evlog 2.13.0 → 2.14.1

package/dist/{types-DbzDln7O.d.mts → audit-CTIviX3P.d.mts}

@@ -363,7 +363,97 @@ interface LoggerConfig {
   _suppressDrainWarning?: boolean;
 }
 /**
- * Base structure for all wide events
+ * Audit actor — who initiated the action.
+ *
+ * `type` covers the most common actor families. `id` is required and should be
+ * a stable identifier (user id, service name, API key id, agent id). `model`,
+ * `tools`, `reason`, and `promptId` are filled when `type === 'agent'` and
+ * mirror the AI SDK fields already used by `evlog/ai`.
+ */
+interface AuditActor {
+  type: 'user' | 'system' | 'api' | 'agent';
+  id: string;
+  displayName?: string;
+  email?: string;
+  model?: string;
+  tools?: string[];
+  reason?: string;
+  promptId?: string;
+}
+/**
+ * Audit target — the resource the action was performed on.
+ *
+ * `type` is a free-form string (e.g. `'invoice'`, `'user'`, `'subscription'`)
+ * narrowed by {@link defineAuditAction}. Additional fields are allowed for
+ * resource-specific metadata (e.g. `tenantId`, `path`, `previousOwnerId`).
+ */
+interface AuditTarget {
+  type: string;
+  id: string;
+  [key: string]: unknown;
+}
+/**
+ * Reserved audit fields on the wide event.
+ *
+ * Set via `log.audit({ ... })`, `log.set({ audit: { ... } })`, or the
+ * standalone `audit({ ... })` helper. Downstream filters on `audit IS NOT NULL`.
+ *
+ * - `outcome` — `'success' | 'failure' | 'denied'`. `'denied'` records an
+ *   AuthZ-denied action (often forgotten but exactly what auditors want).
+ * - `changes.before/after` — the diff for mutating actions. Use
+ *   {@link auditDiff} to produce a redact-aware compact JSON Patch.
+ * - `causationId` / `correlationId` — chain related actions (admin action →
+ *   system reactions). Set by callers, propagated by `auditEnricher` when
+ *   available on the request.
+ * - `signature` / `prevHash` — populated by the {@link signed} drain wrapper.
+ *   Never set by application code.
+ * - `idempotencyKey` — derived deterministically by `log.audit()` so retries
+ *   across drains are safe.
+ * - `context` — request/runtime context auto-populated by {@link auditEnricher}
+ *   (`requestId`, `traceId`, `ip`, `userAgent`, `tenantId`).
+ */
+interface AuditFields {
+  /** Action name. Convention: `'<resource>.<verb>'`, e.g. `'invoice.refund'`. */
+  action: string;
+  actor: AuditActor;
+  target?: AuditTarget;
+  outcome: 'success' | 'failure' | 'denied';
+  /** Human-readable explanation, especially required for `outcome: 'denied'`. */
+  reason?: string;
+  /** Before/after snapshots for mutating actions. */
+  changes?: {
+    before?: unknown;
+    after?: unknown;
+  };
+  /** ID of the action that caused this one. */
+  causationId?: string;
+  /** ID shared by every action in the same logical operation. */
+  correlationId?: string;
+  /** Schema version of the audit envelope. Defaults to `1` when omitted by the caller. */
+  version?: number;
+  /** Set by `log.audit()` as a stable hash for safe retries across drains. */
+  idempotencyKey?: string;
+  /** Request/runtime context — populated by `auditEnricher`. */
+  context?: {
+    requestId?: string;
+    traceId?: string;
+    ip?: string;
+    userAgent?: string;
+    tenantId?: string;
+    [key: string]: unknown;
+  };
+  /** HMAC signature of the event when wrapped with `signed({ strategy: 'hmac' })`. */
+  signature?: string;
+  /** Previous event hash when wrapped with `signed({ strategy: 'hash-chain' })`. */
+  prevHash?: string;
+  /** Hash of the current event when wrapped with `signed({ strategy: 'hash-chain' })`. */
+  hash?: string;
+}
+/**
+ * Base structure for all wide events.
+ *
+ * Augment via `declare module 'evlog'` to add app-specific top-level fields.
+ * `audit` is reserved for {@link AuditFields}.
  */
 interface BaseWideEvent {
   timestamp: string;
@@ -373,6 +463,7 @@ interface BaseWideEvent {
   version?: string;
   commitHash?: string;
   region?: string;
+  audit?: AuditFields;
 }
 /**
  * Wide event with arbitrary additional fields
@@ -508,6 +599,34 @@ interface RequestLogger<T extends object = Record<string, unknown>> {
    * ```
    */
   fork?: (label: string, fn: () => void | Promise<void>) => void;
+  /**
+   * Record an audit event on this wide event. Strictly equivalent to
+   * `log.set({ audit: { ... } })` plus tail-sample force-keep.
+   *
+   * Use `log.audit.deny(reason, fields)` for AuthZ-denied actions — most teams
+   * forget to log denials but they are exactly what auditors and security teams
+   * ask for.
+   *
+   * Available on every logger returned by `createLogger()` / `createRequestLogger()`
+   * and on framework loggers exposed via `useLogger()` / `c.get('log')` etc.
+   *
+   * @example
+   * ```ts
+   * log.audit({
+   *   action: 'invoice.refund',
+   *   actor: { type: 'user', id: user.id, email: user.email },
+   *   target: { type: 'invoice', id: 'inv_889' },
+   *   outcome: 'success',
+   *   reason: 'Customer requested refund',
+   * })
+   * ```
+   */
+  audit?: AuditLoggerMethod;
+}
+/** @internal Forward-declaration to avoid a circular import with `audit.ts`. */
+interface AuditLoggerMethod {
+  (input: AuditInput): void;
+  deny: (reason: string, input: Omit<AuditInput, 'outcome' | 'reason'>) => void;
 }
 /**
  * Log level type
@@ -581,6 +700,16 @@ interface RequestLoggerOptions {
   method?: string;
   path?: string;
   requestId?: string;
+  /**
+   * Registers async drain work with the host runtime so it can finish after the
+   * HTTP response is returned. Required on **Cloudflare Workers** (and similar
+   * edge runtimes): without this, `initLogger({ drain })` + `log.emit()` may
+   * never complete outbound HTTP to observability backends.
+   *
+   * Pass the same function you would pass to `ExecutionContext#waitUntil`, e.g.
+   * `context.waitUntil.bind(context)` from a Workers `fetch` handler.
+   */
+  waitUntil?: (promise: Promise<unknown>) => void;
 }
 /**
  * H3 event context with evlog logger attached
@@ -630,5 +759,382 @@ interface ParsedError {
   raw: unknown;
 }
 //#endregion
-export { TailSamplingCondition as C, WideEvent as E, ServerEvent as S, TransportConfig as T, RequestLogger as _, EnvironmentContext as a, SamplingConfig as b, H3EventContext as c, Log as d, LogLevel as f, RequestLogEntry as g, RedactConfig as h, EnrichContext as i, IngestPayload as l, ParsedError as m, DeepPartial as n, ErrorOptions as o, LoggerConfig as p, DrainContext as r, FieldContext as s, BaseWideEvent as t, InternalFields as u, RequestLoggerOptions as v, TailSamplingContext as w, SamplingRates as x, RouteConfig as y };
-//# sourceMappingURL=types-DbzDln7O.d.mts.map
+//#region src/audit.d.ts
+/**
+ * Current version of the audit envelope. Bumped when `AuditFields` evolves
+ * in a backward-incompatible way so downstream pipelines can branch on it.
+ */
+declare const AUDIT_SCHEMA_VERSION = 1;
+/**
+ * Input accepted by `log.audit()`, `audit()`, and `withAudit()`.
+ *
+ * `outcome` defaults to `'success'`. Internal fields populated by the audit
+ * pipeline (`idempotencyKey`, `context`, `signature`, `prevHash`, `hash`) are
+ * stripped — pass them through `log.set({ audit })` if you really need to.
+ */
+interface AuditInput {
+  action: string;
+  actor: AuditActor;
+  target?: AuditTarget;
+  outcome?: AuditFields['outcome'];
+  reason?: string;
+  changes?: AuditFields['changes'];
+  causationId?: string;
+  correlationId?: string;
+  version?: number;
+}
+/**
+ * Build a normalised {@link AuditFields} from caller input. Defaults:
+ * - `outcome` → `'success'`
+ * - `version` → {@link AUDIT_SCHEMA_VERSION}
+ *
+ * `idempotencyKey` is filled at emit time with the event timestamp so retries
+ * stay deterministic.
+ */
+declare function buildAuditFields(input: AuditInput): AuditFields;
+/**
+ * Add audit semantics to an existing {@link RequestLogger}.
+ *
+ * Mutates the logger in place by adding an `audit` method (with a `.deny()`
+ * sub-method). Strictly equivalent to calling `log.set({ audit: ... })` plus
+ * `_forceKeep` on emit. Idempotent: calling twice on the same logger only
+ * attaches the methods once.
+ *
+ * @example
+ * ```ts
+ * const log = withAuditMethods(createLogger())
+ * log.audit({
+ *   action: 'invoice.refund',
+ *   actor: { type: 'user', id: user.id },
+ *   target: { type: 'invoice', id: 'inv_889' },
+ * })
+ * ```
+ */
+declare function withAuditMethods<T extends object = Record<string, unknown>>(logger: RequestLogger<T>): AuditableLogger<T>;
+/**
+ * Logger augmented with `.audit()` / `.audit.deny()` helpers.
+ */
+type AuditableLogger<T extends object = Record<string, unknown>> = RequestLogger<T> & {
+  audit: AuditMethod<T>;
+};
+/** Method shape attached to {@link AuditableLogger}. */
+interface AuditMethod<T extends object = Record<string, unknown>> {
+  (input: AuditInput): void;
+  /**
+   * Record an AuthZ-denied action. Forces `outcome: 'denied'` and requires
+   * a human-readable `reason`. Most teams forget to log denials — they are
+   * exactly what auditors and security teams ask for.
+   */
+  deny: (reason: string, input: Omit<AuditInput, 'outcome' | 'reason'>) => void;
+}
+/**
+ * Standalone audit emitter for non-request contexts (jobs, scripts, CLIs).
+ *
+ * Creates a one-shot logger, sets the audit fields, and emits immediately.
+ * The event is force-kept past tail sampling. Returns the emitted wide event,
+ * or `null` if logging is globally disabled.
+ *
+ * @example
+ * ```ts
+ * import { audit } from 'evlog'
+ *
+ * audit({
+ *   action: 'cron.cleanup',
+ *   actor: { type: 'system', id: 'cron' },
+ *   target: { type: 'job', id: 'cleanup-stale-sessions' },
+ *   outcome: 'success',
+ * })
+ * ```
+ */
+declare function audit(input: AuditInput): WideEvent | null;
+/**
+ * Wrap a function so its outcome (success / failure / denied) is automatically
+ * audited.
+ *
+ * Behaviour:
+ * - If `fn` resolves, an audit event with `outcome: 'success'` is emitted.
+ * - If `fn` throws an `EvlogError` (or any error) with `status === 403`, the
+ *   audit event is recorded as `'denied'` with the error message as `reason`.
+ * - Any other thrown error produces `outcome: 'failure'` and re-throws.
+ *
+ * Use {@link AuditDeniedError} to signal denial without an HTTP status.
+ *
+ * @example
+ * ```ts
+ * const refundInvoice = withAudit(
+ *   { action: 'invoice.refund', target: (input) => ({ type: 'invoice', id: input.id }) },
+ *   async (input: { id: string }, ctx: { actor: AuditActor }) => {
+ *     await db.invoices.refund(input.id)
+ *   }
+ * )
+ *
+ * await refundInvoice({ id: 'inv_889' }, { actor: { type: 'user', id: user.id } })
+ * ```
+ */
+declare function withAudit<TInput, TOutput>(options: WithAuditOptions<TInput>, fn: (input: TInput, ctx: WithAuditContext) => Promise<TOutput> | TOutput): (input: TInput, ctx: WithAuditContext) => Promise<TOutput>;
+/**
+ * Throw inside a {@link withAudit} body to mark the action as `outcome: 'denied'`
+ * regardless of the underlying HTTP status. The constructor message becomes the
+ * audit `reason`.
+ */
+declare class AuditDeniedError extends Error {
+  constructor(reason: string);
+}
+/** Options for {@link withAudit}. `target` may be derived from the input. */
+interface WithAuditOptions<TInput> {
+  action: string;
+  target?: AuditTarget | ((input: TInput) => AuditTarget | undefined);
+}
+/**
+ * Runtime context required by a {@link withAudit}-wrapped function.
+ * The actor is always required; correlation IDs are optional.
+ */
+interface WithAuditContext {
+  actor: AuditActor;
+  causationId?: string;
+  correlationId?: string;
+}
+/**
+ * Compute a compact, redact-aware diff between two objects for the
+ * `changes` field. Output is a JSON Patch-style array (RFC 6902 subset:
+ * `add`, `remove`, `replace`) — small enough to ship over the wire.
+ *
+ * Object keys whose name matches one of the `redactPaths` (dot-notation, e.g.
+ * `'user.password'`, `'card.cvv'`) are replaced with `'[REDACTED]'` so PII
+ * never leaks through the diff.
+ *
+ * @example
+ * ```ts
+ * log.audit({
+ *   action: 'user.update',
+ *   actor: { type: 'user', id: user.id },
+ *   target: { type: 'user', id: 'usr_42' },
+ *   changes: auditDiff(before, after, { redactPaths: ['password'] }),
+ * })
+ * ```
+ */
+declare function auditDiff(before: unknown, after: unknown, options?: AuditDiffOptions): {
+  before?: unknown;
+  after?: unknown;
+  patch: AuditPatchOp[];
+};
+/** Single JSON Patch operation produced by {@link auditDiff}. */
+interface AuditPatchOp {
+  op: 'add' | 'remove' | 'replace';
+  path: string;
+  value?: unknown;
+}
+/** Options for {@link auditDiff}. */
+interface AuditDiffOptions {
+  /** Object keys (dot-notation) whose values should be replaced with `[REDACTED]`. */
+  redactPaths?: string[];
+  /** Custom replacement string. @default '[REDACTED]' */
+  replacement?: string;
+  /** Include the full redacted `before` snapshot alongside the patch. */
+  includeBefore?: boolean;
+  /** Include the full redacted `after` snapshot alongside the patch. */
+  includeAfter?: boolean;
+}
+/**
+ * Define a typed audit action with an optional fixed target type.
+ *
+ * Returns a curried helper that fills in the action name (and target shape
+ * if provided) so call sites stay terse and the action set is discoverable
+ * in one place.
+ *
+ * @example
+ * ```ts
+ * const refund = defineAuditAction('invoice.refund', { target: 'invoice' })
+ *
+ * log.audit(refund({
+ *   actor: { type: 'user', id: user.id },
+ *   target: { id: 'inv_889' }, // type inferred as 'invoice'
+ *   outcome: 'success',
+ * }))
+ * ```
+ */
+declare function defineAuditAction<TTargetType extends string | undefined = undefined>(action: string, options?: {
+  target?: TTargetType;
+}): DefinedAuditAction<TTargetType>;
+/**
+ * Return type of {@link defineAuditAction}. Accepts a partial input (no
+ * `action`, target type pre-filled when provided).
+ */
+type DefinedAuditAction<TTargetType extends string | undefined> = (input: TTargetType extends string ? Omit<AuditInput, 'action' | 'target'> & {
+  target?: Omit<AuditTarget, 'type'> & {
+    type?: TTargetType;
+  };
+} : Omit<AuditInput, 'action'>) => AuditInput;
+/**
+ * Test helper that captures every audit event emitted while it is active.
+ *
+ * Returns `{ events, restore, expect }`:
+ * - `events` — live array of captured `AuditFields`, populated as audits fire.
+ * - `restore()` — uninstall the collector. Call from `afterEach()`.
+ * - `expect.toIncludeAuditOf(matcher)` — assertion helper used inside `expect`
+ *   blocks, returns `true` if at least one captured event matches.
+ *
+ * Only captures audits going through `log.audit()` and the standalone
+ * `audit()` function. Events emitted via raw `log.set({ audit })` skip the
+ * collector by design — wrap them with `log.audit()` to make them visible to
+ * tests.
+ *
+ * @example
+ * ```ts
+ * const captured = mockAudit()
+ * await refundInvoice('inv_889')
+ * expect(captured.events).toHaveLength(1)
+ * expect(captured.toIncludeAuditOf({ action: 'invoice.refund' })).toBe(true)
+ * captured.restore()
+ * ```
+ */
+declare function mockAudit(): MockAudit;
+/** Result of {@link mockAudit}. */
+interface MockAudit {
+  events: AuditFields[];
+  restore: () => void;
+  toIncludeAuditOf: (matcher: AuditMatcher) => boolean;
+}
+/** Partial structural matcher for {@link MockAudit.toIncludeAuditOf}. */
+interface AuditMatcher {
+  action?: string | RegExp;
+  outcome?: AuditFields['outcome'];
+  actor?: Partial<AuditActor>;
+  target?: Partial<AuditTarget>;
+}
+/** Shape of the optional better-auth bridge for the audit enricher. */
+interface AuditEnricherBetterAuthBridge {
+  /** Read the current authenticated session for this request, if any. */
+  getSession: (ctx: EnrichContext) => Promise<AuditActor | null | undefined> | AuditActor | null | undefined;
+}
+/** Options for {@link auditEnricher}. */
+interface AuditEnricherOptions {
+  /**
+   * Resolve the tenant id for the current request. The result is stored at
+   * `event.audit.context.tenantId`. Multi-tenant SaaS gets isolation by default.
+   */
+  tenantId?: (ctx: EnrichContext) => string | undefined;
+  /**
+   * Bridge to populate `event.audit.actor` from the authenticated session.
+   * Only used when the application has not already filled `actor`.
+   */
+  bridge?: AuditEnricherBetterAuthBridge;
+  /** When true, overwrite existing context fields. @default false */
+  overwrite?: boolean;
+}
+/**
+ * Enrich audit-bearing wide events with request, runtime, and tenant context.
+ *
+ * Runs only when `event.audit` is present — every other event passes through
+ * untouched. Populates:
+ * - `event.audit.context.requestId` from `ctx.request.requestId`
+ * - `event.audit.context.traceId`   from `event.traceId`
+ * - `event.audit.context.ip`        from `x-forwarded-for` / `x-real-ip`
+ * - `event.audit.context.userAgent` from `user-agent`
+ * - `event.audit.context.tenantId`  from `options.tenantId(ctx)`
+ *
+ * Optionally fills `event.audit.actor` from the better-auth bridge when the
+ * caller did not provide one. Anything else (custom actor strategies,
+ * extra context) belongs in a custom enricher — replace this one entirely.
+ */
+declare function auditEnricher(options?: AuditEnricherOptions): (ctx: EnrichContext) => void | Promise<void>;
+/** Options accepted by {@link auditOnly}. */
+interface AuditOnlyOptions {
+  /**
+   * When true, the wrapper awaits the wrapped drain so the event is flushed
+   * before the request resolves. Use for crash-safe audit storage.
+   * @default false
+   */
+  await?: boolean;
+}
+/** Drain function signature accepted by all wrappers. Matches `LoggerConfig['drain']`. */
+type DrainFn = (ctx: DrainContext) => void | Promise<void>;
+/**
+ * Wrap any drain so it only receives events that carry an `audit` field.
+ *
+ * Use to route audit events to dedicated storage (separate Axiom dataset,
+ * append-only Postgres table, FS journal) without affecting your main drain.
+ *
+ * Per-sink failure isolation comes from `initLogger({ drain: [...] })`: each
+ * drain in the array is invoked independently, so a crashed Axiom call never
+ * blocks the FS audit drain.
+ *
+ * @example
+ * ```ts
+ * import { initLogger, auditOnly } from 'evlog'
+ * import { createAxiomDrain } from 'evlog/axiom'
+ * import { createFsDrain } from 'evlog/fs'
+ *
+ * initLogger({
+ *   drain: [
+ *     createAxiomDrain({ dataset: 'logs' }),
+ *     auditOnly(createFsDrain({ dir: '.audit' }), { await: true }),
+ *   ],
+ * })
+ * ```
+ */
+declare function auditOnly(drain: DrainFn, options?: AuditOnlyOptions): DrainFn;
+/** Pluggable persistence for the hash-chain state. */
+interface SignedChainState {
+  /** Load the previous hash from durable storage, or `null` on first run. */
+  load: () => Promise<string | null> | string | null;
+  /** Persist the latest hash so the chain survives process restarts. */
+  save: (hash: string) => Promise<void> | void;
+}
+/** Options for {@link signed}. Pick a strategy at construction time. */
+type SignedOptions = {
+  strategy: 'hmac';
+  secret: string;
+  algorithm?: 'sha256' | 'sha512';
+} | {
+  strategy: 'hash-chain';
+  state?: SignedChainState;
+  algorithm?: 'sha256' | 'sha512';
+};
+/**
+ * Wrap a drain so every event passing through gains tamper-evident integrity.
+ *
+ * - `'hmac'` — adds `event.audit.signature` (HMAC of the canonical event).
+ * - `'hash-chain'` — adds `event.audit.prevHash` and `event.audit.hash` so the
+ *   sequence of events forms a verifiable chain. State persists in memory
+ *   by default; pass a `state: { load, save }` for cross-process / durable
+ *   chains (Redis, file, Postgres).
+ *
+ * The signature is computed before the event is forwarded to the wrapped
+ * drain — combine with {@link auditOnly} when you only want integrity for
+ * audit events.
+ *
+ * @example
+ * ```ts
+ * import { initLogger, auditOnly, signed } from 'evlog'
+ * import { createFsDrain } from 'evlog/fs'
+ *
+ * initLogger({
+ *   drain: auditOnly(
+ *     signed(createFsDrain({ dir: '.audit' }), { strategy: 'hash-chain' }),
+ *     { await: true },
+ *   ),
+ * })
+ * ```
+ */
+declare function signed(drain: DrainFn, options: SignedOptions): DrainFn;
+/**
+ * Strict redact preset for audit events.
+ *
+ * Combine with the user's existing redact configuration via spread:
+ * `initLogger({ redact: { paths: [...auditRedactPreset.paths!, ...mine] } })`.
+ *
+ * Hardens PII handling:
+ * - Drops `Authorization` and `Cookie` headers anywhere they appear.
+ * - Drops common credential field names (`password`, `passwordHash`, `token`,
+ *   `apiKey`, `secret`, `accessToken`, `refreshToken`, `cardNumber`, `cvv`,
+ *   `ssn`).
+ *
+ * Built-in pattern maskers (email, credit card, …) keep their default
+ * behaviour — partial masking, not full redaction — so audit trails retain
+ * enough signal to be useful.
+ */
+declare const auditRedactPreset: RedactConfig;
+//#endregion
+export { SamplingRates as $, AuditFields as A, H3EventContext as B, buildAuditFields as C, withAudit as D, signed as E, DrainContext as F, LoggerConfig as G, InternalFields as H, EnrichContext as I, RequestLogEntry as J, ParsedError as K, EnvironmentContext as L, AuditTarget as M, BaseWideEvent as N, withAuditMethods as O, DeepPartial as P, SamplingConfig as Q, ErrorOptions as R, auditRedactPreset as S, mockAudit as T, Log as U, IngestPayload as V, LogLevel as W, RequestLoggerOptions as X, RequestLogger as Y, RouteConfig as Z, WithAuditOptions as _, AuditInput as a, auditEnricher as b, AuditOnlyOptions as c, DefinedAuditAction as d, ServerEvent as et, DrainFn as f, WithAuditContext as g, SignedOptions as h, AuditEnricherOptions as i, WideEvent as it, AuditLoggerMethod as j, AuditActor as k, AuditPatchOp as l, SignedChainState as m, AuditDeniedError as n, TailSamplingContext as nt, AuditMatcher as o, MockAudit as p, RedactConfig as q, AuditDiffOptions as r, TransportConfig as rt, AuditMethod as s, AUDIT_SCHEMA_VERSION as t, TailSamplingCondition as tt, AuditableLogger as u, audit as v, defineAuditAction as w, auditOnly as x, auditDiff as y, FieldContext as z };
+//# sourceMappingURL=audit-CTIviX3P.d.mts.map

package/dist/audit-CTIviX3P.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-CTIviX3P.d.mts","names":[],"sources":["../src/types.ts","../src/audit.ts"],"mappings":";;YAGY,iBAAA;IAqpBc;;;;;;;;;;;;;IAvoBtB,iBAAA,GAAoB,GAAA,EAAK,mBAAA,YAA+B,OAAA;IAAA;;;;;;;;;;;IAaxD,cAAA,GAAiB,GAAA,EAAK,aAAA,YAAyB,OAAA;IAkBK;;;;;;;;;;;;;;;;IAApD,aAAA,GAAgB,GAAA,EAAK,YAAA,YAAwB,OAAA;EAAA;AAAA;AAAA;EAAA,UAKrC,iBAAA;IACR,iBAAA,GAAoB,GAAA,EAAK,mBAAA,YAA+B,OAAA;IACxD,cAAA,GAAiB,GAAA,EAAK,aAAA,YAAyB,OAAA;IAC/C,aAAA,GAAgB,GAAA,EAAK,YAAA,YAAwB,OAAA;EAAA;AAAA;;AAOjD;;UAAiB,eAAA;EAiBiB;;;;EAZhC,OAAA;EAYgC;;AAMlC;;EAZE,QAAA;EAY4B;;;;EAN5B,WAAA,GAAc,kBAAA;AAAA;AAmBhB;;;AAAA,UAbiB,aAAA;EACf,SAAA;EACA,KAAA;EAAA,CACC,GAAA;AAAA;;;;;;;;UAUc,YAAA;EAqBJ;EAnBX,KAAA;EAmB2B;EAjB3B,QAAA,GAAW,MAAA;EAiB6B;AAM1C;;;;;;;EAdE,QAAA,WAAmB,KAAA;EAsBd;;AAOP;;;EAvBE,WAAA;EAyBA;EAvBA,QAAA,GAAW,KAAA,EAAO,MAAA,GAAS,KAAA;AAAA;;;AAkC7B;UA5BiB,aAAA;;EAEf,IAAA;EA4BA;EA1BA,IAAA;EA8BA;EA5BA,KAAA;EAgCA;EA9BA,KAAA;AAAA;;;AA0CF;;UAnCiB,qBAAA;EAqCR;EAnCP,MAAA;EA+CY;EA7CZ,QAAA;EA6CkB;EA3ClB,IAAA;AAAA;;;;;UAOe,mBAAA;EAgCL;EA9BV,MAAA;EAiCE;EA/BF,QAAA;EAgCY;EA9BZ,IAAA;EA8BkB;EA5BlB,MAAA;EAoC2B;EAlC3B,OAAA,EAAS,MAAA;EA4CO;;;;EAvChB,UAAA;AAAA;;;;;UAOe,aAAA;EAsCA;EApCf,KAAA,EAAO,SAAA;;EAEP,OAAA;IACE,MAAA;IACA,IAAA;IACA,SAAA;EAAA;EAqE0B;EAlE5B,OAAA,GAAU,MAAA;EAwEK;EAtEf,QAAA;IACE,MAAA;IACA,OAAA,GAAU,MAAA;EAAA;AAAA;;;;;UAQG,YAAA;EA0Ef;EAxEA,KAAA,EAAO,SAAA;EA4EP;EA1EA,OAAA;IACE,MAAA;IACA,IAAA;IACA,SAAA;EAAA;EAqFY;EAlFd,OAAA,GAAU,MAAA;AAAA;;;;UAMK,cAAA;EAqK8B;;;;;;;;;;;;;;;;;;EAlJ7C,KAAA,GAAQ,aAAA;EAoJR;;;AAWF;;;;;;;;;;;;;;EA5IE,IAAA,GAAO,qBAAA;AAAA;;;;UAMQ,WAAA;EA2Jd;EAzJD,OAAA;AAAA;AAgLF;;;AAAA,UA1KiB,kBAAA;EA4Kf;EA1KA,OAAA;EA2KO;EAzKP,WAAA;EA0KS;EAxKT,OAAA;EA2KA;EAzKA,UAAA;EA2KY;EAzKZ,MAAA;AAAA;;;;UAMe,YAAA;EA8Kb;;;;;EAxKF,OAAA;EAgLA;EA9KA,GAAA,GAAM,OAAA,CAAQ,kBAAA;EAkLd;EAhLA,MAAA;EAgLI;EA9KJ,QAAA,GAAW,cAAA;EAuLiB;;;;;;EAhL5B,QAAA,GAAW,QAAA;EAqLX;;;;;EA/KA,SAAA;EAkLmB;AAMrB;;;;;AAMA;EAtLE,MAAA;EAsLqB;;;;;;;;;;;;;;;;;;;;;;;;;AAUvB;;;;;;EAhKE,MAAA,aAAmB,YAAA;EAmKL;;;;;AAUhB;;;;;;;;;AAYA;;;;;;;;;;;;;;;;;EAzJE,KAAA,IAAS,GAAA,EAAK,YAAA,YAAwB,OAAA;EA0JqB;EAxJ3D,qBAAA;AAAA;;;;;;;;;UAWe,UAAA;EACf,IAAA;EACA,EAAA;EACA,WAAA;EACA,KAAA;EACA,KAAA;EACA,KAAA;EACA,MAAA;EACA,QAAA;AAAA;;;;;;;;UAUe,WAAA;EACf,IAAA;EACA,EAAA;EAAA,CACC,GAAA;AAAA;;;;;;;;;;;;;;;;;;;;;UAuBc,WAAA;EAkLG;EAhLlB,MAAA;EACA,KAAA,EAAO,UAAA;EACP,MAAA,GAAS,WAAA;EACT,OAAA;EAkMwC;EAhMxC,MAAA;EAwNA;EAtNA,OAAA;IAAY,MAAA;IAAkB,KAAA;EAAA;EA0NE;EAxNhC,WAAA;EAwNgC;EAtNhC,aAAA;EAwN8B;EAtN9B,OAAA;EAsNkC;EApNlC,cAAA;EAmNC;EAjND,OAAA;IACE,SAAA;IACA,OAAA;IACA,EAAA;IACA,SAAA;IACA,QAAA;IAAA,CACC,GAAA;EAAA;EAkNe;EA/MlB,SAAA;EA+MkB;EA7MlB,QAAA;EAwNe;EAtNf,IAAA;AAAA;;;;;;;UASe,aAAA;EACf,SAAA;EACA,KAAA;EACA,OAAA;EACA,WAAA;EACA,OAAA;EACA,UAAA;EACA,MAAA;EACA,KAAA,GAAQ,WAAA;AAAA;;;;KAME,SAAA,GAAY,aAAA,GAAgB,MAAA;;;;;KAM5B,WAAA,MAAiB,CAAA,SAAU,KAAA,YACnC,CAAA,GACA,CAAA,gCACgB,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,CAAA,OACjC,CAAA;;;;;UAMW,cAAA;EACf,MAAA;EACA,OAAA;EACA,WAAA,GAAc,eAAA;EAkOG;EAhOjB,SAAA;EAmNA;EAjNA,gBAAA;AAAA;;;;UAMe,eAAA;EACf,KAAA;EACA,OAAA;EACA,SAAA;AAAA;;;;;;;KASU,YAAA,oBAAgC,MAAA,qBAC1C,WAAA,CAAY,IAAA,CAAK,CAAA,QAAS,cAAA,KAAmB,cAAA;;;;;AAoO/C;;;;;;;;;;;;;;AAgBA;;;;;;;;;;;;;;;;;UA/MiB,aAAA,oBAAiC,MAAA;EA0N9C;;;;;;;;EAjNF,GAAA,GAAM,OAAA,EAAS,YAAA,CAAa,CAAA;EAoNT;AAMrB;;;;EAnNE,KAAA,GAAQ,KAAA,EAAO,KAAA,WAAgB,OAAA,GAAU,YAAA,CAAa,CAAA;EAqNtD;;;;;EA9MA,IAAA,GAAO,OAAA,UAAiB,OAAA,GAAU,YAAA,CAAa,CAAA;EAkN5C;;;;AC5xBL;EDilBE,IAAA,GAAO,OAAA,UAAiB,OAAA,GAAU,YAAA,CAAa,CAAA;;;;ACxkBjD;;;;EDilBE,IAAA,GAAO,SAAA,GAAY,YAAA,CAAa,CAAA;IAAO,UAAA;EAAA,MAA2B,SAAA;EC3kB7C;;;EDglBrB,UAAA,QAAkB,YAAA,CAAa,CAAA,IAAK,MAAA;ECplB7B;;;;;;;;;;;;;AAuET;;;;;;EDkiBE,IAAA,IAAQ,KAAA,UAAe,EAAA,eAAiB,OAAA;ECliBsB;;AA4ChE;;;;;;;;;;;;;;;;;;;AA+BA;ED+eE,KAAA,GAAQ,iBAAA;AAAA;;UAIO,iBAAA;EAAA,CACd,KAAA,EAD+B,UAAA;EAEhC,IAAA,GAAO,MAAA,UAAgB,KAAA,EAAO,IAAA,CADM,UAAA;AAAA;;;;KAO1B,QAAA;;;;;;;;ACxfZ;;UDmgBiB,GAAA;ECngB+B;;;;;EDygB9C,IAAA,CAAK,GAAA,UAAa,OAAA;EAClB,IAAA,CAAK,KAAA,EAAO,MAAA;EC1gBkC;;;;;EDihB9C,KAAA,CAAM,GAAA,UAAa,OAAA;EACnB,KAAA,CAAM,KAAA,EAAO,MAAA;EC3gBU;;;AAsBzB;;ED4fE,IAAA,CAAK,GAAA,UAAa,OAAA;EAClB,IAAA,CAAK,KAAA,EAAO,MAAA;EC7fe;;;;;EDogB3B,KAAA,CAAM,GAAA,UAAa,OAAA;EACnB,KAAA,CAAM,KAAA,EAAO,MAAA;AAAA;;;;UAME,YAAA;ECzeuC;ED2etD,OAAA;EC3eiE;ED6ejE,MAAA;EC5esB;ED8etB,GAAA;EC9e2C;EDgf3C,GAAA;EChfkD;EDkflD,IAAA;ECrfgC;EDufhC,KAAA,GAAQ,KAAA;ECtfkB;;;;ED2f1B,QAAA,GAAW,MAAA;AAAA;;;;UAMI,oBAAA;EACf,MAAA;EACA,IAAA;EACA,SAAA;EClgBiB;;;;;AAqCnB;;;;EDueE,SAAA,IAAa,OAAA,EAAS,OAAA;AAAA;;;;UAMP,cAAA;EACf,GAAA,GAAM,aAAA;EACN,SAAA;EACA,MAAA;ECpegC;EDsehC,eAAA;ECtesD;EDwetD,aAAA;EC1egC;ED4ehC,gBAAA;EAAA,CACC,GAAA;AAAA;;;;UAMc,WAAA;EACf,MAAA;EACA,IAAA;EACA,OAAA,EAAS,cAAA;IC5eF,yED8eL,UAAA;MACE,OAAA;QACE,SAAA,GAAY,OAAA,EAAS,OAAA;MAAA;IAAA,GC9ed;IDkfX,SAAA,IAAa,OAAA,EAAS,OAAA;EAAA;EAExB,IAAA;IAAS,GAAA;MAAQ,UAAA;IAAA;EAAA;EACjB,QAAA,GAAW,QAAA;AAAA;;;;UAMI,WAAA;EACf,OAAA;EACA,MAAA;EACA,GAAA;EACA,GAAA;EACA,IAAA;EACA,GAAA;AAAA;;;AA3IwB;;;;AAAA,cCjpBb,oBAAA;;;;;;;;UASI,UAAA;EACf,MAAA;EACA,KAAA,EAAO,UAAA;EACP,MAAA,GAAS,WAAA;EACT,OAAA,GAAU,WAAA;EACV,MAAA;EACA,OAAA,GAAU,WAAA;EACV,WAAA;EACA,aAAA;EACA,OAAA;AAAA;;;;;ADuBsD;;;;iBCyCxC,gBAAA,CAAiB,KAAA,EAAO,UAAA,GAAa,WAAA;;;;;;;;;;;;;;;;;;;iBA4CrC,gBAAA,oBAAoC,MAAA,kBAAA,CAAyB,MAAA,EAAQ,aAAA,CAAc,CAAA,IAAK,eAAA,CAAgB,CAAA;;;;KA+B5G,eAAA,oBAAmC,MAAA,qBAA2B,aAAA,CAAc,CAAA;EAAO,KAAA,EAAO,WAAA,CAAY,CAAA;AAAA;;UAGjG,WAAA,oBAA+B,MAAA;EAAA,CAC7C,KAAA,EAAO,UAAA;EDxFR;;;;AAMF;ECwFE,IAAA,GAAO,MAAA,UAAgB,KAAA,EAAO,IAAA,CAAK,UAAA;AAAA;;;;;;;AD3ErC;;;;;;;;;;;;;iBCiGgB,KAAA,CAAM,KAAA,EAAO,UAAA,GAAa,SAAA;;;;;;;;ADtE1C;;;;;;;;;;AAeA;;;;;;;iBCuFgB,SAAA,iBAAA,CACd,OAAA,EAAS,gBAAA,CAAiB,MAAA,GAC1B,EAAA,GAAK,KAAA,EAAO,MAAA,EAAQ,GAAA,EAAK,gBAAA,KAAqB,OAAA,CAAQ,OAAA,IAAW,OAAA,IAC/D,KAAA,EAAO,MAAA,EAAQ,GAAA,EAAK,gBAAA,KAAqB,OAAA,CAAQ,OAAA;;AD7ErD;;;;cCkHa,gBAAA,SAAyB,KAAA;cAExB,MAAA;AAAA;;UAQG,gBAAA;EACf,MAAA;EACA,MAAA,GAAS,WAAA,KAAgB,KAAA,EAAO,MAAA,KAAW,WAAA;AAAA;;ADxG7C;;;UC+GiB,gBAAA;EACf,KAAA,EAAO,UAAA;EACP,WAAA;EACA,aAAA;AAAA;;;;;;;;;;;;;;;AD5FF;;;;;iBCkHgB,SAAA,CACd,MAAA,WACA,KAAA,WACA,OAAA,GAAS,gBAAA;EACN,MAAA;EAAkB,KAAA;EAAiB,KAAA,EAAO,YAAA;AAAA;;UAkE9B,YAAA;EACf,EAAA;EACA,IAAA;EACA,KAAA;AAAA;;UAIe,gBAAA;ED5Jf;EC8JA,WAAA;ED3IA;EC6IA,WAAA;ED7I4B;EC+I5B,aAAA;EDzIe;EC2If,YAAA;AAAA;;;ADnIF;;;;;;;;;;;AAgBA;;;;;iBCwIgB,iBAAA,oDAAA,CACd,MAAA,UACA,OAAA;EAAY,MAAA,GAAS,WAAA;AAAA,IACpB,kBAAA,CAAmB,WAAA;;;;;KAkBV,kBAAA,4CACV,KAAA,EAAO,WAAA,kBACH,IAAA,CAAK,UAAA;EAAqC,MAAA,GAAS,IAAA,CAAK,WAAA;IAAyB,IAAA,GAAO,WAAA;EAAA;AAAA,IACxF,IAAA,CAAK,UAAA,gBACN,UAAA;;;;;;;;;;;;;;;;ADnDL;;;;;;;;iBC4EgB,SAAA,CAAA,GAAa,SAAA;;UAmBZ,SAAA;EACf,MAAA,EAAQ,WAAA;EACR,OAAA;EACA,gBAAA,GAAmB,OAAA,EAAS,YAAA;AAAA;;UAIb,YAAA;EACf,MAAA,YAAkB,MAAA;EAClB,OAAA,GAAU,WAAA;EACV,KAAA,GAAQ,OAAA,CAAQ,UAAA;EAChB,MAAA,GAAS,OAAA,CAAQ,WAAA;AAAA;;UAqDF,6BAAA;ED1Ge;EC4G9B,UAAA,GAAa,GAAA,EAAK,aAAA,KAAkB,OAAA,CAAQ,UAAA,uBAAiC,UAAA;AAAA;;UAI9D,oBAAA;EDtGf;;;;EC2GA,QAAA,IAAY,GAAA,EAAK,aAAA;EDtGf;;;;EC2GF,MAAA,GAAS,6BAAA;EDnGL;ECqGJ,SAAA;AAAA;;;;;;;;;;;;;;;AD9EF;iBCgGgB,aAAA,CAAc,OAAA,GAAS,oBAAA,IAA6B,GAAA,EAAK,aAAA,YAAyB,OAAA;;UA6CjF,gBAAA;ED7I6B;AAM9C;;;;EC6IE,KAAA;AAAA;;KAIU,OAAA,IAAW,GAAA,EAAK,YAAA,YAAwB,OAAA;;;;;;;;;;;;;;;;;;;;ADvIpD;;;;;iBCiKgB,SAAA,CAAU,KAAA,EAAO,OAAA,EAAS,OAAA,GAAS,gBAAA,GAAwB,OAAA;;UAY1D,gBAAA;EDxKf;EC0KA,IAAA,QAAY,OAAA;EDxKI;EC0KhB,IAAA,GAAO,IAAA,aAAiB,OAAA;AAAA;;KAId,aAAA;EACN,QAAA;EAAkB,MAAA;EAAgB,SAAA;AAAA;EAClC,QAAA;EAAwB,KAAA,GAAQ,gBAAA;EAAkB,SAAA;AAAA;;;;;;;;;;;;;;;;;;;ADxHxD;;;;;;;;iBCoJgB,MAAA,CAAO,KAAA,EAAO,OAAA,EAAS,OAAA,EAAS,aAAA,GAAgB,OAAA;;;;;;;;;;;;;;;;;cAwHnD,iBAAA,EAAmB,YAAA"}