@aigrc/core 0.1.0 → 0.2.0

@@ -0,0 +1,450 @@
1
+ "use strict";
2
+ var __defProp = Object.defineProperty;
3
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
4
+ var __getOwnPropNames = Object.getOwnPropertyNames;
5
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
6
+ var __export = (target, all) => {
7
+ for (var name in all)
8
+ __defProp(target, name, { get: all[name], enumerable: true });
9
+ };
10
+ var __copyProps = (to, from, except, desc) => {
11
+ if (from && typeof from === "object" || typeof from === "function") {
12
+ for (let key of __getOwnPropNames(from))
13
+ if (!__hasOwnProp.call(to, key) && key !== except)
14
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
15
+ }
16
+ return to;
17
+ };
18
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
19
+
20
+ // src/air/index.ts
21
+ var air_exports = {};
22
+ __export(air_exports, {
23
+ AIRBuildConstraintsSchema: () => AIRBuildConstraintsSchema,
24
+ AIRMetadataSchema: () => AIRMetadataSchema,
25
+ AIRModelSchema: () => AIRModelSchema,
26
+ AIRPIIFilterConfigSchema: () => AIRPIIFilterConfigSchema,
27
+ AIRPolicySourceSchema: () => AIRPolicySourceSchema,
28
+ AIRRegionSchema: () => AIRRegionSchema,
29
+ AIRRegistryConstraintsSchema: () => AIRRegistryConstraintsSchema,
30
+ AIRRuntimeConstraintsSchema: () => AIRRuntimeConstraintsSchema,
31
+ AIRSchema: () => AIRSchema,
32
+ AIRToxicityFilterConfigSchema: () => AIRToxicityFilterConfigSchema,
33
+ AIRVendorSchema: () => AIRVendorSchema,
34
+ createEmptyAIR: () => createEmptyAIR,
35
+ isModelAllowed: () => isModelAllowed,
36
+ isRegionAllowed: () => isRegionAllowed,
37
+ isVendorAllowed: () => isVendorAllowed,
38
+ validateAIR: () => validateAIR
39
+ });
40
+ module.exports = __toCommonJS(air_exports);
41
+ var import_zod = require("zod");
42
+ var AIRVendorSchema = import_zod.z.object({
43
+ /** Vendor identifier (e.g., "openai", "anthropic", "google") */
44
+ id: import_zod.z.string().min(1),
45
+ /** Human-readable vendor name */
46
+ name: import_zod.z.string().optional(),
47
+ /** Status of this vendor */
48
+ status: import_zod.z.enum(["approved", "pending", "blocked"]).default("pending"),
49
+ /** Optional approval ticket ID (Golden Thread) */
50
+ approval_ticket: import_zod.z.string().optional(),
51
+ /** When approval was granted */
52
+ approved_at: import_zod.z.string().datetime().optional(),
53
+ /** Who approved this vendor */
54
+ approved_by: import_zod.z.string().email().optional(),
55
+ /** Expiration date for approval */
56
+ expires_at: import_zod.z.string().datetime().optional(),
57
+ /** Vendor-specific notes */
58
+ notes: import_zod.z.string().optional()
59
+ });
60
+ var AIRModelSchema = import_zod.z.object({
61
+ /** Model identifier (e.g., "gpt-4", "claude-3-opus") */
62
+ id: import_zod.z.string().min(1),
63
+ /** Vendor that provides this model */
64
+ vendor_id: import_zod.z.string().min(1),
65
+ /** Human-readable model name */
66
+ name: import_zod.z.string().optional(),
67
+ /** Model version pattern (supports wildcards like "gpt-4*") */
68
+ version_pattern: import_zod.z.string().optional(),
69
+ /** Status of this model */
70
+ status: import_zod.z.enum(["approved", "pending", "blocked"]).default("pending"),
71
+ /** Maximum allowed parameters (for on-premise deployment considerations) */
72
+ max_parameters: import_zod.z.number().positive().optional(),
73
+ /** Risk level assigned to this model */
74
+ risk_level: import_zod.z.enum(["minimal", "limited", "high", "unacceptable"]).optional(),
75
+ /** Optional approval ticket ID */
76
+ approval_ticket: import_zod.z.string().optional(),
77
+ /** When approval was granted */
78
+ approved_at: import_zod.z.string().datetime().optional(),
79
+ /** Expiration date for approval */
80
+ expires_at: import_zod.z.string().datetime().optional(),
81
+ /** Model-specific notes */
82
+ notes: import_zod.z.string().optional()
83
+ });
84
+ var AIRRegionSchema = import_zod.z.object({
85
+ /** Region code (e.g., "us-east-1", "eu-west-1", "EU", "US") */
86
+ code: import_zod.z.string().min(1),
87
+ /** Human-readable region name */
88
+ name: import_zod.z.string().optional(),
89
+ /** Status of this region */
90
+ status: import_zod.z.enum(["allowed", "restricted", "blocked"]).default("allowed"),
91
+ /** Jurisdictions this region falls under (e.g., ["GDPR", "EU-AI-ACT"]) */
92
+ jurisdictions: import_zod.z.array(import_zod.z.string()).default([]),
93
+ /** Data residency requirements */
94
+ data_residency: import_zod.z.enum(["required", "preferred", "none"]).default("none"),
95
+ /** Notes about this region */
96
+ notes: import_zod.z.string().optional()
97
+ });
98
+ var AIRRegistryConstraintsSchema = import_zod.z.object({
99
+ /** List of approved vendors */
100
+ allowed_vendors: import_zod.z.array(AIRVendorSchema).default([]),
101
+ /** List of blocked vendors */
102
+ blocked_vendors: import_zod.z.array(import_zod.z.string()).default([]),
103
+ /** List of approved regions */
104
+ allowed_regions: import_zod.z.array(AIRRegionSchema).default([]),
105
+ /** List of blocked regions */
106
+ blocked_regions: import_zod.z.array(import_zod.z.string()).default([]),
107
+ /** List of approved models */
108
+ allowed_models: import_zod.z.array(AIRModelSchema).default([]),
109
+ /** List of blocked models (patterns supported) */
110
+ blocked_models: import_zod.z.array(import_zod.z.string()).default([]),
111
+ /** Maximum model parameters allowed */
112
+ max_model_parameters: import_zod.z.number().positive().optional(),
113
+ /** Require vendor approval before use */
114
+ require_vendor_approval: import_zod.z.boolean().default(true),
115
+ /** Require model approval before use */
116
+ require_model_approval: import_zod.z.boolean().default(true),
117
+ /** Default behavior for unknown vendors: "block" or "request_approval" */
118
+ unknown_vendor_behavior: import_zod.z.enum(["block", "request_approval"]).default("request_approval"),
119
+ /** Default behavior for unknown models */
120
+ unknown_model_behavior: import_zod.z.enum(["block", "request_approval"]).default("request_approval")
121
+ });
122
+ var AIRPIIFilterConfigSchema = import_zod.z.object({
123
+ /** Whether PII filtering is enabled */
124
+ enabled: import_zod.z.boolean().default(false),
125
+ /** PII types to filter (e.g., ["email", "phone", "ssn", "credit_card"]) */
126
+ filter_types: import_zod.z.array(import_zod.z.string()).default([]),
127
+ /** Action when PII is detected: "redact", "block", "warn", "audit" */
128
+ action: import_zod.z.enum(["redact", "block", "warn", "audit"]).default("warn"),
129
+ /** Custom patterns to detect (regex) */
130
+ custom_patterns: import_zod.z.array(import_zod.z.object({
131
+ name: import_zod.z.string(),
132
+ pattern: import_zod.z.string(),
133
+ action: import_zod.z.enum(["redact", "block", "warn", "audit"]).optional()
134
+ })).default([])
135
+ });
136
+ var AIRToxicityFilterConfigSchema = import_zod.z.object({
137
+ /** Whether toxicity filtering is enabled */
138
+ enabled: import_zod.z.boolean().default(false),
139
+ /** Toxicity threshold (0-1) */
140
+ threshold: import_zod.z.number().min(0).max(1).default(0.7),
141
+ /** Categories to filter (e.g., ["hate", "violence", "sexual"]) */
142
+ categories: import_zod.z.array(import_zod.z.string()).default([]),
143
+ /** Action when toxicity is detected */
144
+ action: import_zod.z.enum(["block", "warn", "audit"]).default("warn")
145
+ });
146
+ var AIRRuntimeConstraintsSchema = import_zod.z.object({
147
+ /** PII filtering configuration */
148
+ pii_filter: AIRPIIFilterConfigSchema.optional(),
149
+ /** Toxicity filtering configuration */
150
+ toxicity_filter: AIRToxicityFilterConfigSchema.optional(),
151
+ /** Data retention period in days (0 = no retention) */
152
+ data_retention_days: import_zod.z.number().int().min(0).default(90),
153
+ /** Whether to enable output watermarking */
154
+ watermark_enabled: import_zod.z.boolean().default(false),
155
+ /** Logging level: "none", "errors", "all" */
156
+ logging_level: import_zod.z.enum(["none", "errors", "all"]).default("all"),
157
+ /** Maximum tokens per request */
158
+ max_tokens_per_request: import_zod.z.number().int().positive().optional(),
159
+ /** Maximum requests per minute */
160
+ max_requests_per_minute: import_zod.z.number().int().positive().optional(),
161
+ /** Maximum cost per request in USD */
162
+ max_cost_per_request_usd: import_zod.z.number().positive().optional(),
163
+ /** Maximum cost per day in USD */
164
+ max_cost_per_day_usd: import_zod.z.number().positive().optional(),
165
+ /** Session timeout in seconds */
166
+ session_timeout_seconds: import_zod.z.number().int().positive().optional(),
167
+ /** Require human approval for specific actions */
168
+ human_approval_required: import_zod.z.array(import_zod.z.string()).default([]),
169
+ /** Kill switch configuration */
170
+ kill_switch: import_zod.z.object({
171
+ enabled: import_zod.z.boolean().default(true),
172
+ channel: import_zod.z.enum(["sse", "polling", "file"]).default("sse"),
173
+ poll_interval_ms: import_zod.z.number().int().positive().default(5e3)
174
+ }).optional(),
175
+ /** Grounding check configuration (prevent hallucination) */
176
+ grounding_check: import_zod.z.object({
177
+ enabled: import_zod.z.boolean().default(false),
178
+ confidence_threshold: import_zod.z.number().min(0).max(1).default(0.8),
179
+ action: import_zod.z.enum(["block", "warn", "audit"]).default("warn")
180
+ }).optional()
181
+ });
182
+ var AIRBuildConstraintsSchema = import_zod.z.object({
183
+ /** Require Golden Thread linkage (business justification) */
184
+ require_golden_thread: import_zod.z.boolean().default(true),
185
+ /** Require asset card for all AI assets */
186
+ require_asset_card: import_zod.z.boolean().default(true),
187
+ /** Require risk classification */
188
+ require_risk_classification: import_zod.z.boolean().default(true),
189
+ /** Require model card documentation */
190
+ require_model_card: import_zod.z.boolean().default(false),
191
+ /** Require security review for high-risk assets */
192
+ require_security_review: import_zod.z.boolean().default(false),
193
+ /** Minimum risk levels that require security review */
194
+ security_review_risk_levels: import_zod.z.array(import_zod.z.enum(["high", "unacceptable"])).default(["high", "unacceptable"]),
195
+ /** Require governance.lock file */
196
+ require_governance_lock: import_zod.z.boolean().default(true),
197
+ /** governance.lock must be signed */
198
+ require_lock_signature: import_zod.z.boolean().default(false),
199
+ /** Block merge on validation failure */
200
+ block_on_failure: import_zod.z.boolean().default(true),
201
+ /** Generate SARIF report for GitHub Security tab */
202
+ generate_sarif: import_zod.z.boolean().default(true),
203
+ /** Required approvals before deployment */
204
+ required_approvals: import_zod.z.array(import_zod.z.object({
205
+ role: import_zod.z.string(),
206
+ count: import_zod.z.number().int().positive().default(1)
207
+ })).default([]),
208
+ /** Allowed deployment environments */
209
+ allowed_environments: import_zod.z.array(import_zod.z.string()).default(["development", "staging", "production"]),
210
+ /** Environment-specific constraints */
211
+ environment_constraints: import_zod.z.record(import_zod.z.object({
212
+ require_approval: import_zod.z.boolean().default(false),
213
+ approvers: import_zod.z.array(import_zod.z.string()).default([]),
214
+ require_testing: import_zod.z.boolean().default(false),
215
+ test_coverage_threshold: import_zod.z.number().min(0).max(100).optional()
216
+ })).optional()
217
+ });
218
+ var AIRPolicySourceSchema = import_zod.z.object({
219
+ /** Unique identifier for this source */
220
+ id: import_zod.z.string().min(1),
221
+ /** Type of source: "pdf", "url", "confluence", "jira", "manual" */
222
+ type: import_zod.z.enum(["pdf", "url", "confluence", "jira", "manual"]),
223
+ /** URI to the source document */
224
+ uri: import_zod.z.string(),
225
+ /** SHA-256 hash of the source content */
226
+ content_hash: import_zod.z.string().regex(/^sha256:[a-f0-9]{64}$/),
227
+ /** When the source was last fetched */
228
+ fetched_at: import_zod.z.string().datetime(),
229
+ /** Title of the policy document */
230
+ title: import_zod.z.string().optional(),
231
+ /** Version of the policy document */
232
+ version: import_zod.z.string().optional(),
233
+ /** Confidence score of extraction (0-1) */
234
+ extraction_confidence: import_zod.z.number().min(0).max(1).optional()
235
+ });
236
+ var AIRMetadataSchema = import_zod.z.object({
237
+ /** When this AIR was generated */
238
+ generated_at: import_zod.z.string().datetime(),
239
+ /** Tool/system that generated this AIR */
240
+ generated_by: import_zod.z.string().default("aigrc-policy-compiler"),
241
+ /** Version of the policy compiler */
242
+ compiler_version: import_zod.z.string(),
243
+ /** Organization this AIR belongs to */
244
+ organization: import_zod.z.string().optional(),
245
+ /** Environment this AIR is for (e.g., "production", "staging") */
246
+ environment: import_zod.z.string().optional(),
247
+ /** Human-readable description */
248
+ description: import_zod.z.string().optional(),
249
+ /** Tags for categorization */
250
+ tags: import_zod.z.array(import_zod.z.string()).default([]),
251
+ /** Custom metadata fields */
252
+ custom: import_zod.z.record(import_zod.z.unknown()).optional()
253
+ });
254
+ var AIRSchema = import_zod.z.object({
255
+ /** Schema version for forward compatibility */
256
+ version: import_zod.z.literal("1.0"),
257
+ /** Unique identifier for this AIR */
258
+ id: import_zod.z.string().uuid(),
259
+ /** Human-readable name */
260
+ name: import_zod.z.string().min(1).max(200),
261
+ /** SHA-256 hash of this AIR (computed after serialization) */
262
+ hash: import_zod.z.string().regex(/^sha256:[a-f0-9]{64}$/).optional(),
263
+ /** Policy sources that contributed to this AIR */
264
+ policy_sources: import_zod.z.array(AIRPolicySourceSchema).default([]),
265
+ /** Registry constraints (vendor/model/region governance) */
266
+ registry: AIRRegistryConstraintsSchema.default({}),
267
+ /** Runtime constraints (execution-time governance) */
268
+ runtime: AIRRuntimeConstraintsSchema.default({}),
269
+ /** Build constraints (CI/CD governance) */
270
+ build: AIRBuildConstraintsSchema.default({}),
271
+ /** Metadata about this AIR */
272
+ metadata: AIRMetadataSchema,
273
+ /** When this AIR expires (forces re-compilation) */
274
+ expires_at: import_zod.z.string().datetime().optional(),
275
+ /** Digital signatures for verification */
276
+ signatures: import_zod.z.array(import_zod.z.object({
277
+ /** Signer identity (email or system ID) */
278
+ signer: import_zod.z.string(),
279
+ /** Algorithm used (RS256, ES256) */
280
+ algorithm: import_zod.z.enum(["RS256", "ES256"]),
281
+ /** Base64-encoded signature */
282
+ signature: import_zod.z.string(),
283
+ /** When the signature was created */
284
+ signed_at: import_zod.z.string().datetime(),
285
+ /** Key ID for verification */
286
+ key_id: import_zod.z.string().optional()
287
+ })).default([])
288
+ });
289
+ function createEmptyAIR(name, compilerVersion = "1.0.0") {
290
+ return {
291
+ version: "1.0",
292
+ id: crypto.randomUUID(),
293
+ name,
294
+ policy_sources: [],
295
+ registry: {
296
+ allowed_vendors: [],
297
+ blocked_vendors: [],
298
+ allowed_regions: [],
299
+ blocked_regions: [],
300
+ allowed_models: [],
301
+ blocked_models: [],
302
+ require_vendor_approval: true,
303
+ require_model_approval: true,
304
+ unknown_vendor_behavior: "request_approval",
305
+ unknown_model_behavior: "request_approval"
306
+ },
307
+ runtime: {
308
+ data_retention_days: 90,
309
+ watermark_enabled: false,
310
+ logging_level: "all",
311
+ human_approval_required: []
312
+ },
313
+ build: {
314
+ require_golden_thread: true,
315
+ require_asset_card: true,
316
+ require_risk_classification: true,
317
+ require_model_card: false,
318
+ require_security_review: false,
319
+ security_review_risk_levels: ["high", "unacceptable"],
320
+ require_governance_lock: true,
321
+ require_lock_signature: false,
322
+ block_on_failure: true,
323
+ generate_sarif: true,
324
+ required_approvals: [],
325
+ allowed_environments: ["development", "staging", "production"]
326
+ },
327
+ metadata: {
328
+ generated_at: (/* @__PURE__ */ new Date()).toISOString(),
329
+ generated_by: "aigrc-policy-compiler",
330
+ compiler_version: compilerVersion,
331
+ tags: []
332
+ },
333
+ signatures: []
334
+ };
335
+ }
336
+ function validateAIR(air) {
337
+ const result = AIRSchema.safeParse(air);
338
+ if (result.success) {
339
+ return { valid: true, errors: [] };
340
+ }
341
+ return {
342
+ valid: false,
343
+ errors: result.error.errors.map((e) => `${e.path.join(".")}: ${e.message}`)
344
+ };
345
+ }
346
+ function isVendorAllowed(vendorId, registry) {
347
+ if (registry.blocked_vendors.includes(vendorId)) {
348
+ return { allowed: false, reason: "Vendor is blocked", requiresApproval: false };
349
+ }
350
+ const allowedVendor = registry.allowed_vendors.find((v) => v.id === vendorId);
351
+ if (allowedVendor) {
352
+ if (allowedVendor.status === "approved") {
353
+ if (allowedVendor.expires_at && new Date(allowedVendor.expires_at) < /* @__PURE__ */ new Date()) {
354
+ return { allowed: false, reason: "Vendor approval has expired", requiresApproval: true };
355
+ }
356
+ return { allowed: true, reason: "Vendor is approved", requiresApproval: false };
357
+ }
358
+ if (allowedVendor.status === "pending") {
359
+ return { allowed: false, reason: "Vendor approval is pending", requiresApproval: true };
360
+ }
361
+ return { allowed: false, reason: "Vendor is blocked", requiresApproval: false };
362
+ }
363
+ if (registry.unknown_vendor_behavior === "block") {
364
+ return { allowed: false, reason: "Unknown vendor (blocked by policy)", requiresApproval: false };
365
+ }
366
+ return { allowed: false, reason: "Unknown vendor (requires approval)", requiresApproval: true };
367
+ }
368
+ function isModelAllowed(modelId, vendorId, registry) {
369
+ for (const pattern of registry.blocked_models) {
370
+ if (matchesPattern(modelId, pattern)) {
371
+ return { allowed: false, reason: `Model matches blocked pattern: ${pattern}`, requiresApproval: false };
372
+ }
373
+ }
374
+ const allowedModel = registry.allowed_models.find(
375
+ (m) => m.id === modelId && m.vendor_id === vendorId
376
+ );
377
+ if (allowedModel) {
378
+ if (allowedModel.status === "approved") {
379
+ if (allowedModel.expires_at && new Date(allowedModel.expires_at) < /* @__PURE__ */ new Date()) {
380
+ return { allowed: false, reason: "Model approval has expired", requiresApproval: true };
381
+ }
382
+ return { allowed: true, reason: "Model is approved", requiresApproval: false };
383
+ }
384
+ if (allowedModel.status === "pending") {
385
+ return { allowed: false, reason: "Model approval is pending", requiresApproval: true };
386
+ }
387
+ return { allowed: false, reason: "Model is blocked", requiresApproval: false };
388
+ }
389
+ const matchingModel = registry.allowed_models.find(
390
+ (m) => m.vendor_id === vendorId && m.version_pattern && matchesPattern(modelId, m.version_pattern)
391
+ );
392
+ if (matchingModel && matchingModel.status === "approved") {
393
+ return { allowed: true, reason: `Model matches approved pattern: ${matchingModel.version_pattern}`, requiresApproval: false };
394
+ }
395
+ if (registry.unknown_model_behavior === "block") {
396
+ return { allowed: false, reason: "Unknown model (blocked by policy)", requiresApproval: false };
397
+ }
398
+ return { allowed: false, reason: "Unknown model (requires approval)", requiresApproval: true };
399
+ }
400
+ function isRegionAllowed(regionCode, registry) {
401
+ if (registry.blocked_regions.includes(regionCode)) {
402
+ return { allowed: false, reason: "Region is blocked", dataResidency: "none" };
403
+ }
404
+ const allowedRegion = registry.allowed_regions.find((r) => r.code === regionCode);
405
+ if (allowedRegion) {
406
+ if (allowedRegion.status === "blocked") {
407
+ return { allowed: false, reason: "Region is blocked", dataResidency: "none" };
408
+ }
409
+ if (allowedRegion.status === "restricted") {
410
+ return { allowed: true, reason: "Region is restricted (requires approval)", dataResidency: allowedRegion.data_residency };
411
+ }
412
+ return { allowed: true, reason: "Region is allowed", dataResidency: allowedRegion.data_residency };
413
+ }
414
+ if (registry.allowed_regions.length === 0) {
415
+ return { allowed: true, reason: "No region restrictions", dataResidency: "none" };
416
+ }
417
+ return { allowed: false, reason: "Region not in allowed list", dataResidency: "none" };
418
+ }
419
+ function matchesPattern(value, pattern) {
420
+ if (pattern === "*") {
421
+ return true;
422
+ }
423
+ if (pattern.endsWith("*")) {
424
+ return value.startsWith(pattern.slice(0, -1));
425
+ }
426
+ if (pattern.startsWith("*")) {
427
+ return value.endsWith(pattern.slice(1));
428
+ }
429
+ return value === pattern;
430
+ }
431
+ // Annotate the CommonJS export names for ESM import in node:
432
+ 0 && (module.exports = {
433
+ AIRBuildConstraintsSchema,
434
+ AIRMetadataSchema,
435
+ AIRModelSchema,
436
+ AIRPIIFilterConfigSchema,
437
+ AIRPolicySourceSchema,
438
+ AIRRegionSchema,
439
+ AIRRegistryConstraintsSchema,
440
+ AIRRuntimeConstraintsSchema,
441
+ AIRSchema,
442
+ AIRToxicityFilterConfigSchema,
443
+ AIRVendorSchema,
444
+ createEmptyAIR,
445
+ isModelAllowed,
446
+ isRegionAllowed,
447
+ isVendorAllowed,
448
+ validateAIR
449
+ });
450
+ //# sourceMappingURL=index.js.map
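Review bot: In `isModelAllowed`, the `version_pattern` fallback returns `allowed: true` for any entry whose `status` is `"approved"` without the `expires_at` comparison that the exact-id branch above it performs, so a lapsed approval keeps authorising every model id the wildcard covers. The same guard belongs before that return, e.g. `if (matchingModel.expires_at && new Date(matchingModel.expires_at) < new Date()) return { allowed: false, reason: "Model approval has expired", requiresApproval: true };`. Separately, `matchesPattern` understands only a single leading or trailing `*`, so a `blocked_models` entry shaped like `*foo*` or `a*b` (constructed examples) is compared almost literally and the block list fails open without any error; rejecting unsupported wildcard shapes when the registry is validated would make the mistake visible. `isRegionAllowed` also reports `allowed: true` for `restricted` regions and carries the approval requirement only in the `reason` string, whereas the vendor and model checks expose a `requiresApproval` flag, so a caller that tests only `allowed` will treat a restricted region as cleared.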
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/air/index.ts"],"sourcesContent":["/**\n * AIGRC Intermediate Representation (AIR)\n *\n * The AIR is a JSON/YAML schema that represents compiled policy constraints\n * in a format consumable by enforcement endpoints. It is the output of the\n * Policy Compiler and the input to the Supply Chain Firewall.\n *\n * @see I2E_Engine_Specification_v1.md Section 4.2.2\n * @module @aigrc/core/air\n */\n\nimport { z } from \"zod\";\n\n// ─────────────────────────────────────────────────────────────────\n// VENDOR SCHEMA\n// Defines an approved/blocked AI vendor\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRVendorSchema = z.object({\n /** Vendor identifier (e.g., \"openai\", \"anthropic\", \"google\") */\n id: z.string().min(1),\n /** Human-readable vendor name */\n name: z.string().optional(),\n /** Status of this vendor */\n status: z.enum([\"approved\", \"pending\", \"blocked\"]).default(\"pending\"),\n /** Optional approval ticket ID (Golden Thread) */\n approval_ticket: z.string().optional(),\n /** When approval was granted */\n approved_at: z.string().datetime().optional(),\n /** Who approved this vendor */\n approved_by: z.string().email().optional(),\n /** Expiration date for approval */\n expires_at: z.string().datetime().optional(),\n /** Vendor-specific notes */\n notes: z.string().optional(),\n});\n\nexport type AIRVendor = z.infer<typeof AIRVendorSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// MODEL SCHEMA\n// Defines an approved/blocked AI model\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRModelSchema = z.object({\n /** Model identifier (e.g., \"gpt-4\", \"claude-3-opus\") */\n id: z.string().min(1),\n /** Vendor that provides this model */\n vendor_id: z.string().min(1),\n /** Human-readable model name */\n name: z.string().optional(),\n /** Model version pattern (supports wildcards like \"gpt-4*\") 
*/\n version_pattern: z.string().optional(),\n /** Status of this model */\n status: z.enum([\"approved\", \"pending\", \"blocked\"]).default(\"pending\"),\n /** Maximum allowed parameters (for on-premise deployment considerations) */\n max_parameters: z.number().positive().optional(),\n /** Risk level assigned to this model */\n risk_level: z.enum([\"minimal\", \"limited\", \"high\", \"unacceptable\"]).optional(),\n /** Optional approval ticket ID */\n approval_ticket: z.string().optional(),\n /** When approval was granted */\n approved_at: z.string().datetime().optional(),\n /** Expiration date for approval */\n expires_at: z.string().datetime().optional(),\n /** Model-specific notes */\n notes: z.string().optional(),\n});\n\nexport type AIRModel = z.infer<typeof AIRModelSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// REGION SCHEMA\n// Defines allowed/blocked deployment regions\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRRegionSchema = z.object({\n /** Region code (e.g., \"us-east-1\", \"eu-west-1\", \"EU\", \"US\") */\n code: z.string().min(1),\n /** Human-readable region name */\n name: z.string().optional(),\n /** Status of this region */\n status: z.enum([\"allowed\", \"restricted\", \"blocked\"]).default(\"allowed\"),\n /** Jurisdictions this region falls under (e.g., [\"GDPR\", \"EU-AI-ACT\"]) */\n jurisdictions: z.array(z.string()).default([]),\n /** Data residency requirements */\n data_residency: z.enum([\"required\", \"preferred\", \"none\"]).default(\"none\"),\n /** Notes about this region */\n notes: z.string().optional(),\n});\n\nexport type AIRRegion = z.infer<typeof AIRRegionSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// REGISTRY CONSTRAINTS SCHEMA\n// Controls vendor/model/region governance at procurement time\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRRegistryConstraintsSchema = 
z.object({\n /** List of approved vendors */\n allowed_vendors: z.array(AIRVendorSchema).default([]),\n /** List of blocked vendors */\n blocked_vendors: z.array(z.string()).default([]),\n /** List of approved regions */\n allowed_regions: z.array(AIRRegionSchema).default([]),\n /** List of blocked regions */\n blocked_regions: z.array(z.string()).default([]),\n /** List of approved models */\n allowed_models: z.array(AIRModelSchema).default([]),\n /** List of blocked models (patterns supported) */\n blocked_models: z.array(z.string()).default([]),\n /** Maximum model parameters allowed */\n max_model_parameters: z.number().positive().optional(),\n /** Require vendor approval before use */\n require_vendor_approval: z.boolean().default(true),\n /** Require model approval before use */\n require_model_approval: z.boolean().default(true),\n /** Default behavior for unknown vendors: \"block\" or \"request_approval\" */\n unknown_vendor_behavior: z.enum([\"block\", \"request_approval\"]).default(\"request_approval\"),\n /** Default behavior for unknown models */\n unknown_model_behavior: z.enum([\"block\", \"request_approval\"]).default(\"request_approval\"),\n});\n\nexport type AIRRegistryConstraints = z.infer<typeof AIRRegistryConstraintsSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// RUNTIME CONSTRAINTS SCHEMA\n// Controls runtime behavior of AI systems\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRPIIFilterConfigSchema = z.object({\n /** Whether PII filtering is enabled */\n enabled: z.boolean().default(false),\n /** PII types to filter (e.g., [\"email\", \"phone\", \"ssn\", \"credit_card\"]) */\n filter_types: z.array(z.string()).default([]),\n /** Action when PII is detected: \"redact\", \"block\", \"warn\", \"audit\" */\n action: z.enum([\"redact\", \"block\", \"warn\", \"audit\"]).default(\"warn\"),\n /** Custom patterns to detect (regex) */\n custom_patterns: z.array(z.object({\n 
name: z.string(),\n pattern: z.string(),\n action: z.enum([\"redact\", \"block\", \"warn\", \"audit\"]).optional(),\n })).default([]),\n});\n\nexport type AIRPIIFilterConfig = z.infer<typeof AIRPIIFilterConfigSchema>;\n\nexport const AIRToxicityFilterConfigSchema = z.object({\n /** Whether toxicity filtering is enabled */\n enabled: z.boolean().default(false),\n /** Toxicity threshold (0-1) */\n threshold: z.number().min(0).max(1).default(0.7),\n /** Categories to filter (e.g., [\"hate\", \"violence\", \"sexual\"]) */\n categories: z.array(z.string()).default([]),\n /** Action when toxicity is detected */\n action: z.enum([\"block\", \"warn\", \"audit\"]).default(\"warn\"),\n});\n\nexport type AIRToxicityFilterConfig = z.infer<typeof AIRToxicityFilterConfigSchema>;\n\nexport const AIRRuntimeConstraintsSchema = z.object({\n /** PII filtering configuration */\n pii_filter: AIRPIIFilterConfigSchema.optional(),\n /** Toxicity filtering configuration */\n toxicity_filter: AIRToxicityFilterConfigSchema.optional(),\n /** Data retention period in days (0 = no retention) */\n data_retention_days: z.number().int().min(0).default(90),\n /** Whether to enable output watermarking */\n watermark_enabled: z.boolean().default(false),\n /** Logging level: \"none\", \"errors\", \"all\" */\n logging_level: z.enum([\"none\", \"errors\", \"all\"]).default(\"all\"),\n /** Maximum tokens per request */\n max_tokens_per_request: z.number().int().positive().optional(),\n /** Maximum requests per minute */\n max_requests_per_minute: z.number().int().positive().optional(),\n /** Maximum cost per request in USD */\n max_cost_per_request_usd: z.number().positive().optional(),\n /** Maximum cost per day in USD */\n max_cost_per_day_usd: z.number().positive().optional(),\n /** Session timeout in seconds */\n session_timeout_seconds: z.number().int().positive().optional(),\n /** Require human approval for specific actions */\n human_approval_required: z.array(z.string()).default([]),\n /** Kill 
switch configuration */\n kill_switch: z.object({\n enabled: z.boolean().default(true),\n channel: z.enum([\"sse\", \"polling\", \"file\"]).default(\"sse\"),\n poll_interval_ms: z.number().int().positive().default(5000),\n }).optional(),\n /** Grounding check configuration (prevent hallucination) */\n grounding_check: z.object({\n enabled: z.boolean().default(false),\n confidence_threshold: z.number().min(0).max(1).default(0.8),\n action: z.enum([\"block\", \"warn\", \"audit\"]).default(\"warn\"),\n }).optional(),\n});\n\nexport type AIRRuntimeConstraints = z.infer<typeof AIRRuntimeConstraintsSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// BUILD CONSTRAINTS SCHEMA\n// Controls CI/CD and build-time governance\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRBuildConstraintsSchema = z.object({\n /** Require Golden Thread linkage (business justification) */\n require_golden_thread: z.boolean().default(true),\n /** Require asset card for all AI assets */\n require_asset_card: z.boolean().default(true),\n /** Require risk classification */\n require_risk_classification: z.boolean().default(true),\n /** Require model card documentation */\n require_model_card: z.boolean().default(false),\n /** Require security review for high-risk assets */\n require_security_review: z.boolean().default(false),\n /** Minimum risk levels that require security review */\n security_review_risk_levels: z.array(z.enum([\"high\", \"unacceptable\"])).default([\"high\", \"unacceptable\"]),\n /** Require governance.lock file */\n require_governance_lock: z.boolean().default(true),\n /** governance.lock must be signed */\n require_lock_signature: z.boolean().default(false),\n /** Block merge on validation failure */\n block_on_failure: z.boolean().default(true),\n /** Generate SARIF report for GitHub Security tab */\n generate_sarif: z.boolean().default(true),\n /** Required approvals before deployment */\n 
required_approvals: z.array(z.object({\n role: z.string(),\n count: z.number().int().positive().default(1),\n })).default([]),\n /** Allowed deployment environments */\n allowed_environments: z.array(z.string()).default([\"development\", \"staging\", \"production\"]),\n /** Environment-specific constraints */\n environment_constraints: z.record(z.object({\n require_approval: z.boolean().default(false),\n approvers: z.array(z.string()).default([]),\n require_testing: z.boolean().default(false),\n test_coverage_threshold: z.number().min(0).max(100).optional(),\n })).optional(),\n});\n\nexport type AIRBuildConstraints = z.infer<typeof AIRBuildConstraintsSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// POLICY SOURCE SCHEMA\n// References to source policy documents\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRPolicySourceSchema = z.object({\n /** Unique identifier for this source */\n id: z.string().min(1),\n /** Type of source: \"pdf\", \"url\", \"confluence\", \"jira\", \"manual\" */\n type: z.enum([\"pdf\", \"url\", \"confluence\", \"jira\", \"manual\"]),\n /** URI to the source document */\n uri: z.string(),\n /** SHA-256 hash of the source content */\n content_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),\n /** When the source was last fetched */\n fetched_at: z.string().datetime(),\n /** Title of the policy document */\n title: z.string().optional(),\n /** Version of the policy document */\n version: z.string().optional(),\n /** Confidence score of extraction (0-1) */\n extraction_confidence: z.number().min(0).max(1).optional(),\n});\n\nexport type AIRPolicySource = z.infer<typeof AIRPolicySourceSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// AIR METADATA SCHEMA\n// Metadata about the AIR compilation\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRMetadataSchema = z.object({\n /** When this AIR was 
generated */\n generated_at: z.string().datetime(),\n /** Tool/system that generated this AIR */\n generated_by: z.string().default(\"aigrc-policy-compiler\"),\n /** Version of the policy compiler */\n compiler_version: z.string(),\n /** Organization this AIR belongs to */\n organization: z.string().optional(),\n /** Environment this AIR is for (e.g., \"production\", \"staging\") */\n environment: z.string().optional(),\n /** Human-readable description */\n description: z.string().optional(),\n /** Tags for categorization */\n tags: z.array(z.string()).default([]),\n /** Custom metadata fields */\n custom: z.record(z.unknown()).optional(),\n});\n\nexport type AIRMetadata = z.infer<typeof AIRMetadataSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// AIGRC INTERMEDIATE REPRESENTATION (AIR) SCHEMA\n// The complete AIR document format\n// ─────────────────────────────────────────────────────────────────\n\nexport const AIRSchema = z.object({\n /** Schema version for forward compatibility */\n version: z.literal(\"1.0\"),\n /** Unique identifier for this AIR */\n id: z.string().uuid(),\n /** Human-readable name */\n name: z.string().min(1).max(200),\n /** SHA-256 hash of this AIR (computed after serialization) */\n hash: z.string().regex(/^sha256:[a-f0-9]{64}$/).optional(),\n /** Policy sources that contributed to this AIR */\n policy_sources: z.array(AIRPolicySourceSchema).default([]),\n /** Registry constraints (vendor/model/region governance) */\n registry: AIRRegistryConstraintsSchema.default({}),\n /** Runtime constraints (execution-time governance) */\n runtime: AIRRuntimeConstraintsSchema.default({}),\n /** Build constraints (CI/CD governance) */\n build: AIRBuildConstraintsSchema.default({}),\n /** Metadata about this AIR */\n metadata: AIRMetadataSchema,\n /** When this AIR expires (forces re-compilation) */\n expires_at: z.string().datetime().optional(),\n /** Digital signatures for verification */\n signatures: 
z.array(z.object({\n /** Signer identity (email or system ID) */\n signer: z.string(),\n /** Algorithm used (RS256, ES256) */\n algorithm: z.enum([\"RS256\", \"ES256\"]),\n /** Base64-encoded signature */\n signature: z.string(),\n /** When the signature was created */\n signed_at: z.string().datetime(),\n /** Key ID for verification */\n key_id: z.string().optional(),\n })).default([]),\n});\n\nexport type AIR = z.infer<typeof AIRSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// HELPER FUNCTIONS\n// ─────────────────────────────────────────────────────────────────\n\n/**\n * Creates an empty AIR with default values\n */\nexport function createEmptyAIR(name: string, compilerVersion: string = \"1.0.0\"): AIR {\n return {\n version: \"1.0\",\n id: crypto.randomUUID(),\n name,\n policy_sources: [],\n registry: {\n allowed_vendors: [],\n blocked_vendors: [],\n allowed_regions: [],\n blocked_regions: [],\n allowed_models: [],\n blocked_models: [],\n require_vendor_approval: true,\n require_model_approval: true,\n unknown_vendor_behavior: \"request_approval\",\n unknown_model_behavior: \"request_approval\",\n },\n runtime: {\n data_retention_days: 90,\n watermark_enabled: false,\n logging_level: \"all\",\n human_approval_required: [],\n },\n build: {\n require_golden_thread: true,\n require_asset_card: true,\n require_risk_classification: true,\n require_model_card: false,\n require_security_review: false,\n security_review_risk_levels: [\"high\", \"unacceptable\"],\n require_governance_lock: true,\n require_lock_signature: false,\n block_on_failure: true,\n generate_sarif: true,\n required_approvals: [],\n allowed_environments: [\"development\", \"staging\", \"production\"],\n },\n metadata: {\n generated_at: new Date().toISOString(),\n generated_by: \"aigrc-policy-compiler\",\n compiler_version: compilerVersion,\n tags: [],\n },\n signatures: [],\n };\n}\n\n/**\n * Validates an AIR document\n */\nexport function validateAIR(air: 
unknown): { valid: boolean; errors: string[] } {\n const result = AIRSchema.safeParse(air);\n if (result.success) {\n return { valid: true, errors: [] };\n }\n return {\n valid: false,\n errors: result.error.errors.map(e => `${e.path.join(\".\")}: ${e.message}`),\n };\n}\n\n/**\n * Checks if a vendor is allowed by registry constraints\n */\nexport function isVendorAllowed(vendorId: string, registry: AIRRegistryConstraints): {\n allowed: boolean;\n reason: string;\n requiresApproval: boolean;\n} {\n // Check blocked list first\n if (registry.blocked_vendors.includes(vendorId)) {\n return { allowed: false, reason: \"Vendor is blocked\", requiresApproval: false };\n }\n\n // Check allowed list\n const allowedVendor = registry.allowed_vendors.find(v => v.id === vendorId);\n if (allowedVendor) {\n if (allowedVendor.status === \"approved\") {\n // Check expiration\n if (allowedVendor.expires_at && new Date(allowedVendor.expires_at) < new Date()) {\n return { allowed: false, reason: \"Vendor approval has expired\", requiresApproval: true };\n }\n return { allowed: true, reason: \"Vendor is approved\", requiresApproval: false };\n }\n if (allowedVendor.status === \"pending\") {\n return { allowed: false, reason: \"Vendor approval is pending\", requiresApproval: true };\n }\n return { allowed: false, reason: \"Vendor is blocked\", requiresApproval: false };\n }\n\n // Unknown vendor\n if (registry.unknown_vendor_behavior === \"block\") {\n return { allowed: false, reason: \"Unknown vendor (blocked by policy)\", requiresApproval: false };\n }\n return { allowed: false, reason: \"Unknown vendor (requires approval)\", requiresApproval: true };\n}\n\n/**\n * Checks if a model is allowed by registry constraints\n */\nexport function isModelAllowed(modelId: string, vendorId: string, registry: AIRRegistryConstraints): {\n allowed: boolean;\n reason: string;\n requiresApproval: boolean;\n} {\n // Check blocked models first (supports patterns)\n for (const pattern of 
registry.blocked_models) {\n if (matchesPattern(modelId, pattern)) {\n return { allowed: false, reason: `Model matches blocked pattern: ${pattern}`, requiresApproval: false };\n }\n }\n\n // Check allowed models\n const allowedModel = registry.allowed_models.find(m =>\n m.id === modelId && m.vendor_id === vendorId\n );\n if (allowedModel) {\n if (allowedModel.status === \"approved\") {\n if (allowedModel.expires_at && new Date(allowedModel.expires_at) < new Date()) {\n return { allowed: false, reason: \"Model approval has expired\", requiresApproval: true };\n }\n return { allowed: true, reason: \"Model is approved\", requiresApproval: false };\n }\n if (allowedModel.status === \"pending\") {\n return { allowed: false, reason: \"Model approval is pending\", requiresApproval: true };\n }\n return { allowed: false, reason: \"Model is blocked\", requiresApproval: false };\n }\n\n // Check version patterns for allowed models\n const matchingModel = registry.allowed_models.find(m =>\n m.vendor_id === vendorId &&\n m.version_pattern &&\n matchesPattern(modelId, m.version_pattern)\n );\n if (matchingModel && matchingModel.status === \"approved\") {\n return { allowed: true, reason: `Model matches approved pattern: ${matchingModel.version_pattern}`, requiresApproval: false };\n }\n\n // Unknown model\n if (registry.unknown_model_behavior === \"block\") {\n return { allowed: false, reason: \"Unknown model (blocked by policy)\", requiresApproval: false };\n }\n return { allowed: false, reason: \"Unknown model (requires approval)\", requiresApproval: true };\n}\n\n/**\n * Checks if a region is allowed by registry constraints\n */\nexport function isRegionAllowed(regionCode: string, registry: AIRRegistryConstraints): {\n allowed: boolean;\n reason: string;\n dataResidency: \"required\" | \"preferred\" | \"none\";\n} {\n // Check blocked regions first\n if (registry.blocked_regions.includes(regionCode)) {\n return { allowed: false, reason: \"Region is blocked\", dataResidency: 
\"none\" };\n }\n\n // Check allowed regions\n const allowedRegion = registry.allowed_regions.find(r => r.code === regionCode);\n if (allowedRegion) {\n if (allowedRegion.status === \"blocked\") {\n return { allowed: false, reason: \"Region is blocked\", dataResidency: \"none\" };\n }\n if (allowedRegion.status === \"restricted\") {\n return { allowed: true, reason: \"Region is restricted (requires approval)\", dataResidency: allowedRegion.data_residency };\n }\n return { allowed: true, reason: \"Region is allowed\", dataResidency: allowedRegion.data_residency };\n }\n\n // If no regions are explicitly allowed, allow all (except blocked)\n if (registry.allowed_regions.length === 0) {\n return { allowed: true, reason: \"No region restrictions\", dataResidency: \"none\" };\n }\n\n // Region not in allowed list\n return { allowed: false, reason: \"Region not in allowed list\", dataResidency: \"none\" };\n}\n\n/**\n * Simple pattern matching (supports wildcards)\n */\nfunction matchesPattern(value: string, pattern: string): boolean {\n if (pattern === \"*\") {\n return true;\n }\n if (pattern.endsWith(\"*\")) {\n return value.startsWith(pattern.slice(0, -1));\n }\n if (pattern.startsWith(\"*\")) {\n return value.endsWith(pattern.slice(1));\n }\n return value === 
pattern;\n}\n\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAWA,iBAAkB;AAOX,IAAM,kBAAkB,aAAE,OAAO;AAAA;AAAA,EAEtC,IAAI,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEpB,MAAM,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE1B,QAAQ,aAAE,KAAK,CAAC,YAAY,WAAW,SAAS,CAAC,EAAE,QAAQ,SAAS;AAAA;AAAA,EAEpE,iBAAiB,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAErC,aAAa,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE5C,aAAa,aAAE,OAAO,EAAE,MAAM,EAAE,SAAS;AAAA;AAAA,EAEzC,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE3C,OAAO,aAAE,OAAO,EAAE,SAAS;AAC7B,CAAC;AASM,IAAM,iBAAiB,aAAE,OAAO;AAAA;AAAA,EAErC,IAAI,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEpB,WAAW,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAE3B,MAAM,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE1B,iBAAiB,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAErC,QAAQ,aAAE,KAAK,CAAC,YAAY,WAAW,SAAS,CAAC,EAAE,QAAQ,SAAS;AAAA;AAAA,EAEpE,gBAAgB,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE/C,YAAY,aAAE,KAAK,CAAC,WAAW,WAAW,QAAQ,cAAc,CAAC,EAAE,SAAS;AAAA;AAAA,EAE5E,iBAAiB,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAErC,aAAa,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE5C,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE3C,OAAO,aAAE,OAAO,EAAE,SAAS;AAC7B,CAAC;AASM,IAAM,kBAAkB,aAAE,OAAO;AAAA;AAAA,EAEtC,MAAM,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEtB,MAAM,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE1B,QAAQ,aAAE,KAAK,CAAC,WAAW,cAAc,SAAS,CAAC,EAAE,QAAQ,SAAS;AAAA;AAAA,EAEtE,eAAe,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE7C,gBAAgB,aAAE,KAAK,CAAC,YAAY,aAAa,MAAM,CAAC,EAAE,QAAQ,MAAM;AAAA;AAAA,EAExE,OAAO,aAAE,OAAO,EAAE,SAAS;AAC7B,CAAC;AASM,IAAM,+BAA+B,aAAE,OAAO;AAAA;AAAA,EAEnD,iBAAiB,aAAE,MAAM,eAAe,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEpD,iBAAiB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE/C,iBAAiB,aAAE,MAAM,eAAe,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEpD,iBAAiB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE/C,gBAAgB,aAAE,MAAM,cAAc,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAElD,gBAAgB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE9C,sBAAsB,aAAE,O
AAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAErD,yBAAyB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAEjD,wBAAwB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAEhD,yBAAyB,aAAE,KAAK,CAAC,SAAS,kBAAkB,CAAC,EAAE,QAAQ,kBAAkB;AAAA;AAAA,EAEzF,wBAAwB,aAAE,KAAK,CAAC,SAAS,kBAAkB,CAAC,EAAE,QAAQ,kBAAkB;AAC1F,CAAC;AASM,IAAM,2BAA2B,aAAE,OAAO;AAAA;AAAA,EAE/C,SAAS,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAElC,cAAc,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE5C,QAAQ,aAAE,KAAK,CAAC,UAAU,SAAS,QAAQ,OAAO,CAAC,EAAE,QAAQ,MAAM;AAAA;AAAA,EAEnE,iBAAiB,aAAE,MAAM,aAAE,OAAO;AAAA,IAChC,MAAM,aAAE,OAAO;AAAA,IACf,SAAS,aAAE,OAAO;AAAA,IAClB,QAAQ,aAAE,KAAK,CAAC,UAAU,SAAS,QAAQ,OAAO,CAAC,EAAE,SAAS;AAAA,EAChE,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAChB,CAAC;AAIM,IAAM,gCAAgC,aAAE,OAAO;AAAA;AAAA,EAEpD,SAAS,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAElC,WAAW,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAAA;AAAA,EAE/C,YAAY,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE1C,QAAQ,aAAE,KAAK,CAAC,SAAS,QAAQ,OAAO,CAAC,EAAE,QAAQ,MAAM;AAC3D,CAAC;AAIM,IAAM,8BAA8B,aAAE,OAAO;AAAA;AAAA,EAElD,YAAY,yBAAyB,SAAS;AAAA;AAAA,EAE9C,iBAAiB,8BAA8B,SAAS;AAAA;AAAA,EAExD,qBAAqB,aAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE;AAAA;AAAA,EAEvD,mBAAmB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE5C,eAAe,aAAE,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE9D,wBAAwB,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE7D,yBAAyB,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE9D,0BAA0B,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAEzD,sBAAsB,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAErD,yBAAyB,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE9D,yBAAyB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEvD,aAAa,aAAE,OAAO;AAAA,IACpB,SAAS,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,IACjC,SAAS,aAAE,KAAK,CAAC,OAAO,WAAW,MAAM,CAAC,EAAE,QAAQ,KAAK;AAAA,IACzD,kBAAkB,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,GAAI;AAAA,EAC5D,CAAC,EAAE,SAAS;AAAA;AAAA,EAEZ,iBAAiB,aAAE,OAAO;AAAA,IACxB,SAAS,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,IAClC,sBAAsB,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAA
I,CAAC,EAAE,QAAQ,GAAG;AAAA,IAC1D,QAAQ,aAAE,KAAK,CAAC,SAAS,QAAQ,OAAO,CAAC,EAAE,QAAQ,MAAM;AAAA,EAC3D,CAAC,EAAE,SAAS;AACd,CAAC;AASM,IAAM,4BAA4B,aAAE,OAAO;AAAA;AAAA,EAEhD,uBAAuB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE/C,oBAAoB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE5C,6BAA6B,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAErD,oBAAoB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE7C,yBAAyB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAElD,6BAA6B,aAAE,MAAM,aAAE,KAAK,CAAC,QAAQ,cAAc,CAAC,CAAC,EAAE,QAAQ,CAAC,QAAQ,cAAc,CAAC;AAAA;AAAA,EAEvG,yBAAyB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAEjD,wBAAwB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAEjD,kBAAkB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE1C,gBAAgB,aAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAExC,oBAAoB,aAAE,MAAM,aAAE,OAAO;AAAA,IACnC,MAAM,aAAE,OAAO;AAAA,IACf,OAAO,aAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC;AAAA,EAC9C,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEd,sBAAsB,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,eAAe,WAAW,YAAY,CAAC;AAAA;AAAA,EAE1F,yBAAyB,aAAE,OAAO,aAAE,OAAO;AAAA,IACzC,kBAAkB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,IAC3C,WAAW,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA,IACzC,iBAAiB,aAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA,IAC1C,yBAAyB,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC/D,CAAC,CAAC,EAAE,SAAS;AACf,CAAC;AASM,IAAM,wBAAwB,aAAE,OAAO;AAAA;AAAA,EAE5C,IAAI,aAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEpB,MAAM,aAAE,KAAK,CAAC,OAAO,OAAO,cAAc,QAAQ,QAAQ,CAAC;AAAA;AAAA,EAE3D,KAAK,aAAE,OAAO;AAAA;AAAA,EAEd,cAAc,aAAE,OAAO,EAAE,MAAM,uBAAuB;AAAA;AAAA,EAEtD,YAAY,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEhC,OAAO,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE3B,SAAS,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE7B,uBAAuB,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS;AAC3D,CAAC;AASM,IAAM,oBAAoB,aAAE,OAAO;AAAA;AAAA,EAExC,cAAc,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAElC,cAAc,aAAE,OAAO,EAAE,QAAQ,uBAAuB;AAAA;AAAA,EAExD,kBAAkB,aAAE,OAAO;AAAA;AAAA,EAE3B,cAAc,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAElC,aAAa,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEjC,aAAa,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEjC,MAAM,aAAE,MAAM,aAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;A
AAA,EAEpC,QAAQ,aAAE,OAAO,aAAE,QAAQ,CAAC,EAAE,SAAS;AACzC,CAAC;AASM,IAAM,YAAY,aAAE,OAAO;AAAA;AAAA,EAEhC,SAAS,aAAE,QAAQ,KAAK;AAAA;AAAA,EAExB,IAAI,aAAE,OAAO,EAAE,KAAK;AAAA;AAAA,EAEpB,MAAM,aAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG;AAAA;AAAA,EAE/B,MAAM,aAAE,OAAO,EAAE,MAAM,uBAAuB,EAAE,SAAS;AAAA;AAAA,EAEzD,gBAAgB,aAAE,MAAM,qBAAqB,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEzD,UAAU,6BAA6B,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEjD,SAAS,4BAA4B,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE/C,OAAO,0BAA0B,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE3C,UAAU;AAAA;AAAA,EAEV,YAAY,aAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE3C,YAAY,aAAE,MAAM,aAAE,OAAO;AAAA;AAAA,IAE3B,QAAQ,aAAE,OAAO;AAAA;AAAA,IAEjB,WAAW,aAAE,KAAK,CAAC,SAAS,OAAO,CAAC;AAAA;AAAA,IAEpC,WAAW,aAAE,OAAO;AAAA;AAAA,IAEpB,WAAW,aAAE,OAAO,EAAE,SAAS;AAAA;AAAA,IAE/B,QAAQ,aAAE,OAAO,EAAE,SAAS;AAAA,EAC9B,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC;AAChB,CAAC;AAWM,SAAS,eAAe,MAAc,kBAA0B,SAAc;AACnF,SAAO;AAAA,IACL,SAAS;AAAA,IACT,IAAI,OAAO,WAAW;AAAA,IACtB;AAAA,IACA,gBAAgB,CAAC;AAAA,IACjB,UAAU;AAAA,MACR,iBAAiB,CAAC;AAAA,MAClB,iBAAiB,CAAC;AAAA,MAClB,iBAAiB,CAAC;AAAA,MAClB,iBAAiB,CAAC;AAAA,MAClB,gBAAgB,CAAC;AAAA,MACjB,gBAAgB,CAAC;AAAA,MACjB,yBAAyB;AAAA,MACzB,wBAAwB;AAAA,MACxB,yBAAyB;AAAA,MACzB,wBAAwB;AAAA,IAC1B;AAAA,IACA,SAAS;AAAA,MACP,qBAAqB;AAAA,MACrB,mBAAmB;AAAA,MACnB,eAAe;AAAA,MACf,yBAAyB,CAAC;AAAA,IAC5B;AAAA,IACA,OAAO;AAAA,MACL,uBAAuB;AAAA,MACvB,oBAAoB;AAAA,MACpB,6BAA6B;AAAA,MAC7B,oBAAoB;AAAA,MACpB,yBAAyB;AAAA,MACzB,6BAA6B,CAAC,QAAQ,cAAc;AAAA,MACpD,yBAAyB;AAAA,MACzB,wBAAwB;AAAA,MACxB,kBAAkB;AAAA,MAClB,gBAAgB;AAAA,MAChB,oBAAoB,CAAC;AAAA,MACrB,sBAAsB,CAAC,eAAe,WAAW,YAAY;AAAA,IAC/D;AAAA,IACA,UAAU;AAAA,MACR,eAAc,oBAAI,KAAK,GAAE,YAAY;AAAA,MACrC,cAAc;AAAA,MACd,kBAAkB;AAAA,MAClB,MAAM,CAAC;AAAA,IACT;AAAA,IACA,YAAY,CAAC;AAAA,EACf;AACF;AAKO,SAAS,YAAY,KAAoD;AAC9E,QAAM,SAAS,UAAU,UAAU,GAAG;AACtC,MAAI,OAAO,SAAS;AAClB,WAAO,EAAE,OAAO,MAAM,QAAQ,CAAC,EAAE;AAAA,EACnC;AACA,SAAO;AAAA,IACL,OAAO;AAAA,IACP,QAAQ,OAAO,MAAM,OAAO,IAAI,OAAK,GAAG,EAAE,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE;AAAA,EAC1E;AACF;AAKO,SAAS,gBAAgB,UAAkB,UAIhD;AAE
A,MAAI,SAAS,gBAAgB,SAAS,QAAQ,GAAG;AAC/C,WAAO,EAAE,SAAS,OAAO,QAAQ,qBAAqB,kBAAkB,MAAM;AAAA,EAChF;AAGA,QAAM,gBAAgB,SAAS,gBAAgB,KAAK,OAAK,EAAE,OAAO,QAAQ;AAC1E,MAAI,eAAe;AACjB,QAAI,cAAc,WAAW,YAAY;AAEvC,UAAI,cAAc,cAAc,IAAI,KAAK,cAAc,UAAU,IAAI,oBAAI,KAAK,GAAG;AAC/E,eAAO,EAAE,SAAS,OAAO,QAAQ,+BAA+B,kBAAkB,KAAK;AAAA,MACzF;AACA,aAAO,EAAE,SAAS,MAAM,QAAQ,sBAAsB,kBAAkB,MAAM;AAAA,IAChF;AACA,QAAI,cAAc,WAAW,WAAW;AACtC,aAAO,EAAE,SAAS,OAAO,QAAQ,8BAA8B,kBAAkB,KAAK;AAAA,IACxF;AACA,WAAO,EAAE,SAAS,OAAO,QAAQ,qBAAqB,kBAAkB,MAAM;AAAA,EAChF;AAGA,MAAI,SAAS,4BAA4B,SAAS;AAChD,WAAO,EAAE,SAAS,OAAO,QAAQ,sCAAsC,kBAAkB,MAAM;AAAA,EACjG;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,sCAAsC,kBAAkB,KAAK;AAChG;AAKO,SAAS,eAAe,SAAiB,UAAkB,UAIhE;AAEA,aAAW,WAAW,SAAS,gBAAgB;AAC7C,QAAI,eAAe,SAAS,OAAO,GAAG;AACpC,aAAO,EAAE,SAAS,OAAO,QAAQ,kCAAkC,OAAO,IAAI,kBAAkB,MAAM;AAAA,IACxG;AAAA,EACF;AAGA,QAAM,eAAe,SAAS,eAAe;AAAA,IAAK,OAChD,EAAE,OAAO,WAAW,EAAE,cAAc;AAAA,EACtC;AACA,MAAI,cAAc;AAChB,QAAI,aAAa,WAAW,YAAY;AACtC,UAAI,aAAa,cAAc,IAAI,KAAK,aAAa,UAAU,IAAI,oBAAI,KAAK,GAAG;AAC7E,eAAO,EAAE,SAAS,OAAO,QAAQ,8BAA8B,kBAAkB,KAAK;AAAA,MACxF;AACA,aAAO,EAAE,SAAS,MAAM,QAAQ,qBAAqB,kBAAkB,MAAM;AAAA,IAC/E;AACA,QAAI,aAAa,WAAW,WAAW;AACrC,aAAO,EAAE,SAAS,OAAO,QAAQ,6BAA6B,kBAAkB,KAAK;AAAA,IACvF;AACA,WAAO,EAAE,SAAS,OAAO,QAAQ,oBAAoB,kBAAkB,MAAM;AAAA,EAC/E;AAGA,QAAM,gBAAgB,SAAS,eAAe;AAAA,IAAK,OACjD,EAAE,cAAc,YAChB,EAAE,mBACF,eAAe,SAAS,EAAE,eAAe;AAAA,EAC3C;AACA,MAAI,iBAAiB,cAAc,WAAW,YAAY;AACxD,WAAO,EAAE,SAAS,MAAM,QAAQ,mCAAmC,cAAc,eAAe,IAAI,kBAAkB,MAAM;AAAA,EAC9H;AAGA,MAAI,SAAS,2BAA2B,SAAS;AAC/C,WAAO,EAAE,SAAS,OAAO,QAAQ,qCAAqC,kBAAkB,MAAM;AAAA,EAChG;AACA,SAAO,EAAE,SAAS,OAAO,QAAQ,qCAAqC,kBAAkB,KAAK;AAC/F;AAKO,SAAS,gBAAgB,YAAoB,UAIlD;AAEA,MAAI,SAAS,gBAAgB,SAAS,UAAU,GAAG;AACjD,WAAO,EAAE,SAAS,OAAO,QAAQ,qBAAqB,eAAe,OAAO;AAAA,EAC9E;AAGA,QAAM,gBAAgB,SAAS,gBAAgB,KAAK,OAAK,EAAE,SAAS,UAAU;AAC9E,MAAI,eAAe;AACjB,QAAI,cAAc,WAAW,WAAW;AACtC,aAAO,EAAE,SAAS,OAAO,QAAQ,qBAAqB,eAAe,OAAO;AAAA,IAC9E;AACA,QAAI,cAAc,WAAW,cAAc;AACzC,aAAO,EAAE,SAAS,MAAM,QAAQ,4CAA4C,eAAe,cAAc,eAAe;AAAA,IAC
1H;AACA,WAAO,EAAE,SAAS,MAAM,QAAQ,qBAAqB,eAAe,cAAc,eAAe;AAAA,EACnG;AAGA,MAAI,SAAS,gBAAgB,WAAW,GAAG;AACzC,WAAO,EAAE,SAAS,MAAM,QAAQ,0BAA0B,eAAe,OAAO;AAAA,EAClF;AAGA,SAAO,EAAE,SAAS,OAAO,QAAQ,8BAA8B,eAAe,OAAO;AACvF;AAKA,SAAS,eAAe,OAAe,SAA0B;AAC/D,MAAI,YAAY,KAAK;AACnB,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,WAAO,MAAM,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,EAC9C;AACA,MAAI,QAAQ,WAAW,GAAG,GAAG;AAC3B,WAAO,MAAM,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA,EACxC;AACA,SAAO,UAAU;AACnB;","names":[]}