@agirails/sdk 2.0.1-beta → 2.0.2

package/dist/utils/index.js

@@ -0,0 +1,51 @@
+"use strict";
+/**
+ * ACTP SDK Utilities
+ *
+ * This module exports all utility classes for the ACTP SDK.
+ *
+ * @module utils
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DisputeWindow = exports.State = exports.Bytes32 = exports.Address = exports.Deadline = exports.USDC = exports.createUsedAttestationTracker = exports.FileBasedUsedAttestationTracker = exports.InMemoryUsedAttestationTracker = exports.createReceivedNonceTracker = exports.SetBasedReceivedNonceTracker = exports.InMemoryReceivedNonceTracker = exports.shutdownSDK = exports.registerDisposable = exports.onShutdown = exports.sdkLifecycle = exports.SDKLifecycle = exports.sdkMetrics = exports.sdkLogger = exports.MetricsCollector = exports.Logger = exports.APIProtector = exports.CircuitBreaker = exports.RateLimiter = exports.withRecoveryGuidance = exports.ErrorRecoveryGuide = void 0;
+// Error Recovery (HIGH-6)
+var ErrorRecoveryGuide_1 = require("./ErrorRecoveryGuide");
+Object.defineProperty(exports, "ErrorRecoveryGuide", { enumerable: true, get: function () { return ErrorRecoveryGuide_1.ErrorRecoveryGuide; } });
+Object.defineProperty(exports, "withRecoveryGuidance", { enumerable: true, get: function () { return ErrorRecoveryGuide_1.withRecoveryGuidance; } });
+// Rate Limiting & Circuit Breaker (M-4, M-5)
+var RateLimiter_1 = require("./RateLimiter");
+Object.defineProperty(exports, "RateLimiter", { enumerable: true, get: function () { return RateLimiter_1.RateLimiter; } });
+Object.defineProperty(exports, "CircuitBreaker", { enumerable: true, get: function () { return RateLimiter_1.CircuitBreaker; } });
+Object.defineProperty(exports, "APIProtector", { enumerable: true, get: function () { return RateLimiter_1.APIProtector; } });
+// Logging & Metrics (M-6, M-7)
+var Logger_1 = require("./Logger");
+Object.defineProperty(exports, "Logger", { enumerable: true, get: function () { return Logger_1.Logger; } });
+Object.defineProperty(exports, "MetricsCollector", { enumerable: true, get: function () { return Logger_1.MetricsCollector; } });
+Object.defineProperty(exports, "sdkLogger", { enumerable: true, get: function () { return Logger_1.sdkLogger; } });
+Object.defineProperty(exports, "sdkMetrics", { enumerable: true, get: function () { return Logger_1.sdkMetrics; } });
+// SDK Lifecycle (M-8)
+var SDKLifecycle_1 = require("./SDKLifecycle");
+Object.defineProperty(exports, "SDKLifecycle", { enumerable: true, get: function () { return SDKLifecycle_1.SDKLifecycle; } });
+Object.defineProperty(exports, "sdkLifecycle", { enumerable: true, get: function () { return SDKLifecycle_1.sdkLifecycle; } });
+Object.defineProperty(exports, "onShutdown", { enumerable: true, get: function () { return SDKLifecycle_1.onShutdown; } });
+Object.defineProperty(exports, "registerDisposable", { enumerable: true, get: function () { return SDKLifecycle_1.registerDisposable; } });
+Object.defineProperty(exports, "shutdownSDK", { enumerable: true, get: function () { return SDKLifecycle_1.shutdownSDK; } });
+// Nonce Tracking (Security)
+var ReceivedNonceTracker_1 = require("./ReceivedNonceTracker");
+Object.defineProperty(exports, "InMemoryReceivedNonceTracker", { enumerable: true, get: function () { return ReceivedNonceTracker_1.InMemoryReceivedNonceTracker; } });
+Object.defineProperty(exports, "SetBasedReceivedNonceTracker", { enumerable: true, get: function () { return ReceivedNonceTracker_1.SetBasedReceivedNonceTracker; } });
+Object.defineProperty(exports, "createReceivedNonceTracker", { enumerable: true, get: function () { return ReceivedNonceTracker_1.createReceivedNonceTracker; } });
+// Attestation Tracking (Security)
+var UsedAttestationTracker_1 = require("./UsedAttestationTracker");
+Object.defineProperty(exports, "InMemoryUsedAttestationTracker", { enumerable: true, get: function () { return UsedAttestationTracker_1.InMemoryUsedAttestationTracker; } });
+Object.defineProperty(exports, "FileBasedUsedAttestationTracker", { enumerable: true, get: function () { return UsedAttestationTracker_1.FileBasedUsedAttestationTracker; } });
+Object.defineProperty(exports, "createUsedAttestationTracker", { enumerable: true, get: function () { return UsedAttestationTracker_1.createUsedAttestationTracker; } });
+// Helper Utilities (L-7)
+var Helpers_1 = require("./Helpers");
+Object.defineProperty(exports, "USDC", { enumerable: true, get: function () { return Helpers_1.USDC; } });
+Object.defineProperty(exports, "Deadline", { enumerable: true, get: function () { return Helpers_1.Deadline; } });
+Object.defineProperty(exports, "Address", { enumerable: true, get: function () { return Helpers_1.Address; } });
+Object.defineProperty(exports, "Bytes32", { enumerable: true, get: function () { return Helpers_1.Bytes32; } });
+Object.defineProperty(exports, "State", { enumerable: true, get: function () { return Helpers_1.State; } });
+Object.defineProperty(exports, "DisputeWindow", { enumerable: true, get: function () { return Helpers_1.DisputeWindow; } });
+//# sourceMappingURL=index.js.map

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,0BAA0B;AAC1B,2DAM8B;AAL5B,wHAAA,kBAAkB,OAAA;AAClB,0HAAA,oBAAoB,OAAA;AAMtB,6CAA6C;AAC7C,6CASuB;AARrB,0GAAA,WAAW,OAAA;AACX,6GAAA,cAAc,OAAA;AACd,2GAAA,YAAY,OAAA;AAQd,+BAA+B;AAC/B,mCASkB;AARhB,gGAAA,MAAM,OAAA;AACN,0GAAA,gBAAgB,OAAA;AAChB,mGAAA,SAAS,OAAA;AACT,oGAAA,UAAU,OAAA;AAOZ,sBAAsB;AACtB,+CAUwB;AATtB,4GAAA,YAAY,OAAA;AACZ,4GAAA,YAAY,OAAA;AACZ,0GAAA,UAAU,OAAA;AACV,kHAAA,kBAAkB,OAAA;AAClB,2GAAA,WAAW,OAAA;AAOb,4BAA4B;AAC5B,+DAMgC;AAL9B,oIAAA,4BAA4B,OAAA;AAC5B,oIAAA,4BAA4B,OAAA;AAC5B,kIAAA,0BAA0B,OAAA;AAK5B,kCAAkC;AAClC,mEAKkC;AAJhC,wIAAA,8BAA8B,OAAA;AAC9B,yIAAA,+BAA+B,OAAA;AAC/B,sIAAA,4BAA4B,OAAA;AAI9B,yBAAyB;AACzB,qCAOmB;AANjB,+FAAA,IAAI,OAAA;AACJ,mGAAA,QAAQ,OAAA;AACR,kGAAA,OAAO,OAAA;AACP,kGAAA,OAAO,OAAA;AACP,gGAAA,KAAK,OAAA;AACL,wGAAA,aAAa,OAAA"}

package/dist/utils/security.d.ts

@@ -0,0 +1,147 @@
+/**
+ * Security Utilities for ACTP SDK
+ *
+ * SECURITY FIXES:
+ * - H-7: Constant-time string comparison (timing attack prevention)
+ * - H-6: Path traversal prevention
+ * - H-2: Input validation and sanitization
+ * - C-3: Safe JSON parsing with schema validation
+ *
+ * @module utils/security
+ */
+/**
+ * H-7: Constant-time string comparison to prevent timing attacks
+ *
+ * Never use === for comparing signatures, hashes, or other security-sensitive strings
+ * as it can leak timing information that attackers can exploit.
+ *
+ * @param a - First string to compare
+ * @param b - Second string to compare
+ * @returns true if strings are equal, false otherwise
+ */
+export declare function timingSafeEqual(a: string, b: string): boolean;
+/**
+ * H-6: Validate and sanitize directory path to prevent path traversal
+ *
+ * Ensures that the provided path:
+ * 1. Does not contain '..' sequences
+ * 2. Resolves to a location within the allowed base directory
+ * 3. Does not follow symlinks (optional)
+ *
+ * @param requestedPath - The path to validate
+ * @param baseDirectory - The base directory to restrict paths to
+ * @returns Sanitized absolute path
+ * @throws Error if path is invalid or contains traversal attempts
+ */
+export declare function validatePath(requestedPath: string, baseDirectory: string): string;
+/**
+ * H-2: Validate and sanitize service name
+ *
+ * Ensures service name:
+ * 1. Contains only safe characters (alphanumeric, dash, dot, underscore)
+ * 2. Does not exceed maximum length
+ * 3. Does not contain special characters that could cause injection
+ *
+ * @param serviceName - The service name to validate
+ * @returns Sanitized service name
+ * @throws Error if service name is invalid
+ */
+export declare function validateServiceName(serviceName: string): string;
+/**
+ * H-5: Validate Ethereum address format
+ *
+ * Ensures address:
+ * 1. Is a valid hex string
+ * 2. Has correct length (42 chars including '0x' prefix)
+ * 3. Uses valid checksum if provided (EIP-55)
+ *
+ * @param address - The Ethereum address to validate
+ * @returns true if address is valid, false otherwise
+ */
+export declare function isValidAddress(address: string): boolean;
+/**
+ * C-3: Safe JSON parsing with schema validation
+ *
+ * Prevents code injection and prototype pollution attacks by:
+ * 1. Safely parsing JSON with error handling
+ * 2. Validating the parsed object against an expected schema
+ * 3. Removing __proto__, constructor, and prototype properties
+ * 4. Returning only whitelisted fields
+ *
+ * @param jsonString - The JSON string to parse
+ * @param schema - Expected schema (object with field names and types)
+ * @returns Parsed and validated object, or null if invalid
+ */
+export declare function safeJSONParse<T = any>(jsonString: string, schema?: Record<string, string>): T | null;
+/**
+ * LRU (Least Recently Used) cache with maximum size
+ * Used for preventing unbounded memory growth
+ *
+ * @template K - Key type
+ * @template V - Value type
+ */
+export declare class LRUCache<K, V> {
+    private cache;
+    private readonly maxSize;
+    constructor(maxSize?: number);
+    /**
+     * Get value from cache
+     *
+     * @param key - Cache key
+     * @returns Cached value or undefined
+     */
+    get(key: K): V | undefined;
+    /**
+     * Set value in cache
+     *
+     * @param key - Cache key
+     * @param value - Value to cache
+     */
+    set(key: K, value: V): void;
+    /**
+     * Check if key exists in cache
+     *
+     * SECURITY FIX (N-1): Use Map's native has() instead of get()
+     * to avoid modifying LRU order on read-only operations.
+     *
+     * @param key - Cache key
+     * @returns true if key exists
+     */
+    has(key: K): boolean;
+    /**
+     * Delete key from cache
+     *
+     * @param key - Cache key
+     */
+    delete(key: K): void;
+    /**
+     * Clear all entries
+     */
+    clear(): void;
+    /**
+     * Get current cache size
+     */
+    get size(): number;
+    /**
+     * Get all values from cache
+     *
+     * SECURITY FIX (N-2): Add iterator support for LRUCache.
+     * Returns values in LRU order (oldest to newest).
+     *
+     * @returns Array of all cached values
+     */
+    values(): V[];
+    /**
+     * Get all keys from cache
+     *
+     * @returns Array of all cached keys
+     */
+    keys(): K[];
+    /**
+     * Get all entries from cache
+     *
+     * @returns Array of all cached [key, value] pairs
+     */
+    entries(): [K, V][];
+}
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAkB7D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,YAAY,CAAC,aAAa,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,GAAG,MAAM,CA4BjF;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,mBAAmB,CAAC,WAAW,EAAE,MAAM,GAAG,MAAM,CAgC/D;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAyBvD;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,CAAC,GAAG,GAAG,EACnC,UAAU,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B,CAAC,GAAG,IAAI,CAoEV;AAqCD;;;;;;GAMG;AACH,qBAAa,QAAQ,CAAC,CAAC,EAAE,CAAC;IACxB,OAAO,CAAC,KAAK,CAAmB;IAChC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;gBAErB,OAAO,GAAE,MAAa;IAOlC;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,GAAG,SAAS;IAU1B;;;;;OAKG;IACH,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,IAAI;IAmB3B;;;;;;;;OAQG;IACH,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,OAAO;IAIpB;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI;IAIpB;;OAEG;IACH,KAAK,IAAI,IAAI;IAIb;;OAEG;IACH,IAAI,IAAI,IAAI,MAAM,CAEjB;IAED;;;;;;;OAOG;IACH,MAAM,IAAI,CAAC,EAAE;IAIb;;;;OAIG;IACH,IAAI,IAAI,CAAC,EAAE;IAIX;;;;OAIG;IACH,OAAO,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;CAGpB"}

package/dist/utils/security.js

@@ -0,0 +1,391 @@
+"use strict";
+/**
+ * Security Utilities for ACTP SDK
+ *
+ * SECURITY FIXES:
+ * - H-7: Constant-time string comparison (timing attack prevention)
+ * - H-6: Path traversal prevention
+ * - H-2: Input validation and sanitization
+ * - C-3: Safe JSON parsing with schema validation
+ *
+ * @module utils/security
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LRUCache = exports.safeJSONParse = exports.isValidAddress = exports.validateServiceName = exports.validatePath = exports.timingSafeEqual = void 0;
+const crypto = __importStar(require("crypto"));
+const path = __importStar(require("path"));
+/**
+ * H-7: Constant-time string comparison to prevent timing attacks
+ *
+ * Never use === for comparing signatures, hashes, or other security-sensitive strings
+ * as it can leak timing information that attackers can exploit.
+ *
+ * @param a - First string to compare
+ * @param b - Second string to compare
+ * @returns true if strings are equal, false otherwise
+ */
+function timingSafeEqual(a, b) {
+    if (typeof a !== 'string' || typeof b !== 'string') {
+        return false;
+    }
+    // Convert to buffers for crypto.timingSafeEqual
+    const bufA = Buffer.from(a);
+    const bufB = Buffer.from(b);
+    // If lengths differ, still use timingSafeEqual to prevent timing leaks
+    if (bufA.length !== bufB.length) {
+        // Compare against a dummy buffer of the same length to maintain constant time
+        const dummy = Buffer.alloc(bufA.length);
+        crypto.timingSafeEqual(bufA, dummy);
+        return false;
+    }
+    return crypto.timingSafeEqual(bufA, bufB);
+}
+exports.timingSafeEqual = timingSafeEqual;
+/**
+ * H-6: Validate and sanitize directory path to prevent path traversal
+ *
+ * Ensures that the provided path:
+ * 1. Does not contain '..' sequences
+ * 2. Resolves to a location within the allowed base directory
+ * 3. Does not follow symlinks (optional)
+ *
+ * @param requestedPath - The path to validate
+ * @param baseDirectory - The base directory to restrict paths to
+ * @returns Sanitized absolute path
+ * @throws Error if path is invalid or contains traversal attempts
+ */
+function validatePath(requestedPath, baseDirectory) {
+    // Check for null bytes (can be used to bypass security checks)
+    if (requestedPath.includes('\0')) {
+        throw new Error('Invalid path: null byte detected');
+    }
+    // Normalize the path BEFORE checking for '..'
+    // This prevents tricks like '.../...//' or 'foo/../../../etc/passwd'
+    const normalized = path.normalize(requestedPath);
+    // Check for '..' sequences after normalization
+    if (normalized.includes('..')) {
+        throw new Error('Invalid path: path traversal detected (..)');
+    }
+    // Resolve to absolute path
+    const absolute = path.resolve(baseDirectory, normalized);
+    // Ensure the resolved path is still within the base directory
+    // This prevents attacks like:
+    // - Symlink following to escape the directory
+    // - Absolute paths that ignore the base directory
+    const normalizedBase = path.resolve(baseDirectory);
+    if (!absolute.startsWith(normalizedBase + path.sep) && absolute !== normalizedBase) {
+        throw new Error(`Invalid path: resolved path '${absolute}' is outside base directory '${normalizedBase}'`);
+    }
+    return absolute;
+}
+exports.validatePath = validatePath;
+/**
+ * H-2: Validate and sanitize service name
+ *
+ * Ensures service name:
+ * 1. Contains only safe characters (alphanumeric, dash, dot, underscore)
+ * 2. Does not exceed maximum length
+ * 3. Does not contain special characters that could cause injection
+ *
+ * @param serviceName - The service name to validate
+ * @returns Sanitized service name
+ * @throws Error if service name is invalid
+ */
+function validateServiceName(serviceName) {
+    if (!serviceName || typeof serviceName !== 'string') {
+        throw new Error('Invalid service name: must be a non-empty string');
+    }
+    // Trim whitespace
+    const trimmed = serviceName.trim();
+    // Check length (max 256 chars)
+    if (trimmed.length === 0) {
+        throw new Error('Invalid service name: cannot be empty');
+    }
+    if (trimmed.length > 256) {
+        throw new Error('Invalid service name: exceeds maximum length of 256 characters');
+    }
+    // Validate format: alphanumeric, dash, dot, underscore only
+    // This prevents injection attacks and ensures compatibility across systems
+    const validPattern = /^[a-zA-Z0-9._-]+$/;
+    if (!validPattern.test(trimmed)) {
+        throw new Error('Invalid service name: only alphanumeric characters, dots, dashes, and underscores are allowed');
+    }
+    // Prevent names that could cause issues
+    if (trimmed === '.' || trimmed === '..' || trimmed.startsWith('.')) {
+        throw new Error('Invalid service name: cannot start with a dot');
+    }
+    return trimmed;
+}
+exports.validateServiceName = validateServiceName;
+/**
+ * H-5: Validate Ethereum address format
+ *
+ * Ensures address:
+ * 1. Is a valid hex string
+ * 2. Has correct length (42 chars including '0x' prefix)
+ * 3. Uses valid checksum if provided (EIP-55)
+ *
+ * @param address - The Ethereum address to validate
+ * @returns true if address is valid, false otherwise
+ */
+function isValidAddress(address) {
+    if (!address || typeof address !== 'string') {
+        return false;
+    }
+    // Must start with 0x
+    if (!address.startsWith('0x')) {
+        return false;
+    }
+    // Must be exactly 42 characters (0x + 40 hex chars)
+    if (address.length !== 42) {
+        return false;
+    }
+    // Must contain only valid hex characters
+    const hexPattern = /^0x[a-fA-F0-9]{40}$/;
+    if (!hexPattern.test(address)) {
+        return false;
+    }
+    // Note: Full EIP-55 checksum validation would be more complex
+    // For now, we just validate format. In production, consider using ethers.utils.getAddress()
+    return true;
+}
+exports.isValidAddress = isValidAddress;
+/**
+ * C-3: Safe JSON parsing with schema validation
+ *
+ * Prevents code injection and prototype pollution attacks by:
+ * 1. Safely parsing JSON with error handling
+ * 2. Validating the parsed object against an expected schema
+ * 3. Removing __proto__, constructor, and prototype properties
+ * 4. Returning only whitelisted fields
+ *
+ * @param jsonString - The JSON string to parse
+ * @param schema - Expected schema (object with field names and types)
+ * @returns Parsed and validated object, or null if invalid
+ */
+function safeJSONParse(jsonString, schema) {
+    if (!jsonString || typeof jsonString !== 'string') {
+        return null;
+    }
+    // SECURITY FIX (C-3): Check JSON size to prevent DoS attacks
+    const MAX_JSON_SIZE = 1000000; // 1MB
+    if (jsonString.length > MAX_JSON_SIZE) {
+        return null;
+    }
+    let parsed;
+    try {
+        // Basic JSON parsing
+        parsed = JSON.parse(jsonString);
+    }
+    catch (error) {
+        // Invalid JSON
+        return null;
+    }
+    // Ensure we got an object (not a primitive or array at the top level)
+    if (typeof parsed !== 'object' || parsed === null) {
+        return null;
+    }
+    // Remove dangerous properties that could be used for prototype pollution
+    const dangerous = ['__proto__', 'constructor', 'prototype'];
+    for (const key of dangerous) {
+        delete parsed[key];
+    }
+    // If schema is provided, validate and whitelist
+    if (schema) {
+        const validated = {};
+        for (const [field, expectedType] of Object.entries(schema)) {
+            const value = parsed[field];
+            // Skip if field doesn't exist
+            if (value === undefined) {
+                continue;
+            }
+            // Type check
+            const actualType = Array.isArray(value) ? 'array' : typeof value;
+            if (actualType !== expectedType && expectedType !== 'any') {
+                // Type mismatch - skip this field
+                continue;
+            }
+            // Recursively sanitize nested objects
+            if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+                validated[field] = sanitizeObject(value);
+            }
+            else if (Array.isArray(value)) {
+                validated[field] = value.map((item) => typeof item === 'object' && item !== null ? sanitizeObject(item) : item);
+            }
+            else {
+                validated[field] = value;
+            }
+        }
+        return validated;
+    }
+    // No schema - return sanitized object
+    return sanitizeObject(parsed);
+}
+exports.safeJSONParse = safeJSONParse;
+/**
+ * Recursively sanitize an object by removing dangerous properties
+ *
+ * @param obj - Object to sanitize
+ * @returns Sanitized object
+ */
+function sanitizeObject(obj) {
+    if (typeof obj !== 'object' || obj === null) {
+        return obj;
+    }
+    const sanitized = {};
+    const dangerous = ['__proto__', 'constructor', 'prototype'];
+    for (const [key, value] of Object.entries(obj)) {
+        // Skip dangerous keys
+        if (dangerous.includes(key)) {
+            continue;
+        }
+        // Recursively sanitize nested objects
+        if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
+            sanitized[key] = sanitizeObject(value);
+        }
+        else if (Array.isArray(value)) {
+            sanitized[key] = value.map((item) => typeof item === 'object' && item !== null ? sanitizeObject(item) : item);
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
+/**
+ * LRU (Least Recently Used) cache with maximum size
+ * Used for preventing unbounded memory growth
+ *
+ * @template K - Key type
+ * @template V - Value type
+ */
+class LRUCache {
+    constructor(maxSize = 1000) {
+        this.cache = new Map();
+        if (maxSize <= 0) {
+            throw new Error('LRU cache maxSize must be positive');
+        }
+        this.maxSize = maxSize;
+    }
+    /**
+     * Get value from cache
+     *
+     * @param key - Cache key
+     * @returns Cached value or undefined
+     */
+    get(key) {
+        const value = this.cache.get(key);
+        if (value !== undefined) {
+            // Move to end (most recently used)
+            this.cache.delete(key);
+            this.cache.set(key, value);
+        }
+        return value;
+    }
+    /**
+     * Set value in cache
+     *
+     * @param key - Cache key
+     * @param value - Value to cache
+     */
+    set(key, value) {
+        // Delete if already exists (to update position)
+        if (this.cache.has(key)) {
+            this.cache.delete(key);
+        }
+        // Evict oldest if at capacity
+        if (this.cache.size >= this.maxSize) {
+            const firstKey = this.cache.keys().next().value;
+            // TypeScript doesn't know that Map iterator always returns defined values when size > 0
+            // But we check size >= maxSize above, so this is safe
+            if (firstKey !== undefined) {
+                this.cache.delete(firstKey);
+            }
+        }
+        this.cache.set(key, value);
+    }
+    /**
+     * Check if key exists in cache
+     *
+     * SECURITY FIX (N-1): Use Map's native has() instead of get()
+     * to avoid modifying LRU order on read-only operations.
+     *
+     * @param key - Cache key
+     * @returns true if key exists
+     */
+    has(key) {
+        return this.cache.has(key);
+    }
+    /**
+     * Delete key from cache
+     *
+     * @param key - Cache key
+     */
+    delete(key) {
+        this.cache.delete(key);
+    }
+    /**
+     * Clear all entries
+     */
+    clear() {
+        this.cache.clear();
+    }
+    /**
+     * Get current cache size
+     */
+    get size() {
+        return this.cache.size;
+    }
+    /**
+     * Get all values from cache
+     *
+     * SECURITY FIX (N-2): Add iterator support for LRUCache.
+     * Returns values in LRU order (oldest to newest).
+     *
+     * @returns Array of all cached values
+     */
+    values() {
+        return Array.from(this.cache.values());
+    }
+    /**
+     * Get all keys from cache
+     *
+     * @returns Array of all cached keys
+     */
+    keys() {
+        return Array.from(this.cache.keys());
+    }
+    /**
+     * Get all entries from cache
+     *
+     * @returns Array of all cached [key, value] pairs
+     */
+    entries() {
+        return Array.from(this.cache.entries());
+    }
+}
+exports.LRUCache = LRUCache;
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;;;;;;;;;;;;;;;;;;;;;;;;AAEH,+CAAiC;AACjC,2CAA6B;AAE7B;;;;;;;;;GASG;AACH,SAAgB,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;QACnD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gDAAgD;IAChD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAE5B,uEAAuE;IACvE,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,8EAA8E;QAC9E,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QACpC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAlBD,0CAkBC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,YAAY,CAAC,aAAqB,EAAE,aAAqB;IACvE,+DAA+D;IAC/D,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;IAED,8CAA8C;IAC9C,qEAAqE;IACrE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;IAEjD,+CAA+C;IAC/C,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IAED,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;IAEzD,8DAA8D;IAC9D,8BAA8B;IAC9B,8CAA8C;IAC9C,kDAAkD;IAClD,MAAM,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACnD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,QAAQ,KAAK,cAAc,EAAE,CAAC;QACnF,MAAM,IAAI,KAAK,CAAC,gCAAgC,QAAQ,gCAAgC,cAAc,GAAG,CAAC,CAAC;IAC7G,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AA5BD,oCA4BC;AAED;;;;;;;;;;;GAWG;AACH,SAAgB,mBAAmB,CAAC,WAAmB;IACrD,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;IACtE,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;IAEnC,+BAA+B;IAC/B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IAED,4DAA4D;IAC5D,2EAA2E;IAC3E,MAAM,YAAY,GAAG,mBAAmB,CAAC;IACzC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,+FAA+F,CAChG,CAAC;IACJ,CAAC;IAED,wCAAwC;IACxC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,IAAI,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAhCD,kDAgCC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,cAAc,CAAC,OAAe;IAC5C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,KAAK,CAAC;IACf,CAAC;IAED,qBAAqB;IACrB,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oDAAoD;IACpD,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,yCAAyC;IACzC,MAAM,UAAU,GAAG,qBAAqB,CAAC;IACzC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,8DAA8D;IAC9D,4FAA4F;IAE5F,OAAO,IAAI,CAAC;AACd,CAAC;AAzBD,wCAyBC;AAED;;;;;;;;;;;;GAYG;AACH,SAAgB,aAAa,CAC3B,UAAkB,EAClB,MAA+B;IAE/B,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,6DAA6D;IAC7D,MAAM,aAAa,GAAG,OAAS,CAAC,CAAC,MAAM;IACvC,IAAI,UAAU,CAAC,MAAM,GAAG,aAAa,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,MAAW,CAAC;IAEhB,IAAI,CAAC;QACH,qBAAqB;QACrB,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe;QACf,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sEAAsE;IACtE,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;IAC5D,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAED,gDAAgD;IAChD,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,SAAS,GAAwB,EAAE,CAAC;QAE1C,KAAK,MAAM,CAAC,KAAK,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC3D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAE5B,8BAA8B;YAC9B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,SAAS;YACX,CAAC;YAED,aAAa;YACb,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC;YACjE,IAAI,UAAU,KAAK,YAAY,IAAI,YAAY,KAAK,KAAK,EAAE,CAAC;gBAC1D,kCAAkC;gBAClC,SAAS;YACX,CAAC;YAED,sCAAsC;YACtC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzE,SAAS,CAAC,KAAK,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;YAC3C,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,SAAS,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CACpC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CACxE,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,SAAS,CAAC,KAAK,CAAC,GAAG,KAAK,CAAC;YAC3B,CAAC;QACH,CAAC;QAED,OAAO,SAAc,CAAC;IACxB,CAAC;IAED,sCAAsC;IACtC,OAAO,cAAc,CAAC,MAAM,CAAM,CAAC;AACrC,CAAC;AAvED,sCAuEC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,SAAS,GAAwB,EAAE,CAAC;IAC1C,MAAM,SAAS,GAAG,CAAC,WAAW,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;IAE5D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,sBAAsB;QACtB,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,sCAAsC;QACtC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzE,SAAS,CAAC,GAAG,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC;QACzC,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChC,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAClC,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CACxE,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,MAAa,QAAQ;IAInB,YAAY,UAAkB,IAAI;QAH1B,UAAK,GAAG,IAAI,GAAG,EAAQ,CAAC;QAI9B,IAAI,OAAO,IAAI,CAAC,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,GAAM;QACR,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,mCAAmC;YACnC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACvB,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAC7B,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED;;;;;OAKG;IACH,GAAG,CAAC,GAAM,EAAE,KAAQ;QAClB,gDAAgD;QAChD,IAAI,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACzB,CAAC;QAED,8BAA8B;QAC9B,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC;YAChD,wFAAwF;YACxF,sDAAsD;YACtD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC7B,CAAC;IAED;;;;;;;;OAQG;IACH,GAAG,CAAC,GAAM;QACR,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED;;;;OAIG;IACH,MAAM,CAAC,GAAM;QACX,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACzB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,IAAI,IAAI;QACN,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;IACzB,CAAC;IAED;;;;;;;OAOG;IACH,MAAM;QACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACzC,CAAC;IAED;;;;OAIG;IACH,IAAI;QACF,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;IACvC,CAAC;IAED;;;;OAIG;IACH,OAAO;QACL,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1C,CAAC;CACF;AArHD,4BAqHC"}

package/dist/utils/validation.d.ts

@@ -1,6 +1,46 @@
+/**
+ * Input validation utilities
+ */
+/**
+ * Validate Ethereum address
+ */
 export declare function validateAddress(address: string, fieldName?: string): void;
+/**
+ * Validate amount (must be > 0)
+ */
 export declare function validateAmount(amount: bigint, _fieldName?: string): void;
+/**
+ * Validate deadline (must be future timestamp)
+ */
 export declare function validateDeadline(deadline: number, fieldName?: string): void;
+/**
+ * Validate dispute window (max 30 days per spec)
+ */
 export declare function validateDisputeWindow(disputeWindow: number, fieldName?: string): void;
+/**
+ * Validate transaction ID format
+ */
 export declare function validateTxId(txId: string, fieldName?: string): void;
+/**
+ * Validate endpoint URL (for AgentRegistry)
+ *
+ * SECURITY FIX (H-1): Enhanced SSRF protection with DNS resolution
+ *
+ * Security checks:
+ * - Valid URL format
+ * - HTTPS or IPFS protocols only
+ * - Maximum length 256 characters
+ * - DNS resolution check (hostname → IP validation)
+ * - No private/local IP addresses (SSRF protection)
+ * - Blocks AWS metadata endpoint (169.254.169.254)
+ * - Fail-secure: if DNS lookup fails, reject
+ *
+ * **CRITICAL**: This function is now ASYNC due to DNS resolution.
+ * All callers MUST await this function.
+ *
+ * @param endpoint - URL to validate
+ * @param fieldName - Field name for error messages
+ * @throws {ValidationError} If endpoint is invalid or points to private IP
+ */
+export declare function validateEndpointURL(endpoint: string, fieldName?: string): Promise<void>;
 //# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAcA,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,GAAE,MAAkB,GAAG,IAAI,CAQpF;AAKD,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAiB,GAAG,IAAI,CASlF;AAKD,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,GAAE,MAAmB,GAAG,IAAI,CASvF;AAKD,wBAAgB,qBAAqB,CACnC,aAAa,EAAE,MAAM,EACrB,SAAS,GAAE,MAAwB,GAClC,IAAI,CAaN;AAKD,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,MAAe,GAAG,IAAI,CAI3E"}
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAOA;;GAEG;AAEH;;GAEG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,GAAE,MAAkB,GAAG,IAAI,CAQpF;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,GAAE,MAAiB,GAAG,IAAI,CASlF;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,GAAE,MAAmB,GAAG,IAAI,CASvF;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,aAAa,EAAE,MAAM,EACrB,SAAS,GAAE,MAAwB,GAClC,IAAI,CAaN;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,GAAE,MAAe,GAAG,IAAI,CAI3E;AAwDD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,GAAE,MAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuFzG"}