{"version":3,"file":"index.cjs","names":["IAM_METHOD_ACTION_MAP","iamDefaultCsrfCheck","iamRunAdminAuthz","iamWithAdminAudit"],"sources":["../../../src/server/next/index.ts"],"sourcesContent":["/**\n * IamNext.js App Router server-side integration.\n *\n * Covers:\n *   - API route wrappers (Route Handlers)\n *   - Server Component helpers\n *   - IamNext.js Middleware integration\n *   - Permission map generation for client hydration\n */\n\nimport type { IamEngine } from '../../core'\nimport type { AccessControl, IamClient, IamRequest } from '../../core/types'\nimport {\n  IAM_METHOD_ACTION_MAP,\n  type IamAdminAudit,\n  iamDefaultCsrfCheck,\n  iamNoticeCsrfDefaultIfNeeded,\n  iamRunAdminAuthz,\n  iamWithAdminAudit,\n} from '../generic'\n\n/** IamNext.js route handler context with params. */\ntype RouteContext = { params: Promise<Record<string, string>> | Record<string, string> }\n/** IamNext.js App Router route handler signature. */\ntype RouteHandler = (req: Request, ctx: RouteContext) => Promise<Response>\n\n/** IamNext.js server integration types. Type-only namespace - zero bundle cost. */\nexport namespace IamNext {\n  /**\n   * Describes options for {@link withIamAccess}.\n   *\n   * Every extractor has a sensible default.\n   *\n   * @template TScope - Constrains valid scope strings.\n   */\n  export interface IWithAccessOptions<TScope extends string = string> {\n    /** Extracts the current user ID from the request. */\n    getUserId?: (req: Request) => string | null | Promise<string | null>\n    /** Extracts environment context (IP, user-agent, etc.) from the request. */\n    getEnvironment?: (req: Request) => IamRequest.IEnvironment\n    /** Applies a scope to the access check. */\n    scope?: TScope\n    /** Handles thrown errors during evaluation (defaults to 500 JSON). */\n    onError?: (err: Error, req: Request) => Response\n  }\n\n  /**\n   * Describes options for {@link createIamNextMiddleware}.\n   *\n   * `rules` and `getUserId` are required.\n   *\n   * @template TAction - Constrains valid action strings.\n   * @template TResource - Constrains valid resource strings.\n   * @template TScope - Constrains valid scope strings.\n   */\n  export interface IMiddlewareOptions<\n    TAction extends string = string,\n    TResource extends string = string,\n    TScope extends string = string,\n  > {\n    /** Maps URL patterns to required permissions. */\n    rules: Array<{\n      /** Specifies the regex or string prefix used to match the path. */\n      pattern: string | RegExp\n      /** Specifies the required action; inferred from HTTP method when omitted. */\n      action?: TAction\n      /** Specifies the resource type for this route. */\n      resource: TResource\n      /** Optional scope applied to the check. */\n      scope?: TScope\n    }>\n    /** Extracts the current user ID from the request. */\n    getUserId: (req: Request) => string | null | Promise<string | null>\n    /** Handles thrown errors during evaluation (defaults to 500 JSON). */\n    onError?: (err: Error, req: Request) => Response\n  }\n\n  /**\n   * Required guard callback for admin Route Handlers.\n   *\n   * Same threat model as the IamExpress `adminRouter`: any handler that writes\n   * policies or roles must be gated.\n   */\n  export type IAdminAuthorize = (req: Request) => boolean | Promise<boolean>\n\n  /** Describes options for {@link createIamAdminHandlers}. `authorize` is required. */\n  export interface IAdminOptions extends IamAdminAudit.IOptions {\n    /** Required. Runs before every admin handler (read or write). */\n    authorize: IAdminAuthorize\n    /** Overrides the 401 unauthorized response. */\n    onUnauthorized?: (req: Request) => Response\n    /** Overrides the 500 internal error response. */\n    onError?: (err: Error, req: Request) => Response\n    /**\n     * Optional audit hook fired AFTER every mutation handler (PUT/POST/\n     * DELETE/PATCH) completes - success or failure. The hook is\n     * fire-and-forget: a slow or throwing implementation never blocks the\n     * request and can never alter the response. GET handlers do not fire it.\n     *\n     * See {@link IamAdminAudit.IOptions} for additional hardening knobs:\n     * `redactPath`, `onAuditHookError`, and `includeErrorMessage`.\n     */\n    onAdminMutation?: IamAdminAudit.Hook\n  }\n}\n\n/**\n * Wraps a IamNext.js App Router route handler with an access check.\n *\n * Returns 401 when no user is present, 403 when denied, and otherwise invokes\n * the wrapped handler.\n *\n * @template TAction - Constrains valid action strings.\n * @template TResource - Constrains valid resource strings.\n * @template TRole - Constrains valid role strings.\n * @template TScope - Constrains valid scope strings.\n * @param engine - Provides the access engine to consult.\n * @param action - Specifies the action being performed.\n * @param resourceType - Specifies the resource type required for the check.\n * @param handler - Provides the downstream route handler invoked on allow.\n * @param opts - Configures optional extractors and `scope` override.\n * @returns A wrapped route handler.\n * @example\n * ```ts\n * export const DELETE = withIamAccess(engine, 'delete', 'post', async (req, ctx) => {\n *   const { id } = await ctx.params\n *   return Response.json({ deleted: id })\n * })\n * ```\n */\nexport function withIamAccess<\n  TAction extends string = string,\n  TResource extends string = string,\n  TRole extends string = string,\n  TScope extends string = string,\n>(\n  engine: IamEngine<TAction, TResource, TRole, TScope>,\n  action: TAction,\n  resourceType: TResource,\n  handler: RouteHandler,\n  opts: IamNext.IWithAccessOptions<TScope> = {},\n): RouteHandler {\n  // getUserId required; header-derived identity is spoofable.\n  if (!opts.getUserId) {\n    throw new Error(\n      '[@gentleduck/iam:next] opts.getUserId is required - deriving identity from request headers is unsafe. ' +\n        'Wire it from your auth middleware (cookie session, JWT, etc.).',\n    )\n  }\n  const {\n    getUserId,\n    getEnvironment = (req) => ({\n      ip: req.headers.get('x-forwarded-for') ?? undefined,\n      userAgent: req.headers.get('user-agent') ?? undefined,\n      timestamp: Date.now(),\n    }),\n    scope,\n    onError = () => Response.json({ error: 'Internal server error' }, { status: 500 }),\n  } = opts\n\n  return async (req, ctx) => {\n    const userId = await getUserId(req)\n    if (!userId) {\n      return Response.json({ error: 'Unauthorized' }, { status: 401 })\n    }\n\n    try {\n      const params = ctx.params instanceof Promise ? await ctx.params : ctx.params\n      const resourceId = params?.id\n\n      const allowed = await engine.can(\n        userId,\n        action,\n        { type: resourceType, id: resourceId, attributes: {} },\n        getEnvironment(req),\n        scope,\n      )\n\n      if (!allowed) {\n        return Response.json({ error: 'Forbidden' }, { status: 403 })\n      }\n\n      return handler(req, ctx)\n    } catch (err) {\n      return onError(err instanceof Error ? err : new Error(String(err)), req)\n    }\n  }\n}\n\n/**\n * Returns whether `subjectId` can perform `(action, resourceType)`.\n *\n * Designed for use inside Server Components or server actions.\n *\n * @template TAction - Constrains valid action strings.\n * @template TResource - Constrains valid resource strings.\n * @template TRole - Constrains valid role strings.\n * @template TScope - Constrains valid scope strings.\n * @param engine - Provides the access engine to consult.\n * @param subjectId - Identifies the subject performing the action.\n * @param action - Specifies the action being performed.\n * @param resourceType - Specifies the resource type required for the check.\n * @param resourceId - Optional resource instance ID.\n * @param scope - Optional scope constraint.\n * @returns Resolves to `true` when allowed and `false` otherwise.\n */\nexport async function checkIamAccess<\n  TAction extends string = string,\n  TResource extends string = string,\n  TRole extends string = string,\n  TScope extends string = string,\n>(\n  engine: IamEngine<TAction, TResource, TRole, TScope>,\n  subjectId: string,\n  action: TAction,\n  resourceType: TResource,\n  resourceId?: string,\n  scope?: TScope,\n): Promise<boolean> {\n  return engine.can(\n    subjectId,\n    action,\n    {\n      type: resourceType,\n      id: resourceId,\n      attributes: {},\n    },\n    undefined,\n    scope,\n  )\n}\n\n/**\n * Builds a {@link IamClient.PermissionMap} for a Server Component or layout.\n *\n * Pass the result to the React `AccessProvider` on the client side.\n *\n * @template TAction - Constrains valid action strings.\n * @template TResource - Constrains valid resource strings.\n * @template TRole - Constrains valid role strings.\n * @template TScope - Constrains valid scope strings.\n * @param engine - Provides the access engine to consult.\n * @param subjectId - Identifies the subject whose permissions are computed.\n * @param checks - Lists the permission tuples to evaluate.\n * @returns A permission map keyed by `(action, resource, scope)` tuple.\n */\nexport async function getIamPermissions<\n  TAction extends string = string,\n  TResource extends string = string,\n  TRole extends string = string,\n  TScope extends string = string,\n>(\n  engine: IamEngine<TAction, TResource, TRole, TScope>,\n  subjectId: string,\n  checks: readonly IamClient.IPermissionCheck<TAction, TResource, TScope>[],\n): Promise<IamClient.PermissionMap<TAction, TResource, TScope>> {\n  return engine.permissions(subjectId, checks)\n}\n\n/**\n * Builds a IamNext.js Edge Middleware matcher that protects routes by a list of\n * pattern-keyed rules.\n *\n * Returns `null` when the request passes or no rule matches; otherwise returns\n * a `Response` (401/403/500).\n *\n * @template TAction - Constrains valid action strings.\n * @template TResource - Constrains valid resource strings.\n * @template TRole - Constrains valid role strings.\n * @template TScope - Constrains valid scope strings.\n * @param engine - Provides the access engine to consult.\n * @param opts - Provides the rule list, user extractor, and optional error handler.\n * @returns An `async (req) => Response | null` suitable for use inside `middleware.ts`.\n * @example\n * ```ts\n * // NEVER trust user-supplied headers for identity. Derive from a verified\n * // source: cookie session, JWT, or your auth library.\n * const mw = createIamNextMiddleware(engine, {\n *   rules: [{ pattern: '/admin', resource: 'admin' }],\n *   getUserId: async (req) => {\n *     const session = await getServerSession(req)\n *     return session?.user?.id ?? null\n *   },\n * })\n * export const middleware = async (req: Request) => (await mw(req)) ?? NextResponse.next()\n * ```\n */\nexport function createIamNextMiddleware<\n  TAction extends string = string,\n  TResource extends string = string,\n  TRole extends string = string,\n  TScope extends string = string,\n>(engine: IamEngine<TAction, TResource, TRole, TScope>, opts: IamNext.IMiddlewareOptions<TAction, TResource, TScope>) {\n  const { onError = () => Response.json({ error: 'Internal server error' }, { status: 500 }) } = opts\n\n  return async (req: Request): Promise<Response | null> => {\n    const url = new URL(req.url)\n    const path = url.pathname\n\n    const matchedRule = opts.rules.find((r) => {\n      if (typeof r.pattern === 'string') {\n        return path.startsWith(r.pattern)\n      }\n      return r.pattern.test(path)\n    })\n\n    if (!matchedRule) return null\n\n    const userId = await opts.getUserId(req)\n    if (!userId) {\n      return Response.json({ error: 'Unauthorized' }, { status: 401 })\n    }\n\n    try {\n      const action = matchedRule.action ?? (IAM_METHOD_ACTION_MAP[req.method] as TAction) ?? ('read' as TAction)\n\n      const allowed = await engine.can(\n        userId,\n        action,\n        {\n          type: matchedRule.resource,\n          attributes: {},\n        },\n        undefined,\n        matchedRule.scope,\n      )\n\n      if (!allowed) {\n        return Response.json({ error: 'Forbidden' }, { status: 403 })\n      }\n\n      return null\n    } catch (err) {\n      return onError(err instanceof Error ? err : new Error(String(err)), req)\n    }\n  }\n}\n\n/**\n * Builds pre-bound admin Route Handlers for IamNext.js App Router.\n *\n * Every handler runs `authorize(req)` first; failure replies 401. Throws at\n * construction time when `opts.authorize` is missing.\n *\n * @template TAction - Constrains valid action strings.\n * @template TResource - Constrains valid resource strings.\n * @template TRole - Constrains valid role strings.\n * @template TScope - Constrains valid scope strings.\n * @param engine - Provides the access engine whose `admin` operations are exposed.\n * @param opts - Must include `authorize`.\n * @returns Object with `listPolicies`, `listRoles`, `savePolicy`, `saveRole`, `assignRole`, `revokeRole`.\n * @throws Error when `opts.authorize` is not a function.\n * @example\n * ```ts\n * // app/api/admin/policies/route.ts\n * const h = createIamAdminHandlers(engine, {\n *   authorize: (req) => isAdminToken(req),\n *   onAdminMutation: (e) => auditLog.write(e),\n * })\n * export const GET = h.listPolicies\n * export const PUT = h.savePolicy\n * ```\n * @example\n * Rate limiting is out of scope; compose at the framework layer with the\n * caller's middleware of choice. Pseudocode:\n * ```ts\n * // middleware.ts\n * export const middleware = async (req: Request) => {\n *   if (req.nextUrl.pathname.startsWith('/api/admin/')) {\n *     const blocked = await adminRateLimit(req)\n *     if (blocked) return blocked\n *   }\n * }\n * ```\n */\nexport function createIamAdminHandlers<\n  TAction extends string = string,\n  TResource extends string = string,\n  TRole extends string = string,\n  TScope extends string = string,\n>(engine: IamEngine<TAction, TResource, TRole, TScope>, opts: IamNext.IAdminOptions) {\n  if (!opts || typeof opts.authorize !== 'function') {\n    throw new Error('[@gentleduck/iam] createIamAdminHandlers requires an `authorize` callback.')\n  }\n  const { authorize, onAdminMutation, redactPath, onAuditHookError, includeErrorMessage, csrfCheck } = opts\n  // Default to the built-in Sec-Fetch-Site check; pass `false` to disable.\n  const effectiveCsrfCheck = csrfCheck === false ? null : (csrfCheck ?? iamDefaultCsrfCheck)\n  iamNoticeCsrfDefaultIfNeeded(csrfCheck !== undefined)\n  const onUnauthorized = opts.onUnauthorized ?? (() => Response.json({ error: 'Unauthorized' }, { status: 401 }))\n  const onError = opts.onError ?? (() => Response.json({ error: 'Internal server error' }, { status: 500 }))\n\n  /** Read gate: no audit emission. */\n  const gate =\n    <P>(fn: (req: Request, ctx: { params: Promise<P> | P }) => Promise<Response>) =>\n    async (req: Request, ctx: { params: Promise<P> | P }): Promise<Response> => {\n      try {\n        if (!(await authorize(req))) return onUnauthorized(req)\n        return await fn(req, ctx)\n      } catch (err) {\n        return onError(err instanceof Error ? err : new Error(String(err)), req)\n      }\n    }\n\n  /**\n   * Mutation gate: identical to {@link gate} but emits an `onAdminMutation`\n   * event after the handler resolves or rejects. Uses try/finally so the\n   * hook fires even when the handler throws.\n   */\n  const mutate =\n    <P>(\n      action: IamAdminAudit.Action,\n      target: IamAdminAudit.Target,\n      getTargetId: ((req: Request, params: P) => string | undefined) | undefined,\n      fn: (req: Request, ctx: { params: Promise<P> | P }) => Promise<Response>,\n    ) =>\n    async (req: Request, ctx: { params: Promise<P> | P }): Promise<Response> => {\n      // Shared CSRF + authorize phase.\n      const authz = await iamRunAdminAuthz(req, effectiveCsrfCheck, authorize)\n      if (authz.phase === 'forbidden') return Response.json({ error: 'Forbidden (CSRF check failed)' }, { status: 403 })\n      if (authz.phase === 'unauthorized') return onUnauthorized(req)\n      if (authz.phase === 'error') return onError(authz.error, req)\n      let resolvedParams: P | undefined\n      try {\n        resolvedParams = (ctx.params instanceof Promise ? await ctx.params : ctx.params) as P\n      } catch (err) {\n        return onError(err instanceof Error ? err : new Error(String(err)), req)\n      }\n      let path = ''\n      try {\n        path = new URL(req.url).pathname\n      } catch {\n        path = req.url\n      }\n      try {\n        return await iamWithAdminAudit(\n          {\n            actor: authz.actor,\n            action,\n            target,\n            targetId: resolvedParams !== undefined ? getTargetId?.(req, resolvedParams) : undefined,\n            method: req.method,\n            path,\n            onAdminMutation,\n            redactPath,\n            onAuditHookError,\n            includeErrorMessage,\n          },\n          () => fn(req, { params: resolvedParams as P }),\n        )\n      } catch (err) {\n        return onError(err instanceof Error ? err : new Error(String(err)), req)\n      }\n    }\n\n  return {\n    listPolicies: gate(async () => Response.json(await engine.admin.listPolicies())),\n    listRoles: gate(async () => Response.json(await engine.admin.listRoles())),\n    savePolicy: mutate<Record<string, string>>('replace', 'policy', undefined, async (req) => {\n      const body = (await req.json()) as AccessControl.IPolicy<TAction, TResource, TRole>\n      await engine.admin.savePolicy(body)\n      return Response.json({ ok: true })\n    }),\n    saveRole: mutate<Record<string, string>>('replace', 'role', undefined, async (req) => {\n      const body = (await req.json()) as AccessControl.IRole<TAction, TResource, TRole, TScope>\n      await engine.admin.saveRole(body)\n      return Response.json({ ok: true })\n    }),\n    assignRole: mutate<{ id: string }>(\n      'create',\n      'role-assignment',\n      (_req, params) => params.id,\n      async (req, ctx) => {\n        const params = ctx.params instanceof Promise ? await ctx.params : ctx.params\n        const body = (await req.json()) as { roleId: TRole; scope?: TScope }\n        await engine.admin.assignRole((params as { id: string }).id, body.roleId, body.scope)\n        return Response.json({ ok: true })\n      },\n    ),\n    revokeRole: mutate<{ id: string; roleId: string }>(\n      'delete',\n      'role-assignment',\n      (_req, params) => params.id,\n      async (_req, ctx) => {\n        const params = ctx.params instanceof Promise ? await ctx.params : ctx.params\n        const { id, roleId } = params as { id: string; roleId: string }\n        await engine.admin.revokeRole(id, roleId as TRole)\n        return Response.json({ ok: true })\n      },\n    ),\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkIA,SAAgB,cAMd,QACA,QACA,cACA,SACA,OAA2C,CAAC,GAC9B;CAEd,IAAI,CAAC,KAAK,WACR,MAAM,IAAI,MACR,sKAEF;CAEF,MAAM,EACJ,WACA,kBAAkB,SAAS;EACzB,IAAI,IAAI,QAAQ,IAAI,iBAAiB,KAAK;EAC1C,WAAW,IAAI,QAAQ,IAAI,YAAY,KAAK;EAC5C,WAAW,KAAK,IAAI;CACtB,IACA,OACA,gBAAgB,SAAS,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC,MAC/E;CAEJ,OAAO,OAAO,KAAK,QAAQ;EACzB,MAAM,SAAS,MAAM,UAAU,GAAG;EAClC,IAAI,CAAC,QACH,OAAO,SAAS,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;EAGjE,IAAI;GAEF,MAAM,cADS,IAAI,kBAAkB,UAAU,MAAM,IAAI,SAAS,IAAI,OAC7C,EAAE;GAU3B,IAAI,CAAC,MARiB,OAAO,IAC3B,QACA,QACA;IAAE,MAAM;IAAc,IAAI;IAAY,YAAY,CAAC;GAAE,GACrD,eAAe,GAAG,GAClB,KACF,GAGE,OAAO,SAAS,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;GAG9D,OAAO,QAAQ,KAAK,GAAG;EACzB,SAAS,KAAK;GACZ,OAAO,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG;EACzE;CACF;AACF;;;;;;;;;;;;;;;;;;AAmBA,eAAsB,eAMpB,QACA,WACA,QACA,cACA,YACA,OACkB;CAClB,OAAO,OAAO,IACZ,WACA,QACA;EACE,MAAM;EACN,IAAI;EACJ,YAAY,CAAC;CACf,GACA,QACA,KACF;AACF;;;;;;;;;;;;;;;AAgBA,eAAsB,kBAMpB,QACA,WACA,QAC8D;CAC9D,OAAO,OAAO,YAAY,WAAW,MAAM;AAC7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA8BA,SAAgB,wBAKd,QAAsD,MAA8D;CACpH,MAAM,EAAE,gBAAgB,SAAS,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC,MAAM;CAE/F,OAAO,OAAO,QAA2C;EAEvD,MAAM,OAAO,IADG,IAAI,IAAI,GACT,CAAC,CAAC;EAEjB,MAAM,cAAc,KAAK,MAAM,MAAM,MAAM;GACzC,IAAI,OAAO,EAAE,YAAY,UACvB,OAAO,KAAK,WAAW,EAAE,OAAO;GAElC,OAAO,EAAE,QAAQ,KAAK,IAAI;EAC5B,CAAC;EAED,IAAI,CAAC,aAAa,OAAO;EAEzB,MAAM,SAAS,MAAM,KAAK,UAAU,GAAG;EACvC,IAAI,CAAC,QACH,OAAO,SAAS,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;EAGjE,IAAI;GACF,MAAM,SAAS,YAAY,UAAWA,mDAAsB,IAAI,WAAwB;GAaxF,IAAI,CAAC,MAXiB,OAAO,IAC3B,QACA,QACA;IACE,MAAM,YAAY;IAClB,YAAY,CAAC;GACf,GACA,QACA,YAAY,KACd,GAGE,OAAO,SAAS,KAAK,EAAE,OAAO,YAAY,GAAG,EAAE,QAAQ,IAAI,CAAC;GAG9D,OAAO;EACT,SAAS,KAAK;GACZ,OAAO,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG;EACzE;CACF;AACF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuCA,SAAgB,uBAKd,QAAsD,MAA6B;CACnF,IAAI,CAAC,QAAQ,OAAO,KAAK,cAAc,YACrC,MAAM,IAAI,MAAM,4EAA4E;CAE9F,MAAM,EAAE,WAAW,iBAAiB,YAAY,kBAAkB,qBAAqB,cAAc;CAErG,MAAM,qBAAqB,cAAc,QAAQ,OAAQ,aAAaC;CACtE,0DAA6B,cAAc,MAAS;CACpD,MAAM,iBAAiB,KAAK,yBAAyB,SAAS,KAAK,EAAE,OAAO,eAAe,GAAG,EAAE,QAAQ,IAAI,CAAC;CAC7G,MAAM,UAAU,KAAK,kBAAkB,SAAS,KAAK,EAAE,OAAO,wBAAwB,GAAG,EAAE,QAAQ,IAAI,CAAC;;CAGxG,MAAM,QACA,OACJ,OAAO,KAAc,QAAuD;EAC1E,IAAI;GACF,IAAI,CAAE,MAAM,UAAU,GAAG,GAAI,OAAO,eAAe,GAAG;GACtD,OAAO,MAAM,GAAG,KAAK,GAAG;EAC1B,SAAS,KAAK;GACZ,OAAO,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG;EACzE;CACF;;;;;;CAOF,MAAM,UAEF,QACA,QACA,aACA,OAEF,OAAO,KAAc,QAAuD;EAE1E,MAAM,QAAQ,MAAMC,8CAAiB,KAAK,oBAAoB,SAAS;EACvE,IAAI,MAAM,UAAU,aAAa,OAAO,SAAS,KAAK,EAAE,OAAO,gCAAgC,GAAG,EAAE,QAAQ,IAAI,CAAC;EACjH,IAAI,MAAM,UAAU,gBAAgB,OAAO,eAAe,GAAG;EAC7D,IAAI,MAAM,UAAU,SAAS,OAAO,QAAQ,MAAM,OAAO,GAAG;EAC5D,IAAI;EACJ,IAAI;GACF,iBAAkB,IAAI,kBAAkB,UAAU,MAAM,IAAI,SAAS,IAAI;EAC3E,SAAS,KAAK;GACZ,OAAO,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG;EACzE;EACA,IAAI,OAAO;EACX,IAAI;GACF,OAAO,IAAI,IAAI,IAAI,GAAG,CAAC,CAAC;EAC1B,QAAQ;GACN,OAAO,IAAI;EACb;EACA,IAAI;GACF,OAAO,MAAMC,+CACX;IACE,OAAO,MAAM;IACb;IACA;IACA,UAAU,mBAAmB,SAAY,cAAc,KAAK,cAAc,IAAI;IAC9E,QAAQ,IAAI;IACZ;IACA;IACA;IACA;IACA;GACF,SACM,GAAG,KAAK,EAAE,QAAQ,eAAoB,CAAC,CAC/C;EACF,SAAS,KAAK;GACZ,OAAO,QAAQ,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,GAAG,GAAG;EACzE;CACF;CAEF,OAAO;EACL,cAAc,KAAK,YAAY,SAAS,KAAK,MAAM,OAAO,MAAM,aAAa,CAAC,CAAC;EAC/E,WAAW,KAAK,YAAY,SAAS,KAAK,MAAM,OAAO,MAAM,UAAU,CAAC,CAAC;EACzE,YAAY,OAA+B,WAAW,UAAU,QAAW,OAAO,QAAQ;GACxF,MAAM,OAAQ,MAAM,IAAI,KAAK;GAC7B,MAAM,OAAO,MAAM,WAAW,IAAI;GAClC,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACnC,CAAC;EACD,UAAU,OAA+B,WAAW,QAAQ,QAAW,OAAO,QAAQ;GACpF,MAAM,OAAQ,MAAM,IAAI,KAAK;GAC7B,MAAM,OAAO,MAAM,SAAS,IAAI;GAChC,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACnC,CAAC;EACD,YAAY,OACV,UACA,oBACC,MAAM,WAAW,OAAO,IACzB,OAAO,KAAK,QAAQ;GAClB,MAAM,SAAS,IAAI,kBAAkB,UAAU,MAAM,IAAI,SAAS,IAAI;GACtE,MAAM,OAAQ,MAAM,IAAI,KAAK;GAC7B,MAAM,OAAO,MAAM,WAAY,OAA0B,IAAI,KAAK,QAAQ,KAAK,KAAK;GACpF,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACnC,CACF;EACA,YAAY,OACV,UACA,oBACC,MAAM,WAAW,OAAO,IACzB,OAAO,MAAM,QAAQ;GAEnB,MAAM,EAAE,IAAI,WADG,IAAI,kBAAkB,UAAU,MAAM,IAAI,SAAS,IAAI;GAEtE,MAAM,OAAO,MAAM,WAAW,IAAI,MAAe;GACjD,OAAO,SAAS,KAAK,EAAE,IAAI,KAAK,CAAC;EACnC,CACF;CACF;AACF"}