kavachos 0.3.0 → 0.4.0
- package/dist/a2a/index.d.ts +2 -2
- package/dist/agent/index.d.ts +3 -3
- package/dist/agent/index.js +4 -0
- package/dist/agent/index.js.map +1 -1
- package/dist/audit/index.d.ts +2 -2
- package/dist/audit/index.js +4 -0
- package/dist/audit/index.js.map +1 -1
- package/dist/auth/index.d.ts +64 -3
- package/dist/auth/index.js +91 -2
- package/dist/auth/index.js.map +1 -1
- package/dist/index.d.ts +32 -4
- package/dist/index.js +851 -67
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.d.ts +2 -2
- package/dist/mcp/index.js +38 -1
- package/dist/mcp/index.js.map +1 -1
- package/dist/permission/index.d.ts +8 -3
- package/dist/permission/index.js +68 -59
- package/dist/permission/index.js.map +1 -1
- package/dist/{types-BuHrZcjE.d.ts → types-BiUe9e8u.d.ts} +24 -0
- package/dist/{types-B02D3kZy.d.ts → types-RJPOU4un.d.ts} +114 -2
- package/dist/vc/index.d.ts +254 -65
- package/dist/vc/index.js +160 -12
- package/dist/vc/index.js.map +1 -1
- package/package.json +2 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/db/schema.ts","../../src/permission/engine.ts","../../src/permission/templates.ts"],"names":["result"],"mappings":";;;;;;AAwEO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAkBqB,IAAI,WAAA;ACvFlB,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,MAAA,EAAO;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA;AAAA,EAE5E,QAAQ,OAAA,CAAQ,QAAQ,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,oBAAoB,OAAA,CAAQ,sBAAsB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACvE,eAAe,OAAA,CAAQ,gBAAgB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA;AAAA,EAE5D,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,MAAA,EAAO;AAAA,EACpD,oBAAA,EAAsB,KAAK,wBAAwB,CAAA;AAAA,EACnD,wBAAA,EAA0B,KAAK,4BAA4B,CAAA;AAAA,EAC3D,aAAA,EAAe,KAAK,iBAAiB,CAAA;AAAA,EACrC,wBAAwB,OAAA,CAAQ,2BAAA,EAA6B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAClF,uBAAA,EAAyB,OAAA,CAAQ,6BAAA,EAA+B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CACjF,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,IAAA,CAAK,mBAAmB,CAAA,CAAE,MAAA,EAAO;AAAA,EAClD,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,uBAAA,EAAyB,KAAK,2BAA2B,CAAA;AAAA,EACzD,cAAA,EAAgB,KAAK,kBAAkB,CAAA;AAAA,EACvC,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,sBAAA,EAAwB,OAAA,CAAQ,4BAAA,EAA8B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAC/E,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA,EACf,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,OAAA,GAAU,YAAY,gBAAA,EAAkB;AAAA,EACpD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA
,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAyB;AAAA,EACtE,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAW,CAAA,EAAG,CAAA,CACtD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAYM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK0B,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA,EACnF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAa+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI
,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,SAAA,GAAY,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC,CAAA;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC,CAAA;AAK
yB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKuB,YAAY,iBAAA,EAAmB;AAAA,EACtD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,E
AAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsC,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,EACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,SAAA,EAAW,CAAA;AAAA;AAAA,EAC7E,QAAQ,IAAA,CAAK,SAAS,EAAE,UAAA,CAAW,MAAM,MAAM,EAAE,CAAA;AAAA;AAAA,EACjD,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,MAAA,E
AAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAuB;AAAA,EAC1E,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAsB;AAAA,EACtF,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAS,QAAQ,GAAG,CAAA,CACtE,OAAA,EAAQ,CACR,QAAQ,MAAM,CAAA;AAAA,EAChB,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAA,EAAa,UAAU,GAAG,CAAA,CAClE,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAoByB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,KAAK,aAAa,CAAA;AAAA,EAC/B,OAAA,EAAS,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EACjC,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACzE,YAAA,EAAc,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiB;AAAA,EAChF,gBAAA,EAAkB,IAAA,CAAK,mBAAA,EAAqB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAC1D,OAAA,EAAQ,CACR,KAAA,EAA+B;AAAA,EACjC,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,SAAA,EAAW,KAAK,WAAA,EAAa,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC9E,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,UAAA,EAAY,QAAA,EAAU,SAAS,GAAG,CAAA,CAC3E
,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,aAAa,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC1D,WAAA,EAAa,KAAK,cAAc,CAAA;AAAA,EAChC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAA,EAAO,OAAA,CAAQ,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,KAAA,EAAO,KAAK,OAAA,EAAS;AAAA,IACpB,MAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAA,EAAY,WAAW,UAAU;AAAA,GAChE,EAAE,OAAA,EAAQ;AAAA,EACX,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EACpF,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,aAAA,EAAe;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,YAAW,CACX,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,WAAA,EAAa,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE
,KAAA,EAAwB;AAAA,EACtF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,aAAA,GAAgB,YAAY,sBAAA,EAAwB;AAAA,EAChE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAEyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,QAAA,EAAU,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACvD,CAAC;AAE6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA,CAC1B,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,SAAA,EAAW,UAAA,EAAY,SAAS,GAAG,CAAA,CACjE,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAEuB,YAAY,kBAAA,EAAoB;AAAA,EACvD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;
AAAA,EAC5D,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA;AAC9D,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,cAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACrD,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,UAAA,EAAY,KAAK,YAAY,CAAA;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC5D,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC9B,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvD,QAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACxC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsB,YAAY,iBAAA,EAAmB;AAAA,EACrD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,YAAY,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACzD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,
MAAA,EAAO;AAAA,EAC9C,MAAA,EAAQ,KAAK,SAAS,CAAA;AAAA;AAAA,EACtB,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAgB,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC5C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACzC,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,OAAA,EAAS,KAAK,SAAA,EAAW;AAAA,IACxB,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAA,EAAkB,cAAc,QAAQ;AAAA,GAC/D,EAAE,OAAA,EAAQ;AAAA,EACX,UAAA,EAAY,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACvC,QAAA,EAAU,KAA
K,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,cAAA,EAAgB,EAAE,OAAA;AAC3D,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAK,IAAA,CAAK,KAAK,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAClC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,KAAA,EAAO,KAAK,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzD,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7C,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACrD,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC5E,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAClF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACnE,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,oBAAoB,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAA
M,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,KAAA,EAAO,KAAK,OAAO,CAAA;AAAA,EACnB,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,WAAA,EAAa,QAAQ,cAAc,CAAA;AAAA,EACnC,YAAA,EAAc,QAAQ,eAAe,CAAA;AAAA;AAAA,EAErC,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAU,IAAA,CAAK,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,KAAK,CAAA;AAAA,EAClD,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,iBAAA,EAAmB,KAAK,qBAAqB
,CAAA;AAAA;AAAA,EAC7C,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,aAAa,OAAA,CAAQ,cAAc,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACxD,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,SAAA,EAAW,WAAA,EAAa,SAAS,GAAG,CAAA,CAC5E,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAC/D,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EAC9E,OAAA,EAAS,KAAK,UAAU,CAAA;AAAA,EACxB,MAAA,EAAQ,KAAK,SAAS;AACvB,CAAC;AAK+B,YAAY,2BAAA,EAA6B;AAAA,EACxE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA;AAAA,EAE1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,IAAI,IAAA,CAAK,IAAI,CAAA,CAAE,OAAA,GAAU,UAAA,EAAW;AAAA,EACpC,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,
CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,WAAW,CAAA;AAAA,EAC1B,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKkC,YAAY,6BAAA,EAA+B;AAAA,EAC7E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,YAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACjD,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,YAAA,EAAc,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,CAAC,MAAA,EAAQ,SAAA,EAAW,aAAa,GAAG,CAAA,CAC1E,OAAA,EAAQ,CACR,QAAQ,aAAa,CAAA;AAAA,EACvB,cAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC5D,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA,EACrD,gBAAA,EAAkB,KAAK,oBAAoB,CAAA;AAAA,EAC3C,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvE,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,oBAAA,GAAuB,YAAY,+BAAA,EAAiC;AAAA,EAChF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,
IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,iBAAA,EAAmB,QAAQ,qBAAA,EAAuB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA;AAAA,EAEjF,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK4B,YAAY,uBAAA,EAAyB;AAAA,EACjE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CACxB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,oBAAA,CAAqB,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEnE,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAM,OAAA,CAAQ,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACzC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;;;ACnxBD,SAAS,aAAA,CAAc,SAAiB,QAAA,EAA2B;AAClE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,IAAA,IAAI,IAAA,KAAS,KAAK,OAAO,IAAA;AACzB,IAAA,IAAI,IAAA,KAAS,aAAA,CAAc,CAAC,CAAA,EAAG,OAAO,KAAA;AAAA,EACvC;AAEA,EAAA,OAAO,YAAA,CAAa,WAAW,aAAA,CAAc,MAAA;AAC9C;AAKA,SAAS,WAAA,CAAY,gBAA0B,eAAA,EAAkC;AAChF,EAAA,OAAO,eAAe,QAAA,CAAS,eAAe,CAAA,IAAK,cAAA,CAAe,SAAS,GAAG,CAAA;AAC/E;AAKA,SAAS,UAAU,EAAA,EAA2B;AAC7C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC7B,IAAA,IAAI,MAAA,CAAO,MAAM,GAAG,CAAA,IAAK,MAAM,CAAA,IAAK,GAAA,GAAM,KAAK,OAAO,IAAA;AACtD,IAAA,MAAA,GAAU,UAAU,CAAA,GAAK,GAAA;AAAA,EAC1B;AACA,EAAA,OAAO,MAAA,KAAW,CAAA;AACnB;AAMA,SAAS,cAAA,CAAe,OAAe,EAAA,EAAqB;AAC3D,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACpC,EAAA,IAAI,eAAe,EAAA,EAAI;AACtB,IAAA,OAAO,KAAA,KAAU
,EAAA;AAAA,EAClB;AAEA,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA;AACxC,EAAA,MAAM,YAAY,QAAA,CAAS,KAAA,CAAM,MAAM,UAAA,GAAa,CAAC,GAAG,EAAE,CAAA;AAC1D,EAAA,IAAI,MAAA,CAAO,MAAM,SAAS,CAAA,IAAK,YAAY,CAAA,IAAK,SAAA,GAAY,IAAI,OAAO,KAAA;AAEvE,EAAA,MAAM,QAAA,GAAW,UAAU,MAAM,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,QAAA,KAAa,IAAA,IAAQ,KAAA,KAAU,IAAA,EAAM,OAAO,KAAA;AAEhD,EAAA,MAAM,OAAO,SAAA,KAAc,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,SAAA,KAAgB,CAAA;AAChE,EAAA,OAAA,CAAQ,QAAA,GAAW,WAAW,KAAA,GAAQ,IAAA,CAAA;AACvC;AAKA,SAAS,WAAA,CAAY,WAAqB,EAAA,EAAqB;AAC9D,EAAA,OAAO,UAAU,IAAA,CAAK,CAAC,UAAU,cAAA,CAAe,KAAA,EAAO,EAAE,CAAC,CAAA;AAC3D;AAKA,SAAS,mBAAA,CACR,UACA,IAAA,EACsC;AACtC,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAO,CAAA;AAEhC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAChD,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,EAAG;AACpD,QAAA,OAAO;AAAA,UACN,KAAA,EAAO,KAAA;AAAA,UACP,QAAQ,CAAA,UAAA,EAAa,GAAG,CAAA,SAAA,EAAY,KAAK,6BAA6B,OAAO,CAAA,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAKA,eAAe,cAAA,CACd,EAAA,EACA,OAAA,EACA,QAAA,EACA,eAAA,EACiD;AACjD,EAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEvD,EAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,UAAU,CAAA,CACf,KAAA;AAAA,IACA,GAAA;AAAA,MACC,EAAA,CAAG,UAAA,CAAW,OAAA,EAAS,OAAO,CAAA;AAAA,MAC9B,EAAA,CAAG,UAAA,CAAW,QAAA,EAAU,QAAQ,CAAA;AAAA,MAChC,GAAA,CAAI,UAAA,CAAW,WAAA,EAAa,UAAU;AAAA;AACvC,GACD;AAED,EAAA,MAAM,UAAA,GAAa,KAAK,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,KAAA,EAAO,CAAC,CAAA;AAE3D,EAAA,IAAI,cAAc,eAAA,EAAiB;AAClC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,QAAQ,CAAA,qBAAA,EAAwB,UAAU,CAAA,CAAA,EAAI,eAAe,iCAAiC,QAAQ,CAAA,CAAA;AAAA,KACvG;AAAA,EACD;AAGA,EAAA,MAAM,aAAA,GAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,IAAK,CAAA,GAAI,EAAA,GAAK,GAAA,CAAK,CAAA,IAAK,CAAA,GAAI,KAAK,GAAA,CAAK,CAAA;AACzF,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IA
AA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,OAAA,EAAQ,KAAM,aAAA,CAAc,OAAA,EAAS,CAAA;AAErF,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,GACJ,MAAA,CAAO,UAAU,EACjB,GAAA,CAAI,EAAE,OAAO,QAAA,CAAS,KAAA,GAAQ,CAAA,EAAG,EACjC,KAAA,CAAM,EAAA,CAAG,WAAW,EAAA,EAAI,QAAA,CAAS,EAAE,CAAC,CAAA;AAAA,EACvC,CAAA,MAAO;AACN,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,MAClC,IAAI,UAAA,EAAW;AAAA,MACf,OAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAA,EAAa,aAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACP,CAAA;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAKO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,EAAA,EAAI,QAAA,EAAS,GAAI,MAAA;AAMzB,EAAA,eAAe,SAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAU,UAAA,EAAW;AAG3B,IAAA,MAAM,kBAAA,GAAqB,MAAM,WAAA,CAAY,IAAA;AAAA,MAC5C,CAAC,CAAA,KAAM,aAAA,CAAc,CAAA,CAAE,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,OAAA,EAAS,OAAA,CAAQ,MAAM;AAAA,KAC5F;AAEA,IAAA,IAAI,CAAC,kBAAA,EAAoB;AACxB,MAAA,MAAMA,OAAAA,GAA0B;AAAA,QAC/B,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,+BAA+B,KAAA,CAAM,IAAI,gBAAgB,OAAA,CAAQ,MAAM,CAAA,MAAA,EAAS,OAAA,CAAQ,QAAQ,CAAA,CAAA,CAAA;AAAA,QACxG;AAAA,OACD;AACA,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,MACnE;AACA,MAAA,OAAOA,OAAAA;AAAA,IACR;AAGA,IAAA,IAAI,mBAAmB,WAAA,EAAa;AACnC,MAAA,MAAM,mBAAmB,MAAM,mBAAA;AAAA,QAC9B,EAAA;AAAA,QACA,KAAA;AAAA,QACA,OAAA;AAAA,QACA,kBAAA,CAAmB;AAAA,OACpB;AACA,MAAA,IAAI,CAAC,iBAAiB,OAAA,EAAS;AAC9B,QAAA,MAAMA,OAAAA,GAA0B;AAAA,UAC/B,OAAA,EAAS,KAAA;AAAA,UACT,QAAQ,gBAAA,CAAiB,MAAA;AAAA,UACzB;AAAA,SACD;AACA,QAAA,IAAI,QAAA,EAAU;AACb,UAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,QACnE;AACA,QAAA,OAAOA,OAAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAA0B,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA,EAAQ;AACzD,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAAS,MAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,IACnE;AACA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO,EAAE,SAAA,EAAU;AACpB;AAEA,eAAe,mBAAA,CACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,WAAA,EACiD;
AAEjD,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,MAAM,aAAa,MAAM,cAAA;AAAA,MACxB,EAAA;AAAA,MACA,KAAA,CAAM,EAAA;AAAA,MACN,OAAA,CAAQ,QAAA;AAAA,MACR,WAAA,CAAY;AAAA,KACb;AACA,IAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,MAAA,OAAO,UAAA;AAAA,IACR;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,kBAAA,IAAsB,OAAA,CAAQ,SAAA,EAAW;AACxD,IAAA,MAAM,aAAA,GAAgB,mBAAA,CAAoB,WAAA,CAAY,kBAAA,EAAoB,QAAQ,SAAS,CAAA;AAC3F,IAAA,IAAI,CAAC,cAAc,KAAA,EAAO;AACzB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,cAAc,MAAA,EAAO;AAAA,IACvD;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,MAAA,EAAQ;AAAA,KACT;AAAA,EACD;AAGA,EAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAI,QAAA,EAAS;AAC3B,IAAA,MAAM,OAAA,GAAU,IAAI,UAAA,EAAW;AAC/B,IAAA,MAAM,cAAc,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA,EAAI,OAAO,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEzF,IAAA,IAAI,cAAc,WAAA,CAAY,UAAA,CAAW,SAAS,WAAA,GAAc,WAAA,CAAY,WAAW,GAAA,EAAK;AAC3F,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,kCAAkC,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA,KAAA,EAAQ,WAAA,CAAY,WAAW,GAAG,CAAA;AAAA,OACzG;AAAA,IACD;AAAA,EACD;AAGA,EAAA,IAAI,WAAA,CAAY,WAAA,IAAe,WAAA,CAAY,WAAA,CAAY,SAAS,CAAA,EAAG;AAClE,IAAA,IAAI,CAAC,QAAQ,EAAA,EAAI;AAChB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ;AAAA,OACT;AAAA,IACD;AACA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,CAAY,WAAA,EAAa,OAAA,CAAQ,EAAE,CAAA,EAAG;AACtD,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,CAAA,oBAAA,EAAuB,OAAA,CAAQ,EAAE,CAAA,2CAAA;AAAA,OAC1C;AAAA,IACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAEA,eAAe,cACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA,EACA,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,GAAA,KAAQ,SAAS,CAAA;AAE3D,EAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,IACjC,EAAA,EAAI,OAAA;AAAA,IACJ,SAAS,KAAA,CAAM,EAAA;AAAA,IACf,QAAQ,KAAA,CAAM,OAAA;AAAA,IACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,UAAA,EAAY,OAAA,CAAQ,SAAA,IAAa,EAAC;AAAA,IAClC,MA
AA,EAAQ,MAAA,CAAO,OAAA,GAAU,SAAA,GAAY,QAAA;AAAA,IACrC,MAAA,EAAQ,OAAO,MAAA,IAAU,IAAA;AAAA,IACzB,UAAA;AAAA,IACA,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,EAAA,EAAI,OAAA,CAAQ,OAAA,EAAS,EAAA,IAAM,IAAA;AAAA,IAC3B,SAAA,EAAW,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAa;AAAA,GACzC,CAAA;AACF;;;AC7TO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAElC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,MAAM,CAAA,EAAG,CAAA;AAAA;AAAA,EAG/C,SAAA,EAAW,CAAC,EAAE,QAAA,EAAU,GAAA,EAAK,SAAS,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzD,KAAA,EAAO,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,GAAG,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,SAAS,CAAC,MAAA,EAAQ,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAG9D,OAAA,EAAS,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAGtE,eAAA,EAAiB;AAAA,IAChB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAM,CAAA;AAAA,MAChB,WAAA,EAAa,EAAE,eAAA,EAAiB,GAAA;AAAI;AACrC,GACD;AAAA;AAAA,EAGA,gBAAA,EAAkB;AAAA,IACjB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,GAAG,CAAA;AAAA,MACb,WAAA,EAAa,EAAE,eAAA,EAAiB,IAAA;AAAK;AACtC,GACD;AAAA;AAAA,EAGA,aAAA,EAAe;AAAA,IACd;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA;AAAA,MACpC,WAAA,EAAa,EAAE,UAAA,EAAY,EAAE,OAAO,OAAA,EAAS,GAAA,EAAK,SAAQ;AAAE;AAC7D;AAEF;AAQO,SAAS,sBAAsB,IAAA,EAA4C;AACjF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,UAAU,mBAAA,CAAoB,IAAI,CAAC,CAAC,CAAA;AAC5D","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. 
*/\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). 
*/\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. 
*/\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\tusername: text(\"username\").unique(),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\t// Admin ban fields (populated by admin module)\n\tbanned: integer(\"banned\").notNull().default(0),\n\tbanReason: text(\"ban_reason\"),\n\tbanExpiresAt: integer(\"ban_expires_at\", { mode: \"timestamp\" }),\n\tforcePasswordReset: integer(\"force_password_reset\").notNull().default(0),\n\temailVerified: integer(\"email_verified\").notNull().default(0),\n\t// Stripe integration fields (populated by kavach-stripe plugin)\n\tstripeCustomerId: text(\"stripe_customer_id\").unique(),\n\tstripeSubscriptionId: text(\"stripe_subscription_id\"),\n\tstripeSubscriptionStatus: text(\"stripe_subscription_status\"),\n\tstripePriceId: text(\"stripe_price_id\"),\n\tstripeCurrentPeriodEnd: integer(\"stripe_current_period_end\", { mode: \"timestamp\" 
}),\n\tstripeCancelAtPeriodEnd: integer(\"stripe_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\t// Polar integration fields (populated by kavach-polar plugin)\n\tpolarCustomerId: text(\"polar_customer_id\").unique(),\n\tpolarSubscriptionId: text(\"polar_subscription_id\"),\n\tpolarSubscriptionStatus: text(\"polar_subscription_status\"),\n\tpolarProductId: text(\"polar_product_id\"),\n\tpolarCurrentPeriodEnd: integer(\"polar_current_period_end\", { mode: \"timestamp\" }),\n\tpolarCancelAtPeriodEnd: integer(\"polar_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Tenants (multi-tenant isolation — must come before agents)\n// ============================================================\nexport const tenants = sqliteTable(\"kavach_tenants\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\tsettings: text(\"settings\", { mode: \"json\" }).$type<TenantSettingsRow>(),\n\tstatus: text(\"status\", { enum: [\"active\", \"suspended\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TenantSettingsRow {\n\tmaxAgents?: number;\n\tmaxDelegationDepth?: number;\n\tauditRetentionDays?: number;\n\tallowedAgentTypes?: string[];\n}\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: 
text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable, for multi-tenant scoping\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. 
\"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: 
text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: 
\"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Sessions (human user sessions managed by KavachOS)\n// ============================================================\nexport const sessions = sqliteTable(\"kavach_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: 
integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: 
integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Budget Policies (agent execution budget caps)\n// ============================================================\nexport const budgetPolicies = sqliteTable(\"kavach_budget_policies\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\").references(() => agents.id, { onDelete: \"cascade\" }), // nullable\n\tuserId: text(\"user_id\").references(() => users.id), // nullable\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable\n\tlimits: text(\"limits\", { mode: \"json\" }).notNull().$type<BudgetLimitsRow>(),\n\tcurrentUsage: text(\"current_usage\", { mode: \"json\" }).notNull().$type<BudgetUsageRow>(),\n\taction: text(\"action\", { enum: [\"warn\", \"throttle\", \"block\", \"revoke\"] })\n\t\t.notNull()\n\t\t.default(\"warn\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"triggered\", \"disabled\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface BudgetLimitsRow {\n\tmaxTokensCostPerDay?: number;\n\tmaxTokensCostPerMonth?: number;\n\tmaxCallsPerDay?: number;\n\tmaxCallsPerMonth?: number;\n}\n\ninterface BudgetUsageRow {\n\ttokensCostToday: number;\n\ttokensCostThisMonth: number;\n\tcallsToday: number;\n\tcallsThisMonth: number;\n\tlastUpdated: string;\n}\n\n// ============================================================\n// Agent Capability Cards (A2A discovery)\n// ============================================================\nexport const agentCards = sqliteTable(\"kavach_agent_cards\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tdescription: text(\"description\"),\n\tversion: text(\"version\").notNull(),\n\tprotocols: text(\"protocols\", { mode: \"json\" 
}).notNull().$type<string[]>(),\n\tcapabilities: text(\"capabilities\", { mode: \"json\" }).notNull().$type<unknown[]>(),\n\tauthRequirements: text(\"auth_requirements\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<Record<string, unknown>>(),\n\tendpoint: text(\"endpoint\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Approval Requests (CIBA async approval flows)\n// ============================================================\nexport const approvalRequests = sqliteTable(\"kavach_approval_requests\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(),\n\tresource: text(\"resource\").notNull(),\n\targuments: text(\"arguments\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tstatus: text(\"status\", { enum: [\"pending\", \"approved\", \"denied\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\trespondedAt: integer(\"responded_at\", { mode: \"timestamp\" }),\n\trespondedBy: text(\"responded_by\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trust Scores (graduated autonomy scoring)\n// ============================================================\nexport const trustScores = sqliteTable(\"kavach_trust_scores\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tscore: integer(\"score\").notNull(),\n\tlevel: text(\"level\", 
{\n\t\tenum: [\"untrusted\", \"limited\", \"standard\", \"trusted\", \"elevated\"],\n\t}).notNull(),\n\tfactors: text(\"factors\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tcomputedAt: integer(\"computed_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Magic Links (passwordless email login)\n// ============================================================\nexport const magicLinks = sqliteTable(\"kavach_magic_links\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\ttoken: text(\"token\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Email OTPs (one-time password login)\n// ============================================================\nexport const emailOtps = sqliteTable(\"kavach_email_otps\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// TOTP (Two-Factor Authentication)\n// ============================================================\nexport const totpRecords = sqliteTable(\"kavach_totp\", {\n\tuserId: text(\"user_id\")\n\t\t.primaryKey()\n\t\t.references(() => users.id),\n\tsecret: text(\"secret\").notNull(), // base32-encoded TOTP secret\n\tenabled: integer(\"enabled\", { mode: \"boolean\" }).notNull().default(false),\n\tbackupCodes: text(\"backup_codes\", { mode: \"json\" }).notNull().$type<TotpBackupCode[]>(),\n\tcreatedAt: 
integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TotpBackupCode {\n\thash: string;\n\tused: boolean;\n}\n\n// ============================================================\n// Organizations (multi-member org with RBAC)\n// ============================================================\nexport const organizations = sqliteTable(\"kavach_organizations\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgMembers = sqliteTable(\"kavach_org_members\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tjoinedAt: integer(\"joined_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgInvitations = sqliteTable(\"kavach_org_invitations\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\temail: text(\"email\").notNull(),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tinvitedBy: text(\"invited_by\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tstatus: text(\"status\", { enum: [\"pending\", \"accepted\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport 
const orgRoles = sqliteTable(\"kavach_org_roles\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n});\n\n// ============================================================\n// Passkey Credentials (WebAuthn / FIDO2)\n// ============================================================\nexport const passkeyCredentials = sqliteTable(\"kavach_passkey_credentials\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tcredentialId: text(\"credential_id\").notNull().unique(),\n\tpublicKey: text(\"public_key\").notNull(), // base64url-encoded COSE key\n\tcounter: integer(\"counter\").notNull().default(0),\n\tdeviceName: text(\"device_name\"),\n\ttransports: text(\"transports\"), // JSON array, e.g. '[\"internal\",\"usb\"]'\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// SSO Connections (SAML / OIDC enterprise SSO)\n// ============================================================\nexport const ssoConnections = sqliteTable(\"kavach_sso_connections\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\").notNull(),\n\tproviderId: text(\"provider_id\").notNull(),\n\ttype: text(\"type\", { enum: [\"saml\", \"oidc\"] }).notNull(),\n\tdomain: text(\"domain\").notNull().unique(),\n\tenabled: integer(\"enabled\").notNull().default(1),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// API Keys (static bearer tokens with permission scopes)\n// ============================================================\nexport const apiKeys 
= sqliteTable(\"kavach_api_keys\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\tkeyHash: text(\"key_hash\").notNull(),\n\tkeyPrefix: text(\"key_prefix\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Passkey Challenges (WebAuthn challenge state — short-lived)\n// ============================================================\nexport const passkeyChallenges = sqliteTable(\"kavach_passkey_challenges\", {\n\tid: text(\"id\").primaryKey(),\n\tchallenge: text(\"challenge\").notNull().unique(),\n\tuserId: text(\"user_id\"), // null for discoverable credential flows\n\ttype: text(\"type\", { enum: [\"registration\", \"authentication\"] }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Username Accounts (username + password auth)\n// ============================================================\nexport const usernameAccounts = sqliteTable(\"kavach_username_accounts\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tusername: text(\"username\").notNull().unique(),\n\tpasswordHash: text(\"password_hash\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Phone Verifications (SMS 
OTP)\n// ============================================================\nexport const phoneVerifications = sqliteTable(\"kavach_phone_verifications\", {\n\tid: text(\"id\").primaryKey(),\n\tphoneNumber: text(\"phone_number\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trusted Devices (skip 2FA on known devices for a time window)\n// ============================================================\nexport const trustedDevices = sqliteTable(\"kavach_trusted_devices\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tfingerprint: text(\"fingerprint\").notNull(), // HMAC-SHA256 of stable request headers\n\tlabel: text(\"label\").notNull(), // human-readable, e.g. 
\"Mac\", \"iPhone\"\n\ttrustedAt: integer(\"trusted_at\", { mode: \"timestamp\" }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// One-Time Tokens (email verify, password reset, invitation, custom)\n// ============================================================\nexport const oneTimeTokens = sqliteTable(\"kavach_one_time_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tpurpose: text(\"purpose\", {\n\t\tenum: [\"email-verify\", \"password-reset\", \"invitation\", \"custom\"],\n\t}).notNull(),\n\tidentifier: text(\"identifier\").notNull(), // email, userId, or any caller-supplied key\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Login History (last login method tracking per user)\n// ============================================================\nexport const loginHistory = sqliteTable(\"kavach_login_history\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tmethod: text(\"method\").notNull(), // LoginMethod — kept as text to support oauth:{provider} variants\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp_ms\" }).notNull(),\n});\n\n// ============================================================\n// Agent DIDs (W3C Decentralized Identifiers per agent)\n// ============================================================\nexport const agentDids = sqliteTable(\"kavach_agent_dids\", 
{\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tdid: text(\"did\").notNull().unique(),\n\tmethod: text(\"method\", { enum: [\"key\", \"web\"] }).notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\").notNull(), // JSON-serialised JWK (public key only)\n\tdidDocument: text(\"did_document\").notNull(), // JSON-serialised DID Document\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Clients (apps authenticating against KavachOS IdP)\n// ============================================================\nexport const oidcClients = sqliteTable(\"kavach_oidc_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecretHash: text(\"client_secret_hash\").notNull(), // SHA-256 hex of the raw secret\n\tclientName: text(\"client_name\").notNull(),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tscopes: text(\"scopes\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_post\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Authorization Codes\n// ============================================================\nexport const oidcAuthCodes = sqliteTable(\"kavach_oidc_auth_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcodeHash: text(\"code_hash\").notNull().unique(), // SHA-256 hex of the raw code\n\tclientId: 
text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tnonce: text(\"nonce\"),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE S256\n\tcodeChallengeMethod: text(\"code_challenge_method\"),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Refresh Tokens\n// ============================================================\nexport const oidcRefreshTokens = sqliteTable(\"kavach_oidc_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\trevoked: integer(\"revoked\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Cost Events (per-agent cost attribution and observability)\n// ============================================================\nexport const costEvents = sqliteTable(\"kavach_cost_events\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\ttool: text(\"tool\").notNull(), // e.g. 
'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github'\n\tinputTokens: integer(\"input_tokens\"),\n\toutputTokens: integer(\"output_tokens\"),\n\t/** Cost stored as integer microdollars (costUsd × 1_000_000) to avoid float drift */\n\tcostMicros: integer(\"cost_micros\").notNull(),\n\tcurrency: text(\"currency\").notNull().default(\"USD\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tdelegationChainId: text(\"delegation_chain_id\"), // null when not part of a chain\n\trecordedAt: integer(\"recorded_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Ephemeral Sessions (short-lived agent credentials for single-task use)\n// ============================================================\nexport const ephemeralSessions = sqliteTable(\"kavach_ephemeral_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmaxActions: integer(\"max_actions\"), // null = unlimited\n\tactionsUsed: integer(\"actions_used\").notNull().default(0),\n\tstatus: text(\"status\", { enum: [\"active\", \"expired\", \"exhausted\", \"revoked\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tauditGroupId: text(\"audit_group_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Stream Events (persisted SSE events for replay)\n// ============================================================\nexport const streamEvents = sqliteTable(\"kavach_stream_events\", {\n\tid: 
text(\"id\").primaryKey(),\n\ttype: text(\"type\").notNull(),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n\tdata: text(\"data\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tagentId: text(\"agent_id\"),\n\tuserId: text(\"user_id\"),\n});\n\n// ============================================================\n// JWT Session Refresh Tokens (general-purpose session plugin)\n// ============================================================\nexport const jwtRefreshTokens = sqliteTable(\"kavach_jwt_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\t/** SHA-256 hex of the raw refresh token. The raw token is never stored. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** The user who owns this session. */\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** True once the token has been used in a refresh or explicit revocation. */\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Resources (relationship-based access control — resource hierarchy)\n// ============================================================\nexport const rebacResources = sqliteTable(\"kavach_rebac_resources\", {\n\tid: text(\"id\").notNull().primaryKey(),\n\ttype: text(\"type\").notNull(), // 'org', 'workspace', 'project', 'document', etc.\n\tparentId: text(\"parent_id\"),\n\tparentType: text(\"parent_type\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Relationships (subject-relation-object tuples, Zanzibar style)\n// ============================================================\nexport const rebacRelationships = 
sqliteTable(\"kavach_rebac_relationships\", {\n\tid: text(\"id\").primaryKey(),\n\tsubjectType: text(\"subject_type\").notNull(), // 'user', 'agent', 'team', 'role'\n\tsubjectId: text(\"subject_id\").notNull(),\n\trelation: text(\"relation\").notNull(), // 'owner', 'editor', 'viewer', 'member', 'parent'\n\tobjectType: text(\"object_type\").notNull(),\n\tobjectId: text(\"object_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Instances (trusted remote KavachOS instances)\n// ============================================================\nexport const federationInstances = sqliteTable(\"kavach_federation_instances\", {\n\tid: text(\"id\").primaryKey(),\n\tinstanceId: text(\"instance_id\").notNull().unique(),\n\tinstanceUrl: text(\"instance_url\").notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\"), // JSON-serialised JWK (public key only)\n\ttrustLevel: text(\"trust_level\", { enum: [\"full\", \"limited\", \"verify-only\"] })\n\t\t.notNull()\n\t\t.default(\"verify-only\"),\n\tdiscoveredAt: integer(\"discovered_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Tokens (issued/received federation tokens for audit)\n// ============================================================\nexport const federationTokens = sqliteTable(\"kavach_federation_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenJti: text(\"token_jti\").notNull().unique(), // JWT ID for dedup\n\tagentId: text(\"agent_id\").notNull(),\n\tsourceInstanceId: text(\"source_instance_id\").notNull(),\n\ttargetInstanceId: text(\"target_instance_id\"),\n\tdirection: text(\"direction\", { enum: [\"issued\", \"received\"] }).notNull(),\n\tpermissions: text(\"permissions\", { 
mode: \"json\" }).notNull().$type<string[]>(),\n\ttrustScore: integer(\"trust_score\"), // stored as integer 0-100\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Token Families (token rotation / reuse detection)\n// ============================================================\nexport const refreshTokenFamilies = sqliteTable(\"kavach_refresh_token_families\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** Absolute session expiry — no rotation can extend beyond this date. */\n\tabsoluteExpiresAt: integer(\"absolute_expires_at\", { mode: \"timestamp\" }).notNull(),\n\t/** 0 = active, 1 = revoked (reuse detection or explicit logout). */\n\trevoked: integer(\"revoked\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Tokens (individual one-time-use tokens per family)\n// ============================================================\nexport const refreshTokens = sqliteTable(\"kavach_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\tfamilyId: text(\"family_id\")\n\t\t.notNull()\n\t\t.references(() => refreshTokenFamilies.id, { onDelete: \"cascade\" }),\n\t/** SHA-256 hash of the opaque token — never store the raw token. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** 0 = unused, 1 = already consumed (one-time use). 
*/\n\tused: integer(\"used\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n","import { and, eq, gte } from \"drizzle-orm\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs, rateLimits } from \"../db/schema.js\";\nimport type {\n\tAgentIdentity,\n\tAuthorizeRequest,\n\tAuthorizeResult,\n\tPermissionConstraints,\n} from \"../types.js\";\n\ninterface PermissionEngineConfig {\n\tdb: Database;\n\tauditAll: boolean;\n}\n\n/**\n * Match a resource pattern against a requested resource.\n *\n * Supports wildcards:\n * - \"mcp:github:*\" matches \"mcp:github:create_issue\"\n * - \"tool:*\" matches \"tool:file_read\"\n * - \"*\" matches everything\n */\nfunction matchResource(pattern: string, resource: string): boolean {\n\tif (pattern === \"*\") return true;\n\n\tconst patternParts = pattern.split(\":\");\n\tconst resourceParts = resource.split(\":\");\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst part = patternParts[i];\n\t\tif (part === \"*\") return true;\n\t\tif (part !== resourceParts[i]) return false;\n\t}\n\n\treturn patternParts.length === resourceParts.length;\n}\n\n/**\n * Check if an action is allowed by a permission's actions list.\n */\nfunction matchAction(allowedActions: string[], requestedAction: string): boolean {\n\treturn allowedActions.includes(requestedAction) || allowedActions.includes(\"*\");\n}\n\n/**\n * Parse an IPv4 address into a 32-bit integer.\n */\nfunction parseIPv4(ip: string): number | null {\n\tconst parts = ip.split(\".\");\n\tif (parts.length !== 4) return null;\n\tlet result = 0;\n\tfor (const part of parts) {\n\t\tconst num = parseInt(part, 10);\n\t\tif (Number.isNaN(num) || num < 0 || num > 255) return null;\n\t\tresult = (result << 8) | num;\n\t}\n\treturn result >>> 0;\n}\n\n/**\n * Check whether an IP 
matches a CIDR range or exact IP entry.\n * Supports both \"10.0.0.1\" and \"10.0.0.0/8\" notation (IPv4 only).\n */\nfunction matchesIPEntry(entry: string, ip: string): boolean {\n\tconst slashIndex = entry.indexOf(\"/\");\n\tif (slashIndex === -1) {\n\t\treturn entry === ip;\n\t}\n\n\tconst cidrIp = entry.slice(0, slashIndex);\n\tconst prefixLen = parseInt(entry.slice(slashIndex + 1), 10);\n\tif (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;\n\n\tconst entryNum = parseIPv4(cidrIp);\n\tconst ipNum = parseIPv4(ip);\n\tif (entryNum === null || ipNum === null) return false;\n\n\tconst mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;\n\treturn (entryNum & mask) === (ipNum & mask);\n}\n\n/**\n * Check whether an IP is in the allowlist (exact IPs or CIDR ranges).\n */\nfunction isIPAllowed(allowlist: string[], ip: string): boolean {\n\treturn allowlist.some((entry) => matchesIPEntry(entry, ip));\n}\n\n/**\n * Validate argument patterns against the request arguments.\n */\nfunction validateArgPatterns(\n\tpatterns: string[],\n\targs: Record<string, unknown>,\n): { valid: boolean; reason?: string } {\n\tfor (const pattern of patterns) {\n\t\tconst regex = new RegExp(pattern);\n\t\t// Check all string arguments against the pattern\n\t\tfor (const [key, value] of Object.entries(args)) {\n\t\t\tif (typeof value === \"string\" && !regex.test(value)) {\n\t\t\t\treturn {\n\t\t\t\t\tvalid: false,\n\t\t\t\t\treason: `Argument \"${key}\" value \"${value}\" does not match pattern \"${pattern}\"`,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\treturn { valid: true };\n}\n\n/**\n * Check rate limits for an agent on a specific resource.\n */\nasync function checkRateLimit(\n\tdb: Database,\n\tagentId: string,\n\tresource: string,\n\tmaxCallsPerHour: number,\n): Promise<{ allowed: boolean; reason?: string }> {\n\tconst oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);\n\n\tconst rows = await 
db\n\t\t.select()\n\t\t.from(rateLimits)\n\t\t.where(\n\t\t\tand(\n\t\t\t\teq(rateLimits.agentId, agentId),\n\t\t\t\teq(rateLimits.resource, resource),\n\t\t\t\tgte(rateLimits.windowStart, oneHourAgo),\n\t\t\t),\n\t\t);\n\n\tconst totalCalls = rows.reduce((sum, r) => sum + r.count, 0);\n\n\tif (totalCalls >= maxCallsPerHour) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: `Rate limit exceeded: ${totalCalls}/${maxCallsPerHour} calls per hour for resource \"${resource}\"`,\n\t\t};\n\t}\n\n\t// Increment counter\n\tconst currentWindow = new Date(Math.floor(Date.now() / (5 * 60 * 1000)) * (5 * 60 * 1000)); // 5-min windows\n\tconst existing = rows.find((r) => r.windowStart.getTime() === currentWindow.getTime());\n\n\tif (existing) {\n\t\tawait db\n\t\t\t.update(rateLimits)\n\t\t\t.set({ count: existing.count + 1 })\n\t\t\t.where(eq(rateLimits.id, existing.id));\n\t} else {\n\t\tawait db.insert(rateLimits).values({\n\t\t\tid: generateId(),\n\t\t\tagentId,\n\t\t\tresource,\n\t\t\twindowStart: currentWindow,\n\t\t\tcount: 1,\n\t\t});\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Create the permission/authorization engine.\n */\nexport function createPermissionEngine(config: PermissionEngineConfig) {\n\tconst { db, auditAll } = config;\n\n\t/**\n\t * Check if an agent is authorized to perform an action.\n\t * This is the core authorization function.\n\t */\n\tasync function authorize(\n\t\tagent: AgentIdentity,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst startTime = performance.now();\n\t\tconst auditId = generateId();\n\n\t\t// Find matching permission\n\t\tconst matchingPermission = agent.permissions.find(\n\t\t\t(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action),\n\t\t);\n\n\t\tif (!matchingPermission) {\n\t\t\tconst result: AuthorizeResult = {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `No permission grants agent \"${agent.name}\" access to \"${request.action}\" on 
\"${request.resource}\"`,\n\t\t\t\tauditId,\n\t\t\t};\n\t\t\tif (auditAll) {\n\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\t// Check constraints\n\t\tif (matchingPermission.constraints) {\n\t\t\tconst constraintResult = await evaluateConstraints(\n\t\t\t\tdb,\n\t\t\t\tagent,\n\t\t\t\trequest,\n\t\t\t\tmatchingPermission.constraints,\n\t\t\t);\n\t\t\tif (!constraintResult.allowed) {\n\t\t\t\tconst result: AuthorizeResult = {\n\t\t\t\t\tallowed: false,\n\t\t\t\t\treason: constraintResult.reason,\n\t\t\t\t\tauditId,\n\t\t\t\t};\n\t\t\t\tif (auditAll) {\n\t\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t}\n\t\t}\n\n\t\tconst result: AuthorizeResult = { allowed: true, auditId };\n\t\tif (auditAll) {\n\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t}\n\t\treturn result;\n\t}\n\n\treturn { authorize };\n}\n\nasync function evaluateConstraints(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tconstraints: PermissionConstraints,\n): Promise<{ allowed: boolean; reason?: string }> {\n\t// Rate limit check\n\tif (constraints.maxCallsPerHour) {\n\t\tconst rateResult = await checkRateLimit(\n\t\t\tdb,\n\t\t\tagent.id,\n\t\t\trequest.resource,\n\t\t\tconstraints.maxCallsPerHour,\n\t\t);\n\t\tif (!rateResult.allowed) {\n\t\t\treturn rateResult;\n\t\t}\n\t}\n\n\t// Argument pattern check\n\tif (constraints.allowedArgPatterns && request.arguments) {\n\t\tconst patternResult = validateArgPatterns(constraints.allowedArgPatterns, request.arguments);\n\t\tif (!patternResult.valid) {\n\t\t\treturn { allowed: false, reason: patternResult.reason };\n\t\t}\n\t}\n\n\t// Human-in-the-loop check\n\tif (constraints.requireApproval) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: \"This action requires human approval before execution\",\n\t\t};\n\t}\n\n\t// Time window check\n\tif 
(constraints.timeWindow) {\n\t\tconst now = new Date();\n\t\tconst hours = now.getHours();\n\t\tconst minutes = now.getMinutes();\n\t\tconst currentTime = `${String(hours).padStart(2, \"0\")}:${String(minutes).padStart(2, \"0\")}`;\n\n\t\tif (currentTime < constraints.timeWindow.start || currentTime > constraints.timeWindow.end) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Action is only allowed between ${constraints.timeWindow.start} and ${constraints.timeWindow.end}`,\n\t\t\t};\n\t\t}\n\t}\n\n\t// IP allowlist check\n\tif (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {\n\t\tif (!request.ip) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match\",\n\t\t\t};\n\t\t}\n\t\tif (!isIPAllowed(constraints.ipAllowlist, request.ip)) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `IP_NOT_ALLOWED: IP \"${request.ip}\" is not in the allowlist for this resource`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn { allowed: true };\n}\n\nasync function writeAuditLog(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: AuthorizeRequest,\n\tresult: AuthorizeResult,\n\tstartTime: number,\n\tauditId: string,\n): Promise<void> {\n\tconst durationMs = Math.round(performance.now() - startTime);\n\n\tawait db.insert(auditLogs).values({\n\t\tid: auditId,\n\t\tagentId: agent.id,\n\t\tuserId: agent.ownerId,\n\t\taction: request.action,\n\t\tresource: request.resource,\n\t\tparameters: request.arguments ?? {},\n\t\tresult: result.allowed ? \"allowed\" : \"denied\",\n\t\treason: result.reason ?? null,\n\t\tdurationMs,\n\t\ttimestamp: new Date(),\n\t\tip: request.context?.ip ?? null,\n\t\tuserAgent: request.context?.userAgent ?? 
null,\n\t});\n}\n","import type { Permission } from \"../types.js\";\n\n/**\n * Pre-built permission templates for common access patterns.\n * Use these as starting points when creating agents.\n */\nexport const permissionTemplates = {\n\t/** Read-only access to all resources */\n\treadonly: [{ resource: \"*\", actions: [\"read\"] }] satisfies Permission[],\n\n\t/** Read and write access to all resources */\n\treadwrite: [{ resource: \"*\", actions: [\"read\", \"write\"] }] satisfies Permission[],\n\n\t/** Full access to all resources and actions */\n\tadmin: [{ resource: \"*\", actions: [\"*\"] }] satisfies Permission[],\n\n\t/** Standard MCP tool access - read + execute */\n\tmcpBasic: [{ resource: \"mcp:*\", actions: [\"read\", \"execute\"] }] satisfies Permission[],\n\n\t/** MCP tool access with write - read + write + execute */\n\tmcpFull: [{ resource: \"mcp:*\", actions: [\"read\", \"write\", \"execute\"] }] satisfies Permission[],\n\n\t/** Rate-limited read access (100 calls/hour) */\n\trateLimitedRead: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\"],\n\t\t\tconstraints: { maxCallsPerHour: 100 },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Approval-required access (human-in-the-loop for everything) */\n\tapprovalRequired: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"*\"],\n\t\t\tconstraints: { requireApproval: true },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Business hours only access (9am-5pm) */\n\tbusinessHours: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\", \"write\", \"execute\"],\n\t\t\tconstraints: { timeWindow: { start: \"09:00\", end: \"17:00\" } },\n\t\t},\n\t] satisfies Permission[],\n} as const;\n\nexport type PermissionTemplateName = keyof typeof permissionTemplates;\n\n/**\n * Get a permission template by name.\n * Returns a fresh copy of the permissions array.\n */\nexport function getPermissionTemplate(name: PermissionTemplateName): Permission[] {\n\treturn 
JSON.parse(JSON.stringify(permissionTemplates[name])) as Permission[];\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/db/schema.ts","../../src/policy/abac.ts","../../src/permission/engine.ts","../../src/permission/templates.ts"],"names":["result"],"mappings":";;;;AAwEO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAkBqB,IAAI,WAAA;ACvFlB,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,MAAA,EAAO;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA;AAAA,EAE5E,QAAQ,OAAA,CAAQ,QAAQ,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,oBAAoB,OAAA,CAAQ,sBAAsB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACvE,eAAe,OAAA,CAAQ,gBAAgB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA;AAAA,EAE5D,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,MAAA,EAAO;AAAA,EACpD,oBAAA,EAAsB,KAAK,wBAAwB,CAAA;AAAA,EACnD,wBAAA,EAA0B,KAAK,4BAA4B,CAAA;AAAA,EAC3D,aAAA,EAAe,KAAK,iBAAiB,CAAA;AAAA,EACrC,wBAAwB,OAAA,CAAQ,2BAAA,EAA6B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAClF,uBAAA,EAAyB,OAAA,CAAQ,6BAAA,EAA+B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CACjF,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,IAAA,CAAK,mBAAmB,CAAA,CAAE,MAAA,EAAO;AAAA,EAClD,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,uBAAA,EAAyB,KAAK,2BAA2B,CAAA;AAAA,EACzD,cAAA,EAAgB,KAAK,kBAAkB,CAAA;AAAA,EACvC,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,sBAAA,EAAwB,OAAA,CAAQ,4BAAA,EAA8B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAC/E,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA,EACf,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,OAAA,GAAU,YAAY,gBAAA,EAAkB;AAAA,EACpD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA
,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAyB;AAAA,EACtE,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAW,CAAA,EAAG,CAAA,CACtD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAYM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK0B,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA;AAAA,EAEnF,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAA
a,EAAE,OAAA;AACzD,CAAC;AAa+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,SAAA,GAAY,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,OAAA,CAAQ,WAAA,EAAa,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC3E,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC,CAAA;AAKM,IAAM,UAAA,GAAa,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,
CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC,CAAA;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKuB,YAAY,iBAAA,EAAmB;AAAA,EACtD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,I
AAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsC,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,EACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EA
AU,SAAA,EAAW,CAAA;AAAA;AAAA,EAC7E,QAAQ,IAAA,CAAK,SAAS,EAAE,UAAA,CAAW,MAAM,MAAM,EAAE,CAAA;AAAA;AAAA,EACjD,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAuB;AAAA,EAC1E,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAsB;AAAA,EACtF,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAS,QAAQ,GAAG,CAAA,CACtE,OAAA,EAAQ,CACR,QAAQ,MAAM,CAAA;AAAA,EAChB,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAA,EAAa,UAAU,GAAG,CAAA,CAClE,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAoByB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,KAAK,aAAa,CAAA;AAAA,EAC/B,OAAA,EAAS,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EACjC,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACzE,YAAA,EAAc,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiB;AAAA,EAChF,gBAAA,EAAkB,IAAA,CAAK,mBAAA,EAAqB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAC1D,OAAA,EAAQ,CACR,KAAA,EAA+B;AAAA,EACjC,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,E
AAQ;AAAA,EACnC,SAAA,EAAW,KAAK,WAAA,EAAa,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC9E,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,UAAA,EAAY,QAAA,EAAU,SAAS,GAAG,CAAA,CAC3E,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,aAAa,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC1D,WAAA,EAAa,KAAK,cAAc,CAAA;AAAA,EAChC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAA,EAAO,OAAA,CAAQ,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,KAAA,EAAO,KAAK,OAAA,EAAS;AAAA,IACpB,MAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAA,EAAY,WAAW,UAAU;AAAA,GAChE,EAAE,OAAA,EAAQ;AAAA,EACX,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EACpF,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,aAAA,EAAe;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,YAAW,CACX,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA
,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,WAAA,EAAa,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAwB;AAAA,EACtF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,aAAA,GAAgB,YAAY,sBAAA,EAAwB;AAAA,EAChE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAEyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,QAAA,EAAU,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACvD,CAAC;AAE6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA,CAC1B,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,SAAA,EAAW,UAAA,EAAY,SAAS,GAAG,CAAA,CACjE,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAEuB,YAAY,kBAAA,EA
AoB;AAAA,EACvD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA;AAC9D,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,cAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACrD,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,UAAA,EAAY,KAAK,YAAY,CAAA;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC5D,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC9B,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvD,QAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACxC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsB,YAAY,iBAAA,EAAmB;AAAA,EACrD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,YAAY,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACzD,SAAA,EAAW,QAAQ
,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC9C,MAAA,EAAQ,KAAK,SAAS,CAAA;AAAA;AAAA,EACtB,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAgB,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC5C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACzC,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,OAAA,EAAS,KA
AK,SAAA,EAAW;AAAA,IACxB,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAA,EAAkB,cAAc,QAAQ;AAAA,GAC/D,EAAE,OAAA,EAAQ;AAAA,EACX,UAAA,EAAY,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACvC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,cAAA,EAAgB,EAAE,OAAA;AAC3D,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAK,IAAA,CAAK,KAAK,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAClC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,KAAA,EAAO,KAAK,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzD,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7C,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACrD,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC5E,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAClF,MAAA,EAAQ,IAAA,CAAK,Q
AAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACnE,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,oBAAoB,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,KAAA,EAAO,KAAK,OAAO,CAAA;AAAA,EACnB,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,WAAA,EAAa,QAAQ,cAAc,CAAA;AAAA,EACnC,YAAA,EAAc,QAAQ,eAAe,CAAA;AAAA;AAAA,EAErC,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,
OAAA,EAAQ;AAAA,EAC3C,UAAU,IAAA,CAAK,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,KAAK,CAAA;AAAA,EAClD,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,iBAAA,EAAmB,KAAK,qBAAqB,CAAA;AAAA;AAAA,EAC7C,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,aAAa,OAAA,CAAQ,cAAc,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACxD,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,SAAA,EAAW,WAAA,EAAa,SAAS,GAAG,CAAA,CAC5E,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAC/D,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EAC9E,OAAA,EAAS,KAAK,UAAU,CAAA;AAAA,EACxB,MAAA,EAAQ,KAAK,SAAS;AACvB,CAAC;AAK+B,YAAY,2BAAA,EAA6B;AAAA,EACxE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA;AAAA,EAE1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW
,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,IAAI,IAAA,CAAK,IAAI,CAAA,CAAE,OAAA,GAAU,UAAA,EAAW;AAAA,EACpC,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,WAAW,CAAA;AAAA,EAC1B,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKkC,YAAY,6BAAA,EAA+B;AAAA,EAC7E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,YAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACjD,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,YAAA,EAAc,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,CAAC,MAAA,EAAQ,SAAA,EAAW,aAAa,GAAG,CAAA,CAC1E,OAAA,EAAQ,CACR,QAAQ,aAAa,CAAA;AAAA,EACvB,cAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC5D,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA,EACrD,gBAAA,EAAkB,KAAK,oBAAoB,CAAA;AAAA,EAC3C,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvE,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,
SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,oBAAA,GAAuB,YAAY,+BAAA,EAAiC;AAAA,EAChF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,iBAAA,EAAmB,QAAQ,qBAAA,EAAuB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA;AAAA,EAEjF,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK4B,YAAY,uBAAA,EAAyB;AAAA,EACjE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CACxB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,oBAAA,CAAqB,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEnE,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAM,OAAA,CAAQ,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACzC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AClxBM,SAAS,aAAA,CAAc,SAAiB,QAAA,EAA2B;AACzE,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA;AACtC,EAAA,MAAM,aAAA,GAAgB,QAAA,CAAS,KAAA,CAAM,GAAG,CAAA;AAExC,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,YAAA,CAAa,QAAQ,CAAA,EAAA,EAAK;AAC7C,IAAA,MAAM,IAAA,GAAO,aAAa,CAAC,CAAA;AAC3B,IAAA,IAAI,IAAA,KAAS,KAAK,OAAO,IAAA;AACzB,IAAA,IAAI,IAAA,KAAS,aAAA,CAAc,CAAC,CAAA,EAAG,OAAO,KAAA;AAAA,EACvC;AAEA,EAAA,OAAO,YAAA,CAAa,WAAW,aAAA,CAAc,MAAA;AAC9C;AAKO,SAAS,WAAA,CAAY,gBAA0B,eAAA,EAAkC;AACvF,EAAA,OAAO,eAAe,QAAA,CAAS,eAAe,CAAA,IAAK,cAAA,CAAe,SAAS,GAAG,CAAA;AAC/E;AAEA,SAAS,UAAU,EAAA,EAA2B;AAC7C,EAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAC/B,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACzB,IAAA,MAAM,GAAA,GAAM,QAAA,CAAS,IAAA,EAAM,EAAE,CAAA;AAC7B,IAAA,IAAI,MAAA,CAAO,MAAM,GAAG,CAAA,IAAK,MAAM,CAAA,IAAK,GAAA,GAAM,KAAK,OAAO,IAAA;AACtD,IAAA,MAAA,GAAU,UAAU,CAAA,GAAK,GAAA;AAAA,EAC1B;AACA
,EAAA,OAAO,MAAA,KAAW,CAAA;AACnB;AAEA,SAAS,cAAA,CAAe,OAAe,EAAA,EAAqB;AAC3D,EAAA,MAAM,UAAA,GAAa,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA;AACpC,EAAA,IAAI,eAAe,EAAA,EAAI;AACtB,IAAA,OAAO,KAAA,KAAU,EAAA;AAAA,EAClB;AAEA,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,UAAU,CAAA;AACxC,EAAA,MAAM,YAAY,QAAA,CAAS,KAAA,CAAM,MAAM,UAAA,GAAa,CAAC,GAAG,EAAE,CAAA;AAC1D,EAAA,IAAI,MAAA,CAAO,MAAM,SAAS,CAAA,IAAK,YAAY,CAAA,IAAK,SAAA,GAAY,IAAI,OAAO,KAAA;AAEvE,EAAA,MAAM,QAAA,GAAW,UAAU,MAAM,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,UAAU,EAAE,CAAA;AAC1B,EAAA,IAAI,QAAA,KAAa,IAAA,IAAQ,KAAA,KAAU,IAAA,EAAM,OAAO,KAAA;AAEhD,EAAA,MAAM,OAAO,SAAA,KAAc,CAAA,GAAI,IAAK,EAAC,IAAM,KAAK,SAAA,KAAgB,CAAA;AAChE,EAAA,OAAA,CAAQ,QAAA,GAAW,WAAW,KAAA,GAAQ,IAAA,CAAA;AACvC;AAMO,SAAS,WAAA,CAAY,WAAqB,EAAA,EAAqB;AACrE,EAAA,OAAO,UAAU,IAAA,CAAK,CAAC,UAAU,cAAA,CAAe,KAAA,EAAO,EAAE,CAAC,CAAA;AAC3D;AAMO,SAAS,mBAAA,CACf,UACA,IAAA,EACsC;AACtC,EAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC/B,IAAA,MAAM,KAAA,GAAQ,IAAI,MAAA,CAAO,OAAO,CAAA;AAChC,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,KAAK,KAAK,MAAA,CAAO,OAAA,CAAQ,IAAI,CAAA,EAAG;AAChD,MAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,CAAC,KAAA,CAAM,IAAA,CAAK,KAAK,CAAA,EAAG;AACpD,QAAA,OAAO;AAAA,UACN,KAAA,EAAO,KAAA;AAAA,UACP,QAAQ,CAAA,UAAA,EAAa,GAAG,CAAA,SAAA,EAAY,KAAK,6BAA6B,OAAO,CAAA,CAAA;AAAA,SAC9E;AAAA,MACD;AAAA,IACD;AAAA,EACD;AACA,EAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AACtB;AAOA,eAAsB,cAAA,CACrB,EAAA,EACA,OAAA,EACA,QAAA,EACA,eAAA,EAC4B;AAC5B,EAAA,IAAI,CAAC,OAAA,EAAS;AACb,IAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,EACxB;AAEA,EAAA,MAAM,UAAA,GAAa,IAAI,IAAA,CAAK,IAAA,CAAK,KAAI,GAAI,EAAA,GAAK,KAAK,GAAI,CAAA;AAEvD,EAAA,MAAM,OAAO,MAAM,EAAA,CACjB,QAAO,CACP,IAAA,CAAK,UAAU,CAAA,CACf,KAAA;AAAA,IACA,GAAA;AAAA,MACC,EAAA,CAAG,UAAA,CAAW,OAAA,EAAS,OAAO,CAAA;AAAA,MAC9B,EAAA,CAAG,UAAA,CAAW,QAAA,EAAU,QAAQ,CAAA;AAAA,MAChC,GAAA,CAAI,UAAA,CAAW,WAAA,EAAa,UAAU;AAAA;AACvC,GACD;AAED,EAAA,MAAM,UAAA,GAAa,KAAK,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,KAAA,EAAO,CAAC,CAAA;AAE3D,EAAA,IAAI,cAAc,eAAA,EAAiB;AAClC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,QAAQ,CAAA,qBAAA,EAAwB
,UAAU,CAAA,CAAA,EAAI,eAAe,iCAAiC,QAAQ,CAAA,CAAA;AAAA,KACvG;AAAA,EACD;AAEA,EAAA,MAAM,aAAA,GAAgB,IAAI,IAAA,CAAK,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,IAAK,CAAA,GAAI,EAAA,GAAK,GAAA,CAAK,CAAA,IAAK,CAAA,GAAI,KAAK,GAAA,CAAK,CAAA;AACzF,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAA,CAAY,OAAA,EAAQ,KAAM,aAAA,CAAc,OAAA,EAAS,CAAA;AAErF,EAAA,IAAI,QAAA,EAAU;AACb,IAAA,MAAM,GACJ,MAAA,CAAO,UAAU,EACjB,GAAA,CAAI,EAAE,OAAO,QAAA,CAAS,KAAA,GAAQ,CAAA,EAAG,EACjC,KAAA,CAAM,EAAA,CAAG,WAAW,EAAA,EAAI,QAAA,CAAS,EAAE,CAAC,CAAA;AAAA,EACvC,CAAA,MAAO;AACN,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA,CAAO;AAAA,MAClC,IAAI,UAAA,EAAW;AAAA,MACf,OAAA;AAAA,MACA,QAAA;AAAA,MACA,WAAA,EAAa,aAAA;AAAA,MACb,KAAA,EAAO;AAAA,KACP,CAAA;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;AAOA,eAAsB,mBAAA,CACrB,EAAA,EACA,KAAA,EACA,WAAA,EAC4B;AAC5B,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,MAAM,aAAa,MAAM,cAAA;AAAA,MACxB,EAAA;AAAA,MACA,KAAA,CAAM,SAAA;AAAA,MACN,KAAA,CAAM,QAAA;AAAA,MACN,WAAA,CAAY;AAAA,KACb;AACA,IAAA,IAAI,CAAC,WAAW,OAAA,EAAS;AACxB,MAAA,OAAO,UAAA;AAAA,IACR;AAAA,EACD;AAEA,EAAA,IAAI,WAAA,CAAY,kBAAA,IAAsB,KAAA,CAAM,SAAA,EAAW;AACtD,IAAA,MAAM,aAAA,GAAgB,mBAAA,CAAoB,WAAA,CAAY,kBAAA,EAAoB,MAAM,SAAS,CAAA;AACzF,IAAA,IAAI,CAAC,cAAc,KAAA,EAAO;AACzB,MAAA,OAAO,EAAE,OAAA,EAAS,KAAA,EAAO,MAAA,EAAQ,cAAc,MAAA,EAAO;AAAA,IACvD;AAAA,EACD;AAEA,EAAA,IAAI,YAAY,eAAA,EAAiB;AAChC,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,MAAA,EAAQ;AAAA,KACT;AAAA,EACD;AAEA,EAAA,IAAI,YAAY,UAAA,EAAY;AAC3B,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,KAAA,GAAQ,IAAI,QAAA,EAAS;AAC3B,IAAA,MAAM,OAAA,GAAU,IAAI,UAAA,EAAW;AAC/B,IAAA,MAAM,cAAc,CAAA,EAAG,MAAA,CAAO,KAAK,CAAA,CAAE,SAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA,EAAI,OAAO,OAAO,CAAA,CAAE,QAAA,CAAS,CAAA,EAAG,GAAG,CAAC,CAAA,CAAA;AAEzF,IAAA,IAAI,cAAc,WAAA,CAAY,UAAA,CAAW,SAAS,WAAA,GAAc,WAAA,CAAY,WAAW,GAAA,EAAK;AAC3F,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,kCAAkC,WAAA,CAAY,UAAA,CAAW,KAAK,CAAA,KAAA,EAAQ,WAAA,CAAY,WAAW,GAAG,CAAA;AAAA,OACzG;AAAA,IACD;AAAA,EACD;AAEA,EAAA,IAAI,WAAA,C
AAY,WAAA,IAAe,WAAA,CAAY,WAAA,CAAY,SAAS,CAAA,EAAG;AAClE,IAAA,IAAI,CAAC,MAAM,EAAA,EAAI;AACd,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ;AAAA,OACT;AAAA,IACD;AACA,IAAA,IAAI,CAAC,WAAA,CAAY,WAAA,CAAY,WAAA,EAAa,KAAA,CAAM,EAAE,CAAA,EAAG;AACpD,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,CAAA,oBAAA,EAAuB,KAAA,CAAM,EAAE,CAAA,2CAAA;AAAA,OACxC;AAAA,IACD;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AACxB;;;ACxNO,SAAS,uBAAuB,MAAA,EAAgC;AACtE,EAAA,MAAM,EAAE,EAAA,EAAI,QAAA,EAAS,GAAI,MAAA;AAEzB,EAAA,eAAe,SAAA,CACd,OACA,OAAA,EAC2B;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAU,UAAA,EAAW;AAE3B,IAAA,MAAM,kBAAA,GAAqB,MAAM,WAAA,CAAY,IAAA;AAAA,MAC5C,CAAC,CAAA,KAAM,aAAA,CAAc,CAAA,CAAE,QAAA,EAAU,OAAA,CAAQ,QAAQ,CAAA,IAAK,WAAA,CAAY,CAAA,CAAE,OAAA,EAAS,OAAA,CAAQ,MAAM;AAAA,KAC5F;AAEA,IAAA,IAAI,CAAC,kBAAA,EAAoB;AACxB,MAAA,MAAMA,OAAAA,GAA0B;AAAA,QAC/B,OAAA,EAAS,KAAA;AAAA,QACT,MAAA,EAAQ,+BAA+B,KAAA,CAAM,IAAI,gBAAgB,OAAA,CAAQ,MAAM,CAAA,MAAA,EAAS,OAAA,CAAQ,QAAQ,CAAA,CAAA,CAAA;AAAA,QACxG;AAAA,OACD;AACA,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,MACnE;AACA,MAAA,OAAOA,OAAAA;AAAA,IACR;AAEA,IAAA,IAAI,mBAAmB,WAAA,EAAa;AACnC,MAAA,MAAM,mBAAmB,MAAM,mBAAA;AAAA,QAC9B,EAAA;AAAA,QACA;AAAA,UACC,WAAW,KAAA,CAAM,EAAA;AAAA,UACjB,UAAU,OAAA,CAAQ,QAAA;AAAA,UAClB,WAAW,OAAA,CAAQ,SAAA;AAAA,UACnB,IAAI,OAAA,CAAQ;AAAA,SACb;AAAA,QACA,kBAAA,CAAmB;AAAA,OACpB;AACA,MAAA,IAAI,CAAC,iBAAiB,OAAA,EAAS;AAC9B,QAAA,MAAMA,OAAAA,GAA0B;AAAA,UAC/B,OAAA,EAAS,KAAA;AAAA,UACT,QAAQ,gBAAA,CAAiB,MAAA;AAAA,UACzB;AAAA,SACD;AACA,QAAA,IAAI,QAAA,EAAU;AACb,UAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAASA,OAAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,QACnE;AACA,QAAA,OAAOA,OAAAA;AAAA,MACR;AAAA,IACD;AAEA,IAAA,MAAM,MAAA,GAA0B,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA,EAAQ;AACzD,IAAA,IAAI,QAAA,EAAU;AACb,MAAA,MAAM,cAAc,EAAA,EAAI,KAAA,EAAO,OAAA,EAAS,MAAA,EAAQ,WAAW,OAAO,CAAA;AAAA,IACnE;AACA,IAAA,OAAO,MAAA;AAAA,EACR;AAEA,EAAA,OAAO,EAAE,SAAA,EAAU;AACpB;AAEA,eAAe,cACd,EAAA,EACA,KAAA,EACA,OAAA,EACA,MAAA
,EACA,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,aAAa,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,GAAA,KAAQ,SAAS,CAAA;AAE3D,EAAA,MAAM,EAAA,CAAG,MAAA,CAAO,SAAS,CAAA,CAAE,MAAA,CAAO;AAAA,IACjC,EAAA,EAAI,OAAA;AAAA,IACJ,SAAS,KAAA,CAAM,EAAA;AAAA,IACf,QAAQ,KAAA,CAAM,OAAA;AAAA,IACd,QAAQ,OAAA,CAAQ,MAAA;AAAA,IAChB,UAAU,OAAA,CAAQ,QAAA;AAAA,IAClB,UAAA,EAAY,OAAA,CAAQ,SAAA,IAAa,EAAC;AAAA,IAClC,MAAA,EAAQ,MAAA,CAAO,OAAA,GAAU,SAAA,GAAY,QAAA;AAAA,IACrC,MAAA,EAAQ,OAAO,MAAA,IAAU,IAAA;AAAA,IACzB,UAAA;AAAA,IACA,SAAA,sBAAe,IAAA,EAAK;AAAA,IACpB,EAAA,EAAI,OAAA,CAAQ,OAAA,EAAS,EAAA,IAAM,IAAA;AAAA,IAC3B,SAAA,EAAW,OAAA,CAAQ,OAAA,EAAS,SAAA,IAAa;AAAA,GACzC,CAAA;AACF;;;ACjGO,IAAM,mBAAA,GAAsB;AAAA;AAAA,EAElC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,MAAM,CAAA,EAAG,CAAA;AAAA;AAAA,EAG/C,SAAA,EAAW,CAAC,EAAE,QAAA,EAAU,GAAA,EAAK,SAAS,CAAC,MAAA,EAAQ,OAAO,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzD,KAAA,EAAO,CAAC,EAAE,QAAA,EAAU,KAAK,OAAA,EAAS,CAAC,GAAG,CAAA,EAAG,CAAA;AAAA;AAAA,EAGzC,QAAA,EAAU,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,SAAS,CAAC,MAAA,EAAQ,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAG9D,OAAA,EAAS,CAAC,EAAE,QAAA,EAAU,OAAA,EAAS,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA,EAAG,CAAA;AAAA;AAAA,EAGtE,eAAA,EAAiB;AAAA,IAChB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAM,CAAA;AAAA,MAChB,WAAA,EAAa,EAAE,eAAA,EAAiB,GAAA;AAAI;AACrC,GACD;AAAA;AAAA,EAGA,gBAAA,EAAkB;AAAA,IACjB;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,GAAG,CAAA;AAAA,MACb,WAAA,EAAa,EAAE,eAAA,EAAiB,IAAA;AAAK;AACtC,GACD;AAAA;AAAA,EAGA,aAAA,EAAe;AAAA,IACd;AAAA,MACC,QAAA,EAAU,GAAA;AAAA,MACV,OAAA,EAAS,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAA;AAAA,MACpC,WAAA,EAAa,EAAE,UAAA,EAAY,EAAE,OAAO,OAAA,EAAS,GAAA,EAAK,SAAQ;AAAE;AAC7D;AAEF;AAQO,SAAS,sBAAsB,IAAA,EAA4C;AACjF,EAAA,OAAO,KAAK,KAAA,CAAM,IAAA,CAAK,UAAU,mBAAA,CAAoB,IAAI,CAAC,CAAC,CAAA;AAC5D","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` 
imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. 
*/\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. 
*/\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. 
*/\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). 
*/\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? 
PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// 
---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\tusername: text(\"username\").unique(),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\t// Admin ban fields (populated by admin module)\n\tbanned: integer(\"banned\").notNull().default(0),\n\tbanReason: text(\"ban_reason\"),\n\tbanExpiresAt: integer(\"ban_expires_at\", { mode: \"timestamp\" }),\n\tforcePasswordReset: integer(\"force_password_reset\").notNull().default(0),\n\temailVerified: integer(\"email_verified\").notNull().default(0),\n\t// Stripe integration fields (populated by kavach-stripe plugin)\n\tstripeCustomerId: text(\"stripe_customer_id\").unique(),\n\tstripeSubscriptionId: text(\"stripe_subscription_id\"),\n\tstripeSubscriptionStatus: text(\"stripe_subscription_status\"),\n\tstripePriceId: text(\"stripe_price_id\"),\n\tstripeCurrentPeriodEnd: integer(\"stripe_current_period_end\", { mode: \"timestamp\" 
}),\n\tstripeCancelAtPeriodEnd: integer(\"stripe_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\t// Polar integration fields (populated by kavach-polar plugin)\n\tpolarCustomerId: text(\"polar_customer_id\").unique(),\n\tpolarSubscriptionId: text(\"polar_subscription_id\"),\n\tpolarSubscriptionStatus: text(\"polar_subscription_status\"),\n\tpolarProductId: text(\"polar_product_id\"),\n\tpolarCurrentPeriodEnd: integer(\"polar_current_period_end\", { mode: \"timestamp\" }),\n\tpolarCancelAtPeriodEnd: integer(\"polar_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Tenants (multi-tenant isolation — must come before agents)\n// ============================================================\nexport const tenants = sqliteTable(\"kavach_tenants\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\tsettings: text(\"settings\", { mode: \"json\" }).$type<TenantSettingsRow>(),\n\tstatus: text(\"status\", { enum: [\"active\", \"suspended\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TenantSettingsRow {\n\tmaxAgents?: number;\n\tmaxDelegationDepth?: number;\n\tauditRetentionDays?: number;\n\tallowedAgentTypes?: string[];\n}\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: 
text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable, for multi-tenant scoping\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. 
\"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\t// When set, the policy engine consults the ReBAC graph for this permission.\n\trelation: text(\"relation\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: 
text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\t// True when this audit row corresponds to a policy-engine cache-hit evaluation.\n\tcacheHit: integer(\"cache_hit\", { mode: \"boolean\" }).notNull().default(false),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" 
}).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Sessions (human user sessions managed by KavachOS)\n// ============================================================\nexport const sessions = sqliteTable(\"kavach_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: 
text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: 
text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Budget Policies (agent execution budget caps)\n// ============================================================\nexport const budgetPolicies = sqliteTable(\"kavach_budget_policies\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\").references(() => agents.id, { onDelete: \"cascade\" }), // nullable\n\tuserId: text(\"user_id\").references(() => users.id), // nullable\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable\n\tlimits: text(\"limits\", { mode: \"json\" }).notNull().$type<BudgetLimitsRow>(),\n\tcurrentUsage: text(\"current_usage\", { mode: \"json\" }).notNull().$type<BudgetUsageRow>(),\n\taction: text(\"action\", { enum: [\"warn\", \"throttle\", \"block\", \"revoke\"] })\n\t\t.notNull()\n\t\t.default(\"warn\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"triggered\", \"disabled\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface BudgetLimitsRow {\n\tmaxTokensCostPerDay?: number;\n\tmaxTokensCostPerMonth?: number;\n\tmaxCallsPerDay?: number;\n\tmaxCallsPerMonth?: number;\n}\n\ninterface BudgetUsageRow {\n\ttokensCostToday: number;\n\ttokensCostThisMonth: number;\n\tcallsToday: number;\n\tcallsThisMonth: number;\n\tlastUpdated: string;\n}\n\n// ============================================================\n// Agent Capability Cards (A2A discovery)\n// 
============================================================\nexport const agentCards = sqliteTable(\"kavach_agent_cards\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tdescription: text(\"description\"),\n\tversion: text(\"version\").notNull(),\n\tprotocols: text(\"protocols\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tcapabilities: text(\"capabilities\", { mode: \"json\" }).notNull().$type<unknown[]>(),\n\tauthRequirements: text(\"auth_requirements\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<Record<string, unknown>>(),\n\tendpoint: text(\"endpoint\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Approval Requests (CIBA async approval flows)\n// ============================================================\nexport const approvalRequests = sqliteTable(\"kavach_approval_requests\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(),\n\tresource: text(\"resource\").notNull(),\n\targuments: text(\"arguments\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tstatus: text(\"status\", { enum: [\"pending\", \"approved\", \"denied\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\trespondedAt: integer(\"responded_at\", { mode: \"timestamp\" }),\n\trespondedBy: text(\"responded_by\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" 
}).notNull(),\n});\n\n// ============================================================\n// Trust Scores (graduated autonomy scoring)\n// ============================================================\nexport const trustScores = sqliteTable(\"kavach_trust_scores\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tscore: integer(\"score\").notNull(),\n\tlevel: text(\"level\", {\n\t\tenum: [\"untrusted\", \"limited\", \"standard\", \"trusted\", \"elevated\"],\n\t}).notNull(),\n\tfactors: text(\"factors\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tcomputedAt: integer(\"computed_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Magic Links (passwordless email login)\n// ============================================================\nexport const magicLinks = sqliteTable(\"kavach_magic_links\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\ttoken: text(\"token\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Email OTPs (one-time password login)\n// ============================================================\nexport const emailOtps = sqliteTable(\"kavach_email_otps\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// TOTP (Two-Factor Authentication)\n// 
============================================================\nexport const totpRecords = sqliteTable(\"kavach_totp\", {\n\tuserId: text(\"user_id\")\n\t\t.primaryKey()\n\t\t.references(() => users.id),\n\tsecret: text(\"secret\").notNull(), // base32-encoded TOTP secret\n\tenabled: integer(\"enabled\", { mode: \"boolean\" }).notNull().default(false),\n\tbackupCodes: text(\"backup_codes\", { mode: \"json\" }).notNull().$type<TotpBackupCode[]>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TotpBackupCode {\n\thash: string;\n\tused: boolean;\n}\n\n// ============================================================\n// Organizations (multi-member org with RBAC)\n// ============================================================\nexport const organizations = sqliteTable(\"kavach_organizations\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgMembers = sqliteTable(\"kavach_org_members\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tjoinedAt: integer(\"joined_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgInvitations = sqliteTable(\"kavach_org_invitations\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" 
}),\n\temail: text(\"email\").notNull(),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tinvitedBy: text(\"invited_by\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tstatus: text(\"status\", { enum: [\"pending\", \"accepted\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgRoles = sqliteTable(\"kavach_org_roles\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n});\n\n// ============================================================\n// Passkey Credentials (WebAuthn / FIDO2)\n// ============================================================\nexport const passkeyCredentials = sqliteTable(\"kavach_passkey_credentials\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tcredentialId: text(\"credential_id\").notNull().unique(),\n\tpublicKey: text(\"public_key\").notNull(), // base64url-encoded COSE key\n\tcounter: integer(\"counter\").notNull().default(0),\n\tdeviceName: text(\"device_name\"),\n\ttransports: text(\"transports\"), // JSON array, e.g. 
'[\"internal\",\"usb\"]'\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// SSO Connections (SAML / OIDC enterprise SSO)\n// ============================================================\nexport const ssoConnections = sqliteTable(\"kavach_sso_connections\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\").notNull(),\n\tproviderId: text(\"provider_id\").notNull(),\n\ttype: text(\"type\", { enum: [\"saml\", \"oidc\"] }).notNull(),\n\tdomain: text(\"domain\").notNull().unique(),\n\tenabled: integer(\"enabled\").notNull().default(1),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// API Keys (static bearer tokens with permission scopes)\n// ============================================================\nexport const apiKeys = sqliteTable(\"kavach_api_keys\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\tkeyHash: text(\"key_hash\").notNull(),\n\tkeyPrefix: text(\"key_prefix\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Passkey Challenges (WebAuthn challenge state — short-lived)\n// ============================================================\nexport const passkeyChallenges = sqliteTable(\"kavach_passkey_challenges\", {\n\tid: text(\"id\").primaryKey(),\n\tchallenge: text(\"challenge\").notNull().unique(),\n\tuserId: text(\"user_id\"), // null for 
discoverable credential flows\n\ttype: text(\"type\", { enum: [\"registration\", \"authentication\"] }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Username Accounts (username + password auth)\n// ============================================================\nexport const usernameAccounts = sqliteTable(\"kavach_username_accounts\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tusername: text(\"username\").notNull().unique(),\n\tpasswordHash: text(\"password_hash\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Phone Verifications (SMS OTP)\n// ============================================================\nexport const phoneVerifications = sqliteTable(\"kavach_phone_verifications\", {\n\tid: text(\"id\").primaryKey(),\n\tphoneNumber: text(\"phone_number\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trusted Devices (skip 2FA on known devices for a time window)\n// ============================================================\nexport const trustedDevices = sqliteTable(\"kavach_trusted_devices\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tfingerprint: text(\"fingerprint\").notNull(), // HMAC-SHA256 of stable 
request headers\n\tlabel: text(\"label\").notNull(), // human-readable, e.g. \"Mac\", \"iPhone\"\n\ttrustedAt: integer(\"trusted_at\", { mode: \"timestamp\" }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// One-Time Tokens (email verify, password reset, invitation, custom)\n// ============================================================\nexport const oneTimeTokens = sqliteTable(\"kavach_one_time_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tpurpose: text(\"purpose\", {\n\t\tenum: [\"email-verify\", \"password-reset\", \"invitation\", \"custom\"],\n\t}).notNull(),\n\tidentifier: text(\"identifier\").notNull(), // email, userId, or any caller-supplied key\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Login History (last login method tracking per user)\n// ============================================================\nexport const loginHistory = sqliteTable(\"kavach_login_history\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tmethod: text(\"method\").notNull(), // LoginMethod — kept as text to support oauth:{provider} variants\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp_ms\" }).notNull(),\n});\n\n// ============================================================\n// Agent DIDs (W3C Decentralized Identifiers per agent)\n// 
============================================================\nexport const agentDids = sqliteTable(\"kavach_agent_dids\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tdid: text(\"did\").notNull().unique(),\n\tmethod: text(\"method\", { enum: [\"key\", \"web\"] }).notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\").notNull(), // JSON-serialised JWK (public key only)\n\tdidDocument: text(\"did_document\").notNull(), // JSON-serialised DID Document\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Clients (apps authenticating against KavachOS IdP)\n// ============================================================\nexport const oidcClients = sqliteTable(\"kavach_oidc_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecretHash: text(\"client_secret_hash\").notNull(), // SHA-256 hex of the raw secret\n\tclientName: text(\"client_name\").notNull(),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tscopes: text(\"scopes\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_post\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Authorization Codes\n// ============================================================\nexport const oidcAuthCodes = sqliteTable(\"kavach_oidc_auth_codes\", {\n\tid: 
text(\"id\").primaryKey(),\n\tcodeHash: text(\"code_hash\").notNull().unique(), // SHA-256 hex of the raw code\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tnonce: text(\"nonce\"),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE S256\n\tcodeChallengeMethod: text(\"code_challenge_method\"),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Refresh Tokens\n// ============================================================\nexport const oidcRefreshTokens = sqliteTable(\"kavach_oidc_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\trevoked: integer(\"revoked\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Cost Events (per-agent cost attribution and observability)\n// ============================================================\nexport const costEvents = sqliteTable(\"kavach_cost_events\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\ttool: text(\"tool\").notNull(), // e.g. 
'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github'\n\tinputTokens: integer(\"input_tokens\"),\n\toutputTokens: integer(\"output_tokens\"),\n\t/** Cost stored as integer microdollars (costUsd × 1_000_000) to avoid float drift */\n\tcostMicros: integer(\"cost_micros\").notNull(),\n\tcurrency: text(\"currency\").notNull().default(\"USD\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tdelegationChainId: text(\"delegation_chain_id\"), // null when not part of a chain\n\trecordedAt: integer(\"recorded_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Ephemeral Sessions (short-lived agent credentials for single-task use)\n// ============================================================\nexport const ephemeralSessions = sqliteTable(\"kavach_ephemeral_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmaxActions: integer(\"max_actions\"), // null = unlimited\n\tactionsUsed: integer(\"actions_used\").notNull().default(0),\n\tstatus: text(\"status\", { enum: [\"active\", \"expired\", \"exhausted\", \"revoked\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tauditGroupId: text(\"audit_group_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Stream Events (persisted SSE events for replay)\n// ============================================================\nexport const streamEvents = sqliteTable(\"kavach_stream_events\", {\n\tid: 
text(\"id\").primaryKey(),\n\ttype: text(\"type\").notNull(),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n\tdata: text(\"data\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tagentId: text(\"agent_id\"),\n\tuserId: text(\"user_id\"),\n});\n\n// ============================================================\n// JWT Session Refresh Tokens (general-purpose session plugin)\n// ============================================================\nexport const jwtRefreshTokens = sqliteTable(\"kavach_jwt_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\t/** SHA-256 hex of the raw refresh token. The raw token is never stored. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** The user who owns this session. */\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** True once the token has been used in a refresh or explicit revocation. */\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Resources (relationship-based access control — resource hierarchy)\n// ============================================================\nexport const rebacResources = sqliteTable(\"kavach_rebac_resources\", {\n\tid: text(\"id\").notNull().primaryKey(),\n\ttype: text(\"type\").notNull(), // 'org', 'workspace', 'project', 'document', etc.\n\tparentId: text(\"parent_id\"),\n\tparentType: text(\"parent_type\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Relationships (subject-relation-object tuples, Zanzibar style)\n// ============================================================\nexport const rebacRelationships = 
sqliteTable(\"kavach_rebac_relationships\", {\n\tid: text(\"id\").primaryKey(),\n\tsubjectType: text(\"subject_type\").notNull(), // 'user', 'agent', 'team', 'role'\n\tsubjectId: text(\"subject_id\").notNull(),\n\trelation: text(\"relation\").notNull(), // 'owner', 'editor', 'viewer', 'member', 'parent'\n\tobjectType: text(\"object_type\").notNull(),\n\tobjectId: text(\"object_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Instances (trusted remote KavachOS instances)\n// ============================================================\nexport const federationInstances = sqliteTable(\"kavach_federation_instances\", {\n\tid: text(\"id\").primaryKey(),\n\tinstanceId: text(\"instance_id\").notNull().unique(),\n\tinstanceUrl: text(\"instance_url\").notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\"), // JSON-serialised JWK (public key only)\n\ttrustLevel: text(\"trust_level\", { enum: [\"full\", \"limited\", \"verify-only\"] })\n\t\t.notNull()\n\t\t.default(\"verify-only\"),\n\tdiscoveredAt: integer(\"discovered_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Tokens (issued/received federation tokens for audit)\n// ============================================================\nexport const federationTokens = sqliteTable(\"kavach_federation_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenJti: text(\"token_jti\").notNull().unique(), // JWT ID for dedup\n\tagentId: text(\"agent_id\").notNull(),\n\tsourceInstanceId: text(\"source_instance_id\").notNull(),\n\ttargetInstanceId: text(\"target_instance_id\"),\n\tdirection: text(\"direction\", { enum: [\"issued\", \"received\"] }).notNull(),\n\tpermissions: text(\"permissions\", { 
mode: \"json\" }).notNull().$type<string[]>(),\n\ttrustScore: integer(\"trust_score\"), // stored as integer 0-100\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Token Families (token rotation / reuse detection)\n// ============================================================\nexport const refreshTokenFamilies = sqliteTable(\"kavach_refresh_token_families\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** Absolute session expiry — no rotation can extend beyond this date. */\n\tabsoluteExpiresAt: integer(\"absolute_expires_at\", { mode: \"timestamp\" }).notNull(),\n\t/** 0 = active, 1 = revoked (reuse detection or explicit logout). */\n\trevoked: integer(\"revoked\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Tokens (individual one-time-use tokens per family)\n// ============================================================\nexport const refreshTokens = sqliteTable(\"kavach_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\tfamilyId: text(\"family_id\")\n\t\t.notNull()\n\t\t.references(() => refreshTokenFamilies.id, { onDelete: \"cascade\" }),\n\t/** SHA-256 hash of the opaque token — never store the raw token. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** 0 = unused, 1 = already consumed (one-time use). 
*/\n\tused: integer(\"used\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n","/**\n * ABAC primitives: resource/action matching, IP allowlist, time windows,\n * rate limits, argument pattern validation. Extracted from the legacy\n * permission/engine.ts so both the legacy authorize() and the new unified\n * policy engine can share one implementation.\n */\n\nimport { and, eq, gte } from \"drizzle-orm\";\nimport { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { rateLimits } from \"../db/schema.js\";\nimport type { PermissionConstraints } from \"../types.js\";\n\nexport interface ConstraintEvaluationInput {\n\tsubjectId: string; // agent id used for rate-limit row keying; \"\" if subject has no agent\n\tresource: string;\n\targuments?: Record<string, unknown>;\n\tip?: string;\n}\n\nexport interface ConstraintResult {\n\tallowed: boolean;\n\treason?: string;\n}\n\n/**\n * Match a resource pattern against a requested resource.\n * Supports wildcards: \"mcp:github:*\", \"tool:*\", \"*\".\n */\nexport function matchResource(pattern: string, resource: string): boolean {\n\tif (pattern === \"*\") return true;\n\n\tconst patternParts = pattern.split(\":\");\n\tconst resourceParts = resource.split(\":\");\n\n\tfor (let i = 0; i < patternParts.length; i++) {\n\t\tconst part = patternParts[i];\n\t\tif (part === \"*\") return true;\n\t\tif (part !== resourceParts[i]) return false;\n\t}\n\n\treturn patternParts.length === resourceParts.length;\n}\n\n/**\n * Check if an action is allowed by a permission's actions list.\n */\nexport function matchAction(allowedActions: string[], requestedAction: string): boolean {\n\treturn allowedActions.includes(requestedAction) || allowedActions.includes(\"*\");\n}\n\nfunction parseIPv4(ip: string): number | null {\n\tconst parts = ip.split(\".\");\n\tif 
(parts.length !== 4) return null;\n\tlet result = 0;\n\tfor (const part of parts) {\n\t\tconst num = parseInt(part, 10);\n\t\tif (Number.isNaN(num) || num < 0 || num > 255) return null;\n\t\tresult = (result << 8) | num;\n\t}\n\treturn result >>> 0;\n}\n\nfunction matchesIPEntry(entry: string, ip: string): boolean {\n\tconst slashIndex = entry.indexOf(\"/\");\n\tif (slashIndex === -1) {\n\t\treturn entry === ip;\n\t}\n\n\tconst cidrIp = entry.slice(0, slashIndex);\n\tconst prefixLen = parseInt(entry.slice(slashIndex + 1), 10);\n\tif (Number.isNaN(prefixLen) || prefixLen < 0 || prefixLen > 32) return false;\n\n\tconst entryNum = parseIPv4(cidrIp);\n\tconst ipNum = parseIPv4(ip);\n\tif (entryNum === null || ipNum === null) return false;\n\n\tconst mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;\n\treturn (entryNum & mask) === (ipNum & mask);\n}\n\n/**\n * Check whether an IP is in the allowlist (exact IPs or CIDR ranges).\n * Exported for the legacy permission engine.\n */\nexport function isIPAllowed(allowlist: string[], ip: string): boolean {\n\treturn allowlist.some((entry) => matchesIPEntry(entry, ip));\n}\n\n/**\n * Validate request arguments against allowed regex patterns. All string-typed\n * argument values must match every pattern, otherwise the request is denied.\n */\nexport function validateArgPatterns(\n\tpatterns: string[],\n\targs: Record<string, unknown>,\n): { valid: boolean; reason?: string } {\n\tfor (const pattern of patterns) {\n\t\tconst regex = new RegExp(pattern);\n\t\tfor (const [key, value] of Object.entries(args)) {\n\t\t\tif (typeof value === \"string\" && !regex.test(value)) {\n\t\t\t\treturn {\n\t\t\t\t\tvalid: false,\n\t\t\t\t\treason: `Argument \"${key}\" value \"${value}\" does not match pattern \"${pattern}\"`,\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n\treturn { valid: true };\n}\n\n/**\n * Sliding-window rate limit check. Increments the per-agent counter as a\n * side effect when the request is allowed. 
Skipped entirely when subjectId\n * is empty (RBAC-only requests for human users do not consume agent quota).\n */\nexport async function checkRateLimit(\n\tdb: Database,\n\tagentId: string,\n\tresource: string,\n\tmaxCallsPerHour: number,\n): Promise<ConstraintResult> {\n\tif (!agentId) {\n\t\treturn { allowed: true };\n\t}\n\n\tconst oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);\n\n\tconst rows = await db\n\t\t.select()\n\t\t.from(rateLimits)\n\t\t.where(\n\t\t\tand(\n\t\t\t\teq(rateLimits.agentId, agentId),\n\t\t\t\teq(rateLimits.resource, resource),\n\t\t\t\tgte(rateLimits.windowStart, oneHourAgo),\n\t\t\t),\n\t\t);\n\n\tconst totalCalls = rows.reduce((sum, r) => sum + r.count, 0);\n\n\tif (totalCalls >= maxCallsPerHour) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: `Rate limit exceeded: ${totalCalls}/${maxCallsPerHour} calls per hour for resource \"${resource}\"`,\n\t\t};\n\t}\n\n\tconst currentWindow = new Date(Math.floor(Date.now() / (5 * 60 * 1000)) * (5 * 60 * 1000));\n\tconst existing = rows.find((r) => r.windowStart.getTime() === currentWindow.getTime());\n\n\tif (existing) {\n\t\tawait db\n\t\t\t.update(rateLimits)\n\t\t\t.set({ count: existing.count + 1 })\n\t\t\t.where(eq(rateLimits.id, existing.id));\n\t} else {\n\t\tawait db.insert(rateLimits).values({\n\t\t\tid: generateId(),\n\t\t\tagentId,\n\t\t\tresource,\n\t\t\twindowStart: currentWindow,\n\t\t\tcount: 1,\n\t\t});\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Evaluate every constraint on a permission. Returns the first failure, or\n * { allowed: true } if all pass. 
Constraint order: rate limit, arg patterns,\n * approval, time window, IP allowlist.\n */\nexport async function evaluateConstraints(\n\tdb: Database,\n\tinput: ConstraintEvaluationInput,\n\tconstraints: PermissionConstraints,\n): Promise<ConstraintResult> {\n\tif (constraints.maxCallsPerHour) {\n\t\tconst rateResult = await checkRateLimit(\n\t\t\tdb,\n\t\t\tinput.subjectId,\n\t\t\tinput.resource,\n\t\t\tconstraints.maxCallsPerHour,\n\t\t);\n\t\tif (!rateResult.allowed) {\n\t\t\treturn rateResult;\n\t\t}\n\t}\n\n\tif (constraints.allowedArgPatterns && input.arguments) {\n\t\tconst patternResult = validateArgPatterns(constraints.allowedArgPatterns, input.arguments);\n\t\tif (!patternResult.valid) {\n\t\t\treturn { allowed: false, reason: patternResult.reason };\n\t\t}\n\t}\n\n\tif (constraints.requireApproval) {\n\t\treturn {\n\t\t\tallowed: false,\n\t\t\treason: \"This action requires human approval before execution\",\n\t\t};\n\t}\n\n\tif (constraints.timeWindow) {\n\t\tconst now = new Date();\n\t\tconst hours = now.getHours();\n\t\tconst minutes = now.getMinutes();\n\t\tconst currentTime = `${String(hours).padStart(2, \"0\")}:${String(minutes).padStart(2, \"0\")}`;\n\n\t\tif (currentTime < constraints.timeWindow.start || currentTime > constraints.timeWindow.end) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `Action is only allowed between ${constraints.timeWindow.start} and ${constraints.timeWindow.end}`,\n\t\t\t};\n\t\t}\n\t}\n\n\tif (constraints.ipAllowlist && constraints.ipAllowlist.length > 0) {\n\t\tif (!input.ip) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: \"IP_NOT_ALLOWED: No IP address provided; resource requires an IP allowlist match\",\n\t\t\t};\n\t\t}\n\t\tif (!isIPAllowed(constraints.ipAllowlist, input.ip)) {\n\t\t\treturn {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `IP_NOT_ALLOWED: IP \"${input.ip}\" is not in the allowlist for this resource`,\n\t\t\t};\n\t\t}\n\t}\n\n\treturn { allowed: true };\n}\n\n/**\n * Returns 
true when the constraint result depends on per-call state or input,\n * so the decision must NOT be cached:\n * - maxCallsPerHour: counter changes every call\n * - timeWindow: result flips at window boundaries\n * - allowedArgPatterns: result depends on context.arguments, which are not\n * part of the cache key. Caching could otherwise let safe-args permits\n * serve unsafe-args requests.\n */\nexport function isCacheUnsafe(constraints?: PermissionConstraints): boolean {\n\tif (!constraints) return false;\n\treturn (\n\t\tBoolean(constraints.maxCallsPerHour) ||\n\t\tBoolean(constraints.timeWindow) ||\n\t\t(Array.isArray(constraints.allowedArgPatterns) && constraints.allowedArgPatterns.length > 0)\n\t);\n}\n","import { generateId } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { auditLogs } from \"../db/schema.js\";\nimport { evaluateConstraints, matchAction, matchResource } from \"../policy/abac.js\";\nimport type { AgentIdentity, AuthorizeRequest, AuthorizeResult } from \"../types.js\";\n\ninterface PermissionEngineConfig {\n\tdb: Database;\n\tauditAll: boolean;\n}\n\n/**\n * Create the permission/authorization engine.\n *\n * This remains the public entry point used by adapters. The constraint and\n * matching primitives now live in policy/abac.ts so the new unified policy\n * engine can reuse them. 
A follow-on patch rewires this function to delegate\n * to policy/engine.ts; today it still performs direct-permission evaluation.\n */\nexport function createPermissionEngine(config: PermissionEngineConfig) {\n\tconst { db, auditAll } = config;\n\n\tasync function authorize(\n\t\tagent: AgentIdentity,\n\t\trequest: AuthorizeRequest,\n\t): Promise<AuthorizeResult> {\n\t\tconst startTime = performance.now();\n\t\tconst auditId = generateId();\n\n\t\tconst matchingPermission = agent.permissions.find(\n\t\t\t(p) => matchResource(p.resource, request.resource) && matchAction(p.actions, request.action),\n\t\t);\n\n\t\tif (!matchingPermission) {\n\t\t\tconst result: AuthorizeResult = {\n\t\t\t\tallowed: false,\n\t\t\t\treason: `No permission grants agent \"${agent.name}\" access to \"${request.action}\" on \"${request.resource}\"`,\n\t\t\t\tauditId,\n\t\t\t};\n\t\t\tif (auditAll) {\n\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t}\n\t\t\treturn result;\n\t\t}\n\n\t\tif (matchingPermission.constraints) {\n\t\t\tconst constraintResult = await evaluateConstraints(\n\t\t\t\tdb,\n\t\t\t\t{\n\t\t\t\t\tsubjectId: agent.id,\n\t\t\t\t\tresource: request.resource,\n\t\t\t\t\targuments: request.arguments,\n\t\t\t\t\tip: request.ip,\n\t\t\t\t},\n\t\t\t\tmatchingPermission.constraints,\n\t\t\t);\n\t\t\tif (!constraintResult.allowed) {\n\t\t\t\tconst result: AuthorizeResult = {\n\t\t\t\t\tallowed: false,\n\t\t\t\t\treason: constraintResult.reason,\n\t\t\t\t\tauditId,\n\t\t\t\t};\n\t\t\t\tif (auditAll) {\n\t\t\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t\t\t}\n\t\t\t\treturn result;\n\t\t\t}\n\t\t}\n\n\t\tconst result: AuthorizeResult = { allowed: true, auditId };\n\t\tif (auditAll) {\n\t\t\tawait writeAuditLog(db, agent, request, result, startTime, auditId);\n\t\t}\n\t\treturn result;\n\t}\n\n\treturn { authorize };\n}\n\nasync function writeAuditLog(\n\tdb: Database,\n\tagent: AgentIdentity,\n\trequest: 
AuthorizeRequest,\n\tresult: AuthorizeResult,\n\tstartTime: number,\n\tauditId: string,\n): Promise<void> {\n\tconst durationMs = Math.round(performance.now() - startTime);\n\n\tawait db.insert(auditLogs).values({\n\t\tid: auditId,\n\t\tagentId: agent.id,\n\t\tuserId: agent.ownerId,\n\t\taction: request.action,\n\t\tresource: request.resource,\n\t\tparameters: request.arguments ?? {},\n\t\tresult: result.allowed ? \"allowed\" : \"denied\",\n\t\treason: result.reason ?? null,\n\t\tdurationMs,\n\t\ttimestamp: new Date(),\n\t\tip: request.context?.ip ?? null,\n\t\tuserAgent: request.context?.userAgent ?? null,\n\t});\n}\n","import type { Permission } from \"../types.js\";\n\n/**\n * Pre-built permission templates for common access patterns.\n * Use these as starting points when creating agents.\n */\nexport const permissionTemplates = {\n\t/** Read-only access to all resources */\n\treadonly: [{ resource: \"*\", actions: [\"read\"] }] satisfies Permission[],\n\n\t/** Read and write access to all resources */\n\treadwrite: [{ resource: \"*\", actions: [\"read\", \"write\"] }] satisfies Permission[],\n\n\t/** Full access to all resources and actions */\n\tadmin: [{ resource: \"*\", actions: [\"*\"] }] satisfies Permission[],\n\n\t/** Standard MCP tool access - read + execute */\n\tmcpBasic: [{ resource: \"mcp:*\", actions: [\"read\", \"execute\"] }] satisfies Permission[],\n\n\t/** MCP tool access with write - read + write + execute */\n\tmcpFull: [{ resource: \"mcp:*\", actions: [\"read\", \"write\", \"execute\"] }] satisfies Permission[],\n\n\t/** Rate-limited read access (100 calls/hour) */\n\trateLimitedRead: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\"],\n\t\t\tconstraints: { maxCallsPerHour: 100 },\n\t\t},\n\t] satisfies Permission[],\n\n\t/** Approval-required access (human-in-the-loop for everything) */\n\tapprovalRequired: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"*\"],\n\t\t\tconstraints: { requireApproval: true },\n\t\t},\n\t] 
satisfies Permission[],\n\n\t/** Business hours only access (9am-5pm) */\n\tbusinessHours: [\n\t\t{\n\t\t\tresource: \"*\",\n\t\t\tactions: [\"read\", \"write\", \"execute\"],\n\t\t\tconstraints: { timeWindow: { start: \"09:00\", end: \"17:00\" } },\n\t\t},\n\t] satisfies Permission[],\n} as const;\n\nexport type PermissionTemplateName = keyof typeof permissionTemplates;\n\n/**\n * Get a permission template by name.\n * Returns a fresh copy of the permissions array.\n */\nexport function getPermissionTemplate(name: PermissionTemplateName): Permission[] {\n\treturn JSON.parse(JSON.stringify(permissionTemplates[name])) as Permission[];\n}\n"]}
|
|
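--- a/package/dist/types-BuHrZcjE.d.ts
+++ b/package/dist/types-BiUe9e8u.d.ts
@@ -54,6 +54,30 @@ interface McpConfig {
 }>;
 /** Custom token claims generator */
 getAdditionalClaims?: (userId: string, scopes: string[]) => Promise<Record<string, unknown>>;
+/**
+* Emit IETF agentic JWT claims on issued access tokens.
+*
+* When true, any claims returned by `getAgenticContext` are embedded in
+* the token payload using the registered draft-goswami-agentic-jwt-00 claim
+* names. Claims with no available context value are omitted. Off by default.
+*
+* @default false
+*/
+emitAgenticJwtClaims?: boolean;
+/**
+* Resolve agentic context for a given user at token issuance time.
+*
+* Called only when `emitAgenticJwtClaims` is true. Return only the claims
+* you can populate; absent fields are skipped rather than fabricated.
+*
+* TODO(v3): wire this through kavach.ts so the trust module can provide
+* trust_tier automatically without requiring the caller to implement it.
+*/
+getAgenticContext?: (userId: string) => Promise<{
+agentId?: string;
+agentType?: "autonomous" | "delegated" | "supervised";
+trustTier?: "unverified" | "low" | "standard" | "elevated" | "high";
+}>;
 }
 interface McpServerMetadata {
 issuer: string;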
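Review bot: The `trustTier` union on `getAgenticContext` (`"unverified" | "low" | "standard" | "elevated" | "high"`) uses a different vocabulary from the `level` enum of `kavach_trust_scores` in the bundled schema source shown earlier on this page (`untrusted`, `limited`, `standard`, `trusted`, `elevated`), and `elevated` appears to sit at a different rank in the two lists. Since the TODO plans for the trust module to supply `trust_tier` automatically, the doc comment should say how stored levels map to claim values, for example `* NOTE: trustTier values are not the stored trust-score levels; define the mapping before emitting trust_tier.`, so a relying party does not read a stored `elevated` as the same tier as the claim's `elevated`. The comment on `emitAgenticJwtClaims` also leaves open what issuance does when the flag is true but `getAgenticContext` is missing or rejects; one sentence stating that the token is then issued without agentic claims (if that is the behaviour) would settle it. `interface McpConfig` begins outside this hunk, so its other fields were not reviewed.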