couchloop-eq-mcp 1.0.0

package/dist/server/oauth/pkce.d.ts

@@ -0,0 +1,61 @@
+/**
+ * PKCE Challenge data structure
+ */
+export interface PKCEChallenge {
+    challenge: string;
+    method: 'S256' | 'plain';
+    clientId: string;
+    expiresAt: Date;
+    createdAt: Date;
+}
+/**
+ * PKCE (Proof Key for Code Exchange) Manager
+ * Implements RFC 7636 for OAuth 2.0 public clients
+ * Prevents authorization code interception attacks
+ */
+export declare class PKCEManager {
+    private challenges;
+    private readonly MIN_VERIFIER_LENGTH;
+    private readonly MAX_VERIFIER_LENGTH;
+    private readonly CHALLENGE_TTL;
+    /**
+     * Generate a cryptographically secure code verifier
+     * According to RFC 7636, must be 43-128 characters
+     */
+    generateVerifier(): string;
+    /**
+     * Generate code challenge from verifier
+     * S256 is mandatory in OAuth 2.1, plain is deprecated
+     */
+    generateChallenge(verifier: string, method?: 'S256' | 'plain'): string;
+    /**
+     * Store PKCE challenge for later verification
+     */
+    storeChallenge(authorizationCode: string, challenge: string, method: 'S256' | 'plain', clientId: string): Promise<void>;
+    /**
+     * Validate PKCE verifier against stored challenge
+     * Uses constant-time comparison to prevent timing attacks
+     */
+    validatePKCE(authorizationCode: string, verifier: string, clientId: string): Promise<boolean>;
+    /**
+     * Get stored challenge (for testing/debugging)
+     */
+    getChallenge(authorizationCode: string): PKCEChallenge | undefined;
+    /**
+     * Clean up expired challenges to prevent memory leak
+     */
+    private cleanupExpiredChallenges;
+    /**
+     * Clear all challenges (for testing)
+     */
+    clearAll(): void;
+    /**
+     * Get statistics about stored challenges
+     */
+    getStats(): {
+        total: number;
+        expired: number;
+    };
+}
+export declare const pkceManager: PKCEManager;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/server/oauth/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../../src/server/oauth/pkce.ts"],"names":[],"mappings":"AAGA;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,IAAI,CAAC;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;;;GAIG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,UAAU,CAAoC;IACtD,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAM;IAC1C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAO;IAC3C,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAkB;IAEhD;;;OAGG;IACH,gBAAgB,IAAI,MAAM;IAc1B;;;OAGG;IACH,iBAAiB,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,GAAE,MAAM,GAAG,OAAgB,GAAG,MAAM;IAe9E;;OAEG;IACG,cAAc,CAClB,iBAAiB,EAAE,MAAM,EACzB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GAAG,OAAO,EACxB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,IAAI,CAAC;IAgBhB;;;OAGG;IACG,YAAY,CAChB,iBAAiB,EAAE,MAAM,EACzB,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,OAAO,CAAC;IAqDnB;;OAEG;IACH,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIlE;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAgBhC;;OAEG;IACH,QAAQ,IAAI,IAAI;IAKhB;;OAEG;IACH,QAAQ,IAAI;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE;CAe/C;AAGD,eAAO,MAAM,WAAW,aAAoB,CAAC"}

package/dist/server/oauth/pkce.js

@@ -0,0 +1,157 @@
+import { createHash, randomBytes } from 'crypto';
+import { logger } from '../../utils/logger.js';
+/**
+ * PKCE (Proof Key for Code Exchange) Manager
+ * Implements RFC 7636 for OAuth 2.0 public clients
+ * Prevents authorization code interception attacks
+ */
+export class PKCEManager {
+    challenges = new Map();
+    MIN_VERIFIER_LENGTH = 43;
+    MAX_VERIFIER_LENGTH = 128;
+    CHALLENGE_TTL = 10 * 60 * 1000; // 10 minutes
+    /**
+     * Generate a cryptographically secure code verifier
+     * According to RFC 7636, must be 43-128 characters
+     */
+    generateVerifier() {
+        // Generate 32 bytes (will produce 43 chars in base64url)
+        const buffer = randomBytes(32);
+        const verifier = buffer.toString('base64url');
+        if (verifier.length < this.MIN_VERIFIER_LENGTH ||
+            verifier.length > this.MAX_VERIFIER_LENGTH) {
+            throw new Error('Generated verifier length is out of bounds');
+        }
+        logger.debug(`Generated PKCE verifier of length ${verifier.length}`);
+        return verifier;
+    }
+    /**
+     * Generate code challenge from verifier
+     * S256 is mandatory in OAuth 2.1, plain is deprecated
+     */
+    generateChallenge(verifier, method = 'S256') {
+        if (method === 'plain') {
+            logger.warn('Using plain PKCE method is not recommended and will be deprecated');
+            return verifier;
+        }
+        // S256 = BASE64URL(SHA256(verifier))
+        const hash = createHash('sha256')
+            .update(verifier, 'ascii')
+            .digest('base64url');
+        logger.debug(`Generated S256 PKCE challenge`);
+        return hash;
+    }
+    /**
+     * Store PKCE challenge for later verification
+     */
+    async storeChallenge(authorizationCode, challenge, method, clientId) {
+        // Clean up expired challenges
+        this.cleanupExpiredChallenges();
+        const pkceChallenge = {
+            challenge,
+            method,
+            clientId,
+            createdAt: new Date(),
+            expiresAt: new Date(Date.now() + this.CHALLENGE_TTL),
+        };
+        this.challenges.set(authorizationCode, pkceChallenge);
+        logger.info(`Stored PKCE challenge for authorization code ${authorizationCode.substring(0, 8)}...`);
+    }
+    /**
+     * Validate PKCE verifier against stored challenge
+     * Uses constant-time comparison to prevent timing attacks
+     */
+    async validatePKCE(authorizationCode, verifier, clientId) {
+        const storedChallenge = this.challenges.get(authorizationCode);
+        if (!storedChallenge) {
+            logger.warn(`No PKCE challenge found for authorization code ${authorizationCode.substring(0, 8)}...`);
+            return false;
+        }
+        // Check expiration
+        if (new Date() > storedChallenge.expiresAt) {
+            logger.warn(`PKCE challenge expired for authorization code ${authorizationCode.substring(0, 8)}...`);
+            this.challenges.delete(authorizationCode);
+            return false;
+        }
+        // Verify client ID matches
+        if (storedChallenge.clientId !== clientId) {
+            logger.error(`Client ID mismatch in PKCE validation. Expected: ${storedChallenge.clientId}, Got: ${clientId}`);
+            return false;
+        }
+        // Compute challenge from provided verifier
+        const computedChallenge = this.generateChallenge(verifier, storedChallenge.method);
+        // Use constant-time comparison to prevent timing attacks
+        const storedBuffer = Buffer.from(storedChallenge.challenge, 'ascii');
+        const computedBuffer = Buffer.from(computedChallenge, 'ascii');
+        if (storedBuffer.length !== computedBuffer.length) {
+            logger.warn(`PKCE challenge length mismatch`);
+            return false;
+        }
+        let isValid;
+        try {
+            // crypto.timingSafeEqual throws if buffers are different lengths
+            isValid = storedBuffer.length === computedBuffer.length &&
+                crypto.timingSafeEqual(storedBuffer, computedBuffer);
+        }
+        catch {
+            isValid = false;
+        }
+        if (isValid) {
+            logger.info(`PKCE validation successful for authorization code ${authorizationCode.substring(0, 8)}...`);
+            // Remove used challenge
+            this.challenges.delete(authorizationCode);
+        }
+        else {
+            logger.warn(`PKCE validation failed for authorization code ${authorizationCode.substring(0, 8)}...`);
+        }
+        return isValid;
+    }
+    /**
+     * Get stored challenge (for testing/debugging)
+     */
+    getChallenge(authorizationCode) {
+        return this.challenges.get(authorizationCode);
+    }
+    /**
+     * Clean up expired challenges to prevent memory leak
+     */
+    cleanupExpiredChallenges() {
+        const now = new Date();
+        let cleaned = 0;
+        for (const [code, challenge] of this.challenges.entries()) {
+            if (now > challenge.expiresAt) {
+                this.challenges.delete(code);
+                cleaned++;
+            }
+        }
+        if (cleaned > 0) {
+            logger.debug(`Cleaned up ${cleaned} expired PKCE challenges`);
+        }
+    }
+    /**
+     * Clear all challenges (for testing)
+     */
+    clearAll() {
+        this.challenges.clear();
+        logger.debug('Cleared all PKCE challenges');
+    }
+    /**
+     * Get statistics about stored challenges
+     */
+    getStats() {
+        const now = new Date();
+        let expired = 0;
+        for (const challenge of this.challenges.values()) {
+            if (now > challenge.expiresAt) {
+                expired++;
+            }
+        }
+        return {
+            total: this.challenges.size,
+            expired,
+        };
+    }
+}
+// Export singleton instance
+export const pkceManager = new PKCEManager();
+//# sourceMappingURL=pkce.js.map

package/dist/server/oauth/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../../src/server/oauth/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACjD,OAAO,EAAE,MAAM,EAAE,MAAM,uBAAuB,CAAC;AAa/C;;;;GAIG;AACH,MAAM,OAAO,WAAW;IACd,UAAU,GAAG,IAAI,GAAG,EAAyB,CAAC;IACrC,mBAAmB,GAAG,EAAE,CAAC;IACzB,mBAAmB,GAAG,GAAG,CAAC;IAC1B,aAAa,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,aAAa;IAE9D;;;OAGG;IACH,gBAAgB;QACd,yDAAyD;QACzD,MAAM,MAAM,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAE9C,IAAI,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,mBAAmB;YAC1C,QAAQ,CAAC,MAAM,GAAG,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC/C,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,iBAAiB,CAAC,QAAgB,EAAE,SAA2B,MAAM;QACnE,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;YACvB,MAAM,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;YACjF,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,qCAAqC;QACrC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC;aAC9B,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC;aACzB,MAAM,CAAC,WAAW,CAAC,CAAC;QAEvB,MAAM,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAC9C,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,cAAc,CAClB,iBAAyB,EACzB,SAAiB,EACjB,MAAwB,EACxB,QAAgB;QAEhB,8BAA8B;QAC9B,IAAI,CAAC,wBAAwB,EAAE,CAAC;QAEhC,MAAM,aAAa,GAAkB;YACnC,SAAS;YACT,MAAM;YACN,QAAQ;YACR,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,aAAa,CAAC;SACrD,CAAC;QAEF,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,iBAAiB,EAAE,aAAa,CAAC,CAAC;QACtD,MAAM,CAAC,IAAI,CAAC,gDAAgD,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACtG,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,YAAY,CAChB,iBAAyB,EACzB,QAAgB,EAChB,QAAgB;QAEhB,MAAM,eAAe,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;QAE/D,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,kDAAkD,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACtG,OAAO,KAAK,CAAC;QACf,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,IAAI,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,CAAC;YAC3C,MAAM,CAAC,IAAI,CAAC,iDAAiD,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACrG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,2BAA2B;QAC3B,IAAI,eAAe,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,CAAC,KAAK,CAAC,oDAAoD,eAAe,CAAC,QAAQ,UAAU,QAAQ,EAAE,CAAC,CAAC;YAC/G,OAAO,KAAK,CAAC;QACf,CAAC;QAED,2CAA2C;QAC3C,MAAM,iBAAiB,GAAG,IAAI,CAAC,iBAAiB,CAAC,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;QAEnF,yDAAyD;QACzD,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACrE,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QAE/D,IAAI,YAAY,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;YAC9C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,IAAI,OAAgB,CAAC;QACrB,IAAI,CAAC;YACH,iEAAiE;YACjE,OAAO,GAAG,YAAY,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM;gBAC7C,MAAM,CAAC,eAAe,CAAC,YAAY,EAAE,cAAc,CAAC,CAAC;QACjE,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,GAAG,KAAK,CAAC;QAClB,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,IAAI,CAAC,qDAAqD,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;YACzG,wBAAwB;YACxB,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,iDAAiD,iBAAiB,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;QACvG,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,iBAAyB;QACpC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;IAChD,CAAC;IAED;;OAEG;IACK,wBAAwB;QAC9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,GAAG,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;gBAC9B,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;gBAC7B,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;YAChB,MAAM,CAAC,KAAK,CAAC,cAAc,OAAO,0BAA0B,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,CAAC,UAAU,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IAC9C,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC,CAAC;QAEhB,KAAK,MAAM,SAAS,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,EAAE,CAAC;YACjD,IAAI,GAAG,GAAG,SAAS,CAAC,SAAS,EAAE,CAAC;gBAC9B,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI,CAAC,UAAU,CAAC,IAAI;YAC3B,OAAO;SACR,CAAC;IACJ,CAAC;CACF;AAED,4BAA4B;AAC5B,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC"}

package/dist/server/oauth/providers/base.d.ts

@@ -0,0 +1,147 @@
+import { JWK } from 'jose';
+/**
+ * OAuth token response structure
+ */
+export interface TokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in?: number;
+    refresh_token?: string;
+    id_token?: string;
+    scope?: string;
+}
+/**
+ * User information from OAuth provider
+ */
+export interface UserInfo {
+    id: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+    locale?: string;
+    provider: string;
+    raw?: Record<string, any>;
+}
+/**
+ * ID Token claims (OpenID Connect)
+ */
+export interface IdTokenClaims {
+    iss: string;
+    sub: string;
+    aud: string | string[];
+    exp: number;
+    iat: number;
+    nonce?: string;
+    email?: string;
+    email_verified?: boolean;
+    name?: string;
+    picture?: string;
+    [key: string]: any;
+}
+/**
+ * Provider configuration
+ */
+export interface ProviderConfig {
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+    scopes?: string[];
+    additionalParams?: Record<string, string>;
+}
+/**
+ * Abstract base class for OAuth providers
+ * Implements common OAuth 2.0/OIDC functionality
+ */
+export declare abstract class OAuthProvider {
+    abstract readonly name: string;
+    abstract readonly authorizationUrl: string;
+    abstract readonly tokenUrl: string;
+    abstract readonly userInfoUrl: string;
+    abstract readonly revokeUrl?: string;
+    abstract readonly jwksUrl?: string;
+    protected config: ProviderConfig;
+    private jwksCache;
+    private readonly JWKS_CACHE_TTL;
+    constructor(config: ProviderConfig);
+    /**
+     * Build authorization URL with required parameters
+     */
+    buildAuthorizationUrl(params: {
+        state: string;
+        codeChallenge?: string;
+        codeChallengeMethod?: string;
+        nonce?: string;
+        scope?: string;
+        additionalParams?: Record<string, string>;
+    }): string;
+    /**
+     * Exchange authorization code for tokens
+     */
+    exchangeCode(code: string, codeVerifier?: string): Promise<TokenResponse>;
+    /**
+     * Refresh access token
+     */
+    refreshToken(refreshToken: string): Promise<TokenResponse>;
+    /**
+     * Get user information from provider
+     */
+    getUserInfo(accessToken: string): Promise<UserInfo>;
+    /**
+     * Revoke token (if supported by provider)
+     */
+    revokeToken(token: string, tokenType?: 'access_token' | 'refresh_token'): Promise<void>;
+    /**
+     * Validate ID token (OpenID Connect)
+     */
+    protected validateIdToken(idToken: string): Promise<IdTokenClaims>;
+    /**
+     * Get JWKS from provider (with caching)
+     */
+    protected getJWKS(): Promise<{
+        keys: JWK[];
+    }>;
+    /**
+     * Validate redirect URI
+     */
+    protected validateRedirectUri(uri: string): boolean;
+    /**
+     * Get default scopes for this provider
+     */
+    protected abstract getDefaultScopes(): string[];
+    /**
+     * Get expected issuer for ID token validation
+     */
+    protected abstract getExpectedIssuer(): string;
+    /**
+     * Normalize user info to common format
+     */
+    protected abstract normalizeUserInfo(data: any): UserInfo;
+    /**
+     * Additional ID token claims validation
+     */
+    protected validateIdTokenClaims(claims: IdTokenClaims): void;
+    /**
+     * Handle provider-specific errors
+     */
+    protected handleProviderError(error: any): never;
+}
+/**
+ * Provider factory
+ */
+export declare class ProviderFactory {
+    private static providers;
+    /**
+     * Register a provider
+     */
+    static register(name: string, providerClass: typeof OAuthProvider): void;
+    /**
+     * Create provider instance
+     */
+    static create(name: string, config: ProviderConfig): OAuthProvider;
+    /**
+     * Get list of registered providers
+     */
+    static getProviders(): string[];
+}
+//# sourceMappingURL=base.d.ts.map

package/dist/server/oauth/providers/base.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"base.d.ts","sourceRoot":"","sources":["../../../../src/server/oauth/providers/base.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwB,GAAG,EAAE,MAAM,MAAM,CAAC;AAIjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,GAAG,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAC3C;AAED;;;GAGG;AACH,8BAAsB,aAAa;IACjC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC;IAC3C,QAAQ,CAAC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IACtC,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAEnC,SAAS,CAAC,MAAM,EAAE,cAAc,CAAC;IACjC,OAAO,CAAC,SAAS,CAAkD;IACnE,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAW;gBAE9B,MAAM,EAAE,cAAc;IAIlC;;OAEG;IACH,qBAAqB,CAAC,MAAM,EAAE;QAC5B,KAAK,EAAE,MAAM,CAAC;QACd,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC3C,GAAG,MAAM;IA0CV;;OAEG;IACG,YAAY,CAChB,IAAI,EAAE,MAAM,EACZ,YAAY,CAAC,EAAE,MAAM,GACpB,OAAO,CAAC,aAAa,CAAC;IA6CzB;;OAEG;IACG,YAAY,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAkChE;;OAEG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IA0BzD;;OAEG;IACG,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,GAAE,cAAc,GAAG,eAAgC,GAAG,OAAO,CAAC,IAAI,CAAC;IAgC7G;;OAEG;cACa,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAwCxE;;OAEG;cACa,OAAO,IAAI,OAAO,CAAC;QAAE,IAAI,EAAE,GAAG,EAAE,CAAA;KAAE,CAAC;IAiCnD;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAInD;;OAEG;IACH,SAAS,CAAC,QAAQ,CAAC,gBAAgB,IAAI,MAAM,EAAE;IAE/C;;OAEG;IACH,SAAS,CAAC,QAAQ,CAAC,iBAAiB,IAAI,MAAM;IAE9C;;OAEG;IACH,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,IAAI,EAAE,GAAG,GAAG,QAAQ;IAEzD;;OAEG;IACH,SAAS,CAAC,qBAAqB,CAAC,MAAM,EAAE,aAAa,GAAG,IAAI;IAe5D;;OAEG;IACH,SAAS,CAAC,mBAAmB,CAAC,KAAK,EAAE,GAAG,GAAG,KAAK;CAIjD;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,SAAS,CAA2C;IAEnE;;OAEG;IACH,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,aAAa,GAAG,IAAI;IAKxE;;OAEG;IACH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,cAAc,GAAG,aAAa;IAWlE;;OAEG;IACH,MAAM,CAAC,YAAY,IAAI,MAAM,EAAE;CAGhC"}