@amtp/protocol 1.0.1

package/dist/server/security.js

@@ -0,0 +1,368 @@
+"use strict";
+/**
+ * AMTP Security Utilities
+ * Centralized security utilities for the AMTP protocol
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeFreeText = exports.sanitizeHttpMethod = exports.sanitizeEndpoint = exports.sanitizeActionId = exports.isValidCsrfToken = exports.generateCsrfToken = exports.csrfHeaderName = exports.isValidSessionId = exports.readBodyWithLimit = exports.DEFAULT_MAX_BODY_SIZE = exports.SecurityError = exports.MAX_SESSION_LIFETIME_MS = exports.DEFAULT_SESSION_TIMEOUT_MS = exports.InMemoryRateLimiter = exports.AMTP_SECURITY_HEADERS = exports.validateTextField = exports.sanitizeHtml = exports.validateUrl = exports.XSS_PATTERNS = exports.ALLOWED_URL_SCHEMES = exports.generateSecureRequestId = exports.AMTP_REQUEST_ID_PREFIX = exports.generateSecureSessionId = exports.AMTP_SESSION_ID_PREFIX = exports.secureRandomString = void 0;
+const stream_1 = require("stream");
+// ---- CRYPTO-HARDENED RANDOM GENERATION ----
+/**
+ * Generate a cryptographically secure random string
+ * Replaces Math.random()-based session and request IDs
+ */
+function secureRandomString(length = 24) {
+    return crypto.getRandomValues(new Uint8Array(length))
+        .reduce((str, byte) => str + byte.toString(16).padStart(2, "0"), "");
+}
+exports.secureRandomString = secureRandomString;
+/** Session ID prefix for AMTP */
+exports.AMTP_SESSION_ID_PREFIX = "sess_";
+/** Generate a secure AMTP session ID */
+function generateSecureSessionId() {
+    return `${exports.AMTP_SESSION_ID_PREFIX}${secureRandomString(20)}`;
+}
+exports.generateSecureSessionId = generateSecureSessionId;
+/** Request ID prefix for AMTP */
+exports.AMTP_REQUEST_ID_PREFIX = "req_";
+/** Generate a secure AMTP request ID */
+function generateSecureRequestId() {
+    return `${exports.AMTP_REQUEST_ID_PREFIX}${Date.now()}_${secureRandomString(8)}`;
+}
+exports.generateSecureRequestId = generateSecureRequestId;
+// ---- ALLOWLIST / BLOCKLIST ----
+/** Allowed redirect schemes — block javascript:, data:, file:, vbscript: */
+exports.ALLOWED_URL_SCHEMES = new Set(["http", "https"]);
+/** Dangerous HTML/script patterns in markdown content */
+exports.XSS_PATTERNS = [
+    /<script[\s\S]*?>/gi,
+    /javascript:/gi,
+    /on\w+\s*=\s*["'][^"']*["']/gi,
+    /<iframe[\s\S]*?>/gi,
+    /<object[\s\S]*?>/gi,
+    /<embed[\s\S]*?>/gi,
+    /<svg[\s\S]*?onload/gi,
+    /eval\s*\(/gi,
+    /document\.cookie/gi,
+];
+// ---- URL VALIDATION & SANITIZATION ----
+/**
+ * Parse and validate a URL against SSRF / open-redirect patterns.
+ * Returns the validated URL string or throws.
+ */
+function validateUrl(value, baseUrl) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        throw new SecurityError("URL must not be empty", "INVALID_URL", 400);
+    }
+    let parsed;
+    try {
+        // Resolve relative URLs against baseUrl if provided
+        if (baseUrl && !/^https?:\/\//i.test(trimmed)) {
+            // Guard against path-traversal within the origin
+            parsed = new URL(trimmed, baseUrl);
+        }
+        else {
+            parsed = new URL(trimmed);
+        }
+    }
+    catch {
+        throw new SecurityError(`Unparseable URL: ${trimmed}`, "INVALID_URL", 400);
+    }
+    if (!exports.ALLOWED_URL_SCHEMES.has(parsed.protocol.replace(":", ""))) {
+        throw new SecurityError(`Disallowed URL scheme: ${parsed.protocol}`, "DISALLOWED_SCHEME", 400);
+    }
+    return parsed.toString();
+}
+exports.validateUrl = validateUrl;
+// ---- INPUT SANITIZATION ----
+/**
+ * Strip potentially dangerous HTML/script content from a string
+ * Returns the sanitized string and a boolean indicating whether
+ * anything was removed.
+ */
+function sanitizeHtml(input) {
+    let cleaned = input;
+    for (const pattern of exports.XSS_PATTERNS) {
+        if (pattern.test(cleaned)) {
+            cleaned = cleaned.replace(pattern, "");
+        }
+    }
+    return cleaned;
+}
+exports.sanitizeHtml = sanitizeHtml;
+/**
+ * Validate a string field (non-empty, no control characters, max length)
+ */
+function validateTextField(value, options = {}) {
+    const { minLength = 1, maxLength = 10000, fieldName = "field" } = options;
+    if (value.length < minLength) {
+        throw new SecurityError(`${fieldName} too short (min ${minLength})`, "INPUT_TOO_SHORT", 400);
+    }
+    if (value.length > maxLength) {
+        throw new SecurityError(`${fieldName} too long (max ${maxLength})`, "INPUT_TOO_LONG", 413);
+    }
+    return value;
+}
+exports.validateTextField = validateTextField;
+// ---- SECURITY HEADERS ----
+/** Common security response headers for AMTP endpoints */
+exports.AMTP_SECURITY_HEADERS = {
+    "X-Content-Type-Options": "nosniff",
+    "X-Frame-Options": "DENY",
+    "X-XSS-Protection": "1; mode=block",
+    "Referrer-Policy": "strict-origin-when-cross-origin",
+};
+// ---- SCOPE / RATE-LIMIT GUARD ----
+/**
+ * Map of IP -> { count, resetAt } used in in-memory rate limiting.
+ * Callers should reset expired entries periodically.
+ */
+class InMemoryRateLimiter {
+    constructor(windowMs, maxRequests) {
+        this.windowMs = windowMs;
+        this.maxRequests = maxRequests;
+        this.map = new Map();
+    }
+    /**
+     * Returns true if the request is within the allowed rate limit,
+     * false if it should be rejected with 429.
+     */
+    check(ip) {
+        const now = Date.now();
+        const entry = this.map.get(ip);
+        if (!entry || now >= entry.resetAt) {
+            this.map.set(ip, { count: 1, resetAt: now + this.windowMs });
+            return true;
+        }
+        if (entry.count >= this.maxRequests) {
+            return false;
+        }
+        entry.count++;
+        return true;
+    }
+    /**
+     * Compute Retry-After (seconds) for a rejected IP.
+     */
+    retryAfterSeconds(ip) {
+        const entry = this.map.get(ip);
+        if (!entry)
+            return 0;
+        return Math.max(0, Math.ceil((entry.resetAt - Date.now()) / 1000));
+    }
+    /**
+     * Prune stale entries from the store.
+     */
+    prune() {
+        const now = Date.now();
+        for (const [key, entry] of this.map) {
+            if (now >= entry.resetAt) {
+                this.map.delete(key);
+            }
+        }
+    }
+}
+exports.InMemoryRateLimiter = InMemoryRateLimiter;
+// ---- SESSION SECURITY ----
+/** Default session timeout: 24 hours */
+exports.DEFAULT_SESSION_TIMEOUT_MS = 24 * 60 * 60 * 1000;
+/** Absolute cap for any session lifetime regardless of extensions */
+exports.MAX_SESSION_LIFETIME_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+// ---- CUSTOM SECURITY ERROR CLASS ----
+class SecurityError extends Error {
+    constructor(message, code, statusCode) {
+        super(`[${code}] ${message}`);
+        this.code = code;
+        this.statusCode = statusCode;
+        this.name = "SecurityError";
+    }
+}
+exports.SecurityError = SecurityError;
+// ---- BODY/PAYLOAD GUARD ----
+/** Default maximum request body size: 1 MB */
+exports.DEFAULT_MAX_BODY_SIZE = 1024 * 1024;
+/**
+ * Wrap a request/stream body consumer so it stops after maxBytes.
+ * Returns the accumulated string (truncated) and a flag indicating truncation.
+ * Supports: string, browser ReadableStream, Node.js Readable.
+ */
+async function readBodyWithLimit(body, maxBytes = exports.DEFAULT_MAX_BODY_SIZE) {
+    const chunks = [];
+    let total = 0;
+    let truncated = false;
+    if (body instanceof ReadableStream) {
+        const reader = body.getReader();
+        // eslint-disable-next-line no-constant-condition
+        while (true) {
+            const { value, done } = await reader.read();
+            if (done)
+                break;
+            if (value) {
+                total += value.byteLength;
+                if (total <= maxBytes) {
+                    chunks.push(Buffer.from(value));
+                }
+                else {
+                    truncated = true;
+                    break;
+                }
+            }
+        }
+    }
+    else if (body instanceof stream_1.Readable) {
+        for await (const chunk of body) {
+            const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+            total += buf.length;
+            if (total <= maxBytes) {
+                chunks.push(buf);
+            }
+            else {
+                truncated = true;
+                body.destroy();
+                break;
+            }
+        }
+    }
+    else if (typeof body === "string") {
+        total = Buffer.byteLength(body);
+        if (total <= maxBytes) {
+            return { body, truncated: false };
+        }
+        return { body: Buffer.from(body, "utf8").slice(0, maxBytes).toString(), truncated: true };
+    }
+    return { body: Buffer.concat(chunks).toString("utf8"), truncated };
+}
+exports.readBodyWithLimit = readBodyWithLimit;
+// ---- ID VALIDATION ----
+const SESSION_ID_REGEX = /^sess_[a-f0-9]+$/;
+/**
+ * Returns true if the string looks like a valid AMTP session ID.
+ */
+function isValidSessionId(sessionId) {
+    if (!sessionId)
+        return false;
+    return SESSION_ID_REGEX.test(sessionId);
+}
+exports.isValidSessionId = isValidSessionId;
+// ---- CSRF ----
+const CSRF_HEADER = "x-amtp-csrf-token";
+/**
+ * Returns the CSRF token header name.
+ */
+function csrfHeaderName() {
+    return CSRF_HEADER;
+}
+exports.csrfHeaderName = csrfHeaderName;
+/**
+ * Returns the value for a new CSRF token.
+ * Note: The actual token-to-session binding is managed externally (see SessionManager).
+ * This generates the token value only.
+ */
+function generateCsrfToken(_sessionId) {
+    return `csrf_${secureRandomString(16)}`;
+}
+exports.generateCsrfToken = generateCsrfToken;
+/**
+ * Validate that a CSRF token is non-empty and properly formatted.
+ */
+function isValidCsrfToken(token) {
+    if (!token)
+        return false;
+    return /^csrf_[a-f0-9]{32}$/.test(token);
+}
+exports.isValidCsrfToken = isValidCsrfToken;
+// ============================================================
+// PROMPT INJECTION RESISTANCE — STRICT ACTION / FORM PARSING
+// ============================================================
+/**
+ * Strictly sanitize an action identifier.
+ * Only [A-Z0-9_] allowed, must start with letter, max 64 chars.
+ * This prevents injection of new actions, newlines, or control chars
+ * into the machine-readable action contract.
+ */
+function sanitizeActionId(raw) {
+    const trimmed = raw.trim();
+    // Fast path: already clean
+    if (/^[A-Z][A-Z0-9_]{0,63}$/i.test(trimmed)) {
+        return trimmed.toUpperCase();
+    }
+    // Relaxed path for common copy-paste (brackets + spaces only)
+    const relaxed = trimmed.replace(/[[\]\s]/g, "").toUpperCase();
+    if (/^[A-Z][A-Z0-9_]{0,63}$/.test(relaxed)) {
+        return relaxed;
+    }
+    throw new SecurityError("Invalid action identifier — must match [A-Z][A-Z0-9_]+ (no injection allowed)", "INVALID_ACTION_ID", 400);
+}
+exports.sanitizeActionId = sanitizeActionId;
+/**
+ * Strictly sanitize an endpoint path for actions/forms.
+ * Only safe path characters. No query strings, fragments, or protocol.
+ */
+function sanitizeEndpoint(raw) {
+    const trimmed = raw.trim();
+    // Reject anything containing query strings, fragments, or obvious bad chars
+    if (/[?#]/.test(trimmed) || /[<>"'\s]/.test(trimmed)) {
+        throw new SecurityError("Invalid endpoint — query strings, fragments or special chars not allowed", "INVALID_ENDPOINT", 400);
+    }
+    // Remove any protocol or host if accidentally present
+    let cleaned = trimmed.replace(/^[a-zA-Z]+:\/\/[^/]+/, "");
+    // Keep only path-safe characters
+    cleaned = cleaned.replace(/[^a-zA-Z0-9/_-]/g, "").slice(0, 256);
+    if (!/^\/[a-zA-Z0-9/_-]*$/.test(cleaned) || cleaned.length < 1) {
+        throw new SecurityError("Invalid endpoint — must be a clean path starting with /", "INVALID_ENDPOINT", 400);
+    }
+    return cleaned;
+}
+exports.sanitizeEndpoint = sanitizeEndpoint;
+/**
+ * Strictly validate and normalize HTTP method.
+ */
+function sanitizeHttpMethod(raw) {
+    const method = raw.trim().toUpperCase();
+    const allowed = ["GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"];
+    if (!allowed.includes(method)) {
+        throw new SecurityError(`Invalid HTTP method: ${raw}`, "INVALID_METHOD", 400);
+    }
+    return method;
+}
+exports.sanitizeHttpMethod = sanitizeHttpMethod;
+/**
+ * Sanitize free-text fields (descriptions, labels, help text) that will be
+ * shown to or used in prompts for LLMs/agents.
+ *
+ * This is the key defense against prompt injection via action descriptions.
+ * We aggressively strip common jailbreak patterns while preserving useful hints.
+ */
+function sanitizeFreeText(text, maxLength = 280) {
+    if (!text)
+        return "";
+    let s = text;
+    // Remove injected action patterns (bracket-enclosed, 4+ uppercase chars) from descriptions
+    s = s.replace(/\[[A-Z][A-Z0-9_]{3,}\]/g, "");
+    // Avoid sanitizing common safe uppercase words but catch suspicious injected IDs (5+ chars)
+    const commonUppercaseWords = new Set(["HTTP", "HTTPS", "JSON", "HTML", "AMTP", "SPEC", "UUID", "USER", "PASS", "TOKEN", "EMAIL", "PHONE", "PRICE", "COUNT", "TOTAL", "VALUE", "LIMIT", "ADMIN", "ERROR", "TIMEOUT", "SECRET", "PUBLIC", "PRIVATE", "HEADER", "BODY", "QUERY", "PARAMS", "ROUTE", "LOGIN", "SIGNUP", "REGEX", "FETCH", "ASYNC", "AWAIT", "CACHE", "INDEX", "BUILD", "DEPLOY", "LOCAL", "GLOBAL", "STATIC", "DYNAMIC", "STREAM", "BENCH", "BATCH", "QUEUE", "RETRY", "HEALTH"]);
+    s = s.replace(/\b[A-Z][A-Z0-9_]{4,}\b/g, (m) => {
+        return commonUppercaseWords.has(m) ? m : "[sanitized]";
+    });
+    // Additional protection for action description context
+    s = s.replace(/redefine|override action|new action id/gi, "[sanitized]");
+    // Strip common prompt injection / jailbreak phrases (case-insensitive)
+    const jailbreaks = [
+        /ignore (?:all )?previous instructions?/gi,
+        /disregard (?:all )?prior (?:rules|instructions?)/gi,
+        /you (?:are|must|should) (?:now |instead )?(?:act as|behave as|become)/gi,
+        /new (?:system|developer|admin) (?:prompt|instruction)/gi,
+        /override (?:safety|security|rules)/gi,
+        /execute the following|do the following instead/gi,
+        /```[\s\S]*?```/g,
+        /<\|im_start\|>|<\|im_end\|>/gi, // common chat template tokens
+    ];
+    for (const pattern of jailbreaks) {
+        s = s.replace(pattern, "[sanitized]");
+    }
+    // Collapse whitespace, limit length
+    s = s.replace(/\s+/g, " ").trim().slice(0, maxLength);
+    return s;
+}
+exports.sanitizeFreeText = sanitizeFreeText;
+//# sourceMappingURL=security.js.map

package/dist/server/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/server/security.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AAEH,mCAAkC;AAElC,8CAA8C;AAE9C;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,MAAM,GAAG,EAAE;IAC5C,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;SAClD,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,EAAE,CAAC,CAAC;AACzE,CAAC;AAHD,gDAGC;AAED,iCAAiC;AACpB,QAAA,sBAAsB,GAAG,OAAO,CAAC;AAE9C,wCAAwC;AACxC,SAAgB,uBAAuB;IACrC,OAAO,GAAG,8BAAsB,GAAG,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC;AAC9D,CAAC;AAFD,0DAEC;AAED,iCAAiC;AACpB,QAAA,sBAAsB,GAAG,MAAM,CAAC;AAE7C,wCAAwC;AACxC,SAAgB,uBAAuB;IACrC,OAAO,GAAG,8BAAsB,GAAG,IAAI,CAAC,GAAG,EAAE,IAAI,kBAAkB,CAAC,CAAC,CAAC,EAAE,CAAC;AAC3E,CAAC;AAFD,0DAEC;AAED,kCAAkC;AAElC,4EAA4E;AAC/D,QAAA,mBAAmB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAE9D,yDAAyD;AAC5C,QAAA,YAAY,GAAG;IAC1B,oBAAoB;IACpB,eAAe;IACf,8BAA8B;IAC9B,oBAAoB;IACpB,oBAAoB;IACpB,mBAAmB;IACnB,sBAAsB;IACtB,aAAa;IACb,oBAAoB;CACrB,CAAC;AAEF,0CAA0C;AAE1C;;;GAGG;AACH,SAAgB,WAAW,CAAC,KAAa,EAAE,OAAgB;IACzD,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAE7B,IAAI,CAAC,OAAO,EAAE;QACZ,MAAM,IAAI,aAAa,CAAC,uBAAuB,EAAE,aAAa,EAAE,GAAG,CAAC,CAAC;KACtE;IAED,IAAI,MAAW,CAAC;IAChB,IAAI;QACF,oDAAoD;QACpD,IAAI,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC7C,iDAAiD;YACjD,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;SACpC;aAAM;YACL,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;SAC3B;KACF;IAAC,MAAM;QACN,MAAM,IAAI,aAAa,CAAC,oBAAoB,OAAO,EAAE,EAAE,aAAa,EAAE,GAAG,CAAC,CAAC;KAC5E;IAED,IAAI,CAAC,2BAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,EAAE;QAC9D,MAAM,IAAI,aAAa,CACrB,0BAA0B,MAAM,CAAC,QAAQ,EAAE,EAC3C,mBAAmB,EACnB,GAAG,CACJ,CAAC;KACH;IAED,OAAO,MAAM,CAAC,QAAQ,EAAE,CAAC;AAC3B,CAAC;AA7BD,kCA6BC;AAED,+BAA+B;AAE/B;;;;GAIG;AACH,SAAgB,YAAY,CAAC,KAAa;IACxC,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,MAAM,OAAO,IAAI,oBAAY,EAAE;QAClC,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACzB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;SACxC;KACF;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAVD,oCAUC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,KAAa,EACb,UAA0E,EAAE;IAE5E,MAAM,EAAE,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,KAAK,EAAE,SAAS,GAAG,OAAO,EAAE,GAAG,OAAO,CAAC;IAC1E,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE;QAC5B,MAAM,IAAI,aAAa,CACrB,GAAG,SAAS,mBAAmB,SAAS,GAAG,EAC3C,iBAAiB,EACjB,GAAG,CACJ,CAAC;KACH;IACD,IAAI,KAAK,CAAC,MAAM,GAAG,SAAS,EAAE;QAC5B,MAAM,IAAI,aAAa,CACrB,GAAG,SAAS,kBAAkB,SAAS,GAAG,EAC1C,gBAAgB,EAChB,GAAG,CACJ,CAAC;KACH;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AApBD,8CAoBC;AAED,6BAA6B;AAE7B,0DAA0D;AAC7C,QAAA,qBAAqB,GAA2B;IAC3D,wBAAwB,EAAE,SAAS;IACnC,iBAAiB,EAAE,MAAM;IACzB,kBAAkB,EAAE,eAAe;IACnC,iBAAiB,EAAE,iCAAiC;CACrD,CAAC;AAEF,qCAAqC;AAErC;;;GAGG;AACH,MAAa,mBAAmB;IAG9B,YAAoB,QAAgB,EAAU,WAAmB;QAA7C,aAAQ,GAAR,QAAQ,CAAQ;QAAU,gBAAW,GAAX,WAAW,CAAQ;QAFzD,QAAG,GAAoD,IAAI,GAAG,EAAE,CAAC;IAEL,CAAC;IAErE;;;OAGG;IACH,KAAK,CAAC,EAAU;QACd,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAE/B,IAAI,CAAC,KAAK,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE;YAClC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC7D,OAAO,IAAI,CAAC;SACb;QAED,IAAI,KAAK,CAAC,KAAK,IAAI,IAAI,CAAC,WAAW,EAAE;YACnC,OAAO,KAAK,CAAC;SACd;QAED,KAAK,CAAC,KAAK,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,EAAU;QAC1B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAC/B,IAAI,CAAC,KAAK;YAAE,OAAO,CAAC,CAAC;QACrB,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC;IACrE,CAAC;IAED;;OAEG;IACH,KAAK;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,GAAG,EAAE;YACnC,IAAI,GAAG,IAAI,KAAK,CAAC,OAAO,EAAE;gBACxB,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;aACtB;SACF;IACH,CAAC;CACF;AA9CD,kDA8CC;AAED,6BAA6B;AAE7B,wCAAwC;AAC3B,QAAA,0BAA0B,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAC9D,qEAAqE;AACxD,QAAA,uBAAuB,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,SAAS;AAEzE,wCAAwC;AAExC,MAAa,aAAc,SAAQ,KAAK;IACtC,YACE,OAAe,EACC,IAAY,EACZ,UAAkB;QAElC,KAAK,CAAC,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAHd,SAAI,GAAJ,IAAI,CAAQ;QACZ,eAAU,GAAV,UAAU,CAAQ;QAGlC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AATD,sCASC;AAED,+BAA+B;AAE/B,8CAA8C;AACjC,QAAA,qBAAqB,GAAG,IAAI,GAAG,IAAI,CAAC;AAEjD;;;;GAIG;AACI,KAAK,UAAU,iBAAiB,CACrC,IAAS,EACT,WAAmB,6BAAqB;IAExC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,IAAI,IAAI,YAAY,cAAc,EAAE;QAClC,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChC,iDAAiD;QACjD,OAAO,IAAI,EAAE;YACX,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAEhB,IAAI,KAAK,EAAE;gBACT,KAAK,IAAI,KAAK,CAAC,UAAU,CAAC;gBAC1B,IAAI,KAAK,IAAI,QAAQ,EAAE;oBACrB,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;iBACjC;qBAAM;oBACL,SAAS,GAAG,IAAI,CAAC;oBACjB,MAAM;iBACP;aACF;SACF;KACF;SAAM,IAAI,IAAI,YAAY,iBAAQ,EAAE;QACnC,IAAI,KAAK,EAAE,MAAM,KAAK,IAAI,IAAI,EAAE;YAC9B,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChE,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC;YACpB,IAAI,KAAK,IAAI,QAAQ,EAAE;gBACrB,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;aAClB;iBAAM;gBACL,SAAS,GAAG,IAAI,CAAC;gBACjB,IAAI,CAAC,OAAO,EAAE,CAAC;gBACf,MAAM;aACP;SACF;KACF;SAAM,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE;QACnC,KAAK,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,KAAK,IAAI,QAAQ,EAAE;YACrB,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;SACnC;QACD,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;KAC3F;IAED,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,CAAC;AACrE,CAAC;AA9CD,8CA8CC;AAED,0BAA0B;AAE1B,MAAM,gBAAgB,GAAG,kBAAkB,CAAC;AAE5C;;GAEG;AACH,SAAgB,gBAAgB,CAAC,SAAoC;IACnE,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,OAAO,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;AAC1C,CAAC;AAHD,4CAGC;AAED,iBAAiB;AAEjB,MAAM,WAAW,GAAG,mBAAmB,CAAC;AAExC;;GAEG;AACH,SAAgB,cAAc;IAC5B,OAAO,WAAW,CAAC;AACrB,CAAC;AAFD,wCAEC;AAED;;;;GAIG;AACH,SAAgB,iBAAiB,CAAC,UAAkB;IAClD,OAAO,QAAQ,kBAAkB,CAAC,EAAE,CAAC,EAAE,CAAC;AAC1C,CAAC;AAFD,8CAEC;AAED;;GAEG;AACH,SAAgB,gBAAgB,CAAC,KAAgC;IAC/D,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,OAAO,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC3C,CAAC;AAHD,4CAGC;AAED,+DAA+D;AAC/D,6DAA6D;AAC7D,+DAA+D;AAE/D;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,GAAW;IAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAE3B,2BAA2B;IAC3B,IAAI,yBAAyB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC3C,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC;KAC9B;IAED,8DAA8D;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9D,IAAI,wBAAwB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC1C,OAAO,OAAO,CAAC;KAChB;IAED,MAAM,IAAI,aAAa,CACrB,+EAA+E,EAC/E,mBAAmB,EACnB,GAAG,CACJ,CAAC;AACJ,CAAC;AAnBD,4CAmBC;AAED;;;GAGG;AACH,SAAgB,gBAAgB,CAAC,GAAW;IAC1C,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAE3B,4EAA4E;IAC5E,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QACpD,MAAM,IAAI,aAAa,CACrB,0EAA0E,EAC1E,kBAAkB,EAClB,GAAG,CACJ,CAAC;KACH;IAED,sDAAsD;IACtD,IAAI,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,sBAAsB,EAAE,EAAE,CAAC,CAAC;IAE1D,iCAAiC;IACjC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAEhE,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE;QAC9D,MAAM,IAAI,aAAa,CACrB,yDAAyD,EACzD,kBAAkB,EAClB,GAAG,CACJ,CAAC;KACH;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AA1BD,4CA0BC;AAED;;GAEG;AACH,SAAgB,kBAAkB,CAAC,GAAW;IAC5C,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACxC,MAAM,OAAO,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IAC7E,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE;QAC7B,MAAM,IAAI,aAAa,CACrB,wBAAwB,GAAG,EAAE,EAC7B,gBAAgB,EAChB,GAAG,CACJ,CAAC;KACH;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAXD,gDAWC;AAED;;;;;;GAMG;AACH,SAAgB,gBAAgB,CAAC,IAAY,EAAE,SAAS,GAAG,GAAG;IAC5D,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,CAAC;IAErB,IAAI,CAAC,GAAG,IAAI,CAAC;IAEb,2FAA2F;IAC3F,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;IAC7C,4FAA4F;IAC5F,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9d,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,yBAAyB,EAAE,CAAC,CAAC,EAAE,EAAE;QAC7C,OAAO,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,uDAAuD;IACvD,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,0CAA0C,EAAE,aAAa,CAAC,CAAC;IAEzE,uEAAuE;IACvE,MAAM,UAAU,GAAG;QACjB,0CAA0C;QAC1C,oDAAoD;QACpD,yEAAyE;QACzE,yDAAyD;QACzD,sCAAsC;QACtC,kDAAkD;QAClD,iBAAiB;QACjB,+BAA+B,EAAE,8BAA8B;KAChE,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,UAAU,EAAE;QAChC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;KACvC;IAED,oCAAoC;IACpC,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAEtD,OAAO,CAAC,CAAC;AACX,CAAC;AApCD,4CAoCC"}