@anthropic-ai/sandbox-runtime 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +497 -0
- package/dist/cli.d.ts +3 -0
- package/dist/cli.d.ts.map +1 -0
- package/dist/cli.js +75 -0
- package/dist/cli.js.map +1 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -0
- package/dist/sandbox/http-proxy.d.ts +7 -0
- package/dist/sandbox/http-proxy.d.ts.map +1 -0
- package/dist/sandbox/http-proxy.js +118 -0
- package/dist/sandbox/http-proxy.js.map +1 -0
- package/dist/sandbox/linux-sandbox-utils.d.ts +60 -0
- package/dist/sandbox/linux-sandbox-utils.d.ts.map +1 -0
- package/dist/sandbox/linux-sandbox-utils.js +333 -0
- package/dist/sandbox/linux-sandbox-utils.js.map +1 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts +53 -0
- package/dist/sandbox/macos-sandbox-utils.d.ts.map +1 -0
- package/dist/sandbox/macos-sandbox-utils.js +496 -0
- package/dist/sandbox/macos-sandbox-utils.js.map +1 -0
- package/dist/sandbox/sandbox-manager.d.ts +34 -0
- package/dist/sandbox/sandbox-manager.d.ts.map +1 -0
- package/dist/sandbox/sandbox-manager.js +655 -0
- package/dist/sandbox/sandbox-manager.js.map +1 -0
- package/dist/sandbox/sandbox-schemas.d.ts +93 -0
- package/dist/sandbox/sandbox-schemas.d.ts.map +1 -0
- package/dist/sandbox/sandbox-schemas.js +231 -0
- package/dist/sandbox/sandbox-schemas.js.map +1 -0
- package/dist/sandbox/sandbox-utils.d.ts +49 -0
- package/dist/sandbox/sandbox-utils.d.ts.map +1 -0
- package/dist/sandbox/sandbox-utils.js +345 -0
- package/dist/sandbox/sandbox-utils.js.map +1 -0
- package/dist/sandbox/sandbox-violation-store.d.ts +19 -0
- package/dist/sandbox/sandbox-violation-store.d.ts.map +1 -0
- package/dist/sandbox/sandbox-violation-store.js +54 -0
- package/dist/sandbox/sandbox-violation-store.js.map +1 -0
- package/dist/sandbox/socks-proxy.d.ts +13 -0
- package/dist/sandbox/socks-proxy.d.ts.map +1 -0
- package/dist/sandbox/socks-proxy.js +95 -0
- package/dist/sandbox/socks-proxy.js.map +1 -0
- package/dist/utils/debug.d.ts +7 -0
- package/dist/utils/debug.d.ts.map +1 -0
- package/dist/utils/debug.js +22 -0
- package/dist/utils/debug.js.map +1 -0
- package/dist/utils/exec.d.ts +13 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +38 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/platform.d.ts +6 -0
- package/dist/utils/platform.d.ts.map +1 -0
- package/dist/utils/platform.js +16 -0
- package/dist/utils/platform.js.map +1 -0
- package/dist/utils/ripgrep.d.ts +16 -0
- package/dist/utils/ripgrep.d.ts.map +1 -0
- package/dist/utils/ripgrep.js +57 -0
- package/dist/utils/ripgrep.js.map +1 -0
- package/dist/utils/settings.d.ts +147 -0
- package/dist/utils/settings.d.ts.map +1 -0
- package/dist/utils/settings.js +244 -0
- package/dist/utils/settings.js.map +1 -0
- package/package.json +72 -0
|
@@ -0,0 +1,655 @@
|
|
|
1
|
+
import { createHttpProxyServer } from './http-proxy.js';
|
|
2
|
+
import { createSocksProxyServer } from './socks-proxy.js';
|
|
3
|
+
import { logForDebugging } from '../utils/debug.js';
|
|
4
|
+
import { getPlatform } from '../utils/platform.js';
|
|
5
|
+
import * as fs from 'fs';
|
|
6
|
+
import { WEB_FETCH_TOOL_NAME, FILE_EDIT_TOOL_NAME, FILE_READ_TOOL_NAME, } from '../utils/settings.js';
|
|
7
|
+
import { getSettings, permissionRuleValueFromString } from '../utils/settings.js';
|
|
8
|
+
import { wrapCommandWithSandboxLinux, initializeLinuxNetworkBridge, hasLinuxSandboxDependenciesSync, } from './linux-sandbox-utils.js';
|
|
9
|
+
import { wrapCommandWithSandboxMacOS, startMacOSSandboxLogMonitor, hasMacOSSandboxDependenciesSync, } from './macos-sandbox-utils.js';
|
|
10
|
+
import { getDefaultWritePaths, containsGlobChars, removeTrailingGlobSuffix, } from './sandbox-utils.js';
|
|
11
|
+
import { SandboxViolationStore } from './sandbox-violation-store.js';
|
|
12
|
+
import { EOL } from 'node:os';
|
|
13
|
+
// ============================================================================
|
|
14
|
+
// Private Module State
|
|
15
|
+
// ============================================================================
|
|
16
|
+
let httpProxyServer;
|
|
17
|
+
let socksProxyServer;
|
|
18
|
+
let managerContext;
|
|
19
|
+
let initializationPromise;
|
|
20
|
+
let cleanupRegistered = false;
|
|
21
|
+
let logMonitorShutdown;
|
|
22
|
+
const sandboxViolationStore = new SandboxViolationStore();
|
|
23
|
+
// ============================================================================
|
|
24
|
+
// Private Helper Functions (not exported)
|
|
25
|
+
// ============================================================================
|
|
26
|
+
function registerCleanup() {
|
|
27
|
+
if (cleanupRegistered) {
|
|
28
|
+
return;
|
|
29
|
+
}
|
|
30
|
+
const cleanupHandler = () => reset().catch(e => {
|
|
31
|
+
logForDebugging(`Cleanup failed in registerCleanup ${e}`, {
|
|
32
|
+
level: 'error',
|
|
33
|
+
});
|
|
34
|
+
});
|
|
35
|
+
process.once('exit', cleanupHandler);
|
|
36
|
+
process.once('SIGINT', cleanupHandler);
|
|
37
|
+
process.once('SIGTERM', cleanupHandler);
|
|
38
|
+
cleanupRegistered = true;
|
|
39
|
+
}
|
|
40
|
+
function getWebFetchRules(behavior) {
|
|
41
|
+
const settings = getSettings();
|
|
42
|
+
if (!settings?.permissions) {
|
|
43
|
+
return [];
|
|
44
|
+
}
|
|
45
|
+
const rulesArray = settings.permissions[behavior] || [];
|
|
46
|
+
return rulesArray.filter(ruleString => {
|
|
47
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
48
|
+
return (rule.toolName === WEB_FETCH_TOOL_NAME &&
|
|
49
|
+
rule.ruleContent?.startsWith('domain:'));
|
|
50
|
+
});
|
|
51
|
+
}
|
|
52
|
+
function matchesWebFetchRule(hostname, ruleString) {
|
|
53
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
54
|
+
if (rule.toolName !== WEB_FETCH_TOOL_NAME ||
|
|
55
|
+
!rule.ruleContent?.startsWith('domain:')) {
|
|
56
|
+
return false;
|
|
57
|
+
}
|
|
58
|
+
const domainPattern = rule.ruleContent.substring('domain:'.length);
|
|
59
|
+
// Support wildcard patterns like *.example.com
|
|
60
|
+
// This matches any subdomain but not the base domain itself
|
|
61
|
+
if (domainPattern.startsWith('*.')) {
|
|
62
|
+
const baseDomain = domainPattern.substring(2); // Remove '*.'
|
|
63
|
+
return hostname.toLowerCase().endsWith('.' + baseDomain.toLowerCase());
|
|
64
|
+
}
|
|
65
|
+
// Exact match for non-wildcard patterns
|
|
66
|
+
return hostname.toLowerCase() === domainPattern.toLowerCase();
|
|
67
|
+
}
|
|
68
|
+
function getFileEditRules(behavior) {
|
|
69
|
+
const settings = getSettings();
|
|
70
|
+
if (!settings?.permissions) {
|
|
71
|
+
return [];
|
|
72
|
+
}
|
|
73
|
+
const rulesArray = settings.permissions[behavior] || [];
|
|
74
|
+
return rulesArray.filter(ruleString => {
|
|
75
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
76
|
+
return rule.toolName === FILE_EDIT_TOOL_NAME;
|
|
77
|
+
});
|
|
78
|
+
}
|
|
79
|
+
function getFileReadRules(behavior) {
|
|
80
|
+
const settings = getSettings();
|
|
81
|
+
if (!settings?.permissions) {
|
|
82
|
+
return [];
|
|
83
|
+
}
|
|
84
|
+
const rulesArray = settings.permissions[behavior] || [];
|
|
85
|
+
// Get rules for Read tool
|
|
86
|
+
return rulesArray.filter(ruleString => {
|
|
87
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
88
|
+
return rule.toolName === FILE_READ_TOOL_NAME;
|
|
89
|
+
});
|
|
90
|
+
}
|
|
91
|
+
async function filterNetworkRequest(port, host, sandboxAskCallback) {
|
|
92
|
+
// Check WebFetch permission rules (port-agnostic, hostname only)
|
|
93
|
+
const denyRules = getWebFetchRules('deny');
|
|
94
|
+
for (const rule of denyRules) {
|
|
95
|
+
if (matchesWebFetchRule(host, rule)) {
|
|
96
|
+
logForDebugging(`Denied by WebFetch rule: ${host}:${port}`);
|
|
97
|
+
return false;
|
|
98
|
+
}
|
|
99
|
+
}
|
|
100
|
+
const allowRules = getWebFetchRules('allow');
|
|
101
|
+
for (const rule of allowRules) {
|
|
102
|
+
if (matchesWebFetchRule(host, rule)) {
|
|
103
|
+
logForDebugging(`Allowed by WebFetch rule: ${host}:${port}`);
|
|
104
|
+
return true;
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
// No matching rules - ask user or deny
|
|
108
|
+
if (!sandboxAskCallback) {
|
|
109
|
+
logForDebugging(`No matching WebFetch rule, denying: ${host}:${port}`);
|
|
110
|
+
return false;
|
|
111
|
+
}
|
|
112
|
+
logForDebugging(`No matching WebFetch rule, asking user: ${host}:${port}`);
|
|
113
|
+
try {
|
|
114
|
+
const userAllowed = await sandboxAskCallback({ host, port });
|
|
115
|
+
if (userAllowed) {
|
|
116
|
+
logForDebugging(`User allowed: ${host}:${port}`);
|
|
117
|
+
return true;
|
|
118
|
+
}
|
|
119
|
+
else {
|
|
120
|
+
logForDebugging(`User denied: ${host}:${port}`);
|
|
121
|
+
return false;
|
|
122
|
+
}
|
|
123
|
+
}
|
|
124
|
+
catch (error) {
|
|
125
|
+
logForDebugging(`Error in permission callback: ${error}`, {
|
|
126
|
+
level: 'error',
|
|
127
|
+
});
|
|
128
|
+
return false;
|
|
129
|
+
}
|
|
130
|
+
}
|
|
131
|
+
async function startHttpProxyServer(sandboxAskCallback) {
|
|
132
|
+
httpProxyServer = createHttpProxyServer({
|
|
133
|
+
filter: (port, host) => filterNetworkRequest(port, host, sandboxAskCallback),
|
|
134
|
+
});
|
|
135
|
+
return new Promise((resolve, reject) => {
|
|
136
|
+
if (!httpProxyServer) {
|
|
137
|
+
reject(new Error('HTTP proxy server undefined before listen'));
|
|
138
|
+
return;
|
|
139
|
+
}
|
|
140
|
+
const server = httpProxyServer;
|
|
141
|
+
server.once('error', reject);
|
|
142
|
+
server.once('listening', () => {
|
|
143
|
+
const address = server.address();
|
|
144
|
+
if (address && typeof address === 'object') {
|
|
145
|
+
server.unref();
|
|
146
|
+
logForDebugging(`HTTP proxy listening on localhost:${address.port}`);
|
|
147
|
+
resolve(address.port);
|
|
148
|
+
}
|
|
149
|
+
else {
|
|
150
|
+
reject(new Error('Failed to get proxy server address'));
|
|
151
|
+
}
|
|
152
|
+
});
|
|
153
|
+
server.listen(0, '127.0.0.1');
|
|
154
|
+
});
|
|
155
|
+
}
|
|
156
|
+
async function startSocksProxyServer(sandboxAskCallback) {
|
|
157
|
+
socksProxyServer = createSocksProxyServer({
|
|
158
|
+
filter: (port, host) => filterNetworkRequest(port, host, sandboxAskCallback),
|
|
159
|
+
});
|
|
160
|
+
return new Promise((resolve, reject) => {
|
|
161
|
+
if (!socksProxyServer) {
|
|
162
|
+
// This is mostly just for the typechecker
|
|
163
|
+
reject(new Error('SOCKS proxy server undefined before listen'));
|
|
164
|
+
return;
|
|
165
|
+
}
|
|
166
|
+
socksProxyServer
|
|
167
|
+
.listen(0, '127.0.0.1')
|
|
168
|
+
.then((port) => {
|
|
169
|
+
socksProxyServer?.unref();
|
|
170
|
+
resolve(port);
|
|
171
|
+
})
|
|
172
|
+
.catch(reject);
|
|
173
|
+
});
|
|
174
|
+
}
|
|
175
|
+
async function startHttpProxyOrUseExistingPort(providedPort, sandboxAskCallback) {
|
|
176
|
+
if (providedPort !== undefined) {
|
|
177
|
+
logForDebugging(`Using provided HTTP proxy port: ${providedPort}`);
|
|
178
|
+
return providedPort;
|
|
179
|
+
}
|
|
180
|
+
const port = await startHttpProxyServer(sandboxAskCallback);
|
|
181
|
+
logForDebugging(`Started HTTP proxy server on port ${port}`);
|
|
182
|
+
return port;
|
|
183
|
+
}
|
|
184
|
+
async function startSocksProxyOrUseExistingPort(providedPort, sandboxAskCallback) {
|
|
185
|
+
if (providedPort !== undefined) {
|
|
186
|
+
logForDebugging(`Using provided SOCKS proxy port: ${providedPort}`);
|
|
187
|
+
return providedPort;
|
|
188
|
+
}
|
|
189
|
+
const port = await startSocksProxyServer(sandboxAskCallback);
|
|
190
|
+
logForDebugging(`Started SOCKS proxy server on port ${port}`);
|
|
191
|
+
return port;
|
|
192
|
+
}
|
|
193
|
+
// ============================================================================
|
|
194
|
+
// Public Module Functions (will be exported via namespace)
|
|
195
|
+
// ============================================================================
|
|
196
|
+
async function initialize(sandboxAskCallback, enableLogMonitor = false) {
|
|
197
|
+
if (!isSandboxingEnabled()) {
|
|
198
|
+
return;
|
|
199
|
+
}
|
|
200
|
+
// Return if already initializing
|
|
201
|
+
if (initializationPromise) {
|
|
202
|
+
await initializationPromise;
|
|
203
|
+
return;
|
|
204
|
+
}
|
|
205
|
+
const settings = getSettings();
|
|
206
|
+
// Start log monitor for macOS if enabled and sandboxing is enabled
|
|
207
|
+
if (enableLogMonitor && getPlatform() === 'macos' && isSandboxingEnabled()) {
|
|
208
|
+
logMonitorShutdown = startMacOSSandboxLogMonitor(sandboxViolationStore.addViolation.bind(sandboxViolationStore), getIgnoreViolations());
|
|
209
|
+
logForDebugging('Started macOS sandbox log monitor');
|
|
210
|
+
}
|
|
211
|
+
// Register cleanup handlers first time
|
|
212
|
+
registerCleanup();
|
|
213
|
+
// Initialize network infrastructure
|
|
214
|
+
// Network filtering is based on WebFetch permission rules, so proxy servers
|
|
215
|
+
// must always be initialized when sandbox is enabled
|
|
216
|
+
initializationPromise = (async () => {
|
|
217
|
+
try {
|
|
218
|
+
// Check if ports are provided in settings
|
|
219
|
+
const providedHttpProxyPort = settings.sandbox?.network?.httpProxyPort;
|
|
220
|
+
const providedSocksProxyPort = settings.sandbox?.network?.socksProxyPort;
|
|
221
|
+
// Start proxy servers in parallel, using provided ports when available
|
|
222
|
+
const [httpProxyPort, socksProxyPort] = await Promise.all([
|
|
223
|
+
startHttpProxyOrUseExistingPort(providedHttpProxyPort, sandboxAskCallback),
|
|
224
|
+
startSocksProxyOrUseExistingPort(providedSocksProxyPort, sandboxAskCallback),
|
|
225
|
+
]);
|
|
226
|
+
// Initialize platform-specific infrastructure
|
|
227
|
+
let linuxBridge;
|
|
228
|
+
if (getPlatform() === 'linux') {
|
|
229
|
+
linuxBridge = await initializeLinuxNetworkBridge(httpProxyPort, socksProxyPort);
|
|
230
|
+
}
|
|
231
|
+
const context = {
|
|
232
|
+
httpProxyPort,
|
|
233
|
+
socksProxyPort,
|
|
234
|
+
linuxBridge,
|
|
235
|
+
};
|
|
236
|
+
managerContext = context;
|
|
237
|
+
logForDebugging('Network infrastructure initialized');
|
|
238
|
+
return context;
|
|
239
|
+
}
|
|
240
|
+
catch (error) {
|
|
241
|
+
// Clear state on error so initialization can be retried
|
|
242
|
+
initializationPromise = undefined;
|
|
243
|
+
managerContext = undefined;
|
|
244
|
+
reset().catch(e => {
|
|
245
|
+
logForDebugging(`Cleanup failed in initializationPromise ${e}`, {
|
|
246
|
+
level: 'error',
|
|
247
|
+
});
|
|
248
|
+
});
|
|
249
|
+
throw error;
|
|
250
|
+
}
|
|
251
|
+
})();
|
|
252
|
+
await initializationPromise;
|
|
253
|
+
}
|
|
254
|
+
function isSupportedPlatform(platform) {
|
|
255
|
+
const supportedPlatforms = ['macos', 'linux'];
|
|
256
|
+
return supportedPlatforms.includes(platform);
|
|
257
|
+
}
|
|
258
|
+
function isSandboxingEnabled() {
|
|
259
|
+
// Sandboxing is not supported on Windows
|
|
260
|
+
if (!isSupportedPlatform(getPlatform())) {
|
|
261
|
+
return false;
|
|
262
|
+
}
|
|
263
|
+
// On Linux, check if required dependencies are available
|
|
264
|
+
if (getPlatform() === 'linux' && !hasLinuxSandboxDependenciesSync()) {
|
|
265
|
+
console.error('Sandbox disabled: Required dependencies not found. Please install: bwrap, socat, and ripgrep');
|
|
266
|
+
console.error(' Install with: apt install bubblewrap socat ripgrep');
|
|
267
|
+
return false;
|
|
268
|
+
}
|
|
269
|
+
// On macOS, check if required dependencies are available
|
|
270
|
+
if (getPlatform() === 'macos' && !hasMacOSSandboxDependenciesSync()) {
|
|
271
|
+
console.error('Sandbox disabled: ripgrep (rg) not found. Please install ripgrep.');
|
|
272
|
+
console.error(' Install with: brew install ripgrep');
|
|
273
|
+
return false;
|
|
274
|
+
}
|
|
275
|
+
// Sandbox is always enabled (unless platform is not supported or dependencies are missing)
|
|
276
|
+
return true;
|
|
277
|
+
}
|
|
278
|
+
function getFsReadConfig() {
|
|
279
|
+
// Build read config from Read permission deny rules
|
|
280
|
+
const denyRules = getFileReadRules('deny');
|
|
281
|
+
const denyPaths = denyRules
|
|
282
|
+
.map(ruleString => {
|
|
283
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
284
|
+
return rule.ruleContent || null;
|
|
285
|
+
})
|
|
286
|
+
.filter((path) => path !== null)
|
|
287
|
+
.map(path => {
|
|
288
|
+
// Normalize by removing trailing /** for consistency
|
|
289
|
+
return removeTrailingGlobSuffix(path);
|
|
290
|
+
})
|
|
291
|
+
.filter(path => {
|
|
292
|
+
// On Linux, filter out glob patterns since they're not fully supported
|
|
293
|
+
// (trailing /** already removed by normalization above)
|
|
294
|
+
if (getPlatform() === 'linux') {
|
|
295
|
+
if (containsGlobChars(path)) {
|
|
296
|
+
logForDebugging(`Skipping glob pattern on Linux: ${path}`);
|
|
297
|
+
return false;
|
|
298
|
+
}
|
|
299
|
+
}
|
|
300
|
+
return true;
|
|
301
|
+
});
|
|
302
|
+
return {
|
|
303
|
+
denyOnly: denyPaths,
|
|
304
|
+
};
|
|
305
|
+
}
|
|
306
|
+
function getFsWriteConfig() {
|
|
307
|
+
// Build write config from Edit permission allow/deny rules
|
|
308
|
+
const allowRules = getFileEditRules('allow');
|
|
309
|
+
const allowPaths = allowRules
|
|
310
|
+
.map(ruleString => {
|
|
311
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
312
|
+
return rule.ruleContent || null;
|
|
313
|
+
})
|
|
314
|
+
.filter((path) => path !== null)
|
|
315
|
+
.map(path => {
|
|
316
|
+
// Normalize by removing trailing /** for consistency
|
|
317
|
+
return removeTrailingGlobSuffix(path);
|
|
318
|
+
})
|
|
319
|
+
.filter(path => {
|
|
320
|
+
// On Linux, filter out glob patterns since they're not fully supported
|
|
321
|
+
// (trailing /** already removed by normalization above)
|
|
322
|
+
if (getPlatform() === 'linux') {
|
|
323
|
+
if (containsGlobChars(path)) {
|
|
324
|
+
logForDebugging(`Skipping glob pattern on Linux: ${path}`);
|
|
325
|
+
return false;
|
|
326
|
+
}
|
|
327
|
+
}
|
|
328
|
+
return true;
|
|
329
|
+
});
|
|
330
|
+
// Get Edit deny rules - these become the denyWithinAllow paths
|
|
331
|
+
const denyRules = getFileEditRules('deny');
|
|
332
|
+
const denyPaths = denyRules
|
|
333
|
+
.map(ruleString => {
|
|
334
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
335
|
+
return rule.ruleContent || null;
|
|
336
|
+
})
|
|
337
|
+
.filter((path) => path !== null)
|
|
338
|
+
.map(path => {
|
|
339
|
+
// Normalize by removing trailing /** for consistency
|
|
340
|
+
return removeTrailingGlobSuffix(path);
|
|
341
|
+
})
|
|
342
|
+
.filter(path => {
|
|
343
|
+
// On Linux, filter out glob patterns since they're not fully supported
|
|
344
|
+
// (trailing /** already removed by normalization above)
|
|
345
|
+
if (getPlatform() === 'linux') {
|
|
346
|
+
if (containsGlobChars(path)) {
|
|
347
|
+
logForDebugging(`Skipping glob pattern on Linux: ${path}`);
|
|
348
|
+
return false;
|
|
349
|
+
}
|
|
350
|
+
}
|
|
351
|
+
return true;
|
|
352
|
+
});
|
|
353
|
+
// Build allowOnly list: default paths + Edit allow rules
|
|
354
|
+
const allowOnly = [...getDefaultWritePaths(), ...allowPaths];
|
|
355
|
+
return {
|
|
356
|
+
allowOnly,
|
|
357
|
+
denyWithinAllow: denyPaths,
|
|
358
|
+
};
|
|
359
|
+
}
|
|
360
|
+
function getNetworkRestrictionConfig() {
|
|
361
|
+
// Build network config from WebFetch permission allow/deny rules
|
|
362
|
+
const allowRules = getWebFetchRules('allow');
|
|
363
|
+
const allowedHosts = allowRules
|
|
364
|
+
.map(ruleString => {
|
|
365
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
366
|
+
// Extract domain from "domain:example.com" format
|
|
367
|
+
if (rule.ruleContent?.startsWith('domain:')) {
|
|
368
|
+
return rule.ruleContent.substring('domain:'.length);
|
|
369
|
+
}
|
|
370
|
+
return null;
|
|
371
|
+
})
|
|
372
|
+
.filter((host) => host !== null);
|
|
373
|
+
const denyRules = getWebFetchRules('deny');
|
|
374
|
+
const deniedHosts = denyRules
|
|
375
|
+
.map(ruleString => {
|
|
376
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
377
|
+
// Extract domain from "domain:example.com" format
|
|
378
|
+
if (rule.ruleContent?.startsWith('domain:')) {
|
|
379
|
+
return rule.ruleContent.substring('domain:'.length);
|
|
380
|
+
}
|
|
381
|
+
return null;
|
|
382
|
+
})
|
|
383
|
+
.filter((host) => host !== null);
|
|
384
|
+
return {
|
|
385
|
+
...(allowedHosts.length > 0 && { allowedHosts }),
|
|
386
|
+
...(deniedHosts.length > 0 && { deniedHosts }),
|
|
387
|
+
};
|
|
388
|
+
}
|
|
389
|
+
function getAllowUnixSockets() {
|
|
390
|
+
const settings = getSettings();
|
|
391
|
+
return settings.sandbox?.network?.allowUnixSockets;
|
|
392
|
+
}
|
|
393
|
+
function getAllowLocalBinding() {
|
|
394
|
+
const settings = getSettings();
|
|
395
|
+
return settings.sandbox?.network?.allowLocalBinding;
|
|
396
|
+
}
|
|
397
|
+
function getIgnoreViolations() {
|
|
398
|
+
const settings = getSettings();
|
|
399
|
+
return settings.sandbox?.ignoreViolations;
|
|
400
|
+
}
|
|
401
|
+
function getEnableWeakerNestedSandbox() {
|
|
402
|
+
const settings = getSettings();
|
|
403
|
+
return settings.sandbox?.enableWeakerNestedSandbox;
|
|
404
|
+
}
|
|
405
|
+
function getProxyPort() {
|
|
406
|
+
return managerContext?.httpProxyPort;
|
|
407
|
+
}
|
|
408
|
+
function getSocksProxyPort() {
|
|
409
|
+
return managerContext?.socksProxyPort;
|
|
410
|
+
}
|
|
411
|
+
function getLinuxHttpSocketPath() {
|
|
412
|
+
return managerContext?.linuxBridge?.httpSocketPath;
|
|
413
|
+
}
|
|
414
|
+
function getLinuxSocksSocketPath() {
|
|
415
|
+
return managerContext?.linuxBridge?.socksSocketPath;
|
|
416
|
+
}
|
|
417
|
+
/**
|
|
418
|
+
* Wait for network initialization to complete if already in progress
|
|
419
|
+
* Returns true if initialized successfully, false otherwise
|
|
420
|
+
*/
|
|
421
|
+
async function waitForNetworkInitialization() {
|
|
422
|
+
if (!isSandboxingEnabled()) {
|
|
423
|
+
return false;
|
|
424
|
+
}
|
|
425
|
+
if (initializationPromise) {
|
|
426
|
+
try {
|
|
427
|
+
await initializationPromise;
|
|
428
|
+
return true;
|
|
429
|
+
}
|
|
430
|
+
catch {
|
|
431
|
+
return false;
|
|
432
|
+
}
|
|
433
|
+
}
|
|
434
|
+
return managerContext !== undefined;
|
|
435
|
+
}
|
|
436
|
+
async function wrapWithSandbox(command) {
|
|
437
|
+
// If no sandboxing is enabled, return command as-is
|
|
438
|
+
if (!isSandboxingEnabled()) {
|
|
439
|
+
return command;
|
|
440
|
+
}
|
|
441
|
+
const platform = getPlatform();
|
|
442
|
+
const isSandboxed = isSandboxingEnabled();
|
|
443
|
+
// Wait for network initialization if needed
|
|
444
|
+
if (isSandboxed) {
|
|
445
|
+
await waitForNetworkInitialization();
|
|
446
|
+
}
|
|
447
|
+
switch (platform) {
|
|
448
|
+
case 'macos':
|
|
449
|
+
return await wrapCommandWithSandboxMacOS({
|
|
450
|
+
command,
|
|
451
|
+
httpProxyPort: getProxyPort(),
|
|
452
|
+
socksProxyPort: getSocksProxyPort(),
|
|
453
|
+
readConfig: getFsReadConfig(),
|
|
454
|
+
writeConfig: getFsWriteConfig(),
|
|
455
|
+
needsNetworkRestriction: true,
|
|
456
|
+
allowUnixSockets: getAllowUnixSockets(),
|
|
457
|
+
allowLocalBinding: getAllowLocalBinding(),
|
|
458
|
+
ignoreViolations: getIgnoreViolations(),
|
|
459
|
+
});
|
|
460
|
+
case 'linux':
|
|
461
|
+
return wrapCommandWithSandboxLinux({
|
|
462
|
+
command,
|
|
463
|
+
hasNetworkRestrictions: true,
|
|
464
|
+
hasFilesystemRestrictions: true,
|
|
465
|
+
httpSocketPath: getLinuxHttpSocketPath(),
|
|
466
|
+
socksSocketPath: getLinuxSocksSocketPath(),
|
|
467
|
+
httpProxyPort: managerContext?.httpProxyPort,
|
|
468
|
+
socksProxyPort: managerContext?.socksProxyPort,
|
|
469
|
+
readConfig: getFsReadConfig(),
|
|
470
|
+
writeConfig: getFsWriteConfig(),
|
|
471
|
+
enableWeakerNestedSandbox: getEnableWeakerNestedSandbox(),
|
|
472
|
+
});
|
|
473
|
+
default:
|
|
474
|
+
// Unsupported platform - this should not happen since isSandboxingEnabled() checks platform support
|
|
475
|
+
throw new Error(`Sandbox configuration is not supported on platform: ${platform}`);
|
|
476
|
+
}
|
|
477
|
+
}
|
|
478
|
+
async function reset() {
|
|
479
|
+
// Stop log monitor
|
|
480
|
+
if (logMonitorShutdown) {
|
|
481
|
+
logMonitorShutdown();
|
|
482
|
+
logMonitorShutdown = undefined;
|
|
483
|
+
}
|
|
484
|
+
if (managerContext?.linuxBridge) {
|
|
485
|
+
const { httpSocketPath, socksSocketPath, httpBridgeProcess, socksBridgeProcess, } = managerContext.linuxBridge;
|
|
486
|
+
// Kill HTTP bridge
|
|
487
|
+
if (httpBridgeProcess.pid && !httpBridgeProcess.killed) {
|
|
488
|
+
try {
|
|
489
|
+
process.kill(httpBridgeProcess.pid, 'SIGTERM');
|
|
490
|
+
logForDebugging('Killed HTTP bridge process');
|
|
491
|
+
}
|
|
492
|
+
catch (err) {
|
|
493
|
+
if (err.code !== 'ESRCH') {
|
|
494
|
+
logForDebugging(`Error killing HTTP bridge: ${err}`, {
|
|
495
|
+
level: 'error',
|
|
496
|
+
});
|
|
497
|
+
}
|
|
498
|
+
}
|
|
499
|
+
}
|
|
500
|
+
// Kill SOCKS bridge
|
|
501
|
+
if (socksBridgeProcess.pid && !socksBridgeProcess.killed) {
|
|
502
|
+
try {
|
|
503
|
+
process.kill(socksBridgeProcess.pid, 'SIGTERM');
|
|
504
|
+
logForDebugging('Killed SOCKS bridge process');
|
|
505
|
+
}
|
|
506
|
+
catch (err) {
|
|
507
|
+
if (err.code !== 'ESRCH') {
|
|
508
|
+
logForDebugging(`Error killing SOCKS bridge: ${err}`, {
|
|
509
|
+
level: 'error',
|
|
510
|
+
});
|
|
511
|
+
}
|
|
512
|
+
}
|
|
513
|
+
}
|
|
514
|
+
// Clean up sockets
|
|
515
|
+
if (httpSocketPath) {
|
|
516
|
+
try {
|
|
517
|
+
fs.rmSync(httpSocketPath, { force: true });
|
|
518
|
+
logForDebugging('Cleaned up HTTP socket');
|
|
519
|
+
}
|
|
520
|
+
catch (err) {
|
|
521
|
+
logForDebugging(`HTTP socket cleanup error: ${err}`, {
|
|
522
|
+
level: 'error',
|
|
523
|
+
});
|
|
524
|
+
}
|
|
525
|
+
}
|
|
526
|
+
if (socksSocketPath) {
|
|
527
|
+
try {
|
|
528
|
+
fs.rmSync(socksSocketPath, { force: true });
|
|
529
|
+
logForDebugging('Cleaned up SOCKS socket');
|
|
530
|
+
}
|
|
531
|
+
catch (err) {
|
|
532
|
+
logForDebugging(`SOCKS socket cleanup error: ${err}`, {
|
|
533
|
+
level: 'error',
|
|
534
|
+
});
|
|
535
|
+
}
|
|
536
|
+
}
|
|
537
|
+
}
|
|
538
|
+
// Close servers in parallel
|
|
539
|
+
const closePromises = [];
|
|
540
|
+
if (httpProxyServer) {
|
|
541
|
+
const server = httpProxyServer; // Capture reference to avoid TypeScript error
|
|
542
|
+
const httpClose = new Promise(resolve => {
|
|
543
|
+
server.close(error => {
|
|
544
|
+
if (error && error.message !== 'Server is not running.') {
|
|
545
|
+
logForDebugging(`Error closing HTTP proxy server: ${error.message}`, {
|
|
546
|
+
level: 'error',
|
|
547
|
+
});
|
|
548
|
+
}
|
|
549
|
+
resolve();
|
|
550
|
+
});
|
|
551
|
+
});
|
|
552
|
+
closePromises.push(httpClose);
|
|
553
|
+
}
|
|
554
|
+
if (socksProxyServer) {
|
|
555
|
+
const socksClose = socksProxyServer.close().catch((error) => {
|
|
556
|
+
logForDebugging(`Error closing SOCKS proxy server: ${error.message}`, {
|
|
557
|
+
level: 'error',
|
|
558
|
+
});
|
|
559
|
+
});
|
|
560
|
+
closePromises.push(socksClose);
|
|
561
|
+
}
|
|
562
|
+
// Wait for all servers to close
|
|
563
|
+
await Promise.all(closePromises);
|
|
564
|
+
// Clear references
|
|
565
|
+
httpProxyServer = undefined;
|
|
566
|
+
socksProxyServer = undefined;
|
|
567
|
+
managerContext = undefined;
|
|
568
|
+
initializationPromise = undefined;
|
|
569
|
+
}
|
|
570
|
+
function getSandboxViolationStore() {
|
|
571
|
+
return sandboxViolationStore;
|
|
572
|
+
}
|
|
573
|
+
function annotateStderrWithSandboxFailures(command, stderr) {
|
|
574
|
+
if (!isSandboxingEnabled()) {
|
|
575
|
+
return stderr;
|
|
576
|
+
}
|
|
577
|
+
const violations = sandboxViolationStore.getViolationsForCommand(command);
|
|
578
|
+
if (violations.length === 0) {
|
|
579
|
+
return stderr;
|
|
580
|
+
}
|
|
581
|
+
let annotated = stderr;
|
|
582
|
+
annotated += EOL + '<sandbox_violations>' + EOL;
|
|
583
|
+
for (const violation of violations) {
|
|
584
|
+
annotated += violation.line + EOL;
|
|
585
|
+
}
|
|
586
|
+
annotated += '</sandbox_violations>';
|
|
587
|
+
return annotated;
|
|
588
|
+
}
|
|
589
|
+
/**
|
|
590
|
+
* Returns glob patterns from Edit/Read permission rules that are not
|
|
591
|
+
* fully supported on Linux. Returns empty array on macOS or when
|
|
592
|
+
* sandboxing is disabled.
|
|
593
|
+
*
|
|
594
|
+
* Patterns ending with /** are excluded since they work as subpaths.
|
|
595
|
+
*/
|
|
596
|
+
function getLinuxGlobPatternWarnings() {
|
|
597
|
+
// Only warn on Linux with sandboxing enabled
|
|
598
|
+
// macOS supports glob patterns via regex conversion
|
|
599
|
+
if (getPlatform() !== 'linux' || !isSandboxingEnabled()) {
|
|
600
|
+
return [];
|
|
601
|
+
}
|
|
602
|
+
const settings = getSettings();
|
|
603
|
+
if (!settings?.permissions) {
|
|
604
|
+
return [];
|
|
605
|
+
}
|
|
606
|
+
const globPatterns = [];
|
|
607
|
+
// Check allow and deny rules for glob patterns
|
|
608
|
+
for (const behavior of ['allow', 'deny']) {
|
|
609
|
+
const rules = settings.permissions[behavior] || [];
|
|
610
|
+
for (const ruleString of rules) {
|
|
611
|
+
const rule = permissionRuleValueFromString(ruleString);
|
|
612
|
+
// Only check Edit and Read rules (file operations)
|
|
613
|
+
if ((rule.toolName === 'Edit' || rule.toolName === 'Read') &&
|
|
614
|
+
rule.ruleContent) {
|
|
615
|
+
// Strip trailing /** since that's just a subpath (directory and everything under it)
|
|
616
|
+
const pathWithoutTrailingStar = removeTrailingGlobSuffix(rule.ruleContent);
|
|
617
|
+
// Only warn if there are still glob characters after removing trailing /**
|
|
618
|
+
if (containsGlobChars(pathWithoutTrailingStar)) {
|
|
619
|
+
globPatterns.push(ruleString);
|
|
620
|
+
}
|
|
621
|
+
}
|
|
622
|
+
}
|
|
623
|
+
}
|
|
624
|
+
return globPatterns;
|
|
625
|
+
}
|
|
626
|
+
// ============================================================================
|
|
627
|
+
// Export as Namespace with Interface
|
|
628
|
+
// ============================================================================
|
|
629
|
+
/**
|
|
630
|
+
* Global sandbox manager that handles both network and filesystem restrictions
|
|
631
|
+
* for this session. This runs outside of the sandbox, on the host machine.
|
|
632
|
+
*/
|
|
633
|
+
export const SandboxManager = {
|
|
634
|
+
initialize,
|
|
635
|
+
isSupportedPlatform,
|
|
636
|
+
isSandboxingEnabled,
|
|
637
|
+
getFsReadConfig,
|
|
638
|
+
getFsWriteConfig,
|
|
639
|
+
getNetworkRestrictionConfig,
|
|
640
|
+
getAllowUnixSockets,
|
|
641
|
+
getAllowLocalBinding,
|
|
642
|
+
getIgnoreViolations,
|
|
643
|
+
getEnableWeakerNestedSandbox,
|
|
644
|
+
getProxyPort,
|
|
645
|
+
getSocksProxyPort,
|
|
646
|
+
getLinuxHttpSocketPath,
|
|
647
|
+
getLinuxSocksSocketPath,
|
|
648
|
+
waitForNetworkInitialization,
|
|
649
|
+
wrapWithSandbox,
|
|
650
|
+
reset,
|
|
651
|
+
getSandboxViolationStore,
|
|
652
|
+
annotateStderrWithSandboxFailures,
|
|
653
|
+
getLinuxGlobPatternWarnings,
|
|
654
|
+
};
|
|
655
|
+
//# sourceMappingURL=sandbox-manager.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sandbox-manager.js","sourceRoot":"","sources":["../../src/sandbox/sandbox-manager.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAA;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAA;AAEzD,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAA;AACnD,OAAO,EAAE,WAAW,EAAiB,MAAM,sBAAsB,CAAA;AACjE,OAAO,KAAK,EAAE,MAAM,IAAI,CAAA;AACxB,OAAO,EACL,mBAAmB,EACnB,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,sBAAsB,CAAA;AAC7B,OAAO,EAAE,WAAW,EAAE,6BAA6B,EAAE,MAAM,sBAAsB,CAAA;AAQjF,OAAO,EACL,2BAA2B,EAC3B,4BAA4B,EAC5B,+BAA+B,GAEhC,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,2BAA2B,EAC3B,2BAA2B,EAC3B,+BAA+B,GAChC,MAAM,0BAA0B,CAAA;AACjC,OAAO,EACL,oBAAoB,EACpB,iBAAiB,EACjB,wBAAwB,GACzB,MAAM,oBAAoB,CAAA;AAC3B,OAAO,EAAE,qBAAqB,EAAE,MAAM,8BAA8B,CAAA;AACpE,OAAO,EAAE,GAAG,EAAE,MAAM,SAAS,CAAA;AAQ7B,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E,IAAI,eAAqE,CAAA;AACzE,IAAI,gBAA+C,CAAA;AACnD,IAAI,cAAqD,CAAA;AACzD,IAAI,qBAAqE,CAAA;AACzE,IAAI,iBAAiB,GAAG,KAAK,CAAA;AAC7B,IAAI,kBAA4C,CAAA;AAChD,MAAM,qBAAqB,GAAG,IAAI,qBAAqB,EAAE,CAAA;AAEzD,+EAA+E;AAC/E,0CAA0C;AAC1C,+EAA+E;AAE/E,SAAS,eAAe;IACtB,IAAI,iBAAiB,EAAE,CAAC;QACtB,OAAM;IACR,CAAC;IACD,MAAM,cAAc,GAAG,GAAG,EAAE,CAC1B,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;QAChB,eAAe,CAAC,qCAAqC,CAAC,EAAE,EAAE;YACxD,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IACJ,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;IACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAA;IACtC,OAAO,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAA;IACvC,iBAAiB,GAAG,IAAI,CAAA;AAC1B,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAkC;IAC1D,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IAEvD,OAAO,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE;QACpC,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,CACL,IAAI,CAAC,QAAQ,KAAK,mBAAmB;YACrC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,CACxC,CAAA;IACH,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAgB,EAAE,UAAkB;IAC/D,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;IACtD,IACE,IAAI,CAAC,QAAQ,KAAK,mBAAmB;QACrC,CAAC,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,EACxC,CAAC;QACD,OAAO,KAAK,CAAA;IACd,CAAC;IACD,MAAM,aAAa,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;IAElE,+CAA+C;IAC/C,4DAA4D;IAC5D,IAAI,aAAa,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACnC,MAAM,UAAU,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAA,CAAC,cAAc;QAC5D,OAAO,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,GAAG,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC,CAAA;IACxE,CAAC;IAED,wCAAwC;IACxC,OAAO,QAAQ,CAAC,WAAW,EAAE,KAAK,aAAa,CAAC,WAAW,EAAE,CAAA;AAC/D,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAkC;IAC1D,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IAEvD,OAAO,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE;QACpC,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,QAAQ,KAAK,mBAAmB,CAAA;IAC9C,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,QAAkC;IAC1D,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,UAAU,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;IAEvD,0BAA0B;IAC1B,OAAO,UAAU,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE;QACpC,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,QAAQ,KAAK,mBAAmB,CAAA;IAC9C,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,IAAY,EACZ,IAAY,EACZ,kBAAuC;IAEvC,iEAAiE;IACjE,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAC1C,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YACpC,eAAe,CAAC,4BAA4B,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAC3D,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC5C,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;QAC9B,IAAI,mBAAmB,CAAC,IAAI,EAAE,IAAI,CAAC,EAAE,CAAC;YACpC,eAAe,CAAC,6BAA6B,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAC5D,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,eAAe,CAAC,uCAAuC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;QACtE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,eAAe,CAAC,2CAA2C,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;IAC1E,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,MAAM,kBAAkB,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,CAAA;QAC5D,IAAI,WAAW,EAAE,CAAC;YAChB,eAAe,CAAC,iBAAiB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAChD,OAAO,IAAI,CAAA;QACb,CAAC;aAAM,CAAC;YACN,eAAe,CAAC,gBAAgB,IAAI,IAAI,IAAI,EAAE,CAAC,CAAA;YAC/C,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,iCAAiC,KAAK,EAAE,EAAE;YACxD,KAAK,EAAE,OAAO;SACf,CAAC,CAAA;QACF,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,oBAAoB,CACjC,kBAAuC;IAEvC,eAAe,GAAG,qBAAqB,CAAC;QACtC,MAAM,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CACrC,oBAAoB,CAAC,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC;KACvD,CAAC,CAAA;IAEF,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC,CAAA;YAC9D,OAAM;QACR,CAAC;QAED,MAAM,MAAM,GAAG,eAAe,CAAA;QAE9B,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;QAC5B,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,EAAE;YAC5B,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAA;YAChC,IAAI,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAC3C,MAAM,CAAC,KAAK,EAAE,CAAA;gBACd,eAAe,CAAC,qCAAqC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAA;gBACpE,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;YACvB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC,CAAA;YACzD,CAAC;QACH,CAAC,CAAC,CAAA;QAEF,MAAM,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,CAAA;IAC/B,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,qBAAqB,CAClC,kBAAuC;IAEvC,gBAAgB,GAAG,sBAAsB,CAAC;QACxC,MAAM,EAAE,CAAC,IAAY,EAAE,IAAY,EAAE,EAAE,CACrC,oBAAoB,CAAC,IAAI,EAAE,IAAI,EAAE,kBAAkB,CAAC;KACvD,CAAC,CAAA;IAEF,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,0CAA0C;YAC1C,MAAM,CAAC,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC,CAAA;YAC/D,OAAM;QACR,CAAC;QAED,gBAAgB;aACb,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC;aACtB,IAAI,CAAC,CAAC,IAAY,EAAE,EAAE;YACrB,gBAAgB,EAAE,KAAK,EAAE,CAAA;YACzB,OAAO,CAAC,IAAI,CAAC,CAAA;QACf,CAAC,CAAC;aACD,KAAK,CAAC,MAAM,CAAC,CAAA;IAClB,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,KAAK,UAAU,+BAA+B,CAC5C,YAAgC,EAChC,kBAAuC;IAEvC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,eAAe,CAAC,mCAAmC,YAAY,EAAE,CAAC,CAAA;QAClE,OAAO,YAAY,CAAA;IACrB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,oBAAoB,CAAC,kBAAkB,CAAC,CAAA;IAC3D,eAAe,CAAC,qCAAqC,IAAI,EAAE,CAAC,CAAA;IAC5D,OAAO,IAAI,CAAA;AACb,CAAC;AAED,KAAK,UAAU,gCAAgC,CAC7C,YAAgC,EAChC,kBAAuC;IAEvC,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;QAC/B,eAAe,CAAC,oCAAoC,YAAY,EAAE,CAAC,CAAA;QACnE,OAAO,YAAY,CAAA;IACrB,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,qBAAqB,CAAC,kBAAkB,CAAC,CAAA;IAC5D,eAAe,CAAC,sCAAsC,IAAI,EAAE,CAAC,CAAA;IAC7D,OAAO,IAAI,CAAA;AACb,CAAC;AAED,+EAA+E;AAC/E,2DAA2D;AAC3D,+EAA+E;AAE/E,KAAK,UAAU,UAAU,CACvB,kBAAuC,EACvC,gBAAgB,GAAG,KAAK;IAExB,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC3B,OAAM;IACR,CAAC;IAED,iCAAiC;IACjC,IAAI,qBAAqB,EAAE,CAAC;QAC1B,MAAM,qBAAqB,CAAA;QAC3B,OAAM;IACR,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAE9B,mEAAmE;IACnE,IAAI,gBAAgB,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,mBAAmB,EAAE,EAAE,CAAC;QAC3E,kBAAkB,GAAG,2BAA2B,CAC9C,qBAAqB,CAAC,YAAY,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAC9D,mBAAmB,EAAE,CACtB,CAAA;QACD,eAAe,CAAC,mCAAmC,CAAC,CAAA;IACtD,CAAC;IAED,uCAAuC;IACvC,eAAe,EAAE,CAAA;IAEjB,oCAAoC;IACpC,4EAA4E;IAC5E,qDAAqD;IACrD,qBAAqB,GAAG,CAAC,KAAK,IAAI,EAAE;QAClC,IAAI,CAAC;YACH,0CAA0C;YAC1C,MAAM,qBAAqB,GAAG,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,aAAa,CAAA;YACtE,MAAM,sBAAsB,GAAG,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,CAAA;YAExE,uEAAuE;YACvE,MAAM,CAAC,aAAa,EAAE,cAAc,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACxD,+BAA+B,CAC7B,qBAAqB,EACrB,kBAAkB,CACnB;gBACD,gCAAgC,CAC9B,sBAAsB,EACtB,kBAAkB,CACnB;aACF,CAAC,CAAA;YAEF,8CAA8C;YAC9C,IAAI,WAAkD,CAAA;YACtD,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;gBAC9B,WAAW,GAAG,MAAM,4BAA4B,CAC9C,aAAa,EACb,cAAc,CACf,CAAA;YACH,CAAC;YAED,MAAM,OAAO,GAA8B;gBACzC,aAAa;gBACb,cAAc;gBACd,WAAW;aACZ,CAAA;YACD,cAAc,GAAG,OAAO,CAAA;YACxB,eAAe,CAAC,oCAAoC,CAAC,CAAA;YACrD,OAAO,OAAO,CAAA;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,wDAAwD;YACxD,qBAAqB,GAAG,SAAS,CAAA;YACjC,cAAc,GAAG,SAAS,CAAA;YAC1B,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;gBAChB,eAAe,CAAC,2CAA2C,CAAC,EAAE,EAAE;oBAC9D,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC,CAAC,CAAA;YACF,MAAM,KAAK,CAAA;QACb,CAAC;IACH,CAAC,CAAC,EAAE,CAAA;IAEJ,MAAM,qBAAqB,CAAA;AAC7B,CAAC;AAED,SAAS,mBAAmB,CAAC,QAAkB;IAC7C,MAAM,kBAAkB,GAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;IACzD,OAAO,kBAAkB,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,mBAAmB;IAC1B,yCAAyC;IACzC,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACxC,OAAO,KAAK,CAAA;IACd,CAAC;IAED,yDAAyD;IACzD,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,CAAC,+BAA+B,EAAE,EAAE,CAAC;QACpE,OAAO,CAAC,KAAK,CACX,8FAA8F,CAC/F,CAAA;QACD,OAAO,CAAC,KAAK,CAAC,sDAAsD,CAAC,CAAA;QACrE,OAAO,KAAK,CAAA;IACd,CAAC;IAED,yDAAyD;IACzD,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,CAAC,+BAA+B,EAAE,EAAE,CAAC;QACpE,OAAO,CAAC,KAAK,CACX,mEAAmE,CACpE,CAAA;QACD,OAAO,CAAC,KAAK,CAAC,sCAAsC,CAAC,CAAA;QACrD,OAAO,KAAK,CAAA;IACd,CAAC;IAED,2FAA2F;IAC3F,OAAO,IAAI,CAAA;AACb,CAAC;AAGD,SAAS,eAAe;IACtB,oDAAoD;IACpD,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAE1C,MAAM,SAAS,GAAG,SAAS;SACxB,GAAG,CAAC,UAAU,CAAC,EAAE;QAChB,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAA;IACjC,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC;SAC/C,GAAG,CAAC,IAAI,CAAC,EAAE;QACV,qDAAqD;QACrD,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAA;IACvC,CAAC,CAAC;SACD,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,uEAAuE;QACvE,wDAAwD;QACxD,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;gBAC1D,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,OAAO;QACL,QAAQ,EAAE,SAAS;KACpB,CAAA;AACH,CAAC;AAED,SAAS,gBAAgB;IACvB,2DAA2D;IAC3D,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC5C,MAAM,UAAU,GAAG,UAAU;SAC1B,GAAG,CAAC,UAAU,CAAC,EAAE;QAChB,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAA;IACjC,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC;SAC/C,GAAG,CAAC,IAAI,CAAC,EAAE;QACV,qDAAqD;QACrD,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAA;IACvC,CAAC,CAAC;SACD,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,uEAAuE;QACvE,wDAAwD;QACxD,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;gBAC1D,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,+DAA+D;IAC/D,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAC1C,MAAM,SAAS,GAAG,SAAS;SACxB,GAAG,CAAC,UAAU,CAAC,EAAE;QAChB,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,OAAO,IAAI,CAAC,WAAW,IAAI,IAAI,CAAA;IACjC,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC;SAC/C,GAAG,CAAC,IAAI,CAAC,EAAE;QACV,qDAAqD;QACrD,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAA;IACvC,CAAC,CAAC;SACD,MAAM,CAAC,IAAI,CAAC,EAAE;QACb,uEAAuE;QACvE,wDAAwD;QACxD,IAAI,WAAW,EAAE,KAAK,OAAO,EAAE,CAAC;YAC9B,IAAI,iBAAiB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC5B,eAAe,CAAC,mCAAmC,IAAI,EAAE,CAAC,CAAA;gBAC1D,OAAO,KAAK,CAAA;YACd,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC,CAAA;IAEJ,yDAAyD;IACzD,MAAM,SAAS,GAAG,CAAC,GAAG,oBAAoB,EAAE,EAAE,GAAG,UAAU,CAAC,CAAA;IAE5D,OAAO;QACL,SAAS;QACT,eAAe,EAAE,SAAS;KAC3B,CAAA;AACH,CAAC;AAED,SAAS,2BAA2B;IAClC,iEAAiE;IACjE,MAAM,UAAU,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC5C,MAAM,YAAY,GAAG,UAAU;SAC5B,GAAG,CAAC,UAAU,CAAC,EAAE;QAChB,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,kDAAkD;QAClD,IAAI,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;QACrD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;IAElD,MAAM,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAA;IAC1C,MAAM,WAAW,GAAG,SAAS;SAC1B,GAAG,CAAC,UAAU,CAAC,EAAE;QAChB,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;QACtD,kDAAkD;QAClD,IAAI,IAAI,CAAC,WAAW,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5C,OAAO,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAA;QACrD,CAAC;QACD,OAAO,IAAI,CAAA;IACb,CAAC,CAAC;SACD,MAAM,CAAC,CAAC,IAAI,EAAkB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAA;IAElD,OAAO;QACL,GAAG,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;QAChD,GAAG,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,CAAC;KAC/C,CAAA;AACH,CAAC;AAED,SAAS,mBAAmB;IAC1B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,OAAO,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,gBAAgB,CAAA;AACpD,CAAC;AAED,SAAS,oBAAoB;IAC3B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,OAAO,QAAQ,CAAC,OAAO,EAAE,OAAO,EAAE,iBAAiB,CAAA;AACrD,CAAC;AAED,SAAS,mBAAmB;IAC1B,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,OAAO,QAAQ,CAAC,OAAO,EAAE,gBAAgB,CAAA;AAC3C,CAAC;AAED,SAAS,4BAA4B;IACnC,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,OAAO,QAAQ,CAAC,OAAO,EAAE,yBAAyB,CAAA;AACpD,CAAC;AAED,SAAS,YAAY;IACnB,OAAO,cAAc,EAAE,aAAa,CAAA;AACtC,CAAC;AAED,SAAS,iBAAiB;IACxB,OAAO,cAAc,EAAE,cAAc,CAAA;AACvC,CAAC;AAED,SAAS,sBAAsB;IAC7B,OAAO,cAAc,EAAE,WAAW,EAAE,cAAc,CAAA;AACpD,CAAC;AAED,SAAS,uBAAuB;IAC9B,OAAO,cAAc,EAAE,WAAW,EAAE,eAAe,CAAA;AACrD,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,4BAA4B;IACzC,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC3B,OAAO,KAAK,CAAA;IACd,CAAC;IACD,IAAI,qBAAqB,EAAE,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,qBAAqB,CAAA;YAC3B,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IACD,OAAO,cAAc,KAAK,SAAS,CAAA;AACrC,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAe;IAC5C,oDAAoD;IACpD,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,MAAM,WAAW,GAAG,mBAAmB,EAAE,CAAA;IAEzC,4CAA4C;IAC5C,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,4BAA4B,EAAE,CAAA;IACtC,CAAC;IAED,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,OAAO;YACV,OAAO,MAAM,2BAA2B,CAAC;gBACvC,OAAO;gBACP,aAAa,EAAE,YAAY,EAAE;gBAC7B,cAAc,EAAE,iBAAiB,EAAE;gBACnC,UAAU,EAAE,eAAe,EAAE;gBAC7B,WAAW,EAAE,gBAAgB,EAAE;gBAC/B,uBAAuB,EAAE,IAAI;gBAC7B,gBAAgB,EAAE,mBAAmB,EAAE;gBACvC,iBAAiB,EAAE,oBAAoB,EAAE;gBACzC,gBAAgB,EAAE,mBAAmB,EAAE;aACxC,CAAC,CAAA;QAEJ,KAAK,OAAO;YACV,OAAO,2BAA2B,CAAC;gBACjC,OAAO;gBACP,sBAAsB,EAAE,IAAI;gBAC5B,yBAAyB,EAAE,IAAI;gBAC/B,cAAc,EAAE,sBAAsB,EAAE;gBACxC,eAAe,EAAE,uBAAuB,EAAE;gBAC1C,aAAa,EAAE,cAAc,EAAE,aAAa;gBAC5C,cAAc,EAAE,cAAc,EAAE,cAAc;gBAC9C,UAAU,EAAE,eAAe,EAAE;gBAC7B,WAAW,EAAE,gBAAgB,EAAE;gBAC/B,yBAAyB,EAAE,4BAA4B,EAAE;aAC1D,CAAC,CAAA;QAEJ;YACE,oGAAoG;YACpG,MAAM,IAAI,KAAK,CACb,uDAAuD,QAAQ,EAAE,CAClE,CAAA;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,KAAK;IAClB,mBAAmB;IACnB,IAAI,kBAAkB,EAAE,CAAC;QACvB,kBAAkB,EAAE,CAAA;QACpB,kBAAkB,GAAG,SAAS,CAAA;IAChC,CAAC;IAED,IAAI,cAAc,EAAE,WAAW,EAAE,CAAC;QAChC,MAAM,EACJ,cAAc,EACd,eAAe,EACf,iBAAiB,EACjB,kBAAkB,GACnB,GAAG,cAAc,CAAC,WAAW,CAAA;QAE9B,mBAAmB;QACnB,IAAI,iBAAiB,CAAC,GAAG,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,CAAC;YACvD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAC9C,eAAe,CAAC,4BAA4B,CAAC,CAAA;YAC/C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBACpD,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE;wBACnD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,kBAAkB,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC;YACzD,IAAI,CAAC;gBACH,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,SAAS,CAAC,CAAA;gBAC/C,eAAe,CAAC,6BAA6B,CAAC,CAAA;YAChD,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAK,GAA6B,CAAC,IAAI,KAAK,OAAO,EAAE,CAAC;oBACpD,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE;wBACpD,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,cAAc,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC1C,eAAe,CAAC,wBAAwB,CAAC,CAAA;YAC3C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,eAAe,CAAC,8BAA8B,GAAG,EAAE,EAAE;oBACnD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;QAED,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,CAAC;gBACH,EAAE,CAAC,MAAM,CAAC,eAAe,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAA;gBAC3C,eAAe,CAAC,yBAAyB,CAAC,CAAA;YAC5C,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,eAAe,CAAC,+BAA+B,GAAG,EAAE,EAAE;oBACpD,KAAK,EAAE,OAAO;iBACf,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,aAAa,GAAoB,EAAE,CAAA;IAEzC,IAAI,eAAe,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,eAAe,CAAA,CAAC,8CAA8C;QAC7E,MAAM,SAAS,GAAG,IAAI,OAAO,CAAO,OAAO,CAAC,EAAE;YAC5C,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACnB,IAAI,KAAK,IAAI,KAAK,CAAC,OAAO,KAAK,wBAAwB,EAAE,CAAC;oBACxD,eAAe,CAAC,oCAAoC,KAAK,CAAC,OAAO,EAAE,EAAE;wBACnE,KAAK,EAAE,OAAO;qBACf,CAAC,CAAA;gBACJ,CAAC;gBACD,OAAO,EAAE,CAAA;YACX,CAAC,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QACF,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC/B,CAAC;IAED,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,UAAU,GAAG,gBAAgB,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,CAAC,KAAY,EAAE,EAAE;YACjE,eAAe,CAAC,qCAAqC,KAAK,CAAC,OAAO,EAAE,EAAE;gBACpE,KAAK,EAAE,OAAO;aACf,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;QACF,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;IAChC,CAAC;IAED,gCAAgC;IAChC,MAAM,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAA;IAEhC,mBAAmB;IACnB,eAAe,GAAG,SAAS,CAAA;IAC3B,gBAAgB,GAAG,SAAS,CAAA;IAC5B,cAAc,GAAG,SAAS,CAAA;IAC1B,qBAAqB,GAAG,SAAS,CAAA;AACnC,CAAC;AAED,SAAS,wBAAwB;IAC/B,OAAO,qBAAqB,CAAA;AAC9B,CAAC;AAED,SAAS,iCAAiC,CACxC,OAAe,EACf,MAAc;IAEd,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAA;IACf,CAAC;IAED,MAAM,UAAU,GAAG,qBAAqB,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAA;IACzE,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,OAAO,MAAM,CAAA;IACf,CAAC;IAED,IAAI,SAAS,GAAG,MAAM,CAAA;IACtB,SAAS,IAAI,GAAG,GAAG,sBAAsB,GAAG,GAAG,CAAA;IAC/C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,SAAS,IAAI,SAAS,CAAC,IAAI,GAAG,GAAG,CAAA;IACnC,CAAC;IACD,SAAS,IAAI,uBAAuB,CAAA;IAEpC,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,2BAA2B;IAClC,6CAA6C;IAC7C,oDAAoD;IACpD,IAAI,WAAW,EAAE,KAAK,OAAO,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACxD,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,QAAQ,GAAG,WAAW,EAAE,CAAA;IAC9B,IAAI,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,YAAY,GAAa,EAAE,CAAA;IAEjC,+CAA+C;IAC/C,KAAK,MAAM,QAAQ,IAAI,CAAC,OAAO,EAAE,MAAM,CAAU,EAAE,CAAC;QAClD,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAA;QAClD,KAAK,MAAM,UAAU,IAAI,KAAK,EAAE,CAAC;YAC/B,MAAM,IAAI,GAAG,6BAA6B,CAAC,UAAU,CAAC,CAAA;YAEtD,mDAAmD;YACnD,IACE,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC;gBACtD,IAAI,CAAC,WAAW,EAChB,CAAC;gBACD,qFAAqF;gBACrF,MAAM,uBAAuB,GAAG,wBAAwB,CACtD,IAAI,CAAC,WAAW,CACjB,CAAA;gBAED,2EAA2E;gBAC3E,IAAI,iBAAiB,CAAC,uBAAuB,CAAC,EAAE,CAAC;oBAC/C,YAAY,CAAC,IAAI,CAAC,UAAU,CAAC,CAAA;gBAC/B,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAA;AACrB,CAAC;AAmCD,+EAA+E;AAC/E,qCAAqC;AACrC,+EAA+E;AAE/E;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C,UAAU;IACV,mBAAmB;IACnB,mBAAmB;IACnB,eAAe;IACf,gBAAgB;IAChB,2BAA2B;IAC3B,mBAAmB;IACnB,oBAAoB;IACpB,mBAAmB;IACnB,4BAA4B;IAC5B,YAAY;IACZ,iBAAiB;IACjB,sBAAsB;IACtB,uBAAuB;IACvB,4BAA4B;IAC5B,eAAe;IACf,KAAK;IACL,wBAAwB;IACxB,iCAAiC;IACjC,2BAA2B;CACnB,CAAA"}
|