veryfront 0.1.73 → 0.1.75

package/esm/src/security/sandbox/project-worker.d.ts

@@ -0,0 +1,61 @@
+import type { WorkerPermissions } from "./worker-permissions.js";
+import type { WorkerRequest, WorkerResponse } from "./worker-types.js";
+export interface ProjectWorkerOptions {
+    projectId: string;
+    permissions: WorkerPermissions;
+    requestTimeoutMs: number;
+}
+/**
+ * Status of a project worker.
+ */
+export type WorkerStatus = "idle" | "busy" | "crashed" | "terminated";
+export declare class ProjectWorker {
+    readonly projectId: string;
+    private worker;
+    private pending;
+    private streamHandlers;
+    private requestTimeoutMs;
+    private permissions;
+    private _requestCount;
+    private _lastActivityAt;
+    private _status;
+    constructor(options: ProjectWorkerOptions);
+    get status(): WorkerStatus;
+    get requestCount(): number;
+    get lastActivityAt(): number;
+    get hasPendingRequests(): boolean;
+    /**
+     * Start the worker. Idempotent — safe to call if already running.
+     */
+    start(): void;
+    /**
+     * Execute a request in this worker. Returns a typed response.
+     */
+    execute(request: WorkerRequest): Promise<WorkerResponse>;
+    /**
+     * Execute a streaming request. Returns a ReadableStream that yields
+     * chunks as they arrive from the Worker via postMessage.
+     *
+     * Used for streaming SSR where the Worker sends chunks progressively.
+     * Falls back to a single-chunk stream if the Worker returns a non-streaming
+     * response (ssr-result with full HTML).
+     */
+    executeStream(request: WorkerRequest): ReadableStream<Uint8Array>;
+    /**
+     * Health check — send a ping and wait for pong.
+     */
+    isHealthy(timeoutMs?: number): Promise<boolean>;
+    /**
+     * Clear the worker's module cache. Used for dev mode hot reload.
+     */
+    clearModuleCache(): void;
+    /**
+     * Terminate the worker. Rejects all pending requests.
+     */
+    terminate(): void;
+    private getWorkerScriptUrl;
+    private handleMessage;
+    private updateIdleStatus;
+    private rejectAllPending;
+}
+//# sourceMappingURL=project-worker.d.ts.map

package/esm/src/security/sandbox/project-worker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"project-worker.d.ts","sourceRoot":"","sources":["../../../../src/src/security/sandbox/project-worker.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AACjE,OAAO,KAAK,EACV,aAAa,EACb,cAAc,EAGf,MAAM,mBAAmB,CAAC;AAU3B,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,iBAAiB,CAAC;IAC/B,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AAcD;;GAEG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,GAAG,YAAY,CAAC;AAEtE,qBAAa,aAAa;IACxB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,OAAO,CAAqC;IACpD,OAAO,CAAC,cAAc,CAAoC;IAC1D,OAAO,CAAC,gBAAgB,CAAS;IACjC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,aAAa,CAAK;IAC1B,OAAO,CAAC,eAAe,CAAc;IACrC,OAAO,CAAC,OAAO,CAAwB;gBAE3B,OAAO,EAAE,oBAAoB;IAMzC,IAAI,MAAM,IAAI,YAAY,CAEzB;IAED,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED,IAAI,cAAc,IAAI,MAAM,CAE3B;IAED,IAAI,kBAAkB,IAAI,OAAO,CAEhC;IAED;;OAEG;IACH,KAAK,IAAI,IAAI;IA+Bb;;OAEG;IACH,OAAO,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,cAAc,CAAC;IAqCxD;;;;;;;OAOG;IACH,aAAa,CAAC,OAAO,EAAE,aAAa,GAAG,cAAc,CAAC,UAAU,CAAC;IAgGjE;;OAEG;IACG,SAAS,CAAC,SAAS,SAAQ,GAAG,OAAO,CAAC,OAAO,CAAC;IA+BpD;;OAEG;IACH,gBAAgB,IAAI,IAAI;IAKxB;;OAEG;IACH,SAAS,IAAI,IAAI;IAuBjB,OAAO,CAAC,kBAAkB;IAc1B,OAAO,CAAC,aAAa;IA+CrB,OAAO,CAAC,gBAAgB;IAMxB,OAAO,CAAC,gBAAgB;CAazB"}

package/esm/src/security/sandbox/project-worker.js

@@ -0,0 +1,318 @@
+/**
+ * Project Worker
+ *
+ * Wraps a single Deno Worker for one project. Manages the Worker lifecycle,
+ * sends/receives structured messages, enforces per-request timeouts,
+ * and serializes errors across the Worker boundary.
+ *
+ * @module security/sandbox/project-worker
+ */
+import * as dntShim from "../../../_dnt.shims.js";
+import { serverLogger } from "../../utils/index.js";
+import { isCompiledBinary } from "../../utils/index.js";
+import { withSpan } from "../../observability/tracing/otlp-setup.js";
+import { TIMEOUT_ERROR, UNKNOWN_ERROR } from "../../errors/index.js";
+const logger = serverLogger.component("project-worker");
+export class ProjectWorker {
+    projectId;
+    worker = null;
+    pending = new Map();
+    streamHandlers = new Map();
+    requestTimeoutMs;
+    permissions;
+    _requestCount = 0;
+    _lastActivityAt = Date.now();
+    _status = "idle";
+    constructor(options) {
+        this.projectId = options.projectId;
+        this.permissions = options.permissions;
+        this.requestTimeoutMs = options.requestTimeoutMs;
+    }
+    get status() {
+        return this._status;
+    }
+    get requestCount() {
+        return this._requestCount;
+    }
+    get lastActivityAt() {
+        return this._lastActivityAt;
+    }
+    get hasPendingRequests() {
+        return this.pending.size > 0;
+    }
+    /**
+     * Start the worker. Idempotent — safe to call if already running.
+     */
+    start() {
+        if (this.worker)
+            return;
+        const workerUrl = this.getWorkerScriptUrl();
+        const workerOptions = {
+            type: "module",
+            name: `project-worker-${this.projectId}`,
+            deno: { permissions: this.permissions },
+        };
+        // @ts-ignore - Deno Worker accepts extended options
+        this.worker = new Worker(workerUrl, workerOptions);
+        this._status = "idle";
+        this.worker.onmessage = (event) => {
+            this.handleMessage(event.data);
+        };
+        this.worker.onerror = (event) => {
+            logger.error("Worker error", {
+                projectId: this.projectId,
+                error: event.message ?? String(event),
+            });
+            this._status = "crashed";
+            this.rejectAllPending("Worker crashed");
+        };
+        logger.debug("Worker started", { projectId: this.projectId });
+    }
+    /**
+     * Execute a request in this worker. Returns a typed response.
+     */
+    execute(request) {
+        return withSpan("worker.execute", () => {
+            if (!this.worker || this._status === "crashed" || this._status === "terminated") {
+                return Promise.reject(UNKNOWN_ERROR.create({ detail: `Worker not available (status: ${this._status})` }));
+            }
+            this._requestCount++;
+            this._lastActivityAt = Date.now();
+            this._status = "busy";
+            return new Promise((resolve, reject) => {
+                const timer = dntShim.setTimeout(() => {
+                    this.pending.delete(request.id);
+                    this.updateIdleStatus();
+                    reject(TIMEOUT_ERROR.create({
+                        detail: `Worker request timed out after ${this.requestTimeoutMs}ms`,
+                    }));
+                }, this.requestTimeoutMs);
+                this.pending.set(request.id, { resolve, reject, timer });
+                this.worker.postMessage(request);
+            });
+        }, {
+            "worker.projectId": this.projectId,
+            "worker.requestType": request.type,
+            "worker.requestId": request.id,
+        });
+    }
+    /**
+     * Execute a streaming request. Returns a ReadableStream that yields
+     * chunks as they arrive from the Worker via postMessage.
+     *
+     * Used for streaming SSR where the Worker sends chunks progressively.
+     * Falls back to a single-chunk stream if the Worker returns a non-streaming
+     * response (ssr-result with full HTML).
+     */
+    executeStream(request) {
+        if (!this.worker || this._status === "crashed" || this._status === "terminated") {
+            throw UNKNOWN_ERROR.create({ detail: `Worker not available (status: ${this._status})` });
+        }
+        this._requestCount++;
+        this._lastActivityAt = Date.now();
+        this._status = "busy";
+        const requestId = request.id;
+        const encoder = new TextEncoder();
+        return new ReadableStream({
+            start: (controller) => {
+                let timer = dntShim.setTimeout(() => {
+                    this.streamHandlers.delete(requestId);
+                    this.pending.delete(requestId);
+                    this.updateIdleStatus();
+                    controller.error(TIMEOUT_ERROR.create({
+                        detail: `Worker stream timed out after ${this.requestTimeoutMs}ms`,
+                    }));
+                }, this.requestTimeoutMs);
+                const resetTimer = () => {
+                    clearTimeout(timer);
+                    timer = dntShim.setTimeout(() => {
+                        this.streamHandlers.delete(requestId);
+                        this.pending.delete(requestId);
+                        this.updateIdleStatus();
+                        controller.error(TIMEOUT_ERROR.create({
+                            detail: `Worker stream timed out after ${this.requestTimeoutMs}ms`,
+                        }));
+                    }, this.requestTimeoutMs);
+                };
+                // Register a stream handler for this request
+                this.streamHandlers.set(requestId, {
+                    onChunk: (chunk) => {
+                        resetTimer();
+                        controller.enqueue(chunk);
+                    },
+                    onEnd: () => {
+                        clearTimeout(timer);
+                        this.streamHandlers.delete(requestId);
+                        this.pending.delete(requestId);
+                        this.updateIdleStatus();
+                        controller.close();
+                    },
+                    onError: (error) => {
+                        clearTimeout(timer);
+                        this.streamHandlers.delete(requestId);
+                        this.pending.delete(requestId);
+                        this.updateIdleStatus();
+                        controller.error(error);
+                    },
+                });
+                // Also register in pending for non-streaming responses (fallback)
+                this.pending.set(requestId, {
+                    resolve: (response) => {
+                        clearTimeout(timer);
+                        this.streamHandlers.delete(requestId);
+                        this.pending.delete(requestId);
+                        this.updateIdleStatus();
+                        // If we get an ssr-result, emit it as a single chunk
+                        if (response.type === "ssr-result") {
+                            controller.enqueue(encoder.encode(response.html));
+                            controller.close();
+                        }
+                        else if (response.type === "error") {
+                            const err = new Error(response.error.message);
+                            err.name = response.error.name;
+                            controller.error(err);
+                        }
+                        else {
+                            controller.close();
+                        }
+                    },
+                    reject: (error) => {
+                        clearTimeout(timer);
+                        this.streamHandlers.delete(requestId);
+                        this.pending.delete(requestId);
+                        this.updateIdleStatus();
+                        controller.error(error);
+                    },
+                    timer,
+                });
+                this.worker.postMessage(request);
+            },
+        });
+    }
+    /**
+     * Health check — send a ping and wait for pong.
+     */
+    async isHealthy(timeoutMs = 5_000) {
+        if (!this.worker || this._status === "crashed" || this._status === "terminated") {
+            return false;
+        }
+        const id = dntShim.crypto.randomUUID();
+        return new Promise((resolve) => {
+            const timer = dntShim.setTimeout(() => {
+                this.pending.delete(id);
+                resolve(false);
+            }, timeoutMs);
+            this.pending.set(id, {
+                resolve: () => {
+                    clearTimeout(timer);
+                    this.pending.delete(id);
+                    resolve(true);
+                },
+                reject: () => {
+                    clearTimeout(timer);
+                    this.pending.delete(id);
+                    resolve(false);
+                },
+                timer,
+            });
+            this.worker.postMessage({ type: "ping", id });
+        });
+    }
+    /**
+     * Clear the worker's module cache. Used for dev mode hot reload.
+     */
+    clearModuleCache() {
+        if (!this.worker || this._status === "crashed" || this._status === "terminated")
+            return;
+        this.worker.postMessage({ type: "clear-cache" });
+    }
+    /**
+     * Terminate the worker. Rejects all pending requests.
+     */
+    terminate() {
+        if (!this.worker)
+            return;
+        this._status = "terminated";
+        this.rejectAllPending("Worker terminated");
+        try {
+            this.worker.terminate();
+        }
+        catch (error) {
+            logger.debug("Worker terminate failed", {
+                projectId: this.projectId,
+                error,
+            });
+        }
+        this.worker = null;
+        logger.debug("Worker terminated", { projectId: this.projectId });
+    }
+    // -----------------------------------------------------------------------
+    // Private
+    // -----------------------------------------------------------------------
+    getWorkerScriptUrl() {
+        // In compiled binary mode, use a data URL because blob URLs don't work
+        // See: deno-sandbox.ts for the same pattern
+        if (isCompiledBinary()) {
+            // For compiled binaries, we'd need to inline the worker script.
+            // For now, fall through to the import.meta.resolve path which works
+            // in development and standard Deno execution.
+        }
+        // Use import.meta.resolve to get the absolute URL of the worker script.
+        // This works in both `deno run` and `deno compile` contexts.
+        return globalThis[Symbol.for("import-meta-ponyfill-esmodule")](import.meta).resolve("./worker-script.ts");
+    }
+    handleMessage(data) {
+        if (data.type === "pong") {
+            const pending = this.pending.get(data.id);
+            if (pending) {
+                clearTimeout(pending.timer);
+                pending.resolve(data);
+                this.pending.delete(data.id);
+            }
+            return;
+        }
+        // Handle streaming SSR chunks
+        if (data.type === "stream-chunk") {
+            const handler = this.streamHandlers.get(data.id);
+            if (handler)
+                handler.onChunk(data.chunk);
+            return;
+        }
+        if (data.type === "stream-end") {
+            const handler = this.streamHandlers.get(data.id);
+            if (handler)
+                handler.onEnd();
+            return;
+        }
+        const response = data;
+        const pending = this.pending.get(response.id);
+        if (!pending) {
+            logger.warn("Received response for unknown request", {
+                projectId: this.projectId,
+                id: response.id,
+            });
+            return;
+        }
+        clearTimeout(pending.timer);
+        this.pending.delete(response.id);
+        this.updateIdleStatus();
+        pending.resolve(response);
+    }
+    updateIdleStatus() {
+        if (this.pending.size === 0 && this._status === "busy") {
+            this._status = "idle";
+        }
+    }
+    rejectAllPending(reason) {
+        for (const [id, pending] of this.pending) {
+            clearTimeout(pending.timer);
+            pending.reject(UNKNOWN_ERROR.create({ detail: reason }));
+            this.pending.delete(id);
+        }
+        // Clean up stream handlers
+        for (const [id, handler] of this.streamHandlers) {
+            handler.onError(UNKNOWN_ERROR.create({ detail: reason }));
+            this.streamHandlers.delete(id);
+        }
+    }
+}

package/esm/src/security/sandbox/worker-permissions.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Worker Permission Builder
+ *
+ * Builds scoped Deno Worker permissions for per-project isolation.
+ * Each project worker gets the minimum required permissions.
+ *
+ * @module security/sandbox/worker-permissions
+ */
+export interface WorkerPermissions {
+    read: string[] | boolean;
+    write: boolean;
+    net: boolean;
+    env: boolean;
+    run: boolean;
+    ffi: boolean;
+    sys: boolean;
+}
+/**
+ * Build scoped permissions for a project worker.
+ *
+ * - read: restricted to the project temp dir (transformed modules) and cache dirs
+ * - write: denied (workers produce output via postMessage, not filesystem)
+ * - net: allowed (data fetchers and API routes may call external APIs)
+ * - env: allowed (user code reads API keys and config from environment)
+ * - run: denied (no subprocess spawning from user code)
+ * - ffi: denied (no native code from user code)
+ * - sys: denied (no system info access from user code)
+ */
+export declare function buildWorkerPermissions(readPaths: string[]): WorkerPermissions;
+//# sourceMappingURL=worker-permissions.d.ts.map

package/esm/src/security/sandbox/worker-permissions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-permissions.d.ts","sourceRoot":"","sources":["../../../../src/src/security/sandbox/worker-permissions.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IACzB,KAAK,EAAE,OAAO,CAAC;IACf,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;CACd;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,MAAM,EAAE,GAClB,iBAAiB,CAmCnB"}

package/esm/src/security/sandbox/worker-permissions.js

@@ -0,0 +1,60 @@
+/**
+ * Worker Permission Builder
+ *
+ * Builds scoped Deno Worker permissions for per-project isolation.
+ * Each project worker gets the minimum required permissions.
+ *
+ * @module security/sandbox/worker-permissions
+ */
+/**
+ * Deno Worker permission object.
+ * See: https://docs.deno.com/runtime/fundamentals/permissions/
+ */
+import * as dntShim from "../../../_dnt.shims.js";
+/**
+ * Build scoped permissions for a project worker.
+ *
+ * - read: restricted to the project temp dir (transformed modules) and cache dirs
+ * - write: denied (workers produce output via postMessage, not filesystem)
+ * - net: allowed (data fetchers and API routes may call external APIs)
+ * - env: allowed (user code reads API keys and config from environment)
+ * - run: denied (no subprocess spawning from user code)
+ * - ffi: denied (no native code from user code)
+ * - sys: denied (no system info access from user code)
+ */
+export function buildWorkerPermissions(readPaths) {
+    // In compiled binaries, user modules import from the VFS temp dir which
+    // is outside the project directory. Rather than trying to enumerate all
+    // read paths, grant full read access — the security boundary is enforced
+    // by denying write/run/ffi/sys, not by restricting reads.
+    // Check for compiled binary by testing if execPath is NOT "deno"/"deno.exe"
+    try {
+        const exec = typeof dntShim.Deno !== "undefined" ? dntShim.Deno.execPath?.() : undefined;
+        if (exec) {
+            const name = exec.split(/[/\\]/).pop()?.toLowerCase() ?? "";
+            if (name !== "deno" && name !== "deno.exe") {
+                return {
+                    read: true,
+                    write: false,
+                    net: true,
+                    env: true,
+                    run: false,
+                    ffi: false,
+                    sys: false,
+                };
+            }
+        }
+    }
+    catch {
+        // execPath may not be available
+    }
+    return {
+        read: readPaths.length > 0 ? readPaths : false,
+        write: false,
+        net: true,
+        env: true,
+        run: false,
+        ffi: false,
+        sys: false,
+    };
+}

package/esm/src/security/sandbox/worker-pool.d.ts

@@ -0,0 +1,87 @@
+import { ProjectWorker } from "./project-worker.js";
+import type { WorkerPoolConfig, WorkerRequest, WorkerResponse } from "./worker-types.js";
+export declare class WorkerPool {
+    private pool;
+    private recycling;
+    private config;
+    private cleanupInterval;
+    private healthCheckInterval;
+    constructor(config?: Partial<WorkerPoolConfig>);
+    /**
+     * Get or create a worker for the given project.
+     */
+    getOrCreateWorker(projectId: string, readPaths: string[]): ProjectWorker;
+    /**
+     * Execute a request in a project worker. Convenience method that
+     * combines getOrCreateWorker + execute.
+     */
+    execute(projectId: string, readPaths: string[], request: WorkerRequest): Promise<WorkerResponse>;
+    /**
+     * Evict a specific project's worker.
+     */
+    evictWorker(projectId: string): void;
+    /**
+     * Get pool statistics for monitoring.
+     */
+    getStats(): {
+        poolSize: number;
+        maxPoolSize: number;
+        memoryBudgetMb: number;
+        workers: Record<string, {
+            status: string;
+            requestCount: number;
+            hasPending: boolean;
+            idleMs: number;
+            ageMs: number;
+        }>;
+    };
+    /**
+     * Get aggregate metrics suitable for Prometheus exposition.
+     */
+    getMetrics(): {
+        /** Current number of active workers */
+        workerPoolSize: number;
+        /** Number of workers at capacity (max pool size) */
+        workerPoolCapacity: number;
+        /** Total requests processed across all workers */
+        totalRequestsProcessed: number;
+        /** Number of workers with pending requests (busy) */
+        busyWorkers: number;
+        /** Number of crashed workers (cleaned up at next health check) */
+        crashedWorkers: number;
+    };
+    /**
+     * Shutdown the pool. Terminates all workers and stops timers.
+     */
+    shutdown(): void;
+    private startCleanup;
+    private startHealthChecks;
+    private evictIdleWorkers;
+    private evictIfNeeded;
+    private checkHealth;
+    /**
+     * Evict workers when the process is under memory pressure.
+     * Uses the global heap stats — if heap usage is above a threshold,
+     * evict idle workers starting with the oldest to free memory.
+     */
+    private evictUnderMemoryPressure;
+}
+/**
+ * Whether worker isolation is enabled for API routes.
+ * Controlled by WORKER_ISOLATION_API=1 (or WORKER_ISOLATION_ENABLED=1 as master switch).
+ */
+export declare function isWorkerIsolationEnabled(): boolean;
+/**
+ * Whether worker isolation is enabled for data fetchers (getServerData).
+ * Controlled by WORKER_ISOLATION_DATA=1 (requires WORKER_ISOLATION_ENABLED=1).
+ */
+export declare function isDataIsolationEnabled(): boolean;
+/**
+ * Whether worker isolation is enabled for SSR rendering.
+ * Controlled by WORKER_ISOLATION_SSR=1 (requires WORKER_ISOLATION_ENABLED=1).
+ */
+export declare function isSSRIsolationEnabled(): boolean;
+export declare function getWorkerPool(): WorkerPool;
+/** Reset the singleton and cached flags — for testing only */
+export declare function __resetPoolForTests(): void;
+//# sourceMappingURL=worker-pool.d.ts.map

package/esm/src/security/sandbox/worker-pool.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"worker-pool.d.ts","sourceRoot":"","sources":["../../../../src/src/security/sandbox/worker-pool.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAEpD,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAWzF,qBAAa,UAAU;IACrB,OAAO,CAAC,IAAI,CAAgC;IAC5C,OAAO,CAAC,SAAS,CAAqB;IACtC,OAAO,CAAC,MAAM,CAAmB;IAEjC,OAAO,CAAC,eAAe,CAAqD;IAC5E,OAAO,CAAC,mBAAmB,CAAqD;gBAEpE,MAAM,GAAE,OAAO,CAAC,gBAAgB,CAAM;IAMlD;;OAEG;IACH,iBAAiB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,aAAa;IA0CxE;;;OAGG;IACH,OAAO,CACL,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EAAE,EACnB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,cAAc,CAAC;IAkD1B;;OAEG;IACH,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI;IAUpC;;OAEG;IACH,QAAQ,IAAI;QACV,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,EAAE,MAAM,CAAC;QACpB,cAAc,EAAE,MAAM,CAAC;QACvB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE;YACtB,MAAM,EAAE,MAAM,CAAC;YACf,YAAY,EAAE,MAAM,CAAC;YACrB,UAAU,EAAE,OAAO,CAAC;YACpB,MAAM,EAAE,MAAM,CAAC;YACf,KAAK,EAAE,MAAM,CAAC;SACf,CAAC,CAAC;KACJ;IA4BD;;OAEG;IACH,UAAU,IAAI;QACZ,uCAAuC;QACvC,cAAc,EAAE,MAAM,CAAC;QACvB,oDAAoD;QACpD,kBAAkB,EAAE,MAAM,CAAC;QAC3B,kDAAkD;QAClD,sBAAsB,EAAE,MAAM,CAAC;QAC/B,qDAAqD;QACrD,WAAW,EAAE,MAAM,CAAC;QACpB,kEAAkE;QAClE,cAAc,EAAE,MAAM,CAAC;KACxB;IAoBD;;OAEG;IACH,QAAQ,IAAI,IAAI;IAgBhB,OAAO,CAAC,YAAY;IASpB,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,gBAAgB;IAmBxB,OAAO,CAAC,aAAa;YA4BP,WAAW;IAmBzB;;;;OAIG;IACH,OAAO,CAAC,wBAAwB;CA8BjC;AAqBD;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,OAAO,CAGlD;AAED;;;GAGG;AACH,wBAAgB,sBAAsB,IAAI,OAAO,CAGhD;AAED;;;GAGG;AACH,wBAAgB,qBAAqB,IAAI,OAAO,CAG/C;AAKD,wBAAgB,aAAa,IAAI,UAAU,CAiB1C;AAED,8DAA8D;AAC9D,wBAAgB,mBAAmB,IAAI,IAAI,CAO1C"}