expediate 1.0.4 → 1.0.6

package/dist/middleware.js

@@ -0,0 +1,647 @@
+/* Copyright 2021 Fabien Bavent
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included
+ * in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+'use strict';
+import * as crypto from 'crypto';
+import * as zlib from 'zlib';
+// ---------------------------------------------------------------------------
+// Internal helpers
+// ---------------------------------------------------------------------------
+/**
+ * Convert a string or Buffer value to a `Buffer`.
+ *
+ * @param chunk    - The data to convert.
+ * @param encoding - Character encoding to use when `chunk` is a string.
+ * @returns        A `Buffer` containing the bytes of `chunk`.
+ */
+function toBuffer(chunk, encoding = 'utf8') {
+    return Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, encoding);
+}
+/**
+ * Response compression middleware.
+ *
+ * Reads the `Accept-Encoding` request header and transparently compresses the
+ * response body using Brotli, gzip, or deflate (tested in that preference
+ * order).  Responses whose total body is smaller than `threshold` bytes are
+ * sent uncompressed to avoid wasting CPU on tiny payloads.
+ *
+ * The middleware monkey-patches `res.write` and `res.end` so that all
+ * downstream code (including `res.json`, `res.send`, and manual writes)
+ * passes through the compressor without any changes to handler code.
+ *
+ * The `Content-Encoding` and `Vary: Accept-Encoding` headers are set
+ * automatically.  `Content-Length` is removed because the compressed length
+ * cannot be known in advance.
+ *
+ * @param opts - Optional compression settings.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * const app = createRouter();
+ * app.use(compress());                     // at the top — must come first
+ * app.get('/api/data', (_req, res) => res.json(bigPayload));
+ * ```
+ */
+export function compress(opts) {
+    const threshold = opts?.threshold ?? 1024;
+    const brEnabled = opts?.br !== false;
+    const brotliQuality = opts?.brotliQuality ?? 4;
+    const gzipLevel = opts?.gzipLevel ?? zlib.constants.Z_DEFAULT_COMPRESSION;
+    return (req, res, next) => {
+        // User-supplied filter.
+        if (opts?.filter && !opts.filter(req, res))
+            return next();
+        const ae = (req.headers['accept-encoding']) ?? '';
+        // Negotiate encoding: Brotli > gzip > deflate.
+        let compressor = null;
+        let encoding = '';
+        if (brEnabled && /\bbr\b/.test(ae)) {
+            compressor = zlib.createBrotliCompress({
+                params: { [zlib.constants.BROTLI_PARAM_QUALITY]: brotliQuality },
+            });
+            encoding = 'br';
+        }
+        else if (/\bgzip\b/.test(ae)) {
+            compressor = zlib.createGzip({ level: gzipLevel });
+            encoding = 'gzip';
+        }
+        else if (/\bdeflate\b/.test(ae)) {
+            compressor = zlib.createDeflate({ level: gzipLevel });
+            encoding = 'deflate';
+        }
+        if (!compressor)
+            return next();
+        const comp = compressor;
+        const rawRes = res;
+        // Capture original write / end before we override them.
+        const origWrite = rawRes.write.bind(rawRes);
+        const origEnd = rawRes.end.bind(rawRes);
+        // Route compressor output back to the raw socket.
+        comp.on('data', (chunk) => { origWrite(chunk); });
+        comp.on('end', () => { origEnd(); });
+        comp.on('error', (e) => {
+            console.error('[compress] stream error:', e.message);
+            if (!rawRes.writableEnded)
+                origEnd();
+        });
+        // Buffer incoming data so we can decide compress vs bypass at end().
+        const pending = [];
+        let totalBytes = 0;
+        let decided = false; // true once we committed to compress or bypass
+        let doCompress = false;
+        /**
+         * Commit to compression: flush all buffered pending data to the compressor
+         * and mark `decided = true, doCompress = true`.
+         *
+         * @param andEnd - When `true`, also call `comp.end()` to flush and close
+         *                 the compressor after writing pending data.
+         */
+        const startCompressing = (andEnd) => {
+            decided = true;
+            doCompress = true;
+            res.setHeader('Content-Encoding', encoding);
+            res.setHeader('Vary', 'Accept-Encoding');
+            res.removeHeader('Content-Length');
+            for (const buf of pending)
+                comp.write(buf);
+            if (andEnd)
+                comp.end();
+        };
+        /**
+         * Commit to bypassing compression (total bytes below threshold).
+         * Undoes the tentative headers and writes buffered data directly.
+         */
+        const skipCompression = () => {
+            decided = true;
+            doCompress = false;
+            comp.destroy();
+            if (totalBytes > 0)
+                res.setHeader('Content-Length', totalBytes);
+            for (const buf of pending)
+                origWrite(buf);
+        };
+        // Override res.write.
+        res.write = (chunk, encOrCb, _cb) => {
+            const enc = typeof encOrCb === 'string' ? encOrCb : 'utf8';
+            const buf = toBuffer(chunk, enc);
+            if (decided) {
+                // Already committed — write directly to the right destination.
+                return doCompress ? comp.write(buf) : origWrite(buf);
+            }
+            pending.push(buf);
+            totalBytes += buf.length;
+            // Crossed threshold mid-stream: start compression now.
+            if (totalBytes >= threshold)
+                startCompressing(false);
+            return true;
+        };
+        // Override res.end.
+        res.end = (chunk, encOrCb, _cb) => {
+            if (typeof chunk === 'function')
+                chunk = undefined;
+            if (typeof encOrCb === 'function')
+                encOrCb = undefined;
+            if (chunk != null) {
+                const enc = typeof encOrCb === 'string' ? encOrCb : 'utf8';
+                const buf = toBuffer(chunk, enc);
+                if (decided) {
+                    if (doCompress)
+                        comp.write(buf);
+                    else
+                        origWrite(buf);
+                }
+                else {
+                    pending.push(buf);
+                    totalBytes += buf.length;
+                }
+            }
+            if (!decided) {
+                if (totalBytes >= threshold)
+                    startCompressing(true);
+                else {
+                    skipCompression();
+                    origEnd();
+                }
+            }
+            else if (doCompress) {
+                comp.end();
+            }
+            else {
+                origEnd();
+            }
+            return rawRes;
+        };
+        next();
+    };
+}
+/**
+ * Request ID middleware.
+ *
+ * Attaches a unique identifier to every request as `req.id` and echoes it
+ * back in the response header (default: `X-Request-ID`).  The ID is taken
+ * from the incoming header when `allowFromHeader` is `true` (the default);
+ * otherwise a new UUID is generated with `crypto.randomUUID()`.
+ *
+ * Use `req.id` in log statements and error responses to correlate distributed
+ * traces back to a single originating request.
+ *
+ * @param opts - Optional configuration.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * app.use(requestId());
+ * app.use(logger()); // logger can now include req.id in output
+ * app.get('/health', (req, res) => res.json({ id: req.id, status: 'ok' }));
+ * ```
+ */
+export function requestId(opts) {
+    const header = (opts?.header ?? 'x-request-id').toLowerCase();
+    const allowFromHeader = opts?.allowFromHeader !== false;
+    const generator = opts?.generator ?? (() => crypto.randomUUID());
+    return (req, res, next) => {
+        const incoming = req.headers[header];
+        const id = (allowFromHeader && incoming) ? incoming : generator();
+        req.id = id;
+        res.setHeader(header, id);
+        next();
+    };
+}
+/**
+ * In-memory sliding-window rate limiting middleware.
+ *
+ * Uses a `Map<key, timestamp[]>` to track request timestamps per client.
+ * On each request the list is pruned to the current window, then checked
+ * against `max`.  No external dependencies are required.
+ *
+ * **Caveats:**
+ * - State is held in memory and is lost on process restart.
+ * - Not suitable for multi-process deployments without a shared store.
+ *
+ * @param opts - Rate-limit configuration.  `windowMs` and `max` are required.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * // Max 100 requests per minute per IP:
+ * app.use(rateLimit({ windowMs: 60_000, max: 100 }));
+ *
+ * // Stricter limit on a specific route:
+ * app.post('/auth/login', rateLimit({ windowMs: 60_000, max: 5 }), loginHandler);
+ * ```
+ */
+export function rateLimit(opts) {
+    const windowMs = opts.windowMs;
+    const max = opts.max;
+    const keyBy = opts.keyBy ?? ((req) => req.ip ?? '');
+    const message = opts.message ?? 'Too Many Requests';
+    const statusCode = opts.statusCode ?? 429;
+    const sendHeaders = opts.headers !== false;
+    // Map<clientKey, requestTimestamps[]>
+    const store = new Map();
+    return (req, res, next) => {
+        const key = keyBy(req);
+        const now = Date.now();
+        const windowStart = now - windowMs;
+        // Prune expired timestamps for this key.
+        const timestamps = (store.get(key) ?? []).filter((t) => t > windowStart);
+        timestamps.push(now);
+        store.set(key, timestamps);
+        const count = timestamps.length;
+        const remaining = Math.max(0, max - count);
+        // Reset = when the oldest request in the current window will fall out.
+        const resetAt = timestamps.length > 0
+            ? Math.ceil((timestamps[0] + windowMs) / 1000)
+            : Math.ceil((now + windowMs) / 1000);
+        if (sendHeaders) {
+            res.setHeader('X-RateLimit-Limit', String(max));
+            res.setHeader('X-RateLimit-Remaining', String(remaining));
+            res.setHeader('X-RateLimit-Reset', String(resetAt));
+        }
+        if (count > max) {
+            res.setHeader('Retry-After', String(Math.ceil(windowMs / 1000)));
+            res.statusCode = statusCode;
+            res.end(message);
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Response caching header middleware.
+ *
+ * Sets `Cache-Control`, and optionally `Expires` and `Vary` response headers
+ * based on the supplied options.  All directives are optional — only the
+ * ones you specify are included in the header value.
+ *
+ * Mount at the router level for a global default, or on individual routes to
+ * apply per-route caching policies.
+ *
+ * @param opts - Cache policy options.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * // Global: 5-minute browser cache, CDN-agnostic
+ * app.use(cacheControl({ maxAge: 300, public: true }));
+ *
+ * // Per-route: content-addressed asset, cache forever
+ * app.get('/static/app.:hash.js', cacheControl({ maxAge: 31_536_000, immutable: true }), serveStatic('public'));
+ *
+ * // No caching at all
+ * app.use('/api', cacheControl({ noStore: true }));
+ * ```
+ */
+export function cacheControl(opts = {}) {
+    // Pre-compute the Cache-Control value — it is the same for every response.
+    const directives = [];
+    if (opts.private)
+        directives.push('private');
+    if (opts.public)
+        directives.push('public');
+    if (opts.noStore)
+        directives.push('no-store');
+    if (opts.noCache)
+        directives.push('no-cache');
+    if (opts.mustRevalidate)
+        directives.push('must-revalidate');
+    if (opts.immutable)
+        directives.push('immutable');
+    if (opts.maxAge != null)
+        directives.push(`max-age=${opts.maxAge}`);
+    if (opts.sMaxAge != null)
+        directives.push(`s-maxage=${opts.sMaxAge}`);
+    const cacheControlValue = directives.join(', ');
+    const varyValue = Array.isArray(opts.vary)
+        ? opts.vary.join(', ')
+        : (opts.vary ?? null);
+    return (_req, res, next) => {
+        if (cacheControlValue)
+            res.setHeader('Cache-Control', cacheControlValue);
+        if (opts.maxAge != null) {
+            const expires = new Date(Date.now() + opts.maxAge * 1000);
+            res.setHeader('Expires', expires.toUTCString());
+        }
+        if (varyValue)
+            res.setHeader('Vary', varyValue);
+        next();
+    };
+}
+/** HTTP methods that do not mutate server state and require no CSRF check. */
+const SAFE_CSRF_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
+/**
+ * CSRF protection middleware (double-submit cookie pattern).
+ *
+ * On every request the middleware:
+ * 1. Reads (or generates) a random 256-bit hex token stored in a cookie.
+ * 2. Attaches `req.csrfToken()` so handlers can embed the token in forms /
+ *    single-page applications.
+ * 3. For state-mutating requests (POST / PUT / PATCH / DELETE) it validates
+ *    that the `X-CSRF-Token` header (or `_csrf` body field) matches the
+ *    cookie value, responding **403** on mismatch.
+ *
+ * The cookie is **not** `HttpOnly` so that browser JavaScript can read the
+ * value and include it in subsequent AJAX request headers.
+ *
+ * @param opts - Optional configuration.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * app.use(csrf());
+ * app.get('/form', (req, res) =>
+ *   res.send(`<input type="hidden" name="_csrf" value="${req.csrfToken!()}">`));
+ * app.post('/submit', (req, res) => res.send('ok')); // validated automatically
+ * ```
+ */
+export function csrf(opts) {
+    const cookieName = opts?.cookieName ?? '_csrf';
+    const headerName = (opts?.headerName ?? 'x-csrf-token').toLowerCase();
+    const fieldName = opts?.fieldName ?? '_csrf';
+    const secure = opts?.secure ?? false;
+    const sameSite = opts?.sameSite ?? 'Strict';
+    return (req, res, next) => {
+        // Generate or reuse existing token from the incoming cookie.
+        const existing = req.cookies?.[cookieName];
+        const token = (typeof existing === 'string' && existing.length > 0)
+            ? existing
+            : crypto.randomBytes(32).toString('hex');
+        // Refresh the cookie when we generated a new token.
+        if (!existing) {
+            let cookieStr = `${cookieName}=${token}; Path=/; SameSite=${sameSite}`;
+            if (secure)
+                cookieStr += '; Secure';
+            // Append without clobbering other Set-Cookie headers.
+            const prev = res.getHeader('Set-Cookie');
+            if (prev == null)
+                res.setHeader('Set-Cookie', cookieStr);
+            else if (Array.isArray(prev))
+                res.setHeader('Set-Cookie', [...prev, cookieStr]);
+            else
+                res.setHeader('Set-Cookie', [prev, cookieStr]);
+        }
+        // Expose helper so handlers can embed the token in responses.
+        req.csrfToken = () => token;
+        // Safe methods skip validation entirely.
+        if (SAFE_CSRF_METHODS.has(req.method ?? ''))
+            return next();
+        // Validate: prefer header, fall back to parsed body field.
+        const submitted = req.headers[headerName] ??
+            (req.body?.[fieldName]) ??
+            '';
+        if (!submitted || submitted !== token) {
+            res.statusCode = 403;
+            res.end('Forbidden: invalid CSRF token');
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Security-hardening response headers middleware.
+ *
+ * Sets a sensible baseline of HTTP response headers that reduce the attack
+ * surface for common web vulnerabilities (clickjacking, MIME sniffing, XSS,
+ * etc.).  Every header can be individually disabled or overridden.
+ *
+ * Mount once at the top of the router so all responses are covered:
+ *
+ * ```ts
+ * app.use(securityHeaders());
+ * ```
+ *
+ * **Headers set by default:**
+ *
+ * | Header                    | Default value                              |
+ * |---------------------------|--------------------------------------------|
+ * | Strict-Transport-Security | max-age=15552000; includeSubDomains        |
+ * | X-Frame-Options           | SAMEORIGIN                                 |
+ * | X-Content-Type-Options    | nosniff                                    |
+ * | Referrer-Policy           | strict-origin-when-cross-origin            |
+ * | Permissions-Policy        | geolocation=(), microphone=(), camera=()   |
+ * | X-XSS-Protection          | 0                                          |
+ *
+ * @param opts - Per-header overrides.  Omit to use all defaults.
+ * @returns    An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * // Disable HSTS on a plain-HTTP development server:
+ * app.use(securityHeaders({ hsts: false }));
+ *
+ * // Deny all framing (not just same-origin):
+ * app.use(securityHeaders({ frameOptions: 'DENY' }));
+ *
+ * // Custom Permissions-Policy:
+ * app.use(securityHeaders({
+ *   permissionsPolicy: 'geolocation=(), payment=(self)',
+ * }));
+ * ```
+ */
+// ===========================================================================
+// 7 · conditionalGet — RFC 7232 conditional GET / 304 Not Modified
+// ===========================================================================
+/**
+ * Determine whether a cached response is still fresh according to RFC 7232.
+ *
+ * Evaluation priority:
+ * 1. **`If-None-Match`** — compared against the `ETag` header using weak
+ *    comparison (the `W/` prefix is stripped from both sides before matching).
+ *    The wildcard `*` matches any ETag.
+ * 2. **`If-Modified-Since`** — only consulted when `If-None-Match` is absent.
+ *    The response is fresh when `Last-Modified ≤ If-Modified-Since`.
+ *
+ * Returns `false` when neither condition applies so the full response is sent.
+ *
+ * @param etag         - The current value of the `ETag` response header.
+ * @param lastModified - The current value of the `Last-Modified` response header.
+ * @param ifNoneMatch  - The `If-None-Match` request header value (or array).
+ * @param ifModSince   - The `If-Modified-Since` request header value (or array).
+ */
+function isFreshResponse(etag, lastModified, ifNoneMatch, ifModSince) {
+    const inm = Array.isArray(ifNoneMatch) ? ifNoneMatch[0] : ifNoneMatch;
+    if (inm) {
+        if (!etag)
+            return false;
+        // `*` is a wildcard that matches any entity-tag.
+        if (inm.trim() === '*')
+            return true;
+        // Weak comparison: strip the W/ prefix before comparing quoted tag values.
+        const normalize = (tag) => tag.startsWith('W/') ? tag.slice(2) : tag;
+        const tags = inm.split(',').map((t) => normalize(t.trim()));
+        return tags.includes(normalize(etag));
+    }
+    const ims = Array.isArray(ifModSince) ? ifModSince[0] : ifModSince;
+    if (ims && lastModified) {
+        const imsMs = new Date(ims).getTime();
+        const lmMs = new Date(lastModified).getTime();
+        if (!isNaN(imsMs) && !isNaN(lmMs))
+            return lmMs <= imsMs;
+    }
+    return false;
+}
+/**
+ * Conditional GET middleware (RFC 7232).
+ *
+ * Transparently handles `If-None-Match` and `If-Modified-Since` request
+ * headers.  When the response carries an `ETag` or `Last-Modified` header and
+ * the client's cached copy is still fresh, the middleware short-circuits with
+ * **304 Not Modified** — stripping the response body and content-related
+ * headers — instead of sending the full response.
+ *
+ * Mount this middleware **before** the route handler. The route handler runs
+ * normally and can call `res.etag()` / `res.json()` / `res.send()` as usual;
+ * the middleware intercepts the outgoing writes and decides whether to replace
+ * the response with a 304.
+ *
+ * ```ts
+ * app.get('/api/user/:id', conditionalGet(), (req, res) => {
+ *   const user = getUser(req.params.id);
+ *   res.etag(user.updatedAt.toISOString());
+ *   res.json(user); // → 304 if ETag matches If-None-Match
+ * });
+ * ```
+ *
+ * **RFC 7232 compliance:**
+ * - `If-None-Match` is evaluated first (takes priority over `If-Modified-Since`).
+ * - Weak comparison is used for ETag matching (the `W/` prefix is ignored).
+ * - 304 responses strip `Content-Type`, `Content-Length`, and
+ *   `Content-Encoding`, but retain `ETag`, `Cache-Control`, `Vary`, and
+ *   `Last-Modified`.
+ * - Only GET and HEAD are eligible for 304 responses; other methods are
+ *   passed through unchanged.
+ *
+ * @returns An Express-compatible middleware function.
+ *
+ * @example
+ * ```ts
+ * // With ETag
+ * app.get('/resource', conditionalGet(), (req, res) => {
+ *   res.etag('v1.0').json({ value: 42 });
+ * });
+ *
+ * // With Last-Modified
+ * app.get('/file', conditionalGet(), (req, res) => {
+ *   res.setHeader('Last-Modified', new Date().toUTCString());
+ *   res.send(fileContent);
+ * });
+ * ```
+ */
+export function conditionalGet() {
+    return (req, res, next) => {
+        // Only GET and HEAD can yield a 304 Not Modified.
+        const method = req.method ?? 'GET';
+        if (method !== 'GET' && method !== 'HEAD')
+            return next();
+        const rawRes = res;
+        const origWrite = rawRes.write.bind(rawRes);
+        const origEnd = rawRes.end.bind(rawRes);
+        // Buffer all outgoing body data until we can check freshness at end().
+        const pending = [];
+        res.write = (chunk, encOrCb, _cb) => {
+            const enc = typeof encOrCb === 'string' ? encOrCb : 'utf8';
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, enc);
+            pending.push(buf);
+            return true;
+        };
+        res.end = (chunk, encOrCb, _cb) => {
+            if (typeof chunk === 'function')
+                chunk = undefined;
+            if (typeof encOrCb === 'function')
+                encOrCb = undefined;
+            // Buffer any final chunk passed directly to end().
+            if (chunk != null) {
+                const enc = typeof encOrCb === 'string' ? encOrCb : 'utf8';
+                const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, enc);
+                pending.push(buf);
+            }
+            // Read the freshness-relevant headers set by the route handler.
+            const etag = rawRes.getHeader('etag');
+            const lastMod = rawRes.getHeader('last-modified');
+            const ifNoneMatch = req.headers['if-none-match'];
+            const ifModSince = req.headers['if-modified-since'];
+            if (isFreshResponse(etag, lastMod, ifNoneMatch, ifModSince)) {
+                // RFC 7232 §4.1: 304 response MUST NOT include a message body.
+                // Strip content-related headers; retain ETag, Cache-Control, Vary, Last-Modified.
+                rawRes.removeHeader('content-type');
+                rawRes.removeHeader('content-length');
+                rawRes.removeHeader('content-encoding');
+                rawRes.statusCode = 304;
+                origEnd();
+            }
+            else {
+                // Not fresh — flush buffered body and end normally.
+                for (const buf of pending)
+                    origWrite(buf);
+                origEnd();
+            }
+            return rawRes;
+        };
+        next();
+    };
+}
+export function securityHeaders(opts) {
+    // Pre-compute all header values once at middleware-creation time.
+    const headers = [];
+    // Strict-Transport-Security
+    const hsts = opts?.hsts;
+    if (hsts !== false) {
+        const h = typeof hsts === 'object' ? hsts : {};
+        const maxAge = h.maxAge ?? 15_552_000;
+        const subdomain = h.includeSubDomains !== false;
+        let value = `max-age=${maxAge}`;
+        if (subdomain)
+            value += '; includeSubDomains';
+        if (h.preload)
+            value += '; preload';
+        headers.push(['Strict-Transport-Security', value]);
+    }
+    // X-Frame-Options
+    const fo = opts?.frameOptions;
+    if (fo !== false) {
+        headers.push(['X-Frame-Options', fo ?? 'SAMEORIGIN']);
+    }
+    // X-Content-Type-Options
+    if (opts?.contentTypeOptions !== false) {
+        headers.push(['X-Content-Type-Options', 'nosniff']);
+    }
+    // Referrer-Policy
+    const rp = opts?.referrerPolicy;
+    if (rp !== false) {
+        headers.push(['Referrer-Policy', typeof rp === 'string' ? rp : 'strict-origin-when-cross-origin']);
+    }
+    // Permissions-Policy
+    const pp = opts?.permissionsPolicy;
+    if (pp !== false) {
+        headers.push(['Permissions-Policy', typeof pp === 'string' ? pp : 'geolocation=(), microphone=(), camera=()']);
+    }
+    // X-XSS-Protection
+    const xxp = opts?.xssProtection;
+    if (xxp !== false) {
+        headers.push(['X-XSS-Protection', typeof xxp === 'string' ? xxp : '0']);
+    }
+    return (_req, res, next) => {
+        for (const [name, value] of headers)
+            res.setHeader(name, value);
+        next();
+    };
+}
+//# sourceMappingURL=middleware.js.map

package/dist/middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"middleware.js","sourceRoot":"","sources":["../src/middleware.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AACH,YAAY,CAAC;AAEb,OAAO,KAAK,MAAM,MAAM,QAAQ,CAAC;AAEjC,OAAO,KAAK,IAAI,MAAQ,MAAM,CAAC;AA8B/B,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,KAAsB,EAAE,WAA2B,MAAM;IACzE,OAAO,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AACvE,CAAC;AAgED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAsB;IAC7C,MAAM,SAAS,GAAM,IAAI,EAAE,SAAS,IAAO,IAAI,CAAC;IAChD,MAAM,SAAS,GAAM,IAAI,EAAE,EAAE,KAAe,KAAK,CAAC;IAClD,MAAM,aAAa,GAAG,IAAI,EAAE,aAAa,IAAI,CAAC,CAAC;IAC/C,MAAM,SAAS,GAAM,IAAI,EAAE,SAAS,IAAO,IAAI,CAAC,SAAS,CAAC,qBAAqB,CAAC;IAEhF,OAAO,CAAC,GAAkB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC3E,wBAAwB;QACxB,IAAI,IAAI,EAAE,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC;YAAE,OAAO,IAAI,EAAE,CAAC;QAE1D,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAE,CAAC,IAAI,EAAE,CAAC;QAEnD,+CAA+C;QAC/C,IAAI,UAAU,GAA0D,IAAI,CAAC;QAC7E,IAAI,QAAQ,GAAG,EAAE,CAAC;QAElB,IAAI,SAAS,IAAI,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACnC,UAAU,GAAG,IAAI,CAAC,oBAAoB,CAAC;gBACrC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC,EAAE,aAAa,EAAE;aACjE,CAAC,CAAC;YACH,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;aAAM,IAAI,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAC/B,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YACnD,QAAQ,GAAG,MAAM,CAAC;QACpB,CAAC;aAAM,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAClC,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAC;YACtD,QAAQ,GAAG,SAAS,CAAC;QACvB,CAAC;QAED,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,EAAE,CAAC;QAE/B,MAAM,IAAI,GAAK,UAAU,CAAC;QAC1B,MAAM,MAAM,GAAG,GAAqC,CAAC;QAErD,wDAAwD;QACxD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAK,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE1C,kDAAkD;QAClD,IAAI,CAAC,EAAE,CAAC,MAAM,EAAG,CAAC,KAAa,EAAE,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,EAAE,CAAC,KAAK,EAAI,GAAgB,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACpD,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,CAAQ,EAAO,EAAE;YACjC,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC;YACrD,IAAI,CAAC,MAAM,CAAC,aAAa;gBAAE,OAAO,EAAE,CAAC;QACvC,CAAC,CAAC,CAAC;QAEH,qEAAqE;QACrE,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,IAAI,UAAU,GAAG,CAAC,CAAC;QACnB,IAAI,OAAO,GAAM,KAAK,CAAC,CAAC,+CAA+C;QACvE,IAAI,UAAU,GAAG,KAAK,CAAC;QAEvB;;;;;;WAMG;QACH,MAAM,gBAAgB,GAAG,CAAC,MAAe,EAAQ,EAAE;YACjD,OAAO,GAAM,IAAI,CAAC;YAClB,UAAU,GAAG,IAAI,CAAC;YAClB,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,QAAQ,CAAC,CAAC;YAC5C,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;YACzC,GAAG,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;YACnC,KAAK,MAAM,GAAG,IAAI,OAAO;gBAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,MAAM;gBAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QACzB,CAAC,CAAC;QAEF;;;WAGG;QACH,MAAM,eAAe,GAAG,GAAS,EAAE;YACjC,OAAO,GAAM,IAAI,CAAC;YAClB,UAAU,GAAG,KAAK,CAAC;YACnB,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,IAAI,UAAU,GAAG,CAAC;gBAAE,GAAG,CAAC,SAAS,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;YAChE,KAAK,MAAM,GAAG,IAAI,OAAO;gBAAE,SAAS,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC,CAAC;QAEF,sBAAsB;QACrB,GAAW,CAAC,KAAK,GAAG,CACnB,KAAsB,EACtB,OAAyD,EACzD,GAAkC,EACzB,EAAE;YACX,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3D,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YAEjC,IAAI,OAAO,EAAE,CAAC;gBACZ,+DAA+D;gBAC/D,OAAO,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YACvD,CAAC;YAED,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClB,UAAU,IAAI,GAAG,CAAC,MAAM,CAAC;YAEzB,uDAAuD;YACvD,IAAI,UAAU,IAAI,SAAS;gBAAE,gBAAgB,CAAC,KAAK,CAAC,CAAC;YAErD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAEF,oBAAoB;QACnB,GAAW,CAAC,GAAG,GAAG,CACjB,KAAsC,EACtC,OAAuC,EACvC,GAAgB,EACK,EAAE;YACvB,IAAI,OAAO,KAAK,KAAO,UAAU;gBAAE,KAAK,GAAK,SAAS,CAAC;YACvD,IAAI,OAAO,OAAO,KAAK,UAAU;gBAAE,OAAO,GAAG,SAAS,CAAC;YAEvD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;gBAC3D,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBAEjC,IAAI,OAAO,EAAE,CAAC;oBACZ,IAAI,UAAU;wBAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;;wBAChB,SAAS,CAAC,GAAG,CAAC,CAAC;gBACjC,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;oBAClB,UAAU,IAAI,GAAG,CAAC,MAAM,CAAC;gBAC3B,CAAC;YACH,CAAC;YAED,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,IAAI,UAAU,IAAI,SAAS;oBAAE,gBAAgB,CAAC,IAAI,CAAC,CAAC;qBAC/C,CAAC;oBAAC,eAAe,EAAE,CAAC;oBAAC,OAAO,EAAE,CAAC;gBAAC,CAAC;YACxC,CAAC;iBAAM,IAAI,UAAU,EAAE,CAAC;gBACtB,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,CAAC;iBAAM,CAAC;gBACN,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC;QAEF,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAmCD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,SAAS,CAAC,IAAuB;IAC/C,MAAM,MAAM,GAAW,CAAC,IAAI,EAAE,MAAM,IAAI,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;IACtE,MAAM,eAAe,GAAG,IAAI,EAAE,eAAe,KAAK,KAAK,CAAC;IACxD,MAAM,SAAS,GAAQ,IAAI,EAAE,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IAEtE,OAAO,CAAC,GAAkB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC3E,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAuB,CAAC;QAC3D,MAAM,EAAE,GAAG,CAAC,eAAe,IAAI,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,EAAE,CAAC;QAElE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC;QACZ,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAE1B,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAwDD;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,SAAS,CAAC,IAAsB;IAC9C,MAAM,QAAQ,GAAK,IAAI,CAAC,QAAQ,CAAC;IACjC,MAAM,GAAG,GAAU,IAAI,CAAC,GAAG,CAAC;IAC5B,MAAM,KAAK,GAAQ,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;IACzD,MAAM,OAAO,GAAM,IAAI,CAAC,OAAO,IAAO,mBAAmB,CAAC;IAC1D,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC;IAC1C,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,KAAK,KAAK,CAAC;IAE3C,sCAAsC;IACtC,MAAM,KAAK,GAAG,IAAI,GAAG,EAAoB,CAAC;IAE1C,OAAO,CAAC,GAAkB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC3E,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,QAAQ,CAAC;QAEnC,yCAAyC;QACzC,MAAM,UAAU,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC;QACzE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAE3B,MAAM,KAAK,GAAO,UAAU,CAAC,MAAM,CAAC;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,GAAG,KAAK,CAAC,CAAC;QAC3C,uEAAuE;QACvE,MAAM,OAAO,GAAK,UAAU,CAAC,MAAM,GAAG,CAAC;YACrC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,IAAI,CAAC;YAC9C,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,GAAG,GAAG,QAAQ,CAAC,GAAG,IAAI,CAAC,CAAC;QAEvC,IAAI,WAAW,EAAE,CAAC;YAChB,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAM,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;YACpD,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;YAC1D,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAM,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAChB,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;YACjE,GAAG,CAAC,UAAU,GAAG,UAAU,CAAC;YAC5B,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YACjB,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAkED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,YAAY,CAAC,OAA4B,EAAE;IACzD,2EAA2E;IAC3E,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,IAAI,IAAI,CAAC,OAAO;QAAS,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACpD,IAAI,IAAI,CAAC,MAAM;QAAU,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,IAAI,CAAC,OAAO;QAAS,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrD,IAAI,IAAI,CAAC,OAAO;QAAS,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrD,IAAI,IAAI,CAAC,cAAc;QAAE,UAAU,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC5D,IAAI,IAAI,CAAC,SAAS;QAAO,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACtD,IAAI,IAAI,CAAC,MAAM,IAAK,IAAI;QAAE,UAAU,CAAC,IAAI,CAAC,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;IACpE,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI;QAAE,UAAU,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IAEtE,MAAM,iBAAiB,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;QACxC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;QACtB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC;IAExB,OAAO,CAAC,IAAmB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC5E,IAAI,iBAAiB;YAAE,GAAG,CAAC,SAAS,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;QAEzE,IAAI,IAAI,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC;YACxB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC;YAC1D,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;QAClD,CAAC;QAED,IAAI,SAAS;YAAE,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;QAEhD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAiDD,8EAA8E;AAC9E,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;AAEvE;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,IAAI,CAAC,IAAkB;IACrC,MAAM,UAAU,GAAG,IAAI,EAAE,UAAU,IAAI,OAAO,CAAC;IAC/C,MAAM,UAAU,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;IACtE,MAAM,SAAS,GAAI,IAAI,EAAE,SAAS,IAAK,OAAO,CAAC;IAC/C,MAAM,MAAM,GAAO,IAAI,EAAE,MAAM,IAAQ,KAAK,CAAC;IAC7C,MAAM,QAAQ,GAAK,IAAI,EAAE,QAAQ,IAAM,QAAQ,CAAC;IAEhD,OAAO,CAAC,GAAkB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC3E,6DAA6D;QAC7D,MAAM,QAAQ,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,UAAU,CAAuB,CAAC;QACjE,MAAM,KAAK,GAAM,CAAC,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;YACpE,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;QAE3C,oDAAoD;QACpD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,IAAI,SAAS,GAAG,GAAG,UAAU,IAAI,KAAK,sBAAsB,QAAQ,EAAE,CAAC;YACvE,IAAI,MAAM;gBAAE,SAAS,IAAI,UAAU,CAAC;YACpC,sDAAsD;YACtD,MAAM,IAAI,GAAG,GAAG,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;YACzC,IAAI,IAAI,IAAI,IAAI;gBAAc,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC;iBAChE,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC;gBAAE,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,GAAG,IAAI,EAAE,SAAS,CAAC,CAAC,CAAC;;gBAClD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE,CAAC,IAAc,EAAE,SAAS,CAAC,CAAC,CAAC;QACzF,CAAC;QAED,8DAA8D;QAC9D,GAAG,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC;QAE5B,yCAAyC;QACzC,IAAI,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,IAAI,EAAE,CAAC;YAAE,OAAO,IAAI,EAAE,CAAC;QAE3D,2DAA2D;QAC3D,MAAM,SAAS,GACZ,GAAG,CAAC,OAAO,CAAC,UAAU,CAAwB;YAC/C,CAAE,GAAG,CAAC,IAA2C,EAAE,CAAC,SAAS,CAAC,CAAC;YAC/D,EAAE,CAAC;QAEL,IAAI,CAAC,SAAS,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;YACtC,GAAG,CAAC,UAAU,GAAG,GAAG,CAAC;YACrB,GAAG,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAgFD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AACH,8EAA8E;AAC9E,mEAAmE;AACnE,8EAA8E;AAE9E;;;;;;;;;;;;;;;;GAgBG;AACH,SAAS,eAAe,CACtB,IAAgC,EAChC,YAAgC,EAChC,WAA2C,EAC3C,UAA2C;IAE3C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAEtE,IAAI,GAAG,EAAE,CAAC;QACR,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QACxB,iDAAiD;QACjD,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,GAAG;YAAE,OAAO,IAAI,CAAC;QACpC,2EAA2E;QAC3E,MAAM,SAAS,GAAG,CAAC,GAAW,EAAE,EAAE,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;QAC7E,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IACnE,IAAI,GAAG,IAAI,YAAY,EAAE,CAAC;QACxB,MAAM,KAAK,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,CAAC;QACtC,MAAM,IAAI,GAAI,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE,CAAC;QAC/C,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,OAAO,IAAI,IAAI,KAAK,CAAC;IAC1D,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8CG;AACH,MAAM,UAAU,cAAc;IAC5B,OAAO,CAAC,GAAkB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC3E,kDAAkD;QAClD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;QACnC,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,EAAE,CAAC;QAEzD,MAAM,MAAM,GAAG,GAAqC,CAAC;QACrD,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC5C,MAAM,OAAO,GAAK,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAE1C,uEAAuE;QACvE,MAAM,OAAO,GAAa,EAAE,CAAC;QAE5B,GAAW,CAAC,KAAK,GAAG,CACnB,KAAsB,EACtB,OAAyD,EACzD,GAAkC,EACzB,EAAE;YACX,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;YACrE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC,CAAC;QAED,GAAW,CAAC,GAAG,GAAG,CACjB,KAAsC,EACtC,OAAuC,EACvC,GAAgB,EACK,EAAE;YACvB,IAAI,OAAO,KAAK,KAAO,UAAU;gBAAE,KAAK,GAAK,SAAS,CAAC;YACvD,IAAI,OAAO,OAAO,KAAK,UAAU;gBAAE,OAAO,GAAG,SAAS,CAAC;YAEvD,mDAAmD;YACnD,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;gBAClB,MAAM,GAAG,GAAG,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;gBAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;gBACrE,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACpB,CAAC;YAED,gEAAgE;YAChE,MAAM,IAAI,GAAU,MAAM,CAAC,SAAS,CAAC,MAAM,CAAgC,CAAC;YAC5E,MAAM,OAAO,GAAO,MAAM,CAAC,SAAS,CAAC,eAAe,CAAuB,CAAC;YAC5E,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YACjD,MAAM,UAAU,GAAI,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;YAErD,IAAI,eAAe,CAAC,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU,CAAC,EAAE,CAAC;gBAC5D,+DAA+D;gBAC/D,kFAAkF;gBAClF,MAAM,CAAC,YAAY,CAAC,cAAc,CAAC,CAAC;gBACpC,MAAM,CAAC,YAAY,CAAC,gBAAgB,CAAC,CAAC;gBACtC,MAAM,CAAC,YAAY,CAAC,kBAAkB,CAAC,CAAC;gBACxC,MAAM,CAAC,UAAU,GAAG,GAAG,CAAC;gBACxB,OAAO,EAAE,CAAC;YACZ,CAAC;iBAAM,CAAC;gBACN,oDAAoD;gBACpD,KAAK,MAAM,GAAG,IAAI,OAAO;oBAAE,SAAS,CAAC,GAAG,CAAC,CAAC;gBAC1C,OAAO,EAAE,CAAC;YACZ,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC;QAEF,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,IAA6B;IAC3D,kEAAkE;IAClE,MAAM,OAAO,GAAuB,EAAE,CAAC;IAEvC,4BAA4B;IAC5B,MAAM,IAAI,GAAG,IAAI,EAAE,IAAI,CAAC;IACxB,IAAI,IAAI,KAAK,KAAK,EAAE,CAAC;QACnB,MAAM,CAAC,GAAG,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAK,CAAC,CAAC,MAAM,IAAc,UAAU,CAAC;QAClD,MAAM,SAAS,GAAG,CAAC,CAAC,iBAAiB,KAAK,KAAK,CAAC;QAChD,IAAI,KAAK,GAAG,WAAW,MAAM,EAAE,CAAC;QAChC,IAAI,SAAS;YAAG,KAAK,IAAI,qBAAqB,CAAC;QAC/C,IAAI,CAAC,CAAC,OAAO;YAAG,KAAK,IAAI,WAAW,CAAC;QACrC,OAAO,CAAC,IAAI,CAAC,CAAC,2BAA2B,EAAE,KAAK,CAAC,CAAC,CAAC;IACrD,CAAC;IAED,kBAAkB;IAClB,MAAM,EAAE,GAAG,IAAI,EAAE,YAAY,CAAC;IAC9B,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC;IACxD,CAAC;IAED,yBAAyB;IACzB,IAAI,IAAI,EAAE,kBAAkB,KAAK,KAAK,EAAE,CAAC;QACvC,OAAO,CAAC,IAAI,CAAC,CAAC,wBAAwB,EAAE,SAAS,CAAC,CAAC,CAAC;IACtD,CAAC;IAED,kBAAkB;IAClB,MAAM,EAAE,GAAG,IAAI,EAAE,cAAc,CAAC;IAChC,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,iBAAiB,EAAE,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,iCAAiC,CAAC,CAAC,CAAC;IACrG,CAAC;IAED,qBAAqB;IACrB,MAAM,EAAE,GAAG,IAAI,EAAE,iBAAiB,CAAC;IACnC,IAAI,EAAE,KAAK,KAAK,EAAE,CAAC;QACjB,OAAO,CAAC,IAAI,CAAC,CAAC,oBAAoB,EAAE,OAAO,EAAE,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,0CAA0C,CAAC,CAAC,CAAC;IACjH,CAAC;IAED,mBAAmB;IACnB,MAAM,GAAG,GAAG,IAAI,EAAE,aAAa,CAAC;IAChC,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,CAAC,kBAAkB,EAAE,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO,CAAC,IAAmB,EAAE,GAAmB,EAAE,IAAkB,EAAQ,EAAE;QAC5E,KAAK,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,OAAO;YAAE,GAAG,CAAC,SAAS,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChE,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}