@aigrc/core 0.1.0 → 0.2.0

package/dist/governance-lock/index.mjs

@@ -0,0 +1,389 @@
+// src/governance-lock/index.ts
+import { z } from "zod";
+import * as yaml from "yaml";
+var GovernanceLockSignatureSchema = z.object({
+  /** Signer identity (email or system ID) */
+  signer: z.string().min(1),
+  /** Role of the signer (e.g., "CISO", "PolicyOwner", "SecurityLead") */
+  role: z.string().optional(),
+  /** Algorithm used: RS256 (RSA-SHA256) or ES256 (ECDSA-P256) */
+  algorithm: z.enum(["RS256", "ES256"]),
+  /** Base64-encoded signature */
+  signature: z.string().min(1),
+  /** When the signature was created */
+  signed_at: z.string().datetime(),
+  /** Key ID for key rotation support */
+  key_id: z.string().optional(),
+  /** Expiration of this signature (optional, separate from lock expiration) */
+  expires_at: z.string().datetime().optional(),
+  /** Certificate chain for verification (optional) */
+  certificate_chain: z.array(z.string()).optional()
+});
+var GovernanceLockPolicySourceSchema = z.object({
+  /** Unique identifier for this source */
+  id: z.string().min(1),
+  /** Type of source */
+  type: z.enum(["pdf", "url", "confluence", "jira", "manual"]),
+  /** URI to the source document */
+  uri: z.string(),
+  /** SHA-256 hash of the source content at time of compilation */
+  content_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),
+  /** When the source was fetched */
+  fetched_at: z.string().datetime(),
+  /** Title of the policy document */
+  title: z.string().optional(),
+  /** Version of the policy document */
+  version: z.string().optional()
+});
+var GovernanceLockRegistryConstraintsSchema = z.object({
+  /** List of approved vendor IDs */
+  allowed_vendor_ids: z.array(z.string()).default([]),
+  /** List of blocked vendor IDs */
+  blocked_vendor_ids: z.array(z.string()).default([]),
+  /** List of approved region codes */
+  allowed_region_codes: z.array(z.string()).default([]),
+  /** List of blocked region codes */
+  blocked_region_codes: z.array(z.string()).default([]),
+  /** List of approved model patterns */
+  allowed_model_patterns: z.array(z.string()).default([]),
+  /** List of blocked model patterns */
+  blocked_model_patterns: z.array(z.string()).default([]),
+  /** Maximum model parameters allowed */
+  max_model_parameters: z.number().positive().optional()
+});
+var GovernanceLockRuntimeConstraintsSchema = z.object({
+  /** Whether PII filtering is required */
+  pii_filter_enabled: z.boolean().default(false),
+  /** PII filter action */
+  pii_filter_action: z.enum(["redact", "block", "warn", "audit"]).optional(),
+  /** Whether toxicity filtering is required */
+  toxicity_filter_enabled: z.boolean().default(false),
+  /** Toxicity threshold */
+  toxicity_threshold: z.number().min(0).max(1).optional(),
+  /** Data retention period in days */
+  data_retention_days: z.number().int().min(0).default(90),
+  /** Whether watermarking is required */
+  watermark_enabled: z.boolean().default(false),
+  /** Logging level */
+  logging_level: z.enum(["none", "errors", "all"]).default("all"),
+  /** Maximum tokens per request */
+  max_tokens_per_request: z.number().int().positive().optional(),
+  /** Maximum cost per day in USD */
+  max_cost_per_day_usd: z.number().positive().optional(),
+  /** Kill switch enabled */
+  kill_switch_enabled: z.boolean().default(true)
+});
+var GovernanceLockBuildConstraintsSchema = z.object({
+  /** Require Golden Thread linkage */
+  require_golden_thread: z.boolean().default(true),
+  /** Require asset card */
+  require_asset_card: z.boolean().default(true),
+  /** Require risk classification */
+  require_risk_classification: z.boolean().default(true),
+  /** Require model card */
+  require_model_card: z.boolean().default(false),
+  /** Require security review for high risk */
+  require_security_review: z.boolean().default(false),
+  /** Block merge on validation failure */
+  block_on_failure: z.boolean().default(true),
+  /** Generate SARIF report */
+  generate_sarif: z.boolean().default(true),
+  /** Allowed environments */
+  allowed_environments: z.array(z.string()).default(["development", "staging", "production"])
+});
+var GovernanceLockConstraintsSchema = z.object({
+  /** Registry constraints (vendor/model/region) */
+  registry: GovernanceLockRegistryConstraintsSchema.default({}),
+  /** Runtime constraints */
+  runtime: GovernanceLockRuntimeConstraintsSchema.default({}),
+  /** Build constraints */
+  build: GovernanceLockBuildConstraintsSchema.default({})
+});
+var GovernanceLockSchema = z.object({
+  /** Schema version for forward compatibility */
+  version: z.literal("1.0"),
+  /** When this lock file was generated */
+  generated_at: z.string().datetime(),
+  /** SHA-256 hash of the compiled policy (AIR) */
+  policy_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),
+  /** Name of this policy lock */
+  name: z.string().min(1).max(200).optional(),
+  /** Description of this lock file */
+  description: z.string().max(500).optional(),
+  /** Policy sources that contributed to this lock */
+  policy_sources: z.array(GovernanceLockPolicySourceSchema).default([]),
+  /** Compiled constraints (subset of AIR) */
+  constraints: GovernanceLockConstraintsSchema.default({}),
+  /** Digital signatures from policy owners */
+  signatures: z.array(GovernanceLockSignatureSchema).default([]),
+  /** When this lock file expires (forces re-compilation) */
+  expires_at: z.string().datetime(),
+  /** Tool/system that generated this lock */
+  generated_by: z.string().default("aigrc-policy-compiler"),
+  /** Version of the generator */
+  generator_version: z.string().default("1.0.0"),
+  /** Organization this lock belongs to */
+  organization: z.string().optional(),
+  /** Environment this lock is for */
+  environment: z.string().optional(),
+  /** Reference to the full AIR document (optional) */
+  air_reference: z.object({
+    /** AIR document ID */
+    id: z.string().uuid(),
+    /** AIR document location (URI) */
+    location: z.string().optional(),
+    /** AIR document hash */
+    hash: z.string().regex(/^sha256:[a-f0-9]{64}$/)
+  }).optional(),
+  /** Custom metadata fields */
+  metadata: z.record(z.unknown()).optional()
+});
+async function computeHash(data) {
+  const encoder = new TextEncoder();
+  const dataBuffer = encoder.encode(data);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", dataBuffer);
+  const hashArray = Array.from(new Uint8Array(hashBuffer));
+  const hashHex = hashArray.map((b) => b.toString(16).padStart(2, "0")).join("");
+  return `sha256:${hashHex}`;
+}
+async function createGovernanceLock(air, options = {}) {
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(now);
+  expiresAt.setDate(expiresAt.getDate() + (options.expiresInDays ?? 30));
+  const airForHashing = { ...air, signatures: [] };
+  const policyHash = await computeHash(JSON.stringify(airForHashing));
+  const constraints = {
+    registry: {
+      allowed_vendor_ids: air.registry.allowed_vendors.map((v) => v.id),
+      blocked_vendor_ids: air.registry.blocked_vendors,
+      allowed_region_codes: air.registry.allowed_regions.map((r) => r.code),
+      blocked_region_codes: air.registry.blocked_regions,
+      allowed_model_patterns: air.registry.allowed_models.map((m) => m.version_pattern ?? m.id),
+      blocked_model_patterns: air.registry.blocked_models,
+      max_model_parameters: air.registry.max_model_parameters
+    },
+    runtime: {
+      pii_filter_enabled: air.runtime.pii_filter?.enabled ?? false,
+      pii_filter_action: air.runtime.pii_filter?.action,
+      toxicity_filter_enabled: air.runtime.toxicity_filter?.enabled ?? false,
+      toxicity_threshold: air.runtime.toxicity_filter?.threshold,
+      data_retention_days: air.runtime.data_retention_days,
+      watermark_enabled: air.runtime.watermark_enabled,
+      logging_level: air.runtime.logging_level,
+      max_tokens_per_request: air.runtime.max_tokens_per_request,
+      max_cost_per_day_usd: air.runtime.max_cost_per_day_usd,
+      kill_switch_enabled: air.runtime.kill_switch?.enabled ?? true
+    },
+    build: {
+      require_golden_thread: air.build.require_golden_thread,
+      require_asset_card: air.build.require_asset_card,
+      require_risk_classification: air.build.require_risk_classification,
+      require_model_card: air.build.require_model_card,
+      require_security_review: air.build.require_security_review,
+      block_on_failure: air.build.block_on_failure,
+      generate_sarif: air.build.generate_sarif,
+      allowed_environments: air.build.allowed_environments
+    }
+  };
+  const policySources = air.policy_sources.map((s) => ({
+    id: s.id,
+    type: s.type,
+    uri: s.uri,
+    content_hash: s.content_hash,
+    fetched_at: s.fetched_at,
+    title: s.title,
+    version: s.version
+  }));
+  return {
+    version: "1.0",
+    generated_at: now.toISOString(),
+    policy_hash: policyHash,
+    name: options.name ?? air.name,
+    description: options.description,
+    policy_sources: policySources,
+    constraints,
+    signatures: [],
+    expires_at: expiresAt.toISOString(),
+    generated_by: air.metadata.generated_by,
+    generator_version: air.metadata.compiler_version,
+    organization: options.organization ?? air.metadata.organization,
+    environment: options.environment ?? air.metadata.environment,
+    air_reference: {
+      id: air.id,
+      hash: policyHash
+    }
+  };
+}
+function validateGovernanceLock(lock, options = {}) {
+  const errors = [];
+  const warnings = [];
+  const parseResult = GovernanceLockSchema.safeParse(lock);
+  if (!parseResult.success) {
+    return {
+      valid: false,
+      errors: parseResult.error.errors.map((e) => `${e.path.join(".")}: ${e.message}`),
+      warnings: [],
+      expired: false,
+      daysUntilExpiration: 0,
+      signed: false,
+      validSignatureCount: 0,
+      policyHashValid: false
+    };
+  }
+  const parsed = parseResult.data;
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(parsed.expires_at);
+  const daysUntilExpiration = Math.ceil((expiresAt.getTime() - now.getTime()) / (1e3 * 60 * 60 * 24));
+  const expired = expiresAt < now;
+  if (options.checkExpiration !== false && expired) {
+    errors.push(`Lock file expired on ${parsed.expires_at}`);
+  }
+  if (daysUntilExpiration > 0 && daysUntilExpiration <= 7) {
+    warnings.push(`Lock file expires in ${daysUntilExpiration} days`);
+  }
+  const signed = parsed.signatures.length > 0;
+  if (options.requireSignatures && !signed) {
+    errors.push("Lock file requires at least one signature");
+  }
+  let validSignatureCount = 0;
+  for (const sig of parsed.signatures) {
+    if (sig.expires_at) {
+      const sigExpiresAt = new Date(sig.expires_at);
+      if (sigExpiresAt < now) {
+        warnings.push(`Signature from ${sig.signer} has expired`);
+      } else {
+        validSignatureCount++;
+      }
+    } else {
+      validSignatureCount++;
+    }
+  }
+  let policyHashValid = true;
+  if (options.expectedPolicyHash) {
+    if (parsed.policy_hash !== options.expectedPolicyHash) {
+      errors.push(`Policy hash mismatch: expected ${options.expectedPolicyHash}, got ${parsed.policy_hash}`);
+      policyHashValid = false;
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors,
+    warnings,
+    expired,
+    daysUntilExpiration,
+    signed,
+    validSignatureCount,
+    policyHashValid
+  };
+}
+function parseGovernanceLockYAML(content) {
+  const parsed = yaml.parse(content);
+  return GovernanceLockSchema.parse(parsed);
+}
+function parseGovernanceLockJSON(content) {
+  const parsed = JSON.parse(content);
+  return GovernanceLockSchema.parse(parsed);
+}
+function serializeGovernanceLockYAML(lock) {
+  return yaml.stringify(lock, {
+    indent: 2,
+    lineWidth: 120
+  });
+}
+function serializeGovernanceLockJSON(lock, pretty = true) {
+  return pretty ? JSON.stringify(lock, null, 2) : JSON.stringify(lock);
+}
+function isGovernanceLockExpired(lock) {
+  return new Date(lock.expires_at) < /* @__PURE__ */ new Date();
+}
+function getDaysUntilExpiration(lock) {
+  const now = /* @__PURE__ */ new Date();
+  const expiresAt = new Date(lock.expires_at);
+  return Math.ceil((expiresAt.getTime() - now.getTime()) / (1e3 * 60 * 60 * 24));
+}
+function isVendorAllowedByLock(vendorId, lock) {
+  const { registry } = lock.constraints;
+  if (registry.blocked_vendor_ids.includes(vendorId)) {
+    return false;
+  }
+  if (registry.allowed_vendor_ids.length > 0) {
+    return registry.allowed_vendor_ids.includes(vendorId);
+  }
+  return true;
+}
+function isModelAllowedByLock(modelId, lock) {
+  const { registry } = lock.constraints;
+  for (const pattern of registry.blocked_model_patterns) {
+    if (matchesPattern(modelId, pattern)) {
+      return false;
+    }
+  }
+  if (registry.allowed_model_patterns.length > 0) {
+    return registry.allowed_model_patterns.some(
+      (pattern) => matchesPattern(modelId, pattern)
+    );
+  }
+  return true;
+}
+function isRegionAllowedByLock(regionCode, lock) {
+  const { registry } = lock.constraints;
+  if (registry.blocked_region_codes.includes(regionCode)) {
+    return false;
+  }
+  if (registry.allowed_region_codes.length > 0) {
+    return registry.allowed_region_codes.includes(regionCode);
+  }
+  return true;
+}
+function matchesPattern(value, pattern) {
+  if (pattern === "*") {
+    return true;
+  }
+  if (pattern.endsWith("*")) {
+    return value.startsWith(pattern.slice(0, -1));
+  }
+  if (pattern.startsWith("*")) {
+    return value.endsWith(pattern.slice(1));
+  }
+  return value === pattern;
+}
+function createSigningPayload(lock) {
+  const forSigning = {
+    version: lock.version,
+    generated_at: lock.generated_at,
+    policy_hash: lock.policy_hash,
+    expires_at: lock.expires_at,
+    constraints: lock.constraints
+  };
+  return JSON.stringify(forSigning);
+}
+function addSignature(lock, signature) {
+  return {
+    ...lock,
+    signatures: [...lock.signatures, signature]
+  };
+}
+export {
+  GovernanceLockBuildConstraintsSchema,
+  GovernanceLockConstraintsSchema,
+  GovernanceLockPolicySourceSchema,
+  GovernanceLockRegistryConstraintsSchema,
+  GovernanceLockRuntimeConstraintsSchema,
+  GovernanceLockSchema,
+  GovernanceLockSignatureSchema,
+  addSignature,
+  computeHash,
+  createGovernanceLock,
+  createSigningPayload,
+  getDaysUntilExpiration,
+  isGovernanceLockExpired,
+  isModelAllowedByLock,
+  isRegionAllowedByLock,
+  isVendorAllowedByLock,
+  parseGovernanceLockJSON,
+  parseGovernanceLockYAML,
+  serializeGovernanceLockJSON,
+  serializeGovernanceLockYAML,
+  validateGovernanceLock
+};
+//# sourceMappingURL=index.mjs.map

package/dist/governance-lock/index.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/governance-lock/index.ts"],"sourcesContent":["/**\n * governance.lock File Format\n *\n * The governance.lock file pins policy version to code version, similar to\n * package-lock.json. It is generated by the Policy Compiler and verified\n * by the Supply Chain Firewall in IDE, CI/CD, and runtime.\n *\n * @see I2E_Engine_Specification_v1.md Section 4.2.3\n * @module @aigrc/core/governance-lock\n */\n\nimport { z } from \"zod\";\nimport * as yaml from \"yaml\";\nimport type { AIR, AIRPolicySource } from \"../air\";\n\n// ─────────────────────────────────────────────────────────────────\n// SIGNATURE SCHEMA\n// Cryptographic signatures from policy owners\n// ─────────────────────────────────────────────────────────────────\n\nexport const GovernanceLockSignatureSchema = z.object({\n  /** Signer identity (email or system ID) */\n  signer: z.string().min(1),\n  /** Role of the signer (e.g., \"CISO\", \"PolicyOwner\", \"SecurityLead\") */\n  role: z.string().optional(),\n  /** Algorithm used: RS256 (RSA-SHA256) or ES256 (ECDSA-P256) */\n  algorithm: z.enum([\"RS256\", \"ES256\"]),\n  /** Base64-encoded signature */\n  signature: z.string().min(1),\n  /** When the signature was created */\n  signed_at: z.string().datetime(),\n  /** Key ID for key rotation support */\n  key_id: z.string().optional(),\n  /** Expiration of this signature (optional, separate from lock expiration) */\n  expires_at: z.string().datetime().optional(),\n  /** Certificate chain for verification (optional) */\n  certificate_chain: z.array(z.string()).optional(),\n});\n\nexport type GovernanceLockSignature = z.infer<typeof GovernanceLockSignatureSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// POLICY SOURCE REFERENCE SCHEMA\n// References to source policy documents with integrity hashes\n// ─────────────────────────────────────────────────────────────────\n\nexport const GovernanceLockPolicySourceSchema = z.object({\n  /** Unique identifier for this source */\n  id: z.string().min(1),\n  /** Type of source */\n  type: z.enum([\"pdf\", \"url\", \"confluence\", \"jira\", \"manual\"]),\n  /** URI to the source document */\n  uri: z.string(),\n  /** SHA-256 hash of the source content at time of compilation */\n  content_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),\n  /** When the source was fetched */\n  fetched_at: z.string().datetime(),\n  /** Title of the policy document */\n  title: z.string().optional(),\n  /** Version of the policy document */\n  version: z.string().optional(),\n});\n\nexport type GovernanceLockPolicySource = z.infer<typeof GovernanceLockPolicySourceSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// COMPILED CONSTRAINTS SCHEMA\n// Subset of AIR constraints included in governance.lock\n// ─────────────────────────────────────────────────────────────────\n\nexport const GovernanceLockRegistryConstraintsSchema = z.object({\n  /** List of approved vendor IDs */\n  allowed_vendor_ids: z.array(z.string()).default([]),\n  /** List of blocked vendor IDs */\n  blocked_vendor_ids: z.array(z.string()).default([]),\n  /** List of approved region codes */\n  allowed_region_codes: z.array(z.string()).default([]),\n  /** List of blocked region codes */\n  blocked_region_codes: z.array(z.string()).default([]),\n  /** List of approved model patterns */\n  allowed_model_patterns: z.array(z.string()).default([]),\n  /** List of blocked model patterns */\n  blocked_model_patterns: z.array(z.string()).default([]),\n  /** Maximum model parameters allowed */\n  max_model_parameters: z.number().positive().optional(),\n});\n\nexport type GovernanceLockRegistryConstraints = z.infer<typeof GovernanceLockRegistryConstraintsSchema>;\n\nexport const GovernanceLockRuntimeConstraintsSchema = z.object({\n  /** Whether PII filtering is required */\n  pii_filter_enabled: z.boolean().default(false),\n  /** PII filter action */\n  pii_filter_action: z.enum([\"redact\", \"block\", \"warn\", \"audit\"]).optional(),\n  /** Whether toxicity filtering is required */\n  toxicity_filter_enabled: z.boolean().default(false),\n  /** Toxicity threshold */\n  toxicity_threshold: z.number().min(0).max(1).optional(),\n  /** Data retention period in days */\n  data_retention_days: z.number().int().min(0).default(90),\n  /** Whether watermarking is required */\n  watermark_enabled: z.boolean().default(false),\n  /** Logging level */\n  logging_level: z.enum([\"none\", \"errors\", \"all\"]).default(\"all\"),\n  /** Maximum tokens per request */\n  max_tokens_per_request: z.number().int().positive().optional(),\n  /** Maximum cost per day in USD */\n  max_cost_per_day_usd: z.number().positive().optional(),\n  /** Kill switch enabled */\n  kill_switch_enabled: z.boolean().default(true),\n});\n\nexport type GovernanceLockRuntimeConstraints = z.infer<typeof GovernanceLockRuntimeConstraintsSchema>;\n\nexport const GovernanceLockBuildConstraintsSchema = z.object({\n  /** Require Golden Thread linkage */\n  require_golden_thread: z.boolean().default(true),\n  /** Require asset card */\n  require_asset_card: z.boolean().default(true),\n  /** Require risk classification */\n  require_risk_classification: z.boolean().default(true),\n  /** Require model card */\n  require_model_card: z.boolean().default(false),\n  /** Require security review for high risk */\n  require_security_review: z.boolean().default(false),\n  /** Block merge on validation failure */\n  block_on_failure: z.boolean().default(true),\n  /** Generate SARIF report */\n  generate_sarif: z.boolean().default(true),\n  /** Allowed environments */\n  allowed_environments: z.array(z.string()).default([\"development\", \"staging\", \"production\"]),\n});\n\nexport type GovernanceLockBuildConstraints = z.infer<typeof GovernanceLockBuildConstraintsSchema>;\n\nexport const GovernanceLockConstraintsSchema = z.object({\n  /** Registry constraints (vendor/model/region) */\n  registry: GovernanceLockRegistryConstraintsSchema.default({}),\n  /** Runtime constraints */\n  runtime: GovernanceLockRuntimeConstraintsSchema.default({}),\n  /** Build constraints */\n  build: GovernanceLockBuildConstraintsSchema.default({}),\n});\n\nexport type GovernanceLockConstraints = z.infer<typeof GovernanceLockConstraintsSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// GOVERNANCE.LOCK SCHEMA\n// The complete governance.lock file format\n// ─────────────────────────────────────────────────────────────────\n\nexport const GovernanceLockSchema = z.object({\n  /** Schema version for forward compatibility */\n  version: z.literal(\"1.0\"),\n  /** When this lock file was generated */\n  generated_at: z.string().datetime(),\n  /** SHA-256 hash of the compiled policy (AIR) */\n  policy_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),\n  /** Name of this policy lock */\n  name: z.string().min(1).max(200).optional(),\n  /** Description of this lock file */\n  description: z.string().max(500).optional(),\n  /** Policy sources that contributed to this lock */\n  policy_sources: z.array(GovernanceLockPolicySourceSchema).default([]),\n  /** Compiled constraints (subset of AIR) */\n  constraints: GovernanceLockConstraintsSchema.default({}),\n  /** Digital signatures from policy owners */\n  signatures: z.array(GovernanceLockSignatureSchema).default([]),\n  /** When this lock file expires (forces re-compilation) */\n  expires_at: z.string().datetime(),\n  /** Tool/system that generated this lock */\n  generated_by: z.string().default(\"aigrc-policy-compiler\"),\n  /** Version of the generator */\n  generator_version: z.string().default(\"1.0.0\"),\n  /** Organization this lock belongs to */\n  organization: z.string().optional(),\n  /** Environment this lock is for */\n  environment: z.string().optional(),\n  /** Reference to the full AIR document (optional) */\n  air_reference: z.object({\n    /** AIR document ID */\n    id: z.string().uuid(),\n    /** AIR document location (URI) */\n    location: z.string().optional(),\n    /** AIR document hash */\n    hash: z.string().regex(/^sha256:[a-f0-9]{64}$/),\n  }).optional(),\n  /** Custom metadata fields */\n  metadata: z.record(z.unknown()).optional(),\n});\n\nexport type GovernanceLock = z.infer<typeof GovernanceLockSchema>;\n\n// ─────────────────────────────────────────────────────────────────\n// VALIDATION RESULT SCHEMA\n// Result of validating a governance.lock file\n// ─────────────────────────────────────────────────────────────────\n\nexport interface GovernanceLockValidationResult {\n  /** Whether the lock file is valid */\n  valid: boolean;\n  /** Validation errors */\n  errors: string[];\n  /** Validation warnings */\n  warnings: string[];\n  /** Whether the lock file has expired */\n  expired: boolean;\n  /** Days until expiration (negative if expired) */\n  daysUntilExpiration: number;\n  /** Whether signatures are present */\n  signed: boolean;\n  /** Number of valid signatures */\n  validSignatureCount: number;\n  /** Whether policy hash is valid */\n  policyHashValid: boolean;\n}\n\n// ─────────────────────────────────────────────────────────────────\n// HELPER FUNCTIONS\n// ─────────────────────────────────────────────────────────────────\n\n/**\n * Computes SHA-256 hash of a string\n */\nasync function computeHash(data: string): Promise<string> {\n  // Use Web Crypto API (works in Node.js 18+ and browsers)\n  const encoder = new TextEncoder();\n  const dataBuffer = encoder.encode(data);\n  const hashBuffer = await crypto.subtle.digest(\"SHA-256\", dataBuffer);\n  const hashArray = Array.from(new Uint8Array(hashBuffer));\n  const hashHex = hashArray.map(b => b.toString(16).padStart(2, \"0\")).join(\"\");\n  return `sha256:${hashHex}`;\n}\n\n/**\n * Creates a governance.lock from an AIR document\n */\nexport async function createGovernanceLock(\n  air: AIR,\n  options: {\n    expiresInDays?: number;\n    name?: string;\n    description?: string;\n    organization?: string;\n    environment?: string;\n  } = {}\n): Promise<GovernanceLock> {\n  const now = new Date();\n  const expiresAt = new Date(now);\n  expiresAt.setDate(expiresAt.getDate() + (options.expiresInDays ?? 30));\n\n  // Compute policy hash from AIR content (excluding signatures)\n  const airForHashing = { ...air, signatures: [] };\n  const policyHash = await computeHash(JSON.stringify(airForHashing));\n\n  // Extract simplified constraints from AIR\n  const constraints: GovernanceLockConstraints = {\n    registry: {\n      allowed_vendor_ids: air.registry.allowed_vendors.map(v => v.id),\n      blocked_vendor_ids: air.registry.blocked_vendors,\n      allowed_region_codes: air.registry.allowed_regions.map(r => r.code),\n      blocked_region_codes: air.registry.blocked_regions,\n      allowed_model_patterns: air.registry.allowed_models.map(m => m.version_pattern ?? m.id),\n      blocked_model_patterns: air.registry.blocked_models,\n      max_model_parameters: air.registry.max_model_parameters,\n    },\n    runtime: {\n      pii_filter_enabled: air.runtime.pii_filter?.enabled ?? false,\n      pii_filter_action: air.runtime.pii_filter?.action,\n      toxicity_filter_enabled: air.runtime.toxicity_filter?.enabled ?? false,\n      toxicity_threshold: air.runtime.toxicity_filter?.threshold,\n      data_retention_days: air.runtime.data_retention_days,\n      watermark_enabled: air.runtime.watermark_enabled,\n      logging_level: air.runtime.logging_level,\n      max_tokens_per_request: air.runtime.max_tokens_per_request,\n      max_cost_per_day_usd: air.runtime.max_cost_per_day_usd,\n      kill_switch_enabled: air.runtime.kill_switch?.enabled ?? true,\n    },\n    build: {\n      require_golden_thread: air.build.require_golden_thread,\n      require_asset_card: air.build.require_asset_card,\n      require_risk_classification: air.build.require_risk_classification,\n      require_model_card: air.build.require_model_card,\n      require_security_review: air.build.require_security_review,\n      block_on_failure: air.build.block_on_failure,\n      generate_sarif: air.build.generate_sarif,\n      allowed_environments: air.build.allowed_environments,\n    },\n  };\n\n  // Map AIR policy sources to lock format\n  const policySources: GovernanceLockPolicySource[] = air.policy_sources.map(s => ({\n    id: s.id,\n    type: s.type,\n    uri: s.uri,\n    content_hash: s.content_hash,\n    fetched_at: s.fetched_at,\n    title: s.title,\n    version: s.version,\n  }));\n\n  return {\n    version: \"1.0\",\n    generated_at: now.toISOString(),\n    policy_hash: policyHash,\n    name: options.name ?? air.name,\n    description: options.description,\n    policy_sources: policySources,\n    constraints,\n    signatures: [],\n    expires_at: expiresAt.toISOString(),\n    generated_by: air.metadata.generated_by,\n    generator_version: air.metadata.compiler_version,\n    organization: options.organization ?? air.metadata.organization,\n    environment: options.environment ?? air.metadata.environment,\n    air_reference: {\n      id: air.id,\n      hash: policyHash,\n    },\n  };\n}\n\n/**\n * Validates a governance.lock file\n */\nexport function validateGovernanceLock(\n  lock: unknown,\n  options: {\n    /** Whether to check expiration */\n    checkExpiration?: boolean;\n    /** Whether to require signatures */\n    requireSignatures?: boolean;\n    /** Expected policy hash (for integrity check) */\n    expectedPolicyHash?: string;\n  } = {}\n): GovernanceLockValidationResult {\n  const errors: string[] = [];\n  const warnings: string[] = [];\n\n  // Parse and validate schema\n  const parseResult = GovernanceLockSchema.safeParse(lock);\n  if (!parseResult.success) {\n    return {\n      valid: false,\n      errors: parseResult.error.errors.map(e => `${e.path.join(\".\")}: ${e.message}`),\n      warnings: [],\n      expired: false,\n      daysUntilExpiration: 0,\n      signed: false,\n      validSignatureCount: 0,\n      policyHashValid: false,\n    };\n  }\n\n  const parsed = parseResult.data;\n  const now = new Date();\n  const expiresAt = new Date(parsed.expires_at);\n  const daysUntilExpiration = Math.ceil((expiresAt.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));\n  const expired = expiresAt < now;\n\n  // Check expiration\n  if (options.checkExpiration !== false && expired) {\n    errors.push(`Lock file expired on ${parsed.expires_at}`);\n  }\n\n  // Warn if expiring soon (within 7 days)\n  if (daysUntilExpiration > 0 && daysUntilExpiration <= 7) {\n    warnings.push(`Lock file expires in ${daysUntilExpiration} days`);\n  }\n\n  // Check signatures\n  const signed = parsed.signatures.length > 0;\n  if (options.requireSignatures && !signed) {\n    errors.push(\"Lock file requires at least one signature\");\n  }\n\n  // Check signature expiration\n  let validSignatureCount = 0;\n  for (const sig of parsed.signatures) {\n    if (sig.expires_at) {\n      const sigExpiresAt = new Date(sig.expires_at);\n      if (sigExpiresAt < now) {\n        warnings.push(`Signature from ${sig.signer} has expired`);\n      } else {\n        validSignatureCount++;\n      }\n    } else {\n      validSignatureCount++;\n    }\n  }\n\n  // Check policy hash\n  let policyHashValid = true;\n  if (options.expectedPolicyHash) {\n    if (parsed.policy_hash !== options.expectedPolicyHash) {\n      errors.push(`Policy hash mismatch: expected ${options.expectedPolicyHash}, got ${parsed.policy_hash}`);\n      policyHashValid = false;\n    }\n  }\n\n  return {\n    valid: errors.length === 0,\n    errors,\n    warnings,\n    expired,\n    daysUntilExpiration,\n    signed,\n    validSignatureCount,\n    policyHashValid,\n  };\n}\n\n/**\n * Parses a governance.lock file from YAML string\n */\nexport function parseGovernanceLockYAML(content: string): GovernanceLock {\n  const parsed = yaml.parse(content);\n  return GovernanceLockSchema.parse(parsed);\n}\n\n/**\n * Parses a governance.lock file from JSON string\n */\nexport function parseGovernanceLockJSON(content: string): GovernanceLock {\n  const parsed = JSON.parse(content);\n  return GovernanceLockSchema.parse(parsed);\n}\n\n/**\n * Serializes a governance.lock to YAML\n */\nexport function serializeGovernanceLockYAML(lock: GovernanceLock): string {\n  return yaml.stringify(lock, {\n    indent: 2,\n    lineWidth: 120,\n  });\n}\n\n/**\n * Serializes a governance.lock to JSON\n */\nexport function serializeGovernanceLockJSON(lock: GovernanceLock, pretty = true): string {\n  return pretty ? JSON.stringify(lock, null, 2) : JSON.stringify(lock);\n}\n\n/**\n * Checks if a governance.lock file is expired\n */\nexport function isGovernanceLockExpired(lock: GovernanceLock): boolean {\n  return new Date(lock.expires_at) < new Date();\n}\n\n/**\n * Gets the number of days until a governance.lock expires\n */\nexport function getDaysUntilExpiration(lock: GovernanceLock): number {\n  const now = new Date();\n  const expiresAt = new Date(lock.expires_at);\n  return Math.ceil((expiresAt.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));\n}\n\n/**\n * Checks if a vendor is allowed by the governance.lock\n */\nexport function isVendorAllowedByLock(vendorId: string, lock: GovernanceLock): boolean {\n  const { registry } = lock.constraints;\n\n  // Check blocked list first\n  if (registry.blocked_vendor_ids.includes(vendorId)) {\n    return false;\n  }\n\n  // Check allowed list (if specified)\n  if (registry.allowed_vendor_ids.length > 0) {\n    return registry.allowed_vendor_ids.includes(vendorId);\n  }\n\n  // If no allowed list, allow by default (except blocked)\n  return true;\n}\n\n/**\n * Checks if a model is allowed by the governance.lock\n */\nexport function isModelAllowedByLock(modelId: string, lock: GovernanceLock): boolean {\n  const { registry } = lock.constraints;\n\n  // Check blocked patterns\n  for (const pattern of registry.blocked_model_patterns) {\n    if (matchesPattern(modelId, pattern)) {\n      return false;\n    }\n  }\n\n  // Check allowed patterns (if specified)\n  if (registry.allowed_model_patterns.length > 0) {\n    return registry.allowed_model_patterns.some(pattern =>\n      matchesPattern(modelId, pattern)\n    );\n  }\n\n  // If no allowed list, allow by default (except blocked)\n  return true;\n}\n\n/**\n * Checks if a region is allowed by the governance.lock\n */\nexport function isRegionAllowedByLock(regionCode: string, lock: GovernanceLock): boolean {\n  const { registry } = lock.constraints;\n\n  // Check blocked list first\n  if (registry.blocked_region_codes.includes(regionCode)) {\n    return false;\n  }\n\n  // Check allowed list (if specified)\n  if (registry.allowed_region_codes.length > 0) {\n    return registry.allowed_region_codes.includes(regionCode);\n  }\n\n  // If no allowed list, allow by default (except blocked)\n  return true;\n}\n\n/**\n * Simple pattern matching (supports wildcards)\n */\nfunction matchesPattern(value: string, pattern: string): boolean {\n  if (pattern === \"*\") {\n    return true;\n  }\n  if (pattern.endsWith(\"*\")) {\n    return value.startsWith(pattern.slice(0, -1));\n  }\n  if (pattern.startsWith(\"*\")) {\n    return value.endsWith(pattern.slice(1));\n  }\n  return value === pattern;\n}\n\n/**\n * Creates a canonical string for signing\n */\nexport function createSigningPayload(lock: GovernanceLock): string {\n  // Create a deterministic representation excluding signatures\n  const forSigning = {\n    version: lock.version,\n    generated_at: lock.generated_at,\n    policy_hash: lock.policy_hash,\n    expires_at: lock.expires_at,\n    constraints: lock.constraints,\n  };\n  return JSON.stringify(forSigning);\n}\n\n/**\n * Adds a signature to a governance.lock\n * Note: Actual cryptographic signing is delegated to external libraries\n */\nexport function addSignature(\n  lock: GovernanceLock,\n  signature: GovernanceLockSignature\n): GovernanceLock {\n  return {\n    ...lock,\n    signatures: [...lock.signatures, signature],\n  };\n}\n\n/**\n * Computes a hash for integrity verification\n */\nexport { computeHash };\n"],"mappings":";AAWA,SAAS,SAAS;AAClB,YAAY,UAAU;AAQf,IAAM,gCAAgC,EAAE,OAAO;AAAA;AAAA,EAEpD,QAAQ,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAExB,MAAM,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE1B,WAAW,EAAE,KAAK,CAAC,SAAS,OAAO,CAAC;AAAA;AAAA,EAEpC,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAE3B,WAAW,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE/B,QAAQ,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE5B,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE3C,mBAAmB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAClD,CAAC;AASM,IAAM,mCAAmC,EAAE,OAAO;AAAA;AAAA,EAEvD,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC;AAAA;AAAA,EAEpB,MAAM,EAAE,KAAK,CAAC,OAAO,OAAO,cAAc,QAAQ,QAAQ,CAAC;AAAA;AAAA,EAE3D,KAAK,EAAE,OAAO;AAAA;AAAA,EAEd,cAAc,EAAE,OAAO,EAAE,MAAM,uBAAuB;AAAA;AAAA,EAEtD,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEhC,OAAO,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAE3B,SAAS,EAAE,OAAO,EAAE,SAAS;AAC/B,CAAC;AASM,IAAM,0CAA0C,EAAE,OAAO;AAAA;AAAA,EAE9D,oBAAoB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAElD,oBAAoB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAElD,sBAAsB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEpD,sBAAsB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEpD,wBAAwB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEtD,wBAAwB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEtD,sBAAsB,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AACvD,CAAC;AAIM,IAAM,yCAAyC,EAAE,OAAO;AAAA;AAAA,EAE7D,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE7C,mBAAmB,EAAE,KAAK,CAAC,UAAU,SAAS,QAAQ,OAAO,CAAC,EAAE,SAAS;AAAA;AAAA,EAEzE,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAElD,oBAAoB,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA;AAAA,EAEtD,qBAAqB,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,QAAQ,EAAE;AAAA;AAAA,EAEvD,mBAAmB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE5C,eAAe,EAAE,KAAK,CAAC,QAAQ,UAAU,KAAK,CAAC,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE9D,wBAAwB,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAE7D,sBAAsB,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA;AAAA,EAErD,qBAAqB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAC/C,CAAC;AAIM,IAAM,uCAAuC,EAAE,OAAO;AAAA;AAAA,EAE3D,uBAAuB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE/C,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE5C,6BAA6B,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAErD,oBAAoB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAE7C,yBAAyB,EAAE,QAAQ,EAAE,QAAQ,KAAK;AAAA;AAAA,EAElD,kBAAkB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAE1C,gBAAgB,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA;AAAA,EAExC,sBAAsB,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,QAAQ,CAAC,eAAe,WAAW,YAAY,CAAC;AAC5F,CAAC;AAIM,IAAM,kCAAkC,EAAE,OAAO;AAAA;AAAA,EAEtD,UAAU,wCAAwC,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE5D,SAAS,uCAAuC,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE1D,OAAO,qCAAqC,QAAQ,CAAC,CAAC;AACxD,CAAC;AASM,IAAM,uBAAuB,EAAE,OAAO;AAAA;AAAA,EAE3C,SAAS,EAAE,QAAQ,KAAK;AAAA;AAAA,EAExB,cAAc,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAElC,aAAa,EAAE,OAAO,EAAE,MAAM,uBAAuB;AAAA;AAAA,EAErD,MAAM,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA;AAAA,EAE1C,aAAa,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA;AAAA,EAE1C,gBAAgB,EAAE,MAAM,gCAAgC,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEpE,aAAa,gCAAgC,QAAQ,CAAC,CAAC;AAAA;AAAA,EAEvD,YAAY,EAAE,MAAM,6BAA6B,EAAE,QAAQ,CAAC,CAAC;AAAA;AAAA,EAE7D,YAAY,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEhC,cAAc,EAAE,OAAO,EAAE,QAAQ,uBAAuB;AAAA;AAAA,EAExD,mBAAmB,EAAE,OAAO,EAAE,QAAQ,OAAO;AAAA;AAAA,EAE7C,cAAc,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAElC,aAAa,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,EAEjC,eAAe,EAAE,OAAO;AAAA;AAAA,IAEtB,IAAI,EAAE,OAAO,EAAE,KAAK;AAAA;AAAA,IAEpB,UAAU,EAAE,OAAO,EAAE,SAAS;AAAA;AAAA,IAE9B,MAAM,EAAE,OAAO,EAAE,MAAM,uBAAuB;AAAA,EAChD,CAAC,EAAE,SAAS;AAAA;AAAA,EAEZ,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,EAAE,SAAS;AAC3C,CAAC;AAmCD,eAAe,YAAY,MAA+B;AAExD,QAAM,UAAU,IAAI,YAAY;AAChC,QAAM,aAAa,QAAQ,OAAO,IAAI;AACtC,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,UAAU;AACnE,QAAM,YAAY,MAAM,KAAK,IAAI,WAAW,UAAU,CAAC;AACvD,QAAM,UAAU,UAAU,IAAI,OAAK,EAAE,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AAC3E,SAAO,UAAU,OAAO;AAC1B;AAKA,eAAsB,qBACpB,KACA,UAMI,CAAC,GACoB;AACzB,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,YAAY,IAAI,KAAK,GAAG;AAC9B,YAAU,QAAQ,UAAU,QAAQ,KAAK,QAAQ,iBAAiB,GAAG;AAGrE,QAAM,gBAAgB,EAAE,GAAG,KAAK,YAAY,CAAC,EAAE;AAC/C,QAAM,aAAa,MAAM,YAAY,KAAK,UAAU,aAAa,CAAC;AAGlE,QAAM,cAAyC;AAAA,IAC7C,UAAU;AAAA,MACR,oBAAoB,IAAI,SAAS,gBAAgB,IAAI,OAAK,EAAE,EAAE;AAAA,MAC9D,oBAAoB,IAAI,SAAS;AAAA,MACjC,sBAAsB,IAAI,SAAS,gBAAgB,IAAI,OAAK,EAAE,IAAI;AAAA,MAClE,sBAAsB,IAAI,SAAS;AAAA,MACnC,wBAAwB,IAAI,SAAS,eAAe,IAAI,OAAK,EAAE,mBAAmB,EAAE,EAAE;AAAA,MACtF,wBAAwB,IAAI,SAAS;AAAA,MACrC,sBAAsB,IAAI,SAAS;AAAA,IACrC;AAAA,IACA,SAAS;AAAA,MACP,oBAAoB,IAAI,QAAQ,YAAY,WAAW;AAAA,MACvD,mBAAmB,IAAI,QAAQ,YAAY;AAAA,MAC3C,yBAAyB,IAAI,QAAQ,iBAAiB,WAAW;AAAA,MACjE,oBAAoB,IAAI,QAAQ,iBAAiB;AAAA,MACjD,qBAAqB,IAAI,QAAQ;AAAA,MACjC,mBAAmB,IAAI,QAAQ;AAAA,MAC/B,eAAe,IAAI,QAAQ;AAAA,MAC3B,wBAAwB,IAAI,QAAQ;AAAA,MACpC,sBAAsB,IAAI,QAAQ;AAAA,MAClC,qBAAqB,IAAI,QAAQ,aAAa,WAAW;AAAA,IAC3D;AAAA,IACA,OAAO;AAAA,MACL,uBAAuB,IAAI,MAAM;AAAA,MACjC,oBAAoB,IAAI,MAAM;AAAA,MAC9B,6BAA6B,IAAI,MAAM;AAAA,MACvC,oBAAoB,IAAI,MAAM;AAAA,MAC9B,yBAAyB,IAAI,MAAM;AAAA,MACnC,kBAAkB,IAAI,MAAM;AAAA,MAC5B,gBAAgB,IAAI,MAAM;AAAA,MAC1B,sBAAsB,IAAI,MAAM;AAAA,IAClC;AAAA,EACF;AAGA,QAAM,gBAA8C,IAAI,eAAe,IAAI,QAAM;AAAA,IAC/E,IAAI,EAAE;AAAA,IACN,MAAM,EAAE;AAAA,IACR,KAAK,EAAE;AAAA,IACP,cAAc,EAAE;AAAA,IAChB,YAAY,EAAE;AAAA,IACd,OAAO,EAAE;AAAA,IACT,SAAS,EAAE;AAAA,EACb,EAAE;AAEF,SAAO;AAAA,IACL,SAAS;AAAA,IACT,cAAc,IAAI,YAAY;AAAA,IAC9B,aAAa;AAAA,IACb,MAAM,QAAQ,QAAQ,IAAI;AAAA,IAC1B,aAAa,QAAQ;AAAA,IACrB,gBAAgB;AAAA,IAChB;AAAA,IACA,YAAY,CAAC;AAAA,IACb,YAAY,UAAU,YAAY;AAAA,IAClC,cAAc,IAAI,SAAS;AAAA,IAC3B,mBAAmB,IAAI,SAAS;AAAA,IAChC,cAAc,QAAQ,gBAAgB,IAAI,SAAS;AAAA,IACnD,aAAa,QAAQ,eAAe,IAAI,SAAS;AAAA,IACjD,eAAe;AAAA,MACb,IAAI,IAAI;AAAA,MACR,MAAM;AAAA,IACR;AAAA,EACF;AACF;AAKO,SAAS,uBACd,MACA,UAOI,CAAC,GAC2B;AAChC,QAAM,SAAmB,CAAC;AAC1B,QAAM,WAAqB,CAAC;AAG5B,QAAM,cAAc,qBAAqB,UAAU,IAAI;AACvD,MAAI,CAAC,YAAY,SAAS;AACxB,WAAO;AAAA,MACL,OAAO;AAAA,MACP,QAAQ,YAAY,MAAM,OAAO,IAAI,OAAK,GAAG,EAAE,KAAK,KAAK,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE;AAAA,MAC7E,UAAU,CAAC;AAAA,MACX,SAAS;AAAA,MACT,qBAAqB;AAAA,MACrB,QAAQ;AAAA,MACR,qBAAqB;AAAA,MACrB,iBAAiB;AAAA,IACnB;AAAA,EACF;AAEA,QAAM,SAAS,YAAY;AAC3B,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,YAAY,IAAI,KAAK,OAAO,UAAU;AAC5C,QAAM,sBAAsB,KAAK,MAAM,UAAU,QAAQ,IAAI,IAAI,QAAQ,MAAM,MAAO,KAAK,KAAK,GAAG;AACnG,QAAM,UAAU,YAAY;AAG5B,MAAI,QAAQ,oBAAoB,SAAS,SAAS;AAChD,WAAO,KAAK,wBAAwB,OAAO,UAAU,EAAE;AAAA,EACzD;AAGA,MAAI,sBAAsB,KAAK,uBAAuB,GAAG;AACvD,aAAS,KAAK,wBAAwB,mBAAmB,OAAO;AAAA,EAClE;AAGA,QAAM,SAAS,OAAO,WAAW,SAAS;AAC1C,MAAI,QAAQ,qBAAqB,CAAC,QAAQ;AACxC,WAAO,KAAK,2CAA2C;AAAA,EACzD;AAGA,MAAI,sBAAsB;AAC1B,aAAW,OAAO,OAAO,YAAY;AACnC,QAAI,IAAI,YAAY;AAClB,YAAM,eAAe,IAAI,KAAK,IAAI,UAAU;AAC5C,UAAI,eAAe,KAAK;AACtB,iBAAS,KAAK,kBAAkB,IAAI,MAAM,cAAc;AAAA,MAC1D,OAAO;AACL;AAAA,MACF;AAAA,IACF,OAAO;AACL;AAAA,IACF;AAAA,EACF;AAGA,MAAI,kBAAkB;AACtB,MAAI,QAAQ,oBAAoB;AAC9B,QAAI,OAAO,gBAAgB,QAAQ,oBAAoB;AACrD,aAAO,KAAK,kCAAkC,QAAQ,kBAAkB,SAAS,OAAO,WAAW,EAAE;AACrG,wBAAkB;AAAA,IACpB;AAAA,EACF;AAEA,SAAO;AAAA,IACL,OAAO,OAAO,WAAW;AAAA,IACzB;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;AAKO,SAAS,wBAAwB,SAAiC;AACvE,QAAM,SAAc,WAAM,OAAO;AACjC,SAAO,qBAAqB,MAAM,MAAM;AAC1C;AAKO,SAAS,wBAAwB,SAAiC;AACvE,QAAM,SAAS,KAAK,MAAM,OAAO;AACjC,SAAO,qBAAqB,MAAM,MAAM;AAC1C;AAKO,SAAS,4BAA4B,MAA8B;AACxE,SAAY,eAAU,MAAM;AAAA,IAC1B,QAAQ;AAAA,IACR,WAAW;AAAA,EACb,CAAC;AACH;AAKO,SAAS,4BAA4B,MAAsB,SAAS,MAAc;AACvF,SAAO,SAAS,KAAK,UAAU,MAAM,MAAM,CAAC,IAAI,KAAK,UAAU,IAAI;AACrE;AAKO,SAAS,wBAAwB,MAA+B;AACrE,SAAO,IAAI,KAAK,KAAK,UAAU,IAAI,oBAAI,KAAK;AAC9C;AAKO,SAAS,uBAAuB,MAA8B;AACnE,QAAM,MAAM,oBAAI,KAAK;AACrB,QAAM,YAAY,IAAI,KAAK,KAAK,UAAU;AAC1C,SAAO,KAAK,MAAM,UAAU,QAAQ,IAAI,IAAI,QAAQ,MAAM,MAAO,KAAK,KAAK,GAAG;AAChF;AAKO,SAAS,sBAAsB,UAAkB,MAA+B;AACrF,QAAM,EAAE,SAAS,IAAI,KAAK;AAG1B,MAAI,SAAS,mBAAmB,SAAS,QAAQ,GAAG;AAClD,WAAO;AAAA,EACT;AAGA,MAAI,SAAS,mBAAmB,SAAS,GAAG;AAC1C,WAAO,SAAS,mBAAmB,SAAS,QAAQ;AAAA,EACtD;AAGA,SAAO;AACT;AAKO,SAAS,qBAAqB,SAAiB,MAA+B;AACnF,QAAM,EAAE,SAAS,IAAI,KAAK;AAG1B,aAAW,WAAW,SAAS,wBAAwB;AACrD,QAAI,eAAe,SAAS,OAAO,GAAG;AACpC,aAAO;AAAA,IACT;AAAA,EACF;AAGA,MAAI,SAAS,uBAAuB,SAAS,GAAG;AAC9C,WAAO,SAAS,uBAAuB;AAAA,MAAK,aAC1C,eAAe,SAAS,OAAO;AAAA,IACjC;AAAA,EACF;AAGA,SAAO;AACT;AAKO,SAAS,sBAAsB,YAAoB,MAA+B;AACvF,QAAM,EAAE,SAAS,IAAI,KAAK;AAG1B,MAAI,SAAS,qBAAqB,SAAS,UAAU,GAAG;AACtD,WAAO;AAAA,EACT;AAGA,MAAI,SAAS,qBAAqB,SAAS,GAAG;AAC5C,WAAO,SAAS,qBAAqB,SAAS,UAAU;AAAA,EAC1D;AAGA,SAAO;AACT;AAKA,SAAS,eAAe,OAAe,SAA0B;AAC/D,MAAI,YAAY,KAAK;AACnB,WAAO;AAAA,EACT;AACA,MAAI,QAAQ,SAAS,GAAG,GAAG;AACzB,WAAO,MAAM,WAAW,QAAQ,MAAM,GAAG,EAAE,CAAC;AAAA,EAC9C;AACA,MAAI,QAAQ,WAAW,GAAG,GAAG;AAC3B,WAAO,MAAM,SAAS,QAAQ,MAAM,CAAC,CAAC;AAAA,EACxC;AACA,SAAO,UAAU;AACnB;AAKO,SAAS,qBAAqB,MAA8B;AAEjE,QAAM,aAAa;AAAA,IACjB,SAAS,KAAK;AAAA,IACd,cAAc,KAAK;AAAA,IACnB,aAAa,KAAK;AAAA,IAClB,YAAY,KAAK;AAAA,IACjB,aAAa,KAAK;AAAA,EACpB;AACA,SAAO,KAAK,UAAU,UAAU;AAClC;AAMO,SAAS,aACd,MACA,WACgB;AAChB,SAAO;AAAA,IACL,GAAG;AAAA,IACH,YAAY,CAAC,GAAG,KAAK,YAAY,SAAS;AAAA,EAC5C;AACF;","names":[]}