{"version":3,"sources":["../src/cli/utils/governance/surface.ts","../src/cli/utils/governance/cli-api.ts"],"sourcesContent":["/**\n * Mirror of `GovernanceCallSurface` from the langwatch app\n * (ee/governance/services/auditSurface.ts). Kept as a hand-written\n * type alias rather than imported because the CLI package doesn't\n * pull from the langwatch source tree.\n *\n * The CLI only ever sends \"cli\" — the other values are documented\n * here so the type stays informational + so any future SDK regen\n * targeting governance audit metadata picks up the canonical set.\n */\nexport type GovernanceCallSurface = \"trpc\" | \"hono\" | \"cli\" | \"mcp\";\n\nexport const CLI_SURFACE_HEADER = \"X-LangWatch-Surface\" as const;\nexport const CLI_SURFACE_VALUE: GovernanceCallSurface = \"cli\";\n","/**\n * Thin REST client for governance endpoints used by the\n * `langwatch governance ...` CLI namespace.\n *\n * Two transports live in this file:\n *\n *   1. `/api/auth/cli/governance/*` — CLI-specific read proxies for\n *      activity monitor + status that pre-date the public REST\n *      surface. Read-only.\n *   2. `/api/governance/*` — the public REST contract for\n *      IngestionTemplate CRUD plus the device-session ingestion-key\n *      mint route. The CLI sends `X-LangWatch-Surface: cli` so audit\n *      rows land with `metadata.surface = 'cli'` per @audit-uniform.\n */\n\nimport { type GovernanceConfig } from \"./config\";\nimport type { PlatformToolPolicyMap } from \"./platform-tool-policy\";\nimport {\n  CLI_SURFACE_HEADER,\n  CLI_SURFACE_VALUE,\n} from \"./surface\";\n\nexport interface IngestionSourceSummary {\n  id: string;\n  name: string;\n  sourceType: string;\n  description: string | null;\n  status: string;\n  lastEventAt: string | null;\n  createdAt: string;\n  archivedAt: string | null;\n}\n\nexport interface ActivityEventDetailRow {\n  eventId: string;\n  eventType: string;\n  actor: string;\n  action: string;\n  target: string;\n  costUsd: number;\n  tokensInput: number;\n  tokensOutput: number;\n  eventTimestampIso: string;\n  ingestedAtIso: string;\n  rawPayload: string;\n}\n\nexport interface SourceHealthMetrics {\n  events24h: number;\n  events7d: number;\n  events30d: number;\n  lastSuccessIso: string | null;\n}\n\nexport interface GovernanceSetupState {\n  hasPersonalVKs: boolean;\n  hasRoutingPolicies: boolean;\n  hasIngestionSources: boolean;\n  hasAnomalyRules: boolean;\n  hasRecentActivity: boolean;\n  governanceActive: boolean;\n}\n\nexport class GovernanceCliError extends Error {\n  constructor(\n    public readonly status: number,\n    public readonly code: string,\n    message: string,\n  ) {\n    super(message);\n    this.name = \"GovernanceCliError\";\n  }\n}\n\nexport interface CliApiOptions {\n  fetchImpl?: typeof fetch;\n}\n\nasync function getJSON<T>(\n  cfg: GovernanceConfig,\n  path: string,\n  opts: CliApiOptions = {},\n): Promise<T> {\n  if (!cfg.access_token) {\n    throw new GovernanceCliError(\n      401,\n      \"not_logged_in\",\n      \"Not logged in. Run `langwatch login --device` first.\",\n    );\n  }\n  const url = cfg.control_plane_url.replace(/\\/+$/, \"\") + path;\n  const f = opts.fetchImpl ?? fetch;\n  const res = await f(url, {\n    method: \"GET\",\n    headers: {\n      Authorization: `Bearer ${cfg.access_token}`,\n      Accept: \"application/json\",\n    },\n  });\n  if (res.status === 401) {\n    throw new GovernanceCliError(\n      401,\n      \"unauthorized\",\n      \"Session expired — run `langwatch login --device` again\",\n    );\n  }\n  if (res.status === 402) {\n    const body = (await res.json().catch(() => ({}))) as {\n      error_description?: string;\n      upgrade_url?: string;\n    };\n    const description =\n      body.error_description ?? \"This feature requires an Enterprise plan\";\n    const upgrade = body.upgrade_url\n      ? `\\n\\n  Upgrade your organization at:\\n    ${body.upgrade_url}`\n      : \"\";\n    throw new GovernanceCliError(\n      402,\n      \"payment_required\",\n      `${description}${upgrade}`,\n    );\n  }\n  if (res.status === 404) {\n    const body = (await res.json().catch(() => ({}))) as {\n      error_description?: string;\n    };\n    throw new GovernanceCliError(\n      404,\n      \"not_found\",\n      body.error_description ?? \"Not found\",\n    );\n  }\n  if (!res.ok) {\n    const body = await res.text().catch(() => \"\");\n    throw new GovernanceCliError(\n      res.status,\n      \"other\",\n      `${res.status} ${body.slice(0, 200)}`,\n    );\n  }\n  return (await res.json()) as T;\n}\n\nexport async function listIngestionSources(\n  cfg: GovernanceConfig,\n  options: { includeArchived?: boolean } & CliApiOptions = {},\n): Promise<IngestionSourceSummary[]> {\n  const qs = options.includeArchived ? \"?include_archived=1\" : \"\";\n  const body = await getJSON<{ sources: IngestionSourceSummary[] }>(\n    cfg,\n    `/api/auth/cli/governance/ingest/sources${qs}`,\n    options,\n  );\n  return body.sources;\n}\n\nexport async function getEventsForSource(\n  cfg: GovernanceConfig,\n  sourceId: string,\n  options: { limit?: number; beforeIso?: string } & CliApiOptions = {},\n): Promise<ActivityEventDetailRow[]> {\n  const params = new URLSearchParams();\n  if (options.limit) params.set(\"limit\", String(options.limit));\n  if (options.beforeIso) params.set(\"before_iso\", options.beforeIso);\n  const qs = params.toString() ? `?${params.toString()}` : \"\";\n  const body = await getJSON<{ events: ActivityEventDetailRow[] }>(\n    cfg,\n    `/api/auth/cli/governance/ingest/sources/${encodeURIComponent(\n      sourceId,\n    )}/events${qs}`,\n    options,\n  );\n  return body.events;\n}\n\nexport async function getSourceHealth(\n  cfg: GovernanceConfig,\n  sourceId: string,\n  options: CliApiOptions = {},\n): Promise<{\n  source: { id: string; name: string; status: string };\n  health: SourceHealthMetrics;\n}> {\n  return getJSON(\n    cfg,\n    `/api/auth/cli/governance/ingest/sources/${encodeURIComponent(\n      sourceId,\n    )}/health`,\n    options,\n  );\n}\n\nexport async function getGovernanceStatus(\n  cfg: GovernanceConfig,\n  options: CliApiOptions = {},\n): Promise<{ setup: GovernanceSetupState }> {\n  return getJSON(cfg, `/api/auth/cli/governance/status`, options);\n}\n\n/**\n * A coding assistant the member can run via `langwatch <slug>`. Sourced from\n * the org's published coding_assistant catalog tiles, so the CLI only offers\n * tools the org actually publishes.\n */\nexport interface CliBootstrapTool {\n  slug: string;\n  displayName: string;\n}\n\n/**\n * A model provider the member can mint a personal virtual key for. Sourced\n * from the org's published model_provider catalog tiles. Distinct from a\n * tool: a provider backs a virtual key, a tool is a coding assistant you run.\n */\nexport interface CliBootstrapProvider {\n  name: string;\n  displayName: string;\n  configured: boolean;\n}\n\nexport interface CliBootstrapBudget {\n  monthlyLimitUsd: number | null;\n  monthlyUsedUsd: number;\n  period: string;\n}\n\nexport interface CliBootstrapResponse {\n  /**\n   * Coding assistants the member can run via `langwatch <slug>`. Empty when\n   * the org has published no coding-assistant tiles; the ceremony then falls\n   * back to its built-in default wrapper list. `undefined` on legacy servers\n   * without the field (same fallback).\n   */\n  tools?: CliBootstrapTool[];\n  providers: CliBootstrapProvider[];\n  /**\n   * Provider families (e.g. \"openai\") for which the org has a live, enabled\n   * credential the caller can reach - independent of whether a model_provider\n   * catalog tile was published. This is what the gateway can actually route\n   * through, so the wrapper preflight gates the gateway path on this, NOT on\n   * `providers` (which is the admin-curated mint-your-own-VK catalog).\n   * `undefined` on legacy servers without the field; the wrapper then falls\n   * back to the `providers` tile list for the check.\n   */\n  gatewayProviders?: string[];\n  budget: CliBootstrapBudget;\n  /**\n   * Server-authoritative gateway base URL. Sourced from the backend's\n   * `LW_GATEWAY_BASE_URL` (or its self-hosted/SaaS-aware fallback).\n   * Older self-hosted servers without this field fall back to the\n   * CLI's local config default — so undefined is the legacy shape, not\n   * an error.\n   */\n  gatewayUrl?: string;\n  /**\n   * First org admin's email (by createdAt). Rendered as a mailto in\n   * wrapper preflight failure messages so non-admin users get a real\n   * contact path instead of a vague \"ask your admin\". `null` when the\n   * org has no admin yet; `undefined` on legacy servers without the\n   * field (CLI falls back to a generic line).\n   */\n  adminEmail?: string | null;\n  /**\n   * Per-(org, tool) path policy map (claude/codex/gemini/opencode/cursor\n   * → {allowVk, allowOtelDirect}). The CLI caches this into\n   * `cfg.tool_policies` so the wrapper gates path selection on the org's\n   * admin choices. `undefined` on legacy servers without the field; the\n   * wrapper then falls back to hardcoded defaults.\n   */\n  toolPolicies?: PlatformToolPolicyMap;\n}\n\n/**\n * Fetch the Storyboard Screen 4 ceremony enrichment data —\n * inheritable providers + the user's effective monthly budget.\n *\n * Backend tRPC source: `api.user.cliBootstrap` (Sergey 32cad11ae).\n * REST adapter: `/api/auth/cli/bootstrap` (queued backend follow-up).\n *\n * Graceful degrade: returns null on 404 (older self-hosted server\n * without the REST endpoint) so the CLI ceremony falls back to the\n * basic header + try-it block. Other errors still throw so they can\n * be logged at the call site.\n */\nexport async function getCliBootstrap(\n  cfg: GovernanceConfig,\n  options: CliApiOptions = {},\n): Promise<CliBootstrapResponse | null> {\n  try {\n    return await getJSON<CliBootstrapResponse>(\n      cfg,\n      `/api/auth/cli/bootstrap`,\n      options,\n    );\n  } catch (err) {\n    if (err instanceof GovernanceCliError && err.status === 404) {\n      return null;\n    }\n    throw err;\n  }\n}\n\n// ── Public REST: /api/governance/* ─────────────────────────────────────────\n//\n// IngestionTemplate CRUD Hono routes. Wire shape is snake_case in/out.\n// All mutating calls send X-LangWatch-Surface: cli per @audit-uniform.\n\nexport interface IngestionTemplateRow {\n  id: string;\n  organization_id: string | null;\n  slug: string;\n  source_type: string;\n  display_name: string;\n  description: string | null;\n  icon_asset: string | null;\n  credential_schema: string | null;\n  ottl_rules: string;\n  platform_published: boolean;\n  enabled: boolean;\n}\n\ntype RestMethod = \"GET\" | \"POST\" | \"PATCH\" | \"DELETE\";\n\nasync function requestREST<T>(\n  cfg: GovernanceConfig,\n  method: RestMethod,\n  path: string,\n  options: { body?: unknown; mutating?: boolean } & CliApiOptions = {},\n): Promise<T> {\n  if (!cfg.access_token) {\n    throw new GovernanceCliError(\n      401,\n      \"not_logged_in\",\n      \"Not logged in. Run `langwatch login --device` first.\",\n    );\n  }\n  const url = cfg.control_plane_url.replace(/\\/+$/, \"\") + path;\n  const f = options.fetchImpl ?? fetch;\n  const headers: Record<string, string> = {\n    Authorization: `Bearer ${cfg.access_token}`,\n    Accept: \"application/json\",\n  };\n  if (options.mutating) {\n    headers[CLI_SURFACE_HEADER] = CLI_SURFACE_VALUE;\n  }\n  if (options.body !== undefined) {\n    headers[\"Content-Type\"] = \"application/json\";\n  }\n  const res = await f(url, {\n    method,\n    headers,\n    body: options.body !== undefined ? JSON.stringify(options.body) : undefined,\n  });\n  if (res.status === 204) return undefined as T;\n  if (res.status === 401) {\n    throw new GovernanceCliError(\n      401,\n      \"unauthorized\",\n      \"Session expired — run `langwatch login --device` again\",\n    );\n  }\n  if (res.status === 403) {\n    const body = (await res.json().catch(() => ({}))) as {\n      error?: { message?: string; code?: string };\n    };\n    throw new GovernanceCliError(\n      403,\n      body.error?.code ?? \"forbidden\",\n      body.error?.message ?? \"Forbidden\",\n    );\n  }\n  if (res.status === 404) {\n    const body = (await res.json().catch(() => ({}))) as {\n      error?: { message?: string };\n    };\n    throw new GovernanceCliError(\n      404,\n      \"not_found\",\n      body.error?.message ?? \"Not found\",\n    );\n  }\n  if (!res.ok) {\n    const body = await res.text().catch(() => \"\");\n    throw new GovernanceCliError(\n      res.status,\n      \"other\",\n      `${res.status} ${body.slice(0, 200)}`,\n    );\n  }\n  return (await res.json()) as T;\n}\n\n// Ingestion key minting ------------------------------------------------------\n\n/**\n * Mint a personal-project ingest-only ApiKey (the `sk-lw-<...>` shape)\n * for a wrapped tool. Returns the plaintext key (shown once) plus the\n * OTLP endpoint the caller should point the tool's exporter at.\n *\n * Device-session adapter route under /api/auth/cli/governance/* so the\n * wrapper's auto-mint flow works with the device-session\n * cfg.access_token (lw_at_*). The public REST mounted under\n * createProjectApp rejects Bearer access tokens with 401, so the CLI\n * uses the mirror route, same as the (now-retired) binding flow did.\n */\nexport async function mintIngestionKey(\n  cfg: GovernanceConfig,\n  sourceType: string,\n  options: CliApiOptions = {},\n): Promise<{ token: string; prefix: string; endpoint: string }> {\n  return requestREST<{ token: string; prefix: string; endpoint: string }>(\n    cfg,\n    \"POST\",\n    \"/api/auth/cli/governance/ingestion-key\",\n    { ...options, body: { source_type: sourceType }, mutating: true },\n  );\n}\n\n\n/**\n * Extracts the 16-char lookupId from an ingestion token.\n * Token format: `ik-lw-{16-char lookupId}_{secret}`.\n * Returns the lookupId string, or undefined when the token doesn't match the\n * expected format (older token shapes, malformed cache entries).\n */\nexport function extractLookupIdFromToken(token: string): string | undefined {\n  const match = /^ik-lw-([^_]+)_/.exec(token);\n  return match?.[1];\n}\n\n// Ingestion key listing -------------------------------------------------------\n\n/**\n * Lists all live (non-revoked) personal-project ingestion keys for the\n * caller's org. Used as a cache-liveness preflight (#4755): before reusing a\n * locally cached token, the wrapper calls this to confirm the key is still\n * active. If the server resolves and the cached lookupId is absent → the key\n * was revoked → mint fresh. If the call rejects (offline / older server) →\n * reuse the cache as-is (offline-first fallback).\n */\nexport async function listIngestionKeys(\n  cfg: GovernanceConfig,\n  options: CliApiOptions = {},\n): Promise<{ sourceType: string; lookupId: string }[]> {\n  const body = await requestREST<{\n    keys: Array<{\n      source_type: string;\n      lookup_id: string;\n      ingestion_template_id: string | null;\n    }>;\n  }>(cfg, \"GET\", \"/api/auth/cli/governance/ingestion-keys\", options);\n  return body.keys.map((k) => ({\n    sourceType: k.source_type,\n    lookupId: k.lookup_id,\n  }));\n}\n\n// IngestionTemplate verbs ----------------------------------------------------\n\nexport async function adminListIngestionTemplates(\n  cfg: GovernanceConfig,\n  options: CliApiOptions = {},\n): Promise<IngestionTemplateRow[]> {\n  const body = await requestREST<{ ingestion_templates: IngestionTemplateRow[] }>(\n    cfg,\n    \"GET\",\n    \"/api/governance/ingestion-templates/admin\",\n    options,\n  );\n  return body.ingestion_templates;\n}\n\nexport async function getIngestionTemplate(\n  cfg: GovernanceConfig,\n  id: string,\n  options: CliApiOptions = {},\n): Promise<IngestionTemplateRow> {\n  const body = await requestREST<{ ingestion_template: IngestionTemplateRow }>(\n    cfg,\n    \"GET\",\n    `/api/governance/ingestion-templates/${encodeURIComponent(id)}`,\n    options,\n  );\n  return body.ingestion_template;\n}\n\nexport async function createIngestionTemplate(\n  cfg: GovernanceConfig,\n  input: {\n    source_type: string;\n    display_name: string;\n    description?: string;\n    icon_asset?: string;\n    credential_schema?: \"otlp_token\" | \"static_api_key\" | \"agent_id\" | null;\n    ottl_rules?: string;\n  },\n  options: CliApiOptions = {},\n): Promise<IngestionTemplateRow> {\n  const body = await requestREST<{ ingestion_template: IngestionTemplateRow }>(\n    cfg,\n    \"POST\",\n    \"/api/governance/ingestion-templates\",\n    { ...options, body: input, mutating: true },\n  );\n  return body.ingestion_template;\n}\n\nexport async function updateIngestionTemplateOttlRules(\n  cfg: GovernanceConfig,\n  id: string,\n  ottlRules: string,\n  options: CliApiOptions = {},\n): Promise<IngestionTemplateRow> {\n  const body = await requestREST<{ ingestion_template: IngestionTemplateRow }>(\n    cfg,\n    \"PATCH\",\n    `/api/governance/ingestion-templates/${encodeURIComponent(id)}/ottl-rules`,\n    { ...options, body: { ottl_rules: ottlRules }, mutating: true },\n  );\n  return body.ingestion_template;\n}\n\nexport async function archiveIngestionTemplate(\n  cfg: GovernanceConfig,\n  id: string,\n  options: CliApiOptions = {},\n): Promise<{ ok: true }> {\n  return requestREST<{ ok: true }>(\n    cfg,\n    \"DELETE\",\n    `/api/governance/ingestion-templates/${encodeURIComponent(id)}`,\n    { ...options, mutating: true },\n  );\n}\n\nexport async function cloneIngestionTemplateFromPlatform(\n  cfg: GovernanceConfig,\n  sourceTemplateId: string,\n  options: CliApiOptions = {},\n): Promise<IngestionTemplateRow> {\n  const body = await requestREST<{ ingestion_template: IngestionTemplateRow }>(\n    cfg,\n    \"POST\",\n    \"/api/governance/ingestion-templates/clone-from-platform\",\n    {\n      ...options,\n      body: { source_template_id: sourceTemplateId },\n      mutating: true,\n    },\n  );\n  return body.ingestion_template;\n}\n"],"mappings":";;;;;;AAYO,IAAM,qBAAqB;AAC3B,IAAM,oBAA2C;;;ACkDjD,IAAM,qBAAN,cAAiC,MAAM;AAAA,EAC5C,YACkB,QACA,MAChB,SACA;AACA,UAAM,OAAO;AAJG;AACA;AAIhB,SAAK,OAAO;AAAA,EACd;AACF;AAMA,eAAe,QACb,KACA,MACA,OAAsB,CAAC,GACX;AAlFd;AAmFE,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAM,IAAI,kBAAkB,QAAQ,QAAQ,EAAE,IAAI;AACxD,QAAM,KAAI,UAAK,cAAL,YAAkB;AAC5B,QAAM,MAAM,MAAM,EAAE,KAAK;AAAA,IACvB,QAAQ;AAAA,IACR,SAAS;AAAA,MACP,eAAe,UAAU,IAAI,YAAY;AAAA,MACzC,QAAQ;AAAA,IACV;AAAA,EACF,CAAC;AACD,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACA,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,OAAQ,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAI/C,UAAM,eACJ,UAAK,sBAAL,YAA0B;AAC5B,UAAM,UAAU,KAAK,cACjB;AAAA;AAAA;AAAA,MAA4C,KAAK,WAAW,KAC5D;AACJ,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA,GAAG,WAAW,GAAG,OAAO;AAAA,IAC1B;AAAA,EACF;AACA,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,OAAQ,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAG/C,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,OACA,UAAK,sBAAL,YAA0B;AAAA,IAC5B;AAAA,EACF;AACA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI;AAAA,MACR,IAAI;AAAA,MACJ;AAAA,MACA,GAAG,IAAI,MAAM,IAAI,KAAK,MAAM,GAAG,GAAG,CAAC;AAAA,IACrC;AAAA,EACF;AACA,SAAQ,MAAM,IAAI,KAAK;AACzB;AAEA,eAAsB,qBACpB,KACA,UAAyD,CAAC,GACvB;AACnC,QAAM,KAAK,QAAQ,kBAAkB,wBAAwB;AAC7D,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA,0CAA0C,EAAE;AAAA,IAC5C;AAAA,EACF;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,mBACpB,KACA,UACA,UAAkE,CAAC,GAChC;AACnC,QAAM,SAAS,IAAI,gBAAgB;AACnC,MAAI,QAAQ,MAAO,QAAO,IAAI,SAAS,OAAO,QAAQ,KAAK,CAAC;AAC5D,MAAI,QAAQ,UAAW,QAAO,IAAI,cAAc,QAAQ,SAAS;AACjE,QAAM,KAAK,OAAO,SAAS,IAAI,IAAI,OAAO,SAAS,CAAC,KAAK;AACzD,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA,2CAA2C;AAAA,MACzC;AAAA,IACF,CAAC,UAAU,EAAE;AAAA,IACb;AAAA,EACF;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,gBACpB,KACA,UACA,UAAyB,CAAC,GAIzB;AACD,SAAO;AAAA,IACL;AAAA,IACA,2CAA2C;AAAA,MACzC;AAAA,IACF,CAAC;AAAA,IACD;AAAA,EACF;AACF;AAEA,eAAsB,oBACpB,KACA,UAAyB,CAAC,GACgB;AAC1C,SAAO,QAAQ,KAAK,mCAAmC,OAAO;AAChE;AAuFA,eAAsB,gBACpB,KACA,UAAyB,CAAC,GACY;AACtC,MAAI;AACF,WAAO,MAAM;AAAA,MACX;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF,SAAS,KAAK;AACZ,QAAI,eAAe,sBAAsB,IAAI,WAAW,KAAK;AAC3D,aAAO;AAAA,IACT;AACA,UAAM;AAAA,EACR;AACF;AAuBA,eAAe,YACb,KACA,QACA,MACA,UAAkE,CAAC,GACvD;AAxUd;AAyUE,MAAI,CAAC,IAAI,cAAc;AACrB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACA,QAAM,MAAM,IAAI,kBAAkB,QAAQ,QAAQ,EAAE,IAAI;AACxD,QAAM,KAAI,aAAQ,cAAR,YAAqB;AAC/B,QAAM,UAAkC;AAAA,IACtC,eAAe,UAAU,IAAI,YAAY;AAAA,IACzC,QAAQ;AAAA,EACV;AACA,MAAI,QAAQ,UAAU;AACpB,YAAQ,kBAAkB,IAAI;AAAA,EAChC;AACA,MAAI,QAAQ,SAAS,QAAW;AAC9B,YAAQ,cAAc,IAAI;AAAA,EAC5B;AACA,QAAM,MAAM,MAAM,EAAE,KAAK;AAAA,IACvB;AAAA,IACA;AAAA,IACA,MAAM,QAAQ,SAAS,SAAY,KAAK,UAAU,QAAQ,IAAI,IAAI;AAAA,EACpE,CAAC;AACD,MAAI,IAAI,WAAW,IAAK,QAAO;AAC/B,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACA,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,OAAQ,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAG/C,UAAM,IAAI;AAAA,MACR;AAAA,OACA,gBAAK,UAAL,mBAAY,SAAZ,YAAoB;AAAA,OACpB,gBAAK,UAAL,mBAAY,YAAZ,YAAuB;AAAA,IACzB;AAAA,EACF;AACA,MAAI,IAAI,WAAW,KAAK;AACtB,UAAM,OAAQ,MAAM,IAAI,KAAK,EAAE,MAAM,OAAO,CAAC,EAAE;AAG/C,UAAM,IAAI;AAAA,MACR;AAAA,MACA;AAAA,OACA,gBAAK,UAAL,mBAAY,YAAZ,YAAuB;AAAA,IACzB;AAAA,EACF;AACA,MAAI,CAAC,IAAI,IAAI;AACX,UAAM,OAAO,MAAM,IAAI,KAAK,EAAE,MAAM,MAAM,EAAE;AAC5C,UAAM,IAAI;AAAA,MACR,IAAI;AAAA,MACJ;AAAA,MACA,GAAG,IAAI,MAAM,IAAI,KAAK,MAAM,GAAG,GAAG,CAAC;AAAA,IACrC;AAAA,EACF;AACA,SAAQ,MAAM,IAAI,KAAK;AACzB;AAeA,eAAsB,iBACpB,KACA,YACA,UAAyB,CAAC,GACoC;AAC9D,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA,iCAAK,UAAL,EAAc,MAAM,EAAE,aAAa,WAAW,GAAG,UAAU,KAAK;AAAA,EAClE;AACF;AASO,SAAS,yBAAyB,OAAmC;AAC1E,QAAM,QAAQ,kBAAkB,KAAK,KAAK;AAC1C,SAAO,+BAAQ;AACjB;AAYA,eAAsB,kBACpB,KACA,UAAyB,CAAC,GAC2B;AACrD,QAAM,OAAO,MAAM,YAMhB,KAAK,OAAO,2CAA2C,OAAO;AACjE,SAAO,KAAK,KAAK,IAAI,CAAC,OAAO;AAAA,IAC3B,YAAY,EAAE;AAAA,IACd,UAAU,EAAE;AAAA,EACd,EAAE;AACJ;AAIA,eAAsB,4BACpB,KACA,UAAyB,CAAC,GACO;AACjC,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,qBACpB,KACA,IACA,UAAyB,CAAC,GACK;AAC/B,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,uCAAuC,mBAAmB,EAAE,CAAC;AAAA,IAC7D;AAAA,EACF;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,wBACpB,KACA,OAQA,UAAyB,CAAC,GACK;AAC/B,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA,iCAAK,UAAL,EAAc,MAAM,OAAO,UAAU,KAAK;AAAA,EAC5C;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,iCACpB,KACA,IACA,WACA,UAAyB,CAAC,GACK;AAC/B,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA,uCAAuC,mBAAmB,EAAE,CAAC;AAAA,IAC7D,iCAAK,UAAL,EAAc,MAAM,EAAE,YAAY,UAAU,GAAG,UAAU,KAAK;AAAA,EAChE;AACA,SAAO,KAAK;AACd;AAEA,eAAsB,yBACpB,KACA,IACA,UAAyB,CAAC,GACH;AACvB,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,uCAAuC,mBAAmB,EAAE,CAAC;AAAA,IAC7D,iCAAK,UAAL,EAAc,UAAU,KAAK;AAAA,EAC/B;AACF;AAEA,eAAsB,mCACpB,KACA,kBACA,UAAyB,CAAC,GACK;AAC/B,QAAM,OAAO,MAAM;AAAA,IACjB;AAAA,IACA;AAAA,IACA;AAAA,IACA,iCACK,UADL;AAAA,MAEE,MAAM,EAAE,oBAAoB,iBAAiB;AAAA,MAC7C,UAAU;AAAA,IACZ;AAAA,EACF;AACA,SAAO,KAAK;AACd;","names":[]}