blockintel-gate-sdk 0.4.4 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (11) hide show
  1. package/dist/index.cjs +120 -3
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +13 -0
  4. package/dist/index.d.ts +13 -0
  5. package/dist/index.js +120 -3
  6. package/dist/index.js.map +1 -1
  7. package/dist/pilot/index.cjs +120 -3
  8. package/dist/pilot/index.cjs.map +1 -1
  9. package/dist/pilot/index.js +120 -3
  10. package/dist/pilot/index.js.map +1 -1
  11. package/package.json +1 -1
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/utils/canonicalJson.ts","../src/utils/decisionTokenVerify.ts","../src/utils/crypto.ts","../src/auth/HmacSigner.ts","../src/auth/ApiKeyAuth.ts","../src/types/errors.ts","../src/http/retry.ts","../src/utils/sanitize.ts","../src/http/HttpClient.ts","../src/utils/time.ts","../src/stepup/stepup.ts","../src/circuit/CircuitBreaker.ts","../src/metrics/MetricsCollector.ts","../src/utils/txDigest.ts","../src/metrics/GateMetricsSink.ts","../src/kms/wrapAwsSdkV3KmsClient.ts","../src/provenance/ProvenanceProvider.ts","../src/heartbeat/HeartbeatManager.ts","../src/security/IamPermissionRiskChecker.ts","../src/client/GateClient.ts","../src/client/Gate.ts","../src/signer/AwsKmsSigner.ts","../src/signer/VaultSigner.ts","../src/signer/GcpKmsSigner.ts","../src/signer/FireblocksSigner.ts","../src/signer/pkcs11/Pkcs11SessionImpl.ts","../src/signer/GenericHsmSigner.ts"],"names":["sorted","createHash","createVerify","createHmac","GateErrorCode","hasReceipt","SignCommand","uuidv4","t","effectiveSignerId","canonicalizeJson","decodeJwtUnsafe","verifyDecisionTokenRs256","SigningAlgorithmSpec","randomBytes","createSign","require","createRequire"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,qBAAA,GAAA,EAAA;AAAA,QAAA,CAAA,qBAAA,EAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,SAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAmBO,SAAS,iBAAiB,GAAA,EAAsB;AACrD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW;AACrC,IAAA,OAAO,MAAA;AAAA,EACT;AAGA,EAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,GAAG,CAAC,CAAA;AAG7C,EAAA,SAAS,SAAS,IAAA,EAAwB;AACxC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA,CAAK,IAAI,QAAQ,CAAA;AAAA,IAC1B;AACA,IAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AAC7C,MAAA,MAAMA,UAAkC,EAAC;AACzC,MAAA,MAAA,CAAO,KAAK,IAAI,CAAA,CAAE,IAAA,EAAK,CAAE,QAAQ,CAAA,GAAA,KAAO;AACtC,QAAAA,QAAO,GAAG,CAAA,GAAI,QAAA,CAAU,IAAA,CAAiC,GAAG,CAAC,CAAA;AAAA,MAC/D,CAAC,CAAA;AACD,MAAA,OAAOA,OAAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,SAAS,MAAM,CAAA;AAC9B,EAAA,OAAO,IAAA,CAAK,UAAU,MAAM,CAAA;AAC9B;AAKA,eAAsB,UAAU,KAAA,EAAgC;AAC9D,EAAA,OAAOC,iBAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,MAAM,CAAA,CAAE,OAAO,KAAK,CAAA;AAChE;AAnDA,IAAA,kBAAA,GAAA,KAAA,CAAA;AAAA,EAAA,4BAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,2BAAA,GAAA,EAAA;AAAA,QAAA,CAAA,2BAAA,EAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,wBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AA2BO,SAAS,gBAAgB,KAAA,EAAmF;AACjH,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,IAAA,MAAM,SAAS,IAAA,CAAK,KAAA;AAAA,MAClB,MAAA,CAAO,KAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,KACpD;AACA,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,MACnB,MAAA,CAAO,KAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,KACpD;AACA,IAAA,OAAO,EAAE,QAAQ,OAAA,EAAQ;AAAA,EAC3B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,wBAAA,CACd,OACA,YAAA,EAC6B;AAC7B,EAAA,MAAM,OAAA,GAAU,gBAAgB,KAAK,CAAA;AACrC,EAAA,IAAI,CAAC,YAAY,OAAA,CAAQ,MAAA,CAAO,OAAO,EAAA,EAAI,WAAA,EAAY,KAAM,OAAA,EAAS,OAAO,IAAA;AAE7E,EAAA,MAAM,EAAE,SAAQ,GAAI,OAAA;AACpB,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,IAAI,QAAQ,GAAA,KAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,KAAQ,KAAK,OAAO,IAAA;AACvD,EAAA,IAAI,QAAQ,GAAA,IAAO,IAAA,IAAQ,QAAQ,GAAA,GAAM,GAAA,GAAM,GAAG,OAAO,IAAA;AAEzD,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,MAAM,YAAA,GAAe,GAAG,KAAA,CAAM,CAAC,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,CAAC,CAAC,CAAA,CAAA;AAC5C,IAAA,MAAM,YAAY,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA;AACnD,IAAA,MAAM,MAAA,GAASC,oBAAa,YAAY,CAAA;AACxC,IAAA,MAAA,CAAO,OAAO,YAAY,CAAA;AAC1B,IAAA,MAAA,CAAO,GAAA,EAAI;AACX,IAAA,MAAM,EAAA,GAAK,MAAA,CAAO,MAAA,CAAO,YAAA,EAAc,SAAS,CAAA;AAChD,IAAA,OAAO,KAAK,OAAA,GAAU,IAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAvEA,IAOM,GAAA,EACA,GAAA;AARN,IAAA,wBAAA,GAAA,KAAA,CAAA;AAAA,EAAA,kCAAA,GAAA;AAOA,IAAM,GAAA,GAAM,iBAAA;AACZ,IAAM,GAAA,GAAM,eAAA;AAAA,EAAA;AAAA,CAAA,CAAA;ACGZ,eAAsB,UAAA,CAAW,QAAgB,OAAA,EAAkC;AAIjF,EAAA,MAAM,IAAA,GAAOC,iBAAA,CAAW,QAAA,EAAU,MAAM,CAAA;AACxC,EAAA,IAAA,CAAK,MAAA,CAAO,SAAS,MAAM,CAAA;AAC3B,EAAA,MAAM,YAAA,GAAe,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA;AAGtC,EAAA,OAAA,CAAQ,KAAA,CAAM,4CAAA,EAA8C,IAAA,CAAK,SAAA,CAAU;AAAA,IACzE,cAAc,MAAA,CAAO,MAAA;AAAA,IACrB,eAAe,OAAA,CAAQ,MAAA;AAAA,IACvB,cAAA,EAAgB,OAAA,CAAQ,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAAA,IAC5C,iBAAiB,YAAA,CAAa,MAAA;AAAA,IAC9B,gBAAA,EAAkB,YAAA,CAAa,SAAA,CAAU,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,GACpD,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAEX,EAAA,OAAO,YAAA;AACT;;;ACFA,kBAAA,EAAA;AAkBO,IAAM,aAAN,MAAiB;AAAA,EACL,KAAA;AAAA,EACA,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,QAAQ,MAAA,CAAO,KAAA;AAEpB,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,IAAA,EAAK;AAEjC,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,MAAA,EAOU;AAC1B,IAAA,MAAM,EAAE,MAAA,EAAQ,IAAA,EAAM,UAAU,WAAA,EAAa,SAAA,EAAW,MAAK,GAAI,MAAA;AAGjE,IAAA,MAAM,QAAA,GAAW,IAAA,GAAO,gBAAA,CAAiB,IAAI,CAAA,GAAI,EAAA;AACjD,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,QAAQ,CAAA;AAGzC,IAAA,MAAM,aAAA,GAAgB;AAAA,MACpB,IAAA;AAAA,MACA,OAAO,WAAA,EAAY;AAAA,MACnB,IAAA;AAAA,MACA,QAAA;AAAA,MACA,IAAA,CAAK,KAAA;AAAA,MACL,OAAO,WAAW,CAAA;AAAA,MAClB,SAAA;AAAA;AAAA,MACA;AAAA,KACF,CAAE,KAAK,IAAI,CAAA;AAGX,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,IAAA,CAAK,QAAQ,aAAa,CAAA;AAE7D,IAAA,OAAO;AAAA,MACL,kBAAA,EAAoB,QAAA;AAAA,MACpB,iBAAiB,IAAA,CAAK,KAAA;AAAA,MACtB,qBAAA,EAAuB,OAAO,WAAW,CAAA;AAAA,MACzC,mBAAA,EAAqB,SAAA;AAAA,MACrB,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AACF,CAAA;;;AC9EO,IAAM,aAAN,MAAiB;AAAA,EACL,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,IAC3C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,MAAA,EAII;AAChB,IAAA,MAAM,EAAE,QAAA,EAAU,WAAA,EAAa,SAAA,EAAU,GAAI,MAAA;AAE7C,IAAA,OAAO;AAAA,MACL,aAAa,IAAA,CAAK,MAAA;AAAA,MAClB,kBAAA,EAAoB,QAAA;AAAA,MACpB,mBAAA,EAAqB,SAAA;AAAA,MACrB,qBAAA,EAAuB,OAAO,WAAW;AAAA,KAC3C;AAAA,EACF;AACF,CAAA;;;AC1CO,IAAK,aAAA,qBAAAC,cAAAA,KAAL;AACL,EAAAA,eAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,eAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,eAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,kBAAA,CAAA,GAAmB,kBAAA;AACnB,EAAAA,eAAA,wBAAA,CAAA,GAAyB,wBAAA;AACzB,EAAAA,eAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,eAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,eAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,eAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,oBAAA,CAAA,GAAqB,oBAAA;AAjBX,EAAA,OAAAA,cAAAA;AAAA,CAAA,EAAA,aAAA,IAAA,EAAA;AAuBL,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EACnB,IAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EAEhB,WAAA,CACE,IAAA,EACA,OAAA,EACA,OAAA,EAOA;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACvB,IAAA,IAAA,CAAK,UAAU,OAAA,EAAS,OAAA;AACxB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,gBAAgB,OAAA,EAAS,aAAA;AAC9B,IAAA,IAAI,SAAS,KAAA,EAAO;AAClB,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AAAA,IACvB;AACA,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,EAChD;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,eAAe,IAAA,CAAK;AAAA,KACtB;AAAA,EACF;AACF;AAMO,IAAM,wBAAA,GAAN,cAAuC,SAAA,CAAU;AAAA,EACtD,YAAY,SAAA,EAAoB;AAC9B,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,mHAAA;AAAA,MACA,EAAE,SAAA;AAAU,KACd;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,0BAAA;AAAA,EACd;AACF;AAMO,IAAM,sBAAA,GAAN,cAAqC,SAAA,CAAU;AAAA,EACpC,SAAA;AAAA,EACA,UAAA;AAAA,EAEhB,WAAA,CACE,UAAA,EACA,SAAA,EACA,aAAA,EACA,SAAA,EACA;AACA,IAAA,KAAA;AAAA,MACE,SAAA;AAAA,MACA,wBAAwB,UAAU,CAAA,CAAA;AAAA,MAClC,EAAE,aAAA,EAAe,SAAA,EAAW,SAAS,EAAE,UAAA,EAAY,WAAU;AAAE,KACjE;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AACjB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAMO,IAAM,0BAAA,GAAN,cAAyC,SAAA,CAAU;AAAA,EACxD,WAAA,CAAY,SAAiB,SAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,qBAAA,4BAAmC,OAAA,EAAS,EAAE,SAAA,EAAW,CAAA;AAC/D,IAAA,IAAA,CAAK,IAAA,GAAO,4BAAA;AAAA,EACd;AACF;AAMO,IAAM,mBAAA,GAAN,cAAkC,SAAA,CAAU;AAAA,EACjD,WAAA,CAAY,OAAA,EAAiB,MAAA,EAAgB,SAAA,EAAoB;AAC/D,IAAA,KAAA;AAAA,MACE,MAAA,KAAW,MAAM,cAAA,sBAA6B,WAAA;AAAA,MAC9C,OAAA;AAAA,MACA,EAAE,QAAQ,SAAA;AAAU,KACtB;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AAAA,EACd;AACF;AAMO,IAAM,6BAAA,GAAN,cAA4C,SAAA,CAAU;AAAA,EAC3C,eAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EAEhB,WAAA,CACE,eAAA,EACA,SAAA,EACA,WAAA,EACA,SAAA,EACA;AACA,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,2BAAA;AAAA,MACA;AAAA,QACE,SAAA;AAAA,QACA,OAAA,EAAS,EAAE,eAAA,EAAiB,SAAA,EAAW,WAAA;AAAY;AACrD,KACF;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,+BAAA;AACZ,IAAA,IAAA,CAAK,eAAA,GAAkB,eAAA;AACvB,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AACjB,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AAAA,EACrB;AACF;;;AC3JA,IAAM,qBAAA,GAAgD;AAAA,EACpD,WAAA,EAAa,CAAA;AAAA,EACb,WAAA,EAAa,GAAA;AAAA,EACb,UAAA,EAAY,GAAA;AAAA,EACZ,MAAA,EAAQ;AACV,CAAA;AAKO,SAAS,kBAAkB,MAAA,EAAyB;AAEzD,EAAA,OAAO,MAAA,KAAW,GAAA,IAAQ,MAAA,IAAU,GAAA,IAAO,MAAA,GAAS,GAAA;AACtD;AAKO,SAAS,iBAAiB,KAAA,EAAyB;AAExD,EAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,OAAA,CAAQ,WAAA,EAAY;AAC1C,IAAA,OACE,OAAA,CAAQ,SAAS,SAAS,CAAA,IAC1B,QAAQ,QAAA,CAAS,SAAS,CAAA,IAC1B,OAAA,CAAQ,QAAA,CAAS,YAAY,KAC7B,OAAA,CAAQ,QAAA,CAAS,cAAc,CAAA,IAC/B,OAAA,CAAQ,SAAS,WAAW,CAAA,IAC5B,OAAA,CAAQ,QAAA,CAAS,YAAY,CAAA;AAAA,EAEjC;AACA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,qBAAA,CACd,SACA,OAAA,EACQ;AACR,EAAA,MAAM,gBAAA,GAAmB,QAAQ,WAAA,GAAc,IAAA,CAAK,IAAI,OAAA,CAAQ,MAAA,EAAQ,UAAU,CAAC,CAAA;AACnF,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,EAAO,GAAI,GAAA,GAAM,gBAAA;AACrC,EAAA,MAAM,QAAQ,gBAAA,GAAmB,MAAA;AACjC,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,OAAA,CAAQ,UAAU,CAAA;AAC3C;AAKA,SAAS,qBAAqB,KAAA,EAAyB;AACrD,EAAA,IAAI,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,UAAU,KAAA,EAAO;AACzD,IAAA,MAAM,SAAA,GAAY,KAAA;AAElB,IAAA,IAAI,SAAA,CAAU,IAAA,KAAS,cAAA,IAAkB,SAAA,CAAU,SAAS,cAAA,EAAgB;AAC1E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,SAAA,CAAU,MAAA,IAAU,iBAAA,CAAkB,SAAA,CAAU,MAAM,CAAA,EAAG;AAC3D,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAKA,eAAsB,gBAAA,CACpB,EAAA,EACA,OAAA,GAAwB,EAAC,EACb;AACZ,EAAA,MAAM,IAAA,GAAO,EAAE,GAAG,qBAAA,EAAuB,GAAG,OAAA,EAAQ;AACpD,EAAA,IAAI,SAAA;AAEJ,EAAA,KAAA,IAAS,OAAA,GAAU,CAAA,EAAG,OAAA,IAAW,IAAA,CAAK,aAAa,OAAA,EAAA,EAAW;AAC5D,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,EAAA,EAAG;AAAA,IAClB,SAAS,KAAA,EAAO;AACd,MAAA,SAAA,GAAY,KAAA;AAGZ,MAAA,IAAI,OAAA,IAAW,KAAK,WAAA,EAAa;AAC/B,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,QAAA,IAAY,CAAC,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA,EAAG;AACjE,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,WAAA,GACH,KAAA,YAAiB,QAAA,IAAY,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA,IAC5D,gBAAA,CAAiB,KAAK,CAAA,IACtB,oBAAA,CAAqB,KAAK,CAAA;AAE5B,MAAA,IAAI,CAAC,WAAA,EAAa;AAChB,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,SACH,KAAA,YAAiB,QAAA,IAAY,MAAM,MAAA,IACnC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,YAAY,KAAA,IAAU,KAAA,CAA8B,UAC1F,KAAA,IAAS,OAAO,UAAU,QAAA,IAAY,YAAA,IAAgB,SAAU,KAAA,CAAkC,UAAA;AACrG,MAAA,MAAM,OAAA,GAAU,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,IAAA,GAAQ,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,MAAA,IAAU,KAAA,GAAS,KAAA,CAA2B,IAAA,GAAO,SAAA;AAClJ,MAAA,MAAM,KAAA,GAAQ,CAAA,SAAA,EAAY,OAAO,CAAA,CAAA,EAAI,IAAA,CAAK,WAAW,CAAA,QAAA,EAAW,MAAA,IAAU,KAAK,CAAA,KAAA,EAAQ,OAAO,CAAA,CAAA;AAC9F,MAAA,OAAA,CAAQ,IAAA,CAAK,0DAA0D,KAAK,CAAA;AAG5E,MAAA,MAAM,KAAA,GAAQ,qBAAA,CAAsB,OAAA,EAAS,IAAI,CAAA;AACjD,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,KAAK,CAAC,CAAA;AAAA,IAC3D;AAAA,EACF;AAEA,EAAA,MAAM,SAAA;AACR;;;AC7HA,IAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,EACrC,eAAA;AAAA,EACA,WAAA;AAAA,EACA,sBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAED,IAAM,iBAAA,GAAoB,EAAA;AAKnB,SAAS,gBAAgB,OAAA,EAAyD;AACvF,EAAA,MAAM,MAA8B,EAAC;AACrC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,MAAM,KAAA,GAAQ,IAAI,WAAA,EAAY;AAC9B,IAAA,IAAI,sBAAA,CAAuB,GAAA,CAAI,KAAK,CAAA,IAAK,MAAM,QAAA,CAAS,WAAW,CAAA,IAAK,KAAA,CAAM,SAAS,QAAQ,CAAA,IAAK,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA,EAAG;AAC3H,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,KAAA,GAAQ,YAAA,GAAe,SAAA;AAAA,IACpC,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,QAAA,CAAS,MAAA,CAAO,KAAK,GAAG,iBAAiB,CAAA;AAAA,IACtD;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAKO,SAAS,kBAAkB,IAAA,EAAuC;AACvE,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,MAAA,EAAW;AACvC,IAAA,OAAO,EAAC;AAAA,EACV;AACA,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC5B,IAAA,OAAO,EAAE,CAAA,EAAG,OAAO,IAAA,EAAK;AAAA,EAC1B;AACA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACvB,IAAA,OAAO,EAAE,CAAA,EAAG,OAAA,EAAS,QAAQ,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,EAAE;AAAA,EACnD;AACA,EAAA,MAAM,MAA8B,EAAC;AACrC,EAAA,KAAA,MAAW,OAAO,MAAA,CAAO,IAAA,CAAK,IAAc,CAAA,CAAE,MAAK,EAAG;AACpD,IAAA,MAAM,GAAA,GAAO,KAAiC,GAAG,CAAA;AACjD,IAAA,IAAI,GAAA,KAAQ,QAAQ,OAAO,GAAA,KAAQ,YAAY,CAAC,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AAClE,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,QAAA;AAAA,IACb,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC7B,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,OAAA;AAAA,IACb,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,GAAG,IAAI,OAAO,GAAA;AAAA,IACpB;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,QAAA,CAAS,GAAW,GAAA,EAAqB;AAChD,EAAA,IAAI,CAAA,CAAE,MAAA,IAAU,GAAA,EAAK,OAAO,CAAA;AAC5B,EAAA,OAAO,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAC3B;AAKO,SAAS,eAAe,WAAA,EAAgC;AAC7D,EAAA,IAAI,WAAA,KAAgB,MAAM,OAAO,IAAA;AACjC,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,QAAQ,GAAA,CAAI,cAAA,KAAmB,KAAK,OAAO,IAAA;AACjF,EAAA,OAAO,KAAA;AACT;;;ACnCO,IAAM,aAAN,MAAiB;AAAA,EACL,OAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,YAAA;AAAA,EACA,KAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,IAAA;AACrC,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,2BAAA;AACrC,IAAA,IAAA,CAAK,eAAe,MAAA,CAAO,YAAA;AAC3B,IAAA,IAAA,CAAK,KAAA,GAAQ,cAAA,CAAe,MAAA,CAAO,KAAK,CAAA;AAGxC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,aAAa,YAAA,EAAc;AAC3E,MAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,UAAA,CAAW,UAAU,CAAA,IAAK,CAAC,IAAA,CAAK,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA,EAAG;AAC/E,QAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAW,OAAA,EAAqC;AACpD,IAAA,MAAM,EAAE,QAAQ,IAAA,EAAM,OAAA,GAAU,EAAC,EAAG,IAAA,EAAM,WAAU,GAAI,OAAA;AAExD,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,OAAO,GAAG,IAAI,CAAA,CAAA;AAGlC,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,SAAS,CAAA;AAOrE,IAAA,IAAI,wBAAA,GAAkD,IAAA;AAEtD,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,gBAAA;AAAA,QACrB,YAAY;AACV,UAAA,MAAM,iBAAyC,EAAC;AAChD,UAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,YAAA,cAAA,CAAe,GAAG,CAAA,GAAI,MAAA,CAAO,KAAK,CAAA;AAAA,UACpC;AACA,UAAA,cAAA,CAAe,YAAY,IAAI,IAAA,CAAK,SAAA;AACpC,UAAA,cAAA,CAAe,cAAc,CAAA,GAAI,kBAAA;AAEjC,UAAA,MAAM,YAAA,GAA4B;AAAA,YAChC,MAAA;AAAA,YACA,OAAA,EAAS,cAAA;AAAA,YACT,QAAQ,UAAA,CAAW;AAAA,WACrB;AAEA,UAAA,IAAI,IAAA,EAAM;AACR,YAAA,IAAK,KAAa,eAAA,EAAiB;AACjC,cAAA,YAAA,CAAa,OAAQ,IAAA,CAAa,eAAA;AAClC,cAAA,OAAQ,IAAA,CAAa,eAAA;AAAA,YACvB,CAAA,MAAO;AACL,cAAA,YAAA,CAAa,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAAA,YACzC;AAAA,UACF;AAEA,UAAA,MAAM,UAAU,OAAO,YAAA,CAAa,IAAA,KAAS,QAAA,GAAW,aAAa,IAAA,GAAO,IAAA;AAC5E,UAAA,wBAAA,GAA2B;AAAA,YACzB,SAAS,IAAA,CAAK,KAAA,GAAQ,eAAA,CAAgB,cAAwC,IAAI,EAAC;AAAA,YACnF,UAAA,EAAY,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS;AAAA,WACzC;AAEA,UAAA,IAAI,KAAK,KAAA,EAAO;AACd,YAAA,MAAM,SAAA,GAAY,QAAQ,OAAO,IAAA,KAAS,WAAW,iBAAA,CAAkB,IAAI,IAAI,EAAC;AAChF,YAAA,OAAA,CAAQ,KAAA,CAAM,qBAAA,EAAuB,IAAA,CAAK,SAAA,CAAU;AAAA,cAClD,GAAA;AAAA,cACA,MAAA;AAAA,cACA,WAAA,EAAa,MAAA,CAAO,IAAA,CAAK,cAAc,CAAA;AAAA,cACvC,iBAAiB,wBAAA,CAAyB,OAAA;AAAA,cAC1C,YAAY,wBAAA,CAAyB,UAAA;AAAA,cACrC,gBAAA,EAAkB;AAAA,aACpB,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,UACb;AAEA,UAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK,YAAY,CAAA;AAGzC,UAAA,IAAI,CAAC,GAAA,CAAI,EAAA,IAAM,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,EAAG;AAC5C,YAAA,MAAM,GAAA;AAAA,UACR;AAGA,UAAA,IAAI,CAAC,GAAA,CAAI,EAAA,IAAM,CAAC,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,EAAG;AAC7C,YAAA,MAAM,GAAA;AAAA,UACR;AAEA,UAAA,OAAO,GAAA;AAAA,QACT,CAAA;AAAA,QACA;AAAA,UACE,GAAG,IAAA,CAAK;AAAA;AAAA;AAEV,OACF;AAEA,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,IAAA;AACJ,MAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA;AAEvD,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,sBAAA,EAAwB,IAAA,CAAK,SAAA,CAAU;AAAA,UACnD,QAAQ,QAAA,CAAS,MAAA;AAAA,UACjB,IAAI,QAAA,CAAS,EAAA;AAAA,UACb,KAAK,QAAA,CAAS;AAAA,SAChB,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,MACb;AAEA,MAAA,IAAI,WAAA,IAAe,WAAA,CAAY,QAAA,CAAS,kBAAkB,CAAA,EAAG;AAC3D,QAAA,IAAI;AACF,UAAA,MAAM,QAAA,GAAW,MAAM,QAAA,CAAS,IAAA,EAAK;AACrC,UAAA,IAAA,GAAO,IAAA,CAAK,MAAM,QAAQ,CAAA;AAC1B,UAAA,IAAI,IAAA,CAAK,KAAA,IAAS,IAAA,IAAQ,OAAO,SAAS,QAAA,EAAU;AAClD,YAAA,OAAA,CAAQ,KAAA,CAAM,2BAAA,EAA6B,MAAA,CAAO,IAAA,CAAK,IAAc,CAAC,CAAA;AAAA,UACxE;AAAA,QACF,SAAS,UAAA,EAAY;AACnB,UAAA,IAAI,KAAK,KAAA,EAAO;AACd,YAAA,OAAA,CAAQ,KAAA,CAAM,gCAAgC,UAAA,YAAsB,KAAA,GAAQ,WAAW,OAAA,GAAU,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,UACrH;AACA,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,kBAAA;AAAA,YAER,+BAAA;AAAA,YACA;AAAA,cACE,QAAQ,QAAA,CAAS,MAAA;AAAA,cACjB,SAAA;AAAA,cACA,KAAA,EAAO,UAAA,YAAsB,KAAA,GAAQ,UAAA,GAAa,KAAA;AAAA;AACpD,WACF;AAAA,QACF;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,kBAAA;AAAA,UAER,4BAA4B,WAAW,CAAA,CAAA;AAAA,UACvC;AAAA,YACE,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,SAAS,EAAE,IAAA,EAAM,KAAK,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,EAAE;AAAA,YACxC;AAAA;AACF,SACF;AAAA,MACF;AAGA,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAEhB,QAAA,MAAM,kBAA0C,EAAC;AACjD,QAAA,QAAA,CAAS,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACvC,UAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,KAAA;AAAA,QACzB,CAAC,CAAA;AAED,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,KAAA,CAAM,4BAAA,EAA8B,IAAA,CAAK,SAAA,CAAU;AAAA,YACzD,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,KAAK,QAAA,CAAS,GAAA;AAAA,YACd,WAAA,EAAa,IAAA;AAAA,YACb,YAAA,EAAc,QAAQ,OAAO,IAAA,KAAS,WAAW,MAAA,CAAO,IAAA,CAAK,IAAc,CAAA,GAAI;AAAC,WAClF,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,QACb;AAEA,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,iBAAA,CAAkB,QAAA,CAAS,MAAM,CAAA;AACxD,QAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,KAAA,CAAA;AAElE,QAAA,MAAM,IAAI,UAAU,SAAA,EAAW,CAAA,KAAA,EAAQ,SAAS,MAAM,CAAA,EAAA,EAAK,QAAA,CAAS,UAAU,CAAA,CAAA,EAAI;AAAA,UAChF,QAAQ,QAAA,CAAS,MAAA;AAAA,UACjB,aAAA;AAAA,UACA,SAAA;AAAA,UACA,OAAA,EAAS;AAAA,SACV,CAAA;AAAA,MACH;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,MAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AACzD,QAAA,MAAM,IAAI,SAAA,CAAA,SAAA,gBAAiC,CAAA,sBAAA,EAAyB,IAAA,CAAK,SAAS,CAAA,EAAA,CAAA,EAAM;AAAA,UACtF;AAAA,SACD,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,iBAAiB,QAAA,EAAU;AAC7B,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA;AACrD,QAAA,MAAM,aAAA,GAAgB,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,MAAA;AAE/D,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,IAAA,GAAO,MAAM,KAAA,CAAM,IAAA,EAAK;AAC9B,UAAA,IAAI;AACF,YAAA,OAAA,GAAU,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,UAC3B,CAAA,CAAA,MAAQ;AACN,YAAA,OAAA,GAAU,EAAE,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,EAAE;AAAA,UAC3C;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAEA,QAAA,MAAM,IAAI,UAAU,SAAA,EAAW,CAAA,KAAA,EAAQ,MAAM,MAAM,CAAA,EAAA,EAAK,KAAA,CAAM,UAAU,CAAA,CAAA,EAAI;AAAA,UAC1E,QAAQ,KAAA,CAAM,MAAA;AAAA,UACd,aAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACD,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,gBAAA,CAAiB,KAAK,CAAA,EAAG;AAC3B,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,eAAA;AAAA,UAER,kBAAkB,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA,CAAA;AAAA,UACxE;AAAA,YACE,SAAA;AAAA,YACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,GAAQ;AAAA;AAC1C,SACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,SAAA,EAAW;AAC9B,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,eAAA;AAAA,QAER,qBAAqB,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA,CAAA;AAAA,QAC3E;AAAA,UACE,SAAA;AAAA,UACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,GAAQ;AAAA;AAC1C,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,MAAA,EAA+B;AACvD,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,cAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,WAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,WAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,cAAA;AACpB,IAAA,IAAI,MAAA,IAAU,GAAA,IAAO,MAAA,GAAS,GAAA,EAAK,OAAA,cAAA;AACnC,IAAA,OAAA,eAAA;AAAA,EACF;AACF,CAAA;;;AChSO,SAAS,KAAA,GAAgB;AAC9B,EAAA,OAAO,KAAK,GAAA,EAAI;AAClB;AAKO,SAAS,eAAA,GAA0B;AACxC,EAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACrC;AAKO,SAAS,KAAA,CAAM,KAAA,EAAe,GAAA,EAAa,GAAA,EAAqB;AACrE,EAAA,OAAO,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,CAAC,CAAA;AAC3C;AAKO,SAAS,MAAM,EAAA,EAA2B;AAC/C,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,EAAE,CAAC,CAAA;AACzD;;;ACTA,IAAM,2BAAA,GAA8B,GAAA;AACpC,IAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAM,uBAAA,GAA0B,GAAA;AAChC,IAAM,uBAAA,GAA0B,GAAA;AAChC,IAAM,2BAAA,GAA8B,GAAA;AAK7B,IAAM,eAAN,MAAmB;AAAA,EACP,UAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,iBAAA;AAAA,EAEjB,YAAY,MAAA,EAA6B;AACvC,IAAA,IAAA,CAAK,aAAa,MAAA,CAAO,UAAA;AACzB,IAAA,IAAA,CAAK,WAAW,MAAA,CAAO,QAAA;AACvB,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAO,iBAAA,IAAqB,2BAAA;AACrD,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,mBAAA;AACrC,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,aAAA,IAAiB,uBAAA;AAC7C,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,aAAA,IAAiB,uBAAA;AAC7C,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAO,iBAAA,IAAqB,2BAAA;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,SAAA,EAAkD;AAChE,IAAA,MAAM,IAAA,GAAO,mCAAmC,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,CAAA;AAE5H,IAAA,IAAI;AAEF,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAQxC;AAAA,QACA,MAAA,EAAQ,KAAA;AAAA,QACR,IAAA;AAAA,QACA;AAAA,OACD,CAAA;AAED,MAAA,MAAM,QAAA,GAAiC;AAAA,QACrC,QAAQ,WAAA,CAAY,MAAA;AAAA,QACpB,QAAA,EAAU,WAAA,CAAY,SAAA,IAAa,WAAA,CAAY,QAAA;AAAA,QAC/C,SAAA,EAAW,WAAA,CAAY,UAAA,IAAc,WAAA,CAAY,SAAA;AAAA,QACjD,UAAU,WAAA,CAAY,QAAA;AAAA,QACtB,WAAA,EAAa,WAAA,CAAY,YAAA,IAAgB,WAAA,CAAY,WAAA;AAAA,QACrD,aAAA,EAAe,WAAA,CAAY,cAAA,IAAkB,WAAA,CAAY,aAAA;AAAA,QACzD,WAAA,EAAa,WAAA,CAAY,aAAA,IAAiB,WAAA,CAAY,WAAA;AAAA,QACtD,KAAK,WAAA,CAAY;AAAA,OACnB;AAGA,MAAA,MAAM,MAAM,eAAA,EAAgB;AAC5B,MAAA,IAAI,QAAA,CAAS,GAAA,KAAQ,KAAA,CAAA,IAAa,QAAA,CAAS,OAAO,GAAA,EAAK;AACrD,QAAA,OAAO;AAAA,UACL,GAAG,QAAA;AAAA,UACH,MAAA,EAAQ;AAAA,SACV;AAAA,MACF;AAEA,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,WAAA,kBAAkC;AACxE,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,WAAA;AAAA,UAER,8BAA8B,SAAS,CAAA,CAAA;AAAA,UACvC,EAAE,SAAA;AAAU,SACd;AAAA,MACF;AACA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aAAA,CACJ,SAAA,EACA,OAAA,EAC4B;AAC5B,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,MAAM,SAAA,GAAY,OAAA,EAAS,SAAA,IAAa,IAAA,CAAK,SAAA;AAC7C,IAAA,MAAM,UAAA,GAAa,OAAA,EAAS,UAAA,IAAc,IAAA,CAAK,iBAAA;AAE/C,IAAA,OAAO,IAAA,EAAM;AACX,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA;AAG/B,MAAA,IAAI,aAAa,SAAA,EAAW;AAC1B,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,iBAAA;AAAA,UAER,kCAAkC,SAAS,CAAA,EAAA,CAAA;AAAA,UAC3C,EAAE,SAAA;AAAU,SACd;AAAA,MACF;AAEA,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,CAAU,SAAS,CAAA;AAG7C,QAAA,MAAM,MAAM,eAAA,EAAgB;AAC5B,QAAA,IAAI,MAAA,CAAO,GAAA,KAAQ,KAAA,CAAA,IAAa,MAAA,CAAO,OAAO,GAAA,EAAK;AACjD,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,SAAA;AAAA,YACR,SAAA;AAAA,YACA,SAAA;AAAA,YACA,eAAe,MAAA,CAAO;AAAA,WACxB;AAAA,QACF;AAGA,QAAA,IACE,MAAA,CAAO,WAAW,UAAA,IAClB,MAAA,CAAO,WAAW,QAAA,IAClB,MAAA,CAAO,WAAW,SAAA,EAClB;AACA,UAAA,OAAO;AAAA,YACL,QAAQ,MAAA,CAAO,MAAA;AAAA,YACf,SAAA;AAAA,YACA,SAAA;AAAA,YACA,UAAU,MAAA,CAAO,QAAA;AAAA,YACjB,aAAa,MAAA,CAAO,WAAA;AAAA,YACpB,eAAe,MAAA,CAAO;AAAA,WACxB;AAAA,QACF;AAGA,QAAA,MAAM,MAAM,UAAU,CAAA;AAAA,MACxB,SAAS,KAAA,EAAO;AAEd,QAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,WAAA,kBAAkC;AACxE,UAAA,MAAM,KAAA;AAAA,QACR;AAIA,QAAA,MAAM,WAAA,GAAc,SAAA,IAAa,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,CAAA;AAC9C,QAAA,IAAI,eAAe,CAAA,EAAG;AACpB,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,iBAAA;AAAA,YAER,kCAAkC,SAAS,CAAA,EAAA,CAAA;AAAA,YAC3C,EAAE,SAAA,EAAW,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,QAAQ,MAAA;AAAU,WACjE;AAAA,QACF;AAEA,QAAA,MAAM,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY,WAAW,CAAC,CAAA;AAAA,MAC/C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,UAAA,EAA6B;AACpC,IAAA,IAAI,eAAe,MAAA,EAAW;AAC5B,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AACA,IAAA,OAAO,KAAA,CAAM,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,KAAK,aAAa,CAAA;AAAA,EACjE;AACF,CAAA;;;ACvKO,IAAM,iBAAN,MAAqB;AAAA,EAClB,KAAA,GAAsB,QAAA;AAAA,EACtB,QAAA,GAAW,CAAA;AAAA,EACX,SAAA,GAAY,CAAA;AAAA,EACZ,eAAA;AAAA,EACA,eAAA;AAAA,EACA,WAAA,GAAc,CAAA;AAAA,EAEL,aAAA;AAAA,EACA,UAAA;AAAA,EAEjB,WAAA,CAAY,MAAA,GAA+B,EAAC,EAAG;AAC7C,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,4BAAA,IAAgC,CAAA;AAC5D,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,GAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAW,EAAA,EAAkC;AAEjD,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,EAAQ;AACzB,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,MAAM,oBAAA,GAAuB,IAAA,CAAK,eAAA,GAC9B,GAAA,GAAM,KAAK,eAAA,GACX,QAAA;AAEJ,MAAA,IAAI,oBAAA,IAAwB,KAAK,UAAA,EAAY;AAC3C,QAAA,IAAA,CAAK,KAAA,GAAQ,WAAA;AACb,QAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,MAClB,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,uBAAA;AAAA,UACR,CAAA,0CAAA,EAA6C,IAAA,CAAK,UAAA,GAAa,oBAAoB,CAAA,EAAA;AAAA,SACrF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,EAAA,EAAG;AACxB,MAAA,IAAA,CAAK,SAAA,EAAU;AACf,MAAA,OAAO,MAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,SAAA,EAAU;AACf,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,SAAA,GAAkB;AACxB,IAAA,IAAA,CAAK,SAAA,EAAA;AACL,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,GAAA,EAAI;AAEhC,IAAA,IAAI,IAAA,CAAK,UAAU,WAAA,EAAa;AAE9B,MAAA,IAAA,CAAK,KAAA,GAAQ,QAAA;AACb,MAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,IAClB,CAAA,MAAA,IAAW,IAAA,CAAK,KAAA,KAAU,QAAA,EAAU;AAElC,MAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,IAClB;AAAA,EACF;AAAA,EAEQ,SAAA,GAAkB;AACxB,IAAA,IAAA,CAAK,QAAA,EAAA;AACL,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,GAAA,EAAI;AAEhC,IAAA,IAAI,IAAA,CAAK,UAAU,WAAA,EAAa;AAE9B,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AACb,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP,WAAW,IAAA,CAAK,KAAA,KAAU,YAAY,IAAA,CAAK,QAAA,IAAY,KAAK,aAAA,EAAe;AAEzE,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AACb,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAoC;AAClC,IAAA,OAAO;AAAA,MACL,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,aAAa,IAAA,CAAK;AAAA,KACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ,QAAA;AACb,IAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAChB,IAAA,IAAA,CAAK,SAAA,GAAY,CAAA;AACjB,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AACvB,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AACvB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AAAA,EACrB;AACF,CAAA;AAKO,IAAM,uBAAA,GAAN,cAAsC,KAAA,CAAM;AAAA,EACjD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,yBAAA;AAAA,EACd;AACF,CAAA;;;AChHO,IAAM,mBAAN,MAAuB;AAAA,EACpB,aAAA,GAAgB,CAAA;AAAA,EAChB,YAAA,GAAe,CAAA;AAAA,EACf,YAAA,GAAe,CAAA;AAAA,EACf,WAAA,GAAc,CAAA;AAAA,EACd,aAAA,GAAgB,CAAA;AAAA,EAChB,WAAA,GAAc,CAAA;AAAA,EACd,uBAAA,GAA0B,CAAA;AAAA,EAC1B,eAAA,GAAkB,CAAA;AAAA;AAAA,EAClB,aAAA,GAAgB,CAAA;AAAA;AAAA,EAChB,YAAsB,EAAC;AAAA,EAEd,UAAA,GAAa,GAAA;AAAA;AAAA,EACb,QAAuB,EAAC;AAAA;AAAA;AAAA;AAAA,EAKzC,aAAA,CAAc,UAA+E,SAAA,EAAyB;AACpH,IAAA,IAAA,CAAK,aAAA,EAAA;AAEL,IAAA,IAAI,aAAa,OAAA,EAAS;AACxB,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,OAAA,EAAS;AAC/B,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,iBAAA,EAAmB;AACzC,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,aAAA,EAAe;AACrC,MAAA,IAAA,CAAK,eAAA,EAAA;AACL,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,WAAA,EAAa;AACnC,MAAA,IAAA,CAAK,aAAA,EAAA;AACL,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP;AAGA,IAAA,IAAA,CAAK,SAAA,CAAU,KAAK,SAAS,CAAA;AAC7B,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,GAAS,IAAA,CAAK,UAAA,EAAY;AAC3C,MAAA,IAAA,CAAK,UAAU,KAAA,EAAM;AAAA,IACvB;AAEA,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA,GAAsB;AACpB,IAAA,IAAA,CAAK,aAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAoB;AAClB,IAAA,IAAA,CAAK,WAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAA,GAAiC;AAC/B,IAAA,IAAA,CAAK,uBAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAwB,QAAA,EAAmC;AAEzD,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO;AAAA,MACL,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,yBAAyB,IAAA,CAAK,uBAAA;AAAA,MAC9B,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,SAAA,EAAW,CAAC,GAAG,IAAA,CAAK,SAAS;AAAA;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,IAAA,EAAyB;AACpC,IAAA,IAAA,CAAK,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAA,GAAoB;AAC1B,IAAA,MAAM,OAAA,GAAU,KAAK,UAAA,EAAW;AAChC,IAAA,KAAA,MAAW,IAAA,IAAQ,KAAK,KAAA,EAAO;AAC7B,MAAA,IAAI;AACF,QAAA,IAAA,CAAK,OAAO,CAAA;AAAA,MACd,SAAS,KAAA,EAAO;AAEd,QAAA,OAAA,CAAQ,KAAA,CAAM,0BAA0B,KAAK,CAAA;AAAA,MAC/C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,YAAA,GAAe,CAAA;AACpB,IAAA,IAAA,CAAK,YAAA,GAAe,CAAA;AACpB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AACnB,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AACnB,IAAA,IAAA,CAAK,uBAAA,GAA0B,CAAA;AAC/B,IAAA,IAAA,CAAK,eAAA,GAAkB,CAAA;AACvB,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,YAAY,EAAC;AAAA,EACpB;AACF,CAAA;ACrIA,SAAS,qBAAqB,GAAA,EAAsB;AAClD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,MAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,IAAA,CAAK,UAAU,GAAG,CAAA;AACtD,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,IAAI,QAAA,EAAS;AACjD,EAAA,IAAI,OAAO,GAAA,KAAQ,SAAA,EAAW,OAAO,MAAM,MAAA,GAAS,OAAA;AACpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,CAAC,IAAA,KAAS,oBAAA,CAAqB,IAAI,CAAC,CAAA;AAC1D,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACjC;AACA,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,IAAA,MAAM,QAAkB,EAAC;AACzB,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,MAAA,IAAI,UAAU,MAAA,EAAW;AACvB,QAAA,KAAA,CAAM,IAAA,CAAK,KAAK,SAAA,CAAU,GAAG,IAAI,GAAA,GAAM,oBAAA,CAAqB,KAAK,CAAC,CAAA;AAAA,MACpE;AAAA,IACF;AACA,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACjC;AACA,EAAA,OAAO,IAAA,CAAK,UAAU,GAAG,CAAA;AAC3B;AAEA,SAAS,iBAAiB,IAAA,EAAkC;AAC1D,EAAA,IAAI,IAAA,IAAQ,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI,OAAO,EAAA;AACxC,EAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAI,CAAA,CAAE,IAAA,EAAK;AAC5B,EAAA,IAAI,EAAE,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,EAAE,WAAA,EAAY;AAC7C,EAAA,OAAO,IAAA,GAAO,EAAE,WAAA,EAAY;AAC9B;AAEA,SAAS,cAAc,IAAA,EAAkC;AACvD,EAAA,IAAI,IAAA,IAAQ,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI,OAAO,EAAA;AACxC,EAAA,MAAM,IAAI,MAAA,CAAO,IAAI,CAAA,CAAE,IAAA,GAAO,WAAA,EAAY;AAC1C,EAAA,OAAO,CAAA,CAAE,UAAA,CAAW,IAAI,CAAA,GAAI,IAAI,IAAA,GAAO,CAAA;AACzC;AAMO,SAAS,oBAAA,CACd,QAAA,EAeA,QAAA,EACA,gBAAA,EACA,eACA,WAAA,EACiB;AACjB,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,SAAA,IAAa,QAAA,CAAS,EAAA,IAAM,EAAA;AACpD,EAAA,MAAM,KAAA,GAAA,CAAS,SAAS,WAAA,IAAe,QAAA,CAAS,gBAAgB,QAAA,CAAS,KAAA,IAAS,KAAK,QAAA,EAAS;AAChG,EAAA,MAAM,IAAA,GAAO,aAAA;AAAA,IACV,QAAA,CAAS,IAAA,IAAQ,QAAA,CAAS,WAAA,IAAe,SAAS,QAAA,IAAY;AAAA,GACjE;AACA,EAAA,MAAM,WAAW,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,KAAA,IAAS,IAAI,QAAA,EAAS;AACpE,EAAA,MAAM,SAAA,GAAY,iBAAiB,MAAM,CAAA;AACzC,EAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,IAAS,OAAO,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,GAAI,EAAA;AAChE,EAAA,MAAM,UAAmC,EAAC;AAC1C,EAAA,IAAI,aAAA,IAAiB,OAAO,aAAA,KAAkB,QAAA,EAAU;AACtD,IAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,KAAK,MAAA,CAAO,OAAA,CAAQ,aAAa,CAAA,EAAG;AAClD,MAAA,IAAI,CAAA,KAAM,MAAA,EAAW,OAAA,CAAQ,CAAC,CAAA,GAAI,CAAA;AAAA,IACpC;AAAA,EACF;AACA,EAAA,MAAM,GAAA,GAAuB;AAAA,IAC3B,OAAA;AAAA,IACA,SAAA;AAAA,IACA,KAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,IAAI,WAAA,EAAa,GAAA,CAAI,WAAA,GAAc,gBAAA,CAAiB,WAAW,CAAA;AAC/D,EAAA,IAAI,gBAAA,IAAoB,IAAA;AACtB,IAAA,GAAA,CAAI,gBAAA,GAAmB,gBAAA,GAAmB,gBAAA,CAAiB,gBAAgB,CAAA,GAAI,IAAA;AACjF,EAAA,IAAI,OAAO,IAAA,CAAK,OAAO,EAAE,MAAA,GAAS,CAAA,MAAO,OAAA,GAAU,OAAA;AACnD,EAAA,IAAI,QAAA,MAAc,QAAA,GAAW,QAAA;AAC7B,EAAA,IAAI,QAAA,CAAS,aAAA,EAAe,GAAA,CAAI,aAAA,GAAgB,QAAA,CAAS,aAAA;AACzD,EAAA,OAAO,GAAA;AACT;AAKO,SAAS,gBAAgB,OAAA,EAAkC;AAChE,EAAA,MAAM,SAAA,GAAY,qBAAqB,OAAO,CAAA;AAC9C,EAAA,OAAOH,iBAAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,WAAW,MAAM,CAAA,CAAE,OAAO,KAAK,CAAA;AACpE;;;AClFO,IAAM,eAAA,GAAmC;AAAA,EAC9C,IAAA,GAAO;AAAA,EAAC;AACV;;;ACsEO,SAAS,aAAA,CACd,SAAA,EACA,UAAA,EACA,OAAA,GAAgC,EAAC,EACf;AAClB,EAAA,MAAM,cAAA,GAAiD;AAAA,IACrD,IAAA,EAAM,QAAQ,IAAA,IAAQ,SAAA;AAAA,IACtB,qBAAA,EAAuB,QAAQ,qBAAA,IAAyB,KAAA;AAAA,IACxD,UAAA,EAAY,OAAA,CAAQ,UAAA,KAAe,MAAM;AAAA,IAAC,CAAA,CAAA;AAAA,IAC1C,eAAA,EAAiB,QAAQ,eAAA,IAAmB,sBAAA;AAAA,IAC5C,WAAA,EAAa,QAAQ,WAAA,IAAe;AAAA,GACtC;AAGA,EAAA,MAAM,OAAA,GAAU,IAAI,KAAA,CAAM,SAAA,EAAW;AAAA,IACnC,GAAA,CAAI,MAAA,EAAQ,IAAA,EAAM,QAAA,EAAU;AAC1B,MAAA,IAAI,SAAS,MAAA,EAAQ;AAEnB,QAAA,OAAO,eAAgB,OAAA,EAAc;AAEnC,UAAA,IAAI,WAAW,OAAA,CAAQ,WAAA,IAAe,OAAA,CAAQ,WAAA,CAAY,SAAS,aAAA,EAAe;AAChF,YAAA,OAAO,MAAM,iBAAA;AAAA,cACX,OAAA;AAAA,cACA,MAAA;AAAA,cACA,UAAA;AAAA,cACA;AAAA,aACF;AAAA,UACF;AAGA,UAAA,OAAO,MAAO,MAAA,CAAe,IAAA,CAAK,OAAO,CAAA;AAAA,QAC3C,CAAA;AAAA,MACF;AAGA,MAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,MAAA,EAAQ,IAAA,EAAM,QAAQ,CAAA;AAAA,IAC3C;AAAA,GACD,CAAA;AAGD,EAAA,OAAA,CAAQ,eAAA,GAAkB,SAAA;AAC1B,EAAA,OAAA,CAAQ,WAAA,GAAc,UAAA;AACtB,EAAA,OAAA,CAAQ,eAAA,GAAkB,cAAA;AAE1B,EAAA,OAAO,OAAA;AACT;AAUA,SAAS,uBAAuB,OAAA,EAO9B;AAGA,EAAA,MAAM,OAAA,GAAW,OAAA,CAAgB,KAAA,EAAO,OAAA,IAAY,OAAA,CAAgB,OAAA;AACpE,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,+CAA+C,CAAA;AAAA,EACjE;AACA,EAAA,MAAM,gBAAgB,OAAA,YAAmB,MAAA,GACrC,OAAA,GACA,MAAA,CAAO,KAAK,OAAc,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAcA,kBAAW,QAAQ,CAAA,CAAE,OAAO,aAAa,CAAA,CAAE,OAAO,KAAK,CAAA;AAE3E,EAAA,OAAO;AAAA,IACL,aAAA,EAAe,OAAA;AAAA,IACf,SAAA,EAAW,MAAA;AAAA;AAAA,IACX,WAAA,EAAa,WAAA;AAAA,IACb,QAAA,EAAU;AAAA;AAAA,GACZ;AACF;AAGA,SAAS,iBAAA,CACP,UAAA,EACA,OAAA,EACA,QAAA,EACA,QAAA,EACuB;AACvB,EAAA,MAAM,SAAU,UAAA,CAAmB,MAAA;AACnC,EAAA,MAAM,KAAA,GAAS,OAAA,CAAgB,KAAA,EAAO,KAAA,IAAU,OAAA,CAAgB,KAAA;AAChE,EAAA,OAAO;AAAA,IACL,UAAU,MAAA,EAAQ,QAAA;AAAA,IAClB,UAAU,QAAA,IAAY,MAAA;AAAA,IACtB,aAAA,EAAe,MAAA,EAAQ,aAAA,IAAiB,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAAA,IACpD,KAAK,MAAA,EAAQ,GAAA,IAAO,QAAQ,GAAA,CAAI,QAAA,IAAY,QAAQ,GAAA,CAAI,QAAA;AAAA,IACxD,KAAA,EAAO,SAAS,OAAA,IAAW,IAAA,GAAO,OAAO,QAAA,CAAS,OAAO,IAAI,QAAA,CAAS,aAAA;AAAA,IACtE,QAAA,EAAU,KAAA;AAAA,IACV,MAAA,EAAQ,QAAQ,GAAA,CAAI;AAAA,GACtB;AACF;AAGA,SAAS,UAAA,CACP,IAAA,EACA,IAAA,EACA,MAAA,EACM;AACN,EAAA,MAAM,QAAyB,EAAE,IAAA,EAAM,QAAQ,WAAA,EAAa,IAAA,CAAK,KAAI,EAAE;AACvE,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,IAAA,CAAK,KAAK,CAAA;AAC9B,IAAA,IAAI,MAAA,IAAU,OAAQ,MAAA,CAAyB,KAAA,KAAU,UAAA,EAAY;AACnE,MAAC,MAAA,CAAyB,MAAM,MAAM;AAAA,MAAC,CAAC,CAAA;AAAA,IAC1C;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAKA,eAAe,iBAAA,CACb,OAAA,EACA,cAAA,EACA,UAAA,EACA,OAAA,EACc;AAEd,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,eAAA,CAAgB,OAAO,CAAA;AAIhD,EAAA,MAAM,QAAA,GAAY,OAAA,CAAgB,KAAA,EAAO,KAAA,IAAU,QAAgB,KAAA,IAAS,SAAA;AAE5E,EAAA,MAAM,MAAA,GAAS,iBAAA,CAAkB,UAAA,EAAY,OAAA,EAAS,UAAU,QAAQ,CAAA;AACxE,EAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oBAAA,EAAsB,MAAM,CAAA;AAI5D,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI;AACF,IAAA,cAAA,GAAiB,MAAO,UAAA,CAAmB,gBAAA,CAAiB,iBAAA,CAAkB,UAAU,GAAI,CAAA;AAAA,EAC9F,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,sBAAA;AAAA,MACR,mBAAA;AAAA,MACA,MAAA;AAAA;AAAA,MACA,MAAA;AAAA;AAAA,MACA;AAAA;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,cAAA,GAAiB;AAAA,IACrB,QAAA;AAAA,IACA,cAAA,EAAgB,YAAA;AAAA;AAAA,IAChB;AAAA;AAAA,GACF;AAEA,EAAA,IAAI;AAEF,IAAA,MAAM,QAAA,GAAW,MAAM,UAAA,CAAW,QAAA,CAAS;AAAA,MACzC,QAAA;AAAA;AAAA,MACA;AAAA,KACD,CAAA;AAGD,IAAA,IAAI,QAAA,CAAS,QAAA,KAAa,OAAA,IAAW,OAAA,CAAQ,qBAAA,EAAuB;AAClE,MAAA,MAAMI,WAAAA,GACH,SAAiB,OAAA,IAAW,IAAA,IAC3B,SAAiB,YAAA,IAAgB,IAAA,IAAS,SAAiB,gBAAA,IAAoB,IAAA;AACnF,MAAA,IAAI,CAACA,WAAAA,EAAY;AACf,QAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oCAAA,EAAsC,MAAM,CAAA;AAC5E,QAAA,OAAA,CAAQ,WAAW,OAAA,EAAS;AAAA,UAC1B,OAAO,IAAI,sBAAA;AAAA,YACT,kBAAA;AAAA,YACC,QAAA,CAAiB,UAAA;AAAA,YACjB,QAAA,CAAiB,aAAA;AAAA,YAClB,KAAA;AAAA,WACF;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,kBAAA;AAAA,UACC,QAAA,CAAiB,UAAA;AAAA,UACjB,QAAA,CAAiB,aAAA;AAAA,UAClB,KAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IACE,QAAA,CAAS,aAAa,OAAA,IACtB,UAAA,CAAW,yBAAwB,IACnC,QAAA,CAAS,YAAY,IAAA,EACrB;AACA,MAAA,MAAM,OAAA,GAAU,oBAAA;AAAA,QACd,QAAA;AAAA,QACA,QAAA;AAAA,QACA,KAAA,CAAA;AAAA,QACA,KAAA,CAAA;AAAA,QACC,cAAA,CAAuB;AAAA,OAC1B;AACA,MAAA,MAAM,cAAA,GAAiB,gBAAgB,OAAO,CAAA;AAC9C,MAAA,IAAI,cAAA,KAAmB,SAAS,QAAA,EAAU;AACxC,QAAA,OAAA,CAAQ,WAAW,OAAA,EAAS;AAAA,UAC1B,OAAO,IAAI,sBAAA;AAAA,YACT,4BAAA;AAAA,YACA,QAAA,CAAS,UAAA;AAAA,YACT,QAAA,CAAS,aAAA;AAAA,YACT,KAAA;AAAA,WACF;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,4BAAA;AAAA,UACA,QAAA,CAAS,UAAA;AAAA,UACT,QAAA,CAAS,aAAA;AAAA,UACT,KAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,GACH,SAAiB,OAAA,IAAW,IAAA,IAC3B,SAAiB,YAAA,IAAgB,IAAA,IAAS,SAAiB,gBAAA,IAAoB,IAAA;AACnF,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,iCAAA,EAAmC,MAAM,CAAA;AAAA,IAC3E;AACA,IAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oBAAA,EAAsB,MAAM,CAAA;AAE5D,IAAA,OAAA,CAAQ,WAAW,OAAA,EAAS,EAAE,QAAA,EAAU,QAAA,EAAU,SAAS,CAAA;AAE3D,IAAA,IAAI,OAAA,CAAQ,SAAS,SAAA,EAAW;AAE9B,MAAA,OAAO,MAAM,cAAA,CAAe,IAAA,CAAK,IAAIC,qBAAA,CAAY,OAAO,CAAC,CAAA;AAAA,IAC3D;AAGA,IAAA,OAAO,MAAM,cAAA,CAAe,IAAA,CAAK,IAAIA,qBAAA,CAAY,OAAO,CAAC,CAAA;AAAA,EAC3D,SAAS,KAAA,EAAY;AAEnB,IAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,MAAA,OAAA,CAAQ,WAAW,OAAA,EAAS,EAAE,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AACxD,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,IAAI,iBAAiB,6BAAA,EAA+B;AAClD,MAAA,OAAA,CAAQ,WAAW,iBAAA,EAAmB,EAAE,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AAClE,MAAA,MAAM,KAAA;AAAA,IACR;AAGA,IAAA,MAAM,KAAA;AAAA,EACR;AACF;;;AC5UO,IAAM,qBAAN,MAAyB;AAAA;AAAA;AAAA;AAAA,EAI9B,OAAO,aAAA,GAAmC;AACxC,IAAA,MAAM,IAAA,GAAO,QAAQ,GAAA,CAAI,gBAAA;AACzB,IAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,oBAAA;AAC7B,IAAA,MAAM,GAAA,GAAM,QAAQ,GAAA,CAAI,eAAA;AACxB,IAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,iBAAA;AAC1B,IAAA,MAAM,gBAAA,GAAmB,QAAQ,GAAA,CAAI,sBAAA;AACrC,IAAA,MAAM,iBAAA,GAAoB,QAAQ,GAAA,CAAI,uBAAA;AACtC,IAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,wBAAA;AACvC,IAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,oBAAA;AAGnC,IAAA,IAAI,CAAC,QAAQ,CAAC,QAAA,IAAY,CAAC,GAAA,IAAO,CAAC,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC7D,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,aAAyB,EAAC;AAEhC,IAAA,IAAI,IAAA,aAAiB,IAAA,GAAO,IAAA;AAC5B,IAAA,IAAI,QAAA,aAAqB,QAAA,GAAW,QAAA;AACpC,IAAA,IAAI,GAAA,aAAgB,GAAA,GAAM,GAAA;AAC1B,IAAA,IAAI,KAAA,aAAkB,KAAA,GAAQ,KAAA;AAG9B,IAAA,IAAI,gBAAA,IAAoB,iBAAA,IAAqB,kBAAA,IAAsB,cAAA,EAAgB;AACjF,MAAA,UAAA,CAAW,WAAA,GAAc;AAAA,QACvB,KAAA,EAAO,gBAAA,KAAqB,MAAA,IAAU,gBAAA,KAAqB,GAAA;AAAA,QAC3D,MAAA,EAAQ,iBAAA;AAAA,QACR,OAAA,EAAS,kBAAA;AAAA,QACT,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAAA,GAAqB;AAC1B,IAAA,OAAO,CAAC,EACN,OAAA,CAAQ,GAAA,CAAI,oBACZ,OAAA,CAAQ,GAAA,CAAI,oBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,sBAAA,CAAA;AAAA,EAEhB;AACF;ACnDO,IAAM,mBAAN,MAAuB;AAAA,EACX,UAAA;AAAA,EACA,QAAA;AAAA,EACT,eAAA;AAAA,EACS,WAAA;AAAA,EACA,0BAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EACA,UAAA;AAAA;AAAA,EACA,MAAA;AAAA;AAAA,EAEA,aAAA,uBAAuD,GAAA,EAAI;AAAA,EACpE,aAAA,GAAuC,IAAA;AAAA,EACvC,OAAA,GAAU,KAAA;AAAA,EACV,iBAAA,GAAoB,EAAA;AAAA;AAAA,EAEX,UAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EAEjB,YAAY,OAAA,EAaT;AACD,IAAA,IAAA,CAAK,aAAa,OAAA,CAAQ,UAAA;AAC1B,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,kBAAkB,OAAA,CAAQ,QAAA;AAC/B,IAAA,IAAA,CAAK,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAC1C,IAAA,IAAA,CAAK,0BAAA,GAA6B,QAAQ,sBAAA,IAA0B,EAAA;AACpE,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAGtB,IAAA,IAAA,CAAK,gBAAA,GAAmB,OAAA,CAAQ,gBAAA,IAAoBC,OAAA,EAAO;AAG3D,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,OAAA;AACxC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAEtB,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,EAAA;AACxC,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAQ,eAAA,IAAmB,GAAA;AAClD,IAAA,IAAA,CAAK,gBAAA,GAAmB,QAAQ,gBAAA,IAAoB,IAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,EAA8C;AAClD,IAAA,IAAI,KAAK,OAAA,EAAS;AAChB,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AACf,IAAA,IAAA,CAAK,kBAAA,EAAmB;AAGxB,IAAA,IAAA,CAAK,kBAAkB,IAAA,CAAK,eAAA,EAAiB,CAAC,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU;AAE/D,MAAA,OAAA,CAAQ,KAAK,kDAAA,EAAoD,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA,IACjH,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,kBAAA,GAA2B;AACjC,IAAA,IAAI,IAAA,CAAK,aAAA,EAAe,aAAA,CAAc,IAAA,CAAK,aAAa,CAAA;AAExD,IAAA,IAAA,CAAK,aAAA,GAAgB,YAAY,MAAM;AACrC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,aAAA,EAAe;AAClD,QAAA,IAAI,GAAA,GAAM,KAAA,CAAM,UAAA,GAAa,IAAA,CAAK,eAAA,EAAiB;AACjD,UAAA,IAAI,KAAA,CAAM,YAAA,EAAc,YAAA,CAAa,KAAA,CAAM,YAAY,CAAA;AACvD,UAAA,IAAA,CAAK,aAAA,CAAc,OAAO,QAAQ,CAAA;AAAA,QACpC;AAAA,MACF;AAAA,IACF,GAAG,GAAM,CAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAAA,CAAyB,UAAkB,KAAA,EAAmC;AACpF,IAAA,IAAI,CAAC,KAAK,OAAA,IAAW,CAAC,KAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AACtD,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,MAAM,YAAA,EAAc;AACtB,MAAA,YAAA,CAAa,MAAM,YAAY,CAAA;AAC/B,MAAA,KAAA,CAAM,YAAA,GAAe,IAAA;AAAA,IACvB;AAEA,IAAA,MAAM,YAAA,GAAe,KAAK,0BAAA,GAA6B,GAAA;AACvD,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,EAAO,GAAI,GAAA;AAC/B,IAAA,MAAM,UAAU,IAAA,CAAK,GAAA;AAAA,MACnB,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,KAAA,CAAM,mBAAmB,CAAA,GAAI,GAAA;AAAA,MACzC,KAAK,iBAAA,GAAoB;AAAA,KAC3B;AACA,IAAA,MAAM,QAAA,GAAW,eAAe,MAAA,GAAS,OAAA;AAEzC,IAAA,KAAA,CAAM,YAAA,GAAe,WAAW,MAAM;AAEpC,MAAA,IAAI,CAAC,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AAEvC,MAAA,KAAA,CAAM,SAAA,GAAY,IAAA;AAClB,MAAA,KAAA,CAAM,iBAAiB,IAAA,CAAK,yBAAA,CAA0B,UAAU,KAAK,CAAA,CAClE,KAAK,MAAM;AACV,QAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,MAC/C,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,KAAA,KAAU;AAChB,QAAA,KAAA,CAAM,mBAAA,EAAA;AACN,QAAA,OAAA,CAAQ,MAAM,CAAA,sCAAA,EAAyC,QAAQ,CAAA,cAAA,CAAA,EAAkB,KAAA,CAAM,WAAW,KAAK,CAAA;AACvG,QAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,MAC/C,CAAC,CAAA,CACA,OAAA,CAAQ,MAAM;AACb,QAAA,KAAA,CAAM,SAAA,GAAY,KAAA;AAClB,QAAA,KAAA,CAAM,cAAA,GAAiB,IAAA;AAAA,MACzB,CAAC,CAAA;AAAA,IACL,GAAG,QAAQ,CAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,IAAA,GAAa;AACX,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,KAAA;AAEf,IAAA,IAAI,KAAK,aAAA,EAAe;AACtB,MAAA,aAAA,CAAc,KAAK,aAAa,CAAA;AAChC,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA;AAAA,IACvB;AAEA,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,aAAA,EAAe;AAClD,MAAA,IAAI,MAAM,YAAA,EAAc;AACtB,QAAA,YAAA,CAAa,MAAM,YAAY,CAAA;AAC/B,QAAA,KAAA,CAAM,YAAA,GAAe,IAAA;AAAA,MACvB;AAAA,IACF;AACA,IAAA,IAAA,CAAK,cAAc,KAAA,EAAM;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAA,GAA0B;AACxB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,KAAK,eAAe,CAAA;AACzD,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,IAAS,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,IAAI,CAAA,EAAG;AACrF,MAAA,KAAA,CAAM,UAAA,GAAa,KAAK,GAAA,EAAI;AAC5B,MAAA,OAAO,MAAM,KAAA,CAAM,KAAA;AAAA,IACrB;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAmB;AACjB,IAAA,OAAO,IAAA,CAAK,UAAS,KAAM,IAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,QAAA,EAAwB;AACrC,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAA,CAAkB,QAAA,EAAkB,SAAA,GAAY,GAAA,EAAuB;AAC3E,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,IAAI,uDAA2C,8BAA8B,CAAA;AAAA,IACrF;AAEA,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,IAAI,KAAA,GAAQ,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA;AAC3C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,MAAM,aAAA,GAAgB,CAAC,CAAA,KAA4B;AACjD,MAAA,IAAI,CAAA,CAAE,KAAA,IAAS,CAAA,CAAE,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,CAAA,EAAG;AACpE,QAAA,OAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACjB;AACA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAEA,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,KAAA,CAAM,UAAA,GAAa,GAAA;AACnB,MAAA,MAAMC,EAAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,MAAA,IAAIA,IAAG,OAAOA,EAAAA;AAAA,IAChB,CAAA,MAAO;AACL,MAAA,IAAI,IAAA,CAAK,aAAA,CAAc,IAAA,IAAQ,IAAA,CAAK,UAAA,EAAY;AAC9C,QAAA,IAAI,cAAA,GAAgC,IAAA;AACpC,QAAA,IAAI,YAAA,GAAe,QAAA;AACnB,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,CAAC,CAAA,IAAK,KAAK,aAAA,EAAe;AACzC,UAAA,IAAI,CAAA,CAAE,aAAa,YAAA,EAAc;AAC/B,YAAA,YAAA,GAAe,CAAA,CAAE,UAAA;AACjB,YAAA,cAAA,GAAiB,GAAA;AAAA,UACnB;AAAA,QACF;AACA,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,MAAM,WAAA,GAAc,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,cAAc,CAAA;AACzD,UAAA,IAAI,WAAA,EAAa,YAAA,EAAc,YAAA,CAAa,WAAA,CAAY,YAAY,CAAA;AACpE,UAAA,IAAA,CAAK,aAAA,CAAc,OAAO,cAAc,CAAA;AAAA,QAC1C;AAAA,MACF;AACA,MAAA,KAAA,GAAQ;AAAA,QACN,KAAA,EAAO,IAAA;AAAA,QACP,YAAA,EAAc,IAAA;AAAA,QACd,mBAAA,EAAqB,CAAA;AAAA,QACrB,oBAAA,EAAsB,CAAA;AAAA,QACtB,UAAA,EAAY,GAAA;AAAA,QACZ,SAAA,EAAW,KAAA;AAAA,QACX,cAAA,EAAgB;AAAA,OAClB;AACA,MAAA,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AAAA,IACxC;AAEA,IAAA,IAAI,KAAA,CAAM,SAAA,IAAa,KAAA,CAAM,cAAA,EAAgB;AAC3C,MAAA,MAAM,aAAA,GAAgB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACtE,MAAA,IAAI;AACF,QAAA,MAAM,QAAQ,IAAA,CAAK;AAAA,UACjB,KAAA,CAAM,cAAA;AAAA,UACN,IAAI,OAAA,CAAQ,CAAC,CAAA,EAAG,WAAW,UAAA,CAAW,MAAM,MAAA,CAAO,IAAI,KAAA,CAAM,SAAS,CAAC,CAAA,EAAG,aAAa,CAAC;AAAA,SACzF,CAAA;AAAA,MACH,SAAS,CAAA,EAAG;AAAA,MAAC;AACb,MAAA,MAAMA,EAAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,MAAA,IAAIA,IAAG,OAAOA,EAAAA;AAAA,IAChB;AAEA,IAAA,MAAM,oBAAA,GAAuB,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA,CAAM,oBAAA;AAChD,IAAA,IAAI,qBAAA,GAAwB,CAAA;AAC5B,IAAA,IAAI,oBAAA,GAAuB,KAAK,gBAAA,EAAkB;AAChD,MAAA,qBAAA,GAAwB,KAAK,gBAAA,GAAmB,oBAAA;AAAA,IAClD;AAEA,IAAA,MAAM,cAAA,GAAiB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACvE,IAAA,IAAI,yBAAyB,cAAA,EAAgB;AAC1C,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,mBAAA;AAAA,QAET;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAI,wBAAwB,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAA,OAAA,KAAW,UAAA,CAAW,OAAA,EAAS,qBAAqB,CAAC,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI,CAAC,MAAM,SAAA,EAAW;AACpB,MAAA,KAAA,CAAM,SAAA,GAAY,IAAA;AAClB,MAAA,KAAA,CAAM,iBAAiB,IAAA,CAAK,yBAAA,CAA0B,UAAU,KAAK,CAAA,CAAE,QAAQ,MAAM;AACnF,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,KAAA,CAAM,SAAA,GAAY,KAAA;AAClB,UAAA,KAAA,CAAM,cAAA,GAAiB,IAAA;AAAA,QACzB;AAAA,MACF,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,cAAA,GAAiB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACvE,IAAA,IAAI;AACF,MAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK;AAAA,UACjB,KAAA,CAAM,cAAA;AAAA,UACN,IAAI,OAAA,CAAQ,CAAC,CAAA,EAAG,WAAW,UAAA,CAAW,MAAM,MAAA,CAAO,IAAI,KAAA,CAAM,SAAS,CAAC,CAAA,EAAG,cAAc,CAAC;AAAA,SAC1F,CAAA;AAAA,MACH;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAAC;AAEb,IAAA,MAAM,CAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,IAAA,IAAI,GAAG,OAAO,CAAA;AAEd,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,mBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,yBAAA,CAA0B,QAAA,EAAkB,KAAA,EAA4C;AACpG,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,cAAA;AAAA,QAER,mHAAA;AAAA,QACA;AAAC,OACH;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,oBAAA,GAAuB,KAAK,GAAA,EAAI;AAEtC,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAYpC;AAAA,QACD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,wBAAA;AAAA,QACN,OAAA,EAAS;AAAA,UACP,wBAAwB,IAAA,CAAK;AAAA,SAC/B;AAAA,QACA,IAAA,EAAM;AAAA,UACJ,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,QAAA;AAAA,UACA,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,YAAY,IAAA,CAAK;AAAA;AACnB,OACD,CAAA;AAGD,MAAA,IAAI,CAAC,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AACrC,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,IAAA,EAAM;AACrC,QAAA,MAAM,KAAA,GAAQ,SAAS,IAAA,CAAK,cAAA;AAC5B,QAAA,MAAM,SAAA,GAAY,SAAS,IAAA,CAAK,SAAA;AAEhC,QAAA,IAAI,CAAC,KAAA,IAAS,CAAC,SAAA,EAAW;AACxB,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,kBAAA;AAAA,YAER;AAAA,WACF;AAAA,QACF;AAEA,QAAA,KAAA,CAAM,KAAA,GAAQ;AAAA,UACZ,KAAA;AAAA,UACA,SAAA;AAAA,UACA,GAAA,EAAK,SAAS,IAAA,CAAK,GAAA;AAAA,UACnB,UAAA,EAAY,SAAS,IAAA,CAAK;AAAA,SAC5B;AACA,QAAA,KAAA,CAAM,mBAAA,GAAsB,CAAA;AAG5B,QAAA,OAAA,CAAQ,IAAI,sCAAA,EAAwC;AAAA,UAClD,SAAA;AAAA,UACA,QAAA;AAAA,UACA,GAAA,EAAK,SAAS,IAAA,CAAK,GAAA;AAAA,UACnB,YAAY,QAAA,CAAS,IAAA,CAAK,YAAY,SAAA,CAAU,CAAA,EAAG,CAAC,CAAA,GAAI;AAAA;AAAA,SAEzD,CAAA;AAGD,QAAA,IAAI,CAAC,MAAM,YAAA,EAAc;AACvB,UAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,QAC/C;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,KAAA,GAAS,QAAA,CAAiB,KAAA,IAAS,EAAC;AAC1C,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,cAAA;AAAA,UAER,CAAA,8BAAA,EAAiC,KAAA,CAAM,OAAA,IAAW,eAAe,CAAA;AAAA,SACnE;AAAA,MACF;AAAA,IACF,SAAS,KAAA,EAAY;AAEnB,MAAA,OAAA,CAAQ,MAAM,CAAA,mDAAA,EAAsD,QAAQ,CAAA,CAAA,CAAA,EAAK,KAAA,CAAM,WAAW,KAAK,CAAA;AACvG,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,GAA8B;AAC5B,IAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,EACd;AACF;;;AC7YO,IAAM,2BAAN,MAA+B;AAAA,EACnB,OAAA;AAAA,EAEjB,YAAY,OAAA,EAA0C;AACpD,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,SAAA,GAA0C;AACxC,IAAA,MAAM,SAAyC,EAAC;AAGhD,IAAA,MAAM,gBAAA,GAAmB,KAAK,mBAAA,EAAoB;AAClD,IAAA,IAAI,iBAAiB,OAAA,EAAS;AAC5B,MAAA,MAAA,CAAO,KAAK,gBAAgB,CAAA;AAAA,IAC9B;AAGA,IAAA,MAAM,QAAA,GAAW,KAAK,uBAAA,EAAwB;AAC9C,IAAA,IAAI,SAAS,OAAA,EAAS;AACpB,MAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAAA,IACtB;AAGA,IAAA,MAAM,iBAAA,GAAoB,IAAA,CAAK,oBAAA,CAAqB,MAAM,CAAA;AAC1D,IAAA,MAAM,cAAc,MAAA,CAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,eAAe,iBAAiB,CAAA;AAEvE,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,WAAA,CAAY,OAAA,EAAS;AACxC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,KAAA;AAAA,QACZ,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAGA,IAAA,IAAI,KAAK,OAAA,CAAQ,eAAA,KAAoB,UAAU,CAAC,IAAA,CAAK,QAAQ,8BAAA,EAAgC;AAC3F,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,WAAW,CAAA;AACvD,MAAA,MAAM,IAAI,MAAM,YAAY,CAAA;AAAA,IAC9B;AAGA,IAAA,IAAA,CAAK,WAAW,WAAW,CAAA;AAE3B,IAAA,OAAO,WAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAA,GAA+C;AAEnD,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,EAAU;AAMlC,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,kBAAA,EAAmB;AACtD,IAAA,IAAI,gBAAgB,OAAA,EAAS;AAE3B,MAAA,IAAI,KAAK,OAAA,CAAQ,eAAA,KAAoB,UAAU,CAAC,IAAA,CAAK,QAAQ,8BAAA,EAAgC;AAC3F,QAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,eAAe,CAAA;AAC3D,QAAA,MAAM,IAAI,MAAM,YAAY,CAAA;AAAA,MAC9B;AAGA,MAAA,IAAA,CAAK,WAAW,eAAe,CAAA;AAE/B,MAAA,OAAO,eAAA;AAAA,IACT;AAGA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAA,GAAoD;AAC1D,IAAA,MAAM,UAAA,GAAa,CAAC,EAClB,OAAA,CAAQ,GAAA,CAAI,qBACZ,OAAA,CAAQ,GAAA,CAAI,qBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,iBAAA,CAAA;AAGd,IAAA,MAAM,kBAAA,GAAqB,CAAC,EAC1B,OAAA,CAAQ,GAAA,CAAI,gBACZ,OAAA,CAAQ,GAAA,CAAI,2BAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,sCAAA,CAAA;AAGd,IAAA,IAAI,cAAc,kBAAA,EAAoB;AACpC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,QAAA,EAAU,0BAAA;AAAA,QACV,UAAA,EAAY,QAAA;AAAA,QACZ,OAAA,EAAS,+FAAA;AAAA,QACT,WAAA,EAAa;AAAA,OACf;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,KAAA;AAAA,MACZ,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kBAAA,GAA4D;AAIxE,IAAA,IAAI;AAEF,MAAA,MAAM,YAAY,MAAM,OAAO,qBAAqB,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAEtE,MAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAU,SAAA,IAAa,CAAC,UAAU,8BAAA,EAAgC;AAEnF,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAEA,MAAA,MAAM,EAAE,SAAA,EAAW,8BAAA,EAA+B,GAAI,SAAA;AAGtD,MAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,sBAAA,EAAuB;AACvD,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAAS,IAAI,SAAA,CAAU,EAAE,CAAA;AAC/B,MAAA,MAAM,OAAA,GAAU,IAAI,8BAAA,CAA+B;AAAA,QACjD,eAAA,EAAiB,YAAA;AAAA,QACjB,WAAA,EAAa,CAAC,UAAU,CAAA;AAAA,QACxB,YAAA,EAAc,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAW,GAAA,CAAI,CAAA,EAAA,KAAM,CAAA,oBAAA,EAAuB,EAAE,CAAA,CAAE,CAAA,IAAK,CAAC,uBAAuB;AAAA,OACzG,CAAA;AAED,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAE5D,MAAA,IAAI,CAAC,QAAA,EAAU;AAEb,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAGA,MAAA,MAAM,UAAA,GAAa,SAAS,iBAAA,EAAmB,IAAA;AAAA,QAC7C,CAAC,MAAA,KAAgB,MAAA,CAAO,YAAA,KAAiB,SAAA,IAAa,OAAO,YAAA,KAAiB;AAAA,OAChF;AAEA,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,IAAA;AAAA,UACT,QAAA,EAAU,4BAAA;AAAA,UACV,UAAA,EAAY,MAAA;AAAA,UACZ,OAAA,EAAS,qCAAqC,YAAY,CAAA,6DAAA,CAAA;AAAA,UAC1D,WAAA,EAAa;AAAA,SACf;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,MAAA;AAAA,QACZ,OAAA,EAAS;AAAA,OACX;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,KAAA;AAAA,QACZ,SAAS,CAAA,uBAAA,EAA0B,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,eAAe,CAAA;AAAA,OAC7F;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAAA,GAAwD;AAE9D,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,YAAA;AAAA,MACA,gBAAA;AAAA,MACA,aAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,eAAe,OAAA,CAAQ,MAAA,CAAO,YAAU,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAC,CAAA;AAEjE,IAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,QAAA,EAAU,qBAAA;AAAA,QACV,UAAA,EAAY,KAAA;AAAA,QACZ,OAAA,EAAS,CAAA,8CAAA,EAAiD,YAAA,CAAa,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,QACjF,WAAA,EAAa;AAAA,OACf;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,KAAA;AAAA,MACZ,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAA,GAAiD;AAC7D,IAAA,IAAI;AAEF,MAAA,MAAM,YAAY,MAAM,OAAO,qBAAqB,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAEtE,MAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAU,SAAA,IAAa,CAAC,UAAU,wBAAA,EAA0B;AAC7E,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,EAAE,SAAA,EAAW,wBAAA,EAAyB,GAAI,SAAA;AAEhD,MAAA,MAAM,MAAA,GAAS,IAAI,SAAA,CAAU,EAAE,CAAA;AAC/B,MAAA,MAAM,OAAA,GAAU,IAAI,wBAAA,CAAyB,EAAE,CAAA;AAC/C,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAE5D,MAAA,IAAI,UAAU,GAAA,EAAK;AACjB,QAAA,OAAO,QAAA,CAAS,GAAA;AAAA,MAClB;AAAA,IACF,SAAS,KAAA,EAAO;AAAA,IAEhB;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAqB,MAAA,EAAmE;AAC9F,IAAA,IAAI,OAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,KAAe,MAAM,CAAA,EAAG;AAC7C,MAAA,OAAO,MAAA;AAAA,IACT;AACA,IAAA,IAAI,OAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,KAAe,QAAQ,CAAA,EAAG;AAC/C,MAAA,OAAO,QAAA;AAAA,IACT;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,MAAA,EAA8C;AACtE,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,4DAAA;AAAA,MACA,CAAA,yBAAA,EAA4B,OAAO,OAAO,CAAA,CAAA;AAAA,MAC1C,CAAA,eAAA,EAAkB,OAAO,QAAQ,CAAA,CAAA;AAAA,MACjC,CAAA,gBAAA,EAAmB,OAAO,UAAU,CAAA,CAAA;AAAA,MACpC,CAAA,eAAA,EAAkB,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA;AAAA,KACzC;AAEA,IAAA,IAAI,IAAA,CAAK,QAAQ,QAAA,EAAU;AACzB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,eAAA,EAAkB,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,CAAA;AAAA,IACtD;AAEA,IAAA,IAAI,IAAA,CAAK,QAAQ,WAAA,EAAa;AAC5B,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,iBAAA,EAAoB,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA,CAAE,CAAA;AAAA,IAC3D;AAEA,IAAA,IAAI,OAAO,WAAA,EAAa;AACtB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,WAAW,CAAA,CAAE,CAAA;AAAA,IACrD;AAEA,IAAA,KAAA,CAAM,KAAK,2DAA2D,CAAA;AACtE,IAAA,KAAA,CAAM,KAAK,CAAA,sFAAA,CAAwF,CAAA;AAEnG,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAW,MAAA,EAA4C;AAC7D,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,OAAA,EAAS,8BAAA;AAAA,MACT,QAAA,EAAU,KAAK,OAAA,CAAQ,QAAA;AAAA,MACvB,QAAA,EAAU,KAAK,OAAA,CAAQ,QAAA;AAAA,MACvB,WAAA,EAAa,KAAK,OAAA,CAAQ,WAAA;AAAA,MAC1B,eAAA,EAAiB,KAAK,OAAA,CAAQ,eAAA;AAAA,MAC9B,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,aAAa,MAAA,CAAO,WAAA;AAAA,MACpB,aAAA,EAAe;AAAA,KACjB;AAGA,IAAA,OAAA,CAAQ,KAAK,gBAAA,EAAkB,IAAA,CAAK,UAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACjE;AACF,CAAA;;;ACtTA,IAAM,iBAAA,GAAoB,iBAAA;AAKnB,IAAM,aAAN,MAAiB;AAAA,EACL,MAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,IAAA;AAAA,EACA,mBAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAGd,IAAA,MAAM,OAAA,GAAU,QAAQ,GAAA,CAAI,SAAA;AAC5B,IAAA,IAAA,CAAK,IAAA,GAAO,OAAA,IAAW,MAAA,CAAO,IAAA,IAAQ,QAAA;AAGtC,IAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,MAAA,IAAA,CAAK,sBAAsB,MAAA,CAAO,mBAAA;AAAA,IACpC,CAAA,MAAO;AAEL,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA,CAAK,IAAA,KAAS,QAAA,GAAW,WAAA,GAAc,aAAA;AAAA,IACpE;AAGA,IAAA,IAAI,MAAA,CAAO,IAAA,CAAK,IAAA,KAAS,MAAA,EAAQ;AAC/B,MAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,QAC/B,KAAA,EAAO,OAAO,IAAA,CAAK,KAAA;AAAA,QACnB,MAAA,EAAQ,OAAO,IAAA,CAAK;AAAA,OACrB,CAAA;AAAA,IACH,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,QAC/B,MAAA,EAAQ,OAAO,IAAA,CAAK;AAAA,OACrB,CAAA;AAAA,IACH;AAGA,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,MAC/B,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAGD,IAAA,IAAI,OAAO,YAAA,EAAc;AACvB,MAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa;AAAA,QACnC,YAAY,IAAA,CAAK,UAAA;AAAA,QACjB,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,iBAAA,EAAmB,OAAO,MAAA,EAAQ,iBAAA;AAAA,QAClC,SAAA,EAAW,OAAO,MAAA,EAAQ;AAAA,OAC3B,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,OAAO,cAAA,EAAgB;AACzB,MAAA,IAAA,CAAK,cAAA,GAAiB,IAAI,cAAA,CAAe,MAAA,CAAO,cAAc,CAAA;AAAA,IAChE;AAGA,IAAA,IAAA,CAAK,OAAA,GAAU,IAAI,gBAAA,EAAiB;AACpC,IAAA,IAAI,OAAO,SAAA,EAAW;AACpB,MAAA,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,MAAA,CAAO,SAAS,CAAA;AAAA,IAC5C;AAGA,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,OAAA,CAAQ,KAAK,kFAAkF,CAAA;AAE/F,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AAAA,IAC1B,CAAA,MAAO;AAEL,MAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,KAAoB,OAAO,YAAY,WAAA,GAAc,OAAA,CAAQ,IAAI,kBAAA,GAAqB,MAAA,CAAA;AACrH,MAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAGA,MAAA,IAAI,kBAAkB,MAAA,CAAO,OAAA;AAC7B,MAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,UAAU,CAAA,EAAG;AACxC,QAAA,eAAA,GAAkB,eAAA,CAAgB,KAAA,CAAM,UAAU,CAAA,CAAE,CAAC,CAAA;AAAA,MACvD;AAEA,MAAA,IAAK,OAAe,eAAA,EAAiB;AACnC,QAAA,eAAA,GAAmB,MAAA,CAAe,eAAA;AAAA,MACpC;AAEA,MAAA,MAAM,mBAAA,GAAsB,IAAI,UAAA,CAAW;AAAA,QACzC,OAAA,EAAS,eAAA;AAAA,QACT,SAAA,EAAW,GAAA;AAAA;AAAA,QACX,WAAW,MAAA,CAAO;AAAA,OACnB,CAAA;AAID,MAAA,MAAM,eAAA,GAAkB,OAAO,QAAA,IAAY,iBAAA;AAC3C,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAI,gBAAA,CAAiB;AAAA,QAC3C,UAAA,EAAY,mBAAA;AAAA,QACZ,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,QAAA,EAAU,eAAA;AAAA,QACV,WAAA,EAAc,OAAe,WAAA,IAAe,MAAA;AAAA,QAC5C,sBAAA,EAAwB,OAAO,+BAAA,IAAmC,EAAA;AAAA,QAClE,MAAA,EAAQ;AAAA,OACT,CAAA;AAGD,MAAA,IAAA,CAAK,iBAAiB,KAAA,EAAM;AAAA,IAC9B;AAGA,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,IAAmB,MAAA;AAClD,MAAA,MAAM,8BAAA,GAAiC,MAAA,CAAO,8BAAA,IAAmC,eAAA,KAAoB,MAAA;AAErG,MAAA,MAAM,WAAA,GAAc,IAAI,wBAAA,CAAyB;AAAA,QAC/C,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,aAAc,MAAA,CAAe,WAAA;AAAA,QAC7B,eAAA;AAAA,QACA,8BAAA;AAAA,QACA,WAAW,MAAA,CAAO;AAAA,OACnB,CAAA;AAID,MAAA,WAAA,CAAY,SAAA,EAAU;AAKtB,MAAA,IAAA,CAAK,yBAAyB,WAAA,EAAa,eAAe,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU;AAE3E,QAAA,IAAI,eAAA,KAAoB,UAAU,8BAAA,EAAgC;AAChE,UAAA,OAAA,CAAQ,IAAA,CAAK,+CAA+C,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,QACpH,CAAA,MAAO;AAEL,UAAA,OAAA,CAAQ,KAAA,CAAM,uEAAuE,KAAK,CAAA;AAAA,QAC5F;AAAA,MACF,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,uBAAA,GAAmC;AACjC,IAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,gCAAgC,MAAA,EAAW;AAC3F,MAAA,OAAO,QAAQ,GAAA,CAAI,2BAAA,KAAgC,MAAA,IAAU,OAAA,CAAQ,IAAI,2BAAA,KAAgC,GAAA;AAAA,IAC3G;AACA,IAAA,OACE,IAAA,CAAK,OAAO,oBAAA,KACX,IAAA,CAAK,SAAS,SAAA,IAAc,IAAA,CAAK,OAAe,eAAA,KAAoB,MAAA,CAAA;AAAA,EAEzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,wBAAA,CACZ,WAAA,EACA,eAAA,EACe;AACf,IAAA,IAAI;AAIF,MAAA,MAAM,YAAY,KAAA,EAAM;AAAA,IAC1B,SAAS,KAAA,EAAO;AAGd,MAAA,OAAA,CAAQ,IAAA,CAAK,+CAA+C,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,IACpH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAA,CACJ,GAAA,EACA,IAAA,EACoC;AACpC,IAAA,MAAM,SAAA,GAAY,IAAA,EAAM,SAAA,IAAaD,OAAAA,EAAO;AAC5C,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,WAAA,IAAe,KAAA,EAAM;AAC7C,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,MAAA,CAAO,YAAA,IAAgB,kBAAA;AACjD,IAAA,MAAM,cAAA,GAAkC,IAAA,CAAK,MAAA,CAAe,cAAA,IAAkB,UAAA;AAG9E,IAAA,MAAM,WAAA,GAAyB,GAAA,CAAY,IAAA,IAAQ,IAAA,CAAK,IAAA;AACxD,IAAA,MAAM,YAAA,GAAe,KAAK,uBAAA,EAAwB;AAGlD,IAAA,MAAM,iBAAiB,YAAgD;AAKrE,MAAA,IAAI,cAAA,GAAgC,IAAA;AACpC,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,KAAK,gBAAA,EAAkB;AAC/C,QAAA,MAAME,qBAAoB,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAa,GAAA,CAAI,gBAAwB,cAAA,IAAkB,iBAAA;AAEzG,QAAA,cAAA,GAAiB,MAAM,IAAA,CAAK,gBAAA,CAAiB,iBAAA,CAAkBA,oBAAmB,GAAI,CAAA;AAAA,MACxF;AAGA,MAAA,MAAM,QAAA,GAAgB,EAAE,GAAG,GAAA,CAAI,QAAA,EAAS;AAExC,MAAA,IAAI,QAAA,CAAS,EAAA,IAAM,CAAC,QAAA,CAAS,SAAA,EAAW;AACtC,QAAA,QAAA,CAAS,YAAY,QAAA,CAAS,EAAA;AAC9B,QAAA,OAAO,QAAA,CAAS,EAAA;AAAA,MAClB;AAEA,MAAA,IAAI,CAAC,QAAA,CAAS,aAAA,IAAiB,QAAA,CAAS,OAAA,EAAS;AAC/C,QAAA,QAAA,CAAS,aAAA,GAAgB,KAAA;AAAA,MAC3B;AAEA,MAAA,IAAI,QAAA,CAAS,IAAA,IAAQ,CAAC,QAAA,CAAS,WAAA,EAAa;AAC1C,QAAA,OAAO,QAAA,CAAS,IAAA;AAAA,MAClB;AAIA,MAAA,MAAM,oBAAoB,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAY,GAAA,CAAI,gBAAgB,cAAA,IAAkB,iBAAA;AAChG,MAAA,MAAM,cAAA,GAAsB;AAAA,QAC1B,GAAG,GAAA,CAAI,cAAA;AAAA,QACP,gBAAgB,GAAA,CAAI,cAAA,EAAgB,cAAA,IAAkB,GAAA,CAAI,gBAAgB,QAAA,IAAY,iBAAA;AAAA,QACtF,QAAA,EAAU;AAAA,OACZ;AAIA,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,cAAA,CAAe,cAAA,GAAiB,cAAA;AAAA,MAClC;AAGA,MAAA,MAAM,UAAA,GAAa,mBAAmB,aAAA,EAAc;AACpD,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,cAAA,CAAe,MAAA,GAAS;AAAA,UACtB,MAAM,UAAA,CAAW,IAAA;AAAA,UACjB,UAAU,UAAA,CAAW,QAAA;AAAA,UACrB,KAAK,UAAA,CAAW,GAAA;AAAA,UAChB,OAAO,UAAA,CAAW,KAAA;AAAA,UAClB,aAAa,UAAA,CAAW;AAAA,SAC1B;AAAA,MACF;AAGA,MAAA,IAAI,IAAA,GAAY;AAAA,QACd,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,SAAA;AAAA,QACA,WAAA;AAAA,QACA,QAAA;AAAA,QACA,cAAA;AAAA;AAAA,QAEA,GAAA,EAAK;AAAA,UACH,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,QACA,IAAA,EAAM,WAAA;AAAA,QACN,qBAAqB,IAAA,CAAK;AAAA,OAC5B;AAGA,MAAA,IAAI,GAAA,CAAI,aAAa,IAAA,EAAM;AACzB,QAAA,IAAA,CAAK,QAAA,GAAW,IAAA;AAAA,MAClB;AAGA,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,IAAA,CAAK,OAAO,eAAA,EAAiB;AACrD,QAAA,cAAA,CAAe,eAAA,GAAkB,KAAK,MAAA,CAAO,eAAA;AAAA,MAC/C;AAGA,MAAA,IAAI,UAAkC,EAAC;AAEvC,MAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AAErB,QAAA,OAAA,GAAU;AAAA,UACR,cAAA,EAAgB;AAAA,SAClB;AACA,QAAA,OAAA,CAAQ,IAAI,oDAAoD,CAAA;AAAA,MAClE,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAM1B,QAAA,MAAM,EAAE,gBAAA,EAAAC,iBAAAA,EAAiB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,kBAAA,EAAA,EAAA,qBAAA,CAAA,CAAA;AACnC,QAAA,MAAM,iBAAA,GAAoBA,kBAAiB,IAAI,CAAA;AAE/C,QAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,WAAA,CAAY;AAAA,UACpD,MAAA,EAAQ,MAAA;AAAA,UACR,IAAA,EAAM,mBAAA;AAAA,UACN,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,UACtB,WAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA;AAAA,SACD,CAAA;AACD,QAAA,OAAA,GAAU,EAAE,GAAG,WAAA,EAAY;AAI3B,QAAC,KAAa,eAAA,GAAkB,iBAAA;AAAA,MAClC,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,QAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAAc;AAAA,UAClD,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,UACtB,WAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,OAAA,GAAU,EAAE,GAAG,aAAA,EAAc;AAAA,MAC/B,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,MAChD;AAGA,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAavC;AAAA,QACD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACD,CAAA;AAID,MAAA,IAAI,YAAA;AACJ,MAAA,IAAI,WAAA,CAAY,OAAA,KAAY,IAAA,IAAQ,WAAA,CAAY,IAAA,EAAM;AAEpD,QAAA,YAAA,GAAe,WAAA,CAAY,IAAA;AAAA,MAC7B,CAAA,MAAA,IAAW,WAAA,CAAY,OAAA,KAAY,KAAA,IAAS,YAAY,KAAA,EAAO;AAE7D,QAAA,MAAM,QAAQ,WAAA,CAAY,KAAA;AAC1B,QAAA,MAAM,IAAI,SAAA;AAAA,UACR,KAAA,CAAM,IAAA,IAAA,cAAA;AAAA,UACN,MAAM,OAAA,IAAW,gBAAA;AAAA,UACjB;AAAA,YACE,QAAQ,KAAA,CAAM,MAAA;AAAA,YACd,eAAe,KAAA,CAAM,aAAA;AAAA,YACrB,SAAA;AAAA,YACA,OAAA,EAAS;AAAA;AACX,SACF;AAAA,MACF,CAAA,MAAA,IAAY,YAAoB,QAAA,EAAU;AAExC,QAAA,YAAA,GAAe,WAAA;AAAA,MACjB,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,kBAAA;AAAA,UAER,0FAAA;AAAA,UACA;AAAA,YACE,SAAA;AAAA,YACA,OAAA,EAAS;AAAA;AACX,SACF;AAAA,MACF;AAGA,MAAA,MAAM,QAAA,GAAW,YAAA,CAAa,QAAA,IAAY,EAAC;AAC3C,MAAA,MAAM,iBAAiB,QAAA,CAAS,UAAA;AAGhC,MAAA,MAAM,MAAA,GAAoC;AAAA,QACxC,UAAU,YAAA,CAAa,QAAA;AAAA,QACvB,WAAA,EAAa,YAAA,CAAa,YAAA,IAAgB,YAAA,CAAa,eAAe,EAAC;AAAA,QACvE,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,UAAA,EAAY,YAAA,CAAa,WAAA,IAAe,YAAA,CAAa,UAAA;AAAA,QACrD,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,SAAA,EAAW,YAAA,CAAa,UAAA,IAAc,YAAA,CAAa,SAAA;AAAA,QACnD,QAAA,EAAU,YAAA,CAAa,SAAA,IAAa,YAAA,CAAa,QAAA;AAAA,QACjD,MAAA,EAAQ,aAAa,OAAA,GACjB;AAAA,UACE,WAAW,YAAA,CAAa,OAAA,CAAQ,UAAA,KAAe,YAAA,CAAa,QAAQ,SAAA,IAAa,EAAA,CAAA;AAAA,UACjF,UAAA,EAAY,YAAA,CAAa,OAAA,CAAQ,WAAA,IAAe,aAAa,MAAA,EAAQ;AAAA,YAEvE,YAAA,CAAa,MAAA;AAAA,QACjB,QAAA,EAAU,YAAA,CAAa,QAAA,IAAa,WAAA,KAAgB,SAAA;AAAA,QACpD,gBAAA,EAAkB,YAAA,CAAa,kBAAA,IAAsB,YAAA,CAAa,gBAAA,IAAoB,KAAA;AAAA,QACtF,IAAA,EAAM,aAAa,IAAA,IAAQ,WAAA;AAAA,QAC3B,SAAS,YAAA,CAAa,OAAA;AAAA,QACtB,YAAA,EAAc,YAAA,CAAa,aAAA,IAAiB,YAAA,CAAa,YAAA;AAAA,QACzD,gBAAA,EAAkB,YAAA,CAAa,iBAAA,IAAqB,YAAA,CAAa,gBAAA;AAAA,QACjE,GAAI,cAAA,GAAiB;AAAA,UACnB,UAAA,EAAY;AAAA,YACV,UAAA,EAAY,cAAA,CAAe,UAAA,IAAc,cAAA,CAAe,WAAA,IAAe,KAAA;AAAA,YACvE,OAAA,EAAS,cAAA,CAAe,OAAA,IAAW,cAAA,CAAe,QAAA;AAAA,YAClD,cAAA,EAAgB,cAAA,CAAe,cAAA,IAAkB,cAAA,CAAe,eAAA;AAAA,YAChE,WAAA,EAAa,cAAA,CAAe,WAAA,IAAe,cAAA,CAAe;AAAA,WAC5D;AAAA,UACA,mBAAA,EAAqB,QAAA,CAAS,mBAAA,IAAuB,QAAA,CAAS;AAAA,YAC5D,EAAC;AAAA,QACL,QAAA,EAAU;AAAA,UACR,mBAAA,EAAqB,QAAA,CAAS,mBAAA,IAAuB,QAAA,CAAS,qBAAA;AAAA,UAC9D,UAAA,EAAY,QAAA,CAAS,UAAA,IAAc,QAAA,CAAS,WAAA;AAAA,UAC5C,eAAA,EAAiB,QAAA,CAAS,eAAA,IAAmB,QAAA,CAAS;AAAA;AACxD,OACF;AAEA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA;AAG/B,MAAA,MAAM,kBAAA,GAAqB,KAAK,MAAA,CAAO,kBAAA;AACvC,MAAA,MAAM,uBAAA,GAA0B,KAAK,MAAA,CAAO,uBAAA;AAC5C,MAAA,IAAI,kBAAA,IAAsB,IAAA,IAAQ,MAAA,CAAO,QAAA,EAAU,eAAe,kBAAA,EAAoB;AACpF,QAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AACrB,UAAA,OAAA,CAAQ,KAAK,2CAAA,EAA6C;AAAA,YACxD,QAAA,EAAU,kBAAA;AAAA,YACV,QAAA,EAAU,OAAO,QAAA,EAAU,UAAA;AAAA,YAC3B;AAAA,WACD,CAAA;AAAA,QACH;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,sBAAA;AAAA,UACA,OAAO,UAAA,IAAc,SAAA;AAAA,UACrB,MAAA,CAAO,aAAA;AAAA,UACP;AAAA,SACF;AAAA,MACF;AACA,MAAA,IAAI,uBAAA,IAA2B,QAAQ,MAAA,CAAO,QAAA,EAAU,oBAAoB,MAAA,IAAa,MAAA,CAAO,QAAA,CAAS,eAAA,KAAoB,uBAAA,EAAyB;AACpJ,QAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AACrB,UAAA,OAAA,CAAQ,KAAK,gDAAA,EAAkD;AAAA,YAC7D,QAAA,EAAU,uBAAA;AAAA,YACV,QAAA,EAAU,OAAO,QAAA,EAAU,eAAA;AAAA,YAC3B;AAAA,WACD,CAAA;AAAA,QACH;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,2BAAA;AAAA,UACA,OAAO,UAAA,IAAc,SAAA;AAAA,UACrB,MAAA,CAAO,aAAA;AAAA,UACP;AAAA,SACF;AAAA,MACF;AAGA,MAAA,IACE,YAAA,IACA,gBAAgB,SAAA,IAChB,MAAA,CAAO,aAAa,OAAA,IACpB,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,EACb;AACA,QAAA,IAAI,CAAC,MAAA,CAAO,aAAA,IAAiB,CAAC,OAAO,QAAA,EAAU;AAC7C,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,wBAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AACA,QAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAC3C,QAAA,IAAI,OAAO,SAAA,IAAa,IAAA,IAAQ,MAAA,CAAO,SAAA,GAAY,SAAS,CAAA,EAAG;AAC7D,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,wBAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AAEA,QAAA,MAAM,YAAA,GAAe,KAAK,MAAA,CAAO,sBAAA;AACjC,QAAA,IAAI,YAAA,IAAgB,OAAO,aAAA,EAAe;AACxC,UAAA,MAAM,EAAE,eAAA,EAAAC,gBAAAA,EAAiB,wBAAA,EAAAC,yBAAAA,KAA6B,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,wBAAA,EAAA,EAAA,2BAAA,CAAA,CAAA;AAC5D,UAAA,MAAM,OAAA,GAAUD,gBAAAA,CAAgB,MAAA,CAAO,aAAa,CAAA;AACpD,UAAA,IAAI,YAAY,OAAA,CAAQ,MAAA,CAAO,OAAO,EAAA,EAAI,WAAA,OAAkB,OAAA,EAAS;AACnE,YAAA,MAAM,WAAA,GAAc,YAAA,CAAa,UAAA,CAAW,OAAO,CAAA,GAAI,YAAA,GAAe,MAAA,CAAO,IAAA,CAAK,YAAA,EAAc,QAAQ,CAAA,CAAE,QAAA,CAAS,MAAM,CAAA;AACzH,YAAA,MAAM,QAAA,GAAWC,yBAAAA,CAAyB,MAAA,CAAO,aAAA,EAAe,WAAW,CAAA;AAC3E,YAAA,IAAI,aAAa,IAAA,EAAM;AACrB,cAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,cAAA,MAAM,IAAI,sBAAA;AAAA,gBACR,wBAAA;AAAA,gBACA,OAAO,UAAA,IAAc,SAAA;AAAA,gBACrB,MAAA,CAAO,aAAA;AAAA,gBACP;AAAA,eACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAEA,QAAA,MAAM,QAAA,GAAW,cAAA,EAAgB,QAAA,IAAY,GAAA,CAAI,cAAA,EAAgB,QAAA;AACjE,QAAA,MAAM,WAAA,GAAe,QAAA,CAAiB,WAAA,IAAgB,QAAA,CAAiB,IAAA;AACvE,QAAA,MAAM,UAAU,oBAAA,CAAqB,QAAA,EAAU,QAAA,EAAU,MAAA,EAAW,QAAW,WAAW,CAAA;AAC1F,QAAA,MAAM,cAAA,GAAiB,gBAAgB,OAAO,CAAA;AAC9C,QAAA,IAAI,cAAA,KAAmB,OAAO,QAAA,EAAU;AACtC,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,gCAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,aAAa,OAAA,EAAS;AAE/B,QAAA,IAAI,gBAAgB,cAAA,EAAgB;AAClC,UAAA,OAAA,CAAQ,KAAK,6DAAA,EAA+D;AAAA,YAC1E,SAAA;AAAA,YACA,aAAa,MAAA,CAAO;AAAA,WACrB,CAAA;AACD,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,OAAO;AAAA,YACL,GAAG,MAAA;AAAA,YACH,QAAA,EAAU,OAAA;AAAA,YACV,QAAA,EAAU,KAAA;AAAA,YACV,IAAA,EAAM,cAAA;AAAA,YACN,OAAA,EAAS;AAAA,WACX;AAAA,QACF;AAEA,QAAA,IAAI,gBAAgB,QAAA,EAAU;AAE5B,UAAA,OAAA,CAAQ,KAAK,mDAAA,EAAqD;AAAA,YAChE,SAAA;AAAA,YACA,aAAa,MAAA,CAAO,WAAA;AAAA,YACpB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,YACtB,QAAA,EAAU,IAAI,cAAA,EAAgB;AAAA,WAC/B,CAAA;AAGD,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,aAAA,EAAe,SAAS,CAAA;AAGnD,UAAA,OAAO;AAAA,YACL,GAAG,MAAA;AAAA,YACH,QAAA,EAAU,OAAA;AAAA,YACV,QAAA,EAAU,KAAA;AAAA,YACV,gBAAA,EAAkB;AAAA,WACpB;AAAA,QACF;AAGA,QAAA,MAAM,SAAA,GAAa,aAAqB,WAAA,IAAe,SAAA;AACvD,QAAA,MAAM,UAAA,GAAa,MAAA,CAAO,WAAA,CAAY,CAAC,CAAA,IAAK,kBAAA;AAC5C,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA,CAAuB,UAAA,EAAY,SAAA,EAAW,MAAA,CAAO,eAAe,SAAS,CAAA;AAAA,MACzF;AAEA,MAAA,IAAI,MAAA,CAAO,aAAa,iBAAA,EAAmB;AAEzC,QAAA,IAAI,KAAK,MAAA,CAAO,YAAA,IAAgB,IAAA,CAAK,YAAA,IAAgB,OAAO,MAAA,EAAQ;AAElE,UAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,MAAA,CAAO,SAAA,IAAa,SAAA;AACnD,UAAA,MAAM,WAAA,GAAe,aAAa,OAAA,EAAiB,aAAA;AACnD,UAAA,MAAM,YAAY,CAAA,gCAAA,EAAmC,IAAA,CAAK,MAAA,CAAO,QAAQ,cAAc,eAAe,CAAA,CAAA;AACtG,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,iBAAA,EAAmB,SAAS,CAAA;AACvD,UAAA,MAAM,IAAI,6BAAA,CAA8B,eAAA,EAAiB,SAAA,EAAW,aAAa,SAAS,CAAA;AAAA,QAC5F,CAAA,MAAO;AAEL,UAAA,MAAM,SAAA,GAAa,aAAqB,WAAA,IAAe,SAAA;AACvD,UAAA,MAAM,UAAA,GAAa,iBAAA;AACnB,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA,CAAuB,UAAA,EAAY,SAAA,EAAW,MAAA,CAAO,eAAe,SAAS,CAAA;AAAA,QACzF;AAAA,MACF;AAGA,MAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,MAAA,OAAO,MAAA;AAAA,IACT,CAAA;AAGA,IAAA,IAAI,mBAAmB,iBAAA,EAAmB;AACxC,MAAA,cAAA,EAAe,CACZ,IAAA,CAAK,CAAC,GAAA,KAAQ;AACb,QAAA,IAAI,GAAA,CAAI,QAAA,KAAa,OAAA,IAAW,GAAA,CAAI,gBAAA,EAAkB;AACpD,UAAA,OAAA,CAAQ,IAAA,CAAK,uCAAA,EAAyC,GAAA,CAAI,WAAW,CAAA;AAAA,QACvE;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,CAAI,QAAA,KAAa,OAAA,GAAU,UAAU,aAAA,EAAe,IAAA,CAAK,GAAA,EAAI,GAAI,SAAS,CAAA;AAAA,MACvG,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,GAAG,CAAA;AAC1D,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AAAA,MAC3B,CAAC,CAAA;AACH,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,UAAA,EAAY,SAAA;AAAA,QACZ,aAAA,EAAe,SAAA;AAAA,QACf,aAAa,EAAC;AAAA,QACd,QAAA,EAAU,KAAA;AAAA,QACV,IAAA,EAAM,WAAA;AAAA,QACN,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAGA,IAAA,IAAI;AACF,MAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,QAAA,OAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAA,CAAQ,cAAc,CAAA;AAAA,MACzD;AACA,MAAA,OAAO,MAAM,cAAA,EAAe;AAAA,IAC9B,SAAS,KAAA,EAAY;AAInB,MAAA,IAAI,iBAAiB,uBAAA,EAAyB;AAC5C,QAAA,IAAA,CAAK,QAAQ,wBAAA,EAAyB;AACtC,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,KAAc,KAAA,CAAM,IAAA,KAAA,cAAA,uBAAuC,MAAM,IAAA,KAAA,WAAA,iBAAA,EAAmC;AACvH,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,QAAA,MAAM,IAAI,mBAAA;AAAA,UACR,KAAA,CAAM,OAAA;AAAA,UACN,MAAM,MAAA,IAAU,GAAA;AAAA,UAChB;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,sBACH,KAAA,YAAiB,SAAA,KAAc,KAAA,CAAM,IAAA,KAAA,SAAA,kBAAkC,MAAM,IAAA,KAAA,cAAA,oBAAA,IAC9E,KAAA,YAAiB,0BAAA,IAChB,KAAA,EAAe,SAAS,cAAA,IACxB,KAAA,EAAe,IAAA,KAAS,WAAA,IACxB,OAAe,IAAA,KAAS,WAAA;AAE3B,MAAA,IAAI,mBAAA,EAAqB;AACvB,QAAA,IAAA,CAAK,QAAQ,aAAA,EAAc;AAG3B,QAAA,IAAI,IAAA,CAAK,wBAAwB,WAAA,EAAa;AAE5C,UAAA,OAAA,CAAQ,MAAM,iEAAA,EAAmE;AAAA,YAC/E,SAAA;AAAA,YACA,OAAO,KAAA,CAAM,OAAA;AAAA,YACb,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,YACtB,IAAA,EAAM;AAAA,WACP,CAAA;AACD,UAAA,OAAA,CAAQ,KAAK,4DAA4D,CAAA;AAGzE,UAAA,IAAA,CAAK,QAAQ,aAAA,CAAc,WAAA,EAAa,IAAA,CAAK,GAAA,KAAQ,SAAS,CAAA;AAE9D,UAAA,OAAO;AAAA,YACL,QAAA,EAAU,OAAA;AAAA,YACV,WAAA,EAAa,CAAC,0BAA0B,CAAA;AAAA,YACxC,aAAA,EAAe,SAAA;AAAA,YACf,QAAA,EAAU,KAAA;AAAA,YACV,IAAA,EAAM;AAAA,WACR;AAAA,QACF,CAAA,MAAO;AAEL,UAAA,MAAM,IAAI,0BAAA;AAAA,YACR,CAAA,0DAAA,EAA6D,MAAM,OAAO,CAAA,CAAA;AAAA,YAC1E;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,SAAA,gBAAgC;AACtE,QAAA,IAAA,CAAK,QAAQ,aAAA,EAAc;AAC3B,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,IAAI,0BAAA,CAA2B,CAAA,iBAAA,EAAoB,KAAA,CAAM,OAAO,IAAI,SAAS,CAAA;AAAA,MACrF;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,cAAA,qBAAqC;AAC3E,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,cAAA,qBAAqC;AAC3E,QAAA,OAAA,CAAQ,KAAK,sDAAsD,CAAA;AACnE,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,sBAAA,IAA0B,KAAA,YAAiB,6BAAA,EAA+B;AAC7F,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAA,CACN,IAAA,EACA,KAAA,EACA,SAAA,EACkC;AAClC,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAE/B,MAAA,OAAA,CAAQ,KAAK,kEAAkE,CAAA;AAC/E,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,WAAA,EAAa,CAAC,iBAAiB,CAAA;AAAA,QAC/B,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAEA,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAE/B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAG/B,MAAA,OAAA,CAAQ,KAAK,kEAAkE,CAAA;AAC/E,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,WAAA,EAAa,CAAC,iBAAiB,CAAA;AAAA,QAC/B,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAyD;AACvD,IAAA,OAAO,IAAA,CAAK,QAAQ,UAAA,EAAW;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAA,GAA4E;AAC1E,IAAA,OAAO,IAAA,CAAK,cAAA,EAAgB,UAAA,EAAW,IAAK,IAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,IAAA,EAGY;AAChC,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,MAAA,MAAM,IAAI,wBAAA,CAAyB,IAAA,CAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,QAAA;AAC9C,IAAA,MAAM,MAAA,GAAS,IAAI,YAAA,CAAa;AAAA,MAC9B,YAAY,IAAA,CAAK,UAAA;AAAA,MACjB,QAAA;AAAA,MACA,iBAAA,EAAmB,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,iBAAA;AAAA,MACvC,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ;AAAA,KAChC,CAAA;AAED,IAAA,OAAO,MAAA,CAAO,SAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,IAAA,EAIK;AAC7B,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,MAAA,MAAM,IAAI,wBAAA,CAAyB,IAAA,CAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA,CAAK,YAAA,CAAa,aAAA,CAAc,IAAA,CAAK,SAAA,EAAW;AAAA,MACrD,SAAA,EAAW,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,OAAO,MAAA,EAAQ,SAAA;AAAA,MACjD,UAAA,EAAY,IAAA,CAAK,UAAA,IAAc,IAAA,CAAK,OAAO,MAAA,EAAQ;AAAA,KACpD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,MAAA,EAOyD;AAC7E,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAA,CAAS;AAAA,MACnC,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,gBAAgB,MAAA,CAAO;AAAA,KACxB,CAAA;AACD,IAAA,IAAI,QAAA,CAAS,aAAa,OAAA,EAAS;AACjC,MAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK;AAAA,QACzC,OAAO,MAAA,CAAO,KAAA;AAAA,QACd,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,SAAA,EAAW,OAAO,SAAA,IAAa;AAAA,OAChC,CAAA;AACD,MAAA,OAAO,EAAE,UAAU,SAAA,EAAU;AAAA,IAC/B;AACA,IAAA,OAAO,EAAE,QAAA,EAAS;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,GAAA,EAA+D;AACnF,IAAA,MAAM,YAAYL,OAAAA,EAAO;AACzB,IAAA,MAAM,cAAc,KAAA,EAAM;AAC1B,IAAA,MAAM,QAAA,GAAgB,EAAE,GAAG,GAAA,CAAI,QAAA,EAAS;AACxC,IAAA,IAAI,QAAA,CAAS,EAAA,IAAM,CAAC,QAAA,CAAS,SAAA,EAAW;AACtC,MAAA,QAAA,CAAS,YAAY,QAAA,CAAS,EAAA;AAC9B,MAAA,OAAO,QAAA,CAAS,EAAA;AAAA,IAClB;AACA,IAAA,IAAI,CAAC,QAAA,CAAS,aAAA,IAAiB,QAAA,CAAS,OAAA,WAAkB,aAAA,GAAgB,KAAA;AAC1E,IAAA,MAAM,cAAA,GAAiB;AAAA,MACrB,GAAG,GAAA,CAAI,cAAA;AAAA,MACP,QAAA,EAAU,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAY,IAAI,SAAA,CAAU;AAAA,KAC1D;AACA,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,MACtB,SAAA;AAAA,MACA,WAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAW,GAAA,CAAI,SAAA;AAAA,MACf;AAAA,KACF;AACA,IAAA,IAAI,OAAA,GAAkC,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAC3E,IAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO,CAEvB,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,MAAA,MAAM,EAAE,gBAAA,EAAAG,iBAAAA,EAAiB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,kBAAA,EAAA,EAAA,qBAAA,CAAA,CAAA;AACnC,MAAA,MAAM,iBAAA,GAAoBA,kBAAiB,IAAI,CAAA;AAC/C,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,WAAA,CAAY;AAAA,QACpD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,2BAAA;AAAA,QACN,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,WAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACD,CAAA;AACD,MAAA,OAAA,GAAU,EAAE,GAAG,WAAA,EAAY;AAC3B,MAAC,KAAa,eAAA,GAAkB,iBAAA;AAAA,IAClC,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,MAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAAc;AAAA,QAClD,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,WAAA;AAAA,QACA;AAAA,OACD,CAAA;AACD,MAAA,OAAA,GAAU,EAAE,GAAG,aAAA,EAAc;AAAA,IAC/B,CAAA,MAAO;AACL,MAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,IAChD;AACA,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAA2E;AAAA,MACnH,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,2BAAA;AAAA,MACN,OAAA;AAAA,MACA,IAAA;AAAA,MACA;AAAA,KACD,CAAA;AACD,IAAA,IAAI,WAAA,CAAY,OAAA,KAAY,IAAA,IAAS,WAAA,CAAoB,IAAA,EAAM;AAC7D,MAAA,MAAM,OAAQ,WAAA,CAAoB,IAAA;AAClC,MAAA,IAAI,IAAA,CAAK,aAAa,2BAAA,EAA6B;AACjD,QAAA,OAAA,CAAQ,KAAK,iEAAA,EAAmE;AAAA,UAC9E,SAAA;AAAA,UACA,aAAa,IAAA,CAAK;AAAA,SACnB,CAAA;AAAA,MACH;AACA,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,IAAK,YAAoB,KAAA,EAAO;AAC9B,MAAA,MAAM,MAAO,WAAA,CAAoB,KAAA;AACjC,MAAA,MAAM,IAAI,SAAA,CAAU,GAAA,CAAI,QAAQ,cAAA,EAAgB,GAAA,CAAI,WAAW,gBAAA,EAAkB;AAAA,QAC/E,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,eAAe,GAAA,CAAI,aAAA;AAAA,QACnB;AAAA,OACD,CAAA;AAAA,IACH;AACA,IAAA,MAAM,IAAI,SAAA,CAAA,kBAAA,yBAA0C,wCAAA,EAA0C,EAAE,WAAW,CAAA;AAAA,EAC7G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,aAAA,CACE,WACA,OAAA,EACkB;AAClB,IAAA,OAAO,aAAA,CAAc,SAAA,EAAkB,IAAA,EAAM,OAAO,CAAA;AAAA,EACtD;AACF;AAKO,SAAS,iBAAiB,MAAA,EAAsC;AACrE,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC9B;;;ACp+BO,IAAM,OAAN,MAAW;AAAA,EACC,MAAA;AAAA,EAEjB,YAAY,IAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAA,EAAM,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,kBAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,QAAQ,SAAA,EAAmD;AAChE,IAAA,MAAM,OAAA,GAAU,QAAQ,GAAA,CAAI,aAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,cAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,QAAQ,GAAA,CAAI,YAAA;AAC3B,IAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,WAAA;AAC1B,IAAA,MAAM,UAAA,GAAa,QAAQ,GAAA,CAAI,gBAAA;AAC/B,IAAA,MAAM,IAAA,GAAQ,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAsC,QAAA;AAEhE,IAAA,IAAI,CAAC,OAAA,IAAW,CAAC,QAAA,EAAU;AACzB,MAAA,MAAM,IAAI,MAAM,qEAAqE,CAAA;AAAA,IACvF;AAEA,IAAA,IAAI,IAAA;AACJ,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,GAAO,EAAE,IAAA,EAAM,QAAA,EAAU,MAAA,EAAO;AAAA,IAClC,CAAA,MAAA,IAAW,SAAS,UAAA,EAAY;AAC9B,MAAA,IAAA,GAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,QAAQ,UAAA,EAAW;AAAA,IACnD,CAAA,MAAO;AACL,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW;AAAA,MACpB,OAAA;AAAA,MACA,QAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,GAAG;AAAA,KACJ,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KAAA,CACJ,IAAA,EACA,EAAA,EACY;AACZ,IAAA,OAAO,EAAA,EAAG;AAAA,EACZ;AACF;ACrCO,IAAM,eAAN,MAA4C;AAAA,EAChC,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,SAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,SAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AAGA,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,eAAe,CAAA;AAGxG,IAAA,MAAM,SAAA,GAA8B;AAAA,MAClC,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AAAA,MACpC,WAAA,EAAc,OAAA,CAAQ,WAAA,IAAe,IAAA,CAAK,OAAO,kBAAA,IAAsB,KAAA;AAAA,MACvE,gBAAA,EAAkB;AAAA,KACpB;AAGA,IAAA,MAAM,OAAA,GAAU,IAAIJ,qBAAAA,CAAY,SAAS,CAAA;AACzC,IAAA,MAAM,WAAW,MAAM,IAAA,CAAK,MAAA,CAAO,SAAA,CAAU,KAAK,OAAO,CAAA;AAEzD,IAAA,IAAI,CAAC,SAAS,SAAA,EAAW;AACvB,MAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,IAC3D;AAEA,IAAA,OAAO;AAAA,MACL,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AAAA,MACzC,KAAA,EAAO,QAAA,CAAS,KAAA,IAAS,OAAA,CAAQ,KAAA;AAAA,MACjC,SAAA,EAAW,SAAS,gBAAA,IAAoB,SAAA;AAAA,MACxC,QAAA,EAAU;AAAA,QACR,OAAO,QAAA,CAAS,KAAA;AAAA,QAChB,kBAAkB,QAAA,CAAS;AAAA;AAC7B,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAAgE;AAEnF,IAAA,IAAI,OAAO,MAAA,CAAOO,8BAAoB,CAAA,CAAE,QAAA,CAAS,SAAiC,CAAA,EAAG;AACnF,MAAA,OAAO,SAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAqD;AAAA,MACzD,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,6BAA6BA,8BAAA,CAAqB,yBAAA;AAAA,MAClD,6BAA6BA,8BAAA,CAAqB,yBAAA;AAAA,MAClD,6BAA6BA,8BAAA,CAAqB;AAAA,KACpD;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,KAAKA,8BAAA,CAAqB,aAAA;AAAA,EACvE;AACF;;;AC1CO,IAAM,cAAN,MAA2C;AAAA,EAC/B,MAAA;AAAA,EACT,SAAA,GAA2B,IAAA;AAAA,EAEnC,YAAY,MAAA,EAA2B;AACrC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAA,EAAW,SAAA;AAAA,MACX,GAAG;AAAA,KACL;AAAA,EACF;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,iBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,QAAA,KAAa,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,CAAC,CAAC,KAAK,MAAA,CAAO,OAAA,CAAA;AAAA,EACzE;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,IAC/C;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,OAAO,OAAA,EAAS;AAC1C,MAAA,MAAM,KAAK,mBAAA,EAAoB;AAAA,IACjC;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,IAAA,CAAK,SAAA;AACxC,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAGA,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,gBAAgB,CAAA;AAGzG,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,QAAQ,CAAA,IAAA,EAAO,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,MAAA,EAAS,OAAA,CAAQ,KAAK,CAAA,CAAA;AAGrF,IAAA,MAAM,gBAAgB,MAAA,CAAO,IAAA,CAAK,QAAQ,OAAO,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEpE,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,KAAA,EAAO,aAAA;AAAA,MACP,GAAI,SAAA,IAAa,EAAE,SAAA,EAAU;AAAA,MAC7B,GAAI,OAAA,CAAQ,OAAA,IAAW;AAAC,KAC1B;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa,OAAA,IAAW,GAAA;AACpD,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE9D,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,eAAA,EAAiB;AAAA,SACnB;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAAA,QAChC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAED,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,MACtE;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,MAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,CAAC,IAAA,CAAK,KAAK,SAAA,EAAW;AACtC,QAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,MACzD;AAIA,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAM,GAAG,CAAA;AACpD,MAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,cAAA,CAAe,MAAA,GAAS,CAAC,CAAA;AAChE,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,IAAA,CAAK,eAAA,EAAiB,QAAQ,CAAA;AAEvD,MAAA,OAAO;AAAA,QACL,SAAA;AAAA,QACA,OAAO,OAAA,CAAQ,KAAA;AAAA,QACf,SAAA;AAAA,QACA,QAAA,EAAU;AAAA,UACR,cAAA,EAAgB,KAAK,IAAA,CAAK,SAAA;AAAA,UAC1B,UAAA,EAAY,KAAK,IAAA,CAAK;AAAA;AACxB,OACF;AAAA,IACF,SAAS,KAAA,EAAY;AACnB,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,KAAA,CAAM,SAAS,YAAA,EAAc;AAC/B,QAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,MAC9C;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBAAA,GAAqC;AACjD,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,MAAA,MAAM,IAAI,MAAM,wBAAwB,CAAA;AAAA,IAC1C;AAEA,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,QAAQ,CAAA,sBAAA,CAAA;AAEnC,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAChC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,OAAA,EAAS,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA;AAAA,QAC7B,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ;AAAA,OAChC;AAAA,KACF,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,IACxF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,CAAC,IAAA,CAAK,KAAK,YAAA,EAAc;AACzC,MAAA,MAAM,IAAI,MAAM,qDAAqD,CAAA;AAAA,IACvE;AAEA,IAAA,IAAA,CAAK,SAAA,GAAY,KAAK,IAAA,CAAK,YAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAA2B;AAC9C,IAAA,MAAM,YAAA,GAAuC;AAAA,MAC3C,eAAA,EAAiB,gBAAA;AAAA,MACjB,eAAA,EAAiB,gBAAA;AAAA,MACjB,eAAA,EAAiB,gBAAA;AAAA,MACjB,oBAAA,EAAsB,cAAA;AAAA,MACtB,oBAAA,EAAsB,cAAA;AAAA,MACtB,oBAAA,EAAsB;AAAA,KACxB;AAGA,IAAA,IAAI,UAAU,UAAA,CAAW,QAAQ,KAAK,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA,EAAG;AAClE,MAAA,OAAO,SAAA;AAAA,IACT;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,CAAA,IAAK,gBAAA;AAAA,EAClD;AACF;;;AC1JO,IAAM,eAAN,MAA4C;AAAA,EAChC,MAAA;AAAA,EACT,WAAA,GAA6B,IAAA;AAAA,EAC7B,WAAA,GAAsB,CAAA;AAAA,EAE9B,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,mBAAA,EAAqB,KAAA;AAAA,MACrB,GAAG;AAAA,KACL;AAAA,EACF;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,kBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,IAAI,IAAA,CAAK,OAAO,mBAAA,EAAqB;AACnC,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,eAAe,CAAC,CAAC,KAAK,MAAA,CAAO,SAAA;AAAA,EACpD;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AAGA,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAG9C,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,qBAAqB,CAAA;AAI9G,IAAA,MAAM,OAAA,GAAU,QAAQ,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,GACtC,OAAA,CAAQ,KAAA,GACR,CAAA,SAAA,EAAY,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,WAAA,EAAc,IAAA,CAAK,OAAO,QAAQ,CAAA,UAAA,EAAa,KAAK,MAAA,CAAO,OAAO,CAAA,YAAA,EAAe,OAAA,CAAQ,KAAK,CAAA,CAAA;AAGnI,IAAA,MAAM,GAAA,GAAM,sCAAsC,OAAO,CAAA,eAAA,CAAA;AAGzD,IAAA,MAAM,gBAAgB,MAAA,CAAO,IAAA,CAAK,QAAQ,OAAO,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEpE,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ;AAAA;AAAA;AACV,KACF;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa,OAAA,IAAW,GAAA;AACpD,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE9D,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,eAAA,EAAiB,UAAU,WAAW,CAAA;AAAA,SACxC;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAAA,QAChC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAED,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qBAAA,EAAwB,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,MACxE;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,MAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACnB,QAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,MAC3D;AAGA,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,WAAW,QAAQ,CAAA;AAEtD,MAAA,OAAO;AAAA,QACL,SAAA;AAAA,QACA,OAAO,OAAA,CAAQ,KAAA;AAAA,QACf,SAAA;AAAA,QACA,QAAA,EAAU;AAAA,UACR,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,sBAAsB,IAAA,CAAK;AAAA;AAC7B,OACF;AAAA,IACF,SAAS,KAAA,EAAY;AACnB,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,KAAA,CAAM,SAAS,YAAA,EAAc;AAC/B,QAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,MAChD;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,cAAA,GAAkC;AAE9C,IAAA,IAAI,IAAA,CAAK,eAAe,IAAA,CAAK,GAAA,KAAQ,IAAA,CAAK,WAAA,GAAc,CAAA,GAAI,EAAA,GAAK,GAAA,EAAM;AACrE,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IACd;AAEA,IAAA,IAAI,IAAA,CAAK,OAAO,mBAAA,EAAqB;AAEnC,MAAA,MAAM,WAAA,GAAc,4FAAA;AAEpB,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,WAAA,EAAa;AAAA,QACxC,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,iBAAA,EAAmB;AAAA;AACrB,OACD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,4CAAA,EAA+C,QAAA,CAAS,MAAM,CAAA,CAAE,CAAA;AAAA,MAClF;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,MAAA,IAAA,CAAK,cAAc,IAAA,CAAK,YAAA;AACxB,MAAA,IAAA,CAAK,WAAA,GAAc,IAAA,CAAK,GAAA,EAAI,GAAK,KAAK,UAAA,GAAa,GAAA;AAEnD,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd,CAAA,MAAO;AAEL,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa;AAC5B,QAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,MAClD;AAQA,MAAA,MAAM,IAAI,MAAM,yLAAyL,CAAA;AAAA,IAC3M;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAA2B;AAC9C,IAAA,MAAM,YAAA,GAAuC;AAAA,MAC3C,eAAA,EAAiB,qBAAA;AAAA,MACjB,eAAA,EAAiB,qBAAA;AAAA,MACjB,eAAA,EAAiB,qBAAA;AAAA,MACjB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,2BAAA,EAA6B,4BAAA;AAAA,MAC7B,2BAAA,EAA6B,4BAAA;AAAA,MAC7B,2BAAA,EAA6B;AAAA,KAC/B;AAGA,IAAA,IAAI,UAAU,UAAA,CAAW,UAAU,KAAK,SAAA,CAAU,UAAA,CAAW,WAAW,CAAA,EAAG;AACzE,MAAA,OAAO,SAAA;AAAA,IACT;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,CAAA,IAAK,qBAAA;AAAA,EAClD;AACF;AC1MO,IAAM,mBAAN,MAAgD;AAAA,EACpC,MAAA;AAAA,EACA,UAAA;AAAA,EAEjB,YAAY,MAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,2BAAA;AAAA,EACzC;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,YAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,UAAU,CAAC,CAAC,KAAK,MAAA,CAAO,SAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,IAC1D;AAEA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,KAAA,CAAM,gCAAgC,CAAA;AACvE,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,GAAG,cAAA,EAAgB,OAAO,CAAA,GAAI,UAAA;AAEpC,IAAA,MAAM,UAAA,GACJ,OAAA,CAAQ,OAAA,YAAmB,MAAA,GACvB,QAAQ,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,GAC9B,OAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA,CAAE,SAAS,KAAK,CAAA;AACjD,IAAA,MAAM,SAAA,GACH,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAyB,OAAA,CAAiD,SAAA;AAE9F,IAAA,MAAM,SAAA,GAA0C;AAAA,MAC9C,SAAA,EAAW,KAAA;AAAA,MACX,MAAA,EAAQ,EAAE,IAAA,EAAM,eAAA,EAAiB,IAAI,cAAA,EAAe;AAAA,MACpD,OAAA;AAAA,MACA,IAAA,EAAM,CAAA,sBAAA,EAAyB,SAAA,IAAa,SAAS,CAAA,CAAA;AAAA,MACrD,eAAA,EAAiB;AAAA,QACf,cAAA,EAAgB;AAAA,UACd,QAAA,EAAU,CAAC,EAAE,OAAA,EAAS,YAAY;AAAA;AACpC;AACF,KACF;AAEA,IAAA,MAAM,QAAQ,IAAA,CAAK,eAAA,CAAgB,oBAAoB,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,CAAA;AAEhF,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,gBAAA,CAAA,EAAoB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,WAAA,EAAa,KAAK,MAAA,CAAO,MAAA;AAAA,QACzB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,OAChC;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,SAAS;AAAA,KAC/B,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,KAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,SAAS,MAAM,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AACpC,IAAA,MAAM,OAAO,MAAA,CAAO,EAAA;AACpB,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA;AAC9C,IAAA,MAAM,SAAS,MAAA,EAAQ,SAAA,IAAc,MAAA,EAA+D,cAAA,GAAiB,CAAC,CAAA,EAAG,SAAA;AACzH,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,IAAI,CAAA,yBAAA,CAA2B,CAAA;AAAA,IAC3E;AAEA,IAAA,OAAO;AAAA,MACL,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,KAAK,CAAA;AAAA,MACpC,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,SAAA,EAAW,QAAQ,SAAA,IAAa;AAAA,KAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAA,CAAgB,KAAa,QAAA,EAA2B;AAC9D,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,KAAA,GAAQC,kBAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAC5C,IAAA,MAAM,QAAA,GAAW,QAAA,GACbb,iBAAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,QAAA,EAAU,MAAM,CAAA,CAAE,MAAA,CAAO,KAAK,CAAA,GAC1D,EAAA;AAEJ,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,GAAA;AAAA,MACA,KAAA;AAAA,MACA,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,EAAA;AAAA,MACX,GAAA,EAAK,KAAK,MAAA,CAAO,MAAA;AAAA,MACjB;AAAA,KACF;AAEA,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,EAAK,OAAA,EAAS,KAAK,KAAA,EAAM;AAC1C,IAAA,MAAM,aAAA,GAAgB,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AAC5D,IAAA,MAAM,cAAA,GAAiB,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,CAAA,EAAG,aAAa,CAAA,CAAA,EAAI,cAAc,CAAA,CAAA;AAEvD,IAAA,MAAM,IAAA,GAAOc,kBAAW,YAAY,CAAA;AACpC,IAAA,IAAA,CAAK,OAAO,YAAY,CAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,OAAO,SAAS,CAAA;AACjD,IAAA,MAAM,UAAA,GAAa,gBAAgB,SAAS,CAAA;AAE5C,IAAA,OAAO,CAAA,EAAG,YAAY,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA;AAAA,EACtC;AAAA,EAEA,MAAc,eAAA,CACZ,IAAA,EACA,WAAA,GAAc,EAAA,EACmE;AACjF,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,EAAa,CAAA,EAAA,EAAK;AACpC,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,eAAA,CAAgB,CAAA,iBAAA,EAAoB,IAAI,CAAA,CAAE,CAAA;AAC7D,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,KAAK,UAAU,CAAA,iBAAA,EAAoB,IAAI,CAAA,CAAA,EAAI;AAAA,QACzE,OAAA,EAAS;AAAA,UACP,WAAA,EAAa,KAAK,MAAA,CAAO,MAAA;AAAA,UACzB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,MAAM,QAAA,CAAS,IAAA,EAAM,CAAA,CAAE,CAAA;AAAA,MAChF;AAEA,MAAA,MAAM,EAAA,GAAM,MAAM,QAAA,CAAS,IAAA,EAAK;AAMhC,MAAA,IAAI,EAAA,CAAG,WAAW,WAAA,EAAa;AAC7B,QAAA,OAAO,EAAA,CAAG,cAAA,GAAiB,CAAC,CAAA,GAAI,EAAE,SAAA,EAAW,EAAA,CAAG,cAAA,CAAe,CAAC,CAAA,CAAE,SAAA,EAAU,GAAI,EAAA;AAAA,MAClF;AACA,MAAA,IAAI,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,EAAA,CAAG,WAAW,UAAA,EAAY;AACtD,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,IAAI,CAAA,SAAA,EAAY,EAAA,CAAG,MAAM,CAAA,CAAE,CAAA;AAAA,MACvE;AAEA,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,MAAM,UAAA,CAAW,CAAA,EAAG,GAAI,CAAC,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,uBAAA,EAA0B,IAAI,CAAA,yBAAA,EAA4B,WAAW,CAAA,QAAA;AAAA,KACvE;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,KAAA,EAAgC;AACvD,EAAA,MAAM,GAAA,GACJ,OAAO,KAAA,KAAU,QAAA,GACb,OAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAA,GAC5C,KAAA,CAAM,SAAS,QAAQ,CAAA;AAC7B,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtE;ACzLA,IAAMC,QAAAA,GAAUC,sBAAA,CAAc,2PAAe,CAAA;AAa7C,IAAM,UAAA,GACJ,wKAAA;AAGF,SAAS,kBAAkB,SAAA,EAA2B;AACpD,EAAA,QAAQ,SAAA;AAAW,IACjB,KAAK,kBAAA;AACH,MAAA,OAAO,WAAU,CAAE,gBAAA;AAAA,IACrB,KAAK,cAAA;AAEH,MAAA,OAAO,WAAU,CAAE,mBAAA;AAAA,IACrB;AACE,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,+BAAA,EAAkC,SAAS,CAAA,CAAE,CAAA;AAAA;AAEnE;AAGA,IAAI,YAAA,GAAoB,MAAA;AAExB,SAAS,SAAA,GAAiB;AACxB,EAAA,IAAI,iBAAiB,MAAA,EAAW;AAC9B,IAAA,IAAI,YAAA,KAAiB,IAAA,EAAM,MAAM,IAAI,MAAM,UAAU,CAAA;AACrD,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI;AACF,IAAA,YAAA,GAAeD,SAAQ,UAAU,CAAA;AACjC,IAAA,OAAO,YAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,YAAA,GAAe,IAAA;AACf,IAAA,MAAM,IAAI,MAAM,UAAU,CAAA;AAAA,EAC5B;AACF;AAEO,IAAM,oBAAN,MAAiD;AAAA,EAC9C,OAAA,GAAkB,EAAA;AAAA,EAClB,GAAA,GAAc,EAAA;AAAA,EACd,MAAA,GAAc,IAAA;AAAA,EACd,OAAA,GAAyB,IAAA;AAAA,EACzB,WAAA,GAAc,KAAA;AAAA,EAEtB,MAAM,UAAA,CAAW,WAAA,EAAqB,GAAA,EAAa,OAAA,EAAmD;AACpG,IAAA,MAAM,IAAI,SAAA,EAAU;AACpB,IAAA,IAAA,CAAK,OAAA,GAAU,WAAA;AACf,IAAA,IAAA,CAAK,GAAA,GAAM,GAAA;AACX,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,CAAA,CAAE,MAAA,EAAO;AAC3B,IAAA,IAAA,CAAK,MAAA,CAAO,KAAK,WAAW,CAAA;AAC5B,IAAA,IAAA,CAAK,OAAO,YAAA,EAAa;AACzB,IAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,IAAI,CAAA;AAC5C,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAChC,MAAA,MAAM,KAAK,KAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,IACzD;AACA,IAAA,MAAM,SAAA,GAAY,SAAS,MAAA,IAAU,CAAA;AACrC,IAAA,IAAI,SAAA,GAAY,CAAA,IAAK,SAAA,IAAa,KAAA,CAAM,MAAA,EAAQ;AAC9C,MAAA,MAAM,KAAK,KAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,CAAA,gBAAA,EAAmB,SAAS,qBAAqB,KAAA,CAAM,MAAA,GAAS,CAAC,CAAA,CAAA,CAAG,CAAA;AAAA,IACtF;AACA,IAAA,MAAM,IAAA,GAAO,MAAM,SAAS,CAAA;AAC5B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,kBAAA,GAAqB,CAAA,CAAE,cAAA;AACvC,IAAA,IAAA,CAAK,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,MAAM,KAAK,CAAA;AACpD,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,CAAA,CAAE,UAAU,GAAG,CAAA;AAAA,EACnD;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,SAAA,EAAmB,IAAA,EAA+B;AAC9E,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,CAAC,KAAK,OAAA,EAAS;AACjC,MAAA,MAAM,IAAI,MAAM,2DAA2D,CAAA;AAAA,IAC7E;AACA,IAAU,SAAA;AACV,IAAA,MAAM,QAAA,GAAW,kBAAkB,SAAS,CAAA;AAC5C,IAAA,IAAA,CAAK,MAAA,CAAO,WAAW,IAAA,CAAK,OAAA,EAAS,EAAE,SAAA,EAAW,QAAA,IAAY,SAAS,CAAA;AACvE,IAAA,MAAM,SAAA,GAAY,GAAA;AAClB,IAAA,MAAM,OAAA,GAAU,MAAA,CAAO,KAAA,CAAM,SAAS,CAAA;AACtC,IAAA,MAAM,YAAY,IAAA,CAAK,MAAA,CAAO,OAAO,IAAA,CAAK,OAAA,EAAS,MAAM,OAAO,CAAA;AAChE,IAAA,OAAO,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,EAC9B;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACvB,IAAA,IAAA,CAAK,WAAA,GAAc,KAAA;AACnB,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,OAAA,EAAS;AAC/B,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,IAAA,CAAK,OAAO,CAAA;AAAA,QACnC,CAAA,CAAA,MAAQ;AAAA,QAER;AACA,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,OAAO,CAAA;AAAA,QACzC,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AACA,MAAA,IAAI,KAAK,MAAA,EAAQ;AACf,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,OAAO,UAAA,EAAW;AAAA,QACzB,CAAA,CAAA,MAAQ;AAAA,QAER;AACA,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,OAAO,KAAA,EAAM;AAAA,QACpB,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AACd,MAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AAAA,IACjB;AAAA,EACF;AACF,CAAA;;;AC9GO,IAAM,mBAAN,MAAgD;AAAA,EACpC,MAAA;AAAA,EACT,OAAA,GAAgC,IAAA;AAAA,EAExC,YAAY,MAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,uBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,qBAAqB,CAAC,CAAC,KAAK,MAAA,CAAO,GAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,IAAA,CAAK,UACH,IAAA,CAAK,MAAA,CAAO,aAAA,IACX,MAAM,KAAK,uBAAA,EAAwB;AAAA,IACxC;AAEA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,KAAA,CAAM,gBAAgB,CAAA;AACvD,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,YAAY,MAAA,CAAO,IAAA,CAAK,UAAA,CAAW,CAAC,GAAG,KAAK,CAAA;AAElD,IAAA,MAAM,YAAY,IAAA,CAAK,uBAAA;AAAA,MACrB,QAAQ,SAAA,IAAa;AAAA,KACvB;AACA,IAAA,MAAM,OAAA,GACJ,QAAQ,OAAA,YAAmB,MAAA,GACvB,QAAQ,OAAA,GACR,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AAEjC,IAAA,MAAM,YAAY,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,WAAW,OAAO,CAAA;AAEvE,IAAA,OAAO;AAAA,MACL,SAAA;AAAA,MACA,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,SAAA,EAAW,QAAQ,SAAA,IAAa;AAAA,KAClC;AAAA,EACF;AAAA,EAEA,MAAc,uBAAA,GAAkD;AAC9D,IAAA,MAAM,OAAA,GAAU,IAAI,iBAAA,EAAkB;AACtC,IAAA,MAAM,QAAQ,UAAA,CAAW,IAAA,CAAK,OAAO,iBAAA,EAAmB,IAAA,CAAK,OAAO,GAAA,EAAK;AAAA,MACvE,MAAA,EAAQ,KAAK,MAAA,CAAO;AAAA,KACrB,CAAA;AACD,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEQ,wBAAwB,SAAA,EAA2B;AACzD,IAAA,QAAQ,SAAA;AAAW,MACjB,KAAK,eAAA;AACH,QAAA,OAAO,kBAAA;AAAA,MACT,KAAK,2BAAA;AACH,QAAA,OAAO,cAAA;AAAA,MACT;AACE,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,+BAAA,EAAkC,SAAS,CAAA,CAAE,CAAA;AAAA;AACjE,EACF;AAAA;AAAA,EAGA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,OAAA,EAAS;AAChB,MAAA,MAAM,IAAA,CAAK,QAAQ,KAAA,EAAM;AACzB,MAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AAAA,IACjB;AAAA,EACF;AACF","file":"index.cjs","sourcesContent":["/**\n * BlockIntel Gate SDK - Canonical JSON Utilities\n * \n * Implements deterministic JSON serialization for HMAC signing.\n * Ensures stable key ordering and no whitespace.\n */\n\nimport { createHash } from 'node:crypto';\n\n/**\n * Sort object keys recursively and produce canonical JSON string\n * \n * Matches Hot Path implementation: JSON.stringify(sorted object)\n * Rules:\n * - All keys sorted alphabetically (case-sensitive)\n * - Uses JSON.stringify for consistent formatting\n * - UTF-8 encoding\n * - Stable ordering for arrays and nested objects\n */\nexport function canonicalizeJson(obj: unknown): string {\n if (obj === null || obj === undefined) {\n return 'null';\n }\n\n // Deep clone to avoid mutating original (matches Hot Path)\n const cloned = JSON.parse(JSON.stringify(obj));\n \n // Recursively sort object keys (matches Hot Path sortKeys function)\n function sortKeys(item: unknown): unknown {\n if (Array.isArray(item)) {\n return item.map(sortKeys);\n }\n if (item !== null && typeof item === 'object') {\n const sorted: Record<string, unknown> = {};\n Object.keys(item).sort().forEach(key => {\n sorted[key] = sortKeys((item as Record<string, unknown>)[key]);\n });\n return sorted;\n }\n return item;\n }\n\n const sorted = sortKeys(cloned);\n return JSON.stringify(sorted);\n}\n\n/**\n * Compute SHA-256 hash of canonical JSON (Node.js: node:crypto)\n */\nexport async function sha256Hex(input: string): Promise<string> {\n return createHash('sha256').update(input, 'utf8').digest('hex');\n}\n\n","/**\n * Verify decision token (RS256) with public key only.\n * No JWT library dependency; uses Node crypto.\n */\n\nimport { createVerify } from 'crypto';\n\nconst ISS = 'blockintel-gate';\nconst AUD = 'gate-decision';\n\nexport interface DecisionTokenPayload {\n tid: string;\n sid: string;\n env: string;\n ph: string;\n txDigest: string;\n decision: string;\n request_id: string;\n iat: number;\n exp: number;\n iss: string;\n aud: string;\n}\n\n/**\n * Decode JWT without verifying (to get alg and payload).\n */\nexport function decodeJwtUnsafe(token: string): { header: { alg?: string }; payload: DecisionTokenPayload } | null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) return null;\n const header = JSON.parse(\n Buffer.from(parts[0], 'base64url').toString('utf8')\n ) as { alg?: string };\n const payload = JSON.parse(\n Buffer.from(parts[1], 'base64url').toString('utf8')\n ) as DecisionTokenPayload;\n return { header, payload };\n } catch {\n return null;\n }\n}\n\n/**\n * Verify RS256 JWT signature and standard claims (iss, aud, exp).\n * Returns payload if valid; null otherwise.\n */\nexport function verifyDecisionTokenRs256(\n token: string,\n publicKeyPem: string\n): DecisionTokenPayload | null {\n const decoded = decodeJwtUnsafe(token);\n if (!decoded || (decoded.header.alg || '').toUpperCase() !== 'RS256') return null;\n\n const { payload } = decoded;\n const now = Math.floor(Date.now() / 1000);\n if (payload.iss !== ISS || payload.aud !== AUD) return null;\n if (payload.exp != null && payload.exp < now - 5) return null;\n\n try {\n const parts = token.split('.');\n const signingInput = `${parts[0]}.${parts[1]}`;\n const signature = Buffer.from(parts[2], 'base64url');\n const verify = createVerify('RSA-SHA256');\n verify.update(signingInput);\n verify.end();\n const ok = verify.verify(publicKeyPem, signature);\n return ok ? payload : null;\n } catch {\n return null;\n }\n}\n","/**\n * BlockIntel Gate SDK - Crypto Utilities\n * \n * HMAC-SHA256 using Node.js crypto (node:crypto) for ESM/CJS compatibility.\n */\n\nimport { createHmac } from 'node:crypto';\n\n/**\n * Compute HMAC-SHA256 signature\n */\nexport async function hmacSha256(secret: string, message: string): Promise<string> {\n // Hot Path uses Node.js crypto.createHmac('sha256', secret) which treats the secret as UTF-8 string\n // Python SDK uses hmac.new(secret.encode('utf-8'), ...) which also treats secret as UTF-8 bytes\n // We must match this behavior exactly\n const hmac = createHmac('sha256', secret);\n hmac.update(message, 'utf8');\n const signatureHex = hmac.digest('hex');\n\n // Debug logging for signature computation\n console.error('[HMAC CRYPTO DEBUG] Signature computation:', JSON.stringify({\n secretLength: secret.length,\n messageLength: message.length,\n messagePreview: message.substring(0, 200) + '...',\n signatureLength: signatureHex.length,\n signaturePreview: signatureHex.substring(0, 16) + '...',\n }, null, 2));\n\n return signatureHex;\n}\n\n","/**\n * BlockIntel Gate SDK - HMAC v1 Signer\n * \n * Implements canonical request signing for Gate Hot Path API.\n * \n * Signing Algorithm (v1):\n * 1. Create canonical signing string:\n * v1\\n\n * <HTTP_METHOD>\\n\n * <PATH>\\n\n * <TENANT_ID>\\n\n * <KEY_ID>\\n\n * <TIMESTAMP_MS>\\n\n * <REQUEST_ID_AS_NONCE>\\n\n * <SHA256_HEX_OF_BODY>\n * \n * 2. Compute HMAC-SHA256(secret, signingString) as hex\n * \n * 3. Include headers:\n * - X-GATE-TENANT-ID\n * - X-GATE-KEY-ID\n * - X-GATE-TIMESTAMP-MS\n * - X-GATE-REQUEST-ID (used as nonce in canonical string)\n * - X-GATE-SIGNATURE (hex string)\n */\n\nimport { hmacSha256 } from '../utils/crypto.js';\nimport { canonicalizeJson, sha256Hex } from '../utils/canonicalJson.js';\n\nexport interface HmacSignerConfig {\n keyId: string;\n secret: string;\n}\n\nexport interface SigningHeaders {\n 'X-GATE-TENANT-ID': string;\n 'X-GATE-KEY-ID': string;\n 'X-GATE-TIMESTAMP-MS': string;\n 'X-GATE-REQUEST-ID': string;\n 'X-GATE-SIGNATURE': string;\n}\n\n/**\n * HMAC v1 signer for Gate API requests\n */\nexport class HmacSigner {\n private readonly keyId: string;\n private readonly secret: string;\n\n constructor(config: HmacSignerConfig) {\n this.keyId = config.keyId;\n // Trim whitespace/newlines - ECS Secrets Manager injection might add trailing newline\n this.secret = config.secret.trim();\n\n if (!this.secret || this.secret.length === 0) {\n throw new Error('HMAC secret cannot be empty');\n }\n }\n\n /**\n * Sign a request and return headers\n */\n async signRequest(params: {\n method: string;\n path: string;\n tenantId: string;\n timestampMs: number;\n requestId: string;\n body?: unknown;\n }): Promise<SigningHeaders> {\n const { method, path, tenantId, timestampMs, requestId, body } = params;\n\n // Canonicalize body\n const bodyJson = body ? canonicalizeJson(body) : '';\n const bodyHash = await sha256Hex(bodyJson);\n\n // Construct canonical signing string (matches Hot Path format)\n const signingString = [\n 'v1',\n method.toUpperCase(),\n path,\n tenantId,\n this.keyId,\n String(timestampMs),\n requestId, // Used as nonce in canonical string\n bodyHash,\n ].join('\\n');\n\n // Compute signature (returns hex); never log secret or signature value\n const signature = await hmacSha256(this.secret, signingString);\n\n return {\n 'X-GATE-TENANT-ID': tenantId,\n 'X-GATE-KEY-ID': this.keyId,\n 'X-GATE-TIMESTAMP-MS': String(timestampMs),\n 'X-GATE-REQUEST-ID': requestId,\n 'X-GATE-SIGNATURE': signature,\n };\n }\n}\n\n","/**\n * BlockIntel Gate SDK - API Key Authentication\n * \n * Simple API key authentication using X-API-KEY header.\n * Still includes tenant/request/timestamp headers for replay semantics.\n */\n\nexport interface ApiKeyAuthConfig {\n apiKey: string;\n}\n\nexport interface ApiKeyHeaders {\n 'X-API-KEY': string;\n 'X-GATE-TENANT-ID': string;\n 'X-GATE-REQUEST-ID': string;\n 'X-GATE-TIMESTAMP-MS': string;\n}\n\n/**\n * API Key authenticator for Gate API requests\n */\nexport class ApiKeyAuth {\n private readonly apiKey: string;\n\n constructor(config: ApiKeyAuthConfig) {\n this.apiKey = config.apiKey;\n\n if (!this.apiKey || this.apiKey.length === 0) {\n throw new Error('API key cannot be empty');\n }\n }\n\n /**\n * Create headers for API key authentication\n */\n createHeaders(params: {\n tenantId: string;\n timestampMs: number;\n requestId: string;\n }): ApiKeyHeaders {\n const { tenantId, timestampMs, requestId } = params;\n\n return {\n 'X-API-KEY': this.apiKey,\n 'X-GATE-TENANT-ID': tenantId,\n 'X-GATE-REQUEST-ID': requestId,\n 'X-GATE-TIMESTAMP-MS': String(timestampMs),\n };\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Error Types\n */\n\n/**\n * Gate error codes\n */\nexport enum GateErrorCode {\n NETWORK_ERROR = 'NETWORK_ERROR',\n TIMEOUT = 'TIMEOUT',\n NOT_FOUND = 'NOT_FOUND',\n UNAUTHORIZED = 'UNAUTHORIZED',\n FORBIDDEN = 'FORBIDDEN',\n RATE_LIMITED = 'RATE_LIMITED',\n SERVER_ERROR = 'SERVER_ERROR',\n INVALID_RESPONSE = 'INVALID_RESPONSE',\n STEP_UP_NOT_CONFIGURED = 'STEP_UP_NOT_CONFIGURED',\n STEP_UP_TIMEOUT = 'STEP_UP_TIMEOUT',\n BLOCKED = 'BLOCKED',\n SERVICE_UNAVAILABLE = 'SERVICE_UNAVAILABLE',\n AUTH_ERROR = 'AUTH_ERROR',\n HEARTBEAT_MISSING = 'HEARTBEAT_MISSING',\n HEARTBEAT_EXPIRED = 'HEARTBEAT_EXPIRED',\n HEARTBEAT_INVALID = 'HEARTBEAT_INVALID',\n HEARTBEAT_MISMATCH = 'HEARTBEAT_MISMATCH',\n}\n\n/**\n * Base Gate error class\n */\nexport class GateError extends Error {\n public readonly code: GateErrorCode;\n public readonly status?: number;\n public readonly details?: Record<string, unknown>;\n public readonly requestId?: string;\n public readonly correlationId?: string;\n\n constructor(\n code: GateErrorCode,\n message: string,\n options?: {\n status?: number;\n details?: Record<string, unknown>;\n requestId?: string;\n correlationId?: string;\n cause?: Error;\n }\n ) {\n super(message);\n this.name = 'GateError';\n this.code = code;\n this.status = options?.status;\n this.details = options?.details;\n this.requestId = options?.requestId;\n this.correlationId = options?.correlationId;\n if (options?.cause) {\n this.cause = options.cause;\n }\n Error.captureStackTrace(this, this.constructor);\n }\n\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n status: this.status,\n details: this.details,\n requestId: this.requestId,\n correlationId: this.correlationId,\n };\n }\n}\n\n/**\n * Step-up not configured error\n * Thrown when REQUIRE_STEP_UP is returned but SDK is not configured for step-up\n */\nexport class StepUpNotConfiguredError extends GateError {\n constructor(requestId?: string) {\n super(\n GateErrorCode.STEP_UP_NOT_CONFIGURED,\n 'Step-up is required but not configured in SDK. Enable step-up in client config or treat REQUIRE_STEP_UP as BLOCK.',\n { requestId }\n );\n this.name = 'StepUpNotConfiguredError';\n }\n}\n\n/**\n * Blocked error\n * Thrown when transaction is BLOCKED by Gate\n */\nexport class BlockIntelBlockedError extends GateError {\n public readonly receiptId?: string;\n public readonly reasonCode: string;\n\n constructor(\n reasonCode: string,\n receiptId?: string,\n correlationId?: string,\n requestId?: string\n ) {\n super(\n GateErrorCode.BLOCKED,\n `Transaction blocked: ${reasonCode}`,\n { correlationId, requestId, details: { reasonCode, receiptId } }\n );\n this.name = 'BlockIntelBlockedError';\n this.receiptId = receiptId;\n this.reasonCode = reasonCode;\n }\n}\n\n/**\n * Service unavailable error\n * Thrown when fail-safe mode is BLOCK_ON_TIMEOUT and service is unavailable\n */\nexport class BlockIntelUnavailableError extends GateError {\n constructor(message: string, requestId?: string) {\n super(GateErrorCode.SERVICE_UNAVAILABLE, message, { requestId });\n this.name = 'BlockIntelUnavailableError';\n }\n}\n\n/**\n * Auth error\n * Thrown on 401/403 - always fails CLOSED (never silently allows)\n */\nexport class BlockIntelAuthError extends GateError {\n constructor(message: string, status: number, requestId?: string) {\n super(\n status === 401 ? GateErrorCode.UNAUTHORIZED : GateErrorCode.FORBIDDEN,\n message,\n { status, requestId }\n );\n this.name = 'BlockIntelAuthError';\n }\n}\n\n/**\n * Step-up required error\n * Thrown when REQUIRE_STEP_UP is returned and step-up is enabled\n */\nexport class BlockIntelStepUpRequiredError extends GateError {\n public readonly stepUpRequestId: string;\n public readonly statusUrl?: string;\n public readonly expiresAtMs?: number;\n\n constructor(\n stepUpRequestId: string,\n statusUrl?: string,\n expiresAtMs?: number,\n requestId?: string\n ) {\n super(\n GateErrorCode.STEP_UP_NOT_CONFIGURED,\n 'Step-up approval required',\n {\n requestId,\n details: { stepUpRequestId, statusUrl, expiresAtMs },\n }\n );\n this.name = 'BlockIntelStepUpRequiredError';\n this.stepUpRequestId = stepUpRequestId;\n this.statusUrl = statusUrl;\n this.expiresAtMs = expiresAtMs;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Retry Logic\n * \n * Exponential backoff with jitter for retryable requests.\n */\n\nexport interface RetryOptions {\n maxAttempts?: number;\n baseDelayMs?: number;\n maxDelayMs?: number;\n factor?: number;\n}\n\nconst DEFAULT_RETRY_OPTIONS: Required<RetryOptions> = {\n maxAttempts: 3,\n baseDelayMs: 100,\n maxDelayMs: 800,\n factor: 2,\n};\n\n/**\n * Determine if an HTTP status code is retryable\n */\nexport function isRetryableStatus(status: number): boolean {\n // Retry on 429 (rate limit) and 5xx (server errors)\n return status === 429 || (status >= 500 && status < 600);\n}\n\n/**\n * Determine if an error is retryable\n */\nexport function isRetryableError(error: unknown): boolean {\n // Network errors, timeouts, connection errors\n if (error instanceof Error) {\n const message = error.message.toLowerCase();\n return (\n message.includes('network') ||\n message.includes('timeout') ||\n message.includes('connection') ||\n message.includes('econnrefused') ||\n message.includes('enotfound') ||\n message.includes('econnreset')\n );\n }\n return false;\n}\n\n/**\n * Calculate delay with exponential backoff and jitter\n */\nexport function calculateBackoffDelay(\n attempt: number,\n options: Required<RetryOptions>\n): number {\n const exponentialDelay = options.baseDelayMs * Math.pow(options.factor, attempt - 1);\n const jitter = Math.random() * 0.3 * exponentialDelay; // 0-30% jitter\n const delay = exponentialDelay + jitter;\n return Math.min(delay, options.maxDelayMs);\n}\n\n/**\n * Check if an error is a GateError with retryable status\n */\nfunction isRetryableGateError(error: unknown): boolean {\n if (error && typeof error === 'object' && 'code' in error) {\n const gateError = error as { code: string; status?: number };\n // Retry on SERVER_ERROR or RATE_LIMITED codes\n if (gateError.code === 'SERVER_ERROR' || gateError.code === 'RATE_LIMITED') {\n return true;\n }\n // Also check status if available\n if (gateError.status && isRetryableStatus(gateError.status)) {\n return true;\n }\n }\n return false;\n}\n\n/**\n * Retry a function with exponential backoff\n */\nexport async function retryWithBackoff<T>(\n fn: () => Promise<T>,\n options: RetryOptions = {}\n): Promise<T> {\n const opts = { ...DEFAULT_RETRY_OPTIONS, ...options };\n let lastError: unknown;\n\n for (let attempt = 1; attempt <= opts.maxAttempts; attempt++) {\n try {\n return await fn();\n } catch (error) {\n lastError = error;\n\n // Don't retry if we've exhausted attempts\n if (attempt >= opts.maxAttempts) {\n break;\n }\n\n // Don't retry on non-retryable Response errors\n if (error instanceof Response && !isRetryableStatus(error.status)) {\n throw error;\n }\n\n // Check if it's a retryable error (Response, network error, or GateError with retryable status)\n const isRetryable =\n (error instanceof Response && isRetryableStatus(error.status)) ||\n isRetryableError(error) ||\n isRetryableGateError(error);\n\n if (!isRetryable) {\n throw error;\n }\n\n // Log degraded once per attempt (logs/telemetry only; never sent as HTTP request header)\n const status =\n (error instanceof Response && error.status) ||\n (error && typeof error === 'object' && 'status' in error && (error as { status?: number }).status) ||\n (error && typeof error === 'object' && 'statusCode' in error && (error as { statusCode?: number }).statusCode);\n const errName = error instanceof Error ? error.name : (error && typeof error === 'object' && 'code' in error ? (error as { code: string }).code : 'Unknown');\n const extra = ` attempt=${attempt}/${opts.maxAttempts} status=${status ?? 'n/a'} err=${errName}`;\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason=retry)' + extra);\n\n // Wait before retrying\n const delay = calculateBackoffDelay(attempt, opts);\n await new Promise((resolve) => setTimeout(resolve, delay));\n }\n }\n\n throw lastError;\n}\n\n","/**\n * Sanitize for debug logging: never log secrets, API keys, tokens, or full request bodies.\n * Use when GATE_SDK_DEBUG=1 or debug: true only.\n */\n\nconst SENSITIVE_HEADER_NAMES = new Set([\n 'authorization',\n 'x-api-key',\n 'x-gate-heartbeat-key',\n 'x-gate-signature',\n 'cookie',\n]);\n\nconst MAX_STRING_LENGTH = 80;\n\n/**\n * Redact sensitive header values; return header names and whether value is set (value redacted).\n */\nexport function sanitizeHeaders(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [key, value] of Object.entries(headers)) {\n const lower = key.toLowerCase();\n if (SENSITIVE_HEADER_NAMES.has(lower) || lower.includes('signature') || lower.includes('secret') || lower.includes('token')) {\n out[key] = value ? '[REDACTED]' : '[empty]';\n } else {\n out[key] = truncate(String(value), MAX_STRING_LENGTH);\n }\n }\n return out;\n}\n\n/**\n * Return keys and types of a JSON-serializable value (no values, to avoid leaking credentials).\n */\nexport function sanitizeBodyShape(body: unknown): Record<string, string> {\n if (body === null || body === undefined) {\n return {};\n }\n if (typeof body !== 'object') {\n return { _: typeof body };\n }\n if (Array.isArray(body)) {\n return { _: 'array', length: String(body.length) };\n }\n const out: Record<string, string> = {};\n for (const key of Object.keys(body as object).sort()) {\n const val = (body as Record<string, unknown>)[key];\n if (val !== null && typeof val === 'object' && !Array.isArray(val)) {\n out[key] = 'object';\n } else if (Array.isArray(val)) {\n out[key] = 'array';\n } else {\n out[key] = typeof val;\n }\n }\n return out;\n}\n\nfunction truncate(s: string, max: number): string {\n if (s.length <= max) return s;\n return s.slice(0, max) + '...';\n}\n\n/**\n * Check if debug mode is enabled via env or config.\n */\nexport function isDebugEnabled(debugOption?: boolean): boolean {\n if (debugOption === true) return true;\n if (typeof process !== 'undefined' && process.env.GATE_SDK_DEBUG === '1') return true;\n return false;\n}\n","/**\n * BlockIntel Gate SDK - HTTP Client\n * \n * Fetch wrapper with timeout, retry, and error handling.\n */\n\nimport { GateError, GateErrorCode } from '../types/errors.js';\nimport { retryWithBackoff, isRetryableStatus, isRetryableError } from './retry.js';\nimport { sanitizeHeaders, sanitizeBodyShape, isDebugEnabled } from '../utils/sanitize.js';\n\nexport interface HttpClientConfig {\n baseUrl: string;\n timeoutMs?: number;\n userAgent?: string;\n /** When true or GATE_SDK_DEBUG=1, log sanitized request/response (no secrets, no body values). */\n debug?: boolean;\n retryOptions?: {\n maxAttempts?: number;\n baseDelayMs?: number;\n maxDelayMs?: number;\n factor?: number;\n };\n}\n\nexport interface RequestOptions {\n method: string;\n path: string;\n headers?: Record<string, string>;\n body?: unknown;\n requestId?: string;\n}\n\n/**\n * HTTP client with retry and timeout support\n */\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeoutMs: number;\n private readonly userAgent: string;\n private readonly retryOptions: Parameters<typeof retryWithBackoff>[1];\n private readonly debug: boolean;\n\n constructor(config: HttpClientConfig) {\n this.baseUrl = config.baseUrl.replace(/\\/$/, ''); // Remove trailing slash\n this.timeoutMs = config.timeoutMs ?? 15000;\n this.userAgent = config.userAgent ?? 'blockintel-gate-sdk/0.1.0';\n this.retryOptions = config.retryOptions;\n this.debug = isDebugEnabled(config.debug);\n\n // Validate baseUrl\n if (!this.baseUrl) {\n throw new Error('baseUrl is required');\n }\n\n // Validate HTTPS in production (allow http only for localhost)\n if (typeof process !== 'undefined' && process.env.NODE_ENV === 'production') {\n if (!this.baseUrl.startsWith('https://') && !this.baseUrl.includes('localhost')) {\n throw new Error('baseUrl must use HTTPS in production (except localhost)');\n }\n }\n }\n\n /**\n * Make an HTTP request with retry and timeout\n */\n async request<T>(options: RequestOptions): Promise<T> {\n const { method, path, headers = {}, body, requestId } = options;\n\n const url = `${this.baseUrl}${path}`;\n\n // Create AbortController for timeout\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);\n\n // Store request details for error logging (sanitized; no body values)\n type RequestDetails = {\n headers: Record<string, string>;\n bodyLength: number;\n };\n let requestDetailsForLogging: RequestDetails | null = null;\n\n try {\n const response = await retryWithBackoff(\n async () => {\n const requestHeaders: Record<string, string> = {};\n for (const [key, value] of Object.entries(headers)) {\n requestHeaders[key] = String(value);\n }\n requestHeaders['User-Agent'] = this.userAgent;\n requestHeaders['Content-Type'] = 'application/json';\n\n const fetchOptions: RequestInit = {\n method,\n headers: requestHeaders,\n signal: controller.signal,\n };\n\n if (body) {\n if ((body as any).__canonicalJson) {\n fetchOptions.body = (body as any).__canonicalJson;\n delete (body as any).__canonicalJson;\n } else {\n fetchOptions.body = JSON.stringify(body);\n }\n }\n\n const bodyStr = typeof fetchOptions.body === 'string' ? fetchOptions.body : null;\n requestDetailsForLogging = {\n headers: this.debug ? sanitizeHeaders(requestHeaders as Record<string, string>) : {},\n bodyLength: bodyStr ? bodyStr.length : 0,\n };\n\n if (this.debug) {\n const bodyShape = body && typeof body === 'object' ? sanitizeBodyShape(body) : {};\n console.error('[GATE SDK] Request:', JSON.stringify({\n url,\n method,\n headerNames: Object.keys(requestHeaders),\n headersRedacted: requestDetailsForLogging.headers,\n bodyLength: requestDetailsForLogging.bodyLength,\n bodyKeysAndTypes: bodyShape,\n }, null, 2));\n }\n\n const res = await fetch(url, fetchOptions);\n\n // Throw Response for retryable errors so retry logic can handle it\n if (!res.ok && isRetryableStatus(res.status)) {\n throw res;\n }\n\n // Don't retry non-retryable status codes\n if (!res.ok && !isRetryableStatus(res.status)) {\n throw res;\n }\n\n return res;\n },\n {\n ...this.retryOptions,\n // Custom retry logic that handles Response objects\n }\n );\n\n clearTimeout(timeoutId);\n\n let data: T;\n const contentType = response.headers.get('content-type');\n\n if (this.debug) {\n console.error('[GATE SDK] Response:', JSON.stringify({\n status: response.status,\n ok: response.ok,\n url: response.url,\n }, null, 2));\n }\n\n if (contentType && contentType.includes('application/json')) {\n try {\n const jsonText = await response.text();\n data = JSON.parse(jsonText) as T;\n if (this.debug && data && typeof data === 'object') {\n console.error('[GATE SDK] Response keys:', Object.keys(data as object));\n }\n } catch (parseError) {\n if (this.debug) {\n console.error('[GATE SDK] JSON parse error:', parseError instanceof Error ? parseError.message : String(parseError));\n }\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Failed to parse JSON response',\n {\n status: response.status,\n requestId,\n cause: parseError instanceof Error ? parseError : undefined,\n }\n );\n }\n } else {\n const text = await response.text();\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n `Unexpected content type: ${contentType}`,\n {\n status: response.status,\n details: { body: text.substring(0, 200) },\n requestId,\n }\n );\n }\n\n // Check for errors\n if (!response.ok) {\n // Log full response details for debugging\n const responseHeaders: Record<string, string> = {};\n response.headers.forEach((value, key) => {\n responseHeaders[key] = value;\n });\n \n if (this.debug) {\n console.error('[GATE SDK] Error response:', JSON.stringify({\n status: response.status,\n url: response.url,\n requestPath: path,\n responseKeys: data && typeof data === 'object' ? Object.keys(data as object) : [],\n }, null, 2));\n }\n \n const errorCode = this.statusToErrorCode(response.status);\n const correlationId = response.headers.get('X-Correlation-ID') ?? undefined;\n\n throw new GateError(errorCode, `HTTP ${response.status}: ${response.statusText}`, {\n status: response.status,\n correlationId,\n requestId,\n details: data as Record<string, unknown>,\n });\n }\n\n return data;\n } catch (error) {\n clearTimeout(timeoutId);\n\n // Handle abort (timeout)\n if (error instanceof Error && error.name === 'AbortError') {\n throw new GateError(GateErrorCode.TIMEOUT, `Request timeout after ${this.timeoutMs}ms`, {\n requestId,\n });\n }\n\n // Handle Response errors (non-ok responses)\n if (error instanceof Response) {\n const errorCode = this.statusToErrorCode(error.status);\n const correlationId = error.headers.get('X-Correlation-ID') ?? undefined;\n\n let details: Record<string, unknown> | undefined;\n try {\n const text = await error.text();\n try {\n details = JSON.parse(text);\n } catch {\n details = { body: text.substring(0, 200) };\n }\n } catch {\n // Ignore parsing errors\n }\n\n throw new GateError(errorCode, `HTTP ${error.status}: ${error.statusText}`, {\n status: error.status,\n correlationId,\n requestId,\n details,\n });\n }\n\n // Handle network errors\n if (isRetryableError(error)) {\n throw new GateError(\n GateErrorCode.NETWORK_ERROR,\n `Network error: ${error instanceof Error ? error.message : String(error)}`,\n {\n requestId,\n cause: error instanceof Error ? error : undefined,\n }\n );\n }\n\n // Re-throw GateError as-is\n if (error instanceof GateError) {\n throw error;\n }\n\n // Unknown error\n throw new GateError(\n GateErrorCode.NETWORK_ERROR,\n `Unexpected error: ${error instanceof Error ? error.message : String(error)}`,\n {\n requestId,\n cause: error instanceof Error ? error : undefined,\n }\n );\n }\n }\n\n /**\n * Map HTTP status code to GateErrorCode\n */\n private statusToErrorCode(status: number): GateErrorCode {\n if (status === 401) return GateErrorCode.UNAUTHORIZED;\n if (status === 403) return GateErrorCode.FORBIDDEN;\n if (status === 404) return GateErrorCode.NOT_FOUND;\n if (status === 429) return GateErrorCode.RATE_LIMITED;\n if (status >= 500 && status < 600) return GateErrorCode.SERVER_ERROR;\n return GateErrorCode.NETWORK_ERROR;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Time Utilities\n */\n\n/**\n * Get current timestamp in milliseconds\n */\nexport function nowMs(): number {\n return Date.now();\n}\n\n/**\n * Get current timestamp in seconds (epoch)\n */\nexport function nowEpochSeconds(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/**\n * Clamp a value between min and max\n */\nexport function clamp(value: number, min: number, max: number): number {\n return Math.max(min, Math.min(max, value));\n}\n\n/**\n * Sleep for specified milliseconds\n */\nexport function sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n","/**\n * BlockIntel Gate SDK - Step-Up Polling\n * \n * Polls Gate Hot Path step-up status endpoint until decision is reached.\n */\n\nimport { GateError, GateErrorCode } from '../types/errors.js';\nimport { StepUpStatusResponse, GateStepUpStatus, StepUpFinalResult } from '../types/contracts.js';\nimport { nowEpochSeconds, clamp, sleep } from '../utils/time.js';\nimport { HttpClient } from '../http/HttpClient.js';\n\nexport interface StepUpPollingConfig {\n httpClient: HttpClient;\n tenantId: string;\n pollingIntervalMs?: number;\n maxWaitMs?: number;\n ttlMinSeconds?: number;\n ttlMaxSeconds?: number;\n ttlDefaultSeconds?: number;\n}\n\nconst DEFAULT_POLLING_INTERVAL_MS = 250;\nconst DEFAULT_MAX_WAIT_MS = 15000;\nconst DEFAULT_TTL_MIN_SECONDS = 300;\nconst DEFAULT_TTL_MAX_SECONDS = 900;\nconst DEFAULT_TTL_DEFAULT_SECONDS = 600;\n\n/**\n * Step-up polling helper\n */\nexport class StepUpPoller {\n private readonly httpClient: HttpClient;\n private readonly tenantId: string;\n private readonly pollingIntervalMs: number;\n private readonly maxWaitMs: number;\n private readonly ttlMinSeconds: number;\n private readonly ttlMaxSeconds: number;\n private readonly ttlDefaultSeconds: number;\n\n constructor(config: StepUpPollingConfig) {\n this.httpClient = config.httpClient;\n this.tenantId = config.tenantId;\n this.pollingIntervalMs = config.pollingIntervalMs ?? DEFAULT_POLLING_INTERVAL_MS;\n this.maxWaitMs = config.maxWaitMs ?? DEFAULT_MAX_WAIT_MS;\n this.ttlMinSeconds = config.ttlMinSeconds ?? DEFAULT_TTL_MIN_SECONDS;\n this.ttlMaxSeconds = config.ttlMaxSeconds ?? DEFAULT_TTL_MAX_SECONDS;\n this.ttlDefaultSeconds = config.ttlDefaultSeconds ?? DEFAULT_TTL_DEFAULT_SECONDS;\n }\n\n /**\n * Get current step-up status\n */\n async getStatus(requestId: string): Promise<StepUpStatusResponse> {\n const path = `/defense/stepup/status?tenantId=${encodeURIComponent(this.tenantId)}&requestId=${encodeURIComponent(requestId)}`;\n\n try {\n // API returns snake_case, convert to camelCase\n const apiResponse = await this.httpClient.request<\n StepUpStatusResponse & {\n tenant_id?: string;\n request_id?: string;\n reason_codes?: string[];\n correlation_id?: string;\n expires_at_ms?: number;\n }\n >({\n method: 'GET',\n path,\n requestId,\n });\n\n const response: StepUpStatusResponse = {\n status: apiResponse.status,\n tenantId: apiResponse.tenant_id ?? apiResponse.tenantId,\n requestId: apiResponse.request_id ?? apiResponse.requestId,\n decision: apiResponse.decision,\n reasonCodes: apiResponse.reason_codes ?? apiResponse.reasonCodes,\n correlationId: apiResponse.correlation_id ?? apiResponse.correlationId,\n expiresAtMs: apiResponse.expires_at_ms ?? apiResponse.expiresAtMs,\n ttl: apiResponse.ttl,\n };\n\n // Check if expired based on TTL\n const now = nowEpochSeconds();\n if (response.ttl !== undefined && response.ttl <= now) {\n return {\n ...response,\n status: 'EXPIRED',\n };\n }\n\n return response;\n } catch (error) {\n if (error instanceof GateError && error.code === GateErrorCode.NOT_FOUND) {\n throw new GateError(\n GateErrorCode.NOT_FOUND,\n `Step-up request not found: ${requestId}`,\n { requestId }\n );\n }\n throw error;\n }\n }\n\n /**\n * Wait for step-up decision with polling\n * \n * Polls until status is APPROVED, DENIED, or EXPIRED, or timeout is reached.\n */\n async awaitDecision(\n requestId: string,\n options?: { maxWaitMs?: number; intervalMs?: number }\n ): Promise<StepUpFinalResult> {\n const startTime = Date.now();\n const maxWaitMs = options?.maxWaitMs ?? this.maxWaitMs;\n const intervalMs = options?.intervalMs ?? this.pollingIntervalMs;\n\n while (true) {\n const elapsedMs = Date.now() - startTime;\n\n // Check timeout\n if (elapsedMs >= maxWaitMs) {\n throw new GateError(\n GateErrorCode.STEP_UP_TIMEOUT,\n `Step-up decision timeout after ${maxWaitMs}ms`,\n { requestId }\n );\n }\n\n try {\n const status = await this.getStatus(requestId);\n\n // Check if expired\n const now = nowEpochSeconds();\n if (status.ttl !== undefined && status.ttl <= now) {\n return {\n status: 'EXPIRED',\n requestId,\n elapsedMs,\n correlationId: status.correlationId,\n };\n }\n\n // Check if decision reached\n if (\n status.status === 'APPROVED' ||\n status.status === 'DENIED' ||\n status.status === 'EXPIRED'\n ) {\n return {\n status: status.status,\n requestId,\n elapsedMs,\n decision: status.decision,\n reasonCodes: status.reasonCodes,\n correlationId: status.correlationId,\n };\n }\n\n // Status is PENDING, wait and poll again\n await sleep(intervalMs);\n } catch (error) {\n // If NOT_FOUND, throw immediately (don't retry)\n if (error instanceof GateError && error.code === GateErrorCode.NOT_FOUND) {\n throw error;\n }\n\n // For other errors, wait and retry\n // But still respect timeout\n const remainingMs = maxWaitMs - (Date.now() - startTime);\n if (remainingMs <= 0) {\n throw new GateError(\n GateErrorCode.STEP_UP_TIMEOUT,\n `Step-up decision timeout after ${maxWaitMs}ms`,\n { requestId, cause: error instanceof Error ? error : undefined }\n );\n }\n\n await sleep(Math.min(intervalMs, remainingMs));\n }\n }\n }\n\n /**\n * Clamp TTL to guardrails\n */\n clampTtl(ttlSeconds?: number): number {\n if (ttlSeconds === undefined) {\n return this.ttlDefaultSeconds;\n }\n return clamp(ttlSeconds, this.ttlMinSeconds, this.ttlMaxSeconds);\n }\n}\n\n","/**\n * Circuit Breaker for SDK\n * \n * Prevents cascading failures by opening the circuit after consecutive failures.\n */\n\nexport type CircuitState = 'CLOSED' | 'OPEN' | 'HALF_OPEN';\n\nexport interface CircuitBreakerConfig {\n tripAfterConsecutiveFailures?: number; // Default: 5\n coolDownMs?: number; // Default: 30000 (30 seconds)\n}\n\nexport interface CircuitBreakerMetrics {\n failures: number;\n successes: number;\n state: CircuitState;\n lastFailureTime?: number;\n lastSuccessTime?: number;\n tripsToOpen: number;\n}\n\n/**\n * Circuit Breaker implementation\n */\nexport class CircuitBreaker {\n private state: CircuitState = 'CLOSED';\n private failures = 0;\n private successes = 0;\n private lastFailureTime?: number;\n private lastSuccessTime?: number;\n private tripsToOpen = 0;\n \n private readonly tripThreshold: number;\n private readonly coolDownMs: number;\n\n constructor(config: CircuitBreakerConfig = {}) {\n this.tripThreshold = config.tripAfterConsecutiveFailures ?? 5;\n this.coolDownMs = config.coolDownMs ?? 30000; // 30 seconds\n }\n\n /**\n * Execute function with circuit breaker protection\n */\n async execute<T>(fn: () => Promise<T>): Promise<T> {\n // Check if circuit should transition from OPEN to HALF_OPEN\n if (this.state === 'OPEN') {\n const now = Date.now();\n const timeSinceLastFailure = this.lastFailureTime \n ? now - this.lastFailureTime \n : Infinity;\n \n if (timeSinceLastFailure >= this.coolDownMs) {\n this.state = 'HALF_OPEN';\n this.failures = 0; // Reset failures for half-open probe\n } else {\n throw new CircuitBreakerOpenError(\n `Circuit breaker is OPEN. Will retry after ${this.coolDownMs - timeSinceLastFailure}ms`\n );\n }\n }\n\n try {\n const result = await fn();\n this.onSuccess();\n return result;\n } catch (error) {\n this.onFailure();\n throw error;\n }\n }\n\n private onSuccess(): void {\n this.successes++;\n this.lastSuccessTime = Date.now();\n\n if (this.state === 'HALF_OPEN') {\n // Successful probe - close circuit\n this.state = 'CLOSED';\n this.failures = 0;\n } else if (this.state === 'CLOSED') {\n // Success in closed state - reset failure count\n this.failures = 0;\n }\n }\n\n private onFailure(): void {\n this.failures++;\n this.lastFailureTime = Date.now();\n\n if (this.state === 'HALF_OPEN') {\n // Failed probe - open circuit again\n this.state = 'OPEN';\n this.tripsToOpen++;\n } else if (this.state === 'CLOSED' && this.failures >= this.tripThreshold) {\n // Too many failures - open circuit\n this.state = 'OPEN';\n this.tripsToOpen++;\n }\n }\n\n /**\n * Get current metrics\n */\n getMetrics(): CircuitBreakerMetrics {\n return {\n failures: this.failures,\n successes: this.successes,\n state: this.state,\n lastFailureTime: this.lastFailureTime,\n lastSuccessTime: this.lastSuccessTime,\n tripsToOpen: this.tripsToOpen,\n };\n }\n\n /**\n * Reset circuit breaker to CLOSED state\n */\n reset(): void {\n this.state = 'CLOSED';\n this.failures = 0;\n this.successes = 0;\n this.lastFailureTime = undefined;\n this.lastSuccessTime = undefined;\n this.tripsToOpen = 0;\n }\n}\n\n/**\n * Circuit Breaker Open Error\n */\nexport class CircuitBreakerOpenError extends Error {\n constructor(message: string) {\n super(message);\n this.name = 'CircuitBreakerOpenError';\n }\n}\n\n","/**\n * Metrics Collector for SDK\n * \n * Collects counters and latency metrics for observability.\n */\n\nexport interface Metrics {\n requestsTotal: number;\n allowedTotal: number;\n blockedTotal: number;\n stepupTotal: number;\n timeoutsTotal: number;\n errorsTotal: number;\n circuitBreakerOpenTotal: number;\n wouldBlockTotal: number; // Shadow mode would-block count\n failOpenTotal: number; // Fail-open count\n latencyMs: number[]; // Histogram samples\n}\n\nexport type MetricsHook = (metrics: Metrics) => void | Promise<void>;\n\n/**\n * Metrics Collector\n */\nexport class MetricsCollector {\n private requestsTotal = 0;\n private allowedTotal = 0;\n private blockedTotal = 0;\n private stepupTotal = 0;\n private timeoutsTotal = 0;\n private errorsTotal = 0;\n private circuitBreakerOpenTotal = 0;\n private wouldBlockTotal = 0; // Shadow mode would-block count\n private failOpenTotal = 0; // Fail-open count\n private latencyMs: number[] = [];\n\n private readonly maxSamples = 1000; // Keep last 1000 samples\n private readonly hooks: MetricsHook[] = [];\n\n /**\n * Record a request\n */\n recordRequest(decision: 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP' | 'WOULD_BLOCK' | 'FAIL_OPEN', latencyMs: number): void {\n this.requestsTotal++;\n \n if (decision === 'ALLOW') {\n this.allowedTotal++;\n } else if (decision === 'BLOCK') {\n this.blockedTotal++;\n } else if (decision === 'REQUIRE_STEP_UP') {\n this.stepupTotal++;\n } else if (decision === 'WOULD_BLOCK') {\n this.wouldBlockTotal++;\n this.allowedTotal++; // Count as allowed (shadow mode)\n } else if (decision === 'FAIL_OPEN') {\n this.failOpenTotal++;\n this.allowedTotal++; // Count as allowed (fail-open)\n }\n\n // Add latency sample (keep rolling window)\n this.latencyMs.push(latencyMs);\n if (this.latencyMs.length > this.maxSamples) {\n this.latencyMs.shift(); // Remove oldest sample\n }\n\n this.emitMetrics();\n }\n\n /**\n * Record a timeout\n */\n recordTimeout(): void {\n this.timeoutsTotal++;\n this.errorsTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record an error\n */\n recordError(): void {\n this.errorsTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record circuit breaker open\n */\n recordCircuitBreakerOpen(): void {\n this.circuitBreakerOpenTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record soft-enforce override (app chose to sign despite BLOCK decision)\n */\n recordSoftBlockOverride(decision: 'ALLOW' | 'BLOCK'): void {\n // Optional: extend Metrics interface with softBlockOverrideTotal if needed\n this.emitMetrics();\n }\n\n /**\n * Get current metrics snapshot\n */\n getMetrics(): Metrics {\n return {\n requestsTotal: this.requestsTotal,\n allowedTotal: this.allowedTotal,\n blockedTotal: this.blockedTotal,\n stepupTotal: this.stepupTotal,\n timeoutsTotal: this.timeoutsTotal,\n errorsTotal: this.errorsTotal,\n circuitBreakerOpenTotal: this.circuitBreakerOpenTotal,\n wouldBlockTotal: this.wouldBlockTotal,\n failOpenTotal: this.failOpenTotal,\n latencyMs: [...this.latencyMs], // Copy array\n };\n }\n\n /**\n * Register a metrics hook (e.g., for Prometheus/OpenTelemetry export)\n */\n registerHook(hook: MetricsHook): void {\n this.hooks.push(hook);\n }\n\n /**\n * Emit metrics to all registered hooks\n */\n private emitMetrics(): void {\n const metrics = this.getMetrics();\n for (const hook of this.hooks) {\n try {\n hook(metrics);\n } catch (error) {\n // Don't throw - metrics hooks should not break SDK\n console.error('Error in metrics hook:', error);\n }\n }\n }\n\n /**\n * Reset all metrics\n */\n reset(): void {\n this.requestsTotal = 0;\n this.allowedTotal = 0;\n this.blockedTotal = 0;\n this.stepupTotal = 0;\n this.timeoutsTotal = 0;\n this.errorsTotal = 0;\n this.circuitBreakerOpenTotal = 0;\n this.wouldBlockTotal = 0;\n this.failOpenTotal = 0;\n this.latencyMs = [];\n }\n}\n\n","/**\n * Canonical transaction digest for decision-token binding.\n * MUST match gate-hotpath/src/utils/txDigest.ts and backend contract.\n * Used to verify the transaction being signed matches the one evaluated.\n */\n\nimport { createHash } from 'node:crypto';\n\n/** Canonical tx binding object - same shape as hot path */\nexport interface TxBindingObject {\n chainId: string;\n toAddress: string;\n value: string;\n data: string;\n nonce: string;\n fromAddress?: string;\n decodedRecipient?: string | null;\n decoded?: Record<string, unknown>;\n signerId?: string;\n networkFamily?: string;\n}\n\n/** Canonical JSON for binding object only - must match hot path output */\nfunction canonicalJsonBinding(obj: unknown): string {\n if (obj === null || obj === undefined) return 'null';\n if (typeof obj === 'string') return JSON.stringify(obj);\n if (typeof obj === 'number') return obj.toString();\n if (typeof obj === 'boolean') return obj ? 'true' : 'false';\n if (Array.isArray(obj)) {\n const items = obj.map((item) => canonicalJsonBinding(item));\n return '[' + items.join(',') + ']';\n }\n if (typeof obj === 'object') {\n const keys = Object.keys(obj).sort();\n const pairs: string[] = [];\n for (const key of keys) {\n const value = (obj as Record<string, unknown>)[key];\n if (value !== undefined) {\n pairs.push(JSON.stringify(key) + ':' + canonicalJsonBinding(value));\n }\n }\n return '{' + pairs.join(',') + '}';\n }\n return JSON.stringify(obj);\n}\n\nfunction normalizeAddress(addr: string | undefined): string {\n if (addr == null || addr === '') return '';\n const s = String(addr).trim();\n if (s.startsWith('0x')) return s.toLowerCase();\n return '0x' + s.toLowerCase();\n}\n\nfunction normalizeData(data: string | undefined): string {\n if (data == null || data === '') return '';\n const s = String(data).trim().toLowerCase();\n return s.startsWith('0x') ? s : '0x' + s;\n}\n\n/**\n * Build canonical tx binding from intent (same as hot path).\n * txIntent may use 'to' or 'toAddress', 'value' or 'valueAtomic'/'valueDecimal'.\n */\nexport function buildTxBindingObject(\n txIntent: {\n toAddress?: string;\n to?: string;\n value?: string;\n valueAtomic?: string;\n valueDecimal?: string;\n data?: string;\n payloadHash?: string;\n dataHash?: string;\n nonce?: number | string;\n chainId?: number | string;\n chain?: string;\n networkFamily?: string;\n [key: string]: unknown;\n },\n signerId?: string,\n decodedRecipient?: string | null,\n decodedFields?: Record<string, unknown> | null,\n fromAddress?: string\n): TxBindingObject {\n const toAddr = txIntent.toAddress ?? txIntent.to ?? '';\n const value = (txIntent.valueAtomic ?? txIntent.valueDecimal ?? txIntent.value ?? '0').toString();\n const data = normalizeData(\n (txIntent.data ?? txIntent.payloadHash ?? txIntent.dataHash ?? '') as string\n );\n const chainId = (txIntent.chainId ?? txIntent.chain ?? '').toString();\n const toAddress = normalizeAddress(toAddr);\n const nonce = txIntent.nonce != null ? String(txIntent.nonce) : '';\n const decoded: Record<string, unknown> = {};\n if (decodedFields && typeof decodedFields === 'object') {\n for (const [k, v] of Object.entries(decodedFields)) {\n if (v !== undefined) decoded[k] = v;\n }\n }\n const out: TxBindingObject = {\n chainId,\n toAddress,\n value,\n data,\n nonce,\n };\n if (fromAddress) out.fromAddress = normalizeAddress(fromAddress);\n if (decodedRecipient != null)\n out.decodedRecipient = decodedRecipient ? normalizeAddress(decodedRecipient) : null;\n if (Object.keys(decoded).length > 0) out.decoded = decoded;\n if (signerId) out.signerId = signerId;\n if (txIntent.networkFamily) out.networkFamily = txIntent.networkFamily as string;\n return out;\n}\n\n/**\n * Compute SHA256(canonicalJson(binding)). Must match hot path digest.\n */\nexport function computeTxDigest(binding: TxBindingObject): string {\n const canonical = canonicalJsonBinding(binding);\n return createHash('sha256').update(canonical, 'utf8').digest('hex');\n}\n","/**\n * Pluggable metrics sink for Gate SDK sign attempts.\n * Used to compute receipt coverage % (signed_with_receipt / sign_attempts) for underwriting.\n * Default: no-op. Wire to POST /api/v1/gate/metrics/sign for backend aggregation.\n */\n\nexport type GateSignMetricName =\n | 'sign_attempt_total'\n | 'sign_blocked_missing_receipt_total'\n | 'sign_blocked_invalid_receipt_total'\n | 'sign_success_with_receipt_total'\n | 'sign_success_total';\n\nexport interface GateMetricEventLabels {\n tenantId?: string;\n signerId?: string;\n adoptionStage?: string;\n env?: string;\n chain?: string;\n kmsKeyId?: string;\n region?: string;\n}\n\nexport interface GateMetricEvent {\n name: GateSignMetricName;\n labels: GateMetricEventLabels;\n timestampMs?: number;\n}\n\n/**\n * Sink for sign metrics. Implement to forward events to your backend (e.g. POST /api/v1/gate/metrics/sign).\n * Default when not provided: no-op.\n */\nexport interface GateMetricsSink {\n emit(event: GateMetricEvent): void | Promise<void>;\n}\n\n/** No-op sink (default). */\nexport const noOpMetricsSink: GateMetricsSink = {\n emit() {},\n};\n","/**\n * BlockIntel Gate SDK - AWS SDK v3 KMS Wrapper\n * \n * Wraps AWS SDK v3 KMSClient to intercept SignCommand calls and enforce Gate policies.\n */\n\nimport { KMSClient, SignCommand, SignCommandInput } from '@aws-sdk/client-kms';\nimport { GateClient } from '../client/GateClient.js';\nimport { BlockIntelBlockedError, BlockIntelStepUpRequiredError } from '../types/errors.js';\nimport { createHash } from 'crypto';\nimport { buildTxBindingObject, computeTxDigest } from '../utils/txDigest.js';\nimport type { GateMetricsSink, GateMetricEvent, GateMetricEventLabels } from '../metrics/GateMetricsSink.js';\nimport { noOpMetricsSink } from '../metrics/GateMetricsSink.js';\n\n/**\n * KMS wrapper options\n */\nexport interface WrapKmsClientOptions {\n /**\n * Wrapper mode\n * - \"enforce\": Block if Gate denies, require step-up approval\n * - \"dry-run\": Evaluate but always allow KMS call (for testing)\n */\n mode?: 'enforce' | 'dry-run';\n\n /**\n * When true (e.g. HARD_KMS_ATTESTED mode), KMS Sign is only allowed if the evaluate response\n * includes a receipt (or decisionHash). Rejects with RECEIPT_REQUIRED if missing.\n */\n requireReceiptForSign?: boolean;\n\n /**\n * Callback invoked when a decision is made\n */\n onDecision?: (decision: 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP', details: any) => void;\n\n /**\n * Custom hook to extract transaction intent from SignCommand\n * If not provided, uses default extraction (minimal txIntent from message hash)\n */\n extractTxIntent?: (command: SignCommandInput) => {\n toAddress?: string;\n networkFamily?: 'EVM' | 'BTC' | 'SOL' | 'OTHER';\n chainId?: number;\n [key: string]: any;\n };\n\n /**\n * Optional metrics sink for observability.\n * If not provided, uses no-op sink (metrics are discarded).\n */\n metricsSink?: GateMetricsSink;\n}\n\n/**\n * Wrapped KMS client type (proxy that intercepts send calls)\n */\nexport interface WrappedKmsClient extends KMSClient {\n /**\n * Intercepted send method (overrides KMSClient.send)\n */\n send<T>(command: T): Promise<any>;\n\n /**\n * Original KMS client (for fallback or direct access)\n */\n _originalClient: KMSClient;\n\n /**\n * Gate client used for evaluation\n */\n _gateClient: GateClient;\n\n /**\n * Wrapper options\n */\n _wrapperOptions: Required<WrapKmsClientOptions>;\n}\n\n/**\n * Wrap AWS SDK v3 KMS client to intercept SignCommand calls\n * \n * @param kmsClient - AWS SDK v3 KMSClient instance\n * @param gateClient - Gate client for evaluation\n * @param options - Wrapper options\n * @returns Proxy object that intercepts send() calls\n * \n * @example\n * ```typescript\n * import { KMSClient } from '@aws-sdk/client-kms';\n * import { GateClient, wrapKmsClient } from 'blockintel-gate-sdk';\n * \n * const kms = new KMSClient({});\n * const gate = new GateClient({\n * baseUrl: process.env.GATE_BASE_URL!,\n * tenantId: process.env.GATE_TENANT_ID!,\n * auth: { mode: 'hmac', keyId: process.env.GATE_KEY_ID!, secret: process.env.GATE_HMAC_SECRET! },\n * });\n * \n * const protectedKms = wrapKmsClient(kms, gate);\n * \n * // Now calls to protectedKms.send(new SignCommand(...)) will be intercepted\n * const result = await protectedKms.send(new SignCommand({\n * KeyId: 'alias/my-key',\n * Message: Buffer.from('...'),\n * MessageType: 'RAW',\n * SigningAlgorithm: 'ECDSA_SHA_256',\n * }));\n * ```\n */\nexport function wrapKmsClient(\n kmsClient: KMSClient,\n gateClient: GateClient,\n options: WrapKmsClientOptions = {}\n): WrappedKmsClient {\n const defaultOptions: Required<WrapKmsClientOptions> = {\n mode: options.mode || 'enforce',\n requireReceiptForSign: options.requireReceiptForSign ?? false,\n onDecision: options.onDecision || (() => {}),\n extractTxIntent: options.extractTxIntent || defaultExtractTxIntent,\n metricsSink: options.metricsSink ?? noOpMetricsSink,\n };\n\n // Create proxy that intercepts send() calls\n const wrapped = new Proxy(kmsClient, {\n get(target, prop, receiver) {\n if (prop === 'send') {\n // Intercept send() method\n return async function (command: any) {\n // Check if this is a SignCommand\n if (command && command.constructor && command.constructor.name === 'SignCommand') {\n return await handleSignCommand(\n command,\n target as KMSClient,\n gateClient,\n defaultOptions\n );\n }\n\n // Not a SignCommand - pass through to original client\n return await (target as any).send(command);\n };\n }\n\n // All other properties pass through\n return Reflect.get(target, prop, receiver);\n },\n }) as WrappedKmsClient;\n\n // Attach metadata for introspection\n wrapped._originalClient = kmsClient;\n wrapped._gateClient = gateClient;\n wrapped._wrapperOptions = defaultOptions;\n\n return wrapped;\n}\n\n/**\n * Default transaction intent extraction from SignCommand\n * \n * Extracts minimal txIntent from KMS SignCommand:\n * - Uses Message hash as payloadHash\n * - Sets networkFamily to 'OTHER' (unknown)\n * - Sets signerId from KeyId\n */\nfunction defaultExtractTxIntent(command: SignCommandInput): {\n toAddress?: string;\n networkFamily?: 'EVM' | 'BTC' | 'SOL' | 'OTHER';\n chainId?: number;\n payloadHash?: string;\n dataHash?: string;\n [key: string]: any;\n} {\n // Compute SHA256 hash of message\n // SignCommand.Message can be accessed via input property or directly\n const message = (command as any).input?.Message ?? (command as any).Message;\n if (!message) {\n throw new Error('SignCommand missing required Message property');\n }\n const messageBuffer = message instanceof Buffer \n ? message \n : Buffer.from(message as any);\n const messageHash = createHash('sha256').update(messageBuffer).digest('hex');\n\n return {\n networkFamily: 'OTHER',\n toAddress: undefined, // Unknown from KMS message alone\n payloadHash: messageHash,\n dataHash: messageHash, // Backward compatibility\n };\n}\n\n/** Build metric labels from gateClient and command (tenantId, signerId, adoptionStage, env, chain, kmsKeyId, region). */\nfunction buildMetricLabels(\n gateClient: GateClient,\n command: SignCommandInput,\n signerId: string,\n txIntent: { chainId?: number; networkFamily?: string }\n): GateMetricEventLabels {\n const config = (gateClient as any).config;\n const keyId = (command as any).input?.KeyId ?? (command as any).KeyId;\n return {\n tenantId: config?.tenantId,\n signerId: signerId || undefined,\n adoptionStage: config?.adoptionStage ?? process.env.GATE_ADOPTION_STAGE,\n env: config?.env ?? process.env.GATE_ENV ?? process.env.NODE_ENV,\n chain: txIntent.chainId != null ? String(txIntent.chainId) : txIntent.networkFamily,\n kmsKeyId: keyId,\n region: process.env.AWS_REGION,\n };\n}\n\n/** Emit metric; never throw (sink errors are ignored). */\nfunction emitMetric(\n sink: GateMetricsSink,\n name: GateMetricEvent['name'],\n labels: GateMetricEventLabels\n): void {\n const event: GateMetricEvent = { name, labels, timestampMs: Date.now() };\n try {\n const result = sink.emit(event);\n if (result && typeof (result as Promise<void>).catch === 'function') {\n (result as Promise<void>).catch(() => {});\n }\n } catch {\n // no-op: metrics must not break signing\n }\n}\n\n/**\n * Handle intercepted SignCommand\n */\nasync function handleSignCommand(\n command: SignCommandInput,\n originalClient: KMSClient,\n gateClient: GateClient,\n options: Required<WrapKmsClientOptions>\n): Promise<any> {\n // Extract transaction intent\n const txIntent = options.extractTxIntent(command);\n\n // Extract signer ID from KeyId\n // SignCommand.KeyId can be accessed via input property or directly\n const signerId = (command as any).input?.KeyId ?? (command as any).KeyId ?? 'unknown';\n\n const labels = buildMetricLabels(gateClient, command, signerId, txIntent);\n emitMetric(options.metricsSink, 'sign_attempt_total', labels);\n\n // CRITICAL: Check heartbeat before any Gate evaluation\n // Per-signer token cache: async fetch with 2s timeout\n let heartbeatToken: string;\n try {\n heartbeatToken = await (gateClient as any).heartbeatManager.getTokenForSigner(signerId, 2000);\n } catch {\n throw new BlockIntelBlockedError(\n 'HEARTBEAT_MISSING',\n undefined, // receiptId\n undefined, // correlationId\n undefined // requestId\n );\n }\n\n // Build signing context\n const signingContext = {\n signerId,\n actorPrincipal: 'kms-signer', // Default - can be customized via extractTxIntent\n heartbeatToken, // Attach heartbeat token\n };\n\n try {\n // Call Gate evaluate()\n const decision = await gateClient.evaluate({\n txIntent: txIntent as any, // Type assertion - txIntent may have extra fields\n signingContext,\n });\n\n // Receipt-required (HARD_KMS_ATTESTED): block KMS call if no receipt in response\n if (decision.decision === 'ALLOW' && options.requireReceiptForSign) {\n const hasReceipt =\n (decision as any).receipt != null ||\n ((decision as any).decisionHash != null && (decision as any).receiptSignature != null);\n if (!hasReceipt) {\n emitMetric(options.metricsSink, 'sign_blocked_missing_receipt_total', labels);\n options.onDecision('BLOCK', {\n error: new BlockIntelBlockedError(\n 'RECEIPT_REQUIRED',\n (decision as any).decisionId,\n (decision as any).correlationId,\n undefined\n ),\n signerId,\n command,\n });\n throw new BlockIntelBlockedError(\n 'RECEIPT_REQUIRED',\n (decision as any).decisionId,\n (decision as any).correlationId,\n undefined\n );\n }\n }\n\n // Decision is ALLOW (evaluate() doesn't throw) - verify decision token binding when required\n if (\n decision.decision === 'ALLOW' &&\n gateClient.getRequireDecisionToken() &&\n decision.txDigest != null\n ) {\n const binding = buildTxBindingObject(\n txIntent as any,\n signerId,\n undefined,\n undefined,\n (signingContext as any).actorPrincipal\n );\n const computedDigest = computeTxDigest(binding);\n if (computedDigest !== decision.txDigest) {\n options.onDecision('BLOCK', {\n error: new BlockIntelBlockedError(\n 'DECISION_TOKEN_TX_MISMATCH',\n decision.decisionId,\n decision.correlationId,\n undefined\n ),\n signerId,\n command,\n });\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_TX_MISMATCH',\n decision.decisionId,\n decision.correlationId,\n undefined\n );\n }\n }\n\n const hasReceipt =\n (decision as any).receipt != null ||\n ((decision as any).decisionHash != null && (decision as any).receiptSignature != null);\n if (hasReceipt) {\n emitMetric(options.metricsSink, 'sign_success_with_receipt_total', labels);\n }\n emitMetric(options.metricsSink, 'sign_success_total', labels);\n\n options.onDecision('ALLOW', { decision, signerId, command });\n\n if (options.mode === 'dry-run') {\n // Dry-run mode: evaluate but still allow\n return await originalClient.send(new SignCommand(command));\n }\n\n // Enforce mode: forward to real KMS\n return await originalClient.send(new SignCommand(command));\n } catch (error: any) {\n // Handle Gate errors\n if (error instanceof BlockIntelBlockedError) {\n options.onDecision('BLOCK', { error, signerId, command });\n throw error; // Re-throw to block KMS call\n }\n\n if (error instanceof BlockIntelStepUpRequiredError) {\n options.onDecision('REQUIRE_STEP_UP', { error, signerId, command });\n throw error; // Re-throw to prevent KMS call until step-up approved\n }\n\n // Other errors (network, auth, etc.) - re-throw\n throw error;\n }\n}\n\n","/**\n * Provenance Provider\n * \n * Provides provenance information (repo, workflow, attestation) from environment variables.\n * Used for CI/CD provenance enforcement in Gate.\n */\n\n/**\n * Provenance information extracted from environment\n */\nexport interface Provenance {\n repo?: string;\n workflow?: string;\n ref?: string;\n actor?: string;\n attestation?: {\n valid: boolean;\n issuer?: string;\n subject?: string;\n sha?: string;\n };\n}\n\n/**\n * Provenance Provider\n * \n * Reads provenance information from environment variables:\n * - GATE_CALLER_REPO\n * - GATE_CALLER_WORKFLOW\n * - GATE_CALLER_REF\n * - GATE_CALLER_ACTOR\n * - GATE_ATTESTATION_VALID\n * - GATE_ATTESTATION_ISSUER\n * - GATE_ATTESTATION_SUBJECT\n * - GATE_ATTESTATION_SHA\n */\nexport class ProvenanceProvider {\n /**\n * Get provenance from environment variables\n */\n static getProvenance(): Provenance | null {\n const repo = process.env.GATE_CALLER_REPO;\n const workflow = process.env.GATE_CALLER_WORKFLOW;\n const ref = process.env.GATE_CALLER_REF;\n const actor = process.env.GATE_CALLER_ACTOR;\n const attestationValid = process.env.GATE_ATTESTATION_VALID;\n const attestationIssuer = process.env.GATE_ATTESTATION_ISSUER;\n const attestationSubject = process.env.GATE_ATTESTATION_SUBJECT;\n const attestationSha = process.env.GATE_ATTESTATION_SHA;\n\n // If no provenance env vars are set, return null\n if (!repo && !workflow && !ref && !actor && !attestationValid) {\n return null;\n }\n\n const provenance: Provenance = {};\n\n if (repo) provenance.repo = repo;\n if (workflow) provenance.workflow = workflow;\n if (ref) provenance.ref = ref;\n if (actor) provenance.actor = actor;\n\n // Build attestation if any attestation env vars are set\n if (attestationValid || attestationIssuer || attestationSubject || attestationSha) {\n provenance.attestation = {\n valid: attestationValid === 'true' || attestationValid === '1',\n issuer: attestationIssuer,\n subject: attestationSubject,\n sha: attestationSha,\n };\n }\n\n return provenance;\n }\n\n /**\n * Check if provenance is enabled (env vars present)\n */\n static isEnabled(): boolean {\n return !!(\n process.env.GATE_CALLER_REPO ||\n process.env.GATE_CALLER_WORKFLOW ||\n process.env.GATE_ATTESTATION_VALID\n );\n }\n}\n\n","/**\n * Gate SDK - Heartbeat Manager\n * \n * Manages heartbeat token acquisition and validation.\n * Heartbeat tokens prove Gate is alive and enforcing policy.\n * Required for all signing operations.\n * \n * Features:\n * - Automatic refresh with jitter\n * - Exponential backoff on failures\n * - Client instance metadata tracking\n */\n\nimport { v4 as uuidv4 } from 'uuid';\nimport { HttpClient } from '../http/HttpClient.js';\nimport { GateError, GateErrorCode } from '../types/errors.js';\n\nexport interface HeartbeatToken {\n token: string;\n expiresAt: number; // Unix timestamp (seconds)\n jti?: string; // JWT ID (for reference)\n policyHash?: string; // Policy hash (for reference)\n}\n\ninterface SignerHeartbeatEntry {\n token: HeartbeatToken | null;\n refreshTimer: NodeJS.Timeout | null;\n consecutiveFailures: number;\n lastAcquireAttemptMs: number;\n lastUsedMs: number;\n acquiring: boolean;\n acquirePromise: Promise<void> | null;\n}\n\nexport class HeartbeatManager {\n private readonly httpClient: HttpClient;\n private readonly tenantId: string;\n private defaultSignerId: string;\n private readonly environment: string;\n private readonly baseRefreshIntervalSeconds: number;\n private readonly clientInstanceId: string; // Unique per process\n private readonly sdkVersion: string; // SDK version for tracking\n private readonly apiKey: string | undefined; // x-gate-heartbeat-key for Control Plane auth\n\n private readonly signerEntries: Map<string, SignerHeartbeatEntry> = new Map();\n private evictionTimer: NodeJS.Timeout | null = null;\n private started = false;\n private maxBackoffSeconds = 30; // Maximum backoff interval\n\n private readonly maxSigners: number;\n private readonly signerIdleTtlMs: number;\n private readonly localRateLimitMs: number;\n\n constructor(options: {\n httpClient: HttpClient;\n tenantId: string;\n signerId: string;\n environment?: string;\n refreshIntervalSeconds?: number;\n clientInstanceId?: string;\n sdkVersion?: string;\n /** API key for heartbeat endpoint auth (x-gate-heartbeat-key). Required unless local mode. */\n apiKey?: string;\n maxSigners?: number;\n signerIdleTtlMs?: number;\n localRateLimitMs?: number;\n }) {\n this.httpClient = options.httpClient;\n this.tenantId = options.tenantId;\n this.defaultSignerId = options.signerId;\n this.environment = options.environment ?? 'prod';\n this.baseRefreshIntervalSeconds = options.refreshIntervalSeconds ?? 10;\n this.apiKey = options.apiKey;\n \n // Generate unique client instance ID (once per process)\n this.clientInstanceId = options.clientInstanceId || uuidv4();\n \n // Get SDK version (from package.json or default)\n this.sdkVersion = options.sdkVersion || '1.0.0';\n this.apiKey = options.apiKey;\n\n this.maxSigners = options.maxSigners ?? 20;\n this.signerIdleTtlMs = options.signerIdleTtlMs ?? 300_000; // 5 min\n this.localRateLimitMs = options.localRateLimitMs ?? 2100; // 2.1s\n }\n\n /**\n * Start background heartbeat refresher.\n * Optionally wait for initial token (first evaluate() will otherwise wait up to 2s for token).\n */\n start(options?: { waitForInitial?: boolean }): void {\n if (this.started) {\n return;\n }\n\n this.started = true;\n this.startEvictionTimer();\n\n // Fire off initial acquire for default signer\n this.getTokenForSigner(this.defaultSignerId, 0).catch((error) => {\n // Ignored: expected if maxWaitMs=0 or if it takes longer\n console.warn('[HEARTBEAT] Failed to acquire initial heartbeat:', error instanceof Error ? error.message : error);\n });\n }\n\n private startEvictionTimer(): void {\n if (this.evictionTimer) clearInterval(this.evictionTimer);\n \n this.evictionTimer = setInterval(() => {\n const now = Date.now();\n for (const [signerId, entry] of this.signerEntries) {\n if (now - entry.lastUsedMs > this.signerIdleTtlMs) {\n if (entry.refreshTimer) clearTimeout(entry.refreshTimer);\n this.signerEntries.delete(signerId);\n }\n }\n }, 60_000);\n }\n\n /**\n * Schedule next refresh with jitter and backoff for a specific signer\n */\n private scheduleRefreshForSigner(signerId: string, entry: SignerHeartbeatEntry): void {\n if (!this.started || !this.signerEntries.has(signerId)) {\n return;\n }\n\n if (entry.refreshTimer) {\n clearTimeout(entry.refreshTimer);\n entry.refreshTimer = null;\n }\n\n const baseInterval = this.baseRefreshIntervalSeconds * 1000;\n const jitter = Math.random() * 2000; // 0-2 seconds jitter\n const backoff = Math.min(\n Math.pow(2, entry.consecutiveFailures) * 1000,\n this.maxBackoffSeconds * 1000\n );\n const interval = baseInterval + jitter + backoff;\n\n entry.refreshTimer = setTimeout(() => {\n // Skip if evicted\n if (!this.signerEntries.has(signerId)) return;\n\n entry.acquiring = true;\n entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry)\n .then(() => {\n this.scheduleRefreshForSigner(signerId, entry);\n })\n .catch((error) => {\n entry.consecutiveFailures++;\n console.error(`[HEARTBEAT] Refresh failed for signer ${signerId} (will retry):`, error.message || error);\n this.scheduleRefreshForSigner(signerId, entry);\n })\n .finally(() => {\n entry.acquiring = false;\n entry.acquirePromise = null;\n });\n }, interval);\n }\n\n /**\n * Stop background heartbeat refresher\n */\n stop(): void {\n if (!this.started) {\n return;\n }\n\n this.started = false;\n\n if (this.evictionTimer) {\n clearInterval(this.evictionTimer);\n this.evictionTimer = null;\n }\n\n for (const [signerId, entry] of this.signerEntries) {\n if (entry.refreshTimer) {\n clearTimeout(entry.refreshTimer);\n entry.refreshTimer = null;\n }\n }\n this.signerEntries.clear();\n }\n\n /**\n * Get current heartbeat token if valid for the default signer\n * @deprecated Use getTokenForSigner() instead.\n */\n getToken(): string | null {\n const entry = this.signerEntries.get(this.defaultSignerId);\n if (entry && entry.token && entry.token.expiresAt > Math.floor(Date.now() / 1000) + 2) {\n entry.lastUsedMs = Date.now();\n return entry.token.token;\n }\n return null;\n }\n\n /**\n * Check if current heartbeat token is valid for the default signer\n * @deprecated Use getTokenForSigner() instead.\n */\n isValid(): boolean {\n return this.getToken() !== null;\n }\n\n /**\n * Update signer ID (called when signer is known).\n * @deprecated Use getTokenForSigner() — signerId changes are handled automatically by the per-signer cache.\n */\n updateSignerId(signerId: string): void {\n this.defaultSignerId = signerId;\n }\n\n /**\n * Get a valid heartbeat token for a specific signer.\n * Returns immediately if a cached valid token exists.\n * If no token, triggers acquisition and returns a Promise that resolves\n * when the token is available (or rejects after maxWaitMs).\n */\n async getTokenForSigner(signerId: string, maxWaitMs = 2000): Promise<string> {\n if (!this.started) {\n throw new GateError(GateErrorCode.HEARTBEAT_MISSING, 'HeartbeatManager not started');\n }\n\n const startTime = Date.now();\n let entry = this.signerEntries.get(signerId);\n const now = Date.now();\n\n const getValidToken = (e: SignerHeartbeatEntry) => {\n if (e.token && e.token.expiresAt > Math.floor(Date.now() / 1000) + 2) {\n return e.token.token;\n }\n return null;\n };\n\n if (entry) {\n entry.lastUsedMs = now;\n const t = getValidToken(entry);\n if (t) return t;\n } else {\n if (this.signerEntries.size >= this.maxSigners) {\n let oldestSignerId: string | null = null;\n let oldestUsedMs = Infinity;\n for (const [sId, e] of this.signerEntries) {\n if (e.lastUsedMs < oldestUsedMs) {\n oldestUsedMs = e.lastUsedMs;\n oldestSignerId = sId;\n }\n }\n if (oldestSignerId) {\n const oldestEntry = this.signerEntries.get(oldestSignerId);\n if (oldestEntry?.refreshTimer) clearTimeout(oldestEntry.refreshTimer);\n this.signerEntries.delete(oldestSignerId);\n }\n }\n entry = {\n token: null,\n refreshTimer: null,\n consecutiveFailures: 0,\n lastAcquireAttemptMs: 0,\n lastUsedMs: now,\n acquiring: false,\n acquirePromise: null,\n };\n this.signerEntries.set(signerId, entry);\n }\n\n if (entry.acquiring && entry.acquirePromise) {\n const remainingWait = Math.max(0, maxWaitMs - (Date.now() - startTime));\n try {\n await Promise.race([\n entry.acquirePromise,\n new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), remainingWait))\n ]);\n } catch (e) {}\n const t = getValidToken(entry);\n if (t) return t;\n }\n\n const timeSinceLastAttempt = Date.now() - entry.lastAcquireAttemptMs;\n let timeToWaitBeforeFetch = 0;\n if (timeSinceLastAttempt < this.localRateLimitMs) {\n timeToWaitBeforeFetch = this.localRateLimitMs - timeSinceLastAttempt;\n }\n\n const remainingWait2 = Math.max(0, maxWaitMs - (Date.now() - startTime));\n if (timeToWaitBeforeFetch >= remainingWait2) {\n throw new GateError(\n GateErrorCode.HEARTBEAT_MISSING,\n 'Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy.'\n );\n }\n\n if (timeToWaitBeforeFetch > 0) {\n await new Promise(resolve => setTimeout(resolve, timeToWaitBeforeFetch));\n }\n\n if (!entry.acquiring) {\n entry.acquiring = true;\n entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry).finally(() => {\n if (entry) {\n entry.acquiring = false;\n entry.acquirePromise = null;\n }\n });\n }\n\n const remainingWait3 = Math.max(0, maxWaitMs - (Date.now() - startTime));\n try {\n if (entry.acquirePromise) {\n await Promise.race([\n entry.acquirePromise,\n new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), remainingWait3))\n ]);\n }\n } catch (e) {}\n\n const t = getValidToken(entry);\n if (t) return t;\n\n throw new GateError(\n GateErrorCode.HEARTBEAT_MISSING,\n 'Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy.'\n );\n }\n\n /**\n * Acquire a new heartbeat token from Control Plane for a specific signer\n * NEVER logs token value (security)\n * Requires x-gate-heartbeat-key header (apiKey) for authentication.\n */\n private async acquireHeartbeatForSigner(signerId: string, entry: SignerHeartbeatEntry): Promise<void> {\n if (!this.apiKey || this.apiKey.length === 0) {\n throw new GateError(\n GateErrorCode.UNAUTHORIZED,\n 'Heartbeat API key is required. Set GATE_HEARTBEAT_KEY in environment or pass heartbeatApiKey in GateClientConfig.',\n {}\n );\n }\n\n entry.lastAcquireAttemptMs = Date.now();\n\n try {\n const response = await this.httpClient.request<{\n success: boolean;\n data?: {\n heartbeatToken: string;\n expiresAt: number;\n ttl?: number;\n policyHash?: string;\n jti?: string;\n };\n error?: {\n message: string;\n };\n }>({\n method: 'POST',\n path: '/api/v1/gate/heartbeat',\n headers: {\n 'x-gate-heartbeat-key': this.apiKey,\n },\n body: {\n tenantId: this.tenantId,\n signerId: signerId,\n environment: this.environment,\n clientInstanceId: this.clientInstanceId,\n sdkVersion: this.sdkVersion,\n },\n });\n\n // Verify entry hasn't been evicted\n if (!this.signerEntries.has(signerId)) {\n return; // Evicted while acquiring\n }\n\n if (response.success && response.data) {\n const token = response.data.heartbeatToken;\n const expiresAt = response.data.expiresAt;\n\n if (!token || !expiresAt) {\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Invalid heartbeat response: missing token or expiresAt'\n );\n }\n\n entry.token = {\n token,\n expiresAt,\n jti: response.data.jti,\n policyHash: response.data.policyHash,\n };\n entry.consecutiveFailures = 0;\n\n // Log WITHOUT token value (security)\n console.log('[HEARTBEAT] Acquired heartbeat token', {\n expiresAt,\n signerId,\n jti: response.data.jti,\n policyHash: response.data.policyHash?.substring(0, 8) + '...',\n // DO NOT log token value\n });\n\n // Ensure refresh timer is running for this signer\n if (!entry.refreshTimer) {\n this.scheduleRefreshForSigner(signerId, entry);\n }\n } else {\n const error = (response as any).error || {};\n throw new GateError(\n GateErrorCode.SERVER_ERROR,\n `Heartbeat acquisition failed: ${error.message || 'Unknown error'}`\n );\n }\n } catch (error: any) {\n // Log error but NEVER log token\n console.error(`[HEARTBEAT] Failed to acquire heartbeat for signer ${signerId}:`, error.message || error);\n throw error;\n }\n }\n\n /**\n * Get client instance ID (for tracking)\n */\n getClientInstanceId(): string {\n return this.clientInstanceId;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - IAM Permission Risk Checker\n * \n * Best-effort detection of IAM permissions that could bypass Gate.\n */\n\nexport type EnforcementMode = 'SOFT' | 'HARD';\n\nexport interface IamPermissionRiskCheckResult {\n hasRisk: boolean;\n riskType?: 'DIRECT_KMS_SIGN_PERMISSION' | 'AWS_CREDENTIALS_DETECTED' | 'ENVIRONMENT_MARKERS';\n confidence: 'HIGH' | 'MEDIUM' | 'LOW';\n details: string;\n remediation?: string;\n}\n\nexport interface IamPermissionRiskCheckerOptions {\n tenantId: string;\n signerId?: string;\n environment?: string;\n enforcementMode: EnforcementMode;\n allowInsecureKmsSignPermission: boolean;\n kmsKeyIds?: string[]; // Optional: specific KMS keys to check\n}\n\n/**\n * IAM Permission Risk Checker\n * \n * Performs best-effort detection of IAM permissions that could allow\n * direct KMS signing, bypassing Gate SDK.\n */\nexport class IamPermissionRiskChecker {\n private readonly options: IamPermissionRiskCheckerOptions;\n\n constructor(options: IamPermissionRiskCheckerOptions) {\n this.options = options;\n }\n\n /**\n * Perform synchronous IAM permission risk check\n * \n * Performs quick checks (credentials, environment markers) synchronously.\n * In HARD mode, throws error if risk detected and override not set.\n * \n * Use this for blocking initialization checks.\n */\n checkSync(): IamPermissionRiskCheckResult {\n const checks: IamPermissionRiskCheckResult[] = [];\n\n // Check 1: AWS Credentials Presence\n const credentialsCheck = this.checkAwsCredentials();\n if (credentialsCheck.hasRisk) {\n checks.push(credentialsCheck);\n }\n\n // Check 2: Environment Markers\n const envCheck = this.checkEnvironmentMarkers();\n if (envCheck.hasRisk) {\n checks.push(envCheck);\n }\n\n // Aggregate results\n const highestConfidence = this.getHighestConfidence(checks);\n const highestRisk = checks.find(c => c.confidence === highestConfidence);\n\n if (!highestRisk || !highestRisk.hasRisk) {\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No IAM permission risk detected (synchronous check)',\n };\n }\n\n // In HARD mode, throw error if risk detected and override not set\n if (this.options.enforcementMode === 'HARD' && !this.options.allowInsecureKmsSignPermission) {\n const errorMessage = this.buildErrorMessage(highestRisk);\n throw new Error(errorMessage);\n }\n\n // Log warning in SOFT mode or if override is set\n this.logWarning(highestRisk);\n\n return highestRisk;\n }\n\n /**\n * Perform full IAM permission risk check (including async IAM simulation)\n * \n * Returns risk assessment with confidence level.\n * In HARD mode, throws error if risk detected and override not set.\n */\n async check(): Promise<IamPermissionRiskCheckResult> {\n // First do synchronous checks\n const syncResult = this.checkSync();\n \n // If sync check found risk and we're in HARD mode, it already threw\n // If we're here, either no risk or SOFT mode - continue with async checks\n \n // Check 3: IAM Permission Simulation (if available) - async\n const simulationCheck = await this.checkIamSimulation();\n if (simulationCheck.hasRisk) {\n // In HARD mode, throw error if risk detected and override not set\n if (this.options.enforcementMode === 'HARD' && !this.options.allowInsecureKmsSignPermission) {\n const errorMessage = this.buildErrorMessage(simulationCheck);\n throw new Error(errorMessage);\n }\n\n // Log warning in SOFT mode or if override is set\n this.logWarning(simulationCheck);\n \n return simulationCheck;\n }\n\n // Return sync result (no async risk found)\n return syncResult;\n }\n\n /**\n * Check if AWS credentials are present\n */\n private checkAwsCredentials(): IamPermissionRiskCheckResult {\n const hasEnvVars = !!(\n process.env.AWS_ACCESS_KEY_ID ||\n process.env.AWS_SECRET_ACCESS_KEY ||\n process.env.AWS_SESSION_TOKEN\n );\n\n const hasRoleCredentials = !!(\n process.env.AWS_ROLE_ARN ||\n process.env.AWS_WEB_IDENTITY_TOKEN_FILE ||\n process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n );\n\n if (hasEnvVars || hasRoleCredentials) {\n return {\n hasRisk: true,\n riskType: 'AWS_CREDENTIALS_DETECTED',\n confidence: 'MEDIUM',\n details: 'AWS credentials detected in environment. Application may have direct KMS signing permissions.',\n remediation: 'Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No AWS credentials detected in environment variables',\n };\n }\n\n /**\n * Check IAM permissions using simulation API (if available)\n */\n private async checkIamSimulation(): Promise<IamPermissionRiskCheckResult> {\n // IAM simulation requires additional permissions and AWS SDK\n // This is best-effort - if simulation fails, we fall back to other checks\n \n try {\n // Try to use AWS SDK v3 if available\n const iamModule = await import('@aws-sdk/client-iam').catch(() => null);\n \n if (!iamModule || !iamModule.IAMClient || !iamModule.SimulatePrincipalPolicyCommand) {\n // AWS SDK not available - skip simulation\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'AWS SDK not available for IAM simulation',\n };\n }\n \n const { IAMClient, SimulatePrincipalPolicyCommand } = iamModule;\n\n // Get current principal ARN (best-effort)\n const principalArn = await this.getCurrentPrincipalArn();\n if (!principalArn) {\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'Could not determine current principal ARN for simulation',\n };\n }\n\n // Try to simulate kms:Sign permission\n const client = new IAMClient({});\n const command = new SimulatePrincipalPolicyCommand({\n PolicySourceArn: principalArn,\n ActionNames: ['kms:Sign'],\n ResourceArns: this.options.kmsKeyIds?.map(id => `arn:aws:kms:*:*:key/${id}`) || ['arn:aws:kms:*:*:key/*'],\n });\n\n const response = await client.send(command).catch(() => null);\n \n if (!response) {\n // Simulation failed (likely due to missing permissions)\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'IAM simulation not available (may require additional permissions)',\n };\n }\n\n // Check if any evaluation result allows kms:Sign\n const allowsSign = response.EvaluationResults?.some(\n (result: any) => result.EvalDecision === 'allowed' || result.EvalDecision === 'explicitAllow'\n );\n\n if (allowsSign) {\n return {\n hasRisk: true,\n riskType: 'DIRECT_KMS_SIGN_PERMISSION',\n confidence: 'HIGH',\n details: `IAM simulation confirms principal ${principalArn} has kms:Sign permission. Direct KMS signing can bypass Gate.`,\n remediation: 'Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'HIGH',\n details: 'IAM simulation confirms no kms:Sign permission',\n };\n } catch (error) {\n // Simulation failed - fall back to other checks\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: `IAM simulation failed: ${error instanceof Error ? error.message : 'Unknown error'}`,\n };\n }\n }\n\n /**\n * Check environment markers that suggest direct KMS usage\n */\n private checkEnvironmentMarkers(): IamPermissionRiskCheckResult {\n // Check for environment variables that suggest direct KMS usage\n const markers = [\n 'KMS_KEY_ID',\n 'AWS_KMS_KEY_ID',\n 'KMS_KEY_ARN',\n 'AWS_KMS_KEY_ARN',\n ];\n\n const foundMarkers = markers.filter(marker => process.env[marker]);\n\n if (foundMarkers.length > 0) {\n return {\n hasRisk: true,\n riskType: 'ENVIRONMENT_MARKERS',\n confidence: 'LOW',\n details: `Environment markers suggest direct KMS usage: ${foundMarkers.join(', ')}`,\n remediation: 'Review environment variables and ensure KMS access is gated through Gate SDK',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No environment markers suggesting direct KMS usage',\n };\n }\n\n /**\n * Get current principal ARN (best-effort)\n */\n private async getCurrentPrincipalArn(): Promise<string | null> {\n try {\n // Try to get from STS GetCallerIdentity\n const stsModule = await import('@aws-sdk/client-sts').catch(() => null);\n \n if (!stsModule || !stsModule.STSClient || !stsModule.GetCallerIdentityCommand) {\n return null;\n }\n \n const { STSClient, GetCallerIdentityCommand } = stsModule;\n\n const client = new STSClient({});\n const command = new GetCallerIdentityCommand({});\n const response = await client.send(command).catch(() => null);\n \n if (response?.Arn) {\n return response.Arn;\n }\n } catch (error) {\n // Ignore errors - best-effort only\n }\n\n return null;\n }\n\n /**\n * Get highest confidence level from checks\n */\n private getHighestConfidence(checks: IamPermissionRiskCheckResult[]): 'HIGH' | 'MEDIUM' | 'LOW' {\n if (checks.some(c => c.confidence === 'HIGH')) {\n return 'HIGH';\n }\n if (checks.some(c => c.confidence === 'MEDIUM')) {\n return 'MEDIUM';\n }\n return 'LOW';\n }\n\n /**\n * Build error message for HARD mode\n */\n private buildErrorMessage(result: IamPermissionRiskCheckResult): string {\n const parts = [\n '[GATE ERROR] Hard enforcement mode blocked initialization:',\n ` - IAM permission risk: ${result.details}`,\n ` - Risk type: ${result.riskType}`,\n ` - Confidence: ${result.confidence}`,\n ` - Tenant ID: ${this.options.tenantId}`,\n ];\n\n if (this.options.signerId) {\n parts.push(` - Signer ID: ${this.options.signerId}`);\n }\n\n if (this.options.environment) {\n parts.push(` - Environment: ${this.options.environment}`);\n }\n\n if (result.remediation) {\n parts.push(` - Remediation: ${result.remediation}`);\n }\n\n parts.push(' - See: https://docs.blockintelai.com/gate/IAM_HARDENING');\n parts.push(` - Override: Set allowInsecureKmsSignPermission=true (not recommended for production)`);\n\n return parts.join('\\n');\n }\n\n /**\n * Log warning (SOFT mode or override set)\n */\n private logWarning(result: IamPermissionRiskCheckResult): void {\n const logData = {\n level: 'WARN',\n message: 'IAM permission risk detected',\n tenantId: this.options.tenantId,\n signerId: this.options.signerId,\n environment: this.options.environment,\n enforcementMode: this.options.enforcementMode,\n riskType: result.riskType,\n confidence: result.confidence,\n details: result.details,\n remediation: result.remediation,\n documentation: 'https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n\n // Use console.warn for structured logging\n console.warn('[GATE WARNING]', JSON.stringify(logData, null, 2));\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Gate Client\n * \n * Main client for interacting with Gate Hot Path API.\n */\n\nimport { v4 as uuidv4 } from 'uuid';\nimport { HmacSigner } from '../auth/HmacSigner.js';\nimport { ApiKeyAuth } from '../auth/ApiKeyAuth.js';\nimport { HttpClient } from '../http/HttpClient.js';\nimport { StepUpPoller } from '../stepup/stepup.js';\nimport {\n GateClientConfig,\n DefenseEvaluateRequestV2,\n DefenseEvaluateResponseV2,\n StepUpStatusResponse,\n StepUpFinalResult,\n GateMode,\n ConnectionFailureStrategy,\n EvaluationMode,\n SigningContext,\n AttestCompletedRequest,\n AttestCompletedResponse,\n} from '../types/contracts.js';\nimport {\n GateError,\n GateErrorCode,\n StepUpNotConfiguredError,\n BlockIntelBlockedError,\n BlockIntelUnavailableError,\n BlockIntelAuthError,\n BlockIntelStepUpRequiredError,\n} from '../types/errors.js';\nimport { CircuitBreaker, CircuitBreakerOpenError } from '../circuit/CircuitBreaker.js';\nimport { MetricsCollector } from '../metrics/MetricsCollector.js';\nimport { nowMs } from '../utils/time.js';\nimport { wrapKmsClient, WrapKmsClientOptions, WrappedKmsClient } from '../kms/wrapAwsSdkV3KmsClient.js';\nimport { ProvenanceProvider } from '../provenance/ProvenanceProvider.js';\nimport { buildTxBindingObject, computeTxDigest } from '../utils/txDigest.js';\nimport { HeartbeatManager } from '../heartbeat/HeartbeatManager.js';\nimport { IamPermissionRiskChecker } from '../security/IamPermissionRiskChecker.js';\nimport type { SignerBackend, SignResponse } from '../signer/SignerBackend.js';\n\n/** Default signerId when not set in config or request. Must match between heartbeat token and evaluate request to avoid HEARTBEAT_SIGNER_MISMATCH. */\nconst DEFAULT_SIGNER_ID = 'gate-sdk-client';\n\n/**\n * Gate Client for Hot Path API\n */\nexport class GateClient {\n private readonly config: GateClientConfig;\n private readonly httpClient: HttpClient;\n private readonly hmacSigner?: HmacSigner;\n private readonly apiKeyAuth?: ApiKeyAuth;\n private readonly stepUpPoller?: StepUpPoller;\n private readonly circuitBreaker?: CircuitBreaker;\n private readonly metrics: MetricsCollector;\n private readonly heartbeatManager: HeartbeatManager;\n private readonly mode: GateMode;\n private readonly onConnectionFailure: ConnectionFailureStrategy;\n\n constructor(config: GateClientConfig) {\n this.config = config;\n \n // Determine mode: env var > config > default (SHADOW for safety)\n const envMode = process.env.GATE_MODE as GateMode | undefined;\n this.mode = envMode || config.mode || 'SHADOW';\n \n // Determine connection failure strategy: config > default based on mode\n if (config.onConnectionFailure) {\n this.onConnectionFailure = config.onConnectionFailure;\n } else {\n // Default: FAIL_OPEN in SHADOW mode, FAIL_CLOSED in ENFORCE mode\n this.onConnectionFailure = this.mode === 'SHADOW' ? 'FAIL_OPEN' : 'FAIL_CLOSED';\n }\n\n // Initialize auth\n if (config.auth.mode === 'hmac') {\n this.hmacSigner = new HmacSigner({\n keyId: config.auth.keyId,\n secret: config.auth.secret,\n });\n } else {\n this.apiKeyAuth = new ApiKeyAuth({\n apiKey: config.auth.apiKey,\n });\n }\n\n // Initialize HTTP client (pass debug for sanitized logging when GATE_SDK_DEBUG=1 or config.debug)\n this.httpClient = new HttpClient({\n baseUrl: config.baseUrl,\n timeoutMs: config.timeoutMs,\n userAgent: config.userAgent,\n debug: config.debug,\n });\n\n // Initialize step-up poller if enabled\n if (config.enableStepUp) {\n this.stepUpPoller = new StepUpPoller({\n httpClient: this.httpClient,\n tenantId: config.tenantId,\n pollingIntervalMs: config.stepUp?.pollingIntervalMs,\n maxWaitMs: config.stepUp?.maxWaitMs,\n });\n }\n\n // Initialize circuit breaker if configured\n if (config.circuitBreaker) {\n this.circuitBreaker = new CircuitBreaker(config.circuitBreaker);\n }\n\n // Initialize metrics collector\n this.metrics = new MetricsCollector();\n if (config.onMetrics) {\n this.metrics.registerHook(config.onMetrics);\n }\n\n // Initialize heartbeat manager (skip in local mode)\n if (config.local) {\n console.warn('[GATE CLIENT] LOCAL MODE ENABLED - Auth, heartbeat, and break-glass are disabled');\n // @ts-ignore - heartbeatManager not needed in local mode\n this.heartbeatManager = null;\n } else {\n // Heartbeat API key required for Control Plane (parity with Python GATE_HEARTBEAT_KEY)\n const heartbeatApiKey = config.heartbeatApiKey ?? (typeof process !== 'undefined' ? process.env.GATE_HEARTBEAT_KEY : undefined);\n if (!heartbeatApiKey || heartbeatApiKey.length === 0) {\n throw new Error(\n 'GATE_HEARTBEAT_KEY environment variable or heartbeatApiKey in config is required for heartbeat authentication. ' +\n 'Set GATE_HEARTBEAT_KEY in your environment or pass heartbeatApiKey in GateClientConfig.'\n );\n }\n\n // Use control plane URL for heartbeat (different from hot path baseUrl)\n let controlPlaneUrl = config.baseUrl;\n if (controlPlaneUrl.includes('/defense')) {\n controlPlaneUrl = controlPlaneUrl.split('/defense')[0];\n }\n // Also try to get from config if explicitly set\n if ((config as any).controlPlaneUrl) {\n controlPlaneUrl = (config as any).controlPlaneUrl;\n }\n\n const heartbeatHttpClient = new HttpClient({\n baseUrl: controlPlaneUrl,\n timeoutMs: 5000, // 5s timeout for heartbeat\n userAgent: config.userAgent,\n });\n\n // Initialize heartbeat manager with configured signerId and API key (parity with Python).\n // Default must match evaluate() signingContext fallback so token sid and request signerId align (avoids HEARTBEAT_SIGNER_MISMATCH).\n const initialSignerId = config.signerId ?? DEFAULT_SIGNER_ID;\n this.heartbeatManager = new HeartbeatManager({\n httpClient: heartbeatHttpClient,\n tenantId: config.tenantId,\n signerId: initialSignerId,\n environment: (config as any).environment ?? 'prod',\n refreshIntervalSeconds: config.heartbeatRefreshIntervalSeconds ?? 10,\n apiKey: heartbeatApiKey,\n });\n\n // Start heartbeat refresher (first evaluate() waits up to 2s for token if needed)\n this.heartbeatManager.start();\n }\n\n // Perform IAM permission risk check (skip in local mode)\n if (!config.local) {\n const enforcementMode = config.enforcementMode || 'SOFT';\n const allowInsecureKmsSignPermission = config.allowInsecureKmsSignPermission ?? (enforcementMode === 'SOFT');\n \n const riskChecker = new IamPermissionRiskChecker({\n tenantId: config.tenantId,\n signerId: config.signerId,\n environment: (config as any).environment,\n enforcementMode,\n allowInsecureKmsSignPermission,\n kmsKeyIds: config.kmsKeyIds,\n });\n\n // Perform synchronous risk check first (blocks in HARD mode if risk detected)\n // This ensures HARD mode can block initialization synchronously\n riskChecker.checkSync();\n\n // Perform async IAM simulation check in background (non-blocking)\n // This provides higher confidence detection but doesn't block initialization\n // In HARD mode, if async check finds risk, it will log but won't block (already initialized)\n this.performIamRiskCheckAsync(riskChecker, enforcementMode).catch((error) => {\n // In SOFT mode or if override is set, just log\n if (enforcementMode === 'SOFT' || allowInsecureKmsSignPermission) {\n console.warn('[GATE CLIENT] Async IAM risk check warning:', error instanceof Error ? error.message : String(error));\n } else {\n // In HARD mode without override, log error (initialization already succeeded)\n console.error('[GATE CLIENT] Async IAM risk check found risk after initialization:', error);\n }\n });\n }\n }\n\n /**\n * Whether the SDK requires a decision token for ALLOW before sign (ENFORCE/HARD).\n * Env GATE_REQUIRE_DECISION_TOKEN overrides config.\n */\n getRequireDecisionToken(): boolean {\n if (typeof process !== 'undefined' && process.env.GATE_REQUIRE_DECISION_TOKEN !== undefined) {\n return process.env.GATE_REQUIRE_DECISION_TOKEN === 'true' || process.env.GATE_REQUIRE_DECISION_TOKEN === '1';\n }\n return (\n this.config.requireDecisionToken ??\n (this.mode === 'ENFORCE' || (this.config as any).enforcementMode === 'HARD')\n );\n }\n\n /**\n * Perform async IAM permission risk check (non-blocking)\n * \n * Performs async IAM simulation check in background.\n * Logs warnings but doesn't block (initialization already completed).\n */\n private async performIamRiskCheckAsync(\n riskChecker: IamPermissionRiskChecker,\n enforcementMode: 'SOFT' | 'HARD'\n ): Promise<void> {\n try {\n // This will perform async IAM simulation check\n // Note: checkSync() already ran and blocked if needed in HARD mode\n // This async check provides additional confidence but doesn't block initialization\n await riskChecker.check();\n } catch (error) {\n // Log but don't throw (initialization already succeeded)\n // The sync check already handled blocking in HARD mode\n console.warn('[GATE CLIENT] Async IAM risk check warning:', error instanceof Error ? error.message : String(error));\n }\n }\n\n /**\n * Evaluate a transaction defense request\n * \n * Implements:\n * - Shadow Mode (SHADOW: monitor-only, ENFORCE: enforce decisions)\n * - Connection failure strategy (FAIL_OPEN vs FAIL_CLOSED)\n * - Circuit breaker protection\n * - Fail-safe modes (ALLOW_ON_TIMEOUT, BLOCK_ON_TIMEOUT, BLOCK_ON_ANOMALY)\n * - Metrics collection\n * - Error handling (BLOCK → BlockIntelBlockedError, REQUIRE_STEP_UP → BlockIntelStepUpRequiredError)\n */\n async evaluate(\n req: DefenseEvaluateRequestV2,\n opts?: { requestId?: string }\n ): Promise<DefenseEvaluateResponseV2> {\n const requestId = opts?.requestId ?? uuidv4();\n const timestampMs = req.timestampMs ?? nowMs();\n const startTime = Date.now();\n const failSafeMode = this.config.failSafeMode ?? 'ALLOW_ON_TIMEOUT';\n const evaluationMode: EvaluationMode = (this.config as any).evaluationMode ?? 'BLOCKING';\n\n // Determine mode for this request (request-level override > client-level > default)\n const requestMode: GateMode = (req as any).mode || this.mode;\n const requireToken = this.getRequireDecisionToken();\n\n // Wrap request with circuit breaker if enabled\n const executeRequest = async (): Promise<DefenseEvaluateResponseV2> => {\n // Update heartbeat manager with signerId from signingContext if provided (skip in local mode)\n // Actually we don't need to updateSignerId anymore since getTokenForSigner handles it per-signer\n \n // CRITICAL: Check heartbeat before any policy evaluation (skip in local mode)\n let heartbeatToken: string | null = null;\n if (!this.config.local && this.heartbeatManager) {\n const effectiveSignerId = req.signingContext?.signerId ?? (req.signingContext as any)?.actorPrincipal ?? DEFAULT_SIGNER_ID;\n // Wait up to 2 seconds for heartbeat to be acquired if not available yet\n heartbeatToken = await this.heartbeatManager.getTokenForSigner(effectiveSignerId, 2000);\n }\n\n // Transform txIntent: map 'to' to 'toAddress', add 'networkFamily' if missing\n const txIntent: any = { ...req.txIntent };\n // Map 'to' to 'toAddress' (Hot Path expects toAddress, not to)\n if (txIntent.to && !txIntent.toAddress) {\n txIntent.toAddress = txIntent.to;\n delete txIntent.to; // Remove 'to' to avoid duplicate fields in canonical JSON\n }\n // Infer networkFamily from chainId if not provided\n if (!txIntent.networkFamily && txIntent.chainId) {\n txIntent.networkFamily = 'EVM';\n }\n // Remove 'from' if present (Hot Path doesn't use it in v2 contract)\n if (txIntent.from && !txIntent.fromAddress) {\n delete txIntent.from;\n }\n \n // Hot Path schema requires signingContext.actorPrincipal and signingContext.signerId.\n // Use same default as heartbeat token so token sid and request signerId match.\n const effectiveSignerId = req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? DEFAULT_SIGNER_ID;\n const signingContext: any = {\n ...req.signingContext,\n actorPrincipal: req.signingContext?.actorPrincipal ?? req.signingContext?.signerId ?? DEFAULT_SIGNER_ID,\n signerId: effectiveSignerId,\n };\n \n // Only include heartbeatToken if it's valid (not null/undefined)\n // Including null/undefined would change the canonical JSON hash\n if (heartbeatToken) {\n signingContext.heartbeatToken = heartbeatToken;\n }\n\n // Inject provenance from environment if available\n const provenance = ProvenanceProvider.getProvenance();\n if (provenance) {\n signingContext.caller = {\n repo: provenance.repo,\n workflow: provenance.workflow,\n ref: provenance.ref,\n actor: provenance.actor,\n attestation: provenance.attestation,\n };\n }\n \n // Prepare request body (Hot Path expects camelCase at top level; parity with Python: include tenantId in body)\n let body: any = {\n tenantId: this.config.tenantId,\n requestId: requestId,\n timestampMs: timestampMs,\n txIntent: txIntent,\n signingContext: signingContext,\n // Add SDK info (required by Hot Path validation)\n sdk: {\n name: 'gate-sdk',\n version: '0.1.0',\n },\n mode: requestMode,\n onConnectionFailure: this.onConnectionFailure,\n };\n \n // Add simulation flag if requested\n if (req.simulate === true) {\n body.simulate = true;\n }\n \n // Add break-glass token if configured (skip in local mode)\n if (!this.config.local && this.config.breakglassToken) {\n signingContext.breakglassToken = this.config.breakglassToken;\n }\n\n // Prepare headers (skip auth in local mode)\n let headers: Record<string, string> = {};\n \n if (this.config.local) {\n // Local mode: no auth headers, just basic headers\n headers = {\n 'Content-Type': 'application/json',\n };\n console.log('[GATE CLIENT] LOCAL MODE - Skipping authentication');\n } else if (this.hmacSigner) {\n // CRITICAL: For HMAC signing, the body sent in the HTTP request must match\n // the canonical JSON used for signing. The HmacSigner will canonicalize the body\n // internally, so we need to ensure the body we send matches what was canonicalized.\n // We pass the original body to HmacSigner (it will canonicalize it), then use\n // the same canonicalized result for the HTTP request.\n const { canonicalizeJson } = await import('../utils/canonicalJson.js');\n const canonicalBodyJson = canonicalizeJson(body);\n \n const hmacHeaders = await this.hmacSigner.signRequest({\n method: 'POST',\n path: '/defense/evaluate',\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n body, // Pass original body - HmacSigner will canonicalize it internally\n });\n headers = { ...hmacHeaders };\n \n // CRITICAL: Use the canonical JSON string directly for HTTP request\n // This ensures the exact same string is sent that was used for signing\n (body as any).__canonicalJson = canonicalBodyJson;\n } else if (this.apiKeyAuth) {\n const apiKeyHeaders = this.apiKeyAuth.createHeaders({\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n });\n headers = { ...apiKeyHeaders };\n } else {\n throw new Error('No authentication configured');\n }\n\n // Make request (API returns { success: true, data: { ... } } format)\n const apiResponse = await this.httpClient.request<{\n success: boolean;\n data?: DefenseEvaluateResponseV2 & {\n reason_codes?: string[];\n policy_version?: string;\n correlation_id?: string;\n step_up?: {\n request_id?: string;\n ttl_seconds?: number;\n expires_at_ms?: number;\n };\n };\n error?: any;\n }>({\n method: 'POST',\n path: '/defense/evaluate',\n headers,\n body,\n requestId,\n });\n\n // Extract data from wrapped response (Hot Path returns { success: true, data: { ... } })\n // Fallback: if response is not wrapped, use it directly (for backward compatibility)\n let responseData: any;\n if (apiResponse.success === true && apiResponse.data) {\n // Wrapped format: { success: true, data: { ... } }\n responseData = apiResponse.data;\n } else if (apiResponse.success === false && apiResponse.error) {\n // Error format: { success: false, error: { ... } }\n const error = apiResponse.error;\n throw new GateError(\n error.code as GateErrorCode || GateErrorCode.SERVER_ERROR,\n error.message || 'Request failed',\n {\n status: error.status,\n correlationId: error.correlationId,\n requestId,\n details: error,\n }\n );\n } else if ((apiResponse as any).decision) {\n // Unwrapped format: { decision: ..., reasonCodes: ..., ... } (backward compatibility)\n responseData = apiResponse as any;\n } else {\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Invalid response format: expected { success: true, data: { ... } } or unwrapped response',\n {\n requestId,\n details: apiResponse,\n }\n );\n }\n\n // Extract simulation results from metadata if present\n const metadata = responseData.metadata || {};\n const simulationData = metadata.simulation;\n \n // Convert snake_case to camelCase if needed\n const result: DefenseEvaluateResponseV2 = {\n decision: responseData.decision as 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP',\n reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],\n policyVersion: responseData.policy_version ?? responseData.policyVersion,\n correlationId: responseData.correlation_id ?? responseData.correlationId,\n decisionId: responseData.decision_id ?? responseData.decisionId,\n decisionToken: responseData.decision_token ?? responseData.decisionToken,\n expiresAt: responseData.expires_at ?? responseData.expiresAt,\n txDigest: responseData.tx_digest ?? responseData.txDigest,\n stepUp: responseData.step_up\n ? {\n requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ''),\n ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds,\n }\n : responseData.stepUp,\n enforced: responseData.enforced ?? (requestMode === 'ENFORCE'),\n shadowWouldBlock: responseData.shadow_would_block ?? responseData.shadowWouldBlock ?? false,\n mode: responseData.mode ?? requestMode,\n receipt: responseData.receipt,\n decisionHash: responseData.decision_hash ?? responseData.decisionHash,\n receiptSignature: responseData.receipt_signature ?? responseData.receiptSignature,\n ...(simulationData ? {\n simulation: {\n willRevert: simulationData.willRevert ?? simulationData.will_revert ?? false,\n gasUsed: simulationData.gasUsed ?? simulationData.gas_used,\n balanceChanges: simulationData.balanceChanges ?? simulationData.balance_changes,\n errorReason: simulationData.errorReason ?? simulationData.error_reason,\n },\n simulationLatencyMs: metadata.simulationLatencyMs ?? metadata.simulation_latency_ms,\n } : {}),\n metadata: {\n evaluationLatencyMs: metadata.evaluationLatencyMs ?? metadata.evaluation_latency_ms,\n policyHash: metadata.policyHash ?? metadata.policy_hash,\n snapshotVersion: metadata.snapshotVersion ?? metadata.snapshot_version,\n },\n };\n\n const latencyMs = Date.now() - startTime;\n\n // Policy pinning: if expectedPolicyHash or expectedSnapshotVersion set, treat mismatch as BLOCK locally\n const expectedPolicyHash = this.config.expectedPolicyHash;\n const expectedSnapshotVersion = this.config.expectedSnapshotVersion;\n if (expectedPolicyHash != null && result.metadata?.policyHash !== expectedPolicyHash) {\n if (this.config.debug) {\n console.warn('[GATE SDK] Policy hash mismatch (pinning)', {\n expected: expectedPolicyHash,\n received: result.metadata?.policyHash,\n requestId,\n });\n }\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'POLICY_HASH_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n if (expectedSnapshotVersion != null && result.metadata?.snapshotVersion !== undefined && result.metadata.snapshotVersion !== expectedSnapshotVersion) {\n if (this.config.debug) {\n console.warn('[GATE SDK] Snapshot version mismatch (pinning)', {\n expected: expectedSnapshotVersion,\n received: result.metadata?.snapshotVersion,\n requestId,\n });\n }\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'SNAPSHOT_VERSION_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n\n // ENFORCE + requireDecisionToken: ALLOW must include decisionToken/txDigest and valid expiry\n if (\n requireToken &&\n requestMode === 'ENFORCE' &&\n result.decision === 'ALLOW' &&\n !this.config.local\n ) {\n if (!result.decisionToken || !result.txDigest) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_MISSING',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n const nowSec = Math.floor(Date.now() / 1000);\n if (result.expiresAt != null && result.expiresAt < nowSec - 5) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_EXPIRED',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n // Optional: verify RS256 token signature when public key is configured (only for RS256 tokens)\n const publicKeyPem = this.config.decisionTokenPublicKey;\n if (publicKeyPem && result.decisionToken) {\n const { decodeJwtUnsafe, verifyDecisionTokenRs256 } = await import('../utils/decisionTokenVerify.js');\n const decoded = decodeJwtUnsafe(result.decisionToken);\n if (decoded && (decoded.header.alg || '').toUpperCase() === 'RS256') {\n const resolvedPem = publicKeyPem.startsWith('-----') ? publicKeyPem : Buffer.from(publicKeyPem, 'base64').toString('utf8');\n const verified = verifyDecisionTokenRs256(result.decisionToken, resolvedPem);\n if (verified === null) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_INVALID',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n }\n }\n // Verify digest matches this request (binding decision to exact tx)\n const signerId = signingContext?.signerId ?? req.signingContext?.signerId;\n const fromAddress = (txIntent as any).fromAddress ?? (txIntent as any).from;\n const binding = buildTxBindingObject(txIntent, signerId, undefined, undefined, fromAddress);\n const computedDigest = computeTxDigest(binding);\n if (computedDigest !== result.txDigest) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_DIGEST_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n }\n\n // Handle decision types\n if (result.decision === 'BLOCK') {\n // In SOFT_ENFORCE mode: return BLOCK decision but let app override (no throw)\n if (requestMode === 'SOFT_ENFORCE') {\n console.warn('[SOFT ENFORCE] Policy violation detected - app can override', {\n requestId,\n reasonCodes: result.reasonCodes,\n });\n this.metrics.recordRequest('BLOCK', latencyMs);\n return {\n ...result,\n decision: 'BLOCK',\n enforced: false,\n mode: 'SOFT_ENFORCE',\n warning: 'Policy violation detected. Override at your own risk.',\n };\n }\n // In SHADOW mode, log but don't throw - always allow\n if (requestMode === 'SHADOW') {\n // Log shadow block event\n console.warn('[GATE SHADOW MODE] Would have blocked transaction', {\n requestId,\n reasonCodes: result.reasonCodes,\n correlationId: result.correlationId,\n tenantId: this.config.tenantId,\n signerId: req.signingContext?.signerId,\n });\n \n // Record metrics (always, not just when onMetrics hook is set)\n this.metrics.recordRequest('WOULD_BLOCK', latencyMs);\n \n // Return ALLOW with shadowWouldBlock flag\n return {\n ...result,\n decision: 'ALLOW',\n enforced: false,\n shadowWouldBlock: true,\n };\n }\n \n // ENFORCE mode: BLOCK → throw BlockIntelBlockedError\n const receiptId = (responseData as any).decision_id || requestId;\n const reasonCode = result.reasonCodes[0] || 'POLICY_VIOLATION';\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);\n }\n\n if (result.decision === 'REQUIRE_STEP_UP') {\n // REQUIRE_STEP_UP handling\n if (this.config.enableStepUp && this.stepUpPoller && result.stepUp) {\n // Step-up is enabled - throw BlockIntelStepUpRequiredError\n const stepUpRequestId = result.stepUp.requestId || requestId;\n const expiresAtMs = (responseData.step_up as any)?.expires_at_ms;\n const statusUrl = `/defense/stepup/status?tenantId=${this.config.tenantId}&requestId=${stepUpRequestId}`;\n this.metrics.recordRequest('REQUIRE_STEP_UP', latencyMs);\n throw new BlockIntelStepUpRequiredError(stepUpRequestId, statusUrl, expiresAtMs, requestId);\n } else {\n // Step-up not enabled - treat as BLOCK\n const receiptId = (responseData as any).decision_id || requestId;\n const reasonCode = 'STEPUP_REQUIRED';\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);\n }\n }\n\n // ALLOW - record metrics and return\n this.metrics.recordRequest('ALLOW', latencyMs);\n return result;\n };\n\n // Fire-and-forget: return immediately with optimistic ALLOW, attest in background\n if (evaluationMode === 'FIRE_AND_FORGET') {\n executeRequest()\n .then((res) => {\n if (res.decision === 'BLOCK' || res.shadowWouldBlock) {\n console.warn('[FIRE-AND-FORGET] Would have blocked:', res.reasonCodes);\n }\n this.metrics.recordRequest(res.decision === 'ALLOW' ? 'ALLOW' : 'WOULD_BLOCK', Date.now() - startTime);\n })\n .catch((err) => {\n console.error('[FIRE-AND-FORGET] Attestation failed:', err);\n this.metrics.recordError();\n });\n return {\n decision: 'ALLOW',\n decisionId: requestId,\n correlationId: requestId,\n reasonCodes: [],\n enforced: false,\n mode: requestMode,\n fireAndForget: true,\n };\n }\n\n // Execute with circuit breaker if enabled\n try {\n if (this.circuitBreaker) {\n return await this.circuitBreaker.execute(executeRequest);\n }\n return await executeRequest();\n } catch (error: any) {\n const latencyMs = Date.now() - startTime;\n\n // Handle circuit breaker open\n if (error instanceof CircuitBreakerOpenError) {\n this.metrics.recordCircuitBreakerOpen();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw error;\n }\n\n // Handle auth failures (401/403) - always fail CLOSED (BLOCK)\n if (error instanceof GateError && (error.code === GateErrorCode.UNAUTHORIZED || error.code === GateErrorCode.FORBIDDEN)) {\n this.metrics.recordError();\n throw new BlockIntelAuthError(\n error.message,\n error.status || 401,\n requestId\n );\n }\n\n // Handle connection failures (timeout, network errors, 5xx)\n const isConnectionFailure = \n (error instanceof GateError && (error.code === GateErrorCode.TIMEOUT || error.code === GateErrorCode.SERVER_ERROR)) ||\n error instanceof BlockIntelUnavailableError ||\n (error as any)?.code === 'ECONNREFUSED' ||\n (error as any)?.code === 'ENOTFOUND' ||\n (error as any)?.code === 'ETIMEDOUT';\n \n if (isConnectionFailure) {\n this.metrics.recordTimeout();\n\n // Apply connection failure strategy\n if (this.onConnectionFailure === 'FAIL_OPEN') {\n // FAIL_OPEN: Allow transaction, log critical event. Degraded (logs/telemetry only; never in HTTP request).\n console.error('[GATE CONNECTION FAILURE] FAIL_OPEN mode - allowing transaction', {\n requestId,\n error: error.message,\n tenantId: this.config.tenantId,\n mode: requestMode,\n });\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_open)');\n\n // Emit structured log for monitoring\n this.metrics.recordRequest('FAIL_OPEN', Date.now() - startTime);\n\n return {\n decision: 'ALLOW',\n reasonCodes: ['GATE_HOTPATH_UNAVAILABLE'],\n correlationId: requestId,\n enforced: false,\n mode: requestMode,\n };\n } else {\n // FAIL_CLOSED: Block transaction\n throw new BlockIntelUnavailableError(\n `Signing blocked: Gate hot path unreachable (fail-closed). ${error.message}`,\n requestId\n );\n }\n }\n\n // Handle timeout errors (legacy - for non-connection-failure timeouts)\n if (error instanceof GateError && error.code === GateErrorCode.TIMEOUT) {\n this.metrics.recordTimeout();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw new BlockIntelUnavailableError(`Service timeout: ${error.message}`, requestId);\n }\n\n // Handle 5xx server errors - treat as timeout bucket for fail-safe\n if (error instanceof GateError && error.code === GateErrorCode.SERVER_ERROR) {\n this.metrics.recordError();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw error;\n }\n\n // 429 RATE_LIMITED: log degraded, then re-throw\n if (error instanceof GateError && error.code === GateErrorCode.RATE_LIMITED) {\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: 429)');\n throw error;\n }\n\n // Re-throw BlockIntelBlockedError and BlockIntelStepUpRequiredError as-is\n if (error instanceof BlockIntelBlockedError || error instanceof BlockIntelStepUpRequiredError) {\n throw error;\n }\n\n // Other errors - record and re-throw\n this.metrics.recordError();\n throw error;\n }\n }\n\n /**\n * Handle fail-safe modes for timeouts/errors\n */\n private handleFailSafe(\n mode: 'ALLOW_ON_TIMEOUT' | 'BLOCK_ON_TIMEOUT' | 'BLOCK_ON_ANOMALY',\n error: Error,\n requestId: string\n ): DefenseEvaluateResponseV2 | null {\n if (mode === 'ALLOW_ON_TIMEOUT') {\n // Trading bots: ALLOW on timeout with degraded flag (logs/telemetry only; never in HTTP request)\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)');\n return {\n decision: 'ALLOW',\n reasonCodes: ['FAIL_SAFE_ALLOW'],\n correlationId: requestId,\n };\n }\n\n if (mode === 'BLOCK_ON_TIMEOUT') {\n // Fail CLOSED - don't return, let error propagate\n return null;\n }\n\n if (mode === 'BLOCK_ON_ANOMALY') {\n // BLOCK only on explicit BLOCK/REQUIRE_STEP_UP decisions, not network hiccups\n // On timeout: ALLOW gracefully (logs/telemetry only; never in HTTP request)\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)');\n return {\n decision: 'ALLOW',\n reasonCodes: ['FAIL_SAFE_ALLOW'],\n correlationId: requestId,\n };\n }\n\n return null;\n }\n\n /**\n * Get current metrics\n */\n getMetrics(): ReturnType<MetricsCollector['getMetrics']> {\n return this.metrics.getMetrics();\n }\n\n /**\n * Get circuit breaker metrics (if enabled)\n */\n getCircuitBreakerMetrics(): ReturnType<CircuitBreaker['getMetrics']> | null {\n return this.circuitBreaker?.getMetrics() || null;\n }\n\n /**\n * Get step-up status\n */\n async getStepUpStatus(args: {\n requestId: string;\n tenantId?: string;\n }): Promise<StepUpStatusResponse> {\n if (!this.stepUpPoller) {\n throw new StepUpNotConfiguredError(args.requestId);\n }\n\n const tenantId = args.tenantId ?? this.config.tenantId;\n const poller = new StepUpPoller({\n httpClient: this.httpClient,\n tenantId,\n pollingIntervalMs: this.config.stepUp?.pollingIntervalMs,\n maxWaitMs: this.config.stepUp?.maxWaitMs,\n });\n\n return poller.getStatus(args.requestId);\n }\n\n /**\n * Wait for step-up decision with polling\n */\n async awaitStepUpDecision(args: {\n requestId: string;\n maxWaitMs?: number;\n intervalMs?: number;\n }): Promise<StepUpFinalResult> {\n if (!this.stepUpPoller) {\n throw new StepUpNotConfiguredError(args.requestId);\n }\n\n return this.stepUpPoller.awaitDecision(args.requestId, {\n maxWaitMs: args.maxWaitMs ?? this.config.stepUp?.maxWaitMs,\n intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs,\n });\n }\n\n /**\n * Evaluate policy and sign in one call when decision is ALLOW.\n * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.\n */\n async evaluateAndSign(params: {\n txIntent: DefenseEvaluateRequestV2['txIntent'];\n signer: SignerBackend;\n keyId: string;\n message: Buffer | Uint8Array;\n algorithm?: string;\n signingContext?: SigningContext;\n }): Promise<{ decision: DefenseEvaluateResponseV2; signature?: SignResponse }> {\n const decision = await this.evaluate({\n txIntent: params.txIntent,\n signingContext: params.signingContext,\n });\n if (decision.decision === 'ALLOW') {\n const signature = await params.signer.sign({\n keyId: params.keyId,\n message: params.message,\n algorithm: params.algorithm ?? 'ECDSA_SHA_256',\n });\n return { decision, signature };\n }\n return { decision };\n }\n\n /**\n * Attest a completed signature (post-sign). Use when you want zero latency impact on signing\n * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or\n * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).\n */\n async attestCompleted(req: AttestCompletedRequest): Promise<AttestCompletedResponse> {\n const requestId = uuidv4();\n const timestampMs = nowMs();\n const txIntent: any = { ...req.txIntent };\n if (txIntent.to && !txIntent.toAddress) {\n txIntent.toAddress = txIntent.to;\n delete txIntent.to;\n }\n if (!txIntent.networkFamily && txIntent.chainId) txIntent.networkFamily = 'EVM';\n const signingContext = {\n ...req.signingContext,\n signerId: req.signingContext?.signerId ?? req.signature.signerId,\n };\n const body = {\n tenantId: this.config.tenantId,\n requestId,\n timestampMs,\n txIntent,\n signature: req.signature,\n signingContext,\n };\n let headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (this.config.local) {\n // no auth\n } else if (this.hmacSigner) {\n const { canonicalizeJson } = await import('../utils/canonicalJson.js');\n const canonicalBodyJson = canonicalizeJson(body);\n const hmacHeaders = await this.hmacSigner.signRequest({\n method: 'POST',\n path: '/defense/attest-completed',\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n body,\n });\n headers = { ...hmacHeaders };\n (body as any).__canonicalJson = canonicalBodyJson;\n } else if (this.apiKeyAuth) {\n const apiKeyHeaders = this.apiKeyAuth.createHeaders({\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n });\n headers = { ...apiKeyHeaders };\n } else {\n throw new Error('No authentication configured');\n }\n const apiResponse = await this.httpClient.request<{ success: boolean; data?: AttestCompletedResponse; error?: any }>({\n method: 'POST',\n path: '/defense/attest-completed',\n headers,\n body,\n requestId,\n });\n if (apiResponse.success === true && (apiResponse as any).data) {\n const data = (apiResponse as any).data as AttestCompletedResponse;\n if (data.decision === 'POLICY_VIOLATION_DETECTED') {\n console.warn('[POST-SIGN ATTESTATION] Policy violation detected after signing', {\n requestId,\n reasonCodes: data.reasonCodes,\n });\n }\n return data;\n }\n if ((apiResponse as any).error) {\n const err = (apiResponse as any).error;\n throw new GateError(err.code || 'SERVER_ERROR', err.message || 'Request failed', {\n status: err.status,\n correlationId: err.correlationId,\n requestId,\n });\n }\n throw new GateError(GateErrorCode.INVALID_RESPONSE, 'Invalid response from attest-completed', { requestId });\n }\n\n /**\n * Wrap AWS SDK v3 KMS client to intercept SignCommand calls\n * \n * @param kmsClient - AWS SDK v3 KMSClient instance\n * @param options - Wrapper options\n * @returns Wrapped KMS client that enforces Gate policies\n * \n * @example\n * ```typescript\n * import { KMSClient } from '@aws-sdk/client-kms';\n * \n * const kms = new KMSClient({});\n * const protectedKms = gateClient.wrapKmsClient(kms);\n * \n * // Now SignCommand calls will be intercepted and evaluated by Gate\n * const result = await protectedKms.send(new SignCommand({ ... }));\n * ```\n */\n wrapKmsClient<T extends typeof import('@aws-sdk/client-kms').KMSClient>(\n kmsClient: InstanceType<T>,\n options?: WrapKmsClientOptions\n ): WrappedKmsClient {\n return wrapKmsClient(kmsClient as any, this, options);\n }\n}\n\n/**\n * Create a Gate client instance\n */\nexport function createGateClient(config: GateClientConfig): GateClient {\n return new GateClient(config);\n}\n\n","/**\n * Gate - Simplified API for Nexus-style injection and 5-line integration\n *\n * - Gate.fromEnv(): Create a GateClient from env vars (GATE_BASE_URL, GATE_TENANT_ID,\n * GATE_API_KEY or GATE_KEY_ID+GATE_HMAC_SECRET, GATE_MODE). Enables true 5-line integration.\n * - new Gate({ apiKey }): Passthrough guard for Nexus-injected code.\n *\n * For full policy evaluation, use GateClient.evaluate() with tx params before sending.\n */\nimport type { GateClientConfig, GateMode } from '../types/contracts.js';\nimport { GateClient } from './GateClient.js';\n\nexport class Gate {\n private readonly apiKey?: string;\n\n constructor(opts?: { apiKey?: string }) {\n this.apiKey = opts?.apiKey ?? process.env.BLOCKINTEL_API_KEY;\n }\n\n /**\n * Create a GateClient from environment variables (5-line integration).\n *\n * Reads: GATE_BASE_URL, GATE_TENANT_ID, GATE_API_KEY (or GATE_KEY_ID + GATE_HMAC_SECRET), GATE_MODE.\n */\n static fromEnv(overrides?: Partial<GateClientConfig>): GateClient {\n const baseUrl = process.env.GATE_BASE_URL;\n const tenantId = process.env.GATE_TENANT_ID;\n const apiKey = process.env.GATE_API_KEY;\n const keyId = process.env.GATE_KEY_ID;\n const hmacSecret = process.env.GATE_HMAC_SECRET;\n const mode = (process.env.GATE_MODE as GateMode | undefined) ?? 'SHADOW';\n\n if (!baseUrl || !tenantId) {\n throw new Error('GATE_BASE_URL and GATE_TENANT_ID environment variables are required');\n }\n\n let auth: GateClientConfig['auth'];\n if (apiKey) {\n auth = { mode: 'apiKey', apiKey };\n } else if (keyId && hmacSecret) {\n auth = { mode: 'hmac', keyId, secret: hmacSecret };\n } else {\n throw new Error(\n 'Either GATE_API_KEY or (GATE_KEY_ID and GATE_HMAC_SECRET) environment variables are required'\n );\n }\n\n return new GateClient({\n baseUrl,\n tenantId,\n auth,\n mode,\n ...overrides,\n });\n }\n\n /**\n * Guard a signing operation. In passthrough mode, executes the callback.\n * For full Gate integration, use GateClient with evaluate() before sending.\n */\n async guard<T>(\n _ctx: { requestId: string; reason: string },\n cb: () => Promise<T>\n ): Promise<T> {\n return cb();\n }\n}\n","/**\n * AWS KMS Signer Backend\n * \n * Implements SignerBackend for AWS KMS using AWS SDK v3\n */\n\nimport { KMSClient, SignCommand, SignCommandInput, SigningAlgorithmSpec } from '@aws-sdk/client-kms';\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\nexport interface AwsKmsSignerConfig {\n /**\n * AWS KMS client instance\n */\n kmsClient: KMSClient;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: SigningAlgorithmSpec;\n \n /**\n * Default message type (if not specified in request)\n */\n defaultMessageType?: 'RAW' | 'DIGEST';\n}\n\n/**\n * AWS KMS Signer Backend\n */\nexport class AwsKmsSigner implements SignerBackend {\n private readonly config: AwsKmsSignerConfig;\n\n constructor(config: AwsKmsSignerConfig) {\n this.config = config;\n }\n\n getName(): string {\n return 'AWS KMS';\n }\n\n isAvailable(): boolean {\n return !!this.config.kmsClient;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('AWS KMS client not configured');\n }\n\n // Map algorithm to AWS KMS SigningAlgorithmSpec\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'ECDSA_SHA_256');\n \n // Prepare SignCommand input\n const signInput: SignCommandInput = {\n KeyId: request.keyId,\n Message: Buffer.from(request.message),\n MessageType: (request.messageType || this.config.defaultMessageType || 'RAW') as 'RAW' | 'DIGEST',\n SigningAlgorithm: algorithm,\n };\n\n // Execute sign command\n const command = new SignCommand(signInput);\n const response = await this.config.kmsClient.send(command);\n\n if (!response.Signature) {\n throw new Error('AWS KMS sign response missing signature');\n }\n\n return {\n signature: Buffer.from(response.Signature),\n keyId: response.KeyId || request.keyId,\n algorithm: response.SigningAlgorithm || algorithm,\n metadata: {\n keyId: response.KeyId,\n signingAlgorithm: response.SigningAlgorithm,\n },\n };\n }\n\n /**\n * Map algorithm string to AWS KMS SigningAlgorithmSpec\n */\n private mapAlgorithm(algorithm: string | SigningAlgorithmSpec): SigningAlgorithmSpec {\n // If already a SigningAlgorithmSpec, return as-is\n if (Object.values(SigningAlgorithmSpec).includes(algorithm as SigningAlgorithmSpec)) {\n return algorithm as SigningAlgorithmSpec;\n }\n\n // Map common algorithm names to AWS KMS specs\n const algorithmMap: Record<string, SigningAlgorithmSpec> = {\n 'ECDSA_SHA_256': SigningAlgorithmSpec.ECDSA_SHA_256,\n 'ECDSA_SHA_384': SigningAlgorithmSpec.ECDSA_SHA_384,\n 'ECDSA_SHA_512': SigningAlgorithmSpec.ECDSA_SHA_512,\n 'RSASSA_PSS_SHA_256': SigningAlgorithmSpec.RSASSA_PSS_SHA_256,\n 'RSASSA_PSS_SHA_384': SigningAlgorithmSpec.RSASSA_PSS_SHA_384,\n 'RSASSA_PSS_SHA_512': SigningAlgorithmSpec.RSASSA_PSS_SHA_512,\n 'RSASSA_PKCS1_V1_5_SHA_256': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,\n 'RSASSA_PKCS1_V1_5_SHA_384': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_384,\n 'RSASSA_PKCS1_V1_5_SHA_512': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_512,\n };\n\n return algorithmMap[algorithm.toUpperCase()] || SigningAlgorithmSpec.ECDSA_SHA_256;\n }\n}\n\n","/**\n * HashiCorp Vault Signer Backend\n * \n * Implements SignerBackend for HashiCorp Vault Transit Engine\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\ninterface VaultSignResponse {\n data: {\n signature: string;\n key_version?: number;\n };\n}\n\ninterface VaultAuthResponse {\n auth: {\n client_token: string;\n };\n}\n\nexport interface VaultSignerConfig {\n /**\n * Vault API base URL (e.g., 'https://vault.example.com:8200')\n */\n vaultUrl: string;\n \n /**\n * Vault authentication token\n */\n token?: string;\n \n /**\n * Vault AppRole authentication (alternative to token)\n */\n appRole?: {\n roleId: string;\n secretId: string;\n };\n \n /**\n * Transit engine mount path (default: 'transit')\n */\n mountPath?: string;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: string;\n \n /**\n * HTTP client options (timeout, etc.)\n */\n httpOptions?: {\n timeout?: number;\n };\n}\n\n/**\n * HashiCorp Vault Signer Backend\n */\nexport class VaultSigner implements SignerBackend {\n private readonly config: Required<Pick<VaultSignerConfig, 'vaultUrl' | 'mountPath'>> & VaultSignerConfig;\n private authToken: string | null = null;\n\n constructor(config: VaultSignerConfig) {\n this.config = {\n mountPath: 'transit',\n ...config,\n };\n }\n\n getName(): string {\n return 'HashiCorp Vault';\n }\n\n isAvailable(): boolean {\n return !!this.config.vaultUrl && (!!this.config.token || !!this.config.appRole);\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('Vault signer not configured');\n }\n\n // Authenticate if needed (AppRole)\n if (!this.authToken && this.config.appRole) {\n await this.authenticateAppRole();\n }\n\n const token = this.config.token || this.authToken;\n if (!token) {\n throw new Error('Vault authentication token not available');\n }\n\n // Map algorithm to Vault format\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'ecdsa-sha2-256');\n \n // Vault Transit Engine sign endpoint\n const url = `${this.config.vaultUrl}/v1/${this.config.mountPath}/sign/${request.keyId}`;\n \n // Base64 encode message\n const messageBase64 = Buffer.from(request.message).toString('base64');\n\n const requestBody = {\n input: messageBase64,\n ...(algorithm && { algorithm }),\n ...(request.options || {}),\n };\n\n const timeout = this.config.httpOptions?.timeout || 5000;\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeout);\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'X-Vault-Token': token,\n },\n body: JSON.stringify(requestBody),\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`Vault sign failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as VaultSignResponse;\n\n if (!data.data || !data.data.signature) {\n throw new Error('Vault sign response missing signature');\n }\n\n // Vault returns signature in format: vault:v1:base64signature\n // Extract the base64 signature\n const signatureParts = data.data.signature.split(':');\n const signatureBase64 = signatureParts[signatureParts.length - 1];\n const signature = Buffer.from(signatureBase64, 'base64');\n\n return {\n signature,\n keyId: request.keyId,\n algorithm,\n metadata: {\n vaultSignature: data.data.signature,\n keyVersion: data.data.key_version,\n },\n };\n } catch (error: any) {\n clearTimeout(timeoutId);\n \n if (error.name === 'AbortError') {\n throw new Error('Vault sign request timeout');\n }\n \n throw error;\n }\n }\n\n /**\n * Authenticate using AppRole\n */\n private async authenticateAppRole(): Promise<void> {\n if (!this.config.appRole) {\n throw new Error('AppRole not configured');\n }\n\n const url = `${this.config.vaultUrl}/v1/auth/approle/login`;\n \n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n role_id: this.config.appRole.roleId,\n secret_id: this.config.appRole.secretId,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`Vault AppRole authentication failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as VaultAuthResponse;\n \n if (!data.auth || !data.auth.client_token) {\n throw new Error('Vault AppRole authentication response missing token');\n }\n\n this.authToken = data.auth.client_token;\n }\n\n /**\n * Map algorithm string to Vault format\n */\n private mapAlgorithm(algorithm: string): string {\n const algorithmMap: Record<string, string> = {\n 'ECDSA_SHA_256': 'ecdsa-sha2-256',\n 'ECDSA_SHA_384': 'ecdsa-sha2-384',\n 'ECDSA_SHA_512': 'ecdsa-sha2-512',\n 'RSASSA_PSS_SHA_256': 'rsa-sha2-256',\n 'RSASSA_PSS_SHA_384': 'rsa-sha2-384',\n 'RSASSA_PSS_SHA_512': 'rsa-sha2-512',\n };\n\n // If already in Vault format, return as-is\n if (algorithm.startsWith('ecdsa-') || algorithm.startsWith('rsa-')) {\n return algorithm;\n }\n\n return algorithmMap[algorithm.toUpperCase()] || 'ecdsa-sha2-256';\n }\n}\n\n","/**\n * Google Cloud KMS Signer Backend\n * \n * Implements SignerBackend for Google Cloud KMS\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\ninterface GcpKmsSignResponse {\n signature: string;\n name?: string;\n verifiedDigestCrc32c?: boolean;\n}\n\ninterface GcpKmsTokenResponse {\n access_token: string;\n expires_in: number;\n}\n\nexport interface GcpKmsSignerConfig {\n /**\n * GCP project ID\n */\n projectId: string;\n \n /**\n * GCP location (e.g., 'us-east1', 'global')\n */\n location: string;\n \n /**\n * Key ring name\n */\n keyRing: string;\n \n /**\n * Service account credentials (JSON key file content or path)\n */\n credentials?: string | {\n client_email: string;\n private_key: string;\n };\n \n /**\n * Use workload identity (default: false)\n * When true, uses GCP metadata service for authentication\n */\n useWorkloadIdentity?: boolean;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: string;\n \n /**\n * HTTP client options (timeout, etc.)\n */\n httpOptions?: {\n timeout?: number;\n };\n}\n\n/**\n * Google Cloud KMS Signer Backend\n */\nexport class GcpKmsSigner implements SignerBackend {\n private readonly config: Required<Pick<GcpKmsSignerConfig, 'useWorkloadIdentity'>> & GcpKmsSignerConfig;\n private accessToken: string | null = null;\n private tokenExpiry: number = 0;\n\n constructor(config: GcpKmsSignerConfig) {\n this.config = {\n useWorkloadIdentity: false,\n ...config,\n };\n }\n\n getName(): string {\n return 'Google Cloud KMS';\n }\n\n isAvailable(): boolean {\n if (this.config.useWorkloadIdentity) {\n return true; // Workload identity always available in GCP environment\n }\n return !!this.config.credentials && !!this.config.projectId;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('GCP KMS signer not configured');\n }\n\n // Get access token\n const accessToken = await this.getAccessToken();\n \n // Map algorithm to GCP format\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'EC_SIGN_P256_SHA256');\n \n // Build key resource name\n // Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyName}\n const keyName = request.keyId.includes('/') \n ? request.keyId \n : `projects/${this.config.projectId}/locations/${this.config.location}/keyRings/${this.config.keyRing}/cryptoKeys/${request.keyId}`;\n \n // GCP KMS API endpoint\n const url = `https://cloudkms.googleapis.com/v1/${keyName}:asymmetricSign`;\n \n // Base64 encode message digest\n const messageBase64 = Buffer.from(request.message).toString('base64');\n\n const requestBody = {\n digest: {\n sha256: messageBase64, // GCP expects digest, not raw message\n },\n };\n\n const timeout = this.config.httpOptions?.timeout || 5000;\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeout);\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Authorization': `Bearer ${accessToken}`,\n },\n body: JSON.stringify(requestBody),\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`GCP KMS sign failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as GcpKmsSignResponse;\n\n if (!data.signature) {\n throw new Error('GCP KMS sign response missing signature');\n }\n\n // GCP returns signature as base64 string\n const signature = Buffer.from(data.signature, 'base64');\n\n return {\n signature,\n keyId: request.keyId,\n algorithm,\n metadata: {\n name: data.name,\n verifiedDigestCrc32c: data.verifiedDigestCrc32c,\n },\n };\n } catch (error: any) {\n clearTimeout(timeoutId);\n \n if (error.name === 'AbortError') {\n throw new Error('GCP KMS sign request timeout');\n }\n \n throw error;\n }\n }\n\n /**\n * Get GCP access token\n */\n private async getAccessToken(): Promise<string> {\n // Check if token is still valid (with 5 minute buffer)\n if (this.accessToken && Date.now() < this.tokenExpiry - 5 * 60 * 1000) {\n return this.accessToken;\n }\n\n if (this.config.useWorkloadIdentity) {\n // Use GCP metadata service\n const metadataUrl = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token';\n \n const response = await fetch(metadataUrl, {\n method: 'GET',\n headers: {\n 'Metadata-Flavor': 'Google',\n },\n });\n\n if (!response.ok) {\n throw new Error(`GCP metadata service authentication failed: ${response.status}`);\n }\n\n const data = await response.json() as GcpKmsTokenResponse;\n this.accessToken = data.access_token;\n this.tokenExpiry = Date.now() + (data.expires_in * 1000);\n \n return data.access_token;\n } else {\n // Use service account credentials\n if (!this.config.credentials) {\n throw new Error('GCP credentials not configured');\n }\n\n // Service account authentication requires JWT signing\n // For production use, install @google-cloud/kms package:\n // npm install @google-cloud/kms\n // Then use: new kms.KeyManagementServiceClient({ credentials: this.config.credentials })\n // \n // For now, we support workload identity which is the recommended approach for GCP environments\n throw new Error('Service account authentication requires @google-cloud/kms SDK. Install it with: npm install @google-cloud/kms. Alternatively, use workload identity (recommended for GCP environments).');\n }\n }\n\n /**\n * Map algorithm string to GCP format\n */\n private mapAlgorithm(algorithm: string): string {\n const algorithmMap: Record<string, string> = {\n 'ECDSA_SHA_256': 'EC_SIGN_P256_SHA256',\n 'ECDSA_SHA_384': 'EC_SIGN_P384_SHA384',\n 'ECDSA_SHA_512': 'EC_SIGN_P512_SHA512',\n 'RSASSA_PSS_SHA_256': 'RSA_SIGN_PSS_2048_SHA256',\n 'RSASSA_PSS_SHA_384': 'RSA_SIGN_PSS_3072_SHA256',\n 'RSASSA_PSS_SHA_512': 'RSA_SIGN_PSS_4096_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_256': 'RSA_SIGN_PKCS1_2048_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_384': 'RSA_SIGN_PKCS1_3072_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_512': 'RSA_SIGN_PKCS1_4096_SHA256',\n };\n\n // If already in GCP format, return as-is\n if (algorithm.startsWith('EC_SIGN_') || algorithm.startsWith('RSA_SIGN_')) {\n return algorithm;\n }\n\n return algorithmMap[algorithm.toUpperCase()] || 'EC_SIGN_P256_SHA256';\n }\n}\n\n","/**\n * Fireblocks Signer Backend\n *\n * Implements SignerBackend for Fireblocks API.\n * Key ID format: fireblocks://vaultAccountId/assetId\n * Docs: https://developers.fireblocks.com/reference/post_transactions\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend.js';\nimport { createSign, createHash, randomBytes } from 'crypto';\n\nexport interface FireblocksSignerConfig {\n /** Fireblocks API base URL (default: https://api.fireblocks.io) */\n apiBaseUrl?: string;\n /** Fireblocks API key (API User ID) */\n apiKey: string;\n /** Fireblocks API secret (private key PEM) */\n apiSecret: string;\n /** Default vault account ID (optional) */\n vaultAccountId?: string;\n}\n\ninterface FireblocksTransactionRequest {\n operation: 'RAW';\n source: { type: 'VAULT_ACCOUNT'; id: string };\n assetId: string;\n note?: string;\n extraParameters?: {\n rawMessageData: {\n messages: Array<{ content: string }>;\n };\n };\n}\n\nexport class FireblocksSigner implements SignerBackend {\n private readonly config: FireblocksSignerConfig;\n private readonly apiBaseUrl: string;\n\n constructor(config: FireblocksSignerConfig) {\n this.config = config;\n this.apiBaseUrl = config.apiBaseUrl ?? 'https://api.fireblocks.io';\n }\n\n getName(): string {\n return 'Fireblocks';\n }\n\n isAvailable(): boolean {\n return !!this.config.apiKey && !!this.config.apiSecret;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('Fireblocks API key and secret required');\n }\n\n const keyIdMatch = request.keyId.match(/^fireblocks:\\/\\/([^/]+)\\/(.+)$/);\n if (!keyIdMatch) {\n throw new Error(\n 'Invalid Fireblocks keyId format. Expected: fireblocks://vaultAccountId/assetId'\n );\n }\n const [, vaultAccountId, assetId] = keyIdMatch;\n\n const messageHex =\n request.message instanceof Buffer\n ? request.message.toString('hex')\n : Buffer.from(request.message).toString('hex');\n const requestId =\n (request.options?.requestId as string) || (request as SignRequest & { requestId?: string }).requestId;\n\n const txRequest: FireblocksTransactionRequest = {\n operation: 'RAW',\n source: { type: 'VAULT_ACCOUNT', id: vaultAccountId },\n assetId,\n note: `Gate signing request: ${requestId ?? 'unknown'}`,\n extraParameters: {\n rawMessageData: {\n messages: [{ content: messageHex }],\n },\n },\n };\n\n const token = this.createAuthToken('/v1/transactions', JSON.stringify(txRequest));\n\n const response = await fetch(`${this.apiBaseUrl}/v1/transactions`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'X-API-Key': this.config.apiKey,\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify(txRequest),\n });\n\n if (!response.ok) {\n const error = await response.text();\n throw new Error(`Fireblocks API error: ${response.status} ${error}`);\n }\n\n const result = (await response.json()) as { id?: string; status?: string };\n const txId = result.id;\n if (!txId) {\n throw new Error('Fireblocks API did not return transaction id');\n }\n\n const signed = await this.pollTransaction(txId);\n const sigHex = signed?.signature ?? (signed as { signedMessages?: Array<{ signature?: string }> })?.signedMessages?.[0]?.signature;\n if (!sigHex) {\n throw new Error(`Fireblocks transaction ${txId} did not return signature`);\n }\n\n return {\n signature: Buffer.from(sigHex, 'hex'),\n keyId: request.keyId,\n algorithm: request.algorithm ?? 'ECDSA_SHA_256',\n };\n }\n\n /**\n * Create JWT for Fireblocks API (RS256, uri + bodyHash in payload).\n */\n private createAuthToken(uri: string, bodyJson?: string): string {\n const now = Math.floor(Date.now() / 1000);\n const nonce = randomBytes(16).toString('hex');\n const bodyHash = bodyJson\n ? createHash('sha256').update(bodyJson, 'utf8').digest('hex')\n : '';\n\n const payload = {\n uri,\n nonce,\n iat: now,\n exp: now + 30,\n sub: this.config.apiKey,\n bodyHash,\n };\n\n const header = { alg: 'RS256', typ: 'JWT' };\n const encodedHeader = base64UrlEncode(JSON.stringify(header));\n const encodedPayload = base64UrlEncode(JSON.stringify(payload));\n const signingInput = `${encodedHeader}.${encodedPayload}`;\n\n const sign = createSign('RSA-SHA256');\n sign.update(signingInput);\n const signature = sign.sign(this.config.apiSecret);\n const encodedSig = base64UrlEncode(signature);\n\n return `${signingInput}.${encodedSig}`;\n }\n\n private async pollTransaction(\n txId: string,\n maxAttempts = 30\n ): Promise<{ signature?: string; signedMessages?: Array<{ signature?: string }> }> {\n for (let i = 0; i < maxAttempts; i++) {\n const token = this.createAuthToken(`/v1/transactions/${txId}`);\n const response = await fetch(`${this.apiBaseUrl}/v1/transactions/${txId}`, {\n headers: {\n 'X-API-Key': this.config.apiKey,\n Authorization: `Bearer ${token}`,\n },\n });\n\n if (!response.ok) {\n throw new Error(`Failed to fetch transaction status: ${await response.text()}`);\n }\n\n const tx = (await response.json()) as {\n status?: string;\n signedMessages?: Array<{ signature?: string }>;\n signature?: string;\n };\n\n if (tx.status === 'COMPLETED') {\n return tx.signedMessages?.[0] ? { signature: tx.signedMessages[0].signature } : tx;\n }\n if (tx.status === 'FAILED' || tx.status === 'REJECTED') {\n throw new Error(`Fireblocks transaction ${txId} failed: ${tx.status}`);\n }\n\n await new Promise((r) => setTimeout(r, 1000));\n }\n\n throw new Error(\n `Fireblocks transaction ${txId} did not complete within ${maxAttempts} seconds`\n );\n }\n}\n\nfunction base64UrlEncode(input: string | Buffer): string {\n const raw =\n typeof input === 'string'\n ? Buffer.from(input, 'utf8').toString('base64')\n : input.toString('base64');\n return raw.replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n","/**\n * PKCS#11 session implementation using pkcs11js.\n *\n * When the optional dependency `pkcs11js` is installed, this class loads the\n * PKCS#11 library (e.g. SoftHSM2, Thales nShield, Utimaco, AWS CloudHSM),\n * opens a session, and performs sign operations. Without pkcs11js, use a\n * custom pkcs11Session in GenericHsmSigner or install: npm install pkcs11js\n */\n\nimport { createRequire } from 'module';\n\nconst require = createRequire(import.meta.url);\n\nexport interface Pkcs11SessionInitOptions {\n /** Slot index (default 0). Use when multiple tokens are present. */\n slotId?: number;\n}\n\nexport interface Pkcs11Session {\n initialize(libraryPath: string, pin: string, options?: Pkcs11SessionInitOptions): Promise<void>;\n sign(keyHandle: Buffer, mechanism: string, data: Buffer): Promise<Buffer>;\n close(): Promise<void>;\n}\n\nconst NOT_LINKED =\n 'PKCS#11 runtime not linked. Install pkcs11js (npm install pkcs11js) and ensure the HSM library path is correct, or provide a custom pkcs11Session to GenericHsmSigner.';\n\n/** Map mechanism names from GenericHsmSigner to pkcs11js CKM_* constants. */\nfunction mechanismToPkcs11(mechanism: string): number {\n switch (mechanism) {\n case 'CKM_ECDSA_SHA256':\n return getPkcs11().CKM_ECDSA_SHA256;\n case 'CKM_RSA_PKCS':\n // RSASSA PKCS#1 v1.5 with SHA-256: hash then sign (one-shot)\n return getPkcs11().CKM_SHA256_RSA_PKCS;\n default:\n throw new Error(`Unsupported PKCS#11 mechanism: ${mechanism}`);\n }\n}\n\n// Use any to avoid requiring pkcs11js at compile time (optional dependency)\nlet pkcs11Module: any = undefined;\n\nfunction getPkcs11(): any {\n if (pkcs11Module !== undefined) {\n if (pkcs11Module === null) throw new Error(NOT_LINKED);\n return pkcs11Module;\n }\n try {\n pkcs11Module = require('pkcs11js');\n return pkcs11Module;\n } catch {\n pkcs11Module = null;\n throw new Error(NOT_LINKED);\n }\n}\n\nexport class Pkcs11SessionImpl implements Pkcs11Session {\n private libPath: string = '';\n private pin: string = '';\n private pkcs11: any = null;\n private session: Buffer | null = null;\n private initialized = false;\n\n async initialize(libraryPath: string, pin: string, options?: Pkcs11SessionInitOptions): Promise<void> {\n const p = getPkcs11();\n this.libPath = libraryPath;\n this.pin = pin;\n this.pkcs11 = new p.PKCS11();\n this.pkcs11.load(libraryPath);\n this.pkcs11.C_Initialize();\n this.initialized = true;\n\n const slots = this.pkcs11.C_GetSlotList(true);\n if (!slots || slots.length === 0) {\n await this.close();\n throw new Error('PKCS#11: no token present in any slot');\n }\n const slotIndex = options?.slotId ?? 0;\n if (slotIndex < 0 || slotIndex >= slots.length) {\n await this.close();\n throw new Error(`PKCS#11: slotId ${slotIndex} out of range (0..${slots.length - 1})`);\n }\n const slot = slots[slotIndex];\n const flags = p.CKF_SERIAL_SESSION | p.CKF_RW_SESSION;\n this.session = this.pkcs11.C_OpenSession(slot, flags);\n this.pkcs11.C_Login(this.session, p.CKU_USER, pin);\n }\n\n async sign(keyHandle: Buffer, mechanism: string, data: Buffer): Promise<Buffer> {\n if (!this.pkcs11 || !this.session) {\n throw new Error('PKCS#11 session not initialized. Call initialize() first.');\n }\n const p = getPkcs11();\n const mechCode = mechanismToPkcs11(mechanism);\n this.pkcs11.C_SignInit(this.session, { mechanism: mechCode }, keyHandle);\n const maxSigLen = 512;\n const outData = Buffer.alloc(maxSigLen);\n const signature = this.pkcs11.C_Sign(this.session, data, outData);\n return Buffer.from(signature);\n }\n\n async close(): Promise<void> {\n if (!this.initialized) return;\n this.initialized = false;\n try {\n if (this.pkcs11 && this.session) {\n try {\n this.pkcs11.C_Logout(this.session);\n } catch {\n /* ignore */\n }\n try {\n this.pkcs11.C_CloseSession(this.session);\n } catch {\n /* ignore */\n }\n }\n if (this.pkcs11) {\n try {\n this.pkcs11.C_Finalize();\n } catch {\n /* ignore */\n }\n try {\n this.pkcs11.close();\n } catch {\n /* ignore */\n }\n }\n } finally {\n this.pkcs11 = null;\n this.session = null;\n }\n }\n}\n","/**\n * Generic HSM Signer Backend (PKCS#11)\n *\n * Abstraction for on-prem HSMs via PKCS#11 (Thales nShield, Utimaco, AWS CloudHSM, etc.).\n * Key ID format: hsm://<keyHandle> where keyHandle is hex-encoded.\n *\n * Requires a PKCS#11 session implementation. Use config.pkcs11Session for testing or\n * a real adapter; otherwise Pkcs11SessionImpl throws until a PKCS#11 library is linked.\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend.js';\nimport type { Pkcs11Session } from './pkcs11/Pkcs11SessionImpl.js';\nimport { Pkcs11SessionImpl } from './pkcs11/Pkcs11SessionImpl.js';\n\nexport interface GenericHsmSignerConfig {\n /** PKCS#11 library path (e.g. /usr/lib/libCryptoki2_64.so for Thales) */\n pkcs11LibraryPath: string;\n /** HSM slot ID (optional) */\n slotId?: number;\n /** PIN / password */\n pin: string;\n /** Optional: custom PKCS#11 session (for testing or custom HSM adapters) */\n pkcs11Session?: Pkcs11Session;\n}\n\nexport class GenericHsmSigner implements SignerBackend {\n private readonly config: GenericHsmSignerConfig;\n private session: Pkcs11Session | null = null;\n\n constructor(config: GenericHsmSignerConfig) {\n this.config = config;\n }\n\n getName(): string {\n return 'Generic HSM (PKCS#11)';\n }\n\n isAvailable(): boolean {\n return !!this.config.pkcs11LibraryPath && !!this.config.pin;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.session) {\n this.session =\n this.config.pkcs11Session ??\n (await this.initializePkcs11Session());\n }\n\n const keyIdMatch = request.keyId.match(/^hsm:\\/\\/(.+)$/);\n if (!keyIdMatch) {\n throw new Error(\n 'Invalid HSM keyId format. Expected: hsm://keyHandle (hex-encoded) or hsm://keyLabel'\n );\n }\n const keyHandle = Buffer.from(keyIdMatch[1], 'hex');\n\n const mechanism = this.mapAlgorithmToMechanism(\n request.algorithm ?? 'ECDSA_SHA_256'\n );\n const message =\n request.message instanceof Buffer\n ? request.message\n : Buffer.from(request.message);\n\n const signature = await this.session.sign(keyHandle, mechanism, message);\n\n return {\n signature,\n keyId: request.keyId,\n algorithm: request.algorithm ?? 'ECDSA_SHA_256',\n };\n }\n\n private async initializePkcs11Session(): Promise<Pkcs11Session> {\n const session = new Pkcs11SessionImpl();\n await session.initialize(this.config.pkcs11LibraryPath, this.config.pin, {\n slotId: this.config.slotId,\n });\n return session;\n }\n\n private mapAlgorithmToMechanism(algorithm: string): string {\n switch (algorithm) {\n case 'ECDSA_SHA_256':\n return 'CKM_ECDSA_SHA256';\n case 'RSASSA_PKCS1_V1_5_SHA_256':\n return 'CKM_RSA_PKCS';\n default:\n throw new Error(`Unsupported algorithm for HSM: ${algorithm}`);\n }\n }\n\n /** Release the PKCS#11 session. Call when done to free resources. */\n async close(): Promise<void> {\n if (this.session) {\n await this.session.close();\n this.session = null;\n }\n }\n}\n"]}
1
+ {"version":3,"sources":["../src/utils/canonicalJson.ts","../src/utils/decisionTokenVerify.ts","../src/utils/crypto.ts","../src/auth/HmacSigner.ts","../src/auth/ApiKeyAuth.ts","../src/types/errors.ts","../src/http/retry.ts","../src/utils/sanitize.ts","../src/http/HttpClient.ts","../src/utils/time.ts","../src/stepup/stepup.ts","../src/circuit/CircuitBreaker.ts","../src/metrics/MetricsCollector.ts","../src/utils/txDigest.ts","../src/metrics/GateMetricsSink.ts","../src/kms/wrapAwsSdkV3KmsClient.ts","../src/provenance/ProvenanceProvider.ts","../src/heartbeat/HeartbeatManager.ts","../src/security/IamPermissionRiskChecker.ts","../src/client/GateClient.ts","../src/client/Gate.ts","../src/signer/AwsKmsSigner.ts","../src/signer/VaultSigner.ts","../src/signer/GcpKmsSigner.ts","../src/signer/FireblocksSigner.ts","../src/signer/pkcs11/Pkcs11SessionImpl.ts","../src/signer/GenericHsmSigner.ts"],"names":["sorted","createHash","createVerify","createHmac","GateErrorCode","hasReceipt","SignCommand","uuidv4","t","effectiveSignerId","canonicalizeJson","decodeJwtUnsafe","verifyDecisionTokenRs256","SigningAlgorithmSpec","randomBytes","createSign","require","createRequire"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,IAAA,qBAAA,GAAA,EAAA;AAAA,QAAA,CAAA,qBAAA,EAAA;AAAA,EAAA,gBAAA,EAAA,MAAA,gBAAA;AAAA,EAAA,SAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AAmBO,SAAS,iBAAiB,GAAA,EAAsB;AACrD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW;AACrC,IAAA,OAAO,MAAA;AAAA,EACT;AAGA,EAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAU,GAAG,CAAC,CAAA;AAG7C,EAAA,SAAS,SAAS,IAAA,EAAwB;AACxC,IAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACvB,MAAA,OAAO,IAAA,CAAK,IAAI,QAAQ,CAAA;AAAA,IAC1B;AACA,IAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,OAAO,IAAA,KAAS,QAAA,EAAU;AAC7C,MAAA,MAAMA,UAAkC,EAAC;AACzC,MAAA,MAAA,CAAO,KAAK,IAAI,CAAA,CAAE,IAAA,EAAK,CAAE,QAAQ,CAAA,GAAA,KAAO;AACtC,QAAAA,QAAO,GAAG,CAAA,GAAI,QAAA,CAAU,IAAA,CAAiC,GAAG,CAAC,CAAA;AAAA,MAC/D,CAAC,CAAA;AACD,MAAA,OAAOA,OAAAA;AAAA,IACT;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,MAAA,GAAS,SAAS,MAAM,CAAA;AAC9B,EAAA,OAAO,IAAA,CAAK,UAAU,MAAM,CAAA;AAC9B;AAKA,eAAsB,UAAU,KAAA,EAAgC;AAC9D,EAAA,OAAOC,iBAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,OAAO,MAAM,CAAA,CAAE,OAAO,KAAK,CAAA;AAChE;AAnDA,IAAA,kBAAA,GAAA,KAAA,CAAA;AAAA,EAAA,4BAAA,GAAA;AAAA,EAAA;AAAA,CAAA,CAAA;;;ACAA,IAAA,2BAAA,GAAA,EAAA;AAAA,QAAA,CAAA,2BAAA,EAAA;AAAA,EAAA,eAAA,EAAA,MAAA,eAAA;AAAA,EAAA,wBAAA,EAAA,MAAA;AAAA,CAAA,CAAA;AA2BO,SAAS,gBAAgB,KAAA,EAAmF;AACjH,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,IAAA,MAAM,SAAS,IAAA,CAAK,KAAA;AAAA,MAClB,MAAA,CAAO,KAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,KACpD;AACA,IAAA,MAAM,UAAU,IAAA,CAAK,KAAA;AAAA,MACnB,MAAA,CAAO,KAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA,CAAE,SAAS,MAAM;AAAA,KACpD;AACA,IAAA,OAAO,EAAE,QAAQ,OAAA,EAAQ;AAAA,EAC3B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAMO,SAAS,wBAAA,CACd,OACA,YAAA,EAC6B;AAC7B,EAAA,MAAM,OAAA,GAAU,gBAAgB,KAAK,CAAA;AACrC,EAAA,IAAI,CAAC,YAAY,OAAA,CAAQ,MAAA,CAAO,OAAO,EAAA,EAAI,WAAA,EAAY,KAAM,OAAA,EAAS,OAAO,IAAA;AAE7E,EAAA,MAAM,EAAE,SAAQ,GAAI,OAAA;AACpB,EAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,EAAA,IAAI,QAAQ,GAAA,KAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,KAAQ,KAAK,OAAO,IAAA;AACvD,EAAA,IAAI,QAAQ,GAAA,IAAO,IAAA,IAAQ,QAAQ,GAAA,GAAM,GAAA,GAAM,GAAG,OAAO,IAAA;AAEzD,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,MAAM,YAAA,GAAe,GAAG,KAAA,CAAM,CAAC,CAAC,CAAA,CAAA,EAAI,KAAA,CAAM,CAAC,CAAC,CAAA,CAAA;AAC5C,IAAA,MAAM,YAAY,MAAA,CAAO,IAAA,CAAK,KAAA,CAAM,CAAC,GAAG,WAAW,CAAA;AACnD,IAAA,MAAM,MAAA,GAASC,oBAAa,YAAY,CAAA;AACxC,IAAA,MAAA,CAAO,OAAO,YAAY,CAAA;AAC1B,IAAA,MAAA,CAAO,GAAA,EAAI;AACX,IAAA,MAAM,EAAA,GAAK,MAAA,CAAO,MAAA,CAAO,YAAA,EAAc,SAAS,CAAA;AAChD,IAAA,OAAO,KAAK,OAAA,GAAU,IAAA;AAAA,EACxB,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AACF;AAvEA,IAOM,GAAA,EACA,GAAA;AARN,IAAA,wBAAA,GAAA,KAAA,CAAA;AAAA,EAAA,kCAAA,GAAA;AAOA,IAAM,GAAA,GAAM,iBAAA;AACZ,IAAM,GAAA,GAAM,eAAA;AAAA,EAAA;AAAA,CAAA,CAAA;ACGZ,eAAsB,UAAA,CAAW,QAAgB,OAAA,EAAkC;AAIjF,EAAA,MAAM,IAAA,GAAOC,iBAAA,CAAW,QAAA,EAAU,MAAM,CAAA;AACxC,EAAA,IAAA,CAAK,MAAA,CAAO,SAAS,MAAM,CAAA;AAC3B,EAAA,MAAM,YAAA,GAAe,IAAA,CAAK,MAAA,CAAO,KAAK,CAAA;AAGtC,EAAA,OAAA,CAAQ,KAAA,CAAM,4CAAA,EAA8C,IAAA,CAAK,SAAA,CAAU;AAAA,IACzE,cAAc,MAAA,CAAO,MAAA;AAAA,IACrB,eAAe,OAAA,CAAQ,MAAA;AAAA,IACvB,cAAA,EAAgB,OAAA,CAAQ,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAAA,IAC5C,iBAAiB,YAAA,CAAa,MAAA;AAAA,IAC9B,gBAAA,EAAkB,YAAA,CAAa,SAAA,CAAU,CAAA,EAAG,EAAE,CAAA,GAAI;AAAA,GACpD,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAEX,EAAA,OAAO,YAAA;AACT;;;ACFA,kBAAA,EAAA;AAkBO,IAAM,aAAN,MAAiB;AAAA,EACL,KAAA;AAAA,EACA,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,QAAQ,MAAA,CAAO,KAAA;AAEpB,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,IAAA,EAAK;AAEjC,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,IAC/C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,MAAA,EAOU;AAC1B,IAAA,MAAM,EAAE,MAAA,EAAQ,IAAA,EAAM,UAAU,WAAA,EAAa,SAAA,EAAW,MAAK,GAAI,MAAA;AAGjE,IAAA,MAAM,QAAA,GAAW,IAAA,GAAO,gBAAA,CAAiB,IAAI,CAAA,GAAI,EAAA;AACjD,IAAA,MAAM,QAAA,GAAW,MAAM,SAAA,CAAU,QAAQ,CAAA;AAGzC,IAAA,MAAM,aAAA,GAAgB;AAAA,MACpB,IAAA;AAAA,MACA,OAAO,WAAA,EAAY;AAAA,MACnB,IAAA;AAAA,MACA,QAAA;AAAA,MACA,IAAA,CAAK,KAAA;AAAA,MACL,OAAO,WAAW,CAAA;AAAA,MAClB,SAAA;AAAA;AAAA,MACA;AAAA,KACF,CAAE,KAAK,IAAI,CAAA;AAGX,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,IAAA,CAAK,QAAQ,aAAa,CAAA;AAE7D,IAAA,OAAO;AAAA,MACL,kBAAA,EAAoB,QAAA;AAAA,MACpB,iBAAiB,IAAA,CAAK,KAAA;AAAA,MACtB,qBAAA,EAAuB,OAAO,WAAW,CAAA;AAAA,MACzC,mBAAA,EAAqB,SAAA;AAAA,MACrB,kBAAA,EAAoB;AAAA,KACtB;AAAA,EACF;AACF,CAAA;;;AC9EO,IAAM,aAAN,MAAiB;AAAA,EACL,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAErB,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,IAC3C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,MAAA,EAII;AAChB,IAAA,MAAM,EAAE,QAAA,EAAU,WAAA,EAAa,SAAA,EAAU,GAAI,MAAA;AAE7C,IAAA,OAAO;AAAA,MACL,aAAa,IAAA,CAAK,MAAA;AAAA,MAClB,kBAAA,EAAoB,QAAA;AAAA,MACpB,mBAAA,EAAqB,SAAA;AAAA,MACrB,qBAAA,EAAuB,OAAO,WAAW;AAAA,KAC3C;AAAA,EACF;AACF,CAAA;;;AC1CO,IAAK,aAAA,qBAAAC,cAAAA,KAAL;AACL,EAAAA,eAAA,eAAA,CAAA,GAAgB,eAAA;AAChB,EAAAA,eAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,eAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,WAAA,CAAA,GAAY,WAAA;AACZ,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,cAAA,CAAA,GAAe,cAAA;AACf,EAAAA,eAAA,kBAAA,CAAA,GAAmB,kBAAA;AACnB,EAAAA,eAAA,wBAAA,CAAA,GAAyB,wBAAA;AACzB,EAAAA,eAAA,iBAAA,CAAA,GAAkB,iBAAA;AAClB,EAAAA,eAAA,SAAA,CAAA,GAAU,SAAA;AACV,EAAAA,eAAA,qBAAA,CAAA,GAAsB,qBAAA;AACtB,EAAAA,eAAA,YAAA,CAAA,GAAa,YAAA;AACb,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,mBAAA,CAAA,GAAoB,mBAAA;AACpB,EAAAA,eAAA,oBAAA,CAAA,GAAqB,oBAAA;AAjBX,EAAA,OAAAA,cAAAA;AAAA,CAAA,EAAA,aAAA,IAAA,EAAA;AAuBL,IAAM,SAAA,GAAN,cAAwB,KAAA,CAAM;AAAA,EACnB,IAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EAEhB,WAAA,CACE,IAAA,EACA,OAAA,EACA,OAAA,EAOA;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,WAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,SAAS,OAAA,EAAS,MAAA;AACvB,IAAA,IAAA,CAAK,UAAU,OAAA,EAAS,OAAA;AACxB,IAAA,IAAA,CAAK,YAAY,OAAA,EAAS,SAAA;AAC1B,IAAA,IAAA,CAAK,gBAAgB,OAAA,EAAS,aAAA;AAC9B,IAAA,IAAI,SAAS,KAAA,EAAO;AAClB,MAAA,IAAA,CAAK,QAAQ,OAAA,CAAQ,KAAA;AAAA,IACvB;AACA,IAAA,KAAA,CAAM,iBAAA,CAAkB,IAAA,EAAM,IAAA,CAAK,WAAW,CAAA;AAAA,EAChD;AAAA,EAEA,MAAA,GAAkC;AAChC,IAAA,OAAO;AAAA,MACL,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,QAAQ,IAAA,CAAK,MAAA;AAAA,MACb,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,eAAe,IAAA,CAAK;AAAA,KACtB;AAAA,EACF;AACF;AAMO,IAAM,wBAAA,GAAN,cAAuC,SAAA,CAAU;AAAA,EACtD,YAAY,SAAA,EAAoB;AAC9B,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,mHAAA;AAAA,MACA,EAAE,SAAA;AAAU,KACd;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,0BAAA;AAAA,EACd;AACF;AAMO,IAAM,sBAAA,GAAN,cAAqC,SAAA,CAAU;AAAA,EACpC,SAAA;AAAA,EACA,UAAA;AAAA,EAEhB,WAAA,CACE,UAAA,EACA,SAAA,EACA,aAAA,EACA,SAAA,EACA;AACA,IAAA,KAAA;AAAA,MACE,SAAA;AAAA,MACA,wBAAwB,UAAU,CAAA,CAAA;AAAA,MAClC,EAAE,aAAA,EAAe,SAAA,EAAW,SAAS,EAAE,UAAA,EAAY,WAAU;AAAE,KACjE;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,wBAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AACjB,IAAA,IAAA,CAAK,UAAA,GAAa,UAAA;AAAA,EACpB;AACF;AAMO,IAAM,0BAAA,GAAN,cAAyC,SAAA,CAAU;AAAA,EACxD,WAAA,CAAY,SAAiB,SAAA,EAAoB;AAC/C,IAAA,KAAA,CAAM,qBAAA,4BAAmC,OAAA,EAAS,EAAE,SAAA,EAAW,CAAA;AAC/D,IAAA,IAAA,CAAK,IAAA,GAAO,4BAAA;AAAA,EACd;AACF;AAMO,IAAM,mBAAA,GAAN,cAAkC,SAAA,CAAU;AAAA,EACjD,WAAA,CAAY,OAAA,EAAiB,MAAA,EAAgB,SAAA,EAAoB;AAC/D,IAAA,KAAA;AAAA,MACE,MAAA,KAAW,MAAM,cAAA,sBAA6B,WAAA;AAAA,MAC9C,OAAA;AAAA,MACA,EAAE,QAAQ,SAAA;AAAU,KACtB;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AAAA,EACd;AACF;AAMO,IAAM,6BAAA,GAAN,cAA4C,SAAA,CAAU;AAAA,EAC3C,eAAA;AAAA,EACA,SAAA;AAAA,EACA,WAAA;AAAA,EAEhB,WAAA,CACE,eAAA,EACA,SAAA,EACA,WAAA,EACA,SAAA,EACA;AACA,IAAA,KAAA;AAAA,MACE,wBAAA;AAAA,MACA,2BAAA;AAAA,MACA;AAAA,QACE,SAAA;AAAA,QACA,OAAA,EAAS,EAAE,eAAA,EAAiB,SAAA,EAAW,WAAA;AAAY;AACrD,KACF;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,+BAAA;AACZ,IAAA,IAAA,CAAK,eAAA,GAAkB,eAAA;AACvB,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AACjB,IAAA,IAAA,CAAK,WAAA,GAAc,WAAA;AAAA,EACrB;AACF;;;AC3JA,IAAM,qBAAA,GAAgD;AAAA,EACpD,WAAA,EAAa,CAAA;AAAA,EACb,WAAA,EAAa,GAAA;AAAA,EACb,UAAA,EAAY,GAAA;AAAA,EACZ,MAAA,EAAQ;AACV,CAAA;AAKO,SAAS,kBAAkB,MAAA,EAAyB;AAEzD,EAAA,OAAO,MAAA,KAAW,GAAA,IAAQ,MAAA,IAAU,GAAA,IAAO,MAAA,GAAS,GAAA;AACtD;AAKO,SAAS,iBAAiB,KAAA,EAAyB;AAExD,EAAA,IAAI,iBAAiB,KAAA,EAAO;AAC1B,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,OAAA,CAAQ,WAAA,EAAY;AAC1C,IAAA,OACE,OAAA,CAAQ,SAAS,SAAS,CAAA,IAC1B,QAAQ,QAAA,CAAS,SAAS,CAAA,IAC1B,OAAA,CAAQ,QAAA,CAAS,YAAY,KAC7B,OAAA,CAAQ,QAAA,CAAS,cAAc,CAAA,IAC/B,OAAA,CAAQ,SAAS,WAAW,CAAA,IAC5B,OAAA,CAAQ,QAAA,CAAS,YAAY,CAAA;AAAA,EAEjC;AACA,EAAA,OAAO,KAAA;AACT;AAKO,SAAS,qBAAA,CACd,SACA,OAAA,EACQ;AACR,EAAA,MAAM,gBAAA,GAAmB,QAAQ,WAAA,GAAc,IAAA,CAAK,IAAI,OAAA,CAAQ,MAAA,EAAQ,UAAU,CAAC,CAAA;AACnF,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,EAAO,GAAI,GAAA,GAAM,gBAAA;AACrC,EAAA,MAAM,QAAQ,gBAAA,GAAmB,MAAA;AACjC,EAAA,OAAO,IAAA,CAAK,GAAA,CAAI,KAAA,EAAO,OAAA,CAAQ,UAAU,CAAA;AAC3C;AAKA,SAAS,qBAAqB,KAAA,EAAyB;AACrD,EAAA,IAAI,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,UAAU,KAAA,EAAO;AACzD,IAAA,MAAM,SAAA,GAAY,KAAA;AAElB,IAAA,IAAI,SAAA,CAAU,IAAA,KAAS,cAAA,IAAkB,SAAA,CAAU,SAAS,cAAA,EAAgB;AAC1E,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,SAAA,CAAU,MAAA,IAAU,iBAAA,CAAkB,SAAA,CAAU,MAAM,CAAA,EAAG;AAC3D,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACA,EAAA,OAAO,KAAA;AACT;AAKA,eAAsB,gBAAA,CACpB,EAAA,EACA,OAAA,GAAwB,EAAC,EACb;AACZ,EAAA,MAAM,IAAA,GAAO,EAAE,GAAG,qBAAA,EAAuB,GAAG,OAAA,EAAQ;AACpD,EAAA,IAAI,SAAA;AAEJ,EAAA,KAAA,IAAS,OAAA,GAAU,CAAA,EAAG,OAAA,IAAW,IAAA,CAAK,aAAa,OAAA,EAAA,EAAW;AAC5D,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,EAAA,EAAG;AAAA,IAClB,SAAS,KAAA,EAAO;AACd,MAAA,SAAA,GAAY,KAAA;AAGZ,MAAA,IAAI,OAAA,IAAW,KAAK,WAAA,EAAa;AAC/B,QAAA;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,QAAA,IAAY,CAAC,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA,EAAG;AACjE,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,WAAA,GACH,KAAA,YAAiB,QAAA,IAAY,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA,IAC5D,gBAAA,CAAiB,KAAK,CAAA,IACtB,oBAAA,CAAqB,KAAK,CAAA;AAE5B,MAAA,IAAI,CAAC,WAAA,EAAa;AAChB,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,SACH,KAAA,YAAiB,QAAA,IAAY,MAAM,MAAA,IACnC,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,YAAY,KAAA,IAAU,KAAA,CAA8B,UAC1F,KAAA,IAAS,OAAO,UAAU,QAAA,IAAY,YAAA,IAAgB,SAAU,KAAA,CAAkC,UAAA;AACrG,MAAA,MAAM,OAAA,GAAU,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,IAAA,GAAQ,KAAA,IAAS,OAAO,KAAA,KAAU,QAAA,IAAY,MAAA,IAAU,KAAA,GAAS,KAAA,CAA2B,IAAA,GAAO,SAAA;AAClJ,MAAA,MAAM,KAAA,GAAQ,CAAA,SAAA,EAAY,OAAO,CAAA,CAAA,EAAI,IAAA,CAAK,WAAW,CAAA,QAAA,EAAW,MAAA,IAAU,KAAK,CAAA,KAAA,EAAQ,OAAO,CAAA,CAAA;AAC9F,MAAA,OAAA,CAAQ,IAAA,CAAK,0DAA0D,KAAK,CAAA;AAG5E,MAAA,MAAM,KAAA,GAAQ,qBAAA,CAAsB,OAAA,EAAS,IAAI,CAAA;AACjD,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,KAAK,CAAC,CAAA;AAAA,IAC3D;AAAA,EACF;AAEA,EAAA,MAAM,SAAA;AACR;;;AC7HA,IAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,EACrC,eAAA;AAAA,EACA,WAAA;AAAA,EACA,sBAAA;AAAA,EACA,kBAAA;AAAA,EACA;AACF,CAAC,CAAA;AAED,IAAM,iBAAA,GAAoB,EAAA;AAKnB,SAAS,gBAAgB,OAAA,EAAyD;AACvF,EAAA,MAAM,MAA8B,EAAC;AACrC,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,IAAA,MAAM,KAAA,GAAQ,IAAI,WAAA,EAAY;AAC9B,IAAA,IAAI,sBAAA,CAAuB,GAAA,CAAI,KAAK,CAAA,IAAK,MAAM,QAAA,CAAS,WAAW,CAAA,IAAK,KAAA,CAAM,SAAS,QAAQ,CAAA,IAAK,KAAA,CAAM,QAAA,CAAS,OAAO,CAAA,EAAG;AAC3H,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,KAAA,GAAQ,YAAA,GAAe,SAAA;AAAA,IACpC,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,QAAA,CAAS,MAAA,CAAO,KAAK,GAAG,iBAAiB,CAAA;AAAA,IACtD;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAKO,SAAS,kBAAkB,IAAA,EAAuC;AACvE,EAAA,IAAI,IAAA,KAAS,IAAA,IAAQ,IAAA,KAAS,MAAA,EAAW;AACvC,IAAA,OAAO,EAAC;AAAA,EACV;AACA,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC5B,IAAA,OAAO,EAAE,CAAA,EAAG,OAAO,IAAA,EAAK;AAAA,EAC1B;AACA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,IAAI,CAAA,EAAG;AACvB,IAAA,OAAO,EAAE,CAAA,EAAG,OAAA,EAAS,QAAQ,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,EAAE;AAAA,EACnD;AACA,EAAA,MAAM,MAA8B,EAAC;AACrC,EAAA,KAAA,MAAW,OAAO,MAAA,CAAO,IAAA,CAAK,IAAc,CAAA,CAAE,MAAK,EAAG;AACpD,IAAA,MAAM,GAAA,GAAO,KAAiC,GAAG,CAAA;AACjD,IAAA,IAAI,GAAA,KAAQ,QAAQ,OAAO,GAAA,KAAQ,YAAY,CAAC,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AAClE,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,QAAA;AAAA,IACb,CAAA,MAAA,IAAW,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC7B,MAAA,GAAA,CAAI,GAAG,CAAA,GAAI,OAAA;AAAA,IACb,CAAA,MAAO;AACL,MAAA,GAAA,CAAI,GAAG,IAAI,OAAO,GAAA;AAAA,IACpB;AAAA,EACF;AACA,EAAA,OAAO,GAAA;AACT;AAEA,SAAS,QAAA,CAAS,GAAW,GAAA,EAAqB;AAChD,EAAA,IAAI,CAAA,CAAE,MAAA,IAAU,GAAA,EAAK,OAAO,CAAA;AAC5B,EAAA,OAAO,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,GAAG,CAAA,GAAI,KAAA;AAC3B;AAKO,SAAS,eAAe,WAAA,EAAgC;AAC7D,EAAA,IAAI,WAAA,KAAgB,MAAM,OAAO,IAAA;AACjC,EAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,QAAQ,GAAA,CAAI,cAAA,KAAmB,KAAK,OAAO,IAAA;AACjF,EAAA,OAAO,KAAA;AACT;;;ACnCO,IAAM,aAAN,MAAiB;AAAA,EACL,OAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,YAAA;AAAA,EACA,KAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,OAAA,GAAU,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC/C,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,IAAA;AACrC,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,2BAAA;AACrC,IAAA,IAAA,CAAK,eAAe,MAAA,CAAO,YAAA;AAC3B,IAAA,IAAA,CAAK,KAAA,GAAQ,cAAA,CAAe,MAAA,CAAO,KAAK,CAAA;AAGxC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,IAAI,MAAM,qBAAqB,CAAA;AAAA,IACvC;AAGA,IAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,aAAa,YAAA,EAAc;AAC3E,MAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,UAAA,CAAW,UAAU,CAAA,IAAK,CAAC,IAAA,CAAK,OAAA,CAAQ,QAAA,CAAS,WAAW,CAAA,EAAG;AAC/E,QAAA,MAAM,IAAI,MAAM,yDAAyD,CAAA;AAAA,MAC3E;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAW,OAAA,EAAqC;AACpD,IAAA,MAAM,EAAE,QAAQ,IAAA,EAAM,OAAA,GAAU,EAAC,EAAG,IAAA,EAAM,WAAU,GAAI,OAAA;AAExD,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,OAAO,GAAG,IAAI,CAAA,CAAA;AAGlC,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,SAAS,CAAA;AAOrE,IAAA,IAAI,wBAAA,GAAkD,IAAA;AAEtD,IAAA,IAAI;AACF,MAAA,MAAM,WAAW,MAAM,gBAAA;AAAA,QACrB,YAAY;AACV,UAAA,MAAM,iBAAyC,EAAC;AAChD,UAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,EAAG;AAClD,YAAA,cAAA,CAAe,GAAG,CAAA,GAAI,MAAA,CAAO,KAAK,CAAA;AAAA,UACpC;AACA,UAAA,cAAA,CAAe,YAAY,IAAI,IAAA,CAAK,SAAA;AACpC,UAAA,cAAA,CAAe,cAAc,CAAA,GAAI,kBAAA;AAEjC,UAAA,MAAM,YAAA,GAA4B;AAAA,YAChC,MAAA;AAAA,YACA,OAAA,EAAS,cAAA;AAAA,YACT,QAAQ,UAAA,CAAW;AAAA,WACrB;AAEA,UAAA,IAAI,IAAA,EAAM;AACR,YAAA,IAAK,KAAa,eAAA,EAAiB;AACjC,cAAA,YAAA,CAAa,OAAQ,IAAA,CAAa,eAAA;AAClC,cAAA,OAAQ,IAAA,CAAa,eAAA;AAAA,YACvB,CAAA,MAAO;AACL,cAAA,YAAA,CAAa,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA;AAAA,YACzC;AAAA,UACF;AAEA,UAAA,MAAM,UAAU,OAAO,YAAA,CAAa,IAAA,KAAS,QAAA,GAAW,aAAa,IAAA,GAAO,IAAA;AAC5E,UAAA,wBAAA,GAA2B;AAAA,YACzB,SAAS,IAAA,CAAK,KAAA,GAAQ,eAAA,CAAgB,cAAwC,IAAI,EAAC;AAAA,YACnF,UAAA,EAAY,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS;AAAA,WACzC;AAEA,UAAA,IAAI,KAAK,KAAA,EAAO;AACd,YAAA,MAAM,SAAA,GAAY,QAAQ,OAAO,IAAA,KAAS,WAAW,iBAAA,CAAkB,IAAI,IAAI,EAAC;AAChF,YAAA,OAAA,CAAQ,KAAA,CAAM,qBAAA,EAAuB,IAAA,CAAK,SAAA,CAAU;AAAA,cAClD,GAAA;AAAA,cACA,MAAA;AAAA,cACA,WAAA,EAAa,MAAA,CAAO,IAAA,CAAK,cAAc,CAAA;AAAA,cACvC,iBAAiB,wBAAA,CAAyB,OAAA;AAAA,cAC1C,YAAY,wBAAA,CAAyB,UAAA;AAAA,cACrC,gBAAA,EAAkB;AAAA,aACpB,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,UACb;AAEA,UAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,GAAA,EAAK,YAAY,CAAA;AAGzC,UAAA,IAAI,CAAC,GAAA,CAAI,EAAA,IAAM,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,EAAG;AAC5C,YAAA,MAAM,GAAA;AAAA,UACR;AAGA,UAAA,IAAI,CAAC,GAAA,CAAI,EAAA,IAAM,CAAC,iBAAA,CAAkB,GAAA,CAAI,MAAM,CAAA,EAAG;AAC7C,YAAA,MAAM,GAAA;AAAA,UACR;AAEA,UAAA,OAAO,GAAA;AAAA,QACT,CAAA;AAAA,QACA;AAAA,UACE,GAAG,IAAA,CAAK;AAAA;AAAA;AAEV,OACF;AAEA,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,IAAA;AACJ,MAAA,MAAM,WAAA,GAAc,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA;AAEvD,MAAA,IAAI,KAAK,KAAA,EAAO;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,sBAAA,EAAwB,IAAA,CAAK,SAAA,CAAU;AAAA,UACnD,QAAQ,QAAA,CAAS,MAAA;AAAA,UACjB,IAAI,QAAA,CAAS,EAAA;AAAA,UACb,KAAK,QAAA,CAAS;AAAA,SAChB,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,MACb;AAEA,MAAA,IAAI,WAAA,IAAe,WAAA,CAAY,QAAA,CAAS,kBAAkB,CAAA,EAAG;AAC3D,QAAA,IAAI;AACF,UAAA,MAAM,QAAA,GAAW,MAAM,QAAA,CAAS,IAAA,EAAK;AACrC,UAAA,IAAA,GAAO,IAAA,CAAK,MAAM,QAAQ,CAAA;AAC1B,UAAA,IAAI,IAAA,CAAK,KAAA,IAAS,IAAA,IAAQ,OAAO,SAAS,QAAA,EAAU;AAClD,YAAA,OAAA,CAAQ,KAAA,CAAM,2BAAA,EAA6B,MAAA,CAAO,IAAA,CAAK,IAAc,CAAC,CAAA;AAAA,UACxE;AAAA,QACF,SAAS,UAAA,EAAY;AACnB,UAAA,IAAI,KAAK,KAAA,EAAO;AACd,YAAA,OAAA,CAAQ,KAAA,CAAM,gCAAgC,UAAA,YAAsB,KAAA,GAAQ,WAAW,OAAA,GAAU,MAAA,CAAO,UAAU,CAAC,CAAA;AAAA,UACrH;AACA,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,kBAAA;AAAA,YAER,+BAAA;AAAA,YACA;AAAA,cACE,QAAQ,QAAA,CAAS,MAAA;AAAA,cACjB,SAAA;AAAA,cACA,KAAA,EAAO,UAAA,YAAsB,KAAA,GAAQ,UAAA,GAAa,KAAA;AAAA;AACpD,WACF;AAAA,QACF;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,kBAAA;AAAA,UAER,4BAA4B,WAAW,CAAA,CAAA;AAAA,UACvC;AAAA,YACE,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,SAAS,EAAE,IAAA,EAAM,KAAK,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,EAAE;AAAA,YACxC;AAAA;AACF,SACF;AAAA,MACF;AAGA,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAEhB,QAAA,MAAM,kBAA0C,EAAC;AACjD,QAAA,QAAA,CAAS,OAAA,CAAQ,OAAA,CAAQ,CAAC,KAAA,EAAO,GAAA,KAAQ;AACvC,UAAA,eAAA,CAAgB,GAAG,CAAA,GAAI,KAAA;AAAA,QACzB,CAAC,CAAA;AAED,QAAA,IAAI,KAAK,KAAA,EAAO;AACd,UAAA,OAAA,CAAQ,KAAA,CAAM,4BAAA,EAA8B,IAAA,CAAK,SAAA,CAAU;AAAA,YACzD,QAAQ,QAAA,CAAS,MAAA;AAAA,YACjB,KAAK,QAAA,CAAS,GAAA;AAAA,YACd,WAAA,EAAa,IAAA;AAAA,YACb,YAAA,EAAc,QAAQ,OAAO,IAAA,KAAS,WAAW,MAAA,CAAO,IAAA,CAAK,IAAc,CAAA,GAAI;AAAC,WAClF,EAAG,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,QACb;AAEA,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,iBAAA,CAAkB,QAAA,CAAS,MAAM,CAAA;AACxD,QAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,KAAA,CAAA;AAElE,QAAA,MAAM,IAAI,UAAU,SAAA,EAAW,CAAA,KAAA,EAAQ,SAAS,MAAM,CAAA,EAAA,EAAK,QAAA,CAAS,UAAU,CAAA,CAAA,EAAI;AAAA,UAChF,QAAQ,QAAA,CAAS,MAAA;AAAA,UACjB,aAAA;AAAA,UACA,SAAA;AAAA,UACA,OAAA,EAAS;AAAA,SACV,CAAA;AAAA,MACH;AAEA,MAAA,OAAO,IAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,YAAA,CAAa,SAAS,CAAA;AAGtB,MAAA,IAAI,KAAA,YAAiB,KAAA,IAAS,KAAA,CAAM,IAAA,KAAS,YAAA,EAAc;AACzD,QAAA,MAAM,IAAI,SAAA,CAAA,SAAA,gBAAiC,CAAA,sBAAA,EAAyB,IAAA,CAAK,SAAS,CAAA,EAAA,CAAA,EAAM;AAAA,UACtF;AAAA,SACD,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,iBAAiB,QAAA,EAAU;AAC7B,QAAA,MAAM,SAAA,GAAY,IAAA,CAAK,iBAAA,CAAkB,KAAA,CAAM,MAAM,CAAA;AACrD,QAAA,MAAM,aAAA,GAAgB,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,kBAAkB,CAAA,IAAK,MAAA;AAE/D,QAAA,IAAI,OAAA;AACJ,QAAA,IAAI;AACF,UAAA,MAAM,IAAA,GAAO,MAAM,KAAA,CAAM,IAAA,EAAK;AAC9B,UAAA,IAAI;AACF,YAAA,OAAA,GAAU,IAAA,CAAK,MAAM,IAAI,CAAA;AAAA,UAC3B,CAAA,CAAA,MAAQ;AACN,YAAA,OAAA,GAAU,EAAE,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,CAAA,EAAG,GAAG,CAAA,EAAE;AAAA,UAC3C;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAEA,QAAA,MAAM,IAAI,UAAU,SAAA,EAAW,CAAA,KAAA,EAAQ,MAAM,MAAM,CAAA,EAAA,EAAK,KAAA,CAAM,UAAU,CAAA,CAAA,EAAI;AAAA,UAC1E,QAAQ,KAAA,CAAM,MAAA;AAAA,UACd,aAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA,SACD,CAAA;AAAA,MACH;AAGA,MAAA,IAAI,gBAAA,CAAiB,KAAK,CAAA,EAAG;AAC3B,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,eAAA;AAAA,UAER,kBAAkB,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA,CAAA;AAAA,UACxE;AAAA,YACE,SAAA;AAAA,YACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,GAAQ;AAAA;AAC1C,SACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,SAAA,EAAW;AAC9B,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,eAAA;AAAA,QAER,qBAAqB,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA,CAAA;AAAA,QAC3E;AAAA,UACE,SAAA;AAAA,UACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,KAAA,GAAQ;AAAA;AAC1C,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,MAAA,EAA+B;AACvD,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,cAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,WAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,WAAA;AACpB,IAAA,IAAI,WAAW,GAAA,EAAK,OAAA,cAAA;AACpB,IAAA,IAAI,MAAA,IAAU,GAAA,IAAO,MAAA,GAAS,GAAA,EAAK,OAAA,cAAA;AACnC,IAAA,OAAA,eAAA;AAAA,EACF;AACF,CAAA;;;AChSO,SAAS,KAAA,GAAgB;AAC9B,EAAA,OAAO,KAAK,GAAA,EAAI;AAClB;AAKO,SAAS,eAAA,GAA0B;AACxC,EAAA,OAAO,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACrC;AAKO,SAAS,KAAA,CAAM,KAAA,EAAe,GAAA,EAAa,GAAA,EAAqB;AACrE,EAAA,OAAO,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,CAAC,CAAA;AAC3C;AAKO,SAAS,MAAM,EAAA,EAA2B;AAC/C,EAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,YAAY,UAAA,CAAW,OAAA,EAAS,EAAE,CAAC,CAAA;AACzD;;;ACTA,IAAM,2BAAA,GAA8B,GAAA;AACpC,IAAM,mBAAA,GAAsB,IAAA;AAC5B,IAAM,uBAAA,GAA0B,GAAA;AAChC,IAAM,uBAAA,GAA0B,GAAA;AAChC,IAAM,2BAAA,GAA8B,GAAA;AAK7B,IAAM,eAAN,MAAmB;AAAA,EACP,UAAA;AAAA,EACA,QAAA;AAAA,EACA,iBAAA;AAAA,EACA,SAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,iBAAA;AAAA,EAEjB,YAAY,MAAA,EAA6B;AACvC,IAAA,IAAA,CAAK,aAAa,MAAA,CAAO,UAAA;AACzB,IAAA,IAAA,CAAK,WAAW,MAAA,CAAO,QAAA;AACvB,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAO,iBAAA,IAAqB,2BAAA;AACrD,IAAA,IAAA,CAAK,SAAA,GAAY,OAAO,SAAA,IAAa,mBAAA;AACrC,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,aAAA,IAAiB,uBAAA;AAC7C,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,aAAA,IAAiB,uBAAA;AAC7C,IAAA,IAAA,CAAK,iBAAA,GAAoB,OAAO,iBAAA,IAAqB,2BAAA;AAAA,EACvD;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,UAAU,SAAA,EAAkD;AAChE,IAAA,MAAM,IAAA,GAAO,mCAAmC,kBAAA,CAAmB,IAAA,CAAK,QAAQ,CAAC,CAAA,WAAA,EAAc,kBAAA,CAAmB,SAAS,CAAC,CAAA,CAAA;AAE5H,IAAA,IAAI;AAEF,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAQxC;AAAA,QACA,MAAA,EAAQ,KAAA;AAAA,QACR,IAAA;AAAA,QACA;AAAA,OACD,CAAA;AAED,MAAA,MAAM,QAAA,GAAiC;AAAA,QACrC,QAAQ,WAAA,CAAY,MAAA;AAAA,QACpB,QAAA,EAAU,WAAA,CAAY,SAAA,IAAa,WAAA,CAAY,QAAA;AAAA,QAC/C,SAAA,EAAW,WAAA,CAAY,UAAA,IAAc,WAAA,CAAY,SAAA;AAAA,QACjD,UAAU,WAAA,CAAY,QAAA;AAAA,QACtB,WAAA,EAAa,WAAA,CAAY,YAAA,IAAgB,WAAA,CAAY,WAAA;AAAA,QACrD,aAAA,EAAe,WAAA,CAAY,cAAA,IAAkB,WAAA,CAAY,aAAA;AAAA,QACzD,WAAA,EAAa,WAAA,CAAY,aAAA,IAAiB,WAAA,CAAY,WAAA;AAAA,QACtD,KAAK,WAAA,CAAY;AAAA,OACnB;AAGA,MAAA,MAAM,MAAM,eAAA,EAAgB;AAC5B,MAAA,IAAI,QAAA,CAAS,GAAA,KAAQ,KAAA,CAAA,IAAa,QAAA,CAAS,OAAO,GAAA,EAAK;AACrD,QAAA,OAAO;AAAA,UACL,GAAG,QAAA;AAAA,UACH,MAAA,EAAQ;AAAA,SACV;AAAA,MACF;AAEA,MAAA,OAAO,QAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,WAAA,kBAAkC;AACxE,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,WAAA;AAAA,UAER,8BAA8B,SAAS,CAAA,CAAA;AAAA,UACvC,EAAE,SAAA;AAAU,SACd;AAAA,MACF;AACA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,aAAA,CACJ,SAAA,EACA,OAAA,EAC4B;AAC5B,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,MAAM,SAAA,GAAY,OAAA,EAAS,SAAA,IAAa,IAAA,CAAK,SAAA;AAC7C,IAAA,MAAM,UAAA,GAAa,OAAA,EAAS,UAAA,IAAc,IAAA,CAAK,iBAAA;AAE/C,IAAA,OAAO,IAAA,EAAM;AACX,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA;AAG/B,MAAA,IAAI,aAAa,SAAA,EAAW;AAC1B,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,iBAAA;AAAA,UAER,kCAAkC,SAAS,CAAA,EAAA,CAAA;AAAA,UAC3C,EAAE,SAAA;AAAU,SACd;AAAA,MACF;AAEA,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,SAAA,CAAU,SAAS,CAAA;AAG7C,QAAA,MAAM,MAAM,eAAA,EAAgB;AAC5B,QAAA,IAAI,MAAA,CAAO,GAAA,KAAQ,KAAA,CAAA,IAAa,MAAA,CAAO,OAAO,GAAA,EAAK;AACjD,UAAA,OAAO;AAAA,YACL,MAAA,EAAQ,SAAA;AAAA,YACR,SAAA;AAAA,YACA,SAAA;AAAA,YACA,eAAe,MAAA,CAAO;AAAA,WACxB;AAAA,QACF;AAGA,QAAA,IACE,MAAA,CAAO,WAAW,UAAA,IAClB,MAAA,CAAO,WAAW,QAAA,IAClB,MAAA,CAAO,WAAW,SAAA,EAClB;AACA,UAAA,OAAO;AAAA,YACL,QAAQ,MAAA,CAAO,MAAA;AAAA,YACf,SAAA;AAAA,YACA,SAAA;AAAA,YACA,UAAU,MAAA,CAAO,QAAA;AAAA,YACjB,aAAa,MAAA,CAAO,WAAA;AAAA,YACpB,eAAe,MAAA,CAAO;AAAA,WACxB;AAAA,QACF;AAGA,QAAA,MAAM,MAAM,UAAU,CAAA;AAAA,MACxB,SAAS,KAAA,EAAO;AAEd,QAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,WAAA,kBAAkC;AACxE,UAAA,MAAM,KAAA;AAAA,QACR;AAIA,QAAA,MAAM,WAAA,GAAc,SAAA,IAAa,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,CAAA;AAC9C,QAAA,IAAI,eAAe,CAAA,EAAG;AACpB,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,iBAAA;AAAA,YAER,kCAAkC,SAAS,CAAA,EAAA,CAAA;AAAA,YAC3C,EAAE,SAAA,EAAW,KAAA,EAAO,KAAA,YAAiB,KAAA,GAAQ,QAAQ,MAAA;AAAU,WACjE;AAAA,QACF;AAEA,QAAA,MAAM,KAAA,CAAM,IAAA,CAAK,GAAA,CAAI,UAAA,EAAY,WAAW,CAAC,CAAA;AAAA,MAC/C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,UAAA,EAA6B;AACpC,IAAA,IAAI,eAAe,MAAA,EAAW;AAC5B,MAAA,OAAO,IAAA,CAAK,iBAAA;AAAA,IACd;AACA,IAAA,OAAO,KAAA,CAAM,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,KAAK,aAAa,CAAA;AAAA,EACjE;AACF,CAAA;;;ACvKO,IAAM,iBAAN,MAAqB;AAAA,EAClB,KAAA,GAAsB,QAAA;AAAA,EACtB,QAAA,GAAW,CAAA;AAAA,EACX,SAAA,GAAY,CAAA;AAAA,EACZ,eAAA;AAAA,EACA,eAAA;AAAA,EACA,WAAA,GAAc,CAAA;AAAA,EAEL,aAAA;AAAA,EACA,UAAA;AAAA,EAEjB,WAAA,CAAY,MAAA,GAA+B,EAAC,EAAG;AAC7C,IAAA,IAAA,CAAK,aAAA,GAAgB,OAAO,4BAAA,IAAgC,CAAA;AAC5D,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,GAAA;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAW,EAAA,EAAkC;AAEjD,IAAA,IAAI,IAAA,CAAK,UAAU,MAAA,EAAQ;AACzB,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,MAAM,oBAAA,GAAuB,IAAA,CAAK,eAAA,GAC9B,GAAA,GAAM,KAAK,eAAA,GACX,QAAA;AAEJ,MAAA,IAAI,oBAAA,IAAwB,KAAK,UAAA,EAAY;AAC3C,QAAA,IAAA,CAAK,KAAA,GAAQ,WAAA;AACb,QAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,MAClB,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,uBAAA;AAAA,UACR,CAAA,0CAAA,EAA6C,IAAA,CAAK,UAAA,GAAa,oBAAoB,CAAA,EAAA;AAAA,SACrF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,MAAM,EAAA,EAAG;AACxB,MAAA,IAAA,CAAK,SAAA,EAAU;AACf,MAAA,OAAO,MAAA;AAAA,IACT,SAAS,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,SAAA,EAAU;AACf,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA,EAEQ,SAAA,GAAkB;AACxB,IAAA,IAAA,CAAK,SAAA,EAAA;AACL,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,GAAA,EAAI;AAEhC,IAAA,IAAI,IAAA,CAAK,UAAU,WAAA,EAAa;AAE9B,MAAA,IAAA,CAAK,KAAA,GAAQ,QAAA;AACb,MAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,IAClB,CAAA,MAAA,IAAW,IAAA,CAAK,KAAA,KAAU,QAAA,EAAU;AAElC,MAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAAA,IAClB;AAAA,EACF;AAAA,EAEQ,SAAA,GAAkB;AACxB,IAAA,IAAA,CAAK,QAAA,EAAA;AACL,IAAA,IAAA,CAAK,eAAA,GAAkB,KAAK,GAAA,EAAI;AAEhC,IAAA,IAAI,IAAA,CAAK,UAAU,WAAA,EAAa;AAE9B,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AACb,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP,WAAW,IAAA,CAAK,KAAA,KAAU,YAAY,IAAA,CAAK,QAAA,IAAY,KAAK,aAAA,EAAe;AAEzE,MAAA,IAAA,CAAK,KAAA,GAAQ,MAAA;AACb,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAoC;AAClC,IAAA,OAAO;AAAA,MACL,UAAU,IAAA,CAAK,QAAA;AAAA,MACf,WAAW,IAAA,CAAK,SAAA;AAAA,MAChB,OAAO,IAAA,CAAK,KAAA;AAAA,MACZ,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,aAAa,IAAA,CAAK;AAAA,KACpB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,KAAA,GAAQ,QAAA;AACb,IAAA,IAAA,CAAK,QAAA,GAAW,CAAA;AAChB,IAAA,IAAA,CAAK,SAAA,GAAY,CAAA;AACjB,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AACvB,IAAA,IAAA,CAAK,eAAA,GAAkB,MAAA;AACvB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AAAA,EACrB;AACF,CAAA;AAKO,IAAM,uBAAA,GAAN,cAAsC,KAAA,CAAM;AAAA,EACjD,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,yBAAA;AAAA,EACd;AACF,CAAA;;;AChHO,IAAM,mBAAN,MAAuB;AAAA,EACpB,aAAA,GAAgB,CAAA;AAAA,EAChB,YAAA,GAAe,CAAA;AAAA,EACf,YAAA,GAAe,CAAA;AAAA,EACf,WAAA,GAAc,CAAA;AAAA,EACd,aAAA,GAAgB,CAAA;AAAA,EAChB,WAAA,GAAc,CAAA;AAAA,EACd,uBAAA,GAA0B,CAAA;AAAA,EAC1B,eAAA,GAAkB,CAAA;AAAA;AAAA,EAClB,aAAA,GAAgB,CAAA;AAAA;AAAA,EAChB,YAAsB,EAAC;AAAA,EAEd,UAAA,GAAa,GAAA;AAAA;AAAA,EACb,QAAuB,EAAC;AAAA;AAAA;AAAA;AAAA,EAKzC,aAAA,CAAc,UAA+E,SAAA,EAAyB;AACpH,IAAA,IAAA,CAAK,aAAA,EAAA;AAEL,IAAA,IAAI,aAAa,OAAA,EAAS;AACxB,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,OAAA,EAAS;AAC/B,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,iBAAA,EAAmB;AACzC,MAAA,IAAA,CAAK,WAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,aAAA,EAAe;AACrC,MAAA,IAAA,CAAK,eAAA,EAAA;AACL,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP,CAAA,MAAA,IAAW,aAAa,WAAA,EAAa;AACnC,MAAA,IAAA,CAAK,aAAA,EAAA;AACL,MAAA,IAAA,CAAK,YAAA,EAAA;AAAA,IACP;AAGA,IAAA,IAAA,CAAK,SAAA,CAAU,KAAK,SAAS,CAAA;AAC7B,IAAA,IAAI,IAAA,CAAK,SAAA,CAAU,MAAA,GAAS,IAAA,CAAK,UAAA,EAAY;AAC3C,MAAA,IAAA,CAAK,UAAU,KAAA,EAAM;AAAA,IACvB;AAEA,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,aAAA,GAAsB;AACpB,IAAA,IAAA,CAAK,aAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,GAAoB;AAClB,IAAA,IAAA,CAAK,WAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAA,GAAiC;AAC/B,IAAA,IAAA,CAAK,uBAAA,EAAA;AACL,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAwB,QAAA,EAAmC;AAEzD,IAAA,IAAA,CAAK,WAAA,EAAY;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO;AAAA,MACL,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,yBAAyB,IAAA,CAAK,uBAAA;AAAA,MAC9B,iBAAiB,IAAA,CAAK,eAAA;AAAA,MACtB,eAAe,IAAA,CAAK,aAAA;AAAA,MACpB,SAAA,EAAW,CAAC,GAAG,IAAA,CAAK,SAAS;AAAA;AAAA,KAC/B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,aAAa,IAAA,EAAyB;AACpC,IAAA,IAAA,CAAK,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAA,GAAoB;AAC1B,IAAA,MAAM,OAAA,GAAU,KAAK,UAAA,EAAW;AAChC,IAAA,KAAA,MAAW,IAAA,IAAQ,KAAK,KAAA,EAAO;AAC7B,MAAA,IAAI;AACF,QAAA,IAAA,CAAK,OAAO,CAAA;AAAA,MACd,SAAS,KAAA,EAAO;AAEd,QAAA,OAAA,CAAQ,KAAA,CAAM,0BAA0B,KAAK,CAAA;AAAA,MAC/C;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,YAAA,GAAe,CAAA;AACpB,IAAA,IAAA,CAAK,YAAA,GAAe,CAAA;AACpB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AACnB,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,WAAA,GAAc,CAAA;AACnB,IAAA,IAAA,CAAK,uBAAA,GAA0B,CAAA;AAC/B,IAAA,IAAA,CAAK,eAAA,GAAkB,CAAA;AACvB,IAAA,IAAA,CAAK,aAAA,GAAgB,CAAA;AACrB,IAAA,IAAA,CAAK,YAAY,EAAC;AAAA,EACpB;AACF,CAAA;ACrIA,SAAS,qBAAqB,GAAA,EAAsB;AAClD,EAAA,IAAI,GAAA,KAAQ,IAAA,IAAQ,GAAA,KAAQ,MAAA,EAAW,OAAO,MAAA;AAC9C,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,IAAA,CAAK,UAAU,GAAG,CAAA;AACtD,EAAA,IAAI,OAAO,GAAA,KAAQ,QAAA,EAAU,OAAO,IAAI,QAAA,EAAS;AACjD,EAAA,IAAI,OAAO,GAAA,KAAQ,SAAA,EAAW,OAAO,MAAM,MAAA,GAAS,OAAA;AACpD,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,MAAM,QAAQ,GAAA,CAAI,GAAA,CAAI,CAAC,IAAA,KAAS,oBAAA,CAAqB,IAAI,CAAC,CAAA;AAC1D,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACjC;AACA,EAAA,IAAI,OAAO,QAAQ,QAAA,EAAU;AAC3B,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,IAAA,CAAK,GAAG,EAAE,IAAA,EAAK;AACnC,IAAA,MAAM,QAAkB,EAAC;AACzB,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACtB,MAAA,MAAM,KAAA,GAAS,IAAgC,GAAG,CAAA;AAClD,MAAA,IAAI,UAAU,MAAA,EAAW;AACvB,QAAA,KAAA,CAAM,IAAA,CAAK,KAAK,SAAA,CAAU,GAAG,IAAI,GAAA,GAAM,oBAAA,CAAqB,KAAK,CAAC,CAAA;AAAA,MACpE;AAAA,IACF;AACA,IAAA,OAAO,GAAA,GAAM,KAAA,CAAM,IAAA,CAAK,GAAG,CAAA,GAAI,GAAA;AAAA,EACjC;AACA,EAAA,OAAO,IAAA,CAAK,UAAU,GAAG,CAAA;AAC3B;AAEA,SAAS,iBAAiB,IAAA,EAAkC;AAC1D,EAAA,IAAI,IAAA,IAAQ,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI,OAAO,EAAA;AACxC,EAAA,MAAM,CAAA,GAAI,MAAA,CAAO,IAAI,CAAA,CAAE,IAAA,EAAK;AAC5B,EAAA,IAAI,EAAE,UAAA,CAAW,IAAI,CAAA,EAAG,OAAO,EAAE,WAAA,EAAY;AAC7C,EAAA,OAAO,IAAA,GAAO,EAAE,WAAA,EAAY;AAC9B;AAEA,SAAS,cAAc,IAAA,EAAkC;AACvD,EAAA,IAAI,IAAA,IAAQ,IAAA,IAAQ,IAAA,KAAS,EAAA,EAAI,OAAO,EAAA;AACxC,EAAA,MAAM,IAAI,MAAA,CAAO,IAAI,CAAA,CAAE,IAAA,GAAO,WAAA,EAAY;AAC1C,EAAA,OAAO,CAAA,CAAE,UAAA,CAAW,IAAI,CAAA,GAAI,IAAI,IAAA,GAAO,CAAA;AACzC;AAMO,SAAS,oBAAA,CACd,QAAA,EAeA,QAAA,EACA,gBAAA,EACA,eACA,WAAA,EACiB;AACjB,EAAA,MAAM,MAAA,GAAS,QAAA,CAAS,SAAA,IAAa,QAAA,CAAS,EAAA,IAAM,EAAA;AACpD,EAAA,MAAM,KAAA,GAAA,CAAS,SAAS,WAAA,IAAe,QAAA,CAAS,gBAAgB,QAAA,CAAS,KAAA,IAAS,KAAK,QAAA,EAAS;AAChG,EAAA,MAAM,IAAA,GAAO,aAAA;AAAA,IACV,QAAA,CAAS,IAAA,IAAQ,QAAA,CAAS,WAAA,IAAe,SAAS,QAAA,IAAY;AAAA,GACjE;AACA,EAAA,MAAM,WAAW,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,KAAA,IAAS,IAAI,QAAA,EAAS;AACpE,EAAA,MAAM,SAAA,GAAY,iBAAiB,MAAM,CAAA;AACzC,EAAA,MAAM,QAAQ,QAAA,CAAS,KAAA,IAAS,OAAO,MAAA,CAAO,QAAA,CAAS,KAAK,CAAA,GAAI,EAAA;AAChE,EAAA,MAAM,UAAmC,EAAC;AAC1C,EAAA,IAAI,aAAA,IAAiB,OAAO,aAAA,KAAkB,QAAA,EAAU;AACtD,IAAA,KAAA,MAAW,CAAC,CAAA,EAAG,CAAC,KAAK,MAAA,CAAO,OAAA,CAAQ,aAAa,CAAA,EAAG;AAClD,MAAA,IAAI,CAAA,KAAM,MAAA,EAAW,OAAA,CAAQ,CAAC,CAAA,GAAI,CAAA;AAAA,IACpC;AAAA,EACF;AACA,EAAA,MAAM,GAAA,GAAuB;AAAA,IAC3B,OAAA;AAAA,IACA,SAAA;AAAA,IACA,KAAA;AAAA,IACA,IAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,IAAI,WAAA,EAAa,GAAA,CAAI,WAAA,GAAc,gBAAA,CAAiB,WAAW,CAAA;AAC/D,EAAA,IAAI,gBAAA,IAAoB,IAAA;AACtB,IAAA,GAAA,CAAI,gBAAA,GAAmB,gBAAA,GAAmB,gBAAA,CAAiB,gBAAgB,CAAA,GAAI,IAAA;AACjF,EAAA,IAAI,OAAO,IAAA,CAAK,OAAO,EAAE,MAAA,GAAS,CAAA,MAAO,OAAA,GAAU,OAAA;AACnD,EAAA,IAAI,QAAA,MAAc,QAAA,GAAW,QAAA;AAC7B,EAAA,IAAI,QAAA,CAAS,aAAA,EAAe,GAAA,CAAI,aAAA,GAAgB,QAAA,CAAS,aAAA;AACzD,EAAA,OAAO,GAAA;AACT;AAKO,SAAS,gBAAgB,OAAA,EAAkC;AAChE,EAAA,MAAM,SAAA,GAAY,qBAAqB,OAAO,CAAA;AAC9C,EAAA,OAAOH,iBAAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,WAAW,MAAM,CAAA,CAAE,OAAO,KAAK,CAAA;AACpE;;;AClFO,IAAM,eAAA,GAAmC;AAAA,EAC9C,IAAA,GAAO;AAAA,EAAC;AACV;;;ACsEO,SAAS,aAAA,CACd,SAAA,EACA,UAAA,EACA,OAAA,GAAgC,EAAC,EACf;AAClB,EAAA,MAAM,cAAA,GAAiD;AAAA,IACrD,IAAA,EAAM,QAAQ,IAAA,IAAQ,SAAA;AAAA,IACtB,qBAAA,EAAuB,QAAQ,qBAAA,IAAyB,KAAA;AAAA,IACxD,UAAA,EAAY,OAAA,CAAQ,UAAA,KAAe,MAAM;AAAA,IAAC,CAAA,CAAA;AAAA,IAC1C,eAAA,EAAiB,QAAQ,eAAA,IAAmB,sBAAA;AAAA,IAC5C,WAAA,EAAa,QAAQ,WAAA,IAAe;AAAA,GACtC;AAGA,EAAA,MAAM,OAAA,GAAU,IAAI,KAAA,CAAM,SAAA,EAAW;AAAA,IACnC,GAAA,CAAI,MAAA,EAAQ,IAAA,EAAM,QAAA,EAAU;AAC1B,MAAA,IAAI,SAAS,MAAA,EAAQ;AAEnB,QAAA,OAAO,eAAgB,OAAA,EAAc;AAEnC,UAAA,IAAI,WAAW,OAAA,CAAQ,WAAA,IAAe,OAAA,CAAQ,WAAA,CAAY,SAAS,aAAA,EAAe;AAChF,YAAA,OAAO,MAAM,iBAAA;AAAA,cACX,OAAA;AAAA,cACA,MAAA;AAAA,cACA,UAAA;AAAA,cACA;AAAA,aACF;AAAA,UACF;AAGA,UAAA,OAAO,MAAO,MAAA,CAAe,IAAA,CAAK,OAAO,CAAA;AAAA,QAC3C,CAAA;AAAA,MACF;AAGA,MAAA,OAAO,OAAA,CAAQ,GAAA,CAAI,MAAA,EAAQ,IAAA,EAAM,QAAQ,CAAA;AAAA,IAC3C;AAAA,GACD,CAAA;AAGD,EAAA,OAAA,CAAQ,eAAA,GAAkB,SAAA;AAC1B,EAAA,OAAA,CAAQ,WAAA,GAAc,UAAA;AACtB,EAAA,OAAA,CAAQ,eAAA,GAAkB,cAAA;AAE1B,EAAA,OAAO,OAAA;AACT;AAUA,SAAS,uBAAuB,OAAA,EAO9B;AAGA,EAAA,MAAM,OAAA,GAAW,OAAA,CAAgB,KAAA,EAAO,OAAA,IAAY,OAAA,CAAgB,OAAA;AACpE,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,+CAA+C,CAAA;AAAA,EACjE;AACA,EAAA,MAAM,gBAAgB,OAAA,YAAmB,MAAA,GACrC,OAAA,GACA,MAAA,CAAO,KAAK,OAAc,CAAA;AAC9B,EAAA,MAAM,WAAA,GAAcA,kBAAW,QAAQ,CAAA,CAAE,OAAO,aAAa,CAAA,CAAE,OAAO,KAAK,CAAA;AAE3E,EAAA,OAAO;AAAA,IACL,aAAA,EAAe,OAAA;AAAA,IACf,SAAA,EAAW,MAAA;AAAA;AAAA,IACX,WAAA,EAAa,WAAA;AAAA,IACb,QAAA,EAAU;AAAA;AAAA,GACZ;AACF;AAGA,SAAS,iBAAA,CACP,UAAA,EACA,OAAA,EACA,QAAA,EACA,QAAA,EACuB;AACvB,EAAA,MAAM,SAAU,UAAA,CAAmB,MAAA;AACnC,EAAA,MAAM,KAAA,GAAS,OAAA,CAAgB,KAAA,EAAO,KAAA,IAAU,OAAA,CAAgB,KAAA;AAChE,EAAA,OAAO;AAAA,IACL,UAAU,MAAA,EAAQ,QAAA;AAAA,IAClB,UAAU,QAAA,IAAY,MAAA;AAAA,IACtB,aAAA,EAAe,MAAA,EAAQ,aAAA,IAAiB,OAAA,CAAQ,GAAA,CAAI,mBAAA;AAAA,IACpD,KAAK,MAAA,EAAQ,GAAA,IAAO,QAAQ,GAAA,CAAI,QAAA,IAAY,QAAQ,GAAA,CAAI,QAAA;AAAA,IACxD,KAAA,EAAO,SAAS,OAAA,IAAW,IAAA,GAAO,OAAO,QAAA,CAAS,OAAO,IAAI,QAAA,CAAS,aAAA;AAAA,IACtE,QAAA,EAAU,KAAA;AAAA,IACV,MAAA,EAAQ,QAAQ,GAAA,CAAI;AAAA,GACtB;AACF;AAGA,SAAS,UAAA,CACP,IAAA,EACA,IAAA,EACA,MAAA,EACM;AACN,EAAA,MAAM,QAAyB,EAAE,IAAA,EAAM,QAAQ,WAAA,EAAa,IAAA,CAAK,KAAI,EAAE;AACvE,EAAA,IAAI;AACF,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,IAAA,CAAK,KAAK,CAAA;AAC9B,IAAA,IAAI,MAAA,IAAU,OAAQ,MAAA,CAAyB,KAAA,KAAU,UAAA,EAAY;AACnE,MAAC,MAAA,CAAyB,MAAM,MAAM;AAAA,MAAC,CAAC,CAAA;AAAA,IAC1C;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAKA,eAAe,iBAAA,CACb,OAAA,EACA,cAAA,EACA,UAAA,EACA,OAAA,EACc;AAEd,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,eAAA,CAAgB,OAAO,CAAA;AAIhD,EAAA,MAAM,QAAA,GAAY,OAAA,CAAgB,KAAA,EAAO,KAAA,IAAU,QAAgB,KAAA,IAAS,SAAA;AAE5E,EAAA,MAAM,MAAA,GAAS,iBAAA,CAAkB,UAAA,EAAY,OAAA,EAAS,UAAU,QAAQ,CAAA;AACxE,EAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oBAAA,EAAsB,MAAM,CAAA;AAI5D,EAAA,IAAI,cAAA;AACJ,EAAA,IAAI;AACF,IAAA,cAAA,GAAiB,MAAO,UAAA,CAAmB,gBAAA,CAAiB,iBAAA,CAAkB,UAAU,GAAI,CAAA;AAAA,EAC9F,CAAA,CAAA,MAAQ;AACN,IAAA,MAAM,IAAI,sBAAA;AAAA,MACR,mBAAA;AAAA,MACA,MAAA;AAAA;AAAA,MACA,MAAA;AAAA;AAAA,MACA;AAAA;AAAA,KACF;AAAA,EACF;AAGA,EAAA,MAAM,cAAA,GAAiB;AAAA,IACrB,QAAA;AAAA,IACA,cAAA,EAAgB,YAAA;AAAA;AAAA,IAChB;AAAA;AAAA,GACF;AAEA,EAAA,IAAI;AAEF,IAAA,MAAM,QAAA,GAAW,MAAM,UAAA,CAAW,QAAA,CAAS;AAAA,MACzC,QAAA;AAAA;AAAA,MACA;AAAA,KACD,CAAA;AAGD,IAAA,IAAI,QAAA,CAAS,QAAA,KAAa,OAAA,IAAW,OAAA,CAAQ,qBAAA,EAAuB;AAClE,MAAA,MAAMI,WAAAA,GACH,SAAiB,OAAA,IAAW,IAAA,IAC3B,SAAiB,YAAA,IAAgB,IAAA,IAAS,SAAiB,gBAAA,IAAoB,IAAA;AACnF,MAAA,IAAI,CAACA,WAAAA,EAAY;AACf,QAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oCAAA,EAAsC,MAAM,CAAA;AAC5E,QAAA,OAAA,CAAQ,WAAW,OAAA,EAAS;AAAA,UAC1B,OAAO,IAAI,sBAAA;AAAA,YACT,kBAAA;AAAA,YACC,QAAA,CAAiB,UAAA;AAAA,YACjB,QAAA,CAAiB,aAAA;AAAA,YAClB,KAAA;AAAA,WACF;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,kBAAA;AAAA,UACC,QAAA,CAAiB,UAAA;AAAA,UACjB,QAAA,CAAiB,aAAA;AAAA,UAClB,KAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IACE,QAAA,CAAS,aAAa,OAAA,IACtB,UAAA,CAAW,yBAAwB,IACnC,QAAA,CAAS,YAAY,IAAA,EACrB;AACA,MAAA,MAAM,OAAA,GAAU,oBAAA;AAAA,QACd,QAAA;AAAA,QACA,QAAA;AAAA,QACA,KAAA,CAAA;AAAA,QACA,KAAA,CAAA;AAAA,QACC,cAAA,CAAuB;AAAA,OAC1B;AACA,MAAA,MAAM,cAAA,GAAiB,gBAAgB,OAAO,CAAA;AAC9C,MAAA,IAAI,cAAA,KAAmB,SAAS,QAAA,EAAU;AACxC,QAAA,OAAA,CAAQ,WAAW,OAAA,EAAS;AAAA,UAC1B,OAAO,IAAI,sBAAA;AAAA,YACT,4BAAA;AAAA,YACA,QAAA,CAAS,UAAA;AAAA,YACT,QAAA,CAAS,aAAA;AAAA,YACT,KAAA;AAAA,WACF;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,4BAAA;AAAA,UACA,QAAA,CAAS,UAAA;AAAA,UACT,QAAA,CAAS,aAAA;AAAA,UACT,KAAA;AAAA,SACF;AAAA,MACF;AAAA,IACF;AAEA,IAAA,MAAM,UAAA,GACH,SAAiB,OAAA,IAAW,IAAA,IAC3B,SAAiB,YAAA,IAAgB,IAAA,IAAS,SAAiB,gBAAA,IAAoB,IAAA;AACnF,IAAA,IAAI,UAAA,EAAY;AACd,MAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,iCAAA,EAAmC,MAAM,CAAA;AAAA,IAC3E;AACA,IAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oBAAA,EAAsB,MAAM,CAAA;AAE5D,IAAA,OAAA,CAAQ,WAAW,OAAA,EAAS,EAAE,QAAA,EAAU,QAAA,EAAU,SAAS,CAAA;AAE3D,IAAA,IAAI,OAAA,CAAQ,SAAS,SAAA,EAAW;AAE9B,MAAA,OAAO,MAAM,cAAA,CAAe,IAAA,CAAK,IAAIC,qBAAA,CAAY,OAAO,CAAC,CAAA;AAAA,IAC3D;AAGA,IAAA,MAAM,cAAA,GAAiB,CAAC,kBAAA,EAAoB,kBAAA,EAAoB,kBAAkB,CAAA;AAClF,IAAA,MAAM,YAAA,GAAgB,UAAA,CAAmB,gBAAA,EAAkB,gBAAA,IAAmB;AAE9E,IAAA,IAAI,YAAA,IAAgB,cAAA,CAAe,QAAA,CAAS,YAAY,CAAA,EAAG;AAEzD,MAAA,UAAA,CAAW,OAAA,CAAQ,WAAA,EAAa,oBAAA,EAAsB,MAAM,CAAA;AAC5D,MAAA,OAAO,MAAM,YAAA,CAAa,UAAA,EAAY,QAAA,EAAU,SAAS,QAAQ,CAAA;AAAA,IACnE;AAGA,IAAA,OAAO,MAAM,cAAA,CAAe,IAAA,CAAK,IAAIA,qBAAA,CAAY,OAAO,CAAC,CAAA;AAAA,EAC3D,SAAS,KAAA,EAAY;AAEnB,IAAA,IAAI,iBAAiB,sBAAA,EAAwB;AAC3C,MAAA,OAAA,CAAQ,WAAW,OAAA,EAAS,EAAE,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AACxD,MAAA,MAAM,KAAA;AAAA,IACR;AAEA,IAAA,IAAI,iBAAiB,6BAAA,EAA+B;AAClD,MAAA,OAAA,CAAQ,WAAW,iBAAA,EAAmB,EAAE,KAAA,EAAO,QAAA,EAAU,SAAS,CAAA;AAClE,MAAA,MAAM,KAAA;AAAA,IACR;AAGA,IAAA,MAAM,KAAA;AAAA,EACR;AACF;AAOA,eAAe,YAAA,CACb,UAAA,EACA,QAAA,EACA,OAAA,EACA,QAAA,EACc;AACd,EAAA,MAAM,SAAU,UAAA,CAAmB,MAAA;AACnC,EAAA,MAAM,OAAA,GAAU,MAAA,EAAQ,OAAA,IAAW,MAAA,EAAQ,eAAA;AAC3C,EAAA,MAAM,WAAW,MAAA,EAAQ,QAAA;AAEzB,EAAA,IAAI,CAAC,OAAA,IAAW,CAAC,QAAA,EAAU;AACzB,IAAA,MAAM,IAAI,MAAM,uFAAuF,CAAA;AAAA,EACzG;AAGA,EAAA,MAAM,OAAA,GAAW,OAAA,CAAgB,KAAA,EAAO,OAAA,IAAY,OAAA,CAAgB,OAAA;AACpE,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,IAAI,MAAM,0DAA0D,CAAA;AAAA,EAC5E;AACA,EAAA,MAAM,gBAAgB,OAAA,YAAmB,MAAA,GAAS,OAAA,GAAU,MAAA,CAAO,KAAK,OAAc,CAAA;AACtF,EAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,QAAA,CAAS,QAAQ,CAAA;AAGrD,EAAA,MAAM,KAAA,GAAS,OAAA,CAAgB,KAAA,EAAO,KAAA,IAAU,OAAA,CAAgB,KAAA;AAChE,EAAA,IAAI,CAAC,KAAA,EAAO;AACV,IAAA,MAAM,IAAI,MAAM,wDAAwD,CAAA;AAAA,EAC1E;AAGA,EAAA,MAAM,gBAAA,GAAoB,OAAA,CAAgB,KAAA,EAAO,gBAAA,IAAqB,QAAgB,gBAAA,IAAoB,eAAA;AAC1G,EAAA,MAAM,WAAA,GAAe,OAAA,CAAgB,KAAA,EAAO,WAAA,IAAgB,QAAgB,WAAA,IAAe,KAAA;AAG3F,EAAA,MAAM,QAAA,GAAW,GAAG,OAAA,CAAQ,OAAA,CAAQ,YAAY,EAAE,CAAC,YAAY,QAAQ,CAAA,aAAA,CAAA;AAGvE,EAAA,MAAM,OAAA,GAAkC;AAAA,IACtC,cAAA,EAAgB;AAAA,GAClB;AAGA,EAAA,MAAM,WAAA,GAAe,WAAmB,cAAA,IAAiB;AACzD,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,MAAA,CAAO,MAAA,CAAO,SAAS,WAAW,CAAA;AAAA,EACpC,CAAA,MAAO;AAEL,IAAA,MAAM,OAAO,MAAA,EAAQ,IAAA;AACrB,IAAA,IAAI,IAAA,EAAM,IAAA,KAAS,SAAA,IAAa,IAAA,EAAM,MAAA,EAAQ;AAC5C,MAAA,OAAA,CAAQ,WAAW,IAAI,IAAA,CAAK,MAAA;AAAA,IAC9B;AAAA,EACF;AAGA,EAAA,MAAM,GAAA,GAAO,UAAA,CAAmB,GAAA,IAAQ,UAAA,CAAmB,MAAA,EAAQ,GAAA;AACnE,EAAA,IAAI,GAAA,EAAK;AACP,IAAA,OAAA,CAAQ,eAAe,CAAA,GAAI,CAAA,OAAA,EAAU,GAAG,CAAA,CAAA;AAAA,EAC1C;AAEA,EAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,QAAA,EAAU;AAAA,IACrC,MAAA,EAAQ,MAAA;AAAA,IACR,OAAA;AAAA,IACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,MACnB,SAAA,EAAW,QAAA,CAAS,UAAA,IAAc,QAAA,CAAS,SAAA;AAAA,MAC3C,eAAe,QAAA,CAAS,aAAA;AAAA,MACxB,KAAA;AAAA,MACA,OAAA,EAAS,aAAA;AAAA,MACT,gBAAA;AAAA,MACA;AAAA,KACD;AAAA,GACF,CAAA;AAED,EAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,IAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACxD,IAAA,MAAM,IAAA,GAAQ,SAAA,EAAmB,KAAA,EAAO,IAAA,IAAQ,mBAAA;AAChD,IAAA,MAAM,MAAO,SAAA,EAAmB,KAAA,EAAO,OAAA,IAAW,CAAA,uBAAA,EAA0B,SAAS,MAAM,CAAA,CAAA;AAC3F,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,WAAA,EAAc,IAAI,CAAA,EAAA,EAAK,GAAG,CAAA,CAAE,CAAA;AAAA,EAC9C;AAEA,EAAA,MAAM,MAAA,GAAS,MAAM,QAAA,CAAS,IAAA,EAAK;AACnC,EAAA,MAAM,OAAQ,MAAA,EAAgB,IAAA;AAE9B,EAAA,IAAI,CAAC,MAAM,SAAA,EAAW;AACpB,IAAA,MAAM,IAAI,MAAM,gDAAgD,CAAA;AAAA,EAClE;AAGA,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,WAAW,QAAQ,CAAA;AAAA,IAC/C,KAAA,EAAO,KAAK,KAAA,IAAS,KAAA;AAAA,IACrB,gBAAA,EAAkB,KAAK,gBAAA,IAAoB,gBAAA;AAAA,IAC3C,SAAA,EAAW,EAAE,cAAA,EAAgB,GAAA;AAAI,GACnC;AACF;;;ACzbO,IAAM,qBAAN,MAAyB;AAAA;AAAA;AAAA;AAAA,EAI9B,OAAO,aAAA,GAAmC;AACxC,IAAA,MAAM,IAAA,GAAO,QAAQ,GAAA,CAAI,gBAAA;AACzB,IAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,oBAAA;AAC7B,IAAA,MAAM,GAAA,GAAM,QAAQ,GAAA,CAAI,eAAA;AACxB,IAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,iBAAA;AAC1B,IAAA,MAAM,gBAAA,GAAmB,QAAQ,GAAA,CAAI,sBAAA;AACrC,IAAA,MAAM,iBAAA,GAAoB,QAAQ,GAAA,CAAI,uBAAA;AACtC,IAAA,MAAM,kBAAA,GAAqB,QAAQ,GAAA,CAAI,wBAAA;AACvC,IAAA,MAAM,cAAA,GAAiB,QAAQ,GAAA,CAAI,oBAAA;AAGnC,IAAA,IAAI,CAAC,QAAQ,CAAC,QAAA,IAAY,CAAC,GAAA,IAAO,CAAC,KAAA,IAAS,CAAC,gBAAA,EAAkB;AAC7D,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,MAAM,aAAyB,EAAC;AAEhC,IAAA,IAAI,IAAA,aAAiB,IAAA,GAAO,IAAA;AAC5B,IAAA,IAAI,QAAA,aAAqB,QAAA,GAAW,QAAA;AACpC,IAAA,IAAI,GAAA,aAAgB,GAAA,GAAM,GAAA;AAC1B,IAAA,IAAI,KAAA,aAAkB,KAAA,GAAQ,KAAA;AAG9B,IAAA,IAAI,gBAAA,IAAoB,iBAAA,IAAqB,kBAAA,IAAsB,cAAA,EAAgB;AACjF,MAAA,UAAA,CAAW,WAAA,GAAc;AAAA,QACvB,KAAA,EAAO,gBAAA,KAAqB,MAAA,IAAU,gBAAA,KAAqB,GAAA;AAAA,QAC3D,MAAA,EAAQ,iBAAA;AAAA,QACR,OAAA,EAAS,kBAAA;AAAA,QACT,GAAA,EAAK;AAAA,OACP;AAAA,IACF;AAEA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,SAAA,GAAqB;AAC1B,IAAA,OAAO,CAAC,EACN,OAAA,CAAQ,GAAA,CAAI,oBACZ,OAAA,CAAQ,GAAA,CAAI,oBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,sBAAA,CAAA;AAAA,EAEhB;AACF;ACnDO,IAAM,mBAAN,MAAuB;AAAA,EACX,UAAA;AAAA,EACA,QAAA;AAAA,EACT,eAAA;AAAA,EACS,WAAA;AAAA,EACA,0BAAA;AAAA,EACA,gBAAA;AAAA;AAAA,EACA,UAAA;AAAA;AAAA,EACA,MAAA;AAAA;AAAA,EAEA,aAAA,uBAAuD,GAAA,EAAI;AAAA,EACpE,aAAA,GAAuC,IAAA;AAAA,EACvC,OAAA,GAAU,KAAA;AAAA,EACV,iBAAA,GAAoB,EAAA;AAAA;AAAA;AAAA,EAEpB,aAAA,GAA+B,IAAA;AAAA,EAEtB,UAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EAEjB,YAAY,OAAA,EAaT;AACD,IAAA,IAAA,CAAK,aAAa,OAAA,CAAQ,UAAA;AAC1B,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,QAAA;AACxB,IAAA,IAAA,CAAK,kBAAkB,OAAA,CAAQ,QAAA;AAC/B,IAAA,IAAA,CAAK,WAAA,GAAc,QAAQ,WAAA,IAAe,MAAA;AAC1C,IAAA,IAAA,CAAK,0BAAA,GAA6B,QAAQ,sBAAA,IAA0B,EAAA;AACpE,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAGtB,IAAA,IAAA,CAAK,gBAAA,GAAmB,OAAA,CAAQ,gBAAA,IAAoBC,OAAA,EAAO;AAG3D,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,OAAA;AACxC,IAAA,IAAA,CAAK,SAAS,OAAA,CAAQ,MAAA;AAEtB,IAAA,IAAA,CAAK,UAAA,GAAa,QAAQ,UAAA,IAAc,EAAA;AACxC,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAQ,eAAA,IAAmB,GAAA;AAClD,IAAA,IAAA,CAAK,gBAAA,GAAmB,QAAQ,gBAAA,IAAoB,IAAA;AAAA,EACtD;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,EAA8C;AAClD,IAAA,IAAI,KAAK,OAAA,EAAS;AAChB,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AACf,IAAA,IAAA,CAAK,kBAAA,EAAmB;AAGxB,IAAA,IAAA,CAAK,kBAAkB,IAAA,CAAK,eAAA,EAAiB,CAAC,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU;AAE/D,MAAA,OAAA,CAAQ,KAAK,kDAAA,EAAoD,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,KAAK,CAAA;AAAA,IACjH,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,kBAAA,GAA2B;AACjC,IAAA,IAAI,IAAA,CAAK,aAAA,EAAe,aAAA,CAAc,IAAA,CAAK,aAAa,CAAA;AAExD,IAAA,IAAA,CAAK,aAAA,GAAgB,YAAY,MAAM;AACrC,MAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,MAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,aAAA,EAAe;AAClD,QAAA,IAAI,GAAA,GAAM,KAAA,CAAM,UAAA,GAAa,IAAA,CAAK,eAAA,EAAiB;AACjD,UAAA,IAAI,KAAA,CAAM,YAAA,EAAc,YAAA,CAAa,KAAA,CAAM,YAAY,CAAA;AACvD,UAAA,IAAA,CAAK,aAAA,CAAc,OAAO,QAAQ,CAAA;AAAA,QACpC;AAAA,MACF;AAAA,IACF,GAAG,GAAM,CAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA,EAKQ,wBAAA,CAAyB,UAAkB,KAAA,EAAmC;AACpF,IAAA,IAAI,CAAC,KAAK,OAAA,IAAW,CAAC,KAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AACtD,MAAA;AAAA,IACF;AAEA,IAAA,IAAI,MAAM,YAAA,EAAc;AACtB,MAAA,YAAA,CAAa,MAAM,YAAY,CAAA;AAC/B,MAAA,KAAA,CAAM,YAAA,GAAe,IAAA;AAAA,IACvB;AAEA,IAAA,MAAM,YAAA,GAAe,KAAK,0BAAA,GAA6B,GAAA;AACvD,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,EAAO,GAAI,GAAA;AAC/B,IAAA,MAAM,UAAU,IAAA,CAAK,GAAA;AAAA,MACnB,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,KAAA,CAAM,mBAAmB,CAAA,GAAI,GAAA;AAAA,MACzC,KAAK,iBAAA,GAAoB;AAAA,KAC3B;AACA,IAAA,MAAM,QAAA,GAAW,eAAe,MAAA,GAAS,OAAA;AAEzC,IAAA,KAAA,CAAM,YAAA,GAAe,WAAW,MAAM;AAEpC,MAAA,IAAI,CAAC,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AAEvC,MAAA,KAAA,CAAM,SAAA,GAAY,IAAA;AAClB,MAAA,KAAA,CAAM,iBAAiB,IAAA,CAAK,yBAAA,CAA0B,UAAU,KAAK,CAAA,CAClE,KAAK,MAAM;AACV,QAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,MAC/C,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,KAAA,KAAU;AAChB,QAAA,KAAA,CAAM,mBAAA,EAAA;AACN,QAAA,OAAA,CAAQ,MAAM,CAAA,sCAAA,EAAyC,QAAQ,CAAA,cAAA,CAAA,EAAkB,KAAA,CAAM,WAAW,KAAK,CAAA;AACvG,QAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,MAC/C,CAAC,CAAA,CACA,OAAA,CAAQ,MAAM;AACb,QAAA,KAAA,CAAM,SAAA,GAAY,KAAA;AAClB,QAAA,KAAA,CAAM,cAAA,GAAiB,IAAA;AAAA,MACzB,CAAC,CAAA;AAAA,IACL,GAAG,QAAQ,CAAA;AAAA,EACb;AAAA;AAAA;AAAA;AAAA,EAKA,IAAA,GAAa;AACX,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,OAAA,GAAU,KAAA;AAEf,IAAA,IAAI,KAAK,aAAA,EAAe;AACtB,MAAA,aAAA,CAAc,KAAK,aAAa,CAAA;AAChC,MAAA,IAAA,CAAK,aAAA,GAAgB,IAAA;AAAA,IACvB;AAEA,IAAA,KAAA,MAAW,CAAC,QAAA,EAAU,KAAK,CAAA,IAAK,KAAK,aAAA,EAAe;AAClD,MAAA,IAAI,MAAM,YAAA,EAAc;AACtB,QAAA,YAAA,CAAa,MAAM,YAAY,CAAA;AAC/B,QAAA,KAAA,CAAM,YAAA,GAAe,IAAA;AAAA,MACvB;AAAA,IACF;AACA,IAAA,IAAA,CAAK,cAAc,KAAA,EAAM;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,QAAA,GAA0B;AACxB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,KAAK,eAAe,CAAA;AACzD,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,KAAA,IAAS,KAAA,CAAM,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,IAAI,CAAA,EAAG;AACrF,MAAA,KAAA,CAAM,UAAA,GAAa,KAAK,GAAA,EAAI;AAC5B,MAAA,OAAO,MAAM,KAAA,CAAM,KAAA;AAAA,IACrB;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,OAAA,GAAmB;AACjB,IAAA,OAAO,IAAA,CAAK,UAAS,KAAM,IAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe,QAAA,EAAwB;AACrC,IAAA,IAAA,CAAK,eAAA,GAAkB,QAAA;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,iBAAA,CAAkB,QAAA,EAAkB,SAAA,GAAY,GAAA,EAAuB;AAC3E,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,MAAM,IAAI,uDAA2C,8BAA8B,CAAA;AAAA,IACrF;AAEA,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,IAAI,KAAA,GAAQ,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA;AAC3C,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AAErB,IAAA,MAAM,aAAA,GAAgB,CAAC,CAAA,KAA4B;AACjD,MAAA,IAAI,CAAA,CAAE,KAAA,IAAS,CAAA,CAAE,KAAA,CAAM,SAAA,GAAY,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,CAAA,EAAG;AACpE,QAAA,OAAO,EAAE,KAAA,CAAM,KAAA;AAAA,MACjB;AACA,MAAA,OAAO,IAAA;AAAA,IACT,CAAA;AAEA,IAAA,IAAI,KAAA,EAAO;AACT,MAAA,KAAA,CAAM,UAAA,GAAa,GAAA;AACnB,MAAA,MAAMC,EAAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,MAAA,IAAIA,IAAG,OAAOA,EAAAA;AAAA,IAChB,CAAA,MAAO;AACL,MAAA,IAAI,IAAA,CAAK,aAAA,CAAc,IAAA,IAAQ,IAAA,CAAK,UAAA,EAAY;AAC9C,QAAA,IAAI,cAAA,GAAgC,IAAA;AACpC,QAAA,IAAI,YAAA,GAAe,QAAA;AACnB,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,CAAC,CAAA,IAAK,KAAK,aAAA,EAAe;AACzC,UAAA,IAAI,CAAA,CAAE,aAAa,YAAA,EAAc;AAC/B,YAAA,YAAA,GAAe,CAAA,CAAE,UAAA;AACjB,YAAA,cAAA,GAAiB,GAAA;AAAA,UACnB;AAAA,QACF;AACA,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,MAAM,WAAA,GAAc,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,cAAc,CAAA;AACzD,UAAA,IAAI,WAAA,EAAa,YAAA,EAAc,YAAA,CAAa,WAAA,CAAY,YAAY,CAAA;AACpE,UAAA,IAAA,CAAK,aAAA,CAAc,OAAO,cAAc,CAAA;AAAA,QAC1C;AAAA,MACF;AACA,MAAA,KAAA,GAAQ;AAAA,QACN,KAAA,EAAO,IAAA;AAAA,QACP,YAAA,EAAc,IAAA;AAAA,QACd,mBAAA,EAAqB,CAAA;AAAA,QACrB,oBAAA,EAAsB,CAAA;AAAA,QACtB,UAAA,EAAY,GAAA;AAAA,QACZ,SAAA,EAAW,KAAA;AAAA,QACX,cAAA,EAAgB;AAAA,OAClB;AACA,MAAA,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAA,EAAU,KAAK,CAAA;AAAA,IACxC;AAEA,IAAA,IAAI,KAAA,CAAM,SAAA,IAAa,KAAA,CAAM,cAAA,EAAgB;AAC3C,MAAA,MAAM,aAAA,GAAgB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACtE,MAAA,IAAI;AACF,QAAA,MAAM,QAAQ,IAAA,CAAK;AAAA,UACjB,KAAA,CAAM,cAAA;AAAA,UACN,IAAI,OAAA,CAAQ,CAAC,CAAA,EAAG,WAAW,UAAA,CAAW,MAAM,MAAA,CAAO,IAAI,KAAA,CAAM,SAAS,CAAC,CAAA,EAAG,aAAa,CAAC;AAAA,SACzF,CAAA;AAAA,MACH,SAAS,CAAA,EAAG;AAAA,MAAC;AACb,MAAA,MAAMA,EAAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,MAAA,IAAIA,IAAG,OAAOA,EAAAA;AAAA,IAChB;AAEA,IAAA,MAAM,oBAAA,GAAuB,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA,CAAM,oBAAA;AAChD,IAAA,IAAI,qBAAA,GAAwB,CAAA;AAC5B,IAAA,IAAI,oBAAA,GAAuB,KAAK,gBAAA,EAAkB;AAChD,MAAA,qBAAA,GAAwB,KAAK,gBAAA,GAAmB,oBAAA;AAAA,IAClD;AAEA,IAAA,MAAM,cAAA,GAAiB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACvE,IAAA,IAAI,yBAAyB,cAAA,EAAgB;AAC1C,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,mBAAA;AAAA,QAET;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAI,wBAAwB,CAAA,EAAG;AAC7B,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAA,OAAA,KAAW,UAAA,CAAW,OAAA,EAAS,qBAAqB,CAAC,CAAA;AAAA,IACzE;AAEA,IAAA,IAAI,CAAC,MAAM,SAAA,EAAW;AACpB,MAAA,KAAA,CAAM,SAAA,GAAY,IAAA;AAClB,MAAA,KAAA,CAAM,iBAAiB,IAAA,CAAK,yBAAA,CAA0B,UAAU,KAAK,CAAA,CAAE,QAAQ,MAAM;AACnF,QAAA,IAAI,KAAA,EAAO;AACT,UAAA,KAAA,CAAM,SAAA,GAAY,KAAA;AAClB,UAAA,KAAA,CAAM,cAAA,GAAiB,IAAA;AAAA,QACzB;AAAA,MACF,CAAC,CAAA;AAAA,IACH;AAEA,IAAA,MAAM,cAAA,GAAiB,KAAK,GAAA,CAAI,CAAA,EAAG,aAAa,IAAA,CAAK,GAAA,KAAQ,SAAA,CAAU,CAAA;AACvE,IAAA,IAAI;AACF,MAAA,IAAI,MAAM,cAAA,EAAgB;AACxB,QAAA,MAAM,QAAQ,IAAA,CAAK;AAAA,UACjB,KAAA,CAAM,cAAA;AAAA,UACN,IAAI,OAAA,CAAQ,CAAC,CAAA,EAAG,WAAW,UAAA,CAAW,MAAM,MAAA,CAAO,IAAI,KAAA,CAAM,SAAS,CAAC,CAAA,EAAG,cAAc,CAAC;AAAA,SAC1F,CAAA;AAAA,MACH;AAAA,IACF,SAAS,CAAA,EAAG;AAAA,IAAC;AAEb,IAAA,MAAM,CAAA,GAAI,cAAc,KAAK,CAAA;AAC7B,IAAA,IAAI,GAAG,OAAO,CAAA;AAEd,IAAA,MAAM,IAAI,SAAA;AAAA,MAAA,mBAAA;AAAA,MAER;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,yBAAA,CAA0B,QAAA,EAAkB,KAAA,EAA4C;AACpG,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,CAAO,WAAW,CAAA,EAAG;AAC5C,MAAA,MAAM,IAAI,SAAA;AAAA,QAAA,cAAA;AAAA,QAER,mHAAA;AAAA,QACA;AAAC,OACH;AAAA,IACF;AAEA,IAAA,KAAA,CAAM,oBAAA,GAAuB,KAAK,GAAA,EAAI;AAEtC,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAapC;AAAA,QACD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,wBAAA;AAAA,QACN,OAAA,EAAS;AAAA,UACP,wBAAwB,IAAA,CAAK;AAAA,SAC/B;AAAA,QACA,IAAA,EAAM;AAAA,UACJ,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,QAAA;AAAA,UACA,aAAa,IAAA,CAAK,WAAA;AAAA,UAClB,kBAAkB,IAAA,CAAK,gBAAA;AAAA,UACvB,YAAY,IAAA,CAAK;AAAA;AACnB,OACD,CAAA;AAGD,MAAA,IAAI,CAAC,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,QAAQ,CAAA,EAAG;AACrC,QAAA;AAAA,MACF;AAEA,MAAA,IAAI,QAAA,CAAS,OAAA,IAAW,QAAA,CAAS,IAAA,EAAM;AACrC,QAAA,MAAM,KAAA,GAAQ,SAAS,IAAA,CAAK,cAAA;AAC5B,QAAA,MAAM,SAAA,GAAY,SAAS,IAAA,CAAK,SAAA;AAEhC,QAAA,IAAI,CAAC,KAAA,IAAS,CAAC,SAAA,EAAW;AACxB,UAAA,MAAM,IAAI,SAAA;AAAA,YAAA,kBAAA;AAAA,YAER;AAAA,WACF;AAAA,QACF;AAEA,QAAA,KAAA,CAAM,KAAA,GAAQ;AAAA,UACZ,KAAA;AAAA,UACA,SAAA;AAAA,UACA,GAAA,EAAK,SAAS,IAAA,CAAK,GAAA;AAAA,UACnB,UAAA,EAAY,SAAS,IAAA,CAAK;AAAA,SAC5B;AACA,QAAA,KAAA,CAAM,mBAAA,GAAsB,CAAA;AAG5B,QAAA,IAAI,QAAA,CAAS,IAAA,CAAK,aAAA,IAAiB,IAAA,EAAM;AACvC,UAAA,IAAA,CAAK,aAAA,GAAgB,SAAS,IAAA,CAAK,aAAA;AAAA,QACrC;AAGA,QAAA,OAAA,CAAQ,IAAI,sCAAA,EAAwC;AAAA,UAClD,SAAA;AAAA,UACA,QAAA;AAAA,UACA,GAAA,EAAK,SAAS,IAAA,CAAK,GAAA;AAAA,UACnB,YAAY,QAAA,CAAS,IAAA,CAAK,YAAY,SAAA,CAAU,CAAA,EAAG,CAAC,CAAA,GAAI;AAAA;AAAA,SAEzD,CAAA;AAGD,QAAA,IAAI,CAAC,MAAM,YAAA,EAAc;AACvB,UAAA,IAAA,CAAK,wBAAA,CAAyB,UAAU,KAAK,CAAA;AAAA,QAC/C;AAAA,MACF,CAAA,MAAO;AACL,QAAA,MAAM,KAAA,GAAS,QAAA,CAAiB,KAAA,IAAS,EAAC;AAC1C,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,cAAA;AAAA,UAER,CAAA,8BAAA,EAAiC,KAAA,CAAM,OAAA,IAAW,eAAe,CAAA;AAAA,SACnE;AAAA,MACF;AAAA,IACF,SAAS,KAAA,EAAY;AAEnB,MAAA,OAAA,CAAQ,MAAM,CAAA,mDAAA,EAAsD,QAAQ,CAAA,CAAA,CAAA,EAAK,KAAA,CAAM,WAAW,KAAK,CAAA;AACvG,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,GAA8B;AAC5B,IAAA,OAAO,IAAA,CAAK,gBAAA;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gBAAA,GAAkC;AAChC,IAAA,OAAO,IAAA,CAAK,aAAA;AAAA,EACd;AACF;;;AC9ZO,IAAM,2BAAN,MAA+B;AAAA,EACnB,OAAA;AAAA,EAEjB,YAAY,OAAA,EAA0C;AACpD,IAAA,IAAA,CAAK,OAAA,GAAU,OAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,SAAA,GAA0C;AACxC,IAAA,MAAM,SAAyC,EAAC;AAGhD,IAAA,MAAM,gBAAA,GAAmB,KAAK,mBAAA,EAAoB;AAClD,IAAA,IAAI,iBAAiB,OAAA,EAAS;AAC5B,MAAA,MAAA,CAAO,KAAK,gBAAgB,CAAA;AAAA,IAC9B;AAGA,IAAA,MAAM,QAAA,GAAW,KAAK,uBAAA,EAAwB;AAC9C,IAAA,IAAI,SAAS,OAAA,EAAS;AACpB,MAAA,MAAA,CAAO,KAAK,QAAQ,CAAA;AAAA,IACtB;AAGA,IAAA,MAAM,iBAAA,GAAoB,IAAA,CAAK,oBAAA,CAAqB,MAAM,CAAA;AAC1D,IAAA,MAAM,cAAc,MAAA,CAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,eAAe,iBAAiB,CAAA;AAEvE,IAAA,IAAI,CAAC,WAAA,IAAe,CAAC,WAAA,CAAY,OAAA,EAAS;AACxC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,KAAA;AAAA,QACZ,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAGA,IAAA,IAAI,KAAK,OAAA,CAAQ,eAAA,KAAoB,UAAU,CAAC,IAAA,CAAK,QAAQ,8BAAA,EAAgC;AAC3F,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,WAAW,CAAA;AACvD,MAAA,MAAM,IAAI,MAAM,YAAY,CAAA;AAAA,IAC9B;AAGA,IAAA,IAAA,CAAK,WAAW,WAAW,CAAA;AAE3B,IAAA,OAAO,WAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAA,GAA+C;AAEnD,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,EAAU;AAMlC,IAAA,MAAM,eAAA,GAAkB,MAAM,IAAA,CAAK,kBAAA,EAAmB;AACtD,IAAA,IAAI,gBAAgB,OAAA,EAAS;AAE3B,MAAA,IAAI,KAAK,OAAA,CAAQ,eAAA,KAAoB,UAAU,CAAC,IAAA,CAAK,QAAQ,8BAAA,EAAgC;AAC3F,QAAA,MAAM,YAAA,GAAe,IAAA,CAAK,iBAAA,CAAkB,eAAe,CAAA;AAC3D,QAAA,MAAM,IAAI,MAAM,YAAY,CAAA;AAAA,MAC9B;AAGA,MAAA,IAAA,CAAK,WAAW,eAAe,CAAA;AAE/B,MAAA,OAAO,eAAA;AAAA,IACT;AAGA,IAAA,OAAO,UAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,mBAAA,GAAoD;AAC1D,IAAA,MAAM,UAAA,GAAa,CAAC,EAClB,OAAA,CAAQ,GAAA,CAAI,qBACZ,OAAA,CAAQ,GAAA,CAAI,qBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,iBAAA,CAAA;AAGd,IAAA,MAAM,kBAAA,GAAqB,CAAC,EAC1B,OAAA,CAAQ,GAAA,CAAI,gBACZ,OAAA,CAAQ,GAAA,CAAI,2BAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,sCAAA,CAAA;AAGd,IAAA,IAAI,cAAc,kBAAA,EAAoB;AACpC,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,QAAA,EAAU,0BAAA;AAAA,QACV,UAAA,EAAY,QAAA;AAAA,QACZ,OAAA,EAAS,+FAAA;AAAA,QACT,WAAA,EAAa;AAAA,OACf;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,KAAA;AAAA,MACZ,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,kBAAA,GAA4D;AAIxE,IAAA,IAAI;AAEF,MAAA,MAAM,YAAY,MAAM,OAAO,qBAAqB,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAEtE,MAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAU,SAAA,IAAa,CAAC,UAAU,8BAAA,EAAgC;AAEnF,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAEA,MAAA,MAAM,EAAE,SAAA,EAAW,8BAAA,EAA+B,GAAI,SAAA;AAGtD,MAAA,MAAM,YAAA,GAAe,MAAM,IAAA,CAAK,sBAAA,EAAuB;AACvD,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAGA,MAAA,MAAM,MAAA,GAAS,IAAI,SAAA,CAAU,EAAE,CAAA;AAC/B,MAAA,MAAM,OAAA,GAAU,IAAI,8BAAA,CAA+B;AAAA,QACjD,eAAA,EAAiB,YAAA;AAAA,QACjB,WAAA,EAAa,CAAC,UAAU,CAAA;AAAA,QACxB,YAAA,EAAc,IAAA,CAAK,OAAA,CAAQ,SAAA,EAAW,GAAA,CAAI,CAAA,EAAA,KAAM,CAAA,oBAAA,EAAuB,EAAE,CAAA,CAAE,CAAA,IAAK,CAAC,uBAAuB;AAAA,OACzG,CAAA;AAED,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAE5D,MAAA,IAAI,CAAC,QAAA,EAAU;AAEb,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,KAAA;AAAA,UACT,UAAA,EAAY,KAAA;AAAA,UACZ,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAGA,MAAA,MAAM,UAAA,GAAa,SAAS,iBAAA,EAAmB,IAAA;AAAA,QAC7C,CAAC,MAAA,KAAgB,MAAA,CAAO,YAAA,KAAiB,SAAA,IAAa,OAAO,YAAA,KAAiB;AAAA,OAChF;AAEA,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,OAAO;AAAA,UACL,OAAA,EAAS,IAAA;AAAA,UACT,QAAA,EAAU,4BAAA;AAAA,UACV,UAAA,EAAY,MAAA;AAAA,UACZ,OAAA,EAAS,qCAAqC,YAAY,CAAA,6DAAA,CAAA;AAAA,UAC1D,WAAA,EAAa;AAAA,SACf;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,MAAA;AAAA,QACZ,OAAA,EAAS;AAAA,OACX;AAAA,IACF,SAAS,KAAA,EAAO;AAEd,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,KAAA;AAAA,QACT,UAAA,EAAY,KAAA;AAAA,QACZ,SAAS,CAAA,uBAAA,EAA0B,KAAA,YAAiB,KAAA,GAAQ,KAAA,CAAM,UAAU,eAAe,CAAA;AAAA,OAC7F;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,uBAAA,GAAwD;AAE9D,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,YAAA;AAAA,MACA,gBAAA;AAAA,MACA,aAAA;AAAA,MACA;AAAA,KACF;AAEA,IAAA,MAAM,eAAe,OAAA,CAAQ,MAAA,CAAO,YAAU,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAC,CAAA;AAEjE,IAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,MAAA,OAAO;AAAA,QACL,OAAA,EAAS,IAAA;AAAA,QACT,QAAA,EAAU,qBAAA;AAAA,QACV,UAAA,EAAY,KAAA;AAAA,QACZ,OAAA,EAAS,CAAA,8CAAA,EAAiD,YAAA,CAAa,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAAA,QACjF,WAAA,EAAa;AAAA,OACf;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACL,OAAA,EAAS,KAAA;AAAA,MACT,UAAA,EAAY,KAAA;AAAA,MACZ,OAAA,EAAS;AAAA,KACX;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,sBAAA,GAAiD;AAC7D,IAAA,IAAI;AAEF,MAAA,MAAM,YAAY,MAAM,OAAO,qBAAqB,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAEtE,MAAA,IAAI,CAAC,SAAA,IAAa,CAAC,UAAU,SAAA,IAAa,CAAC,UAAU,wBAAA,EAA0B;AAC7E,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,MAAM,EAAE,SAAA,EAAW,wBAAA,EAAyB,GAAI,SAAA;AAEhD,MAAA,MAAM,MAAA,GAAS,IAAI,SAAA,CAAU,EAAE,CAAA;AAC/B,MAAA,MAAM,OAAA,GAAU,IAAI,wBAAA,CAAyB,EAAE,CAAA;AAC/C,MAAA,MAAM,QAAA,GAAW,MAAM,MAAA,CAAO,IAAA,CAAK,OAAO,CAAA,CAAE,KAAA,CAAM,MAAM,IAAI,CAAA;AAE5D,MAAA,IAAI,UAAU,GAAA,EAAK;AACjB,QAAA,OAAO,QAAA,CAAS,GAAA;AAAA,MAClB;AAAA,IACF,SAAS,KAAA,EAAO;AAAA,IAEhB;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,qBAAqB,MAAA,EAAmE;AAC9F,IAAA,IAAI,OAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,KAAe,MAAM,CAAA,EAAG;AAC7C,MAAA,OAAO,MAAA;AAAA,IACT;AACA,IAAA,IAAI,OAAO,IAAA,CAAK,CAAA,CAAA,KAAK,CAAA,CAAE,UAAA,KAAe,QAAQ,CAAA,EAAG;AAC/C,MAAA,OAAO,QAAA;AAAA,IACT;AACA,IAAA,OAAO,KAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAkB,MAAA,EAA8C;AACtE,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,4DAAA;AAAA,MACA,CAAA,yBAAA,EAA4B,OAAO,OAAO,CAAA,CAAA;AAAA,MAC1C,CAAA,eAAA,EAAkB,OAAO,QAAQ,CAAA,CAAA;AAAA,MACjC,CAAA,gBAAA,EAAmB,OAAO,UAAU,CAAA,CAAA;AAAA,MACpC,CAAA,eAAA,EAAkB,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA;AAAA,KACzC;AAEA,IAAA,IAAI,IAAA,CAAK,QAAQ,QAAA,EAAU;AACzB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,eAAA,EAAkB,IAAA,CAAK,OAAA,CAAQ,QAAQ,CAAA,CAAE,CAAA;AAAA,IACtD;AAEA,IAAA,IAAI,IAAA,CAAK,QAAQ,WAAA,EAAa;AAC5B,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,iBAAA,EAAoB,IAAA,CAAK,OAAA,CAAQ,WAAW,CAAA,CAAE,CAAA;AAAA,IAC3D;AAEA,IAAA,IAAI,OAAO,WAAA,EAAa;AACtB,MAAA,KAAA,CAAM,IAAA,CAAK,CAAA,iBAAA,EAAoB,MAAA,CAAO,WAAW,CAAA,CAAE,CAAA;AAAA,IACrD;AAEA,IAAA,KAAA,CAAM,KAAK,2DAA2D,CAAA;AACtE,IAAA,KAAA,CAAM,KAAK,CAAA,sFAAA,CAAwF,CAAA;AAEnG,IAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA,EAKQ,WAAW,MAAA,EAA4C;AAC7D,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,KAAA,EAAO,MAAA;AAAA,MACP,OAAA,EAAS,8BAAA;AAAA,MACT,QAAA,EAAU,KAAK,OAAA,CAAQ,QAAA;AAAA,MACvB,QAAA,EAAU,KAAK,OAAA,CAAQ,QAAA;AAAA,MACvB,WAAA,EAAa,KAAK,OAAA,CAAQ,WAAA;AAAA,MAC1B,eAAA,EAAiB,KAAK,OAAA,CAAQ,eAAA;AAAA,MAC9B,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,YAAY,MAAA,CAAO,UAAA;AAAA,MACnB,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,aAAa,MAAA,CAAO,WAAA;AAAA,MACpB,aAAA,EAAe;AAAA,KACjB;AAGA,IAAA,OAAA,CAAQ,KAAK,gBAAA,EAAkB,IAAA,CAAK,UAAU,OAAA,EAAS,IAAA,EAAM,CAAC,CAAC,CAAA;AAAA,EACjE;AACF,CAAA;;;ACtTA,IAAM,iBAAA,GAAoB,iBAAA;AAKnB,IAAM,aAAN,MAAiB;AAAA,EACL,MAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,IAAA;AAAA,EACA,mBAAA;AAAA,EAEjB,YAAY,MAAA,EAA0B;AACpC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAGd,IAAA,MAAM,OAAA,GAAU,QAAQ,GAAA,CAAI,SAAA;AAC5B,IAAA,IAAA,CAAK,IAAA,GAAO,OAAA,IAAW,MAAA,CAAO,IAAA,IAAQ,QAAA;AAGtC,IAAA,IAAI,OAAO,mBAAA,EAAqB;AAC9B,MAAA,IAAA,CAAK,sBAAsB,MAAA,CAAO,mBAAA;AAAA,IACpC,CAAA,MAAO;AAEL,MAAA,IAAA,CAAK,mBAAA,GAAsB,IAAA,CAAK,IAAA,KAAS,QAAA,GAAW,WAAA,GAAc,aAAA;AAAA,IACpE;AAGA,IAAA,IAAI,MAAA,CAAO,IAAA,CAAK,IAAA,KAAS,MAAA,EAAQ;AAC/B,MAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,QAC/B,KAAA,EAAO,OAAO,IAAA,CAAK,KAAA;AAAA,QACnB,MAAA,EAAQ,OAAO,IAAA,CAAK;AAAA,OACrB,CAAA;AAAA,IACH,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,QAC/B,MAAA,EAAQ,OAAO,IAAA,CAAK;AAAA,OACrB,CAAA;AAAA,IACH;AAGA,IAAA,IAAA,CAAK,UAAA,GAAa,IAAI,UAAA,CAAW;AAAA,MAC/B,SAAS,MAAA,CAAO,OAAA;AAAA,MAChB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,OAAO,MAAA,CAAO;AAAA,KACf,CAAA;AAGD,IAAA,IAAI,OAAO,YAAA,EAAc;AACvB,MAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa;AAAA,QACnC,YAAY,IAAA,CAAK,UAAA;AAAA,QACjB,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,iBAAA,EAAmB,OAAO,MAAA,EAAQ,iBAAA;AAAA,QAClC,SAAA,EAAW,OAAO,MAAA,EAAQ;AAAA,OAC3B,CAAA;AAAA,IACH;AAGA,IAAA,IAAI,OAAO,cAAA,EAAgB;AACzB,MAAA,IAAA,CAAK,cAAA,GAAiB,IAAI,cAAA,CAAe,MAAA,CAAO,cAAc,CAAA;AAAA,IAChE;AAGA,IAAA,IAAA,CAAK,OAAA,GAAU,IAAI,gBAAA,EAAiB;AACpC,IAAA,IAAI,OAAO,SAAA,EAAW;AACpB,MAAA,IAAA,CAAK,OAAA,CAAQ,YAAA,CAAa,MAAA,CAAO,SAAS,CAAA;AAAA,IAC5C;AAGA,IAAA,IAAI,OAAO,KAAA,EAAO;AAChB,MAAA,OAAA,CAAQ,KAAK,kFAAkF,CAAA;AAE/F,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AAAA,IAC1B,CAAA,MAAO;AAEL,MAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,KAAoB,OAAO,YAAY,WAAA,GAAc,OAAA,CAAQ,IAAI,kBAAA,GAAqB,MAAA,CAAA;AACrH,MAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,QAAA,MAAM,IAAI,KAAA;AAAA,UACR;AAAA,SAEF;AAAA,MACF;AAGA,MAAA,IAAI,kBAAkB,MAAA,CAAO,OAAA;AAC7B,MAAA,IAAI,eAAA,CAAgB,QAAA,CAAS,UAAU,CAAA,EAAG;AACxC,QAAA,eAAA,GAAkB,eAAA,CAAgB,KAAA,CAAM,UAAU,CAAA,CAAE,CAAC,CAAA;AAAA,MACvD;AAEA,MAAA,IAAK,OAAe,eAAA,EAAiB;AACnC,QAAA,eAAA,GAAmB,MAAA,CAAe,eAAA;AAAA,MACpC;AAEA,MAAA,MAAM,mBAAA,GAAsB,IAAI,UAAA,CAAW;AAAA,QACzC,OAAA,EAAS,eAAA;AAAA,QACT,SAAA,EAAW,GAAA;AAAA;AAAA,QACX,WAAW,MAAA,CAAO;AAAA,OACnB,CAAA;AAID,MAAA,MAAM,eAAA,GAAkB,OAAO,QAAA,IAAY,iBAAA;AAC3C,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAI,gBAAA,CAAiB;AAAA,QAC3C,UAAA,EAAY,mBAAA;AAAA,QACZ,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,QAAA,EAAU,eAAA;AAAA,QACV,WAAA,EAAc,OAAe,WAAA,IAAe,MAAA;AAAA,QAC5C,sBAAA,EAAwB,OAAO,+BAAA,IAAmC,EAAA;AAAA,QAClE,MAAA,EAAQ;AAAA,OACT,CAAA;AAGD,MAAA,IAAA,CAAK,iBAAiB,KAAA,EAAM;AAG5B,MAAA,IAAA,CAAK,0BAAA,EAA2B,CAAE,KAAA,CAAM,MAAM;AAAA,MAAC,CAAC,CAAA;AAAA,IAClD;AAGA,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,MAAM,eAAA,GAAkB,OAAO,eAAA,IAAmB,MAAA;AAClD,MAAA,MAAM,8BAAA,GAAiC,MAAA,CAAO,8BAAA,IAAmC,eAAA,KAAoB,MAAA;AAErG,MAAA,MAAM,WAAA,GAAc,IAAI,wBAAA,CAAyB;AAAA,QAC/C,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,UAAU,MAAA,CAAO,QAAA;AAAA,QACjB,aAAc,MAAA,CAAe,WAAA;AAAA,QAC7B,eAAA;AAAA,QACA,8BAAA;AAAA,QACA,WAAW,MAAA,CAAO;AAAA,OACnB,CAAA;AAID,MAAA,WAAA,CAAY,SAAA,EAAU;AAKtB,MAAA,IAAA,CAAK,yBAAyB,WAAA,EAAa,eAAe,CAAA,CAAE,KAAA,CAAM,CAAC,KAAA,KAAU;AAE3E,QAAA,IAAI,eAAA,KAAoB,UAAU,8BAAA,EAAgC;AAChE,UAAA,OAAA,CAAQ,IAAA,CAAK,+CAA+C,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,QACpH,CAAA,MAAO;AAEL,UAAA,OAAA,CAAQ,KAAA,CAAM,uEAAuE,KAAK,CAAA;AAAA,QAC5F;AAAA,MACF,CAAC,CAAA;AAAA,IACH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,uBAAA,GAAmC;AACjC,IAAA,IAAI,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,GAAA,CAAI,gCAAgC,MAAA,EAAW;AAC3F,MAAA,OAAO,QAAQ,GAAA,CAAI,2BAAA,KAAgC,MAAA,IAAU,OAAA,CAAQ,IAAI,2BAAA,KAAgC,GAAA;AAAA,IAC3G;AACA,IAAA,OACE,IAAA,CAAK,OAAO,oBAAA,KACX,IAAA,CAAK,SAAS,SAAA,IAAc,IAAA,CAAK,OAAe,eAAA,KAAoB,MAAA,CAAA;AAAA,EAEzE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,wBAAA,CACZ,WAAA,EACA,eAAA,EACe;AACf,IAAA,IAAI;AAIF,MAAA,MAAM,YAAY,KAAA,EAAM;AAAA,IAC1B,SAAS,KAAA,EAAO;AAGd,MAAA,OAAA,CAAQ,IAAA,CAAK,+CAA+C,KAAA,YAAiB,KAAA,GAAQ,MAAM,OAAA,GAAU,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,IACpH;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,0BAAA,GAA4C;AACxD,IAAA,IAAI,CAAC,KAAK,gBAAA,EAAkB;AAC5B,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,MAAA,CAAO,QAAA,IAAY,iBAAA;AACzC,IAAA,IAAI;AAEF,MAAA,MAAM,IAAA,CAAK,gBAAA,CAAiB,iBAAA,CAAkB,QAAA,EAAU,GAAI,CAAA;AAAA,IAC9D,CAAA,CAAA,MAAQ;AAEN,MAAA;AAAA,IACF;AACA,IAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,gBAAA,CAAiB,gBAAA,EAAiB;AAC7D,IAAA,IAAI,CAAC,aAAA,EAAe;AACpB,IAAA,MAAM,gBAAA,GAAmB;AAAA,MACvB,cAAA;AAAA,MAAgB,cAAA;AAAA,MAAgB,YAAA;AAAA,MAChC,kBAAA;AAAA,MAAoB,mBAAA;AAAA,MACpB,2BAAA;AAAA,MAA6B;AAAA,KAC/B;AACA,IAAA,IAAI,KAAK,IAAA,KAAS,QAAA,IAAY,gBAAA,CAAiB,QAAA,CAAS,aAAa,CAAA,EAAG;AACtE,MAAA,OAAA,CAAQ,IAAA;AAAA,QACN,uCAAuC,aAAa,CAAA,iLAAA;AAAA,OAGtD;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAA,CACJ,GAAA,EACA,IAAA,EACoC;AACpC,IAAA,MAAM,SAAA,GAAY,IAAA,EAAM,SAAA,IAAaD,OAAAA,EAAO;AAC5C,IAAA,MAAM,WAAA,GAAc,GAAA,CAAI,WAAA,IAAe,KAAA,EAAM;AAC7C,IAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,MAAA,CAAO,YAAA,IAAgB,kBAAA;AACjD,IAAA,MAAM,cAAA,GAAkC,IAAA,CAAK,MAAA,CAAe,cAAA,IAAkB,UAAA;AAG9E,IAAA,MAAM,WAAA,GAAyB,GAAA,CAAY,IAAA,IAAQ,IAAA,CAAK,IAAA;AACxD,IAAA,MAAM,YAAA,GAAe,KAAK,uBAAA,EAAwB;AAGlD,IAAA,MAAM,iBAAiB,YAAgD;AAKrE,MAAA,IAAI,cAAA,GAAgC,IAAA;AACpC,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,KAAK,gBAAA,EAAkB;AAC/C,QAAA,MAAME,qBAAoB,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAa,GAAA,CAAI,gBAAwB,cAAA,IAAkB,iBAAA;AAEzG,QAAA,cAAA,GAAiB,MAAM,IAAA,CAAK,gBAAA,CAAiB,iBAAA,CAAkBA,oBAAmB,GAAI,CAAA;AAAA,MACxF;AAGA,MAAA,MAAM,QAAA,GAAgB,EAAE,GAAG,GAAA,CAAI,QAAA,EAAS;AAExC,MAAA,IAAI,QAAA,CAAS,EAAA,IAAM,CAAC,QAAA,CAAS,SAAA,EAAW;AACtC,QAAA,QAAA,CAAS,YAAY,QAAA,CAAS,EAAA;AAC9B,QAAA,OAAO,QAAA,CAAS,EAAA;AAAA,MAClB;AAEA,MAAA,IAAI,CAAC,QAAA,CAAS,aAAA,IAAiB,QAAA,CAAS,OAAA,EAAS;AAC/C,QAAA,QAAA,CAAS,aAAA,GAAgB,KAAA;AAAA,MAC3B;AAEA,MAAA,IAAI,QAAA,CAAS,IAAA,IAAQ,CAAC,QAAA,CAAS,WAAA,EAAa;AAC1C,QAAA,OAAO,QAAA,CAAS,IAAA;AAAA,MAClB;AAIA,MAAA,MAAM,oBAAoB,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAY,GAAA,CAAI,gBAAgB,cAAA,IAAkB,iBAAA;AAChG,MAAA,MAAM,cAAA,GAAsB;AAAA,QAC1B,GAAG,GAAA,CAAI,cAAA;AAAA,QACP,gBAAgB,GAAA,CAAI,cAAA,EAAgB,cAAA,IAAkB,GAAA,CAAI,gBAAgB,QAAA,IAAY,iBAAA;AAAA,QACtF,QAAA,EAAU;AAAA,OACZ;AAIA,MAAA,IAAI,cAAA,EAAgB;AAClB,QAAA,cAAA,CAAe,cAAA,GAAiB,cAAA;AAAA,MAClC;AAGA,MAAA,MAAM,UAAA,GAAa,mBAAmB,aAAA,EAAc;AACpD,MAAA,IAAI,UAAA,EAAY;AACd,QAAA,cAAA,CAAe,MAAA,GAAS;AAAA,UACtB,MAAM,UAAA,CAAW,IAAA;AAAA,UACjB,UAAU,UAAA,CAAW,QAAA;AAAA,UACrB,KAAK,UAAA,CAAW,GAAA;AAAA,UAChB,OAAO,UAAA,CAAW,KAAA;AAAA,UAClB,aAAa,UAAA,CAAW;AAAA,SAC1B;AAAA,MACF;AAGA,MAAA,IAAI,IAAA,GAAY;AAAA,QACd,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,SAAA;AAAA,QACA,WAAA;AAAA,QACA,QAAA;AAAA,QACA,cAAA;AAAA;AAAA,QAEA,GAAA,EAAK;AAAA,UACH,IAAA,EAAM,UAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,QACA,IAAA,EAAM,WAAA;AAAA,QACN,qBAAqB,IAAA,CAAK;AAAA,OAC5B;AAGA,MAAA,IAAI,GAAA,CAAI,aAAa,IAAA,EAAM;AACzB,QAAA,IAAA,CAAK,QAAA,GAAW,IAAA;AAAA,MAClB;AAGA,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,IAAA,CAAK,OAAO,eAAA,EAAiB;AACrD,QAAA,cAAA,CAAe,eAAA,GAAkB,KAAK,MAAA,CAAO,eAAA;AAAA,MAC/C;AAGA,MAAA,IAAI,UAAkC,EAAC;AAEvC,MAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AAErB,QAAA,OAAA,GAAU;AAAA,UACR,cAAA,EAAgB;AAAA,SAClB;AACA,QAAA,OAAA,CAAQ,IAAI,oDAAoD,CAAA;AAAA,MAClE,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAM1B,QAAA,MAAM,EAAE,gBAAA,EAAAC,iBAAAA,EAAiB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,kBAAA,EAAA,EAAA,qBAAA,CAAA,CAAA;AACnC,QAAA,MAAM,iBAAA,GAAoBA,kBAAiB,IAAI,CAAA;AAE/C,QAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,WAAA,CAAY;AAAA,UACpD,MAAA,EAAQ,MAAA;AAAA,UACR,IAAA,EAAM,mBAAA;AAAA,UACN,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,UACtB,WAAA;AAAA,UACA,SAAA;AAAA,UACA;AAAA;AAAA,SACD,CAAA;AACD,QAAA,OAAA,GAAU,EAAE,GAAG,WAAA,EAAY;AAI3B,QAAC,KAAa,eAAA,GAAkB,iBAAA;AAAA,MAClC,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,QAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAAc;AAAA,UAClD,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,UACtB,WAAA;AAAA,UACA;AAAA,SACD,CAAA;AACD,QAAA,OAAA,GAAU,EAAE,GAAG,aAAA,EAAc;AAAA,MAC/B,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,MAChD;AAGA,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAavC;AAAA,QACD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,mBAAA;AAAA,QACN,OAAA;AAAA,QACA,IAAA;AAAA,QACA;AAAA,OACD,CAAA;AAID,MAAA,IAAI,YAAA;AACJ,MAAA,IAAI,WAAA,CAAY,OAAA,KAAY,IAAA,IAAQ,WAAA,CAAY,IAAA,EAAM;AAEpD,QAAA,YAAA,GAAe,WAAA,CAAY,IAAA;AAAA,MAC7B,CAAA,MAAA,IAAW,WAAA,CAAY,OAAA,KAAY,KAAA,IAAS,YAAY,KAAA,EAAO;AAE7D,QAAA,MAAM,QAAQ,WAAA,CAAY,KAAA;AAC1B,QAAA,MAAM,IAAI,SAAA;AAAA,UACR,KAAA,CAAM,IAAA,IAAA,cAAA;AAAA,UACN,MAAM,OAAA,IAAW,gBAAA;AAAA,UACjB;AAAA,YACE,QAAQ,KAAA,CAAM,MAAA;AAAA,YACd,eAAe,KAAA,CAAM,aAAA;AAAA,YACrB,SAAA;AAAA,YACA,OAAA,EAAS;AAAA;AACX,SACF;AAAA,MACF,CAAA,MAAA,IAAY,YAAoB,QAAA,EAAU;AAExC,QAAA,YAAA,GAAe,WAAA;AAAA,MACjB,CAAA,MAAO;AACL,QAAA,MAAM,IAAI,SAAA;AAAA,UAAA,kBAAA;AAAA,UAER,0FAAA;AAAA,UACA;AAAA,YACE,SAAA;AAAA,YACA,OAAA,EAAS;AAAA;AACX,SACF;AAAA,MACF;AAGA,MAAA,MAAM,QAAA,GAAW,YAAA,CAAa,QAAA,IAAY,EAAC;AAC3C,MAAA,MAAM,iBAAiB,QAAA,CAAS,UAAA;AAGhC,MAAA,MAAM,MAAA,GAAoC;AAAA,QACxC,UAAU,YAAA,CAAa,QAAA;AAAA,QACvB,WAAA,EAAa,YAAA,CAAa,YAAA,IAAgB,YAAA,CAAa,eAAe,EAAC;AAAA,QACvE,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,UAAA,EAAY,YAAA,CAAa,WAAA,IAAe,YAAA,CAAa,UAAA;AAAA,QACrD,aAAA,EAAe,YAAA,CAAa,cAAA,IAAkB,YAAA,CAAa,aAAA;AAAA,QAC3D,SAAA,EAAW,YAAA,CAAa,UAAA,IAAc,YAAA,CAAa,SAAA;AAAA,QACnD,QAAA,EAAU,YAAA,CAAa,SAAA,IAAa,YAAA,CAAa,QAAA;AAAA,QACjD,MAAA,EAAQ,aAAa,OAAA,GACjB;AAAA,UACE,WAAW,YAAA,CAAa,OAAA,CAAQ,UAAA,KAAe,YAAA,CAAa,QAAQ,SAAA,IAAa,EAAA,CAAA;AAAA,UACjF,UAAA,EAAY,YAAA,CAAa,OAAA,CAAQ,WAAA,IAAe,aAAa,MAAA,EAAQ;AAAA,YAEvE,YAAA,CAAa,MAAA;AAAA,QACjB,QAAA,EAAU,YAAA,CAAa,QAAA,IAAa,WAAA,KAAgB,SAAA;AAAA,QACpD,gBAAA,EAAkB,YAAA,CAAa,kBAAA,IAAsB,YAAA,CAAa,gBAAA,IAAoB,KAAA;AAAA,QACtF,IAAA,EAAM,aAAa,IAAA,IAAQ,WAAA;AAAA,QAC3B,SAAS,YAAA,CAAa,OAAA;AAAA,QACtB,YAAA,EAAc,YAAA,CAAa,aAAA,IAAiB,YAAA,CAAa,YAAA;AAAA,QACzD,gBAAA,EAAkB,YAAA,CAAa,iBAAA,IAAqB,YAAA,CAAa,gBAAA;AAAA,QACjE,GAAI,cAAA,GAAiB;AAAA,UACnB,UAAA,EAAY;AAAA,YACV,UAAA,EAAY,cAAA,CAAe,UAAA,IAAc,cAAA,CAAe,WAAA,IAAe,KAAA;AAAA,YACvE,OAAA,EAAS,cAAA,CAAe,OAAA,IAAW,cAAA,CAAe,QAAA;AAAA,YAClD,cAAA,EAAgB,cAAA,CAAe,cAAA,IAAkB,cAAA,CAAe,eAAA;AAAA,YAChE,WAAA,EAAa,cAAA,CAAe,WAAA,IAAe,cAAA,CAAe;AAAA,WAC5D;AAAA,UACA,mBAAA,EAAqB,QAAA,CAAS,mBAAA,IAAuB,QAAA,CAAS;AAAA,YAC5D,EAAC;AAAA,QACL,QAAA,EAAU;AAAA,UACR,mBAAA,EAAqB,QAAA,CAAS,mBAAA,IAAuB,QAAA,CAAS,qBAAA;AAAA,UAC9D,UAAA,EAAY,QAAA,CAAS,UAAA,IAAc,QAAA,CAAS,WAAA;AAAA,UAC5C,eAAA,EAAiB,QAAA,CAAS,eAAA,IAAmB,QAAA,CAAS;AAAA;AACxD,OACF;AAEA,MAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA;AAG/B,MAAA,MAAM,kBAAA,GAAqB,KAAK,MAAA,CAAO,kBAAA;AACvC,MAAA,MAAM,uBAAA,GAA0B,KAAK,MAAA,CAAO,uBAAA;AAC5C,MAAA,IAAI,kBAAA,IAAsB,IAAA,IAAQ,MAAA,CAAO,QAAA,EAAU,eAAe,kBAAA,EAAoB;AACpF,QAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AACrB,UAAA,OAAA,CAAQ,KAAK,2CAAA,EAA6C;AAAA,YACxD,QAAA,EAAU,kBAAA;AAAA,YACV,QAAA,EAAU,OAAO,QAAA,EAAU,UAAA;AAAA,YAC3B;AAAA,WACD,CAAA;AAAA,QACH;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,sBAAA;AAAA,UACA,OAAO,UAAA,IAAc,SAAA;AAAA,UACrB,MAAA,CAAO,aAAA;AAAA,UACP;AAAA,SACF;AAAA,MACF;AACA,MAAA,IAAI,uBAAA,IAA2B,QAAQ,MAAA,CAAO,QAAA,EAAU,oBAAoB,MAAA,IAAa,MAAA,CAAO,QAAA,CAAS,eAAA,KAAoB,uBAAA,EAAyB;AACpJ,QAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO;AACrB,UAAA,OAAA,CAAQ,KAAK,gDAAA,EAAkD;AAAA,YAC7D,QAAA,EAAU,uBAAA;AAAA,YACV,QAAA,EAAU,OAAO,QAAA,EAAU,eAAA;AAAA,YAC3B;AAAA,WACD,CAAA;AAAA,QACH;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA;AAAA,UACR,2BAAA;AAAA,UACA,OAAO,UAAA,IAAc,SAAA;AAAA,UACrB,MAAA,CAAO,aAAA;AAAA,UACP;AAAA,SACF;AAAA,MACF;AAGA,MAAA,IACE,YAAA,IACA,gBAAgB,SAAA,IAChB,MAAA,CAAO,aAAa,OAAA,IACpB,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,EACb;AACA,QAAA,IAAI,CAAC,MAAA,CAAO,aAAA,IAAiB,CAAC,OAAO,QAAA,EAAU;AAC7C,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,wBAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AACA,QAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAC3C,QAAA,IAAI,OAAO,SAAA,IAAa,IAAA,IAAQ,MAAA,CAAO,SAAA,GAAY,SAAS,CAAA,EAAG;AAC7D,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,wBAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AAEA,QAAA,MAAM,YAAA,GAAe,KAAK,MAAA,CAAO,sBAAA;AACjC,QAAA,IAAI,YAAA,IAAgB,OAAO,aAAA,EAAe;AACxC,UAAA,MAAM,EAAE,eAAA,EAAAC,gBAAAA,EAAiB,wBAAA,EAAAC,yBAAAA,KAA6B,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,wBAAA,EAAA,EAAA,2BAAA,CAAA,CAAA;AAC5D,UAAA,MAAM,OAAA,GAAUD,gBAAAA,CAAgB,MAAA,CAAO,aAAa,CAAA;AACpD,UAAA,IAAI,YAAY,OAAA,CAAQ,MAAA,CAAO,OAAO,EAAA,EAAI,WAAA,OAAkB,OAAA,EAAS;AACnE,YAAA,MAAM,WAAA,GAAc,YAAA,CAAa,UAAA,CAAW,OAAO,CAAA,GAAI,YAAA,GAAe,MAAA,CAAO,IAAA,CAAK,YAAA,EAAc,QAAQ,CAAA,CAAE,QAAA,CAAS,MAAM,CAAA;AACzH,YAAA,MAAM,QAAA,GAAWC,yBAAAA,CAAyB,MAAA,CAAO,aAAA,EAAe,WAAW,CAAA;AAC3E,YAAA,IAAI,aAAa,IAAA,EAAM;AACrB,cAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,cAAA,MAAM,IAAI,sBAAA;AAAA,gBACR,wBAAA;AAAA,gBACA,OAAO,UAAA,IAAc,SAAA;AAAA,gBACrB,MAAA,CAAO,aAAA;AAAA,gBACP;AAAA,eACF;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAEA,QAAA,MAAM,QAAA,GAAW,cAAA,EAAgB,QAAA,IAAY,GAAA,CAAI,cAAA,EAAgB,QAAA;AACjE,QAAA,MAAM,WAAA,GAAe,QAAA,CAAiB,WAAA,IAAgB,QAAA,CAAiB,IAAA;AACvE,QAAA,MAAM,UAAU,oBAAA,CAAqB,QAAA,EAAU,QAAA,EAAU,MAAA,EAAW,QAAW,WAAW,CAAA;AAC1F,QAAA,MAAM,cAAA,GAAiB,gBAAgB,OAAO,CAAA;AAC9C,QAAA,IAAI,cAAA,KAAmB,OAAO,QAAA,EAAU;AACtC,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA;AAAA,YACR,gCAAA;AAAA,YACA,OAAO,UAAA,IAAc,SAAA;AAAA,YACrB,MAAA,CAAO,aAAA;AAAA,YACP;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,aAAa,OAAA,EAAS;AAG/B,QAAA,MAAM,aAAA,GAAgB,OAAO,IAAA,IAAQ,WAAA;AAErC,QAAA,IAAI,kBAAkB,cAAA,EAAgB;AACpC,UAAA,OAAA,CAAQ,KAAK,6DAAA,EAA+D;AAAA,YAC1E,SAAA;AAAA,YACA,aAAa,MAAA,CAAO;AAAA,WACrB,CAAA;AACD,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,OAAO;AAAA,YACL,GAAG,MAAA;AAAA,YACH,QAAA,EAAU,OAAA;AAAA,YACV,QAAA,EAAU,KAAA;AAAA,YACV,IAAA,EAAM,cAAA;AAAA,YACN,OAAA,EAAS;AAAA,WACX;AAAA,QACF;AAEA,QAAA,IAAI,kBAAkB,QAAA,EAAU;AAE9B,UAAA,OAAA,CAAQ,KAAK,mDAAA,EAAqD;AAAA,YAChE,SAAA;AAAA,YACA,aAAa,MAAA,CAAO,WAAA;AAAA,YACpB,eAAe,MAAA,CAAO,aAAA;AAAA,YACtB,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,YACtB,QAAA,EAAU,IAAI,cAAA,EAAgB;AAAA,WAC/B,CAAA;AAGD,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,aAAA,EAAe,SAAS,CAAA;AAGnD,UAAA,OAAO;AAAA,YACL,GAAG,MAAA;AAAA,YACH,QAAA,EAAU,OAAA;AAAA,YACV,QAAA,EAAU,KAAA;AAAA,YACV,gBAAA,EAAkB;AAAA,WACpB;AAAA,QACF;AAGA,QAAA,MAAM,SAAA,GAAa,aAAqB,WAAA,IAAe,SAAA;AACvD,QAAA,MAAM,UAAA,GAAa,MAAA,CAAO,WAAA,CAAY,CAAC,CAAA,IAAK,kBAAA;AAC5C,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,QAAA,MAAM,IAAI,sBAAA,CAAuB,UAAA,EAAY,SAAA,EAAW,MAAA,CAAO,eAAe,SAAS,CAAA;AAAA,MACzF;AAEA,MAAA,IAAI,MAAA,CAAO,aAAa,iBAAA,EAAmB;AAEzC,QAAA,IAAI,KAAK,MAAA,CAAO,YAAA,IAAgB,IAAA,CAAK,YAAA,IAAgB,OAAO,MAAA,EAAQ;AAElE,UAAA,MAAM,eAAA,GAAkB,MAAA,CAAO,MAAA,CAAO,SAAA,IAAa,SAAA;AACnD,UAAA,MAAM,WAAA,GAAe,aAAa,OAAA,EAAiB,aAAA;AACnD,UAAA,MAAM,YAAY,CAAA,gCAAA,EAAmC,IAAA,CAAK,MAAA,CAAO,QAAQ,cAAc,eAAe,CAAA,CAAA;AACtG,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,iBAAA,EAAmB,SAAS,CAAA;AACvD,UAAA,MAAM,IAAI,6BAAA,CAA8B,eAAA,EAAiB,SAAA,EAAW,aAAa,SAAS,CAAA;AAAA,QAC5F,CAAA,MAAO;AAEL,UAAA,MAAM,SAAA,GAAa,aAAqB,WAAA,IAAe,SAAA;AACvD,UAAA,MAAM,UAAA,GAAa,iBAAA;AACnB,UAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,UAAA,MAAM,IAAI,sBAAA,CAAuB,UAAA,EAAY,SAAA,EAAW,MAAA,CAAO,eAAe,SAAS,CAAA;AAAA,QACzF;AAAA,MACF;AAGA,MAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,OAAA,EAAS,SAAS,CAAA;AAC7C,MAAA,OAAO,MAAA;AAAA,IACT,CAAA;AAGA,IAAA,IAAI,mBAAmB,iBAAA,EAAmB;AACxC,MAAA,cAAA,EAAe,CACZ,IAAA,CAAK,CAAC,GAAA,KAAQ;AACb,QAAA,IAAI,GAAA,CAAI,QAAA,KAAa,OAAA,IAAW,GAAA,CAAI,gBAAA,EAAkB;AACpD,UAAA,OAAA,CAAQ,IAAA,CAAK,uCAAA,EAAyC,GAAA,CAAI,WAAW,CAAA;AAAA,QACvE;AACA,QAAA,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,GAAA,CAAI,QAAA,KAAa,OAAA,GAAU,UAAU,aAAA,EAAe,IAAA,CAAK,GAAA,EAAI,GAAI,SAAS,CAAA;AAAA,MACvG,CAAC,CAAA,CACA,KAAA,CAAM,CAAC,GAAA,KAAQ;AACd,QAAA,OAAA,CAAQ,KAAA,CAAM,yCAAyC,GAAG,CAAA;AAC1D,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AAAA,MAC3B,CAAC,CAAA;AACH,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,UAAA,EAAY,SAAA;AAAA,QACZ,aAAA,EAAe,SAAA;AAAA,QACf,aAAa,EAAC;AAAA,QACd,QAAA,EAAU,KAAA;AAAA,QACV,IAAA,EAAM,WAAA;AAAA,QACN,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAGA,IAAA,IAAI;AACF,MAAA,IAAI,KAAK,cAAA,EAAgB;AACvB,QAAA,OAAO,MAAM,IAAA,CAAK,cAAA,CAAe,OAAA,CAAQ,cAAc,CAAA;AAAA,MACzD;AACA,MAAA,OAAO,MAAM,cAAA,EAAe;AAAA,IAC9B,SAAS,KAAA,EAAY;AAInB,MAAA,IAAI,iBAAiB,uBAAA,EAAyB;AAC5C,QAAA,IAAA,CAAK,QAAQ,wBAAA,EAAyB;AACtC,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,KAAc,KAAA,CAAM,IAAA,KAAA,cAAA,uBAAuC,MAAM,IAAA,KAAA,WAAA,iBAAA,EAAmC;AACvH,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,QAAA,MAAM,IAAI,mBAAA;AAAA,UACR,KAAA,CAAM,OAAA;AAAA,UACN,MAAM,MAAA,IAAU,GAAA;AAAA,UAChB;AAAA,SACF;AAAA,MACF;AAGA,MAAA,MAAM,sBACH,KAAA,YAAiB,SAAA,KAAc,KAAA,CAAM,IAAA,KAAA,SAAA,kBAAkC,MAAM,IAAA,KAAA,cAAA,oBAAA,IAC9E,KAAA,YAAiB,0BAAA,IAChB,KAAA,EAAe,SAAS,cAAA,IACxB,KAAA,EAAe,IAAA,KAAS,WAAA,IACxB,OAAe,IAAA,KAAS,WAAA;AAE3B,MAAA,IAAI,mBAAA,EAAqB;AACvB,QAAA,IAAA,CAAK,QAAQ,aAAA,EAAc;AAG3B,QAAA,IAAI,IAAA,CAAK,wBAAwB,WAAA,EAAa;AAE5C,UAAA,OAAA,CAAQ,MAAM,iEAAA,EAAmE;AAAA,YAC/E,SAAA;AAAA,YACA,OAAO,KAAA,CAAM,OAAA;AAAA,YACb,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,YACtB,IAAA,EAAM;AAAA,WACP,CAAA;AACD,UAAA,OAAA,CAAQ,KAAK,4DAA4D,CAAA;AAGzE,UAAA,IAAA,CAAK,QAAQ,aAAA,CAAc,WAAA,EAAa,IAAA,CAAK,GAAA,KAAQ,SAAS,CAAA;AAE9D,UAAA,OAAO;AAAA,YACL,QAAA,EAAU,OAAA;AAAA,YACV,WAAA,EAAa,CAAC,0BAA0B,CAAA;AAAA,YACxC,aAAA,EAAe,SAAA;AAAA,YACf,QAAA,EAAU,KAAA;AAAA,YACV,IAAA,EAAM;AAAA,WACR;AAAA,QACF,CAAA,MAAO;AAEL,UAAA,MAAM,IAAI,0BAAA;AAAA,YACR,CAAA,0DAAA,EAA6D,MAAM,OAAO,CAAA,CAAA;AAAA,YAC1E;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,SAAA,gBAAgC;AACtE,QAAA,IAAA,CAAK,QAAQ,aAAA,EAAc;AAC3B,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,IAAI,0BAAA,CAA2B,CAAA,iBAAA,EAAoB,KAAA,CAAM,OAAO,IAAI,SAAS,CAAA;AAAA,MACrF;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,cAAA,qBAAqC;AAC3E,QAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,QAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,cAAA,CAAe,YAAA,EAAc,OAAO,SAAS,CAAA;AACzE,QAAA,IAAI,cAAA,EAAgB;AAClB,UAAA,OAAO,cAAA;AAAA,QACT;AACA,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,SAAA,IAAa,KAAA,CAAM,IAAA,KAAA,cAAA,qBAAqC;AAC3E,QAAA,OAAA,CAAQ,KAAK,sDAAsD,CAAA;AACnE,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAI,KAAA,YAAiB,sBAAA,IAA0B,KAAA,YAAiB,6BAAA,EAA+B;AAC7F,QAAA,MAAM,KAAA;AAAA,MACR;AAGA,MAAA,IAAA,CAAK,QAAQ,WAAA,EAAY;AACzB,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAA,CACN,IAAA,EACA,KAAA,EACA,SAAA,EACkC;AAClC,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAE/B,MAAA,OAAA,CAAQ,KAAK,kEAAkE,CAAA;AAC/E,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,WAAA,EAAa,CAAC,iBAAiB,CAAA;AAAA,QAC/B,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAEA,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAE/B,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,IAAI,SAAS,kBAAA,EAAoB;AAG/B,MAAA,OAAA,CAAQ,KAAK,kEAAkE,CAAA;AAC/E,MAAA,OAAO;AAAA,QACL,QAAA,EAAU,OAAA;AAAA,QACV,WAAA,EAAa,CAAC,iBAAiB,CAAA;AAAA,QAC/B,aAAA,EAAe;AAAA,OACjB;AAAA,IACF;AAEA,IAAA,OAAO,IAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAyD;AACvD,IAAA,OAAO,IAAA,CAAK,QAAQ,UAAA,EAAW;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,wBAAA,GAA4E;AAC1E,IAAA,OAAO,IAAA,CAAK,cAAA,EAAgB,UAAA,EAAW,IAAK,IAAA;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,IAAA,EAGY;AAChC,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,MAAA,MAAM,IAAI,wBAAA,CAAyB,IAAA,CAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,IAAY,IAAA,CAAK,MAAA,CAAO,QAAA;AAC9C,IAAA,MAAM,MAAA,GAAS,IAAI,YAAA,CAAa;AAAA,MAC9B,YAAY,IAAA,CAAK,UAAA;AAAA,MACjB,QAAA;AAAA,MACA,iBAAA,EAAmB,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,iBAAA;AAAA,MACvC,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ;AAAA,KAChC,CAAA;AAED,IAAA,OAAO,MAAA,CAAO,SAAA,CAAU,IAAA,CAAK,SAAS,CAAA;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,IAAA,EAIK;AAC7B,IAAA,IAAI,CAAC,KAAK,YAAA,EAAc;AACtB,MAAA,MAAM,IAAI,wBAAA,CAAyB,IAAA,CAAK,SAAS,CAAA;AAAA,IACnD;AAEA,IAAA,OAAO,IAAA,CAAK,YAAA,CAAa,aAAA,CAAc,IAAA,CAAK,SAAA,EAAW;AAAA,MACrD,SAAA,EAAW,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,OAAO,MAAA,EAAQ,SAAA;AAAA,MACjD,UAAA,EAAY,IAAA,CAAK,UAAA,IAAc,IAAA,CAAK,OAAO,MAAA,EAAQ;AAAA,KACpD,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBAAgB,MAAA,EAOyD;AAC7E,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,QAAA,CAAS;AAAA,MACnC,UAAU,MAAA,CAAO,QAAA;AAAA,MACjB,gBAAgB,MAAA,CAAO;AAAA,KACxB,CAAA;AACD,IAAA,IAAI,QAAA,CAAS,aAAa,OAAA,EAAS;AACjC,MAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,MAAA,CAAO,IAAA,CAAK;AAAA,QACzC,OAAO,MAAA,CAAO,KAAA;AAAA,QACd,SAAS,MAAA,CAAO,OAAA;AAAA,QAChB,SAAA,EAAW,OAAO,SAAA,IAAa;AAAA,OAChC,CAAA;AACD,MAAA,OAAO,EAAE,UAAU,SAAA,EAAU;AAAA,IAC/B;AACA,IAAA,OAAO,EAAE,QAAA,EAAS;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,gBAAgB,GAAA,EAA+D;AACnF,IAAA,MAAM,YAAYL,OAAAA,EAAO;AACzB,IAAA,MAAM,cAAc,KAAA,EAAM;AAC1B,IAAA,MAAM,QAAA,GAAgB,EAAE,GAAG,GAAA,CAAI,QAAA,EAAS;AACxC,IAAA,IAAI,QAAA,CAAS,EAAA,IAAM,CAAC,QAAA,CAAS,SAAA,EAAW;AACtC,MAAA,QAAA,CAAS,YAAY,QAAA,CAAS,EAAA;AAC9B,MAAA,OAAO,QAAA,CAAS,EAAA;AAAA,IAClB;AACA,IAAA,IAAI,CAAC,QAAA,CAAS,aAAA,IAAiB,QAAA,CAAS,OAAA,WAAkB,aAAA,GAAgB,KAAA;AAC1E,IAAA,MAAM,cAAA,GAAiB;AAAA,MACrB,GAAG,GAAA,CAAI,cAAA;AAAA,MACP,QAAA,EAAU,GAAA,CAAI,cAAA,EAAgB,QAAA,IAAY,IAAI,SAAA,CAAU;AAAA,KAC1D;AACA,IAAA,MAAM,IAAA,GAAO;AAAA,MACX,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,MACtB,SAAA;AAAA,MACA,WAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAW,GAAA,CAAI,SAAA;AAAA,MACf;AAAA,KACF;AACA,IAAA,IAAI,OAAA,GAAkC,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAC3E,IAAA,IAAI,IAAA,CAAK,OAAO,KAAA,EAAO,CAEvB,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,MAAA,MAAM,EAAE,gBAAA,EAAAG,iBAAAA,EAAiB,GAAI,MAAM,OAAA,CAAA,OAAA,EAAA,CAAA,IAAA,CAAA,OAAA,kBAAA,EAAA,EAAA,qBAAA,CAAA,CAAA;AACnC,MAAA,MAAM,iBAAA,GAAoBA,kBAAiB,IAAI,CAAA;AAC/C,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,WAAA,CAAY;AAAA,QACpD,MAAA,EAAQ,MAAA;AAAA,QACR,IAAA,EAAM,2BAAA;AAAA,QACN,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,WAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACD,CAAA;AACD,MAAA,OAAA,GAAU,EAAE,GAAG,WAAA,EAAY;AAC3B,MAAC,KAAa,eAAA,GAAkB,iBAAA;AAAA,IAClC,CAAA,MAAA,IAAW,KAAK,UAAA,EAAY;AAC1B,MAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,UAAA,CAAW,aAAA,CAAc;AAAA,QAClD,QAAA,EAAU,KAAK,MAAA,CAAO,QAAA;AAAA,QACtB,WAAA;AAAA,QACA;AAAA,OACD,CAAA;AACD,MAAA,OAAA,GAAU,EAAE,GAAG,aAAA,EAAc;AAAA,IAC/B,CAAA,MAAO;AACL,MAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,IAChD;AACA,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,UAAA,CAAW,OAAA,CAA2E;AAAA,MACnH,MAAA,EAAQ,MAAA;AAAA,MACR,IAAA,EAAM,2BAAA;AAAA,MACN,OAAA;AAAA,MACA,IAAA;AAAA,MACA;AAAA,KACD,CAAA;AACD,IAAA,IAAI,WAAA,CAAY,OAAA,KAAY,IAAA,IAAS,WAAA,CAAoB,IAAA,EAAM;AAC7D,MAAA,MAAM,OAAQ,WAAA,CAAoB,IAAA;AAClC,MAAA,IAAI,IAAA,CAAK,aAAa,2BAAA,EAA6B;AACjD,QAAA,OAAA,CAAQ,KAAK,iEAAA,EAAmE;AAAA,UAC9E,SAAA;AAAA,UACA,aAAa,IAAA,CAAK;AAAA,SACnB,CAAA;AAAA,MACH;AACA,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,IAAK,YAAoB,KAAA,EAAO;AAC9B,MAAA,MAAM,MAAO,WAAA,CAAoB,KAAA;AACjC,MAAA,MAAM,IAAI,SAAA,CAAU,GAAA,CAAI,QAAQ,cAAA,EAAgB,GAAA,CAAI,WAAW,gBAAA,EAAkB;AAAA,QAC/E,QAAQ,GAAA,CAAI,MAAA;AAAA,QACZ,eAAe,GAAA,CAAI,aAAA;AAAA,QACnB;AAAA,OACD,CAAA;AAAA,IACH;AACA,IAAA,MAAM,IAAI,SAAA,CAAA,kBAAA,yBAA0C,wCAAA,EAA0C,EAAE,WAAW,CAAA;AAAA,EAC7G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAoBA,aAAA,CACE,WACA,OAAA,EACkB;AAClB,IAAA,OAAO,aAAA,CAAc,SAAA,EAAkB,IAAA,EAAM,OAAO,CAAA;AAAA,EACtD;AACF;AAKO,SAAS,iBAAiB,MAAA,EAAsC;AACrE,EAAA,OAAO,IAAI,WAAW,MAAM,CAAA;AAC9B;;;ACxgCO,IAAM,OAAN,MAAW;AAAA,EACC,MAAA;AAAA,EAEjB,YAAY,IAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAA,EAAM,MAAA,IAAU,OAAA,CAAQ,GAAA,CAAI,kBAAA;AAAA,EAC5C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,OAAO,QAAQ,SAAA,EAAmD;AAChE,IAAA,MAAM,OAAA,GAAU,QAAQ,GAAA,CAAI,aAAA;AAC5B,IAAA,MAAM,QAAA,GAAW,QAAQ,GAAA,CAAI,cAAA;AAC7B,IAAA,MAAM,MAAA,GAAS,QAAQ,GAAA,CAAI,YAAA;AAC3B,IAAA,MAAM,KAAA,GAAQ,QAAQ,GAAA,CAAI,WAAA;AAC1B,IAAA,MAAM,UAAA,GAAa,QAAQ,GAAA,CAAI,gBAAA;AAC/B,IAAA,MAAM,IAAA,GAAQ,OAAA,CAAQ,GAAA,CAAI,SAAA,IAAsC,QAAA;AAEhE,IAAA,IAAI,CAAC,OAAA,IAAW,CAAC,QAAA,EAAU;AACzB,MAAA,MAAM,IAAI,MAAM,qEAAqE,CAAA;AAAA,IACvF;AAEA,IAAA,IAAI,IAAA;AACJ,IAAA,IAAI,MAAA,EAAQ;AACV,MAAA,IAAA,GAAO,EAAE,IAAA,EAAM,QAAA,EAAU,MAAA,EAAO;AAAA,IAClC,CAAA,MAAA,IAAW,SAAS,UAAA,EAAY;AAC9B,MAAA,IAAA,GAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,KAAA,EAAO,QAAQ,UAAA,EAAW;AAAA,IACnD,CAAA,MAAO;AACL,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,OAAO,IAAI,UAAA,CAAW;AAAA,MACpB,OAAA;AAAA,MACA,QAAA;AAAA,MACA,IAAA;AAAA,MACA,IAAA;AAAA,MACA,GAAG;AAAA,KACJ,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,KAAA,CACJ,IAAA,EACA,EAAA,EACY;AACZ,IAAA,OAAO,EAAA,EAAG;AAAA,EACZ;AACF;ACrCO,IAAM,eAAN,MAA4C;AAAA,EAChC,MAAA;AAAA,EAEjB,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,SAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,SAAA;AAAA,EACvB;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AAGA,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,eAAe,CAAA;AAGxG,IAAA,MAAM,SAAA,GAA8B;AAAA,MAClC,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AAAA,MACpC,WAAA,EAAc,OAAA,CAAQ,WAAA,IAAe,IAAA,CAAK,OAAO,kBAAA,IAAsB,KAAA;AAAA,MACvE,gBAAA,EAAkB;AAAA,KACpB;AAGA,IAAA,MAAM,OAAA,GAAU,IAAIJ,qBAAAA,CAAY,SAAS,CAAA;AACzC,IAAA,MAAM,WAAW,MAAM,IAAA,CAAK,MAAA,CAAO,SAAA,CAAU,KAAK,OAAO,CAAA;AAEzD,IAAA,IAAI,CAAC,SAAS,SAAA,EAAW;AACvB,MAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,IAC3D;AAEA,IAAA,OAAO;AAAA,MACL,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,SAAS,CAAA;AAAA,MACzC,KAAA,EAAO,QAAA,CAAS,KAAA,IAAS,OAAA,CAAQ,KAAA;AAAA,MACjC,SAAA,EAAW,SAAS,gBAAA,IAAoB,SAAA;AAAA,MACxC,QAAA,EAAU;AAAA,QACR,OAAO,QAAA,CAAS,KAAA;AAAA,QAChB,kBAAkB,QAAA,CAAS;AAAA;AAC7B,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAAgE;AAEnF,IAAA,IAAI,OAAO,MAAA,CAAOO,8BAAoB,CAAA,CAAE,QAAA,CAAS,SAAiC,CAAA,EAAG;AACnF,MAAA,OAAO,SAAA;AAAA,IACT;AAGA,IAAA,MAAM,YAAA,GAAqD;AAAA,MACzD,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,iBAAiBA,8BAAA,CAAqB,aAAA;AAAA,MACtC,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,sBAAsBA,8BAAA,CAAqB,kBAAA;AAAA,MAC3C,6BAA6BA,8BAAA,CAAqB,yBAAA;AAAA,MAClD,6BAA6BA,8BAAA,CAAqB,yBAAA;AAAA,MAClD,6BAA6BA,8BAAA,CAAqB;AAAA,KACpD;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,KAAKA,8BAAA,CAAqB,aAAA;AAAA,EACvE;AACF;;;AC1CO,IAAM,cAAN,MAA2C;AAAA,EAC/B,MAAA;AAAA,EACT,SAAA,GAA2B,IAAA;AAAA,EAEnC,YAAY,MAAA,EAA2B;AACrC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,SAAA,EAAW,SAAA;AAAA,MACX,GAAG;AAAA,KACL;AAAA,EACF;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,iBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,QAAA,KAAa,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,CAAC,CAAC,KAAK,MAAA,CAAO,OAAA,CAAA;AAAA,EACzE;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,6BAA6B,CAAA;AAAA,IAC/C;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,SAAA,IAAa,IAAA,CAAK,OAAO,OAAA,EAAS;AAC1C,MAAA,MAAM,KAAK,mBAAA,EAAoB;AAAA,IACjC;AAEA,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,KAAA,IAAS,IAAA,CAAK,SAAA;AACxC,IAAA,IAAI,CAAC,KAAA,EAAO;AACV,MAAA,MAAM,IAAI,MAAM,0CAA0C,CAAA;AAAA,IAC5D;AAGA,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,gBAAgB,CAAA;AAGzG,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,QAAQ,CAAA,IAAA,EAAO,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,MAAA,EAAS,OAAA,CAAQ,KAAK,CAAA,CAAA;AAGrF,IAAA,MAAM,gBAAgB,MAAA,CAAO,IAAA,CAAK,QAAQ,OAAO,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEpE,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,KAAA,EAAO,aAAA;AAAA,MACP,GAAI,SAAA,IAAa,EAAE,SAAA,EAAU;AAAA,MAC7B,GAAI,OAAA,CAAQ,OAAA,IAAW;AAAC,KAC1B;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa,OAAA,IAAW,GAAA;AACpD,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE9D,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,eAAA,EAAiB;AAAA,SACnB;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAAA,QAChC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAED,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,mBAAA,EAAsB,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,MACtE;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,MAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,CAAC,IAAA,CAAK,KAAK,SAAA,EAAW;AACtC,QAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,MACzD;AAIA,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAM,GAAG,CAAA;AACpD,MAAA,MAAM,eAAA,GAAkB,cAAA,CAAe,cAAA,CAAe,MAAA,GAAS,CAAC,CAAA;AAChE,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,IAAA,CAAK,eAAA,EAAiB,QAAQ,CAAA;AAEvD,MAAA,OAAO;AAAA,QACL,SAAA;AAAA,QACA,OAAO,OAAA,CAAQ,KAAA;AAAA,QACf,SAAA;AAAA,QACA,QAAA,EAAU;AAAA,UACR,cAAA,EAAgB,KAAK,IAAA,CAAK,SAAA;AAAA,UAC1B,UAAA,EAAY,KAAK,IAAA,CAAK;AAAA;AACxB,OACF;AAAA,IACF,SAAS,KAAA,EAAY;AACnB,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,KAAA,CAAM,SAAS,YAAA,EAAc;AAC/B,QAAA,MAAM,IAAI,MAAM,4BAA4B,CAAA;AAAA,MAC9C;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,mBAAA,GAAqC;AACjD,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,OAAA,EAAS;AACxB,MAAA,MAAM,IAAI,MAAM,wBAAwB,CAAA;AAAA,IAC1C;AAEA,IAAA,MAAM,GAAA,GAAM,CAAA,EAAG,IAAA,CAAK,MAAA,CAAO,QAAQ,CAAA,sBAAA,CAAA;AAEnC,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MAChC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACnB,OAAA,EAAS,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA;AAAA,QAC7B,SAAA,EAAW,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ;AAAA,OAChC;AAAA,KACF,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,IACxF;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,IAAA,IAAI,CAAC,IAAA,CAAK,IAAA,IAAQ,CAAC,IAAA,CAAK,KAAK,YAAA,EAAc;AACzC,MAAA,MAAM,IAAI,MAAM,qDAAqD,CAAA;AAAA,IACvE;AAEA,IAAA,IAAA,CAAK,SAAA,GAAY,KAAK,IAAA,CAAK,YAAA;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAA2B;AAC9C,IAAA,MAAM,YAAA,GAAuC;AAAA,MAC3C,eAAA,EAAiB,gBAAA;AAAA,MACjB,eAAA,EAAiB,gBAAA;AAAA,MACjB,eAAA,EAAiB,gBAAA;AAAA,MACjB,oBAAA,EAAsB,cAAA;AAAA,MACtB,oBAAA,EAAsB,cAAA;AAAA,MACtB,oBAAA,EAAsB;AAAA,KACxB;AAGA,IAAA,IAAI,UAAU,UAAA,CAAW,QAAQ,KAAK,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA,EAAG;AAClE,MAAA,OAAO,SAAA;AAAA,IACT;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,CAAA,IAAK,gBAAA;AAAA,EAClD;AACF;;;AC1JO,IAAM,eAAN,MAA4C;AAAA,EAChC,MAAA;AAAA,EACT,WAAA,GAA6B,IAAA;AAAA,EAC7B,WAAA,GAAsB,CAAA;AAAA,EAE9B,YAAY,MAAA,EAA4B;AACtC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,mBAAA,EAAqB,KAAA;AAAA,MACrB,GAAG;AAAA,KACL;AAAA,EACF;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,kBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,IAAI,IAAA,CAAK,OAAO,mBAAA,EAAqB;AACnC,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,eAAe,CAAC,CAAC,KAAK,MAAA,CAAO,SAAA;AAAA,EACpD;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,+BAA+B,CAAA;AAAA,IACjD;AAGA,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,cAAA,EAAe;AAG9C,IAAA,MAAM,SAAA,GAAY,KAAK,YAAA,CAAa,OAAA,CAAQ,aAAa,IAAA,CAAK,MAAA,CAAO,oBAAoB,qBAAqB,CAAA;AAI9G,IAAA,MAAM,OAAA,GAAU,QAAQ,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,GACtC,OAAA,CAAQ,KAAA,GACR,CAAA,SAAA,EAAY,IAAA,CAAK,MAAA,CAAO,SAAS,CAAA,WAAA,EAAc,IAAA,CAAK,OAAO,QAAQ,CAAA,UAAA,EAAa,KAAK,MAAA,CAAO,OAAO,CAAA,YAAA,EAAe,OAAA,CAAQ,KAAK,CAAA,CAAA;AAGnI,IAAA,MAAM,GAAA,GAAM,sCAAsC,OAAO,CAAA,eAAA,CAAA;AAGzD,IAAA,MAAM,gBAAgB,MAAA,CAAO,IAAA,CAAK,QAAQ,OAAO,CAAA,CAAE,SAAS,QAAQ,CAAA;AAEpE,IAAA,MAAM,WAAA,GAAc;AAAA,MAClB,MAAA,EAAQ;AAAA,QACN,MAAA,EAAQ;AAAA;AAAA;AACV,KACF;AAEA,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa,OAAA,IAAW,GAAA;AACpD,IAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,IAAA,MAAM,YAAY,UAAA,CAAW,MAAM,UAAA,CAAW,KAAA,IAAS,OAAO,CAAA;AAE9D,IAAA,IAAI;AACF,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,QAChC,MAAA,EAAQ,MAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,cAAA,EAAgB,kBAAA;AAAA,UAChB,eAAA,EAAiB,UAAU,WAAW,CAAA;AAAA,SACxC;AAAA,QACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AAAA,QAChC,QAAQ,UAAA,CAAW;AAAA,OACpB,CAAA;AAED,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,SAAA,GAAY,MAAM,QAAA,CAAS,IAAA,EAAK;AACtC,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qBAAA,EAAwB,SAAS,MAAM,CAAA,CAAA,EAAI,SAAS,CAAA,CAAE,CAAA;AAAA,MACxE;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAEjC,MAAA,IAAI,CAAC,KAAK,SAAA,EAAW;AACnB,QAAA,MAAM,IAAI,MAAM,yCAAyC,CAAA;AAAA,MAC3D;AAGA,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,IAAA,CAAK,IAAA,CAAK,WAAW,QAAQ,CAAA;AAEtD,MAAA,OAAO;AAAA,QACL,SAAA;AAAA,QACA,OAAO,OAAA,CAAQ,KAAA;AAAA,QACf,SAAA;AAAA,QACA,QAAA,EAAU;AAAA,UACR,MAAM,IAAA,CAAK,IAAA;AAAA,UACX,sBAAsB,IAAA,CAAK;AAAA;AAC7B,OACF;AAAA,IACF,SAAS,KAAA,EAAY;AACnB,MAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,MAAA,IAAI,KAAA,CAAM,SAAS,YAAA,EAAc;AAC/B,QAAA,MAAM,IAAI,MAAM,8BAA8B,CAAA;AAAA,MAChD;AAEA,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,cAAA,GAAkC;AAE9C,IAAA,IAAI,IAAA,CAAK,eAAe,IAAA,CAAK,GAAA,KAAQ,IAAA,CAAK,WAAA,GAAc,CAAA,GAAI,EAAA,GAAK,GAAA,EAAM;AACrE,MAAA,OAAO,IAAA,CAAK,WAAA;AAAA,IACd;AAEA,IAAA,IAAI,IAAA,CAAK,OAAO,mBAAA,EAAqB;AAEnC,MAAA,MAAM,WAAA,GAAc,4FAAA;AAEpB,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,WAAA,EAAa;AAAA,QACxC,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS;AAAA,UACP,iBAAA,EAAmB;AAAA;AACrB,OACD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,4CAAA,EAA+C,QAAA,CAAS,MAAM,CAAA,CAAE,CAAA;AAAA,MAClF;AAEA,MAAA,MAAM,IAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AACjC,MAAA,IAAA,CAAK,cAAc,IAAA,CAAK,YAAA;AACxB,MAAA,IAAA,CAAK,WAAA,GAAc,IAAA,CAAK,GAAA,EAAI,GAAK,KAAK,UAAA,GAAa,GAAA;AAEnD,MAAA,OAAO,IAAA,CAAK,YAAA;AAAA,IACd,CAAA,MAAO;AAEL,MAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,WAAA,EAAa;AAC5B,QAAA,MAAM,IAAI,MAAM,gCAAgC,CAAA;AAAA,MAClD;AAQA,MAAA,MAAM,IAAI,MAAM,yLAAyL,CAAA;AAAA,IAC3M;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,SAAA,EAA2B;AAC9C,IAAA,MAAM,YAAA,GAAuC;AAAA,MAC3C,eAAA,EAAiB,qBAAA;AAAA,MACjB,eAAA,EAAiB,qBAAA;AAAA,MACjB,eAAA,EAAiB,qBAAA;AAAA,MACjB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,oBAAA,EAAsB,0BAAA;AAAA,MACtB,2BAAA,EAA6B,4BAAA;AAAA,MAC7B,2BAAA,EAA6B,4BAAA;AAAA,MAC7B,2BAAA,EAA6B;AAAA,KAC/B;AAGA,IAAA,IAAI,UAAU,UAAA,CAAW,UAAU,KAAK,SAAA,CAAU,UAAA,CAAW,WAAW,CAAA,EAAG;AACzE,MAAA,OAAO,SAAA;AAAA,IACT;AAEA,IAAA,OAAO,YAAA,CAAa,SAAA,CAAU,WAAA,EAAa,CAAA,IAAK,qBAAA;AAAA,EAClD;AACF;AC1MO,IAAM,mBAAN,MAAgD;AAAA,EACpC,MAAA;AAAA,EACA,UAAA;AAAA,EAEjB,YAAY,MAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,2BAAA;AAAA,EACzC;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,YAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,UAAU,CAAC,CAAC,KAAK,MAAA,CAAO,SAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,IAAA,CAAK,WAAA,EAAY,EAAG;AACvB,MAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,IAC1D;AAEA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,KAAA,CAAM,gCAAgC,CAAA;AACvE,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,GAAG,cAAA,EAAgB,OAAO,CAAA,GAAI,UAAA;AAEpC,IAAA,MAAM,UAAA,GACJ,OAAA,CAAQ,OAAA,YAAmB,MAAA,GACvB,QAAQ,OAAA,CAAQ,QAAA,CAAS,KAAK,CAAA,GAC9B,OAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA,CAAE,SAAS,KAAK,CAAA;AACjD,IAAA,MAAM,SAAA,GACH,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAyB,OAAA,CAAiD,SAAA;AAE9F,IAAA,MAAM,SAAA,GAA0C;AAAA,MAC9C,SAAA,EAAW,KAAA;AAAA,MACX,MAAA,EAAQ,EAAE,IAAA,EAAM,eAAA,EAAiB,IAAI,cAAA,EAAe;AAAA,MACpD,OAAA;AAAA,MACA,IAAA,EAAM,CAAA,sBAAA,EAAyB,SAAA,IAAa,SAAS,CAAA,CAAA;AAAA,MACrD,eAAA,EAAiB;AAAA,QACf,cAAA,EAAgB;AAAA,UACd,QAAA,EAAU,CAAC,EAAE,OAAA,EAAS,YAAY;AAAA;AACpC;AACF,KACF;AAEA,IAAA,MAAM,QAAQ,IAAA,CAAK,eAAA,CAAgB,oBAAoB,IAAA,CAAK,SAAA,CAAU,SAAS,CAAC,CAAA;AAEhF,IAAA,MAAM,WAAW,MAAM,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,UAAU,CAAA,gBAAA,CAAA,EAAoB;AAAA,MACjE,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,cAAA,EAAgB,kBAAA;AAAA,QAChB,WAAA,EAAa,KAAK,MAAA,CAAO,MAAA;AAAA,QACzB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA,OAChC;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,SAAS;AAAA,KAC/B,CAAA;AAED,IAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,MAAA,MAAM,KAAA,GAAQ,MAAM,QAAA,CAAS,IAAA,EAAK;AAClC,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,SAAS,MAAM,CAAA,CAAA,EAAI,KAAK,CAAA,CAAE,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,MAAA,GAAU,MAAM,QAAA,CAAS,IAAA,EAAK;AACpC,IAAA,MAAM,OAAO,MAAA,CAAO,EAAA;AACpB,IAAA,IAAI,CAAC,IAAA,EAAM;AACT,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAAA,IAChE;AAEA,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA,CAAgB,IAAI,CAAA;AAC9C,IAAA,MAAM,SAAS,MAAA,EAAQ,SAAA,IAAc,MAAA,EAA+D,cAAA,GAAiB,CAAC,CAAA,EAAG,SAAA;AACzH,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,IAAI,CAAA,yBAAA,CAA2B,CAAA;AAAA,IAC3E;AAEA,IAAA,OAAO;AAAA,MACL,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,KAAK,CAAA;AAAA,MACpC,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,SAAA,EAAW,QAAQ,SAAA,IAAa;AAAA,KAClC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,eAAA,CAAgB,KAAa,QAAA,EAA2B;AAC9D,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,KAAA,GAAQC,kBAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAC5C,IAAA,MAAM,QAAA,GAAW,QAAA,GACbb,iBAAAA,CAAW,QAAQ,CAAA,CAAE,MAAA,CAAO,QAAA,EAAU,MAAM,CAAA,CAAE,MAAA,CAAO,KAAK,CAAA,GAC1D,EAAA;AAEJ,IAAA,MAAM,OAAA,GAAU;AAAA,MACd,GAAA;AAAA,MACA,KAAA;AAAA,MACA,GAAA,EAAK,GAAA;AAAA,MACL,KAAK,GAAA,GAAM,EAAA;AAAA,MACX,GAAA,EAAK,KAAK,MAAA,CAAO,MAAA;AAAA,MACjB;AAAA,KACF;AAEA,IAAA,MAAM,MAAA,GAAS,EAAE,GAAA,EAAK,OAAA,EAAS,KAAK,KAAA,EAAM;AAC1C,IAAA,MAAM,aAAA,GAAgB,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,MAAM,CAAC,CAAA;AAC5D,IAAA,MAAM,cAAA,GAAiB,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AAC9D,IAAA,MAAM,YAAA,GAAe,CAAA,EAAG,aAAa,CAAA,CAAA,EAAI,cAAc,CAAA,CAAA;AAEvD,IAAA,MAAM,IAAA,GAAOc,kBAAW,YAAY,CAAA;AACpC,IAAA,IAAA,CAAK,OAAO,YAAY,CAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,IAAA,CAAK,IAAA,CAAK,OAAO,SAAS,CAAA;AACjD,IAAA,MAAM,UAAA,GAAa,gBAAgB,SAAS,CAAA;AAE5C,IAAA,OAAO,CAAA,EAAG,YAAY,CAAA,CAAA,EAAI,UAAU,CAAA,CAAA;AAAA,EACtC;AAAA,EAEA,MAAc,eAAA,CACZ,IAAA,EACA,WAAA,GAAc,EAAA,EACmE;AACjF,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,EAAa,CAAA,EAAA,EAAK;AACpC,MAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,eAAA,CAAgB,CAAA,iBAAA,EAAoB,IAAI,CAAA,CAAE,CAAA;AAC7D,MAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,CAAA,EAAG,KAAK,UAAU,CAAA,iBAAA,EAAoB,IAAI,CAAA,CAAA,EAAI;AAAA,QACzE,OAAA,EAAS;AAAA,UACP,WAAA,EAAa,KAAK,MAAA,CAAO,MAAA;AAAA,UACzB,aAAA,EAAe,UAAU,KAAK,CAAA;AAAA;AAChC,OACD,CAAA;AAED,MAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,MAAM,QAAA,CAAS,IAAA,EAAM,CAAA,CAAE,CAAA;AAAA,MAChF;AAEA,MAAA,MAAM,EAAA,GAAM,MAAM,QAAA,CAAS,IAAA,EAAK;AAMhC,MAAA,IAAI,EAAA,CAAG,WAAW,WAAA,EAAa;AAC7B,QAAA,OAAO,EAAA,CAAG,cAAA,GAAiB,CAAC,CAAA,GAAI,EAAE,SAAA,EAAW,EAAA,CAAG,cAAA,CAAe,CAAC,CAAA,CAAE,SAAA,EAAU,GAAI,EAAA;AAAA,MAClF;AACA,MAAA,IAAI,EAAA,CAAG,MAAA,KAAW,QAAA,IAAY,EAAA,CAAG,WAAW,UAAA,EAAY;AACtD,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,uBAAA,EAA0B,IAAI,CAAA,SAAA,EAAY,EAAA,CAAG,MAAM,CAAA,CAAE,CAAA;AAAA,MACvE;AAEA,MAAA,MAAM,IAAI,OAAA,CAAQ,CAAC,MAAM,UAAA,CAAW,CAAA,EAAG,GAAI,CAAC,CAAA;AAAA,IAC9C;AAEA,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,CAAA,uBAAA,EAA0B,IAAI,CAAA,yBAAA,EAA4B,WAAW,CAAA,QAAA;AAAA,KACvE;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,KAAA,EAAgC;AACvD,EAAA,MAAM,GAAA,GACJ,OAAO,KAAA,KAAU,QAAA,GACb,OAAO,IAAA,CAAK,KAAA,EAAO,MAAM,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAA,GAC5C,KAAA,CAAM,SAAS,QAAQ,CAAA;AAC7B,EAAA,OAAO,GAAA,CAAI,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,EAAE,CAAA;AACtE;ACzLA,IAAMC,QAAAA,GAAUC,sBAAA,CAAc,2PAAe,CAAA;AAa7C,IAAM,UAAA,GACJ,wKAAA;AAGF,SAAS,kBAAkB,SAAA,EAA2B;AACpD,EAAA,QAAQ,SAAA;AAAW,IACjB,KAAK,kBAAA;AACH,MAAA,OAAO,WAAU,CAAE,gBAAA;AAAA,IACrB,KAAK,cAAA;AAEH,MAAA,OAAO,WAAU,CAAE,mBAAA;AAAA,IACrB;AACE,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,+BAAA,EAAkC,SAAS,CAAA,CAAE,CAAA;AAAA;AAEnE;AAGA,IAAI,YAAA,GAAoB,MAAA;AAExB,SAAS,SAAA,GAAiB;AACxB,EAAA,IAAI,iBAAiB,MAAA,EAAW;AAC9B,IAAA,IAAI,YAAA,KAAiB,IAAA,EAAM,MAAM,IAAI,MAAM,UAAU,CAAA;AACrD,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI;AACF,IAAA,YAAA,GAAeD,SAAQ,UAAU,CAAA;AACjC,IAAA,OAAO,YAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AACN,IAAA,YAAA,GAAe,IAAA;AACf,IAAA,MAAM,IAAI,MAAM,UAAU,CAAA;AAAA,EAC5B;AACF;AAEO,IAAM,oBAAN,MAAiD;AAAA,EAC9C,OAAA,GAAkB,EAAA;AAAA,EAClB,GAAA,GAAc,EAAA;AAAA,EACd,MAAA,GAAc,IAAA;AAAA,EACd,OAAA,GAAyB,IAAA;AAAA,EACzB,WAAA,GAAc,KAAA;AAAA,EAEtB,MAAM,UAAA,CAAW,WAAA,EAAqB,GAAA,EAAa,OAAA,EAAmD;AACpG,IAAA,MAAM,IAAI,SAAA,EAAU;AACpB,IAAA,IAAA,CAAK,OAAA,GAAU,WAAA;AACf,IAAA,IAAA,CAAK,GAAA,GAAM,GAAA;AACX,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,CAAA,CAAE,MAAA,EAAO;AAC3B,IAAA,IAAA,CAAK,MAAA,CAAO,KAAK,WAAW,CAAA;AAC5B,IAAA,IAAA,CAAK,OAAO,YAAA,EAAa;AACzB,IAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AAEnB,IAAA,MAAM,KAAA,GAAQ,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,IAAI,CAAA;AAC5C,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AAChC,MAAA,MAAM,KAAK,KAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,uCAAuC,CAAA;AAAA,IACzD;AACA,IAAA,MAAM,SAAA,GAAY,SAAS,MAAA,IAAU,CAAA;AACrC,IAAA,IAAI,SAAA,GAAY,CAAA,IAAK,SAAA,IAAa,KAAA,CAAM,MAAA,EAAQ;AAC9C,MAAA,MAAM,KAAK,KAAA,EAAM;AACjB,MAAA,MAAM,IAAI,MAAM,CAAA,gBAAA,EAAmB,SAAS,qBAAqB,KAAA,CAAM,MAAA,GAAS,CAAC,CAAA,CAAA,CAAG,CAAA;AAAA,IACtF;AACA,IAAA,MAAM,IAAA,GAAO,MAAM,SAAS,CAAA;AAC5B,IAAA,MAAM,KAAA,GAAQ,CAAA,CAAE,kBAAA,GAAqB,CAAA,CAAE,cAAA;AACvC,IAAA,IAAA,CAAK,OAAA,GAAU,IAAA,CAAK,MAAA,CAAO,aAAA,CAAc,MAAM,KAAK,CAAA;AACpD,IAAA,IAAA,CAAK,OAAO,OAAA,CAAQ,IAAA,CAAK,OAAA,EAAS,CAAA,CAAE,UAAU,GAAG,CAAA;AAAA,EACnD;AAAA,EAEA,MAAM,IAAA,CAAK,SAAA,EAAmB,SAAA,EAAmB,IAAA,EAA+B;AAC9E,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,IAAU,CAAC,KAAK,OAAA,EAAS;AACjC,MAAA,MAAM,IAAI,MAAM,2DAA2D,CAAA;AAAA,IAC7E;AACA,IAAU,SAAA;AACV,IAAA,MAAM,QAAA,GAAW,kBAAkB,SAAS,CAAA;AAC5C,IAAA,IAAA,CAAK,MAAA,CAAO,WAAW,IAAA,CAAK,OAAA,EAAS,EAAE,SAAA,EAAW,QAAA,IAAY,SAAS,CAAA;AACvE,IAAA,MAAM,SAAA,GAAY,GAAA;AAClB,IAAA,MAAM,OAAA,GAAU,MAAA,CAAO,KAAA,CAAM,SAAS,CAAA;AACtC,IAAA,MAAM,YAAY,IAAA,CAAK,MAAA,CAAO,OAAO,IAAA,CAAK,OAAA,EAAS,MAAM,OAAO,CAAA;AAChE,IAAA,OAAO,MAAA,CAAO,KAAK,SAAS,CAAA;AAAA,EAC9B;AAAA,EAEA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACvB,IAAA,IAAA,CAAK,WAAA,GAAc,KAAA;AACnB,IAAA,IAAI;AACF,MAAA,IAAI,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,OAAA,EAAS;AAC/B,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,IAAA,CAAK,OAAO,CAAA;AAAA,QACnC,CAAA,CAAA,MAAQ;AAAA,QAER;AACA,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,MAAA,CAAO,cAAA,CAAe,IAAA,CAAK,OAAO,CAAA;AAAA,QACzC,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AACA,MAAA,IAAI,KAAK,MAAA,EAAQ;AACf,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,OAAO,UAAA,EAAW;AAAA,QACzB,CAAA,CAAA,MAAQ;AAAA,QAER;AACA,QAAA,IAAI;AACF,UAAA,IAAA,CAAK,OAAO,KAAA,EAAM;AAAA,QACpB,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF;AAAA,IACF,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AACd,MAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AAAA,IACjB;AAAA,EACF;AACF,CAAA;;;AC9GO,IAAM,mBAAN,MAAgD;AAAA,EACpC,MAAA;AAAA,EACT,OAAA,GAAgC,IAAA;AAAA,EAExC,YAAY,MAAA,EAAgC;AAC1C,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAAA,EAChB;AAAA,EAEA,OAAA,GAAkB;AAChB,IAAA,OAAO,uBAAA;AAAA,EACT;AAAA,EAEA,WAAA,GAAuB;AACrB,IAAA,OAAO,CAAC,CAAC,IAAA,CAAK,MAAA,CAAO,qBAAqB,CAAC,CAAC,KAAK,MAAA,CAAO,GAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,KAAK,OAAA,EAA6C;AACtD,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AACjB,MAAA,IAAA,CAAK,UACH,IAAA,CAAK,MAAA,CAAO,aAAA,IACX,MAAM,KAAK,uBAAA,EAAwB;AAAA,IACxC;AAEA,IAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,KAAA,CAAM,KAAA,CAAM,gBAAgB,CAAA;AACvD,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,MAAM,YAAY,MAAA,CAAO,IAAA,CAAK,UAAA,CAAW,CAAC,GAAG,KAAK,CAAA;AAElD,IAAA,MAAM,YAAY,IAAA,CAAK,uBAAA;AAAA,MACrB,QAAQ,SAAA,IAAa;AAAA,KACvB;AACA,IAAA,MAAM,OAAA,GACJ,QAAQ,OAAA,YAAmB,MAAA,GACvB,QAAQ,OAAA,GACR,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,CAAA;AAEjC,IAAA,MAAM,YAAY,MAAM,IAAA,CAAK,QAAQ,IAAA,CAAK,SAAA,EAAW,WAAW,OAAO,CAAA;AAEvE,IAAA,OAAO;AAAA,MACL,SAAA;AAAA,MACA,OAAO,OAAA,CAAQ,KAAA;AAAA,MACf,SAAA,EAAW,QAAQ,SAAA,IAAa;AAAA,KAClC;AAAA,EACF;AAAA,EAEA,MAAc,uBAAA,GAAkD;AAC9D,IAAA,MAAM,OAAA,GAAU,IAAI,iBAAA,EAAkB;AACtC,IAAA,MAAM,QAAQ,UAAA,CAAW,IAAA,CAAK,OAAO,iBAAA,EAAmB,IAAA,CAAK,OAAO,GAAA,EAAK;AAAA,MACvE,MAAA,EAAQ,KAAK,MAAA,CAAO;AAAA,KACrB,CAAA;AACD,IAAA,OAAO,OAAA;AAAA,EACT;AAAA,EAEQ,wBAAwB,SAAA,EAA2B;AACzD,IAAA,QAAQ,SAAA;AAAW,MACjB,KAAK,eAAA;AACH,QAAA,OAAO,kBAAA;AAAA,MACT,KAAK,2BAAA;AACH,QAAA,OAAO,cAAA;AAAA,MACT;AACE,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,+BAAA,EAAkC,SAAS,CAAA,CAAE,CAAA;AAAA;AACjE,EACF;AAAA;AAAA,EAGA,MAAM,KAAA,GAAuB;AAC3B,IAAA,IAAI,KAAK,OAAA,EAAS;AAChB,MAAA,MAAM,IAAA,CAAK,QAAQ,KAAA,EAAM;AACzB,MAAA,IAAA,CAAK,OAAA,GAAU,IAAA;AAAA,IACjB;AAAA,EACF;AACF","file":"index.cjs","sourcesContent":["/**\n * BlockIntel Gate SDK - Canonical JSON Utilities\n * \n * Implements deterministic JSON serialization for HMAC signing.\n * Ensures stable key ordering and no whitespace.\n */\n\nimport { createHash } from 'node:crypto';\n\n/**\n * Sort object keys recursively and produce canonical JSON string\n * \n * Matches Hot Path implementation: JSON.stringify(sorted object)\n * Rules:\n * - All keys sorted alphabetically (case-sensitive)\n * - Uses JSON.stringify for consistent formatting\n * - UTF-8 encoding\n * - Stable ordering for arrays and nested objects\n */\nexport function canonicalizeJson(obj: unknown): string {\n if (obj === null || obj === undefined) {\n return 'null';\n }\n\n // Deep clone to avoid mutating original (matches Hot Path)\n const cloned = JSON.parse(JSON.stringify(obj));\n \n // Recursively sort object keys (matches Hot Path sortKeys function)\n function sortKeys(item: unknown): unknown {\n if (Array.isArray(item)) {\n return item.map(sortKeys);\n }\n if (item !== null && typeof item === 'object') {\n const sorted: Record<string, unknown> = {};\n Object.keys(item).sort().forEach(key => {\n sorted[key] = sortKeys((item as Record<string, unknown>)[key]);\n });\n return sorted;\n }\n return item;\n }\n\n const sorted = sortKeys(cloned);\n return JSON.stringify(sorted);\n}\n\n/**\n * Compute SHA-256 hash of canonical JSON (Node.js: node:crypto)\n */\nexport async function sha256Hex(input: string): Promise<string> {\n return createHash('sha256').update(input, 'utf8').digest('hex');\n}\n\n","/**\n * Verify decision token (RS256) with public key only.\n * No JWT library dependency; uses Node crypto.\n */\n\nimport { createVerify } from 'crypto';\n\nconst ISS = 'blockintel-gate';\nconst AUD = 'gate-decision';\n\nexport interface DecisionTokenPayload {\n tid: string;\n sid: string;\n env: string;\n ph: string;\n txDigest: string;\n decision: string;\n request_id: string;\n iat: number;\n exp: number;\n iss: string;\n aud: string;\n}\n\n/**\n * Decode JWT without verifying (to get alg and payload).\n */\nexport function decodeJwtUnsafe(token: string): { header: { alg?: string }; payload: DecisionTokenPayload } | null {\n try {\n const parts = token.split('.');\n if (parts.length !== 3) return null;\n const header = JSON.parse(\n Buffer.from(parts[0], 'base64url').toString('utf8')\n ) as { alg?: string };\n const payload = JSON.parse(\n Buffer.from(parts[1], 'base64url').toString('utf8')\n ) as DecisionTokenPayload;\n return { header, payload };\n } catch {\n return null;\n }\n}\n\n/**\n * Verify RS256 JWT signature and standard claims (iss, aud, exp).\n * Returns payload if valid; null otherwise.\n */\nexport function verifyDecisionTokenRs256(\n token: string,\n publicKeyPem: string\n): DecisionTokenPayload | null {\n const decoded = decodeJwtUnsafe(token);\n if (!decoded || (decoded.header.alg || '').toUpperCase() !== 'RS256') return null;\n\n const { payload } = decoded;\n const now = Math.floor(Date.now() / 1000);\n if (payload.iss !== ISS || payload.aud !== AUD) return null;\n if (payload.exp != null && payload.exp < now - 5) return null;\n\n try {\n const parts = token.split('.');\n const signingInput = `${parts[0]}.${parts[1]}`;\n const signature = Buffer.from(parts[2], 'base64url');\n const verify = createVerify('RSA-SHA256');\n verify.update(signingInput);\n verify.end();\n const ok = verify.verify(publicKeyPem, signature);\n return ok ? payload : null;\n } catch {\n return null;\n }\n}\n","/**\n * BlockIntel Gate SDK - Crypto Utilities\n * \n * HMAC-SHA256 using Node.js crypto (node:crypto) for ESM/CJS compatibility.\n */\n\nimport { createHmac } from 'node:crypto';\n\n/**\n * Compute HMAC-SHA256 signature\n */\nexport async function hmacSha256(secret: string, message: string): Promise<string> {\n // Hot Path uses Node.js crypto.createHmac('sha256', secret) which treats the secret as UTF-8 string\n // Python SDK uses hmac.new(secret.encode('utf-8'), ...) which also treats secret as UTF-8 bytes\n // We must match this behavior exactly\n const hmac = createHmac('sha256', secret);\n hmac.update(message, 'utf8');\n const signatureHex = hmac.digest('hex');\n\n // Debug logging for signature computation\n console.error('[HMAC CRYPTO DEBUG] Signature computation:', JSON.stringify({\n secretLength: secret.length,\n messageLength: message.length,\n messagePreview: message.substring(0, 200) + '...',\n signatureLength: signatureHex.length,\n signaturePreview: signatureHex.substring(0, 16) + '...',\n }, null, 2));\n\n return signatureHex;\n}\n\n","/**\n * BlockIntel Gate SDK - HMAC v1 Signer\n * \n * Implements canonical request signing for Gate Hot Path API.\n * \n * Signing Algorithm (v1):\n * 1. Create canonical signing string:\n * v1\\n\n * <HTTP_METHOD>\\n\n * <PATH>\\n\n * <TENANT_ID>\\n\n * <KEY_ID>\\n\n * <TIMESTAMP_MS>\\n\n * <REQUEST_ID_AS_NONCE>\\n\n * <SHA256_HEX_OF_BODY>\n * \n * 2. Compute HMAC-SHA256(secret, signingString) as hex\n * \n * 3. Include headers:\n * - X-GATE-TENANT-ID\n * - X-GATE-KEY-ID\n * - X-GATE-TIMESTAMP-MS\n * - X-GATE-REQUEST-ID (used as nonce in canonical string)\n * - X-GATE-SIGNATURE (hex string)\n */\n\nimport { hmacSha256 } from '../utils/crypto.js';\nimport { canonicalizeJson, sha256Hex } from '../utils/canonicalJson.js';\n\nexport interface HmacSignerConfig {\n keyId: string;\n secret: string;\n}\n\nexport interface SigningHeaders {\n 'X-GATE-TENANT-ID': string;\n 'X-GATE-KEY-ID': string;\n 'X-GATE-TIMESTAMP-MS': string;\n 'X-GATE-REQUEST-ID': string;\n 'X-GATE-SIGNATURE': string;\n}\n\n/**\n * HMAC v1 signer for Gate API requests\n */\nexport class HmacSigner {\n private readonly keyId: string;\n private readonly secret: string;\n\n constructor(config: HmacSignerConfig) {\n this.keyId = config.keyId;\n // Trim whitespace/newlines - ECS Secrets Manager injection might add trailing newline\n this.secret = config.secret.trim();\n\n if (!this.secret || this.secret.length === 0) {\n throw new Error('HMAC secret cannot be empty');\n }\n }\n\n /**\n * Sign a request and return headers\n */\n async signRequest(params: {\n method: string;\n path: string;\n tenantId: string;\n timestampMs: number;\n requestId: string;\n body?: unknown;\n }): Promise<SigningHeaders> {\n const { method, path, tenantId, timestampMs, requestId, body } = params;\n\n // Canonicalize body\n const bodyJson = body ? canonicalizeJson(body) : '';\n const bodyHash = await sha256Hex(bodyJson);\n\n // Construct canonical signing string (matches Hot Path format)\n const signingString = [\n 'v1',\n method.toUpperCase(),\n path,\n tenantId,\n this.keyId,\n String(timestampMs),\n requestId, // Used as nonce in canonical string\n bodyHash,\n ].join('\\n');\n\n // Compute signature (returns hex); never log secret or signature value\n const signature = await hmacSha256(this.secret, signingString);\n\n return {\n 'X-GATE-TENANT-ID': tenantId,\n 'X-GATE-KEY-ID': this.keyId,\n 'X-GATE-TIMESTAMP-MS': String(timestampMs),\n 'X-GATE-REQUEST-ID': requestId,\n 'X-GATE-SIGNATURE': signature,\n };\n }\n}\n\n","/**\n * BlockIntel Gate SDK - API Key Authentication\n * \n * Simple API key authentication using X-API-KEY header.\n * Still includes tenant/request/timestamp headers for replay semantics.\n */\n\nexport interface ApiKeyAuthConfig {\n apiKey: string;\n}\n\nexport interface ApiKeyHeaders {\n 'X-API-KEY': string;\n 'X-GATE-TENANT-ID': string;\n 'X-GATE-REQUEST-ID': string;\n 'X-GATE-TIMESTAMP-MS': string;\n}\n\n/**\n * API Key authenticator for Gate API requests\n */\nexport class ApiKeyAuth {\n private readonly apiKey: string;\n\n constructor(config: ApiKeyAuthConfig) {\n this.apiKey = config.apiKey;\n\n if (!this.apiKey || this.apiKey.length === 0) {\n throw new Error('API key cannot be empty');\n }\n }\n\n /**\n * Create headers for API key authentication\n */\n createHeaders(params: {\n tenantId: string;\n timestampMs: number;\n requestId: string;\n }): ApiKeyHeaders {\n const { tenantId, timestampMs, requestId } = params;\n\n return {\n 'X-API-KEY': this.apiKey,\n 'X-GATE-TENANT-ID': tenantId,\n 'X-GATE-REQUEST-ID': requestId,\n 'X-GATE-TIMESTAMP-MS': String(timestampMs),\n };\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Error Types\n */\n\n/**\n * Gate error codes\n */\nexport enum GateErrorCode {\n NETWORK_ERROR = 'NETWORK_ERROR',\n TIMEOUT = 'TIMEOUT',\n NOT_FOUND = 'NOT_FOUND',\n UNAUTHORIZED = 'UNAUTHORIZED',\n FORBIDDEN = 'FORBIDDEN',\n RATE_LIMITED = 'RATE_LIMITED',\n SERVER_ERROR = 'SERVER_ERROR',\n INVALID_RESPONSE = 'INVALID_RESPONSE',\n STEP_UP_NOT_CONFIGURED = 'STEP_UP_NOT_CONFIGURED',\n STEP_UP_TIMEOUT = 'STEP_UP_TIMEOUT',\n BLOCKED = 'BLOCKED',\n SERVICE_UNAVAILABLE = 'SERVICE_UNAVAILABLE',\n AUTH_ERROR = 'AUTH_ERROR',\n HEARTBEAT_MISSING = 'HEARTBEAT_MISSING',\n HEARTBEAT_EXPIRED = 'HEARTBEAT_EXPIRED',\n HEARTBEAT_INVALID = 'HEARTBEAT_INVALID',\n HEARTBEAT_MISMATCH = 'HEARTBEAT_MISMATCH',\n}\n\n/**\n * Base Gate error class\n */\nexport class GateError extends Error {\n public readonly code: GateErrorCode;\n public readonly status?: number;\n public readonly details?: Record<string, unknown>;\n public readonly requestId?: string;\n public readonly correlationId?: string;\n\n constructor(\n code: GateErrorCode,\n message: string,\n options?: {\n status?: number;\n details?: Record<string, unknown>;\n requestId?: string;\n correlationId?: string;\n cause?: Error;\n }\n ) {\n super(message);\n this.name = 'GateError';\n this.code = code;\n this.status = options?.status;\n this.details = options?.details;\n this.requestId = options?.requestId;\n this.correlationId = options?.correlationId;\n if (options?.cause) {\n this.cause = options.cause;\n }\n Error.captureStackTrace(this, this.constructor);\n }\n\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n status: this.status,\n details: this.details,\n requestId: this.requestId,\n correlationId: this.correlationId,\n };\n }\n}\n\n/**\n * Step-up not configured error\n * Thrown when REQUIRE_STEP_UP is returned but SDK is not configured for step-up\n */\nexport class StepUpNotConfiguredError extends GateError {\n constructor(requestId?: string) {\n super(\n GateErrorCode.STEP_UP_NOT_CONFIGURED,\n 'Step-up is required but not configured in SDK. Enable step-up in client config or treat REQUIRE_STEP_UP as BLOCK.',\n { requestId }\n );\n this.name = 'StepUpNotConfiguredError';\n }\n}\n\n/**\n * Blocked error\n * Thrown when transaction is BLOCKED by Gate\n */\nexport class BlockIntelBlockedError extends GateError {\n public readonly receiptId?: string;\n public readonly reasonCode: string;\n\n constructor(\n reasonCode: string,\n receiptId?: string,\n correlationId?: string,\n requestId?: string\n ) {\n super(\n GateErrorCode.BLOCKED,\n `Transaction blocked: ${reasonCode}`,\n { correlationId, requestId, details: { reasonCode, receiptId } }\n );\n this.name = 'BlockIntelBlockedError';\n this.receiptId = receiptId;\n this.reasonCode = reasonCode;\n }\n}\n\n/**\n * Service unavailable error\n * Thrown when fail-safe mode is BLOCK_ON_TIMEOUT and service is unavailable\n */\nexport class BlockIntelUnavailableError extends GateError {\n constructor(message: string, requestId?: string) {\n super(GateErrorCode.SERVICE_UNAVAILABLE, message, { requestId });\n this.name = 'BlockIntelUnavailableError';\n }\n}\n\n/**\n * Auth error\n * Thrown on 401/403 - always fails CLOSED (never silently allows)\n */\nexport class BlockIntelAuthError extends GateError {\n constructor(message: string, status: number, requestId?: string) {\n super(\n status === 401 ? GateErrorCode.UNAUTHORIZED : GateErrorCode.FORBIDDEN,\n message,\n { status, requestId }\n );\n this.name = 'BlockIntelAuthError';\n }\n}\n\n/**\n * Step-up required error\n * Thrown when REQUIRE_STEP_UP is returned and step-up is enabled\n */\nexport class BlockIntelStepUpRequiredError extends GateError {\n public readonly stepUpRequestId: string;\n public readonly statusUrl?: string;\n public readonly expiresAtMs?: number;\n\n constructor(\n stepUpRequestId: string,\n statusUrl?: string,\n expiresAtMs?: number,\n requestId?: string\n ) {\n super(\n GateErrorCode.STEP_UP_NOT_CONFIGURED,\n 'Step-up approval required',\n {\n requestId,\n details: { stepUpRequestId, statusUrl, expiresAtMs },\n }\n );\n this.name = 'BlockIntelStepUpRequiredError';\n this.stepUpRequestId = stepUpRequestId;\n this.statusUrl = statusUrl;\n this.expiresAtMs = expiresAtMs;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Retry Logic\n * \n * Exponential backoff with jitter for retryable requests.\n */\n\nexport interface RetryOptions {\n maxAttempts?: number;\n baseDelayMs?: number;\n maxDelayMs?: number;\n factor?: number;\n}\n\nconst DEFAULT_RETRY_OPTIONS: Required<RetryOptions> = {\n maxAttempts: 3,\n baseDelayMs: 100,\n maxDelayMs: 800,\n factor: 2,\n};\n\n/**\n * Determine if an HTTP status code is retryable\n */\nexport function isRetryableStatus(status: number): boolean {\n // Retry on 429 (rate limit) and 5xx (server errors)\n return status === 429 || (status >= 500 && status < 600);\n}\n\n/**\n * Determine if an error is retryable\n */\nexport function isRetryableError(error: unknown): boolean {\n // Network errors, timeouts, connection errors\n if (error instanceof Error) {\n const message = error.message.toLowerCase();\n return (\n message.includes('network') ||\n message.includes('timeout') ||\n message.includes('connection') ||\n message.includes('econnrefused') ||\n message.includes('enotfound') ||\n message.includes('econnreset')\n );\n }\n return false;\n}\n\n/**\n * Calculate delay with exponential backoff and jitter\n */\nexport function calculateBackoffDelay(\n attempt: number,\n options: Required<RetryOptions>\n): number {\n const exponentialDelay = options.baseDelayMs * Math.pow(options.factor, attempt - 1);\n const jitter = Math.random() * 0.3 * exponentialDelay; // 0-30% jitter\n const delay = exponentialDelay + jitter;\n return Math.min(delay, options.maxDelayMs);\n}\n\n/**\n * Check if an error is a GateError with retryable status\n */\nfunction isRetryableGateError(error: unknown): boolean {\n if (error && typeof error === 'object' && 'code' in error) {\n const gateError = error as { code: string; status?: number };\n // Retry on SERVER_ERROR or RATE_LIMITED codes\n if (gateError.code === 'SERVER_ERROR' || gateError.code === 'RATE_LIMITED') {\n return true;\n }\n // Also check status if available\n if (gateError.status && isRetryableStatus(gateError.status)) {\n return true;\n }\n }\n return false;\n}\n\n/**\n * Retry a function with exponential backoff\n */\nexport async function retryWithBackoff<T>(\n fn: () => Promise<T>,\n options: RetryOptions = {}\n): Promise<T> {\n const opts = { ...DEFAULT_RETRY_OPTIONS, ...options };\n let lastError: unknown;\n\n for (let attempt = 1; attempt <= opts.maxAttempts; attempt++) {\n try {\n return await fn();\n } catch (error) {\n lastError = error;\n\n // Don't retry if we've exhausted attempts\n if (attempt >= opts.maxAttempts) {\n break;\n }\n\n // Don't retry on non-retryable Response errors\n if (error instanceof Response && !isRetryableStatus(error.status)) {\n throw error;\n }\n\n // Check if it's a retryable error (Response, network error, or GateError with retryable status)\n const isRetryable =\n (error instanceof Response && isRetryableStatus(error.status)) ||\n isRetryableError(error) ||\n isRetryableGateError(error);\n\n if (!isRetryable) {\n throw error;\n }\n\n // Log degraded once per attempt (logs/telemetry only; never sent as HTTP request header)\n const status =\n (error instanceof Response && error.status) ||\n (error && typeof error === 'object' && 'status' in error && (error as { status?: number }).status) ||\n (error && typeof error === 'object' && 'statusCode' in error && (error as { statusCode?: number }).statusCode);\n const errName = error instanceof Error ? error.name : (error && typeof error === 'object' && 'code' in error ? (error as { code: string }).code : 'Unknown');\n const extra = ` attempt=${attempt}/${opts.maxAttempts} status=${status ?? 'n/a'} err=${errName}`;\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason=retry)' + extra);\n\n // Wait before retrying\n const delay = calculateBackoffDelay(attempt, opts);\n await new Promise((resolve) => setTimeout(resolve, delay));\n }\n }\n\n throw lastError;\n}\n\n","/**\n * Sanitize for debug logging: never log secrets, API keys, tokens, or full request bodies.\n * Use when GATE_SDK_DEBUG=1 or debug: true only.\n */\n\nconst SENSITIVE_HEADER_NAMES = new Set([\n 'authorization',\n 'x-api-key',\n 'x-gate-heartbeat-key',\n 'x-gate-signature',\n 'cookie',\n]);\n\nconst MAX_STRING_LENGTH = 80;\n\n/**\n * Redact sensitive header values; return header names and whether value is set (value redacted).\n */\nexport function sanitizeHeaders(headers: Record<string, string>): Record<string, string> {\n const out: Record<string, string> = {};\n for (const [key, value] of Object.entries(headers)) {\n const lower = key.toLowerCase();\n if (SENSITIVE_HEADER_NAMES.has(lower) || lower.includes('signature') || lower.includes('secret') || lower.includes('token')) {\n out[key] = value ? '[REDACTED]' : '[empty]';\n } else {\n out[key] = truncate(String(value), MAX_STRING_LENGTH);\n }\n }\n return out;\n}\n\n/**\n * Return keys and types of a JSON-serializable value (no values, to avoid leaking credentials).\n */\nexport function sanitizeBodyShape(body: unknown): Record<string, string> {\n if (body === null || body === undefined) {\n return {};\n }\n if (typeof body !== 'object') {\n return { _: typeof body };\n }\n if (Array.isArray(body)) {\n return { _: 'array', length: String(body.length) };\n }\n const out: Record<string, string> = {};\n for (const key of Object.keys(body as object).sort()) {\n const val = (body as Record<string, unknown>)[key];\n if (val !== null && typeof val === 'object' && !Array.isArray(val)) {\n out[key] = 'object';\n } else if (Array.isArray(val)) {\n out[key] = 'array';\n } else {\n out[key] = typeof val;\n }\n }\n return out;\n}\n\nfunction truncate(s: string, max: number): string {\n if (s.length <= max) return s;\n return s.slice(0, max) + '...';\n}\n\n/**\n * Check if debug mode is enabled via env or config.\n */\nexport function isDebugEnabled(debugOption?: boolean): boolean {\n if (debugOption === true) return true;\n if (typeof process !== 'undefined' && process.env.GATE_SDK_DEBUG === '1') return true;\n return false;\n}\n","/**\n * BlockIntel Gate SDK - HTTP Client\n * \n * Fetch wrapper with timeout, retry, and error handling.\n */\n\nimport { GateError, GateErrorCode } from '../types/errors.js';\nimport { retryWithBackoff, isRetryableStatus, isRetryableError } from './retry.js';\nimport { sanitizeHeaders, sanitizeBodyShape, isDebugEnabled } from '../utils/sanitize.js';\n\nexport interface HttpClientConfig {\n baseUrl: string;\n timeoutMs?: number;\n userAgent?: string;\n /** When true or GATE_SDK_DEBUG=1, log sanitized request/response (no secrets, no body values). */\n debug?: boolean;\n retryOptions?: {\n maxAttempts?: number;\n baseDelayMs?: number;\n maxDelayMs?: number;\n factor?: number;\n };\n}\n\nexport interface RequestOptions {\n method: string;\n path: string;\n headers?: Record<string, string>;\n body?: unknown;\n requestId?: string;\n}\n\n/**\n * HTTP client with retry and timeout support\n */\nexport class HttpClient {\n private readonly baseUrl: string;\n private readonly timeoutMs: number;\n private readonly userAgent: string;\n private readonly retryOptions: Parameters<typeof retryWithBackoff>[1];\n private readonly debug: boolean;\n\n constructor(config: HttpClientConfig) {\n this.baseUrl = config.baseUrl.replace(/\\/$/, ''); // Remove trailing slash\n this.timeoutMs = config.timeoutMs ?? 15000;\n this.userAgent = config.userAgent ?? 'blockintel-gate-sdk/0.1.0';\n this.retryOptions = config.retryOptions;\n this.debug = isDebugEnabled(config.debug);\n\n // Validate baseUrl\n if (!this.baseUrl) {\n throw new Error('baseUrl is required');\n }\n\n // Validate HTTPS in production (allow http only for localhost)\n if (typeof process !== 'undefined' && process.env.NODE_ENV === 'production') {\n if (!this.baseUrl.startsWith('https://') && !this.baseUrl.includes('localhost')) {\n throw new Error('baseUrl must use HTTPS in production (except localhost)');\n }\n }\n }\n\n /**\n * Make an HTTP request with retry and timeout\n */\n async request<T>(options: RequestOptions): Promise<T> {\n const { method, path, headers = {}, body, requestId } = options;\n\n const url = `${this.baseUrl}${path}`;\n\n // Create AbortController for timeout\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), this.timeoutMs);\n\n // Store request details for error logging (sanitized; no body values)\n type RequestDetails = {\n headers: Record<string, string>;\n bodyLength: number;\n };\n let requestDetailsForLogging: RequestDetails | null = null;\n\n try {\n const response = await retryWithBackoff(\n async () => {\n const requestHeaders: Record<string, string> = {};\n for (const [key, value] of Object.entries(headers)) {\n requestHeaders[key] = String(value);\n }\n requestHeaders['User-Agent'] = this.userAgent;\n requestHeaders['Content-Type'] = 'application/json';\n\n const fetchOptions: RequestInit = {\n method,\n headers: requestHeaders,\n signal: controller.signal,\n };\n\n if (body) {\n if ((body as any).__canonicalJson) {\n fetchOptions.body = (body as any).__canonicalJson;\n delete (body as any).__canonicalJson;\n } else {\n fetchOptions.body = JSON.stringify(body);\n }\n }\n\n const bodyStr = typeof fetchOptions.body === 'string' ? fetchOptions.body : null;\n requestDetailsForLogging = {\n headers: this.debug ? sanitizeHeaders(requestHeaders as Record<string, string>) : {},\n bodyLength: bodyStr ? bodyStr.length : 0,\n };\n\n if (this.debug) {\n const bodyShape = body && typeof body === 'object' ? sanitizeBodyShape(body) : {};\n console.error('[GATE SDK] Request:', JSON.stringify({\n url,\n method,\n headerNames: Object.keys(requestHeaders),\n headersRedacted: requestDetailsForLogging.headers,\n bodyLength: requestDetailsForLogging.bodyLength,\n bodyKeysAndTypes: bodyShape,\n }, null, 2));\n }\n\n const res = await fetch(url, fetchOptions);\n\n // Throw Response for retryable errors so retry logic can handle it\n if (!res.ok && isRetryableStatus(res.status)) {\n throw res;\n }\n\n // Don't retry non-retryable status codes\n if (!res.ok && !isRetryableStatus(res.status)) {\n throw res;\n }\n\n return res;\n },\n {\n ...this.retryOptions,\n // Custom retry logic that handles Response objects\n }\n );\n\n clearTimeout(timeoutId);\n\n let data: T;\n const contentType = response.headers.get('content-type');\n\n if (this.debug) {\n console.error('[GATE SDK] Response:', JSON.stringify({\n status: response.status,\n ok: response.ok,\n url: response.url,\n }, null, 2));\n }\n\n if (contentType && contentType.includes('application/json')) {\n try {\n const jsonText = await response.text();\n data = JSON.parse(jsonText) as T;\n if (this.debug && data && typeof data === 'object') {\n console.error('[GATE SDK] Response keys:', Object.keys(data as object));\n }\n } catch (parseError) {\n if (this.debug) {\n console.error('[GATE SDK] JSON parse error:', parseError instanceof Error ? parseError.message : String(parseError));\n }\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Failed to parse JSON response',\n {\n status: response.status,\n requestId,\n cause: parseError instanceof Error ? parseError : undefined,\n }\n );\n }\n } else {\n const text = await response.text();\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n `Unexpected content type: ${contentType}`,\n {\n status: response.status,\n details: { body: text.substring(0, 200) },\n requestId,\n }\n );\n }\n\n // Check for errors\n if (!response.ok) {\n // Log full response details for debugging\n const responseHeaders: Record<string, string> = {};\n response.headers.forEach((value, key) => {\n responseHeaders[key] = value;\n });\n \n if (this.debug) {\n console.error('[GATE SDK] Error response:', JSON.stringify({\n status: response.status,\n url: response.url,\n requestPath: path,\n responseKeys: data && typeof data === 'object' ? Object.keys(data as object) : [],\n }, null, 2));\n }\n \n const errorCode = this.statusToErrorCode(response.status);\n const correlationId = response.headers.get('X-Correlation-ID') ?? undefined;\n\n throw new GateError(errorCode, `HTTP ${response.status}: ${response.statusText}`, {\n status: response.status,\n correlationId,\n requestId,\n details: data as Record<string, unknown>,\n });\n }\n\n return data;\n } catch (error) {\n clearTimeout(timeoutId);\n\n // Handle abort (timeout)\n if (error instanceof Error && error.name === 'AbortError') {\n throw new GateError(GateErrorCode.TIMEOUT, `Request timeout after ${this.timeoutMs}ms`, {\n requestId,\n });\n }\n\n // Handle Response errors (non-ok responses)\n if (error instanceof Response) {\n const errorCode = this.statusToErrorCode(error.status);\n const correlationId = error.headers.get('X-Correlation-ID') ?? undefined;\n\n let details: Record<string, unknown> | undefined;\n try {\n const text = await error.text();\n try {\n details = JSON.parse(text);\n } catch {\n details = { body: text.substring(0, 200) };\n }\n } catch {\n // Ignore parsing errors\n }\n\n throw new GateError(errorCode, `HTTP ${error.status}: ${error.statusText}`, {\n status: error.status,\n correlationId,\n requestId,\n details,\n });\n }\n\n // Handle network errors\n if (isRetryableError(error)) {\n throw new GateError(\n GateErrorCode.NETWORK_ERROR,\n `Network error: ${error instanceof Error ? error.message : String(error)}`,\n {\n requestId,\n cause: error instanceof Error ? error : undefined,\n }\n );\n }\n\n // Re-throw GateError as-is\n if (error instanceof GateError) {\n throw error;\n }\n\n // Unknown error\n throw new GateError(\n GateErrorCode.NETWORK_ERROR,\n `Unexpected error: ${error instanceof Error ? error.message : String(error)}`,\n {\n requestId,\n cause: error instanceof Error ? error : undefined,\n }\n );\n }\n }\n\n /**\n * Map HTTP status code to GateErrorCode\n */\n private statusToErrorCode(status: number): GateErrorCode {\n if (status === 401) return GateErrorCode.UNAUTHORIZED;\n if (status === 403) return GateErrorCode.FORBIDDEN;\n if (status === 404) return GateErrorCode.NOT_FOUND;\n if (status === 429) return GateErrorCode.RATE_LIMITED;\n if (status >= 500 && status < 600) return GateErrorCode.SERVER_ERROR;\n return GateErrorCode.NETWORK_ERROR;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Time Utilities\n */\n\n/**\n * Get current timestamp in milliseconds\n */\nexport function nowMs(): number {\n return Date.now();\n}\n\n/**\n * Get current timestamp in seconds (epoch)\n */\nexport function nowEpochSeconds(): number {\n return Math.floor(Date.now() / 1000);\n}\n\n/**\n * Clamp a value between min and max\n */\nexport function clamp(value: number, min: number, max: number): number {\n return Math.max(min, Math.min(max, value));\n}\n\n/**\n * Sleep for specified milliseconds\n */\nexport function sleep(ms: number): Promise<void> {\n return new Promise((resolve) => setTimeout(resolve, ms));\n}\n\n","/**\n * BlockIntel Gate SDK - Step-Up Polling\n * \n * Polls Gate Hot Path step-up status endpoint until decision is reached.\n */\n\nimport { GateError, GateErrorCode } from '../types/errors.js';\nimport { StepUpStatusResponse, GateStepUpStatus, StepUpFinalResult } from '../types/contracts.js';\nimport { nowEpochSeconds, clamp, sleep } from '../utils/time.js';\nimport { HttpClient } from '../http/HttpClient.js';\n\nexport interface StepUpPollingConfig {\n httpClient: HttpClient;\n tenantId: string;\n pollingIntervalMs?: number;\n maxWaitMs?: number;\n ttlMinSeconds?: number;\n ttlMaxSeconds?: number;\n ttlDefaultSeconds?: number;\n}\n\nconst DEFAULT_POLLING_INTERVAL_MS = 250;\nconst DEFAULT_MAX_WAIT_MS = 15000;\nconst DEFAULT_TTL_MIN_SECONDS = 300;\nconst DEFAULT_TTL_MAX_SECONDS = 900;\nconst DEFAULT_TTL_DEFAULT_SECONDS = 600;\n\n/**\n * Step-up polling helper\n */\nexport class StepUpPoller {\n private readonly httpClient: HttpClient;\n private readonly tenantId: string;\n private readonly pollingIntervalMs: number;\n private readonly maxWaitMs: number;\n private readonly ttlMinSeconds: number;\n private readonly ttlMaxSeconds: number;\n private readonly ttlDefaultSeconds: number;\n\n constructor(config: StepUpPollingConfig) {\n this.httpClient = config.httpClient;\n this.tenantId = config.tenantId;\n this.pollingIntervalMs = config.pollingIntervalMs ?? DEFAULT_POLLING_INTERVAL_MS;\n this.maxWaitMs = config.maxWaitMs ?? DEFAULT_MAX_WAIT_MS;\n this.ttlMinSeconds = config.ttlMinSeconds ?? DEFAULT_TTL_MIN_SECONDS;\n this.ttlMaxSeconds = config.ttlMaxSeconds ?? DEFAULT_TTL_MAX_SECONDS;\n this.ttlDefaultSeconds = config.ttlDefaultSeconds ?? DEFAULT_TTL_DEFAULT_SECONDS;\n }\n\n /**\n * Get current step-up status\n */\n async getStatus(requestId: string): Promise<StepUpStatusResponse> {\n const path = `/defense/stepup/status?tenantId=${encodeURIComponent(this.tenantId)}&requestId=${encodeURIComponent(requestId)}`;\n\n try {\n // API returns snake_case, convert to camelCase\n const apiResponse = await this.httpClient.request<\n StepUpStatusResponse & {\n tenant_id?: string;\n request_id?: string;\n reason_codes?: string[];\n correlation_id?: string;\n expires_at_ms?: number;\n }\n >({\n method: 'GET',\n path,\n requestId,\n });\n\n const response: StepUpStatusResponse = {\n status: apiResponse.status,\n tenantId: apiResponse.tenant_id ?? apiResponse.tenantId,\n requestId: apiResponse.request_id ?? apiResponse.requestId,\n decision: apiResponse.decision,\n reasonCodes: apiResponse.reason_codes ?? apiResponse.reasonCodes,\n correlationId: apiResponse.correlation_id ?? apiResponse.correlationId,\n expiresAtMs: apiResponse.expires_at_ms ?? apiResponse.expiresAtMs,\n ttl: apiResponse.ttl,\n };\n\n // Check if expired based on TTL\n const now = nowEpochSeconds();\n if (response.ttl !== undefined && response.ttl <= now) {\n return {\n ...response,\n status: 'EXPIRED',\n };\n }\n\n return response;\n } catch (error) {\n if (error instanceof GateError && error.code === GateErrorCode.NOT_FOUND) {\n throw new GateError(\n GateErrorCode.NOT_FOUND,\n `Step-up request not found: ${requestId}`,\n { requestId }\n );\n }\n throw error;\n }\n }\n\n /**\n * Wait for step-up decision with polling\n * \n * Polls until status is APPROVED, DENIED, or EXPIRED, or timeout is reached.\n */\n async awaitDecision(\n requestId: string,\n options?: { maxWaitMs?: number; intervalMs?: number }\n ): Promise<StepUpFinalResult> {\n const startTime = Date.now();\n const maxWaitMs = options?.maxWaitMs ?? this.maxWaitMs;\n const intervalMs = options?.intervalMs ?? this.pollingIntervalMs;\n\n while (true) {\n const elapsedMs = Date.now() - startTime;\n\n // Check timeout\n if (elapsedMs >= maxWaitMs) {\n throw new GateError(\n GateErrorCode.STEP_UP_TIMEOUT,\n `Step-up decision timeout after ${maxWaitMs}ms`,\n { requestId }\n );\n }\n\n try {\n const status = await this.getStatus(requestId);\n\n // Check if expired\n const now = nowEpochSeconds();\n if (status.ttl !== undefined && status.ttl <= now) {\n return {\n status: 'EXPIRED',\n requestId,\n elapsedMs,\n correlationId: status.correlationId,\n };\n }\n\n // Check if decision reached\n if (\n status.status === 'APPROVED' ||\n status.status === 'DENIED' ||\n status.status === 'EXPIRED'\n ) {\n return {\n status: status.status,\n requestId,\n elapsedMs,\n decision: status.decision,\n reasonCodes: status.reasonCodes,\n correlationId: status.correlationId,\n };\n }\n\n // Status is PENDING, wait and poll again\n await sleep(intervalMs);\n } catch (error) {\n // If NOT_FOUND, throw immediately (don't retry)\n if (error instanceof GateError && error.code === GateErrorCode.NOT_FOUND) {\n throw error;\n }\n\n // For other errors, wait and retry\n // But still respect timeout\n const remainingMs = maxWaitMs - (Date.now() - startTime);\n if (remainingMs <= 0) {\n throw new GateError(\n GateErrorCode.STEP_UP_TIMEOUT,\n `Step-up decision timeout after ${maxWaitMs}ms`,\n { requestId, cause: error instanceof Error ? error : undefined }\n );\n }\n\n await sleep(Math.min(intervalMs, remainingMs));\n }\n }\n }\n\n /**\n * Clamp TTL to guardrails\n */\n clampTtl(ttlSeconds?: number): number {\n if (ttlSeconds === undefined) {\n return this.ttlDefaultSeconds;\n }\n return clamp(ttlSeconds, this.ttlMinSeconds, this.ttlMaxSeconds);\n }\n}\n\n","/**\n * Circuit Breaker for SDK\n * \n * Prevents cascading failures by opening the circuit after consecutive failures.\n */\n\nexport type CircuitState = 'CLOSED' | 'OPEN' | 'HALF_OPEN';\n\nexport interface CircuitBreakerConfig {\n tripAfterConsecutiveFailures?: number; // Default: 5\n coolDownMs?: number; // Default: 30000 (30 seconds)\n}\n\nexport interface CircuitBreakerMetrics {\n failures: number;\n successes: number;\n state: CircuitState;\n lastFailureTime?: number;\n lastSuccessTime?: number;\n tripsToOpen: number;\n}\n\n/**\n * Circuit Breaker implementation\n */\nexport class CircuitBreaker {\n private state: CircuitState = 'CLOSED';\n private failures = 0;\n private successes = 0;\n private lastFailureTime?: number;\n private lastSuccessTime?: number;\n private tripsToOpen = 0;\n \n private readonly tripThreshold: number;\n private readonly coolDownMs: number;\n\n constructor(config: CircuitBreakerConfig = {}) {\n this.tripThreshold = config.tripAfterConsecutiveFailures ?? 5;\n this.coolDownMs = config.coolDownMs ?? 30000; // 30 seconds\n }\n\n /**\n * Execute function with circuit breaker protection\n */\n async execute<T>(fn: () => Promise<T>): Promise<T> {\n // Check if circuit should transition from OPEN to HALF_OPEN\n if (this.state === 'OPEN') {\n const now = Date.now();\n const timeSinceLastFailure = this.lastFailureTime \n ? now - this.lastFailureTime \n : Infinity;\n \n if (timeSinceLastFailure >= this.coolDownMs) {\n this.state = 'HALF_OPEN';\n this.failures = 0; // Reset failures for half-open probe\n } else {\n throw new CircuitBreakerOpenError(\n `Circuit breaker is OPEN. Will retry after ${this.coolDownMs - timeSinceLastFailure}ms`\n );\n }\n }\n\n try {\n const result = await fn();\n this.onSuccess();\n return result;\n } catch (error) {\n this.onFailure();\n throw error;\n }\n }\n\n private onSuccess(): void {\n this.successes++;\n this.lastSuccessTime = Date.now();\n\n if (this.state === 'HALF_OPEN') {\n // Successful probe - close circuit\n this.state = 'CLOSED';\n this.failures = 0;\n } else if (this.state === 'CLOSED') {\n // Success in closed state - reset failure count\n this.failures = 0;\n }\n }\n\n private onFailure(): void {\n this.failures++;\n this.lastFailureTime = Date.now();\n\n if (this.state === 'HALF_OPEN') {\n // Failed probe - open circuit again\n this.state = 'OPEN';\n this.tripsToOpen++;\n } else if (this.state === 'CLOSED' && this.failures >= this.tripThreshold) {\n // Too many failures - open circuit\n this.state = 'OPEN';\n this.tripsToOpen++;\n }\n }\n\n /**\n * Get current metrics\n */\n getMetrics(): CircuitBreakerMetrics {\n return {\n failures: this.failures,\n successes: this.successes,\n state: this.state,\n lastFailureTime: this.lastFailureTime,\n lastSuccessTime: this.lastSuccessTime,\n tripsToOpen: this.tripsToOpen,\n };\n }\n\n /**\n * Reset circuit breaker to CLOSED state\n */\n reset(): void {\n this.state = 'CLOSED';\n this.failures = 0;\n this.successes = 0;\n this.lastFailureTime = undefined;\n this.lastSuccessTime = undefined;\n this.tripsToOpen = 0;\n }\n}\n\n/**\n * Circuit Breaker Open Error\n */\nexport class CircuitBreakerOpenError extends Error {\n constructor(message: string) {\n super(message);\n this.name = 'CircuitBreakerOpenError';\n }\n}\n\n","/**\n * Metrics Collector for SDK\n * \n * Collects counters and latency metrics for observability.\n */\n\nexport interface Metrics {\n requestsTotal: number;\n allowedTotal: number;\n blockedTotal: number;\n stepupTotal: number;\n timeoutsTotal: number;\n errorsTotal: number;\n circuitBreakerOpenTotal: number;\n wouldBlockTotal: number; // Shadow mode would-block count\n failOpenTotal: number; // Fail-open count\n latencyMs: number[]; // Histogram samples\n}\n\nexport type MetricsHook = (metrics: Metrics) => void | Promise<void>;\n\n/**\n * Metrics Collector\n */\nexport class MetricsCollector {\n private requestsTotal = 0;\n private allowedTotal = 0;\n private blockedTotal = 0;\n private stepupTotal = 0;\n private timeoutsTotal = 0;\n private errorsTotal = 0;\n private circuitBreakerOpenTotal = 0;\n private wouldBlockTotal = 0; // Shadow mode would-block count\n private failOpenTotal = 0; // Fail-open count\n private latencyMs: number[] = [];\n\n private readonly maxSamples = 1000; // Keep last 1000 samples\n private readonly hooks: MetricsHook[] = [];\n\n /**\n * Record a request\n */\n recordRequest(decision: 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP' | 'WOULD_BLOCK' | 'FAIL_OPEN', latencyMs: number): void {\n this.requestsTotal++;\n \n if (decision === 'ALLOW') {\n this.allowedTotal++;\n } else if (decision === 'BLOCK') {\n this.blockedTotal++;\n } else if (decision === 'REQUIRE_STEP_UP') {\n this.stepupTotal++;\n } else if (decision === 'WOULD_BLOCK') {\n this.wouldBlockTotal++;\n this.allowedTotal++; // Count as allowed (shadow mode)\n } else if (decision === 'FAIL_OPEN') {\n this.failOpenTotal++;\n this.allowedTotal++; // Count as allowed (fail-open)\n }\n\n // Add latency sample (keep rolling window)\n this.latencyMs.push(latencyMs);\n if (this.latencyMs.length > this.maxSamples) {\n this.latencyMs.shift(); // Remove oldest sample\n }\n\n this.emitMetrics();\n }\n\n /**\n * Record a timeout\n */\n recordTimeout(): void {\n this.timeoutsTotal++;\n this.errorsTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record an error\n */\n recordError(): void {\n this.errorsTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record circuit breaker open\n */\n recordCircuitBreakerOpen(): void {\n this.circuitBreakerOpenTotal++;\n this.emitMetrics();\n }\n\n /**\n * Record soft-enforce override (app chose to sign despite BLOCK decision)\n */\n recordSoftBlockOverride(decision: 'ALLOW' | 'BLOCK'): void {\n // Optional: extend Metrics interface with softBlockOverrideTotal if needed\n this.emitMetrics();\n }\n\n /**\n * Get current metrics snapshot\n */\n getMetrics(): Metrics {\n return {\n requestsTotal: this.requestsTotal,\n allowedTotal: this.allowedTotal,\n blockedTotal: this.blockedTotal,\n stepupTotal: this.stepupTotal,\n timeoutsTotal: this.timeoutsTotal,\n errorsTotal: this.errorsTotal,\n circuitBreakerOpenTotal: this.circuitBreakerOpenTotal,\n wouldBlockTotal: this.wouldBlockTotal,\n failOpenTotal: this.failOpenTotal,\n latencyMs: [...this.latencyMs], // Copy array\n };\n }\n\n /**\n * Register a metrics hook (e.g., for Prometheus/OpenTelemetry export)\n */\n registerHook(hook: MetricsHook): void {\n this.hooks.push(hook);\n }\n\n /**\n * Emit metrics to all registered hooks\n */\n private emitMetrics(): void {\n const metrics = this.getMetrics();\n for (const hook of this.hooks) {\n try {\n hook(metrics);\n } catch (error) {\n // Don't throw - metrics hooks should not break SDK\n console.error('Error in metrics hook:', error);\n }\n }\n }\n\n /**\n * Reset all metrics\n */\n reset(): void {\n this.requestsTotal = 0;\n this.allowedTotal = 0;\n this.blockedTotal = 0;\n this.stepupTotal = 0;\n this.timeoutsTotal = 0;\n this.errorsTotal = 0;\n this.circuitBreakerOpenTotal = 0;\n this.wouldBlockTotal = 0;\n this.failOpenTotal = 0;\n this.latencyMs = [];\n }\n}\n\n","/**\n * Canonical transaction digest for decision-token binding.\n * MUST match gate-hotpath/src/utils/txDigest.ts and backend contract.\n * Used to verify the transaction being signed matches the one evaluated.\n */\n\nimport { createHash } from 'node:crypto';\n\n/** Canonical tx binding object - same shape as hot path */\nexport interface TxBindingObject {\n chainId: string;\n toAddress: string;\n value: string;\n data: string;\n nonce: string;\n fromAddress?: string;\n decodedRecipient?: string | null;\n decoded?: Record<string, unknown>;\n signerId?: string;\n networkFamily?: string;\n}\n\n/** Canonical JSON for binding object only - must match hot path output */\nfunction canonicalJsonBinding(obj: unknown): string {\n if (obj === null || obj === undefined) return 'null';\n if (typeof obj === 'string') return JSON.stringify(obj);\n if (typeof obj === 'number') return obj.toString();\n if (typeof obj === 'boolean') return obj ? 'true' : 'false';\n if (Array.isArray(obj)) {\n const items = obj.map((item) => canonicalJsonBinding(item));\n return '[' + items.join(',') + ']';\n }\n if (typeof obj === 'object') {\n const keys = Object.keys(obj).sort();\n const pairs: string[] = [];\n for (const key of keys) {\n const value = (obj as Record<string, unknown>)[key];\n if (value !== undefined) {\n pairs.push(JSON.stringify(key) + ':' + canonicalJsonBinding(value));\n }\n }\n return '{' + pairs.join(',') + '}';\n }\n return JSON.stringify(obj);\n}\n\nfunction normalizeAddress(addr: string | undefined): string {\n if (addr == null || addr === '') return '';\n const s = String(addr).trim();\n if (s.startsWith('0x')) return s.toLowerCase();\n return '0x' + s.toLowerCase();\n}\n\nfunction normalizeData(data: string | undefined): string {\n if (data == null || data === '') return '';\n const s = String(data).trim().toLowerCase();\n return s.startsWith('0x') ? s : '0x' + s;\n}\n\n/**\n * Build canonical tx binding from intent (same as hot path).\n * txIntent may use 'to' or 'toAddress', 'value' or 'valueAtomic'/'valueDecimal'.\n */\nexport function buildTxBindingObject(\n txIntent: {\n toAddress?: string;\n to?: string;\n value?: string;\n valueAtomic?: string;\n valueDecimal?: string;\n data?: string;\n payloadHash?: string;\n dataHash?: string;\n nonce?: number | string;\n chainId?: number | string;\n chain?: string;\n networkFamily?: string;\n [key: string]: unknown;\n },\n signerId?: string,\n decodedRecipient?: string | null,\n decodedFields?: Record<string, unknown> | null,\n fromAddress?: string\n): TxBindingObject {\n const toAddr = txIntent.toAddress ?? txIntent.to ?? '';\n const value = (txIntent.valueAtomic ?? txIntent.valueDecimal ?? txIntent.value ?? '0').toString();\n const data = normalizeData(\n (txIntent.data ?? txIntent.payloadHash ?? txIntent.dataHash ?? '') as string\n );\n const chainId = (txIntent.chainId ?? txIntent.chain ?? '').toString();\n const toAddress = normalizeAddress(toAddr);\n const nonce = txIntent.nonce != null ? String(txIntent.nonce) : '';\n const decoded: Record<string, unknown> = {};\n if (decodedFields && typeof decodedFields === 'object') {\n for (const [k, v] of Object.entries(decodedFields)) {\n if (v !== undefined) decoded[k] = v;\n }\n }\n const out: TxBindingObject = {\n chainId,\n toAddress,\n value,\n data,\n nonce,\n };\n if (fromAddress) out.fromAddress = normalizeAddress(fromAddress);\n if (decodedRecipient != null)\n out.decodedRecipient = decodedRecipient ? normalizeAddress(decodedRecipient) : null;\n if (Object.keys(decoded).length > 0) out.decoded = decoded;\n if (signerId) out.signerId = signerId;\n if (txIntent.networkFamily) out.networkFamily = txIntent.networkFamily as string;\n return out;\n}\n\n/**\n * Compute SHA256(canonicalJson(binding)). Must match hot path digest.\n */\nexport function computeTxDigest(binding: TxBindingObject): string {\n const canonical = canonicalJsonBinding(binding);\n return createHash('sha256').update(canonical, 'utf8').digest('hex');\n}\n","/**\n * Pluggable metrics sink for Gate SDK sign attempts.\n * Used to compute receipt coverage % (signed_with_receipt / sign_attempts) for underwriting.\n * Default: no-op. Wire to POST /api/v1/gate/metrics/sign for backend aggregation.\n */\n\nexport type GateSignMetricName =\n | 'sign_attempt_total'\n | 'sign_blocked_missing_receipt_total'\n | 'sign_blocked_invalid_receipt_total'\n | 'sign_success_with_receipt_total'\n | 'sign_success_total';\n\nexport interface GateMetricEventLabels {\n tenantId?: string;\n signerId?: string;\n adoptionStage?: string;\n env?: string;\n chain?: string;\n kmsKeyId?: string;\n region?: string;\n}\n\nexport interface GateMetricEvent {\n name: GateSignMetricName;\n labels: GateMetricEventLabels;\n timestampMs?: number;\n}\n\n/**\n * Sink for sign metrics. Implement to forward events to your backend (e.g. POST /api/v1/gate/metrics/sign).\n * Default when not provided: no-op.\n */\nexport interface GateMetricsSink {\n emit(event: GateMetricEvent): void | Promise<void>;\n}\n\n/** No-op sink (default). */\nexport const noOpMetricsSink: GateMetricsSink = {\n emit() {},\n};\n","/**\n * BlockIntel Gate SDK - AWS SDK v3 KMS Wrapper\n * \n * Wraps AWS SDK v3 KMSClient to intercept SignCommand calls and enforce Gate policies.\n */\n\nimport { KMSClient, SignCommand, SignCommandInput } from '@aws-sdk/client-kms';\nimport { GateClient } from '../client/GateClient.js';\nimport { BlockIntelBlockedError, BlockIntelStepUpRequiredError } from '../types/errors.js';\nimport { createHash } from 'crypto';\nimport { buildTxBindingObject, computeTxDigest } from '../utils/txDigest.js';\nimport type { GateMetricsSink, GateMetricEvent, GateMetricEventLabels } from '../metrics/GateMetricsSink.js';\nimport { noOpMetricsSink } from '../metrics/GateMetricsSink.js';\n\n/**\n * KMS wrapper options\n */\nexport interface WrapKmsClientOptions {\n /**\n * Wrapper mode\n * - \"enforce\": Block if Gate denies, require step-up approval\n * - \"dry-run\": Evaluate but always allow KMS call (for testing)\n */\n mode?: 'enforce' | 'dry-run';\n\n /**\n * When true (e.g. HARD_KMS_ATTESTED mode), KMS Sign is only allowed if the evaluate response\n * includes a receipt (or decisionHash). Rejects with RECEIPT_REQUIRED if missing.\n */\n requireReceiptForSign?: boolean;\n\n /**\n * Callback invoked when a decision is made\n */\n onDecision?: (decision: 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP', details: any) => void;\n\n /**\n * Custom hook to extract transaction intent from SignCommand\n * If not provided, uses default extraction (minimal txIntent from message hash)\n */\n extractTxIntent?: (command: SignCommandInput) => {\n toAddress?: string;\n networkFamily?: 'EVM' | 'BTC' | 'SOL' | 'OTHER';\n chainId?: number;\n [key: string]: any;\n };\n\n /**\n * Optional metrics sink for observability.\n * If not provided, uses no-op sink (metrics are discarded).\n */\n metricsSink?: GateMetricsSink;\n}\n\n/**\n * Wrapped KMS client type (proxy that intercepts send calls)\n */\nexport interface WrappedKmsClient extends KMSClient {\n /**\n * Intercepted send method (overrides KMSClient.send)\n */\n send<T>(command: T): Promise<any>;\n\n /**\n * Original KMS client (for fallback or direct access)\n */\n _originalClient: KMSClient;\n\n /**\n * Gate client used for evaluation\n */\n _gateClient: GateClient;\n\n /**\n * Wrapper options\n */\n _wrapperOptions: Required<WrapKmsClientOptions>;\n}\n\n/**\n * Wrap AWS SDK v3 KMS client to intercept SignCommand calls\n * \n * @param kmsClient - AWS SDK v3 KMSClient instance\n * @param gateClient - Gate client for evaluation\n * @param options - Wrapper options\n * @returns Proxy object that intercepts send() calls\n * \n * @example\n * ```typescript\n * import { KMSClient } from '@aws-sdk/client-kms';\n * import { GateClient, wrapKmsClient } from 'blockintel-gate-sdk';\n * \n * const kms = new KMSClient({});\n * const gate = new GateClient({\n * baseUrl: process.env.GATE_BASE_URL!,\n * tenantId: process.env.GATE_TENANT_ID!,\n * auth: { mode: 'hmac', keyId: process.env.GATE_KEY_ID!, secret: process.env.GATE_HMAC_SECRET! },\n * });\n * \n * const protectedKms = wrapKmsClient(kms, gate);\n * \n * // Now calls to protectedKms.send(new SignCommand(...)) will be intercepted\n * const result = await protectedKms.send(new SignCommand({\n * KeyId: 'alias/my-key',\n * Message: Buffer.from('...'),\n * MessageType: 'RAW',\n * SigningAlgorithm: 'ECDSA_SHA_256',\n * }));\n * ```\n */\nexport function wrapKmsClient(\n kmsClient: KMSClient,\n gateClient: GateClient,\n options: WrapKmsClientOptions = {}\n): WrappedKmsClient {\n const defaultOptions: Required<WrapKmsClientOptions> = {\n mode: options.mode || 'enforce',\n requireReceiptForSign: options.requireReceiptForSign ?? false,\n onDecision: options.onDecision || (() => {}),\n extractTxIntent: options.extractTxIntent || defaultExtractTxIntent,\n metricsSink: options.metricsSink ?? noOpMetricsSink,\n };\n\n // Create proxy that intercepts send() calls\n const wrapped = new Proxy(kmsClient, {\n get(target, prop, receiver) {\n if (prop === 'send') {\n // Intercept send() method\n return async function (command: any) {\n // Check if this is a SignCommand\n if (command && command.constructor && command.constructor.name === 'SignCommand') {\n return await handleSignCommand(\n command,\n target as KMSClient,\n gateClient,\n defaultOptions\n );\n }\n\n // Not a SignCommand - pass through to original client\n return await (target as any).send(command);\n };\n }\n\n // All other properties pass through\n return Reflect.get(target, prop, receiver);\n },\n }) as WrappedKmsClient;\n\n // Attach metadata for introspection\n wrapped._originalClient = kmsClient;\n wrapped._gateClient = gateClient;\n wrapped._wrapperOptions = defaultOptions;\n\n return wrapped;\n}\n\n/**\n * Default transaction intent extraction from SignCommand\n * \n * Extracts minimal txIntent from KMS SignCommand:\n * - Uses Message hash as payloadHash\n * - Sets networkFamily to 'OTHER' (unknown)\n * - Sets signerId from KeyId\n */\nfunction defaultExtractTxIntent(command: SignCommandInput): {\n toAddress?: string;\n networkFamily?: 'EVM' | 'BTC' | 'SOL' | 'OTHER';\n chainId?: number;\n payloadHash?: string;\n dataHash?: string;\n [key: string]: any;\n} {\n // Compute SHA256 hash of message\n // SignCommand.Message can be accessed via input property or directly\n const message = (command as any).input?.Message ?? (command as any).Message;\n if (!message) {\n throw new Error('SignCommand missing required Message property');\n }\n const messageBuffer = message instanceof Buffer \n ? message \n : Buffer.from(message as any);\n const messageHash = createHash('sha256').update(messageBuffer).digest('hex');\n\n return {\n networkFamily: 'OTHER',\n toAddress: undefined, // Unknown from KMS message alone\n payloadHash: messageHash,\n dataHash: messageHash, // Backward compatibility\n };\n}\n\n/** Build metric labels from gateClient and command (tenantId, signerId, adoptionStage, env, chain, kmsKeyId, region). */\nfunction buildMetricLabels(\n gateClient: GateClient,\n command: SignCommandInput,\n signerId: string,\n txIntent: { chainId?: number; networkFamily?: string }\n): GateMetricEventLabels {\n const config = (gateClient as any).config;\n const keyId = (command as any).input?.KeyId ?? (command as any).KeyId;\n return {\n tenantId: config?.tenantId,\n signerId: signerId || undefined,\n adoptionStage: config?.adoptionStage ?? process.env.GATE_ADOPTION_STAGE,\n env: config?.env ?? process.env.GATE_ENV ?? process.env.NODE_ENV,\n chain: txIntent.chainId != null ? String(txIntent.chainId) : txIntent.networkFamily,\n kmsKeyId: keyId,\n region: process.env.AWS_REGION,\n };\n}\n\n/** Emit metric; never throw (sink errors are ignored). */\nfunction emitMetric(\n sink: GateMetricsSink,\n name: GateMetricEvent['name'],\n labels: GateMetricEventLabels\n): void {\n const event: GateMetricEvent = { name, labels, timestampMs: Date.now() };\n try {\n const result = sink.emit(event);\n if (result && typeof (result as Promise<void>).catch === 'function') {\n (result as Promise<void>).catch(() => {});\n }\n } catch {\n // no-op: metrics must not break signing\n }\n}\n\n/**\n * Handle intercepted SignCommand\n */\nasync function handleSignCommand(\n command: SignCommandInput,\n originalClient: KMSClient,\n gateClient: GateClient,\n options: Required<WrapKmsClientOptions>\n): Promise<any> {\n // Extract transaction intent\n const txIntent = options.extractTxIntent(command);\n\n // Extract signer ID from KeyId\n // SignCommand.KeyId can be accessed via input property or directly\n const signerId = (command as any).input?.KeyId ?? (command as any).KeyId ?? 'unknown';\n\n const labels = buildMetricLabels(gateClient, command, signerId, txIntent);\n emitMetric(options.metricsSink, 'sign_attempt_total', labels);\n\n // CRITICAL: Check heartbeat before any Gate evaluation\n // Per-signer token cache: async fetch with 2s timeout\n let heartbeatToken: string;\n try {\n heartbeatToken = await (gateClient as any).heartbeatManager.getTokenForSigner(signerId, 2000);\n } catch {\n throw new BlockIntelBlockedError(\n 'HEARTBEAT_MISSING',\n undefined, // receiptId\n undefined, // correlationId\n undefined // requestId\n );\n }\n\n // Build signing context\n const signingContext = {\n signerId,\n actorPrincipal: 'kms-signer', // Default - can be customized via extractTxIntent\n heartbeatToken, // Attach heartbeat token\n };\n\n try {\n // Call Gate evaluate()\n const decision = await gateClient.evaluate({\n txIntent: txIntent as any, // Type assertion - txIntent may have extra fields\n signingContext,\n });\n\n // Receipt-required (HARD_KMS_ATTESTED): block KMS call if no receipt in response\n if (decision.decision === 'ALLOW' && options.requireReceiptForSign) {\n const hasReceipt =\n (decision as any).receipt != null ||\n ((decision as any).decisionHash != null && (decision as any).receiptSignature != null);\n if (!hasReceipt) {\n emitMetric(options.metricsSink, 'sign_blocked_missing_receipt_total', labels);\n options.onDecision('BLOCK', {\n error: new BlockIntelBlockedError(\n 'RECEIPT_REQUIRED',\n (decision as any).decisionId,\n (decision as any).correlationId,\n undefined\n ),\n signerId,\n command,\n });\n throw new BlockIntelBlockedError(\n 'RECEIPT_REQUIRED',\n (decision as any).decisionId,\n (decision as any).correlationId,\n undefined\n );\n }\n }\n\n // Decision is ALLOW (evaluate() doesn't throw) - verify decision token binding when required\n if (\n decision.decision === 'ALLOW' &&\n gateClient.getRequireDecisionToken() &&\n decision.txDigest != null\n ) {\n const binding = buildTxBindingObject(\n txIntent as any,\n signerId,\n undefined,\n undefined,\n (signingContext as any).actorPrincipal\n );\n const computedDigest = computeTxDigest(binding);\n if (computedDigest !== decision.txDigest) {\n options.onDecision('BLOCK', {\n error: new BlockIntelBlockedError(\n 'DECISION_TOKEN_TX_MISMATCH',\n decision.decisionId,\n decision.correlationId,\n undefined\n ),\n signerId,\n command,\n });\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_TX_MISMATCH',\n decision.decisionId,\n decision.correlationId,\n undefined\n );\n }\n }\n\n const hasReceipt =\n (decision as any).receipt != null ||\n ((decision as any).decisionHash != null && (decision as any).receiptSignature != null);\n if (hasReceipt) {\n emitMetric(options.metricsSink, 'sign_success_with_receipt_total', labels);\n }\n emitMetric(options.metricsSink, 'sign_success_total', labels);\n\n options.onDecision('ALLOW', { decision, signerId, command });\n\n if (options.mode === 'dry-run') {\n // Dry-run mode: evaluate but still allow\n return await originalClient.send(new SignCommand(command));\n }\n\n // Check adoption stage from heartbeat — at Gateway stages, route to signing proxy\n const GATEWAY_STAGES = ['HARD_KMS_GATEWAY', 'HARD_GCP_GATEWAY', 'HARD_HSM_GATEWAY'];\n const currentStage = (gateClient as any).heartbeatManager?.getAdoptionStage?.() as string | null;\n\n if (currentStage && GATEWAY_STAGES.includes(currentStage)) {\n // At KMS Gateway: app role has NO kms:Sign. Route to Gate's signing proxy.\n emitMetric(options.metricsSink, 'sign_success_total', labels); // via proxy\n return await signViaProxy(gateClient, decision, command, signerId);\n }\n\n // Pre-Gateway stages: forward to real KMS (app has kms:Sign)\n return await originalClient.send(new SignCommand(command));\n } catch (error: any) {\n // Handle Gate errors\n if (error instanceof BlockIntelBlockedError) {\n options.onDecision('BLOCK', { error, signerId, command });\n throw error; // Re-throw to block KMS call\n }\n\n if (error instanceof BlockIntelStepUpRequiredError) {\n options.onDecision('REQUIRE_STEP_UP', { error, signerId, command });\n throw error; // Re-throw to prevent KMS call until step-up approved\n }\n\n // Other errors (network, auth, etc.) - re-throw\n throw error;\n }\n}\n\n/**\n * Sign via Gate's server-side proxy (POST /defense/sign).\n * Used at HARD_KMS_GATEWAY+ stages where the app has no kms:Sign permission.\n * Gate's control plane holds signing credentials and proxies the KMS call.\n */\nasync function signViaProxy(\n gateClient: GateClient,\n decision: any,\n command: SignCommandInput,\n signerId: string\n): Promise<any> {\n const config = (gateClient as any).config;\n const baseUrl = config?.baseUrl || config?.controlPlaneUrl;\n const tenantId = config?.tenantId;\n\n if (!baseUrl || !tenantId) {\n throw new Error('[Gate SDK] Cannot use signing proxy: baseUrl or tenantId not configured on GateClient');\n }\n\n // Extract message from SignCommand\n const message = (command as any).input?.Message ?? (command as any).Message;\n if (!message) {\n throw new Error('[Gate SDK] SignCommand missing Message for proxy signing');\n }\n const messageBuffer = message instanceof Buffer ? message : Buffer.from(message as any);\n const messageBase64 = messageBuffer.toString('base64');\n\n // Extract key ID\n const keyId = (command as any).input?.KeyId ?? (command as any).KeyId;\n if (!keyId) {\n throw new Error('[Gate SDK] SignCommand missing KeyId for proxy signing');\n }\n\n // Extract algorithm\n const signingAlgorithm = (command as any).input?.SigningAlgorithm ?? (command as any).SigningAlgorithm ?? 'ECDSA_SHA_256';\n const messageType = (command as any).input?.MessageType ?? (command as any).MessageType ?? 'RAW';\n\n // Build proxy URL\n const proxyUrl = `${baseUrl.replace('/defense', '')}/tenants/${tenantId}/defense/sign`;\n\n // Get auth headers from gateClient\n const headers: Record<string, string> = {\n 'Content-Type': 'application/json',\n };\n\n // Reuse the gateClient's auth mechanism\n const authHeaders = (gateClient as any).getAuthHeaders?.();\n if (authHeaders) {\n Object.assign(headers, authHeaders);\n } else {\n // Fallback: try to get auth from config\n const auth = config?.auth;\n if (auth?.mode === 'api_key' && auth?.apiKey) {\n headers['x-api-key'] = auth.apiKey;\n }\n }\n\n // Also include JWT if available\n const jwt = (gateClient as any).jwt || (gateClient as any).config?.jwt;\n if (jwt) {\n headers['Authorization'] = `Bearer ${jwt}`;\n }\n\n const response = await fetch(proxyUrl, {\n method: 'POST',\n headers,\n body: JSON.stringify({\n requestId: decision.decisionId || decision.requestId,\n decisionToken: decision.decisionToken,\n keyId,\n message: messageBase64,\n signingAlgorithm,\n messageType,\n }),\n });\n\n if (!response.ok) {\n const errorBody = await response.json().catch(() => ({}));\n const code = (errorBody as any)?.error?.code || 'SIGN_PROXY_FAILED';\n const msg = (errorBody as any)?.error?.message || `Signing proxy returned ${response.status}`;\n throw new Error(`[Gate SDK] ${code}: ${msg}`);\n }\n\n const result = await response.json();\n const data = (result as any)?.data;\n\n if (!data?.signature) {\n throw new Error('[Gate SDK] Signing proxy returned no signature');\n }\n\n // Return in the same format as KMSClient.send(SignCommand) response\n return {\n Signature: Buffer.from(data.signature, 'base64'),\n KeyId: data.keyId || keyId,\n SigningAlgorithm: data.signingAlgorithm || signingAlgorithm,\n $metadata: { httpStatusCode: 200 },\n };\n}\n\n","/**\n * Provenance Provider\n * \n * Provides provenance information (repo, workflow, attestation) from environment variables.\n * Used for CI/CD provenance enforcement in Gate.\n */\n\n/**\n * Provenance information extracted from environment\n */\nexport interface Provenance {\n repo?: string;\n workflow?: string;\n ref?: string;\n actor?: string;\n attestation?: {\n valid: boolean;\n issuer?: string;\n subject?: string;\n sha?: string;\n };\n}\n\n/**\n * Provenance Provider\n * \n * Reads provenance information from environment variables:\n * - GATE_CALLER_REPO\n * - GATE_CALLER_WORKFLOW\n * - GATE_CALLER_REF\n * - GATE_CALLER_ACTOR\n * - GATE_ATTESTATION_VALID\n * - GATE_ATTESTATION_ISSUER\n * - GATE_ATTESTATION_SUBJECT\n * - GATE_ATTESTATION_SHA\n */\nexport class ProvenanceProvider {\n /**\n * Get provenance from environment variables\n */\n static getProvenance(): Provenance | null {\n const repo = process.env.GATE_CALLER_REPO;\n const workflow = process.env.GATE_CALLER_WORKFLOW;\n const ref = process.env.GATE_CALLER_REF;\n const actor = process.env.GATE_CALLER_ACTOR;\n const attestationValid = process.env.GATE_ATTESTATION_VALID;\n const attestationIssuer = process.env.GATE_ATTESTATION_ISSUER;\n const attestationSubject = process.env.GATE_ATTESTATION_SUBJECT;\n const attestationSha = process.env.GATE_ATTESTATION_SHA;\n\n // If no provenance env vars are set, return null\n if (!repo && !workflow && !ref && !actor && !attestationValid) {\n return null;\n }\n\n const provenance: Provenance = {};\n\n if (repo) provenance.repo = repo;\n if (workflow) provenance.workflow = workflow;\n if (ref) provenance.ref = ref;\n if (actor) provenance.actor = actor;\n\n // Build attestation if any attestation env vars are set\n if (attestationValid || attestationIssuer || attestationSubject || attestationSha) {\n provenance.attestation = {\n valid: attestationValid === 'true' || attestationValid === '1',\n issuer: attestationIssuer,\n subject: attestationSubject,\n sha: attestationSha,\n };\n }\n\n return provenance;\n }\n\n /**\n * Check if provenance is enabled (env vars present)\n */\n static isEnabled(): boolean {\n return !!(\n process.env.GATE_CALLER_REPO ||\n process.env.GATE_CALLER_WORKFLOW ||\n process.env.GATE_ATTESTATION_VALID\n );\n }\n}\n\n","/**\n * Gate SDK - Heartbeat Manager\n * \n * Manages heartbeat token acquisition and validation.\n * Heartbeat tokens prove Gate is alive and enforcing policy.\n * Required for all signing operations.\n * \n * Features:\n * - Automatic refresh with jitter\n * - Exponential backoff on failures\n * - Client instance metadata tracking\n */\n\nimport { v4 as uuidv4 } from 'uuid';\nimport { HttpClient } from '../http/HttpClient.js';\nimport { GateError, GateErrorCode } from '../types/errors.js';\n\nexport interface HeartbeatToken {\n token: string;\n expiresAt: number; // Unix timestamp (seconds)\n jti?: string; // JWT ID (for reference)\n policyHash?: string; // Policy hash (for reference)\n}\n\ninterface SignerHeartbeatEntry {\n token: HeartbeatToken | null;\n refreshTimer: NodeJS.Timeout | null;\n consecutiveFailures: number;\n lastAcquireAttemptMs: number;\n lastUsedMs: number;\n acquiring: boolean;\n acquirePromise: Promise<void> | null;\n}\n\nexport class HeartbeatManager {\n private readonly httpClient: HttpClient;\n private readonly tenantId: string;\n private defaultSignerId: string;\n private readonly environment: string;\n private readonly baseRefreshIntervalSeconds: number;\n private readonly clientInstanceId: string; // Unique per process\n private readonly sdkVersion: string; // SDK version for tracking\n private readonly apiKey: string | undefined; // x-gate-heartbeat-key for Control Plane auth\n\n private readonly signerEntries: Map<string, SignerHeartbeatEntry> = new Map();\n private evictionTimer: NodeJS.Timeout | null = null;\n private started = false;\n private maxBackoffSeconds = 30; // Maximum backoff interval\n /** Server's current adoption stage for this tenant (cached from heartbeat response) */\n private adoptionStage: string | null = null;\n\n private readonly maxSigners: number;\n private readonly signerIdleTtlMs: number;\n private readonly localRateLimitMs: number;\n\n constructor(options: {\n httpClient: HttpClient;\n tenantId: string;\n signerId: string;\n environment?: string;\n refreshIntervalSeconds?: number;\n clientInstanceId?: string;\n sdkVersion?: string;\n /** API key for heartbeat endpoint auth (x-gate-heartbeat-key). Required unless local mode. */\n apiKey?: string;\n maxSigners?: number;\n signerIdleTtlMs?: number;\n localRateLimitMs?: number;\n }) {\n this.httpClient = options.httpClient;\n this.tenantId = options.tenantId;\n this.defaultSignerId = options.signerId;\n this.environment = options.environment ?? 'prod';\n this.baseRefreshIntervalSeconds = options.refreshIntervalSeconds ?? 10;\n this.apiKey = options.apiKey;\n \n // Generate unique client instance ID (once per process)\n this.clientInstanceId = options.clientInstanceId || uuidv4();\n \n // Get SDK version (from package.json or default)\n this.sdkVersion = options.sdkVersion || '1.0.0';\n this.apiKey = options.apiKey;\n\n this.maxSigners = options.maxSigners ?? 20;\n this.signerIdleTtlMs = options.signerIdleTtlMs ?? 300_000; // 5 min\n this.localRateLimitMs = options.localRateLimitMs ?? 2100; // 2.1s\n }\n\n /**\n * Start background heartbeat refresher.\n * Optionally wait for initial token (first evaluate() will otherwise wait up to 2s for token).\n */\n start(options?: { waitForInitial?: boolean }): void {\n if (this.started) {\n return;\n }\n\n this.started = true;\n this.startEvictionTimer();\n\n // Fire off initial acquire for default signer\n this.getTokenForSigner(this.defaultSignerId, 0).catch((error) => {\n // Ignored: expected if maxWaitMs=0 or if it takes longer\n console.warn('[HEARTBEAT] Failed to acquire initial heartbeat:', error instanceof Error ? error.message : error);\n });\n }\n\n private startEvictionTimer(): void {\n if (this.evictionTimer) clearInterval(this.evictionTimer);\n \n this.evictionTimer = setInterval(() => {\n const now = Date.now();\n for (const [signerId, entry] of this.signerEntries) {\n if (now - entry.lastUsedMs > this.signerIdleTtlMs) {\n if (entry.refreshTimer) clearTimeout(entry.refreshTimer);\n this.signerEntries.delete(signerId);\n }\n }\n }, 60_000);\n }\n\n /**\n * Schedule next refresh with jitter and backoff for a specific signer\n */\n private scheduleRefreshForSigner(signerId: string, entry: SignerHeartbeatEntry): void {\n if (!this.started || !this.signerEntries.has(signerId)) {\n return;\n }\n\n if (entry.refreshTimer) {\n clearTimeout(entry.refreshTimer);\n entry.refreshTimer = null;\n }\n\n const baseInterval = this.baseRefreshIntervalSeconds * 1000;\n const jitter = Math.random() * 2000; // 0-2 seconds jitter\n const backoff = Math.min(\n Math.pow(2, entry.consecutiveFailures) * 1000,\n this.maxBackoffSeconds * 1000\n );\n const interval = baseInterval + jitter + backoff;\n\n entry.refreshTimer = setTimeout(() => {\n // Skip if evicted\n if (!this.signerEntries.has(signerId)) return;\n\n entry.acquiring = true;\n entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry)\n .then(() => {\n this.scheduleRefreshForSigner(signerId, entry);\n })\n .catch((error) => {\n entry.consecutiveFailures++;\n console.error(`[HEARTBEAT] Refresh failed for signer ${signerId} (will retry):`, error.message || error);\n this.scheduleRefreshForSigner(signerId, entry);\n })\n .finally(() => {\n entry.acquiring = false;\n entry.acquirePromise = null;\n });\n }, interval);\n }\n\n /**\n * Stop background heartbeat refresher\n */\n stop(): void {\n if (!this.started) {\n return;\n }\n\n this.started = false;\n\n if (this.evictionTimer) {\n clearInterval(this.evictionTimer);\n this.evictionTimer = null;\n }\n\n for (const [signerId, entry] of this.signerEntries) {\n if (entry.refreshTimer) {\n clearTimeout(entry.refreshTimer);\n entry.refreshTimer = null;\n }\n }\n this.signerEntries.clear();\n }\n\n /**\n * Get current heartbeat token if valid for the default signer\n * @deprecated Use getTokenForSigner() instead.\n */\n getToken(): string | null {\n const entry = this.signerEntries.get(this.defaultSignerId);\n if (entry && entry.token && entry.token.expiresAt > Math.floor(Date.now() / 1000) + 2) {\n entry.lastUsedMs = Date.now();\n return entry.token.token;\n }\n return null;\n }\n\n /**\n * Check if current heartbeat token is valid for the default signer\n * @deprecated Use getTokenForSigner() instead.\n */\n isValid(): boolean {\n return this.getToken() !== null;\n }\n\n /**\n * Update signer ID (called when signer is known).\n * @deprecated Use getTokenForSigner() — signerId changes are handled automatically by the per-signer cache.\n */\n updateSignerId(signerId: string): void {\n this.defaultSignerId = signerId;\n }\n\n /**\n * Get a valid heartbeat token for a specific signer.\n * Returns immediately if a cached valid token exists.\n * If no token, triggers acquisition and returns a Promise that resolves\n * when the token is available (or rejects after maxWaitMs).\n */\n async getTokenForSigner(signerId: string, maxWaitMs = 2000): Promise<string> {\n if (!this.started) {\n throw new GateError(GateErrorCode.HEARTBEAT_MISSING, 'HeartbeatManager not started');\n }\n\n const startTime = Date.now();\n let entry = this.signerEntries.get(signerId);\n const now = Date.now();\n\n const getValidToken = (e: SignerHeartbeatEntry) => {\n if (e.token && e.token.expiresAt > Math.floor(Date.now() / 1000) + 2) {\n return e.token.token;\n }\n return null;\n };\n\n if (entry) {\n entry.lastUsedMs = now;\n const t = getValidToken(entry);\n if (t) return t;\n } else {\n if (this.signerEntries.size >= this.maxSigners) {\n let oldestSignerId: string | null = null;\n let oldestUsedMs = Infinity;\n for (const [sId, e] of this.signerEntries) {\n if (e.lastUsedMs < oldestUsedMs) {\n oldestUsedMs = e.lastUsedMs;\n oldestSignerId = sId;\n }\n }\n if (oldestSignerId) {\n const oldestEntry = this.signerEntries.get(oldestSignerId);\n if (oldestEntry?.refreshTimer) clearTimeout(oldestEntry.refreshTimer);\n this.signerEntries.delete(oldestSignerId);\n }\n }\n entry = {\n token: null,\n refreshTimer: null,\n consecutiveFailures: 0,\n lastAcquireAttemptMs: 0,\n lastUsedMs: now,\n acquiring: false,\n acquirePromise: null,\n };\n this.signerEntries.set(signerId, entry);\n }\n\n if (entry.acquiring && entry.acquirePromise) {\n const remainingWait = Math.max(0, maxWaitMs - (Date.now() - startTime));\n try {\n await Promise.race([\n entry.acquirePromise,\n new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), remainingWait))\n ]);\n } catch (e) {}\n const t = getValidToken(entry);\n if (t) return t;\n }\n\n const timeSinceLastAttempt = Date.now() - entry.lastAcquireAttemptMs;\n let timeToWaitBeforeFetch = 0;\n if (timeSinceLastAttempt < this.localRateLimitMs) {\n timeToWaitBeforeFetch = this.localRateLimitMs - timeSinceLastAttempt;\n }\n\n const remainingWait2 = Math.max(0, maxWaitMs - (Date.now() - startTime));\n if (timeToWaitBeforeFetch >= remainingWait2) {\n throw new GateError(\n GateErrorCode.HEARTBEAT_MISSING,\n 'Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy.'\n );\n }\n\n if (timeToWaitBeforeFetch > 0) {\n await new Promise(resolve => setTimeout(resolve, timeToWaitBeforeFetch));\n }\n\n if (!entry.acquiring) {\n entry.acquiring = true;\n entry.acquirePromise = this.acquireHeartbeatForSigner(signerId, entry).finally(() => {\n if (entry) {\n entry.acquiring = false;\n entry.acquirePromise = null;\n }\n });\n }\n\n const remainingWait3 = Math.max(0, maxWaitMs - (Date.now() - startTime));\n try {\n if (entry.acquirePromise) {\n await Promise.race([\n entry.acquirePromise,\n new Promise((_, reject) => setTimeout(() => reject(new Error('timeout')), remainingWait3))\n ]);\n }\n } catch (e) {}\n\n const t = getValidToken(entry);\n if (t) return t;\n\n throw new GateError(\n GateErrorCode.HEARTBEAT_MISSING,\n 'Signing blocked: Heartbeat token is missing or expired. Gate must be alive and enforcing policy.'\n );\n }\n\n /**\n * Acquire a new heartbeat token from Control Plane for a specific signer\n * NEVER logs token value (security)\n * Requires x-gate-heartbeat-key header (apiKey) for authentication.\n */\n private async acquireHeartbeatForSigner(signerId: string, entry: SignerHeartbeatEntry): Promise<void> {\n if (!this.apiKey || this.apiKey.length === 0) {\n throw new GateError(\n GateErrorCode.UNAUTHORIZED,\n 'Heartbeat API key is required. Set GATE_HEARTBEAT_KEY in environment or pass heartbeatApiKey in GateClientConfig.',\n {}\n );\n }\n\n entry.lastAcquireAttemptMs = Date.now();\n\n try {\n const response = await this.httpClient.request<{\n success: boolean;\n data?: {\n heartbeatToken: string;\n expiresAt: number;\n ttl?: number;\n policyHash?: string;\n jti?: string;\n adoptionStage?: string;\n };\n error?: {\n message: string;\n };\n }>({\n method: 'POST',\n path: '/api/v1/gate/heartbeat',\n headers: {\n 'x-gate-heartbeat-key': this.apiKey,\n },\n body: {\n tenantId: this.tenantId,\n signerId: signerId,\n environment: this.environment,\n clientInstanceId: this.clientInstanceId,\n sdkVersion: this.sdkVersion,\n },\n });\n\n // Verify entry hasn't been evicted\n if (!this.signerEntries.has(signerId)) {\n return; // Evicted while acquiring\n }\n\n if (response.success && response.data) {\n const token = response.data.heartbeatToken;\n const expiresAt = response.data.expiresAt;\n\n if (!token || !expiresAt) {\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Invalid heartbeat response: missing token or expiresAt'\n );\n }\n\n entry.token = {\n token,\n expiresAt,\n jti: response.data.jti,\n policyHash: response.data.policyHash,\n };\n entry.consecutiveFailures = 0;\n\n // Cache adoption stage (per-tenant; any signer's heartbeat carries it)\n if (response.data.adoptionStage != null) {\n this.adoptionStage = response.data.adoptionStage;\n }\n\n // Log WITHOUT token value (security)\n console.log('[HEARTBEAT] Acquired heartbeat token', {\n expiresAt,\n signerId,\n jti: response.data.jti,\n policyHash: response.data.policyHash?.substring(0, 8) + '...',\n // DO NOT log token value\n });\n\n // Ensure refresh timer is running for this signer\n if (!entry.refreshTimer) {\n this.scheduleRefreshForSigner(signerId, entry);\n }\n } else {\n const error = (response as any).error || {};\n throw new GateError(\n GateErrorCode.SERVER_ERROR,\n `Heartbeat acquisition failed: ${error.message || 'Unknown error'}`\n );\n }\n } catch (error: any) {\n // Log error but NEVER log token\n console.error(`[HEARTBEAT] Failed to acquire heartbeat for signer ${signerId}:`, error.message || error);\n throw error;\n }\n }\n\n /**\n * Get client instance ID (for tracking)\n */\n getClientInstanceId(): string {\n return this.clientInstanceId;\n }\n\n /**\n * Get the server's current adoption stage for this tenant.\n * Populated after the first successful heartbeat response.\n * Returns null if not yet received.\n */\n getAdoptionStage(): string | null {\n return this.adoptionStage;\n }\n}\n\n","/**\n * BlockIntel Gate SDK - IAM Permission Risk Checker\n * \n * Best-effort detection of IAM permissions that could bypass Gate.\n */\n\nexport type EnforcementMode = 'SOFT' | 'HARD';\n\nexport interface IamPermissionRiskCheckResult {\n hasRisk: boolean;\n riskType?: 'DIRECT_KMS_SIGN_PERMISSION' | 'AWS_CREDENTIALS_DETECTED' | 'ENVIRONMENT_MARKERS';\n confidence: 'HIGH' | 'MEDIUM' | 'LOW';\n details: string;\n remediation?: string;\n}\n\nexport interface IamPermissionRiskCheckerOptions {\n tenantId: string;\n signerId?: string;\n environment?: string;\n enforcementMode: EnforcementMode;\n allowInsecureKmsSignPermission: boolean;\n kmsKeyIds?: string[]; // Optional: specific KMS keys to check\n}\n\n/**\n * IAM Permission Risk Checker\n * \n * Performs best-effort detection of IAM permissions that could allow\n * direct KMS signing, bypassing Gate SDK.\n */\nexport class IamPermissionRiskChecker {\n private readonly options: IamPermissionRiskCheckerOptions;\n\n constructor(options: IamPermissionRiskCheckerOptions) {\n this.options = options;\n }\n\n /**\n * Perform synchronous IAM permission risk check\n * \n * Performs quick checks (credentials, environment markers) synchronously.\n * In HARD mode, throws error if risk detected and override not set.\n * \n * Use this for blocking initialization checks.\n */\n checkSync(): IamPermissionRiskCheckResult {\n const checks: IamPermissionRiskCheckResult[] = [];\n\n // Check 1: AWS Credentials Presence\n const credentialsCheck = this.checkAwsCredentials();\n if (credentialsCheck.hasRisk) {\n checks.push(credentialsCheck);\n }\n\n // Check 2: Environment Markers\n const envCheck = this.checkEnvironmentMarkers();\n if (envCheck.hasRisk) {\n checks.push(envCheck);\n }\n\n // Aggregate results\n const highestConfidence = this.getHighestConfidence(checks);\n const highestRisk = checks.find(c => c.confidence === highestConfidence);\n\n if (!highestRisk || !highestRisk.hasRisk) {\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No IAM permission risk detected (synchronous check)',\n };\n }\n\n // In HARD mode, throw error if risk detected and override not set\n if (this.options.enforcementMode === 'HARD' && !this.options.allowInsecureKmsSignPermission) {\n const errorMessage = this.buildErrorMessage(highestRisk);\n throw new Error(errorMessage);\n }\n\n // Log warning in SOFT mode or if override is set\n this.logWarning(highestRisk);\n\n return highestRisk;\n }\n\n /**\n * Perform full IAM permission risk check (including async IAM simulation)\n * \n * Returns risk assessment with confidence level.\n * In HARD mode, throws error if risk detected and override not set.\n */\n async check(): Promise<IamPermissionRiskCheckResult> {\n // First do synchronous checks\n const syncResult = this.checkSync();\n \n // If sync check found risk and we're in HARD mode, it already threw\n // If we're here, either no risk or SOFT mode - continue with async checks\n \n // Check 3: IAM Permission Simulation (if available) - async\n const simulationCheck = await this.checkIamSimulation();\n if (simulationCheck.hasRisk) {\n // In HARD mode, throw error if risk detected and override not set\n if (this.options.enforcementMode === 'HARD' && !this.options.allowInsecureKmsSignPermission) {\n const errorMessage = this.buildErrorMessage(simulationCheck);\n throw new Error(errorMessage);\n }\n\n // Log warning in SOFT mode or if override is set\n this.logWarning(simulationCheck);\n \n return simulationCheck;\n }\n\n // Return sync result (no async risk found)\n return syncResult;\n }\n\n /**\n * Check if AWS credentials are present\n */\n private checkAwsCredentials(): IamPermissionRiskCheckResult {\n const hasEnvVars = !!(\n process.env.AWS_ACCESS_KEY_ID ||\n process.env.AWS_SECRET_ACCESS_KEY ||\n process.env.AWS_SESSION_TOKEN\n );\n\n const hasRoleCredentials = !!(\n process.env.AWS_ROLE_ARN ||\n process.env.AWS_WEB_IDENTITY_TOKEN_FILE ||\n process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI\n );\n\n if (hasEnvVars || hasRoleCredentials) {\n return {\n hasRisk: true,\n riskType: 'AWS_CREDENTIALS_DETECTED',\n confidence: 'MEDIUM',\n details: 'AWS credentials detected in environment. Application may have direct KMS signing permissions.',\n remediation: 'Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No AWS credentials detected in environment variables',\n };\n }\n\n /**\n * Check IAM permissions using simulation API (if available)\n */\n private async checkIamSimulation(): Promise<IamPermissionRiskCheckResult> {\n // IAM simulation requires additional permissions and AWS SDK\n // This is best-effort - if simulation fails, we fall back to other checks\n \n try {\n // Try to use AWS SDK v3 if available\n const iamModule = await import('@aws-sdk/client-iam').catch(() => null);\n \n if (!iamModule || !iamModule.IAMClient || !iamModule.SimulatePrincipalPolicyCommand) {\n // AWS SDK not available - skip simulation\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'AWS SDK not available for IAM simulation',\n };\n }\n \n const { IAMClient, SimulatePrincipalPolicyCommand } = iamModule;\n\n // Get current principal ARN (best-effort)\n const principalArn = await this.getCurrentPrincipalArn();\n if (!principalArn) {\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'Could not determine current principal ARN for simulation',\n };\n }\n\n // Try to simulate kms:Sign permission\n const client = new IAMClient({});\n const command = new SimulatePrincipalPolicyCommand({\n PolicySourceArn: principalArn,\n ActionNames: ['kms:Sign'],\n ResourceArns: this.options.kmsKeyIds?.map(id => `arn:aws:kms:*:*:key/${id}`) || ['arn:aws:kms:*:*:key/*'],\n });\n\n const response = await client.send(command).catch(() => null);\n \n if (!response) {\n // Simulation failed (likely due to missing permissions)\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'IAM simulation not available (may require additional permissions)',\n };\n }\n\n // Check if any evaluation result allows kms:Sign\n const allowsSign = response.EvaluationResults?.some(\n (result: any) => result.EvalDecision === 'allowed' || result.EvalDecision === 'explicitAllow'\n );\n\n if (allowsSign) {\n return {\n hasRisk: true,\n riskType: 'DIRECT_KMS_SIGN_PERMISSION',\n confidence: 'HIGH',\n details: `IAM simulation confirms principal ${principalArn} has kms:Sign permission. Direct KMS signing can bypass Gate.`,\n remediation: 'Remove kms:Sign permission from application role. See https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'HIGH',\n details: 'IAM simulation confirms no kms:Sign permission',\n };\n } catch (error) {\n // Simulation failed - fall back to other checks\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: `IAM simulation failed: ${error instanceof Error ? error.message : 'Unknown error'}`,\n };\n }\n }\n\n /**\n * Check environment markers that suggest direct KMS usage\n */\n private checkEnvironmentMarkers(): IamPermissionRiskCheckResult {\n // Check for environment variables that suggest direct KMS usage\n const markers = [\n 'KMS_KEY_ID',\n 'AWS_KMS_KEY_ID',\n 'KMS_KEY_ARN',\n 'AWS_KMS_KEY_ARN',\n ];\n\n const foundMarkers = markers.filter(marker => process.env[marker]);\n\n if (foundMarkers.length > 0) {\n return {\n hasRisk: true,\n riskType: 'ENVIRONMENT_MARKERS',\n confidence: 'LOW',\n details: `Environment markers suggest direct KMS usage: ${foundMarkers.join(', ')}`,\n remediation: 'Review environment variables and ensure KMS access is gated through Gate SDK',\n };\n }\n\n return {\n hasRisk: false,\n confidence: 'LOW',\n details: 'No environment markers suggesting direct KMS usage',\n };\n }\n\n /**\n * Get current principal ARN (best-effort)\n */\n private async getCurrentPrincipalArn(): Promise<string | null> {\n try {\n // Try to get from STS GetCallerIdentity\n const stsModule = await import('@aws-sdk/client-sts').catch(() => null);\n \n if (!stsModule || !stsModule.STSClient || !stsModule.GetCallerIdentityCommand) {\n return null;\n }\n \n const { STSClient, GetCallerIdentityCommand } = stsModule;\n\n const client = new STSClient({});\n const command = new GetCallerIdentityCommand({});\n const response = await client.send(command).catch(() => null);\n \n if (response?.Arn) {\n return response.Arn;\n }\n } catch (error) {\n // Ignore errors - best-effort only\n }\n\n return null;\n }\n\n /**\n * Get highest confidence level from checks\n */\n private getHighestConfidence(checks: IamPermissionRiskCheckResult[]): 'HIGH' | 'MEDIUM' | 'LOW' {\n if (checks.some(c => c.confidence === 'HIGH')) {\n return 'HIGH';\n }\n if (checks.some(c => c.confidence === 'MEDIUM')) {\n return 'MEDIUM';\n }\n return 'LOW';\n }\n\n /**\n * Build error message for HARD mode\n */\n private buildErrorMessage(result: IamPermissionRiskCheckResult): string {\n const parts = [\n '[GATE ERROR] Hard enforcement mode blocked initialization:',\n ` - IAM permission risk: ${result.details}`,\n ` - Risk type: ${result.riskType}`,\n ` - Confidence: ${result.confidence}`,\n ` - Tenant ID: ${this.options.tenantId}`,\n ];\n\n if (this.options.signerId) {\n parts.push(` - Signer ID: ${this.options.signerId}`);\n }\n\n if (this.options.environment) {\n parts.push(` - Environment: ${this.options.environment}`);\n }\n\n if (result.remediation) {\n parts.push(` - Remediation: ${result.remediation}`);\n }\n\n parts.push(' - See: https://docs.blockintelai.com/gate/IAM_HARDENING');\n parts.push(` - Override: Set allowInsecureKmsSignPermission=true (not recommended for production)`);\n\n return parts.join('\\n');\n }\n\n /**\n * Log warning (SOFT mode or override set)\n */\n private logWarning(result: IamPermissionRiskCheckResult): void {\n const logData = {\n level: 'WARN',\n message: 'IAM permission risk detected',\n tenantId: this.options.tenantId,\n signerId: this.options.signerId,\n environment: this.options.environment,\n enforcementMode: this.options.enforcementMode,\n riskType: result.riskType,\n confidence: result.confidence,\n details: result.details,\n remediation: result.remediation,\n documentation: 'https://docs.blockintelai.com/gate/IAM_HARDENING',\n };\n\n // Use console.warn for structured logging\n console.warn('[GATE WARNING]', JSON.stringify(logData, null, 2));\n }\n}\n\n","/**\n * BlockIntel Gate SDK - Gate Client\n * \n * Main client for interacting with Gate Hot Path API.\n */\n\nimport { v4 as uuidv4 } from 'uuid';\nimport { HmacSigner } from '../auth/HmacSigner.js';\nimport { ApiKeyAuth } from '../auth/ApiKeyAuth.js';\nimport { HttpClient } from '../http/HttpClient.js';\nimport { StepUpPoller } from '../stepup/stepup.js';\nimport {\n GateClientConfig,\n DefenseEvaluateRequestV2,\n DefenseEvaluateResponseV2,\n StepUpStatusResponse,\n StepUpFinalResult,\n GateMode,\n ConnectionFailureStrategy,\n EvaluationMode,\n SigningContext,\n AttestCompletedRequest,\n AttestCompletedResponse,\n} from '../types/contracts.js';\nimport {\n GateError,\n GateErrorCode,\n StepUpNotConfiguredError,\n BlockIntelBlockedError,\n BlockIntelUnavailableError,\n BlockIntelAuthError,\n BlockIntelStepUpRequiredError,\n} from '../types/errors.js';\nimport { CircuitBreaker, CircuitBreakerOpenError } from '../circuit/CircuitBreaker.js';\nimport { MetricsCollector } from '../metrics/MetricsCollector.js';\nimport { nowMs } from '../utils/time.js';\nimport { wrapKmsClient, WrapKmsClientOptions, WrappedKmsClient } from '../kms/wrapAwsSdkV3KmsClient.js';\nimport { ProvenanceProvider } from '../provenance/ProvenanceProvider.js';\nimport { buildTxBindingObject, computeTxDigest } from '../utils/txDigest.js';\nimport { HeartbeatManager } from '../heartbeat/HeartbeatManager.js';\nimport { IamPermissionRiskChecker } from '../security/IamPermissionRiskChecker.js';\nimport type { SignerBackend, SignResponse } from '../signer/SignerBackend.js';\n\n/** Default signerId when not set in config or request. Must match between heartbeat token and evaluate request to avoid HEARTBEAT_SIGNER_MISMATCH. */\nconst DEFAULT_SIGNER_ID = 'gate-sdk-client';\n\n/**\n * Gate Client for Hot Path API\n */\nexport class GateClient {\n private readonly config: GateClientConfig;\n private readonly httpClient: HttpClient;\n private readonly hmacSigner?: HmacSigner;\n private readonly apiKeyAuth?: ApiKeyAuth;\n private readonly stepUpPoller?: StepUpPoller;\n private readonly circuitBreaker?: CircuitBreaker;\n private readonly metrics: MetricsCollector;\n private readonly heartbeatManager: HeartbeatManager;\n private readonly mode: GateMode;\n private readonly onConnectionFailure: ConnectionFailureStrategy;\n\n constructor(config: GateClientConfig) {\n this.config = config;\n \n // Determine mode: env var > config > default (SHADOW for safety)\n const envMode = process.env.GATE_MODE as GateMode | undefined;\n this.mode = envMode || config.mode || 'SHADOW';\n \n // Determine connection failure strategy: config > default based on mode\n if (config.onConnectionFailure) {\n this.onConnectionFailure = config.onConnectionFailure;\n } else {\n // Default: FAIL_OPEN in SHADOW mode, FAIL_CLOSED in ENFORCE mode\n this.onConnectionFailure = this.mode === 'SHADOW' ? 'FAIL_OPEN' : 'FAIL_CLOSED';\n }\n\n // Initialize auth\n if (config.auth.mode === 'hmac') {\n this.hmacSigner = new HmacSigner({\n keyId: config.auth.keyId,\n secret: config.auth.secret,\n });\n } else {\n this.apiKeyAuth = new ApiKeyAuth({\n apiKey: config.auth.apiKey,\n });\n }\n\n // Initialize HTTP client (pass debug for sanitized logging when GATE_SDK_DEBUG=1 or config.debug)\n this.httpClient = new HttpClient({\n baseUrl: config.baseUrl,\n timeoutMs: config.timeoutMs,\n userAgent: config.userAgent,\n debug: config.debug,\n });\n\n // Initialize step-up poller if enabled\n if (config.enableStepUp) {\n this.stepUpPoller = new StepUpPoller({\n httpClient: this.httpClient,\n tenantId: config.tenantId,\n pollingIntervalMs: config.stepUp?.pollingIntervalMs,\n maxWaitMs: config.stepUp?.maxWaitMs,\n });\n }\n\n // Initialize circuit breaker if configured\n if (config.circuitBreaker) {\n this.circuitBreaker = new CircuitBreaker(config.circuitBreaker);\n }\n\n // Initialize metrics collector\n this.metrics = new MetricsCollector();\n if (config.onMetrics) {\n this.metrics.registerHook(config.onMetrics);\n }\n\n // Initialize heartbeat manager (skip in local mode)\n if (config.local) {\n console.warn('[GATE CLIENT] LOCAL MODE ENABLED - Auth, heartbeat, and break-glass are disabled');\n // @ts-ignore - heartbeatManager not needed in local mode\n this.heartbeatManager = null;\n } else {\n // Heartbeat API key required for Control Plane (parity with Python GATE_HEARTBEAT_KEY)\n const heartbeatApiKey = config.heartbeatApiKey ?? (typeof process !== 'undefined' ? process.env.GATE_HEARTBEAT_KEY : undefined);\n if (!heartbeatApiKey || heartbeatApiKey.length === 0) {\n throw new Error(\n 'GATE_HEARTBEAT_KEY environment variable or heartbeatApiKey in config is required for heartbeat authentication. ' +\n 'Set GATE_HEARTBEAT_KEY in your environment or pass heartbeatApiKey in GateClientConfig.'\n );\n }\n\n // Use control plane URL for heartbeat (different from hot path baseUrl)\n let controlPlaneUrl = config.baseUrl;\n if (controlPlaneUrl.includes('/defense')) {\n controlPlaneUrl = controlPlaneUrl.split('/defense')[0];\n }\n // Also try to get from config if explicitly set\n if ((config as any).controlPlaneUrl) {\n controlPlaneUrl = (config as any).controlPlaneUrl;\n }\n\n const heartbeatHttpClient = new HttpClient({\n baseUrl: controlPlaneUrl,\n timeoutMs: 5000, // 5s timeout for heartbeat\n userAgent: config.userAgent,\n });\n\n // Initialize heartbeat manager with configured signerId and API key (parity with Python).\n // Default must match evaluate() signingContext fallback so token sid and request signerId align (avoids HEARTBEAT_SIGNER_MISMATCH).\n const initialSignerId = config.signerId ?? DEFAULT_SIGNER_ID;\n this.heartbeatManager = new HeartbeatManager({\n httpClient: heartbeatHttpClient,\n tenantId: config.tenantId,\n signerId: initialSignerId,\n environment: (config as any).environment ?? 'prod',\n refreshIntervalSeconds: config.heartbeatRefreshIntervalSeconds ?? 10,\n apiKey: heartbeatApiKey,\n });\n\n // Start heartbeat refresher (first evaluate() waits up to 2s for token if needed)\n this.heartbeatManager.start();\n\n // Warn if local mode config mismatches server adoption stage (warn-only, non-blocking)\n this.checkAdoptionStageMismatch().catch(() => {});\n }\n\n // Perform IAM permission risk check (skip in local mode)\n if (!config.local) {\n const enforcementMode = config.enforcementMode || 'SOFT';\n const allowInsecureKmsSignPermission = config.allowInsecureKmsSignPermission ?? (enforcementMode === 'SOFT');\n \n const riskChecker = new IamPermissionRiskChecker({\n tenantId: config.tenantId,\n signerId: config.signerId,\n environment: (config as any).environment,\n enforcementMode,\n allowInsecureKmsSignPermission,\n kmsKeyIds: config.kmsKeyIds,\n });\n\n // Perform synchronous risk check first (blocks in HARD mode if risk detected)\n // This ensures HARD mode can block initialization synchronously\n riskChecker.checkSync();\n\n // Perform async IAM simulation check in background (non-blocking)\n // This provides higher confidence detection but doesn't block initialization\n // In HARD mode, if async check finds risk, it will log but won't block (already initialized)\n this.performIamRiskCheckAsync(riskChecker, enforcementMode).catch((error) => {\n // In SOFT mode or if override is set, just log\n if (enforcementMode === 'SOFT' || allowInsecureKmsSignPermission) {\n console.warn('[GATE CLIENT] Async IAM risk check warning:', error instanceof Error ? error.message : String(error));\n } else {\n // In HARD mode without override, log error (initialization already succeeded)\n console.error('[GATE CLIENT] Async IAM risk check found risk after initialization:', error);\n }\n });\n }\n }\n\n /**\n * Whether the SDK requires a decision token for ALLOW before sign (ENFORCE/HARD).\n * Env GATE_REQUIRE_DECISION_TOKEN overrides config.\n */\n getRequireDecisionToken(): boolean {\n if (typeof process !== 'undefined' && process.env.GATE_REQUIRE_DECISION_TOKEN !== undefined) {\n return process.env.GATE_REQUIRE_DECISION_TOKEN === 'true' || process.env.GATE_REQUIRE_DECISION_TOKEN === '1';\n }\n return (\n this.config.requireDecisionToken ??\n (this.mode === 'ENFORCE' || (this.config as any).enforcementMode === 'HARD')\n );\n }\n\n /**\n * Perform async IAM permission risk check (non-blocking)\n * \n * Performs async IAM simulation check in background.\n * Logs warnings but doesn't block (initialization already completed).\n */\n private async performIamRiskCheckAsync(\n riskChecker: IamPermissionRiskChecker,\n enforcementMode: 'SOFT' | 'HARD'\n ): Promise<void> {\n try {\n // This will perform async IAM simulation check\n // Note: checkSync() already ran and blocked if needed in HARD mode\n // This async check provides additional confidence but doesn't block initialization\n await riskChecker.check();\n } catch (error) {\n // Log but don't throw (initialization already succeeded)\n // The sync check already handled blocking in HARD mode\n console.warn('[GATE CLIENT] Async IAM risk check warning:', error instanceof Error ? error.message : String(error));\n }\n }\n\n /**\n * Warn if the local SDK mode is SHADOW but the server's adoption stage is enforcing.\n * Runs non-blocking after heartbeat startup; never throws.\n */\n private async checkAdoptionStageMismatch(): Promise<void> {\n if (!this.heartbeatManager) return;\n const signerId = this.config.signerId ?? DEFAULT_SIGNER_ID;\n try {\n // Wait up to 5 s for the first heartbeat so we can read adoptionStage\n await this.heartbeatManager.getTokenForSigner(signerId, 5000);\n } catch {\n // Token may still not be available — skip the check for now\n return;\n }\n const adoptionStage = this.heartbeatManager.getAdoptionStage();\n if (!adoptionStage) return;\n const ENFORCING_STAGES = [\n 'SOFT_ENFORCE', 'HARD_ENFORCE', 'PROVENANCE',\n 'HARD_KMS_GATEWAY', 'HARD_KMS_ATTESTED',\n 'HARD_KMS_ATTESTED_ENCLAVE', 'HARD_GCP_CONFIDENTIAL_VM',\n ];\n if (this.mode === 'SHADOW' && ENFORCING_STAGES.includes(adoptionStage)) {\n console.warn(\n `[GATE SDK] Server adoption stage is ${adoptionStage} but SDK mode is SHADOW. ` +\n `Consider updating mode to 'ENFORCE' so your application handles blocks correctly. ` +\n `Until updated, the SDK will allow transactions the server would block.`\n );\n }\n }\n\n /**\n * Evaluate a transaction defense request\n *\n * Implements:\n * - Shadow Mode (SHADOW: monitor-only, ENFORCE: enforce decisions)\n * - Connection failure strategy (FAIL_OPEN vs FAIL_CLOSED)\n * - Circuit breaker protection\n * - Fail-safe modes (ALLOW_ON_TIMEOUT, BLOCK_ON_TIMEOUT, BLOCK_ON_ANOMALY)\n * - Metrics collection\n * - Error handling (BLOCK → BlockIntelBlockedError, REQUIRE_STEP_UP → BlockIntelStepUpRequiredError)\n */\n async evaluate(\n req: DefenseEvaluateRequestV2,\n opts?: { requestId?: string }\n ): Promise<DefenseEvaluateResponseV2> {\n const requestId = opts?.requestId ?? uuidv4();\n const timestampMs = req.timestampMs ?? nowMs();\n const startTime = Date.now();\n const failSafeMode = this.config.failSafeMode ?? 'ALLOW_ON_TIMEOUT';\n const evaluationMode: EvaluationMode = (this.config as any).evaluationMode ?? 'BLOCKING';\n\n // Determine mode for this request (request-level override > client-level > default)\n const requestMode: GateMode = (req as any).mode || this.mode;\n const requireToken = this.getRequireDecisionToken();\n\n // Wrap request with circuit breaker if enabled\n const executeRequest = async (): Promise<DefenseEvaluateResponseV2> => {\n // Update heartbeat manager with signerId from signingContext if provided (skip in local mode)\n // Actually we don't need to updateSignerId anymore since getTokenForSigner handles it per-signer\n \n // CRITICAL: Check heartbeat before any policy evaluation (skip in local mode)\n let heartbeatToken: string | null = null;\n if (!this.config.local && this.heartbeatManager) {\n const effectiveSignerId = req.signingContext?.signerId ?? (req.signingContext as any)?.actorPrincipal ?? DEFAULT_SIGNER_ID;\n // Wait up to 2 seconds for heartbeat to be acquired if not available yet\n heartbeatToken = await this.heartbeatManager.getTokenForSigner(effectiveSignerId, 2000);\n }\n\n // Transform txIntent: map 'to' to 'toAddress', add 'networkFamily' if missing\n const txIntent: any = { ...req.txIntent };\n // Map 'to' to 'toAddress' (Hot Path expects toAddress, not to)\n if (txIntent.to && !txIntent.toAddress) {\n txIntent.toAddress = txIntent.to;\n delete txIntent.to; // Remove 'to' to avoid duplicate fields in canonical JSON\n }\n // Infer networkFamily from chainId if not provided\n if (!txIntent.networkFamily && txIntent.chainId) {\n txIntent.networkFamily = 'EVM';\n }\n // Remove 'from' if present (Hot Path doesn't use it in v2 contract)\n if (txIntent.from && !txIntent.fromAddress) {\n delete txIntent.from;\n }\n \n // Hot Path schema requires signingContext.actorPrincipal and signingContext.signerId.\n // Use same default as heartbeat token so token sid and request signerId match.\n const effectiveSignerId = req.signingContext?.signerId ?? req.signingContext?.actorPrincipal ?? DEFAULT_SIGNER_ID;\n const signingContext: any = {\n ...req.signingContext,\n actorPrincipal: req.signingContext?.actorPrincipal ?? req.signingContext?.signerId ?? DEFAULT_SIGNER_ID,\n signerId: effectiveSignerId,\n };\n \n // Only include heartbeatToken if it's valid (not null/undefined)\n // Including null/undefined would change the canonical JSON hash\n if (heartbeatToken) {\n signingContext.heartbeatToken = heartbeatToken;\n }\n\n // Inject provenance from environment if available\n const provenance = ProvenanceProvider.getProvenance();\n if (provenance) {\n signingContext.caller = {\n repo: provenance.repo,\n workflow: provenance.workflow,\n ref: provenance.ref,\n actor: provenance.actor,\n attestation: provenance.attestation,\n };\n }\n \n // Prepare request body (Hot Path expects camelCase at top level; parity with Python: include tenantId in body)\n let body: any = {\n tenantId: this.config.tenantId,\n requestId: requestId,\n timestampMs: timestampMs,\n txIntent: txIntent,\n signingContext: signingContext,\n // Add SDK info (required by Hot Path validation)\n sdk: {\n name: 'gate-sdk',\n version: '0.1.0',\n },\n mode: requestMode,\n onConnectionFailure: this.onConnectionFailure,\n };\n \n // Add simulation flag if requested\n if (req.simulate === true) {\n body.simulate = true;\n }\n \n // Add break-glass token if configured (skip in local mode)\n if (!this.config.local && this.config.breakglassToken) {\n signingContext.breakglassToken = this.config.breakglassToken;\n }\n\n // Prepare headers (skip auth in local mode)\n let headers: Record<string, string> = {};\n \n if (this.config.local) {\n // Local mode: no auth headers, just basic headers\n headers = {\n 'Content-Type': 'application/json',\n };\n console.log('[GATE CLIENT] LOCAL MODE - Skipping authentication');\n } else if (this.hmacSigner) {\n // CRITICAL: For HMAC signing, the body sent in the HTTP request must match\n // the canonical JSON used for signing. The HmacSigner will canonicalize the body\n // internally, so we need to ensure the body we send matches what was canonicalized.\n // We pass the original body to HmacSigner (it will canonicalize it), then use\n // the same canonicalized result for the HTTP request.\n const { canonicalizeJson } = await import('../utils/canonicalJson.js');\n const canonicalBodyJson = canonicalizeJson(body);\n \n const hmacHeaders = await this.hmacSigner.signRequest({\n method: 'POST',\n path: '/defense/evaluate',\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n body, // Pass original body - HmacSigner will canonicalize it internally\n });\n headers = { ...hmacHeaders };\n \n // CRITICAL: Use the canonical JSON string directly for HTTP request\n // This ensures the exact same string is sent that was used for signing\n (body as any).__canonicalJson = canonicalBodyJson;\n } else if (this.apiKeyAuth) {\n const apiKeyHeaders = this.apiKeyAuth.createHeaders({\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n });\n headers = { ...apiKeyHeaders };\n } else {\n throw new Error('No authentication configured');\n }\n\n // Make request (API returns { success: true, data: { ... } } format)\n const apiResponse = await this.httpClient.request<{\n success: boolean;\n data?: DefenseEvaluateResponseV2 & {\n reason_codes?: string[];\n policy_version?: string;\n correlation_id?: string;\n step_up?: {\n request_id?: string;\n ttl_seconds?: number;\n expires_at_ms?: number;\n };\n };\n error?: any;\n }>({\n method: 'POST',\n path: '/defense/evaluate',\n headers,\n body,\n requestId,\n });\n\n // Extract data from wrapped response (Hot Path returns { success: true, data: { ... } })\n // Fallback: if response is not wrapped, use it directly (for backward compatibility)\n let responseData: any;\n if (apiResponse.success === true && apiResponse.data) {\n // Wrapped format: { success: true, data: { ... } }\n responseData = apiResponse.data;\n } else if (apiResponse.success === false && apiResponse.error) {\n // Error format: { success: false, error: { ... } }\n const error = apiResponse.error;\n throw new GateError(\n error.code as GateErrorCode || GateErrorCode.SERVER_ERROR,\n error.message || 'Request failed',\n {\n status: error.status,\n correlationId: error.correlationId,\n requestId,\n details: error,\n }\n );\n } else if ((apiResponse as any).decision) {\n // Unwrapped format: { decision: ..., reasonCodes: ..., ... } (backward compatibility)\n responseData = apiResponse as any;\n } else {\n throw new GateError(\n GateErrorCode.INVALID_RESPONSE,\n 'Invalid response format: expected { success: true, data: { ... } } or unwrapped response',\n {\n requestId,\n details: apiResponse,\n }\n );\n }\n\n // Extract simulation results from metadata if present\n const metadata = responseData.metadata || {};\n const simulationData = metadata.simulation;\n \n // Convert snake_case to camelCase if needed\n const result: DefenseEvaluateResponseV2 = {\n decision: responseData.decision as 'ALLOW' | 'BLOCK' | 'REQUIRE_STEP_UP',\n reasonCodes: responseData.reason_codes ?? responseData.reasonCodes ?? [],\n policyVersion: responseData.policy_version ?? responseData.policyVersion,\n correlationId: responseData.correlation_id ?? responseData.correlationId,\n decisionId: responseData.decision_id ?? responseData.decisionId,\n decisionToken: responseData.decision_token ?? responseData.decisionToken,\n expiresAt: responseData.expires_at ?? responseData.expiresAt,\n txDigest: responseData.tx_digest ?? responseData.txDigest,\n stepUp: responseData.step_up\n ? {\n requestId: responseData.step_up.request_id ?? (responseData.stepUp?.requestId ?? ''),\n ttlSeconds: responseData.step_up.ttl_seconds ?? responseData.stepUp?.ttlSeconds,\n }\n : responseData.stepUp,\n enforced: responseData.enforced ?? (requestMode === 'ENFORCE'),\n shadowWouldBlock: responseData.shadow_would_block ?? responseData.shadowWouldBlock ?? false,\n mode: responseData.mode ?? requestMode,\n receipt: responseData.receipt,\n decisionHash: responseData.decision_hash ?? responseData.decisionHash,\n receiptSignature: responseData.receipt_signature ?? responseData.receiptSignature,\n ...(simulationData ? {\n simulation: {\n willRevert: simulationData.willRevert ?? simulationData.will_revert ?? false,\n gasUsed: simulationData.gasUsed ?? simulationData.gas_used,\n balanceChanges: simulationData.balanceChanges ?? simulationData.balance_changes,\n errorReason: simulationData.errorReason ?? simulationData.error_reason,\n },\n simulationLatencyMs: metadata.simulationLatencyMs ?? metadata.simulation_latency_ms,\n } : {}),\n metadata: {\n evaluationLatencyMs: metadata.evaluationLatencyMs ?? metadata.evaluation_latency_ms,\n policyHash: metadata.policyHash ?? metadata.policy_hash,\n snapshotVersion: metadata.snapshotVersion ?? metadata.snapshot_version,\n },\n };\n\n const latencyMs = Date.now() - startTime;\n\n // Policy pinning: if expectedPolicyHash or expectedSnapshotVersion set, treat mismatch as BLOCK locally\n const expectedPolicyHash = this.config.expectedPolicyHash;\n const expectedSnapshotVersion = this.config.expectedSnapshotVersion;\n if (expectedPolicyHash != null && result.metadata?.policyHash !== expectedPolicyHash) {\n if (this.config.debug) {\n console.warn('[GATE SDK] Policy hash mismatch (pinning)', {\n expected: expectedPolicyHash,\n received: result.metadata?.policyHash,\n requestId,\n });\n }\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'POLICY_HASH_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n if (expectedSnapshotVersion != null && result.metadata?.snapshotVersion !== undefined && result.metadata.snapshotVersion !== expectedSnapshotVersion) {\n if (this.config.debug) {\n console.warn('[GATE SDK] Snapshot version mismatch (pinning)', {\n expected: expectedSnapshotVersion,\n received: result.metadata?.snapshotVersion,\n requestId,\n });\n }\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'SNAPSHOT_VERSION_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n\n // ENFORCE + requireDecisionToken: ALLOW must include decisionToken/txDigest and valid expiry\n if (\n requireToken &&\n requestMode === 'ENFORCE' &&\n result.decision === 'ALLOW' &&\n !this.config.local\n ) {\n if (!result.decisionToken || !result.txDigest) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_MISSING',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n const nowSec = Math.floor(Date.now() / 1000);\n if (result.expiresAt != null && result.expiresAt < nowSec - 5) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_EXPIRED',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n // Optional: verify RS256 token signature when public key is configured (only for RS256 tokens)\n const publicKeyPem = this.config.decisionTokenPublicKey;\n if (publicKeyPem && result.decisionToken) {\n const { decodeJwtUnsafe, verifyDecisionTokenRs256 } = await import('../utils/decisionTokenVerify.js');\n const decoded = decodeJwtUnsafe(result.decisionToken);\n if (decoded && (decoded.header.alg || '').toUpperCase() === 'RS256') {\n const resolvedPem = publicKeyPem.startsWith('-----') ? publicKeyPem : Buffer.from(publicKeyPem, 'base64').toString('utf8');\n const verified = verifyDecisionTokenRs256(result.decisionToken, resolvedPem);\n if (verified === null) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_INVALID',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n }\n }\n // Verify digest matches this request (binding decision to exact tx)\n const signerId = signingContext?.signerId ?? req.signingContext?.signerId;\n const fromAddress = (txIntent as any).fromAddress ?? (txIntent as any).from;\n const binding = buildTxBindingObject(txIntent, signerId, undefined, undefined, fromAddress);\n const computedDigest = computeTxDigest(binding);\n if (computedDigest !== result.txDigest) {\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(\n 'DECISION_TOKEN_DIGEST_MISMATCH',\n result.decisionId ?? requestId,\n result.correlationId,\n requestId\n );\n }\n }\n\n // Handle decision types\n if (result.decision === 'BLOCK') {\n // Use server's effective mode so stage changes in the UI take effect immediately\n // without requiring an SDK config change.\n const effectiveMode = result.mode ?? requestMode;\n // In SOFT_ENFORCE mode: return BLOCK decision but let app override (no throw)\n if (effectiveMode === 'SOFT_ENFORCE') {\n console.warn('[SOFT ENFORCE] Policy violation detected - app can override', {\n requestId,\n reasonCodes: result.reasonCodes,\n });\n this.metrics.recordRequest('BLOCK', latencyMs);\n return {\n ...result,\n decision: 'BLOCK',\n enforced: false,\n mode: 'SOFT_ENFORCE',\n warning: 'Policy violation detected. Override at your own risk.',\n };\n }\n // In SHADOW mode, log but don't throw - always allow\n if (effectiveMode === 'SHADOW') {\n // Log shadow block event\n console.warn('[GATE SHADOW MODE] Would have blocked transaction', {\n requestId,\n reasonCodes: result.reasonCodes,\n correlationId: result.correlationId,\n tenantId: this.config.tenantId,\n signerId: req.signingContext?.signerId,\n });\n \n // Record metrics (always, not just when onMetrics hook is set)\n this.metrics.recordRequest('WOULD_BLOCK', latencyMs);\n \n // Return ALLOW with shadowWouldBlock flag\n return {\n ...result,\n decision: 'ALLOW',\n enforced: false,\n shadowWouldBlock: true,\n };\n }\n \n // ENFORCE mode: BLOCK → throw BlockIntelBlockedError\n const receiptId = (responseData as any).decision_id || requestId;\n const reasonCode = result.reasonCodes[0] || 'POLICY_VIOLATION';\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);\n }\n\n if (result.decision === 'REQUIRE_STEP_UP') {\n // REQUIRE_STEP_UP handling\n if (this.config.enableStepUp && this.stepUpPoller && result.stepUp) {\n // Step-up is enabled - throw BlockIntelStepUpRequiredError\n const stepUpRequestId = result.stepUp.requestId || requestId;\n const expiresAtMs = (responseData.step_up as any)?.expires_at_ms;\n const statusUrl = `/defense/stepup/status?tenantId=${this.config.tenantId}&requestId=${stepUpRequestId}`;\n this.metrics.recordRequest('REQUIRE_STEP_UP', latencyMs);\n throw new BlockIntelStepUpRequiredError(stepUpRequestId, statusUrl, expiresAtMs, requestId);\n } else {\n // Step-up not enabled - treat as BLOCK\n const receiptId = (responseData as any).decision_id || requestId;\n const reasonCode = 'STEPUP_REQUIRED';\n this.metrics.recordRequest('BLOCK', latencyMs);\n throw new BlockIntelBlockedError(reasonCode, receiptId, result.correlationId, requestId);\n }\n }\n\n // ALLOW - record metrics and return\n this.metrics.recordRequest('ALLOW', latencyMs);\n return result;\n };\n\n // Fire-and-forget: return immediately with optimistic ALLOW, attest in background\n if (evaluationMode === 'FIRE_AND_FORGET') {\n executeRequest()\n .then((res) => {\n if (res.decision === 'BLOCK' || res.shadowWouldBlock) {\n console.warn('[FIRE-AND-FORGET] Would have blocked:', res.reasonCodes);\n }\n this.metrics.recordRequest(res.decision === 'ALLOW' ? 'ALLOW' : 'WOULD_BLOCK', Date.now() - startTime);\n })\n .catch((err) => {\n console.error('[FIRE-AND-FORGET] Attestation failed:', err);\n this.metrics.recordError();\n });\n return {\n decision: 'ALLOW',\n decisionId: requestId,\n correlationId: requestId,\n reasonCodes: [],\n enforced: false,\n mode: requestMode,\n fireAndForget: true,\n };\n }\n\n // Execute with circuit breaker if enabled\n try {\n if (this.circuitBreaker) {\n return await this.circuitBreaker.execute(executeRequest);\n }\n return await executeRequest();\n } catch (error: any) {\n const latencyMs = Date.now() - startTime;\n\n // Handle circuit breaker open\n if (error instanceof CircuitBreakerOpenError) {\n this.metrics.recordCircuitBreakerOpen();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw error;\n }\n\n // Handle auth failures (401/403) - always fail CLOSED (BLOCK)\n if (error instanceof GateError && (error.code === GateErrorCode.UNAUTHORIZED || error.code === GateErrorCode.FORBIDDEN)) {\n this.metrics.recordError();\n throw new BlockIntelAuthError(\n error.message,\n error.status || 401,\n requestId\n );\n }\n\n // Handle connection failures (timeout, network errors, 5xx)\n const isConnectionFailure = \n (error instanceof GateError && (error.code === GateErrorCode.TIMEOUT || error.code === GateErrorCode.SERVER_ERROR)) ||\n error instanceof BlockIntelUnavailableError ||\n (error as any)?.code === 'ECONNREFUSED' ||\n (error as any)?.code === 'ENOTFOUND' ||\n (error as any)?.code === 'ETIMEDOUT';\n \n if (isConnectionFailure) {\n this.metrics.recordTimeout();\n\n // Apply connection failure strategy\n if (this.onConnectionFailure === 'FAIL_OPEN') {\n // FAIL_OPEN: Allow transaction, log critical event. Degraded (logs/telemetry only; never in HTTP request).\n console.error('[GATE CONNECTION FAILURE] FAIL_OPEN mode - allowing transaction', {\n requestId,\n error: error.message,\n tenantId: this.config.tenantId,\n mode: requestMode,\n });\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_open)');\n\n // Emit structured log for monitoring\n this.metrics.recordRequest('FAIL_OPEN', Date.now() - startTime);\n\n return {\n decision: 'ALLOW',\n reasonCodes: ['GATE_HOTPATH_UNAVAILABLE'],\n correlationId: requestId,\n enforced: false,\n mode: requestMode,\n };\n } else {\n // FAIL_CLOSED: Block transaction\n throw new BlockIntelUnavailableError(\n `Signing blocked: Gate hot path unreachable (fail-closed). ${error.message}`,\n requestId\n );\n }\n }\n\n // Handle timeout errors (legacy - for non-connection-failure timeouts)\n if (error instanceof GateError && error.code === GateErrorCode.TIMEOUT) {\n this.metrics.recordTimeout();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw new BlockIntelUnavailableError(`Service timeout: ${error.message}`, requestId);\n }\n\n // Handle 5xx server errors - treat as timeout bucket for fail-safe\n if (error instanceof GateError && error.code === GateErrorCode.SERVER_ERROR) {\n this.metrics.recordError();\n const failSafeResult = this.handleFailSafe(failSafeMode, error, requestId);\n if (failSafeResult) {\n return failSafeResult;\n }\n throw error;\n }\n\n // 429 RATE_LIMITED: log degraded, then re-throw\n if (error instanceof GateError && error.code === GateErrorCode.RATE_LIMITED) {\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: 429)');\n throw error;\n }\n\n // Re-throw BlockIntelBlockedError and BlockIntelStepUpRequiredError as-is\n if (error instanceof BlockIntelBlockedError || error instanceof BlockIntelStepUpRequiredError) {\n throw error;\n }\n\n // Other errors - record and re-throw\n this.metrics.recordError();\n throw error;\n }\n }\n\n /**\n * Handle fail-safe modes for timeouts/errors\n */\n private handleFailSafe(\n mode: 'ALLOW_ON_TIMEOUT' | 'BLOCK_ON_TIMEOUT' | 'BLOCK_ON_ANOMALY',\n error: Error,\n requestId: string\n ): DefenseEvaluateResponseV2 | null {\n if (mode === 'ALLOW_ON_TIMEOUT') {\n // Trading bots: ALLOW on timeout with degraded flag (logs/telemetry only; never in HTTP request)\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)');\n return {\n decision: 'ALLOW',\n reasonCodes: ['FAIL_SAFE_ALLOW'],\n correlationId: requestId,\n };\n }\n\n if (mode === 'BLOCK_ON_TIMEOUT') {\n // Fail CLOSED - don't return, let error propagate\n return null;\n }\n\n if (mode === 'BLOCK_ON_ANOMALY') {\n // BLOCK only on explicit BLOCK/REQUIRE_STEP_UP decisions, not network hiccups\n // On timeout: ALLOW gracefully (logs/telemetry only; never in HTTP request)\n console.warn('[GATE SDK] X-BlockIntel-Degraded: true (reason: fail_safe_allow)');\n return {\n decision: 'ALLOW',\n reasonCodes: ['FAIL_SAFE_ALLOW'],\n correlationId: requestId,\n };\n }\n\n return null;\n }\n\n /**\n * Get current metrics\n */\n getMetrics(): ReturnType<MetricsCollector['getMetrics']> {\n return this.metrics.getMetrics();\n }\n\n /**\n * Get circuit breaker metrics (if enabled)\n */\n getCircuitBreakerMetrics(): ReturnType<CircuitBreaker['getMetrics']> | null {\n return this.circuitBreaker?.getMetrics() || null;\n }\n\n /**\n * Get step-up status\n */\n async getStepUpStatus(args: {\n requestId: string;\n tenantId?: string;\n }): Promise<StepUpStatusResponse> {\n if (!this.stepUpPoller) {\n throw new StepUpNotConfiguredError(args.requestId);\n }\n\n const tenantId = args.tenantId ?? this.config.tenantId;\n const poller = new StepUpPoller({\n httpClient: this.httpClient,\n tenantId,\n pollingIntervalMs: this.config.stepUp?.pollingIntervalMs,\n maxWaitMs: this.config.stepUp?.maxWaitMs,\n });\n\n return poller.getStatus(args.requestId);\n }\n\n /**\n * Wait for step-up decision with polling\n */\n async awaitStepUpDecision(args: {\n requestId: string;\n maxWaitMs?: number;\n intervalMs?: number;\n }): Promise<StepUpFinalResult> {\n if (!this.stepUpPoller) {\n throw new StepUpNotConfiguredError(args.requestId);\n }\n\n return this.stepUpPoller.awaitDecision(args.requestId, {\n maxWaitMs: args.maxWaitMs ?? this.config.stepUp?.maxWaitMs,\n intervalMs: args.intervalMs ?? this.config.stepUp?.pollingIntervalMs,\n });\n }\n\n /**\n * Evaluate policy and sign in one call when decision is ALLOW.\n * Convenience for: evaluate → if ALLOW then sign → return { decision, signature }.\n */\n async evaluateAndSign(params: {\n txIntent: DefenseEvaluateRequestV2['txIntent'];\n signer: SignerBackend;\n keyId: string;\n message: Buffer | Uint8Array;\n algorithm?: string;\n signingContext?: SigningContext;\n }): Promise<{ decision: DefenseEvaluateResponseV2; signature?: SignResponse }> {\n const decision = await this.evaluate({\n txIntent: params.txIntent,\n signingContext: params.signingContext,\n });\n if (decision.decision === 'ALLOW') {\n const signature = await params.signer.sign({\n keyId: params.keyId,\n message: params.message,\n algorithm: params.algorithm ?? 'ECDSA_SHA_256',\n });\n return { decision, signature };\n }\n return { decision };\n }\n\n /**\n * Attest a completed signature (post-sign). Use when you want zero latency impact on signing\n * but still want an audit trail. Policy is evaluated against txIntent; returns ALLOW or\n * POLICY_VIOLATION_DETECTED. Cannot be used for enforcement (signature already created).\n */\n async attestCompleted(req: AttestCompletedRequest): Promise<AttestCompletedResponse> {\n const requestId = uuidv4();\n const timestampMs = nowMs();\n const txIntent: any = { ...req.txIntent };\n if (txIntent.to && !txIntent.toAddress) {\n txIntent.toAddress = txIntent.to;\n delete txIntent.to;\n }\n if (!txIntent.networkFamily && txIntent.chainId) txIntent.networkFamily = 'EVM';\n const signingContext = {\n ...req.signingContext,\n signerId: req.signingContext?.signerId ?? req.signature.signerId,\n };\n const body = {\n tenantId: this.config.tenantId,\n requestId,\n timestampMs,\n txIntent,\n signature: req.signature,\n signingContext,\n };\n let headers: Record<string, string> = { 'Content-Type': 'application/json' };\n if (this.config.local) {\n // no auth\n } else if (this.hmacSigner) {\n const { canonicalizeJson } = await import('../utils/canonicalJson.js');\n const canonicalBodyJson = canonicalizeJson(body);\n const hmacHeaders = await this.hmacSigner.signRequest({\n method: 'POST',\n path: '/defense/attest-completed',\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n body,\n });\n headers = { ...hmacHeaders };\n (body as any).__canonicalJson = canonicalBodyJson;\n } else if (this.apiKeyAuth) {\n const apiKeyHeaders = this.apiKeyAuth.createHeaders({\n tenantId: this.config.tenantId,\n timestampMs,\n requestId,\n });\n headers = { ...apiKeyHeaders };\n } else {\n throw new Error('No authentication configured');\n }\n const apiResponse = await this.httpClient.request<{ success: boolean; data?: AttestCompletedResponse; error?: any }>({\n method: 'POST',\n path: '/defense/attest-completed',\n headers,\n body,\n requestId,\n });\n if (apiResponse.success === true && (apiResponse as any).data) {\n const data = (apiResponse as any).data as AttestCompletedResponse;\n if (data.decision === 'POLICY_VIOLATION_DETECTED') {\n console.warn('[POST-SIGN ATTESTATION] Policy violation detected after signing', {\n requestId,\n reasonCodes: data.reasonCodes,\n });\n }\n return data;\n }\n if ((apiResponse as any).error) {\n const err = (apiResponse as any).error;\n throw new GateError(err.code || 'SERVER_ERROR', err.message || 'Request failed', {\n status: err.status,\n correlationId: err.correlationId,\n requestId,\n });\n }\n throw new GateError(GateErrorCode.INVALID_RESPONSE, 'Invalid response from attest-completed', { requestId });\n }\n\n /**\n * Wrap AWS SDK v3 KMS client to intercept SignCommand calls\n * \n * @param kmsClient - AWS SDK v3 KMSClient instance\n * @param options - Wrapper options\n * @returns Wrapped KMS client that enforces Gate policies\n * \n * @example\n * ```typescript\n * import { KMSClient } from '@aws-sdk/client-kms';\n * \n * const kms = new KMSClient({});\n * const protectedKms = gateClient.wrapKmsClient(kms);\n * \n * // Now SignCommand calls will be intercepted and evaluated by Gate\n * const result = await protectedKms.send(new SignCommand({ ... }));\n * ```\n */\n wrapKmsClient<T extends typeof import('@aws-sdk/client-kms').KMSClient>(\n kmsClient: InstanceType<T>,\n options?: WrapKmsClientOptions\n ): WrappedKmsClient {\n return wrapKmsClient(kmsClient as any, this, options);\n }\n}\n\n/**\n * Create a Gate client instance\n */\nexport function createGateClient(config: GateClientConfig): GateClient {\n return new GateClient(config);\n}\n\n","/**\n * Gate - Simplified API for Nexus-style injection and 5-line integration\n *\n * - Gate.fromEnv(): Create a GateClient from env vars (GATE_BASE_URL, GATE_TENANT_ID,\n * GATE_API_KEY or GATE_KEY_ID+GATE_HMAC_SECRET, GATE_MODE). Enables true 5-line integration.\n * - new Gate({ apiKey }): Passthrough guard for Nexus-injected code.\n *\n * For full policy evaluation, use GateClient.evaluate() with tx params before sending.\n */\nimport type { GateClientConfig, GateMode } from '../types/contracts.js';\nimport { GateClient } from './GateClient.js';\n\nexport class Gate {\n private readonly apiKey?: string;\n\n constructor(opts?: { apiKey?: string }) {\n this.apiKey = opts?.apiKey ?? process.env.BLOCKINTEL_API_KEY;\n }\n\n /**\n * Create a GateClient from environment variables (5-line integration).\n *\n * Reads: GATE_BASE_URL, GATE_TENANT_ID, GATE_API_KEY (or GATE_KEY_ID + GATE_HMAC_SECRET), GATE_MODE.\n */\n static fromEnv(overrides?: Partial<GateClientConfig>): GateClient {\n const baseUrl = process.env.GATE_BASE_URL;\n const tenantId = process.env.GATE_TENANT_ID;\n const apiKey = process.env.GATE_API_KEY;\n const keyId = process.env.GATE_KEY_ID;\n const hmacSecret = process.env.GATE_HMAC_SECRET;\n const mode = (process.env.GATE_MODE as GateMode | undefined) ?? 'SHADOW';\n\n if (!baseUrl || !tenantId) {\n throw new Error('GATE_BASE_URL and GATE_TENANT_ID environment variables are required');\n }\n\n let auth: GateClientConfig['auth'];\n if (apiKey) {\n auth = { mode: 'apiKey', apiKey };\n } else if (keyId && hmacSecret) {\n auth = { mode: 'hmac', keyId, secret: hmacSecret };\n } else {\n throw new Error(\n 'Either GATE_API_KEY or (GATE_KEY_ID and GATE_HMAC_SECRET) environment variables are required'\n );\n }\n\n return new GateClient({\n baseUrl,\n tenantId,\n auth,\n mode,\n ...overrides,\n });\n }\n\n /**\n * Guard a signing operation. In passthrough mode, executes the callback.\n * For full Gate integration, use GateClient with evaluate() before sending.\n */\n async guard<T>(\n _ctx: { requestId: string; reason: string },\n cb: () => Promise<T>\n ): Promise<T> {\n return cb();\n }\n}\n","/**\n * AWS KMS Signer Backend\n * \n * Implements SignerBackend for AWS KMS using AWS SDK v3\n */\n\nimport { KMSClient, SignCommand, SignCommandInput, SigningAlgorithmSpec } from '@aws-sdk/client-kms';\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\nexport interface AwsKmsSignerConfig {\n /**\n * AWS KMS client instance\n */\n kmsClient: KMSClient;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: SigningAlgorithmSpec;\n \n /**\n * Default message type (if not specified in request)\n */\n defaultMessageType?: 'RAW' | 'DIGEST';\n}\n\n/**\n * AWS KMS Signer Backend\n */\nexport class AwsKmsSigner implements SignerBackend {\n private readonly config: AwsKmsSignerConfig;\n\n constructor(config: AwsKmsSignerConfig) {\n this.config = config;\n }\n\n getName(): string {\n return 'AWS KMS';\n }\n\n isAvailable(): boolean {\n return !!this.config.kmsClient;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('AWS KMS client not configured');\n }\n\n // Map algorithm to AWS KMS SigningAlgorithmSpec\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'ECDSA_SHA_256');\n \n // Prepare SignCommand input\n const signInput: SignCommandInput = {\n KeyId: request.keyId,\n Message: Buffer.from(request.message),\n MessageType: (request.messageType || this.config.defaultMessageType || 'RAW') as 'RAW' | 'DIGEST',\n SigningAlgorithm: algorithm,\n };\n\n // Execute sign command\n const command = new SignCommand(signInput);\n const response = await this.config.kmsClient.send(command);\n\n if (!response.Signature) {\n throw new Error('AWS KMS sign response missing signature');\n }\n\n return {\n signature: Buffer.from(response.Signature),\n keyId: response.KeyId || request.keyId,\n algorithm: response.SigningAlgorithm || algorithm,\n metadata: {\n keyId: response.KeyId,\n signingAlgorithm: response.SigningAlgorithm,\n },\n };\n }\n\n /**\n * Map algorithm string to AWS KMS SigningAlgorithmSpec\n */\n private mapAlgorithm(algorithm: string | SigningAlgorithmSpec): SigningAlgorithmSpec {\n // If already a SigningAlgorithmSpec, return as-is\n if (Object.values(SigningAlgorithmSpec).includes(algorithm as SigningAlgorithmSpec)) {\n return algorithm as SigningAlgorithmSpec;\n }\n\n // Map common algorithm names to AWS KMS specs\n const algorithmMap: Record<string, SigningAlgorithmSpec> = {\n 'ECDSA_SHA_256': SigningAlgorithmSpec.ECDSA_SHA_256,\n 'ECDSA_SHA_384': SigningAlgorithmSpec.ECDSA_SHA_384,\n 'ECDSA_SHA_512': SigningAlgorithmSpec.ECDSA_SHA_512,\n 'RSASSA_PSS_SHA_256': SigningAlgorithmSpec.RSASSA_PSS_SHA_256,\n 'RSASSA_PSS_SHA_384': SigningAlgorithmSpec.RSASSA_PSS_SHA_384,\n 'RSASSA_PSS_SHA_512': SigningAlgorithmSpec.RSASSA_PSS_SHA_512,\n 'RSASSA_PKCS1_V1_5_SHA_256': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_256,\n 'RSASSA_PKCS1_V1_5_SHA_384': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_384,\n 'RSASSA_PKCS1_V1_5_SHA_512': SigningAlgorithmSpec.RSASSA_PKCS1_V1_5_SHA_512,\n };\n\n return algorithmMap[algorithm.toUpperCase()] || SigningAlgorithmSpec.ECDSA_SHA_256;\n }\n}\n\n","/**\n * HashiCorp Vault Signer Backend\n * \n * Implements SignerBackend for HashiCorp Vault Transit Engine\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\ninterface VaultSignResponse {\n data: {\n signature: string;\n key_version?: number;\n };\n}\n\ninterface VaultAuthResponse {\n auth: {\n client_token: string;\n };\n}\n\nexport interface VaultSignerConfig {\n /**\n * Vault API base URL (e.g., 'https://vault.example.com:8200')\n */\n vaultUrl: string;\n \n /**\n * Vault authentication token\n */\n token?: string;\n \n /**\n * Vault AppRole authentication (alternative to token)\n */\n appRole?: {\n roleId: string;\n secretId: string;\n };\n \n /**\n * Transit engine mount path (default: 'transit')\n */\n mountPath?: string;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: string;\n \n /**\n * HTTP client options (timeout, etc.)\n */\n httpOptions?: {\n timeout?: number;\n };\n}\n\n/**\n * HashiCorp Vault Signer Backend\n */\nexport class VaultSigner implements SignerBackend {\n private readonly config: Required<Pick<VaultSignerConfig, 'vaultUrl' | 'mountPath'>> & VaultSignerConfig;\n private authToken: string | null = null;\n\n constructor(config: VaultSignerConfig) {\n this.config = {\n mountPath: 'transit',\n ...config,\n };\n }\n\n getName(): string {\n return 'HashiCorp Vault';\n }\n\n isAvailable(): boolean {\n return !!this.config.vaultUrl && (!!this.config.token || !!this.config.appRole);\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('Vault signer not configured');\n }\n\n // Authenticate if needed (AppRole)\n if (!this.authToken && this.config.appRole) {\n await this.authenticateAppRole();\n }\n\n const token = this.config.token || this.authToken;\n if (!token) {\n throw new Error('Vault authentication token not available');\n }\n\n // Map algorithm to Vault format\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'ecdsa-sha2-256');\n \n // Vault Transit Engine sign endpoint\n const url = `${this.config.vaultUrl}/v1/${this.config.mountPath}/sign/${request.keyId}`;\n \n // Base64 encode message\n const messageBase64 = Buffer.from(request.message).toString('base64');\n\n const requestBody = {\n input: messageBase64,\n ...(algorithm && { algorithm }),\n ...(request.options || {}),\n };\n\n const timeout = this.config.httpOptions?.timeout || 5000;\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeout);\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'X-Vault-Token': token,\n },\n body: JSON.stringify(requestBody),\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`Vault sign failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as VaultSignResponse;\n\n if (!data.data || !data.data.signature) {\n throw new Error('Vault sign response missing signature');\n }\n\n // Vault returns signature in format: vault:v1:base64signature\n // Extract the base64 signature\n const signatureParts = data.data.signature.split(':');\n const signatureBase64 = signatureParts[signatureParts.length - 1];\n const signature = Buffer.from(signatureBase64, 'base64');\n\n return {\n signature,\n keyId: request.keyId,\n algorithm,\n metadata: {\n vaultSignature: data.data.signature,\n keyVersion: data.data.key_version,\n },\n };\n } catch (error: any) {\n clearTimeout(timeoutId);\n \n if (error.name === 'AbortError') {\n throw new Error('Vault sign request timeout');\n }\n \n throw error;\n }\n }\n\n /**\n * Authenticate using AppRole\n */\n private async authenticateAppRole(): Promise<void> {\n if (!this.config.appRole) {\n throw new Error('AppRole not configured');\n }\n\n const url = `${this.config.vaultUrl}/v1/auth/approle/login`;\n \n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify({\n role_id: this.config.appRole.roleId,\n secret_id: this.config.appRole.secretId,\n }),\n });\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`Vault AppRole authentication failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as VaultAuthResponse;\n \n if (!data.auth || !data.auth.client_token) {\n throw new Error('Vault AppRole authentication response missing token');\n }\n\n this.authToken = data.auth.client_token;\n }\n\n /**\n * Map algorithm string to Vault format\n */\n private mapAlgorithm(algorithm: string): string {\n const algorithmMap: Record<string, string> = {\n 'ECDSA_SHA_256': 'ecdsa-sha2-256',\n 'ECDSA_SHA_384': 'ecdsa-sha2-384',\n 'ECDSA_SHA_512': 'ecdsa-sha2-512',\n 'RSASSA_PSS_SHA_256': 'rsa-sha2-256',\n 'RSASSA_PSS_SHA_384': 'rsa-sha2-384',\n 'RSASSA_PSS_SHA_512': 'rsa-sha2-512',\n };\n\n // If already in Vault format, return as-is\n if (algorithm.startsWith('ecdsa-') || algorithm.startsWith('rsa-')) {\n return algorithm;\n }\n\n return algorithmMap[algorithm.toUpperCase()] || 'ecdsa-sha2-256';\n }\n}\n\n","/**\n * Google Cloud KMS Signer Backend\n * \n * Implements SignerBackend for Google Cloud KMS\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend';\n\ninterface GcpKmsSignResponse {\n signature: string;\n name?: string;\n verifiedDigestCrc32c?: boolean;\n}\n\ninterface GcpKmsTokenResponse {\n access_token: string;\n expires_in: number;\n}\n\nexport interface GcpKmsSignerConfig {\n /**\n * GCP project ID\n */\n projectId: string;\n \n /**\n * GCP location (e.g., 'us-east1', 'global')\n */\n location: string;\n \n /**\n * Key ring name\n */\n keyRing: string;\n \n /**\n * Service account credentials (JSON key file content or path)\n */\n credentials?: string | {\n client_email: string;\n private_key: string;\n };\n \n /**\n * Use workload identity (default: false)\n * When true, uses GCP metadata service for authentication\n */\n useWorkloadIdentity?: boolean;\n \n /**\n * Default signing algorithm (if not specified in request)\n */\n defaultAlgorithm?: string;\n \n /**\n * HTTP client options (timeout, etc.)\n */\n httpOptions?: {\n timeout?: number;\n };\n}\n\n/**\n * Google Cloud KMS Signer Backend\n */\nexport class GcpKmsSigner implements SignerBackend {\n private readonly config: Required<Pick<GcpKmsSignerConfig, 'useWorkloadIdentity'>> & GcpKmsSignerConfig;\n private accessToken: string | null = null;\n private tokenExpiry: number = 0;\n\n constructor(config: GcpKmsSignerConfig) {\n this.config = {\n useWorkloadIdentity: false,\n ...config,\n };\n }\n\n getName(): string {\n return 'Google Cloud KMS';\n }\n\n isAvailable(): boolean {\n if (this.config.useWorkloadIdentity) {\n return true; // Workload identity always available in GCP environment\n }\n return !!this.config.credentials && !!this.config.projectId;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('GCP KMS signer not configured');\n }\n\n // Get access token\n const accessToken = await this.getAccessToken();\n \n // Map algorithm to GCP format\n const algorithm = this.mapAlgorithm(request.algorithm || this.config.defaultAlgorithm || 'EC_SIGN_P256_SHA256');\n \n // Build key resource name\n // Format: projects/{project}/locations/{location}/keyRings/{keyRing}/cryptoKeys/{keyName}\n const keyName = request.keyId.includes('/') \n ? request.keyId \n : `projects/${this.config.projectId}/locations/${this.config.location}/keyRings/${this.config.keyRing}/cryptoKeys/${request.keyId}`;\n \n // GCP KMS API endpoint\n const url = `https://cloudkms.googleapis.com/v1/${keyName}:asymmetricSign`;\n \n // Base64 encode message digest\n const messageBase64 = Buffer.from(request.message).toString('base64');\n\n const requestBody = {\n digest: {\n sha256: messageBase64, // GCP expects digest, not raw message\n },\n };\n\n const timeout = this.config.httpOptions?.timeout || 5000;\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), timeout);\n\n try {\n const response = await fetch(url, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'Authorization': `Bearer ${accessToken}`,\n },\n body: JSON.stringify(requestBody),\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (!response.ok) {\n const errorText = await response.text();\n throw new Error(`GCP KMS sign failed: ${response.status} ${errorText}`);\n }\n\n const data = await response.json() as GcpKmsSignResponse;\n\n if (!data.signature) {\n throw new Error('GCP KMS sign response missing signature');\n }\n\n // GCP returns signature as base64 string\n const signature = Buffer.from(data.signature, 'base64');\n\n return {\n signature,\n keyId: request.keyId,\n algorithm,\n metadata: {\n name: data.name,\n verifiedDigestCrc32c: data.verifiedDigestCrc32c,\n },\n };\n } catch (error: any) {\n clearTimeout(timeoutId);\n \n if (error.name === 'AbortError') {\n throw new Error('GCP KMS sign request timeout');\n }\n \n throw error;\n }\n }\n\n /**\n * Get GCP access token\n */\n private async getAccessToken(): Promise<string> {\n // Check if token is still valid (with 5 minute buffer)\n if (this.accessToken && Date.now() < this.tokenExpiry - 5 * 60 * 1000) {\n return this.accessToken;\n }\n\n if (this.config.useWorkloadIdentity) {\n // Use GCP metadata service\n const metadataUrl = 'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token';\n \n const response = await fetch(metadataUrl, {\n method: 'GET',\n headers: {\n 'Metadata-Flavor': 'Google',\n },\n });\n\n if (!response.ok) {\n throw new Error(`GCP metadata service authentication failed: ${response.status}`);\n }\n\n const data = await response.json() as GcpKmsTokenResponse;\n this.accessToken = data.access_token;\n this.tokenExpiry = Date.now() + (data.expires_in * 1000);\n \n return data.access_token;\n } else {\n // Use service account credentials\n if (!this.config.credentials) {\n throw new Error('GCP credentials not configured');\n }\n\n // Service account authentication requires JWT signing\n // For production use, install @google-cloud/kms package:\n // npm install @google-cloud/kms\n // Then use: new kms.KeyManagementServiceClient({ credentials: this.config.credentials })\n // \n // For now, we support workload identity which is the recommended approach for GCP environments\n throw new Error('Service account authentication requires @google-cloud/kms SDK. Install it with: npm install @google-cloud/kms. Alternatively, use workload identity (recommended for GCP environments).');\n }\n }\n\n /**\n * Map algorithm string to GCP format\n */\n private mapAlgorithm(algorithm: string): string {\n const algorithmMap: Record<string, string> = {\n 'ECDSA_SHA_256': 'EC_SIGN_P256_SHA256',\n 'ECDSA_SHA_384': 'EC_SIGN_P384_SHA384',\n 'ECDSA_SHA_512': 'EC_SIGN_P512_SHA512',\n 'RSASSA_PSS_SHA_256': 'RSA_SIGN_PSS_2048_SHA256',\n 'RSASSA_PSS_SHA_384': 'RSA_SIGN_PSS_3072_SHA256',\n 'RSASSA_PSS_SHA_512': 'RSA_SIGN_PSS_4096_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_256': 'RSA_SIGN_PKCS1_2048_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_384': 'RSA_SIGN_PKCS1_3072_SHA256',\n 'RSASSA_PKCS1_V1_5_SHA_512': 'RSA_SIGN_PKCS1_4096_SHA256',\n };\n\n // If already in GCP format, return as-is\n if (algorithm.startsWith('EC_SIGN_') || algorithm.startsWith('RSA_SIGN_')) {\n return algorithm;\n }\n\n return algorithmMap[algorithm.toUpperCase()] || 'EC_SIGN_P256_SHA256';\n }\n}\n\n","/**\n * Fireblocks Signer Backend\n *\n * Implements SignerBackend for Fireblocks API.\n * Key ID format: fireblocks://vaultAccountId/assetId\n * Docs: https://developers.fireblocks.com/reference/post_transactions\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend.js';\nimport { createSign, createHash, randomBytes } from 'crypto';\n\nexport interface FireblocksSignerConfig {\n /** Fireblocks API base URL (default: https://api.fireblocks.io) */\n apiBaseUrl?: string;\n /** Fireblocks API key (API User ID) */\n apiKey: string;\n /** Fireblocks API secret (private key PEM) */\n apiSecret: string;\n /** Default vault account ID (optional) */\n vaultAccountId?: string;\n}\n\ninterface FireblocksTransactionRequest {\n operation: 'RAW';\n source: { type: 'VAULT_ACCOUNT'; id: string };\n assetId: string;\n note?: string;\n extraParameters?: {\n rawMessageData: {\n messages: Array<{ content: string }>;\n };\n };\n}\n\nexport class FireblocksSigner implements SignerBackend {\n private readonly config: FireblocksSignerConfig;\n private readonly apiBaseUrl: string;\n\n constructor(config: FireblocksSignerConfig) {\n this.config = config;\n this.apiBaseUrl = config.apiBaseUrl ?? 'https://api.fireblocks.io';\n }\n\n getName(): string {\n return 'Fireblocks';\n }\n\n isAvailable(): boolean {\n return !!this.config.apiKey && !!this.config.apiSecret;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.isAvailable()) {\n throw new Error('Fireblocks API key and secret required');\n }\n\n const keyIdMatch = request.keyId.match(/^fireblocks:\\/\\/([^/]+)\\/(.+)$/);\n if (!keyIdMatch) {\n throw new Error(\n 'Invalid Fireblocks keyId format. Expected: fireblocks://vaultAccountId/assetId'\n );\n }\n const [, vaultAccountId, assetId] = keyIdMatch;\n\n const messageHex =\n request.message instanceof Buffer\n ? request.message.toString('hex')\n : Buffer.from(request.message).toString('hex');\n const requestId =\n (request.options?.requestId as string) || (request as SignRequest & { requestId?: string }).requestId;\n\n const txRequest: FireblocksTransactionRequest = {\n operation: 'RAW',\n source: { type: 'VAULT_ACCOUNT', id: vaultAccountId },\n assetId,\n note: `Gate signing request: ${requestId ?? 'unknown'}`,\n extraParameters: {\n rawMessageData: {\n messages: [{ content: messageHex }],\n },\n },\n };\n\n const token = this.createAuthToken('/v1/transactions', JSON.stringify(txRequest));\n\n const response = await fetch(`${this.apiBaseUrl}/v1/transactions`, {\n method: 'POST',\n headers: {\n 'Content-Type': 'application/json',\n 'X-API-Key': this.config.apiKey,\n Authorization: `Bearer ${token}`,\n },\n body: JSON.stringify(txRequest),\n });\n\n if (!response.ok) {\n const error = await response.text();\n throw new Error(`Fireblocks API error: ${response.status} ${error}`);\n }\n\n const result = (await response.json()) as { id?: string; status?: string };\n const txId = result.id;\n if (!txId) {\n throw new Error('Fireblocks API did not return transaction id');\n }\n\n const signed = await this.pollTransaction(txId);\n const sigHex = signed?.signature ?? (signed as { signedMessages?: Array<{ signature?: string }> })?.signedMessages?.[0]?.signature;\n if (!sigHex) {\n throw new Error(`Fireblocks transaction ${txId} did not return signature`);\n }\n\n return {\n signature: Buffer.from(sigHex, 'hex'),\n keyId: request.keyId,\n algorithm: request.algorithm ?? 'ECDSA_SHA_256',\n };\n }\n\n /**\n * Create JWT for Fireblocks API (RS256, uri + bodyHash in payload).\n */\n private createAuthToken(uri: string, bodyJson?: string): string {\n const now = Math.floor(Date.now() / 1000);\n const nonce = randomBytes(16).toString('hex');\n const bodyHash = bodyJson\n ? createHash('sha256').update(bodyJson, 'utf8').digest('hex')\n : '';\n\n const payload = {\n uri,\n nonce,\n iat: now,\n exp: now + 30,\n sub: this.config.apiKey,\n bodyHash,\n };\n\n const header = { alg: 'RS256', typ: 'JWT' };\n const encodedHeader = base64UrlEncode(JSON.stringify(header));\n const encodedPayload = base64UrlEncode(JSON.stringify(payload));\n const signingInput = `${encodedHeader}.${encodedPayload}`;\n\n const sign = createSign('RSA-SHA256');\n sign.update(signingInput);\n const signature = sign.sign(this.config.apiSecret);\n const encodedSig = base64UrlEncode(signature);\n\n return `${signingInput}.${encodedSig}`;\n }\n\n private async pollTransaction(\n txId: string,\n maxAttempts = 30\n ): Promise<{ signature?: string; signedMessages?: Array<{ signature?: string }> }> {\n for (let i = 0; i < maxAttempts; i++) {\n const token = this.createAuthToken(`/v1/transactions/${txId}`);\n const response = await fetch(`${this.apiBaseUrl}/v1/transactions/${txId}`, {\n headers: {\n 'X-API-Key': this.config.apiKey,\n Authorization: `Bearer ${token}`,\n },\n });\n\n if (!response.ok) {\n throw new Error(`Failed to fetch transaction status: ${await response.text()}`);\n }\n\n const tx = (await response.json()) as {\n status?: string;\n signedMessages?: Array<{ signature?: string }>;\n signature?: string;\n };\n\n if (tx.status === 'COMPLETED') {\n return tx.signedMessages?.[0] ? { signature: tx.signedMessages[0].signature } : tx;\n }\n if (tx.status === 'FAILED' || tx.status === 'REJECTED') {\n throw new Error(`Fireblocks transaction ${txId} failed: ${tx.status}`);\n }\n\n await new Promise((r) => setTimeout(r, 1000));\n }\n\n throw new Error(\n `Fireblocks transaction ${txId} did not complete within ${maxAttempts} seconds`\n );\n }\n}\n\nfunction base64UrlEncode(input: string | Buffer): string {\n const raw =\n typeof input === 'string'\n ? Buffer.from(input, 'utf8').toString('base64')\n : input.toString('base64');\n return raw.replace(/\\+/g, '-').replace(/\\//g, '_').replace(/=+$/, '');\n}\n","/**\n * PKCS#11 session implementation using pkcs11js.\n *\n * When the optional dependency `pkcs11js` is installed, this class loads the\n * PKCS#11 library (e.g. SoftHSM2, Thales nShield, Utimaco, AWS CloudHSM),\n * opens a session, and performs sign operations. Without pkcs11js, use a\n * custom pkcs11Session in GenericHsmSigner or install: npm install pkcs11js\n */\n\nimport { createRequire } from 'module';\n\nconst require = createRequire(import.meta.url);\n\nexport interface Pkcs11SessionInitOptions {\n /** Slot index (default 0). Use when multiple tokens are present. */\n slotId?: number;\n}\n\nexport interface Pkcs11Session {\n initialize(libraryPath: string, pin: string, options?: Pkcs11SessionInitOptions): Promise<void>;\n sign(keyHandle: Buffer, mechanism: string, data: Buffer): Promise<Buffer>;\n close(): Promise<void>;\n}\n\nconst NOT_LINKED =\n 'PKCS#11 runtime not linked. Install pkcs11js (npm install pkcs11js) and ensure the HSM library path is correct, or provide a custom pkcs11Session to GenericHsmSigner.';\n\n/** Map mechanism names from GenericHsmSigner to pkcs11js CKM_* constants. */\nfunction mechanismToPkcs11(mechanism: string): number {\n switch (mechanism) {\n case 'CKM_ECDSA_SHA256':\n return getPkcs11().CKM_ECDSA_SHA256;\n case 'CKM_RSA_PKCS':\n // RSASSA PKCS#1 v1.5 with SHA-256: hash then sign (one-shot)\n return getPkcs11().CKM_SHA256_RSA_PKCS;\n default:\n throw new Error(`Unsupported PKCS#11 mechanism: ${mechanism}`);\n }\n}\n\n// Use any to avoid requiring pkcs11js at compile time (optional dependency)\nlet pkcs11Module: any = undefined;\n\nfunction getPkcs11(): any {\n if (pkcs11Module !== undefined) {\n if (pkcs11Module === null) throw new Error(NOT_LINKED);\n return pkcs11Module;\n }\n try {\n pkcs11Module = require('pkcs11js');\n return pkcs11Module;\n } catch {\n pkcs11Module = null;\n throw new Error(NOT_LINKED);\n }\n}\n\nexport class Pkcs11SessionImpl implements Pkcs11Session {\n private libPath: string = '';\n private pin: string = '';\n private pkcs11: any = null;\n private session: Buffer | null = null;\n private initialized = false;\n\n async initialize(libraryPath: string, pin: string, options?: Pkcs11SessionInitOptions): Promise<void> {\n const p = getPkcs11();\n this.libPath = libraryPath;\n this.pin = pin;\n this.pkcs11 = new p.PKCS11();\n this.pkcs11.load(libraryPath);\n this.pkcs11.C_Initialize();\n this.initialized = true;\n\n const slots = this.pkcs11.C_GetSlotList(true);\n if (!slots || slots.length === 0) {\n await this.close();\n throw new Error('PKCS#11: no token present in any slot');\n }\n const slotIndex = options?.slotId ?? 0;\n if (slotIndex < 0 || slotIndex >= slots.length) {\n await this.close();\n throw new Error(`PKCS#11: slotId ${slotIndex} out of range (0..${slots.length - 1})`);\n }\n const slot = slots[slotIndex];\n const flags = p.CKF_SERIAL_SESSION | p.CKF_RW_SESSION;\n this.session = this.pkcs11.C_OpenSession(slot, flags);\n this.pkcs11.C_Login(this.session, p.CKU_USER, pin);\n }\n\n async sign(keyHandle: Buffer, mechanism: string, data: Buffer): Promise<Buffer> {\n if (!this.pkcs11 || !this.session) {\n throw new Error('PKCS#11 session not initialized. Call initialize() first.');\n }\n const p = getPkcs11();\n const mechCode = mechanismToPkcs11(mechanism);\n this.pkcs11.C_SignInit(this.session, { mechanism: mechCode }, keyHandle);\n const maxSigLen = 512;\n const outData = Buffer.alloc(maxSigLen);\n const signature = this.pkcs11.C_Sign(this.session, data, outData);\n return Buffer.from(signature);\n }\n\n async close(): Promise<void> {\n if (!this.initialized) return;\n this.initialized = false;\n try {\n if (this.pkcs11 && this.session) {\n try {\n this.pkcs11.C_Logout(this.session);\n } catch {\n /* ignore */\n }\n try {\n this.pkcs11.C_CloseSession(this.session);\n } catch {\n /* ignore */\n }\n }\n if (this.pkcs11) {\n try {\n this.pkcs11.C_Finalize();\n } catch {\n /* ignore */\n }\n try {\n this.pkcs11.close();\n } catch {\n /* ignore */\n }\n }\n } finally {\n this.pkcs11 = null;\n this.session = null;\n }\n }\n}\n","/**\n * Generic HSM Signer Backend (PKCS#11)\n *\n * Abstraction for on-prem HSMs via PKCS#11 (Thales nShield, Utimaco, AWS CloudHSM, etc.).\n * Key ID format: hsm://<keyHandle> where keyHandle is hex-encoded.\n *\n * Requires a PKCS#11 session implementation. Use config.pkcs11Session for testing or\n * a real adapter; otherwise Pkcs11SessionImpl throws until a PKCS#11 library is linked.\n */\n\nimport { SignerBackend, SignRequest, SignResponse } from './SignerBackend.js';\nimport type { Pkcs11Session } from './pkcs11/Pkcs11SessionImpl.js';\nimport { Pkcs11SessionImpl } from './pkcs11/Pkcs11SessionImpl.js';\n\nexport interface GenericHsmSignerConfig {\n /** PKCS#11 library path (e.g. /usr/lib/libCryptoki2_64.so for Thales) */\n pkcs11LibraryPath: string;\n /** HSM slot ID (optional) */\n slotId?: number;\n /** PIN / password */\n pin: string;\n /** Optional: custom PKCS#11 session (for testing or custom HSM adapters) */\n pkcs11Session?: Pkcs11Session;\n}\n\nexport class GenericHsmSigner implements SignerBackend {\n private readonly config: GenericHsmSignerConfig;\n private session: Pkcs11Session | null = null;\n\n constructor(config: GenericHsmSignerConfig) {\n this.config = config;\n }\n\n getName(): string {\n return 'Generic HSM (PKCS#11)';\n }\n\n isAvailable(): boolean {\n return !!this.config.pkcs11LibraryPath && !!this.config.pin;\n }\n\n async sign(request: SignRequest): Promise<SignResponse> {\n if (!this.session) {\n this.session =\n this.config.pkcs11Session ??\n (await this.initializePkcs11Session());\n }\n\n const keyIdMatch = request.keyId.match(/^hsm:\\/\\/(.+)$/);\n if (!keyIdMatch) {\n throw new Error(\n 'Invalid HSM keyId format. Expected: hsm://keyHandle (hex-encoded) or hsm://keyLabel'\n );\n }\n const keyHandle = Buffer.from(keyIdMatch[1], 'hex');\n\n const mechanism = this.mapAlgorithmToMechanism(\n request.algorithm ?? 'ECDSA_SHA_256'\n );\n const message =\n request.message instanceof Buffer\n ? request.message\n : Buffer.from(request.message);\n\n const signature = await this.session.sign(keyHandle, mechanism, message);\n\n return {\n signature,\n keyId: request.keyId,\n algorithm: request.algorithm ?? 'ECDSA_SHA_256',\n };\n }\n\n private async initializePkcs11Session(): Promise<Pkcs11Session> {\n const session = new Pkcs11SessionImpl();\n await session.initialize(this.config.pkcs11LibraryPath, this.config.pin, {\n slotId: this.config.slotId,\n });\n return session;\n }\n\n private mapAlgorithmToMechanism(algorithm: string): string {\n switch (algorithm) {\n case 'ECDSA_SHA_256':\n return 'CKM_ECDSA_SHA256';\n case 'RSASSA_PKCS1_V1_5_SHA_256':\n return 'CKM_RSA_PKCS';\n default:\n throw new Error(`Unsupported algorithm for HSM: ${algorithm}`);\n }\n }\n\n /** Release the PKCS#11 session. Call when done to free resources. */\n async close(): Promise<void> {\n if (this.session) {\n await this.session.close();\n this.session = null;\n }\n }\n}\n"]}