@aria-cli/tools 1.0.11 → 1.0.13

package/dist-cjs/executors/shell-safety.js

@@ -1,479 +0,0 @@
-"use strict";
-/**
- * @aria/tools - Shell command risk classifier
- *
- * Statically classifies shell commands into risk tiers to gate execution:
- * - "safe"     : read-only, execute immediately without approval
- * - "moderate" : requires runtime policy handling (approval, allowlist, or autorun)
- * - "blocked"  : catastrophic, hard-denied — never execute
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.BLOCKED_PATTERNS = void 0;
-exports.classifyCommand = classifyCommand;
-exports.classifyExecInvocation = classifyExecInvocation;
-/** Read-only single-word commands that never modify state. */
-const SAFE_SINGLE = new Set([
-    "ls",
-    "cat",
-    "head",
-    "tail",
-    "wc",
-    "file",
-    "stat",
-    "grep",
-    "rg",
-    "find",
-    "which",
-    "whereis",
-    "echo",
-    "date",
-    "whoami",
-    "pwd",
-    "printenv",
-    "uname",
-    "hostname",
-]);
-/** Read-only multi-word command prefixes (order: longest match first). */
-const SAFE_MULTI = [
-    "git stash list",
-    "git status",
-    "git log",
-    "git diff",
-    "git show",
-    "git blame",
-    "git branch",
-    "git remote",
-    "git tag",
-    "node --version",
-    "npm --version",
-    "pnpm --version",
-    "python --version",
-    "pnpm list",
-    "npm list",
-];
-/** Patterns that are unconditionally blocked — catastrophic risk. */
-exports.BLOCKED_PATTERNS = [
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*\/(?:\s|$)/, // rm targeting filesystem root (/)
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*\/\*(?:\s|$)/, // rm targeting root wildcard (/*)
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*\.(?:\s|$)/, // rm . (current dir wipe, not ./subdir)
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*~(?:[a-zA-Z]\w*)?(?:\/\*)?(?:\s|$)/, // rm ~ (bare home), ~/* (home wildcard), ~user (other user home)
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*\$HOME\b/, // rm with $HOME variable
-    /rm\s+(?:--?[A-Za-z0-9-]+\s+)*\*(?:\s|$)/, // rm with bare wildcard (rm -rf *)
-    />\s*\/dev\/(?:sd[a-z]|nvme\d+|vd[a-z])\b/, // write to block devices
-    /mkfs/, // format filesystems
-    /dd\s+.*(?:if=|of=)/, // raw disk reads/writes
-    /chmod\s+(?:-R\s+)?777\b/, // world-writable permissions
-    /curl[\s\S]*\|\s*(ba)?sh/, // pipe-to-shell (including newline-obfuscated variants)
-    /wget[\s\S]*\|\s*(ba)?sh/, // pipe-to-shell (including newline-obfuscated variants)
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*eval\b/, // shell eval injection
-    // Inline execution (sh -c, python -c, node -e, etc.) downgraded to moderate.
-    // These are legitimate developer operations — dangerous payloads are still
-    // caught by other blocked patterns (rm /, curl|sh, fork bombs, etc.).
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*shutdown\b/, // system shutdown
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*reboot\b/, // system reboot
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*halt\b/, // system halt
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*init\s+0\b/, // init runlevel poweroff
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*systemctl\s+(?:poweroff|halt|reboot)\b/, // systemctl power controls
-    // kill downgraded to moderate — legitimate process management (kill PID, kill -0)
-    // is a normal developer operation. Catastrophic kill (kill -9 1) is still caught
-    // by the PID-1 pattern below. See shell-safety.test.ts for coverage.
-    /(?:^|[;&|]\s*|\$\(|`|\()\s*(?:(?:env|command)\s+)*kill\s+(?:-\d+\s+|-[A-Z]+\s+)*\b1\b/, // kill PID 1 (init) — catastrophic
-    // ${...} parameter expansion downgraded to moderate — standard bash operations
-    // like ${VAR}, ${#VAR} (length), ${VAR:-default} are common developer patterns.
-    // Truly dangerous expansions (${VAR:=$(cmd)}) are caught by other patterns
-    // (eval, curl|sh, etc.) or by the subshell/backtick check in classifyCommand.
-    /:\(\)\{\s*:\|:&\s*\};:/, // fork bomb
-    /\bsudo\b/, // privilege escalation
-    /git\s+push\s+.*--force(?!-with-lease)\b/, // force push (allow --force-with-lease)
-    /git\s+push(?:\s+-[A-Za-z]*f[A-Za-z]*\b|\s+.*\s-[A-Za-z]*f[A-Za-z]*\b)/, // short force flags (-f, -uf, etc.)
-    /git\s+reset\s+--hard/, // hard reset
-];
-/**
- * Returns true if the raw command text matches any blocked pattern.
- */
-function isBlocked(raw) {
-    const withoutHeredocs = stripHeredocBodies(raw);
-    const withoutQuotedLiterals = stripSingleAndDoubleQuotedLiterals(withoutHeredocs);
-    return exports.BLOCKED_PATTERNS.some((re) => re.test(withoutQuotedLiterals));
-}
-/**
- * Strip heredoc bodies so that blocked-pattern checks don't fire on
- * data content inside heredocs.  Supports both quoted and unquoted
- * delimiters: `<< 'EOF'`, `<< "EOF"`, `<< EOF`, `<<-EOF`.
- *
- * Only the body between the delimiter lines is replaced with spaces;
- * the shell command on the `<<` line and the closing delimiter are
- * preserved so other pattern checks still apply to the command itself.
- */
-function stripHeredocBodies(raw) {
-    // Match << (optional dash) then optional quotes around the delimiter word
-    const heredocRe = /<<-?\s*(?:'([^']+)'|"([^"]+)"|(\w+))/g;
-    let result = raw;
-    let match;
-    // Collect all heredoc markers first, then strip from the end backwards
-    // so index positions remain valid.
-    const markers = [];
-    while ((match = heredocRe.exec(raw)) !== null) {
-        const delimiter = match[1] ?? match[2] ?? match[3] ?? "";
-        if (!delimiter)
-            continue;
-        // Body starts after the next newline following the << marker
-        const afterMarker = raw.indexOf("\n", match.index);
-        if (afterMarker === -1)
-            continue;
-        const bodyStart = afterMarker + 1;
-        // Find the closing delimiter: must be on its own line (with optional
-        // leading whitespace for <<- heredocs).
-        const closingRe = new RegExp(`^\\s*${delimiter.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")}\\s*$`, "m");
-        const bodySlice = raw.slice(bodyStart);
-        const closingMatch = closingRe.exec(bodySlice);
-        if (!closingMatch)
-            continue;
-        const bodyEnd = bodyStart + closingMatch.index;
-        markers.push({ delimiter, bodyStart, bodyEnd });
-    }
-    // Strip bodies from last to first to preserve indices
-    for (let i = markers.length - 1; i >= 0; i--) {
-        const { bodyStart, bodyEnd } = markers[i];
-        const body = result.slice(bodyStart, bodyEnd);
-        result = result.slice(0, bodyStart) + body.replace(/[^\n]/g, " ") + result.slice(bodyEnd);
-    }
-    return result;
-}
-/**
- * Remove single-quoted and double-quoted literal text from a command so
- * blocked-pattern checks don't fire on plain quoted prose like:
- *   echo "please do not run rm -rf /"
- */
-function stripSingleAndDoubleQuotedLiterals(raw) {
-    let result = "";
-    let inSingle = false;
-    let inDouble = false;
-    let escaped = false;
-    for (let i = 0; i < raw.length; i++) {
-        const ch = raw[i];
-        if (inSingle) {
-            if (ch === "'") {
-                inSingle = false;
-                result += " ";
-            }
-            else {
-                result += " ";
-            }
-            continue;
-        }
-        if (inDouble) {
-            if (escaped) {
-                escaped = false;
-                result += " ";
-                continue;
-            }
-            if (ch === "\\") {
-                escaped = true;
-                result += " ";
-                continue;
-            }
-            if (ch === '"') {
-                inDouble = false;
-                result += " ";
-            }
-            else {
-                result += " ";
-            }
-            continue;
-        }
-        if (ch === "'") {
-            inSingle = true;
-            result += " ";
-            continue;
-        }
-        if (ch === '"') {
-            inDouble = true;
-            result += " ";
-            continue;
-        }
-        result += ch;
-    }
-    return result;
-}
-/**
- * Strip an optional absolute-path prefix from a token
- * so `/usr/bin/rm` is treated the same as `rm`.
- */
-function stripPathPrefix(token) {
-    const i = token.lastIndexOf("/");
-    return i === -1 ? token : token.slice(i + 1);
-}
-function hasUnquotedSubshellOrBacktick(command) {
-    let inSingle = false;
-    let inDouble = false;
-    let escaped = false;
-    for (let i = 0; i < command.length; i++) {
-        const ch = command[i];
-        const next = command[i + 1];
-        if (inSingle) {
-            if (ch === "'")
-                inSingle = false;
-            continue;
-        }
-        if (inDouble) {
-            if (escaped) {
-                escaped = false;
-                continue;
-            }
-            if (ch === "\\") {
-                escaped = true;
-                continue;
-            }
-            if (ch === '"') {
-                inDouble = false;
-                continue;
-            }
-            if (ch === "`" || (ch === "$" && next === "(")) {
-                return true;
-            }
-            continue;
-        }
-        if (escaped) {
-            escaped = false;
-            continue;
-        }
-        if (ch === "\\") {
-            escaped = true;
-            continue;
-        }
-        if (ch === "'") {
-            inSingle = true;
-            continue;
-        }
-        if (ch === '"') {
-            inDouble = true;
-            continue;
-        }
-        if (ch === "`" || (ch === "$" && next === "(")) {
-            return true;
-        }
-    }
-    return false;
-}
-function splitTopLevelChain(command) {
-    const parts = [];
-    let current = "";
-    let inSingle = false;
-    let inDouble = false;
-    let escaped = false;
-    for (let i = 0; i < command.length; i++) {
-        const ch = command[i];
-        const next = command[i + 1];
-        if (inSingle) {
-            current += ch;
-            if (ch === "'")
-                inSingle = false;
-            continue;
-        }
-        if (inDouble) {
-            current += ch;
-            if (escaped) {
-                escaped = false;
-                continue;
-            }
-            if (ch === "\\") {
-                escaped = true;
-                continue;
-            }
-            if (ch === '"')
-                inDouble = false;
-            continue;
-        }
-        if (escaped) {
-            current += ch;
-            escaped = false;
-            continue;
-        }
-        if (ch === "\\") {
-            current += ch;
-            escaped = true;
-            continue;
-        }
-        if (ch === "'") {
-            current += ch;
-            inSingle = true;
-            continue;
-        }
-        if (ch === '"') {
-            current += ch;
-            inDouble = true;
-            continue;
-        }
-        const isSeparator = ch === ";" ||
-            ch === "\n" ||
-            ch === "\r" ||
-            (ch === "&" && next === "&") ||
-            (ch === "|" && next === "|");
-        if (isSeparator) {
-            parts.push(current.trim());
-            current = "";
-            if ((ch === "&" || ch === "|") && next === ch) {
-                i += 1;
-            }
-            continue;
-        }
-        current += ch;
-    }
-    parts.push(current.trim());
-    return parts;
-}
-function splitTopLevelPipes(command) {
-    const parts = [];
-    let current = "";
-    let inSingle = false;
-    let inDouble = false;
-    let escaped = false;
-    for (let i = 0; i < command.length; i++) {
-        const ch = command[i];
-        const next = command[i + 1];
-        const prev = i > 0 ? command[i - 1] : "";
-        if (inSingle) {
-            current += ch;
-            if (ch === "'")
-                inSingle = false;
-            continue;
-        }
-        if (inDouble) {
-            current += ch;
-            if (escaped) {
-                escaped = false;
-                continue;
-            }
-            if (ch === "\\") {
-                escaped = true;
-                continue;
-            }
-            if (ch === '"')
-                inDouble = false;
-            continue;
-        }
-        if (escaped) {
-            current += ch;
-            escaped = false;
-            continue;
-        }
-        if (ch === "\\") {
-            current += ch;
-            escaped = true;
-            continue;
-        }
-        if (ch === "'") {
-            current += ch;
-            inSingle = true;
-            continue;
-        }
-        if (ch === '"') {
-            current += ch;
-            inDouble = true;
-            continue;
-        }
-        if (ch === "|" && next !== "|" && prev !== "|") {
-            parts.push(current.trim());
-            current = "";
-            continue;
-        }
-        current += ch;
-    }
-    parts.push(current.trim());
-    return parts;
-}
-/**
- * Matches shell output redirection operators that WRITE to the filesystem.
- * Excludes 2>&1 (stderr-to-stdout merge) which is read-only.
- *
- * Matches: >, >>, 2> (not followed by &), &>
- * Does NOT match: 2>&1, <, <<
- */
-const REDIRECTION_RE = /(?:>>|(?:^|[^2])>(?!&)|2>(?!&)|&>)/;
-/**
- * Determine whether a single simple command (no pipes/chains) is safe.
- * Returns true only when the command prefix is in the safe lists
- * AND the segment contains no output redirection.
- */
-function isSegmentSafe(segment) {
-    const trimmed = segment.trim();
-    if (trimmed === "")
-        return false;
-    // Output redirection makes any command non-safe
-    if (REDIRECTION_RE.test(trimmed))
-        return false;
-    // Multi-word safe match first (e.g. "git status")
-    for (const prefix of SAFE_MULTI) {
-        if (trimmed === prefix || trimmed.startsWith(prefix + " "))
-            return true;
-    }
-    // Single-word: first token, path-stripped
-    const firstToken = trimmed.split(/\s+/)[0] ?? "";
-    return SAFE_SINGLE.has(stripPathPrefix(firstToken));
-}
-/**
- * Classify a shell command's risk level.
- *
- * - "safe"     — skip approval, execute immediately
- * - "moderate" — handle via runtime policy (approval, allowlist, or autorun)
- * - "blocked"  — never execute, return error immediately
- */
-function classifyCommand(command) {
-    const trimmed = command.trim();
-    // Empty / whitespace-only — can't determine intent
-    if (trimmed === "")
-        return "moderate";
-    // 0. Strip heredoc bodies once, upfront, so every downstream check
-    //    (whole-command, per-segment, per-pipe) operates on the sanitised text.
-    //    This prevents heredoc *data* from triggering blocked patterns.
-    const stripped = stripHeredocBodies(trimmed);
-    // 1. Check blocked patterns on the entire raw command
-    if (isBlocked(stripped))
-        return "blocked";
-    // 2. Subshells / backticks — can't statically analyze safely.
-    // Check before splitting to avoid quote-unaware false positives.
-    if (hasUnquotedSubshellOrBacktick(stripped))
-        return "moderate";
-    // 3. Split on chain operators (&&, ||, ;, newline) outside quoted strings.
-    const chainSegments = splitTopLevelChain(stripped);
-    for (const seg of chainSegments) {
-        if (isBlocked(seg))
-            return "blocked";
-    }
-    // 4. Split each chain segment on top-level pipes and check.
-    const allSegments = [];
-    for (const seg of chainSegments) {
-        const piped = splitTopLevelPipes(seg);
-        for (const p of piped) {
-            if (isBlocked(p))
-                return "blocked";
-            allSegments.push(p);
-        }
-    }
-    // 5. Env-var assignment prefix (VAR=val command)
-    if (/^[A-Za-z_]\w*=/.test(trimmed))
-        return "moderate";
-    // 6. Check if ALL segments are safe (filter empty segments from chain splitting)
-    const nonEmpty = allSegments.filter((s) => s.trim() !== "");
-    if (nonEmpty.length > 0 && nonEmpty.every(isSegmentSafe))
-        return "safe";
-    // 7. Default — needs approval
-    return "moderate";
-}
-const EXPLICIT_SHELLS = new Set(["sh", "bash", "zsh", "ksh", "dash", "ash", "fish"]);
-/**
- * Classify argv-based process execution (spawn/exec) with shell-aware behavior.
- *
- * When callers explicitly invoke a shell interpreter with `-c`, classify the
- * payload command text itself. This preserves catastrophic-command blocking
- * while avoiding false positives that would block every `bash -c ...` call.
- */
-function classifyExecInvocation(program, args = []) {
-    const shellName = stripPathPrefix(program).toLowerCase();
-    if (EXPLICIT_SHELLS.has(shellName) && args[0] === "-c" && typeof args[1] === "string") {
-        return classifyCommand(args[1]);
-    }
-    return classifyCommand([program, ...args].join(" "));
-}
-//# sourceMappingURL=shell-safety.js.map

package/dist-cjs/executors/shell-safety.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"shell-safety.js","sourceRoot":"","sources":["../../src/executors/shell-safety.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAkcH,0CA2CC;AAWD,wDAOC;AA3fD,8DAA8D;AAC9D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,IAAI;IACJ,KAAK;IACL,MAAM;IACN,MAAM;IACN,IAAI;IACJ,MAAM;IACN,MAAM;IACN,MAAM;IACN,IAAI;IACJ,MAAM;IACN,OAAO;IACP,SAAS;IACT,MAAM;IACN,MAAM;IACN,QAAQ;IACR,KAAK;IACL,UAAU;IACV,OAAO;IACP,UAAU;CACX,CAAC,CAAC;AAEH,0EAA0E;AAC1E,MAAM,UAAU,GAAa;IAC3B,gBAAgB;IAChB,YAAY;IACZ,SAAS;IACT,UAAU;IACV,UAAU;IACV,WAAW;IACX,YAAY;IACZ,YAAY;IACZ,SAAS;IACT,gBAAgB;IAChB,eAAe;IACf,gBAAgB;IAChB,kBAAkB;IAClB,WAAW;IACX,UAAU;CACX,CAAC;AAEF,qEAAqE;AACxD,QAAA,gBAAgB,GAAa;IACxC,yCAAyC,EAAE,mCAAmC;IAC9E,2CAA2C,EAAE,kCAAkC;IAC/E,yCAAyC,EAAE,wCAAwC;IACnF,iEAAiE,EAAE,iEAAiE;IACpI,uCAAuC,EAAE,yBAAyB;IAClE,yCAAyC,EAAE,mCAAmC;IAC9E,0CAA0C,EAAE,yBAAyB;IACrE,MAAM,EAAE,qBAAqB;IAC7B,oBAAoB,EAAE,wBAAwB;IAC9C,yBAAyB,EAAE,6BAA6B;IACxD,yBAAyB,EAAE,wDAAwD;IACnF,yBAAyB,EAAE,wDAAwD;IACnF,0DAA0D,EAAE,uBAAuB;IACnF,6EAA6E;IAC7E,2EAA2E;IAC3E,sEAAsE;IACtE,8DAA8D,EAAE,kBAAkB;IAClF,4DAA4D,EAAE,gBAAgB;IAC9E,0DAA0D,EAAE,cAAc;IAC1E,8DAA8D,EAAE,yBAAyB;IACzF,0FAA0F,EAAE,2BAA2B;IACvH,kFAAkF;IAClF,iFAAiF;IACjF,qEAAqE;IACrE,uFAAuF,EAAE,mCAAmC;IAC5H,+EAA+E;IAC/E,gFAAgF;IAChF,2EAA2E;IAC3E,8EAA8E;IAC9E,wBAAwB,EAAE,YAAY;IACtC,UAAU,EAAE,uBAAuB;IACnC,yCAAyC,EAAE,wCAAwC;IACnF,uEAAuE,EAAE,oCAAoC;IAC7G,sBAAsB,EAAE,aAAa;CACtC,CAAC;AAEF;;GAEG;AACH,SAAS,SAAS,CAAC,GAAW;IAC5B,MAAM,eAAe,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAChD,MAAM,qBAAqB,GAAG,kCAAkC,CAAC,eAAe,CAAC,CAAC;IAClF,OAAO,wBAAgB,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC,CAAC;AACvE,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,kBAAkB,CAAC,GAAW;IACrC,0EAA0E;IAC1E,MAAM,SAAS,GAAG,uCAAuC,CAAC;IAC1D,IAAI,MAAM,GAAG,GAAG,CAAC;IACjB,IAAI,KAA6B,CAAC;IAElC,uEAAuE;IACvE,mCAAmC;IACnC,MAAM,OAAO,GAAqE,EAAE,CAAC;IAErF,OAAO,CAAC,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACzD,IAAI,CAAC,SAAS;YAAE,SAAS;QAEzB,6DAA6D;QAC7D,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;QACnD,IAAI,WAAW,KAAK,CAAC,CAAC;YAAE,SAAS;QACjC,MAAM,SAAS,GAAG,WAAW,GAAG,CAAC,CAAC;QAElC,qEAAqE;QACrE,wCAAwC;QACxC,MAAM,SAAS,GAAG,IAAI,MAAM,CAC1B,QAAQ,SAAS,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,OAAO,EAC/D,GAAG,CACJ,CAAC;QACF,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,YAAY,GAAG,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,CAAC,YAAY;YAAE,SAAS;QAE5B,MAAM,OAAO,GAAG,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC;QAC/C,OAAO,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,sDAAsD;IACtD,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC7C,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAC9C,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,SAAS,kCAAkC,CAAC,GAAW;IACrD,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QAEnB,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACf,QAAQ,GAAG,KAAK,CAAC;gBACjB,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,GAAG,KAAK,CAAC;gBAChB,MAAM,IAAI,GAAG,CAAC;gBACd,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,OAAO,GAAG,IAAI,CAAC;gBACf,MAAM,IAAI,GAAG,CAAC;gBACd,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACf,QAAQ,GAAG,KAAK,CAAC;gBACjB,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;iBAAM,CAAC;gBACN,MAAM,IAAI,GAAG,CAAC;YAChB,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,MAAM,IAAI,GAAG,CAAC;YACd,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,MAAM,IAAI,GAAG,CAAC;YACd,SAAS;QACX,CAAC;QAED,MAAM,IAAI,EAAE,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,CAAC,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACjC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,SAAS,6BAA6B,CAAC,OAAe;IACpD,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QACvB,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAE5B,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACjC,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,GAAG,KAAK,CAAC;gBAChB,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,OAAO,GAAG,IAAI,CAAC;gBACf,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;gBACf,QAAQ,GAAG,KAAK,CAAC;gBACjB,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;gBAC/C,OAAO,IAAI,CAAC;YACd,CAAC;YACD,SAAS;QACX,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QACvB,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAE5B,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACjC,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,GAAG,KAAK,CAAC;gBAChB,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,OAAO,GAAG,IAAI,CAAC;gBACf,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACjC,SAAS;QACX,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,EAAE,CAAC;YACd,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,OAAO,IAAI,EAAE,CAAC;YACd,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,OAAO,IAAI,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,OAAO,IAAI,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QAED,MAAM,WAAW,GACf,EAAE,KAAK,GAAG;YACV,EAAE,KAAK,IAAI;YACX,EAAE,KAAK,IAAI;YACX,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC;YAC5B,CAAC,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,CAAC;QAC/B,IAAI,WAAW,EAAE,CAAC;YAChB,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3B,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,CAAC,IAAI,IAAI,KAAK,EAAE,EAAE,CAAC;gBAC9C,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;YACD,SAAS;QACX,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,OAAO,GAAG,EAAE,CAAC;IACjB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,QAAQ,GAAG,KAAK,CAAC;IACrB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;QACvB,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;QAC5B,MAAM,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEzC,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACjC,SAAS;QACX,CAAC;QAED,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,IAAI,EAAE,CAAC;YACd,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,GAAG,KAAK,CAAC;gBAChB,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;gBAChB,OAAO,GAAG,IAAI,CAAC;gBACf,SAAS;YACX,CAAC;YACD,IAAI,EAAE,KAAK,GAAG;gBAAE,QAAQ,GAAG,KAAK,CAAC;YACjC,SAAS;QACX,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,IAAI,EAAE,CAAC;YACd,OAAO,GAAG,KAAK,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,OAAO,IAAI,EAAE,CAAC;YACd,OAAO,GAAG,IAAI,CAAC;YACf,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,OAAO,IAAI,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QACD,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,OAAO,IAAI,EAAE,CAAC;YACd,QAAQ,GAAG,IAAI,CAAC;YAChB,SAAS;QACX,CAAC;QAED,IAAI,EAAE,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,EAAE,CAAC;YAC/C,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC3B,OAAO,GAAG,EAAE,CAAC;YACb,SAAS;QACX,CAAC;QAED,OAAO,IAAI,EAAE,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,MAAM,cAAc,GAAG,oCAAoC,CAAC;AAE5D;;;;GAIG;AACH,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAEjC,gDAAgD;IAChD,IAAI,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,KAAK,CAAC;IAE/C,kDAAkD;IAClD,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,IAAI,OAAO,KAAK,MAAM,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC1E,CAAC;IAED,0CAA0C;IAC1C,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IACjD,OAAO,WAAW,CAAC,GAAG,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC;AACtD,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,eAAe,CAAC,OAAe;IAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IAE/B,mDAAmD;IACnD,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,UAAU,CAAC;IAEtC,mEAAmE;IACnE,4EAA4E;IAC5E,oEAAoE;IACpE,MAAM,QAAQ,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAE7C,sDAAsD;IACtD,IAAI,SAAS,CAAC,QAAQ,CAAC;QAAE,OAAO,SAAS,CAAC;IAE1C,8DAA8D;IAC9D,iEAAiE;IACjE,IAAI,6BAA6B,CAAC,QAAQ,CAAC;QAAE,OAAO,UAAU,CAAC;IAE/D,2EAA2E;IAC3E,MAAM,aAAa,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IACnD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,IAAI,SAAS,CAAC,GAAG,CAAC;YAAE,OAAO,SAAS,CAAC;IACvC,CAAC;IAED,4DAA4D;IAC5D,MAAM,WAAW,GAAa,EAAE,CAAC;IACjC,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,MAAM,KAAK,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;QACtC,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;YACtB,IAAI,SAAS,CAAC,CAAC,CAAC;gBAAE,OAAO,SAAS,CAAC;YACnC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC;QAAE,OAAO,UAAU,CAAC;IAEtD,iFAAiF;IACjF,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5D,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC;QAAE,OAAO,MAAM,CAAC;IAExE,8BAA8B;IAC9B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC;AAErF;;;;;;GAMG;AACH,SAAgB,sBAAsB,CAAC,OAAe,EAAE,OAAiB,EAAE;IACzE,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IACzD,IAAI,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,OAAO,IAAI,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;QACtF,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,OAAO,eAAe,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;AACvD,CAAC"}