run402 1.54.2 → 1.54.4

package/lib/webhooks.mjs

@@ -1,6 +1,7 @@
 import { resolveProjectId } from "./config.mjs";
 import { getSdk } from "./sdk.mjs";
 import { reportSdkError, fail } from "./sdk-errors.mjs";
+import { validateWebhookUrl } from "./argparse.mjs";
 
 const HELP = `run402 email webhooks — Manage mailbox webhooks
 
@@ -121,6 +122,11 @@ async function update(args) {
   if (!url && !eventsRaw) {
     fail({ code: "BAD_USAGE", message: "Provide at least --url or --events" });
   }
+  // GH-192: scheme-only local validation. Server-side SSRF defenses are out
+  // of scope for the CLI (private-IP / DNS rebinding / IMDS belongs on the
+  // gateway). `validateWebhookUrl` is a no-op when `url` is null/undefined,
+  // so partial updates that change only `--events` still work.
+  validateWebhookUrl(url, "--url");
 
   try {
     const data = await getSdk().email.webhooks.update(projectId, webhookId, {
@@ -146,6 +152,10 @@ async function register(args) {
       hint: "run402 email webhooks register --url <url> --events <e1,e2>",
     });
   }
+  // GH-192: validate scheme locally before any network call. Catches
+  // javascript:/file:/http:/data: schemes that the gateway would reject
+  // anyway, but with a friendlier round-trip-free error.
+  validateWebhookUrl(url, "--url");
   if (!eventsRaw) {
     fail({
       code: "BAD_USAGE",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "run402",
-  "version": "1.54.2",
+  "version": "1.54.4",
   "description": "CLI for Run402 — provision Postgres databases, deploy static sites, generate images, and manage wallets via x402 and MPP micropayments.",
   "type": "module",
   "bin": {

package/sdk/core-dist/allowance-auth.js

@@ -87,6 +87,11 @@ export function formatSIWEMessage(opts, address) {
  * @param path - API path (e.g. "/projects/v1") used to build the SIWE uri field.
  */
 export function getAllowanceAuthHeaders(path, allowancePath) {
+    // GH-194: readAllowance throws on a malformed-shape allowance file. The
+    // CLI's higher-level readAllowance wrapper surfaces this as a structured
+    // BAD_ALLOWANCE_FILE envelope; here we preserve the public contract that
+    // this helper returns SIWxAuthHeaders | null. Re-throw so callers above
+    // the CLI's wrapper (e.g. SDK paid-fetch) can decide whether to swallow it.
     const allowance = readAllowance(allowancePath);
     if (!allowance || !allowance.address || !allowance.privateKey)
         return null;

package/sdk/core-dist/allowance.js

@@ -2,16 +2,64 @@ import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSy
 import { dirname, join } from "node:path";
 import { randomBytes } from "node:crypto";
 import { getAllowancePath } from "./config.js";
+// 0x-prefixed 40-hex EVM address.
+const ADDRESS_RE = /^0x[a-fA-F0-9]{40}$/;
+// 0x-prefixed 64-hex secp256k1 private key (32 bytes).
+const PRIVATE_KEY_RE = /^0x[a-fA-F0-9]{64}$/;
+/**
+ * Load the agent allowance from disk.
+ *
+ * Returns `null` for the two "no allowance configured" cases:
+ *   - the file does not exist
+ *   - the file exists but is not parseable JSON (preserve existing UX —
+ *     consumers print "no_allowance" and tell the user to run init)
+ *
+ * Throws a structured `Error` (GH-194) when the file parses as JSON but the
+ * shape is wrong (missing/wrong-type/wrong-length fields). Without this guard
+ * downstream callers crash with raw stack traces:
+ *   - `cli/lib/status.mjs` reaches for `allowance.address.toLowerCase()`
+ *     and crashes with `TypeError: Cannot read properties of undefined`.
+ *   - `core/src/allowance-auth.ts` passes a malformed `privateKey` to
+ *     `@noble/curves` which throws "expected 32 bytes, got N".
+ *
+ * The CLI's `cli/lib/config.mjs:readAllowance()` wrapper and the MCP
+ * `src/tools/{status,init}.ts` callers translate the throw into their own
+ * structured envelopes (`code: BAD_ALLOWANCE_FILE`).
+ */
 export function readAllowance(path) {
     const p = path ?? getAllowancePath();
     if (!existsSync(p))
         return null;
+    let raw;
     try {
-        return JSON.parse(readFileSync(p, "utf-8"));
+        raw = readFileSync(p, "utf-8");
     }
     catch {
         return null;
     }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch {
+        // Preserve historical UX — completely unparseable input reads as "no
+        // allowance configured" rather than as an error. Consumers already handle
+        // null with a friendly "run 'run402 init'" message.
+        return null;
+    }
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error(`allowance.json must contain a JSON object (got ${Array.isArray(parsed) ? "array" : parsed === null ? "null" : typeof parsed}). Back up the file and run 'run402 init' to recreate it.`);
+    }
+    const data = parsed;
+    if (typeof data.address !== "string" || !ADDRESS_RE.test(data.address)) {
+        throw new Error("allowance.json missing valid 'address' (expected 0x-prefixed 40-hex string). " +
+            "Back up the file and run 'run402 init' to recreate it.");
+    }
+    if (typeof data.privateKey !== "string" || !PRIVATE_KEY_RE.test(data.privateKey)) {
+        throw new Error("allowance.json missing valid 'privateKey' (expected 0x-prefixed 64-hex string). " +
+            "Back up the file and run 'run402 init' to recreate it.");
+    }
+    return data;
 }
 export function saveAllowance(data, path) {
     const p = path ?? getAllowancePath();

package/sdk/core-dist/config.js

@@ -1,8 +1,39 @@
 import { homedir } from "node:os";
 import { join } from "node:path";
 import { existsSync, renameSync, mkdirSync } from "node:fs";
+const DEFAULT_API_BASE = "https://api.run402.com";
+/**
+ * Validate a user-supplied API base URL. Throws a clear error message that
+ * names the env var when the URL is malformed or uses a scheme other than
+ * http(s). Empty string is treated as "set but empty" (almost always a
+ * templating mishap) and emits a stderr warning before falling back to
+ * `fallback`.
+ *
+ * Returns the validated URL string (unchanged) or `null` if the env var was
+ * unset.
+ */
+function validateApiBase(envVar, raw, fallback) {
+    if (raw == null)
+        return null;
+    if (raw === "") {
+        process.stderr.write(`warning: ${envVar} is set but empty - using default. Unset the env var to suppress this warning.\n`);
+        return fallback;
+    }
+    let u;
+    try {
+        u = new URL(raw);
+    }
+    catch {
+        throw new Error(`${envVar} is not a valid URL: ${JSON.stringify(raw)}. Expected an http(s) URL like https://api.run402.com.`);
+    }
+    if (u.protocol !== "https:" && u.protocol !== "http:") {
+        throw new Error(`${envVar} must use http(s):, got ${u.protocol} (full value: ${JSON.stringify(raw)}).`);
+    }
+    return raw;
+}
 export function getApiBase() {
-    return process.env.RUN402_API_BASE || "https://api.run402.com";
+    const validated = validateApiBase("RUN402_API_BASE", process.env.RUN402_API_BASE, DEFAULT_API_BASE);
+    return validated ?? DEFAULT_API_BASE;
 }
 /**
  * API base for the deploy-v2 routes. Defaults to the same value as
@@ -12,7 +43,9 @@ export function getApiBase() {
  * should not need this override.
  */
 export function getDeployApiBase() {
-    return process.env.RUN402_DEPLOY_API_BASE || getApiBase();
+    const fallback = getApiBase();
+    const validated = validateApiBase("RUN402_DEPLOY_API_BASE", process.env.RUN402_DEPLOY_API_BASE, fallback);
+    return validated ?? fallback;
 }
 export function getConfigDir() {
     return process.env.RUN402_CONFIG_DIR || join(homedir(), ".config", "run402");

package/sdk/core-dist/wallet-auth.js

@@ -0,0 +1,62 @@
+/**
+ * Wallet auth helper — generates EIP-191 signature headers for Run402 API.
+ * Uses @noble/curves (lighter than viem) for signing.
+ */
+import { secp256k1 } from "@noble/curves/secp256k1.js";
+import { keccak_256 } from "@noble/hashes/sha3.js";
+import { bytesToHex } from "@noble/hashes/utils.js";
+import { readWallet } from "./wallet.js";
+/**
+ * EIP-191 personal_sign: sign a message with the wallet's private key.
+ */
+function personalSign(privateKeyHex, address, message) {
+    const msgBytes = new TextEncoder().encode(message);
+    const prefix = new TextEncoder().encode(`\x19Ethereum Signed Message:\n${msgBytes.length}`);
+    const prefixed = new Uint8Array(prefix.length + msgBytes.length);
+    prefixed.set(prefix);
+    prefixed.set(msgBytes, prefix.length);
+    const hash = keccak_256(prefixed);
+    const pkHex = privateKeyHex.startsWith("0x")
+        ? privateKeyHex.slice(2)
+        : privateKeyHex;
+    const pkBytes = Uint8Array.from(Buffer.from(pkHex, "hex"));
+    const rawSig = secp256k1.sign(hash, pkBytes);
+    const sig = secp256k1.Signature.fromBytes(rawSig);
+    // Determine recovery bit by trying both and matching the address
+    let recovery = 0;
+    for (const v of [0, 1]) {
+        try {
+            const recovered = sig.addRecoveryBit(v).recoverPublicKey(hash);
+            const pubBytes = recovered.toBytes(false).slice(1); // uncompressed, drop 04 prefix
+            const addrBytes = keccak_256(pubBytes).slice(-20);
+            if ("0x" + bytesToHex(addrBytes) === address.toLowerCase()) {
+                recovery = v;
+                break;
+            }
+        }
+        catch {
+            continue;
+        }
+    }
+    const r = sig.r.toString(16).padStart(64, "0");
+    const s = sig.s.toString(16).padStart(64, "0");
+    const vHex = (recovery + 27).toString(16).padStart(2, "0");
+    return "0x" + r + s + vHex;
+}
+/**
+ * Get wallet auth headers for the Run402 API.
+ * Returns null if no wallet is configured.
+ */
+export function getWalletAuthHeaders(walletPath) {
+    const wallet = readWallet(walletPath);
+    if (!wallet || !wallet.address || !wallet.privateKey)
+        return null;
+    const timestamp = Math.floor(Date.now() / 1000).toString();
+    const signature = personalSign(wallet.privateKey, wallet.address, `run402:${timestamp}`);
+    return {
+        "X-Run402-Wallet": wallet.address,
+        "X-Run402-Signature": signature,
+        "X-Run402-Timestamp": timestamp,
+    };
+}
+//# sourceMappingURL=wallet-auth.js.map

package/sdk/core-dist/wallet.js

@@ -0,0 +1,25 @@
+import { readFileSync, writeFileSync, mkdirSync, existsSync, chmodSync, renameSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { randomBytes } from "node:crypto";
+import { getWalletPath } from "./config.js";
+export function readWallet(path) {
+    const p = path ?? getWalletPath();
+    if (!existsSync(p))
+        return null;
+    try {
+        return JSON.parse(readFileSync(p, "utf-8"));
+    }
+    catch {
+        return null;
+    }
+}
+export function saveWallet(data, path) {
+    const p = path ?? getWalletPath();
+    const dir = dirname(p);
+    mkdirSync(dir, { recursive: true });
+    const tmp = join(dir, `.wallet.${randomBytes(4).toString("hex")}.tmp`);
+    writeFileSync(tmp, JSON.stringify(data, null, 2), { mode: 0o600 });
+    renameSync(tmp, p);
+    chmodSync(p, 0o600);
+}
+//# sourceMappingURL=wallet.js.map

package/sdk/dist/node/paid-fetch.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"paid-fetch.d.ts","sourceRoot":"","sources":["../../src/node/paid-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,KAAK,OAAO,GAAG,OAAO,UAAU,CAAC,KAAK,CAAC;AAgCvC,wBAAsB,cAAc,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAyE9D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAW7C"}
+{"version":3,"file":"paid-fetch.d.ts","sourceRoot":"","sources":["../../src/node/paid-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,KAAK,OAAO,GAAG,OAAO,UAAU,CAAC,KAAK,CAAC;AAgCvC,wBAAsB,cAAc,IAAI,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAmF9D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,OAAO,CAW7C"}

package/sdk/dist/node/paid-fetch.js

@@ -37,7 +37,18 @@ async function checkBalance(publicClient, tokenAddress, walletAddress) {
     }
 }
 export async function setupPaidFetch() {
-    const allowance = readAllowance();
+    // GH-194: readAllowance throws on a malformed-shape file. The SDK's
+    // contract is graceful degradation here (return null and let the caller
+    // fall back to unwrapped fetch), so swallow the error — the CLI's own
+    // readAllowance wrapper has already surfaced a structured envelope to
+    // the user.
+    let allowance;
+    try {
+        allowance = readAllowance();
+    }
+    catch {
+        return null;
+    }
     if (!allowance)
         return null;
     try {

package/sdk/dist/node/paid-fetch.js.map

@@ -1 +1 @@
-{"version":3,"file":"paid-fetch.js","sourceRoot":"","sources":["../../src/node/paid-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAI7D,MAAM,QAAQ,GAAG;IACf;QACE,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,UAAU;QAChB,eAAe,EAAE,MAAM;QACvB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAC9C,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;KACzC;CACO,CAAC;AACX,MAAM,YAAY,GAAG,4CAA4C,CAAC;AAClE,MAAM,YAAY,GAAG,4CAA4C,CAAC;AAElE,KAAK,UAAU,YAAY,CACzB,YAAkE,EAClE,YAAoB,EACpB,aAAqB;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC;YAC1C,OAAO,EAAE,YAAY;YACrB,GAAG,EAAE,QAAQ;YACb,YAAY,EAAE,WAAW;YACzB,IAAI,EAAE,CAAC,aAAa,CAAC;SACtB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,MAAM,SAAS,GAAG,aAAa,EAAE,CAAC;IAClC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,IAAI,CAAC;QACH,IAAI,SAAS,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,aAAa,CAAC;YAC9B,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAGvE,CAAC;YACF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;YAC9D,MAAM,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,UAA2B,CAAC,CAAC;YAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;gBACvB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;aAC9B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,uCAAuC;QACvC,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAC9D,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACzE,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAClE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,UAA2B,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,kBAAkB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7E,MAAM,aAAa,GAAG,kBAAkB,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAEpF,MAAM,CAAC,cAAc,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACzD,YAAY,CAAC,aAAsB,EAAE,YAAY,EAAE,SAAS,CAAC,OAAO,CAAC;YACrE,YAAY,CAAC,aAAsB,EAAE,YAAY,EAAE,SAAS,CAAC,OAAO,CAAC;SACtE,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,UAAU,EAG5B,CAAC;QACF,MAAM,CAAC,QAAQ,CACb,aAAa,EACb,IAAI,cAAc,CAAC,iBAAiB,CAAC,OAAO,EAAE,aAAsB,CAAC,CAAC,CACvE,CAAC;QACF,MAAM,CAAC,QAAQ,CACb,cAAc,EACd,IAAI,cAAc,CAAC,iBAAiB,CAAC,OAAO,EAAE,aAAsB,CAAC,CAAC,CACvE,CAAC;QAEF,IAAI,cAAc,GAAG,CAAC,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YAC7C,yEAAyE;YACzE,sEAAsE;YACtE,uEAAuE;YACvE,mBAAmB;YACnB,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;oBACvB,MAAM,KAAK,GAAG,CAA0C,CAAC;oBACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;oBAC3C,IAAI,KAAK,CAAC,OAAO,KAAK,aAAa;wBAAE,OAAO,cAAc,IAAI,QAAQ,CAAC;oBACvE,IAAI,KAAK,CAAC,OAAO,KAAK,cAAc;wBAAE,OAAO,cAAc,IAAI,QAAQ,CAAC;oBACxE,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,uEAAuE;QACvE,2EAA2E;QAC3E,MAAM,YAAY,GAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC7E,OAAO,oBAAoB,CAAC,YAAY,EAAE,MAAe,CAAY,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,MAAkC,CAAC;IACvC,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;QAClC,CAAC;QACD,uEAAuE;QACvE,yDAAyD;QACzD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC"}
+{"version":3,"file":"paid-fetch.js","sourceRoot":"","sources":["../../src/node/paid-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,8BAA8B,CAAC;AAI7D,MAAM,QAAQ,GAAG;IACf;QACE,IAAI,EAAE,WAAW;QACjB,IAAI,EAAE,UAAU;QAChB,eAAe,EAAE,MAAM;QACvB,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;QAC9C,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;KACzC;CACO,CAAC;AACX,MAAM,YAAY,GAAG,4CAA4C,CAAC;AAClE,MAAM,YAAY,GAAG,4CAA4C,CAAC;AAElE,KAAK,UAAU,YAAY,CACzB,YAAkE,EAClE,YAAoB,EACpB,aAAqB;IAErB,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC;YAC1C,OAAO,EAAE,YAAY;YACrB,GAAG,EAAE,QAAQ;YACb,YAAY,EAAE,WAAW;YACzB,IAAI,EAAE,CAAC,aAAa,CAAC;SACtB,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,oEAAoE;IACpE,wEAAwE;IACxE,sEAAsE;IACtE,sEAAsE;IACtE,YAAY;IACZ,IAAI,SAAS,CAAC;IACd,IAAI,CAAC;QACH,SAAS,GAAG,aAAa,EAAE,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAE5B,IAAI,CAAC;QACH,IAAI,SAAS,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,aAAa,CAAC;YAC9B,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,MAAM,MAAM,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAGvE,CAAC;YACF,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;YAC9D,MAAM,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,UAA2B,CAAC,CAAC;YAC3E,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC;gBACvB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC;aAC9B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC;QACpB,CAAC;QAED,uCAAuC;QACvC,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAC9D,MAAM,EAAE,kBAAkB,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1D,MAAM,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QAC1D,MAAM,EAAE,UAAU,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;QACzE,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAClE,MAAM,EAAE,iBAAiB,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;QAExD,MAAM,OAAO,GAAG,mBAAmB,CAAC,SAAS,CAAC,UAA2B,CAAC,CAAC;QAC3E,MAAM,aAAa,GAAG,kBAAkB,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7E,MAAM,aAAa,GAAG,kBAAkB,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;QAEpF,MAAM,CAAC,cAAc,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;YACzD,YAAY,CAAC,aAAsB,EAAE,YAAY,EAAE,SAAS,CAAC,OAAO,CAAC;YACrE,YAAY,CAAC,aAAsB,EAAE,YAAY,EAAE,SAAS,CAAC,OAAO,CAAC;SACtE,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,IAAI,UAAU,EAG5B,CAAC;QACF,MAAM,CAAC,QAAQ,CACb,aAAa,EACb,IAAI,cAAc,CAAC,iBAAiB,CAAC,OAAO,EAAE,aAAsB,CAAC,CAAC,CACvE,CAAC;QACF,MAAM,CAAC,QAAQ,CACb,cAAc,EACd,IAAI,cAAc,CAAC,iBAAiB,CAAC,OAAO,EAAE,aAAsB,CAAC,CAAC,CACvE,CAAC;QAEF,IAAI,cAAc,GAAG,CAAC,IAAI,cAAc,GAAG,CAAC,EAAE,CAAC;YAC7C,yEAAyE;YACzE,sEAAsE;YACtE,uEAAuE;YACvE,mBAAmB;YACnB,MAAM,CAAC,cAAc,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE;gBACvC,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;oBACvB,MAAM,KAAK,GAAG,CAA0C,CAAC;oBACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;oBAC3C,IAAI,KAAK,CAAC,OAAO,KAAK,aAAa;wBAAE,OAAO,cAAc,IAAI,QAAQ,CAAC;oBACvE,IAAI,KAAK,CAAC,OAAO,KAAK,cAAc;wBAAE,OAAO,cAAc,IAAI,QAAQ,CAAC;oBACxE,OAAO,KAAK,CAAC;gBACf,CAAC,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;QAED,uEAAuE;QACvE,2EAA2E;QAC3E,MAAM,YAAY,GAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QAC7E,OAAO,oBAAoB,CAAC,YAAY,EAAE,MAAe,CAAY,CAAC;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,MAAkC,CAAC;IACvC,OAAO,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAC3B,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,MAAM,GAAG,MAAM,cAAc,EAAE,CAAC;QAClC,CAAC;QACD,uEAAuE;QACvE,yDAAyD;QACzD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACvC,OAAO,UAAU,CAAC,KAAK,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC"}