kavachos 0.0.2 → 0.0.4
- package/dist/agent/index.d.ts +4 -5
- package/dist/agent/index.js +2 -2
- package/dist/audit/index.d.ts +3 -4
- package/dist/audit/index.js +2 -2
- package/dist/auth/index.d.ts +1719 -2
- package/dist/auth/index.js +2 -1
- package/dist/{chunk-I4J4KKKK.js → chunk-5DT4DN4Y.js} +9 -3
- package/dist/chunk-5DT4DN4Y.js.map +1 -0
- package/dist/chunk-KL6XW4S4.js +10774 -0
- package/dist/chunk-KL6XW4S4.js.map +1 -0
- package/dist/{chunk-DEVV32BE.js → chunk-OVGNZ5OX.js} +3 -3
- package/dist/{chunk-DEVV32BE.js.map → chunk-OVGNZ5OX.js.map} +1 -1
- package/dist/{chunk-N7VZO6SP.js → chunk-SJGSPIAD.js} +3 -3
- package/dist/{chunk-N7VZO6SP.js.map → chunk-SJGSPIAD.js.map} +1 -1
- package/dist/chunk-V66UUIA7.js +480 -0
- package/dist/chunk-V66UUIA7.js.map +1 -0
- package/dist/index.d.ts +1125 -14
- package/dist/index.js +2986 -111
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.d.ts +2 -2
- package/dist/permission/index.d.ts +4 -5
- package/dist/permission/index.js +2 -2
- package/dist/types-Xk83hv4O.d.ts +7759 -0
- package/dist/{types-B4sQA44H.d.ts → types-mwupB57A.d.ts} +5 -5
- package/package.json +1 -1
- package/dist/chunk-7RKVTHFC.js +0 -96
- package/dist/chunk-7RKVTHFC.js.map +0 -1
- package/dist/chunk-I4J4KKKK.js.map +0 -1
- package/dist/chunk-UEE7OYLG.js +0 -161
- package/dist/chunk-UEE7OYLG.js.map +0 -1
- package/dist/types-WP-mKSdQ.d.ts +0 -2349
- package/dist/types-_7hIICee.d.ts +0 -52
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/db/database.ts","../src/db/migrations.ts","../src/delegation/delegation.ts","../src/session/session.ts","../src/kavach.ts","../src/openapi.ts"],"names":["drizzleSqlite","anyDb","randomUUID","and","eq"],"mappings":";;;;;;;;;;;;;;;;AAyDA,eAAsB,eAAe,MAAA,EAA2C;AAC/E,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,IAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,IAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,IAAA,OAAOA,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AAAA,EACxC;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,UAAA,EAAY;AAEnC,IAAA,MAAM,EAAE,MAAK,GAAI,MAAM,OAAO,IAAI,CAAA,CAAE,MAAM,MAAM;AAC/C,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,2BAA2B,CAAA;AAE5D,IAAA,MAAM,OAAO,IAAI,IAAA,CAAK,EAAE,gBAAA,EAAkB,MAAA,CAAO,KAAK,CAAA;AAGtD,IAAA,OAAO,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,OAAA,EAAS;AAEhC,IAAA,MAAM,SAAS,MAAM,OAAO,gBAAgB,CAAA,CAAE,MAAM,MAAM;AACzD,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,oBAAoB,CAAA;AAErD,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,UAAA,CAAW,MAAA,CAAO,GAAG,CAAA;AAGzC,IAAA,OAAO,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,MAAM,IAAI,KAAA;AAAA,IACT,CAAA,yCAAA,EAA6C,OAA0B,QAAQ,CAAA,kDAAA;AAAA,GAEhF;AACD;AASO,SAAS,mBAAmB,MAAA,EAAkC;AACpE,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA;AAAA,MACT,CAAA,wFAAA,EACiD,OAAO,QAAQ,CAAA,EAAA;AAAA,KACjE;AAAA,EACD;AACA,EAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,EAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,EAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,EAAA,OAAOA,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AACxC;;;ACrGA,SAAS,gBAAgB,QAAA,EAAgD;AACxE,EAAA,MAAM,aAAa,QAAA,KAAa,UAAA;AAChC,EAAA,MAAM,UAAU,QAAA,KAAa,OAAA;AAG7B,EAAA,MAAM,EAAA,GAAK,UAAA,GAAa,aAAA,GAAgB,OAAA,GAAU,aAAA,GAAgB,SAAA;AAElE,EAAA,MAAM,MAAA,GAAS,EAAA;AAEf,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,OAAA,GAAU,OAAA,GAAU,MAAA,GAAS,MAAA;AAEvD,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,SAAA,G
AAY,OAAA,GAAU,YAAA,GAAe,SAAA;AAE/D,EAAA,MAAM,IAAA,GAAO,eAAA;AAEb,EAAA,OAAO;AAAA;AAAA;AAAA;AAAA,IAIN,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAMN,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAA,EAQF,MAAM,CAAA;AAAA,kBAAA,EACN,MAAM,CAAA;AAAA,kBAAA,EACN,IAAI,CAAA;AAAA,kBAAA,EACJ,EAAE,CAAA;AAAA,kBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMpB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA;AAAA,cAAA,EACJ,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,EAAE,CAAA;AAAA,gBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAML,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAOJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAIL,EAAE,CAAA;AAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAOjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,mBAAA,EAID,IAAI,CAAA;AAAA,mBAAA,EACJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,MAAA,GAAS,GAAG,CAAA;AAAA;AAAA;AAAA,mBAAA,EAGlD,EAAE,CAAA;AAAA,mBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMrB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA,aAAA,EAGP,EAAE,CAAA;AAAA,aAAA,EACF,IAAI,CAAA;AAAA,aAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8BAAA,EAMU,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA;AAAA;AAAA,8BAAA,EAGJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,8BAAA,EACnD,IAAI,CAAA;AAAA,8BAAA,EACJ,EAAE,CAAA;AAAA,8BAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhC,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAA,EAQQ,EAAE,CAAA;AAAA,4BAAA,EACF,MAAM,CAAA;AAAA,4BAAA,EACN,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAM9B,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAAA,EAUK,
EAAE,CAAA;AAAA,yBAAA,EACF,EAAE,CAAA;AAAA,CAAA;AAAA,GAE5B;AACD;AAqBA,eAAsB,YAAA,CACrB,IACA,QAAA,EACgB;AAChB,EAAA,MAAM,UAAA,GAAa,gBAAgB,QAAQ,CAAA;AAE3C,EAAA,IAAI,aAAa,QAAA,EAAU;AAK1B,IAAA,MAAM,UAAW,EAAA,CAAW,OAAA;AAC5B,IAAA,IAAI,OAAA,EAAS,QAAQ,IAAA,EAAM;AAG1B,MAAA,OAAA,CAAQ,OAAO,IAAA,CAAK,CAAA,EAAG,WAAW,IAAA,CAAK,KAAK,CAAC,CAAA,CAAA,CAAG,CAAA;AAChD,MAAA;AAAA,IACD;AAGA,IAAA,MAAMC,MAAAA,GAAQ,EAAA;AACd,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAMA,MAAAA,CAAM,IAAI,GAAG,CAAA;AAAA,IACpB;AACA,IAAA;AAAA,EACD;AAMA,EAAA,MAAM,KAAA,GAAQ,EAAA;AAEd,EAAA,IAAI,aAAa,UAAA,EAAY;AAG5B,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,MAAM,GAAG,CAAA;AAAA,IACvB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,IAAI,aAAa,OAAA,EAAS;AAEzB,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,QAAQ,GAAG,CAAA;AAAA,IACzB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,QAAQ,CAAA,CAAA,CAAG,CAAA;AACnE;ACpRA,SAAS,kBAAA,CAAmB,aAA2B,UAAA,EAAmC;AACzF,EAAA,KAAA,MAAW,aAAa,UAAA,EAAY;AACnC,IAAA,MAAM,WAAA,GAAc,WAAA,CAAY,IAAA,CAAK,CAAC,CAAA,KAAM;AAE3C,MAAA,IAAI,CAAC,gBAAA,CAAiB,CAAA,CAAE,UAAU,SAAA,CAAU,QAAQ,GAAG,OAAO,KAAA;AAG9D,MAAA,KAAA,MAAW,MAAA,IAAU,UAAU,OAAA,EAAS;AACvC,QAAA,IAAI,CAAC,CAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,MAAM,CAAA,IAAK,CAAC,CAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,KAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA;AAED,IAAA,IAAI,CAAC,aAAa,OAAO,KAAA;AAAA,EAC1B;AAEA,EAAA,OAAO,IAAA;AACR;AAQA,SAAS,gBAAA,CAAiB,gBAAwB,aAAA,EAAgC;AACjF,EAAA,IAAI,cAAA,KAAmB,KAAK,OAAO,IAAA;AACnC,EAAA,IAAI,cAAA,KAAmB,eAAe,OAAO,IAAA;AAE7C,EAAA,MAAM,WAAA,GAAc,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,KAAA,CAAM,GAAG,CAAA;AAE1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAA
A,CAAY,QAAQ,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,WAAA,CAAY,CAAC,CAAA,KAAM,GAAA,EAAK,OAAO,IAAA;AACnC,IAAA,IAAI,YAAY,CAAC,CAAA,KAAM,UAAA,CAAW,CAAC,GAAG,OAAO,KAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,WAAA,CAAY,UAAU,UAAA,CAAW,MAAA;AACzC;AAMO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,QAAA,CACd,OACA,iBAAA,EAC2B;AAE3B,IAAA,IAAI,CAAC,kBAAA,CAAmB,iBAAA,EAAmB,KAAA,CAAM,WAAW,CAAA,EAAG;AAC9D,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD;AAGA,IAAA,MAAM,iBAAiB,MAAM,EAAA,CAC3B,QAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACA,GAAA,CAAI,EAAA,CAAG,gBAAA,CAAiB,SAAA,EAAW,KAAA,CAAM,SAAS,CAAA,EAAG,EAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ,CAAC;AAAA,KAC3F;AAED,IAAA,MAAM,YAAA,GACL,cAAA,CAAe,MAAA,GAAS,CAAA,GAAI,KAAK,GAAA,CAAI,GAAG,cAAA,CAAe,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,KAAK,CAAC,IAAI,CAAA,GAAI,CAAA;AAEnF,IAAA,MAAM,QAAA,GAAW,MAAM,QAAA,IAAY,CAAA;AAEnC,IAAA,IAAI,eAAe,QAAA,EAAU;AAC5B,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,iBAAA,EAAoB,YAAY,CAAA,kCAAA,EAAqC,QAAQ,CAAA,2CAAA;AAAA,OAE9E;AAAA,IACD;AAEA,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,gBAAgB,CAAA,CAAE,MAAA,CAAO;AAAA,MACxC,EAAA;AAAA,MACA,aAAa,KAAA,CAAM,SAAA;AAAA,MACnB,WAAW,KAAA,CAAM,OAAA;AAAA,MACjB,WAAA,EAAa,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QAC1C,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,SAAS,CAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,KAAA,EAAO,YAAA;AAAA,MACP,QAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,KAAA,EAAO,YAAA;AAAA,MACP,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAKA,EAAA,eAAe,iBAAiB,OAAA,EAAgC;AAC/D,IAAA,MAAM,QAAQ,MAAM,EAAA,CAClB,MAAA,EAAO,CACP,KAAK,gBAAgB,CAAA,CACrB,KAAA,CAAM,EAAA,CAAG,iBAAiB,EAAA,EAAI,OAAO,CAAC,CAAA,CACtC,MAAM,CAAC,CAAA;AAET,IAAA,IAAI,CAAC,MAAM,CAAC,CAAA,QAAS,IAAI,KAAA,CAAM,CAAA,iBAAA,EAAoB,OAAO,CAAA,WAAA,CAAa,CAAA;AAGvE,IAAA,MAAM,EAAA,CACJ,
MAAA,CAAO,gBAAgB,CAAA,CACvB,IAAI,EAAE,MAAA,EAAQ,SAAA,EAAW,EACzB,KAAA,CAAM,EAAA,CAAG,gBAAA,CAAiB,EAAA,EAAI,OAAO,CAAC,CAAA;AAGxC,IAAA,MAAM,cAAc,MAAM,EAAA,CACxB,QAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACA,GAAA;AAAA,QACC,GAAG,gBAAA,CAAiB,WAAA,EAAa,KAAA,CAAM,CAAC,EAAE,SAAS,CAAA;AAAA,QACnD,EAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ;AAAA;AACrC,KACD;AAED,IAAA,KAAA,MAAW,SAAS,WAAA,EAAa;AAChC,MAAA,MAAM,gBAAA,CAAiB,MAAM,EAAE,CAAA;AAAA,IAChC;AAAA,EACD;AAKA,EAAA,eAAe,wBAAwB,OAAA,EAAwC;AAC9E,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,GACA,IAAA,CAAK,gBAAgB,EACrB,KAAA,CAAM,GAAA,CAAI,GAAG,gBAAA,CAAiB,SAAA,EAAW,OAAO,CAAA,EAAG,EAAA,CAAG,iBAAiB,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAG3F,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,eAAe,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAG3D,IAAA,MAAM,iBAA+B,EAAC;AACtC,IAAA,KAAA,MAAW,SAAS,YAAA,EAAc;AACjC,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,WAAA,EAAa;AACrC,QAAA,cAAA,CAAe,IAAA,CAAK;AAAA,UACnB,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,SAAS,IAAA,CAAK;AAAA,SACd,CAAA;AAAA,MACF;AAAA,IACD;AAEA,IAAA,OAAO,cAAA;AAAA,EACR;AAKA,EAAA,eAAe,WAAW,OAAA,EAA6C;AACtE,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,EAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA,CAAM,EAAA,CAAG,gBAAA,CAAiB,WAAA,EAAa,OAAO,CAAC,CAAA;AAEjD,IAAA,OAAO,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACzB,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,WAAW,CAAA,CAAE,WAAA;AAAA,MACb,SAAS,CAAA,CAAE,SAAA;AAAA,MACX,WAAA,EAAa,CAAA,CAAE,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,QACtC,UAAU,CAAA,CAAE,QAAA;AAAA,QACZ,SAAS,CAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,WAAW,CAAA,CAAE,SAAA;AAAA,MACb,OAAO,CAAA,CAAE,KAAA;AAAA,MACT,WAAW,CAAA,CAAE;AAAA,KACd,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,EAAE,QAAA,EAAU,gBAAA,EAAkB,uBAAA,EAAyB,UAAA,EAAW;AAC1E;ACtGA,IAAM,uBAAA,GAA0B,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA;AAYxC,SAAS,oBAAA,CAAqB,QAAuB,EAAA,EAA8B;AACzF,EAAA,IAAI,CAAC,MAAA,CAAO,MAAA,IAAU,MAAA,CAAO,MAAA,CAAO,SAAS,EAAA,EAAI;AAChD,IAAA,MAAM,IAAI,MAAM,wDAAwD,CAAA;AAAA,EACzE;AAEA,EAAA,MAAM,MAAA,GAAS,OAAO,MAAA,IAAU,uBAAA;AAChC,EAAA,MAAM,WAAW,IAAI,WAAA,EAAY,CAAE,MAAA,C
AAO,OAAO,MAAM,CAAA;AACvD,EAAA,MAAM,SAAA,GAAY,gBAAgB,QAAQ,CAAA;AAI1C,EAAA,SAAS,aAAa,GAAA,EAMV;AACX,IAAA,OAAO;AAAA,MACN,IAAI,GAAA,CAAI,EAAA;AAAA,MACR,QAAQ,GAAA,CAAI,MAAA;AAAA,MACZ,WAAW,GAAA,CAAI,SAAA;AAAA,MACf,WAAW,GAAA,CAAI,SAAA;AAAA,MACf,GAAI,GAAA,CAAI,QAAA,KAAa,QAAQ,EAAE,QAAA,EAAU,IAAI,QAAA;AAAS,KACvD;AAAA,EACD;AAIA,EAAA,eAAe,MAAA,CACd,QACA,QAAA,EAC+C;AAC/C,IAAA,MAAM,KAAKC,UAAAA,EAAW;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,SAAS,GAAI,CAAA;AAExD,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,QAAQ,CAAA,CAAE,MAAA,CAAO;AAAA,MAChC,EAAA;AAAA,MACA,MAAA;AAAA,MACA,SAAA;AAAA,MACA,UAAU,QAAA,IAAY,IAAA;AAAA,MACtB,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,MAAM,KAAA,GAAQ,MAAM,IAAI,OAAA,CAAQ,EAAE,GAAA,EAAK,EAAA,EAAI,CAAA,CACzC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,CAAA,CACnC,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,SAAA,CAAU,OAAA,EAAQ,GAAI,GAAI,CAAC,CAAA,CACxD,IAAA,CAAK,SAAS,CAAA;AAEhB,IAAA,MAAM,OAAA,GAAmB;AAAA,MACxB,EAAA;AAAA,MACA,MAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA,EAAW,GAAA;AAAA,MACX,GAAI,QAAA,KAAa,MAAA,IAAa,EAAE,QAAA;AAAS,KAC1C;AAEA,IAAA,OAAO,EAAE,SAAS,KAAA,EAAM;AAAA,EACzB;AAEA,EAAA,eAAe,SAAS,KAAA,EAAwC;AAC/D,IAAA,IAAI,SAAA;AAEJ,IAAA,IAAI;AACH,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,OAAO,SAAS,CAAA;AACpD,MAAA,IAAI,OAAO,OAAA,CAAQ,GAAA,KAAQ,YAAY,CAAC,OAAA,CAAQ,KAAK,OAAO,IAAA;AAC5D,MAAA,SAAA,GAAY,OAAA,CAAQ,GAAA;AAAA,IACrB,CAAA,CAAA,MAAQ;AACP,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,GACA,IAAA,CAAK,QAAQ,CAAA,CACb,KAAA,CAAMC,IAAIC,EAAAA,CAAG,QAAA,CAAS,EAAA,EAAI,SAAS,CAAC,CAAC,CAAA;AAEvC,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAIjB,IAAA,IAAI,GAAA,CAAI,aAAa,GAAA,EAAK;AAEzB,MAAA,MAAM,EAAA,CAAG,OAAO,QAAQ,CAAA,CAAE,MAAMA,EAAAA,CAAG,QAAA,CAAS,EAAA,EAAI,SAAS,CAAC,CAAA;AAC1D,MAAA,OAAO,IAAA;AAAA,IACR;AAEA,IAAA,OAAO,aAAa,GAAG,CAAA;AAAA,EACxB;AAEA,EAAA,eAAe,OAAO,SAAA,EAAkC;AACvD,IAAA,MAAM,EAAA,CAAG,OAAO,QAAQ,CAAA,CAAE,MAAMA,EAAAA,CAAG,QAAA,CAAS,EAAA,EAAI,SAAS,C
AAC,CAAA;AAAA,EAC3D;AAEA,EAAA,eAAe,UAAU,MAAA,EAA+B;AACvD,IAAA,MAAM,EAAA,CAAG,OAAO,QAAQ,CAAA,CAAE,MAAMA,EAAAA,CAAG,QAAA,CAAS,MAAA,EAAQ,MAAM,CAAC,CAAA;AAAA,EAC5D;AAEA,EAAA,eAAe,KAAK,MAAA,EAAoC;AACvD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,GACA,IAAA,CAAK,QAAQ,CAAA,CACb,KAAA,CAAMD,IAAIC,EAAAA,CAAG,QAAA,CAAS,MAAA,EAAQ,MAAM,CAAC,CAAC,CAAA;AAIxC,IAAA,OAAO,IAAA,CACL,OAAO,CAAC,GAAA,KAAQ,IAAI,SAAA,GAAY,GAAG,CAAA,CACnC,IAAA,CAAK,CAAC,CAAA,EAAG,MAAM,CAAA,CAAE,SAAA,CAAU,SAAQ,GAAI,CAAA,CAAE,UAAU,OAAA,EAAS,CAAA,CAC5D,GAAA,CAAI,YAAY,CAAA;AAAA,EACnB;AAEA,EAAA,OAAO,EAAE,MAAA,EAAQ,QAAA,EAAU,MAAA,EAAQ,WAAW,IAAA,EAAK;AACpD;;;AClLA,eAAsB,aAAa,MAAA,EAAsB;AACxD,EAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,EAAM,OAAA,IAAW,IAAA;AAE5C,EAAA,MAAM,EAAA,GAAK,MAAM,cAAA,CAAe,MAAA,CAAO,QAAQ,CAAA;AAI/C,EAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,cAAA,EAAgB;AACpC,IAAA,MAAM,YAAA,CAAa,EAAA,EAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA;AAAA,EAChD;AAEA,EAAA,MAAM,WAAA,GAAc;AAAA,IACnB,EAAA;AAAA,IACA,UAAA,EAAY,MAAA,CAAO,MAAA,EAAQ,UAAA,IAAc,EAAA;AAAA,IACzC,kBAAA,EAAoB,MAAA,CAAO,MAAA,EAAQ,kBAAA,IAAsB,EAAC;AAAA,IAC1D,WAAA,EAAa,MAAA,CAAO,MAAA,EAAQ,WAAA,IAAe;AAAA,GAC5C;AAEA,EAAA,MAAM,WAAA,GAAc,kBAAkB,WAAW,CAAA;AAEjD,EAAA,MAAM,mBAAmB,sBAAA,CAAuB;AAAA,IAC/C,EAAA;AAAA,IACA,QAAA,EAAU,MAAA,CAAO,MAAA,EAAQ,QAAA,IAAY;AAAA,GACrC,CAAA;AAED,EAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,EAAE,EAAA,EAAI,CAAA;AAE5C,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,EAAE,EAAA,EAAI,CAAA;AAGtD,EAAA,MAAM,cAAA,GAAwC,OAAO,IAAA,EAAM,OAAA,GACxD,qBAAqB,MAAA,CAAO,IAAA,CAAK,OAAA,EAAS,EAAE,CAAA,GAC5C,IAAA;AAGH,EAAA,eAAe,SAAA,CACd,OAAA,EACA,OAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,GAAA,CAAI,OAAO,CAAA;AAC3C,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,UAAU,OAAO,CAAA,WAAA,CAAA;AAAA,QACzB,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,IAAI,KAAA,CAAM,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,QAAQ,CAAA,OAAA,EAAU,KAAA,CAAM,IAAI,CAAA,KAAA,EAAQ,MAAM,MAAM,CAAA,CAAA;AAAA,QAChD,OAAA,EAAS;AAAA,OACV;
AAAA,IACD;AAEA,IAAA,MAAM,kBAAoC,OAAA,GAAU,EAAE,GAAG,OAAA,EAAS,SAAQ,GAAI,OAAA;AAG9E,IAAA,MAAM,SAAA,GAAY,MAAM,gBAAA,CAAiB,SAAA,CAAU,OAAO,eAAe,CAAA;AACzE,IAAA,IAAI,SAAA,CAAU,SAAS,OAAO,SAAA;AAG9B,IAAA,MAAM,cAAA,GAAiB,MAAM,gBAAA,CAAiB,uBAAA,CAAwB,OAAO,CAAA;AAC7E,IAAA,IAAI,cAAA,CAAe,MAAA,KAAW,CAAA,EAAG,OAAO,SAAA;AAGxC,IAAA,MAAM,kBAAA,GAAqB,EAAE,GAAG,KAAA,EAAO,aAAa,cAAA,EAAe;AACnE,IAAA,MAAM,eAAA,GAAkB,MAAM,gBAAA,CAAiB,SAAA,CAAU,oBAAoB,eAAe,CAAA;AAC5F,IAAA,IAAI,eAAA,CAAgB,SAAS,OAAO,eAAA;AAGpC,IAAA,OAAO,SAAA;AAAA,EACR;AAGA,EAAA,eAAe,gBAAA,CACd,KAAA,EACA,OAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,aAAA,CAAc,KAAK,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,gCAAA;AAAA,QACR,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,MAAM,kBAAoC,OAAA,GAAU,EAAE,GAAG,OAAA,EAAS,SAAQ,GAAI,OAAA;AAC9E,IAAA,OAAO,gBAAA,CAAiB,SAAA,CAAU,KAAA,EAAO,eAAe,CAAA;AAAA,EACzD;AAGA,EAAA,eAAe,SAAS,KAAA,EAAgD;AACvE,IAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,GAAA,CAAI,MAAM,SAAS,CAAA;AACzD,IAAA,IAAI,CAAC,aAAa,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,KAAA,CAAM,SAAS,CAAA,WAAA,CAAa,CAAA;AAC/E,IAAA,IAAI,WAAA,CAAY,WAAW,QAAA,EAAU;AACpC,MAAA,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,WAAA,CAAY,IAAI,CAAA,KAAA,EAAQ,WAAA,CAAY,MAAM,CAAA,CAAE,CAAA;AAAA,IAC9E;AACA,IAAA,OAAO,gBAAA,CAAiB,QAAA,CAAS,KAAA,EAAO,WAAA,CAAY,WAAW,CAAA;AAAA,EAChE;AAIA,EAAA,MAAM,WAAA,GAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOnB,MAAM,SAAS,KAAA,EAA2C;AACzD,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,MAAM,KAAKF,UAAAA,EAAW;AAEtB,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,QAClC,EAAA;AAAA,QACA,MAAM,KAAA,CAAM,IAAA;AAAA,QACZ,UAAU,KAAA,CAAM,QAAA;AAAA,QAChB,OAAO,KAAA,CAAM,KAAA;AAAA,QACb,YAAA,EAAc,MAAM,YAAA,IAAgB,IAAA;AAAA,QACpC,YAAA,EAAc,KAAA,CAAM,SAAA,EAAW,GAAA,IAAO,IAAA;AAAA,QACtC,MAAA,EAAQ,QAAA;AAAA,QACR,SAAA,EAAW,GAAA;AAAA,QACX,SAAA,EAAW;AAAA,OACX,CAAA;AAED,MAAA,OAAO;AAAA,QACN,EAAA;AAAA,QACA,MAAM,KAAA,CAAM,IAAA;AAAA,QACZ,UAAU,KAAA,CAAM,QAAA;AAAA,QAChB,OAAO,KAAA,CAAM,KAAA;AAAA,QACb,YAAA,EAAc,MAAM,YAAA,IAAgB,IAAA;AAA
A,QACpC,SAAA,EAAW;AAAA,OACZ;AAAA,IACD,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,IAAA,GAA6B;AAClC,MAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,UAAU,CAAA;AAC9C,MAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,GAAA,MAAS;AAAA,QACzB,IAAI,GAAA,CAAI,EAAA;AAAA,QACR,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,cAAc,GAAA,CAAI,YAAA;AAAA,QAClB,WAAW,GAAA,CAAI;AAAA,OAChB,CAAE,CAAA;AAAA,IACH,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,IAAI,EAAA,EAAuC;AAChD,MAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,UAAU,CAAA,CAAE,KAAA,CAAME,EAAAA,CAAG,UAAA,CAAW,EAAA,EAAI,EAAE,CAAC,CAAA;AAC3E,MAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,MAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,MAAA,OAAO;AAAA,QACN,IAAI,GAAA,CAAI,EAAA;AAAA,QACR,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,cAAc,GAAA,CAAI,YAAA;AAAA,QAClB,WAAW,GAAA,CAAI;AAAA,OAChB;AAAA,IACD;AAAA,GACD;AAEA,EAAA,OAAO;AAAA,IACN,KAAA,EAAO;AAAA,MACN,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,KAAK,WAAA,CAAY,GAAA;AAAA,MACjB,MAAM,WAAA,CAAY,IAAA;AAAA,MAClB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,QAAQ,WAAA,CAAY,MAAA;AAAA,MACpB,eAAe,WAAA,CAAY;AAAA,KAC5B;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA,EAAY;AAAA,MACX,QAAQ,gBAAA,CAAiB,gBAAA;AAAA,MACzB,yBAAyB,gBAAA,CAAiB,uBAAA;AAAA,MAC1C,YAAY,gBAAA,CAAiB;AAAA,KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACN,KAAA,EAAO,CAAC,MAAA,KAAwB,WAAA,CAAY,MAAM,MAAM,CAAA;AAAA,MACxD,MAAA,EAAQ,CAAC,OAAA,KAAgC,WAAA,CAAY,OAAO,OAAO,CAAA;AAAA,MACnE,OAAA,EAAS,CAAC,OAAA,KAAuC,WAAA,CAAY,QAAQ,OAAO;AAAA,KAC7E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,GAAA,EAAK,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBL,IAAA,EAAM;AAAA,MACL,MAAM,YAAY,OAAA,EAAgD;AACjE,QAAA,IAAI,CAAC,aAAa,OAAO,IAAA;AACzB,QAAA,OAAO,WAAA,CAAY,YAAY,OAAO,CAAA;AAAA,MACvC,CAAA;AAAA,MACA,OAAA,EAAS;AAAA,KACV;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,MAAM,YAAY,OAAA,EAAgD;AACjE,MAAA,IAAI,CAAC,aAAa,OAAO,IAAA;AACzB,MAAA,OAAO,WAAA,CAAY,YAAY,OAAO,CAAA;AAAA,IA
CvC,CAAA;AAAA;AAAA,IAEA;AAAA,GACD;AACD;;;AC7OO,SAAS,oBAAoB,OAAA,EAA+D;AAClG,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,uBAAA;AACpC,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,OAAA;AAEpC,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,OAAA;AAAA,IACT,IAAA,EAAM;AAAA,MACL,KAAA,EAAO,cAAA;AAAA,MACP,OAAA;AAAA,MACA,WAAA,EACC;AAAA,KACF;AAAA,IACA,SAAS,CAAC,EAAE,KAAK,OAAA,EAAS,WAAA,EAAa,uBAAuB,CAAA;AAAA,IAC9D,KAAA,EAAO;AAAA,MACN,SAAA,EAAW;AAAA,QACV,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,qCAAA;AAAsC;AACvD;AACD,aACD;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,eAAA,EAAgB;AAAA,YACtC,KAAA,EAAO,EAAE,WAAA,EAAa,8BAAA;AAA+B;AACtD,SACD;AAAA,QACA,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,aAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA;AAAE,aAClE;AAAA,YACA;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA;AAAE;AACxE,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,gBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,8BAA6B;AAAE;AACxE;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,iBAAA;AAAA,UACT,WAAA,EAAa,UAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAA
I,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE,aACnF;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAA;AAAkB;AACzC,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE;AACnF;AACD,SACD;AAAA,QACA,MAAA,EAAQ;AAAA,UACP,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAW,EAAE,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAgB;AAAE;AACtD,OACD;AAAA,MACA,qBAAA,EAAuB;AAAA,QACtB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,kBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,uCAAsC;AAAE;AAC/E;AACD;AACD;AACD,OACD;AAAA,MACA,YAAA,EAAc;AAAA,QACb,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,2BAAA;AAAA,UACT,WAAA,EAAa,WAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,
WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,kBAAA,EAAoB;AAAA,QACnB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,0BAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,kBAAA,EAAoB;AAAA,gBACnB,MAAA,EAAQ;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,UAAA,EAAY;AAAA,oBACX,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS,mBAC7B;AAAA,kBACA,QAAA,EAAU,CAAC,QAAA,EAAU,UAAU;AAAA;AAChC;AACD;AACD,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,QAAA,EAAU;AAAA,QACT,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,kBAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,OAAO,CAAA;AAAA,UACd,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC5E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,IAAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA;AAAE,aACvE;AAAA,YACA,EAAE,IAAA,EAAM,OAAA,EAAS,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAU,EAAE;AAAA,YAC3E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,E
AAQ,EAAE,IAAA,EAAM,SAAA,EAAU;AAAE,WAC7E;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,mBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAC7E;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,yBAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,YAAY,CAAA;AAAA,UACnB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,sCAAqC;AAAE;AAC9E,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,oBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD;AACD,KACD;AAAA,IACA,UAAA,EAAY;AAAA,MACX,OAAA,EAAS;AAAA,QACR,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,MAAA,EAAQ,QAAQ,aAAa,CAAA;AAAA,UACnD,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA
,EAAE;AAAA,YACjE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,cAAA,EAAgB;AAAA,UACf,IAAA,EAAM,QAAA;AAAA,UACN,WAAA,EAAa,gEAAA;AAAA,UACb,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,KAAA,EAAO;AAAA,cACN,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EACC;AAAA,aACF;AAAA,YACA,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAClF,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,UAAA,EAAY,SAAS,CAAA;AAAA,UAChC,UAAA,EAAY;AAAA,YACX,QAAA,EAAU;AAAA,cACT,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EAAa;AAAA,aACd;AAAA,YACA,OAAA,EAAS;AAAA,cACR,IAAA,EAAM,OAAA;AAAA,cACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cACxB,WAAA,EAAa;AAAA,aACd;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,4CAAA;AAA6C;AACnE,SACD;AAAA,QACA,qBAAA,EAAuB;AAAA,UACtB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC,kBAAA,EAAoB,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,YAC/D,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC,UAAA,EAAY;AAAA,cACX,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACX,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA,EAAe;AAAA,gBACrD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACpD,aACD;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACzD,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,QAAA,EAAU,UAAU,CAAA;AAAA,UAC1C,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAA
Y;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC3B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,IAAA,EAAK;AAAA,YACzC,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA;AAAS;AAC3B,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,UAAA,EAAY,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC7B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAE;AAAA,YACtE,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC9B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,aAAA,EAAe;AAAA,UACd,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,WAAA,EAAa,SAAA,EAAW,eAAe,WAAW,CAAA;AAAA,UAC7D,UAAA,EAAY;AAAA,YACX,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,QAAA,EAAU,EAAE,IAAA,EAAM,SAAA;AAAU;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,KAAA,EAAO,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACzB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD;AACD,OACD;AAAA,MACA,eAAA,EAAiB;AAAA,QAChB,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA,SACf;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA;AACf;AACD;AACD,GACD;AACD","file":"index.js","sourcesContent":["import BetterSqlite3 from \"better-sqlite3\";\nimport type { BetterSQLite3Database } from 
\"drizzle-orm/better-sqlite3\";\nimport { drizzle as drizzleSqlite } from \"drizzle-orm/better-sqlite3\";\nimport * as schema from \"./schema.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Type definitions\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * The fully-typed SQLite Drizzle database.\n * Postgres and MySQL connections are represented as `AnyDatabase` at the\n * adapter boundary because drizzle-orm exposes separate schema builders\n * (pg-core / mysql-core) that are incompatible with the SQLite schema\n * defined in schema.ts. Full multi-dialect Drizzle schema support is\n * planned for v0.2.0.\n */\nexport type Database = BetterSQLite3Database<typeof schema>;\n\n/**\n * A wider union used internally when the provider is postgres or mysql.\n * Using `unknown` with a discriminated tag keeps `any` contained to a\n * single adapter-boundary cast below.\n */\nexport type AnyDatabase =\n\t| { provider: \"sqlite\"; db: Database }\n\t| { provider: \"postgres\"; db: PostgresDatabase }\n\t| { provider: \"mysql\"; db: MySQLDatabase };\n\n// Import types lazily so the drivers stay optional peer deps.\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype PostgresDatabase = any;\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype MySQLDatabase = any;\n\nexport interface DatabaseConfig {\n\tprovider: \"sqlite\" | \"postgres\" | \"mysql\";\n\turl: string;\n\t/** Skip automatic table creation on init (default: false) */\n\tskipMigrations?: boolean;\n}\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Factory\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create a database connection.\n *\n * - **SQLite** – fully typed Drizzle ORM via 
`better-sqlite3` (current default).\n * - **Postgres** – Drizzle connection via `drizzle-orm/node-postgres` + `pg` (peer dep).\n * - **MySQL** – Drizzle connection via `drizzle-orm/mysql2` + `mysql2` (peer dep).\n *\n * For Postgres and MySQL the return value is typed as `Database` for source\n * compatibility; the underlying Drizzle instance is created against the\n * correct driver. Full pg-core / mysql-core schema typings are planned for v0.2.0.\n */\nexport async function createDatabase(config: DatabaseConfig): Promise<Database> {\n\tif (config.provider === \"sqlite\") {\n\t\tconst sqlite = new BetterSqlite3(config.url);\n\t\tsqlite.pragma(\"journal_mode = WAL\");\n\t\tsqlite.pragma(\"foreign_keys = ON\");\n\t\treturn drizzleSqlite(sqlite, { schema });\n\t}\n\n\tif (config.provider === \"postgres\") {\n\t\t// Dynamic import keeps `pg` an optional peer dep.\n\t\tconst { Pool } = await import(\"pg\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"postgres\" requires the \"pg\" package. ' +\n\t\t\t\t\t\"Install it with: npm install pg\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/node-postgres\");\n\n\t\tconst pool = new Pool({ connectionString: config.url });\n\t\t// Cast to Database for API compatibility; full pg schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tif (config.provider === \"mysql\") {\n\t\t// Dynamic import keeps `mysql2` an optional peer dep.\n\t\tconst mysql2 = await import(\"mysql2/promise\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"mysql\" requires the \"mysql2\" package. 
' +\n\t\t\t\t\t\"Install it with: npm install mysql2\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/mysql2\");\n\n\t\tconst pool = mysql2.createPool(config.url);\n\t\t// Cast to Database for API compatibility; full mysql-core schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tthrow new Error(\n\t\t`KavachOS: unsupported database provider \"${(config as DatabaseConfig).provider}\". ` +\n\t\t\t'Valid values are \"sqlite\", \"postgres\", \"mysql\".',\n\t);\n}\n\n/**\n * Synchronous SQLite-only factory kept for backwards compatibility with code\n * that cannot use async initialisation. Throws if a non-SQLite provider is\n * supplied.\n *\n * @deprecated Prefer the async `createDatabase()` which supports all providers.\n */\nexport function createDatabaseSync(config: DatabaseConfig): Database {\n\tif (config.provider !== \"sqlite\") {\n\t\tthrow new Error(\n\t\t\t`createDatabaseSync() only supports SQLite. 
` +\n\t\t\t\t`Use the async createDatabase() for provider \"${config.provider}\".`,\n\t\t);\n\t}\n\tconst sqlite = new BetterSqlite3(config.url);\n\tsqlite.pragma(\"journal_mode = WAL\");\n\tsqlite.pragma(\"foreign_keys = ON\");\n\treturn drizzleSqlite(sqlite, { schema });\n}\n","import type { Database, DatabaseConfig } from \"./database.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Per-provider DDL helpers\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Returns CREATE TABLE statements for all 10 KavachOS tables, adapted to the\n * target SQL dialect.\n *\n * Dialect differences handled here:\n * - **Timestamps** – SQLite stores as INTEGER (Unix ms); Postgres uses\n * TIMESTAMPTZ; MySQL uses DATETIME(3).\n * - **JSON columns** – SQLite stores as TEXT; Postgres uses JSONB;\n * MySQL uses JSON.\n * - **Booleans** – SQLite stores as INTEGER (0/1); Postgres uses BOOLEAN;\n * MySQL uses TINYINT(1).\n * - **Auto-increment** – Not used here (IDs are application-generated UUIDs /\n * nanoids), so no SERIAL vs AUTO_INCREMENT difference applies.\n */\nfunction buildStatements(provider: DatabaseConfig[\"provider\"]): string[] {\n\tconst isPostgres = provider === \"postgres\";\n\tconst isMysql = provider === \"mysql\";\n\n\t// Timestamp column type\n\tconst ts = isPostgres ? \"TIMESTAMPTZ\" : isMysql ? \"DATETIME(3)\" : \"INTEGER\";\n\t// Nullable timestamp (same type, just no NOT NULL)\n\tconst tsNull = ts;\n\t// JSON column type\n\tconst json = isPostgres ? \"JSONB\" : isMysql ? \"JSON\" : \"TEXT\";\n\t// Boolean column type\n\tconst bool = isPostgres ? \"BOOLEAN\" : isMysql ? 
\"TINYINT(1)\" : \"INTEGER\";\n\t// IF NOT EXISTS is universally supported\n\tconst ifne = \"IF NOT EXISTS\";\n\n\treturn [\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_users\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_users (\n id TEXT NOT NULL PRIMARY KEY,\n email TEXT NOT NULL UNIQUE,\n name TEXT,\n external_id TEXT,\n external_provider TEXT,\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_agents\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_agents (\n id TEXT NOT NULL PRIMARY KEY,\n owner_id TEXT NOT NULL REFERENCES kavach_users(id),\n name TEXT NOT NULL,\n type TEXT NOT NULL,\n status TEXT NOT NULL DEFAULT 'active',\n token_hash TEXT NOT NULL,\n token_prefix TEXT NOT NULL,\n expires_at ${tsNull},\n last_active_at ${tsNull},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_permissions\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_permissions (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n actions ${json} NOT NULL,\n constraints ${json},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_delegation_chains\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_delegation_chains (\n id TEXT NOT NULL PRIMARY KEY,\n from_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n to_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n permissions ${json} NOT NULL,\n depth INTEGER 
NOT NULL DEFAULT 1,\n max_depth INTEGER NOT NULL DEFAULT 3,\n status TEXT NOT NULL DEFAULT 'active',\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_audit_logs\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_audit_logs (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n action TEXT NOT NULL,\n resource TEXT NOT NULL,\n parameters ${json},\n result TEXT NOT NULL,\n reason TEXT,\n duration_ms INTEGER NOT NULL,\n tokens_cost INTEGER,\n ip TEXT,\n user_agent TEXT,\n timestamp ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_rate_limits\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_rate_limits (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n window_start ${ts} NOT NULL,\n count INTEGER NOT NULL DEFAULT 0\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_mcp_servers\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_mcp_servers (\n id TEXT NOT NULL PRIMARY KEY,\n name TEXT NOT NULL,\n endpoint TEXT NOT NULL UNIQUE,\n tools ${json} NOT NULL,\n auth_required ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"TRUE\" : \"1\"},\n rate_limit_rpm INTEGER,\n status TEXT NOT NULL DEFAULT 'active',\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_sessions\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_sessions (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n expires_at ${ts} NOT NULL,\n metadata ${json},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_clients\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_clients (\n id TEXT NOT NULL PRIMARY KEY,\n client_id TEXT NOT NULL UNIQUE,\n client_secret TEXT,\n client_name TEXT,\n client_uri TEXT,\n redirect_uris ${json} NOT NULL,\n grant_types ${json} NOT NULL,\n response_types ${json} NOT NULL,\n token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_basic',\n type TEXT NOT NULL DEFAULT 'confidential',\n disabled ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_access_tokens\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_access_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n access_token TEXT NOT NULL UNIQUE,\n refresh_token TEXT UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n scopes TEXT NOT NULL,\n resource TEXT,\n access_token_expires_at ${ts} NOT NULL,\n refresh_token_expires_at ${tsNull},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_authorization_codes\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_authorization_codes (\n id TEXT NOT NULL PRIMARY KEY,\n code TEXT NOT NULL UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n redirect_uri TEXT NOT NULL,\n scopes TEXT NOT NULL,\n code_challenge TEXT,\n code_challenge_method TEXT,\n resource TEXT,\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\t];\n}\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Public API\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create all KavachOS tables if they do not already exist.\n *\n * Uses `CREATE TABLE IF NOT EXISTS` so it is safe to call on every startup.\n * Tables are created in dependency order (no forward-reference FK issues).\n *\n * @param db Drizzle database instance returned by `createDatabase()`.\n * @param provider The database provider used to build the correct DDL syntax.\n *\n * @example\n * ```typescript\n * const db = await createDatabase({ 
provider: 'postgres', url: process.env.DATABASE_URL });\n * await createTables(db, 'postgres');\n * ```\n */\nexport async function createTables(\n\tdb: Database,\n\tprovider: DatabaseConfig[\"provider\"],\n): Promise<void> {\n\tconst statements = buildStatements(provider);\n\n\tif (provider === \"sqlite\") {\n\t\t// SQLite Drizzle exposes the underlying better-sqlite3 instance via\n\t\t// the `session` property. We use it for synchronous multi-statement\n\t\t// execution which is the most reliable path for DDL on SQLite.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: accessing internal drizzle session for raw DDL\n\t\tconst session = (db as any).session;\n\t\tif (session?.client?.exec) {\n\t\t\t// better-sqlite3 Database.exec() runs multiple statements separated\n\t\t\t// by semicolons in a single call.\n\t\t\tsession.client.exec(`${statements.join(\";\\n\")};`);\n\t\t\treturn;\n\t\t}\n\t\t// Fallback: run each statement individually via drizzle `run`.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: raw SQL fallback for DDL execution\n\t\tconst anyDb = db as any;\n\t\tfor (const sql of statements) {\n\t\t\tawait anyDb.run(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\t// Postgres and MySQL: execute each statement via the underlying pool/client.\n\t// We access the internal session to issue raw DDL since drizzle-orm/node-postgres\n\t// and drizzle-orm/mysql2 both expose `.session.client` (or `.client`).\n\t// biome-ignore lint/suspicious/noExplicitAny: raw DDL on pg/mysql adapter boundary\n\tconst anyDb = db as any;\n\n\tif (provider === \"postgres\") {\n\t\t// drizzle-orm/node-postgres wraps a `pg` Pool; the pool is at db.session.client\n\t\t// or accessible via db.$client depending on drizzle version.\n\t\tconst client: { query: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? 
anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying pg client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.query(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tif (provider === \"mysql\") {\n\t\t// drizzle-orm/mysql2 wraps a mysql2 Pool; exposed at db.$client.\n\t\tconst client: { execute: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying mysql2 client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.execute(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tthrow new Error(`createTables: unsupported provider \"${provider}\"`);\n}\n","import { randomUUID } from \"node:crypto\";\nimport { and, eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { delegationChains } from \"../db/schema.js\";\nimport type { DelegateInput, DelegationChain, Permission } from \"../types.js\";\n\ninterface DelegationModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Verify that delegated permissions are a subset of the parent's permissions.\n * A child agent cannot have more permissions than its parent.\n */\nfunction isPermissionSubset(parentPerms: Permission[], childPerms: Permission[]): boolean {\n\tfor (const childPerm of childPerms) {\n\t\tconst parentMatch = parentPerms.find((p) => {\n\t\t\t// Check resource match (child must be same or more specific)\n\t\t\tif (!isResourceSubset(p.resource, childPerm.resource)) return false;\n\n\t\t\t// Check actions match (child must have same or fewer actions)\n\t\t\tfor (const action of childPerm.actions) {\n\t\t\t\tif (!p.actions.includes(action) && !p.actions.includes(\"*\")) return false;\n\t\t\t}\n\n\t\t\treturn true;\n\t\t});\n\n\t\tif (!parentMatch) return false;\n\t}\n\n\treturn true;\n}\n\n/**\n * Check if childResource 
is the same as or more specific than parentResource.\n * \"mcp:github:*\" contains \"mcp:github:read\"\n * \"mcp:*\" contains \"mcp:github:*\"\n * \"*\" contains everything\n */\nfunction isResourceSubset(parentResource: string, childResource: string): boolean {\n\tif (parentResource === \"*\") return true;\n\tif (parentResource === childResource) return true;\n\n\tconst parentParts = parentResource.split(\":\");\n\tconst childParts = childResource.split(\":\");\n\n\tfor (let i = 0; i < parentParts.length; i++) {\n\t\tif (parentParts[i] === \"*\") return true;\n\t\tif (parentParts[i] !== childParts[i]) return false;\n\t}\n\n\treturn parentParts.length <= childParts.length;\n}\n\n/**\n * Create the delegation module.\n * Handles agent-to-agent permission delegation with chain tracking.\n */\nexport function createDelegationModule(config: DelegationModuleConfig) {\n\tconst { db } = config;\n\n\tasync function delegate(\n\t\tinput: DelegateInput,\n\t\tparentPermissions: Permission[],\n\t): Promise<DelegationChain> {\n\t\t// Validate permissions are a subset\n\t\tif (!isPermissionSubset(parentPermissions, input.permissions)) {\n\t\t\tthrow new Error(\n\t\t\t\t\"Delegated permissions must be a subset of the parent agent's permissions. \" +\n\t\t\t\t\t\"A child agent cannot have more access than its parent.\",\n\t\t\t);\n\t\t}\n\n\t\t// Check delegation depth\n\t\tconst existingChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(eq(delegationChains.toAgentId, input.fromAgent), eq(delegationChains.status, \"active\")),\n\t\t\t);\n\n\t\tconst currentDepth =\n\t\t\texistingChains.length > 0 ? Math.max(...existingChains.map((c) => c.depth)) + 1 : 1;\n\n\t\tconst maxDepth = input.maxDepth ?? 3;\n\n\t\tif (currentDepth > maxDepth) {\n\t\t\tthrow new Error(\n\t\t\t\t`Delegation depth ${currentDepth} exceeds maximum allowed depth of ${maxDepth}. 
` +\n\t\t\t\t\t\"This prevents infinite delegation chains.\",\n\t\t\t);\n\t\t}\n\n\t\tconst id = randomUUID();\n\t\tconst now = new Date();\n\n\t\tawait db.insert(delegationChains).values({\n\t\t\tid,\n\t\t\tfromAgentId: input.fromAgent,\n\t\t\ttoAgentId: input.toAgent,\n\t\t\tpermissions: input.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\tdepth: currentDepth,\n\t\t\tmaxDepth,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\treturn {\n\t\t\tid,\n\t\t\tfromAgent: input.fromAgent,\n\t\t\ttoAgent: input.toAgent,\n\t\t\tpermissions: input.permissions,\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tdepth: currentDepth,\n\t\t\tcreatedAt: now,\n\t\t};\n\t}\n\n\t/**\n\t * Revoke a delegation chain. Revoking a parent chain also revokes all children.\n\t */\n\tasync function revokeDelegation(chainId: string): Promise<void> {\n\t\tconst chain = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.id, chainId))\n\t\t\t.limit(1);\n\n\t\tif (!chain[0]) throw new Error(`Delegation chain ${chainId} not found.`);\n\n\t\t// Revoke this chain\n\t\tawait db\n\t\t\t.update(delegationChains)\n\t\t\t.set({ status: \"revoked\" })\n\t\t\t.where(eq(delegationChains.id, chainId));\n\n\t\t// Cascade: revoke all chains where the to-agent of this chain is the from-agent\n\t\tconst childChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\teq(delegationChains.fromAgentId, chain[0].toAgentId),\n\t\t\t\t\teq(delegationChains.status, \"active\"),\n\t\t\t\t),\n\t\t\t);\n\n\t\tfor (const child of childChains) {\n\t\t\tawait revokeDelegation(child.id);\n\t\t}\n\t}\n\n\t/**\n\t * Get the effective permissions for an agent, including delegated permissions.\n\t */\n\tasync function getEffectivePermissions(agentId: string): Promise<Permission[]> {\n\t\tconst chains = await 
db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(and(eq(delegationChains.toAgentId, agentId), eq(delegationChains.status, \"active\")));\n\n\t\t// Filter expired chains\n\t\tconst now = new Date();\n\t\tconst activeChains = chains.filter((c) => c.expiresAt > now);\n\n\t\t// Collect all delegated permissions\n\t\tconst delegatedPerms: Permission[] = [];\n\t\tfor (const chain of activeChains) {\n\t\t\tfor (const perm of chain.permissions) {\n\t\t\t\tdelegatedPerms.push({\n\t\t\t\t\tresource: perm.resource,\n\t\t\t\t\tactions: perm.actions,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\n\t\treturn delegatedPerms;\n\t}\n\n\t/**\n\t * List all delegation chains for an agent (as source or target).\n\t */\n\tasync function listChains(agentId: string): Promise<DelegationChain[]> {\n\t\tconst chains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.fromAgentId, agentId));\n\n\t\treturn chains.map((c) => ({\n\t\t\tid: c.id,\n\t\t\tfromAgent: c.fromAgentId,\n\t\t\ttoAgent: c.toAgentId,\n\t\t\tpermissions: c.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\texpiresAt: c.expiresAt,\n\t\t\tdepth: c.depth,\n\t\t\tcreatedAt: c.createdAt,\n\t\t}));\n\t}\n\n\treturn { delegate, revokeDelegation, getEffectivePermissions, listChains };\n}\n","/**\n * Session management for KavachOS.\n *\n * Provides signed JWT session tokens backed by a `kavach_sessions` database\n * table. Each token carries the session ID as its `sub` claim; the full\n * session record (including metadata and expiry) lives in the database so\n * it can be revoked server-side at any time.\n *\n * Tokens are signed with HS256 via `jose` – the same library used for agent\n * JWT tokens elsewhere in KavachOS.\n *\n * @example\n * ```typescript\n * const kavach = await createKavach({ ... 
});\n * const sessions = kavach.auth.session;\n *\n * // On login\n * const { token } = await sessions.create(user.id, { role: 'admin' });\n * setCookie('kavach_session', token, { httpOnly: true, sameSite: 'lax' });\n *\n * // On each request\n * const session = await sessions.validate(token);\n * if (!session) return new Response('Unauthorized', { status: 401 });\n *\n * // On logout\n * await sessions.revoke(session.id);\n * ```\n */\n\nimport { createSecretKey, randomUUID } from \"node:crypto\";\nimport { and, eq } from \"drizzle-orm\";\nimport { jwtVerify, SignJWT } from \"jose\";\nimport type { Database } from \"../db/database.js\";\nimport { sessions } from \"../db/schema.js\";\n\n// ---------------------------------------------------------------------------\n// Public types\n// ---------------------------------------------------------------------------\n\nexport interface SessionConfig {\n\t/** Signing secret for session tokens. Must be at least 32 characters. */\n\tsecret: string;\n\t/**\n\t * Session lifetime in seconds.\n\t * Defaults to 604 800 (7 days).\n\t */\n\tmaxAge?: number;\n\t/**\n\t * Name of the cookie used to transport the session token.\n\t * Defaults to `kavach_session`.\n\t */\n\tcookieName?: string;\n}\n\nexport interface Session {\n\tid: string;\n\tuserId: string;\n\texpiresAt: Date;\n\tcreatedAt: Date;\n\tmetadata?: Record<string, unknown>;\n}\n\nexport interface SessionManager {\n\t/**\n\t * Create a new session for the given user.\n\t *\n\t * Persists the session to `kavach_sessions` and returns both the\n\t * session record and a signed JWT that the client should store (e.g. in a\n\t * `Set-Cookie` header).\n\t */\n\tcreate(\n\t\tuserId: string,\n\t\tmetadata?: Record<string, unknown>,\n\t): Promise<{ session: Session; token: string }>;\n\n\t/**\n\t * Validate a session token.\n\t *\n\t * Verifies the JWT signature, checks the database record exists, and\n\t * confirms the session has not expired. 
Returns `null` for any failure.\n\t */\n\tvalidate(token: string): Promise<Session | null>;\n\n\t/**\n\t * Revoke a single session by its ID.\n\t *\n\t * The session is deleted from the database; any token that encoded this\n\t * session ID will fail `validate()` immediately.\n\t */\n\trevoke(sessionId: string): Promise<void>;\n\n\t/**\n\t * Revoke all sessions for a user (e.g. on password change or account deletion).\n\t */\n\trevokeAll(userId: string): Promise<void>;\n\n\t/**\n\t * List all active sessions for a user, ordered by creation time descending.\n\t */\n\tlist(userId: string): Promise<Session[]>;\n}\n\n// ---------------------------------------------------------------------------\n// Default values\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days\n\n// ---------------------------------------------------------------------------\n// Factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a `SessionManager` backed by the `kavach_sessions` database table.\n *\n * @param config Session configuration (secret, maxAge, cookieName).\n * @param db The Drizzle database instance from `createDatabase()`.\n */\nexport function createSessionManager(config: SessionConfig, db: Database): SessionManager {\n\tif (!config.secret || config.secret.length < 32) {\n\t\tthrow new Error(\"SessionManager: secret must be at least 32 characters.\");\n\t}\n\n\tconst maxAge = config.maxAge ?? 
DEFAULT_MAX_AGE_SECONDS;\n\tconst keyBytes = new TextEncoder().encode(config.secret);\n\tconst keyObject = createSecretKey(keyBytes);\n\n\t// ── helpers ────────────────────────────────────────────────────────────\n\n\tfunction rowToSession(row: {\n\t\tid: string;\n\t\tuserId: string;\n\t\texpiresAt: Date;\n\t\tcreatedAt: Date;\n\t\tmetadata: Record<string, unknown> | null;\n\t}): Session {\n\t\treturn {\n\t\t\tid: row.id,\n\t\t\tuserId: row.userId,\n\t\t\texpiresAt: row.expiresAt,\n\t\t\tcreatedAt: row.createdAt,\n\t\t\t...(row.metadata !== null && { metadata: row.metadata }),\n\t\t};\n\t}\n\n\t// ── public API ─────────────────────────────────────────────────────────\n\n\tasync function create(\n\t\tuserId: string,\n\t\tmetadata?: Record<string, unknown>,\n\t): Promise<{ session: Session; token: string }> {\n\t\tconst id = randomUUID();\n\t\tconst now = new Date();\n\t\tconst expiresAt = new Date(now.getTime() + maxAge * 1000);\n\n\t\tawait db.insert(sessions).values({\n\t\t\tid,\n\t\t\tuserId,\n\t\t\texpiresAt,\n\t\t\tmetadata: metadata ?? 
null,\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\tconst token = await new SignJWT({ sub: id })\n\t\t\t.setProtectedHeader({ alg: \"HS256\" })\n\t\t\t.setIssuedAt()\n\t\t\t.setExpirationTime(Math.floor(expiresAt.getTime() / 1000))\n\t\t\t.sign(keyObject);\n\n\t\tconst session: Session = {\n\t\t\tid,\n\t\t\tuserId,\n\t\t\texpiresAt,\n\t\t\tcreatedAt: now,\n\t\t\t...(metadata !== undefined && { metadata }),\n\t\t};\n\n\t\treturn { session, token };\n\t}\n\n\tasync function validate(token: string): Promise<Session | null> {\n\t\tlet sessionId: string;\n\n\t\ttry {\n\t\t\tconst { payload } = await jwtVerify(token, keyObject);\n\t\t\tif (typeof payload.sub !== \"string\" || !payload.sub) return null;\n\t\t\tsessionId = payload.sub;\n\t\t} catch {\n\t\t\treturn null;\n\t\t}\n\n\t\tconst now = new Date();\n\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(sessions)\n\t\t\t.where(and(eq(sessions.id, sessionId)));\n\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\n\t\t// Belt-and-suspenders: also check DB expiry (token expiry is the same but\n\t\t// allows for clock skew during revokeAll / manual deletion flows).\n\t\tif (row.expiresAt <= now) {\n\t\t\t// Clean up expired row opportunistically.\n\t\t\tawait db.delete(sessions).where(eq(sessions.id, sessionId));\n\t\t\treturn null;\n\t\t}\n\n\t\treturn rowToSession(row);\n\t}\n\n\tasync function revoke(sessionId: string): Promise<void> {\n\t\tawait db.delete(sessions).where(eq(sessions.id, sessionId));\n\t}\n\n\tasync function revokeAll(userId: string): Promise<void> {\n\t\tawait db.delete(sessions).where(eq(sessions.userId, userId));\n\t}\n\n\tasync function list(userId: string): Promise<Session[]> {\n\t\tconst now = new Date();\n\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(sessions)\n\t\t\t.where(and(eq(sessions.userId, userId)));\n\n\t\t// Filter out expired sessions (they may not have been cleaned up yet)\n\t\t// and sort newest first.\n\t\treturn rows\n\t\t\t.filter((row) => row.expiresAt > 
now)\n\t\t\t.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())\n\t\t\t.map(rowToSession);\n\t}\n\n\treturn { create, validate, revoke, revokeAll, list };\n}\n","import { randomUUID } from \"node:crypto\";\nimport { eq } from \"drizzle-orm\";\nimport { createAgentModule } from \"./agent/agent.js\";\nimport { createAuditModule } from \"./audit/audit.js\";\nimport type { ResolvedUser } from \"./auth/types.js\";\nimport { createDatabase } from \"./db/database.js\";\nimport { createTables } from \"./db/migrations.js\";\nimport { mcpServers } from \"./db/schema.js\";\nimport { createDelegationModule } from \"./delegation/delegation.js\";\nimport { createPermissionEngine } from \"./permission/engine.js\";\nimport type { SessionManager } from \"./session/session.js\";\nimport { createSessionManager } from \"./session/session.js\";\nimport type {\n\tAuditExportOptions,\n\tAuditFilter,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tDelegateInput,\n\tDelegationChain,\n\tKavachConfig,\n\tMcpServer,\n\tMcpServerInput,\n\tRequestContext,\n} from \"./types.js\";\n\n/**\n * Create a KavachOS instance.\n *\n * The factory is **async** so it can open database connections for Postgres\n * and MySQL (which require async driver initialisation) and optionally run\n * `CREATE TABLE IF NOT EXISTS` for all schema tables.\n *\n * @example SQLite (simplest)\n * ```typescript\n * import { createKavach } from 'kavachos';\n *\n * const kavach = await createKavach({\n * database: { provider: 'sqlite', url: 'kavach.db' },\n * });\n * ```\n *\n * @example Postgres\n * ```typescript\n * const kavach = await createKavach({\n * database: { provider: 'postgres', url: process.env.DATABASE_URL },\n * });\n * ```\n *\n * @example MySQL – skip auto-migration (tables managed externally)\n * ```typescript\n * const kavach = await createKavach({\n * database: {\n * provider: 'mysql',\n * url: process.env.DATABASE_URL,\n * skipMigrations: true,\n * },\n * });\n * ```\n */\nexport async function 
createKavach(config: KavachConfig) {\n\tconst authAdapter = config.auth?.adapter ?? null;\n\n\tconst db = await createDatabase(config.database);\n\n\t// Automatically create tables unless the caller has opted out.\n\t// Uses CREATE TABLE IF NOT EXISTS so it is safe to run every startup.\n\tif (!config.database.skipMigrations) {\n\t\tawait createTables(db, config.database.provider);\n\t}\n\n\tconst agentConfig = {\n\t\tdb,\n\t\tmaxPerUser: config.agents?.maxPerUser ?? 10,\n\t\tdefaultPermissions: config.agents?.defaultPermissions ?? [],\n\t\ttokenExpiry: config.agents?.tokenExpiry ?? \"24h\",\n\t};\n\n\tconst agentModule = createAgentModule(agentConfig);\n\n\tconst permissionEngine = createPermissionEngine({\n\t\tdb,\n\t\tauditAll: config.agents?.auditAll ?? true,\n\t});\n\n\tconst auditModule = createAuditModule({ db });\n\n\tconst delegationModule = createDelegationModule({ db });\n\n\t// Session manager – only created when the caller opts in via auth.session.\n\tconst sessionManager: SessionManager | null = config.auth?.session\n\t\t? createSessionManager(config.auth.session, db)\n\t\t: null;\n\n\t// Authorize: look up agent, check own permissions then delegated permissions\n\tasync function authorize(\n\t\tagentId: string,\n\t\trequest: AuthorizeRequest,\n\t\tcontext?: RequestContext,\n\t): Promise<AuthorizeResult> {\n\t\tconst agent = await agentModule.get(agentId);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agentId}\" not found`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\tif (agent.status !== \"active\") {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agent.name}\" is ${agent.status}`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\n\t\tconst enrichedRequest: AuthorizeRequest = context ? 
{ ...request, context } : request;\n\n\t\t// First check the agent's own permissions\n\t\tconst ownResult = await permissionEngine.authorize(agent, enrichedRequest);\n\t\tif (ownResult.allowed) return ownResult;\n\n\t\t// If own permissions deny, check effective permissions from delegation chains\n\t\tconst delegatedPerms = await delegationModule.getEffectivePermissions(agentId);\n\t\tif (delegatedPerms.length === 0) return ownResult;\n\n\t\t// Build a synthetic agent view with delegated permissions merged in\n\t\tconst agentWithDelegated = { ...agent, permissions: delegatedPerms };\n\t\tconst delegatedResult = await permissionEngine.authorize(agentWithDelegated, enrichedRequest);\n\t\tif (delegatedResult.allowed) return delegatedResult;\n\n\t\t// Both denied — return the original denial so the message references the agent by name\n\t\treturn ownResult;\n\t}\n\n\t// Authorize by token: validate token then check permissions\n\tasync function authorizeByToken(\n\t\ttoken: string,\n\t\trequest: AuthorizeRequest,\n\t\tcontext?: RequestContext,\n\t): Promise<AuthorizeResult> {\n\t\tconst agent = await agentModule.validateToken(token);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"Invalid or expired agent token\",\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\tconst enrichedRequest: AuthorizeRequest = context ? 
{ ...request, context } : request;\n\t\treturn permissionEngine.authorize(agent, enrichedRequest);\n\t}\n\n\t// Delegate: verify parent permissions then create chain\n\tasync function delegate(input: DelegateInput): Promise<DelegationChain> {\n\t\tconst parentAgent = await agentModule.get(input.fromAgent);\n\t\tif (!parentAgent) throw new Error(`Parent agent \"${input.fromAgent}\" not found`);\n\t\tif (parentAgent.status !== \"active\") {\n\t\t\tthrow new Error(`Parent agent \"${parentAgent.name}\" is ${parentAgent.status}`);\n\t\t}\n\t\treturn delegationModule.delegate(input, parentAgent.permissions);\n\t}\n\n\t// ── MCP server registry ─────────────────────────────────────────\n\t// Uses the kavach_mcp_servers table (defined in db/schema.ts).\n\tconst mcpRegistry = {\n\t\t/**\n\t\t * Register a new MCP tool server.\n\t\t *\n\t\t * Persists the server entry to the `kavach_mcp_servers` table.\n\t\t * The returned record includes the generated `id` and `createdAt`.\n\t\t */\n\t\tasync register(input: McpServerInput): Promise<McpServer> {\n\t\t\tconst now = new Date();\n\t\t\tconst id = randomUUID();\n\n\t\t\tawait db.insert(mcpServers).values({\n\t\t\t\tid,\n\t\t\t\tname: input.name,\n\t\t\t\tendpoint: input.endpoint,\n\t\t\t\ttools: input.tools,\n\t\t\t\tauthRequired: input.authRequired ?? true,\n\t\t\t\trateLimitRpm: input.rateLimit?.rpm ?? null,\n\t\t\t\tstatus: \"active\",\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t});\n\n\t\t\treturn {\n\t\t\t\tid,\n\t\t\t\tname: input.name,\n\t\t\t\tendpoint: input.endpoint,\n\t\t\t\ttools: input.tools,\n\t\t\t\tauthRequired: input.authRequired ?? 
true,\n\t\t\t\tcreatedAt: now,\n\t\t\t};\n\t\t},\n\n\t\t/**\n\t\t * List all registered MCP servers (active and inactive).\n\t\t */\n\t\tasync list(): Promise<McpServer[]> {\n\t\t\tconst rows = await db.select().from(mcpServers);\n\t\t\treturn rows.map((row) => ({\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tendpoint: row.endpoint,\n\t\t\t\ttools: row.tools,\n\t\t\t\tauthRequired: row.authRequired,\n\t\t\t\tcreatedAt: row.createdAt,\n\t\t\t}));\n\t\t},\n\n\t\t/**\n\t\t * Get a single MCP server by ID. Returns null when not found.\n\t\t */\n\t\tasync get(id: string): Promise<McpServer | null> {\n\t\t\tconst rows = await db.select().from(mcpServers).where(eq(mcpServers.id, id));\n\t\t\tconst row = rows[0];\n\t\t\tif (!row) return null;\n\t\t\treturn {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tendpoint: row.endpoint,\n\t\t\t\ttools: row.tools,\n\t\t\t\tauthRequired: row.authRequired,\n\t\t\t\tcreatedAt: row.createdAt,\n\t\t\t};\n\t\t},\n\t};\n\n\treturn {\n\t\tagent: {\n\t\t\tcreate: agentModule.create,\n\t\t\tget: agentModule.get,\n\t\t\tlist: agentModule.list,\n\t\t\tupdate: agentModule.update,\n\t\t\trevoke: agentModule.revoke,\n\t\t\trotate: agentModule.rotate,\n\t\t\tvalidateToken: agentModule.validateToken,\n\t\t},\n\t\tauthorize,\n\t\tauthorizeByToken,\n\t\tdelegate,\n\t\tdelegation: {\n\t\t\trevoke: delegationModule.revokeDelegation,\n\t\t\tgetEffectivePermissions: delegationModule.getEffectivePermissions,\n\t\t\tlistChains: delegationModule.listChains,\n\t\t},\n\t\taudit: {\n\t\t\tquery: (filter: AuditFilter) => auditModule.query(filter),\n\t\t\texport: (options: AuditExportOptions) => auditModule.export(options),\n\t\t\tcleanup: (options: { retentionDays: number }) => auditModule.cleanup(options),\n\t\t},\n\t\t/**\n\t\t * MCP server registration.\n\t\t *\n\t\t * Register and look up MCP tool servers. 
Uses the `kavach_mcp_servers`\n\t\t * database table — no separate in-memory store needed.\n\t\t */\n\t\tmcp: mcpRegistry,\n\t\t/**\n\t\t * Human auth integration.\n\t\t *\n\t\t * `resolveUser` extracts the authenticated human from an inbound HTTP\n\t\t * request via the configured adapter. `session` is a full session\n\t\t * manager (create / validate / revoke) when `auth.session` was passed\n\t\t * to `createKavach()`.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * app.use(async (req, res, next) => {\n\t\t * const user = await kavach.auth.resolveUser(req);\n\t\t * if (!user) return res.status(401).json({ error: 'Unauthorized' });\n\t\t * req.user = user;\n\t\t * next();\n\t\t * });\n\t\t * ```\n\t\t */\n\t\tauth: {\n\t\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\t\tif (!authAdapter) return null;\n\t\t\t\treturn authAdapter.resolveUser(request);\n\t\t\t},\n\t\t\tsession: sessionManager,\n\t\t},\n\t\t/**\n\t\t * Resolve a human user from an incoming HTTP request.\n\t\t *\n\t\t * @deprecated Use `kavach.auth.resolveUser(request)` instead.\n\t\t */\n\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\tif (!authAdapter) return null;\n\t\t\treturn authAdapter.resolveUser(request);\n\t\t},\n\t\t/** Direct database access for advanced usage */\n\t\tdb,\n\t};\n}\n\nexport type Kavach = Awaited<ReturnType<typeof createKavach>>;\n","/**\n * OpenAPI 3.1 specification generator for KavachOS REST API.\n *\n * This generates the spec that enables auto-generated SDKs\n * for Python, Go, Java, Rust, etc. 
via OpenAPI codegen tools.\n */\n\nexport interface OpenAPISpec {\n\topenapi: string;\n\tinfo: { title: string; version: string; description: string };\n\tservers: Array<{ url: string; description: string }>;\n\tpaths: Record<string, Record<string, PathOperation>>;\n\tcomponents: {\n\t\tschemas: Record<string, SchemaObject>;\n\t\tsecuritySchemes: Record<string, SecurityScheme>;\n\t};\n}\n\ninterface PathOperation {\n\tsummary: string;\n\toperationId: string;\n\ttags: string[];\n\tsecurity?: Array<Record<string, string[]>>;\n\tparameters?: ParameterObject[];\n\trequestBody?: { required: boolean; content: Record<string, { schema: SchemaRef }> };\n\tresponses: Record<\n\t\tstring,\n\t\t{ description: string; content?: Record<string, { schema: SchemaRef }> }\n\t>;\n}\n\ninterface ParameterObject {\n\tname: string;\n\tin: \"query\" | \"path\" | \"header\";\n\trequired: boolean;\n\tschema: SchemaRef;\n}\n\ninterface SecurityScheme {\n\ttype: string;\n\tscheme?: string;\n\tbearerFormat?: string;\n}\n\ntype SchemaRef = { $ref: string } | SchemaObject;\n\ninterface SchemaObject {\n\ttype?: string;\n\tproperties?: Record<string, SchemaRef>;\n\trequired?: string[];\n\titems?: SchemaRef;\n\tenum?: string[];\n\tdescription?: string;\n\tformat?: string;\n\tnullable?: boolean;\n}\n\n/**\n * Generate the full OpenAPI 3.1 specification for the KavachOS REST API.\n */\nexport function generateOpenAPISpec(options?: { baseUrl?: string; version?: string }): OpenAPISpec {\n\tconst baseUrl = options?.baseUrl ?? \"http://localhost:3000\";\n\tconst version = options?.version ?? \"0.0.1\";\n\n\treturn {\n\t\topenapi: \"3.1.0\",\n\t\tinfo: {\n\t\t\ttitle: \"KavachOS API\",\n\t\t\tversion,\n\t\t\tdescription:\n\t\t\t\t\"The Auth OS for AI Agents. 
Identity, permissions, delegation, and audit for the agentic era.\",\n\t\t},\n\t\tservers: [{ url: baseUrl, description: \"KavachOS API Server\" }],\n\t\tpaths: {\n\t\t\t\"/agents\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create a new agent\",\n\t\t\t\t\toperationId: \"createAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/CreateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Agent created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { $ref: \"#/components/schemas/AgentWithToken\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"400\": { description: \"Invalid input\" },\n\t\t\t\t\t\t\"429\": { description: \"Max agents per user exceeded\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"List agents\",\n\t\t\t\t\toperationId: \"listAgents\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"status\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"type\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"List of agents\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: 
\"#/components/schemas/Agent\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Get agent by ID\",\n\t\t\t\t\toperationId: \"getAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent details\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"404\": { description: \"Agent not found\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tpatch: {\n\t\t\t\t\tsummary: \"Update agent\",\n\t\t\t\t\toperationId: \"updateAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/UpdateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent updated\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tdelete: {\n\t\t\t\t\tsummary: \"Revoke agent\",\n\t\t\t\t\toperationId: \"revokeAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: { \"204\": { description: \"Agent revoked\" } },\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}/rotate\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Rotate agent token\",\n\t\t\t\t\toperationId: \"rotateAgentToken\",\n\t\t\t\t\ttags: 
[\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"New token issued\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AgentWithToken\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize an agent action\",\n\t\t\t\t\toperationId: \"authorize\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeRequest\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize/token\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize by agent token\",\n\t\t\t\t\toperationId: \"authorizeByToken\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\tsecurity: [{ AgentToken: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\trequired: [\"action\", \"resource\"],\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization 
result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/audit\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Query audit logs\",\n\t\t\t\t\toperationId: \"queryAudit\",\n\t\t\t\t\ttags: [\"Audit\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"agentId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"since\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"until\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"result\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{ name: \"limit\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t\t{ name: \"offset\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Audit log entries\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: \"#/components/schemas/AuditEntry\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/delegations\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create delegation chain\",\n\t\t\t\t\toperationId: \"createDelegation\",\n\t\t\t\t\ttags: [\"Delegation\"],\n\t\t\t\t\tsecurity: [{ 
BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegateInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Delegation created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegationChain\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tcomponents: {\n\t\t\tschemas: {\n\t\t\t\tCreateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"ownerId\", \"name\", \"type\", \"permissions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tUpdateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgent: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tstatus: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: 
\"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tupdatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgentWithToken: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tdescription: \"Agent identity with the token (only returned on create/rotate)\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Agent token (kv_ prefix). Store securely - not retrievable after creation.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\" },\n\t\t\t\t\t\tstatus: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermission: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"resource\", \"actions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tresource: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription: \"Resource pattern (e.g. 
mcp:github:*, tool:file_read)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tactions: {\n\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\titems: { type: \"string\" },\n\t\t\t\t\t\t\tdescription: \"Allowed actions (read, write, execute, delete, *)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tconstraints: { $ref: \"#/components/schemas/PermissionConstraints\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermissionConstraints: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tmaxCallsPerHour: { type: \"integer\" },\n\t\t\t\t\t\tallowedArgPatterns: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t\trequireApproval: { type: \"boolean\" },\n\t\t\t\t\t\ttimeWindow: {\n\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\tstart: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t\tend: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tipAllowlist: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeRequest: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"agentId\", \"action\", \"resource\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeResult: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tallowed: { type: \"boolean\" },\n\t\t\t\t\t\treason: { type: \"string\", nullable: true },\n\t\t\t\t\t\tauditId: { type: \"string\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuditEntry: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\tuserId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\tparameters: { type: \"object\" },\n\t\t\t\t\t\tresult: { type: \"string\", 
enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\tdurationMs: { type: \"integer\" },\n\t\t\t\t\t\ttimestamp: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegateInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"fromAgent\", \"toAgent\", \"permissions\", \"expiresAt\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tmaxDepth: { type: \"integer\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegationChain: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\tdepth: { type: \"integer\" },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsecuritySchemes: {\n\t\t\t\tBearerAuth: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"JWT\",\n\t\t\t\t},\n\t\t\t\tAgentToken: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"KavachOS Agent Token (kv_...)\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t};\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/analyzer/privilege.ts","../src/approval/approval.ts","../src/db/database.ts","../src/db/migrations.ts","../src/delegation/delegation.ts","../src/did/key-method.ts","../src/did/signing.ts","../src/did/web-method.ts","../src/did/module.ts","../src/email/templates.ts","../src/hooks/lifecycle.ts","../src/i18n/locales/en.ts","../src/i18n/i18n.ts","../src/i18n/locales/de.ts","../src/i18n/locales/es.ts","../src/i18n/locales/fr.ts","../src/i18n/locales/ja.ts","../src/i18n/locales/zh.ts","../src/plugin/router.ts","../src/plugin/runner.ts","../src/policies/budget.ts","../src/tenant/tenant.ts","../src/trust/scoring.ts","../src/kavach.ts","../src/openapi.ts","../src/session/cookie.ts","../src/session/csrf.ts","../src/session/manager.ts","../src/session/multi-session.ts","../src/webhooks/webhook.ts"],"names":["eq","and","drizzleSqlite","anyDb","p","randomUUID","locale","classifyViolation","code","ne","signPayload","createWebhookModule"],"mappings":";;;;;;;;;;;;;;;;;AA+BA,IAAM,qBAAA,GAAwB,EAAA;AAE9B,SAAS,WAAW,KAAA,EAAwB;AAC3C,EAAA,OAAO,KAAA,KAAU,OAAO,KAAA,CAAM,QAAA,CAAS,IAAI,CAAA,IAAK,KAAA,CAAM,SAAS,IAAI,CAAA;AACpE;AAEA,SAAS,YAAY,QAAA,EAA0D;AAC9E,EAAA,MAAM,cAAc,QAAA,CAAS,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,aAAa,UAAU,CAAA;AAClE,EAAA,MAAM,aAAA,GAAgB,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,IAAA,KAAS,qBAAqB,CAAA,CAAE,MAAA;AAC/E,EAAA,MAAM,YAAA,GAAe,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,QAAA,KAAa,SAAS,CAAA,CAAE,MAAA;AAEtE,EAAA,IAAI,WAAA,IAAe,aAAA,IAAiB,CAAA,EAAG,OAAO,gBAAA;AAC9C,EAAA,IAAI,aAAA,KAAkB,CAAA,IAAK,YAAA,IAAgB,CAAA,EAAG,OAAO,mBAAA;AACrD,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,CAAA,EAAG,OAAO,SAAA;AAClC,EAAA,OAAO,aAAA;AACR;AAEA,SAAS,oBAAA,CAAqB,UAA8B,aAAA,EAAsC;AACjG,EAAA,MAAM,OAAiB,EAAC;AAExB,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,qBAAA,IAAyB,OAAA,CAAQ,UAAA,EAAY;AACjE,MAAA,MAAM,EAAE,QAAA,EAAU,OAAA,EAAQ,GAAI,OAAA,CAAQ,UAAA;AAGtC,MAAA,MAAM,YAAA,GAAe,QAAA,CAAS,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AACjD,MAAA,MAAM,YAAA,GAAe,CAAC,GAAG,aAAa,CAAA,CAAE,
MAAA;AAAA,QAAO,CAAC,CAAA,KAC/C,YAAA,GAAe,CAAA,CAAE,UAAA,CAAW,YAAY,CAAA,GAAI;AAAA,OAC7C;AAEA,MAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC5B,QAAA,IAAA,CAAK,IAAA,CAAK,YAAY,QAAQ,CAAA,QAAA,EAAW,aAAa,IAAA,CAAK,IAAI,CAAC,CAAA,EAAA,CAAI,CAAA;AAAA,MACrE,CAAA,MAAO;AACN,QAAA,IAAA,CAAK,IAAA,CAAK,CAAA,oCAAA,EAAuC,QAAQ,CAAA,EAAA,CAAI,CAAA;AAAA,MAC9D;AAEA,MAAA,IAAI,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG;AAC1B,QAAA,MAAM,WAAA,GAAc,CAAC,MAAM,CAAA;AAC3B,QAAA,IAAA,CAAK,IAAA;AAAA,UACJ,iCAAiC,QAAQ,CAAA,0BAAA,EAA6B,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA;AAAA,SAC7F;AAAA,MACD;AAAA,IACD;AAEA,IAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,mBAAA,IAAuB,OAAA,CAAQ,UAAA,EAAY;AAC/D,MAAA,IAAA,CAAK,IAAA;AAAA,QACJ,CAAA,2BAAA,EAA8B,OAAA,CAAQ,UAAA,CAAW,QAAQ,2BAA2B,qBAAqB,CAAA,MAAA;AAAA,OAC1G;AAAA,IACD;AAEA,IAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,cAAA,IAAkB,OAAA,CAAQ,UAAA,EAAY;AAC1D,MAAA,MAAM,EAAE,QAAA,EAAS,GAAI,OAAA,CAAQ,UAAA;AAC7B,MAAA,MAAM,eAAe,CAAC,GAAG,aAAa,CAAA,CAAE,MAAA,CAAO,CAAC,CAAA,KAAM;AACrD,QAAA,MAAM,MAAA,GAAS,QAAA,CAAS,OAAA,CAAQ,OAAA,EAAS,EAAE,CAAA;AAC3C,QAAA,OAAO,CAAA,CAAE,WAAW,MAAM,CAAA;AAAA,MAC3B,CAAC,CAAA;AACD,MAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC5B,QAAA,IAAA,CAAK,IAAA;AAAA,UACJ,YAAY,QAAQ,CAAA,qCAAA,EAAwC,YAAA,CAAa,IAAA,CAAK,IAAI,CAAC,CAAA,EAAA;AAAA,SACpF;AAAA,MACD;AAAA,IACD;AAEA,IAAA,IAAI,OAAA,CAAQ,SAAS,gBAAA,EAAkB;AACtC,MAAA,IAAA,CAAK,KAAK,4DAA4D,CAAA;AAAA,IACvE;AAEA,IAAA,IAAI,OAAA,CAAQ,SAAS,WAAA,EAAa;AACjC,MAAA,IAAA,CAAK,KAAK,0EAA0E,CAAA;AAAA,IACrF;AAAA,EACD;AAGA,EAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,IAAI,CAAC,CAAA;AACzB;AAeO,SAAS,wBAAwB,EAAA,EAAc;AACrD,EAAA,eAAe,YAAA,CACd,SACA,OAAA,EAC6B;AAE7B,IAAA,MAAM,SAAA,GAAY,MAAM,EAAA,CACtB,MAAA,CAAO,EAAE,EAAA,EAAI,MAAA,CAAO,EAAA,EAAI,IAAA,EAAM,MAAA,CAAO,IAAA,EAAM,SAAA,EAAW,MAAA,CAAO,SAAA,EAAW,CAAA,CACxE,IAAA,CAAK,MAAM,CAAA,CACX,KAAA,CAAM,EAAA,CAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA,CAC5B,KAAA,CAAM,CAAC,CAAA;AAET,IAAA,MAAM,KAAA,GAAQ,UAAU,CAAC,CAAA;AACzB,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA;AAAA,QACA,SAAA,EAAW,SAAA;AAAA,QACX,KAAA,EAAO,aAAA;AAAA,QACP,UAAU,EAAC;AAAA,QACX,i
BAAiB;AAAC,OACnB;AAAA,IACD;AAGA,IAAA,MAAM,QAAA,GAAW,MAAM,EAAA,CACrB,MAAA,CAAO;AAAA,MACP,UAAU,WAAA,CAAY,QAAA;AAAA,MACtB,SAAS,WAAA,CAAY,OAAA;AAAA,MACrB,aAAa,WAAA,CAAY;AAAA,KACzB,CAAA,CACA,IAAA,CAAK,WAAW,CAAA,CAChB,MAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AAExC,IAAA,MAAM,gBAAA,GACL,QAAA,CAAS,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACpB,UAAU,CAAA,CAAE,QAAA;AAAA,MACZ,SAAS,CAAA,CAAE,OAAA;AAAA,MACX,WAAA,EAAc,EAAE,WAAA,IAA6C;AAAA,KAC9D,CAAE,CAAA;AAGH,IAAA,MAAM,KAAA,GACL,OAAA,EAAS,KAAA,IAAS,IAAI,IAAA,CAAK,IAAA,CAAK,GAAA,EAAI,GAAI,qBAAA,GAAwB,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,GAAI,CAAA;AAEpF,IAAA,MAAM,SAAA,GAAY,MAAM,EAAA,CACtB,MAAA,CAAO,EAAE,QAAA,EAAU,SAAA,CAAU,QAAA,EAAU,MAAA,EAAQ,SAAA,CAAU,MAAA,EAAQ,CAAA,CACjE,IAAA,CAAK,SAAS,CAAA,CACd,KAAA,CAAM,GAAA,CAAI,EAAA,CAAG,SAAA,CAAU,OAAA,EAAS,OAAO,CAAA,EAAG,GAAA,CAAI,SAAA,CAAU,SAAA,EAAW,KAAK,CAAC,CAAC,CAAA;AAE5E,IAAA,MAAM,aAAA,GAAgB,IAAI,GAAA,CAAI,SAAA,CAAU,IAAI,CAAC,CAAA,KAAM,CAAA,CAAE,QAAQ,CAAC,CAAA;AAE9D,IAAA,MAAM,WAA+B,EAAC;AAGtC,IAAA,KAAA,MAAW,QAAQ,gBAAA,EAAkB;AAEpC,MAAA,MAAM,mBAAA,GAAsB,UAAA,CAAW,IAAA,CAAK,QAAQ,CAAA;AACpD,MAAA,MAAM,iBAAA,GAAoB,IAAA,CAAK,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA;AAEnD,MAAA,IAAI,uBAAuB,iBAAA,EAAmB;AAC7C,QAAA,QAAA,CAAS,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,qBAAA;AAAA,UACN,QAAA,EAAU,UAAA;AAAA,UACV,WAAA,EAAa,sBACV,CAAA,sBAAA,EAAyB,IAAA,CAAK,QAAQ,CAAA,kBAAA,CAAA,GACtC,CAAA,aAAA,EAAgB,KAAK,QAAQ,CAAA,4BAAA,CAAA;AAAA,UAChC,YAAY,EAAE,QAAA,EAAU,KAAK,QAAA,EAAU,OAAA,EAAS,KAAK,OAAA;AAAQ,SAC7D,CAAA;AACD,QAAA;AAAA,MACD;AAGA,MAAA,MAAM,UAAU,CAAC,GAAG,aAAa,CAAA,CAAE,IAAA,CAAK,CAAC,IAAA,KAAS;AACjD,QAAA,IAAI,IAAA,CAAK,QAAA,KAAa,IAAA,EAAM,OAAO,IAAA;AAEnC,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,OAAA,CAAQ,SAAS,EAAE,CAAA;AAClD,QAAA,OAAO,IAAA,CAAK,WAAW,QAAQ,CAAA;AAAA,MAChC,CAAC,CAAA;AAED,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,QAAA,CAAS,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,mBAAA;AAAA,UACN,QAAA,EAAU,SAAA;AAAA,UACV,WAAA,EAAa,CAAA,aAAA,EAAgB,IAAA,CAAK,QAAQ,oCAAoC,qBAAqB,CAAA,KAAA,CAAA;AAAA,UACnG,YAAY,EAAE,QAAA,EAAU,KAAK,QAAA,EAAU,OAAA,EAAS,KAAK,OAAA;AAAQ,SAC
7D,CAAA;AAAA,MACF;AAIA,MAAA,IAAI,IAAA,CAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAChC,QAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,OAAA,CAAQ,SAAS,EAAE,CAAA;AAClD,QAAA,MAAM,WAAA,GAAc,CAAC,GAAG,aAAa,CAAA,CAAE,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,UAAA,CAAW,QAAQ,CAAC,CAAA;AAE3E,QAAA,IAAI,WAAA,CAAY,MAAA,GAAS,CAAA,IAAK,WAAA,CAAY,SAAS,CAAA,EAAG;AAErD,UAAA,MAAM,QAAA,GAAW,IAAA,CAAK,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AACxC,UAAA,IACC,QAAA,CAAS,MAAA,IAAU,CAAA,IACnB,WAAA,CAAY,MAAM,CAAC,CAAA,KAAM,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA,CAAE,MAAA,GAAS,QAAA,CAAS,MAAM,CAAA,EAC7D;AACD,YAAA,QAAA,CAAS,IAAA,CAAK;AAAA,cACb,IAAA,EAAM,cAAA;AAAA,cACN,QAAA,EAAU,SAAA;AAAA,cACV,WAAA,EAAa,gBAAgB,IAAA,CAAK,QAAQ,wCAAwC,WAAA,CAAY,IAAA,CAAK,IAAI,CAAC,CAAA,oBAAA,CAAA;AAAA,cACxG,YAAY,EAAE,QAAA,EAAU,KAAK,QAAA,EAAU,OAAA,EAAS,KAAK,OAAA;AAAQ,aAC7D,CAAA;AAAA,UACF;AAAA,QACD;AAAA,MACD;AAGA,MAAA,MAAM,cAAA,GACL,KAAK,WAAA,KACJ,IAAA,CAAK,YAAY,eAAA,KAAoB,MAAA,IACrC,KAAK,WAAA,CAAY,UAAA,KAAe,UAChC,IAAA,CAAK,WAAA,CAAY,oBAAoB,IAAA,IACpC,IAAA,CAAK,YAAY,WAAA,IAAe,IAAA,CAAK,WAAA,CAAY,WAAA,CAAY,MAAA,GAAS,CAAA,CAAA;AAEzE,MAAA,IAAI,CAAC,cAAA,EAAgB;AACpB,QAAA,QAAA,CAAS,IAAA,CAAK;AAAA,UACb,IAAA,EAAM,gBAAA;AAAA,UACN,QAAA,EAAU,MAAA;AAAA,UACV,WAAA,EAAa,CAAA,aAAA,EAAgB,IAAA,CAAK,QAAQ,CAAA,sDAAA,CAAA;AAAA,UAC1C,YAAY,EAAE,QAAA,EAAU,KAAK,QAAA,EAAU,OAAA,EAAS,KAAK,OAAA;AAAQ,SAC7D,CAAA;AAAA,MACF;AAAA,IACD;AAGA,IAAA,IAAI,CAAC,MAAM,SAAA,EAAW;AACrB,MAAA,QAAA,CAAS,IAAA,CAAK;AAAA,QACb,IAAA,EAAM,WAAA;AAAA,QACN,QAAA,EAAU,MAAA;AAAA,QACV,WAAA,EAAa;AAAA,OACb,CAAA;AAAA,IACF;AAEA,IAAA,MAAM,KAAA,GAAQ,YAAY,QAAQ,CAAA;AAClC,IAAA,MAAM,eAAA,GAAkB,oBAAA,CAAqB,QAAA,EAAU,aAAa,CAAA;AAEpE,IAAA,OAAO;AAAA,MACN,OAAA;AAAA,MACA,WAAW,KAAA,CAAM,IAAA;AAAA,MACjB,KAAA;AAAA,MACA,QAAA;AAAA,MACA;AAAA,KACD;AAAA,EACD;AAEA,EAAA,eAAe,WAAW,OAAA,EAA0D;AACnF,IAAA,MAAM,eAAe,MAAM,EAAA,CACzB,OAAO,EAAE,EAAA,EAAI,OAAO,EAAA,EAAI,CAAA,CACxB,IAAA,CAAK,MAAM,CAAA,CACX,KAAA,CAAM,GAAG,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAC,CAAA;AAEnC,IAAA,MAAM,OAAA,GAAU,MAAM,OAAA,CAAQ,GAAA,CAAI,YAAA,CAAa,GAAA,CAAI,CAAC,CAAA,KAAM,YAAA,CA
Aa,CAAA,CAAE,EAAA,EAAI,OAAO,CAAC,CAAC,CAAA;AAEtF,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,UAAA,GAAwC;AACtD,IAAA,MAAM,QAAA,GAAW,MAAM,UAAA,EAAW;AAElC,IAAA,MAAM,UAAkC,EAAC;AACzC,IAAA,IAAI,gBAAA,GAAmB,CAAA;AAEvB,IAAA,KAAA,MAAW,YAAY,QAAA,EAAU;AAChC,MAAA,OAAA,CAAQ,SAAS,KAAK,CAAA,GAAA,CAAK,QAAQ,QAAA,CAAS,KAAK,KAAK,CAAA,IAAK,CAAA;AAC3D,MAAA,gBAAA,IAAoB,QAAA,CAAS,SAAS,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,QAAA,KAAa,UAAU,CAAA,CAAE,MAAA;AAAA,IAChF;AAEA,IAAA,OAAO;AAAA,MACN,OAAO,QAAA,CAAS,MAAA;AAAA,MAChB,OAAA;AAAA,MACA;AAAA,KACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,YAAA,EAAc,UAAA,EAAY,UAAA,EAAW;AAC/C;AChRA,SAAS,cAAc,GAAA,EAA4D;AAClF,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,SAAA,EAAW,IAAI,SAAA,IAAa,MAAA;AAAA,IAC5B,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,WAAW,GAAA,CAAI,SAAA;AAAA,IACf,WAAA,EAAa,IAAI,WAAA,IAAe,MAAA;AAAA,IAChC,WAAA,EAAa,IAAI,WAAA,IAAe,MAAA;AAAA,IAChC,WAAW,GAAA,CAAI;AAAA,GAChB;AACD;AAEA,eAAe,aAAA,CAAc,KAAa,eAAA,EAAiD;AAC1F,EAAA,IAAI;AACH,IAAA,MAAM,MAAM,GAAA,EAAK;AAAA,MAChB,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS,EAAE,cAAA,EAAgB,kBAAA,EAAmB;AAAA,MAC9C,IAAA,EAAM,KAAK,SAAA,CAAU;AAAA,QACpB,KAAA,EAAO,iBAAA;AAAA,QACP,OAAA,EAAS;AAAA,UACR,GAAG,eAAA;AAAA,UACH,SAAA,EAAW,eAAA,CAAgB,SAAA,CAAU,WAAA,EAAY;AAAA,UACjD,SAAA,EAAW,eAAA,CAAgB,SAAA,CAAU,WAAA;AAAY;AAClD,OACA;AAAA,KACD,CAAA;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACD;AAiBO,SAAS,oBAAA,CAAqB,QAAwB,EAAA,EAAc;AAC1E,EAAA,MAAM,UAAA,GAAa,OAAO,GAAA,IAAO,GAAA;AAEjC,EAAA,eAAe,QAAQ,KAAA,EAMM;AAC5B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,EAAA,GAAK,CAAA,IAAA,EAAO,UAAA,EAAY,CAAA,CAAA;AAC9B,IAAA,MAAM,YAAY,IAAI,IAAA,CAAK,IAAI,OAAA,EAAQ,GAAI,aAAa,GAAI,CAAA;AAE5D,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,gBAAgB,CAAA,CAAE,MAAA,CAAO;AAAA,MACxC,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,SAAA,EAAW,MAAM,SAAA,IAAa,IAAA;AAAA,MAC9B,MAAA,EAAQ,SAAA;AAAA,MACR,SAAA;AAAA,MACA,
WAAA,EAAa,IAAA;AAAA,MACb,WAAA,EAAa,IAAA;AAAA,MACb,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,MAAM,eAAA,GAAmC;AAAA,MACxC,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,MAAA,EAAQ,SAAA;AAAA,MACR,SAAA;AAAA,MACA,SAAA,EAAW;AAAA,KACZ;AAGA,IAAA,IAAI,OAAO,UAAA,EAAY;AACtB,MAAA,KAAK,aAAA,CAAc,MAAA,CAAO,UAAA,EAAY,eAAe,CAAA;AAAA,IACtD;AACA,IAAA,IAAI,OAAO,gBAAA,EAAkB;AAC5B,MAAA,KAAK,MAAA,CAAO,iBAAiB,eAAe,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,eAAA;AAAA,EACR;AAEA,EAAA,eAAe,OAAA,CACd,SAAA,EACA,SAAA,EACA,WAAA,EAC2B;AAC3B,IAAA,MAAM,OAAO,MAAM,EAAA,CACjB,MAAA,EAAO,CACP,KAAK,gBAAgB,CAAA,CACrB,KAAA,CAAMA,EAAAA,CAAG,iBAAiB,EAAA,EAAI,SAAS,CAAC,CAAA,CACxC,MAAM,CAAC,CAAA;AAET,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,GAAA,EAAK;AACT,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,SAAS,CAAA,WAAA,CAAa,CAAA;AAAA,IAC5D;AACA,IAAA,IAAI,GAAA,CAAI,WAAW,SAAA,EAAW;AAC7B,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,kBAAA,EAAqB,SAAS,CAAA,aAAA,EAAgB,GAAA,CAAI,MAAM,CAAA,sBAAA;AAAA,OACzD;AAAA,IACD;AAEA,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,EAAA,CACJ,OAAO,gBAAgB,CAAA,CACvB,IAAI,EAAE,MAAA,EAAQ,WAAW,WAAA,EAAa,GAAA,EAAK,aAAa,WAAA,IAAe,IAAA,EAAM,CAAA,CAC7E,KAAA,CAAMA,GAAG,gBAAA,CAAiB,EAAA,EAAI,SAAS,CAAC,CAAA;AAE1C,IAAA,OAAO,aAAA,CAAc;AAAA,MACpB,GAAG,GAAA;AAAA,MACH,MAAA,EAAQ,SAAA;AAAA,MACR,WAAA,EAAa,GAAA;AAAA,MACb,aAAa,WAAA,IAAe;AAAA,KAC5B,CAAA;AAAA,EACF;AAEA,EAAA,eAAe,OAAA,CAAQ,WAAmB,WAAA,EAAgD;AACzF,IAAA,OAAO,OAAA,CAAQ,SAAA,EAAW,UAAA,EAAY,WAAW,CAAA;AAAA,EAClD;AAEA,EAAA,eAAe,IAAA,CAAK,WAAmB,WAAA,EAAgD;AACtF,IAAA,OAAO,OAAA,CAAQ,SAAA,EAAW,QAAA,EAAU,WAAW,CAAA;AAAA,EAChD;AAEA,EAAA,eAAe,IAAI,SAAA,EAAoD;AACtE,IAAA,MAAM,OAAO,MAAM,EAAA,CACjB,MAAA,EAAO,CACP,KAAK,gBAAgB,CAAA,CACrB,KAAA,CAAMA,EAAAA,CAAG,iBAAiB,EAAA,EAAI,SAAS,CAAC,CAAA,CACxC,MAAM,CAAC,CAAA;AAET,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,OAAO,cAAc,GAAG,CAAA;AAAA,EACzB;AAEA,EAAA,eAAe,YAAY,MAAA,EAA6C;AACvE,IAAA,M
AAM,aAAa,CAACA,EAAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,SAAS,CAAC,CAAA;AAC1D,IAAA,IAAI,QAAQ,UAAA,CAAW,IAAA,CAAKA,GAAG,gBAAA,CAAiB,MAAA,EAAQ,MAAM,CAAC,CAAA;AAE/D,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,EAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA,CAAMC,GAAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAE1B,IAAA,OAAO,IAAA,CAAK,IAAI,aAAa,CAAA;AAAA,EAC9B;AAEA,EAAA,eAAe,OAAA,GAAwC;AACtD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAGrB,IAAA,MAAM,WAAA,GAAc,MAAM,EAAA,CACxB,MAAA,CAAO,EAAE,IAAI,gBAAA,CAAiB,EAAA,EAAI,CAAA,CAClC,IAAA,CAAK,gBAAgB,EACrB,KAAA,CAAMA,GAAAA,CAAID,EAAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,SAAS,CAAA,EAAG,EAAA,CAAG,gBAAA,CAAiB,SAAA,EAAW,GAAG,CAAC,CAAC,CAAA;AAExF,IAAA,IAAI,YAAY,MAAA,KAAW,CAAA,EAAG,OAAO,EAAE,SAAS,CAAA,EAAE;AAElD,IAAA,MAAM,EAAA,CACJ,OAAO,gBAAgB,CAAA,CACvB,IAAI,EAAE,MAAA,EAAQ,SAAA,EAAW,CAAA,CACzB,KAAA,CAAMC,IAAID,EAAAA,CAAG,gBAAA,CAAiB,QAAQ,SAAS,CAAA,EAAG,GAAG,gBAAA,CAAiB,SAAA,EAAW,GAAG,CAAC,CAAC,CAAA;AAExF,IAAA,OAAO,EAAE,OAAA,EAAS,WAAA,CAAY,MAAA,EAAO;AAAA,EACtC;AAEA,EAAA,OAAO;AAAA,IACN,OAAA;AAAA,IACA,OAAA;AAAA,IACA,IAAA;AAAA,IACA,GAAA;AAAA,IACA,WAAA;AAAA,IACA;AAAA,GACD;AACD;ACtKA,eAAsB,eAAe,MAAA,EAA2C;AAC/E,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,IAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,IAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,IAAA,OAAOE,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AAAA,EACxC;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,UAAA,EAAY;AAEnC,IAAA,MAAM,EAAE,MAAK,GAAI,MAAM,OAAO,IAAI,CAAA,CAAE,MAAM,MAAM;AAC/C,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,2BAA2B,CAAA;AAE5D,IAAA,MAAM,OAAO,IAAI,IAAA,CAAK,EAAE,gBAAA,EAAkB,MAAA,CAAO,KAAK,CAAA;AAGtD,IAAA,OAAO,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,IAAI,MAAA,CAAO,aAAa,OAAA,EAAS;AAEhC,IAAA,MAAM,SAAS,MAAM,OAAO,gBAAgB,CAAA,CAAE,MAAM,MAAM;AACzD,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD,CAAC,CAAA;AACD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,OAAO,oBAAoB,CAAA;AAErD,IAAA,MAAM,IAAA,GAAO,MAAA,CAAO,UAAA,CAAW,MAAA,CAAO,GAAG,CAAA;AAGzC,IAAA,OAAO
,QAAQ,IAAI,CAAA;AAAA,EACpB;AAEA,EAAA,MAAM,IAAI,KAAA;AAAA,IACT,CAAA,yCAAA,EAA6C,OAA0B,QAAQ,CAAA,kDAAA;AAAA,GAEhF;AACD;AASO,SAAS,mBAAmB,MAAA,EAAkC;AACpE,EAAA,IAAI,MAAA,CAAO,aAAa,QAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA;AAAA,MACT,CAAA,wFAAA,EACiD,OAAO,QAAQ,CAAA,EAAA;AAAA,KACjE;AAAA,EACD;AACA,EAAA,MAAM,MAAA,GAAS,IAAI,aAAA,CAAc,MAAA,CAAO,GAAG,CAAA;AAC3C,EAAA,MAAA,CAAO,OAAO,oBAAoB,CAAA;AAClC,EAAA,MAAA,CAAO,OAAO,mBAAmB,CAAA;AACjC,EAAA,OAAOA,OAAA,CAAc,MAAA,EAAQ,EAAE,MAAA,EAAA,cAAA,EAAQ,CAAA;AACxC;;;ACrGA,SAAS,gBAAgB,QAAA,EAAgD;AACxE,EAAA,MAAM,aAAa,QAAA,KAAa,UAAA;AAChC,EAAA,MAAM,UAAU,QAAA,KAAa,OAAA;AAG7B,EAAA,MAAM,EAAA,GAAK,UAAA,GAAa,aAAA,GAAgB,OAAA,GAAU,aAAA,GAAgB,SAAA;AAElE,EAAA,MAAM,MAAA,GAAS,EAAA;AAEf,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,OAAA,GAAU,OAAA,GAAU,MAAA,GAAS,MAAA;AAEvD,EAAA,MAAM,IAAA,GAAO,UAAA,GAAa,SAAA,GAAY,OAAA,GAAU,YAAA,GAAe,SAAA;AAE/D,EAAA,MAAM,IAAA,GAAO,eAAA;AAEb,EAAA,OAAO;AAAA;AAAA;AAAA;AAAA,IAIN,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,uBAAA,EAOG,IAAI,CAAA;AAAA,uBAAA,EACJ,IAAI,CAAA,sBAAA,EAAyB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA;AAAA,uBAAA,EAEvD,MAAM,CAAA;AAAA,+BAAA,EACE,IAAI,CAAA,sBAAA,EAAyB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+BAAA,EAKvD,MAAM,CAAA;AAAA,+BAAA,EACN,IAAI,CAAA,sBAAA,EAAyB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,+BAAA,EAKvD,MAAM,CAAA;AAAA,+BAAA,EACN,IAAI,CAAA,sBAAA,EAAyB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,+BAAA,EACvD,EAAE,CAAA;AAAA,+BAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjC,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAIP,IAAI,CAAA;AAAA;AAAA,aAAA,EAEJ,EAAE,CAAA;AAAA,aAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,kBAAA,EASF,MAAM,CAAA;AAAA,kBAAA,EACN,MAAM,CAAA;AAAA,kBAAA,EACN,IAAI,CAAA;AAAA,kBAAA,EACJ,EAAE,CAAA;AAAA,kBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMpB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA;AAAA,cAAA,EACJ,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB
,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAIJ,EAAE,CAAA;AAAA,gBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAML,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAOJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAIL,EAAE,CAAA;AAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAOjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,mBAAA,EAID,IAAI,CAAA;AAAA,mBAAA,EACJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,MAAA,GAAS,GAAG,CAAA;AAAA;AAAA;AAAA,mBAAA,EAGlD,EAAE,CAAA;AAAA,mBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMrB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA,aAAA,EAGP,EAAE,CAAA;AAAA,aAAA,EACF,IAAI,CAAA;AAAA,aAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8BAAA,EAMU,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA;AAAA;AAAA,8BAAA,EAGJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,8BAAA,EACnD,IAAI,CAAA;AAAA,8BAAA,EACJ,EAAE,CAAA;AAAA,8BAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhC,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4BAAA,EAQQ,EAAE,CAAA;AAAA,4BAAA,EACF,MAAM,CAAA;AAAA,4BAAA,EACN,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAM9B,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAAA,EAUK,EAAE,CAAA;AAAA,yBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAM3B,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAKJ,IAAI,CAAA;AAAA,gBAAA,EACJ,IAAI,CAAA;AAAA;AAAA;AAAA,gBAAA,EAGJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,oBAAA,EAMA,IAAI,CAAA;AAAA,oBAAA,EACJ,IAAI,CAAA;AAAA,oBAAA,EACJ,IAAI,CAAA;AAAA;AAAA,oBAAA,EAEJ,IAAI,CAAA;AAAA,oBAAA,EACJ,EAAE,CAAA;AAAA,oBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMtB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAMJ,IAAI,CAAA;AAAA;AAAA,gBAAA,EAEJ,EAAE,CAAA;AAAA,gBAAA,EACF,MAAM,CAAA;AAAA;AAAA,gBAAA,
EAEN,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA;AAAA,cAAA,EACJ,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAKP,IAAI,CAAA;AAAA,aAAA,EACJ,EAAE,CAAA;AAAA,aAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,YAAA,EAKR,EAAE,CAAA;AAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAOd,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAOP,EAAE,CAAA;AAAA,aAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA;AAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAOlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAQJ,EAAE,CAAA;AAAA,gBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAKP,EAAE,CAAA;AAAA,aAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAKN,IAAI,CAAA;AAAA,cAAA,EACJ,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,cAAA,EACnD,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,iBAAA,EAMH,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMnB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAIP,EAAE,CAAA;AAAA,aAAA,EACF,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,aAAA,EACnD,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAIP,EAAE,CAAA;AAAA;AAAA,aAAA,EAEF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMf,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA,eAAA,EAGL,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,eAAA,EACnD,IAAI,CAAA;AAAA,eAAA,EACJ,EAAE,CAAA;AAAA,eAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAON,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAML,IAAI,CAAA;AAAA,eAAA,EA
CJ,MAAM,CAAA;AAAA,eAAA,EACN,MAAM,CAAA;AAAA,eAAA,EACN,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,EAKJ,EAAE,CAAA;AAAA,gBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMlB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,eAAA,EAKL,EAAE,CAAA;AAAA,eAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMjB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAKN,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,aAAA,EAMP,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA,IAEf,gBAAgB,IAAI,CAAA;AAAA,mDAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMpB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA,8BAAA,EAKU,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA,8BAAA,EACJ,IAAI,CAAA;AAAA;AAAA,8BAAA,EAEJ,EAAE,CAAA;AAAA,8BAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhC,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,yBAAA,EAUK,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,yBAAA,EACnD,EAAE,CAAA;AAAA,yBAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAM3B,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAMN,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,cAAA,EACnD,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA;AAAA;AAAA;AAAA,IAMhB,gBAAgB,IAAI,CAAA;AAAA;AAAA;AAAA;AAAA,cAAA,EAIN,IAAI,CAAA,kBAAA,EAAqB,UAAA,GAAa,OAAA,GAAU,GAAG,CAAA;AAAA,cAAA,EACnD,EAAE,CAAA;AAAA,cAAA,EACF,EAAE,CAAA;AAAA,CAAA,CAAA;AAAA,IAEhB,gBAAgB,IAAI,CAAA;AAAA,wCAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAQrB;AACD;AAqBA,eAAsB,YAAA,CACrB,IACA,QAAA,EACgB;AAChB,EAAA,MAAM,UAAA,GAAa,gBAAgB,QAAQ,CAAA;AAE3C,EAAA,IAAI,aAAa,QAAA,EAAU;AAK1B,IAAA,MAAM,UAAW,EAAA,CAAW,OAAA;AAC5B,IAAA,IAAI,OAAA,EAAS,QAAQ,IAAA,EAAM;AAG1B,MAAA,OAAA,CAAQ,OAAO,IAAA,CAAK,CAAA,EAAG,WAAW,IAAA,CAAK,KAAK,CAAC,CAAA,CAAA,CAAG,CAAA;AAChD,MAAA;AAAA,IACD;AAGA,IAAA,MAAMC,MAAAA,GAAQ,EAAA;AACd,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAMA,MAAAA,CAAM,IAAI,GAAG,CAAA;AAAA,IACpB;AACA,IAAA;AAAA,EACD;AAMA,EA
AA,MAAM,KAAA,GAAQ,EAAA;AAEd,EAAA,IAAI,aAAa,UAAA,EAAY;AAG5B,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,MAAM,GAAG,CAAA;AAAA,IACvB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,IAAI,aAAa,OAAA,EAAS;AAEzB,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,QAAQ,GAAG,CAAA;AAAA,IACzB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,oCAAA,EAAuC,QAAQ,CAAA,CAAA,CAAG,CAAA;AACnE;AC9oBA,SAAS,kBAAA,CAAmB,aAA2B,UAAA,EAAmC;AACzF,EAAA,KAAA,MAAW,aAAa,UAAA,EAAY;AACnC,IAAA,MAAM,WAAA,GAAc,WAAA,CAAY,IAAA,CAAK,CAACC,EAAAA,KAAM;AAE3C,MAAA,IAAI,CAAC,gBAAA,CAAiBA,EAAAA,CAAE,UAAU,SAAA,CAAU,QAAQ,GAAG,OAAO,KAAA;AAG9D,MAAA,KAAA,MAAW,MAAA,IAAU,UAAU,OAAA,EAAS;AACvC,QAAA,IAAI,CAACA,EAAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,MAAM,CAAA,IAAK,CAACA,EAAAA,CAAE,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAAG,OAAO,KAAA;AAAA,MACrE;AAEA,MAAA,OAAO,IAAA;AAAA,IACR,CAAC,CAAA;AAED,IAAA,IAAI,CAAC,aAAa,OAAO,KAAA;AAAA,EAC1B;AAEA,EAAA,OAAO,IAAA;AACR;AAQA,SAAS,gBAAA,CAAiB,gBAAwB,aAAA,EAAgC;AACjF,EAAA,IAAI,cAAA,KAAmB,KAAK,OAAO,IAAA;AACnC,EAAA,IAAI,cAAA,KAAmB,eAAe,OAAO,IAAA;AAE7C,EAAA,MAAM,WAAA,GAAc,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAC5C,EAAA,MAAM,UAAA,GAAa,aAAA,CAAc,KAAA,CAAM,GAAG,CAAA;AAE1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,WAAA,CAAY,QAAQ,CAAA,EAAA,EAAK;AAC5C,IAAA,IAAI,WAAA,CAAY,CAAC,CAAA,KAAM,GAAA,EAAK,OAAO,IAAA;AACnC,IAAA,IAAI,YAAY,CAAC,CAAA,KAAM,UAAA,CAAW,CAAC,GAAG,OAAO,KAAA;AAAA,EAC9C;AAEA,EAAA,OAAO,WAAA,CAAY,UAAU,UAAA,CAAW,MAAA;AACzC;AAMO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,IAAG,GAAI,MAAA;AAEf,EAAA,eAAe,QAAA,CACd,OACA,iBAAA,EAC2B;AAE3B,IAAA,IAAI,CAAC,kBAAA,CAAmB,iBAAA,EAAmB,KAAA,CAAM,WAAW,CAAA,EAAG;AAC9D,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OAED;AAAA,IACD;AAGA,IAAA,MAAM,iBAAiB,MAAM,EAAA,CAC3B,QAAO,CACP,IAAA,CA
AK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACAH,GAAAA,CAAID,EAAAA,CAAG,gBAAA,CAAiB,SAAA,EAAW,KAAA,CAAM,SAAS,CAAA,EAAGA,EAAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ,CAAC;AAAA,KAC3F;AAED,IAAA,MAAM,YAAA,GACL,cAAA,CAAe,MAAA,GAAS,CAAA,GAAI,KAAK,GAAA,CAAI,GAAG,cAAA,CAAe,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAE,KAAK,CAAC,IAAI,CAAA,GAAI,CAAA;AAEnF,IAAA,MAAM,QAAA,GAAW,MAAM,QAAA,IAAY,CAAA;AAEnC,IAAA,IAAI,eAAe,QAAA,EAAU;AAC5B,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,iBAAA,EAAoB,YAAY,CAAA,kCAAA,EAAqC,QAAQ,CAAA,2CAAA;AAAA,OAE9E;AAAA,IACD;AAEA,IAAA,MAAM,KAAKK,UAAAA,EAAW;AACtB,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,gBAAgB,CAAA,CAAE,MAAA,CAAO;AAAA,MACxC,EAAA;AAAA,MACA,aAAa,KAAA,CAAM,SAAA;AAAA,MACnB,WAAW,KAAA,CAAM,OAAA;AAAA,MACjB,WAAA,EAAa,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAACD,EAAAA,MAAO;AAAA,QAC1C,UAAUA,EAAAA,CAAE,QAAA;AAAA,QACZ,SAASA,EAAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,KAAA,EAAO,YAAA;AAAA,MACP,QAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,KAAA,EAAO,YAAA;AAAA,MACP,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAKA,EAAA,eAAe,iBAAiB,OAAA,EAAgC;AAC/D,IAAA,MAAM,QAAQ,MAAM,EAAA,CAClB,MAAA,EAAO,CACP,KAAK,gBAAgB,CAAA,CACrB,KAAA,CAAMJ,EAAAA,CAAG,iBAAiB,EAAA,EAAI,OAAO,CAAC,CAAA,CACtC,MAAM,CAAC,CAAA;AAET,IAAA,IAAI,CAAC,MAAM,CAAC,CAAA,QAAS,IAAI,KAAA,CAAM,CAAA,iBAAA,EAAoB,OAAO,CAAA,WAAA,CAAa,CAAA;AAGvE,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,gBAAgB,CAAA,CACvB,IAAI,EAAE,MAAA,EAAQ,SAAA,EAAW,EACzB,KAAA,CAAMA,EAAAA,CAAG,gBAAA,CAAiB,EAAA,EAAI,OAAO,CAAC,CAAA;AAGxC,IAAA,MAAM,cAAc,MAAM,EAAA,CACxB,QAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA;AAAA,MACAC,GAAAA;AAAA,QACCD,GAAG,gBAAA,CAAiB,WAAA,EAAa,KAAA,CAAM,CAAC,EAAE,SAAS,CAAA;AAAA,QACnDA,EAAAA,CAAG,gBAAA,CAAiB,MAAA,EAAQ,QAAQ;AAAA;AACrC,KACD;AAED,IAAA,KAAA,MAAW,SAAS,WAAA,EAAa;AAChC,MAAA,MAAM,gBAAA,CAAiB,MAAM,EAAE,CAAA;AAAA,IAChC;AAAA,EACD;AAKA,EAAA,eAAe,wBAAwB,OAAA,EAAwC;A
AC9E,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,GACA,IAAA,CAAK,gBAAgB,EACrB,KAAA,CAAMC,GAAAA,CAAID,GAAG,gBAAA,CAAiB,SAAA,EAAW,OAAO,CAAA,EAAGA,EAAAA,CAAG,iBAAiB,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAG3F,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,eAAe,MAAA,CAAO,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,GAAG,CAAA;AAG3D,IAAA,MAAM,iBAA+B,EAAC;AACtC,IAAA,KAAA,MAAW,SAAS,YAAA,EAAc;AACjC,MAAA,KAAA,MAAW,IAAA,IAAQ,MAAM,WAAA,EAAa;AACrC,QAAA,cAAA,CAAe,IAAA,CAAK;AAAA,UACnB,UAAU,IAAA,CAAK,QAAA;AAAA,UACf,SAAS,IAAA,CAAK;AAAA,SACd,CAAA;AAAA,MACF;AAAA,IACD;AAEA,IAAA,OAAO,cAAA;AAAA,EACR;AAKA,EAAA,eAAe,WAAW,OAAA,EAA6C;AACtE,IAAA,MAAM,MAAA,GAAS,MAAM,EAAA,CACnB,MAAA,EAAO,CACP,IAAA,CAAK,gBAAgB,CAAA,CACrB,KAAA,CAAMA,EAAAA,CAAG,gBAAA,CAAiB,WAAA,EAAa,OAAO,CAAC,CAAA;AAEjD,IAAA,OAAO,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,MACzB,IAAI,CAAA,CAAE,EAAA;AAAA,MACN,WAAW,CAAA,CAAE,WAAA;AAAA,MACb,SAAS,CAAA,CAAE,SAAA;AAAA,MACX,WAAA,EAAa,CAAA,CAAE,WAAA,CAAY,GAAA,CAAI,CAACI,EAAAA,MAAO;AAAA,QACtC,UAAUA,EAAAA,CAAE,QAAA;AAAA,QACZ,SAASA,EAAAA,CAAE;AAAA,OACZ,CAAE,CAAA;AAAA,MACF,WAAW,CAAA,CAAE,SAAA;AAAA,MACb,OAAO,CAAA,CAAE,KAAA;AAAA,MACT,WAAW,CAAA,CAAE;AAAA,KACd,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,OAAO,EAAE,QAAA,EAAU,gBAAA,EAAkB,uBAAA,EAAyB,UAAA,EAAW;AAC1E;AC5MA,IAAM,eAAA,GAAkB,4DAAA;AAMxB,SAAS,gBAAgB,KAAA,EAA2B;AAEnD,EAAA,IAAI,YAAA,GAAe,CAAA;AACnB,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,SAAS,CAAA,EAAG;AAChB,IAAA,YAAA,EAAA;AAAA,EACD;AAGA,EAAA,MAAM,MAAA,GAAmB,CAAC,CAAC,CAAA;AAC3B,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,IAAI,KAAA,GAAQ,IAAA;AACZ,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,MAAA,KAAA,IAAA,CAAU,MAAA,CAAO,CAAC,CAAA,IAAK,CAAA,IAAK,GAAA;AAC5B,MAAA,MAAA,CAAO,CAAC,IAAI,KAAA,GAAQ,EAAA;AACpB,MAAA,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,EAAE,CAAA;AAAA,IAC9B;AACA,IAAA,OAAO,QAAQ,CAAA,EAAG;AACjB,MAAA,MAAA,CAAO,IAAA,CAAK,QAAQ,EAAE,CAAA;AACtB,MAAA,KAAA,GAAQ,IAAA,CAAK,KAAA,CAAM,KAAA,GAAQ,EAAE,CAAA;AAAA,IAC9B;AAAA,EACD;AAGA,EAAA,MAAM,MAAA,GAAS,MAAA,CACb,OAAA,EAAQ,CACR,GAAA,CAAI,CAAC,CA
AA,KAAM,eAAA,CAAgB,CAAC,CAAA,IAAK,GAAG,CAAA,CACpC,KAAK,EAAE,CAAA;AAET,EAAA,OAAO,GAAA,CAAI,MAAA,CAAO,YAAY,CAAA,GAAI,MAAA;AACnC;AAMA,SAAS,iBAAiB,MAAA,EAA4B;AAErD,EAAA,MAAM,MAAA,GAAS,OAAO,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC1D,EAAA,MAAM,MAAA,GAAA,CAAU,CAAA,GAAK,MAAA,CAAO,MAAA,GAAS,CAAA,IAAM,CAAA;AAC3C,EAAA,MAAM,GAAA,GAAM,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,MAAM,CAAA;AAGtC,EAAA,MAAM,MAAA,GAAS,KAAK,GAAG,CAAA;AACvB,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAA,CAAO,MAAM,CAAA;AAC1C,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,KAAA,CAAM,CAAC,CAAA,GAAI,MAAA,CAAO,UAAA,CAAW,CAAC,CAAA;AAAA,EAC/B;AACA,EAAA,OAAO,KAAA;AACR;AASA,SAAS,qBAAqB,YAAA,EAAkC;AAC/D,EAAA,IAAI,CAAC,aAAa,CAAA,EAAG;AACpB,IAAA,MAAM,IAAI,MAAM,wCAAwC,CAAA;AAAA,EACzD;AACA,EAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,YAAA,CAAa,CAAC,CAAA;AAG9C,EAAA,MAAM,SAAS,IAAI,UAAA,CAAW,CAAC,GAAA,EAAM,CAAI,CAAC,CAAA;AAC1C,EAAA,MAAM,gBAAgB,IAAI,UAAA,CAAW,MAAA,CAAO,MAAA,GAAS,OAAO,MAAM,CAAA;AAClE,EAAA,aAAA,CAAc,IAAI,MAAM,CAAA;AACxB,EAAA,aAAA,CAAc,GAAA,CAAI,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAA;AAEvC,EAAA,OAAO,CAAA,SAAA,EAAY,eAAA,CAAgB,aAAa,CAAC,CAAA,CAAA;AAClD;AAKO,SAAS,gBAAA,CAAiB,KAAa,YAAA,EAAuC;AACpF,EAAA,MAAM,KAAA,GAAQ,GAAG,GAAG,CAAA,CAAA,EAAI,IAAI,KAAA,CAAM,UAAA,CAAW,MAAM,CAAC,CAAA,CAAA;AAEpD,EAAA,MAAM,kBAAA,GAAyC;AAAA,IAC9C,EAAA,EAAI,KAAA;AAAA,IACJ,IAAA,EAAM,gBAAA;AAAA,IACN,UAAA,EAAY,GAAA;AAAA,IACZ;AAAA,GACD;AAEA,EAAA,OAAO;AAAA,IACN,UAAA,EAAY,CAAC,8BAAA,EAAgC,8CAA8C,CAAA;AAAA,IAC3F,EAAA,EAAI,GAAA;AAAA,IACJ,UAAA,EAAY,GAAA;AAAA,IACZ,kBAAA,EAAoB,CAAC,kBAAkB,CAAA;AAAA,IACvC,cAAA,EAAgB,CAAC,KAAK,CAAA;AAAA,IACtB,eAAA,EAAiB,CAAC,KAAK,CAAA;AAAA,IACvB,oBAAA,EAAsB,CAAC,KAAK,CAAA;AAAA,IAC5B,oBAAA,EAAsB,CAAC,KAAK;AAAA,GAC7B;AACD;AASA,eAAsB,cAAA,GAAsC;AAC3D,EAAA,MAAM,EAAE,SAAA,EAAW,UAAA,EAAW,GAAI,MAAM,gBAAgB,OAAA,EAAS;AAAA,IAChE,GAAA,EAAK,SAAA;AAAA,IACL,WAAA,EAAa;AAAA,GACb,CAAA;AAED,EAAA,MAAM,YAAA,GAAe,MAAM,SAAA,CAAU,SAAS,CAAA;AAC9C,EAAA,MAAM,aAAA,GAAgB,MAAM,SAAA,CAAU,UAAU,CAAA;AAGhD,EAAA,YAAA,CAAa,GAAA,G
AAM,SAAA;AACnB,EAAA,YAAA,CAAa,GAAA,GAAM,KAAA;AACnB,EAAA,aAAA,CAAc,GAAA,GAAM,SAAA;AACpB,EAAA,aAAA,CAAc,GAAA,GAAM,KAAA;AAEpB,EAAA,MAAM,GAAA,GAAM,qBAAqB,YAAY,CAAA;AAC7C,EAAA,MAAM,WAAA,GAAc,gBAAA,CAAiB,GAAA,EAAK,YAAY,CAAA;AAEtD,EAAA,OAAO;AAAA,IACN,GAAA;AAAA,IACA,YAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACD;AACD;AASO,SAAS,cAAc,GAAA,EAAiC;AAC9D,EAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,WAAW,GAAG,OAAO,IAAA;AASzC,EAAA,MAAM,KAAA,GAAQ,GAAG,GAAG,CAAA,CAAA,EAAI,IAAI,KAAA,CAAM,UAAA,CAAW,MAAM,CAAC,CAAA,CAAA;AAEpD,EAAA,MAAM,kBAAA,GAAyC;AAAA,IAC9C,EAAA,EAAI,KAAA;AAAA,IACJ,IAAA,EAAM,gBAAA;AAAA,IACN,UAAA,EAAY,GAAA;AAAA;AAAA;AAAA,IAGZ,YAAA,EAAc,EAAE,GAAA,EAAK,KAAA,EAAO,KAAK,SAAA;AAAU,GAC5C;AAEA,EAAA,OAAO;AAAA,IACN,UAAA,EAAY,CAAC,8BAAA,EAAgC,8CAA8C,CAAA;AAAA,IAC3F,EAAA,EAAI,GAAA;AAAA,IACJ,UAAA,EAAY,GAAA;AAAA,IACZ,kBAAA,EAAoB,CAAC,kBAAkB,CAAA;AAAA,IACvC,cAAA,EAAgB,CAAC,KAAK,CAAA;AAAA,IACtB,eAAA,EAAiB,CAAC,KAAK,CAAA;AAAA,IACvB,oBAAA,EAAsB,CAAC,KAAK,CAAA;AAAA,IAC5B,oBAAA,EAAsB,CAAC,KAAK;AAAA,GAC7B;AACD;AC1KA,eAAsB,WAAA,CACrB,OAAA,EACA,aAAA,EACA,GAAA,EACyB;AACzB,EAAA,MAAM,UAAA,GAAa,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGzD,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,GAAA,CAAI,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAErD,EAAA,MAAM,MAAM,MAAM,IAAI,QAAQ,OAAO,CAAA,CACnC,mBAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,EACxC,SAAA,CAAU,GAAG,EACb,WAAA,EAAY,CACZ,KAAK,UAAU,CAAA;AAEjB,EAAA,OAAO;AAAA,IACN,GAAA;AAAA,IACA,OAAA;AAAA,IACA,MAAA,EAAQ;AAAA,GACT;AACD;AASA,eAAsB,aAAA,CACrB,KACA,YAAA,EAC8B;AAC9B,EAAA,IAAI;AACH,IAAA,MAAM,SAAA,GAAY,MAAM,SAAA,CAAU,YAAA,EAAc,OAAO,CAAA;AACvD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,IAAA,MAAM,SAAS,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,GAAW,QAAQ,GAAA,GAAM,KAAA,CAAA;AAG/D,IAAA,MAAM,EAAE,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,GAAA,EAAK,KAAK,GAAA,EAAK,GAAA,EAAK,GAAG,IAAA,EAAK,GAAI,OAAA;AACvD,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AACL,IAAA,KAAK,GAAA;AAEL,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,IAAA;AAAA,MA
CP,OAAA,EAAS,IAAA;AAAA,MACT;AAAA,KACD;AAAA,EACD,SAAS,GAAA,EAAK;AACb,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,KAAA,EAAO,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA,KAC7C;AAAA,EACD;AACD;AAQA,eAAsB,mBAAmB,OAAA,EAOrB;AACnB,EAAA,MAAM,EAAE,SAAS,GAAA,EAAK,aAAA,EAAe,cAAc,QAAA,EAAU,SAAA,GAAY,KAAI,GAAI,OAAA;AAEjF,EAAA,MAAM,UAAA,GAAa,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AACzD,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,GAAG,CAAA,CAAA,EAAI,GAAA,CAAI,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAErD,EAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,IAC3B,OAAA;AAAA,IACA,YAAA;AAAA,IACA,IAAA,EAAM;AAAA,GACN,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,CAAA,CACxC,SAAA,CAAU,GAAG,CAAA,CACb,WAAW,OAAO,CAAA,CAClB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,SAAS,CAAA;AAE7D,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,OAAA,CAAQ,YAAY,QAAQ,CAAA;AAAA,EAC7B;AAEA,EAAA,OAAO,OAAA,CAAQ,KAAK,UAAU,CAAA;AAC/B;AAOA,eAAsB,kBAAA,CACrB,KACA,YAAA,EAOE;AACF,EAAA,IAAI;AACH,IAAA,MAAM,SAAA,GAAY,MAAM,SAAA,CAAU,YAAA,EAAc,OAAO,CAAA;AACvD,IAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,IAAA,MAAM,UAAU,OAAO,OAAA,CAAQ,OAAA,KAAY,QAAA,GAAW,QAAQ,OAAA,GAAU,KAAA,CAAA;AACxE,IAAA,MAAM,MAAM,OAAO,OAAA,CAAQ,GAAA,KAAQ,QAAA,GAAW,QAAQ,GAAA,GAAM,KAAA,CAAA;AAC5D,IAAA,MAAM,eAAe,KAAA,CAAM,OAAA,CAAQ,QAAQ,YAAY,CAAA,GACnD,QAAQ,YAAA,GACT,KAAA,CAAA;AAEH,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,IAAA;AAAA,MACP,OAAA;AAAA,MACA,GAAA;AAAA,MACA;AAAA,KACD;AAAA,EACD,SAAS,GAAA,EAAK;AACb,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,KAAA,EAAO,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA,KAC7C;AAAA,EACD;AACD;;;ACxIA,SAAS,WAAA,CAAY,QAAsB,OAAA,EAAyB;AACnE,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,MAAA,CAAO,OAAA,CAAQ,OAAO,GAAG,CAAA;AAC/C,EAAA,IAAI,OAAO,IAAA,EAAM;AAChB,IAAA,MAAM,IAAA,GAAO,OAAO,IAAA,CAAK,OAAA,CAAQ,OAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,QAAA,EAAU,EAAE,CAAA;AACjE,IAAA,OAAO,CAAA,QAAA,EAAW,MAAM,CAAA,CAAA,EAAI,IAAI,IAAI,OAAO,CAAA,CAAA;AAAA,EAC5C;AACA,EAAA,OAAO,CAAA,QAAA,EAAW,MAAM,CAAA,CAAA,EAAI,OAAO,CAAA,CAAA;AACpC;AASA,eAAsB,cAAA,CAAe,QA
AsB,OAAA,EAAsC;AAEhG,EAAA,MAAM,EAAE,YAAA,EAAc,aAAA,EAAc,GAAI,MAAM,cAAA,EAAe;AAE7D,EAAA,MAAM,GAAA,GAAM,WAAA,CAAY,MAAA,EAAQ,OAAO,CAAA;AACvC,EAAA,MAAM,WAAA,GAAc,gBAAA,CAAiB,GAAA,EAAK,YAAY,CAAA;AAEtD,EAAA,OAAO;AAAA,IACN,GAAA;AAAA,IACA,YAAA;AAAA,IACA,aAAA;AAAA,IACA;AAAA,GACD;AACD;AAQO,SAAS,aAAa,GAAA,EAAqB;AACjD,EAAA,IAAI,CAAC,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAChC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,0BAAA,EAA6B,GAAG,CAAA,CAAE,CAAA;AAAA,EACnD;AAGA,EAAA,MAAM,cAAA,GAAiB,GAAA,CAAI,KAAA,CAAM,UAAA,CAAW,MAAM,CAAA;AAClD,EAAA,MAAM,KAAA,GAAQ,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAGtC,EAAA,MAAM,UAAU,KAAA,CAAM,GAAA,CAAI,CAACA,EAAAA,KAAM,kBAAA,CAAmBA,EAAC,CAAC,CAAA;AAEtD,EAAA,IAAI,OAAA,CAAQ,WAAW,CAAA,EAAG;AAEzB,IAAA,OAAO,CAAA,QAAA,EAAW,OAAA,CAAQ,CAAC,CAAC,CAAA,qBAAA,CAAA;AAAA,EAC7B;AAGA,EAAA,MAAM,MAAA,GAAS,QAAQ,CAAC,CAAA;AACxB,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA;AACpC,EAAA,OAAO,WAAW,MAAM,CAAA,CAAA,EAAI,YAAA,CAAa,IAAA,CAAK,GAAG,CAAC,CAAA,SAAA,CAAA;AACnD;AAQA,eAAsB,cAAc,GAAA,EAA0C;AAC7E,EAAA,IAAI,GAAA;AACJ,EAAA,IAAI;AACH,IAAA,GAAA,GAAM,aAAa,GAAG,CAAA;AAAA,EACvB,CAAA,CAAA,MAAQ;AACP,IAAA,OAAO,IAAA;AAAA,EACR;AAEA,EAAA,IAAI;AACH,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MACjC,OAAA,EAAS,EAAE,MAAA,EAAQ,kBAAA;AAAmB,KACtC,CAAA;AAED,IAAA,IAAI,CAAC,QAAA,CAAS,EAAA,EAAI,OAAO,IAAA;AAEzB,IAAA,MAAM,GAAA,GAAO,MAAM,QAAA,CAAS,IAAA,EAAK;AAGjC,IAAA,IAAI,CAAC,GAAA,CAAI,UAAU,KAAK,CAAC,GAAA,CAAI,IAAI,OAAO,IAAA;AAExC,IAAA,OAAO,GAAA;AAAA,EACR,CAAA,CAAA,MAAQ;AACP,IAAA,OAAO,IAAA;AAAA,EACR;AACD;;;AC9EO,SAAS,eAAA,CAAgB,IAAc,MAAA,EAAiC;AAO9E,EAAA,eAAe,YACd,OAAA,EAC6D;AAC7D,IAAA,MAAM,OAAA,GAAU,MAAM,cAAA,EAAe;AAErC,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,MACjC,OAAA;AAAA,MACA,KAAK,OAAA,CAAQ,GAAA;AAAA,MACb,MAAA,EAAQ,KAAA;AAAA,MACR,YAAA,EAAc,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,YAAY,CAAA;AAAA,MACjD,WAAA,EAAa,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,WAAW,CAAA;AAAA,MAC/C,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,MAAM,QAAA,GAAqB;AAAA,MAC1B,OAAA;AAAA,MACA,KAAK,OAAA,CAAQ,GAAA;AAAA,M
ACb,MAAA,EAAQ,KAAA;AAAA,MACR,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,MACrB,SAAA,EAAW;AAAA,KACZ;AAEA,IAAA,OAAO,EAAE,QAAA,EAAU,aAAA,EAAe,OAAA,CAAQ,aAAA,EAAc;AAAA,EACzD;AAQA,EAAA,eAAe,YACd,OAAA,EAC6D;AAC7D,IAAA,IAAI,CAAC,QAAQ,GAAA,EAAK;AACjB,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,cAAA,CAAe,MAAA,CAAO,KAAK,OAAO,CAAA;AACxD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,MACjC,OAAA;AAAA,MACA,KAAK,OAAA,CAAQ,GAAA;AAAA,MACb,MAAA,EAAQ,KAAA;AAAA,MACR,YAAA,EAAc,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,YAAY,CAAA;AAAA,MACjD,WAAA,EAAa,IAAA,CAAK,SAAA,CAAU,OAAA,CAAQ,WAAW,CAAA;AAAA,MAC/C,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,MAAM,QAAA,GAAqB;AAAA,MAC1B,OAAA;AAAA,MACA,KAAK,OAAA,CAAQ,GAAA;AAAA,MACb,MAAA,EAAQ,KAAA;AAAA,MACR,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,aAAa,OAAA,CAAQ,WAAA;AAAA,MACrB,SAAA,EAAW;AAAA,KACZ;AAEA,IAAA,OAAO,EAAE,QAAA,EAAU,aAAA,EAAe,OAAA,CAAQ,aAAA,EAAc;AAAA,EACzD;AAQA,EAAA,eAAe,QAAQ,GAAA,EAA0C;AAChE,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/B,MAAA,OAAO,cAAc,GAAG,CAAA;AAAA,IACzB;AACA,IAAA,IAAI,GAAA,CAAI,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/B,MAAA,OAAO,cAAc,GAAG,CAAA;AAAA,IACzB;AACA,IAAA,OAAO,IAAA;AAAA,EACR;AAKA,EAAA,eAAe,YAAY,OAAA,EAA2C;AACrE,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,KAAA,CAAMJ,EAAAA,CAAG,SAAA,CAAU,OAAA,EAAS,OAAO,CAAC,CAAA;AACnF,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AAEjB,IAAA,OAAO;AAAA,MACN,SAAS,GAAA,CAAI,OAAA;AAAA,MACb,KAAK,GAAA,CAAI,GAAA;AAAA,MACT,QAAQ,GAAA,CAAI,MAAA;AAAA,MACZ,YAAA,EAAc,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACzC,WAAA,EAAa,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,WAAW,CAAA;AAAA,MACvC,WAAW,GAAA,CAAI;AAAA,KAChB;AAAA,EACD;AAOA,EAAA,eAAe,IAAA,CACd,OAAA,EACA,OAAA,EACA,aAAA,EACyB;AACzB,IAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,OAAO,CAAA;AAC1C,IAAA,IAAI,CAAC,QAAA,EAAU;AACd,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,OAAO,CAAA,4BAAA,CAA8B,CAAA;AAAA,IACjF;AACA,IAAA,OAAO,WAAA,CAAY,OAAA,EAAS,aAAA,EAAe,QAAA,CAAS,
GAAG,CAAA;AAAA,EACxD;AASA,EAAA,eAAe,MAAA,CAAO,KAAa,GAAA,EAA2C;AAC7E,IAAA,IAAI,CAAC,GAAA,EAAK;AACT,MAAA,OAAO;AAAA,QACN,KAAA,EAAO,KAAA;AAAA,QACP,KAAA,EAAO;AAAA,OACR;AAAA,IACD;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,CAAA,CAAE,KAAA,CAAMA,EAAAA,CAAG,SAAA,CAAU,GAAA,EAAK,GAAG,CAAC,CAAA;AAC3E,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,GAAA,EAAK;AACT,MAAA,OAAO;AAAA,QACN,KAAA,EAAO,KAAA;AAAA,QACP,KAAA,EAAO,uCAAuC,GAAG,CAAA,CAAA;AAAA,OAClD;AAAA,IACD;AAEA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAChD,IAAA,OAAO,aAAA,CAAc,KAAK,YAAY,CAAA;AAAA,EACvC;AAKA,EAAA,eAAe,2BAA2B,OAAA,EAMtB;AACnB,IAAA,MAAM,QAAA,GAAW,MAAM,WAAA,CAAY,OAAA,CAAQ,OAAO,CAAA;AAClD,IAAA,IAAI,CAAC,QAAA,EAAU;AACd,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,OAAA,CAAQ,OAAO,CAAA,4BAAA,CAA8B,CAAA;AAAA,IACzF;AAEA,IAAA,OAAO,kBAAA,CAAmB;AAAA,MACzB,SAAS,OAAA,CAAQ,OAAA;AAAA,MACjB,KAAK,QAAA,CAAS,GAAA;AAAA,MACd,eAAe,OAAA,CAAQ,aAAA;AAAA,MACvB,cAAc,OAAA,CAAQ,YAAA;AAAA,MACtB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,WAAW,OAAA,CAAQ;AAAA,KACnB,CAAA;AAAA,EACF;AAQA,EAAA,eAAe,2BACd,GAAA,EAC4D;AAE5D,IAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,iCAAA,EAAkC;AAAA,IACjE;AAEA,IAAA,IAAI,SAAA;AACJ,IAAA,IAAI;AACH,MAAA,MAAM,WAAA,GAAc,KAAA,CAAM,CAAC,CAAA,IAAK,EAAA;AAChC,MAAA,MAAM,MAAA,GAAS,YAAY,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,GAAG,CAAA;AAC/D,MAAA,MAAM,MAAA,GAAA,CAAU,CAAA,GAAK,MAAA,CAAO,MAAA,GAAS,CAAA,IAAM,CAAA;AAC3C,MAAA,MAAM,UAAU,IAAA,CAAK,MAAA,GAAS,GAAA,CAAI,MAAA,CAAO,MAAM,CAAC,CAAA;AAChD,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA;AACjC,MAAA,SAAA,GAAY,OAAO,MAAA,CAAO,GAAA,KAAQ,QAAA,GAAW,OAAO,GAAA,GAAM,KAAA,CAAA;AAAA,IAC3D,CAAA,CAAA,MAAQ;AACP,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,8BAAA,EAA+B;AAAA,IAC9D;AAEA,IAAA,IAAI,CAAC,SAAA,EAAW;AACf,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,yBAAA,EAA0B;AAAA,IACzD;AAEA,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,SAAS,
CAAA,CAAE,KAAA,CAAMA,EAAAA,CAAG,SAAA,CAAU,GAAA,EAAK,SAAS,CAAC,CAAA;AACjF,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,GAAA,EAAK;AACT,MAAA,OAAO;AAAA,QACN,KAAA,EAAO,KAAA;AAAA,QACP,KAAA,EAAO,uCAAuC,SAAS,CAAA,CAAA;AAAA,OACxD;AAAA,IACD;AAEA,IAAA,MAAM,YAAA,GAAe,IAAA,CAAK,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAChD,IAAA,MAAM,MAAA,GAAS,MAAM,kBAAA,CAAmB,GAAA,EAAK,YAAY,CAAA;AAEzD,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AAClB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,KAAA,EAAO,OAAO,KAAA,EAAM;AAAA,IAC5C;AAEA,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,IAAA;AAAA,MACP,QAAQ,MAAA,CAAO,GAAA;AAAA,MACf,OAAA,EAAS,MAAA;AAAA,MACT,cAAc,MAAA,CAAO;AAAA,KACtB;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,WAAA;AAAA,IACA,WAAA;AAAA,IACA,OAAA;AAAA,IACA,WAAA;AAAA,IACA,IAAA;AAAA,IACA,MAAA;AAAA,IACA,kBAAA,EAAoB,0BAAA;AAAA,IACpB,kBAAA,EAAoB;AAAA,GACrB;AACD;;;AChPA,IAAM,YAAA,GACL,iHAAA;AACD,IAAM,gBAAA,GACL,wFAAA;AACD,IAAM,aAAA,GAAgB,uCAAA;AACtB,IAAM,gBAAA,GACL,8EAAA;AACD,IAAM,WAAA,GAAc,eAAA;AACpB,IAAM,QAAA,GAAW,+DAAA;AACjB,IAAM,WAAA,GACL,4MAAA;AACD,IAAM,aAAA,GACL,gJAAA;AACD,IAAM,aAAA,GACL,8EAAA;AAED,SAAS,IAAA,CAAK,OAAA,EAAiB,KAAA,EAAe,IAAA,EAAsB;AACnE,EAAA,OAAO,CAAA;AAAA;AAAA,sGAAA,EAEgG,KAAK,CAAA;AAAA,aAAA,EAC9F,YAAY,CAAA;AAAA;AAAA,YAAA,EAEb,gBAAgB,CAAA;AAAA,cAAA,EACd,aAAa,CAAA,aAAA,EAAgB,gBAAgB,CAAA,EAAA,EAAK,OAAO,CAAA;AAAA,cAAA,EACzD,WAAW,KAAK,IAAI,CAAA;AAAA,cAAA,EACpB,aAAa,yDAAyD,OAAO,CAAA;AAAA;AAAA;AAAA;AAAA,OAAA,CAAA;AAK7F;AAEA,SAAS,EAAE,OAAA,EAAyB;AACnC,EAAA,OAAO,CAAA,UAAA,EAAa,QAAQ,CAAA,EAAA,EAAK,OAAO,CAAA,IAAA,CAAA;AACzC;AAEA,SAAS,MAAA,CAAO,KAAa,KAAA,EAAuB;AACnD,EAAA,OAAO,CAAA,mCAAA,EAAsC,GAAG,CAAA,SAAA,EAAY,aAAa,KAAK,KAAK,CAAA,QAAA,CAAA;AACpF;AAEA,SAAS,KAAK,KAAA,EAAuB;AACpC,EAAA,OAAO,CAAA,uCAAA,EAA0C,WAAW,CAAA,EAAA,EAAK,KAAK,CAAA,WAAA,CAAA;AACvE;AAMA,SAAS,oBAAA,CACR,OAAA,EACA,MAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,SAAA,GAAY,KAAK,SAAA,IAAa,CAAA,EAAG,MAAM,CAAA,cAAA,EAAiB,IAAA,CAAK,SAAS,EAAE,CAAA,CAAA;AAE9E,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,uBAAuB,OAAO,CAAA,CAAA;AAAA,IACvC,IAAA,EAAM;AAAA,MACL
,CAAA,yBAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,EAAA,EAAK,KAAA,GAAQ,CAAA,CAAA,EAAI,KAAK,KAAK,EAAE,CAAA,CAAA,CAAA;AAAA,MAC7B,CAAA,CAAA;AAAA,MACA,CAAA,4DAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,SAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,2FAAA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,CAAA,iBAAA,CAAA;AAAA,MACA;AAAA,QACC,EAAE,CAAA,EAAA,EAAK,KAAA,GAAQ,YAAY,KAAK,CAAA,SAAA,CAAA,GAAc,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,QACnD,EAAE,4DAA4D,CAAA;AAAA,QAC9D,MAAA,CAAO,WAAW,cAAc,CAAA;AAAA,QAChC,CAAA,CAAE,CAAA,4BAAA,EAA+B,SAAS,CAAA,yBAAA,EAA4B,SAAS,CAAA,IAAA,CAAM,CAAA;AAAA,QACrF,CAAA;AAAA,UACC,CAAA,kGAAA;AAAA;AACD,OACD,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAEA,SAAS,qBAAA,CACR,OAAA,EACA,MAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,QAAA,GAAW,KAAK,QAAA,IAAY,CAAA,EAAG,MAAM,CAAA,sBAAA,EAAyB,IAAA,CAAK,SAAS,EAAE,CAAA,CAAA;AAEpF,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,yBAAyB,OAAO,CAAA,CAAA;AAAA,IACzC,IAAA,EAAM;AAAA,MACL,CAAA,mBAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,EAAA,EAAK,KAAA,GAAQ,CAAA,CAAA,EAAI,KAAK,KAAK,EAAE,CAAA,CAAA,CAAA;AAAA,MAC7B,CAAA,CAAA;AAAA,MACA,CAAA,8EAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,QAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,gGAAA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,CAAA,mBAAA,CAAA;AAAA,MACA;AAAA,QACC,EAAE,CAAA,EAAA,EAAK,KAAA,GAAQ,YAAY,KAAK,CAAA,SAAA,CAAA,GAAc,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,QACnD,EAAE,+CAA+C,CAAA;AAAA,QACjD,MAAA,CAAO,UAAU,gBAAgB,CAAA;AAAA,QACjC,CAAA,CAAE,CAAA,4BAAA,EAA+B,QAAQ,CAAA,yBAAA,EAA4B,QAAQ,CAAA,IAAA,CAAM,CAAA;AAAA,QACnF,CAAA;AAAA,UACC,CAAA,uGAAA;AAAA;AACD,OACD,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAEA,SAAS,iBAAA,CACR,OAAA,EACA,OAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,IAAO,EAAA;AAExB,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,cAAc,OAAO,CAAA,CAAA;AAAA,IAC9B,IAAA,EAAM;AAAA,MACL,cAAc,OAAO,CAAA,CAAA;AAAA,MACrB,CAAA,CAAA;AAAA,MACA,CAAA,EAAA,EAAK,KAAA,GAAQ,CAAA,CAAA,EAAI,KAAK,KAAK,EAAE,CAAA,CAAA,CAAA;AAA
A,MAC7B,CAAA,CAAA;AAAA,MACA,CAAA,2GAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,cAAc,OAAO,CAAA,CAAA;AAAA,MACrB;AAAA,QACC,EAAE,CAAA,EAAA,EAAK,KAAA,GAAQ,YAAY,KAAK,CAAA,SAAA,CAAA,GAAc,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,QACnD,CAAA;AAAA,UACC;AAAA,SACD;AAAA,QACA,MAAA,CAAO,GAAA,EAAK,CAAA,WAAA,EAAc,OAAO,CAAA,CAAE,CAAA;AAAA,QACnC,CAAA,CAAE,CAAA,4BAAA,EAA+B,GAAG,CAAA,yBAAA,EAA4B,GAAG,CAAA,IAAA,CAAM;AAAA,OAC1E,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAEA,SAAS,gBAAA,CACR,OAAA,EACA,OAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,OAAA,GAAU,KAAK,IAAA,IAAQ,EAAA;AAE7B,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,2BAA2B,OAAO,CAAA,CAAA;AAAA,IAC3C,IAAA,EAAM;AAAA,MACL,CAAA,sBAAA,CAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,EAAA,EAAK,KAAA,GAAQ,CAAA,CAAA,EAAI,KAAK,KAAK,EAAE,CAAA,CAAA,CAAA;AAAA,MAC7B,CAAA,CAAA;AAAA,MACA,QAAQ,OAAO,CAAA,sBAAA,CAAA;AAAA,MACf,CAAA,CAAA;AAAA,MACA,OAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,6DAAA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,CAAA,sBAAA,CAAA;AAAA,MACA;AAAA,QACC,EAAE,CAAA,EAAA,EAAK,KAAA,GAAQ,YAAY,KAAK,CAAA,SAAA,CAAA,GAAc,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,QACnD,CAAA,CAAE,CAAA,KAAA,EAAQ,OAAO,CAAA,sBAAA,CAAwB,CAAA;AAAA,QACzC,KAAK,OAAO,CAAA;AAAA,QACZ,EAAE,+DAA+D;AAAA,OAClE,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAEA,SAAS,kBAAA,CACR,OAAA,EACA,OAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,OAAA,GAAU,KAAK,OAAA,IAAW,iBAAA;AAChC,EAAA,MAAM,SAAA,GAAY,KAAK,SAAA,IAAa,EAAA;AAEpC,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,0BAA0B,OAAO,CAAA,CAAA;AAAA,IAC1C,IAAA,EAAM;AAAA,MACL,0BAA0B,OAAO,CAAA,CAAA;AAAA,MACjC,CAAA,CAAA;AAAA,MACA,CAAA,EAAA,EAAK,KAAA,GAAQ,CAAA,CAAA,EAAI,KAAK,KAAK,EAAE,CAAA,CAAA,CAAA;AAAA,MAC7B,CAAA,CAAA;AAAA,MACA,CAAA,4BAAA,EAA+B,OAAO,CAAA,IAAA,EAAO,OAAO,CAAA,iCAAA,CAAA;AAAA,MACpD,CAAA,CAAA;AAAA,MACA,SAAA;AAAA,MACA,CAAA,CAAA;AAAA,MACA,CAAA,qEAAA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,0BAA
0B,OAAO,CAAA,CAAA;AAAA,MACjC;AAAA,QACC,EAAE,CAAA,EAAA,EAAK,KAAA,GAAQ,YAAY,KAAK,CAAA,SAAA,CAAA,GAAc,EAAE,CAAA,CAAA,CAAG,CAAA;AAAA,QACnD,CAAA,CAAE,CAAA,oCAAA,EAAuC,OAAO,CAAA,aAAA,EAAgB,OAAO,CAAA,CAAA,CAAG,CAAA;AAAA,QAC1E,MAAA,CAAO,WAAW,CAAA,iBAAA,CAAmB,CAAA;AAAA,QACrC,CAAA,CAAE,CAAA,4BAAA,EAA+B,SAAS,CAAA,yBAAA,EAA4B,SAAS,CAAA,IAAA,CAAM,CAAA;AAAA,QACrF,EAAE,8EAA8E;AAAA,OACjF,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAEA,SAAS,eAAA,CACR,OAAA,EACA,MAAA,EACA,IAAA,EACgB;AAChB,EAAA,MAAM,KAAA,GAAQ,KAAK,KAAA,IAAS,EAAA;AAC5B,EAAA,MAAM,IAAA,GAAO,KAAK,IAAA,IAAQ,KAAA;AAE1B,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,cAAc,OAAO,CAAA,CAAA;AAAA,IAC9B,IAAA,EAAM;AAAA,MACL,cAAc,OAAO,CAAA,CAAA;AAAA,MACrB,CAAA,CAAA;AAAA,MACA,MAAM,IAAI,CAAA,CAAA,CAAA;AAAA,MACV,CAAA,CAAA;AAAA,MACA,uCAAuC,MAAM,CAAA,gBAAA,CAAA;AAAA,MAC7C,CAAA,CAAA;AAAA,MACA,CAAA,+CAAA;AAAA,KACD,CAAE,KAAK,IAAI,CAAA;AAAA,IACX,IAAA,EAAM,IAAA;AAAA,MACL,OAAA;AAAA,MACA,cAAc,OAAO,CAAA,CAAA;AAAA,MACrB;AAAA,QACC,CAAA,CAAE,CAAA,WAAA,EAAc,IAAI,CAAA,UAAA,CAAY,CAAA;AAAA,QAChC,CAAA,CAAE,CAAA,kCAAA,EAAqC,OAAO,CAAA,CAAA,CAAG,CAAA;AAAA,QACjD,MAAA,CAAO,QAAQ,CAAA,WAAA,CAAa,CAAA;AAAA,QAC5B,EAAE,sDAAsD;AAAA,OACzD,CAAE,KAAK,EAAE;AAAA;AACV,GACD;AACD;AAUO,SAAS,oBAAA,CAAqB,MAAA,GAA8B,EAAC,EAAmB;AACtF,EAAA,MAAM,OAAA,GAAU,OAAO,OAAA,IAAW,UAAA;AAClC,EAAA,MAAM,MAAA,GAAS,OAAO,MAAA,IAAU,uBAAA;AAChC,EAAA,MAAM,SAAA,GAAY,MAAA,CAAO,SAAA,IAAa,EAAC;AAEvC,EAAA,SAAS,MAAA,CAAO,MAAyB,IAAA,EAA6C;AACrF,IAAA,MAAM,QAAA,GAAW,UAAU,IAAI,CAAA;AAC/B,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,OAAO,SAAS,IAAI,CAAA;AAAA,IACrB;AAEA,IAAA,QAAQ,IAAA;AAAM,MACb,KAAK,cAAA;AACJ,QAAA,OAAO,oBAAA,CAAqB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA,MAClD,KAAK,eAAA;AACJ,QAAA,OAAO,qBAAA,CAAsB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA,MACnD,KAAK,WAAA;AACJ,QAAA,OAAO,iBAAA,CAAkB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA,MAC/C,KAAK,UAAA;AACJ,QAAA,OAAO,gBAAA,CAAiB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA,MAC9C,KAAK,YAAA;AACJ,QAAA,OAAO,kBAAA,CAAmB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA,MAChD,KAAK,SAAA;AACJ,QAAA,OAAO,eAAA,CAAgB,OAAA,EAAS,MAAA,EAAQ,IAAI,CAAA;AAAA;AAC9C
,EACD;AAEA,EAAA,OAAO,EAAE,MAAA,EAAO;AACjB;;;ACjQO,SAAS,kBAAkB,MAAA,EAA2C;AAC5E,EAAA,MAAM,CAAA,GAAI,MAAA,EAAQ,WAAA,EAAY,IAAK,EAAA;AACnC,EAAA,IAAI,CAAA,CAAE,SAAS,MAAM,CAAA,IAAK,EAAE,QAAA,CAAS,cAAc,GAAG,OAAO,cAAA;AAC7D,EAAA,IAAI,CAAA,CAAE,SAAS,IAAI,CAAA,IAAK,EAAE,QAAA,CAAS,WAAW,GAAG,OAAO,YAAA;AACxD,EAAA,IAAI,CAAA,CAAE,SAAS,MAAM,CAAA,IAAK,EAAE,QAAA,CAAS,QAAQ,GAAG,OAAO,iBAAA;AACvD,EAAA,IAAI,CAAA,CAAE,QAAA,CAAS,UAAU,CAAA,EAAG,OAAO,mBAAA;AACnC,EAAA,OAAO,mBAAA;AACR;;;ACnEO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,4BAAA;AAAA,EAC3B,uBAAA,EAAyB,qDAAA;AAAA,EACzB,oBAAA,EAAsB,6DAAA;AAAA,EACtB,kBAAA,EAAoB,yDAAA;AAAA,EACpB,yBAAA,EAA2B,4CAAA;AAAA,EAC3B,mBAAA,EACC,8FAAA;AAAA,EACD,mBAAA,EAAqB,2CAAA;AAAA,EACrB,mBAAA,EAAqB,gDAAA;AAAA,EACrB,mBAAA,EAAqB,gDAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB,kBAAA;AAAA,EAClB,eAAA,EAAiB,uCAAA;AAAA,EACjB,qBAAA,EAAuB,uCAAA;AAAA,EACvB,wBAAA,EAA0B,wDAAA;AAAA;AAAA,EAG1B,uBAAA,EAAyB,wEAAA;AAAA,EACzB,0BAAA,EAA4B,+DAAA;AAAA,EAC5B,sBAAA,EAAwB,2DAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,2BAAA;AAAA,EAC9B,6BAAA,EAA+B,qBAAA;AAAA,EAC/B,yBAAA,EAA2B,mBAAA;AAAA,EAC3B,mBAAA,EAAqB,oBAAA;AAAA,EACrB,0BAAA,EAA4B,2CAAA;AAAA,EAC5B,uBAAA,EAAyB,wBAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,wCAAA;AAAA,EACvB,oBAAA,EAAsB,qCAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;AC2BA,SAAS,WAAA,CAAY,UAAkB,IAAA,EAAsC;AAC5E,EAAA,OAAO,QAAA,CAAS,OAAA,CAAQ,gBAAA,EAAkB,CAAC,OAAO,GAAA,KAAwB;AACzE,IAAA,OAAO,MAAA,CAAO,MAAA,CAAO,IAAA,EAAM,GAAG,CAAA,GAAK,KAAK,GAAG,CAAA,IAAK,KAAA,GAAS,CAAA,EAAA,EAAK,GAAG,CAAA,EAAA,CAAA;AAAA,EAClE,CAAC,CAAA;AACF;AAWA,SAAS,aAAA,CACR,SAAA,EACA,QAAA,EACA,aAAA,EACS;AACT,EAAA,IAAI,QAAA,CAAS,GAAA,CAAI,SAAS,CAAA,EAAG,OAAO,SAAA;AAEpC,EAAA,MAAM,MAAA,GAAS,SAAA,CAAU,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AACrC,EAAA,IAAI,MAAA,IAAU,QAAA,CAAS,GAAA,CAAI,MAAM,GAAG,OAAO,MAAA;AAE3C,EAAA,IAAI,QAAA,CAAS,GAAA,CAAI,aAAa,CAAA,EAAG,OAAO,aAAA;AAExC,EAAA,OAAO,IAAA;AACR;AAEO,SAAS,UAAA,CAAW,MAAA,GAAqB,EAAC,EAAe;AAC/D,EAAA,MAAM,aAAA,GAAgB,OAAO,aAAA,IAAiB,IAAA;AAG9C,EAAA,MAAM,QAAA,uBAAe,GAAA,EAAsC;AAG3D,EAAA,QAAA,CAAS,GAAA,CAAI,IAAA,EAAM,EAAE,GAAG
,IAAI,CAAA;AAG5B,EAAA,IAAI,OAAO,YAAA,EAAc;AACxB,IAAA,KAAA,MAAW,CAAC,QAAQ,IAAI,CAAA,IAAK,OAAO,OAAA,CAAQ,MAAA,CAAO,YAAY,CAAA,EAAG;AACjE,MAAA,MAAM,QAAA,GAAW,QAAA,CAAS,GAAA,CAAI,MAAM,KAAK,EAAC;AAC1C,MAAA,QAAA,CAAS,IAAI,MAAA,EAAQ,EAAE,GAAG,QAAA,EAAU,GAAG,MAAM,CAAA;AAAA,IAC9C;AAAA,EACD;AAEA,EAAA,SAAS,MAAA,CAAO,KAA4B,MAAA,EAAwB;AACnE,IAAA,MAAM,QAAA,GAAW,aAAA,CAAc,MAAA,EAAQ,QAAA,EAAU,aAAa,CAAA;AAC9D,IAAA,MAAM,SAAA,GAAY,QAAA,CAAS,GAAA,CAAI,QAAQ,CAAA;AAEvC,IAAA,IAAI,SAAA,IAAa,OAAO,SAAA,EAAW;AAClC,MAAA,OAAO,UAAU,GAAG,CAAA;AAAA,IACrB;AAGA,IAAA,MAAM,UAAA,GAAa,QAAA,CAAS,GAAA,CAAI,IAAI,CAAA;AACpC,IAAA,IAAI,UAAA,IAAc,OAAO,UAAA,EAAY;AACpC,MAAA,OAAO,WAAW,GAAG,CAAA;AAAA,IACtB;AAGA,IAAA,OAAO,GAAA;AAAA,EACR;AAEA,EAAA,SAAS,CAAA,CACR,GAAA,EACA,YAAA,EACA,WAAA,EACS;AACT,IAAA,IAAI,OAAO,YAAA,KAAiB,QAAA,IAAY,YAAA,KAAiB,MAAA,EAAW;AAEnE,MAAA,MAAMM,UAAS,YAAA,IAAgB,aAAA;AAC/B,MAAA,OAAO,MAAA,CAAO,KAAKA,OAAM,CAAA;AAAA,IAC1B;AAGA,IAAA,MAAM,SAAS,WAAA,IAAe,aAAA;AAC9B,IAAA,MAAM,GAAA,GAAM,MAAA,CAAO,GAAA,EAAK,MAAM,CAAA;AAC9B,IAAA,OAAO,WAAA,CAAY,KAAK,YAAY,CAAA;AAAA,EACrC;AAEA,EAAA,SAAS,SAAA,CAAU,QAAgB,YAAA,EAA8C;AAChF,IAAA,MAAM,QAAA,GAAW,QAAA,CAAS,GAAA,CAAI,MAAM,KAAK,EAAC;AAC1C,IAAA,QAAA,CAAS,IAAI,MAAA,EAAQ,EAAE,GAAG,QAAA,EAAU,GAAG,cAAc,CAAA;AAAA,EACtD;AAEA,EAAA,SAAS,UAAA,GAAuB;AAC/B,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,QAAA,CAAS,IAAA,EAAM,CAAA;AAAA,EAClC;AAEA,EAAA,OAAO,EAAE,CAAA,EAAG,SAAA,EAAW,UAAA,EAAW;AACnC;;;AC3JO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,qDAAA;AAAA,EAC3B,uBAAA,EAAyB,mEAAA;AAAA,EACzB,oBAAA,EACC,6EAAA;AAAA,EACD,kBAAA,EAAoB,mEAAA;AAAA,EACpB,yBAAA,EAA2B,wDAAA;AAAA,EAC3B,mBAAA,EACC,iGAAA;AAAA,EACD,mBAAA,EAAqB,qDAAA;AAAA,EACrB,mBAAA,EAAqB,2DAAA;AAAA,EACrB,mBAAA,EAAqB,wDAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB,uBAAA;AAAA,EAClB,eAAA,EAAiB,8CAAA;AAAA,EACjB,qBAAA,EAAuB,4CAAA;AAAA,EACvB,wBAAA,EAA0B,uDAAA;AAAA;AAAA,EAG1B,uBAAA,EACC,yGAAA;AAAA,EACD,0BAAA,EACC,8EAAA;AAAA,EACD,sBAAA,EAAwB,4EAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,mCAAA;AAAA,EAC9B,6BAAA,EAA+B,+BAAA;AAAA,EAC/B,yBAAA,EAA2B,mBAAA;AAAA,EAC3B,mBAAA,EAAqB,iBAAA
;AAAA,EACrB,0BAAA,EAA4B,gDAAA;AAAA,EAC5B,uBAAA,EAAyB,4BAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,yDAAA;AAAA,EACvB,oBAAA,EAAsB,8CAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;ACvCO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,oDAAA;AAAA,EAC3B,uBAAA,EAAyB,+EAAA;AAAA,EACzB,oBAAA,EAAsB,uEAAA;AAAA,EACtB,kBAAA,EAAoB,2EAAA;AAAA,EACpB,yBAAA,EAA2B,qDAAA;AAAA,EAC3B,mBAAA,EACC,yGAAA;AAAA,EACD,mBAAA,EAAqB,8CAAA;AAAA,EACrB,mBAAA,EAAqB,qDAAA;AAAA,EACrB,mBAAA,EAAqB,yDAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB,uBAAA;AAAA,EAClB,eAAA,EAAiB,4CAAA;AAAA,EACjB,qBAAA,EAAuB,kDAAA;AAAA,EACvB,wBAAA,EAA0B,0DAAA;AAAA;AAAA,EAG1B,uBAAA,EACC,4GAAA;AAAA,EACD,0BAAA,EAA4B,yEAAA;AAAA,EAC5B,sBAAA,EAAwB,yEAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,mDAAA;AAAA,EAC9B,6BAAA,EAA+B,6BAAA;AAAA,EAC/B,yBAAA,EAA2B,qBAAA;AAAA,EAC3B,mBAAA,EAAqB,6BAAA;AAAA,EACrB,0BAAA,EAA4B,0CAAA;AAAA,EAC5B,uBAAA,EAAyB,0BAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,wDAAA;AAAA,EACvB,oBAAA,EAAsB,kCAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;ACrCO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,2CAAA;AAAA,EAC3B,uBAAA,EAAyB,oEAAA;AAAA,EACzB,oBAAA,EACC,wFAAA;AAAA,EACD,kBAAA,EAAoB,gEAAA;AAAA,EACpB,yBAAA,EAA2B,wDAAA;AAAA,EAC3B,mBAAA,EACC,oHAAA;AAAA,EACD,mBAAA,EAAqB,8CAAA;AAAA,EACrB,mBAAA,EAAqB,4DAAA;AAAA,EACrB,mBAAA,EAAqB,6DAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB,oBAAA;AAAA,EAClB,eAAA,EAAiB,oDAAA;AAAA,EACjB,qBAAA,EAAuB,0CAAA;AAAA,EACvB,wBAAA,EAA0B,4DAAA;AAAA;AAAA,EAG1B,uBAAA,EACC,qGAAA;AAAA,EACD,0BAAA,EAA4B,gFAAA;AAAA,EAC5B,sBAAA,EAAwB,2EAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,kCAAA;AAAA,EAC9B,6BAAA,EAA+B,qCAAA;AAAA,EAC/B,yBAAA,EAA2B,yBAAA;AAAA,EAC3B,mBAAA,EAAqB,8BAAA;AAAA,EACrB,0BAAA,EAA4B,0DAAA;AAAA,EAC5B,uBAAA,EAAyB,2BAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,oDAAA;AAAA,EACvB,oBAAA,EAAsB,8CAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;ACtCO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,wJAAA;AAAA,EAC3B,uBAAA,EAAyB,8JAAA;AAAA,EACzB,oBAAA,EACC,sOAAA;AAAA,EACD,kBAAA,EAAoB,sKAAA;AAAA,EACpB,yBAAA,EAA2B,wJAAA;AAAA,EAC3B,mBAAA,EACC,6RAAA;AAAA,EACD,mBAAA,EAAqB,gOAAA;AAAA,EACrB,mBAAA,EAAqB,sIAAA;AAAA,EACrB,mBAAA,EAAqB,8GAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB
,4FAAA;AAAA,EAClB,eAAA,EAAiB,4IAAA;AAAA,EACjB,qBAAA,EAAuB,4IAAA;AAAA,EACvB,wBAAA,EAA0B,8JAAA;AAAA;AAAA,EAG1B,uBAAA,EAAyB,oNAAA;AAAA,EACzB,0BAAA,EAA4B,0KAAA;AAAA,EAC5B,sBAAA,EAAwB,8JAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,kGAAA;AAAA,EAC9B,6BAAA,EAA+B,8DAAA;AAAA,EAC/B,yBAAA,EAA2B,kDAAA;AAAA,EAC3B,mBAAA,EAAqB,kDAAA;AAAA,EACrB,0BAAA,EAA4B,qCAAA;AAAA,EAC5B,uBAAA,EAAyB,2CAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,kJAAA;AAAA,EACvB,oBAAA,EAAsB,wGAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;ACrCO,IAAM,EAAA,GAAsB;AAAA;AAAA,EAElC,yBAAA,EAA2B,wDAAA;AAAA,EAC3B,uBAAA,EAAyB,kGAAA;AAAA,EACzB,oBAAA,EAAsB,oHAAA;AAAA,EACtB,kBAAA,EAAoB,sGAAA;AAAA,EACpB,yBAAA,EAA2B,oEAAA;AAAA,EAC3B,mBAAA,EAAqB,uKAAA;AAAA,EACrB,mBAAA,EAAqB,gFAAA;AAAA,EACrB,mBAAA,EAAqB,oEAAA;AAAA,EACrB,mBAAA,EAAqB,oEAAA;AAAA;AAAA,EAGrB,gBAAA,EAAkB,4CAAA;AAAA,EAClB,eAAA,EAAiB,gFAAA;AAAA,EACjB,qBAAA,EAAuB,sFAAA;AAAA,EACvB,wBAAA,EAA0B,gFAAA;AAAA;AAAA,EAG1B,uBAAA,EAAyB,oHAAA;AAAA,EACzB,0BAAA,EAA4B,oEAAA;AAAA,EAC5B,sBAAA,EAAwB,oEAAA;AAAA;AAAA,EAGxB,4BAAA,EAA8B,oEAAA;AAAA,EAC9B,6BAAA,EAA+B,sCAAA;AAAA,EAC/B,yBAAA,EAA2B,sCAAA;AAAA,EAC3B,mBAAA,EAAqB,kDAAA;AAAA,EACrB,0BAAA,EAA4B,wDAAA;AAAA,EAC5B,uBAAA,EAAyB,sCAAA;AAAA;AAAA,EAGzB,qBAAA,EAAuB,sFAAA;AAAA,EACvB,oBAAA,EAAsB,kDAAA;AAAA,EACtB,kBAAA,EAAoB;AACrB;;;ACzBA,SAAS,SAAA,CAAU,SAAiB,QAAA,EAAiD;AACpF,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,SAAA,GAAY,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAEpC,EAAA,IAAI,YAAA,CAAa,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,IAAA;AAErD,EAAA,MAAM,SAAiC,EAAC;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,WAAA,GAAc,aAAa,CAAC,CAAA;AAClC,IAAA,MAAM,QAAA,GAAW,UAAU,CAAC,CAAA;AAE5B,IAAA,IAAI,WAAA,KAAgB,MAAA,IAAa,QAAA,KAAa,MAAA,EAAW,OAAO,IAAA;AAEhE,IAAA,IAAI,WAAA,CAAY,UAAA,CAAW,GAAG,CAAA,EAAG;AAEhC,MAAA,MAAM,SAAA,GAAY,WAAA,CAAY,KAAA,CAAM,CAAC,CAAA;AACrC,MAAA,MAAA,CAAO,SAAS,CAAA,GAAI,kBAAA,CAAmB,QAAQ,CAAA;AAAA,IAChD,CAAA,MAAA,IAAW,gBAAgB,QAAA,EAAU;AAEpC,MAAA,OAAO,IAAA;AAAA,IACR;AAAA,EACD;AAEA,EAAA,OAAO,MAAA;AACR;AASO,SAAS,mBAAmB,SAAA,
EASjC;AACD,EAAA,OAAO;AAAA,IACN,MAAM,MAAA,CACL,OAAA,EACA,QAAA,EACA,WAAA,EAC2B;AAC3B,MAAA,MAAM,GAAA,GAAM,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAC/B,MAAA,IAAI,WAAW,GAAA,CAAI,QAAA;AAGnB,MAAA,MAAM,IAAA,GAAO,SAAS,QAAA,CAAS,GAAG,IAAI,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA,GAAI,QAAA;AAC9D,MAAA,IAAI,IAAA,IAAQ,QAAA,CAAS,UAAA,CAAW,IAAI,CAAA,EAAG;AACtC,QAAA,QAAA,GAAW,QAAA,CAAS,KAAA,CAAM,IAAA,CAAK,MAAM,CAAA,IAAK,GAAA;AAAA,MAC3C;AAGA,MAAA,IAAI,CAAC,QAAA,CAAS,UAAA,CAAW,GAAG,CAAA,EAAG;AAC9B,QAAA,QAAA,GAAW,IAAI,QAAQ,CAAA,CAAA;AAAA,MACxB;AACA,MAAA,IAAI,SAAS,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,QAAA,CAAS,GAAG,CAAA,EAAG;AAClD,QAAA,QAAA,GAAW,QAAA,CAAS,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAAA,MAChC;AAEA,MAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,CAAO,WAAA,EAAY;AAE1C,MAAA,KAAA,MAAW,YAAY,SAAA,EAAW;AACjC,QAAA,IAAI,QAAA,CAAS,WAAW,MAAA,EAAQ;AAEhC,QAAA,MAAM,MAAA,GAAS,SAAA,CAAU,QAAA,CAAS,IAAA,EAAM,QAAQ,CAAA;AAChD,QAAA,IAAI,WAAW,IAAA,EAAM;AAMrB,QAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AACvC,QAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,MAAM,CAAA,EAAG;AAClD,UAAA,WAAA,CAAY,YAAA,CAAa,GAAA,CAAI,CAAA,OAAA,EAAU,GAAG,IAAI,KAAK,CAAA;AAAA,QACpD;AAEA,QAAA,MAAM,kBAAkB,IAAI,OAAA,CAAQ,WAAA,CAAY,QAAA,IAAY,OAAO,CAAA;AAEnE,QAAA,OAAO,QAAA,CAAS,OAAA,CAAQ,eAAA,EAAiB,WAAW,CAAA;AAAA,MACrD;AAEA,MAAA,OAAO,IAAA;AAAA,IACR,CAAA;AAAA,IAEA,YAAA,GAAiC;AAChC,MAAA,OAAO,CAAC,GAAG,SAAS,CAAA;AAAA,IACrB;AAAA,GACD;AACD;;;ACrFA,eAAe,aAAA,CACd,EAAA,EACA,QAAA,EACA,UAAA,EACgB;AAChB,EAAA,IAAI,UAAA,CAAW,WAAW,CAAA,EAAG;AAE7B,EAAA,IAAI,aAAa,QAAA,EAAU;AAE1B,IAAA,MAAM,UAAW,EAAA,CAAW,OAAA;AAC5B,IAAA,IAAI,OAAA,EAAS,QAAQ,IAAA,EAAM;AAC1B,MAAA,OAAA,CAAQ,OAAO,IAAA,CAAK,CAAA,EAAG,WAAW,IAAA,CAAK,KAAK,CAAC,CAAA,CAAA,CAAG,CAAA;AAChD,MAAA;AAAA,IACD;AAEA,IAAA,MAAMH,MAAAA,GAAQ,EAAA;AACd,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAMA,MAAAA,CAAM,IAAI,GAAG,CAAA;AAAA,IACpB;AACA,IAAA;AAAA,EACD;AAGA,EAAA,MAAM,KAAA,GAAQ,EAAA;AAEd,EAAA,IAAI,aAAa,UAAA,EAAY;AAC5B,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ
;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,MAAM,GAAG,CAAA;AAAA,IACvB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,IAAI,aAAa,OAAA,EAAS;AACzB,IAAA,MAAM,MAAA,GACL,KAAA,CAAM,OAAA,IAAW,KAAA,CAAM,OAAA,EAAS,MAAA;AACjC,IAAA,IAAI,CAAC,MAAA,EAAQ;AACZ,MAAA,MAAM,IAAI,KAAA;AAAA,QACT;AAAA,OACD;AAAA,IACD;AACA,IAAA,KAAA,MAAW,OAAO,UAAA,EAAY;AAC7B,MAAA,MAAM,MAAA,CAAO,QAAQ,GAAG,CAAA;AAAA,IACzB;AACA,IAAA;AAAA,EACD;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,CAAA,qCAAA,EAAwC,QAAQ,CAAA,CAAA,CAAG,CAAA;AACpE;AAUA,eAAsB,iBAAA,CACrB,OAAA,EACA,EAAA,EACA,MAAA,EAC0B;AAC1B,EAAA,MAAM,QAAA,GAA2B;AAAA,IAChC,WAAW,EAAC;AAAA,IACZ,YAAY,EAAC;AAAA,IACb,KAAA,EAAO;AAAA,MACN,WAAW,EAAC;AAAA,MACZ,gBAAgB,EAAC;AAAA,MACjB,iBAAiB,EAAC;AAAA,MAClB,iBAAiB;AAAC,KACnB;AAAA,IACA,eAAe;AAAC,GACjB;AAEA,EAAA,KAAA,MAAW,UAAU,OAAA,EAAS;AAC7B,IAAA,MAAM,mBAA6B,EAAC;AAEpC,IAAA,MAAM,GAAA,GAAqB;AAAA,MAC1B,EAAA;AAAA,MACA,MAAA;AAAA,MACA,YAAY,QAAA,EAAgC;AAC3C,QAAA,QAAA,CAAS,SAAA,CAAU,KAAK,QAAQ,CAAA;AAAA,MACjC,CAAA;AAAA,MACA,aAAa,GAAA,EAAmB;AAC/B,QAAA,gBAAA,CAAiB,KAAK,GAAG,CAAA;AACzB,QAAA,QAAA,CAAS,UAAA,CAAW,KAAK,GAAG,CAAA;AAAA,MAC7B;AAAA,KACD;AAEA,IAAA,IAAI,OAAO,IAAA,EAAM;AAChB,MAAA,MAAM,MAAA,GAAS,MAAM,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA;AACpC,MAAA,IAAI,QAAQ,OAAA,EAAS;AACpB,QAAA,MAAA,CAAO,MAAA,CAAO,QAAA,CAAS,aAAA,EAAe,MAAA,CAAO,OAAO,CAAA;AAAA,MACrD;AAAA,IACD;AAGA,IAAA,IAAI,OAAO,KAAA,EAAO;AACjB,MAAA,IAAI,MAAA,CAAO,MAAM,SAAA,EAAW;AAC3B,QAAA,QAAA,CAAS,KAAA,CAAM,SAAA,CAAU,IAAA,CAAK,MAAA,CAAO,MAAM,SAAS,CAAA;AAAA,MACrD;AACA,MAAA,IAAI,MAAA,CAAO,MAAM,cAAA,EAAgB;AAChC,QAAA,QAAA,CAAS,KAAA,CAAM,cAAA,CAAe,IAAA,CAAK,MAAA,CAAO,MAAM,cAAc,CAAA;AAAA,MAC/D;AACA,MAAA,IAAI,MAAA,CAAO,MAAM,eAAA,EAAiB;AACjC,QAAA,QAAA,CAAS,KAAA,CAAM,eAAA,CAAgB,IAAA,CAAK,MAAA,CAAO,MAAM,eAAe,CAAA;AAAA,MACjE;AACA,MAAA,IAAI,MAAA,CAAO,MAAM,eAAA,EAAiB;AACjC,QAAA,QAAA,CAAS,KAAA,CAAM,eAAA,CAAgB,IAAA,CAAK,MAAA,CAAO,MAAM,eAAe,CAAA;AAAA,MACjE;AAAA,IACD;AAIA,IAAA,IAAI,gBAAA,CAAiB,SAAS,CAAA,EAAG;AAChC,MAAA,MAAM,aAAA,CAAc,EAAA,EAAI,MAAA,CAAO,QAAA,CA
AS,UAAU,gBAAgB,CAAA;AAAA,IACnE;AAAA,EACD;AAEA,EAAA,OAAO,QAAA;AACR;ACxGA,SAAS,UAAA,GAA0B;AAClC,EAAA,OAAO;AAAA,IACN,eAAA,EAAiB,CAAA;AAAA,IACjB,mBAAA,EAAqB,CAAA;AAAA,IACrB,UAAA,EAAY,CAAA;AAAA,IACZ,cAAA,EAAgB,CAAA;AAAA,IAChB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACrC;AACD;AAEA,SAAS,YAAY,GAAA,EAUJ;AAChB,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,OAAA,EAAS,IAAI,OAAA,IAAW,MAAA;AAAA,IACxB,MAAA,EAAQ,IAAI,MAAA,IAAU,MAAA;AAAA,IACtB,QAAA,EAAU,IAAI,QAAA,IAAY,MAAA;AAAA,IAC1B,MAAA,EAAS,GAAA,CAAI,MAAA,IAA2B,EAAC;AAAA,IACzC,YAAA,EAAe,GAAA,CAAI,YAAA,IAAgC,UAAA,EAAW;AAAA,IAC9D,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,WAAW,GAAA,CAAI;AAAA,GAChB;AACD;AAMA,SAAS,UAAA,CAAW,QAAsB,KAAA,EAA6B;AACtE,EAAA,IAAI,OAAO,cAAA,KAAmB,MAAA,IAAa,MAAM,UAAA,IAAc,MAAA,CAAO,gBAAgB,OAAO,IAAA;AAC7F,EAAA,IAAI,MAAA,CAAO,gBAAA,KAAqB,MAAA,IAAa,KAAA,CAAM,kBAAkB,MAAA,CAAO,gBAAA;AAC3E,IAAA,OAAO,IAAA;AACR,EAAA,IACC,MAAA,CAAO,mBAAA,KAAwB,MAAA,IAC/B,KAAA,CAAM,mBAAmB,MAAA,CAAO,mBAAA;AAEhC,IAAA,OAAO,IAAA;AACR,EAAA,IACC,MAAA,CAAO,qBAAA,KAA0B,MAAA,IACjC,KAAA,CAAM,uBAAuB,MAAA,CAAO,qBAAA;AAEpC,IAAA,OAAO,IAAA;AACR,EAAA,OAAO,KAAA;AACR;AAEO,SAAS,mBAAmB,EAAA,EAAc;AAChD,EAAA,eAAe,OAAO,KAAA,EAAiD;AACtE,IAAA,MAAM,KAAK,CAAA,IAAA,EAAOE,UAAAA,GAAa,OAAA,CAAQ,IAAA,EAAM,EAAE,CAAC,CAAA,CAAA;AAChD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,QAAQ,UAAA,EAAW;AAEzB,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,cAAc,CAAA,CAAE,MAAA,CAAO;AAAA,MACtC,EAAA;AAAA,MACA,OAAA,EAAS,MAAM,OAAA,IAAW,IAAA;AAAA,MAC1B,MAAA,EAAQ,MAAM,MAAA,IAAU,IAAA;AAAA,MACxB,QAAA,EAAU,MAAM,QAAA,IAAY,IAAA;AAAA,MAC5B,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,YAAA,EAAc,KAAA;AAAA,MACd,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,YAAA,EAAc,KAAA;AAAA,MACd,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAEA,EAAA,eAAe,IAAI,QAAA,EAAgD;AAClE,IAAA,MAA
M,OAAO,MAAM,EAAA,CACjB,MAAA,EAAO,CACP,KAAK,cAAc,CAAA,CACnB,KAAA,CAAML,EAAAA,CAAG,eAAe,EAAA,EAAI,QAAQ,CAAC,CAAA,CACrC,MAAM,CAAC,CAAA;AACT,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,OAAO,YAAY,GAAG,CAAA;AAAA,EACvB;AAEA,EAAA,eAAe,KAAK,OAAA,EAAkD;AACrE,IAAA,IAAI,QAAQ,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,cAAc,EAAE,QAAA,EAAS;AAEtD,IAAA,MAAM,aAAa,EAAC;AACpB,IAAA,IAAI,OAAA,EAAS,YAAY,MAAA,EAAW;AACnC,MAAA,UAAA,CAAW,IAAA;AAAA,QACV,EAAA,CAAGA,EAAAA,CAAG,cAAA,CAAe,OAAA,EAAS,OAAA,CAAQ,OAAO,CAAA,EAAG,MAAA,CAAO,cAAA,CAAe,OAAO,CAAC;AAAA,OAC/E;AAAA,IACD;AACA,IAAA,IAAI,OAAA,EAAS,WAAW,MAAA,EAAW;AAClC,MAAA,UAAA,CAAW,IAAA,CAAK,EAAA,CAAGA,EAAAA,CAAG,cAAA,CAAe,MAAA,EAAQ,OAAA,CAAQ,MAAM,CAAA,EAAG,MAAA,CAAO,cAAA,CAAe,MAAM,CAAC,CAAC,CAAA;AAAA,IAC7F;AACA,IAAA,IAAI,OAAA,EAAS,aAAa,MAAA,EAAW;AACpC,MAAA,UAAA,CAAW,IAAA;AAAA,QACV,EAAA,CAAGA,EAAAA,CAAG,cAAA,CAAe,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,EAAG,MAAA,CAAO,cAAA,CAAe,QAAQ,CAAC;AAAA,OAClF;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAMC,GAAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IACvC;AAEA,IAAA,MAAM,OAAO,MAAM,KAAA;AACnB,IAAA,OAAO,IAAA,CAAK,IAAI,WAAW,CAAA;AAAA,EAC5B;AAEA,EAAA,eAAe,MAAA,CAAO,UAAkB,OAAA,EAAuD;AAC9F,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,QAAQ,CAAA;AACnC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,YAAA,CAAc,CAAA;AAEhE,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,cAAc,CAAA,CACrB,GAAA,CAAI;AAAA,MACJ,MAAA,EAAQ,OAAA,CAAQ,MAAA,IAAU,QAAA,CAAS,MAAA;AAAA,MACnC,YAAA,EAAc,OAAA,CAAQ,YAAA,IAAgB,QAAA,CAAS,YAAA;AAAA,MAC/C,MAAA,EAAQ,OAAA,CAAQ,MAAA,IAAU,QAAA,CAAS,MAAA;AAAA,MACnC,MAAA,EAAQ,OAAA,CAAQ,MAAA,IAAU,QAAA,CAAS;AAAA,KACnC,CAAA,CACA,KAAA,CAAMD,GAAG,cAAA,CAAe,EAAA,EAAI,QAAQ,CAAC,CAAA;AAEvC,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,QAAQ,CAAA;AAClC,IAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,2BAAA,CAA6B,CAAA;AAC9E,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,OAAO,QAAA,EAAiC;AACtD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,QAAQ,CAAA;AACnC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAA
A,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,YAAA,CAAc,CAAA;AAEhE,IAAA,MAAM,EAAA,CAAG,OAAO,cAAc,CAAA,CAAE,MAAMA,EAAAA,CAAG,cAAA,CAAe,EAAA,EAAI,QAAQ,CAAC,CAAA;AAAA,EACtE;AASA,EAAA,eAAe,WAAA,CACd,SACA,UAAA,EACwE;AAGxE,IAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,cAAc,CAAA,CACnB,KAAA;AAAA,MACAC,GAAAA;AAAA,QACC,EAAA,CAAG,cAAA,CAAe,MAAA,EAAQ,UAAU,CAAA;AAAA,QACpC,EAAA,CAAGD,GAAG,cAAA,CAAe,OAAA,EAAS,OAAO,CAAA,EAAG,MAAA,CAAO,cAAA,CAAe,OAAO,CAAC;AAAA;AACvE,KACD;AAED,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACvB,MAAA,MAAM,MAAA,GAAS,YAAY,GAAG,CAAA;AAC9B,MAAA,MAAM,KAAA,GAAQ,EAAE,GAAG,MAAA,CAAO,YAAA,EAAa;AAGvC,MAAA,IAAI,eAAe,MAAA,EAAW;AAC7B,QAAA,KAAA,CAAM,eAAA,IAAmB,UAAA;AACzB,QAAA,KAAA,CAAM,mBAAA,IAAuB,UAAA;AAAA,MAC9B;AAEA,MAAA,IAAI,UAAA,CAAW,MAAA,CAAO,MAAA,EAAQ,KAAK,CAAA,EAAG;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,OAAO,MAAA,KAAW,MAAA;AAAA,UAC3B,QAAQ,CAAA,eAAA,EAAkB,MAAA,CAAO,EAAE,CAAA,oBAAA,EAAuB,OAAO,MAAM,CAAA,CAAA,CAAA;AAAA,UACvE;AAAA,SACD;AAAA,MACD;AAAA,IACD;AAEA,IAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,EACxB;AAQA,EAAA,eAAe,WAAA,CAAY,SAAiB,UAAA,EAAoC;AAC/E,IAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,cAAc,CAAA,CACnB,KAAA;AAAA,MACAC,GAAAA;AAAA,QACC,EAAA,CAAG,cAAA,CAAe,MAAA,EAAQ,UAAU,CAAA;AAAA,QACpC,EAAA,CAAGD,GAAG,cAAA,CAAe,OAAA,EAAS,OAAO,CAAA,EAAG,MAAA,CAAO,cAAA,CAAe,OAAO,CAAC;AAAA;AACvE,KACD;AAED,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACvB,MAAA,MAAM,MAAA,GAAS,YAAY,GAAG,CAAA;AAC9B,MAAA,MAAM,KAAA,GAAqB;AAAA,QAC1B,eAAA,EAAiB,MAAA,CAAO,YAAA,CAAa,eAAA,IAAmB,UAAA,IAAc,CAAA,CAAA;AAAA,QACtE,mBAAA,EAAqB,MAAA,CAAO,YAAA,CAAa,mBAAA,IAAuB,UAAA,IAAc,CAAA,CAAA;AAAA,QAC9E,UAAA,EAAY,MAAA,CAAO,YAAA,CAAa,UAAA,GAAa,CAAA;AAAA,QAC7C,cAAA,EAAgB,MAAA,CAAO,YAAA,CAAa,cAAA,GAAiB,CAAA;AAAA,QACrD,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AAEA,MAAA,MAAM,QAAA,GAAW,UAAA,CAAW,MAAA,CAAO,MAAA,EAAQ,KAAK,CAAA;AAChD,MAAA,MAAM,SAAA,GAAY,QAAA,GAAW,WAAA,GAAc,MAAA,CAAO,MAAA;AAElD,MAAA,MAAM,GACJ,MAAA,CAAO,cAAc,EACrB,GAAA,CAAI,EAAE,cAAc,KAAA,EAAO,MAAA,EAAQ,SAAA,EAAW,EAC9C,KAAA,CAAMA,EAAAA,CAAG,eAAe,EAAA,EAAI,MAAA,CAAO,EAAE,CAAC,CAAA;
AAAA,IACzC;AAAA,EACD;AAGA,EAAA,eAAe,UAAA,GAAyC;AACvD,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,cAAc,CAAA;AAClD,IAAA,IAAI,KAAA,GAAQ,CAAA;AAEZ,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACvB,MAAA,MAAM,MAAA,GAAS,YAAY,GAAG,CAAA;AAC9B,MAAA,MAAM,KAAA,GAAqB;AAAA,QAC1B,GAAG,MAAA,CAAO,YAAA;AAAA,QACV,eAAA,EAAiB,CAAA;AAAA,QACjB,UAAA,EAAY,CAAA;AAAA,QACZ,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AAGA,MAAA,MAAM,aAAA,GAAgB,UAAA,CAAW,MAAA,CAAO,MAAA,EAAQ,KAAK,CAAA;AACrD,MAAA,MAAM,YAAY,aAAA,GACf,WAAA,GACA,OAAO,MAAA,KAAW,WAAA,GACjB,WACA,MAAA,CAAO,MAAA;AAEX,MAAA,MAAM,GACJ,MAAA,CAAO,cAAc,EACrB,GAAA,CAAI,EAAE,cAAc,KAAA,EAAO,MAAA,EAAQ,SAAA,EAAW,EAC9C,KAAA,CAAMA,EAAAA,CAAG,eAAe,EAAA,EAAI,MAAA,CAAO,EAAE,CAAC,CAAA;AAExC,MAAA,KAAA,EAAA;AAAA,IACD;AAEA,IAAA,OAAO,EAAE,KAAA,EAAM;AAAA,EAChB;AAGA,EAAA,eAAe,YAAA,GAA2C;AACzD,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,cAAc,CAAA;AAClD,IAAA,IAAI,KAAA,GAAQ,CAAA;AAEZ,IAAA,KAAA,MAAW,OAAO,IAAA,EAAM;AACvB,MAAA,MAAM,MAAA,GAAS,YAAY,GAAG,CAAA;AAC9B,MAAA,MAAM,KAAA,GAAqB;AAAA,QAC1B,GAAG,MAAA,CAAO,YAAA;AAAA,QACV,mBAAA,EAAqB,CAAA;AAAA,QACrB,cAAA,EAAgB,CAAA;AAAA,QAChB,WAAA,EAAA,iBAAa,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACrC;AAEA,MAAA,MAAM,aAAA,GAAgB,UAAA,CAAW,MAAA,CAAO,MAAA,EAAQ,KAAK,CAAA;AACrD,MAAA,MAAM,YAAY,aAAA,GACf,WAAA,GACA,OAAO,MAAA,KAAW,WAAA,GACjB,WACA,MAAA,CAAO,MAAA;AAEX,MAAA,MAAM,GACJ,MAAA,CAAO,cAAc,EACrB,GAAA,CAAI,EAAE,cAAc,KAAA,EAAO,MAAA,EAAQ,SAAA,EAAW,EAC9C,KAAA,CAAMA,EAAAA,CAAG,eAAe,EAAA,EAAI,MAAA,CAAO,EAAE,CAAC,CAAA;AAExC,MAAA,KAAA,EAAA;AAAA,IACD;AAEA,IAAA,OAAO,EAAE,KAAA,EAAM;AAAA,EAChB;AAEA,EAAA,OAAO,EAAE,QAAQ,GAAA,EAAK,IAAA,EAAM,QAAQ,MAAA,EAAQ,WAAA,EAAa,WAAA,EAAa,UAAA,EAAY,YAAA,EAAa;AAChG;AC3TA,SAAS,SAAA,GAAoB;AAC5B,EAAA,OAAO,4BAAA;AACR;AAEA,SAAS,YAAY,GAAA,EAQV;AACV,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,MAAM,GAAA,CAAI,IAAA;AAAA,IACV,MAAM,GAAA,CAAI,IAAA;AAAA,IACV,QAAA,EAAW,GAAA,CAAI,QAAA,IAA+B,EAAC;AAAA,IAC/C,QAAQ,GAAA,CAAI,MAAA;AAAA,IACZ,WAAW,GAAA,CAAI,SAAA;AAAA,IACf,WAAW,GAAA,CAAI;AAAA,GAChB;AACD;AAEO,SAAS,mBAAmB,EAAA,EAAc;AAChD,
EAAA,eAAe,OAAO,KAAA,EAA2C;AAChE,IAAA,IAAI,CAAC,SAAA,EAAU,CAAE,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA,EAAG;AAClC,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,cAAA,EAAiB,MAAM,IAAI,CAAA,oDAAA;AAAA,OAC5B;AAAA,IACD;AAEA,IAAA,MAAM,WAAW,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,OAAO,CAAA,CAAE,KAAA,CAAMA,EAAAA,CAAG,QAAQ,IAAA,EAAM,KAAA,CAAM,IAAI,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AAE5F,IAAA,IAAI,QAAA,CAAS,SAAS,CAAA,EAAG;AACxB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,KAAA,CAAM,IAAI,CAAA,iBAAA,CAAmB,CAAA;AAAA,IACnE;AAEA,IAAA,MAAM,KAAK,CAAA,IAAA,EAAOK,UAAAA,GAAa,OAAA,CAAQ,IAAA,EAAM,EAAE,CAAC,CAAA,CAAA;AAChD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,QAAA,GAA2B,KAAA,CAAM,QAAA,IAAY,EAAC;AAEpD,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,OAAO,CAAA,CAAE,MAAA,CAAO;AAAA,MAC/B,EAAA;AAAA,MACA,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,QAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACX,CAAA;AAED,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,QAAA;AAAA,MACA,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAEA,EAAA,eAAe,IAAI,QAAA,EAA0C;AAC5D,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,OAAO,CAAA,CAAE,KAAA,CAAML,EAAAA,CAAG,QAAQ,EAAA,EAAI,QAAQ,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACpF,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,OAAO,YAAY,GAAG,CAAA;AAAA,EACvB;AAEA,EAAA,eAAe,UAAU,IAAA,EAAsC;AAC9D,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,OAAO,CAAA,CAAE,KAAA,CAAMA,EAAAA,CAAG,QAAQ,IAAA,EAAM,IAAI,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AAClF,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,OAAO,YAAY,GAAG,CAAA;AAAA,EACvB;AAEA,EAAA,eAAe,IAAA,GAA0B;AACxC,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,OAAO,CAAA;AAC3C,IAAA,OAAO,IAAA,CAAK,IAAI,WAAW,CAAA;AAAA,EAC5B;AAEA,EAAA,eAAe,MAAA,CAAO,UAAkB,OAAA,EAAsD;AAC7F,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,QAAQ,CAAA;AACnC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,YAAA,CAAc,CAA
A;AAEhE,IAAA,IAAI,QAAQ,IAAA,KAAS,MAAA,IAAa,OAAA,CAAQ,IAAA,KAAS,SAAS,IAAA,EAAM;AACjE,MAAA,IAAI,CAAC,SAAA,EAAU,CAAE,IAAA,CAAK,OAAA,CAAQ,IAAI,CAAA,EAAG;AACpC,QAAA,MAAM,IAAI,KAAA;AAAA,UACT,CAAA,cAAA,EAAiB,QAAQ,IAAI,CAAA,oDAAA;AAAA,SAC9B;AAAA,MACD;AACA,MAAA,MAAM,WAAW,MAAM,EAAA,CACrB,MAAA,EAAO,CACP,KAAK,OAAO,CAAA,CACZ,KAAA,CAAMA,EAAAA,CAAG,QAAQ,IAAA,EAAM,OAAA,CAAQ,IAAI,CAAC,CAAA,CACpC,MAAM,CAAC,CAAA;AACT,MAAA,IAAI,QAAA,CAAS,SAAS,CAAA,EAAG;AACxB,QAAA,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqB,OAAA,CAAQ,IAAI,CAAA,iBAAA,CAAmB,CAAA;AAAA,MACrE;AAAA,IACD;AAEA,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,OAAO,CAAA,CACd,GAAA,CAAI;AAAA,MACJ,IAAA,EAAM,OAAA,CAAQ,IAAA,IAAQ,QAAA,CAAS,IAAA;AAAA,MAC/B,IAAA,EAAM,OAAA,CAAQ,IAAA,IAAQ,QAAA,CAAS,IAAA;AAAA,MAC/B,QAAA,EAAU,OAAA,CAAQ,QAAA,GACf,EAAE,GAAG,QAAA,CAAS,QAAA,EAAU,GAAG,OAAA,CAAQ,QAAA,EAAS,GAC5C,QAAA,CAAS,QAAA;AAAA,MACZ,SAAA,EAAW;AAAA,KACX,CAAA,CACA,KAAA,CAAMA,GAAG,OAAA,CAAQ,EAAA,EAAI,QAAQ,CAAC,CAAA;AAEhC,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,QAAQ,CAAA;AAClC,IAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,2BAAA,CAA6B,CAAA;AAC9E,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,QAAQ,QAAA,EAAiC;AACvD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,QAAQ,CAAA;AACnC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,YAAA,CAAc,CAAA;AAEhE,IAAA,MAAM,GACJ,MAAA,CAAO,OAAO,EACd,GAAA,CAAI,EAAE,QAAQ,WAAA,EAAa,SAAA,sBAAe,IAAA,EAAK,EAAG,CAAA,CAClD,KAAA,CAAMA,GAAG,OAAA,CAAQ,EAAA,EAAI,QAAQ,CAAC,CAAA;AAAA,EACjC;AAEA,EAAA,eAAe,SAAS,QAAA,EAAiC;AACxD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,QAAQ,CAAA;AACnC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,QAAQ,CAAA,YAAA,CAAc,CAAA;AAEhE,IAAA,MAAM,GACJ,MAAA,CAAO,OAAO,EACd,GAAA,CAAI,EAAE,QAAQ,QAAA,EAAU,SAAA,sBAAe,IAAA,EAAK,EAAG,CAAA,CAC/C,KAAA,CAAMA,GAAG,OAAA,CAAQ,EAAA,EAAI,QAAQ,CAAC,CAAA;AAAA,EACjC;AAEA,EAAA,OAAO,EAAE,MAAA,EAAQ,GAAA,EAAK,WAAW,IAAA,EAAM,MAAA,EAAQ,SAAS,QAAA,EAAS;AAClE;AC5IA,IAAM,kBAAA,GAAqB;AAAA,EAC1B,SAAA,EAAW,EAAA;AAAA,EACX,OAAA,EAAS,EAAA;AAAA,EACT,QAAA,EAAU,
EAAA;AAAA,EACV,OAAA,EAAS,EAAA;AAAA,EACT,QAAA,EAAU;AACX,CAAA;AAEA,SAAS,YAAA,CAAa,OAAe,UAAA,EAA4D;AAChG,EAAA,IAAI,KAAA,IAAS,UAAA,CAAW,QAAA,EAAU,OAAO,UAAA;AACzC,EAAA,IAAI,KAAA,IAAS,UAAA,CAAW,OAAA,EAAS,OAAO,SAAA;AACxC,EAAA,IAAI,KAAA,IAAS,UAAA,CAAW,QAAA,EAAU,OAAO,UAAA;AACzC,EAAA,IAAI,KAAA,IAAS,UAAA,CAAW,OAAA,EAAS,OAAO,SAAA;AACxC,EAAA,OAAO,WAAA;AACR;AAEA,SAAS,KAAA,CAAM,KAAA,EAAe,GAAA,EAAa,GAAA,EAAqB;AAC/D,EAAA,OAAO,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,GAAA,CAAI,GAAA,EAAK,KAAK,CAAC,CAAA;AAC1C;AAEA,SAAS,WAAW,GAAA,EAAkD;AACrE,EAAA,MAAM,UAAU,GAAA,CAAI,OAAA;AACpB,EAAA,OAAO;AAAA,IACN,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,OAAO,GAAA,CAAI,KAAA;AAAA,IACX,OAAO,GAAA,CAAI,KAAA;AAAA,IACX,OAAA;AAAA,IACA,UAAA,EAAY,GAAA,CAAI,UAAA,CAAW,WAAA;AAAY,GACxC;AACD;AAgBO,SAAS,iBAAA,CAAkB,QAAqB,EAAA,EAAc;AACpE,EAAA,MAAM,aAAa,EAAE,GAAG,kBAAA,EAAoB,GAAG,OAAO,UAAA,EAAW;AAEjE,EAAA,eAAe,aAAa,OAAA,EAAsC;AACjE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAGrB,IAAA,MAAM,SAAA,GAAY,MAAM,EAAA,CACtB,MAAA,CAAO,EAAE,SAAA,EAAW,MAAA,CAAO,WAAW,CAAA,CACtC,KAAK,MAAM,CAAA,CACX,MAAMA,EAAAA,CAAG,MAAA,CAAO,IAAI,OAAO,CAAC,CAAA,CAC5B,KAAA,CAAM,CAAC,CAAA;AAET,IAAA,MAAM,QAAA,GAAW,UAAU,CAAC,CAAA;AAC5B,IAAA,MAAM,SAAA,GAAY,QAAA,GAAA,CACd,GAAA,CAAI,OAAA,EAAQ,GAAI,QAAA,CAAS,SAAA,CAAU,OAAA,EAAQ,KAAM,GAAA,GAAO,EAAA,GAAK,EAAA,GAAK,EAAA,CAAA,GACnE,CAAA;AAGH,IAAA,MAAM,OAAA,GAAU,MAAM,EAAA,CACpB,MAAA,CAAO;AAAA,MACP,QAAQ,SAAA,CAAU,MAAA;AAAA,MAClB,QAAQ,SAAA,CAAU,MAAA;AAAA,MAClB,WAAW,SAAA,CAAU;AAAA,KACrB,CAAA,CACA,IAAA,CAAK,SAAS,CAAA,CACd,MAAMA,EAAAA,CAAG,SAAA,CAAU,OAAA,EAAS,OAAO,CAAC,CAAA;AAEtC,IAAA,MAAM,aAAa,OAAA,CAAQ,MAAA;AAC3B,IAAA,MAAM,OAAA,GAAU,QAAQ,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,MAAA,KAAW,SAAS,CAAA,CAAE,MAAA;AAC9D,IAAA,MAAM,MAAA,GAAS,QAAQ,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,MAAA,KAAW,QAAQ,CAAA,CAAE,MAAA;AAE5D,IAAA,MAAM,WAAA,GAAc,UAAA,GAAa,CAAA,GAAK,OAAA,GAAU,aAAc,GAAA,GAAM,GAAA;AACpE,IAAA,MAAM,UAAA,GAAa,UAAA,GAAa,CAAA,GAAK,MAAA,GAAS,aAAc,GAAA,GAAM,CAAA;AAGlE,IAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM;AAC1C,MAAA,IAAI,CAAA,CAAE,MAAA,KAAW,QAAA,EAAU,OAAO,KAAA;
AAClC,MAAA,MAAM,MAAA,GAAS,EAAE,MAAA,IAAU,EAAA;AAC3B,MAAA,OACC,MAAA,CAAO,QAAA,CAAS,0BAA0B,CAAA,IAC1C,OAAO,WAAA,EAAY,CAAE,QAAA,CAAS,WAAW,CAAA,IACzC,MAAA,CAAO,WAAA,EAAY,CAAE,SAAS,YAAY,CAAA;AAAA,IAE5C,CAAC,CAAA,CAAE,MAAA;AAGH,IAAA,MAAM,aAAA,GAAgB,QACpB,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,MAAA,KAAW,QAAQ,CAAA,CACnC,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,SAAA,CAAU,OAAA,KAAY,CAAA,CAAE,SAAA,CAAU,SAAS,CAAA;AAC9D,IAAA,MAAM,aAAA,GAAgB,aAAA,CAAc,CAAC,CAAA,EAAG,UAAU,WAAA,EAAY;AAG9D,IAAA,IAAI,KAAA,GAAQ,EAAA;AACZ,IAAA,KAAA,IAAS,KAAK,GAAA,CAAI,EAAA,EAAI,KAAK,KAAA,CAAM,OAAA,GAAU,GAAG,CAAC,CAAA;AAC/C,IAAA,KAAA,IAAS,MAAA,GAAS,CAAA;AAClB,IAAA,KAAA,IAAS,YAAA,GAAe,EAAA;AACxB,IAAA,IAAI,SAAA,GAAY,IAAI,KAAA,IAAS,EAAA;AAAA,SAAA,IACpB,SAAA,GAAY,GAAG,KAAA,IAAS,CAAA;AAEjC,IAAA,KAAA,GAAQ,MAAM,IAAA,CAAK,KAAA,CAAM,KAAK,CAAA,EAAG,GAAG,GAAG,CAAA;AACvC,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,EAAO,UAAU,CAAA;AAE5C,IAAA,MAAM,OAAA,GAAiC;AAAA,MACtC,WAAA,EAAa,IAAA,CAAK,KAAA,CAAM,WAAA,GAAc,EAAE,CAAA,GAAI,EAAA;AAAA,MAC5C,UAAA,EAAY,IAAA,CAAK,KAAA,CAAM,UAAA,GAAa,EAAE,CAAA,GAAI,EAAA;AAAA,MAC1C,SAAA,EAAW,IAAA,CAAK,KAAA,CAAM,SAAA,GAAY,EAAE,CAAA,GAAI,EAAA;AAAA,MACxC,UAAA;AAAA,MACA,YAAA;AAAA,MACA;AAAA,KACD;AAGA,IAAA,MAAM,YAAA,GAAe,MAAM,EAAA,CACzB,MAAA,CAAO,EAAE,OAAA,EAAS,WAAA,CAAY,SAAS,CAAA,CACvC,KAAK,WAAW,CAAA,CAChB,MAAMA,EAAAA,CAAG,WAAA,CAAY,SAAS,OAAO,CAAC,CAAA,CACtC,KAAA,CAAM,CAAC,CAAA;AAET,IAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC5B,MAAA,MAAM,GACJ,MAAA,CAAO,WAAW,EAClB,GAAA,CAAI,EAAE,OAAO,KAAA,EAAO,OAAA,EAAS,UAAA,EAAY,GAAA,EAAK,CAAA,CAC9C,KAAA,CAAMA,GAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AAAA,IACzC,CAAA,MAAO;AACN,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA,CAAO;AAAA,QACnC,OAAA;AAAA,QACA,KAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA;AAAA,QACA,UAAA,EAAY;AAAA,OACZ,CAAA;AAAA,IACF;AAEA,IAAA,OAAO;AAAA,MACN,OAAA;AAAA,MACA,KAAA;AAAA,MACA,KAAA;AAAA,MACA,OAAA;AAAA,MACA,UAAA,EAAY,IAAI,WAAA;AAAY,KAC7B;AAAA,EACD;AAEA,EAAA,eAAe,SAAS,OAAA,EAA6C;AACpE,IAAA,MAAM,OAAO,MAAM,EAAA,CACjB,MAAA,EAAO,CACP,KAAK,WAAW,CAAA,CAChB,KAAA,CAAMA,EAAAA,CAAG,YAAY,O
AAA,EAAS,OAAO,CAAC,CAAA,CACtC,MAAM,CAAC,CAAA;AAET,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,OAAO,WAAW,GAAG,CAAA;AAAA,EACtB;AAEA,EAAA,eAAe,UAAA,GAAoC;AAClD,IAAA,MAAM,eAAe,MAAM,EAAA,CACzB,OAAO,EAAE,EAAA,EAAI,OAAO,EAAA,EAAI,CAAA,CACxB,IAAA,CAAK,MAAM,CAAA,CACX,KAAA,CAAMA,GAAG,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAC,CAAA;AAEnC,IAAA,MAAM,UAAwB,EAAC;AAC/B,IAAA,KAAA,MAAW,SAAS,YAAA,EAAc;AACjC,MAAA,MAAM,KAAA,GAAQ,MAAM,YAAA,CAAa,KAAA,CAAM,EAAE,CAAA;AACzC,MAAA,OAAA,CAAQ,KAAK,KAAK,CAAA;AAAA,IACnB;AACA,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,UAAU,OAAA,EAAwE;AAChG,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,WAAW,CAAA;AAC/C,IAAA,IAAI,MAAA,GAAS,IAAA,CAAK,GAAA,CAAI,UAAU,CAAA;AAEhC,IAAA,IAAI,SAAS,KAAA,EAAO;AACnB,MAAA,MAAA,GAAS,OAAO,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,KAAA,KAAU,QAAQ,KAAK,CAAA;AAAA,IACxD;AACA,IAAA,IAAI,OAAA,EAAS,aAAa,MAAA,EAAW;AACpC,MAAA,MAAM,MAAM,OAAA,CAAQ,QAAA;AACpB,MAAA,MAAA,GAAS,OAAO,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,GAAG,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO;AAAA,IACN,YAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,GACD;AACD;;;AClKA,SAASO,mBAAkB,MAAA,EAA2C;AACrE,EAAA,MAAM,CAAA,GAAI,MAAA,EAAQ,WAAA,EAAY,IAAK,EAAA;AACnC,EAAA,IAAI,CAAA,CAAE,SAAS,MAAM,CAAA,IAAK,EAAE,QAAA,CAAS,cAAc,GAAG,OAAO,cAAA;AAC7D,EAAA,IAAI,CAAA,CAAE,SAAS,IAAI,CAAA,IAAK,EAAE,QAAA,CAAS,WAAW,GAAG,OAAO,YAAA;AACxD,EAAA,IAAI,CAAA,CAAE,SAAS,MAAM,CAAA,IAAK,EAAE,QAAA,CAAS,QAAQ,GAAG,OAAO,iBAAA;AACvD,EAAA,IAAI,CAAA,CAAE,QAAA,CAAS,UAAU,CAAA,EAAG,OAAO,mBAAA;AACnC,EAAA,OAAO,mBAAA;AACR;AAoCA,eAAsB,aAAa,MAAA,EAAsB;AACxD,EAAA,MAAM,WAAA,GAAc,MAAA,CAAO,IAAA,EAAM,OAAA,IAAW,IAAA;AAE5C,EAAA,MAAM,EAAA,GAAK,MAAM,cAAA,CAAe,MAAA,CAAO,QAAQ,CAAA;AAI/C,EAAA,IAAI,CAAC,MAAA,CAAO,QAAA,CAAS,cAAA,EAAgB;AACpC,IAAA,MAAM,YAAA,CAAa,EAAA,EAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,CAAA;AAAA,EAChD;AAEA,EAAA,MAAM,WAAA,GAAc;AAAA,IACnB,EAAA;AAAA,IACA,UAAA,EAAY,MAAA,CAAO,MAAA,EAAQ,UAAA,IAAc,EAAA;AAAA,IACzC,kBAAA,EAAoB,MAAA,CAAO,MAAA,EAAQ,kBAAA,IAAsB,EAAC;AAAA,IAC1D,WAAA,EAAa,MAAA,CAAO,MAAA,EAAQ,
WAAA,IAAe;AAAA,GAC5C;AAEA,EAAA,MAAM,WAAA,GAAc,kBAAkB,WAAW,CAAA;AAEjD,EAAA,MAAM,mBAAmB,sBAAA,CAAuB;AAAA,IAC/C,EAAA;AAAA,IACA,QAAA,EAAU,MAAA,CAAO,MAAA,EAAQ,QAAA,IAAY;AAAA,GACrC,CAAA;AAED,EAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,EAAE,EAAA,EAAI,CAAA;AAE5C,EAAA,MAAM,gBAAA,GAAmB,sBAAA,CAAuB,EAAE,EAAA,EAAI,CAAA;AAGtD,EAAA,MAAM,cAAA,GAAwC,OAAO,IAAA,EAAM,OAAA,GACxD,qBAAqB,MAAA,CAAO,IAAA,CAAK,OAAA,EAAS,EAAE,CAAA,GAC5C,IAAA;AAGH,EAAA,MAAM,iBAAA,GAAoB,wBAAwB,EAAE,CAAA;AAGpD,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,IAAS,EAAC;AAE/B,EAAA,MAAM,YAAA,GAAe,mBAAmB,EAAE,CAAA;AAE1C,EAAA,MAAM,YAAA,GAAe,mBAAmB,EAAE,CAAA;AAG1C,EAAA,MAAM,iBAAiB,oBAAA,CAAqB,MAAA,CAAO,QAAA,IAAY,IAAI,EAAE,CAAA;AAGrE,EAAA,MAAM,WAAA,GAAc,iBAAA,CAAkB,EAAC,EAAG,EAAE,CAAA;AAG5C,EAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,EAAA,EAAI,MAAA,CAAO,GAAG,CAAA;AAIhD,EAAA,MAAM,eAAA,GACL,OAAO,SAAA,IAAa,cAAA,GACjB,sBAAsB,MAAA,CAAO,SAAA,EAAW,EAAA,EAAI,cAAc,CAAA,GAC1D,IAAA;AAIJ,EAAA,MAAM,cAAA,GACL,OAAO,QAAA,IAAY,cAAA,GAChB,qBAAqB,MAAA,CAAO,QAAA,EAAU,EAAA,EAAI,cAAc,CAAA,GACxD,IAAA;AAGJ,EAAA,MAAM,aAAgC,MAAA,CAAO,IAAA,GAAO,iBAAiB,MAAA,CAAO,IAAA,EAAM,EAAE,CAAA,GAAI,IAAA;AAGxF,EAAA,MAAM,gBAAsC,MAAA,CAAO,OAAA,GAChD,oBAAoB,MAAA,CAAO,OAAA,EAAS,EAAE,CAAA,GACtC,IAAA;AAGH,EAAA,MAAM,YAA8B,MAAA,CAAO,GAAA,GAAM,gBAAgB,MAAA,CAAO,GAAA,EAAK,EAAE,CAAA,GAAI,IAAA;AAGnF,EAAA,MAAM,YAA8B,MAAA,CAAO,GAAA,GAAM,gBAAgB,MAAA,CAAO,GAAA,EAAK,EAAE,CAAA,GAAI,IAAA;AAGnF,EAAA,MAAM,WAAA,GAAkC,OAAO,KAAA,GAC5C,iBAAA,CAAkB,OAAO,KAAA,EAAO,EAAA,EAAI,cAAc,CAAA,GAClD,IAAA;AAGH,EAAA,MAAM,sBAAkD,MAAA,CAAO,OAAA,GAC5D,0BAA0B,MAAA,CAAO,OAAA,EAAS,EAAE,CAAA,GAC5C,IAAA;AAGH,EAAA,MAAM,cAAA,GACL,OAAO,QAAA,IAAY,cAAA,GAChB,yBAAyB,MAAA,CAAO,QAAA,EAAU,EAAA,EAAI,cAAc,CAAA,GAC5D,IAAA;AAGJ,EAAA,MAAM,WAAA,GACL,OAAO,KAAA,IAAS,cAAA,GAAiB,sBAAsB,MAAA,CAAO,KAAA,EAAO,EAAA,EAAI,cAAc,CAAA,GAAI,IAAA;AAG5F,EAAA,MAAM,gBAAsC,MAAA,CAAO,OAAA,GAChD,mBAAA,CAAoB,MAAA,CAAO,OAAO,CAAA,GAClC,IAAA;AAGH,EAAA,MAAM,aAAA,GACL,MAAA,CAAO,QAAA,IAAY,MAAA,CAAO,QAAA,CAAS,SAAS,CAAA,GAAI,mBAAA,CAAoB,MAAA,CAAO,QAAQ,CAAA,GAAI,IAAA;AAIxF,EAAA,MAAM,cAAA,G
AAiB,MAAM,iBAAA,CAAkB,MAAA,CAAO,WAAW,EAAC,EAAG,IAAI,MAAM,CAAA;AAI/E,EAAA,MAAM,WAAA,GAA+B;AAAA,IACpC,EAAA;AAAA,IACA,MAAM,QAAQ,OAAA,EAAgD;AAC7D,MAAA,IAAI,CAAC,aAAa,OAAO,IAAA;AACzB,MAAA,OAAO,WAAA,CAAY,YAAY,OAAO,CAAA;AAAA,IACvC,CAAA;AAAA,IACA,MAAM,WAAW,KAAA,EAAe;AAC/B,MAAA,IAAI,CAAC,gBAAgB,OAAO,IAAA;AAC5B,MAAA,OAAO,cAAA,CAAe,SAAS,KAAK,CAAA;AAAA,IACrC;AAAA,GACD;AAEA,EAAA,MAAM,YAAA,GAAe,kBAAA,CAAmB,cAAA,CAAe,SAAS,CAAA;AAGhE,EAAA,eAAe,SAAA,CACd,OAAA,EACA,OAAA,EACA,OAAA,EAC2B;AAE3B,IAAA,IAAI,MAAM,eAAA,EAAiB;AAC1B,MAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM,eAAA,CAAgB;AAAA,QAC3C,OAAA;AAAA,QACA,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,WAAW,OAAA,CAAQ;AAAA,OACnB,CAAA;AACD,MAAA,IAAI,OAAA,IAAW,CAAC,OAAA,CAAQ,KAAA,EAAO;AAC9B,QAAA,MAAM,MAAA,GAAS,QAAQ,MAAA,IAAU,iCAAA;AACjC,QAAA,KAAK,MAAM,WAAA,GAAc;AAAA,UACxB,IAAA,EAAMA,mBAAkB,MAAM,CAAA;AAAA,UAC9B,OAAA;AAAA,UACA,QAAQ,OAAA,CAAQ,MAAA;AAAA,UAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,UAClB;AAAA,SACA,CAAA;AACD,QAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,SAAS,EAAA,EAAG;AAAA,MAC9C;AAAA,IACD;AAEA,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,GAAA,CAAI,OAAO,CAAA;AAC3C,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,UAAU,OAAO,CAAA,WAAA,CAAA;AAAA,QACzB,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,IAAI,KAAA,CAAM,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,QAAQ,CAAA,OAAA,EAAU,KAAA,CAAM,IAAI,CAAA,KAAA,EAAQ,MAAM,MAAM,CAAA,CAAA;AAAA,QAChD,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AAEA,IAAA,MAAM,kBAAoC,OAAA,GAAU,EAAE,GAAG,OAAA,EAAS,SAAQ,GAAI,OAAA;AAG9E,IAAA,MAAM,SAAA,GAAY,MAAM,gBAAA,CAAiB,SAAA,CAAU,OAAO,eAAe,CAAA;AAEzE,IAAA,IAAI,WAAA;AAEJ,IAAA,IAAI,UAAU,OAAA,EAAS;AACtB,MAAA,WAAA,GAAc,SAAA;AAAA,IACf,CAAA,MAAO;AAEN,MAAA,MAAM,cAAA,GAAiB,MAAM,gBAAA,CAAiB,uBAAA,CAAwB,OAAO,CAAA;AAE7E,MAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAChC,QAAA,WAAA,GAAc,SAAA;AAAA,MACf,CAAA,MAAO;AAEN,QAAA,MAAM,kBAAA,GAAqB,EAAE,GAAG,KAAA,EAAO,aAAa,cAAA,EAAe;AACnE,QAAA,MAAM,eAAA,GAAkB,MAAM,gBAAA,CAAiB,SAAA;AAAA,UAC9C,kBAAA;AAAA,UACA;AAAA,SACD;AAEA,QAAA,WAAA,GA
Ac,eAAA,CAAgB,UAAU,eAAA,GAAkB,SAAA;AAAA,MAC3D;AAAA,IACD;AAGA,IAAA,KAAK,MAAM,cAAA,GAAiB;AAAA,MAC3B,OAAA;AAAA,MACA,QAAQ,OAAA,CAAQ,MAAA;AAAA,MAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,MAAA,EAAQ;AAAA,QACP,SAAS,WAAA,CAAY,OAAA;AAAA,QACrB,QAAQ,WAAA,CAAY,MAAA;AAAA,QACpB,SAAS,WAAA,CAAY;AAAA;AACtB,KACA,CAAA;AAGD,IAAA,IAAI,CAAC,YAAY,OAAA,EAAS;AACzB,MAAA,KAAK,MAAM,WAAA,GAAc;AAAA,QACxB,IAAA,EAAMA,kBAAAA,CAAkB,WAAA,CAAY,MAAM,CAAA;AAAA,QAC1C,OAAA;AAAA,QACA,QAAQ,OAAA,CAAQ,MAAA;AAAA,QAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,MAAA,EAAQ,YAAY,MAAA,IAAU;AAAA,OAC9B,CAAA;AAAA,IACF;AAEA,IAAA,OAAO,WAAA;AAAA,EACR;AAGA,EAAA,eAAe,gBAAA,CACd,KAAA,EACA,OAAA,EACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,aAAA,CAAc,KAAK,CAAA;AACnD,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,gCAAA;AAAA,QACR,OAAA,EAAS;AAAA,OACV;AAAA,IACD;AACA,IAAA,MAAM,kBAAoC,OAAA,GAAU,EAAE,GAAG,OAAA,EAAS,SAAQ,GAAI,OAAA;AAC9E,IAAA,OAAO,gBAAA,CAAiB,SAAA,CAAU,KAAA,EAAO,eAAe,CAAA;AAAA,EACzD;AAGA,EAAA,eAAe,SAAS,KAAA,EAAgD;AACvE,IAAA,MAAM,WAAA,GAAc,MAAM,WAAA,CAAY,GAAA,CAAI,MAAM,SAAS,CAAA;AACzD,IAAA,IAAI,CAAC,aAAa,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,KAAA,CAAM,SAAS,CAAA,WAAA,CAAa,CAAA;AAC/E,IAAA,IAAI,WAAA,CAAY,WAAW,QAAA,EAAU;AACpC,MAAA,MAAM,IAAI,MAAM,CAAA,cAAA,EAAiB,WAAA,CAAY,IAAI,CAAA,KAAA,EAAQ,WAAA,CAAY,MAAM,CAAA,CAAE,CAAA;AAAA,IAC9E;AACA,IAAA,OAAO,gBAAA,CAAiB,QAAA,CAAS,KAAA,EAAO,WAAA,CAAY,WAAW,CAAA;AAAA,EAChE;AAGA,EAAA,MAAM,UAAA,GAAa;AAAA,IAClB,MAAM,UACF,IAAA,EACqC;AACxC,MAAA,MAAM,CAAC,KAAK,CAAA,GAAI,IAAA;AAEhB,MAAA,IAAI,MAAM,iBAAA,EAAmB;AAC5B,QAAA,MAAM,OAAA,GAAU,MAAM,KAAA,CAAM,iBAAA,CAAkB,KAAK,CAAA;AACnD,QAAA,IAAI,OAAA,IAAW,CAAC,OAAA,CAAQ,KAAA,EAAO;AAC9B,UAAA,MAAM,IAAI,KAAA,CAAM,OAAA,CAAQ,MAAA,IAAU,kDAAkD,CAAA;AAAA,QACrF;AAAA,MACD;AAEA,MAAA,MAAM,KAAA,GAAQ,MAAM,WAAA,CAAY,MAAA,CAAO,KAAK,CAAA;AAE5C,MAAA,KAAK,KAAA,CAAM,mBAAmB,KAAK,CAAA;AAEnC,MAAA,OAAO,KAAA;AAAA,IACR,CAAA;AAAA,IAEA,MAAM,OAAO,OAAA,EAAwD;AACpE,MAAA,MAAM,WAAA,CAAY,OAAO,OAAO,CAAA;AAChC,MAAA,KAAK,KAAA,CAAM,gBAAgB,OAAO,CAAA;AAAA,IACnC,CAAA;AAAA,I
AEA,MAAM,UACF,IAAA,EACqC;AACxC,MAAA,OAAO,WAAA,CAAY,MAAA,CAAO,GAAG,IAAI,CAAA;AAAA,IAClC,CAAA;AAAA,IAEA,KAAK,WAAA,CAAY,GAAA;AAAA,IACjB,MAAM,WAAA,CAAY,IAAA;AAAA,IAClB,QAAQ,WAAA,CAAY,MAAA;AAAA,IACpB,eAAe,WAAA,CAAY;AAAA,GAC5B;AAIA,EAAA,MAAM,WAAA,GAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOnB,MAAM,SAAS,KAAA,EAA2C;AACzD,MAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,MAAA,MAAM,KAAKF,UAAAA,EAAW;AAEtB,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,QAClC,EAAA;AAAA,QACA,MAAM,KAAA,CAAM,IAAA;AAAA,QACZ,UAAU,KAAA,CAAM,QAAA;AAAA,QAChB,OAAO,KAAA,CAAM,KAAA;AAAA,QACb,YAAA,EAAc,MAAM,YAAA,IAAgB,IAAA;AAAA,QACpC,YAAA,EAAc,KAAA,CAAM,SAAA,EAAW,GAAA,IAAO,IAAA;AAAA,QACtC,MAAA,EAAQ,QAAA;AAAA,QACR,SAAA,EAAW,GAAA;AAAA,QACX,SAAA,EAAW;AAAA,OACX,CAAA;AAED,MAAA,OAAO;AAAA,QACN,EAAA;AAAA,QACA,MAAM,KAAA,CAAM,IAAA;AAAA,QACZ,UAAU,KAAA,CAAM,QAAA;AAAA,QAChB,OAAO,KAAA,CAAM,KAAA;AAAA,QACb,YAAA,EAAc,MAAM,YAAA,IAAgB,IAAA;AAAA,QACpC,SAAA,EAAW;AAAA,OACZ;AAAA,IACD,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,IAAA,GAA6B;AAClC,MAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,UAAU,CAAA;AAC9C,MAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,GAAA,MAAS;AAAA,QACzB,IAAI,GAAA,CAAI,EAAA;AAAA,QACR,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,cAAc,GAAA,CAAI,YAAA;AAAA,QAClB,WAAW,GAAA,CAAI;AAAA,OAChB,CAAE,CAAA;AAAA,IACH,CAAA;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,IAAI,EAAA,EAAuC;AAChD,MAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,UAAU,CAAA,CAAE,KAAA,CAAML,EAAAA,CAAG,UAAA,CAAW,EAAA,EAAI,EAAE,CAAC,CAAA;AAC3E,MAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,MAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,MAAA,OAAO;AAAA,QACN,IAAI,GAAA,CAAI,EAAA;AAAA,QACR,MAAM,GAAA,CAAI,IAAA;AAAA,QACV,UAAU,GAAA,CAAI,QAAA;AAAA,QACd,OAAO,GAAA,CAAI,KAAA;AAAA,QACX,cAAc,GAAA,CAAI,YAAA;AAAA,QAClB,WAAW,GAAA,CAAI;AAAA,OAChB;AAAA,IACD;AAAA,GACD;AAEA,EAAA,OAAO;AAAA,IACN,KAAA,EAAO,UAAA;AAAA,IACP,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA,EAAY;AAAA,MACX,QAAQ,gBAAA,CAAiB,gBAAA;AAAA,MACzB,yBAAyB,gBAAA,CAAiB,uBAAA;AAAA,MAC1C,YAAY,gBAAA,CAAiB;AAAA,
KAC9B;AAAA,IACA,KAAA,EAAO;AAAA,MACN,KAAA,EAAO,CAAC,MAAA,KAAwB,WAAA,CAAY,MAAM,MAAM,CAAA;AAAA,MACxD,MAAA,EAAQ,CAAC,OAAA,KAAgC,WAAA,CAAY,OAAO,OAAO,CAAA;AAAA,MACnE,OAAA,EAAS,CAAC,OAAA,KAAuC,WAAA,CAAY,QAAQ,OAAO;AAAA,KAC7E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOA,GAAA,EAAK,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOL,QAAA,EAAU;AAAA,MACT,cAAc,iBAAA,CAAkB,YAAA;AAAA,MAChC,YAAY,iBAAA,CAAkB,UAAA;AAAA,MAC9B,YAAY,iBAAA,CAAkB;AAAA,KAC/B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAmBA,IAAA,EAAM;AAAA,MACL,MAAM,YAAY,OAAA,EAAgD;AACjE,QAAA,IAAI,CAAC,aAAa,OAAO,IAAA;AACzB,QAAA,OAAO,WAAA,CAAY,YAAY,OAAO,CAAA;AAAA,MACvC,CAAA;AAAA,MACA,OAAA,EAAS;AAAA,KACV;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAMA,MAAM,YAAY,OAAA,EAAgD;AACjE,MAAA,IAAI,CAAC,aAAa,OAAO,IAAA;AACzB,MAAA,OAAO,WAAA,CAAY,YAAY,OAAO,CAAA;AAAA,IACvC,CAAA;AAAA;AAAA,IAEA,EAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQA,MAAA,EAAQ,YAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAQR,QAAA,EAAU,YAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOV,QAAA,EAAU,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAOV,KAAA,EAAO,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAeP,GAAA,EAAK,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAcL,SAAA,EAAW,eAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaX,QAAA,EAAU,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAkBV,IAAA,EAAM,UAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAsBN,OAAA,EAAS,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYT,GAAA,EAAK,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYL,GAAA,EAAK,SAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYL,KAAA,EAAO,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYP,OAAA,EAAS,mBAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaT,QAAA,EA
AU,cAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAaV,KAAA,EAAO,WAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAYP,OAAA,EAAS,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAWT,QAAA,EAAU,aAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAkBV,OAAA,EAAS;AAAA;AAAA,MAER,aAAA,CAAc,OAAA,EAAkB,QAAA,GAAW,EAAA,EAA8B;AACxE,QAAA,OAAO,YAAA,CAAa,MAAA,CAAO,OAAA,EAAS,QAAA,EAAU,WAAW,CAAA;AAAA,MAC1D,CAAA;AAAA;AAAA,MAEA,YAAA,GAAe;AACd,QAAA,OAAO,aAAa,YAAA,EAAa;AAAA,MAClC,CAAA;AAAA;AAAA,MAEA,UAAA,GAAsC;AACrC,QAAA,OAAO,EAAE,GAAG,cAAA,CAAe,aAAA,EAAc;AAAA,MAC1C,CAAA;AAAA;AAAA,MAEA,QAAA,EAAU;AAAA;AACX,GACD;AACD;;;AC9sBO,SAAS,oBAAoB,OAAA,EAA+D;AAClG,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,uBAAA;AACpC,EAAA,MAAM,OAAA,GAAU,SAAS,OAAA,IAAW,OAAA;AAEpC,EAAA,OAAO;AAAA,IACN,OAAA,EAAS,OAAA;AAAA,IACT,IAAA,EAAM;AAAA,MACL,KAAA,EAAO,cAAA;AAAA,MACP,OAAA;AAAA,MACA,WAAA,EACC;AAAA,KACF;AAAA,IACA,SAAS,CAAC,EAAE,KAAK,OAAA,EAAS,WAAA,EAAa,uBAAuB,CAAA;AAAA,IAC9D,KAAA,EAAO;AAAA,MACN,SAAA,EAAW;AAAA,QACV,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,qCAAA;AAAsC;AACvD;AACD,aACD;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,eAAA,EAAgB;AAAA,YACtC,KAAA,EAAO,EAAE,WAAA,EAAa,8BAAA;AAA+B;AACtD,SACD;AAAA,QACA,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,aAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cA
CV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA;AAAE,aAClE;AAAA,YACA;AAAA,cACC,IAAA,EAAM,MAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA;AAAE;AACxE,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,gBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,8BAA6B;AAAE;AACxE;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,iBAAA;AAAA,UACT,WAAA,EAAa,UAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE,aACnF;AAAA,YACA,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAA;AAAkB;AACzC,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,eAAA;AAAA,cACb,OAAA,EAAS,EAAE,kBAAA,EAAoB,EAAE,QAAQ,EAAE,IAAA,EAAM,4BAAA,EAA6B,EAAE;AAAE;AACnF;AACD,SACD;AAAA,QACA,MAAA,EAAQ;AAAA,UACP,OAAA,EAAS,cAAA;AAAA,UACT,WAAA,EAAa,aAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,WAAW,EAAE,KAAA,EAAO,EAAE,WAAA,EAAa,iBAAgB;AAAE;AACtD,OACD;AAAA,MACA,qBAAA,EAAuB;AAAA,QACtB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,oBAAA;AAA
A,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,QAAQ,CAAA;AAAA,UACf,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY,CAAC,EAAE,IAAA,EAAM,MAAM,EAAA,EAAI,MAAA,EAAQ,QAAA,EAAU,IAAA,EAAM,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,IAAY,CAAA;AAAA,UACnF,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,kBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,uCAAsC;AAAE;AAC/E;AACD;AACD;AACD,OACD;AAAA,MACA,YAAA,EAAc;AAAA,QACb,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,2BAAA;AAAA,UACT,WAAA,EAAa,WAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,yCAAwC;AAAE;AACjF,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,kBAAA,EAAoB;AAAA,QACnB,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,0BAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,eAAe,CAAA;AAAA,UACtB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,kBAAA,EAAoB;AAAA,gBACnB,MAAA,EAAQ;AAAA,kBACP,IAAA,EAAM,QAAA;AAAA,kBACN,UAAA,EAAY;AAAA,oBACX,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,oBAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS,mBAC7B;AAAA,kBACA,QAAA,EAAU,CAAC,QAAA,EAAU,UAAU;AAAA;AAChC;AACD;AACD,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,sBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD,OACD;AAAA,MACA,QAAA,EAAU;AAAA,QACT,GAAA,EAAK;AAAA,UACJ,OAAA,EAAS,kBAAA;AAAA,UACT,WAAA,EAAa,YAAA;AAAA,UACb,IAAA,EAAM,CAAC,OAAO,CAAA;AAAA,UACd,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,UAAA,EAAY;AAAA,YACX,EAAE,IAAA,EAAM,SAAA,EAAW,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC5E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS,EAAE;AAAA,YAC3E;AAAA,cACC,I
AAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,OAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY,aAC/C;AAAA,YACA;AAAA,cACC,IAAA,EAAM,QAAA;AAAA,cACN,EAAA,EAAI,OAAA;AAAA,cACJ,QAAA,EAAU,KAAA;AAAA,cACV,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA;AAAE,aACvE;AAAA,YACA,EAAE,IAAA,EAAM,OAAA,EAAS,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAU,EAAE;AAAA,YAC3E,EAAE,IAAA,EAAM,QAAA,EAAU,EAAA,EAAI,OAAA,EAAS,QAAA,EAAU,KAAA,EAAO,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAU;AAAE,WAC7E;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,mBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,kBAAA,EAAoB;AAAA,kBACnB,MAAA,EAAQ,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAC7E;AACD;AACD;AACD;AACD,OACD;AAAA,MACA,cAAA,EAAgB;AAAA,QACf,IAAA,EAAM;AAAA,UACL,OAAA,EAAS,yBAAA;AAAA,UACT,WAAA,EAAa,kBAAA;AAAA,UACb,IAAA,EAAM,CAAC,YAAY,CAAA;AAAA,UACnB,UAAU,CAAC,EAAE,UAAA,EAAY,IAAI,CAAA;AAAA,UAC7B,WAAA,EAAa;AAAA,YACZ,QAAA,EAAU,IAAA;AAAA,YACV,OAAA,EAAS;AAAA,cACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,sCAAqC;AAAE;AAC9E,WACD;AAAA,UACA,SAAA,EAAW;AAAA,YACV,KAAA,EAAO;AAAA,cACN,WAAA,EAAa,oBAAA;AAAA,cACb,OAAA,EAAS;AAAA,gBACR,oBAAoB,EAAE,MAAA,EAAQ,EAAE,IAAA,EAAM,wCAAuC;AAAE;AAChF;AACD;AACD;AACD;AACD,KACD;AAAA,IACA,UAAA,EAAY;AAAA,MACX,OAAA,EAAS;AAAA,QACR,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,MAAA,EAAQ,QAAQ,aAAa,CAAA;AAAA,UACnD,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,
EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA;AAAS;AAC5B,SACD;AAAA,QACA,KAAA,EAAO;AAAA,UACN,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAE;AAAA,YACrE,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,CAAA,EAAE;AAAA,YACjE,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,WAAW,EAAE,IAAA,EAAM,UAAU,MAAA,EAAQ,WAAA,EAAa,UAAU,IAAA,EAAK;AAAA,YACjE,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,cAAA,EAAgB;AAAA,UACf,IAAA,EAAM,QAAA;AAAA,UACN,WAAA,EAAa,gEAAA;AAAA,UACb,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,KAAA,EAAO;AAAA,cACN,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EACC;AAAA,aACF;AAAA,YACA,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,IAAA,EAAM,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACvB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC;AAAE;AAClF,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,UAAA,EAAY,SAAS,CAAA;AAAA,UAChC,UAAA,EAAY;AAAA,YACX,QAAA,EAAU;AAAA,cACT,IAAA,EAAM,QAAA;AAAA,cACN,WAAA,EAAa;AAAA,aACd;AAAA,YACA,OAAA,EAAS;AAAA,cACR,IAAA,EAAM,OAAA;AAAA,cACN,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,cACxB,WAAA,EAAa;AAAA,aACd;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,4CAAA;AAA6C;AACnE,SACD;AAAA,QACA,qBAAA,EAAuB;AAAA,UACtB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC,kBAAA,EAAoB,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS,EAAE;AAAA,YAC/D,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACnC
,UAAA,EAAY;AAAA,cACX,IAAA,EAAM,QAAA;AAAA,cACN,UAAA,EAAY;AAAA,gBACX,KAAA,EAAO,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA,EAAe;AAAA,gBACrD,GAAA,EAAK,EAAE,IAAA,EAAM,QAAA,EAAU,aAAa,cAAA;AAAe;AACpD,aACD;AAAA,YACA,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,UAAS;AAAE;AACzD,SACD;AAAA,QACA,gBAAA,EAAkB;AAAA,UACjB,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,SAAA,EAAW,QAAA,EAAU,UAAU,CAAA;AAAA,UAC1C,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA;AAAS;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,OAAA,EAAS,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC3B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,UAAU,IAAA,EAAK;AAAA,YACzC,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA;AAAS;AAC3B,SACD;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACzB,QAAA,EAAU,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC3B,UAAA,EAAY,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC7B,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAA,EAAU,MAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAE;AAAA,YACtE,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YAC9B,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD,SACD;AAAA,QACA,aAAA,EAAe;AAAA,UACd,IAAA,EAAM,QAAA;AAAA,UACN,QAAA,EAAU,CAAC,WAAA,EAAa,SAAA,EAAW,eAAe,WAAW,CAAA;AAAA,UAC7D,UAAA,EAAY;AAAA,YACX,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,QAAA,EAAU,EAAE,IAAA,EAAM,SAAA;AAAU;AAC7B,SACD;AAAA,QACA,eAAA,EAAiB;AAAA,UAChB,IAAA,EAAM,QAAA;AAAA,UACN,UAAA,EAAY;AAAA,YACX,EAAA,EAAI,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YACrB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC5B,OAAA,EAAS,EAAE,IAAA,EAAM,QAAA,EAAS;AAAA,YAC1B
,WAAA,EAAa,EAAE,IAAA,EAAM,OAAA,EAAS,OAAO,EAAE,IAAA,EAAM,mCAAkC,EAAE;AAAA,YACjF,KAAA,EAAO,EAAE,IAAA,EAAM,SAAA,EAAU;AAAA,YACzB,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA,EAAY;AAAA,YACjD,SAAA,EAAW,EAAE,IAAA,EAAM,QAAA,EAAU,QAAQ,WAAA;AAAY;AAClD;AACD,OACD;AAAA,MACA,eAAA,EAAiB;AAAA,QAChB,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA,SACf;AAAA,QACA,UAAA,EAAY;AAAA,UACX,IAAA,EAAM,MAAA;AAAA,UACN,MAAA,EAAQ,QAAA;AAAA,UACR,YAAA,EAAc;AAAA;AACf;AACD;AACD,GACD;AACD;;;ACzaA,IAAM,gBAAgB,OAAO,OAAA,KAAY,WAAA,IAAe,OAAA,CAAQ,IAAI,QAAA,KAAa,YAAA;AAEjF,IAAM,eAAA,GAEF;AAAA,EACH,QAAA,EAAU,IAAA;AAAA,EACV,MAAA,EAAQ,aAAA;AAAA,EACR,QAAA,EAAU,KAAA;AAAA,EACV,IAAA,EAAM;AACP,CAAA;AAcO,SAAS,eAAA,CAAgB,IAAA,EAAc,KAAA,EAAe,OAAA,EAAiC;AAC7F,EAAA,kBAAA,CAAmB,IAAI,CAAA;AAEvB,EAAA,MAAM,IAAA,GAAO,EAAE,GAAG,eAAA,EAAiB,GAAG,OAAA,EAAQ;AAC9C,EAAA,MAAM,KAAA,GAAkB,CAAC,CAAA,EAAG,IAAI,IAAI,kBAAA,CAAmB,KAAK,CAAC,CAAA,CAAE,CAAA;AAE/D,EAAA,IAAI,IAAA,CAAK,QAAA,EAAU,KAAA,CAAM,IAAA,CAAK,UAAU,CAAA;AACxC,EAAA,IAAI,IAAA,CAAK,MAAA,EAAQ,KAAA,CAAM,IAAA,CAAK,QAAQ,CAAA;AAEpC,EAAA,MAAM,QAAA,GAAW,KAAK,QAAA,IAAY,KAAA;AAClC,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,SAAA,EAAY,UAAA,CAAW,QAAQ,CAAC,CAAA,CAAE,CAAA;AAE7C,EAAA,MAAM,IAAA,GAAO,KAAK,IAAA,IAAQ,GAAA;AAC1B,EAAA,KAAA,CAAM,IAAA,CAAK,CAAA,KAAA,EAAQ,IAAI,CAAA,CAAE,CAAA;AAEzB,EAAA,IAAI,SAAS,MAAA,EAAQ,KAAA,CAAM,KAAK,CAAA,OAAA,EAAU,OAAA,CAAQ,MAAM,CAAA,CAAE,CAAA;AAE1D,EAAA,IAAI,OAAA,EAAS,WAAW,MAAA,EAAW;AAClC,IAAA,KAAA,CAAM,IAAA,CAAK,CAAA,QAAA,EAAW,OAAA,CAAQ,MAAM,CAAA,CAAE,CAAA;AAEtC,IAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,OAAA,CAAQ,SAAS,GAAI,CAAA;AAC9D,IAAA,KAAA,CAAM,IAAA,CAAK,CAAA,QAAA,EAAW,UAAA,CAAW,WAAA,EAAa,CAAA,CAAE,CAAA;AAAA,EACjD,CAAA,MAAA,IAAW,SAAS,OAAA,EAAS;AAC5B,IAAA,KAAA,CAAM,KAAK,CAAA,QAAA,EAAW,OAAA,CAAQ,OAAA,CAAQ,WAAA,EAAa,CAAA,CAAE,CAAA;AAAA,EACtD;AAEA,EAAA,IAAI,OAAA,EAAS,WAAA,EAAa,KAAA,CAAM,IAAA,CAAK,aAAa,CAAA;AAElD,EAAA,OAAO,KAAA,CAAM,KAAK,IAAI,CAAA;AACvB;AAMO,SAAS,uBAAA,CACf,MACA,OAAA,EACS;AACT,EAAA,OAAO,eAAA,CAAgB,MAAM,EAAA,E
AAI;AAAA,IAChC,GAAG,OAAA;AAAA,IACH,MAAA,EAAQ,CAAA;AAAA,IACR,OAAA,kBAAS,IAAI,IAAA,CAAK,CAAC;AAAA,GACnB,CAAA;AACF;AAcO,SAAS,aAAa,MAAA,EAAwC;AACpE,EAAA,MAAM,SAAiC,EAAC;AAExC,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,MAAA,CAAO,IAAA,IAAQ,OAAO,MAAA;AAEtC,EAAA,KAAA,MAAW,IAAA,IAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,CAAA,EAAG;AACrC,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA;AAChC,IAAA,IAAI,YAAY,EAAA,EAAI;AAEpB,IAAA,MAAM,OAAO,IAAA,CAAK,KAAA,CAAM,CAAA,EAAG,OAAO,EAAE,IAAA,EAAK;AACzC,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,OAAA,GAAU,CAAC,EAAE,IAAA,EAAK;AAEzC,IAAA,IAAI,CAAC,IAAA,EAAM;AAEX,IAAA,IAAI;AACH,MAAA,MAAA,CAAO,IAAI,CAAA,GAAI,kBAAA,CAAmB,GAAG,CAAA;AAAA,IACtC,CAAA,CAAA,MAAQ;AAAA,IAER;AAAA,EACD;AAEA,EAAA,OAAO,MAAA;AACR;AAOO,SAAS,SAAA,CAAU,QAAgB,IAAA,EAAkC;AAC3E,EAAA,OAAO,YAAA,CAAa,MAAM,CAAA,CAAE,IAAI,CAAA;AACjC;AAKO,SAAS,wBAAwB,OAAA,EAA0C;AACjF,EAAA,OAAO,aAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,KAAK,EAAE,CAAA;AACxD;AAMA,SAAS,WAAW,CAAA,EAAmB;AACtC,EAAA,OAAO,CAAA,CAAE,OAAO,CAAC,CAAA,CAAE,aAAY,GAAI,CAAA,CAAE,MAAM,CAAC,CAAA;AAC7C;AAGA,IAAM,sBAAA,GAAyB,yBAAA;AAM/B,SAAS,mBAAmB,IAAA,EAAoB;AAC/C,EAAA,IAAI,CAAC,IAAA,EAAM;AACV,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,EACjD;AACA,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,IAAA,CAAK,QAAQ,CAAA,EAAA,EAAK;AACrC,IAAA,MAAMQ,KAAAA,GAAO,IAAA,CAAK,UAAA,CAAW,CAAC,CAAA;AAE9B,IAAA,IAAIA,KAAAA,IAAQ,EAAA,IAAMA,KAAAA,KAAS,GAAA,EAAK;AAC/B,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,IACjD;AAAA,EACD;AACA,EAAA,IAAI,sBAAA,CAAuB,IAAA,CAAK,IAAI,CAAA,EAAG;AACtC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sBAAA,EAAyB,IAAI,CAAA,CAAA,CAAG,CAAA;AAAA,EACjD;AACD;;;ACjJA,IAAM,iBAAA,GAAoB,EAAA;AAUnB,SAAS,iBAAA,GAA4B;AAC3C,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,iBAAiB,CAAA;AAC9C,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,OAAO,sBAAsB,KAAK,CAAA;AACnC;AAgBO,SAAS,iBAAA,CAAkB,cAAsB,WAAA,EAA2C;AAClG,EAAA,IAAI,CAAC,YAAA,IAAgB,CAAC,WAAA,EAAa;AAClC,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,oBAAA,EAAqB;AAAA,EACrD;AAEA,EAAA,IAAI,CAAC,eAAA,CAAgB,YAAA,EAAc
,WAAW,CAAA,EAAG;AAChD,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,qBAAA,EAAsB;AAAA,EACtD;AAEA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAuBO,SAAS,cAAA,CACf,OAAA,EACA,cAAA,EACA,kBAAA,GAAqB,KAAA,EACE;AACvB,EAAA,MAAM,UAAA,GAAa,cAAA,CAAe,GAAA,CAAI,eAAe,CAAA;AAErD,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AAEjD,EAAA,IAAI,YAAA,EAAc;AACjB,IAAA,IAAI,iBAAiB,MAAA,EAAQ;AAC5B,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,wBAAA,EAAyB;AAAA,IACzD;AACA,IAAA,MAAM,aAAA,GAAgB,gBAAgB,YAAY,CAAA;AAClD,IAAA,IAAI,UAAA,CAAW,QAAA,CAAS,aAAa,CAAA,EAAG;AACvC,MAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,IACtB;AACA,IAAA,OAAO;AAAA,MACN,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ,WAAW,YAAY,CAAA,4BAAA;AAAA,KAChC;AAAA,EACD;AAGA,EAAA,MAAM,aAAA,GAAgB,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,SAAS,CAAA;AAEnD,EAAA,IAAI,aAAA,EAAe;AAClB,IAAA,IAAI;AACH,MAAA,MAAM,gBAAgB,eAAA,CAAgB,IAAI,GAAA,CAAI,aAAa,EAAE,MAAM,CAAA;AACnE,MAAA,IAAI,UAAA,CAAW,QAAA,CAAS,aAAa,CAAA,EAAG;AACvC,QAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,MACtB;AACA,MAAA,OAAO;AAAA,QACN,KAAA,EAAO,KAAA;AAAA,QACP,MAAA,EAAQ,mBAAmB,aAAa,CAAA,4BAAA;AAAA,OACzC;AAAA,IACD,CAAA,CAAA,MAAQ;AACP,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,0BAAA,EAA2B;AAAA,IAC3D;AAAA,EACD;AAGA,EAAA,IAAI,kBAAA,EAAoB;AACvB,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACtB;AACA,EAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,qCAAA,EAAsC;AACtE;AASA,SAAS,gBAAgB,MAAA,EAAwB;AAChD,EAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,EAAE,EAAE,WAAA,EAAY;AAC9C;AASA,SAAS,eAAA,CAAgB,GAAW,CAAA,EAAoB;AACvD,EAAA,MAAM,MAAA,GAAS,IAAI,WAAA,EAAY,CAAE,OAAO,CAAC,CAAA;AACzC,EAAA,MAAM,MAAA,GAAS,IAAI,WAAA,EAAY,CAAE,OAAO,CAAC,CAAA;AAEzC,EAAA,IAAI,MAAA,CAAO,MAAA,KAAW,MAAA,CAAO,MAAA,EAAQ;AAEpC,IAAA,IAAI,KAAA,GAAQ,CAAA;AACZ,IAAA,MAAM,MAAM,IAAA,CAAK,GAAA,CAAI,MAAA,CAAO,MAAA,EAAQ,OAAO,MAAM,CAAA;AACjD,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,EAAK,CAAA,EAAA,EAAK;AAC7B,MAAA,KAAA,IAAA,CAAU,OAAO,CAAC,CAAA,IAAK,CAAA,KAAM,MAAA,CAAO,CAAC,CAAA,IAAK,CAAA,CAAA;AAAA,IAC3C;AAEA,IAAA,OAAO,KAAA;AAAA,EACR;AAEA,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,C
AAA,EAAG,CAAA,GAAI,MAAA,CAAO,QAAQ,CAAA,EAAA,EAAK;AACvC,IAAA,IAAA,IAAA,CAAS,OAAO,CAAC,CAAA,IAAK,CAAA,KAAM,MAAA,CAAO,CAAC,CAAA,IAAK,CAAA,CAAA;AAAA,EAC1C;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB;AAOA,SAAS,sBAAsB,KAAA,EAA2B;AAEzD,EAAA,IAAI,OAAO,WAAW,WAAA,EAAa;AAClC,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,KAAK,CAAA,CAAE,SAAS,WAAW,CAAA;AAAA,EAC/C;AAEA,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAA,IAAU,MAAA,CAAO,aAAa,IAAI,CAAA;AAAA,EACnC;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,MAAM,EAAE,CAAA;AAC7E;ACpEA,IAAM,oBAAA,GAAuB,gBAAA;AAC7B,IAAM,uBAAA,GAA0B,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK,CAAA;AAcxC,SAAS,0BAAA,CACf,QACA,EAAA,EACuB;AACvB,EAAA,MAAM,WAAA,GAAc,OAAO,WAAA,IAAe,oBAAA;AAC1C,EAAA,MAAM,UAAA,GAAa,OAAO,MAAA,IAAU,uBAAA;AACpC,EAAA,MAAM,WAAA,GAAc,OAAO,WAAA,IAAe,IAAA;AAE1C,EAAA,MAAM,GAAA,GAAM,oBAAA,CAAqB,MAAA,EAAQ,EAAE,CAAA;AAG3C,EAAA,MAAM,cAAA,GAAgC;AAAA,IACrC,QAAA,EAAU,IAAA;AAAA,IACV,QAAA,EAAU,KAAA;AAAA,IACV,IAAA,EAAM,GAAA;AAAA,IACN,GAAG,MAAA,CAAO,aAAA;AAAA,IACV,MAAA,EAAQ;AAAA,GACT;AAEA,EAAA,SAAS,eAAe,KAAA,EAAuB;AAC9C,IAAA,OAAO,eAAA,CAAgB,WAAA,EAAa,KAAA,EAAO,cAAc,CAAA;AAAA,EAC1D;AAEA,EAAA,SAAS,iBAAA,GAA4B;AACpC,IAAA,MAAM,EAAE,MAAA,EAAQ,KAAA,EAAO,GAAG,MAAK,GAAI,cAAA;AACnC,IAAA,OAAO,uBAAA,CAAwB,aAAa,IAAI,CAAA;AAAA,EACjD;AAIA,EAAA,eAAe,aAAA,CACd,QACA,QAAA,EAC+B;AAC/B,IAAA,MAAM,EAAE,SAAS,KAAA,EAAM,GAAI,MAAM,GAAA,CAAI,MAAA,CAAO,QAAQ,QAAQ,CAAA;AAC5D,IAAA,OAAO,EAAE,OAAA,EAAS,eAAA,EAAiB,cAAA,CAAe,KAAK,CAAA,EAAE;AAAA,EAC1D;AAEA,EAAA,eAAe,gBAAgB,YAAA,EAAsD;AACpF,IAAA,MAAM,KAAA,GAAQ,SAAA,CAAU,YAAA,EAAc,WAAW,CAAA;AACjD,IAAA,IAAI,CAAC,KAAA,EAAO;AACX,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,mBAAA,EAAqB,IAAA,EAAK;AAAA,IACnD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA;AACxC,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,mBAAA,EAAqB,IAAA,EAAK;AAAA,IACnD;AAGA,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,MAAM,SAAA,GAAY,MAAM,cAAA,CAAe,OAAA,CAAQ,EAAE,CAAA;AACjD,MAAA,IAAI,SAAA,EAAW;AACd,QAAA,OAA
O,EAAE,OAAA,EAAS,SAAA,CAAU,OAAA,EAAS,mBAAA,EAAqB,UAAU,eAAA,EAAgB;AAAA,MACrF;AAAA,IACD;AAEA,IAAA,OAAO,EAAE,OAAA,EAAS,mBAAA,EAAqB,IAAA,EAAK;AAAA,EAC7C;AAEA,EAAA,eAAe,eACd,SAAA,EACgE;AAKhE,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,GACA,IAAA,CAAK,QAAa,CAAA,CAClB,KAAA,CAAMP,IAAID,EAAAA,CAAG,QAAA,CAAc,EAAA,EAAI,SAAS,CAAC,CAAC,CAAA;AAE5C,IAAA,MAAM,GAAA,GAAM,KAAK,CAAC,CAAA;AAClB,IAAA,IAAI,CAAC,KAAK,OAAO,IAAA;AACjB,IAAA,IAAI,GAAA,CAAI,SAAA,oBAAa,IAAI,IAAA,IAAQ,OAAO,IAAA;AAKxC,IAAA,MAAM,EAAA,CAAG,OAAO,QAAa,CAAA,CAAE,MAAMA,EAAAA,CAAG,QAAA,CAAc,EAAA,EAAI,SAAS,CAAC,CAAA;AACpE,IAAA,MAAM,EAAE,OAAA,EAAS,UAAA,EAAY,OAAO,QAAA,EAAS,GAAI,MAAM,GAAA,CAAI,MAAA;AAAA,MAC1D,GAAA,CAAI,MAAA;AAAA,MACJ,IAAI,QAAA,IAAY;AAAA,KACjB;AAEA,IAAA,OAAO,EAAE,OAAA,EAAS,UAAA,EAAY,eAAA,EAAiB,cAAA,CAAe,QAAQ,CAAA,EAAE;AAAA,EACzE;AAEA,EAAA,eAAe,cAAc,SAAA,EAA4D;AACxF,IAAA,MAAM,GAAA,CAAI,OAAO,SAAS,CAAA;AAC1B,IAAA,OAAO,EAAE,kBAAA,EAAoB,iBAAA,EAAkB,EAAE;AAAA,EAClD;AAEA,EAAA,eAAe,kBAAkB,MAAA,EAAyD;AACzF,IAAA,MAAM,GAAA,CAAI,UAAU,MAAM,CAAA;AAC1B,IAAA,OAAO,EAAE,kBAAA,EAAoB,iBAAA,EAAkB,EAAE;AAAA,EAClD;AAEA,EAAA,eAAe,aAAa,MAAA,EAAoC;AAC/D,IAAA,OAAO,GAAA,CAAI,KAAK,MAAM,CAAA;AAAA,EACvB;AAEA,EAAA,SAAS,iBAAA,GAA4B;AACpC,IAAA,OAAO,iBAAA,EAAkB;AAAA,EAC1B;AAEA,EAAA,OAAO;AAAA,IACN,aAAA;AAAA,IACA,eAAA;AAAA,IACA,cAAA;AAAA,IACA,aAAA;AAAA,IACA,iBAAA;AAAA,IACA,YAAA;AAAA,IACA,iBAAA;AAAA,IACA;AAAA,GACD;AACD;ACvMO,IAAM,sBAAA,GAAN,cAAqC,KAAA,CAAM;AAAA,EACxC,IAAA,GAAO,uBAAA;AAAA,EAChB,WAAA,CAAY,QAAgB,GAAA,EAAa;AACxC,IAAA,KAAA,CAAM,CAAA,KAAA,EAAQ,MAAM,CAAA,4BAAA,EAA+B,GAAG,CAAA,oBAAA,CAAsB,CAAA;AAAA,EAC7E;AACD;AAWA,SAAS,eAAe,EAAA,EAAmD;AAC1E,EAAA,IAAI,CAAC,IAAI,OAAO,MAAA;AAGhB,EAAA,IAAI,EAAA;AACJ,EAAA,IAAI,mBAAA,CAAoB,IAAA,CAAK,EAAE,CAAA,EAAG;AACjC,IAAA,EAAA,GAAK,KAAA;AAAA,EACN,CAAA,MAAA,IAAW,UAAA,CAAW,IAAA,CAAK,EAAE,CAAA,EAAG;AAC/B,IAAA,EAAA,GAAK,SAAA;AAAA,EACN,CAAA,MAAA,IAAW,qBAAA,CAAsB,IAAA,CAAK,EAAE,CAAA,EAAG;AAC1C,IAAA,EAAA,GAAK,OAAA;AAAA,EACN,CAAA,MAAA,IAAW,UAAA,CAAW,IAAA,CAAK,EAAE,CAAA,EAAG;AAC/B,IAAA,EAAA,GAAK,SAAA;AAAA,EACN,CAAA,MAAA
,IAAW,QAAA,CAAS,IAAA,CAAK,EAAE,CAAA,EAAG;AAC7B,IAAA,EAAA,GAAK,OAAA;AAAA,EACN,CAAA,MAAO;AACN,IAAA,EAAA,GAAK,YAAA;AAAA,EACN;AAGA,EAAA,IAAI,OAAA;AACJ,EAAA,IAAI,QAAA,CAAS,IAAA,CAAK,EAAE,CAAA,EAAG;AACtB,IAAA,OAAA,GAAU,MAAA;AAAA,EACX,CAAA,MAAA,IAAW,SAAS,IAAA,CAAK,EAAE,KAAK,QAAA,CAAS,IAAA,CAAK,EAAE,CAAA,EAAG;AAClD,IAAA,OAAA,GAAU,OAAA;AAAA,EACX,CAAA,MAAA,IAAW,YAAA,CAAa,IAAA,CAAK,EAAE,CAAA,EAAG;AACjC,IAAA,OAAA,GAAU,SAAA;AAAA,EACX,CAAA,MAAA,IAAW,YAAY,IAAA,CAAK,EAAE,KAAK,CAAC,WAAA,CAAY,IAAA,CAAK,EAAE,CAAA,EAAG;AACzD,IAAA,OAAA,GAAU,QAAA;AAAA,EACX,CAAA,MAAA,IAAW,YAAY,IAAA,CAAK,EAAE,KAAK,CAAC,SAAA,CAAU,IAAA,CAAK,EAAE,CAAA,EAAG;AACvD,IAAA,OAAA,GAAU,QAAA;AAAA,EACX,CAAA,MAAA,IAAW,SAAA,CAAU,IAAA,CAAK,EAAE,CAAA,EAAG;AAC9B,IAAA,OAAA,GAAU,MAAA;AAAA,EACX,CAAA,MAAA,IAAW,kBAAA,CAAmB,IAAA,CAAK,EAAE,CAAA,EAAG;AACvC,IAAA,OAAA,GAAU,QAAA;AAAA,EACX,CAAA,MAAO;AACN,IAAA,OAAA,GAAU,SAAA;AAAA,EACX;AAEA,EAAA,OAAO,CAAA,EAAG,OAAO,CAAA,IAAA,EAAO,EAAE,CAAA,CAAA;AAC3B;AAMA,SAAS,iBAAiB,GAAA,EAKV;AACf,EAAA,MAAM,QAAA,GAAW,IAAI,QAAA,IAAY,MAAA;AAGjC,EAAA,MAAM,SAAS,QAAA,IAAY,OAAO,SAAS,MAAA,KAAW,QAAA,GAAW,SAAS,MAAA,GAAS,MAAA;AACnF,EAAA,MAAM,KAAK,QAAA,IAAY,OAAO,SAAS,EAAA,KAAO,QAAA,GAAW,SAAS,EAAA,GAAK,MAAA;AAGvE,EAAA,IAAI,aAAA;AACJ,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,EAAE,MAAA,EAAQ,EAAA,EAAI,IAAI,EAAA,EAAI,GAAG,MAAK,GAAI,QAAA;AAGxC,IAAA,aAAA,GAAgB,OAAO,IAAA,CAAK,IAAI,CAAA,CAAE,MAAA,GAAS,IAAI,IAAA,GAAO,MAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,IAAI,GAAA,CAAI,EAAA;AAAA,IACR,WAAW,GAAA,CAAI,SAAA;AAAA,IACf,WAAW,GAAA,CAAI,SAAA;AAAA,IACf,GAAI,aAAA,KAAkB,MAAA,IAAa,EAAE,UAAU,aAAA,EAAc;AAAA,IAC7D,GAAI,MAAA,KAAW,MAAA,IAAa,EAAE,MAAA,EAAO;AAAA,IACrC,GAAI,EAAA,KAAO,MAAA,IAAa,EAAE,EAAA;AAAG,GAC9B;AACD;AAMO,SAAS,wBAAA,CACf,MAAA,EACA,EAAA,EACA,cAAA,EACqB;AACrB,EAAA,MAAM,WAAA,GAAc,OAAO,WAAA,IAAe,EAAA;AAC1C,EAAA,MAAM,gBAAA,GAAmB,OAAO,gBAAA,IAAoB,cAAA;AAEpD,EAAA,eAAe,aAAa,MAAA,EAAwC;AACnE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,QAAQ,CAAA,CAAE,KAAA,CAAMA,EAAAA,CAAG,QAAA,CAAS,MAAA,E
AAQ,MAAM,CAAC,CAAA;AAE/E,IAAA,OAAO,IAAA,CACL,OAAO,CAAC,CAAA,KAAM,EAAE,SAAA,GAAY,GAAG,CAAA,CAC/B,IAAA,CAAK,CAAC,CAAA,EAAG,MAAM,CAAA,CAAE,SAAA,CAAU,SAAQ,GAAI,CAAA,CAAE,UAAU,OAAA,EAAS,CAAA,CAC5D,GAAA,CAAI,gBAAgB,CAAA;AAAA,EACvB;AAEA,EAAA,eAAe,cAAc,SAAA,EAAkC;AAC9D,IAAA,MAAM,cAAA,CAAe,OAAO,SAAS,CAAA;AAAA,EACtC;AAEA,EAAA,eAAe,mBAAA,CAAoB,QAAgB,gBAAA,EAA2C;AAC7F,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAGrB,IAAA,MAAM,UAAA,GAAa,MAAM,EAAA,CACvB,MAAA,CAAO,EAAE,EAAA,EAAI,QAAA,CAAS,EAAA,EAAI,SAAA,EAAW,QAAA,CAAS,SAAA,EAAW,CAAA,CACzD,IAAA,CAAK,QAAQ,CAAA,CACb,KAAA,CAAMC,GAAAA,CAAID,EAAAA,CAAG,QAAA,CAAS,MAAA,EAAQ,MAAM,CAAA,EAAGS,EAAAA,CAAG,QAAA,CAAS,EAAA,EAAI,gBAAgB,CAAC,CAAC,CAAA;AAE3E,IAAA,MAAM,SAAA,GAAY,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,GAAY,GAAG,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;AAE7E,IAAA,KAAA,MAAW,MAAM,SAAA,EAAW;AAC3B,MAAA,MAAM,cAAA,CAAe,OAAO,EAAE,CAAA;AAAA,IAC/B;AAEA,IAAA,OAAO,SAAA,CAAU,MAAA;AAAA,EAClB;AAEA,EAAA,eAAe,gBAAgB,MAAA,EAAiC;AAC/D,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,CAAO,EAAE,EAAA,EAAI,QAAA,CAAS,IAAI,SAAA,EAAW,QAAA,CAAS,WAAW,CAAA,CACzD,KAAK,QAAQ,CAAA,CACb,MAAMT,EAAAA,CAAG,QAAA,CAAS,MAAA,EAAQ,MAAM,CAAC,CAAA;AAEnC,IAAA,OAAO,KAAK,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,SAAA,GAAY,GAAG,CAAA,CAAE,MAAA;AAAA,EAC9C;AAEA,EAAA,eAAe,oBAAoB,MAAA,EAA+B;AACjE,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,IAAA,GAAO,MAAM,EAAA,CACjB,MAAA,CAAO,EAAE,IAAI,QAAA,CAAS,EAAA,EAAI,SAAA,EAAW,QAAA,CAAS,SAAA,EAAW,SAAA,EAAW,SAAS,SAAA,EAAW,CAAA,CACxF,IAAA,CAAK,QAAQ,CAAA,CACb,MAAMA,EAAAA,CAAG,QAAA,CAAS,MAAA,EAAQ,MAAM,CAAC,CAAA;AAEnC,IAAA,MAAM,cAAA,GAAiB,KACrB,MAAA,CAAO,CAAC,MAAM,CAAA,CAAE,SAAA,GAAY,GAAG,CAAA,CAC/B,IAAA,CAAK,CAAC,CAAA,EAAG,CAAA,KAAM,EAAE,SAAA,CAAU,OAAA,KAAY,CAAA,CAAE,SAAA,CAAU,SAAS,CAAA;AAE9D,IAAA,IAAI,cAAA,CAAe,SAAS,WAAA,EAAa;AAEzC,IAAA,IAAI,qBAAqB,QAAA,EAAU;AAClC,MAAA,MAAM,IAAI,sBAAA,CAAuB,MAAA,EAAQ,WAAW,CAAA;AAAA,IACrD;AAGA,IAAA,MAAM,UAAU,cAAA,CAAe,KAAA,CAAM,GAAG,cAAA,CAAe,MAAA,GAAS,cAAc,CAAC,CAAA;AAC/E,IAAA,KAAA,MAAW,KAAK
,OAAA,EAAS;AACxB,MAAA,MAAM,cAAA,CAAe,MAAA,CAAO,CAAA,CAAE,EAAE,CAAA;AAAA,IACjC;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,YAAA,EAAc,aAAA,EAAe,mBAAA,EAAqB,iBAAiB,mBAAA,EAAoB;AACjG;AAgBO,SAAS,oBAAA,CACf,SACA,KAAA,EAC0B;AAC1B,EAAA,MAAM,EAAA,GAAK,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,YAAY,CAAA;AAC3C,EAAA,MAAM,KACL,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,iBAAiB,GAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,GAAG,IAAA,EAAK,IAC5D,QAAQ,OAAA,CAAQ,GAAA,CAAI,WAAW,CAAA,IAC/B,MAAA;AAED,EAAA,MAAM,MAAA,GAAS,eAAe,EAAE,CAAA;AAEhC,EAAA,OAAO;AAAA,IACN,GAAI,MAAA,KAAW,MAAA,IAAa,EAAE,MAAA,EAAO;AAAA,IACrC,GAAI,EAAA,KAAO,MAAA,IAAa,EAAE,EAAA,EAAG;AAAA,IAC7B,GAAG;AAAA,GACJ;AACD;;;AC9OA,SAAS,UAAA,GAAqB;AAC7B,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,EAAE,CAAA;AAC/B,EAAA,MAAA,CAAO,gBAAgB,KAAK,CAAA;AAC5B,EAAA,OAAO,KAAA,CAAM,IAAA,CAAK,KAAA,EAAO,CAAC,MAAM,CAAA,CAAE,QAAA,CAAS,EAAE,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAE,KAAK,EAAE,CAAA;AACzE;AAEA,eAAeU,YAAAA,CAAY,QAAgB,IAAA,EAA+B;AACzE,EAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY;AAChC,EAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,CAAO,MAAM,CAAA;AACrC,EAAA,MAAM,WAAA,GAAc,OAAA,CAAQ,MAAA,CAAO,IAAI,CAAA;AAEvC,EAAA,MAAM,GAAA,GAAM,MAAM,MAAA,CAAO,MAAA,CAAO,SAAA;AAAA,IAC/B,KAAA;AAAA,IACA,OAAA;AAAA,IACA,EAAE,IAAA,EAAM,MAAA,EAAQ,IAAA,EAAM,SAAA,EAAU;AAAA,IAChC,KAAA;AAAA,IACA,CAAC,MAAM;AAAA,GACR;AAEA,EAAA,MAAM,YAAY,MAAM,MAAA,CAAO,OAAO,IAAA,CAAK,MAAA,EAAQ,KAAK,WAAW,CAAA;AACnE,EAAA,MAAM,MAAM,KAAA,CAAM,IAAA,CAAK,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG,CAAC,CAAA,KAAM,CAAA,CAAE,SAAS,EAAE,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAE,IAAA;AAAA,IACzF;AAAA,GACD;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACrB;AAEA,eAAe,eACd,GAAA,EACA,KAAA,EACA,SACA,UAAA,EACA,SAAA,EACA,WACA,SAAA,EACqE;AACrE,EAAA,IAAI;AACH,IAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,MACjC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACR,cAAA,EAAgB,kBAAA;AAAA,QAChB,gBAAA,EAAkB,KAAA;AAAA,QAClB,mBAAA,EAAqB,UAAA;AAAA,QACrB,oBAAA,EAAsB,SAAA;AAAA,QACtB,oBAAA,EAAsB;AAAA,OACvB;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AAAA,MAC5B,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,SAAS;AAAA,KACrC,CAAA;AACD,
IAAA,OAAO,EAAE,OAAA,EAAS,QAAA,CAAS,EAAA,EAAI,UAAA,EAAY,SAAS,MAAA,EAAO;AAAA,EAC5D,SAAS,GAAA,EAAK;AACb,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAO,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA,KAC7C;AAAA,EACD;AACD;AAEA,eAAe,iBAAA,CACd,GAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACgB;AAChB,EAAA,MAAM,aAAa,UAAA,EAAW;AAC9B,EAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AACzC,EAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA;AACnC,EAAA,MAAM,SAAA,GAAY,MAAMA,YAAAA,CAAY,MAAA,CAAO,QAAQ,IAAI,CAAA;AAEvD,EAAA,MAAM,MAAA,GAAS,CAAC,GAAA,EAAM,GAAA,EAAM,GAAI,CAAA;AAEhC,EAAA,KAAA,IAAS,OAAA,GAAU,CAAA,EAAG,OAAA,GAAU,MAAA,CAAO,YAAY,OAAA,EAAA,EAAW;AAC7D,IAAA,IAAI,UAAU,CAAA,EAAG;AAChB,MAAA,MAAM,IAAI,OAAA,CAAc,CAAC,OAAA,KAAY,UAAA,CAAW,OAAA,EAAS,MAAA,CAAO,OAAA,GAAU,CAAC,CAAA,IAAK,GAAI,CAAC,CAAA;AAAA,IACtF;AAEA,IAAA,MAAM,SAAS,MAAM,cAAA;AAAA,MACpB,GAAA;AAAA,MACA,KAAA;AAAA,MACA,OAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA,MAAA,CAAO;AAAA,KACR;AAEA,IAAA,IAAI,OAAO,OAAA,EAAS;AACnB,MAAA;AAAA,IACD;AAAA,EACD;AACD;AAEO,SAASC,qBAAoB,MAAA,EAAsC;AACzE,EAAA,MAAM,cAAA,GAA0C;AAAA,IAC/C,QAAQ,MAAA,CAAO,MAAA;AAAA,IACf,UAAA,EAAY,OAAO,UAAA,IAAc,CAAA;AAAA,IACjC,SAAA,EAAW,OAAO,SAAA,IAAa;AAAA,GAChC;AAEA,EAAA,MAAM,aAAA,uBAAoB,GAAA,EAAiC;AAE3D,EAAA,eAAe,SAAA,CAAU,KAAa,MAAA,EAAsD;AAC3F,IAAA,MAAM,GAAA,GAA2B;AAAA,MAChC,IAAI,UAAA,EAAW;AAAA,MACf,GAAA;AAAA,MACA,MAAA;AAAA,MACA,MAAA,EAAQ,IAAA;AAAA,MACR,SAAA,sBAAe,IAAA;AAAK,KACrB;AACA,IAAA,aAAA,CAAc,GAAA,CAAI,GAAA,CAAI,EAAA,EAAI,GAAG,CAAA;AAC7B,IAAA,OAAO,GAAA;AAAA,EACR;AAEA,EAAA,eAAe,YAAY,cAAA,EAAuC;AACjE,IAAA,aAAA,CAAc,OAAO,cAAc,CAAA;AAAA,EACpC;AAEA,EAAA,eAAe,IAAA,GAAuC;AACrD,IAAA,OAAO,KAAA,CAAM,IAAA,CAAK,aAAA,CAAc,MAAA,EAAQ,CAAA;AAAA,EACzC;AAEA,EAAA,SAAS,QAAA,CAAS,OAAqB,OAAA,EAAwC;AAC9E,IAAA,MAAM,WAAW,KAAA,CAAM,IAAA,CAAK,aAAA,CAAc,MAAA,EAAQ,CAAA,CAAE,MAAA;AAAA,MACnD,CAAC,GAAA,KAAQ,GAAA,CAAI,UAAU,GAAA,CAAI,MAAA,CAAO,SAAS,KAAK;AAAA,KACjD;AAEA,IAAA,KAAA,MAAW,OAAO,QAAA,EAAU;AAE3B,MAAA,KAAK,iBAAA,CAAkB,GAAA,CAAI,GAAA,EAAK,KAAA,EAAO,SAAS,cAAc,CAAA;AAAA,IAC
/D;AAAA,EACD;AAEA,EAAA,eAAe,KACd,cAAA,EACqE;AACrE,IAAA,MAAM,GAAA,GAAM,aAAA,CAAc,GAAA,CAAI,cAAc,CAAA;AAC5C,IAAA,IAAI,CAAC,GAAA,EAAK;AACT,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,KAAA,EAAO,wBAAA,EAAyB;AAAA,IAC1D;AAEA,IAAA,MAAM,aAAa,UAAA,EAAW;AAC9B,IAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AACzC,IAAA,MAAM,WAAA,GAAc,EAAE,KAAA,EAAO,MAAA,EAAQ,gBAAgB,SAAA,EAAU;AAC/D,IAAA,MAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,WAAW,CAAA;AACvC,IAAA,MAAM,SAAA,GAAY,MAAMD,YAAAA,CAAY,cAAA,CAAe,QAAQ,IAAI,CAAA;AAE/D,IAAA,OAAO,cAAA;AAAA,MACN,GAAA,CAAI,GAAA;AAAA,MACJ,YAAA;AAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA,cAAA,CAAe;AAAA,KAChB;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAA,EAAW,WAAA,EAAa,IAAA,EAAM,UAAU,IAAA,EAAK;AACvD;AAMA,eAAsB,sBAAA,CACrB,MAAA,EACA,OAAA,EACA,SAAA,EACmB;AACnB,EAAA,MAAM,QAAA,GAAW,MAAMA,YAAAA,CAAY,MAAA,EAAQ,OAAO,CAAA;AAElD,EAAA,IAAI,QAAA,CAAS,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,KAAA;AACjD,EAAA,MAAM,CAAA,GAAI,IAAI,WAAA,EAAY,CAAE,OAAO,QAAQ,CAAA;AAC3C,EAAA,MAAM,CAAA,GAAI,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AAC5C,EAAA,IAAI,IAAA,GAAO,CAAA;AACX,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,CAAA,CAAE,QAAQ,CAAA,EAAA,EAAK;AAClC,IAAA,IAAA,IAAA,CAAS,EAAE,CAAC,CAAA,IAAK,CAAA,KAAM,CAAA,CAAE,CAAC,CAAA,IAAK,CAAA,CAAA;AAAA,EAChC;AACA,EAAA,OAAO,IAAA,KAAS,CAAA;AACjB","file":"index.js","sourcesContent":["import { and, eq, gte } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { agents, auditLogs, permissions } from \"../db/schema.js\";\nimport type { Permission } from \"../types.js\";\n\nexport interface PrivilegeFinding {\n\ttype:\n\t\t| \"wildcard_permission\"\n\t\t| \"unused_permission\"\n\t\t| \"overly_broad\"\n\t\t| \"no_constraints\"\n\t\t| \"no_expiry\";\n\tseverity: \"info\" | \"warning\" | \"critical\";\n\tdescription: string;\n\tpermission?: { resource: string; actions: string[] };\n}\n\nexport interface PrivilegeAnalysis {\n\tagentId: string;\n\tagentName: string;\n\tscore: \"minimal\" | \"appropriate\" | \"over-permissioned\" 
| \"wildcard-heavy\";\n\tfindings: PrivilegeFinding[];\n\trecommendations: string[];\n}\n\nexport interface PrivilegeSummary {\n\ttotal: number;\n\tbyScore: Record<string, number>;\n\tcriticalFindings: number;\n}\n\nconst DEFAULT_LOOKBACK_DAYS = 30;\n\nfunction isWildcard(value: string): boolean {\n\treturn value === \"*\" || value.endsWith(\":*\") || value.endsWith(\"/*\");\n}\n\nfunction deriveScore(findings: PrivilegeFinding[]): PrivilegeAnalysis[\"score\"] {\n\tconst hasCritical = findings.some((f) => f.severity === \"critical\");\n\tconst wildcardCount = findings.filter((f) => f.type === \"wildcard_permission\").length;\n\tconst warningCount = findings.filter((f) => f.severity === \"warning\").length;\n\n\tif (hasCritical || wildcardCount >= 2) return \"wildcard-heavy\";\n\tif (wildcardCount === 1 || warningCount >= 2) return \"over-permissioned\";\n\tif (findings.length === 0) return \"minimal\";\n\treturn \"appropriate\";\n}\n\nfunction buildRecommendations(findings: PrivilegeFinding[], usedResources: Set<string>): string[] {\n\tconst recs: string[] = [];\n\n\tfor (const finding of findings) {\n\t\tif (finding.type === \"wildcard_permission\" && finding.permission) {\n\t\t\tconst { resource, actions } = finding.permission;\n\t\t\t// Strip the trailing wildcard to get the namespace prefix.\n\t\t\t// \"mcp:*\" → \"mcp\", \"*\" → \"\" (match everything), \"mcp:github:*\" → \"mcp:github\"\n\t\t\tconst wildcardBase = resource.replace(/:?\\*$/, \"\");\n\t\t\tconst relevantUsed = [...usedResources].filter((r) =>\n\t\t\t\twildcardBase ? 
r.startsWith(wildcardBase) : true,\n\t\t\t);\n\n\t\t\tif (relevantUsed.length > 0) {\n\t\t\t\trecs.push(`Narrow \\`${resource}\\` to \\`${relevantUsed.join(\", \")}\\``);\n\t\t\t} else {\n\t\t\t\trecs.push(`Remove unused wildcard permission \\`${resource}\\``);\n\t\t\t}\n\n\t\t\tif (actions.includes(\"*\")) {\n\t\t\t\tconst usedActions = [\"read\"]; // conservative fallback\n\t\t\t\trecs.push(\n\t\t\t\t\t`Replace wildcard actions on \\`${resource}\\` with explicit actions: ${usedActions.join(\", \")}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tif (finding.type === \"unused_permission\" && finding.permission) {\n\t\t\trecs.push(\n\t\t\t\t`Remove unused permission \\`${finding.permission.resource}\\` (no activity in last ${DEFAULT_LOOKBACK_DAYS} days)`,\n\t\t\t);\n\t\t}\n\n\t\tif (finding.type === \"overly_broad\" && finding.permission) {\n\t\t\tconst { resource } = finding.permission;\n\t\t\tconst relevantUsed = [...usedResources].filter((r) => {\n\t\t\t\tconst prefix = resource.replace(/:?\\*$/, \"\");\n\t\t\t\treturn r.startsWith(prefix);\n\t\t\t});\n\t\t\tif (relevantUsed.length > 0) {\n\t\t\t\trecs.push(\n\t\t\t\t\t`Narrow \\`${resource}\\` to the specific resources used: \\`${relevantUsed.join(\", \")}\\``,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tif (finding.type === \"no_constraints\") {\n\t\t\trecs.push(\"Add rate limits or approval gates to sensitive permissions\");\n\t\t}\n\n\t\tif (finding.type === \"no_expiry\") {\n\t\t\trecs.push(\"Set an expiry date on this agent to enforce periodic credential rotation\");\n\t\t}\n\t}\n\n\t// Deduplicate\n\treturn [...new Set(recs)];\n}\n\n/**\n * Create the least-privilege analyzer.\n *\n * Scans agent permissions against actual audit log usage and surfaces\n * over-permissioned agents, wildcards, and unused grants.\n *\n * @example\n * ```typescript\n * const analyzer = createPrivilegeAnalyzer(db);\n * const report = await analyzer.analyzeAgent('agent-123');\n * console.log(report.score, report.recommendations);\n * ```\n 
*/\nexport function createPrivilegeAnalyzer(db: Database) {\n\tasync function analyzeAgent(\n\t\tagentId: string,\n\t\toptions?: { since?: Date },\n\t): Promise<PrivilegeAnalysis> {\n\t\t// Fetch agent info\n\t\tconst agentRows = await db\n\t\t\t.select({ id: agents.id, name: agents.name, expiresAt: agents.expiresAt })\n\t\t\t.from(agents)\n\t\t\t.where(eq(agents.id, agentId))\n\t\t\t.limit(1);\n\n\t\tconst agent = agentRows[0];\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tagentId,\n\t\t\t\tagentName: \"unknown\",\n\t\t\t\tscore: \"appropriate\",\n\t\t\t\tfindings: [],\n\t\t\t\trecommendations: [],\n\t\t\t};\n\t\t}\n\n\t\t// Fetch permissions\n\t\tconst permRows = await db\n\t\t\t.select({\n\t\t\t\tresource: permissions.resource,\n\t\t\t\tactions: permissions.actions,\n\t\t\t\tconstraints: permissions.constraints,\n\t\t\t})\n\t\t\t.from(permissions)\n\t\t\t.where(eq(permissions.agentId, agentId));\n\n\t\tconst agentPermissions: Array<Permission & { constraints: Permission[\"constraints\"] }> =\n\t\t\tpermRows.map((r) => ({\n\t\t\t\tresource: r.resource,\n\t\t\t\tactions: r.actions,\n\t\t\t\tconstraints: (r.constraints as Permission[\"constraints\"]) ?? undefined,\n\t\t\t}));\n\n\t\t// Fetch audit log usage\n\t\tconst since =\n\t\t\toptions?.since ?? 
new Date(Date.now() - DEFAULT_LOOKBACK_DAYS * 24 * 60 * 60 * 1000);\n\n\t\tconst auditRows = await db\n\t\t\t.select({ resource: auditLogs.resource, action: auditLogs.action })\n\t\t\t.from(auditLogs)\n\t\t\t.where(and(eq(auditLogs.agentId, agentId), gte(auditLogs.timestamp, since)));\n\n\t\tconst usedResources = new Set(auditRows.map((r) => r.resource));\n\n\t\tconst findings: PrivilegeFinding[] = [];\n\n\t\t// Check each permission\n\t\tfor (const perm of agentPermissions) {\n\t\t\t// wildcard_permission: resource or action is a wildcard\n\t\t\tconst hasWildcardResource = isWildcard(perm.resource);\n\t\t\tconst hasWildcardAction = perm.actions.includes(\"*\");\n\n\t\t\tif (hasWildcardResource || hasWildcardAction) {\n\t\t\t\tfindings.push({\n\t\t\t\t\ttype: \"wildcard_permission\",\n\t\t\t\t\tseverity: \"critical\",\n\t\t\t\t\tdescription: hasWildcardResource\n\t\t\t\t\t\t? `Permission resource \\`${perm.resource}\\` uses a wildcard`\n\t\t\t\t\t\t: `Permission \\`${perm.resource}\\` has wildcard action \\`*\\``,\n\t\t\t\t\tpermission: { resource: perm.resource, actions: perm.actions },\n\t\t\t\t});\n\t\t\t\tcontinue; // skip further checks for this permission — wildcard covers all\n\t\t\t}\n\n\t\t\t// unused_permission: resource never appears in audit logs\n\t\t\tconst wasUsed = [...usedResources].some((used) => {\n\t\t\t\tif (perm.resource === used) return true;\n\t\t\t\t// permission covers a namespace, check if any used resource falls under it\n\t\t\t\tconst permBase = perm.resource.replace(/:?\\*$/, \"\");\n\t\t\t\treturn used.startsWith(permBase);\n\t\t\t});\n\n\t\t\tif (!wasUsed) {\n\t\t\t\tfindings.push({\n\t\t\t\t\ttype: \"unused_permission\",\n\t\t\t\t\tseverity: \"warning\",\n\t\t\t\t\tdescription: `Permission \\`${perm.resource}\\` has not been used in the last ${DEFAULT_LOOKBACK_DAYS} days`,\n\t\t\t\t\tpermission: { resource: perm.resource, actions: perm.actions },\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// overly_broad: permission matches a broad prefix but 
only specific sub-resources are used\n\t\t\t// e.g. permission is \"mcp:*\" but only \"mcp:github:repos\" is used\n\t\t\tif (perm.resource.includes(\":\")) {\n\t\t\t\tconst permBase = perm.resource.replace(/:?\\*$/, \"\");\n\t\t\t\tconst coveredUsed = [...usedResources].filter((r) => r.startsWith(permBase));\n\n\t\t\t\tif (coveredUsed.length > 0 && coveredUsed.length < 3) {\n\t\t\t\t\t// Only a few specific resources used — we can be more precise\n\t\t\t\t\tconst segments = perm.resource.split(\":\");\n\t\t\t\t\tif (\n\t\t\t\t\t\tsegments.length <= 2 &&\n\t\t\t\t\t\tcoveredUsed.every((r) => r.split(\":\").length > segments.length)\n\t\t\t\t\t) {\n\t\t\t\t\t\tfindings.push({\n\t\t\t\t\t\t\ttype: \"overly_broad\",\n\t\t\t\t\t\t\tseverity: \"warning\",\n\t\t\t\t\t\t\tdescription: `Permission \\`${perm.resource}\\` is broader than necessary; only \\`${coveredUsed.join(\", \")}\\` was actually used`,\n\t\t\t\t\t\t\tpermission: { resource: perm.resource, actions: perm.actions },\n\t\t\t\t\t\t});\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// no_constraints: permission has no rate limits, time windows, or approval gates\n\t\t\tconst hasConstraints =\n\t\t\t\tperm.constraints &&\n\t\t\t\t(perm.constraints.maxCallsPerHour !== undefined ||\n\t\t\t\t\tperm.constraints.timeWindow !== undefined ||\n\t\t\t\t\tperm.constraints.requireApproval === true ||\n\t\t\t\t\t(perm.constraints.ipAllowlist && perm.constraints.ipAllowlist.length > 0));\n\n\t\t\tif (!hasConstraints) {\n\t\t\t\tfindings.push({\n\t\t\t\t\ttype: \"no_constraints\",\n\t\t\t\t\tseverity: \"info\",\n\t\t\t\t\tdescription: `Permission \\`${perm.resource}\\` has no rate limits, time windows, or approval gates`,\n\t\t\t\t\tpermission: { resource: perm.resource, actions: perm.actions },\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\n\t\t// no_expiry: agent has no expiresAt\n\t\tif (!agent.expiresAt) {\n\t\t\tfindings.push({\n\t\t\t\ttype: \"no_expiry\",\n\t\t\t\tseverity: \"info\",\n\t\t\t\tdescription: \"Agent has no expiry date 
set\",\n\t\t\t});\n\t\t}\n\n\t\tconst score = deriveScore(findings);\n\t\tconst recommendations = buildRecommendations(findings, usedResources);\n\n\t\treturn {\n\t\t\tagentId,\n\t\t\tagentName: agent.name,\n\t\t\tscore,\n\t\t\tfindings,\n\t\t\trecommendations,\n\t\t};\n\t}\n\n\tasync function analyzeAll(options?: { since?: Date }): Promise<PrivilegeAnalysis[]> {\n\t\tconst activeAgents = await db\n\t\t\t.select({ id: agents.id })\n\t\t\t.from(agents)\n\t\t\t.where(eq(agents.status, \"active\"));\n\n\t\tconst results = await Promise.all(activeAgents.map((a) => analyzeAgent(a.id, options)));\n\n\t\treturn results;\n\t}\n\n\tasync function getSummary(): Promise<PrivilegeSummary> {\n\t\tconst analyses = await analyzeAll();\n\n\t\tconst byScore: Record<string, number> = {};\n\t\tlet criticalFindings = 0;\n\n\t\tfor (const analysis of analyses) {\n\t\t\tbyScore[analysis.score] = (byScore[analysis.score] ?? 0) + 1;\n\t\t\tcriticalFindings += analysis.findings.filter((f) => f.severity === \"critical\").length;\n\t\t}\n\n\t\treturn {\n\t\t\ttotal: analyses.length,\n\t\t\tbyScore,\n\t\t\tcriticalFindings,\n\t\t};\n\t}\n\n\treturn { analyzeAgent, analyzeAll, getSummary };\n}\n\nexport type PrivilegeAnalyzer = ReturnType<typeof createPrivilegeAnalyzer>;\n","import { randomUUID } from \"node:crypto\";\nimport { and, eq, lt } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { approvalRequests } from \"../db/schema.js\";\n\nexport interface ApprovalRequest {\n\tid: string;\n\tagentId: string;\n\tuserId: string;\n\taction: string;\n\tresource: string;\n\targuments?: Record<string, unknown>;\n\tstatus: \"pending\" | \"approved\" | \"denied\" | \"expired\";\n\texpiresAt: Date;\n\trespondedAt?: Date;\n\trespondedBy?: string;\n\tcreatedAt: Date;\n}\n\nexport interface ApprovalConfig {\n\t/** How long approval requests stay valid (seconds, default: 300 = 5 min) */\n\tttl?: number;\n\t/** Webhook URL to notify when approval is needed 
*/\n\twebhookUrl?: string;\n\t/** Custom notification handler */\n\tonApprovalNeeded?: (request: ApprovalRequest) => Promise<void>;\n}\n\nfunction rowToApproval(row: typeof approvalRequests.$inferSelect): ApprovalRequest {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId,\n\t\tuserId: row.userId,\n\t\taction: row.action,\n\t\tresource: row.resource,\n\t\targuments: row.arguments ?? undefined,\n\t\tstatus: row.status,\n\t\texpiresAt: row.expiresAt,\n\t\trespondedAt: row.respondedAt ?? undefined,\n\t\trespondedBy: row.respondedBy ?? undefined,\n\t\tcreatedAt: row.createdAt,\n\t};\n}\n\nasync function notifyWebhook(url: string, approvalRequest: ApprovalRequest): Promise<void> {\n\ttry {\n\t\tawait fetch(url, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: { \"Content-Type\": \"application/json\" },\n\t\t\tbody: JSON.stringify({\n\t\t\t\tevent: \"approval_needed\",\n\t\t\t\trequest: {\n\t\t\t\t\t...approvalRequest,\n\t\t\t\t\texpiresAt: approvalRequest.expiresAt.toISOString(),\n\t\t\t\t\tcreatedAt: approvalRequest.createdAt.toISOString(),\n\t\t\t\t},\n\t\t\t}),\n\t\t});\n\t} catch {\n\t\t// Webhook delivery failures are non-fatal — the request is already persisted.\n\t}\n}\n\n/**\n * Create the CIBA-style async approval module.\n *\n * When a permission constraint fires `requireApproval`, callers can create a\n * pending request, notify a human via webhook or custom handler, and later\n * resolve it with `approve` / `deny`.\n *\n * @example\n * ```typescript\n * const approval = createApprovalModule({ ttl: 600, webhookUrl: 'https://...' }, db);\n * const req = await approval.request({ agentId, userId, action: 'write', resource: 'file:*' });\n * // ... human approves via UI ...\n * await approval.approve(req.id, 'human@example.com');\n * ```\n */\nexport function createApprovalModule(config: ApprovalConfig, db: Database) {\n\tconst ttlSeconds = config.ttl ?? 
300;\n\n\tasync function request(input: {\n\t\tagentId: string;\n\t\tuserId: string;\n\t\taction: string;\n\t\tresource: string;\n\t\targuments?: Record<string, unknown>;\n\t}): Promise<ApprovalRequest> {\n\t\tconst now = new Date();\n\t\tconst id = `apr_${randomUUID()}`;\n\t\tconst expiresAt = new Date(now.getTime() + ttlSeconds * 1000);\n\n\t\tawait db.insert(approvalRequests).values({\n\t\t\tid,\n\t\t\tagentId: input.agentId,\n\t\t\tuserId: input.userId,\n\t\t\taction: input.action,\n\t\t\tresource: input.resource,\n\t\t\targuments: input.arguments ?? null,\n\t\t\tstatus: \"pending\",\n\t\t\texpiresAt,\n\t\t\trespondedAt: null,\n\t\t\trespondedBy: null,\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\tconst approvalRequest: ApprovalRequest = {\n\t\t\tid,\n\t\t\tagentId: input.agentId,\n\t\t\tuserId: input.userId,\n\t\t\taction: input.action,\n\t\t\tresource: input.resource,\n\t\t\targuments: input.arguments,\n\t\t\tstatus: \"pending\",\n\t\t\texpiresAt,\n\t\t\tcreatedAt: now,\n\t\t};\n\n\t\t// Notify asynchronously — do not await so caller is not blocked on webhook latency\n\t\tif (config.webhookUrl) {\n\t\t\tvoid notifyWebhook(config.webhookUrl, approvalRequest);\n\t\t}\n\t\tif (config.onApprovalNeeded) {\n\t\t\tvoid config.onApprovalNeeded(approvalRequest);\n\t\t}\n\n\t\treturn approvalRequest;\n\t}\n\n\tasync function resolve(\n\t\trequestId: string,\n\t\tnewStatus: \"approved\" | \"denied\",\n\t\trespondedBy?: string,\n\t): Promise<ApprovalRequest> {\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(approvalRequests)\n\t\t\t.where(eq(approvalRequests.id, requestId))\n\t\t\t.limit(1);\n\n\t\tconst row = rows[0];\n\t\tif (!row) {\n\t\t\tthrow new Error(`Approval request \"${requestId}\" not found`);\n\t\t}\n\t\tif (row.status !== \"pending\") {\n\t\t\tthrow new Error(\n\t\t\t\t`Approval request \"${requestId}\" is already ${row.status} and cannot be updated`,\n\t\t\t);\n\t\t}\n\n\t\tconst now = new Date();\n\t\tawait 
db\n\t\t\t.update(approvalRequests)\n\t\t\t.set({ status: newStatus, respondedAt: now, respondedBy: respondedBy ?? null })\n\t\t\t.where(eq(approvalRequests.id, requestId));\n\n\t\treturn rowToApproval({\n\t\t\t...row,\n\t\t\tstatus: newStatus,\n\t\t\trespondedAt: now,\n\t\t\trespondedBy: respondedBy ?? null,\n\t\t});\n\t}\n\n\tasync function approve(requestId: string, respondedBy?: string): Promise<ApprovalRequest> {\n\t\treturn resolve(requestId, \"approved\", respondedBy);\n\t}\n\n\tasync function deny(requestId: string, respondedBy?: string): Promise<ApprovalRequest> {\n\t\treturn resolve(requestId, \"denied\", respondedBy);\n\t}\n\n\tasync function get(requestId: string): Promise<ApprovalRequest | null> {\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(approvalRequests)\n\t\t\t.where(eq(approvalRequests.id, requestId))\n\t\t\t.limit(1);\n\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\treturn rowToApproval(row);\n\t}\n\n\tasync function listPending(userId?: string): Promise<ApprovalRequest[]> {\n\t\tconst conditions = [eq(approvalRequests.status, \"pending\")];\n\t\tif (userId) conditions.push(eq(approvalRequests.userId, userId));\n\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(approvalRequests)\n\t\t\t.where(and(...conditions));\n\n\t\treturn rows.map(rowToApproval);\n\t}\n\n\tasync function cleanup(): Promise<{ expired: number }> {\n\t\tconst now = new Date();\n\n\t\t// Find pending requests that have expired\n\t\tconst expiredRows = await db\n\t\t\t.select({ id: approvalRequests.id })\n\t\t\t.from(approvalRequests)\n\t\t\t.where(and(eq(approvalRequests.status, \"pending\"), lt(approvalRequests.expiresAt, now)));\n\n\t\tif (expiredRows.length === 0) return { expired: 0 };\n\n\t\tawait db\n\t\t\t.update(approvalRequests)\n\t\t\t.set({ status: \"expired\" })\n\t\t\t.where(and(eq(approvalRequests.status, \"pending\"), lt(approvalRequests.expiresAt, now)));\n\n\t\treturn { expired: expiredRows.length };\n\t}\n\n\treturn 
{\n\t\trequest,\n\t\tapprove,\n\t\tdeny,\n\t\tget,\n\t\tlistPending,\n\t\tcleanup,\n\t};\n}\n\nexport type ApprovalModule = ReturnType<typeof createApprovalModule>;\n","import BetterSqlite3 from \"better-sqlite3\";\nimport type { BetterSQLite3Database } from \"drizzle-orm/better-sqlite3\";\nimport { drizzle as drizzleSqlite } from \"drizzle-orm/better-sqlite3\";\nimport * as schema from \"./schema.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Type definitions\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * The fully-typed SQLite Drizzle database.\n * Postgres and MySQL connections are represented as `AnyDatabase` at the\n * adapter boundary because drizzle-orm exposes separate schema builders\n * (pg-core / mysql-core) that are incompatible with the SQLite schema\n * defined in schema.ts. Full multi-dialect Drizzle schema support is\n * planned for v0.2.0.\n */\nexport type Database = BetterSQLite3Database<typeof schema>;\n\n/**\n * A wider union used internally when the provider is postgres or mysql.\n * Using `unknown` with a discriminated tag keeps `any` contained to a\n * single adapter-boundary cast below.\n */\nexport type AnyDatabase =\n\t| { provider: \"sqlite\"; db: Database }\n\t| { provider: \"postgres\"; db: PostgresDatabase }\n\t| { provider: \"mysql\"; db: MySQLDatabase };\n\n// Import types lazily so the drivers stay optional peer deps.\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype PostgresDatabase = any;\n// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - drizzle pg/mysql types are not compatible with sqlite schema\ntype MySQLDatabase = any;\n\nexport interface DatabaseConfig {\n\tprovider: \"sqlite\" | \"postgres\" | \"mysql\";\n\turl: string;\n\t/** Skip automatic table creation on init (default: false) */\n\tskipMigrations?: boolean;\n}\n\n// 
──────────────────────────────────────────────────────────────────────────────\n// Factory\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create a database connection.\n *\n * - **SQLite** – fully typed Drizzle ORM via `better-sqlite3` (current default).\n * - **Postgres** – Drizzle connection via `drizzle-orm/node-postgres` + `pg` (peer dep).\n * - **MySQL** – Drizzle connection via `drizzle-orm/mysql2` + `mysql2` (peer dep).\n *\n * For Postgres and MySQL the return value is typed as `Database` for source\n * compatibility; the underlying Drizzle instance is created against the\n * correct driver. Full pg-core / mysql-core schema typings are planned for v0.2.0.\n */\nexport async function createDatabase(config: DatabaseConfig): Promise<Database> {\n\tif (config.provider === \"sqlite\") {\n\t\tconst sqlite = new BetterSqlite3(config.url);\n\t\tsqlite.pragma(\"journal_mode = WAL\");\n\t\tsqlite.pragma(\"foreign_keys = ON\");\n\t\treturn drizzleSqlite(sqlite, { schema });\n\t}\n\n\tif (config.provider === \"postgres\") {\n\t\t// Dynamic import keeps `pg` an optional peer dep.\n\t\tconst { Pool } = await import(\"pg\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"postgres\" requires the \"pg\" package. 
' +\n\t\t\t\t\t\"Install it with: npm install pg\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/node-postgres\");\n\n\t\tconst pool = new Pool({ connectionString: config.url });\n\t\t// Cast to Database for API compatibility; full pg schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tif (config.provider === \"mysql\") {\n\t\t// Dynamic import keeps `mysql2` an optional peer dep.\n\t\tconst mysql2 = await import(\"mysql2/promise\").catch(() => {\n\t\t\tthrow new Error(\n\t\t\t\t'KavachOS: provider \"mysql\" requires the \"mysql2\" package. ' +\n\t\t\t\t\t\"Install it with: npm install mysql2\",\n\t\t\t);\n\t\t});\n\t\tconst { drizzle } = await import(\"drizzle-orm/mysql2\");\n\n\t\tconst pool = mysql2.createPool(config.url);\n\t\t// Cast to Database for API compatibility; full mysql-core schema arrives in v0.2.0.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: adapter boundary - cast pg drizzle to sqlite-typed Database\n\t\treturn drizzle(pool) as any as Database;\n\t}\n\n\tthrow new Error(\n\t\t`KavachOS: unsupported database provider \"${(config as DatabaseConfig).provider}\". ` +\n\t\t\t'Valid values are \"sqlite\", \"postgres\", \"mysql\".',\n\t);\n}\n\n/**\n * Synchronous SQLite-only factory kept for backwards compatibility with code\n * that cannot use async initialisation. Throws if a non-SQLite provider is\n * supplied.\n *\n * @deprecated Prefer the async `createDatabase()` which supports all providers.\n */\nexport function createDatabaseSync(config: DatabaseConfig): Database {\n\tif (config.provider !== \"sqlite\") {\n\t\tthrow new Error(\n\t\t\t`createDatabaseSync() only supports SQLite. 
` +\n\t\t\t\t`Use the async createDatabase() for provider \"${config.provider}\".`,\n\t\t);\n\t}\n\tconst sqlite = new BetterSqlite3(config.url);\n\tsqlite.pragma(\"journal_mode = WAL\");\n\tsqlite.pragma(\"foreign_keys = ON\");\n\treturn drizzleSqlite(sqlite, { schema });\n}\n","import type { Database, DatabaseConfig } from \"./database.js\";\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Per-provider DDL helpers\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Returns CREATE TABLE statements for all KavachOS tables, adapted to the\n * target SQL dialect.\n *\n * Dialect differences handled here:\n * - **Timestamps** – SQLite stores as INTEGER (Unix ms); Postgres uses\n * TIMESTAMPTZ; MySQL uses DATETIME(3).\n * - **JSON columns** – SQLite stores as TEXT; Postgres uses JSONB;\n * MySQL uses JSON.\n * - **Booleans** – SQLite stores as INTEGER (0/1); Postgres uses BOOLEAN;\n * MySQL uses TINYINT(1).\n * - **Auto-increment** – Not used here (IDs are application-generated UUIDs /\n * nanoids), so no SERIAL vs AUTO_INCREMENT difference applies.\n */\nfunction buildStatements(provider: DatabaseConfig[\"provider\"]): string[] {\n\tconst isPostgres = provider === \"postgres\";\n\tconst isMysql = provider === \"mysql\";\n\n\t// Timestamp column type\n\tconst ts = isPostgres ? \"TIMESTAMPTZ\" : isMysql ? \"DATETIME(3)\" : \"INTEGER\";\n\t// Nullable timestamp (same type, just no NOT NULL)\n\tconst tsNull = ts;\n\t// JSON column type\n\tconst json = isPostgres ? \"JSONB\" : isMysql ? \"JSON\" : \"TEXT\";\n\t// Boolean column type\n\tconst bool = isPostgres ? \"BOOLEAN\" : isMysql ? 
\"TINYINT(1)\" : \"INTEGER\";\n\t// IF NOT EXISTS is universally supported\n\tconst ifne = \"IF NOT EXISTS\";\n\n\treturn [\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_users\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_users (\n id TEXT NOT NULL PRIMARY KEY,\n email TEXT NOT NULL UNIQUE,\n username TEXT UNIQUE,\n name TEXT,\n external_id TEXT,\n external_provider TEXT,\n metadata ${json},\n banned ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n ban_reason TEXT,\n ban_expires_at ${tsNull},\n force_password_reset ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n stripe_customer_id TEXT UNIQUE,\n stripe_subscription_id TEXT,\n stripe_subscription_status TEXT,\n stripe_price_id TEXT,\n stripe_current_period_end ${tsNull},\n stripe_cancel_at_period_end ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n polar_customer_id TEXT UNIQUE,\n polar_subscription_id TEXT,\n polar_subscription_status TEXT,\n polar_product_id TEXT,\n polar_current_period_end ${tsNull},\n polar_cancel_at_period_end ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_tenants (must come before kavach_agents – agents FK to tenants)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_tenants (\n id TEXT NOT NULL PRIMARY KEY,\n name TEXT NOT NULL,\n slug TEXT NOT NULL UNIQUE,\n settings ${json},\n status TEXT NOT NULL DEFAULT 'active',\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_agents\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_agents (\n id TEXT NOT NULL PRIMARY KEY,\n owner_id TEXT NOT NULL REFERENCES kavach_users(id),\n tenant_id TEXT REFERENCES kavach_tenants(id),\n name TEXT NOT NULL,\n type TEXT NOT NULL,\n status TEXT NOT NULL DEFAULT 'active',\n token_hash TEXT NOT NULL,\n token_prefix TEXT NOT NULL,\n expires_at ${tsNull},\n last_active_at ${tsNull},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_permissions\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_permissions (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n actions ${json} NOT NULL,\n constraints ${json},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_delegation_chains\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_delegation_chains (\n id TEXT NOT NULL PRIMARY KEY,\n from_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n to_agent_id TEXT NOT NULL 
REFERENCES kavach_agents(id),\n permissions ${json} NOT NULL,\n depth INTEGER NOT NULL DEFAULT 1,\n max_depth INTEGER NOT NULL DEFAULT 3,\n status TEXT NOT NULL DEFAULT 'active',\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_audit_logs\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_audit_logs (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n action TEXT NOT NULL,\n resource TEXT NOT NULL,\n parameters ${json},\n result TEXT NOT NULL,\n reason TEXT,\n duration_ms INTEGER NOT NULL,\n tokens_cost INTEGER,\n ip TEXT,\n user_agent TEXT,\n timestamp ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_rate_limits\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_rate_limits (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n resource TEXT NOT NULL,\n window_start ${ts} NOT NULL,\n count INTEGER NOT NULL DEFAULT 0\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_mcp_servers\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_mcp_servers (\n id TEXT NOT NULL PRIMARY KEY,\n name TEXT NOT NULL,\n endpoint TEXT NOT NULL UNIQUE,\n tools ${json} NOT NULL,\n auth_required ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"TRUE\" : \"1\"},\n rate_limit_rpm INTEGER,\n status TEXT NOT NULL DEFAULT 'active',\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_sessions\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_sessions (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n expires_at ${ts} NOT NULL,\n metadata ${json},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_clients\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_clients (\n id TEXT NOT NULL PRIMARY KEY,\n client_id TEXT NOT NULL UNIQUE,\n client_secret TEXT,\n client_name TEXT,\n client_uri TEXT,\n redirect_uris ${json} NOT NULL,\n grant_types ${json} NOT NULL,\n response_types ${json} NOT NULL,\n token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_basic',\n type TEXT NOT NULL DEFAULT 'confidential',\n disabled ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_access_tokens\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_access_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n access_token TEXT NOT NULL UNIQUE,\n refresh_token TEXT UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n scopes TEXT NOT NULL,\n resource TEXT,\n access_token_expires_at ${ts} NOT NULL,\n refresh_token_expires_at ${tsNull},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oauth_authorization_codes\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oauth_authorization_codes (\n id TEXT NOT NULL PRIMARY KEY,\n code TEXT NOT NULL UNIQUE,\n client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n redirect_uri TEXT NOT NULL,\n scopes TEXT NOT NULL,\n code_challenge TEXT,\n code_challenge_method TEXT,\n resource TEXT,\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_budget_policies\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_budget_policies (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT REFERENCES kavach_agents(id) ON DELETE CASCADE,\n user_id TEXT REFERENCES kavach_users(id),\n tenant_id TEXT REFERENCES kavach_tenants(id),\n limits ${json} NOT NULL,\n current_usage ${json} NOT NULL,\n action TEXT NOT NULL DEFAULT 'warn',\n status TEXT NOT NULL DEFAULT 'active',\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// 
------------------------------------------------------------------\n\t\t// kavach_agent_cards (A2A discovery)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_agent_cards (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n description TEXT,\n version TEXT NOT NULL,\n protocols ${json} NOT NULL,\n capabilities ${json} NOT NULL,\n auth_requirements ${json} NOT NULL,\n endpoint TEXT,\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_approval_requests (CIBA async approval flows)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_approval_requests (\n id TEXT NOT NULL PRIMARY KEY,\n agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n action TEXT NOT NULL,\n resource TEXT NOT NULL,\n arguments ${json},\n status TEXT NOT NULL DEFAULT 'pending',\n expires_at ${ts} NOT NULL,\n responded_at ${tsNull},\n responded_by TEXT,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_trust_scores (graduated autonomy scoring)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_trust_scores (\n agent_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,\n score INTEGER NOT NULL,\n level TEXT NOT NULL,\n factors ${json} NOT NULL,\n computed_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_organizations\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_organizations (\n id TEXT NOT NULL PRIMARY KEY,\n name TEXT NOT NULL,\n slug 
TEXT NOT NULL UNIQUE,\n owner_id TEXT NOT NULL REFERENCES kavach_users(id),\n metadata ${json},\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_org_members\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_org_members (\n id TEXT NOT NULL PRIMARY KEY,\n org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n role TEXT NOT NULL DEFAULT 'member',\n joined_at ${ts} NOT NULL,\n UNIQUE(org_id, user_id)\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_org_invitations\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_org_invitations (\n id TEXT NOT NULL PRIMARY KEY,\n org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,\n email TEXT NOT NULL,\n role TEXT NOT NULL DEFAULT 'member',\n invited_by TEXT NOT NULL REFERENCES kavach_users(id),\n status TEXT NOT NULL DEFAULT 'pending',\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_org_roles\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_org_roles (\n id TEXT NOT NULL PRIMARY KEY,\n org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n permissions ${json} NOT NULL,\n UNIQUE(org_id, name)\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_passkey_credentials (WebAuthn / FIDO2 passkeys)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_passkey_credentials (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n credential_id 
TEXT NOT NULL UNIQUE,\n public_key TEXT NOT NULL,\n counter INTEGER NOT NULL DEFAULT 0,\n device_name TEXT,\n transports TEXT,\n created_at ${ts} NOT NULL,\n last_used_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_passkey_challenges (short-lived WebAuthn challenges)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_passkey_challenges (\n id TEXT NOT NULL PRIMARY KEY,\n challenge TEXT NOT NULL UNIQUE,\n user_id TEXT,\n type TEXT NOT NULL,\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_one_time_tokens (email verify, password reset, invitation)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_one_time_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n token_hash TEXT NOT NULL UNIQUE,\n purpose TEXT NOT NULL,\n identifier TEXT NOT NULL,\n metadata ${json},\n used ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_agent_dids (W3C Decentralized Identifiers per agent)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_agent_dids (\n agent_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,\n did TEXT NOT NULL UNIQUE,\n method TEXT NOT NULL,\n public_key_jwk TEXT NOT NULL,\n did_document TEXT NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_magic_links (passwordless email login)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_magic_links (\n id TEXT NOT NULL PRIMARY KEY,\n email TEXT NOT NULL,\n token TEXT NOT NULL UNIQUE,\n expires_at ${ts} NOT NULL,\n used ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_email_otps (one-time password login)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_email_otps (\n id TEXT NOT NULL PRIMARY KEY,\n email TEXT NOT NULL,\n code_hash TEXT NOT NULL,\n expires_at ${ts} NOT NULL,\n attempts INTEGER NOT NULL DEFAULT 0,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_totp (TOTP two-factor authentication)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_totp (\n user_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_users(id),\n secret TEXT NOT NULL,\n enabled ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n backup_codes ${json} NOT NULL,\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_sso_connections (SAML 2.0 / OIDC enterprise SSO)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_sso_connections (\n id TEXT NOT NULL PRIMARY KEY,\n org_id TEXT NOT NULL,\n provider_id TEXT NOT NULL,\n type TEXT NOT NULL,\n domain TEXT NOT NULL UNIQUE,\n enabled INTEGER NOT NULL DEFAULT 1,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_api_keys (static bearer tokens with permission scopes)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_api_keys (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id),\n name TEXT NOT NULL,\n key_hash TEXT NOT NULL,\n key_prefix TEXT NOT NULL,\n permissions ${json} NOT NULL,\n expires_at ${tsNull},\n last_used_at ${tsNull},\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_username_accounts (username + password auth)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_username_accounts (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,\n username TEXT NOT NULL UNIQUE,\n password_hash TEXT NOT NULL,\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_phone_verifications (SMS OTP)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_phone_verifications (\n id TEXT NOT NULL PRIMARY KEY,\n phone_number TEXT NOT NULL,\n code_hash TEXT NOT NULL,\n attempts INTEGER NOT NULL 
DEFAULT 0,\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_trusted_devices (skip 2FA on trusted devices for a window)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_trusted_devices (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,\n fingerprint TEXT NOT NULL,\n label TEXT NOT NULL,\n trusted_at ${ts} NOT NULL,\n expires_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_login_history (last-login method tracking per user)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_login_history (\n id TEXT NOT NULL PRIMARY KEY,\n user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,\n method TEXT NOT NULL,\n ip TEXT,\n user_agent TEXT,\n timestamp ${ts} NOT NULL\n)`,\n\t\t`CREATE INDEX ${ifne} kavach_login_history_user_ts\n ON kavach_login_history (user_id, timestamp DESC)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oidc_clients (OIDC Provider — registered relying parties)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oidc_clients (\n id TEXT NOT NULL PRIMARY KEY,\n client_id TEXT NOT NULL UNIQUE,\n client_secret_hash TEXT NOT NULL,\n client_name TEXT NOT NULL,\n redirect_uris ${json} NOT NULL,\n grant_types ${json} NOT NULL,\n response_types ${json} NOT NULL,\n scopes ${json} NOT NULL,\n token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_post',\n created_at ${ts} NOT NULL,\n updated_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oidc_auth_codes (OIDC Provider — authorization codes)\n\t\t// 
------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oidc_auth_codes (\n id TEXT NOT NULL PRIMARY KEY,\n code_hash TEXT NOT NULL UNIQUE,\n client_id TEXT NOT NULL,\n user_id TEXT NOT NULL,\n redirect_uri TEXT NOT NULL,\n scopes TEXT NOT NULL,\n nonce TEXT,\n code_challenge TEXT,\n code_challenge_method TEXT,\n used ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_oidc_refresh_tokens (OIDC Provider — refresh tokens)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_oidc_refresh_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n token_hash TEXT NOT NULL UNIQUE,\n client_id TEXT NOT NULL,\n user_id TEXT NOT NULL,\n scopes TEXT NOT NULL,\n revoked ${bool} NOT NULL DEFAULT ${isPostgres ? \"FALSE\" : \"0\"},\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_jwt_refresh_tokens (JWT session plugin — general purpose)\n\t\t// ------------------------------------------------------------------\n\t\t`CREATE TABLE ${ifne} kavach_jwt_refresh_tokens (\n id TEXT NOT NULL PRIMARY KEY,\n token_hash TEXT NOT NULL UNIQUE,\n user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,\n used ${bool} NOT NULL DEFAULT ${isPostgres ? 
\"FALSE\" : \"0\"},\n expires_at ${ts} NOT NULL,\n created_at ${ts} NOT NULL\n)`,\n\t\t`CREATE INDEX ${ifne} kavach_jwt_refresh_tokens_user_id\n ON kavach_jwt_refresh_tokens (user_id)`,\n\n\t\t// ------------------------------------------------------------------\n\t\t// kavach_users ban columns (ALTER TABLE IF NOT EXISTS — safe no-ops)\n\t\t// These are appended as separate ALTER statements for existing DBs.\n\t\t// For SQLite we use a separate migration path since SQLite ALTER is limited.\n\t\t// ------------------------------------------------------------------\n\t];\n}\n\n// ──────────────────────────────────────────────────────────────────────────────\n// Public API\n// ──────────────────────────────────────────────────────────────────────────────\n\n/**\n * Create all KavachOS tables if they do not already exist.\n *\n * Uses `CREATE TABLE IF NOT EXISTS` so it is safe to call on every startup.\n * Tables are created in dependency order (no forward-reference FK issues).\n *\n * @param db Drizzle database instance returned by `createDatabase()`.\n * @param provider The database provider used to build the correct DDL syntax.\n *\n * @example\n * ```typescript\n * const db = await createDatabase({ provider: 'postgres', url: process.env.DATABASE_URL });\n * await createTables(db, 'postgres');\n * ```\n */\nexport async function createTables(\n\tdb: Database,\n\tprovider: DatabaseConfig[\"provider\"],\n): Promise<void> {\n\tconst statements = buildStatements(provider);\n\n\tif (provider === \"sqlite\") {\n\t\t// SQLite Drizzle exposes the underlying better-sqlite3 instance via\n\t\t// the `session` property. 
We use it for synchronous multi-statement\n\t\t// execution which is the most reliable path for DDL on SQLite.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: accessing internal drizzle session for raw DDL\n\t\tconst session = (db as any).session;\n\t\tif (session?.client?.exec) {\n\t\t\t// better-sqlite3 Database.exec() runs multiple statements separated\n\t\t\t// by semicolons in a single call.\n\t\t\tsession.client.exec(`${statements.join(\";\\n\")};`);\n\t\t\treturn;\n\t\t}\n\t\t// Fallback: run each statement individually via drizzle `run`.\n\t\t// biome-ignore lint/suspicious/noExplicitAny: raw SQL fallback for DDL execution\n\t\tconst anyDb = db as any;\n\t\tfor (const sql of statements) {\n\t\t\tawait anyDb.run(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\t// Postgres and MySQL: execute each statement via the underlying pool/client.\n\t// We access the internal session to issue raw DDL since drizzle-orm/node-postgres\n\t// and drizzle-orm/mysql2 both expose `.session.client` (or `.client`).\n\t// biome-ignore lint/suspicious/noExplicitAny: raw DDL on pg/mysql adapter boundary\n\tconst anyDb = db as any;\n\n\tif (provider === \"postgres\") {\n\t\t// drizzle-orm/node-postgres wraps a `pg` Pool; the pool is at db.session.client\n\t\t// or accessible via db.$client depending on drizzle version.\n\t\tconst client: { query: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying pg client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.query(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tif (provider === \"mysql\") {\n\t\t// drizzle-orm/mysql2 wraps a mysql2 Pool; exposed at db.$client.\n\t\tconst client: { execute: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? 
anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS createTables: cannot access underlying mysql2 client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.execute(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tthrow new Error(`createTables: unsupported provider \"${provider}\"`);\n}\n","import { randomUUID } from \"node:crypto\";\nimport { and, eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { delegationChains } from \"../db/schema.js\";\nimport type { DelegateInput, DelegationChain, Permission } from \"../types.js\";\n\ninterface DelegationModuleConfig {\n\tdb: Database;\n}\n\n/**\n * Verify that delegated permissions are a subset of the parent's permissions.\n * A child agent cannot have more permissions than its parent.\n */\nfunction isPermissionSubset(parentPerms: Permission[], childPerms: Permission[]): boolean {\n\tfor (const childPerm of childPerms) {\n\t\tconst parentMatch = parentPerms.find((p) => {\n\t\t\t// Check resource match (child must be same or more specific)\n\t\t\tif (!isResourceSubset(p.resource, childPerm.resource)) return false;\n\n\t\t\t// Check actions match (child must have same or fewer actions)\n\t\t\tfor (const action of childPerm.actions) {\n\t\t\t\tif (!p.actions.includes(action) && !p.actions.includes(\"*\")) return false;\n\t\t\t}\n\n\t\t\treturn true;\n\t\t});\n\n\t\tif (!parentMatch) return false;\n\t}\n\n\treturn true;\n}\n\n/**\n * Check if childResource is the same as or more specific than parentResource.\n * \"mcp:github:*\" contains \"mcp:github:read\"\n * \"mcp:*\" contains \"mcp:github:*\"\n * \"*\" contains everything\n */\nfunction isResourceSubset(parentResource: string, childResource: string): boolean {\n\tif (parentResource === \"*\") return true;\n\tif (parentResource === childResource) return true;\n\n\tconst parentParts = parentResource.split(\":\");\n\tconst childParts = 
childResource.split(\":\");\n\n\tfor (let i = 0; i < parentParts.length; i++) {\n\t\tif (parentParts[i] === \"*\") return true;\n\t\tif (parentParts[i] !== childParts[i]) return false;\n\t}\n\n\treturn parentParts.length <= childParts.length;\n}\n\n/**\n * Create the delegation module.\n * Handles agent-to-agent permission delegation with chain tracking.\n */\nexport function createDelegationModule(config: DelegationModuleConfig) {\n\tconst { db } = config;\n\n\tasync function delegate(\n\t\tinput: DelegateInput,\n\t\tparentPermissions: Permission[],\n\t): Promise<DelegationChain> {\n\t\t// Validate permissions are a subset\n\t\tif (!isPermissionSubset(parentPermissions, input.permissions)) {\n\t\t\tthrow new Error(\n\t\t\t\t\"Delegated permissions must be a subset of the parent agent's permissions. \" +\n\t\t\t\t\t\"A child agent cannot have more access than its parent.\",\n\t\t\t);\n\t\t}\n\n\t\t// Check delegation depth\n\t\tconst existingChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(eq(delegationChains.toAgentId, input.fromAgent), eq(delegationChains.status, \"active\")),\n\t\t\t);\n\n\t\tconst currentDepth =\n\t\t\texistingChains.length > 0 ? Math.max(...existingChains.map((c) => c.depth)) + 1 : 1;\n\n\t\tconst maxDepth = input.maxDepth ?? 3;\n\n\t\tif (currentDepth > maxDepth) {\n\t\t\tthrow new Error(\n\t\t\t\t`Delegation depth ${currentDepth} exceeds maximum allowed depth of ${maxDepth}. 
` +\n\t\t\t\t\t\"This prevents infinite delegation chains.\",\n\t\t\t);\n\t\t}\n\n\t\tconst id = randomUUID();\n\t\tconst now = new Date();\n\n\t\tawait db.insert(delegationChains).values({\n\t\t\tid,\n\t\t\tfromAgentId: input.fromAgent,\n\t\t\ttoAgentId: input.toAgent,\n\t\t\tpermissions: input.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\tdepth: currentDepth,\n\t\t\tmaxDepth,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\treturn {\n\t\t\tid,\n\t\t\tfromAgent: input.fromAgent,\n\t\t\ttoAgent: input.toAgent,\n\t\t\tpermissions: input.permissions,\n\t\t\texpiresAt: input.expiresAt,\n\t\t\tdepth: currentDepth,\n\t\t\tcreatedAt: now,\n\t\t};\n\t}\n\n\t/**\n\t * Revoke a delegation chain. Revoking a parent chain also revokes all children.\n\t */\n\tasync function revokeDelegation(chainId: string): Promise<void> {\n\t\tconst chain = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.id, chainId))\n\t\t\t.limit(1);\n\n\t\tif (!chain[0]) throw new Error(`Delegation chain ${chainId} not found.`);\n\n\t\t// Revoke this chain\n\t\tawait db\n\t\t\t.update(delegationChains)\n\t\t\t.set({ status: \"revoked\" })\n\t\t\t.where(eq(delegationChains.id, chainId));\n\n\t\t// Cascade: revoke all chains where the to-agent of this chain is the from-agent\n\t\tconst childChains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\teq(delegationChains.fromAgentId, chain[0].toAgentId),\n\t\t\t\t\teq(delegationChains.status, \"active\"),\n\t\t\t\t),\n\t\t\t);\n\n\t\tfor (const child of childChains) {\n\t\t\tawait revokeDelegation(child.id);\n\t\t}\n\t}\n\n\t/**\n\t * Get the effective permissions for an agent, including delegated permissions.\n\t */\n\tasync function getEffectivePermissions(agentId: string): Promise<Permission[]> {\n\t\tconst chains = await 
db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(and(eq(delegationChains.toAgentId, agentId), eq(delegationChains.status, \"active\")));\n\n\t\t// Filter expired chains\n\t\tconst now = new Date();\n\t\tconst activeChains = chains.filter((c) => c.expiresAt > now);\n\n\t\t// Collect all delegated permissions\n\t\tconst delegatedPerms: Permission[] = [];\n\t\tfor (const chain of activeChains) {\n\t\t\tfor (const perm of chain.permissions) {\n\t\t\t\tdelegatedPerms.push({\n\t\t\t\t\tresource: perm.resource,\n\t\t\t\t\tactions: perm.actions,\n\t\t\t\t});\n\t\t\t}\n\t\t}\n\n\t\treturn delegatedPerms;\n\t}\n\n\t/**\n\t * List all delegation chains for an agent (as source or target).\n\t */\n\tasync function listChains(agentId: string): Promise<DelegationChain[]> {\n\t\tconst chains = await db\n\t\t\t.select()\n\t\t\t.from(delegationChains)\n\t\t\t.where(eq(delegationChains.fromAgentId, agentId));\n\n\t\treturn chains.map((c) => ({\n\t\t\tid: c.id,\n\t\t\tfromAgent: c.fromAgentId,\n\t\t\ttoAgent: c.toAgentId,\n\t\t\tpermissions: c.permissions.map((p) => ({\n\t\t\t\tresource: p.resource,\n\t\t\t\tactions: p.actions,\n\t\t\t})),\n\t\t\texpiresAt: c.expiresAt,\n\t\t\tdepth: c.depth,\n\t\t\tcreatedAt: c.createdAt,\n\t\t}));\n\t}\n\n\treturn { delegate, revokeDelegation, getEffectivePermissions, listChains };\n}\n","import { exportJWK, generateKeyPair } from \"jose\";\nimport type { DidDocument, DidKeyPair, VerificationMethod } from \"./types.js\";\n\n// Bitcoin base58 alphabet (same as multibase base58btc)\nconst BASE58_ALPHABET = \"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz\";\n\n/**\n * Encode a Uint8Array to base58btc string.\n * Implements Bitcoin's base58 encoding algorithm.\n */\nfunction base58btcEncode(bytes: Uint8Array): string {\n\t// Count leading zero bytes — each maps to '1' in base58\n\tlet leadingZeros = 0;\n\tfor (const byte of bytes) {\n\t\tif (byte !== 0) break;\n\t\tleadingZeros++;\n\t}\n\n\t// Convert big-endian byte array 
to a big integer via positional arithmetic\n\tconst digits: number[] = [0];\n\tfor (const byte of bytes) {\n\t\tlet carry = byte;\n\t\tfor (let i = 0; i < digits.length; i++) {\n\t\t\tcarry += (digits[i] ?? 0) * 256;\n\t\t\tdigits[i] = carry % 58;\n\t\t\tcarry = Math.floor(carry / 58);\n\t\t}\n\t\twhile (carry > 0) {\n\t\t\tdigits.push(carry % 58);\n\t\t\tcarry = Math.floor(carry / 58);\n\t\t}\n\t}\n\n\t// Convert digit array (little-endian) to string (big-endian)\n\tconst result = digits\n\t\t.reverse()\n\t\t.map((d) => BASE58_ALPHABET[d] ?? \"1\")\n\t\t.join(\"\");\n\n\treturn \"1\".repeat(leadingZeros) + result;\n}\n\n/**\n * Decode a base64url string to raw bytes (Uint8Array).\n * Works without Node.js Buffer — uses atob after padding normalisation.\n */\nfunction base64urlToBytes(b64url: string): Uint8Array {\n\t// Restore standard base64 padding and characters\n\tconst padded = b64url.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\tconst padLen = (4 - (padded.length % 4)) % 4;\n\tconst b64 = padded + \"=\".repeat(padLen);\n\n\t// atob is available in both Node.js 16+ (global) and browsers\n\tconst binary = atob(b64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n/**\n * Derive the multibase-encoded did:key identifier from an Ed25519 public key.\n *\n * Encoding: base58btc(multicodec_ed25519_prefix || raw_public_key_bytes)\n * Ed25519 multicodec prefix: 0xed 0x01\n * The resulting multibase string is prefixed with 'z' (base58btc indicator).\n */\nfunction publicKeyJwkToDidKey(publicKeyJwk: JsonWebKey): string {\n\tif (!publicKeyJwk.x) {\n\t\tthrow new Error(\"Ed25519 JWK must have an 'x' parameter\");\n\t}\n\tconst rawKey = base64urlToBytes(publicKeyJwk.x);\n\n\t// Ed25519 multicodec prefix\n\tconst prefix = new Uint8Array([0xed, 0x01]);\n\tconst multicodecKey = new Uint8Array(prefix.length + 
rawKey.length);\n\tmulticodecKey.set(prefix);\n\tmulticodecKey.set(rawKey, prefix.length);\n\n\treturn `did:key:z${base58btcEncode(multicodecKey)}`;\n}\n\n/**\n * Build a W3C DID Document for a did:key identifier.\n */\nexport function buildDidDocument(did: string, publicKeyJwk: JsonWebKey): DidDocument {\n\tconst keyId = `${did}#${did.slice(\"did:key:\".length)}`;\n\n\tconst verificationMethod: VerificationMethod = {\n\t\tid: keyId,\n\t\ttype: \"JsonWebKey2020\",\n\t\tcontroller: did,\n\t\tpublicKeyJwk,\n\t};\n\n\treturn {\n\t\t\"@context\": [\"https://www.w3.org/ns/did/v1\", \"https://w3id.org/security/suites/jws-2020/v1\"],\n\t\tid: did,\n\t\tcontroller: did,\n\t\tverificationMethod: [verificationMethod],\n\t\tauthentication: [keyId],\n\t\tassertionMethod: [keyId],\n\t\tcapabilityInvocation: [keyId],\n\t\tcapabilityDelegation: [keyId],\n\t};\n}\n\n/**\n * Generate a new did:key identity using Ed25519.\n *\n * Returns the DID, key pair (JWK format), and auto-generated DID document.\n * The private key is returned to the caller and must be stored securely —\n * it is never persisted by KavachOS.\n */\nexport async function generateDidKey(): Promise<DidKeyPair> {\n\tconst { publicKey, privateKey } = await generateKeyPair(\"EdDSA\", {\n\t\tcrv: \"Ed25519\",\n\t\textractable: true,\n\t});\n\n\tconst publicKeyJwk = await exportJWK(publicKey);\n\tconst privateKeyJwk = await exportJWK(privateKey);\n\n\t// Ensure the JWK has the curve set (jose may omit it)\n\tpublicKeyJwk.crv = \"Ed25519\";\n\tpublicKeyJwk.kty = \"OKP\";\n\tprivateKeyJwk.crv = \"Ed25519\";\n\tprivateKeyJwk.kty = \"OKP\";\n\n\tconst did = publicKeyJwkToDidKey(publicKeyJwk);\n\tconst didDocument = buildDidDocument(did, publicKeyJwk);\n\n\treturn {\n\t\tdid,\n\t\tpublicKeyJwk,\n\t\tprivateKeyJwk,\n\t\tdidDocument,\n\t};\n}\n\n/**\n * Resolve a did:key to its DID document.\n *\n * did:key is self-describing — the public key is embedded in the identifier\n * via multibase(multicodec(raw_key)), so resolution 
is purely local.\n * Returns null if the DID is malformed.\n */\nexport function resolveDidKey(did: string): DidDocument | null {\n\tif (!did.startsWith(\"did:key:z\")) return null;\n\n\t// We reconstruct the DID document by building it from the DID itself.\n\t// The public key bytes could be decoded, but for the document we only\n\t// need the DID string and a placeholder JWK — the key ID references\n\t// the full DID which encodes the key material.\n\t//\n\t// For a proper verifier, callers should use verifyPayload() which\n\t// accepts the public key JWK directly.\n\tconst keyId = `${did}#${did.slice(\"did:key:\".length)}`;\n\n\tconst verificationMethod: VerificationMethod = {\n\t\tid: keyId,\n\t\ttype: \"JsonWebKey2020\",\n\t\tcontroller: did,\n\t\t// Public key JWK is not reconstructed here — callers who need to verify\n\t\t// signatures supply the JWK separately via verifyPayload().\n\t\tpublicKeyJwk: { kty: \"OKP\", crv: \"Ed25519\" },\n\t};\n\n\treturn {\n\t\t\"@context\": [\"https://www.w3.org/ns/did/v1\", \"https://w3id.org/security/suites/jws-2020/v1\"],\n\t\tid: did,\n\t\tcontroller: did,\n\t\tverificationMethod: [verificationMethod],\n\t\tauthentication: [keyId],\n\t\tassertionMethod: [keyId],\n\t\tcapabilityInvocation: [keyId],\n\t\tcapabilityDelegation: [keyId],\n\t};\n}\n","import { importJWK, jwtVerify, SignJWT } from \"jose\";\nimport type { SignedPayload, VerificationResult } from \"./types.js\";\n\n/**\n * Sign a payload as a compact JWS using the agent's DID private key.\n *\n * The JWT header embeds the DID as `iss` and the key fragment as `kid`.\n * Algorithm is always EdDSA (Ed25519).\n */\nexport async function signPayload(\n\tpayload: Record<string, unknown>,\n\tprivateKeyJwk: JsonWebKey,\n\tdid: string,\n): Promise<SignedPayload> {\n\tconst privateKey = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t// The kid is the fragment identifier within the DID document\n\tconst kid = `${did}#${did.split(\":\").pop() ?? 
\"key-1\"}`;\n\n\tconst jws = await new SignJWT(payload)\n\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t.setIssuer(did)\n\t\t.setIssuedAt()\n\t\t.sign(privateKey);\n\n\treturn {\n\t\tjws,\n\t\tpayload,\n\t\tissuer: did,\n\t};\n}\n\n/**\n * Verify a signed payload using a known public key JWK.\n *\n * Extracts the DID from the `iss` claim and returns the decoded payload\n * on success. Callers are responsible for resolving the correct public key\n * from the DID document before calling this function.\n */\nexport async function verifyPayload(\n\tjws: string,\n\tpublicKeyJwk: JsonWebKey,\n): Promise<VerificationResult> {\n\ttry {\n\t\tconst publicKey = await importJWK(publicKeyJwk, \"EdDSA\");\n\t\tconst { payload } = await jwtVerify(jws, publicKey);\n\n\t\tconst issuer = typeof payload.iss === \"string\" ? payload.iss : undefined;\n\n\t\t// Omit standard JWT claims from the returned payload object\n\t\tconst { iss, iat, exp, nbf, jti, aud, sub, ...rest } = payload;\n\t\tvoid iss;\n\t\tvoid iat;\n\t\tvoid exp;\n\t\tvoid nbf;\n\t\tvoid jti;\n\t\tvoid aud;\n\t\tvoid sub;\n\n\t\treturn {\n\t\t\tvalid: true,\n\t\t\tpayload: rest as Record<string, unknown>,\n\t\t\tissuer,\n\t\t};\n\t} catch (err) {\n\t\treturn {\n\t\t\tvalid: false,\n\t\t\terror: err instanceof Error ? err.message : \"Verification failed\",\n\t\t};\n\t}\n}\n\n/**\n * Create a verifiable presentation JWT.\n *\n * The presentation proves the agent's identity and lists the capabilities\n * they are asserting. 
It is audience-bound and short-lived by default.\n */\nexport async function createPresentation(options: {\n\tagentId: string;\n\tdid: string;\n\tprivateKeyJwk: JsonWebKey;\n\tcapabilities: string[];\n\taudience?: string;\n\texpiresIn?: number; // seconds, default 300\n}): Promise<string> {\n\tconst { agentId, did, privateKeyJwk, capabilities, audience, expiresIn = 300 } = options;\n\n\tconst privateKey = await importJWK(privateKeyJwk, \"EdDSA\");\n\tconst kid = `${did}#${did.split(\":\").pop() ?? \"key-1\"}`;\n\n\tconst builder = new SignJWT({\n\t\tagentId,\n\t\tcapabilities,\n\t\ttype: \"VerifiablePresentation\",\n\t})\n\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t.setIssuer(did)\n\t\t.setSubject(agentId)\n\t\t.setIssuedAt()\n\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + expiresIn);\n\n\tif (audience) {\n\t\tbuilder.setAudience(audience);\n\t}\n\n\treturn builder.sign(privateKey);\n}\n\n/**\n * Verify a presentation JWT and extract the claims.\n *\n * Returns the agentId, DID, and capabilities on success.\n */\nexport async function verifyPresentation(\n\tjwt: string,\n\tpublicKeyJwk: JsonWebKey,\n): Promise<{\n\tvalid: boolean;\n\tagentId?: string;\n\tdid?: string;\n\tcapabilities?: string[];\n\terror?: string;\n}> {\n\ttry {\n\t\tconst publicKey = await importJWK(publicKeyJwk, \"EdDSA\");\n\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\tconst agentId = typeof payload.agentId === \"string\" ? payload.agentId : undefined;\n\t\tconst did = typeof payload.iss === \"string\" ? payload.iss : undefined;\n\t\tconst capabilities = Array.isArray(payload.capabilities)\n\t\t\t? (payload.capabilities as string[])\n\t\t\t: undefined;\n\n\t\treturn {\n\t\t\tvalid: true,\n\t\t\tagentId,\n\t\t\tdid,\n\t\t\tcapabilities,\n\t\t};\n\t} catch (err) {\n\t\treturn {\n\t\t\tvalid: false,\n\t\t\terror: err instanceof Error ? 
err.message : \"Presentation verification failed\",\n\t\t};\n\t}\n}\n","import { buildDidDocument, generateDidKey } from \"./key-method.js\";\nimport type { DidDocument, DidKeyPair, DidWebConfig } from \"./types.js\";\n\n/**\n * Build a did:web DID string from a config and agent ID.\n *\n * Spec: https://w3c-ccg.github.io/did-method-web/\n * did:web:example.com → root document\n * did:web:example.com:agents:123 → path-based document\n */\nfunction buildDidWeb(config: DidWebConfig, agentId: string): string {\n\tconst domain = config.domain.replace(/\\//g, \":\");\n\tif (config.path) {\n\t\tconst path = config.path.replace(/\\//g, \":\").replace(/^:|:$/g, \"\");\n\t\treturn `did:web:${domain}:${path}:${agentId}`;\n\t}\n\treturn `did:web:${domain}:${agentId}`;\n}\n\n/**\n * Generate a did:web identity for an agent.\n *\n * Internally generates an Ed25519 key pair and builds a DID document\n * using the did:web identifier derived from the domain config.\n * The private key is returned to the caller and must be stored securely.\n */\nexport async function generateDidWeb(config: DidWebConfig, agentId: string): Promise<DidKeyPair> {\n\t// Generate the underlying Ed25519 key material\n\tconst { publicKeyJwk, privateKeyJwk } = await generateDidKey();\n\n\tconst did = buildDidWeb(config, agentId);\n\tconst didDocument = buildDidDocument(did, publicKeyJwk);\n\n\treturn {\n\t\tdid,\n\t\tpublicKeyJwk,\n\t\tprivateKeyJwk,\n\t\tdidDocument,\n\t};\n}\n\n/**\n * Get the HTTPS URL where a did:web document should be hosted.\n *\n * did:web:example.com → https://example.com/.well-known/did.json\n * did:web:example.com:agents:123 → https://example.com/agents/123/did.json\n */\nexport function getDidWebUrl(did: string): string {\n\tif (!did.startsWith(\"did:web:\")) {\n\t\tthrow new Error(`Not a did:web identifier: ${did}`);\n\t}\n\n\t// Strip the method prefix\n\tconst methodSpecific = did.slice(\"did:web:\".length);\n\tconst parts = methodSpecific.split(\":\");\n\n\t// URL-decode each 
component (colons are percent-encoded path separators in the spec)\n\tconst decoded = parts.map((p) => decodeURIComponent(p));\n\n\tif (decoded.length === 1) {\n\t\t// Root DID: did:web:example.com → /.well-known/did.json\n\t\treturn `https://${decoded[0]}/.well-known/did.json`;\n\t}\n\n\t// Path-based DID: did:web:example.com:agents:123 → /agents/123/did.json\n\tconst domain = decoded[0];\n\tconst pathSegments = decoded.slice(1);\n\treturn `https://${domain}/${pathSegments.join(\"/\")}/did.json`;\n}\n\n/**\n * Resolve a did:web by fetching the DID document from the web.\n *\n * Returns null if the fetch fails or the document is malformed.\n * In production, callers should add caching and error handling.\n */\nexport async function resolveDidWeb(did: string): Promise<DidDocument | null> {\n\tlet url: string;\n\ttry {\n\t\turl = getDidWebUrl(did);\n\t} catch {\n\t\treturn null;\n\t}\n\n\ttry {\n\t\tconst response = await fetch(url, {\n\t\t\theaders: { Accept: \"application/json\" },\n\t\t});\n\n\t\tif (!response.ok) return null;\n\n\t\tconst doc = (await response.json()) as DidDocument;\n\n\t\t// Basic sanity check — must have @context and id\n\t\tif (!doc[\"@context\"] || !doc.id) return null;\n\n\t\treturn doc;\n\t} catch {\n\t\treturn null;\n\t}\n}\n","import { eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { agentDids } from \"../db/schema.js\";\nimport { generateDidKey, resolveDidKey } from \"./key-method.js\";\nimport { createPresentation, signPayload, verifyPayload, verifyPresentation } from \"./signing.js\";\nimport type {\n\tAgentDid,\n\tDidDocument,\n\tDidWebConfig,\n\tSignedPayload,\n\tVerificationResult,\n} from \"./types.js\";\nimport { generateDidWeb, resolveDidWeb } from \"./web-method.js\";\n\n/**\n * Create the DID module.\n *\n * Provides W3C DID generation (did:key and did:web), storage of the public\n * key + DID document in the database, and signing / verification helpers.\n * Private keys are never 
stored — they are returned to the caller on\n * generation and must be stored securely elsewhere.\n */\nexport function createDidModule(db: Database, config?: { web?: DidWebConfig }) {\n\t/**\n\t * Generate a did:key identity for an agent.\n\t *\n\t * Stores the public key and DID document in `kavach_agent_dids`.\n\t * Returns the private key to the caller — it is not persisted.\n\t */\n\tasync function generateKey(\n\t\tagentId: string,\n\t): Promise<{ agentDid: AgentDid; privateKeyJwk: JsonWebKey }> {\n\t\tconst keyPair = await generateDidKey();\n\n\t\tconst now = new Date();\n\n\t\tawait db.insert(agentDids).values({\n\t\t\tagentId,\n\t\t\tdid: keyPair.did,\n\t\t\tmethod: \"key\",\n\t\t\tpublicKeyJwk: JSON.stringify(keyPair.publicKeyJwk),\n\t\t\tdidDocument: JSON.stringify(keyPair.didDocument),\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\tconst agentDid: AgentDid = {\n\t\t\tagentId,\n\t\t\tdid: keyPair.did,\n\t\t\tmethod: \"key\",\n\t\t\tpublicKeyJwk: keyPair.publicKeyJwk,\n\t\t\tdidDocument: keyPair.didDocument,\n\t\t\tcreatedAt: now,\n\t\t};\n\n\t\treturn { agentDid, privateKeyJwk: keyPair.privateKeyJwk };\n\t}\n\n\t/**\n\t * Generate a did:web identity for an agent.\n\t *\n\t * Requires `config.web` to be set with a domain.\n\t * Stores the public key and DID document in `kavach_agent_dids`.\n\t */\n\tasync function generateWeb(\n\t\tagentId: string,\n\t): Promise<{ agentDid: AgentDid; privateKeyJwk: JsonWebKey }> {\n\t\tif (!config?.web) {\n\t\t\tthrow new Error(\n\t\t\t\t\"did:web requires a web config (domain). 
Pass { web: { domain: 'example.com' } } to createDidModule().\",\n\t\t\t);\n\t\t}\n\n\t\tconst keyPair = await generateDidWeb(config.web, agentId);\n\t\tconst now = new Date();\n\n\t\tawait db.insert(agentDids).values({\n\t\t\tagentId,\n\t\t\tdid: keyPair.did,\n\t\t\tmethod: \"web\",\n\t\t\tpublicKeyJwk: JSON.stringify(keyPair.publicKeyJwk),\n\t\t\tdidDocument: JSON.stringify(keyPair.didDocument),\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\tconst agentDid: AgentDid = {\n\t\t\tagentId,\n\t\t\tdid: keyPair.did,\n\t\t\tmethod: \"web\",\n\t\t\tpublicKeyJwk: keyPair.publicKeyJwk,\n\t\t\tdidDocument: keyPair.didDocument,\n\t\t\tcreatedAt: now,\n\t\t};\n\n\t\treturn { agentDid, privateKeyJwk: keyPair.privateKeyJwk };\n\t}\n\n\t/**\n\t * Resolve any DID to its DID document.\n\t *\n\t * - did:key → resolved locally from the identifier encoding\n\t * - did:web → fetched from the HTTPS well-known URL\n\t */\n\tasync function resolve(did: string): Promise<DidDocument | null> {\n\t\tif (did.startsWith(\"did:key:\")) {\n\t\t\treturn resolveDidKey(did);\n\t\t}\n\t\tif (did.startsWith(\"did:web:\")) {\n\t\t\treturn resolveDidWeb(did);\n\t\t}\n\t\treturn null;\n\t}\n\n\t/**\n\t * Get the stored DID record for an agent, or null if none exists.\n\t */\n\tasync function getAgentDid(agentId: string): Promise<AgentDid | null> {\n\t\tconst rows = await db.select().from(agentDids).where(eq(agentDids.agentId, agentId));\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\n\t\treturn {\n\t\t\tagentId: row.agentId,\n\t\t\tdid: row.did,\n\t\t\tmethod: row.method as \"key\" | \"web\",\n\t\t\tpublicKeyJwk: JSON.parse(row.publicKeyJwk) as JsonWebKey,\n\t\t\tdidDocument: JSON.parse(row.didDocument) as DidDocument,\n\t\t\tcreatedAt: row.createdAt,\n\t\t};\n\t}\n\n\t/**\n\t * Sign a payload using the private key provided by the caller.\n\t *\n\t * The agent's stored DID is used as the issuer (`iss` claim).\n\t */\n\tasync function sign(\n\t\tagentId: string,\n\t\tpayload: Record<string, 
unknown>,\n\t\tprivateKeyJwk: JsonWebKey,\n\t): Promise<SignedPayload> {\n\t\tconst agentDid = await getAgentDid(agentId);\n\t\tif (!agentDid) {\n\t\t\tthrow new Error(`No DID found for agent \"${agentId}\". Call generateKey() first.`);\n\t\t}\n\t\treturn signPayload(payload, privateKeyJwk, agentDid.did);\n\t}\n\n\t/**\n\t * Verify a JWS signature.\n\t *\n\t * When `did` is provided, the public key is looked up from the database.\n\t * Otherwise the caller must provide a public key JWK directly — use the\n\t * lower-level `verifyPayload()` from signing.ts in that case.\n\t */\n\tasync function verify(jws: string, did?: string): Promise<VerificationResult> {\n\t\tif (!did) {\n\t\t\treturn {\n\t\t\t\tvalid: false,\n\t\t\t\terror: \"A DID is required to look up the public key for verification.\",\n\t\t\t};\n\t\t}\n\n\t\tconst rows = await db.select().from(agentDids).where(eq(agentDids.did, did));\n\t\tconst row = rows[0];\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tvalid: false,\n\t\t\t\terror: `No stored public key found for DID \"${did}\"`,\n\t\t\t};\n\t\t}\n\n\t\tconst publicKeyJwk = JSON.parse(row.publicKeyJwk) as JsonWebKey;\n\t\treturn verifyPayload(jws, publicKeyJwk);\n\t}\n\n\t/**\n\t * Create a verifiable presentation JWT for an agent.\n\t */\n\tasync function createPresentationForAgent(options: {\n\t\tagentId: string;\n\t\tprivateKeyJwk: JsonWebKey;\n\t\tcapabilities: string[];\n\t\taudience?: string;\n\t\texpiresIn?: number;\n\t}): Promise<string> {\n\t\tconst agentDid = await getAgentDid(options.agentId);\n\t\tif (!agentDid) {\n\t\t\tthrow new Error(`No DID found for agent \"${options.agentId}\". 
Call generateKey() first.`);\n\t\t}\n\n\t\treturn createPresentation({\n\t\t\tagentId: options.agentId,\n\t\t\tdid: agentDid.did,\n\t\t\tprivateKeyJwk: options.privateKeyJwk,\n\t\t\tcapabilities: options.capabilities,\n\t\t\taudience: options.audience,\n\t\t\texpiresIn: options.expiresIn,\n\t\t});\n\t}\n\n\t/**\n\t * Verify a presentation JWT.\n\t *\n\t * Looks up the public key from the stored DID document in the database.\n\t * The DID is extracted from the `iss` claim in the JWT header.\n\t */\n\tasync function verifyPresentationForAgent(\n\t\tjwt: string,\n\t): Promise<VerificationResult & { capabilities?: string[] }> {\n\t\t// Decode header/payload without verification to extract the issuer DID\n\t\tconst parts = jwt.split(\".\");\n\t\tif (parts.length !== 3) {\n\t\t\treturn { valid: false, error: \"Malformed JWT: expected 3 parts\" };\n\t\t}\n\n\t\tlet issuerDid: string | undefined;\n\t\ttry {\n\t\t\tconst payloadPart = parts[1] ?? \"\";\n\t\t\tconst padded = payloadPart.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t\t\tconst padLen = (4 - (padded.length % 4)) % 4;\n\t\t\tconst decoded = atob(padded + \"=\".repeat(padLen));\n\t\t\tconst claims = JSON.parse(decoded) as Record<string, unknown>;\n\t\t\tissuerDid = typeof claims.iss === \"string\" ? 
claims.iss : undefined;\n\t\t} catch {\n\t\t\treturn { valid: false, error: \"Failed to decode JWT payload\" };\n\t\t}\n\n\t\tif (!issuerDid) {\n\t\t\treturn { valid: false, error: \"JWT missing 'iss' claim\" };\n\t\t}\n\n\t\tconst rows = await db.select().from(agentDids).where(eq(agentDids.did, issuerDid));\n\t\tconst row = rows[0];\n\t\tif (!row) {\n\t\t\treturn {\n\t\t\t\tvalid: false,\n\t\t\t\terror: `No stored public key found for DID \"${issuerDid}\"`,\n\t\t\t};\n\t\t}\n\n\t\tconst publicKeyJwk = JSON.parse(row.publicKeyJwk) as JsonWebKey;\n\t\tconst result = await verifyPresentation(jwt, publicKeyJwk);\n\n\t\tif (!result.valid) {\n\t\t\treturn { valid: false, error: result.error };\n\t\t}\n\n\t\treturn {\n\t\t\tvalid: true,\n\t\t\tissuer: result.did,\n\t\t\tpayload: undefined,\n\t\t\tcapabilities: result.capabilities,\n\t\t};\n\t}\n\n\treturn {\n\t\tgenerateKey,\n\t\tgenerateWeb,\n\t\tresolve,\n\t\tgetAgentDid,\n\t\tsign,\n\t\tverify,\n\t\tcreatePresentation: createPresentationForAgent,\n\t\tverifyPresentation: verifyPresentationForAgent,\n\t};\n}\n\nexport type DidModule = ReturnType<typeof createDidModule>;\n","export interface EmailTemplate {\n\tsubject: string;\n\ttext: string;\n\thtml: string;\n}\n\nexport type EmailTemplateName =\n\t| \"verification\"\n\t| \"passwordReset\"\n\t| \"magicLink\"\n\t| \"emailOtp\"\n\t| \"invitation\"\n\t| \"welcome\";\n\nexport interface EmailTemplateConfig {\n\tappName?: string;\n\tappUrl?: string;\n\t/** Custom templates override defaults */\n\ttemplates?: Partial<Record<EmailTemplateName, (vars: Record<string, string>) => EmailTemplate>>;\n}\n\n// ---------------------------------------------------------------------------\n// HTML helpers\n// ---------------------------------------------------------------------------\n\nconst OUTER_STYLES =\n\t'font-family:Inter,-apple-system,BlinkMacSystemFont,\"Segoe UI\",sans-serif;background:#f4f4f5;margin:0;padding:0;';\nconst CONTAINER_STYLES =\n\t\"max-width:560px;margin:32px 
auto;background:#ffffff;border-radius:8px;overflow:hidden;\";\nconst HEADER_STYLES = \"background:#C9A84C;padding:24px 32px;\";\nconst HEADER_H1_STYLES =\n\t\"color:#ffffff;margin:0;font-size:20px;font-weight:600;letter-spacing:-0.3px;\";\nconst BODY_STYLES = \"padding:32px;\";\nconst P_STYLES = \"margin:0 0 16px;color:#3f3f46;font-size:15px;line-height:1.6;\";\nconst CODE_STYLES =\n\t\"display:inline-block;background:#fef9ec;border:1px solid #e9c97e;border-radius:6px;padding:12px 24px;font-family:JetBrains Mono,monospace;font-size:24px;font-weight:700;letter-spacing:4px;color:#8B6914;\";\nconst BUTTON_STYLES =\n\t\"display:inline-block;background:#C9A84C;color:#ffffff;text-decoration:none;padding:12px 24px;border-radius:6px;font-size:15px;font-weight:600;\";\nconst FOOTER_STYLES =\n\t\"border-top:1px solid #e4e4e7;padding:16px 32px;color:#a1a1aa;font-size:13px;\";\n\nfunction html(appName: string, title: string, body: string): string {\n\treturn `<!DOCTYPE html>\n<html lang=\"en\">\n<head><meta charset=\"UTF-8\"><meta name=\"viewport\" content=\"width=device-width,initial-scale=1\"><title>${title}</title></head>\n<body style=\"${OUTER_STYLES}\">\n<table width=\"100%\" cellpadding=\"0\" cellspacing=\"0\" border=\"0\"><tr><td>\n<div style=\"${CONTAINER_STYLES}\">\n <div style=\"${HEADER_STYLES}\"><h1 style=\"${HEADER_H1_STYLES}\">${appName}</h1></div>\n <div style=\"${BODY_STYLES}\">${body}</div>\n <div style=\"${FOOTER_STYLES}\">You received this email because of activity on your ${appName} account.</div>\n</div>\n</td></tr></table>\n</body>\n</html>`;\n}\n\nfunction p(content: string): string {\n\treturn `<p style=\"${P_STYLES}\">${content}</p>`;\n}\n\nfunction button(url: string, label: string): string {\n\treturn `<p style=\"margin:24px 0;\"><a href=\"${url}\" style=\"${BUTTON_STYLES}\">${label}</a></p>`;\n}\n\nfunction code(value: string): string {\n\treturn `<p style=\"margin:24px 0;\"><span style=\"${CODE_STYLES}\">${value}</span></p>`;\n}\n\n// 
---------------------------------------------------------------------------\n// Built-in template factories\n// ---------------------------------------------------------------------------\n\nfunction verificationTemplate(\n\tappName: string,\n\tappUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst verifyUrl = vars.verifyUrl ?? `${appUrl}/verify?token=${vars.token ?? \"\"}`;\n\n\treturn {\n\t\tsubject: `Verify your email - ${appName}`,\n\t\ttext: [\n\t\t\t`Verify your email address`,\n\t\t\t``,\n\t\t\t`Hi${email ? ` ${email}` : \"\"},`,\n\t\t\t``,\n\t\t\t`Please verify your email address by visiting the link below:`,\n\t\t\t``,\n\t\t\tverifyUrl,\n\t\t\t``,\n\t\t\t`This link expires in 24 hours. If you did not create an account, you can ignore this email.`,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`Verify your email`,\n\t\t\t[\n\t\t\t\tp(`Hi${email ? ` <strong>${email}</strong>` : \"\"},`),\n\t\t\t\tp(\"Please verify your email address to complete your sign-up.\"),\n\t\t\t\tbutton(verifyUrl, \"Verify email\"),\n\t\t\t\tp(`Or copy this link: <a href=\"${verifyUrl}\" style=\"color:#C9A84C;\">${verifyUrl}</a>`),\n\t\t\t\tp(\n\t\t\t\t\t`This link expires in 24 hours. If you did not create an account, you can safely ignore this email.`,\n\t\t\t\t),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\nfunction passwordResetTemplate(\n\tappName: string,\n\tappUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst resetUrl = vars.resetUrl ?? `${appUrl}/reset-password?token=${vars.token ?? \"\"}`;\n\n\treturn {\n\t\tsubject: `Reset your password - ${appName}`,\n\t\ttext: [\n\t\t\t`Reset your password`,\n\t\t\t``,\n\t\t\t`Hi${email ? ` ${email}` : \"\"},`,\n\t\t\t``,\n\t\t\t`We received a request to reset your password. Click the link below to proceed:`,\n\t\t\t``,\n\t\t\tresetUrl,\n\t\t\t``,\n\t\t\t`This link expires in 1 hour. 
If you did not request a password reset, you can ignore this email.`,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`Reset your password`,\n\t\t\t[\n\t\t\t\tp(`Hi${email ? ` <strong>${email}</strong>` : \"\"},`),\n\t\t\t\tp(\"We received a request to reset your password.\"),\n\t\t\t\tbutton(resetUrl, \"Reset password\"),\n\t\t\t\tp(`Or copy this link: <a href=\"${resetUrl}\" style=\"color:#C9A84C;\">${resetUrl}</a>`),\n\t\t\t\tp(\n\t\t\t\t\t`This link expires in 1 hour. If you did not request a password reset, you can safely ignore this email.`,\n\t\t\t\t),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\nfunction magicLinkTemplate(\n\tappName: string,\n\t_appUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst url = vars.url ?? \"\";\n\n\treturn {\n\t\tsubject: `Sign in to ${appName}`,\n\t\ttext: [\n\t\t\t`Sign in to ${appName}`,\n\t\t\t``,\n\t\t\t`Hi${email ? ` ${email}` : \"\"},`,\n\t\t\t``,\n\t\t\t`Click the link below to sign in to your account. This link expires in 15 minutes and can only be used once.`,\n\t\t\t``,\n\t\t\turl,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`Sign in to ${appName}`,\n\t\t\t[\n\t\t\t\tp(`Hi${email ? ` <strong>${email}</strong>` : \"\"},`),\n\t\t\t\tp(\n\t\t\t\t\t\"Click the button below to sign in. This link expires in 15 minutes and can only be used once.\",\n\t\t\t\t),\n\t\t\t\tbutton(url, `Sign in to ${appName}`),\n\t\t\t\tp(`Or copy this link: <a href=\"${url}\" style=\"color:#C9A84C;\">${url}</a>`),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\nfunction emailOtpTemplate(\n\tappName: string,\n\t_appUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst otpCode = vars.code ?? \"\";\n\n\treturn {\n\t\tsubject: `Your verification code: ${otpCode}`,\n\t\ttext: [\n\t\t\t`Your verification code`,\n\t\t\t``,\n\t\t\t`Hi${email ? 
` ${email}` : \"\"},`,\n\t\t\t``,\n\t\t\t`Your ${appName} verification code is:`,\n\t\t\t``,\n\t\t\totpCode,\n\t\t\t``,\n\t\t\t`This code expires in 10 minutes. Do not share it with anyone.`,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`Your verification code`,\n\t\t\t[\n\t\t\t\tp(`Hi${email ? ` <strong>${email}</strong>` : \"\"},`),\n\t\t\t\tp(`Your ${appName} verification code is:`),\n\t\t\t\tcode(otpCode),\n\t\t\t\tp(\"This code expires in 10 minutes. Do not share it with anyone.\"),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\nfunction invitationTemplate(\n\tappName: string,\n\t_appUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst orgName = vars.orgName ?? \"an organization\";\n\tconst inviteUrl = vars.inviteUrl ?? \"\";\n\n\treturn {\n\t\tsubject: `You've been invited to ${orgName}`,\n\t\ttext: [\n\t\t\t`You've been invited to ${orgName}`,\n\t\t\t``,\n\t\t\t`Hi${email ? ` ${email}` : \"\"},`,\n\t\t\t``,\n\t\t\t`You've been invited to join ${orgName} on ${appName}. Click the link below to accept:`,\n\t\t\t``,\n\t\t\tinviteUrl,\n\t\t\t``,\n\t\t\t`If you were not expecting this invitation, you can ignore this email.`,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`You've been invited to ${orgName}`,\n\t\t\t[\n\t\t\t\tp(`Hi${email ? ` <strong>${email}</strong>` : \"\"},`),\n\t\t\t\tp(`You've been invited to join <strong>${orgName}</strong> on ${appName}.`),\n\t\t\t\tbutton(inviteUrl, `Accept invitation`),\n\t\t\t\tp(`Or copy this link: <a href=\"${inviteUrl}\" style=\"color:#C9A84C;\">${inviteUrl}</a>`),\n\t\t\t\tp(\"If you were not expecting this invitation, you can safely ignore this email.\"),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\nfunction welcomeTemplate(\n\tappName: string,\n\tappUrl: string,\n\tvars: Record<string, string>,\n): EmailTemplate {\n\tconst email = vars.email ?? \"\";\n\tconst name = vars.name ?? 
email;\n\n\treturn {\n\t\tsubject: `Welcome to ${appName}`,\n\t\ttext: [\n\t\t\t`Welcome to ${appName}`,\n\t\t\t``,\n\t\t\t`Hi ${name},`,\n\t\t\t``,\n\t\t\t`Your account is ready. Head over to ${appUrl} to get started.`,\n\t\t\t``,\n\t\t\t`If you have any questions, reply to this email.`,\n\t\t].join(\"\\n\"),\n\t\thtml: html(\n\t\t\tappName,\n\t\t\t`Welcome to ${appName}`,\n\t\t\t[\n\t\t\t\tp(`Hi <strong>${name}</strong>,`),\n\t\t\t\tp(`Your account is ready. Welcome to ${appName}.`),\n\t\t\t\tbutton(appUrl, `Get started`),\n\t\t\t\tp(\"If you have any questions, just reply to this email.\"),\n\t\t\t].join(\"\"),\n\t\t),\n\t};\n}\n\n// ---------------------------------------------------------------------------\n// Public factory\n// ---------------------------------------------------------------------------\n\nexport interface EmailTemplates {\n\trender(name: EmailTemplateName, vars: Record<string, string>): EmailTemplate;\n}\n\nexport function createEmailTemplates(config: EmailTemplateConfig = {}): EmailTemplates {\n\tconst appName = config.appName ?? \"KavachOS\";\n\tconst appUrl = config.appUrl ?? \"http://localhost:3000\";\n\tconst overrides = config.templates ?? 
{};\n\n\tfunction render(name: EmailTemplateName, vars: Record<string, string>): EmailTemplate {\n\t\tconst override = overrides[name];\n\t\tif (override) {\n\t\t\treturn override(vars);\n\t\t}\n\n\t\tswitch (name) {\n\t\t\tcase \"verification\":\n\t\t\t\treturn verificationTemplate(appName, appUrl, vars);\n\t\t\tcase \"passwordReset\":\n\t\t\t\treturn passwordResetTemplate(appName, appUrl, vars);\n\t\t\tcase \"magicLink\":\n\t\t\t\treturn magicLinkTemplate(appName, appUrl, vars);\n\t\t\tcase \"emailOtp\":\n\t\t\t\treturn emailOtpTemplate(appName, appUrl, vars);\n\t\t\tcase \"invitation\":\n\t\t\t\treturn invitationTemplate(appName, appUrl, vars);\n\t\t\tcase \"welcome\":\n\t\t\t\treturn welcomeTemplate(appName, appUrl, vars);\n\t\t}\n\t}\n\n\treturn { render };\n}\n","import type { AgentIdentity, CreateAgentInput } from \"../types.js\";\n\nexport interface KavachHooks {\n\t/**\n\t * Fires before authorize() — can block the request by returning\n\t * `{ allow: false, reason: '...' }`. Return `void` or `{ allow: true }`\n\t * to let the request proceed.\n\t */\n\tbeforeAuthorize?: (context: {\n\t\tagentId: string;\n\t\taction: string;\n\t\tresource: string;\n\t\targuments?: Record<string, unknown>;\n\t}) => Promise<{ allow: boolean; reason?: string } | undefined>;\n\n\t/** Fires after authorize() with the final result. */\n\tafterAuthorize?: (context: {\n\t\tagentId: string;\n\t\taction: string;\n\t\tresource: string;\n\t\tresult: { allowed: boolean; reason?: string; auditId: string };\n\t}) => Promise<void>;\n\n\t/** Fires before agent creation — return `{ allow: false }` to block. */\n\tbeforeAgentCreate?: (\n\t\tinput: CreateAgentInput,\n\t) => Promise<{ allow: boolean; reason?: string } | undefined>;\n\n\t/** Fires after an agent is successfully created. */\n\tafterAgentCreate?: (agent: AgentIdentity) => Promise<void>;\n\n\t/** Fires when an agent is revoked. 
*/\n\tonAgentRevoke?: (agentId: string) => Promise<void>;\n\n\t/**\n\t * Fires when a policy violation is detected (denied, rate-limited, etc.).\n\t */\n\tonViolation?: (violation: {\n\t\ttype:\n\t\t\t| \"permission_denied\"\n\t\t\t| \"rate_limited\"\n\t\t\t| \"ip_blocked\"\n\t\t\t| \"time_restricted\"\n\t\t\t| \"approval_required\";\n\t\tagentId: string;\n\t\taction: string;\n\t\tresource: string;\n\t\treason: string;\n\t}) => Promise<void>;\n}\n\nexport type ViolationType =\n\t| \"permission_denied\"\n\t| \"rate_limited\"\n\t| \"ip_blocked\"\n\t| \"time_restricted\"\n\t| \"approval_required\";\n\n/**\n * Map an authorization denial reason string to a violation type.\n * Falls back to 'permission_denied' when no more specific match is found.\n */\nexport function classifyViolation(reason: string | undefined): ViolationType {\n\tconst r = reason?.toLowerCase() ?? \"\";\n\tif (r.includes(\"rate\") || r.includes(\"rate_limited\")) return \"rate_limited\";\n\tif (r.includes(\"ip\") || r.includes(\"allowlist\")) return \"ip_blocked\";\n\tif (r.includes(\"time\") || r.includes(\"window\")) return \"time_restricted\";\n\tif (r.includes(\"approval\")) return \"approval_required\";\n\treturn \"permission_denied\";\n}\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const en: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": \"Invalid email or password.\",\n\t\"auth.emailNotVerified\": \"Please verify your email address before signing in.\",\n\t\"auth.accountLocked\": \"Your account has been locked. Contact support to unlock it.\",\n\t\"auth.rateLimited\": \"Too many requests. Try again in {{retryAfter}} seconds.\",\n\t\"auth.emailAlreadyExists\": \"An account with that email already exists.\",\n\t\"auth.weakPassword\":\n\t\t\"Password is too weak. Use at least 8 characters with a mix of letters, numbers, and symbols.\",\n\t\"auth.tokenExpired\": \"This link has expired. 
Request a new one.\",\n\t\"auth.tokenInvalid\": \"This link is invalid or has already been used.\",\n\t\"auth.unauthorized\": \"You are not authorized to perform this action.\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"Agent not found.\",\n\t\"agent.revoked\": \"This agent's access has been revoked.\",\n\t\"agent.limitExceeded\": \"Agent limit reached for this account.\",\n\t\"agent.permissionDenied\": \"Agent does not have permission to perform this action.\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\": \"Invalid verification code. Check your authenticator app and try again.\",\n\t\"twoFactor.alreadyEnabled\": \"Two-factor authentication is already enabled on this account.\",\n\t\"twoFactor.notEnabled\": \"Two-factor authentication is not enabled on this account.\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"Verify your email address\",\n\t\"email.passwordReset.subject\": \"Reset your password\",\n\t\"email.magicLink.subject\": \"Your sign-in link\",\n\t\"email.otp.subject\": \"Your one-time code\",\n\t\"email.invitation.subject\": \"You have been invited to join {{orgName}}\",\n\t\"email.welcome.subject\": \"Welcome to {{appName}}\",\n\n\t// General\n\t\"general.serverError\": \"Something went wrong. 
Try again later.\",\n\t\"general.badRequest\": \"The request could not be processed.\",\n\t\"general.notFound\": \"The requested resource was not found.\",\n};\n","import { en } from \"./locales/en.js\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface TranslationKeys {\n\t// Auth errors\n\t\"auth.invalidCredentials\": string;\n\t\"auth.emailNotVerified\": string;\n\t\"auth.accountLocked\": string;\n\t\"auth.rateLimited\": string;\n\t\"auth.emailAlreadyExists\": string;\n\t\"auth.weakPassword\": string;\n\t\"auth.tokenExpired\": string;\n\t\"auth.tokenInvalid\": string;\n\t\"auth.unauthorized\": string;\n\n\t// Agent errors\n\t\"agent.notFound\": string;\n\t\"agent.revoked\": string;\n\t\"agent.limitExceeded\": string;\n\t\"agent.permissionDenied\": string;\n\n\t// 2FA\n\t\"twoFactor.invalidCode\": string;\n\t\"twoFactor.alreadyEnabled\": string;\n\t\"twoFactor.notEnabled\": string;\n\n\t// Email subjects\n\t\"email.verification.subject\": string;\n\t\"email.passwordReset.subject\": string;\n\t\"email.magicLink.subject\": string;\n\t\"email.otp.subject\": string;\n\t\"email.invitation.subject\": string;\n\t\"email.welcome.subject\": string;\n\n\t// General\n\t\"general.serverError\": string;\n\t\"general.badRequest\": string;\n\t\"general.notFound\": string;\n}\n\nexport interface I18nConfig {\n\t/** Default locale (default: \"en\") */\n\tdefaultLocale?: string;\n\t/** Custom translations merged on top of built-in defaults */\n\ttranslations?: Record<string, Partial<TranslationKeys>>;\n}\n\nexport interface I18nModule {\n\t/** Get a translated string, optionally for a specific locale */\n\tt(key: keyof TranslationKeys, locale?: string): string;\n\t/** Get a translated string with variable interpolation */\n\tt(key: keyof TranslationKeys, vars: Record<string, string>, locale?: string): string;\n\t/** Add or replace 
translations for a locale at runtime */\n\taddLocale(locale: string, translations: Partial<TranslationKeys>): void;\n\t/** Return all registered locale codes */\n\tgetLocales(): string[];\n}\n\n// ---------------------------------------------------------------------------\n// Implementation\n// ---------------------------------------------------------------------------\n\nfunction interpolate(template: string, vars: Record<string, string>): string {\n\treturn template.replace(/\\{\\{(\\w+)\\}\\}/g, (match, key: string): string => {\n\t\treturn Object.hasOwn(vars, key) ? (vars[key] ?? match) : `{{${key}}}`;\n\t});\n}\n\n/**\n * Resolve the best matching locale from the registry.\n *\n * Priority:\n * 1. Exact match (e.g. \"en-US\")\n * 2. Language prefix match (e.g. \"en\" when \"en-US\" is not registered)\n * 3. Default locale\n * 4. \"en\" hardcoded fallback\n */\nfunction resolveLocale(\n\trequested: string,\n\tregistry: Map<string, Partial<TranslationKeys>>,\n\tdefaultLocale: string,\n): string {\n\tif (registry.has(requested)) return requested;\n\n\tconst prefix = requested.split(\"-\")[0];\n\tif (prefix && registry.has(prefix)) return prefix;\n\n\tif (registry.has(defaultLocale)) return defaultLocale;\n\n\treturn \"en\";\n}\n\nexport function createI18n(config: I18nConfig = {}): I18nModule {\n\tconst defaultLocale = config.defaultLocale ?? \"en\";\n\n\t// Single Map — reads never mutate it (addLocale replaces the entry).\n\tconst registry = new Map<string, Partial<TranslationKeys>>();\n\n\t// Always seed English built-ins first.\n\tregistry.set(\"en\", { ...en });\n\n\t// Merge any caller-supplied translations.\n\tif (config.translations) {\n\t\tfor (const [locale, keys] of Object.entries(config.translations)) {\n\t\t\tconst existing = registry.get(locale) ?? 
{};\n\t\t\tregistry.set(locale, { ...existing, ...keys });\n\t\t}\n\t}\n\n\tfunction lookup(key: keyof TranslationKeys, locale: string): string {\n\t\tconst resolved = resolveLocale(locale, registry, defaultLocale);\n\t\tconst localeMap = registry.get(resolved);\n\n\t\tif (localeMap && key in localeMap) {\n\t\t\treturn localeMap[key] as string;\n\t\t}\n\n\t\t// Fall back to English built-ins before returning the key itself.\n\t\tconst englishMap = registry.get(\"en\");\n\t\tif (englishMap && key in englishMap) {\n\t\t\treturn englishMap[key] as string;\n\t\t}\n\n\t\t// Last resort: return the key so callers always get a string.\n\t\treturn key;\n\t}\n\n\tfunction t(\n\t\tkey: keyof TranslationKeys,\n\t\tvarsOrLocale?: Record<string, string> | string,\n\t\tmaybeLocale?: string,\n\t): string {\n\t\tif (typeof varsOrLocale === \"string\" || varsOrLocale === undefined) {\n\t\t\t// Overload: t(key, locale?)\n\t\t\tconst locale = varsOrLocale ?? defaultLocale;\n\t\t\treturn lookup(key, locale);\n\t\t}\n\n\t\t// Overload: t(key, vars, locale?)\n\t\tconst locale = maybeLocale ?? defaultLocale;\n\t\tconst raw = lookup(key, locale);\n\t\treturn interpolate(raw, varsOrLocale);\n\t}\n\n\tfunction addLocale(locale: string, translations: Partial<TranslationKeys>): void {\n\t\tconst existing = registry.get(locale) ?? {};\n\t\tregistry.set(locale, { ...existing, ...translations });\n\t}\n\n\tfunction getLocales(): string[] {\n\t\treturn Array.from(registry.keys());\n\t}\n\n\treturn { t, addLocale, getLocales };\n}\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const de: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": \"Ungültige E-Mail-Adresse oder falsches Passwort.\",\n\t\"auth.emailNotVerified\": \"Bitte bestätige deine E-Mail-Adresse, bevor du dich anmeldest.\",\n\t\"auth.accountLocked\":\n\t\t\"Dein Konto wurde gesperrt. Wende dich an den Support, um es freizuschalten.\",\n\t\"auth.rateLimited\": \"Zu viele Anfragen. 
Versuche es in {{retryAfter}} Sekunden erneut.\",\n\t\"auth.emailAlreadyExists\": \"Ein Konto mit dieser E-Mail-Adresse existiert bereits.\",\n\t\"auth.weakPassword\":\n\t\t\"Das Passwort ist zu schwach. Verwende mindestens 8 Zeichen mit Buchstaben, Zahlen und Symbolen.\",\n\t\"auth.tokenExpired\": \"Dieser Link ist abgelaufen. Fordere einen neuen an.\",\n\t\"auth.tokenInvalid\": \"Dieser Link ist ungültig oder wurde bereits verwendet.\",\n\t\"auth.unauthorized\": \"Du bist nicht berechtigt, diese Aktion auszuführen.\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"Agent nicht gefunden.\",\n\t\"agent.revoked\": \"Der Zugriff dieses Agenten wurde widerrufen.\",\n\t\"agent.limitExceeded\": \"Agentenlimit für dieses Konto erreicht.\",\n\t\"agent.permissionDenied\": \"Der Agent hat keine Berechtigung für diese Aktion.\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\":\n\t\t\"Ungültiger Bestätigungscode. Überprüfe deine Authentifizierungs-App und versuche es erneut.\",\n\t\"twoFactor.alreadyEnabled\":\n\t\t\"Die Zwei-Faktor-Authentifizierung ist für dieses Konto bereits aktiviert.\",\n\t\"twoFactor.notEnabled\": \"Die Zwei-Faktor-Authentifizierung ist für dieses Konto nicht aktiviert.\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"Bestätige deine E-Mail-Adresse\",\n\t\"email.passwordReset.subject\": \"Setze dein Passwort zurück\",\n\t\"email.magicLink.subject\": \"Dein Anmelde-Link\",\n\t\"email.otp.subject\": \"Dein Einmalcode\",\n\t\"email.invitation.subject\": \"Du wurdest eingeladen, {{orgName}} beizutreten\",\n\t\"email.welcome.subject\": \"Willkommen bei {{appName}}\",\n\n\t// General\n\t\"general.serverError\": \"Etwas ist schiefgelaufen. 
Versuche es später erneut.\",\n\t\"general.badRequest\": \"Die Anfrage konnte nicht verarbeitet werden.\",\n\t\"general.notFound\": \"Die angeforderte Ressource wurde nicht gefunden.\",\n};\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const es: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": \"Correo electrónico o contraseña incorrectos.\",\n\t\"auth.emailNotVerified\": \"Verifica tu dirección de correo electrónico antes de iniciar sesión.\",\n\t\"auth.accountLocked\": \"Tu cuenta ha sido bloqueada. Contacta con soporte para desbloquearla.\",\n\t\"auth.rateLimited\": \"Demasiadas solicitudes. Inténtalo de nuevo en {{retryAfter}} segundos.\",\n\t\"auth.emailAlreadyExists\": \"Ya existe una cuenta con ese correo electrónico.\",\n\t\"auth.weakPassword\":\n\t\t\"La contraseña es demasiado débil. Usa al menos 8 caracteres con letras, números y símbolos.\",\n\t\"auth.tokenExpired\": \"Este enlace ha caducado. Solicita uno nuevo.\",\n\t\"auth.tokenInvalid\": \"Este enlace no es válido o ya ha sido utilizado.\",\n\t\"auth.unauthorized\": \"No tienes autorización para realizar esta acción.\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"Agente no encontrado.\",\n\t\"agent.revoked\": \"El acceso de este agente ha sido revocado.\",\n\t\"agent.limitExceeded\": \"Límite de agentes alcanzado para esta cuenta.\",\n\t\"agent.permissionDenied\": \"El agente no tiene permiso para realizar esta acción.\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\":\n\t\t\"Código de verificación incorrecto. 
Comprueba tu aplicación autenticadora e inténtalo de nuevo.\",\n\t\"twoFactor.alreadyEnabled\": \"La autenticación de dos factores ya está activada en esta cuenta.\",\n\t\"twoFactor.notEnabled\": \"La autenticación de dos factores no está activada en esta cuenta.\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"Verifica tu dirección de correo electrónico\",\n\t\"email.passwordReset.subject\": \"Restablece tu contraseña\",\n\t\"email.magicLink.subject\": \"Tu enlace de acceso\",\n\t\"email.otp.subject\": \"Tu código de un solo uso\",\n\t\"email.invitation.subject\": \"Has sido invitado a unirte a {{orgName}}\",\n\t\"email.welcome.subject\": \"Bienvenido a {{appName}}\",\n\n\t// General\n\t\"general.serverError\": \"Algo salió mal. Inténtalo de nuevo más tarde.\",\n\t\"general.badRequest\": \"La solicitud no pudo procesarse.\",\n\t\"general.notFound\": \"El recurso solicitado no fue encontrado.\",\n};\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const fr: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": \"Adresse e-mail ou mot de passe incorrect.\",\n\t\"auth.emailNotVerified\": \"Veuillez vérifier votre adresse e-mail avant de vous connecter.\",\n\t\"auth.accountLocked\":\n\t\t\"Votre compte a été verrouillé. Contactez le support pour le déverrouiller.\",\n\t\"auth.rateLimited\": \"Trop de tentatives. Réessayez dans {{retryAfter}} secondes.\",\n\t\"auth.emailAlreadyExists\": \"Un compte avec cette adresse e-mail existe déjà.\",\n\t\"auth.weakPassword\":\n\t\t\"Le mot de passe est trop faible. Utilisez au moins 8 caractères avec des lettres, des chiffres et des symboles.\",\n\t\"auth.tokenExpired\": \"Ce lien a expiré. 
Demandez-en un nouveau.\",\n\t\"auth.tokenInvalid\": \"Ce lien est invalide ou a déjà été utilisé.\",\n\t\"auth.unauthorized\": \"Vous n'êtes pas autorisé à effectuer cette action.\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"Agent introuvable.\",\n\t\"agent.revoked\": \"L'accès de cet agent a été révoqué.\",\n\t\"agent.limitExceeded\": \"Limite d'agents atteinte pour ce compte.\",\n\t\"agent.permissionDenied\": \"L'agent n'est pas autorisé à effectuer cette action.\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\":\n\t\t\"Code de vérification invalide. Vérifiez votre application d'authentification et réessayez.\",\n\t\"twoFactor.alreadyEnabled\": \"L'authentification à deux facteurs est déjà activée sur ce compte.\",\n\t\"twoFactor.notEnabled\": \"L'authentification à deux facteurs n'est pas activée sur ce compte.\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"Vérifiez votre adresse e-mail\",\n\t\"email.passwordReset.subject\": \"Réinitialisez votre mot de passe\",\n\t\"email.magicLink.subject\": \"Votre lien de connexion\",\n\t\"email.otp.subject\": \"Votre code à usage unique\",\n\t\"email.invitation.subject\": \"Vous avez été invité à rejoindre {{orgName}}\",\n\t\"email.welcome.subject\": \"Bienvenue sur {{appName}}\",\n\n\t// General\n\t\"general.serverError\": \"Une erreur s'est produite. 
Réessayez plus tard.\",\n\t\"general.badRequest\": \"La requête n'a pas pu être traitée.\",\n\t\"general.notFound\": \"La ressource demandée est introuvable.\",\n};\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const ja: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": \"メールアドレスまたはパスワードが正しくありません。\",\n\t\"auth.emailNotVerified\": \"サインインする前にメールアドレスを確認してください。\",\n\t\"auth.accountLocked\":\n\t\t\"アカウントがロックされています。サポートに連絡してロックを解除してください。\",\n\t\"auth.rateLimited\": \"リクエストが多すぎます。{{retryAfter}}秒後に再試行してください。\",\n\t\"auth.emailAlreadyExists\": \"そのメールアドレスのアカウントはすでに存在します。\",\n\t\"auth.weakPassword\":\n\t\t\"パスワードが弱すぎます。文字、数字、記号を組み合わせた8文字以上のパスワードを使用してください。\",\n\t\"auth.tokenExpired\": \"このリンクの有効期限が切れています。新しいリンクをリクエストしてください。\",\n\t\"auth.tokenInvalid\": \"このリンクは無効か、すでに使用されています。\",\n\t\"auth.unauthorized\": \"この操作を実行する権限がありません。\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"エージェントが見つかりません。\",\n\t\"agent.revoked\": \"このエージェントのアクセスが取り消されました。\",\n\t\"agent.limitExceeded\": \"このアカウントのエージェント上限に達しました。\",\n\t\"agent.permissionDenied\": \"エージェントにはこの操作を実行する権限がありません。\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\": \"確認コードが正しくありません。認証アプリを確認して再試行してください。\",\n\t\"twoFactor.alreadyEnabled\": \"このアカウントでは二要素認証がすでに有効になっています。\",\n\t\"twoFactor.notEnabled\": \"このアカウントでは二要素認証が有効になっていません。\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"メールアドレスを確認してください\",\n\t\"email.passwordReset.subject\": \"パスワードをリセット\",\n\t\"email.magicLink.subject\": \"サインインリンク\",\n\t\"email.otp.subject\": \"ワンタイムコード\",\n\t\"email.invitation.subject\": \"{{orgName}}への招待\",\n\t\"email.welcome.subject\": \"{{appName}}へようこそ\",\n\n\t// General\n\t\"general.serverError\": \"問題が発生しました。後でもう一度お試しください。\",\n\t\"general.badRequest\": \"リクエストを処理できませんでした。\",\n\t\"general.notFound\": \"リクエストされたリソースが見つかりません。\",\n};\n","import type { TranslationKeys } from \"../i18n.js\";\n\nexport const zh: TranslationKeys = {\n\t// Auth errors\n\t\"auth.invalidCredentials\": 
\"邮箱或密码不正确。\",\n\t\"auth.emailNotVerified\": \"请在登录前验证您的电子邮件地址。\",\n\t\"auth.accountLocked\": \"您的账户已被锁定,请联系支持团队解锁。\",\n\t\"auth.rateLimited\": \"请求过于频繁,请在 {{retryAfter}} 秒后重试。\",\n\t\"auth.emailAlreadyExists\": \"该邮箱地址已注册账户。\",\n\t\"auth.weakPassword\": \"密码强度不足,请使用至少 8 位包含字母、数字和符号的密码。\",\n\t\"auth.tokenExpired\": \"此链接已过期,请重新申请。\",\n\t\"auth.tokenInvalid\": \"此链接无效或已被使用。\",\n\t\"auth.unauthorized\": \"您没有权限执行此操作。\",\n\n\t// Agent errors\n\t\"agent.notFound\": \"未找到该代理。\",\n\t\"agent.revoked\": \"该代理的访问权限已被撤销。\",\n\t\"agent.limitExceeded\": \"已达到该账户的代理数量上限。\",\n\t\"agent.permissionDenied\": \"代理没有执行此操作的权限。\",\n\n\t// 2FA\n\t\"twoFactor.invalidCode\": \"验证码无效,请检查您的验证应用并重试。\",\n\t\"twoFactor.alreadyEnabled\": \"该账户已启用双重验证。\",\n\t\"twoFactor.notEnabled\": \"该账户未启用双重验证。\",\n\n\t// Email subjects\n\t\"email.verification.subject\": \"请验证您的电子邮件地址\",\n\t\"email.passwordReset.subject\": \"重置您的密码\",\n\t\"email.magicLink.subject\": \"您的登录链接\",\n\t\"email.otp.subject\": \"您的一次性验证码\",\n\t\"email.invitation.subject\": \"您已被邀请加入 {{orgName}}\",\n\t\"email.welcome.subject\": \"欢迎使用 {{appName}}\",\n\n\t// General\n\t\"general.serverError\": \"出现了一些问题,请稍后再试。\",\n\t\"general.badRequest\": \"无法处理该请求。\",\n\t\"general.notFound\": \"未找到请求的资源。\",\n};\n","import type { EndpointContext, PluginEndpoint } from \"./types.js\";\n\n/**\n * Match a URL pathname against a route pattern that may contain colon params.\n *\n * Returns a record of captured param values when matched, or null when the\n * pattern does not match the path.\n *\n * @example\n * matchPath('/auth/verify/:token', '/auth/verify/abc123')\n * // => { token: 'abc123' }\n */\nfunction matchPath(pattern: string, pathname: string): Record<string, string> | null {\n\tconst patternParts = pattern.split(\"/\");\n\tconst pathParts = pathname.split(\"/\");\n\n\tif (patternParts.length !== pathParts.length) return null;\n\n\tconst params: Record<string, string> = {};\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst 
patternPart = patternParts[i];\n\t\tconst pathPart = pathParts[i];\n\n\t\tif (patternPart === undefined || pathPart === undefined) return null;\n\n\t\tif (patternPart.startsWith(\":\")) {\n\t\t\t// Colon param — capture the value\n\t\t\tconst paramName = patternPart.slice(1);\n\t\t\tparams[paramName] = decodeURIComponent(pathPart);\n\t\t} else if (patternPart !== pathPart) {\n\t\t\t// Literal segment mismatch\n\t\t\treturn null;\n\t\t}\n\t}\n\n\treturn params;\n}\n\n/**\n * Create a plugin router that matches requests to registered plugin endpoints.\n *\n * The router strips `basePath` from the request URL before matching so plugins\n * register paths relative to the mount point (e.g. `/auth/sign-in` instead\n * of `/api/kavach/auth/sign-in`).\n */\nexport function createPluginRouter(endpoints: PluginEndpoint[]): {\n\t/** Try to handle a request. Returns Response if matched, null if not. */\n\thandle: (\n\t\trequest: Request,\n\t\tbasePath: string,\n\t\tendpointCtx: EndpointContext,\n\t) => Promise<Response | null>;\n\t/** Get all registered endpoints (for adapter mounting) */\n\tgetEndpoints: () => PluginEndpoint[];\n} {\n\treturn {\n\t\tasync handle(\n\t\t\trequest: Request,\n\t\t\tbasePath: string,\n\t\t\tendpointCtx: EndpointContext,\n\t\t): Promise<Response | null> {\n\t\t\tconst url = new URL(request.url);\n\t\t\tlet pathname = url.pathname;\n\n\t\t\t// Strip basePath prefix, normalising trailing slash differences\n\t\t\tconst base = basePath.endsWith(\"/\") ? 
basePath.slice(0, -1) : basePath;\n\t\t\tif (base && pathname.startsWith(base)) {\n\t\t\t\tpathname = pathname.slice(base.length) || \"/\";\n\t\t\t}\n\n\t\t\t// Normalise: ensure single leading slash, no trailing slash (except root)\n\t\t\tif (!pathname.startsWith(\"/\")) {\n\t\t\t\tpathname = `/${pathname}`;\n\t\t\t}\n\t\t\tif (pathname.length > 1 && pathname.endsWith(\"/\")) {\n\t\t\t\tpathname = pathname.slice(0, -1);\n\t\t\t}\n\n\t\t\tconst method = request.method.toUpperCase() as PluginEndpoint[\"method\"];\n\n\t\t\tfor (const endpoint of endpoints) {\n\t\t\t\tif (endpoint.method !== method) continue;\n\n\t\t\t\tconst params = matchPath(endpoint.path, pathname);\n\t\t\t\tif (params === null) continue;\n\n\t\t\t\t// Attach matched path params to the request URL so handlers can read\n\t\t\t\t// them via `new URL(request.url).searchParams` or a dedicated helper.\n\t\t\t\t// We inject them as search params prefixed with `_param_` to avoid\n\t\t\t\t// collisions with real query params while keeping this zero-dep.\n\t\t\t\tconst enrichedUrl = new URL(request.url);\n\t\t\t\tfor (const [key, value] of Object.entries(params)) {\n\t\t\t\t\tenrichedUrl.searchParams.set(`_param_${key}`, value);\n\t\t\t\t}\n\n\t\t\t\tconst enrichedRequest = new Request(enrichedUrl.toString(), request);\n\n\t\t\t\treturn endpoint.handler(enrichedRequest, endpointCtx);\n\t\t\t}\n\n\t\t\treturn null;\n\t\t},\n\n\t\tgetEndpoints(): PluginEndpoint[] {\n\t\t\treturn [...endpoints];\n\t\t},\n\t};\n}\n","import type { Database, DatabaseConfig } from \"../db/database.js\";\nimport type { KavachConfig } from \"../types.js\";\nimport type { KavachPlugin, PluginContext, PluginEndpoint } from \"./types.js\";\n\nexport interface PluginRegistry {\n\tendpoints: PluginEndpoint[];\n\tmigrations: string[];\n\thooks: {\n\t\tonRequest: Array<NonNullable<KavachPlugin[\"hooks\"]>[\"onRequest\"]>;\n\t\tonAuthenticate: Array<NonNullable<KavachPlugin[\"hooks\"]>[\"onAuthenticate\"]>;\n\t\tonSessionCreate: 
Array<NonNullable<KavachPlugin[\"hooks\"]>[\"onSessionCreate\"]>;\n\t\tonSessionRevoke: Array<NonNullable<KavachPlugin[\"hooks\"]>[\"onSessionRevoke\"]>;\n\t};\n\tpluginContext: Record<string, unknown>;\n}\n\n/**\n * Run plugin migrations against the database.\n *\n * Follows the same pattern as createTables() — raw DDL executed against the\n * underlying driver. Only CREATE TABLE IF NOT EXISTS statements should be\n * passed here; plugins are responsible for making their DDL idempotent.\n */\nasync function runMigrations(\n\tdb: Database,\n\tprovider: DatabaseConfig[\"provider\"],\n\tstatements: string[],\n): Promise<void> {\n\tif (statements.length === 0) return;\n\n\tif (provider === \"sqlite\") {\n\t\t// biome-ignore lint/suspicious/noExplicitAny: accessing internal drizzle session for raw DDL\n\t\tconst session = (db as any).session;\n\t\tif (session?.client?.exec) {\n\t\t\tsession.client.exec(`${statements.join(\";\\n\")};`);\n\t\t\treturn;\n\t\t}\n\t\t// biome-ignore lint/suspicious/noExplicitAny: raw SQL fallback for DDL execution\n\t\tconst anyDb = db as any;\n\t\tfor (const sql of statements) {\n\t\t\tawait anyDb.run(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\t// biome-ignore lint/suspicious/noExplicitAny: raw DDL on pg/mysql adapter boundary\n\tconst anyDb = db as any;\n\n\tif (provider === \"postgres\") {\n\t\tconst client: { query: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS plugin migrations: cannot access underlying pg client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.query(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tif (provider === \"mysql\") {\n\t\tconst client: { execute: (sql: string) => Promise<unknown> } =\n\t\t\tanyDb.$client ?? 
anyDb.session?.client;\n\t\tif (!client) {\n\t\t\tthrow new Error(\n\t\t\t\t\"KavachOS plugin migrations: cannot access underlying mysql2 client from Drizzle instance.\",\n\t\t\t);\n\t\t}\n\t\tfor (const sql of statements) {\n\t\t\tawait client.execute(sql);\n\t\t}\n\t\treturn;\n\t}\n\n\tthrow new Error(`runMigrations: unsupported provider \"${provider}\"`);\n}\n\n/**\n * Initialize all plugins and collect their endpoints, migrations, and hooks\n * into a single registry.\n *\n * Calls each plugin's `init()` in registration order. Migrations collected\n * during init are executed before the registry is returned so that any\n * subsequent requests can immediately use plugin tables.\n */\nexport async function initializePlugins(\n\tplugins: KavachPlugin[],\n\tdb: Database,\n\tconfig: KavachConfig,\n): Promise<PluginRegistry> {\n\tconst registry: PluginRegistry = {\n\t\tendpoints: [],\n\t\tmigrations: [],\n\t\thooks: {\n\t\t\tonRequest: [],\n\t\t\tonAuthenticate: [],\n\t\t\tonSessionCreate: [],\n\t\t\tonSessionRevoke: [],\n\t\t},\n\t\tpluginContext: {},\n\t};\n\n\tfor (const plugin of plugins) {\n\t\tconst pluginMigrations: string[] = [];\n\n\t\tconst ctx: PluginContext = {\n\t\t\tdb,\n\t\t\tconfig,\n\t\t\taddEndpoint(endpoint: PluginEndpoint): void {\n\t\t\t\tregistry.endpoints.push(endpoint);\n\t\t\t},\n\t\t\taddMigration(sql: string): void {\n\t\t\t\tpluginMigrations.push(sql);\n\t\t\t\tregistry.migrations.push(sql);\n\t\t\t},\n\t\t};\n\n\t\tif (plugin.init) {\n\t\t\tconst result = await plugin.init(ctx);\n\t\t\tif (result?.context) {\n\t\t\t\tObject.assign(registry.pluginContext, result.context);\n\t\t\t}\n\t\t}\n\n\t\t// Collect lifecycle hooks\n\t\tif (plugin.hooks) {\n\t\t\tif (plugin.hooks.onRequest) {\n\t\t\t\tregistry.hooks.onRequest.push(plugin.hooks.onRequest);\n\t\t\t}\n\t\t\tif (plugin.hooks.onAuthenticate) {\n\t\t\t\tregistry.hooks.onAuthenticate.push(plugin.hooks.onAuthenticate);\n\t\t\t}\n\t\t\tif (plugin.hooks.onSessionCreate) 
{\n\t\t\t\tregistry.hooks.onSessionCreate.push(plugin.hooks.onSessionCreate);\n\t\t\t}\n\t\t\tif (plugin.hooks.onSessionRevoke) {\n\t\t\t\tregistry.hooks.onSessionRevoke.push(plugin.hooks.onSessionRevoke);\n\t\t\t}\n\t\t}\n\n\t\t// Run this plugin's migrations before moving to the next plugin so\n\t\t// later plugins can rely on tables created by earlier ones.\n\t\tif (pluginMigrations.length > 0) {\n\t\t\tawait runMigrations(db, config.database.provider, pluginMigrations);\n\t\t}\n\t}\n\n\treturn registry;\n}\n","import { randomUUID } from \"node:crypto\";\nimport { and, eq, isNull, ne, or } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { budgetPolicies } from \"../db/schema.js\";\n\nexport interface BudgetPolicy {\n\tid: string; // pol_...\n\tagentId?: string; // null = applies to all agents\n\tuserId?: string; // null = applies to all users\n\ttenantId?: string; // null = applies globally\n\tlimits: BudgetLimits;\n\tcurrentUsage: BudgetUsage;\n\taction: \"warn\" | \"throttle\" | \"block\" | \"revoke\";\n\tstatus: \"active\" | \"triggered\" | \"disabled\";\n\tcreatedAt: Date;\n}\n\nexport interface BudgetLimits {\n\tmaxTokensCostPerDay?: number;\n\tmaxTokensCostPerMonth?: number;\n\tmaxCallsPerDay?: number;\n\tmaxCallsPerMonth?: number;\n}\n\nexport interface BudgetUsage {\n\ttokensCostToday: number;\n\ttokensCostThisMonth: number;\n\tcallsToday: number;\n\tcallsThisMonth: number;\n\tlastUpdated: string;\n}\n\nexport interface CreatePolicyInput {\n\tagentId?: string;\n\tuserId?: string;\n\ttenantId?: string;\n\tlimits: BudgetLimits;\n\taction: \"warn\" | \"throttle\" | \"block\" | \"revoke\";\n}\n\nexport interface PolicyFilters {\n\tagentId?: string;\n\tuserId?: string;\n\ttenantId?: string;\n}\n\nfunction emptyUsage(): BudgetUsage {\n\treturn {\n\t\ttokensCostToday: 0,\n\t\ttokensCostThisMonth: 0,\n\t\tcallsToday: 0,\n\t\tcallsThisMonth: 0,\n\t\tlastUpdated: new Date().toISOString(),\n\t};\n}\n\nfunction rowToPolicy(row: 
{\n\tid: string;\n\tagentId: string | null;\n\tuserId: string | null;\n\ttenantId: string | null;\n\tlimits: unknown;\n\tcurrentUsage: unknown;\n\taction: string;\n\tstatus: string;\n\tcreatedAt: Date;\n}): BudgetPolicy {\n\treturn {\n\t\tid: row.id,\n\t\tagentId: row.agentId ?? undefined,\n\t\tuserId: row.userId ?? undefined,\n\t\ttenantId: row.tenantId ?? undefined,\n\t\tlimits: (row.limits as BudgetLimits) ?? {},\n\t\tcurrentUsage: (row.currentUsage as BudgetUsage) ?? emptyUsage(),\n\t\taction: row.action as BudgetPolicy[\"action\"],\n\t\tstatus: row.status as BudgetPolicy[\"status\"],\n\t\tcreatedAt: row.createdAt,\n\t};\n}\n\n/**\n * Check whether usage exceeds any defined limit.\n * Returns true when a limit is defined and the usage value meets or exceeds it.\n */\nfunction isExceeded(limits: BudgetLimits, usage: BudgetUsage): boolean {\n\tif (limits.maxCallsPerDay !== undefined && usage.callsToday >= limits.maxCallsPerDay) return true;\n\tif (limits.maxCallsPerMonth !== undefined && usage.callsThisMonth >= limits.maxCallsPerMonth)\n\t\treturn true;\n\tif (\n\t\tlimits.maxTokensCostPerDay !== undefined &&\n\t\tusage.tokensCostToday >= limits.maxTokensCostPerDay\n\t)\n\t\treturn true;\n\tif (\n\t\tlimits.maxTokensCostPerMonth !== undefined &&\n\t\tusage.tokensCostThisMonth >= limits.maxTokensCostPerMonth\n\t)\n\t\treturn true;\n\treturn false;\n}\n\nexport function createPolicyModule(db: Database) {\n\tasync function create(input: CreatePolicyInput): Promise<BudgetPolicy> {\n\t\tconst id = `pol_${randomUUID().replace(/-/g, \"\")}`;\n\t\tconst now = new Date();\n\t\tconst usage = emptyUsage();\n\n\t\tawait db.insert(budgetPolicies).values({\n\t\t\tid,\n\t\t\tagentId: input.agentId ?? null,\n\t\t\tuserId: input.userId ?? null,\n\t\t\ttenantId: input.tenantId ?? 
null,\n\t\t\tlimits: input.limits,\n\t\t\tcurrentUsage: usage,\n\t\t\taction: input.action,\n\t\t\tstatus: \"active\",\n\t\t\tcreatedAt: now,\n\t\t});\n\n\t\treturn {\n\t\t\tid,\n\t\t\tagentId: input.agentId,\n\t\t\tuserId: input.userId,\n\t\t\ttenantId: input.tenantId,\n\t\t\tlimits: input.limits,\n\t\t\tcurrentUsage: usage,\n\t\t\taction: input.action,\n\t\t\tstatus: \"active\",\n\t\t\tcreatedAt: now,\n\t\t};\n\t}\n\n\tasync function get(policyId: string): Promise<BudgetPolicy | null> {\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(budgetPolicies)\n\t\t\t.where(eq(budgetPolicies.id, policyId))\n\t\t\t.limit(1);\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\treturn rowToPolicy(row);\n\t}\n\n\tasync function list(filters?: PolicyFilters): Promise<BudgetPolicy[]> {\n\t\tlet query = db.select().from(budgetPolicies).$dynamic();\n\n\t\tconst conditions = [];\n\t\tif (filters?.agentId !== undefined) {\n\t\t\tconditions.push(\n\t\t\t\tor(eq(budgetPolicies.agentId, filters.agentId), isNull(budgetPolicies.agentId)),\n\t\t\t);\n\t\t}\n\t\tif (filters?.userId !== undefined) {\n\t\t\tconditions.push(or(eq(budgetPolicies.userId, filters.userId), isNull(budgetPolicies.userId)));\n\t\t}\n\t\tif (filters?.tenantId !== undefined) {\n\t\t\tconditions.push(\n\t\t\t\tor(eq(budgetPolicies.tenantId, filters.tenantId), isNull(budgetPolicies.tenantId)),\n\t\t\t);\n\t\t}\n\n\t\tif (conditions.length > 0) {\n\t\t\tquery = query.where(and(...conditions));\n\t\t}\n\n\t\tconst rows = await query;\n\t\treturn rows.map(rowToPolicy);\n\t}\n\n\tasync function update(policyId: string, updates: Partial<BudgetPolicy>): Promise<BudgetPolicy> {\n\t\tconst existing = await get(policyId);\n\t\tif (!existing) throw new Error(`Policy \"${policyId}\" not found.`);\n\n\t\tawait db\n\t\t\t.update(budgetPolicies)\n\t\t\t.set({\n\t\t\t\tlimits: updates.limits ?? existing.limits,\n\t\t\t\tcurrentUsage: updates.currentUsage ?? existing.currentUsage,\n\t\t\t\taction: updates.action ?? 
existing.action,\n\t\t\t\tstatus: updates.status ?? existing.status,\n\t\t\t})\n\t\t\t.where(eq(budgetPolicies.id, policyId));\n\n\t\tconst updated = await get(policyId);\n\t\tif (!updated) throw new Error(`Policy \"${policyId}\" disappeared after update.`);\n\t\treturn updated;\n\t}\n\n\tasync function remove(policyId: string): Promise<void> {\n\t\tconst existing = await get(policyId);\n\t\tif (!existing) throw new Error(`Policy \"${policyId}\" not found.`);\n\n\t\tawait db.delete(budgetPolicies).where(eq(budgetPolicies.id, policyId));\n\t}\n\n\t/**\n\t * Check whether an agent is within budget.\n\t *\n\t * Finds all active policies applicable to the agent (by agentId or global)\n\t * and evaluates current usage against each limit. Returns the first policy\n\t * that is exceeded, or `{ allowed: true }` when all are within limits.\n\t */\n\tasync function checkBudget(\n\t\tagentId: string,\n\t\ttokensCost?: number,\n\t): Promise<{ allowed: boolean; reason?: string; policy?: BudgetPolicy }> {\n\t\t// Fetch policies that apply: exact agent match or global (null agentId).\n\t\t// Include both \"active\" and \"triggered\" — only \"disabled\" policies are skipped.\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(budgetPolicies)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\tne(budgetPolicies.status, \"disabled\"),\n\t\t\t\t\tor(eq(budgetPolicies.agentId, agentId), isNull(budgetPolicies.agentId)),\n\t\t\t\t),\n\t\t\t);\n\n\t\tfor (const row of rows) {\n\t\t\tconst policy = rowToPolicy(row);\n\t\t\tconst usage = { ...policy.currentUsage };\n\n\t\t\t// Speculatively include the incoming tokensCost for the check\n\t\t\tif (tokensCost !== undefined) {\n\t\t\t\tusage.tokensCostToday += tokensCost;\n\t\t\t\tusage.tokensCostThisMonth += tokensCost;\n\t\t\t}\n\n\t\t\tif (isExceeded(policy.limits, usage)) {\n\t\t\t\treturn {\n\t\t\t\t\tallowed: policy.action === \"warn\",\n\t\t\t\t\treason: `Budget policy \"${policy.id}\" exceeded (action: 
${policy.action})`,\n\t\t\t\t\tpolicy,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\treturn { allowed: true };\n\t}\n\n\t/**\n\t * Increment usage counters for an agent.\n\t *\n\t * Updates all active policies that apply to the given agent.\n\t * Also transitions policies to \"triggered\" status when a limit is breached.\n\t */\n\tasync function recordUsage(agentId: string, tokensCost?: number): Promise<void> {\n\t\tconst rows = await db\n\t\t\t.select()\n\t\t\t.from(budgetPolicies)\n\t\t\t.where(\n\t\t\t\tand(\n\t\t\t\t\tne(budgetPolicies.status, \"disabled\"),\n\t\t\t\t\tor(eq(budgetPolicies.agentId, agentId), isNull(budgetPolicies.agentId)),\n\t\t\t\t),\n\t\t\t);\n\n\t\tfor (const row of rows) {\n\t\t\tconst policy = rowToPolicy(row);\n\t\t\tconst usage: BudgetUsage = {\n\t\t\t\ttokensCostToday: policy.currentUsage.tokensCostToday + (tokensCost ?? 0),\n\t\t\t\ttokensCostThisMonth: policy.currentUsage.tokensCostThisMonth + (tokensCost ?? 0),\n\t\t\t\tcallsToday: policy.currentUsage.callsToday + 1,\n\t\t\t\tcallsThisMonth: policy.currentUsage.callsThisMonth + 1,\n\t\t\t\tlastUpdated: new Date().toISOString(),\n\t\t\t};\n\n\t\t\tconst exceeded = isExceeded(policy.limits, usage);\n\t\t\tconst newStatus = exceeded ? \"triggered\" : policy.status;\n\n\t\t\tawait db\n\t\t\t\t.update(budgetPolicies)\n\t\t\t\t.set({ currentUsage: usage, status: newStatus })\n\t\t\t\t.where(eq(budgetPolicies.id, policy.id));\n\t\t}\n\t}\n\n\t/** Reset daily counters (callsToday, tokensCostToday) on all policies. 
*/\n\tasync function resetDaily(): Promise<{ reset: number }> {\n\t\tconst rows = await db.select().from(budgetPolicies);\n\t\tlet reset = 0;\n\n\t\tfor (const row of rows) {\n\t\t\tconst policy = rowToPolicy(row);\n\t\t\tconst usage: BudgetUsage = {\n\t\t\t\t...policy.currentUsage,\n\t\t\t\ttokensCostToday: 0,\n\t\t\t\tcallsToday: 0,\n\t\t\t\tlastUpdated: new Date().toISOString(),\n\t\t\t};\n\n\t\t\t// Re-evaluate status now that daily counts are zeroed\n\t\t\tconst stillExceeded = isExceeded(policy.limits, usage);\n\t\t\tconst newStatus = stillExceeded\n\t\t\t\t? \"triggered\"\n\t\t\t\t: policy.status === \"triggered\"\n\t\t\t\t\t? \"active\"\n\t\t\t\t\t: policy.status;\n\n\t\t\tawait db\n\t\t\t\t.update(budgetPolicies)\n\t\t\t\t.set({ currentUsage: usage, status: newStatus })\n\t\t\t\t.where(eq(budgetPolicies.id, policy.id));\n\n\t\t\treset++;\n\t\t}\n\n\t\treturn { reset };\n\t}\n\n\t/** Reset monthly counters (callsThisMonth, tokensCostThisMonth) on all policies. */\n\tasync function resetMonthly(): Promise<{ reset: number }> {\n\t\tconst rows = await db.select().from(budgetPolicies);\n\t\tlet reset = 0;\n\n\t\tfor (const row of rows) {\n\t\t\tconst policy = rowToPolicy(row);\n\t\t\tconst usage: BudgetUsage = {\n\t\t\t\t...policy.currentUsage,\n\t\t\t\ttokensCostThisMonth: 0,\n\t\t\t\tcallsThisMonth: 0,\n\t\t\t\tlastUpdated: new Date().toISOString(),\n\t\t\t};\n\n\t\t\tconst stillExceeded = isExceeded(policy.limits, usage);\n\t\t\tconst newStatus = stillExceeded\n\t\t\t\t? \"triggered\"\n\t\t\t\t: policy.status === \"triggered\"\n\t\t\t\t\t? 
\"active\"\n\t\t\t\t\t: policy.status;\n\n\t\t\tawait db\n\t\t\t\t.update(budgetPolicies)\n\t\t\t\t.set({ currentUsage: usage, status: newStatus })\n\t\t\t\t.where(eq(budgetPolicies.id, policy.id));\n\n\t\t\treset++;\n\t\t}\n\n\t\treturn { reset };\n\t}\n\n\treturn { create, get, list, update, remove, checkBudget, recordUsage, resetDaily, resetMonthly };\n}\n","import { randomUUID } from \"node:crypto\";\nimport { eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { tenants } from \"../db/schema.js\";\n\nexport interface Tenant {\n\tid: string; // tnt_...\n\tname: string;\n\tslug: string; // URL-safe identifier\n\tsettings: TenantSettings;\n\tstatus: \"active\" | \"suspended\";\n\tcreatedAt: Date;\n\tupdatedAt: Date;\n}\n\nexport interface TenantSettings {\n\tmaxAgents?: number; // override global default\n\tmaxDelegationDepth?: number;\n\tauditRetentionDays?: number;\n\tallowedAgentTypes?: string[];\n}\n\nexport interface CreateTenantInput {\n\tname: string;\n\tslug: string;\n\tsettings?: Partial<TenantSettings>;\n}\n\nfunction slugRegex(): RegExp {\n\treturn /^[a-z0-9]+(?:-[a-z0-9]+)*$/;\n}\n\nfunction rowToTenant(row: {\n\tid: string;\n\tname: string;\n\tslug: string;\n\tsettings: unknown;\n\tstatus: string;\n\tcreatedAt: Date;\n\tupdatedAt: Date;\n}): Tenant {\n\treturn {\n\t\tid: row.id,\n\t\tname: row.name,\n\t\tslug: row.slug,\n\t\tsettings: (row.settings as TenantSettings) ?? {},\n\t\tstatus: row.status as Tenant[\"status\"],\n\t\tcreatedAt: row.createdAt,\n\t\tupdatedAt: row.updatedAt,\n\t};\n}\n\nexport function createTenantModule(db: Database) {\n\tasync function create(input: CreateTenantInput): Promise<Tenant> {\n\t\tif (!slugRegex().test(input.slug)) {\n\t\t\tthrow new Error(\n\t\t\t\t`Invalid slug \"${input.slug}\". 
Use lowercase letters, numbers, and hyphens only.`,\n\t\t\t);\n\t\t}\n\n\t\tconst existing = await db.select().from(tenants).where(eq(tenants.slug, input.slug)).limit(1);\n\n\t\tif (existing.length > 0) {\n\t\t\tthrow new Error(`Tenant with slug \"${input.slug}\" already exists.`);\n\t\t}\n\n\t\tconst id = `tnt_${randomUUID().replace(/-/g, \"\")}`;\n\t\tconst now = new Date();\n\t\tconst settings: TenantSettings = input.settings ?? {};\n\n\t\tawait db.insert(tenants).values({\n\t\t\tid,\n\t\t\tname: input.name,\n\t\t\tslug: input.slug,\n\t\t\tsettings,\n\t\t\tstatus: \"active\",\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t});\n\n\t\treturn {\n\t\t\tid,\n\t\t\tname: input.name,\n\t\t\tslug: input.slug,\n\t\t\tsettings,\n\t\t\tstatus: \"active\",\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t};\n\t}\n\n\tasync function get(tenantId: string): Promise<Tenant | null> {\n\t\tconst rows = await db.select().from(tenants).where(eq(tenants.id, tenantId)).limit(1);\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\treturn rowToTenant(row);\n\t}\n\n\tasync function getBySlug(slug: string): Promise<Tenant | null> {\n\t\tconst rows = await db.select().from(tenants).where(eq(tenants.slug, slug)).limit(1);\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\treturn rowToTenant(row);\n\t}\n\n\tasync function list(): Promise<Tenant[]> {\n\t\tconst rows = await db.select().from(tenants);\n\t\treturn rows.map(rowToTenant);\n\t}\n\n\tasync function update(tenantId: string, updates: Partial<CreateTenantInput>): Promise<Tenant> {\n\t\tconst existing = await get(tenantId);\n\t\tif (!existing) throw new Error(`Tenant \"${tenantId}\" not found.`);\n\n\t\tif (updates.slug !== undefined && updates.slug !== existing.slug) {\n\t\t\tif (!slugRegex().test(updates.slug)) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`Invalid slug \"${updates.slug}\". 
Use lowercase letters, numbers, and hyphens only.`,\n\t\t\t\t);\n\t\t\t}\n\t\t\tconst conflict = await db\n\t\t\t\t.select()\n\t\t\t\t.from(tenants)\n\t\t\t\t.where(eq(tenants.slug, updates.slug))\n\t\t\t\t.limit(1);\n\t\t\tif (conflict.length > 0) {\n\t\t\t\tthrow new Error(`Tenant with slug \"${updates.slug}\" already exists.`);\n\t\t\t}\n\t\t}\n\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(tenants)\n\t\t\t.set({\n\t\t\t\tname: updates.name ?? existing.name,\n\t\t\t\tslug: updates.slug ?? existing.slug,\n\t\t\t\tsettings: updates.settings\n\t\t\t\t\t? { ...existing.settings, ...updates.settings }\n\t\t\t\t\t: existing.settings,\n\t\t\t\tupdatedAt: now,\n\t\t\t})\n\t\t\t.where(eq(tenants.id, tenantId));\n\n\t\tconst updated = await get(tenantId);\n\t\tif (!updated) throw new Error(`Tenant \"${tenantId}\" disappeared after update.`);\n\t\treturn updated;\n\t}\n\n\tasync function suspend(tenantId: string): Promise<void> {\n\t\tconst existing = await get(tenantId);\n\t\tif (!existing) throw new Error(`Tenant \"${tenantId}\" not found.`);\n\n\t\tawait db\n\t\t\t.update(tenants)\n\t\t\t.set({ status: \"suspended\", updatedAt: new Date() })\n\t\t\t.where(eq(tenants.id, tenantId));\n\t}\n\n\tasync function activate(tenantId: string): Promise<void> {\n\t\tconst existing = await get(tenantId);\n\t\tif (!existing) throw new Error(`Tenant \"${tenantId}\" not found.`);\n\n\t\tawait db\n\t\t\t.update(tenants)\n\t\t\t.set({ status: \"active\", updatedAt: new Date() })\n\t\t\t.where(eq(tenants.id, tenantId));\n\t}\n\n\treturn { create, get, getBySlug, list, update, suspend, activate };\n}\n","import { eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { agents, auditLogs, trustScores } from \"../db/schema.js\";\n\nexport interface TrustScore {\n\tagentId: string;\n\tscore: number;\n\tlevel: \"untrusted\" | \"limited\" | \"standard\" | \"trusted\" | \"elevated\";\n\tfactors: {\n\t\tsuccessRate: number;\n\t\tdenialRate: 
number;\n\t\tageInDays: number;\n\t\ttotalCalls: number;\n\t\tanomalyCount: number;\n\t\tlastViolation?: string;\n\t};\n\tcomputedAt: string;\n}\n\nexport interface TrustConfig {\n\t/** Score thresholds for levels */\n\tthresholds?: {\n\t\tuntrusted: number;\n\t\tlimited: number;\n\t\tstandard: number;\n\t\ttrusted: number;\n\t\televated: number;\n\t};\n}\n\nconst DEFAULT_THRESHOLDS = {\n\tuntrusted: 20,\n\tlimited: 40,\n\tstandard: 60,\n\ttrusted: 80,\n\televated: 95,\n};\n\nfunction scoreToLevel(score: number, thresholds: typeof DEFAULT_THRESHOLDS): TrustScore[\"level\"] {\n\tif (score >= thresholds.elevated) return \"elevated\";\n\tif (score >= thresholds.trusted) return \"trusted\";\n\tif (score >= thresholds.standard) return \"standard\";\n\tif (score >= thresholds.limited) return \"limited\";\n\treturn \"untrusted\";\n}\n\nfunction clamp(value: number, min: number, max: number): number {\n\treturn Math.max(min, Math.min(max, value));\n}\n\nfunction rowToScore(row: typeof trustScores.$inferSelect): TrustScore {\n\tconst factors = row.factors as TrustScore[\"factors\"];\n\treturn {\n\t\tagentId: row.agentId,\n\t\tscore: row.score,\n\t\tlevel: row.level as TrustScore[\"level\"],\n\t\tfactors,\n\t\tcomputedAt: row.computedAt.toISOString(),\n\t};\n}\n\n/**\n * Create the graduated autonomy trust scoring module.\n *\n * Scores are derived from audit log history — success rate, denial rate,\n * agent age, total call volume, and anomaly count all feed into a 0-100\n * score mapped to five trust levels.\n *\n * @example\n * ```typescript\n * const trust = createTrustModule({}, db);\n * const score = await trust.computeScore(agentId);\n * console.log(score.level); // 'standard'\n * ```\n */\nexport function createTrustModule(config: TrustConfig, db: Database) {\n\tconst thresholds = { ...DEFAULT_THRESHOLDS, ...config.thresholds };\n\n\tasync function computeScore(agentId: string): Promise<TrustScore> {\n\t\tconst now = new Date();\n\n\t\t// Fetch agent creation date 
for age calculation\n\t\tconst agentRows = await db\n\t\t\t.select({ createdAt: agents.createdAt })\n\t\t\t.from(agents)\n\t\t\t.where(eq(agents.id, agentId))\n\t\t\t.limit(1);\n\n\t\tconst agentRow = agentRows[0];\n\t\tconst ageInDays = agentRow\n\t\t\t? (now.getTime() - agentRow.createdAt.getTime()) / (1000 * 60 * 60 * 24)\n\t\t\t: 0;\n\n\t\t// Aggregate audit stats for this agent\n\t\tconst allLogs = await db\n\t\t\t.select({\n\t\t\t\tresult: auditLogs.result,\n\t\t\t\treason: auditLogs.reason,\n\t\t\t\ttimestamp: auditLogs.timestamp,\n\t\t\t})\n\t\t\t.from(auditLogs)\n\t\t\t.where(eq(auditLogs.agentId, agentId));\n\n\t\tconst totalCalls = allLogs.length;\n\t\tconst allowed = allLogs.filter((r) => r.result === \"allowed\").length;\n\t\tconst denied = allLogs.filter((r) => r.result === \"denied\").length;\n\n\t\tconst successRate = totalCalls > 0 ? (allowed / totalCalls) * 100 : 100;\n\t\tconst denialRate = totalCalls > 0 ? (denied / totalCalls) * 100 : 0;\n\n\t\t// Detect anomaly count: privilege escalation attempts in audit logs\n\t\tconst anomalyCount = allLogs.filter((r) => {\n\t\t\tif (r.result !== \"denied\") return false;\n\t\t\tconst reason = r.reason ?? 
\"\";\n\t\t\treturn (\n\t\t\t\treason.includes(\"INSUFFICIENT_PERMISSIONS\") ||\n\t\t\t\treason.toLowerCase().includes(\"privilege\") ||\n\t\t\t\treason.toLowerCase().includes(\"escalation\")\n\t\t\t);\n\t\t}).length;\n\n\t\t// Last violation timestamp\n\t\tconst violationLogs = allLogs\n\t\t\t.filter((r) => r.result === \"denied\")\n\t\t\t.sort((a, b) => b.timestamp.getTime() - a.timestamp.getTime());\n\t\tconst lastViolation = violationLogs[0]?.timestamp.toISOString();\n\n\t\t// Score formula\n\t\tlet score = 50;\n\t\tscore += Math.min(25, Math.floor(allowed / 100)); // +1 per 100 successful calls, max +25\n\t\tscore -= denied * 5; // -5 per denial\n\t\tscore -= anomalyCount * 10; // -10 per anomaly\n\t\tif (ageInDays > 30) score += 10;\n\t\telse if (ageInDays > 7) score += 5;\n\n\t\tscore = clamp(Math.round(score), 0, 100);\n\t\tconst level = scoreToLevel(score, thresholds);\n\n\t\tconst factors: TrustScore[\"factors\"] = {\n\t\t\tsuccessRate: Math.round(successRate * 10) / 10,\n\t\t\tdenialRate: Math.round(denialRate * 10) / 10,\n\t\t\tageInDays: Math.round(ageInDays * 10) / 10,\n\t\t\ttotalCalls,\n\t\t\tanomalyCount,\n\t\t\tlastViolation,\n\t\t};\n\n\t\t// Upsert into trust_scores table\n\t\tconst existingRows = await db\n\t\t\t.select({ agentId: trustScores.agentId })\n\t\t\t.from(trustScores)\n\t\t\t.where(eq(trustScores.agentId, agentId))\n\t\t\t.limit(1);\n\n\t\tif (existingRows.length > 0) {\n\t\t\tawait db\n\t\t\t\t.update(trustScores)\n\t\t\t\t.set({ score, level, factors, computedAt: now })\n\t\t\t\t.where(eq(trustScores.agentId, agentId));\n\t\t} else {\n\t\t\tawait db.insert(trustScores).values({\n\t\t\t\tagentId,\n\t\t\t\tscore,\n\t\t\t\tlevel,\n\t\t\t\tfactors,\n\t\t\t\tcomputedAt: now,\n\t\t\t});\n\t\t}\n\n\t\treturn {\n\t\t\tagentId,\n\t\t\tscore,\n\t\t\tlevel,\n\t\t\tfactors,\n\t\t\tcomputedAt: now.toISOString(),\n\t\t};\n\t}\n\n\tasync function getScore(agentId: string): Promise<TrustScore | null> {\n\t\tconst rows = await 
db\n\t\t\t.select()\n\t\t\t.from(trustScores)\n\t\t\t.where(eq(trustScores.agentId, agentId))\n\t\t\t.limit(1);\n\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\treturn rowToScore(row);\n\t}\n\n\tasync function computeAll(): Promise<TrustScore[]> {\n\t\tconst activeAgents = await db\n\t\t\t.select({ id: agents.id })\n\t\t\t.from(agents)\n\t\t\t.where(eq(agents.status, \"active\"));\n\n\t\tconst results: TrustScore[] = [];\n\t\tfor (const agent of activeAgents) {\n\t\t\tconst score = await computeScore(agent.id);\n\t\t\tresults.push(score);\n\t\t}\n\t\treturn results;\n\t}\n\n\tasync function getScores(filters?: { level?: string; minScore?: number }): Promise<TrustScore[]> {\n\t\tconst rows = await db.select().from(trustScores);\n\t\tlet scores = rows.map(rowToScore);\n\n\t\tif (filters?.level) {\n\t\t\tscores = scores.filter((s) => s.level === filters.level);\n\t\t}\n\t\tif (filters?.minScore !== undefined) {\n\t\t\tconst min = filters.minScore;\n\t\t\tscores = scores.filter((s) => s.score >= min);\n\t\t}\n\n\t\treturn scores;\n\t}\n\n\treturn {\n\t\tcomputeScore,\n\t\tgetScore,\n\t\tcomputeAll,\n\t\tgetScores,\n\t};\n}\n\nexport type TrustModule = ReturnType<typeof createTrustModule>;\n","import { randomUUID } from \"node:crypto\";\nimport { eq } from \"drizzle-orm\";\nimport { createAgentModule } from \"./agent/agent.js\";\nimport { createPrivilegeAnalyzer } from \"./analyzer/privilege.js\";\nimport { createApprovalModule } from \"./approval/approval.js\";\nimport { createAuditModule } from \"./audit/audit.js\";\nimport type { AdminModule } from \"./auth/admin.js\";\nimport { createAdminModule } from \"./auth/admin.js\";\nimport type { ApiKeyManagerModule } from \"./auth/api-key-manager.js\";\nimport { createApiKeyManagerModule } from \"./auth/api-key-manager.js\";\nimport type { CaptchaModule } from \"./auth/captcha.js\";\nimport { createCaptchaModule } from \"./auth/captcha.js\";\nimport type { EmailOtpModule } from \"./auth/email-otp.js\";\nimport { 
createEmailOtpModule } from \"./auth/email-otp.js\";\nimport type { MagicLinkModule } from \"./auth/magic-link.js\";\nimport { createMagicLinkModule } from \"./auth/magic-link.js\";\nimport type { OrgModule } from \"./auth/organization.js\";\nimport { createOrgModule } from \"./auth/organization.js\";\nimport type { PasskeyModule } from \"./auth/passkey.js\";\nimport { createPasskeyModule } from \"./auth/passkey.js\";\nimport type { PhoneAuthModule } from \"./auth/phone.js\";\nimport { createPhoneAuthModule } from \"./auth/phone.js\";\nimport type { SsoModule } from \"./auth/sso.js\";\nimport { createSsoModule } from \"./auth/sso.js\";\nimport type { TotpModule } from \"./auth/totp.js\";\nimport { createTotpModule } from \"./auth/totp.js\";\nimport type { ResolvedUser } from \"./auth/types.js\";\nimport type { UsernameAuthModule } from \"./auth/username.js\";\nimport { createUsernameAuthModule } from \"./auth/username.js\";\nimport type { WebhookModule } from \"./auth/webhooks.js\";\nimport { createWebhookModule } from \"./auth/webhooks.js\";\nimport { createDatabase } from \"./db/database.js\";\nimport { createTables } from \"./db/migrations.js\";\nimport { mcpServers } from \"./db/schema.js\";\nimport { createDelegationModule } from \"./delegation/delegation.js\";\nimport { createDidModule } from \"./did/module.js\";\nimport type { ViolationType } from \"./hooks/lifecycle.js\";\nimport { createPermissionEngine } from \"./permission/engine.js\";\nimport { createPluginRouter } from \"./plugin/router.js\";\nimport { initializePlugins } from \"./plugin/runner.js\";\nimport type { EndpointContext } from \"./plugin/types.js\";\nimport { createPolicyModule } from \"./policies/budget.js\";\nimport type { SessionManager } from \"./session/session.js\";\nimport { createSessionManager } from \"./session/session.js\";\nimport { createTenantModule } from \"./tenant/tenant.js\";\nimport { createTrustModule } from \"./trust/scoring.js\";\nimport type 
{\n\tAuditExportOptions,\n\tAuditFilter,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tDelegateInput,\n\tDelegationChain,\n\tKavachConfig,\n\tMcpServer,\n\tMcpServerInput,\n\tRequestContext,\n} from \"./types.js\";\n\n/**\n * Map an authorization denial reason string to a violation type.\n * Falls back to 'permission_denied' when no more specific match is found.\n */\nfunction classifyViolation(reason: string | undefined): ViolationType {\n\tconst r = reason?.toLowerCase() ?? \"\";\n\tif (r.includes(\"rate\") || r.includes(\"rate_limited\")) return \"rate_limited\";\n\tif (r.includes(\"ip\") || r.includes(\"allowlist\")) return \"ip_blocked\";\n\tif (r.includes(\"time\") || r.includes(\"window\")) return \"time_restricted\";\n\tif (r.includes(\"approval\")) return \"approval_required\";\n\treturn \"permission_denied\";\n}\n\n/**\n * Create a KavachOS instance.\n *\n * The factory is **async** so it can open database connections for Postgres\n * and MySQL (which require async driver initialisation) and optionally run\n * `CREATE TABLE IF NOT EXISTS` for all schema tables.\n *\n * @example SQLite (simplest)\n * ```typescript\n * import { createKavach } from 'kavachos';\n *\n * const kavach = await createKavach({\n * database: { provider: 'sqlite', url: 'kavach.db' },\n * });\n * ```\n *\n * @example Postgres\n * ```typescript\n * const kavach = await createKavach({\n * database: { provider: 'postgres', url: process.env.DATABASE_URL },\n * });\n * ```\n *\n * @example MySQL – skip auto-migration (tables managed externally)\n * ```typescript\n * const kavach = await createKavach({\n * database: {\n * provider: 'mysql',\n * url: process.env.DATABASE_URL,\n * skipMigrations: true,\n * },\n * });\n * ```\n */\nexport async function createKavach(config: KavachConfig) {\n\tconst authAdapter = config.auth?.adapter ?? 
null;\n\n\tconst db = await createDatabase(config.database);\n\n\t// Automatically create tables unless the caller has opted out.\n\t// Uses CREATE TABLE IF NOT EXISTS so it is safe to run every startup.\n\tif (!config.database.skipMigrations) {\n\t\tawait createTables(db, config.database.provider);\n\t}\n\n\tconst agentConfig = {\n\t\tdb,\n\t\tmaxPerUser: config.agents?.maxPerUser ?? 10,\n\t\tdefaultPermissions: config.agents?.defaultPermissions ?? [],\n\t\ttokenExpiry: config.agents?.tokenExpiry ?? \"24h\",\n\t};\n\n\tconst agentModule = createAgentModule(agentConfig);\n\n\tconst permissionEngine = createPermissionEngine({\n\t\tdb,\n\t\tauditAll: config.agents?.auditAll ?? true,\n\t});\n\n\tconst auditModule = createAuditModule({ db });\n\n\tconst delegationModule = createDelegationModule({ db });\n\n\t// Session manager – only created when the caller opts in via auth.session.\n\tconst sessionManager: SessionManager | null = config.auth?.session\n\t\t? createSessionManager(config.auth.session, db)\n\t\t: null;\n\n\t// Privilege analyzer — always available via kavach.analyzer.\n\tconst privilegeAnalyzer = createPrivilegeAnalyzer(db);\n\n\t// Lifecycle hooks from config.\n\tconst hooks = config.hooks ?? {};\n\n\tconst tenantModule = createTenantModule(db);\n\n\tconst policyModule = createPolicyModule(db);\n\n\t// Approval module — CIBA-style async human approval flows\n\tconst approvalModule = createApprovalModule(config.approval ?? {}, db);\n\n\t// Trust module — graduated autonomy scoring\n\tconst trustModule = createTrustModule({}, db);\n\n\t// DID module — W3C Decentralized Identifiers for agents\n\tconst didModule = createDidModule(db, config.did);\n\n\t// Magic link — only created when the caller provides config.magicLink.\n\t// Requires a session manager to issue sessions on verification.\n\tconst magicLinkModule: MagicLinkModule | null =\n\t\tconfig.magicLink && sessionManager\n\t\t\t? 
createMagicLinkModule(config.magicLink, db, sessionManager)\n\t\t\t: null;\n\n\t// Email OTP — only created when the caller provides config.emailOtp.\n\t// Requires a session manager to issue sessions on verification.\n\tconst emailOtpModule: EmailOtpModule | null =\n\t\tconfig.emailOtp && sessionManager\n\t\t\t? createEmailOtpModule(config.emailOtp, db, sessionManager)\n\t\t\t: null;\n\n\t// TOTP — only created when the caller provides config.totp.\n\tconst totpModule: TotpModule | null = config.totp ? createTotpModule(config.totp, db) : null;\n\n\t// Passkey — only created when the caller provides config.passkey.\n\tconst passkeyModule: PasskeyModule | null = config.passkey\n\t\t? createPasskeyModule(config.passkey, db)\n\t\t: null;\n\n\t// Org — only created when the caller provides config.org.\n\tconst orgModule: OrgModule | null = config.org ? createOrgModule(config.org, db) : null;\n\n\t// SSO — only created when the caller provides config.sso.\n\tconst ssoModule: SsoModule | null = config.sso ? createSsoModule(config.sso, db) : null;\n\n\t// Admin — only created when the caller provides config.admin.\n\tconst adminModule: AdminModule | null = config.admin\n\t\t? createAdminModule(config.admin, db, sessionManager)\n\t\t: null;\n\n\t// API Keys — only created when the caller provides config.apiKeys.\n\tconst apiKeyManagerModule: ApiKeyManagerModule | null = config.apiKeys\n\t\t? createApiKeyManagerModule(config.apiKeys, db)\n\t\t: null;\n\n\t// Username auth — only created when the caller provides config.username.\n\tconst usernameModule: UsernameAuthModule | null =\n\t\tconfig.username && sessionManager\n\t\t\t? createUsernameAuthModule(config.username, db, sessionManager)\n\t\t\t: null;\n\n\t// Phone auth — only created when the caller provides config.phone.\n\tconst phoneModule: PhoneAuthModule | null =\n\t\tconfig.phone && sessionManager ? 
createPhoneAuthModule(config.phone, db, sessionManager) : null;\n\n\t// Captcha — only created when the caller provides config.captcha.\n\tconst captchaModule: CaptchaModule | null = config.captcha\n\t\t? createCaptchaModule(config.captcha)\n\t\t: null;\n\n\t// Webhooks — only created when the caller provides config.webhooks.\n\tconst webhookModule: WebhookModule | null =\n\t\tconfig.webhooks && config.webhooks.length > 0 ? createWebhookModule(config.webhooks) : null;\n\n\t// Plugin system — runs after core modules so plugins can depend on them.\n\t// Plugins may register endpoints, run migrations, and collect lifecycle hooks.\n\tconst pluginRegistry = await initializePlugins(config.plugins ?? [], db, config);\n\n\t// Build an EndpointContext that plugins can use inside their handlers.\n\t// We capture sessionManager in closure so it's available if configured.\n\tconst endpointCtx: EndpointContext = {\n\t\tdb,\n\t\tasync getUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\tif (!authAdapter) return null;\n\t\t\treturn authAdapter.resolveUser(request);\n\t\t},\n\t\tasync getSession(token: string) {\n\t\t\tif (!sessionManager) return null;\n\t\t\treturn sessionManager.validate(token);\n\t\t},\n\t};\n\n\tconst pluginRouter = createPluginRouter(pluginRegistry.endpoints);\n\n\t// Authorize: look up agent, check own permissions then delegated permissions\n\tasync function authorize(\n\t\tagentId: string,\n\t\trequest: AuthorizeRequest,\n\t\tcontext?: RequestContext,\n\t): Promise<AuthorizeResult> {\n\t\t// beforeAuthorize hook — may block the request before any DB work\n\t\tif (hooks.beforeAuthorize) {\n\t\t\tconst verdict = await hooks.beforeAuthorize({\n\t\t\t\tagentId,\n\t\t\t\taction: request.action,\n\t\t\t\tresource: request.resource,\n\t\t\t\targuments: request.arguments,\n\t\t\t});\n\t\t\tif (verdict && !verdict.allow) {\n\t\t\t\tconst reason = verdict.reason ?? 
\"Blocked by beforeAuthorize hook\";\n\t\t\t\tvoid hooks.onViolation?.({\n\t\t\t\t\ttype: classifyViolation(reason),\n\t\t\t\t\tagentId,\n\t\t\t\t\taction: request.action,\n\t\t\t\t\tresource: request.resource,\n\t\t\t\t\treason,\n\t\t\t\t});\n\t\t\t\treturn { allowed: false, reason, auditId: \"\" };\n\t\t\t}\n\t\t}\n\n\t\tconst agent = await agentModule.get(agentId);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agentId}\" not found`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\tif (agent.status !== \"active\") {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Agent \"${agent.name}\" is ${agent.status}`,\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\n\t\tconst enrichedRequest: AuthorizeRequest = context ? { ...request, context } : request;\n\n\t\t// First check the agent's own permissions\n\t\tconst ownResult = await permissionEngine.authorize(agent, enrichedRequest);\n\n\t\tlet finalResult: AuthorizeResult;\n\n\t\tif (ownResult.allowed) {\n\t\t\tfinalResult = ownResult;\n\t\t} else {\n\t\t\t// If own permissions deny, check effective permissions from delegation chains\n\t\t\tconst delegatedPerms = await delegationModule.getEffectivePermissions(agentId);\n\n\t\t\tif (delegatedPerms.length === 0) {\n\t\t\t\tfinalResult = ownResult;\n\t\t\t} else {\n\t\t\t\t// Build a synthetic agent view with delegated permissions merged in\n\t\t\t\tconst agentWithDelegated = { ...agent, permissions: delegatedPerms };\n\t\t\t\tconst delegatedResult = await permissionEngine.authorize(\n\t\t\t\t\tagentWithDelegated,\n\t\t\t\t\tenrichedRequest,\n\t\t\t\t);\n\t\t\t\t// Both denied — return the original denial so the message references the agent by name\n\t\t\t\tfinalResult = delegatedResult.allowed ? 
delegatedResult : ownResult;\n\t\t\t}\n\t\t}\n\n\t\t// afterAuthorize hook\n\t\tvoid hooks.afterAuthorize?.({\n\t\t\tagentId,\n\t\t\taction: request.action,\n\t\t\tresource: request.resource,\n\t\t\tresult: {\n\t\t\t\tallowed: finalResult.allowed,\n\t\t\t\treason: finalResult.reason,\n\t\t\t\tauditId: finalResult.auditId,\n\t\t\t},\n\t\t});\n\n\t\t// onViolation hook when the request was denied\n\t\tif (!finalResult.allowed) {\n\t\t\tvoid hooks.onViolation?.({\n\t\t\t\ttype: classifyViolation(finalResult.reason),\n\t\t\t\tagentId,\n\t\t\t\taction: request.action,\n\t\t\t\tresource: request.resource,\n\t\t\t\treason: finalResult.reason ?? \"Authorization denied\",\n\t\t\t});\n\t\t}\n\n\t\treturn finalResult;\n\t}\n\n\t// Authorize by token: validate token then check permissions\n\tasync function authorizeByToken(\n\t\ttoken: string,\n\t\trequest: AuthorizeRequest,\n\t\tcontext?: RequestContext,\n\t): Promise<AuthorizeResult> {\n\t\tconst agent = await agentModule.validateToken(token);\n\t\tif (!agent) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"Invalid or expired agent token\",\n\t\t\t\tauditId: \"\",\n\t\t\t};\n\t\t}\n\t\tconst enrichedRequest: AuthorizeRequest = context ? 
{ ...request, context } : request;\n\t\treturn permissionEngine.authorize(agent, enrichedRequest);\n\t}\n\n\t// Delegate: verify parent permissions then create chain\n\tasync function delegate(input: DelegateInput): Promise<DelegationChain> {\n\t\tconst parentAgent = await agentModule.get(input.fromAgent);\n\t\tif (!parentAgent) throw new Error(`Parent agent \"${input.fromAgent}\" not found`);\n\t\tif (parentAgent.status !== \"active\") {\n\t\t\tthrow new Error(`Parent agent \"${parentAgent.name}\" is ${parentAgent.status}`);\n\t\t}\n\t\treturn delegationModule.delegate(input, parentAgent.permissions);\n\t}\n\n\t// Agent facade with hooks wired in\n\tconst agentProxy = {\n\t\tasync create(\n\t\t\t...args: Parameters<typeof agentModule.create>\n\t\t): ReturnType<typeof agentModule.create> {\n\t\t\tconst [input] = args;\n\n\t\t\tif (hooks.beforeAgentCreate) {\n\t\t\t\tconst verdict = await hooks.beforeAgentCreate(input);\n\t\t\t\tif (verdict && !verdict.allow) {\n\t\t\t\t\tthrow new Error(verdict.reason ?? 
\"Agent creation blocked by beforeAgentCreate hook\");\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst agent = await agentModule.create(input);\n\n\t\t\tvoid hooks.afterAgentCreate?.(agent);\n\n\t\t\treturn agent;\n\t\t},\n\n\t\tasync revoke(agentId: string): ReturnType<typeof agentModule.revoke> {\n\t\t\tawait agentModule.revoke(agentId);\n\t\t\tvoid hooks.onAgentRevoke?.(agentId);\n\t\t},\n\n\t\tasync rotate(\n\t\t\t...args: Parameters<typeof agentModule.rotate>\n\t\t): ReturnType<typeof agentModule.rotate> {\n\t\t\treturn agentModule.rotate(...args);\n\t\t},\n\n\t\tget: agentModule.get,\n\t\tlist: agentModule.list,\n\t\tupdate: agentModule.update,\n\t\tvalidateToken: agentModule.validateToken,\n\t};\n\n\t// ── MCP server registry ─────────────────────────────────────────\n\t// Uses the kavach_mcp_servers table (defined in db/schema.ts).\n\tconst mcpRegistry = {\n\t\t/**\n\t\t * Register a new MCP tool server.\n\t\t *\n\t\t * Persists the server entry to the `kavach_mcp_servers` table.\n\t\t * The returned record includes the generated `id` and `createdAt`.\n\t\t */\n\t\tasync register(input: McpServerInput): Promise<McpServer> {\n\t\t\tconst now = new Date();\n\t\t\tconst id = randomUUID();\n\n\t\t\tawait db.insert(mcpServers).values({\n\t\t\t\tid,\n\t\t\t\tname: input.name,\n\t\t\t\tendpoint: input.endpoint,\n\t\t\t\ttools: input.tools,\n\t\t\t\tauthRequired: input.authRequired ?? true,\n\t\t\t\trateLimitRpm: input.rateLimit?.rpm ?? null,\n\t\t\t\tstatus: \"active\",\n\t\t\t\tcreatedAt: now,\n\t\t\t\tupdatedAt: now,\n\t\t\t});\n\n\t\t\treturn {\n\t\t\t\tid,\n\t\t\t\tname: input.name,\n\t\t\t\tendpoint: input.endpoint,\n\t\t\t\ttools: input.tools,\n\t\t\t\tauthRequired: input.authRequired ?? 
true,\n\t\t\t\tcreatedAt: now,\n\t\t\t};\n\t\t},\n\n\t\t/**\n\t\t * List all registered MCP servers (active and inactive).\n\t\t */\n\t\tasync list(): Promise<McpServer[]> {\n\t\t\tconst rows = await db.select().from(mcpServers);\n\t\t\treturn rows.map((row) => ({\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tendpoint: row.endpoint,\n\t\t\t\ttools: row.tools,\n\t\t\t\tauthRequired: row.authRequired,\n\t\t\t\tcreatedAt: row.createdAt,\n\t\t\t}));\n\t\t},\n\n\t\t/**\n\t\t * Get a single MCP server by ID. Returns null when not found.\n\t\t */\n\t\tasync get(id: string): Promise<McpServer | null> {\n\t\t\tconst rows = await db.select().from(mcpServers).where(eq(mcpServers.id, id));\n\t\t\tconst row = rows[0];\n\t\t\tif (!row) return null;\n\t\t\treturn {\n\t\t\t\tid: row.id,\n\t\t\t\tname: row.name,\n\t\t\t\tendpoint: row.endpoint,\n\t\t\t\ttools: row.tools,\n\t\t\t\tauthRequired: row.authRequired,\n\t\t\t\tcreatedAt: row.createdAt,\n\t\t\t};\n\t\t},\n\t};\n\n\treturn {\n\t\tagent: agentProxy,\n\t\tauthorize,\n\t\tauthorizeByToken,\n\t\tdelegate,\n\t\tdelegation: {\n\t\t\trevoke: delegationModule.revokeDelegation,\n\t\t\tgetEffectivePermissions: delegationModule.getEffectivePermissions,\n\t\t\tlistChains: delegationModule.listChains,\n\t\t},\n\t\taudit: {\n\t\t\tquery: (filter: AuditFilter) => auditModule.query(filter),\n\t\t\texport: (options: AuditExportOptions) => auditModule.export(options),\n\t\t\tcleanup: (options: { retentionDays: number }) => auditModule.cleanup(options),\n\t\t},\n\t\t/**\n\t\t * MCP server registration.\n\t\t *\n\t\t * Register and look up MCP tool servers. 
Uses the `kavach_mcp_servers`\n\t\t * database table — no separate in-memory store needed.\n\t\t */\n\t\tmcp: mcpRegistry,\n\t\t/**\n\t\t * Least-privilege analyzer.\n\t\t *\n\t\t * Compare agent permissions against actual audit log usage to surface\n\t\t * wildcards, unused grants, and over-permissioned identities.\n\t\t */\n\t\tanalyzer: {\n\t\t\tanalyzeAgent: privilegeAnalyzer.analyzeAgent,\n\t\t\tanalyzeAll: privilegeAnalyzer.analyzeAll,\n\t\t\tgetSummary: privilegeAnalyzer.getSummary,\n\t\t},\n\t\t/**\n\t\t * Human auth integration.\n\t\t *\n\t\t * `resolveUser` extracts the authenticated human from an inbound HTTP\n\t\t * request via the configured adapter. `session` is a full session\n\t\t * manager (create / validate / revoke) when `auth.session` was passed\n\t\t * to `createKavach()`.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * app.use(async (req, res, next) => {\n\t\t * const user = await kavach.auth.resolveUser(req);\n\t\t * if (!user) return res.status(401).json({ error: 'Unauthorized' });\n\t\t * req.user = user;\n\t\t * next();\n\t\t * });\n\t\t * ```\n\t\t */\n\t\tauth: {\n\t\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\t\tif (!authAdapter) return null;\n\t\t\t\treturn authAdapter.resolveUser(request);\n\t\t\t},\n\t\t\tsession: sessionManager,\n\t\t},\n\t\t/**\n\t\t * Resolve a human user from an incoming HTTP request.\n\t\t *\n\t\t * @deprecated Use `kavach.auth.resolveUser(request)` instead.\n\t\t */\n\t\tasync resolveUser(request: Request): Promise<ResolvedUser | null> {\n\t\t\tif (!authAdapter) return null;\n\t\t\treturn authAdapter.resolveUser(request);\n\t\t},\n\t\t/** Direct database access for advanced usage */\n\t\tdb,\n\t\t/**\n\t\t * Multi-tenant isolation.\n\t\t *\n\t\t * Create and manage tenants (organizations) that share a single\n\t\t * KavachOS instance with full data isolation. 
Agents can be scoped\n\t\t * to a tenant via `tenantId`.\n\t\t */\n\t\ttenant: tenantModule,\n\t\t/**\n\t\t * Agent execution budget policies.\n\t\t *\n\t\t * Set spending caps (token cost, call counts) per agent, user, or\n\t\t * tenant. Exceeded policies trigger a configurable action: warn,\n\t\t * throttle, block, or revoke.\n\t\t */\n\t\tpolicies: policyModule,\n\t\t/**\n\t\t * CIBA-style async human approval flows.\n\t\t *\n\t\t * Create pending approval requests, notify humans via webhook or\n\t\t * custom handler, and resolve them with approve / deny.\n\t\t */\n\t\tapproval: approvalModule,\n\t\t/**\n\t\t * Graduated autonomy trust scoring.\n\t\t *\n\t\t * Compute and persist 0-100 trust scores derived from audit history,\n\t\t * mapped to five levels: untrusted, limited, standard, trusted, elevated.\n\t\t */\n\t\ttrust: trustModule,\n\t\t/**\n\t\t * W3C Decentralized Identifiers (DID) for agents.\n\t\t *\n\t\t * Generate did:key or did:web identities, sign payloads, and verify\n\t\t * signatures. 
Private keys are never stored — they are returned to\n\t\t * the caller on generation and must be stored securely.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const { agentDid, privateKeyJwk } = await kavach.did.generateKey(agentId);\n\t\t * const signed = await kavach.did.sign(agentId, { action: 'read' }, privateKeyJwk);\n\t\t * const result = await kavach.did.verify(signed.jws, agentDid.did);\n\t\t * ```\n\t\t */\n\t\tdid: didModule,\n\t\t/**\n\t\t * Magic link (passwordless email) authentication.\n\t\t *\n\t\t * Null when `magicLink` config was not provided or `auth.session` is not\n\t\t * configured (sessions are required to issue tokens on verification).\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * // In your route handler\n\t\t * const response = await kavach.magicLink?.handleRequest(request);\n\t\t * if (response) return response;\n\t\t * ```\n\t\t */\n\t\tmagicLink: magicLinkModule,\n\t\t/**\n\t\t * Email OTP (one-time password) authentication.\n\t\t *\n\t\t * Null when `emailOtp` config was not provided or `auth.session` is not\n\t\t * configured.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const response = await kavach.emailOtp?.handleRequest(request);\n\t\t * if (response) return response;\n\t\t * ```\n\t\t */\n\t\temailOtp: emailOtpModule,\n\t\t/**\n\t\t * TOTP two-factor authentication.\n\t\t *\n\t\t * Null when `totp` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * // On setup (show QR code to user)\n\t\t * const { secret, uri, backupCodes } = await kavach.totp.setup(userId);\n\t\t *\n\t\t * // After user scans QR and enters code\n\t\t * const { enabled } = await kavach.totp.enable(userId, totpCode);\n\t\t *\n\t\t * // On login (after password check)\n\t\t * const { valid } = await kavach.totp.verify(userId, totpCode);\n\t\t * ```\n\t\t */\n\t\ttotp: totpModule,\n\t\t/**\n\t\t * Passkey / WebAuthn authentication.\n\t\t *\n\t\t * Null when `passkey` config was not provided.\n\t\t *\n\t\t * 
@example\n\t\t * ```typescript\n\t\t * // Registration — step 1: get options, send to browser\n\t\t * const options = await kavach.passkey.getRegistrationOptions(userId, userName);\n\t\t *\n\t\t * // Registration — step 2: verify browser response\n\t\t * const { credential } = await kavach.passkey.verifyRegistration(userId, response);\n\t\t *\n\t\t * // Authentication — step 1: get options\n\t\t * const options = await kavach.passkey.getAuthenticationOptions(userId);\n\t\t *\n\t\t * // Authentication — step 2: verify browser response\n\t\t * const result = await kavach.passkey.verifyAuthentication(response);\n\t\t * if (result) console.log('Authenticated user:', result.userId);\n\t\t * ```\n\t\t */\n\t\tpasskey: passkeyModule,\n\t\t/**\n\t\t * Organizations + RBAC.\n\t\t *\n\t\t * Null when `org` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const org = await kavach.org?.create({ name: 'Acme', slug: 'acme', ownerId: userId });\n\t\t * const allowed = await kavach.org?.hasPermission(org.id, userId, 'agents:create');\n\t\t * ```\n\t\t */\n\t\torg: orgModule,\n\t\t/**\n\t\t * SSO (SAML 2.0 + OIDC) enterprise authentication.\n\t\t *\n\t\t * Null when `sso` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const conn = await kavach.sso?.createConnection({ orgId, providerId: 'okta', type: 'saml', domain: 'acme.com' });\n\t\t * const url = await kavach.sso?.getSamlAuthUrl(conn.id);\n\t\t * ```\n\t\t */\n\t\tsso: ssoModule,\n\t\t/**\n\t\t * Admin module.\n\t\t *\n\t\t * Null when `admin` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * await kavach.admin?.banUser(userId, 'Spam');\n\t\t * const { session } = await kavach.admin?.impersonate(adminId, userId);\n\t\t * ```\n\t\t */\n\t\tadmin: adminModule,\n\t\t/**\n\t\t * API key management.\n\t\t *\n\t\t * Null when `apiKeys` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const { key, apiKey } = 
await kavach.apiKeys?.create({ userId, name: 'CI', permissions: ['agents:read'] });\n\t\t * const result = await kavach.apiKeys?.validate(key);\n\t\t * ```\n\t\t */\n\t\tapiKeys: apiKeyManagerModule,\n\t\t/**\n\t\t * Username + password authentication.\n\t\t *\n\t\t * Null when `username` config was not provided or `auth.session` is not\n\t\t * configured (sessions are required to issue tokens on sign-in/up).\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const response = await kavach.username?.handleRequest(request);\n\t\t * if (response) return response;\n\t\t * ```\n\t\t */\n\t\tusername: usernameModule,\n\t\t/**\n\t\t * Phone number (SMS OTP) authentication.\n\t\t *\n\t\t * Null when `phone` config was not provided or `auth.session` is not\n\t\t * configured.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const response = await kavach.phone?.handleRequest(request);\n\t\t * if (response) return response;\n\t\t * ```\n\t\t */\n\t\tphone: phoneModule,\n\t\t/**\n\t\t * Captcha integration (reCAPTCHA, hCaptcha, Cloudflare Turnstile).\n\t\t *\n\t\t * Null when `captcha` config was not provided.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * const result = await kavach.captcha?.verify(token, ip);\n\t\t * if (!result?.success) return new Response('Captcha failed', { status: 403 });\n\t\t * ```\n\t\t */\n\t\tcaptcha: captchaModule,\n\t\t/**\n\t\t * Webhook system.\n\t\t *\n\t\t * Null when `webhooks` config was not provided or the array is empty.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * kavach.webhooks?.emit('user.created', { userId: user.id });\n\t\t * ```\n\t\t */\n\t\twebhooks: webhookModule,\n\t\t/**\n\t\t * Plugin system.\n\t\t *\n\t\t * Route incoming HTTP requests through plugin-registered endpoints,\n\t\t * retrieve all endpoints for adapter mounting, or access plugin-provided\n\t\t * context values.\n\t\t *\n\t\t * @example\n\t\t * ```typescript\n\t\t * // In a framework adapter\n\t\t * app.all('/kavach/*', async (req) => 
{\n\t\t * const response = await kavach.plugins.handleRequest(req);\n\t\t * if (response) return response;\n\t\t * return new Response('Not Found', { status: 404 });\n\t\t * });\n\t\t * ```\n\t\t */\n\t\tplugins: {\n\t\t\t/** Route a request through plugin endpoints. Returns null if no plugin handles it. */\n\t\t\thandleRequest(request: Request, basePath = \"\"): Promise<Response | null> {\n\t\t\t\treturn pluginRouter.handle(request, basePath, endpointCtx);\n\t\t\t},\n\t\t\t/** Get all endpoints registered by plugins (for framework adapter mounting). */\n\t\t\tgetEndpoints() {\n\t\t\t\treturn pluginRouter.getEndpoints();\n\t\t\t},\n\t\t\t/** Get the merged plugin context (values returned from plugin init). */\n\t\t\tgetContext(): Record<string, unknown> {\n\t\t\t\treturn { ...pluginRegistry.pluginContext };\n\t\t\t},\n\t\t\t/** Access the raw plugin registry (hooks, migrations, etc.). */\n\t\t\tregistry: pluginRegistry,\n\t\t},\n\t};\n}\n\nexport type Kavach = Awaited<ReturnType<typeof createKavach>>;\n","/**\n * OpenAPI 3.1 specification generator for KavachOS REST API.\n *\n * This generates the spec that enables auto-generated SDKs\n * for Python, Go, Java, Rust, etc. 
via OpenAPI codegen tools.\n */\n\nexport interface OpenAPISpec {\n\topenapi: string;\n\tinfo: { title: string; version: string; description: string };\n\tservers: Array<{ url: string; description: string }>;\n\tpaths: Record<string, Record<string, PathOperation>>;\n\tcomponents: {\n\t\tschemas: Record<string, SchemaObject>;\n\t\tsecuritySchemes: Record<string, SecurityScheme>;\n\t};\n}\n\ninterface PathOperation {\n\tsummary: string;\n\toperationId: string;\n\ttags: string[];\n\tsecurity?: Array<Record<string, string[]>>;\n\tparameters?: ParameterObject[];\n\trequestBody?: { required: boolean; content: Record<string, { schema: SchemaRef }> };\n\tresponses: Record<\n\t\tstring,\n\t\t{ description: string; content?: Record<string, { schema: SchemaRef }> }\n\t>;\n}\n\ninterface ParameterObject {\n\tname: string;\n\tin: \"query\" | \"path\" | \"header\";\n\trequired: boolean;\n\tschema: SchemaRef;\n}\n\ninterface SecurityScheme {\n\ttype: string;\n\tscheme?: string;\n\tbearerFormat?: string;\n}\n\ntype SchemaRef = { $ref: string } | SchemaObject;\n\ninterface SchemaObject {\n\ttype?: string;\n\tproperties?: Record<string, SchemaRef>;\n\trequired?: string[];\n\titems?: SchemaRef;\n\tenum?: string[];\n\tdescription?: string;\n\tformat?: string;\n\tnullable?: boolean;\n}\n\n/**\n * Generate the full OpenAPI 3.1 specification for the KavachOS REST API.\n */\nexport function generateOpenAPISpec(options?: { baseUrl?: string; version?: string }): OpenAPISpec {\n\tconst baseUrl = options?.baseUrl ?? \"http://localhost:3000\";\n\tconst version = options?.version ?? \"0.0.1\";\n\n\treturn {\n\t\topenapi: \"3.1.0\",\n\t\tinfo: {\n\t\t\ttitle: \"KavachOS API\",\n\t\t\tversion,\n\t\t\tdescription:\n\t\t\t\t\"The Auth OS for AI Agents. 
Identity, permissions, delegation, and audit for the agentic era.\",\n\t\t},\n\t\tservers: [{ url: baseUrl, description: \"KavachOS API Server\" }],\n\t\tpaths: {\n\t\t\t\"/agents\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create a new agent\",\n\t\t\t\t\toperationId: \"createAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/CreateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Agent created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { $ref: \"#/components/schemas/AgentWithToken\" },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"400\": { description: \"Invalid input\" },\n\t\t\t\t\t\t\"429\": { description: \"Max agents per user exceeded\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"List agents\",\n\t\t\t\t\toperationId: \"listAgents\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"status\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"type\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"List of agents\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: 
\"#/components/schemas/Agent\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Get agent by ID\",\n\t\t\t\t\toperationId: \"getAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent details\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t\"404\": { description: \"Agent not found\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tpatch: {\n\t\t\t\t\tsummary: \"Update agent\",\n\t\t\t\t\toperationId: \"updateAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/UpdateAgentInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Agent updated\",\n\t\t\t\t\t\t\tcontent: { \"application/json\": { schema: { $ref: \"#/components/schemas/Agent\" } } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tdelete: {\n\t\t\t\t\tsummary: \"Revoke agent\",\n\t\t\t\t\toperationId: \"revokeAgent\",\n\t\t\t\t\ttags: [\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: { \"204\": { description: \"Agent revoked\" } },\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/agents/{id}/rotate\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Rotate agent token\",\n\t\t\t\t\toperationId: \"rotateAgentToken\",\n\t\t\t\t\ttags: 
[\"Agents\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [{ name: \"id\", in: \"path\", required: true, schema: { type: \"string\" } }],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"New token issued\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AgentWithToken\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize an agent action\",\n\t\t\t\t\toperationId: \"authorize\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeRequest\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/authorize/token\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Authorize by agent token\",\n\t\t\t\t\toperationId: \"authorizeByToken\",\n\t\t\t\t\ttags: [\"Authorization\"],\n\t\t\t\t\tsecurity: [{ AgentToken: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\tschema: {\n\t\t\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\trequired: [\"action\", \"resource\"],\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Authorization 
result\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/AuthorizeResult\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/audit\": {\n\t\t\t\tget: {\n\t\t\t\t\tsummary: \"Query audit logs\",\n\t\t\t\t\toperationId: \"queryAudit\",\n\t\t\t\t\ttags: [\"Audit\"],\n\t\t\t\t\tsecurity: [{ BearerAuth: [] }],\n\t\t\t\t\tparameters: [\n\t\t\t\t\t\t{ name: \"agentId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{ name: \"userId\", in: \"query\", required: false, schema: { type: \"string\" } },\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"since\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"until\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\tname: \"result\",\n\t\t\t\t\t\t\tin: \"query\",\n\t\t\t\t\t\t\trequired: false,\n\t\t\t\t\t\t\tschema: { type: \"string\", enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\t},\n\t\t\t\t\t\t{ name: \"limit\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t\t{ name: \"offset\", in: \"query\", required: false, schema: { type: \"integer\" } },\n\t\t\t\t\t],\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"200\": {\n\t\t\t\t\t\t\tdescription: \"Audit log entries\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": {\n\t\t\t\t\t\t\t\t\tschema: { type: \"array\", items: { $ref: \"#/components/schemas/AuditEntry\" } },\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\t\"/delegations\": {\n\t\t\t\tpost: {\n\t\t\t\t\tsummary: \"Create delegation chain\",\n\t\t\t\t\toperationId: \"createDelegation\",\n\t\t\t\t\ttags: [\"Delegation\"],\n\t\t\t\t\tsecurity: [{ 
BearerAuth: [] }],\n\t\t\t\t\trequestBody: {\n\t\t\t\t\t\trequired: true,\n\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegateInput\" } },\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t\tresponses: {\n\t\t\t\t\t\t\"201\": {\n\t\t\t\t\t\t\tdescription: \"Delegation created\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\t\"application/json\": { schema: { $ref: \"#/components/schemas/DelegationChain\" } },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t\tcomponents: {\n\t\t\tschemas: {\n\t\t\t\tCreateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"ownerId\", \"name\", \"type\", \"permissions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tUpdateAgentInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tmetadata: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgent: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\townerId: { type: \"string\" },\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\", enum: [\"autonomous\", \"delegated\", \"service\"] },\n\t\t\t\t\t\tstatus: { type: \"string\", enum: [\"active\", \"revoked\", \"expired\"] },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: 
\"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\", nullable: true },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tupdatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAgentWithToken: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tdescription: \"Agent identity with the token (only returned on create/rotate)\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\ttoken: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription:\n\t\t\t\t\t\t\t\t\"Agent token (kv_ prefix). Store securely - not retrievable after creation.\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tname: { type: \"string\" },\n\t\t\t\t\t\ttype: { type: \"string\" },\n\t\t\t\t\t\tstatus: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermission: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"resource\", \"actions\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tresource: {\n\t\t\t\t\t\t\ttype: \"string\",\n\t\t\t\t\t\t\tdescription: \"Resource pattern (e.g. 
mcp:github:*, tool:file_read)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tactions: {\n\t\t\t\t\t\t\ttype: \"array\",\n\t\t\t\t\t\t\titems: { type: \"string\" },\n\t\t\t\t\t\t\tdescription: \"Allowed actions (read, write, execute, delete, *)\",\n\t\t\t\t\t\t},\n\t\t\t\t\t\tconstraints: { $ref: \"#/components/schemas/PermissionConstraints\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tPermissionConstraints: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tmaxCallsPerHour: { type: \"integer\" },\n\t\t\t\t\t\tallowedArgPatterns: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t\trequireApproval: { type: \"boolean\" },\n\t\t\t\t\t\ttimeWindow: {\n\t\t\t\t\t\t\ttype: \"object\",\n\t\t\t\t\t\t\tproperties: {\n\t\t\t\t\t\t\t\tstart: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t\tend: { type: \"string\", description: \"HH:MM format\" },\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t\tipAllowlist: { type: \"array\", items: { type: \"string\" } },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeRequest: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"agentId\", \"action\", \"resource\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\targuments: { type: \"object\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuthorizeResult: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tallowed: { type: \"boolean\" },\n\t\t\t\t\t\treason: { type: \"string\", nullable: true },\n\t\t\t\t\t\tauditId: { type: \"string\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tAuditEntry: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tagentId: { type: \"string\" },\n\t\t\t\t\t\tuserId: { type: \"string\" },\n\t\t\t\t\t\taction: { type: \"string\" },\n\t\t\t\t\t\tresource: { type: \"string\" },\n\t\t\t\t\t\tparameters: { type: \"object\" },\n\t\t\t\t\t\tresult: { type: \"string\", 
enum: [\"allowed\", \"denied\", \"rate_limited\"] },\n\t\t\t\t\t\tdurationMs: { type: \"integer\" },\n\t\t\t\t\t\ttimestamp: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegateInput: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\trequired: [\"fromAgent\", \"toAgent\", \"permissions\", \"expiresAt\"],\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tmaxDepth: { type: \"integer\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\tDelegationChain: {\n\t\t\t\t\ttype: \"object\",\n\t\t\t\t\tproperties: {\n\t\t\t\t\t\tid: { type: \"string\" },\n\t\t\t\t\t\tfromAgent: { type: \"string\" },\n\t\t\t\t\t\ttoAgent: { type: \"string\" },\n\t\t\t\t\t\tpermissions: { type: \"array\", items: { $ref: \"#/components/schemas/Permission\" } },\n\t\t\t\t\t\tdepth: { type: \"integer\" },\n\t\t\t\t\t\texpiresAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t\tcreatedAt: { type: \"string\", format: \"date-time\" },\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsecuritySchemes: {\n\t\t\t\tBearerAuth: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"JWT\",\n\t\t\t\t},\n\t\t\t\tAgentToken: {\n\t\t\t\t\ttype: \"http\",\n\t\t\t\t\tscheme: \"bearer\",\n\t\t\t\t\tbearerFormat: \"KavachOS Agent Token (kv_...)\",\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t};\n}\n","/**\n * Cookie serialization and parsing utilities for KavachOS.\n *\n * Pure functions that work with Web API `Request`/`Response` objects and\n * raw header strings. 
No framework dependencies.\n */\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport type SameSite = \"strict\" | \"lax\" | \"none\";\n\nexport interface CookieOptions {\n\t/** Prevents JavaScript access to the cookie. Default: true. */\n\thttpOnly?: boolean;\n\t/**\n\t * Restricts transmission to HTTPS. Default: true in production\n\t * (when `NODE_ENV === 'production'`), false otherwise.\n\t */\n\tsecure?: boolean;\n\t/** Controls cross-site sending. Default: 'lax'. */\n\tsameSite?: SameSite;\n\t/** Cookie scope path. Default: '/'. */\n\tpath?: string;\n\t/** Cookie scope domain (omitted when not set). */\n\tdomain?: string;\n\t/** Lifetime in seconds from now. Sets both Max-Age and Expires. */\n\tmaxAge?: number;\n\t/** Absolute expiry date (overridden by maxAge when both are set). */\n\texpires?: Date;\n\t/** Partitioned attribute (CHIPS). */\n\tpartitioned?: boolean;\n}\n\n// ---------------------------------------------------------------------------\n// Defaults\n// ---------------------------------------------------------------------------\n\nconst IS_PRODUCTION = typeof process !== \"undefined\" && process.env.NODE_ENV === \"production\";\n\nconst DEFAULT_OPTIONS: Required<\n\tOmit<CookieOptions, \"domain\" | \"maxAge\" | \"expires\" | \"partitioned\">\n> = {\n\thttpOnly: true,\n\tsecure: IS_PRODUCTION,\n\tsameSite: \"lax\",\n\tpath: \"/\",\n};\n\n// ---------------------------------------------------------------------------\n// Serialization\n// ---------------------------------------------------------------------------\n\n/**\n * Serialize a cookie name/value pair into a `Set-Cookie` header string.\n *\n * @param name Cookie name. Must be a valid cookie-name token.\n * @param value Cookie value. Will be percent-encoded.\n * @param options Cookie attributes. 
Defaults to `httpOnly=true`, `secure`\n * based on `NODE_ENV`, `sameSite=lax`, `path=/`.\n */\nexport function serializeCookie(name: string, value: string, options?: CookieOptions): string {\n\tvalidateCookieName(name);\n\n\tconst opts = { ...DEFAULT_OPTIONS, ...options };\n\tconst parts: string[] = [`${name}=${encodeURIComponent(value)}`];\n\n\tif (opts.httpOnly) parts.push(\"HttpOnly\");\n\tif (opts.secure) parts.push(\"Secure\");\n\n\tconst sameSite = opts.sameSite ?? \"lax\";\n\tparts.push(`SameSite=${capitalize(sameSite)}`);\n\n\tconst path = opts.path ?? \"/\";\n\tparts.push(`Path=${path}`);\n\n\tif (options?.domain) parts.push(`Domain=${options.domain}`);\n\n\tif (options?.maxAge !== undefined) {\n\t\tparts.push(`Max-Age=${options.maxAge}`);\n\t\t// Also set Expires for older clients.\n\t\tconst expiryDate = new Date(Date.now() + options.maxAge * 1000);\n\t\tparts.push(`Expires=${expiryDate.toUTCString()}`);\n\t} else if (options?.expires) {\n\t\tparts.push(`Expires=${options.expires.toUTCString()}`);\n\t}\n\n\tif (options?.partitioned) parts.push(\"Partitioned\");\n\n\treturn parts.join(\"; \");\n}\n\n/**\n * Serialize a deletion cookie (zero Max-Age, past Expires) that will\n * instruct browsers to remove the named cookie.\n */\nexport function serializeCookieDeletion(\n\tname: string,\n\toptions?: Omit<CookieOptions, \"maxAge\" | \"expires\">,\n): string {\n\treturn serializeCookie(name, \"\", {\n\t\t...options,\n\t\tmaxAge: 0,\n\t\texpires: new Date(0),\n\t});\n}\n\n// ---------------------------------------------------------------------------\n// Parsing\n// ---------------------------------------------------------------------------\n\n/**\n * Parse a `Cookie` request header string into a name → value map.\n *\n * Values are percent-decoded. Unknown or malformed pairs are skipped\n * silently so that a single bad cookie does not break the entire request.\n *\n * @param header The raw value of the `Cookie` header (e.g. 
`\"a=1; b=2\"`).\n */\nexport function parseCookies(header: string): Record<string, string> {\n\tconst result: Record<string, string> = {};\n\n\tif (!header || !header.trim()) return result;\n\n\tfor (const pair of header.split(\";\")) {\n\t\tconst eqIndex = pair.indexOf(\"=\");\n\t\tif (eqIndex === -1) continue;\n\n\t\tconst name = pair.slice(0, eqIndex).trim();\n\t\tconst raw = pair.slice(eqIndex + 1).trim();\n\n\t\tif (!name) continue;\n\n\t\ttry {\n\t\t\tresult[name] = decodeURIComponent(raw);\n\t\t} catch {\n\t\t\t// Malformed percent-encoding — skip this cookie.\n\t\t}\n\t}\n\n\treturn result;\n}\n\n/**\n * Extract a single cookie value from a `Cookie` header string.\n *\n * Returns `undefined` when the cookie is absent.\n */\nexport function getCookie(header: string, name: string): string | undefined {\n\treturn parseCookies(header)[name];\n}\n\n/**\n * Extract cookies from a Web API `Request` object.\n */\nexport function parseCookiesFromRequest(request: Request): Record<string, string> {\n\treturn parseCookies(request.headers.get(\"cookie\") ?? 
\"\");\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\nfunction capitalize(s: string): string {\n\treturn s.charAt(0).toUpperCase() + s.slice(1);\n}\n\n// RFC 6265 §4.1.1 separator characters (excluding control chars, handled separately)\nconst COOKIE_NAME_SEPARATORS = /[\\s()<>@,;:\\\\\"/[\\]?={}]/;\n\n/**\n * Validate that a cookie name follows RFC 6265 §4.1.1.\n * Throws for names containing control characters (0x00–0x1f, 0x7f) or separators.\n */\nfunction validateCookieName(name: string): void {\n\tif (!name) {\n\t\tthrow new Error(`Invalid cookie name: \"${name}\"`);\n\t}\n\tfor (let i = 0; i < name.length; i++) {\n\t\tconst code = name.charCodeAt(i);\n\t\t// Reject control characters (0x00–0x1f) and DEL (0x7f).\n\t\tif (code <= 31 || code === 127) {\n\t\t\tthrow new Error(`Invalid cookie name: \"${name}\"`);\n\t\t}\n\t}\n\tif (COOKIE_NAME_SEPARATORS.test(name)) {\n\t\tthrow new Error(`Invalid cookie name: \"${name}\"`);\n\t}\n}\n","/**\n * CSRF protection utilities for KavachOS.\n *\n * Implements two complementary defences:\n *\n * 1. **Origin/Referer validation** — checks the inbound request's `Origin`\n * (or `Referer` as fallback) against a caller-supplied allowlist. This\n * alone blocks the vast majority of CSRF attacks from browser clients.\n *\n * 2. **Double-submit cookie pattern** — a random token is stored in a cookie\n * AND submitted by the client as a request header (or body field). The\n * server verifies both values match using a timing-safe comparison.\n *\n * Use origin validation first; fall back to token comparison when the origin\n * header is absent (e.g. 
same-origin requests on some browsers, server-side\n * fetch).\n *\n * @example\n * ```typescript\n * import { generateCsrfToken, validateCsrfToken, validateOrigin } from './csrf.js';\n *\n * // On form render: store token in cookie, embed in hidden field.\n * const token = await generateCsrfToken();\n *\n * // On form submit:\n * const originOk = validateOrigin(request, ['https://app.example.com']);\n * const tokenOk = validateCsrfToken(submittedToken, cookieToken);\n * if (!originOk && !tokenOk) throw new Error('CSRF check failed');\n * ```\n */\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface CsrfValidationResult {\n\tvalid: boolean;\n\treason?: string;\n}\n\n// ---------------------------------------------------------------------------\n// Token generation\n// ---------------------------------------------------------------------------\n\nconst TOKEN_BYTE_LENGTH = 32;\n\n/**\n * Generate a cryptographically random CSRF token.\n *\n * Uses `crypto.getRandomValues` (Web Crypto API) so it works in both\n * Node.js ≥ 19 and browser/edge runtimes.\n *\n * Returns a URL-safe base64 string (~43 chars).\n */\nexport function generateCsrfToken(): string {\n\tconst bytes = new Uint8Array(TOKEN_BYTE_LENGTH);\n\tcrypto.getRandomValues(bytes);\n\treturn uint8ArrayToBase64Url(bytes);\n}\n\n// ---------------------------------------------------------------------------\n// Token validation — double-submit cookie pattern\n// ---------------------------------------------------------------------------\n\n/**\n * Validate a CSRF token from the request against the value stored in the\n * cookie using a constant-time comparison to prevent timing attacks.\n *\n * Both `requestToken` and `cookieToken` must be non-empty strings produced\n * by `generateCsrfToken()`. 
Any mismatch returns `{ valid: false }`.\n *\n * @param requestToken Token submitted with the request (header / body).\n * @param cookieToken Token read from the CSRF cookie.\n */\nexport function validateCsrfToken(requestToken: string, cookieToken: string): CsrfValidationResult {\n\tif (!requestToken || !cookieToken) {\n\t\treturn { valid: false, reason: \"Missing CSRF token\" };\n\t}\n\n\tif (!timingSafeEqual(requestToken, cookieToken)) {\n\t\treturn { valid: false, reason: \"CSRF token mismatch\" };\n\t}\n\n\treturn { valid: true };\n}\n\n// ---------------------------------------------------------------------------\n// Origin validation\n// ---------------------------------------------------------------------------\n\n/**\n * Validate the `Origin` (or `Referer` fallback) header of an incoming\n * request against a list of trusted origins.\n *\n * Rules:\n * - If `Origin` is present and matches a trusted origin → valid.\n * - If `Origin` is `\"null\"` (opaque origin) → invalid.\n * - If `Origin` is absent, falls back to the `Referer` header.\n * - If neither header is present → result depends on `allowMissingOrigin`.\n *\n * @param request Incoming Web API `Request`.\n * @param trustedOrigins Array of allowed origins, e.g. `['https://app.example.com']`.\n * Trailing slashes are stripped before comparison.\n * @param allowMissingOrigin When `true`, requests without an `Origin` or\n * `Referer` header are considered valid (useful for\n * server-to-server calls). 
Defaults to `false`.\n */\nexport function validateOrigin(\n\trequest: Request,\n\ttrustedOrigins: string[],\n\tallowMissingOrigin = false,\n): CsrfValidationResult {\n\tconst normalised = trustedOrigins.map(normaliseOrigin);\n\n\tconst originHeader = request.headers.get(\"origin\");\n\n\tif (originHeader) {\n\t\tif (originHeader === \"null\") {\n\t\t\treturn { valid: false, reason: \"Opaque origin rejected\" };\n\t\t}\n\t\tconst requestOrigin = normaliseOrigin(originHeader);\n\t\tif (normalised.includes(requestOrigin)) {\n\t\t\treturn { valid: true };\n\t\t}\n\t\treturn {\n\t\t\tvalid: false,\n\t\t\treason: `Origin \"${originHeader}\" is not in the trusted list`,\n\t\t};\n\t}\n\n\t// Fall back to Referer when Origin is absent.\n\tconst refererHeader = request.headers.get(\"referer\");\n\n\tif (refererHeader) {\n\t\ttry {\n\t\t\tconst refererOrigin = normaliseOrigin(new URL(refererHeader).origin);\n\t\t\tif (normalised.includes(refererOrigin)) {\n\t\t\t\treturn { valid: true };\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tvalid: false,\n\t\t\t\treason: `Referer origin \"${refererOrigin}\" is not in the trusted list`,\n\t\t\t};\n\t\t} catch {\n\t\t\treturn { valid: false, reason: \"Malformed Referer header\" };\n\t\t}\n\t}\n\n\t// Neither header present.\n\tif (allowMissingOrigin) {\n\t\treturn { valid: true };\n\t}\n\treturn { valid: false, reason: \"No Origin or Referer header present\" };\n}\n\n// ---------------------------------------------------------------------------\n// Internal helpers\n// ---------------------------------------------------------------------------\n\n/**\n * Strip trailing slash and lowercase the scheme+host for stable comparison.\n */\nfunction normaliseOrigin(origin: string): string {\n\treturn origin.replace(/\\/$/, \"\").toLowerCase();\n}\n\n/**\n * Constant-time string comparison to prevent timing side-channels.\n *\n * Compares character-by-character without short-circuiting. 
Always touches\n * every character of the longer string so the execution time does not leak\n * which prefix matches.\n */\nfunction timingSafeEqual(a: string, b: string): boolean {\n\tconst aBytes = new TextEncoder().encode(a);\n\tconst bBytes = new TextEncoder().encode(b);\n\n\tif (aBytes.length !== bBytes.length) {\n\t\t// Still iterate to avoid early-exit timing leak on length mismatch.\n\t\tlet _diff = 0;\n\t\tconst max = Math.max(aBytes.length, bBytes.length);\n\t\tfor (let i = 0; i < max; i++) {\n\t\t\t_diff |= (aBytes[i] ?? 0) ^ (bBytes[i] ?? 0);\n\t\t}\n\t\t// Length mismatch always fails, but we ran the loop for timing safety.\n\t\treturn false;\n\t}\n\n\tlet diff = 0;\n\tfor (let i = 0; i < aBytes.length; i++) {\n\t\tdiff |= (aBytes[i] ?? 0) ^ (bBytes[i] ?? 0);\n\t}\n\treturn diff === 0;\n}\n\n/**\n * Encode a `Uint8Array` as URL-safe base64 (no padding).\n *\n * Works in Node.js ≥ 16 and browser/edge runtimes without any dependencies.\n */\nfunction uint8ArrayToBase64Url(bytes: Uint8Array): string {\n\t// In Node.js we can use Buffer for speed; in other runtimes we fall back.\n\tif (typeof Buffer !== \"undefined\") {\n\t\treturn Buffer.from(bytes).toString(\"base64url\");\n\t}\n\t// Browser/edge fallback via btoa.\n\tlet binary = \"\";\n\tfor (const byte of bytes) {\n\t\tbinary += String.fromCharCode(byte);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=/g, \"\");\n}\n","/**\n * Cookie-aware session manager for KavachOS.\n *\n * Wraps the lower-level `createSessionManager` with cookie serialization and\n * optional CSRF protection so callers work with `Request`/`Response` objects\n * directly rather than managing raw tokens and headers themselves.\n *\n * @example\n * ```typescript\n * import { createCookieSessionManager } from './manager.js';\n *\n * const sessions = createCookieSessionManager(\n * { secret: process.env.SESSION_SECRET },\n * db,\n * );\n *\n * // On login\n * const { session, setCookieHeader } = 
await sessions.createSession(user.id);\n * return new Response(null, {\n * status: 302,\n * headers: { Location: '/dashboard', 'Set-Cookie': setCookieHeader },\n * });\n *\n * // On each request\n * const session = await sessions.validateSession(request.headers.get('cookie') ?? '');\n * if (!session) return new Response('Unauthorized', { status: 401 });\n *\n * // On logout\n * const deleteCookie = sessions.buildLogoutCookie();\n * return new Response(null, {\n * status: 302,\n * headers: { Location: '/login', 'Set-Cookie': deleteCookie },\n * });\n * ```\n */\n\nimport { and, eq } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { sessions as sessionsTable } from \"../db/schema.js\";\nimport type { CookieOptions } from \"./cookie.js\";\nimport { getCookie, serializeCookie, serializeCookieDeletion } from \"./cookie.js\";\nimport type { Session, SessionConfig, SessionManager } from \"./session.js\";\nimport { createSessionManager } from \"./session.js\";\n\n// ---------------------------------------------------------------------------\n// Types\n// ---------------------------------------------------------------------------\n\nexport interface CookieSessionConfig extends SessionConfig {\n\t/**\n\t * Name of the session cookie.\n\t * Defaults to `\"kavach_session\"`.\n\t */\n\tsessionName?: string;\n\n\t/**\n\t * Additional cookie attributes applied when setting the session cookie.\n\t * `maxAge` is derived from `SessionConfig.maxAge` when not explicitly set.\n\t */\n\tcookieOptions?: Omit<CookieOptions, \"maxAge\">;\n\n\t/**\n\t * When `true`, `validateSession` automatically refreshes the session\n\t * expiry on every successful validation. Defaults to `true`.\n\t */\n\tautoRefresh?: boolean;\n}\n\nexport interface CreateSessionResult {\n\t/** The persisted session record. */\n\tsession: Session;\n\t/** Ready-to-use `Set-Cookie` header value. 
*/\n\tsetCookieHeader: string;\n}\n\nexport interface ValidateSessionResult {\n\t/** The valid session, or `null` when the cookie is absent/invalid/expired. */\n\tsession: Session | null;\n\t/**\n\t * When `autoRefresh` is enabled and the session was valid, the refreshed\n\t * `Set-Cookie` header to forward to the client. `null` otherwise.\n\t */\n\trefreshCookieHeader: string | null;\n}\n\nexport interface CookieSessionManager {\n\t/**\n\t * Create a new session for the given user and return the session record\n\t * together with a `Set-Cookie` header string ready to attach to a response.\n\t */\n\tcreateSession(userId: string, metadata?: Record<string, unknown>): Promise<CreateSessionResult>;\n\n\t/**\n\t * Parse the `Cookie` header, look up the session in the database, and\n\t * verify it has not expired.\n\t *\n\t * When `autoRefresh` is enabled the session is extended on each valid\n\t * request and a new `Set-Cookie` header is returned for forwarding.\n\t *\n\t * @param cookieHeader Raw value of the `Cookie` request header.\n\t */\n\tvalidateSession(cookieHeader: string): Promise<ValidateSessionResult>;\n\n\t/**\n\t * Extend the session expiry to `now + maxAge`.\n\t *\n\t * Returns the updated session and a fresh `Set-Cookie` header.\n\t * Returns `null` when the session does not exist.\n\t */\n\trefreshSession(sessionId: string): Promise<{ session: Session; setCookieHeader: string } | null>;\n\n\t/**\n\t * Delete a session by ID (server-side) and return a deletion cookie that\n\t * will clear the browser cookie on the next response.\n\t */\n\trevokeSession(sessionId: string): Promise<{ deleteCookieHeader: string }>;\n\n\t/**\n\t * Revoke all sessions for the given user.\n\t *\n\t * Returns a deletion cookie header for clearing the current browser cookie.\n\t */\n\trevokeAllSessions(userId: string): Promise<{ deleteCookieHeader: string }>;\n\n\t/**\n\t * List all non-expired sessions for a user, newest first.\n\t */\n\tlistSessions(userId: string): 
Promise<Session[]>;\n\n\t/**\n\t * Build a `Set-Cookie` header that deletes the session cookie on the client\n\t * without any database operation. Useful in error paths.\n\t */\n\tbuildLogoutCookie(): string;\n\n\t/** Expose the underlying low-level session manager for advanced usage. */\n\traw: SessionManager;\n}\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\nconst DEFAULT_SESSION_NAME = \"kavach_session\";\nconst DEFAULT_MAX_AGE_SECONDS = 60 * 60 * 24 * 7; // 7 days\n\n// ---------------------------------------------------------------------------\n// Factory\n// ---------------------------------------------------------------------------\n\n/**\n * Create a cookie-aware session manager.\n *\n * Internally delegates all DB operations to `createSessionManager`.\n *\n * @param config Cookie-aware session configuration.\n * @param db Drizzle database instance from `createDatabase()`.\n */\nexport function createCookieSessionManager(\n\tconfig: CookieSessionConfig,\n\tdb: Database,\n): CookieSessionManager {\n\tconst sessionName = config.sessionName ?? DEFAULT_SESSION_NAME;\n\tconst maxAgeSecs = config.maxAge ?? DEFAULT_MAX_AGE_SECONDS;\n\tconst autoRefresh = config.autoRefresh ?? 
true;\n\n\tconst raw = createSessionManager(config, db);\n\n\t// Base cookie attributes shared across all cookie operations.\n\tconst baseCookieOpts: CookieOptions = {\n\t\thttpOnly: true,\n\t\tsameSite: \"lax\",\n\t\tpath: \"/\",\n\t\t...config.cookieOptions,\n\t\tmaxAge: maxAgeSecs,\n\t};\n\n\tfunction buildSetCookie(token: string): string {\n\t\treturn serializeCookie(sessionName, token, baseCookieOpts);\n\t}\n\n\tfunction buildDeleteCookie(): string {\n\t\tconst { maxAge: _omit, ...rest } = baseCookieOpts;\n\t\treturn serializeCookieDeletion(sessionName, rest);\n\t}\n\n\t// ── public API ────────────────────────────────────────────────────────\n\n\tasync function createSession(\n\t\tuserId: string,\n\t\tmetadata?: Record<string, unknown>,\n\t): Promise<CreateSessionResult> {\n\t\tconst { session, token } = await raw.create(userId, metadata);\n\t\treturn { session, setCookieHeader: buildSetCookie(token) };\n\t}\n\n\tasync function validateSession(cookieHeader: string): Promise<ValidateSessionResult> {\n\t\tconst token = getCookie(cookieHeader, sessionName);\n\t\tif (!token) {\n\t\t\treturn { session: null, refreshCookieHeader: null };\n\t\t}\n\n\t\tconst session = await raw.validate(token);\n\t\tif (!session) {\n\t\t\treturn { session: null, refreshCookieHeader: null };\n\t\t}\n\n\t\t// Auto-refresh: extend expiry and return a fresh cookie.\n\t\tif (autoRefresh) {\n\t\t\tconst refreshed = await refreshSession(session.id);\n\t\t\tif (refreshed) {\n\t\t\t\treturn { session: refreshed.session, refreshCookieHeader: refreshed.setCookieHeader };\n\t\t\t}\n\t\t}\n\n\t\treturn { session, refreshCookieHeader: null };\n\t}\n\n\tasync function refreshSession(\n\t\tsessionId: string,\n\t): Promise<{ session: Session; setCookieHeader: string } | null> {\n\t\t// Look up the session row directly via the shared `db` instance.\n\t\t// `raw.validate()` is token-based so we cannot use it here — only the\n\t\t// sessionId is available at this call site.\n\n\t\tconst rows = await 
db\n\t\t\t.select()\n\t\t\t.from(sessionsTable)\n\t\t\t.where(and(eq(sessionsTable.id, sessionId)));\n\n\t\tconst row = rows[0];\n\t\tif (!row) return null;\n\t\tif (row.expiresAt <= new Date()) return null;\n\n\t\t// Delete the old session and issue a fresh one so the new signed JWT\n\t\t// reflects the updated expiry. This keeps the session count stable\n\t\t// and avoids the need to re-sign a token at this layer.\n\t\tawait db.delete(sessionsTable).where(eq(sessionsTable.id, sessionId));\n\t\tconst { session: newSession, token: newToken } = await raw.create(\n\t\t\trow.userId,\n\t\t\trow.metadata ?? undefined,\n\t\t);\n\n\t\treturn { session: newSession, setCookieHeader: buildSetCookie(newToken) };\n\t}\n\n\tasync function revokeSession(sessionId: string): Promise<{ deleteCookieHeader: string }> {\n\t\tawait raw.revoke(sessionId);\n\t\treturn { deleteCookieHeader: buildDeleteCookie() };\n\t}\n\n\tasync function revokeAllSessions(userId: string): Promise<{ deleteCookieHeader: string }> {\n\t\tawait raw.revokeAll(userId);\n\t\treturn { deleteCookieHeader: buildDeleteCookie() };\n\t}\n\n\tasync function listSessions(userId: string): Promise<Session[]> {\n\t\treturn raw.list(userId);\n\t}\n\n\tfunction buildLogoutCookie(): string {\n\t\treturn buildDeleteCookie();\n\t}\n\n\treturn {\n\t\tcreateSession,\n\t\tvalidateSession,\n\t\trefreshSession,\n\t\trevokeSession,\n\t\trevokeAllSessions,\n\t\tlistSessions,\n\t\tbuildLogoutCookie,\n\t\traw,\n\t};\n}\n","/**\n * Multi-session support for KavachOS.\n *\n * Allows users to maintain multiple concurrent sessions (phone, laptop, tablet)\n * with optional per-user session caps. 
When the cap is reached, the oldest\n * session is evicted automatically (configurable).\n *\n * Uses the existing `kavach_sessions` table — no additional schema required.\n *\n * @example\n * ```typescript\n * const multiSession = createMultiSessionModule(\n * { maxSessions: 5, overflowStrategy: 'evict-oldest' },\n * db,\n * sessionManager,\n * );\n *\n * // List all active sessions for a user\n * const sessionList = await multiSession.listSessions(userId);\n *\n * // Sign out everywhere except here\n * const count = await multiSession.revokeOtherSessions(userId, currentSessionId);\n * ```\n */\n\nimport { and, eq, ne } from \"drizzle-orm\";\nimport type { Database } from \"../db/database.js\";\nimport { sessions } from \"../db/schema.js\";\nimport type { SessionManager } from \"./session.js\";\n\n// ---------------------------------------------------------------------------\n// Public types\n// ---------------------------------------------------------------------------\n\nexport interface MultiSessionConfig {\n\t/** Max concurrent sessions per user (default: 10) */\n\tmaxSessions?: number;\n\t/** Strategy when max is reached (default: 'evict-oldest') */\n\toverflowStrategy?: \"reject\" | \"evict-oldest\";\n}\n\nexport interface SessionInfo {\n\tid: string;\n\tcreatedAt: Date;\n\texpiresAt: Date;\n\tmetadata?: Record<string, unknown>;\n\t/** Human-readable device string extracted from User-Agent, e.g. \"Chrome on macOS\" */\n\tdevice?: string;\n\t/** IP address recorded at session creation */\n\tip?: string;\n}\n\nexport interface MultiSessionModule {\n\t/** List all non-expired sessions for a user, newest first. */\n\tlistSessions(userId: string): Promise<SessionInfo[]>;\n\t/** Revoke a single session by ID. */\n\trevokeSession(sessionId: string): Promise<void>;\n\t/** Revoke every session except the given one. Returns the count revoked. 
*/\n\trevokeOtherSessions(userId: string, currentSessionId: string): Promise<number>;\n\t/** Return the count of active (non-expired) sessions for a user. */\n\tgetSessionCount(userId: string): Promise<number>;\n\t/**\n\t * Enforce the session cap before creating a new session.\n\t *\n\t * Call this before `sessionManager.create()`. If the cap is reached:\n\t * - `evict-oldest` deletes the oldest session and resolves.\n\t * - `reject` throws a `MultiSessionLimitError`.\n\t */\n\tenforceSessionLimit(userId: string): Promise<void>;\n}\n\n// ---------------------------------------------------------------------------\n// Errors\n// ---------------------------------------------------------------------------\n\nexport class MultiSessionLimitError extends Error {\n\treadonly code = \"SESSION_LIMIT_REACHED\";\n\tconstructor(userId: string, max: number) {\n\t\tsuper(`User ${userId} has reached the maximum of ${max} concurrent sessions`);\n\t}\n}\n\n// ---------------------------------------------------------------------------\n// User-Agent parsing\n// ---------------------------------------------------------------------------\n\n/**\n * Extract a short device description from a User-Agent string.\n * Returns strings like \"Chrome on macOS\", \"Safari on iOS\", \"Firefox on Windows\".\n * Falls back to \"Unknown\" when the UA cannot be parsed.\n */\nfunction parseUserAgent(ua: string | undefined | null): string | undefined {\n\tif (!ua) return undefined;\n\n\t// OS detection (order matters — iOS before macOS)\n\tlet os: string;\n\tif (/iphone|ipad|ipod/i.test(ua)) {\n\t\tos = \"iOS\";\n\t} else if (/android/i.test(ua)) {\n\t\tos = \"Android\";\n\t} else if (/macintosh|mac os x/i.test(ua)) {\n\t\tos = \"macOS\";\n\t} else if (/windows/i.test(ua)) {\n\t\tos = \"Windows\";\n\t} else if (/linux/i.test(ua)) {\n\t\tos = \"Linux\";\n\t} else {\n\t\tos = \"Unknown OS\";\n\t}\n\n\t// Browser / client detection\n\tlet browser: string;\n\tif (/edg\\//i.test(ua)) {\n\t\tbrowser = 
\"Edge\";\n\t} else if (/opr\\//i.test(ua) || /opera/i.test(ua)) {\n\t\tbrowser = \"Opera\";\n\t} else if (/firefox\\//i.test(ua)) {\n\t\tbrowser = \"Firefox\";\n\t} else if (/chrome\\//i.test(ua) && !/chromium/i.test(ua)) {\n\t\tbrowser = \"Chrome\";\n\t} else if (/safari\\//i.test(ua) && !/chrome/i.test(ua)) {\n\t\tbrowser = \"Safari\";\n\t} else if (/curl\\//i.test(ua)) {\n\t\tbrowser = \"curl\";\n\t} else if (/python-requests/i.test(ua)) {\n\t\tbrowser = \"Python\";\n\t} else {\n\t\tbrowser = \"Unknown\";\n\t}\n\n\treturn `${browser} on ${os}`;\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\nfunction rowToSessionInfo(row: {\n\tid: string;\n\tcreatedAt: Date;\n\texpiresAt: Date;\n\tmetadata: Record<string, unknown> | null;\n}): SessionInfo {\n\tconst metadata = row.metadata ?? undefined;\n\n\t// Pull device/ip out of metadata if they were stored there.\n\tconst device = metadata && typeof metadata.device === \"string\" ? metadata.device : undefined;\n\tconst ip = metadata && typeof metadata.ip === \"string\" ? metadata.ip : undefined;\n\n\t// Build clean metadata without internal fields.\n\tlet cleanMetadata: Record<string, unknown> | undefined;\n\tif (metadata) {\n\t\tconst { device: _d, ip: _i, ...rest } = metadata;\n\t\tvoid _d;\n\t\tvoid _i;\n\t\tcleanMetadata = Object.keys(rest).length > 0 ? 
rest : undefined;\n\t}\n\n\treturn {\n\t\tid: row.id,\n\t\tcreatedAt: row.createdAt,\n\t\texpiresAt: row.expiresAt,\n\t\t...(cleanMetadata !== undefined && { metadata: cleanMetadata }),\n\t\t...(device !== undefined && { device }),\n\t\t...(ip !== undefined && { ip }),\n\t};\n}\n\n// ---------------------------------------------------------------------------\n// Factory\n// ---------------------------------------------------------------------------\n\nexport function createMultiSessionModule(\n\tconfig: MultiSessionConfig,\n\tdb: Database,\n\tsessionManager: SessionManager,\n): MultiSessionModule {\n\tconst maxSessions = config.maxSessions ?? 10;\n\tconst overflowStrategy = config.overflowStrategy ?? \"evict-oldest\";\n\n\tasync function listSessions(userId: string): Promise<SessionInfo[]> {\n\t\tconst now = new Date();\n\n\t\tconst rows = await db.select().from(sessions).where(eq(sessions.userId, userId));\n\n\t\treturn rows\n\t\t\t.filter((r) => r.expiresAt > now)\n\t\t\t.sort((a, b) => b.createdAt.getTime() - a.createdAt.getTime())\n\t\t\t.map(rowToSessionInfo);\n\t}\n\n\tasync function revokeSession(sessionId: string): Promise<void> {\n\t\tawait sessionManager.revoke(sessionId);\n\t}\n\n\tasync function revokeOtherSessions(userId: string, currentSessionId: string): Promise<number> {\n\t\tconst now = new Date();\n\n\t\t// Query all sessions for this user except the current one, including expiresAt.\n\t\tconst activeRows = await db\n\t\t\t.select({ id: sessions.id, expiresAt: sessions.expiresAt })\n\t\t\t.from(sessions)\n\t\t\t.where(and(eq(sessions.userId, userId), ne(sessions.id, currentSessionId)));\n\n\t\tconst activeIds = activeRows.filter((r) => r.expiresAt > now).map((r) => r.id);\n\n\t\tfor (const id of activeIds) {\n\t\t\tawait sessionManager.revoke(id);\n\t\t}\n\n\t\treturn activeIds.length;\n\t}\n\n\tasync function getSessionCount(userId: string): Promise<number> {\n\t\tconst now = new Date();\n\n\t\tconst rows = await db\n\t\t\t.select({ id: 
sessions.id, expiresAt: sessions.expiresAt })\n\t\t\t.from(sessions)\n\t\t\t.where(eq(sessions.userId, userId));\n\n\t\treturn rows.filter((r) => r.expiresAt > now).length;\n\t}\n\n\tasync function enforceSessionLimit(userId: string): Promise<void> {\n\t\tconst now = new Date();\n\n\t\tconst rows = await db\n\t\t\t.select({ id: sessions.id, expiresAt: sessions.expiresAt, createdAt: sessions.createdAt })\n\t\t\t.from(sessions)\n\t\t\t.where(eq(sessions.userId, userId));\n\n\t\tconst activeSessions = rows\n\t\t\t.filter((r) => r.expiresAt > now)\n\t\t\t.sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime()); // oldest first\n\n\t\tif (activeSessions.length < maxSessions) return;\n\n\t\tif (overflowStrategy === \"reject\") {\n\t\t\tthrow new MultiSessionLimitError(userId, maxSessions);\n\t\t}\n\n\t\t// evict-oldest: remove oldest sessions until we are below the cap.\n\t\tconst toEvict = activeSessions.slice(0, activeSessions.length - maxSessions + 1);\n\t\tfor (const s of toEvict) {\n\t\t\tawait sessionManager.revoke(s.id);\n\t\t}\n\t}\n\n\treturn { listSessions, revokeSession, revokeOtherSessions, getSessionCount, enforceSessionLimit };\n}\n\n// ---------------------------------------------------------------------------\n// Utility: enrich session metadata with device info from a Request\n// ---------------------------------------------------------------------------\n\n/**\n * Build metadata to pass to `sessionManager.create()` that includes\n * device info extracted from the incoming request.\n *\n * @example\n * ```typescript\n * const meta = buildSessionMetadata(request, { role: 'admin' });\n * const { token } = await sessionManager.create(userId, meta);\n * ```\n */\nexport function buildSessionMetadata(\n\trequest: Request,\n\textra?: Record<string, unknown>,\n): Record<string, unknown> {\n\tconst ua = request.headers.get(\"user-agent\");\n\tconst ip =\n\t\trequest.headers.get(\"x-forwarded-for\")?.split(\",\")[0]?.trim() 
??\n\t\trequest.headers.get(\"x-real-ip\") ??\n\t\tundefined;\n\n\tconst device = parseUserAgent(ua);\n\n\treturn {\n\t\t...(device !== undefined && { device }),\n\t\t...(ip !== undefined && { ip }),\n\t\t...extra,\n\t};\n}\n","export type WebhookEvent =\n\t| \"user.created\"\n\t| \"user.deleted\"\n\t| \"user.updated\"\n\t| \"agent.created\"\n\t| \"agent.revoked\"\n\t| \"agent.rotated\"\n\t| \"session.created\"\n\t| \"session.revoked\"\n\t| \"auth.login\"\n\t| \"auth.logout\"\n\t| \"auth.failed\"\n\t| \"delegation.created\"\n\t| \"delegation.revoked\"\n\t| \"org.created\"\n\t| \"org.member.added\"\n\t| \"org.member.removed\";\n\nexport interface WebhookConfig {\n\t/** Signing secret for HMAC-SHA256 webhook signatures */\n\tsecret: string;\n\t/** Max delivery attempts (default: 3) */\n\tmaxRetries?: number;\n\t/** Timeout per delivery in ms (default: 10000) */\n\ttimeoutMs?: number;\n}\n\nexport interface WebhookSubscription {\n\tid: string;\n\turl: string;\n\tevents: WebhookEvent[];\n\tactive: boolean;\n\tcreatedAt: Date;\n}\n\nexport interface WebhookModule {\n\tsubscribe(url: string, events: WebhookEvent[]): Promise<WebhookSubscription>;\n\tunsubscribe(subscriptionId: string): Promise<void>;\n\tlist(): Promise<WebhookSubscription[]>;\n\t/** Dispatch an event to all matching subscribers (fire-and-forget) */\n\tdispatch(event: WebhookEvent, payload: Record<string, unknown>): void;\n\t/** Test a webhook URL */\n\ttest(subscriptionId: string): Promise<{ success: boolean; statusCode?: number; error?: string }>;\n}\n\nfunction generateId(): string {\n\tconst bytes = new Uint8Array(16);\n\tcrypto.getRandomValues(bytes);\n\treturn Array.from(bytes, (b) => b.toString(16).padStart(2, \"0\")).join(\"\");\n}\n\nasync function signPayload(secret: string, body: string): Promise<string> {\n\tconst encoder = new TextEncoder();\n\tconst keyData = encoder.encode(secret);\n\tconst messageData = encoder.encode(body);\n\n\tconst key = await 
crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tkeyData,\n\t\t{ name: \"HMAC\", hash: \"SHA-256\" },\n\t\tfalse,\n\t\t[\"sign\"],\n\t);\n\n\tconst signature = await crypto.subtle.sign(\"HMAC\", key, messageData);\n\tconst hex = Array.from(new Uint8Array(signature), (b) => b.toString(16).padStart(2, \"0\")).join(\n\t\t\"\",\n\t);\n\treturn `sha256=${hex}`;\n}\n\nasync function deliverWebhook(\n\turl: string,\n\tevent: WebhookEvent,\n\tpayload: Record<string, unknown>,\n\tdeliveryId: string,\n\ttimestamp: string,\n\tsignature: string,\n\ttimeoutMs: number,\n): Promise<{ success: boolean; statusCode?: number; error?: string }> {\n\ttry {\n\t\tconst response = await fetch(url, {\n\t\t\tmethod: \"POST\",\n\t\t\theaders: {\n\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\"x-kavach-event\": event,\n\t\t\t\t\"x-kavach-delivery\": deliveryId,\n\t\t\t\t\"x-kavach-timestamp\": timestamp,\n\t\t\t\t\"x-kavach-signature\": signature,\n\t\t\t},\n\t\t\tbody: JSON.stringify(payload),\n\t\t\tsignal: AbortSignal.timeout(timeoutMs),\n\t\t});\n\t\treturn { success: response.ok, statusCode: response.status };\n\t} catch (err) {\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: err instanceof Error ? err.message : \"Unknown error\",\n\t\t};\n\t}\n}\n\nasync function dispatchWithRetry(\n\turl: string,\n\tevent: WebhookEvent,\n\tpayload: Record<string, unknown>,\n\tconfig: Required<WebhookConfig>,\n): Promise<void> {\n\tconst deliveryId = generateId();\n\tconst timestamp = new Date().toISOString();\n\tconst body = JSON.stringify(payload);\n\tconst signature = await signPayload(config.secret, body);\n\n\tconst delays = [1000, 2000, 4000];\n\n\tfor (let attempt = 0; attempt < config.maxRetries; attempt++) {\n\t\tif (attempt > 0) {\n\t\t\tawait new Promise<void>((resolve) => setTimeout(resolve, delays[attempt - 1] ?? 
4000));\n\t\t}\n\n\t\tconst result = await deliverWebhook(\n\t\t\turl,\n\t\t\tevent,\n\t\t\tpayload,\n\t\t\tdeliveryId,\n\t\t\ttimestamp,\n\t\t\tsignature,\n\t\t\tconfig.timeoutMs,\n\t\t);\n\n\t\tif (result.success) {\n\t\t\treturn;\n\t\t}\n\t}\n}\n\nexport function createWebhookModule(config: WebhookConfig): WebhookModule {\n\tconst resolvedConfig: Required<WebhookConfig> = {\n\t\tsecret: config.secret,\n\t\tmaxRetries: config.maxRetries ?? 3,\n\t\ttimeoutMs: config.timeoutMs ?? 10000,\n\t};\n\n\tconst subscriptions = new Map<string, WebhookSubscription>();\n\n\tasync function subscribe(url: string, events: WebhookEvent[]): Promise<WebhookSubscription> {\n\t\tconst sub: WebhookSubscription = {\n\t\t\tid: generateId(),\n\t\t\turl,\n\t\t\tevents,\n\t\t\tactive: true,\n\t\t\tcreatedAt: new Date(),\n\t\t};\n\t\tsubscriptions.set(sub.id, sub);\n\t\treturn sub;\n\t}\n\n\tasync function unsubscribe(subscriptionId: string): Promise<void> {\n\t\tsubscriptions.delete(subscriptionId);\n\t}\n\n\tasync function list(): Promise<WebhookSubscription[]> {\n\t\treturn Array.from(subscriptions.values());\n\t}\n\n\tfunction dispatch(event: WebhookEvent, payload: Record<string, unknown>): void {\n\t\tconst matching = Array.from(subscriptions.values()).filter(\n\t\t\t(sub) => sub.active && sub.events.includes(event),\n\t\t);\n\n\t\tfor (const sub of matching) {\n\t\t\t// fire-and-forget\n\t\t\tvoid dispatchWithRetry(sub.url, event, payload, resolvedConfig);\n\t\t}\n\t}\n\n\tasync function test(\n\t\tsubscriptionId: string,\n\t): Promise<{ success: boolean; statusCode?: number; error?: string }> {\n\t\tconst sub = subscriptions.get(subscriptionId);\n\t\tif (!sub) {\n\t\t\treturn { success: false, error: \"Subscription not found\" };\n\t\t}\n\n\t\tconst deliveryId = generateId();\n\t\tconst timestamp = new Date().toISOString();\n\t\tconst pingPayload = { event: \"ping\", subscriptionId, timestamp };\n\t\tconst body = JSON.stringify(pingPayload);\n\t\tconst signature = await 
signPayload(resolvedConfig.secret, body);\n\n\t\treturn deliverWebhook(\n\t\t\tsub.url,\n\t\t\t\"auth.login\", // placeholder event type for test delivery\n\t\t\tpingPayload,\n\t\t\tdeliveryId,\n\t\t\ttimestamp,\n\t\t\tsignature,\n\t\t\tresolvedConfig.timeoutMs,\n\t\t);\n\t}\n\n\treturn { subscribe, unsubscribe, list, dispatch, test };\n}\n\n/**\n * Verify an incoming webhook signature.\n * Returns true if the signature matches the payload and secret.\n */\nexport async function verifyWebhookSignature(\n\tsecret: string,\n\trawBody: string,\n\tsignature: string,\n): Promise<boolean> {\n\tconst expected = await signPayload(secret, rawBody);\n\t// Constant-time comparison\n\tif (expected.length !== signature.length) return false;\n\tconst a = new TextEncoder().encode(expected);\n\tconst b = new TextEncoder().encode(signature);\n\tlet diff = 0;\n\tfor (let i = 0; i < a.length; i++) {\n\t\tdiff |= (a[i] ?? 0) ^ (b[i] ?? 0);\n\t}\n\treturn diff === 0;\n}\n"]}
|