@attestry/sdk 0.6.0

package/dist/resources/audit-log.js

@@ -0,0 +1,629 @@
+// ─── AuditLog resource ──────────────────────────────────────────────────────
+//
+// Wraps the audit-log SIEM export surface (Prompt C.4) + the org-wide
+// audit-log hash-chain verifier (session 19):
+//
+//   - GET /api/v1/audit-log/export         NDJSON / ECS / CEF stream of audit_log rows
+//   - GET /api/v1/audit-chain/verify       Org-wide hash-chain integrity verdict
+//
+// First non-decisions resource on `@attestry/sdk`. Sibling to
+// `IncidentsResource`, `DecisionsResource`, `ChatResource`. Two
+// public methods today (`export` + `verifyChain`); the resource class
+// is the landing pad for future audit-log methods if/when the kernel
+// adds them.
+//
+// **`verifyChain()` vs `decisions.verifyChain()`** — DISTINCT surfaces:
+//   - `decisions.verifyChain(systemId)` — verifies a SINGLE system's
+//     decision chain (per-system hash-chain integrity). Takes a UUID
+//     path parameter; emits `ChainVerificationResult` with per-record
+//     tampered/broken arrays. Used for security/ops signals on a
+//     specific system.
+//   - `auditLog.verifyChain()` — verifies the entire ORG's audit log
+//     chain (org-wide tamper-evidence). Takes NO arguments; emits
+//     `AuditChainVerificationResult` with one `brokenAt` UUID (if any).
+//     Used by compliance auditors for end-to-end audit-log integrity.
+// Different responsibility, different kernel route, different consumer
+// audience. The two methods complement each other.
+//
+// Dual-auth admin scope: the kernel route gates on
+// `requireSessionOrApiKey(request, { sessionRoles: ["admin"],
+// apiKeyPermissions: [API_KEY_PERMISSIONS.ADMIN] })` (verified at
+// `src/app/api/v1/audit-log/export/route.ts:66-68`) — the identical
+// dual-auth pattern the abacPolicies cluster uses. The SDK's transport
+// always sends `x-api-key`, so the api-key path is the only one
+// reachable from SDK consumers: **HTTP 401** for no / invalid /
+// expired api-key, **HTTP 403** for a VALID api-key whose permissions
+// do NOT include `ADMIN`. The two are DISTINCT.
+//
+// (Corrected — session-22 hostile review #2. The prior comment claimed
+// "HTTP 401 for both no-auth AND insufficient-permission"; that
+// mis-read the kernel TEST at `audit-log/export/__tests__/route.test.ts`,
+// which MOCKS `AuthError(401)` and never exercises the real
+// `requireSessionOrApiKey` middleware. The middleware's
+// `requireApiKeyWithPermission` path returns 403 for the
+// insufficient-permission case — same surface as every abacPolicies
+// method.)
+//
+// Three wire formats:
+//   - `jsonl` (default): one JSON object per line, structured
+//     `AuditLogRecord` shape. SDK validates wire shape strictly and
+//     yields parsed objects.
+//   - `ecs`: one Elastic Common Schema 8.x event per line (JSON-encoded).
+//     Rides the same `application/x-ndjson` content-type as `jsonl` —
+//     consumers parse the ECS shape themselves; SDK yields `unknown`.
+//   - `cef`: one ArcSight CEF v0 line per row. Plain text, NOT JSON.
+//     Content-Type: `text/plain`. SDK yields raw `string`.
+//
+// Cursor pagination via response HEADER (`x-attestry-next-cursor`) —
+// NOT a body trailer (asymmetric with `decisions.export`). The SDK
+// auto-paginates by default: the iterator transparently fetches the
+// next page whenever the current page exhausts and the kernel emitted
+// a next-cursor header. Single-page behavior is opt-in via
+// `autoPaginate: false`.
+//
+// Compound cursor format: `<ISO-8601-UTC>:<UUID>`. Bare ISO is a legacy
+// fallback (may skip same-microsecond rows; documented kernel behavior).
+import { AttestryError } from "../errors.js";
+import { parseLinesResponse } from "../lines-parser.js";
+import { parseNDJSONResponse } from "../ndjson-parser.js";
+import { readInputField } from "./safe-input-read.js";
+// Module-load snapshot of `Object.hasOwn` — defends against a
+// late-loading hostile/buggy npm dependency that overrides the global
+// (e.g., `Object.hasOwn = () => true`). Without the snapshot, the
+// prototype-pollution defenses in `validateAuditChainVerificationResponse`
+// would use whatever Object.hasOwn the dependency replaced it with at
+// request time. Snapshotting at module load captures the original
+// implementation BEFORE most consumer code has a chance to monkey-
+// patch.
+//
+// Mirror of `batch.ts` / `gate.ts` / `check.ts` / `compliance-check.ts`
+// pattern. Used on the response side of `verifyChain()` (this method
+// has no input; the input-side defense is N/A — no fields to guard).
+// Carry-forward of session-16 second-hostile-review MEDIUM #3 +
+// session-17 build-round baked-in pattern.
+const objectHasOwn = Object.hasOwn;
+/**
+ * Public closed-enum of supported wire formats. Mirrors the kernel's
+ * `VALID_FORMATS` const at `src/lib/audit-log/export-helpers.ts:15-19`.
+ * Drift-pinned in `src/lib/incidents/__tests__/sdk-drift.test.ts`.
+ *
+ * Forward-compat: when a future format is added (e.g., `csv`), bump the
+ * SDK minor version and extend this array. The kernel's parseFormat
+ * function returns 400 for any value outside this set; the SDK
+ * pre-rejects invalid values synchronously as `TypeError` (build-round
+ * D5 — closed-enum input validates at the SDK boundary so the failure
+ * is faster + clearer than waiting for the server's 400).
+ */
+export const AUDIT_LOG_EXPORT_FORMATS = Object.freeze([
+    "jsonl",
+    "ecs",
+    "cef",
+]);
+/**
+ * AuditLog resource — sibling to `IncidentsResource`, `DecisionsResource`,
+ * `ChatResource`. Today wraps two endpoints (`export` + `verifyChain`);
+ * the class is the landing pad for future audit-log methods.
+ */
+export class AuditLogResource {
+    client;
+    constructor(client) {
+        this.client = client;
+    }
+    export(input, options) {
+        // Top-level shape — when provided, must be a non-null, non-array
+        // object. typeof null === "object" and typeof [] === "object", so
+        // guard both explicitly. Unlike decisions.export (which requires
+        // `input.systemId`), auditLog.export's input is OPTIONAL — `()`
+        // and `(undefined)` are both valid.
+        if (input !== undefined) {
+            if (input === null || typeof input !== "object" || Array.isArray(input)) {
+                throw new TypeError("auditLog.export: `input` must be an object when provided");
+            }
+            // Snapshot each input field via `readInputField` — a throwing
+            // accessor surfaces as the documented synchronous `TypeError`
+            // rather than the getter's raw exception (session-22 hostile
+            // review #1 — the SDK-wide MEDIUM-1 getter-throws fix). The
+            // export helper below still receives the original `input` (a
+            // throwing getter is caught here first, so it is never reached).
+            const format = readInputField(input, "format", "auditLog.export");
+            const cursor = readInputField(input, "cursor", "auditLog.export");
+            const limit = readInputField(input, "limit", "auditLog.export");
+            const autoPaginate = readInputField(input, "autoPaginate", "auditLog.export");
+            // format: closed enum. Pre-reject invalid values synchronously
+            // (faster + clearer than waiting for server's 400). Build-round D5.
+            if (format !== undefined) {
+                if (typeof format !== "string" ||
+                    !AUDIT_LOG_EXPORT_FORMATS.includes(format)) {
+                    throw new TypeError(`auditLog.export: \`format\` must be one of ${AUDIT_LOG_EXPORT_FORMATS.join(", ")} when provided`);
+                }
+            }
+            // cursor: non-empty string + lone-surrogate guard.
+            if (cursor !== undefined) {
+                if (typeof cursor !== "string" || cursor.length === 0) {
+                    throw new TypeError("auditLog.export: `cursor` must be a non-empty string when provided");
+                }
+                assertEncodableQueryString(cursor, "cursor", "auditLog.export");
+            }
+            // limit: positive finite integer. NaN / Infinity / fractional /
+            // <= 0 rejected. Stricter than kernel's silent coerce-to-1000
+            // (build-round D4).
+            if (limit !== undefined) {
+                if (typeof limit !== "number" ||
+                    !Number.isInteger(limit) ||
+                    limit <= 0) {
+                    throw new TypeError("auditLog.export: `limit` must be a positive integer when provided");
+                }
+            }
+            // autoPaginate: strict boolean.
+            if (autoPaginate !== undefined && typeof autoPaginate !== "boolean") {
+                throw new TypeError("auditLog.export: `autoPaginate` must be a boolean when provided");
+            }
+        }
+        return runAuditLogExport(this.client, input, options);
+    }
+    /**
+     * Verify the integrity of the org's audit-log hash chain. Returns
+     * an `AuditChainVerificationResult` describing whether the chain is
+     * intact, and (when broken) the UUID of the entry where verification
+     * failed.
+     *
+     * Wraps `GET /api/v1/audit-chain/verify` — no input, no query
+     * parameters, no body. The caller's org is implicit from auth; the
+     * kernel fetches up to 5000 audit-log entries ordered ascending by
+     * timestamp and runs `verifyAuditChain()` on them.
+     *
+     * **API-key auth scope** (uses `requireApiKey` DIRECT — distinct
+     * from BOTH siblings): the kernel route calls `requireApiKey(request)`
+     * at `route.ts:31` with NO permission scoping AND NO subsequent
+     * role check. Any valid API key for the org can verify the chain.
+     * Returns **HTTP 401** for no/invalid API key; the `requireApiKey`
+     * branch does NOT distinguish "no key" from "invalid key". **Note**:
+     * `auditLog.export` ALSO calls `requireApiKey(request)` directly at
+     * its route but then performs a separate role/permission check
+     * (ADMIN-only — see audit-log/export route). `verifyChain()` is
+     * distinct: NO role check, NO permission filter. The 403 path is
+     * unreachable for this route, and ALL valid api-keys in the org
+     * succeed (in contrast to `auditLog.export` where only ADMIN keys
+     * succeed).
+     *
+     * **Kernel-side invariant (session-19 review-3 L2 carry-forward)**:
+     * the route at `route.ts:32` reads `apiKeyUser.orgId` and passes
+     * it directly to the Drizzle `eq(schema.auditLog.orgId, orgId)`
+     * filter without a null-guard. The SDK assumes the kernel's
+     * `requireApiKey` returns an `ApiKeyUser` with a non-null `orgId`
+     * (i.e., the `apiKeys` table's `orgId` column is NOT NULL). If
+     * a future schema migration relaxes that constraint, the route
+     * could match zero rows on a malformed key and return a vacuous-
+     * truth `valid: true` verdict, masking actual chain tampering.
+     * This is a kernel-side hardening concern (SDK cannot detect
+     * it from the wire); flagged here so a future kernel-hardening
+     * audit knows to add a runtime guard in `requireApiKey`.
+     *
+     * **CRITICAL contract — does NOT throw on `valid: false`** (carry-
+     * forward invariant #12). The kernel returns HTTP 200 with
+     * `valid: false` on a tampered chain; the SDK MUST resolve the
+     * Promise with the verdict body. Top-level structural failures
+     * (auth, rate limit, internal) throw `AttestryAPIError`. Mirror of
+     * `decisions.verifyChain`'s same contract.
+     *
+     * **NO `writeAuditLog` side effect** — the verifier is quiet
+     * (asymmetric with `gate.evaluate` / `batch.submit` which both write
+     * audit-log entries). Writing to the audit log while verifying it
+     * would be ironic; the kernel team avoided this. `auditLog.verifyChain`
+     * is a pure read.
+     *
+     * **Silent kernel-side truncation at 5000 entries** (invariant #50).
+     * The kernel's audit-log fetch is capped at 5000 entries
+     * (`route.ts:51`: `.limit(5000)`). For an org with more than 5000
+     * audit-log entries, only the OLDEST 5000 are verified by this call.
+     * The kernel does NOT emit a "truncated" flag — `totalEntries`
+     * equals the number of rows fetched, NOT the org's full audit-log
+     * row count. **Documented kernel surface gap**; the SDK does NOT
+     * mask. Consumers with high-volume audit logs should be aware that
+     * the kernel's verifier sees a stale window of the chain. A future
+     * kernel pagination or higher limit would be additive (the SDK
+     * forwards `totalEntries` verbatim).
+     *
+     * **Kernel-side 30-second timeout** (`maxDuration = 30` at
+     * `route.ts:14`). The SDK does NOT enforce a client-side timeout
+     * (consumers manage via `options.signal`), but the kernel's
+     * function-runtime cap bounds the verification latency on the
+     * server side. Cron-job consumers should budget call latency
+     * relative to this cap — a near-5000-entry verification can take
+     * tens of seconds under high SHA-256 load. A future kernel raise
+     * (e.g., 30 → 60s) would relax this cap; downstream cron-job
+     * sizing assumptions should be revisited.
+     *
+     * **Pollution-safe discriminator pattern** — branch on
+     * `result.valid` (closed-enum boolean) to detect a broken chain,
+     * NOT on `result.brokenAt === undefined`. The kernel emits
+     * `brokenAt` as an OWN-PROPERTY of the response only when the
+     * chain is broken; on a valid chain it's omitted entirely (kernel
+     * uses a conditional spread at `route.ts:72`). Under
+     * `Object.prototype.brokenAt = <value>` pollution, the equality
+     * check walks the prototype and reads the polluted value —
+     * returning false (i.e., "field is present") even when the
+     * own-property is genuinely absent. The SDK's response-side
+     * validator uses `Object.hasOwn` (snapshotted at module load) to
+     * defend against this; consumers should use `result.valid`
+     * directly. Carry-forward of session-17 first-hostile-review
+     * MEDIUM #3 + session-18 build-round baked-in pattern.
+     *
+     * **Errors** — ordered by kernel firing precedence (rate-limit →
+     * auth-pass-or-401 → DB fetch → verifier → 500-catchall):
+     *   - `AttestryAPIError` (status 429) — rate limit FIRES FIRST
+     *     (auto-retried by default — invariant #18; per-IP rate-limit
+     *     key `audit-chain-verify:${ip}` against the standard
+     *     `apiLimiter`).
+     *   - `AttestryAPIError` (status 401) — no API key OR invalid key.
+     *     Single 401 surface (NO 403 — the route has no permission
+     *     filter). Surfaces only when `requireApiKey` throws an
+     *     `AuthError`; the route's catch (route.ts:74-77) propagates
+     *     `error.statusCode` (401 for `AuthError`).
+     *   - `AttestryAPIError` (status 500) — internal kernel error
+     *     (scrubbed message via `internalErrorResponse`). Surfaces
+     *     when the DB connection drops mid-fetch, the verifier
+     *     throws, OR `requireApiKey`'s INFRASTRUCTURE fails (e.g., a
+     *     DB error during the API-key lookup, not an auth-rejection;
+     *     non-`AuthError` errors fall through to the route's
+     *     `internalErrorResponse` catchall at route.ts:78).
+     *   - `AttestryError` ("request aborted by caller") — caller-
+     *     supplied `options.signal` fired (pre-aborted or mid-flight).
+     *   - `AttestryError` (P2 hardening) — kernel response failed
+     *     SDK-side shape validation. See "Response-shape validation"
+     *     below.
+     *   - `AttestryAPIError` (P3 hardening) — kernel response had a
+     *     wrong Content-Type (transport-level guard).
+     *
+     * **Notably ABSENT from the error surface**:
+     *   - **No 400** — this method has no input; nothing to reject for
+     *     malformed input. The route doesn't parse query params or
+     *     body.
+     *   - **No 402 plan-limit** — verifyChain is a READ; no quota.
+     *   - **No 403** — no permission filter on the route (any key with
+     *     a valid org binding succeeds). Asymmetric with
+     *     `auditLog.export` (which gates on ADMIN role).
+     *   - **No 404** — orgId is implicit from auth; no path/query
+     *     parameters that could mismatch.
+     *   - **No 413** — the kernel's `.limit(5000)` silently caps the
+     *     fetch; oversize orgs see a truncated verification (NOT a
+     *     413). Documented kernel surface gap.
+     *   - **No 422** — no Zod schema (no body, no query).
+     *   - **No TypeError from SDK** — this method has no input to
+     *     validate.
+     *
+     * **Response-shape validation** (P2 hardening — symmetric defense
+     * on response side via the module-load `objectHasOwn` snapshot;
+     * mirror of `batch.ts` / `gate.ts` patterns):
+     *   - Rejects with `AttestryError` if the response isn't a non-null,
+     *     non-array object.
+     *   - Rejects if `valid` isn't a boolean.
+     *   - Rejects if `entriesVerified` / `totalEntries` aren't numbers.
+     *   - Rejects if `firstEntry` / `lastEntry` aren't `null` OR a
+     *     string.
+     *   - Rejects if `brokenAt` is OWN-PROPERTY present but NOT a
+     *     string. (When absent, the field is forward-compatibly
+     *     undefined — kernel omits it on valid chains.)
+     *   - Each response field read goes through the module-load
+     *     `objectHasOwn` snapshot — defends against
+     *     `Object.prototype.<field>` pollution masking a missing field.
+     *
+     * **Transport-shape validation** (P3 hardening):
+     *   - Rejects with `AttestryAPIError` if the kernel responds with
+     *     a non-`application/json` Content-Type. NOTE: `valid: false`
+     *     is a normal 200 response and resolves the promise (carry-
+     *     forward invariant #12); only structural failures throw.
+     *
+     * @example Detect a tampered audit log
+     * ```ts
+     * const verdict = await client.auditLog.verifyChain();
+     * if (!verdict.valid) {
+     *   // brokenAt is an OWN-PROPERTY only on broken chains.
+     *   await notifySecurity({
+     *     entryId: verdict.brokenAt,
+     *     verifiedUpTo: verdict.entriesVerified,
+     *     totalEntries: verdict.totalEntries,
+     *   });
+     * }
+     * console.log(`Verified ${verdict.entriesVerified}/${verdict.totalEntries} entries`);
+     * ```
+     *
+     * @example Schedule periodic verification (cron job)
+     * ```ts
+     * // Run hourly from a cron — surfaces tampering within an hour
+     * // of occurrence (high-frequency monitoring for compliance-
+     * // critical orgs).
+     * try {
+     *   const verdict = await client.auditLog.verifyChain();
+     *   if (!verdict.valid) {
+     *     await pageOncall({ brokenAt: verdict.brokenAt });
+     *   }
+     * } catch (err) {
+     *   if (err instanceof AttestryAPIError && err.status === 429) {
+     *     // Back off — verifier is rate-limited per IP.
+     *     return;
+     *   }
+     *   throw err;
+     * }
+     * ```
+     */
+    verifyChain(options) {
+        // No input → no SDK-side input validation. Mirror of decisions'
+        // `verifyChain(systemId)` minus the path-segment validation.
+        return this.client
+            ._request({
+            method: "GET",
+            path: "/api/v1/audit-chain/verify",
+            options,
+        })
+            .then((result) => validateAuditChainVerificationResponse(result));
+    }
+}
+/**
+ * Synchronously verify a query-string value is encodable via
+ * `encodeURIComponent`. Mirrors the helper at `decisions.ts` (carry-
+ * forward invariant #32 — URIError defect-class is uniformly handled).
+ *
+ * Duplicated rather than shared because cross-resource imports between
+ * `audit-log.ts` and `decisions.ts` would create a graph cycle hazard
+ * — both files want to remain leaf-resource modules. A future SDK
+ * refactor may extract validation helpers to a shared module
+ * (e.g., `src/validate.ts`) when a third caller shows up; for now the
+ * duplication is intentional and documented.
+ */
+function assertEncodableQueryString(value, fieldName, methodName) {
+    try {
+        encodeURIComponent(value);
+    }
+    catch (err) {
+        throw new TypeError(`${methodName}: \`${fieldName}\` contains invalid UTF-16 sequences (${
+        // encodeURIComponent always throws URIError (an Error subclass),
+        // so the String(err) branch is unreachable. Defense-in-depth
+        // marker for the v8 coverage tool.
+        /* v8 ignore next */
+        err instanceof Error ? err.message : String(err)})`, { cause: err });
+    }
+}
+/**
+ * Internal — async generator backing `auditLog.export`. Lazy: the
+ * request is NOT issued until the first iteration.
+ *
+ * Auto-pagination loop: each iteration fetches one page; in
+ * `autoPaginate: true` (the default), continues until the kernel stops
+ * emitting `x-attestry-next-cursor`. Each page's INITIAL fetch goes
+ * through the retry middleware (429 + Retry-After). Mid-stream errors
+ * bubble per invariant #20.
+ *
+ * Format dispatch:
+ *   - `cef` → `parseLinesResponse` (raw line splitter; yields strings)
+ *   - `jsonl` → `parseNDJSONResponse` + per-row shape validation; yields
+ *     `AuditLogRecord`. The SDK is the typed boundary — a malformed row
+ *     (schema bug, version skew) throws `AttestryError` rather than
+ *     yielding `undefined as string`.
+ *   - `ecs` → `parseNDJSONResponse`; yields `unknown` (consumer parses
+ *     ECS event shape themselves).
+ */
+async function* runAuditLogExport(client, input, options) {
+    const format = input?.format ?? "jsonl";
+    const autoPaginate = input?.autoPaginate ?? true;
+    // The transport's `expectedContentType` guard runs per-request;
+    // jsonl/ecs ride `application/x-ndjson`, cef rides `text/plain`.
+    // Drives both the `Accept:` request header AND the response
+    // content-type fail-fast guard (single source of truth).
+    const expectedContentType = format === "cef" ? "text/plain" : "application/x-ndjson";
+    let cursor = input?.cursor;
+    while (true) {
+        // Build query — `format` always, `cursor` and `limit` only when
+        // provided. `encodeQuery` skips `undefined` values.
+        const query = {
+            format,
+            cursor,
+            limit: input?.limit,
+        };
+        const response = await client._streamRequest({
+            path: "/api/v1/audit-log/export",
+            query,
+            options,
+            expectedContentType,
+        });
+        if (format === "cef") {
+            // Raw line splitter — yields strings.
+            for await (const line of parseLinesResponse(response)) {
+                yield line;
+            }
+        }
+        else if (format === "ecs") {
+            // ECS rides NDJSON; SDK doesn't enforce ECS shape — consumers
+            // parse via their own ECS schema. Forward-compatible with
+            // future ECS-version additions.
+            for await (const raw of parseNDJSONResponse(response)) {
+                yield raw;
+            }
+        }
+        else {
+            // jsonl — validate AuditLogRecord shape per row.
+            for await (const raw of parseNDJSONResponse(response)) {
+                // Every NDJSON line must be a JSON object — neither primitives
+                // nor arrays nor nulls are valid rows. Defensive: kernel always
+                // emits objects, but a parser yielding e.g. a bare number would
+                // otherwise pass through as `frame` of type `unknown`.
+                if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
+                    throw new AttestryError("auditLog.export: NDJSON line was not a JSON object");
+                }
+                const obj = raw;
+                // Validate per-row shape. The SDK is the typed boundary — a
+                // malformed row (schema bug, version skew) throws here rather
+                // than yielding `undefined as string` to the caller. Same
+                // invariant as decisions.export's per-record validation.
+                if (typeof obj.id !== "string" ||
+                    typeof obj.timestamp !== "string" ||
+                    typeof obj.orgId !== "string" ||
+                    (obj.userId !== null && typeof obj.userId !== "string") ||
+                    typeof obj.action !== "string" ||
+                    (obj.resourceType !== null && typeof obj.resourceType !== "string") ||
+                    (obj.resourceId !== null && typeof obj.resourceId !== "string") ||
+                    // `details` is `unknown` (jsonb) — pass through as-is.
+                    (obj.ipAddress !== null && typeof obj.ipAddress !== "string") ||
+                    (obj.userAgent !== null && typeof obj.userAgent !== "string") ||
+                    (obj.sessionId !== null && typeof obj.sessionId !== "string") ||
+                    (obj.entryHash !== null && typeof obj.entryHash !== "string") ||
+                    (obj.previousEntryHash !== null &&
+                        typeof obj.previousEntryHash !== "string")) {
+                    throw new AttestryError("auditLog.export: NDJSON record missing required fields or wrong type");
+                }
+                yield {
+                    id: obj.id,
+                    timestamp: obj.timestamp,
+                    orgId: obj.orgId,
+                    userId: obj.userId,
+                    action: obj.action,
+                    resourceType: obj.resourceType,
+                    resourceId: obj.resourceId,
+                    details: obj.details,
+                    ipAddress: obj.ipAddress,
+                    userAgent: obj.userAgent,
+                    sessionId: obj.sessionId,
+                    entryHash: obj.entryHash,
+                    previousEntryHash: obj.previousEntryHash,
+                };
+            }
+        }
+        // Pagination decision. The cursor lives in the response HEADER
+        // (NOT a body trailer — asymmetric with decisions.export, build-
+        // round D8). After draining the body, read the header. If absent
+        // OR autoPaginate is false, exit. Otherwise feed the cursor back
+        // into the next page's query.
+        const nextCursor = response.headers.get("x-attestry-next-cursor");
+        if (!autoPaginate || nextCursor === null) {
+            return;
+        }
+        cursor = nextCursor;
+    }
+}
+/**
+ * P2 hardening: validate the `verifyChain()` response's 5 always-
+ * present fields plus the optional `brokenAt` field. Symmetric
+ * prototype-pollution defense — read EACH field via the module-load
+ * `objectHasOwn` snapshot so a hostile npm dep polluting
+ * `Object.prototype.<field>` cannot mask a kernel regression that
+ * drops the field (per session-16 second-hostile-review MEDIUM #3
+ * carry-forward — defense applied on the response boundary even when
+ * the input boundary is empty).
+ *
+ * Returns the validated `result` (typed `AuditChainVerificationResult`)
+ * on success; throws `AttestryError` on any shape violation. Extracted
+ * as a free function so the resource method body stays focused on
+ * request construction.
+ *
+ * **`brokenAt` is INTENTIONALLY omitted from the wire on valid chains**
+ * — the kernel uses a conditional spread
+ * `...(result.brokenAtId ? { brokenAt: result.brokenAtId } : {})` at
+ * `route.ts:72`. When `valid: true`, the field is NOT an own-property
+ * of the response. The validator checks `objectHasOwn` BEFORE
+ * type-checking, so absent-and-untyped is forward-compatible —
+ * present-but-non-string is the actual regression signal.
+ *
+ * **Number-field validation is `typeof X === "number"` ONLY**
+ * (session-19 review-2 LOW-2 carry-forward — faithful-courier
+ * documented asymmetry). The check accepts `NaN`, `Infinity`,
+ * `-Infinity`, `-0`, and `MAX_SAFE_INTEGER+1` (which loses
+ * precision) — these would all pass `typeof === "number"`. This
+ * is INTENTIONAL: JSON.parse on a kernel-emitted JSON string can
+ * NEVER produce NaN / Infinity (JSON spec doesn't represent them);
+ * `-0` and large numbers round-trip with whatever precision the
+ * JSON gave. Tightening to `Number.isFinite` / `Number.isInteger`
+ * would be a stricter contract than the kernel emits — the SDK
+ * stays faithful-courier on numbers (symmetric with batch /
+ * decisions / gate's response validators). **If a future wire
+ * format (msgpack, CBOR) is added, this asymmetry must be
+ * revisited** — the new wire could carry NaN literally, and the
+ * faithful-courier semantic would leak NaN to consumers.
+ *
+ * **Single-field rejection semantics** (session-19 review-3 M1
+ * carry-forward — UX/diagnostic clarification). The validator
+ * checks fields SEQUENTIALLY in declaration order (valid →
+ * entriesVerified → totalEntries → firstEntry → lastEntry →
+ * brokenAt) and throws on the FIRST failing field. If a kernel
+ * regression drops MULTIPLE fields at once, the consumer sees
+ * ONLY the first failing field's diagnostic — they must fix
+ * the fixture and re-run to surface the next failure. This
+ * matches batch.ts / gate.ts / check.ts patterns (project
+ * convention for response-shape validators); accumulating into
+ * a multi-field message would diverge from the rest of the SDK.
+ * Trade-off accepted: consistency-with-project-pattern wins
+ * over single-cycle full-diagnostic.
+ */
+function validateAuditChainVerificationResponse(result) {
+    if (result === null ||
+        typeof result !== "object" ||
+        Array.isArray(result)) {
+        throw new AttestryError(`auditLog.verifyChain: expected an object response from the kernel ` +
+            `(got ${describeType(result)})`);
+    }
+    const obj = result;
+    const valid = objectHasOwn(obj, "valid") ? obj.valid : undefined;
+    if (typeof valid !== "boolean") {
+        throw new AttestryError(`auditLog.verifyChain: expected response.valid to be a boolean ` +
+            `(got ${describeType(valid)})`);
+    }
+    const entriesVerified = objectHasOwn(obj, "entriesVerified")
+        ? obj.entriesVerified
+        : undefined;
+    if (typeof entriesVerified !== "number") {
+        throw new AttestryError(`auditLog.verifyChain: expected response.entriesVerified to be a number ` +
+            `(got ${describeType(entriesVerified)})`);
+    }
+    const totalEntries = objectHasOwn(obj, "totalEntries")
+        ? obj.totalEntries
+        : undefined;
+    if (typeof totalEntries !== "number") {
+        throw new AttestryError(`auditLog.verifyChain: expected response.totalEntries to be a number ` +
+            `(got ${describeType(totalEntries)})`);
+    }
+    const firstEntry = objectHasOwn(obj, "firstEntry")
+        ? obj.firstEntry
+        : undefined;
+    if (firstEntry !== null && typeof firstEntry !== "string") {
+        throw new AttestryError(`auditLog.verifyChain: expected response.firstEntry to be a string or null ` +
+            `(got ${describeType(firstEntry)})`);
+    }
+    const lastEntry = objectHasOwn(obj, "lastEntry")
+        ? obj.lastEntry
+        : undefined;
+    if (lastEntry !== null && typeof lastEntry !== "string") {
+        throw new AttestryError(`auditLog.verifyChain: expected response.lastEntry to be a string or null ` +
+            `(got ${describeType(lastEntry)})`);
+    }
+    // `brokenAt` is OPTIONAL — kernel omits it entirely on valid chains.
+    // Only enforce the type guard when the field is an own-property of
+    // the response. Absent-AND-untyped is the valid-chain shape.
+    if (objectHasOwn(obj, "brokenAt")) {
+        const brokenAt = obj.brokenAt;
+        if (typeof brokenAt !== "string") {
+            throw new AttestryError(`auditLog.verifyChain: expected response.brokenAt to be a string when present ` +
+                `(got ${describeType(brokenAt)})`);
+        }
+    }
+    return result;
+}
+/**
+ * Human-readable type description for error messages. Distinguishes
+ * `null` and `array` from generic `object`. Duplicated in
+ * `decisions.ts`, `incidents.ts`, `regulatory-changes.ts`,
+ * `compliance-check.ts`, `check.ts`, `gate.ts`, `batch.ts` per
+ * project pattern (small helper, leaf-resource modules, no shared
+ * module yet).
+ *
+ * All four branches are reachable through `validateAuditChainVerificationResponse`'s
+ * call sites: top-level shape check (null + array + non-object scalar),
+ * per-field type guards (each field's `describeType(<wrong type>)`
+ * exercised by tests).
+ */
+function describeType(value) {
+    if (value === null)
+        return "null";
+    if (Array.isArray(value))
+        return "array";
+    return typeof value;
+}
+//# sourceMappingURL=audit-log.js.map

package/dist/resources/audit-log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit-log.js","sourceRoot":"","sources":["../../src/resources/audit-log.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,sEAAsE;AACtE,8CAA8C;AAC9C,EAAE;AACF,uFAAuF;AACvF,iFAAiF;AACjF,EAAE;AACF,8DAA8D;AAC9D,gEAAgE;AAChE,sEAAsE;AACtE,qEAAqE;AACrE,aAAa;AACb,EAAE;AACF,wEAAwE;AACxE,qEAAqE;AACrE,qEAAqE;AACrE,sEAAsE;AACtE,iEAAiE;AACjE,uBAAuB;AACvB,qEAAqE;AACrE,kEAAkE;AAClE,wEAAwE;AACxE,sEAAsE;AACtE,uEAAuE;AACvE,mDAAmD;AACnD,EAAE;AACF,mDAAmD;AACnD,8DAA8D;AAC9D,kEAAkE;AAClE,oEAAoE;AACpE,uEAAuE;AACvE,gEAAgE;AAChE,gEAAgE;AAChE,sEAAsE;AACtE,gDAAgD;AAChD,EAAE;AACF,uEAAuE;AACvE,gEAAgE;AAChE,0EAA0E;AAC1E,4DAA4D;AAC5D,wDAAwD;AACxD,yDAAyD;AACzD,oEAAoE;AACpE,WAAW;AACX,EAAE;AACF,sBAAsB;AACtB,8DAA8D;AAC9D,oEAAoE;AACpE,6BAA6B;AAC7B,0EAA0E;AAC1E,sEAAsE;AACtE,sEAAsE;AACtE,qEAAqE;AACrE,2DAA2D;AAC3D,EAAE;AACF,qEAAqE;AACrE,mEAAmE;AACnE,oEAAoE;AACpE,sEAAsE;AACtE,2DAA2D;AAC3D,yBAAyB;AACzB,EAAE;AACF,wEAAwE;AACxE,yEAAyE;AAGzE,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAEtD,8DAA8D;AAC9D,sEAAsE;AACtE,kEAAkE;AAClE,2EAA2E;AAC3E,sEAAsE;AACtE,kEAAkE;AAClE,mEAAmE;AACnE,SAAS;AACT,EAAE;AACF,wEAAwE;AACxE,qEAAqE;AACrE,qEAAqE;AACrE,gEAAgE;AAChE,2CAA2C;AAC3C,MAAM,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;AAEnC;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,MAAM,CAAC,MAAM,CAAC;IACpD,OAAO;IACP,KAAK;IACL,KAAK;CACG,CAAC,CAAC;AA0OZ;;;;GAIG;AACH,MAAM,OAAO,gBAAgB;IACE;IAA7B,YAA6B,MAAsB;QAAtB,WAAM,GAAN,MAAM,CAAgB;IAAG,CAAC;IA2JvD,MAAM,CACJ,KAA2B,EAC3B,OAAwB;QAExB,iEAAiE;QACjE,kEAAkE;QAClE,iEAAiE;QACjE,gEAAgE;QAChE,oCAAoC;QACpC,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxE,MAAM,IAAI,SAAS,CAAC,0DAA0D,CAAC,CAAC;YAClF,CAAC;YACD,8DAA8D;YAC9D,8DAA8D;YAC9D,6DAA6D;YAC7D,4DAA4D;YAC5D,6DAA6D;YAC7D,iEAAiE;YACjE,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;YAClE,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;YAClE,MAAM,KAAK,GAAG,cAAc,CAAC,KAAK,EAAE,OAAO,EAAE,iBAAiB,CAAC,CAAC;YAChE,MAAM,YAAY,GAAG,cAAc,CACjC,KAAK,EACL,cAAc,EACd,iBAAiB,CAClB,CAAC;YACF,+DAA+D;YAC/D,oEAAoE;YACpE,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,IACE,OAAO,MAAM,KAAK,QAAQ;oBAC1B,CAAE,wBAA8C,CAAC,QAAQ,CAAC,MAAM,CAAC,EACjE,CAAC;oBACD,MAAM,IAAI,SAAS,CACjB,8CAA8C,wBAAwB,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAClG,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,mDAAmD;YACnD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACtD,MAAM,IAAI,SAAS,CACjB,oEAAoE,CACrE,CAAC;gBACJ,CAAC;gBACD,0BAA0B,CAAC,MAAM,EAAE,QAAQ,EAAE,iBAAiB,CAAC,CAAC;YAClE,CAAC;YACD,gEAAgE;YAChE,8DAA8D;YAC9D,oBAAoB;YACpB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxB,IACE,OAAO,KAAK,KAAK,QAAQ;oBACzB,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;oBACxB,KAAK,IAAI,CAAC,EACV,CAAC;oBACD,MAAM,IAAI,SAAS,CACjB,mEAAmE,CACpE,CAAC;gBACJ,CAAC;YACH,CAAC;YACD,gCAAgC;YAChC,IAAI,YAAY,KAAK,SAAS,IAAI,OAAO,YAAY,KAAK,SAAS,EAAE,CAAC;gBACpE,MAAM,IAAI,SAAS,CACjB,iEAAiE,CAClE,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACxD,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAyLG;IACH,WAAW,CACT,OAAwB;QAExB,gEAAgE;QAChE,6DAA6D;QAC7D,OAAO,IAAI,CAAC,MAAM;aACf,QAAQ,CAA+B;YACtC,MAAM,EAAE,KAAK;YACb,IAAI,EAAE,4BAA4B;YAClC,OAAO;SACR,CAAC;aACD,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,sCAAsC,CAAC,MAAM,CAAC,CAAC,CAAC;IACtE,CAAC;CACF;AAED;;;;;;;;;;;GAWG;AACH,SAAS,0BAA0B,CACjC,KAAa,EACb,SAAiB,EACjB,UAAkB;IAElB,IAAI,CAAC;QACH,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,SAAS,CACjB,GAAG,UAAU,OAAO,SAAS,yCAAyC;QACpE,iEAAiE;QACjE,6DAA6D;QAC7D,mCAAmC;QACnC,oBAAoB;QACpB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CACjD,GAAG,EACH,EAAE,KAAK,EAAE,GAAG,EAAE,CACf,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,KAAK,SAAS,CAAC,CAAC,iBAAiB,CAC/B,MAAsB,EACtB,KAAsC,EACtC,OAAmC;IAEnC,MAAM,MAAM,GAAyB,KAAK,EAAE,MAAM,IAAI,OAAO,CAAC;IAC9D,MAAM,YAAY,GAAG,KAAK,EAAE,YAAY,IAAI,IAAI,CAAC;IAEjD,gEAAgE;IAChE,iEAAiE;IACjE,4DAA4D;IAC5D,yDAAyD;IACzD,MAAM,mBAAmB,GACvB,MAAM,KAAK,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,sBAAsB,CAAC;IAE3D,IAAI,MAAM,GAAuB,KAAK,EAAE,MAAM,CAAC;IAE/C,OAAO,IAAI,EAAE,CAAC;QACZ,gEAAgE;QAChE,oDAAoD;QACpD,MAAM,KAAK,GAAgD;YACzD,MAAM;YACN,MAAM;YACN,KAAK,EAAE,KAAK,EAAE,KAAK;SACpB,CAAC;QAEF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,cAAc,CAAC;YAC3C,IAAI,EAAE,0BAA0B;YAChC,KAAK;YACL,OAAO;YACP,mBAAmB;SACpB,CAAC,CAAC;QAEH,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YACrB,sCAAsC;YACtC,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,MAAM,IAAI,CAAC;YACb,CAAC;QACH,CAAC;aAAM,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;YAC5B,8DAA8D;YAC9D,0DAA0D;YAC1D,gCAAgC;YAChC,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,MAAM,GAAG,CAAC;YACZ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,iDAAiD;YACjD,IAAI,KAAK,EAAE,MAAM,GAAG,IAAI,mBAAmB,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACtD,+DAA+D;gBAC/D,gEAAgE;gBAChE,gEAAgE;gBAChE,uDAAuD;gBACvD,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;oBAClE,MAAM,IAAI,aAAa,CACrB,oDAAoD,CACrD,CAAC;gBACJ,CAAC;gBACD,MAAM,GAAG,GAAG,GAA8B,CAAC;gBAC3C,4DAA4D;gBAC5D,8DAA8D;gBAC9D,0DAA0D;gBAC1D,yDAAyD;gBACzD,IACE,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ;oBAC1B,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;oBACjC,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ;oBAC7B,CAAC,GAAG,CAAC,MAAM,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC;oBACvD,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ;oBAC9B,CAAC,GAAG,CAAC,YAAY,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,YAAY,KAAK,QAAQ,CAAC;oBACnE,CAAC,GAAG,CAAC,UAAU,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,QAAQ,CAAC;oBAC/D,uDAAuD;oBACvD,CAAC,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC;oBAC7D,CAAC,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC;oBAC7D,CAAC,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC;oBAC7D,CAAC,GAAG,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ,CAAC;oBAC7D,CAAC,GAAG,CAAC,iBAAiB,KAAK,IAAI;wBAC7B,OAAO,GAAG,CAAC,iBAAiB,KAAK,QAAQ,CAAC,EAC5C,CAAC;oBACD,MAAM,IAAI,aAAa,CACrB,sEAAsE,CACvE,CAAC;gBACJ,CAAC;gBACD,MAAM;oBACJ,EAAE,EAAE,GAAG,CAAC,EAAE;oBACV,SAAS,EAAE,GAAG,CAAC,SAAS;oBACxB,KAAK,EAAE,GAAG,CAAC,KAAK;oBAChB,MAAM,EAAE,GAAG,CAAC,MAAuB;oBACnC,MAAM,EAAE,GAAG,CAAC,MAAM;oBAClB,YAAY,EAAE,GAAG,CAAC,YAA6B;oBAC/C,UAAU,EAAE,GAAG,CAAC,UAA2B;oBAC3C,OAAO,EAAE,GAAG,CAAC,OAAO;oBACpB,SAAS,EAAE,GAAG,CAAC,SAA0B;oBACzC,SAAS,EAAE,GAAG,CAAC,SAA0B;oBACzC,SAAS,EAAE,GAAG,CAAC,SAA0B;oBACzC,SAAS,EAAE,GAAG,CAAC,SAA0B;oBACzC,iBAAiB,EAAE,GAAG,CAAC,iBAAkC;iBAC1D,CAAC;YACJ,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,iEAAiE;QACjE,iEAAiE;QACjE,iEAAiE;QACjE,8BAA8B;QAC9B,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QAClE,IAAI,CAAC,YAAY,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACzC,OAAO;QACT,CAAC;QACD,MAAM,GAAG,UAAU,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoDG;AACH,SAAS,sCAAsC,CAC7C,MAAe;IAEf,IACE,MAAM,KAAK,IAAI;QACf,OAAO,MAAM,KAAK,QAAQ;QAC1B,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EACrB,CAAC;QACD,MAAM,IAAI,aAAa,CACrB,oEAAoE;YAClE,QAAQ,YAAY,CAAC,MAAM,CAAC,GAAG,CAClC,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,MAAiC,CAAC;IAE9C,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IACjE,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,IAAI,aAAa,CACrB,gEAAgE;YAC9D,QAAQ,YAAY,CAAC,KAAK,CAAC,GAAG,CACjC,CAAC;IACJ,CAAC;IACD,MAAM,eAAe,GAAG,YAAY,CAAC,GAAG,EAAE,iBAAiB,CAAC;QAC1D,CAAC,CAAC,GAAG,CAAC,eAAe;QACrB,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,OAAO,eAAe,KAAK,QAAQ,EAAE,CAAC;QACxC,MAAM,IAAI,aAAa,CACrB,yEAAyE;YACvE,QAAQ,YAAY,CAAC,eAAe,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IACD,MAAM,YAAY,GAAG,YAAY,CAAC,GAAG,EAAE,cAAc,CAAC;QACpD,CAAC,CAAC,GAAG,CAAC,YAAY;QAClB,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,OAAO,YAAY,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,aAAa,CACrB,sEAAsE;YACpE,QAAQ,YAAY,CAAC,YAAY,CAAC,GAAG,CACxC,CAAC;IACJ,CAAC;IACD,MAAM,UAAU,GAAG,YAAY,CAAC,GAAG,EAAE,YAAY,CAAC;QAChD,CAAC,CAAC,GAAG,CAAC,UAAU;QAChB,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,UAAU,KAAK,IAAI,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAC1D,MAAM,IAAI,aAAa,CACrB,4EAA4E;YAC1E,QAAQ,YAAY,CAAC,UAAU,CAAC,GAAG,CACtC,CAAC;IACJ,CAAC;IACD,MAAM,SAAS,GAAG,YAAY,CAAC,GAAG,EAAE,WAAW,CAAC;QAC9C,CAAC,CAAC,GAAG,CAAC,SAAS;QACf,CAAC,CAAC,SAAS,CAAC;IACd,IAAI,SAAS,KAAK,IAAI,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxD,MAAM,IAAI,aAAa,CACrB,2EAA2E;YACzE,QAAQ,YAAY,CAAC,SAAS,CAAC,GAAG,CACrC,CAAC;IACJ,CAAC;IACD,qEAAqE;IACrE,mEAAmE;IACnE,6DAA6D;IAC7D,IAAI,YAAY,CAAC,GAAG,EAAE,UAAU,CAAC,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC;QAC9B,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACjC,MAAM,IAAI,aAAa,CACrB,+EAA+E;gBAC7E,QAAQ,YAAY,CAAC,QAAQ,CAAC,GAAG,CACpC,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,MAAsC,CAAC;AAChD,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,YAAY,CAAC,KAAc;IAClC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IACzC,OAAO,OAAO,KAAK,CAAC;AACtB,CAAC"}