@agentlensai/server 0.7.0 → 0.9.0

package/dist/lib/redaction/secret-detection-layer.js

@@ -0,0 +1,79 @@
+/**
+ * Layer 1: Secret Detection (Story 2.1)
+ */
+import { ACTIVE_SECRET_PATTERNS, detectHighEntropyStrings } from './secret-patterns.js';
+export class SecretDetectionLayer {
+    name = 'secret_detection';
+    order = 100;
+    process(input, _context) {
+        const findings = [];
+        let output = input;
+        let secretIndex = 0;
+        // Collect all matches with their positions (work on original input for offsets)
+        const allMatches = [];
+        // Regex-based detection
+        for (const pattern of ACTIVE_SECRET_PATTERNS) {
+            const globalRegex = new RegExp(pattern.regex.source, pattern.regex.flags + (pattern.regex.flags.includes('g') ? '' : 'g'));
+            let match;
+            while ((match = globalRegex.exec(input)) !== null) {
+                allMatches.push({
+                    start: match.index,
+                    end: match.index + match[0].length,
+                    category: pattern.category,
+                    confidence: pattern.confidence,
+                    patternName: pattern.name,
+                });
+            }
+        }
+        // High-entropy detection
+        const entropyMatches = detectHighEntropyStrings(input);
+        for (const em of entropyMatches) {
+            // Skip if already covered by a regex match
+            const alreadyCovered = allMatches.some(m => m.start <= em.start && m.end >= em.end);
+            if (!alreadyCovered) {
+                allMatches.push({
+                    start: em.start,
+                    end: em.end,
+                    category: 'high_entropy_string',
+                    confidence: Math.min(0.6 + (em.entropy - 4.5) * 0.1, 0.9),
+                    patternName: 'entropy_detection',
+                });
+            }
+        }
+        // Sort by start position descending to replace from end (preserves offsets)
+        allMatches.sort((a, b) => b.start - a.start);
+        // Deduplicate overlapping matches (keep highest confidence)
+        const deduped = [];
+        for (const m of allMatches) {
+            const overlaps = deduped.some(d => m.start < d.end && m.end > d.start);
+            if (!overlaps) {
+                deduped.push(m);
+            }
+        }
+        // Sort ascending for findings reporting, but replace descending
+        const sortedForFindings = [...deduped].sort((a, b) => a.start - b.start);
+        const replacements = new Map();
+        for (const m of sortedForFindings) {
+            secretIndex++;
+            const replacement = `[SECRET_REDACTED_${secretIndex}]`;
+            replacements.set(m, replacement);
+            findings.push({
+                layer: 'secret_detection',
+                category: m.category,
+                originalLength: m.end - m.start,
+                replacement,
+                startOffset: m.start,
+                endOffset: m.end,
+                confidence: m.confidence,
+            });
+        }
+        // Apply replacements from end to start
+        const descending = [...deduped].sort((a, b) => b.start - a.start);
+        for (const m of descending) {
+            const replacement = replacements.get(m);
+            output = output.slice(0, m.start) + replacement + output.slice(m.end);
+        }
+        return { output, findings, blocked: false };
+    }
+}
+//# sourceMappingURL=secret-detection-layer.js.map

package/dist/lib/redaction/secret-detection-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-detection-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/secret-detection-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAQH,OAAO,EAAE,sBAAsB,EAAE,wBAAwB,EAAE,MAAM,sBAAsB,CAAC;AAExF,MAAM,OAAO,oBAAoB;IACtB,IAAI,GAAG,kBAA2B,CAAC;IACnC,KAAK,GAAG,GAAG,CAAC;IAErB,OAAO,CAAC,KAAa,EAAE,QAA0B;QAC/C,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,IAAI,WAAW,GAAG,CAAC,CAAC;QAEpB,gFAAgF;QAChF,MAAM,UAAU,GAMX,EAAE,CAAC;QAER,wBAAwB;QACxB,KAAK,MAAM,OAAO,IAAI,sBAAsB,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC3H,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClD,UAAU,CAAC,IAAI,CAAC;oBACd,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBAClC,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;oBAC9B,WAAW,EAAE,OAAO,CAAC,IAAI;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,cAAc,GAAG,wBAAwB,CAAC,KAAK,CAAC,CAAC;QACvD,KAAK,MAAM,EAAE,IAAI,cAAc,EAAE,CAAC;YAChC,2CAA2C;YAC3C,MAAM,cAAc,GAAG,UAAU,CAAC,IAAI,CACpC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC,GAAG,CAC5C,CAAC;YACF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,UAAU,CAAC,IAAI,CAAC;oBACd,KAAK,EAAE,EAAE,CAAC,KAAK;oBACf,GAAG,EAAE,EAAE,CAAC,GAAG;oBACX,QAAQ,EAAE,qBAAqB;oBAC/B,UAAU,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,GAAG,EAAE,GAAG,CAAC;oBACzD,WAAW,EAAE,mBAAmB;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,4EAA4E;QAC5E,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAE7C,4DAA4D;QAC5D,MAAM,OAAO,GAAsB,EAAE,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAC3B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CACxC,CAAC;YACF,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACd,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,MAAM,iBAAiB,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACzE,MAAM,YAAY,GAAG,IAAI,GAAG,EAAgC,CAAC;QAE7D,KAAK,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;YAClC,WAAW,EAAE,CAAC;YACd,MAAM,WAAW,GAAG,oBAAoB,WAAW,GAAG,CAAC;YACvD,YAAY,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;YACjC,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,kBAAkB;gBACzB,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,cAAc,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK;gBAC/B,WAAW;gBACX,WAAW,EAAE,CAAC,CAAC,KAAK;gBACpB,SAAS,EAAE,CAAC,CAAC,GAAG;gBAChB,UAAU,EAAE,CAAC,CAAC,UAAU;aACzB,CAAC,CAAC;QACL,CAAC;QAED,uCAAuC;QACvC,MAAM,UAAU,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAClE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,MAAM,WAAW,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC,CAAE,CAAC;YACzC,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACxE,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC9C,CAAC;CACF"}

package/dist/lib/redaction/secret-patterns.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Secret Detection Patterns & Entropy Calculator (Story 2.1, Layer 1)
+ */
+export interface SecretPattern {
+    name: string;
+    category: string;
+    regex: RegExp;
+    confidence: number;
+}
+export declare const SECRET_PATTERNS: SecretPattern[];
+export declare const ACTIVE_SECRET_PATTERNS: SecretPattern[];
+/**
+ * Shannon entropy of a string (bits per character).
+ */
+export declare function shannonEntropy(s: string): number;
+/**
+ * Detect high-entropy strings that may be unknown secrets.
+ * Scans with a sliding window approach.
+ */
+export declare function detectHighEntropyStrings(text: string, options?: {
+    minLength?: number;
+    maxLength?: number;
+    entropyThreshold?: number;
+}): Array<{
+    start: number;
+    end: number;
+    entropy: number;
+}>;
+//# sourceMappingURL=secret-patterns.d.ts.map

package/dist/lib/redaction/secret-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-patterns.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/secret-patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,eAAO,MAAM,eAAe,EAAE,aAAa,EA0G1C,CAAC;AAGF,eAAO,MAAM,sBAAsB,iBAAmD,CAAC;AAEvF;;GAEG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAYhD;AAMD;;;GAGG;AACH,wBAAgB,wBAAwB,CACtC,IAAI,EAAE,MAAM,EACZ,OAAO,GAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAA;CAAO,GAClF,KAAK,CAAC;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CA6BxD"}

package/dist/lib/redaction/secret-patterns.js

@@ -0,0 +1,133 @@
+/**
+ * Secret Detection Patterns & Entropy Calculator (Story 2.1, Layer 1)
+ */
+export const SECRET_PATTERNS = [
+    // ─── OpenAI ─────────────────────────────────────────
+    { name: 'openai_api_key', category: 'api_key', regex: /sk-[a-zA-Z0-9]{20,}/, confidence: 0.95 },
+    { name: 'openai_org', category: 'api_key', regex: /org-[a-zA-Z0-9]{20,}/, confidence: 0.85 },
+    // ─── Anthropic ──────────────────────────────────────
+    { name: 'anthropic_api_key', category: 'api_key', regex: /sk-ant-[a-zA-Z0-9\-]{20,}/, confidence: 0.95 },
+    // ─── GitHub ─────────────────────────────────────────
+    { name: 'github_pat', category: 'api_key', regex: /ghp_[a-zA-Z0-9]{36}/, confidence: 0.95 },
+    { name: 'github_oauth', category: 'api_key', regex: /gho_[a-zA-Z0-9]{36}/, confidence: 0.95 },
+    { name: 'github_app_token', category: 'api_key', regex: /(?:ghu|ghs|ghr)_[a-zA-Z0-9]{36}/, confidence: 0.95 },
+    // ─── AWS ────────────────────────────────────────────
+    { name: 'aws_access_key', category: 'api_key', regex: /AKIA[0-9A-Z]{16}/, confidence: 0.95 },
+    { name: 'aws_secret_key', category: 'api_key', regex: /(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*[A-Za-z0-9/+=]{40}/, confidence: 0.95 },
+    // ─── Stripe ─────────────────────────────────────────
+    { name: 'stripe_live_key', category: 'api_key', regex: /sk_live_[a-zA-Z0-9]{20,}/, confidence: 0.95 },
+    { name: 'stripe_test_key', category: 'api_key', regex: /sk_test_[a-zA-Z0-9]{20,}/, confidence: 0.90 },
+    { name: 'stripe_publishable', category: 'api_key', regex: /pk_(?:live|test)_[a-zA-Z0-9]{20,}/, confidence: 0.90 },
+    { name: 'stripe_restricted', category: 'api_key', regex: /rk_(?:live|test)_[a-zA-Z0-9]{20,}/, confidence: 0.90 },
+    // ─── Slack ──────────────────────────────────────────
+    { name: 'slack_token', category: 'api_key', regex: /xox[bpras]-[a-zA-Z0-9\-]+/, confidence: 0.95 },
+    { name: 'slack_webhook', category: 'api_key', regex: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/, confidence: 0.95 },
+    // ─── Google ─────────────────────────────────────────
+    { name: 'google_api_key', category: 'api_key', regex: /AIza[0-9A-Za-z\-_]{35}/, confidence: 0.90 },
+    { name: 'google_oauth_client', category: 'api_key', regex: /[0-9]+-[a-z0-9_]{32}\.apps\.googleusercontent\.com/, confidence: 0.90 },
+    // ─── Azure ──────────────────────────────────────────
+    { name: 'azure_subscription', category: 'api_key', regex: /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/, confidence: 0.3 },
+    // ─── Twilio ─────────────────────────────────────────
+    { name: 'twilio_api_key', category: 'api_key', regex: /SK[a-f0-9]{32}/, confidence: 0.85 },
+    { name: 'twilio_account_sid', category: 'api_key', regex: /AC[a-f0-9]{32}/, confidence: 0.85 },
+    // ─── SendGrid ───────────────────────────────────────
+    { name: 'sendgrid_api_key', category: 'api_key', regex: /SG\.[a-zA-Z0-9_\-]{22}\.[a-zA-Z0-9_\-]{43}/, confidence: 0.95 },
+    // ─── Mailgun ────────────────────────────────────────
+    { name: 'mailgun_api_key', category: 'api_key', regex: /key-[a-zA-Z0-9]{32}/, confidence: 0.85 },
+    // ─── Heroku ─────────────────────────────────────────
+    { name: 'heroku_api_key', category: 'api_key', regex: /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/, confidence: 0.3 },
+    // ─── npm ────────────────────────────────────────────
+    { name: 'npm_token', category: 'api_key', regex: /npm_[a-zA-Z0-9]{36}/, confidence: 0.95 },
+    // ─── PyPI ───────────────────────────────────────────
+    { name: 'pypi_token', category: 'api_key', regex: /pypi-[a-zA-Z0-9\-_]{50,}/, confidence: 0.95 },
+    // ─── Discord ────────────────────────────────────────
+    { name: 'discord_token', category: 'api_key', regex: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27,}/, confidence: 0.90 },
+    { name: 'discord_webhook', category: 'api_key', regex: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/\d+\/[\w-]+/, confidence: 0.95 },
+    // ─── Telegram ───────────────────────────────────────
+    { name: 'telegram_bot_token', category: 'api_key', regex: /\d{8,10}:[A-Za-z0-9_-]{35}/, confidence: 0.85 },
+    // ─── Bearer / Basic Auth ────────────────────────────
+    { name: 'bearer_token', category: 'auth_token', regex: /Bearer\s+[a-zA-Z0-9._~+\/=-]{20,}/, confidence: 0.90 },
+    { name: 'basic_auth', category: 'auth_token', regex: /Basic\s+[a-zA-Z0-9+\/=]{10,}/, confidence: 0.90 },
+    // ─── URL with credentials ──────────────────────────
+    { name: 'url_password', category: 'auth_token', regex: /\/\/[^:\/\s]+:[^@\/\s]+@[^\/\s]+/, confidence: 0.95 },
+    // ─── Private Keys ──────────────────────────────────
+    { name: 'private_key', category: 'private_key', regex: /-----BEGIN\s+(?:RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE KEY-----/, confidence: 0.99 },
+    // ─── Connection Strings ─────────────────────────────
+    { name: 'connection_string', category: 'connection_string', regex: /(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp|mssql):\/\/[^\s]+/, confidence: 0.90 },
+    // ─── JWT ────────────────────────────────────────────
+    { name: 'jwt', category: 'auth_token', regex: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/, confidence: 0.85 },
+    // ─── HashiCorp Vault ────────────────────────────────
+    { name: 'vault_token', category: 'api_key', regex: /hvs\.[a-zA-Z0-9_-]{24,}/, confidence: 0.90 },
+    // ─── Datadog ────────────────────────────────────────
+    { name: 'datadog_api_key', category: 'api_key', regex: /dd[a-f0-9]{40}/, confidence: 0.80 },
+    // ─── Supabase ───────────────────────────────────────
+    { name: 'supabase_key', category: 'api_key', regex: /sbp_[a-f0-9]{40}/, confidence: 0.90 },
+    // ─── Vercel ─────────────────────────────────────────
+    { name: 'vercel_token', category: 'api_key', regex: /vercel_[a-zA-Z0-9]{24,}/, confidence: 0.90 },
+    // ─── Linear ─────────────────────────────────────────
+    { name: 'linear_api_key', category: 'api_key', regex: /lin_api_[a-zA-Z0-9]{40,}/, confidence: 0.90 },
+    // ─── Shopify ────────────────────────────────────────
+    { name: 'shopify_token', category: 'api_key', regex: /shpat_[a-fA-F0-9]{32}/, confidence: 0.90 },
+    { name: 'shopify_secret', category: 'api_key', regex: /shpss_[a-fA-F0-9]{32}/, confidence: 0.90 },
+    // ─── Cloudflare ─────────────────────────────────────
+    { name: 'cloudflare_api_token', category: 'api_key', regex: /[a-zA-Z0-9_]{40}/, confidence: 0.2 }, // low confidence - too generic alone
+    // ─── Generic password assignment ────────────────────
+    { name: 'password_assignment', category: 'password', regex: /(?:password|passwd|pwd|secret|token|api_key|apikey)['"]?\s*[=:]\s*['"]?[^\s'"<>]{8,}['"]?/i, confidence: 0.80 },
+    // XML-style password: <password>value</password>
+    { name: 'xml_password', category: 'password', regex: /<(?:password|secret|token|api[_-]?key)>([^<]{8,})<\//i, confidence: 0.80 },
+    // SQL PASSWORD keyword: PASSWORD 'value'
+    { name: 'sql_password', category: 'password', regex: /PASSWORD\s+['"]([^'"]{8,})['"]/i, confidence: 0.80 },
+];
+// Only use patterns with confidence >= threshold (skip very generic ones)
+export const ACTIVE_SECRET_PATTERNS = SECRET_PATTERNS.filter(p => p.confidence >= 0.5);
+/**
+ * Shannon entropy of a string (bits per character).
+ */
+export function shannonEntropy(s) {
+    if (s.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const c of s) {
+        freq.set(c, (freq.get(c) ?? 0) + 1);
+    }
+    let entropy = 0;
+    for (const count of freq.values()) {
+        const p = count / s.length;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+// Hex and base64 character sets for entropy detection
+const HEX_RE = /^[a-fA-F0-9]+$/;
+const BASE64_RE = /^[a-zA-Z0-9+\/=_-]+$/;
+/**
+ * Detect high-entropy strings that may be unknown secrets.
+ * Scans with a sliding window approach.
+ */
+export function detectHighEntropyStrings(text, options = {}) {
+    const minLen = options.minLength ?? 20;
+    const maxLen = options.maxLength ?? 128;
+    const threshold = options.entropyThreshold ?? 4.5;
+    const results = [];
+    // Find candidate tokens (non-whitespace sequences)
+    const tokenRegex = /[^\s,;:(){}\[\]<>"'`]+/g;
+    let match;
+    while ((match = tokenRegex.exec(text)) !== null) {
+        const token = match[0];
+        if (token.length < minLen || token.length > maxLen)
+            continue;
+        // Only consider hex-like or base64-like strings
+        if (!HEX_RE.test(token) && !BASE64_RE.test(token))
+            continue;
+        const entropy = shannonEntropy(token);
+        if (entropy >= threshold) {
+            results.push({
+                start: match.index,
+                end: match.index + token.length,
+                entropy,
+            });
+        }
+    }
+    return results;
+}
+//# sourceMappingURL=secret-patterns.js.map

package/dist/lib/redaction/secret-patterns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-patterns.js","sourceRoot":"","sources":["../../../src/lib/redaction/secret-patterns.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,MAAM,CAAC,MAAM,eAAe,GAAoB;IAC9C,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,EAAE;IAC/F,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,sBAAsB,EAAE,UAAU,EAAE,IAAI,EAAE;IAE5F,uDAAuD;IACvD,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,2BAA2B,EAAE,UAAU,EAAE,IAAI,EAAE;IAExG,uDAAuD;IACvD,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,EAAE;IAC3F,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,EAAE;IAC7F,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,iCAAiC,EAAE,UAAU,EAAE,IAAI,EAAE;IAE7G,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,IAAI,EAAE;IAC5F,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,6EAA6E,EAAE,UAAU,EAAE,IAAI,EAAE;IAEvJ,uDAAuD;IACvD,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,0BAA0B,EAAE,UAAU,EAAE,IAAI,EAAE;IACrG,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,0BAA0B,EAAE,UAAU,EAAE,IAAI,EAAE;IACrG,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,mCAAmC,EAAE,UAAU,EAAE,IAAI,EAAE;IACjH,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,mCAAmC,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhH,uDAAuD;IACvD,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,2BAA2B,EAAE,UAAU,EAAE,IAAI,EAAE;IAClG,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,sFAAsF,EAAE,UAAU,EAAE,IAAI,EAAE;IAE/J,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,wBAAwB,EAAE,UAAU,EAAE,IAAI,EAAE;IAClG,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,oDAAoD,EAAE,UAAU,EAAE,IAAI,EAAE;IAEnI,uDAAuD;IACvD,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,8DAA8D,EAAE,UAAU,EAAE,GAAG,EAAE;IAE3I,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,IAAI,EAAE;IAC1F,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,IAAI,EAAE;IAE9F,uDAAuD;IACvD,EAAE,IAAI,EAAE,kBAAkB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,4CAA4C,EAAE,UAAU,EAAE,IAAI,EAAE;IAExH,uDAAuD;IACvD,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhG,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,8DAA8D,EAAE,UAAU,EAAE,GAAG,EAAE;IAEvI,uDAAuD;IACvD,EAAE,IAAI,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,IAAI,EAAE;IAE1F,uDAAuD;IACvD,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,0BAA0B,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhG,uDAAuD;IACvD,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,2CAA2C,EAAE,UAAU,EAAE,IAAI,EAAE;IACpH,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,4DAA4D,EAAE,UAAU,EAAE,IAAI,EAAE;IAEvI,uDAAuD;IACvD,EAAE,IAAI,EAAE,oBAAoB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,4BAA4B,EAAE,UAAU,EAAE,IAAI,EAAE;IAE1G,uDAAuD;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,mCAAmC,EAAE,UAAU,EAAE,IAAI,EAAE;IAC9G,EAAE,IAAI,EAAE,YAAY,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,8BAA8B,EAAE,UAAU,EAAE,IAAI,EAAE;IAEvG,sDAAsD;IACtD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,kCAAkC,EAAE,UAAU,EAAE,IAAI,EAAE;IAE7G,sDAAsD;IACtD,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,aAAa,EAAE,KAAK,EAAE,kEAAkE,EAAE,UAAU,EAAE,IAAI,EAAE;IAE7I,uDAAuD;IACvD,EAAE,IAAI,EAAE,mBAAmB,EAAE,QAAQ,EAAE,mBAAmB,EAAE,KAAK,EAAE,yEAAyE,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhK,uDAAuD;IACvD,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,kEAAkE,EAAE,UAAU,EAAE,IAAI,EAAE;IAEpI,uDAAuD;IACvD,EAAE,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,yBAAyB,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhG,uDAAuD;IACvD,EAAE,IAAI,EAAE,iBAAiB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,gBAAgB,EAAE,UAAU,EAAE,IAAI,EAAE;IAE3F,uDAAuD;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,IAAI,EAAE;IAE1F,uDAAuD;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,yBAAyB,EAAE,UAAU,EAAE,IAAI,EAAE;IAEjG,uDAAuD;IACvD,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,0BAA0B,EAAE,UAAU,EAAE,IAAI,EAAE;IAEpG,uDAAuD;IACvD,EAAE,IAAI,EAAE,eAAe,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,UAAU,EAAE,IAAI,EAAE;IAChG,EAAE,IAAI,EAAE,gBAAgB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,uBAAuB,EAAE,UAAU,EAAE,IAAI,EAAE;IAEjG,uDAAuD;IACvD,EAAE,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,EAAE,kBAAkB,EAAE,UAAU,EAAE,GAAG,EAAE,EAAE,qCAAqC;IAExI,uDAAuD;IACvD,EAAE,IAAI,EAAE,qBAAqB,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,4FAA4F,EAAE,UAAU,EAAE,IAAI,EAAE;IAE5K,iDAAiD;IACjD,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,uDAAuD,EAAE,UAAU,EAAE,IAAI,EAAE;IAEhI,yCAAyC;IACzC,EAAE,IAAI,EAAE,cAAc,EAAE,QAAQ,EAAE,UAAU,EAAE,KAAK,EAAE,iCAAiC,EAAE,UAAU,EAAE,IAAI,EAAE;CAC3G,CAAC;AAEF,0EAA0E;AAC1E,MAAM,CAAC,MAAM,sBAAsB,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC;AAEvF;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,CAAS;IACtC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC7B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;QAClB,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC;QAC3B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,sDAAsD;AACtD,MAAM,MAAM,GAAG,gBAAgB,CAAC;AAChC,MAAM,SAAS,GAAG,sBAAsB,CAAC;AAEzC;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,IAAY,EACZ,UAAiF,EAAE;IAEnF,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,IAAI,EAAE,CAAC;IACvC,MAAM,MAAM,GAAG,OAAO,CAAC,SAAS,IAAI,GAAG,CAAC;IACxC,MAAM,SAAS,GAAG,OAAO,CAAC,gBAAgB,IAAI,GAAG,CAAC;IAElD,MAAM,OAAO,GAA2D,EAAE,CAAC;IAE3E,mDAAmD;IACnD,MAAM,UAAU,GAAG,yBAAyB,CAAC;IAC7C,IAAI,KAA6B,CAAC;IAElC,OAAO,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChD,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACvB,IAAI,KAAK,CAAC,MAAM,GAAG,MAAM,IAAI,KAAK,CAAC,MAAM,GAAG,MAAM;YAAE,SAAS;QAE7D,gDAAgD;QAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,SAAS;QAE5D,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,OAAO,IAAI,SAAS,EAAE,CAAC;YACzB,OAAO,CAAC,IAAI,CAAC;gBACX,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,MAAM;gBAC/B,OAAO;aACR,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/lib/redaction/semantic-denylist-layer.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 5: Semantic Deny List (Story 2.2)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+export declare class SemanticDenyListLayer implements RedactionLayer {
+    readonly name: "semantic_denylist";
+    readonly order = 500;
+    process(input: string, context: RedactionContext): RedactionLayerResult;
+}
+//# sourceMappingURL=semantic-denylist-layer.d.ts.map

package/dist/lib/redaction/semantic-denylist-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semantic-denylist-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/semantic-denylist-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAE3B,qBAAa,qBAAsB,YAAW,cAAc;IAC1D,QAAQ,CAAC,IAAI,EAAG,mBAAmB,CAAU;IAC7C,QAAQ,CAAC,KAAK,OAAO;IAErB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,GAAG,oBAAoB;CA2DxE"}

package/dist/lib/redaction/semantic-denylist-layer.js

@@ -0,0 +1,64 @@
+/**
+ * Layer 5: Semantic Deny List (Story 2.2)
+ */
+export class SemanticDenyListLayer {
+    name = 'semantic_denylist';
+    order = 500;
+    process(input, context) {
+        const findings = [];
+        for (const pattern of context.denyListPatterns) {
+            let matched = false;
+            let matchStart = -1;
+            let matchEnd = -1;
+            let matchedText = '';
+            if (pattern.startsWith('/') && pattern.lastIndexOf('/') > 0) {
+                // Regex pattern: /pattern/flags
+                const lastSlash = pattern.lastIndexOf('/');
+                const regexBody = pattern.slice(1, lastSlash);
+                const flags = pattern.slice(lastSlash + 1);
+                try {
+                    const regex = new RegExp(regexBody, flags.includes('i') ? 'gi' : 'g');
+                    const match = regex.exec(input);
+                    if (match) {
+                        matched = true;
+                        matchStart = match.index;
+                        matchEnd = match.index + match[0].length;
+                        matchedText = match[0];
+                    }
+                }
+                catch {
+                    // Invalid regex — skip
+                }
+            }
+            else {
+                // Plain text match (case-insensitive)
+                const idx = input.toLowerCase().indexOf(pattern.toLowerCase());
+                if (idx !== -1) {
+                    matched = true;
+                    matchStart = idx;
+                    matchEnd = idx + pattern.length;
+                    matchedText = input.slice(idx, idx + pattern.length);
+                }
+            }
+            if (matched) {
+                findings.push({
+                    layer: 'semantic_denylist',
+                    category: 'denied_content',
+                    originalLength: matchedText.length,
+                    replacement: '',
+                    startOffset: matchStart,
+                    endOffset: matchEnd,
+                    confidence: 1.0,
+                });
+                return {
+                    output: input,
+                    findings,
+                    blocked: true,
+                    blockReason: `Content matched deny-list pattern: ${pattern}`,
+                };
+            }
+        }
+        return { output: input, findings, blocked: false };
+    }
+}
+//# sourceMappingURL=semantic-denylist-layer.js.map

package/dist/lib/redaction/semantic-denylist-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semantic-denylist-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/semantic-denylist-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,mBAA4B,CAAC;IACpC,KAAK,GAAG,GAAG,CAAC;IAErB,OAAO,CAAC,KAAa,EAAE,OAAyB;QAC9C,MAAM,QAAQ,GAAuB,EAAE,CAAC;QAExC,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;YAC/C,IAAI,OAAO,GAAG,KAAK,CAAC;YACpB,IAAI,UAAU,GAAG,CAAC,CAAC,CAAC;YACpB,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC;YAClB,IAAI,WAAW,GAAG,EAAE,CAAC;YAErB,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC5D,gCAAgC;gBAChC,MAAM,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;gBAC3C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;gBAC9C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;gBAC3C,IAAI,CAAC;oBACH,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;oBACtE,MAAM,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBAChC,IAAI,KAAK,EAAE,CAAC;wBACV,OAAO,GAAG,IAAI,CAAC;wBACf,UAAU,GAAG,KAAK,CAAC,KAAK,CAAC;wBACzB,QAAQ,GAAG,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;wBACzC,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACzB,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,uBAAuB;gBACzB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;gBAC/D,IAAI,GAAG,KAAK,CAAC,CAAC,EAAE,CAAC;oBACf,OAAO,GAAG,IAAI,CAAC;oBACf,UAAU,GAAG,GAAG,CAAC;oBACjB,QAAQ,GAAG,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC;oBAChC,WAAW,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;gBACvD,CAAC;YACH,CAAC;YAED,IAAI,OAAO,EAAE,CAAC;gBACZ,QAAQ,CAAC,IAAI,CAAC;oBACZ,KAAK,EAAE,mBAAmB;oBAC1B,QAAQ,EAAE,gBAAgB;oBAC1B,cAAc,EAAE,WAAW,CAAC,MAAM;oBAClC,WAAW,EAAE,EAAE;oBACf,WAAW,EAAE,UAAU;oBACvB,SAAS,EAAE,QAAQ;oBACnB,UAAU,EAAE,GAAG;iBAChB,CAAC,CAAC;gBAEH,OAAO;oBACL,MAAM,EAAE,KAAK;oBACb,QAAQ;oBACR,OAAO,EAAE,IAAI;oBACb,WAAW,EAAE,sCAAsC,OAAO,EAAE;iBAC7D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IACrD,CAAC;CACF"}

package/dist/lib/redaction/tenant-deidentification-layer.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Layer 4: Tenant De-identification (Story 2.2)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+export declare class TenantDeidentificationLayer implements RedactionLayer {
+    readonly name: "tenant_deidentification";
+    readonly order = 400;
+    process(input: string, context: RedactionContext): RedactionLayerResult;
+}
+//# sourceMappingURL=tenant-deidentification-layer.d.ts.map

package/dist/lib/redaction/tenant-deidentification-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-deidentification-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/tenant-deidentification-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAK3B,qBAAa,2BAA4B,YAAW,cAAc;IAChE,QAAQ,CAAC,IAAI,EAAG,yBAAyB,CAAU;IACnD,QAAQ,CAAC,KAAK,OAAO;IAErB,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,gBAAgB,GAAG,oBAAoB;CA2DxE"}

package/dist/lib/redaction/tenant-deidentification-layer.js

@@ -0,0 +1,64 @@
+/**
+ * Layer 4: Tenant De-identification (Story 2.2)
+ */
+// UUID v4 pattern
+const UUID_RE = /\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/gi;
+export class TenantDeidentificationLayer {
+    name = 'tenant_deidentification';
+    order = 400;
+    process(input, context) {
+        const findings = [];
+        let output = input;
+        // Build list of terms to strip
+        const terms = [];
+        if (context.tenantId)
+            terms.push(context.tenantId);
+        if (context.agentId)
+            terms.push(context.agentId);
+        terms.push(...context.knownTenantTerms);
+        // Filter empty/very short terms (avoid stripping single chars)
+        const validTerms = terms.filter(t => t.length >= 3);
+        // Sort by length descending to replace longer terms first
+        validTerms.sort((a, b) => b.length - a.length);
+        for (const term of validTerms) {
+            const escaped = term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+            const regex = new RegExp(escaped, 'gi');
+            let match;
+            while ((match = regex.exec(output)) !== null) {
+                findings.push({
+                    layer: 'tenant_deidentification',
+                    category: 'tenant_term',
+                    originalLength: match[0].length,
+                    replacement: '[TENANT_ENTITY]',
+                    startOffset: match.index,
+                    endOffset: match.index + match[0].length,
+                    confidence: 0.90,
+                });
+            }
+            output = output.replace(regex, '[TENANT_ENTITY]');
+        }
+        // Strip UUIDs (could be tenant/agent/user IDs)
+        const uuidRegex = new RegExp(UUID_RE.source, 'gi');
+        let uuidMatch;
+        const uuidMatches = [];
+        while ((uuidMatch = uuidRegex.exec(output)) !== null) {
+            uuidMatches.push({ start: uuidMatch.index, end: uuidMatch.index + uuidMatch[0].length });
+        }
+        // Replace UUIDs from end
+        for (let i = uuidMatches.length - 1; i >= 0; i--) {
+            const m = uuidMatches[i];
+            findings.push({
+                layer: 'tenant_deidentification',
+                category: 'uuid',
+                originalLength: m.end - m.start,
+                replacement: '[TENANT_ENTITY]',
+                startOffset: m.start,
+                endOffset: m.end,
+                confidence: 0.85,
+            });
+            output = output.slice(0, m.start) + '[TENANT_ENTITY]' + output.slice(m.end);
+        }
+        return { output, findings, blocked: false };
+    }
+}
+//# sourceMappingURL=tenant-deidentification-layer.js.map

package/dist/lib/redaction/tenant-deidentification-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenant-deidentification-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/tenant-deidentification-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,kBAAkB;AAClB,MAAM,OAAO,GAAG,oEAAoE,CAAC;AAErF,MAAM,OAAO,2BAA2B;IAC7B,IAAI,GAAG,yBAAkC,CAAC;IAC1C,KAAK,GAAG,GAAG,CAAC;IAErB,OAAO,CAAC,KAAa,EAAE,OAAyB;QAC9C,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,IAAI,MAAM,GAAG,KAAK,CAAC;QAEnB,+BAA+B;QAC/B,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,IAAI,OAAO,CAAC,QAAQ;YAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACnD,IAAI,OAAO,CAAC,OAAO;YAAE,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAAC;QAExC,+DAA+D;QAC/D,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,CAAC,CAAC;QAEpD,0DAA0D;QAC1D,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC;QAE/C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;YAC5D,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YACxC,IAAI,KAA6B,CAAC;YAClC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC;oBACZ,KAAK,EAAE,yBAAyB;oBAChC,QAAQ,EAAE,aAAa;oBACvB,cAAc,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBAC/B,WAAW,EAAE,iBAAiB;oBAC9B,WAAW,EAAE,KAAK,CAAC,KAAK;oBACxB,SAAS,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBACxC,UAAU,EAAE,IAAI;iBACjB,CAAC,CAAC;YACL,CAAC;YACD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;QACpD,CAAC;QAED,+CAA+C;QAC/C,MAAM,SAAS,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;QACnD,IAAI,SAAiC,CAAC;QACtC,MAAM,WAAW,GAA0C,EAAE,CAAC;QAC9D,OAAO,CAAC,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YACrD,WAAW,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,CAAC,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3F,CAAC;QAED,yBAAyB;QACzB,KAAK,IAAI,CAAC,GAAG,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YACjD,MAAM,CAAC,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,yBAAyB;gBAChC,QAAQ,EAAE,MAAM;gBAChB,cAAc,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK;gBAC/B,WAAW,EAAE,iBAAiB;gBAC9B,WAAW,EAAE,CAAC,CAAC,KAAK;gBACpB,SAAS,EAAE,CAAC,CAAC,GAAG;gBAChB,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;YACH,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,iBAAiB,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC9E,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC9C,CAAC;CACF"}

package/dist/lib/redaction/url-path-scrubbing-layer.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Layer 3: URL/Path Scrubbing (Story 2.1)
+ */
+import type { RedactionLayer, RedactionLayerResult, RedactionContext } from '@agentlensai/core';
+/** Default public domain allowlist — URLs to these domains are preserved */
+export declare const DEFAULT_PUBLIC_DOMAINS: Set<string>;
+export declare class UrlPathScrubbingLayer implements RedactionLayer {
+    readonly name: "url_path_scrubbing";
+    readonly order = 300;
+    private readonly allowlist;
+    constructor(publicDomainAllowlist?: string[]);
+    process(input: string, _context: RedactionContext): RedactionLayerResult;
+}
+//# sourceMappingURL=url-path-scrubbing-layer.d.ts.map

package/dist/lib/redaction/url-path-scrubbing-layer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-path-scrubbing-layer.d.ts","sourceRoot":"","sources":["../../../src/lib/redaction/url-path-scrubbing-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EACV,cAAc,EACd,oBAAoB,EACpB,gBAAgB,EAEjB,MAAM,mBAAmB,CAAC;AAE3B,4EAA4E;AAC5E,eAAO,MAAM,sBAAsB,aAoBjC,CAAC;AAmDH,qBAAa,qBAAsB,YAAW,cAAc;IAC1D,QAAQ,CAAC,IAAI,EAAG,oBAAoB,CAAU;IAC9C,QAAQ,CAAC,KAAK,OAAO;IAErB,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAc;gBAE5B,qBAAqB,CAAC,EAAE,MAAM,EAAE;IAM5C,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,gBAAgB,GAAG,oBAAoB;CAuFzE"}

package/dist/lib/redaction/url-path-scrubbing-layer.js

@@ -0,0 +1,156 @@
+/**
+ * Layer 3: URL/Path Scrubbing (Story 2.1)
+ */
+/** Default public domain allowlist — URLs to these domains are preserved */
+export const DEFAULT_PUBLIC_DOMAINS = new Set([
+    'github.com', 'gitlab.com', 'bitbucket.org',
+    'stackoverflow.com', 'stackexchange.com',
+    'docs.python.org', 'docs.rs', 'pkg.go.dev',
+    'npmjs.com', 'pypi.org', 'crates.io',
+    'developer.mozilla.org', 'mdn.io',
+    'wikipedia.org', 'en.wikipedia.org',
+    'google.com', 'youtube.com',
+    'medium.com', 'dev.to',
+    'reddit.com', 'news.ycombinator.com',
+    'twitter.com', 'x.com',
+    'microsoft.com', 'docs.microsoft.com', 'learn.microsoft.com',
+    'aws.amazon.com', 'docs.aws.amazon.com',
+    'cloud.google.com',
+    'azure.microsoft.com',
+    'docker.com', 'hub.docker.com',
+    'kubernetes.io',
+    'vercel.com', 'netlify.com', 'heroku.com',
+    'openai.com', 'platform.openai.com',
+    'anthropic.com', 'docs.anthropic.com',
+]);
+const PRIVATE_IP_RE = /\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/g;
+const UNIX_PATH_RE = /(?:\/(?:home|Users|var|etc|tmp|opt|usr|root|srv|mnt|proc|dev|sys|run))\/?[^\s,;:)"'`\]}>]*/g;
+const WINDOWS_PATH_RE = /[A-Z]:\\[^\s,;:)"'`\]}>]*/g;
+const UNC_PATH_RE = /\\\\[a-zA-Z0-9._-]+\\[^\s,;:)"'`\]}>]*/g;
+const URL_RE = /https?:\/\/[^\s,;)"'`\]}>]+/g;
+const INTERNAL_HOST_PATTERNS = [
+    /\.local\b/i,
+    /\.internal\b/i,
+    /\.corp\b/i,
+    /\.private\b/i,
+    /\.lan\b/i,
+    /\.intranet\b/i,
+    /\.compute\.internal\b/i,
+    /localhost/i,
+];
+function extractHostFromUrl(url) {
+    try {
+        const parsed = new URL(url);
+        return parsed.hostname;
+    }
+    catch {
+        // Try extracting manually
+        const match = url.match(/https?:\/\/([^/:]+)/);
+        return match?.[1] ?? null;
+    }
+}
+function isPrivateIP(host) {
+    return /^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|127\.\d{1,3}\.\d{1,3}\.\d{1,3})$/.test(host);
+}
+function isInternalHost(host) {
+    if (isPrivateIP(host))
+        return true;
+    return INTERNAL_HOST_PATTERNS.some(p => p.test(host));
+}
+function isPublicDomain(host, allowlist) {
+    // Check exact match and parent domains
+    const parts = host.split('.');
+    for (let i = 0; i < parts.length - 1; i++) {
+        const domain = parts.slice(i).join('.');
+        if (allowlist.has(domain))
+            return true;
+    }
+    return false;
+}
+export class UrlPathScrubbingLayer {
+    name = 'url_path_scrubbing';
+    order = 300;
+    allowlist;
+    constructor(publicDomainAllowlist) {
+        this.allowlist = publicDomainAllowlist
+            ? new Set([...DEFAULT_PUBLIC_DOMAINS, ...publicDomainAllowlist])
+            : DEFAULT_PUBLIC_DOMAINS;
+    }
+    process(input, _context) {
+        const findings = [];
+        const replacements = [];
+        // Detect URLs
+        const urlRegex = new RegExp(URL_RE.source, 'g');
+        let match;
+        while ((match = urlRegex.exec(input)) !== null) {
+            const url = match[0];
+            const host = extractHostFromUrl(url);
+            if (host && !isPublicDomain(host, this.allowlist)) {
+                if (isInternalHost(host) || !host.includes('.') || host === 'localhost') {
+                    replacements.push({
+                        start: match.index,
+                        end: match.index + url.length,
+                        replacement: '[INTERNAL_URL]',
+                        category: 'internal_url',
+                    });
+                }
+            }
+        }
+        // Detect private IPs (standalone, not in URLs already matched)
+        const ipRegex = new RegExp(PRIVATE_IP_RE.source, 'g');
+        while ((match = ipRegex.exec(input)) !== null) {
+            const alreadyCovered = replacements.some(r => match.index >= r.start && match.index < r.end);
+            if (!alreadyCovered) {
+                replacements.push({
+                    start: match.index,
+                    end: match.index + match[0].length,
+                    replacement: '[PRIVATE_IP]',
+                    category: 'private_ip',
+                });
+            }
+        }
+        // Detect file paths
+        for (const pathRe of [UNIX_PATH_RE, WINDOWS_PATH_RE, UNC_PATH_RE]) {
+            const re = new RegExp(pathRe.source, pathRe.flags);
+            while ((match = re.exec(input)) !== null) {
+                const alreadyCovered = replacements.some(r => match.index >= r.start && match.index < r.end);
+                if (!alreadyCovered) {
+                    replacements.push({
+                        start: match.index,
+                        end: match.index + match[0].length,
+                        replacement: '[FILE_PATH]',
+                        category: 'file_path',
+                    });
+                }
+            }
+        }
+        // Deduplicate overlapping
+        replacements.sort((a, b) => b.start - a.start);
+        const deduped = [];
+        for (const r of replacements) {
+            if (!deduped.some(d => r.start < d.end && r.end > d.start)) {
+                deduped.push(r);
+            }
+        }
+        // Record findings ascending
+        const ascending = [...deduped].sort((a, b) => a.start - b.start);
+        for (const r of ascending) {
+            findings.push({
+                layer: 'url_path_scrubbing',
+                category: r.category,
+                originalLength: r.end - r.start,
+                replacement: r.replacement,
+                startOffset: r.start,
+                endOffset: r.end,
+                confidence: 0.90,
+            });
+        }
+        // Apply replacements descending
+        let output = input;
+        for (const r of deduped) {
+            output = output.slice(0, r.start) + r.replacement + output.slice(r.end);
+        }
+        return { output, findings, blocked: false };
+    }
+}
+//# sourceMappingURL=url-path-scrubbing-layer.js.map

package/dist/lib/redaction/url-path-scrubbing-layer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"url-path-scrubbing-layer.js","sourceRoot":"","sources":["../../../src/lib/redaction/url-path-scrubbing-layer.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,4EAA4E;AAC5E,MAAM,CAAC,MAAM,sBAAsB,GAAG,IAAI,GAAG,CAAC;IAC5C,YAAY,EAAE,YAAY,EAAE,eAAe;IAC3C,mBAAmB,EAAE,mBAAmB;IACxC,iBAAiB,EAAE,SAAS,EAAE,YAAY;IAC1C,WAAW,EAAE,UAAU,EAAE,WAAW;IACpC,uBAAuB,EAAE,QAAQ;IACjC,eAAe,EAAE,kBAAkB;IACnC,YAAY,EAAE,aAAa;IAC3B,YAAY,EAAE,QAAQ;IACtB,YAAY,EAAE,sBAAsB;IACpC,aAAa,EAAE,OAAO;IACtB,eAAe,EAAE,oBAAoB,EAAE,qBAAqB;IAC5D,gBAAgB,EAAE,qBAAqB;IACvC,kBAAkB;IAClB,qBAAqB;IACrB,YAAY,EAAE,gBAAgB;IAC9B,eAAe;IACf,YAAY,EAAE,aAAa,EAAE,YAAY;IACzC,YAAY,EAAE,qBAAqB;IACnC,eAAe,EAAE,oBAAoB;CACtC,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,8IAA8I,CAAC;AAErK,MAAM,YAAY,GAAG,6FAA6F,CAAC;AACnH,MAAM,eAAe,GAAG,4BAA4B,CAAC;AACrD,MAAM,WAAW,GAAG,yCAAyC,CAAC;AAE9D,MAAM,MAAM,GAAG,8BAA8B,CAAC;AAE9C,MAAM,sBAAsB,GAAG;IAC7B,YAAY;IACZ,eAAe;IACf,WAAW;IACX,cAAc;IACd,UAAU;IACV,eAAe;IACf,wBAAwB;IACxB,YAAY;CACb,CAAC;AAEF,SAAS,kBAAkB,CAAC,GAAW;IACrC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,OAAO,MAAM,CAAC,QAAQ,CAAC;IACzB,CAAC;IAAC,MAAM,CAAC;QACP,0BAA0B;QAC1B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC;QAC/C,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,OAAO,2IAA2I,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAChK,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,IAAI,WAAW,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,cAAc,CAAC,IAAY,EAAE,SAAsB;IAC1D,uCAAuC;IACvC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IACzC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,OAAO,qBAAqB;IACvB,IAAI,GAAG,oBAA6B,CAAC;IACrC,KAAK,GAAG,GAAG,CAAC;IAEJ,SAAS,CAAc;IAExC,YAAY,qBAAgC;QAC1C,IAAI,CAAC,SAAS,GAAG,qBAAqB;YACpC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,sBAAsB,EAAE,GAAG,qBAAqB,CAAC,CAAC;YAChE,CAAC,CAAC,sBAAsB,CAAC;IAC7B,CAAC;IAED,OAAO,CAAC,KAAa,EAAE,QAA0B;QAC/C,MAAM,QAAQ,GAAuB,EAAE,CAAC;QACxC,MAAM,YAAY,GAAiF,EAAE,CAAC;QAEtG,cAAc;QACd,MAAM,QAAQ,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAChD,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC/C,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACrB,MAAM,IAAI,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACrC,IAAI,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;gBAClD,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;oBACxE,YAAY,CAAC,IAAI,CAAC;wBAChB,KAAK,EAAE,KAAK,CAAC,KAAK;wBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,MAAM;wBAC7B,WAAW,EAAE,gBAAgB;wBAC7B,QAAQ,EAAE,cAAc;qBACzB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QACtD,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,CAAC,KAAM,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,IAAI,KAAM,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,CACrD,CAAC;YACF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACpB,YAAY,CAAC,IAAI,CAAC;oBAChB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;oBAClC,WAAW,EAAE,cAAc;oBAC3B,QAAQ,EAAE,YAAY;iBACvB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,KAAK,MAAM,MAAM,IAAI,CAAC,YAAY,EAAE,eAAe,EAAE,WAAW,CAAC,EAAE,CAAC;YAClE,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YACnD,OAAO,CAAC,KAAK,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBACzC,MAAM,cAAc,GAAG,YAAY,CAAC,IAAI,CACtC,CAAC,CAAC,EAAE,CAAC,KAAM,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,IAAI,KAAM,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,CACrD,CAAC;gBACF,IAAI,CAAC,cAAc,EAAE,CAAC;oBACpB,YAAY,CAAC,IAAI,CAAC;wBAChB,KAAK,EAAE,KAAK,CAAC,KAAK;wBAClB,GAAG,EAAE,KAAK,CAAC,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM;wBAClC,WAAW,EAAE,aAAa;wBAC1B,QAAQ,EAAE,WAAW;qBACtB,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,0BAA0B;QAC1B,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAC/C,MAAM,OAAO,GAAwB,EAAE,CAAC;QACxC,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;QACH,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QACjE,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,oBAAoB;gBAC3B,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpB,cAAc,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK;gBAC/B,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,WAAW,EAAE,CAAC,CAAC,KAAK;gBACpB,SAAS,EAAE,CAAC,CAAC,GAAG;gBAChB,UAAU,EAAE,IAAI;aACjB,CAAC,CAAC;QACL,CAAC;QAED,gCAAgC;QAChC,IAAI,MAAM,GAAG,KAAK,CAAC;QACnB,KAAK,MAAM,CAAC,IAAI,OAAO,EAAE,CAAC;YACxB,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC9C,CAAC;CACF"}