{"version":3,"sources":["../src/events.ts","../src/server.ts","../src/http/app.ts","../src/http/identity.ts","../src/http/parsing.ts","../src/http/responses.ts","../src/integrations.ts","../src/rotation.ts","../src/access-control.ts"],"sourcesContent":["export type KtSecretEvent = {\n  type: 'created' | 'updated' | 'deleted' | 'accessed' | 'expired';\n  secretId: string;\n  tenant: string;\n  timestamp: Date;\n  actor: string;\n  metadata?: Record<string, unknown>;\n};\n\nexport type SecretNotifier = {\n  notify(event: KtSecretEvent): Promise<void>;\n};\n\nexport class WebhookNotifier implements SecretNotifier {\n  constructor(\n    private readonly webhookUrl: string,\n    private readonly headers?: Record<string, string>\n  ) {}\n\n  async notify(event: KtSecretEvent): Promise<void> {\n    try {\n      const response = await fetch(this.webhookUrl, {\n        method: 'POST',\n        headers: {\n          // eslint-disable-next-line @typescript-eslint/naming-convention -- HTTP header name is standardized\n          'Content-Type': 'application/json',\n          ...this.headers,\n        },\n        body: JSON.stringify(event),\n      });\n\n      if (!response.ok) {\n        console.warn(`Webhook notification failed: ${response.status} ${response.statusText}`);\n      }\n    } catch (error) {\n      console.warn('Webhook notification error:', error);\n    }\n  }\n}\n\nexport class CompositeNotifier implements SecretNotifier {\n  constructor(private readonly notifiers: SecretNotifier[]) {}\n\n  async notify(event: KtSecretEvent): Promise<void> {\n    await Promise.allSettled(this.notifiers.map((notifier) => notifier.notify(event)));\n  }\n}\n","import { Command } from 'commander';\n\nimport { buildApp } from './http/app';\nimport type { ServerOptions } from './http/options';\n\nexport { buildApp };\n\nexport function serve(options: ServerOptions): void {\n  const app = buildApp(options);\n  const port = options.port ?? 8080;\n  app.listen(port, () => {\n    console.info(`Secrets server listening on port ${port}`);\n  });\n}\n\nif (require.main === module) {\n  const program = new Command();\n  program\n    .option('--store <path>', 'path to secret store (for file storage)', './data/secrets.json')\n    .option('--audit-log <path>', 'path to audit log', './data/audit.log')\n    .requiredOption('--master-key <value>', 'master key for encryption')\n    .option('--tenant <name>', 'tenant identifier', 'default')\n    .option('--port <number>', 'port to listen on', (value) => parseInt(value, 10), 8080)\n    .option('--storage <type>', 'storage backend (file, s3, gcp, postgres)', 'file')\n    .option('--s3-bucket <bucket>', 'S3 bucket name for S3 storage')\n    .option('--s3-region <region>', 'AWS region for S3 storage')\n    .option('--gcp-bucket <bucket>', 'GCP bucket name for GCP storage')\n    .option('--gcp-project-id <projectId>', 'GCP project ID for GCP storage')\n    .option('--db-connection-string <conn>', 'PostgreSQL connection string for database storage')\n    .option('--webhook-url <url>', 'webhook URL for event notifications');\n\n  program.action((options) => {\n    serve({\n      storePath: options.store,\n      masterKey: options.masterKey,\n      auditLogPath: options.auditLog,\n      tenant: options.tenant,\n      port: options.port,\n      storage: options.storage,\n      s3Bucket: options.s3Bucket,\n      s3Region: options.s3Region,\n      gcpBucket: options.gcpBucket,\n      gcpProjectId: options.gcpProjectId,\n      dbConnectionString: options.dbConnectionString,\n      webhookUrl: options.webhookUrl,\n    });\n  });\n\n  program.parse(process.argv);\n}\n","import express, { type Request, type Response } from 'express';\n\nimport { Identity } from '../domain';\nimport { type SecretNotifier, WebhookNotifier } from '../events';\nimport { SecretManager } from '../manager';\nimport {\n  FileSecretStore,\n  GCPStorageSecretStore,\n  PostgreSQLSecretStore,\n  S3SecretStore,\n  type SecretStore,\n  type SecretStoreConfig,\n} from '../storage';\nimport { createIdentityFromRequest } from './identity';\nimport type { ServerOptions } from './options';\nimport {\n  parseCreateSecretPayload,\n  parseUpdateSecretPayload,\n  requireRouteParameter,\n} from './parsing';\nimport { errorToStatus, sendError } from './responses';\n\ntype AsyncRouteHandler = (request: Request, response: Response) => Promise<void>;\n\nfunction wrapAsync(handler: AsyncRouteHandler): (request: Request, response: Response) => void {\n  return (request: Request, response: Response) => {\n    void handler(request, response);\n  };\n}\n\nfunction createStore(options: ServerOptions, baseConfig: SecretStoreConfig): SecretStore {\n  const storage = options.storage ?? 'file';\n  switch (storage) {\n    case 's3': {\n      if (!options.s3Bucket || !options.s3Region) {\n        throw new Error('S3 bucket and region are required for S3 storage');\n      }\n      return new S3SecretStore({\n        ...baseConfig,\n        bucket: options.s3Bucket,\n        region: options.s3Region,\n      });\n    }\n    case 'gcp': {\n      if (!options.gcpBucket) {\n        throw new Error('GCP bucket is required for GCP storage');\n      }\n      return new GCPStorageSecretStore({\n        ...baseConfig,\n        bucket: options.gcpBucket,\n        ...(options.gcpProjectId ? { projectId: options.gcpProjectId } : {}),\n      });\n    }\n    case 'postgres': {\n      if (!options.dbConnectionString) {\n        throw new Error('Database connection string is required for PostgreSQL storage');\n      }\n      return new PostgreSQLSecretStore({\n        ...baseConfig,\n        connectionString: options.dbConnectionString,\n      });\n    }\n    case 'file': {\n      return new FileSecretStore(options.storePath, baseConfig);\n    }\n  }\n}\n\nfunction createManager(options: ServerOptions): { manager: SecretManager; tenant: string } {\n  const tenant = options.tenant ?? 'default';\n  const baseConfig: SecretStoreConfig = {\n    masterKey: options.masterKey,\n    ...(options.auditLogPath ? { auditLogPath: options.auditLogPath } : {}),\n  };\n\n  const store = createStore(options, baseConfig);\n\n  let eventNotifier: SecretNotifier | undefined;\n  if (options.webhookUrl) {\n    eventNotifier = new WebhookNotifier(options.webhookUrl, options.webhookHeaders);\n  }\n\n  return { manager: new SecretManager(store, eventNotifier), tenant };\n}\n\nconst subjectHeader = 'x-subject';\nconst routeHealth = '/healthz';\nconst routeSecrets = '/secrets';\nconst routeSecretById = '/secrets/:id';\nconst rolesAll = ['admin', 'writer', 'reader'] as const;\n\nfunction registerHealthRoute(app: express.Express): void {\n  app.get(routeHealth, (_request: Request, response: Response) => {\n    response.json({ status: 'ok' });\n  });\n}\n\nfunction registerListSecretsRoute(\n  app: express.Express,\n  manager: SecretManager,\n  identityFromRequest: (request: Request) => Identity\n): void {\n  app.get(\n    routeSecrets,\n    wrapAsync(async (request: Request, response: Response) => {\n      try {\n        const secrets = await manager.listSecrets(identityFromRequest(request));\n        response.json(\n          secrets.map((secret) => ({\n            id: secret.id,\n            name: secret.name,\n            version: secret.latestVersion().version,\n          }))\n        );\n      } catch (error: unknown) {\n        sendError(response, errorToStatus(error, 403), error);\n      }\n    })\n  );\n}\n\nfunction registerGetSecretRoute(\n  app: express.Express,\n  manager: SecretManager,\n  identityFromRequest: (request: Request) => Identity\n): void {\n  app.get(\n    routeSecretById,\n    wrapAsync(async (request: Request, response: Response) => {\n      try {\n        const secretId = requireRouteParameter(request, 'id');\n        const secret = await manager.getSecret(secretId, identityFromRequest(request));\n        response.json({\n          id: secret.id,\n          name: secret.name,\n          version: secret.latestVersion().version,\n          value: secret.latestVersion().value,\n        });\n      } catch (error: unknown) {\n        sendError(response, errorToStatus(error, 403), error);\n      }\n    })\n  );\n}\n\nfunction registerCreateSecretRoute(\n  app: express.Express,\n  manager: SecretManager,\n  tenant: string\n): void {\n  app.post(\n    routeSecrets,\n    wrapAsync(async (request: Request, response: Response) => {\n      try {\n        const { name, value, description, policy, ttl } = parseCreateSecretPayload(request.body);\n        const actor = new Identity(request.header(subjectHeader) ?? 'http', [...rolesAll], tenant);\n        const secret = await manager.createSecret(\n          name,\n          value,\n          policy,\n          actor,\n          description,\n          undefined,\n          ttl\n        );\n        response.status(201).json({ id: secret.id, version: secret.latestVersion().version });\n      } catch (error: unknown) {\n        sendError(response, errorToStatus(error, 400), error);\n      }\n    })\n  );\n}\n\nfunction registerUpdateSecretRoute(\n  app: express.Express,\n  manager: SecretManager,\n  tenant: string\n): void {\n  app.put(\n    routeSecretById,\n    wrapAsync(async (request: Request, response: Response) => {\n      try {\n        const secretId = requireRouteParameter(request, 'id');\n        const { value, ttl } = parseUpdateSecretPayload(request.body);\n        const actor = new Identity(request.header(subjectHeader) ?? 'http', ['writer'], tenant);\n        const secret = await manager.putSecret(secretId, value, actor, ttl);\n        response.json({ version: secret.latestVersion().version });\n      } catch (error: unknown) {\n        sendError(response, errorToStatus(error, 400), error);\n      }\n    })\n  );\n}\n\nfunction registerDeleteSecretRoute(\n  app: express.Express,\n  manager: SecretManager,\n  tenant: string\n): void {\n  app.delete(\n    routeSecretById,\n    wrapAsync(async (request: Request, response: Response) => {\n      try {\n        const secretId = requireRouteParameter(request, 'id');\n        const actor = new Identity(request.header(subjectHeader) ?? 'http', ['admin'], tenant);\n        await manager.deleteSecret(secretId, actor);\n        response.json({ deleted: secretId });\n      } catch (error: unknown) {\n        sendError(response, errorToStatus(error, 404), error);\n      }\n    })\n  );\n}\n\nfunction registerRoutes(\n  app: express.Express,\n  manager: SecretManager,\n  tenant: string,\n  identityFromRequest: (request: Request) => Identity\n): void {\n  registerHealthRoute(app);\n  registerListSecretsRoute(app, manager, identityFromRequest);\n  registerGetSecretRoute(app, manager, identityFromRequest);\n  registerCreateSecretRoute(app, manager, tenant);\n  registerUpdateSecretRoute(app, manager, tenant);\n  registerDeleteSecretRoute(app, manager, tenant);\n}\n\nexport function buildApp(options: ServerOptions): express.Express {\n  const { manager, tenant } = createManager(options);\n  const app = express();\n  app.use(express.json());\n\n  const identityFromRequest = createIdentityFromRequest(tenant);\n  registerRoutes(app, manager, tenant, identityFromRequest);\n\n  return app;\n}\n","import type { Request } from 'express';\n\nimport { Identity } from '../domain';\n\nexport function createIdentityFromRequest(tenant: string): (request: Request) => Identity {\n  return (request: Request) => {\n    const subject = request.header('x-subject') ?? 'http';\n    const rolesHeader = request.header('x-roles') ?? 'reader';\n    const roles = rolesHeader\n      .split(',')\n      .map((role) => role.trim())\n      .filter(Boolean);\n    return new Identity(subject, roles, tenant);\n  };\n}\n","import type { Request } from 'express';\n\nimport { Policy } from '../domain';\n\ntype PolicyPayload = Partial<{\n  name: unknown;\n  description: unknown;\n  rotationDays: unknown;\n  minLength: unknown;\n  forbidPatterns: unknown;\n  allowedCidrs: unknown;\n}>;\n\ntype SecretCreatePayload = Partial<{\n  name: unknown;\n  value: unknown;\n  description: unknown;\n  policy: unknown;\n  ttl: unknown;\n}>;\n\ntype SecretUpdatePayload = Partial<{\n  value: unknown;\n  ttl: unknown;\n}>;\n\nexport function requireRouteParameter(request: Request, name: string): string {\n  const value = request.params[name];\n  if (typeof value !== 'string' || !value) {\n    throw new Error(`${name} is required`);\n  }\n  return value;\n}\n\nexport function requireStringBodyField(payload: Record<string, unknown>, name: string): string {\n  const value = payload[name];\n  if (typeof value !== 'string' || !value) {\n    throw new Error(`${name} is required`);\n  }\n  return value;\n}\n\nfunction toPolicyPayload(payload: unknown): PolicyPayload {\n  return typeof payload === 'object' && payload !== null ? (payload as PolicyPayload) : {};\n}\n\nexport function parsePolicy(payload: unknown): Policy {\n  const policyPayload = toPolicyPayload(payload);\n  const name = typeof policyPayload.name === 'string' ? policyPayload.name : 'default';\n  const description =\n    typeof policyPayload.description === 'string' ? policyPayload.description : 'created via http';\n  const rotationDays =\n    typeof policyPayload.rotationDays === 'number' ? policyPayload.rotationDays : 90;\n  const minLength = typeof policyPayload.minLength === 'number' ? policyPayload.minLength : 16;\n\n  const forbidPatterns = Array.isArray(policyPayload.forbidPatterns)\n    ? (policyPayload.forbidPatterns.filter((entry) => typeof entry === 'string') as string[])\n    : undefined;\n  const allowedCidrs = Array.isArray(policyPayload.allowedCidrs)\n    ? (policyPayload.allowedCidrs.filter((entry) => typeof entry === 'string') as string[])\n    : undefined;\n\n  return new Policy(name, description, rotationDays, minLength, forbidPatterns, allowedCidrs);\n}\n\nexport function parseCreateSecretPayload(body: unknown): {\n  name: string;\n  value: string;\n  description?: string;\n  policy: Policy;\n  ttl?: number;\n} {\n  const payload: SecretCreatePayload =\n    typeof body === 'object' && body !== null ? (body as SecretCreatePayload) : {};\n  const dictionary = payload as unknown as Record<string, unknown>;\n  const name = requireStringBodyField(dictionary, 'name');\n  const value = requireStringBodyField(dictionary, 'value');\n  const description = typeof payload.description === 'string' ? payload.description : undefined;\n  const policy = parsePolicy(payload.policy);\n  const ttl = typeof payload.ttl === 'number' ? payload.ttl : undefined;\n  return {\n    name,\n    value,\n    ...(typeof description === 'string' ? { description } : {}),\n    policy,\n    ...(typeof ttl === 'number' ? { ttl } : {}),\n  };\n}\n\nexport function parseUpdateSecretPayload(body: unknown): { value: string; ttl?: number } {\n  const payload: SecretUpdatePayload =\n    typeof body === 'object' && body !== null ? (body as SecretUpdatePayload) : {};\n  const dictionary = payload as unknown as Record<string, unknown>;\n  const value = requireStringBodyField(dictionary, 'value');\n  const ttl = typeof payload.ttl === 'number' ? payload.ttl : undefined;\n  return {\n    value,\n    ...(typeof ttl === 'number' ? { ttl } : {}),\n  };\n}\n","import type { Response } from 'express';\n\nexport function sendError(response: Response, status: number, error: unknown): void {\n  const message = error instanceof Error ? error.message : 'unknown error';\n  response.status(status).json({ error: message });\n}\n\nexport function errorToStatus(error: unknown, defaultStatus: number): number {\n  if (!(error instanceof Error)) {\n    return defaultStatus;\n  }\n  if (error.message.includes('not found')) {\n    return 404;\n  }\n  if (error.message.includes('required role') || error.message.includes('Tenant mismatch')) {\n    return 403;\n  }\n  return defaultStatus;\n}\n","import type { Identity, Secret } from './domain';\nimport type { SecretManager } from './manager';\n\nexport type CloudIntegration = {\n  name: string;\n  syncSecretToCloud(secret: Secret, manager: SecretManager, actor: Identity): Promise<void>;\n  validateConfiguration(): Promise<boolean>;\n};\n\nexport class AWSIAMIntegration implements CloudIntegration {\n  name = 'aws-iam';\n\n  constructor(\n    private readonly config: {\n      region: string;\n      accessKeyId?: string;\n      secretAccessKey?: string;\n      roleArn?: string;\n    }\n  ) {}\n\n  syncSecretToCloud(secret: Secret, manager: SecretManager, actor: Identity): Promise<void> {\n    // This would integrate with AWS IAM to create/update user access keys\n    // For now, this is a placeholder implementation\n    console.info(`Syncing secret ${secret.id} to AWS IAM with config:`, this.config);\n    console.info(`Manager and actor:`, { manager: !!manager, actor: actor.subject });\n    return Promise.resolve();\n  }\n\n  validateConfiguration(): Promise<boolean> {\n    // Validate AWS credentials and permissions\n    try {\n      // In real implementation, test AWS API access\n      return Promise.resolve(true);\n    } catch {\n      return Promise.resolve(false);\n    }\n  }\n}\n\nexport class GCPIAMIntegration implements CloudIntegration {\n  name = 'gcp-iam';\n\n  constructor(\n    private readonly config: {\n      projectId?: string;\n      keyFilename?: string;\n      serviceAccountEmail?: string;\n    }\n  ) {}\n\n  syncSecretToCloud(secret: Secret, manager: SecretManager, actor: Identity): Promise<void> {\n    console.info(`Syncing secret ${secret.id} to GCP IAM with config:`, this.config);\n    console.info(`Manager and actor:`, { manager: !!manager, actor: actor.subject });\n    return Promise.resolve();\n  }\n\n  validateConfiguration(): Promise<boolean> {\n    try {\n      // In real implementation, test GCP API access\n      return Promise.resolve(true);\n    } catch {\n      return Promise.resolve(false);\n    }\n  }\n}\n\nexport class KubernetesIntegration implements CloudIntegration {\n  name = 'kubernetes';\n\n  constructor(\n    private readonly config: {\n      kubeconfig?: string;\n      namespace?: string;\n      serviceAccountName?: string;\n    }\n  ) {}\n\n  syncSecretToCloud(secret: Secret, manager: SecretManager, actor: Identity): Promise<void> {\n    console.info(`Syncing secret ${secret.id} to Kubernetes with config:`, this.config);\n    console.info(`Manager and actor:`, { manager: !!manager, actor: actor.subject });\n    return Promise.resolve();\n  }\n\n  validateConfiguration(): Promise<boolean> {\n    try {\n      // In real implementation, test Kubernetes API access\n      return Promise.resolve(true);\n    } catch {\n      return Promise.resolve(false);\n    }\n  }\n}\n\nexport class IntegrationManager {\n  private readonly integrations = new Map<string, CloudIntegration>();\n\n  registerIntegration(integration: CloudIntegration): void {\n    this.integrations.set(integration.name, integration);\n  }\n\n  getIntegration(name: string): CloudIntegration | undefined {\n    return this.integrations.get(name);\n  }\n\n  async syncSecretToCloud(\n    integrationName: string,\n    secret: Secret,\n    manager: SecretManager,\n    actor: Identity\n  ): Promise<void> {\n    const integration = this.integrations.get(integrationName);\n    if (!integration) {\n      throw new Error(`Integration ${integrationName} not found`);\n    }\n\n    await integration.syncSecretToCloud(secret, manager, actor);\n  }\n\n  async validateAllIntegrations(): Promise<{ [name: string]: boolean }> {\n    const results: { [name: string]: boolean } = {};\n\n    for (const [name, integration] of this.integrations) {\n      results[name] = await integration.validateConfiguration();\n    }\n\n    return results;\n  }\n}\n","import type { Identity } from './domain';\nimport type { SecretManager } from './manager';\n\nexport type RotationSchedule = {\n  secretId: string;\n  nextRotation: Date;\n  rotationWindow?: {\n    start: string; // HH:MM format\n    end: string; // HH:MM format\n    timezone: string;\n  };\n  maxRetries: number;\n  retryCount: number;\n  lastRotationAttempt?: Date;\n  lastRotationError?: string;\n};\n\nexport type RotationConfig = {\n  checkIntervalMs: number;\n  maxConcurrentRotations: number;\n  defaultMaxRetries: number;\n  notificationWebhook?: string;\n};\n\nexport class RotationScheduler {\n  private readonly schedules = new Map<string, RotationSchedule>();\n  private intervalId: NodeJS.Timeout | undefined;\n  private isRunning = false;\n\n  constructor(\n    private readonly manager: SecretManager,\n    private readonly config: RotationConfig,\n    private readonly actor: Identity\n  ) {}\n\n  start(): void {\n    if (this.isRunning) {\n      return;\n    }\n\n    this.isRunning = true;\n    this.intervalId = setInterval(() => {\n      void this.checkAndRotateSecrets();\n    }, this.config.checkIntervalMs);\n\n    console.info(`Rotation scheduler started with ${this.config.checkIntervalMs}ms interval`);\n  }\n\n  stop(): void {\n    if (this.intervalId) {\n      clearInterval(this.intervalId);\n      this.intervalId = undefined;\n    }\n    this.isRunning = false;\n    console.info('Rotation scheduler stopped');\n  }\n\n  addSchedule(secretId: string, rotationWindow?: RotationSchedule['rotationWindow']): void {\n    const schedule: RotationSchedule = {\n      secretId,\n      nextRotation: this.calculateNextRotation(),\n      ...(rotationWindow && { rotationWindow }),\n      maxRetries: this.config.defaultMaxRetries,\n      retryCount: 0,\n    };\n    this.schedules.set(secretId, schedule);\n  }\n\n  removeSchedule(secretId: string): void {\n    this.schedules.delete(secretId);\n  }\n\n  getSchedule(secretId: string): RotationSchedule | undefined {\n    return this.schedules.get(secretId);\n  }\n\n  private async checkAndRotateSecrets(): Promise<void> {\n    const now = new Date();\n    const secretsToRotate: RotationSchedule[] = [];\n\n    for (const schedule of this.schedules.values()) {\n      if (this.shouldRotate(schedule, now)) {\n        secretsToRotate.push(schedule);\n      }\n    }\n\n    // Limit concurrent rotations\n    const batch = secretsToRotate.slice(0, this.config.maxConcurrentRotations);\n\n    for (const schedule of batch) {\n      try {\n        await this.rotateSecret(schedule);\n      } catch (error) {\n        console.error(`Failed to rotate secret ${schedule.secretId}:`, error);\n        await this.handleRotationFailure(schedule, error);\n      }\n    }\n  }\n\n  private shouldRotate(schedule: RotationSchedule, now: Date): boolean {\n    if (now < schedule.nextRotation) {\n      return false;\n    }\n\n    // Check rotation window if specified\n    if (schedule.rotationWindow) {\n      const currentTime = now.toLocaleTimeString('en-US', {\n        hour12: false,\n        timeZone: schedule.rotationWindow.timezone,\n      });\n\n      const start = schedule.rotationWindow.start;\n      const end = schedule.rotationWindow.end;\n\n      if (start < end) {\n        // Same day window\n        return currentTime >= start && currentTime <= end;\n      } else {\n        // Overnight window\n        return currentTime >= start || currentTime <= end;\n      }\n    }\n\n    return true;\n  }\n\n  private async rotateSecret(schedule: RotationSchedule): Promise<void> {\n    console.info(`Rotating secret ${schedule.secretId}`);\n\n    await this.manager.rotate(schedule.secretId, this.actor);\n\n    // Update schedule\n    schedule.nextRotation = this.calculateNextRotation();\n    schedule.retryCount = 0;\n    schedule.lastRotationAttempt = new Date();\n    delete schedule.lastRotationError;\n\n    console.info(`Successfully rotated secret ${schedule.secretId}`);\n\n    // Notify success\n    if (this.config.notificationWebhook) {\n      await this.notifyRotationSuccess(schedule);\n    }\n  }\n\n  private async handleRotationFailure(schedule: RotationSchedule, error: unknown): Promise<void> {\n    schedule.retryCount++;\n    schedule.lastRotationAttempt = new Date();\n    schedule.lastRotationError = error instanceof Error ? error.message : String(error);\n\n    if (schedule.retryCount < schedule.maxRetries) {\n      // Exponential backoff\n      const delayMs = 2 ** schedule.retryCount * 60000; // 1min, 2min, 4min, etc.\n      schedule.nextRotation = new Date(Date.now() + delayMs);\n      console.info(`Will retry rotation for secret ${schedule.secretId} in ${delayMs}ms`);\n    } else {\n      console.error(`Max retries exceeded for secret ${schedule.secretId}`);\n      // Notify failure\n      if (this.config.notificationWebhook) {\n        await this.notifyRotationFailure(schedule);\n      }\n    }\n  }\n\n  private calculateNextRotation(): Date {\n    // Default to 90 days from now (can be customized per secret)\n    return new Date(Date.now() + 90 * 24 * 60 * 60 * 1000);\n  }\n\n  private async notifyRotationSuccess(schedule: RotationSchedule): Promise<void> {\n    if (!this.config.notificationWebhook) {\n      return;\n    }\n\n    try {\n      await fetch(this.config.notificationWebhook, {\n        method: 'POST',\n        headers: {\n          // eslint-disable-next-line @typescript-eslint/naming-convention -- HTTP header name is standardized\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          event: 'rotation_success',\n          secretId: schedule.secretId,\n          timestamp: new Date().toISOString(),\n          nextRotation: schedule.nextRotation.toISOString(),\n        }),\n      });\n    } catch (error) {\n      console.error('Failed to send rotation success notification:', error);\n    }\n  }\n\n  private async notifyRotationFailure(schedule: RotationSchedule): Promise<void> {\n    if (!this.config.notificationWebhook) {\n      return;\n    }\n\n    try {\n      await fetch(this.config.notificationWebhook, {\n        method: 'POST',\n        headers: {\n          // eslint-disable-next-line @typescript-eslint/naming-convention -- HTTP header name is standardized\n          'Content-Type': 'application/json',\n        },\n        body: JSON.stringify({\n          event: 'rotation_failure',\n          secretId: schedule.secretId,\n          timestamp: new Date().toISOString(),\n          error: schedule.lastRotationError,\n          retryCount: schedule.retryCount,\n          maxRetries: schedule.maxRetries,\n        }),\n      });\n    } catch (error) {\n      console.error('Failed to send rotation failure notification:', error);\n    }\n  }\n}\n","import type { Identity } from './domain';\n\nexport type AccessConditionValue =\n  | string\n  | number\n  | boolean\n  | null\n  | Date\n  | unknown[]\n  | Record<string, unknown>;\n\nexport type AccessRule = {\n  id: string;\n  resource: string;\n  action: string;\n  conditions: AccessCondition[];\n  effect: 'allow' | 'deny';\n};\n\nexport type AccessCondition = {\n  type: 'time' | 'ip' | 'role' | 'custom';\n  operator: 'equals' | 'in' | 'between' | 'matches';\n  value: AccessConditionValue;\n};\n\nexport type AccessRequest = {\n  subject: string;\n  resource: string;\n  action: string;\n  context: {\n    ip?: string;\n    time?: Date;\n    roles?: string[];\n    custom?: Record<string, unknown>;\n  };\n};\n\nexport class AccessControlManager {\n  private rules: AccessRule[] = [];\n\n  addRule(rule: AccessRule): void {\n    this.rules.push(rule);\n  }\n\n  removeRule(ruleId: string): void {\n    this.rules = this.rules.filter((r) => r.id !== ruleId);\n  }\n\n  evaluateAccess(request: AccessRequest): Promise<boolean> {\n    // Default deny\n    let finalDecision = false;\n\n    for (const rule of this.rules) {\n      if (this.ruleMatches(request, rule)) {\n        if (rule.effect === 'allow') {\n          finalDecision = true;\n        } else if (rule.effect === 'deny') {\n          return Promise.resolve(false); // Explicit deny overrides allow\n        }\n      }\n    }\n\n    return Promise.resolve(finalDecision);\n  }\n\n  private ruleMatches(request: AccessRequest, rule: AccessRule): boolean {\n    // Check resource and action match\n    if (rule.resource !== '*' && rule.resource !== request.resource) {\n      return false;\n    }\n\n    if (rule.action !== '*' && rule.action !== request.action) {\n      return false;\n    }\n\n    // Check all conditions\n    for (const condition of rule.conditions) {\n      if (!this.conditionMatches(request, condition)) {\n        return false;\n      }\n    }\n\n    return true;\n  }\n\n  private conditionMatches(request: AccessRequest, condition: AccessCondition): boolean {\n    const contextValue = this.getContextValue(request, condition.type);\n\n    switch (condition.operator) {\n      case 'equals':\n        return contextValue === condition.value;\n      case 'in':\n        return this.matchesInCondition(condition, contextValue);\n      case 'between':\n        return this.matchesBetweenCondition(condition, contextValue);\n      case 'matches':\n        return this.matchesRegexCondition(condition, contextValue);\n      default:\n        return false;\n    }\n  }\n\n  private matchesInCondition(condition: AccessCondition, contextValue: unknown): boolean {\n    const allowedValues = condition.value;\n    if (!Array.isArray(allowedValues)) {\n      return false;\n    }\n\n    if (condition.type === 'role') {\n      const roles = Array.isArray(contextValue) ? contextValue : [];\n      return roles.some((role) => allowedValues.includes(role));\n    }\n\n    return allowedValues.includes(contextValue);\n  }\n\n  private matchesBetweenCondition(condition: AccessCondition, contextValue: unknown): boolean {\n    const betweenValues = condition.value;\n    if (!Array.isArray(betweenValues) || betweenValues.length !== 2) {\n      return false;\n    }\n    if (\n      typeof betweenValues[0] !== 'number' ||\n      typeof betweenValues[1] !== 'number' ||\n      typeof contextValue !== 'number'\n    ) {\n      return false;\n    }\n    return contextValue >= betweenValues[0] && contextValue <= betweenValues[1];\n  }\n\n  private matchesRegexCondition(condition: AccessCondition, contextValue: unknown): boolean {\n    if (typeof condition.value !== 'string' || typeof contextValue !== 'string') {\n      return false;\n    }\n    // eslint-disable-next-line security/detect-non-literal-regexp -- rule patterns can be configured dynamically\n    const regex = new RegExp(condition.value);\n    return regex.test(contextValue);\n  }\n\n  private getContextValue(request: AccessRequest, type: AccessCondition['type']): unknown {\n    switch (type) {\n      case 'time':\n        return (request.context.time ?? new Date()).getHours();\n      case 'ip':\n        return request.context.ip;\n      case 'role':\n        return request.context.roles ?? [];\n      case 'custom':\n        return request.context.custom;\n      default:\n        return null;\n    }\n  }\n\n  createTimeBasedRule(\n    id: string,\n    resource: string,\n    action: string,\n    startHour: number,\n    endHour: number\n  ): AccessRule {\n    return {\n      id,\n      resource,\n      action,\n      effect: 'allow',\n      conditions: [\n        {\n          type: 'time',\n          operator: 'between',\n          value: [startHour, endHour],\n        },\n      ],\n    };\n  }\n\n  createIPRestrictionRule(\n    id: string,\n    resource: string,\n    action: string,\n    allowedIPs: string[]\n  ): AccessRule {\n    return {\n      id,\n      resource,\n      action,\n      effect: 'allow',\n      conditions: [\n        {\n          type: 'ip',\n          operator: 'in',\n          value: allowedIPs,\n        },\n      ],\n    };\n  }\n\n  createRoleBasedRule(\n    id: string,\n    resource: string,\n    action: string,\n    requiredRoles: string[]\n  ): AccessRule {\n    return {\n      id,\n      resource,\n      action,\n      effect: 'allow',\n      conditions: [\n        {\n          type: 'role',\n          operator: 'in',\n          value: requiredRoles,\n        },\n      ],\n    };\n  }\n\n  listRules(): AccessRule[] {\n    return [...this.rules];\n  }\n}\n\nexport class SessionManager {\n  private readonly sessions: Map<string, Session> = new Map();\n\n  constructor(private readonly sessionTimeoutMs = 3600000) {} // 1 hour default\n\n  createSession(identity: Identity, metadata: Record<string, unknown> = {}): string {\n    const sessionId = this.generateSessionId();\n    const session: Session = {\n      id: sessionId,\n      identity,\n      createdAt: new Date(),\n      lastActivity: new Date(),\n      expiresAt: new Date(Date.now() + this.sessionTimeoutMs),\n      metadata,\n      isActive: true,\n    };\n\n    this.sessions.set(sessionId, session);\n    return sessionId;\n  }\n\n  getSession(sessionId: string): Session | undefined {\n    const session = this.sessions.get(sessionId);\n    if (!session) {\n      return undefined;\n    }\n\n    // Check if session is expired\n    if (session.expiresAt.getTime() < Date.now()) {\n      this.invalidateSession(sessionId);\n      return undefined;\n    }\n\n    // Update last activity\n    session.lastActivity = new Date();\n    return session;\n  }\n\n  extendSession(sessionId: string): boolean {\n    const session = this.sessions.get(sessionId);\n    if (!session?.isActive) {\n      return false;\n    }\n\n    session.expiresAt = new Date(Date.now() + this.sessionTimeoutMs);\n    session.lastActivity = new Date();\n    return true;\n  }\n\n  invalidateSession(sessionId: string): void {\n    const session = this.sessions.get(sessionId);\n    if (session) {\n      session.isActive = false;\n      // Keep session for audit purposes but mark as inactive\n    }\n  }\n\n  cleanupExpiredSessions(): void {\n    const now = Date.now();\n    for (const [sessionId, session] of this.sessions) {\n      if (session.expiresAt.getTime() < now || !session.isActive) {\n        this.sessions.delete(sessionId);\n      }\n    }\n  }\n\n  listActiveSessions(): Session[] {\n    return Array.from(this.sessions.values()).filter((s) => s.isActive);\n  }\n\n  private generateSessionId(): string {\n    return `session_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;\n  }\n}\n\nexport type Session = {\n  id: string;\n  identity: Identity;\n  createdAt: Date;\n  lastActivity: Date;\n  expiresAt: Date;\n  metadata: Record<string, unknown>;\n  isActive: boolean;\n};\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaO,IAAM,kBAAN,MAAgD;AAAA,EACrD,YACmB,YACA,SACjB;AAFiB;AACA;AAAA,EAChB;AAAA,EAEH,MAAM,OAAO,OAAqC;AAChD,QAAI;AACF,YAAM,WAAW,MAAM,MAAM,KAAK,YAAY;AAAA,QAC5C,QAAQ;AAAA,QACR,SAAS;AAAA;AAAA,UAEP,gBAAgB;AAAA,UAChB,GAAG,KAAK;AAAA,QACV;AAAA,QACA,MAAM,KAAK,UAAU,KAAK;AAAA,MAC5B,CAAC;AAED,UAAI,CAAC,SAAS,IAAI;AAChB,gBAAQ,KAAK,gCAAgC,SAAS,MAAM,IAAI,SAAS,UAAU,EAAE;AAAA,MACvF;AAAA,IACF,SAAS,OAAO;AACd,cAAQ,KAAK,+BAA+B,KAAK;AAAA,IACnD;AAAA,EACF;AACF;AAEO,IAAM,oBAAN,MAAkD;AAAA,EACvD,YAA6B,WAA6B;AAA7B;AAAA,EAA8B;AAAA,EAE3D,MAAM,OAAO,OAAqC;AAChD,UAAM,QAAQ,WAAW,KAAK,UAAU,IAAI,CAAC,aAAa,SAAS,OAAO,KAAK,CAAC,CAAC;AAAA,EACnF;AACF;;;AC9CA,SAAS,eAAe;;;ACAxB,OAAO,aAA8C;;;ACI9C,SAAS,0BAA0B,QAAgD;AACxF,SAAO,CAAC,YAAqB;AAC3B,UAAM,UAAU,QAAQ,OAAO,WAAW,KAAK;AAC/C,UAAM,cAAc,QAAQ,OAAO,SAAS,KAAK;AACjD,UAAM,QAAQ,YACX,MAAM,GAAG,EACT,IAAI,CAAC,SAAS,KAAK,KAAK,CAAC,EACzB,OAAO,OAAO;AACjB,WAAO,IAAI,SAAS,SAAS,OAAO,MAAM;AAAA,EAC5C;AACF;;;ACYO,SAAS,sBAAsB,SAAkB,MAAsB;AAC5E,QAAM,QAAQ,QAAQ,OAAO,IAAI;AACjC,MAAI,OAAO,UAAU,YAAY,CAAC,OAAO;AACvC,UAAM,IAAI,MAAM,GAAG,IAAI,cAAc;AAAA,EACvC;AACA,SAAO;AACT;AAEO,SAAS,uBAAuB,SAAkC,MAAsB;AAC7F,QAAM,QAAQ,QAAQ,IAAI;AAC1B,MAAI,OAAO,UAAU,YAAY,CAAC,OAAO;AACvC,UAAM,IAAI,MAAM,GAAG,IAAI,cAAc;AAAA,EACvC;AACA,SAAO;AACT;AAEA,SAAS,gBAAgB,SAAiC;AACxD,SAAO,OAAO,YAAY,YAAY,YAAY,OAAQ,UAA4B,CAAC;AACzF;AAEO,SAAS,YAAY,SAA0B;AACpD,QAAM,gBAAgB,gBAAgB,OAAO;AAC7C,QAAM,OAAO,OAAO,cAAc,SAAS,WAAW,cAAc,OAAO;AAC3E,QAAM,cACJ,OAAO,cAAc,gBAAgB,WAAW,cAAc,cAAc;AAC9E,QAAM,eACJ,OAAO,cAAc,iBAAiB,WAAW,cAAc,eAAe;AAChF,QAAM,YAAY,OAAO,cAAc,cAAc,WAAW,cAAc,YAAY;AAE1F,QAAM,iBAAiB,MAAM,QAAQ,cAAc,cAAc,IAC5D,cAAc,eAAe,OAAO,CAAC,UAAU,OAAO,UAAU,QAAQ,IACzE;AACJ,QAAM,eAAe,MAAM,QAAQ,cAAc,YAAY,IACxD,cAAc,aAAa,OAAO,CAAC,UAAU,OAAO,UAAU,QAAQ,IACvE;AAEJ,SAAO,IAAI,OAAO,MAAM,aAAa,cAAc,WAAW,gBAAgB,YAAY;AAC5F;AAEO,SAAS,yBAAyB,MAMvC;AACA,QAAM,UACJ,OAAO,SAAS,YAAY,SAAS,OAAQ,OAA+B,CAAC;AAC/E,QAAM,aAAa;AACnB,QAAM,OAAO,uBAAuB,YAAY,MAAM;AACtD,QAAM,QAAQ,uBAAuB,YAAY,OAAO;AACxD,QAAM,cAAc,OAAO,QAAQ,gBAAgB,WAAW,QAAQ,cAAc;AACpF,QAAM,SAAS,YAAY,QAAQ,MAAM;AACzC,QAAM,MAAM,OAAO,QAAQ,QAAQ,WAAW,QAAQ,MAAM;AAC5D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,GAAI,OAAO,gBAAgB,WAAW,EAAE,YAAY,IAAI,CAAC;AAAA,IACzD;AAAA,IACA,GAAI,OAAO,QAAQ,WAAW,EAAE,IAAI,IAAI,CAAC;AAAA,EAC3C;AACF;AAEO,SAAS,yBAAyB,MAAgD;AACvF,QAAM,UACJ,OAAO,SAAS,YAAY,SAAS,OAAQ,OAA+B,CAAC;AAC/E,QAAM,aAAa;AACnB,QAAM,QAAQ,uBAAuB,YAAY,OAAO;AACxD,QAAM,MAAM,OAAO,QAAQ,QAAQ,WAAW,QAAQ,MAAM;AAC5D,SAAO;AAAA,IACL;AAAA,IACA,GAAI,OAAO,QAAQ,WAAW,EAAE,IAAI,IAAI,CAAC;AAAA,EAC3C;AACF;;;ACjGO,SAAS,UAAU,UAAoB,QAAgB,OAAsB;AAClF,QAAM,UAAU,iBAAiB,QAAQ,MAAM,UAAU;AACzD,WAAS,OAAO,MAAM,EAAE,KAAK,EAAE,OAAO,QAAQ,CAAC;AACjD;AAEO,SAAS,cAAc,OAAgB,eAA+B;AAC3E,MAAI,EAAE,iBAAiB,QAAQ;AAC7B,WAAO;AAAA,EACT;AACA,MAAI,MAAM,QAAQ,SAAS,WAAW,GAAG;AACvC,WAAO;AAAA,EACT;AACA,MAAI,MAAM,QAAQ,SAAS,eAAe,KAAK,MAAM,QAAQ,SAAS,iBAAiB,GAAG;AACxF,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;AHMA,SAAS,UAAU,SAA4E;AAC7F,SAAO,CAAC,SAAkB,aAAuB;AAC/C,SAAK,QAAQ,SAAS,QAAQ;AAAA,EAChC;AACF;AAEA,SAAS,YAAY,SAAwB,YAA4C;AACvF,QAAM,UAAU,QAAQ,WAAW;AACnC,UAAQ,SAAS;AAAA,IACf,KAAK,MAAM;AACT,UAAI,CAAC,QAAQ,YAAY,CAAC,QAAQ,UAAU;AAC1C,cAAM,IAAI,MAAM,kDAAkD;AAAA,MACpE;AACA,aAAO,IAAI,cAAc;AAAA,QACvB,GAAG;AAAA,QACH,QAAQ,QAAQ;AAAA,QAChB,QAAQ,QAAQ;AAAA,MAClB,CAAC;AAAA,IACH;AAAA,IACA,KAAK,OAAO;AACV,UAAI,CAAC,QAAQ,WAAW;AACtB,cAAM,IAAI,MAAM,wCAAwC;AAAA,MAC1D;AACA,aAAO,IAAI,sBAAsB;AAAA,QAC/B,GAAG;AAAA,QACH,QAAQ,QAAQ;AAAA,QAChB,GAAI,QAAQ,eAAe,EAAE,WAAW,QAAQ,aAAa,IAAI,CAAC;AAAA,MACpE,CAAC;AAAA,IACH;AAAA,IACA,KAAK,YAAY;AACf,UAAI,CAAC,QAAQ,oBAAoB;AAC/B,cAAM,IAAI,MAAM,+DAA+D;AAAA,MACjF;AACA,aAAO,IAAI,sBAAsB;AAAA,QAC/B,GAAG;AAAA,QACH,kBAAkB,QAAQ;AAAA,MAC5B,CAAC;AAAA,IACH;AAAA,IACA,KAAK,QAAQ;AACX,aAAO,IAAI,gBAAgB,QAAQ,WAAW,UAAU;AAAA,IAC1D;AAAA,EACF;AACF;AAEA,SAAS,cAAc,SAAoE;AACzF,QAAM,SAAS,QAAQ,UAAU;AACjC,QAAM,aAAgC;AAAA,IACpC,WAAW,QAAQ;AAAA,IACnB,GAAI,QAAQ,eAAe,EAAE,cAAc,QAAQ,aAAa,IAAI,CAAC;AAAA,EACvE;AAEA,QAAM,QAAQ,YAAY,SAAS,UAAU;AAE7C,MAAI;AACJ,MAAI,QAAQ,YAAY;AACtB,oBAAgB,IAAI,gBAAgB,QAAQ,YAAY,QAAQ,cAAc;AAAA,EAChF;AAEA,SAAO,EAAE,SAAS,IAAI,cAAc,OAAO,aAAa,GAAG,OAAO;AACpE;AAEA,IAAM,gBAAgB;AACtB,IAAM,cAAc;AACpB,IAAM,eAAe;AACrB,IAAM,kBAAkB;AACxB,IAAM,WAAW,CAAC,SAAS,UAAU,QAAQ;AAE7C,SAAS,oBAAoB,KAA4B;AACvD,MAAI,IAAI,aAAa,CAAC,UAAmB,aAAuB;AAC9D,aAAS,KAAK,EAAE,QAAQ,KAAK,CAAC;AAAA,EAChC,CAAC;AACH;AAEA,SAAS,yBACP,KACA,SACA,qBACM;AACN,MAAI;AAAA,IACF;AAAA,IACA,UAAU,OAAO,SAAkB,aAAuB;AACxD,UAAI;AACF,cAAM,UAAU,MAAM,QAAQ,YAAY,oBAAoB,OAAO,CAAC;AACtE,iBAAS;AAAA,UACP,QAAQ,IAAI,CAAC,YAAY;AAAA,YACvB,IAAI,OAAO;AAAA,YACX,MAAM,OAAO;AAAA,YACb,SAAS,OAAO,cAAc,EAAE;AAAA,UAClC,EAAE;AAAA,QACJ;AAAA,MACF,SAAS,OAAgB;AACvB,kBAAU,UAAU,cAAc,OAAO,GAAG,GAAG,KAAK;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,SAAS,uBACP,KACA,SACA,qBACM;AACN,MAAI;AAAA,IACF;AAAA,IACA,UAAU,OAAO,SAAkB,aAAuB;AACxD,UAAI;AACF,cAAM,WAAW,sBAAsB,SAAS,IAAI;AACpD,cAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,oBAAoB,OAAO,CAAC;AAC7E,iBAAS,KAAK;AAAA,UACZ,IAAI,OAAO;AAAA,UACX,MAAM,OAAO;AAAA,UACb,SAAS,OAAO,cAAc,EAAE;AAAA,UAChC,OAAO,OAAO,cAAc,EAAE;AAAA,QAChC,CAAC;AAAA,MACH,SAAS,OAAgB;AACvB,kBAAU,UAAU,cAAc,OAAO,GAAG,GAAG,KAAK;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,SAAS,0BACP,KACA,SACA,QACM;AACN,MAAI;AAAA,IACF;AAAA,IACA,UAAU,OAAO,SAAkB,aAAuB;AACxD,UAAI;AACF,cAAM,EAAE,MAAM,OAAO,aAAa,QAAQ,IAAI,IAAI,yBAAyB,QAAQ,IAAI;AACvF,cAAM,QAAQ,IAAI,SAAS,QAAQ,OAAO,aAAa,KAAK,QAAQ,CAAC,GAAG,QAAQ,GAAG,MAAM;AACzF,cAAM,SAAS,MAAM,QAAQ;AAAA,UAC3B;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,QACF;AACA,iBAAS,OAAO,GAAG,EAAE,KAAK,EAAE,IAAI,OAAO,IAAI,SAAS,OAAO,cAAc,EAAE,QAAQ,CAAC;AAAA,MACtF,SAAS,OAAgB;AACvB,kBAAU,UAAU,cAAc,OAAO,GAAG,GAAG,KAAK;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,SAAS,0BACP,KACA,SACA,QACM;AACN,MAAI;AAAA,IACF;AAAA,IACA,UAAU,OAAO,SAAkB,aAAuB;AACxD,UAAI;AACF,cAAM,WAAW,sBAAsB,SAAS,IAAI;AACpD,cAAM,EAAE,OAAO,IAAI,IAAI,yBAAyB,QAAQ,IAAI;AAC5D,cAAM,QAAQ,IAAI,SAAS,QAAQ,OAAO,aAAa,KAAK,QAAQ,CAAC,QAAQ,GAAG,MAAM;AACtF,cAAM,SAAS,MAAM,QAAQ,UAAU,UAAU,OAAO,OAAO,GAAG;AAClE,iBAAS,KAAK,EAAE,SAAS,OAAO,cAAc,EAAE,QAAQ,CAAC;AAAA,MAC3D,SAAS,OAAgB;AACvB,kBAAU,UAAU,cAAc,OAAO,GAAG,GAAG,KAAK;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,SAAS,0BACP,KACA,SACA,QACM;AACN,MAAI;AAAA,IACF;AAAA,IACA,UAAU,OAAO,SAAkB,aAAuB;AACxD,UAAI;AACF,cAAM,WAAW,sBAAsB,SAAS,IAAI;AACpD,cAAM,QAAQ,IAAI,SAAS,QAAQ,OAAO,aAAa,KAAK,QAAQ,CAAC,OAAO,GAAG,MAAM;AACrF,cAAM,QAAQ,aAAa,UAAU,KAAK;AAC1C,iBAAS,KAAK,EAAE,SAAS,SAAS,CAAC;AAAA,MACrC,SAAS,OAAgB;AACvB,kBAAU,UAAU,cAAc,OAAO,GAAG,GAAG,KAAK;AAAA,MACtD;AAAA,IACF,CAAC;AAAA,EACH;AACF;AAEA,SAAS,eACP,KACA,SACA,QACA,qBACM;AACN,sBAAoB,GAAG;AACvB,2BAAyB,KAAK,SAAS,mBAAmB;AAC1D,yBAAuB,KAAK,SAAS,mBAAmB;AACxD,4BAA0B,KAAK,SAAS,MAAM;AAC9C,4BAA0B,KAAK,SAAS,MAAM;AAC9C,4BAA0B,KAAK,SAAS,MAAM;AAChD;AAEO,SAAS,SAAS,SAAyC;AAChE,QAAM,EAAE,SAAS,OAAO,IAAI,cAAc,OAAO;AACjD,QAAM,MAAM,QAAQ;AACpB,MAAI,IAAI,QAAQ,KAAK,CAAC;AAEtB,QAAM,sBAAsB,0BAA0B,MAAM;AAC5D,iBAAe,KAAK,SAAS,QAAQ,mBAAmB;AAExD,SAAO;AACT;;;ADtOO,SAAS,MAAM,SAA8B;AAClD,QAAM,MAAM,SAAS,OAAO;AAC5B,QAAM,OAAO,QAAQ,QAAQ;AAC7B,MAAI,OAAO,MAAM,MAAM;AACrB,YAAQ,KAAK,oCAAoC,IAAI,EAAE;AAAA,EACzD,CAAC;AACH;AAEA,IAAI,UAAQ,SAAS,QAAQ;AAC3B,QAAM,UAAU,IAAI,QAAQ;AAC5B,UACG,OAAO,kBAAkB,2CAA2C,qBAAqB,EACzF,OAAO,sBAAsB,qBAAqB,kBAAkB,EACpE,eAAe,wBAAwB,2BAA2B,EAClE,OAAO,mBAAmB,qBAAqB,SAAS,EACxD,OAAO,mBAAmB,qBAAqB,CAAC,UAAU,SAAS,OAAO,EAAE,GAAG,IAAI,EACnF,OAAO,oBAAoB,6CAA6C,MAAM,EAC9E,OAAO,wBAAwB,+BAA+B,EAC9D,OAAO,wBAAwB,2BAA2B,EAC1D,OAAO,yBAAyB,iCAAiC,EACjE,OAAO,gCAAgC,gCAAgC,EACvE,OAAO,iCAAiC,mDAAmD,EAC3F,OAAO,uBAAuB,qCAAqC;AAEtE,UAAQ,OAAO,CAAC,YAAY;AAC1B,UAAM;AAAA,MACJ,WAAW,QAAQ;AAAA,MACnB,WAAW,QAAQ;AAAA,MACnB,cAAc,QAAQ;AAAA,MACtB,QAAQ,QAAQ;AAAA,MAChB,MAAM,QAAQ;AAAA,MACd,SAAS,QAAQ;AAAA,MACjB,UAAU,QAAQ;AAAA,MAClB,UAAU,QAAQ;AAAA,MAClB,WAAW,QAAQ;AAAA,MACnB,cAAc,QAAQ;AAAA,MACtB,oBAAoB,QAAQ;AAAA,MAC5B,YAAY,QAAQ;AAAA,IACtB,CAAC;AAAA,EACH,CAAC;AAED,UAAQ,MAAM,QAAQ,IAAI;AAC5B;;;AKxCO,IAAM,oBAAN,MAAoD;AAAA,EAGzD,YACmB,QAMjB;AANiB;AAHnB,gCAAO;AAAA,EASJ;AAAA,EAEH,kBAAkB,QAAgB,SAAwB,OAAgC;AAGxF,YAAQ,KAAK,kBAAkB,OAAO,EAAE,4BAA4B,KAAK,MAAM;AAC/E,YAAQ,KAAK,sBAAsB,EAAE,SAAS,CAAC,CAAC,SAAS,OAAO,MAAM,QAAQ,CAAC;AAC/E,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEA,wBAA0C;AAExC,QAAI;AAEF,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B,QAAQ;AACN,aAAO,QAAQ,QAAQ,KAAK;AAAA,IAC9B;AAAA,EACF;AACF;AAEO,IAAM,oBAAN,MAAoD;AAAA,EAGzD,YACmB,QAKjB;AALiB;AAHnB,gCAAO;AAAA,EAQJ;AAAA,EAEH,kBAAkB,QAAgB,SAAwB,OAAgC;AACxF,YAAQ,KAAK,kBAAkB,OAAO,EAAE,4BAA4B,KAAK,MAAM;AAC/E,YAAQ,KAAK,sBAAsB,EAAE,SAAS,CAAC,CAAC,SAAS,OAAO,MAAM,QAAQ,CAAC;AAC/E,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEA,wBAA0C;AACxC,QAAI;AAEF,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B,QAAQ;AACN,aAAO,QAAQ,QAAQ,KAAK;AAAA,IAC9B;AAAA,EACF;AACF;AAEO,IAAM,wBAAN,MAAwD;AAAA,EAG7D,YACmB,QAKjB;AALiB;AAHnB,gCAAO;AAAA,EAQJ;AAAA,EAEH,kBAAkB,QAAgB,SAAwB,OAAgC;AACxF,YAAQ,KAAK,kBAAkB,OAAO,EAAE,+BAA+B,KAAK,MAAM;AAClF,YAAQ,KAAK,sBAAsB,EAAE,SAAS,CAAC,CAAC,SAAS,OAAO,MAAM,QAAQ,CAAC;AAC/E,WAAO,QAAQ,QAAQ;AAAA,EACzB;AAAA,EAEA,wBAA0C;AACxC,QAAI;AAEF,aAAO,QAAQ,QAAQ,IAAI;AAAA,IAC7B,QAAQ;AACN,aAAO,QAAQ,QAAQ,KAAK;AAAA,IAC9B;AAAA,EACF;AACF;AAEO,IAAM,qBAAN,MAAyB;AAAA,EAAzB;AACL,wBAAiB,gBAAe,oBAAI,IAA8B;AAAA;AAAA,EAElE,oBAAoB,aAAqC;AACvD,SAAK,aAAa,IAAI,YAAY,MAAM,WAAW;AAAA,EACrD;AAAA,EAEA,eAAe,MAA4C;AACzD,WAAO,KAAK,aAAa,IAAI,IAAI;AAAA,EACnC;AAAA,EAEA,MAAM,kBACJ,iBACA,QACA,SACA,OACe;AACf,UAAM,cAAc,KAAK,aAAa,IAAI,eAAe;AACzD,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,MAAM,eAAe,eAAe,YAAY;AAAA,IAC5D;AAEA,UAAM,YAAY,kBAAkB,QAAQ,SAAS,KAAK;AAAA,EAC5D;AAAA,EAEA,MAAM,0BAAgE;AACpE,UAAM,UAAuC,CAAC;AAE9C,eAAW,CAAC,MAAM,WAAW,KAAK,KAAK,cAAc;AACnD,cAAQ,IAAI,IAAI,MAAM,YAAY,sBAAsB;AAAA,IAC1D;AAEA,WAAO;AAAA,EACT;AACF;;;ACxGO,IAAM,oBAAN,MAAwB;AAAA,EAK7B,YACmB,SACA,QACA,OACjB;AAHiB;AACA;AACA;AAPnB,wBAAiB,aAAY,oBAAI,IAA8B;AAC/D,wBAAQ;AACR,wBAAQ,aAAY;AAAA,EAMjB;AAAA,EAEH,QAAc;AACZ,QAAI,KAAK,WAAW;AAClB;AAAA,IACF;AAEA,SAAK,YAAY;AACjB,SAAK,aAAa,YAAY,MAAM;AAClC,WAAK,KAAK,sBAAsB;AAAA,IAClC,GAAG,KAAK,OAAO,eAAe;AAE9B,YAAQ,KAAK,mCAAmC,KAAK,OAAO,eAAe,aAAa;AAAA,EAC1F;AAAA,EAEA,OAAa;AACX,QAAI,KAAK,YAAY;AACnB,oBAAc,KAAK,UAAU;AAC7B,WAAK,aAAa;AAAA,IACpB;AACA,SAAK,YAAY;AACjB,YAAQ,KAAK,4BAA4B;AAAA,EAC3C;AAAA,EAEA,YAAY,UAAkB,gBAA2D;AACvF,UAAM,WAA6B;AAAA,MACjC;AAAA,MACA,cAAc,KAAK,sBAAsB;AAAA,MACzC,GAAI,kBAAkB,EAAE,eAAe;AAAA,MACvC,YAAY,KAAK,OAAO;AAAA,MACxB,YAAY;AAAA,IACd;AACA,SAAK,UAAU,IAAI,UAAU,QAAQ;AAAA,EACvC;AAAA,EAEA,eAAe,UAAwB;AACrC,SAAK,UAAU,OAAO,QAAQ;AAAA,EAChC;AAAA,EAEA,YAAY,UAAgD;AAC1D,WAAO,KAAK,UAAU,IAAI,QAAQ;AAAA,EACpC;AAAA,EAEA,MAAc,wBAAuC;AACnD,UAAM,MAAM,oBAAI,KAAK;AACrB,UAAM,kBAAsC,CAAC;AAE7C,eAAW,YAAY,KAAK,UAAU,OAAO,GAAG;AAC9C,UAAI,KAAK,aAAa,UAAU,GAAG,GAAG;AACpC,wBAAgB,KAAK,QAAQ;AAAA,MAC/B;AAAA,IACF;AAGA,UAAM,QAAQ,gBAAgB,MAAM,GAAG,KAAK,OAAO,sBAAsB;AAEzE,eAAW,YAAY,OAAO;AAC5B,UAAI;AACF,cAAM,KAAK,aAAa,QAAQ;AAAA,MAClC,SAAS,OAAO;AACd,gBAAQ,MAAM,2BAA2B,SAAS,QAAQ,KAAK,KAAK;AACpE,cAAM,KAAK,sBAAsB,UAAU,KAAK;AAAA,MAClD;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,aAAa,UAA4B,KAAoB;AACnE,QAAI,MAAM,SAAS,cAAc;AAC/B,aAAO;AAAA,IACT;AAGA,QAAI,SAAS,gBAAgB;AAC3B,YAAM,cAAc,IAAI,mBAAmB,SAAS;AAAA,QAClD,QAAQ;AAAA,QACR,UAAU,SAAS,eAAe;AAAA,MACpC,CAAC;AAED,YAAM,QAAQ,SAAS,eAAe;AACtC,YAAM,MAAM,SAAS,eAAe;AAEpC,UAAI,QAAQ,KAAK;AAEf,eAAO,eAAe,SAAS,eAAe;AAAA,MAChD,OAAO;AAEL,eAAO,eAAe,SAAS,eAAe;AAAA,MAChD;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEA,MAAc,aAAa,UAA2C;AACpE,YAAQ,KAAK,mBAAmB,SAAS,QAAQ,EAAE;AAEnD,UAAM,KAAK,QAAQ,OAAO,SAAS,UAAU,KAAK,KAAK;AAGvD,aAAS,eAAe,KAAK,sBAAsB;AACnD,aAAS,aAAa;AACtB,aAAS,sBAAsB,oBAAI,KAAK;AACxC,WAAO,SAAS;AAEhB,YAAQ,KAAK,+BAA+B,SAAS,QAAQ,EAAE;AAG/D,QAAI,KAAK,OAAO,qBAAqB;AACnC,YAAM,KAAK,sBAAsB,QAAQ;AAAA,IAC3C;AAAA,EACF;AAAA,EAEA,MAAc,sBAAsB,UAA4B,OAA+B;AAC7F,aAAS;AACT,aAAS,sBAAsB,oBAAI,KAAK;AACxC,aAAS,oBAAoB,iBAAiB,QAAQ,MAAM,UAAU,OAAO,KAAK;AAElF,QAAI,SAAS,aAAa,SAAS,YAAY;AAE7C,YAAM,UAAU,KAAK,SAAS,aAAa;AAC3C,eAAS,eAAe,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO;AACrD,cAAQ,KAAK,kCAAkC,SAAS,QAAQ,OAAO,OAAO,IAAI;AAAA,IACpF,OAAO;AACL,cAAQ,MAAM,mCAAmC,SAAS,QAAQ,EAAE;AAEpE,UAAI,KAAK,OAAO,qBAAqB;AACnC,cAAM,KAAK,sBAAsB,QAAQ;AAAA,MAC3C;AAAA,IACF;AAAA,EACF;AAAA,EAEQ,wBAA8B;AAEpC,WAAO,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,KAAK,KAAK,GAAI;AAAA,EACvD;AAAA,EAEA,MAAc,sBAAsB,UAA2C;AAC7E,QAAI,CAAC,KAAK,OAAO,qBAAqB;AACpC;AAAA,IACF;AAEA,QAAI;AACF,YAAM,MAAM,KAAK,OAAO,qBAAqB;AAAA,QAC3C,QAAQ;AAAA,QACR,SAAS;AAAA;AAAA,UAEP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,UAClC,cAAc,SAAS,aAAa,YAAY;AAAA,QAClD,CAAC;AAAA,MACH,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,iDAAiD,KAAK;AAAA,IACtE;AAAA,EACF;AAAA,EAEA,MAAc,sBAAsB,UAA2C;AAC7E,QAAI,CAAC,KAAK,OAAO,qBAAqB;AACpC;AAAA,IACF;AAEA,QAAI;AACF,YAAM,MAAM,KAAK,OAAO,qBAAqB;AAAA,QAC3C,QAAQ;AAAA,QACR,SAAS;AAAA;AAAA,UAEP,gBAAgB;AAAA,QAClB;AAAA,QACA,MAAM,KAAK,UAAU;AAAA,UACnB,OAAO;AAAA,UACP,UAAU,SAAS;AAAA,UACnB,YAAW,oBAAI,KAAK,GAAE,YAAY;AAAA,UAClC,OAAO,SAAS;AAAA,UAChB,YAAY,SAAS;AAAA,UACrB,YAAY,SAAS;AAAA,QACvB,CAAC;AAAA,MACH,CAAC;AAAA,IACH,SAAS,OAAO;AACd,cAAQ,MAAM,iDAAiD,KAAK;AAAA,IACtE;AAAA,EACF;AACF;;;ACrLO,IAAM,uBAAN,MAA2B;AAAA,EAA3B;AACL,wBAAQ,SAAsB,CAAC;AAAA;AAAA,EAE/B,QAAQ,MAAwB;AAC9B,SAAK,MAAM,KAAK,IAAI;AAAA,EACtB;AAAA,EAEA,WAAW,QAAsB;AAC/B,SAAK,QAAQ,KAAK,MAAM,OAAO,CAAC,MAAM,EAAE,OAAO,MAAM;AAAA,EACvD;AAAA,EAEA,eAAe,SAA0C;AAEvD,QAAI,gBAAgB;AAEpB,eAAW,QAAQ,KAAK,OAAO;AAC7B,UAAI,KAAK,YAAY,SAAS,IAAI,GAAG;AACnC,YAAI,KAAK,WAAW,SAAS;AAC3B,0BAAgB;AAAA,QAClB,WAAW,KAAK,WAAW,QAAQ;AACjC,iBAAO,QAAQ,QAAQ,KAAK;AAAA,QAC9B;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,QAAQ,aAAa;AAAA,EACtC;AAAA,EAEQ,YAAY,SAAwB,MAA2B;AAErE,QAAI,KAAK,aAAa,OAAO,KAAK,aAAa,QAAQ,UAAU;AAC/D,aAAO;AAAA,IACT;AAEA,QAAI,KAAK,WAAW,OAAO,KAAK,WAAW,QAAQ,QAAQ;AACzD,aAAO;AAAA,IACT;AAGA,eAAW,aAAa,KAAK,YAAY;AACvC,UAAI,CAAC,KAAK,iBAAiB,SAAS,SAAS,GAAG;AAC9C,eAAO;AAAA,MACT;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA,EAEQ,iBAAiB,SAAwB,WAAqC;AACpF,UAAM,eAAe,KAAK,gBAAgB,SAAS,UAAU,IAAI;AAEjE,YAAQ,UAAU,UAAU;AAAA,MAC1B,KAAK;AACH,eAAO,iBAAiB,UAAU;AAAA,MACpC,KAAK;AACH,eAAO,KAAK,mBAAmB,WAAW,YAAY;AAAA,MACxD,KAAK;AACH,eAAO,KAAK,wBAAwB,WAAW,YAAY;AAAA,MAC7D,KAAK;AACH,eAAO,KAAK,sBAAsB,WAAW,YAAY;AAAA,MAC3D;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA,EAEQ,mBAAmB,WAA4B,cAAgC;AACrF,UAAM,gBAAgB,UAAU;AAChC,QAAI,CAAC,MAAM,QAAQ,aAAa,GAAG;AACjC,aAAO;AAAA,IACT;AAEA,QAAI,UAAU,SAAS,QAAQ;AAC7B,YAAM,QAAQ,MAAM,QAAQ,YAAY,IAAI,eAAe,CAAC;AAC5D,aAAO,MAAM,KAAK,CAAC,SAAS,cAAc,SAAS,IAAI,CAAC;AAAA,IAC1D;AAEA,WAAO,cAAc,SAAS,YAAY;AAAA,EAC5C;AAAA,EAEQ,wBAAwB,WAA4B,cAAgC;AAC1F,UAAM,gBAAgB,UAAU;AAChC,QAAI,CAAC,MAAM,QAAQ,aAAa,KAAK,cAAc,WAAW,GAAG;AAC/D,aAAO;AAAA,IACT;AACA,QACE,OAAO,cAAc,CAAC,MAAM,YAC5B,OAAO,cAAc,CAAC,MAAM,YAC5B,OAAO,iBAAiB,UACxB;AACA,aAAO;AAAA,IACT;AACA,WAAO,gBAAgB,cAAc,CAAC,KAAK,gBAAgB,cAAc,CAAC;AAAA,EAC5E;AAAA,EAEQ,sBAAsB,WAA4B,cAAgC;AACxF,QAAI,OAAO,UAAU,UAAU,YAAY,OAAO,iBAAiB,UAAU;AAC3E,aAAO;AAAA,IACT;AAEA,UAAM,QAAQ,IAAI,OAAO,UAAU,KAAK;AACxC,WAAO,MAAM,KAAK,YAAY;AAAA,EAChC;AAAA,EAEQ,gBAAgB,SAAwB,MAAwC;AACtF,YAAQ,MAAM;AAAA,MACZ,KAAK;AACH,gBAAQ,QAAQ,QAAQ,QAAQ,oBAAI,KAAK,GAAG,SAAS;AAAA,MACvD,KAAK;AACH,eAAO,QAAQ,QAAQ;AAAA,MACzB,KAAK;AACH,eAAO,QAAQ,QAAQ,SAAS,CAAC;AAAA,MACnC,KAAK;AACH,eAAO,QAAQ,QAAQ;AAAA,MACzB;AACE,eAAO;AAAA,IACX;AAAA,EACF;AAAA,EAEA,oBACE,IACA,UACA,QACA,WACA,SACY;AACZ,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,YAAY;AAAA,QACV;AAAA,UACE,MAAM;AAAA,UACN,UAAU;AAAA,UACV,OAAO,CAAC,WAAW,OAAO;AAAA,QAC5B;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,wBACE,IACA,UACA,QACA,YACY;AACZ,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,YAAY;AAAA,QACV;AAAA,UACE,MAAM;AAAA,UACN,UAAU;AAAA,UACV,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,oBACE,IACA,UACA,QACA,eACY;AACZ,WAAO;AAAA,MACL;AAAA,MACA;AAAA,MACA;AAAA,MACA,QAAQ;AAAA,MACR,YAAY;AAAA,QACV;AAAA,UACE,MAAM;AAAA,UACN,UAAU;AAAA,UACV,OAAO;AAAA,QACT;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,YAA0B;AACxB,WAAO,CAAC,GAAG,KAAK,KAAK;AAAA,EACvB;AACF;AAEO,IAAM,iBAAN,MAAqB;AAAA,EAG1B,YAA6B,mBAAmB,MAAS;AAA5B;AAF7B,wBAAiB,YAAiC,oBAAI,IAAI;AAAA,EAEA;AAAA;AAAA,EAE1D,cAAc,UAAoB,WAAoC,CAAC,GAAW;AAChF,UAAM,YAAY,KAAK,kBAAkB;AACzC,UAAM,UAAmB;AAAA,MACvB,IAAI;AAAA,MACJ;AAAA,MACA,WAAW,oBAAI,KAAK;AAAA,MACpB,cAAc,oBAAI,KAAK;AAAA,MACvB,WAAW,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,gBAAgB;AAAA,MACtD;AAAA,MACA,UAAU;AAAA,IACZ;AAEA,SAAK,SAAS,IAAI,WAAW,OAAO;AACpC,WAAO;AAAA,EACT;AAAA,EAEA,WAAW,WAAwC;AACjD,UAAM,UAAU,KAAK,SAAS,IAAI,SAAS;AAC3C,QAAI,CAAC,SAAS;AACZ,aAAO;AAAA,IACT;AAGA,QAAI,QAAQ,UAAU,QAAQ,IAAI,KAAK,IAAI,GAAG;AAC5C,WAAK,kBAAkB,SAAS;AAChC,aAAO;AAAA,IACT;AAGA,YAAQ,eAAe,oBAAI,KAAK;AAChC,WAAO;AAAA,EACT;AAAA,EAEA,cAAc,WAA4B;AACxC,UAAM,UAAU,KAAK,SAAS,IAAI,SAAS;AAC3C,QAAI,CAAC,SAAS,UAAU;AACtB,aAAO;AAAA,IACT;AAEA,YAAQ,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,gBAAgB;AAC/D,YAAQ,eAAe,oBAAI,KAAK;AAChC,WAAO;AAAA,EACT;AAAA,EAEA,kBAAkB,WAAyB;AACzC,UAAM,UAAU,KAAK,SAAS,IAAI,SAAS;AAC3C,QAAI,SAAS;AACX,cAAQ,WAAW;AAAA,IAErB;AAAA,EACF;AAAA,EAEA,yBAA+B;AAC7B,UAAM,MAAM,KAAK,IAAI;AACrB,eAAW,CAAC,WAAW,OAAO,KAAK,KAAK,UAAU;AAChD,UAAI,QAAQ,UAAU,QAAQ,IAAI,OAAO,CAAC,QAAQ,UAAU;AAC1D,aAAK,SAAS,OAAO,SAAS;AAAA,MAChC;AAAA,IACF;AAAA,EACF;AAAA,EAEA,qBAAgC;AAC9B,WAAO,MAAM,KAAK,KAAK,SAAS,OAAO,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,QAAQ;AAAA,EACpE;AAAA,EAEQ,oBAA4B;AAClC,WAAO,WAAW,KAAK,IAAI,CAAC,IAAI,KAAK,OAAO,EAAE,SAAS,EAAE,EAAE,OAAO,GAAG,CAAC,CAAC;AAAA,EACzE;AACF;","names":[]}