FRE-651: CEO coordination notes for founder bio/headshot assets

node_modules/@clerk/backend/dist/jwt/algorithms.d.ts

@@ -0,0 +1,3 @@
+export declare const algs: string[];
+export declare function getCryptoAlgorithm(algorithmName: string): RsaHashedImportParams;
+//# sourceMappingURL=algorithms.d.ts.map

node_modules/@clerk/backend/dist/jwt/algorithms.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"algorithms.d.ts","sourceRoot":"","sources":["../../src/jwt/algorithms.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,IAAI,UAAyB,CAAC;AAE3C,wBAAgB,kBAAkB,CAAC,aAAa,EAAE,MAAM,GAAG,qBAAqB,CAY/E"}

node_modules/@clerk/backend/dist/jwt/assertions.d.ts

@@ -0,0 +1,10 @@
+export type IssuerResolver = string | ((iss: string) => boolean);
+export declare const assertAudienceClaim: (aud?: unknown, audience?: unknown) => void;
+export declare const assertHeaderType: (typ?: unknown, allowedTypes?: string | string[]) => void;
+export declare const assertHeaderAlgorithm: (alg: string) => void;
+export declare const assertSubClaim: (sub?: string) => void;
+export declare const assertAuthorizedPartiesClaim: (azp?: string, authorizedParties?: string[]) => void;
+export declare const assertExpirationClaim: (exp: number, clockSkewInMs: number) => void;
+export declare const assertActivationClaim: (nbf: number | undefined, clockSkewInMs: number) => void;
+export declare const assertIssuedAtClaim: (iat: number | undefined, clockSkewInMs: number) => void;
+//# sourceMappingURL=assertions.d.ts.map

node_modules/@clerk/backend/dist/jwt/assertions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"assertions.d.ts","sourceRoot":"","sources":["../../src/jwt/assertions.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,CAAC;AAMjE,eAAO,MAAM,mBAAmB,GAAI,MAAM,OAAO,EAAE,WAAW,OAAO,SAsCpE,CAAC;AAEF,eAAO,MAAM,gBAAgB,GAAI,MAAM,OAAO,EAAE,eAAc,MAAM,GAAG,MAAM,EAAU,SAatF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,SAQhD,CAAC;AAEF,eAAO,MAAM,cAAc,GAAI,MAAM,MAAM,SAQ1C,CAAC;AAEF,eAAO,MAAM,4BAA4B,GAAI,MAAM,MAAM,EAAE,oBAAoB,MAAM,EAAE,SAWtF,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,EAAE,eAAe,MAAM,SAoBvE,CAAC;AAEF,eAAO,MAAM,qBAAqB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBnF,CAAC;AAEF,eAAO,MAAM,mBAAmB,GAAI,KAAK,MAAM,GAAG,SAAS,EAAE,eAAe,MAAM,SAwBjF,CAAC"}

node_modules/@clerk/backend/dist/jwt/cryptoKeys.d.ts

@@ -0,0 +1,2 @@
+export declare function importKey(key: JsonWebKey | string, algorithm: RsaHashedImportParams, keyUsage: 'verify' | 'sign'): Promise<CryptoKey>;
+//# sourceMappingURL=cryptoKeys.d.ts.map

node_modules/@clerk/backend/dist/jwt/cryptoKeys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cryptoKeys.d.ts","sourceRoot":"","sources":["../../src/jwt/cryptoKeys.ts"],"names":[],"mappings":"AAuBA,wBAAgB,SAAS,CACvB,GAAG,EAAE,UAAU,GAAG,MAAM,EACxB,SAAS,EAAE,qBAAqB,EAChC,QAAQ,EAAE,QAAQ,GAAG,MAAM,GAC1B,OAAO,CAAC,SAAS,CAAC,CASpB"}

node_modules/@clerk/backend/dist/jwt/index.d.ts

@@ -0,0 +1,7 @@
+export type { VerifyJwtOptions } from './verifyJwt';
+export type { SignJwtOptions } from './signJwt';
+export declare const verifyJwt: (token: string, options: import("./verifyJwt").VerifyJwtOptions) => Promise<NonNullable<import("@clerk/shared/types").JwtPayload | undefined>>;
+export declare const decodeJwt: (token: string) => import("@clerk/shared/types").Jwt;
+export declare const signJwt: (payload: Record<string, unknown>, key: string | JsonWebKey, options: import("./signJwt").SignJwtOptions) => Promise<string>;
+export declare const hasValidSignature: (jwt: import("@clerk/shared/types").Jwt, key: string | JsonWebKey) => Promise<NonNullable<boolean | undefined>>;
+//# sourceMappingURL=index.d.ts.map

node_modules/@clerk/backend/dist/jwt/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/jwt/index.ts"],"names":[],"mappings":"AAIA,YAAY,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACpD,YAAY,EAAE,cAAc,EAAE,MAAM,WAAW,CAAC;AAKhD,eAAO,MAAM,SAAS,gJAA+B,CAAC;AACtD,eAAO,MAAM,SAAS,sDAAmC,CAAC;AAE1D,eAAO,MAAM,OAAO,8HAA6B,CAAC;AAClD,eAAO,MAAM,iBAAiB,iHAAuC,CAAC"}

node_modules/@clerk/backend/dist/jwt/index.js

@@ -0,0 +1,544 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/jwt/index.ts
+var jwt_exports = {};
+__export(jwt_exports, {
+  decodeJwt: () => decodeJwt2,
+  hasValidSignature: () => hasValidSignature2,
+  signJwt: () => signJwt2,
+  verifyJwt: () => verifyJwt2
+});
+module.exports = __toCommonJS(jwt_exports);
+
+// src/jwt/legacyReturn.ts
+function withLegacyReturn(cb) {
+  return async (...args) => {
+    const { data, errors } = await cb(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+}
+function withLegacySyncReturn(cb) {
+  return (...args) => {
+    const { data, errors } = cb(...args);
+    if (errors) {
+      throw errors[0];
+    }
+    return data;
+  };
+}
+
+// src/errors.ts
+var import_error = require("@clerk/shared/error");
+var import_error2 = require("@clerk/shared/error");
+var TokenVerificationErrorReason = {
+  TokenExpired: "token-expired",
+  TokenInvalid: "token-invalid",
+  TokenInvalidAlgorithm: "token-invalid-algorithm",
+  TokenInvalidAuthorizedParties: "token-invalid-authorized-parties",
+  TokenInvalidSignature: "token-invalid-signature",
+  TokenNotActiveYet: "token-not-active-yet",
+  TokenIatInTheFuture: "token-iat-in-the-future",
+  TokenVerificationFailed: "token-verification-failed",
+  InvalidSecretKey: "secret-key-invalid",
+  LocalJWKMissing: "jwk-local-missing",
+  RemoteJWKFailedToLoad: "jwk-remote-failed-to-load",
+  RemoteJWKInvalid: "jwk-remote-invalid",
+  RemoteJWKMissing: "jwk-remote-missing",
+  JWKFailedToResolve: "jwk-failed-to-resolve",
+  JWKKidMismatch: "jwk-kid-mismatch"
+};
+var TokenVerificationErrorAction = {
+  ContactSupport: "Contact support@clerk.com",
+  EnsureClerkJWT: "Make sure that this is a valid Clerk-generated JWT.",
+  SetClerkJWTKey: "Set the CLERK_JWT_KEY environment variable.",
+  SetClerkSecretKey: "Set the CLERK_SECRET_KEY environment variable.",
+  EnsureClockSync: "Make sure your system clock is in sync (e.g. turn off and on automatic time synchronization)."
+};
+var TokenVerificationError = class _TokenVerificationError extends Error {
+  constructor({
+    action,
+    message,
+    reason
+  }) {
+    super(message);
+    Object.setPrototypeOf(this, _TokenVerificationError.prototype);
+    this.reason = reason;
+    this.message = message;
+    this.action = action;
+  }
+  getFullMessage() {
+    return `${[this.message, this.action].filter((m) => m).join(" ")} (reason=${this.reason}, token-carrier=${this.tokenCarrier})`;
+  }
+};
+var SignJWTError = class extends Error {
+};
+var _MachineTokenVerificationError = class _MachineTokenVerificationError extends import_error.ClerkError {
+  constructor({
+    message,
+    code,
+    status,
+    action
+  }) {
+    super({ message, code });
+    Object.setPrototypeOf(this, _MachineTokenVerificationError.prototype);
+    this.status = status;
+    this.action = action;
+  }
+  // Keep message unformatted, matching ClerkAPIResponseError's approach
+  static formatMessage(_name, msg, _code, _docsUrl) {
+    return msg;
+  }
+  getFullMessage() {
+    return `${this.message} (code=${this.code}, status=${this.status || "n/a"})`;
+  }
+};
+_MachineTokenVerificationError.kind = "MachineTokenVerificationError";
+var MachineTokenVerificationError = _MachineTokenVerificationError;
+
+// src/runtime.ts
+var import_crypto = require("#crypto");
+var globalFetch = fetch.bind(globalThis);
+var runtime = {
+  crypto: import_crypto.webcrypto,
+  get fetch() {
+    return process.env.NODE_ENV === "test" ? fetch : globalFetch;
+  },
+  AbortController: globalThis.AbortController,
+  Blob: globalThis.Blob,
+  FormData: globalThis.FormData,
+  Headers: globalThis.Headers,
+  Request: globalThis.Request,
+  Response: globalThis.Response
+};
+
+// src/util/rfc4648.ts
+var base64url = {
+  parse(string, opts) {
+    return parse(string, base64UrlEncoding, opts);
+  },
+  stringify(data, opts) {
+    return stringify(data, base64UrlEncoding, opts);
+  }
+};
+var base64UrlEncoding = {
+  chars: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_",
+  bits: 6
+};
+function parse(string, encoding, opts = {}) {
+  if (!encoding.codes) {
+    encoding.codes = {};
+    for (let i = 0; i < encoding.chars.length; ++i) {
+      encoding.codes[encoding.chars[i]] = i;
+    }
+  }
+  if (!opts.loose && string.length * encoding.bits & 7) {
+    throw new SyntaxError("Invalid padding");
+  }
+  let end = string.length;
+  while (string[end - 1] === "=") {
+    --end;
+    if (!opts.loose && !((string.length - end) * encoding.bits & 7)) {
+      throw new SyntaxError("Invalid padding");
+    }
+  }
+  const out = new (opts.out ?? Uint8Array)(end * encoding.bits / 8 | 0);
+  let bits = 0;
+  let buffer = 0;
+  let written = 0;
+  for (let i = 0; i < end; ++i) {
+    const value = encoding.codes[string[i]];
+    if (value === void 0) {
+      throw new SyntaxError("Invalid character " + string[i]);
+    }
+    buffer = buffer << encoding.bits | value;
+    bits += encoding.bits;
+    if (bits >= 8) {
+      bits -= 8;
+      out[written++] = 255 & buffer >> bits;
+    }
+  }
+  if (bits >= encoding.bits || 255 & buffer << 8 - bits) {
+    throw new SyntaxError("Unexpected end of data");
+  }
+  return out;
+}
+function stringify(data, encoding, opts = {}) {
+  const { pad = true } = opts;
+  const mask = (1 << encoding.bits) - 1;
+  let out = "";
+  let bits = 0;
+  let buffer = 0;
+  for (let i = 0; i < data.length; ++i) {
+    buffer = buffer << 8 | 255 & data[i];
+    bits += 8;
+    while (bits > encoding.bits) {
+      bits -= encoding.bits;
+      out += encoding.chars[mask & buffer >> bits];
+    }
+  }
+  if (bits) {
+    out += encoding.chars[mask & buffer << encoding.bits - bits];
+  }
+  if (pad) {
+    while (out.length * encoding.bits & 7) {
+      out += "=";
+    }
+  }
+  return out;
+}
+
+// src/jwt/algorithms.ts
+var algToHash = {
+  RS256: "SHA-256",
+  RS384: "SHA-384",
+  RS512: "SHA-512"
+};
+var RSA_ALGORITHM_NAME = "RSASSA-PKCS1-v1_5";
+var jwksAlgToCryptoAlg = {
+  RS256: RSA_ALGORITHM_NAME,
+  RS384: RSA_ALGORITHM_NAME,
+  RS512: RSA_ALGORITHM_NAME
+};
+var algs = Object.keys(algToHash);
+function getCryptoAlgorithm(algorithmName) {
+  const hash = algToHash[algorithmName];
+  const name = jwksAlgToCryptoAlg[algorithmName];
+  if (!hash || !name) {
+    throw new Error(`Unsupported algorithm ${algorithmName}, expected one of ${algs.join(",")}.`);
+  }
+  return {
+    hash: { name: algToHash[algorithmName] },
+    name: jwksAlgToCryptoAlg[algorithmName]
+  };
+}
+
+// src/jwt/cryptoKeys.ts
+var import_isomorphicAtob = require("@clerk/shared/isomorphicAtob");
+function pemToBuffer(secret) {
+  const trimmed = secret.replace(/-----BEGIN.*?-----/g, "").replace(/-----END.*?-----/g, "").replace(/\s/g, "");
+  const decoded = (0, import_isomorphicAtob.isomorphicAtob)(trimmed);
+  const buffer = new ArrayBuffer(decoded.length);
+  const bufView = new Uint8Array(buffer);
+  for (let i = 0, strLen = decoded.length; i < strLen; i++) {
+    bufView[i] = decoded.charCodeAt(i);
+  }
+  return bufView;
+}
+function importKey(key, algorithm, keyUsage) {
+  if (typeof key === "object") {
+    return runtime.crypto.subtle.importKey("jwk", key, algorithm, false, [keyUsage]);
+  }
+  const keyData = pemToBuffer(key);
+  const format = keyUsage === "sign" ? "pkcs8" : "spki";
+  return runtime.crypto.subtle.importKey(format, keyData, algorithm, false, [keyUsage]);
+}
+
+// src/jwt/signJwt.ts
+function encodeJwtData(value) {
+  const stringified = JSON.stringify(value);
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(stringified);
+  return base64url.stringify(encoded, { pad: false });
+}
+async function signJwt(payload, key, options) {
+  if (!options.algorithm) {
+    throw new Error("No algorithm specified");
+  }
+  const encoder = new TextEncoder();
+  const algorithm = getCryptoAlgorithm(options.algorithm);
+  if (!algorithm) {
+    return {
+      errors: [new SignJWTError(`Unsupported algorithm ${options.algorithm}`)]
+    };
+  }
+  const cryptoKey = await importKey(key, algorithm, "sign");
+  const header = options.header || { typ: "JWT" };
+  header.alg = options.algorithm;
+  payload.iat = Math.floor(Date.now() / 1e3);
+  const encodedHeader = encodeJwtData(header);
+  const encodedPayload = encodeJwtData(payload);
+  const firstPart = `${encodedHeader}.${encodedPayload}`;
+  try {
+    const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart));
+    const encodedSignature = `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`;
+    return { data: encodedSignature };
+  } catch (error) {
+    return { errors: [new SignJWTError(error?.message)] };
+  }
+}
+
+// src/jwt/assertions.ts
+var isArrayString = (s) => {
+  return Array.isArray(s) && s.length > 0 && s.every((a) => typeof a === "string");
+};
+var assertAudienceClaim = (aud, audience) => {
+  const audienceList = [audience].flat().filter((a) => !!a);
+  const audList = [aud].flat().filter((a) => !!a);
+  const shouldVerifyAudience = audienceList.length > 0 && audList.length > 0;
+  if (!shouldVerifyAudience) {
+    return;
+  }
+  if (typeof aud === "string") {
+    if (!audienceList.includes(aud)) {
+      throw new TokenVerificationError({
+        action: TokenVerificationErrorAction.EnsureClerkJWT,
+        reason: TokenVerificationErrorReason.TokenVerificationFailed,
+        message: `Invalid JWT audience claim (aud) ${JSON.stringify(aud)}. Is not included in "${JSON.stringify(
+          audienceList
+        )}".`
+      });
+    }
+  } else if (isArrayString(aud)) {
+    if (!aud.some((a) => audienceList.includes(a))) {
+      throw new TokenVerificationError({
+        action: TokenVerificationErrorAction.EnsureClerkJWT,
+        reason: TokenVerificationErrorReason.TokenVerificationFailed,
+        message: `Invalid JWT audience claim array (aud) ${JSON.stringify(aud)}. Is not included in "${JSON.stringify(
+          audienceList
+        )}".`
+      });
+    }
+  }
+};
+var assertHeaderType = (typ, allowedTypes = "JWT") => {
+  if (typeof typ === "undefined") {
+    return;
+  }
+  const allowed = Array.isArray(allowedTypes) ? allowedTypes : [allowedTypes];
+  if (!allowed.includes(typ)) {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenInvalid,
+      message: `Invalid JWT type ${JSON.stringify(typ)}. Expected "${allowed.join(", ")}".`
+    });
+  }
+};
+var assertHeaderAlgorithm = (alg) => {
+  if (!algs.includes(alg)) {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenInvalidAlgorithm,
+      message: `Invalid JWT algorithm ${JSON.stringify(alg)}. Supported: ${algs}.`
+    });
+  }
+};
+var assertSubClaim = (sub) => {
+  if (typeof sub !== "string") {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Subject claim (sub) is required and must be a string. Received ${JSON.stringify(sub)}.`
+    });
+  }
+};
+var assertAuthorizedPartiesClaim = (azp, authorizedParties) => {
+  if (!azp || !authorizedParties || authorizedParties.length === 0) {
+    return;
+  }
+  if (!authorizedParties.includes(azp)) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenInvalidAuthorizedParties,
+      message: `Invalid JWT Authorized party claim (azp) ${JSON.stringify(azp)}. Expected "${authorizedParties}".`
+    });
+  }
+};
+var assertExpirationClaim = (exp, clockSkewInMs) => {
+  if (typeof exp !== "number") {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT expiry date claim (exp) ${JSON.stringify(exp)}. Expected number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const expiryDate = /* @__PURE__ */ new Date(0);
+  expiryDate.setUTCSeconds(exp);
+  const expired = expiryDate.getTime() <= currentDate.getTime() - clockSkewInMs;
+  if (expired) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenExpired,
+      message: `JWT is expired. Expiry date: ${expiryDate.toUTCString()}, Current date: ${currentDate.toUTCString()}.`
+    });
+  }
+};
+var assertActivationClaim = (nbf, clockSkewInMs) => {
+  if (typeof nbf === "undefined") {
+    return;
+  }
+  if (typeof nbf !== "number") {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT not before date claim (nbf) ${JSON.stringify(nbf)}. Expected number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const notBeforeDate = /* @__PURE__ */ new Date(0);
+  notBeforeDate.setUTCSeconds(nbf);
+  const early = notBeforeDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (early) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenNotActiveYet,
+      message: `JWT cannot be used prior to not before date claim (nbf). Not before date: ${notBeforeDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
+    });
+  }
+};
+var assertIssuedAtClaim = (iat, clockSkewInMs) => {
+  if (typeof iat === "undefined") {
+    return;
+  }
+  if (typeof iat !== "number") {
+    throw new TokenVerificationError({
+      action: TokenVerificationErrorAction.EnsureClerkJWT,
+      reason: TokenVerificationErrorReason.TokenVerificationFailed,
+      message: `Invalid JWT issued at date claim (iat) ${JSON.stringify(iat)}. Expected number.`
+    });
+  }
+  const currentDate = new Date(Date.now());
+  const issuedAtDate = /* @__PURE__ */ new Date(0);
+  issuedAtDate.setUTCSeconds(iat);
+  const postIssued = issuedAtDate.getTime() > currentDate.getTime() + clockSkewInMs;
+  if (postIssued) {
+    throw new TokenVerificationError({
+      reason: TokenVerificationErrorReason.TokenIatInTheFuture,
+      message: `JWT issued at date claim (iat) is in the future. Issued at date: ${issuedAtDate.toUTCString()}; Current date: ${currentDate.toUTCString()};`
+    });
+  }
+};
+
+// src/jwt/verifyJwt.ts
+var DEFAULT_CLOCK_SKEW_IN_MS = 5 * 1e3;
+async function hasValidSignature(jwt, key) {
+  const { header, signature, raw } = jwt;
+  const encoder = new TextEncoder();
+  const data = encoder.encode([raw.header, raw.payload].join("."));
+  const algorithm = getCryptoAlgorithm(header.alg);
+  try {
+    const cryptoKey = await importKey(key, algorithm, "verify");
+    const verified = await runtime.crypto.subtle.verify(algorithm.name, cryptoKey, signature, data);
+    return { data: verified };
+  } catch (error) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: error?.message
+        })
+      ]
+    };
+  }
+}
+function decodeJwt(token) {
+  const tokenParts = (token || "").toString().split(".");
+  if (tokenParts.length !== 3) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalid,
+          message: `Invalid JWT form. A JWT consists of three parts separated by dots.`
+        })
+      ]
+    };
+  }
+  const [rawHeader, rawPayload, rawSignature] = tokenParts;
+  const decoder = new TextDecoder();
+  const header = JSON.parse(decoder.decode(base64url.parse(rawHeader, { loose: true })));
+  const payload = JSON.parse(decoder.decode(base64url.parse(rawPayload, { loose: true })));
+  const signature = base64url.parse(rawSignature, { loose: true });
+  const data = {
+    header,
+    payload,
+    signature,
+    raw: {
+      header: rawHeader,
+      payload: rawPayload,
+      signature: rawSignature,
+      text: token
+    }
+  };
+  return { data };
+}
+async function verifyJwt(token, options) {
+  const { audience, authorizedParties, clockSkewInMs, key, headerType } = options;
+  const clockSkew = typeof clockSkewInMs === "number" && Number.isFinite(clockSkewInMs) ? clockSkewInMs : DEFAULT_CLOCK_SKEW_IN_MS;
+  const { data: decoded, errors } = decodeJwt(token);
+  if (errors) {
+    return { errors };
+  }
+  const { header, payload } = decoded;
+  try {
+    const { typ, alg } = header;
+    assertHeaderType(typ, headerType);
+    assertHeaderAlgorithm(alg);
+  } catch (err) {
+    return { errors: [err] };
+  }
+  const { data: signatureValid, errors: signatureErrors } = await hasValidSignature(decoded, key);
+  if (signatureErrors) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          action: TokenVerificationErrorAction.EnsureClerkJWT,
+          reason: TokenVerificationErrorReason.TokenVerificationFailed,
+          message: `Error verifying JWT signature. ${signatureErrors[0]}`
+        })
+      ]
+    };
+  }
+  if (!signatureValid) {
+    return {
+      errors: [
+        new TokenVerificationError({
+          reason: TokenVerificationErrorReason.TokenInvalidSignature,
+          message: "JWT signature is invalid."
+        })
+      ]
+    };
+  }
+  try {
+    const { azp, sub, aud, iat, exp, nbf } = payload;
+    assertSubClaim(sub);
+    assertAudienceClaim([aud], [audience]);
+    assertAuthorizedPartiesClaim(azp, authorizedParties);
+    assertExpirationClaim(exp, clockSkew);
+    assertActivationClaim(nbf, clockSkew);
+    assertIssuedAtClaim(iat, clockSkew);
+  } catch (err) {
+    return { errors: [err] };
+  }
+  return { data: payload };
+}
+
+// src/jwt/index.ts
+var verifyJwt2 = withLegacyReturn(verifyJwt);
+var decodeJwt2 = withLegacySyncReturn(decodeJwt);
+var signJwt2 = withLegacyReturn(signJwt);
+var hasValidSignature2 = withLegacyReturn(hasValidSignature);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  decodeJwt,
+  hasValidSignature,
+  signJwt,
+  verifyJwt
+});
+//# sourceMappingURL=index.js.map

node_modules/@clerk/backend/dist/jwt/index.mjs

@@ -0,0 +1,64 @@
+import {
+  withLegacyReturn,
+  withLegacySyncReturn
+} from "../chunk-P263NW7Z.mjs";
+import {
+  base64url,
+  decodeJwt,
+  getCryptoAlgorithm,
+  hasValidSignature,
+  importKey,
+  runtime,
+  verifyJwt
+} from "../chunk-HVNR6UQP.mjs";
+import {
+  SignJWTError
+} from "../chunk-RZ7A7F6X.mjs";
+import "../chunk-TOROEX6P.mjs";
+
+// src/jwt/signJwt.ts
+function encodeJwtData(value) {
+  const stringified = JSON.stringify(value);
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(stringified);
+  return base64url.stringify(encoded, { pad: false });
+}
+async function signJwt(payload, key, options) {
+  if (!options.algorithm) {
+    throw new Error("No algorithm specified");
+  }
+  const encoder = new TextEncoder();
+  const algorithm = getCryptoAlgorithm(options.algorithm);
+  if (!algorithm) {
+    return {
+      errors: [new SignJWTError(`Unsupported algorithm ${options.algorithm}`)]
+    };
+  }
+  const cryptoKey = await importKey(key, algorithm, "sign");
+  const header = options.header || { typ: "JWT" };
+  header.alg = options.algorithm;
+  payload.iat = Math.floor(Date.now() / 1e3);
+  const encodedHeader = encodeJwtData(header);
+  const encodedPayload = encodeJwtData(payload);
+  const firstPart = `${encodedHeader}.${encodedPayload}`;
+  try {
+    const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart));
+    const encodedSignature = `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`;
+    return { data: encodedSignature };
+  } catch (error) {
+    return { errors: [new SignJWTError(error?.message)] };
+  }
+}
+
+// src/jwt/index.ts
+var verifyJwt2 = withLegacyReturn(verifyJwt);
+var decodeJwt2 = withLegacySyncReturn(decodeJwt);
+var signJwt2 = withLegacyReturn(signJwt);
+var hasValidSignature2 = withLegacyReturn(hasValidSignature);
+export {
+  decodeJwt2 as decodeJwt,
+  hasValidSignature2 as hasValidSignature,
+  signJwt2 as signJwt,
+  verifyJwt2 as verifyJwt
+};
+//# sourceMappingURL=index.mjs.map

node_modules/@clerk/backend/dist/jwt/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/jwt/signJwt.ts","../../src/jwt/index.ts"],"sourcesContent":["import { SignJWTError } from '../errors';\nimport { runtime } from '../runtime';\nimport { base64url } from '../util/rfc4648';\nimport { getCryptoAlgorithm } from './algorithms';\nimport { importKey } from './cryptoKeys';\nimport type { JwtReturnType } from './types';\n\nexport interface SignJwtOptions {\n  algorithm?: string;\n  header?: Record<string, unknown>;\n}\n\nfunction encodeJwtData(value: unknown): string {\n  const stringified = JSON.stringify(value);\n  const encoder = new TextEncoder();\n  const encoded = encoder.encode(stringified);\n  return base64url.stringify(encoded, { pad: false });\n}\n\n/**\n * Signs a JSON Web Token (JWT) with the given payload, key, and options.\n * This function is intended to be used *internally* by other Clerk packages and typically\n * should not be used directly.\n *\n * @internal\n * @param payload The payload to include in the JWT.\n * @param key The key to use for signing the JWT. Can be a string or a JsonWebKey.\n * @param options The options to use for signing the JWT.\n * @returns A Promise that resolves to the signed JWT string.\n * @throws An error if no algorithm is specified or if the specified algorithm is unsupported.\n * @throws An error if there is an issue with importing the key or signing the JWT.\n */\nexport async function signJwt(\n  payload: Record<string, unknown>,\n  key: string | JsonWebKey,\n  options: SignJwtOptions,\n): Promise<JwtReturnType<string, Error>> {\n  if (!options.algorithm) {\n    throw new Error('No algorithm specified');\n  }\n  const encoder = new TextEncoder();\n\n  const algorithm = getCryptoAlgorithm(options.algorithm);\n  if (!algorithm) {\n    return {\n      errors: [new SignJWTError(`Unsupported algorithm ${options.algorithm}`)],\n    };\n  }\n\n  const cryptoKey = await importKey(key, algorithm, 'sign');\n  const header = options.header || { typ: 'JWT' };\n\n  header.alg = options.algorithm;\n  payload.iat = Math.floor(Date.now() / 1000);\n\n  const encodedHeader = encodeJwtData(header);\n  const encodedPayload = encodeJwtData(payload);\n  const firstPart = `${encodedHeader}.${encodedPayload}`;\n\n  try {\n    const signature = await runtime.crypto.subtle.sign(algorithm, cryptoKey, encoder.encode(firstPart));\n    const encodedSignature = `${firstPart}.${base64url.stringify(new Uint8Array(signature), { pad: false })}`;\n    return { data: encodedSignature };\n  } catch (error) {\n    return { errors: [new SignJWTError((error as Error)?.message)] };\n  }\n}\n","import { withLegacyReturn, withLegacySyncReturn } from './legacyReturn';\nimport { signJwt as _signJwt } from './signJwt';\nimport { decodeJwt as _decodeJwt, hasValidSignature as _hasValidSignature, verifyJwt as _verifyJwt } from './verifyJwt';\n\nexport type { VerifyJwtOptions } from './verifyJwt';\nexport type { SignJwtOptions } from './signJwt';\n\n// Introduce compatibility layer to avoid more breaking changes\n// TODO(dimkl): This (probably be drop in the next major version)\n\nexport const verifyJwt = withLegacyReturn(_verifyJwt);\nexport const decodeJwt = withLegacySyncReturn(_decodeJwt);\n\nexport const signJwt = withLegacyReturn(_signJwt);\nexport const hasValidSignature = withLegacyReturn(_hasValidSignature);\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAYA,SAAS,cAAc,OAAwB;AAC7C,QAAM,cAAc,KAAK,UAAU,KAAK;AACxC,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,UAAU,QAAQ,OAAO,WAAW;AAC1C,SAAO,UAAU,UAAU,SAAS,EAAE,KAAK,MAAM,CAAC;AACpD;AAeA,eAAsB,QACpB,SACA,KACA,SACuC;AACvC,MAAI,CAAC,QAAQ,WAAW;AACtB,UAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACA,QAAM,UAAU,IAAI,YAAY;AAEhC,QAAM,YAAY,mBAAmB,QAAQ,SAAS;AACtD,MAAI,CAAC,WAAW;AACd,WAAO;AAAA,MACL,QAAQ,CAAC,IAAI,aAAa,yBAAyB,QAAQ,SAAS,EAAE,CAAC;AAAA,IACzE;AAAA,EACF;AAEA,QAAM,YAAY,MAAM,UAAU,KAAK,WAAW,MAAM;AACxD,QAAM,SAAS,QAAQ,UAAU,EAAE,KAAK,MAAM;AAE9C,SAAO,MAAM,QAAQ;AACrB,UAAQ,MAAM,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAE1C,QAAM,gBAAgB,cAAc,MAAM;AAC1C,QAAM,iBAAiB,cAAc,OAAO;AAC5C,QAAM,YAAY,GAAG,aAAa,IAAI,cAAc;AAEpD,MAAI;AACF,UAAM,YAAY,MAAM,QAAQ,OAAO,OAAO,KAAK,WAAW,WAAW,QAAQ,OAAO,SAAS,CAAC;AAClG,UAAM,mBAAmB,GAAG,SAAS,IAAI,UAAU,UAAU,IAAI,WAAW,SAAS,GAAG,EAAE,KAAK,MAAM,CAAC,CAAC;AACvG,WAAO,EAAE,MAAM,iBAAiB;AAAA,EAClC,SAAS,OAAO;AACd,WAAO,EAAE,QAAQ,CAAC,IAAI,aAAc,OAAiB,OAAO,CAAC,EAAE;AAAA,EACjE;AACF;;;ACxDO,IAAMA,aAAY,iBAAiB,SAAU;AAC7C,IAAMC,aAAY,qBAAqB,SAAU;AAEjD,IAAMC,WAAU,iBAAiB,OAAQ;AACzC,IAAMC,qBAAoB,iBAAiB,iBAAkB;","names":["verifyJwt","decodeJwt","signJwt","hasValidSignature"]}

node_modules/@clerk/backend/dist/jwt/legacyReturn.d.ts

@@ -0,0 +1,4 @@
+import type { JwtReturnType } from './types';
+export declare function withLegacyReturn<T extends (...args: any[]) => Promise<JwtReturnType<any, any>>>(cb: T): (...args: Parameters<T>) => Promise<NonNullable<Awaited<ReturnType<T>>["data"]>> | never;
+export declare function withLegacySyncReturn<T extends (...args: any[]) => JwtReturnType<any, any>>(cb: T): (...args: Parameters<T>) => NonNullable<Awaited<ReturnType<T>>["data"]> | never;
+//# sourceMappingURL=legacyReturn.d.ts.map

node_modules/@clerk/backend/dist/jwt/legacyReturn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"legacyReturn.d.ts","sourceRoot":"","sources":["../../src/jwt/legacyReturn.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAG7C,wBAAgB,gBAAgB,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,OAAO,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,IACtF,GAAG,MAAM,UAAU,CAAC,CAAC,CAAC,KAAG,OAAO,CAAC,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,CAOpG;AAGD,wBAAgB,oBAAoB,CAAC,CAAC,SAAS,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,KAAK,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,EAAE,EAAE,CAAC,IACvF,GAAG,MAAM,UAAU,CAAC,CAAC,CAAC,KAAG,WAAW,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,KAAK,CAOrF"}

node_modules/@clerk/backend/dist/jwt/signJwt.d.ts

@@ -0,0 +1,20 @@
+import type { JwtReturnType } from './types';
+export interface SignJwtOptions {
+    algorithm?: string;
+    header?: Record<string, unknown>;
+}
+/**
+ * Signs a JSON Web Token (JWT) with the given payload, key, and options.
+ * This function is intended to be used *internally* by other Clerk packages and typically
+ * should not be used directly.
+ *
+ * @internal
+ * @param payload The payload to include in the JWT.
+ * @param key The key to use for signing the JWT. Can be a string or a JsonWebKey.
+ * @param options The options to use for signing the JWT.
+ * @returns A Promise that resolves to the signed JWT string.
+ * @throws An error if no algorithm is specified or if the specified algorithm is unsupported.
+ * @throws An error if there is an issue with importing the key or signing the JWT.
+ */
+export declare function signJwt(payload: Record<string, unknown>, key: string | JsonWebKey, options: SignJwtOptions): Promise<JwtReturnType<string, Error>>;
+//# sourceMappingURL=signJwt.d.ts.map

node_modules/@clerk/backend/dist/jwt/signJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/signJwt.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAE7C,MAAM,WAAW,cAAc;IAC7B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AASD;;;;;;;;;;;;GAYG;AACH,wBAAsB,OAAO,CAC3B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,GAAG,EAAE,MAAM,GAAG,UAAU,EACxB,OAAO,EAAE,cAAc,GACtB,OAAO,CAAC,aAAa,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC,CA8BvC"}

node_modules/@clerk/backend/dist/jwt/types.d.ts

@@ -0,0 +1,18 @@
+import type { MachineTokenType } from '../tokens/tokenTypes';
+export type JwtReturnType<R, E extends Error> = {
+    data: R;
+    errors?: undefined;
+} | {
+    data?: undefined;
+    errors: [E];
+};
+export type MachineTokenReturnType<R, E extends Error> = {
+    data: R;
+    tokenType: MachineTokenType;
+    errors?: undefined;
+} | {
+    data?: undefined;
+    tokenType: MachineTokenType;
+    errors: [E];
+};
+//# sourceMappingURL=types.d.ts.map

node_modules/@clerk/backend/dist/jwt/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/jwt/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,MAAM,aAAa,CAAC,CAAC,EAAE,CAAC,SAAS,KAAK,IACxC;IACE,IAAI,EAAE,CAAC,CAAC;IACR,MAAM,CAAC,EAAE,SAAS,CAAC;CACpB,GACD;IACE,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;CACb,CAAC;AAEN,MAAM,MAAM,sBAAsB,CAAC,CAAC,EAAE,CAAC,SAAS,KAAK,IACjD;IACE,IAAI,EAAE,CAAC,CAAC;IACR,SAAS,EAAE,gBAAgB,CAAC;IAC5B,MAAM,CAAC,EAAE,SAAS,CAAC;CACpB,GACD;IACE,IAAI,CAAC,EAAE,SAAS,CAAC;IACjB,SAAS,EAAE,gBAAgB,CAAC;IAC5B,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;CACb,CAAC"}

node_modules/@clerk/backend/dist/jwt/verifyJwt.d.ts

@@ -0,0 +1,38 @@
+import type { Jwt, JwtPayload } from '@clerk/shared/types';
+import { TokenVerificationError } from '../errors';
+import type { JwtReturnType } from './types';
+export declare function hasValidSignature(jwt: Jwt, key: JsonWebKey | string): Promise<JwtReturnType<boolean, Error>>;
+export declare function decodeJwt(token: string): JwtReturnType<Jwt, TokenVerificationError>;
+/**
+ * @inline
+ */
+export type VerifyJwtOptions = {
+    /**
+     * A string or list of [audiences](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3). If passed, it is checked against the `aud` claim in the token.
+     */
+    audience?: string | string[];
+    /**
+     * An allowlist of origins to verify against, to protect your application from the subdomain cookie leaking attack.
+     * @example
+     * ```ts
+     * ['http://localhost:3000', 'https://example.com']
+     * ```
+     */
+    authorizedParties?: string[];
+    /**
+     * Specifies the allowed time difference (in milliseconds) between the Clerk server (which generates the token) and the clock of the user's application server when validating a token.
+     * @default 5000
+     */
+    clockSkewInMs?: number;
+    /**
+     * @internal
+     */
+    key: JsonWebKey | string;
+    /**
+     * A string or list of allowed [header types](https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.9).
+     * @default 'JWT'
+     */
+    headerType?: string | string[];
+};
+export declare function verifyJwt(token: string, options: VerifyJwtOptions): Promise<JwtReturnType<JwtPayload, TokenVerificationError>>;
+//# sourceMappingURL=verifyJwt.d.ts.map

node_modules/@clerk/backend/dist/jwt/verifyJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyJwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EAAE,sBAAsB,EAA8D,MAAM,WAAW,CAAC;AAe/G,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAI7C,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAqBlH;AAED,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,EAAE,sBAAsB,CAAC,CAkDnF;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG;IAC7B;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC7B;;;;;;OAMG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;OAEG;IACH,GAAG,EAAE,UAAU,GAAG,MAAM,CAAC;IACzB;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;CAChC,CAAC;AAEF,wBAAsB,SAAS,CAC7B,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,gBAAgB,GACxB,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC,CA8D5D"}

node_modules/@clerk/backend/dist/jwt/verifyMachineJwt.d.ts

@@ -0,0 +1,19 @@
+import type { Jwt } from '@clerk/shared/types';
+import { IdPOAuthAccessToken } from '../api/resources/IdPOAuthAccessToken';
+import { M2MToken } from '../api/resources/M2MToken';
+import { MachineTokenVerificationError } from '../errors';
+import type { MachineTokenReturnType } from '../jwt/types';
+import type { LoadClerkJWKFromRemoteOptions } from '../tokens/keys';
+export type JwtMachineVerifyOptions = Pick<LoadClerkJWKFromRemoteOptions, 'secretKey' | 'apiUrl' | 'skipJwksCache'> & {
+    jwtKey?: string;
+    clockSkewInMs?: number;
+};
+/**
+ * Verifies a pre-decoded M2M JWT (identified by `sub` starting with `mch_`).
+ */
+export declare function verifyM2MJwt(token: string, decoded: Jwt, options: JwtMachineVerifyOptions): Promise<MachineTokenReturnType<M2MToken, MachineTokenVerificationError>>;
+/**
+ * Verifies a pre-decoded OAuth access token JWT (identified by `typ: at+jwt` or `application/at+jwt`).
+ */
+export declare function verifyOAuthJwt(token: string, decoded: Jwt, options: JwtMachineVerifyOptions): Promise<MachineTokenReturnType<IdPOAuthAccessToken, MachineTokenVerificationError>>;
+//# sourceMappingURL=verifyMachineJwt.d.ts.map

node_modules/@clerk/backend/dist/jwt/verifyMachineJwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifyMachineJwt.d.ts","sourceRoot":"","sources":["../../src/jwt/verifyMachineJwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAc,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EAAE,mBAAmB,EAAE,MAAM,sCAAsC,CAAC;AAC3E,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AACrD,OAAO,EACL,6BAA6B,EAG9B,MAAM,WAAW,CAAC;AACnB,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,cAAc,CAAC;AAE3D,OAAO,KAAK,EAAE,6BAA6B,EAAE,MAAM,gBAAgB,CAAC;AAKpE,MAAM,MAAM,uBAAuB,GAAG,IAAI,CAAC,6BAA6B,EAAE,WAAW,GAAG,QAAQ,GAAG,eAAe,CAAC,GAAG;IACpH,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AA6DF;;GAEG;AACH,wBAAsB,YAAY,CAChC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,GAAG,EACZ,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,sBAAsB,CAAC,QAAQ,EAAE,6BAA6B,CAAC,CAAC,CAY1E;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,GAAG,EACZ,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,sBAAsB,CAAC,mBAAmB,EAAE,6BAA6B,CAAC,CAAC,CAYrF"}