{"version":3,"file":"explain-Dgj_78bE.cjs","names":["ops","resolveValue","isCondition","evalCondition","resolve","matchesAction","matchesResourceHierarchical","matchesResource"],"sources":["../src/core/conditions/conditions.ts","../src/core/explain/explain.libs.ts","../src/core/explain/explain.ts","../src/core/explain/index.ts"],"sourcesContent":["import type { AccessControl, IamPrimitives, IamRequest } from '../types'\nimport { evalCondition, isCondition, MAX_CONDITION_DEPTH, ops, resolveValue } from './conditions.libs'\n\n/**\n * Evaluate a single operator. Exposed for explain/trace functionality.\n *\n * @param op         - The operator to apply.\n * @param fieldValue - Left-hand side resolved from the request.\n * @param condValue  - Right-hand side from the condition.\n * @returns `true` when the operator predicate holds.\n */\nexport function evaluateOperator(\n  op: AccessControl.Operator,\n  fieldValue: IamPrimitives.AttributeValue,\n  condValue: IamPrimitives.AttributeValue,\n): boolean {\n  return ops[op](fieldValue, condValue)\n}\n\n/**\n * Resolve $-variable references in condition values against a request.\n *\n * @param req   - The access request providing resolution roots.\n * @param value - Raw condition value (possibly `$`-prefixed reference).\n * @returns The resolved value, or `value` unchanged when no resolution applies.\n */\nexport function resolveConditionValue(\n  req: IamRequest.IAccessRequest,\n  value: IamPrimitives.AttributeValue,\n): IamPrimitives.AttributeValue {\n  return resolveValue(req, value)\n}\n\n/** Evaluate a single condition or condition group item, dispatching to the appropriate handler. */\nfunction evalItem(\n  req: IamRequest.IAccessRequest,\n  item: AccessControl.ICondition | AccessControl.IConditionGroup,\n  depth: number,\n  caches?: { regex?: Map<string, RegExp>; path?: Map<string, string[] | null> },\n): boolean {\n  return isCondition(item) ? 
evalCondition(req, item, caches) : evalConditionGroup(req, item, depth, caches)\n}\n\n/**\n * Evaluates a condition group tree against an access request.\n *\n * Handles `all` (AND), `any` (OR), and `none` (NOT/NOR) groups recursively.\n * Fails closed (returns `false`) when nesting exceeds `MAX_CONDITION_DEPTH`.\n *\n * @param req   - The access request providing field values\n * @param group - The condition group to evaluate\n * @param depth - Current recursion depth (internal, do not set)\n * @returns Whether the condition group is satisfied\n */\nexport function evalConditionGroup(\n  req: IamRequest.IAccessRequest,\n  group: AccessControl.IConditionGroup,\n  depth = 0,\n  caches?: { regex?: Map<string, RegExp>; path?: Map<string, string[] | null> },\n): boolean {\n  if (depth >= MAX_CONDITION_DEPTH) {\n    return false // Deny when nesting is too deep -- fail closed\n  }\n\n  if ('all' in group) {\n    return group.all.every((item) => evalItem(req, item, depth + 1, caches))\n  }\n\n  if ('any' in group) {\n    return group.any.some((item) => evalItem(req, item, depth + 1, caches))\n  }\n\n  if ('none' in group) {\n    return !group.none.some((item) => evalItem(req, item, depth + 1, caches))\n  }\n\n  // Empty object {} = no conditions = unconditionally true\n  return true\n}\n","/** biome-ignore-all lint/style/noNonNullAssertion: index iteration guarded by length check. */\n\nimport { evaluateOperator, resolveConditionValue } from '../conditions'\nimport { matchesAction, matchesResource, matchesResourceHierarchical, resolve } from '../resolve'\nimport type { AccessControl, IamRequest } from '../types'\nimport type { Explain } from './explain.types'\n\n/** Maximum nesting depth for traced condition groups. */\nconst MAX_TRACE_DEPTH = 10\n\n/** Type guard that distinguishes a flat {@link AccessControl.ICondition} from a nested {@link AccessControl.IConditionGroup}. 
*/\nfunction isCondition(item: AccessControl.ICondition | AccessControl.IConditionGroup): item is AccessControl.ICondition {\n  return 'field' in item\n}\n\n/** Trace a single leaf condition, capturing actual vs expected values and the result. */\nfunction traceLeaf(req: IamRequest.IAccessRequest, cond: AccessControl.ICondition): Explain.ILeafTrace {\n  const actual = resolve(req, cond.field)\n  const expected = resolveConditionValue(req, cond.value ?? null)\n  const result = evaluateOperator(cond.operator, actual, expected)\n  return { type: 'condition', field: cond.field, operator: cond.operator, expected, actual, result }\n}\n\n/** Trace a single condition item, dispatching to leaf or group tracer. */\nfunction traceItem(\n  req: IamRequest.IAccessRequest,\n  item: AccessControl.ICondition | AccessControl.IConditionGroup,\n  depth: number,\n): Explain.Trace {\n  return isCondition(item) ? traceLeaf(req, item) : traceGroup(req, item, depth)\n}\n\n/** Recursively trace a condition group, producing child traces for each item. NOTE(review): the trace can disagree with enforcement -- an empty group `{}` reports `result: false` here while `evalConditionGroup` returns `true`, and the depth cut-off uses `MAX_TRACE_DEPTH` rather than `MAX_CONDITION_DEPTH`; confirm the two stay aligned so a debug trace never shows a different outcome than the real decision. 
*/\nfunction traceGroup(\n  req: IamRequest.IAccessRequest,\n  group: AccessControl.IConditionGroup,\n  depth = 0,\n): Explain.IGroupTrace {\n  if (depth >= MAX_TRACE_DEPTH) {\n    return { type: 'group', logic: 'all', result: false, children: [] }\n  }\n\n  if ('all' in group) {\n    const children = group.all.map((item) => traceItem(req, item, depth + 1))\n    return { type: 'group', logic: 'all', result: children.every((c) => c.result), children }\n  }\n\n  if ('any' in group) {\n    const children = group.any.map((item) => traceItem(req, item, depth + 1))\n    return { type: 'group', logic: 'any', result: children.some((c) => c.result), children }\n  }\n\n  if ('none' in group) {\n    const children = group.none.map((item) => traceItem(req, item, depth + 1))\n    return { type: 'group', logic: 'none', result: children.every((c) => !c.result), children }\n  }\n\n  return { type: 'group', logic: 'all', result: false, children: [] }\n}\n\n/** Trace a single rule evaluation: action match, resource match, and condition tree. */\nfunction traceRule(rule: AccessControl.IRule, req: IamRequest.IAccessRequest): Explain.IRuleTrace {\n  const actionMatch = rule.actions.some((a) => matchesAction(a, req.action))\n\n  const resourceMatch = rule.resources.some((r) => {\n    if (r.includes('.') || req.resource.type.includes('.')) {\n      return matchesResourceHierarchical(r, req.resource.type)\n    }\n    return matchesResource(r, req.resource.type)\n  })\n\n  const conditions = traceGroup(req, rule.conditions)\n\n  return {\n    ruleId: rule.id,\n    description: rule.description,\n    effect: rule.effect,\n    priority: rule.priority,\n    actionMatch,\n    resourceMatch,\n    conditionsMet: conditions.result,\n    conditions,\n    matched: actionMatch && resourceMatch && conditions.result,\n  }\n}\n\n/** Apply a combining algorithm to matched rule traces, mirroring the evaluate module logic. 
*/\nfunction applyCombiner(\n  algorithm: AccessControl.CombiningAlgorithm,\n  matched: readonly Explain.IRuleTrace[],\n  defaultEffect: AccessControl.Effect,\n): { effect: AccessControl.Effect; reason: string; decidingRuleId?: string } {\n  switch (algorithm) {\n    case 'deny-overrides': {\n      const deny = matched.find((r) => r.effect === 'deny')\n      if (deny) return { effect: 'deny', reason: `Denied by rule \"${deny.ruleId}\"`, decidingRuleId: deny.ruleId }\n      const allow = matched.find((r) => r.effect === 'allow')\n      if (allow) return { effect: 'allow', reason: `Allowed by rule \"${allow.ruleId}\"`, decidingRuleId: allow.ruleId }\n      return { effect: defaultEffect, reason: `No matching rules. Defaulted to ${defaultEffect}` }\n    }\n    case 'allow-overrides': {\n      const allow = matched.find((r) => r.effect === 'allow')\n      if (allow) return { effect: 'allow', reason: `Allowed by rule \"${allow.ruleId}\"`, decidingRuleId: allow.ruleId }\n      const deny = matched.find((r) => r.effect === 'deny')\n      if (deny) return { effect: 'deny', reason: `Denied by rule \"${deny.ruleId}\"`, decidingRuleId: deny.ruleId }\n      return { effect: defaultEffect, reason: `No matching rules. Defaulted to ${defaultEffect}` }\n    }\n    case 'first-match': {\n      if (matched.length === 0)\n        return { effect: defaultEffect, reason: `No matching rules. 
Defaulted to ${defaultEffect}` }\n      let first = matched[0]!\n      for (let i = 1; i < matched.length; i++) {\n        const cur = matched[i]!\n        if (cur.priority > first.priority) first = cur\n      }\n      return {\n        effect: first.effect,\n        reason: `First match: rule \"${first.ruleId}\" (${first.effect})`,\n        decidingRuleId: first.ruleId,\n      }\n    }\n    case 'highest-priority': {\n      let top: (typeof matched)[number] | undefined\n      for (const cur of matched) {\n        if (top === undefined || cur.priority > top.priority) top = cur\n      }\n      if (top !== undefined) {\n        return {\n          effect: top.effect,\n          reason: `Highest priority: rule \"${top.ruleId}\" (p=${top.priority})`,\n          decidingRuleId: top.ruleId,\n        }\n      }\n      return { effect: defaultEffect, reason: `No matching rules. Defaulted to ${defaultEffect}` }\n    }\n  }\n}\n\n/** Check whether a policy's target constraints match the request. */\nfunction policyTargetsMatch(policy: AccessControl.IPolicy, req: IamRequest.IAccessRequest): boolean {\n  if (!policy.targets) return true\n  const { actions, resources, roles } = policy.targets\n  if (actions?.length && !actions.some((a) => matchesAction(a, req.action))) return false\n  if (resources?.length && !resources.some((r) => matchesResource(r, req.resource.type))) return false\n  if (roles?.length) {\n    const subjectRoles = Array.isArray(req.subject.roles) ? 
req.subject.roles : []\n    if (!roles.some((role) => subjectRoles.includes(role))) return false\n  }\n  return true\n}\n\n/**\n * Trace a full policy evaluation: target matching, rule traces, and combining\n * algorithm result.\n *\n * @param policy        - The policy to trace.\n * @param req           - The access request being evaluated.\n * @param defaultEffect - Effect to record when no rule fires.\n * @returns An {@link Explain.IPolicyTrace} describing the policy's outcome.\n */\nexport function tracePolicy(\n  policy: AccessControl.IPolicy,\n  req: IamRequest.IAccessRequest,\n  defaultEffect: AccessControl.Effect,\n): Explain.IPolicyTrace {\n  const targetMatch = policyTargetsMatch(policy, req)\n\n  if (!targetMatch) {\n    return {\n      policyId: policy.id,\n      policyName: policy.name,\n      algorithm: policy.algorithm,\n      targetMatch: false,\n      rules: [],\n      result: defaultEffect,\n      reason: `Policy \"${policy.id}\" targets do not match. Defaulted to ${defaultEffect}`,\n    }\n  }\n\n  const ruleTraces = policy.rules.map((rule) => traceRule(rule, req))\n  const matched = ruleTraces.filter((r) => r.matched)\n  const { effect, reason, decidingRuleId } = applyCombiner(policy.algorithm, matched, defaultEffect)\n  const decidingRule = decidingRuleId ? 
policy.rules.find((r) => r.id === decidingRuleId) : undefined\n\n  return {\n    policyId: policy.id,\n    policyName: policy.name,\n    algorithm: policy.algorithm,\n    targetMatch: true,\n    rules: ruleTraces,\n    result: effect,\n    reason,\n    decidingRuleId,\n    decidingRule,\n  }\n}\n","import type { AccessControl, IamRequest } from '../types'\nimport { tracePolicy } from './explain.libs'\nimport type { Explain } from './explain.types'\n/**\n * Produce a detailed evaluation trace for debugging authorization decisions.\n * Every policy is traced (no short-circuit) so callers can see the full picture;\n * `combine` controls which trace produces the final {@link AccessControl.IDecision}.\n *\n * @param policies      All policies to trace.\n * @param request       The access request.\n * @param defaultEffect Effect when no rule fires inside any policy.\n * @param subjectInfo   Subject metadata (id, roles, scoped roles applied).\n * @param combine       Cross-policy combine strategy (defaults to `'and'`).\n * @returns A full {@link Explain.IResult} describing every policy trace and the final decision.\n */\nexport function explainEvaluation(\n  policies: AccessControl.IPolicy[],\n  request: IamRequest.IAccessRequest,\n  defaultEffect: AccessControl.Effect,\n  subjectInfo: Explain.ISubjectInfo,\n  combine: AccessControl.PolicyCombine = 'and',\n): Explain.IResult {\n  const start = performance.now()\n\n  const policyTraces = policies.map((p) => tracePolicy(p, request, defaultEffect))\n\n  let finalEffect: AccessControl.Effect = defaultEffect\n  let finalReason = 'No policies configured'\n  let finalPolicy: string | undefined\n  let finalRule: AccessControl.IRule | undefined\n\n  if (policies.length > 0) {\n    const decided = decideFinal(policyTraces, defaultEffect, combine)\n    finalEffect = decided.effect\n    finalReason = decided.reason\n    finalPolicy = decided.policy\n    finalRule = decided.rule\n  }\n\n  const decision: AccessControl.IDecision = {\n  
  allowed: finalEffect === 'allow',\n    effect: finalEffect,\n    rule: finalRule,\n    policy: finalPolicy,\n    reason: finalReason,\n    duration: performance.now() - start,\n    timestamp: Date.now(),\n  }\n\n  const summary = buildSummary(decision, policyTraces, subjectInfo, request)\n\n  return {\n    decision,\n    request: {\n      action: request.action,\n      resourceType: request.resource.type,\n      resourceId: request.resource.id,\n      scope: request.scope,\n    },\n    subject: {\n      id: subjectInfo.subjectId,\n      roles: subjectInfo.originalRoles,\n      scopedRolesApplied: subjectInfo.scopedRolesApplied,\n      attributes: request.subject.attributes,\n    },\n    policies: policyTraces,\n    summary,\n  }\n}\n\n/** Resolve the final decision across all policy traces under the given combine mode. */\nfunction decideFinal(\n  traces: readonly Explain.IPolicyTrace[],\n  defaultEffect: AccessControl.Effect,\n  combine: AccessControl.PolicyCombine,\n): { effect: AccessControl.Effect; reason: string; policy?: string; rule?: AccessControl.IRule } {\n  // NotApplicable traces (targets didn't match) are skipped in every mode  -\n  // they contribute nothing to the cross-policy combine.\n  const applicable = traces.filter((t) => t.targetMatch)\n\n  if (combine === 'and') {\n    let lastAllow: Explain.IPolicyTrace | null = null\n    for (const pt of applicable) {\n      if (pt.result !== 'allow') {\n        return { effect: 'deny', reason: pt.reason, policy: pt.policyId, rule: pt.decidingRule }\n      }\n      lastAllow = pt\n    }\n    if (lastAllow) {\n      return { effect: 'allow', reason: lastAllow.reason, policy: lastAllow.policyId, rule: lastAllow.decidingRule }\n    }\n  } else if (combine === 'allow-overrides') {\n    let lastDeny: Explain.IPolicyTrace | null = null\n    for (const pt of applicable) {\n      if (pt.result === 'allow') {\n        return { effect: 'allow', reason: pt.reason, policy: pt.policyId, rule: pt.decidingRule }\n      
}\n      lastDeny = pt\n    }\n    if (lastDeny) {\n      return { effect: 'deny', reason: lastDeny.reason, policy: lastDeny.policyId, rule: lastDeny.decidingRule }\n    }\n  } else {\n    // first-applicable\n    for (const pt of applicable) {\n      if (pt.decidingRule) {\n        return { effect: pt.result, reason: pt.reason, policy: pt.policyId, rule: pt.decidingRule }\n      }\n    }\n  }\n  return {\n    effect: defaultEffect,\n    reason:\n      applicable.length === 0\n        ? `No applicable policy across ${traces.length} policies. Defaulted to ${defaultEffect}`\n        : `No matching rules across ${applicable.length} applicable policies. Defaulted to ${defaultEffect}`,\n  }\n}\n\n/** Build a human-readable multi-line summary of the evaluation trace. */\nfunction buildSummary(\n  decision: AccessControl.IDecision,\n  policyTraces: Explain.IPolicyTrace[],\n  info: Explain.ISubjectInfo,\n  req: IamRequest.IAccessRequest,\n): string {\n  const verb = decision.allowed ? 'ALLOWED' : 'DENIED'\n  const parts: string[] = []\n\n  // Header\n  parts.push(\n    `${verb}: \"${info.subjectId}\" attempting ${req.action} on ${req.resource.type}${req.scope ? ` [scope: ${req.scope}]` : ''}`,\n  )\n\n  // Roles\n  const roles = [...info.originalRoles]\n  if (info.scopedRolesApplied.length > 0) {\n    parts.push(`  Roles: [${roles.join(', ')}] + scoped: [${info.scopedRolesApplied.join(', ')}]`)\n  } else {\n    parts.push(`  Roles: [${roles.join(', ')}]`)\n  }\n\n  // Per-policy summary\n  for (const pt of policyTraces) {\n    const matched = pt.rules.filter((r) => r.matched).length\n    const total = pt.rules.length\n\n    if (!pt.targetMatch) {\n      parts.push(`  ${pt.policyId}: targets don't match (${pt.result})`)\n    } else if (pt.decidingRuleId) {\n      parts.push(`  ${pt.policyId} [${pt.algorithm}]: ${pt.reason} (${matched}/${total} rules matched)`)\n    } else {\n      parts.push(\n        `  ${pt.policyId} [${pt.algorithm}]: no matching rules. 
Defaulted to ${pt.result} (0/${total} rules evaluated)`,\n      )\n    }\n  }\n\n  // Final\n  parts.push(`  Result: ${decision.reason}`)\n\n  return parts.join('\\n')\n}\n","export { explainEvaluation } from './explain'\nexport type { Explain } from './explain.types'\n\n/**\n * Escape a value-derived string for safe inclusion in HTML.\n *\n * `Explain.IResult.summary` and condition-leaf `actual` / `expected` strings\n * carry operator-supplied policy names and request-attribute values verbatim.\n * If a consumer renders the explain trace into a debug panel, run those\n * untrusted strings through this helper first. Returns the same input with\n * `& < > \" '` replaced by their HTML entities.\n *\n * @param s - Untrusted string from explain output.\n * @returns HTML-safe escaped string.\n */\nexport function escapeHtml(s: string): string {\n  return s\n    .replace(/&/g, '&amp;')\n    .replace(/</g, '&lt;')\n    .replace(/>/g, '&gt;')\n    .replace(/\"/g, '&quot;')\n    .replace(/'/g, '&#39;')\n}\n"],"mappings":";;;;;;;;;;;AAWA,SAAgB,iBACd,IACA,YACA,WACS;CACT,OAAOA,4BAAI,GAAG,CAAC,YAAY,SAAS;AACtC;;;;;;;;AASA,SAAgB,sBACd,KACA,OAC8B;CAC9B,OAAOC,qCAAa,KAAK,KAAK;AAChC;;AAGA,SAAS,SACP,KACA,MACA,OACA,QACS;CACT,OAAOC,oCAAY,IAAI,IAAIC,sCAAc,KAAK,MAAM,MAAM,IAAI,mBAAmB,KAAK,MAAM,OAAO,MAAM;AAC3G;;;;;;;;;;;;AAaA,SAAgB,mBACd,KACA,OACA,QAAQ,GACR,QACS;CACT,IAAI,aACF,OAAO;CAGT,IAAI,SAAS,OACX,OAAO,MAAM,IAAI,OAAO,SAAS,SAAS,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;CAGzE,IAAI,SAAS,OACX,OAAO,MAAM,IAAI,MAAM,SAAS,SAAS,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;CAGxE,IAAI,UAAU,OACZ,OAAO,CAAC,MAAM,KAAK,MAAM,SAAS,SAAS,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;CAI1E,OAAO;AACT;;;;;;ACtEA,MAAM,kBAAkB;;AAGxB,SAAS,YAAY,MAAkG;CACrH,OAAO,WAAW;AACpB;;AAGA,SAAS,UAAU,KAAgC,MAAoD;CACrG,MAAM,SAASC,gCAAQ,KAAK,KAAK,KAAK;CACtC,MAAM,WAAW,sBAAsB,KAAK,KAAK,SAAS,IAAI;CAC9D,MAAM,SAAS,iBAAiB,KAAK,UAAU,QAAQ,QAAQ;CAC/D,OAAO;EAAE,MAAM;EAAa,OAAO,KAAK;EAAO,UAAU,KAAK;EAAU;EAAU;EAAQ;CAAO;AACnG;;AAGA,SAAS,UACP,KACA,MACA,OACe;CACf,OAAO,YAAY,IAAI,IAAI,UAAU,
KAAK,IAAI,IAAI,WAAW,KAAK,MAAM,KAAK;AAC/E;;AAGA,SAAS,WACP,KACA,OACA,QAAQ,GACa;CACrB,IAAI,SAAS,iBACX,OAAO;EAAE,MAAM;EAAS,OAAO;EAAO,QAAQ;EAAO,UAAU,CAAC;CAAE;CAGpE,IAAI,SAAS,OAAO;EAClB,MAAM,WAAW,MAAM,IAAI,KAAK,SAAS,UAAU,KAAK,MAAM,QAAQ,CAAC,CAAC;EACxE,OAAO;GAAE,MAAM;GAAS,OAAO;GAAO,QAAQ,SAAS,OAAO,MAAM,EAAE,MAAM;GAAG;EAAS;CAC1F;CAEA,IAAI,SAAS,OAAO;EAClB,MAAM,WAAW,MAAM,IAAI,KAAK,SAAS,UAAU,KAAK,MAAM,QAAQ,CAAC,CAAC;EACxE,OAAO;GAAE,MAAM;GAAS,OAAO;GAAO,QAAQ,SAAS,MAAM,MAAM,EAAE,MAAM;GAAG;EAAS;CACzF;CAEA,IAAI,UAAU,OAAO;EACnB,MAAM,WAAW,MAAM,KAAK,KAAK,SAAS,UAAU,KAAK,MAAM,QAAQ,CAAC,CAAC;EACzE,OAAO;GAAE,MAAM;GAAS,OAAO;GAAQ,QAAQ,SAAS,OAAO,MAAM,CAAC,EAAE,MAAM;GAAG;EAAS;CAC5F;CAEA,OAAO;EAAE,MAAM;EAAS,OAAO;EAAO,QAAQ;EAAO,UAAU,CAAC;CAAE;AACpE;;AAGA,SAAS,UAAU,MAA2B,KAAoD;CAChG,MAAM,cAAc,KAAK,QAAQ,MAAM,MAAMC,sCAAc,GAAG,IAAI,MAAM,CAAC;CAEzE,MAAM,gBAAgB,KAAK,UAAU,MAAM,MAAM;EAC/C,IAAI,EAAE,SAAS,GAAG,KAAK,IAAI,SAAS,KAAK,SAAS,GAAG,GACnD,OAAOC,oDAA4B,GAAG,IAAI,SAAS,IAAI;EAEzD,OAAOC,wCAAgB,GAAG,IAAI,SAAS,IAAI;CAC7C,CAAC;CAED,MAAM,aAAa,WAAW,KAAK,KAAK,UAAU;CAElD,OAAO;EACL,QAAQ,KAAK;EACb,aAAa,KAAK;EAClB,QAAQ,KAAK;EACb,UAAU,KAAK;EACf;EACA;EACA,eAAe,WAAW;EAC1B;EACA,SAAS,eAAe,iBAAiB,WAAW;CACtD;AACF;;AAGA,SAAS,cACP,WACA,SACA,eAC2E;CAC3E,QAAQ,WAAR;EACE,KAAK,kBAAkB;GACrB,MAAM,OAAO,QAAQ,MAAM,MAAM,EAAE,WAAW,MAAM;GACpD,IAAI,MAAM,OAAO;IAAE,QAAQ;IAAQ,QAAQ,mBAAmB,KAAK,OAAO;IAAI,gBAAgB,KAAK;GAAO;GAC1G,MAAM,QAAQ,QAAQ,MAAM,MAAM,EAAE,WAAW,OAAO;GACtD,IAAI,OAAO,OAAO;IAAE,QAAQ;IAAS,QAAQ,oBAAoB,MAAM,OAAO;IAAI,gBAAgB,MAAM;GAAO;GAC/G,OAAO;IAAE,QAAQ;IAAe,QAAQ,mCAAmC;GAAgB;EAC7F;EACA,KAAK,mBAAmB;GACtB,MAAM,QAAQ,QAAQ,MAAM,MAAM,EAAE,WAAW,OAAO;GACtD,IAAI,OAAO,OAAO;IAAE,QAAQ;IAAS,QAAQ,oBAAoB,MAAM,OAAO;IAAI,gBAAgB,MAAM;GAAO;GAC/G,MAAM,OAAO,QAAQ,MAAM,MAAM,EAAE,WAAW,MAAM;GACpD,IAAI,MAAM,OAAO;IAAE,QAAQ;IAAQ,QAAQ,mBAAmB,KAAK,OAAO;IAAI,gBAAgB,KAAK;GAAO;GAC1G,OAAO;IAAE,QAAQ;IAAe,QAAQ,mCAAmC;GAAgB;EAC7F;EACA,KAAK,eAAe;GAClB,IAAI,QAAQ,WAAW,GACrB,OAAO;IAAE,QAAQ;IAAe,QAAQ,mCAAmC;GAAgB;GAC7F,IAAI,QAAQ,QAAQ;GACpB,KAAK,IAAI,IAAI,GAAG,IAAI,QA
AQ,QAAQ,KAAK;IACvC,MAAM,MAAM,QAAQ;IACpB,IAAI,IAAI,WAAW,MAAM,UAAU,QAAQ;GAC7C;GACA,OAAO;IACL,QAAQ,MAAM;IACd,QAAQ,sBAAsB,MAAM,OAAO,KAAK,MAAM,OAAO;IAC7D,gBAAgB,MAAM;GACxB;EACF;EACA,KAAK,oBAAoB;GACvB,IAAI;GACJ,KAAK,MAAM,OAAO,SAChB,IAAI,QAAQ,UAAa,IAAI,WAAW,IAAI,UAAU,MAAM;GAE9D,IAAI,QAAQ,QACV,OAAO;IACL,QAAQ,IAAI;IACZ,QAAQ,2BAA2B,IAAI,OAAO,OAAO,IAAI,SAAS;IAClE,gBAAgB,IAAI;GACtB;GAEF,OAAO;IAAE,QAAQ;IAAe,QAAQ,mCAAmC;GAAgB;EAC7F;CACF;AACF;;AAGA,SAAS,mBAAmB,QAA+B,KAAyC;CAClG,IAAI,CAAC,OAAO,SAAS,OAAO;CAC5B,MAAM,EAAE,SAAS,WAAW,UAAU,OAAO;CAC7C,IAAI,SAAS,UAAU,CAAC,QAAQ,MAAM,MAAMF,sCAAc,GAAG,IAAI,MAAM,CAAC,GAAG,OAAO;CAClF,IAAI,WAAW,UAAU,CAAC,UAAU,MAAM,MAAME,wCAAgB,GAAG,IAAI,SAAS,IAAI,CAAC,GAAG,OAAO;CAC/F,IAAI,OAAO,QAAQ;EACjB,MAAM,eAAe,MAAM,QAAQ,IAAI,QAAQ,KAAK,IAAI,IAAI,QAAQ,QAAQ,CAAC;EAC7E,IAAI,CAAC,MAAM,MAAM,SAAS,aAAa,SAAS,IAAI,CAAC,GAAG,OAAO;CACjE;CACA,OAAO;AACT;;;;;;;;;;AAWA,SAAgB,YACd,QACA,KACA,eACsB;CAGtB,IAAI,CAFgB,mBAAmB,QAAQ,GAEhC,GACb,OAAO;EACL,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB,WAAW,OAAO;EAClB,aAAa;EACb,OAAO,CAAC;EACR,QAAQ;EACR,QAAQ,WAAW,OAAO,GAAG,uCAAuC;CACtE;CAGF,MAAM,aAAa,OAAO,MAAM,KAAK,SAAS,UAAU,MAAM,GAAG,CAAC;CAClE,MAAM,UAAU,WAAW,QAAQ,MAAM,EAAE,OAAO;CAClD,MAAM,EAAE,QAAQ,QAAQ,mBAAmB,cAAc,OAAO,WAAW,SAAS,aAAa;CACjG,MAAM,eAAe,iBAAiB,OAAO,MAAM,MAAM,MAAM,EAAE,OAAO,cAAc,IAAI;CAE1F,OAAO;EACL,UAAU,OAAO;EACjB,YAAY,OAAO;EACnB,WAAW,OAAO;EAClB,aAAa;EACb,OAAO;EACP,QAAQ;EACR;EACA;EACA;CACF;AACF;;;;;;;;;;;;;;;;ACpLA,SAAgB,kBACd,UACA,SACA,eACA,aACA,UAAuC,OACtB;CACjB,MAAM,QAAQ,YAAY,IAAI;CAE9B,MAAM,eAAe,SAAS,KAAK,MAAM,YAAY,GAAG,SAAS,aAAa,CAAC;CAE/E,IAAI,cAAoC;CACxC,IAAI,cAAc;CAClB,IAAI;CACJ,IAAI;CAEJ,IAAI,SAAS,SAAS,GAAG;EACvB,MAAM,UAAU,YAAY,cAAc,eAAe,OAAO;EAChE,cAAc,QAAQ;EACtB,cAAc,QAAQ;EACtB,cAAc,QAAQ;EACtB,YAAY,QAAQ;CACtB;CAEA,MAAM,WAAoC;EACxC,SAAS,gBAAgB;EACzB,QAAQ;EACR,MAAM;EACN,QAAQ;EACR,QAAQ;EACR,UAAU,YAAY,IAAI,IAAI;EAC9B,WAAW,KAAK,IAAI;CACtB;CAEA,MAAM,UAAU,aAAa,UAAU,cAAc,aAAa,OAAO;CAEzE,OAAO;EACL;EACA,SAAS;GACP,QAAQ,QAAQ;GAChB,cAAc,QAAQ,SAAS;GAC/B,YAAY,QAAQ,SAAS;GAC7B,OAAO,QAAQ;EACj
B;EACA,SAAS;GACP,IAAI,YAAY;GAChB,OAAO,YAAY;GACnB,oBAAoB,YAAY;GAChC,YAAY,QAAQ,QAAQ;EAC9B;EACA,UAAU;EACV;CACF;AACF;;AAGA,SAAS,YACP,QACA,eACA,SAC+F;CAG/F,MAAM,aAAa,OAAO,QAAQ,MAAM,EAAE,WAAW;CAErD,IAAI,YAAY,OAAO;EACrB,IAAI,YAAyC;EAC7C,KAAK,MAAM,MAAM,YAAY;GAC3B,IAAI,GAAG,WAAW,SAChB,OAAO;IAAE,QAAQ;IAAQ,QAAQ,GAAG;IAAQ,QAAQ,GAAG;IAAU,MAAM,GAAG;GAAa;GAEzF,YAAY;EACd;EACA,IAAI,WACF,OAAO;GAAE,QAAQ;GAAS,QAAQ,UAAU;GAAQ,QAAQ,UAAU;GAAU,MAAM,UAAU;EAAa;CAEjH,OAAO,IAAI,YAAY,mBAAmB;EACxC,IAAI,WAAwC;EAC5C,KAAK,MAAM,MAAM,YAAY;GAC3B,IAAI,GAAG,WAAW,SAChB,OAAO;IAAE,QAAQ;IAAS,QAAQ,GAAG;IAAQ,QAAQ,GAAG;IAAU,MAAM,GAAG;GAAa;GAE1F,WAAW;EACb;EACA,IAAI,UACF,OAAO;GAAE,QAAQ;GAAQ,QAAQ,SAAS;GAAQ,QAAQ,SAAS;GAAU,MAAM,SAAS;EAAa;CAE7G,OAEE,KAAK,MAAM,MAAM,YACf,IAAI,GAAG,cACL,OAAO;EAAE,QAAQ,GAAG;EAAQ,QAAQ,GAAG;EAAQ,QAAQ,GAAG;EAAU,MAAM,GAAG;CAAa;CAIhG,OAAO;EACL,QAAQ;EACR,QACE,WAAW,WAAW,IAClB,+BAA+B,OAAO,OAAO,0BAA0B,kBACvE,4BAA4B,WAAW,OAAO,qCAAqC;CAC3F;AACF;;AAGA,SAAS,aACP,UACA,cACA,MACA,KACQ;CACR,MAAM,OAAO,SAAS,UAAU,YAAY;CAC5C,MAAM,QAAkB,CAAC;CAGzB,MAAM,KACJ,GAAG,KAAK,KAAK,KAAK,UAAU,eAAe,IAAI,OAAO,MAAM,IAAI,SAAS,OAAO,IAAI,QAAQ,YAAY,IAAI,MAAM,KAAK,IACzH;CAGA,MAAM,QAAQ,CAAC,GAAG,KAAK,aAAa;CACpC,IAAI,KAAK,mBAAmB,SAAS,GACnC,MAAM,KAAK,aAAa,MAAM,KAAK,IAAI,EAAE,eAAe,KAAK,mBAAmB,KAAK,IAAI,EAAE,EAAE;MAE7F,MAAM,KAAK,aAAa,MAAM,KAAK,IAAI,EAAE,EAAE;CAI7C,KAAK,MAAM,MAAM,cAAc;EAC7B,MAAM,UAAU,GAAG,MAAM,QAAQ,MAAM,EAAE,OAAO,CAAC,CAAC;EAClD,MAAM,QAAQ,GAAG,MAAM;EAEvB,IAAI,CAAC,GAAG,aACN,MAAM,KAAK,KAAK,GAAG,SAAS,yBAAyB,GAAG,OAAO,EAAE;OAC5D,IAAI,GAAG,gBACZ,MAAM,KAAK,KAAK,GAAG,SAAS,IAAI,GAAG,UAAU,KAAK,GAAG,OAAO,IAAI,QAAQ,GAAG,MAAM,gBAAgB;OAEjG,MAAM,KACJ,KAAK,GAAG,SAAS,IAAI,GAAG,UAAU,qCAAqC,GAAG,OAAO,MAAM,MAAM,kBAC/F;CAEJ;CAGA,MAAM,KAAK,aAAa,SAAS,QAAQ;CAEzC,OAAO,MAAM,KAAK,IAAI;AACxB;;;;;;;;;;;;;;;;ACnJA,SAAgB,WAAW,GAAmB;CAC5C,OAAO,EACJ,QAAQ,MAAM,OAAO,CAAC,CACtB,QAAQ,MAAM,MAAM,CAAC,CACrB,QAAQ,MAAM,MAAM,CAAC,CACrB,QAAQ,MAAM,QAAQ,CAAC,CACvB,QAAQ,MAAM,OAAO;AAC1B"}