claude-flow-novice 1.6.2 → 1.6.4

package/.claude-flow-novice/dist/src/web/security/security-middleware.js

@@ -0,0 +1,379 @@
+/**
+ * Security Middleware - Comprehensive security controls for web applications
+ * Provides CSRF protection, CSP headers, input validation, and secure cookie handling
+ */ import { randomBytes } from 'crypto';
+export class SecurityMiddleware {
+    config;
+    logger;
+    csrfTokens = {};
+    rateLimitMap = new Map();
+    cleanupInterval;
+    constructor(config, logger){
+        this.config = config;
+        this.logger = logger;
+        // Start cleanup interval for expired tokens and rate limits
+        this.cleanupInterval = setInterval(()=>{
+            this.cleanupExpiredTokens();
+            this.cleanupExpiredRateLimits();
+        }, 60000); // Run every minute
+    }
+    /**
+   * Generate CSRF token for session
+   */ generateCSRFToken(sessionId) {
+        const token = randomBytes(32).toString('hex');
+        const expires = Date.now() + this.config.csrfTokenExpiry * 1000;
+        this.csrfTokens[sessionId] = {
+            token,
+            expires
+        };
+        this.logger.debug('CSRF token generated', {
+            sessionId
+        });
+        return token;
+    }
+    /**
+   * Validate CSRF token
+   */ validateCSRFToken(sessionId, providedToken) {
+        const storedToken = this.csrfTokens[sessionId];
+        if (!storedToken) {
+            this.logger.warn('No CSRF token found for session', {
+                sessionId
+            });
+            return false;
+        }
+        if (Date.now() > storedToken.expires) {
+            delete this.csrfTokens[sessionId];
+            this.logger.warn('CSRF token expired', {
+                sessionId
+            });
+            return false;
+        }
+        const isValid = storedToken.token === providedToken;
+        if (!isValid) {
+            this.logger.warn('Invalid CSRF token', {
+                sessionId
+            });
+        }
+        return isValid;
+    }
+    /**
+   * Content Security Policy middleware
+   */ contentSecurityPolicy = (req, res, next)=>{
+        if (!this.config.cspEnabled) {
+            return next();
+        }
+        const cspHeader = [
+            "default-src 'self'",
+            "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net",
+            "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+            "font-src 'self' https://fonts.gstatic.com",
+            "img-src 'self' data: https: blob:",
+            "connect-src 'self' ws: wss: https:",
+            "frame-src 'none'",
+            "object-src 'none'",
+            "base-uri 'self'",
+            "form-action 'self'",
+            "frame-ancestors 'none'",
+            "upgrade-insecure-requests",
+            "block-all-mixed-content"
+        ].join('; ');
+        res.setHeader('Content-Security-Policy', cspHeader);
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+        res.setHeader('X-Frame-Options', 'DENY');
+        res.setHeader('X-XSS-Protection', '1; mode=block');
+        res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+        res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=()');
+        next();
+    };
+    /**
+   * CSRF protection middleware
+   */ csrfProtection = (req, res, next)=>{
+        if (!this.config.csrfEnabled) {
+            return next();
+        }
+        // Skip CSRF for GET, HEAD, OPTIONS requests
+        if ([
+            'GET',
+            'HEAD',
+            'OPTIONS'
+        ].includes(req.method)) {
+            return next();
+        }
+        const sessionId = this.getSessionId(req);
+        if (!sessionId) {
+            this.logger.warn('No session ID found for CSRF validation', {
+                method: req.method,
+                url: req.url
+            });
+            return res.status(401).json({
+                error: 'Session required'
+            });
+        }
+        const token = req.get('X-CSRF-Token') || req.body?.csrfToken;
+        if (!token) {
+            this.logger.warn('No CSRF token provided', {
+                sessionId,
+                method: req.method,
+                url: req.url
+            });
+            return res.status(403).json({
+                error: 'CSRF token required'
+            });
+        }
+        if (!this.validateCSRFToken(sessionId, token)) {
+            this.logger.warn('Invalid CSRF token provided', {
+                sessionId,
+                method: req.method,
+                url: req.url
+            });
+            return res.status(403).json({
+                error: 'Invalid CSRF token'
+            });
+        }
+        // Generate new token after successful validation
+        const newToken = this.generateCSRFToken(sessionId);
+        res.set('X-CSRF-Token', newToken);
+        next();
+    };
+    /**
+   * Rate limiting middleware
+   */ rateLimiting = (req, res, next)=>{
+        if (!this.config.rateLimitingEnabled) {
+            return next();
+        }
+        const key = this.getRateLimitKey(req);
+        const now = Date.now();
+        const entry = this.rateLimitMap.get(key);
+        if (!entry) {
+            this.rateLimitMap.set(key, {
+                count: 1,
+                lastReset: now
+            });
+            return next();
+        }
+        // Reset counter if window has expired
+        if (now - entry.lastReset > this.config.rateLimitWindow * 1000) {
+            this.rateLimitMap.set(key, {
+                count: 1,
+                lastReset: now
+            });
+            return next();
+        }
+        // Check if rate limit exceeded
+        if (entry.count >= this.config.rateLimitMax) {
+            this.logger.warn('Rate limit exceeded', {
+                key,
+                count: entry.count,
+                limit: this.config.rateLimitMax,
+                window: this.config.rateLimitWindow
+            });
+            res.set({
+                'X-RateLimit-Limit': this.config.rateLimitMax.toString(),
+                'X-RateLimit-Remaining': '0',
+                'X-RateLimit-Reset': new Date(entry.lastReset + this.config.rateLimitWindow * 1000).toISOString()
+            });
+            return res.status(429).json({
+                error: 'Too many requests',
+                retryAfter: this.config.rateLimitWindow
+            });
+        }
+        // Increment counter
+        entry.count++;
+        res.set({
+            'X-RateLimit-Limit': this.config.rateLimitMax.toString(),
+            'X-RateLimit-Remaining': (this.config.rateLimitMax - entry.count).toString(),
+            'X-RateLimit-Reset': new Date(entry.lastReset + this.config.rateLimitWindow * 1000).toISOString()
+        });
+        next();
+    };
+    /**
+   * Secure cookies middleware
+   */ secureCookies = (req, res, next)=>{
+        // This should be used when setting cookies
+        const originalCookie = res.cookie;
+        res.cookie = (name, value, options)=>{
+            const secureOptions = {
+                httpOnly: true,
+                secure: this.config.secureCookies,
+                sameSite: this.config.sameSiteCookies,
+                ...options
+            };
+            return originalCookie.call(res, name, value, secureOptions);
+        };
+        next();
+    };
+    /**
+   * Origin validation middleware
+   */ originValidation = (req, res, next)=>{
+        const origin = req.get('Origin') || req.get('Referer');
+        // Skip for same-origin requests
+        if (!origin || this.isSameOrigin(req, origin)) {
+            return next();
+        }
+        if (!this.config.allowedOrigins.includes(origin)) {
+            this.logger.warn('Invalid origin', {
+                origin,
+                method: req.method,
+                url: req.url,
+                ip: req.ip
+            });
+            return res.status(403).json({
+                error: 'Origin not allowed'
+            });
+        }
+        res.set('Access-Control-Allow-Origin', origin);
+        res.set('Access-Control-Allow-Credentials', 'true');
+        res.set('Vary', 'Origin');
+        next();
+    };
+    /**
+   * Input validation middleware
+   */ inputValidation = (req, res, next)=>{
+        // Validate JSON payloads
+        if (req.is('json') && req.body) {
+            const jsonStr = JSON.stringify(req.body);
+            // Check payload size (limit to 1MB)
+            if (jsonStr.length > 1024 * 1024) {
+                this.logger.warn('Request payload too large', {
+                    size: jsonStr.length,
+                    limit: 1024 * 1024
+                });
+                return res.status(413).json({
+                    error: 'Request payload too large'
+                });
+            }
+            // Check for potential XSS in string values
+            const xssPatterns = [
+                /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi,
+                /javascript:/gi,
+                /on\w+\s*=/gi
+            ];
+            const sanitizeValue = (value)=>{
+                if (typeof value === 'string') {
+                    for (const pattern of xssPatterns){
+                        if (pattern.test(value)) {
+                            this.logger.warn('Potential XSS detected in input', {
+                                value: value.substring(0, 100)
+                            });
+                            throw new Error('Invalid input detected');
+                        }
+                    }
+                    return value;
+                } else if (Array.isArray(value)) {
+                    return value.map(sanitizeValue);
+                } else if (typeof value === 'object' && value !== null) {
+                    const sanitized = {};
+                    for (const [key, val] of Object.entries(value)){
+                        sanitized[key] = sanitizeValue(val);
+                    }
+                    return sanitized;
+                }
+                return value;
+            };
+            try {
+                req.body = sanitizeValue(req.body);
+            } catch (error) {
+                return res.status(400).json({
+                    error: 'Invalid input detected'
+                });
+            }
+        }
+        next();
+    };
+    /**
+   * Cleanup expired CSRF tokens
+   */ cleanupExpiredTokens() {
+        const now = Date.now();
+        let cleaned = 0;
+        for (const [sessionId, token] of Object.entries(this.csrfTokens)){
+            if (now > token.expires) {
+                delete this.csrfTokens[sessionId];
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            this.logger.debug('Cleaned up expired CSRF tokens', {
+                count: cleaned
+            });
+        }
+    }
+    /**
+   * Cleanup expired rate limits
+   */ cleanupExpiredRateLimits() {
+        const now = Date.now();
+        const windowMs = this.config.rateLimitWindow * 1000;
+        let cleaned = 0;
+        for (const [key, entry] of this.rateLimitMap.entries()){
+            if (now - entry.lastReset > windowMs * 2) {
+                this.rateLimitMap.delete(key);
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            this.logger.debug('Cleaned up expired rate limits', {
+                count: cleaned
+            });
+        }
+    }
+    /**
+   * Get session ID from request
+   */ getSessionId(req) {
+        // Try to get session ID from various sources
+        return req.session?.id || req.sessionID || req.get('Authorization')?.replace('Bearer ', '') || null;
+    }
+    /**
+   * Get rate limiting key for request
+   */ getRateLimitKey(req) {
+        const ip = req.ip || req.connection.remoteAddress || 'unknown';
+        const sessionId = this.getSessionId(req);
+        return sessionId ? `session:${sessionId}` : `ip:${ip}`;
+    }
+    /**
+   * Check if request is same-origin
+   */ isSameOrigin(req, origin) {
+        const host = req.get('Host');
+        if (!host) return false;
+        const protocol = req.protocol;
+        const expectedOrigin = `${protocol}://${host}`;
+        return origin === expectedOrigin || origin.startsWith(expectedOrigin);
+    }
+    /**
+   * Cleanup resources
+   */ destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+        }
+        this.csrfTokens = {};
+        this.rateLimitMap.clear();
+    }
+    /**
+   * Get security statistics
+   */ getStats() {
+        return {
+            activeCSRFtokens: Object.keys(this.csrfTokens).length,
+            activeRateLimits: this.rateLimitMap.size,
+            config: {
+                ...this.config
+            }
+        };
+    }
+}
+// Default security configuration
+export const defaultSecurityConfig = {
+    csrfEnabled: true,
+    cspEnabled: true,
+    rateLimitingEnabled: true,
+    allowedOrigins: [
+        'http://localhost:3000',
+        'http://localhost:3001',
+        'https://localhost:3000',
+        'https://localhost:3001'
+    ],
+    csrfTokenExpiry: 3600,
+    rateLimitWindow: 900,
+    rateLimitMax: 100,
+    secureCookies: process.env.NODE_ENV === 'production',
+    sameSiteCookies: 'strict'
+};
+
+//# sourceMappingURL=security-middleware.js.map

package/.claude-flow-novice/dist/src/web/security/security-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../../../src/web/security/security-middleware.ts"],"names":["randomBytes","SecurityMiddleware","csrfTokens","rateLimitMap","Map","cleanupInterval","config","logger","setInterval","cleanupExpiredTokens","cleanupExpiredRateLimits","generateCSRFToken","sessionId","token","toString","expires","Date","now","csrfTokenExpiry","debug","validateCSRFToken","providedToken","storedToken","warn","isValid","contentSecurityPolicy","req","res","next","cspEnabled","cspHeader","join","setHeader","csrfProtection","csrfEnabled","includes","method","getSessionId","url","status","json","error","get","body","csrfToken","newToken","set","rateLimiting","rateLimitingEnabled","key","getRateLimitKey","entry","count","lastReset","rateLimitWindow","rateLimitMax","limit","window","toISOString","retryAfter","secureCookies","originalCookie","cookie","name","value","options","secureOptions","httpOnly","secure","sameSite","sameSiteCookies","call","originValidation","origin","isSameOrigin","allowedOrigins","ip","inputValidation","is","jsonStr","JSON","stringify","length","size","xssPatterns","sanitizeValue","pattern","test","substring","Error","Array","isArray","map","sanitized","val","Object","entries","cleaned","windowMs","delete","session","id","sessionID","replace","connection","remoteAddress","host","protocol","expectedOrigin","startsWith","destroy","clearInterval","clear","getStats","activeCSRFtokens","keys","activeRateLimits","defaultSecurityConfig","process","env","NODE_ENV"],"mappings":"AAAA;;;CAGC,GAGD,SAAqBA,WAAW,QAAQ,SAAS;AA2BjD,OAAO,MAAMC;;;IACHC,aAAyB,CAAC,EAAE;IAC5BC,eAAe,IAAIC,MAA8B;IACjDC,gBAAgC;IAExC,YACE,AAAQC,MAAsB,EAC9B,AAAQC,MAAe,CACvB;aAFQD,SAAAA;aACAC,SAAAA;QAER,4DAA4D;QAC5D,IAAI,CAACF,eAAe,GAAGG,YAAY;YACjC,IAAI,CAACC,oBAAoB;YACzB,IAAI,CAACC,wBAAwB;QAC/B,GAAG,QAAQ,mBAAmB;IAChC;IAEA;;GAEC,GACDC,kBAAkBC,SAAiB,EAAU;QAC3C,MAAMC,QAAQb,YAAY,IAAIc,QAAQ,CAAC;QACvC,MAAMC,UAAUC,KAAKC,GAAG,KAAM,IAAI,CAACX,MAAM,CAACY,eAAe,GAAG;QAE5D,IAAI,CAAChB,UAAU,CAACU,UAAU,GAAG;YAAEC;YAAOE;QAAQ;QAE9C,IAAI,CAACR,MAAM,CAACY,KAAK,CAAC,wBAAwB;YAAEP;QAAU;QACtD,OAAOC;IACT;IAEA;;GAEC,GACDO,kBAAkBR,SAAiB,EAAES,aAAqB,EAAW;QACnE,MAAMC,cAAc,IAAI,CAACpB,UAAU,CAACU,UAAU;QAE9C,IAAI,CAACU,aAAa;YAChB,IAAI,CAACf,MAAM,CAACgB,IAAI,CAAC,mCAAmC;gBAAEX;YAAU;YAChE,OAAO;QACT;QAEA,IAAII,KAAKC,GAAG,KAAKK,YAAYP,OAAO,EAAE;YACpC,OAAO,IAAI,CAACb,UAAU,CAACU,UAAU;YACjC,IAAI,CAACL,MAAM,CAACgB,IAAI,CAAC,sBAAsB;gBAAEX;YAAU;YACnD,OAAO;QACT;QAEA,MAAMY,UAAUF,YAAYT,KAAK,KAAKQ;QACtC,IAAI,CAACG,SAAS;YACZ,IAAI,CAACjB,MAAM,CAACgB,IAAI,CAAC,sBAAsB;gBAAEX;YAAU;QACrD;QAEA,OAAOY;IACT;IAEA;;GAEC,GACDC,wBAAwB,CAACC,KAAcC,KAAeC;QACpD,IAAI,CAAC,IAAI,CAACtB,MAAM,CAACuB,UAAU,EAAE;YAC3B,OAAOD;QACT;QAEA,MAAME,YAAY;YAChB;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;YACA;SACD,CAACC,IAAI,CAAC;QAEPJ,IAAIK,SAAS,CAAC,2BAA2BF;QACzCH,IAAIK,SAAS,CAAC,0BAA0B;QACxCL,IAAIK,SAAS,CAAC,mBAAmB;QACjCL,IAAIK,SAAS,CAAC,oBAAoB;QAClCL,IAAIK,SAAS,CAAC,mBAAmB;QACjCL,IAAIK,SAAS,CAAC,sBACZ;QAGFJ;IACF,EAAE;IAEF;;GAEC,GACDK,iBAAiB,CAACP,KAAcC,KAAeC;QAC7C,IAAI,CAAC,IAAI,CAACtB,MAAM,CAAC4B,WAAW,EAAE;YAC5B,OAAON;QACT;QAEA,4CAA4C;QAC5C,IAAI;YAAC;YAAO;YAAQ;SAAU,CAACO,QAAQ,CAACT,IAAIU,MAAM,GAAG;YACnD,OAAOR;QACT;QAEA,MAAMhB,YAAY,IAAI,CAACyB,YAAY,CAACX;QACpC,IAAI,CAACd,WAAW;YACd,IAAI,CAACL,MAAM,CAACgB,IAAI,CAAC,2CAA2C;gBAC1Da,QAAQV,IAAIU,MAAM;gBAClBE,KAAKZ,IAAIY,GAAG;YACd;YACA,OAAOX,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;gBAAEC,OAAO;YAAmB;QAC1D;QAEA,MAAM5B,QAAQa,IAAIgB,GAAG,CAAC,mBAAmBhB,IAAIiB,IAAI,EAAEC;QAEnD,IAAI,CAAC/B,OAAO;YACV,IAAI,CAACN,MAAM,CAACgB,IAAI,CAAC,0BAA0B;gBACzCX;gBACAwB,QAAQV,IAAIU,MAAM;gBAClBE,KAAKZ,IAAIY,GAAG;YACd;YACA,OAAOX,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;gBAAEC,OAAO;YAAsB;QAC7D;QAEA,IAAI,CAAC,IAAI,CAACrB,iBAAiB,CAACR,WAAWC,QAAQ;YAC7C,IAAI,CAACN,MAAM,CAACgB,IAAI,CAAC,+BAA+B;gBAC9CX;gBACAwB,QAAQV,IAAIU,MAAM;gBAClBE,KAAKZ,IAAIY,GAAG;YACd;YACA,OAAOX,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;gBAAEC,OAAO;YAAqB;QAC5D;QAEA,iDAAiD;QACjD,MAAMI,WAAW,IAAI,CAAClC,iBAAiB,CAACC;QACxCe,IAAImB,GAAG,CAAC,gBAAgBD;QAExBjB;IACF,EAAE;IAEF;;GAEC,GACDmB,eAAe,CAACrB,KAAcC,KAAeC;QAC3C,IAAI,CAAC,IAAI,CAACtB,MAAM,CAAC0C,mBAAmB,EAAE;YACpC,OAAOpB;QACT;QAEA,MAAMqB,MAAM,IAAI,CAACC,eAAe,CAACxB;QACjC,MAAMT,MAAMD,KAAKC,GAAG;QACpB,MAAMkC,QAAQ,IAAI,CAAChD,YAAY,CAACuC,GAAG,CAACO;QAEpC,IAAI,CAACE,OAAO;YACV,IAAI,CAAChD,YAAY,CAAC2C,GAAG,CAACG,KAAK;gBAAEG,OAAO;gBAAGC,WAAWpC;YAAI;YACtD,OAAOW;QACT;QAEA,sCAAsC;QACtC,IAAIX,MAAMkC,MAAME,SAAS,GAAG,IAAI,CAAC/C,MAAM,CAACgD,eAAe,GAAG,MAAM;YAC9D,IAAI,CAACnD,YAAY,CAAC2C,GAAG,CAACG,KAAK;gBAAEG,OAAO;gBAAGC,WAAWpC;YAAI;YACtD,OAAOW;QACT;QAEA,+BAA+B;QAC/B,IAAIuB,MAAMC,KAAK,IAAI,IAAI,CAAC9C,MAAM,CAACiD,YAAY,EAAE;YAC3C,IAAI,CAAChD,MAAM,CAACgB,IAAI,CAAC,uBAAuB;gBACtC0B;gBACAG,OAAOD,MAAMC,KAAK;gBAClBI,OAAO,IAAI,CAAClD,MAAM,CAACiD,YAAY;gBAC/BE,QAAQ,IAAI,CAACnD,MAAM,CAACgD,eAAe;YACrC;YAEA3B,IAAImB,GAAG,CAAC;gBACN,qBAAqB,IAAI,CAACxC,MAAM,CAACiD,YAAY,CAACzC,QAAQ;gBACtD,yBAAyB;gBACzB,qBAAqB,IAAIE,KAAKmC,MAAME,SAAS,GAAG,IAAI,CAAC/C,MAAM,CAACgD,eAAe,GAAG,MAAMI,WAAW;YACjG;YAEA,OAAO/B,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;gBAC1BC,OAAO;gBACPkB,YAAY,IAAI,CAACrD,MAAM,CAACgD,eAAe;YACzC;QACF;QAEA,oBAAoB;QACpBH,MAAMC,KAAK;QAEXzB,IAAImB,GAAG,CAAC;YACN,qBAAqB,IAAI,CAACxC,MAAM,CAACiD,YAAY,CAACzC,QAAQ;YACtD,yBAAyB,AAAC,CAAA,IAAI,CAACR,MAAM,CAACiD,YAAY,GAAGJ,MAAMC,KAAK,AAAD,EAAGtC,QAAQ;YAC1E,qBAAqB,IAAIE,KAAKmC,MAAME,SAAS,GAAG,IAAI,CAAC/C,MAAM,CAACgD,eAAe,GAAG,MAAMI,WAAW;QACjG;QAEA9B;IACF,EAAE;IAEF;;GAEC,GACDgC,gBAAgB,CAAClC,KAAcC,KAAeC;QAC5C,2CAA2C;QAC3C,MAAMiC,iBAAiBlC,IAAImC,MAAM;QAEjCnC,IAAImC,MAAM,GAAG,CAACC,MAAcC,OAAeC;YACzC,MAAMC,gBAAgB;gBACpBC,UAAU;gBACVC,QAAQ,IAAI,CAAC9D,MAAM,CAACsD,aAAa;gBACjCS,UAAU,IAAI,CAAC/D,MAAM,CAACgE,eAAe;gBACrC,GAAGL,OAAO;YACZ;YAEA,OAAOJ,eAAeU,IAAI,CAAC5C,KAAKoC,MAAMC,OAAOE;QAC/C;QAEAtC;IACF,EAAE;IAEF;;GAEC,GACD4C,mBAAmB,CAAC9C,KAAcC,KAAeC;QAC/C,MAAM6C,SAAS/C,IAAIgB,GAAG,CAAC,aAAahB,IAAIgB,GAAG,CAAC;QAE5C,gCAAgC;QAChC,IAAI,CAAC+B,UAAU,IAAI,CAACC,YAAY,CAAChD,KAAK+C,SAAS;YAC7C,OAAO7C;QACT;QAEA,IAAI,CAAC,IAAI,CAACtB,MAAM,CAACqE,cAAc,CAACxC,QAAQ,CAACsC,SAAS;YAChD,IAAI,CAAClE,MAAM,CAACgB,IAAI,CAAC,kBAAkB;gBACjCkD;gBACArC,QAAQV,IAAIU,MAAM;gBAClBE,KAAKZ,IAAIY,GAAG;gBACZsC,IAAIlD,IAAIkD,EAAE;YACZ;YAEA,OAAOjD,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;gBAAEC,OAAO;YAAqB;QAC5D;QAEAd,IAAImB,GAAG,CAAC,+BAA+B2B;QACvC9C,IAAImB,GAAG,CAAC,oCAAoC;QAC5CnB,IAAImB,GAAG,CAAC,QAAQ;QAEhBlB;IACF,EAAE;IAEF;;GAEC,GACDiD,kBAAkB,CAACnD,KAAcC,KAAeC;QAC9C,yBAAyB;QACzB,IAAIF,IAAIoD,EAAE,CAAC,WAAWpD,IAAIiB,IAAI,EAAE;YAC9B,MAAMoC,UAAUC,KAAKC,SAAS,CAACvD,IAAIiB,IAAI;YAEvC,oCAAoC;YACpC,IAAIoC,QAAQG,MAAM,GAAG,OAAO,MAAM;gBAChC,IAAI,CAAC3E,MAAM,CAACgB,IAAI,CAAC,6BAA6B;oBAC5C4D,MAAMJ,QAAQG,MAAM;oBACpB1B,OAAO,OAAO;gBAChB;gBACA,OAAO7B,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;oBAAEC,OAAO;gBAA4B;YACnE;YAEA,2CAA2C;YAC3C,MAAM2C,cAAc;gBAClB;gBACA;gBACA;aACD;YAED,MAAMC,gBAAgB,CAACrB;gBACrB,IAAI,OAAOA,UAAU,UAAU;oBAC7B,KAAK,MAAMsB,WAAWF,YAAa;wBACjC,IAAIE,QAAQC,IAAI,CAACvB,QAAQ;4BACvB,IAAI,CAACzD,MAAM,CAACgB,IAAI,CAAC,mCAAmC;gCAClDyC,OAAOA,MAAMwB,SAAS,CAAC,GAAG;4BAC5B;4BACA,MAAM,IAAIC,MAAM;wBAClB;oBACF;oBACA,OAAOzB;gBACT,OAAO,IAAI0B,MAAMC,OAAO,CAAC3B,QAAQ;oBAC/B,OAAOA,MAAM4B,GAAG,CAACP;gBACnB,OAAO,IAAI,OAAOrB,UAAU,YAAYA,UAAU,MAAM;oBACtD,MAAM6B,YAAiB,CAAC;oBACxB,KAAK,MAAM,CAAC5C,KAAK6C,IAAI,IAAIC,OAAOC,OAAO,CAAChC,OAAQ;wBAC9C6B,SAAS,CAAC5C,IAAI,GAAGoC,cAAcS;oBACjC;oBACA,OAAOD;gBACT;gBACA,OAAO7B;YACT;YAEA,IAAI;gBACFtC,IAAIiB,IAAI,GAAG0C,cAAc3D,IAAIiB,IAAI;YACnC,EAAE,OAAOF,OAAO;gBACd,OAAOd,IAAIY,MAAM,CAAC,KAAKC,IAAI,CAAC;oBAAEC,OAAO;gBAAyB;YAChE;QACF;QAEAb;IACF,EAAE;IAEF;;GAEC,GACD,AAAQnB,uBAA6B;QACnC,MAAMQ,MAAMD,KAAKC,GAAG;QACpB,IAAIgF,UAAU;QAEd,KAAK,MAAM,CAACrF,WAAWC,MAAM,IAAIkF,OAAOC,OAAO,CAAC,IAAI,CAAC9F,UAAU,EAAG;YAChE,IAAIe,MAAMJ,MAAME,OAAO,EAAE;gBACvB,OAAO,IAAI,CAACb,UAAU,CAACU,UAAU;gBACjCqF;YACF;QACF;QAEA,IAAIA,UAAU,GAAG;YACf,IAAI,CAAC1F,MAAM,CAACY,KAAK,CAAC,kCAAkC;gBAAEiC,OAAO6C;YAAQ;QACvE;IACF;IAEA;;GAEC,GACD,AAAQvF,2BAAiC;QACvC,MAAMO,MAAMD,KAAKC,GAAG;QACpB,MAAMiF,WAAW,IAAI,CAAC5F,MAAM,CAACgD,eAAe,GAAG;QAC/C,IAAI2C,UAAU;QAEd,KAAK,MAAM,CAAChD,KAAKE,MAAM,IAAI,IAAI,CAAChD,YAAY,CAAC6F,OAAO,GAAI;YACtD,IAAI/E,MAAMkC,MAAME,SAAS,GAAG6C,WAAW,GAAG;gBACxC,IAAI,CAAC/F,YAAY,CAACgG,MAAM,CAAClD;gBACzBgD;YACF;QACF;QAEA,IAAIA,UAAU,GAAG;YACf,IAAI,CAAC1F,MAAM,CAACY,KAAK,CAAC,kCAAkC;gBAAEiC,OAAO6C;YAAQ;QACvE;IACF;IAEA;;GAEC,GACD,AAAQ5D,aAAaX,GAAY,EAAiB;QAChD,6CAA6C;QAC7C,OAAOA,IAAI0E,OAAO,EAAEC,MAAM3E,IAAI4E,SAAS,IAAI5E,IAAIgB,GAAG,CAAC,kBAAkB6D,QAAQ,WAAW,OAAO;IACjG;IAEA;;GAEC,GACD,AAAQrD,gBAAgBxB,GAAY,EAAU;QAC5C,MAAMkD,KAAKlD,IAAIkD,EAAE,IAAIlD,IAAI8E,UAAU,CAACC,aAAa,IAAI;QACrD,MAAM7F,YAAY,IAAI,CAACyB,YAAY,CAACX;QACpC,OAAOd,YAAY,CAAC,QAAQ,EAAEA,WAAW,GAAG,CAAC,GAAG,EAAEgE,IAAI;IACxD;IAEA;;GAEC,GACD,AAAQF,aAAahD,GAAY,EAAE+C,MAAc,EAAW;QAC1D,MAAMiC,OAAOhF,IAAIgB,GAAG,CAAC;QACrB,IAAI,CAACgE,MAAM,OAAO;QAElB,MAAMC,WAAWjF,IAAIiF,QAAQ;QAC7B,MAAMC,iBAAiB,GAAGD,SAAS,GAAG,EAAED,MAAM;QAE9C,OAAOjC,WAAWmC,kBAAkBnC,OAAOoC,UAAU,CAACD;IACxD;IAEA;;GAEC,GACDE,UAAgB;QACd,IAAI,IAAI,CAACzG,eAAe,EAAE;YACxB0G,cAAc,IAAI,CAAC1G,eAAe;QACpC;QACA,IAAI,CAACH,UAAU,GAAG,CAAC;QACnB,IAAI,CAACC,YAAY,CAAC6G,KAAK;IACzB;IAEA;;GAEC,GACDC,WAIE;QACA,OAAO;YACLC,kBAAkBnB,OAAOoB,IAAI,CAAC,IAAI,CAACjH,UAAU,EAAEgF,MAAM;YACrDkC,kBAAkB,IAAI,CAACjH,YAAY,CAACgF,IAAI;YACxC7E,QAAQ;gBAAE,GAAG,IAAI,CAACA,MAAM;YAAC;QAC3B;IACF;AACF;AAEA,iCAAiC;AACjC,OAAO,MAAM+G,wBAAwC;IACnDnF,aAAa;IACbL,YAAY;IACZmB,qBAAqB;IACrB2B,gBAAgB;QACd;QACA;QACA;QACA;KACD;IACDzD,iBAAiB;IACjBoC,iBAAiB;IACjBC,cAAc;IACdK,eAAe0D,QAAQC,GAAG,CAACC,QAAQ,KAAK;IACxClD,iBAAiB;AACnB,EAAE"}