xypriss 2.3.7 → 3.1.0

package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js

@@ -0,0 +1,465 @@
+'use strict';
+
+var Logger = require('../../../../shared/logger/Logger.js');
+var crypto = require('crypto');
+
+function _interopNamespaceDefault(e) {
+    var n = Object.create(null);
+    if (e) {
+        Object.keys(e).forEach(function (k) {
+            if (k !== 'default') {
+                var d = Object.getOwnPropertyDescriptor(e, k);
+                Object.defineProperty(n, k, d.get ? d : {
+                    enumerable: true,
+                    get: function () { return e[k]; }
+                });
+            }
+        });
+    }
+    n.default = e;
+    return Object.freeze(n);
+}
+
+var crypto__namespace = /*#__PURE__*/_interopNamespaceDefault(crypto);
+
+/**
+ * XyRS - XyPriss Request Signature Protector
+ * Validates request signatures for API authentication
+ * Uses a predefined header name with developer-configured secret value
+ * Enhanced with robust validation and security measures
+ */
+class RequestSignatureProtector {
+    constructor(options, logger) {
+        this.HEADER_NAME = "XP-Request-Sig";
+        this.failedAttempts = new Map();
+        this.CLEANUP_INTERVAL = 60000; // 1 minute
+        // Strict validation of required secret
+        this.validateSecret(options.secret, options.minSecretLength);
+        this.config = {
+            errorMessage: "Invalid or missing request signature",
+            statusCode: 401,
+            debug: false,
+            caseSensitive: true,
+            trimValue: true,
+            maxHeaderLength: 512,
+            maxFailedAttempts: 5,
+            blockDuration: 15 * 60 * 1000, // 15 minutes
+            minSecretLength: 32,
+            timingSafeComparison: true,
+            rejectSuspiciousPatterns: true,
+            ...options,
+        };
+        // Store hashed version of secret for additional security
+        this.SECRET_HASH = this.hashSecret(this.config.secret);
+        // Initialize logger
+        this.logger =
+            logger ||
+                new Logger.Logger({
+                    enabled: true,
+                    level: "debug",
+                    components: { security: true },
+                    types: { debug: true },
+                });
+        // Start cleanup timer for failed attempts tracking
+        this.startCleanupTimer();
+        this.logSecurityEvent("info", "XyRS initialized with strict validation");
+    }
+    /**
+     * Get the request signature middleware function
+     */
+    getMiddleware() {
+        return (req, res, next) => {
+            this.handleRequest(req, res, next);
+        };
+    }
+    /**
+     * Handle incoming request and validate signature
+     */
+    handleRequest(req, res, next) {
+        const clientId = this.extractClientIdentifier(req);
+        // Check if client is currently blocked
+        if (this.isClientBlocked(clientId)) {
+            return this.blockRequest(res, "RATE_LIMITED", "Too many failed authentication attempts. Temporarily blocked.", clientId);
+        }
+        if (this.config.debug) {
+            this.logger.debug("security", "XyRS validating request signature");
+        }
+        // Strict header extraction
+        const signature = this.extractSignatureHeader(req);
+        if (signature === null) {
+            this.recordFailedAttempt(clientId);
+            return this.blockRequest(res, "MISSING_SIGNATURE", `Required header '${this.HEADER_NAME}' is missing or malformed`, clientId);
+        }
+        // Length validation to prevent DoS
+        if (!this.validateHeaderLength(signature)) {
+            this.recordFailedAttempt(clientId);
+            return this.blockRequest(res, "INVALID_HEADER_LENGTH", `Header value exceeds maximum allowed length`, clientId);
+        }
+        // Suspicious pattern detection
+        if (this.config.rejectSuspiciousPatterns &&
+            this.containsSuspiciousPatterns(signature)) {
+            this.recordFailedAttempt(clientId);
+            return this.blockRequest(res, "SUSPICIOUS_PATTERN", `Header contains suspicious or malicious patterns`, clientId);
+        }
+        // Process signature value
+        const processedSignature = this.processSignatureValue(signature);
+        const expectedSignature = this.processSignatureValue(this.config.secret);
+        // Validate signature with timing-safe comparison
+        const isValid = this.compareSignatures(processedSignature, expectedSignature);
+        if (!isValid) {
+            this.recordFailedAttempt(clientId);
+            this.logSecurityEvent("warning", "Invalid signature attempt", {
+                clientId,
+                signatureLength: signature.length,
+            });
+            return this.blockRequest(res, "INVALID_SIGNATURE", `Header '${this.HEADER_NAME}' value does not match expected signature`, clientId);
+        }
+        // Signature is valid - clear any failed attempts
+        this.clearFailedAttempts(clientId);
+        if (this.config.debug) {
+            this.logger.debug("security", "XyRS signature validation passed");
+        }
+        next();
+    }
+    /**
+     * Extract client identifier for rate limiting (IP-based)
+     */
+    extractClientIdentifier(req) {
+        // Try multiple methods to get real IP
+        const ip = req.ip ||
+            req.headers["x-forwarded-for"]?.split(",")[0]?.trim() ||
+            req.headers["x-real-ip"] ||
+            req.connection?.remoteAddress ||
+            req.socket?.remoteAddress ||
+            "unknown";
+        return this.sanitizeClientId(ip);
+    }
+    /**
+     * Sanitize client identifier
+     */
+    sanitizeClientId(clientId) {
+        // Remove IPv6 prefix if present
+        let sanitized = clientId.replace(/^::ffff:/, "");
+        // Keep only alphanumeric, dots, colons, and hyphens
+        sanitized = sanitized.replace(/[^a-zA-Z0-9.:_-]/g, "");
+        return sanitized || "unknown";
+    }
+    /**
+     * Strictly extract signature header with no fallbacks
+     */
+    extractSignatureHeader(req) {
+        if (!req.headers || typeof req.headers !== "object") {
+            return null;
+        }
+        // Only check lowercase version (standard HTTP header convention)
+        const headerKey = this.HEADER_NAME.toLowerCase();
+        const signature = req.headers[headerKey];
+        // Strict type checking
+        if (typeof signature !== "string") {
+            return null;
+        }
+        // Reject empty or whitespace-only headers
+        if (signature.length === 0 || /^\s*$/.test(signature)) {
+            return null;
+        }
+        return signature;
+    }
+    /**
+     * Validate header length to prevent DoS attacks
+     */
+    validateHeaderLength(signature) {
+        return (signature.length > 0 &&
+            signature.length <= (this.config.maxHeaderLength || 512));
+    }
+    /**
+     * Detect suspicious patterns in header value
+     */
+    containsSuspiciousPatterns(signature) {
+        // Check for common attack patterns
+        const suspiciousPatterns = [
+            /[<>\"'`]/g, // HTML/Script injection characters
+            /\.\./g, // Path traversal
+            /[\x00-\x08\x0B\x0C\x0E-\x1F]/g, // Control characters
+            /\${.*}/g, // Template injection
+            /\|\||&&/g, // Command injection
+            /(\r\n|\n|\r)/g, // CRLF injection
+        ];
+        return suspiciousPatterns.some((pattern) => pattern.test(signature));
+    }
+    /**
+     * Process signature value based on configuration
+     */
+    processSignatureValue(value) {
+        return this.config.trimValue ? value.trim() : value;
+    }
+    /**
+     * Compare signatures with optional timing-safe comparison
+     */
+    compareSignatures(received, expected) {
+        // Always check lengths first (fast rejection)
+        if (received.length !== expected.length) {
+            return false;
+        }
+        if (this.config.timingSafeComparison) {
+            return this.timingSafeEqual(received, expected);
+        }
+        // Standard comparison
+        return this.config.caseSensitive
+            ? received === expected
+            : received.toLowerCase() === expected.toLowerCase();
+    }
+    /**
+     * Timing-safe string comparison to prevent timing attacks
+     */
+    timingSafeEqual(a, b) {
+        // Convert to buffers for timing-safe comparison
+        const bufA = Buffer.from(this.config.caseSensitive ? a : a.toLowerCase());
+        const bufB = Buffer.from(this.config.caseSensitive ? b : b.toLowerCase());
+        if (bufA.length !== bufB.length) {
+            return false;
+        }
+        try {
+            return crypto__namespace.timingSafeEqual(bufA, bufB);
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Check if client is currently blocked due to failed attempts
+     */
+    isClientBlocked(clientId) {
+        const attempt = this.failedAttempts.get(clientId);
+        if (!attempt || !attempt.blockedUntil) {
+            return false;
+        }
+        const now = Date.now();
+        if (now >= attempt.blockedUntil) {
+            // Block period expired
+            this.failedAttempts.delete(clientId);
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Record failed authentication attempt
+     */
+    recordFailedAttempt(clientId) {
+        const now = Date.now();
+        const attempt = this.failedAttempts.get(clientId) || {
+            count: 0,
+            blockedUntil: null,
+            lastAttempt: now,
+        };
+        attempt.count += 1;
+        attempt.lastAttempt = now;
+        // Block if threshold exceeded
+        if (attempt.count >= (this.config.maxFailedAttempts || 5)) {
+            attempt.blockedUntil = now + (this.config.blockDuration || 900000);
+            this.logSecurityEvent("warning", "Client blocked due to failed attempts", {
+                clientId,
+                attempts: attempt.count,
+                blockedUntil: new Date(attempt.blockedUntil).toISOString(),
+            });
+        }
+        this.failedAttempts.set(clientId, attempt);
+    }
+    /**
+     * Clear failed attempts for a client
+     */
+    clearFailedAttempts(clientId) {
+        this.failedAttempts.delete(clientId);
+    }
+    /**
+     * Validate secret meets security requirements
+     */
+    validateSecret(secret, minLength) {
+        const minLen = minLength || 32;
+        if (!secret || typeof secret !== "string") {
+            throw new Error("RequestSignatureProtector: secret is required and must be a string");
+        }
+        const trimmedSecret = secret.trim();
+        if (trimmedSecret.length === 0) {
+            throw new Error("RequestSignatureProtector: secret cannot be empty or whitespace-only");
+        }
+        if (trimmedSecret.length < minLen) {
+            throw new Error(`RequestSignatureProtector: secret must be at least ${minLen} characters long (current: ${trimmedSecret.length})`);
+        }
+        // Check for weak secrets
+        if (this.isWeakSecret(trimmedSecret)) {
+            throw new Error("RequestSignatureProtector: secret appears to be weak. Use a cryptographically strong random value.");
+        }
+    }
+    /**
+     * Detect weak/predictable secrets
+     */
+    isWeakSecret(secret) {
+        const weakPatterns = [
+            /^[0-9]+$/, // Only numbers
+            /^[a-zA-Z]+$/, // Only letters
+            /^(.)\1+$/, // Repeated character
+            /^(123|abc|password|secret|key|test|demo|admin)/i, // Common words
+            /^[a-f0-9]{32}$/i, // Looks like MD5 (weak)
+        ];
+        return weakPatterns.some((pattern) => pattern.test(secret));
+    }
+    /**
+     * Hash secret for internal verification
+     */
+    hashSecret(secret) {
+        return crypto__namespace.createHash("sha256").update(secret).digest("hex");
+    }
+    /**
+     * Start cleanup timer for failed attempts
+     */
+    startCleanupTimer() {
+        this.cleanupTimer = setInterval(() => {
+            this.cleanupExpiredAttempts();
+        }, this.CLEANUP_INTERVAL);
+        // Don't keep process alive for cleanup
+        if (this.cleanupTimer.unref) {
+            this.cleanupTimer.unref();
+        }
+    }
+    /**
+     * Clean up expired failed attempt records
+     */
+    cleanupExpiredAttempts() {
+        const now = Date.now();
+        const expiredClients = [];
+        for (const [clientId, attempt] of this.failedAttempts.entries()) {
+            // Remove if block expired and no recent attempts
+            if (attempt.blockedUntil &&
+                now >= attempt.blockedUntil &&
+                now - attempt.lastAttempt > this.CLEANUP_INTERVAL) {
+                expiredClients.push(clientId);
+            }
+        }
+        expiredClients.forEach((clientId) => this.failedAttempts.delete(clientId));
+    }
+    /**
+     * Block the request with appropriate error response
+     */
+    blockRequest(res, code, details, clientId) {
+        const isDevelopment = this.config.debug;
+        const response = {
+            error: isDevelopment
+                ? this.config.errorMessage
+                : "Authentication required",
+            timestamp: new Date().toISOString(),
+            code: "NEHONIX_XYRS_001",
+        };
+        // Add detailed info only in debug mode
+        if (isDevelopment) {
+            response.xyrs = {
+                module: "RequestSignature",
+                code,
+                details,
+                requiredHeader: this.HEADER_NAME,
+                hint: "Include the X-XyRS header with your configured secret value",
+            };
+        }
+        if (this.config.debug && clientId) {
+            this.logger.debug("security", "XyRS blocking request", {
+                code,
+                details,
+                clientId,
+                requiredHeader: this.HEADER_NAME,
+            });
+        }
+        res.status(this.config.statusCode).json(response);
+    }
+    /**
+     * Log security events
+     */
+    logSecurityEvent(level, message, metadata) {
+        if (this.config.debug) {
+            const logMethod = level === "error"
+                ? "error"
+                : level === "warning"
+                    ? "warn"
+                    : "debug";
+            this.logger[logMethod]("security", message, metadata);
+        }
+    }
+    /**
+     * Update configuration with strict validation
+     */
+    updateConfig(newConfig) {
+        if (newConfig.secret !== undefined) {
+            this.validateSecret(newConfig.secret, newConfig.minSecretLength);
+        }
+        this.config = { ...this.config, ...newConfig };
+    }
+    /**
+     * Get current configuration (without exposing the secret)
+     */
+    getConfig() {
+        return {
+            errorMessage: this.config.errorMessage,
+            statusCode: this.config.statusCode,
+            debug: this.config.debug,
+            caseSensitive: this.config.caseSensitive,
+            trimValue: this.config.trimValue,
+            hasSecret: !!this.config.secret,
+            maxHeaderLength: this.config.maxHeaderLength,
+            maxFailedAttempts: this.config.maxFailedAttempts,
+            blockDuration: this.config.blockDuration,
+            minSecretLength: this.config.minSecretLength,
+            timingSafeComparison: this.config.timingSafeComparison,
+            rejectSuspiciousPatterns: this.config.rejectSuspiciousPatterns,
+        };
+    }
+    /**
+     * Get the header name used for signatures
+     */
+    getHeaderName() {
+        return this.HEADER_NAME;
+    }
+    /**
+     * Validate if a signature would be accepted (for testing)
+     */
+    validateSignature(signature) {
+        if (!signature || typeof signature !== "string") {
+            return false;
+        }
+        if (!this.validateHeaderLength(signature)) {
+            return false;
+        }
+        if (this.config.rejectSuspiciousPatterns &&
+            this.containsSuspiciousPatterns(signature)) {
+            return false;
+        }
+        const processedSignature = this.processSignatureValue(signature);
+        const expectedSignature = this.processSignatureValue(this.config.secret);
+        return this.compareSignatures(processedSignature, expectedSignature);
+    }
+    /**
+     * Get statistics about failed attempts (for monitoring)
+     */
+    getSecurityStats() {
+        const now = Date.now();
+        let blockedCount = 0;
+        for (const attempt of this.failedAttempts.values()) {
+            if (attempt.blockedUntil && now < attempt.blockedUntil) {
+                blockedCount++;
+            }
+        }
+        return {
+            trackedClients: this.failedAttempts.size,
+            blockedClients: blockedCount,
+        };
+    }
+    /**
+     * Cleanup resources
+     */
+    destroy() {
+        if (this.cleanupTimer) {
+            clearInterval(this.cleanupTimer);
+        }
+        this.failedAttempts.clear();
+    }
+}
+
+exports.RequestSignatureProtector = RequestSignatureProtector;
+//# sourceMappingURL=RequestSignatureProtector.js.map

package/dist/cjs/src/middleware/built-in/security/RequestSignatureProtector.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"RequestSignatureProtector.js","sources":["../../../../../../src/middleware/built-in/security/RequestSignatureProtector.ts"],"sourcesContent":[null],"names":["Logger","crypto"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;AAKG;MAMU,yBAAyB,CAAA;IASlC,WAAY,CAAA,OAA+B,EAAE,MAAe,EAAA;QAP3C,IAAW,CAAA,WAAA,GAAG,gBAAgB,CAAC;AAExC,QAAA,IAAA,CAAA,cAAc,GAA+B,IAAI,GAAG,EAAE,CAAC;AAE9C,QAAA,IAAA,CAAA,gBAAgB,GAAG,KAAK,CAAC;;QAKtC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAE7D,IAAI,CAAC,MAAM,GAAG;AACV,YAAA,YAAY,EAAE,sCAAsC;AACpD,YAAA,UAAU,EAAE,GAAG;AACf,YAAA,KAAK,EAAE,KAAK;AACZ,YAAA,aAAa,EAAE,IAAI;AACnB,YAAA,SAAS,EAAE,IAAI;AACf,YAAA,eAAe,EAAE,GAAG;AACpB,YAAA,iBAAiB,EAAE,CAAC;AACpB,YAAA,aAAa,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;AAC7B,YAAA,eAAe,EAAE,EAAE;AACnB,YAAA,oBAAoB,EAAE,IAAI;AAC1B,YAAA,wBAAwB,EAAE,IAAI;AAC9B,YAAA,GAAG,OAAO;SACb,CAAC;;AAGF,QAAA,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;;AAGvD,QAAA,IAAI,CAAC,MAAM;YACP,MAAM;AACN,gBAAA,IAAIA,aAAM,CAAC;AACP,oBAAA,OAAO,EAAE,IAAI;AACb,oBAAA,KAAK,EAAE,OAAO;AACd,oBAAA,UAAU,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE;AAC9B,oBAAA,KAAK,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;AACzB,iBAAA,CAAC,CAAC;;QAGP,IAAI,CAAC,iBAAiB,EAAE,CAAC;AAEzB,QAAA,IAAI,CAAC,gBAAgB,CACjB,MAAM,EACN,yCAAyC,CAC5C,CAAC;KACL;AAED;;AAEG;IACI,aAAa,GAAA;AAChB,QAAA,OAAO,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,KAAI;YACrC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;AACvC,SAAC,CAAC;KACL;AAED;;AAEG;AACK,IAAA,aAAa,CAAC,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAA;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;;AAGnD,QAAA,IAAI,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE;AAChC,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,cAAc,EACd,+DAA+D,EAC/D,QAAQ,CACX,CAAC;SACL;AAED,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,mCAAmC,CAAC,CAAC;SACtE;;QAGD,MAAM,SAAS,GAAG,IAAI,CAAC,sBAAsB,CAAC,GAAG,CAAC,CAAC;AAEnD,QAAA,IAAI,SAAS,KAAK,IAAI,EAAE;AACpB,YAAA,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACnC,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,mBAAmB,EACnB,CAAoB,iBAAA,EAAA,IAAI,CAAC,WAAW,CAAA,yBAAA,CAA2B,EAC/D,QAAQ,CACX,CAAC;SACL;;QAGD,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,EAAE;AACvC,YAAA,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACnC,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,uBAAuB,EACvB,CAA6C,2CAAA,CAAA,EAC7C,QAAQ,CACX,CAAC;SACL;;AAGD,QAAA,IACI,IAAI,CAAC,MAAM,CAAC,wBAAwB;AACpC,YAAA,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,EAC5C;AACE,YAAA,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACnC,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,oBAAoB,EACpB,CAAkD,gDAAA,CAAA,EAClD,QAAQ,CACX,CAAC;SACL;;QAGD,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;AACjE,QAAA,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAChD,IAAI,CAAC,MAAM,CAAC,MAAM,CACrB,CAAC;;QAGF,MAAM,OAAO,GAAG,IAAI,CAAC,iBAAiB,CAClC,kBAAkB,EAClB,iBAAiB,CACpB,CAAC;QAEF,IAAI,CAAC,OAAO,EAAE;AACV,YAAA,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AACnC,YAAA,IAAI,CAAC,gBAAgB,CAAC,SAAS,EAAE,2BAA2B,EAAE;gBAC1D,QAAQ;gBACR,eAAe,EAAE,SAAS,CAAC,MAAM;AACpC,aAAA,CAAC,CAAC;AACH,YAAA,OAAO,IAAI,CAAC,YAAY,CACpB,GAAG,EACH,mBAAmB,EACnB,CAAW,QAAA,EAAA,IAAI,CAAC,WAAW,CAAA,yCAAA,CAA2C,EACtE,QAAQ,CACX,CAAC;SACL;;AAGD,QAAA,IAAI,CAAC,mBAAmB,CAAC,QAAQ,CAAC,CAAC;AAEnC,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;YACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,kCAAkC,CAAC,CAAC;SACrE;AAED,QAAA,IAAI,EAAE,CAAC;KACV;AAED;;AAEG;AACK,IAAA,uBAAuB,CAAC,GAAQ,EAAA;;AAEpC,QAAA,MAAM,EAAE,GACJ,GAAG,CAAC,EAAE;AACN,YAAA,GAAG,CAAC,OAAO,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;AACrD,YAAA,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC;YACxB,GAAG,CAAC,UAAU,EAAE,aAAa;YAC7B,GAAG,CAAC,MAAM,EAAE,aAAa;AACzB,YAAA,SAAS,CAAC;AAEd,QAAA,OAAO,IAAI,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;KACpC;AAED;;AAEG;AACK,IAAA,gBAAgB,CAAC,QAAgB,EAAA;;QAErC,IAAI,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;;QAEjD,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC,CAAC;QACvD,OAAO,SAAS,IAAI,SAAS,CAAC;KACjC;AAED;;AAEG;AACK,IAAA,sBAAsB,CAAC,GAAQ,EAAA;AACnC,QAAA,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,EAAE;AACjD,YAAA,OAAO,IAAI,CAAC;SACf;;QAGD,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;;AAGzC,QAAA,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE;AAC/B,YAAA,OAAO,IAAI,CAAC;SACf;;AAGD,QAAA,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;AACnD,YAAA,OAAO,IAAI,CAAC;SACf;AAED,QAAA,OAAO,SAAS,CAAC;KACpB;AAED;;AAEG;AACK,IAAA,oBAAoB,CAAC,SAAiB,EAAA;AAC1C,QAAA,QACI,SAAS,CAAC,MAAM,GAAG,CAAC;AACpB,YAAA,SAAS,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,CAAC,eAAe,IAAI,GAAG,CAAC,EAC1D;KACL;AAED;;AAEG;AACK,IAAA,0BAA0B,CAAC,SAAiB,EAAA;;AAEhD,QAAA,MAAM,kBAAkB,GAAG;AACvB,YAAA,WAAW;AACX,YAAA,OAAO;AACP,YAAA,+BAA+B;AAC/B,YAAA,SAAS;AACT,YAAA,UAAU;AACV,YAAA,eAAe;SAClB,CAAC;AAEF,QAAA,OAAO,kBAAkB,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC;KACxE;AAED;;AAEG;AACK,IAAA,qBAAqB,CAAC,KAAa,EAAA;AACvC,QAAA,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,KAAK,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC;KACvD;AAED;;AAEG;IACK,iBAAiB,CAAC,QAAgB,EAAE,QAAgB,EAAA;;QAExD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM,EAAE;AACrC,YAAA,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,oBAAoB,EAAE;YAClC,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;SACnD;;AAGD,QAAA,OAAO,IAAI,CAAC,MAAM,CAAC,aAAa;cAC1B,QAAQ,KAAK,QAAQ;cACrB,QAAQ,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,WAAW,EAAE,CAAC;KAC3D;AAED;;AAEG;IACK,eAAe,CAAC,CAAS,EAAE,CAAS,EAAA;;QAExC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CACpB,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAClD,CAAC;QACF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CACpB,IAAI,CAAC,MAAM,CAAC,aAAa,GAAG,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE,CAClD,CAAC;QAEF,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE;AAC7B,YAAA,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,IAAI;YACA,OAAOC,iBAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;SAC7C;AAAC,QAAA,MAAM;AACJ,YAAA,OAAO,KAAK,CAAC;SAChB;KACJ;AAED;;AAEG;AACK,IAAA,eAAe,CAAC,QAAgB,EAAA;QACpC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE;AACnC,YAAA,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;AACvB,QAAA,IAAI,GAAG,IAAI,OAAO,CAAC,YAAY,EAAE;;AAE7B,YAAA,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;AACrC,YAAA,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,OAAO,IAAI,CAAC;KACf;AAED;;AAEG;AACK,IAAA,mBAAmB,CAAC,QAAgB,EAAA;AACxC,QAAA,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI;AACjD,YAAA,KAAK,EAAE,CAAC;AACR,YAAA,YAAY,EAAE,IAAI;AAClB,YAAA,WAAW,EAAE,GAAG;SACnB,CAAC;AAEF,QAAA,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;AACnB,QAAA,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC;;AAG1B,QAAA,IAAI,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,MAAM,CAAC,iBAAiB,IAAI,CAAC,CAAC,EAAE;AACvD,YAAA,OAAO,CAAC,YAAY,GAAG,GAAG,IAAI,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,CAAC;AACnE,YAAA,IAAI,CAAC,gBAAgB,CACjB,SAAS,EACT,uCAAuC,EACvC;gBACI,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,KAAK;gBACvB,YAAY,EAAE,IAAI,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE;AAC7D,aAAA,CACJ,CAAC;SACL;QAED,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;KAC9C;AAED;;AAEG;AACK,IAAA,mBAAmB,CAAC,QAAgB,EAAA;AACxC,QAAA,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;KACxC;AAED;;AAEG;IACK,cAAc,CAAC,MAAW,EAAE,SAAkB,EAAA;AAClD,QAAA,MAAM,MAAM,GAAG,SAAS,IAAI,EAAE,CAAC;QAE/B,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE;AACvC,YAAA,MAAM,IAAI,KAAK,CACX,oEAAoE,CACvE,CAAC;SACL;AAED,QAAA,MAAM,aAAa,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;AAEpC,QAAA,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE;AAC5B,YAAA,MAAM,IAAI,KAAK,CACX,sEAAsE,CACzE,CAAC;SACL;AAED,QAAA,IAAI,aAAa,CAAC,MAAM,GAAG,MAAM,EAAE;YAC/B,MAAM,IAAI,KAAK,CACX,CAAsD,mDAAA,EAAA,MAAM,CAA8B,2BAAA,EAAA,aAAa,CAAC,MAAM,CAAG,CAAA,CAAA,CACpH,CAAC;SACL;;AAGD,QAAA,IAAI,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,EAAE;AAClC,YAAA,MAAM,IAAI,KAAK,CACX,oGAAoG,CACvG,CAAC;SACL;KACJ;AAED;;AAEG;AACK,IAAA,YAAY,CAAC,MAAc,EAAA;AAC/B,QAAA,MAAM,YAAY,GAAG;AACjB,YAAA,UAAU;AACV,YAAA,aAAa;AACb,YAAA,UAAU;AACV,YAAA,iDAAiD;AACjD,YAAA,iBAAiB;SACpB,CAAC;AAEF,QAAA,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;KAC/D;AAED;;AAEG;AACK,IAAA,UAAU,CAAC,MAAc,EAAA;AAC7B,QAAA,OAAOA,iBAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;KACnE;AAED;;AAEG;IACK,iBAAiB,GAAA;AACrB,QAAA,IAAI,CAAC,YAAY,GAAG,WAAW,CAAC,MAAK;YACjC,IAAI,CAAC,sBAAsB,EAAE,CAAC;AAClC,SAAC,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;;AAG1B,QAAA,IAAI,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE;AACzB,YAAA,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;SAC7B;KACJ;AAED;;AAEG;IACK,sBAAsB,GAAA;AAC1B,QAAA,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,cAAc,GAAa,EAAE,CAAC;AAEpC,QAAA,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE;;YAE7D,IACI,OAAO,CAAC,YAAY;gBACpB,GAAG,IAAI,OAAO,CAAC,YAAY;gBAC3B,GAAG,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,gBAAgB,EACnD;AACE,gBAAA,cAAc,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;aACjC;SACJ;AAED,QAAA,cAAc,CAAC,OAAO,CAAC,CAAC,QAAQ,KAC5B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,QAAQ,CAAC,CACvC,CAAC;KACL;AAED;;AAEG;AACK,IAAA,YAAY,CAChB,GAAQ,EACR,IAAY,EACZ,OAAgB,EAChB,QAAiB,EAAA;AAEjB,QAAA,MAAM,aAAa,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;AAExC,QAAA,MAAM,QAAQ,GAAQ;AAClB,YAAA,KAAK,EAAE,aAAa;AAChB,kBAAE,IAAI,CAAC,MAAM,CAAC,YAAY;AAC1B,kBAAE,yBAAyB;AAC/B,YAAA,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;AACnC,YAAA,IAAI,EAAE,kBAAkB;SAC3B,CAAC;;QAGF,IAAI,aAAa,EAAE;YACf,QAAQ,CAAC,IAAI,GAAG;AACZ,gBAAA,MAAM,EAAE,kBAAkB;gBAC1B,IAAI;gBACJ,OAAO;gBACP,cAAc,EAAE,IAAI,CAAC,WAAW;AAChC,gBAAA,IAAI,EAAE,6DAA6D;aACtE,CAAC;SACL;QAED,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,QAAQ,EAAE;YAC/B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,EAAE,uBAAuB,EAAE;gBACnD,IAAI;gBACJ,OAAO;gBACP,QAAQ;gBACR,cAAc,EAAE,IAAI,CAAC,WAAW;AACnC,aAAA,CAAC,CAAC;SACN;AAED,QAAA,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;KACrD;AAED;;AAEG;AACK,IAAA,gBAAgB,CACpB,KAAmC,EACnC,OAAe,EACf,QAAc,EAAA;AAEd,QAAA,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE;AACnB,YAAA,MAAM,SAAS,GACX,KAAK,KAAK,OAAO;AACb,kBAAE,OAAO;kBACP,KAAK,KAAK,SAAS;AACrB,sBAAE,MAAM;sBACN,OAAO,CAAC;AACjB,YAAA,IAAI,CAAC,MAAc,CAAC,SAAS,CAAC,CAAC,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;SAClE;KACJ;AAED;;AAEG;AACI,IAAA,YAAY,CAAC,SAA0C,EAAA;AAC1D,QAAA,IAAI,SAAS,CAAC,MAAM,KAAK,SAAS,EAAE;YAChC,IAAI,CAAC,cAAc,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,CAAC;SACpE;AAED,QAAA,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,GAAG,SAAS,EAAE,CAAC;KAClD;AAED;;AAEG;IACI,SAAS,GAAA;QAGZ,OAAO;AACH,YAAA,YAAY,EAAE,IAAI,CAAC,MAAM,CAAC,YAAY;AACtC,YAAA,UAAU,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU;AAClC,YAAA,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK;AACxB,YAAA,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;AACxC,YAAA,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS;AAChC,YAAA,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM;AAC/B,YAAA,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;AAC5C,YAAA,iBAAiB,EAAE,IAAI,CAAC,MAAM,CAAC,iBAAiB;AAChD,YAAA,aAAa,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa;AACxC,YAAA,eAAe,EAAE,IAAI,CAAC,MAAM,CAAC,eAAe;AAC5C,YAAA,oBAAoB,EAAE,IAAI,CAAC,MAAM,CAAC,oBAAoB;AACtD,YAAA,wBAAwB,EAAE,IAAI,CAAC,MAAM,CAAC,wBAAwB;SACjE,CAAC;KACL;AAED;;AAEG;IACI,aAAa,GAAA;QAChB,OAAO,IAAI,CAAC,WAAW,CAAC;KAC3B;AAED;;AAEG;AACI,IAAA,iBAAiB,CAAC,SAAiB,EAAA;QACtC,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE;AAC7C,YAAA,OAAO,KAAK,CAAC;SAChB;QAED,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,SAAS,CAAC,EAAE;AACvC,YAAA,OAAO,KAAK,CAAC;SAChB;AAED,QAAA,IACI,IAAI,CAAC,MAAM,CAAC,wBAAwB;AACpC,YAAA,IAAI,CAAC,0BAA0B,CAAC,SAAS,CAAC,EAC5C;AACE,YAAA,OAAO,KAAK,CAAC;SAChB;QAED,MAAM,kBAAkB,GAAG,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,CAAC;AACjE,QAAA,MAAM,iBAAiB,GAAG,IAAI,CAAC,qBAAqB,CAChD,IAAI,CAAC,MAAM,CAAC,MAAM,CACrB,CAAC;QAEF,OAAO,IAAI,CAAC,iBAAiB,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC;KACxE;AAED;;AAEG;IACI,gBAAgB,GAAA;AAInB,QAAA,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,YAAY,GAAG,CAAC,CAAC;QAErB,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,EAAE;YAChD,IAAI,OAAO,CAAC,YAAY,IAAI,GAAG,GAAG,OAAO,CAAC,YAAY,EAAE;AACpD,gBAAA,YAAY,EAAE,CAAC;aAClB;SACJ;QAED,OAAO;AACH,YAAA,cAAc,EAAE,IAAI,CAAC,cAAc,CAAC,IAAI;AACxC,YAAA,cAAc,EAAE,YAAY;SAC/B,CAAC;KACL;AAED;;AAEG;IACI,OAAO,GAAA;AACV,QAAA,IAAI,IAAI,CAAC,YAAY,EAAE;AACnB,YAAA,aAAa,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;SACpC;AACD,QAAA,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;KAC/B;AACJ;;;;"}