{"version":3,"sources":["../lib/index.ts","../lib/AccessTokenClient.ts","../lib/MetadataClientV1_0_13.ts","../lib/functions/AuthorizationUtil.ts","../lib/functions/notifications.ts","../lib/types/index.ts","../lib/functions/OpenIDUtils.ts","../lib/functions/AccessTokenUtil.ts","../lib/ProofOfPossessionBuilder.ts","../lib/functions/CredentialOfferCommons.ts","../lib/functions/dpopUtil.ts","../lib/AccessTokenClientV1_0_11.ts","../lib/AuthorizationCodeClient.ts","../lib/MetadataClient.ts","../lib/MetadataClientV1_0_11.ts","../lib/AuthorizationCodeClientV1_0_11.ts","../lib/CredentialRequestClient.ts","../lib/CredentialOfferClient.ts","../lib/CredentialOfferClientV1_0_11.ts","../lib/CredentialOfferClientV1_0_13.ts","../lib/CredentialRequestClientV1_0_11.ts","../lib/CredentialRequestClientBuilder.ts","../lib/CredentialRequestClientBuilderV1_0_11.ts","../lib/CredentialRequestClientBuilderV1_0_13.ts","../lib/OpenID4VCIClient.ts","../lib/OpenID4VCIClientV1_0_13.ts","../lib/OpenID4VCIClientV1_0_11.ts"],"sourcesContent":["import { VCI_LOGGERS } from '@sphereon/oid4vci-common'\nimport { ISimpleLogger } from '@sphereon/ssi-types'\n\nexport const LOG: ISimpleLogger = VCI_LOGGERS.get('sphereon:oid4vci:client')\n\nexport * from './AccessTokenClient'\nexport * from './AccessTokenClientV1_0_11'\nexport * from './AuthorizationCodeClient'\nexport * from './AuthorizationCodeClientV1_0_11'\nexport * from './CredentialRequestClient'\nexport * from './CredentialOfferClient'\nexport * from './CredentialOfferClientV1_0_11'\nexport * from './CredentialOfferClientV1_0_13'\nexport * from './CredentialRequestClientV1_0_11'\nexport * from './CredentialRequestClientBuilder'\nexport * from './CredentialRequestClientBuilderV1_0_13'\nexport * from './CredentialRequestClientBuilderV1_0_11'\nexport * from './functions'\nexport * from './MetadataClient'\nexport * from './MetadataClientV1_0_13'\nexport * from './MetadataClientV1_0_11'\nexport * from './OpenID4VCIClient'\nexport * from './OpenID4VCIClientV1_0_13'\nexport * from './OpenID4VCIClientV1_0_11'\nexport * from './ProofOfPossessionBuilder'\n","import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequest,\n AccessTokenRequestOpts,\n AccessTokenResponse,\n assertedUniformCredentialOffer,\n AuthorizationServerOpts,\n AuthzFlowType,\n convertJsonToURI,\n DPoPResponseParams,\n EndpointMetadata,\n formPost,\n getIssuerFromCredentialOfferPayload,\n GrantTypes,\n IssuerOpts,\n JsonURIMode,\n OpenIDResponse,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTH_GRANT_LITERAL,\n TokenErrorResponse,\n toUniformCredentialOfferRequest,\n TxCodeAndPinRequired,\n UniformCredentialOfferPayload,\n} from '@sphereon/oid4vci-common'\nimport { ObjectUtils } from '@sphereon/ssi-types'\n\nimport { MetadataClientV1_0_13 } from './MetadataClientV1_0_13'\nimport { createJwtBearerClientAssertion } from './functions'\nimport { shouldRetryTokenRequestWithDPoPNonce } from './functions/dpopUtil'\nimport { LOG } from './types'\n\nexport class AccessTokenClient {\n public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise> {\n const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts\n\n const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined\n const pinMetadata: TxCodeAndPinRequired | undefined = credentialOffer && this.getPinMetadata(credentialOffer.credential_offer)\n const issuer =\n opts.credentialIssuer ??\n (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : (metadata?.issuer as string))\n if (!issuer) {\n throw Error('Issuer required at this point')\n }\n const issuerOpts = {\n issuer,\n }\n\n return await this.acquireAccessTokenUsingRequest({\n accessTokenRequest: await this.createAccessTokenRequest({\n credentialOffer,\n asOpts,\n codeVerifier,\n code,\n redirectUri,\n pin,\n credentialIssuer: issuer,\n metadata,\n additionalParams: opts.additionalParams,\n pinMetadata,\n }),\n pinMetadata,\n metadata,\n asOpts,\n issuerOpts,\n createDPoPOpts: createDPoPOpts,\n })\n }\n\n public async acquireAccessTokenUsingRequest({\n accessTokenRequest,\n pinMetadata,\n metadata,\n asOpts,\n issuerOpts,\n createDPoPOpts,\n }: {\n accessTokenRequest: AccessTokenRequest\n pinMetadata?: TxCodeAndPinRequired\n metadata?: EndpointMetadata\n asOpts?: AuthorizationServerOpts\n issuerOpts?: IssuerOpts\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise> {\n this.validate(accessTokenRequest, pinMetadata)\n\n const requestTokenURL = AccessTokenClient.determineTokenURL({\n asOpts,\n issuerOpts,\n metadata: metadata\n ? metadata\n : issuerOpts?.fetchMetadata\n ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })\n : undefined,\n })\n\n const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0\n let dPoP = useDpop ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined\n\n let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined)\n\n let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce\n const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response)\n if (retryWithNonce.ok && createDPoPOpts) {\n createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce\n\n dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL))\n response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined)\n const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n\n nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce\n }\n\n if (response.successBody && createDPoPOpts && response.successBody.token_type !== 'DPoP') {\n throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type)\n }\n\n return {\n ...response,\n ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),\n }\n }\n\n public async createAccessTokenRequest(opts: Omit): Promise {\n const { asOpts, pin, codeVerifier, code, redirectUri } = opts\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n const credentialOfferRequest = opts.credentialOffer ? await toUniformCredentialOfferRequest(opts.credentialOffer) : undefined\n const request: Partial = { ...opts.additionalParams }\n if (asOpts?.clientOpts?.clientId) {\n request.client_id = asOpts.clientOpts.clientId\n }\n const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer\n await createJwtBearerClientAssertion(request, { ...opts, credentialIssuer })\n\n // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW\n if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {\n request.grant_type = GrantTypes.AUTHORIZATION_CODE\n request.code = code\n request.redirect_uri = redirectUri\n\n if (codeVerifier) {\n request.code_verifier = codeVerifier\n }\n\n return request as AccessTokenRequest\n }\n\n if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {\n this.assertAlphanumericPin(opts.pinMetadata, pin)\n request.user_pin = pin\n request.tx_code = pin\n\n request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE\n // we actually know it is there because of the isPreAuthCode call\n request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]\n\n return request as AccessTokenRequest\n }\n\n throw new Error('Credential offer request follows neither pre-authorized code nor authorization code flow requirements.')\n }\n\n private assertPreAuthorizedGrantType(grantType: GrantTypes): void {\n if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {\n throw new Error(\"grant type must be 'urn:ietf:params:oauth:grant-type:pre-authorized_code'\")\n }\n }\n\n private assertAuthorizationGrantType(grantType: GrantTypes): void {\n if (GrantTypes.AUTHORIZATION_CODE !== grantType) {\n throw new Error(\"grant type must be 'authorization_code'\")\n }\n }\n\n private getPinMetadata(requestPayload: UniformCredentialOfferPayload): TxCodeAndPinRequired {\n if (!requestPayload) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n const issuer = getIssuerFromCredentialOfferPayload(requestPayload)\n\n const grantDetails = requestPayload.grants?.[PRE_AUTH_GRANT_LITERAL]\n const isPinRequired = !!(grantDetails?.tx_code ?? false)\n\n LOG.warning(`Pin required for issuer ${issuer}: ${isPinRequired}`)\n return {\n txCode: grantDetails?.tx_code,\n isPinRequired,\n }\n }\n\n private assertAlphanumericPin(pinMeta?: TxCodeAndPinRequired, pin?: string): void {\n if (pinMeta && pinMeta.isPinRequired) {\n let regex\n\n if (pinMeta.txCode) {\n const { input_mode, length } = pinMeta.txCode\n\n if (input_mode === 'numeric') {\n // Create a regex for numeric input. If no length specified, allow any length of numeric input.\n regex = length ? new RegExp(`^\\\\d{1,${length}}$`) : /^\\d+$/\n } else if (input_mode === 'text') {\n // Create a regex for text input. If no length specified, allow any length of alphanumeric input.\n regex = length ? new RegExp(`^[a-zA-Z0-9]{1,${length}}$`) : /^[a-zA-Z0-9]+$/\n }\n }\n\n // Default regex for alphanumeric with no specific length limit if no input_mode is specified.\n regex = regex || /^[a-zA-Z0-9]+$|^[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+\\.[A-Za-z0-9-_]+$/\n\n if (!pin || !regex.test(pin)) {\n LOG.warning(\n `Pin is not valid. Expected format: ${pinMeta?.txCode?.input_mode || 'alphanumeric'}, Length: up to ${pinMeta?.txCode?.length || 'any number of'} characters`,\n )\n throw new Error('A valid pin must be present according to the specified transaction code requirements.')\n }\n } else if (pin) {\n LOG.warning('Pin set, whilst not required')\n throw new Error('Cannot set a pin when the pin is not required.')\n }\n }\n\n private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {\n LOG.warning(`No pre-authorized code present, whilst it is required`, accessTokenRequest)\n throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.')\n }\n }\n\n private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest.code_verifier) {\n LOG.warning('No code_verifier present, whilst it is required', accessTokenRequest)\n throw new Error('Authorization flow requires the code_verifier to be present')\n }\n }\n\n private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest.code) {\n LOG.warning('No code present, whilst it is required')\n throw new Error('Authorization flow requires the code to be present')\n }\n }\n\n private validate(accessTokenRequest: AccessTokenRequest, pinMeta?: TxCodeAndPinRequired): void {\n if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {\n this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type)\n this.assertNonEmptyPreAuthorizedCode(accessTokenRequest)\n this.assertAlphanumericPin(pinMeta, accessTokenRequest.tx_code ?? accessTokenRequest.user_pin)\n } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {\n this.assertAuthorizationGrantType(accessTokenRequest.grant_type)\n this.assertNonEmptyCodeVerifier(accessTokenRequest)\n this.assertNonEmptyCode(accessTokenRequest)\n } else {\n this.throwNotSupportedFlow()\n }\n }\n\n private async sendAuthCode(\n requestTokenURL: string,\n accessTokenRequest: AccessTokenRequest,\n opts?: { headers?: Record },\n ): Promise> {\n return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), {\n customHeaders: opts?.headers ? opts.headers : undefined,\n })\n }\n\n public static determineTokenURL({\n asOpts,\n issuerOpts,\n metadata,\n }: {\n asOpts?: AuthorizationServerOpts\n issuerOpts?: IssuerOpts\n metadata?: EndpointMetadata\n }): string {\n if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {\n throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present')\n }\n let url\n if (asOpts && asOpts.as) {\n url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint)\n } else if (metadata?.token_endpoint) {\n url = metadata.token_endpoint\n } else {\n if (!issuerOpts?.issuer) {\n throw Error('Either authorization server options, a token endpoint or issuer options are required at this point')\n }\n url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint)\n }\n\n if (!url || !ObjectUtils.isString(url)) {\n throw new Error('No authorization server token URL present. Cannot acquire access token')\n }\n LOG.debug(`Token endpoint determined to be ${url}`)\n return url\n }\n\n private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {\n if (allowInsecureEndpoints !== true && url.startsWith('http:')) {\n throw Error(\n `Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`,\n )\n }\n const hostname = url.replace(/https?:\\/\\//, '').replace(/\\/$/, '')\n const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token'\n const scheme = url.split('://')[0]\n return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`\n }\n\n private throwNotSupportedFlow(): void {\n LOG.warning(`Only pre-authorized or authorization code flows supported.`)\n throw new Error('Only pre-authorized-code or authorization code flows are supported')\n }\n}\n","import {\n AuthorizationServerMetadata,\n AuthorizationServerType,\n CredentialIssuerMetadataV1_0_13,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n EndpointMetadataResultV1_0_13,\n getIssuerFromCredentialOfferPayload,\n IssuerMetadataV1_0_13,\n OpenIDResponse,\n WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { retrieveWellknown } from './functions'\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:metadata')\n\nexport class MetadataClientV1_0_13 {\n /**\n * Retrieve metadata using the Initiation obtained from a previous step\n *\n * @param credentialOffer\n */\n public static async retrieveAllMetadataFromCredentialOffer(\n credentialOffer: CredentialOfferRequestWithBaseUrl,\n ): Promise {\n return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer as CredentialOfferPayloadV1_0_13)\n }\n\n /**\n * Retrieve the metada using the initiation request obtained from a previous step\n * @param request\n */\n public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayloadV1_0_13): Promise {\n const issuer = getIssuerFromCredentialOfferPayload(request)\n if (issuer) {\n return MetadataClientV1_0_13.retrieveAllMetadata(issuer)\n }\n throw new Error(\"can't retrieve metadata from CredentialOfferRequest. No issuer field is present\")\n }\n\n /**\n * Retrieve all metadata from an issuer\n * @param issuer The issuer URL\n * @param opts\n */\n public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise {\n let token_endpoint: string | undefined\n let credential_endpoint: string | undefined\n let deferred_credential_endpoint: string | undefined\n let authorization_endpoint: string | undefined\n let authorization_challenge_endpoint: string | undefined\n let authorizationServerType: AuthorizationServerType = 'OID4VCI'\n let authorization_servers: string[] = [issuer]\n const oid4vciResponse = await MetadataClientV1_0_13.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }) // We will handle errors later, given we will also try other metadata locations\n let credentialIssuerMetadata = oid4vciResponse?.successBody\n if (credentialIssuerMetadata) {\n logger.debug(`Issuer ${issuer} OID4VCI well-known server metadata\\r\\n${JSON.stringify(credentialIssuerMetadata)}`)\n credential_endpoint = credentialIssuerMetadata.credential_endpoint\n deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint\n if (credentialIssuerMetadata.token_endpoint) {\n token_endpoint = credentialIssuerMetadata.token_endpoint\n }\n authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint\n if (credentialIssuerMetadata.authorization_servers) {\n authorization_servers = credentialIssuerMetadata.authorization_servers\n }\n }\n // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first\n // TODO: for now we're taking just the first one\n let response: OpenIDResponse = await retrieveWellknown(\n authorization_servers[0],\n WellKnownEndpoints.OPENID_CONFIGURATION,\n {\n errorOnNotFound: false,\n },\n )\n let authMetadata = response.successBody\n if (authMetadata) {\n logger.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`)\n authorizationServerType = 'OIDC'\n } else {\n // Now let's do OAuth2\n // TODO: for now we're taking just the first one\n response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false })\n authMetadata = response.successBody\n }\n if (!authMetadata) {\n // We will always throw an error, no matter whether the user provided the option not to, because this is bad.\n if (!authorization_servers.includes(issuer)) {\n throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`)\n }\n } else {\n if (!authorizationServerType) {\n authorizationServerType = 'OAuth 2.0'\n }\n logger.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`)\n if (!authMetadata.authorization_endpoint) {\n console.warn(\n `Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`,\n )\n } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`,\n )\n }\n authorization_endpoint = authMetadata.authorization_endpoint\n if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`,\n )\n }\n authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint\n if (!authMetadata.token_endpoint) {\n throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`)\n } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {\n throw Error(\n `Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`,\n )\n }\n token_endpoint = authMetadata.token_endpoint\n if (authMetadata.credential_endpoint) {\n if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {\n logger.debug(\n `Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`,\n )\n } else {\n credential_endpoint = authMetadata.credential_endpoint\n }\n }\n if (authMetadata.deferred_credential_endpoint) {\n if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {\n logger.debug(\n `Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`,\n )\n } else {\n deferred_credential_endpoint = authMetadata.deferred_credential_endpoint\n }\n }\n }\n\n if (!authorization_endpoint) {\n logger.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`)\n }\n if (!token_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the token_endpoint for ${issuer}`)\n } else {\n token_endpoint = `${issuer}${issuer.endsWith('/') ? 'token' : '/token'}`\n }\n }\n if (!credential_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the credential endpoint for ${issuer}`)\n } else {\n credential_endpoint = `${issuer}${issuer.endsWith('/') ? 'credential' : '/credential'}`\n }\n }\n\n if (!credentialIssuerMetadata && authMetadata) {\n // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it\n credentialIssuerMetadata = authMetadata as CredentialIssuerMetadataV1_0_13\n }\n logger.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`)\n return {\n issuer,\n token_endpoint,\n credential_endpoint,\n deferred_credential_endpoint,\n authorization_server: authorization_servers[0],\n authorization_endpoint,\n authorization_challenge_endpoint,\n authorizationServerType,\n credentialIssuerMetadata: credentialIssuerMetadata,\n authorizationServerMetadata: authMetadata,\n }\n }\n\n /**\n * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata\n *\n * @param issuerHost The issuer hostname\n * @param opts\n */\n public static async retrieveOpenID4VCIServerMetadata(\n issuerHost: string,\n opts?: {\n errorOnNotFound?: boolean\n },\n ): Promise | undefined> {\n return retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {\n errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,\n })\n }\n}\n","import { assertValidCodeVerifier, CodeChallengeMethod, createCodeChallenge, generateCodeVerifier, PKCEOpts } from '@sphereon/oid4vci-common'\n\nexport const generateMissingPKCEOpts = (pkce: PKCEOpts) => {\n if (pkce.disabled) {\n return pkce\n }\n if (!pkce.codeChallengeMethod) {\n pkce.codeChallengeMethod = CodeChallengeMethod.S256\n }\n if (!pkce.codeVerifier) {\n pkce.codeVerifier = generateCodeVerifier()\n }\n assertValidCodeVerifier(pkce.codeVerifier)\n if (!pkce.codeChallenge) {\n pkce.codeChallenge = createCodeChallenge(pkce.codeVerifier, pkce.codeChallengeMethod)\n }\n return pkce\n}\n","import { NotificationErrorResponse, NotificationRequest, NotificationResponseResult, post } from '@sphereon/oid4vci-common'\n\nimport { CredentialRequestOpts } from '../CredentialRequestClient'\nimport { LOG } from '../types'\n\nexport async function sendNotification(\n credentialRequestOpts: Partial,\n request: NotificationRequest,\n accessToken?: string,\n): Promise {\n LOG.info(`Sending status notification event '${request.event}' for id ${request.notification_id}`)\n if (!credentialRequestOpts.notificationEndpoint) {\n throw Error(`Cannot send notification when no notification endpoint is provided`)\n }\n const token = accessToken ?? credentialRequestOpts.token\n const response = await post(credentialRequestOpts.notificationEndpoint, JSON.stringify(request), {\n ...(token && { bearerToken: token }),\n })\n const error = response.errorBody?.error !== undefined\n const result = {\n error,\n response: error ? response.errorBody : undefined,\n }\n if (error) {\n LOG.warning(`Notification endpoint returned an error for event '${request.event}' and id ${request.notification_id}: ${response.errorBody}`)\n } else {\n LOG.debug(`Notification endpoint returned success for event '${request.event}' and id ${request.notification_id}`)\n }\n return result\n}\n","import { VCI_LOGGERS } from '@sphereon/oid4vci-common'\nimport { ISimpleLogger, LogMethod } from '@sphereon/ssi-types'\n\nexport const LOG: ISimpleLogger = VCI_LOGGERS.options('sphereon:oid4vci:client', { methods: [LogMethod.EVENT, LogMethod.DEBUG_PKG] }).get(\n 'sphereon:oid4vci:client',\n)\n","import { getJson, OpenIDResponse, WellKnownEndpoints } from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nconst logger = Loggers.DEFAULT.get('sphereon:openid4vci:openid-utils')\n/**\n * Allows to retrieve information from a well-known location\n *\n * @param host The host\n * @param endpointType The endpoint type, currently supports OID4VCI, OIDC and OAuth2 endpoint types\n * @param opts Options, like for instance whether an error should be thrown in case the endpoint doesn't exist\n */\nexport const retrieveWellknown = async (\n host: string,\n endpointType: WellKnownEndpoints,\n opts?: { errorOnNotFound?: boolean },\n): Promise> => {\n const result: OpenIDResponse = await getJson(`${host.endsWith('/') ? host.slice(0, -1) : host}${endpointType}`, {\n exceptionOnHttpErrorStatus: opts?.errorOnNotFound,\n })\n if (result.origResponse.status >= 400) {\n // We only get here when error on not found is false\n logger.debug(`host ${host} with endpoint type ${endpointType} status: ${result.origResponse.status}, ${result.origResponse.statusText}`)\n }\n return result\n}\n","import { uuidv4 } from '@sphereon/oid4vc-common'\nimport { AccessTokenRequest, AccessTokenRequestOpts, Jwt, OpenId4VCIVersion } from '@sphereon/oid4vci-common'\n\nimport { ProofOfPossessionBuilder } from '../ProofOfPossessionBuilder'\n\nexport const createJwtBearerClientAssertion = async (\n request: Partial,\n opts: AccessTokenRequestOpts & {\n version?: OpenId4VCIVersion\n },\n): Promise => {\n const { asOpts, credentialIssuer } = opts\n if (asOpts?.clientOpts?.clientAssertionType === 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer') {\n const { clientId = request.client_id, signCallbacks, alg } = asOpts.clientOpts\n let { kid } = asOpts.clientOpts\n if (!clientId) {\n return Promise.reject(Error(`Not client_id supplied, but client-assertion jwt-bearer requested.`))\n } else if (!kid) {\n return Promise.reject(Error(`No kid supplied, but client-assertion jwt-bearer requested.`))\n } else if (typeof signCallbacks?.signCallback !== 'function') {\n return Promise.reject(Error(`No sign callback supplied, but client-assertion jwt-bearer requested.`))\n } else if (!credentialIssuer) {\n return Promise.reject(Error(`No credential issuer supplied, but client-assertion jwt-bearer requested.`))\n }\n if (clientId.startsWith('http') && kid.includes('#')) {\n kid = kid.split('#')[1]\n }\n const jwt: Jwt = {\n header: {\n typ: 'JWT',\n kid,\n alg: alg ?? 'ES256',\n },\n payload: {\n iss: clientId,\n sub: clientId,\n aud: credentialIssuer,\n jti: uuidv4(),\n exp: Math.floor(Date.now()) / 1000 + 60,\n iat: Math.floor(Date.now()) / 1000 - 60,\n },\n }\n const pop = await ProofOfPossessionBuilder.fromJwt({\n jwt,\n callbacks: signCallbacks,\n version: opts.version ?? OpenId4VCIVersion.VER_1_0_13,\n mode: 'JWT',\n }).build()\n request.client_assertion_type = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n request.client_assertion = pop.jwt\n }\n}\n","import { JWK } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenResponse,\n Alg,\n createProofOfPossession,\n EndpointMetadata,\n Jwt,\n NO_JWT_PROVIDED,\n OpenId4VCIVersion,\n PoPMode,\n PROOF_CANT_BE_CONSTRUCTED,\n ProofOfPossession,\n ProofOfPossessionCallbacks,\n Typ,\n} from '@sphereon/oid4vci-common'\n\nexport class ProofOfPossessionBuilder {\n private readonly proof?: ProofOfPossession\n private readonly callbacks?: ProofOfPossessionCallbacks\n private readonly version: OpenId4VCIVersion\n private readonly mode: PoPMode = 'pop'\n\n private kid?: string\n private jwk?: JWK\n private aud?: string | string[]\n private clientId?: string\n private issuer?: string\n private jwt?: Jwt\n private alg?: string\n private jti?: string\n private cNonce?: string\n private typ?: Typ\n\n private constructor({\n proof,\n callbacks,\n jwt,\n accessTokenResponse,\n version,\n mode = 'pop',\n }: {\n proof?: ProofOfPossession\n callbacks?: ProofOfPossessionCallbacks\n accessTokenResponse?: AccessTokenResponse\n jwt?: Jwt\n version: OpenId4VCIVersion\n mode?: PoPMode\n }) {\n this.mode = mode\n this.proof = proof\n this.callbacks = callbacks\n this.version = version\n if (jwt) {\n this.withJwt(jwt)\n } else {\n this.withTyp(version < OpenId4VCIVersion.VER_1_0_11 || mode === 'JWT' ? 'JWT' : 'openid4vci-proof+jwt')\n }\n if (accessTokenResponse) {\n this.withAccessTokenResponse(accessTokenResponse)\n }\n }\n\n static manual({\n jwt,\n callbacks,\n version,\n mode = 'JWT',\n }: {\n jwt?: Jwt\n callbacks: ProofOfPossessionCallbacks\n version: OpenId4VCIVersion\n mode?: PoPMode\n }): ProofOfPossessionBuilder {\n return new ProofOfPossessionBuilder({ callbacks, jwt, version, mode })\n }\n\n static fromJwt({\n jwt,\n callbacks,\n version,\n mode = 'pop',\n }: {\n jwt: Jwt\n callbacks: ProofOfPossessionCallbacks\n version: OpenId4VCIVersion\n mode?: PoPMode\n }): ProofOfPossessionBuilder {\n return new ProofOfPossessionBuilder({ callbacks, jwt, version, mode })\n }\n\n static fromAccessTokenResponse({\n accessTokenResponse,\n callbacks,\n version,\n mode = 'pop',\n }: {\n accessTokenResponse: AccessTokenResponse\n callbacks: ProofOfPossessionCallbacks\n version: OpenId4VCIVersion\n mode?: PoPMode\n }): ProofOfPossessionBuilder {\n return new ProofOfPossessionBuilder({ callbacks, accessTokenResponse, version, mode })\n }\n\n static fromProof(proof: ProofOfPossession, version: OpenId4VCIVersion): ProofOfPossessionBuilder {\n return new ProofOfPossessionBuilder({ proof, version })\n }\n\n withAud(aud: string | string[]): this {\n this.aud = aud\n return this\n }\n\n withClientId(clientId: string): this {\n this.clientId = clientId\n return this\n }\n\n withKid(kid: string): this {\n this.kid = kid\n return this\n }\n\n withJWK(jwk: JWK): this {\n this.jwk = jwk\n return this\n }\n\n withIssuer(issuer: string): this {\n this.issuer = issuer\n return this\n }\n\n withAlg(alg: Alg | string): this {\n this.alg = alg\n return this\n }\n\n withJti(jti: string): this {\n this.jti = jti\n return this\n }\n\n withTyp(typ: Typ): this {\n if (this.mode === 'pop' && this.version >= OpenId4VCIVersion.VER_1_0_11) {\n if (!!typ && typ !== 'openid4vci-proof+jwt') {\n throw Error(`typ must be openid4vci-proof+jwt for version 1.0.11 and up. Provided: ${typ}`)\n }\n } else {\n if (!!typ && typ !== 'JWT') {\n throw Error(`typ must be jwt for version 1.0.10 and below. Provided: ${typ}`)\n }\n }\n this.typ = typ\n return this\n }\n\n withAccessTokenNonce(cNonce: string): this {\n this.cNonce = cNonce\n return this\n }\n\n withAccessTokenResponse(accessToken: AccessTokenResponse): this {\n if (accessToken.c_nonce) {\n this.withAccessTokenNonce(accessToken.c_nonce)\n }\n return this\n }\n\n withEndpointMetadata(endpointMetadata: EndpointMetadata): this {\n this.withIssuer(endpointMetadata.issuer)\n return this\n }\n\n withJwt(jwt: Jwt): this {\n if (!jwt) {\n throw new Error(NO_JWT_PROVIDED)\n }\n this.jwt = jwt\n if (!jwt.header) {\n throw Error(`No JWT header present`)\n } else if (!jwt.payload) {\n throw Error(`No JWT payload present`)\n }\n\n if (jwt.header.kid) {\n this.withKid(jwt.header.kid)\n }\n if (jwt.header.typ) {\n this.withTyp(jwt.header.typ as Typ)\n }\n if (!this.typ && this.version >= OpenId4VCIVersion.VER_1_0_11) {\n this.withTyp('openid4vci-proof+jwt')\n }\n this.withAlg(jwt.header.alg)\n\n if (Array.isArray(jwt.payload.aud)) {\n // Rather do this than take the first value, as it might be very hard to figure out why something is failing\n throw Error('We cannot handle multiple aud values currently')\n }\n\n if (jwt.payload) {\n if (jwt.payload.iss) this.mode === 'pop' ? this.withClientId(jwt.payload.iss) : this.withIssuer(jwt.payload.iss)\n if (jwt.payload.aud) this.mode === 'pop' ? this.withIssuer(jwt.payload.aud) : this.withAud(jwt.payload.aud)\n if (jwt.payload.jti) this.withJti(jwt.payload.jti)\n if (jwt.payload.nonce) this.withAccessTokenNonce(jwt.payload.nonce)\n }\n return this\n }\n\n public async build(): Promise {\n if (this.proof) {\n return Promise.resolve(this.proof)\n } else if (this.callbacks) {\n return await createProofOfPossession(\n this.mode,\n this.callbacks,\n {\n typ: this.typ ?? (this.version < OpenId4VCIVersion.VER_1_0_11 || this.mode === 'JWT' ? 'JWT' : 'openid4vci-proof+jwt'),\n kid: this.kid,\n jwk: this.jwk,\n jti: this.jti,\n alg: this.alg,\n aud: this.aud,\n issuer: this.issuer,\n clientId: this.clientId,\n ...(this.cNonce && { nonce: this.cNonce }),\n },\n this.jwt,\n )\n }\n throw new Error(PROOF_CANT_BE_CONSTRUCTED)\n }\n}\n","import {\n decodeJsonProperties,\n getClientIdFromCredentialOfferPayload,\n getURIComponentsAsArray,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTH_GRANT_LITERAL,\n UniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { fetch } from 'cross-fetch'\n\nexport function isUriEncoded(str: string): boolean {\n const pattern = /%[0-9A-F]{2}/i\n return pattern.test(str)\n}\n\nexport async function handleCredentialOfferUri(uri: string) {\n const uriObj = getURIComponentsAsArray(uri) as unknown as Record\n const credentialOfferUri = decodeURIComponent(uriObj['credential_offer_uri'])\n const decodedUri = isUriEncoded(credentialOfferUri) ? decodeURIComponent(credentialOfferUri) : credentialOfferUri\n const response = await fetch(decodedUri)\n\n if (!(response && response.status >= 200 && response.status < 400)) {\n return Promise.reject(`the credential offer URI endpoint call was not successful. http code ${response.status} - reason ${response.statusText}`)\n }\n\n if (response.headers.get('Content-Type')?.startsWith('application/json') === false) {\n return Promise.reject('the credential offer URI endpoint did not return content type application/json')\n }\n\n return {\n credential_offer: decodeJsonProperties(await response.json()),\n }\n}\n\nexport function constructBaseResponse(request: UniformCredentialOfferRequest, scheme: string, baseUrl: string) {\n const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer)\n const grants = request.credential_offer?.grants\n\n return {\n scheme,\n baseUrl,\n ...(clientId && { clientId }),\n ...request,\n ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),\n ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {\n preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],\n }),\n ...(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code && {\n txCode: request.credential_offer.grants[PRE_AUTH_GRANT_LITERAL].tx_code,\n }),\n }\n}\n","import { dpopTokenRequestNonceError } from '@sphereon/oid4vc-common'\nimport { OpenIDResponse } from '@sphereon/oid4vci-common'\n\nexport type RetryRequestWithDPoPNonce = { ok: true; dpopNonce: string } | { ok: false }\n\nexport function shouldRetryTokenRequestWithDPoPNonce(response: OpenIDResponse): RetryRequestWithDPoPNonce {\n if (!response.errorBody || response.errorBody.error !== dpopTokenRequestNonceError) {\n return { ok: false }\n }\n\n const dPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n if (!dPoPNonce) {\n throw new Error('Missing required DPoP-Nonce header.')\n }\n\n return { ok: true, dpopNonce: dPoPNonce }\n}\n\nexport function shouldRetryResourceRequestWithDPoPNonce(response: OpenIDResponse): RetryRequestWithDPoPNonce {\n if (!response.errorBody || response.origResponse.status !== 401) {\n return { ok: false }\n }\n\n const wwwAuthenticateHeader = response.origResponse.headers.get('WWW-Authenticate')\n if (!wwwAuthenticateHeader?.includes(dpopTokenRequestNonceError)) {\n return { ok: false }\n }\n\n const dPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n if (!dPoPNonce) {\n throw new Error('Missing required DPoP-Nonce header.')\n }\n\n return { ok: true, dpopNonce: dPoPNonce }\n}\n","import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequest,\n AccessTokenRequestOpts,\n AccessTokenResponse,\n assertedUniformCredentialOffer,\n AuthorizationServerOpts,\n AuthzFlowType,\n convertJsonToURI,\n CredentialOfferV1_0_11,\n CredentialOfferV1_0_13,\n DPoPResponseParams,\n EndpointMetadata,\n formPost,\n getIssuerFromCredentialOfferPayload,\n GrantTypes,\n IssuerOpts,\n JsonURIMode,\n OpenId4VCIVersion,\n OpenIDResponse,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTH_GRANT_LITERAL,\n TokenErrorResponse,\n toUniformCredentialOfferRequest,\n UniformCredentialOfferPayload,\n} from '@sphereon/oid4vci-common'\nimport { Loggers, ObjectUtils } from '@sphereon/ssi-types'\n\nimport { MetadataClientV1_0_13 } from './MetadataClientV1_0_13'\nimport { createJwtBearerClientAssertion } from './functions'\nimport { shouldRetryTokenRequestWithDPoPNonce } from './functions/dpopUtil'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:token')\n\nexport class AccessTokenClientV1_0_11 {\n public async acquireAccessToken(opts: AccessTokenRequestOpts): Promise> {\n const { asOpts, pin, codeVerifier, code, redirectUri, metadata, createDPoPOpts } = opts\n\n const credentialOffer = opts.credentialOffer ? await assertedUniformCredentialOffer(opts.credentialOffer) : undefined\n const isPinRequired = credentialOffer && this.isPinRequiredValue(credentialOffer.credential_offer)\n const issuer =\n opts.credentialIssuer ??\n (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : (metadata?.issuer as string))\n if (!issuer) {\n throw Error('Issuer required at this point')\n }\n const issuerOpts = {\n issuer,\n }\n\n return await this.acquireAccessTokenUsingRequest({\n accessTokenRequest: await this.createAccessTokenRequest({\n credentialOffer,\n asOpts,\n codeVerifier,\n code,\n redirectUri,\n pin,\n credentialIssuer: issuer,\n metadata,\n additionalParams: opts.additionalParams,\n pinMetadata: opts.pinMetadata,\n }),\n isPinRequired,\n metadata,\n asOpts,\n issuerOpts,\n createDPoPOpts,\n })\n }\n\n public async acquireAccessTokenUsingRequest({\n accessTokenRequest,\n isPinRequired,\n metadata,\n asOpts,\n createDPoPOpts,\n issuerOpts,\n }: {\n accessTokenRequest: AccessTokenRequest\n isPinRequired?: boolean\n metadata?: EndpointMetadata\n asOpts?: AuthorizationServerOpts\n issuerOpts?: IssuerOpts\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise> {\n this.validate(accessTokenRequest, isPinRequired)\n\n const requestTokenURL = AccessTokenClientV1_0_11.determineTokenURL({\n asOpts,\n issuerOpts,\n metadata: metadata\n ? metadata\n : issuerOpts?.fetchMetadata\n ? await MetadataClientV1_0_13.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })\n : undefined,\n })\n\n const useDpop = createDPoPOpts?.dPoPSigningAlgValuesSupported && createDPoPOpts.dPoPSigningAlgValuesSupported.length > 0\n let dPoP = useDpop ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL)) : undefined\n\n let response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined)\n\n let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce\n const retryWithNonce = shouldRetryTokenRequestWithDPoPNonce(response)\n if (retryWithNonce.ok && createDPoPOpts) {\n createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce\n\n dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, requestTokenURL))\n response = await this.sendAuthCode(requestTokenURL, accessTokenRequest, dPoP ? { headers: { dpop: dPoP } } : undefined)\n const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n\n nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce\n }\n\n if (response.successBody && createDPoPOpts && response.successBody.token_type !== 'DPoP') {\n throw new Error('Invalid token type returned. Expected DPoP. Received: ' + response.successBody.token_type)\n }\n\n return {\n ...response,\n ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),\n }\n }\n\n public async createAccessTokenRequest(opts: Omit): Promise {\n const { asOpts, pin, codeVerifier, code, redirectUri } = opts\n const credentialOfferRequest = opts.credentialOffer\n ? await toUniformCredentialOfferRequest(opts.credentialOffer as CredentialOfferV1_0_11 | CredentialOfferV1_0_13)\n : undefined\n const request: Partial = { ...opts.additionalParams }\n const credentialIssuer = opts.credentialIssuer ?? credentialOfferRequest?.credential_offer?.credential_issuer ?? opts.metadata?.issuer\n\n if (asOpts?.clientOpts?.clientId) {\n request.client_id = asOpts.clientOpts.clientId\n }\n await createJwtBearerClientAssertion(request, { ...opts, version: OpenId4VCIVersion.VER_1_0_11, credentialIssuer })\n\n // Prefer AUTHORIZATION_CODE over PRE_AUTHORIZED_CODE_FLOW\n if (!credentialOfferRequest || credentialOfferRequest.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW)) {\n request.grant_type = GrantTypes.AUTHORIZATION_CODE\n request.code = code\n request.redirect_uri = redirectUri\n\n if (codeVerifier) {\n request.code_verifier = codeVerifier\n }\n\n return request as AccessTokenRequest\n }\n\n if (credentialOfferRequest?.supportedFlows.includes(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)) {\n this.assertNumericPin(this.isPinRequiredValue(credentialOfferRequest.credential_offer), pin)\n request.user_pin = pin\n\n request.grant_type = GrantTypes.PRE_AUTHORIZED_CODE\n // we actually know it is there because of the isPreAuthCode call\n request[PRE_AUTH_CODE_LITERAL] = credentialOfferRequest?.credential_offer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]\n\n return request as AccessTokenRequest\n }\n throw new Error('Credential offer request does not follow neither pre-authorized code nor authorization code flow requirements.')\n }\n\n private assertPreAuthorizedGrantType(grantType: GrantTypes): void {\n if (GrantTypes.PRE_AUTHORIZED_CODE !== grantType) {\n throw new Error('grant type must be PRE_AUTH_GRANT_LITERAL')\n }\n }\n\n private assertAuthorizationGrantType(grantType: GrantTypes): void {\n if (GrantTypes.AUTHORIZATION_CODE !== grantType) {\n throw new Error(\"grant type must be 'authorization_code'\")\n }\n }\n\n private isPinRequiredValue(requestPayload: UniformCredentialOfferPayload): boolean {\n let isPinRequired = false\n if (!requestPayload) {\n throw new Error(TokenErrorResponse.invalid_request)\n }\n const issuer = getIssuerFromCredentialOfferPayload(requestPayload)\n if (requestPayload.grants?.[PRE_AUTH_GRANT_LITERAL]) {\n isPinRequired = requestPayload.grants[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false\n }\n logger.debug(`Pin required for issuer ${issuer}: ${isPinRequired}`)\n return isPinRequired\n }\n\n private assertNumericPin(isPinRequired?: boolean, pin?: string): void {\n if (isPinRequired) {\n if (!pin || !/^\\d{1,8}$/.test(pin)) {\n logger.debug(`Pin is not 1 to 8 digits long`)\n throw new Error('A valid pin consisting of maximal 8 numeric characters must be present.')\n }\n } else if (pin) {\n logger.debug(`Pin set, whilst not required`)\n throw new Error('Cannot set a pin, when the pin is not required.')\n }\n }\n\n private assertNonEmptyPreAuthorizedCode(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest[PRE_AUTH_CODE_LITERAL]) {\n logger.debug(`No pre-authorized code present, whilst it is required`)\n throw new Error('Pre-authorization must be proven by presenting the pre-authorized code. Code must be present.')\n }\n }\n\n private assertNonEmptyCodeVerifier(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest.code_verifier) {\n logger.debug('No code_verifier present, whilst it is required')\n throw new Error('Authorization flow requires the code_verifier to be present')\n }\n }\n\n private assertNonEmptyCode(accessTokenRequest: AccessTokenRequest): void {\n if (!accessTokenRequest.code) {\n logger.debug('No code present, whilst it is required')\n throw new Error('Authorization flow requires the code to be present')\n }\n }\n\n private validate(accessTokenRequest: AccessTokenRequest, isPinRequired?: boolean): void {\n if (accessTokenRequest.grant_type === GrantTypes.PRE_AUTHORIZED_CODE) {\n this.assertPreAuthorizedGrantType(accessTokenRequest.grant_type)\n this.assertNonEmptyPreAuthorizedCode(accessTokenRequest)\n this.assertNumericPin(isPinRequired, accessTokenRequest.user_pin)\n } else if (accessTokenRequest.grant_type === GrantTypes.AUTHORIZATION_CODE) {\n this.assertAuthorizationGrantType(accessTokenRequest.grant_type)\n this.assertNonEmptyCodeVerifier(accessTokenRequest)\n this.assertNonEmptyCode(accessTokenRequest)\n } else {\n this.throwNotSupportedFlow()\n }\n }\n\n private async sendAuthCode(\n requestTokenURL: string,\n accessTokenRequest: AccessTokenRequest,\n opts?: { headers?: Record },\n ): Promise> {\n return await formPost(requestTokenURL, convertJsonToURI(accessTokenRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), {\n customHeaders: opts?.headers ? opts.headers : undefined,\n })\n }\n\n public static determineTokenURL({\n asOpts,\n issuerOpts,\n metadata,\n }: {\n asOpts?: AuthorizationServerOpts\n issuerOpts?: IssuerOpts\n metadata?: EndpointMetadata\n }): string {\n if (!asOpts && !metadata?.token_endpoint && !issuerOpts) {\n throw new Error('Cannot determine token URL if no issuer, metadata and no Authorization Server values are present')\n }\n let url\n if (asOpts && asOpts.as) {\n url = this.creatTokenURLFromURL(asOpts.as, asOpts?.allowInsecureEndpoints, asOpts.tokenEndpoint)\n } else if (metadata?.token_endpoint) {\n url = metadata.token_endpoint\n } else {\n if (!issuerOpts?.issuer) {\n throw Error('Either authorization server options, a token endpoint or issuer options are required at this point')\n }\n url = this.creatTokenURLFromURL(issuerOpts.issuer, asOpts?.allowInsecureEndpoints, issuerOpts.tokenEndpoint)\n }\n\n if (!url || !ObjectUtils.isString(url)) {\n throw new Error('No authorization server token URL present. Cannot acquire access token')\n }\n logger.debug(`Token endpoint determined to be ${url}`)\n return url\n }\n\n private static creatTokenURLFromURL(url: string, allowInsecureEndpoints?: boolean, tokenEndpoint?: string): string {\n if (allowInsecureEndpoints !== true && url.startsWith('http:')) {\n throw Error(\n `Unprotected token endpoints are not allowed ${url}. Use the 'allowInsecureEndpoints' param if you really need this for dev/testing!`,\n )\n }\n const hostname = url.replace(/https?:\\/\\//, '').replace(/\\/$/, '')\n const endpoint = tokenEndpoint ? (tokenEndpoint.startsWith('/') ? tokenEndpoint : tokenEndpoint.substring(1)) : '/token'\n const scheme = url.split('://')[0]\n return `${scheme ? scheme + '://' : 'https://'}${hostname}${endpoint}`\n }\n\n private throwNotSupportedFlow(): void {\n logger.debug(`Only pre-authorized or authorization code flows supported.`)\n throw new Error('Only pre-authorized-code or authorization code flows are supported')\n }\n}\n","import {\n AuthorizationChallengeCodeResponse,\n AuthorizationChallengeRequestOpts,\n AuthorizationDetails,\n AuthorizationRequestOpts,\n CodeChallengeMethod,\n CommonAuthorizationChallengeRequest,\n convertJsonToURI,\n CreateRequestObjectMode,\n CredentialConfigurationSupportedV1_0_13,\n CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13,\n CredentialDefinitionJwtVcJsonV1_0_13,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n determineSpecVersionFromOffer,\n EndpointMetadata,\n EndpointMetadataResultV1_0_13,\n formPost,\n IssuerOpts,\n isW3cCredentialSupported,\n JsonURIMode,\n Jwt,\n OpenId4VCIVersion,\n OpenIDResponse,\n PARMode,\n PKCEOpts,\n PushedAuthorizationResponse,\n RequestObjectOpts,\n ResponseType,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { MetadataClient } from './MetadataClient'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci')\n\nexport async function createSignedAuthRequestWhenNeeded(requestObject: Record, opts: RequestObjectOpts & { aud?: string }) {\n if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_URI) {\n throw Error(`Request Object Mode ${opts.requestObjectMode} is not supported yet`)\n } else if (opts.requestObjectMode === CreateRequestObjectMode.REQUEST_OBJECT) {\n if (typeof opts.signCallbacks?.signCallback !== 'function') {\n throw Error(`No request object sign callback found, whilst request object mode was set to ${opts.requestObjectMode}`)\n } else if (!opts.kid) {\n throw Error(`No kid found, whilst request object mode was set to ${opts.requestObjectMode}`)\n }\n let client_metadata: any\n if (opts.clientMetadata || opts.jwksUri) {\n client_metadata = opts.clientMetadata ?? {}\n if (opts.jwksUri) {\n client_metadata['jwks_uri'] = opts.jwksUri\n }\n }\n let authorization_details = requestObject['authorization_details']\n if (typeof authorization_details === 'string') {\n authorization_details = JSON.parse(requestObject.authorization_details)\n }\n if (!requestObject.aud && opts.aud) {\n requestObject.aud = opts.aud\n }\n const iss = requestObject.iss ?? opts.iss ?? requestObject.client_id\n\n const jwt: Jwt = {\n header: { alg: 'ES256', kid: opts.kid, typ: 'JWT' },\n payload: { ...requestObject, iss, authorization_details, ...(client_metadata && { client_metadata }) },\n }\n const pop = await ProofOfPossessionBuilder.fromJwt({\n jwt,\n callbacks: opts.signCallbacks,\n version: OpenId4VCIVersion.VER_1_0_11,\n mode: 'JWT',\n }).build()\n requestObject['request'] = pop.jwt\n }\n}\n\nfunction filterSupportedCredentials(\n credentialOffer: CredentialOfferPayloadV1_0_13,\n credentialsSupported?: Record,\n): (CredentialConfigurationSupportedV1_0_13 & { configuration_id: string })[] {\n if (!credentialOffer.credential_configuration_ids || !credentialsSupported) {\n return []\n }\n return Object.entries(credentialsSupported)\n .filter((entry) => credentialOffer.credential_configuration_ids?.includes(entry[0]))\n .map((entry) => {\n return { ...entry[1], configuration_id: entry[0] }\n })\n}\n\nexport const createAuthorizationRequestUrl = async ({\n pkce,\n endpointMetadata,\n authorizationRequest,\n credentialOffer,\n credentialConfigurationSupported,\n clientId,\n version,\n}: {\n pkce: PKCEOpts\n endpointMetadata: EndpointMetadataResultV1_0_13\n authorizationRequest: AuthorizationRequestOpts\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n credentialConfigurationSupported?: Record\n clientId?: string\n version?: OpenId4VCIVersion\n}): Promise => {\n function removeDisplayAndValueTypes(obj: any) {\n const newObj = { ...obj }\n for (const prop in newObj) {\n if (['display', 'value_type'].includes(prop)) {\n delete newObj[prop]\n } else if (typeof newObj[prop] === 'object') {\n newObj[prop] = removeDisplayAndValueTypes(newObj[prop])\n }\n }\n\n return newObj\n }\n\n const { redirectUri, requestObjectOpts = { requestObjectMode: CreateRequestObjectMode.NONE } } = authorizationRequest\n const client_id = clientId ?? authorizationRequest.clientId\n\n // Authorization server metadata takes precedence\n const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata\n\n let { authorizationDetails } = authorizationRequest\n const parMode = authorizationMetadata?.require_pushed_authorization_requests\n ? PARMode.REQUIRE\n : (authorizationRequest.parMode ?? (client_id ? PARMode.AUTO : PARMode.NEVER))\n // Scope and authorization_details can be used in the same authorization request\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param\n if (!authorizationRequest.scope && !authorizationDetails) {\n if (!credentialOffer) {\n throw Error('Please provide a scope or authorization_details if no credential offer is present')\n }\n if ('credentials' in credentialOffer.credential_offer) {\n throw new Error('CredentialOffer format is wrong.')\n }\n const ver = version ?? determineSpecVersionFromOffer(credentialOffer.credential_offer) ?? OpenId4VCIVersion.VER_1_0_13\n const creds =\n ver === OpenId4VCIVersion.VER_1_0_13\n ? filterSupportedCredentials(credentialOffer.credential_offer as CredentialOfferPayloadV1_0_13, credentialConfigurationSupported)\n : []\n\n authorizationDetails = creds.flatMap((cred) => {\n const locations = [credentialOffer?.credential_offer.credential_issuer ?? endpointMetadata.issuer]\n\n // TODO: credential_configuration_id seems to always be defined?\n const credential_configuration_id: string | undefined = cred.configuration_id\n const format = credential_configuration_id ? undefined : cred.format\n\n if (!credential_configuration_id && !cred.format) {\n throw Error('format is required in authorization details')\n }\n\n // SD-JWT VC\n const vct = cred.format === 'vc+sd-jwt' ? cred.vct : undefined\n const doctype = cred.format === 'mso_mdoc' ? cred.doctype : undefined\n\n // W3C credentials have a credential definition, the rest does not\n let credential_definition: undefined | Partial =\n undefined\n if (isW3cCredentialSupported(cred)) {\n credential_definition = {\n ...cred.credential_definition,\n // type: OPTIONAL. Array as defined in Appendix A.1.1.2. This claim contains the type values the Wallet requests authorization for at the Credential Issuer. It MUST be present if the claim format is present in the root of the authorization details object. It MUST not be present otherwise.\n // It meens we have a config_id, already mapping it to an explicit format and types\n type: format ? cred.credential_definition.type : undefined,\n credentialSubject: cred.credential_definition.credentialSubject\n ? removeDisplayAndValueTypes(cred.credential_definition.credentialSubject)\n : undefined,\n }\n }\n\n return {\n type: 'openid_credential',\n locations,\n ...(credential_definition && { credential_definition }),\n ...(credential_configuration_id && { credential_configuration_id }),\n ...(format && { format }),\n ...(vct && { vct, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined }),\n ...(doctype && { doctype, claims: cred.claims ? removeDisplayAndValueTypes(cred.claims) : undefined }),\n } as AuthorizationDetails\n })\n if (!authorizationDetails || authorizationDetails.length === 0) {\n throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`)\n }\n }\n if (!endpointMetadata?.authorization_endpoint) {\n throw Error('Server metadata does not contain authorization endpoint')\n }\n const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint\n\n let queryObj: Record | PushedAuthorizationResponse = {\n response_type: ResponseType.AUTH_CODE,\n ...(!pkce.disabled && {\n code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod.S256,\n code_challenge: pkce.codeChallenge,\n }),\n authorization_details: JSON.stringify(handleAuthorizationDetails(endpointMetadata, authorizationDetails)),\n ...(redirectUri && { redirect_uri: redirectUri }),\n ...(client_id && { client_id }),\n\n ...(credentialOffer?.issuerState && {\n issuer_state: credentialOffer.issuerState,\n }),\n scope: authorizationRequest.scope,\n }\n\n if (credentialOffer?.issuerState) {\n /* We also pass it in as state, as this would allow an external AS without integration to return it back to the wallet */\n queryObj.state = credentialOffer?.issuerState\n }\n\n if (!parEndpoint && parMode === PARMode.REQUIRE) {\n throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`)\n } else if (parEndpoint && parMode !== PARMode.NEVER) {\n logger.debug(`USING PAR with endpoint ${parEndpoint}`)\n\n const parResponse = await formPost(\n parEndpoint,\n convertJsonToURI(queryObj, {\n mode: JsonURIMode.X_FORM_WWW_URLENCODED,\n uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state', 'state'],\n }),\n { contentType: 'application/x-www-form-urlencoded', accept: 'application/json' },\n )\n if (parResponse.errorBody || !parResponse.successBody) {\n if (parMode === PARMode.REQUIRE) {\n throw Error(`PAR error: ${parResponse.origResponse.statusText}`)\n }\n\n logger.debug('Falling back to regular request URI, since PAR failed', JSON.stringify(parResponse.errorBody))\n } else {\n logger.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`)\n queryObj = { /*response_type: ResponseType.AUTH_CODE,*/ client_id, request_uri: parResponse.successBody.request_uri }\n }\n }\n await createSignedAuthRequestWhenNeeded(queryObj, { ...requestObjectOpts, aud: endpointMetadata.authorization_server })\n\n logger.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2))\n const url = convertJsonToURI(queryObj, {\n baseUrl: endpointMetadata.authorization_endpoint,\n uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state', 'state'],\n // arrayTypeProperties: ['authorization_details'],\n mode: JsonURIMode.X_FORM_WWW_URLENCODED,\n // We do not add the version here, as this always needs to be form encoded\n })\n logger.debug(`Authorization Request URL: ${url}`)\n return url\n}\n\nconst handleAuthorizationDetails = (\n endpointMetadata: EndpointMetadataResultV1_0_13,\n authorizationDetails?: AuthorizationDetails | AuthorizationDetails[],\n): AuthorizationDetails | AuthorizationDetails[] | undefined => {\n if (authorizationDetails) {\n if (typeof authorizationDetails === 'string') {\n // backwards compat for older versions of the lib\n return authorizationDetails\n }\n if (Array.isArray(authorizationDetails)) {\n return authorizationDetails\n .filter((value) => typeof value !== 'string')\n .map((value) => handleLocations(endpointMetadata, typeof value === 'string' ? value : { ...value }))\n } else {\n return handleLocations(endpointMetadata, { ...authorizationDetails })\n }\n }\n return authorizationDetails\n}\n\nconst handleLocations = (endpointMetadata: EndpointMetadataResultV1_0_13, authorizationDetails: AuthorizationDetails) => {\n if (typeof authorizationDetails === 'string') {\n // backwards compat for older versions of the lib\n return authorizationDetails\n }\n if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {\n if (authorizationDetails.locations) {\n if (Array.isArray(authorizationDetails.locations)) {\n authorizationDetails.locations.push(endpointMetadata.issuer)\n } else {\n authorizationDetails.locations = [authorizationDetails.locations as string, endpointMetadata.issuer]\n }\n } else {\n authorizationDetails.locations = [endpointMetadata.issuer]\n }\n }\n return authorizationDetails\n}\n\nexport const acquireAuthorizationChallengeAuthCode = async (\n opts: AuthorizationChallengeRequestOpts,\n): Promise> => {\n const { metadata } = opts\n\n const issuer = opts.credentialIssuer ?? (opts?.metadata?.issuer as string)\n if (!issuer) {\n throw Error('Issuer required at this point')\n }\n\n const issuerOpts = {\n issuer,\n }\n\n return await acquireAuthorizationChallengeAuthCodeUsingRequest({\n authorizationChallengeRequest: await createAuthorizationChallengeRequest(opts),\n metadata,\n issuerOpts,\n })\n}\n\nexport const acquireAuthorizationChallengeAuthCodeUsingRequest = async (opts: {\n authorizationChallengeRequest: CommonAuthorizationChallengeRequest\n metadata?: EndpointMetadata\n issuerOpts?: IssuerOpts\n}): Promise> => {\n const { authorizationChallengeRequest, issuerOpts } = opts\n const metadata = opts?.metadata\n ? opts?.metadata\n : issuerOpts?.fetchMetadata\n ? await MetadataClient.retrieveAllMetadata(issuerOpts.issuer, { errorOnNotFound: false })\n : undefined\n const authorizationChallengeCodeUrl = metadata?.authorization_challenge_endpoint\n\n if (!authorizationChallengeCodeUrl) {\n return Promise.reject(Error('Cannot determine authorization challenge endpoint URL'))\n }\n\n const response = await sendAuthorizationChallengeRequest(authorizationChallengeCodeUrl, authorizationChallengeRequest)\n\n return response\n}\n\nexport const createAuthorizationChallengeRequest = async (opts: AuthorizationChallengeRequestOpts): Promise => {\n const { clientId, issuerState, authSession, scope, codeChallenge, codeChallengeMethod, presentationDuringIssuanceSession } = opts\n\n const request: CommonAuthorizationChallengeRequest = {\n client_id: clientId,\n issuer_state: issuerState,\n auth_session: authSession,\n scope,\n code_challenge: codeChallenge,\n code_challenge_method: codeChallengeMethod,\n presentation_during_issuance_session: presentationDuringIssuanceSession,\n }\n\n return request\n}\n\nexport const sendAuthorizationChallengeRequest = async (\n authorizationChallengeCodeUrl: string,\n authorizationChallengeRequest: CommonAuthorizationChallengeRequest,\n opts?: { headers?: Record },\n): Promise> => {\n return await formPost(authorizationChallengeCodeUrl, convertJsonToURI(authorizationChallengeRequest, { mode: JsonURIMode.X_FORM_WWW_URLENCODED }), {\n customHeaders: opts?.headers ? opts.headers : undefined,\n })\n}\n","import {\n AuthorizationServerMetadata,\n AuthorizationServerType,\n CredentialIssuerMetadataV1_0_11,\n CredentialIssuerMetadataV1_0_13,\n CredentialOfferPayload,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n determineSpecVersionFromOffer,\n EndpointMetadataResultV1_0_11,\n EndpointMetadataResultV1_0_13,\n getIssuerFromCredentialOfferPayload,\n IssuerMetadataV1_0_08,\n OpenId4VCIVersion,\n OpenIDResponse,\n WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { MetadataClientV1_0_11 } from './MetadataClientV1_0_11'\nimport { MetadataClientV1_0_13 } from './MetadataClientV1_0_13'\nimport { retrieveWellknown } from './functions'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:metadata')\n\nexport class MetadataClient {\n /**\n * Retrieve metadata using the Initiation obtained from a previous step\n *\n * @param credentialOffer\n */\n public static async retrieveAllMetadataFromCredentialOffer(\n credentialOffer: CredentialOfferRequestWithBaseUrl,\n ): Promise {\n if (determineSpecVersionFromOffer(credentialOffer.credential_offer) >= OpenId4VCIVersion.VER_1_0_13) {\n return await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(credentialOffer)\n } else {\n return await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(credentialOffer)\n }\n }\n\n /**\n * Retrieve the metada using the initiation request obtained from a previous step\n * @param request\n */\n public static async retrieveAllMetadataFromCredentialOfferRequest(\n request: CredentialOfferPayload,\n ): Promise {\n const issuer = getIssuerFromCredentialOfferPayload(request)\n if (issuer) {\n if (determineSpecVersionFromOffer(request) >= OpenId4VCIVersion.VER_1_0_13) {\n return MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOfferRequest(request as CredentialOfferPayloadV1_0_13)\n } else {\n return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(request)\n }\n }\n throw new Error(\"can't retrieve metadata from CredentialOfferRequest. No issuer field is present\")\n }\n\n /**\n * Retrieve all metadata from an issuer\n * @param issuer The issuer URL\n * @param opts\n */\n public static async retrieveAllMetadata(\n issuer: string,\n opts?: { errorOnNotFound: boolean },\n ): Promise {\n let token_endpoint: string | undefined\n let credential_endpoint: string | undefined\n let deferred_credential_endpoint: string | undefined\n let authorization_endpoint: string | undefined\n let authorization_challenge_endpoint: string | undefined\n let authorizationServerType: AuthorizationServerType = 'OID4VCI'\n let authorization_servers: string[] | undefined = [issuer]\n let authorization_server: string | undefined = undefined\n const oid4vciResponse = await MetadataClient.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }) // We will handle errors later, given we will also try other metadata locations\n let credentialIssuerMetadata = oid4vciResponse?.successBody\n if (credentialIssuerMetadata) {\n logger.debug(`Issuer ${issuer} OID4VCI well-known server metadata\\r\\n${JSON.stringify(credentialIssuerMetadata)}`)\n credential_endpoint = credentialIssuerMetadata.credential_endpoint\n deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint\n ? (credentialIssuerMetadata.deferred_credential_endpoint as string)\n : undefined\n if (credentialIssuerMetadata.token_endpoint) {\n token_endpoint = credentialIssuerMetadata.token_endpoint\n }\n authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint\n if (credentialIssuerMetadata.authorization_servers) {\n authorization_servers = credentialIssuerMetadata.authorization_servers as string[]\n } else if (credentialIssuerMetadata.authorization_server) {\n authorization_server = credentialIssuerMetadata.authorization_server as string\n authorization_servers = [authorization_server]\n }\n }\n // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first\n // TODO: for now we're taking just the first one\n let response: OpenIDResponse = await retrieveWellknown(\n authorization_servers[0],\n WellKnownEndpoints.OPENID_CONFIGURATION,\n {\n errorOnNotFound: false,\n },\n )\n let authMetadata = response.successBody\n if (authMetadata) {\n logger.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`)\n authorizationServerType = 'OIDC'\n } else {\n // Now let's do OAuth2\n // TODO: for now we're taking just the first one\n response = await retrieveWellknown(authorization_servers[0], WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false })\n authMetadata = response.successBody\n }\n if (!authMetadata) {\n // We will always throw an error, no matter whether the user provided the option not to, because this is bad.\n if (!authorization_servers.includes(issuer)) {\n throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_servers}, but that server did not provide metadata`)\n }\n } else {\n if (!authorizationServerType) {\n authorizationServerType = 'OAuth 2.0'\n }\n logger.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`)\n if (!authMetadata.authorization_endpoint) {\n console.warn(\n `Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`,\n )\n } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`,\n )\n }\n authorization_endpoint = authMetadata.authorization_endpoint\n if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`,\n )\n }\n authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint\n if (!authMetadata.token_endpoint) {\n throw Error(`Authorization Server ${authorization_servers} did not provide a token_endpoint`)\n } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {\n throw Error(\n `Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`,\n )\n }\n token_endpoint = authMetadata.token_endpoint\n if (authMetadata.credential_endpoint) {\n if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {\n logger.debug(\n `Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`,\n )\n } else {\n credential_endpoint = authMetadata.credential_endpoint\n }\n }\n if (authMetadata.deferred_credential_endpoint) {\n if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {\n logger.debug(\n `Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`,\n )\n } else {\n deferred_credential_endpoint = authMetadata.deferred_credential_endpoint\n }\n }\n }\n\n if (!authorization_endpoint) {\n logger.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`)\n }\n if (!token_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the token_endpoint for ${issuer}`)\n } else {\n token_endpoint = `${issuer}${issuer.endsWith('/') ? 'token' : '/token'}`\n }\n }\n if (!credential_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the credential endpoint for ${issuer}`)\n } else {\n credential_endpoint = `${issuer}${issuer.endsWith('/') ? 'credential' : '/credential'}`\n }\n }\n\n if (!credentialIssuerMetadata && authMetadata) {\n // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it\n credentialIssuerMetadata = authorization_server\n ? (authMetadata as CredentialIssuerMetadataV1_0_11)\n : (authMetadata as CredentialIssuerMetadataV1_0_13)\n }\n logger.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`)\n\n return {\n issuer,\n token_endpoint,\n credential_endpoint,\n deferred_credential_endpoint,\n ...(authorization_server ? { authorization_server } : { authorization_servers: authorization_servers }),\n authorization_endpoint,\n authorization_challenge_endpoint,\n authorizationServerType,\n credentialIssuerMetadata: authorization_server\n ? (credentialIssuerMetadata as IssuerMetadataV1_0_08 & Partial)\n : (credentialIssuerMetadata as CredentialIssuerMetadataV1_0_13),\n authorizationServerMetadata: authMetadata,\n } as EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11\n }\n\n /**\n * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata\n *\n * @param issuerHost The issuer hostname\n * @param opts\n */\n public static async retrieveOpenID4VCIServerMetadata(\n issuerHost: string,\n opts?: {\n errorOnNotFound?: boolean\n },\n ): Promise<\n | OpenIDResponse<\n CredentialIssuerMetadataV1_0_11 | CredentialIssuerMetadataV1_0_13 | (IssuerMetadataV1_0_08 & Partial)\n >\n | undefined\n > {\n return retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {\n errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,\n })\n }\n}\n","import {\n AuthorizationServerMetadata,\n AuthorizationServerType,\n CredentialIssuerMetadataV1_0_11,\n CredentialOfferPayload,\n CredentialOfferRequestWithBaseUrl,\n EndpointMetadataResultV1_0_11,\n getIssuerFromCredentialOfferPayload,\n IssuerMetadataV1_0_08,\n OpenIDResponse,\n WellKnownEndpoints,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { retrieveWellknown } from './functions/OpenIDUtils'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:metadata')\n\nexport class MetadataClientV1_0_11 {\n /**\n * Retrieve metadata using the Initiation obtained from a previous step\n *\n * @param credentialOffer\n */\n public static async retrieveAllMetadataFromCredentialOffer(\n credentialOffer: CredentialOfferRequestWithBaseUrl,\n ): Promise {\n return MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOfferRequest(credentialOffer.credential_offer)\n }\n\n /**\n * Retrieve the metada using the initiation request obtained from a previous step\n * @param request\n */\n public static async retrieveAllMetadataFromCredentialOfferRequest(request: CredentialOfferPayload): Promise {\n const issuer = getIssuerFromCredentialOfferPayload(request)\n if (issuer) {\n return MetadataClientV1_0_11.retrieveAllMetadata(issuer)\n }\n throw new Error(\"can't retrieve metadata from CredentialOfferRequest. No issuer field is present\")\n }\n\n /**\n * Retrieve all metadata from an issuer\n * @param issuer The issuer URL\n * @param opts\n */\n public static async retrieveAllMetadata(issuer: string, opts?: { errorOnNotFound: boolean }): Promise {\n let token_endpoint: string | undefined\n let credential_endpoint: string | undefined\n let deferred_credential_endpoint: string | undefined\n let authorization_endpoint: string | undefined\n let authorization_challenge_endpoint: string | undefined\n let authorizationServerType: AuthorizationServerType = 'OID4VCI'\n let authorization_server: string = issuer\n const oid4vciResponse = await MetadataClientV1_0_11.retrieveOpenID4VCIServerMetadata(issuer, { errorOnNotFound: false }) // We will handle errors later, given we will also try other metadata locations\n let credentialIssuerMetadata = oid4vciResponse?.successBody\n if (credentialIssuerMetadata) {\n logger.debug(`Issuer ${issuer} OID4VCI well-known server metadata\\r\\n${JSON.stringify(credentialIssuerMetadata)}`)\n credential_endpoint = credentialIssuerMetadata.credential_endpoint\n deferred_credential_endpoint = credentialIssuerMetadata.deferred_credential_endpoint\n if (credentialIssuerMetadata.token_endpoint) {\n token_endpoint = credentialIssuerMetadata.token_endpoint\n }\n authorization_challenge_endpoint = credentialIssuerMetadata.authorization_challenge_endpoint\n if (credentialIssuerMetadata.authorization_server) {\n authorization_server = credentialIssuerMetadata.authorization_server\n }\n if (credentialIssuerMetadata.authorization_endpoint) {\n authorization_endpoint = credentialIssuerMetadata.authorization_endpoint\n }\n }\n // No specific OID4VCI endpoint. Either can be an OAuth2 AS or an OIDC IDP. Let's start with OIDC first\n let response: OpenIDResponse = await retrieveWellknown(\n authorization_server,\n WellKnownEndpoints.OPENID_CONFIGURATION,\n {\n errorOnNotFound: false,\n },\n )\n let authMetadata = response.successBody\n if (authMetadata) {\n logger.debug(`Issuer ${issuer} has OpenID Connect Server metadata in well-known location`)\n authorizationServerType = 'OIDC'\n } else {\n // Now let's do OAuth2\n response = await retrieveWellknown(authorization_server, WellKnownEndpoints.OAUTH_AS, { errorOnNotFound: false })\n authMetadata = response.successBody\n }\n if (!authMetadata) {\n // We will always throw an error, no matter whether the user provided the option not to, because this is bad.\n if (issuer !== authorization_server) {\n throw Error(`Issuer ${issuer} provided a separate authorization server ${authorization_server}, but that server did not provide metadata`)\n }\n } else {\n if (!authorizationServerType) {\n authorizationServerType = 'OAuth 2.0'\n }\n logger.debug(`Issuer ${issuer} has ${authorizationServerType} Server metadata in well-known location`)\n if (!authMetadata.authorization_endpoint) {\n console.warn(\n `Issuer ${issuer} of type ${authorizationServerType} has no authorization_endpoint! Will use ${authorization_endpoint}. This only works for pre-authorized flows`,\n )\n } else if (authorization_endpoint && authMetadata.authorization_endpoint !== authorization_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_endpoint (${authorization_endpoint}) from the Authorization Server (${authMetadata.authorization_endpoint})`,\n )\n }\n authorization_endpoint = authMetadata.authorization_endpoint\n if (authorization_challenge_endpoint && authMetadata.authorization_challenge_endpoint !== authorization_challenge_endpoint) {\n throw Error(\n `Credential issuer has a different authorization_challenge_endpoint (${authorization_challenge_endpoint}) from the Authorization Server (${authMetadata.authorization_challenge_endpoint})`,\n )\n }\n authorization_challenge_endpoint = authMetadata.authorization_challenge_endpoint\n if (!authMetadata.token_endpoint) {\n throw Error(`Authorization Server ${authorization_server} did not provide a token_endpoint`)\n } else if (token_endpoint && authMetadata.token_endpoint !== token_endpoint) {\n throw Error(\n `Credential issuer has a different token_endpoint (${token_endpoint}) from the Authorization Server (${authMetadata.token_endpoint})`,\n )\n }\n token_endpoint = authMetadata.token_endpoint\n if (authMetadata.credential_endpoint) {\n if (credential_endpoint && authMetadata.credential_endpoint !== credential_endpoint) {\n logger.debug(\n `Credential issuer has a different credential_endpoint (${credential_endpoint}) from the Authorization Server (${authMetadata.credential_endpoint}). Will use the issuer value`,\n )\n } else {\n credential_endpoint = authMetadata.credential_endpoint\n }\n }\n if (authMetadata.deferred_credential_endpoint) {\n if (deferred_credential_endpoint && authMetadata.deferred_credential_endpoint !== deferred_credential_endpoint) {\n logger.debug(\n `Credential issuer has a different deferred_credential_endpoint (${deferred_credential_endpoint}) from the Authorization Server (${authMetadata.deferred_credential_endpoint}). Will use the issuer value`,\n )\n } else {\n deferred_credential_endpoint = authMetadata.deferred_credential_endpoint\n }\n }\n }\n\n if (!authorization_endpoint) {\n logger.debug(`Issuer ${issuer} does not expose authorization_endpoint, so only pre-auth will be supported`)\n }\n if (!token_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a token_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the token_endpoint for ${issuer}`)\n } else {\n token_endpoint = `${issuer}${issuer.endsWith('/') ? 'token' : '/token'}`\n }\n }\n if (!credential_endpoint) {\n logger.debug(`Issuer ${issuer} does not have a credential_endpoint listed in well-known locations!`)\n if (opts?.errorOnNotFound) {\n throw Error(`Could not deduce the credential endpoint for ${issuer}`)\n } else {\n credential_endpoint = `${issuer}${issuer.endsWith('/') ? 'credential' : '/credential'}`\n }\n }\n\n if (!credentialIssuerMetadata && authMetadata) {\n // Apparently everything worked out and the issuer is exposing everything in oAuth2/OIDC well-knowns. Spec is vague about this situation, but we can support it\n credentialIssuerMetadata = authMetadata as CredentialIssuerMetadataV1_0_11\n }\n logger.debug(`Issuer ${issuer} token endpoint ${token_endpoint}, credential endpoint ${credential_endpoint}`)\n return {\n issuer,\n token_endpoint,\n credential_endpoint,\n deferred_credential_endpoint,\n authorization_server,\n authorization_endpoint,\n authorization_challenge_endpoint,\n authorizationServerType,\n credentialIssuerMetadata: credentialIssuerMetadata as unknown as Partial & IssuerMetadataV1_0_08,\n authorizationServerMetadata: authMetadata,\n }\n }\n\n /**\n * Retrieve only the OID4VCI metadata for the issuer. So no OIDC/OAuth2 metadata\n *\n * @param issuerHost The issuer hostname\n */\n public static async retrieveOpenID4VCIServerMetadata(\n issuerHost: string,\n opts?: {\n errorOnNotFound?: boolean\n },\n ): Promise | undefined> {\n return retrieveWellknown(issuerHost, WellKnownEndpoints.OPENID4VCI_ISSUER, {\n errorOnNotFound: opts?.errorOnNotFound === undefined ? true : opts.errorOnNotFound,\n })\n }\n}\n","import {\n AuthorizationDetails,\n AuthorizationRequestOpts,\n CodeChallengeMethod,\n convertJsonToURI,\n CreateRequestObjectMode,\n CredentialOfferFormatV1_0_11,\n CredentialOfferPayloadV1_0_11,\n CredentialOfferRequestWithBaseUrl,\n CredentialsSupportedLegacy,\n EndpointMetadataResultV1_0_11,\n formPost,\n JsonURIMode,\n PARMode,\n PKCEOpts,\n PushedAuthorizationResponse,\n ResponseType,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { createSignedAuthRequestWhenNeeded } from './AuthorizationCodeClient'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci')\n\nexport const createAuthorizationRequestUrlV1_0_11 = async ({\n pkce,\n endpointMetadata,\n authorizationRequest,\n credentialOffer,\n credentialsSupported,\n}: {\n pkce: PKCEOpts\n endpointMetadata: EndpointMetadataResultV1_0_11\n authorizationRequest: AuthorizationRequestOpts\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n credentialsSupported?: CredentialsSupportedLegacy[]\n}): Promise => {\n const { redirectUri, clientId, requestObjectOpts = { requestObjectMode: CreateRequestObjectMode.NONE } } = authorizationRequest\n let { scope, authorizationDetails } = authorizationRequest\n\n const parMode = endpointMetadata?.credentialIssuerMetadata?.require_pushed_authorization_requests\n ? PARMode.REQUIRE\n : (authorizationRequest.parMode ?? PARMode.AUTO)\n // Scope and authorization_details can be used in the same authorization request\n // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-23#name-relationship-to-scope-param\n if (!scope && !authorizationDetails) {\n if (!credentialOffer) {\n throw Error('Please provide a scope or authorization_details if no credential offer is present')\n }\n const creds: (CredentialOfferFormatV1_0_11 | string)[] = (credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials\n\n // FIXME: complains about VCT for sd-jwt\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n authorizationDetails = creds\n .flatMap((cred) => (typeof cred === 'string' ? credentialsSupported : (cred as CredentialsSupportedLegacy)))\n .filter((cred) => !!cred)\n .map((cred) => {\n return {\n ...cred,\n type: 'openid_credential',\n locations: [endpointMetadata.issuer],\n\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n format: cred!.format,\n } satisfies AuthorizationDetails\n })\n if (!authorizationDetails || (Array.isArray(authorizationDetails) && authorizationDetails.length === 0)) {\n throw Error(`Could not create authorization details from credential offer. Please pass in explicit details`)\n }\n }\n if (!endpointMetadata?.authorization_endpoint) {\n throw Error('Server metadata does not contain authorization endpoint')\n }\n const parEndpoint = endpointMetadata.credentialIssuerMetadata?.pushed_authorization_request_endpoint\n\n // add 'openid' scope if not present\n if (!scope?.includes('openid')) {\n scope = ['openid', scope].filter((s) => !!s).join(' ')\n }\n\n let queryObj: { [key: string]: string } | PushedAuthorizationResponse = {\n response_type: ResponseType.AUTH_CODE,\n ...(!pkce.disabled && {\n code_challenge_method: pkce.codeChallengeMethod ?? CodeChallengeMethod.S256,\n code_challenge: pkce.codeChallenge,\n }),\n authorization_details: JSON.stringify(handleAuthorizationDetailsV1_0_11(endpointMetadata, authorizationDetails)),\n ...(redirectUri && { redirect_uri: redirectUri }),\n ...(clientId && { client_id: clientId }),\n ...(credentialOffer?.issuerState && { issuer_state: credentialOffer.issuerState }),\n scope,\n }\n\n if (!parEndpoint && parMode === PARMode.REQUIRE) {\n throw Error(`PAR mode is set to required by Authorization Server does not support PAR!`)\n } else if (parEndpoint && parMode !== PARMode.NEVER) {\n logger.debug(`USING PAR with endpoint ${parEndpoint}`)\n const parResponse = await formPost(\n parEndpoint,\n convertJsonToURI(queryObj, {\n mode: JsonURIMode.X_FORM_WWW_URLENCODED,\n uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state'],\n }),\n { contentType: 'application/x-www-form-urlencoded', accept: 'application/json' },\n )\n if (parResponse.errorBody || !parResponse.successBody) {\n console.log(JSON.stringify(parResponse.errorBody))\n console.log('Falling back to regular request URI, since PAR failed')\n if (parMode === PARMode.REQUIRE) {\n throw Error(`PAR error: ${parResponse.origResponse.statusText}`)\n }\n } else {\n logger.debug(`PAR response: ${JSON.stringify(parResponse.successBody, null, 2)}`)\n queryObj = { request_uri: parResponse.successBody.request_uri }\n }\n }\n await createSignedAuthRequestWhenNeeded(queryObj, { ...requestObjectOpts, aud: endpointMetadata.authorization_server })\n\n logger.debug(`Object that will become query params: ` + JSON.stringify(queryObj, null, 2))\n const url = convertJsonToURI(queryObj, {\n baseUrl: endpointMetadata.authorization_endpoint,\n uriTypeProperties: ['client_id', 'request_uri', 'redirect_uri', 'scope', 'authorization_details', 'issuer_state'],\n // arrayTypeProperties: ['authorization_details'],\n mode: JsonURIMode.X_FORM_WWW_URLENCODED,\n // We do not add the version here, as this always needs to be form encoded\n })\n logger.debug(`Authorization Request URL: ${url}`)\n return url\n}\n\nconst handleAuthorizationDetailsV1_0_11 = (\n endpointMetadata: EndpointMetadataResultV1_0_11,\n authorizationDetails?: AuthorizationDetails | AuthorizationDetails[],\n): AuthorizationDetails | AuthorizationDetails[] | undefined => {\n if (authorizationDetails) {\n if (typeof authorizationDetails === 'string') {\n // backwards compat for older versions of the lib\n return authorizationDetails\n }\n if (Array.isArray(authorizationDetails)) {\n return authorizationDetails\n .filter((value) => typeof value !== 'string')\n .map((value) => handleLocations(endpointMetadata, typeof value === 'string' ? value : { ...value }))\n } else {\n return handleLocations(endpointMetadata, { ...authorizationDetails })\n }\n }\n return authorizationDetails\n}\n\nconst handleLocations = (endpointMetadata: EndpointMetadataResultV1_0_11, authorizationDetails: AuthorizationDetails) => {\n if (typeof authorizationDetails === 'string') {\n // backwards compat for older versions of the lib\n return authorizationDetails\n }\n if (authorizationDetails && (endpointMetadata.credentialIssuerMetadata?.authorization_server || endpointMetadata.authorization_endpoint)) {\n if (authorizationDetails.locations) {\n if (Array.isArray(authorizationDetails.locations)) {\n authorizationDetails.locations.push(endpointMetadata.issuer)\n } else {\n authorizationDetails.locations = [authorizationDetails.locations as string, endpointMetadata.issuer]\n }\n } else {\n authorizationDetails.locations = [endpointMetadata.issuer]\n }\n }\n return authorizationDetails\n}\n","import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'\nimport {\n acquireDeferredCredential,\n CredentialRequestV1_0_13,\n CredentialRequestWithoutProofV1_0_13,\n CredentialResponse,\n DPoPResponseParams,\n ExperimentalSubjectIssuance,\n getCredentialRequestForVersion,\n getUniformFormat,\n isDeferredCredentialResponse,\n isValidURL,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n OpenIDResponse,\n post,\n ProofOfPossession,\n UniformCredentialRequest,\n URL_NOT_VALID,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat, Loggers } from '@sphereon/ssi-types'\n\nimport { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11'\nimport { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\nimport { shouldRetryResourceRequestWithDPoPNonce } from './functions/dpopUtil'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:credential')\n\nexport interface CredentialRequestOpts {\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n credentialEndpoint: string\n notificationEndpoint?: string\n deferredCredentialEndpoint?: string\n credentialTypes?: string[]\n credentialIdentifier?: string\n format?: CredentialFormat | OID4VCICredentialFormat\n proof: ProofOfPossession\n token: string\n version: OpenId4VCIVersion\n subjectIssuance?: ExperimentalSubjectIssuance\n issuerState?: string\n}\n\nexport type CreateCredentialRequestOpts = {\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n subjectIssuance?: ExperimentalSubjectIssuance\n version: OpenId4VCIVersion\n}\n\nexport async function buildProof(\n proofInput: ProofOfPossessionBuilder | ProofOfPossession,\n opts: {\n version: OpenId4VCIVersion\n cNonce?: string\n },\n) {\n if ('proof_type' in proofInput) {\n if (opts.cNonce) {\n throw Error(`Cnonce param is only supported when using a Proof of possession builder`)\n }\n return await ProofOfPossessionBuilder.fromProof(proofInput as ProofOfPossession, opts.version).build()\n }\n if (opts.cNonce) {\n proofInput.withAccessTokenNonce(opts.cNonce)\n }\n return await proofInput.build()\n}\n\nexport class CredentialRequestClient {\n private readonly _credentialRequestOpts: Partial\n private _isDeferred = false\n\n get credentialRequestOpts(): CredentialRequestOpts {\n return this._credentialRequestOpts as CredentialRequestOpts\n }\n\n public isDeferred(): boolean {\n return this._isDeferred\n }\n\n public getCredentialEndpoint(): string {\n return this.credentialRequestOpts.credentialEndpoint\n }\n\n public getDeferredCredentialEndpoint(): string | undefined {\n return this.credentialRequestOpts.deferredCredentialEndpoint\n }\n\n public constructor(builder: CredentialRequestClientBuilderV1_0_13 | CredentialRequestClientBuilderV1_0_11) {\n this._credentialRequestOpts = { ...builder }\n }\n\n /**\n * Typically you should not use this method, as it omits a proof from the request.\n * There are certain issuers that in specific circumstances can do without this proof, because they have other means of user binding\n * like using DPoP together with an authorization code flow. These are however rare, so you should be using the acquireCredentialsUsingProof normally\n * @param opts\n */\n public async acquireCredentialsWithoutProof(opts: {\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n subjectIssuance?: ExperimentalSubjectIssuance\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise & { access_token: string }> {\n const { credentialIdentifier, credentialTypes, format, context, subjectIssuance } = opts\n\n const request = await this.createCredentialRequestWithoutProof({\n credentialTypes,\n context,\n format,\n version: this.version(),\n credentialIdentifier,\n subjectIssuance,\n })\n return await this.acquireCredentialsUsingRequestWithoutProof(request, opts.createDPoPOpts)\n }\n\n public async acquireCredentialsUsingProof(opts: {\n proofInput: ProofOfPossessionBuilder | ProofOfPossession\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n subjectIssuance?: ExperimentalSubjectIssuance\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise & { access_token: string }> {\n const { credentialIdentifier, credentialTypes, proofInput, format, context, subjectIssuance } = opts\n\n const request = await this.createCredentialRequest({\n proofInput,\n credentialTypes,\n context,\n format,\n version: this.version(),\n credentialIdentifier,\n subjectIssuance,\n })\n return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts)\n }\n\n public async acquireCredentialsUsingRequestWithoutProof(\n uniformRequest: UniformCredentialRequest,\n createDPoPOpts?: CreateDPoPClientOpts,\n ): Promise & { access_token: string }> {\n return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts)\n }\n\n public async acquireCredentialsUsingRequest(\n uniformRequest: UniformCredentialRequest,\n createDPoPOpts?: CreateDPoPClientOpts,\n ): Promise & { access_token: string }> {\n return await this.acquireCredentialsUsingRequestImpl(uniformRequest, createDPoPOpts)\n }\n\n private async acquireCredentialsUsingRequestImpl(\n uniformRequest: UniformCredentialRequest & { proof?: ProofOfPossession },\n createDPoPOpts?: CreateDPoPClientOpts,\n ): Promise & { access_token: string }> {\n if (this.version() < OpenId4VCIVersion.VER_1_0_13) {\n throw new Error('Versions below v1.0.13 (draft 13) are not supported by the V13 credential request client.')\n }\n const request: CredentialRequestV1_0_13 = getCredentialRequestForVersion(uniformRequest, this.version()) as CredentialRequestV1_0_13\n const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint\n if (!isValidURL(credentialEndpoint)) {\n logger.debug(`Invalid credential endpoint: ${credentialEndpoint}`)\n throw new Error(URL_NOT_VALID)\n }\n logger.debug(`Acquiring credential(s) from: ${credentialEndpoint}`)\n logger.debug(`request\\n: ${JSON.stringify(request, null, 2)}`)\n const requestToken: string = this.credentialRequestOpts.token\n\n let dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken })) : undefined\n\n let response = (await post(credentialEndpoint, JSON.stringify(request), {\n bearerToken: requestToken,\n ...(dPoP && { customHeaders: { dpop: dPoP } }),\n })) as OpenIDResponse & {\n access_token: string\n }\n\n let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce\n const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response)\n if (retryWithNonce.ok && createDPoPOpts) {\n createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce\n dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken }))\n\n response = (await post(credentialEndpoint, JSON.stringify(request), {\n bearerToken: requestToken,\n ...(createDPoPOpts && { customHeaders: { dpop: dPoP } }),\n })) as OpenIDResponse & {\n access_token: string\n }\n\n const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce\n }\n\n this._isDeferred = isDeferredCredentialResponse(response)\n if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {\n response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token })\n }\n response.access_token = requestToken\n\n if ((uniformRequest.credential_subject_issuance && response.successBody) || response.successBody?.credential_subject_issuance) {\n if (JSON.stringify(uniformRequest.credential_subject_issuance) !== JSON.stringify(response.successBody?.credential_subject_issuance)) {\n throw Error('Subject signing was requested, but issuer did not provide the options in its response')\n }\n }\n logger.debug(`Credential endpoint ${credentialEndpoint} response:\\r\\n${JSON.stringify(response, null, 2)}`)\n\n return {\n ...response,\n ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),\n }\n }\n\n public async acquireDeferredCredential(\n response: Pick,\n opts?: {\n bearerToken?: string\n },\n ): Promise & { access_token: string }> {\n const transactionId = response.transaction_id\n const bearerToken = response.acceptance_token ?? opts?.bearerToken\n const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint()\n if (!deferredCredentialEndpoint) {\n throw Error(`No deferred credential endpoint supplied.`)\n } else if (!bearerToken) {\n throw Error(`No bearer token present and refresh for defered endpoint not supported yet`)\n // todo updated bearer token with new c_nonce\n }\n return await acquireDeferredCredential({\n bearerToken,\n transactionId,\n deferredCredentialEndpoint,\n deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,\n deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS,\n })\n }\n\n public async createCredentialRequestWithoutProof(opts: CreateCredentialRequestOpts): Promise {\n return await this.createCredentialRequestImpl(opts)\n }\n\n public async createCredentialRequest(\n opts: CreateCredentialRequestOpts & {\n proofInput: ProofOfPossessionBuilder | ProofOfPossession\n },\n ): Promise {\n return await this.createCredentialRequestImpl(opts)\n }\n\n private async createCredentialRequestImpl(\n opts: CreateCredentialRequestOpts & {\n proofInput?: ProofOfPossessionBuilder | ProofOfPossession\n },\n ): Promise {\n const { proofInput, credentialIdentifier: credential_identifier } = opts\n let proof: ProofOfPossession | undefined = undefined\n if (proofInput) {\n proof = await buildProof(proofInput, opts)\n }\n if (credential_identifier) {\n if (opts.format || opts.credentialTypes || opts.context) {\n throw Error(`You cannot mix credential_identifier with format, credential types and/or context`)\n }\n return {\n credential_identifier,\n ...(proof && { proof }),\n }\n }\n const formatSelection = opts.format ?? this.credentialRequestOpts.format\n\n if (!formatSelection) {\n throw Error(`Format of credential to be issued is missing`)\n }\n const format = getUniformFormat(formatSelection)\n const typesSelection =\n opts?.credentialTypes && (typeof opts.credentialTypes === 'string' || opts.credentialTypes.length > 0)\n ? opts.credentialTypes\n : this.credentialRequestOpts.credentialTypes\n if (!typesSelection) {\n throw Error(`Credential type(s) need to be provided`)\n }\n const types = Array.isArray(typesSelection) ? typesSelection : [typesSelection]\n if (types.length === 0) {\n throw Error(`Credential type(s) need to be provided`)\n }\n const issuer_state = this.credentialRequestOpts.issuerState\n\n // TODO: we should move format specific logic\n if (format === 'jwt_vc_json' || format === 'jwt_vc') {\n return {\n credential_definition: {\n type: types,\n },\n format,\n ...(issuer_state && { issuer_state }),\n ...(proof && { proof }),\n ...opts.subjectIssuance,\n }\n } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {\n if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {\n throw Error('No @context value present, but it is required')\n }\n\n return {\n format,\n ...(issuer_state && { issuer_state }),\n ...(proof && { proof }),\n ...opts.subjectIssuance,\n\n credential_definition: {\n type: types,\n '@context': opts.context as string[],\n },\n }\n } else if (format === 'vc+sd-jwt') {\n if (types.length > 1) {\n throw Error(`Only a single credential type is supported for ${format}`)\n }\n return {\n format,\n ...(issuer_state && { issuer_state }),\n ...(proof && { proof }),\n vct: types[0],\n ...opts.subjectIssuance,\n }\n } else if (format === 'mso_mdoc') {\n if (types.length > 1) {\n throw Error(`Only a single credential type is supported for ${format}`)\n }\n return {\n format,\n ...(issuer_state && { issuer_state }),\n ...(proof && { proof }),\n doctype: types[0],\n ...opts.subjectIssuance,\n }\n }\n\n throw new Error(`Unsupported credential format: ${format}`)\n }\n\n private version(): OpenId4VCIVersion {\n return this.credentialRequestOpts?.version ?? OpenId4VCIVersion.VER_1_0_13\n }\n}\n","import {\n convertJsonToURI,\n convertURIToJsonObject,\n CredentialOffer,\n CredentialOfferPayload,\n CredentialOfferPayloadV1_0_09,\n CredentialOfferRequestWithBaseUrl,\n CredentialOfferV1_0_11,\n CredentialOfferV1_0_13,\n determineSpecVersionFromURI,\n OpenId4VCIVersion,\n PRE_AUTH_GRANT_LITERAL,\n toUniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\n\nimport { constructBaseResponse, handleCredentialOfferUri } from './functions'\nimport { LOG } from './types'\n\nexport class CredentialOfferClient {\n public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise {\n LOG.debug(`Credential Offer URI: ${uri}`)\n if (!uri.includes('?') || !uri.includes('://')) {\n LOG.debug(`Invalid Credential Offer URI: ${uri}`)\n throw Error(`Invalid Credential Offer Request`)\n }\n const scheme = uri.split('://')[0]\n const baseUrl = uri.split('?')[0]\n const version = determineSpecVersionFromURI(uri)\n LOG.log(`Offer URL determined to be of version ${version}`)\n let credentialOffer: CredentialOffer\n let credentialOfferPayload: CredentialOfferPayload\n // credential offer was introduced in draft 9 and credential_offer_uri in draft 11\n if (version < OpenId4VCIVersion.VER_1_0_11) {\n credentialOfferPayload = convertURIToJsonObject(uri, {\n arrayTypeProperties: ['credential_type'],\n requiredProperties: uri.includes('credential_offer=') ? ['credential_offer'] : ['issuer', 'credential_type'],\n }) as CredentialOfferPayloadV1_0_09\n credentialOffer = {\n credential_offer: credentialOfferPayload,\n }\n } else {\n if (uri.includes('credential_offer_uri')) {\n credentialOffer = (await handleCredentialOfferUri(uri)) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13\n } else {\n credentialOffer = convertURIToJsonObject(uri, {\n // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer\n arrayTypeProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],\n requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],\n }) as CredentialOfferV1_0_11 | CredentialOfferV1_0_13\n }\n if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {\n throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri) // cannot be reached since convertURIToJsonObject will check the params\n }\n }\n\n const request = await toUniformCredentialOfferRequest(credentialOffer, {\n ...opts,\n version,\n })\n\n return {\n ...constructBaseResponse(request, scheme, baseUrl),\n userPinRequired:\n request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ??\n !!request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ??\n false,\n }\n }\n\n public static toURI(\n requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,\n opts?: {\n version?: OpenId4VCIVersion\n },\n ): string {\n LOG.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`)\n const version = opts?.version ?? requestWithBaseUrl.version\n let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)\n ? requestWithBaseUrl.baseUrl\n : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`\n let param: string | undefined\n\n const isUri = requestWithBaseUrl.credential_offer_uri !== undefined\n\n if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {\n // v11 changed from encoding every param to a encoded json object with a credential_offer param key\n if (!baseUrl.includes('?')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else {\n const split = baseUrl.split('?')\n if (split.length > 1 && split[1] !== '') {\n if (baseUrl.endsWith('&')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else if (!baseUrl.endsWith('=')) {\n baseUrl += `&`\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n }\n }\n }\n }\n return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {\n baseUrl,\n arrayTypeProperties: isUri ? [] : ['credential_type'],\n uriTypeProperties: isUri\n ? ['credential_offer_uri']\n : version >= OpenId4VCIVersion.VER_1_0_13\n ? ['credential_issuer', 'credential_type']\n : ['issuer', 'credential_type'],\n param,\n version,\n })\n }\n}\n","import {\n convertJsonToURI,\n convertURIToJsonObject,\n CredentialOffer,\n CredentialOfferPayload,\n CredentialOfferPayloadV1_0_09,\n CredentialOfferRequestWithBaseUrl,\n CredentialOfferRequestWithBaseUrlV1_0_11,\n CredentialOfferV1_0_11,\n determineSpecVersionFromURI,\n getClientIdFromCredentialOfferPayload,\n OpenId4VCIVersion,\n PRE_AUTH_CODE_LITERAL,\n PRE_AUTH_GRANT_LITERAL,\n toUniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:offer')\n\nexport class CredentialOfferClientV1_0_11 {\n public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise {\n logger.debug(`Credential Offer URI: ${uri}`)\n if (!uri.includes('?') || !uri.includes('://')) {\n logger.debug(`Invalid Credential Offer URI: ${uri}`)\n throw Error(`Invalid Credential Offer Request`)\n }\n const scheme = uri.split('://')[0]\n const baseUrl = uri.split('?')[0]\n const version = determineSpecVersionFromURI(uri)\n let credentialOffer: CredentialOffer\n let credentialOfferPayload: CredentialOfferPayload\n if (version < OpenId4VCIVersion.VER_1_0_11) {\n credentialOfferPayload = convertURIToJsonObject(uri, {\n arrayTypeProperties: ['credential_type'],\n requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['issuer', 'credential_type='],\n }) as CredentialOfferPayloadV1_0_09\n credentialOffer = {\n credential_offer: credentialOfferPayload,\n }\n } else {\n credentialOffer = convertURIToJsonObject(uri, {\n arrayTypeProperties: ['credentials'],\n requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],\n }) as CredentialOfferV1_0_11\n if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {\n throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri) // cannot be reached since convertURIToJsonObject will check the params\n }\n }\n\n const request = await toUniformCredentialOfferRequest(credentialOffer, {\n ...opts,\n version,\n })\n const clientId = getClientIdFromCredentialOfferPayload(request.credential_offer)\n const grants = request.credential_offer?.grants\n\n return {\n scheme,\n baseUrl,\n ...(clientId && { clientId }),\n ...request,\n ...(grants?.authorization_code?.issuer_state && { issuerState: grants.authorization_code.issuer_state }),\n ...(grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] && {\n preAuthorizedCode: grants[PRE_AUTH_GRANT_LITERAL][PRE_AUTH_CODE_LITERAL],\n }),\n userPinRequired: !!(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.user_pin_required ?? false),\n }\n }\n\n public static toURI(\n requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,\n opts?: {\n version?: OpenId4VCIVersion\n },\n ): string {\n logger.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`)\n const version = opts?.version ?? requestWithBaseUrl.version\n let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)\n ? requestWithBaseUrl.baseUrl\n : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`\n let param: string | undefined\n\n const isUri = requestWithBaseUrl.credential_offer_uri !== undefined\n\n if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {\n // v11 changed from encoding every param to a encoded json object with a credential_offer param key\n if (!baseUrl.includes('?')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else {\n const split = baseUrl.split('?')\n if (split.length > 1 && split[1] !== '') {\n if (baseUrl.endsWith('&')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else if (!baseUrl.endsWith('=')) {\n baseUrl += `&`\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n }\n }\n }\n }\n return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {\n baseUrl,\n arrayTypeProperties: isUri ? [] : ['credential_type'],\n uriTypeProperties: isUri\n ? ['credential_offer_uri']\n : version >= OpenId4VCIVersion.VER_1_0_11\n ? ['credential_issuer', 'credential_type']\n : ['issuer', 'credential_type'],\n param,\n version,\n })\n }\n}\n","import {\n convertJsonToURI,\n convertURIToJsonObject,\n CredentialOffer,\n CredentialOfferRequestWithBaseUrl,\n CredentialOfferV1_0_13,\n determineSpecVersionFromURI,\n OpenId4VCIVersion,\n PRE_AUTH_GRANT_LITERAL,\n toUniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { Loggers } from '@sphereon/ssi-types'\n\nimport { constructBaseResponse, handleCredentialOfferUri } from './functions'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:offer')\n\nexport class CredentialOfferClientV1_0_13 {\n public static async fromURI(uri: string, opts?: { resolve?: boolean }): Promise {\n logger.debug(`Credential Offer URI: ${uri}`)\n if (!uri.includes('?') || !uri.includes('://')) {\n logger.debug(`Invalid Credential Offer URI: ${uri}`)\n throw Error(`Invalid Credential Offer Request`)\n }\n const scheme = uri.split('://')[0]\n const baseUrl = uri.split('?')[0]\n const version = determineSpecVersionFromURI(uri)\n let credentialOffer: CredentialOffer\n if (uri.includes('credential_offer_uri')) {\n // FIXME deduplicate\n credentialOffer = (await handleCredentialOfferUri(uri)) as CredentialOfferV1_0_13\n } else {\n credentialOffer = convertURIToJsonObject(uri, {\n // It must have the '=' sign after credential_offer otherwise the uri will get split at openid_credential_offer\n arrayTypeProperties: uri.includes('credential_offer_uri=')\n ? ['credential_configuration_ids', 'credential_offer_uri=']\n : ['credential_configuration_ids', 'credential_offer='],\n requiredProperties: uri.includes('credential_offer_uri=') ? ['credential_offer_uri='] : ['credential_offer='],\n }) as CredentialOfferV1_0_13\n }\n if (credentialOffer?.credential_offer_uri === undefined && !credentialOffer?.credential_offer) {\n throw Error('Either a credential_offer or credential_offer_uri should be present in ' + uri) // cannot be reached since convertURIToJsonObject will check the params\n }\n\n const request = await toUniformCredentialOfferRequest(credentialOffer, {\n ...opts,\n version,\n })\n\n return {\n ...constructBaseResponse(request, scheme, baseUrl),\n userPinRequired: !!(request.credential_offer?.grants?.[PRE_AUTH_GRANT_LITERAL]?.tx_code ?? false),\n }\n }\n\n public static toURI(\n requestWithBaseUrl: CredentialOfferRequestWithBaseUrl,\n opts?: {\n version?: OpenId4VCIVersion\n },\n ): string {\n logger.debug(`Credential Offer Request with base URL: ${JSON.stringify(requestWithBaseUrl)}`)\n const version = opts?.version ?? requestWithBaseUrl.version\n let baseUrl = requestWithBaseUrl.baseUrl.includes(requestWithBaseUrl.scheme)\n ? requestWithBaseUrl.baseUrl\n : `${requestWithBaseUrl.scheme.replace('://', '')}://${requestWithBaseUrl.baseUrl}`\n let param: string | undefined\n\n const isUri = requestWithBaseUrl.credential_offer_uri !== undefined\n\n if (version.valueOf() >= OpenId4VCIVersion.VER_1_0_11.valueOf()) {\n // v11 changed from encoding every param to a encoded json object with a credential_offer param key\n if (!baseUrl.includes('?')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else {\n const split = baseUrl.split('?')\n if (split.length > 1 && split[1] !== '') {\n if (baseUrl.endsWith('&')) {\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n } else if (!baseUrl.endsWith('=')) {\n baseUrl += `&`\n param = isUri ? 'credential_offer_uri' : 'credential_offer'\n }\n }\n }\n }\n return convertJsonToURI(requestWithBaseUrl.credential_offer_uri ?? requestWithBaseUrl.original_credential_offer, {\n baseUrl,\n arrayTypeProperties: isUri ? [] : ['credential_type'],\n uriTypeProperties: isUri\n ? ['credential_offer_uri']\n : version >= OpenId4VCIVersion.VER_1_0_13\n ? ['credential_issuer', 'credential_type']\n : ['issuer', 'credential_type'],\n param,\n version,\n })\n }\n}\n","import { createDPoP, CreateDPoPClientOpts, getCreateDPoPOptions } from '@sphereon/oid4vc-common'\nimport {\n acquireDeferredCredential,\n CredentialResponse,\n DPoPResponseParams,\n getCredentialRequestForVersion,\n getUniformFormat,\n isDeferredCredentialResponse,\n isValidURL,\n JsonLdIssuerCredentialDefinition,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n OpenIDResponse,\n post,\n ProofOfPossession,\n UniformCredentialRequest,\n URL_NOT_VALID,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat, Loggers } from '@sphereon/ssi-types'\n\nimport { buildProof } from './CredentialRequestClient'\nimport { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\nimport { shouldRetryResourceRequestWithDPoPNonce } from './functions/dpopUtil'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:credential')\n\nexport interface CredentialRequestOptsV1_0_11 {\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n credentialEndpoint: string\n deferredCredentialEndpoint?: string\n credentialTypes: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n proof: ProofOfPossession\n token: string\n version: OpenId4VCIVersion\n}\n\nexport class CredentialRequestClientV1_0_11 {\n private readonly _credentialRequestOpts: Partial\n private _isDeferred = false\n\n get credentialRequestOpts(): CredentialRequestOptsV1_0_11 {\n return this._credentialRequestOpts as CredentialRequestOptsV1_0_11\n }\n\n public isDeferred(): boolean {\n return this._isDeferred\n }\n\n public getCredentialEndpoint(): string {\n return this.credentialRequestOpts.credentialEndpoint\n }\n\n public getDeferredCredentialEndpoint(): string | undefined {\n return this.credentialRequestOpts.deferredCredentialEndpoint\n }\n\n public constructor(builder: CredentialRequestClientBuilderV1_0_11) {\n this._credentialRequestOpts = { ...builder }\n }\n\n public async acquireCredentialsUsingProof(opts: {\n proofInput: ProofOfPossessionBuilder | ProofOfPossession\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise & { access_token: string }> {\n const { credentialTypes, proofInput, format, context } = opts\n\n const request = await this.createCredentialRequest({ proofInput, credentialTypes, context, format, version: this.version() })\n return await this.acquireCredentialsUsingRequest(request, opts.createDPoPOpts)\n }\n\n public async acquireCredentialsUsingRequest(\n uniformRequest: UniformCredentialRequest,\n createDPoPOpts?: CreateDPoPClientOpts,\n ): Promise & { access_token: string }> {\n const request = getCredentialRequestForVersion(uniformRequest, this.version())\n const credentialEndpoint: string = this.credentialRequestOpts.credentialEndpoint\n if (!isValidURL(credentialEndpoint)) {\n logger.debug(`Invalid credential endpoint: ${credentialEndpoint}`)\n throw new Error(URL_NOT_VALID)\n }\n logger.debug(`Acquiring credential(s) from: ${credentialEndpoint}`)\n logger.debug(`request\\n: ${JSON.stringify(request, null, 2)}`)\n const requestToken: string = this.credentialRequestOpts.token\n\n let dPoP = createDPoPOpts ? await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken })) : undefined\n\n let response = (await post(credentialEndpoint, JSON.stringify(request), {\n bearerToken: requestToken,\n customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },\n })) as OpenIDResponse & {\n access_token: string\n }\n\n let nextDPoPNonce = createDPoPOpts?.jwtPayloadProps.nonce\n const retryWithNonce = shouldRetryResourceRequestWithDPoPNonce(response)\n if (retryWithNonce.ok && createDPoPOpts) {\n createDPoPOpts.jwtPayloadProps.nonce = retryWithNonce.dpopNonce\n dPoP = await createDPoP(getCreateDPoPOptions(createDPoPOpts, credentialEndpoint, { accessToken: requestToken }))\n\n response = (await post(credentialEndpoint, JSON.stringify(request), {\n bearerToken: requestToken,\n customHeaders: { ...(createDPoPOpts && { dpop: dPoP }) },\n })) as OpenIDResponse & {\n access_token: string\n }\n\n const successDPoPNonce = response.origResponse.headers.get('DPoP-Nonce')\n nextDPoPNonce = successDPoPNonce ?? retryWithNonce.dpopNonce\n }\n\n this._isDeferred = isDeferredCredentialResponse(response)\n if (this.isDeferred() && this.credentialRequestOpts.deferredCredentialAwait && response.successBody) {\n response = await this.acquireDeferredCredential(response.successBody, { bearerToken: this.credentialRequestOpts.token })\n }\n response.access_token = requestToken\n\n logger.debug(`Credential endpoint ${credentialEndpoint} response:\\r\\n${JSON.stringify(response, null, 2)}`)\n\n return {\n ...response,\n ...(nextDPoPNonce && { params: { dpop: { dpopNonce: nextDPoPNonce } } }),\n }\n }\n\n public async acquireDeferredCredential(\n response: Pick,\n opts?: {\n bearerToken?: string\n },\n ): Promise & { access_token: string }> {\n const transactionId = response.transaction_id\n const bearerToken = response.acceptance_token ?? opts?.bearerToken\n const deferredCredentialEndpoint = this.getDeferredCredentialEndpoint()\n if (!deferredCredentialEndpoint) {\n throw Error(`No deferred credential endpoint supplied.`)\n } else if (!bearerToken) {\n throw Error(`No bearer token present and refresh for defered endpoint not supported yet`)\n // todo updated bearer token with new c_nonce\n }\n return await acquireDeferredCredential({\n bearerToken,\n transactionId,\n deferredCredentialEndpoint,\n deferredCredentialAwait: this.credentialRequestOpts.deferredCredentialAwait,\n deferredCredentialIntervalInMS: this.credentialRequestOpts.deferredCredentialIntervalInMS,\n })\n }\n\n public async createCredentialRequest(opts: {\n proofInput: ProofOfPossessionBuilder | ProofOfPossession\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n version: OpenId4VCIVersion\n }): Promise {\n const { proofInput } = opts\n const formatSelection = opts.format ?? this.credentialRequestOpts.format\n\n if (!formatSelection) {\n throw Error(`Format of credential to be issued is missing`)\n }\n const format = getUniformFormat(formatSelection)\n const typesSelection =\n opts?.credentialTypes && (typeof opts.credentialTypes === 'string' || opts.credentialTypes.length > 0)\n ? opts.credentialTypes\n : this.credentialRequestOpts.credentialTypes\n const types = Array.isArray(typesSelection) ? typesSelection : [typesSelection]\n if (types.length === 0) {\n throw Error(`Credential type(s) need to be provided`)\n }\n // FIXME: this is mixing up the type (as id) from v8/v9 and the types (from the vc.type) from v11\n else if (!this.isV11OrHigher() && types.length !== 1) {\n throw Error('Only a single credential type is supported for V8/V9')\n }\n const proof = await buildProof(proofInput, opts)\n\n // TODO: we should move format specific logic\n if (format === 'jwt_vc_json' || format === 'jwt_vc') {\n return {\n types,\n format,\n proof,\n }\n } else if (format === 'jwt_vc_json-ld' || format === 'ldp_vc') {\n if (this.version() >= OpenId4VCIVersion.VER_1_0_12 && !opts.context) {\n throw Error('No @context value present, but it is required')\n }\n\n return {\n format,\n proof,\n\n // Ignored because v11 does not have the context value, but it is required in v12\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n credential_definition: {\n types,\n ...(opts.context && { '@context': opts.context }),\n } as JsonLdIssuerCredentialDefinition,\n }\n } else if (format === 'vc+sd-jwt') {\n if (types.length > 1) {\n throw Error(`Only a single credential type is supported for ${format}`)\n }\n\n return {\n format,\n proof,\n vct: types[0],\n }\n } else if (format === 'mso_mdoc') {\n if (types.length > 1) {\n throw Error(`Only a single credential type is supported for ${format}`)\n }\n\n return {\n format,\n proof,\n doctype: types[0],\n }\n }\n\n throw new Error(`Unsupported format: ${format}`)\n }\n\n private version(): OpenId4VCIVersion {\n return this.credentialRequestOpts?.version ?? OpenId4VCIVersion.VER_1_0_11\n }\n\n private isV11OrHigher(): boolean {\n return this.version() >= OpenId4VCIVersion.VER_1_0_11\n }\n}\n","import {\n AccessTokenResponse,\n CredentialIssuerMetadata,\n CredentialIssuerMetadataV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n determineSpecVersionFromOffer,\n EndpointMetadata,\n ExperimentalSubjectIssuance,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n UniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat } from '@sphereon/ssi-types'\n\nimport { CredentialOfferClient } from './CredentialOfferClient'\nimport { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11'\nimport { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13'\n\ntype CredentialRequestClientBuilderVersionSpecific = CredentialRequestClientBuilderV1_0_11 | CredentialRequestClientBuilderV1_0_13\n\nfunction isV1_0_13(builder: CredentialRequestClientBuilderVersionSpecific): builder is CredentialRequestClientBuilderV1_0_13 {\n return (builder as CredentialRequestClientBuilderV1_0_13).withCredentialIdentifier !== undefined\n}\n\nexport class CredentialRequestClientBuilder {\n private _builder: CredentialRequestClientBuilderVersionSpecific\n\n private constructor(builder: CredentialRequestClientBuilderVersionSpecific) {\n this._builder = builder\n }\n\n public static fromCredentialIssuer({\n credentialIssuer,\n metadata,\n version,\n credentialIdentifier,\n credentialTypes,\n }: {\n credentialIssuer: string\n metadata?: EndpointMetadata\n version?: OpenId4VCIVersion\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n }): CredentialRequestClientBuilder {\n const specVersion = version ?? OpenId4VCIVersion.VER_1_0_13\n let builder\n\n if (specVersion >= OpenId4VCIVersion.VER_1_0_13) {\n builder = CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({\n credentialIssuer,\n metadata,\n version,\n credentialIdentifier,\n credentialTypes,\n })\n } else {\n if (!credentialTypes || credentialTypes.length === 0) {\n throw new Error('CredentialTypes must be provided for v1_0_11')\n }\n builder = CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({\n credentialIssuer,\n metadata,\n version,\n credentialTypes,\n })\n }\n\n return new CredentialRequestClientBuilder(builder)\n }\n\n public static async fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): Promise {\n const offer = await CredentialOfferClient.fromURI(uri)\n return CredentialRequestClientBuilder.fromCredentialOfferRequest({\n request: offer,\n ...offer,\n metadata,\n version: offer.version,\n })\n }\n\n public static fromCredentialOfferRequest(opts: {\n request: UniformCredentialOfferRequest\n scheme?: string\n baseUrl?: string\n version?: OpenId4VCIVersion\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilder {\n const { request } = opts\n const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer)\n let builder\n\n if (version < OpenId4VCIVersion.VER_1_0_13) {\n builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest(opts)\n } else {\n builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest(opts)\n }\n\n return new CredentialRequestClientBuilder(builder)\n }\n\n public static fromCredentialOffer({\n credentialOffer,\n metadata,\n }: {\n credentialOffer: CredentialOfferRequestWithBaseUrl\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilder {\n const version = determineSpecVersionFromOffer(credentialOffer.credential_offer)\n let builder\n\n if (version < OpenId4VCIVersion.VER_1_0_13) {\n builder = CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({\n credentialOffer,\n metadata,\n })\n } else {\n builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({\n credentialOffer,\n metadata,\n })\n }\n\n return new CredentialRequestClientBuilder(builder)\n }\n\n public getVersion(): OpenId4VCIVersion | undefined {\n return this._builder.version\n }\n\n public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata | CredentialIssuerMetadataV1_0_13): this {\n if (isV1_0_13(this._builder)) {\n this._builder.withCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadataV1_0_13)\n } else {\n this._builder.withCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadata)\n }\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): this {\n this._builder.withCredentialEndpoint(credentialEndpoint)\n return this\n }\n\n public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata | CredentialIssuerMetadataV1_0_13): this {\n if (isV1_0_13(this._builder)) {\n this._builder.withDeferredCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadataV1_0_13)\n } else {\n this._builder.withDeferredCredentialEndpointFromMetadata(metadata as CredentialIssuerMetadata)\n }\n return this\n }\n\n public withDeferredCredentialEndpoint(deferredCredentialEndpoint: string): this {\n this._builder.withDeferredCredentialEndpoint(deferredCredentialEndpoint)\n return this\n }\n\n public withDeferredCredentialAwait(deferredCredentialAwait: boolean, deferredCredentialIntervalInMS?: number): this {\n this._builder.withDeferredCredentialAwait(deferredCredentialAwait, deferredCredentialIntervalInMS)\n return this\n }\n\n public withCredentialIdentifier(credentialIdentifier: string): this {\n if (this._builder.version === undefined || this._builder.version < OpenId4VCIVersion.VER_1_0_13) {\n throw new Error('Version of spec should be equal or higher than v1_0_13')\n }\n ;(this._builder as CredentialRequestClientBuilderV1_0_13).withCredentialIdentifier(credentialIdentifier)\n return this\n }\n\n public withIssuerState(issuerState?: string): this {\n this._builder.withIssuerState(issuerState)\n return this\n }\n public withCredentialType(credentialTypes: string | string[]): this {\n this._builder.withCredentialType(credentialTypes)\n return this\n }\n\n public withFormat(format: CredentialFormat | OID4VCICredentialFormat): this {\n this._builder.withFormat(format)\n return this\n }\n\n public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {\n this._builder.withSubjectIssuance(subjectIssuance)\n return this\n }\n\n public withToken(accessToken: string): this {\n this._builder.withToken(accessToken)\n return this\n }\n\n public withTokenFromResponse(response: AccessTokenResponse): this {\n this._builder.withTokenFromResponse(response)\n return this\n }\n\n public withVersion(version: OpenId4VCIVersion): this {\n this._builder.withVersion(version)\n return this\n }\n\n public build() {\n return this._builder.build()\n }\n}\n","import {\n AccessTokenResponse,\n CredentialIssuerMetadata,\n CredentialOfferPayloadV1_0_08,\n CredentialOfferPayloadV1_0_11,\n CredentialOfferRequestWithBaseUrl,\n determineSpecVersionFromOffer,\n EndpointMetadata,\n ExperimentalSubjectIssuance,\n getIssuerFromCredentialOfferPayload,\n getTypesFromOfferV1_0_11,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n UniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat } from '@sphereon/ssi-types'\n\nimport { CredentialOfferClientV1_0_11 } from './CredentialOfferClientV1_0_11'\nimport { CredentialRequestClientV1_0_11 } from './CredentialRequestClientV1_0_11'\n\nexport class CredentialRequestClientBuilderV1_0_11 {\n credentialEndpoint?: string\n deferredCredentialEndpoint?: string\n deferredCredentialAwait = false\n deferredCredentialIntervalInMS = 5000\n credentialTypes: string[] = []\n format?: CredentialFormat | OID4VCICredentialFormat\n token?: string\n version?: OpenId4VCIVersion\n subjectIssuance?: ExperimentalSubjectIssuance\n issuerState?: string\n\n public static fromCredentialIssuer({\n credentialIssuer,\n metadata,\n version,\n credentialTypes,\n }: {\n credentialIssuer: string\n metadata?: EndpointMetadata\n version?: OpenId4VCIVersion\n credentialTypes: string | string[]\n }): CredentialRequestClientBuilderV1_0_11 {\n const issuer = credentialIssuer\n const builder = new CredentialRequestClientBuilderV1_0_11()\n builder.withVersion(version ?? OpenId4VCIVersion.VER_1_0_11)\n builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`))\n if (metadata?.deferred_credential_endpoint) {\n builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint)\n }\n builder.withCredentialType(credentialTypes)\n return builder\n }\n\n public static async fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): Promise {\n const offer = await CredentialOfferClientV1_0_11.fromURI(uri)\n return CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({ request: offer, ...offer, metadata, version: offer.version })\n }\n\n public static fromCredentialOfferRequest(opts: {\n request: UniformCredentialOfferRequest\n scheme?: string\n baseUrl?: string\n version?: OpenId4VCIVersion\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilderV1_0_11 {\n const { request, metadata } = opts\n const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer)\n const builder = new CredentialRequestClientBuilderV1_0_11()\n const issuer = getIssuerFromCredentialOfferPayload(request.credential_offer) ?? (metadata?.issuer as string)\n builder.withVersion(version)\n builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`))\n if (metadata?.deferred_credential_endpoint) {\n builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint)\n }\n\n if (version <= OpenId4VCIVersion.VER_1_0_08) {\n //todo: This basically sets all types available during initiation. Probably the user only wants a subset. So do we want to do this?\n builder.withCredentialType((request.original_credential_offer as CredentialOfferPayloadV1_0_08).credential_type)\n } else if (version <= OpenId4VCIVersion.VER_1_0_11) {\n // todo: look whether this is correct\n builder.withCredentialType(getTypesFromOfferV1_0_11(request.credential_offer as CredentialOfferPayloadV1_0_11))\n }\n\n return builder\n }\n\n public static fromCredentialOffer({\n credentialOffer,\n metadata,\n }: {\n credentialOffer: CredentialOfferRequestWithBaseUrl\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilderV1_0_11 {\n return CredentialRequestClientBuilderV1_0_11.fromCredentialOfferRequest({\n request: credentialOffer,\n metadata,\n version: credentialOffer.version,\n })\n }\n\n public withIssuerState(issuerState?: string): this {\n this.issuerState = issuerState\n return this\n }\n\n public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata): this {\n this.credentialEndpoint = metadata.credential_endpoint\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): this {\n this.credentialEndpoint = credentialEndpoint\n return this\n }\n\n public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadata): this {\n this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint\n return this\n }\n\n public withDeferredCredentialEndpoint(deferredCredentialEndpoint: string): this {\n this.deferredCredentialEndpoint = deferredCredentialEndpoint\n return this\n }\n\n public withDeferredCredentialAwait(deferredCredentialAwait: boolean, deferredCredentialIntervalInMS?: number): this {\n this.deferredCredentialAwait = deferredCredentialAwait\n this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5000\n return this\n }\n\n public withCredentialType(credentialTypes: string | string[]): this {\n this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]\n return this\n }\n\n public withFormat(format: CredentialFormat | OID4VCICredentialFormat): this {\n this.format = format\n return this\n }\n\n public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {\n this.subjectIssuance = subjectIssuance\n return this\n }\n\n public withToken(accessToken: string): this {\n this.token = accessToken\n return this\n }\n\n public withTokenFromResponse(response: AccessTokenResponse): this {\n this.token = response.access_token\n return this\n }\n\n public withVersion(version: OpenId4VCIVersion): this {\n this.version = version\n return this\n }\n\n public build(): CredentialRequestClientV1_0_11 {\n if (!this.version) {\n this.withVersion(OpenId4VCIVersion.VER_1_0_11)\n }\n return new CredentialRequestClientV1_0_11(this)\n }\n}\n","import {\n AccessTokenResponse,\n CredentialIssuerMetadataV1_0_13,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n determineSpecVersionFromOffer,\n EndpointMetadata,\n ExperimentalSubjectIssuance,\n getIssuerFromCredentialOfferPayload,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n UniformCredentialOfferRequest,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat } from '@sphereon/ssi-types'\n\nimport { CredentialOfferClient } from './CredentialOfferClient'\nimport { CredentialRequestClient } from './CredentialRequestClient'\n\nexport class CredentialRequestClientBuilderV1_0_13 {\n credentialEndpoint?: string\n deferredCredentialEndpoint?: string\n deferredCredentialAwait = false\n deferredCredentialIntervalInMS = 5000\n credentialIdentifier?: string\n credentialTypes?: string[] = []\n format?: CredentialFormat | OID4VCICredentialFormat\n token?: string\n version?: OpenId4VCIVersion\n subjectIssuance?: ExperimentalSubjectIssuance\n issuerState?: string\n\n public static fromCredentialIssuer({\n credentialIssuer,\n metadata,\n version,\n credentialIdentifier,\n credentialTypes,\n }: {\n credentialIssuer: string\n metadata?: EndpointMetadata\n version?: OpenId4VCIVersion\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n }): CredentialRequestClientBuilderV1_0_13 {\n const issuer = credentialIssuer\n const builder = new CredentialRequestClientBuilderV1_0_13()\n builder.withVersion(version ?? OpenId4VCIVersion.VER_1_0_13)\n builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`))\n if (metadata?.deferred_credential_endpoint) {\n builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint)\n }\n if (credentialIdentifier) {\n builder.withCredentialIdentifier(credentialIdentifier)\n }\n if (credentialTypes) {\n builder.withCredentialType(credentialTypes)\n }\n return builder\n }\n\n public static async fromURI({ uri, metadata }: { uri: string; metadata?: EndpointMetadata }): Promise {\n const offer = await CredentialOfferClient.fromURI(uri)\n return CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({ request: offer, ...offer, metadata, version: offer.version })\n }\n\n public static fromCredentialOfferRequest(opts: {\n request: UniformCredentialOfferRequest\n scheme?: string\n baseUrl?: string\n version?: OpenId4VCIVersion\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilderV1_0_13 {\n const { request, metadata } = opts\n const version = opts.version ?? request.version ?? determineSpecVersionFromOffer(request.original_credential_offer)\n if (version < OpenId4VCIVersion.VER_1_0_13) {\n throw new Error('Versions below v1.0.13 (draft 13) are not supported.')\n }\n const builder = new CredentialRequestClientBuilderV1_0_13()\n const issuer = getIssuerFromCredentialOfferPayload(request.credential_offer) ?? (metadata?.issuer as string)\n builder.withVersion(version)\n builder.withCredentialEndpoint(metadata?.credential_endpoint ?? (issuer.endsWith('/') ? `${issuer}credential` : `${issuer}/credential`))\n if (metadata?.deferred_credential_endpoint) {\n builder.withDeferredCredentialEndpoint(metadata.deferred_credential_endpoint)\n }\n const ids: string[] = (request.credential_offer as CredentialOfferPayloadV1_0_13).credential_configuration_ids\n // if there's only one in the offer, we pre-select it. if not, you should provide the credentialType\n if (ids.length && ids.length === 1) {\n builder.withCredentialIdentifier(ids[0])\n }\n\n return builder\n }\n\n public static fromCredentialOffer({\n credentialOffer,\n metadata,\n }: {\n credentialOffer: CredentialOfferRequestWithBaseUrl\n metadata?: EndpointMetadata\n }): CredentialRequestClientBuilderV1_0_13 {\n const builder = CredentialRequestClientBuilderV1_0_13.fromCredentialOfferRequest({\n request: credentialOffer,\n metadata,\n version: credentialOffer.version,\n })\n\n return builder\n }\n\n public withCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {\n this.credentialEndpoint = metadata.credential_endpoint\n return this\n }\n\n public withCredentialEndpoint(credentialEndpoint: string): this {\n this.credentialEndpoint = credentialEndpoint\n return this\n }\n\n public withIssuerState(issuerState?: string): this {\n this.issuerState = issuerState\n return this\n }\n\n public withDeferredCredentialEndpointFromMetadata(metadata: CredentialIssuerMetadataV1_0_13): this {\n this.deferredCredentialEndpoint = metadata.deferred_credential_endpoint\n return this\n }\n\n public withDeferredCredentialEndpoint(deferredCredentialEndpoint: string): this {\n this.deferredCredentialEndpoint = deferredCredentialEndpoint\n return this\n }\n\n public withDeferredCredentialAwait(deferredCredentialAwait: boolean, deferredCredentialIntervalInMS?: number): this {\n this.deferredCredentialAwait = deferredCredentialAwait\n this.deferredCredentialIntervalInMS = deferredCredentialIntervalInMS ?? 5000\n return this\n }\n\n public withCredentialIdentifier(credentialIdentifier: string): this {\n this.credentialIdentifier = credentialIdentifier\n return this\n }\n\n public withCredentialType(credentialTypes: string | string[]): this {\n this.credentialTypes = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]\n return this\n }\n\n public withFormat(format: CredentialFormat | OID4VCICredentialFormat): this {\n this.format = format\n return this\n }\n\n public withSubjectIssuance(subjectIssuance: ExperimentalSubjectIssuance): this {\n this.subjectIssuance = subjectIssuance\n return this\n }\n\n public withToken(accessToken: string): this {\n this.token = accessToken\n return this\n }\n\n public withTokenFromResponse(response: AccessTokenResponse): this {\n this.token = response.access_token\n return this\n }\n\n public withVersion(version: OpenId4VCIVersion): this {\n this.version = version\n return this\n }\n\n public build(): CredentialRequestClient {\n if (!this.version) {\n this.withVersion(OpenId4VCIVersion.VER_1_0_11)\n }\n return new CredentialRequestClient(this)\n }\n}\n","import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequestOpts,\n AccessTokenResponse,\n Alg,\n AuthorizationChallengeCodeResponse,\n AuthorizationChallengeErrorResponse,\n AuthorizationChallengeRequestOpts,\n AuthorizationRequestOpts,\n AuthorizationResponse,\n AuthorizationServerOpts,\n AuthzFlowType,\n CodeChallengeMethod,\n CredentialConfigurationSupported,\n CredentialConfigurationSupportedV1_0_13,\n CredentialOfferPayloadV1_0_08,\n CredentialOfferPayloadV1_0_11,\n CredentialOfferRequestWithBaseUrl,\n CredentialResponse,\n CredentialsSupportedLegacy,\n DefaultURISchemes,\n determineVersionsFromIssuerMetadata,\n DPoPResponseParams,\n EndpointMetadataResultV1_0_11,\n EndpointMetadataResultV1_0_13,\n ExperimentalSubjectIssuance,\n getClientIdFromCredentialOfferPayload,\n getIssuerFromCredentialOfferPayload,\n getSupportedCredentials,\n getTypesFromCredentialSupported,\n getTypesFromObject,\n KID_JWK_X5C_ERROR,\n NotificationRequest,\n NotificationResponseResult,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n PKCEOpts,\n ProofOfPossessionCallbacks,\n toAuthorizationResponsePayload,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat, Loggers } from '@sphereon/ssi-types'\n\nimport { AccessTokenClient } from './AccessTokenClient'\nimport { AccessTokenClientV1_0_11 } from './AccessTokenClientV1_0_11'\nimport { acquireAuthorizationChallengeAuthCode, createAuthorizationRequestUrl } from './AuthorizationCodeClient'\nimport { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11'\nimport { CredentialOfferClient } from './CredentialOfferClient'\nimport { CredentialRequestOpts } from './CredentialRequestClient'\nimport { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11'\nimport { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13'\nimport { MetadataClient } from './MetadataClient'\nimport { OpenID4VCIClientStateV1_0_11 } from './OpenID4VCIClientV1_0_11'\nimport { OpenID4VCIClientStateV1_0_13 } from './OpenID4VCIClientV1_0_13'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\nimport { generateMissingPKCEOpts, sendNotification } from './functions'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci')\n\nexport type OpenID4VCIClientState = OpenID4VCIClientStateV1_0_11 | OpenID4VCIClientStateV1_0_13\n\nexport type EndpointMetadataResult = EndpointMetadataResultV1_0_11 | EndpointMetadataResultV1_0_13\n\nexport class OpenID4VCIClient {\n private readonly _state: OpenID4VCIClientState\n\n private constructor({\n credentialOffer,\n clientId,\n kid,\n alg,\n credentialIssuer,\n pkce,\n authorizationRequest,\n accessToken,\n jwk,\n endpointMetadata,\n accessTokenResponse,\n authorizationRequestOpts,\n authorizationCodeResponse,\n authorizationURL,\n }: {\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n kid?: string\n alg?: Alg | string\n clientId?: string\n credentialIssuer?: string\n pkce?: PKCEOpts\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n jwk?: JWK\n accessToken?: string\n endpointMetadata?: EndpointMetadataResult\n accessTokenResponse?: AccessTokenResponse\n authorizationRequestOpts?: AuthorizationRequestOpts\n authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse\n authorizationURL?: string\n }) {\n const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined)\n if (!issuer) {\n throw Error('No credential issuer supplied or deduced from offer')\n }\n this._state = {\n credentialOffer,\n credentialIssuer: issuer,\n kid,\n alg,\n // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id\n clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],\n pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },\n authorizationRequestOpts,\n authorizationCodeResponse,\n accessToken,\n jwk,\n endpointMetadata: endpointMetadata?.credentialIssuerMetadata?.authorization_server\n ? (endpointMetadata as EndpointMetadataResultV1_0_11)\n : (endpointMetadata as EndpointMetadataResultV1_0_13 | undefined),\n accessTokenResponse,\n authorizationURL,\n } as OpenID4VCIClientState\n // Running syncAuthorizationRequestOpts later as it is using the state\n if (!this._state.authorizationRequestOpts) {\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest)\n }\n logger.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`)\n }\n\n public static async fromCredentialIssuer({\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n createAuthorizationRequestURL,\n endpointMetadata,\n }: {\n credentialIssuer: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n clientId?: string\n createAuthorizationRequestURL?: boolean\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n pkce?: PKCEOpts\n endpointMetadata?: EndpointMetadataResult\n }) {\n const client = new OpenID4VCIClient({\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n endpointMetadata,\n })\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n }\n return client\n }\n\n public static async fromState({ state }: { state: OpenID4VCIClientState | string }): Promise {\n const clientState = typeof state === 'string' ? JSON.parse(state) : state\n\n return new OpenID4VCIClient(clientState)\n }\n\n public static async fromURI({\n uri,\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n pkce,\n createAuthorizationRequestURL,\n authorizationRequest,\n resolveOfferUri,\n endpointMetadata,\n }: {\n uri: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n createAuthorizationRequestURL?: boolean\n resolveOfferUri?: boolean\n pkce?: PKCEOpts\n clientId?: string\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n endpointMetadata?: EndpointMetadataResult\n }): Promise {\n const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri })\n const client = new OpenID4VCIClient({\n credentialOffer: credentialOfferClient,\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,\n pkce,\n authorizationRequest,\n endpointMetadata,\n })\n\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (\n credentialOfferClient.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&\n (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)\n ) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n logger.debug(`Authorization Request URL: ${client._state.authorizationURL}`)\n }\n\n return client\n }\n\n /**\n * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)\n *\n * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device\n * @param opts\n */\n public async createAuthorizationRequestUrl(opts?: { authorizationRequest?: AuthorizationRequestOpts; pkce?: PKCEOpts }): Promise {\n if (!this._state.authorizationURL) {\n this.calculatePKCEOpts(opts?.pkce)\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest)\n if (!this._state.authorizationRequestOpts) {\n throw Error(`No Authorization Request options present or provided in this call`)\n }\n\n // todo: Probably can go with current logic in MetadataClient who will always set the authorization_endpoint when found\n // handling this because of the support for v1_0-08\n if (\n this._state.endpointMetadata?.credentialIssuerMetadata &&\n 'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata\n ) {\n this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string\n }\n if (this.version() <= OpenId4VCIVersion.VER_1_0_11) {\n this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({\n pkce: this._state.pkce,\n endpointMetadata: this.endpointMetadata as EndpointMetadataResultV1_0_11,\n authorizationRequest: this._state.authorizationRequestOpts,\n credentialOffer: this.credentialOffer,\n credentialsSupported: Object.values(this.getCredentialsSupported(true)) as CredentialsSupportedLegacy[],\n })\n } else {\n this._state.authorizationURL = await createAuthorizationRequestUrl({\n pkce: this._state.pkce,\n endpointMetadata: this.endpointMetadata as EndpointMetadataResultV1_0_13,\n authorizationRequest: this._state.authorizationRequestOpts,\n credentialOffer: this.credentialOffer,\n credentialConfigurationSupported: this.getCredentialsSupported(false) as Record,\n })\n }\n }\n return this._state.authorizationURL\n }\n\n public async retrieveServerMetadata(): Promise {\n this.assertIssuerData()\n if (!this._state.endpointMetadata) {\n if (this.credentialOffer) {\n this._state.endpointMetadata = await MetadataClient.retrieveAllMetadataFromCredentialOffer(this.credentialOffer)\n } else if (this._state.credentialIssuer) {\n this._state.endpointMetadata = await MetadataClient.retrieveAllMetadata(this._state.credentialIssuer)\n } else {\n throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`)\n }\n }\n\n return this.endpointMetadata\n }\n\n private calculatePKCEOpts(pkce?: PKCEOpts) {\n this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce })\n }\n\n public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise {\n const response = await acquireAuthorizationChallengeAuthCode({\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,\n ...opts,\n })\n\n if (response.errorBody) {\n logger.debug(`Authorization code error:\\r\\n${JSON.stringify(response.errorBody)}`)\n const error = response.errorBody as AuthorizationChallengeErrorResponse\n return Promise.reject(error)\n } else if (!response.successBody) {\n logger.debug(`Authorization code error. No success body`)\n return Promise.reject(\n Error(\n `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,\n ),\n )\n }\n\n return { ...response.successBody }\n }\n\n public async acquireAccessToken(\n opts?: Omit & {\n clientId?: string\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse // Pass in an auth response, either as URI/redirect, or object\n additionalRequestParams?: Record\n },\n ): Promise {\n const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {}\n let { redirectUri } = opts ?? {}\n\n const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code)\n\n if (opts?.codeVerifier) {\n this._state.pkce.codeVerifier = opts.codeVerifier\n }\n this.assertIssuerData()\n\n const asOpts: AuthorizationServerOpts = { ...opts?.asOpts }\n const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid\n const clientAssertionType =\n asOpts.clientOpts?.clientAssertionType ??\n (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'\n ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n : undefined)\n if (this.isEBSI() || (clientId && kid)) {\n if (!clientId) {\n throw Error(`Client id expected for EBSI`)\n }\n asOpts.clientOpts = {\n ...asOpts.clientOpts,\n clientId,\n ...(kid && { kid }),\n ...(clientAssertionType && { clientAssertionType }),\n signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,\n }\n }\n\n if (clientId) {\n this._state.clientId = clientId\n if (!asOpts.clientOpts) {\n asOpts.clientOpts = { clientId }\n }\n asOpts.clientOpts.clientId = clientId\n }\n if (!this._state.accessTokenResponse) {\n const accessTokenClient = this.version() <= OpenId4VCIVersion.VER_1_0_12 ? new AccessTokenClientV1_0_11() : new AccessTokenClient()\n\n if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {\n console.log(\n `Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`,\n )\n }\n if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {\n redirectUri = this._state.authorizationRequestOpts.redirectUri\n }\n\n const response = await accessTokenClient.acquireAccessToken({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n pin,\n ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),\n code,\n redirectUri,\n asOpts,\n ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),\n ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),\n })\n\n if (response.errorBody) {\n logger.debug(`Access token error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Access token error. No success body`)\n throw Error(\n `Retrieving an access token from ${\n this._state.endpointMetadata?.token_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n this._state.accessTokenResponse = response.successBody\n this._state.dpopResponseParams = response.params\n this._state.accessToken = response.successBody.access_token\n }\n\n return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) }\n }\n\n public async acquireCredentials({\n credentialTypes,\n context,\n proofCallbacks,\n format,\n kid,\n jwk,\n alg,\n jti,\n deferredCredentialAwait,\n deferredCredentialIntervalInMS,\n createDPoPOpts,\n }: {\n credentialTypes: string | string[]\n context?: string[]\n proofCallbacks: ProofOfPossessionCallbacks\n format?: CredentialFormat | OID4VCICredentialFormat\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n jti?: string\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n experimentalHolderIssuanceSupported?: boolean\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise {\n if ([jwk, kid].filter((v) => v !== undefined).length > 1) {\n throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`)\n }\n\n if (alg) this._state.alg = alg\n if (jwk) this._state.jwk = jwk\n if (kid) this._state.kid = kid\n\n let requestBuilder: CredentialRequestClientBuilderV1_0_13 | CredentialRequestClientBuilderV1_0_11\n if (this.version() < OpenId4VCIVersion.VER_1_0_13) {\n requestBuilder = this.credentialOffer\n ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n })\n : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({\n credentialIssuer: this.getIssuer(),\n credentialTypes,\n metadata: this.endpointMetadata,\n version: this.version(),\n })\n } else {\n requestBuilder = this.credentialOffer\n ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n })\n : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({\n credentialIssuer: this.getIssuer(),\n credentialTypes,\n metadata: this.endpointMetadata,\n version: this.version(),\n })\n }\n // If we are in an auth code flow, without a c nonce, we return the issuerState back to the issuer in case it is present\n const issuerState =\n this.issuerSupportedFlowTypes().includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&\n this._state.authorizationCodeResponse &&\n !this.accessTokenResponse?.c_nonce &&\n this._state.credentialOffer?.issuerState\n ? this._state.credentialOffer.issuerState\n : undefined\n requestBuilder.withIssuerState(issuerState)\n\n requestBuilder.withTokenFromResponse(this.accessTokenResponse)\n requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS)\n let subjectIssuance: ExperimentalSubjectIssuance | undefined\n if (this.endpointMetadata?.credentialIssuerMetadata) {\n const metadata = this.endpointMetadata.credentialIssuerMetadata\n const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]\n\n if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {\n let typeSupported = false\n\n metadata.credentials_supported.forEach((supportedCredential) => {\n const subTypes = getTypesFromCredentialSupported(supportedCredential)\n if (\n subTypes.every((t, i) => types[i] === t) ||\n (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))\n ) {\n typeSupported = true\n if (supportedCredential.credential_subject_issuance) {\n subjectIssuance = { credential_subject_issuance: supportedCredential.credential_subject_issuance }\n }\n }\n })\n\n if (!typeSupported) {\n console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`)\n // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);\n }\n } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {\n const credentialsSupported = metadata.credentials_supported\n if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {\n throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`)\n }\n }\n // todo: Format check? We might end up with some disjoint type / format combinations supported by the server\n }\n if (subjectIssuance) {\n requestBuilder.withSubjectIssuance(subjectIssuance)\n }\n\n const credentialRequestClient = requestBuilder.build()\n const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({\n accessTokenResponse: this.accessTokenResponse,\n callbacks: proofCallbacks,\n version: this.version(),\n })\n .withIssuer(this.getIssuer())\n .withAlg(this.alg)\n\n if (this._state.jwk) {\n proofBuilder.withJWK(this._state.jwk)\n }\n if (this._state.kid) {\n proofBuilder.withKid(this._state.kid)\n }\n\n if (this.clientId) {\n proofBuilder.withClientId(this.clientId)\n }\n if (jti) {\n proofBuilder.withJti(jti)\n }\n const response = await credentialRequestClient.acquireCredentialsUsingProof({\n proofInput: proofBuilder,\n credentialTypes,\n context,\n format,\n subjectIssuance,\n createDPoPOpts,\n })\n this._state.dpopResponseParams = response.params\n if (response.errorBody) {\n logger.debug(`Credential request error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Credential request error. No success body`)\n throw Error(\n `Retrieving a credential from ${\n this._state.endpointMetadata?.credential_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }), access_token: response.access_token }\n }\n\n public async exportState(): Promise {\n return JSON.stringify(this._state)\n }\n\n getCredentialsSupported(\n restrictToInitiationTypes?: boolean,\n format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[],\n ): Record | Array {\n return getSupportedCredentials({\n issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,\n version: this.version(),\n format: format,\n types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : undefined,\n })\n }\n\n public async sendNotification(\n credentialRequestOpts: Partial,\n request: NotificationRequest,\n accessToken?: string,\n ): Promise {\n return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token)\n }\n\n getCredentialOfferTypes(): string[][] | undefined {\n if (!this.credentialOffer) {\n return []\n } else if (this.version() < OpenId4VCIVersion.VER_1_0_11) {\n const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08\n const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type\n const result: string[][] = []\n result[0] = types\n return result\n } else if (this.version() < OpenId4VCIVersion.VER_1_0_13) {\n return (this.credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials.map((c) => getTypesFromObject(c) ?? [])\n }\n // we don't have this for v13. v13 only has credential_configuration_ids which is not translatable to type\n return undefined\n }\n\n issuerSupportedFlowTypes(): AuthzFlowType[] {\n return (\n this.credentialOffer?.supportedFlows ??\n ((this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ?? this._state.endpointMetadata?.authorization_server)\n ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW]\n : [])\n )\n }\n\n isFlowTypeSupported(flowType: AuthzFlowType): boolean {\n return this.issuerSupportedFlowTypes().includes(flowType)\n }\n\n get authorizationURL(): string | undefined {\n return this._state.authorizationURL\n }\n\n public hasAuthorizationURL(): boolean {\n return !!this.authorizationURL\n }\n\n get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {\n return this._state.credentialOffer\n }\n\n public version(): OpenId4VCIVersion {\n if (this.credentialOffer?.version && this.credentialOffer.version !== OpenId4VCIVersion.VER_UNKNOWN) {\n return this.credentialOffer.version\n }\n const metadata = this._state.endpointMetadata\n if (metadata?.credentialIssuerMetadata) {\n const versions = determineVersionsFromIssuerMetadata(metadata.credentialIssuerMetadata)\n if (versions.length > 0 && !versions.includes(OpenId4VCIVersion.VER_UNKNOWN)) {\n return versions[0]\n }\n }\n return OpenId4VCIVersion.VER_1_0_13\n }\n\n public get endpointMetadata(): EndpointMetadataResult {\n this.assertServerMetadata()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.endpointMetadata!\n }\n\n get kid(): string {\n this.assertIssuerData()\n if (!this._state.kid) {\n throw new Error('No value for kid is supplied')\n }\n return this._state.kid\n }\n\n get alg(): string {\n this.assertIssuerData()\n if (!this._state.alg) {\n throw new Error('No value for alg is supplied')\n }\n return this._state.alg\n }\n\n set clientId(value: string | undefined) {\n this._state.clientId = value\n }\n\n get clientId(): string | undefined {\n return this._state.clientId\n }\n\n public hasAccessTokenResponse(): boolean {\n return !!this._state.accessTokenResponse\n }\n\n get accessTokenResponse(): AccessTokenResponse {\n this.assertAccessToken()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.accessTokenResponse!\n }\n\n get dpopResponseParams(): DPoPResponseParams | undefined {\n return this._state.dpopResponseParams\n }\n\n public getIssuer(): string {\n this.assertIssuerData()\n return this._state.credentialIssuer\n }\n\n public getAccessTokenEndpoint(): string {\n this.assertIssuerData()\n if (this.endpointMetadata) {\n return this.endpointMetadata.token_endpoint\n }\n return this.version() <= OpenId4VCIVersion.VER_1_0_12\n ? AccessTokenClientV1_0_11.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } })\n : AccessTokenClient.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } })\n }\n\n public getCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n public getAuthorizationChallengeEndpoint(): string | undefined {\n this.assertIssuerData()\n return this.endpointMetadata?.authorization_challenge_endpoint\n }\n\n public hasAuthorizationChallengeEndpoint(): boolean {\n return !!this.getAuthorizationChallengeEndpoint()\n }\n\n public hasDeferredCredentialEndpoint(): boolean {\n return !!this.getAccessTokenEndpoint()\n }\n\n public getDeferredCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n /**\n * Too bad we need a method like this, but EBSI is not exposing metadata\n */\n public isEBSI() {\n if (\n this.credentialOffer &&\n (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)?.credentials?.find(\n (cred) =>\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'),\n )\n ) {\n return true\n }\n // this.assertIssuerData();\n return (\n this.clientId?.includes('ebsi') ||\n this._state.kid?.includes('did:ebsi:') ||\n this.getIssuer().includes('ebsi') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')\n )\n }\n\n private assertIssuerData(): void {\n if (!this._state.credentialIssuer) {\n throw Error(`No credential issuer value present`)\n } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {\n throw Error(`No issuance initiation or credential offer present`)\n }\n }\n\n private assertServerMetadata(): void {\n if (!this._state.endpointMetadata) {\n throw Error('No server metadata')\n }\n }\n\n private assertAccessToken(): void {\n if (!this._state.accessTokenResponse) {\n throw Error(`No access token present`)\n }\n }\n\n private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {\n const requestObjectOpts = { ...this._state?.authorizationRequestOpts?.requestObjectOpts, ...opts?.requestObjectOpts }\n let authorizationRequestOpts = {\n ...this._state?.authorizationRequestOpts,\n ...opts,\n ...(requestObjectOpts && { requestObjectOpts }),\n } as AuthorizationRequestOpts\n if (!authorizationRequestOpts) {\n // We only set a redirectUri if no options are provided.\n // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.\n // Provide your own options if that is not desired!\n authorizationRequestOpts = { redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://` }\n }\n const clientId = authorizationRequestOpts.clientId ?? this._state.clientId\n // sync clientId\n this._state.clientId = clientId\n authorizationRequestOpts.clientId = clientId\n return authorizationRequestOpts\n }\n\n private getAuthorizationCode = (\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,\n code?: string,\n ): string | undefined => {\n if (authorizationResponse) {\n this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) }\n } else if (code) {\n this._state.authorizationCodeResponse = { code }\n }\n\n return (\n (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??\n (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code\n )\n }\n}\n","import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequestOpts,\n AccessTokenResponse,\n Alg,\n AuthorizationChallengeCodeResponse,\n AuthorizationChallengeErrorResponse,\n AuthorizationChallengeRequestOpts,\n AuthorizationRequestOpts,\n AuthorizationResponse,\n AuthorizationServerOpts,\n AuthzFlowType,\n CodeChallengeMethod,\n CredentialConfigurationSupportedV1_0_13,\n CredentialOfferPayloadV1_0_13,\n CredentialOfferRequestWithBaseUrl,\n CredentialResponse,\n DefaultURISchemes,\n DPoPResponseParams,\n EndpointMetadataResultV1_0_13,\n ExperimentalSubjectIssuance,\n getClientIdFromCredentialOfferPayload,\n getIssuerFromCredentialOfferPayload,\n getSupportedCredentials,\n getTypesFromCredentialSupported,\n KID_JWK_X5C_ERROR,\n NotificationRequest,\n NotificationResponseResult,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n PKCEOpts,\n ProofOfPossessionCallbacks,\n toAuthorizationResponsePayload,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat, Loggers } from '@sphereon/ssi-types'\n\nimport { AccessTokenClient } from './AccessTokenClient'\nimport { acquireAuthorizationChallengeAuthCode, createAuthorizationRequestUrl } from './AuthorizationCodeClient'\nimport { CredentialOfferClient } from './CredentialOfferClient'\nimport { CredentialRequestOpts } from './CredentialRequestClient'\nimport { CredentialRequestClientBuilderV1_0_13 } from './CredentialRequestClientBuilderV1_0_13'\nimport { MetadataClientV1_0_13 } from './MetadataClientV1_0_13'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\nimport { generateMissingPKCEOpts, sendNotification } from './functions'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci')\n\nexport interface OpenID4VCIClientStateV1_0_13 {\n credentialIssuer: string\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n clientId?: string\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n endpointMetadata?: EndpointMetadataResultV1_0_13\n accessTokenResponse?: AccessTokenResponse\n dpopResponseParams?: DPoPResponseParams\n authorizationRequestOpts?: AuthorizationRequestOpts\n authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse\n pkce: PKCEOpts\n accessToken?: string\n authorizationURL?: string\n sendIssuerStateIfNoNonce?: boolean\n}\n\nexport class OpenID4VCIClientV1_0_13 {\n private readonly _state: OpenID4VCIClientStateV1_0_13\n\n private constructor({\n credentialOffer,\n clientId,\n kid,\n alg,\n credentialIssuer,\n pkce,\n authorizationRequest,\n accessToken,\n jwk,\n endpointMetadata,\n accessTokenResponse,\n authorizationRequestOpts,\n authorizationCodeResponse,\n authorizationURL,\n }: {\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n kid?: string\n alg?: Alg | string\n clientId?: string\n credentialIssuer?: string\n pkce?: PKCEOpts\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n jwk?: JWK\n accessToken?: string\n endpointMetadata?: EndpointMetadataResultV1_0_13\n accessTokenResponse?: AccessTokenResponse\n authorizationRequestOpts?: AuthorizationRequestOpts\n authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse\n authorizationURL?: string\n }) {\n const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined)\n if (!issuer) {\n throw Error('No credential issuer supplied or deduced from offer')\n }\n this._state = {\n credentialOffer,\n credentialIssuer: issuer,\n kid,\n alg,\n // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id\n clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],\n pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },\n authorizationRequestOpts,\n authorizationCodeResponse,\n accessToken,\n jwk,\n endpointMetadata,\n accessTokenResponse,\n authorizationURL,\n }\n // Running syncAuthorizationRequestOpts later as it is using the state\n if (!this._state.authorizationRequestOpts) {\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest)\n }\n logger.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`)\n }\n\n public static async fromCredentialIssuer({\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n createAuthorizationRequestURL,\n }: {\n credentialIssuer: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n clientId?: string\n createAuthorizationRequestURL?: boolean\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n pkce?: PKCEOpts\n }) {\n const client = new OpenID4VCIClientV1_0_13({\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n })\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n }\n return client\n }\n\n public static async fromState({ state }: { state: OpenID4VCIClientStateV1_0_13 | string }): Promise {\n const clientState = typeof state === 'string' ? JSON.parse(state) : state\n\n return new OpenID4VCIClientV1_0_13(clientState)\n }\n\n public static async fromURI({\n uri,\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n pkce,\n createAuthorizationRequestURL,\n authorizationRequest,\n resolveOfferUri,\n }: {\n uri: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n createAuthorizationRequestURL?: boolean\n resolveOfferUri?: boolean\n pkce?: PKCEOpts\n clientId?: string\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n }): Promise {\n const credentialOfferClient = await CredentialOfferClient.fromURI(uri, { resolve: resolveOfferUri })\n const client = new OpenID4VCIClientV1_0_13({\n credentialOffer: credentialOfferClient,\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,\n pkce,\n authorizationRequest,\n })\n\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (\n credentialOfferClient.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&\n (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)\n ) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n logger.debug(`Authorization Request URL: ${client._state.authorizationURL}`)\n }\n\n return client\n }\n\n /**\n * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)\n *\n * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device\n * @param opts\n */\n public async createAuthorizationRequestUrl(opts?: { authorizationRequest?: AuthorizationRequestOpts; pkce?: PKCEOpts }): Promise {\n if (!this._state.authorizationURL) {\n this.calculatePKCEOpts(opts?.pkce)\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest)\n if (!this._state.authorizationRequestOpts) {\n throw Error(`No Authorization Request options present or provided in this call`)\n }\n\n // todo: Probably can go with current logic in MetadataClientV1_0_13 who will always set the authorization_endpoint when found\n // handling this because of the support for v1_0-08\n if (\n this._state.endpointMetadata?.credentialIssuerMetadata &&\n 'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata\n ) {\n this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string\n }\n this._state.authorizationURL = await createAuthorizationRequestUrl({\n pkce: this._state.pkce,\n endpointMetadata: this.endpointMetadata,\n authorizationRequest: this._state.authorizationRequestOpts,\n credentialOffer: this.credentialOffer,\n credentialConfigurationSupported: this.getCredentialsSupported(),\n version: this.version(),\n })\n }\n return this._state.authorizationURL\n }\n\n public async retrieveServerMetadata(): Promise {\n this.assertIssuerData()\n if (!this._state.endpointMetadata) {\n if (this.credentialOffer) {\n this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadataFromCredentialOffer(this.credentialOffer)\n } else if (this._state.credentialIssuer) {\n this._state.endpointMetadata = await MetadataClientV1_0_13.retrieveAllMetadata(this._state.credentialIssuer)\n } else {\n throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`)\n }\n }\n\n return this.endpointMetadata\n }\n\n private calculatePKCEOpts(pkce?: PKCEOpts) {\n this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce })\n }\n\n public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise {\n const response = await acquireAuthorizationChallengeAuthCode({\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,\n ...opts,\n })\n\n if (response.errorBody) {\n logger.debug(`Authorization code error:\\r\\n${JSON.stringify(response.errorBody)}`)\n const error = response.errorBody as AuthorizationChallengeErrorResponse\n return Promise.reject(error)\n } else if (!response.successBody) {\n logger.debug(`Authorization code error. No success body`)\n return Promise.reject(\n Error(\n `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,\n ),\n )\n }\n\n return { ...response.successBody }\n }\n\n public async acquireAccessToken(\n opts?: Omit & {\n clientId?: string\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse // Pass in an auth response, either as URI/redirect, or object\n additionalRequestParams?: Record\n },\n ): Promise {\n const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {}\n let { redirectUri } = opts ?? {}\n\n const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code)\n\n if (opts?.codeVerifier) {\n this._state.pkce.codeVerifier = opts.codeVerifier\n }\n this.assertIssuerData()\n const asOpts: AuthorizationServerOpts = { ...opts?.asOpts }\n const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid\n const clientAssertionType =\n asOpts.clientOpts?.clientAssertionType ??\n (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'\n ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n : undefined)\n if (this.isEBSI() || (clientId && kid)) {\n if (!clientId) {\n throw Error(`Client id expected for EBSI`)\n }\n asOpts.clientOpts = {\n ...asOpts.clientOpts,\n clientId,\n ...(kid && { kid }),\n ...(clientAssertionType && { clientAssertionType }),\n signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,\n }\n }\n\n if (clientId) {\n this._state.clientId = clientId\n if (!asOpts.clientOpts) {\n asOpts.clientOpts = { clientId }\n }\n asOpts.clientOpts.clientId = clientId\n }\n if (!this._state.accessTokenResponse) {\n const accessTokenClient = new AccessTokenClient()\n\n if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {\n console.log(\n `Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`,\n )\n }\n if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {\n redirectUri = this._state.authorizationRequestOpts.redirectUri\n }\n const response = await accessTokenClient.acquireAccessToken({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n pin,\n ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),\n code,\n redirectUri,\n asOpts,\n ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),\n ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),\n })\n\n if (response.errorBody) {\n logger.debug(`Access token error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Access token error. No success body`)\n throw Error(\n `Retrieving an access token from ${\n this._state.endpointMetadata?.token_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n this._state.accessTokenResponse = response.successBody\n this._state.dpopResponseParams = response.params\n this._state.accessToken = response.successBody.access_token\n }\n\n return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) }\n }\n\n public async acquireCredentialsWithoutProof(args: {\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n format?: CredentialFormat | OID4VCICredentialFormat\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n jti?: string\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n experimentalHolderIssuanceSupported?: boolean\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise {\n return await this.acquireCredentialsImpl(args)\n }\n public async acquireCredentials(args: {\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n proofCallbacks: ProofOfPossessionCallbacks\n format?: CredentialFormat | OID4VCICredentialFormat\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n jti?: string\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n experimentalHolderIssuanceSupported?: boolean\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise {\n return await this.acquireCredentialsImpl(args)\n }\n\n private async acquireCredentialsImpl({\n credentialIdentifier,\n credentialTypes,\n context,\n proofCallbacks,\n format,\n kid,\n jwk,\n alg,\n jti,\n deferredCredentialAwait,\n deferredCredentialIntervalInMS,\n createDPoPOpts,\n }: {\n credentialIdentifier?: string\n credentialTypes?: string | string[]\n context?: string[]\n proofCallbacks?: ProofOfPossessionCallbacks\n format?: CredentialFormat | OID4VCICredentialFormat\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n jti?: string\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n experimentalHolderIssuanceSupported?: boolean\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise {\n if ([jwk, kid].filter((v) => v !== undefined).length > 1) {\n throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`)\n }\n\n if (alg) this._state.alg = alg\n if (jwk) this._state.jwk = jwk\n if (kid) this._state.kid = kid\n\n const requestBuilder = this.credentialOffer\n ? CredentialRequestClientBuilderV1_0_13.fromCredentialOffer({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n })\n : CredentialRequestClientBuilderV1_0_13.fromCredentialIssuer({\n credentialIssuer: this.getIssuer(),\n credentialIdentifier: credentialIdentifier,\n metadata: this.endpointMetadata,\n version: this.version(),\n })\n // If we are in an auth code flow, without a c nonce, we return the issuerState back to the issuer in case it is present\n const issuerState =\n this.issuerSupportedFlowTypes().includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&\n this._state.authorizationCodeResponse &&\n !this.accessTokenResponse?.c_nonce &&\n this._state.credentialOffer?.issuerState\n ? this._state.credentialOffer.issuerState\n : undefined\n requestBuilder.withIssuerState(issuerState)\n requestBuilder.withTokenFromResponse(this.accessTokenResponse)\n requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS)\n let subjectIssuance: ExperimentalSubjectIssuance | undefined\n if (this.endpointMetadata?.credentialIssuerMetadata) {\n const metadata = this.endpointMetadata.credentialIssuerMetadata\n const types = credentialTypes ? (Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]) : undefined\n\n if (credentialIdentifier) {\n if (typeof metadata.credential_configurations_supported !== 'object') {\n throw Error(\n `Credentials_supported should be an object, current ${typeof metadata.credential_configurations_supported} when credential_identifier is used`,\n )\n }\n const credentialsSupported = metadata.credential_configurations_supported\n if (!credentialsSupported || !credentialsSupported[credentialIdentifier]) {\n throw new Error(`Credential type ${credentialIdentifier} is not supported by issuer ${this.getIssuer()}`)\n }\n } else if (!types) {\n throw Error(`If no credential_identifier is used, we expect types`)\n } else if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {\n let typeSupported = false\n\n metadata.credentials_supported.forEach((supportedCredential) => {\n const subTypes = getTypesFromCredentialSupported(supportedCredential)\n if (\n subTypes.every((t, i) => types[i] === t) ||\n (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))\n ) {\n typeSupported = true\n if (supportedCredential.credential_subject_issuance) {\n subjectIssuance = { credential_subject_issuance: supportedCredential.credential_subject_issuance }\n }\n }\n })\n\n if (!typeSupported) {\n console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`)\n // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);\n }\n } else if (metadata.credential_configurations_supported && typeof metadata.credential_configurations_supported === 'object') {\n let typeSupported = false\n Object.values(metadata.credential_configurations_supported).forEach((supportedCredential) => {\n const subTypes = getTypesFromCredentialSupported(supportedCredential)\n if (\n subTypes.every((t, i) => types[i] === t) ||\n (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))\n ) {\n typeSupported = true\n }\n })\n\n if (!typeSupported) {\n throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`)\n }\n }\n // todo: Format check? We might end up with some disjoint type / format combinations supported by the server\n }\n if (subjectIssuance) {\n requestBuilder.withSubjectIssuance(subjectIssuance)\n }\n\n const credentialRequestClient = requestBuilder.build()\n\n let proofBuilder: ProofOfPossessionBuilder | undefined\n if (proofCallbacks) {\n proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({\n accessTokenResponse: this.accessTokenResponse,\n callbacks: proofCallbacks,\n version: this.version(),\n })\n .withIssuer(this.getIssuer())\n .withAlg(this.alg)\n\n if (this._state.jwk) {\n proofBuilder.withJWK(this._state.jwk)\n }\n if (this._state.kid) {\n proofBuilder.withKid(this._state.kid)\n }\n\n if (this.clientId) {\n proofBuilder.withClientId(this.clientId)\n }\n if (jti) {\n proofBuilder.withJti(jti)\n }\n }\n const request = proofBuilder\n ? await credentialRequestClient.createCredentialRequest({\n proofInput: proofBuilder,\n credentialTypes,\n context,\n format,\n version: this.version(),\n credentialIdentifier,\n subjectIssuance,\n })\n : await credentialRequestClient.createCredentialRequestWithoutProof({\n credentialTypes,\n context,\n format,\n version: this.version(),\n credentialIdentifier,\n subjectIssuance,\n })\n const response = await credentialRequestClient.acquireCredentialsUsingRequest(request, createDPoPOpts)\n this._state.dpopResponseParams = response.params\n if (response.errorBody) {\n logger.debug(`Credential request error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Credential request error. No success body`)\n throw Error(\n `Retrieving a credential from ${\n this._state.endpointMetadata?.credential_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }), access_token: response.access_token }\n }\n\n public async exportState(): Promise {\n return JSON.stringify(this._state)\n }\n\n getCredentialsSupported(\n format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[],\n ): Record {\n return getSupportedCredentials({\n issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,\n version: this.version(),\n format: format,\n types: undefined,\n }) as Record\n }\n\n public async sendNotification(\n credentialRequestOpts: Partial,\n request: NotificationRequest,\n accessToken?: string,\n ): Promise {\n return sendNotification(credentialRequestOpts, request, accessToken ?? this._state.accessToken ?? this._state.accessTokenResponse?.access_token)\n }\n\n /* getCredentialOfferTypes(): string[][] {\n if (!this.credentialOffer) {\n return [];\n } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {\n const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08;\n const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type;\n const result: string[][] = [];\n result[0] = types;\n return result;\n } else {\n return this.credentialOffer.credential_offer.credentials.map((c) => {\n if (typeof c === 'string') {\n return [c];\n } else if ('types' in c) {\n return c.types;\n } else if ('vct' in c) {\n return [c.vct];\n } else {\n return c.credential_definition.types;\n }\n });\n }\n }*/\n\n issuerSupportedFlowTypes(): AuthzFlowType[] {\n return (\n this.credentialOffer?.supportedFlows ??\n (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])\n )\n }\n\n isFlowTypeSupported(flowType: AuthzFlowType): boolean {\n return this.issuerSupportedFlowTypes().includes(flowType)\n }\n\n public hasAuthorizationURL(): boolean {\n return !!this.authorizationURL\n }\n\n get authorizationURL(): string | undefined {\n return this._state.authorizationURL\n }\n\n get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {\n return this._state.credentialOffer\n }\n\n public version(): OpenId4VCIVersion {\n return this.credentialOffer?.version ?? OpenId4VCIVersion.VER_1_0_13\n }\n\n public get endpointMetadata(): EndpointMetadataResultV1_0_13 {\n this.assertServerMetadata()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.endpointMetadata!\n }\n\n get kid(): string {\n this.assertIssuerData()\n if (!this._state.kid) {\n throw new Error('No value for kid is supplied')\n }\n return this._state.kid\n }\n\n get alg(): string {\n this.assertIssuerData()\n if (!this._state.alg) {\n throw new Error('No value for alg is supplied')\n }\n return this._state.alg\n }\n\n set clientId(value: string | undefined) {\n this._state.clientId = value\n }\n\n get clientId(): string | undefined {\n return this._state.clientId\n }\n\n public hasAccessTokenResponse(): boolean {\n return !!this._state.accessTokenResponse\n }\n\n get accessTokenResponse(): AccessTokenResponse {\n this.assertAccessToken()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.accessTokenResponse!\n }\n\n get dpopResponseParams(): DPoPResponseParams | undefined {\n return this._state.dpopResponseParams\n }\n\n public getIssuer(): string {\n this.assertIssuerData()\n return this._state.credentialIssuer\n }\n\n public getAccessTokenEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata\n ? this.endpointMetadata.token_endpoint\n : AccessTokenClient.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } })\n }\n\n public getCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n public hasDeferredCredentialEndpoint(): boolean {\n return !!this.getAccessTokenEndpoint()\n }\n\n public getDeferredCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n /**\n * Too bad we need a method like this, but EBSI is not exposing metadata\n */\n public isEBSI(): boolean {\n const credentialOffer = this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_13\n\n if (credentialOffer?.credential_configuration_ids) {\n const credentialConfigurations = this.endpointMetadata.credentialIssuerMetadata?.credential_configurations_supported\n\n if (credentialConfigurations) {\n const isEBSITrustFramework = credentialOffer.credential_configuration_ids\n .map((id) => credentialConfigurations[id])\n .filter(\n (config): config is CredentialConfigurationSupportedV1_0_13 =>\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n config !== undefined && 'trust_framework' in config && 'name' in config.trust_framework,\n )\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n .some((config) => config.trust_framework.name.includes('ebsi'))\n\n if (isEBSITrustFramework) {\n return true\n }\n }\n }\n\n return (\n this.clientId?.includes('ebsi') ||\n this._state.kid?.includes('did:ebsi:') ||\n this.getIssuer().includes('ebsi') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')\n )\n }\n\n private assertIssuerData(): void {\n if (!this._state.credentialIssuer) {\n throw Error(`No credential issuer value present`)\n } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {\n throw Error(`No issuance initiation or credential offer present`)\n }\n }\n\n private assertServerMetadata(): void {\n if (!this._state.endpointMetadata) {\n throw Error('No server metadata')\n }\n }\n\n private assertAccessToken(): void {\n if (!this._state.accessTokenResponse) {\n throw Error(`No access token present`)\n }\n }\n\n private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {\n let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts\n if (!authorizationRequestOpts) {\n // We only set a redirectUri if no options are provided.\n // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.\n // Provide your own options if that is not desired!\n authorizationRequestOpts = { redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://` }\n }\n const clientId = authorizationRequestOpts.clientId ?? this._state.clientId\n // sync clientId\n this._state.clientId = clientId\n authorizationRequestOpts.clientId = clientId\n return authorizationRequestOpts\n }\n\n private getAuthorizationCode = (\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,\n code?: string,\n ): string | undefined => {\n if (authorizationResponse) {\n this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) }\n } else if (code) {\n this._state.authorizationCodeResponse = { code }\n }\n\n return (\n (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??\n (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code\n )\n }\n}\n","import { CreateDPoPClientOpts, JWK } from '@sphereon/oid4vc-common'\nimport {\n AccessTokenRequestOpts,\n AccessTokenResponse,\n Alg,\n AuthorizationChallengeCodeResponse,\n AuthorizationChallengeErrorResponse,\n AuthorizationChallengeRequestOpts,\n AuthorizationRequestOpts,\n AuthorizationResponse,\n AuthorizationServerOpts,\n AuthzFlowType,\n CodeChallengeMethod,\n CredentialConfigurationSupported,\n CredentialOfferPayloadV1_0_08,\n CredentialOfferPayloadV1_0_11,\n CredentialOfferRequestWithBaseUrl,\n CredentialResponse,\n CredentialsSupportedLegacy,\n DefaultURISchemes,\n DPoPResponseParams,\n EndpointMetadataResultV1_0_11,\n getClientIdFromCredentialOfferPayload,\n getIssuerFromCredentialOfferPayload,\n getSupportedCredentials,\n getTypesFromCredentialSupported,\n getTypesFromObject,\n KID_JWK_X5C_ERROR,\n OID4VCICredentialFormat,\n OpenId4VCIVersion,\n PKCEOpts,\n ProofOfPossessionCallbacks,\n toAuthorizationResponsePayload,\n} from '@sphereon/oid4vci-common'\nimport { CredentialFormat, Loggers } from '@sphereon/ssi-types'\n\nimport { AccessTokenClientV1_0_11 } from './AccessTokenClientV1_0_11'\nimport { acquireAuthorizationChallengeAuthCode } from './AuthorizationCodeClient'\nimport { createAuthorizationRequestUrlV1_0_11 } from './AuthorizationCodeClientV1_0_11'\nimport { CredentialOfferClientV1_0_11 } from './CredentialOfferClientV1_0_11'\nimport { CredentialRequestClientBuilderV1_0_11 } from './CredentialRequestClientBuilderV1_0_11'\nimport { MetadataClientV1_0_11 } from './MetadataClientV1_0_11'\nimport { ProofOfPossessionBuilder } from './ProofOfPossessionBuilder'\nimport { generateMissingPKCEOpts } from './functions'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci')\n\nexport interface OpenID4VCIClientStateV1_0_11 {\n credentialIssuer: string\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n clientId?: string\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n endpointMetadata?: EndpointMetadataResultV1_0_11\n accessTokenResponse?: AccessTokenResponse\n dpopResponseParams?: DPoPResponseParams\n authorizationRequestOpts?: AuthorizationRequestOpts\n authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse\n pkce: PKCEOpts\n accessToken?: string\n authorizationURL?: string\n}\n\nexport class OpenID4VCIClientV1_0_11 {\n private readonly _state: OpenID4VCIClientStateV1_0_11\n\n private constructor({\n credentialOffer,\n clientId,\n kid,\n alg,\n credentialIssuer,\n pkce,\n authorizationRequest,\n jwk,\n endpointMetadata,\n accessTokenResponse,\n authorizationRequestOpts,\n authorizationCodeResponse,\n authorizationURL,\n }: {\n credentialOffer?: CredentialOfferRequestWithBaseUrl\n kid?: string\n alg?: Alg | string\n clientId?: string\n credentialIssuer?: string\n pkce?: PKCEOpts\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n jwk?: JWK\n endpointMetadata?: EndpointMetadataResultV1_0_11\n accessTokenResponse?: AccessTokenResponse\n authorizationRequestOpts?: AuthorizationRequestOpts\n authorizationCodeResponse?: AuthorizationResponse | AuthorizationChallengeCodeResponse\n authorizationURL?: string\n }) {\n const issuer = credentialIssuer ?? (credentialOffer ? getIssuerFromCredentialOfferPayload(credentialOffer.credential_offer) : undefined)\n if (!issuer) {\n throw Error('No credential issuer supplied or deduced from offer')\n }\n this._state = {\n credentialOffer,\n credentialIssuer: issuer,\n kid,\n alg,\n // TODO: We need to refactor this and always explicitly call createAuthorizationRequestUrl, so we can have a credential selection first and use the kid as a default for the client id\n clientId: clientId ?? (credentialOffer && getClientIdFromCredentialOfferPayload(credentialOffer.credential_offer)) ?? kid?.split('#')[0],\n pkce: { disabled: false, codeChallengeMethod: CodeChallengeMethod.S256, ...pkce },\n authorizationRequestOpts,\n authorizationCodeResponse,\n jwk,\n endpointMetadata,\n accessTokenResponse,\n authorizationURL,\n }\n // Running syncAuthorizationRequestOpts later as it is using the state\n if (!this._state.authorizationRequestOpts) {\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(authorizationRequest)\n }\n logger.debug(`Authorization req options: ${JSON.stringify(this._state.authorizationRequestOpts, null, 2)}`)\n }\n\n public static async fromCredentialIssuer({\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n createAuthorizationRequestURL,\n }: {\n credentialIssuer: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n clientId?: string\n createAuthorizationRequestURL?: boolean\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n pkce?: PKCEOpts\n }) {\n const client = new OpenID4VCIClientV1_0_11({\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId,\n credentialIssuer,\n pkce,\n authorizationRequest,\n })\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n }\n return client\n }\n\n public static async fromState({ state }: { state: OpenID4VCIClientStateV1_0_11 | string }): Promise {\n const clientState = typeof state === 'string' ? JSON.parse(state) : state\n\n return new OpenID4VCIClientV1_0_11(clientState)\n }\n\n public static async fromURI({\n uri,\n kid,\n alg,\n retrieveServerMetadata,\n clientId,\n pkce,\n createAuthorizationRequestURL,\n authorizationRequest,\n resolveOfferUri,\n }: {\n uri: string\n kid?: string\n alg?: Alg | string\n retrieveServerMetadata?: boolean\n createAuthorizationRequestURL?: boolean\n resolveOfferUri?: boolean\n pkce?: PKCEOpts\n clientId?: string\n authorizationRequest?: AuthorizationRequestOpts // Can be provided here, or when manually calling createAuthorizationUrl\n }): Promise {\n const credentialOfferClient = await CredentialOfferClientV1_0_11.fromURI(uri, { resolve: resolveOfferUri })\n const client = new OpenID4VCIClientV1_0_11({\n credentialOffer: credentialOfferClient,\n kid,\n alg,\n clientId: clientId ?? authorizationRequest?.clientId ?? credentialOfferClient.clientId,\n pkce,\n authorizationRequest,\n })\n\n if (retrieveServerMetadata === undefined || retrieveServerMetadata) {\n await client.retrieveServerMetadata()\n }\n if (\n credentialOfferClient.supportedFlows.includes(AuthzFlowType.AUTHORIZATION_CODE_FLOW) &&\n (createAuthorizationRequestURL === undefined || createAuthorizationRequestURL)\n ) {\n await client.createAuthorizationRequestUrl({ authorizationRequest, pkce })\n logger.debug(`Authorization Request URL: ${client._state.authorizationURL}`)\n }\n\n return client\n }\n\n /**\n * Allows you to create an Authorization Request URL when using an Authorization Code flow. This URL needs to be accessed using the front channel (browser)\n *\n * The Identity provider would present a login screen typically; after you authenticated, it would redirect to the provided redirectUri; which can be same device or cross-device\n * @param opts\n */\n public async createAuthorizationRequestUrl(opts?: { authorizationRequest?: AuthorizationRequestOpts; pkce?: PKCEOpts }): Promise {\n if (!this._state.authorizationURL) {\n this.calculatePKCEOpts(opts?.pkce)\n this._state.authorizationRequestOpts = this.syncAuthorizationRequestOpts(opts?.authorizationRequest)\n if (!this._state.authorizationRequestOpts) {\n throw Error(`No Authorization Request options present or provided in this call`)\n }\n\n // todo: Probably can go with current logic in MetadataClientV1_0_13 who will always set the authorization_endpoint when found\n // handling this because of the support for v1_0-08\n if (\n this._state.endpointMetadata?.credentialIssuerMetadata &&\n 'authorization_endpoint' in this._state.endpointMetadata.credentialIssuerMetadata\n ) {\n this._state.endpointMetadata.authorization_endpoint = this._state.endpointMetadata.credentialIssuerMetadata.authorization_endpoint as string\n }\n this._state.authorizationURL = await createAuthorizationRequestUrlV1_0_11({\n pkce: this._state.pkce,\n endpointMetadata: this.endpointMetadata,\n authorizationRequest: this._state.authorizationRequestOpts,\n credentialOffer: this.credentialOffer,\n credentialsSupported: Object.values(this.getCredentialsSupported()) as CredentialsSupportedLegacy[],\n })\n }\n return this._state.authorizationURL\n }\n\n public async retrieveServerMetadata(): Promise {\n this.assertIssuerData()\n if (!this._state.endpointMetadata) {\n if (this.credentialOffer) {\n this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadataFromCredentialOffer(this.credentialOffer)\n } else if (this._state.credentialIssuer) {\n this._state.endpointMetadata = await MetadataClientV1_0_11.retrieveAllMetadata(this._state.credentialIssuer)\n } else {\n throw Error(`Cannot retrieve issuer metadata without either a credential offer, or issuer value`)\n }\n }\n\n return this.endpointMetadata\n }\n\n private calculatePKCEOpts(pkce?: PKCEOpts) {\n this._state.pkce = generateMissingPKCEOpts({ ...this._state.pkce, ...pkce })\n }\n\n public async acquireAuthorizationChallengeCode(opts?: AuthorizationChallengeRequestOpts): Promise {\n const response = await acquireAuthorizationChallengeAuthCode({\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n clientId: this._state.clientId ?? this._state.authorizationRequestOpts?.clientId,\n ...opts,\n })\n\n if (response.errorBody) {\n logger.debug(`Authorization code error:\\r\\n${JSON.stringify(response.errorBody)}`)\n const error = response.errorBody as AuthorizationChallengeErrorResponse\n return Promise.reject(error)\n } else if (!response.successBody) {\n logger.debug(`Authorization code error. No success body`)\n return Promise.reject(\n Error(\n `Retrieving an authorization code token from ${this._state.endpointMetadata?.authorization_challenge_endpoint} for issuer ${this.getIssuer()} failed as there was no success response body`,\n ),\n )\n }\n\n return { ...response.successBody }\n }\n\n public async acquireAccessToken(\n opts?: Omit & {\n clientId?: string\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse // Pass in an auth response, either as URI/redirect, or object\n additionalRequestParams?: Record\n },\n ): Promise {\n const { pin, clientId = this._state.clientId ?? this._state.authorizationRequestOpts?.clientId } = opts ?? {}\n let { redirectUri } = opts ?? {}\n\n const code = this.getAuthorizationCode(opts?.authorizationResponse, opts?.code)\n\n if (opts?.codeVerifier) {\n this._state.pkce.codeVerifier = opts.codeVerifier\n }\n this.assertIssuerData()\n\n const asOpts: AuthorizationServerOpts = { ...opts?.asOpts }\n if (clientId) {\n this._state.clientId = clientId\n if (!asOpts.clientOpts) {\n asOpts.clientOpts = { clientId }\n }\n asOpts.clientOpts.clientId = clientId\n }\n if (!this._state.accessTokenResponse) {\n const accessTokenClient = new AccessTokenClientV1_0_11()\n\n if (redirectUri && redirectUri !== this._state.authorizationRequestOpts?.redirectUri) {\n console.log(\n `Redirect URI mismatch between access-token (${redirectUri}) and authorization request (${this._state.authorizationRequestOpts?.redirectUri}). According to the specification that is not allowed.`,\n )\n }\n if (this._state.authorizationRequestOpts?.redirectUri && !redirectUri) {\n redirectUri = this._state.authorizationRequestOpts.redirectUri\n }\n\n const kid = asOpts.clientOpts?.kid ?? this._state.kid ?? this._state.authorizationRequestOpts?.requestObjectOpts?.kid\n const clientAssertionType =\n asOpts.clientOpts?.clientAssertionType ??\n (kid && clientId && typeof asOpts.clientOpts?.signCallbacks?.signCallback === 'function'\n ? 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n : undefined)\n if (this.isEBSI() || (clientId && kid)) {\n if (!clientId) {\n throw Error(`Client id expected for EBSI`)\n }\n asOpts.clientOpts = {\n ...asOpts.clientOpts,\n clientId,\n ...(kid && { kid }),\n ...(clientAssertionType && { clientAssertionType }),\n signCallbacks: asOpts.clientOpts?.signCallbacks ?? this._state.authorizationRequestOpts?.requestObjectOpts?.signCallbacks,\n }\n }\n\n const response = await accessTokenClient.acquireAccessToken({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n credentialIssuer: this.getIssuer(),\n pin,\n ...(!this._state.pkce.disabled && { codeVerifier: this._state.pkce.codeVerifier }),\n code,\n redirectUri,\n asOpts,\n ...(opts?.createDPoPOpts && { createDPoPOpts: opts.createDPoPOpts }),\n ...(opts?.additionalRequestParams && { additionalParams: opts.additionalRequestParams }),\n })\n\n if (response.errorBody) {\n logger.debug(`Access token error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving an access token from ${this._state.endpointMetadata?.token_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Access token error. No success body`)\n throw Error(\n `Retrieving an access token from ${\n this._state.endpointMetadata?.token_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n this._state.accessTokenResponse = response.successBody\n this._state.dpopResponseParams = response.params\n this._state.accessToken = response.successBody.access_token\n }\n\n return { ...this.accessTokenResponse, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) }\n }\n\n public async acquireCredentials({\n credentialTypes,\n context,\n proofCallbacks,\n format,\n kid,\n jwk,\n alg,\n jti,\n deferredCredentialAwait,\n deferredCredentialIntervalInMS,\n createDPoPOpts,\n }: {\n credentialTypes: string | string[]\n context?: string[]\n proofCallbacks: ProofOfPossessionCallbacks\n format?: CredentialFormat | OID4VCICredentialFormat\n kid?: string\n jwk?: JWK\n alg?: Alg | string\n jti?: string\n deferredCredentialAwait?: boolean\n deferredCredentialIntervalInMS?: number\n createDPoPOpts?: CreateDPoPClientOpts\n }): Promise {\n if ([jwk, kid].filter((v) => v !== undefined).length > 1) {\n throw new Error(KID_JWK_X5C_ERROR + `. jwk: ${jwk !== undefined}, kid: ${kid !== undefined}`)\n }\n\n if (alg) this._state.alg = alg\n if (jwk) this._state.jwk = jwk\n if (kid) this._state.kid = kid\n\n const requestBuilder = this.credentialOffer\n ? CredentialRequestClientBuilderV1_0_11.fromCredentialOffer({\n credentialOffer: this.credentialOffer,\n metadata: this.endpointMetadata,\n })\n : CredentialRequestClientBuilderV1_0_11.fromCredentialIssuer({\n credentialIssuer: this.getIssuer(),\n credentialTypes,\n metadata: this.endpointMetadata,\n version: this.version(),\n })\n\n requestBuilder.withTokenFromResponse(this.accessTokenResponse)\n requestBuilder.withDeferredCredentialAwait(deferredCredentialAwait ?? false, deferredCredentialIntervalInMS)\n if (this.endpointMetadata?.credentialIssuerMetadata) {\n const metadata = this.endpointMetadata.credentialIssuerMetadata\n const types = Array.isArray(credentialTypes) ? credentialTypes : [credentialTypes]\n\n if (metadata.credentials_supported && Array.isArray(metadata.credentials_supported)) {\n let typeSupported = false\n\n metadata.credentials_supported.forEach((supportedCredential) => {\n const subTypes = getTypesFromCredentialSupported(supportedCredential)\n if (\n subTypes.every((t, i) => types[i] === t) ||\n (types.length === 1 && (types[0] === supportedCredential.id || subTypes.includes(types[0])))\n ) {\n typeSupported = true\n }\n })\n\n if (!typeSupported) {\n console.log(`Not all credential types ${JSON.stringify(credentialTypes)} are present in metadata for ${this.getIssuer()}`)\n // throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`);\n }\n } else if (metadata.credentials_supported && !Array.isArray(metadata.credentials_supported)) {\n const credentialsSupported = metadata.credentials_supported\n if (types.some((type) => !metadata.credentials_supported || !credentialsSupported[type])) {\n throw Error(`Not all credential types ${JSON.stringify(credentialTypes)} are supported by issuer ${this.getIssuer()}`)\n }\n }\n // todo: Format check? We might end up with some disjoint type / format combinations supported by the server\n }\n const credentialRequestClient = requestBuilder.build()\n const proofBuilder = ProofOfPossessionBuilder.fromAccessTokenResponse({\n accessTokenResponse: this.accessTokenResponse,\n callbacks: proofCallbacks,\n version: this.version(),\n })\n .withIssuer(this.getIssuer())\n .withAlg(this.alg)\n\n if (this._state.jwk) {\n proofBuilder.withJWK(this._state.jwk)\n }\n if (this._state.kid) {\n proofBuilder.withKid(this._state.kid)\n }\n\n if (this.clientId) {\n proofBuilder.withClientId(this.clientId)\n }\n if (jti) {\n proofBuilder.withJti(jti)\n }\n const response = await credentialRequestClient.acquireCredentialsUsingProof({\n proofInput: proofBuilder,\n credentialTypes,\n context,\n format,\n createDPoPOpts,\n })\n this._state.dpopResponseParams = response.params\n if (response.errorBody) {\n logger.debug(`Credential request error:\\r\\n${JSON.stringify(response.errorBody)}`)\n throw Error(\n `Retrieving a credential from ${this._state.endpointMetadata?.credential_endpoint} for issuer ${this.getIssuer()} failed with status: ${\n response.origResponse.status\n }`,\n )\n } else if (!response.successBody) {\n logger.debug(`Credential request error. No success body`)\n throw Error(\n `Retrieving a credential from ${\n this._state.endpointMetadata?.credential_endpoint\n } for issuer ${this.getIssuer()} failed as there was no success response body`,\n )\n }\n return { ...response.successBody, ...(this.dpopResponseParams && { params: this.dpopResponseParams }) }\n }\n\n public async exportState(): Promise {\n return JSON.stringify(this._state)\n }\n\n // FIXME: We really should convert {\n return getSupportedCredentials({\n issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,\n version: this.version(),\n format: format,\n types: restrictToInitiationTypes ? this.getCredentialOfferTypes() : undefined,\n }) as Record\n }\n\n getCredentialsSupported(format?: (OID4VCICredentialFormat | string) | (OID4VCICredentialFormat | string)[]): CredentialConfigurationSupported[] {\n return getSupportedCredentials({\n issuerMetadata: this.endpointMetadata.credentialIssuerMetadata,\n version: this.version(),\n format: format,\n types: undefined,\n }) as CredentialConfigurationSupported[]\n }\n\n getCredentialOfferTypes(): string[][] {\n if (!this.credentialOffer) {\n return []\n } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_11) {\n const orig = this.credentialOffer.original_credential_offer as CredentialOfferPayloadV1_0_08\n const types: string[] = typeof orig.credential_type === 'string' ? [orig.credential_type] : orig.credential_type\n const result: string[][] = []\n result[0] = types\n return result\n } else if (this.credentialOffer.version < OpenId4VCIVersion.VER_1_0_13) {\n return (this.credentialOffer.credential_offer as CredentialOfferPayloadV1_0_11).credentials.map((c) => getTypesFromObject(c) ?? [])\n }\n // we don't support > V11\n throw Error(`This class only supports version 11 and lower! Version: ${this.version()}`)\n }\n\n issuerSupportedFlowTypes(): AuthzFlowType[] {\n return (\n this.credentialOffer?.supportedFlows ??\n (this._state.endpointMetadata?.credentialIssuerMetadata?.authorization_endpoint ? [AuthzFlowType.AUTHORIZATION_CODE_FLOW] : [])\n )\n }\n\n isFlowTypeSupported(flowType: AuthzFlowType): boolean {\n return this.issuerSupportedFlowTypes().includes(flowType)\n }\n\n get authorizationURL(): string | undefined {\n return this._state.authorizationURL\n }\n\n public hasAuthorizationURL(): boolean {\n return !!this.authorizationURL\n }\n\n get credentialOffer(): CredentialOfferRequestWithBaseUrl | undefined {\n return this._state.credentialOffer\n }\n\n public version(): OpenId4VCIVersion {\n return this.credentialOffer?.version ?? OpenId4VCIVersion.VER_1_0_11\n }\n\n public get endpointMetadata(): EndpointMetadataResultV1_0_11 {\n this.assertServerMetadata()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.endpointMetadata!\n }\n\n get kid(): string {\n this.assertIssuerData()\n if (!this._state.kid) {\n throw new Error('No value for kid is supplied')\n }\n return this._state.kid\n }\n\n get alg(): string {\n this.assertIssuerData()\n if (!this._state.alg) {\n throw new Error('No value for alg is supplied')\n }\n return this._state.alg\n }\n\n set clientId(value: string | undefined) {\n this._state.clientId = value\n }\n\n get clientId(): string | undefined {\n return this._state.clientId\n }\n\n public hasAccessTokenResponse(): boolean {\n return !!this._state.accessTokenResponse\n }\n\n get accessTokenResponse(): AccessTokenResponse {\n this.assertAccessToken()\n // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n return this._state.accessTokenResponse!\n }\n\n get dpopResponseParams(): DPoPResponseParams | undefined {\n return this._state.dpopResponseParams\n }\n\n public getIssuer(): string {\n this.assertIssuerData()\n return this._state.credentialIssuer\n }\n\n public getAccessTokenEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata\n ? this.endpointMetadata.token_endpoint\n : AccessTokenClientV1_0_11.determineTokenURL({ issuerOpts: { issuer: this.getIssuer() } })\n }\n\n public getCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n public hasDeferredCredentialEndpoint(): boolean {\n return !!this.getAccessTokenEndpoint()\n }\n\n public getDeferredCredentialEndpoint(): string {\n this.assertIssuerData()\n return this.endpointMetadata ? this.endpointMetadata.credential_endpoint : `${this.getIssuer()}/credential`\n }\n\n /**\n * Too bad we need a method like this, but EBSI is not exposing metadata\n */\n public isEBSI() {\n if (\n this.credentialOffer &&\n (this.credentialOffer?.credential_offer as CredentialOfferPayloadV1_0_11)?.credentials?.find(\n (cred) =>\n // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n // @ts-ignore\n typeof cred !== 'string' && 'trust_framework' in cred && 'name' in cred.trust_framework && cred.trust_framework.name.includes('ebsi'),\n )\n ) {\n return true\n }\n // this.assertIssuerData();\n return (\n this.clientId?.includes('ebsi') ||\n this._state.kid?.includes('did:ebsi:') ||\n this.getIssuer().includes('ebsi') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_endpoint?.includes('ebsi.eu') ||\n this.endpointMetadata.credentialIssuerMetadata?.authorization_server?.includes('ebsi.eu')\n )\n }\n\n private assertIssuerData(): void {\n if (!this._state.credentialIssuer) {\n throw Error(`No credential issuer value present`)\n } else if (!this._state.credentialOffer && this._state.endpointMetadata && this.issuerSupportedFlowTypes().length === 0) {\n throw Error(`No issuance initiation or credential offer present`)\n }\n }\n\n private assertServerMetadata(): void {\n if (!this._state.endpointMetadata) {\n throw Error('No server metadata')\n }\n }\n\n private assertAccessToken(): void {\n if (!this._state.accessTokenResponse) {\n throw Error(`No access token present`)\n }\n }\n\n private syncAuthorizationRequestOpts(opts?: AuthorizationRequestOpts): AuthorizationRequestOpts {\n let authorizationRequestOpts = { ...this._state?.authorizationRequestOpts, ...opts } as AuthorizationRequestOpts\n if (!authorizationRequestOpts) {\n // We only set a redirectUri if no options are provided.\n // Note that this only works for mobile apps, that can handle a code query param on the default openid-credential-offer deeplink.\n // Provide your own options if that is not desired!\n authorizationRequestOpts = { redirectUri: `${DefaultURISchemes.CREDENTIAL_OFFER}://` }\n }\n const clientId = authorizationRequestOpts.clientId ?? this._state.clientId\n // sync clientId\n this._state.clientId = clientId\n authorizationRequestOpts.clientId = clientId\n return authorizationRequestOpts\n }\n\n private getAuthorizationCode = (\n authorizationResponse?: string | AuthorizationResponse | AuthorizationChallengeCodeResponse,\n code?: string,\n ): string | undefined => {\n if (authorizationResponse) {\n this._state.authorizationCodeResponse = { ...toAuthorizationResponsePayload(authorizationResponse) }\n } else if (code) {\n this._state.authorizationCodeResponse = { code }\n }\n\n return (\n (this._state.authorizationCodeResponse as AuthorizationResponse)?.code ??\n (this._state.authorizationCodeResponse as AuthorizationChallengeCodeResponse)?.authorization_code\n )\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;;;;;;aAAAA;EAAA;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAAAC,0BAA4B;;;ACA5B,IAAAC,wBAAuE;AACvE,IAAAC,yBAsBO;AACP,IAAAC,oBAA4B;;;ACxB5B,IAAAC,yBAWO;AACP,IAAAC,oBAAwB;;;ACZxB,4BAAkH;AAE3G,IAAMC,0BAA0B,wBAACC,SAAAA;AACtC,MAAIA,KAAKC,UAAU;AACjB,WAAOD;EACT;AACA,MAAI,CAACA,KAAKE,qBAAqB;AAC7BF,SAAKE,sBAAsBC,0CAAoBC;EACjD;AACA,MAAI,CAACJ,KAAKK,cAAc;AACtBL,SAAKK,mBAAeC,4CAAAA;EACtB;AACAC,qDAAwBP,KAAKK,YAAY;AACzC,MAAI,CAACL,KAAKQ,eAAe;AACvBR,SAAKQ,oBAAgBC,2CAAoBT,KAAKK,cAAcL,KAAKE,mBAAmB;EACtF;AACA,SAAOF;AACT,GAfuC;;;ACFvC,IAAAU,yBAAiG;;;ACAjG,IAAAC,yBAA4B;AAC5B,uBAAyC;AAElC,IAAMC,MAA6BC,mCAAYC,QAAQ,2BAA2B;EAAEC,SAAS;IAACC,2BAAUC;IAAOD,2BAAUE;;AAAW,CAAA,EAAGC,IAC5I,yBAAA;;;ADCF,eAAsBC,iBACpBC,uBACAC,SACAC,aAAoB;AAEpBC,MAAIC,KAAK,sCAAsCH,QAAQI,KAAK,YAAYJ,QAAQK,eAAe,EAAE;AACjG,MAAI,CAACN,sBAAsBO,sBAAsB;AAC/C,UAAMC,MAAM,oEAAoE;EAClF;AACA,QAAMC,QAAQP,eAAeF,sBAAsBS;AACnD,QAAMC,WAAW,UAAMC,6BAAgCX,sBAAsBO,sBAAsBK,KAAKC,UAAUZ,OAAAA,GAAU;IAC1H,GAAIQ,SAAS;MAAEK,aAAaL;IAAM;EACpC,CAAA;AACA,QAAMM,QAAQL,SAASM,WAAWD,UAAUE;AAC5C,QAAMC,SAAS;IACbH;IACAL,UAAUK,QAAQL,SAASM,YAAYC;EACzC;AACA,MAAIF,OAAO;AACTZ,QAAIgB,QAAQ,sDAAsDlB,QAAQI,KAAK,YAAYJ,QAAQK,eAAe,KAAKI,SAASM,SAAS,EAAE;EAC7I,OAAO;AACLb,QAAIiB,MAAM,qDAAqDnB,QAAQI,KAAK,YAAYJ,QAAQK,eAAe,EAAE;EACnH;AACA,SAAOY;AACT;AAxBsBnB;;;AELtB,IAAAsB,yBAA4D;AAC5D,IAAAC,oBAAwB;AAExB,IAAMC,SAASC,0BAAQC,QAAQC,IAAI,kCAAA;AAQ5B,IAAMC,oBAAoB,8BAC/BC,MACAC,cACAC,SAAAA;AAEA,QAAMC,SAA4B,UAAMC,gCAAQ,GAAGJ,KAAKK,SAAS,GAAA,IAAOL,KAAKM,MAAM,GAAG,EAAC,IAAKN,IAAAA,GAAOC,YAAAA,IAAgB;IACjHM,4BAA4BL,MAAMM;EACpC,CAAA;AACA,MAAIL,OAAOM,aAAaC,UAAU,KAAK;AAErCf,WAAOgB,MAAM,QAAQX,IAAAA,uBAA2BC,YAAAA,YAAwBE,OAAOM,aAAaC,MAAM,KAAKP,OAAOM,aAAaG,UAAU,EAAE;EACzI;AACA,SAAOT;AACT,GAbiC;;;ACXjC,2BAAuB;AACvB,IAAAU,yBAAmF;;;ACAnF,IAAAC,yBAaO;AAEA,IAAMC,2BAAN,MAAMA,0BAAAA;EAfb,OAeaA;;;EACMC;EACAC;EACAC;EACAC,OAAgB;EAEzBC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EACAC;EAER,YAAoB,EAClBb,OACAC,WACAQ,KACAK,qBACAZ,SACAC,OAAO,MAAK,GAQX;AACD,SAAKA,OAAOA;AACZ,SAAKH,QAAQA;AACb,SAAKC,YAAYA;AACjB,SAAKC,UAAUA;AACf,QAAIO,KAAK;AACP,WAAKM,QAAQN,GAAAA;IACf,OAAO;AACL,WAAKO,QAAQd,UAAUe,yCAAkBC,cAAcf,SAAS,QAAQ,QAAQ,sBAAA;IAClF;AACA,QAAIW,qBAAqB;AACvB,WAAKK,wBAAwBL,mBAAAA;IAC/B;EACF;EAEA,OAAOM,OAAO,EACZX,KACAR,WACAC,SACAC,OAAO,MAAK,GAMe;AAC3B,WAAO,IAAIJ,0BAAyB;MAAEE;MAAWQ;MAAKP;MAASC;IAAK,CAAA;EACtE;EAEA,OAAOkB,QAAQ,EACbZ,KACAR,WACAC,SACAC,OAAO,MAAK,GAMe;AAC3B,WAAO,IAAIJ,0BAAyB;MAAEE;MAAWQ;MAAKP;MAASC;IAAK,CAAA;EACtE;EAEA,OAAOmB,wBAAwB,EAC7BR,qBACAb,WACAC,SACAC,OAAO,MAAK,GAMe;AAC3B,WAAO,IAAIJ,0BAAyB;MAAEE;MAAWa;MAAqBZ;MAASC;IAAK,CAAA;EACtF;EAEA,OAAOoB,UAAUvB,OAA0BE,SAAsD;AAC/F,WAAO,IAAIH,0BAAyB;MAAEC;MAAOE;IAAQ,CAAA;EACvD;EAEAsB,QAAQlB,KAA8B;AACpC,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAmB,aAAalB,UAAwB;AACnC,SAAKA,WAAWA;AAChB,WAAO;EACT;EAEAmB,QAAQtB,KAAmB;AACzB,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAuB,QAAQtB,KAAgB;AACtB,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAuB,WAAWpB,QAAsB;AAC/B,SAAKA,SAASA;AACd,WAAO;EACT;EAEAqB,QAAQnB,KAAyB;AAC/B,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAoB,QAAQnB,KAAmB;AACzB,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAK,QAAQH,KAAgB;AACtB,QAAI,KAAKV,SAAS,SAAS,KAAKD,WAAWe,yCAAkBC,YAAY;AACvE,UAAI,CAAC,CAACL,OAAOA,QAAQ,wBAAwB;AAC3C,cAAMkB,MAAM,yEAAyElB,GAAAA,EAAK;MAC5F;IACF,OAAO;AACL,UAAI,CAAC,CAACA,OAAOA,QAAQ,OAAO;AAC1B,cAAMkB,MAAM,2DAA2DlB,GAAAA,EAAK;MAC9E;IACF;AACA,SAAKA,MAAMA;AACX,WAAO;EACT;EAEAmB,qBAAqBpB,QAAsB;AACzC,SAAKA,SAASA;AACd,WAAO;EACT;EAEAO,wBAAwBc,aAAwC;AAC9D,QAAIA,YAAYC,SAAS;AACvB,WAAKF,qBAAqBC,YAAYC,OAAO;IAC/C;AACA,WAAO;EACT;EAEAC,qBAAqBC,kBAA0C;AAC7D,SAAKR,WAAWQ,iBAAiB5B,MAAM;AACvC,WAAO;EACT;EAEAO,QAAQN,KAAgB;AACtB,QAAI,CAACA,KAAK;AACR,YAAM,IAAIsB,MAAMM,sCAAAA;IAClB;AACA,SAAK5B,MAAMA;AACX,QAAI,CAACA,IAAI6B,QAAQ;AACf,YAAMP,MAAM,uBAAuB;IACrC,WAAW,CAACtB,IAAI8B,SAAS;AACvB,YAAMR,MAAM,wBAAwB;IACtC;AAEA,QAAItB,IAAI6B,OAAOlC,KAAK;AAClB,WAAKsB,QAAQjB,IAAI6B,OAAOlC,GAAG;IAC7B;AACA,QAAIK,IAAI6B,OAAOzB,KAAK;AAClB,WAAKG,QAAQP,IAAI6B,OAAOzB,GAAG;IAC7B;AACA,QAAI,CAAC,KAAKA,OAAO,KAAKX,WAAWe,yCAAkBC,YAAY;AAC7D,WAAKF,QAAQ,sBAAA;IACf;AACA,SAAKa,QAAQpB,IAAI6B,OAAO5B,GAAG;AAE3B,QAAI8B,MAAMC,QAAQhC,IAAI8B,QAAQjC,GAAG,GAAG;AAElC,YAAMyB,MAAM,gDAAA;IACd;AAEA,QAAItB,IAAI8B,SAAS;AACf,UAAI9B,IAAI8B,QAAQG,IAAK,MAAKvC,SAAS,QAAQ,KAAKsB,aAAahB,IAAI8B,QAAQG,GAAG,IAAI,KAAKd,WAAWnB,IAAI8B,QAAQG,GAAG;AAC/G,UAAIjC,IAAI8B,QAAQjC,IAAK,MAAKH,SAAS,QAAQ,KAAKyB,WAAWnB,IAAI8B,QAAQjC,GAAG,IAAI,KAAKkB,QAAQf,IAAI8B,QAAQjC,GAAG;AAC1G,UAAIG,IAAI8B,QAAQ5B,IAAK,MAAKmB,QAAQrB,IAAI8B,QAAQ5B,GAAG;AACjD,UAAIF,IAAI8B,QAAQI,MAAO,MAAKX,qBAAqBvB,IAAI8B,QAAQI,KAAK;IACpE;AACA,WAAO;EACT;EAEA,MAAaC,QAAoC;AAC/C,QAAI,KAAK5C,OAAO;AACd,aAAO6C,QAAQC,QAAQ,KAAK9C,KAAK;IACnC,WAAW,KAAKC,WAAW;AACzB,aAAO,UAAM8C,gDACX,KAAK5C,MACL,KAAKF,WACL;QACEY,KAAK,KAAKA,QAAQ,KAAKX,UAAUe,yCAAkBC,cAAc,KAAKf,SAAS,QAAQ,QAAQ;QAC/FC,KAAK,KAAKA;QACVC,KAAK,KAAKA;QACVM,KAAK,KAAKA;QACVD,KAAK,KAAKA;QACVJ,KAAK,KAAKA;QACVE,QAAQ,KAAKA;QACbD,UAAU,KAAKA;QACf,GAAI,KAAKK,UAAU;UAAE+B,OAAO,KAAK/B;QAAO;MAC1C,GACA,KAAKH,GAAG;IAEZ;AACA,UAAM,IAAIsB,MAAMiB,gDAAAA;EAClB;AACF;;;ADpOO,IAAMC,iCAAiC,8BAC5CC,SACAC,SAAAA;AAIA,QAAM,EAAEC,QAAQC,iBAAgB,IAAKF;AACrC,MAAIC,QAAQE,YAAYC,wBAAwB,0DAA0D;AACxG,UAAM,EAAEC,WAAWN,QAAQO,WAAWC,eAAeC,IAAG,IAAKP,OAAOE;AACpE,QAAI,EAAEM,IAAG,IAAKR,OAAOE;AACrB,QAAI,CAACE,UAAU;AACb,aAAOK,QAAQC,OAAOC,MAAM,oEAAoE,CAAA;IAClG,WAAW,CAACH,KAAK;AACf,aAAOC,QAAQC,OAAOC,MAAM,6DAA6D,CAAA;IAC3F,WAAW,OAAOL,eAAeM,iBAAiB,YAAY;AAC5D,aAAOH,QAAQC,OAAOC,MAAM,uEAAuE,CAAA;IACrG,WAAW,CAACV,kBAAkB;AAC5B,aAAOQ,QAAQC,OAAOC,MAAM,2EAA2E,CAAA;IACzG;AACA,QAAIP,SAASS,WAAW,MAAA,KAAWL,IAAIM,SAAS,GAAA,GAAM;AACpDN,YAAMA,IAAIO,MAAM,GAAA,EAAK,CAAA;IACvB;AACA,UAAMC,MAAW;MACfC,QAAQ;QACNC,KAAK;QACLV;QACAD,KAAKA,OAAO;MACd;MACAY,SAAS;QACPC,KAAKhB;QACLiB,KAAKjB;QACLkB,KAAKrB;QACLsB,SAAKC,6BAAAA;QACLC,KAAKC,KAAKC,MAAMC,KAAKC,IAAG,CAAA,IAAM,MAAO;QACrCC,KAAKJ,KAAKC,MAAMC,KAAKC,IAAG,CAAA,IAAM,MAAO;MACvC;IACF;AACA,UAAME,MAAM,MAAMC,yBAAyBC,QAAQ;MACjDjB;MACAkB,WAAW5B;MACX6B,SAASpC,KAAKoC,WAAWC,yCAAkBC;MAC3CC,MAAM;IACR,CAAA,EAAGC,MAAK;AACRzC,YAAQ0C,wBAAwB;AAChC1C,YAAQ2C,mBAAmBV,IAAIf;EACjC;AACF,GA9C8C;;;AEL9C,IAAA0B,yBAOO;AACP,yBAAsB;AAEf,SAASC,aAAaC,KAAW;AACtC,QAAMC,UAAU;AAChB,SAAOA,QAAQC,KAAKF,GAAAA;AACtB;AAHgBD;AAKhB,eAAsBI,yBAAyBC,KAAW;AACxD,QAAMC,aAASC,gDAAwBF,GAAAA;AACvC,QAAMG,qBAAqBC,mBAAmBH,OAAO,sBAAA,CAAuB;AAC5E,QAAMI,aAAaV,aAAaQ,kBAAAA,IAAsBC,mBAAmBD,kBAAAA,IAAsBA;AAC/F,QAAMG,WAAW,UAAMC,0BAAMF,UAAAA;AAE7B,MAAI,EAAEC,YAAYA,SAASE,UAAU,OAAOF,SAASE,SAAS,MAAM;AAClE,WAAOC,QAAQC,OAAO,wEAAwEJ,SAASE,MAAM,aAAaF,SAASK,UAAU,EAAE;EACjJ;AAEA,MAAIL,SAASM,QAAQC,IAAI,cAAA,GAAiBC,WAAW,kBAAA,MAAwB,OAAO;AAClF,WAAOL,QAAQC,OAAO,gFAAA;EACxB;AAEA,SAAO;IACLK,sBAAkBC,6CAAqB,MAAMV,SAASW,KAAI,CAAA;EAC5D;AACF;AAjBsBlB;AAmBf,SAASmB,sBAAsBC,SAAwCC,QAAgBC,SAAe;AAC3G,QAAMC,eAAWC,8DAAsCJ,QAAQJ,gBAAgB;AAC/E,QAAMS,SAASL,QAAQJ,kBAAkBS;AAEzC,SAAO;IACLJ;IACAC;IACA,GAAIC,YAAY;MAAEA;IAAS;IAC3B,GAAGH;IACH,GAAIK,QAAQC,oBAAoBC,gBAAgB;MAAEC,aAAaH,OAAOC,mBAAmBC;IAAa;IACtG,GAAIF,SAASI,6CAAAA,IAA0BC,4CAAAA,KAA0B;MAC/DC,mBAAmBN,OAAOI,6CAAAA,EAAwBC,4CAAAA;IACpD;IACA,GAAIV,QAAQJ,kBAAkBS,SAASI,6CAAAA,GAAyBG,WAAW;MACzEC,QAAQb,QAAQJ,iBAAiBS,OAAOI,6CAAAA,EAAwBG;IAClE;EACF;AACF;AAjBgBb;;;APnBhB,IAAMe,UAASC,0BAAQC,QAAQC,IAAI,2BAAA;AAE5B,IAAMC,wBAAN,MAAMA,uBAAAA;EAjBb,OAiBaA;;;;;;;;EAMX,aAAoBC,uCAClBC,iBACwC;AACxC,WAAOF,uBAAsBG,8CAA8CD,gBAAgBE,gBAAgB;EAC7G;;;;;EAMA,aAAoBD,8CAA8CE,SAAgF;AAChJ,UAAMC,aAASC,4DAAoCF,OAAAA;AACnD,QAAIC,QAAQ;AACV,aAAON,uBAAsBQ,oBAAoBF,MAAAA;IACnD;AACA,UAAM,IAAIG,MAAM,iFAAA;EAClB;;;;;;EAOA,aAAoBD,oBAAoBF,QAAgBI,MAA6E;AACnI,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC,0BAAmD;AACvD,QAAIC,wBAAkC;MAACX;;AACvC,UAAMY,kBAAkB,MAAMlB,uBAAsBmB,iCAAiCb,QAAQ;MAAEc,iBAAiB;IAAM,CAAA;AACtH,QAAIC,2BAA2BH,iBAAiBI;AAChD,QAAID,0BAA0B;AAC5BzB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA;EAAgDkB,KAAKC,UAAUJ,wBAAAA,CAAAA,EAA2B;AACjHT,4BAAsBS,yBAAyBT;AAC/CC,qCAA+BQ,yBAAyBR;AACxD,UAAIQ,yBAAyBV,gBAAgB;AAC3CA,yBAAiBU,yBAAyBV;MAC5C;AACAI,yCAAmCM,yBAAyBN;AAC5D,UAAIM,yBAAyBJ,uBAAuB;AAClDA,gCAAwBI,yBAAyBJ;MACnD;IACF;AAGA,QAAIS,WAAwD,MAAMC,kBAChEV,sBAAsB,CAAA,GACtBW,0CAAmBC,sBACnB;MACET,iBAAiB;IACnB,CAAA;AAEF,QAAIU,eAAeJ,SAASJ;AAC5B,QAAIQ,cAAc;AAChBlC,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,4DAAkE;AACzFU,gCAA0B;IAC5B,OAAO;AAGLU,iBAAW,MAAMC,kBAAkBV,sBAAsB,CAAA,GAAIW,0CAAmBG,UAAU;QAAEX,iBAAiB;MAAM,CAAA;AACnHU,qBAAeJ,SAASJ;IAC1B;AACA,QAAI,CAACQ,cAAc;AAEjB,UAAI,CAACb,sBAAsBe,SAAS1B,MAAAA,GAAS;AAC3C,cAAMG,MAAM,UAAUH,MAAAA,6CAAmDW,qBAAAA,4CAAiE;MAC5I;IACF,OAAO;AACL,UAAI,CAACD,yBAAyB;AAC5BA,kCAA0B;MAC5B;AACApB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,QAAcU,uBAAAA,yCAAgE;AACrG,UAAI,CAACc,aAAahB,wBAAwB;AACxCmB,gBAAQC,KACN,UAAU5B,MAAAA,YAAkBU,uBAAAA,4CAAmEF,sBAAAA,4CAAkE;MAErK,WAAWA,0BAA0BgB,aAAahB,2BAA2BA,wBAAwB;AACnG,cAAML,MACJ,6DAA6DK,sBAAAA,oCAA0DgB,aAAahB,sBAAsB,GAAG;MAEjK;AACAA,+BAAyBgB,aAAahB;AACtC,UAAIC,oCAAoCe,aAAaf,qCAAqCA,kCAAkC;AAC1H,cAAMN,MACJ,uEAAuEM,gCAAAA,oCAAoEe,aAAaf,gCAAgC,GAAG;MAE/L;AACAA,yCAAmCe,aAAaf;AAChD,UAAI,CAACe,aAAanB,gBAAgB;AAChC,cAAMF,MAAM,wBAAwBQ,qBAAAA,mCAAwD;MAC9F,WAAWN,kBAAkBmB,aAAanB,mBAAmBA,gBAAgB;AAC3E,cAAMF,MACJ,qDAAqDE,cAAAA,oCAAkDmB,aAAanB,cAAc,GAAG;MAEzI;AACAA,uBAAiBmB,aAAanB;AAC9B,UAAImB,aAAalB,qBAAqB;AACpC,YAAIA,uBAAuBkB,aAAalB,wBAAwBA,qBAAqB;AACnFhB,UAAAA,QAAO2B,MACL,0DAA0DX,mBAAAA,oCAAuDkB,aAAalB,mBAAmB,8BAA8B;QAEnL,OAAO;AACLA,gCAAsBkB,aAAalB;QACrC;MACF;AACA,UAAIkB,aAAajB,8BAA8B;AAC7C,YAAIA,gCAAgCiB,aAAajB,iCAAiCA,8BAA8B;AAC9GjB,UAAAA,QAAO2B,MACL,mEAAmEV,4BAAAA,oCAAgEiB,aAAajB,4BAA4B,8BAA8B;QAE9M,OAAO;AACLA,yCAA+BiB,aAAajB;QAC9C;MACF;IACF;AAEA,QAAI,CAACC,wBAAwB;AAC3BlB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,6EAAmF;IAC5G;AACA,QAAI,CAACK,gBAAgB;AACnBf,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,iEAAuE;AAC9F,UAAII,MAAMU,iBAAiB;AACzB,cAAMX,MAAM,2CAA2CH,MAAAA,EAAQ;MACjE,OAAO;AACLK,yBAAiB,GAAGL,MAAAA,GAASA,OAAO6B,SAAS,GAAA,IAAO,UAAU,QAAA;MAChE;IACF;AACA,QAAI,CAACvB,qBAAqB;AACxBhB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,sEAA4E;AACnG,UAAII,MAAMU,iBAAiB;AACzB,cAAMX,MAAM,gDAAgDH,MAAAA,EAAQ;MACtE,OAAO;AACLM,8BAAsB,GAAGN,MAAAA,GAASA,OAAO6B,SAAS,GAAA,IAAO,eAAe,aAAA;MAC1E;IACF;AAEA,QAAI,CAACd,4BAA4BS,cAAc;AAE7CT,iCAA2BS;IAC7B;AACAlC,IAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,mBAAyBK,cAAAA,yBAAuCC,mBAAAA,EAAqB;AAC5G,WAAO;MACLN;MACAK;MACAC;MACAC;MACAuB,sBAAsBnB,sBAAsB,CAAA;MAC5CH;MACAC;MACAC;MACAK;MACAgB,6BAA6BP;IAC/B;EACF;;;;;;;EAQA,aAAoBX,iCAClBmB,YACA5B,MAG4D;AAC5D,WAAOiB,kBAAkBW,YAAYV,0CAAmBW,mBAAmB;MACzEnB,iBAAiBV,MAAMU,oBAAoBoB,SAAY,OAAO9B,KAAKU;IACrE,CAAA;EACF;AACF;;;AQpMA,IAAAqB,wBAA2C;AAKpC,SAASC,qCAAqCC,UAA0C;AAC7F,MAAI,CAACA,SAASC,aAAaD,SAASC,UAAUC,UAAUC,kDAA4B;AAClF,WAAO;MAAEC,IAAI;IAAM;EACrB;AAEA,QAAMC,YAAYL,SAASM,aAAaC,QAAQC,IAAI,YAAA;AACpD,MAAI,CAACH,WAAW;AACd,UAAM,IAAII,MAAM,qCAAA;EAClB;AAEA,SAAO;IAAEL,IAAI;IAAMM,WAAWL;EAAU;AAC1C;AAXgBN;AAaT,SAASY,wCAAwCX,UAA0C;AAChG,MAAI,CAACA,SAASC,aAAaD,SAASM,aAAaM,WAAW,KAAK;AAC/D,WAAO;MAAER,IAAI;IAAM;EACrB;AAEA,QAAMS,wBAAwBb,SAASM,aAAaC,QAAQC,IAAI,kBAAA;AAChE,MAAI,CAACK,uBAAuBC,SAASX,gDAAAA,GAA6B;AAChE,WAAO;MAAEC,IAAI;IAAM;EACrB;AAEA,QAAMC,YAAYL,SAASM,aAAaC,QAAQC,IAAI,YAAA;AACpD,MAAI,CAACH,WAAW;AACd,UAAM,IAAII,MAAM,qCAAA;EAClB;AAEA,SAAO;IAAEL,IAAI;IAAMM,WAAWL;EAAU;AAC1C;AAhBgBM;;;ATaT,IAAMI,oBAAN,MAAMA,mBAAAA;EA/Bb,OA+BaA;;;EACX,MAAaC,mBAAmBC,MAAgG;AAC9H,UAAM,EAAEC,QAAQC,KAAKC,cAAcC,MAAMC,aAAaC,UAAUC,eAAc,IAAKP;AAEnF,UAAMQ,kBAAkBR,KAAKQ,kBAAkB,UAAMC,uDAA+BT,KAAKQ,eAAe,IAAIE;AAC5G,UAAMC,cAAgDH,mBAAmB,KAAKI,eAAeJ,gBAAgBK,gBAAgB;AAC7H,UAAMC,SACJd,KAAKe,qBACJP,sBAAkBQ,4DAAoCR,gBAAgBK,gBAAgB,IAAKP,UAAUQ;AACxG,QAAI,CAACA,QAAQ;AACX,YAAMG,MAAM,+BAAA;IACd;AACA,UAAMC,aAAa;MACjBJ;IACF;AAEA,WAAO,MAAM,KAAKK,+BAA+B;MAC/CC,oBAAoB,MAAM,KAAKC,yBAAyB;QACtDb;QACAP;QACAE;QACAC;QACAC;QACAH;QACAa,kBAAkBD;QAClBR;QACAgB,kBAAkBtB,KAAKsB;QACvBX;MACF,CAAA;MACAA;MACAL;MACAL;MACAiB;MACAX;IACF,CAAA;EACF;EAEA,MAAaY,+BAA+B,EAC1CC,oBACAT,aACAL,UACAL,QACAiB,YACAX,eAAc,GAQqD;AACnE,SAAKgB,SAASH,oBAAoBT,WAAAA;AAElC,UAAMa,kBAAkB1B,mBAAkB2B,kBAAkB;MAC1DxB;MACAiB;MACAZ,UAAUA,WACNA,WACAY,YAAYQ,gBACV,MAAMC,sBAAsBC,oBAAoBV,WAAWJ,QAAQ;QAAEe,iBAAiB;MAAM,CAAA,IAC5FnB;IACR,CAAA;AAEA,UAAMoB,UAAUvB,gBAAgBwB,iCAAiCxB,eAAewB,8BAA8BC,SAAS;AACvH,QAAIC,OAAOH,UAAU,UAAMI,sCAAWC,4CAAqB5B,gBAAgBiB,eAAAA,CAAAA,IAAoBd;AAE/F,QAAI0B,WAAW,MAAM,KAAKC,aAAab,iBAAiBJ,oBAAoBa,OAAO;MAAEK,SAAS;QAAEC,MAAMN;MAAK;IAAE,IAAIvB,MAAAA;AAEjH,QAAI8B,gBAAgBjC,gBAAgBkC,gBAAgBC;AACpD,UAAMC,iBAAiBC,qCAAqCR,QAAAA;AAC5D,QAAIO,eAAeE,MAAMtC,gBAAgB;AACvCA,qBAAekC,gBAAgBC,QAAQC,eAAeG;AAEtDb,aAAO,UAAMC,sCAAWC,4CAAqB5B,gBAAgBiB,eAAAA,CAAAA;AAC7DY,iBAAW,MAAM,KAAKC,aAAab,iBAAiBJ,oBAAoBa,OAAO;QAAEK,SAAS;UAAEC,MAAMN;QAAK;MAAE,IAAIvB,MAAAA;AAC7G,YAAMqC,mBAAmBX,SAASY,aAAaV,QAAQW,IAAI,YAAA;AAE3DT,sBAAgBO,oBAAoBJ,eAAeG;IACrD;AAEA,QAAIV,SAASc,eAAe3C,kBAAkB6B,SAASc,YAAYC,eAAe,QAAQ;AACxF,YAAM,IAAIlC,MAAM,2DAA2DmB,SAASc,YAAYC,UAAU;IAC5G;AAEA,WAAO;MACL,GAAGf;MACH,GAAII,iBAAiB;QAAEY,QAAQ;UAAEb,MAAM;YAAEO,WAAWN;UAAc;QAAE;MAAE;IACxE;EACF;EAEA,MAAanB,yBAAyBrB,MAAmF;AACvH,UAAM,EAAEC,QAAQC,KAAKC,cAAcC,MAAMC,YAAW,IAAKL;AAGzD,UAAMqD,yBAAyBrD,KAAKQ,kBAAkB,UAAM8C,wDAAgCtD,KAAKQ,eAAe,IAAIE;AACpH,UAAM6C,UAAuC;MAAE,GAAGvD,KAAKsB;IAAiB;AACxE,QAAIrB,QAAQuD,YAAYC,UAAU;AAChCF,cAAQG,YAAYzD,OAAOuD,WAAWC;IACxC;AACA,UAAM1C,mBAAmBf,KAAKe,oBAAoBsC,wBAAwBxC,kBAAkB8C,qBAAqB3D,KAAKM,UAAUQ;AAChI,UAAM8C,+BAA+BL,SAAS;MAAE,GAAGvD;MAAMe;IAAiB,CAAA;AAG1E,QAAI,CAACsC,0BAA0BA,uBAAuBQ,eAAeC,SAASC,qCAAcC,uBAAuB,GAAG;AACpHT,cAAQU,aAAaC,kCAAWC;AAChCZ,cAAQnD,OAAOA;AACfmD,cAAQa,eAAe/D;AAEvB,UAAIF,cAAc;AAChBoD,gBAAQc,gBAAgBlE;MAC1B;AAEA,aAAOoD;IACT;AAEA,QAAIF,wBAAwBQ,eAAeC,SAASC,qCAAcO,wBAAwB,GAAG;AAC3F,WAAKC,sBAAsBvE,KAAKW,aAAaT,GAAAA;AAC7CqD,cAAQiB,WAAWtE;AACnBqD,cAAQkB,UAAUvE;AAElBqD,cAAQU,aAAaC,kCAAWQ;AAEhCnB,cAAQoB,4CAAAA,IAAyBtB,wBAAwBxC,iBAAiB+D,SAASC,6CAAAA,IAA0BF,4CAAAA;AAE7G,aAAOpB;IACT;AAEA,UAAM,IAAItC,MAAM,wGAAA;EAClB;EAEQ6D,6BAA6BC,WAA6B;AAChE,QAAIb,kCAAWQ,wBAAwBK,WAAW;AAChD,YAAM,IAAI9D,MAAM,2EAAA;IAClB;EACF;EAEQ+D,6BAA6BD,WAA6B;AAChE,QAAIb,kCAAWC,uBAAuBY,WAAW;AAC/C,YAAM,IAAI9D,MAAM,yCAAA;IAClB;EACF;EAEQL,eAAeqE,gBAAqE;AAC1F,QAAI,CAACA,gBAAgB;AACnB,YAAM,IAAIhE,MAAMiE,0CAAmBC,eAAe;IACpD;AACA,UAAMrE,aAASE,4DAAoCiE,cAAAA;AAEnD,UAAMG,eAAeH,eAAeL,SAASC,6CAAAA;AAC7C,UAAMQ,gBAAgB,CAAC,EAAED,cAAcX,WAAW;AAElDa,QAAIC,QAAQ,2BAA2BzE,MAAAA,KAAWuE,aAAAA,EAAe;AACjE,WAAO;MACLG,QAAQJ,cAAcX;MACtBY;IACF;EACF;EAEQd,sBAAsBkB,SAAgCvF,KAAoB;AAChF,QAAIuF,WAAWA,QAAQJ,eAAe;AACpC,UAAIK;AAEJ,UAAID,QAAQD,QAAQ;AAClB,cAAM,EAAEG,YAAY3D,OAAM,IAAKyD,QAAQD;AAEvC,YAAIG,eAAe,WAAW;AAE5BD,kBAAQ1D,SAAS,IAAI4D,OAAO,UAAU5D,MAAAA,IAAU,IAAI;QACtD,WAAW2D,eAAe,QAAQ;AAEhCD,kBAAQ1D,SAAS,IAAI4D,OAAO,kBAAkB5D,MAAAA,IAAU,IAAI;QAC9D;MACF;AAGA0D,cAAQA,SAAS;AAEjB,UAAI,CAACxF,OAAO,CAACwF,MAAMG,KAAK3F,GAAAA,GAAM;AAC5BoF,YAAIC,QACF,sCAAsCE,SAASD,QAAQG,cAAc,cAAA,mBAAiCF,SAASD,QAAQxD,UAAU,eAAA,aAA4B;AAE/J,cAAM,IAAIf,MAAM,uFAAA;MAClB;IACF,WAAWf,KAAK;AACdoF,UAAIC,QAAQ,8BAAA;AACZ,YAAM,IAAItE,MAAM,gDAAA;IAClB;EACF;EAEQ6E,gCAAgC1E,oBAA8C;AACpF,QAAI,CAACA,mBAAmBuD,4CAAAA,GAAwB;AAC9CW,UAAIC,QAAQ,yDAAyDnE,kBAAAA;AACrE,YAAM,IAAIH,MAAM,+FAAA;IAClB;EACF;EAEQ8E,2BAA2B3E,oBAA8C;AAC/E,QAAI,CAACA,mBAAmBiD,eAAe;AACrCiB,UAAIC,QAAQ,mDAAmDnE,kBAAAA;AAC/D,YAAM,IAAIH,MAAM,6DAAA;IAClB;EACF;EAEQ+E,mBAAmB5E,oBAA8C;AACvE,QAAI,CAACA,mBAAmBhB,MAAM;AAC5BkF,UAAIC,QAAQ,wCAAA;AACZ,YAAM,IAAItE,MAAM,oDAAA;IAClB;EACF;EAEQM,SAASH,oBAAwCqE,SAAsC;AAC7F,QAAIrE,mBAAmB6C,eAAeC,kCAAWQ,qBAAqB;AACpE,WAAKI,6BAA6B1D,mBAAmB6C,UAAU;AAC/D,WAAK6B,gCAAgC1E,kBAAAA;AACrC,WAAKmD,sBAAsBkB,SAASrE,mBAAmBqD,WAAWrD,mBAAmBoD,QAAQ;IAC/F,WAAWpD,mBAAmB6C,eAAeC,kCAAWC,oBAAoB;AAC1E,WAAKa,6BAA6B5D,mBAAmB6C,UAAU;AAC/D,WAAK8B,2BAA2B3E,kBAAAA;AAChC,WAAK4E,mBAAmB5E,kBAAAA;IAC1B,OAAO;AACL,WAAK6E,sBAAqB;IAC5B;EACF;EAEA,MAAc5D,aACZb,iBACAJ,oBACApB,MACkE;AAClE,WAAO,UAAMkG,iCAAS1E,qBAAiB2E,yCAAiB/E,oBAAoB;MAAEgF,MAAMC,mCAAYC;IAAsB,CAAA,GAAI;MACxHC,eAAevG,MAAMsC,UAAUtC,KAAKsC,UAAU5B;IAChD,CAAA;EACF;EAEA,OAAce,kBAAkB,EAC9BxB,QACAiB,YACAZ,SAAQ,GAKC;AACT,QAAI,CAACL,UAAU,CAACK,UAAUkG,kBAAkB,CAACtF,YAAY;AACvD,YAAM,IAAID,MAAM,kGAAA;IAClB;AACA,QAAIwF;AACJ,QAAIxG,UAAUA,OAAOyG,IAAI;AACvBD,YAAM,KAAKE,qBAAqB1G,OAAOyG,IAAIzG,QAAQ2G,wBAAwB3G,OAAO4G,aAAa;IACjG,WAAWvG,UAAUkG,gBAAgB;AACnCC,YAAMnG,SAASkG;IACjB,OAAO;AACL,UAAI,CAACtF,YAAYJ,QAAQ;AACvB,cAAMG,MAAM,oGAAA;MACd;AACAwF,YAAM,KAAKE,qBAAqBzF,WAAWJ,QAAQb,QAAQ2G,wBAAwB1F,WAAW2F,aAAa;IAC7G;AAEA,QAAI,CAACJ,OAAO,CAACK,8BAAYC,SAASN,GAAAA,GAAM;AACtC,YAAM,IAAIxF,MAAM,wEAAA;IAClB;AACAqE,QAAI0B,MAAM,mCAAmCP,GAAAA,EAAK;AAClD,WAAOA;EACT;EAEA,OAAeE,qBAAqBF,KAAaG,wBAAkCC,eAAgC;AACjH,QAAID,2BAA2B,QAAQH,IAAIQ,WAAW,OAAA,GAAU;AAC9D,YAAMhG,MACJ,+CAA+CwF,GAAAA,mFAAsF;IAEzI;AACA,UAAMS,WAAWT,IAAIU,QAAQ,eAAe,EAAA,EAAIA,QAAQ,OAAO,EAAA;AAC/D,UAAMC,WAAWP,gBAAiBA,cAAcI,WAAW,GAAA,IAAOJ,gBAAgBA,cAAcQ,UAAU,CAAA,IAAM;AAChH,UAAMC,SAASb,IAAIc,MAAM,KAAA,EAAO,CAAA;AAChC,WAAO,GAAGD,SAASA,SAAS,QAAQ,UAAA,GAAaJ,QAAAA,GAAWE,QAAAA;EAC9D;EAEQnB,wBAA8B;AACpCX,QAAIC,QAAQ,4DAA4D;AACxE,UAAM,IAAItE,MAAM,oEAAA;EAClB;AACF;;;AUzTA,IAAAuG,wBAAuE;AACvE,IAAAC,0BAwBO;AACP,IAAAC,oBAAqC;AAMrC,IAAMC,UAASC,0BAAQC,QAAQC,IAAI,wBAAA;AAE5B,IAAMC,2BAAN,MAAMA,0BAAAA;EAlCb,OAkCaA;;;EACX,MAAaC,mBAAmBC,MAAgG;AAC9H,UAAM,EAAEC,QAAQC,KAAKC,cAAcC,MAAMC,aAAaC,UAAUC,eAAc,IAAKP;AAEnF,UAAMQ,kBAAkBR,KAAKQ,kBAAkB,UAAMC,wDAA+BT,KAAKQ,eAAe,IAAIE;AAC5G,UAAMC,gBAAgBH,mBAAmB,KAAKI,mBAAmBJ,gBAAgBK,gBAAgB;AACjG,UAAMC,SACJd,KAAKe,qBACJP,sBAAkBQ,6DAAoCR,gBAAgBK,gBAAgB,IAAKP,UAAUQ;AACxG,QAAI,CAACA,QAAQ;AACX,YAAMG,MAAM,+BAAA;IACd;AACA,UAAMC,aAAa;MACjBJ;IACF;AAEA,WAAO,MAAM,KAAKK,+BAA+B;MAC/CC,oBAAoB,MAAM,KAAKC,yBAAyB;QACtDb;QACAP;QACAE;QACAC;QACAC;QACAH;QACAa,kBAAkBD;QAClBR;QACAgB,kBAAkBtB,KAAKsB;QACvBC,aAAavB,KAAKuB;MACpB,CAAA;MACAZ;MACAL;MACAL;MACAiB;MACAX;IACF,CAAA;EACF;EAEA,MAAaY,+BAA+B,EAC1CC,oBACAT,eACAL,UACAL,QACAM,gBACAW,WAAU,GAQyD;AACnE,SAAKM,SAASJ,oBAAoBT,aAAAA;AAElC,UAAMc,kBAAkB3B,0BAAyB4B,kBAAkB;MACjEzB;MACAiB;MACAZ,UAAUA,WACNA,WACAY,YAAYS,gBACV,MAAMC,sBAAsBC,oBAAoBX,WAAWJ,QAAQ;QAAEgB,iBAAiB;MAAM,CAAA,IAC5FpB;IACR,CAAA;AAEA,UAAMqB,UAAUxB,gBAAgByB,iCAAiCzB,eAAeyB,8BAA8BC,SAAS;AACvH,QAAIC,OAAOH,UAAU,UAAMI,sCAAWC,4CAAqB7B,gBAAgBkB,eAAAA,CAAAA,IAAoBf;AAE/F,QAAI2B,WAAW,MAAM,KAAKC,aAAab,iBAAiBL,oBAAoBc,OAAO;MAAEK,SAAS;QAAEC,MAAMN;MAAK;IAAE,IAAIxB,MAAAA;AAEjH,QAAI+B,gBAAgBlC,gBAAgBmC,gBAAgBC;AACpD,UAAMC,iBAAiBC,qCAAqCR,QAAAA;AAC5D,QAAIO,eAAeE,MAAMvC,gBAAgB;AACvCA,qBAAemC,gBAAgBC,QAAQC,eAAeG;AAEtDb,aAAO,UAAMC,sCAAWC,4CAAqB7B,gBAAgBkB,eAAAA,CAAAA;AAC7DY,iBAAW,MAAM,KAAKC,aAAab,iBAAiBL,oBAAoBc,OAAO;QAAEK,SAAS;UAAEC,MAAMN;QAAK;MAAE,IAAIxB,MAAAA;AAC7G,YAAMsC,mBAAmBX,SAASY,aAAaV,QAAQ1C,IAAI,YAAA;AAE3D4C,sBAAgBO,oBAAoBJ,eAAeG;IACrD;AAEA,QAAIV,SAASa,eAAe3C,kBAAkB8B,SAASa,YAAYC,eAAe,QAAQ;AACxF,YAAM,IAAIlC,MAAM,2DAA2DoB,SAASa,YAAYC,UAAU;IAC5G;AAEA,WAAO;MACL,GAAGd;MACH,GAAII,iBAAiB;QAAEW,QAAQ;UAAEZ,MAAM;YAAEO,WAAWN;UAAc;QAAE;MAAE;IACxE;EACF;EAEA,MAAapB,yBAAyBrB,MAAmF;AACvH,UAAM,EAAEC,QAAQC,KAAKC,cAAcC,MAAMC,YAAW,IAAKL;AACzD,UAAMqD,yBAAyBrD,KAAKQ,kBAChC,UAAM8C,yDAAgCtD,KAAKQ,eAAe,IAC1DE;AACJ,UAAM6C,UAAuC;MAAE,GAAGvD,KAAKsB;IAAiB;AACxE,UAAMP,mBAAmBf,KAAKe,oBAAoBsC,wBAAwBxC,kBAAkB2C,qBAAqBxD,KAAKM,UAAUQ;AAEhI,QAAIb,QAAQwD,YAAYC,UAAU;AAChCH,cAAQI,YAAY1D,OAAOwD,WAAWC;IACxC;AACA,UAAME,+BAA+BL,SAAS;MAAE,GAAGvD;MAAM6D,SAASC,0CAAkBC;MAAYhD;IAAiB,CAAA;AAGjH,QAAI,CAACsC,0BAA0BA,uBAAuBW,eAAeC,SAASC,sCAAcC,uBAAuB,GAAG;AACpHZ,cAAQa,aAAaC,mCAAWC;AAChCf,cAAQnD,OAAOA;AACfmD,cAAQgB,eAAelE;AAEvB,UAAIF,cAAc;AAChBoD,gBAAQiB,gBAAgBrE;MAC1B;AAEA,aAAOoD;IACT;AAEA,QAAIF,wBAAwBW,eAAeC,SAASC,sCAAcO,wBAAwB,GAAG;AAC3F,WAAKC,iBAAiB,KAAK9D,mBAAmByC,uBAAuBxC,gBAAgB,GAAGX,GAAAA;AACxFqD,cAAQoB,WAAWzE;AAEnBqD,cAAQa,aAAaC,mCAAWO;AAEhCrB,cAAQsB,6CAAAA,IAAyBxB,wBAAwBxC,iBAAiBiE,SAASC,8CAAAA,IAA0BF,6CAAAA;AAE7G,aAAOtB;IACT;AACA,UAAM,IAAItC,MAAM,gHAAA;EAClB;EAEQ+D,6BAA6BC,WAA6B;AAChE,QAAIZ,mCAAWO,wBAAwBK,WAAW;AAChD,YAAM,IAAIhE,MAAM,2CAAA;IAClB;EACF;EAEQiE,6BAA6BD,WAA6B;AAChE,QAAIZ,mCAAWC,uBAAuBW,WAAW;AAC/C,YAAM,IAAIhE,MAAM,yCAAA;IAClB;EACF;EAEQL,mBAAmBuE,gBAAwD;AACjF,QAAIxE,gBAAgB;AACpB,QAAI,CAACwE,gBAAgB;AACnB,YAAM,IAAIlE,MAAMmE,2CAAmBC,eAAe;IACpD;AACA,UAAMvE,aAASE,6DAAoCmE,cAAAA;AACnD,QAAIA,eAAeL,SAASC,8CAAAA,GAAyB;AACnDpE,sBAAgBwE,eAAeL,OAAOC,8CAAAA,GAAyBO,qBAAqB;IACtF;AACA5F,IAAAA,QAAO6F,MAAM,2BAA2BzE,MAAAA,KAAWH,aAAAA,EAAe;AAClE,WAAOA;EACT;EAEQ+D,iBAAiB/D,eAAyBT,KAAoB;AACpE,QAAIS,eAAe;AACjB,UAAI,CAACT,OAAO,CAAC,YAAYsF,KAAKtF,GAAAA,GAAM;AAClCR,QAAAA,QAAO6F,MAAM,+BAA+B;AAC5C,cAAM,IAAItE,MAAM,yEAAA;MAClB;IACF,WAAWf,KAAK;AACdR,MAAAA,QAAO6F,MAAM,8BAA8B;AAC3C,YAAM,IAAItE,MAAM,iDAAA;IAClB;EACF;EAEQwE,gCAAgCrE,oBAA8C;AACpF,QAAI,CAACA,mBAAmByD,6CAAAA,GAAwB;AAC9CnF,MAAAA,QAAO6F,MAAM,uDAAuD;AACpE,YAAM,IAAItE,MAAM,+FAAA;IAClB;EACF;EAEQyE,2BAA2BtE,oBAA8C;AAC/E,QAAI,CAACA,mBAAmBoD,eAAe;AACrC9E,MAAAA,QAAO6F,MAAM,iDAAA;AACb,YAAM,IAAItE,MAAM,6DAAA;IAClB;EACF;EAEQ0E,mBAAmBvE,oBAA8C;AACvE,QAAI,CAACA,mBAAmBhB,MAAM;AAC5BV,MAAAA,QAAO6F,MAAM,wCAAA;AACb,YAAM,IAAItE,MAAM,oDAAA;IAClB;EACF;EAEQO,SAASJ,oBAAwCT,eAA+B;AACtF,QAAIS,mBAAmBgD,eAAeC,mCAAWO,qBAAqB;AACpE,WAAKI,6BAA6B5D,mBAAmBgD,UAAU;AAC/D,WAAKqB,gCAAgCrE,kBAAAA;AACrC,WAAKsD,iBAAiB/D,eAAeS,mBAAmBuD,QAAQ;IAClE,WAAWvD,mBAAmBgD,eAAeC,mCAAWC,oBAAoB;AAC1E,WAAKY,6BAA6B9D,mBAAmBgD,UAAU;AAC/D,WAAKsB,2BAA2BtE,kBAAAA;AAChC,WAAKuE,mBAAmBvE,kBAAAA;IAC1B,OAAO;AACL,WAAKwE,sBAAqB;IAC5B;EACF;EAEA,MAActD,aACZb,iBACAL,oBACApB,MAC8C;AAC9C,WAAO,UAAM6F,kCAASpE,qBAAiBqE,0CAAiB1E,oBAAoB;MAAE2E,MAAMC,oCAAYC;IAAsB,CAAA,GAAI;MACxHC,eAAelG,MAAMuC,UAAUvC,KAAKuC,UAAU7B;IAChD,CAAA;EACF;EAEA,OAAcgB,kBAAkB,EAC9BzB,QACAiB,YACAZ,SAAQ,GAKC;AACT,QAAI,CAACL,UAAU,CAACK,UAAU6F,kBAAkB,CAACjF,YAAY;AACvD,YAAM,IAAID,MAAM,kGAAA;IAClB;AACA,QAAImF;AACJ,QAAInG,UAAUA,OAAOoG,IAAI;AACvBD,YAAM,KAAKE,qBAAqBrG,OAAOoG,IAAIpG,QAAQsG,wBAAwBtG,OAAOuG,aAAa;IACjG,WAAWlG,UAAU6F,gBAAgB;AACnCC,YAAM9F,SAAS6F;IACjB,OAAO;AACL,UAAI,CAACjF,YAAYJ,QAAQ;AACvB,cAAMG,MAAM,oGAAA;MACd;AACAmF,YAAM,KAAKE,qBAAqBpF,WAAWJ,QAAQb,QAAQsG,wBAAwBrF,WAAWsF,aAAa;IAC7G;AAEA,QAAI,CAACJ,OAAO,CAACK,8BAAYC,SAASN,GAAAA,GAAM;AACtC,YAAM,IAAInF,MAAM,wEAAA;IAClB;AACAvB,IAAAA,QAAO6F,MAAM,mCAAmCa,GAAAA,EAAK;AACrD,WAAOA;EACT;EAEA,OAAeE,qBAAqBF,KAAaG,wBAAkCC,eAAgC;AACjH,QAAID,2BAA2B,QAAQH,IAAIO,WAAW,OAAA,GAAU;AAC9D,YAAM1F,MACJ,+CAA+CmF,GAAAA,mFAAsF;IAEzI;AACA,UAAMQ,WAAWR,IAAIS,QAAQ,eAAe,EAAA,EAAIA,QAAQ,OAAO,EAAA;AAC/D,UAAMC,WAAWN,gBAAiBA,cAAcG,WAAW,GAAA,IAAOH,gBAAgBA,cAAcO,UAAU,CAAA,IAAM;AAChH,UAAMC,SAASZ,IAAIa,MAAM,KAAA,EAAO,CAAA;AAChC,WAAO,GAAGD,SAASA,SAAS,QAAQ,UAAA,GAAaJ,QAAAA,GAAWE,QAAAA;EAC9D;EAEQlB,wBAA8B;AACpClG,IAAAA,QAAO6F,MAAM,4DAA4D;AACzE,UAAM,IAAItE,MAAM,oEAAA;EAClB;AACF;;;ACrSA,IAAAiG,0BA6BO;AACP,IAAAC,oBAAwB;;;AC9BxB,IAAAC,0BAgBO;AACP,IAAAC,oBAAwB;;;ACjBxB,IAAAC,0BAWO;AACP,IAAAC,oBAAwB;AAIxB,IAAMC,UAASC,0BAAQC,QAAQC,IAAI,2BAAA;AAE5B,IAAMC,wBAAN,MAAMA,uBAAAA;EAlBb,OAkBaA;;;;;;;;EAMX,aAAoBC,uCAClBC,iBACwC;AACxC,WAAOF,uBAAsBG,8CAA8CD,gBAAgBE,gBAAgB;EAC7G;;;;;EAMA,aAAoBD,8CAA8CE,SAAyE;AACzI,UAAMC,aAASC,6DAAoCF,OAAAA;AACnD,QAAIC,QAAQ;AACV,aAAON,uBAAsBQ,oBAAoBF,MAAAA;IACnD;AACA,UAAM,IAAIG,MAAM,iFAAA;EAClB;;;;;;EAOA,aAAoBD,oBAAoBF,QAAgBI,MAA6E;AACnI,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC,0BAAmD;AACvD,QAAIC,uBAA+BX;AACnC,UAAMY,kBAAkB,MAAMlB,uBAAsBmB,iCAAiCb,QAAQ;MAAEc,iBAAiB;IAAM,CAAA;AACtH,QAAIC,2BAA2BH,iBAAiBI;AAChD,QAAID,0BAA0B;AAC5BzB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA;EAAgDkB,KAAKC,UAAUJ,wBAAAA,CAAAA,EAA2B;AACjHT,4BAAsBS,yBAAyBT;AAC/CC,qCAA+BQ,yBAAyBR;AACxD,UAAIQ,yBAAyBV,gBAAgB;AAC3CA,yBAAiBU,yBAAyBV;MAC5C;AACAI,yCAAmCM,yBAAyBN;AAC5D,UAAIM,yBAAyBJ,sBAAsB;AACjDA,+BAAuBI,yBAAyBJ;MAClD;AACA,UAAII,yBAAyBP,wBAAwB;AACnDA,iCAAyBO,yBAAyBP;MACpD;IACF;AAEA,QAAIY,WAAwD,MAAMC,kBAChEV,sBACAW,2CAAmBC,sBACnB;MACET,iBAAiB;IACnB,CAAA;AAEF,QAAIU,eAAeJ,SAASJ;AAC5B,QAAIQ,cAAc;AAChBlC,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,4DAAkE;AACzFU,gCAA0B;IAC5B,OAAO;AAELU,iBAAW,MAAMC,kBAAkBV,sBAAsBW,2CAAmBG,UAAU;QAAEX,iBAAiB;MAAM,CAAA;AAC/GU,qBAAeJ,SAASJ;IAC1B;AACA,QAAI,CAACQ,cAAc;AAEjB,UAAIxB,WAAWW,sBAAsB;AACnC,cAAMR,MAAM,UAAUH,MAAAA,6CAAmDW,oBAAAA,4CAAgE;MAC3I;IACF,OAAO;AACL,UAAI,CAACD,yBAAyB;AAC5BA,kCAA0B;MAC5B;AACApB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,QAAcU,uBAAAA,yCAAgE;AACrG,UAAI,CAACc,aAAahB,wBAAwB;AACxCkB,gBAAQC,KACN,UAAU3B,MAAAA,YAAkBU,uBAAAA,4CAAmEF,sBAAAA,4CAAkE;MAErK,WAAWA,0BAA0BgB,aAAahB,2BAA2BA,wBAAwB;AACnG,cAAML,MACJ,6DAA6DK,sBAAAA,oCAA0DgB,aAAahB,sBAAsB,GAAG;MAEjK;AACAA,+BAAyBgB,aAAahB;AACtC,UAAIC,oCAAoCe,aAAaf,qCAAqCA,kCAAkC;AAC1H,cAAMN,MACJ,uEAAuEM,gCAAAA,oCAAoEe,aAAaf,gCAAgC,GAAG;MAE/L;AACAA,yCAAmCe,aAAaf;AAChD,UAAI,CAACe,aAAanB,gBAAgB;AAChC,cAAMF,MAAM,wBAAwBQ,oBAAAA,mCAAuD;MAC7F,WAAWN,kBAAkBmB,aAAanB,mBAAmBA,gBAAgB;AAC3E,cAAMF,MACJ,qDAAqDE,cAAAA,oCAAkDmB,aAAanB,cAAc,GAAG;MAEzI;AACAA,uBAAiBmB,aAAanB;AAC9B,UAAImB,aAAalB,qBAAqB;AACpC,YAAIA,uBAAuBkB,aAAalB,wBAAwBA,qBAAqB;AACnFhB,UAAAA,QAAO2B,MACL,0DAA0DX,mBAAAA,oCAAuDkB,aAAalB,mBAAmB,8BAA8B;QAEnL,OAAO;AACLA,gCAAsBkB,aAAalB;QACrC;MACF;AACA,UAAIkB,aAAajB,8BAA8B;AAC7C,YAAIA,gCAAgCiB,aAAajB,iCAAiCA,8BAA8B;AAC9GjB,UAAAA,QAAO2B,MACL,mEAAmEV,4BAAAA,oCAAgEiB,aAAajB,4BAA4B,8BAA8B;QAE9M,OAAO;AACLA,yCAA+BiB,aAAajB;QAC9C;MACF;IACF;AAEA,QAAI,CAACC,wBAAwB;AAC3BlB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,6EAAmF;IAC5G;AACA,QAAI,CAACK,gBAAgB;AACnBf,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,iEAAuE;AAC9F,UAAII,MAAMU,iBAAiB;AACzB,cAAMX,MAAM,2CAA2CH,MAAAA,EAAQ;MACjE,OAAO;AACLK,yBAAiB,GAAGL,MAAAA,GAASA,OAAO4B,SAAS,GAAA,IAAO,UAAU,QAAA;MAChE;IACF;AACA,QAAI,CAACtB,qBAAqB;AACxBhB,MAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,sEAA4E;AACnG,UAAII,MAAMU,iBAAiB;AACzB,cAAMX,MAAM,gDAAgDH,MAAAA,EAAQ;MACtE,OAAO;AACLM,8BAAsB,GAAGN,MAAAA,GAASA,OAAO4B,SAAS,GAAA,IAAO,eAAe,aAAA;MAC1E;IACF;AAEA,QAAI,CAACb,4BAA4BS,cAAc;AAE7CT,iCAA2BS;IAC7B;AACAlC,IAAAA,QAAO2B,MAAM,UAAUjB,MAAAA,mBAAyBK,cAAAA,yBAAuCC,mBAAAA,EAAqB;AAC5G,WAAO;MACLN;MACAK;MACAC;MACAC;MACAI;MACAH;MACAC;MACAC;MACAK;MACAc,6BAA6BL;IAC/B;EACF;;;;;;EAOA,aAAoBX,iCAClBiB,YACA1B,MAGsE;AACtE,WAAOiB,kBAAkBS,YAAYR,2CAAmBS,mBAAmB;MACzEjB,iBAAiBV,MAAMU,oBAAoBkB,SAAY,OAAO5B,KAAKU;IACrE,CAAA;EACF;AACF;;;AD9KA,IAAMmB,UAASC,0BAAQC,QAAQC,IAAI,2BAAA;AAE5B,IAAMC,iBAAN,MAAMA,gBAAAA;EAzBb,OAyBaA;;;;;;;;EAMX,aAAoBC,uCAClBC,iBACwE;AACxE,YAAIC,uDAA8BD,gBAAgBE,gBAAgB,KAAKC,0CAAkBC,YAAY;AACnG,aAAO,MAAMC,sBAAsBN,uCAAuCC,eAAAA;IAC5E,OAAO;AACL,aAAO,MAAMM,sBAAsBP,uCAAuCC,eAAAA;IAC5E;EACF;;;;;EAMA,aAAoBO,8CAClBC,SACwE;AACxE,UAAMC,aAASC,6DAAoCF,OAAAA;AACnD,QAAIC,QAAQ;AACV,cAAIR,uDAA8BO,OAAAA,KAAYL,0CAAkBC,YAAY;AAC1E,eAAOC,sBAAsBE,8CAA8CC,OAAAA;MAC7E,OAAO;AACL,eAAOF,sBAAsBC,8CAA8CC,OAAAA;MAC7E;IACF;AACA,UAAM,IAAIG,MAAM,iFAAA;EAClB;;;;;;EAOA,aAAoBC,oBAClBH,QACAI,MACwE;AACxE,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC;AACJ,QAAIC,0BAAmD;AACvD,QAAIC,wBAA8C;MAACX;;AACnD,QAAIY,uBAA2CC;AAC/C,UAAMC,kBAAkB,MAAMzB,gBAAe0B,iCAAiCf,QAAQ;MAAEgB,iBAAiB;IAAM,CAAA;AAC/G,QAAIC,2BAA2BH,iBAAiBI;AAChD,QAAID,0BAA0B;AAC5BhC,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA;EAAgDoB,KAAKC,UAAUJ,wBAAAA,CAAAA,EAA2B;AACjHX,4BAAsBW,yBAAyBX;AAC/CC,qCAA+BU,yBAAyBV,+BACnDU,yBAAyBV,+BAC1BM;AACJ,UAAII,yBAAyBZ,gBAAgB;AAC3CA,yBAAiBY,yBAAyBZ;MAC5C;AACAI,yCAAmCQ,yBAAyBR;AAC5D,UAAIQ,yBAAyBN,uBAAuB;AAClDA,gCAAwBM,yBAAyBN;MACnD,WAAWM,yBAAyBL,sBAAsB;AACxDA,+BAAuBK,yBAAyBL;AAChDD,gCAAwB;UAACC;;MAC3B;IACF;AAGA,QAAIU,WAAwD,MAAMC,kBAChEZ,sBAAsB,CAAA,GACtBa,2CAAmBC,sBACnB;MACET,iBAAiB;IACnB,CAAA;AAEF,QAAIU,eAAeJ,SAASJ;AAC5B,QAAIQ,cAAc;AAChBzC,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,4DAAkE;AACzFU,gCAA0B;IAC5B,OAAO;AAGLY,iBAAW,MAAMC,kBAAkBZ,sBAAsB,CAAA,GAAIa,2CAAmBG,UAAU;QAAEX,iBAAiB;MAAM,CAAA;AACnHU,qBAAeJ,SAASJ;IAC1B;AACA,QAAI,CAACQ,cAAc;AAEjB,UAAI,CAACf,sBAAsBiB,SAAS5B,MAAAA,GAAS;AAC3C,cAAME,MAAM,UAAUF,MAAAA,6CAAmDW,qBAAAA,4CAAiE;MAC5I;IACF,OAAO;AACL,UAAI,CAACD,yBAAyB;AAC5BA,kCAA0B;MAC5B;AACAzB,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,QAAcU,uBAAAA,yCAAgE;AACrG,UAAI,CAACgB,aAAalB,wBAAwB;AACxCqB,gBAAQC,KACN,UAAU9B,MAAAA,YAAkBU,uBAAAA,4CAAmEF,sBAAAA,4CAAkE;MAErK,WAAWA,0BAA0BkB,aAAalB,2BAA2BA,wBAAwB;AACnG,cAAMN,MACJ,6DAA6DM,sBAAAA,oCAA0DkB,aAAalB,sBAAsB,GAAG;MAEjK;AACAA,+BAAyBkB,aAAalB;AACtC,UAAIC,oCAAoCiB,aAAajB,qCAAqCA,kCAAkC;AAC1H,cAAMP,MACJ,uEAAuEO,gCAAAA,oCAAoEiB,aAAajB,gCAAgC,GAAG;MAE/L;AACAA,yCAAmCiB,aAAajB;AAChD,UAAI,CAACiB,aAAarB,gBAAgB;AAChC,cAAMH,MAAM,wBAAwBS,qBAAAA,mCAAwD;MAC9F,WAAWN,kBAAkBqB,aAAarB,mBAAmBA,gBAAgB;AAC3E,cAAMH,MACJ,qDAAqDG,cAAAA,oCAAkDqB,aAAarB,cAAc,GAAG;MAEzI;AACAA,uBAAiBqB,aAAarB;AAC9B,UAAIqB,aAAapB,qBAAqB;AACpC,YAAIA,uBAAuBoB,aAAapB,wBAAwBA,qBAAqB;AACnFrB,UAAAA,QAAOkC,MACL,0DAA0Db,mBAAAA,oCAAuDoB,aAAapB,mBAAmB,8BAA8B;QAEnL,OAAO;AACLA,gCAAsBoB,aAAapB;QACrC;MACF;AACA,UAAIoB,aAAanB,8BAA8B;AAC7C,YAAIA,gCAAgCmB,aAAanB,iCAAiCA,8BAA8B;AAC9GtB,UAAAA,QAAOkC,MACL,mEAAmEZ,4BAAAA,oCAAgEmB,aAAanB,4BAA4B,8BAA8B;QAE9M,OAAO;AACLA,yCAA+BmB,aAAanB;QAC9C;MACF;IACF;AAEA,QAAI,CAACC,wBAAwB;AAC3BvB,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,6EAAmF;IAC5G;AACA,QAAI,CAACK,gBAAgB;AACnBpB,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,iEAAuE;AAC9F,UAAII,MAAMY,iBAAiB;AACzB,cAAMd,MAAM,2CAA2CF,MAAAA,EAAQ;MACjE,OAAO;AACLK,yBAAiB,GAAGL,MAAAA,GAASA,OAAO+B,SAAS,GAAA,IAAO,UAAU,QAAA;MAChE;IACF;AACA,QAAI,CAACzB,qBAAqB;AACxBrB,MAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,sEAA4E;AACnG,UAAII,MAAMY,iBAAiB;AACzB,cAAMd,MAAM,gDAAgDF,MAAAA,EAAQ;MACtE,OAAO;AACLM,8BAAsB,GAAGN,MAAAA,GAASA,OAAO+B,SAAS,GAAA,IAAO,eAAe,aAAA;MAC1E;IACF;AAEA,QAAI,CAACd,4BAA4BS,cAAc;AAE7CT,iCAA2BL,uBACtBc,eACAA;IACP;AACAzC,IAAAA,QAAOkC,MAAM,UAAUnB,MAAAA,mBAAyBK,cAAAA,yBAAuCC,mBAAAA,EAAqB;AAE5G,WAAO;MACLN;MACAK;MACAC;MACAC;MACA,GAAIK,uBAAuB;QAAEA;MAAqB,IAAI;QAAED;MAA6C;MACrGH;MACAC;MACAC;MACAO,0BAA0BL,uBACrBK,2BACAA;MACLe,6BAA6BN;IAC/B;EACF;;;;;;;EAQA,aAAoBX,iCAClBkB,YACA7B,MAQA;AACA,WAAOmB,kBAAkBU,YAAYT,2CAAmBU,mBAAmB;MACzElB,iBAAiBZ,MAAMY,oBAAoBH,SAAY,OAAOT,KAAKY;IACrE,CAAA;EACF;AACF;;;ADtMA,IAAMmB,UAASC,0BAAQC,QAAQC,IAAI,kBAAA;AAEnC,eAAsBC,kCAAkCC,eAAoCC,MAA0C;AACpI,MAAIA,KAAKC,sBAAsBC,gDAAwBC,aAAa;AAClE,UAAMC,MAAM,uBAAuBJ,KAAKC,iBAAiB,uBAAuB;EAClF,WAAWD,KAAKC,sBAAsBC,gDAAwBG,gBAAgB;AAC5E,QAAI,OAAOL,KAAKM,eAAeC,iBAAiB,YAAY;AAC1D,YAAMH,MAAM,gFAAgFJ,KAAKC,iBAAiB,EAAE;IACtH,WAAW,CAACD,KAAKQ,KAAK;AACpB,YAAMJ,MAAM,uDAAuDJ,KAAKC,iBAAiB,EAAE;IAC7F;AACA,QAAIQ;AACJ,QAAIT,KAAKU,kBAAkBV,KAAKW,SAAS;AACvCF,wBAAkBT,KAAKU,kBAAkB,CAAC;AAC1C,UAAIV,KAAKW,SAAS;AAChBF,wBAAgB,UAAA,IAAcT,KAAKW;MACrC;IACF;AACA,QAAIC,wBAAwBb,cAAc,uBAAA;AAC1C,QAAI,OAAOa,0BAA0B,UAAU;AAC7CA,8BAAwBC,KAAKC,MAAMf,cAAca,qBAAqB;IACxE;AACA,QAAI,CAACb,cAAcgB,OAAOf,KAAKe,KAAK;AAClChB,oBAAcgB,MAAMf,KAAKe;IAC3B;AACA,UAAMC,MAAMjB,cAAciB,OAAOhB,KAAKgB,OAAOjB,cAAckB;AAE3D,UAAMC,MAAW;MACfC,QAAQ;QAAEC,KAAK;QAASZ,KAAKR,KAAKQ;QAAKa,KAAK;MAAM;MAClDC,SAAS;QAAE,GAAGvB;QAAeiB;QAAKJ;QAAuB,GAAIH,mBAAmB;UAAEA;QAAgB;MAAG;IACvG;AACA,UAAMc,MAAM,MAAMC,yBAAyBC,QAAQ;MACjDP;MACAQ,WAAW1B,KAAKM;MAChBqB,SAASC,0CAAkBC;MAC3BC,MAAM;IACR,CAAA,EAAGC,MAAK;AACRhC,kBAAc,SAAA,IAAawB,IAAIL;EACjC;AACF;AArCsBpB;AAuCtB,SAASkC,2BACPC,iBACAC,sBAA8E;AAE9E,MAAI,CAACD,gBAAgBE,gCAAgC,CAACD,sBAAsB;AAC1E,WAAO,CAAA;EACT;AACA,SAAOE,OAAOC,QAAQH,oBAAAA,EACnBI,OAAO,CAACC,UAAUN,gBAAgBE,8BAA8BK,SAASD,MAAM,CAAA,CAAE,CAAA,EACjFE,IAAI,CAACF,UAAAA;AACJ,WAAO;MAAE,GAAGA,MAAM,CAAA;MAAIG,kBAAkBH,MAAM,CAAA;IAAG;EACnD,CAAA;AACJ;AAZSP;AAcF,IAAMW,gCAAgC,8BAAO,EAClDC,MACAC,kBACAC,sBACAb,iBACAc,kCACAC,UACArB,QAAO,MASR;AACC,WAASsB,2BAA2BC,KAAQ;AAC1C,UAAMC,SAAS;MAAE,GAAGD;IAAI;AACxB,eAAWE,QAAQD,QAAQ;AACzB,UAAI;QAAC;QAAW;QAAcX,SAASY,IAAAA,GAAO;AAC5C,eAAOD,OAAOC,IAAAA;MAChB,WAAW,OAAOD,OAAOC,IAAAA,MAAU,UAAU;AAC3CD,eAAOC,IAAAA,IAAQH,2BAA2BE,OAAOC,IAAAA,CAAK;MACxD;IACF;AAEA,WAAOD;EACT;AAXSF;AAaT,QAAM,EAAEI,aAAaC,oBAAoB;IAAErD,mBAAmBC,gDAAwBqD;EAAK,EAAC,IAAKT;AACjG,QAAM7B,YAAY+B,YAAYF,qBAAqBE;AAGnD,QAAMQ,wBAAwBX,iBAAiBY,+BAA+BZ,iBAAiBa;AAE/F,MAAI,EAAEC,qBAAoB,IAAKb;AAC/B,QAAMc,UAAUJ,uBAAuBK,wCACnCC,gCAAQC,UACPjB,qBAAqBc,YAAY3C,YAAY6C,gCAAQE,OAAOF,gCAAQG;AAGzE,MAAI,CAACnB,qBAAqBoB,SAAS,CAACP,sBAAsB;AACxD,QAAI,CAAC1B,iBAAiB;AACpB,YAAM7B,MAAM,mFAAA;IACd;AACA,QAAI,iBAAiB6B,gBAAgBkC,kBAAkB;AACrD,YAAM,IAAI/D,MAAM,kCAAA;IAClB;AACA,UAAMgE,MAAMzC,eAAW0C,uDAA8BpC,gBAAgBkC,gBAAgB,KAAKvC,0CAAkB0C;AAC5G,UAAMC,QACJH,QAAQxC,0CAAkB0C,aACtBtC,2BAA2BC,gBAAgBkC,kBAAmDpB,gCAAAA,IAC9F,CAAA;AAENY,2BAAuBY,MAAMC,QAAQ,CAACC,SAAAA;AACpC,YAAMC,YAAY;QAACzC,iBAAiBkC,iBAAiBQ,qBAAqB9B,iBAAiB+B;;AAG3F,YAAMC,8BAAkDJ,KAAK/B;AAC7D,YAAMoC,SAASD,8BAA8BE,SAAYN,KAAKK;AAE9D,UAAI,CAACD,+BAA+B,CAACJ,KAAKK,QAAQ;AAChD,cAAM1E,MAAM,6CAAA;MACd;AAGA,YAAM4E,MAAMP,KAAKK,WAAW,cAAcL,KAAKO,MAAMD;AACrD,YAAME,UAAUR,KAAKK,WAAW,aAAaL,KAAKQ,UAAUF;AAG5D,UAAIG,wBACFH;AACF,cAAII,kDAAyBV,IAAAA,GAAO;AAClCS,gCAAwB;UACtB,GAAGT,KAAKS;;;UAGRE,MAAMN,SAASL,KAAKS,sBAAsBE,OAAOL;UACjDM,mBAAmBZ,KAAKS,sBAAsBG,oBAC1CpC,2BAA2BwB,KAAKS,sBAAsBG,iBAAiB,IACvEN;QACN;MACF;AAEA,aAAO;QACLK,MAAM;QACNV;QACA,GAAIQ,yBAAyB;UAAEA;QAAsB;QACrD,GAAIL,+BAA+B;UAAEA;QAA4B;QACjE,GAAIC,UAAU;UAAEA;QAAO;QACvB,GAAIE,OAAO;UAAEA;UAAKM,QAAQb,KAAKa,SAASrC,2BAA2BwB,KAAKa,MAAM,IAAIP;QAAU;QAC5F,GAAIE,WAAW;UAAEA;UAASK,QAAQb,KAAKa,SAASrC,2BAA2BwB,KAAKa,MAAM,IAAIP;QAAU;MACtG;IACF,CAAA;AACA,QAAI,CAACpB,wBAAwBA,qBAAqB4B,WAAW,GAAG;AAC9D,YAAMnF,MAAM,+FAA+F;IAC7G;EACF;AACA,MAAI,CAACyC,kBAAkB2C,wBAAwB;AAC7C,UAAMpF,MAAM,yDAAA;EACd;AACA,QAAMqF,cAAcjC,uBAAuBkC;AAE3C,MAAIC,WAA8D;IAChEC,eAAeC,qCAAaC;IAC5B,GAAI,CAAClD,KAAKmD,YAAY;MACpBC,uBAAuBpD,KAAKqD,uBAAuBC,4CAAoBC;MACvEC,gBAAgBxD,KAAKyD;IACvB;IACAzF,uBAAuBC,KAAKyF,UAAUC,2BAA2B1D,kBAAkBc,oBAAAA,CAAAA;IACnF,GAAIN,eAAe;MAAEmD,cAAcnD;IAAY;IAC/C,GAAIpC,aAAa;MAAEA;IAAU;IAE7B,GAAIgB,iBAAiBwE,eAAe;MAClCC,cAAczE,gBAAgBwE;IAChC;IACAvC,OAAOpB,qBAAqBoB;EAC9B;AAEA,MAAIjC,iBAAiBwE,aAAa;AAEhCd,aAASgB,QAAQ1E,iBAAiBwE;EACpC;AAEA,MAAI,CAAChB,eAAe7B,YAAYE,gCAAQC,SAAS;AAC/C,UAAM3D,MAAM,2EAA2E;EACzF,WAAWqF,eAAe7B,YAAYE,gCAAQG,OAAO;AACnDvE,IAAAA,QAAOkH,MAAM,2BAA2BnB,WAAAA,EAAa;AAErD,UAAMoB,cAAc,UAAMC,kCACxBrB,iBACAsB,0CAAiBpB,UAAU;MACzB7D,MAAMkF,oCAAYC;MAClBC,mBAAmB;QAAC;QAAa;QAAe;QAAgB;QAAS;QAAyB;QAAgB;;IACpH,CAAA,GACA;MAAEC,aAAa;MAAqCC,QAAQ;IAAmB,CAAA;AAEjF,QAAIP,YAAYQ,aAAa,CAACR,YAAYS,aAAa;AACrD,UAAI1D,YAAYE,gCAAQC,SAAS;AAC/B,cAAM3D,MAAM,cAAcyG,YAAYU,aAAaC,UAAU,EAAE;MACjE;AAEA9H,MAAAA,QAAOkH,MAAM,yDAAyD/F,KAAKyF,UAAUO,YAAYQ,SAAS,CAAA;IAC5G,OAAO;AACL3H,MAAAA,QAAOkH,MAAM,iBAAiB/F,KAAKyF,UAAUO,YAAYS,aAAa,MAAM,CAAA,CAAA,EAAI;AAChF3B,iBAAW;QAA6C1E;QAAWwG,aAAaZ,YAAYS,YAAYG;MAAY;IACtH;EACF;AACA,QAAM3H,kCAAkC6F,UAAU;IAAE,GAAGrC;IAAmBvC,KAAK8B,iBAAiB6E;EAAqB,CAAA;AAErHhI,EAAAA,QAAOkH,MAAM,2CAA2C/F,KAAKyF,UAAUX,UAAU,MAAM,CAAA,CAAA;AACvF,QAAMgC,UAAMZ,0CAAiBpB,UAAU;IACrCiC,SAAS/E,iBAAiB2C;IAC1B0B,mBAAmB;MAAC;MAAa;MAAe;MAAgB;MAAS;MAAyB;MAAgB;;;IAElHpF,MAAMkF,oCAAYC;EAEpB,CAAA;AACAvH,EAAAA,QAAOkH,MAAM,8BAA8Be,GAAAA,EAAK;AAChD,SAAOA;AACT,GAjK6C;AAmK7C,IAAMpB,6BAA6B,wBACjC1D,kBACAc,yBAAAA;AAEA,MAAIA,sBAAsB;AACxB,QAAI,OAAOA,yBAAyB,UAAU;AAE5C,aAAOA;IACT;AACA,QAAIkE,MAAMC,QAAQnE,oBAAAA,GAAuB;AACvC,aAAOA,qBACJrB,OAAO,CAACyF,UAAU,OAAOA,UAAU,QAAA,EACnCtF,IAAI,CAACsF,UAAUC,gBAAgBnF,kBAAkB,OAAOkF,UAAU,WAAWA,QAAQ;QAAE,GAAGA;MAAM,CAAA,CAAA;IACrG,OAAO;AACL,aAAOC,gBAAgBnF,kBAAkB;QAAE,GAAGc;MAAqB,CAAA;IACrE;EACF;AACA,SAAOA;AACT,GAlBmC;AAoBnC,IAAMqE,kBAAkB,wBAACnF,kBAAiDc,yBAAAA;AACxE,MAAI,OAAOA,yBAAyB,UAAU;AAE5C,WAAOA;EACT;AACA,MAAIA,yBAAyBd,iBAAiBa,0BAA0BgE,wBAAwB7E,iBAAiB2C,yBAAyB;AACxI,QAAI7B,qBAAqBe,WAAW;AAClC,UAAImD,MAAMC,QAAQnE,qBAAqBe,SAAS,GAAG;AACjDf,6BAAqBe,UAAUuD,KAAKpF,iBAAiB+B,MAAM;MAC7D,OAAO;AACLjB,6BAAqBe,YAAY;UAACf,qBAAqBe;UAAqB7B,iBAAiB+B;;MAC/F;IACF,OAAO;AACLjB,2BAAqBe,YAAY;QAAC7B,iBAAiB+B;;IACrD;EACF;AACA,SAAOjB;AACT,GAjBwB;AAmBjB,IAAMuE,wCAAwC,8BACnDlI,SAAAA;AAEA,QAAM,EAAEmI,SAAQ,IAAKnI;AAErB,QAAM4E,SAAS5E,KAAKoI,oBAAqBpI,MAAMmI,UAAUvD;AACzD,MAAI,CAACA,QAAQ;AACX,UAAMxE,MAAM,+BAAA;EACd;AAEA,QAAMiI,aAAa;IACjBzD;EACF;AAEA,SAAO,MAAM0D,kDAAkD;IAC7DC,+BAA+B,MAAMC,oCAAoCxI,IAAAA;IACzEmI;IACAE;EACF,CAAA;AACF,GAnBqD;AAqB9C,IAAMC,oDAAoD,8BAAOtI,SAAAA;AAKtE,QAAM,EAAEuI,+BAA+BF,WAAU,IAAKrI;AACtD,QAAMmI,WAAWnI,MAAMmI,WACnBnI,MAAMmI,WACNE,YAAYI,gBACV,MAAMC,eAAeC,oBAAoBN,WAAWzD,QAAQ;IAAEgE,iBAAiB;EAAM,CAAA,IACrF7D;AACN,QAAM8D,gCAAgCV,UAAUW;AAEhD,MAAI,CAACD,+BAA+B;AAClC,WAAOE,QAAQC,OAAO5I,MAAM,uDAAA,CAAA;EAC9B;AAEA,QAAM6I,WAAW,MAAMC,kCAAkCL,+BAA+BN,6BAAAA;AAExF,SAAOU;AACT,GApBiE;AAsB1D,IAAMT,sCAAsC,8BAAOxI,SAAAA;AACxD,QAAM,EAAEgD,UAAUyD,aAAa0C,aAAajF,OAAOmC,eAAeJ,qBAAqBmD,kCAAiC,IAAKpJ;AAE7H,QAAMqJ,UAA+C;IACnDpI,WAAW+B;IACX0D,cAAcD;IACd6C,cAAcH;IACdjF;IACAkC,gBAAgBC;IAChBL,uBAAuBC;IACvBsD,sCAAsCH;EACxC;AAEA,SAAOC;AACT,GAdmD;AAgB5C,IAAMH,oCAAoC,8BAC/CL,+BACAN,+BACAvI,SAAAA;AAEA,SAAO,UAAM8G,kCAAS+B,mCAA+B9B,0CAAiBwB,+BAA+B;IAAEzG,MAAMkF,oCAAYC;EAAsB,CAAA,GAAI;IACjJuC,eAAexJ,MAAMyJ,UAAUzJ,KAAKyJ,UAAU1E;EAChD,CAAA;AACF,GARiD;;;AG/VjD,IAAA2E,0BAiBO;AACP,IAAAC,oBAAwB;AAIxB,IAAMC,UAASC,0BAAQC,QAAQC,IAAI,kBAAA;AAE5B,IAAMC,uCAAuC,8BAAO,EACzDC,MACAC,kBACAC,sBACAC,iBACAC,qBAAoB,MAOrB;AACC,QAAM,EAAEC,aAAaC,UAAUC,oBAAoB;IAAEC,mBAAmBC,gDAAwBC;EAAK,EAAC,IAAKR;AAC3G,MAAI,EAAES,OAAOC,qBAAoB,IAAKV;AAEtC,QAAMW,UAAUZ,kBAAkBa,0BAA0BC,wCACxDC,gCAAQC,UACPf,qBAAqBW,WAAWG,gCAAQE;AAG7C,MAAI,CAACP,SAAS,CAACC,sBAAsB;AACnC,QAAI,CAACT,iBAAiB;AACpB,YAAMgB,MAAM,mFAAA;IACd;AACA,UAAMC,QAAoDjB,gBAAgBkB,iBAAmDC;AAK7HV,2BAAuBQ,MACpBG,QAAQ,CAACC,SAAU,OAAOA,SAAS,WAAWpB,uBAAwBoB,IAAAA,EACtEC,OAAO,CAACD,SAAS,CAAC,CAACA,IAAAA,EACnBE,IAAI,CAACF,SAAAA;AACJ,aAAO;QACL,GAAGA;QACHG,MAAM;QACNC,WAAW;UAAC3B,iBAAiB4B;;;;QAI7BC,QAAQN,KAAMM;MAChB;IACF,CAAA;AACF,QAAI,CAAClB,wBAAyBmB,MAAMC,QAAQpB,oBAAAA,KAAyBA,qBAAqBqB,WAAW,GAAI;AACvG,YAAMd,MAAM,+FAA+F;IAC7G;EACF;AACA,MAAI,CAAClB,kBAAkBiC,wBAAwB;AAC7C,UAAMf,MAAM,yDAAA;EACd;AACA,QAAMgB,cAAclC,iBAAiBa,0BAA0BsB;AAG/D,MAAI,CAACzB,OAAO0B,SAAS,QAAA,GAAW;AAC9B1B,YAAQ;MAAC;MAAUA;MAAOc,OAAO,CAACa,MAAM,CAAC,CAACA,CAAAA,EAAGC,KAAK,GAAA;EACpD;AAEA,MAAIC,WAAoE;IACtEC,eAAeC,qCAAaC;IAC5B,GAAI,CAAC3C,KAAK4C,YAAY;MACpBC,uBAAuB7C,KAAK8C,uBAAuBC,4CAAoBC;MACvEC,gBAAgBjD,KAAKkD;IACvB;IACAC,uBAAuBC,KAAKC,UAAUC,kCAAkCrD,kBAAkBW,oBAAAA,CAAAA;IAC1F,GAAIP,eAAe;MAAEkD,cAAclD;IAAY;IAC/C,GAAIC,YAAY;MAAEkD,WAAWlD;IAAS;IACtC,GAAIH,iBAAiBsD,eAAe;MAAEC,cAAcvD,gBAAgBsD;IAAY;IAChF9C;EACF;AAEA,MAAI,CAACwB,eAAetB,YAAYG,gCAAQC,SAAS;AAC/C,UAAME,MAAM,2EAA2E;EACzF,WAAWgB,eAAetB,YAAYG,gCAAQ2C,OAAO;AACnDhE,IAAAA,QAAOiE,MAAM,2BAA2BzB,WAAAA,EAAa;AACrD,UAAM0B,cAAc,UAAMC,kCACxB3B,iBACA4B,0CAAiBvB,UAAU;MACzBwB,MAAMC,oCAAYC;MAClBC,mBAAmB;QAAC;QAAa;QAAe;QAAgB;QAAS;QAAyB;;IACpG,CAAA,GACA;MAAEC,aAAa;MAAqCC,QAAQ;IAAmB,CAAA;AAEjF,QAAIR,YAAYS,aAAa,CAACT,YAAYU,aAAa;AACrDC,cAAQC,IAAIrB,KAAKC,UAAUQ,YAAYS,SAAS,CAAA;AAChDE,cAAQC,IAAI,uDAAA;AACZ,UAAI5D,YAAYG,gCAAQC,SAAS;AAC/B,cAAME,MAAM,cAAc0C,YAAYa,aAAaC,UAAU,EAAE;MACjE;IACF,OAAO;AACLhF,MAAAA,QAAOiE,MAAM,iBAAiBR,KAAKC,UAAUQ,YAAYU,aAAa,MAAM,CAAA,CAAA,EAAI;AAChF/B,iBAAW;QAAEoC,aAAaf,YAAYU,YAAYK;MAAY;IAChE;EACF;AACA,QAAMC,kCAAkCrC,UAAU;IAAE,GAAGjC;IAAmBuE,KAAK7E,iBAAiB8E;EAAqB,CAAA;AAErHpF,EAAAA,QAAOiE,MAAM,2CAA2CR,KAAKC,UAAUb,UAAU,MAAM,CAAA,CAAA;AACvF,QAAMwC,UAAMjB,0CAAiBvB,UAAU;IACrCyC,SAAShF,iBAAiBiC;IAC1BiC,mBAAmB;MAAC;MAAa;MAAe;MAAgB;MAAS;MAAyB;;;IAElGH,MAAMC,oCAAYC;EAEpB,CAAA;AACAvE,EAAAA,QAAOiE,MAAM,8BAA8BoB,GAAAA,EAAK;AAChD,SAAOA;AACT,GA1GoD;AA4GpD,IAAM1B,oCAAoC,wBACxCrD,kBACAW,yBAAAA;AAEA,MAAIA,sBAAsB;AACxB,QAAI,OAAOA,yBAAyB,UAAU;AAE5C,aAAOA;IACT;AACA,QAAImB,MAAMC,QAAQpB,oBAAAA,GAAuB;AACvC,aAAOA,qBACJa,OAAO,CAACyD,UAAU,OAAOA,UAAU,QAAA,EACnCxD,IAAI,CAACwD,UAAUC,iBAAgBlF,kBAAkB,OAAOiF,UAAU,WAAWA,QAAQ;QAAE,GAAGA;MAAM,CAAA,CAAA;IACrG,OAAO;AACL,aAAOC,iBAAgBlF,kBAAkB;QAAE,GAAGW;MAAqB,CAAA;IACrE;EACF;AACA,SAAOA;AACT,GAlB0C;AAoB1C,IAAMuE,mBAAkB,wBAAClF,kBAAiDW,yBAAAA;AACxE,MAAI,OAAOA,yBAAyB,UAAU;AAE5C,WAAOA;EACT;AACA,MAAIA,yBAAyBX,iBAAiBa,0BAA0BiE,wBAAwB9E,iBAAiBiC,yBAAyB;AACxI,QAAItB,qBAAqBgB,WAAW;AAClC,UAAIG,MAAMC,QAAQpB,qBAAqBgB,SAAS,GAAG;AACjDhB,6BAAqBgB,UAAUwD,KAAKnF,iBAAiB4B,MAAM;MAC7D,OAAO;AACLjB,6BAAqBgB,YAAY;UAAChB,qBAAqBgB;UAAqB3B,iBAAiB4B;;MAC/F;IACF,OAAO;AACLjB,2BAAqBgB,YAAY;QAAC3B,iBAAiB4B;;IACrD;EACF;AACA,SAAOjB;AACT,GAjBwB;;;ACxJxB,IAAAyE,wBAAuE;AACvE,IAAAC,0BAkBO;AACP,IAAAC,qBAA0C;AAO1C,IAAMC,UAASC,2BAAQC,QAAQC,IAAI,6BAAA;AA2BnC,eAAsBC,WACpBC,YACAC,MAGC;AAED,MAAI,gBAAgBD,YAAY;AAC9B,QAAIC,KAAKC,QAAQ;AACf,YAAMC,MAAM,yEAAyE;IACvF;AACA,WAAO,MAAMC,yBAAyBC,UAAUL,YAAiCC,KAAKK,OAAO,EAAEC,MAAK;EACtG;AACA,MAAIN,KAAKC,QAAQ;AACfF,eAAWQ,qBAAqBP,KAAKC,MAAM;EAC7C;AACA,SAAO,MAAMF,WAAWO,MAAK;AAC/B;AAjBsBR;AAmBf,IAAMU,0BAAN,MAAMA;EAzEb,OAyEaA;;;EACMC;EACTC,cAAc;EAEtB,IAAIC,wBAA+C;AACjD,WAAO,KAAKF;EACd;EAEOG,aAAsB;AAC3B,WAAO,KAAKF;EACd;EAEOG,wBAAgC;AACrC,WAAO,KAAKF,sBAAsBG;EACpC;EAEOC,gCAAoD;AACzD,WAAO,KAAKJ,sBAAsBK;EACpC;EAEA,YAAmBC,SAAwF;AACzG,SAAKR,yBAAyB;MAAE,GAAGQ;IAAQ;EAC7C;;;;;;;EAQA,MAAaC,+BAA+BlB,MAOmD;AAC7F,UAAM,EAAEmB,sBAAsBC,iBAAiBC,QAAQC,SAASC,gBAAe,IAAKvB;AAEpF,UAAMwB,UAAU,MAAM,KAAKC,oCAAoC;MAC7DL;MACAE;MACAD;MACAhB,SAAS,KAAKA,QAAO;MACrBc;MACAI;IACF,CAAA;AACA,WAAO,MAAM,KAAKG,2CAA2CF,SAASxB,KAAK2B,cAAc;EAC3F;EAEA,MAAaC,6BAA6B5B,MAQqD;AAC7F,UAAM,EAAEmB,sBAAsBC,iBAAiBrB,YAAYsB,QAAQC,SAASC,gBAAe,IAAKvB;AAEhG,UAAMwB,UAAU,MAAM,KAAKK,wBAAwB;MACjD9B;MACAqB;MACAE;MACAD;MACAhB,SAAS,KAAKA,QAAO;MACrBc;MACAI;IACF,CAAA;AACA,WAAO,MAAM,KAAKO,+BAA+BN,SAASxB,KAAK2B,cAAc;EAC/E;EAEA,MAAaD,2CACXK,gBACAJ,gBAC4F;AAC5F,WAAO,MAAM,KAAKK,mCAAmCD,gBAAgBJ,cAAAA;EACvE;EAEA,MAAaG,+BACXC,gBACAJ,gBAC4F;AAC5F,WAAO,MAAM,KAAKK,mCAAmCD,gBAAgBJ,cAAAA;EACvE;EAEA,MAAcK,mCACZD,gBACAJ,gBAC4F;AAC5F,QAAI,KAAKtB,QAAO,IAAK4B,0CAAkBC,YAAY;AACjD,YAAM,IAAIhC,MAAM,2FAAA;IAClB;AACA,UAAMsB,cAAoCW,wDAA+BJ,gBAAgB,KAAK1B,QAAO,CAAA;AACrG,UAAMS,qBAA6B,KAAKH,sBAAsBG;AAC9D,QAAI,KAACsB,oCAAWtB,kBAAAA,GAAqB;AACnCpB,MAAAA,QAAO2C,MAAM,gCAAgCvB,kBAAAA,EAAoB;AACjE,YAAM,IAAIZ,MAAMoC,qCAAAA;IAClB;AACA5C,IAAAA,QAAO2C,MAAM,iCAAiCvB,kBAAAA,EAAoB;AAClEpB,IAAAA,QAAO2C,MAAM;IAAcE,KAAKC,UAAUhB,SAAS,MAAM,CAAA,CAAA,EAAI;AAC7D,UAAMiB,eAAuB,KAAK9B,sBAAsB+B;AAExD,QAAIC,OAAOhB,iBAAiB,UAAMiB,sCAAWC,4CAAqBlB,gBAAgBb,oBAAoB;MAAEgC,aAAaL;IAAa,CAAA,CAAA,IAAMM;AAExI,QAAIC,WAAY,UAAMC,8BAAKnC,oBAAoByB,KAAKC,UAAUhB,OAAAA,GAAU;MACtE0B,aAAaT;MACb,GAAIE,QAAQ;QAAEQ,eAAe;UAAEC,MAAMT;QAAK;MAAE;IAC9C,CAAA;AAIA,QAAIU,gBAAgB1B,gBAAgB2B,gBAAgBC;AACpD,UAAMC,iBAAiBC,wCAAwCT,QAAAA;AAC/D,QAAIQ,eAAeE,MAAM/B,gBAAgB;AACvCA,qBAAe2B,gBAAgBC,QAAQC,eAAeG;AACtDhB,aAAO,UAAMC,sCAAWC,4CAAqBlB,gBAAgBb,oBAAoB;QAAEgC,aAAaL;MAAa,CAAA,CAAA;AAE7GO,iBAAY,UAAMC,8BAAKnC,oBAAoByB,KAAKC,UAAUhB,OAAAA,GAAU;QAClE0B,aAAaT;QACb,GAAId,kBAAkB;UAAEwB,eAAe;YAAEC,MAAMT;UAAK;QAAE;MACxD,CAAA;AAIA,YAAMiB,mBAAmBZ,SAASa,aAAaC,QAAQjE,IAAI,YAAA;AAC3DwD,sBAAgBO,oBAAoBJ,eAAeG;IACrD;AAEA,SAAKjD,kBAAcqD,sDAA6Bf,QAAAA;AAChD,QAAI,KAAKpC,WAAU,KAAM,KAAKD,sBAAsBqD,2BAA2BhB,SAASiB,aAAa;AACnGjB,iBAAW,MAAM,KAAKkB,0BAA0BlB,SAASiB,aAAa;QAAEf,aAAa,KAAKvC,sBAAsB+B;MAAM,CAAA;IACxH;AACAM,aAASmB,eAAe1B;AAExB,QAAKV,eAAeqC,+BAA+BpB,SAASiB,eAAgBjB,SAASiB,aAAaG,6BAA6B;AAC7H,UAAI7B,KAAKC,UAAUT,eAAeqC,2BAA2B,MAAM7B,KAAKC,UAAUQ,SAASiB,aAAaG,2BAAAA,GAA8B;AACpI,cAAMlE,MAAM,uFAAA;MACd;IACF;AACAR,IAAAA,QAAO2C,MAAM,uBAAuBvB,kBAAAA;EAAmCyB,KAAKC,UAAUQ,UAAU,MAAM,CAAA,CAAA,EAAI;AAE1G,WAAO;MACL,GAAGA;MACH,GAAIK,iBAAiB;QAAEgB,QAAQ;UAAEjB,MAAM;YAAEO,WAAWN;UAAc;QAAE;MAAE;IACxE;EACF;EAEA,MAAaa,0BACXlB,UACAhD,MAGwE;AACxE,UAAMsE,gBAAgBtB,SAASuB;AAC/B,UAAMrB,cAAcF,SAASwB,oBAAoBxE,MAAMkD;AACvD,UAAMlC,6BAA6B,KAAKD,8BAA6B;AACrE,QAAI,CAACC,4BAA4B;AAC/B,YAAMd,MAAM,2CAA2C;IACzD,WAAW,CAACgD,aAAa;AACvB,YAAMhD,MAAM,4EAA4E;IAE1F;AACA,WAAO,UAAMgE,mDAA0B;MACrChB;MACAoB;MACAtD;MACAgD,yBAAyB,KAAKrD,sBAAsBqD;MACpDS,gCAAgC,KAAK9D,sBAAsB8D;IAC7D,CAAA;EACF;EAEA,MAAahD,oCAAoCzB,MAAkF;AACjI,WAAO,MAAM,KAAK0E,4BAA4B1E,IAAAA;EAChD;EAEA,MAAa6B,wBACX7B,MAGmC;AACnC,WAAO,MAAM,KAAK0E,4BAA4B1E,IAAAA;EAChD;EAEA,MAAc0E,4BACZ1E,MAGmC;AACnC,UAAM,EAAED,YAAYoB,sBAAsBwD,sBAAqB,IAAK3E;AACpE,QAAI4E,QAAuC7B;AAC3C,QAAIhD,YAAY;AACd6E,cAAQ,MAAM9E,WAAWC,YAAYC,IAAAA;IACvC;AACA,QAAI2E,uBAAuB;AACzB,UAAI3E,KAAKqB,UAAUrB,KAAKoB,mBAAmBpB,KAAKsB,SAAS;AACvD,cAAMpB,MAAM,mFAAmF;MACjG;AACA,aAAO;QACLyE;QACA,GAAIC,SAAS;UAAEA;QAAM;MACvB;IACF;AACA,UAAMC,kBAAkB7E,KAAKqB,UAAU,KAAKV,sBAAsBU;AAElE,QAAI,CAACwD,iBAAiB;AACpB,YAAM3E,MAAM,8CAA8C;IAC5D;AACA,UAAMmB,aAASyD,0CAAiBD,eAAAA;AAChC,UAAME,iBACJ/E,MAAMoB,oBAAoB,OAAOpB,KAAKoB,oBAAoB,YAAYpB,KAAKoB,gBAAgB4D,SAAS,KAChGhF,KAAKoB,kBACL,KAAKT,sBAAsBS;AACjC,QAAI,CAAC2D,gBAAgB;AACnB,YAAM7E,MAAM,wCAAwC;IACtD;AACA,UAAM+E,QAAQC,MAAMC,QAAQJ,cAAAA,IAAkBA,iBAAiB;MAACA;;AAChE,QAAIE,MAAMD,WAAW,GAAG;AACtB,YAAM9E,MAAM,wCAAwC;IACtD;AACA,UAAMkF,eAAe,KAAKzE,sBAAsB0E;AAGhD,QAAIhE,WAAW,iBAAiBA,WAAW,UAAU;AACnD,aAAO;QACLiE,uBAAuB;UACrBC,MAAMN;QACR;QACA5D;QACA,GAAI+D,gBAAgB;UAAEA;QAAa;QACnC,GAAIR,SAAS;UAAEA;QAAM;QACrB,GAAG5E,KAAKuB;MACV;IACF,WAAWF,WAAW,oBAAoBA,WAAW,UAAU;AAC7D,UAAI,KAAKhB,QAAO,KAAM4B,0CAAkBuD,cAAc,CAACxF,KAAKsB,SAAS;AACnE,cAAMpB,MAAM,+CAAA;MACd;AAEA,aAAO;QACLmB;QACA,GAAI+D,gBAAgB;UAAEA;QAAa;QACnC,GAAIR,SAAS;UAAEA;QAAM;QACrB,GAAG5E,KAAKuB;QAER+D,uBAAuB;UACrBC,MAAMN;UACN,YAAYjF,KAAKsB;QACnB;MACF;IACF,WAAWD,WAAW,aAAa;AACjC,UAAI4D,MAAMD,SAAS,GAAG;AACpB,cAAM9E,MAAM,kDAAkDmB,MAAAA,EAAQ;MACxE;AACA,aAAO;QACLA;QACA,GAAI+D,gBAAgB;UAAEA;QAAa;QACnC,GAAIR,SAAS;UAAEA;QAAM;QACrBa,KAAKR,MAAM,CAAA;QACX,GAAGjF,KAAKuB;MACV;IACF,WAAWF,WAAW,YAAY;AAChC,UAAI4D,MAAMD,SAAS,GAAG;AACpB,cAAM9E,MAAM,kDAAkDmB,MAAAA,EAAQ;MACxE;AACA,aAAO;QACLA;QACA,GAAI+D,gBAAgB;UAAEA;QAAa;QACnC,GAAIR,SAAS;UAAEA;QAAM;QACrBc,SAAST,MAAM,CAAA;QACf,GAAGjF,KAAKuB;MACV;IACF;AAEA,UAAM,IAAIrB,MAAM,kCAAkCmB,MAAAA,EAAQ;EAC5D;EAEQhB,UAA6B;AACnC,WAAO,KAAKM,uBAAuBN,WAAW4B,0CAAkBC;EAClE;AACF;;;AClWA,IAAAyD,0BAaO;AAKA,IAAMC,wBAAN,MAAMA;EAlBb,OAkBaA;;;EACX,aAAoBC,QAAQC,KAAaC,MAA0E;AACjHC,QAAIC,MAAM,yBAAyBH,GAAAA,EAAK;AACxC,QAAI,CAACA,IAAII,SAAS,GAAA,KAAQ,CAACJ,IAAII,SAAS,KAAA,GAAQ;AAC9CF,UAAIC,MAAM,iCAAiCH,GAAAA,EAAK;AAChD,YAAMK,MAAM,kCAAkC;IAChD;AACA,UAAMC,SAASN,IAAIO,MAAM,KAAA,EAAO,CAAA;AAChC,UAAMC,UAAUR,IAAIO,MAAM,GAAA,EAAK,CAAA;AAC/B,UAAME,cAAUC,qDAA4BV,GAAAA;AAC5CE,QAAIS,IAAI,yCAAyCF,OAAAA,EAAS;AAC1D,QAAIG;AACJ,QAAIC;AAEJ,QAAIJ,UAAUK,0CAAkBC,YAAY;AAC1CF,mCAAyBG,gDAAuBhB,KAAK;QACnDiB,qBAAqB;UAAC;;QACtBC,oBAAoBlB,IAAII,SAAS,mBAAA,IAAuB;UAAC;YAAsB;UAAC;UAAU;;MAC5F,CAAA;AACAQ,wBAAkB;QAChBO,kBAAkBN;MACpB;IACF,OAAO;AACL,UAAIb,IAAII,SAAS,sBAAA,GAAyB;AACxCQ,0BAAmB,MAAMQ,yBAAyBpB,GAAAA;MACpD,OAAO;AACLY,8BAAkBI,gDAAuBhB,KAAK;;UAE5CiB,qBAAqBjB,IAAII,SAAS,uBAAA,IAA2B;YAAC;cAA2B;YAAC;;UAC1Fc,oBAAoBlB,IAAII,SAAS,uBAAA,IAA2B;YAAC;cAA2B;YAAC;;QAC3F,CAAA;MACF;AACA,UAAIQ,iBAAiBS,yBAAyBC,UAAa,CAACV,iBAAiBO,kBAAkB;AAC7F,cAAMd,MAAM,4EAA4EL,GAAAA;MAC1F;IACF;AAEA,UAAMuB,UAAU,UAAMC,yDAAgCZ,iBAAiB;MACrE,GAAGX;MACHQ;IACF,CAAA;AAEA,WAAO;MACL,GAAGgB,sBAAsBF,SAASjB,QAAQE,OAAAA;MAC1CkB,iBACEH,QAAQJ,kBAAkBQ,SAASC,8CAAAA,GAAyBC,qBAC5D,CAAC,CAACN,QAAQJ,kBAAkBQ,SAASC,8CAAAA,GAAyBE,WAC9D;IACJ;EACF;EAEA,OAAcC,MACZC,oBACA/B,MAGQ;AACRC,QAAIC,MAAM,2CAA2C8B,KAAKC,UAAUF,kBAAAA,CAAAA,EAAqB;AACzF,UAAMvB,UAAUR,MAAMQ,WAAWuB,mBAAmBvB;AACpD,QAAID,UAAUwB,mBAAmBxB,QAAQJ,SAAS4B,mBAAmB1B,MAAM,IACvE0B,mBAAmBxB,UACnB,GAAGwB,mBAAmB1B,OAAO6B,QAAQ,OAAO,EAAA,CAAA,MAASH,mBAAmBxB,OAAO;AACnF,QAAI4B;AAEJ,UAAMC,QAAQL,mBAAmBX,yBAAyBC;AAE1D,QAAIb,QAAQ6B,QAAO,KAAMxB,0CAAkBC,WAAWuB,QAAO,GAAI;AAE/D,UAAI,CAAC9B,QAAQJ,SAAS,GAAA,GAAM;AAC1BgC,gBAAQC,QAAQ,yBAAyB;MAC3C,OAAO;AACL,cAAM9B,QAAQC,QAAQD,MAAM,GAAA;AAC5B,YAAIA,MAAMgC,SAAS,KAAKhC,MAAM,CAAA,MAAO,IAAI;AACvC,cAAIC,QAAQgC,SAAS,GAAA,GAAM;AACzBJ,oBAAQC,QAAQ,yBAAyB;UAC3C,WAAW,CAAC7B,QAAQgC,SAAS,GAAA,GAAM;AACjChC,uBAAW;AACX4B,oBAAQC,QAAQ,yBAAyB;UAC3C;QACF;MACF;IACF;AACA,eAAOI,0CAAiBT,mBAAmBX,wBAAwBW,mBAAmBU,2BAA2B;MAC/GlC;MACAS,qBAAqBoB,QAAQ,CAAA,IAAK;QAAC;;MACnCM,mBAAmBN,QACf;QAAC;UACD5B,WAAWK,0CAAkB8B,aAC3B;QAAC;QAAqB;UACtB;QAAC;QAAU;;MACjBR;MACA3B;IACF,CAAA;EACF;AACF;;;AChHA,IAAAoC,0BAeO;AACP,IAAAC,qBAAwB;AAExB,IAAMC,UAASC,2BAAQC,QAAQC,IAAI,wBAAA;AAE5B,IAAMC,+BAAN,MAAMA;EApBb,OAoBaA;;;EACX,aAAoBC,QAAQC,KAAaC,MAAiF;AACxHP,IAAAA,QAAOQ,MAAM,yBAAyBF,GAAAA,EAAK;AAC3C,QAAI,CAACA,IAAIG,SAAS,GAAA,KAAQ,CAACH,IAAIG,SAAS,KAAA,GAAQ;AAC9CT,MAAAA,QAAOQ,MAAM,iCAAiCF,GAAAA,EAAK;AACnD,YAAMI,MAAM,kCAAkC;IAChD;AACA,UAAMC,SAASL,IAAIM,MAAM,KAAA,EAAO,CAAA;AAChC,UAAMC,UAAUP,IAAIM,MAAM,GAAA,EAAK,CAAA;AAC/B,UAAME,cAAUC,qDAA4BT,GAAAA;AAC5C,QAAIU;AACJ,QAAIC;AACJ,QAAIH,UAAUI,0CAAkBC,YAAY;AAC1CF,mCAAyBG,gDAAuBd,KAAK;QACnDe,qBAAqB;UAAC;;QACtBC,oBAAoBhB,IAAIG,SAAS,uBAAA,IAA2B;UAAC;YAA2B;UAAC;UAAU;;MACrG,CAAA;AACAO,wBAAkB;QAChBO,kBAAkBN;MACpB;IACF,OAAO;AACLD,4BAAkBI,gDAAuBd,KAAK;QAC5Ce,qBAAqB;UAAC;;QACtBC,oBAAoBhB,IAAIG,SAAS,uBAAA,IAA2B;UAAC;YAA2B;UAAC;;MAC3F,CAAA;AACA,UAAIO,iBAAiBQ,yBAAyBC,UAAa,CAACT,iBAAiBO,kBAAkB;AAC7F,cAAMb,MAAM,4EAA4EJ,GAAAA;MAC1F;IACF;AAEA,UAAMoB,UAAU,UAAMC,yDAAgCX,iBAAiB;MACrE,GAAGT;MACHO;IACF,CAAA;AACA,UAAMc,eAAWC,+DAAsCH,QAAQH,gBAAgB;AAC/E,UAAMO,SAASJ,QAAQH,kBAAkBO;AAEzC,WAAO;MACLnB;MACAE;MACA,GAAIe,YAAY;QAAEA;MAAS;MAC3B,GAAGF;MACH,GAAII,QAAQC,oBAAoBC,gBAAgB;QAAEC,aAAaH,OAAOC,mBAAmBC;MAAa;MACtG,GAAIF,SAASI,8CAAAA,IAA0BC,6CAAAA,KAA0B;QAC/DC,mBAAmBN,OAAOI,8CAAAA,EAAwBC,6CAAAA;MACpD;MACAE,iBAAiB,CAAC,EAAEX,QAAQH,kBAAkBO,SAASI,8CAAAA,GAAyBI,qBAAqB;IACvG;EACF;EAEA,OAAcC,MACZC,oBACAjC,MAGQ;AACRP,IAAAA,QAAOQ,MAAM,2CAA2CiC,KAAKC,UAAUF,kBAAAA,CAAAA,EAAqB;AAC5F,UAAM1B,UAAUP,MAAMO,WAAW0B,mBAAmB1B;AACpD,QAAID,UAAU2B,mBAAmB3B,QAAQJ,SAAS+B,mBAAmB7B,MAAM,IACvE6B,mBAAmB3B,UACnB,GAAG2B,mBAAmB7B,OAAOgC,QAAQ,OAAO,EAAA,CAAA,MAASH,mBAAmB3B,OAAO;AACnF,QAAI+B;AAEJ,UAAMC,QAAQL,mBAAmBhB,yBAAyBC;AAE1D,QAAIX,QAAQgC,QAAO,KAAM5B,0CAAkBC,WAAW2B,QAAO,GAAI;AAE/D,UAAI,CAACjC,QAAQJ,SAAS,GAAA,GAAM;AAC1BmC,gBAAQC,QAAQ,yBAAyB;MAC3C,OAAO;AACL,cAAMjC,QAAQC,QAAQD,MAAM,GAAA;AAC5B,YAAIA,MAAMmC,SAAS,KAAKnC,MAAM,CAAA,MAAO,IAAI;AACvC,cAAIC,QAAQmC,SAAS,GAAA,GAAM;AACzBJ,oBAAQC,QAAQ,yBAAyB;UAC3C,WAAW,CAAChC,QAAQmC,SAAS,GAAA,GAAM;AACjCnC,uBAAW;AACX+B,oBAAQC,QAAQ,yBAAyB;UAC3C;QACF;MACF;IACF;AACA,eAAOI,0CAAiBT,mBAAmBhB,wBAAwBgB,mBAAmBU,2BAA2B;MAC/GrC;MACAQ,qBAAqBwB,QAAQ,CAAA,IAAK;QAAC;;MACnCM,mBAAmBN,QACf;QAAC;UACD/B,WAAWI,0CAAkBC,aAC3B;QAAC;QAAqB;UACtB;QAAC;QAAU;;MACjByB;MACA9B;IACF,CAAA;EACF;AACF;;;ACjHA,IAAAsC,0BAUO;AACP,IAAAC,qBAAwB;AAIxB,IAAMC,WAASC,2BAAQC,QAAQC,IAAI,wBAAA;AAE5B,IAAMC,+BAAN,MAAMA;EAjBb,OAiBaA;;;EACX,aAAoBC,QAAQC,KAAaC,MAA0E;AACjHP,IAAAA,SAAOQ,MAAM,yBAAyBF,GAAAA,EAAK;AAC3C,QAAI,CAACA,IAAIG,SAAS,GAAA,KAAQ,CAACH,IAAIG,SAAS,KAAA,GAAQ;AAC9CT,MAAAA,SAAOQ,MAAM,iCAAiCF,GAAAA,EAAK;AACnD,YAAMI,MAAM,kCAAkC;IAChD;AACA,UAAMC,SAASL,IAAIM,MAAM,KAAA,EAAO,CAAA;AAChC,UAAMC,UAAUP,IAAIM,MAAM,GAAA,EAAK,CAAA;AAC/B,UAAME,cAAUC,qDAA4BT,GAAAA;AAC5C,QAAIU;AACJ,QAAIV,IAAIG,SAAS,sBAAA,GAAyB;AAExCO,wBAAmB,MAAMC,yBAAyBX,GAAAA;IACpD,OAAO;AACLU,4BAAkBE,gDAAuBZ,KAAK;;QAE5Ca,qBAAqBb,IAAIG,SAAS,uBAAA,IAC9B;UAAC;UAAgC;YACjC;UAAC;UAAgC;;QACrCW,oBAAoBd,IAAIG,SAAS,uBAAA,IAA2B;UAAC;YAA2B;UAAC;;MAC3F,CAAA;IACF;AACA,QAAIO,iBAAiBK,yBAAyBC,UAAa,CAACN,iBAAiBO,kBAAkB;AAC7F,YAAMb,MAAM,4EAA4EJ,GAAAA;IAC1F;AAEA,UAAMkB,UAAU,UAAMC,yDAAgCT,iBAAiB;MACrE,GAAGT;MACHO;IACF,CAAA;AAEA,WAAO;MACL,GAAGY,sBAAsBF,SAASb,QAAQE,OAAAA;MAC1Cc,iBAAiB,CAAC,EAAEH,QAAQD,kBAAkBK,SAASC,8CAAAA,GAAyBC,WAAW;IAC7F;EACF;EAEA,OAAcC,MACZC,oBACAzB,MAGQ;AACRP,IAAAA,SAAOQ,MAAM,2CAA2CyB,KAAKC,UAAUF,kBAAAA,CAAAA,EAAqB;AAC5F,UAAMlB,UAAUP,MAAMO,WAAWkB,mBAAmBlB;AACpD,QAAID,UAAUmB,mBAAmBnB,QAAQJ,SAASuB,mBAAmBrB,MAAM,IACvEqB,mBAAmBnB,UACnB,GAAGmB,mBAAmBrB,OAAOwB,QAAQ,OAAO,EAAA,CAAA,MAASH,mBAAmBnB,OAAO;AACnF,QAAIuB;AAEJ,UAAMC,QAAQL,mBAAmBX,yBAAyBC;AAE1D,QAAIR,QAAQwB,QAAO,KAAMC,0CAAkBC,WAAWF,QAAO,GAAI;AAE/D,UAAI,CAACzB,QAAQJ,SAAS,GAAA,GAAM;AAC1B2B,gBAAQC,QAAQ,yBAAyB;MAC3C,OAAO;AACL,cAAMzB,QAAQC,QAAQD,MAAM,GAAA;AAC5B,YAAIA,MAAM6B,SAAS,KAAK7B,MAAM,CAAA,MAAO,IAAI;AACvC,cAAIC,QAAQ6B,SAAS,GAAA,GAAM;AACzBN,oBAAQC,QAAQ,yBAAyB;UAC3C,WAAW,CAACxB,QAAQ6B,SAAS,GAAA,GAAM;AACjC7B,uBAAW;AACXuB,oBAAQC,QAAQ,yBAAyB;UAC3C;QACF;MACF;IACF;AACA,eAAOM,0CAAiBX,mBAAmBX,wBAAwBW,mBAAmBY,2BAA2B;MAC/G/B;MACAM,qBAAqBkB,QAAQ,CAAA,IAAK;QAAC;;MACnCQ,mBAAmBR,QACf;QAAC;UACDvB,WAAWyB,0CAAkBO,aAC3B;QAAC;QAAqB;UACtB;QAAC;QAAU;;MACjBV;MACAtB;IACF,CAAA;EACF;AACF;;;AClGA,IAAAiC,wBAAuE;AACvE,IAAAC,0BAgBO;AACP,IAAAC,qBAA0C;AAO1C,IAAMC,WAASC,2BAAQC,QAAQC,IAAI,6BAAA;AAc5B,IAAMC,iCAAN,MAAMA;EAvCb,OAuCaA;;;EACMC;EACTC,cAAc;EAEtB,IAAIC,wBAAsD;AACxD,WAAO,KAAKF;EACd;EAEOG,aAAsB;AAC3B,WAAO,KAAKF;EACd;EAEOG,wBAAgC;AACrC,WAAO,KAAKF,sBAAsBG;EACpC;EAEOC,gCAAoD;AACzD,WAAO,KAAKJ,sBAAsBK;EACpC;EAEA,YAAmBC,SAAgD;AACjE,SAAKR,yBAAyB;MAAE,GAAGQ;IAAQ;EAC7C;EAEA,MAAaC,6BAA6BC,MAMqD;AAC7F,UAAM,EAAEC,iBAAiBC,YAAYC,QAAQC,QAAO,IAAKJ;AAEzD,UAAMK,UAAU,MAAM,KAAKC,wBAAwB;MAAEJ;MAAYD;MAAiBG;MAASD;MAAQI,SAAS,KAAKA,QAAO;IAAG,CAAA;AAC3H,WAAO,MAAM,KAAKC,+BAA+BH,SAASL,KAAKS,cAAc;EAC/E;EAEA,MAAaD,+BACXE,gBACAD,gBAC4F;AAC5F,UAAMJ,cAAUM,wDAA+BD,gBAAgB,KAAKH,QAAO,CAAA;AAC3E,UAAMZ,qBAA6B,KAAKH,sBAAsBG;AAC9D,QAAI,KAACiB,oCAAWjB,kBAAAA,GAAqB;AACnCV,MAAAA,SAAO4B,MAAM,gCAAgClB,kBAAAA,EAAoB;AACjE,YAAM,IAAImB,MAAMC,qCAAAA;IAClB;AACA9B,IAAAA,SAAO4B,MAAM,iCAAiClB,kBAAAA,EAAoB;AAClEV,IAAAA,SAAO4B,MAAM;IAAcG,KAAKC,UAAUZ,SAAS,MAAM,CAAA,CAAA,EAAI;AAC7D,UAAMa,eAAuB,KAAK1B,sBAAsB2B;AAExD,QAAIC,OAAOX,iBAAiB,UAAMY,sCAAWC,4CAAqBb,gBAAgBd,oBAAoB;MAAE4B,aAAaL;IAAa,CAAA,CAAA,IAAMM;AAExI,QAAIC,WAAY,UAAMC,8BAAK/B,oBAAoBqB,KAAKC,UAAUZ,OAAAA,GAAU;MACtEsB,aAAaT;MACbU,eAAe;QAAE,GAAInB,kBAAkB;UAAEoB,MAAMT;QAAK;MAAG;IACzD,CAAA;AAIA,QAAIU,gBAAgBrB,gBAAgBsB,gBAAgBC;AACpD,UAAMC,iBAAiBC,wCAAwCT,QAAAA;AAC/D,QAAIQ,eAAeE,MAAM1B,gBAAgB;AACvCA,qBAAesB,gBAAgBC,QAAQC,eAAeG;AACtDhB,aAAO,UAAMC,sCAAWC,4CAAqBb,gBAAgBd,oBAAoB;QAAE4B,aAAaL;MAAa,CAAA,CAAA;AAE7GO,iBAAY,UAAMC,8BAAK/B,oBAAoBqB,KAAKC,UAAUZ,OAAAA,GAAU;QAClEsB,aAAaT;QACbU,eAAe;UAAE,GAAInB,kBAAkB;YAAEoB,MAAMT;UAAK;QAAG;MACzD,CAAA;AAIA,YAAMiB,mBAAmBZ,SAASa,aAAaC,QAAQnD,IAAI,YAAA;AAC3D0C,sBAAgBO,oBAAoBJ,eAAeG;IACrD;AAEA,SAAK7C,kBAAciD,sDAA6Bf,QAAAA;AAChD,QAAI,KAAKhC,WAAU,KAAM,KAAKD,sBAAsBiD,2BAA2BhB,SAASiB,aAAa;AACnGjB,iBAAW,MAAM,KAAKkB,0BAA0BlB,SAASiB,aAAa;QAAEf,aAAa,KAAKnC,sBAAsB2B;MAAM,CAAA;IACxH;AACAM,aAASmB,eAAe1B;AAExBjC,IAAAA,SAAO4B,MAAM,uBAAuBlB,kBAAAA;EAAmCqB,KAAKC,UAAUQ,UAAU,MAAM,CAAA,CAAA,EAAI;AAE1G,WAAO;MACL,GAAGA;MACH,GAAIK,iBAAiB;QAAEe,QAAQ;UAAEhB,MAAM;YAAEO,WAAWN;UAAc;QAAE;MAAE;IACxE;EACF;EAEA,MAAaa,0BACXlB,UACAzB,MAGwE;AACxE,UAAM8C,gBAAgBrB,SAASsB;AAC/B,UAAMpB,cAAcF,SAASuB,oBAAoBhD,MAAM2B;AACvD,UAAM9B,6BAA6B,KAAKD,8BAA6B;AACrE,QAAI,CAACC,4BAA4B;AAC/B,YAAMiB,MAAM,2CAA2C;IACzD,WAAW,CAACa,aAAa;AACvB,YAAMb,MAAM,4EAA4E;IAE1F;AACA,WAAO,UAAM6B,mDAA0B;MACrChB;MACAmB;MACAjD;MACA4C,yBAAyB,KAAKjD,sBAAsBiD;MACpDQ,gCAAgC,KAAKzD,sBAAsByD;IAC7D,CAAA;EACF;EAEA,MAAa3C,wBAAwBN,MAMC;AACpC,UAAM,EAAEE,WAAU,IAAKF;AACvB,UAAMkD,kBAAkBlD,KAAKG,UAAU,KAAKX,sBAAsBW;AAElE,QAAI,CAAC+C,iBAAiB;AACpB,YAAMpC,MAAM,8CAA8C;IAC5D;AACA,UAAMX,aAASgD,0CAAiBD,eAAAA;AAChC,UAAME,iBACJpD,MAAMC,oBAAoB,OAAOD,KAAKC,oBAAoB,YAAYD,KAAKC,gBAAgBoD,SAAS,KAChGrD,KAAKC,kBACL,KAAKT,sBAAsBS;AACjC,UAAMqD,QAAQC,MAAMC,QAAQJ,cAAAA,IAAkBA,iBAAiB;MAACA;;AAChE,QAAIE,MAAMD,WAAW,GAAG;AACtB,YAAMvC,MAAM,wCAAwC;IACtD,WAES,CAAC,KAAK2C,cAAa,KAAMH,MAAMD,WAAW,GAAG;AACpD,YAAMvC,MAAM,sDAAA;IACd;AACA,UAAM4C,QAAQ,MAAMC,WAAWzD,YAAYF,IAAAA;AAG3C,QAAIG,WAAW,iBAAiBA,WAAW,UAAU;AACnD,aAAO;QACLmD;QACAnD;QACAuD;MACF;IACF,WAAWvD,WAAW,oBAAoBA,WAAW,UAAU;AAC7D,UAAI,KAAKI,QAAO,KAAMqD,0CAAkBC,cAAc,CAAC7D,KAAKI,SAAS;AACnE,cAAMU,MAAM,+CAAA;MACd;AAEA,aAAO;QACLX;QACAuD;;;;QAKAI,uBAAuB;UACrBR;UACA,GAAItD,KAAKI,WAAW;YAAE,YAAYJ,KAAKI;UAAQ;QACjD;MACF;IACF,WAAWD,WAAW,aAAa;AACjC,UAAImD,MAAMD,SAAS,GAAG;AACpB,cAAMvC,MAAM,kDAAkDX,MAAAA,EAAQ;MACxE;AAEA,aAAO;QACLA;QACAuD;QACAK,KAAKT,MAAM,CAAA;MACb;IACF,WAAWnD,WAAW,YAAY;AAChC,UAAImD,MAAMD,SAAS,GAAG;AACpB,cAAMvC,MAAM,kDAAkDX,MAAAA,EAAQ;MACxE;AAEA,aAAO;QACLA;QACAuD;QACAM,SAASV,MAAM,CAAA;MACjB;IACF;AAEA,UAAM,IAAIxC,MAAM,uBAAuBX,MAAAA,EAAQ;EACjD;EAEQI,UAA6B;AACnC,WAAO,KAAKf,uBAAuBe,WAAWqD,0CAAkBK;EAClE;EAEQR,gBAAyB;AAC/B,WAAO,KAAKlD,QAAO,KAAMqD,0CAAkBK;EAC7C;AACF;;;AC9OA,IAAAC,0BAWO;;;ACXP,IAAAC,0BAcO;AAMA,IAAMC,wCAAN,MAAMA,uCAAAA;EApBb,OAoBaA;;;EACXC;EACAC;EACAC,0BAA0B;EAC1BC,iCAAiC;EACjCC,kBAA4B,CAAA;EAC5BC;EACAC;EACAC;EACAC;EACAC;EAEA,OAAcC,qBAAqB,EACjCC,kBACAC,UACAL,SACAH,gBAAe,GAMyB;AACxC,UAAMS,SAASF;AACf,UAAMG,UAAU,IAAIf,uCAAAA;AACpBe,YAAQC,YAAYR,WAAWS,0CAAkBC,UAAU;AAC3DH,YAAQI,uBAAuBN,UAAUO,wBAAwBN,OAAOO,SAAS,GAAA,IAAO,GAAGP,MAAAA,eAAqB,GAAGA,MAAAA,cAAkB;AACrI,QAAID,UAAUS,8BAA8B;AAC1CP,cAAQQ,+BAA+BV,SAASS,4BAA4B;IAC9E;AACAP,YAAQS,mBAAmBnB,eAAAA;AAC3B,WAAOU;EACT;EAEA,aAAoBU,QAAQ,EAAEC,KAAKb,SAAQ,GAAkG;AAC3I,UAAMc,QAAQ,MAAMC,6BAA6BH,QAAQC,GAAAA;AACzD,WAAO1B,uCAAsC6B,2BAA2B;MAAEC,SAASH;MAAO,GAAGA;MAAOd;MAAUL,SAASmB,MAAMnB;IAAQ,CAAA;EACvI;EAEA,OAAcqB,2BAA2BE,MAMC;AACxC,UAAM,EAAED,SAASjB,SAAQ,IAAKkB;AAC9B,UAAMvB,UAAUuB,KAAKvB,WAAWsB,QAAQtB,eAAWwB,uDAA8BF,QAAQG,yBAAyB;AAClH,UAAMlB,UAAU,IAAIf,uCAAAA;AACpB,UAAMc,aAASoB,6DAAoCJ,QAAQK,gBAAgB,KAAMtB,UAAUC;AAC3FC,YAAQC,YAAYR,OAAAA;AACpBO,YAAQI,uBAAuBN,UAAUO,wBAAwBN,OAAOO,SAAS,GAAA,IAAO,GAAGP,MAAAA,eAAqB,GAAGA,MAAAA,cAAkB;AACrI,QAAID,UAAUS,8BAA8B;AAC1CP,cAAQQ,+BAA+BV,SAASS,4BAA4B;IAC9E;AAEA,QAAId,WAAWS,0CAAkBmB,YAAY;AAE3CrB,cAAQS,mBAAoBM,QAAQG,0BAA4DI,eAAe;IACjH,WAAW7B,WAAWS,0CAAkBC,YAAY;AAElDH,cAAQS,uBAAmBc,kDAAyBR,QAAQK,gBAAgB,CAAA;IAC9E;AAEA,WAAOpB;EACT;EAEA,OAAcwB,oBAAoB,EAChCC,iBACA3B,SAAQ,GAIgC;AACxC,WAAOb,uCAAsC6B,2BAA2B;MACtEC,SAASU;MACT3B;MACAL,SAASgC,gBAAgBhC;IAC3B,CAAA;EACF;EAEOiC,gBAAgB/B,aAA4B;AACjD,SAAKA,cAAcA;AACnB,WAAO;EACT;EAEOgC,mCAAmC7B,UAA0C;AAClF,SAAKZ,qBAAqBY,SAASO;AACnC,WAAO;EACT;EAEOD,uBAAuBlB,oBAAkC;AAC9D,SAAKA,qBAAqBA;AAC1B,WAAO;EACT;EAEO0C,2CAA2C9B,UAA0C;AAC1F,SAAKX,6BAA6BW,SAASS;AAC3C,WAAO;EACT;EAEOC,+BAA+BrB,4BAA0C;AAC9E,SAAKA,6BAA6BA;AAClC,WAAO;EACT;EAEO0C,4BAA4BzC,yBAAkCC,gCAA+C;AAClH,SAAKD,0BAA0BA;AAC/B,SAAKC,iCAAiCA,kCAAkC;AACxE,WAAO;EACT;EAEOoB,mBAAmBnB,iBAA0C;AAClE,SAAKA,kBAAkBwC,MAAMC,QAAQzC,eAAAA,IAAmBA,kBAAkB;MAACA;;AAC3E,WAAO;EACT;EAEO0C,WAAWzC,QAA0D;AAC1E,SAAKA,SAASA;AACd,WAAO;EACT;EAEO0C,oBAAoBvC,iBAAoD;AAC7E,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEOwC,UAAUC,aAA2B;AAC1C,SAAK3C,QAAQ2C;AACb,WAAO;EACT;EAEOC,sBAAsBC,UAAqC;AAChE,SAAK7C,QAAQ6C,SAASC;AACtB,WAAO;EACT;EAEOrC,YAAYR,SAAkC;AACnD,SAAKA,UAAUA;AACf,WAAO;EACT;EAEO8C,QAAwC;AAC7C,QAAI,CAAC,KAAK9C,SAAS;AACjB,WAAKQ,YAAYC,0CAAkBC,UAAU;IAC/C;AACA,WAAO,IAAIqC,+BAA+B,IAAI;EAChD;AACF;;;ACxKA,IAAAC,0BAYO;AAMA,IAAMC,wCAAN,MAAMA,uCAAAA;EAlBb,OAkBaA;;;EACXC;EACAC;EACAC,0BAA0B;EAC1BC,iCAAiC;EACjCC;EACAC,kBAA6B,CAAA;EAC7BC;EACAC;EACAC;EACAC;EACAC;EAEA,OAAcC,qBAAqB,EACjCC,kBACAC,UACAL,SACAJ,sBACAC,gBAAe,GAOyB;AACxC,UAAMS,SAASF;AACf,UAAMG,UAAU,IAAIhB,uCAAAA;AACpBgB,YAAQC,YAAYR,WAAWS,0CAAkBC,UAAU;AAC3DH,YAAQI,uBAAuBN,UAAUO,wBAAwBN,OAAOO,SAAS,GAAA,IAAO,GAAGP,MAAAA,eAAqB,GAAGA,MAAAA,cAAkB;AACrI,QAAID,UAAUS,8BAA8B;AAC1CP,cAAQQ,+BAA+BV,SAASS,4BAA4B;IAC9E;AACA,QAAIlB,sBAAsB;AACxBW,cAAQS,yBAAyBpB,oBAAAA;IACnC;AACA,QAAIC,iBAAiB;AACnBU,cAAQU,mBAAmBpB,eAAAA;IAC7B;AACA,WAAOU;EACT;EAEA,aAAoBW,QAAQ,EAAEC,KAAKd,SAAQ,GAAkG;AAC3I,UAAMe,QAAQ,MAAMC,sBAAsBH,QAAQC,GAAAA;AAClD,WAAO5B,uCAAsC+B,2BAA2B;MAAEC,SAASH;MAAO,GAAGA;MAAOf;MAAUL,SAASoB,MAAMpB;IAAQ,CAAA;EACvI;EAEA,OAAcsB,2BAA2BE,MAMC;AACxC,UAAM,EAAED,SAASlB,SAAQ,IAAKmB;AAC9B,UAAMxB,UAAUwB,KAAKxB,WAAWuB,QAAQvB,eAAWyB,uDAA8BF,QAAQG,yBAAyB;AAClH,QAAI1B,UAAUS,0CAAkBC,YAAY;AAC1C,YAAM,IAAIiB,MAAM,sDAAA;IAClB;AACA,UAAMpB,UAAU,IAAIhB,uCAAAA;AACpB,UAAMe,aAASsB,6DAAoCL,QAAQM,gBAAgB,KAAMxB,UAAUC;AAC3FC,YAAQC,YAAYR,OAAAA;AACpBO,YAAQI,uBAAuBN,UAAUO,wBAAwBN,OAAOO,SAAS,GAAA,IAAO,GAAGP,MAAAA,eAAqB,GAAGA,MAAAA,cAAkB;AACrI,QAAID,UAAUS,8BAA8B;AAC1CP,cAAQQ,+BAA+BV,SAASS,4BAA4B;IAC9E;AACA,UAAMgB,MAAiBP,QAAQM,iBAAmDE;AAElF,QAAID,IAAIE,UAAUF,IAAIE,WAAW,GAAG;AAClCzB,cAAQS,yBAAyBc,IAAI,CAAA,CAAE;IACzC;AAEA,WAAOvB;EACT;EAEA,OAAc0B,oBAAoB,EAChCC,iBACA7B,SAAQ,GAIgC;AACxC,UAAME,UAAUhB,uCAAsC+B,2BAA2B;MAC/EC,SAASW;MACT7B;MACAL,SAASkC,gBAAgBlC;IAC3B,CAAA;AAEA,WAAOO;EACT;EAEO4B,mCAAmC9B,UAAiD;AACzF,SAAKb,qBAAqBa,SAASO;AACnC,WAAO;EACT;EAEOD,uBAAuBnB,oBAAkC;AAC9D,SAAKA,qBAAqBA;AAC1B,WAAO;EACT;EAEO4C,gBAAgBlC,aAA4B;AACjD,SAAKA,cAAcA;AACnB,WAAO;EACT;EAEOmC,2CAA2ChC,UAAiD;AACjG,SAAKZ,6BAA6BY,SAASS;AAC3C,WAAO;EACT;EAEOC,+BAA+BtB,4BAA0C;AAC9E,SAAKA,6BAA6BA;AAClC,WAAO;EACT;EAEO6C,4BAA4B5C,yBAAkCC,gCAA+C;AAClH,SAAKD,0BAA0BA;AAC/B,SAAKC,iCAAiCA,kCAAkC;AACxE,WAAO;EACT;EAEOqB,yBAAyBpB,sBAAoC;AAClE,SAAKA,uBAAuBA;AAC5B,WAAO;EACT;EAEOqB,mBAAmBpB,iBAA0C;AAClE,SAAKA,kBAAkB0C,MAAMC,QAAQ3C,eAAAA,IAAmBA,kBAAkB;MAACA;;AAC3E,WAAO;EACT;EAEO4C,WAAW3C,QAA0D;AAC1E,SAAKA,SAASA;AACd,WAAO;EACT;EAEO4C,oBAAoBzC,iBAAoD;AAC7E,SAAKA,kBAAkBA;AACvB,WAAO;EACT;EAEO0C,UAAUC,aAA2B;AAC1C,SAAK7C,QAAQ6C;AACb,WAAO;EACT;EAEOC,sBAAsBC,UAAqC;AAChE,SAAK/C,QAAQ+C,SAASC;AACtB,WAAO;EACT;EAEOvC,YAAYR,SAAkC;AACnD,SAAKA,UAAUA;AACf,WAAO;EACT;EAEOgD,QAAiC;AACtC,QAAI,CAAC,KAAKhD,SAAS;AACjB,WAAKQ,YAAYC,0CAAkBwC,UAAU;IAC/C;AACA,WAAO,IAAIC,wBAAwB,IAAI;EACzC;AACF;;;AFjKA,SAASC,UAAUC,SAAsD;AACvE,SAAQA,QAAkDC,6BAA6BC;AACzF;AAFSH;AAIF,IAAMI,iCAAN,MAAMA,gCAAAA;EAxBb,OAwBaA;;;EACHC;EAER,YAAoBJ,SAAwD;AAC1E,SAAKI,WAAWJ;EAClB;EAEA,OAAcK,qBAAqB,EACjCC,kBACAC,UACAC,SACAC,sBACAC,gBAAe,GAOkB;AACjC,UAAMC,cAAcH,WAAWI,0CAAkBC;AACjD,QAAIb;AAEJ,QAAIW,eAAeC,0CAAkBC,YAAY;AAC/Cb,gBAAUc,sCAAsCT,qBAAqB;QACnEC;QACAC;QACAC;QACAC;QACAC;MACF,CAAA;IACF,OAAO;AACL,UAAI,CAACA,mBAAmBA,gBAAgBK,WAAW,GAAG;AACpD,cAAM,IAAIC,MAAM,8CAAA;MAClB;AACAhB,gBAAUiB,sCAAsCZ,qBAAqB;QACnEC;QACAC;QACAC;QACAE;MACF,CAAA;IACF;AAEA,WAAO,IAAIP,gCAA+BH,OAAAA;EAC5C;EAEA,aAAoBkB,QAAQ,EAAEC,KAAKZ,SAAQ,GAA2F;AACpI,UAAMa,QAAQ,MAAMC,sBAAsBH,QAAQC,GAAAA;AAClD,WAAOhB,gCAA+BmB,2BAA2B;MAC/DC,SAASH;MACT,GAAGA;MACHb;MACAC,SAASY,MAAMZ;IACjB,CAAA;EACF;EAEA,OAAcc,2BAA2BE,MAMN;AACjC,UAAM,EAAED,QAAO,IAAKC;AACpB,UAAMhB,UAAUgB,KAAKhB,WAAWe,QAAQf,eAAWiB,uDAA8BF,QAAQG,yBAAyB;AAClH,QAAI1B;AAEJ,QAAIQ,UAAUI,0CAAkBC,YAAY;AAC1Cb,gBAAUiB,sCAAsCK,2BAA2BE,IAAAA;IAC7E,OAAO;AACLxB,gBAAUc,sCAAsCQ,2BAA2BE,IAAAA;IAC7E;AAEA,WAAO,IAAIrB,gCAA+BH,OAAAA;EAC5C;EAEA,OAAc2B,oBAAoB,EAChCC,iBACArB,SAAQ,GAIyB;AACjC,UAAMC,cAAUiB,uDAA8BG,gBAAgBC,gBAAgB;AAC9E,QAAI7B;AAEJ,QAAIQ,UAAUI,0CAAkBC,YAAY;AAC1Cb,gBAAUiB,sCAAsCU,oBAAoB;QAClEC;QACArB;MACF,CAAA;IACF,OAAO;AACLP,gBAAUc,sCAAsCa,oBAAoB;QAClEC;QACArB;MACF,CAAA;IACF;AAEA,WAAO,IAAIJ,gCAA+BH,OAAAA;EAC5C;EAEO8B,aAA4C;AACjD,WAAO,KAAK1B,SAASI;EACvB;EAEOuB,mCAAmCxB,UAA4E;AACpH,QAAIR,UAAU,KAAKK,QAAQ,GAAG;AAC5B,WAAKA,SAAS2B,mCAAmCxB,QAAAA;IACnD,OAAO;AACL,WAAKH,SAAS2B,mCAAmCxB,QAAAA;IACnD;AACA,WAAO;EACT;EAEOyB,uBAAuBC,oBAAkC;AAC9D,SAAK7B,SAAS4B,uBAAuBC,kBAAAA;AACrC,WAAO;EACT;EAEOC,2CAA2C3B,UAA4E;AAC5H,QAAIR,UAAU,KAAKK,QAAQ,GAAG;AAC5B,WAAKA,SAAS8B,2CAA2C3B,QAAAA;IAC3D,OAAO;AACL,WAAKH,SAAS8B,2CAA2C3B,QAAAA;IAC3D;AACA,WAAO;EACT;EAEO4B,+BAA+BC,4BAA0C;AAC9E,SAAKhC,SAAS+B,+BAA+BC,0BAAAA;AAC7C,WAAO;EACT;EAEOC,4BAA4BC,yBAAkCC,gCAA+C;AAClH,SAAKnC,SAASiC,4BAA4BC,yBAAyBC,8BAAAA;AACnE,WAAO;EACT;EAEOtC,yBAAyBQ,sBAAoC;AAClE,QAAI,KAAKL,SAASI,YAAYN,UAAa,KAAKE,SAASI,UAAUI,0CAAkBC,YAAY;AAC/F,YAAM,IAAIG,MAAM,wDAAA;IAClB;;AACE,SAAKZ,SAAmDH,yBAAyBQ,oBAAAA;AACnF,WAAO;EACT;EAEO+B,gBAAgBC,aAA4B;AACjD,SAAKrC,SAASoC,gBAAgBC,WAAAA;AAC9B,WAAO;EACT;EACOC,mBAAmBhC,iBAA0C;AAClE,SAAKN,SAASsC,mBAAmBhC,eAAAA;AACjC,WAAO;EACT;EAEOiC,WAAWC,QAA0D;AAC1E,SAAKxC,SAASuC,WAAWC,MAAAA;AACzB,WAAO;EACT;EAEOC,oBAAoBC,iBAAoD;AAC7E,SAAK1C,SAASyC,oBAAoBC,eAAAA;AAClC,WAAO;EACT;EAEOC,UAAUC,aAA2B;AAC1C,SAAK5C,SAAS2C,UAAUC,WAAAA;AACxB,WAAO;EACT;EAEOC,sBAAsBC,UAAqC;AAChE,SAAK9C,SAAS6C,sBAAsBC,QAAAA;AACpC,WAAO;EACT;EAEOC,YAAY3C,SAAkC;AACnD,SAAKJ,SAAS+C,YAAY3C,OAAAA;AAC1B,WAAO;EACT;EAEO4C,QAAQ;AACb,WAAO,KAAKhD,SAASgD,MAAK;EAC5B;AACF;;;AG9MA,IAAAC,0BAsCO;AACP,IAAAC,qBAA0C;AAgB1C,IAAMC,WAASC,2BAAQC,QAAQC,IAAI,kBAAA;AAM5B,IAAMC,mBAAN,MAAMA,kBAAAA;EA7Db,OA6DaA;;;EACMC;EAEjB,YAAoB,EAClBC,iBACAC,UACAC,KACAC,KACAC,kBACAC,MACAC,sBACAC,aACAC,KACAC,kBACAC,qBACAC,0BACAC,2BACAC,iBAAgB,GAgBf;AACD,UAAMC,SAASV,qBAAqBJ,sBAAkBe,6DAAoCf,gBAAgBgB,gBAAgB,IAAIC;AAC9H,QAAI,CAACH,QAAQ;AACX,YAAMI,MAAM,qDAAA;IACd;AACA,SAAKnB,SAAS;MACZC;MACAI,kBAAkBU;MAClBZ;MACAC;;MAEAF,UAAUA,aAAaD,uBAAmBmB,+DAAsCnB,gBAAgBgB,gBAAgB,MAAMd,KAAKkB,MAAM,GAAA,EAAK,CAAA;MACtIf,MAAM;QAAEgB,UAAU;QAAOC,qBAAqBC,4CAAoBC;QAAM,GAAGnB;MAAK;MAChFM;MACAC;MACAL;MACAC;MACAC,kBAAkBA,kBAAkBgB,0BAA0BC,uBACzDjB,mBACAA;MACLC;MACAG;IACF;AAEA,QAAI,CAAC,KAAKd,OAAOY,0BAA0B;AACzC,WAAKZ,OAAOY,2BAA2B,KAAKgB,6BAA6BrB,oBAAAA;IAC3E;AACAZ,IAAAA,SAAOkC,MAAM,8BAA8BC,KAAKC,UAAU,KAAK/B,OAAOY,0BAA0B,MAAM,CAAA,CAAA,EAAI;EAC5G;EAEA,aAAoBoB,qBAAqB,EACvC7B,KACAC,KACA6B,wBACA/B,UACAG,kBACAC,MACAC,sBACA2B,+BACAxB,iBAAgB,GAWf;AACD,UAAMyB,SAAS,IAAIpC,kBAAiB;MAClCI;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL;MAC5CG;MACAC;MACAC;MACAG;IACF,CAAA;AACA,QAAIuB,2BAA2Bf,UAAae,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QAAIC,kCAAkChB,UAAagB,+BAA+B;AAChF,YAAMC,OAAOC,8BAA8B;QAAE7B;QAAsBD;MAAK,CAAA;IAC1E;AACA,WAAO6B;EACT;EAEA,aAAoBE,UAAU,EAAEC,MAAK,GAA0E;AAC7G,UAAMC,cAAc,OAAOD,UAAU,WAAWR,KAAKU,MAAMF,KAAAA,IAASA;AAEpE,WAAO,IAAIvC,kBAAiBwC,WAAAA;EAC9B;EAEA,aAAoBE,QAAQ,EAC1BC,KACAvC,KACAC,KACA6B,wBACA/B,UACAI,MACA4B,+BACA3B,sBACAoC,iBACAjC,iBAAgB,GAYY;AAC5B,UAAMkC,wBAAwB,MAAMC,sBAAsBJ,QAAQC,KAAK;MAAEI,SAASH;IAAgB,CAAA;AAClG,UAAMR,SAAS,IAAIpC,kBAAiB;MAClCE,iBAAiB2C;MACjBzC;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL,YAAY0C,sBAAsB1C;MAC9EI;MACAC;MACAG;IACF,CAAA;AAEA,QAAIuB,2BAA2Bf,UAAae,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QACEW,sBAAsBG,eAAeC,SAASC,sCAAcC,uBAAuB,MAClFhB,kCAAkChB,UAAagB,gCAChD;AACA,YAAMC,OAAOC,8BAA8B;QAAE7B;QAAsBD;MAAK,CAAA;AACxEX,MAAAA,SAAOkC,MAAM,8BAA8BM,OAAOnC,OAAOc,gBAAgB,EAAE;IAC7E;AAEA,WAAOqB;EACT;;;;;;;EAQA,MAAaC,8BAA8Be,MAA8F;AACvI,QAAI,CAAC,KAAKnD,OAAOc,kBAAkB;AACjC,WAAKsC,kBAAkBD,MAAM7C,IAAAA;AAC7B,WAAKN,OAAOY,2BAA2B,KAAKgB,6BAA6BuB,MAAM5C,oBAAAA;AAC/E,UAAI,CAAC,KAAKP,OAAOY,0BAA0B;AACzC,cAAMO,MAAM,mEAAmE;MACjF;AAIA,UACE,KAAKnB,OAAOU,kBAAkBgB,4BAC9B,4BAA4B,KAAK1B,OAAOU,iBAAiBgB,0BACzD;AACA,aAAK1B,OAAOU,iBAAiB2C,yBAAyB,KAAKrD,OAAOU,iBAAiBgB,yBAAyB2B;MAC9G;AACA,UAAI,KAAKC,QAAO,KAAMC,0CAAkBC,YAAY;AAClD,aAAKxD,OAAOc,mBAAmB,MAAM2C,qCAAqC;UACxEnD,MAAM,KAAKN,OAAOM;UAClBI,kBAAkB,KAAKA;UACvBH,sBAAsB,KAAKP,OAAOY;UAClCX,iBAAiB,KAAKA;UACtByD,sBAAsBC,OAAOC,OAAO,KAAKC,wBAAwB,IAAA,CAAA;QACnE,CAAA;MACF,OAAO;AACL,aAAK7D,OAAOc,mBAAmB,MAAMsB,8BAA8B;UACjE9B,MAAM,KAAKN,OAAOM;UAClBI,kBAAkB,KAAKA;UACvBH,sBAAsB,KAAKP,OAAOY;UAClCX,iBAAiB,KAAKA;UACtB6D,kCAAkC,KAAKD,wBAAwB,KAAA;QACjE,CAAA;MACF;IACF;AACA,WAAO,KAAK7D,OAAOc;EACrB;EAEA,MAAamB,yBAA0D;AACrE,SAAK8B,iBAAgB;AACrB,QAAI,CAAC,KAAK/D,OAAOU,kBAAkB;AACjC,UAAI,KAAKT,iBAAiB;AACxB,aAAKD,OAAOU,mBAAmB,MAAMsD,eAAeC,uCAAuC,KAAKhE,eAAe;MACjH,WAAW,KAAKD,OAAOK,kBAAkB;AACvC,aAAKL,OAAOU,mBAAmB,MAAMsD,eAAeE,oBAAoB,KAAKlE,OAAOK,gBAAgB;MACtG,OAAO;AACL,cAAMc,MAAM,oFAAoF;MAClG;IACF;AAEA,WAAO,KAAKT;EACd;EAEQ0C,kBAAkB9C,MAAiB;AACzC,SAAKN,OAAOM,OAAO6D,wBAAwB;MAAE,GAAG,KAAKnE,OAAOM;MAAM,GAAGA;IAAK,CAAA;EAC5E;EAEA,MAAa8D,kCAAkCjB,MAAuF;AACpI,UAAMkB,WAAW,MAAMC,sCAAsC;MAC3DC,UAAU,KAAK7D;MACfL,kBAAkB,KAAKmE,UAAS;MAChCtE,UAAU,KAAKF,OAAOE,YAAY,KAAKF,OAAOY,0BAA0BV;MACxE,GAAGiD;IACL,CAAA;AAEA,QAAIkB,SAASI,WAAW;AACtB9E,MAAAA,SAAOkC,MAAM;EAAgCC,KAAKC,UAAUsC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAMC,QAAQL,SAASI;AACvB,aAAOE,QAAQC,OAAOF,KAAAA;IACxB,WAAW,CAACL,SAASQ,aAAa;AAChClF,MAAAA,SAAOkC,MAAM,2CAA2C;AACxD,aAAO8C,QAAQC,OACbzD,MACE,+CAA+C,KAAKnB,OAAOU,kBAAkBoE,gCAAAA,eAA+C,KAAKN,UAAS,CAAA,+CAAiD,CAAA;IAGjM;AAEA,WAAO;MAAE,GAAGH,SAASQ;IAAY;EACnC;EAEA,MAAaE,mBACX5B,MAKgE;AAChE,UAAM,EAAE6B,KAAK9E,WAAW,KAAKF,OAAOE,YAAY,KAAKF,OAAOY,0BAA0BV,SAAQ,IAAKiD,QAAQ,CAAC;AAC5G,QAAI,EAAE8B,YAAW,IAAK9B,QAAQ,CAAC;AAE/B,UAAM+B,OAAO,KAAKC,qBAAqBhC,MAAMiC,uBAAuBjC,MAAM+B,IAAAA;AAE1E,QAAI/B,MAAMkC,cAAc;AACtB,WAAKrF,OAAOM,KAAK+E,eAAelC,KAAKkC;IACvC;AACA,SAAKtB,iBAAgB;AAErB,UAAMuB,SAAkC;MAAE,GAAGnC,MAAMmC;IAAO;AAC1D,UAAMnF,MAAMmF,OAAOC,YAAYpF,OAAO,KAAKH,OAAOG,OAAO,KAAKH,OAAOY,0BAA0B4E,mBAAmBrF;AAClH,UAAMsF,sBACJH,OAAOC,YAAYE,wBAClBtF,OAAOD,YAAY,OAAOoF,OAAOC,YAAYG,eAAeC,iBAAiB,aAC1E,2DACAzE;AACN,QAAI,KAAK0E,OAAM,KAAO1F,YAAYC,KAAM;AACtC,UAAI,CAACD,UAAU;AACb,cAAMiB,MAAM,6BAA6B;MAC3C;AACAmE,aAAOC,aAAa;QAClB,GAAGD,OAAOC;QACVrF;QACA,GAAIC,OAAO;UAAEA;QAAI;QACjB,GAAIsF,uBAAuB;UAAEA;QAAoB;QACjDC,eAAeJ,OAAOC,YAAYG,iBAAiB,KAAK1F,OAAOY,0BAA0B4E,mBAAmBE;MAC9G;IACF;AAEA,QAAIxF,UAAU;AACZ,WAAKF,OAAOE,WAAWA;AACvB,UAAI,CAACoF,OAAOC,YAAY;AACtBD,eAAOC,aAAa;UAAErF;QAAS;MACjC;AACAoF,aAAOC,WAAWrF,WAAWA;IAC/B;AACA,QAAI,CAAC,KAAKF,OAAOW,qBAAqB;AACpC,YAAMkF,oBAAoB,KAAKvC,QAAO,KAAMC,0CAAkBuC,aAAa,IAAIC,yBAAAA,IAA6B,IAAIC,kBAAAA;AAEhH,UAAIf,eAAeA,gBAAgB,KAAKjF,OAAOY,0BAA0BqE,aAAa;AACpFgB,gBAAQC,IACN,+CAA+CjB,WAAAA,gCAA2C,KAAKjF,OAAOY,0BAA0BqE,WAAAA,wDAAmE;MAEvM;AACA,UAAI,KAAKjF,OAAOY,0BAA0BqE,eAAe,CAACA,aAAa;AACrEA,sBAAc,KAAKjF,OAAOY,yBAAyBqE;MACrD;AAEA,YAAMZ,WAAW,MAAMwB,kBAAkBd,mBAAmB;QAC1D9E,iBAAiB,KAAKA;QACtBsE,UAAU,KAAK7D;QACfL,kBAAkB,KAAKmE,UAAS;QAChCQ;QACA,GAAI,CAAC,KAAKhF,OAAOM,KAAKgB,YAAY;UAAE+D,cAAc,KAAKrF,OAAOM,KAAK+E;QAAa;QAChFH;QACAD;QACAK;QACA,GAAInC,MAAMgD,kBAAkB;UAAEA,gBAAgBhD,KAAKgD;QAAe;QAClE,GAAIhD,MAAMiD,2BAA2B;UAAEC,kBAAkBlD,KAAKiD;QAAwB;MACxF,CAAA;AAEA,UAAI/B,SAASI,WAAW;AACtB9E,QAAAA,SAAOkC,MAAM;EAA0BC,KAAKC,UAAUsC,SAASI,SAAS,CAAA,EAAG;AAC3E,cAAMtD,MACJ,mCAAmC,KAAKnB,OAAOU,kBAAkB4F,cAAAA,eAA6B,KAAK9B,UAAS,CAAA,wBAC1GH,SAASkC,aAAaC,MAAM,EAC5B;MAEN,WAAW,CAACnC,SAASQ,aAAa;AAChClF,QAAAA,SAAOkC,MAAM,qCAAqC;AAClD,cAAMV,MACJ,mCACE,KAAKnB,OAAOU,kBAAkB4F,cAAAA,eACjB,KAAK9B,UAAS,CAAA,+CAAiD;MAElF;AACA,WAAKxE,OAAOW,sBAAsB0D,SAASQ;AAC3C,WAAK7E,OAAOyG,qBAAqBpC,SAASqC;AAC1C,WAAK1G,OAAOQ,cAAc6D,SAASQ,YAAY8B;IACjD;AAEA,WAAO;MAAE,GAAG,KAAKhG;MAAqB,GAAI,KAAK8F,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;IAAG;EAC5G;EAEA,MAAaG,mBAAmB,EAC9BC,iBACAC,SACAC,gBACAC,QACA7G,KACAM,KACAL,KACA6G,KACAC,yBACAC,gCACAhB,eAAc,GAcwE;AACtF,QAAI;MAAC1F;MAAKN;MAAKiH,OAAO,CAACC,MAAMA,MAAMnG,MAAAA,EAAWoG,SAAS,GAAG;AACxD,YAAM,IAAInG,MAAMoG,4CAAoB,UAAU9G,QAAQS,MAAAA,UAAmBf,QAAQe,MAAAA,EAAW;IAC9F;AAEA,QAAId,IAAK,MAAKJ,OAAOI,MAAMA;AAC3B,QAAIK,IAAK,MAAKT,OAAOS,MAAMA;AAC3B,QAAIN,IAAK,MAAKH,OAAOG,MAAMA;AAE3B,QAAIqH;AACJ,QAAI,KAAKlE,QAAO,IAAKC,0CAAkBkE,YAAY;AACjDD,uBAAiB,KAAKvH,kBAClByH,sCAAsCC,oBAAoB;QACxD1H,iBAAiB,KAAKA;QACtBsE,UAAU,KAAK7D;MACjB,CAAA,IACAgH,sCAAsC1F,qBAAqB;QACzD3B,kBAAkB,KAAKmE,UAAS;QAChCqC;QACAtC,UAAU,KAAK7D;QACf4C,SAAS,KAAKA,QAAO;MACvB,CAAA;IACN,OAAO;AACLkE,uBAAiB,KAAKvH,kBAClB2H,sCAAsCD,oBAAoB;QACxD1H,iBAAiB,KAAKA;QACtBsE,UAAU,KAAK7D;MACjB,CAAA,IACAkH,sCAAsC5F,qBAAqB;QACzD3B,kBAAkB,KAAKmE,UAAS;QAChCqC;QACAtC,UAAU,KAAK7D;QACf4C,SAAS,KAAKA,QAAO;MACvB,CAAA;IACN;AAEA,UAAMuE,cACJ,KAAKC,yBAAwB,EAAG9E,SAASC,sCAAcC,uBAAuB,KAC9E,KAAKlD,OAAOa,6BACZ,CAAC,KAAKF,qBAAqBoH,WAC3B,KAAK/H,OAAOC,iBAAiB4H,cACzB,KAAK7H,OAAOC,gBAAgB4H,cAC5B3G;AACNsG,mBAAeQ,gBAAgBH,WAAAA;AAE/BL,mBAAeS,sBAAsB,KAAKtH,mBAAmB;AAC7D6G,mBAAeU,4BAA4BhB,2BAA2B,OAAOC,8BAAAA;AAC7E,QAAIgB;AACJ,QAAI,KAAKzH,kBAAkBgB,0BAA0B;AACnD,YAAM6C,WAAW,KAAK7D,iBAAiBgB;AACvC,YAAM0G,QAAQC,MAAMC,QAAQzB,eAAAA,IAAmBA,kBAAkB;QAACA;;AAElE,UAAItC,SAASgE,yBAAyBF,MAAMC,QAAQ/D,SAASgE,qBAAqB,GAAG;AACnF,YAAIC,gBAAgB;AAEpBjE,iBAASgE,sBAAsBE,QAAQ,CAACC,wBAAAA;AACtC,gBAAMC,eAAWC,yDAAgCF,mBAAAA;AACjD,cACEC,SAASE,MAAM,CAACC,GAAGC,MAAMX,MAAMW,CAAAA,MAAOD,CAAAA,KACrCV,MAAMd,WAAW,MAAMc,MAAM,CAAA,MAAOM,oBAAoBM,MAAML,SAAS3F,SAASoF,MAAM,CAAA,CAAE,IACzF;AACAI,4BAAgB;AAChB,gBAAIE,oBAAoBO,6BAA6B;AACnDd,gCAAkB;gBAAEc,6BAA6BP,oBAAoBO;cAA4B;YACnG;UACF;QACF,CAAA;AAEA,YAAI,CAACT,eAAe;AAClBvC,kBAAQC,IAAI,4BAA4BpE,KAAKC,UAAU8E,eAAAA,CAAAA,gCAAgD,KAAKrC,UAAS,CAAA,EAAI;QAE3H;MACF,WAAWD,SAASgE,yBAAyB,CAACF,MAAMC,QAAQ/D,SAASgE,qBAAqB,GAAG;AAC3F,cAAM7E,uBAAuBa,SAASgE;AACtC,YAAIH,MAAMc,KAAK,CAACC,SAAS,CAAC5E,SAASgE,yBAAyB,CAAC7E,qBAAqByF,IAAAA,CAAK,GAAG;AACxF,gBAAMhI,MAAM,4BAA4BW,KAAKC,UAAU8E,eAAAA,CAAAA,4BAA4C,KAAKrC,UAAS,CAAA,EAAI;QACvH;MACF;IAEF;AACA,QAAI2D,iBAAiB;AACnBX,qBAAe4B,oBAAoBjB,eAAAA;IACrC;AAEA,UAAMkB,0BAA0B7B,eAAe8B,MAAK;AACpD,UAAMC,eAAeC,yBAAyBC,wBAAwB;MACpE9I,qBAAqB,KAAKA;MAC1B+I,WAAW3C;MACXzD,SAAS,KAAKA,QAAO;IACvB,CAAA,EACGqG,WAAW,KAAKnF,UAAS,CAAA,EACzBoF,QAAQ,KAAKxJ,GAAG;AAEnB,QAAI,KAAKJ,OAAOS,KAAK;AACnB8I,mBAAaM,QAAQ,KAAK7J,OAAOS,GAAG;IACtC;AACA,QAAI,KAAKT,OAAOG,KAAK;AACnBoJ,mBAAaO,QAAQ,KAAK9J,OAAOG,GAAG;IACtC;AAEA,QAAI,KAAKD,UAAU;AACjBqJ,mBAAaQ,aAAa,KAAK7J,QAAQ;IACzC;AACA,QAAI+G,KAAK;AACPsC,mBAAaS,QAAQ/C,GAAAA;IACvB;AACA,UAAM5C,WAAW,MAAMgF,wBAAwBY,6BAA6B;MAC1EC,YAAYX;MACZ1C;MACAC;MACAE;MACAmB;MACAhC;IACF,CAAA;AACA,SAAKnG,OAAOyG,qBAAqBpC,SAASqC;AAC1C,QAAIrC,SAASI,WAAW;AACtB9E,MAAAA,SAAOkC,MAAM;EAAgCC,KAAKC,UAAUsC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAMtD,MACJ,gCAAgC,KAAKnB,OAAOU,kBAAkByJ,mBAAAA,eAAkC,KAAK3F,UAAS,CAAA,wBAC5GH,SAASkC,aAAaC,MAAM,EAC5B;IAEN,WAAW,CAACnC,SAASQ,aAAa;AAChClF,MAAAA,SAAOkC,MAAM,2CAA2C;AACxD,YAAMV,MACJ,gCACE,KAAKnB,OAAOU,kBAAkByJ,mBAAAA,eACjB,KAAK3F,UAAS,CAAA,+CAAiD;IAElF;AACA,WAAO;MAAE,GAAGH,SAASQ;MAAa,GAAI,KAAK4B,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;MAAIE,cAActC,SAASsC;IAAa;EAC7I;EAEA,MAAayD,cAA+B;AAC1C,WAAOtI,KAAKC,UAAU,KAAK/B,MAAM;EACnC;EAEA6D,wBACEwG,2BACArD,QACmG;AACnG,eAAOsD,iDAAwB;MAC7BC,gBAAgB,KAAK7J,iBAAiBgB;MACtC4B,SAAS,KAAKA,QAAO;MACrB0D;MACAoB,OAAOiC,4BAA4B,KAAKG,wBAAuB,IAAKtJ;IACtE,CAAA;EACF;EAEA,MAAauJ,iBACXC,uBACAC,SACAnK,aACqC;AACrC,WAAOiK,iBAAiBC,uBAAuBC,SAASnK,eAAe,KAAKR,OAAOQ,eAAe,KAAKR,OAAOW,qBAAqBgG,YAAAA;EACrI;EAEA6D,0BAAkD;AAChD,QAAI,CAAC,KAAKvK,iBAAiB;AACzB,aAAO,CAAA;IACT,WAAW,KAAKqD,QAAO,IAAKC,0CAAkBC,YAAY;AACxD,YAAMoH,OAAO,KAAK3K,gBAAgB4K;AAClC,YAAMzC,QAAkB,OAAOwC,KAAKE,oBAAoB,WAAW;QAACF,KAAKE;UAAmBF,KAAKE;AACjG,YAAMC,SAAqB,CAAA;AAC3BA,aAAO,CAAA,IAAK3C;AACZ,aAAO2C;IACT,WAAW,KAAKzH,QAAO,IAAKC,0CAAkBkE,YAAY;AACxD,aAAQ,KAAKxH,gBAAgBgB,iBAAmD+J,YAAYC,IAAI,CAACC,UAAMC,4CAAmBD,CAAAA,KAAM,CAAA,CAAE;IACpI;AAEA,WAAOhK;EACT;EAEA4G,2BAA4C;AAC1C,WACE,KAAK7H,iBAAiB8C,mBACpB,KAAK/C,OAAOU,kBAAkBgB,0BAA0B2B,0BAA0B,KAAKrD,OAAOU,kBAAkBiB,uBAC9G;MAACsB,sCAAcC;QACf,CAAA;EAER;EAEAkI,oBAAoBC,UAAkC;AACpD,WAAO,KAAKvD,yBAAwB,EAAG9E,SAASqI,QAAAA;EAClD;EAEA,IAAIvK,mBAAuC;AACzC,WAAO,KAAKd,OAAOc;EACrB;EAEOwK,sBAA+B;AACpC,WAAO,CAAC,CAAC,KAAKxK;EAChB;EAEA,IAAIb,kBAAiE;AACnE,WAAO,KAAKD,OAAOC;EACrB;EAEOqD,UAA6B;AAClC,QAAI,KAAKrD,iBAAiBqD,WAAW,KAAKrD,gBAAgBqD,YAAYC,0CAAkBgI,aAAa;AACnG,aAAO,KAAKtL,gBAAgBqD;IAC9B;AACA,UAAMiB,WAAW,KAAKvE,OAAOU;AAC7B,QAAI6D,UAAU7C,0BAA0B;AACtC,YAAM8J,eAAWC,6DAAoClH,SAAS7C,wBAAwB;AACtF,UAAI8J,SAASlE,SAAS,KAAK,CAACkE,SAASxI,SAASO,0CAAkBgI,WAAW,GAAG;AAC5E,eAAOC,SAAS,CAAA;MAClB;IACF;AACA,WAAOjI,0CAAkBkE;EAC3B;EAEA,IAAW/G,mBAA2C;AACpD,SAAKgL,qBAAoB;AAEzB,WAAO,KAAK1L,OAAOU;EACrB;EAEA,IAAIP,MAAc;AAChB,SAAK4D,iBAAgB;AACrB,QAAI,CAAC,KAAK/D,OAAOG,KAAK;AACpB,YAAM,IAAIgB,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKnB,OAAOG;EACrB;EAEA,IAAIC,MAAc;AAChB,SAAK2D,iBAAgB;AACrB,QAAI,CAAC,KAAK/D,OAAOI,KAAK;AACpB,YAAM,IAAIe,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKnB,OAAOI;EACrB;EAEA,IAAIF,SAASyL,OAA2B;AACtC,SAAK3L,OAAOE,WAAWyL;EACzB;EAEA,IAAIzL,WAA+B;AACjC,WAAO,KAAKF,OAAOE;EACrB;EAEO0L,yBAAkC;AACvC,WAAO,CAAC,CAAC,KAAK5L,OAAOW;EACvB;EAEA,IAAIA,sBAA2C;AAC7C,SAAKkL,kBAAiB;AAEtB,WAAO,KAAK7L,OAAOW;EACrB;EAEA,IAAI8F,qBAAqD;AACvD,WAAO,KAAKzG,OAAOyG;EACrB;EAEOjC,YAAoB;AACzB,SAAKT,iBAAgB;AACrB,WAAO,KAAK/D,OAAOK;EACrB;EAEOyL,yBAAiC;AACtC,SAAK/H,iBAAgB;AACrB,QAAI,KAAKrD,kBAAkB;AACzB,aAAO,KAAKA,iBAAiB4F;IAC/B;AACA,WAAO,KAAKhD,QAAO,KAAMC,0CAAkBuC,aACvCC,yBAAyBgG,kBAAkB;MAAEC,YAAY;QAAEjL,QAAQ,KAAKyD,UAAS;MAAG;IAAE,CAAA,IACtFwB,kBAAkB+F,kBAAkB;MAAEC,YAAY;QAAEjL,QAAQ,KAAKyD,UAAS;MAAG;IAAE,CAAA;EACrF;EAEOyH,wBAAgC;AACrC,SAAKlI,iBAAgB;AACrB,WAAO,KAAKrD,mBAAmB,KAAKA,iBAAiByJ,sBAAsB,GAAG,KAAK3F,UAAS,CAAA;EAC9F;EAEO0H,oCAAwD;AAC7D,SAAKnI,iBAAgB;AACrB,WAAO,KAAKrD,kBAAkBoE;EAChC;EAEOqH,oCAA6C;AAClD,WAAO,CAAC,CAAC,KAAKD,kCAAiC;EACjD;EAEOE,gCAAyC;AAC9C,WAAO,CAAC,CAAC,KAAKN,uBAAsB;EACtC;EAEOO,gCAAwC;AAC7C,SAAKtI,iBAAgB;AACrB,WAAO,KAAKrD,mBAAmB,KAAKA,iBAAiByJ,sBAAsB,GAAG,KAAK3F,UAAS,CAAA;EAC9F;;;;EAKOoB,SAAS;AACd,QACE,KAAK3F,mBACJ,KAAKA,iBAAiBgB,kBAAoD+J,aAAasB,KACtF,CAACC;;;MAGC,OAAOA,SAAS,YAAY,qBAAqBA,QAAQ,UAAUA,KAAKC,mBAAmBD,KAAKC,gBAAgBC,KAAKzJ,SAAS,MAAA;KAAA,GAElI;AACA,aAAO;IACT;AAEA,WACE,KAAK9C,UAAU8C,SAAS,MAAA,KACxB,KAAKhD,OAAOG,KAAK6C,SAAS,WAAA,KAC1B,KAAKwB,UAAS,EAAGxB,SAAS,MAAA,KAC1B,KAAKtC,iBAAiBgB,0BAA0B2B,wBAAwBL,SAAS,SAAA,KACjF,KAAKtC,iBAAiBgB,0BAA0BC,sBAAsBqB,SAAS,SAAA;EAEnF;EAEQe,mBAAyB;AAC/B,QAAI,CAAC,KAAK/D,OAAOK,kBAAkB;AACjC,YAAMc,MAAM,oCAAoC;IAClD,WAAW,CAAC,KAAKnB,OAAOC,mBAAmB,KAAKD,OAAOU,oBAAoB,KAAKoH,yBAAwB,EAAGR,WAAW,GAAG;AACvH,YAAMnG,MAAM,oDAAoD;IAClE;EACF;EAEQuK,uBAA6B;AACnC,QAAI,CAAC,KAAK1L,OAAOU,kBAAkB;AACjC,YAAMS,MAAM,oBAAA;IACd;EACF;EAEQ0K,oBAA0B;AAChC,QAAI,CAAC,KAAK7L,OAAOW,qBAAqB;AACpC,YAAMQ,MAAM,yBAAyB;IACvC;EACF;EAEQS,6BAA6BuB,MAA2D;AAC9F,UAAMqC,oBAAoB;MAAE,GAAG,KAAKxF,QAAQY,0BAA0B4E;MAAmB,GAAGrC,MAAMqC;IAAkB;AACpH,QAAI5E,2BAA2B;MAC7B,GAAG,KAAKZ,QAAQY;MAChB,GAAGuC;MACH,GAAIqC,qBAAqB;QAAEA;MAAkB;IAC/C;AACA,QAAI,CAAC5E,0BAA0B;AAI7BA,iCAA2B;QAAEqE,aAAa,GAAGyH,0CAAkBC,gBAAgB;MAAM;IACvF;AACA,UAAMzM,WAAWU,yBAAyBV,YAAY,KAAKF,OAAOE;AAElE,SAAKF,OAAOE,WAAWA;AACvBU,6BAAyBV,WAAWA;AACpC,WAAOU;EACT;EAEQuE,uBAAuB,wBAC7BC,uBACAF,SAAAA;AAEA,QAAIE,uBAAuB;AACzB,WAAKpF,OAAOa,4BAA4B;QAAE,OAAG+L,wDAA+BxH,qBAAAA;MAAuB;IACrG,WAAWF,MAAM;AACf,WAAKlF,OAAOa,4BAA4B;QAAEqE;MAAK;IACjD;AAEA,WACG,KAAKlF,OAAOa,2BAAqDqE,QACjE,KAAKlF,OAAOa,2BAAkEgM;EAEnF,GAd+B;AAejC;;;AC1xBA,IAAAC,0BAgCO;AACP,IAAAC,qBAA0C;AAW1C,IAAMC,WAASC,2BAAQC,QAAQC,IAAI,kBAAA;AAoB5B,IAAMC,0BAAN,MAAMA,yBAAAA;EAhEb,OAgEaA;;;EACMC;EAEjB,YAAoB,EAClBC,iBACAC,UACAC,KACAC,KACAC,kBACAC,MACAC,sBACAC,aACAC,KACAC,kBACAC,qBACAC,0BACAC,2BACAC,iBAAgB,GAgBf;AACD,UAAMC,SAASV,qBAAqBJ,sBAAkBe,6DAAoCf,gBAAgBgB,gBAAgB,IAAIC;AAC9H,QAAI,CAACH,QAAQ;AACX,YAAMI,MAAM,qDAAA;IACd;AACA,SAAKnB,SAAS;MACZC;MACAI,kBAAkBU;MAClBZ;MACAC;;MAEAF,UAAUA,aAAaD,uBAAmBmB,+DAAsCnB,gBAAgBgB,gBAAgB,MAAMd,KAAKkB,MAAM,GAAA,EAAK,CAAA;MACtIf,MAAM;QAAEgB,UAAU;QAAOC,qBAAqBC,4CAAoBC;QAAM,GAAGnB;MAAK;MAChFM;MACAC;MACAL;MACAC;MACAC;MACAC;MACAG;IACF;AAEA,QAAI,CAAC,KAAKd,OAAOY,0BAA0B;AACzC,WAAKZ,OAAOY,2BAA2B,KAAKc,6BAA6BnB,oBAAAA;IAC3E;AACAZ,IAAAA,SAAOgC,MAAM,8BAA8BC,KAAKC,UAAU,KAAK7B,OAAOY,0BAA0B,MAAM,CAAA,CAAA,EAAI;EAC5G;EAEA,aAAoBkB,qBAAqB,EACvC3B,KACAC,KACA2B,wBACA7B,UACAG,kBACAC,MACAC,sBACAyB,8BAA6B,GAU5B;AACD,UAAMC,SAAS,IAAIlC,yBAAwB;MACzCI;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL;MAC5CG;MACAC;MACAC;IACF,CAAA;AACA,QAAIwB,2BAA2Bb,UAAaa,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QAAIC,kCAAkCd,UAAac,+BAA+B;AAChF,YAAMC,OAAOC,8BAA8B;QAAE3B;QAAsBD;MAAK,CAAA;IAC1E;AACA,WAAO2B;EACT;EAEA,aAAoBE,UAAU,EAAEC,MAAK,GAAwF;AAC3H,UAAMC,cAAc,OAAOD,UAAU,WAAWR,KAAKU,MAAMF,KAAAA,IAASA;AAEpE,WAAO,IAAIrC,yBAAwBsC,WAAAA;EACrC;EAEA,aAAoBE,QAAQ,EAC1BC,KACArC,KACAC,KACA2B,wBACA7B,UACAI,MACA0B,+BACAzB,sBACAkC,gBAAe,GAWoB;AACnC,UAAMC,wBAAwB,MAAMC,sBAAsBJ,QAAQC,KAAK;MAAEI,SAASH;IAAgB,CAAA;AAClG,UAAMR,SAAS,IAAIlC,yBAAwB;MACzCE,iBAAiByC;MACjBvC;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL,YAAYwC,sBAAsBxC;MAC9EI;MACAC;IACF,CAAA;AAEA,QAAIwB,2BAA2Bb,UAAaa,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QACEW,sBAAsBG,eAAeC,SAASC,sCAAcC,uBAAuB,MAClFhB,kCAAkCd,UAAac,gCAChD;AACA,YAAMC,OAAOC,8BAA8B;QAAE3B;QAAsBD;MAAK,CAAA;AACxEX,MAAAA,SAAOgC,MAAM,8BAA8BM,OAAOjC,OAAOc,gBAAgB,EAAE;IAC7E;AAEA,WAAOmB;EACT;;;;;;;EAQA,MAAaC,8BAA8Be,MAA8F;AACvI,QAAI,CAAC,KAAKjD,OAAOc,kBAAkB;AACjC,WAAKoC,kBAAkBD,MAAM3C,IAAAA;AAC7B,WAAKN,OAAOY,2BAA2B,KAAKc,6BAA6BuB,MAAM1C,oBAAAA;AAC/E,UAAI,CAAC,KAAKP,OAAOY,0BAA0B;AACzC,cAAMO,MAAM,mEAAmE;MACjF;AAIA,UACE,KAAKnB,OAAOU,kBAAkByC,4BAC9B,4BAA4B,KAAKnD,OAAOU,iBAAiByC,0BACzD;AACA,aAAKnD,OAAOU,iBAAiB0C,yBAAyB,KAAKpD,OAAOU,iBAAiByC,yBAAyBC;MAC9G;AACA,WAAKpD,OAAOc,mBAAmB,MAAMoB,8BAA8B;QACjE5B,MAAM,KAAKN,OAAOM;QAClBI,kBAAkB,KAAKA;QACvBH,sBAAsB,KAAKP,OAAOY;QAClCX,iBAAiB,KAAKA;QACtBoD,kCAAkC,KAAKC,wBAAuB;QAC9DC,SAAS,KAAKA,QAAO;MACvB,CAAA;IACF;AACA,WAAO,KAAKvD,OAAOc;EACrB;EAEA,MAAaiB,yBAAiE;AAC5E,SAAKyB,iBAAgB;AACrB,QAAI,CAAC,KAAKxD,OAAOU,kBAAkB;AACjC,UAAI,KAAKT,iBAAiB;AACxB,aAAKD,OAAOU,mBAAmB,MAAM+C,sBAAsBC,uCAAuC,KAAKzD,eAAe;MACxH,WAAW,KAAKD,OAAOK,kBAAkB;AACvC,aAAKL,OAAOU,mBAAmB,MAAM+C,sBAAsBE,oBAAoB,KAAK3D,OAAOK,gBAAgB;MAC7G,OAAO;AACL,cAAMc,MAAM,oFAAoF;MAClG;IACF;AAEA,WAAO,KAAKT;EACd;EAEQwC,kBAAkB5C,MAAiB;AACzC,SAAKN,OAAOM,OAAOsD,wBAAwB;MAAE,GAAG,KAAK5D,OAAOM;MAAM,GAAGA;IAAK,CAAA;EAC5E;EAEA,MAAauD,kCAAkCZ,MAAuF;AACpI,UAAMa,WAAW,MAAMC,sCAAsC;MAC3DC,UAAU,KAAKtD;MACfL,kBAAkB,KAAK4D,UAAS;MAChC/D,UAAU,KAAKF,OAAOE,YAAY,KAAKF,OAAOY,0BAA0BV;MACxE,GAAG+C;IACL,CAAA;AAEA,QAAIa,SAASI,WAAW;AACtBvE,MAAAA,SAAOgC,MAAM;EAAgCC,KAAKC,UAAUiC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAMC,QAAQL,SAASI;AACvB,aAAOE,QAAQC,OAAOF,KAAAA;IACxB,WAAW,CAACL,SAASQ,aAAa;AAChC3E,MAAAA,SAAOgC,MAAM,2CAA2C;AACxD,aAAOyC,QAAQC,OACblD,MACE,+CAA+C,KAAKnB,OAAOU,kBAAkB6D,gCAAAA,eAA+C,KAAKN,UAAS,CAAA,+CAAiD,CAAA;IAGjM;AAEA,WAAO;MAAE,GAAGH,SAASQ;IAAY;EACnC;EAEA,MAAaE,mBACXvB,MAKgE;AAChE,UAAM,EAAEwB,KAAKvE,WAAW,KAAKF,OAAOE,YAAY,KAAKF,OAAOY,0BAA0BV,SAAQ,IAAK+C,QAAQ,CAAC;AAC5G,QAAI,EAAEyB,YAAW,IAAKzB,QAAQ,CAAC;AAE/B,UAAM0B,OAAO,KAAKC,qBAAqB3B,MAAM4B,uBAAuB5B,MAAM0B,IAAAA;AAE1E,QAAI1B,MAAM6B,cAAc;AACtB,WAAK9E,OAAOM,KAAKwE,eAAe7B,KAAK6B;IACvC;AACA,SAAKtB,iBAAgB;AACrB,UAAMuB,SAAkC;MAAE,GAAG9B,MAAM8B;IAAO;AAC1D,UAAM5E,MAAM4E,OAAOC,YAAY7E,OAAO,KAAKH,OAAOG,OAAO,KAAKH,OAAOY,0BAA0BqE,mBAAmB9E;AAClH,UAAM+E,sBACJH,OAAOC,YAAYE,wBAClB/E,OAAOD,YAAY,OAAO6E,OAAOC,YAAYG,eAAeC,iBAAiB,aAC1E,2DACAlE;AACN,QAAI,KAAKmE,OAAM,KAAOnF,YAAYC,KAAM;AACtC,UAAI,CAACD,UAAU;AACb,cAAMiB,MAAM,6BAA6B;MAC3C;AACA4D,aAAOC,aAAa;QAClB,GAAGD,OAAOC;QACV9E;QACA,GAAIC,OAAO;UAAEA;QAAI;QACjB,GAAI+E,uBAAuB;UAAEA;QAAoB;QACjDC,eAAeJ,OAAOC,YAAYG,iBAAiB,KAAKnF,OAAOY,0BAA0BqE,mBAAmBE;MAC9G;IACF;AAEA,QAAIjF,UAAU;AACZ,WAAKF,OAAOE,WAAWA;AACvB,UAAI,CAAC6E,OAAOC,YAAY;AACtBD,eAAOC,aAAa;UAAE9E;QAAS;MACjC;AACA6E,aAAOC,WAAW9E,WAAWA;IAC/B;AACA,QAAI,CAAC,KAAKF,OAAOW,qBAAqB;AACpC,YAAM2E,oBAAoB,IAAIC,kBAAAA;AAE9B,UAAIb,eAAeA,gBAAgB,KAAK1E,OAAOY,0BAA0B8D,aAAa;AACpFc,gBAAQC,IACN,+CAA+Cf,WAAAA,gCAA2C,KAAK1E,OAAOY,0BAA0B8D,WAAAA,wDAAmE;MAEvM;AACA,UAAI,KAAK1E,OAAOY,0BAA0B8D,eAAe,CAACA,aAAa;AACrEA,sBAAc,KAAK1E,OAAOY,yBAAyB8D;MACrD;AACA,YAAMZ,WAAW,MAAMwB,kBAAkBd,mBAAmB;QAC1DvE,iBAAiB,KAAKA;QACtB+D,UAAU,KAAKtD;QACfL,kBAAkB,KAAK4D,UAAS;QAChCQ;QACA,GAAI,CAAC,KAAKzE,OAAOM,KAAKgB,YAAY;UAAEwD,cAAc,KAAK9E,OAAOM,KAAKwE;QAAa;QAChFH;QACAD;QACAK;QACA,GAAI9B,MAAMyC,kBAAkB;UAAEA,gBAAgBzC,KAAKyC;QAAe;QAClE,GAAIzC,MAAM0C,2BAA2B;UAAEC,kBAAkB3C,KAAK0C;QAAwB;MACxF,CAAA;AAEA,UAAI7B,SAASI,WAAW;AACtBvE,QAAAA,SAAOgC,MAAM;EAA0BC,KAAKC,UAAUiC,SAASI,SAAS,CAAA,EAAG;AAC3E,cAAM/C,MACJ,mCAAmC,KAAKnB,OAAOU,kBAAkBmF,cAAAA,eAA6B,KAAK5B,UAAS,CAAA,wBAC1GH,SAASgC,aAAaC,MAAM,EAC5B;MAEN,WAAW,CAACjC,SAASQ,aAAa;AAChC3E,QAAAA,SAAOgC,MAAM,qCAAqC;AAClD,cAAMR,MACJ,mCACE,KAAKnB,OAAOU,kBAAkBmF,cAAAA,eACjB,KAAK5B,UAAS,CAAA,+CAAiD;MAElF;AACA,WAAKjE,OAAOW,sBAAsBmD,SAASQ;AAC3C,WAAKtE,OAAOgG,qBAAqBlC,SAASmC;AAC1C,WAAKjG,OAAOQ,cAAcsD,SAASQ,YAAY4B;IACjD;AAEA,WAAO;MAAE,GAAG,KAAKvF;MAAqB,GAAI,KAAKqF,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;IAAG;EAC5G;EAEA,MAAaG,+BAA+BC,MAae;AACzD,WAAO,MAAM,KAAKC,uBAAuBD,IAAAA;EAC3C;EACA,MAAaE,mBAAmBF,MAc2B;AACzD,WAAO,MAAM,KAAKC,uBAAuBD,IAAAA;EAC3C;EAEA,MAAcC,uBAAuB,EACnCE,sBACAC,iBACAC,SACAC,gBACAC,QACAxG,KACAM,KACAL,KACAwG,KACAC,yBACAC,gCACApB,eAAc,GAe2C;AACzD,QAAI;MAACjF;MAAKN;MAAK4G,OAAO,CAACC,MAAMA,MAAM9F,MAAAA,EAAW+F,SAAS,GAAG;AACxD,YAAM,IAAI9F,MAAM+F,4CAAoB,UAAUzG,QAAQS,MAAAA,UAAmBf,QAAQe,MAAAA,EAAW;IAC9F;AAEA,QAAId,IAAK,MAAKJ,OAAOI,MAAMA;AAC3B,QAAIK,IAAK,MAAKT,OAAOS,MAAMA;AAC3B,QAAIN,IAAK,MAAKH,OAAOG,MAAMA;AAE3B,UAAMgH,iBAAiB,KAAKlH,kBACxBmH,sCAAsCC,oBAAoB;MACxDpH,iBAAiB,KAAKA;MACtB+D,UAAU,KAAKtD;IACjB,CAAA,IACA0G,sCAAsCtF,qBAAqB;MACzDzB,kBAAkB,KAAK4D,UAAS;MAChCsC;MACAvC,UAAU,KAAKtD;MACf6C,SAAS,KAAKA,QAAO;IACvB,CAAA;AAEJ,UAAM+D,cACJ,KAAKC,yBAAwB,EAAGzE,SAASC,sCAAcC,uBAAuB,KAC9E,KAAKhD,OAAOa,6BACZ,CAAC,KAAKF,qBAAqB6G,WAC3B,KAAKxH,OAAOC,iBAAiBqH,cACzB,KAAKtH,OAAOC,gBAAgBqH,cAC5BpG;AACNiG,mBAAeM,gBAAgBH,WAAAA;AAC/BH,mBAAeO,sBAAsB,KAAK/G,mBAAmB;AAC7DwG,mBAAeQ,4BAA4Bd,2BAA2B,OAAOC,8BAAAA;AAC7E,QAAIc;AACJ,QAAI,KAAKlH,kBAAkByC,0BAA0B;AACnD,YAAMa,WAAW,KAAKtD,iBAAiByC;AACvC,YAAM0E,QAAQrB,kBAAmBsB,MAAMC,QAAQvB,eAAAA,IAAmBA,kBAAkB;QAACA;UAAoBtF;AAEzG,UAAIqF,sBAAsB;AACxB,YAAI,OAAOvC,SAASgE,wCAAwC,UAAU;AACpE,gBAAM7G,MACJ,sDAAsD,OAAO6C,SAASgE,mCAAmC,qCAAqC;QAElJ;AACA,cAAMC,uBAAuBjE,SAASgE;AACtC,YAAI,CAACC,wBAAwB,CAACA,qBAAqB1B,oBAAAA,GAAuB;AACxE,gBAAM,IAAIpF,MAAM,mBAAmBoF,oBAAAA,+BAAmD,KAAKtC,UAAS,CAAA,EAAI;QAC1G;MACF,WAAW,CAAC4D,OAAO;AACjB,cAAM1G,MAAM,sDAAsD;MACpE,WAAW6C,SAASkE,yBAAyBJ,MAAMC,QAAQ/D,SAASkE,qBAAqB,GAAG;AAC1F,YAAIC,gBAAgB;AAEpBnE,iBAASkE,sBAAsBE,QAAQ,CAACC,wBAAAA;AACtC,gBAAMC,eAAWC,yDAAgCF,mBAAAA;AACjD,cACEC,SAASE,MAAM,CAACC,GAAGC,MAAMb,MAAMa,CAAAA,MAAOD,CAAAA,KACrCZ,MAAMZ,WAAW,MAAMY,MAAM,CAAA,MAAOQ,oBAAoBM,MAAML,SAASxF,SAAS+E,MAAM,CAAA,CAAE,IACzF;AACAM,4BAAgB;AAChB,gBAAIE,oBAAoBO,6BAA6B;AACnDhB,gCAAkB;gBAAEgB,6BAA6BP,oBAAoBO;cAA4B;YACnG;UACF;QACF,CAAA;AAEA,YAAI,CAACT,eAAe;AAClB3C,kBAAQC,IAAI,4BAA4B7D,KAAKC,UAAU2E,eAAAA,CAAAA,gCAAgD,KAAKvC,UAAS,CAAA,EAAI;QAE3H;MACF,WAAWD,SAASgE,uCAAuC,OAAOhE,SAASgE,wCAAwC,UAAU;AAC3H,YAAIG,gBAAgB;AACpBU,eAAOC,OAAO9E,SAASgE,mCAAmC,EAAEI,QAAQ,CAACC,wBAAAA;AACnE,gBAAMC,eAAWC,yDAAgCF,mBAAAA;AACjD,cACEC,SAASE,MAAM,CAACC,GAAGC,MAAMb,MAAMa,CAAAA,MAAOD,CAAAA,KACrCZ,MAAMZ,WAAW,MAAMY,MAAM,CAAA,MAAOQ,oBAAoBM,MAAML,SAASxF,SAAS+E,MAAM,CAAA,CAAE,IACzF;AACAM,4BAAgB;UAClB;QACF,CAAA;AAEA,YAAI,CAACA,eAAe;AAClB,gBAAMhH,MAAM,4BAA4BS,KAAKC,UAAU2E,eAAAA,CAAAA,4BAA4C,KAAKvC,UAAS,CAAA,EAAI;QACvH;MACF;IAEF;AACA,QAAI2D,iBAAiB;AACnBT,qBAAe4B,oBAAoBnB,eAAAA;IACrC;AAEA,UAAMoB,0BAA0B7B,eAAe8B,MAAK;AAEpD,QAAIC;AACJ,QAAIxC,gBAAgB;AAClBwC,qBAAeC,yBAAyBC,wBAAwB;QAC9DzI,qBAAqB,KAAKA;QAC1B0I,WAAW3C;QACXnD,SAAS,KAAKA,QAAO;MACvB,CAAA,EACG+F,WAAW,KAAKrF,UAAS,CAAA,EACzBsF,QAAQ,KAAKnJ,GAAG;AAEnB,UAAI,KAAKJ,OAAOS,KAAK;AACnByI,qBAAaM,QAAQ,KAAKxJ,OAAOS,GAAG;MACtC;AACA,UAAI,KAAKT,OAAOG,KAAK;AACnB+I,qBAAaO,QAAQ,KAAKzJ,OAAOG,GAAG;MACtC;AAEA,UAAI,KAAKD,UAAU;AACjBgJ,qBAAaQ,aAAa,KAAKxJ,QAAQ;MACzC;AACA,UAAI0G,KAAK;AACPsC,qBAAaS,QAAQ/C,GAAAA;MACvB;IACF;AACA,UAAMgD,UAAUV,eACZ,MAAMF,wBAAwBa,wBAAwB;MACpDC,YAAYZ;MACZ1C;MACAC;MACAE;MACApD,SAAS,KAAKA,QAAO;MACrBgD;MACAqB;IACF,CAAA,IACA,MAAMoB,wBAAwBe,oCAAoC;MAChEvD;MACAC;MACAE;MACApD,SAAS,KAAKA,QAAO;MACrBgD;MACAqB;IACF,CAAA;AACJ,UAAM9D,WAAW,MAAMkF,wBAAwBgB,+BAA+BJ,SAASlE,cAAAA;AACvF,SAAK1F,OAAOgG,qBAAqBlC,SAASmC;AAC1C,QAAInC,SAASI,WAAW;AACtBvE,MAAAA,SAAOgC,MAAM;EAAgCC,KAAKC,UAAUiC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAM/C,MACJ,gCAAgC,KAAKnB,OAAOU,kBAAkBuJ,mBAAAA,eAAkC,KAAKhG,UAAS,CAAA,wBAC5GH,SAASgC,aAAaC,MAAM,EAC5B;IAEN,WAAW,CAACjC,SAASQ,aAAa;AAChC3E,MAAAA,SAAOgC,MAAM,2CAA2C;AACxD,YAAMR,MACJ,gCACE,KAAKnB,OAAOU,kBAAkBuJ,mBAAAA,eACjB,KAAKhG,UAAS,CAAA,+CAAiD;IAElF;AACA,WAAO;MAAE,GAAGH,SAASQ;MAAa,GAAI,KAAK0B,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;MAAIE,cAAcpC,SAASoC;IAAa;EAC7I;EAEA,MAAagE,cAA+B;AAC1C,WAAOtI,KAAKC,UAAU,KAAK7B,MAAM;EACnC;EAEAsD,wBACEqD,QACyD;AACzD,eAAOwD,iDAAwB;MAC7BC,gBAAgB,KAAK1J,iBAAiByC;MACtCI,SAAS,KAAKA,QAAO;MACrBoD;MACAkB,OAAO3G;IACT,CAAA;EACF;EAEA,MAAamJ,iBACXC,uBACAV,SACApJ,aACqC;AACrC,WAAO6J,iBAAiBC,uBAAuBV,SAASpJ,eAAe,KAAKR,OAAOQ,eAAe,KAAKR,OAAOW,qBAAqBuF,YAAAA;EACrI;;;;;;;;;;;;;;;;;;;;;;;;EA0BAqB,2BAA4C;AAC1C,WACE,KAAKtH,iBAAiB4C,mBACrB,KAAK7C,OAAOU,kBAAkByC,0BAA0BC,yBAAyB;MAACL,sCAAcC;QAA2B,CAAA;EAEhI;EAEAuH,oBAAoBC,UAAkC;AACpD,WAAO,KAAKjD,yBAAwB,EAAGzE,SAAS0H,QAAAA;EAClD;EAEOC,sBAA+B;AACpC,WAAO,CAAC,CAAC,KAAK3J;EAChB;EAEA,IAAIA,mBAAuC;AACzC,WAAO,KAAKd,OAAOc;EACrB;EAEA,IAAIb,kBAAiE;AACnE,WAAO,KAAKD,OAAOC;EACrB;EAEOsD,UAA6B;AAClC,WAAO,KAAKtD,iBAAiBsD,WAAWmH,0CAAkBC;EAC5D;EAEA,IAAWjK,mBAAkD;AAC3D,SAAKkK,qBAAoB;AAEzB,WAAO,KAAK5K,OAAOU;EACrB;EAEA,IAAIP,MAAc;AAChB,SAAKqD,iBAAgB;AACrB,QAAI,CAAC,KAAKxD,OAAOG,KAAK;AACpB,YAAM,IAAIgB,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKnB,OAAOG;EACrB;EAEA,IAAIC,MAAc;AAChB,SAAKoD,iBAAgB;AACrB,QAAI,CAAC,KAAKxD,OAAOI,KAAK;AACpB,YAAM,IAAIe,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKnB,OAAOI;EACrB;EAEA,IAAIF,SAAS2K,OAA2B;AACtC,SAAK7K,OAAOE,WAAW2K;EACzB;EAEA,IAAI3K,WAA+B;AACjC,WAAO,KAAKF,OAAOE;EACrB;EAEO4K,yBAAkC;AACvC,WAAO,CAAC,CAAC,KAAK9K,OAAOW;EACvB;EAEA,IAAIA,sBAA2C;AAC7C,SAAKoK,kBAAiB;AAEtB,WAAO,KAAK/K,OAAOW;EACrB;EAEA,IAAIqF,qBAAqD;AACvD,WAAO,KAAKhG,OAAOgG;EACrB;EAEO/B,YAAoB;AACzB,SAAKT,iBAAgB;AACrB,WAAO,KAAKxD,OAAOK;EACrB;EAEO2K,yBAAiC;AACtC,SAAKxH,iBAAgB;AACrB,WAAO,KAAK9C,mBACR,KAAKA,iBAAiBmF,iBACtBN,kBAAkB0F,kBAAkB;MAAEC,YAAY;QAAEnK,QAAQ,KAAKkD,UAAS;MAAG;IAAE,CAAA;EACrF;EAEOkH,wBAAgC;AACrC,SAAK3H,iBAAgB;AACrB,WAAO,KAAK9C,mBAAmB,KAAKA,iBAAiBuJ,sBAAsB,GAAG,KAAKhG,UAAS,CAAA;EAC9F;EAEOmH,gCAAyC;AAC9C,WAAO,CAAC,CAAC,KAAKJ,uBAAsB;EACtC;EAEOK,gCAAwC;AAC7C,SAAK7H,iBAAgB;AACrB,WAAO,KAAK9C,mBAAmB,KAAKA,iBAAiBuJ,sBAAsB,GAAG,KAAKhG,UAAS,CAAA;EAC9F;;;;EAKOoB,SAAkB;AACvB,UAAMpF,kBAAkB,KAAKA,iBAAiBgB;AAE9C,QAAIhB,iBAAiBqL,8BAA8B;AACjD,YAAMC,2BAA2B,KAAK7K,iBAAiByC,0BAA0B6E;AAEjF,UAAIuD,0BAA0B;AAC5B,cAAMC,uBAAuBvL,gBAAgBqL,6BAC1CG,IAAI,CAAC9C,OAAO4C,yBAAyB5C,EAAAA,CAAG,EACxC5B,OACC,CAAC2E;;;UAGCA,WAAWxK,UAAa,qBAAqBwK,UAAU,UAAUA,OAAOC;SAAe,EAI1FC,KAAK,CAACF,WAAWA,OAAOC,gBAAgBE,KAAK/I,SAAS,MAAA,CAAA;AAEzD,YAAI0I,sBAAsB;AACxB,iBAAO;QACT;MACF;IACF;AAEA,WACE,KAAKtL,UAAU4C,SAAS,MAAA,KACxB,KAAK9C,OAAOG,KAAK2C,SAAS,WAAA,KAC1B,KAAKmB,UAAS,EAAGnB,SAAS,MAAA,KAC1B,KAAKpC,iBAAiByC,0BAA0BC,wBAAwBN,SAAS,SAAA,KACjF,KAAKpC,iBAAiByC,0BAA0B2I,sBAAsBhJ,SAAS,SAAA;EAEnF;EAEQU,mBAAyB;AAC/B,QAAI,CAAC,KAAKxD,OAAOK,kBAAkB;AACjC,YAAMc,MAAM,oCAAoC;IAClD,WAAW,CAAC,KAAKnB,OAAOC,mBAAmB,KAAKD,OAAOU,oBAAoB,KAAK6G,yBAAwB,EAAGN,WAAW,GAAG;AACvH,YAAM9F,MAAM,oDAAoD;IAClE;EACF;EAEQyJ,uBAA6B;AACnC,QAAI,CAAC,KAAK5K,OAAOU,kBAAkB;AACjC,YAAMS,MAAM,oBAAA;IACd;EACF;EAEQ4J,oBAA0B;AAChC,QAAI,CAAC,KAAK/K,OAAOW,qBAAqB;AACpC,YAAMQ,MAAM,yBAAyB;IACvC;EACF;EAEQO,6BAA6BuB,MAA2D;AAC9F,QAAIrC,2BAA2B;MAAE,GAAG,KAAKZ,QAAQY;MAA0B,GAAGqC;IAAK;AACnF,QAAI,CAACrC,0BAA0B;AAI7BA,iCAA2B;QAAE8D,aAAa,GAAGqH,0CAAkBC,gBAAgB;MAAM;IACvF;AACA,UAAM9L,WAAWU,yBAAyBV,YAAY,KAAKF,OAAOE;AAElE,SAAKF,OAAOE,WAAWA;AACvBU,6BAAyBV,WAAWA;AACpC,WAAOU;EACT;EAEQgE,uBAAuB,wBAC7BC,uBACAF,SAAAA;AAEA,QAAIE,uBAAuB;AACzB,WAAK7E,OAAOa,4BAA4B;QAAE,OAAGoL,wDAA+BpH,qBAAAA;MAAuB;IACrG,WAAWF,MAAM;AACf,WAAK3E,OAAOa,4BAA4B;QAAE8D;MAAK;IACjD;AAEA,WACG,KAAK3E,OAAOa,2BAAqD8D,QACjE,KAAK3E,OAAOa,2BAAkEqL;EAEnF,GAd+B;AAejC;;;ACzzBA,IAAAC,0BAgCO;AACP,IAAAC,qBAA0C;AAW1C,IAAMC,WAASC,2BAAQC,QAAQC,IAAI,kBAAA;AAmB5B,IAAMC,0BAAN,MAAMA,yBAAAA;EA/Db,OA+DaA;;;EACMC;EAEjB,YAAoB,EAClBC,iBACAC,UACAC,KACAC,KACAC,kBACAC,MACAC,sBACAC,KACAC,kBACAC,qBACAC,0BACAC,2BACAC,iBAAgB,GAef;AACD,UAAMC,SAAST,qBAAqBJ,sBAAkBc,6DAAoCd,gBAAgBe,gBAAgB,IAAIC;AAC9H,QAAI,CAACH,QAAQ;AACX,YAAMI,MAAM,qDAAA;IACd;AACA,SAAKlB,SAAS;MACZC;MACAI,kBAAkBS;MAClBX;MACAC;;MAEAF,UAAUA,aAAaD,uBAAmBkB,+DAAsClB,gBAAgBe,gBAAgB,MAAMb,KAAKiB,MAAM,GAAA,EAAK,CAAA;MACtId,MAAM;QAAEe,UAAU;QAAOC,qBAAqBC,4CAAoBC;QAAM,GAAGlB;MAAK;MAChFK;MACAC;MACAJ;MACAC;MACAC;MACAG;IACF;AAEA,QAAI,CAAC,KAAKb,OAAOW,0BAA0B;AACzC,WAAKX,OAAOW,2BAA2B,KAAKc,6BAA6BlB,oBAAAA;IAC3E;AACAZ,IAAAA,SAAO+B,MAAM,8BAA8BC,KAAKC,UAAU,KAAK5B,OAAOW,0BAA0B,MAAM,CAAA,CAAA,EAAI;EAC5G;EAEA,aAAoBkB,qBAAqB,EACvC1B,KACAC,KACA0B,wBACA5B,UACAG,kBACAC,MACAC,sBACAwB,8BAA6B,GAU5B;AACD,UAAMC,SAAS,IAAIjC,yBAAwB;MACzCI;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL;MAC5CG;MACAC;MACAC;IACF,CAAA;AACA,QAAIuB,2BAA2Bb,UAAaa,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QAAIC,kCAAkCd,UAAac,+BAA+B;AAChF,YAAMC,OAAOC,8BAA8B;QAAE1B;QAAsBD;MAAK,CAAA;IAC1E;AACA,WAAO0B;EACT;EAEA,aAAoBE,UAAU,EAAEC,MAAK,GAAwF;AAC3H,UAAMC,cAAc,OAAOD,UAAU,WAAWR,KAAKU,MAAMF,KAAAA,IAASA;AAEpE,WAAO,IAAIpC,yBAAwBqC,WAAAA;EACrC;EAEA,aAAoBE,QAAQ,EAC1BC,KACApC,KACAC,KACA0B,wBACA5B,UACAI,MACAyB,+BACAxB,sBACAiC,gBAAe,GAWoB;AACnC,UAAMC,wBAAwB,MAAMC,6BAA6BJ,QAAQC,KAAK;MAAEI,SAASH;IAAgB,CAAA;AACzG,UAAMR,SAAS,IAAIjC,yBAAwB;MACzCE,iBAAiBwC;MACjBtC;MACAC;MACAF,UAAUA,YAAYK,sBAAsBL,YAAYuC,sBAAsBvC;MAC9EI;MACAC;IACF,CAAA;AAEA,QAAIuB,2BAA2Bb,UAAaa,wBAAwB;AAClE,YAAME,OAAOF,uBAAsB;IACrC;AACA,QACEW,sBAAsBG,eAAeC,SAASC,sCAAcC,uBAAuB,MAClFhB,kCAAkCd,UAAac,gCAChD;AACA,YAAMC,OAAOC,8BAA8B;QAAE1B;QAAsBD;MAAK,CAAA;AACxEX,MAAAA,SAAO+B,MAAM,8BAA8BM,OAAOhC,OAAOa,gBAAgB,EAAE;IAC7E;AAEA,WAAOmB;EACT;;;;;;;EAQA,MAAaC,8BAA8Be,MAA8F;AACvI,QAAI,CAAC,KAAKhD,OAAOa,kBAAkB;AACjC,WAAKoC,kBAAkBD,MAAM1C,IAAAA;AAC7B,WAAKN,OAAOW,2BAA2B,KAAKc,6BAA6BuB,MAAMzC,oBAAAA;AAC/E,UAAI,CAAC,KAAKP,OAAOW,0BAA0B;AACzC,cAAMO,MAAM,mEAAmE;MACjF;AAIA,UACE,KAAKlB,OAAOS,kBAAkByC,4BAC9B,4BAA4B,KAAKlD,OAAOS,iBAAiByC,0BACzD;AACA,aAAKlD,OAAOS,iBAAiB0C,yBAAyB,KAAKnD,OAAOS,iBAAiByC,yBAAyBC;MAC9G;AACA,WAAKnD,OAAOa,mBAAmB,MAAMuC,qCAAqC;QACxE9C,MAAM,KAAKN,OAAOM;QAClBG,kBAAkB,KAAKA;QACvBF,sBAAsB,KAAKP,OAAOW;QAClCV,iBAAiB,KAAKA;QACtBoD,sBAAsBC,OAAOC,OAAO,KAAKC,wBAAuB,CAAA;MAClE,CAAA;IACF;AACA,WAAO,KAAKxD,OAAOa;EACrB;EAEA,MAAaiB,yBAAiE;AAC5E,SAAK2B,iBAAgB;AACrB,QAAI,CAAC,KAAKzD,OAAOS,kBAAkB;AACjC,UAAI,KAAKR,iBAAiB;AACxB,aAAKD,OAAOS,mBAAmB,MAAMiD,sBAAsBC,uCAAuC,KAAK1D,eAAe;MACxH,WAAW,KAAKD,OAAOK,kBAAkB;AACvC,aAAKL,OAAOS,mBAAmB,MAAMiD,sBAAsBE,oBAAoB,KAAK5D,OAAOK,gBAAgB;MAC7G,OAAO;AACL,cAAMa,MAAM,oFAAoF;MAClG;IACF;AAEA,WAAO,KAAKT;EACd;EAEQwC,kBAAkB3C,MAAiB;AACzC,SAAKN,OAAOM,OAAOuD,wBAAwB;MAAE,GAAG,KAAK7D,OAAOM;MAAM,GAAGA;IAAK,CAAA;EAC5E;EAEA,MAAawD,kCAAkCd,MAAuF;AACpI,UAAMe,WAAW,MAAMC,sCAAsC;MAC3DC,UAAU,KAAKxD;MACfJ,kBAAkB,KAAK6D,UAAS;MAChChE,UAAU,KAAKF,OAAOE,YAAY,KAAKF,OAAOW,0BAA0BT;MACxE,GAAG8C;IACL,CAAA;AAEA,QAAIe,SAASI,WAAW;AACtBxE,MAAAA,SAAO+B,MAAM;EAAgCC,KAAKC,UAAUmC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAMC,QAAQL,SAASI;AACvB,aAAOE,QAAQC,OAAOF,KAAAA;IACxB,WAAW,CAACL,SAASQ,aAAa;AAChC5E,MAAAA,SAAO+B,MAAM,2CAA2C;AACxD,aAAO2C,QAAQC,OACbpD,MACE,+CAA+C,KAAKlB,OAAOS,kBAAkB+D,gCAAAA,eAA+C,KAAKN,UAAS,CAAA,+CAAiD,CAAA;IAGjM;AAEA,WAAO;MAAE,GAAGH,SAASQ;IAAY;EACnC;EAEA,MAAaE,mBACXzB,MAKgE;AAChE,UAAM,EAAE0B,KAAKxE,WAAW,KAAKF,OAAOE,YAAY,KAAKF,OAAOW,0BAA0BT,SAAQ,IAAK8C,QAAQ,CAAC;AAC5G,QAAI,EAAE2B,YAAW,IAAK3B,QAAQ,CAAC;AAE/B,UAAM4B,OAAO,KAAKC,qBAAqB7B,MAAM8B,uBAAuB9B,MAAM4B,IAAAA;AAE1E,QAAI5B,MAAM+B,cAAc;AACtB,WAAK/E,OAAOM,KAAKyE,eAAe/B,KAAK+B;IACvC;AACA,SAAKtB,iBAAgB;AAErB,UAAMuB,SAAkC;MAAE,GAAGhC,MAAMgC;IAAO;AAC1D,QAAI9E,UAAU;AACZ,WAAKF,OAAOE,WAAWA;AACvB,UAAI,CAAC8E,OAAOC,YAAY;AACtBD,eAAOC,aAAa;UAAE/E;QAAS;MACjC;AACA8E,aAAOC,WAAW/E,WAAWA;IAC/B;AACA,QAAI,CAAC,KAAKF,OAAOU,qBAAqB;AACpC,YAAMwE,oBAAoB,IAAIC,yBAAAA;AAE9B,UAAIR,eAAeA,gBAAgB,KAAK3E,OAAOW,0BAA0BgE,aAAa;AACpFS,gBAAQC,IACN,+CAA+CV,WAAAA,gCAA2C,KAAK3E,OAAOW,0BAA0BgE,WAAAA,wDAAmE;MAEvM;AACA,UAAI,KAAK3E,OAAOW,0BAA0BgE,eAAe,CAACA,aAAa;AACrEA,sBAAc,KAAK3E,OAAOW,yBAAyBgE;MACrD;AAEA,YAAMxE,MAAM6E,OAAOC,YAAY9E,OAAO,KAAKH,OAAOG,OAAO,KAAKH,OAAOW,0BAA0B2E,mBAAmBnF;AAClH,YAAMoF,sBACJP,OAAOC,YAAYM,wBAClBpF,OAAOD,YAAY,OAAO8E,OAAOC,YAAYO,eAAeC,iBAAiB,aAC1E,2DACAxE;AACN,UAAI,KAAKyE,OAAM,KAAOxF,YAAYC,KAAM;AACtC,YAAI,CAACD,UAAU;AACb,gBAAMgB,MAAM,6BAA6B;QAC3C;AACA8D,eAAOC,aAAa;UAClB,GAAGD,OAAOC;UACV/E;UACA,GAAIC,OAAO;YAAEA;UAAI;UACjB,GAAIoF,uBAAuB;YAAEA;UAAoB;UACjDC,eAAeR,OAAOC,YAAYO,iBAAiB,KAAKxF,OAAOW,0BAA0B2E,mBAAmBE;QAC9G;MACF;AAEA,YAAMzB,WAAW,MAAMmB,kBAAkBT,mBAAmB;QAC1DxE,iBAAiB,KAAKA;QACtBgE,UAAU,KAAKxD;QACfJ,kBAAkB,KAAK6D,UAAS;QAChCQ;QACA,GAAI,CAAC,KAAK1E,OAAOM,KAAKe,YAAY;UAAE0D,cAAc,KAAK/E,OAAOM,KAAKyE;QAAa;QAChFH;QACAD;QACAK;QACA,GAAIhC,MAAM2C,kBAAkB;UAAEA,gBAAgB3C,KAAK2C;QAAe;QAClE,GAAI3C,MAAM4C,2BAA2B;UAAEC,kBAAkB7C,KAAK4C;QAAwB;MACxF,CAAA;AAEA,UAAI7B,SAASI,WAAW;AACtBxE,QAAAA,SAAO+B,MAAM;EAA0BC,KAAKC,UAAUmC,SAASI,SAAS,CAAA,EAAG;AAC3E,cAAMjD,MACJ,mCAAmC,KAAKlB,OAAOS,kBAAkBqF,cAAAA,eAA6B,KAAK5B,UAAS,CAAA,wBAC1GH,SAASgC,aAAaC,MAAM,EAC5B;MAEN,WAAW,CAACjC,SAASQ,aAAa;AAChC5E,QAAAA,SAAO+B,MAAM,qCAAqC;AAClD,cAAMR,MACJ,mCACE,KAAKlB,OAAOS,kBAAkBqF,cAAAA,eACjB,KAAK5B,UAAS,CAAA,+CAAiD;MAElF;AACA,WAAKlE,OAAOU,sBAAsBqD,SAASQ;AAC3C,WAAKvE,OAAOiG,qBAAqBlC,SAASmC;AAC1C,WAAKlG,OAAOmG,cAAcpC,SAASQ,YAAY6B;IACjD;AAEA,WAAO;MAAE,GAAG,KAAK1F;MAAqB,GAAI,KAAKuF,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;IAAG;EAC5G;EAEA,MAAaI,mBAAmB,EAC9BC,iBACAC,SACAC,gBACAC,QACAtG,KACAK,KACAJ,KACAsG,KACAC,yBACAC,gCACAjB,eAAc,GAagB;AAC9B,QAAI;MAACnF;MAAKL;MAAK0G,OAAO,CAACC,MAAMA,MAAM7F,MAAAA,EAAW8F,SAAS,GAAG;AACxD,YAAM,IAAI7F,MAAM8F,4CAAoB,UAAUxG,QAAQS,MAAAA,UAAmBd,QAAQc,MAAAA,EAAW;IAC9F;AAEA,QAAIb,IAAK,MAAKJ,OAAOI,MAAMA;AAC3B,QAAII,IAAK,MAAKR,OAAOQ,MAAMA;AAC3B,QAAIL,IAAK,MAAKH,OAAOG,MAAMA;AAE3B,UAAM8G,iBAAiB,KAAKhH,kBACxBiH,sCAAsCC,oBAAoB;MACxDlH,iBAAiB,KAAKA;MACtBgE,UAAU,KAAKxD;IACjB,CAAA,IACAyG,sCAAsCrF,qBAAqB;MACzDxB,kBAAkB,KAAK6D,UAAS;MAChCoC;MACArC,UAAU,KAAKxD;MACf2G,SAAS,KAAKA,QAAO;IACvB,CAAA;AAEJH,mBAAeI,sBAAsB,KAAK3G,mBAAmB;AAC7DuG,mBAAeK,4BAA4BX,2BAA2B,OAAOC,8BAAAA;AAC7E,QAAI,KAAKnG,kBAAkByC,0BAA0B;AACnD,YAAMe,WAAW,KAAKxD,iBAAiByC;AACvC,YAAMqE,QAAQC,MAAMC,QAAQnB,eAAAA,IAAmBA,kBAAkB;QAACA;;AAElE,UAAIrC,SAASyD,yBAAyBF,MAAMC,QAAQxD,SAASyD,qBAAqB,GAAG;AACnF,YAAIC,gBAAgB;AAEpB1D,iBAASyD,sBAAsBE,QAAQ,CAACC,wBAAAA;AACtC,gBAAMC,eAAWC,yDAAgCF,mBAAAA;AACjD,cACEC,SAASE,MAAM,CAACC,GAAGC,MAAMX,MAAMW,CAAAA,MAAOD,CAAAA,KACrCV,MAAMR,WAAW,MAAMQ,MAAM,CAAA,MAAOM,oBAAoBM,MAAML,SAASjF,SAAS0E,MAAM,CAAA,CAAE,IACzF;AACAI,4BAAgB;UAClB;QACF,CAAA;AAEA,YAAI,CAACA,eAAe;AAClBvC,kBAAQC,IAAI,4BAA4B1D,KAAKC,UAAU0E,eAAAA,CAAAA,gCAAgD,KAAKpC,UAAS,CAAA,EAAI;QAE3H;MACF,WAAWD,SAASyD,yBAAyB,CAACF,MAAMC,QAAQxD,SAASyD,qBAAqB,GAAG;AAC3F,cAAMrE,uBAAuBY,SAASyD;AACtC,YAAIH,MAAMa,KAAK,CAACC,SAAS,CAACpE,SAASyD,yBAAyB,CAACrE,qBAAqBgF,IAAAA,CAAK,GAAG;AACxF,gBAAMnH,MAAM,4BAA4BS,KAAKC,UAAU0E,eAAAA,CAAAA,4BAA4C,KAAKpC,UAAS,CAAA,EAAI;QACvH;MACF;IAEF;AACA,UAAMoE,0BAA0BrB,eAAesB,MAAK;AACpD,UAAMC,eAAeC,yBAAyBC,wBAAwB;MACpEhI,qBAAqB,KAAKA;MAC1BiI,WAAWnC;MACXY,SAAS,KAAKA,QAAO;IACvB,CAAA,EACGwB,WAAW,KAAK1E,UAAS,CAAA,EACzB2E,QAAQ,KAAKzI,GAAG;AAEnB,QAAI,KAAKJ,OAAOQ,KAAK;AACnBgI,mBAAaM,QAAQ,KAAK9I,OAAOQ,GAAG;IACtC;AACA,QAAI,KAAKR,OAAOG,KAAK;AACnBqI,mBAAaO,QAAQ,KAAK/I,OAAOG,GAAG;IACtC;AAEA,QAAI,KAAKD,UAAU;AACjBsI,mBAAaQ,aAAa,KAAK9I,QAAQ;IACzC;AACA,QAAIwG,KAAK;AACP8B,mBAAaS,QAAQvC,GAAAA;IACvB;AACA,UAAM3C,WAAW,MAAMuE,wBAAwBY,6BAA6B;MAC1EC,YAAYX;MACZlC;MACAC;MACAE;MACAd;IACF,CAAA;AACA,SAAK3F,OAAOiG,qBAAqBlC,SAASmC;AAC1C,QAAInC,SAASI,WAAW;AACtBxE,MAAAA,SAAO+B,MAAM;EAAgCC,KAAKC,UAAUmC,SAASI,SAAS,CAAA,EAAG;AACjF,YAAMjD,MACJ,gCAAgC,KAAKlB,OAAOS,kBAAkB2I,mBAAAA,eAAkC,KAAKlF,UAAS,CAAA,wBAC5GH,SAASgC,aAAaC,MAAM,EAC5B;IAEN,WAAW,CAACjC,SAASQ,aAAa;AAChC5E,MAAAA,SAAO+B,MAAM,2CAA2C;AACxD,YAAMR,MACJ,gCACE,KAAKlB,OAAOS,kBAAkB2I,mBAAAA,eACjB,KAAKlF,UAAS,CAAA,+CAAiD;IAElF;AACA,WAAO;MAAE,GAAGH,SAASQ;MAAa,GAAI,KAAK0B,sBAAsB;QAAEC,QAAQ,KAAKD;MAAmB;IAAG;EACxG;EAEA,MAAaoD,cAA+B;AAC1C,WAAO1H,KAAKC,UAAU,KAAK5B,MAAM;EACnC;;;;;EAMAsJ,2BACEC,2BACA9C,QACkD;AAClD,eAAO+C,iDAAwB;MAC7BC,gBAAgB,KAAKhJ,iBAAiByC;MACtCkE,SAAS,KAAKA,QAAO;MACrBX;MACAc,OAAOgC,4BAA4B,KAAKG,wBAAuB,IAAKzI;IACtE,CAAA;EACF;EAEAuC,wBAAwBiD,QAAwH;AAC9I,eAAO+C,iDAAwB;MAC7BC,gBAAgB,KAAKhJ,iBAAiByC;MACtCkE,SAAS,KAAKA,QAAO;MACrBX;MACAc,OAAOtG;IACT,CAAA;EACF;EAEAyI,0BAAsC;AACpC,QAAI,CAAC,KAAKzJ,iBAAiB;AACzB,aAAO,CAAA;IACT,WAAW,KAAKA,gBAAgBmH,UAAUuC,0CAAkBC,YAAY;AACtE,YAAMC,OAAO,KAAK5J,gBAAgB6J;AAClC,YAAMvC,QAAkB,OAAOsC,KAAKE,oBAAoB,WAAW;QAACF,KAAKE;UAAmBF,KAAKE;AACjG,YAAMC,SAAqB,CAAA;AAC3BA,aAAO,CAAA,IAAKzC;AACZ,aAAOyC;IACT,WAAW,KAAK/J,gBAAgBmH,UAAUuC,0CAAkBM,YAAY;AACtE,aAAQ,KAAKhK,gBAAgBe,iBAAmDkJ,YAAYC,IAAI,CAACC,UAAMC,4CAAmBD,CAAAA,KAAM,CAAA,CAAE;IACpI;AAEA,UAAMlJ,MAAM,2DAA2D,KAAKkG,QAAO,CAAA,EAAI;EACzF;EAEAkD,2BAA4C;AAC1C,WACE,KAAKrK,iBAAiB2C,mBACrB,KAAK5C,OAAOS,kBAAkByC,0BAA0BC,yBAAyB;MAACL,sCAAcC;QAA2B,CAAA;EAEhI;EAEAwH,oBAAoBC,UAAkC;AACpD,WAAO,KAAKF,yBAAwB,EAAGzH,SAAS2H,QAAAA;EAClD;EAEA,IAAI3J,mBAAuC;AACzC,WAAO,KAAKb,OAAOa;EACrB;EAEO4J,sBAA+B;AACpC,WAAO,CAAC,CAAC,KAAK5J;EAChB;EAEA,IAAIZ,kBAAiE;AACnE,WAAO,KAAKD,OAAOC;EACrB;EAEOmH,UAA6B;AAClC,WAAO,KAAKnH,iBAAiBmH,WAAWuC,0CAAkBC;EAC5D;EAEA,IAAWnJ,mBAAkD;AAC3D,SAAKiK,qBAAoB;AAEzB,WAAO,KAAK1K,OAAOS;EACrB;EAEA,IAAIN,MAAc;AAChB,SAAKsD,iBAAgB;AACrB,QAAI,CAAC,KAAKzD,OAAOG,KAAK;AACpB,YAAM,IAAIe,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKlB,OAAOG;EACrB;EAEA,IAAIC,MAAc;AAChB,SAAKqD,iBAAgB;AACrB,QAAI,CAAC,KAAKzD,OAAOI,KAAK;AACpB,YAAM,IAAIc,MAAM,8BAAA;IAClB;AACA,WAAO,KAAKlB,OAAOI;EACrB;EAEA,IAAIF,SAASyK,OAA2B;AACtC,SAAK3K,OAAOE,WAAWyK;EACzB;EAEA,IAAIzK,WAA+B;AACjC,WAAO,KAAKF,OAAOE;EACrB;EAEO0K,yBAAkC;AACvC,WAAO,CAAC,CAAC,KAAK5K,OAAOU;EACvB;EAEA,IAAIA,sBAA2C;AAC7C,SAAKmK,kBAAiB;AAEtB,WAAO,KAAK7K,OAAOU;EACrB;EAEA,IAAIuF,qBAAqD;AACvD,WAAO,KAAKjG,OAAOiG;EACrB;EAEO/B,YAAoB;AACzB,SAAKT,iBAAgB;AACrB,WAAO,KAAKzD,OAAOK;EACrB;EAEOyK,yBAAiC;AACtC,SAAKrH,iBAAgB;AACrB,WAAO,KAAKhD,mBACR,KAAKA,iBAAiBqF,iBACtBX,yBAAyB4F,kBAAkB;MAAEC,YAAY;QAAElK,QAAQ,KAAKoD,UAAS;MAAG;IAAE,CAAA;EAC5F;EAEO+G,wBAAgC;AACrC,SAAKxH,iBAAgB;AACrB,WAAO,KAAKhD,mBAAmB,KAAKA,iBAAiB2I,sBAAsB,GAAG,KAAKlF,UAAS,CAAA;EAC9F;EAEOgH,gCAAyC;AAC9C,WAAO,CAAC,CAAC,KAAKJ,uBAAsB;EACtC;EAEOK,gCAAwC;AAC7C,SAAK1H,iBAAgB;AACrB,WAAO,KAAKhD,mBAAmB,KAAKA,iBAAiB2I,sBAAsB,GAAG,KAAKlF,UAAS,CAAA;EAC9F;;;;EAKOwB,SAAS;AACd,QACE,KAAKzF,mBACJ,KAAKA,iBAAiBe,kBAAoDkJ,aAAakB,KACtF,CAACC;;;MAGC,OAAOA,SAAS,YAAY,qBAAqBA,QAAQ,UAAUA,KAAKC,mBAAmBD,KAAKC,gBAAgBC,KAAK1I,SAAS,MAAA;KAAA,GAElI;AACA,aAAO;IACT;AAEA,WACE,KAAK3C,UAAU2C,SAAS,MAAA,KACxB,KAAK7C,OAAOG,KAAK0C,SAAS,WAAA,KAC1B,KAAKqB,UAAS,EAAGrB,SAAS,MAAA,KAC1B,KAAKpC,iBAAiByC,0BAA0BC,wBAAwBN,SAAS,SAAA,KACjF,KAAKpC,iBAAiByC,0BAA0BsI,sBAAsB3I,SAAS,SAAA;EAEnF;EAEQY,mBAAyB;AAC/B,QAAI,CAAC,KAAKzD,OAAOK,kBAAkB;AACjC,YAAMa,MAAM,oCAAoC;IAClD,WAAW,CAAC,KAAKlB,OAAOC,mBAAmB,KAAKD,OAAOS,oBAAoB,KAAK6J,yBAAwB,EAAGvD,WAAW,GAAG;AACvH,YAAM7F,MAAM,oDAAoD;IAClE;EACF;EAEQwJ,uBAA6B;AACnC,QAAI,CAAC,KAAK1K,OAAOS,kBAAkB;AACjC,YAAMS,MAAM,oBAAA;IACd;EACF;EAEQ2J,oBAA0B;AAChC,QAAI,CAAC,KAAK7K,OAAOU,qBAAqB;AACpC,YAAMQ,MAAM,yBAAyB;IACvC;EACF;EAEQO,6BAA6BuB,MAA2D;AAC9F,QAAIrC,2BAA2B;MAAE,GAAG,KAAKX,QAAQW;MAA0B,GAAGqC;IAAK;AACnF,QAAI,CAACrC,0BAA0B;AAI7BA,iCAA2B;QAAEgE,aAAa,GAAG8G,0CAAkBC,gBAAgB;MAAM;IACvF;AACA,UAAMxL,WAAWS,yBAAyBT,YAAY,KAAKF,OAAOE;AAElE,SAAKF,OAAOE,WAAWA;AACvBS,6BAAyBT,WAAWA;AACpC,WAAOS;EACT;EAEQkE,uBAAuB,wBAC7BC,uBACAF,SAAAA;AAEA,QAAIE,uBAAuB;AACzB,WAAK9E,OAAOY,4BAA4B;QAAE,OAAG+K,wDAA+B7G,qBAAAA;MAAuB;IACrG,WAAWF,MAAM;AACf,WAAK5E,OAAOY,4BAA4B;QAAEgE;MAAK;IACjD;AAEA,WACG,KAAK5E,OAAOY,2BAAqDgE,QACjE,KAAK5E,OAAOY,2BAAkEgL;EAEnF,GAd+B;AAejC;;;A1B3sBO,IAAMC,OAA6BC,oCAAYC,IAAI,yBAAA;","names":["LOG","import_oid4vci_common","import_oid4vc_common","import_oid4vci_common","import_ssi_types","import_oid4vci_common","import_ssi_types","generateMissingPKCEOpts","pkce","disabled","codeChallengeMethod","CodeChallengeMethod","S256","codeVerifier","generateCodeVerifier","assertValidCodeVerifier","codeChallenge","createCodeChallenge","import_oid4vci_common","import_oid4vci_common","LOG","VCI_LOGGERS","options","methods","LogMethod","EVENT","DEBUG_PKG","get","sendNotification","credentialRequestOpts","request","accessToken","LOG","info","event","notification_id","notificationEndpoint","Error","token","response","post","JSON","stringify","bearerToken","error","errorBody","undefined","result","warning","debug","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","retrieveWellknown","host","endpointType","opts","result","getJson","endsWith","slice","exceptionOnHttpErrorStatus","errorOnNotFound","origResponse","status","debug","statusText","import_oid4vci_common","import_oid4vci_common","ProofOfPossessionBuilder","proof","callbacks","version","mode","kid","jwk","aud","clientId","issuer","jwt","alg","jti","cNonce","typ","accessTokenResponse","withJwt","withTyp","OpenId4VCIVersion","VER_1_0_11","withAccessTokenResponse","manual","fromJwt","fromAccessTokenResponse","fromProof","withAud","withClientId","withKid","withJWK","withIssuer","withAlg","withJti","Error","withAccessTokenNonce","accessToken","c_nonce","withEndpointMetadata","endpointMetadata","NO_JWT_PROVIDED","header","payload","Array","isArray","iss","nonce","build","Promise","resolve","createProofOfPossession","PROOF_CANT_BE_CONSTRUCTED","createJwtBearerClientAssertion","request","opts","asOpts","credentialIssuer","clientOpts","clientAssertionType","clientId","client_id","signCallbacks","alg","kid","Promise","reject","Error","signCallback","startsWith","includes","split","jwt","header","typ","payload","iss","sub","aud","jti","uuidv4","exp","Math","floor","Date","now","iat","pop","ProofOfPossessionBuilder","fromJwt","callbacks","version","OpenId4VCIVersion","VER_1_0_13","mode","build","client_assertion_type","client_assertion","import_oid4vci_common","isUriEncoded","str","pattern","test","handleCredentialOfferUri","uri","uriObj","getURIComponentsAsArray","credentialOfferUri","decodeURIComponent","decodedUri","response","fetch","status","Promise","reject","statusText","headers","get","startsWith","credential_offer","decodeJsonProperties","json","constructBaseResponse","request","scheme","baseUrl","clientId","getClientIdFromCredentialOfferPayload","grants","authorization_code","issuer_state","issuerState","PRE_AUTH_GRANT_LITERAL","PRE_AUTH_CODE_LITERAL","preAuthorizedCode","tx_code","txCode","logger","Loggers","DEFAULT","get","MetadataClientV1_0_13","retrieveAllMetadataFromCredentialOffer","credentialOffer","retrieveAllMetadataFromCredentialOfferRequest","credential_offer","request","issuer","getIssuerFromCredentialOfferPayload","retrieveAllMetadata","Error","opts","token_endpoint","credential_endpoint","deferred_credential_endpoint","authorization_endpoint","authorization_challenge_endpoint","authorizationServerType","authorization_servers","oid4vciResponse","retrieveOpenID4VCIServerMetadata","errorOnNotFound","credentialIssuerMetadata","successBody","debug","JSON","stringify","response","retrieveWellknown","WellKnownEndpoints","OPENID_CONFIGURATION","authMetadata","OAUTH_AS","includes","console","warn","endsWith","authorization_server","authorizationServerMetadata","issuerHost","OPENID4VCI_ISSUER","undefined","import_oid4vc_common","shouldRetryTokenRequestWithDPoPNonce","response","errorBody","error","dpopTokenRequestNonceError","ok","dPoPNonce","origResponse","headers","get","Error","dpopNonce","shouldRetryResourceRequestWithDPoPNonce","status","wwwAuthenticateHeader","includes","AccessTokenClient","acquireAccessToken","opts","asOpts","pin","codeVerifier","code","redirectUri","metadata","createDPoPOpts","credentialOffer","assertedUniformCredentialOffer","undefined","pinMetadata","getPinMetadata","credential_offer","issuer","credentialIssuer","getIssuerFromCredentialOfferPayload","Error","issuerOpts","acquireAccessTokenUsingRequest","accessTokenRequest","createAccessTokenRequest","additionalParams","validate","requestTokenURL","determineTokenURL","fetchMetadata","MetadataClientV1_0_13","retrieveAllMetadata","errorOnNotFound","useDpop","dPoPSigningAlgValuesSupported","length","dPoP","createDPoP","getCreateDPoPOptions","response","sendAuthCode","headers","dpop","nextDPoPNonce","jwtPayloadProps","nonce","retryWithNonce","shouldRetryTokenRequestWithDPoPNonce","ok","dpopNonce","successDPoPNonce","origResponse","get","successBody","token_type","params","credentialOfferRequest","toUniformCredentialOfferRequest","request","clientOpts","clientId","client_id","credential_issuer","createJwtBearerClientAssertion","supportedFlows","includes","AuthzFlowType","AUTHORIZATION_CODE_FLOW","grant_type","GrantTypes","AUTHORIZATION_CODE","redirect_uri","code_verifier","PRE_AUTHORIZED_CODE_FLOW","assertAlphanumericPin","user_pin","tx_code","PRE_AUTHORIZED_CODE","PRE_AUTH_CODE_LITERAL","grants","PRE_AUTH_GRANT_LITERAL","assertPreAuthorizedGrantType","grantType","assertAuthorizationGrantType","requestPayload","TokenErrorResponse","invalid_request","grantDetails","isPinRequired","LOG","warning","txCode","pinMeta","regex","input_mode","RegExp","test","assertNonEmptyPreAuthorizedCode","assertNonEmptyCodeVerifier","assertNonEmptyCode","throwNotSupportedFlow","formPost","convertJsonToURI","mode","JsonURIMode","X_FORM_WWW_URLENCODED","customHeaders","token_endpoint","url","as","creatTokenURLFromURL","allowInsecureEndpoints","tokenEndpoint","ObjectUtils","isString","debug","startsWith","hostname","replace","endpoint","substring","scheme","split","import_oid4vc_common","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","AccessTokenClientV1_0_11","acquireAccessToken","opts","asOpts","pin","codeVerifier","code","redirectUri","metadata","createDPoPOpts","credentialOffer","assertedUniformCredentialOffer","undefined","isPinRequired","isPinRequiredValue","credential_offer","issuer","credentialIssuer","getIssuerFromCredentialOfferPayload","Error","issuerOpts","acquireAccessTokenUsingRequest","accessTokenRequest","createAccessTokenRequest","additionalParams","pinMetadata","validate","requestTokenURL","determineTokenURL","fetchMetadata","MetadataClientV1_0_13","retrieveAllMetadata","errorOnNotFound","useDpop","dPoPSigningAlgValuesSupported","length","dPoP","createDPoP","getCreateDPoPOptions","response","sendAuthCode","headers","dpop","nextDPoPNonce","jwtPayloadProps","nonce","retryWithNonce","shouldRetryTokenRequestWithDPoPNonce","ok","dpopNonce","successDPoPNonce","origResponse","successBody","token_type","params","credentialOfferRequest","toUniformCredentialOfferRequest","request","credential_issuer","clientOpts","clientId","client_id","createJwtBearerClientAssertion","version","OpenId4VCIVersion","VER_1_0_11","supportedFlows","includes","AuthzFlowType","AUTHORIZATION_CODE_FLOW","grant_type","GrantTypes","AUTHORIZATION_CODE","redirect_uri","code_verifier","PRE_AUTHORIZED_CODE_FLOW","assertNumericPin","user_pin","PRE_AUTHORIZED_CODE","PRE_AUTH_CODE_LITERAL","grants","PRE_AUTH_GRANT_LITERAL","assertPreAuthorizedGrantType","grantType","assertAuthorizationGrantType","requestPayload","TokenErrorResponse","invalid_request","user_pin_required","debug","test","assertNonEmptyPreAuthorizedCode","assertNonEmptyCodeVerifier","assertNonEmptyCode","throwNotSupportedFlow","formPost","convertJsonToURI","mode","JsonURIMode","X_FORM_WWW_URLENCODED","customHeaders","token_endpoint","url","as","creatTokenURLFromURL","allowInsecureEndpoints","tokenEndpoint","ObjectUtils","isString","startsWith","hostname","replace","endpoint","substring","scheme","split","import_oid4vci_common","import_ssi_types","import_oid4vci_common","import_ssi_types","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","MetadataClientV1_0_11","retrieveAllMetadataFromCredentialOffer","credentialOffer","retrieveAllMetadataFromCredentialOfferRequest","credential_offer","request","issuer","getIssuerFromCredentialOfferPayload","retrieveAllMetadata","Error","opts","token_endpoint","credential_endpoint","deferred_credential_endpoint","authorization_endpoint","authorization_challenge_endpoint","authorizationServerType","authorization_server","oid4vciResponse","retrieveOpenID4VCIServerMetadata","errorOnNotFound","credentialIssuerMetadata","successBody","debug","JSON","stringify","response","retrieveWellknown","WellKnownEndpoints","OPENID_CONFIGURATION","authMetadata","OAUTH_AS","console","warn","endsWith","authorizationServerMetadata","issuerHost","OPENID4VCI_ISSUER","undefined","logger","Loggers","DEFAULT","get","MetadataClient","retrieveAllMetadataFromCredentialOffer","credentialOffer","determineSpecVersionFromOffer","credential_offer","OpenId4VCIVersion","VER_1_0_13","MetadataClientV1_0_13","MetadataClientV1_0_11","retrieveAllMetadataFromCredentialOfferRequest","request","issuer","getIssuerFromCredentialOfferPayload","Error","retrieveAllMetadata","opts","token_endpoint","credential_endpoint","deferred_credential_endpoint","authorization_endpoint","authorization_challenge_endpoint","authorizationServerType","authorization_servers","authorization_server","undefined","oid4vciResponse","retrieveOpenID4VCIServerMetadata","errorOnNotFound","credentialIssuerMetadata","successBody","debug","JSON","stringify","response","retrieveWellknown","WellKnownEndpoints","OPENID_CONFIGURATION","authMetadata","OAUTH_AS","includes","console","warn","endsWith","authorizationServerMetadata","issuerHost","OPENID4VCI_ISSUER","logger","Loggers","DEFAULT","get","createSignedAuthRequestWhenNeeded","requestObject","opts","requestObjectMode","CreateRequestObjectMode","REQUEST_URI","Error","REQUEST_OBJECT","signCallbacks","signCallback","kid","client_metadata","clientMetadata","jwksUri","authorization_details","JSON","parse","aud","iss","client_id","jwt","header","alg","typ","payload","pop","ProofOfPossessionBuilder","fromJwt","callbacks","version","OpenId4VCIVersion","VER_1_0_11","mode","build","filterSupportedCredentials","credentialOffer","credentialsSupported","credential_configuration_ids","Object","entries","filter","entry","includes","map","configuration_id","createAuthorizationRequestUrl","pkce","endpointMetadata","authorizationRequest","credentialConfigurationSupported","clientId","removeDisplayAndValueTypes","obj","newObj","prop","redirectUri","requestObjectOpts","NONE","authorizationMetadata","authorizationServerMetadata","credentialIssuerMetadata","authorizationDetails","parMode","require_pushed_authorization_requests","PARMode","REQUIRE","AUTO","NEVER","scope","credential_offer","ver","determineSpecVersionFromOffer","VER_1_0_13","creds","flatMap","cred","locations","credential_issuer","issuer","credential_configuration_id","format","undefined","vct","doctype","credential_definition","isW3cCredentialSupported","type","credentialSubject","claims","length","authorization_endpoint","parEndpoint","pushed_authorization_request_endpoint","queryObj","response_type","ResponseType","AUTH_CODE","disabled","code_challenge_method","codeChallengeMethod","CodeChallengeMethod","S256","code_challenge","codeChallenge","stringify","handleAuthorizationDetails","redirect_uri","issuerState","issuer_state","state","debug","parResponse","formPost","convertJsonToURI","JsonURIMode","X_FORM_WWW_URLENCODED","uriTypeProperties","contentType","accept","errorBody","successBody","origResponse","statusText","request_uri","authorization_server","url","baseUrl","Array","isArray","value","handleLocations","push","acquireAuthorizationChallengeAuthCode","metadata","credentialIssuer","issuerOpts","acquireAuthorizationChallengeAuthCodeUsingRequest","authorizationChallengeRequest","createAuthorizationChallengeRequest","fetchMetadata","MetadataClient","retrieveAllMetadata","errorOnNotFound","authorizationChallengeCodeUrl","authorization_challenge_endpoint","Promise","reject","response","sendAuthorizationChallengeRequest","authSession","presentationDuringIssuanceSession","request","auth_session","presentation_during_issuance_session","customHeaders","headers","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","createAuthorizationRequestUrlV1_0_11","pkce","endpointMetadata","authorizationRequest","credentialOffer","credentialsSupported","redirectUri","clientId","requestObjectOpts","requestObjectMode","CreateRequestObjectMode","NONE","scope","authorizationDetails","parMode","credentialIssuerMetadata","require_pushed_authorization_requests","PARMode","REQUIRE","AUTO","Error","creds","credential_offer","credentials","flatMap","cred","filter","map","type","locations","issuer","format","Array","isArray","length","authorization_endpoint","parEndpoint","pushed_authorization_request_endpoint","includes","s","join","queryObj","response_type","ResponseType","AUTH_CODE","disabled","code_challenge_method","codeChallengeMethod","CodeChallengeMethod","S256","code_challenge","codeChallenge","authorization_details","JSON","stringify","handleAuthorizationDetailsV1_0_11","redirect_uri","client_id","issuerState","issuer_state","NEVER","debug","parResponse","formPost","convertJsonToURI","mode","JsonURIMode","X_FORM_WWW_URLENCODED","uriTypeProperties","contentType","accept","errorBody","successBody","console","log","origResponse","statusText","request_uri","createSignedAuthRequestWhenNeeded","aud","authorization_server","url","baseUrl","value","handleLocations","push","import_oid4vc_common","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","buildProof","proofInput","opts","cNonce","Error","ProofOfPossessionBuilder","fromProof","version","build","withAccessTokenNonce","CredentialRequestClient","_credentialRequestOpts","_isDeferred","credentialRequestOpts","isDeferred","getCredentialEndpoint","credentialEndpoint","getDeferredCredentialEndpoint","deferredCredentialEndpoint","builder","acquireCredentialsWithoutProof","credentialIdentifier","credentialTypes","format","context","subjectIssuance","request","createCredentialRequestWithoutProof","acquireCredentialsUsingRequestWithoutProof","createDPoPOpts","acquireCredentialsUsingProof","createCredentialRequest","acquireCredentialsUsingRequest","uniformRequest","acquireCredentialsUsingRequestImpl","OpenId4VCIVersion","VER_1_0_13","getCredentialRequestForVersion","isValidURL","debug","URL_NOT_VALID","JSON","stringify","requestToken","token","dPoP","createDPoP","getCreateDPoPOptions","accessToken","undefined","response","post","bearerToken","customHeaders","dpop","nextDPoPNonce","jwtPayloadProps","nonce","retryWithNonce","shouldRetryResourceRequestWithDPoPNonce","ok","dpopNonce","successDPoPNonce","origResponse","headers","isDeferredCredentialResponse","deferredCredentialAwait","successBody","acquireDeferredCredential","access_token","credential_subject_issuance","params","transactionId","transaction_id","acceptance_token","deferredCredentialIntervalInMS","createCredentialRequestImpl","credential_identifier","proof","formatSelection","getUniformFormat","typesSelection","length","types","Array","isArray","issuer_state","issuerState","credential_definition","type","VER_1_0_12","vct","doctype","import_oid4vci_common","CredentialOfferClient","fromURI","uri","opts","LOG","debug","includes","Error","scheme","split","baseUrl","version","determineSpecVersionFromURI","log","credentialOffer","credentialOfferPayload","OpenId4VCIVersion","VER_1_0_11","convertURIToJsonObject","arrayTypeProperties","requiredProperties","credential_offer","handleCredentialOfferUri","credential_offer_uri","undefined","request","toUniformCredentialOfferRequest","constructBaseResponse","userPinRequired","grants","PRE_AUTH_GRANT_LITERAL","user_pin_required","tx_code","toURI","requestWithBaseUrl","JSON","stringify","replace","param","isUri","valueOf","length","endsWith","convertJsonToURI","original_credential_offer","uriTypeProperties","VER_1_0_13","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","CredentialOfferClientV1_0_11","fromURI","uri","opts","debug","includes","Error","scheme","split","baseUrl","version","determineSpecVersionFromURI","credentialOffer","credentialOfferPayload","OpenId4VCIVersion","VER_1_0_11","convertURIToJsonObject","arrayTypeProperties","requiredProperties","credential_offer","credential_offer_uri","undefined","request","toUniformCredentialOfferRequest","clientId","getClientIdFromCredentialOfferPayload","grants","authorization_code","issuer_state","issuerState","PRE_AUTH_GRANT_LITERAL","PRE_AUTH_CODE_LITERAL","preAuthorizedCode","userPinRequired","user_pin_required","toURI","requestWithBaseUrl","JSON","stringify","replace","param","isUri","valueOf","length","endsWith","convertJsonToURI","original_credential_offer","uriTypeProperties","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","CredentialOfferClientV1_0_13","fromURI","uri","opts","debug","includes","Error","scheme","split","baseUrl","version","determineSpecVersionFromURI","credentialOffer","handleCredentialOfferUri","convertURIToJsonObject","arrayTypeProperties","requiredProperties","credential_offer_uri","undefined","credential_offer","request","toUniformCredentialOfferRequest","constructBaseResponse","userPinRequired","grants","PRE_AUTH_GRANT_LITERAL","tx_code","toURI","requestWithBaseUrl","JSON","stringify","replace","param","isUri","valueOf","OpenId4VCIVersion","VER_1_0_11","length","endsWith","convertJsonToURI","original_credential_offer","uriTypeProperties","VER_1_0_13","import_oid4vc_common","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","CredentialRequestClientV1_0_11","_credentialRequestOpts","_isDeferred","credentialRequestOpts","isDeferred","getCredentialEndpoint","credentialEndpoint","getDeferredCredentialEndpoint","deferredCredentialEndpoint","builder","acquireCredentialsUsingProof","opts","credentialTypes","proofInput","format","context","request","createCredentialRequest","version","acquireCredentialsUsingRequest","createDPoPOpts","uniformRequest","getCredentialRequestForVersion","isValidURL","debug","Error","URL_NOT_VALID","JSON","stringify","requestToken","token","dPoP","createDPoP","getCreateDPoPOptions","accessToken","undefined","response","post","bearerToken","customHeaders","dpop","nextDPoPNonce","jwtPayloadProps","nonce","retryWithNonce","shouldRetryResourceRequestWithDPoPNonce","ok","dpopNonce","successDPoPNonce","origResponse","headers","isDeferredCredentialResponse","deferredCredentialAwait","successBody","acquireDeferredCredential","access_token","params","transactionId","transaction_id","acceptance_token","deferredCredentialIntervalInMS","formatSelection","getUniformFormat","typesSelection","length","types","Array","isArray","isV11OrHigher","proof","buildProof","OpenId4VCIVersion","VER_1_0_12","credential_definition","vct","doctype","VER_1_0_11","import_oid4vci_common","import_oid4vci_common","CredentialRequestClientBuilderV1_0_11","credentialEndpoint","deferredCredentialEndpoint","deferredCredentialAwait","deferredCredentialIntervalInMS","credentialTypes","format","token","version","subjectIssuance","issuerState","fromCredentialIssuer","credentialIssuer","metadata","issuer","builder","withVersion","OpenId4VCIVersion","VER_1_0_11","withCredentialEndpoint","credential_endpoint","endsWith","deferred_credential_endpoint","withDeferredCredentialEndpoint","withCredentialType","fromURI","uri","offer","CredentialOfferClientV1_0_11","fromCredentialOfferRequest","request","opts","determineSpecVersionFromOffer","original_credential_offer","getIssuerFromCredentialOfferPayload","credential_offer","VER_1_0_08","credential_type","getTypesFromOfferV1_0_11","fromCredentialOffer","credentialOffer","withIssuerState","withCredentialEndpointFromMetadata","withDeferredCredentialEndpointFromMetadata","withDeferredCredentialAwait","Array","isArray","withFormat","withSubjectIssuance","withToken","accessToken","withTokenFromResponse","response","access_token","build","CredentialRequestClientV1_0_11","import_oid4vci_common","CredentialRequestClientBuilderV1_0_13","credentialEndpoint","deferredCredentialEndpoint","deferredCredentialAwait","deferredCredentialIntervalInMS","credentialIdentifier","credentialTypes","format","token","version","subjectIssuance","issuerState","fromCredentialIssuer","credentialIssuer","metadata","issuer","builder","withVersion","OpenId4VCIVersion","VER_1_0_13","withCredentialEndpoint","credential_endpoint","endsWith","deferred_credential_endpoint","withDeferredCredentialEndpoint","withCredentialIdentifier","withCredentialType","fromURI","uri","offer","CredentialOfferClient","fromCredentialOfferRequest","request","opts","determineSpecVersionFromOffer","original_credential_offer","Error","getIssuerFromCredentialOfferPayload","credential_offer","ids","credential_configuration_ids","length","fromCredentialOffer","credentialOffer","withCredentialEndpointFromMetadata","withIssuerState","withDeferredCredentialEndpointFromMetadata","withDeferredCredentialAwait","Array","isArray","withFormat","withSubjectIssuance","withToken","accessToken","withTokenFromResponse","response","access_token","build","VER_1_0_11","CredentialRequestClient","isV1_0_13","builder","withCredentialIdentifier","undefined","CredentialRequestClientBuilder","_builder","fromCredentialIssuer","credentialIssuer","metadata","version","credentialIdentifier","credentialTypes","specVersion","OpenId4VCIVersion","VER_1_0_13","CredentialRequestClientBuilderV1_0_13","length","Error","CredentialRequestClientBuilderV1_0_11","fromURI","uri","offer","CredentialOfferClient","fromCredentialOfferRequest","request","opts","determineSpecVersionFromOffer","original_credential_offer","fromCredentialOffer","credentialOffer","credential_offer","getVersion","withCredentialEndpointFromMetadata","withCredentialEndpoint","credentialEndpoint","withDeferredCredentialEndpointFromMetadata","withDeferredCredentialEndpoint","deferredCredentialEndpoint","withDeferredCredentialAwait","deferredCredentialAwait","deferredCredentialIntervalInMS","withIssuerState","issuerState","withCredentialType","withFormat","format","withSubjectIssuance","subjectIssuance","withToken","accessToken","withTokenFromResponse","response","withVersion","build","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","OpenID4VCIClient","_state","credentialOffer","clientId","kid","alg","credentialIssuer","pkce","authorizationRequest","accessToken","jwk","endpointMetadata","accessTokenResponse","authorizationRequestOpts","authorizationCodeResponse","authorizationURL","issuer","getIssuerFromCredentialOfferPayload","credential_offer","undefined","Error","getClientIdFromCredentialOfferPayload","split","disabled","codeChallengeMethod","CodeChallengeMethod","S256","credentialIssuerMetadata","authorization_server","syncAuthorizationRequestOpts","debug","JSON","stringify","fromCredentialIssuer","retrieveServerMetadata","createAuthorizationRequestURL","client","createAuthorizationRequestUrl","fromState","state","clientState","parse","fromURI","uri","resolveOfferUri","credentialOfferClient","CredentialOfferClient","resolve","supportedFlows","includes","AuthzFlowType","AUTHORIZATION_CODE_FLOW","opts","calculatePKCEOpts","authorization_endpoint","version","OpenId4VCIVersion","VER_1_0_11","createAuthorizationRequestUrlV1_0_11","credentialsSupported","Object","values","getCredentialsSupported","credentialConfigurationSupported","assertIssuerData","MetadataClient","retrieveAllMetadataFromCredentialOffer","retrieveAllMetadata","generateMissingPKCEOpts","acquireAuthorizationChallengeCode","response","acquireAuthorizationChallengeAuthCode","metadata","getIssuer","errorBody","error","Promise","reject","successBody","authorization_challenge_endpoint","acquireAccessToken","pin","redirectUri","code","getAuthorizationCode","authorizationResponse","codeVerifier","asOpts","clientOpts","requestObjectOpts","clientAssertionType","signCallbacks","signCallback","isEBSI","accessTokenClient","VER_1_0_12","AccessTokenClientV1_0_11","AccessTokenClient","console","log","createDPoPOpts","additionalRequestParams","additionalParams","token_endpoint","origResponse","status","dpopResponseParams","params","access_token","acquireCredentials","credentialTypes","context","proofCallbacks","format","jti","deferredCredentialAwait","deferredCredentialIntervalInMS","filter","v","length","KID_JWK_X5C_ERROR","requestBuilder","VER_1_0_13","CredentialRequestClientBuilderV1_0_11","fromCredentialOffer","CredentialRequestClientBuilderV1_0_13","issuerState","issuerSupportedFlowTypes","c_nonce","withIssuerState","withTokenFromResponse","withDeferredCredentialAwait","subjectIssuance","types","Array","isArray","credentials_supported","typeSupported","forEach","supportedCredential","subTypes","getTypesFromCredentialSupported","every","t","i","id","credential_subject_issuance","some","type","withSubjectIssuance","credentialRequestClient","build","proofBuilder","ProofOfPossessionBuilder","fromAccessTokenResponse","callbacks","withIssuer","withAlg","withJWK","withKid","withClientId","withJti","acquireCredentialsUsingProof","proofInput","credential_endpoint","exportState","restrictToInitiationTypes","getSupportedCredentials","issuerMetadata","getCredentialOfferTypes","sendNotification","credentialRequestOpts","request","orig","original_credential_offer","credential_type","result","credentials","map","c","getTypesFromObject","isFlowTypeSupported","flowType","hasAuthorizationURL","VER_UNKNOWN","versions","determineVersionsFromIssuerMetadata","assertServerMetadata","value","hasAccessTokenResponse","assertAccessToken","getAccessTokenEndpoint","determineTokenURL","issuerOpts","getCredentialEndpoint","getAuthorizationChallengeEndpoint","hasAuthorizationChallengeEndpoint","hasDeferredCredentialEndpoint","getDeferredCredentialEndpoint","find","cred","trust_framework","name","DefaultURISchemes","CREDENTIAL_OFFER","toAuthorizationResponsePayload","authorization_code","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","OpenID4VCIClientV1_0_13","_state","credentialOffer","clientId","kid","alg","credentialIssuer","pkce","authorizationRequest","accessToken","jwk","endpointMetadata","accessTokenResponse","authorizationRequestOpts","authorizationCodeResponse","authorizationURL","issuer","getIssuerFromCredentialOfferPayload","credential_offer","undefined","Error","getClientIdFromCredentialOfferPayload","split","disabled","codeChallengeMethod","CodeChallengeMethod","S256","syncAuthorizationRequestOpts","debug","JSON","stringify","fromCredentialIssuer","retrieveServerMetadata","createAuthorizationRequestURL","client","createAuthorizationRequestUrl","fromState","state","clientState","parse","fromURI","uri","resolveOfferUri","credentialOfferClient","CredentialOfferClient","resolve","supportedFlows","includes","AuthzFlowType","AUTHORIZATION_CODE_FLOW","opts","calculatePKCEOpts","credentialIssuerMetadata","authorization_endpoint","credentialConfigurationSupported","getCredentialsSupported","version","assertIssuerData","MetadataClientV1_0_13","retrieveAllMetadataFromCredentialOffer","retrieveAllMetadata","generateMissingPKCEOpts","acquireAuthorizationChallengeCode","response","acquireAuthorizationChallengeAuthCode","metadata","getIssuer","errorBody","error","Promise","reject","successBody","authorization_challenge_endpoint","acquireAccessToken","pin","redirectUri","code","getAuthorizationCode","authorizationResponse","codeVerifier","asOpts","clientOpts","requestObjectOpts","clientAssertionType","signCallbacks","signCallback","isEBSI","accessTokenClient","AccessTokenClient","console","log","createDPoPOpts","additionalRequestParams","additionalParams","token_endpoint","origResponse","status","dpopResponseParams","params","access_token","acquireCredentialsWithoutProof","args","acquireCredentialsImpl","acquireCredentials","credentialIdentifier","credentialTypes","context","proofCallbacks","format","jti","deferredCredentialAwait","deferredCredentialIntervalInMS","filter","v","length","KID_JWK_X5C_ERROR","requestBuilder","CredentialRequestClientBuilderV1_0_13","fromCredentialOffer","issuerState","issuerSupportedFlowTypes","c_nonce","withIssuerState","withTokenFromResponse","withDeferredCredentialAwait","subjectIssuance","types","Array","isArray","credential_configurations_supported","credentialsSupported","credentials_supported","typeSupported","forEach","supportedCredential","subTypes","getTypesFromCredentialSupported","every","t","i","id","credential_subject_issuance","Object","values","withSubjectIssuance","credentialRequestClient","build","proofBuilder","ProofOfPossessionBuilder","fromAccessTokenResponse","callbacks","withIssuer","withAlg","withJWK","withKid","withClientId","withJti","request","createCredentialRequest","proofInput","createCredentialRequestWithoutProof","acquireCredentialsUsingRequest","credential_endpoint","exportState","getSupportedCredentials","issuerMetadata","sendNotification","credentialRequestOpts","isFlowTypeSupported","flowType","hasAuthorizationURL","OpenId4VCIVersion","VER_1_0_13","assertServerMetadata","value","hasAccessTokenResponse","assertAccessToken","getAccessTokenEndpoint","determineTokenURL","issuerOpts","getCredentialEndpoint","hasDeferredCredentialEndpoint","getDeferredCredentialEndpoint","credential_configuration_ids","credentialConfigurations","isEBSITrustFramework","map","config","trust_framework","some","name","authorization_server","DefaultURISchemes","CREDENTIAL_OFFER","toAuthorizationResponsePayload","authorization_code","import_oid4vci_common","import_ssi_types","logger","Loggers","DEFAULT","get","OpenID4VCIClientV1_0_11","_state","credentialOffer","clientId","kid","alg","credentialIssuer","pkce","authorizationRequest","jwk","endpointMetadata","accessTokenResponse","authorizationRequestOpts","authorizationCodeResponse","authorizationURL","issuer","getIssuerFromCredentialOfferPayload","credential_offer","undefined","Error","getClientIdFromCredentialOfferPayload","split","disabled","codeChallengeMethod","CodeChallengeMethod","S256","syncAuthorizationRequestOpts","debug","JSON","stringify","fromCredentialIssuer","retrieveServerMetadata","createAuthorizationRequestURL","client","createAuthorizationRequestUrl","fromState","state","clientState","parse","fromURI","uri","resolveOfferUri","credentialOfferClient","CredentialOfferClientV1_0_11","resolve","supportedFlows","includes","AuthzFlowType","AUTHORIZATION_CODE_FLOW","opts","calculatePKCEOpts","credentialIssuerMetadata","authorization_endpoint","createAuthorizationRequestUrlV1_0_11","credentialsSupported","Object","values","getCredentialsSupported","assertIssuerData","MetadataClientV1_0_11","retrieveAllMetadataFromCredentialOffer","retrieveAllMetadata","generateMissingPKCEOpts","acquireAuthorizationChallengeCode","response","acquireAuthorizationChallengeAuthCode","metadata","getIssuer","errorBody","error","Promise","reject","successBody","authorization_challenge_endpoint","acquireAccessToken","pin","redirectUri","code","getAuthorizationCode","authorizationResponse","codeVerifier","asOpts","clientOpts","accessTokenClient","AccessTokenClientV1_0_11","console","log","requestObjectOpts","clientAssertionType","signCallbacks","signCallback","isEBSI","createDPoPOpts","additionalRequestParams","additionalParams","token_endpoint","origResponse","status","dpopResponseParams","params","accessToken","access_token","acquireCredentials","credentialTypes","context","proofCallbacks","format","jti","deferredCredentialAwait","deferredCredentialIntervalInMS","filter","v","length","KID_JWK_X5C_ERROR","requestBuilder","CredentialRequestClientBuilderV1_0_11","fromCredentialOffer","version","withTokenFromResponse","withDeferredCredentialAwait","types","Array","isArray","credentials_supported","typeSupported","forEach","supportedCredential","subTypes","getTypesFromCredentialSupported","every","t","i","id","some","type","credentialRequestClient","build","proofBuilder","ProofOfPossessionBuilder","fromAccessTokenResponse","callbacks","withIssuer","withAlg","withJWK","withKid","withClientId","withJti","acquireCredentialsUsingProof","proofInput","credential_endpoint","exportState","getCredentialsSupportedV11","restrictToInitiationTypes","getSupportedCredentials","issuerMetadata","getCredentialOfferTypes","OpenId4VCIVersion","VER_1_0_11","orig","original_credential_offer","credential_type","result","VER_1_0_13","credentials","map","c","getTypesFromObject","issuerSupportedFlowTypes","isFlowTypeSupported","flowType","hasAuthorizationURL","assertServerMetadata","value","hasAccessTokenResponse","assertAccessToken","getAccessTokenEndpoint","determineTokenURL","issuerOpts","getCredentialEndpoint","hasDeferredCredentialEndpoint","getDeferredCredentialEndpoint","find","cred","trust_framework","name","authorization_server","DefaultURISchemes","CREDENTIAL_OFFER","toAuthorizationResponsePayload","authorization_code","LOG","VCI_LOGGERS","get"]}