npm - easy-psql-rbac - Versions diffs - 1.0.0 - Mend

easy-psql-rbac 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/README.md +303 -0
package/dist/badrequest.d.ts +5 -0
package/dist/badrequest.d.ts.map +1 -0
package/dist/badrequest.js +11 -0
package/dist/badrequest.js.map +1 -0
package/dist/forbidden.d.ts +5 -0
package/dist/forbidden.d.ts.map +1 -0
package/dist/forbidden.js +11 -0
package/dist/forbidden.js.map +1 -0
package/dist/index.d.ts +6 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +22 -0
package/dist/index.js.map +1 -0
package/dist/rbac.d.ts +152 -0
package/dist/rbac.d.ts.map +1 -0
package/dist/rbac.js +745 -0
package/dist/rbac.js.map +1 -0
package/dist/roleRegistry.d.ts +42 -0
package/dist/roleRegistry.d.ts.map +1 -0
package/dist/roleRegistry.js +195 -0
package/dist/roleRegistry.js.map +1 -0
package/dist/types.d.ts +44 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +16 -0
package/dist/types.js.map +1 -0
package/package.json +63 -0

package/README.md ADDED Viewed

@@ -0,0 +1,303 @@
+# easy-psql-rbac
+Role-based access control (RBAC) layer for [easy-psql](https://github.com/Dimitris-Tzilopoylos/easy-psql). Intercepts queries and enforces fine-grained permissions — column filtering, ownership rules, and server-side pre-conditions — based on the authenticated user's role.
+## Installation
+```bash
+npm install easy-psql-rbac
+```
+`easy-psql` is a peer dependency and must be installed separately:
+```bash
+npm install easy-psql
+```
+## Quick Start
+```typescript
+import { EasyPSQLRBAC } from "easy-psql-rbac";
+const rbac = new EasyPSQLRBAC();
+// Define roles
+rbac.withRole("viewer", (role) =>
+  role
+    .findMany("public", "posts", { columns: ["id", "title", "body"] })
+    .findOne("public", "posts",  { columns: ["id", "title", "body"] })
+);
+rbac.withRole("author", (role) =>
+  role
+    .findMany("public", "posts", {
+      columns: ["id", "title", "body", "author_id"],
+      ownership: { enabled: true, columns: ["author_id"] },
+    })
+    .createOne("public", "posts", {
+      columns: ["title", "body", "author_id"],
+      preConditions: { input: { author_id: null } }, // auto-set to user identity
+    })
+    .updateOne("public", "posts", {
+      columns: ["title", "body"],
+      ownership: { enabled: true, columns: ["author_id"] },
+    })
+    .deleteOne("public", "posts", {
+      ownership: { enabled: true, columns: ["author_id"] },
+    })
+);
+// Use with a request
+const user = { id: "user-123", roleId: "author" };
+const model = rbac.findManyModel({
+  schema: "public",
+  table: "posts",
+  user,
+  query: { select: { id: true, title: true }, where: {} },
+});
+// Executes with ownership filter: WHERE author_id = 'user-123'
+```
+## Core Concepts
+### Roles and Permissions
+Permissions are defined per **schema + table + operation**. Each permission entry controls:
+- **`columns`** — whitelist of columns the role may read or write
+- **`ownership`** — automatically scopes queries to the current user's rows
+- **`preConditions`** — server-side conditions injected at query time
+### Ownership Filtering
+When `ownership.enabled` is `true`, the library automatically appends a `WHERE` condition matching the specified columns to the current user's identity:
+```typescript
+ownership: {
+  enabled: true,
+  columns: ["author_id"],                       // column(s) to filter on
+  columnToUserFieldMapper: { author_id: "id" }, // which user field to match (default: userIdentityKey)
+}
+```
+For inserts, ownership columns are automatically set to the current user's identity value.
+### Pre-conditions
+Pre-conditions are server-side rules that cannot be overridden by clients:
+```typescript
+preConditions: {
+  where: { is_published: { _eq: true } },  // appended to every query's WHERE
+  input:  { tenant_id: "acme" },           // merged into every INSERT/UPDATE body
+}
+```
+## API Reference
+### `new EasyPSQLRBAC(options?)`
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `userIdentityKey` | `string` | `"id"` | Field on the user object used for ownership matching |
+```typescript
+const rbac = new EasyPSQLRBAC({ userIdentityKey: "userId" });
+```
+---
+### Role Definition
+#### `rbac.withRole(id, callback)`
+Registers or replaces a role. The callback receives a `RoleConfig` builder and must return it.
+```typescript
+rbac.withRole("admin", (role) =>
+  role
+    .findMany("public", "users", { columns: ["id", "email", "name"] })
+    .updateOne("public", "users", { columns: ["email", "name"] })
+);
+```
+#### `rbac.upsertRole(roleConfig)`
+Upserts a pre-built `RoleConfig` instance.
+#### `rbac.deleteRole(id)`
+Removes a role from the registry.
+---
+### `RoleConfig` Builder Methods
+Each method takes `(schema: string, table: string, permissions: EntityPermissions)` and returns the builder for chaining.
+| Method | Operation |
+|--------|-----------|
+| `.findMany(schema, table, permissions)` | SELECT multiple rows |
+| `.findOne(schema, table, permissions)` | SELECT single row |
+| `.aggregate(schema, table, permissions)` | Aggregate queries |
+| `.createOne(schema, table, permissions)` | INSERT single row |
+| `.createMany(schema, table, permissions)` | INSERT multiple rows |
+| `.updateOne(schema, table, permissions)` | UPDATE single row |
+| `.updateMany(schema, table, permissions)` | UPDATE multiple rows |
+| `.deleteOne(schema, table, permissions)` | DELETE single row |
+| `.deleteMany(schema, table, permissions)` | DELETE multiple rows |
+---
+### Query Model Methods
+Each model method sanitizes the incoming query/body against the role's permissions and returns an object ready to pass to the `easy-psql` engine.
+```typescript
+rbac.findManyModel({ schema, table, user, query?, connection?, bypass? })
+rbac.findOneModel({ schema, table, user, query?, connection?, bypass? })
+rbac.aggregateModel({ schema, table, user, query?, connection?, bypass? })
+rbac.createOneModel({ schema, table, user, body?, connection?, bypass? })
+rbac.createManyModel({ schema, table, user, body?, connection?, bypass? })
+rbac.updateOneModel({ schema, table, user, input?, connection?, bypass? })
+rbac.updateManyModel({ schema, table, user, input?, connection?, bypass? })
+rbac.deleteOneModel({ schema, table, user, query?, connection?, bypass? })
+rbac.deleteManyModel({ schema, table, user, query?, connection?, bypass? })
+```
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `schema` | `string` | PostgreSQL schema name |
+| `table` | `string` | Table name |
+| `user` | `User` | Authenticated user object with a `roleId` field |
+| `bypass` | `boolean` | Skip all RBAC checks (use for internal/admin operations) |
+| `connection` | any | Optional database connection override |
+---
+### `EntityPermissions` Shape
+```typescript
+interface EntityPermissions {
+  columns?: string[];
+  ownership?: {
+    enabled?: boolean;
+    columns?: string[];
+    columnToUserFieldMapper?: Record<string, string>;
+  };
+  preConditions?: {
+    where?: Record<string, any>;
+    input?: Record<string, any>;
+  };
+}
+```
+---
+### Errors
+| Class | HTTP Status | Thrown When |
+|-------|-------------|-------------|
+| `ForbiddenError` | 403 | User has no role, role doesn't exist, or role lacks permission for the operation |
+| `BadRequest` | 400 | Query contains columns or conditions the role is not allowed to use |
+```typescript
+import { ForbiddenError, BadRequest } from "easy-psql-rbac";
+try {
+  const model = rbac.findManyModel({ schema: "public", table: "users", user });
+} catch (err) {
+  if (err instanceof ForbiddenError) {
+    // respond 403
+  }
+  if (err instanceof BadRequest) {
+    // respond 400
+  }
+}
+```
+---
+## Advanced Usage
+### Multi-column Ownership
+```typescript
+rbac.withRole("member", (role) =>
+  role.findMany("public", "documents", {
+    columns: ["id", "title", "org_id", "owner_id"],
+    ownership: {
+      enabled: true,
+      columns: ["owner_id"],
+      columnToUserFieldMapper: { owner_id: "userId" },
+    },
+  })
+);
+```
+### Forced Server-side Values on Insert
+```typescript
+rbac.withRole("tenant-user", (role) =>
+  role.createOne("public", "records", {
+    columns: ["name", "data", "tenant_id"],
+    preConditions: {
+      input: { tenant_id: "fixed-tenant-id" }, // client cannot override this
+    },
+  })
+);
+```
+### Scoped Read with Pre-condition WHERE
+```typescript
+rbac.withRole("moderator", (role) =>
+  role.findMany("public", "reports", {
+    columns: ["id", "content", "status"],
+    preConditions: {
+      where: { status: { _eq: "pending" } },
+    },
+  })
+);
+```
+### Bypass for Internal Operations
+```typescript
+const model = rbac.deleteOneModel({
+  schema: "public",
+  table: "sessions",
+  user: adminUser,
+  bypass: true,
+  query: { where: { expired: { _eq: true } } },
+});
+```
+---
+## TypeScript
+The package ships with full TypeScript declarations. All types are exported from the main entry point:
+```typescript
+import {
+  EasyPSQLRBAC,
+  RoleRegistry,
+  RoleConfig,
+  ForbiddenError,
+  BadRequest,
+  AllowedEngineApiAccessTypes,
+  type EntityPermissions,
+  type RolePermissions,
+  type User,
+} from "easy-psql-rbac";
+```
+---
+## License
+ISC

package/dist/badrequest.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export declare class BadRequest extends Error {
+    readonly status = 400;
+    constructor(message?: string);
+}
+//# sourceMappingURL=badrequest.d.ts.map

package/dist/badrequest.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"badrequest.d.ts","sourceRoot":"","sources":["../src/badrequest.ts"],"names":[],"mappings":"AAAA,qBAAa,UAAW,SAAQ,KAAK;IACnC,QAAQ,CAAC,MAAM,OAAO;gBACV,OAAO,CAAC,EAAE,MAAM;CAG7B"}

package/dist/badrequest.js ADDED Viewed

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BadRequest = void 0;
+class BadRequest extends Error {
+    constructor(message) {
+        super(message);
+        this.status = 400;
+    }
+}
+exports.BadRequest = BadRequest;
+//# sourceMappingURL=badrequest.js.map

package/dist/badrequest.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"badrequest.js","sourceRoot":"","sources":["../src/badrequest.ts"],"names":[],"mappings":";;;AAAA,MAAa,UAAW,SAAQ,KAAK;IAEnC,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFR,WAAM,GAAG,GAAG,CAAC;IAGtB,CAAC;CACF;AALD,gCAKC"}

package/dist/forbidden.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+export declare class ForbiddenError extends Error {
+    status: 403;
+    constructor(message?: string);
+}
+//# sourceMappingURL=forbidden.d.ts.map

package/dist/forbidden.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"forbidden.d.ts","sourceRoot":"","sources":["../src/forbidden.ts"],"names":[],"mappings":"AAAA,qBAAa,cAAe,SAAQ,KAAK;IACvC,MAAM,EAAE,GAAG,CAAC;gBACA,OAAO,CAAC,EAAE,MAAM;CAI7B"}

package/dist/forbidden.js ADDED Viewed

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ForbiddenError = void 0;
+class ForbiddenError extends Error {
+    constructor(message) {
+        super(message);
+        this.status = 403;
+    }
+}
+exports.ForbiddenError = ForbiddenError;
+//# sourceMappingURL=forbidden.js.map

package/dist/forbidden.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"forbidden.js","sourceRoot":"","sources":["../src/forbidden.ts"],"names":[],"mappings":";;;AAAA,MAAa,cAAe,SAAQ,KAAK;IAEvC,YAAY,OAAgB;QAC1B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,MAAM,GAAG,GAAG,CAAC;IACpB,CAAC;CACF;AAND,wCAMC"}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export * from "./rbac";
+export * from "./badrequest";
+export * from "./forbidden";
+export * from "./types";
+export * from "./roleRegistry";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,QAAQ,CAAC;AACvB,cAAc,cAAc,CAAC;AAC7B,cAAc,aAAa,CAAC;AAC5B,cAAc,SAAS,CAAC;AACxB,cAAc,gBAAgB,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./rbac"), exports);
+__exportStar(require("./badrequest"), exports);
+__exportStar(require("./forbidden"), exports);
+__exportStar(require("./types"), exports);
+__exportStar(require("./roleRegistry"), exports);
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yCAAuB;AACvB,+CAA6B;AAC7B,8CAA4B;AAC5B,0CAAwB;AACxB,iDAA+B"}

package/dist/rbac.d.ts ADDED Viewed

@@ -0,0 +1,152 @@
+import { AllowedEngineApiAccessTypes, EntityPermissions, Model, RBACOptions, Relation, User } from "./types";
+import { RoleRegistry } from "./roleRegistry";
+export declare class EasyPSQLRBAC extends RoleRegistry {
+    options: RBACOptions;
+    constructor(options?: RBACOptions);
+    private assertUserIdentityKey;
+    private model;
+    roleBasedModel({ table, schema, connection, apiAccessType, bypass, input, user, }: {
+        table: string;
+        schema: string;
+        connection?: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        bypass?: boolean;
+        input?: any;
+        user?: User;
+    }): any;
+    getUserRolePermissionsForEntity({ schema, table, user, apiAccessType, }: {
+        schema: string;
+        table: string;
+        user?: User;
+        apiAccessType: AllowedEngineApiAccessTypes;
+    }): EntityPermissions;
+    roleBasedSelectSanitization({ model, input, apiAccessType, user, entityPermissions, }: {
+        model: Model;
+        input: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        user?: User;
+        entityPermissions: EntityPermissions;
+    }): void;
+    roleBasedInsertSanitization({ model, input, apiAccessType, user, entityPermissions, }: {
+        model: Model;
+        input: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        user?: User;
+        entityPermissions: EntityPermissions;
+    }): void;
+    roleBasedUpdateSanitization({ model, input, apiAccessType, user, entityPermissions, }: {
+        model: Model;
+        input: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        user?: User;
+        entityPermissions: EntityPermissions;
+    }): void;
+    roleBasedWhereSanitization({ model, where, apiAccessType, user, entityPermissions, }: {
+        model: Model;
+        where: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        user?: User;
+        entityPermissions: EntityPermissions;
+    }): void;
+    roleBasedDeleteSanitization({ model, input, apiAccessType, user, entityPermissions, }: {
+        model: Model;
+        input: any;
+        apiAccessType: AllowedEngineApiAccessTypes;
+        user?: User;
+        entityPermissions: EntityPermissions;
+    }): void;
+    isColumnInRelationColumns({ relation, column, }: {
+        relation: Relation;
+        column: string;
+    }): boolean;
+    fastDeepClone<T = any>(obj: T): T;
+    mergeWhereWithPreConditions({ where, preConditions, }: {
+        where: any;
+        preConditions: any;
+    }): any;
+    findManyModel({ schema, table, connection, bypass, query, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        query?: any;
+        user?: User;
+    }): any;
+    findOneModel({ schema, table, connection, bypass, query, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        query?: any;
+        user?: User;
+    }): any;
+    aggregateModel({ schema, table, connection, bypass, query, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        query?: any;
+        user?: User;
+    }): any;
+    createManyModel({ schema, table, connection, bypass, body, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        body: any;
+        user?: User;
+    }): any;
+    createOneModel({ schema, table, connection, bypass, body, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        body: any;
+        user?: User;
+    }): any;
+    updateManyModel({ schema, table, connection, bypass, input, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        input: {
+            update: any;
+            where?: any;
+        };
+        user?: User;
+    }): any;
+    updateOneModel({ schema, table, connection, bypass, input, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        input: {
+            update: any;
+            where?: any;
+        };
+        user?: User;
+    }): any;
+    deleteManyModel({ schema, table, connection, bypass, input, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        input: {
+            where?: any;
+        };
+        user?: User;
+    }): any;
+    deleteOneModel({ schema, table, connection, bypass, input, user, }: {
+        schema: string;
+        table: string;
+        connection?: any;
+        bypass?: boolean;
+        input: {
+            where?: any;
+        };
+        user?: User;
+    }): any;
+    private toUserOwnershipColumnValueDefault;
+    private toUserOwnershipColumnNameMapper;
+}
+//# sourceMappingURL=rbac.d.ts.map

package/dist/rbac.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac.d.ts","sourceRoot":"","sources":["../src/rbac.ts"],"names":[],"mappings":"AAEA,OAAO,EACL,2BAA2B,EAC3B,iBAAiB,EACjB,KAAK,EACL,WAAW,EACX,QAAQ,EACR,IAAI,EACL,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE9C,qBAAa,YAAa,SAAQ,YAAY;IAC5C,OAAO,EAAE,WAAW,CAAC;gBACT,OAAO,CAAC,EAAE,WAAW;IASjC,OAAO,CAAC,qBAAqB;IAS7B,OAAO,CAAC,KAAK;IAYb,cAAc,CAAC,EACb,KAAK,EACL,MAAM,EACN,UAAU,EACV,aAAa,EACb,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,KAAK,EAAE,MAAM,CAAC;QACd,MAAM,EAAE,MAAM,CAAC;QACf,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,aAAa,EAAE,2BAA2B,CAAC;QAC3C,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,GAAG,CAAC;QACZ,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAuED,+BAA+B,CAAC,EAC9B,MAAM,EACN,KAAK,EACL,IAAI,EACJ,aAAa,GACd,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,aAAa,EAAE,2BAA2B,CAAC;KAC5C,GAAG,iBAAiB;IAOrB,2BAA2B,CAAC,EAC1B,KAAK,EACL,KAAK,EACL,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,EAAE;QACD,KAAK,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,2BAA2B,CAAC;QAC3C,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,iBAAiB,EAAE,iBAAiB,CAAC;KACtC;IAuSD,2BAA2B,CAAC,EAC1B,KAAK,EACL,KAAK,EACL,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,EAAE;QACD,KAAK,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,2BAA2B,CAAC;QAC3C,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,iBAAiB,EAAE,iBAAiB,CAAC;KACtC;IAmFD,2BAA2B,CAAC,EAC1B,KAAK,EACL,KAAK,EACL,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,EAAE;QACD,KAAK,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,2BAA2B,CAAC;QAC3C,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,iBAAiB,EAAE,iBAAiB,CAAC;KACtC;IAyED,0BAA0B,CAAC,EACzB,KAAK,EACL,KAAK,EACL,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,EAAE;QACD,KAAK,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,2BAA2B,CAAC;QAC3C,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,iBAAiB,EAAE,iBAAiB,CAAC;KACtC;IAkID,2BAA2B,CAAC,EAC1B,KAAK,EACL,KAAK,EACL,aAAa,EACb,IAAI,EACJ,iBAAiB,GAClB,EAAE;QACD,KAAK,EAAE,KAAK,CAAC;QACb,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,2BAA2B,CAAC;QAC3C,IAAI,CAAC,EAAE,IAAI,CAAC;QACZ,iBAAiB,EAAE,iBAAiB,CAAC;KACtC;IAqDD,yBAAyB,CAAC,EACxB,QAAQ,EACR,MAAM,GACP,EAAE;QACD,QAAQ,EAAE,QAAQ,CAAC;QACnB,MAAM,EAAE,MAAM,CAAC;KAChB;IAQD,aAAa,CAAC,CAAC,GAAG,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,CAAC;IAqBjC,2BAA2B,CAAC,EAC1B,KAAK,EACL,aAAa,GACd,EAAE;QACD,KAAK,EAAE,GAAG,CAAC;QACX,aAAa,EAAE,GAAG,CAAC;KACpB;IAqBD,aAAa,CAAC,EACZ,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,GAAG,CAAC;QACZ,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAcD,YAAY,CAAC,EACX,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,GAAG,CAAC;QACZ,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,cAAc,CAAC,EACb,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,CAAC,EAAE,GAAG,CAAC;QACZ,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,eAAe,CAAC,EACd,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,IAAI,EACJ,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,GAAG,CAAC;QACV,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,cAAc,CAAC,EACb,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,IAAI,EACJ,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,IAAI,EAAE,GAAG,CAAC;QACV,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,eAAe,CAAC,EACd,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,EAAE;YAAE,MAAM,EAAE,GAAG,CAAC;YAAC,KAAK,CAAC,EAAE,GAAG,CAAA;SAAE,CAAC;QACpC,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,cAAc,CAAC,EACb,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,EAAE;YAAE,MAAM,EAAE,GAAG,CAAC;YAAC,KAAK,CAAC,EAAE,GAAG,CAAA;SAAE,CAAC;QACpC,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,eAAe,CAAC,EACd,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,EAAE;YAAE,KAAK,CAAC,EAAE,GAAG,CAAA;SAAE,CAAC;QACvB,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,cAAc,CAAC,EACb,MAAM,EACN,KAAK,EACL,UAAU,EACV,MAAM,EACN,KAAK,EACL,IAAI,GACL,EAAE;QACD,MAAM,EAAE,MAAM,CAAC;QACf,KAAK,EAAE,MAAM,CAAC;QACd,UAAU,CAAC,EAAE,GAAG,CAAC;QACjB,MAAM,CAAC,EAAE,OAAO,CAAC;QACjB,KAAK,EAAE;YAAE,KAAK,CAAC,EAAE,GAAG,CAAA;SAAE,CAAC;QACvB,IAAI,CAAC,EAAE,IAAI,CAAC;KACb;IAaD,OAAO,CAAC,iCAAiC;IAIzC,OAAO,CAAC,+BAA+B;CAaxC"}