kavachos 0.3.0 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (28) hide show
  1. package/dist/a2a/index.d.ts +2 -2
  2. package/dist/agent/index.d.ts +3 -3
  3. package/dist/agent/index.js +4 -0
  4. package/dist/agent/index.js.map +1 -1
  5. package/dist/audit/index.d.ts +2 -2
  6. package/dist/audit/index.js +4 -0
  7. package/dist/audit/index.js.map +1 -1
  8. package/dist/auth/index.d.ts +34 -3
  9. package/dist/auth/index.js +91 -2
  10. package/dist/auth/index.js.map +1 -1
  11. package/dist/index.d.ts +33 -4
  12. package/dist/index.js +851 -67
  13. package/dist/index.js.map +1 -1
  14. package/dist/mcp/index.d.ts +2 -2
  15. package/dist/mcp/index.js +38 -1
  16. package/dist/mcp/index.js.map +1 -1
  17. package/dist/permission/index.d.ts +8 -3
  18. package/dist/permission/index.js +68 -59
  19. package/dist/permission/index.js.map +1 -1
  20. package/dist/standards/index.d.ts +139 -0
  21. package/dist/standards/index.js +72 -0
  22. package/dist/standards/index.js.map +1 -0
  23. package/dist/{types-BuHrZcjE.d.ts → types-BiUe9e8u.d.ts} +24 -0
  24. package/dist/{types-B02D3kZy.d.ts → types-RJPOU4un.d.ts} +114 -2
  25. package/dist/vc/index.d.ts +254 -65
  26. package/dist/vc/index.js +160 -12
  27. package/dist/vc/index.js.map +1 -1
  28. package/package.json +7 -1
package/dist/a2a/index.d.ts CHANGED
@@ -1,7 +1,7 @@
1
1
  import * as jose from 'jose';
2
- import { A as AgentIdentity } from '../types-B02D3kZy.js';
2
+ import { A as AgentIdentity } from '../types-RJPOU4un.js';
3
3
  import { z } from 'zod';
4
- import { R as Result } from '../types-BuHrZcjE.js';
4
+ import { R as Result } from '../types-BiUe9e8u.js';
5
5
  import 'drizzle-orm/sqlite-core';
6
6
  import '../redirect/index.js';
7
7
 
package/dist/agent/index.d.ts CHANGED
@@ -1,7 +1,7 @@
1
- import { D as Database, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput } from '../types-B02D3kZy.js';
2
- export { Y as AgentConfig } from '../types-B02D3kZy.js';
1
+ import { D as Database, C as CreateAgentInput, A as AgentIdentity, h as AgentFilter, U as UpdateAgentInput } from '../types-RJPOU4un.js';
2
+ export { a0 as AgentConfig } from '../types-RJPOU4un.js';
3
3
  import 'drizzle-orm/sqlite-core';
4
- import '../types-BuHrZcjE.js';
4
+ import '../types-BiUe9e8u.js';
5
5
  import 'zod';
6
6
  import '../redirect/index.js';
7
7
 
package/dist/agent/index.js CHANGED
@@ -112,6 +112,8 @@ var permissions = sqliteTable("kavach_permissions", {
112
112
  actions: text("actions", { mode: "json" }).notNull().$type(),
113
113
  // ["read", "write", "execute"]
114
114
  constraints: text("constraints", { mode: "json" }).$type(),
115
+ // When set, the policy engine consults the ReBAC graph for this permission.
116
+ relation: text("relation"),
115
117
  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
116
118
  });
117
119
  sqliteTable("kavach_delegation_chains", {
@@ -141,6 +143,8 @@ sqliteTable("kavach_audit_logs", {
141
143
  tokensCost: integer("tokens_cost"),
142
144
  ip: text("ip"),
143
145
  userAgent: text("user_agent"),
146
+ // True when this audit row corresponds to a policy-engine cache-hit evaluation.
147
+ cacheHit: integer("cache_hit", { mode: "boolean" }).notNull().default(false),
144
148
  timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
145
149
  });
146
150
  sqliteTable("kavach_rate_limits", {
package/dist/agent/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/db/schema.ts","../../src/agent/agent.ts"],"names":[],"mappings":";;;;;;AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAoBO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAuBO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAWA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AC5GO,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,MAAA,EAAO;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA;AAAA,EAE5E,QAAQ,OAAA,CAAQ,QAAQ,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,oBAAoB,OAAA,CAAQ,sBAAsB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACvE,eAAe,OAAA,CAAQ,gBAAgB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA;AAAA,EAE5D,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,MAAA,EAAO;AAAA,EACpD,oBAAA,EAAsB,KAAK,wBAAwB,CAAA;AAAA,EACnD,wBAAA,EAA0B,KAAK,4BAA4B,CAAA;AAAA,EAC3D,aAAA,EAAe,KAAK,iBAAiB,CAAA;AAAA,EACrC,wBAAwB,OAAA,CAAQ,2BAAA,EAA6B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAClF,uBAAA,EAAyB,OAAA,CAAQ,6BAAA,EAA+B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CACjF,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,IAAA,CAAK,mBAAmB,CAAA,CAAE,MAAA,EAAO;AAAA,EAClD,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,uBAAA,EAAyB,KAAK,2BAA2B,CAAA;AAAA,EACzD,cAAA,EAAgB,KAAK,kBAAkB,CAAA;AAAA,EACvC,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,sBAAA,EAAwB,OAAA,CAAQ,4BAAA,EAA8B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAC/E,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA,EACf,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,OAAA,GAAU,YAAY,gBAAA,EAAkB;AAAA,EACpD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAyB;AAAA,EACtE,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAW,CAAA,EAAG,CAAA,CACtD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAYM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,WAAA,GAAc,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA,EACnF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAa+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKuB,YAAY,iBAAA,EAAmB;AAAA,EACtD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsC,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,EACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,SAAA,EAAW,CAAA;AAAA;AAAA,EAC7E,QAAQ,IAAA,CAAK,SAAS,EAAE,UAAA,CAAW,MAAM,MAAM,EAAE,CAAA;AAAA;AAAA,EACjD,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAuB;AAAA,EAC1E,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAsB;AAAA,EACtF,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAS,QAAQ,GAAG,CAAA,CACtE,OAAA,EAAQ,CACR,QAAQ,MAAM,CAAA;AAAA,EAChB,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAA,EAAa,UAAU,GAAG,CAAA,CAClE,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAoByB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,KAAK,aAAa,CAAA;AAAA,EAC/B,OAAA,EAAS,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EACjC,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACzE,YAAA,EAAc,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiB;AAAA,EAChF,gBAAA,EAAkB,IAAA,CAAK,mBAAA,EAAqB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAC1D,OAAA,EAAQ,CACR,KAAA,EAA+B;AAAA,EACjC,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,SAAA,EAAW,KAAK,WAAA,EAAa,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC9E,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,UAAA,EAAY,QAAA,EAAU,SAAS,GAAG,CAAA,CAC3E,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,aAAa,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC1D,WAAA,EAAa,KAAK,cAAc,CAAA;AAAA,EAChC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAA,EAAO,OAAA,CAAQ,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,KAAA,EAAO,KAAK,OAAA,EAAS;AAAA,IACpB,MAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAA,EAAY,WAAW,UAAU;AAAA,GAChE,EAAE,OAAA,EAAQ;AAAA,EACX,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EACpF,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,aAAA,EAAe;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,YAAW,CACX,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,WAAA,EAAa,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAwB;AAAA,EACtF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,aAAA,GAAgB,YAAY,sBAAA,EAAwB;AAAA,EAChE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAEyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,QAAA,EAAU,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACvD,CAAC;AAE6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA,CAC1B,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,SAAA,EAAW,UAAA,EAAY,SAAS,GAAG,CAAA,CACjE,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAEuB,YAAY,kBAAA,EAAoB;AAAA,EACvD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA;AAC9D,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,cAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACrD,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,UAAA,EAAY,KAAK,YAAY,CAAA;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC5D,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC9B,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvD,QAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACxC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsB,YAAY,iBAAA,EAAmB;AAAA,EACrD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,YAAY,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACzD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC9C,MAAA,EAAQ,KAAK,SAAS,CAAA;AAAA;AAAA,EACtB,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAgB,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC5C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACzC,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,OAAA,EAAS,KAAK,SAAA,EAAW;AAAA,IACxB,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAA,EAAkB,cAAc,QAAQ;AAAA,GAC/D,EAAE,OAAA,EAAQ;AAAA,EACX,UAAA,EAAY,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACvC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,cAAA,EAAgB,EAAE,OAAA;AAC3D,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAK,IAAA,CAAK,KAAK,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAClC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,KAAA,EAAO,KAAK,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzD,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7C,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACrD,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC5E,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAClF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACnE,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,oBAAoB,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,KAAA,EAAO,KAAK,OAAO,CAAA;AAAA,EACnB,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,WAAA,EAAa,QAAQ,cAAc,CAAA;AAAA,EACnC,YAAA,EAAc,QAAQ,eAAe,CAAA;AAAA;AAAA,EAErC,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAU,IAAA,CAAK,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,KAAK,CAAA;AAAA,EAClD,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,iBAAA,EAAmB,KAAK,qBAAqB,CAAA;AAAA;AAAA,EAC7C,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,aAAa,OAAA,CAAQ,cAAc,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACxD,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,SAAA,EAAW,WAAA,EAAa,SAAS,GAAG,CAAA,CAC5E,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAC/D,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EAC9E,OAAA,EAAS,KAAK,UAAU,CAAA;AAAA,EACxB,MAAA,EAAQ,KAAK,SAAS;AACvB,CAAC;AAK+B,YAAY,2BAAA,EAA6B;AAAA,EACxE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA;AAAA,EAE1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,IAAI,IAAA,CAAK,IAAI,CAAA,CAAE,OAAA,GAAU,UAAA,EAAW;AAAA,EACpC,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,WAAW,CAAA;AAAA,EAC1B,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKkC,YAAY,6BAAA,EAA+B;AAAA,EAC7E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,YAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACjD,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,YAAA,EAAc,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,CAAC,MAAA,EAAQ,SAAA,EAAW,aAAa,GAAG,CAAA,CAC1E,OAAA,EAAQ,CACR,QAAQ,aAAa,CAAA;AAAA,EACvB,cAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC5D,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA,EACrD,gBAAA,EAAkB,KAAK,oBAAoB,CAAA;AAAA,EAC3C,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvE,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,oBAAA,GAAuB,YAAY,+BAAA,EAAiC;AAAA,EAChF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,iBAAA,EAAmB,QAAQ,qBAAA,EAAuB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA;AAAA,EAEjF,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK4B,YAAY,uBAAA,EAAyB;AAAA,EACjE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CACxB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,oBAAA,CAAqB,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEnE,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAM,OAAA,CAAQ,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACzC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;;;ACjxBD,eAAe,kBAAA,GAA+E;AAC7F,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,CAAA,GAAA,EAAM,WAAA,CAAY,UAAU,CAAC,CAAA,CAAA;AAC3C,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,KAAK,CAAA;AAC/B,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAChC,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO;AAC9B;AAEA,SAAS,iBAAiB,MAAA,EAAsB;AAC/C,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,MAAM,CAAA,qCAAA,CAAuC,CAAA;AAAA,EAC9F;AACA,EAAA,MAAM,QAAQ,MAAA,CAAO,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AACpD,EAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,EAAA,MAAM,WAAA,GAAsC;AAAA,IAC3C,CAAA,EAAG,GAAA;AAAA,IACH,GAAG,EAAA,GAAK,GAAA;AAAA,IACR,CAAA,EAAG,KAAK,EAAA,GAAK,GAAA;AAAA,IACb,CAAA,EAAG,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK;AAAA,GACnB;AACA,EAAA,OAAO,IAAI,IAAA,CAAK,GAAA,GAAM,SAAS,WAAA,CAAY,IAAc,KAAK,CAAA,CAAE,CAAA;AACjE;AAMO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,EAAA,EAAI,UAAA,EAAY,WAAA,EAAY,GAAI,MAAA;AAExC,EAAA,eAAe,OAAO,KAAA,EAAqE;AAE1F,IAAA,MAAM,QAAA,GAAW,MAAM,EAAA,CACrB,MAAA,GACA,IAAA,CAAK,MAAM,EACX,KAAA,CAAM,GAAA,CAAI,GAAG,MAAA,CAAO,OAAA,EAAS,MAAM,OAAO,CAAA,EAAG,GAAG,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAE3E,IAAA,IAAI,QAAA,CAAS,UAAU,UAAA,EAAY;AAClC,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,KAAA,EAAQ,KAAA,CAAM,OAAO,CAAA,4BAAA,EAA+B,UAAU,CAAA,eAAA;AAAA,OAC/D;AAAA,IACD;AAEA,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO,GAAI,MAAM,kBAAA,EAAmB;AACzD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,SAAA,IAAa,gBAAA,CAAiB,WAAW,CAAA;AAG/D,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,MAAM,CAAA,CAAE,MAAA,CAAO;AAAA,MAC9B,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,IAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,MAAA;AAAA,MACb,SAAA,EAAW,OAAA;AAAA,MACX,QAAA,EAAU,KAAA,CAAM,QAAA,IAAY,EAAC;AAAA,MAC7B,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACX,CAAA;AAGD,IAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,QAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,UAC7B,IAAI,UAAA,EAAW;AAAA,UACf,OAAA,EAAS,EAAA;AAAA,UACT,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,SAAS,CAAA,CAAE,OAAA;AAAA,UACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,UAC9B,SAAA,EAAW;AAAA,SACZ,CAAE;AAAA,OACH;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA;AAAA,MACA,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,OAAA;AAAA,MACX,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAEA,EAAA,eAAe,IAAI,OAAA,EAAgD;AAClE,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,OAAO,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACjF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AAExF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,eAAe,KAAK,MAAA,EAAgD;AACnE,IAAA,IAAI,QAAQ,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,MAAM,EAAE,QAAA,EAAS;AAE9C,IAAA,MAAM,aAAa,EAAC;AACpB,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,OAAA,EAAS,MAAA,CAAO,MAAM,CAAC,CAAA;AACrE,IAAA,IAAI,MAAA,EAAQ,UAAU,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,QAAA,EAAU,MAAA,CAAO,QAAQ,CAAC,CAAA;AAC1E,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACpE,IAAA,IAAI,MAAA,EAAQ,MAAM,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,IAAA,EAAM,MAAA,CAAO,IAAI,CAAC,CAAA;AAE9D,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IACvC;AAEA,IAAA,MAAM,OAAO,MAAM,KAAA;AAGnB,IAAA,MAAM,WAAW,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;AACrC,IAAA,MAAM,YAAA,uBAAmB,GAAA,EAA0B;AACnD,IAAA,KAAA,MAAW,MAAM,QAAA,EAAU;AAC1B,MAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,EAAE,CAAC,CAAA;AACnF,MAAA,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAA,CAAI,YAAY,CAAC,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,KAAA,MAAW;AAAA,MAC3B,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,aAAa,YAAA,CAAa,GAAA,CAAI,KAAA,CAAM,EAAE,KAAK,EAAC;AAAA,MAC5C,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,eAAe,MAAA,CAAO,SAAiB,KAAA,EAAiD;AACvF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,MAAM,CAAA,CACb,GAAA,CAAI;AAAA,MACJ,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,QAAA,CAAS,IAAA;AAAA,MAC7B,SAAA,EAAW,KAAA,CAAM,SAAA,IAAa,QAAA,CAAS,SAAA;AAAA,MACvC,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,SAAA,EAAW;AAAA,KACX,CAAA,CACA,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAG9B,IAAA,IAAI,MAAM,WAAA,EAAa;AACtB,MAAA,MAAM,EAAA,CAAG,OAAO,WAAW,CAAA,CAAE,MAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AACnE,MAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,QAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,UAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,YAC7B,IAAI,UAAA,EAAW;AAAA,YACf,OAAA;AAAA,YACA,UAAU,CAAA,CAAE,QAAA;AAAA,YACZ,SAAS,CAAA,CAAE,OAAA;AAAA,YACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,YAC9B,SAAA,EAAW;AAAA,WACZ,CAAE;AAAA,SACH;AAAA,MACD;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,OAAO,CAAA;AACjC,IAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,0BAAA,CAA4B,CAAA;AAC1E,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,OAAO,OAAA,EAAgC;AACrD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,QAAQ,SAAA,EAAW,SAAA,sBAAe,IAAA,EAAK,EAAG,CAAA,CAChD,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,EAC/B;AAEA,EAAA,eAAe,OAAO,OAAA,EAA6D;AAClF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAC5D,IAAA,IAAI,SAAS,MAAA,KAAW,QAAA;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,QAAA,CAAS,MAAM,CAAA,OAAA,CAAS,CAAA;AAEpE,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO,GAAI,MAAM,kBAAA,EAAmB;AACzD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,QAAQ,SAAA,EAAW,GAAA,EAAK,CAAA,CAC5D,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAE9B,IAAA,OAAO,EAAE,GAAG,QAAA,EAAU,KAAA,EAAO,WAAW,GAAA,EAAI;AAAA,EAC7C;AAMA,EAAA,eAAe,cAAc,KAAA,EAA8C;AAC1E,IAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,KAAK,CAAA;AAC/B,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,SAAA,EAAW,IAAI,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACrF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,QAAA,EAAU,OAAO,IAAA;AAGtC,IAAA,IAAI,MAAM,SAAA,IAAa,KAAA,CAAM,SAAA,mBAAY,IAAI,MAAK,EAAG;AACpD,MAAA,MAAM,EAAA,CACJ,OAAO,MAAM,CAAA,CACb,IAAI,EAAE,MAAA,EAAQ,WAAW,SAAA,kBAAW,IAAI,MAAK,EAAG,EAChD,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAC/B,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,MAAM,GAAG,MAAA,CAAO,MAAM,EAAE,GAAA,CAAI,EAAE,8BAAc,IAAI,IAAA,EAAK,EAAG,EAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAEvF,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,KAAA,CAAM,EAAE,CAAC,CAAA;AAEzF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAM,MAAA,EAAQ,MAAA,EAAQ,QAAQ,aAAA,EAAc;AACnE;AAEA,SAAS,aAAa,GAAA,EAIP;AACd,EAAA,OAAO;AAAA,IACN,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,WAAA,EAAc,IAAI,WAAA,IAA6C;AAAA,GAChE;AACD","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). */\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// ---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\tusername: text(\"username\").unique(),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\t// Admin ban fields (populated by admin module)\n\tbanned: integer(\"banned\").notNull().default(0),\n\tbanReason: text(\"ban_reason\"),\n\tbanExpiresAt: integer(\"ban_expires_at\", { mode: \"timestamp\" }),\n\tforcePasswordReset: integer(\"force_password_reset\").notNull().default(0),\n\temailVerified: integer(\"email_verified\").notNull().default(0),\n\t// Stripe integration fields (populated by kavach-stripe plugin)\n\tstripeCustomerId: text(\"stripe_customer_id\").unique(),\n\tstripeSubscriptionId: text(\"stripe_subscription_id\"),\n\tstripeSubscriptionStatus: text(\"stripe_subscription_status\"),\n\tstripePriceId: text(\"stripe_price_id\"),\n\tstripeCurrentPeriodEnd: integer(\"stripe_current_period_end\", { mode: \"timestamp\" }),\n\tstripeCancelAtPeriodEnd: integer(\"stripe_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\t// Polar integration fields (populated by kavach-polar plugin)\n\tpolarCustomerId: text(\"polar_customer_id\").unique(),\n\tpolarSubscriptionId: text(\"polar_subscription_id\"),\n\tpolarSubscriptionStatus: text(\"polar_subscription_status\"),\n\tpolarProductId: text(\"polar_product_id\"),\n\tpolarCurrentPeriodEnd: integer(\"polar_current_period_end\", { mode: \"timestamp\" }),\n\tpolarCancelAtPeriodEnd: integer(\"polar_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Tenants (multi-tenant isolation — must come before agents)\n// ============================================================\nexport const tenants = sqliteTable(\"kavach_tenants\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\tsettings: text(\"settings\", { mode: \"json\" }).$type<TenantSettingsRow>(),\n\tstatus: text(\"status\", { enum: [\"active\", \"suspended\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TenantSettingsRow {\n\tmaxAgents?: number;\n\tmaxDelegationDepth?: number;\n\tauditRetentionDays?: number;\n\tallowedAgentTypes?: string[];\n}\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable, for multi-tenant scoping\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. \"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Sessions (human user sessions managed by KavachOS)\n// ============================================================\nexport const sessions = sqliteTable(\"kavach_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Budget Policies (agent execution budget caps)\n// ============================================================\nexport const budgetPolicies = sqliteTable(\"kavach_budget_policies\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\").references(() => agents.id, { onDelete: \"cascade\" }), // nullable\n\tuserId: text(\"user_id\").references(() => users.id), // nullable\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable\n\tlimits: text(\"limits\", { mode: \"json\" }).notNull().$type<BudgetLimitsRow>(),\n\tcurrentUsage: text(\"current_usage\", { mode: \"json\" }).notNull().$type<BudgetUsageRow>(),\n\taction: text(\"action\", { enum: [\"warn\", \"throttle\", \"block\", \"revoke\"] })\n\t\t.notNull()\n\t\t.default(\"warn\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"triggered\", \"disabled\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface BudgetLimitsRow {\n\tmaxTokensCostPerDay?: number;\n\tmaxTokensCostPerMonth?: number;\n\tmaxCallsPerDay?: number;\n\tmaxCallsPerMonth?: number;\n}\n\ninterface BudgetUsageRow {\n\ttokensCostToday: number;\n\ttokensCostThisMonth: number;\n\tcallsToday: number;\n\tcallsThisMonth: number;\n\tlastUpdated: string;\n}\n\n// ============================================================\n// Agent Capability Cards (A2A discovery)\n// ============================================================\nexport const agentCards = sqliteTable(\"kavach_agent_cards\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tdescription: text(\"description\"),\n\tversion: text(\"version\").notNull(),\n\tprotocols: text(\"protocols\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tcapabilities: text(\"capabilities\", { mode: \"json\" }).notNull().$type<unknown[]>(),\n\tauthRequirements: text(\"auth_requirements\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<Record<string, unknown>>(),\n\tendpoint: text(\"endpoint\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Approval Requests (CIBA async approval flows)\n// ============================================================\nexport const approvalRequests = sqliteTable(\"kavach_approval_requests\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(),\n\tresource: text(\"resource\").notNull(),\n\targuments: text(\"arguments\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tstatus: text(\"status\", { enum: [\"pending\", \"approved\", \"denied\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\trespondedAt: integer(\"responded_at\", { mode: \"timestamp\" }),\n\trespondedBy: text(\"responded_by\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trust Scores (graduated autonomy scoring)\n// ============================================================\nexport const trustScores = sqliteTable(\"kavach_trust_scores\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tscore: integer(\"score\").notNull(),\n\tlevel: text(\"level\", {\n\t\tenum: [\"untrusted\", \"limited\", \"standard\", \"trusted\", \"elevated\"],\n\t}).notNull(),\n\tfactors: text(\"factors\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tcomputedAt: integer(\"computed_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Magic Links (passwordless email login)\n// ============================================================\nexport const magicLinks = sqliteTable(\"kavach_magic_links\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\ttoken: text(\"token\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Email OTPs (one-time password login)\n// ============================================================\nexport const emailOtps = sqliteTable(\"kavach_email_otps\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// TOTP (Two-Factor Authentication)\n// ============================================================\nexport const totpRecords = sqliteTable(\"kavach_totp\", {\n\tuserId: text(\"user_id\")\n\t\t.primaryKey()\n\t\t.references(() => users.id),\n\tsecret: text(\"secret\").notNull(), // base32-encoded TOTP secret\n\tenabled: integer(\"enabled\", { mode: \"boolean\" }).notNull().default(false),\n\tbackupCodes: text(\"backup_codes\", { mode: \"json\" }).notNull().$type<TotpBackupCode[]>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TotpBackupCode {\n\thash: string;\n\tused: boolean;\n}\n\n// ============================================================\n// Organizations (multi-member org with RBAC)\n// ============================================================\nexport const organizations = sqliteTable(\"kavach_organizations\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgMembers = sqliteTable(\"kavach_org_members\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tjoinedAt: integer(\"joined_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgInvitations = sqliteTable(\"kavach_org_invitations\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\temail: text(\"email\").notNull(),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tinvitedBy: text(\"invited_by\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tstatus: text(\"status\", { enum: [\"pending\", \"accepted\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgRoles = sqliteTable(\"kavach_org_roles\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n});\n\n// ============================================================\n// Passkey Credentials (WebAuthn / FIDO2)\n// ============================================================\nexport const passkeyCredentials = sqliteTable(\"kavach_passkey_credentials\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tcredentialId: text(\"credential_id\").notNull().unique(),\n\tpublicKey: text(\"public_key\").notNull(), // base64url-encoded COSE key\n\tcounter: integer(\"counter\").notNull().default(0),\n\tdeviceName: text(\"device_name\"),\n\ttransports: text(\"transports\"), // JSON array, e.g. '[\"internal\",\"usb\"]'\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// SSO Connections (SAML / OIDC enterprise SSO)\n// ============================================================\nexport const ssoConnections = sqliteTable(\"kavach_sso_connections\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\").notNull(),\n\tproviderId: text(\"provider_id\").notNull(),\n\ttype: text(\"type\", { enum: [\"saml\", \"oidc\"] }).notNull(),\n\tdomain: text(\"domain\").notNull().unique(),\n\tenabled: integer(\"enabled\").notNull().default(1),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// API Keys (static bearer tokens with permission scopes)\n// ============================================================\nexport const apiKeys = sqliteTable(\"kavach_api_keys\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\tkeyHash: text(\"key_hash\").notNull(),\n\tkeyPrefix: text(\"key_prefix\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Passkey Challenges (WebAuthn challenge state — short-lived)\n// ============================================================\nexport const passkeyChallenges = sqliteTable(\"kavach_passkey_challenges\", {\n\tid: text(\"id\").primaryKey(),\n\tchallenge: text(\"challenge\").notNull().unique(),\n\tuserId: text(\"user_id\"), // null for discoverable credential flows\n\ttype: text(\"type\", { enum: [\"registration\", \"authentication\"] }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Username Accounts (username + password auth)\n// ============================================================\nexport const usernameAccounts = sqliteTable(\"kavach_username_accounts\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tusername: text(\"username\").notNull().unique(),\n\tpasswordHash: text(\"password_hash\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Phone Verifications (SMS OTP)\n// ============================================================\nexport const phoneVerifications = sqliteTable(\"kavach_phone_verifications\", {\n\tid: text(\"id\").primaryKey(),\n\tphoneNumber: text(\"phone_number\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trusted Devices (skip 2FA on known devices for a time window)\n// ============================================================\nexport const trustedDevices = sqliteTable(\"kavach_trusted_devices\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tfingerprint: text(\"fingerprint\").notNull(), // HMAC-SHA256 of stable request headers\n\tlabel: text(\"label\").notNull(), // human-readable, e.g. \"Mac\", \"iPhone\"\n\ttrustedAt: integer(\"trusted_at\", { mode: \"timestamp\" }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// One-Time Tokens (email verify, password reset, invitation, custom)\n// ============================================================\nexport const oneTimeTokens = sqliteTable(\"kavach_one_time_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tpurpose: text(\"purpose\", {\n\t\tenum: [\"email-verify\", \"password-reset\", \"invitation\", \"custom\"],\n\t}).notNull(),\n\tidentifier: text(\"identifier\").notNull(), // email, userId, or any caller-supplied key\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Login History (last login method tracking per user)\n// ============================================================\nexport const loginHistory = sqliteTable(\"kavach_login_history\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tmethod: text(\"method\").notNull(), // LoginMethod — kept as text to support oauth:{provider} variants\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp_ms\" }).notNull(),\n});\n\n// ============================================================\n// Agent DIDs (W3C Decentralized Identifiers per agent)\n// ============================================================\nexport const agentDids = sqliteTable(\"kavach_agent_dids\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tdid: text(\"did\").notNull().unique(),\n\tmethod: text(\"method\", { enum: [\"key\", \"web\"] }).notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\").notNull(), // JSON-serialised JWK (public key only)\n\tdidDocument: text(\"did_document\").notNull(), // JSON-serialised DID Document\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Clients (apps authenticating against KavachOS IdP)\n// ============================================================\nexport const oidcClients = sqliteTable(\"kavach_oidc_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecretHash: text(\"client_secret_hash\").notNull(), // SHA-256 hex of the raw secret\n\tclientName: text(\"client_name\").notNull(),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tscopes: text(\"scopes\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_post\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Authorization Codes\n// ============================================================\nexport const oidcAuthCodes = sqliteTable(\"kavach_oidc_auth_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcodeHash: text(\"code_hash\").notNull().unique(), // SHA-256 hex of the raw code\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tnonce: text(\"nonce\"),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE S256\n\tcodeChallengeMethod: text(\"code_challenge_method\"),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Refresh Tokens\n// ============================================================\nexport const oidcRefreshTokens = sqliteTable(\"kavach_oidc_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\trevoked: integer(\"revoked\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Cost Events (per-agent cost attribution and observability)\n// ============================================================\nexport const costEvents = sqliteTable(\"kavach_cost_events\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\ttool: text(\"tool\").notNull(), // e.g. 'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github'\n\tinputTokens: integer(\"input_tokens\"),\n\toutputTokens: integer(\"output_tokens\"),\n\t/** Cost stored as integer microdollars (costUsd × 1_000_000) to avoid float drift */\n\tcostMicros: integer(\"cost_micros\").notNull(),\n\tcurrency: text(\"currency\").notNull().default(\"USD\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tdelegationChainId: text(\"delegation_chain_id\"), // null when not part of a chain\n\trecordedAt: integer(\"recorded_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Ephemeral Sessions (short-lived agent credentials for single-task use)\n// ============================================================\nexport const ephemeralSessions = sqliteTable(\"kavach_ephemeral_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmaxActions: integer(\"max_actions\"), // null = unlimited\n\tactionsUsed: integer(\"actions_used\").notNull().default(0),\n\tstatus: text(\"status\", { enum: [\"active\", \"expired\", \"exhausted\", \"revoked\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tauditGroupId: text(\"audit_group_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Stream Events (persisted SSE events for replay)\n// ============================================================\nexport const streamEvents = sqliteTable(\"kavach_stream_events\", {\n\tid: text(\"id\").primaryKey(),\n\ttype: text(\"type\").notNull(),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n\tdata: text(\"data\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tagentId: text(\"agent_id\"),\n\tuserId: text(\"user_id\"),\n});\n\n// ============================================================\n// JWT Session Refresh Tokens (general-purpose session plugin)\n// ============================================================\nexport const jwtRefreshTokens = sqliteTable(\"kavach_jwt_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\t/** SHA-256 hex of the raw refresh token. The raw token is never stored. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** The user who owns this session. */\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** True once the token has been used in a refresh or explicit revocation. */\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Resources (relationship-based access control — resource hierarchy)\n// ============================================================\nexport const rebacResources = sqliteTable(\"kavach_rebac_resources\", {\n\tid: text(\"id\").notNull().primaryKey(),\n\ttype: text(\"type\").notNull(), // 'org', 'workspace', 'project', 'document', etc.\n\tparentId: text(\"parent_id\"),\n\tparentType: text(\"parent_type\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Relationships (subject-relation-object tuples, Zanzibar style)\n// ============================================================\nexport const rebacRelationships = sqliteTable(\"kavach_rebac_relationships\", {\n\tid: text(\"id\").primaryKey(),\n\tsubjectType: text(\"subject_type\").notNull(), // 'user', 'agent', 'team', 'role'\n\tsubjectId: text(\"subject_id\").notNull(),\n\trelation: text(\"relation\").notNull(), // 'owner', 'editor', 'viewer', 'member', 'parent'\n\tobjectType: text(\"object_type\").notNull(),\n\tobjectId: text(\"object_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Instances (trusted remote KavachOS instances)\n// ============================================================\nexport const federationInstances = sqliteTable(\"kavach_federation_instances\", {\n\tid: text(\"id\").primaryKey(),\n\tinstanceId: text(\"instance_id\").notNull().unique(),\n\tinstanceUrl: text(\"instance_url\").notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\"), // JSON-serialised JWK (public key only)\n\ttrustLevel: text(\"trust_level\", { enum: [\"full\", \"limited\", \"verify-only\"] })\n\t\t.notNull()\n\t\t.default(\"verify-only\"),\n\tdiscoveredAt: integer(\"discovered_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Tokens (issued/received federation tokens for audit)\n// ============================================================\nexport const federationTokens = sqliteTable(\"kavach_federation_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenJti: text(\"token_jti\").notNull().unique(), // JWT ID for dedup\n\tagentId: text(\"agent_id\").notNull(),\n\tsourceInstanceId: text(\"source_instance_id\").notNull(),\n\ttargetInstanceId: text(\"target_instance_id\"),\n\tdirection: text(\"direction\", { enum: [\"issued\", \"received\"] }).notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttrustScore: integer(\"trust_score\"), // stored as integer 0-100\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Token Families (token rotation / reuse detection)\n// ============================================================\nexport const refreshTokenFamilies = sqliteTable(\"kavach_refresh_token_families\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** Absolute session expiry — no rotation can extend beyond this date. */\n\tabsoluteExpiresAt: integer(\"absolute_expires_at\", { mode: \"timestamp\" }).notNull(),\n\t/** 0 = active, 1 = revoked (reuse detection or explicit logout). */\n\trevoked: integer(\"revoked\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Tokens (individual one-time-use tokens per family)\n// ============================================================\nexport const refreshTokens = sqliteTable(\"kavach_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\tfamilyId: text(\"family_id\")\n\t\t.notNull()\n\t\t.references(() => refreshTokenFamilies.id, { onDelete: \"cascade\" }),\n\t/** SHA-256 hash of the opaque token — never store the raw token. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** 0 = unused, 1 = already consumed (one-time use). */\n\tused: integer(\"used\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n","import { and, eq } from \"drizzle-orm\";\nimport { generateId, randomBytes, sha256, toBase64Url } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { agents, permissions } from \"../db/schema.js\";\nimport type {\n\tAgentFilter,\n\tAgentIdentity,\n\tCreateAgentInput,\n\tPermission,\n\tUpdateAgentInput,\n} from \"../types.js\";\n\ninterface AgentModuleConfig {\n\tdb: Database;\n\tmaxPerUser: number;\n\tdefaultPermissions: string[];\n\ttokenExpiry: string;\n}\n\n/**\n * Generate a secure agent token.\n * Returns { token, hash, prefix } where:\n * - token: the full token (given to the agent, never stored)\n * - hash: SHA-256 hash (stored in DB)\n * - prefix: first 8 chars (for identification in logs/UI)\n */\nasync function generateAgentToken(): Promise<{ token: string; hash: string; prefix: string }> {\n\tconst tokenBytes = randomBytes(32);\n\tconst token = `kv_${toBase64Url(tokenBytes)}`;\n\tconst hash = await sha256(token);\n\tconst prefix = token.slice(0, 11); // \"kv_\" + 8 chars\n\treturn { token, hash, prefix };\n}\n\nfunction parseTokenExpiry(expiry: string): Date {\n\tconst now = Date.now();\n\tconst match = expiry.match(/^(\\d+)([smhd])$/);\n\tif (!match) {\n\t\tthrow new Error(`Invalid token expiry format: ${expiry}. Use format like \"24h\", \"7d\", \"30m\".`);\n\t}\n\tconst value = Number.parseInt(match[1] as string, 10);\n\tconst unit = match[2];\n\tconst multipliers: Record<string, number> = {\n\t\ts: 1000,\n\t\tm: 60 * 1000,\n\t\th: 60 * 60 * 1000,\n\t\td: 24 * 60 * 60 * 1000,\n\t};\n\treturn new Date(now + value * (multipliers[unit as string] ?? 0));\n}\n\n/**\n * Create the agent identity module.\n * Handles CRUD operations for AI agent identities.\n */\nexport function createAgentModule(config: AgentModuleConfig) {\n\tconst { db, maxPerUser, tokenExpiry } = config;\n\n\tasync function create(input: CreateAgentInput): Promise<AgentIdentity & { token: string }> {\n\t\t// Check max agents per user\n\t\tconst existing = await db\n\t\t\t.select()\n\t\t\t.from(agents)\n\t\t\t.where(and(eq(agents.ownerId, input.ownerId), eq(agents.status, \"active\")));\n\n\t\tif (existing.length >= maxPerUser) {\n\t\t\tthrow new Error(\n\t\t\t\t`User ${input.ownerId} has reached the maximum of ${maxPerUser} active agents.`,\n\t\t\t);\n\t\t}\n\n\t\tconst id = generateId();\n\t\tconst { token, hash, prefix } = await generateAgentToken();\n\t\tconst now = new Date();\n\t\tconst expires = input.expiresAt ?? parseTokenExpiry(tokenExpiry);\n\n\t\t// Insert agent\n\t\tawait db.insert(agents).values({\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\ttenantId: input.tenantId ?? null,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\tstatus: \"active\",\n\t\t\ttokenHash: hash,\n\t\t\ttokenPrefix: prefix,\n\t\t\texpiresAt: expires,\n\t\t\tmetadata: input.metadata ?? {},\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t});\n\n\t\t// Insert permissions\n\t\tif (input.permissions.length > 0) {\n\t\t\tawait db.insert(permissions).values(\n\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\tid: generateId(),\n\t\t\t\t\tagentId: id,\n\t\t\t\t\tresource: p.resource,\n\t\t\t\t\tactions: p.actions,\n\t\t\t\t\tconstraints: p.constraints ?? null,\n\t\t\t\t\tcreatedAt: now,\n\t\t\t\t})),\n\t\t\t);\n\t\t}\n\n\t\treturn {\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\ttenantId: input.tenantId,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\ttoken,\n\t\t\tpermissions: input.permissions,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: expires,\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t};\n\t}\n\n\tasync function get(agentId: string): Promise<AgentIdentity | null> {\n\t\tconst rows = await db.select().from(agents).where(eq(agents.id, agentId)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agentId));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\", // never return token after creation\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\tasync function list(filter?: AgentFilter): Promise<AgentIdentity[]> {\n\t\tlet query = db.select().from(agents).$dynamic();\n\n\t\tconst conditions = [];\n\t\tif (filter?.userId) conditions.push(eq(agents.ownerId, filter.userId));\n\t\tif (filter?.tenantId) conditions.push(eq(agents.tenantId, filter.tenantId));\n\t\tif (filter?.status) conditions.push(eq(agents.status, filter.status));\n\t\tif (filter?.type) conditions.push(eq(agents.type, filter.type));\n\n\t\tif (conditions.length > 0) {\n\t\t\tquery = query.where(and(...conditions));\n\t\t}\n\n\t\tconst rows = await query;\n\n\t\t// Load permissions for all agents\n\t\tconst agentIds = rows.map((r) => r.id);\n\t\tconst permsByAgent = new Map<string, Permission[]>();\n\t\tfor (const id of agentIds) {\n\t\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, id));\n\t\t\tpermsByAgent.set(id, perms.map(toPermission));\n\t\t}\n\n\t\treturn rows.map((agent) => ({\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: permsByAgent.get(agent.id) ?? [],\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t}));\n\t}\n\n\tasync function update(agentId: string, input: UpdateAgentInput): Promise<AgentIdentity> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({\n\t\t\t\tname: input.name ?? existing.name,\n\t\t\t\texpiresAt: input.expiresAt ?? existing.expiresAt,\n\t\t\t\tmetadata: input.metadata,\n\t\t\t\tupdatedAt: now,\n\t\t\t})\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\t// Replace permissions if provided\n\t\tif (input.permissions) {\n\t\t\tawait db.delete(permissions).where(eq(permissions.agentId, agentId));\n\t\t\tif (input.permissions.length > 0) {\n\t\t\t\tawait db.insert(permissions).values(\n\t\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\t\tid: generateId(),\n\t\t\t\t\t\tagentId,\n\t\t\t\t\t\tresource: p.resource,\n\t\t\t\t\t\tactions: p.actions,\n\t\t\t\t\t\tconstraints: p.constraints ?? null,\n\t\t\t\t\t\tcreatedAt: now,\n\t\t\t\t\t})),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tconst updated = await get(agentId);\n\t\tif (!updated) throw new Error(`Agent ${agentId} disappeared after update.`);\n\t\treturn updated;\n\t}\n\n\tasync function revoke(agentId: string): Promise<void> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ status: \"revoked\", updatedAt: new Date() })\n\t\t\t.where(eq(agents.id, agentId));\n\t}\n\n\tasync function rotate(agentId: string): Promise<AgentIdentity & { token: string }> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\t\tif (existing.status !== \"active\")\n\t\t\tthrow new Error(`Cannot rotate token for ${existing.status} agent.`);\n\n\t\tconst { token, hash, prefix } = await generateAgentToken();\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ tokenHash: hash, tokenPrefix: prefix, updatedAt: now })\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\treturn { ...existing, token, updatedAt: now };\n\t}\n\n\t/**\n\t * Validate an agent token and return the agent identity.\n\t * Used internally by the authorization engine.\n\t */\n\tasync function validateToken(token: string): Promise<AgentIdentity | null> {\n\t\tconst hash = await sha256(token);\n\t\tconst rows = await db.select().from(agents).where(eq(agents.tokenHash, hash)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\t// Check status\n\t\tif (agent.status !== \"active\") return null;\n\n\t\t// Check expiry\n\t\tif (agent.expiresAt && agent.expiresAt < new Date()) {\n\t\t\tawait db\n\t\t\t\t.update(agents)\n\t\t\t\t.set({ status: \"expired\", updatedAt: new Date() })\n\t\t\t\t.where(eq(agents.id, agent.id));\n\t\t\treturn null;\n\t\t}\n\n\t\t// Update last active\n\t\tawait db.update(agents).set({ lastActiveAt: new Date() }).where(eq(agents.id, agent.id));\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agent.id));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\treturn { create, get, list, update, revoke, rotate, validateToken };\n}\n\nfunction toPermission(row: {\n\tresource: string;\n\tactions: string[];\n\tconstraints: unknown;\n}): Permission {\n\treturn {\n\t\tresource: row.resource,\n\t\tactions: row.actions,\n\t\tconstraints: (row.constraints as Permission[\"constraints\"]) ?? undefined,\n\t};\n}\n"]}
1
+ {"version":3,"sources":["../../src/crypto/web-crypto.ts","../../src/db/schema.ts","../../src/agent/agent.ts"],"names":[],"mappings":";;;;;;AAYA,IAAM,SAAA,GAAY,kBAAA;AAGX,SAAS,MAAM,KAAA,EAA2B;AAChD,EAAA,IAAI,GAAA,GAAM,EAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAM,CAAA,GAAI,MAAM,CAAC,CAAA;AACjB,IAAA,GAAA,IAAO,SAAA,CAAU,KAAK,CAAC,CAAA;AACvB,IAAA,GAAA,IAAO,SAAA,CAAU,IAAI,EAAI,CAAA;AAAA,EAC1B;AACA,EAAA,OAAO,GAAA;AACR;AAoBO,SAAS,YAAY,KAAA,EAA2B;AACtD,EAAA,IAAI,MAAA,GAAS,EAAA;AACb,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,KAAA,CAAM,QAAQ,CAAA,EAAA,EAAK;AACtC,IAAA,MAAA,IAAU,MAAA,CAAO,YAAA,CAAa,KAAA,CAAM,CAAC,CAAW,CAAA;AAAA,EACjD;AACA,EAAA,OAAO,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAAE,OAAA,CAAQ,OAAO,EAAE,CAAA;AAC9E;AAuBO,SAAS,UAAA,GAAqB;AACpC,EAAA,OAAO,UAAA,CAAW,OAAO,UAAA,EAAW;AACrC;AAGO,SAAS,YAAY,MAAA,EAA4B;AACvD,EAAA,MAAM,KAAA,GAAQ,IAAI,UAAA,CAAW,MAAM,CAAA;AACnC,EAAA,UAAA,CAAW,MAAA,CAAO,gBAAgB,KAAK,CAAA;AACvC,EAAA,OAAO,KAAA;AACR;AAWA,IAAM,YAAA,GAAe,IAAI,WAAA,EAAY;AAErC,SAAS,QAAQ,IAAA,EAAwC;AACxD,EAAA,IAAI,OAAO,SAAS,QAAA,EAAU;AAC7B,IAAA,MAAM,OAAA,GAAU,YAAA,CAAa,MAAA,CAAO,IAAI,CAAA;AACxC,IAAA,OAAQ,QAAQ,MAAA,CAAuB,KAAA;AAAA,MACtC,OAAA,CAAQ,UAAA;AAAA,MACR,OAAA,CAAQ,aAAa,OAAA,CAAQ;AAAA,KAC9B;AAAA,EACD;AACA,EAAA,OAAQ,IAAA,CAAK,OAAuB,KAAA,CAAM,IAAA,CAAK,YAAY,IAAA,CAAK,UAAA,GAAa,KAAK,UAAU,CAAA;AAC7F;AAOA,eAAsB,OAAO,IAAA,EAA4C;AACxE,EAAA,MAAM,MAAA,GAAS,MAAM,UAAA,CAAW,MAAA,CAAO,OAAO,MAAA,CAAO,SAAA,EAAW,OAAA,CAAQ,IAAI,CAAC,CAAA;AAC7E,EAAA,OAAO,KAAA,CAAM,IAAI,UAAA,CAAW,MAAM,CAAC,CAAA;AACpC;AC5GO,IAAM,KAAA,GAAQ,YAAY,cAAA,EAAgB;AAAA,EAChD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,IAAA,EAAM,KAAK,MAAM,CAAA;AAAA,EACjB,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,MAAA,EAAO;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA;AAAA,EAC9B,gBAAA,EAAkB,KAAK,mBAAmB,CAAA;AAAA;AAAA,EAC1C,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA;AAAA,EAE5E,QAAQ,OAAA,CAAQ,QAAQ,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,oBAAoB,OAAA,CAAQ,sBAAsB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACvE,eAAe,OAAA,CAAQ,gBAAgB,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA;AAAA,EAE5D,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,MAAA,EAAO;AAAA,EACpD,oBAAA,EAAsB,KAAK,wBAAwB,CAAA;AAAA,EACnD,wBAAA,EAA0B,KAAK,4BAA4B,CAAA;AAAA,EAC3D,aAAA,EAAe,KAAK,iBAAiB,CAAA;AAAA,EACrC,wBAAwB,OAAA,CAAQ,2BAAA,EAA6B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAClF,uBAAA,EAAyB,OAAA,CAAQ,6BAAA,EAA+B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CACjF,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA;AAAA,EAEf,eAAA,EAAiB,IAAA,CAAK,mBAAmB,CAAA,CAAE,MAAA,EAAO;AAAA,EAClD,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,uBAAA,EAAyB,KAAK,2BAA2B,CAAA;AAAA,EACzD,cAAA,EAAgB,KAAK,kBAAkB,CAAA;AAAA,EACvC,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,sBAAA,EAAwB,OAAA,CAAQ,4BAAA,EAA8B,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAC/E,OAAA,EAAQ,CACR,OAAA,CAAQ,KAAK,CAAA;AAAA,EACf,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,OAAA,GAAU,YAAY,gBAAA,EAAkB;AAAA,EACpD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAyB;AAAA,EACtE,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAW,CAAA,EAAG,CAAA,CACtD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAYM,IAAM,MAAA,GAAS,YAAY,eAAA,EAAiB;AAAA,EAClD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,YAAA,EAAc,WAAA,EAAa,SAAS,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7E,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,cAAc,OAAA,CAAQ,gBAAA,EAAkB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC7D,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKM,IAAM,WAAA,GAAc,YAAY,oBAAA,EAAsB;AAAA,EAC5D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA;AAAA,EACrE,WAAA,EAAa,KAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAAgC;AAAA;AAAA,EAEnF,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAa+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,KAAK,eAAe,CAAA,CAC/B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,SAAA,EAAW,KAAK,aAAa,CAAA,CAC3B,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiC;AAAA,EAC9F,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC3C,UAAU,OAAA,CAAQ,WAAW,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAClD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,SAAA,EAAW,SAAS,GAAG,CAAA,CAC/D,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAE,CAAA;AAAA,EAC5B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,KAAK,YAAA,EAAc,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAChF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChF,MAAA,EAAQ,KAAK,QAAQ,CAAA;AAAA;AAAA,EACrB,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA,EACjC,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,OAAA,CAAQ,WAAA,EAAa,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC3E,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACxD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,WAAA,EAAa,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACpE,OAAO,OAAA,CAAQ,OAAO,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC;AAC5C,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,KAAA,EAAO,IAAA,CAAK,OAAA,EAAS,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACjE,YAAA,EAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,IAAI,CAAA;AAAA,EAClF,YAAA,EAAc,QAAQ,gBAAgB,CAAA;AAAA,EACtC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKuB,YAAY,iBAAA,EAAmB;AAAA,EACtD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,YAAA,GAAe,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,YAAA,EAAc,KAAK,eAAe,CAAA;AAAA;AAAA,EAClC,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,MAAA,EAAQ,CAAA,CAC9C,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,oBAAoB,CAAC,CAAA;AAAA,EAChC,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,MAAM,MAAA,EAAQ,CAAA,CACpD,OAAA,GACA,KAAA,EAAgB,CAChB,OAAA,CAAQ,CAAC,MAAM,CAAC,CAAA;AAAA,EAClB,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,qBAAqB,CAAA;AAAA,EAC/B,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,MAAM,CAAC,QAAA,EAAU,cAAc,CAAA,EAAG,CAAA,CACrD,OAAA,EAAQ,CACR,QAAQ,cAAc,CAAA;AAAA,EACxB,QAAA,EAAU,OAAA,CAAQ,UAAA,EAAY,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAC1E,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,aAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACnD,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,MAAA,EAAO;AAAA,EAC3C,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,oBAAA,EAAsB,QAAQ,yBAAA,EAA2B,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EACxF,uBAAuB,OAAA,CAAQ,0BAAA,EAA4B,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAChF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsC,YAAY,kCAAA,EAAoC;AAAA,EACtF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,QAAA,EAAU,KAAK,WAAW,CAAA,CACxB,SAAQ,CACR,UAAA,CAAW,MAAM,YAAA,CAAa,QAAQ,CAAA;AAAA,EACxC,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA;AAAA,EACjD,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA;AAAA,EACzB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,SAAA,EAAW,CAAA;AAAA;AAAA,EAC7E,QAAQ,IAAA,CAAK,SAAS,EAAE,UAAA,CAAW,MAAM,MAAM,EAAE,CAAA;AAAA;AAAA,EACjD,UAAU,IAAA,CAAK,WAAW,EAAE,UAAA,CAAW,MAAM,QAAQ,EAAE,CAAA;AAAA;AAAA,EACvD,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAuB;AAAA,EAC1E,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAsB;AAAA,EACtF,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,UAAA,EAAY,OAAA,EAAS,QAAQ,GAAG,CAAA,CACtE,OAAA,EAAQ,CACR,QAAQ,MAAM,CAAA;AAAA,EAChB,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,QAAA,EAAU,WAAA,EAAa,UAAU,GAAG,CAAA,CAClE,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAoByB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,KAAK,aAAa,CAAA;AAAA,EAC/B,OAAA,EAAS,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EACjC,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACzE,YAAA,EAAc,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAiB;AAAA,EAChF,gBAAA,EAAkB,IAAA,CAAK,mBAAA,EAAqB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAC1D,OAAA,EAAQ,CACR,KAAA,EAA+B;AAAA,EACjC,QAAA,EAAU,KAAK,UAAU,CAAA;AAAA,EACzB,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC/B,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EACnC,SAAA,EAAW,KAAK,WAAA,EAAa,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC9E,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,SAAA,EAAW,UAAA,EAAY,QAAA,EAAU,SAAS,GAAG,CAAA,CAC3E,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,aAAa,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC1D,WAAA,EAAa,KAAK,cAAc,CAAA;AAAA,EAChC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAA,EAAO,OAAA,CAAQ,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,KAAA,EAAO,KAAK,OAAA,EAAS;AAAA,IACpB,MAAM,CAAC,WAAA,EAAa,SAAA,EAAW,UAAA,EAAY,WAAW,UAAU;AAAA,GAChE,EAAE,OAAA,EAAQ;AAAA,EACX,OAAA,EAAS,IAAA,CAAK,SAAA,EAAW,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EACpF,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,OAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACtC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,aAAA,EAAe;AAAA,EACrD,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,YAAW,CACX,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,WAAA,EAAa,IAAA,CAAK,cAAA,EAAgB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAwB;AAAA,EACtF,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAUM,IAAM,aAAA,GAAgB,YAAY,sBAAA,EAAwB;AAAA,EAChE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACpC,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAEyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,QAAA,EAAU,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACvD,CAAC;AAE6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7B,MAAM,IAAA,CAAK,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,QAAQ,CAAA;AAAA,EAC7C,SAAA,EAAW,KAAK,YAAY,CAAA,CAC1B,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,MAAM,CAAC,SAAA,EAAW,UAAA,EAAY,SAAS,GAAG,CAAA,CACjE,OAAA,EAAQ,CACR,QAAQ,SAAS,CAAA;AAAA,EACnB,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAEuB,YAAY,kBAAA,EAAoB;AAAA,EACvD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAClB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,aAAA,CAAc,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EAC5D,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA;AAC9D,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,cAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACrD,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACtC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,UAAA,EAAY,KAAK,YAAY,CAAA;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,cAAA,EAAgB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC5D,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC9B,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,MAAA,EAAQ,MAAM,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvD,QAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACxC,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKsB,YAAY,iBAAA,EAAmB;AAAA,EACrD,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,KAAK,SAAS,CAAA,CACpB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,WAAW,OAAA,CAAQ,YAAA,EAAc,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACtD,YAAY,OAAA,CAAQ,cAAA,EAAgB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EACzD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC9C,MAAA,EAAQ,KAAK,SAAS,CAAA;AAAA;AAAA,EACtB,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAgB,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,UAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC5C,YAAA,EAAc,IAAA,CAAK,eAAe,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC5C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,UAAU,OAAA,CAAQ,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACjD,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,WAAA,EAAa,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACzC,KAAA,EAAO,IAAA,CAAK,OAAO,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,OAAA,EAAS,KAAK,SAAA,EAAW;AAAA,IACxB,IAAA,EAAM,CAAC,cAAA,EAAgB,gBAAA,EAAkB,cAAc,QAAQ;AAAA,GAC/D,EAAE,OAAA,EAAQ;AAAA,EACX,UAAA,EAAY,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACvC,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACpD,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,EAAA,EAAI,KAAK,IAAI,CAAA;AAAA,EACb,SAAA,EAAW,KAAK,YAAY,CAAA;AAAA,EAC5B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,cAAA,EAAgB,EAAE,OAAA;AAC3D,CAAC;AAKwB,YAAY,mBAAA,EAAqB;AAAA,EACzD,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,UAAA,EAAW,CACX,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,KAAK,IAAA,CAAK,KAAK,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAClC,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,KAAA,EAAO,KAAK,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACzD,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC7C,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK0B,YAAY,qBAAA,EAAuB;AAAA,EAC7D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC7C,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACrD,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,YAAA,EAAc,IAAA,CAAK,eAAA,EAAiB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAChF,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC5E,aAAA,EAAe,IAAA,CAAK,gBAAA,EAAkB,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAClF,MAAA,EAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EACnE,yBAAyB,IAAA,CAAK,4BAA4B,EACxD,OAAA,EAAQ,CACR,QAAQ,oBAAoB,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK4B,YAAY,wBAAA,EAA0B;AAAA,EAClE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,KAAA,EAAO,KAAK,OAAO,CAAA;AAAA,EACnB,aAAA,EAAe,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACpC,mBAAA,EAAqB,KAAK,uBAAuB,CAAA;AAAA,EACjD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKgC,YAAY,4BAAA,EAA8B;AAAA,EAC1E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC/C,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CAAE,OAAA,EAAQ;AAAA,EAChC,MAAA,EAAQ,IAAA,CAAK,QAAQ,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC/B,OAAA,EAAS,OAAA,CAAQ,SAAA,EAAW,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EACxE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKyB,YAAY,oBAAA,EAAsB;AAAA,EAC3D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,WAAA,EAAa,QAAQ,cAAc,CAAA;AAAA,EACnC,YAAA,EAAc,QAAQ,eAAe,CAAA;AAAA;AAAA,EAErC,UAAA,EAAY,OAAA,CAAQ,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3C,UAAU,IAAA,CAAK,UAAU,EAAE,OAAA,EAAQ,CAAE,QAAQ,KAAK,CAAA;AAAA,EAClD,QAAA,EAAU,KAAK,UAAA,EAAY,EAAE,MAAM,MAAA,EAAQ,EAAE,KAAA,EAA+B;AAAA,EAC5E,iBAAA,EAAmB,KAAK,qBAAqB,CAAA;AAAA;AAAA,EAC7C,UAAA,EAAY,QAAQ,aAAA,EAAe,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AAC3D,CAAC;AAKgC,YAAY,2BAAA,EAA6B;AAAA,EACzE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CACtB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,MAAA,CAAO,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA,EACrD,OAAA,EAAS,KAAK,UAAU,CAAA,CACtB,SAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAE,CAAA;AAAA,EAC3B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,aAAa,OAAA,CAAQ,cAAc,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACxD,QAAQ,IAAA,CAAK,QAAA,EAAU,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,SAAA,EAAW,WAAA,EAAa,SAAS,GAAG,CAAA,CAC5E,OAAA,EAAQ,CACR,QAAQ,QAAQ,CAAA;AAAA,EAClB,YAAA,EAAc,IAAA,CAAK,gBAAgB,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC7C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK2B,YAAY,sBAAA,EAAwB;AAAA,EAC/D,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC3B,SAAA,EAAW,QAAQ,WAAA,EAAa,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAC/D,IAAA,EAAM,IAAA,CAAK,MAAA,EAAQ,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAA+B;AAAA,EAC9E,OAAA,EAAS,KAAK,UAAU,CAAA;AAAA,EACxB,MAAA,EAAQ,KAAK,SAAS;AACvB,CAAC;AAK+B,YAAY,2BAAA,EAA6B;AAAA,EACxE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA;AAAA,EAE1B,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,IAAA,EAAM,OAAA,CAAQ,MAAA,EAAQ,EAAE,IAAA,EAAM,SAAA,EAAW,CAAA,CAAE,OAAA,EAAQ,CAAE,OAAA,CAAQ,KAAK,CAAA;AAAA,EAClE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK6B,YAAY,wBAAA,EAA0B;AAAA,EACnE,IAAI,IAAA,CAAK,IAAI,CAAA,CAAE,OAAA,GAAU,UAAA,EAAW;AAAA,EACpC,IAAA,EAAM,IAAA,CAAK,MAAM,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC3B,QAAA,EAAU,KAAK,WAAW,CAAA;AAAA,EAC1B,UAAA,EAAY,KAAK,aAAa,CAAA;AAAA,EAC9B,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKiC,YAAY,4BAAA,EAA8B;AAAA,EAC3E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EAC1C,SAAA,EAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,EAAQ;AAAA,EACtC,QAAA,EAAU,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,EAAQ;AAAA,EACxC,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,EAAQ;AAAA,EACpC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKkC,YAAY,6BAAA,EAA+B;AAAA,EAC7E,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,YAAY,IAAA,CAAK,aAAa,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA,EACjD,WAAA,EAAa,IAAA,CAAK,cAAc,CAAA,CAAE,OAAA,EAAQ;AAAA,EAC1C,YAAA,EAAc,KAAK,gBAAgB,CAAA;AAAA;AAAA,EACnC,UAAA,EAAY,IAAA,CAAK,aAAA,EAAe,EAAE,MAAM,CAAC,MAAA,EAAQ,SAAA,EAAW,aAAa,GAAG,CAAA,CAC1E,OAAA,EAAQ,CACR,QAAQ,aAAa,CAAA;AAAA,EACvB,cAAc,OAAA,CAAQ,eAAA,EAAiB,EAAE,IAAA,EAAM,aAAa,CAAA;AAAA,EAC5D,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAK+B,YAAY,0BAAA,EAA4B;AAAA,EACvE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,UAAU,IAAA,CAAK,WAAW,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAC7C,OAAA,EAAS,IAAA,CAAK,UAAU,CAAA,CAAE,OAAA,EAAQ;AAAA,EAClC,gBAAA,EAAkB,IAAA,CAAK,oBAAoB,CAAA,CAAE,OAAA,EAAQ;AAAA,EACrD,gBAAA,EAAkB,KAAK,oBAAoB,CAAA;AAAA,EAC3C,SAAA,EAAW,IAAA,CAAK,WAAA,EAAa,EAAE,IAAA,EAAM,CAAC,QAAA,EAAU,UAAU,CAAA,EAAG,CAAA,CAAE,OAAA,EAAQ;AAAA,EACvE,WAAA,EAAa,IAAA,CAAK,aAAA,EAAe,EAAE,IAAA,EAAM,QAAQ,CAAA,CAAE,OAAA,EAAQ,CAAE,KAAA,EAAgB;AAAA,EAC7E,UAAA,EAAY,QAAQ,aAAa,CAAA;AAAA;AAAA,EACjC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;AAKM,IAAM,oBAAA,GAAuB,YAAY,+BAAA,EAAiC;AAAA,EAChF,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,MAAA,EAAQ,IAAA,CAAK,SAAS,CAAA,CACpB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,KAAA,CAAM,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEpD,iBAAA,EAAmB,QAAQ,qBAAA,EAAuB,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA;AAAA,EAEjF,SAAS,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EAC/C,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC,CAAA;AAK4B,YAAY,uBAAA,EAAyB;AAAA,EACjE,EAAA,EAAI,IAAA,CAAK,IAAI,CAAA,CAAE,UAAA,EAAW;AAAA,EAC1B,QAAA,EAAU,IAAA,CAAK,WAAW,CAAA,CACxB,OAAA,EAAQ,CACR,UAAA,CAAW,MAAM,oBAAA,CAAqB,EAAA,EAAI,EAAE,QAAA,EAAU,WAAW,CAAA;AAAA;AAAA,EAEnE,WAAW,IAAA,CAAK,YAAY,CAAA,CAAE,OAAA,GAAU,MAAA,EAAO;AAAA;AAAA,EAE/C,MAAM,OAAA,CAAQ,MAAM,EAAE,OAAA,EAAQ,CAAE,QAAQ,CAAC,CAAA;AAAA,EACzC,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA,EAAQ;AAAA,EAChE,SAAA,EAAW,QAAQ,YAAA,EAAc,EAAE,MAAM,WAAA,EAAa,EAAE,OAAA;AACzD,CAAC;;;ACrxBD,eAAe,kBAAA,GAA+E;AAC7F,EAAA,MAAM,UAAA,GAAa,YAAY,EAAE,CAAA;AACjC,EAAA,MAAM,KAAA,GAAQ,CAAA,GAAA,EAAM,WAAA,CAAY,UAAU,CAAC,CAAA,CAAA;AAC3C,EAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,KAAK,CAAA;AAC/B,EAAA,MAAM,MAAA,GAAS,KAAA,CAAM,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAChC,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO;AAC9B;AAEA,SAAS,iBAAiB,MAAA,EAAsB;AAC/C,EAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,EAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,KAAA,CAAM,iBAAiB,CAAA;AAC5C,EAAA,IAAI,CAAC,KAAA,EAAO;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,MAAM,CAAA,qCAAA,CAAuC,CAAA;AAAA,EAC9F;AACA,EAAA,MAAM,QAAQ,MAAA,CAAO,QAAA,CAAS,KAAA,CAAM,CAAC,GAAa,EAAE,CAAA;AACpD,EAAA,MAAM,IAAA,GAAO,MAAM,CAAC,CAAA;AACpB,EAAA,MAAM,WAAA,GAAsC;AAAA,IAC3C,CAAA,EAAG,GAAA;AAAA,IACH,GAAG,EAAA,GAAK,GAAA;AAAA,IACR,CAAA,EAAG,KAAK,EAAA,GAAK,GAAA;AAAA,IACb,CAAA,EAAG,EAAA,GAAK,EAAA,GAAK,EAAA,GAAK;AAAA,GACnB;AACA,EAAA,OAAO,IAAI,IAAA,CAAK,GAAA,GAAM,SAAS,WAAA,CAAY,IAAc,KAAK,CAAA,CAAE,CAAA;AACjE;AAMO,SAAS,kBAAkB,MAAA,EAA2B;AAC5D,EAAA,MAAM,EAAE,EAAA,EAAI,UAAA,EAAY,WAAA,EAAY,GAAI,MAAA;AAExC,EAAA,eAAe,OAAO,KAAA,EAAqE;AAE1F,IAAA,MAAM,QAAA,GAAW,MAAM,EAAA,CACrB,MAAA,GACA,IAAA,CAAK,MAAM,EACX,KAAA,CAAM,GAAA,CAAI,GAAG,MAAA,CAAO,OAAA,EAAS,MAAM,OAAO,CAAA,EAAG,GAAG,MAAA,CAAO,MAAA,EAAQ,QAAQ,CAAC,CAAC,CAAA;AAE3E,IAAA,IAAI,QAAA,CAAS,UAAU,UAAA,EAAY;AAClC,MAAA,MAAM,IAAI,KAAA;AAAA,QACT,CAAA,KAAA,EAAQ,KAAA,CAAM,OAAO,CAAA,4BAAA,EAA+B,UAAU,CAAA,eAAA;AAAA,OAC/D;AAAA,IACD;AAEA,IAAA,MAAM,KAAK,UAAA,EAAW;AACtB,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO,GAAI,MAAM,kBAAA,EAAmB;AACzD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AACrB,IAAA,MAAM,OAAA,GAAU,KAAA,CAAM,SAAA,IAAa,gBAAA,CAAiB,WAAW,CAAA;AAG/D,IAAA,MAAM,EAAA,CAAG,MAAA,CAAO,MAAM,CAAA,CAAE,MAAA,CAAO;AAAA,MAC9B,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,IAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,MAAA;AAAA,MACb,SAAA,EAAW,OAAA;AAAA,MACX,QAAA,EAAU,KAAA,CAAM,QAAA,IAAY,EAAC;AAAA,MAC7B,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACX,CAAA;AAGD,IAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,MAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,QAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,UAC7B,IAAI,UAAA,EAAW;AAAA,UACf,OAAA,EAAS,EAAA;AAAA,UACT,UAAU,CAAA,CAAE,QAAA;AAAA,UACZ,SAAS,CAAA,CAAE,OAAA;AAAA,UACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,UAC9B,SAAA,EAAW;AAAA,SACZ,CAAE;AAAA,OACH;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,EAAA;AAAA,MACA,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA;AAAA,MACA,aAAa,KAAA,CAAM,WAAA;AAAA,MACnB,MAAA,EAAQ,QAAA;AAAA,MACR,SAAA,EAAW,OAAA;AAAA,MACX,SAAA,EAAW,GAAA;AAAA,MACX,SAAA,EAAW;AAAA,KACZ;AAAA,EACD;AAEA,EAAA,eAAe,IAAI,OAAA,EAAgD;AAClE,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,OAAO,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACjF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAEnB,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AAExF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,eAAe,KAAK,MAAA,EAAgD;AACnE,IAAA,IAAI,QAAQ,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,MAAM,EAAE,QAAA,EAAS;AAE9C,IAAA,MAAM,aAAa,EAAC;AACpB,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,OAAA,EAAS,MAAA,CAAO,MAAM,CAAC,CAAA;AACrE,IAAA,IAAI,MAAA,EAAQ,UAAU,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,QAAA,EAAU,MAAA,CAAO,QAAQ,CAAC,CAAA;AAC1E,IAAA,IAAI,MAAA,EAAQ,QAAQ,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,MAAM,CAAC,CAAA;AACpE,IAAA,IAAI,MAAA,EAAQ,MAAM,UAAA,CAAW,IAAA,CAAK,GAAG,MAAA,CAAO,IAAA,EAAM,MAAA,CAAO,IAAI,CAAC,CAAA;AAE9D,IAAA,IAAI,UAAA,CAAW,SAAS,CAAA,EAAG;AAC1B,MAAA,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAA,CAAI,GAAG,UAAU,CAAC,CAAA;AAAA,IACvC;AAEA,IAAA,MAAM,OAAO,MAAM,KAAA;AAGnB,IAAA,MAAM,WAAW,IAAA,CAAK,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;AACrC,IAAA,MAAM,YAAA,uBAAmB,GAAA,EAA0B;AACnD,IAAA,KAAA,MAAW,MAAM,QAAA,EAAU;AAC1B,MAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,EAAE,CAAC,CAAA;AACnF,MAAA,YAAA,CAAa,GAAA,CAAI,EAAA,EAAI,KAAA,CAAM,GAAA,CAAI,YAAY,CAAC,CAAA;AAAA,IAC7C;AAEA,IAAA,OAAO,IAAA,CAAK,GAAA,CAAI,CAAC,KAAA,MAAW;AAAA,MAC3B,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,aAAa,YAAA,CAAa,GAAA,CAAI,KAAA,CAAM,EAAE,KAAK,EAAC;AAAA,MAC5C,QAAQ,KAAA,CAAM,MAAA;AAAA,MACd,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB,CAAE,CAAA;AAAA,EACH;AAEA,EAAA,eAAe,MAAA,CAAO,SAAiB,KAAA,EAAiD;AACvF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,EAAA,CACJ,MAAA,CAAO,MAAM,CAAA,CACb,GAAA,CAAI;AAAA,MACJ,IAAA,EAAM,KAAA,CAAM,IAAA,IAAQ,QAAA,CAAS,IAAA;AAAA,MAC7B,SAAA,EAAW,KAAA,CAAM,SAAA,IAAa,QAAA,CAAS,SAAA;AAAA,MACvC,UAAU,KAAA,CAAM,QAAA;AAAA,MAChB,SAAA,EAAW;AAAA,KACX,CAAA,CACA,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAG9B,IAAA,IAAI,MAAM,WAAA,EAAa;AACtB,MAAA,MAAM,EAAA,CAAG,OAAO,WAAW,CAAA,CAAE,MAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,OAAO,CAAC,CAAA;AACnE,MAAA,IAAI,KAAA,CAAM,WAAA,CAAY,MAAA,GAAS,CAAA,EAAG;AACjC,QAAA,MAAM,EAAA,CAAG,MAAA,CAAO,WAAW,CAAA,CAAE,MAAA;AAAA,UAC5B,KAAA,CAAM,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,MAAO;AAAA,YAC7B,IAAI,UAAA,EAAW;AAAA,YACf,OAAA;AAAA,YACA,UAAU,CAAA,CAAE,QAAA;AAAA,YACZ,SAAS,CAAA,CAAE,OAAA;AAAA,YACX,WAAA,EAAa,EAAE,WAAA,IAAe,IAAA;AAAA,YAC9B,SAAA,EAAW;AAAA,WACZ,CAAE;AAAA,SACH;AAAA,MACD;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAAU,MAAM,GAAA,CAAI,OAAO,CAAA;AACjC,IAAA,IAAI,CAAC,OAAA,EAAS,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,0BAAA,CAA4B,CAAA;AAC1E,IAAA,OAAO,OAAA;AAAA,EACR;AAEA,EAAA,eAAe,OAAO,OAAA,EAAgC;AACrD,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAE5D,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,QAAQ,SAAA,EAAW,SAAA,sBAAe,IAAA,EAAK,EAAG,CAAA,CAChD,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAAA,EAC/B;AAEA,EAAA,eAAe,OAAO,OAAA,EAA6D;AAClF,IAAA,MAAM,QAAA,GAAW,MAAM,GAAA,CAAI,OAAO,CAAA;AAClC,IAAA,IAAI,CAAC,QAAA,EAAU,MAAM,IAAI,KAAA,CAAM,CAAA,MAAA,EAAS,OAAO,CAAA,WAAA,CAAa,CAAA;AAC5D,IAAA,IAAI,SAAS,MAAA,KAAW,QAAA;AACvB,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,QAAA,CAAS,MAAM,CAAA,OAAA,CAAS,CAAA;AAEpE,IAAA,MAAM,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAO,GAAI,MAAM,kBAAA,EAAmB;AACzD,IAAA,MAAM,GAAA,uBAAU,IAAA,EAAK;AAErB,IAAA,MAAM,GACJ,MAAA,CAAO,MAAM,EACb,GAAA,CAAI,EAAE,WAAW,IAAA,EAAM,WAAA,EAAa,QAAQ,SAAA,EAAW,GAAA,EAAK,CAAA,CAC5D,KAAA,CAAM,GAAG,MAAA,CAAO,EAAA,EAAI,OAAO,CAAC,CAAA;AAE9B,IAAA,OAAO,EAAE,GAAG,QAAA,EAAU,KAAA,EAAO,WAAW,GAAA,EAAI;AAAA,EAC7C;AAMA,EAAA,eAAe,cAAc,KAAA,EAA8C;AAC1E,IAAA,MAAM,IAAA,GAAO,MAAM,MAAA,CAAO,KAAK,CAAA;AAC/B,IAAA,MAAM,OAAO,MAAM,EAAA,CAAG,MAAA,EAAO,CAAE,KAAK,MAAM,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,OAAO,SAAA,EAAW,IAAI,CAAC,CAAA,CAAE,MAAM,CAAC,CAAA;AACrF,IAAA,MAAM,KAAA,GAAQ,KAAK,CAAC,CAAA;AACpB,IAAA,IAAI,CAAC,OAAO,OAAO,IAAA;AAGnB,IAAA,IAAI,KAAA,CAAM,MAAA,KAAW,QAAA,EAAU,OAAO,IAAA;AAGtC,IAAA,IAAI,MAAM,SAAA,IAAa,KAAA,CAAM,SAAA,mBAAY,IAAI,MAAK,EAAG;AACpD,MAAA,MAAM,EAAA,CACJ,OAAO,MAAM,CAAA,CACb,IAAI,EAAE,MAAA,EAAQ,WAAW,SAAA,kBAAW,IAAI,MAAK,EAAG,EAChD,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAC/B,MAAA,OAAO,IAAA;AAAA,IACR;AAGA,IAAA,MAAM,GAAG,MAAA,CAAO,MAAM,EAAE,GAAA,CAAI,EAAE,8BAAc,IAAI,IAAA,EAAK,EAAG,EAAE,KAAA,CAAM,EAAA,CAAG,OAAO,EAAA,EAAI,KAAA,CAAM,EAAE,CAAC,CAAA;AAEvF,IAAA,MAAM,KAAA,GAAQ,MAAM,EAAA,CAAG,MAAA,GAAS,IAAA,CAAK,WAAW,CAAA,CAAE,KAAA,CAAM,EAAA,CAAG,WAAA,CAAY,OAAA,EAAS,KAAA,CAAM,EAAE,CAAC,CAAA;AAEzF,IAAA,OAAO;AAAA,MACN,IAAI,KAAA,CAAM,EAAA;AAAA,MACV,SAAS,KAAA,CAAM,OAAA;AAAA,MACf,QAAA,EAAU,MAAM,QAAA,IAAY,MAAA;AAAA,MAC5B,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,MAAM,KAAA,CAAM,IAAA;AAAA,MACZ,KAAA,EAAO,EAAA;AAAA,MACP,WAAA,EAAa,KAAA,CAAM,GAAA,CAAI,YAAY,CAAA;AAAA,MACnC,MAAA,EAAQ,QAAA;AAAA,MACR,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM,SAAA;AAAA,MACjB,WAAW,KAAA,CAAM;AAAA,KAClB;AAAA,EACD;AAEA,EAAA,OAAO,EAAE,MAAA,EAAQ,GAAA,EAAK,MAAM,MAAA,EAAQ,MAAA,EAAQ,QAAQ,aAAA,EAAc;AACnE;AAEA,SAAS,aAAa,GAAA,EAIP;AACd,EAAA,OAAO;AAAA,IACN,UAAU,GAAA,CAAI,QAAA;AAAA,IACd,SAAS,GAAA,CAAI,OAAA;AAAA,IACb,WAAA,EAAc,IAAI,WAAA,IAA6C;AAAA,GAChE;AACD","file":"index.js","sourcesContent":["/**\n * Web Crypto API utilities for KavachOS.\n *\n * This module uses ONLY the Web Crypto API (globalThis.crypto) which is\n * available natively in Cloudflare Workers, Deno, Bun, and Node 20+.\n * No `node:crypto` imports are used, making the core package edge-compatible.\n */\n\n// ---------------------------------------------------------------------------\n// Encoding helpers\n// ---------------------------------------------------------------------------\n\nconst HEX_CHARS = \"0123456789abcdef\";\n\n/** Encode a Uint8Array as a lowercase hex string. */\nexport function toHex(bytes: Uint8Array): string {\n\tlet hex = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst b = bytes[i] as number;\n\t\thex += HEX_CHARS[b >> 4] as string;\n\t\thex += HEX_CHARS[b & 0x0f] as string;\n\t}\n\treturn hex;\n}\n\n/** Decode a hex string into a Uint8Array. */\nexport function fromHex(hex: string): Uint8Array {\n\tif (hex.length % 2 !== 0) {\n\t\tthrow new Error(\"fromHex: hex string must have even length\");\n\t}\n\tconst bytes = new Uint8Array(hex.length / 2);\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tconst hi = parseInt(hex[i * 2] as string, 16);\n\t\tconst lo = parseInt(hex[i * 2 + 1] as string, 16);\n\t\tif (Number.isNaN(hi) || Number.isNaN(lo)) {\n\t\t\tthrow new Error(`fromHex: invalid hex character at position ${i * 2}`);\n\t\t}\n\t\tbytes[i] = (hi << 4) | lo;\n\t}\n\treturn bytes;\n}\n\n/** Encode a Uint8Array as a base64url string (no padding). */\nexport function toBase64Url(bytes: Uint8Array): string {\n\tlet binary = \"\";\n\tfor (let i = 0; i < bytes.length; i++) {\n\t\tbinary += String.fromCharCode(bytes[i] as number);\n\t}\n\treturn btoa(binary).replace(/\\+/g, \"-\").replace(/\\//g, \"_\").replace(/=+$/, \"\");\n}\n\n/** Decode a base64url string into a Uint8Array. */\nexport function fromBase64Url(b64: string): Uint8Array {\n\t// Restore standard base64\n\tlet base64 = b64.replace(/-/g, \"+\").replace(/_/g, \"/\");\n\t// Add padding\n\twhile (base64.length % 4 !== 0) {\n\t\tbase64 += \"=\";\n\t}\n\tconst binary = atob(base64);\n\tconst bytes = new Uint8Array(binary.length);\n\tfor (let i = 0; i < binary.length; i++) {\n\t\tbytes[i] = binary.charCodeAt(i);\n\t}\n\treturn bytes;\n}\n\n// ---------------------------------------------------------------------------\n// Random generation\n// ---------------------------------------------------------------------------\n\n/** Generate a v4 UUID using the globally available crypto.randomUUID(). */\nexport function generateId(): string {\n\treturn globalThis.crypto.randomUUID();\n}\n\n/** Generate cryptographically secure random bytes as a Uint8Array. */\nexport function randomBytes(length: number): Uint8Array {\n\tconst bytes = new Uint8Array(length);\n\tglobalThis.crypto.getRandomValues(bytes);\n\treturn bytes;\n}\n\n/** Generate cryptographically secure random bytes as a hex string. */\nexport function randomBytesHex(length: number): string {\n\treturn toHex(randomBytes(length));\n}\n\n// ---------------------------------------------------------------------------\n// Text encoding helper (internal)\n// ---------------------------------------------------------------------------\n\nconst TEXT_ENCODER = new TextEncoder();\n\nfunction toBytes(data: string | Uint8Array): ArrayBuffer {\n\tif (typeof data === \"string\") {\n\t\tconst encoded = TEXT_ENCODER.encode(data);\n\t\treturn (encoded.buffer as ArrayBuffer).slice(\n\t\t\tencoded.byteOffset,\n\t\t\tencoded.byteOffset + encoded.byteLength,\n\t\t);\n\t}\n\treturn (data.buffer as ArrayBuffer).slice(data.byteOffset, data.byteOffset + data.byteLength);\n}\n\n// ---------------------------------------------------------------------------\n// Hashing\n// ---------------------------------------------------------------------------\n\n/** SHA-256 hash, returns hex string. */\nexport async function sha256(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n/** SHA-256 hash, returns Uint8Array. */\nexport async function sha256Raw(data: string | Uint8Array): Promise<Uint8Array> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-256\", toBytes(data));\n\treturn new Uint8Array(digest);\n}\n\n/** SHA-1 hash, returns hex string. Needed for HIBP k-anonymity. */\nexport async function sha1(data: string | Uint8Array): Promise<string> {\n\tconst digest = await globalThis.crypto.subtle.digest(\"SHA-1\", toBytes(data));\n\treturn toHex(new Uint8Array(digest));\n}\n\n// ---------------------------------------------------------------------------\n// HMAC\n// ---------------------------------------------------------------------------\n\n/** Import a secret key for HMAC operations. */\nexport async function importHmacKey(\n\tkey: string | Uint8Array,\n\thash: \"SHA-256\" | \"SHA-1\" = \"SHA-256\",\n): Promise<CryptoKey> {\n\tconst keyData = typeof key === \"string\" ? TEXT_ENCODER.encode(key) : key;\n\treturn globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\t(keyData.buffer as ArrayBuffer).slice(\n\t\t\tkeyData.byteOffset,\n\t\t\tkeyData.byteOffset + keyData.byteLength,\n\t\t),\n\t\t{ name: \"HMAC\", hash: { name: hash } },\n\t\tfalse,\n\t\t[\"sign\", \"verify\"],\n\t);\n}\n\n/** HMAC-SHA256 sign, returns hex string. */\nexport async function hmacSha256(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<string> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn toHex(new Uint8Array(signature));\n}\n\n/** HMAC-SHA256 sign, returns Uint8Array. */\nexport async function hmacSha256Raw(\n\tkey: string | Uint8Array,\n\tdata: string | Uint8Array,\n): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-256\");\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, toBytes(data));\n\treturn new Uint8Array(signature);\n}\n\n/** HMAC-SHA1 sign, returns Uint8Array (needed for TOTP per RFC 6238). */\nexport async function hmacSha1Raw(key: Uint8Array, data: Uint8Array): Promise<Uint8Array> {\n\tconst cryptoKey = await importHmacKey(key, \"SHA-1\");\n\tconst buf = (data.buffer as ArrayBuffer).slice(\n\t\tdata.byteOffset,\n\t\tdata.byteOffset + data.byteLength,\n\t);\n\tconst signature = await globalThis.crypto.subtle.sign(\"HMAC\", cryptoKey, buf);\n\treturn new Uint8Array(signature);\n}\n\n// ---------------------------------------------------------------------------\n// PBKDF2 password hashing\n// ---------------------------------------------------------------------------\n\nconst PBKDF2_ITERATIONS = 100_000; // CF Workers caps at 100K; OWASP recommends 600K for Node.js\nconst PBKDF2_KEY_LENGTH = 64; // bytes\nconst PBKDF2_SALT_LENGTH = 32; // bytes\n\n/**\n * Hash a password using PBKDF2-SHA256.\n *\n * Returns a string in the format: `pbkdf2:iterations:salt_hex:hash_hex`\n * which is safe to store in the database.\n */\nexport async function pbkdf2Hash(\n\tpassword: string,\n\tsalt?: Uint8Array,\n\titerations?: number,\n): Promise<string> {\n\tconst actualSalt = salt ?? randomBytes(PBKDF2_SALT_LENGTH);\n\tconst actualIterations = iterations ?? PBKDF2_ITERATIONS;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (actualSalt.buffer as ArrayBuffer).slice(\n\t\tactualSalt.byteOffset,\n\t\tactualSalt.byteOffset + actualSalt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations: actualIterations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tPBKDF2_KEY_LENGTH * 8,\n\t);\n\n\treturn `pbkdf2:${actualIterations}:${toHex(actualSalt)}:${toHex(new Uint8Array(derived))}`;\n}\n\n/**\n * Verify a password against a stored PBKDF2 hash.\n *\n * Supports the `pbkdf2:iterations:salt:hash` format produced by `pbkdf2Hash`.\n */\nexport async function pbkdf2Verify(password: string, stored: string): Promise<boolean> {\n\tconst parts = stored.split(\":\");\n\tif (parts.length !== 4 || parts[0] !== \"pbkdf2\") {\n\t\treturn false;\n\t}\n\n\tconst iterations = parseInt(parts[1] as string, 10);\n\tconst salt = fromHex(parts[2] as string);\n\tconst storedHash = fromHex(parts[3] as string);\n\n\tif (Number.isNaN(iterations)) return false;\n\n\tconst keyMaterial = await globalThis.crypto.subtle.importKey(\n\t\t\"raw\",\n\t\tTEXT_ENCODER.encode(password),\n\t\t\"PBKDF2\",\n\t\tfalse,\n\t\t[\"deriveBits\"],\n\t);\n\n\tconst saltBuf = (salt.buffer as ArrayBuffer).slice(\n\t\tsalt.byteOffset,\n\t\tsalt.byteOffset + salt.byteLength,\n\t);\n\tconst derived = await globalThis.crypto.subtle.deriveBits(\n\t\t{\n\t\t\tname: \"PBKDF2\",\n\t\t\tsalt: saltBuf,\n\t\t\titerations,\n\t\t\thash: \"SHA-256\",\n\t\t},\n\t\tkeyMaterial,\n\t\tstoredHash.length * 8,\n\t);\n\n\treturn constantTimeEqual(new Uint8Array(derived), storedHash);\n}\n\n// ---------------------------------------------------------------------------\n// Constant-time comparison\n// ---------------------------------------------------------------------------\n\n/**\n * Constant-time comparison of two Uint8Arrays.\n * Returns false immediately if lengths differ (length is not secret).\n */\nexport function constantTimeEqual(a: Uint8Array, b: Uint8Array): boolean {\n\tif (a.byteLength !== b.byteLength) {\n\t\treturn false;\n\t}\n\tlet diff = 0;\n\tfor (let i = 0; i < a.byteLength; i++) {\n\t\tdiff |= (a[i] as number) ^ (b[i] as number);\n\t}\n\treturn diff === 0;\n}\n","import { integer, sqliteTable, text } from \"drizzle-orm/sqlite-core\";\n\n// ============================================================\n// Users (basic human identity - integrates with external auth)\n// ============================================================\nexport const users = sqliteTable(\"kavach_users\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull().unique(),\n\tname: text(\"name\"),\n\tusername: text(\"username\").unique(),\n\texternalId: text(\"external_id\"), // ID from external auth (better-auth, Auth.js, etc.)\n\texternalProvider: text(\"external_provider\"), // \"better-auth\", \"authjs\", \"clerk\", etc.\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\t// Admin ban fields (populated by admin module)\n\tbanned: integer(\"banned\").notNull().default(0),\n\tbanReason: text(\"ban_reason\"),\n\tbanExpiresAt: integer(\"ban_expires_at\", { mode: \"timestamp\" }),\n\tforcePasswordReset: integer(\"force_password_reset\").notNull().default(0),\n\temailVerified: integer(\"email_verified\").notNull().default(0),\n\t// Stripe integration fields (populated by kavach-stripe plugin)\n\tstripeCustomerId: text(\"stripe_customer_id\").unique(),\n\tstripeSubscriptionId: text(\"stripe_subscription_id\"),\n\tstripeSubscriptionStatus: text(\"stripe_subscription_status\"),\n\tstripePriceId: text(\"stripe_price_id\"),\n\tstripeCurrentPeriodEnd: integer(\"stripe_current_period_end\", { mode: \"timestamp\" }),\n\tstripeCancelAtPeriodEnd: integer(\"stripe_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\t// Polar integration fields (populated by kavach-polar plugin)\n\tpolarCustomerId: text(\"polar_customer_id\").unique(),\n\tpolarSubscriptionId: text(\"polar_subscription_id\"),\n\tpolarSubscriptionStatus: text(\"polar_subscription_status\"),\n\tpolarProductId: text(\"polar_product_id\"),\n\tpolarCurrentPeriodEnd: integer(\"polar_current_period_end\", { mode: \"timestamp\" }),\n\tpolarCancelAtPeriodEnd: integer(\"polar_cancel_at_period_end\", { mode: \"boolean\" })\n\t\t.notNull()\n\t\t.default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Tenants (multi-tenant isolation — must come before agents)\n// ============================================================\nexport const tenants = sqliteTable(\"kavach_tenants\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\tsettings: text(\"settings\", { mode: \"json\" }).$type<TenantSettingsRow>(),\n\tstatus: text(\"status\", { enum: [\"active\", \"suspended\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TenantSettingsRow {\n\tmaxAgents?: number;\n\tmaxDelegationDepth?: number;\n\tauditRetentionDays?: number;\n\tallowedAgentTypes?: string[];\n}\n\n// ============================================================\n// Agents (the core differentiator - AI agent identities)\n// ============================================================\nexport const agents = sqliteTable(\"kavach_agents\", {\n\tid: text(\"id\").primaryKey(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable, for multi-tenant scoping\n\tname: text(\"name\").notNull(),\n\ttype: text(\"type\", { enum: [\"autonomous\", \"delegated\", \"service\"] }).notNull(),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\ttokenHash: text(\"token_hash\").notNull(), // hashed agent token\n\ttokenPrefix: text(\"token_prefix\").notNull(), // first 8 chars for identification\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastActiveAt: integer(\"last_active_at\", { mode: \"timestamp\" }),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Permissions (scoped access control per agent)\n// ============================================================\nexport const permissions = sqliteTable(\"kavach_permissions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(), // e.g. \"mcp:github:*\", \"tool:file_read\"\n\tactions: text(\"actions\", { mode: \"json\" }).notNull().$type<string[]>(), // [\"read\", \"write\", \"execute\"]\n\tconstraints: text(\"constraints\", { mode: \"json\" }).$type<PermissionConstraintsRow>(),\n\t// When set, the policy engine consults the ReBAC graph for this permission.\n\trelation: text(\"relation\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface PermissionConstraintsRow {\n\tmaxCallsPerHour?: number;\n\tallowedArgPatterns?: string[];\n\trequireApproval?: boolean;\n\ttimeWindow?: { start: string; end: string };\n\tipAllowlist?: string[];\n}\n\n// ============================================================\n// Delegation Chains (agent-to-agent permission delegation)\n// ============================================================\nexport const delegationChains = sqliteTable(\"kavach_delegation_chains\", {\n\tid: text(\"id\").primaryKey(),\n\tfromAgentId: text(\"from_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\ttoAgentId: text(\"to_agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<DelegationPermissionRow[]>(),\n\tdepth: integer(\"depth\").notNull().default(1),\n\tmaxDepth: integer(\"max_depth\").notNull().default(3),\n\tstatus: text(\"status\", { enum: [\"active\", \"revoked\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface DelegationPermissionRow {\n\tresource: string;\n\tactions: string[];\n}\n\n// ============================================================\n// Audit Logs (immutable record of every agent action)\n// ============================================================\nexport const auditLogs = sqliteTable(\"kavach_audit_logs\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(), // \"execute\", \"read\", \"write\", \"delete\"\n\tresource: text(\"resource\").notNull(), // \"mcp:github:create_issue\"\n\tparameters: text(\"parameters\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tresult: text(\"result\", { enum: [\"allowed\", \"denied\", \"rate_limited\"] }).notNull(),\n\treason: text(\"reason\"), // why denied/rate_limited\n\tdurationMs: integer(\"duration_ms\").notNull(),\n\ttokensCost: integer(\"tokens_cost\"),\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\t// True when this audit row corresponds to a policy-engine cache-hit evaluation.\n\tcacheHit: integer(\"cache_hit\", { mode: \"boolean\" }).notNull().default(false),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Rate Limit Counters (track per-agent call rates)\n// ============================================================\nexport const rateLimits = sqliteTable(\"kavach_rate_limits\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tresource: text(\"resource\").notNull(),\n\twindowStart: integer(\"window_start\", { mode: \"timestamp\" }).notNull(),\n\tcount: integer(\"count\").notNull().default(0),\n});\n\n// ============================================================\n// MCP Servers (registered MCP servers)\n// ============================================================\nexport const mcpServers = sqliteTable(\"kavach_mcp_servers\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tendpoint: text(\"endpoint\").notNull().unique(),\n\ttools: text(\"tools\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tauthRequired: integer(\"auth_required\", { mode: \"boolean\" }).notNull().default(true),\n\trateLimitRpm: integer(\"rate_limit_rpm\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"inactive\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Sessions (human user sessions managed by KavachOS)\n// ============================================================\nexport const sessions = sqliteTable(\"kavach_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Clients (for MCP OAuth 2.1 - dynamic client registration)\n// ============================================================\nexport const oauthClients = sqliteTable(\"kavach_oauth_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecret: text(\"client_secret\"), // null for public clients\n\tclientName: text(\"client_name\"),\n\tclientUri: text(\"client_uri\"),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"authorization_code\"]),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<string[]>()\n\t\t.default([\"code\"]),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_basic\"),\n\ttype: text(\"type\", { enum: [\"public\", \"confidential\"] })\n\t\t.notNull()\n\t\t.default(\"confidential\"),\n\tdisabled: integer(\"disabled\", { mode: \"boolean\" }).notNull().default(false),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Access Tokens (issued tokens for MCP auth)\n// ============================================================\nexport const oauthAccessTokens = sqliteTable(\"kavach_oauth_access_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\taccessToken: text(\"access_token\").notNull().unique(),\n\trefreshToken: text(\"refresh_token\").unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tresource: text(\"resource\"), // RFC 8707 - audience binding\n\taccessTokenExpiresAt: integer(\"access_token_expires_at\", { mode: \"timestamp\" }).notNull(),\n\trefreshTokenExpiresAt: integer(\"refresh_token_expires_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OAuth Authorization Codes (temporary codes for code exchange)\n// ============================================================\nexport const oauthAuthorizationCodes = sqliteTable(\"kavach_oauth_authorization_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcode: text(\"code\").notNull().unique(),\n\tclientId: text(\"client_id\")\n\t\t.notNull()\n\t\t.references(() => oauthClients.clientId),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE\n\tcodeChallengeMethod: text(\"code_challenge_method\"), // \"S256\"\n\tresource: text(\"resource\"), // RFC 8707\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Budget Policies (agent execution budget caps)\n// ============================================================\nexport const budgetPolicies = sqliteTable(\"kavach_budget_policies\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\").references(() => agents.id, { onDelete: \"cascade\" }), // nullable\n\tuserId: text(\"user_id\").references(() => users.id), // nullable\n\ttenantId: text(\"tenant_id\").references(() => tenants.id), // nullable\n\tlimits: text(\"limits\", { mode: \"json\" }).notNull().$type<BudgetLimitsRow>(),\n\tcurrentUsage: text(\"current_usage\", { mode: \"json\" }).notNull().$type<BudgetUsageRow>(),\n\taction: text(\"action\", { enum: [\"warn\", \"throttle\", \"block\", \"revoke\"] })\n\t\t.notNull()\n\t\t.default(\"warn\"),\n\tstatus: text(\"status\", { enum: [\"active\", \"triggered\", \"disabled\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface BudgetLimitsRow {\n\tmaxTokensCostPerDay?: number;\n\tmaxTokensCostPerMonth?: number;\n\tmaxCallsPerDay?: number;\n\tmaxCallsPerMonth?: number;\n}\n\ninterface BudgetUsageRow {\n\ttokensCostToday: number;\n\ttokensCostThisMonth: number;\n\tcallsToday: number;\n\tcallsThisMonth: number;\n\tlastUpdated: string;\n}\n\n// ============================================================\n// Agent Capability Cards (A2A discovery)\n// ============================================================\nexport const agentCards = sqliteTable(\"kavach_agent_cards\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tdescription: text(\"description\"),\n\tversion: text(\"version\").notNull(),\n\tprotocols: text(\"protocols\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tcapabilities: text(\"capabilities\", { mode: \"json\" }).notNull().$type<unknown[]>(),\n\tauthRequirements: text(\"auth_requirements\", { mode: \"json\" })\n\t\t.notNull()\n\t\t.$type<Record<string, unknown>>(),\n\tendpoint: text(\"endpoint\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Approval Requests (CIBA async approval flows)\n// ============================================================\nexport const approvalRequests = sqliteTable(\"kavach_approval_requests\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\taction: text(\"action\").notNull(),\n\tresource: text(\"resource\").notNull(),\n\targuments: text(\"arguments\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tstatus: text(\"status\", { enum: [\"pending\", \"approved\", \"denied\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\trespondedAt: integer(\"responded_at\", { mode: \"timestamp\" }),\n\trespondedBy: text(\"responded_by\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trust Scores (graduated autonomy scoring)\n// ============================================================\nexport const trustScores = sqliteTable(\"kavach_trust_scores\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tscore: integer(\"score\").notNull(),\n\tlevel: text(\"level\", {\n\t\tenum: [\"untrusted\", \"limited\", \"standard\", \"trusted\", \"elevated\"],\n\t}).notNull(),\n\tfactors: text(\"factors\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tcomputedAt: integer(\"computed_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Magic Links (passwordless email login)\n// ============================================================\nexport const magicLinks = sqliteTable(\"kavach_magic_links\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\ttoken: text(\"token\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Email OTPs (one-time password login)\n// ============================================================\nexport const emailOtps = sqliteTable(\"kavach_email_otps\", {\n\tid: text(\"id\").primaryKey(),\n\temail: text(\"email\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// TOTP (Two-Factor Authentication)\n// ============================================================\nexport const totpRecords = sqliteTable(\"kavach_totp\", {\n\tuserId: text(\"user_id\")\n\t\t.primaryKey()\n\t\t.references(() => users.id),\n\tsecret: text(\"secret\").notNull(), // base32-encoded TOTP secret\n\tenabled: integer(\"enabled\", { mode: \"boolean\" }).notNull().default(false),\n\tbackupCodes: text(\"backup_codes\", { mode: \"json\" }).notNull().$type<TotpBackupCode[]>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\ninterface TotpBackupCode {\n\thash: string;\n\tused: boolean;\n}\n\n// ============================================================\n// Organizations (multi-member org with RBAC)\n// ============================================================\nexport const organizations = sqliteTable(\"kavach_organizations\", {\n\tid: text(\"id\").primaryKey(),\n\tname: text(\"name\").notNull(),\n\tslug: text(\"slug\").notNull().unique(),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgMembers = sqliteTable(\"kavach_org_members\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tjoinedAt: integer(\"joined_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgInvitations = sqliteTable(\"kavach_org_invitations\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\temail: text(\"email\").notNull(),\n\trole: text(\"role\").notNull().default(\"member\"),\n\tinvitedBy: text(\"invited_by\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tstatus: text(\"status\", { enum: [\"pending\", \"accepted\", \"expired\"] })\n\t\t.notNull()\n\t\t.default(\"pending\"),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\nexport const orgRoles = sqliteTable(\"kavach_org_roles\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\")\n\t\t.notNull()\n\t\t.references(() => organizations.id, { onDelete: \"cascade\" }),\n\tname: text(\"name\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n});\n\n// ============================================================\n// Passkey Credentials (WebAuthn / FIDO2)\n// ============================================================\nexport const passkeyCredentials = sqliteTable(\"kavach_passkey_credentials\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tcredentialId: text(\"credential_id\").notNull().unique(),\n\tpublicKey: text(\"public_key\").notNull(), // base64url-encoded COSE key\n\tcounter: integer(\"counter\").notNull().default(0),\n\tdeviceName: text(\"device_name\"),\n\ttransports: text(\"transports\"), // JSON array, e.g. '[\"internal\",\"usb\"]'\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// SSO Connections (SAML / OIDC enterprise SSO)\n// ============================================================\nexport const ssoConnections = sqliteTable(\"kavach_sso_connections\", {\n\tid: text(\"id\").primaryKey(),\n\torgId: text(\"org_id\").notNull(),\n\tproviderId: text(\"provider_id\").notNull(),\n\ttype: text(\"type\", { enum: [\"saml\", \"oidc\"] }).notNull(),\n\tdomain: text(\"domain\").notNull().unique(),\n\tenabled: integer(\"enabled\").notNull().default(1),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// API Keys (static bearer tokens with permission scopes)\n// ============================================================\nexport const apiKeys = sqliteTable(\"kavach_api_keys\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\tname: text(\"name\").notNull(),\n\tkeyHash: text(\"key_hash\").notNull(),\n\tkeyPrefix: text(\"key_prefix\").notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }),\n\tlastUsedAt: integer(\"last_used_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Passkey Challenges (WebAuthn challenge state — short-lived)\n// ============================================================\nexport const passkeyChallenges = sqliteTable(\"kavach_passkey_challenges\", {\n\tid: text(\"id\").primaryKey(),\n\tchallenge: text(\"challenge\").notNull().unique(),\n\tuserId: text(\"user_id\"), // null for discoverable credential flows\n\ttype: text(\"type\", { enum: [\"registration\", \"authentication\"] }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Username Accounts (username + password auth)\n// ============================================================\nexport const usernameAccounts = sqliteTable(\"kavach_username_accounts\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tusername: text(\"username\").notNull().unique(),\n\tpasswordHash: text(\"password_hash\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Phone Verifications (SMS OTP)\n// ============================================================\nexport const phoneVerifications = sqliteTable(\"kavach_phone_verifications\", {\n\tid: text(\"id\").primaryKey(),\n\tphoneNumber: text(\"phone_number\").notNull(),\n\tcodeHash: text(\"code_hash\").notNull(),\n\tattempts: integer(\"attempts\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Trusted Devices (skip 2FA on known devices for a time window)\n// ============================================================\nexport const trustedDevices = sqliteTable(\"kavach_trusted_devices\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tfingerprint: text(\"fingerprint\").notNull(), // HMAC-SHA256 of stable request headers\n\tlabel: text(\"label\").notNull(), // human-readable, e.g. \"Mac\", \"iPhone\"\n\ttrustedAt: integer(\"trusted_at\", { mode: \"timestamp\" }).notNull(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// One-Time Tokens (email verify, password reset, invitation, custom)\n// ============================================================\nexport const oneTimeTokens = sqliteTable(\"kavach_one_time_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tpurpose: text(\"purpose\", {\n\t\tenum: [\"email-verify\", \"password-reset\", \"invitation\", \"custom\"],\n\t}).notNull(),\n\tidentifier: text(\"identifier\").notNull(), // email, userId, or any caller-supplied key\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Login History (last login method tracking per user)\n// ============================================================\nexport const loginHistory = sqliteTable(\"kavach_login_history\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\tmethod: text(\"method\").notNull(), // LoginMethod — kept as text to support oauth:{provider} variants\n\tip: text(\"ip\"),\n\tuserAgent: text(\"user_agent\"),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp_ms\" }).notNull(),\n});\n\n// ============================================================\n// Agent DIDs (W3C Decentralized Identifiers per agent)\n// ============================================================\nexport const agentDids = sqliteTable(\"kavach_agent_dids\", {\n\tagentId: text(\"agent_id\")\n\t\t.primaryKey()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\tdid: text(\"did\").notNull().unique(),\n\tmethod: text(\"method\", { enum: [\"key\", \"web\"] }).notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\").notNull(), // JSON-serialised JWK (public key only)\n\tdidDocument: text(\"did_document\").notNull(), // JSON-serialised DID Document\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Clients (apps authenticating against KavachOS IdP)\n// ============================================================\nexport const oidcClients = sqliteTable(\"kavach_oidc_clients\", {\n\tid: text(\"id\").primaryKey(),\n\tclientId: text(\"client_id\").notNull().unique(),\n\tclientSecretHash: text(\"client_secret_hash\").notNull(), // SHA-256 hex of the raw secret\n\tclientName: text(\"client_name\").notNull(),\n\tredirectUris: text(\"redirect_uris\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tgrantTypes: text(\"grant_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tresponseTypes: text(\"response_types\", { mode: \"json\" }).notNull().$type<string[]>(),\n\tscopes: text(\"scopes\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttokenEndpointAuthMethod: text(\"token_endpoint_auth_method\")\n\t\t.notNull()\n\t\t.default(\"client_secret_post\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Authorization Codes\n// ============================================================\nexport const oidcAuthCodes = sqliteTable(\"kavach_oidc_auth_codes\", {\n\tid: text(\"id\").primaryKey(),\n\tcodeHash: text(\"code_hash\").notNull().unique(), // SHA-256 hex of the raw code\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tredirectUri: text(\"redirect_uri\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\tnonce: text(\"nonce\"),\n\tcodeChallenge: text(\"code_challenge\"), // PKCE S256\n\tcodeChallengeMethod: text(\"code_challenge_method\"),\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// OIDC Provider — Refresh Tokens\n// ============================================================\nexport const oidcRefreshTokens = sqliteTable(\"kavach_oidc_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenHash: text(\"token_hash\").notNull().unique(), // SHA-256 hex of the raw token\n\tclientId: text(\"client_id\").notNull(),\n\tuserId: text(\"user_id\").notNull(),\n\tscopes: text(\"scopes\").notNull(), // space-separated\n\trevoked: integer(\"revoked\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Cost Events (per-agent cost attribution and observability)\n// ============================================================\nexport const costEvents = sqliteTable(\"kavach_cost_events\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\ttool: text(\"tool\").notNull(), // e.g. 'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github'\n\tinputTokens: integer(\"input_tokens\"),\n\toutputTokens: integer(\"output_tokens\"),\n\t/** Cost stored as integer microdollars (costUsd × 1_000_000) to avoid float drift */\n\tcostMicros: integer(\"cost_micros\").notNull(),\n\tcurrency: text(\"currency\").notNull().default(\"USD\"),\n\tmetadata: text(\"metadata\", { mode: \"json\" }).$type<Record<string, unknown>>(),\n\tdelegationChainId: text(\"delegation_chain_id\"), // null when not part of a chain\n\trecordedAt: integer(\"recorded_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Ephemeral Sessions (short-lived agent credentials for single-task use)\n// ============================================================\nexport const ephemeralSessions = sqliteTable(\"kavach_ephemeral_sessions\", {\n\tid: text(\"id\").primaryKey(),\n\tagentId: text(\"agent_id\")\n\t\t.notNull()\n\t\t.references(() => agents.id, { onDelete: \"cascade\" }),\n\townerId: text(\"owner_id\")\n\t\t.notNull()\n\t\t.references(() => users.id),\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tmaxActions: integer(\"max_actions\"), // null = unlimited\n\tactionsUsed: integer(\"actions_used\").notNull().default(0),\n\tstatus: text(\"status\", { enum: [\"active\", \"expired\", \"exhausted\", \"revoked\"] })\n\t\t.notNull()\n\t\t.default(\"active\"),\n\tauditGroupId: text(\"audit_group_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Stream Events (persisted SSE events for replay)\n// ============================================================\nexport const streamEvents = sqliteTable(\"kavach_stream_events\", {\n\tid: text(\"id\").primaryKey(),\n\ttype: text(\"type\").notNull(),\n\ttimestamp: integer(\"timestamp\", { mode: \"timestamp\" }).notNull(),\n\tdata: text(\"data\", { mode: \"json\" }).notNull().$type<Record<string, unknown>>(),\n\tagentId: text(\"agent_id\"),\n\tuserId: text(\"user_id\"),\n});\n\n// ============================================================\n// JWT Session Refresh Tokens (general-purpose session plugin)\n// ============================================================\nexport const jwtRefreshTokens = sqliteTable(\"kavach_jwt_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\t/** SHA-256 hex of the raw refresh token. The raw token is never stored. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** The user who owns this session. */\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** True once the token has been used in a refresh or explicit revocation. */\n\tused: integer(\"used\", { mode: \"boolean\" }).notNull().default(false),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Resources (relationship-based access control — resource hierarchy)\n// ============================================================\nexport const rebacResources = sqliteTable(\"kavach_rebac_resources\", {\n\tid: text(\"id\").notNull().primaryKey(),\n\ttype: text(\"type\").notNull(), // 'org', 'workspace', 'project', 'document', etc.\n\tparentId: text(\"parent_id\"),\n\tparentType: text(\"parent_type\"),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// ReBAC Relationships (subject-relation-object tuples, Zanzibar style)\n// ============================================================\nexport const rebacRelationships = sqliteTable(\"kavach_rebac_relationships\", {\n\tid: text(\"id\").primaryKey(),\n\tsubjectType: text(\"subject_type\").notNull(), // 'user', 'agent', 'team', 'role'\n\tsubjectId: text(\"subject_id\").notNull(),\n\trelation: text(\"relation\").notNull(), // 'owner', 'editor', 'viewer', 'member', 'parent'\n\tobjectType: text(\"object_type\").notNull(),\n\tobjectId: text(\"object_id\").notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Instances (trusted remote KavachOS instances)\n// ============================================================\nexport const federationInstances = sqliteTable(\"kavach_federation_instances\", {\n\tid: text(\"id\").primaryKey(),\n\tinstanceId: text(\"instance_id\").notNull().unique(),\n\tinstanceUrl: text(\"instance_url\").notNull(),\n\tpublicKeyJwk: text(\"public_key_jwk\"), // JSON-serialised JWK (public key only)\n\ttrustLevel: text(\"trust_level\", { enum: [\"full\", \"limited\", \"verify-only\"] })\n\t\t.notNull()\n\t\t.default(\"verify-only\"),\n\tdiscoveredAt: integer(\"discovered_at\", { mode: \"timestamp\" }),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n\tupdatedAt: integer(\"updated_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Federation Tokens (issued/received federation tokens for audit)\n// ============================================================\nexport const federationTokens = sqliteTable(\"kavach_federation_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\ttokenJti: text(\"token_jti\").notNull().unique(), // JWT ID for dedup\n\tagentId: text(\"agent_id\").notNull(),\n\tsourceInstanceId: text(\"source_instance_id\").notNull(),\n\ttargetInstanceId: text(\"target_instance_id\"),\n\tdirection: text(\"direction\", { enum: [\"issued\", \"received\"] }).notNull(),\n\tpermissions: text(\"permissions\", { mode: \"json\" }).notNull().$type<string[]>(),\n\ttrustScore: integer(\"trust_score\"), // stored as integer 0-100\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Token Families (token rotation / reuse detection)\n// ============================================================\nexport const refreshTokenFamilies = sqliteTable(\"kavach_refresh_token_families\", {\n\tid: text(\"id\").primaryKey(),\n\tuserId: text(\"user_id\")\n\t\t.notNull()\n\t\t.references(() => users.id, { onDelete: \"cascade\" }),\n\t/** Absolute session expiry — no rotation can extend beyond this date. */\n\tabsoluteExpiresAt: integer(\"absolute_expires_at\", { mode: \"timestamp\" }).notNull(),\n\t/** 0 = active, 1 = revoked (reuse detection or explicit logout). */\n\trevoked: integer(\"revoked\").notNull().default(0),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n\n// ============================================================\n// Refresh Tokens (individual one-time-use tokens per family)\n// ============================================================\nexport const refreshTokens = sqliteTable(\"kavach_refresh_tokens\", {\n\tid: text(\"id\").primaryKey(),\n\tfamilyId: text(\"family_id\")\n\t\t.notNull()\n\t\t.references(() => refreshTokenFamilies.id, { onDelete: \"cascade\" }),\n\t/** SHA-256 hash of the opaque token — never store the raw token. */\n\ttokenHash: text(\"token_hash\").notNull().unique(),\n\t/** 0 = unused, 1 = already consumed (one-time use). */\n\tused: integer(\"used\").notNull().default(0),\n\texpiresAt: integer(\"expires_at\", { mode: \"timestamp\" }).notNull(),\n\tcreatedAt: integer(\"created_at\", { mode: \"timestamp\" }).notNull(),\n});\n","import { and, eq } from \"drizzle-orm\";\nimport { generateId, randomBytes, sha256, toBase64Url } from \"../crypto/web-crypto.js\";\nimport type { Database } from \"../db/database.js\";\nimport { agents, permissions } from \"../db/schema.js\";\nimport type {\n\tAgentFilter,\n\tAgentIdentity,\n\tCreateAgentInput,\n\tPermission,\n\tUpdateAgentInput,\n} from \"../types.js\";\n\ninterface AgentModuleConfig {\n\tdb: Database;\n\tmaxPerUser: number;\n\tdefaultPermissions: string[];\n\ttokenExpiry: string;\n}\n\n/**\n * Generate a secure agent token.\n * Returns { token, hash, prefix } where:\n * - token: the full token (given to the agent, never stored)\n * - hash: SHA-256 hash (stored in DB)\n * - prefix: first 8 chars (for identification in logs/UI)\n */\nasync function generateAgentToken(): Promise<{ token: string; hash: string; prefix: string }> {\n\tconst tokenBytes = randomBytes(32);\n\tconst token = `kv_${toBase64Url(tokenBytes)}`;\n\tconst hash = await sha256(token);\n\tconst prefix = token.slice(0, 11); // \"kv_\" + 8 chars\n\treturn { token, hash, prefix };\n}\n\nfunction parseTokenExpiry(expiry: string): Date {\n\tconst now = Date.now();\n\tconst match = expiry.match(/^(\\d+)([smhd])$/);\n\tif (!match) {\n\t\tthrow new Error(`Invalid token expiry format: ${expiry}. Use format like \"24h\", \"7d\", \"30m\".`);\n\t}\n\tconst value = Number.parseInt(match[1] as string, 10);\n\tconst unit = match[2];\n\tconst multipliers: Record<string, number> = {\n\t\ts: 1000,\n\t\tm: 60 * 1000,\n\t\th: 60 * 60 * 1000,\n\t\td: 24 * 60 * 60 * 1000,\n\t};\n\treturn new Date(now + value * (multipliers[unit as string] ?? 0));\n}\n\n/**\n * Create the agent identity module.\n * Handles CRUD operations for AI agent identities.\n */\nexport function createAgentModule(config: AgentModuleConfig) {\n\tconst { db, maxPerUser, tokenExpiry } = config;\n\n\tasync function create(input: CreateAgentInput): Promise<AgentIdentity & { token: string }> {\n\t\t// Check max agents per user\n\t\tconst existing = await db\n\t\t\t.select()\n\t\t\t.from(agents)\n\t\t\t.where(and(eq(agents.ownerId, input.ownerId), eq(agents.status, \"active\")));\n\n\t\tif (existing.length >= maxPerUser) {\n\t\t\tthrow new Error(\n\t\t\t\t`User ${input.ownerId} has reached the maximum of ${maxPerUser} active agents.`,\n\t\t\t);\n\t\t}\n\n\t\tconst id = generateId();\n\t\tconst { token, hash, prefix } = await generateAgentToken();\n\t\tconst now = new Date();\n\t\tconst expires = input.expiresAt ?? parseTokenExpiry(tokenExpiry);\n\n\t\t// Insert agent\n\t\tawait db.insert(agents).values({\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\ttenantId: input.tenantId ?? null,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\tstatus: \"active\",\n\t\t\ttokenHash: hash,\n\t\t\ttokenPrefix: prefix,\n\t\t\texpiresAt: expires,\n\t\t\tmetadata: input.metadata ?? {},\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t});\n\n\t\t// Insert permissions\n\t\tif (input.permissions.length > 0) {\n\t\t\tawait db.insert(permissions).values(\n\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\tid: generateId(),\n\t\t\t\t\tagentId: id,\n\t\t\t\t\tresource: p.resource,\n\t\t\t\t\tactions: p.actions,\n\t\t\t\t\tconstraints: p.constraints ?? null,\n\t\t\t\t\tcreatedAt: now,\n\t\t\t\t})),\n\t\t\t);\n\t\t}\n\n\t\treturn {\n\t\t\tid,\n\t\t\townerId: input.ownerId,\n\t\t\ttenantId: input.tenantId,\n\t\t\tname: input.name,\n\t\t\ttype: input.type,\n\t\t\ttoken,\n\t\t\tpermissions: input.permissions,\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: expires,\n\t\t\tcreatedAt: now,\n\t\t\tupdatedAt: now,\n\t\t};\n\t}\n\n\tasync function get(agentId: string): Promise<AgentIdentity | null> {\n\t\tconst rows = await db.select().from(agents).where(eq(agents.id, agentId)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agentId));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\", // never return token after creation\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\tasync function list(filter?: AgentFilter): Promise<AgentIdentity[]> {\n\t\tlet query = db.select().from(agents).$dynamic();\n\n\t\tconst conditions = [];\n\t\tif (filter?.userId) conditions.push(eq(agents.ownerId, filter.userId));\n\t\tif (filter?.tenantId) conditions.push(eq(agents.tenantId, filter.tenantId));\n\t\tif (filter?.status) conditions.push(eq(agents.status, filter.status));\n\t\tif (filter?.type) conditions.push(eq(agents.type, filter.type));\n\n\t\tif (conditions.length > 0) {\n\t\t\tquery = query.where(and(...conditions));\n\t\t}\n\n\t\tconst rows = await query;\n\n\t\t// Load permissions for all agents\n\t\tconst agentIds = rows.map((r) => r.id);\n\t\tconst permsByAgent = new Map<string, Permission[]>();\n\t\tfor (const id of agentIds) {\n\t\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, id));\n\t\t\tpermsByAgent.set(id, perms.map(toPermission));\n\t\t}\n\n\t\treturn rows.map((agent) => ({\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: permsByAgent.get(agent.id) ?? [],\n\t\t\tstatus: agent.status as AgentIdentity[\"status\"],\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t}));\n\t}\n\n\tasync function update(agentId: string, input: UpdateAgentInput): Promise<AgentIdentity> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({\n\t\t\t\tname: input.name ?? existing.name,\n\t\t\t\texpiresAt: input.expiresAt ?? existing.expiresAt,\n\t\t\t\tmetadata: input.metadata,\n\t\t\t\tupdatedAt: now,\n\t\t\t})\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\t// Replace permissions if provided\n\t\tif (input.permissions) {\n\t\t\tawait db.delete(permissions).where(eq(permissions.agentId, agentId));\n\t\t\tif (input.permissions.length > 0) {\n\t\t\t\tawait db.insert(permissions).values(\n\t\t\t\t\tinput.permissions.map((p) => ({\n\t\t\t\t\t\tid: generateId(),\n\t\t\t\t\t\tagentId,\n\t\t\t\t\t\tresource: p.resource,\n\t\t\t\t\t\tactions: p.actions,\n\t\t\t\t\t\tconstraints: p.constraints ?? null,\n\t\t\t\t\t\tcreatedAt: now,\n\t\t\t\t\t})),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\tconst updated = await get(agentId);\n\t\tif (!updated) throw new Error(`Agent ${agentId} disappeared after update.`);\n\t\treturn updated;\n\t}\n\n\tasync function revoke(agentId: string): Promise<void> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ status: \"revoked\", updatedAt: new Date() })\n\t\t\t.where(eq(agents.id, agentId));\n\t}\n\n\tasync function rotate(agentId: string): Promise<AgentIdentity & { token: string }> {\n\t\tconst existing = await get(agentId);\n\t\tif (!existing) throw new Error(`Agent ${agentId} not found.`);\n\t\tif (existing.status !== \"active\")\n\t\t\tthrow new Error(`Cannot rotate token for ${existing.status} agent.`);\n\n\t\tconst { token, hash, prefix } = await generateAgentToken();\n\t\tconst now = new Date();\n\n\t\tawait db\n\t\t\t.update(agents)\n\t\t\t.set({ tokenHash: hash, tokenPrefix: prefix, updatedAt: now })\n\t\t\t.where(eq(agents.id, agentId));\n\n\t\treturn { ...existing, token, updatedAt: now };\n\t}\n\n\t/**\n\t * Validate an agent token and return the agent identity.\n\t * Used internally by the authorization engine.\n\t */\n\tasync function validateToken(token: string): Promise<AgentIdentity | null> {\n\t\tconst hash = await sha256(token);\n\t\tconst rows = await db.select().from(agents).where(eq(agents.tokenHash, hash)).limit(1);\n\t\tconst agent = rows[0];\n\t\tif (!agent) return null;\n\n\t\t// Check status\n\t\tif (agent.status !== \"active\") return null;\n\n\t\t// Check expiry\n\t\tif (agent.expiresAt && agent.expiresAt < new Date()) {\n\t\t\tawait db\n\t\t\t\t.update(agents)\n\t\t\t\t.set({ status: \"expired\", updatedAt: new Date() })\n\t\t\t\t.where(eq(agents.id, agent.id));\n\t\t\treturn null;\n\t\t}\n\n\t\t// Update last active\n\t\tawait db.update(agents).set({ lastActiveAt: new Date() }).where(eq(agents.id, agent.id));\n\n\t\tconst perms = await db.select().from(permissions).where(eq(permissions.agentId, agent.id));\n\n\t\treturn {\n\t\t\tid: agent.id,\n\t\t\townerId: agent.ownerId,\n\t\t\ttenantId: agent.tenantId ?? undefined,\n\t\t\tname: agent.name,\n\t\t\ttype: agent.type as AgentIdentity[\"type\"],\n\t\t\ttoken: \"\",\n\t\t\tpermissions: perms.map(toPermission),\n\t\t\tstatus: \"active\",\n\t\t\texpiresAt: agent.expiresAt,\n\t\t\tcreatedAt: agent.createdAt,\n\t\t\tupdatedAt: agent.updatedAt,\n\t\t};\n\t}\n\n\treturn { create, get, list, update, revoke, rotate, validateToken };\n}\n\nfunction toPermission(row: {\n\tresource: string;\n\tactions: string[];\n\tconstraints: unknown;\n}): Permission {\n\treturn {\n\t\tresource: row.resource,\n\t\tactions: row.actions,\n\t\tconstraints: (row.constraints as Permission[\"constraints\"]) ?? undefined,\n\t};\n}\n"]}
package/dist/audit/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
- import { D as Database, k as AuditFilter, l as AuditEntry, m as AuditExportOptions } from '../types-B02D3kZy.js';
1
+ import { D as Database, k as AuditFilter, l as AuditEntry, m as AuditExportOptions } from '../types-RJPOU4un.js';
2
2
  import 'drizzle-orm/sqlite-core';
3
- import '../types-BuHrZcjE.js';
3
+ import '../types-BiUe9e8u.js';
4
4
  import 'zod';
5
5
  import '../redirect/index.js';
6
6
 
package/dist/audit/index.js CHANGED
@@ -70,6 +70,8 @@ sqliteTable("kavach_permissions", {
70
70
  actions: text("actions", { mode: "json" }).notNull().$type(),
71
71
  // ["read", "write", "execute"]
72
72
  constraints: text("constraints", { mode: "json" }).$type(),
73
+ // When set, the policy engine consults the ReBAC graph for this permission.
74
+ relation: text("relation"),
73
75
  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
74
76
  });
75
77
  sqliteTable("kavach_delegation_chains", {
@@ -99,6 +101,8 @@ var auditLogs = sqliteTable("kavach_audit_logs", {
99
101
  tokensCost: integer("tokens_cost"),
100
102
  ip: text("ip"),
101
103
  userAgent: text("user_agent"),
104
+ // True when this audit row corresponds to a policy-engine cache-hit evaluation.
105
+ cacheHit: integer("cache_hit", { mode: "boolean" }).notNull().default(false),
102
106
  timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
103
107
  });
104
108
  sqliteTable("kavach_rate_limits", {