wcz-test 7.2.2 → 7.2.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { permissions } from 'virtual:wcz-layout';
|
|
1
|
+
import { scopes as definedScopes, permissions } from 'virtual:wcz-layout';
|
|
2
2
|
import { User } from '../models/User';
|
|
3
|
-
export declare const authMiddleware: (
|
|
3
|
+
export declare const authMiddleware: (permissionKey: keyof typeof permissions) => import('@tanstack/start-client-core').RequestMiddlewareAfterServer<{}, undefined, {
|
|
4
4
|
user: User;
|
|
5
5
|
}>;
|
|
6
|
-
export declare const serverFnAccessTokenMiddleware: import('@tanstack/start-client-core').FunctionMiddlewareAfterClient<{}, unknown, undefined, undefined, undefined>;
|
|
6
|
+
export declare const serverFnAccessTokenMiddleware: (scopeKey: keyof typeof definedScopes) => import('@tanstack/start-client-core').FunctionMiddlewareAfterClient<{}, unknown, undefined, undefined, undefined>;
|
package/dist/middleware.js
CHANGED
|
@@ -1069,15 +1069,15 @@ const nt = (e) => k().server(async ({
|
|
|
1069
1069
|
user: i
|
|
1070
1070
|
}
|
|
1071
1071
|
});
|
|
1072
|
-
}), at = k({
|
|
1072
|
+
}), at = (e) => k({
|
|
1073
1073
|
type: "function"
|
|
1074
1074
|
}).client(async ({
|
|
1075
|
-
next:
|
|
1075
|
+
next: t
|
|
1076
1076
|
}) => {
|
|
1077
|
-
const
|
|
1078
|
-
return
|
|
1077
|
+
const r = await ne(e);
|
|
1078
|
+
return t({
|
|
1079
1079
|
headers: {
|
|
1080
|
-
Authorization: `Bearer ${
|
|
1080
|
+
Authorization: `Bearer ${r}`
|
|
1081
1081
|
}
|
|
1082
1082
|
});
|
|
1083
1083
|
});
|
package/dist/middleware.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"middleware.js","sources":["../node_modules/jose/dist/webapi/lib/buffer_utils.js","../node_modules/jose/dist/webapi/lib/base64.js","../node_modules/jose/dist/webapi/util/base64url.js","../node_modules/jose/dist/webapi/util/errors.js","../node_modules/jose/dist/webapi/lib/crypto_key.js","../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../node_modules/jose/dist/webapi/lib/is_key_like.js","../node_modules/jose/dist/webapi/lib/is_disjoint.js","../node_modules/jose/dist/webapi/lib/is_object.js","../node_modules/jose/dist/webapi/lib/check_key_length.js","../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../node_modules/jose/dist/webapi/key/import.js","../node_modules/jose/dist/webapi/lib/validate_crit.js","../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../node_modules/jose/dist/webapi/lib/is_jwk.js","../node_modules/jose/dist/webapi/lib/normalize_key.js","../node_modules/jose/dist/webapi/lib/check_key_type.js","../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../node_modules/jose/dist/webapi/lib/verify.js","../node_modules/jose/dist/webapi/jws/flattened/verify.js","../node_modules/jose/dist/webapi/jws/compact/verify.js","../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../node_modules/jose/dist/webapi/jwt/verify.js","../node_modules/jose/dist/webapi/jwks/local.js","../node_modules/jose/dist/webapi/jwks/remote.js","../src/middleware/authMiddleware.ts"],"sourcesContent":["export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createMiddleware } from \"@tanstack/react-start\";\r\nimport * as jose from \"jose\";\r\nimport { permissions } from \"virtual:wcz-layout\";\r\nimport { clientEnv } from \"~/env\";\r\nimport { getAccessToken } from \"~/lib/auth/msalClient\";\r\nimport { TokenPayload } from \"~/models/TokenPayload\";\r\nimport { User } from \"~/models/User\";\r\n\r\nexport const authMiddleware = (key: keyof typeof permissions) => createMiddleware()\r\n .server(async ({ next, request }) => {\r\n const accessToken = request.headers.get(\"Authorization\");\r\n\r\n if (!accessToken?.startsWith(\"Bearer \"))\r\n throw new Error(\"Unauthorized: Missing access token or invalid Authorization header\");\r\n\r\n const tokenPayload = await verifyToken(accessToken.substring(7));\r\n\r\n const user: User = {\r\n id: tokenPayload.sub,\r\n name: tokenPayload.name.split(\"/\")[0],\r\n email: tokenPayload.preferred_username.toLowerCase(),\r\n groups: tokenPayload.groups ?? [],\r\n department: tokenPayload.department || \"\",\r\n employeeId: tokenPayload.employeeId || \"\",\r\n hasPermission: (key: keyof typeof permissions) => {\r\n const allowedGroups = permissions[key];\r\n return allowedGroups.some(k => (tokenPayload.groups ?? []).includes(k));\r\n }\r\n }\r\n\r\n if (!user.hasPermission(key))\r\n throw new Error(`Forbidden: User ${user.name} is not authorized to access this resource`);\r\n\r\n return next({ context: { user } });\r\n });\r\n\r\nexport const serverFnAccessTokenMiddleware = createMiddleware({ type: \"function\" })\r\n .client(async ({ next }) => {\r\n const accessToken = await getAccessToken(\"appstore\");\r\n return next({\r\n headers: {\r\n Authorization: `Bearer ${accessToken}`,\r\n }\r\n });\r\n });\r\n\r\nasync function verifyToken(token: string): Promise<TokenPayload> {\r\n const { payload } = await jose.jwtVerify(token, getJWKS(), {\r\n issuer: `https://login.microsoftonline.com/${clientEnv.VITE_ENTRA_TENANT_ID}/v2.0`,\r\n audience: clientEnv.VITE_ENTRA_CLIENT_ID,\r\n });\r\n return payload as unknown as TokenPayload;\r\n}\r\n\r\nlet jwksCache: ReturnType<typeof jose.createRemoteJWKSet> | null = null;\r\n\r\nfunction getJWKS() {\r\n jwksCache ??= jose.createRemoteJWKSet(new URL(`https://login.microsoftonline.com/${process.env.ENTRA_TENANT_ID}/discovery/v2.0/keys`));\r\n return jwksCache;\r\n}\r\n"],"names":["encoder","decoder","concat","buffers","size","acc","length","buf","i","buffer","encode","string","bytes","code","decodeBase64","encoded","binary","decode","input","JOSEError","message","options","JWTClaimValidationFailed","payload","claim","reason","JWTExpired","JOSEAlgNotAllowed","JOSENotSupported","JWSInvalid","JWTInvalid","JWKSInvalid","JWKSNoMatchingKey","JWKSMultipleMatchingKeys","JWKSTimeout","JWSSignatureVerificationFailed","unusable","name","prop","isAlgorithm","algorithm","getHashLength","hash","getNamedCurve","alg","checkUsage","key","usage","checkSigCryptoKey","expected","msg","actual","types","last","invalidKeyInput","withAlg","isCryptoKey","isKeyObject","isKeyLike","isDisjoint","headers","sources","header","parameters","parameter","isObjectLike","value","isObject","proto","checkKeyLength","modulusLength","subtleMapping","jwk","keyUsages","jwkToKey","keyData","importJWK","ext","decodeBase64URL","validateCrit","Err","recognizedDefault","recognizedOption","protectedHeader","joseHeader","recognized","validateAlgorithms","option","algorithms","s","isJWK","isPrivateJWK","isPublicJWK","isSecretJWK","cache","handleJWK","freeze","cached","cryptoKey","handleKeyObject","keyObject","isPublic","extractable","namedCurve","normalizeKey","err","tag","jwkMatchesOp","expectedKeyOp","symmetricTypeCheck","jwk.isJWK","jwk.isSecretJWK","asymmetricTypeCheck","jwk.isPrivateJWK","jwk.isPublicJWK","checkKeyType","subtleAlgorithm","getSigKey","verify","signature","data","flattenedVerify","jws","parsedProt","b64u","extensions","b64","resolvedKey","k","result","compactVerify","verified","epoch","date","minute","hour","day","week","year","REGEX","secs","str","matched","unit","numericDate","normalizeTyp","checkAudiencePresence","audPayload","audOption","validateClaimsSet","encodedPayload","typ","requiredClaims","issuer","subject","audience","maxTokenAge","presenceCheck","tolerance","currentDate","now","age","max","jwtVerify","jwt","getKtyFromAlg","isJWKSLike","jwks","isJWKLike","LocalJWKSet","#jwks","#cached","token","kid","kty","candidates","candidate","error","_cached","importWithAlgCache","createLocalJWKSet","set","localJWKSet","isCloudflareWorkers","USER_AGENT","customFetch","fetchJwks","url","signal","fetchImpl","response","jwksCache","isFreshJwksCache","cacheMaxAge","RemoteJWKSet","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#jwksTimestamp","#pendingFetch","#headers","#customFetch","#local","#cache","json","createRemoteJWKSet","remoteJWKSet","authMiddleware","createMiddleware","server","next","request","accessToken","get","startsWith","Error","tokenPayload","verifyToken","substring","user","id","sub","split","email","preferred_username","toLowerCase","groups","department","employeeId","hasPermission","permissions","some","includes","context","serverFnAccessTokenMiddleware","type","client","getAccessToken","Authorization","jose","getJWKS","clientEnv","VITE_ENTRA_TENANT_ID","VITE_ENTRA_CLIENT_ID","URL","process","env","ENTRA_TENANT_ID"],"mappings":";;;;AAAO,MAAMA,IAAU,IAAI,YAAW,GACzBC,IAAU,IAAI,YAAW;AAE/B,SAASC,MAAUC,GAAS;AAC/B,QAAMC,IAAOD,EAAQ,OAAO,CAACE,GAAK,EAAE,QAAAC,QAAaD,IAAMC,GAAQ,CAAC,GAC1DC,IAAM,IAAI,WAAWH,CAAI;AAC/B,MAAII,IAAI;AACR,aAAWC,KAAUN;AACjB,IAAAI,EAAI,IAAIE,GAAQD,CAAC,GACjBA,KAAKC,EAAO;AAEhB,SAAOF;AACX;AAoBO,SAASG,EAAOC,GAAQ;AAC3B,QAAMC,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,WAASH,IAAI,GAAGA,IAAIG,EAAO,QAAQH,KAAK;AACpC,UAAMK,IAAOF,EAAO,WAAWH,CAAC;AAChC,QAAIK,IAAO;AACP,YAAM,IAAI,UAAU,0CAA0C;AAElE,IAAAD,EAAMJ,CAAC,IAAIK;AAAA,EACf;AACA,SAAOD;AACX;AC/BO,SAASE,GAAaC,GAAS;AAClC,MAAI,WAAW;AACX,WAAO,WAAW,WAAWA,CAAO;AAExC,QAAMC,IAAS,KAAKD,CAAO,GACrBH,IAAQ,IAAI,WAAWI,EAAO,MAAM;AAC1C,WAASR,IAAI,GAAGA,IAAIQ,EAAO,QAAQR;AAC/B,IAAAI,EAAMJ,CAAC,IAAIQ,EAAO,WAAWR,CAAC;AAElC,SAAOI;AACX;ACnBO,SAASK,EAAOC,GAAO;AAC1B,MAAI,WAAW;AACX,WAAO,WAAW,WAAW,OAAOA,KAAU,WAAWA,IAAQjB,EAAQ,OAAOiB,CAAK,GAAG;AAAA,MACpF,UAAU;AAAA,IACtB,CAAS;AAEL,MAAIH,IAAUG;AACd,EAAIH,aAAmB,eACnBA,IAAUd,EAAQ,OAAOc,CAAO,IAEpCA,IAAUA,EAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACtD,MAAI;AACA,WAAOD,GAAaC,CAAO;AAAA,EAC/B,QACM;AACF,UAAM,IAAI,UAAU,mDAAmD;AAAA,EAC3E;AACJ;ACnBO,MAAMI,UAAkB,MAAM;AAAA,EACjC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,GAASC,GAAS;AAC1B,UAAMD,GAASC,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,MAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;AAAA,EACpD;AACJ;AACO,MAAMC,UAAiCH,EAAU;AAAA,EACpD,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAYC,GAASG,GAASC,IAAQ,eAAeC,IAAS,eAAe;AACzE,UAAML,GAAS,EAAE,OAAO,EAAE,OAAAI,GAAO,QAAAC,GAAQ,SAAAF,EAAO,GAAI,GACpD,KAAK,QAAQC,GACb,KAAK,SAASC,GACd,KAAK,UAAUF;AAAA,EACnB;AACJ;AACO,MAAMG,UAAmBP,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAYC,GAASG,GAASC,IAAQ,eAAeC,IAAS,eAAe;AACzE,UAAML,GAAS,EAAE,OAAO,EAAE,OAAAI,GAAO,QAAAC,GAAQ,SAAAF,EAAO,GAAI,GACpD,KAAK,QAAQC,GACb,KAAK,SAASC,GACd,KAAK,UAAUF;AAAA,EACnB;AACJ;AACO,MAAMI,WAA0BR,EAAU;AAAA,EAC7C,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMS,UAAyBT,EAAU;AAAA,EAC5C,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AAYO,MAAMU,UAAmBV,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMW,UAAmBX,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AAKO,MAAMY,UAAoBZ,EAAU;AAAA,EACvC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMa,UAA0Bb,EAAU;AAAA,EAC7C,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,mDAAmDC,GAAS;AAC9E,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMY,WAAiCd,EAAU;AAAA,EACpD,CAAC,OAAO,aAAa;AAAA,EACrB,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,wDAAwDC,GAAS;AACnF,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMa,WAAoBf,EAAU;AAAA,EACvC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,qBAAqBC,GAAS;AAChD,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMc,WAAuChB,EAAU;AAAA,EAC1D,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,iCAAiCC,GAAS;AAC5D,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AClGA,MAAMe,IAAW,CAACC,GAAMC,IAAO,qBAAqB,IAAI,UAAU,kDAAkDA,CAAI,YAAYD,CAAI,EAAE,GACpIE,IAAc,CAACC,GAAWH,MAASG,EAAU,SAASH;AAC5D,SAASI,EAAcC,GAAM;AACzB,SAAO,SAASA,EAAK,KAAK,MAAM,CAAC,GAAG,EAAE;AAC1C;AACA,SAASC,GAAcC,GAAK;AACxB,UAAQA,GAAG;AAAA,IACP,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAI,MAAM,aAAa;AAAA,EACzC;AACA;AACA,SAASC,GAAWC,GAAKC,GAAO;AAC5B,MAAa,CAACD,EAAI,OAAO,SAASC,CAAK;AACnC,UAAM,IAAI,UAAU,sEAAsEA,CAAK,GAAG;AAE1G;AACO,SAASC,GAAkBF,GAAKF,GAAKG,GAAO;AAC/C,UAAQH,GAAG;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACL,EAAYO,EAAI,WAAW,MAAM;AAClC,cAAMV,EAAS,MAAM;AACzB,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,mBAAmB;AAC/C,cAAMV,EAAS,mBAAmB;AACtC,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,SAAS;AACrC,cAAMV,EAAS,SAAS;AAC5B,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,SAAS;AACrC,cAAMV,EAAS,SAAS;AAC5B;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,aAAa;AACd,UAAI,CAACG,EAAYO,EAAI,WAAWF,CAAG;AAC/B,cAAMR,EAASQ,CAAG;AACtB;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACL,EAAYO,EAAI,WAAW,OAAO;AACnC,cAAMV,EAAS,OAAO;AAC1B,YAAMa,IAAWN,GAAcC,CAAG;AAElC,UADeE,EAAI,UAAU,eACdG;AACX,cAAMb,EAASa,GAAU,sBAAsB;AACnD;AAAA,IACJ;AAAA,IACA;AACI,YAAM,IAAI,UAAU,2CAA2C;AAAA,EAC3E;AACI,EAAAJ,GAAWC,GAAKC,CAAK;AACzB;ACrFA,SAAS3B,EAAQ8B,GAAKC,MAAWC,GAAO;AAEpC,MADAA,IAAQA,EAAM,OAAO,OAAO,GACxBA,EAAM,SAAS,GAAG;AAClB,UAAMC,IAAOD,EAAM,IAAG;AACtB,IAAAF,KAAO,eAAeE,EAAM,KAAK,IAAI,CAAC,QAAQC,CAAI;AAAA,EACtD,MACK,CAAID,EAAM,WAAW,IACtBF,KAAO,eAAeE,EAAM,CAAC,CAAC,OAAOA,EAAM,CAAC,CAAC,MAG7CF,KAAO,WAAWE,EAAM,CAAC,CAAC;AAE9B,SAAID,KAAU,OACVD,KAAO,aAAaC,CAAM,KAErB,OAAOA,KAAW,cAAcA,EAAO,OAC5CD,KAAO,sBAAsBC,EAAO,IAAI,KAEnC,OAAOA,KAAW,YAAYA,KAAU,QACzCA,EAAO,aAAa,SACpBD,KAAO,4BAA4BC,EAAO,YAAY,IAAI,KAG3DD;AACX;AACO,MAAMI,KAAkB,CAACH,MAAWC,MAAUhC,EAAQ,gBAAgB+B,GAAQ,GAAGC,CAAK,GAChFG,IAAU,CAACX,GAAKO,MAAWC,MAAUhC,EAAQ,eAAewB,CAAG,uBAAuBO,GAAQ,GAAGC,CAAK,GCrBtGI,IAAc,CAACV,MAAQ;AAChC,MAAIA,IAAM,OAAO,WAAW,MAAM;AAC9B,WAAO;AACX,MAAI;AACA,WAAOA,aAAe;AAAA,EAC1B,QACM;AACF,WAAO;AAAA,EACX;AACJ,GACaW,IAAc,CAACX,MAAQA,IAAM,OAAO,WAAW,MAAM,aACrDY,IAAY,CAACZ,MAAQU,EAAYV,CAAG,KAAKW,EAAYX,CAAG;AChB9D,SAASa,MAAcC,GAAS;AACnC,QAAMC,IAAUD,EAAQ,OAAO,OAAO;AACtC,MAAIC,EAAQ,WAAW,KAAKA,EAAQ,WAAW;AAC3C,WAAO;AAEX,MAAIxD;AACJ,aAAWyD,KAAUD,GAAS;AAC1B,UAAME,IAAa,OAAO,KAAKD,CAAM;AACrC,QAAI,CAACzD,KAAOA,EAAI,SAAS,GAAG;AACxB,MAAAA,IAAM,IAAI,IAAI0D,CAAU;AACxB;AAAA,IACJ;AACA,eAAWC,KAAaD,GAAY;AAChC,UAAI1D,EAAI,IAAI2D,CAAS;AACjB,eAAO;AAEX,MAAA3D,EAAI,IAAI2D,CAAS;AAAA,IACrB;AAAA,EACJ;AACA,SAAO;AACX;ACpBA,MAAMC,KAAe,CAACC,MAAU,OAAOA,KAAU,YAAYA,MAAU;AAChE,SAASC,EAASjD,GAAO;AAC5B,MAAI,CAAC+C,GAAa/C,CAAK,KAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,MAAM;AAClE,WAAO;AAEX,MAAI,OAAO,eAAeA,CAAK,MAAM;AACjC,WAAO;AAEX,MAAIkD,IAAQlD;AACZ,SAAO,OAAO,eAAekD,CAAK,MAAM;AACpC,IAAAA,IAAQ,OAAO,eAAeA,CAAK;AAEvC,SAAO,OAAO,eAAelD,CAAK,MAAMkD;AAC5C;ACbO,SAASC,GAAezB,GAAKE,GAAK;AACrC,MAAIF,EAAI,WAAW,IAAI,KAAKA,EAAI,WAAW,IAAI,GAAG;AAC9C,UAAM,EAAE,eAAA0B,MAAkBxB,EAAI;AAC9B,QAAI,OAAOwB,KAAkB,YAAYA,IAAgB;AACrD,YAAM,IAAI,UAAU,GAAG1B,CAAG,uDAAuD;AAAA,EAEzF;AACJ;ACNA,SAAS2B,GAAcC,GAAK;AACxB,MAAIhC,GACAiC;AACJ,UAAQD,EAAI,KAAG;AAAA,IACX,KAAK,OAAO;AACR,cAAQA,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAMgC,EAAI,IAAG,GAC3BC,IAAYD,EAAI,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ;AAC3C;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,OAAO;AACR,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,WAAW,MAAM,OAAOgC,EAAI,IAAI,MAAM,EAAE,CAAC,GAAE,GAC/DC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,qBAAqB,MAAM,OAAOgC,EAAI,IAAI,MAAM,EAAE,CAAC,GAAE,GACzEC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY;AAAA,YACR,MAAM;AAAA,YACN,MAAM,OAAO,SAASgC,EAAI,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC;AAAA,UACzE,GACoBC,IAAYD,EAAI,IAAI,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,SAAS;AACpE;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,MAAM;AACP,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,QAAQ,YAAYgC,EAAI,IAAG,GAC/CC,IAAYD,EAAI,IAAI,CAAC,YAAY,IAAI,CAAA;AACrC;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,OAAO;AACR,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,UAAS,GAC7BiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAMgC,EAAI,IAAG,GAC3BC,IAAYD,EAAI,IAAI,CAAC,YAAY,IAAI,CAAA;AACrC;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA;AACI,YAAM,IAAIA,EAAiB,6DAA6D;AAAA,EACpG;AACI,SAAO,EAAE,WAAAY,GAAW,WAAAiC,EAAS;AACjC;AACO,eAAeC,EAASF,GAAK;AAChC,MAAI,CAACA,EAAI;AACL,UAAM,IAAI,UAAU,0DAA0D;AAElF,QAAM,EAAE,WAAAhC,GAAW,WAAAiC,MAAcF,GAAcC,CAAG,GAC5CG,IAAU,EAAE,GAAGH,EAAG;AACxB,SAAIG,EAAQ,QAAQ,SAChB,OAAOA,EAAQ,KAEnB,OAAOA,EAAQ,KACR,OAAO,OAAO,UAAU,OAAOA,GAASnC,GAAWgC,EAAI,OAAQ,EAAAA,EAAI,KAAKA,EAAI,OAAsBA,EAAI,WAAWC,CAAS;AACrI;ACrFO,eAAeG,GAAUJ,GAAK5B,GAAKvB,GAAS;AAC/C,MAAI,CAAC8C,EAASK,CAAG;AACb,UAAM,IAAI,UAAU,uBAAuB;AAE/C,MAAIK;AAGJ,UAFAjC,MAAQ4B,EAAI,KACZK,MAAgCL,EAAI,KAC5BA,EAAI,KAAG;AAAA,IACX,KAAK;AACD,UAAI,OAAOA,EAAI,KAAM,YAAY,CAACA,EAAI;AAClC,cAAM,IAAI,UAAU,yCAAyC;AAEjE,aAAOM,EAAgBN,EAAI,CAAC;AAAA,IAChC,KAAK;AACD,UAAI,SAASA,KAAOA,EAAI,QAAQ;AAC5B,cAAM,IAAI5C,EAAiB,oEAAoE;AAEnG,aAAO8C,EAAS,EAAE,GAAGF,GAAK,KAAA5B,GAAK,KAAAiC,EAAG,CAAE;AAAA,IACxC,KAAK,OAAO;AACR,UAAI,OAAOL,EAAI,OAAQ,YAAY,CAACA,EAAI;AACpC,cAAM,IAAI,UAAU,2CAA2C;AAEnE,UAAI5B,MAAQ,UAAaA,MAAQ4B,EAAI;AACjC,cAAM,IAAI,UAAU,uCAAuC;AAE/D,aAAOE,EAAS,EAAE,GAAGF,GAAK,KAAAK,EAAG,CAAE;AAAA,IACnC;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AACD,aAAOH,EAAS,EAAE,GAAGF,GAAK,KAAA5B,GAAK,KAAAiC,EAAG,CAAE;AAAA,IACxC;AACI,YAAM,IAAIjD,EAAiB,8CAA8C;AAAA,EACrF;AACA;ACvDO,SAASmD,GAAaC,GAAKC,GAAmBC,GAAkBC,GAAiBC,GAAY;AAChG,MAAIA,EAAW,SAAS,UAAaD,GAAiB,SAAS;AAC3D,UAAM,IAAIH,EAAI,gEAAgE;AAElF,MAAI,CAACG,KAAmBA,EAAgB,SAAS;AAC7C,WAAO,oBAAI,IAAG;AAElB,MAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,KACnCA,EAAgB,KAAK,WAAW,KAChCA,EAAgB,KAAK,KAAK,CAACjE,MAAU,OAAOA,KAAU,YAAYA,EAAM,WAAW,CAAC;AACpF,UAAM,IAAI8D,EAAI,uFAAuF;AAEzG,MAAIK;AACJ,EAAIH,MAAqB,SACrBG,IAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQH,CAAgB,GAAG,GAAGD,EAAkB,QAAO,CAAE,CAAC,IAG1FI,IAAaJ;AAEjB,aAAWjB,KAAamB,EAAgB,MAAM;AAC1C,QAAI,CAACE,EAAW,IAAIrB,CAAS;AACzB,YAAM,IAAIpC,EAAiB,+BAA+BoC,CAAS,qBAAqB;AAE5F,QAAIoB,EAAWpB,CAAS,MAAM;AAC1B,YAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,cAAc;AAExE,QAAIqB,EAAW,IAAIrB,CAAS,KAAKmB,EAAgBnB,CAAS,MAAM;AAC5D,YAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,+BAA+B;AAAA,EAE7F;AACA,SAAO,IAAI,IAAImB,EAAgB,IAAI;AACvC;AChCO,SAASG,GAAmBC,GAAQC,GAAY;AACnD,MAAIA,MAAe,WACd,CAAC,MAAM,QAAQA,CAAU,KAAKA,EAAW,KAAK,CAACC,MAAM,OAAOA,KAAM,QAAQ;AAC3E,UAAM,IAAI,UAAU,IAAIF,CAAM,sCAAsC;AAExE,MAAKC;AAGL,WAAO,IAAI,IAAIA,CAAU;AAC7B;ACRO,MAAME,IAAQ,CAAC5C,MAAQqB,EAASrB,CAAG,KAAK,OAAOA,EAAI,OAAQ,UACrD6C,KAAe,CAAC7C,MAAQA,EAAI,QAAQ,UAC3CA,EAAI,QAAQ,SAAS,OAAOA,EAAI,QAAS,YAAa,OAAOA,EAAI,KAAM,WAChE8C,KAAc,CAAC9C,MAAQA,EAAI,QAAQ,SAASA,EAAI,MAAM,UAAaA,EAAI,SAAS,QAChF+C,KAAc,CAAC/C,MAAQA,EAAI,QAAQ,SAAS,OAAOA,EAAI,KAAM;ACD1E,IAAIgD;AACJ,MAAMC,IAAY,OAAOjD,GAAK0B,GAAK5B,GAAKoD,IAAS,OAAU;AACvD,EAAAF,MAAU,oBAAI,QAAO;AACrB,MAAIG,IAASH,EAAM,IAAIhD,CAAG;AAC1B,MAAImD,IAASrD,CAAG;AACZ,WAAOqD,EAAOrD,CAAG;AAErB,QAAMsD,IAAY,MAAMxB,EAAS,EAAE,GAAGF,GAAK,KAAA5B,EAAG,CAAE;AAChD,SAAIoD,KACA,OAAO,OAAOlD,CAAG,GAChBmD,IAIDA,EAAOrD,CAAG,IAAIsD,IAHdJ,EAAM,IAAIhD,GAAK,EAAE,CAACF,CAAG,GAAGsD,EAAS,CAAE,GAKhCA;AACX,GACMC,KAAkB,CAACC,GAAWxD,MAAQ;AACxC,EAAAkD,MAAU,oBAAI,QAAO;AACrB,MAAIG,IAASH,EAAM,IAAIM,CAAS;AAChC,MAAIH,IAASrD,CAAG;AACZ,WAAOqD,EAAOrD,CAAG;AAErB,QAAMyD,IAAWD,EAAU,SAAS,UAC9BE,IAAc,EAAAD;AACpB,MAAIH;AACJ,MAAIE,EAAU,sBAAsB,UAAU;AAC1C,YAAQxD,GAAG;AAAA,MACP,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD;AAAA,MACJ;AACI,cAAM,IAAI,UAAU,4DAA4D;AAAA,IAChG;AACQ,IAAAsD,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAaD,IAAW,CAAA,IAAK,CAAC,YAAY,CAAC;AAAA,EAC9G;AACA,MAAID,EAAU,sBAAsB,WAAW;AAC3C,QAAIxD,MAAQ,WAAWA,MAAQ;AAC3B,YAAM,IAAI,UAAU,4DAA4D;AAEpF,IAAAsD,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAa;AAAA,MACxED,IAAW,WAAW;AAAA,IAClC,CAAS;AAAA,EACL;AACA,UAAQD,EAAU,mBAAiB;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,aAAa;AACd,UAAIxD,MAAQwD,EAAU,kBAAkB,YAAW;AAC/C,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAAF,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAa;AAAA,QACxED,IAAW,WAAW;AAAA,MACtC,CAAa;AAAA,IACL;AAAA,EACR;AACI,MAAID,EAAU,sBAAsB,OAAO;AACvC,QAAI1D;AACJ,YAAQE,GAAG;AAAA,MACP,KAAK;AACD,QAAAF,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ;AACI,cAAM,IAAI,UAAU,4DAA4D;AAAA,IAChG;AACQ,QAAIE,EAAI,WAAW,UAAU;AACzB,aAAOwD,EAAU,YAAY;AAAA,QACzB,MAAM;AAAA,QACN,MAAA1D;AAAA,MAChB,GAAe4D,GAAaD,IAAW,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC;AAExD,IAAAH,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAMxD,EAAI,WAAW,IAAI,IAAI,YAAY;AAAA,MACzC,MAAAF;AAAA,IACZ,GAAW4D,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC;AAAA,EAClD;AACA,MAAID,EAAU,sBAAsB,MAAM;AAMtC,UAAMG,KALO,oBAAI,IAAI;AAAA,MACjB,CAAC,cAAc,OAAO;AAAA,MACtB,CAAC,aAAa,OAAO;AAAA,MACrB,CAAC,aAAa,OAAO;AAAA,IACjC,CAAS,GACuB,IAAIH,EAAU,sBAAsB,UAAU;AACtE,QAAI,CAACG;AACD,YAAM,IAAI,UAAU,4DAA4D;AAEpF,IAAI3D,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,EAAI,WAAW,SAAS,MACxBsD,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAaD,IAAW,KAAK,CAAC,YAAY,CAAC;AAAA,EAEtD;AACA,MAAI,CAACH;AACD,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAKD,IAIDA,EAAOrD,CAAG,IAAIsD,IAHdJ,EAAM,IAAIM,GAAW,EAAE,CAACxD,CAAG,GAAGsD,EAAS,CAAE,GAKtCA;AACX;AACO,eAAeM,GAAa1D,GAAKF,GAAK;AAIzC,MAHIE,aAAe,cAGfU,EAAYV,CAAG;AACf,WAAOA;AAEX,MAAIW,EAAYX,CAAG,GAAG;AAClB,QAAIA,EAAI,SAAS;AACb,aAAOA,EAAI,OAAM;AAErB,QAAI,iBAAiBA,KAAO,OAAOA,EAAI,eAAgB;AACnD,UAAI;AACA,eAAOqD,GAAgBrD,GAAKF,CAAG;AAAA,MACnC,SACO6D,GAAK;AACR,YAAIA,aAAe;AACf,gBAAMA;AAAA,MAEd;AAEJ,QAAIjC,IAAM1B,EAAI,OAAO,EAAE,QAAQ,MAAK,CAAE;AACtC,WAAOiD,EAAUjD,GAAK0B,GAAK5B,CAAG;AAAA,EAClC;AACA,MAAI8C,EAAM5C,CAAG;AACT,WAAIA,EAAI,IACG7B,EAAO6B,EAAI,CAAC,IAEhBiD,EAAUjD,GAAKA,GAAKF,GAAK,EAAI;AAExC,QAAM,IAAI,MAAM,aAAa;AACjC;AC5KA,MAAM8D,IAAM,CAAC5D,MAAQA,IAAM,OAAO,WAAW,GACvC6D,IAAe,CAAC/D,GAAKE,GAAKC,MAAU;AACtC,MAAID,EAAI,QAAQ,QAAW;AACvB,QAAIG;AACJ,YAAQF,GAAK;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACD,QAAAE,IAAW;AACX;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAW;AACX;AAAA,IAChB;AACQ,QAAIH,EAAI,QAAQG;AACZ,YAAM,IAAI,UAAU,sDAAsDA,CAAQ,gBAAgB;AAAA,EAE1G;AACA,MAAIH,EAAI,QAAQ,UAAaA,EAAI,QAAQF;AACrC,UAAM,IAAI,UAAU,sDAAsDA,CAAG,gBAAgB;AAEjG,MAAI,MAAM,QAAQE,EAAI,OAAO,GAAG;AAC5B,QAAI8D;AACJ,YAAQ,IAAI;AAAA,MACR,KAAyB7D,MAAU;AAAA,MACnC,KAAKH,MAAQ;AAAA,MACb,KAAKA,EAAI,SAAS,QAAQ;AACtB,QAAAgE,IAAgB7D;AAChB;AAAA,MACJ,KAAKH,EAAI,WAAW,OAAO;AACvB,QAAAgE,IAAgB;AAChB;AAAA,MACJ,KAAK,0BAA0B,KAAKhE,CAAG;AACnC,QAAI,CAACA,EAAI,SAAS,KAAK,KAAKA,EAAI,SAAS,IAAI,IACzCgE,IAAkD,cAGlDA,IAAgB7D;AAEpB;AAAA,MACJ,KAAKA,MAAU;AACX,QAAA6D,IAAgB;AAChB;AAAA,MACJ,KAAK7D,MAAU;AACX,QAAA6D,IAAgBhE,EAAI,WAAW,KAAK,IAAI,cAAc;AACtD;AAAA,IAChB;AACQ,QAAIgE,KAAiB9D,EAAI,SAAS,WAAW8D,CAAa,MAAM;AAC5D,YAAM,IAAI,UAAU,+DAA+DA,CAAa,gBAAgB;AAAA,EAExH;AACA,SAAO;AACX,GACMC,KAAqB,CAACjE,GAAKE,GAAKC,MAAU;AAC5C,MAAI,EAAAD,aAAe,aAEnB;AAAA,QAAIgE,EAAUhE,CAAG,GAAG;AAChB,UAAIiE,GAAgBjE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACpD;AACJ,YAAM,IAAI,UAAU,yHAAyH;AAAA,IACjJ;AACA,QAAI,CAACW,EAAUZ,CAAG;AACd,YAAM,IAAI,UAAUQ,EAAgBV,GAAKE,GAAK,aAAa,aAAa,gBAAgB,YAAY,CAAC;AAEzG,QAAIA,EAAI,SAAS;AACb,YAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,8DAA8D;AAAA;AAErG,GACMkE,KAAsB,CAACpE,GAAKE,GAAKC,MAAU;AAC7C,MAAI+D,EAAUhE,CAAG;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACD,YAAIkE,GAAiBnE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACrD;AACJ,cAAM,IAAI,UAAU,uDAAuD;AAAA,MAC/E,KAAK;AAAA,MACL,KAAK;AACD,YAAImE,GAAgBpE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACpD;AACJ,cAAM,IAAI,UAAU,sDAAsD;AAAA,IAC1F;AAEI,MAAI,CAACW,EAAUZ,CAAG;AACd,UAAM,IAAI,UAAUQ,EAAgBV,GAAKE,GAAK,aAAa,aAAa,cAAc,CAAC;AAE3F,MAAIA,EAAI,SAAS;AACb,UAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,mEAAmE;AAEtG,MAAIA,EAAI,SAAS;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AACD,cAAM,IAAI,UAAU,GAAG2D,EAAI5D,CAAG,CAAC,uEAAuE;AAAA,MAC1G,KAAK;AACD,cAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,0EAA0E;AAAA,IACzH;AAEI,MAAIA,EAAI,SAAS;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AACD,cAAM,IAAI,UAAU,GAAG2D,EAAI5D,CAAG,CAAC,wEAAwE;AAAA,MAC3G,KAAK;AACD,cAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,yEAAyE;AAAA,IACxH;AAEA;AACO,SAASqE,GAAavE,GAAKE,GAAKC,GAAO;AAC1C,UAAQH,EAAI,UAAU,GAAG,CAAC,GAAC;AAAA,IACvB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAiE,GAAmBjE,GAAKE,GAAKC,CAAK;AAClC;AAAA,IACJ;AACI,MAAAiE,GAAoBpE,GAAKE,GAAKC,CAAK;AAAA,EAC/C;AACA;ACxHO,SAASqE,GAAgBxE,GAAKJ,GAAW;AAC5C,QAAME,IAAO,OAAOE,EAAI,MAAM,EAAE,CAAC;AACjC,UAAQA,GAAG;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAF,GAAM,MAAM,OAAM;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAA,GAAM,MAAM,WAAW,YAAY,SAASE,EAAI,MAAM,EAAE,GAAG,EAAE,KAAK,EAAC;AAAA,IAChF,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAF,GAAM,MAAM,oBAAmB;AAAA,IAC5C,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAA,GAAM,MAAM,SAAS,YAAYF,EAAU,WAAU;AAAA,IAClE,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAM,UAAS;AAAA,IAC5B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAMI,EAAG;AAAA,IACtB;AACI,YAAM,IAAIhB,EAAiB,OAAOgB,CAAG,6DAA6D;AAAA,EAC9G;AACA;AC5BO,eAAeyE,GAAUzE,GAAKE,GAAKC,GAAO;AAC7C,MAAID,aAAe,YAAY;AAC3B,QAAI,CAACF,EAAI,WAAW,IAAI;AACpB,YAAM,IAAI,UAAUU,GAAgBR,GAAK,aAAa,aAAa,cAAc,CAAC;AAEtF,WAAO,OAAO,OAAO,UAAU,OAAOA,GAAK,EAAE,MAAM,OAAOF,EAAI,MAAM,EAAE,CAAC,IAAI,MAAM,OAAM,GAAI,IAAO,CAACG,CAAK,CAAC;AAAA,EAC7G;AACA,SAAAC,GAAkBF,GAAKF,GAAKG,CAAK,GAC1BD;AACX;ACRO,eAAewE,GAAO1E,GAAKE,GAAKyE,GAAWC,GAAM;AACpD,QAAMtB,IAAY,MAAMmB,GAAUzE,GAAKE,GAAK,QAAQ;AACpD,EAAAuB,GAAezB,GAAKsD,CAAS;AAC7B,QAAM1D,IAAY4E,GAAgBxE,GAAKsD,EAAU,SAAS;AAC1D,MAAI;AACA,WAAO,MAAM,OAAO,OAAO,OAAO1D,GAAW0D,GAAWqB,GAAWC,CAAI;AAAA,EAC3E,QACM;AACF,WAAO;AAAA,EACX;AACJ;ACHO,eAAeC,GAAgBC,GAAK5E,GAAKzB,GAAS;AACrD,MAAI,CAAC8C,EAASuD,CAAG;AACb,UAAM,IAAI7F,EAAW,iCAAiC;AAE1D,MAAI6F,EAAI,cAAc,UAAaA,EAAI,WAAW;AAC9C,UAAM,IAAI7F,EAAW,uEAAuE;AAEhG,MAAI6F,EAAI,cAAc,UAAa,OAAOA,EAAI,aAAc;AACxD,UAAM,IAAI7F,EAAW,qCAAqC;AAE9D,MAAI6F,EAAI,YAAY;AAChB,UAAM,IAAI7F,EAAW,qBAAqB;AAE9C,MAAI,OAAO6F,EAAI,aAAc;AACzB,UAAM,IAAI7F,EAAW,yCAAyC;AAElE,MAAI6F,EAAI,WAAW,UAAa,CAACvD,EAASuD,EAAI,MAAM;AAChD,UAAM,IAAI7F,EAAW,uCAAuC;AAEhE,MAAI8F,IAAa,CAAA;AACjB,MAAID,EAAI;AACJ,QAAI;AACA,YAAMvC,KAAkByC,EAAKF,EAAI,SAAS;AAC1C,MAAAC,IAAa,KAAK,MAAM1H,EAAQ,OAAOkF,EAAe,CAAC;AAAA,IAC3D,QACM;AACF,YAAM,IAAItD,EAAW,iCAAiC;AAAA,IAC1D;AAEJ,MAAI,CAAC8B,GAAWgE,GAAYD,EAAI,MAAM;AAClC,UAAM,IAAI7F,EAAW,2EAA2E;AAEpG,QAAMuD,IAAa;AAAA,IACf,GAAGuC;AAAA,IACH,GAAGD,EAAI;AAAA,EACf,GACUG,IAAa9C,GAAalD,GAAY,oBAAI,IAAI,CAAC,CAAC,OAAO,EAAI,CAAC,CAAC,GAAGR,GAAS,MAAMsG,GAAYvC,CAAU;AAC3G,MAAI0C,IAAM;AACV,MAAID,EAAW,IAAI,KAAK,MACpBC,IAAMH,EAAW,KACb,OAAOG,KAAQ;AACf,UAAM,IAAIjG,EAAW,yEAAyE;AAGtG,QAAM,EAAE,KAAAe,EAAG,IAAKwC;AAChB,MAAI,OAAOxC,KAAQ,YAAY,CAACA;AAC5B,UAAM,IAAIf,EAAW,2DAA2D;AAEpF,QAAM2D,IAAanE,KAAWiE,GAAmB,cAAcjE,EAAQ,UAAU;AACjF,MAAImE,KAAc,CAACA,EAAW,IAAI5C,CAAG;AACjC,UAAM,IAAIjB,GAAkB,sDAAsD;AAEtF,MAAImG;AACA,QAAI,OAAOJ,EAAI,WAAY;AACvB,YAAM,IAAI7F,EAAW,8BAA8B;AAAA,aAGlD,OAAO6F,EAAI,WAAY,YAAY,EAAEA,EAAI,mBAAmB;AACjE,UAAM,IAAI7F,EAAW,wDAAwD;AAEjF,MAAIkG,IAAc;AAClB,EAAI,OAAOjF,KAAQ,eACfA,IAAM,MAAMA,EAAI6E,GAAYD,CAAG,GAC/BK,IAAc,KAElBZ,GAAavE,GAAKE,GAAK,QAAQ;AAC/B,QAAM0E,IAAOtH,GAAOwH,EAAI,cAAc,SAAYhH,EAAOgH,EAAI,SAAS,IAAI,IAAI,WAAU,GAAIhH,EAAO,GAAG,GAAG,OAAOgH,EAAI,WAAY,WAC1HI,IACIpH,EAAOgH,EAAI,OAAO,IAClB1H,EAAQ,OAAO0H,EAAI,OAAO,IAC9BA,EAAI,OAAO;AACjB,MAAIH;AACJ,MAAI;AACA,IAAAA,IAAYK,EAAKF,EAAI,SAAS;AAAA,EAClC,QACM;AACF,UAAM,IAAI7F,EAAW,0CAA0C;AAAA,EACnE;AACA,QAAMmG,IAAI,MAAMxB,GAAa1D,GAAKF,CAAG;AAErC,MAAI,CADa,MAAM0E,GAAO1E,GAAKoF,GAAGT,GAAWC,CAAI;AAEjD,UAAM,IAAIrF,GAA8B;AAE5C,MAAIZ;AACJ,MAAIuG;AACA,QAAI;AACA,MAAAvG,IAAUqG,EAAKF,EAAI,OAAO;AAAA,IAC9B,QACM;AACF,YAAM,IAAI7F,EAAW,wCAAwC;AAAA,IACjE;AAAA,MAEC,CAAI,OAAO6F,EAAI,WAAY,WAC5BnG,IAAUvB,EAAQ,OAAO0H,EAAI,OAAO,IAGpCnG,IAAUmG,EAAI;AAElB,QAAMO,IAAS,EAAE,SAAA1G,EAAO;AAOxB,SANImG,EAAI,cAAc,WAClBO,EAAO,kBAAkBN,IAEzBD,EAAI,WAAW,WACfO,EAAO,oBAAoBP,EAAI,SAE/BK,IACO,EAAE,GAAGE,GAAQ,KAAKD,EAAC,IAEvBC;AACX;ACpHO,eAAeC,GAAcR,GAAK5E,GAAKzB,GAAS;AAInD,MAHIqG,aAAe,eACfA,IAAMzH,EAAQ,OAAOyH,CAAG,IAExB,OAAOA,KAAQ;AACf,UAAM,IAAI7F,EAAW,4CAA4C;AAErE,QAAM,EAAE,GAAGsD,GAAiB,GAAG5D,GAAS,GAAGgG,GAAW,QAAAjH,EAAM,IAAKoH,EAAI,MAAM,GAAG;AAC9E,MAAIpH,MAAW;AACX,UAAM,IAAIuB,EAAW,qBAAqB;AAE9C,QAAMsG,IAAW,MAAMV,GAAgB,EAAE,SAAAlG,GAAS,WAAW4D,GAAiB,WAAAoC,EAAS,GAAIzE,GAAKzB,CAAO,GACjG4G,IAAS,EAAE,SAASE,EAAS,SAAS,iBAAiBA,EAAS,gBAAe;AACrF,SAAI,OAAOrF,KAAQ,aACR,EAAE,GAAGmF,GAAQ,KAAKE,EAAS,IAAG,IAElCF;AACX;ACjBA,MAAMG,KAAQ,CAACC,MAAS,KAAK,MAAMA,EAAK,QAAO,IAAK,GAAI,GAClDC,IAAS,IACTC,KAAOD,IAAS,IAChBE,IAAMD,KAAO,IACbE,KAAOD,IAAM,GACbE,KAAOF,IAAM,QACbG,KAAQ;AACP,SAASC,EAAKC,GAAK;AACtB,QAAMC,IAAUH,GAAM,KAAKE,CAAG;AAC9B,MAAI,CAACC,KAAYA,EAAQ,CAAC,KAAKA,EAAQ,CAAC;AACpC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,QAAM5E,IAAQ,WAAW4E,EAAQ,CAAC,CAAC,GAC7BC,IAAOD,EAAQ,CAAC,EAAE,YAAW;AACnC,MAAIE;AACJ,UAAQD,GAAI;AAAA,IACR,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAC,IAAc,KAAK,MAAM9E,CAAK;AAC9B;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAA8E,IAAc,KAAK,MAAM9E,IAAQoE,CAAM;AACvC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAU,IAAc,KAAK,MAAM9E,IAAQqE,EAAI;AACrC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAS,IAAc,KAAK,MAAM9E,IAAQsE,CAAG;AACpC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAQ,IAAc,KAAK,MAAM9E,IAAQuE,EAAI;AACrC;AAAA,IACJ;AACI,MAAAO,IAAc,KAAK,MAAM9E,IAAQwE,EAAI;AACrC;AAAA,EACZ;AACI,SAAII,EAAQ,CAAC,MAAM,OAAOA,EAAQ,CAAC,MAAM,QAC9B,CAACE,IAELA;AACX;AAOA,MAAMC,IAAe,CAAC/E,MACdA,EAAM,SAAS,GAAG,IACXA,EAAM,YAAW,IAErB,eAAeA,EAAM,YAAW,CAAE,IAEvCgF,KAAwB,CAACC,GAAYC,MACnC,OAAOD,KAAe,WACfC,EAAU,SAASD,CAAU,IAEpC,MAAM,QAAQA,CAAU,IACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,IAE9D;AAEJ,SAASE,GAAkBlE,GAAiBmE,GAAgBjI,IAAU,CAAA,GAAI;AAC7E,MAAIE;AACJ,MAAI;AACA,IAAAA,IAAU,KAAK,MAAMtB,EAAQ,OAAOqJ,CAAc,CAAC;AAAA,EACvD,QACM;AAAA,EACN;AACA,MAAI,CAACnF,EAAS5C,CAAO;AACjB,UAAM,IAAIO,EAAW,gDAAgD;AAEzE,QAAM,EAAE,KAAAyH,EAAG,IAAKlI;AAChB,MAAIkI,MACC,OAAOpE,EAAgB,OAAQ,YAC5B8D,EAAa9D,EAAgB,GAAG,MAAM8D,EAAaM,CAAG;AAC1D,UAAM,IAAIjI,EAAyB,qCAAqCC,GAAS,OAAO,cAAc;AAE1G,QAAM,EAAE,gBAAAiI,IAAiB,IAAI,QAAAC,GAAQ,SAAAC,GAAS,UAAAC,GAAU,aAAAC,EAAW,IAAKvI,GAClEwI,IAAgB,CAAC,GAAGL,CAAc;AACxC,EAAII,MAAgB,UAChBC,EAAc,KAAK,KAAK,GACxBF,MAAa,UACbE,EAAc,KAAK,KAAK,GACxBH,MAAY,UACZG,EAAc,KAAK,KAAK,GACxBJ,MAAW,UACXI,EAAc,KAAK,KAAK;AAC5B,aAAWrI,KAAS,IAAI,IAAIqI,EAAc,QAAO,CAAE;AAC/C,QAAI,EAAErI,KAASD;AACX,YAAM,IAAID,EAAyB,qBAAqBE,CAAK,WAAWD,GAASC,GAAO,SAAS;AAGzG,MAAIiI,KACA,EAAE,MAAM,QAAQA,CAAM,IAAIA,IAAS,CAACA,CAAM,GAAG,SAASlI,EAAQ,GAAG;AACjE,UAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAImI,KAAWnI,EAAQ,QAAQmI;AAC3B,UAAM,IAAIpI,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAIoI,KACA,CAACT,GAAsB3H,EAAQ,KAAK,OAAOoI,KAAa,WAAW,CAACA,CAAQ,IAAIA,CAAQ;AACxF,UAAM,IAAIrI,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAIuI;AACJ,UAAQ,OAAOzI,EAAQ,gBAAc;AAAA,IACjC,KAAK;AACD,MAAAyI,IAAYlB,EAAKvH,EAAQ,cAAc;AACvC;AAAA,IACJ,KAAK;AACD,MAAAyI,IAAYzI,EAAQ;AACpB;AAAA,IACJ,KAAK;AACD,MAAAyI,IAAY;AACZ;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,oCAAoC;AAAA,EACpE;AACI,QAAM,EAAE,aAAAC,EAAW,IAAK1I,GAClB2I,IAAM5B,GAAM2B,KAAe,oBAAI,KAAI,CAAE;AAC3C,OAAKxI,EAAQ,QAAQ,UAAaqI,MAAgB,OAAOrI,EAAQ,OAAQ;AACrE,UAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,MAAIA,EAAQ,QAAQ,QAAW;AAC3B,QAAI,OAAOA,EAAQ,OAAQ;AACvB,YAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,QAAIA,EAAQ,MAAMyI,IAAMF;AACpB,YAAM,IAAIxI,EAAyB,sCAAsCC,GAAS,OAAO,cAAc;AAAA,EAE/G;AACA,MAAIA,EAAQ,QAAQ,QAAW;AAC3B,QAAI,OAAOA,EAAQ,OAAQ;AACvB,YAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,QAAIA,EAAQ,OAAOyI,IAAMF;AACrB,YAAM,IAAIpI,EAAW,sCAAsCH,GAAS,OAAO,cAAc;AAAA,EAEjG;AACA,MAAIqI,GAAa;AACb,UAAMK,IAAMD,IAAMzI,EAAQ,KACpB2I,IAAM,OAAON,KAAgB,WAAWA,IAAchB,EAAKgB,CAAW;AAC5E,QAAIK,IAAMH,IAAYI;AAClB,YAAM,IAAIxI,EAAW,4DAA4DH,GAAS,OAAO,cAAc;AAEnH,QAAI0I,IAAM,IAAIH;AACV,YAAM,IAAIxI,EAAyB,iEAAiEC,GAAS,OAAO,cAAc;AAAA,EAE1I;AACA,SAAOA;AACX;ACrKO,eAAe4I,GAAUC,GAAKtH,GAAKzB,GAAS;AAC/C,QAAM8G,IAAW,MAAMD,GAAckC,GAAKtH,GAAKzB,CAAO;AACtD,MAAI8G,EAAS,gBAAgB,MAAM,SAAS,KAAK,KAAKA,EAAS,gBAAgB,QAAQ;AACnF,UAAM,IAAIrG,EAAW,qCAAqC;AAG9D,QAAMmG,IAAS,EAAE,SADDoB,GAAkBlB,EAAS,iBAAiBA,EAAS,SAAS9G,CAAO,GAC3D,iBAAiB8G,EAAS,gBAAe;AACnE,SAAI,OAAOrF,KAAQ,aACR,EAAE,GAAGmF,GAAQ,KAAKE,EAAS,IAAG,IAElCF;AACX;ACXA,SAASoC,GAAczH,GAAK;AACxB,UAAQ,OAAOA,KAAQ,YAAYA,EAAI,MAAM,GAAG,CAAC,GAAC;AAAA,IAC9C,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIhB,EAAiB,gDAAgD;AAAA,EACvF;AACA;AACA,SAAS0I,GAAWC,GAAM;AACtB,SAAQA,KACJ,OAAOA,KAAS,YAChB,MAAM,QAAQA,EAAK,IAAI,KACvBA,EAAK,KAAK,MAAMC,EAAS;AACjC;AACA,SAASA,GAAU1H,GAAK;AACpB,SAAOqB,EAASrB,CAAG;AACvB;AACA,MAAM2H,GAAY;AAAA,EACdC;AAAA,EACAC,KAAU,oBAAI,QAAO;AAAA,EACrB,YAAYJ,GAAM;AACd,QAAI,CAACD,GAAWC,CAAI;AAChB,YAAM,IAAIxI,EAAY,4BAA4B;AAEtD,SAAK2I,KAAQ,gBAAgBH,CAAI;AAAA,EACrC;AAAA,EACA,OAAO;AACH,WAAO,KAAKG;AAAA,EAChB;AAAA,EACA,MAAM,OAAOvF,GAAiByF,GAAO;AACjC,UAAM,EAAE,KAAAhI,GAAK,KAAAiI,EAAG,IAAK,EAAE,GAAG1F,GAAiB,GAAGyF,GAAO,OAAM,GACrDE,IAAMT,GAAczH,CAAG,GACvBmI,IAAa,KAAKL,GAAM,KAAK,OAAO,CAAClG,MAAQ;AAC/C,UAAIwG,IAAYF,MAAQtG,EAAI;AAa5B,UAZIwG,KAAa,OAAOH,KAAQ,aAC5BG,IAAYH,MAAQrG,EAAI,MAExBwG,MAAc,OAAOxG,EAAI,OAAQ,YAAYsG,MAAQ,WACrDE,IAAYpI,MAAQ4B,EAAI,MAExBwG,KAAa,OAAOxG,EAAI,OAAQ,aAChCwG,IAAYxG,EAAI,QAAQ,QAExBwG,KAAa,MAAM,QAAQxG,EAAI,OAAO,MACtCwG,IAAYxG,EAAI,QAAQ,SAAS,QAAQ,IAEzCwG;AACA,gBAAQpI,GAAG;AAAA,UACP,KAAK;AACD,YAAAoI,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AAAA,UACL,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,QACxB;AAEY,aAAOwG;AAAA,IACX,CAAC,GACK,EAAE,GAAGxG,GAAK,QAAAlE,EAAM,IAAKyK;AAC3B,QAAIzK,MAAW;AACX,YAAM,IAAI0B,EAAiB;AAE/B,QAAI1B,MAAW,GAAG;AACd,YAAM2K,IAAQ,IAAIhJ,GAAwB,GACpCiJ,IAAU,KAAKP;AACrB,YAAAM,EAAM,OAAO,aAAa,IAAI,mBAAmB;AAC7C,mBAAWzG,KAAOuG;AACd,cAAI;AACA,kBAAM,MAAMI,EAAmBD,GAAS1G,GAAK5B,CAAG;AAAA,UACpD,QACM;AAAA,UAAE;AAAA,MAEhB,GACMqI;AAAA,IACV;AACA,WAAOE,EAAmB,KAAKR,IAASnG,GAAK5B,CAAG;AAAA,EACpD;AACJ;AACA,eAAeuI,EAAmBrF,GAAOtB,GAAK5B,GAAK;AAC/C,QAAMqD,IAASH,EAAM,IAAItB,CAAG,KAAKsB,EAAM,IAAItB,GAAK,CAAA,CAAE,EAAE,IAAIA,CAAG;AAC3D,MAAIyB,EAAOrD,CAAG,MAAM,QAAW;AAC3B,UAAME,IAAM,MAAM8B,GAAU,EAAE,GAAGJ,GAAK,KAAK,GAAI,GAAI5B,CAAG;AACtD,QAAIE,aAAe,cAAcA,EAAI,SAAS;AAC1C,YAAM,IAAIf,EAAY,8CAA8C;AAExE,IAAAkE,EAAOrD,CAAG,IAAIE;AAAA,EAClB;AACA,SAAOmD,EAAOrD,CAAG;AACrB;AACO,SAASwI,EAAkBb,GAAM;AACpC,QAAMc,IAAM,IAAIZ,GAAYF,CAAI,GAC1Be,IAAc,OAAOnG,GAAiByF,MAAUS,EAAI,OAAOlG,GAAiByF,CAAK;AACvF,gBAAO,iBAAiBU,GAAa;AAAA,IACjC,MAAM;AAAA,MACF,OAAO,MAAM,gBAAgBD,EAAI,KAAI,CAAE;AAAA,MACvC,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,EACA,CAAK,GACMC;AACX;ACnHA,SAASC,KAAsB;AAC3B,SAAQ,OAAO,gBAAkB,OAC5B,OAAO,YAAc,OAAe,UAAU,cAAc,wBAC5D,OAAO,cAAgB,OAAe,gBAAgB;AAC/D;AACA,IAAIC;AAAA,CACA,OAAO,YAAc,OAAe,CAAC,UAAU,WAAW,aAAa,cAAc,OAGrFA,IAAa;AAEV,MAAMC,KAAc,uBAAM;AACjC,eAAeC,GAAUC,GAAK/H,GAASgI,GAAQC,IAAY,OAAO;AAC9D,QAAMC,IAAW,MAAMD,EAAUF,GAAK;AAAA,IAClC,QAAQ;AAAA,IACR,QAAAC;AAAA,IACA,UAAU;AAAA,IACV,SAAAhI;AAAA,EACR,CAAK,EAAE,MAAM,CAAC6C,MAAQ;AACd,UAAIA,EAAI,SAAS,iBACP,IAAIvE,GAAW,IAEnBuE;AAAA,EACV,CAAC;AACD,MAAIqF,EAAS,WAAW;AACpB,UAAM,IAAI3K,EAAU,yDAAyD;AAEjF,MAAI;AACA,WAAO,MAAM2K,EAAS,KAAI;AAAA,EAC9B,QACM;AACF,UAAM,IAAI3K,EAAU,4DAA4D;AAAA,EACpF;AACJ;AACO,MAAM4K,IAAY,uBAAM;AAC/B,SAASC,GAAiB9K,GAAO+K,GAAa;AAO1C,SANI,SAAO/K,KAAU,YAAYA,MAAU,QAGvC,EAAE,SAASA,MAAU,OAAOA,EAAM,OAAQ,YAAY,KAAK,IAAG,IAAKA,EAAM,OAAO+K,KAGhF,EAAE,UAAU/K,MACZ,CAACiD,EAASjD,EAAM,IAAI,KACpB,CAAC,MAAM,QAAQA,EAAM,KAAK,IAAI,KAC9B,CAAC,MAAM,UAAU,MAAM,KAAKA,EAAM,KAAK,MAAMiD,CAAQ;AAI7D;AACA,MAAM+H,GAAa;AAAA,EACfC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACA,YAAYjB,GAAKtK,GAAS;AACtB,QAAI,EAAEsK,aAAe;AACjB,YAAM,IAAI,UAAU,gCAAgC;AAExD,SAAKQ,KAAO,IAAI,IAAIR,EAAI,IAAI,GAC5B,KAAKS,KACD,OAAO/K,GAAS,mBAAoB,WAAWA,GAAS,kBAAkB,KAC9E,KAAKgL,KACD,OAAOhL,GAAS,oBAAqB,WAAWA,GAAS,mBAAmB,KAChF,KAAKiL,KAAe,OAAOjL,GAAS,eAAgB,WAAWA,GAAS,cAAc,KACtF,KAAKoL,KAAW,IAAI,QAAQpL,GAAS,OAAO,GACxCmK,KAAc,CAAC,KAAKiB,GAAS,IAAI,YAAY,KAC7C,KAAKA,GAAS,IAAI,cAAcjB,CAAU,GAEzC,KAAKiB,GAAS,IAAI,QAAQ,MAC3B,KAAKA,GAAS,IAAI,UAAU,kBAAkB,GAC9C,KAAKA,GAAS,OAAO,UAAU,0BAA0B,IAE7D,KAAKC,KAAerL,IAAUoK,EAAW,GACrCpK,IAAU0K,CAAS,MAAM,WACzB,KAAKa,KAASvL,IAAU0K,CAAS,GAC7BC,GAAiB3K,IAAU0K,CAAS,GAAG,KAAKO,EAAY,MACxD,KAAKC,KAAiB,KAAKK,GAAO,KAClC,KAAKD,KAASvB,EAAkB,KAAKwB,GAAO,IAAI;AAAA,EAG5D;AAAA,EACA,eAAe;AACX,WAAO,CAAC,CAAC,KAAKJ;AAAA,EAClB;AAAA,EACA,cAAc;AACV,WAAO,OAAO,KAAKD,MAAmB,WAChC,KAAK,IAAG,IAAK,KAAKA,KAAiB,KAAKF,KACxC;AAAA,EACV;AAAA,EACA,QAAQ;AACJ,WAAO,OAAO,KAAKE,MAAmB,WAChC,KAAK,IAAG,IAAK,KAAKA,KAAiB,KAAKD,KACxC;AAAA,EACV;AAAA,EACA,OAAO;AACH,WAAO,KAAKK,IAAQ,KAAI;AAAA,EAC5B;AAAA,EACA,MAAM,OAAOxH,GAAiByF,GAAO;AACjC,KAAI,CAAC,KAAK+B,MAAU,CAAC,KAAK,MAAK,MAC3B,MAAM,KAAK,OAAM;AAErB,QAAI;AACA,aAAO,MAAM,KAAKA,GAAOxH,GAAiByF,CAAK;AAAA,IACnD,SACOnE,GAAK;AACR,UAAIA,aAAezE,KACX,KAAK,YAAW,MAAO;AACvB,qBAAM,KAAK,OAAM,GACV,KAAK2K,GAAOxH,GAAiByF,CAAK;AAGjD,YAAMnE;AAAA,IACV;AAAA,EACJ;AAAA,EACA,MAAM,SAAS;AACX,IAAI,KAAK+F,MAAiBjB,SACtB,KAAKiB,KAAgB,SAEzB,KAAKA,OAAkBd,GAAU,KAAKS,GAAK,MAAM,KAAKM,IAAU,YAAY,QAAQ,KAAKL,EAAgB,GAAG,KAAKM,EAAY,EACxH,KAAK,CAACG,MAAS;AAChB,WAAKF,KAASvB,EAAkByB,CAAI,GAChC,KAAKD,OACL,KAAKA,GAAO,MAAM,KAAK,IAAG,GAC1B,KAAKA,GAAO,OAAOC,IAEvB,KAAKN,KAAiB,KAAK,IAAG,GAC9B,KAAKC,KAAgB;AAAA,IACzB,CAAC,EACI,MAAM,CAAC/F,MAAQ;AAChB,iBAAK+F,KAAgB,QACf/F;AAAA,IACV,CAAC,GACD,MAAM,KAAK+F;AAAA,EACf;AACJ;AACO,SAASM,GAAmBnB,GAAKtK,GAAS;AAC7C,QAAMgK,IAAM,IAAIa,GAAaP,GAAKtK,CAAO,GACnC0L,IAAe,OAAO5H,GAAiByF,MAAUS,EAAI,OAAOlG,GAAiByF,CAAK;AACxF,gBAAO,iBAAiBmC,GAAc;AAAA,IAClC,aAAa;AAAA,MACT,KAAK,MAAM1B,EAAI,YAAW;AAAA,MAC1B,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,OAAO;AAAA,MACH,KAAK,MAAMA,EAAI,MAAK;AAAA,MACpB,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,QAAQ;AAAA,MACJ,OAAO,MAAMA,EAAI,OAAM;AAAA,MACvB,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,IACQ,WAAW;AAAA,MACP,KAAK,MAAMA,EAAI,aAAY;AAAA,MAC3B,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,MAAM;AAAA,MACF,OAAO,MAAMA,EAAI,KAAI;AAAA,MACrB,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,EACA,CAAK,GACM0B;AACX;AC1KO,MAAMC,KAAiBA,CAAClK,MAAkCmK,EAAAA,EAC5DC,OAAO,OAAO;AAAA,EAAEC,MAAAA;AAAAA,EAAMC,SAAAA;AAAQ,MAAM;AACjC,QAAMC,IAAcD,EAAQxJ,QAAQ0J,IAAI,eAAe;AAEvD,MAAI,CAACD,GAAaE,WAAW,SAAS,EAClC,OAAM,IAAIC,MAAM,oEAAoE;AAExF,QAAMC,IAAe,MAAMC,GAAYL,EAAYM,UAAU,CAAC,CAAC,GAEzDC,IAAa;AAAA,IACfC,IAAIJ,EAAaK;AAAAA,IACjBzL,MAAMoL,EAAapL,KAAK0L,MAAM,GAAG,EAAE,CAAC;AAAA,IACpCC,OAAOP,EAAaQ,mBAAmBC,YAAAA;AAAAA,IACvCC,QAAQV,EAAaU,UAAU,CAAA;AAAA,IAC/BC,YAAYX,EAAaW,cAAc;AAAA,IACvCC,YAAYZ,EAAaY,cAAc;AAAA,IACvCC,eAAeA,CAACxL,MACUyL,GAAYzL,CAAG,EAChB0L,KAAKxG,CAAAA,OAAMyF,EAAaU,UAAU,CAAA,GAAIM,SAASzG,CAAC,CAAC;AAAA,EAC1E;AAGJ,MAAI,CAAC4F,EAAKU,cAAcxL,CAAG,EACvB,OAAM,IAAI0K,MAAM,mBAAmBI,EAAKvL,IAAI,4CAA4C;AAE5F,SAAO8K,EAAK;AAAA,IAAEuB,SAAS;AAAA,MAAEd,MAAAA;AAAAA,IAAAA;AAAAA,EAAK,CAAG;AACrC,CAAC,GAEQe,KAAgC1B,EAAiB;AAAA,EAAE2B,MAAM;AAAW,CAAC,EAC7EC,OAAO,OAAO;AAAA,EAAE1B,MAAAA;AAAK,MAAM;AACxB,QAAME,IAAc,MAAMyB,GAAe,UAAU;AACnD,SAAO3B,EAAK;AAAA,IACRvJ,SAAS;AAAA,MACLmL,eAAe,UAAU1B,CAAW;AAAA,IAAA;AAAA,EACxC,CACH;AACL,CAAC;AAEL,eAAeK,GAAY9C,GAAsC;AAC7D,QAAM;AAAA,IAAErJ,SAAAA;AAAAA,EAAAA,IAAY,MAAMyN,GAAepE,GAAOqE,MAAW;AAAA,IACvDxF,QAAQ,qCAAqCyF,EAAUC,oBAAoB;AAAA,IAC3ExF,UAAUuF,EAAUE;AAAAA,EAAAA,CACvB;AACD,SAAO7N;AACX;AAEA,IAAIwK,IAA+D;AAEnE,SAASkD,KAAU;AACflD,SAAAA,MAAciD,GAAwB,IAAIK,IAAI,qCAAqCC,QAAQC,IAAIC,eAAe,sBAAsB,CAAC,GAC9HzD;AACX;","x_google_ignoreList":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]}
|
|
1
|
+
{"version":3,"file":"middleware.js","sources":["../node_modules/jose/dist/webapi/lib/buffer_utils.js","../node_modules/jose/dist/webapi/lib/base64.js","../node_modules/jose/dist/webapi/util/base64url.js","../node_modules/jose/dist/webapi/util/errors.js","../node_modules/jose/dist/webapi/lib/crypto_key.js","../node_modules/jose/dist/webapi/lib/invalid_key_input.js","../node_modules/jose/dist/webapi/lib/is_key_like.js","../node_modules/jose/dist/webapi/lib/is_disjoint.js","../node_modules/jose/dist/webapi/lib/is_object.js","../node_modules/jose/dist/webapi/lib/check_key_length.js","../node_modules/jose/dist/webapi/lib/jwk_to_key.js","../node_modules/jose/dist/webapi/key/import.js","../node_modules/jose/dist/webapi/lib/validate_crit.js","../node_modules/jose/dist/webapi/lib/validate_algorithms.js","../node_modules/jose/dist/webapi/lib/is_jwk.js","../node_modules/jose/dist/webapi/lib/normalize_key.js","../node_modules/jose/dist/webapi/lib/check_key_type.js","../node_modules/jose/dist/webapi/lib/subtle_dsa.js","../node_modules/jose/dist/webapi/lib/get_sign_verify_key.js","../node_modules/jose/dist/webapi/lib/verify.js","../node_modules/jose/dist/webapi/jws/flattened/verify.js","../node_modules/jose/dist/webapi/jws/compact/verify.js","../node_modules/jose/dist/webapi/lib/jwt_claims_set.js","../node_modules/jose/dist/webapi/jwt/verify.js","../node_modules/jose/dist/webapi/jwks/local.js","../node_modules/jose/dist/webapi/jwks/remote.js","../src/middleware/authMiddleware.ts"],"sourcesContent":["export const encoder = new TextEncoder();\nexport const decoder = new TextDecoder();\nconst MAX_INT32 = 2 ** 32;\nexport function concat(...buffers) {\n const size = buffers.reduce((acc, { length }) => acc + length, 0);\n const buf = new Uint8Array(size);\n let i = 0;\n for (const buffer of buffers) {\n buf.set(buffer, i);\n i += buffer.length;\n }\n return buf;\n}\nfunction writeUInt32BE(buf, value, offset) {\n if (value < 0 || value >= MAX_INT32) {\n throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);\n }\n buf.set([value >>> 24, value >>> 16, value >>> 8, value & 0xff], offset);\n}\nexport function uint64be(value) {\n const high = Math.floor(value / MAX_INT32);\n const low = value % MAX_INT32;\n const buf = new Uint8Array(8);\n writeUInt32BE(buf, high, 0);\n writeUInt32BE(buf, low, 4);\n return buf;\n}\nexport function uint32be(value) {\n const buf = new Uint8Array(4);\n writeUInt32BE(buf, value);\n return buf;\n}\nexport function encode(string) {\n const bytes = new Uint8Array(string.length);\n for (let i = 0; i < string.length; i++) {\n const code = string.charCodeAt(i);\n if (code > 127) {\n throw new TypeError('non-ASCII string encountered in encode()');\n }\n bytes[i] = code;\n }\n return bytes;\n}\n","export function encodeBase64(input) {\n if (Uint8Array.prototype.toBase64) {\n return input.toBase64();\n }\n const CHUNK_SIZE = 0x8000;\n const arr = [];\n for (let i = 0; i < input.length; i += CHUNK_SIZE) {\n arr.push(String.fromCharCode.apply(null, input.subarray(i, i + CHUNK_SIZE)));\n }\n return btoa(arr.join(''));\n}\nexport function decodeBase64(encoded) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(encoded);\n }\n const binary = atob(encoded);\n const bytes = new Uint8Array(binary.length);\n for (let i = 0; i < binary.length; i++) {\n bytes[i] = binary.charCodeAt(i);\n }\n return bytes;\n}\n","import { encoder, decoder } from '../lib/buffer_utils.js';\nimport { encodeBase64, decodeBase64 } from '../lib/base64.js';\nexport function decode(input) {\n if (Uint8Array.fromBase64) {\n return Uint8Array.fromBase64(typeof input === 'string' ? input : decoder.decode(input), {\n alphabet: 'base64url',\n });\n }\n let encoded = input;\n if (encoded instanceof Uint8Array) {\n encoded = decoder.decode(encoded);\n }\n encoded = encoded.replace(/-/g, '+').replace(/_/g, '/');\n try {\n return decodeBase64(encoded);\n }\n catch {\n throw new TypeError('The input to be decoded is not correctly encoded.');\n }\n}\nexport function encode(input) {\n let unencoded = input;\n if (typeof unencoded === 'string') {\n unencoded = encoder.encode(unencoded);\n }\n if (Uint8Array.prototype.toBase64) {\n return unencoded.toBase64({ alphabet: 'base64url', omitPadding: true });\n }\n return encodeBase64(unencoded).replace(/=/g, '').replace(/\\+/g, '-').replace(/\\//g, '_');\n}\n","export class JOSEError extends Error {\n static code = 'ERR_JOSE_GENERIC';\n code = 'ERR_JOSE_GENERIC';\n constructor(message, options) {\n super(message, options);\n this.name = this.constructor.name;\n Error.captureStackTrace?.(this, this.constructor);\n }\n}\nexport class JWTClaimValidationFailed extends JOSEError {\n static code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n code = 'ERR_JWT_CLAIM_VALIDATION_FAILED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JWTExpired extends JOSEError {\n static code = 'ERR_JWT_EXPIRED';\n code = 'ERR_JWT_EXPIRED';\n claim;\n reason;\n payload;\n constructor(message, payload, claim = 'unspecified', reason = 'unspecified') {\n super(message, { cause: { claim, reason, payload } });\n this.claim = claim;\n this.reason = reason;\n this.payload = payload;\n }\n}\nexport class JOSEAlgNotAllowed extends JOSEError {\n static code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n code = 'ERR_JOSE_ALG_NOT_ALLOWED';\n}\nexport class JOSENotSupported extends JOSEError {\n static code = 'ERR_JOSE_NOT_SUPPORTED';\n code = 'ERR_JOSE_NOT_SUPPORTED';\n}\nexport class JWEDecryptionFailed extends JOSEError {\n static code = 'ERR_JWE_DECRYPTION_FAILED';\n code = 'ERR_JWE_DECRYPTION_FAILED';\n constructor(message = 'decryption operation failed', options) {\n super(message, options);\n }\n}\nexport class JWEInvalid extends JOSEError {\n static code = 'ERR_JWE_INVALID';\n code = 'ERR_JWE_INVALID';\n}\nexport class JWSInvalid extends JOSEError {\n static code = 'ERR_JWS_INVALID';\n code = 'ERR_JWS_INVALID';\n}\nexport class JWTInvalid extends JOSEError {\n static code = 'ERR_JWT_INVALID';\n code = 'ERR_JWT_INVALID';\n}\nexport class JWKInvalid extends JOSEError {\n static code = 'ERR_JWK_INVALID';\n code = 'ERR_JWK_INVALID';\n}\nexport class JWKSInvalid extends JOSEError {\n static code = 'ERR_JWKS_INVALID';\n code = 'ERR_JWKS_INVALID';\n}\nexport class JWKSNoMatchingKey extends JOSEError {\n static code = 'ERR_JWKS_NO_MATCHING_KEY';\n code = 'ERR_JWKS_NO_MATCHING_KEY';\n constructor(message = 'no applicable key found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSMultipleMatchingKeys extends JOSEError {\n [Symbol.asyncIterator];\n static code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';\n constructor(message = 'multiple matching keys found in the JSON Web Key Set', options) {\n super(message, options);\n }\n}\nexport class JWKSTimeout extends JOSEError {\n static code = 'ERR_JWKS_TIMEOUT';\n code = 'ERR_JWKS_TIMEOUT';\n constructor(message = 'request timed out', options) {\n super(message, options);\n }\n}\nexport class JWSSignatureVerificationFailed extends JOSEError {\n static code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n code = 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';\n constructor(message = 'signature verification failed', options) {\n super(message, options);\n }\n}\n","const unusable = (name, prop = 'algorithm.name') => new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);\nconst isAlgorithm = (algorithm, name) => algorithm.name === name;\nfunction getHashLength(hash) {\n return parseInt(hash.name.slice(4), 10);\n}\nfunction getNamedCurve(alg) {\n switch (alg) {\n case 'ES256':\n return 'P-256';\n case 'ES384':\n return 'P-384';\n case 'ES512':\n return 'P-521';\n default:\n throw new Error('unreachable');\n }\n}\nfunction checkUsage(key, usage) {\n if (usage && !key.usages.includes(usage)) {\n throw new TypeError(`CryptoKey does not support this operation, its usages must include ${usage}.`);\n }\n}\nexport function checkSigCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512': {\n if (!isAlgorithm(key.algorithm, 'HMAC'))\n throw unusable('HMAC');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'RS256':\n case 'RS384':\n case 'RS512': {\n if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))\n throw unusable('RSASSA-PKCS1-v1_5');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'PS256':\n case 'PS384':\n case 'PS512': {\n if (!isAlgorithm(key.algorithm, 'RSA-PSS'))\n throw unusable('RSA-PSS');\n const expected = parseInt(alg.slice(2), 10);\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n case 'Ed25519':\n case 'EdDSA': {\n if (!isAlgorithm(key.algorithm, 'Ed25519'))\n throw unusable('Ed25519');\n break;\n }\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87': {\n if (!isAlgorithm(key.algorithm, alg))\n throw unusable(alg);\n break;\n }\n case 'ES256':\n case 'ES384':\n case 'ES512': {\n if (!isAlgorithm(key.algorithm, 'ECDSA'))\n throw unusable('ECDSA');\n const expected = getNamedCurve(alg);\n const actual = key.algorithm.namedCurve;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.namedCurve');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\nexport function checkEncCryptoKey(key, alg, usage) {\n switch (alg) {\n case 'A128GCM':\n case 'A192GCM':\n case 'A256GCM': {\n if (!isAlgorithm(key.algorithm, 'AES-GCM'))\n throw unusable('AES-GCM');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'A128KW':\n case 'A192KW':\n case 'A256KW': {\n if (!isAlgorithm(key.algorithm, 'AES-KW'))\n throw unusable('AES-KW');\n const expected = parseInt(alg.slice(1, 4), 10);\n const actual = key.algorithm.length;\n if (actual !== expected)\n throw unusable(expected, 'algorithm.length');\n break;\n }\n case 'ECDH': {\n switch (key.algorithm.name) {\n case 'ECDH':\n case 'X25519':\n break;\n default:\n throw unusable('ECDH or X25519');\n }\n break;\n }\n case 'PBES2-HS256+A128KW':\n case 'PBES2-HS384+A192KW':\n case 'PBES2-HS512+A256KW':\n if (!isAlgorithm(key.algorithm, 'PBKDF2'))\n throw unusable('PBKDF2');\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512': {\n if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))\n throw unusable('RSA-OAEP');\n const expected = parseInt(alg.slice(9), 10) || 1;\n const actual = getHashLength(key.algorithm.hash);\n if (actual !== expected)\n throw unusable(`SHA-${expected}`, 'algorithm.hash');\n break;\n }\n default:\n throw new TypeError('CryptoKey does not support this operation');\n }\n checkUsage(key, usage);\n}\n","function message(msg, actual, ...types) {\n types = types.filter(Boolean);\n if (types.length > 2) {\n const last = types.pop();\n msg += `one of type ${types.join(', ')}, or ${last}.`;\n }\n else if (types.length === 2) {\n msg += `one of type ${types[0]} or ${types[1]}.`;\n }\n else {\n msg += `of type ${types[0]}.`;\n }\n if (actual == null) {\n msg += ` Received ${actual}`;\n }\n else if (typeof actual === 'function' && actual.name) {\n msg += ` Received function ${actual.name}`;\n }\n else if (typeof actual === 'object' && actual != null) {\n if (actual.constructor?.name) {\n msg += ` Received an instance of ${actual.constructor.name}`;\n }\n }\n return msg;\n}\nexport const invalidKeyInput = (actual, ...types) => message('Key must be ', actual, ...types);\nexport const withAlg = (alg, actual, ...types) => message(`Key for the ${alg} algorithm must be `, actual, ...types);\n","export function assertCryptoKey(key) {\n if (!isCryptoKey(key)) {\n throw new Error('CryptoKey instance expected');\n }\n}\nexport const isCryptoKey = (key) => {\n if (key?.[Symbol.toStringTag] === 'CryptoKey')\n return true;\n try {\n return key instanceof CryptoKey;\n }\n catch {\n return false;\n }\n};\nexport const isKeyObject = (key) => key?.[Symbol.toStringTag] === 'KeyObject';\nexport const isKeyLike = (key) => isCryptoKey(key) || isKeyObject(key);\n","export function isDisjoint(...headers) {\n const sources = headers.filter(Boolean);\n if (sources.length === 0 || sources.length === 1) {\n return true;\n }\n let acc;\n for (const header of sources) {\n const parameters = Object.keys(header);\n if (!acc || acc.size === 0) {\n acc = new Set(parameters);\n continue;\n }\n for (const parameter of parameters) {\n if (acc.has(parameter)) {\n return false;\n }\n acc.add(parameter);\n }\n }\n return true;\n}\n","const isObjectLike = (value) => typeof value === 'object' && value !== null;\nexport function isObject(input) {\n if (!isObjectLike(input) || Object.prototype.toString.call(input) !== '[object Object]') {\n return false;\n }\n if (Object.getPrototypeOf(input) === null) {\n return true;\n }\n let proto = input;\n while (Object.getPrototypeOf(proto) !== null) {\n proto = Object.getPrototypeOf(proto);\n }\n return Object.getPrototypeOf(input) === proto;\n}\n","export function checkKeyLength(alg, key) {\n if (alg.startsWith('RS') || alg.startsWith('PS')) {\n const { modulusLength } = key.algorithm;\n if (typeof modulusLength !== 'number' || modulusLength < 2048) {\n throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);\n }\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nfunction subtleMapping(jwk) {\n let algorithm;\n let keyUsages;\n switch (jwk.kty) {\n case 'AKP': {\n switch (jwk.alg) {\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n algorithm = { name: jwk.alg };\n keyUsages = jwk.priv ? ['sign'] : ['verify'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'RSA': {\n switch (jwk.alg) {\n case 'PS256':\n case 'PS384':\n case 'PS512':\n algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RS256':\n case 'RS384':\n case 'RS512':\n algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'RSA-OAEP':\n case 'RSA-OAEP-256':\n case 'RSA-OAEP-384':\n case 'RSA-OAEP-512':\n algorithm = {\n name: 'RSA-OAEP',\n hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`,\n };\n keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'EC': {\n switch (jwk.alg) {\n case 'ES256':\n algorithm = { name: 'ECDSA', namedCurve: 'P-256' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES384':\n algorithm = { name: 'ECDSA', namedCurve: 'P-384' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ES512':\n algorithm = { name: 'ECDSA', namedCurve: 'P-521' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: 'ECDH', namedCurve: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n case 'OKP': {\n switch (jwk.alg) {\n case 'Ed25519':\n case 'EdDSA':\n algorithm = { name: 'Ed25519' };\n keyUsages = jwk.d ? ['sign'] : ['verify'];\n break;\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n algorithm = { name: jwk.crv };\n keyUsages = jwk.d ? ['deriveBits'] : [];\n break;\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"alg\" (Algorithm) Parameter value');\n }\n break;\n }\n default:\n throw new JOSENotSupported('Invalid or unsupported JWK \"kty\" (Key Type) Parameter value');\n }\n return { algorithm, keyUsages };\n}\nexport async function jwkToKey(jwk) {\n if (!jwk.alg) {\n throw new TypeError('\"alg\" argument is required when \"jwk.alg\" is not present');\n }\n const { algorithm, keyUsages } = subtleMapping(jwk);\n const keyData = { ...jwk };\n if (keyData.kty !== 'AKP') {\n delete keyData.alg;\n }\n delete keyData.use;\n return crypto.subtle.importKey('jwk', keyData, algorithm, jwk.ext ?? (jwk.d || jwk.priv ? false : true), jwk.key_ops ?? keyUsages);\n}\n","import { decode as decodeBase64URL } from '../util/base64url.js';\nimport { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';\nimport { jwkToKey } from '../lib/jwk_to_key.js';\nimport { JOSENotSupported } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nexport async function importSPKI(spki, alg, options) {\n if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {\n throw new TypeError('\"spki\" must be SPKI formatted string');\n }\n return fromSPKI(spki, alg, options);\n}\nexport async function importX509(x509, alg, options) {\n if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {\n throw new TypeError('\"x509\" must be X.509 formatted string');\n }\n return fromX509(x509, alg, options);\n}\nexport async function importPKCS8(pkcs8, alg, options) {\n if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {\n throw new TypeError('\"pkcs8\" must be PKCS#8 formatted string');\n }\n return fromPKCS8(pkcs8, alg, options);\n}\nexport async function importJWK(jwk, alg, options) {\n if (!isObject(jwk)) {\n throw new TypeError('JWK must be an object');\n }\n let ext;\n alg ??= jwk.alg;\n ext ??= options?.extractable ?? jwk.ext;\n switch (jwk.kty) {\n case 'oct':\n if (typeof jwk.k !== 'string' || !jwk.k) {\n throw new TypeError('missing \"k\" (Key Value) Parameter value');\n }\n return decodeBase64URL(jwk.k);\n case 'RSA':\n if ('oth' in jwk && jwk.oth !== undefined) {\n throw new JOSENotSupported('RSA JWK \"oth\" (Other Primes Info) Parameter value is not supported');\n }\n return jwkToKey({ ...jwk, alg, ext });\n case 'AKP': {\n if (typeof jwk.alg !== 'string' || !jwk.alg) {\n throw new TypeError('missing \"alg\" (Algorithm) Parameter value');\n }\n if (alg !== undefined && alg !== jwk.alg) {\n throw new TypeError('JWK alg and alg option value mismatch');\n }\n return jwkToKey({ ...jwk, ext });\n }\n case 'EC':\n case 'OKP':\n return jwkToKey({ ...jwk, alg, ext });\n default:\n throw new JOSENotSupported('Unsupported \"kty\" (Key Type) Parameter value');\n }\n}\n","import { JOSENotSupported, JWEInvalid, JWSInvalid } from '../util/errors.js';\nexport function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {\n if (joseHeader.crit !== undefined && protectedHeader?.crit === undefined) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be integrity protected');\n }\n if (!protectedHeader || protectedHeader.crit === undefined) {\n return new Set();\n }\n if (!Array.isArray(protectedHeader.crit) ||\n protectedHeader.crit.length === 0 ||\n protectedHeader.crit.some((input) => typeof input !== 'string' || input.length === 0)) {\n throw new Err('\"crit\" (Critical) Header Parameter MUST be an array of non-empty strings when present');\n }\n let recognized;\n if (recognizedOption !== undefined) {\n recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);\n }\n else {\n recognized = recognizedDefault;\n }\n for (const parameter of protectedHeader.crit) {\n if (!recognized.has(parameter)) {\n throw new JOSENotSupported(`Extension Header Parameter \"${parameter}\" is not recognized`);\n }\n if (joseHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" is missing`);\n }\n if (recognized.get(parameter) && protectedHeader[parameter] === undefined) {\n throw new Err(`Extension Header Parameter \"${parameter}\" MUST be integrity protected`);\n }\n }\n return new Set(protectedHeader.crit);\n}\n","export function validateAlgorithms(option, algorithms) {\n if (algorithms !== undefined &&\n (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== 'string'))) {\n throw new TypeError(`\"${option}\" option must be an array of strings`);\n }\n if (!algorithms) {\n return undefined;\n }\n return new Set(algorithms);\n}\n","import { isObject } from './is_object.js';\nexport const isJWK = (key) => isObject(key) && typeof key.kty === 'string';\nexport const isPrivateJWK = (key) => key.kty !== 'oct' &&\n ((key.kty === 'AKP' && typeof key.priv === 'string') || typeof key.d === 'string');\nexport const isPublicJWK = (key) => key.kty !== 'oct' && key.d === undefined && key.priv === undefined;\nexport const isSecretJWK = (key) => key.kty === 'oct' && typeof key.k === 'string';\n","import { isJWK } from './is_jwk.js';\nimport { decode } from '../util/base64url.js';\nimport { jwkToKey } from './jwk_to_key.js';\nimport { isCryptoKey, isKeyObject } from './is_key_like.js';\nlet cache;\nconst handleJWK = async (key, jwk, alg, freeze = false) => {\n cache ||= new WeakMap();\n let cached = cache.get(key);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const cryptoKey = await jwkToKey({ ...jwk, alg });\n if (freeze)\n Object.freeze(key);\n if (!cached) {\n cache.set(key, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nconst handleKeyObject = (keyObject, alg) => {\n cache ||= new WeakMap();\n let cached = cache.get(keyObject);\n if (cached?.[alg]) {\n return cached[alg];\n }\n const isPublic = keyObject.type === 'public';\n const extractable = isPublic ? true : false;\n let cryptoKey;\n if (keyObject.asymmetricKeyType === 'x25519') {\n switch (alg) {\n case 'ECDH-ES':\n case 'ECDH-ES+A128KW':\n case 'ECDH-ES+A192KW':\n case 'ECDH-ES+A256KW':\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);\n }\n if (keyObject.asymmetricKeyType === 'ed25519') {\n if (alg !== 'EdDSA' && alg !== 'Ed25519') {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n switch (keyObject.asymmetricKeyType) {\n case 'ml-dsa-44':\n case 'ml-dsa-65':\n case 'ml-dsa-87': {\n if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [\n isPublic ? 'verify' : 'sign',\n ]);\n }\n }\n if (keyObject.asymmetricKeyType === 'rsa') {\n let hash;\n switch (alg) {\n case 'RSA-OAEP':\n hash = 'SHA-1';\n break;\n case 'RS256':\n case 'PS256':\n case 'RSA-OAEP-256':\n hash = 'SHA-256';\n break;\n case 'RS384':\n case 'PS384':\n case 'RSA-OAEP-384':\n hash = 'SHA-384';\n break;\n case 'RS512':\n case 'PS512':\n case 'RSA-OAEP-512':\n hash = 'SHA-512';\n break;\n default:\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg.startsWith('RSA-OAEP')) {\n return keyObject.toCryptoKey({\n name: 'RSA-OAEP',\n hash,\n }, extractable, isPublic ? ['encrypt'] : ['decrypt']);\n }\n cryptoKey = keyObject.toCryptoKey({\n name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',\n hash,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (keyObject.asymmetricKeyType === 'ec') {\n const nist = new Map([\n ['prime256v1', 'P-256'],\n ['secp384r1', 'P-384'],\n ['secp521r1', 'P-521'],\n ]);\n const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);\n if (!namedCurve) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (alg === 'ES256' && namedCurve === 'P-256') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES384' && namedCurve === 'P-384') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg === 'ES512' && namedCurve === 'P-521') {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDSA',\n namedCurve,\n }, extractable, [isPublic ? 'verify' : 'sign']);\n }\n if (alg.startsWith('ECDH-ES')) {\n cryptoKey = keyObject.toCryptoKey({\n name: 'ECDH',\n namedCurve,\n }, extractable, isPublic ? [] : ['deriveBits']);\n }\n }\n if (!cryptoKey) {\n throw new TypeError('given KeyObject instance cannot be used for this algorithm');\n }\n if (!cached) {\n cache.set(keyObject, { [alg]: cryptoKey });\n }\n else {\n cached[alg] = cryptoKey;\n }\n return cryptoKey;\n};\nexport async function normalizeKey(key, alg) {\n if (key instanceof Uint8Array) {\n return key;\n }\n if (isCryptoKey(key)) {\n return key;\n }\n if (isKeyObject(key)) {\n if (key.type === 'secret') {\n return key.export();\n }\n if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {\n try {\n return handleKeyObject(key, alg);\n }\n catch (err) {\n if (err instanceof TypeError) {\n throw err;\n }\n }\n }\n let jwk = key.export({ format: 'jwk' });\n return handleJWK(key, jwk, alg);\n }\n if (isJWK(key)) {\n if (key.k) {\n return decode(key.k);\n }\n return handleJWK(key, key, alg, true);\n }\n throw new Error('unreachable');\n}\n","import { withAlg as invalidKeyInput } from './invalid_key_input.js';\nimport { isKeyLike } from './is_key_like.js';\nimport * as jwk from './is_jwk.js';\nconst tag = (key) => key?.[Symbol.toStringTag];\nconst jwkMatchesOp = (alg, key, usage) => {\n if (key.use !== undefined) {\n let expected;\n switch (usage) {\n case 'sign':\n case 'verify':\n expected = 'sig';\n break;\n case 'encrypt':\n case 'decrypt':\n expected = 'enc';\n break;\n }\n if (key.use !== expected) {\n throw new TypeError(`Invalid key for this operation, its \"use\" must be \"${expected}\" when present`);\n }\n }\n if (key.alg !== undefined && key.alg !== alg) {\n throw new TypeError(`Invalid key for this operation, its \"alg\" must be \"${alg}\" when present`);\n }\n if (Array.isArray(key.key_ops)) {\n let expectedKeyOp;\n switch (true) {\n case usage === 'sign' || usage === 'verify':\n case alg === 'dir':\n case alg.includes('CBC-HS'):\n expectedKeyOp = usage;\n break;\n case alg.startsWith('PBES2'):\n expectedKeyOp = 'deriveBits';\n break;\n case /^A\\d{3}(?:GCM)?(?:KW)?$/.test(alg):\n if (!alg.includes('GCM') && alg.endsWith('KW')) {\n expectedKeyOp = usage === 'encrypt' ? 'wrapKey' : 'unwrapKey';\n }\n else {\n expectedKeyOp = usage;\n }\n break;\n case usage === 'encrypt' && alg.startsWith('RSA'):\n expectedKeyOp = 'wrapKey';\n break;\n case usage === 'decrypt':\n expectedKeyOp = alg.startsWith('RSA') ? 'unwrapKey' : 'deriveBits';\n break;\n }\n if (expectedKeyOp && key.key_ops?.includes?.(expectedKeyOp) === false) {\n throw new TypeError(`Invalid key for this operation, its \"key_ops\" must include \"${expectedKeyOp}\" when present`);\n }\n }\n return true;\n};\nconst symmetricTypeCheck = (alg, key, usage) => {\n if (key instanceof Uint8Array)\n return;\n if (jwk.isJWK(key)) {\n if (jwk.isSecretJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for symmetric algorithms must have JWK \"kty\" (Key Type) equal to \"oct\" and the JWK \"k\" (Key Value) present`);\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key', 'Uint8Array'));\n }\n if (key.type !== 'secret') {\n throw new TypeError(`${tag(key)} instances for symmetric algorithms must be of type \"secret\"`);\n }\n};\nconst asymmetricTypeCheck = (alg, key, usage) => {\n if (jwk.isJWK(key)) {\n switch (usage) {\n case 'decrypt':\n case 'sign':\n if (jwk.isPrivateJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a private JWK`);\n case 'encrypt':\n case 'verify':\n if (jwk.isPublicJWK(key) && jwkMatchesOp(alg, key, usage))\n return;\n throw new TypeError(`JSON Web Key for this operation must be a public JWK`);\n }\n }\n if (!isKeyLike(key)) {\n throw new TypeError(invalidKeyInput(alg, key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n if (key.type === 'secret') {\n throw new TypeError(`${tag(key)} instances for asymmetric algorithms must not be of type \"secret\"`);\n }\n if (key.type === 'public') {\n switch (usage) {\n case 'sign':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm signing must be of type \"private\"`);\n case 'decrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm decryption must be of type \"private\"`);\n }\n }\n if (key.type === 'private') {\n switch (usage) {\n case 'verify':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm verifying must be of type \"public\"`);\n case 'encrypt':\n throw new TypeError(`${tag(key)} instances for asymmetric algorithm encryption must be of type \"public\"`);\n }\n }\n};\nexport function checkKeyType(alg, key, usage) {\n switch (alg.substring(0, 2)) {\n case 'A1':\n case 'A2':\n case 'di':\n case 'HS':\n case 'PB':\n symmetricTypeCheck(alg, key, usage);\n break;\n default:\n asymmetricTypeCheck(alg, key, usage);\n }\n}\n","import { JOSENotSupported } from '../util/errors.js';\nexport function subtleAlgorithm(alg, algorithm) {\n const hash = `SHA-${alg.slice(-3)}`;\n switch (alg) {\n case 'HS256':\n case 'HS384':\n case 'HS512':\n return { hash, name: 'HMAC' };\n case 'PS256':\n case 'PS384':\n case 'PS512':\n return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 };\n case 'RS256':\n case 'RS384':\n case 'RS512':\n return { hash, name: 'RSASSA-PKCS1-v1_5' };\n case 'ES256':\n case 'ES384':\n case 'ES512':\n return { hash, name: 'ECDSA', namedCurve: algorithm.namedCurve };\n case 'Ed25519':\n case 'EdDSA':\n return { name: 'Ed25519' };\n case 'ML-DSA-44':\n case 'ML-DSA-65':\n case 'ML-DSA-87':\n return { name: alg };\n default:\n throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);\n }\n}\n","import { checkSigCryptoKey } from './crypto_key.js';\nimport { invalidKeyInput } from './invalid_key_input.js';\nexport async function getSigKey(alg, key, usage) {\n if (key instanceof Uint8Array) {\n if (!alg.startsWith('HS')) {\n throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));\n }\n return crypto.subtle.importKey('raw', key, { hash: `SHA-${alg.slice(-3)}`, name: 'HMAC' }, false, [usage]);\n }\n checkSigCryptoKey(key, alg, usage);\n return key;\n}\n","import { subtleAlgorithm } from './subtle_dsa.js';\nimport { checkKeyLength } from './check_key_length.js';\nimport { getSigKey } from './get_sign_verify_key.js';\nexport async function verify(alg, key, signature, data) {\n const cryptoKey = await getSigKey(alg, key, 'verify');\n checkKeyLength(alg, cryptoKey);\n const algorithm = subtleAlgorithm(alg, cryptoKey.algorithm);\n try {\n return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);\n }\n catch {\n return false;\n }\n}\n","import { decode as b64u } from '../../util/base64url.js';\nimport { verify } from '../../lib/verify.js';\nimport { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';\nimport { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';\nimport { isDisjoint } from '../../lib/is_disjoint.js';\nimport { isObject } from '../../lib/is_object.js';\nimport { checkKeyType } from '../../lib/check_key_type.js';\nimport { validateCrit } from '../../lib/validate_crit.js';\nimport { validateAlgorithms } from '../../lib/validate_algorithms.js';\nimport { normalizeKey } from '../../lib/normalize_key.js';\nexport async function flattenedVerify(jws, key, options) {\n if (!isObject(jws)) {\n throw new JWSInvalid('Flattened JWS must be an object');\n }\n if (jws.protected === undefined && jws.header === undefined) {\n throw new JWSInvalid('Flattened JWS must have either of the \"protected\" or \"header\" members');\n }\n if (jws.protected !== undefined && typeof jws.protected !== 'string') {\n throw new JWSInvalid('JWS Protected Header incorrect type');\n }\n if (jws.payload === undefined) {\n throw new JWSInvalid('JWS Payload missing');\n }\n if (typeof jws.signature !== 'string') {\n throw new JWSInvalid('JWS Signature missing or incorrect type');\n }\n if (jws.header !== undefined && !isObject(jws.header)) {\n throw new JWSInvalid('JWS Unprotected Header incorrect type');\n }\n let parsedProt = {};\n if (jws.protected) {\n try {\n const protectedHeader = b64u(jws.protected);\n parsedProt = JSON.parse(decoder.decode(protectedHeader));\n }\n catch {\n throw new JWSInvalid('JWS Protected Header is invalid');\n }\n }\n if (!isDisjoint(parsedProt, jws.header)) {\n throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');\n }\n const joseHeader = {\n ...parsedProt,\n ...jws.header,\n };\n const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);\n let b64 = true;\n if (extensions.has('b64')) {\n b64 = parsedProt.b64;\n if (typeof b64 !== 'boolean') {\n throw new JWSInvalid('The \"b64\" (base64url-encode payload) Header Parameter must be a boolean');\n }\n }\n const { alg } = joseHeader;\n if (typeof alg !== 'string' || !alg) {\n throw new JWSInvalid('JWS \"alg\" (Algorithm) Header Parameter missing or invalid');\n }\n const algorithms = options && validateAlgorithms('algorithms', options.algorithms);\n if (algorithms && !algorithms.has(alg)) {\n throw new JOSEAlgNotAllowed('\"alg\" (Algorithm) Header Parameter value not allowed');\n }\n if (b64) {\n if (typeof jws.payload !== 'string') {\n throw new JWSInvalid('JWS Payload must be a string');\n }\n }\n else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {\n throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');\n }\n let resolvedKey = false;\n if (typeof key === 'function') {\n key = await key(parsedProt, jws);\n resolvedKey = true;\n }\n checkKeyType(alg, key, 'verify');\n const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'\n ? b64\n ? encode(jws.payload)\n : encoder.encode(jws.payload)\n : jws.payload);\n let signature;\n try {\n signature = b64u(jws.signature);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the signature');\n }\n const k = await normalizeKey(key, alg);\n const verified = await verify(alg, k, signature, data);\n if (!verified) {\n throw new JWSSignatureVerificationFailed();\n }\n let payload;\n if (b64) {\n try {\n payload = b64u(jws.payload);\n }\n catch {\n throw new JWSInvalid('Failed to base64url decode the payload');\n }\n }\n else if (typeof jws.payload === 'string') {\n payload = encoder.encode(jws.payload);\n }\n else {\n payload = jws.payload;\n }\n const result = { payload };\n if (jws.protected !== undefined) {\n result.protectedHeader = parsedProt;\n }\n if (jws.header !== undefined) {\n result.unprotectedHeader = jws.header;\n }\n if (resolvedKey) {\n return { ...result, key: k };\n }\n return result;\n}\n","import { flattenedVerify } from '../flattened/verify.js';\nimport { JWSInvalid } from '../../util/errors.js';\nimport { decoder } from '../../lib/buffer_utils.js';\nexport async function compactVerify(jws, key, options) {\n if (jws instanceof Uint8Array) {\n jws = decoder.decode(jws);\n }\n if (typeof jws !== 'string') {\n throw new JWSInvalid('Compact JWS must be a string or Uint8Array');\n }\n const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split('.');\n if (length !== 3) {\n throw new JWSInvalid('Invalid Compact JWS');\n }\n const verified = await flattenedVerify({ payload, protected: protectedHeader, signature }, key, options);\n const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';\nimport { encoder, decoder } from './buffer_utils.js';\nimport { isObject } from './is_object.js';\nconst epoch = (date) => Math.floor(date.getTime() / 1000);\nconst minute = 60;\nconst hour = minute * 60;\nconst day = hour * 24;\nconst week = day * 7;\nconst year = day * 365.25;\nconst REGEX = /^(\\+|\\-)? ?(\\d+|\\d+\\.\\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;\nexport function secs(str) {\n const matched = REGEX.exec(str);\n if (!matched || (matched[4] && matched[1])) {\n throw new TypeError('Invalid time period format');\n }\n const value = parseFloat(matched[2]);\n const unit = matched[3].toLowerCase();\n let numericDate;\n switch (unit) {\n case 'sec':\n case 'secs':\n case 'second':\n case 'seconds':\n case 's':\n numericDate = Math.round(value);\n break;\n case 'minute':\n case 'minutes':\n case 'min':\n case 'mins':\n case 'm':\n numericDate = Math.round(value * minute);\n break;\n case 'hour':\n case 'hours':\n case 'hr':\n case 'hrs':\n case 'h':\n numericDate = Math.round(value * hour);\n break;\n case 'day':\n case 'days':\n case 'd':\n numericDate = Math.round(value * day);\n break;\n case 'week':\n case 'weeks':\n case 'w':\n numericDate = Math.round(value * week);\n break;\n default:\n numericDate = Math.round(value * year);\n break;\n }\n if (matched[1] === '-' || matched[4] === 'ago') {\n return -numericDate;\n }\n return numericDate;\n}\nfunction validateInput(label, input) {\n if (!Number.isFinite(input)) {\n throw new TypeError(`Invalid ${label} input`);\n }\n return input;\n}\nconst normalizeTyp = (value) => {\n if (value.includes('/')) {\n return value.toLowerCase();\n }\n return `application/${value.toLowerCase()}`;\n};\nconst checkAudiencePresence = (audPayload, audOption) => {\n if (typeof audPayload === 'string') {\n return audOption.includes(audPayload);\n }\n if (Array.isArray(audPayload)) {\n return audOption.some(Set.prototype.has.bind(new Set(audPayload)));\n }\n return false;\n};\nexport function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {\n let payload;\n try {\n payload = JSON.parse(decoder.decode(encodedPayload));\n }\n catch {\n }\n if (!isObject(payload)) {\n throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');\n }\n const { typ } = options;\n if (typ &&\n (typeof protectedHeader.typ !== 'string' ||\n normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {\n throw new JWTClaimValidationFailed('unexpected \"typ\" JWT header value', payload, 'typ', 'check_failed');\n }\n const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;\n const presenceCheck = [...requiredClaims];\n if (maxTokenAge !== undefined)\n presenceCheck.push('iat');\n if (audience !== undefined)\n presenceCheck.push('aud');\n if (subject !== undefined)\n presenceCheck.push('sub');\n if (issuer !== undefined)\n presenceCheck.push('iss');\n for (const claim of new Set(presenceCheck.reverse())) {\n if (!(claim in payload)) {\n throw new JWTClaimValidationFailed(`missing required \"${claim}\" claim`, payload, claim, 'missing');\n }\n }\n if (issuer &&\n !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {\n throw new JWTClaimValidationFailed('unexpected \"iss\" claim value', payload, 'iss', 'check_failed');\n }\n if (subject && payload.sub !== subject) {\n throw new JWTClaimValidationFailed('unexpected \"sub\" claim value', payload, 'sub', 'check_failed');\n }\n if (audience &&\n !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {\n throw new JWTClaimValidationFailed('unexpected \"aud\" claim value', payload, 'aud', 'check_failed');\n }\n let tolerance;\n switch (typeof options.clockTolerance) {\n case 'string':\n tolerance = secs(options.clockTolerance);\n break;\n case 'number':\n tolerance = options.clockTolerance;\n break;\n case 'undefined':\n tolerance = 0;\n break;\n default:\n throw new TypeError('Invalid clockTolerance option type');\n }\n const { currentDate } = options;\n const now = epoch(currentDate || new Date());\n if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {\n throw new JWTClaimValidationFailed('\"iat\" claim must be a number', payload, 'iat', 'invalid');\n }\n if (payload.nbf !== undefined) {\n if (typeof payload.nbf !== 'number') {\n throw new JWTClaimValidationFailed('\"nbf\" claim must be a number', payload, 'nbf', 'invalid');\n }\n if (payload.nbf > now + tolerance) {\n throw new JWTClaimValidationFailed('\"nbf\" claim timestamp check failed', payload, 'nbf', 'check_failed');\n }\n }\n if (payload.exp !== undefined) {\n if (typeof payload.exp !== 'number') {\n throw new JWTClaimValidationFailed('\"exp\" claim must be a number', payload, 'exp', 'invalid');\n }\n if (payload.exp <= now - tolerance) {\n throw new JWTExpired('\"exp\" claim timestamp check failed', payload, 'exp', 'check_failed');\n }\n }\n if (maxTokenAge) {\n const age = now - payload.iat;\n const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);\n if (age - tolerance > max) {\n throw new JWTExpired('\"iat\" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');\n }\n if (age < 0 - tolerance) {\n throw new JWTClaimValidationFailed('\"iat\" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');\n }\n }\n return payload;\n}\nexport class JWTClaimsBuilder {\n #payload;\n constructor(payload) {\n if (!isObject(payload)) {\n throw new TypeError('JWT Claims Set MUST be an object');\n }\n this.#payload = structuredClone(payload);\n }\n data() {\n return encoder.encode(JSON.stringify(this.#payload));\n }\n get iss() {\n return this.#payload.iss;\n }\n set iss(value) {\n this.#payload.iss = value;\n }\n get sub() {\n return this.#payload.sub;\n }\n set sub(value) {\n this.#payload.sub = value;\n }\n get aud() {\n return this.#payload.aud;\n }\n set aud(value) {\n this.#payload.aud = value;\n }\n set jti(value) {\n this.#payload.jti = value;\n }\n set nbf(value) {\n if (typeof value === 'number') {\n this.#payload.nbf = validateInput('setNotBefore', value);\n }\n else if (value instanceof Date) {\n this.#payload.nbf = validateInput('setNotBefore', epoch(value));\n }\n else {\n this.#payload.nbf = epoch(new Date()) + secs(value);\n }\n }\n set exp(value) {\n if (typeof value === 'number') {\n this.#payload.exp = validateInput('setExpirationTime', value);\n }\n else if (value instanceof Date) {\n this.#payload.exp = validateInput('setExpirationTime', epoch(value));\n }\n else {\n this.#payload.exp = epoch(new Date()) + secs(value);\n }\n }\n set iat(value) {\n if (value === undefined) {\n this.#payload.iat = epoch(new Date());\n }\n else if (value instanceof Date) {\n this.#payload.iat = validateInput('setIssuedAt', epoch(value));\n }\n else if (typeof value === 'string') {\n this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));\n }\n else {\n this.#payload.iat = validateInput('setIssuedAt', value);\n }\n }\n}\n","import { compactVerify } from '../jws/compact/verify.js';\nimport { validateClaimsSet } from '../lib/jwt_claims_set.js';\nimport { JWTInvalid } from '../util/errors.js';\nexport async function jwtVerify(jwt, key, options) {\n const verified = await compactVerify(jwt, key, options);\n if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {\n throw new JWTInvalid('JWTs MUST NOT use unencoded payload');\n }\n const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);\n const result = { payload, protectedHeader: verified.protectedHeader };\n if (typeof key === 'function') {\n return { ...result, key: verified.key };\n }\n return result;\n}\n","import { importJWK } from '../key/import.js';\nimport { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';\nimport { isObject } from '../lib/is_object.js';\nfunction getKtyFromAlg(alg) {\n switch (typeof alg === 'string' && alg.slice(0, 2)) {\n case 'RS':\n case 'PS':\n return 'RSA';\n case 'ES':\n return 'EC';\n case 'Ed':\n return 'OKP';\n case 'ML':\n return 'AKP';\n default:\n throw new JOSENotSupported('Unsupported \"alg\" value for a JSON Web Key Set');\n }\n}\nfunction isJWKSLike(jwks) {\n return (jwks &&\n typeof jwks === 'object' &&\n Array.isArray(jwks.keys) &&\n jwks.keys.every(isJWKLike));\n}\nfunction isJWKLike(key) {\n return isObject(key);\n}\nclass LocalJWKSet {\n #jwks;\n #cached = new WeakMap();\n constructor(jwks) {\n if (!isJWKSLike(jwks)) {\n throw new JWKSInvalid('JSON Web Key Set malformed');\n }\n this.#jwks = structuredClone(jwks);\n }\n jwks() {\n return this.#jwks;\n }\n async getKey(protectedHeader, token) {\n const { alg, kid } = { ...protectedHeader, ...token?.header };\n const kty = getKtyFromAlg(alg);\n const candidates = this.#jwks.keys.filter((jwk) => {\n let candidate = kty === jwk.kty;\n if (candidate && typeof kid === 'string') {\n candidate = kid === jwk.kid;\n }\n if (candidate && (typeof jwk.alg === 'string' || kty === 'AKP')) {\n candidate = alg === jwk.alg;\n }\n if (candidate && typeof jwk.use === 'string') {\n candidate = jwk.use === 'sig';\n }\n if (candidate && Array.isArray(jwk.key_ops)) {\n candidate = jwk.key_ops.includes('verify');\n }\n if (candidate) {\n switch (alg) {\n case 'ES256':\n candidate = jwk.crv === 'P-256';\n break;\n case 'ES384':\n candidate = jwk.crv === 'P-384';\n break;\n case 'ES512':\n candidate = jwk.crv === 'P-521';\n break;\n case 'Ed25519':\n case 'EdDSA':\n candidate = jwk.crv === 'Ed25519';\n break;\n }\n }\n return candidate;\n });\n const { 0: jwk, length } = candidates;\n if (length === 0) {\n throw new JWKSNoMatchingKey();\n }\n if (length !== 1) {\n const error = new JWKSMultipleMatchingKeys();\n const _cached = this.#cached;\n error[Symbol.asyncIterator] = async function* () {\n for (const jwk of candidates) {\n try {\n yield await importWithAlgCache(_cached, jwk, alg);\n }\n catch { }\n }\n };\n throw error;\n }\n return importWithAlgCache(this.#cached, jwk, alg);\n }\n}\nasync function importWithAlgCache(cache, jwk, alg) {\n const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);\n if (cached[alg] === undefined) {\n const key = await importJWK({ ...jwk, ext: true }, alg);\n if (key instanceof Uint8Array || key.type !== 'public') {\n throw new JWKSInvalid('JSON Web Key Set members must be public keys');\n }\n cached[alg] = key;\n }\n return cached[alg];\n}\nexport function createLocalJWKSet(jwks) {\n const set = new LocalJWKSet(jwks);\n const localJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(localJWKSet, {\n jwks: {\n value: () => structuredClone(set.jwks()),\n enumerable: false,\n configurable: false,\n writable: false,\n },\n });\n return localJWKSet;\n}\n","import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js';\nimport { createLocalJWKSet } from './local.js';\nimport { isObject } from '../lib/is_object.js';\nfunction isCloudflareWorkers() {\n return (typeof WebSocketPair !== 'undefined' ||\n (typeof navigator !== 'undefined' && navigator.userAgent === 'Cloudflare-Workers') ||\n (typeof EdgeRuntime !== 'undefined' && EdgeRuntime === 'vercel'));\n}\nlet USER_AGENT;\nif (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {\n const NAME = 'jose';\n const VERSION = 'v6.1.3';\n USER_AGENT = `${NAME}/${VERSION}`;\n}\nexport const customFetch = Symbol();\nasync function fetchJwks(url, headers, signal, fetchImpl = fetch) {\n const response = await fetchImpl(url, {\n method: 'GET',\n signal,\n redirect: 'manual',\n headers,\n }).catch((err) => {\n if (err.name === 'TimeoutError') {\n throw new JWKSTimeout();\n }\n throw err;\n });\n if (response.status !== 200) {\n throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');\n }\n try {\n return await response.json();\n }\n catch {\n throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');\n }\n}\nexport const jwksCache = Symbol();\nfunction isFreshJwksCache(input, cacheMaxAge) {\n if (typeof input !== 'object' || input === null) {\n return false;\n }\n if (!('uat' in input) || typeof input.uat !== 'number' || Date.now() - input.uat >= cacheMaxAge) {\n return false;\n }\n if (!('jwks' in input) ||\n !isObject(input.jwks) ||\n !Array.isArray(input.jwks.keys) ||\n !Array.prototype.every.call(input.jwks.keys, isObject)) {\n return false;\n }\n return true;\n}\nclass RemoteJWKSet {\n #url;\n #timeoutDuration;\n #cooldownDuration;\n #cacheMaxAge;\n #jwksTimestamp;\n #pendingFetch;\n #headers;\n #customFetch;\n #local;\n #cache;\n constructor(url, options) {\n if (!(url instanceof URL)) {\n throw new TypeError('url must be an instance of URL');\n }\n this.#url = new URL(url.href);\n this.#timeoutDuration =\n typeof options?.timeoutDuration === 'number' ? options?.timeoutDuration : 5000;\n this.#cooldownDuration =\n typeof options?.cooldownDuration === 'number' ? options?.cooldownDuration : 30000;\n this.#cacheMaxAge = typeof options?.cacheMaxAge === 'number' ? options?.cacheMaxAge : 600000;\n this.#headers = new Headers(options?.headers);\n if (USER_AGENT && !this.#headers.has('User-Agent')) {\n this.#headers.set('User-Agent', USER_AGENT);\n }\n if (!this.#headers.has('accept')) {\n this.#headers.set('accept', 'application/json');\n this.#headers.append('accept', 'application/jwk-set+json');\n }\n this.#customFetch = options?.[customFetch];\n if (options?.[jwksCache] !== undefined) {\n this.#cache = options?.[jwksCache];\n if (isFreshJwksCache(options?.[jwksCache], this.#cacheMaxAge)) {\n this.#jwksTimestamp = this.#cache.uat;\n this.#local = createLocalJWKSet(this.#cache.jwks);\n }\n }\n }\n pendingFetch() {\n return !!this.#pendingFetch;\n }\n coolingDown() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cooldownDuration\n : false;\n }\n fresh() {\n return typeof this.#jwksTimestamp === 'number'\n ? Date.now() < this.#jwksTimestamp + this.#cacheMaxAge\n : false;\n }\n jwks() {\n return this.#local?.jwks();\n }\n async getKey(protectedHeader, token) {\n if (!this.#local || !this.fresh()) {\n await this.reload();\n }\n try {\n return await this.#local(protectedHeader, token);\n }\n catch (err) {\n if (err instanceof JWKSNoMatchingKey) {\n if (this.coolingDown() === false) {\n await this.reload();\n return this.#local(protectedHeader, token);\n }\n }\n throw err;\n }\n }\n async reload() {\n if (this.#pendingFetch && isCloudflareWorkers()) {\n this.#pendingFetch = undefined;\n }\n this.#pendingFetch ||= fetchJwks(this.#url.href, this.#headers, AbortSignal.timeout(this.#timeoutDuration), this.#customFetch)\n .then((json) => {\n this.#local = createLocalJWKSet(json);\n if (this.#cache) {\n this.#cache.uat = Date.now();\n this.#cache.jwks = json;\n }\n this.#jwksTimestamp = Date.now();\n this.#pendingFetch = undefined;\n })\n .catch((err) => {\n this.#pendingFetch = undefined;\n throw err;\n });\n await this.#pendingFetch;\n }\n}\nexport function createRemoteJWKSet(url, options) {\n const set = new RemoteJWKSet(url, options);\n const remoteJWKSet = async (protectedHeader, token) => set.getKey(protectedHeader, token);\n Object.defineProperties(remoteJWKSet, {\n coolingDown: {\n get: () => set.coolingDown(),\n enumerable: true,\n configurable: false,\n },\n fresh: {\n get: () => set.fresh(),\n enumerable: true,\n configurable: false,\n },\n reload: {\n value: () => set.reload(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n reloading: {\n get: () => set.pendingFetch(),\n enumerable: true,\n configurable: false,\n },\n jwks: {\n value: () => set.jwks(),\n enumerable: true,\n configurable: false,\n writable: false,\n },\n });\n return remoteJWKSet;\n}\n","import { createMiddleware } from \"@tanstack/react-start\";\r\nimport * as jose from \"jose\";\r\nimport { scopes as definedScopes, permissions } from \"virtual:wcz-layout\";\r\nimport { clientEnv } from \"~/env\";\r\nimport { getAccessToken } from \"~/lib/auth/msalClient\";\r\nimport { TokenPayload } from \"~/models/TokenPayload\";\r\nimport { User } from \"~/models/User\";\r\n\r\nexport const authMiddleware = (permissionKey: keyof typeof permissions) => createMiddleware()\r\n .server(async ({ next, request }) => {\r\n const accessToken = request.headers.get(\"Authorization\");\r\n\r\n if (!accessToken?.startsWith(\"Bearer \"))\r\n throw new Error(\"Unauthorized: Missing access token or invalid Authorization header\");\r\n\r\n const tokenPayload = await verifyToken(accessToken.substring(7));\r\n\r\n const user: User = {\r\n id: tokenPayload.sub,\r\n name: tokenPayload.name.split(\"/\")[0],\r\n email: tokenPayload.preferred_username.toLowerCase(),\r\n groups: tokenPayload.groups ?? [],\r\n department: tokenPayload.department || \"\",\r\n employeeId: tokenPayload.employeeId || \"\",\r\n hasPermission: (permissionKey: keyof typeof permissions) => {\r\n const allowedGroups = permissions[permissionKey];\r\n return allowedGroups.some(k => (tokenPayload.groups ?? []).includes(k));\r\n }\r\n }\r\n\r\n if (!user.hasPermission(permissionKey))\r\n throw new Error(`Forbidden: User ${user.name} is not authorized to access this resource`);\r\n\r\n return next({ context: { user } });\r\n });\r\n\r\nexport const serverFnAccessTokenMiddleware = (scopeKey: keyof typeof definedScopes) => createMiddleware({ type: \"function\" })\r\n .client(async ({ next }) => {\r\n const accessToken = await getAccessToken(scopeKey);\r\n return next({\r\n headers: {\r\n Authorization: `Bearer ${accessToken}`,\r\n }\r\n });\r\n });\r\n\r\nasync function verifyToken(token: string): Promise<TokenPayload> {\r\n const { payload } = await jose.jwtVerify(token, getJWKS(), {\r\n issuer: `https://login.microsoftonline.com/${clientEnv.VITE_ENTRA_TENANT_ID}/v2.0`,\r\n audience: clientEnv.VITE_ENTRA_CLIENT_ID,\r\n });\r\n return payload as unknown as TokenPayload;\r\n}\r\n\r\nlet jwksCache: ReturnType<typeof jose.createRemoteJWKSet> | null = null;\r\n\r\nfunction getJWKS() {\r\n jwksCache ??= jose.createRemoteJWKSet(new URL(`https://login.microsoftonline.com/${process.env.ENTRA_TENANT_ID}/discovery/v2.0/keys`));\r\n return jwksCache;\r\n}\r\n"],"names":["encoder","decoder","concat","buffers","size","acc","length","buf","i","buffer","encode","string","bytes","code","decodeBase64","encoded","binary","decode","input","JOSEError","message","options","JWTClaimValidationFailed","payload","claim","reason","JWTExpired","JOSEAlgNotAllowed","JOSENotSupported","JWSInvalid","JWTInvalid","JWKSInvalid","JWKSNoMatchingKey","JWKSMultipleMatchingKeys","JWKSTimeout","JWSSignatureVerificationFailed","unusable","name","prop","isAlgorithm","algorithm","getHashLength","hash","getNamedCurve","alg","checkUsage","key","usage","checkSigCryptoKey","expected","msg","actual","types","last","invalidKeyInput","withAlg","isCryptoKey","isKeyObject","isKeyLike","isDisjoint","headers","sources","header","parameters","parameter","isObjectLike","value","isObject","proto","checkKeyLength","modulusLength","subtleMapping","jwk","keyUsages","jwkToKey","keyData","importJWK","ext","decodeBase64URL","validateCrit","Err","recognizedDefault","recognizedOption","protectedHeader","joseHeader","recognized","validateAlgorithms","option","algorithms","s","isJWK","isPrivateJWK","isPublicJWK","isSecretJWK","cache","handleJWK","freeze","cached","cryptoKey","handleKeyObject","keyObject","isPublic","extractable","namedCurve","normalizeKey","err","tag","jwkMatchesOp","expectedKeyOp","symmetricTypeCheck","jwk.isJWK","jwk.isSecretJWK","asymmetricTypeCheck","jwk.isPrivateJWK","jwk.isPublicJWK","checkKeyType","subtleAlgorithm","getSigKey","verify","signature","data","flattenedVerify","jws","parsedProt","b64u","extensions","b64","resolvedKey","k","result","compactVerify","verified","epoch","date","minute","hour","day","week","year","REGEX","secs","str","matched","unit","numericDate","normalizeTyp","checkAudiencePresence","audPayload","audOption","validateClaimsSet","encodedPayload","typ","requiredClaims","issuer","subject","audience","maxTokenAge","presenceCheck","tolerance","currentDate","now","age","max","jwtVerify","jwt","getKtyFromAlg","isJWKSLike","jwks","isJWKLike","LocalJWKSet","#jwks","#cached","token","kid","kty","candidates","candidate","error","_cached","importWithAlgCache","createLocalJWKSet","set","localJWKSet","isCloudflareWorkers","USER_AGENT","customFetch","fetchJwks","url","signal","fetchImpl","response","jwksCache","isFreshJwksCache","cacheMaxAge","RemoteJWKSet","#url","#timeoutDuration","#cooldownDuration","#cacheMaxAge","#jwksTimestamp","#pendingFetch","#headers","#customFetch","#local","#cache","json","createRemoteJWKSet","remoteJWKSet","authMiddleware","permissionKey","createMiddleware","server","next","request","accessToken","get","startsWith","Error","tokenPayload","verifyToken","substring","user","id","sub","split","email","preferred_username","toLowerCase","groups","department","employeeId","hasPermission","permissions","some","includes","context","serverFnAccessTokenMiddleware","scopeKey","type","client","getAccessToken","Authorization","jose","getJWKS","clientEnv","VITE_ENTRA_TENANT_ID","VITE_ENTRA_CLIENT_ID","URL","process","env","ENTRA_TENANT_ID"],"mappings":";;;;AAAO,MAAMA,IAAU,IAAI,YAAW,GACzBC,IAAU,IAAI,YAAW;AAE/B,SAASC,MAAUC,GAAS;AAC/B,QAAMC,IAAOD,EAAQ,OAAO,CAACE,GAAK,EAAE,QAAAC,QAAaD,IAAMC,GAAQ,CAAC,GAC1DC,IAAM,IAAI,WAAWH,CAAI;AAC/B,MAAII,IAAI;AACR,aAAWC,KAAUN;AACjB,IAAAI,EAAI,IAAIE,GAAQD,CAAC,GACjBA,KAAKC,EAAO;AAEhB,SAAOF;AACX;AAoBO,SAASG,EAAOC,GAAQ;AAC3B,QAAMC,IAAQ,IAAI,WAAWD,EAAO,MAAM;AAC1C,WAASH,IAAI,GAAGA,IAAIG,EAAO,QAAQH,KAAK;AACpC,UAAMK,IAAOF,EAAO,WAAWH,CAAC;AAChC,QAAIK,IAAO;AACP,YAAM,IAAI,UAAU,0CAA0C;AAElE,IAAAD,EAAMJ,CAAC,IAAIK;AAAA,EACf;AACA,SAAOD;AACX;AC/BO,SAASE,GAAaC,GAAS;AAClC,MAAI,WAAW;AACX,WAAO,WAAW,WAAWA,CAAO;AAExC,QAAMC,IAAS,KAAKD,CAAO,GACrBH,IAAQ,IAAI,WAAWI,EAAO,MAAM;AAC1C,WAASR,IAAI,GAAGA,IAAIQ,EAAO,QAAQR;AAC/B,IAAAI,EAAMJ,CAAC,IAAIQ,EAAO,WAAWR,CAAC;AAElC,SAAOI;AACX;ACnBO,SAASK,EAAOC,GAAO;AAC1B,MAAI,WAAW;AACX,WAAO,WAAW,WAAW,OAAOA,KAAU,WAAWA,IAAQjB,EAAQ,OAAOiB,CAAK,GAAG;AAAA,MACpF,UAAU;AAAA,IACtB,CAAS;AAEL,MAAIH,IAAUG;AACd,EAAIH,aAAmB,eACnBA,IAAUd,EAAQ,OAAOc,CAAO,IAEpCA,IAAUA,EAAQ,QAAQ,MAAM,GAAG,EAAE,QAAQ,MAAM,GAAG;AACtD,MAAI;AACA,WAAOD,GAAaC,CAAO;AAAA,EAC/B,QACM;AACF,UAAM,IAAI,UAAU,mDAAmD;AAAA,EAC3E;AACJ;ACnBO,MAAMI,UAAkB,MAAM;AAAA,EACjC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,GAASC,GAAS;AAC1B,UAAMD,GAASC,CAAO,GACtB,KAAK,OAAO,KAAK,YAAY,MAC7B,MAAM,oBAAoB,MAAM,KAAK,WAAW;AAAA,EACpD;AACJ;AACO,MAAMC,UAAiCH,EAAU;AAAA,EACpD,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAYC,GAASG,GAASC,IAAQ,eAAeC,IAAS,eAAe;AACzE,UAAML,GAAS,EAAE,OAAO,EAAE,OAAAI,GAAO,QAAAC,GAAQ,SAAAF,EAAO,GAAI,GACpD,KAAK,QAAQC,GACb,KAAK,SAASC,GACd,KAAK,UAAUF;AAAA,EACnB;AACJ;AACO,MAAMG,UAAmBP,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP;AAAA,EACA;AAAA,EACA;AAAA,EACA,YAAYC,GAASG,GAASC,IAAQ,eAAeC,IAAS,eAAe;AACzE,UAAML,GAAS,EAAE,OAAO,EAAE,OAAAI,GAAO,QAAAC,GAAQ,SAAAF,EAAO,GAAI,GACpD,KAAK,QAAQC,GACb,KAAK,SAASC,GACd,KAAK,UAAUF;AAAA,EACnB;AACJ;AACO,MAAMI,WAA0BR,EAAU;AAAA,EAC7C,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMS,UAAyBT,EAAU;AAAA,EAC5C,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AAYO,MAAMU,UAAmBV,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMW,UAAmBX,EAAU;AAAA,EACtC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AAKO,MAAMY,UAAoBZ,EAAU;AAAA,EACvC,OAAO,OAAO;AAAA,EACd,OAAO;AACX;AACO,MAAMa,UAA0Bb,EAAU;AAAA,EAC7C,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,mDAAmDC,GAAS;AAC9E,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMY,WAAiCd,EAAU;AAAA,EACpD,CAAC,OAAO,aAAa;AAAA,EACrB,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,wDAAwDC,GAAS;AACnF,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMa,WAAoBf,EAAU;AAAA,EACvC,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,qBAAqBC,GAAS;AAChD,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AACO,MAAMc,WAAuChB,EAAU;AAAA,EAC1D,OAAO,OAAO;AAAA,EACd,OAAO;AAAA,EACP,YAAYC,IAAU,iCAAiCC,GAAS;AAC5D,UAAMD,GAASC,CAAO;AAAA,EAC1B;AACJ;AClGA,MAAMe,IAAW,CAACC,GAAMC,IAAO,qBAAqB,IAAI,UAAU,kDAAkDA,CAAI,YAAYD,CAAI,EAAE,GACpIE,IAAc,CAACC,GAAWH,MAASG,EAAU,SAASH;AAC5D,SAASI,EAAcC,GAAM;AACzB,SAAO,SAASA,EAAK,KAAK,MAAM,CAAC,GAAG,EAAE;AAC1C;AACA,SAASC,GAAcC,GAAK;AACxB,UAAQA,GAAG;AAAA,IACP,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAI,MAAM,aAAa;AAAA,EACzC;AACA;AACA,SAASC,GAAWC,GAAKC,GAAO;AAC5B,MAAa,CAACD,EAAI,OAAO,SAASC,CAAK;AACnC,UAAM,IAAI,UAAU,sEAAsEA,CAAK,GAAG;AAE1G;AACO,SAASC,GAAkBF,GAAKF,GAAKG,GAAO;AAC/C,UAAQH,GAAG;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACL,EAAYO,EAAI,WAAW,MAAM;AAClC,cAAMV,EAAS,MAAM;AACzB,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,mBAAmB;AAC/C,cAAMV,EAAS,mBAAmB;AACtC,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,SAAS;AACrC,cAAMV,EAAS,SAAS;AAC5B,YAAMa,IAAW,SAASL,EAAI,MAAM,CAAC,GAAG,EAAE;AAE1C,UADeH,EAAcK,EAAI,UAAU,IAAI,MAChCG;AACX,cAAMb,EAAS,OAAOa,CAAQ,IAAI,gBAAgB;AACtD;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACV,EAAYO,EAAI,WAAW,SAAS;AACrC,cAAMV,EAAS,SAAS;AAC5B;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,aAAa;AACd,UAAI,CAACG,EAAYO,EAAI,WAAWF,CAAG;AAC/B,cAAMR,EAASQ,CAAG;AACtB;AAAA,IACJ;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,SAAS;AACV,UAAI,CAACL,EAAYO,EAAI,WAAW,OAAO;AACnC,cAAMV,EAAS,OAAO;AAC1B,YAAMa,IAAWN,GAAcC,CAAG;AAElC,UADeE,EAAI,UAAU,eACdG;AACX,cAAMb,EAASa,GAAU,sBAAsB;AACnD;AAAA,IACJ;AAAA,IACA;AACI,YAAM,IAAI,UAAU,2CAA2C;AAAA,EAC3E;AACI,EAAAJ,GAAWC,GAAKC,CAAK;AACzB;ACrFA,SAAS3B,EAAQ8B,GAAKC,MAAWC,GAAO;AAEpC,MADAA,IAAQA,EAAM,OAAO,OAAO,GACxBA,EAAM,SAAS,GAAG;AAClB,UAAMC,IAAOD,EAAM,IAAG;AACtB,IAAAF,KAAO,eAAeE,EAAM,KAAK,IAAI,CAAC,QAAQC,CAAI;AAAA,EACtD,MACK,CAAID,EAAM,WAAW,IACtBF,KAAO,eAAeE,EAAM,CAAC,CAAC,OAAOA,EAAM,CAAC,CAAC,MAG7CF,KAAO,WAAWE,EAAM,CAAC,CAAC;AAE9B,SAAID,KAAU,OACVD,KAAO,aAAaC,CAAM,KAErB,OAAOA,KAAW,cAAcA,EAAO,OAC5CD,KAAO,sBAAsBC,EAAO,IAAI,KAEnC,OAAOA,KAAW,YAAYA,KAAU,QACzCA,EAAO,aAAa,SACpBD,KAAO,4BAA4BC,EAAO,YAAY,IAAI,KAG3DD;AACX;AACO,MAAMI,KAAkB,CAACH,MAAWC,MAAUhC,EAAQ,gBAAgB+B,GAAQ,GAAGC,CAAK,GAChFG,IAAU,CAACX,GAAKO,MAAWC,MAAUhC,EAAQ,eAAewB,CAAG,uBAAuBO,GAAQ,GAAGC,CAAK,GCrBtGI,IAAc,CAACV,MAAQ;AAChC,MAAIA,IAAM,OAAO,WAAW,MAAM;AAC9B,WAAO;AACX,MAAI;AACA,WAAOA,aAAe;AAAA,EAC1B,QACM;AACF,WAAO;AAAA,EACX;AACJ,GACaW,IAAc,CAACX,MAAQA,IAAM,OAAO,WAAW,MAAM,aACrDY,IAAY,CAACZ,MAAQU,EAAYV,CAAG,KAAKW,EAAYX,CAAG;AChB9D,SAASa,MAAcC,GAAS;AACnC,QAAMC,IAAUD,EAAQ,OAAO,OAAO;AACtC,MAAIC,EAAQ,WAAW,KAAKA,EAAQ,WAAW;AAC3C,WAAO;AAEX,MAAIxD;AACJ,aAAWyD,KAAUD,GAAS;AAC1B,UAAME,IAAa,OAAO,KAAKD,CAAM;AACrC,QAAI,CAACzD,KAAOA,EAAI,SAAS,GAAG;AACxB,MAAAA,IAAM,IAAI,IAAI0D,CAAU;AACxB;AAAA,IACJ;AACA,eAAWC,KAAaD,GAAY;AAChC,UAAI1D,EAAI,IAAI2D,CAAS;AACjB,eAAO;AAEX,MAAA3D,EAAI,IAAI2D,CAAS;AAAA,IACrB;AAAA,EACJ;AACA,SAAO;AACX;ACpBA,MAAMC,KAAe,CAACC,MAAU,OAAOA,KAAU,YAAYA,MAAU;AAChE,SAASC,EAASjD,GAAO;AAC5B,MAAI,CAAC+C,GAAa/C,CAAK,KAAK,OAAO,UAAU,SAAS,KAAKA,CAAK,MAAM;AAClE,WAAO;AAEX,MAAI,OAAO,eAAeA,CAAK,MAAM;AACjC,WAAO;AAEX,MAAIkD,IAAQlD;AACZ,SAAO,OAAO,eAAekD,CAAK,MAAM;AACpC,IAAAA,IAAQ,OAAO,eAAeA,CAAK;AAEvC,SAAO,OAAO,eAAelD,CAAK,MAAMkD;AAC5C;ACbO,SAASC,GAAezB,GAAKE,GAAK;AACrC,MAAIF,EAAI,WAAW,IAAI,KAAKA,EAAI,WAAW,IAAI,GAAG;AAC9C,UAAM,EAAE,eAAA0B,MAAkBxB,EAAI;AAC9B,QAAI,OAAOwB,KAAkB,YAAYA,IAAgB;AACrD,YAAM,IAAI,UAAU,GAAG1B,CAAG,uDAAuD;AAAA,EAEzF;AACJ;ACNA,SAAS2B,GAAcC,GAAK;AACxB,MAAIhC,GACAiC;AACJ,UAAQD,EAAI,KAAG;AAAA,IACX,KAAK,OAAO;AACR,cAAQA,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAMgC,EAAI,IAAG,GAC3BC,IAAYD,EAAI,OAAO,CAAC,MAAM,IAAI,CAAC,QAAQ;AAC3C;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,OAAO;AACR,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,WAAW,MAAM,OAAOgC,EAAI,IAAI,MAAM,EAAE,CAAC,GAAE,GAC/DC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,qBAAqB,MAAM,OAAOgC,EAAI,IAAI,MAAM,EAAE,CAAC,GAAE,GACzEC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY;AAAA,YACR,MAAM;AAAA,YACN,MAAM,OAAO,SAASgC,EAAI,IAAI,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC;AAAA,UACzE,GACoBC,IAAYD,EAAI,IAAI,CAAC,WAAW,WAAW,IAAI,CAAC,WAAW,SAAS;AACpE;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,MAAM;AACP,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,SAAS,YAAY,QAAO,GAChDiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,QAAQ,YAAYgC,EAAI,IAAG,GAC/CC,IAAYD,EAAI,IAAI,CAAC,YAAY,IAAI,CAAA;AACrC;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA,KAAK,OAAO;AACR,cAAQ4C,EAAI,KAAG;AAAA,QACX,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAM,UAAS,GAC7BiC,IAAYD,EAAI,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ;AACxC;AAAA,QACJ,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AAAA,QACL,KAAK;AACD,UAAAhC,IAAY,EAAE,MAAMgC,EAAI,IAAG,GAC3BC,IAAYD,EAAI,IAAI,CAAC,YAAY,IAAI,CAAA;AACrC;AAAA,QACJ;AACI,gBAAM,IAAI5C,EAAiB,8DAA8D;AAAA,MAC7G;AACY;AAAA,IACJ;AAAA,IACA;AACI,YAAM,IAAIA,EAAiB,6DAA6D;AAAA,EACpG;AACI,SAAO,EAAE,WAAAY,GAAW,WAAAiC,EAAS;AACjC;AACO,eAAeC,EAASF,GAAK;AAChC,MAAI,CAACA,EAAI;AACL,UAAM,IAAI,UAAU,0DAA0D;AAElF,QAAM,EAAE,WAAAhC,GAAW,WAAAiC,MAAcF,GAAcC,CAAG,GAC5CG,IAAU,EAAE,GAAGH,EAAG;AACxB,SAAIG,EAAQ,QAAQ,SAChB,OAAOA,EAAQ,KAEnB,OAAOA,EAAQ,KACR,OAAO,OAAO,UAAU,OAAOA,GAASnC,GAAWgC,EAAI,OAAQ,EAAAA,EAAI,KAAKA,EAAI,OAAsBA,EAAI,WAAWC,CAAS;AACrI;ACrFO,eAAeG,GAAUJ,GAAK5B,GAAKvB,GAAS;AAC/C,MAAI,CAAC8C,EAASK,CAAG;AACb,UAAM,IAAI,UAAU,uBAAuB;AAE/C,MAAIK;AAGJ,UAFAjC,MAAQ4B,EAAI,KACZK,MAAgCL,EAAI,KAC5BA,EAAI,KAAG;AAAA,IACX,KAAK;AACD,UAAI,OAAOA,EAAI,KAAM,YAAY,CAACA,EAAI;AAClC,cAAM,IAAI,UAAU,yCAAyC;AAEjE,aAAOM,EAAgBN,EAAI,CAAC;AAAA,IAChC,KAAK;AACD,UAAI,SAASA,KAAOA,EAAI,QAAQ;AAC5B,cAAM,IAAI5C,EAAiB,oEAAoE;AAEnG,aAAO8C,EAAS,EAAE,GAAGF,GAAK,KAAA5B,GAAK,KAAAiC,EAAG,CAAE;AAAA,IACxC,KAAK,OAAO;AACR,UAAI,OAAOL,EAAI,OAAQ,YAAY,CAACA,EAAI;AACpC,cAAM,IAAI,UAAU,2CAA2C;AAEnE,UAAI5B,MAAQ,UAAaA,MAAQ4B,EAAI;AACjC,cAAM,IAAI,UAAU,uCAAuC;AAE/D,aAAOE,EAAS,EAAE,GAAGF,GAAK,KAAAK,EAAG,CAAE;AAAA,IACnC;AAAA,IACA,KAAK;AAAA,IACL,KAAK;AACD,aAAOH,EAAS,EAAE,GAAGF,GAAK,KAAA5B,GAAK,KAAAiC,EAAG,CAAE;AAAA,IACxC;AACI,YAAM,IAAIjD,EAAiB,8CAA8C;AAAA,EACrF;AACA;ACvDO,SAASmD,GAAaC,GAAKC,GAAmBC,GAAkBC,GAAiBC,GAAY;AAChG,MAAIA,EAAW,SAAS,UAAaD,GAAiB,SAAS;AAC3D,UAAM,IAAIH,EAAI,gEAAgE;AAElF,MAAI,CAACG,KAAmBA,EAAgB,SAAS;AAC7C,WAAO,oBAAI,IAAG;AAElB,MAAI,CAAC,MAAM,QAAQA,EAAgB,IAAI,KACnCA,EAAgB,KAAK,WAAW,KAChCA,EAAgB,KAAK,KAAK,CAACjE,MAAU,OAAOA,KAAU,YAAYA,EAAM,WAAW,CAAC;AACpF,UAAM,IAAI8D,EAAI,uFAAuF;AAEzG,MAAIK;AACJ,EAAIH,MAAqB,SACrBG,IAAa,IAAI,IAAI,CAAC,GAAG,OAAO,QAAQH,CAAgB,GAAG,GAAGD,EAAkB,QAAO,CAAE,CAAC,IAG1FI,IAAaJ;AAEjB,aAAWjB,KAAamB,EAAgB,MAAM;AAC1C,QAAI,CAACE,EAAW,IAAIrB,CAAS;AACzB,YAAM,IAAIpC,EAAiB,+BAA+BoC,CAAS,qBAAqB;AAE5F,QAAIoB,EAAWpB,CAAS,MAAM;AAC1B,YAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,cAAc;AAExE,QAAIqB,EAAW,IAAIrB,CAAS,KAAKmB,EAAgBnB,CAAS,MAAM;AAC5D,YAAM,IAAIgB,EAAI,+BAA+BhB,CAAS,+BAA+B;AAAA,EAE7F;AACA,SAAO,IAAI,IAAImB,EAAgB,IAAI;AACvC;AChCO,SAASG,GAAmBC,GAAQC,GAAY;AACnD,MAAIA,MAAe,WACd,CAAC,MAAM,QAAQA,CAAU,KAAKA,EAAW,KAAK,CAACC,MAAM,OAAOA,KAAM,QAAQ;AAC3E,UAAM,IAAI,UAAU,IAAIF,CAAM,sCAAsC;AAExE,MAAKC;AAGL,WAAO,IAAI,IAAIA,CAAU;AAC7B;ACRO,MAAME,IAAQ,CAAC5C,MAAQqB,EAASrB,CAAG,KAAK,OAAOA,EAAI,OAAQ,UACrD6C,KAAe,CAAC7C,MAAQA,EAAI,QAAQ,UAC3CA,EAAI,QAAQ,SAAS,OAAOA,EAAI,QAAS,YAAa,OAAOA,EAAI,KAAM,WAChE8C,KAAc,CAAC9C,MAAQA,EAAI,QAAQ,SAASA,EAAI,MAAM,UAAaA,EAAI,SAAS,QAChF+C,KAAc,CAAC/C,MAAQA,EAAI,QAAQ,SAAS,OAAOA,EAAI,KAAM;ACD1E,IAAIgD;AACJ,MAAMC,IAAY,OAAOjD,GAAK0B,GAAK5B,GAAKoD,IAAS,OAAU;AACvD,EAAAF,MAAU,oBAAI,QAAO;AACrB,MAAIG,IAASH,EAAM,IAAIhD,CAAG;AAC1B,MAAImD,IAASrD,CAAG;AACZ,WAAOqD,EAAOrD,CAAG;AAErB,QAAMsD,IAAY,MAAMxB,EAAS,EAAE,GAAGF,GAAK,KAAA5B,EAAG,CAAE;AAChD,SAAIoD,KACA,OAAO,OAAOlD,CAAG,GAChBmD,IAIDA,EAAOrD,CAAG,IAAIsD,IAHdJ,EAAM,IAAIhD,GAAK,EAAE,CAACF,CAAG,GAAGsD,EAAS,CAAE,GAKhCA;AACX,GACMC,KAAkB,CAACC,GAAWxD,MAAQ;AACxC,EAAAkD,MAAU,oBAAI,QAAO;AACrB,MAAIG,IAASH,EAAM,IAAIM,CAAS;AAChC,MAAIH,IAASrD,CAAG;AACZ,WAAOqD,EAAOrD,CAAG;AAErB,QAAMyD,IAAWD,EAAU,SAAS,UAC9BE,IAAc,EAAAD;AACpB,MAAIH;AACJ,MAAIE,EAAU,sBAAsB,UAAU;AAC1C,YAAQxD,GAAG;AAAA,MACP,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD;AAAA,MACJ;AACI,cAAM,IAAI,UAAU,4DAA4D;AAAA,IAChG;AACQ,IAAAsD,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAaD,IAAW,CAAA,IAAK,CAAC,YAAY,CAAC;AAAA,EAC9G;AACA,MAAID,EAAU,sBAAsB,WAAW;AAC3C,QAAIxD,MAAQ,WAAWA,MAAQ;AAC3B,YAAM,IAAI,UAAU,4DAA4D;AAEpF,IAAAsD,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAa;AAAA,MACxED,IAAW,WAAW;AAAA,IAClC,CAAS;AAAA,EACL;AACA,UAAQD,EAAU,mBAAiB;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK,aAAa;AACd,UAAIxD,MAAQwD,EAAU,kBAAkB,YAAW;AAC/C,cAAM,IAAI,UAAU,4DAA4D;AAEpF,MAAAF,IAAYE,EAAU,YAAYA,EAAU,mBAAmBE,GAAa;AAAA,QACxED,IAAW,WAAW;AAAA,MACtC,CAAa;AAAA,IACL;AAAA,EACR;AACI,MAAID,EAAU,sBAAsB,OAAO;AACvC,QAAI1D;AACJ,YAAQE,GAAG;AAAA,MACP,KAAK;AACD,QAAAF,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAO;AACP;AAAA,MACJ;AACI,cAAM,IAAI,UAAU,4DAA4D;AAAA,IAChG;AACQ,QAAIE,EAAI,WAAW,UAAU;AACzB,aAAOwD,EAAU,YAAY;AAAA,QACzB,MAAM;AAAA,QACN,MAAA1D;AAAA,MAChB,GAAe4D,GAAaD,IAAW,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC;AAExD,IAAAH,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAMxD,EAAI,WAAW,IAAI,IAAI,YAAY;AAAA,MACzC,MAAAF;AAAA,IACZ,GAAW4D,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC;AAAA,EAClD;AACA,MAAID,EAAU,sBAAsB,MAAM;AAMtC,UAAMG,KALO,oBAAI,IAAI;AAAA,MACjB,CAAC,cAAc,OAAO;AAAA,MACtB,CAAC,aAAa,OAAO;AAAA,MACrB,CAAC,aAAa,OAAO;AAAA,IACjC,CAAS,GACuB,IAAIH,EAAU,sBAAsB,UAAU;AACtE,QAAI,CAACG;AACD,YAAM,IAAI,UAAU,4DAA4D;AAEpF,IAAI3D,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,MAAQ,WAAW2D,MAAe,YAClCL,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAa,CAACD,IAAW,WAAW,MAAM,CAAC,IAE9CzD,EAAI,WAAW,SAAS,MACxBsD,IAAYE,EAAU,YAAY;AAAA,MAC9B,MAAM;AAAA,MACN,YAAAG;AAAA,IAChB,GAAeD,GAAaD,IAAW,KAAK,CAAC,YAAY,CAAC;AAAA,EAEtD;AACA,MAAI,CAACH;AACD,UAAM,IAAI,UAAU,4DAA4D;AAEpF,SAAKD,IAIDA,EAAOrD,CAAG,IAAIsD,IAHdJ,EAAM,IAAIM,GAAW,EAAE,CAACxD,CAAG,GAAGsD,EAAS,CAAE,GAKtCA;AACX;AACO,eAAeM,GAAa1D,GAAKF,GAAK;AAIzC,MAHIE,aAAe,cAGfU,EAAYV,CAAG;AACf,WAAOA;AAEX,MAAIW,EAAYX,CAAG,GAAG;AAClB,QAAIA,EAAI,SAAS;AACb,aAAOA,EAAI,OAAM;AAErB,QAAI,iBAAiBA,KAAO,OAAOA,EAAI,eAAgB;AACnD,UAAI;AACA,eAAOqD,GAAgBrD,GAAKF,CAAG;AAAA,MACnC,SACO6D,GAAK;AACR,YAAIA,aAAe;AACf,gBAAMA;AAAA,MAEd;AAEJ,QAAIjC,IAAM1B,EAAI,OAAO,EAAE,QAAQ,MAAK,CAAE;AACtC,WAAOiD,EAAUjD,GAAK0B,GAAK5B,CAAG;AAAA,EAClC;AACA,MAAI8C,EAAM5C,CAAG;AACT,WAAIA,EAAI,IACG7B,EAAO6B,EAAI,CAAC,IAEhBiD,EAAUjD,GAAKA,GAAKF,GAAK,EAAI;AAExC,QAAM,IAAI,MAAM,aAAa;AACjC;AC5KA,MAAM8D,IAAM,CAAC5D,MAAQA,IAAM,OAAO,WAAW,GACvC6D,IAAe,CAAC/D,GAAKE,GAAKC,MAAU;AACtC,MAAID,EAAI,QAAQ,QAAW;AACvB,QAAIG;AACJ,YAAQF,GAAK;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACD,QAAAE,IAAW;AACX;AAAA,MACJ,KAAK;AAAA,MACL,KAAK;AACD,QAAAA,IAAW;AACX;AAAA,IAChB;AACQ,QAAIH,EAAI,QAAQG;AACZ,YAAM,IAAI,UAAU,sDAAsDA,CAAQ,gBAAgB;AAAA,EAE1G;AACA,MAAIH,EAAI,QAAQ,UAAaA,EAAI,QAAQF;AACrC,UAAM,IAAI,UAAU,sDAAsDA,CAAG,gBAAgB;AAEjG,MAAI,MAAM,QAAQE,EAAI,OAAO,GAAG;AAC5B,QAAI8D;AACJ,YAAQ,IAAI;AAAA,MACR,KAAyB7D,MAAU;AAAA,MACnC,KAAKH,MAAQ;AAAA,MACb,KAAKA,EAAI,SAAS,QAAQ;AACtB,QAAAgE,IAAgB7D;AAChB;AAAA,MACJ,KAAKH,EAAI,WAAW,OAAO;AACvB,QAAAgE,IAAgB;AAChB;AAAA,MACJ,KAAK,0BAA0B,KAAKhE,CAAG;AACnC,QAAI,CAACA,EAAI,SAAS,KAAK,KAAKA,EAAI,SAAS,IAAI,IACzCgE,IAAkD,cAGlDA,IAAgB7D;AAEpB;AAAA,MACJ,KAAKA,MAAU;AACX,QAAA6D,IAAgB;AAChB;AAAA,MACJ,KAAK7D,MAAU;AACX,QAAA6D,IAAgBhE,EAAI,WAAW,KAAK,IAAI,cAAc;AACtD;AAAA,IAChB;AACQ,QAAIgE,KAAiB9D,EAAI,SAAS,WAAW8D,CAAa,MAAM;AAC5D,YAAM,IAAI,UAAU,+DAA+DA,CAAa,gBAAgB;AAAA,EAExH;AACA,SAAO;AACX,GACMC,KAAqB,CAACjE,GAAKE,GAAKC,MAAU;AAC5C,MAAI,EAAAD,aAAe,aAEnB;AAAA,QAAIgE,EAAUhE,CAAG,GAAG;AAChB,UAAIiE,GAAgBjE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACpD;AACJ,YAAM,IAAI,UAAU,yHAAyH;AAAA,IACjJ;AACA,QAAI,CAACW,EAAUZ,CAAG;AACd,YAAM,IAAI,UAAUQ,EAAgBV,GAAKE,GAAK,aAAa,aAAa,gBAAgB,YAAY,CAAC;AAEzG,QAAIA,EAAI,SAAS;AACb,YAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,8DAA8D;AAAA;AAErG,GACMkE,KAAsB,CAACpE,GAAKE,GAAKC,MAAU;AAC7C,MAAI+D,EAAUhE,CAAG;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AAAA,MACL,KAAK;AACD,YAAIkE,GAAiBnE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACrD;AACJ,cAAM,IAAI,UAAU,uDAAuD;AAAA,MAC/E,KAAK;AAAA,MACL,KAAK;AACD,YAAImE,GAAgBpE,CAAG,KAAK6D,EAAa/D,GAAKE,GAAKC,CAAK;AACpD;AACJ,cAAM,IAAI,UAAU,sDAAsD;AAAA,IAC1F;AAEI,MAAI,CAACW,EAAUZ,CAAG;AACd,UAAM,IAAI,UAAUQ,EAAgBV,GAAKE,GAAK,aAAa,aAAa,cAAc,CAAC;AAE3F,MAAIA,EAAI,SAAS;AACb,UAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,mEAAmE;AAEtG,MAAIA,EAAI,SAAS;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AACD,cAAM,IAAI,UAAU,GAAG2D,EAAI5D,CAAG,CAAC,uEAAuE;AAAA,MAC1G,KAAK;AACD,cAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,0EAA0E;AAAA,IACzH;AAEI,MAAIA,EAAI,SAAS;AACb,YAAQC,GAAK;AAAA,MACT,KAAK;AACD,cAAM,IAAI,UAAU,GAAG2D,EAAI5D,CAAG,CAAC,wEAAwE;AAAA,MAC3G,KAAK;AACD,cAAM,IAAI,UAAU,GAAG4D,EAAI5D,CAAG,CAAC,yEAAyE;AAAA,IACxH;AAEA;AACO,SAASqE,GAAavE,GAAKE,GAAKC,GAAO;AAC1C,UAAQH,EAAI,UAAU,GAAG,CAAC,GAAC;AAAA,IACvB,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAiE,GAAmBjE,GAAKE,GAAKC,CAAK;AAClC;AAAA,IACJ;AACI,MAAAiE,GAAoBpE,GAAKE,GAAKC,CAAK;AAAA,EAC/C;AACA;ACxHO,SAASqE,GAAgBxE,GAAKJ,GAAW;AAC5C,QAAME,IAAO,OAAOE,EAAI,MAAM,EAAE,CAAC;AACjC,UAAQA,GAAG;AAAA,IACP,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAF,GAAM,MAAM,OAAM;AAAA,IAC/B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAA,GAAM,MAAM,WAAW,YAAY,SAASE,EAAI,MAAM,EAAE,GAAG,EAAE,KAAK,EAAC;AAAA,IAChF,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAF,GAAM,MAAM,oBAAmB;AAAA,IAC5C,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAAA,GAAM,MAAM,SAAS,YAAYF,EAAU,WAAU;AAAA,IAClE,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAM,UAAS;AAAA,IAC5B,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,aAAO,EAAE,MAAMI,EAAG;AAAA,IACtB;AACI,YAAM,IAAIhB,EAAiB,OAAOgB,CAAG,6DAA6D;AAAA,EAC9G;AACA;AC5BO,eAAeyE,GAAUzE,GAAKE,GAAKC,GAAO;AAC7C,MAAID,aAAe,YAAY;AAC3B,QAAI,CAACF,EAAI,WAAW,IAAI;AACpB,YAAM,IAAI,UAAUU,GAAgBR,GAAK,aAAa,aAAa,cAAc,CAAC;AAEtF,WAAO,OAAO,OAAO,UAAU,OAAOA,GAAK,EAAE,MAAM,OAAOF,EAAI,MAAM,EAAE,CAAC,IAAI,MAAM,OAAM,GAAI,IAAO,CAACG,CAAK,CAAC;AAAA,EAC7G;AACA,SAAAC,GAAkBF,GAAKF,GAAKG,CAAK,GAC1BD;AACX;ACRO,eAAewE,GAAO1E,GAAKE,GAAKyE,GAAWC,GAAM;AACpD,QAAMtB,IAAY,MAAMmB,GAAUzE,GAAKE,GAAK,QAAQ;AACpD,EAAAuB,GAAezB,GAAKsD,CAAS;AAC7B,QAAM1D,IAAY4E,GAAgBxE,GAAKsD,EAAU,SAAS;AAC1D,MAAI;AACA,WAAO,MAAM,OAAO,OAAO,OAAO1D,GAAW0D,GAAWqB,GAAWC,CAAI;AAAA,EAC3E,QACM;AACF,WAAO;AAAA,EACX;AACJ;ACHO,eAAeC,GAAgBC,GAAK5E,GAAKzB,GAAS;AACrD,MAAI,CAAC8C,EAASuD,CAAG;AACb,UAAM,IAAI7F,EAAW,iCAAiC;AAE1D,MAAI6F,EAAI,cAAc,UAAaA,EAAI,WAAW;AAC9C,UAAM,IAAI7F,EAAW,uEAAuE;AAEhG,MAAI6F,EAAI,cAAc,UAAa,OAAOA,EAAI,aAAc;AACxD,UAAM,IAAI7F,EAAW,qCAAqC;AAE9D,MAAI6F,EAAI,YAAY;AAChB,UAAM,IAAI7F,EAAW,qBAAqB;AAE9C,MAAI,OAAO6F,EAAI,aAAc;AACzB,UAAM,IAAI7F,EAAW,yCAAyC;AAElE,MAAI6F,EAAI,WAAW,UAAa,CAACvD,EAASuD,EAAI,MAAM;AAChD,UAAM,IAAI7F,EAAW,uCAAuC;AAEhE,MAAI8F,IAAa,CAAA;AACjB,MAAID,EAAI;AACJ,QAAI;AACA,YAAMvC,KAAkByC,EAAKF,EAAI,SAAS;AAC1C,MAAAC,IAAa,KAAK,MAAM1H,EAAQ,OAAOkF,EAAe,CAAC;AAAA,IAC3D,QACM;AACF,YAAM,IAAItD,EAAW,iCAAiC;AAAA,IAC1D;AAEJ,MAAI,CAAC8B,GAAWgE,GAAYD,EAAI,MAAM;AAClC,UAAM,IAAI7F,EAAW,2EAA2E;AAEpG,QAAMuD,IAAa;AAAA,IACf,GAAGuC;AAAA,IACH,GAAGD,EAAI;AAAA,EACf,GACUG,IAAa9C,GAAalD,GAAY,oBAAI,IAAI,CAAC,CAAC,OAAO,EAAI,CAAC,CAAC,GAAGR,GAAS,MAAMsG,GAAYvC,CAAU;AAC3G,MAAI0C,IAAM;AACV,MAAID,EAAW,IAAI,KAAK,MACpBC,IAAMH,EAAW,KACb,OAAOG,KAAQ;AACf,UAAM,IAAIjG,EAAW,yEAAyE;AAGtG,QAAM,EAAE,KAAAe,EAAG,IAAKwC;AAChB,MAAI,OAAOxC,KAAQ,YAAY,CAACA;AAC5B,UAAM,IAAIf,EAAW,2DAA2D;AAEpF,QAAM2D,IAAanE,KAAWiE,GAAmB,cAAcjE,EAAQ,UAAU;AACjF,MAAImE,KAAc,CAACA,EAAW,IAAI5C,CAAG;AACjC,UAAM,IAAIjB,GAAkB,sDAAsD;AAEtF,MAAImG;AACA,QAAI,OAAOJ,EAAI,WAAY;AACvB,YAAM,IAAI7F,EAAW,8BAA8B;AAAA,aAGlD,OAAO6F,EAAI,WAAY,YAAY,EAAEA,EAAI,mBAAmB;AACjE,UAAM,IAAI7F,EAAW,wDAAwD;AAEjF,MAAIkG,IAAc;AAClB,EAAI,OAAOjF,KAAQ,eACfA,IAAM,MAAMA,EAAI6E,GAAYD,CAAG,GAC/BK,IAAc,KAElBZ,GAAavE,GAAKE,GAAK,QAAQ;AAC/B,QAAM0E,IAAOtH,GAAOwH,EAAI,cAAc,SAAYhH,EAAOgH,EAAI,SAAS,IAAI,IAAI,WAAU,GAAIhH,EAAO,GAAG,GAAG,OAAOgH,EAAI,WAAY,WAC1HI,IACIpH,EAAOgH,EAAI,OAAO,IAClB1H,EAAQ,OAAO0H,EAAI,OAAO,IAC9BA,EAAI,OAAO;AACjB,MAAIH;AACJ,MAAI;AACA,IAAAA,IAAYK,EAAKF,EAAI,SAAS;AAAA,EAClC,QACM;AACF,UAAM,IAAI7F,EAAW,0CAA0C;AAAA,EACnE;AACA,QAAMmG,IAAI,MAAMxB,GAAa1D,GAAKF,CAAG;AAErC,MAAI,CADa,MAAM0E,GAAO1E,GAAKoF,GAAGT,GAAWC,CAAI;AAEjD,UAAM,IAAIrF,GAA8B;AAE5C,MAAIZ;AACJ,MAAIuG;AACA,QAAI;AACA,MAAAvG,IAAUqG,EAAKF,EAAI,OAAO;AAAA,IAC9B,QACM;AACF,YAAM,IAAI7F,EAAW,wCAAwC;AAAA,IACjE;AAAA,MAEC,CAAI,OAAO6F,EAAI,WAAY,WAC5BnG,IAAUvB,EAAQ,OAAO0H,EAAI,OAAO,IAGpCnG,IAAUmG,EAAI;AAElB,QAAMO,IAAS,EAAE,SAAA1G,EAAO;AAOxB,SANImG,EAAI,cAAc,WAClBO,EAAO,kBAAkBN,IAEzBD,EAAI,WAAW,WACfO,EAAO,oBAAoBP,EAAI,SAE/BK,IACO,EAAE,GAAGE,GAAQ,KAAKD,EAAC,IAEvBC;AACX;ACpHO,eAAeC,GAAcR,GAAK5E,GAAKzB,GAAS;AAInD,MAHIqG,aAAe,eACfA,IAAMzH,EAAQ,OAAOyH,CAAG,IAExB,OAAOA,KAAQ;AACf,UAAM,IAAI7F,EAAW,4CAA4C;AAErE,QAAM,EAAE,GAAGsD,GAAiB,GAAG5D,GAAS,GAAGgG,GAAW,QAAAjH,EAAM,IAAKoH,EAAI,MAAM,GAAG;AAC9E,MAAIpH,MAAW;AACX,UAAM,IAAIuB,EAAW,qBAAqB;AAE9C,QAAMsG,IAAW,MAAMV,GAAgB,EAAE,SAAAlG,GAAS,WAAW4D,GAAiB,WAAAoC,EAAS,GAAIzE,GAAKzB,CAAO,GACjG4G,IAAS,EAAE,SAASE,EAAS,SAAS,iBAAiBA,EAAS,gBAAe;AACrF,SAAI,OAAOrF,KAAQ,aACR,EAAE,GAAGmF,GAAQ,KAAKE,EAAS,IAAG,IAElCF;AACX;ACjBA,MAAMG,KAAQ,CAACC,MAAS,KAAK,MAAMA,EAAK,QAAO,IAAK,GAAI,GAClDC,IAAS,IACTC,KAAOD,IAAS,IAChBE,IAAMD,KAAO,IACbE,KAAOD,IAAM,GACbE,KAAOF,IAAM,QACbG,KAAQ;AACP,SAASC,EAAKC,GAAK;AACtB,QAAMC,IAAUH,GAAM,KAAKE,CAAG;AAC9B,MAAI,CAACC,KAAYA,EAAQ,CAAC,KAAKA,EAAQ,CAAC;AACpC,UAAM,IAAI,UAAU,4BAA4B;AAEpD,QAAM5E,IAAQ,WAAW4E,EAAQ,CAAC,CAAC,GAC7BC,IAAOD,EAAQ,CAAC,EAAE,YAAW;AACnC,MAAIE;AACJ,UAAQD,GAAI;AAAA,IACR,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAC,IAAc,KAAK,MAAM9E,CAAK;AAC9B;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAA8E,IAAc,KAAK,MAAM9E,IAAQoE,CAAM;AACvC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAU,IAAc,KAAK,MAAM9E,IAAQqE,EAAI;AACrC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAS,IAAc,KAAK,MAAM9E,IAAQsE,CAAG;AACpC;AAAA,IACJ,KAAK;AAAA,IACL,KAAK;AAAA,IACL,KAAK;AACD,MAAAQ,IAAc,KAAK,MAAM9E,IAAQuE,EAAI;AACrC;AAAA,IACJ;AACI,MAAAO,IAAc,KAAK,MAAM9E,IAAQwE,EAAI;AACrC;AAAA,EACZ;AACI,SAAII,EAAQ,CAAC,MAAM,OAAOA,EAAQ,CAAC,MAAM,QAC9B,CAACE,IAELA;AACX;AAOA,MAAMC,IAAe,CAAC/E,MACdA,EAAM,SAAS,GAAG,IACXA,EAAM,YAAW,IAErB,eAAeA,EAAM,YAAW,CAAE,IAEvCgF,KAAwB,CAACC,GAAYC,MACnC,OAAOD,KAAe,WACfC,EAAU,SAASD,CAAU,IAEpC,MAAM,QAAQA,CAAU,IACjBC,EAAU,KAAK,IAAI,UAAU,IAAI,KAAK,IAAI,IAAID,CAAU,CAAC,CAAC,IAE9D;AAEJ,SAASE,GAAkBlE,GAAiBmE,GAAgBjI,IAAU,CAAA,GAAI;AAC7E,MAAIE;AACJ,MAAI;AACA,IAAAA,IAAU,KAAK,MAAMtB,EAAQ,OAAOqJ,CAAc,CAAC;AAAA,EACvD,QACM;AAAA,EACN;AACA,MAAI,CAACnF,EAAS5C,CAAO;AACjB,UAAM,IAAIO,EAAW,gDAAgD;AAEzE,QAAM,EAAE,KAAAyH,EAAG,IAAKlI;AAChB,MAAIkI,MACC,OAAOpE,EAAgB,OAAQ,YAC5B8D,EAAa9D,EAAgB,GAAG,MAAM8D,EAAaM,CAAG;AAC1D,UAAM,IAAIjI,EAAyB,qCAAqCC,GAAS,OAAO,cAAc;AAE1G,QAAM,EAAE,gBAAAiI,IAAiB,IAAI,QAAAC,GAAQ,SAAAC,GAAS,UAAAC,GAAU,aAAAC,EAAW,IAAKvI,GAClEwI,IAAgB,CAAC,GAAGL,CAAc;AACxC,EAAII,MAAgB,UAChBC,EAAc,KAAK,KAAK,GACxBF,MAAa,UACbE,EAAc,KAAK,KAAK,GACxBH,MAAY,UACZG,EAAc,KAAK,KAAK,GACxBJ,MAAW,UACXI,EAAc,KAAK,KAAK;AAC5B,aAAWrI,KAAS,IAAI,IAAIqI,EAAc,QAAO,CAAE;AAC/C,QAAI,EAAErI,KAASD;AACX,YAAM,IAAID,EAAyB,qBAAqBE,CAAK,WAAWD,GAASC,GAAO,SAAS;AAGzG,MAAIiI,KACA,EAAE,MAAM,QAAQA,CAAM,IAAIA,IAAS,CAACA,CAAM,GAAG,SAASlI,EAAQ,GAAG;AACjE,UAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAImI,KAAWnI,EAAQ,QAAQmI;AAC3B,UAAM,IAAIpI,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAIoI,KACA,CAACT,GAAsB3H,EAAQ,KAAK,OAAOoI,KAAa,WAAW,CAACA,CAAQ,IAAIA,CAAQ;AACxF,UAAM,IAAIrI,EAAyB,gCAAgCC,GAAS,OAAO,cAAc;AAErG,MAAIuI;AACJ,UAAQ,OAAOzI,EAAQ,gBAAc;AAAA,IACjC,KAAK;AACD,MAAAyI,IAAYlB,EAAKvH,EAAQ,cAAc;AACvC;AAAA,IACJ,KAAK;AACD,MAAAyI,IAAYzI,EAAQ;AACpB;AAAA,IACJ,KAAK;AACD,MAAAyI,IAAY;AACZ;AAAA,IACJ;AACI,YAAM,IAAI,UAAU,oCAAoC;AAAA,EACpE;AACI,QAAM,EAAE,aAAAC,EAAW,IAAK1I,GAClB2I,IAAM5B,GAAM2B,KAAe,oBAAI,KAAI,CAAE;AAC3C,OAAKxI,EAAQ,QAAQ,UAAaqI,MAAgB,OAAOrI,EAAQ,OAAQ;AACrE,UAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,MAAIA,EAAQ,QAAQ,QAAW;AAC3B,QAAI,OAAOA,EAAQ,OAAQ;AACvB,YAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,QAAIA,EAAQ,MAAMyI,IAAMF;AACpB,YAAM,IAAIxI,EAAyB,sCAAsCC,GAAS,OAAO,cAAc;AAAA,EAE/G;AACA,MAAIA,EAAQ,QAAQ,QAAW;AAC3B,QAAI,OAAOA,EAAQ,OAAQ;AACvB,YAAM,IAAID,EAAyB,gCAAgCC,GAAS,OAAO,SAAS;AAEhG,QAAIA,EAAQ,OAAOyI,IAAMF;AACrB,YAAM,IAAIpI,EAAW,sCAAsCH,GAAS,OAAO,cAAc;AAAA,EAEjG;AACA,MAAIqI,GAAa;AACb,UAAMK,IAAMD,IAAMzI,EAAQ,KACpB2I,IAAM,OAAON,KAAgB,WAAWA,IAAchB,EAAKgB,CAAW;AAC5E,QAAIK,IAAMH,IAAYI;AAClB,YAAM,IAAIxI,EAAW,4DAA4DH,GAAS,OAAO,cAAc;AAEnH,QAAI0I,IAAM,IAAIH;AACV,YAAM,IAAIxI,EAAyB,iEAAiEC,GAAS,OAAO,cAAc;AAAA,EAE1I;AACA,SAAOA;AACX;ACrKO,eAAe4I,GAAUC,GAAKtH,GAAKzB,GAAS;AAC/C,QAAM8G,IAAW,MAAMD,GAAckC,GAAKtH,GAAKzB,CAAO;AACtD,MAAI8G,EAAS,gBAAgB,MAAM,SAAS,KAAK,KAAKA,EAAS,gBAAgB,QAAQ;AACnF,UAAM,IAAIrG,EAAW,qCAAqC;AAG9D,QAAMmG,IAAS,EAAE,SADDoB,GAAkBlB,EAAS,iBAAiBA,EAAS,SAAS9G,CAAO,GAC3D,iBAAiB8G,EAAS,gBAAe;AACnE,SAAI,OAAOrF,KAAQ,aACR,EAAE,GAAGmF,GAAQ,KAAKE,EAAS,IAAG,IAElCF;AACX;ACXA,SAASoC,GAAczH,GAAK;AACxB,UAAQ,OAAOA,KAAQ,YAAYA,EAAI,MAAM,GAAG,CAAC,GAAC;AAAA,IAC9C,KAAK;AAAA,IACL,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX,KAAK;AACD,aAAO;AAAA,IACX;AACI,YAAM,IAAIhB,EAAiB,gDAAgD;AAAA,EACvF;AACA;AACA,SAAS0I,GAAWC,GAAM;AACtB,SAAQA,KACJ,OAAOA,KAAS,YAChB,MAAM,QAAQA,EAAK,IAAI,KACvBA,EAAK,KAAK,MAAMC,EAAS;AACjC;AACA,SAASA,GAAU1H,GAAK;AACpB,SAAOqB,EAASrB,CAAG;AACvB;AACA,MAAM2H,GAAY;AAAA,EACdC;AAAA,EACAC,KAAU,oBAAI,QAAO;AAAA,EACrB,YAAYJ,GAAM;AACd,QAAI,CAACD,GAAWC,CAAI;AAChB,YAAM,IAAIxI,EAAY,4BAA4B;AAEtD,SAAK2I,KAAQ,gBAAgBH,CAAI;AAAA,EACrC;AAAA,EACA,OAAO;AACH,WAAO,KAAKG;AAAA,EAChB;AAAA,EACA,MAAM,OAAOvF,GAAiByF,GAAO;AACjC,UAAM,EAAE,KAAAhI,GAAK,KAAAiI,EAAG,IAAK,EAAE,GAAG1F,GAAiB,GAAGyF,GAAO,OAAM,GACrDE,IAAMT,GAAczH,CAAG,GACvBmI,IAAa,KAAKL,GAAM,KAAK,OAAO,CAAClG,MAAQ;AAC/C,UAAIwG,IAAYF,MAAQtG,EAAI;AAa5B,UAZIwG,KAAa,OAAOH,KAAQ,aAC5BG,IAAYH,MAAQrG,EAAI,MAExBwG,MAAc,OAAOxG,EAAI,OAAQ,YAAYsG,MAAQ,WACrDE,IAAYpI,MAAQ4B,EAAI,MAExBwG,KAAa,OAAOxG,EAAI,OAAQ,aAChCwG,IAAYxG,EAAI,QAAQ,QAExBwG,KAAa,MAAM,QAAQxG,EAAI,OAAO,MACtCwG,IAAYxG,EAAI,QAAQ,SAAS,QAAQ,IAEzCwG;AACA,gBAAQpI,GAAG;AAAA,UACP,KAAK;AACD,YAAAoI,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,UACJ,KAAK;AAAA,UACL,KAAK;AACD,YAAAwG,IAAYxG,EAAI,QAAQ;AACxB;AAAA,QACxB;AAEY,aAAOwG;AAAA,IACX,CAAC,GACK,EAAE,GAAGxG,GAAK,QAAAlE,EAAM,IAAKyK;AAC3B,QAAIzK,MAAW;AACX,YAAM,IAAI0B,EAAiB;AAE/B,QAAI1B,MAAW,GAAG;AACd,YAAM2K,IAAQ,IAAIhJ,GAAwB,GACpCiJ,IAAU,KAAKP;AACrB,YAAAM,EAAM,OAAO,aAAa,IAAI,mBAAmB;AAC7C,mBAAWzG,KAAOuG;AACd,cAAI;AACA,kBAAM,MAAMI,EAAmBD,GAAS1G,GAAK5B,CAAG;AAAA,UACpD,QACM;AAAA,UAAE;AAAA,MAEhB,GACMqI;AAAA,IACV;AACA,WAAOE,EAAmB,KAAKR,IAASnG,GAAK5B,CAAG;AAAA,EACpD;AACJ;AACA,eAAeuI,EAAmBrF,GAAOtB,GAAK5B,GAAK;AAC/C,QAAMqD,IAASH,EAAM,IAAItB,CAAG,KAAKsB,EAAM,IAAItB,GAAK,CAAA,CAAE,EAAE,IAAIA,CAAG;AAC3D,MAAIyB,EAAOrD,CAAG,MAAM,QAAW;AAC3B,UAAME,IAAM,MAAM8B,GAAU,EAAE,GAAGJ,GAAK,KAAK,GAAI,GAAI5B,CAAG;AACtD,QAAIE,aAAe,cAAcA,EAAI,SAAS;AAC1C,YAAM,IAAIf,EAAY,8CAA8C;AAExE,IAAAkE,EAAOrD,CAAG,IAAIE;AAAA,EAClB;AACA,SAAOmD,EAAOrD,CAAG;AACrB;AACO,SAASwI,EAAkBb,GAAM;AACpC,QAAMc,IAAM,IAAIZ,GAAYF,CAAI,GAC1Be,IAAc,OAAOnG,GAAiByF,MAAUS,EAAI,OAAOlG,GAAiByF,CAAK;AACvF,gBAAO,iBAAiBU,GAAa;AAAA,IACjC,MAAM;AAAA,MACF,OAAO,MAAM,gBAAgBD,EAAI,KAAI,CAAE;AAAA,MACvC,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,EACA,CAAK,GACMC;AACX;ACnHA,SAASC,KAAsB;AAC3B,SAAQ,OAAO,gBAAkB,OAC5B,OAAO,YAAc,OAAe,UAAU,cAAc,wBAC5D,OAAO,cAAgB,OAAe,gBAAgB;AAC/D;AACA,IAAIC;AAAA,CACA,OAAO,YAAc,OAAe,CAAC,UAAU,WAAW,aAAa,cAAc,OAGrFA,IAAa;AAEV,MAAMC,KAAc,uBAAM;AACjC,eAAeC,GAAUC,GAAK/H,GAASgI,GAAQC,IAAY,OAAO;AAC9D,QAAMC,IAAW,MAAMD,EAAUF,GAAK;AAAA,IAClC,QAAQ;AAAA,IACR,QAAAC;AAAA,IACA,UAAU;AAAA,IACV,SAAAhI;AAAA,EACR,CAAK,EAAE,MAAM,CAAC6C,MAAQ;AACd,UAAIA,EAAI,SAAS,iBACP,IAAIvE,GAAW,IAEnBuE;AAAA,EACV,CAAC;AACD,MAAIqF,EAAS,WAAW;AACpB,UAAM,IAAI3K,EAAU,yDAAyD;AAEjF,MAAI;AACA,WAAO,MAAM2K,EAAS,KAAI;AAAA,EAC9B,QACM;AACF,UAAM,IAAI3K,EAAU,4DAA4D;AAAA,EACpF;AACJ;AACO,MAAM4K,IAAY,uBAAM;AAC/B,SAASC,GAAiB9K,GAAO+K,GAAa;AAO1C,SANI,SAAO/K,KAAU,YAAYA,MAAU,QAGvC,EAAE,SAASA,MAAU,OAAOA,EAAM,OAAQ,YAAY,KAAK,IAAG,IAAKA,EAAM,OAAO+K,KAGhF,EAAE,UAAU/K,MACZ,CAACiD,EAASjD,EAAM,IAAI,KACpB,CAAC,MAAM,QAAQA,EAAM,KAAK,IAAI,KAC9B,CAAC,MAAM,UAAU,MAAM,KAAKA,EAAM,KAAK,MAAMiD,CAAQ;AAI7D;AACA,MAAM+H,GAAa;AAAA,EACfC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACAC;AAAA,EACA,YAAYjB,GAAKtK,GAAS;AACtB,QAAI,EAAEsK,aAAe;AACjB,YAAM,IAAI,UAAU,gCAAgC;AAExD,SAAKQ,KAAO,IAAI,IAAIR,EAAI,IAAI,GAC5B,KAAKS,KACD,OAAO/K,GAAS,mBAAoB,WAAWA,GAAS,kBAAkB,KAC9E,KAAKgL,KACD,OAAOhL,GAAS,oBAAqB,WAAWA,GAAS,mBAAmB,KAChF,KAAKiL,KAAe,OAAOjL,GAAS,eAAgB,WAAWA,GAAS,cAAc,KACtF,KAAKoL,KAAW,IAAI,QAAQpL,GAAS,OAAO,GACxCmK,KAAc,CAAC,KAAKiB,GAAS,IAAI,YAAY,KAC7C,KAAKA,GAAS,IAAI,cAAcjB,CAAU,GAEzC,KAAKiB,GAAS,IAAI,QAAQ,MAC3B,KAAKA,GAAS,IAAI,UAAU,kBAAkB,GAC9C,KAAKA,GAAS,OAAO,UAAU,0BAA0B,IAE7D,KAAKC,KAAerL,IAAUoK,EAAW,GACrCpK,IAAU0K,CAAS,MAAM,WACzB,KAAKa,KAASvL,IAAU0K,CAAS,GAC7BC,GAAiB3K,IAAU0K,CAAS,GAAG,KAAKO,EAAY,MACxD,KAAKC,KAAiB,KAAKK,GAAO,KAClC,KAAKD,KAASvB,EAAkB,KAAKwB,GAAO,IAAI;AAAA,EAG5D;AAAA,EACA,eAAe;AACX,WAAO,CAAC,CAAC,KAAKJ;AAAA,EAClB;AAAA,EACA,cAAc;AACV,WAAO,OAAO,KAAKD,MAAmB,WAChC,KAAK,IAAG,IAAK,KAAKA,KAAiB,KAAKF,KACxC;AAAA,EACV;AAAA,EACA,QAAQ;AACJ,WAAO,OAAO,KAAKE,MAAmB,WAChC,KAAK,IAAG,IAAK,KAAKA,KAAiB,KAAKD,KACxC;AAAA,EACV;AAAA,EACA,OAAO;AACH,WAAO,KAAKK,IAAQ,KAAI;AAAA,EAC5B;AAAA,EACA,MAAM,OAAOxH,GAAiByF,GAAO;AACjC,KAAI,CAAC,KAAK+B,MAAU,CAAC,KAAK,MAAK,MAC3B,MAAM,KAAK,OAAM;AAErB,QAAI;AACA,aAAO,MAAM,KAAKA,GAAOxH,GAAiByF,CAAK;AAAA,IACnD,SACOnE,GAAK;AACR,UAAIA,aAAezE,KACX,KAAK,YAAW,MAAO;AACvB,qBAAM,KAAK,OAAM,GACV,KAAK2K,GAAOxH,GAAiByF,CAAK;AAGjD,YAAMnE;AAAA,IACV;AAAA,EACJ;AAAA,EACA,MAAM,SAAS;AACX,IAAI,KAAK+F,MAAiBjB,SACtB,KAAKiB,KAAgB,SAEzB,KAAKA,OAAkBd,GAAU,KAAKS,GAAK,MAAM,KAAKM,IAAU,YAAY,QAAQ,KAAKL,EAAgB,GAAG,KAAKM,EAAY,EACxH,KAAK,CAACG,MAAS;AAChB,WAAKF,KAASvB,EAAkByB,CAAI,GAChC,KAAKD,OACL,KAAKA,GAAO,MAAM,KAAK,IAAG,GAC1B,KAAKA,GAAO,OAAOC,IAEvB,KAAKN,KAAiB,KAAK,IAAG,GAC9B,KAAKC,KAAgB;AAAA,IACzB,CAAC,EACI,MAAM,CAAC/F,MAAQ;AAChB,iBAAK+F,KAAgB,QACf/F;AAAA,IACV,CAAC,GACD,MAAM,KAAK+F;AAAA,EACf;AACJ;AACO,SAASM,GAAmBnB,GAAKtK,GAAS;AAC7C,QAAMgK,IAAM,IAAIa,GAAaP,GAAKtK,CAAO,GACnC0L,IAAe,OAAO5H,GAAiByF,MAAUS,EAAI,OAAOlG,GAAiByF,CAAK;AACxF,gBAAO,iBAAiBmC,GAAc;AAAA,IAClC,aAAa;AAAA,MACT,KAAK,MAAM1B,EAAI,YAAW;AAAA,MAC1B,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,OAAO;AAAA,MACH,KAAK,MAAMA,EAAI,MAAK;AAAA,MACpB,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,QAAQ;AAAA,MACJ,OAAO,MAAMA,EAAI,OAAM;AAAA,MACvB,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,IACQ,WAAW;AAAA,MACP,KAAK,MAAMA,EAAI,aAAY;AAAA,MAC3B,YAAY;AAAA,MACZ,cAAc;AAAA,IAC1B;AAAA,IACQ,MAAM;AAAA,MACF,OAAO,MAAMA,EAAI,KAAI;AAAA,MACrB,YAAY;AAAA,MACZ,cAAc;AAAA,MACd,UAAU;AAAA,IACtB;AAAA,EACA,CAAK,GACM0B;AACX;AC1KO,MAAMC,KAAiBA,CAACC,MAA4CC,EAAAA,EACtEC,OAAO,OAAO;AAAA,EAAEC,MAAAA;AAAAA,EAAMC,SAAAA;AAAQ,MAAM;AACjC,QAAMC,IAAcD,EAAQzJ,QAAQ2J,IAAI,eAAe;AAEvD,MAAI,CAACD,GAAaE,WAAW,SAAS,EAClC,OAAM,IAAIC,MAAM,oEAAoE;AAExF,QAAMC,IAAe,MAAMC,GAAYL,EAAYM,UAAU,CAAC,CAAC,GAEzDC,IAAa;AAAA,IACfC,IAAIJ,EAAaK;AAAAA,IACjB1L,MAAMqL,EAAarL,KAAK2L,MAAM,GAAG,EAAE,CAAC;AAAA,IACpCC,OAAOP,EAAaQ,mBAAmBC,YAAAA;AAAAA,IACvCC,QAAQV,EAAaU,UAAU,CAAA;AAAA,IAC/BC,YAAYX,EAAaW,cAAc;AAAA,IACvCC,YAAYZ,EAAaY,cAAc;AAAA,IACvCC,eAAeA,CAACtB,MACUuB,GAAYvB,CAAa,EAC1BwB,KAAKzG,CAAAA,OAAM0F,EAAaU,UAAU,CAAA,GAAIM,SAAS1G,CAAC,CAAC;AAAA,EAC1E;AAGJ,MAAI,CAAC6F,EAAKU,cAActB,CAAa,EACjC,OAAM,IAAIQ,MAAM,mBAAmBI,EAAKxL,IAAI,4CAA4C;AAE5F,SAAO+K,EAAK;AAAA,IAAEuB,SAAS;AAAA,MAAEd,MAAAA;AAAAA,IAAAA;AAAAA,EAAK,CAAG;AACrC,CAAC,GAEQe,KAAgCA,CAACC,MAAyC3B,EAAiB;AAAA,EAAE4B,MAAM;AAAW,CAAC,EACvHC,OAAO,OAAO;AAAA,EAAE3B,MAAAA;AAAK,MAAM;AACxB,QAAME,IAAc,MAAM0B,GAAeH,CAAQ;AACjD,SAAOzB,EAAK;AAAA,IACRxJ,SAAS;AAAA,MACLqL,eAAe,UAAU3B,CAAW;AAAA,IAAA;AAAA,EACxC,CACH;AACL,CAAC;AAEL,eAAeK,GAAY/C,GAAsC;AAC7D,QAAM;AAAA,IAAErJ,SAAAA;AAAAA,EAAAA,IAAY,MAAM2N,GAAetE,GAAOuE,MAAW;AAAA,IACvD1F,QAAQ,qCAAqC2F,EAAUC,oBAAoB;AAAA,IAC3E1F,UAAUyF,EAAUE;AAAAA,EAAAA,CACvB;AACD,SAAO/N;AACX;AAEA,IAAIwK,IAA+D;AAEnE,SAASoD,KAAU;AACfpD,SAAAA,MAAcmD,GAAwB,IAAIK,IAAI,qCAAqCC,QAAQC,IAAIC,eAAe,sBAAsB,CAAC,GAC9H3D;AACX;","x_google_ignoreList":[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25]}
|