sentri 1.1.2 → 2.0.0

package/dist/services/auth.d.ts

@@ -1,85 +0,0 @@
-import type { AssignRolesResult, AuthConfig, AuthResult, LoginInput, RefreshResult, RegisterInput, RegisterResult } from '../types/auth.js';
-/**
- * Register a new user.
- *
- * Validates that every requested role is in `validRoles`, rejects duplicate
- * identifiers, hashes the password with bcrypt, creates the user record via
- * the adapter, and returns the created user.
- *
- * No tokens are issued — the caller should invoke `login` after registration
- * if immediate authentication is desired.
- *
- * @param input - Registration data: identifier, plain-text password, and optional roles.
- * @param config - Auth configuration containing the adapter and role definitions.
- * @returns `{ success: true, user }` on success, or `{ success: false, error }` with
- *   code `INVALID_ROLE` or `USER_ALREADY_EXISTS` on failure.
- */
-export declare function register(input: RegisterInput, config: AuthConfig): Promise<RegisterResult>;
-/**
- * Authenticate an existing user by identifier and plain-text password.
- *
- * Looks up the user, verifies the password with bcrypt, creates a new session,
- * and issues a JWT access token + refresh token pair. The access token embeds
- * the session ID so that `protect()` can reject it immediately after logout
- * without waiting for the token to expire.
- *
- * The failure response always uses code `INVALID_CREDENTIALS` regardless of
- * whether the identifier or the password was wrong, preventing user enumeration.
- *
- * @param input - Login data: identifier and plain-text password.
- * @param config - Auth configuration containing the adapter and JWT settings.
- * @returns `{ success: true, accessToken, refreshToken, user }` on success, or
- *   `{ success: false, error }` with code `INVALID_CREDENTIALS` on failure.
- */
-export declare function login(input: LoginInput, config: AuthConfig): Promise<AuthResult>;
-/**
- * Exchange a valid refresh token for a new access + refresh token pair.
- *
- * Implements **session rotation**: the old session is deleted and a fresh
- * session is created, so each refresh token is single-use. An attacker
- * replaying a stolen refresh token after it has already been rotated will
- * find the session gone.
- *
- * @param refreshToken - The JWT refresh token (typically from an httpOnly cookie).
- * @param config - Auth configuration containing the adapter and JWT settings.
- * @returns `{ success: true, accessToken, refreshToken, user }` on success, or
- *   `{ success: false, error }` with code `UNAUTHORIZED`, `TOKEN_EXPIRED`, or
- *   `TOKEN_INVALID` on failure.
- */
-export declare function refresh(refreshToken: string, config: AuthConfig): Promise<RefreshResult>;
-/**
- * Invalidate a single session identified by a refresh token.
- *
- * Safe to call even when the token is already expired or invalid — the JWT
- * parse failure is silently swallowed and the function resolves normally.
- * This makes logout idempotent from the client's perspective.
- *
- * @param refreshToken - The JWT refresh token bound to the session to revoke.
- * @param config - Auth configuration containing the adapter and JWT settings.
- */
-export declare function logout(refreshToken: string, config: AuthConfig): Promise<void>;
-/**
- * Delete all sessions for a user, effectively logging them out of every device.
- *
- * Delegates to `adapter.session.deleteAllForUser`. No token is required — the
- * router route that calls this function is already guarded by `protect()`.
- *
- * @param userId - The user's primary key as stored in the database.
- * @param config - Auth configuration containing the adapter.
- */
-export declare function logoutAll(userId: string, config: AuthConfig): Promise<void>;
-/**
- * Add roles to a user account, merging them with any existing roles.
- *
- * Validates that every role in `rolesToAdd` is listed in `config.validRoles`.
- * The resulting role set is deduplicated before being persisted via
- * `adapter.user.updateRoles`.
- *
- * @param userId - The primary key of the user to update.
- * @param rolesToAdd - Role names to assign. Must all be present in `validRoles`.
- * @param config - Auth configuration containing the adapter and role definitions.
- * @returns `{ success: true, user }` on success, or `{ success: false, error }` with
- *   code `INVALID_ROLE` or `USER_NOT_FOUND` on failure.
- */
-export declare function assignRoles(userId: string, rolesToAdd: string[], config: AuthConfig): Promise<AssignRolesResult>;
-//# sourceMappingURL=auth.d.ts.map

package/dist/services/auth.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,UAAU,EAAE,UAAU,EAAE,aAAa,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAE5I;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,QAAQ,CAC5B,KAAK,EAAE,aAAa,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,cAAc,CAAC,CAoBzB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,KAAK,CACzB,KAAK,EAAE,UAAU,EACjB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,UAAU,CAAC,CAqBrB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,OAAO,CAC3B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,aAAa,CAAC,CA+BxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,MAAM,CAC1B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAQf;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,MAAM,EACd,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,IAAI,CAAC,CAEf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,MAAM,EACd,UAAU,EAAE,MAAM,EAAE,EACpB,MAAM,EAAE,UAAU,GACjB,OAAO,CAAC,iBAAiB,CAAC,CAiB5B"}

package/dist/services/auth.js

@@ -1,173 +0,0 @@
-import { SentriError } from '../errors/AuthError.js';
-import { hashPassword, verifyPassword } from '../libs/hash.js';
-import { signAccessToken, signRefreshToken, verifyRefreshToken } from '../libs/token.js';
-import { resolveConfig, parseExpiry } from '../libs/config.js';
-/**
- * Register a new user.
- *
- * Validates that every requested role is in `validRoles`, rejects duplicate
- * identifiers, hashes the password with bcrypt, creates the user record via
- * the adapter, and returns the created user.
- *
- * No tokens are issued — the caller should invoke `login` after registration
- * if immediate authentication is desired.
- *
- * @param input - Registration data: identifier, plain-text password, and optional roles.
- * @param config - Auth configuration containing the adapter and role definitions.
- * @returns `{ success: true, user }` on success, or `{ success: false, error }` with
- *   code `INVALID_ROLE` or `USER_ALREADY_EXISTS` on failure.
- */
-export async function register(input, config) {
-    const resolved = resolveConfig(config);
-    const requestedRoles = input.roles ?? [];
-    const invalidRoles = requestedRoles.filter((r) => !resolved.validRoles.includes(r));
-    if (invalidRoles.length > 0) {
-        return { success: false, error: new SentriError('INVALID_ROLE', `Invalid roles: ${invalidRoles.join(', ')}`) };
-    }
-    const identifier = input.identifier.trim();
-    const existing = await resolved.adapter.user.findByIdentifier(identifier);
-    if (existing) {
-        return { success: false, error: new SentriError('USER_ALREADY_EXISTS', 'User already exists') };
-    }
-    const passwordHash = await hashPassword(input.password, resolved.saltRounds);
-    const created = await resolved.adapter.user.create({ identifier, passwordHash, roles: requestedRoles });
-    const user = { id: created.id, identifier, roles: requestedRoles };
-    return { success: true, user };
-}
-/**
- * Authenticate an existing user by identifier and plain-text password.
- *
- * Looks up the user, verifies the password with bcrypt, creates a new session,
- * and issues a JWT access token + refresh token pair. The access token embeds
- * the session ID so that `protect()` can reject it immediately after logout
- * without waiting for the token to expire.
- *
- * The failure response always uses code `INVALID_CREDENTIALS` regardless of
- * whether the identifier or the password was wrong, preventing user enumeration.
- *
- * @param input - Login data: identifier and plain-text password.
- * @param config - Auth configuration containing the adapter and JWT settings.
- * @returns `{ success: true, accessToken, refreshToken, user }` on success, or
- *   `{ success: false, error }` with code `INVALID_CREDENTIALS` on failure.
- */
-export async function login(input, config) {
-    const resolved = resolveConfig(config);
-    const found = await resolved.adapter.user.findByIdentifier(input.identifier.trim());
-    if (!found) {
-        return { success: false, error: new SentriError('INVALID_CREDENTIALS', 'Invalid credentials') };
-    }
-    const valid = await verifyPassword(input.password, found.passwordHash);
-    if (!valid) {
-        return { success: false, error: new SentriError('INVALID_CREDENTIALS', 'Invalid credentials') };
-    }
-    const expiresAt = new Date(Date.now() + parseExpiry(resolved.refreshExpiresIn));
-    const session = await resolved.adapter.session.create({ userId: found.id, expiresAt });
-    const user = { id: found.id, identifier: found.identifier, roles: found.roles };
-    // Embed sessionId in the access token so protect() can invalidate it on logout.
-    const accessToken = signAccessToken({ ...user, sessionId: session.id }, config);
-    const refreshToken = signRefreshToken(session.id, config);
-    return { success: true, accessToken, refreshToken, user };
-}
-/**
- * Exchange a valid refresh token for a new access + refresh token pair.
- *
- * Implements **session rotation**: the old session is deleted and a fresh
- * session is created, so each refresh token is single-use. An attacker
- * replaying a stolen refresh token after it has already been rotated will
- * find the session gone.
- *
- * @param refreshToken - The JWT refresh token (typically from an httpOnly cookie).
- * @param config - Auth configuration containing the adapter and JWT settings.
- * @returns `{ success: true, accessToken, refreshToken, user }` on success, or
- *   `{ success: false, error }` with code `UNAUTHORIZED`, `TOKEN_EXPIRED`, or
- *   `TOKEN_INVALID` on failure.
- */
-export async function refresh(refreshToken, config) {
-    const resolved = resolveConfig(config);
-    let sessionId;
-    try {
-        ({ sessionId } = verifyRefreshToken(refreshToken, config));
-    }
-    catch (err) {
-        if (err instanceof SentriError)
-            return { success: false, error: err };
-        return { success: false, error: new SentriError('TOKEN_INVALID', 'Invalid refresh token') };
-    }
-    const session = await resolved.adapter.session.findById(sessionId);
-    if (!session) {
-        return { success: false, error: new SentriError('UNAUTHORIZED', 'Session not found or revoked') };
-    }
-    if (session.expiresAt < new Date()) {
-        await resolved.adapter.session.delete(sessionId);
-        return { success: false, error: new SentriError('TOKEN_EXPIRED', 'Session has expired') };
-    }
-    // rotate: delete old session, create new one
-    await resolved.adapter.session.delete(sessionId);
-    const expiresAt = new Date(Date.now() + parseExpiry(resolved.refreshExpiresIn));
-    const newSession = await resolved.adapter.session.create({ userId: session.userId, expiresAt });
-    const user = { id: session.user.id, identifier: session.user.identifier, roles: session.user.roles };
-    // Embed new sessionId in the rotated access token.
-    const newAccessToken = signAccessToken({ ...user, sessionId: newSession.id }, config);
-    const newRefreshToken = signRefreshToken(newSession.id, config);
-    return { success: true, accessToken: newAccessToken, refreshToken: newRefreshToken, user };
-}
-/**
- * Invalidate a single session identified by a refresh token.
- *
- * Safe to call even when the token is already expired or invalid — the JWT
- * parse failure is silently swallowed and the function resolves normally.
- * This makes logout idempotent from the client's perspective.
- *
- * @param refreshToken - The JWT refresh token bound to the session to revoke.
- * @param config - Auth configuration containing the adapter and JWT settings.
- */
-export async function logout(refreshToken, config) {
-    let sessionId;
-    try {
-        ({ sessionId } = verifyRefreshToken(refreshToken, config));
-    }
-    catch {
-        return; // already invalid, nothing to revoke
-    }
-    await resolveConfig(config).adapter.session.delete(sessionId);
-}
-/**
- * Delete all sessions for a user, effectively logging them out of every device.
- *
- * Delegates to `adapter.session.deleteAllForUser`. No token is required — the
- * router route that calls this function is already guarded by `protect()`.
- *
- * @param userId - The user's primary key as stored in the database.
- * @param config - Auth configuration containing the adapter.
- */
-export async function logoutAll(userId, config) {
-    await resolveConfig(config).adapter.session.deleteAllForUser(userId);
-}
-/**
- * Add roles to a user account, merging them with any existing roles.
- *
- * Validates that every role in `rolesToAdd` is listed in `config.validRoles`.
- * The resulting role set is deduplicated before being persisted via
- * `adapter.user.updateRoles`.
- *
- * @param userId - The primary key of the user to update.
- * @param rolesToAdd - Role names to assign. Must all be present in `validRoles`.
- * @param config - Auth configuration containing the adapter and role definitions.
- * @returns `{ success: true, user }` on success, or `{ success: false, error }` with
- *   code `INVALID_ROLE` or `USER_NOT_FOUND` on failure.
- */
-export async function assignRoles(userId, rolesToAdd, config) {
-    const resolved = resolveConfig(config);
-    const invalidRoles = rolesToAdd.filter((role) => !resolved.validRoles.includes(role));
-    if (invalidRoles.length > 0) {
-        return { success: false, error: new SentriError('INVALID_ROLE', `Invalid roles: ${invalidRoles.join(', ')}`) };
-    }
-    const found = await resolved.adapter.user.findById(userId);
-    if (!found) {
-        return { success: false, error: new SentriError('USER_NOT_FOUND', 'User not found') };
-    }
-    const mergedRoles = Array.from(new Set([...found.roles, ...rolesToAdd]));
-    await resolved.adapter.user.updateRoles(userId, mergedRoles);
-    return { success: true, user: { id: found.id, identifier: found.identifier, roles: mergedRoles } };
-}
-//# sourceMappingURL=auth.js.map

package/dist/services/auth.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../src/services/auth.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAC/D,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AACzF,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAG/D;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,KAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,cAAc,GAAG,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC;IACzC,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IACpF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IACjH,CAAC;IAED,MAAM,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,QAAQ,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAC1E,IAAI,QAAQ,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC7E,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC,CAAC;IAExG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,cAAc,EAAE,CAAC;IACnE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AACjC,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,KAAK,CACzB,KAAiB,EACjB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC;IACpF,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC;IACvE,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,qBAAqB,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAClG,CAAC;IAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAEvF,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC;IAChF,gFAAgF;IAChF,MAAM,WAAW,GAAG,eAAe,CAAC,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IAChF,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAC1D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,OAAO,CAC3B,YAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,GAAG,YAAY,WAAW;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;QACtE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,eAAe,EAAE,uBAAuB,CAAC,EAAE,CAAC;IAC9F,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IACnE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,cAAc,EAAE,8BAA8B,CAAC,EAAE,CAAC;IACpG,CAAC;IAED,IAAI,OAAO,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACnC,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACjD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,eAAe,EAAE,qBAAqB,CAAC,EAAE,CAAC;IAC5F,CAAC;IAED,6CAA6C;IAC7C,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAChF,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC,CAAC;IAEhG,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,EAAE,OAAO,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;IACrG,mDAAmD;IACnD,MAAM,cAAc,GAAG,eAAe,CAAC,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IACtF,MAAM,eAAe,GAAG,gBAAgB,CAAC,UAAU,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,EAAE,IAAI,EAAE,CAAC;AAC7F,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,YAAoB,EACpB,MAAkB;IAElB,IAAI,SAAiB,CAAC;IACtB,IAAI,CAAC;QACH,CAAC,EAAE,SAAS,EAAE,GAAG,kBAAkB,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,qCAAqC;IAC/C,CAAC;IACD,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAc,EACd,MAAkB;IAElB,MAAM,aAAa,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAc,EACd,UAAoB,EACpB,MAAkB;IAElB,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,MAAM,YAAY,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IACtF,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,cAAc,EAAE,kBAAkB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;IACjH,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAC3D,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,WAAW,CAAC,gBAAgB,EAAE,gBAAgB,CAAC,EAAE,CAAC;IACxF,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;IACzE,MAAM,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;IAE7D,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE,UAAU,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,CAAC;AACrG,CAAC"}