npm - varlock - Versions diffs - 1.1.0 → 1.3.0 - Mend

varlock 1.1.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (137) hide show

package/dist/audit.command-LLD5UIAW.js +16 -0
package/dist/audit.command-LLD5UIAW.js.map +1 -0
package/dist/auto-load.js +6 -6
package/dist/{chunk-QSYH5IDD.js → chunk-5DRCCFKV.js} +3 -3
package/dist/{chunk-QSYH5IDD.js.map → chunk-5DRCCFKV.js.map} +1 -1
package/dist/{chunk-E3F6QKDZ.js → chunk-C5LW5EET.js} +6 -6
package/dist/{chunk-E3F6QKDZ.js.map → chunk-C5LW5EET.js.map} +1 -1
package/dist/chunk-CESFJIM4.js +198 -0
package/dist/chunk-CESFJIM4.js.map +1 -0
package/dist/{chunk-5DUWGI2N.js → chunk-DIPEXEIL.js} +3 -3
package/dist/{chunk-5DUWGI2N.js.map → chunk-DIPEXEIL.js.map} +1 -1
package/dist/{chunk-SDN53OAC.js → chunk-F6ZYIWAR.js} +160 -72
package/dist/chunk-F6ZYIWAR.js.map +1 -0
package/dist/{chunk-2PFIYNFA.js → chunk-FA5SNEKN.js} +30 -13
package/dist/chunk-FA5SNEKN.js.map +1 -0
package/dist/{chunk-XWYFSG46.js → chunk-GKN3UJNE.js} +651 -821
package/dist/chunk-GKN3UJNE.js.map +1 -0
package/dist/{chunk-TQXYC3G3.js → chunk-HH647LSU.js} +5 -5
package/dist/{chunk-TQXYC3G3.js.map → chunk-HH647LSU.js.map} +1 -1
package/dist/{chunk-6RF54KKR.js → chunk-HMWAOBZR.js} +78 -24
package/dist/chunk-HMWAOBZR.js.map +1 -0
package/dist/{chunk-H6NILU2I.js → chunk-INGOLNLE.js} +4 -4
package/dist/{chunk-H6NILU2I.js.map → chunk-INGOLNLE.js.map} +1 -1
package/dist/{chunk-JIUWL2NT.js → chunk-IO2OGZQU.js} +9 -9
package/dist/chunk-IO2OGZQU.js.map +1 -0
package/dist/chunk-IRXBCLL2.js +2045 -0
package/dist/chunk-IRXBCLL2.js.map +1 -0
package/dist/{chunk-QP7TS4SU.js → chunk-JOGGSYT2.js} +6 -6
package/dist/chunk-JOGGSYT2.js.map +1 -0
package/dist/{chunk-F6RTQ5QX.js → chunk-KFALDUEO.js} +3 -3
package/dist/{chunk-F6RTQ5QX.js.map → chunk-KFALDUEO.js.map} +1 -1
package/dist/{chunk-VN4LKYXR.js → chunk-KI5QLKPU.js} +6 -6
package/dist/{chunk-VN4LKYXR.js.map → chunk-KI5QLKPU.js.map} +1 -1
package/dist/{chunk-JUPAI2X4.js → chunk-M6QE3D2O.js} +7 -7
package/dist/{chunk-JUPAI2X4.js.map → chunk-M6QE3D2O.js.map} +1 -1
package/dist/{chunk-CDLU5P62.js → chunk-MPHVA4WC.js} +3 -3
package/dist/{chunk-CDLU5P62.js.map → chunk-MPHVA4WC.js.map} +1 -1
package/dist/{chunk-U2O3AUM2.js → chunk-NW4KR67N.js} +8 -8
package/dist/{chunk-U2O3AUM2.js.map → chunk-NW4KR67N.js.map} +1 -1
package/dist/{chunk-S5O4AAVX.js → chunk-OGGTDFVX.js} +8 -8
package/dist/{chunk-S5O4AAVX.js.map → chunk-OGGTDFVX.js.map} +1 -1
package/dist/chunk-P33JXOU6.js +523 -0
package/dist/chunk-P33JXOU6.js.map +1 -0
package/dist/{chunk-R73FENLU.js → chunk-QDEAHBCB.js} +3 -3
package/dist/{chunk-R73FENLU.js.map → chunk-QDEAHBCB.js.map} +1 -1
package/dist/{chunk-RBFS2QGC.js → chunk-RQZZDYWL.js} +8 -8
package/dist/{chunk-RBFS2QGC.js.map → chunk-RQZZDYWL.js.map} +1 -1
package/dist/{chunk-MGWUDHT5.js → chunk-UUJK65RS.js} +11 -3
package/dist/chunk-UUJK65RS.js.map +1 -0
package/dist/{chunk-A6THM3IR.js → chunk-WJLMLKSG.js} +5 -5
package/dist/{chunk-A6THM3IR.js.map → chunk-WJLMLKSG.js.map} +1 -1
package/dist/{chunk-YO6WHPM4.js → chunk-WTBUNHUJ.js} +5 -5
package/dist/{chunk-YO6WHPM4.js.map → chunk-WTBUNHUJ.js.map} +1 -1
package/dist/chunk-XUY3HAO2.js +171 -0
package/dist/chunk-XUY3HAO2.js.map +1 -0
package/dist/{chunk-ZJNDICC4.js → chunk-XXSPHSF7.js} +6 -6
package/dist/{chunk-ZJNDICC4.js.map → chunk-XXSPHSF7.js.map} +1 -1
package/dist/{chunk-GURKQO4J.js → chunk-YWTIKDGU.js} +7 -2
package/dist/chunk-YWTIKDGU.js.map +1 -0
package/dist/{chunk-F5H5MJ6U.js → chunk-ZTFQ7ZVH.js} +2 -5
package/dist/chunk-ZTFQ7ZVH.js.map +1 -0
package/dist/cli/cli-executable.js +54 -51
package/dist/cli/cli-executable.js.map +1 -1
package/dist/config-item-SQFJ2BJ2.js +7 -0
package/dist/{config-item-6LTV4PNH.js.map → config-item-SQFJ2BJ2.js.map} +1 -1
package/dist/dist-ZBZ52DPW.js +4 -0
package/dist/{dist-WGIHRGBZ.js.map → dist-ZBZ52DPW.js.map} +1 -1
package/dist/dotenv-compat.js +6 -6
package/dist/encrypt.command-WISNYCTG.js +14 -0
package/dist/{encrypt.command-F2OTB6HD.js.map → encrypt.command-WISNYCTG.js.map} +1 -1
package/dist/{env-graph-iNQyTcya.d.ts → env-graph-DImkUkjl.d.ts} +30 -19
package/dist/explain.command-THO6CRHD.js +15 -0
package/dist/{explain.command-TEIPRC7Q.js.map → explain.command-THO6CRHD.js.map} +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +14 -15
package/dist/index.js.map +1 -1
package/dist/init.command-3EDACW36.js +14 -0
package/dist/{init.command-5LP3UFKD.js.map → init.command-3EDACW36.js.map} +1 -1
package/dist/install-plugin.command-MXBZTBTE.js +13 -0
package/dist/{install-plugin.command-X7RSLPUJ.js.map → install-plugin.command-MXBZTBTE.js.map} +1 -1
package/dist/lib/exec-sync-varlock.js +1 -1
package/dist/load.command-XRABTXAE.js +15 -0
package/dist/{load.command-7SQRDQ3E.js.map → load.command-XRABTXAE.js.map} +1 -1
package/dist/lock.command-O5MPBQ2I.js +7 -0
package/dist/{lock.command-4LTGMJA3.js.map → lock.command-O5MPBQ2I.js.map} +1 -1
package/dist/plugin-lib.d.ts +2 -2
package/dist/plugin-lib.js +2 -2
package/dist/printenv.command-DLCI4IPZ.js +15 -0
package/dist/{printenv.command-ON7RMFEU.js.map → printenv.command-DLCI4IPZ.js.map} +1 -1
package/dist/reveal.command-6BTK3FJZ.js +15 -0
package/dist/{reveal.command-BW6XYVXH.js.map → reveal.command-6BTK3FJZ.js.map} +1 -1
package/dist/run.command-5CIHZECD.js +16 -0
package/dist/{run.command-5QADABYL.js.map → run.command-5CIHZECD.js.map} +1 -1
package/dist/runtime/env.d.ts +1 -1
package/dist/runtime/env.js +1 -1
package/dist/runtime/init-edge.cjs +9 -1
package/dist/runtime/init-server.cjs +9 -1
package/dist/runtime/patch-console.js +2 -2
package/dist/runtime/patch-response.js +2 -2
package/dist/runtime/patch-server-response.js +2 -2
package/dist/scan.command-PW3OOLQY.js +16 -0
package/dist/{scan.command-ZVW3XAUG.js.map → scan.command-PW3OOLQY.js.map} +1 -1
package/dist/telemetry.command-TZDNG2WR.js +13 -0
package/dist/{telemetry.command-PY6E4QSH.js.map → telemetry.command-TZDNG2WR.js.map} +1 -1
package/dist/typegen.command-QD26Q3MP.js +14 -0
package/dist/{typegen.command-KZ4O5IKQ.js.map → typegen.command-QD26Q3MP.js.map} +1 -1
package/native-bins/darwin/VarlockEnclave.app/Contents/CodeResources +0 -0
package/native-bins/darwin/VarlockEnclave.app/Contents/MacOS/varlock-local-encrypt +0 -0
package/native-bins/win32-x64/varlock-local-encrypt.exe +0 -0
package/package.json +2 -2
package/dist/chunk-2PFIYNFA.js.map +0 -1
package/dist/chunk-6RF54KKR.js.map +0 -1
package/dist/chunk-7GFD2ATN.js +0 -136
package/dist/chunk-7GFD2ATN.js.map +0 -1
package/dist/chunk-F5H5MJ6U.js.map +0 -1
package/dist/chunk-GURKQO4J.js.map +0 -1
package/dist/chunk-HDKXXS2X.js +0 -1959
package/dist/chunk-HDKXXS2X.js.map +0 -1
package/dist/chunk-JIUWL2NT.js.map +0 -1
package/dist/chunk-MGWUDHT5.js.map +0 -1
package/dist/chunk-QP7TS4SU.js.map +0 -1
package/dist/chunk-SDN53OAC.js.map +0 -1
package/dist/chunk-XWYFSG46.js.map +0 -1
package/dist/config-item-6LTV4PNH.js +0 -7
package/dist/dist-WGIHRGBZ.js +0 -4
package/dist/encrypt.command-F2OTB6HD.js +0 -14
package/dist/explain.command-TEIPRC7Q.js +0 -15
package/dist/init.command-5LP3UFKD.js +0 -13
package/dist/install-plugin.command-X7RSLPUJ.js +0 -13
package/dist/load.command-7SQRDQ3E.js +0 -15
package/dist/lock.command-4LTGMJA3.js +0 -7
package/dist/printenv.command-ON7RMFEU.js +0 -15
package/dist/reveal.command-BW6XYVXH.js +0 -15
package/dist/run.command-5QADABYL.js +0 -16
package/dist/scan.command-ZVW3XAUG.js +0 -16
package/dist/telemetry.command-PY6E4QSH.js +0 -13
package/dist/typegen.command-KZ4O5IKQ.js +0 -15

package/dist/chunk-YWTIKDGU.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/lib/local-encrypt/binary-resolver.ts","../src/lib/local-encrypt/daemon-client.ts","../src/lib/local-encrypt/crypto.ts","../src/lib/local-encrypt/file-backend.ts","../src/lib/local-encrypt/index.ts"],"names":["__dirname","debug","path","fs","DEFAULT_KEY_ID","keyExists","generateKey","encryptValue","result","decryptValue"],"mappings":";;;;;;;;;AAiBA,IAAMA,cAAY,IAAA,CAAK,OAAA,CAAQ,aAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA;AAG7D,SAAS,MAAM,GAAA,EAAa;AAC1B,EAAA,IAAI,OAAA,CAAQ,IAAI,aAAA,EAAe;AAC7B,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,0BAAA,EAA6B,GAAG;AAAA,CAAI,CAAA;AAAA,EAC3D;AACF;AAJS,MAAA,CAAA,KAAA,EAAA,OAAA,CAAA;AAMT,IAAM,WAAA,GAAc,uBAAA;AACpB,IAAM,gBAAA,GAAmB,oBAAA;AAMzB,SAAS,kBAAA,GAA6B;AACpC,EAAA,IAAI,GAAA,GAAMA,WAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,IAAA,MAAM,WAAA,GAAc,IAAA,CAAK,IAAA,CAAK,GAAA,EAAK,cAAc,CAAA;AACjD,IAAA,IAAI,EAAA,CAAG,UAAA,CAAW,WAAW,CAAA,EAAG;AAC9B,MAAA,IAAI;AACF,QAAA,MAAM,UAAU,IAAA,CAAK,KAAA,CAAM,GAAG,YAAA,CAAa,WAAA,EAAa,OAAO,CAAC,CAAA;AAChE,QAAA,IAAI,OAAA,CAAQ,IAAA,KAAS,SAAA,EAAW,OAAO,GAAA;AAAA,MACzC,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AACA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA;AAC/B,IAAA,IAAI,WAAW,GAAA,EAAK;AACpB,IAAA,GAAA,GAAM,MAAA;AAAA,EACR;AAGA,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQA,WAAA,EAAW,IAAA,EAAM,MAAM,IAAI,CAAA;AACjD;AAnBS,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAsBT,SAAS,qBAAA,GAAgC;AACvC,EAAA,IAAI,QAAQ,QAAA,KAAa,OAAA,IAAW,OAAM,EAAG,OAAO,GAAG,WAAW,CAAA,IAAA,CAAA;AAClE,EAAA,OAAO,WAAA;AACT;AAHS,MAAA,CAAA,qBAAA,EAAA,uBAAA,CAAA;AAMT,SAAS,kBAAA,GAA6B;AACpC,EAAA,IAAI,OAAA,CAAQ,QAAA,KAAa,QAAA,EAAU,OAAO,QAAA;AAC1C,EAAA,IAAI,QAAQ,QAAA,KAAa,OAAA,EAAS,OAAO,CAAA,MAAA,EAAS,QAAQ,IAAI,CAAA,CAAA;AAE9D,EAAA,IAAI,KAAA,IAAS,OAAO,WAAA;AACpB,EAAA,OAAO,CAAA,EAAG,OAAA,CAAQ,QAAQ,CAAA,CAAA,EAAI,QAAQ,IAAI,CAAA,CAAA;AAC5C;AANS,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAWT,SAAS,mBAAmB,GAAA,EAAiC;AAE3D,EAAA,MAAM,gBAAgB,IAAA,CAAK,IAAA,CAAK,KAAK,gBAAA,EAAkB,UAAA,EAAY,SAAS,WAAW,CAAA;AACvF,EAAA,IAAI,EAAA,CAAG,UAAA,CAAW,aAAa,CAAA,EAAG,OAAO,aAAA;AAGzC,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,GAAA,EAAK,WAAW,CAAA;AAC3C,EAAA,IAAI,EAAA,CAAG,UAAA,CAAW,QAAQ,CAAA,EAAG,OAAO,QAAA;AAEpC,EAAA,OAAO,MAAA;AACT;AAVS,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAeT,SAAS,sBAAsB,GAAA,EAAiC;AAC9D,EAAA,MAAM,UAAA,GAAa,IAAA,CAAK,IAAA,CAAK,GAAA,EAAK,uBAAuB,CAAA;AACzD,EAAA,IAAI,EAAA,CAAG,UAAA,CAAW,UAAU,CAAA,EAAG,OAAO,UAAA;AACtC,EAAA,OAAO,MAAA;AACT;AAJS,MAAA,CAAA,qBAAA,EAAA,uBAAA,CAAA;AAST,SAAS,qBAAqB,GAAA,EAAiC;AAC7D,EAAA,IAAI,OAAA,CAAQ,QAAA,KAAa,QAAA,EAAU,OAAO,mBAAmB,GAAG,CAAA;AAChE,EAAA,OAAO,sBAAsB,GAAG,CAAA;AAClC;AAHS,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAUT,SAAS,iBAAA,GAAwC;AAC/C,EAAA,MAAM,UAAU,IAAA,CAAK,OAAA,CAAQ,GAAG,YAAA,CAAa,OAAA,CAAQ,QAAQ,CAAC,CAAA;AAG9D,EAAA,MAAM,OAAA,GAAU,qBAAqB,OAAO,CAAA;AAC5C,EAAA,IAAI,SAAS,OAAO,OAAA;AAGpB,EAAA,MAAM,UAAA,GAAa,IAAA,CAAK,IAAA,CAAK,OAAA,EAAS,MAAM,SAAS,CAAA;AACrD,EAAA,OAAO,qBAAqB,UAAU,CAAA;AACxC;AAVS,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAgBT,SAAS,iBAAA,GAAwC;AAC/C,EAAA,MAAM,cAAc,kBAAA,EAAmB;AACvC,EAAA,MAAM,gBAAgB,IAAA,CAAK,IAAA,CAAK,WAAA,EAAa,aAAA,EAAe,oBAAoB,CAAA;AAChF,EAAA,IAAI,GAAG,UAAA,CAAW,aAAa,CAAA,EAAG,OAAO,qBAAqB,aAAa,CAAA;AAG3E,EAAA,MAAM,qBAAA,GAAwB,KAAK,IAAA,CAAK,IAAA,CAAK,QAAQ,WAAW,CAAA,EAAG,aAAA,EAAe,kBAAA,EAAoB,CAAA;AACtG,EAAA,IAAI,GAAG,UAAA,CAAW,qBAAqB,CAAA,EAAG,OAAO,qBAAqB,qBAAqB,CAAA;AAE3F,EAAA,OAAO,MAAA;AACT;AAVS,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAgBT,SAAS,kBAAA,GAAyC;AAChD,EAAA,IAAI,GAAA,GAAMA,WAAA;AACV,EAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,OAAA,CAAQ,GAAG,CAAA;AAC/B,IAAA,IAAI,WAAW,GAAA,EAAK;AACpB,IAAA,GAAA,GAAM,MAAA;AAGN,IAAA,IAAI,OAAA,CAAQ,aAAa,QAAA,EAAU;AACjC,MAAA,MAAM,UAAA,GAAa,KAAK,IAAA,CAAK,GAAA,EAAK,YAAY,yBAAA,EAA2B,OAAA,EAAS,QAAA,EAAU,SAAA,EAAW,gBAAgB,CAAA;AACvH,MAAA,IAAI,EAAA,CAAG,UAAA,CAAW,UAAU,CAAA,EAAG,OAAO,UAAA;AAAA,IACxC;AAGA,IAAA,MAAM,SAAA,GAAY,KAAK,IAAA,CAAK,GAAA,EAAK,YAAY,wBAAA,EAA0B,QAAA,EAAU,SAAA,EAAW,qBAAA,EAAuB,CAAA;AACnH,IAAA,IAAI,EAAA,CAAG,UAAA,CAAW,SAAS,CAAA,EAAG,OAAO,SAAA;AAAA,EACvC;AAEA,EAAA,OAAO,MAAA;AACT;AAnBS,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AA0BT,SAAS,iBAAiB,UAAA,EAA4B;AACpD,EAAA,IAAI;AACF,IAAA,EAAA,CAAG,UAAA,CAAW,UAAA,EAAY,EAAA,CAAG,SAAA,CAAU,IAAI,CAAA;AAAA,EAC7C,CAAA,CAAA,MAAQ;AAEN,IAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,MAAA,EAAA,CAAG,SAAA,CAAU,YAAY,GAAK,CAAA;AAAA,IAChC;AAAA,EACF;AACA,EAAA,OAAO,UAAA;AACT;AAVS,MAAA,CAAA,gBAAA,EAAA,kBAAA,CAAA;AAgBT,IAAI,iBAAA,GAA+C,IAAA;AAE5C,SAAS,mBAAA,GAA0C;AACxD,EAAA,IAAI,iBAAA,KAAsB,MAAM,OAAO,iBAAA;AAEvC,EAAA,IAAI,OAAA,CAAQ,IAAI,uCAAA,EAAyC;AACvD,IAAA,KAAA,CAAM,yFAAoF,CAAA;AAC1F,IAAA,iBAAA,GAAoB,MAAA;AACpB,IAAA,OAAO,MAAA;AAAA,EACT;AAEA,EAAA,KAAA,CAAM,CAAA,oBAAA,EAAuB,OAAA,CAAQ,QAAQ,CAAA,QAAA,EAAW,KAAA,EAAO,CAAA,aAAA,EAAgB,qBAAA,EAAuB,CAAA,SAAA,EAAY,kBAAA,EAAoB,CAAA,CAAE,CAAA;AAExI,EAAA,MAAM,aAAa,iBAAA,EAAkB;AACrC,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,KAAA,CAAM,CAAA,0BAAA,EAA6B,UAAU,CAAA,CAAE,CAAA;AAC/C,IAAA,iBAAA,GAAoB,iBAAiB,UAAU,CAAA;AAC/C,IAAA,OAAO,iBAAA;AAAA,EACT;AAEA,EAAA,MAAM,aAAa,iBAAA,EAAkB;AACrC,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,KAAA,CAAM,CAAA,0BAAA,EAA6B,UAAU,CAAA,CAAE,CAAA;AAC/C,IAAA,iBAAA,GAAoB,iBAAiB,UAAU,CAAA;AAC/C,IAAA,OAAO,iBAAA;AAAA,EACT;AAEA,EAAA,MAAM,cAAc,kBAAA,EAAmB;AACvC,EAAA,IAAI,WAAA,EAAa;AACf,IAAA,KAAA,CAAM,CAAA,2BAAA,EAA8B,WAAW,CAAA,CAAE,CAAA;AACjD,IAAA,iBAAA,GAAoB,iBAAiB,WAAW,CAAA;AAChD,IAAA,OAAO,iBAAA;AAAA,EACT;AAEA,EAAA,KAAA,CAAM,iDAAiD,CAAA;AACvD,EAAA,KAAA,CAAM,sBAAsB,IAAA,CAAK,OAAA,CAAQ,OAAA,CAAQ,QAAQ,CAAC,CAAA,CAAE,CAAA;AAC5D,EAAA,MAAM,cAAc,kBAAA,EAAmB;AACvC,EAAA,KAAA,CAAM,CAAA,mBAAA,EAAsB,KAAK,IAAA,CAAK,WAAA,EAAa,eAAe,kBAAA,EAAoB,CAAC,CAAA,CAAE,CAAA;AACzF,EAAA,iBAAA,GAAoB,MAAA;AACpB,EAAA,OAAO,MAAA;AACT;AAtCgB,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;AC1JhB,IAAM,eAAA,GAAkB,GAAA;AAOxB,IAAM,oBAAA,GAAuB,GAAA;AAE7B,IAAM,yBAAyB,CAAA,GAAI,GAAA;AAEnC,IAAM,aAAA,GAAgB,GAAA;AAEtB,SAASC,OAAM,GAAA,EAAa;AAC1B,EAAA,IAAI,OAAA,CAAQ,IAAI,aAAA,EAAe;AAC7B,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,wBAAA,EAA2B,GAAG;AAAA,CAAI,CAAA;AAAA,EACzD;AACF;AAJS,MAAA,CAAAA,MAAAA,EAAA,OAAA,CAAA;AAeT,SAAS,kBAAkB,GAAA,EAAsB;AAC/C,EAAA,IAAI;AACF,IAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,SAAS,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,MAAM,KAAA,GAAQ,KAAK,GAAA,EAAI;AACvB,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,KAAA,GAAQ,aAAA,EAAe;AACzC,IAAA,IAAI;AACF,MAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAC,CAAA;AAAA,IACrB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK,IAAI,UAAA,CAAW,IAAI,iBAAA,CAAkB,CAAC,CAAC,CAAA,EAAG,CAAA,EAAG,CAAA,EAAG,GAAG,CAAA;AAAA,EAClE;AAGA,EAAAA,MAAAA,CAAM,CAAA,WAAA,EAAc,GAAG,CAAA,2CAAA,CAA6C,CAAA;AACpE,EAAA,IAAI;AACF,IAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,SAAS,CAAA;AAAA,EAC7B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,IAAA;AAAA,EACT;AAGA,EAAA,MAAM,SAAA,GAAY,KAAK,GAAA,EAAI;AAC3B,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA,GAAY,GAAA,EAAK;AACnC,IAAA,IAAI;AACF,MAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAC,CAAA;AAAA,IACrB,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,IAAA;AAAA,IACT;AACA,IAAA,OAAA,CAAQ,IAAA,CAAK,IAAI,UAAA,CAAW,IAAI,iBAAA,CAAkB,CAAC,CAAC,CAAA,EAAG,CAAA,EAAG,CAAA,EAAG,EAAE,CAAA;AAAA,EACjE;AAIA,EAAAA,MAAAA,CAAM,CAAA,WAAA,EAAc,GAAG,CAAA,+EAAA,CAA4E,CAAA;AACnG,EAAA,OAAO,KAAA;AACT;AA1CS,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AA4CT,SAAS,YAAA,GAAuB;AAC9B,EAAA,OAAOC,IAAAA,CAAK,IAAA,CAAK,iBAAA,EAAkB,EAAG,eAAe,CAAA;AACvD;AAFS,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;AAIT,SAAS,aAAA,GAAwB;AAC/B,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAEhC,IAAA,OAAO,oCAAA;AAAA,EACT;AACA,EAAA,OAAOA,IAAAA,CAAK,IAAA,CAAK,YAAA,EAAa,EAAG,aAAa,CAAA;AAChD;AANS,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAQT,SAAS,WAAA,GAAsB;AAC7B,EAAA,OAAO,CAAA,EAAG,eAAe,CAAA,KAAA,CAAA;AAC3B;AAFS,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AAIT,SAAS,UAAA,GAAqB;AAC5B,EAAA,OAAOA,IAAAA,CAAK,IAAA,CAAK,YAAA,EAAa,EAAG,YAAY,CAAA;AAC/C;AAFS,MAAA,CAAA,UAAA,EAAA,YAAA,CAAA;AAIT,SAAS,iBAAA,GAA4B;AACnC,EAAA,OAAOA,IAAAA,CAAK,IAAA,CAAK,YAAA,EAAa,EAAG,aAAa,CAAA;AAChD;AAFS,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAKT,SAAS,mBAAA,GAAqC;AAC5C,EAAA,MAAM,KAAA,GAAQ,CAAC,UAAA,EAAW,EAAG,mBAAmB,CAAA;AAChD,EAAA,IAAI,OAAA,CAAQ,aAAa,OAAA,EAAS;AAChC,IAAA,KAAA,CAAM,IAAA,CAAK,aAAA,EAAc,EAAG,WAAA,EAAa,CAAA;AAAA,EAC3C;AACA,EAAA,OAAO,KAAA;AACT;AANS,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;AAST,SAAS,kBAAA,GAA2B;AAClC,EAAA,KAAA,MAAW,IAAA,IAAQ,qBAAoB,EAAG;AACxC,IAAA,IAAI;AACF,MAAAC,EAAAA,CAAG,WAAW,IAAI,CAAA;AAAA,IACpB,CAAA,CAAA,MAAQ;AAAA,IAAe;AAAA,EACzB;AACF;AANS,MAAA,CAAA,kBAAA,EAAA,oBAAA,CAAA;AAgBT,SAAS,sBAAA,GAA6C;AACpD,EAAA,MAAM,WAAW,iBAAA,EAAkB;AACnC,EAAA,MAAM,UAAU,UAAA,EAAW;AAE3B,EAAA,IAAI,IAAA;AACJ,EAAA,IAAI;AACF,IAAA,IAAA,GAAO,KAAK,KAAA,CAAMA,EAAAA,CAAG,YAAA,CAAa,QAAA,EAAU,OAAO,CAAC,CAAA;AAAA,EACtD,CAAA,CAAA,MAAQ;AAAA,EAER;AAEA,EAAA,MAAM,oBAAoB,mBAAA,EAAoB;AAC9C,EAAA,IAAI,CAAC,mBAAmB,OAAO,MAAA;AAE/B,EAAA,IAAI,IAAA,EAAM;AAER,IAAA,IAAI,iBAAA,KAAsB,KAAK,UAAA,EAAY;AACzC,MAAAF,OAAM,CAAA,4BAAA,EAA+B,IAAA,CAAK,UAAU,CAAA,QAAA,EAAM,iBAAiB,CAAA,CAAE,CAAA;AAAA,IAC/E,CAAA,MAAO;AAEL,MAAA,IAAI;AACF,QAAA,MAAM,IAAA,GAAOE,EAAAA,CAAG,QAAA,CAAS,iBAAiB,CAAA;AAC1C,QAAA,IAAI,IAAA,CAAK,OAAA,KAAY,IAAA,CAAK,aAAA,EAAe;AACvC,UAAAF,OAAM,mDAA8C,CAAA;AACpD,UAAA,OAAO,KAAA,CAAA;AAAA,QACT;AACA,QAAAA,OAAM,CAAA,6BAAA,EAAgC,IAAA,CAAK,aAAa,CAAA,QAAA,EAAM,IAAA,CAAK,OAAO,CAAA,CAAE,CAAA;AAAA,MAC9E,CAAA,CAAA,MAAQ;AACN,QAAA,OAAO,MAAA;AAAA,MACT;AAAA,IACF;AAAA,EACF,CAAA,MAAO;AACL,IAAAA,OAAM,6DAAwD,CAAA;AAAA,EAChE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,GAAA,GAAM,SAASE,EAAAA,CAAG,YAAA,CAAa,SAAS,OAAO,CAAA,CAAE,IAAA,EAAK,EAAG,EAAE,CAAA;AACjE,IAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAC,CAAA;AACnB,IAAA,OAAO,GAAA;AAAA,EACT,CAAA,CAAA,MAAQ;AAEN,IAAAF,OAAM,0DAAqD,CAAA;AAC3D,IAAA,kBAAA,EAAmB;AACnB,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AA9CS,MAAA,CAAA,sBAAA,EAAA,wBAAA,CAAA;AAiDT,SAAS,gBAAgB,UAAA,EAA0B;AACjD,EAAA,IAAI;AACF,IAAA,MAAM,IAAA,GAAOE,EAAAA,CAAG,QAAA,CAAS,UAAU,CAAA;AACnC,IAAAA,EAAAA,CAAG,aAAA,CAAc,iBAAA,EAAkB,EAAG,KAAK,SAAA,CAAU;AAAA,MACnD,UAAA;AAAA,MACA,eAAe,IAAA,CAAK;AAAA,KACrB,CAAC,CAAA;AAAA,EACJ,CAAA,CAAA,MAAQ;AAAA,EAER;AACF;AAVS,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAYF,IAAM,eAAN,MAAmB;AAAA,EAnN1B;AAmN0B,IAAA,MAAA,CAAA,IAAA,EAAA,cAAA,CAAA;AAAA;AAAA,EAChB,MAAA,GAA4B,IAAA;AAAA,EAC5B,YAAA,uBAAmB,GAAA,EAGxB;AAAA,EACK,WAAA,GAAc,KAAA;AAAA,EACd,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AAAA,EACvB,iBAAA,GAA0C,IAAA;AAAA;AAAA,EAE1C,oBAAA,GAAuB,KAAA;AAAA,EAE/B,MAAM,eAAA,GAAiC;AACrC,IAAA,IAAI,IAAA,CAAK,WAAA,IAAe,IAAA,CAAK,MAAA,EAAQ;AAIrC,IAAA,IAAI,IAAA,CAAK,iBAAA,EAAmB,OAAO,IAAA,CAAK,iBAAA;AAExC,IAAA,IAAA,CAAK,iBAAA,GAAoB,KAAK,SAAA,EAAU;AACxC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,iBAAA;AAAA,IACb,CAAA,SAAE;AACA,MAAA,IAAA,CAAK,iBAAA,GAAoB,IAAA;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAA,GAA+B;AACnC,IAAA,IAAI,IAAA,CAAK,WAAA,IAAe,IAAA,CAAK,MAAA,EAAQ,OAAO,IAAA;AAC5C,IAAA,MAAM,aAAa,aAAA,EAAc;AACjC,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,gBAAgB,UAAU,CAAA;AACrC,MAAA,OAAO,IAAA;AAAA,IACT,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,KAAA;AAAA,IACT;AAAA,EACF;AAAA,EAEA,MAAc,SAAA,GAA2B;AACvC,IAAA,MAAM,aAAa,aAAA,EAAc;AAGjC,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,oBAAA,GAAuB,MAAA,GAAY,sBAAA,EAAuB;AAChF,IAAA,IAAI,QAAA,EAAU;AACZ,MAAAF,MAAAA,CAAM,CAAA,0BAAA,EAA6B,QAAQ,CAAA,gCAAA,CAA6B,CAAA;AACxE,MAAA,iBAAA,CAAkB,QAAQ,CAAA;AAC1B,MAAA,kBAAA,EAAmB;AAAA,IACrB,CAAA,MAAO;AACL,MAAA,IAAI;AACF,QAAA,MAAM,IAAA,CAAK,gBAAgB,UAAU,CAAA;AACrC,QAAA;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,KAAK,WAAA,EAAY;AAAA,IACzB,SAAS,GAAA,EAAK;AAGZ,MAAAA,OAAM,CAAA,oBAAA,EAAuB,GAAA,YAAe,QAAQ,GAAA,CAAI,OAAA,GAAU,GAAG,CAAA,CAAE,CAAA;AACvE,MAAA,MAAM,IAAI,OAAA,CAAc,CAAC,CAAA,KAAM;AAC7B,QAAA,UAAA,CAAW,GAAG,GAAI,CAAA;AAAA,MACpB,CAAC,CAAA;AAAA,IACH;AACA,IAAA,MAAM,IAAA,CAAK,gBAAgB,UAAU,CAAA;AAAA,EACvC;AAAA,EAEA,MAAM,OAAA,CAAQ,UAAA,EAAoB,KAAA,GAAQ,iBAAA,EAAoC;AAC5E,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY;AAAA,QACpC,MAAA,EAAQ,SAAA;AAAA,QACR,OAAA,EAAS,EAAE,UAAA,EAAY,KAAA;AAAM,SAC5B,oBAAoB,CAAA;AACvB,MAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,MAAA,IAAI,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,IAAY,WAAW,MAAA,EAAQ;AAC7D,QAAA,MAAM,IAAI,KAAA,CAAM,MAAA,CAAO,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MACtC;AACA,MAAA,OAAO,OAAO,MAAM,CAAA;AAAA,IACtB,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,aAAa,IAAA,EAIa;AAC9B,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY;AAAA,UACpC,MAAA,EAAQ,eAAA;AAAA,UACR,OAAA,EAAS;AAAA,YACP,SAAS,IAAA,EAAM,OAAA;AAAA,YACf,SAAS,IAAA,EAAM,OAAA;AAAA,YACf,OAAO,IAAA,EAAM;AAAA;AACf,WACC,sBAAsB,CAAA;AACzB,QAAA,IAAI,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,IAAY,gBAAgB,MAAA,EAAQ;AAClE,UAAA,OAAO,MAAA,CAAO,UAAA;AAAA,QAChB;AACA,QAAA,OAAO,KAAA,CAAA;AAAA,MACT,SAAS,GAAA,EAAK;AACZ,QAAA,IAAI,GAAA,YAAe,KAAA,IAAS,GAAA,CAAI,OAAA,KAAY,aAAa,OAAO,MAAA;AAChE,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,iBAAA,GAAmC;AACvC,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,MAAM,IAAA,CAAK,WAAA,CAAY,EAAE,MAAA,EAAQ,sBAAsB,CAAA;AAAA,IACzD,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,YAAY,IAAA,EAAkG;AAClH,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAG3B,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY;AAAA,QACpC,MAAA,EAAQ,cAAA;AAAA,QACR,OAAA,EAAS;AAAA,SACR,oBAAoB,CAAA;AACvB,MAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,MAAA,IAAI,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,IAAY,WAAW,MAAA,EAAQ;AAC7D,QAAA,MAAM,IAAI,KAAA,CAAM,MAAA,CAAO,MAAA,CAAO,KAAK,CAAC,CAAA;AAAA,MACtC;AACA,MAAA,OAAO,OAAO,MAAM,CAAA;AAAA,IACtB,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,eAAe,IAAA,EAAgF;AACnG,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY;AAAA,QACpC,MAAA,EAAQ,iBAAA;AAAA,QACR,OAAA,EAAS,QAAQ;AAAC,OACnB,CAAA;AACD,MAAA,OAAQ,UAAU,EAAC;AAAA,IACrB,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,aAAa,IAAA,EAAmE;AACpF,IAAA,OAAO,IAAA,CAAK,UAAU,YAAY;AAChC,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,IAAI;AACF,QAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY;AAAA,UACpC,MAAA,EAAQ,eAAA;AAAA,UACR,OAAA,EAAS,EAAE,OAAA,EAAS,IAAA,EAAM,OAAA;AAAQ,WACjC,sBAAsB,CAAA;AACzB,QAAA,IAAI,MAAA,IAAU,OAAO,MAAA,KAAW,QAAA,IAAY,aAAa,MAAA,EAAQ;AAC/D,UAAA,OAAO,MAAA;AAAA,QACT;AACA,QAAA,OAAO,KAAA,CAAA;AAAA,MACT,SAAS,GAAA,EAAK;AACZ,QAAA,IAAI,GAAA,YAAe,KAAA,IAAS,GAAA,CAAI,OAAA,KAAY,aAAa,OAAO,MAAA;AAChE,QAAA,MAAM,GAAA;AAAA,MACR;AAAA,IACF,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,OAAA,GAAgB;AACd,IAAA,KAAA,MAAW,EAAE,MAAA,EAAO,IAAK,IAAA,CAAK,YAAA,CAAa,QAAO,EAAG;AACnD,MAAA,MAAA,CAAO,IAAI,KAAA,CAAM,mBAAmB,CAAC,CAAA;AAAA,IACvC;AACA,IAAA,IAAA,CAAK,aAAa,KAAA,EAAM;AACxB,IAAA,IAAA,CAAK,QAAQ,GAAA,EAAI;AACjB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AACd,IAAA,IAAA,CAAK,WAAA,GAAc,KAAA;AACnB,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAc,UAAa,EAAA,EAAkC;AAC3D,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,EAAA,EAAG;AAAA,IAClB,SAAS,GAAA,EAAK;AACZ,MAAA,MAAM,GAAA,GAAM,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,EAAA;AACjD,MAAA,MAAM,WAAA,GAAc,GAAA,CAAI,QAAA,CAAS,WAAW,CAAA,IACvC,GAAA,CAAI,QAAA,CAAS,mBAAmB,CAAA,IAChC,GAAA,CAAI,QAAA,CAAS,eAAe,CAAA;AACjC,MAAA,IAAI,CAAC,aAAa,MAAM,GAAA;AAExB,MAAAA,MAAAA,CAAM,CAAA,iCAAA,EAAoC,GAAG,CAAA,CAAE,CAAA;AAC/C,MAAA,IAAA,CAAK,YAAA,EAAa;AAClB,MAAA,MAAM,KAAK,eAAA,EAAgB;AAC3B,MAAA,OAAO,MAAM,EAAA,EAAG;AAAA,IAClB;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMQ,YAAA,GAAqB;AAC3B,IAAA,IAAA,CAAK,OAAA,EAAQ;AACb,IAAA,IAAA,CAAK,oBAAA,GAAuB,KAAA;AAG5B,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,QAAA,CAASE,EAAAA,CAAG,YAAA,CAAa,UAAA,IAAc,OAAO,CAAA,CAAE,IAAA,EAAK,EAAG,EAAE,CAAA;AACtE,MAAA,iBAAA,CAAkB,GAAG,CAAA;AAAA,IACvB,CAAA,CAAA,MAAQ;AAAA,IAAoC;AAG5C,IAAA,kBAAA,EAAmB;AAAA,EACrB;AAAA,EAEQ,gBAAgB,UAAA,EAAmC;AACzD,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,MAAA,GAAS,IAAI,GAAA,CAAI,MAAA,EAAO;AAC9B,MAAA,MAAM,OAAA,GAAU,WAAW,MAAM;AAC/B,QAAA,MAAA,CAAO,OAAA,EAAQ;AACf,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,oBAAoB,CAAC,CAAA;AAAA,MACxC,GAAG,GAAI,CAAA;AAEP,MAAA,MAAA,CAAO,EAAA,CAAG,WAAW,MAAM;AACzB,QAAA,YAAA,CAAa,OAAO,CAAA;AACpB,QAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,QAAA,IAAA,CAAK,WAAA,GAAc,IAAA;AACnB,QAAA,IAAA,CAAK,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AAC5B,QAAA,OAAA,EAAQ;AAAA,MACV,CAAC,CAAA;AAED,MAAA,MAAA,CAAO,EAAA,CAAG,MAAA,EAAQ,CAAC,IAAA,KAAiB;AAClC,QAAA,IAAA,CAAK,WAAW,IAAI,CAAA;AAAA,MACtB,CAAC,CAAA;AAED,MAAA,MAAA,CAAO,EAAA,CAAG,OAAA,EAAS,CAAC,GAAA,KAAQ;AAC1B,QAAA,YAAA,CAAa,OAAO,CAAA;AACpB,QAAA,IAAA,CAAK,WAAA,GAAc,KAAA;AACnB,QAAA,MAAA,CAAO,GAAG,CAAA;AAAA,MACZ,CAAC,CAAA;AAED,MAAA,MAAA,CAAO,EAAA,CAAG,SAAS,MAAM;AACvB,QAAA,IAAA,CAAK,WAAA,GAAc,KAAA;AACnB,QAAA,IAAA,CAAK,MAAA,GAAS,IAAA;AAEd,QAAA,KAAA,MAAW,EAAE,MAAA,EAAQ,GAAA,MAAS,IAAA,CAAK,YAAA,CAAa,QAAO,EAAG;AACxD,UAAA,GAAA,CAAI,IAAI,KAAA,CAAM,0BAA0B,CAAC,CAAA;AAAA,QAC3C;AACA,QAAA,IAAA,CAAK,aAAa,KAAA,EAAM;AACxB,QAAA,IAAA,CAAK,MAAA,GAAS,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AAAA,MAC9B,CAAC,CAAA;AAED,MAAA,MAAA,CAAO,QAAQ,UAAU,CAAA;AAAA,IAC3B,CAAC,CAAA;AAAA,EACH;AAAA,EAEQ,WAAW,IAAA,EAAoB;AACrC,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA,CAAO,CAAC,IAAA,CAAK,MAAA,EAAQ,IAAI,CAAC,CAAA;AAE/C,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,CAAA,EAAG;AAC9B,MAAA,MAAM,aAAA,GAAgB,IAAA,CAAK,MAAA,CAAO,YAAA,CAAa,CAAC,CAAA;AAChD,MAAA,IAAI,IAAA,CAAK,MAAA,CAAO,MAAA,GAAS,CAAA,GAAI,aAAA,EAAe;AAE5C,MAAA,MAAM,cAAc,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,CAAA,EAAG,IAAI,aAAa,CAAA;AAC7D,MAAA,IAAA,CAAK,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,IAAI,aAAa,CAAA;AAEpD,MAAA,IAAI;AACF,QAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,WAAA,CAAY,UAAU,CAAA;AACjD,QAAA,IAAI,QAAQ,EAAA,IAAM,IAAA,CAAK,aAAa,GAAA,CAAI,OAAA,CAAQ,EAAE,CAAA,EAAG;AACnD,UAAA,MAAM,EAAE,OAAA,EAAS,GAAA,EAAK,MAAA,EAAQ,GAAA,KAAQ,IAAA,CAAK,YAAA,CAAa,GAAA,CAAI,OAAA,CAAQ,EAAE,CAAA;AACtE,UAAA,IAAA,CAAK,YAAA,CAAa,MAAA,CAAO,OAAA,CAAQ,EAAE,CAAA;AACnC,UAAA,IAAI,QAAQ,KAAA,EAAO;AACjB,YAAA,GAAA,CAAI,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAC,CAAA;AAAA,UAC9B,CAAA,MAAO;AACL,YAAA,GAAA,CAAI,QAAQ,MAAM,CAAA;AAAA,UACpB;AAAA,QACF;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,WAAA,CAAY,OAAA,EAA8B,SAAA,GAAY,eAAA,EAA+B;AAC3F,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,IAAI,CAAC,IAAA,CAAK,WAAA,IAAe,CAAC,KAAK,MAAA,EAAQ;AACrC,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,yBAAyB,CAAC,CAAA;AAC3C,QAAA;AAAA,MACF;AAEA,MAAA,MAAM,SAAA,GAAY,CAAA,EAAG,IAAA,CAAK,GAAA,GAAM,QAAA,CAAS,EAAE,CAAC,CAAA,CAAA,EAAI,OAAO,WAAA,CAAY,CAAC,CAAA,CAAE,QAAA,CAAS,KAAK,CAAC,CAAA,CAAA;AACrF,MAAA,MAAM,aAAA,GAAgB,EAAE,GAAG,OAAA,EAAS,IAAI,SAAA,EAAU;AAClD,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,SAAA,CAAU,aAAa,CAAA;AAC7C,MAAA,MAAM,YAAA,GAAe,MAAA,CAAO,IAAA,CAAK,QAAA,EAAU,OAAO,CAAA;AAElD,MAAA,MAAM,SAAA,GAAY,MAAA,CAAO,KAAA,CAAM,CAAC,CAAA;AAChC,MAAA,SAAA,CAAU,aAAA,CAAc,YAAA,CAAa,MAAA,EAAQ,CAAC,CAAA;AAG9C,MAAA,MAAM,OAAA,GAAU,WAAW,MAAM;AAC/B,QAAA,IAAA,CAAK,YAAA,CAAa,OAAO,SAAS,CAAA;AAClC,QAAA,MAAA,CAAO,IAAI,MAAM,CAAA,+BAAA,EAAkC,SAAS,eAAe,OAAA,CAAQ,MAAM,GAAG,CAAC,CAAA;AAAA,MAC/F,GAAG,SAAS,CAAA;AAEZ,MAAA,IAAA,CAAK,YAAA,CAAa,IAAI,SAAA,EAAW;AAAA,QAC/B,OAAA,0BAAU,KAAA,KAAU;AAClB,UAAA,YAAA,CAAa,OAAO,CAAA;AACpB,UAAA,OAAA,CAAQ,KAAK,CAAA;AAAA,QACf,CAAA,EAHS,SAAA,CAAA;AAAA,QAIT,MAAA,0BAAS,GAAA,KAAQ;AACf,UAAA,YAAA,CAAa,OAAO,CAAA;AACpB,UAAA,MAAA,CAAO,GAAG,CAAA;AAAA,QACZ,CAAA,EAHQ,QAAA;AAAA,OAIT,CAAA;AACD,MAAA,IAAA,CAAK,MAAA,CAAO,MAAM,MAAA,CAAO,MAAA,CAAO,CAAC,SAAA,EAAW,YAAY,CAAC,CAAC,CAAA;AAAA,IAC5D,CAAC,CAAA;AAAA,EACH;AAAA,EAEA,MAAc,WAAA,GAA6B;AAMzC,IAAA,IAAI,OAAM,EAAG;AACX,MAAA,MAAM,IAAI,KAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,MAAM,aAAa,mBAAA,EAAoB;AACvC,IAAA,IAAI,CAAC,UAAA,EAAY;AACf,MAAA,MAAM,IAAI,MAAM,+DAA0D,CAAA;AAAA,IAC5E;AAEA,IAAA,MAAM,aAAa,aAAA,EAAc;AACjC,IAAA,MAAM,UAAU,UAAA,EAAW;AAC3B,IAAA,MAAM,SAAA,GAAY,QAAQ,QAAA,KAAa,OAAA;AAGvC,IAAA,IAAI,CAAC,SAAA,EAAW;AACd,MAAAA,EAAAA,CAAG,UAAUD,IAAAA,CAAK,OAAA,CAAQ,UAAU,CAAA,EAAG,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AAAA,IAC5D;AACA,IAAAC,EAAAA,CAAG,UAAUD,IAAAA,CAAK,OAAA,CAAQ,OAAO,CAAA,EAAG,EAAE,SAAA,EAAW,IAAA,EAAM,CAAA;AAGvD,IAAA,IAAIC,EAAAA,CAAG,UAAA,CAAW,OAAO,CAAA,EAAG;AAC1B,MAAA,IAAI;AACF,QAAA,MAAM,GAAA,GAAM,SAASA,EAAAA,CAAG,YAAA,CAAa,SAAS,OAAO,CAAA,CAAE,IAAA,EAAK,EAAG,EAAE,CAAA;AACjE,QAAA,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAC,CAAA;AAGnB,QAAA,IAAI;AACF,UAAA,MAAM,IAAA,CAAK,gBAAgB,UAAU,CAAA;AACrC,UAAA;AAAA,QACF,CAAA,CAAA,MAAQ;AAEN,UAAAF,MAAAA,CAAM,CAAA,WAAA,EAAc,GAAG,CAAA,6CAAA,CAA0C,CAAA;AACjE,UAAA,iBAAA,CAAkB,GAAG,CAAA;AAAA,QACvB;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF;AAGA,IAAA,kBAAA,EAAmB;AACnB,IAAA,IAAI,CAAC,SAAA,IAAaE,EAAAA,CAAG,UAAA,CAAW,UAAU,CAAA,EAAG;AAC3C,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,sCAAA,EAAyC,UAAU,CAAA,CAAE,CAAA;AAAA,IACvE;AAEA,IAAA,OAAO,IAAI,OAAA,CAAQ,CAAC,OAAA,EAAS,MAAA,KAAW;AACtC,MAAA,MAAM,KAAA,GAAQ,MAAM,UAAA,EAAY;AAAA,QAC9B,QAAA;AAAA,QACA,eAAA;AAAA,QACA,UAAA;AAAA,QACA,YAAA;AAAA,QACA;AAAA,OACF,EAAG;AAAA,QACD,QAAA,EAAU,IAAA;AAAA,QACV,KAAA,EAAO,CAAC,QAAA,EAAU,MAAA,EAAQ,MAAM;AAAA,OACjC,CAAA;AAED,MAAA,MAAM,OAAA,GAAU,WAAW,MAAM;AAC/B,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,uCAAuC,CAAC,CAAA;AAAA,MAC3D,GAAG,GAAK,CAAA;AAER,MAAA,IAAI,UAAA,GAAa,EAAA;AACjB,MAAA,IAAI,UAAA,GAAa,EAAA;AAEjB,MAAA,KAAA,CAAM,MAAA,CAAQ,EAAA,CAAG,MAAA,EAAQ,CAAC,IAAA,KAAiB;AACzC,QAAA,UAAA,IAAc,KAAK,QAAA,EAAS;AAC5B,QAAA,IAAI;AACF,UAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,UAAU,CAAA;AACpC,UAAA,IAAI,OAAO,KAAA,EAAO;AAChB,YAAA,YAAA,CAAa,OAAO,CAAA;AACpB,YAAA,eAAA,CAAgB,UAAU,CAAA;AAC1B,YAAA,IAAA,CAAK,oBAAA,GAAuB,IAAA;AAC5B,YAAA,KAAA,CAAM,KAAA,EAAM;AACZ,YAAA,KAAA,CAAM,OAAQ,OAAA,EAAQ;AACtB,YAAA,KAAA,CAAM,OAAQ,OAAA,EAAQ;AACtB,YAAA,OAAA,EAAQ;AAAA,UACV;AAAA,QACF,CAAA,CAAA,MAAQ;AAAA,QAER;AAAA,MACF,CAAC,CAAA;AAED,MAAA,KAAA,CAAM,MAAA,CAAQ,EAAA,CAAG,MAAA,EAAQ,CAAC,IAAA,KAAiB;AACzC,QAAA,UAAA,IAAc,KAAK,QAAA,EAAS;AAAA,MAC9B,CAAC,CAAA;AAED,MAAA,KAAA,CAAM,EAAA,CAAG,OAAA,EAAS,CAAC,GAAA,KAAQ;AACzB,QAAA,YAAA,CAAa,OAAO,CAAA;AACpB,QAAA,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,GAAA,CAAI,OAAO,EAAE,CAAC,CAAA;AAAA,MAC5D,CAAC,CAAA;AAED,MAAA,KAAA,CAAM,EAAA,CAAG,MAAA,EAAQ,CAAC,IAAA,KAAS;AACzB,QAAA,YAAA,CAAa,OAAO,CAAA;AACpB,QAAA,IAAI,SAAS,CAAA,EAAG;AACd,UAAA,MAAM,OAAA,GAAU;AAAA,YACd,WAAW,IAAA,EAAK,IAAK,CAAA,QAAA,EAAW,UAAA,CAAW,MAAM,CAAA,CAAA;AAAA,YACjD,WAAW,IAAA,EAAK,IAAK,CAAA,QAAA,EAAW,UAAA,CAAW,MAAM,CAAA,CAAA;AAAA,YACjD,WAAW,UAAU,CAAA,CAAA;AAAA,YACrB,WAAW,UAAU,CAAA;AAAA,WACvB,CAAE,MAAA,CAAO,OAAO,CAAA,CAAE,KAAK,IAAI,CAAA;AAC3B,UAAA,MAAA,CAAO,IAAI,KAAA,CAAM,CAAA,wBAAA,EAA2B,IAAI;AAAA,EAAK,OAAO,EAAE,CAAC,CAAA;AAAA,QACjE;AAAA,MACF,CAAC,CAAA;AAAA,IACH,CAAC,CAAA;AAAA,EACH;AACF,CAAA;ACznBA,IAAM,SAAS,SAAA,CAAU,MAAA;AAEzB,IAAM,eAAA,GAAkB,CAAA;AACxB,IAAM,SAAA,GAAY,IAAI,WAAA,EAAY,CAAE,OAAO,kBAAkB,CAAA;AAC7D,IAAM,YAAA,GAAe,EAAE,IAAA,EAAM,MAAA,EAAQ,YAAY,OAAA,EAAQ;AAGzD,IAAM,iBAAA,GAAoB,EAAA;AAC1B,IAAM,YAAA,GAAe,EAAA;AACrB,IAAM,UAAA,GAAa,EAAA;AACnB,IAAM,aAAA,GAAgB,IAAI,iBAAA,GAAoB,YAAA;AAK9C,IAAM,EAAA,mBAAK,MAAA,CAAA,CAAC,IAAA,KAAmC,IAAA,EAApC,IAAA,CAAA;AAaX,SAAS,iBAAiB,OAAA,EAAwC;AAChE,EAAA,MAAM,WAAA,GAAc,QAAQ,MAAA,CAAO,CAAC,KAAK,CAAA,KAAM,GAAA,GAAM,CAAA,CAAE,MAAA,EAAQ,CAAC,CAAA;AAChE,EAAA,MAAM,MAAA,GAAS,IAAI,UAAA,CAAW,WAAW,CAAA;AACzC,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,KAAA,MAAW,OAAO,OAAA,EAAS;AACzB,IAAA,MAAA,CAAO,GAAA,CAAI,KAAK,MAAM,CAAA;AACtB,IAAA,MAAA,IAAU,GAAA,CAAI,MAAA;AAAA,EAChB;AACA,EAAA,OAAO,MAAA;AACT;AATS,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAWT,SAAS,eAAe,MAAA,EAA0C;AAChE,EAAA,IAAI,kBAAkB,UAAA,EAAY;AAChC,IAAA,OAAO,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,YAAY,MAAA,CAAO,UAAU,CAAA,CAAE,QAAA,CAAS,QAAQ,CAAA;AAAA,EAC3F;AACA,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,MAAM,CAAA,CAAE,SAAS,QAAQ,CAAA;AAC9C;AALS,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAOT,SAAS,cAAc,MAAA,EAA4B;AACjD,EAAA,MAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,QAAQ,CAAA;AACxC,EAAA,OAAO,IAAI,UAAA,CAAW,GAAA,CAAI,QAAQ,GAAA,CAAI,UAAA,EAAY,IAAI,UAAU,CAAA;AAClE;AAHS,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAcT,eAAe,UAAA,CACb,GAAA,EACA,IAAA,EACA,IAAA,EACA,eAAA,EACqB;AAErB,EAAA,MAAM,UAAU,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,GAAG,IAAI,CAAA,EAAG,EAAE,IAAA,EAAM,QAAQ,IAAA,EAAM,SAAA,IAAa,KAAA,EAAO,CAAC,MAAM,CAAC,CAAA;AAC1G,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,MAAM,MAAA,CAAO,IAAA,CAAK,MAAA,EAAQ,OAAA,EAAS,EAAA,CAAG,GAAG,CAAC,CAAC,CAAA;AAGtE,EAAA,MAAM,SAAS,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,GAAG,GAAG,CAAA,EAAG,EAAE,IAAA,EAAM,QAAQ,IAAA,EAAM,SAAA,IAAa,KAAA,EAAO,CAAC,MAAM,CAAC,CAAA;AACxG,EAAA,MAAM,GAAA,GAAM,IAAI,UAAA,CAAW,eAAe,CAAA;AAC1C,EAAA,IAAI,CAAA,GAAI,IAAI,UAAA,CAAW,CAAC,CAAA;AACxB,EAAA,IAAI,MAAA,GAAS,CAAA;AACb,EAAA,IAAI,OAAA,GAAU,CAAA;AAEd,EAAA,OAAO,SAAS,eAAA,EAAiB;AAC/B,IAAA,MAAM,KAAA,GAAQ,cAAc,CAAA,EAAG,IAAA,EAAM,IAAI,UAAA,CAAW,CAAC,OAAO,CAAC,CAAC,CAAA;AAC9D,IAAA,CAAA,GAAI,IAAI,UAAA,CAAW,MAAM,MAAA,CAAO,IAAA,CAAK,QAAQ,MAAA,EAAQ,EAAA,CAAG,KAAK,CAAC,CAAC,CAAA;AAC/D,IAAA,GAAA,CAAI,GAAA,CAAI,CAAA,CAAE,KAAA,CAAM,CAAA,EAAG,IAAA,CAAK,GAAA,CAAI,CAAA,CAAE,MAAA,EAAQ,eAAA,GAAkB,MAAM,CAAC,CAAA,EAAG,MAAM,CAAA;AACxE,IAAA,MAAA,IAAU,CAAA,CAAE,MAAA;AACZ,IAAA,OAAA,EAAA;AAAA,EACF;AAEA,EAAA,OAAO,GAAA;AACT;AA1Be,MAAA,CAAA,UAAA,EAAA,YAAA,CAAA;AA+Bf,eAAe,gBAAgB,MAAA,EAAoC;AACjE,EAAA,OAAO,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,EAAA,CAAG,aAAA,CAAc,MAAM,CAAC,CAAA,EAAG,YAAA,EAAc,IAAA,EAAM,EAAE,CAAA;AAClF;AAFe,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAKf,eAAe,iBAAiB,MAAA,EAAoC;AAClE,EAAA,OAAO,MAAA,CAAO,SAAA,CAAU,OAAA,EAAS,EAAA,CAAG,aAAA,CAAc,MAAM,CAAC,CAAA,EAAG,YAAA,EAAc,IAAA,EAAM,CAAC,YAAY,CAAC,CAAA;AAChG;AAFe,MAAA,CAAA,gBAAA,EAAA,kBAAA,CAAA;AAKf,eAAsB,aAAA,GAAoC;AACxD,EAAA,MAAM,OAAA,GAAU,MAAM,MAAA,CAAO,WAAA,CAAY,cAAc,IAAA,EAAM,CAAC,YAAY,CAAC,CAAA;AAE3E,EAAA,MAAM,eAAe,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,QAAQ,SAAS,CAAA;AACpE,EAAA,MAAM,kBAAkB,MAAM,MAAA,CAAO,SAAA,CAAU,OAAA,EAAS,QAAQ,UAAU,CAAA;AAE1E,EAAA,OAAO;AAAA,IACL,SAAA,EAAW,eAAe,YAAY,CAAA;AAAA,IACtC,UAAA,EAAY,eAAe,eAAe;AAAA,GAC5C;AACF;AAVsB,MAAA,CAAA,aAAA,EAAA,eAAA,CAAA;AAqBtB,eAAsB,OAAA,CAAQ,iBAAyB,SAAA,EAAoC;AACzF,EAAA,MAAM,kBAAA,GAAqB,MAAM,eAAA,CAAgB,eAAe,CAAA;AAChE,EAAA,MAAM,kBAAA,GAAqB,cAAc,eAAe,CAAA;AAGxD,EAAA,MAAM,gBAAA,GAAmB,MAAM,MAAA,CAAO,WAAA,CAAY,cAAc,IAAA,EAAM,CAAC,YAAY,CAAC,CAAA;AACpF,EAAA,MAAM,kBAAA,GAAqB,IAAI,UAAA,CAAW,MAAM,OAAO,SAAA,CAAU,KAAA,EAAO,gBAAA,CAAiB,SAAS,CAAC,CAAA;AAGnG,EAAA,MAAM,gBAAA,GAAmB,MAAM,MAAA,CAAO,UAAA;AAAA,IACpC,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,kBAAA,EAAmB;AAAA,IAC3C,gBAAA,CAAiB,UAAA;AAAA,IACjB;AAAA,GACF;AACA,EAAA,MAAM,YAAA,GAAe,IAAI,UAAA,CAAW,gBAAgB,CAAA;AAGpD,EAAA,MAAM,IAAA,GAAO,aAAA,CAAc,kBAAA,EAAoB,kBAAkB,CAAA;AACjE,EAAA,MAAM,SAAS,MAAM,UAAA,CAAW,YAAA,EAAc,SAAA,EAAW,MAAM,EAAE,CAAA;AAGjE,EAAA,MAAM,QAAQ,SAAA,CAAU,eAAA,CAAgB,IAAI,UAAA,CAAW,YAAY,CAAC,CAAA;AACpE,EAAA,MAAM,cAAA,GAAiB,IAAI,WAAA,EAAY,CAAE,OAAO,SAAS,CAAA;AAEzD,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,EAAA,CAAG,MAAM,CAAA,EAAG,SAAA,EAAW,KAAA,EAAO,CAAC,SAAS,CAAC,CAAA;AACzF,EAAA,MAAM,YAAY,IAAI,UAAA;AAAA,IACpB,MAAM,MAAA,CAAO,OAAA,CAAQ,EAAE,IAAA,EAAM,WAAW,EAAA,EAAI,EAAA,CAAG,KAAK,CAAA,EAAG,WAAW,UAAA,GAAa,CAAA,IAAK,SAAA,EAAW,EAAA,CAAG,cAAc,CAAC;AAAA,GACnH;AAGA,EAAA,MAAM,aAAa,SAAA,CAAU,KAAA,CAAM,CAAA,EAAG,SAAA,CAAU,SAAS,UAAU,CAAA;AACnE,EAAA,MAAM,GAAA,GAAM,SAAA,CAAU,KAAA,CAAM,SAAA,CAAU,SAAS,UAAU,CAAA;AAGzD,EAAA,MAAM,OAAA,GAAU,aAAA;AAAA,IACd,IAAI,UAAA,CAAW,CAAC,eAAe,CAAC,CAAA;AAAA,IAChC,kBAAA;AAAA,IACA,KAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,GACF;AAEA,EAAA,OAAO,eAAe,OAAO,CAAA;AAC/B;AA3CsB,MAAA,CAAA,OAAA,EAAA,SAAA,CAAA;AAuDtB,eAAsB,OAAA,CACpB,gBAAA,EACA,eAAA,EACA,gBAAA,EACiB;AACjB,EAAA,MAAM,YAAA,GAAe,cAAc,gBAAgB,CAAA;AAEnD,EAAA,IAAI,YAAA,CAAa,UAAA,GAAa,aAAA,GAAgB,UAAA,EAAY;AACxD,IAAA,MAAM,IAAI,MAAM,mBAAmB,CAAA;AAAA,EACrC;AAGA,EAAA,MAAM,OAAA,GAAU,aAAa,CAAC,CAAA;AAC9B,EAAA,IAAI,YAAY,eAAA,EAAiB;AAC/B,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,6BAAA,EAAgC,OAAO,CAAA,CAAE,CAAA;AAAA,EAC3D;AAEA,EAAA,MAAM,kBAAA,GAAqB,YAAA,CAAa,KAAA,CAAM,CAAA,EAAG,IAAI,iBAAiB,CAAA;AACtE,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,CAAA,GAAI,mBAAmB,aAAa,CAAA;AACrE,EAAA,MAAM,gBAAA,GAAmB,YAAA,CAAa,KAAA,CAAM,aAAa,CAAA;AAEzD,EAAA,IAAI,gBAAA,CAAiB,SAAS,UAAA,EAAY;AACxC,IAAA,MAAM,IAAI,MAAM,2BAA2B,CAAA;AAAA,EAC7C;AAGA,EAAA,MAAM,UAAA,GAAa,MAAM,gBAAA,CAAiB,gBAAgB,CAAA;AAC1D,EAAA,MAAM,kBAAA,GAAqB,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,EAAA,CAAG,kBAAkB,CAAA,EAAG,YAAA,EAAc,IAAA,EAAM,EAAE,CAAA;AAGvG,EAAA,MAAM,kBAAA,GAAqB,cAAc,eAAe,CAAA;AAGxD,EAAA,MAAM,gBAAA,GAAmB,MAAM,MAAA,CAAO,UAAA;AAAA,IACpC,EAAE,IAAA,EAAM,MAAA,EAAQ,MAAA,EAAQ,kBAAA,EAAmB;AAAA,IAC3C,UAAA;AAAA,IACA;AAAA,GACF;AACA,EAAA,MAAM,YAAA,GAAe,IAAI,UAAA,CAAW,gBAAgB,CAAA;AAGpD,EAAA,MAAM,IAAA,GAAO,aAAA,CAAc,kBAAA,EAAoB,kBAAkB,CAAA;AACjE,EAAA,MAAM,SAAS,MAAM,UAAA,CAAW,YAAA,EAAc,SAAA,EAAW,MAAM,EAAE,CAAA;AAIjE,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,SAAA,CAAU,KAAA,EAAO,EAAA,CAAG,MAAM,CAAA,EAAG,SAAA,EAAW,KAAA,EAAO,CAAC,SAAS,CAAC,CAAA;AACzF,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,OAAA;AAAA,MAC7B,EAAE,MAAM,SAAA,EAAW,EAAA,EAAI,GAAG,KAAK,CAAA,EAAG,SAAA,EAAW,UAAA,GAAa,CAAA,EAAE;AAAA,MAC5D,SAAA;AAAA,MACA,GAAG,gBAAgB;AAAA;AAAA,KACrB;AACA,IAAA,OAAO,IAAI,WAAA,EAAY,CAAE,MAAA,CAAO,SAAS,CAAA;AAAA,EAC3C,SAAS,GAAA,EAAK;AACZ,IAAA,MAAM,IAAI,KAAA;AAAA,MACR,yBAAA;AAAA,MACA,EAAE,OAAO,GAAA;AAAI,KACf;AAAA,EACF;AACF;AA5DsB,MAAA,CAAA,OAAA,EAAA,SAAA,CAAA;;;ACnLtB,IAAM,gBAAA,GAAmB,oBAAA;AACzB,IAAM,cAAA,GAAiB,iBAAA;AAWvB,SAAS,eAAA,GAA0B;AACjC,EAAA,OAAOD,IAAAA,CAAK,IAAA,CAAK,iBAAA,EAAkB,EAAG,gBAAgB,CAAA;AACxD;AAFS,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAIT,SAAS,eAAe,KAAA,EAAuB;AAC7C,EAAA,OAAOA,KAAK,IAAA,CAAK,eAAA,EAAgB,EAAG,CAAA,EAAG,KAAK,CAAA,KAAA,CAAO,CAAA;AACrD;AAFS,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAMF,SAAS,SAAA,CAAU,QAAgB,cAAA,EAAyB;AACjE,EAAA,OAAOC,EAAAA,CAAG,UAAA,CAAW,cAAA,CAAe,KAAK,CAAC,CAAA;AAC5C;AAFgB,MAAA,CAAA,SAAA,EAAA,WAAA,CAAA;AAIhB,eAAsB,WAAA,CAAY,QAAgB,cAAA,EAA+D;AAC/G,EAAA,MAAM,OAAA,GAAU,MAAM,aAAA,EAAc;AAEpC,EAAA,MAAM,MAAA,GAAwB;AAAA,IAC5B,KAAA;AAAA,IACA,WAAW,OAAA,CAAQ,SAAA;AAAA,IACnB,YAAY,OAAA,CAAQ,UAAA;AAAA,IACpB,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,GACpC;AAEA,EAAA,MAAM,eAAe,eAAA,EAAgB;AACrC,EAAAA,GAAG,SAAA,CAAU,YAAA,EAAc,EAAE,SAAA,EAAW,MAAM,CAAA;AAE9C,EAAA,MAAM,QAAA,GAAW,eAAe,KAAK,CAAA;AACrC,EAAAA,EAAAA,CAAG,aAAA,CAAc,QAAA,EAAU,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,IAAA,EAAM,CAAC,CAAA,EAAG,EAAE,IAAA,EAAM,GAAA,EAAO,CAAA;AAE3E,EAAA,OAAO,EAAE,KAAA,EAAO,SAAA,EAAW,OAAA,CAAQ,SAAA,EAAU;AAC/C;AAjBsB,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AA0CtB,SAAS,YAAY,KAAA,EAA8B;AACjD,EAAA,MAAM,QAAA,GAAW,eAAe,KAAK,CAAA;AACrC,EAAA,IAAI,CAACA,EAAAA,CAAG,UAAA,CAAW,QAAQ,CAAA,EAAG;AAC5B,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,eAAA,EAAkB,KAAK,CAAA,CAAE,CAAA;AAAA,EAC3C;AACA,EAAA,MAAM,IAAA,GAAOA,EAAAA,CAAG,YAAA,CAAa,QAAA,EAAU,OAAO,CAAA;AAC9C,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAI9B,EAAA,MAAM,UAAA,GAAa,OAAO,UAAA,KACpB,MAAA,CAAO,eAAe,MAAA,GAAS,MAAA,CAAO,mBAAA,GAAsB,MAAA,CAAA,IAC7D,MAAA,CAAO,mBAAA;AAEZ,EAAA,IAAI,CAAC,MAAA,CAAO,SAAA,IAAa,CAAC,UAAA,EAAY;AACpC,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,iCAAA,EAAoC,KAAK,CAAA,CAAE,CAAA;AAAA,EAC7D;AAEA,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,OAAO,KAAA,IAAS,KAAA;AAAA,IACvB,WAAW,MAAA,CAAO,SAAA;AAAA,IAClB,UAAA;AAAA,IACA,WAAW,MAAA,CAAO,SAAA,IAAA,iBAAa,IAAI,IAAA,IAAO,WAAA,EAAY;AAAA,IACtD,YAAY,MAAA,CAAO,UAAA;AAAA,IACnB,qBAAqB,MAAA,CAAO;AAAA,GAC9B;AACF;AA1BS,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA;AA4BT,SAAS,aAAa,KAAA,EAAuB;AAC3C,EAAA,OAAO,WAAA,CAAY,KAAK,CAAA,CAAE,SAAA;AAC5B;AAFS,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;AAMT,eAAsB,YAAA,CAAa,SAAA,EAAmB,KAAA,GAAgB,cAAA,EAAiC;AACrG,EAAA,MAAM,SAAA,GAAY,aAAa,KAAK,CAAA;AACpC,EAAA,OAAO,OAAA,CAAQ,WAAW,SAAS,CAAA;AACrC;AAHsB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;AAKtB,eAAsB,YAAA,CAAa,UAAA,EAAoB,KAAA,GAAgB,cAAA,EAAiC;AACtG,EAAA,MAAM,MAAA,GAAS,YAAY,KAAK,CAAA;AAChC,EAAA,OAAO,OAAA,CAAQ,MAAA,CAAO,UAAA,EAAY,MAAA,CAAO,WAAW,UAAU,CAAA;AAChE;AAHsB,MAAA,CAAA,YAAA,EAAA,cAAA,CAAA;;;AClGtB,IAAMC,eAAAA,GAAiB,iBAAA;AAGvB,SAASH,OAAM,GAAA,EAAa;AAC1B,EAAA,IAAI,OAAA,CAAQ,IAAI,aAAA,EAAe;AAC7B,IAAA,OAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,CAAA,wBAAA,EAA2B,GAAG;AAAA,CAAI,CAAA;AAAA,EACzD;AACF;AAJS,MAAA,CAAAA,MAAAA,EAAA,OAAA,CAAA;AAWT,IAAI,gBAAA;AACJ,SAAS,gBAAA,GAA2B;AAClC,EAAA,IAAI,kBAAkB,OAAO,gBAAA;AAC7B,EAAA,IAAI;AACF,IAAA,MAAM,OAAA,GAAUE,EAAAA,CAAG,YAAA,CAAa,iBAAiB,CAAA;AACjD,IAAA,IAAI,OAAA,IAAW,OAAA,CAAQ,UAAA,CAAW,OAAO,CAAA,EAAG;AAC1C,MAAA,gBAAA,GAAmB,OAAA;AACnB,MAAA,OAAO,OAAA;AAAA,IACT;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AAKA,EAAA,IAAI;AACF,IAAA,MAAM,KAAA,GAAuB,CAAC,OAAA,CAAQ,GAAG,CAAA;AACzC,IAAA,IAAI,UAAU,OAAA,CAAQ,GAAA;AACtB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,EAAA,EAAI,CAAA,EAAA,EAAK;AAC3B,MAAA,MAAM,OAAOA,EAAAA,CAAG,YAAA,CAAa,CAAA,MAAA,EAAS,OAAO,SAAS,OAAO,CAAA;AAC7D,MAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,IAAI,CAAA;AAC9B,MAAA,IAAI,MAAA,CAAO,SAAS,CAAA,EAAG;AACvB,MAAA,MAAM,IAAA,GAAO,QAAA,CAAS,MAAA,CAAO,CAAC,CAAA,CAAE,MAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,EAAE,CAAA;AACjD,MAAA,IAAI,CAAC,IAAA,IAAQ,IAAA,IAAQ,CAAA,EAAG;AACxB,MAAA,KAAA,CAAM,KAAK,IAAI,CAAA;AACf,MAAA,OAAA,GAAU,IAAA;AAAA,IACZ;AACA,IAAA,IAAI,KAAA,CAAM,UAAU,CAAA,EAAG;AACrB,MAAA,MAAM,QAAA,GAAW,KAAA,CAAM,KAAA,CAAM,MAAA,GAAS,CAAC,CAAA;AAEvC,MAAA,IAAI,SAAA,GAAY,CAAA;AAChB,MAAA,IAAI;AACF,QAAA,MAAM,YAAYA,EAAAA,CAAG,YAAA,CAAa,CAAA,MAAA,EAAS,QAAQ,SAAS,OAAO,CAAA;AACnE,QAAA,MAAM,WAAA,GAAc,SAAA,CAAU,KAAA,CAAM,IAAI,CAAA;AACxC,QAAA,IAAI,WAAA,CAAY,UAAU,CAAA,EAAG;AAC3B,UAAA,SAAA,GAAY,QAAA,CAAS,WAAA,CAAY,CAAC,CAAA,CAAE,KAAA,CAAM,GAAG,CAAA,CAAE,EAAE,CAAA,EAAG,EAAE,CAAA,IAAK,CAAA;AAAA,QAC7D;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAAe;AACvB,MAAA,gBAAA,GAAmB,CAAA,MAAA,EAAS,QAAQ,CAAA,CAAA,EAAI,SAAS,CAAA,CAAA;AACjD,MAAA,OAAO,gBAAA;AAAA,IACT;AAAA,EACF,CAAA,CAAA,MAAQ;AAAA,EAER;AACA,EAAA,gBAAA,GAAmB,CAAA,IAAA,EAAO,QAAQ,GAAG,CAAA,CAAA;AACrC,EAAA,OAAO,gBAAA;AACT;AA9CS,MAAA,CAAA,gBAAA,EAAA,kBAAA,CAAA;AAgDT,IAAI,2BAAA,GAA8B,KAAA;AAElC,SAAS,qBAAqB,SAAA,EAAuC;AACnE,EAAA,IAAI,CAAC,KAAA,EAAM,EAAG,OAAO,MAAA;AACrB,EAAA,IAAI;AACF,IAAA,OAAO,YAAA,CAAa,SAAA,EAAW,CAAC,IAAA,EAAM,SAAS,CAAA,EAAG;AAAA,MAChD,QAAA,EAAU,OAAA;AAAA,MACV,OAAA,EAAS;AAAA,KACV,EAAE,IAAA,EAAK;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAAF,OAAM,CAAA,6BAAA,EAAgC,GAAA,YAAe,QAAQ,GAAA,CAAI,OAAA,GAAU,GAAG,CAAA,CAAE,CAAA;AAChF,IAAA,OAAO,MAAA;AAAA,EACT;AACF;AAXS,MAAA,CAAA,oBAAA,EAAA,sBAAA,CAAA;AAaT,SAAS,gCAAgC,UAAA,EAA6B;AACpE,EAAA,IAAI,2BAAA,EAA6B;AAC/B,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,WAAA,GAAc,qBAAqB,UAAU,CAAA;AACnD,EAAA,IAAI,CAAC,WAAA,EAAa;AAChB,IAAA,OAAO,KAAA;AAAA,EACT;AAKA,EAAA,MAAM,WAAA,GAAc,WAAA,CAAY,UAAA,CAAW,GAAA,EAAK,IAAI,CAAA;AACpD,EAAA,MAAM,QAAA,GAAW,gDAAgD,WAAW,CAAA,8BAAA,CAAA;AAC5E,EAAA,MAAM,IAAA,GAAO,UAAU,gBAAA,EAAkB;AAAA,IACvC,YAAA;AAAA,IACA,iBAAA;AAAA,IACA,kBAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA;AAAA,IACA;AAAA,GACF,EAAG;AAAA,IACD,QAAA,EAAU,OAAA;AAAA,IACV,OAAA,EAAS;AAAA,GACV,CAAA;AAED,EAAA,IAAI,KAAK,KAAA,EAAO;AACd,IAAAA,MAAAA,CAAM,CAAA,mDAAA,EAAsD,IAAA,CAAK,KAAA,CAAM,OAAO,CAAA,CAAE,CAAA;AAChF,IAAA,OAAO,KAAA;AAAA,EACT;AACA,EAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AACrB,IAAAA,MAAAA,CAAM,CAAA,iDAAA,EAAoD,IAAA,CAAK,MAAM,CAAA,EAAA,EAAA,CAAM,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,IAAU,EAAA,EAAI,IAAA,EAAM,CAAA,CAAE,CAAA;AACrH,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAAA,OAAM,sEAAsE,CAAA;AAC5E,EAAA,2BAAA,GAA8B,IAAA;AAC9B,EAAA,OAAO,IAAA;AACT;AAvCS,MAAA,CAAA,+BAAA,EAAA,iCAAA,CAAA;AAyCT,SAAS,wBAAA,CAAyB,UAAA,EAAoB,SAAA,GAAoB,GAAA,EAAgB;AACxF,EAAA,MAAM,IAAA,GAAO,SAAA,CAAU,UAAA,EAAY,CAAC,aAAa,CAAA,EAAG;AAAA,IAClD,QAAA,EAAU,OAAA;AAAA,IACV,OAAA,EAAS;AAAA,GACV,CAAA;AAED,EAAA,IAAI,IAAA,CAAK,KAAA,IAAS,IAAA,CAAK,MAAA,KAAW,CAAA,EAAG;AACnC,IAAA,OAAO,KAAA;AAAA,EACT;AAEA,EAAA,IAAI;AACF,IAAA,MAAM,SAAS,IAAA,CAAK,KAAA,CAAA,CAAO,KAAK,MAAA,IAAU,EAAA,EAAI,MAAM,CAAA;AACpD,IAAA,OAAO,OAAO,KAAA,KAAU,IAAA;AAAA,EAC1B,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,KAAA;AAAA,EACT;AACF;AAhBS,MAAA,CAAA,wBAAA,EAAA,0BAAA,CAAA;AAkBT,SAAS,2BAAA,CAA4B,UAAA,EAAoB,SAAA,GAAoB,IAAA,EAAiB;AAC5F,EAAA,MAAM,QAAA,GAAW,IAAA,CAAK,GAAA,EAAI,GAAI,SAAA;AAE9B,EAAA,OAAO,IAAA,CAAK,GAAA,EAAI,GAAI,QAAA,EAAU;AAC5B,IAAA,IAAI,wBAAA,CAAyB,UAAU,CAAA,EAAG;AACxC,MAAAA,OAAM,8CAA8C,CAAA;AACpD,MAAA,OAAO,IAAA;AAAA,IACT;AAEA,IAAA,OAAA,CAAQ,IAAA,CAAK,IAAI,UAAA,CAAW,IAAI,iBAAA,CAAkB,CAAC,CAAC,CAAA,EAAG,CAAA,EAAG,CAAA,EAAG,GAAG,CAAA;AAAA,EAClE;AAEA,EAAAA,OAAM,qEAAqE,CAAA;AAC3E,EAAA,OAAO,KAAA;AACT;AAdS,MAAA,CAAA,2BAAA,EAAA,6BAAA,CAAA;AAkBT,SAAS,eAAA,CAAgB,MAAqB,IAAA,EAAqC;AACjF,EAAA,MAAM,aAAa,mBAAA,EAAoB;AACvC,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAAA,OAAM,kCAAkC,CAAA;AACxC,IAAA,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAAA,EAC3C;AACA,EAAAA,MAAAA,CAAM,oBAAoB,UAAU,CAAA,CAAA,EAAI,KAAK,IAAA,CAAK,GAAG,CAAC,CAAA,CAAE,CAAA;AACxD,EAAA,MAAM,MAAA,GAAS,YAAA,CAAa,UAAA,EAAY,IAAA,EAAM;AAAA,IAC5C,QAAA,EAAU,OAAA;AAAA,IACV,OAAA,EAAS,MAAM,OAAA,IAAW;AAAA,GAC3B,EAAE,IAAA,EAAK;AACR,EAAAA,OAAM,CAAA,wBAAA,EAA2B,MAAA,CAAO,MAAM,CAAA,EAAG,GAAG,CAAC,CAAA,CAAE,CAAA;AACvD,EAAA,OAAO,MAAA;AACT;AAbS,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAeT,SAAS,mBAAA,CAAiD,MAAqB,IAAA,EAAgC;AAC7G,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAA,EAAM,IAAI,CAAA;AACzC,EAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,MAAM,CAAA;AAChC,EAAA,IAAI,OAAO,KAAA,EAAO;AAChB,IAAA,MAAM,IAAI,KAAA,CAAM,MAAA,CAAO,KAAK,CAAA;AAAA,EAC9B;AACA,EAAA,OAAO,MAAA;AACT;AAPS,MAAA,CAAA,mBAAA,EAAA,qBAAA,CAAA;AAWT,IAAI,iBAAA;AAEJ,IAAI,gBAAA;AAEJ,SAAS,iBAAA,GAAoE;AAC3E,EAAA,MAAM,aAAa,mBAAA,EAAoB;AACvC,EAAAA,MAAAA,CAAM,CAAA,8BAAA,EAAiC,UAAA,IAAc,WAAW,CAAA,QAAA,EAAW,OAAO,CAAA,WAAA,EAAc,OAAA,CAAQ,QAAQ,CAAA,CAAE,CAAA;AAClH,EAAA,IAAI,CAAC,UAAA,EAAY;AAEf,IAAA,MAAM,cAAA,GAAiB,CAAC,QAAA,EAAU,OAAA,EAAS,OAAO,CAAA,CAAE,QAAA,CAAS,QAAQ,QAAQ,CAAA;AAC7E,IAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,cAAA,EAAe;AAAA,EACxC;AAGA,EAAA,IAAI,OAAM,EAAG,OAAO,EAAE,IAAA,EAAM,aAAA,EAAe,gBAAgB,KAAA,EAAM;AAEjE,EAAA,QAAQ,QAAQ,QAAA;AAAU,IACxB,KAAK,QAAA;AAAU,MAAA,OAAO,EAAE,IAAA,EAAM,gBAAA,EAAkB,cAAA,EAAgB,KAAA,EAAM;AAAA,IACtE,KAAK,OAAA;AAAS,MAAA,OAAO,EAAE,IAAA,EAAM,aAAA,EAAe,cAAA,EAAgB,KAAA,EAAM;AAAA,IAClE,KAAK,OAAA;AAAS,MAAA,OAAO,EAAE,IAAA,EAAM,WAAA,EAAa,cAAA,EAAgB,KAAA,EAAM;AAAA,IAChE;AAAS,MAAA,OAAO,EAAE,IAAA,EAAM,MAAA,EAAQ,cAAA,EAAgB,KAAA,EAAM;AAAA;AAE1D;AAlBS,MAAA,CAAA,iBAAA,EAAA,mBAAA,CAAA;AAqBF,SAAS,cAAA,GAA8B;AAC5C,EAAA,IAAI,mBAAmB,OAAO,iBAAA;AAE9B,EAAA,MAAM,EAAE,IAAA,EAAM,cAAA,EAAe,GAAI,iBAAA,EAAkB;AACnD,EAAA,MAAM,UAAA,GAAa,IAAA,KAAS,MAAA,GAAS,mBAAA,EAAoB,GAAI,MAAA;AAE7D,EAAA,IAAI,IAAA,KAAS,UAAU,UAAA,EAAY;AAEjC,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,mBAAA,CAAwC,CAAC,QAAQ,CAAC,CAAA;AACjE,MAAAA,OAAM,CAAA,8CAAA,EAAiD,MAAA,CAAO,cAAc,CAAA,qBAAA,EAAwB,OAAO,kBAAkB,CAAA,UAAA,EAAa,MAAA,CAAO,OAAO,UAAU,MAAA,CAAO,IAAA,EAAM,IAAA,CAAK,GAAG,CAAC,CAAA,CAAE,CAAA;AAC1L,MAAA,gBAAA,GAAmB,MAAA,CAAO,IAAA;AAC1B,MAAA,iBAAA,GAAoB;AAAA,QAClB,IAAA;AAAA,QACA,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,gBAAgB,MAAA,CAAO,cAAA;AAAA,QACvB,oBAAoB,MAAA,CAAO,kBAAA;AAAA,QAC3B;AAAA,OACF;AAAA,IACF,SAAS,GAAA,EAAK;AAEZ,MAAAA,OAAM,CAAA,uCAAA,EAA0C,GAAA,YAAe,QAAQ,GAAA,CAAI,OAAA,GAAU,GAAG,CAAA,CAAE,CAAA;AAC1F,MAAA,iBAAA,GAAoB;AAAA,QAClB,IAAA;AAAA,QACA,UAAU,OAAA,CAAQ,QAAA;AAAA,QAClB,gBAAgB,IAAA,KAAS,gBAAA;AAAA,QACzB,oBAAoB,IAAA,KAAS,gBAAA;AAAA,QAC7B;AAAA,OACF;AAAA,IACF;AAAA,EACF,CAAA,MAAO;AACL,IAAAA,MAAAA,CAAM,4CAA4C,IAAI,CAAA,aAAA,EAAgB,cAAc,MAAM,CAAA,iBAAA,EAAoB,cAAc,CAAA,CAAA,CAAG,CAAA;AAC/H,IAAA,IAAI,cAAA,IAAkB,CAAC,OAAA,CAAQ,GAAA,CAAI,uCAAA,EAAyC;AAC1E,MAAA,OAAA,CAAQ,MAAA,CAAO,KAAA;AAAA,QACb;AAAA,OACF;AAAA,IACF;AACA,IAAA,iBAAA,GAAoB;AAAA,MAClB,IAAA;AAAA,MACA,UAAU,OAAA,CAAQ,QAAA;AAAA,MAClB,cAAA,EAAgB,KAAA;AAAA,MAChB,kBAAA,EAAoB,KAAA;AAAA,MACpB,UAAA,EAAY,MAAA;AAAA,MACZ;AAAA,KACF;AAAA,EACF;AAEA,EAAAA,MAAAA,CAAM,CAAA,mCAAA,EAAsC,iBAAA,CAAmB,IAAI,CAAA,YAAA,EAAe,kBAAmB,kBAAkB,CAAA,WAAA,EAAc,iBAAA,CAAmB,cAAc,CAAA,CAAE,CAAA;AACxK,EAAA,OAAO,iBAAA;AACT;AAjDgB,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AAqDhB,IAAI,YAAA;AAEG,SAAS,eAAA,GAAgC;AAC9C,EAAA,YAAA,KAAiB,IAAI,YAAA,EAAa;AAClC,EAAA,OAAO,YAAA;AACT;AAHgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA;AAQT,SAASI,UAAAA,CAAU,QAAgBD,eAAAA,EAAyB;AACjE,EAAA,MAAM,UAAU,cAAA,EAAe;AAC/B,EAAA,IAAI,OAAA,CAAQ,SAAS,MAAA,EAAQ;AAC3B,IAAA,OAAmB,UAAU,KAAK,CAAA;AAAA,EACpC;AAEA,EAAA,IAAI,gBAAA,EAAkB;AACpB,IAAAH,MAAAA,CAAM,CAAA,wCAAA,EAA2C,KAAK,CAAA,CAAE,CAAA;AACxD,IAAA,OAAO,gBAAA,CAAiB,SAAS,KAAK,CAAA;AAAA,EACxC;AACA,EAAA,MAAM,SAAS,mBAAA,CAAyC,CAAC,YAAA,EAAc,UAAA,EAAY,KAAK,CAAC,CAAA;AACzF,EAAA,OAAO,MAAA,CAAO,MAAA;AAChB;AAZgB,MAAA,CAAAI,UAAAA,EAAA,WAAA,CAAA;AAehB,eAAsBC,YAAAA,CAAY,QAAgBF,eAAAA,EAA+D;AAC/G,EAAA,MAAM,UAAU,cAAA,EAAe;AAC/B,EAAA,IAAI,OAAA,CAAQ,SAAS,MAAA,EAAQ;AAC3B,IAAA,OAAmB,YAAY,KAAK,CAAA;AAAA,EACtC;AACA,EAAA,OAAO,mBAAA,CAA0D,CAAC,cAAA,EAAgB,UAAA,EAAY,KAAK,CAAC,CAAA;AACtG;AANsB,MAAA,CAAAE,YAAAA,EAAA,aAAA,CAAA;AAStB,eAAsB,SAAA,CAAU,QAAgBF,eAAAA,EAA+B;AAC7E,EAAA,IAAI,CAACC,UAAAA,CAAU,KAAK,CAAA,EAAG;AACrB,IAAA,MAAMC,aAAY,KAAK,CAAA;AAAA,EACzB;AACF;AAJsB,MAAA,CAAA,SAAA,EAAA,WAAA,CAAA;AActB,eAAsBC,aAAAA,CAAa,SAAA,EAAmB,KAAA,GAAgBH,eAAAA,EAAiC;AACrG,EAAA,MAAM,UAAU,cAAA,EAAe;AAC/B,EAAA,IAAI,OAAA,CAAQ,SAAS,MAAA,EAAQ;AAC3B,IAAA,OAAmB,YAAA,CAAa,WAAW,KAAK,CAAA;AAAA,EAClD;AAEA,EAAA,MAAM,WAAW,MAAA,CAAO,IAAA,CAAK,WAAW,OAAO,CAAA,CAAE,SAAS,QAAQ,CAAA;AAClE,EAAA,IAAI,OAAM,EAAG;AAEX,IAAA,MAAM,aAAa,mBAAA,EAAoB;AACvC,IAAA,IAAI,CAAC,UAAA,EAAY,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAC1D,IAAA,MAAM,IAAA,GAAO,UAAU,UAAA,EAAY,CAAC,WAAW,UAAA,EAAY,KAAA,EAAO,cAAc,CAAA,EAAG;AAAA,MACjF,KAAA,EAAO,QAAA;AAAA,MACP,QAAA,EAAU,OAAA;AAAA,MACV,OAAA,EAAS;AAAA,KACV,CAAA;AACD,IAAA,IAAI,IAAA,CAAK,KAAA,EAAO,MAAM,IAAA,CAAK,KAAA;AAC3B,IAAA,MAAMI,UAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA;AAC5C,IAAA,IAAIA,QAAO,KAAA,EAAO,MAAM,IAAI,KAAA,CAAMA,QAAO,KAAK,CAAA;AAC9C,IAAA,OAAOA,OAAAA,CAAO,UAAA;AAAA,EAChB;AACA,EAAA,MAAM,MAAA,GAAS,oBAA4C,CAAC,SAAA,EAAW,YAAY,KAAA,EAAO,QAAA,EAAU,QAAQ,CAAC,CAAA;AAC7G,EAAA,OAAO,MAAA,CAAO,UAAA;AAChB;AAvBsB,MAAA,CAAAD,aAAAA,EAAA,cAAA,CAAA;AAgCtB,eAAsBE,aAAAA,CAAa,UAAA,EAAoB,KAAA,GAAgBL,eAAAA,EAAiC;AACtG,EAAA,MAAM,UAAU,cAAA,EAAe;AAC/B,EAAA,IAAI,OAAA,CAAQ,SAAS,MAAA,EAAQ;AAC3B,IAAAH,OAAM,kCAAkC,CAAA;AACxC,IAAA,OAAmB,YAAA,CAAa,YAAY,KAAK,CAAA;AAAA,EACnD;AAIA,EAAA,IAAI,QAAQ,kBAAA,EAAoB;AAC9B,IAAA,IAAI,OAAM,EAAG;AACX,MAAAA,OAAM,uDAAuD,CAAA;AAC7D,MAAA,MAAM,aAAa,mBAAA,EAAoB;AACvC,MAAA,IAAI,CAAC,UAAA,EAAY,MAAM,IAAI,MAAM,yBAAyB,CAAA;AAC1D,MAAA,MAAM,kBAAA,GAAqB,wBAAA,CAAyB,UAAA,EAAY,IAAK,CAAA;AACrE,MAAA,MAAM,gBAAA,GAAmB,kBAAA,IAAsB,+BAAA,CAAgC,UAAU,CAAA;AACzF,MAAA,IAAI,CAAC,sBAAsB,gBAAA,EAAkB;AAC3C,QAAA,2BAAA,CAA4B,UAAU,CAAA;AAAA,MACxC;AAIA,MAAA,MAAM,YAAA,GAAe,KAAK,SAAA,CAAU;AAAA,QAClC,IAAA,EAAM,UAAA;AAAA,QACN,OAAO,gBAAA;AAAiB,OACzB,CAAA;AACD,MAAA,MAAM,YAAA,mBAAe,MAAA,CAAA,CAAC,OAAA,KAAoB,SAAA,CAAU,UAAA,EAAY,CAAC,SAAA,EAAW,UAAA,EAAY,KAAA,EAAO,cAAA,EAAgB,cAAc,CAAA,EAAG;AAAA,QAC9H,KAAA,EAAO,YAAA;AAAA,QACP,QAAA,EAAU,OAAA;AAAA,QACV;AAAA,OACD,CAAA,EAJoB,cAAA,CAAA;AAMrB,MAAA,IAAI,IAAA,GAAO,YAAA,CAAa,gBAAA,GAAmB,IAAA,GAAU,GAAM,CAAA;AAE3D,MAAA,MAAM,UAAU,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,EAAK;AACvD,MAAA,MAAM,QAAA,GAAW,IAAA,CAAK,KAAA,IAAU,IAAA,CAAK,MAAgC,IAAA,KAAS,WAAA;AAC9E,MAAA,MAAM,aAAa,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,IAAK,KAAK,MAAA,KAAW,CAAA;AAC1D,MAAA,MAAM,wBAAA,GAA2B,QAAA,IAC5B,iGAAA,CAAkG,IAAA,CAAK,MAAM,CAAA;AAElH,MAAA,IAAI,cAAc,wBAAA,EAA0B;AAC1C,QAAAA,OAAM,CAAA,+FAAA,EAAkG,MAAA,CAAO,MAAM,CAAA,EAAG,GAAG,CAAC,CAAA,CAAE,CAAA;AAC9H,QAAA,IAAI,+BAAA,CAAgC,UAAU,CAAA,EAAG;AAE/C,UAAA,IAAA,GAAO,aAAa,IAAO,CAAA;AAAA,QAC7B;AAAA,MACF;AAEA,MAAA,IAAI,IAAA,CAAK,KAAA,EAAO,MAAM,IAAA,CAAK,KAAA;AAC3B,MAAA,IAAI,IAAA,CAAK,WAAW,CAAA,EAAG;AACrB,QAAA,MAAM,eAAe,IAAA,CAAK,MAAA,IAAU,IAAA,CAAK,MAAA,IAAU,IAAI,IAAA,EAAK;AAC5D,QAAA,IAAI;AACF,UAAA,MAAM,MAAA,GAAS,IAAA,CAAK,KAAA,CAAM,WAAW,CAAA;AACrC,UAAA,IAAI,OAAO,KAAA,EAAO,MAAM,IAAI,KAAA,CAAM,OAAO,KAAK,CAAA;AAAA,QAChD,CAAA,CAAA,MAAQ;AAAA,QAAiB;AAEzB,QAAA,MAAM,WAAA,GAAc,qBAAqB,UAAU,CAAA;AACnD,QAAA,MAAM,YAAY,WAAA,GACd;AAAA;AAAA,qCAAA,EAAmF,WAAW,CAAA,cAAA,CAAA,GAC9F,EAAA;AACJ,QAAA,MAAM,IAAI,MAAM,CAAA,qBAAA,EAAwB,IAAA,CAAK,MAAM,CAAA,GAAA,EAAM,WAAW,CAAA,EAAG,SAAS,CAAA,CAAE,CAAA;AAAA,MACpF;AAEA,MAAA,MAAMO,UAAS,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,MAAA,CAAO,MAAM,CAAA;AAC5C,MAAA,IAAIA,QAAO,KAAA,EAAO,MAAM,IAAI,KAAA,CAAMA,QAAO,KAAK,CAAA;AAC9C,MAAAP,MAAAA,CAAM,CAAA,2BAAA,EAA8B,IAAA,CAAK,MAAA,CAAO,IAAA,GAAO,KAAA,CAAM,CAAA,EAAG,GAAG,CAAC,CAAA,CAAE,CAAA;AACtE,MAAA,OAAOO,OAAAA,CAAO,SAAA;AAAA,IAChB;AACA,IAAAP,OAAM,mDAAmD,CAAA;AACzD,IAAA,MAAM,SAAS,eAAA,EAAgB;AAC/B,IAAA,OAAO,MAAA,CAAO,OAAA,CAAQ,UAAA,EAAY,KAAK,CAAA;AAAA,EACzC;AAGA,EAAAA,OAAM,8CAA8C,CAAA;AACpD,EAAA,MAAM,MAAA,GAAS,oBAA2C,CAAC,SAAA,EAAW,YAAY,KAAA,EAAO,QAAA,EAAU,UAAU,CAAC,CAAA;AAC9G,EAAA,OAAO,MAAA,CAAO,SAAA;AAChB;AA7EsB,MAAA,CAAAQ,aAAAA,EAAA,cAAA,CAAA;AAmFtB,eAAsB,WAAA,GAA6B;AACjD,EAAA,MAAM,UAAU,cAAA,EAAe;AAC/B,EAAA,IAAI,CAAC,QAAQ,kBAAA,EAAoB;AACjC,EAAA,MAAM,SAAS,eAAA,EAAgB;AAC/B,EAAA,MAAM,SAAA,GAAY,MAAM,MAAA,CAAO,UAAA,EAAW;AAC1C,EAAA,IAAI,CAAC,SAAA,EAAW;AACd,IAAA,MAAM,IAAI,MAAM,iCAAiC,CAAA;AAAA,EACnD;AACA,EAAA,MAAM,OAAO,iBAAA,EAAkB;AACjC;AATsB,MAAA,CAAA,WAAA,EAAA,aAAA,CAAA","file":"chunk-YWTIKDGU.js","sourcesContent":["/**\n * Resolves the path to the platform-specific native helper binary.\n *\n * Resolution order:\n * 1. SEA sibling: same directory as the running varlock binary (install.sh, standalone)\n * 1b. SEA libexec: ../libexec/ relative to the binary (homebrew convention)\n * 2. Bundled in npm package: native-bins/<platform>[-<arch>]/ within the varlock package\n * 3. Dev fallback: walk up from __dirname to find build output\n *\n * Returns undefined if no binary is found (file-based fallback will be used instead).\n */\n\nimport path from 'node:path';\nimport fs from 'node:fs';\nimport { fileURLToPath } from 'node:url';\nimport { isWSL } from './wsl-detect';\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\n/** Debug logger — prints to stderr when VARLOCK_DEBUG is set */\nfunction debug(msg: string) {\n if (process.env.VARLOCK_DEBUG) {\n process.stderr.write(`[varlock:binary-resolver] ${msg}\\n`);\n }\n}\n\nconst BINARY_NAME = 'varlock-local-encrypt';\nconst MACOS_APP_BUNDLE = 'VarlockEnclave.app';\n\n/**\n * Resolve the varlock package root by walking up from this module until we\n * find package.json with name=varlock. This is robust across src/dist layouts.\n */\nfunction resolvePackageRoot(): string {\n let dir = __dirname;\n for (let i = 0; i < 10; i++) {\n const pkgJsonPath = path.join(dir, 'package.json');\n if (fs.existsSync(pkgJsonPath)) {\n try {\n const pkgJson = JSON.parse(fs.readFileSync(pkgJsonPath, 'utf-8')) as { name?: string };\n if (pkgJson.name === 'varlock') return dir;\n } catch {\n // Ignore invalid/unreadable package.json and continue walking upward\n }\n }\n const parent = path.dirname(dir);\n if (parent === dir) break;\n dir = parent;\n }\n\n // Last-resort fallback for unexpected layouts.\n return path.resolve(__dirname, '..', '..', '..');\n}\n\n/** Get the binary name for the current platform */\nfunction getPlatformBinaryName(): string {\n if (process.platform === 'win32' || isWSL()) return `${BINARY_NAME}.exe`;\n return BINARY_NAME;\n}\n\n/** Get the subdirectory name within native-bins/ for the current platform */\nfunction getNativeBinSubdir(): string {\n if (process.platform === 'darwin') return 'darwin';\n if (process.platform === 'win32') return `win32-${process.arch}`;\n // WSL2: use the Windows binary for DPAPI + Windows Hello support\n if (isWSL()) return 'win32-x64';\n return `${process.platform}-${process.arch}`;\n}\n\n/**\n * Resolve the macOS .app bundle binary path, or fall back to bare binary.\n */\nfunction resolveMacOSBinary(dir: string): string | undefined {\n // Try .app bundle first (needed for custom Touch ID icon)\n const appBundlePath = path.join(dir, MACOS_APP_BUNDLE, 'Contents', 'MacOS', BINARY_NAME);\n if (fs.existsSync(appBundlePath)) return appBundlePath;\n\n // Fall back to bare binary\n const barePath = path.join(dir, BINARY_NAME);\n if (fs.existsSync(barePath)) return barePath;\n\n return undefined;\n}\n\n/**\n * Resolve the binary path for Linux/Windows.\n */\nfunction resolveStandardBinary(dir: string): string | undefined {\n const binaryPath = path.join(dir, getPlatformBinaryName());\n if (fs.existsSync(binaryPath)) return binaryPath;\n return undefined;\n}\n\n/**\n * Resolve binary from a directory, handling macOS .app bundle vs standard binary.\n */\nfunction resolveBinaryFromDir(dir: string): string | undefined {\n if (process.platform === 'darwin') return resolveMacOSBinary(dir);\n return resolveStandardBinary(dir);\n}\n\n/**\n * Strategy 1: Look for the binary next to the running varlock binary,\n * then check ../libexec/ (homebrew convention for internal helpers).\n * This is the primary path for binary/SEA distribution.\n */\nfunction resolveSeaSibling(): string | undefined {\n const execDir = path.dirname(fs.realpathSync(process.execPath));\n\n // 1a. Same directory as the binary (install.sh, standalone archives)\n const sibling = resolveBinaryFromDir(execDir);\n if (sibling) return sibling;\n\n // 1b. ../libexec/ relative to the binary (homebrew layout)\n const libexecDir = path.join(execDir, '..', 'libexec');\n return resolveBinaryFromDir(libexecDir);\n}\n\n/**\n * Strategy 2: Look for the binary bundled in the varlock npm package.\n * native-bins/<platform-subdir>/\n */\nfunction resolveNpmBundled(): string | undefined {\n const packageRoot = resolvePackageRoot();\n const nativeBinsDir = path.join(packageRoot, 'native-bins', getNativeBinSubdir());\n if (fs.existsSync(nativeBinsDir)) return resolveBinaryFromDir(nativeBinsDir);\n\n // Legacy/alternate layout: native-bins as a sibling of the package root.\n const adjacentNativeBinsDir = path.join(path.dirname(packageRoot), 'native-bins', getNativeBinSubdir());\n if (fs.existsSync(adjacentNativeBinsDir)) return resolveBinaryFromDir(adjacentNativeBinsDir);\n\n return undefined;\n}\n\n/**\n * Strategy 3: Development fallback — look for build output in the monorepo.\n * Walks up from __dirname looking for native binary build output\n */\nfunction resolveDevFallback(): string | undefined {\n let dir = __dirname;\n for (let i = 0; i < 10; i++) {\n const parent = path.dirname(dir);\n if (parent === dir) break;\n dir = parent;\n\n // Check for Swift build output (macOS)\n if (process.platform === 'darwin') {\n const swiftBuild = path.join(dir, 'packages', 'encryption-binary-swift', 'swift', '.build', 'release', 'VarlockEnclave');\n if (fs.existsSync(swiftBuild)) return swiftBuild;\n }\n\n // Check for Rust build output (Linux/Windows)\n const rustBuild = path.join(dir, 'packages', 'encryption-binary-rust', 'target', 'release', getPlatformBinaryName());\n if (fs.existsSync(rustBuild)) return rustBuild;\n }\n\n return undefined;\n}\n\n/**\n * Ensure the binary at the given path is executable.\n * GitHub Actions artifact upload/download strips execute permissions,\n * and some extraction tools may do the same.\n */\nfunction ensureExecutable(binaryPath: string): string {\n try {\n fs.accessSync(binaryPath, fs.constants.X_OK);\n } catch {\n // Not executable — try to fix it\n if (process.platform !== 'win32') {\n fs.chmodSync(binaryPath, 0o755);\n }\n }\n return binaryPath;\n}\n\n/**\n * Resolve the native helper binary path.\n * Returns undefined if no binary is found — caller should fall back to pure JS.\n */\nlet _cachedBinaryPath: string | undefined | null = null; // null = not yet resolved\n\nexport function resolveNativeBinary(): string | undefined {\n if (_cachedBinaryPath !== null) return _cachedBinaryPath;\n\n if (process.env._VARLOCK_FORCE_FILE_ENCRYPTION_FALLBACK) {\n debug('_VARLOCK_FORCE_FILE_ENCRYPTION_FALLBACK is set — skipping native binary resolution');\n _cachedBinaryPath = undefined;\n return undefined;\n }\n\n debug(`resolving: platform=${process.platform}, isWSL=${isWSL()}, binaryName=${getPlatformBinaryName()}, subdir=${getNativeBinSubdir()}`);\n\n const seaSibling = resolveSeaSibling();\n if (seaSibling) {\n debug(`resolved via SEA sibling: ${seaSibling}`);\n _cachedBinaryPath = ensureExecutable(seaSibling);\n return _cachedBinaryPath;\n }\n\n const npmBundled = resolveNpmBundled();\n if (npmBundled) {\n debug(`resolved via npm bundled: ${npmBundled}`);\n _cachedBinaryPath = ensureExecutable(npmBundled);\n return _cachedBinaryPath;\n }\n\n const devFallback = resolveDevFallback();\n if (devFallback) {\n debug(`resolved via dev fallback: ${devFallback}`);\n _cachedBinaryPath = ensureExecutable(devFallback);\n return _cachedBinaryPath;\n }\n\n debug('NOT FOUND: no binary resolved from any strategy');\n debug(` SEA sibling dir: ${path.dirname(process.execPath)}`);\n const packageRoot = resolvePackageRoot();\n debug(` npm bundled dir: ${path.join(packageRoot, 'native-bins', getNativeBinSubdir())}`);\n _cachedBinaryPath = undefined;\n return undefined;\n}\n","/**\n * Daemon client for communicating with the native encryption helper binary.\n *\n * Handles daemon lifecycle (spawn, connect, reconnect) and IPC messaging\n * using the 4-byte LE length-prefixed JSON protocol.\n *\n * - macOS/Linux: Unix domain socket\n * - Windows: named pipe (TODO)\n *\n * Generalized from the secure-enclave plugin's EnclaveDaemonClient.\n *\n * Note: WSL2 cannot connect to the Windows named-pipe daemon from the Linux\n * side. All WSL2 code paths that need biometric operations must bypass this\n * client and invoke the Windows binary directly (e.g. via --via-daemon).\n */\n\nimport net from 'node:net';\nimport path from 'node:path';\nimport fs from 'node:fs';\nimport crypto from 'node:crypto';\nimport { spawn } from 'node:child_process';\n\nimport { getUserVarlockDir } from '../user-config-dir';\nimport { resolveNativeBinary } from './binary-resolver';\nimport { isWSL } from './wsl-detect';\nimport type { KeychainItemMeta, KeychainItemRef } from './types';\n\n/** Timeout for daemon IPC messages that don't involve user interaction */\nconst SEND_TIMEOUT_MS = 30_000;\n/**\n * Timeout for messages that may trigger biometric auth (Touch ID).\n * Must exceed the Swift-side biometric timeout (60s) so the TS client\n * doesn't kill the daemon while Touch ID is still waiting for the user.\n * Killing mid-biometric can leave the process stuck in kernel UE state.\n */\nconst BIOMETRIC_TIMEOUT_MS = 90_000;\n/** Timeout for interactive messages (GUI dialogs for secret input, keychain picker) */\nconst INTERACTIVE_TIMEOUT_MS = 5 * 60_000;\n/** How long to wait for SIGTERM before escalating to SIGKILL */\nconst KILL_GRACE_MS = 2_000;\n\nfunction debug(msg: string) {\n if (process.env.VARLOCK_DEBUG) {\n process.stderr.write(`[varlock:daemon-client] ${msg}\\n`);\n }\n}\n\n/**\n * Kill a daemon process, escalating from SIGTERM to SIGKILL if it doesn't\n * die within KILL_GRACE_MS. Handles the case where the process is already dead.\n *\n * Returns true if the process is confirmed dead, false if it's stuck in an\n * unkillable state (e.g. macOS UE/uninterruptible Secure Enclave wait).\n * Callers should clean up state files and proceed regardless — a zombie\n * with no socket file is effectively dead.\n */\nfunction killDaemonProcess(pid: number): boolean {\n try {\n process.kill(pid, 'SIGTERM');\n } catch {\n return true; // already dead\n }\n\n // Poll briefly to see if SIGTERM was effective\n const start = Date.now();\n while (Date.now() - start < KILL_GRACE_MS) {\n try {\n process.kill(pid, 0);\n } catch {\n return true; // process exited\n }\n // Busy-wait in small increments (this is a rare recovery path)\n Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 100);\n }\n\n // Still alive — force kill\n debug(`daemon pid ${pid} didn't respond to SIGTERM, sending SIGKILL`);\n try {\n process.kill(pid, 'SIGKILL');\n } catch {\n return true; // already dead\n }\n\n // Give SIGKILL a moment to take effect\n const killStart = Date.now();\n while (Date.now() - killStart < 500) {\n try {\n process.kill(pid, 0);\n } catch {\n return true; // process exited\n }\n Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 50);\n }\n\n // Process is unkillable (UE state — stuck in kernel, e.g. Secure Enclave).\n // It's harmless once we remove the socket/PID files; it will clear on reboot.\n debug(`daemon pid ${pid} is unkillable (likely in uninterruptible kernel wait) — proceeding anyway`);\n return false;\n}\n\nfunction getSocketDir(): string {\n return path.join(getUserVarlockDir(), 'local-encrypt');\n}\n\nfunction getSocketPath(): string {\n if (process.platform === 'win32') {\n // Windows named pipe — fixed name shared by all varlock processes\n return '\\\\\\\\.\\\\pipe\\\\varlock-local-encrypt';\n }\n return path.join(getSocketDir(), 'daemon.sock');\n}\n\nfunction getLockPath(): string {\n return `${getSocketPath()}.lock`;\n}\n\nfunction getPidPath(): string {\n return path.join(getSocketDir(), 'daemon.pid');\n}\n\nfunction getDaemonInfoPath(): string {\n return path.join(getSocketDir(), 'daemon.info');\n}\n\n/** All state files that should be cleaned up when resetting daemon state */\nfunction getDaemonStateFiles(): Array<string> {\n const files = [getPidPath(), getDaemonInfoPath()];\n if (process.platform !== 'win32') {\n files.push(getSocketPath(), getLockPath());\n }\n return files;\n}\n\n/** Remove all daemon state files, ignoring errors */\nfunction cleanupDaemonFiles(): void {\n for (const file of getDaemonStateFiles()) {\n try {\n fs.unlinkSync(file);\n } catch { /* ignore */ }\n }\n}\n\n/**\n * Check whether the currently running daemon was spawned from the same binary\n * we would spawn now. Compares the resolved binary path and its mtime against\n * the values recorded in daemon.info when the daemon was last started.\n *\n * Returns the stale PID (to kill) if there's a mismatch or no info file\n * exists (daemon predates version tracking), or undefined if daemon is current.\n */\nfunction checkDaemonBinaryStale(): number | undefined {\n const infoPath = getDaemonInfoPath();\n const pidPath = getPidPath();\n\n let info: { binaryPath: string; binaryMtimeMs: number } | undefined;\n try {\n info = JSON.parse(fs.readFileSync(infoPath, 'utf-8'));\n } catch {\n // No info file — daemon predates version tracking, treat as stale\n }\n\n const currentBinaryPath = resolveNativeBinary();\n if (!currentBinaryPath) return undefined; // no binary available at all\n\n if (info) {\n // Path changed (e.g. new npm install, different resolution strategy)\n if (currentBinaryPath !== info.binaryPath) {\n debug(`daemon binary path changed: ${info.binaryPath} → ${currentBinaryPath}`);\n } else {\n // Same path — check if the file was updated in place\n try {\n const stat = fs.statSync(currentBinaryPath);\n if (stat.mtimeMs === info.binaryMtimeMs) {\n debug('daemon binary is current — no restart needed');\n return undefined; // same binary, daemon is current\n }\n debug(`daemon binary mtime changed: ${info.binaryMtimeMs} → ${stat.mtimeMs}`);\n } catch {\n return undefined; // can't stat, assume OK\n }\n }\n } else {\n debug('no daemon.info file — treating running daemon as stale');\n }\n\n // Binary changed — read PID so caller can kill the stale daemon\n try {\n const pid = parseInt(fs.readFileSync(pidPath, 'utf-8').trim(), 10);\n process.kill(pid, 0); // verify process is alive\n return pid;\n } catch {\n // Process already gone — clean up stale files so spawnDaemon starts clean\n debug('stale PID file points to dead process — cleaning up');\n cleanupDaemonFiles();\n return undefined;\n }\n}\n\n/** Write daemon.info recording which binary was used to spawn the daemon */\nfunction writeDaemonInfo(binaryPath: string): void {\n try {\n const stat = fs.statSync(binaryPath);\n fs.writeFileSync(getDaemonInfoPath(), JSON.stringify({\n binaryPath,\n binaryMtimeMs: stat.mtimeMs,\n }));\n } catch {\n // Non-fatal — version checking just won't work this time\n }\n}\n\nexport class DaemonClient {\n private socket: net.Socket | null = null;\n private messageQueue = new Map<string, {\n resolve: (value: any) => void;\n reject: (error: Error) => void;\n }>();\n private isConnected = false;\n private buffer = Buffer.alloc(0);\n private connectingPromise: Promise<void> | null = null;\n /** Set after we spawn a daemon in this process — skip stale check to avoid restart loops */\n private spawnedInThisProcess = false;\n\n async ensureConnected(): Promise<void> {\n if (this.isConnected && this.socket) return;\n\n // Deduplicate concurrent ensureConnected calls — multiple varlock() items\n // may resolve concurrently and all call decrypt → ensureConnected\n if (this.connectingPromise) return this.connectingPromise;\n\n this.connectingPromise = this.doConnect();\n try {\n await this.connectingPromise;\n } finally {\n this.connectingPromise = null;\n }\n }\n\n /**\n * Try to connect to an existing daemon without spawning a new one.\n * Returns true if connected, false if no daemon is running.\n */\n async tryConnect(): Promise<boolean> {\n if (this.isConnected && this.socket) return true;\n const socketPath = getSocketPath();\n try {\n await this.connectToSocket(socketPath);\n return true;\n } catch {\n return false;\n }\n }\n\n private async doConnect(): Promise<void> {\n const socketPath = getSocketPath();\n\n // Check if a running daemon was spawned from a stale binary\n const stalePid = this.spawnedInThisProcess ? undefined : checkDaemonBinaryStale();\n if (stalePid) {\n debug(`killing stale daemon (pid ${stalePid}) — binary has been updated`);\n killDaemonProcess(stalePid);\n cleanupDaemonFiles();\n } else {\n try {\n await this.connectToSocket(socketPath);\n return;\n } catch {\n // Daemon not running, spawn it\n }\n }\n\n try {\n await this.spawnDaemon();\n } catch (err) {\n // Another process may have won the race to spawn the daemon.\n // Wait briefly for it to be ready, then try connecting.\n debug(`spawnDaemon failed: ${err instanceof Error ? err.message : err}`);\n await new Promise<void>((r) => {\n setTimeout(r, 1000);\n });\n }\n await this.connectToSocket(socketPath);\n }\n\n async decrypt(ciphertext: string, keyId = 'varlock-default'): Promise<string> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n const result = await this.sendMessage({\n action: 'decrypt',\n payload: { ciphertext, keyId },\n }, BIOMETRIC_TIMEOUT_MS);\n if (typeof result === 'string') return result;\n if (result && typeof result === 'object' && 'error' in result) {\n throw new Error(String(result.error));\n }\n return String(result);\n });\n }\n\n async promptSecret(opts?: {\n itemKey?: string;\n message?: string;\n keyId?: string;\n }): Promise<string | undefined> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n try {\n const result = await this.sendMessage({\n action: 'prompt-secret',\n payload: {\n itemKey: opts?.itemKey,\n message: opts?.message,\n keyId: opts?.keyId,\n },\n }, INTERACTIVE_TIMEOUT_MS);\n if (result && typeof result === 'object' && 'ciphertext' in result) {\n return result.ciphertext as string;\n }\n return undefined;\n } catch (err) {\n if (err instanceof Error && err.message === 'cancelled') return undefined;\n throw err;\n }\n });\n }\n\n async invalidateSession(): Promise<void> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n await this.sendMessage({ action: 'invalidate-session' });\n });\n }\n\n async keychainGet(opts: { service?: string; account?: string; keychain?: string; field?: string }): Promise<string> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n // Password reads may trigger biometric; metadata field reads won't,\n // but we use the biometric timeout for both since it's harmless.\n const result = await this.sendMessage({\n action: 'keychain-get',\n payload: opts,\n }, BIOMETRIC_TIMEOUT_MS);\n if (typeof result === 'string') return result;\n if (result && typeof result === 'object' && 'error' in result) {\n throw new Error(String(result.error));\n }\n return String(result);\n });\n }\n\n async keychainSearch(opts?: { query?: string; keychain?: string }): Promise<Array<KeychainItemMeta>> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n const result = await this.sendMessage({\n action: 'keychain-search',\n payload: opts ?? {},\n });\n return (result ?? []) as Array<KeychainItemMeta>;\n });\n }\n\n async keychainPick(opts?: { itemKey?: string }): Promise<KeychainItemRef | undefined> {\n return this.withRetry(async () => {\n await this.ensureConnected();\n try {\n const result = await this.sendMessage({\n action: 'keychain-pick',\n payload: { itemKey: opts?.itemKey },\n }, INTERACTIVE_TIMEOUT_MS);\n if (result && typeof result === 'object' && 'service' in result) {\n return result as KeychainItemRef;\n }\n return undefined;\n } catch (err) {\n if (err instanceof Error && err.message === 'cancelled') return undefined;\n throw err;\n }\n });\n }\n\n cleanup(): void {\n for (const { reject } of this.messageQueue.values()) {\n reject(new Error('Connection closed'));\n }\n this.messageQueue.clear();\n this.socket?.end();\n this.socket = null;\n this.isConnected = false;\n this.buffer = Buffer.alloc(0);\n }\n\n // -- Private --\n\n /**\n * Run an async operation, and on recoverable failure (timeout, connection\n * closed) clean up, reconnect to the daemon, and retry once.\n */\n private async withRetry<T>(fn: () => Promise<T>): Promise<T> {\n try {\n return await fn();\n } catch (err) {\n const msg = err instanceof Error ? err.message : '';\n const recoverable = msg.includes('timed out')\n || msg.includes('connection closed')\n || msg.includes('Not connected');\n if (!recoverable) throw err;\n\n debug(`recoverable error, reconnecting: ${msg}`);\n this.forceCleanup();\n await this.ensureConnected();\n return await fn();\n }\n }\n\n /**\n * Aggressive cleanup: kill the daemon process if we know its PID,\n * then reset client state so the next ensureConnected spawns fresh.\n */\n private forceCleanup(): void {\n this.cleanup();\n this.spawnedInThisProcess = false; // allow stale-binary check on reconnect\n\n // Try to kill the daemon by PID so we don't reconnect to a broken process\n try {\n const pid = parseInt(fs.readFileSync(getPidPath(), 'utf-8').trim(), 10);\n killDaemonProcess(pid);\n } catch { /* no PID file or already dead */ }\n\n // Remove stale files so spawnDaemon starts clean\n cleanupDaemonFiles();\n }\n\n private connectToSocket(socketPath: string): Promise<void> {\n return new Promise((resolve, reject) => {\n const socket = new net.Socket();\n const timeout = setTimeout(() => {\n socket.destroy();\n reject(new Error('Connection timeout'));\n }, 5000);\n\n socket.on('connect', () => {\n clearTimeout(timeout);\n this.socket = socket;\n this.isConnected = true;\n this.buffer = Buffer.alloc(0);\n resolve();\n });\n\n socket.on('data', (data: Buffer) => {\n this.handleData(data);\n });\n\n socket.on('error', (err) => {\n clearTimeout(timeout);\n this.isConnected = false;\n reject(err);\n });\n\n socket.on('close', () => {\n this.isConnected = false;\n this.socket = null;\n // Reject all pending messages so callers don't hang\n for (const { reject: rej } of this.messageQueue.values()) {\n rej(new Error('Daemon connection closed'));\n }\n this.messageQueue.clear();\n this.buffer = Buffer.alloc(0);\n });\n\n socket.connect(socketPath);\n });\n }\n\n private handleData(data: Buffer): void {\n this.buffer = Buffer.concat([this.buffer, data]);\n\n while (this.buffer.length >= 4) {\n const messageLength = this.buffer.readUInt32LE(0);\n if (this.buffer.length < 4 + messageLength) break;\n\n const messageData = this.buffer.subarray(4, 4 + messageLength);\n this.buffer = this.buffer.subarray(4 + messageLength);\n\n try {\n const message = JSON.parse(messageData.toString());\n if (message.id && this.messageQueue.has(message.id)) {\n const { resolve: res, reject: rej } = this.messageQueue.get(message.id)!;\n this.messageQueue.delete(message.id);\n if (message.error) {\n rej(new Error(message.error));\n } else {\n res(message.result);\n }\n }\n } catch {\n // Ignore malformed messages\n }\n }\n }\n\n private sendMessage(message: Record<string, any>, timeoutMs = SEND_TIMEOUT_MS): Promise<any> {\n return new Promise((resolve, reject) => {\n if (!this.isConnected || !this.socket) {\n reject(new Error('Not connected to daemon'));\n return;\n }\n\n const messageId = `${Date.now().toString(36)}-${crypto.randomBytes(4).toString('hex')}`;\n const messageWithId = { ...message, id: messageId };\n const jsonData = JSON.stringify(messageWithId);\n const messageBytes = Buffer.from(jsonData, 'utf-8');\n\n const lengthBuf = Buffer.alloc(4);\n lengthBuf.writeUInt32LE(messageBytes.length, 0);\n\n // Timeout to prevent hanging forever on a stuck daemon\n const timeout = setTimeout(() => {\n this.messageQueue.delete(messageId);\n reject(new Error(`Daemon message timed out after ${timeoutMs}ms (action: ${message.action})`));\n }, timeoutMs);\n\n this.messageQueue.set(messageId, {\n resolve: (value) => {\n clearTimeout(timeout);\n resolve(value);\n },\n reject: (err) => {\n clearTimeout(timeout);\n reject(err);\n },\n });\n this.socket.write(Buffer.concat([lengthBuf, messageBytes]));\n });\n }\n\n private async spawnDaemon(): Promise<void> {\n // WSL2: the Windows daemon listens on a Windows named pipe that Linux\n // sockets cannot connect to. All WSL2 biometric operations must bypass\n // DaemonClient and invoke the Windows binary directly via --via-daemon.\n // If we somehow reach this point on WSL2, fail fast with a clear message\n // rather than spawning a broken daemon or hanging indefinitely.\n if (isWSL()) {\n throw new Error(\n 'DaemonClient is not supported on WSL2. The Windows encryption daemon uses a Windows named pipe that Linux socket APIs cannot connect to. Use the Windows binary directly instead.',\n );\n }\n\n const binaryPath = resolveNativeBinary();\n if (!binaryPath) {\n throw new Error('Native encryption binary not found — cannot start daemon');\n }\n\n const socketPath = getSocketPath();\n const pidPath = getPidPath();\n const isWindows = process.platform === 'win32';\n\n // Ensure PID directory exists (don't mkdir for Windows pipe paths)\n if (!isWindows) {\n fs.mkdirSync(path.dirname(socketPath), { recursive: true });\n }\n fs.mkdirSync(path.dirname(pidPath), { recursive: true });\n\n // Check for existing daemon via PID\n if (fs.existsSync(pidPath)) {\n try {\n const pid = parseInt(fs.readFileSync(pidPath, 'utf-8').trim(), 10);\n process.kill(pid, 0); // Throws if process doesn't exist\n\n // Process is alive — verify it's actually responsive on the socket\n try {\n await this.connectToSocket(socketPath);\n return; // daemon is alive and accepting connections\n } catch {\n // Alive but socket unresponsive — kill it and respawn\n debug(`daemon pid ${pid} alive but socket unresponsive — killing`);\n killDaemonProcess(pid);\n }\n } catch {\n // Stale PID file — clean up both PID and socket\n }\n }\n\n // Clean up stale files before spawning\n cleanupDaemonFiles();\n if (!isWindows && fs.existsSync(socketPath)) {\n throw new Error(`Failed to clean up stale socket file: ${socketPath}`);\n }\n\n return new Promise((resolve, reject) => {\n const child = spawn(binaryPath, [\n 'daemon',\n '--socket-path',\n socketPath,\n '--pid-path',\n pidPath,\n ], {\n detached: true,\n stdio: ['ignore', 'pipe', 'pipe'],\n });\n\n const timeout = setTimeout(() => {\n reject(new Error('Daemon failed to start within timeout'));\n }, 10000);\n\n let stdoutData = '';\n let stderrData = '';\n\n child.stdout!.on('data', (data: Buffer) => {\n stdoutData += data.toString();\n try {\n const parsed = JSON.parse(stdoutData);\n if (parsed.ready) {\n clearTimeout(timeout);\n writeDaemonInfo(binaryPath);\n this.spawnedInThisProcess = true;\n child.unref();\n child.stdout!.destroy();\n child.stderr!.destroy();\n resolve();\n }\n } catch {\n // Incomplete JSON, keep buffering\n }\n });\n\n child.stderr!.on('data', (data: Buffer) => {\n stderrData += data.toString();\n });\n\n child.on('error', (err) => {\n clearTimeout(timeout);\n reject(new Error(`Failed to spawn daemon: ${err.message}`));\n });\n\n child.on('exit', (code) => {\n clearTimeout(timeout);\n if (code !== 0) {\n const details = [\n stderrData.trim() && `stderr: ${stderrData.trim()}`,\n stdoutData.trim() && `stdout: ${stdoutData.trim()}`,\n `binary: ${binaryPath}`,\n `socket: ${socketPath}`,\n ].filter(Boolean).join('\\n');\n reject(new Error(`Daemon exited with code ${code}\\n${details}`));\n }\n });\n });\n }\n}\n","/**\n * Pure JS ECIES implementation using Node.js Web Crypto API.\n *\n * Wire-compatible with the Swift Secure Enclave implementation:\n * - P-256 ECDH key agreement\n * - HKDF-SHA256 (salt: \"varlock-ecies-v1\", info: ephemeralPub || recipientPub)\n * - AES-256-GCM with random 12-byte nonce\n * - Payload: version(1) | ephemeralPubKey(65) | nonce(12) | ciphertext(N) | tag(16)\n *\n * Adapted from PR #19's apple-crypto.ts, modified to match the custom ECIES scheme\n * used by the Swift SecureEnclaveManager rather than Apple's built-in variant.\n */\n\nimport { webcrypto } from 'node:crypto';\n\nconst subtle = webcrypto.subtle;\n\nconst PAYLOAD_VERSION = 0x01;\nconst HKDF_SALT = new TextEncoder().encode('varlock-ecies-v1');\nconst EC_ALGORITHM = { name: 'ECDH', namedCurve: 'P-256' };\n\n/** Uncompressed P-256 public key is 65 bytes (0x04 || x(32) || y(32)) */\nconst PUBLIC_KEY_LENGTH = 65;\nconst NONCE_LENGTH = 12;\nconst TAG_LENGTH = 16;\nconst HEADER_LENGTH = 1 + PUBLIC_KEY_LENGTH + NONCE_LENGTH; // version + pubkey + nonce\n\n// Bun's types are stricter about BufferSource (requires ArrayBuffer, not ArrayBufferLike).\n// This type assertion is safe — we always work with standard ArrayBuffers.\n\nconst bs = (data: Uint8Array | ArrayBuffer) => data as any;\n\n// ── Key types ──────────────────────────────────────────────────────────\n\nexport interface EcKeyPair {\n /** Base64-encoded uncompressed P-256 public key (65 bytes raw) */\n publicKey: string;\n /** Base64-encoded PKCS8 private key */\n privateKey: string;\n}\n\n// ── Utilities ──────────────────────────────────────────────────────────\n\nfunction concatBuffers(...buffers: Array<Uint8Array>): Uint8Array {\n const totalLength = buffers.reduce((sum, b) => sum + b.length, 0);\n const result = new Uint8Array(totalLength);\n let offset = 0;\n for (const buf of buffers) {\n result.set(buf, offset);\n offset += buf.length;\n }\n return result;\n}\n\nfunction bufferToBase64(buffer: ArrayBuffer | Uint8Array): string {\n if (buffer instanceof Uint8Array) {\n return Buffer.from(buffer.buffer, buffer.byteOffset, buffer.byteLength).toString('base64');\n }\n return Buffer.from(buffer).toString('base64');\n}\n\nfunction base64ToUint8(base64: string): Uint8Array {\n const buf = Buffer.from(base64, 'base64');\n return new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);\n}\n\n// ── HKDF-SHA256 ────────────────────────────────────────────────────────\n\n/**\n * HKDF-SHA256 (RFC 5869) — matches the Swift SecureEnclaveManager.deriveKey implementation.\n *\n * We implement this manually rather than using Web Crypto's built-in HKDF because\n * the Web Crypto HKDF requires importing the input key material as a CryptoKey,\n * which adds complexity. This manual implementation is a direct port of the Swift code.\n */\nasync function hkdfSha256(\n ikm: Uint8Array,\n salt: Uint8Array,\n info: Uint8Array,\n outputByteCount: number,\n): Promise<Uint8Array> {\n // HKDF-Extract: PRK = HMAC-SHA256(salt, IKM)\n const saltKey = await subtle.importKey('raw', bs(salt), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);\n const prk = new Uint8Array(await subtle.sign('HMAC', saltKey, bs(ikm)));\n\n // HKDF-Expand: OKM = T(1) || T(2) || ...\n const prkKey = await subtle.importKey('raw', bs(prk), { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);\n const okm = new Uint8Array(outputByteCount);\n let t = new Uint8Array(0);\n let offset = 0;\n let counter = 1;\n\n while (offset < outputByteCount) {\n const input = concatBuffers(t, info, new Uint8Array([counter]));\n t = new Uint8Array(await subtle.sign('HMAC', prkKey, bs(input)));\n okm.set(t.slice(0, Math.min(t.length, outputByteCount - offset)), offset);\n offset += t.length;\n counter++;\n }\n\n return okm;\n}\n\n// ── Key management ─────────────────────────────────────────────────────\n\n/** Import a public key from its base64-encoded uncompressed representation. */\nasync function importPublicKey(base64: string): Promise<CryptoKey> {\n return subtle.importKey('raw', bs(base64ToUint8(base64)), EC_ALGORITHM, true, []);\n}\n\n/** Import a private key from its base64-encoded PKCS8 representation. */\nasync function importPrivateKey(base64: string): Promise<CryptoKey> {\n return subtle.importKey('pkcs8', bs(base64ToUint8(base64)), EC_ALGORITHM, true, ['deriveBits']);\n}\n\n/** Generate a new P-256 ECDH key pair. */\nexport async function createKeyPair(): Promise<EcKeyPair> {\n const keyPair = await subtle.generateKey(EC_ALGORITHM, true, ['deriveBits']);\n\n const publicKeyRaw = await subtle.exportKey('raw', keyPair.publicKey);\n const privateKeyPkcs8 = await subtle.exportKey('pkcs8', keyPair.privateKey);\n\n return {\n publicKey: bufferToBase64(publicKeyRaw),\n privateKey: bufferToBase64(privateKeyPkcs8),\n };\n}\n\n// ── ECIES encrypt ──────────────────────────────────────────────────────\n\n/**\n * Encrypt plaintext using ECIES with the recipient's public key.\n *\n * @param publicKeyBase64 - Base64-encoded uncompressed P-256 public key (65 bytes raw)\n * @param plaintext - UTF-8 string to encrypt\n * @returns Base64-encoded ciphertext payload\n */\nexport async function encrypt(publicKeyBase64: string, plaintext: string): Promise<string> {\n const recipientPublicKey = await importPublicKey(publicKeyBase64);\n const recipientPubKeyRaw = base64ToUint8(publicKeyBase64);\n\n // Generate ephemeral key pair\n const ephemeralKeyPair = await subtle.generateKey(EC_ALGORITHM, true, ['deriveBits']);\n const ephemeralPubKeyRaw = new Uint8Array(await subtle.exportKey('raw', ephemeralKeyPair.publicKey));\n\n // ECDH: ephemeral private × recipient public → shared secret (32 bytes for P-256)\n const sharedSecretBits = await subtle.deriveBits(\n { name: 'ECDH', public: recipientPublicKey },\n ephemeralKeyPair.privateKey,\n 256,\n );\n const sharedSecret = new Uint8Array(sharedSecretBits);\n\n // HKDF-SHA256 → AES-256 key\n const info = concatBuffers(ephemeralPubKeyRaw, recipientPubKeyRaw);\n const aesKey = await hkdfSha256(sharedSecret, HKDF_SALT, info, 32);\n\n // AES-256-GCM encrypt\n const nonce = webcrypto.getRandomValues(new Uint8Array(NONCE_LENGTH));\n const plaintextBytes = new TextEncoder().encode(plaintext);\n\n const cryptoKey = await subtle.importKey('raw', bs(aesKey), 'AES-GCM', false, ['encrypt']);\n const encrypted = new Uint8Array(\n await subtle.encrypt({ name: 'AES-GCM', iv: bs(nonce), tagLength: TAG_LENGTH * 8 }, cryptoKey, bs(plaintextBytes)),\n );\n\n // Web Crypto appends the tag to ciphertext — split them to match Swift format\n const ciphertext = encrypted.slice(0, encrypted.length - TAG_LENGTH);\n const tag = encrypted.slice(encrypted.length - TAG_LENGTH);\n\n // Assemble payload: version(1) | ephemeralPub(65) | nonce(12) | ciphertext(N) | tag(16)\n const payload = concatBuffers(\n new Uint8Array([PAYLOAD_VERSION]),\n ephemeralPubKeyRaw,\n nonce,\n ciphertext,\n tag,\n );\n\n return bufferToBase64(payload);\n}\n\n// ── ECIES decrypt ──────────────────────────────────────────────────────\n\n/**\n * Decrypt ciphertext using ECIES with the recipient's private key.\n *\n * @param privateKeyBase64 - Base64-encoded PKCS8 private key\n * @param publicKeyBase64 - Base64-encoded uncompressed P-256 public key of the recipient\n * @param ciphertextBase64 - Base64-encoded ciphertext payload\n * @returns Decrypted UTF-8 string\n */\nexport async function decrypt(\n privateKeyBase64: string,\n publicKeyBase64: string,\n ciphertextBase64: string,\n): Promise<string> {\n const payloadBytes = base64ToUint8(ciphertextBase64);\n\n if (payloadBytes.byteLength < HEADER_LENGTH + TAG_LENGTH) {\n throw new Error('Payload too short');\n }\n\n // Parse payload\n const version = payloadBytes[0];\n if (version !== PAYLOAD_VERSION) {\n throw new Error(`Unsupported payload version: ${version}`);\n }\n\n const ephemeralPubKeyRaw = payloadBytes.slice(1, 1 + PUBLIC_KEY_LENGTH);\n const nonce = payloadBytes.slice(1 + PUBLIC_KEY_LENGTH, HEADER_LENGTH);\n const ciphertextAndTag = payloadBytes.slice(HEADER_LENGTH);\n\n if (ciphertextAndTag.length < TAG_LENGTH) {\n throw new Error('Payload too short for tag');\n }\n\n // Import keys\n const privateKey = await importPrivateKey(privateKeyBase64);\n const ephemeralPublicKey = await subtle.importKey('raw', bs(ephemeralPubKeyRaw), EC_ALGORITHM, true, []);\n\n // Recipient public key bytes for HKDF info\n const recipientPubKeyRaw = base64ToUint8(publicKeyBase64);\n\n // ECDH: recipient private × ephemeral public → shared secret\n const sharedSecretBits = await subtle.deriveBits(\n { name: 'ECDH', public: ephemeralPublicKey },\n privateKey,\n 256,\n );\n const sharedSecret = new Uint8Array(sharedSecretBits);\n\n // HKDF-SHA256 → AES-256 key (must match encrypt side)\n const info = concatBuffers(ephemeralPubKeyRaw, recipientPubKeyRaw);\n const aesKey = await hkdfSha256(sharedSecret, HKDF_SALT, info, 32);\n\n // AES-256-GCM decrypt\n // Web Crypto expects ciphertext + tag concatenated\n const cryptoKey = await subtle.importKey('raw', bs(aesKey), 'AES-GCM', false, ['decrypt']);\n try {\n const decrypted = await subtle.decrypt(\n { name: 'AES-GCM', iv: bs(nonce), tagLength: TAG_LENGTH * 8 },\n cryptoKey,\n bs(ciphertextAndTag), // already ciphertext || tag\n );\n return new TextDecoder().decode(decrypted);\n } catch (err) {\n throw new Error(\n 'Unable to decrypt value',\n { cause: err },\n );\n }\n}\n","/**\n * File-based local encryption backend.\n *\n * Stores P-256 ECDH key pairs as JSON files on disk with restricted permissions.\n * Uses the pure JS ECIES implementation for all crypto operations.\n * Works on all platforms — no native binary required.\n */\n\nimport fs from 'node:fs';\nimport path from 'node:path';\nimport { getUserVarlockDir } from '../user-config-dir';\nimport { createKeyPair, encrypt, decrypt } from './crypto';\n\nconst KEY_STORE_SUBDIR = 'local-encrypt/keys';\nconst DEFAULT_KEY_ID = 'varlock-default';\n\ninterface StoredKeyPair {\n keyId: string;\n publicKey: string;\n privateKey: string;\n protectedPrivateKey?: string;\n protection?: 'none' | string;\n createdAt: string;\n}\n\nfunction getKeyStorePath(): string {\n return path.join(getUserVarlockDir(), KEY_STORE_SUBDIR);\n}\n\nfunction getKeyFilePath(keyId: string): string {\n return path.join(getKeyStorePath(), `${keyId}.json`);\n}\n\n// ── Key management ─────────────────────────────────────────────────────\n\nexport function keyExists(keyId: string = DEFAULT_KEY_ID): boolean {\n return fs.existsSync(getKeyFilePath(keyId));\n}\n\nexport async function generateKey(keyId: string = DEFAULT_KEY_ID): Promise<{ keyId: string; publicKey: string }> {\n const keyPair = await createKeyPair();\n\n const stored: StoredKeyPair = {\n keyId,\n publicKey: keyPair.publicKey,\n privateKey: keyPair.privateKey,\n createdAt: new Date().toISOString(),\n };\n\n const keyStorePath = getKeyStorePath();\n fs.mkdirSync(keyStorePath, { recursive: true });\n\n const filePath = getKeyFilePath(keyId);\n fs.writeFileSync(filePath, JSON.stringify(stored, null, 2), { mode: 0o600 });\n\n return { keyId, publicKey: keyPair.publicKey };\n}\n\nexport function deleteKey(keyId: string = DEFAULT_KEY_ID): boolean {\n const filePath = getKeyFilePath(keyId);\n try {\n fs.unlinkSync(filePath);\n return true;\n } catch {\n return false;\n }\n}\n\nexport function listKeys(): Array<string> {\n const keyStorePath = getKeyStorePath();\n try {\n return fs.readdirSync(keyStorePath)\n .filter((f) => f.endsWith('.json'))\n .map((f) => f.slice(0, -5));\n } catch {\n return [];\n }\n}\n\n// ── Internal key loading ───────────────────────────────────────────────\n\nfunction loadKeyPair(keyId: string): StoredKeyPair {\n const filePath = getKeyFilePath(keyId);\n if (!fs.existsSync(filePath)) {\n throw new Error(`Key not found: ${keyId}`);\n }\n const data = fs.readFileSync(filePath, 'utf-8');\n const parsed = JSON.parse(data) as Partial<StoredKeyPair>;\n\n // Back-compat: older key files store private material under\n // `protectedPrivateKey` with `protection: \"none\"`.\n const privateKey = parsed.privateKey\n ?? (parsed.protection === 'none' ? parsed.protectedPrivateKey : undefined)\n ?? parsed.protectedPrivateKey;\n\n if (!parsed.publicKey || !privateKey) {\n throw new Error(`Invalid key file format for key: ${keyId}`);\n }\n\n return {\n keyId: parsed.keyId || keyId,\n publicKey: parsed.publicKey,\n privateKey,\n createdAt: parsed.createdAt || new Date().toISOString(),\n protection: parsed.protection,\n protectedPrivateKey: parsed.protectedPrivateKey,\n };\n}\n\nfunction getPublicKey(keyId: string): string {\n return loadKeyPair(keyId).publicKey;\n}\n\n// ── Encrypt / Decrypt ──────────────────────────────────────────────────\n\nexport async function encryptValue(plaintext: string, keyId: string = DEFAULT_KEY_ID): Promise<string> {\n const publicKey = getPublicKey(keyId);\n return encrypt(publicKey, plaintext);\n}\n\nexport async function decryptValue(ciphertext: string, keyId: string = DEFAULT_KEY_ID): Promise<string> {\n const stored = loadKeyPair(keyId);\n return decrypt(stored.privateKey, stored.publicKey, ciphertext);\n}\n","/**\n * Cross-platform local encryption for varlock.\n *\n * Provides a unified API for encrypting/decrypting secrets using the best\n * available backend on the current platform:\n *\n * 1. macOS Secure Enclave (Swift binary) — hardware-backed, Touch ID\n * 2. Windows TPM/Hello (Rust binary) — hardware-backed, Windows Hello (TODO)\n * 3. Linux TPM2 (Rust binary) — hardware-backed (TODO)\n * 4. File-based (pure JS) — universal fallback, no native binary needed\n */\n\nimport { execFileSync, spawnSync } from 'node:child_process';\nimport fs from 'node:fs';\nimport { resolveNativeBinary } from './binary-resolver';\nimport { DaemonClient } from './daemon-client';\nimport * as fileBackend from './file-backend';\nimport { isWSL } from './wsl-detect';\nimport type { BackendInfo, BackendType, NativeStatusResult } from './types';\n\nexport type { BackendInfo, BackendType } from './types';\n\nconst DEFAULT_KEY_ID = 'varlock-default';\n\n/** Debug logger — prints to stderr when VARLOCK_DEBUG is set */\nfunction debug(msg: string) {\n if (process.env.VARLOCK_DEBUG) {\n process.stderr.write(`[varlock:local-encrypt] ${msg}\\n`);\n }\n}\n\n/**\n * Get a session identifier for biometric session scoping (WSL only).\n * Prefers the controlling terminal; falls back to a stable ancestor PID\n * found by walking the process tree (mirrors the macOS Swift daemon logic).\n */\nlet _cachedSessionId: string | undefined;\nfunction getSelfSessionId(): string {\n if (_cachedSessionId) return _cachedSessionId;\n try {\n const ttyPath = fs.readlinkSync('/proc/self/fd/0');\n if (ttyPath && ttyPath.startsWith('/dev/')) {\n _cachedSessionId = ttyPath;\n return ttyPath;\n }\n } catch {\n // Not available\n }\n // No TTY — walk the process tree to find a stable ancestor.\n // Uses the same grandchild-of-app-root logic as the macOS daemon:\n // build ancestry chain up to PID 1, then use the process 2 levels\n // below the top (the grandchild of the app root).\n try {\n const chain: Array<number> = [process.pid];\n let current = process.pid;\n for (let i = 0; i < 64; i++) {\n const stat = fs.readFileSync(`/proc/${current}/stat`, 'utf-8');\n const fields = stat.split(') ');\n if (fields.length < 2) break;\n const ppid = parseInt(fields[1].split(' ')[1], 10);\n if (!ppid || ppid <= 1) break;\n chain.push(ppid);\n current = ppid;\n }\n if (chain.length >= 4) {\n const scopePid = chain[chain.length - 3];\n // Include start time for PID-reuse resistance (field 21 after comm in /proc/stat)\n let startTime = 0;\n try {\n const scopeStat = fs.readFileSync(`/proc/${scopePid}/stat`, 'utf-8');\n const scopeFields = scopeStat.split(') ');\n if (scopeFields.length >= 2) {\n startTime = parseInt(scopeFields[1].split(' ')[19], 10) || 0;\n }\n } catch { /* ignore */ }\n _cachedSessionId = `ptree:${scopePid}:${startTime}`;\n return _cachedSessionId;\n }\n } catch {\n // Not available\n }\n _cachedSessionId = `pid:${process.pid}`;\n return _cachedSessionId;\n}\n\nlet _wslDaemonPrestartAttempted = false;\n\nfunction toWindowsPathFromWsl(pathInWsl: string): string | undefined {\n if (!isWSL()) return undefined;\n try {\n return execFileSync('wslpath', ['-w', pathInWsl], {\n encoding: 'utf-8',\n timeout: 10_000,\n }).trim();\n } catch (err) {\n debug(`toWindowsPathFromWsl failed: ${err instanceof Error ? err.message : err}`);\n return undefined;\n }\n}\n\nfunction tryPrestartWindowsDaemonFromWsl(binaryPath: string): boolean {\n if (_wslDaemonPrestartAttempted) {\n return true;\n }\n\n const windowsPath = toWindowsPathFromWsl(binaryPath);\n if (!windowsPath) {\n return false;\n }\n\n // Ask native PowerShell to seed the daemon in the interactive desktop\n // session. This returns quickly; the follow-up decrypt call has a longer\n // timeout and the helper's own daemon retry path to absorb startup latency.\n const escapedPath = windowsPath.replaceAll(\"'\", \"''\");\n const psScript = `Start-Process -WindowStyle Hidden -FilePath '${escapedPath}' -ArgumentList 'start-daemon'`;\n const proc = spawnSync('powershell.exe', [\n '-NoProfile',\n '-NonInteractive',\n '-ExecutionPolicy',\n 'Bypass',\n '-Command',\n psScript,\n ], {\n encoding: 'utf-8',\n timeout: 20_000,\n });\n\n if (proc.error) {\n debug(`tryPrestartWindowsDaemonFromWsl: powershell error: ${proc.error.message}`);\n return false;\n }\n if (proc.status !== 0) {\n debug(`tryPrestartWindowsDaemonFromWsl: powershell exit ${proc.status}: ${(proc.stderr || proc.stdout || '').trim()}`);\n return false;\n }\n\n debug('tryPrestartWindowsDaemonFromWsl: start-daemon invoked via PowerShell');\n _wslDaemonPrestartAttempted = true;\n return true;\n}\n\nfunction pingWindowsDaemonFromWsl(binaryPath: string, timeoutMs: number = 2_000): boolean {\n const proc = spawnSync(binaryPath, ['ping-daemon'], {\n encoding: 'utf-8',\n timeout: timeoutMs,\n });\n\n if (proc.error || proc.status !== 0) {\n return false;\n }\n\n try {\n const parsed = JSON.parse((proc.stdout || '').trim()) as { ready?: boolean };\n return parsed.ready === true;\n } catch {\n return false;\n }\n}\n\nfunction waitForWindowsDaemonFromWsl(binaryPath: string, timeoutMs: number = 12_000): boolean {\n const deadline = Date.now() + timeoutMs;\n\n while (Date.now() < deadline) {\n if (pingWindowsDaemonFromWsl(binaryPath)) {\n debug('waitForWindowsDaemonFromWsl: daemon is ready');\n return true;\n }\n\n Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 150);\n }\n\n debug('waitForWindowsDaemonFromWsl: timed out waiting for daemon readiness');\n return false;\n}\n\n// ── Native binary one-shot commands ────────────────────────────────────\n\nfunction runNativeBinary(args: Array<string>, opts?: { timeout?: number }): string {\n const binaryPath = resolveNativeBinary();\n if (!binaryPath) {\n debug('runNativeBinary: no binary found');\n throw new Error('Native binary not found');\n }\n debug(`runNativeBinary: ${binaryPath} ${args.join(' ')}`);\n const output = execFileSync(binaryPath, args, {\n encoding: 'utf-8',\n timeout: opts?.timeout ?? 30_000,\n }).trim();\n debug(`runNativeBinary result: ${output.slice(0, 200)}`);\n return output;\n}\n\nfunction runNativeBinaryJson<T = Record<string, unknown>>(args: Array<string>, opts?: { timeout?: number }): T {\n const output = runNativeBinary(args, opts);\n const parsed = JSON.parse(output);\n if (parsed.error) {\n throw new Error(parsed.error);\n }\n return parsed as T;\n}\n\n// ── Backend detection ──────────────────────────────────────────────────\n\nlet cachedBackendInfo: BackendInfo | undefined;\n/** Keys reported by the status command — avoids a separate key-exists .exe spawn on WSL2 */\nlet cachedStatusKeys: Array<string> | undefined;\n\nfunction detectBackendType(): { type: BackendType; isFileFallback: boolean } {\n const binaryPath = resolveNativeBinary();\n debug(`detectBackendType: binaryPath=${binaryPath ?? 'NOT FOUND'}, isWSL=${isWSL()}, platform=${process.platform}`);\n if (!binaryPath) {\n // All supported platforms (macOS, Windows, Linux, WSL2) should have a native binary\n const isFileFallback = ['darwin', 'win32', 'linux'].includes(process.platform);\n return { type: 'file', isFileFallback };\n }\n\n // WSL2 uses the Windows binary for DPAPI + Windows Hello\n if (isWSL()) return { type: 'windows-tpm', isFileFallback: false };\n\n switch (process.platform) {\n case 'darwin': return { type: 'secure-enclave', isFileFallback: false };\n case 'win32': return { type: 'windows-tpm', isFileFallback: false };\n case 'linux': return { type: 'linux-tpm', isFileFallback: false };\n default: return { type: 'file', isFileFallback: false };\n }\n}\n\n/** Get information about the active encryption backend. */\nexport function getBackendInfo(): BackendInfo {\n if (cachedBackendInfo) return cachedBackendInfo;\n\n const { type, isFileFallback } = detectBackendType();\n const binaryPath = type !== 'file' ? resolveNativeBinary() : undefined;\n\n if (type !== 'file' && binaryPath) {\n // Query the native binary for its actual capabilities\n try {\n const status = runNativeBinaryJson<NativeStatusResult>(['status']);\n debug(`getBackendInfo: status result: hardwareBacked=${status.hardwareBacked}, biometricAvailable=${status.biometricAvailable}, backend=${status.backend}, keys=${status.keys?.join(',')}`);\n cachedStatusKeys = status.keys;\n cachedBackendInfo = {\n type,\n platform: process.platform,\n hardwareBacked: status.hardwareBacked,\n biometricAvailable: status.biometricAvailable,\n binaryPath,\n };\n } catch (err) {\n // Binary failed — fall back to reasonable defaults\n debug(`getBackendInfo: status command failed: ${err instanceof Error ? err.message : err}`);\n cachedBackendInfo = {\n type,\n platform: process.platform,\n hardwareBacked: type === 'secure-enclave',\n biometricAvailable: type === 'secure-enclave',\n binaryPath,\n };\n }\n } else {\n debug(`getBackendInfo: using file backend (type=${type}, binaryPath=${binaryPath ?? 'none'}, isFileFallback=${isFileFallback})`);\n if (isFileFallback && !process.env._VARLOCK_FORCE_FILE_ENCRYPTION_FALLBACK) {\n process.stderr.write(\n '[varlock] Warning: native encryption binary not found, falling back to file-based encryption (not hardware-backed)\\n',\n );\n }\n cachedBackendInfo = {\n type,\n platform: process.platform,\n hardwareBacked: false,\n biometricAvailable: false,\n binaryPath: undefined,\n isFileFallback,\n };\n }\n\n debug(`getBackendInfo: final result: type=${cachedBackendInfo!.type}, biometric=${cachedBackendInfo!.biometricAvailable}, hwBacked=${cachedBackendInfo!.hardwareBacked}`);\n return cachedBackendInfo!;\n}\n\n// ── Daemon client (singleton for biometric-enabled backends) ───────────\n\nlet daemonClient: DaemonClient | undefined;\n\nexport function getDaemonClient(): DaemonClient {\n daemonClient ||= new DaemonClient();\n return daemonClient;\n}\n\n// ── Key management ─────────────────────────────────────────────────────\n\n/** Check if a key exists. */\nexport function keyExists(keyId: string = DEFAULT_KEY_ID): boolean {\n const backend = getBackendInfo();\n if (backend.type === 'file') {\n return fileBackend.keyExists(keyId);\n }\n // Use cached keys from status command to avoid an extra .exe spawn (significant on WSL2)\n if (cachedStatusKeys) {\n debug(`keyExists: using cached status keys for ${keyId}`);\n return cachedStatusKeys.includes(keyId);\n }\n const result = runNativeBinaryJson<{ exists: boolean }>(['key-exists', '--key-id', keyId]);\n return result.exists;\n}\n\n/** Generate a new encryption key. */\nexport async function generateKey(keyId: string = DEFAULT_KEY_ID): Promise<{ keyId: string; publicKey: string }> {\n const backend = getBackendInfo();\n if (backend.type === 'file') {\n return fileBackend.generateKey(keyId);\n }\n return runNativeBinaryJson<{ keyId: string; publicKey: string }>(['generate-key', '--key-id', keyId]);\n}\n\n/** Ensure a key exists, generating one if necessary. */\nexport async function ensureKey(keyId: string = DEFAULT_KEY_ID): Promise<void> {\n if (!keyExists(keyId)) {\n await generateKey(keyId);\n }\n}\n\n// ── Encrypt / Decrypt ──────────────────────────────────────────────────\n\n/**\n * Encrypt a plaintext value.\n *\n * For hardware-backed backends, encryption uses the public key only (no biometric needed).\n * For file-based backend, uses the pure JS ECIES implementation.\n */\nexport async function encryptValue(plaintext: string, keyId: string = DEFAULT_KEY_ID): Promise<string> {\n const backend = getBackendInfo();\n if (backend.type === 'file') {\n return fileBackend.encryptValue(plaintext, keyId);\n }\n // Native binary encrypt (one-shot, no biometric needed for encrypt)\n const b64Input = Buffer.from(plaintext, 'utf-8').toString('base64');\n if (isWSL()) {\n // On WSL2, pass data via stdin to avoid arg mangling across the WSL/Windows boundary\n const binaryPath = resolveNativeBinary();\n if (!binaryPath) throw new Error('Native binary not found');\n const proc = spawnSync(binaryPath, ['encrypt', '--key-id', keyId, '--data-stdin'], {\n input: b64Input,\n encoding: 'utf-8',\n timeout: 30_000,\n });\n if (proc.error) throw proc.error;\n const result = JSON.parse(proc.stdout.trim());\n if (result.error) throw new Error(result.error);\n return result.ciphertext;\n }\n const result = runNativeBinaryJson<{ ciphertext: string }>(['encrypt', '--key-id', keyId, '--data', b64Input]);\n return result.ciphertext;\n}\n\n/**\n * Decrypt a ciphertext value.\n *\n * For biometric-enabled backends (macOS Secure Enclave, Windows Hello),\n * uses the daemon client for session caching (avoids repeated biometric prompts).\n * For file-based backend, uses the pure JS ECIES implementation.\n */\nexport async function decryptValue(ciphertext: string, keyId: string = DEFAULT_KEY_ID): Promise<string> {\n const backend = getBackendInfo();\n if (backend.type === 'file') {\n debug('decryptValue: using file backend');\n return fileBackend.decryptValue(ciphertext, keyId);\n }\n\n // Use daemon client for biometric backends (session caching)\n // In WSL2, the .exe handles daemon management internally via --via-daemon\n if (backend.biometricAvailable) {\n if (isWSL()) {\n debug('decryptValue: WSL2 biometric decrypt via --via-daemon');\n const binaryPath = resolveNativeBinary();\n if (!binaryPath) throw new Error('Native binary not found');\n const daemonAlreadyReady = pingWindowsDaemonFromWsl(binaryPath, 1_500);\n const daemonPrestarted = daemonAlreadyReady || tryPrestartWindowsDaemonFromWsl(binaryPath);\n if (!daemonAlreadyReady && daemonPrestarted) {\n waitForWindowsDaemonFromWsl(binaryPath);\n }\n // Use spawnSync with stdin to avoid exposing ciphertext or session\n // identity in process listings (visible via tasklist/procfs).\n // Stdin JSON includes both the data and the session ID for session scoping.\n const stdinPayload = JSON.stringify({\n data: ciphertext,\n ttyId: getSelfSessionId(),\n });\n const runViaDaemon = (timeout: number) => spawnSync(binaryPath, ['decrypt', '--key-id', keyId, '--data-stdin', '--via-daemon'], {\n input: stdinPayload,\n encoding: 'utf-8',\n timeout,\n });\n\n let proc = runViaDaemon(daemonPrestarted ? 120_000 : 60_000);\n\n const output = (proc.stdout || proc.stderr || '').trim();\n const timedOut = proc.error && (proc.error as NodeJS.ErrnoException).code === 'ETIMEDOUT';\n const needsRetry = Boolean(proc.error) || proc.status !== 0;\n const likelyDaemonStartupIssue = timedOut\n || /daemon is not running|daemon did not become ready within timeout|schtasks|windows hello daemon/i.test(output);\n\n if (needsRetry && likelyDaemonStartupIssue) {\n debug(`decryptValue: via-daemon startup issue detected; attempting native start-daemon bridge. output=${output.slice(0, 180)}`);\n if (tryPrestartWindowsDaemonFromWsl(binaryPath)) {\n // Give the daemon a little more room on first auth after bridge start.\n proc = runViaDaemon(120_000);\n }\n }\n\n if (proc.error) throw proc.error;\n if (proc.status !== 0) {\n const finalOutput = (proc.stdout || proc.stderr || '').trim();\n try {\n const parsed = JSON.parse(finalOutput);\n if (parsed.error) throw new Error(parsed.error);\n } catch { /* not JSON */ }\n\n const windowsPath = toWindowsPathFromWsl(binaryPath);\n const setupHint = windowsPath\n ? `\\nHint: In native Windows PowerShell run:\\n Start-Process -WindowStyle Hidden \"${windowsPath}\" start-daemon`\n : '';\n throw new Error(`Decrypt failed (exit ${proc.status}): ${finalOutput}${setupHint}`);\n }\n\n const result = JSON.parse(proc.stdout.trim());\n if (result.error) throw new Error(result.error);\n debug(`decryptValue: WSL2 result: ${proc.stdout.trim().slice(0, 100)}`);\n return result.plaintext;\n }\n debug('decryptValue: biometric decrypt via daemon client');\n const client = getDaemonClient();\n return client.decrypt(ciphertext, keyId);\n }\n\n // Non-biometric native backend (e.g., Linux TPM without polkit) — one-shot\n debug('decryptValue: non-biometric one-shot decrypt');\n const result = runNativeBinaryJson<{ plaintext: string }>(['decrypt', '--key-id', keyId, '--data', ciphertext]);\n return result.plaintext;\n}\n\n/**\n * Invalidate the biometric session, requiring re-authentication for next decrypt.\n * Connects to the running daemon without spawning one (varlock lock runs in a separate process).\n */\nexport async function lockSession(): Promise<void> {\n const backend = getBackendInfo();\n if (!backend.biometricAvailable) return;\n const client = getDaemonClient();\n const connected = await client.tryConnect();\n if (!connected) {\n throw new Error('No encryption daemon is running');\n }\n await client.invalidateSession();\n}\n"]}

package/dist/{chunk-F5H5MJ6U.js → chunk-ZTFQ7ZVH.js} RENAMED Viewed

@@ -33,9 +33,6 @@ var VarlockExecError = class extends Error {
     this.stderr = stderr;
     this.exitCode = exitCode;
   }
-  stdout;
-  stderr;
-  exitCode;
   static {
     __name(this, "VarlockExecError");
   }
@@ -102,5 +99,5 @@ function execSyncVarlock(command, opts) {
 __name(execSyncVarlock, "execSyncVarlock");
 export { VarlockExecError, execSyncVarlock };
-//# sourceMappingURL=chunk-F5H5MJ6U.js.map
-//# sourceMappingURL=chunk-F5H5MJ6U.js.map
+//# sourceMappingURL=chunk-ZTFQ7ZVH.js.map
+//# sourceMappingURL=chunk-ZTFQ7ZVH.js.map

package/dist/chunk-ZTFQ7ZVH.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"sources":["../src/lib/exec-sync-varlock.ts"],"names":["errAny"],"mappings":";;;;;;AASA,IAAM,QAAA,GAAW,GAAG,QAAA,EAAS;AAC7B,IAAM,SAAA,GAAY,QAAA,CAAS,KAAA,CAAM,OAAO,CAAA;AAOxC,SAAS,eAAe,QAAA,EAAiC;AAGvD,EAAA,MAAM,WAAW,SAAA,GAAY,CAAC,eAAe,aAAa,CAAA,GAAI,CAAC,SAAS,CAAA;AAExE,EAAA,IAAI,UAAA,GAAa,QAAA;AACjB,EAAA,OAAO,UAAA,EAAY;AACjB,IAAA,MAAM,eAAA,GAAkB,IAAA,CAAK,IAAA,CAAK,UAAA,EAAY,gBAAgB,MAAM,CAAA;AACpE,IAAA,IAAI,EAAA,CAAG,UAAA,CAAW,eAAe,CAAA,EAAG;AAClC,MAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,QAAA,MAAM,mBAAA,GAAsB,IAAA,CAAK,IAAA,CAAK,eAAA,EAAiB,OAAO,CAAA;AAC9D,QAAA,IAAI,EAAA,CAAG,UAAA,CAAW,mBAAmB,CAAA,EAAG;AACtC,UAAA,OAAO,mBAAA;AAAA,QACT;AAAA,MACF;AAAA,IAIF;AACA,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,OAAA,CAAQ,UAAU,CAAA;AACzC,IAAA,IAAI,cAAc,UAAA,EAAY;AAC9B,IAAA,UAAA,GAAa,SAAA;AAAA,EACf;AACA,EAAA,OAAO,IAAA;AACT;AAxBS,MAAA,CAAA,cAAA,EAAA,gBAAA,CAAA;AA4BF,IAAM,gBAAA,GAAN,cAA+B,KAAA,CAAM;AAAA,EAC1C,WAAA,CACE,OAAA,EACO,MAAA,EACA,MAAA,EACA,QAAA,EACP;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAJN,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AACA,IAAA,IAAA,CAAA,QAAA,GAAA,QAAA;AAAA,EAGT;AAAA,EArDF;AA6C4C,IAAA,MAAA,CAAA,IAAA,EAAA,kBAAA,CAAA;AAAA;AAS5C;AAgCO,SAAS,eAAA,CACd,SACA,IAAA,EAC4B;AAC5B,EAAA,IAAI;AAIF,IAAA,IAAI;AACF,MAAA,MAAM,MAAA,GAAS,QAAA,CAAS,CAAA,QAAA,EAAW,OAAO,CAAA,CAAA,EAAI;AAAA,QAC5C,GAAG,IAAA,EAAM,GAAA,IAAO,EAAE,GAAA,EAAK,KAAK,GAAA,EAAI;AAAA,QAChC,GAAG,IAAA,EAAM,GAAA,IAAO,EAAE,GAAA,EAAK,KAAK,GAAA,EAAI;AAAA,QAChC,KAAA,EAAO;AAAA,OACR,CAAA;AACD,MAAA,OAAO,IAAA,EAAM,UAAA,GACT,EAAE,MAAA,EAAQ,MAAA,CAAO,QAAA,EAAS,EAAG,MAAA,EAAQ,EAAA,EAAG,GACxC,MAAA,CAAO,QAAA,EAAS;AAAA,IACtB,SAAS,GAAA,EAAK;AAGZ,MAAA,IAAI,CAAC,aAAc,GAAA,CAAY,MAAA,KAAW,OAAQ,GAAA,CAAY,IAAA,KAAS,UAAU,MAAM,GAAA;AAAA,IAEzF;AAQA,IAAA,MAAM,SAAS,IAAA,EAAM,GAAA,GAAM,MAAA,CAAO,IAAA,CAAK,GAAG,CAAA,GAAI,KAAA,CAAA;AAC9C,IAAA,MAAM,UAAA,GAAa;AAAA,MACjB,GAAI,MAAA,GAAS,CAAC,MAAM,IAAI,EAAC;AAAA,MACzB,GAAI,IAAA,EAAM,SAAA,GAAY,CAAC,IAAA,CAAK,SAAS,IAAI,EAAC;AAAA,MAC1C,QAAQ,GAAA;AAAI,KACd;AAEA,IAAA,KAAA,MAAW,YAAY,UAAA,EAAY;AACjC,MAAA,MAAM,WAAA,GAAc,eAAe,QAAQ,CAAA;AAC3C,MAAA,IAAI,WAAA,EAAa;AAEf,QAAA,MAAM,UAAA,GAAa,WAAA,CAAY,QAAA,CAAS,MAAM,CAAA;AAC9C,QAAA,MAAM,SAAS,YAAA,CAAa,WAAA,EAAa,OAAA,CAAQ,KAAA,CAAM,GAAG,CAAA,EAAG;AAAA,UAC3D,GAAG,IAAA;AAAA,UACH,KAAA,EAAO,MAAA;AAAA,UACP,GAAI,UAAA,IAAc,EAAE,KAAA,EAAO,IAAA;AAAK,SACjC,CAAA;AACD,QAAA,OAAO,IAAA,EAAM,UAAA,GACT,EAAE,MAAA,EAAQ,MAAA,CAAO,QAAA,EAAS,EAAG,MAAA,EAAQ,EAAA,EAAG,GACxC,MAAA,CAAO,QAAA,EAAS;AAAA,MACtB;AAAA,IACF;AACA,IAAA,MAAM,IAAI,MAAM,mCAAmC,CAAA;AAAA,EACrD,SAAS,GAAA,EAAK;AAEZ,IAAA,IAAI,MAAM,UAAA,EAAY;AACpB,MAAA,IAAI,GAAA,YAAe,kBAAkB,MAAM,GAAA;AAC3C,MAAA,MAAMA,OAAAA,GAAS,GAAA;AAEf,MAAA,IAAIA,OAAAA,CAAO,UAAU,IAAA,EAAM;AACzB,QAAA,MAAM,IAAI,gBAAA;AAAA,UACR,CAAA,QAAA,EAAW,OAAO,CAAA,mBAAA,EAAsBA,OAAAA,CAAO,MAAM,CAAA,CAAA,CAAA;AAAA,UACrDA,OAAAA,CAAO,MAAA,EAAQ,QAAA,EAAS,IAAK,EAAA;AAAA,UAC7BA,OAAAA,CAAO,MAAA,EAAQ,QAAA,EAAS,IAAK,EAAA;AAAA,UAC7BA,QAAO,MAAA,IAAU;AAAA,SACnB;AAAA,MACF;AACA,MAAA,MAAM,GAAA;AAAA,IACR;AAGA,IAAA,MAAM,MAAA,GAAS,GAAA;AACf,IAAA,IAAI,MAAM,eAAA,EAAiB;AAEzB,MAAA,IAAI,OAAO,MAAA,EAAQ,OAAA,CAAQ,IAAI,MAAA,CAAO,MAAA,CAAO,UAAU,CAAA;AACvD,MAAA,IAAI,OAAO,MAAA,EAAQ,OAAA,CAAQ,MAAM,MAAA,CAAO,MAAA,CAAO,UAAU,CAAA;AAEzD,MAAA,IAAI,CAAC,MAAA,CAAO,MAAA,IAAU,CAAC,OAAO,MAAA,EAAQ;AACpC,QAAA,OAAA,CAAQ,MAAM,MAAM,CAAA;AAAA,MACtB;AAAA,IACF;AACA,IAAA,IAAI,MAAM,WAAA,EAAa;AACrB,MAAA,OAAA,CAAQ,IAAA,CAAM,GAAA,CAAY,MAAA,IAAU,CAAC,CAAA;AAAA,IACvC;AACA,IAAA,MAAM,GAAA;AAAA,EACR;AACF;AAtFgB,MAAA,CAAA,eAAA,EAAA,iBAAA,CAAA","file":"chunk-ZTFQ7ZVH.js","sourcesContent":["import path from 'node:path';\nimport fs from 'node:fs';\nimport os from 'node:os';\nimport { execFileSync, execSync } from 'node:child_process';\n\n// weird tsup issue using `typeof execSync` from node:child_process\n// see https://github.com/egoist/tsup/issues/1367\nimport type { execSync as execSyncType } from 'child_process';\n\nconst platform = os.platform();\nconst isWindows = platform.match(/^win/i);\n\n\n/**\n * Walk up the directory tree from startDir looking for a node_modules/.bin/varlock binary.\n * Returns the full path to the binary if found, or null if not found.\n */\nfunction findVarlockBin(startDir: string): string | null {\n // On Windows, npm creates varlock.exe while pnpm only creates varlock.cmd\n // (and a shell script). Check .exe first, then fall back to .cmd.\n const binNames = isWindows ? ['varlock.exe', 'varlock.cmd'] : ['varlock'];\n\n let currentDir = startDir;\n while (currentDir) {\n const possibleBinPath = path.join(currentDir, 'node_modules', '.bin');\n if (fs.existsSync(possibleBinPath)) {\n for (const binName of binNames) {\n const possibleVarlockPath = path.join(possibleBinPath, binName);\n if (fs.existsSync(possibleVarlockPath)) {\n return possibleVarlockPath;\n }\n }\n // Found a .bin directory but varlock is not in it - keep walking up.\n // In a monorepo the root node_modules/.bin may exist without varlock,\n // which is installed only in a sub-package.\n }\n const parentDir = path.dirname(currentDir);\n if (parentDir === currentDir) break;\n currentDir = parentDir;\n }\n return null;\n}\n\n\n/** Error thrown by `execSyncVarlock` when the CLI exits with a non-zero status code and `fullResult` is enabled. */\nexport class VarlockExecError extends Error {\n constructor(\n message: string,\n public stdout: string,\n public stderr: string,\n public exitCode: number,\n ) {\n super(message);\n }\n}\n\nexport type ExecVarlockResult = { stdout: string, stderr: string };\n\ntype ExecSyncVarlockOpts = Parameters<typeof execSyncType>[1] & {\n exitOnError?: boolean,\n showLogsOnError?: boolean,\n /**\n * Additional directory to start searching for the varlock binary from.\n * Searched before process.cwd(). Pass `import.meta.dirname` from the\n * call-site so that in monorepos the binary installed next to the\n * importing package is found even when cwd is an unrelated workspace root.\n */\n callerDir?: string,\n /**\n * When true, return `{ stdout, stderr }` instead of just the stdout string,\n * and throw `VarlockExecError` (with `.stdout`, `.stderr`, `.exitCode`) on failure\n * instead of the raw execSync error.\n */\n fullResult?: boolean,\n};\n\n/**\n * Small helper to call execSync and call the varlock cli.\n *\n * When the user runs via a package manager, it will inject node_modules/.bin into PATH\n * but otherwise we may need to try to find that path ourselves.\n *\n * @returns stdout as a string by default, or `{ stdout, stderr }` when `fullResult: true`\n */\nexport function execSyncVarlock(command: string, opts?: ExecSyncVarlockOpts & { fullResult?: false }): string;\nexport function execSyncVarlock(command: string, opts: ExecSyncVarlockOpts & { fullResult: true }): ExecVarlockResult;\nexport function execSyncVarlock(\n command: string,\n opts?: ExecSyncVarlockOpts,\n): string | ExecVarlockResult {\n try {\n // in most cases, user will be running via their package manager\n // and a package.json script (ie `pnpm run start`)\n // which will inject node_modules/.bin into PATH\n try {\n const result = execSync(`varlock ${command}`, {\n ...opts?.env && { env: opts.env },\n ...opts?.cwd && { cwd: opts.cwd },\n stdio: 'pipe',\n });\n return opts?.fullResult\n ? { stdout: result.toString(), stderr: '' }\n : result.toString();\n } catch (err) {\n // code 127 means not found (on linux only)\n // ENOENT from execSync means that a shell was not found\n if (!isWindows && (err as any).status !== 127 && (err as any).code !== 'ENOENT') throw err;\n // on windows, we'll just do the extra checks anyway\n }\n\n // if varlock was not found, it either means it is not installed\n // or we must find the path to node_modules/.bin ourselves.\n // Search from cwd (if provided), callerDir, then process.cwd().\n // This handles monorepo setups where cwd may be an unrelated workspace\n // root while varlock is only installed in a sub-package - the callerDir\n // supplied by auto-load.ts points inside that sub-package's node_modules.\n const cwdStr = opts?.cwd ? String(opts.cwd) : undefined;\n const searchDirs = [\n ...(cwdStr ? [cwdStr] : []),\n ...(opts?.callerDir ? [opts.callerDir] : []),\n process.cwd(),\n ];\n\n for (const startDir of searchDirs) {\n const varlockPath = findVarlockBin(startDir);\n if (varlockPath) {\n // .cmd files are batch scripts that must be run through cmd.exe\n const needsShell = varlockPath.endsWith('.cmd');\n const result = execFileSync(varlockPath, command.split(' '), {\n ...opts,\n stdio: 'pipe',\n ...(needsShell && { shell: true }),\n });\n return opts?.fullResult\n ? { stdout: result.toString(), stderr: '' }\n : result.toString();\n }\n }\n throw new Error('Unable to find varlock executable');\n } catch (err) {\n // In fullResult mode, wrap the error as VarlockExecError with structured fields\n if (opts?.fullResult) {\n if (err instanceof VarlockExecError) throw err; // already wrapped\n const errAny = err as any;\n // execSync/execFileSync attach stdout/stderr Buffers on the error\n if (errAny.status != null) {\n throw new VarlockExecError(\n `varlock ${command} failed (exit code ${errAny.status})`,\n errAny.stdout?.toString() ?? '',\n errAny.stderr?.toString() ?? '',\n errAny.status ?? 1,\n );\n }\n throw err; // not a process error (e.g. \"Unable to find varlock executable\")\n }\n\n // Legacy behavior for non-fullResult callers\n const errAny = err as any;\n if (opts?.showLogsOnError) {\n /* eslint-disable no-console */\n if (errAny.stdout) console.log(errAny.stdout.toString());\n if (errAny.stderr) console.error(errAny.stderr.toString());\n\n if (!errAny.stdout && !errAny.stderr) {\n console.error(errAny);\n }\n }\n if (opts?.exitOnError) {\n process.exit((err as any).status ?? 1);\n }\n throw err;\n }\n}\n"]}

package/dist/cli/cli-executable.js CHANGED Viewed

@@ -1,30 +1,32 @@
-import { commandSpec as commandSpec$c } from '../chunk-A6THM3IR.js';
-import { commandSpec as commandSpec$4 } from '../chunk-JIUWL2NT.js';
-import { commandSpec as commandSpec$5 } from '../chunk-QSYH5IDD.js';
-import { commandSpec as commandSpec$6 } from '../chunk-RBFS2QGC.js';
+import { commandSpec as commandSpec$d } from '../chunk-WJLMLKSG.js';
+import { commandSpec as commandSpec$b } from '../chunk-CESFJIM4.js';
+import { commandSpec as commandSpec$4 } from '../chunk-IO2OGZQU.js';
+import { commandSpec as commandSpec$5 } from '../chunk-5DRCCFKV.js';
+import { commandSpec as commandSpec$6 } from '../chunk-RQZZDYWL.js';
 import { commandSpec as commandSpec$8 } from '../chunk-GJ7PTJM4.js';
-import { commandSpec as commandSpec$9 } from '../chunk-YO6WHPM4.js';
-import { commandSpec as commandSpec$7 } from '../chunk-S5O4AAVX.js';
-import { commandSpec as commandSpec$a } from '../chunk-U2O3AUM2.js';
+import { commandSpec as commandSpec$9 } from '../chunk-WTBUNHUJ.js';
+import { commandSpec as commandSpec$7 } from '../chunk-OGGTDFVX.js';
+import { commandSpec as commandSpec$a } from '../chunk-NW4KR67N.js';
 import '../chunk-GXNQVEXD.js';
-import { commandSpec as commandSpec$b } from '../chunk-TQXYC3G3.js';
-import { commandSpec } from '../chunk-SDN53OAC.js';
-import { fmt } from '../chunk-H6NILU2I.js';
-import { commandSpec as commandSpec$1 } from '../chunk-6RF54KKR.js';
-import { commandSpec as commandSpec$2 } from '../chunk-VN4LKYXR.js';
-import { commandSpec as commandSpec$3 } from '../chunk-ZJNDICC4.js';
-import { cli } from '../chunk-4A54P4EM.js';
-import { checkBunVersion } from '../chunk-CDLU5P62.js';
-import { InvalidEnvError } from '../chunk-7GFD2ATN.js';
-import '../chunk-E3F6QKDZ.js';
-import '../chunk-GURKQO4J.js';
+import { commandSpec as commandSpec$c } from '../chunk-HH647LSU.js';
+import { commandSpec } from '../chunk-F6ZYIWAR.js';
+import '../chunk-P33JXOU6.js';
+import { fmt } from '../chunk-INGOLNLE.js';
+import { commandSpec as commandSpec$1 } from '../chunk-HMWAOBZR.js';
+import { commandSpec as commandSpec$2 } from '../chunk-KI5QLKPU.js';
+import { commandSpec as commandSpec$3 } from '../chunk-XXSPHSF7.js';
 import { gracefulExit, asyncExitHook } from '../chunk-CHQDS2PI.js';
-import { CliExitError } from '../chunk-QP7TS4SU.js';
-import { ansis_default } from '../chunk-XWYFSG46.js';
+import { cli } from '../chunk-4A54P4EM.js';
+import { checkBunVersion } from '../chunk-MPHVA4WC.js';
+import { InvalidEnvError } from '../chunk-XUY3HAO2.js';
+import '../chunk-C5LW5EET.js';
+import '../chunk-YWTIKDGU.js';
+import { CliExitError } from '../chunk-JOGGSYT2.js';
+import { ansis_default } from '../chunk-GKN3UJNE.js';
 import { getUserVarlockDir } from '../chunk-O3WTD6L4.js';
-import '../chunk-HDKXXS2X.js';
-import { createDebug } from '../chunk-2PFIYNFA.js';
-import '../chunk-MGWUDHT5.js';
+import '../chunk-IRXBCLL2.js';
+import { createDebug } from '../chunk-FA5SNEKN.js';
+import '../chunk-UUJK65RS.js';
 import '../chunk-XLYSNOR3.js';
 import { __commonJS, __name, __toESM } from '../chunk-6PEHRAEP.js';
 import os2 from 'os';
@@ -35,7 +37,7 @@ import process2 from 'process';
 // ../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/vendors.json
 var require_vendors = __commonJS({
-  "../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/vendors.json"(exports$1, module) {
+  "../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/vendors.json"(exports, module) {
     module.exports = [
       {
         name: "Agola CI",
@@ -404,33 +406,33 @@ var require_vendors = __commonJS({
 // ../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/index.js
 var require_ci_info = __commonJS({
-  "../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/index.js"(exports$1) {
+  "../../node_modules/.bun/ci-info@4.4.0/node_modules/ci-info/index.js"(exports) {
     var vendors = require_vendors();
     var env = process.env;
-    Object.defineProperty(exports$1, "_vendors", {
+    Object.defineProperty(exports, "_vendors", {
       value: vendors.map(function(v) {
         return v.constant;
       })
     });
-    exports$1.name = null;
-    exports$1.isPR = null;
-    exports$1.id = null;
+    exports.name = null;
+    exports.isPR = null;
+    exports.id = null;
     if (env.CI !== "false") {
       vendors.forEach(function(vendor) {
         const envs = Array.isArray(vendor.env) ? vendor.env : [vendor.env];
         const isCI2 = envs.every(function(obj) {
           return checkEnv(obj);
         });
-        exports$1[vendor.constant] = isCI2;
+        exports[vendor.constant] = isCI2;
         if (!isCI2) {
           return;
         }
-        exports$1.name = vendor.name;
-        exports$1.isPR = checkPR(vendor);
-        exports$1.id = vendor.constant;
+        exports.name = vendor.name;
+        exports.isPR = checkPR(vendor);
+        exports.id = vendor.constant;
       });
     }
-    exports$1.isCI = !!(env.CI !== "false" && // Bypass all checks if CI env is explicitly set to 'false'
+    exports.isCI = !!(env.CI !== "false" && // Bypass all checks if CI env is explicitly set to 'false'
     (env.BUILD_ID || // Jenkins, Cloudbees
     env.BUILD_NUMBER || // Jenkins, TeamCity
     env.CI || // Travis CI, CircleCI, Cirrus CI, Gitlab CI, Appveyor, CodeShip, dsari, Cloudflare Pages/Workers
@@ -440,7 +442,7 @@ var require_ci_info = __commonJS({
     env.CI_NAME || // Codeship and others
     env.CONTINUOUS_INTEGRATION || // Travis CI, Cirrus CI
     env.RUN_ID || // TaskCluster, dsari
-    exports$1.name || false));
+    exports.name || false));
     function checkEnv(obj) {
       if (typeof obj === "string") return !!env[obj];
       if ("env" in obj) {
@@ -600,7 +602,7 @@ var is_wsl_default = process2.env.__IS_WSL_TEST__ ? isWsl : isWsl();
 // package.json
 var package_default = {
   name: "varlock",
-  version: "1.1.0",
+  version: "1.3.0",
   description: "AI-safe .env files: Schemas for agents, Secrets for humans.",
   main: "index.js",
   type: "module",
@@ -987,10 +989,10 @@ __name(trackCommand, "trackCommand");
 // src/cli/cli-executable.ts
 var versionId = package_default.version;
-function buildLazyCommand(commandSpec14, loadCommandFn) {
-  const commandName = commandSpec14.name;
+function buildLazyCommand(commandSpec15, loadCommandFn) {
+  const commandName = commandSpec15.name;
   return {
-    ...commandSpec14,
+    ...commandSpec15,
     run: /* @__PURE__ */ __name(async (...args) => {
       await trackCommand(commandName, { command: commandName });
       const commandSpecAndFn = await loadCommandFn();
@@ -1000,19 +1002,20 @@ function buildLazyCommand(commandSpec14, loadCommandFn) {
 }
 __name(buildLazyCommand, "buildLazyCommand");
 var subCommands = /* @__PURE__ */ new Map();
-subCommands.set("init", buildLazyCommand(commandSpec, async () => await import('../init.command-5LP3UFKD.js')));
-subCommands.set("load", buildLazyCommand(commandSpec$1, async () => await import('../load.command-7SQRDQ3E.js')));
-subCommands.set("run", buildLazyCommand(commandSpec$2, async () => await import('../run.command-5QADABYL.js')));
-subCommands.set("printenv", buildLazyCommand(commandSpec$3, async () => await import('../printenv.command-ON7RMFEU.js')));
-subCommands.set("encrypt", buildLazyCommand(commandSpec$4, async () => await import('../encrypt.command-F2OTB6HD.js')));
-subCommands.set("lock", buildLazyCommand(commandSpec$5, async () => await import('../lock.command-4LTGMJA3.js')));
-subCommands.set("reveal", buildLazyCommand(commandSpec$6, async () => await import('../reveal.command-BW6XYVXH.js')));
-subCommands.set("explain", buildLazyCommand(commandSpec$7, async () => await import('../explain.command-TEIPRC7Q.js')));
+subCommands.set("init", buildLazyCommand(commandSpec, async () => await import('../init.command-3EDACW36.js')));
+subCommands.set("load", buildLazyCommand(commandSpec$1, async () => await import('../load.command-XRABTXAE.js')));
+subCommands.set("run", buildLazyCommand(commandSpec$2, async () => await import('../run.command-5CIHZECD.js')));
+subCommands.set("printenv", buildLazyCommand(commandSpec$3, async () => await import('../printenv.command-DLCI4IPZ.js')));
+subCommands.set("encrypt", buildLazyCommand(commandSpec$4, async () => await import('../encrypt.command-WISNYCTG.js')));
+subCommands.set("lock", buildLazyCommand(commandSpec$5, async () => await import('../lock.command-O5MPBQ2I.js')));
+subCommands.set("reveal", buildLazyCommand(commandSpec$6, async () => await import('../reveal.command-6BTK3FJZ.js')));
+subCommands.set("explain", buildLazyCommand(commandSpec$7, async () => await import('../explain.command-THO6CRHD.js')));
 subCommands.set("help", buildLazyCommand(commandSpec$8, async () => await import('../help.command-7E52XAOO.js')));
-subCommands.set("telemetry", buildLazyCommand(commandSpec$9, async () => await import('../telemetry.command-PY6E4QSH.js')));
-subCommands.set("scan", buildLazyCommand(commandSpec$a, async () => await import('../scan.command-ZVW3XAUG.js')));
-subCommands.set("typegen", buildLazyCommand(commandSpec$b, async () => await import('../typegen.command-KZ4O5IKQ.js')));
-subCommands.set("install-plugin", buildLazyCommand(commandSpec$c, async () => await import('../install-plugin.command-X7RSLPUJ.js')));
+subCommands.set("telemetry", buildLazyCommand(commandSpec$9, async () => await import('../telemetry.command-TZDNG2WR.js')));
+subCommands.set("scan", buildLazyCommand(commandSpec$a, async () => await import('../scan.command-PW3OOLQY.js')));
+subCommands.set("audit", buildLazyCommand(commandSpec$b, async () => await import('../audit.command-LLD5UIAW.js')));
+subCommands.set("typegen", buildLazyCommand(commandSpec$c, async () => await import('../typegen.command-QD26Q3MP.js')));
+subCommands.set("install-plugin", buildLazyCommand(commandSpec$d, async () => await import('../install-plugin.command-MXBZTBTE.js')));
 (/* @__PURE__ */ __name(async function go() {
   try {
     try {