@blokjs/runner 0.6.21 → 0.7.0

package/dist/security/TLSConfig.js

@@ -1,550 +0,0 @@
-/**
- * TLS/SSL Configuration for Blok Framework
- *
- * Manages TLS certificate and cipher configuration for secure communications:
- * - Server-side TLS options for Node.js HTTPS/TLS servers
- * - Client-side TLS options for outbound connections
- * - Certificate validation (expiry, chain integrity, cipher strength)
- * - Certificate info parsing (subject, issuer, serial, fingerprint)
- * - Mutual TLS (mTLS) support with client certificate verification
- * - Self-signed certificate generation for development and testing
- *
- * @example
- * ```typescript
- * import { TLSConfig } from "@blokjs/runner";
- *
- * // Production TLS setup
- * const tls = new TLSConfig({
- *   certPath: "/etc/ssl/certs/server.crt",
- *   keyPath: "/etc/ssl/private/server.key",
- *   caPath: "/etc/ssl/certs/ca.crt",
- *   minVersion: "TLSv1.2",
- *   mutualTLS: { enabled: true, caPath: "/etc/ssl/certs/client-ca.crt" },
- * });
- *
- * // Use with Node.js HTTPS server
- * const serverOpts = tls.createServerOptions();
- * const server = https.createServer(serverOpts, app);
- *
- * // Validate certificates
- * const validation = tls.validate();
- * if (!validation.valid) {
- *   console.error("TLS validation failed:", validation.errors);
- * }
- *
- * // Generate self-signed cert for development
- * const { cert, key } = TLSConfig.generateSelfSigned({
- *   commonName: "localhost",
- *   days: 365,
- * });
- * ```
- */
-import { X509Certificate, createPrivateKey, createSign, randomBytes as cryptoRandomBytes, generateKeyPairSync, } from "node:crypto";
-import { existsSync, readFileSync } from "node:fs";
-// ---------------------------------------------------------------------------
-// Implementation
-// ---------------------------------------------------------------------------
-/**
- * Manages TLS/SSL configuration for secure communications.
- *
- * Supports server-side and client-side TLS setup, certificate inspection,
- * validation, mutual TLS, and self-signed certificate generation for
- * development environments.
- *
- * @example
- * ```typescript
- * const tls = new TLSConfig({
- *   certPath: "./certs/server.crt",
- *   keyPath: "./certs/server.key",
- * });
- *
- * if (tls.isExpiringSoon(30)) {
- *   console.warn("Certificate expires within 30 days!");
- * }
- * ```
- */
-export class TLSConfig {
-    options;
-    cachedCert;
-    cachedKey;
-    cachedCa;
-    /**
-     * Create a new TLSConfig instance.
-     *
-     * @param options - TLS configuration options
-     */
-    constructor(options) {
-        this.options = {
-            minVersion: "TLSv1.2",
-            maxVersion: "TLSv1.3",
-            rejectUnauthorized: true,
-            ...options,
-        };
-    }
-    // -----------------------------------------------------------------------
-    // Public API
-    // -----------------------------------------------------------------------
-    /**
-     * Create TLS options suitable for a Node.js HTTPS or TLS server.
-     *
-     * The returned object can be passed directly to
-     * `https.createServer(options)` or `tls.createServer(options)`.
-     *
-     * @returns TLS options for server-side use
-     * @throws {Error} If required certificate or key cannot be loaded
-     *
-     * @example
-     * ```typescript
-     * const serverOpts = tlsConfig.createServerOptions();
-     * const server = https.createServer(serverOpts, requestHandler);
-     * ```
-     */
-    createServerOptions() {
-        const cert = this.loadCert();
-        const key = this.loadKey();
-        const ca = this.loadCA();
-        const opts = {
-            cert,
-            key,
-            minVersion: this.options.minVersion,
-            maxVersion: this.options.maxVersion,
-        };
-        if (this.options.keyPassphrase) {
-            opts.passphrase = this.options.keyPassphrase;
-        }
-        if (ca) {
-            opts.ca = ca;
-        }
-        if (this.options.ciphers) {
-            opts.ciphers = this.options.ciphers;
-        }
-        // Mutual TLS: request and verify client certificates
-        if (this.options.mutualTLS?.enabled) {
-            opts.requestCert = true;
-            opts.rejectUnauthorized = this.options.mutualTLS.rejectUnauthorized ?? true;
-            const mTlsCa = this.loadMutualTLSCA();
-            if (mTlsCa) {
-                opts.ca = mTlsCa;
-            }
-        }
-        return opts;
-    }
-    /**
-     * Create TLS options suitable for outbound client connections.
-     *
-     * The returned object can be passed to `tls.connect(options)` or used
-     * with HTTPS client libraries.
-     *
-     * @returns TLS connection options for client-side use
-     *
-     * @example
-     * ```typescript
-     * const clientOpts = tlsConfig.createClientOptions();
-     * const socket = tls.connect(443, "example.com", clientOpts);
-     * ```
-     */
-    createClientOptions() {
-        const opts = {
-            minVersion: this.options.minVersion,
-            maxVersion: this.options.maxVersion,
-            rejectUnauthorized: this.options.rejectUnauthorized,
-        };
-        const ca = this.loadCA();
-        if (ca) {
-            opts.ca = ca;
-        }
-        // For mTLS, include client cert and key
-        if (this.options.mutualTLS?.enabled) {
-            const cert = this.loadCert();
-            const key = this.loadKey();
-            if (cert)
-                opts.cert = cert;
-            if (key)
-                opts.key = key;
-            if (this.options.keyPassphrase) {
-                opts.passphrase = this.options.keyPassphrase;
-            }
-        }
-        if (this.options.ciphers) {
-            opts.ciphers = this.options.ciphers;
-        }
-        return opts;
-    }
-    /**
-     * Validate the current TLS configuration.
-     *
-     * Checks for:
-     * - Certificate and key file existence
-     * - Certificate parsing validity
-     * - Certificate expiry (error if expired, warning if < 30 days)
-     * - Key/cert pair consistency
-     * - Mutual TLS CA availability
-     *
-     * @returns A {@link TLSValidationResult} with errors and warnings
-     *
-     * @example
-     * ```typescript
-     * const result = tlsConfig.validate();
-     * if (!result.valid) {
-     *   result.errors.forEach(e => console.error(e));
-     * }
-     * ```
-     */
-    validate() {
-        const errors = [];
-        const warnings = [];
-        // Check file existence
-        if (this.options.certPath && !existsSync(this.options.certPath)) {
-            errors.push(`Certificate file not found: ${this.options.certPath}`);
-        }
-        if (this.options.keyPath && !existsSync(this.options.keyPath)) {
-            errors.push(`Private key file not found: ${this.options.keyPath}`);
-        }
-        if (this.options.caPath && !existsSync(this.options.caPath)) {
-            warnings.push(`CA file not found: ${this.options.caPath}`);
-        }
-        // Validate certificate
-        try {
-            const certPem = this.loadCert();
-            if (certPem) {
-                const x509 = new X509Certificate(certPem);
-                const now = new Date();
-                const validTo = new Date(x509.validTo);
-                const validFrom = new Date(x509.validFrom);
-                if (now < validFrom) {
-                    errors.push(`Certificate is not yet valid (validFrom: ${validFrom.toISOString()})`);
-                }
-                if (now > validTo) {
-                    errors.push(`Certificate has expired (validTo: ${validTo.toISOString()})`);
-                }
-                else {
-                    const daysUntilExpiry = Math.floor((validTo.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
-                    if (daysUntilExpiry <= 30) {
-                        warnings.push(`Certificate expires in ${daysUntilExpiry} days (${validTo.toISOString()})`);
-                    }
-                }
-            }
-            else if (!this.options.cert && !this.options.certPath) {
-                errors.push("No certificate configured (cert or certPath required)");
-            }
-        }
-        catch (err) {
-            errors.push(`Failed to parse certificate: ${err instanceof Error ? err.message : String(err)}`);
-        }
-        // Validate private key
-        try {
-            const keyPem = this.loadKey();
-            if (keyPem) {
-                createPrivateKey({
-                    key: keyPem,
-                    passphrase: this.options.keyPassphrase,
-                });
-            }
-            else if (!this.options.key && !this.options.keyPath) {
-                errors.push("No private key configured (key or keyPath required)");
-            }
-        }
-        catch (err) {
-            errors.push(`Failed to parse private key: ${err instanceof Error ? err.message : String(err)}`);
-        }
-        // Validate mTLS CA
-        if (this.options.mutualTLS?.enabled) {
-            const mTlsCaPath = this.options.mutualTLS.caPath;
-            if (mTlsCaPath && !existsSync(mTlsCaPath) && !this.options.mutualTLS.ca) {
-                errors.push(`Mutual TLS CA file not found: ${mTlsCaPath}`);
-            }
-            if (!mTlsCaPath && !this.options.mutualTLS.ca) {
-                warnings.push("Mutual TLS enabled but no client CA configured");
-            }
-        }
-        return {
-            valid: errors.length === 0,
-            errors,
-            warnings,
-        };
-    }
-    /**
-     * Parse and return detailed information about the server certificate.
-     *
-     * @returns Parsed {@link CertificateInfo}
-     * @throws {Error} If no certificate is configured or parsing fails
-     *
-     * @example
-     * ```typescript
-     * const info = tlsConfig.getCertificateInfo();
-     * console.log(info.subject);   // "CN=example.com"
-     * console.log(info.validTo);   // Date object
-     * ```
-     */
-    getCertificateInfo() {
-        const certPem = this.loadCert();
-        if (!certPem) {
-            throw new Error("No certificate configured; cannot retrieve certificate info");
-        }
-        const x509 = new X509Certificate(certPem);
-        return {
-            subject: x509.subject,
-            issuer: x509.issuer,
-            validFrom: new Date(x509.validFrom),
-            validTo: new Date(x509.validTo),
-            serialNumber: x509.serialNumber,
-            fingerprint: x509.fingerprint256,
-        };
-    }
-    /**
-     * Check whether the server certificate expires within a given number of
-     * days.
-     *
-     * @param days - Number of days to check against
-     * @returns True if the certificate expires within the specified number of days
-     * @throws {Error} If no certificate is configured
-     *
-     * @example
-     * ```typescript
-     * if (tlsConfig.isExpiringSoon(30)) {
-     *   console.warn("Certificate expires within 30 days!");
-     * }
-     * ```
-     */
-    isExpiringSoon(days) {
-        const info = this.getCertificateInfo();
-        const now = new Date();
-        const msUntilExpiry = info.validTo.getTime() - now.getTime();
-        const daysUntilExpiry = msUntilExpiry / (1000 * 60 * 60 * 24);
-        return daysUntilExpiry <= days;
-    }
-    /**
-     * Generate a self-signed certificate for development and testing.
-     *
-     * This is a static method that does not require a TLSConfig instance.
-     * The generated certificate uses RSA key pair and SHA-256 signing.
-     *
-     * **WARNING**: Self-signed certificates should NEVER be used in production.
-     *
-     * @param opts - Self-signed certificate generation options
-     * @returns Object containing PEM-encoded certificate and private key
-     *
-     * @example
-     * ```typescript
-     * const { cert, key } = TLSConfig.generateSelfSigned({
-     *   commonName: "localhost",
-     *   days: 30,
-     *   bits: 2048,
-     * });
-     * ```
-     */
-    static generateSelfSigned(opts) {
-        const bits = opts.bits ?? 2048;
-        const days = opts.days ?? 365;
-        // Generate RSA key pair
-        const { privateKey, publicKey } = generateKeyPairSync("rsa", {
-            modulusLength: bits,
-            publicKeyEncoding: { type: "spki", format: "pem" },
-            privateKeyEncoding: { type: "pkcs8", format: "pem" },
-        });
-        // Build a minimal self-signed X.509 v3 certificate using Node.js crypto
-        // Node.js 20+ supports X509Certificate creation, but for broader
-        // compatibility we construct a PEM manually using the crypto module's
-        // sign capabilities.
-        //
-        // For simplicity, we use the `node:crypto` createSign API to produce
-        // a DER-encoded self-signed cert.  In practice, libraries like
-        // `selfsigned` or `node-forge` are often used.  This implementation
-        // provides a functional placeholder that works with Node.js built-ins.
-        // Serial number (20 bytes, positive)
-        const serial = cryptoRandomBytes(20);
-        serial[0] = serial[0] & 0x7f; // Ensure positive
-        const notBefore = new Date();
-        const notAfter = new Date(notBefore.getTime() + days * 24 * 60 * 60 * 1000);
-        // Construct a simplified ASN.1 DER self-signed certificate
-        // This uses a minimal approach; for production, use a proper library.
-        const cn = opts.commonName;
-        // Encode subject/issuer distinguished name
-        const encodeDN = (commonName) => {
-            const cnBytes = Buffer.from(commonName, "utf8");
-            // OID 2.5.4.3 (CN) = 55 04 03
-            const oid = Buffer.from([0x06, 0x03, 0x55, 0x04, 0x03]);
-            const cnValue = Buffer.concat([Buffer.from([0x0c, cnBytes.length]), cnBytes]);
-            const atv = Buffer.concat([oid, cnValue]);
-            const atvSeq = wrapSequence(atv);
-            const rdnSet = wrapSet(atvSeq);
-            return wrapSequence(rdnSet);
-        };
-        const encodeTime = (date) => {
-            const y = date.getUTCFullYear();
-            let timeStr;
-            let tag;
-            if (y < 2050) {
-                // UTCTime YYMMDDHHMMSSZ
-                timeStr = `${String(y % 100).padStart(2, "0") +
-                    String(date.getUTCMonth() + 1).padStart(2, "0") +
-                    String(date.getUTCDate()).padStart(2, "0") +
-                    String(date.getUTCHours()).padStart(2, "0") +
-                    String(date.getUTCMinutes()).padStart(2, "0") +
-                    String(date.getUTCSeconds()).padStart(2, "0")}Z`;
-                tag = 0x17;
-            }
-            else {
-                // GeneralizedTime YYYYMMDDHHMMSSZ
-                timeStr = `${String(y) +
-                    String(date.getUTCMonth() + 1).padStart(2, "0") +
-                    String(date.getUTCDate()).padStart(2, "0") +
-                    String(date.getUTCHours()).padStart(2, "0") +
-                    String(date.getUTCMinutes()).padStart(2, "0") +
-                    String(date.getUTCSeconds()).padStart(2, "0")}Z`;
-                tag = 0x18;
-            }
-            const bytes = Buffer.from(timeStr, "ascii");
-            return Buffer.concat([Buffer.from([tag, bytes.length]), bytes]);
-        };
-        const wrapSequence = (data) => {
-            return Buffer.concat([Buffer.from([0x30]), encodeLength(data.length), data]);
-        };
-        const wrapSet = (data) => {
-            return Buffer.concat([Buffer.from([0x31]), encodeLength(data.length), data]);
-        };
-        const encodeLength = (len) => {
-            if (len < 0x80)
-                return Buffer.from([len]);
-            if (len < 0x100)
-                return Buffer.from([0x81, len]);
-            return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);
-        };
-        const encodeInteger = (buf) => {
-            // Ensure positive: if high bit set, prepend 0x00
-            let data = buf;
-            if (data[0] & 0x80) {
-                data = Buffer.concat([Buffer.from([0x00]), data]);
-            }
-            return Buffer.concat([Buffer.from([0x02]), encodeLength(data.length), data]);
-        };
-        const encodeBitString = (data) => {
-            // Bit string: 0x03 <len> 0x00 <data>
-            const inner = Buffer.concat([Buffer.from([0x00]), data]);
-            return Buffer.concat([Buffer.from([0x03]), encodeLength(inner.length), inner]);
-        };
-        // Parse the public key from PEM (SPKI format)
-        const pubKeyDer = pemToDer(publicKey);
-        // Version: v3 (value 2), context-tagged [0] EXPLICIT
-        const version = Buffer.concat([Buffer.from([0xa0, 0x03, 0x02, 0x01, 0x02])]);
-        const serialNumber = encodeInteger(serial);
-        const subject = encodeDN(cn);
-        const issuer = encodeDN(cn); // Self-signed: issuer = subject
-        // Signature algorithm: sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11)
-        const sigAlgOid = Buffer.from([0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b]);
-        const sigAlg = wrapSequence(Buffer.concat([sigAlgOid, Buffer.from([0x05, 0x00])]));
-        // Validity
-        const validity = wrapSequence(Buffer.concat([encodeTime(notBefore), encodeTime(notAfter)]));
-        // TBS Certificate
-        const tbsCertificate = wrapSequence(Buffer.concat([version, serialNumber, sigAlg, issuer, validity, subject, pubKeyDer]));
-        // Sign TBS
-        const signer = createSign("SHA256");
-        signer.update(tbsCertificate);
-        const signature = signer.sign(privateKey);
-        // Full certificate: SEQUENCE { tbsCert, sigAlg, signature }
-        const certDer = wrapSequence(Buffer.concat([tbsCertificate, sigAlg, encodeBitString(signature)]));
-        const certPem = derToPem(certDer, "CERTIFICATE");
-        return {
-            cert: certPem,
-            key: privateKey,
-        };
-    }
-    // -----------------------------------------------------------------------
-    // Private helpers
-    // -----------------------------------------------------------------------
-    /**
-     * Load the server certificate from file or inline PEM.
-     *
-     * @returns PEM string or undefined if not configured
-     */
-    loadCert() {
-        if (this.cachedCert)
-            return this.cachedCert;
-        if (this.options.cert) {
-            this.cachedCert = this.options.cert;
-        }
-        else if (this.options.certPath) {
-            this.cachedCert = readFileSync(this.options.certPath, "utf8");
-        }
-        return this.cachedCert;
-    }
-    /**
-     * Load the private key from file or inline PEM.
-     *
-     * @returns PEM string or undefined if not configured
-     */
-    loadKey() {
-        if (this.cachedKey)
-            return this.cachedKey;
-        if (this.options.key) {
-            this.cachedKey = this.options.key;
-        }
-        else if (this.options.keyPath) {
-            this.cachedKey = readFileSync(this.options.keyPath, "utf8");
-        }
-        return this.cachedKey;
-    }
-    /**
-     * Load the CA certificate from file or inline PEM.
-     *
-     * @returns PEM string or undefined if not configured
-     */
-    loadCA() {
-        if (this.cachedCa)
-            return this.cachedCa;
-        if (this.options.ca) {
-            this.cachedCa = this.options.ca;
-        }
-        else if (this.options.caPath) {
-            this.cachedCa = readFileSync(this.options.caPath, "utf8");
-        }
-        return this.cachedCa;
-    }
-    /**
-     * Load the mutual TLS CA certificate.
-     *
-     * @returns PEM string or undefined
-     */
-    loadMutualTLSCA() {
-        const mTls = this.options.mutualTLS;
-        if (!mTls)
-            return undefined;
-        if (mTls.ca)
-            return mTls.ca;
-        if (mTls.caPath)
-            return readFileSync(mTls.caPath, "utf8");
-        return undefined;
-    }
-}
-// ---------------------------------------------------------------------------
-// Utility functions
-// ---------------------------------------------------------------------------
-/**
- * Convert a PEM-encoded string to a DER Buffer.
- *
- * @param pem - PEM string with header/footer
- * @returns Raw DER bytes
- */
-function pemToDer(pem) {
-    const lines = pem
-        .split("\n")
-        .filter((l) => !l.startsWith("-----"))
-        .join("");
-    return Buffer.from(lines, "base64");
-}
-/**
- * Convert a DER Buffer to a PEM-encoded string.
- *
- * @param der - Raw DER bytes
- * @param label - PEM label (e.g. "CERTIFICATE", "PRIVATE KEY")
- * @returns PEM string
- */
-function derToPem(der, label) {
-    const b64 = der.toString("base64");
-    const lines = [];
-    for (let i = 0; i < b64.length; i += 64) {
-        lines.push(b64.slice(i, i + 64));
-    }
-    return `-----BEGIN ${label}-----\n${lines.join("\n")}\n-----END ${label}-----\n`;
-}
-//# sourceMappingURL=TLSConfig.js.map

package/dist/security/TLSConfig.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"TLSConfig.js","sourceRoot":"","sources":["../../src/security/TLSConfig.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,EACN,eAAe,EACf,gBAAgB,EAChB,UAAU,EACV,WAAW,IAAI,iBAAiB,EAChC,mBAAmB,GACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAkHnD,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,OAAO,SAAS;IACJ,OAAO,CAAmB;IACnC,UAAU,CAAqB;IAC/B,SAAS,CAAqB;IAC9B,QAAQ,CAAqB;IAErC;;;;OAIG;IACH,YAAY,OAAyB;QACpC,IAAI,CAAC,OAAO,GAAG;YACd,UAAU,EAAE,SAAS;YACrB,UAAU,EAAE,SAAS;YACrB,kBAAkB,EAAE,IAAI;YACxB,GAAG,OAAO;SACV,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,aAAa;IACb,0EAA0E;IAE1E;;;;;;;;;;;;;;OAcG;IACH,mBAAmB;QAClB,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3B,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QAEzB,MAAM,IAAI,GAAe;YACxB,IAAI;YACJ,GAAG;YACH,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;YACnC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;SACnC,CAAC;QAEF,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;QAC9C,CAAC;QAED,IAAI,EAAE,EAAE,CAAC;YACR,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACd,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;QACrC,CAAC;QAED,qDAAqD;QACrD,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC;YACrC,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;YACxB,IAAI,CAAC,kBAAkB,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,kBAAkB,IAAI,IAAI,CAAC;YAE5E,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;YACtC,IAAI,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,EAAE,GAAG,MAAM,CAAC;YAClB,CAAC;QACF,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;;;;;;OAaG;IACH,mBAAmB;QAClB,MAAM,IAAI,GAAsB;YAC/B,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;YACnC,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,UAAU;YACnC,kBAAkB,EAAE,IAAI,CAAC,OAAO,CAAC,kBAAkB;SACnD,CAAC;QAEF,MAAM,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACzB,IAAI,EAAE,EAAE,CAAC;YACR,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACd,CAAC;QAED,wCAAwC;QACxC,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC;YACrC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3B,IAAI,IAAI;gBAAE,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;YAC3B,IAAI,GAAG;gBAAE,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;YAExB,IAAI,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;gBAChC,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC;YAC9C,CAAC;QACF,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YAC1B,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;QACrC,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACH,QAAQ;QACP,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,uBAAuB;QACvB,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC/D,MAAM,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QACpE,CAAC;QACD,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7D,QAAQ,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC5D,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC;YACJ,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChC,IAAI,OAAO,EAAE,CAAC;gBACb,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;gBAC1C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;gBACvC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAE3C,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;oBACrB,MAAM,CAAC,IAAI,CAAC,4CAA4C,SAAS,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;gBACrF,CAAC;gBAED,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;oBACnB,MAAM,CAAC,IAAI,CAAC,qCAAqC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;gBAC5E,CAAC;qBAAM,CAAC;oBACP,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;oBAChG,IAAI,eAAe,IAAI,EAAE,EAAE,CAAC;wBAC3B,QAAQ,CAAC,IAAI,CAAC,0BAA0B,eAAe,UAAU,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;oBAC5F,CAAC;gBACF,CAAC;YACF,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;gBACzD,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;YACtE,CAAC;QACF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjG,CAAC;QAED,uBAAuB;QACvB,IAAI,CAAC;YACJ,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC;YAC9B,IAAI,MAAM,EAAE,CAAC;gBACZ,gBAAgB,CAAC;oBAChB,GAAG,EAAE,MAAM;oBACX,UAAU,EAAE,IAAI,CAAC,OAAO,CAAC,aAAa;iBACtC,CAAC,CAAC;YACJ,CAAC;iBAAM,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;gBACvD,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACpE,CAAC;QACF,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjG,CAAC;QAED,mBAAmB;QACnB,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,EAAE,CAAC;YACrC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC;YACjD,IAAI,UAAU,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;gBACzE,MAAM,CAAC,IAAI,CAAC,iCAAiC,UAAU,EAAE,CAAC,CAAC;YAC5D,CAAC;YACD,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;YACjE,CAAC;QACF,CAAC;QAED,OAAO;YACN,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM;YACN,QAAQ;SACR,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,kBAAkB;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChC,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,6DAA6D,CAAC,CAAC;QAChF,CAAC;QAED,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;QAE1C,OAAO;YACN,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACnC,OAAO,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC;YAC/B,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,WAAW,EAAE,IAAI,CAAC,cAAc;SAChC,CAAC;IACH,CAAC;IAED;;;;;;;;;;;;;;OAcG;IACH,cAAc,CAAC,IAAY;QAC1B,MAAM,IAAI,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC;QAC7D,MAAM,eAAe,GAAG,aAAa,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAC9D,OAAO,eAAe,IAAI,IAAI,CAAC;IAChC,CAAC;IAED;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,kBAAkB,CAAC,IAAuB;QAIhD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC;QAE9B,wBAAwB;QACxB,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,KAAK,EAAE;YAC5D,aAAa,EAAE,IAAI;YACnB,iBAAiB,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE;YAClD,kBAAkB,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE;SACpD,CAAC,CAAC;QAEH,wEAAwE;QACxE,iEAAiE;QACjE,sEAAsE;QACtE,qBAAqB;QACrB,EAAE;QACF,qEAAqE;QACrE,+DAA+D;QAC/D,oEAAoE;QACpE,uEAAuE;QAEvE,qCAAqC;QACrC,MAAM,MAAM,GAAG,iBAAiB,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,kBAAkB;QAEhD,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;QAC7B,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAE5E,2DAA2D;QAC3D,sEAAsE;QACtE,MAAM,EAAE,GAAG,IAAI,CAAC,UAAU,CAAC;QAE3B,2CAA2C;QAC3C,MAAM,QAAQ,GAAG,CAAC,UAAkB,EAAU,EAAE;YAC/C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;YAChD,8BAA8B;YAC9B,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;YACxD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;YAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;YACjC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;YAC/B,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC,CAAC;QAEF,MAAM,UAAU,GAAG,CAAC,IAAU,EAAU,EAAE;YACzC,MAAM,CAAC,GAAG,IAAI,CAAC,cAAc,EAAE,CAAC;YAChC,IAAI,OAAe,CAAC;YACpB,IAAI,GAAW,CAAC;YAChB,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;gBACd,wBAAwB;gBACxB,OAAO,GAAG,GACT,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAChC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC/C,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC3C,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC7C,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAC7C,GAAG,CAAC;gBACJ,GAAG,GAAG,IAAI,CAAC;YACZ,CAAC;iBAAM,CAAC;gBACP,kCAAkC;gBAClC,OAAO,GAAG,GACT,MAAM,CAAC,CAAC,CAAC;oBACT,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC/C,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC1C,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC3C,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC;oBAC7C,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAC7C,GAAG,CAAC;gBACJ,GAAG,GAAG,IAAI,CAAC;YACZ,CAAC;YACD,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;YAC5C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;QACjE,CAAC,CAAC;QAEF,MAAM,YAAY,GAAG,CAAC,IAAY,EAAU,EAAE;YAC7C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9E,CAAC,CAAC;QAEF,MAAM,OAAO,GAAG,CAAC,IAAY,EAAU,EAAE;YACxC,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9E,CAAC,CAAC;QAEF,MAAM,YAAY,GAAG,CAAC,GAAW,EAAU,EAAE;YAC5C,IAAI,GAAG,GAAG,IAAI;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1C,IAAI,GAAG,GAAG,KAAK;gBAAE,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YACjD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,EAAE,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC;QAC3D,CAAC,CAAC;QAEF,MAAM,aAAa,GAAG,CAAC,GAAW,EAAU,EAAE;YAC7C,iDAAiD;YACjD,IAAI,IAAI,GAAG,GAAG,CAAC;YACf,IAAI,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,EAAE,CAAC;gBACpB,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YACnD,CAAC;YACD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;QAC9E,CAAC,CAAC;QAEF,MAAM,eAAe,GAAG,CAAC,IAAY,EAAU,EAAE;YAChD,qCAAqC;YACrC,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;YACzD,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;QAChF,CAAC,CAAC;QAEF,8CAA8C;QAC9C,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAmB,CAAC,CAAC;QAEhD,qDAAqD;QACrD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAE7E,MAAM,YAAY,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC;QAC7B,MAAM,MAAM,GAAG,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC,gCAAgC;QAE7D,2EAA2E;QAC3E,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC;QAClG,MAAM,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEnF,WAAW;QACX,MAAM,QAAQ,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAE5F,kBAAkB;QAClB,MAAM,cAAc,GAAG,YAAY,CAClC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,YAAY,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC,CACpF,CAAC;QAEF,WAAW;QACX,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;QAC9B,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAE1C,4DAA4D;QAC5D,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,cAAc,EAAE,MAAM,EAAE,eAAe,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAElG,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QAEjD,OAAO;YACN,IAAI,EAAE,OAAO;YACb,GAAG,EAAE,UAAoB;SACzB,CAAC;IACH,CAAC;IAED,0EAA0E;IAC1E,kBAAkB;IAClB,0EAA0E;IAE1E;;;;OAIG;IACK,QAAQ;QACf,IAAI,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC,UAAU,CAAC;QAE5C,IAAI,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;YACvB,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC;QACrC,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YAClC,IAAI,CAAC,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACK,OAAO;QACd,IAAI,IAAI,CAAC,SAAS;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC;QAE1C,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;YACtB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC;QACnC,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;YACjC,IAAI,CAAC,SAAS,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7D,CAAC;QACD,OAAO,IAAI,CAAC,SAAS,CAAC;IACvB,CAAC;IAED;;;;OAIG;IACK,MAAM;QACb,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO,IAAI,CAAC,QAAQ,CAAC;QAExC,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;YACrB,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACjC,CAAC;aAAM,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;YAChC,IAAI,CAAC,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC3D,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACK,eAAe;QACtB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC;QACpC,IAAI,CAAC,IAAI;YAAE,OAAO,SAAS,CAAC;QAE5B,IAAI,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAC,EAAE,CAAC;QAC5B,IAAI,IAAI,CAAC,MAAM;YAAE,OAAO,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC1D,OAAO,SAAS,CAAC;IAClB,CAAC;CACD;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E;;;;;GAKG;AACH,SAAS,QAAQ,CAAC,GAAW;IAC5B,MAAM,KAAK,GAAG,GAAG;SACf,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;SACrC,IAAI,CAAC,EAAE,CAAC,CAAC;IACX,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,SAAS,QAAQ,CAAC,GAAW,EAAE,KAAa;IAC3C,MAAM,GAAG,GAAG,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACnC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QACzC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,cAAc,KAAK,UAAU,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,CAAC;AAClF,CAAC"}

package/dist/security/index.d.ts

@@ -1,81 +0,0 @@
-/**
- * Security Module for Blok Framework
- *
- * Provides authentication, authorization, audit logging, and secret management:
- * - AuthMiddleware: **Deprecated as of v0.4.1; removed in v0.5.** Use
- *   `jose`, `hono/jwt`, or `node-jsonwebtoken` at the workflow layer
- *   instead. See `docs/d/security/cookbook.mdx`.
- * - OAuthOIDCProvider: OAuth 2.0 / OIDC authentication with JWKS verification
- * - RBAC: Role-based access control with hierarchical roles
- * - ABAC: Attribute-based access control with policy engine
- * - AuditLogger: Comprehensive audit trail with multiple sinks
- * - SecretManager: Unified secret management across multiple providers
- * - EncryptionAtRest: AES-256-GCM encryption/decryption with key rotation
- * - PIIDetector: PII detection and masking for text and structured data
- * - TLSConfig: TLS/SSL configuration with mTLS and certificate management
- *
- * @example
- * ```typescript
- * import {
- *   AuthMiddleware,
- *   JWTAuthProvider,
- *   APIKeyAuthProvider,
- *   OAuthOIDCProvider,
- *   RBAC,
- *   createDefaultRBAC,
- *   AuditLogger,
- *   ConsoleAuditSink,
- *   FileAuditSink,
- *   SecretManager,
- *   EnvironmentSecretProvider,
- * } from "@blokjs/runner";
- *
- * // Set up auth
- * const auth = new AuthMiddleware({
- *   providers: [
- *     new OAuthOIDCProvider({
- *       issuerUrl: "https://auth.example.com",
- *       clientId: "my-app",
- *     }),
- *     new JWTAuthProvider({ secret: process.env.JWT_SECRET! }),
- *     new APIKeyAuthProvider({
- *       keys: new Map([["my-key", { name: "svc", roles: ["service"] }]]),
- *     }),
- *   ],
- * });
- *
- * // Set up RBAC
- * const rbac = createDefaultRBAC();
- *
- * // Set up audit logging
- * const audit = new AuditLogger({
- *   sinks: [new ConsoleAuditSink(), new FileAuditSink({ path: "./audit.log" })],
- * });
- *
- * // Set up secret management
- * const secrets = new SecretManager({
- *   providers: [
- *     { type: "environment", config: { prefix: "BLOK_SECRET_" } },
- *   ],
- *   cache: { enabled: true, ttlMs: 60_000, maxSize: 100 },
- * });
- * ```
- */
-export { AuthMiddleware, JWTAuthProvider, APIKeyAuthProvider, } from "./AuthMiddleware";
-export type { AuthMiddlewareConfig, AuthProvider, AuthIdentity, AuthRequest, AuthResult, JWTAuthProviderConfig, APIKeyAuthProviderConfig, APIKeyInfo, } from "./AuthMiddleware";
-export { RBAC, createDefaultRBAC } from "./RBAC";
-export type { Action, Permission, RoleDefinition, AccessCheckResult, RBACPolicy, } from "./RBAC";
-export { ABACEngine, createDefaultABAC } from "./ABAC";
-export type { ABACOperator, ABACEffect, ABACCondition, ABACConditionGroup, ABACPolicyTarget, ABACPolicy, SubjectAttributes, ResourceAttributes, EnvironmentAttributes, ABACRequest, ABACResult, } from "./ABAC";
-export { OAuthOIDCProvider, TokenCache } from "./OAuthProvider";
-export type { OAuthOIDCConfig, OIDCDiscoveryDocument, JWK, JWKS, TokenCacheStats, } from "./OAuthProvider";
-export { AuditLogger, ConsoleAuditSink, FileAuditSink, InMemoryAuditSink, } from "./AuditLogger";
-export type { AuditEntry, AuditCategory, AuditSeverity, AuditSink, AuditLoggerConfig, } from "./AuditLogger";
-export { SecretManager, EnvironmentSecretProvider, InMemorySecretProvider, VaultSecretProvider, AWSSecretsProvider, GCPSecretProvider, } from "./SecretManager";
-export type { SecretProvider, SecretMetadata, SecretAccessEvent, SecretManagerConfig, SecretCacheConfig, SecretProviderConfig, EnvironmentProviderConfig, InMemoryProviderConfig, VaultProviderConfig, AWSSecretsProviderConfig, GCPSecretProviderConfig, } from "./SecretManager";
-export { EncryptionAtRest } from "./EncryptionAtRest";
-export type { EncryptedPayload, EncryptionConfig, KeyDerivationConfig, } from "./EncryptionAtRest";
-export { PIIDetector, PIIType } from "./PIIDetector";
-export type { PIIPattern, PIIMatch, PIIScanResult, PIIDetectorConfig, } from "./PIIDetector";
-export { TLSConfig } from "./TLSConfig";
-export type { TLSConfigOptions, TLSValidationResult, CertificateInfo, SelfSignedOptions, MutualTLSOptions, } from "./TLSConfig";