npm - autotel-audit - Versions diffs - 0.2.1 → 0.3.0 - Mend

autotel-audit 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,15 +1,27 @@
-import { RequestLogger } from 'autotel';
-import { SecuritySeverity } from 'autotel/security-schema';
-export { SecuritySeverity } from 'autotel/security-schema';
+import { RequestLogger } from "autotel";
+import { SecuritySeverity } from "autotel/security-schema";
+//#region src/context.d.ts
 interface AuditContext {
-    traceId: string;
-    spanId: string;
-    correlationId: string;
-    setAttribute(key: string, value: string | number | boolean): void;
-    setAttributes(attrs: Record<string, string | number | boolean | string[] | number[] | boolean[]>): void;
+  traceId: string;
+  spanId: string;
+  correlationId: string;
+  setAttribute(key: string, value: string | number | boolean): void;
+  setAttributes(attrs: Record<string, string | number | boolean | string[] | number[] | boolean[]>): void;
 }
+/**
+ * How instrumentation should behave when no trace context is available.
+ *
+ * - `throw` — fail fast (original behaviour). Use when telemetry is mandatory.
+ * - `warn` — run the wrapped handler un-audited and log one warning per action (default).
+ * - `skip` — run the wrapped handler un-audited, silently.
+ *
+ * Telemetry is observability: a missing context should never crash the business
+ * logic it wraps, so the default is best-effort (`warn`).
+ */
+type OnMissingContext = 'throw' | 'warn' | 'skip';
+//#endregion
+//#region src/security.d.ts
 /**
  * Security event categories, aligned with OWASP A09:2025
  * (Security Logging & Alerting Failures) and ASVS V7.
@@ -22,40 +34,46 @@ type SecurityOutcome = 'success' | 'failure' | 'denied' | 'blocked' | 'error';
  */
 type SuggestedSecurityEventName = 'auth.login.success' | 'auth.login.failed' | 'auth.mfa.failed' | 'auth.session.revoked' | 'auth.password.reset' | 'auth.account.locked' | 'access.denied' | 'access.role.changed' | 'access.permission.changed' | 'access.tenant.violation' | 'admin.action' | 'config.changed' | 'secret.accessed' | 'secret.rotation.failed' | 'api_key.created' | 'api_key.revoked' | 'rate_limit.exceeded' | 'validation.failed' | 'webhook.signature.failed' | 'dependency.scan.failed' | 'llm.prompt_injection.detected' | 'llm.tool_call.denied' | 'llm.output.blocked';
 interface SecurityEventMetadata {
-    /** Stable, dot-separated event name, e.g. `auth.login.failed`. */
-    name: SuggestedSecurityEventName | (string & {});
-    category: SecurityEventCategory;
-    outcome: SecurityOutcome;
-    /** Defaults to `info`. */
-    severity?: SecuritySeverity;
-    /** Stable identifier of the actor — an id or a `hashIdentifier()` digest, never raw PII. */
-    actorId?: string;
-    targetType?: string;
-    targetId?: string;
-    tenantId?: string;
-    /** Short machine-readable reason, e.g. `invalid_password`. */
-    reason?: string;
-    [key: string]: unknown;
+  /** Stable, dot-separated event name, e.g. `auth.login.failed`. */
+  name: SuggestedSecurityEventName | (string & {});
+  category: SecurityEventCategory;
+  outcome: SecurityOutcome;
+  /** Defaults to `info`. */
+  severity?: SecuritySeverity;
+  /** Stable identifier of the actor — an id or a `hashIdentifier()` digest, never raw PII. */
+  actorId?: string;
+  targetType?: string;
+  targetId?: string;
+  tenantId?: string;
+  /** Short machine-readable reason, e.g. `invalid_password`. */
+  reason?: string;
+  [key: string]: unknown;
 }
 interface SecurityEventOptions {
-    ctx?: AuditContext;
-    /**
-     * Security events are exempt from tail sampling by default —
-     * an attack you sampled away is an attack you cannot investigate.
-     * Pass `false` to opt out (e.g. very high-volume info events).
-     */
-    forceKeep?: boolean;
-    emitNow?: boolean;
-    logger?: RequestLogger;
-    /**
-     * Also increment the `autotel.security.events` counter
-     * (attributes: event, category, outcome, severity) so security teams
-     * can alert on rates without log-based alerting. Default true.
-     *
-     * Cardinality note: the event name is a counter attribute — keep names
-     * to a stable catalogue, never interpolate user input into them.
-     */
-    metrics?: boolean;
+  ctx?: AuditContext;
+  /**
+   * Security events are exempt from tail sampling by default —
+   * an attack you sampled away is an attack you cannot investigate.
+   * Pass `false` to opt out (e.g. very high-volume info events).
+   */
+  forceKeep?: boolean;
+  emitNow?: boolean;
+  logger?: RequestLogger;
+  /**
+   * Also increment the `autotel.security.events` counter
+   * (attributes: event, category, outcome, severity) so security teams
+   * can alert on rates without log-based alerting. Default true.
+   *
+   * Cardinality note: the event name is a counter attribute — keep names
+   * to a stable catalogue, never interpolate user input into them.
+   */
+  metrics?: boolean;
+  /**
+   * Behaviour when no trace context can be resolved. Defaults to `warn`
+   * (best-effort: record nothing, warn once). A dropped security event is still
+   * better than a crashed request — but the warning makes the gap visible.
+   */
+  onMissingContext?: OnMissingContext;
 }
 type WithSecurityOptions = SecurityEventOptions;
 /**
@@ -93,10 +111,10 @@ declare function securityEvent(metadata: SecurityEventMetadata, options?: Securi
  */
 declare function withSecurity<T>(metadata: SecurityEventMetadata, fn: (ctx: AuditContext, logger: RequestLogger) => T | Promise<T>, options?: WithSecurityOptions): Promise<T>;
 interface HashIdentifierOptions {
-    /** Optional salt; use one stable per-deployment salt to defeat rainbow lookups. */
-    salt?: string;
-    /** Digest length in hex chars (default 16). */
-    length?: number;
+  /** Optional salt; use one stable per-deployment salt to defeat rainbow lookups. */
+  salt?: string;
+  /** Digest length in hex chars (default 16). */
+  length?: number;
 }
 /**
  * Stable one-way digest for correlating PII-bearing identifiers
@@ -105,7 +123,8 @@ interface HashIdentifierOptions {
  * NOT for secrets — never log secrets in any form, hashed or not.
  */
 declare function hashIdentifier(value: string, options?: HashIdentifierOptions): string;
+//#endregion
+//#region src/security-signals.d.ts
 /**
  * Zero-code security signal derivation from spans you already have.
  *
@@ -132,112 +151,110 @@ declare function hashIdentifier(value: string, options?: HashIdentifierOptions):
  */
 type AttributeValue = string | number | boolean | Array<null | undefined | string> | Array<null | undefined | number> | Array<null | undefined | boolean>;
 interface MutableSpanLike {
-    attributes: Record<string, AttributeValue | undefined>;
-    setAttribute(key: string, value: AttributeValue): unknown;
+  attributes: Record<string, AttributeValue | undefined>;
+  setAttribute(key: string, value: AttributeValue): unknown;
 }
 interface ReadableSpanLike {
-    attributes: Record<string, AttributeValue | undefined>;
+  attributes: Record<string, AttributeValue | undefined>;
 }
 interface SecuritySignalProcessor {
-    onStart(span: MutableSpanLike, parentContext?: unknown): void;
-    onEnd(span: ReadableSpanLike): void;
-    shutdown(): Promise<void>;
-    forceFlush(): Promise<void>;
+  onStart(span: MutableSpanLike, parentContext?: unknown): void;
+  onEnd(span: ReadableSpanLike): void;
+  shutdown(): Promise<void>;
+  forceFlush(): Promise<void>;
 }
 interface SuspiciousRequestSignal {
-    signal: 'suspicious_request';
-    /** Which pattern matched, e.g. `path_traversal`. */
-    pattern: string;
-    /** The matched request path/URL (as found on the span). */
-    target: string;
+  signal: 'suspicious_request';
+  /** Which pattern matched, e.g. `path_traversal`. */
+  pattern: string;
+  /** The matched request path/URL (as found on the span). */
+  target: string;
 }
 interface AuthFailureBurstSignal {
-    signal: 'auth_failure_burst';
-    /** Value of the configured key attribute (e.g. client address). */
-    key: string;
-    /** Denied responses observed inside the window. */
-    count: number;
-    windowMs: number;
-    status: number;
+  signal: 'auth_failure_burst';
+  /** Value of the configured key attribute (e.g. client address). */
+  key: string;
+  /** Denied responses observed inside the window. */
+  count: number;
+  windowMs: number;
+  status: number;
 }
 interface LlmExcessiveTokensSignal {
-    signal: 'llm_excessive_tokens';
-    /** Total tokens consumed by the single LLM call. */
-    tokens: number;
-    maxTokens: number;
-    model?: string;
+  signal: 'llm_excessive_tokens';
+  /** Total tokens consumed by the single LLM call. */
+  tokens: number;
+  maxTokens: number;
+  model?: string;
 }
 interface LlmTokenBudgetSignal {
-    signal: 'llm_token_budget_exceeded';
-    /** Value of the configured key attribute (e.g. end-user id). */
-    key: string;
-    /** Tokens consumed inside the window. */
-    tokens: number;
-    budget: number;
-    windowMs: number;
+  signal: 'llm_token_budget_exceeded';
+  /** Value of the configured key attribute (e.g. end-user id). */
+  key: string;
+  /** Tokens consumed inside the window. */
+  tokens: number;
+  budget: number;
+  windowMs: number;
 }
 type SecuritySignal = SuspiciousRequestSignal | AuthFailureBurstSignal | LlmExcessiveTokensSignal | LlmTokenBudgetSignal;
 interface BurstOptions {
-    /** HTTP statuses counted toward a burst. Default `[401, 403]`. */
-    statuses?: number[];
-    /** Denied responses within the window that trigger a signal. Default 10. */
-    threshold?: number;
-    /** Sliding window size in milliseconds. Default 60_000. */
-    windowMs?: number;
-    /**
-     * Span attribute identifying the client. Default `client.address`
-     * (falls back to `http.client_ip`).
-     */
-    keyAttribute?: string;
-    /** Max distinct clients tracked (oldest evicted). Default 10_000. */
-    maxKeys?: number;
+  /** HTTP statuses counted toward a burst. Default `[401, 403]`. */
+  statuses?: number[];
+  /** Denied responses within the window that trigger a signal. Default 10. */
+  threshold?: number;
+  /** Sliding window size in milliseconds. Default 60_000. */
+  windowMs?: number;
+  /**
+   * Span attribute identifying the client. Default `client.address`
+   * (falls back to `http.client_ip`).
+   */
+  keyAttribute?: string;
+  /** Max distinct clients tracked (oldest evicted). Default 10_000. */
+  maxKeys?: number;
 }
 interface LlmSignalOptions {
+  /**
+   * Single-call token ceiling (`gen_ai.usage.total_tokens`, or input+output).
+   * Default 100_000. Pass `false` to disable the per-call check.
+   */
+  maxTokensPerCall?: number | false;
+  /**
+   * Sliding-window token budget per key — catches slow-drip abuse that
+   * stays under the per-call ceiling (OWASP LLM10: Unbounded Consumption).
+   * Off unless configured.
+   */
+  tokenBudget?: {
+    budget: number; /** Window size in milliseconds. Default 300_000 (5 min). */
+    windowMs?: number;
     /**
-     * Single-call token ceiling (`gen_ai.usage.total_tokens`, or input+output).
-     * Default 100_000. Pass `false` to disable the per-call check.
-     */
-    maxTokensPerCall?: number | false;
-    /**
-     * Sliding-window token budget per key — catches slow-drip abuse that
-     * stays under the per-call ceiling (OWASP LLM10: Unbounded Consumption).
-     * Off unless configured.
+     * Span attribute identifying the consumer. Default `enduser.id`
+     * (falls back to `client.address`).
      */
-    tokenBudget?: {
-        budget: number;
-        /** Window size in milliseconds. Default 300_000 (5 min). */
-        windowMs?: number;
-        /**
-         * Span attribute identifying the consumer. Default `enduser.id`
-         * (falls back to `client.address`).
-         */
-        keyAttribute?: string;
-        /** Max distinct keys tracked (oldest evicted). Default 10_000. */
-        maxKeys?: number;
-    };
+    keyAttribute?: string; /** Max distinct keys tracked (oldest evicted). Default 10_000. */
+    maxKeys?: number;
+  };
 }
 interface SecuritySignalProcessorOptions {
-    /** Flag suspicious request paths on span start. Default true. */
-    detectSuspiciousRequests?: boolean;
-    /** Additional name → pattern pairs checked against the request target. */
-    extraPatterns?: Record<string, RegExp>;
-    /** Force-keep flagged spans through tail sampling. Default true. */
-    forceKeepSuspicious?: boolean;
-    /** HTTP statuses counted as denied. Default `[401, 403, 429]`. */
-    deniedStatuses?: number[];
-    /** Burst detection over denied responses. Pass `false` to disable. */
-    burst?: BurstOptions | false;
-    /**
-     * LLM consumption signals from `gen_ai.*` spans (OWASP LLM10).
-     * Enabled with the per-call ceiling by default; pass `false` to disable.
-     */
-    llm?: LlmSignalOptions | false;
-    /** Emit `autotel.security.*` metrics. Default true. */
-    metrics?: boolean;
-    /** Called whenever a signal fires. Keep it fast and non-throwing. */
-    onSignal?: (signal: SecuritySignal) => void;
-    /** Clock override for tests. */
-    now?: () => number;
+  /** Flag suspicious request paths on span start. Default true. */
+  detectSuspiciousRequests?: boolean;
+  /** Additional name → pattern pairs checked against the request target. */
+  extraPatterns?: Record<string, RegExp>;
+  /** Force-keep flagged spans through tail sampling. Default true. */
+  forceKeepSuspicious?: boolean;
+  /** HTTP statuses counted as denied. Default `[401, 403, 429]`. */
+  deniedStatuses?: number[];
+  /** Burst detection over denied responses. Pass `false` to disable. */
+  burst?: BurstOptions | false;
+  /**
+   * LLM consumption signals from `gen_ai.*` spans (OWASP LLM10).
+   * Enabled with the per-call ceiling by default; pass `false` to disable.
+   */
+  llm?: LlmSignalOptions | false;
+  /** Emit `autotel.security.*` metrics. Default true. */
+  metrics?: boolean;
+  /** Called whenever a signal fires. Keep it fast and non-throwing. */
+  onSignal?: (signal: SecuritySignal) => void;
+  /** Clock override for tests. */
+  now?: () => number;
 }
 /**
  * Conservative request-target patterns. Tuned for scanner/probe traffic —
@@ -245,7 +262,8 @@ interface SecuritySignalProcessorOptions {
  */
 declare const SUSPICIOUS_REQUEST_PATTERNS: Record<string, RegExp>;
 declare function createSecuritySignalProcessor(options?: SecuritySignalProcessorOptions): SecuritySignalProcessor;
+//#endregion
+//#region src/security-heartbeat.d.ts
 /**
  * Security-telemetry heartbeat.
  *
@@ -266,32 +284,39 @@ declare function createSecuritySignalProcessor(options?: SecuritySignalProcessor
  * ```
  */
 interface SecurityHeartbeatOptions {
-    /** Beat interval in milliseconds. Default 60_000. */
-    intervalMs?: number;
-    /** Extra counter attributes (keep cardinality low — labels, not data). */
-    attributes?: Record<string, string | number | boolean>;
+  /** Beat interval in milliseconds. Default 60_000. */
+  intervalMs?: number;
+  /** Extra counter attributes (keep cardinality low — labels, not data). */
+  attributes?: Record<string, string | number | boolean>;
 }
 interface SecurityHeartbeat {
-    stop(): void;
+  stop(): void;
 }
 declare function startSecurityHeartbeat(options?: SecurityHeartbeatOptions): SecurityHeartbeat;
+//#endregion
+//#region src/index.d.ts
 interface AuditMetadata {
-    action: string;
-    resource?: string;
-    actorId?: string;
-    category?: string;
-    outcome?: 'success' | 'failure' | (string & {});
-    [key: string]: unknown;
+  action: string;
+  resource?: string;
+  actorId?: string;
+  category?: string;
+  outcome?: 'success' | 'failure' | (string & {});
+  [key: string]: unknown;
 }
 interface WithAuditOptions {
-    ctx?: AuditContext;
-    emitNow?: boolean;
-    forceKeep?: boolean;
-    logger?: RequestLogger;
+  ctx?: AuditContext;
+  emitNow?: boolean;
+  forceKeep?: boolean;
+  logger?: RequestLogger;
+  /**
+   * Behaviour when no trace context can be resolved. Defaults to `warn`
+   * (best-effort: run un-audited, warn once). See {@link OnMissingContext}.
+   */
+  onMissingContext?: OnMissingContext;
 }
 declare function forceKeepAuditEvent(ctx?: AuditContext): void;
 declare function setAuditAttributes(metadata: AuditMetadata, ctx?: AuditContext): void;
 declare function withAudit<T>(metadata: AuditMetadata, fn: (ctx: AuditContext, logger: RequestLogger) => T | Promise<T>, options?: WithAuditOptions): Promise<T>;
-export { type AuditContext, type AuditMetadata, type AuthFailureBurstSignal, type BurstOptions, type HashIdentifierOptions, type LlmExcessiveTokensSignal, type LlmSignalOptions, type LlmTokenBudgetSignal, SUSPICIOUS_REQUEST_PATTERNS, type SecurityEventCategory, type SecurityEventMetadata, type SecurityEventOptions, type SecurityHeartbeat, type SecurityHeartbeatOptions, type SecurityOutcome, type SecuritySignal, type SecuritySignalProcessor, type SecuritySignalProcessorOptions, type SuggestedSecurityEventName, type SuspiciousRequestSignal, type WithAuditOptions, type WithSecurityOptions, createSecuritySignalProcessor, forceKeepAuditEvent, hashIdentifier, securityEvent, setAuditAttributes, startSecurityHeartbeat, withAudit, withSecurity };
+//#endregion
+export { type AuditContext, AuditMetadata, AuthFailureBurstSignal, BurstOptions, HashIdentifierOptions, LlmExcessiveTokensSignal, LlmSignalOptions, LlmTokenBudgetSignal, type OnMissingContext, SUSPICIOUS_REQUEST_PATTERNS, SecurityEventCategory, SecurityEventMetadata, SecurityEventOptions, SecurityHeartbeat, SecurityHeartbeatOptions, SecurityOutcome, type SecuritySeverity, SecuritySignal, SecuritySignalProcessor, SecuritySignalProcessorOptions, SuggestedSecurityEventName, SuspiciousRequestSignal, WithAuditOptions, WithSecurityOptions, createSecuritySignalProcessor, forceKeepAuditEvent, hashIdentifier, securityEvent, setAuditAttributes, startSecurityHeartbeat, withAudit, withSecurity };
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","names":[],"sources":["../src/context.ts","../src/security.ts","../src/security-signals.ts","../src/security-heartbeat.ts","../src/index.ts"],"mappings":";;;;UAEiB,YAAA;EACf,OAAA;EACA,MAAA;EACA,aAAA;EACA,YAAA,CAAa,GAAA,UAAa,KAAA;EAC1B,aAAA,CACE,KAAA,EAAO,MAAM;AAAA;;;;;;;;AAAqE;AAuDtF;;KAAY,gBAAA;;;AA7DZ;;;;AAAA,KC8BY,qBAAA;AAAA,KAYA,eAAA;;;;;KAWA,0BAAA;AAAA,UAyBK,qBAAA;EDxEb;EC0EF,IAAA,EAAM,0BAAA;EACN,QAAA,EAAU,qBAAA;EACV,OAAA,EAAS,eAAA;EDrBiB;ECuB1B,QAAA,GAAW,gBAAA;EDvBe;ECyB1B,OAAA;EACA,UAAA;EACA,QAAA;EACA,QAAA;EA3DU;EA6DV,MAAA;EAAA,CACC,GAAA;AAAA;AAAA,UAGc,oBAAA;EACf,GAAA,GAAM,YAAA;EAtDmB;;;AAAA;AAW3B;EAiDE,SAAA;EACA,OAAA;EACA,MAAA,GAAS,aAAA;EAnD2B;AAyBtC;;;;;;;EAmCE,OAAA;EA7B2B;;;;;EAmC3B,gBAAA,GAAmB,gBAAA;AAAA;AAAA,KAGT,mBAAA,GAAsB,oBAAoB;;;;;;;;;AA9BxC;AAGd;;;;;;;;;;iBAqHgB,aAAA,CACd,QAAA,EAAU,qBAAA,EACV,OAAA,GAAS,oBAAyB;;;;;;;;AA/FC;AAGrC;;;;AAAsD;iBAuJhC,YAAA,IACpB,QAAA,EAAU,qBAAA,EACV,EAAA,GAAK,GAAA,EAAK,YAAA,EAAc,MAAA,EAAQ,aAAA,KAAkB,CAAA,GAAI,OAAA,CAAQ,CAAA,GAC9D,OAAA,GAAS,mBAAA,GACR,OAAA,CAAQ,CAAA;AAAA,UAgCM,qBAAA;;EAEf,IAAA;EAlGU;EAoGV,MAAM;AAAA;;;AAnG4B;AA2DpC;;;iBAiDgB,cAAA,CACd,KAAA,UACA,OAAA,GAAS,qBAA0B;;;;;;;ADpUrC;;;;;;;;;;;;;;AAMsF;AAuDtF;;;;AAA4B;KEtBvB,cAAA,+BAID,KAAA,8BACA,KAAA,8BACA,KAAA;AAAA,UAEM,eAAA;EACR,UAAA,EAAY,MAAA,SAAe,cAAA;EAC3B,YAAA,CAAa,GAAA,UAAa,KAAA,EAAO,cAAA;AAAA;AAAA,UAGzB,gBAAA;EACR,UAAA,EAAY,MAAM,SAAS,cAAA;AAAA;AAAA,UAGZ,uBAAA;EACf,OAAA,CAAQ,IAAA,EAAM,eAAA,EAAiB,aAAA;EAC/B,KAAA,CAAM,IAAA,EAAM,gBAAA;EACZ,QAAA,IAAY,OAAA;EACZ,UAAA,IAAc,OAAA;AAAA;AAAA,UAGC,uBAAA;EACf,MAAA;EDXoC;ECapC,OAAA;EDYe;ECVf,MAAA;AAAA;AAAA,UAGe,sBAAA;EACf,MAAA;EDUS;ECRT,GAAA;EDU2B;ECR3B,KAAA;EACA,QAAA;EACA,MAAA;AAAA;AAAA,UAGe,wBAAA;EACf,MAAA;EDAS;ECET,MAAA;EACA,SAAA;EACA,KAAA;AAAA;AAAA,UAGe,oBAAA;EACf,MAAA;EDCA;ECCA,GAAA;EDAY;ECEZ,MAAA;EACA,MAAA;EACA,QAAA;AAAA;AAAA,KAGU,cAAA,GACR,uBAAA,GACA,sBAAA,GACA,wBAAA,GACA,oBAAA;AAAA,UAEa,YAAA;EDcI;ECZnB,QAAA;EDYmC;ECVnC,SAAA;EDbM;ECeN,QAAA;EDRA;;;;ECaA,YAAA;EDGmB;ECDnB,OAAA;AAAA;AAAA,UAGe,gBAAA;EDCc;;;AAAuB;ECIpD,gBAAA;EDsF2B;;;;;EChF3B,WAAA;IACE,MAAA,UDiFgC;IC/EhC,QAAA;ID0IkB;;;;ICrIlB,YAAA,WDuI8B;ICrI9B,OAAA;EAAA;AAAA;AAAA,UAIa,8BAAA;EDmIN;ECjIT,wBAAA;EDiIQ;EC/HR,aAAA,GAAgB,MAAA,SAAe,MAAA;ED2HE;ECzHjC,mBAAA;ED0HA;ECxHA,cAAA;EDyHK;ECvHL,KAAA,GAAQ,YAAA;EDuHgB;;;;EClHxB,GAAA,GAAM,gBAAA;EDmHG;ECjHT,OAAA;EDkHC;EChHD,QAAA,IAAY,MAAA,EAAQ,cAAA;EDgHV;EC9GV,GAAA;AAAA;;;;ADkJM;cC3IK,2BAAA,EAA6B,MAAM,SAAS,MAAA;AAAA,iBA4HzC,6BAAA,CACd,OAAA,GAAS,8BAAA,GACR,uBAAuB;;;;;;;AF5S1B;;;;;;;;;;;;;;AAMsF;UGerE,wBAAA;EHwCW;EGtC1B,UAAA;EHsC0B;EGpC1B,UAAA,GAAa,MAAM;AAAA;AAAA,UAGJ,iBAAA;EACf,IAAI;AAAA;AAAA,iBAGU,sBAAA,CACd,OAAA,GAAS,wBAAA,GACR,iBAAiB;;;UCbH,aAAA;EACf,MAAA;EACA,QAAA;EACA,OAAA;EACA,QAAA;EACA,OAAA;EAAA,CACC,GAAA;AAAA;AAAA,UAGc,gBAAA;EACf,GAAA,GAAM,YAAA;EACN,OAAA;EACA,SAAA;EACA,MAAA,GAAS,aAAA;EJ2BC;;;;EItBV,gBAAA,GAAmB,gBAAA;AAAA;AAAA,iBAuBL,mBAAA,CAAoB,GAAkB,GAAZ,YAAY;AAAA,iBAQtC,kBAAA,CACd,QAAA,EAAU,aAAA,EACV,GAAA,GAAM,YAAY;AAAA,iBAOE,SAAA,IACpB,QAAA,EAAU,aAAA,EACV,EAAA,GAAK,GAAA,EAAK,YAAA,EAAc,MAAA,EAAQ,aAAA,KAAkB,CAAA,GAAI,OAAA,CAAQ,CAAA,GAC9D,OAAA,GAAS,gBAAA,GACR,OAAA,CAAQ,CAAA"}