for the pre-registered XSUAA default
- * client? True iff it matches an `XSUAA_REDIRECT_URI_PATTERNS` entry. Stateless,
- * so it gives the same answer on every instance — used both to gate dynamic
- * registration (`ensureRedirectUri`) and to validate the redirect target at
- * `/oauth/callback` (`checkRedirectUri`).
- *
- * SECURITY — parse before matching: the value matched here is later re-parsed
- * with `new URL()` and used as the 302 target that carries the OAuth `code`, so
- * the glob decision MUST agree with how the URL actually parses. The patterns
- * are string globs; a `*` sitting in the PORT position (the localhost pattern)
- * would otherwise let a URL-userinfo segment ride inside the same-segment
- * wildcard — `http://localhost:x@evil.com/cb` matches the `localhost:[^slash]`
- * port glob yet `new URL(...).host === 'evil.com'`, steering a victim's code to an
- * attacker host. So we reject anything that doesn't parse, reject any userinfo
- * (`user[:pass]@`, which no legitimate redirect_uri carries), and — for http/https —
- * match the glob against a subject rebuilt from the PARSED components rather than the
- * raw string, so `\`, `#` and `?` (authority terminators the WHATWG parser folds) cannot
- * relocate the host past a same-segment wildcard. After these guards, a glob match
- * implies the parsed host is the literal host in the pattern.
- */
-export function matchesXsuaaRedirectPattern(uri) {
-    let parsed;
-    try {
-        parsed = new URL(uri);
-    }
-    catch {
-        return false;
-    }
-    if (parsed.username !== '' || parsed.password !== '')
-        return false;
-    // SECURITY: match the glob against a subject rebuilt from the PARSED components, not the
-    // raw string. For http/https, `\`, `#` and `?` are authority terminators the parser folds,
-    // so a raw value like `https://evil.com\@x.hana.ondemand.com/cb` matches a `*.hana.ondemand.com`
-    // glob yet parses to host `evil.com` — and `evil.com` is the host the `code`-bearing 302 reaches.
-    // Rebuilding `${protocol}//${host}${pathname}${search}` makes the regex see that same host.
-    // Custom schemes (cursor:, vscode:) carry no authority component, so match their raw value.
-    const subject = parsed.protocol === 'http:' || parsed.protocol === 'https:'
-        ? `${parsed.protocol}//${parsed.host}${parsed.pathname}${parsed.search}`
-        : uri;
-    return XSUAA_REDIRECT_URI_REGEXPS.some((re) => re.test(subject));
-}
-// ─── Default XSUAA client ─────────────────────────────────────────────
-/**
- * Pre-registered XSUAA client config. MCP clients that hit the XSUAA
- * `clientid` directly (Manual mode in Copilot Studio, etc.) resolve through
- * this entry instead of going through DCR.
- */
-function buildXsuaaDefaultClient(clientId, clientSecret) {
-    return {
-        client_id: clientId,
-        client_secret: clientSecret,
-        redirect_uris: [...XSUAA_DEFAULT_REDIRECT_URIS],
-        grant_types: [...DEFAULT_GRANT_TYPES],
-        response_types: [...DEFAULT_RESPONSE_TYPES],
-        token_endpoint_auth_method: DEFAULT_TOKEN_AUTH_METHOD,
-        client_name: 'ARC-1 XSUAA Default Client',
-    };
-}
-// ─── Store ────────────────────────────────────────────────────────────
-export class StatelessDcrClientStore {
-    xsuaaClient;
-    hmacKey;
-    ttlSeconds;
-    now;
-    constructor(xsuaaClientId, xsuaaClientSecret, signingSecret, options = {}) {
-        if (!signingSecret) {
-            throw new Error('StatelessDcrClientStore requires a non-empty signingSecret');
-        }
-        // Defense-in-depth: warn (don't throw) on weak signing secrets. NIST
-        // SP 800-131A r2 sets 112 bits / 14 bytes as the HMAC floor; 128 bits /
-        // 16 bytes is the conservative consensus across production OAuth servers
-        // (Keycloak documents 14 chars, Okta requires 32 for client_secret_jwt,
-        // Hydra accepts 6 silently). ARC-1's legacy default (XSUAA `clientsecret`,
-        // typically 40+ chars) clears the bar; the realistic trigger here is a
-        // test/dev secret. Use byte length, not char length, so multi-byte UTF-8
-        // is measured correctly.
-        const secretBytes = Buffer.byteLength(signingSecret, 'utf8');
-        if (secretBytes < 16) {
-            logger.warn('StatelessDcrClientStore signing secret is shorter than 16 bytes (128 bits) — below the recommended minimum. Use `openssl rand -base64 48` for a secure value.', { bytes: secretBytes });
-        }
-        // Derive a dedicated HMAC key so the raw service-binding secret is never
-        // used directly to sign client_ids. The KDF_LABEL doubles as a domain
-        // separator (see comment on the constant).
-        this.hmacKey = crypto.createHmac('sha256', signingSecret).update(KDF_LABEL).digest();
-        this.xsuaaClient = buildXsuaaDefaultClient(xsuaaClientId, xsuaaClientSecret);
-        this.ttlSeconds = options.ttlSeconds ?? DEFAULT_TTL_SECONDS;
-        this.now = options.now ?? (() => Date.now());
-    }
-    // ── OAuthRegisteredClientsStore implementation ──
-    async getClient(clientId) {
-        if (clientId === this.xsuaaClient.client_id) {
-            return this.xsuaaClient;
-        }
-        if (!clientId.startsWith(ID_PREFIX)) {
-            this.emitLookupFailed(clientId, 'unknown_prefix');
-            return undefined;
-        }
-        const decoded = this.decodeAndVerify(clientId);
-        if (decoded.kind === 'error') {
-            this.emitLookupFailed(clientId, decoded.reason);
-            return undefined;
-        }
-        if (this.ttlSeconds > 0) {
-            const ageSec = Math.floor(this.now() / 1000) - decoded.payload.iat;
-            if (ageSec > this.ttlSeconds) {
-                this.emitLookupFailed(clientId, 'expired');
-                logger.debug('OAuth client expired (TTL)', { clientId, ageSec, ttlSeconds: this.ttlSeconds });
-                return undefined;
-            }
-        }
-        return this.payloadToClientInfo(clientId, decoded.payload);
-    }
-    async registerClient(client) {
-        if (client.redirect_uris) {
-            for (const uri of client.redirect_uris) {
-                validateRedirectUri(uri);
-            }
-        }
-        const issuedAt = Math.floor(this.now() / 1000);
-        const payload = {
-            v: PAYLOAD_VERSION,
-            iat: issuedAt,
-            ru: client.redirect_uris ?? [],
-        };
-        if (client.grant_types)
-            payload.gt = client.grant_types;
-        if (client.response_types)
-            payload.rt = client.response_types;
-        if (client.token_endpoint_auth_method)
-            payload.am = client.token_endpoint_auth_method;
-        if (client.client_name)
-            payload.cn = client.client_name;
-        const clientId = this.encode(payload);
-        const clientSecret = this.deriveSecret(clientId);
-        logger.debug('OAuth client registered (stateless)', {
-            clientId,
-            clientName: client.client_name,
-            idBytes: clientId.length,
-        });
-        logger.emitAudit({
-            timestamp: new Date().toISOString(),
-            level: 'info',
-            event: 'oauth_client_registered',
-            registeredClientId: clientId,
-            clientName: client.client_name,
-            redirectUriCount: payload.ru.length,
-            idBytes: clientId.length,
-        });
-        // RFC 7591 §3.2.1: `client_secret_expires_at` is REQUIRED when a
-        // `client_secret` is issued. Value is the absolute expiry time in
-        // seconds since epoch, OR exactly 0 if the secret never expires —
-        // exactly the semantic ARC1_OAUTH_DCR_TTL_SECONDS=0 introduces.
-        const clientSecretExpiresAt = this.ttlSeconds > 0 ? issuedAt + this.ttlSeconds : 0;
-        return {
-            ...client,
-            client_id: clientId,
-            client_secret: clientSecret,
-            client_id_issued_at: issuedAt,
-            client_secret_expires_at: clientSecretExpiresAt,
-        };
-    }
-    // ── SDK redirect_uri hook ──
-    /**
-     * Called by the MCP SDK before redirect_uri validation on `/authorize`.
-     *
-     * For the pre-registered XSUAA client we mutate the in-memory list so the
-     * SDK's exact-match check passes. The mutation is replayed on every
-     * `/authorize`, so it doesn't need to persist. SECURITY: we register a
-     * candidate URI ONLY if it matches `XSUAA_REDIRECT_URI_PATTERNS` (the vendored
-     * mirror of xs-security.json). The issue-#214 callback proxy removed XSUAA
-     * from the client-redirect path, so an un-gated add here would let an attacker
-     * register an arbitrary redirect_uri and have the SDK accept it — the entry
-     * point for authorization-code interception (security audit 2026-06). A
-     * non-matching URI is dropped (audited); the SDK's exact-match check then
-     * rejects the `/authorize` request before any state is minted.
-     *
-     * For DCR (`arc1-…`) clients we are stateless by design: there's nothing
-     * to mutate. The previous in-memory store implemented a percent-encoding
-     * loose-match (BAS/Theia registers `?x=1` then authorizes with `%3Fx=1`).
-     * Reproducing that statelessly would require either bundling every
-     * encoding variant in the signed payload or keeping a per-process scratch
-     * map, both of which undermine the "no state" goal. We accept the
-     * regression: affected clients re-register on encoding-variant mismatch,
-     * which is exactly what they did under the old store after every restart.
-     */
-    ensureRedirectUri(clientId, uri) {
-        if (clientId !== this.xsuaaClient.client_id)
-            return;
-        if (this.xsuaaClient.redirect_uris.includes(uri))
-            return;
-        if (!matchesXsuaaRedirectPattern(uri)) {
-            logger.warn('Dynamic redirect_uri rejected for XSUAA default client (not in allowlist)', { clientId, uri });
-            logger.emitAudit({
-                timestamp: new Date().toISOString(),
-                level: 'warn',
-                event: 'oauth_redirect_uri_rejected',
-                registeredClientId: clientId,
-                redirectUri: uri,
-            });
-            return;
-        }
-        this.xsuaaClient.redirect_uris.push(uri);
-        logger.debug('Dynamic redirect_uri registered for XSUAA client', { clientId, uri });
-        logger.emitAudit({
-            timestamp: new Date().toISOString(),
-            level: 'info',
-            event: 'oauth_redirect_uri_registered',
-            registeredClientId: clientId,
-            redirectUri: uri,
-        });
-    }
-    /**
-     * Validate that `uri` is an allowed redirect target for `clientId` at the
-     * `/oauth/callback` proxy — the control that stops authorization-code
-     * interception (security audit 2026-06, follow-up to PR #352).
-     *
-     *  - Default (pre-registered XSUAA) client → must match the redirect-uri
-     *    allowlist (`matchesXsuaaRedirectPattern`). Deliberately consults the
-     *    static allowlist, NOT the mutable in-memory list, so the verdict is
-     *    stateless and identical on every instance — a code is never forwarded to
-     *    an unlisted URI even if `/authorize` ran on a different instance.
-     *  - DCR (`arc1-…`) client → must be one of the redirect_uris baked immutably
-     *    into the signed client_id (re-derived by `getClient`). Returns
-     *    `unknown_client` when the id is unrecognised / expired / forged.
-     */
-    async checkRedirectUri(clientId, uri) {
-        if (clientId === this.xsuaaClient.client_id) {
-            return matchesXsuaaRedirectPattern(uri) ? 'ok' : 'unregistered';
-        }
-        const info = await this.getClient(clientId);
-        if (!info)
-            return 'unknown_client';
-        return info.redirect_uris.includes(uri) ? 'ok' : 'unregistered';
-    }
-    // ── Internals: encode / decode / sign / verify ──
-    payloadToClientInfo(clientId, payload) {
-        return {
-            client_id: clientId,
-            client_secret: this.deriveSecret(clientId),
-            client_id_issued_at: payload.iat,
-            redirect_uris: payload.ru,
-            grant_types: payload.gt ?? [...DEFAULT_GRANT_TYPES],
-            response_types: payload.rt ?? [...DEFAULT_RESPONSE_TYPES],
-            token_endpoint_auth_method: payload.am ?? DEFAULT_TOKEN_AUTH_METHOD,
-            client_name: payload.cn,
-        };
-    }
-    encode(payload) {
-        const payloadB64 = Buffer.from(JSON.stringify(payload), 'utf8').toString('base64url');
-        const sig = this.sign(payloadB64);
-        return `${ID_PREFIX}${payloadB64}.${sig}`;
-    }
-    /**
-     * Decode and verify a `client_id`. Returns either the parsed payload or a
-     * structured failure reason — the caller emits the failure as an audit
-     * event with the right reason code (so probing attempts are observable).
-     */
-    decodeAndVerify(clientId) {
-        const stripped = clientId.slice(ID_PREFIX.length);
-        const dot = stripped.lastIndexOf('.');
-        if (dot < 0)
-            return { kind: 'error', reason: 'malformed' };
-        const payloadB64 = stripped.slice(0, dot);
-        const sigB64 = stripped.slice(dot + 1);
-        if (!this.verifySignature(payloadB64, sigB64)) {
-            return { kind: 'error', reason: 'bad_signature' };
-        }
-        const payload = parsePayload(payloadB64);
-        if (!payload)
-            return { kind: 'error', reason: 'invalid_payload' };
-        return { kind: 'ok', payload };
-    }
-    verifySignature(payloadB64, sigB64) {
-        const expected = Buffer.from(this.sign(payloadB64), 'base64url');
-        const actual = Buffer.from(sigB64, 'base64url');
-        if (actual.length !== expected.length || actual.length !== SIG_BYTES)
-            return false;
-        return crypto.timingSafeEqual(actual, expected);
-    }
-    sign(payloadB64) {
-        const fullDigest = crypto.createHmac('sha256', this.hmacKey).update(payloadB64).digest();
-        // Truncate to SIG_BYTES — see the comment on the constant for rationale.
-        return fullDigest.subarray(0, SIG_BYTES).toString('base64url');
-    }
-    /**
-     * The client_secret is derived deterministically from the client_id, so
-     * any instance with the same signing key can validate it. This is the
-     * core reason DCR survives container restarts and scales out horizontally
-     * with no shared state.
-     */
-    deriveSecret(clientId) {
-        return crypto.createHmac('sha256', this.hmacKey).update(`secret:${clientId}`).digest('base64url');
-    }
-    emitLookupFailed(clientId, reason) {
-        logger.debug('OAuth client lookup failed', { clientId, reason });
-        logger.emitAudit({
-            timestamp: new Date().toISOString(),
-            // 'expired' is normal-ish (TTL eviction); the rest are probing/forgery signals.
-            level: reason === 'expired' ? 'info' : 'warn',
-            event: 'oauth_client_lookup_failed',
-            registeredClientId: clientId,
-            reason,
-        });
-    }
-}
-// ─── Module-level helpers ─────────────────────────────────────────────
-/**
- * Parse a base64url-encoded payload back into a typed `SignedPayload`. Returns
- * `undefined` on any failure (decode error, JSON parse error, schema mismatch).
- */
-function parsePayload(payloadB64) {
-    try {
-        const json = Buffer.from(payloadB64, 'base64url').toString('utf8');
-        const parsed = JSON.parse(json);
-        if (parsed.v !== PAYLOAD_VERSION)
-            return undefined;
-        if (typeof parsed.iat !== 'number' || !Array.isArray(parsed.ru))
-            return undefined;
-        return parsed;
-    }
-    catch {
-        return undefined;
-    }
-}
-/**
- * Validate a redirect URI against the allowed scheme/host policy.
- *
- * Allowed: `https://*`, `http://` to localhost / 127.0.0.1 / [::1], and known
- * MCP-client custom schemes (`claude:`, `cursor:`, `vscode:`,
- * `vscode-insiders:`).
- *
- * Rejected: `javascript:`, `data:`, `file:`, `ftp:`, and any `http://` to
- * non-loopback hosts.
- */
-export function validateRedirectUri(uri) {
-    const ALLOWED_CUSTOM_SCHEMES = ['claude:', 'cursor:', 'vscode:', 'vscode-insiders:'];
-    const BLOCKED_SCHEMES = ['javascript:', 'data:', 'file:', 'ftp:'];
-    for (const scheme of BLOCKED_SCHEMES) {
-        if (uri.toLowerCase().startsWith(scheme)) {
-            throw new Error(`Redirect URI rejected: '${scheme}' scheme is not allowed. Use https:// or a registered custom scheme.`);
-        }
-    }
-    for (const scheme of ALLOWED_CUSTOM_SCHEMES) {
-        if (uri.toLowerCase().startsWith(scheme))
-            return;
-    }
-    try {
-        const parsed = new URL(uri);
-        if (parsed.protocol === 'https:')
-            return;
-        if (parsed.protocol === 'http:') {
-            const host = parsed.hostname.toLowerCase();
-            if (host === 'localhost' || host === '127.0.0.1' || host === '[::1]' || host === '::1')
-                return;
-            throw new Error(`Redirect URI rejected: http:// is only allowed for localhost/127.0.0.1. Got: '${uri}'`);
-        }
-        return;
-    }
-    catch (err) {
-        if (err instanceof Error && err.message.startsWith('Redirect URI rejected'))
-            throw err;
-        // URL parsing failed for some other reason (unknown protocol etc.) — allow.
-    }
-}
-//# sourceMappingURL=stateless-client-store.js.map

package/dist/server/stateless-client-store.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"stateless-client-store.js","sourceRoot":"","sources":["../../src/server/stateless-client-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAC;AAGjC,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,yEAAyE;AAEzE,wDAAwD;AACxD,MAAM,SAAS,GAAG,OAAO,CAAC;AAE1B;;;;GAIG;AACH,MAAM,SAAS,GAAG,aAAa,CAAC;AAEhC,2EAA2E;AAC3E,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B;;;;GAIG;AACH,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB;;;;;;;;GAQG;AACH,MAAM,mBAAmB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;AAE9C,2DAA2D;AAC3D,MAAM,mBAAmB,GAAG,CAAC,oBAAoB,EAAE,eAAe,CAAU,CAAC;AAC7E,MAAM,sBAAsB,GAAG,CAAC,MAAM,CAAU,CAAC;AACjD,MAAM,yBAAyB,GAAG,oBAAoB,CAAC;AAEvD;;;;;GAKG;AACH,MAAM,2BAA2B,GAAG;IAClC,sCAAsC,EAAE,gBAAgB;IACxD,sCAAsC,EAAE,YAAY;IACpD,yCAAyC,EAAE,iBAAiB;IAC5D,oDAAoD,EAAE,SAAS;IAC/D,mDAAmD,EAAE,UAAU;CACvD,CAAC;AAEX;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,uBAAuB;IACvB,gCAAgC;IAChC,0CAA0C;IAC1C,yCAAyC;IACzC,kEAAkE;IAClE,wCAAwC;IACxC,kCAAkC;IAClC,6CAA6C;IAC7C,mDAAmD;CAC3C,CAAC;AAEX;;;;yCAIyC;AACzC,SAAS,uBAAuB,CAAC,OAAe;IAC9C,4EAA4E;IAC5E,6EAA6E;IAC7E,qBAAqB;IACrB,MAAM,IAAI,GAAG,OAAO;SACjB,KAAK,CAAC,WAAW,CAAC;SAClB,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;QACf,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC,CAAC,0BAA0B;QAC7D,IAAI,OAAO,KAAK,GAAG;YAAE,OAAO,OAAO,CAAC,CAAC,sCAAsC;QAC3E,OAAO,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC,CAAC,iCAAiC;IACzF,CAAC,CAAC;SACD,IAAI,CAAC,EAAE,CAAC,CAAC;IACZ,OAAO,IAAI,MAAM,CAAC,IAAI,IAAI,GAAG,EAAE,GAAG,CAAC,CAAC;AACtC,CAAC;AAED,MAAM,0BAA0B,GAAG,2BAA2B,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;AAE5F;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,2BAA2B,CAAC,GAAW;IACrD,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,MAAM,CAAC,QAAQ,KAAK,EAAE,IAAI,MAAM,CAAC,QAAQ,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IACnE,yFAAyF;IACzF,2FAA2F;IAC3F,iGAAiG;IACjG,kGAAkG;IAClG,4FAA4F;IAC5F,4FAA4F;IAC5F,MAAM,OAAO,GACX,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ;QACzD,CAAC,CAAC,GAAG,MAAM,CAAC,QAAQ,KAAK,MAAM,CAAC,IAAI,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE;QACxE,CAAC,CAAC,GAAG,CAAC;IACV,OAAO,0BAA0B,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;AACnE,CAAC;AAqCD,yEAAyE;AAEzE;;;;GAIG;AACH,SAAS,uBAAuB,CAAC,QAAgB,EAAE,YAAoB;IACrE,OAAO;QACL,SAAS,EAAE,QAAQ;QACnB,aAAa,EAAE,YAAY;QAC3B,aAAa,EAAE,CAAC,GAAG,2BAA2B,CAAC;QAC/C,WAAW,EAAE,CAAC,GAAG,mBAAmB,CAAC;QACrC,cAAc,EAAE,CAAC,GAAG,sBAAsB,CAAC;QAC3C,0BAA0B,EAAE,yBAAyB;QACrD,WAAW,EAAE,4BAA4B;KAC1C,CAAC;AACJ,CAAC;AAED,yEAAyE;AAEzE,MAAM,OAAO,uBAAuB;IACjB,WAAW,CAA6B;IACxC,OAAO,CAAS;IAChB,UAAU,CAAS;IACnB,GAAG,CAAe;IAEnC,YACE,aAAqB,EACrB,iBAAyB,EACzB,aAAqB,EACrB,UAA0C,EAAE;QAE5C,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QACD,qEAAqE;QACrE,wEAAwE;QACxE,yEAAyE;QACzE,wEAAwE;QACxE,2EAA2E;QAC3E,uEAAuE;QACvE,yEAAyE;QACzE,yBAAyB;QACzB,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAC7D,IAAI,WAAW,GAAG,EAAE,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CACT,+JAA+J,EAC/J,EAAE,KAAK,EAAE,WAAW,EAAE,CACvB,CAAC;QACJ,CAAC;QACD,yEAAyE;QACzE,sEAAsE;QACtE,2CAA2C;QAC3C,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,EAAE,CAAC;QACrF,IAAI,CAAC,WAAW,GAAG,uBAAuB,CAAC,aAAa,EAAE,iBAAiB,CAAC,CAAC;QAC7E,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,mBAAmB,CAAC;QAC5D,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/C,CAAC;IAED,mDAAmD;IAEnD,KAAK,CAAC,SAAS,CAAC,QAAgB;QAC9B,IAAI,QAAQ,KAAK,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,WAAW,CAAC;QAC1B,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YACpC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC;YAClD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;YAChD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,IAAI,IAAI,CAAC,UAAU,GAAG,CAAC,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC;YACnE,IAAI,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;gBAC7B,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;gBAC3C,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC;gBAC9F,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,mBAAmB,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7D,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,MAA6E;QAE7E,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;gBACvC,mBAAmB,CAAC,GAAG,CAAC,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAkB;YAC7B,CAAC,EAAE,eAAe;YAClB,GAAG,EAAE,QAAQ;YACb,EAAE,EAAE,MAAM,CAAC,aAAa,IAAI,EAAE;SAC/B,CAAC;QACF,IAAI,MAAM,CAAC,WAAW;YAAE,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC;QACxD,IAAI,MAAM,CAAC,cAAc;YAAE,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,cAAc,CAAC;QAC9D,IAAI,MAAM,CAAC,0BAA0B;YAAE,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,0BAA0B,CAAC;QACtF,IAAI,MAAM,CAAC,WAAW;YAAE,OAAO,CAAC,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC;QAExD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QACtC,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAEjD,MAAM,CAAC,KAAK,CAAC,qCAAqC,EAAE;YAClD,QAAQ;YACR,UAAU,EAAE,MAAM,CAAC,WAAW;YAC9B,OAAO,EAAE,QAAQ,CAAC,MAAM;SACzB,CAAC,CAAC;QACH,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,yBAAyB;YAChC,kBAAkB,EAAE,QAAQ;YAC5B,UAAU,EAAE,MAAM,CAAC,WAAW;YAC9B,gBAAgB,EAAE,OAAO,CAAC,EAAE,CAAC,MAAM;YACnC,OAAO,EAAE,QAAQ,CAAC,MAAM;SACzB,CAAC,CAAC;QAEH,iEAAiE;QACjE,kEAAkE;QAClE,kEAAkE;QAClE,gEAAgE;QAChE,MAAM,qBAAqB,GAAG,IAAI,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,OAAO;YACL,GAAG,MAAM;YACT,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,YAAY;YAC3B,mBAAmB,EAAE,QAAQ;YAC7B,wBAAwB,EAAE,qBAAqB;SAChD,CAAC;IACJ,CAAC;IAED,8BAA8B;IAE9B;;;;;;;;;;;;;;;;;;;;;;OAsBG;IACH,iBAAiB,CAAC,QAAgB,EAAE,GAAW;QAC7C,IAAI,QAAQ,KAAK,IAAI,CAAC,WAAW,CAAC,SAAS;YAAE,OAAO;QACpD,IAAI,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO;QAEzD,IAAI,CAAC,2BAA2B,CAAC,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,CAAC,IAAI,CAAC,2EAA2E,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;YAC5G,MAAM,CAAC,SAAS,CAAC;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;gBACnC,KAAK,EAAE,MAAM;gBACb,KAAK,EAAE,6BAA6B;gBACpC,kBAAkB,EAAE,QAAQ;gBAC5B,WAAW,EAAE,GAAG;aACjB,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,CAAC,WAAW,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACzC,MAAM,CAAC,KAAK,CAAC,kDAAkD,EAAE,EAAE,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC;QACpF,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,KAAK,EAAE,MAAM;YACb,KAAK,EAAE,+BAA+B;YACtC,kBAAkB,EAAE,QAAQ;YAC5B,WAAW,EAAE,GAAG;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,KAAK,CAAC,gBAAgB,CAAC,QAAgB,EAAE,GAAW;QAClD,IAAI,QAAQ,KAAK,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;YAC5C,OAAO,2BAA2B,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC;QAClE,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QAC5C,IAAI,CAAC,IAAI;YAAE,OAAO,gBAAgB,CAAC;QACnC,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC;IAClE,CAAC;IAED,mDAAmD;IAE3C,mBAAmB,CAAC,QAAgB,EAAE,OAAsB;QAClE,OAAO;YACL,SAAS,EAAE,QAAQ;YACnB,aAAa,EAAE,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC;YAC1C,mBAAmB,EAAE,OAAO,CAAC,GAAG;YAChC,aAAa,EAAE,OAAO,CAAC,EAAE;YACzB,WAAW,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,GAAG,mBAAmB,CAAC;YACnD,cAAc,EAAE,OAAO,CAAC,EAAE,IAAI,CAAC,GAAG,sBAAsB,CAAC;YACzD,0BAA0B,EAAE,OAAO,CAAC,EAAE,IAAI,yBAAyB;YACnE,WAAW,EAAE,OAAO,CAAC,EAAE;SACxB,CAAC;IACJ,CAAC;IAEO,MAAM,CAAC,OAAsB;QACnC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QACtF,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAClC,OAAO,GAAG,SAAS,GAAG,UAAU,IAAI,GAAG,EAAE,CAAC;IAC5C,CAAC;IAED;;;;OAIG;IACK,eAAe,CACrB,QAAgB;QAIhB,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAClD,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACtC,IAAI,GAAG,GAAG,CAAC;YAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;QAE3D,MAAM,UAAU,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAC1C,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAEvC,IAAI,CAAC,IAAI,CAAC,eAAe,CAAC,UAAU,EAAE,MAAM,CAAC,EAAE,CAAC;YAC9C,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,eAAe,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,OAAO,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;QAElE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;IACjC,CAAC;IAEO,eAAe,CAAC,UAAkB,EAAE,MAAc;QACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,WAAW,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAChD,IAAI,MAAM,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QACnF,OAAO,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAClD,CAAC;IAEO,IAAI,CAAC,UAAkB;QAC7B,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,EAAE,CAAC;QACzF,yEAAyE;QACzE,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IACjE,CAAC;IAED;;;;;OAKG;IACK,YAAY,CAAC,QAAgB;QACnC,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,UAAU,QAAQ,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IACpG,CAAC;IAEO,gBAAgB,CACtB,QAAgB,EAChB,MAAwF;QAExF,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACjE,MAAM,CAAC,SAAS,CAAC;YACf,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACnC,gFAAgF;YAChF,KAAK,EAAE,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM;YAC7C,KAAK,EAAE,4BAA4B;YACnC,kBAAkB,EAAE,QAAQ;YAC5B,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF;AAED,yEAAyE;AAEzE;;;GAGG;AACH,SAAS,YAAY,CAAC,UAAkB;IACtC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACnE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAkB,CAAC;QACjD,IAAI,MAAM,CAAC,CAAC,KAAK,eAAe;YAAE,OAAO,SAAS,CAAC;QACnD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAAE,OAAO,SAAS,CAAC;QAClF,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,MAAM,sBAAsB,GAAG,CAAC,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,kBAAkB,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAElE,KAAK,MAAM,MAAM,IAAI,eAAe,EAAE,CAAC;QACrC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACzC,MAAM,IAAI,KAAK,CACb,2BAA2B,MAAM,sEAAsE,CACxG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,KAAK,MAAM,MAAM,IAAI,sBAAsB,EAAE,CAAC;QAC5C,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;YAAE,OAAO;IACnD,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO;QACzC,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC3C,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,KAAK;gBAAE,OAAO;YAC/F,MAAM,IAAI,KAAK,CAAC,iFAAiF,GAAG,GAAG,CAAC,CAAC;QAC3G,CAAC;QACD,OAAO;IACT,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,UAAU,CAAC,uBAAuB,CAAC;YAAE,MAAM,GAAG,CAAC;QACvF,4EAA4E;IAC9E,CAAC;AACH,CAAC"}