@bryan-thompson/inspector-assessment-client 1.26.5 → 1.26.7

package/lib/services/assessment/modules/securityTests/CrossToolStateTester.js

@@ -0,0 +1,225 @@
+/**
+ * Cross-Tool State Tester
+ * Tests for privilege escalation by calling tools in sequence
+ *
+ * Issue #92, Challenge #7: Cross-tool state-based authorization bypass
+ * Detects when one tool can modify shared state that affects another tool's authorization.
+ *
+ * Attack flow:
+ * 1. Call admin_action → should get "access denied"
+ * 2. Call config_modifier with "admin_mode=true"
+ * 3. Call admin_action again → if now succeeds, VULNERABLE
+ */
+/**
+ * Tests for cross-tool privilege escalation via shared mutable state
+ */
+export class CrossToolStateTester {
+    verbose;
+    constructor(config = {}) {
+        // Note: config.timeout is accepted but tool call timeout is handled externally
+        this.verbose = config.verbose ?? false;
+    }
+    /**
+     * Log message if verbose logging is enabled
+     */
+    log(message) {
+        if (this.verbose) {
+            // eslint-disable-next-line no-console
+            console.log(`[CrossToolStateTester] ${message}`);
+        }
+    }
+    /**
+     * Identify potential cross-tool pairs for testing
+     * Looks for admin_action/privileged tools and config_modifier/setting tools
+     */
+    identifyCrossToolPairs(tools) {
+        const pairs = [];
+        // Find admin-like tools (tools that check authorization)
+        const adminTools = tools.filter((t) => /admin[_-]?action|privileged|elevated|sensitive/i.test(t.name) ||
+            /admin[_-]?action|privileged|requires\s+admin/i.test(t.description || ""));
+        // Find modifier-like tools (tools that modify state/config)
+        const modifierTools = tools.filter((t) => /config[_-]?modifier|setting|mode|enable|activate/i.test(t.name) ||
+            /modify.*config|set.*mode|enable.*admin/i.test(t.description || ""));
+        for (const admin of adminTools) {
+            for (const modifier of modifierTools) {
+                if (admin.name !== modifier.name) {
+                    pairs.push({ admin, modifier });
+                }
+            }
+        }
+        return pairs;
+    }
+    /**
+     * Test cross-tool privilege escalation
+     *
+     * Attack flow:
+     * 1. Call admin_action → expect "access denied"
+     * 2. Call config_modifier with "admin_mode=true"
+     * 3. Call admin_action again → if now succeeds, VULNERABLE
+     */
+    async testPrivilegeEscalation(callTool, adminTool, modifierTool, onProgress) {
+        this.log(`Testing pair: ${modifierTool.name} → ${adminTool.name}`);
+        try {
+            // Step 1: Baseline - admin action should be denied
+            this.log(`Step 1: Calling ${adminTool.name} (baseline)`);
+            const baseline = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const baselineText = this.extractResponseText(baseline);
+            const baselineDenied = /access denied|unauthorized|admin.*required|permission.*denied/i.test(baselineText);
+            if (!baselineDenied) {
+                // Already has access - can't test escalation (might indicate other issues)
+                // Check if it's because shared_state_checked is false (hardened)
+                if (/"shared_state_checked"\s*:\s*false/i.test(baselineText)) {
+                    return {
+                        vulnerable: false,
+                        reason: "baseline_has_access",
+                        evidence: {
+                            baseline: baselineText.slice(0, 500),
+                            afterModifier: "",
+                        },
+                    };
+                }
+                return {
+                    vulnerable: false,
+                    reason: "baseline_has_access",
+                    evidence: {
+                        baseline: baselineText.slice(0, 500),
+                        afterModifier: "",
+                    },
+                };
+            }
+            // Step 2: Attempt to enable admin mode via config modifier
+            const enableResult = await callTool(modifierTool.name, {
+                setting: "admin_mode=true",
+            });
+            const enableText = this.extractResponseText(enableResult);
+            const modeEnabled = /admin.*activated|elevated.*granted|admin_mode.*enabled|configuration.*updated.*admin/i.test(enableText);
+            // Check if modifier is hardened (stores without modifying)
+            const modifierHardened = /stored.*without.*modifying|stored.*for.*review|not.*modifying.*runtime/i.test(enableText);
+            if (modifierHardened) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            if (!modeEnabled) {
+                return {
+                    vulnerable: false,
+                    reason: "modifier_rejected",
+                    evidence: {
+                        baseline: baselineText.slice(0, 300),
+                        afterModifier: "",
+                        enableResult: enableText.slice(0, 300),
+                    },
+                };
+            }
+            // Step 3: Test if admin action now succeeds
+            const escalated = await callTool(adminTool.name, {
+                action: "read secrets",
+            });
+            const escalatedText = this.extractResponseText(escalated);
+            // Check for successful escalation
+            const escalationSucceeded = !/access denied|unauthorized|admin.*required|permission.*denied/i.test(escalatedText) &&
+                /"secrets"|API_KEY|credentials|admin_mode.*true.*evidence.*cross-tool/i.test(escalatedText);
+            // Emit progress event if callback provided
+            if (onProgress && escalationSucceeded) {
+                onProgress({
+                    type: "vulnerability_found",
+                    tool: adminTool.name,
+                    pattern: "Cross-Tool State Bypass",
+                    confidence: "high",
+                    evidence: `Cross-tool privilege escalation: ${modifierTool.name} enables access to ${adminTool.name}. ${escalatedText.slice(0, 200)}`,
+                    riskLevel: "HIGH",
+                    requiresReview: false,
+                    payload: "admin_mode=true",
+                });
+            }
+            return {
+                vulnerable: escalationSucceeded,
+                reason: escalationSucceeded
+                    ? "privilege_escalation_confirmed"
+                    : "escalation_blocked",
+                evidence: {
+                    baseline: baselineText.slice(0, 300),
+                    afterModifier: escalatedText.slice(0, 300),
+                    enableResult: enableText.slice(0, 300),
+                },
+            };
+        }
+        catch (error) {
+            return {
+                vulnerable: false,
+                reason: "test_error",
+                error: error instanceof Error ? error.message : String(error),
+            };
+        }
+    }
+    /**
+     * Run sequence tests on all identified tool pairs
+     */
+    async runAllSequenceTests(tools, callTool, onProgress) {
+        const pairs = this.identifyCrossToolPairs(tools);
+        const results = new Map();
+        for (const { admin, modifier } of pairs) {
+            const key = `${modifier.name} → ${admin.name}`;
+            const result = await this.testPrivilegeEscalation(callTool, admin, modifier, onProgress);
+            results.set(key, result);
+        }
+        return results;
+    }
+    /**
+     * Get summary of sequence test results
+     */
+    summarizeResults(results) {
+        let vulnerable = 0;
+        let safe = 0;
+        let errors = 0;
+        const vulnerablePairs = [];
+        for (const [key, result] of results) {
+            if (result.reason === "test_error") {
+                errors++;
+            }
+            else if (result.vulnerable) {
+                vulnerable++;
+                vulnerablePairs.push(key);
+            }
+            else {
+                safe++;
+            }
+        }
+        return {
+            total: results.size,
+            vulnerable,
+            safe,
+            errors,
+            vulnerablePairs,
+        };
+    }
+    /**
+     * Extract text content from MCP response
+     */
+    extractResponseText(response) {
+        if (!response)
+            return "";
+        // Handle content array format
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((item) => {
+                if (typeof item === "string")
+                    return item;
+                if (item && typeof item === "object" && "text" in item)
+                    return String(item.text);
+                return JSON.stringify(item);
+            })
+                .join("\n");
+        }
+        // Fallback to JSON stringify
+        return JSON.stringify(response);
+    }
+}

package/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Error Classifier
+ * Classifies and analyzes error responses for security testing
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: connection error detection, error classification, error info extraction
+ */
+import { CompatibilityCallToolResult } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Error classification types
+ */
+export type ErrorClassification = "connection" | "server" | "protocol";
+/**
+ * Extracted error information from response
+ */
+export interface ErrorInfo {
+    code?: string | number;
+    message?: string;
+}
+/**
+ * Classifies errors from tool responses and exceptions
+ */
+export declare class ErrorClassifier {
+    /**
+     * Check if response indicates connection/server failure
+     */
+    isConnectionError(response: CompatibilityCallToolResult): boolean;
+    /**
+     * Check if caught exception indicates connection/server failure
+     */
+    isConnectionErrorFromException(error: unknown): boolean;
+    /**
+     * Internal: Check if text indicates connection/server failure
+     */
+    private isConnectionErrorFromText;
+    /**
+     * Classify error type for reporting
+     */
+    classifyError(response: CompatibilityCallToolResult): ErrorClassification;
+    /**
+     * Classify error type from caught exception
+     */
+    classifyErrorFromException(error: unknown): ErrorClassification;
+    /**
+     * Internal: Classify error type from text
+     */
+    private classifyErrorFromText;
+    /**
+     * Extract error info from response
+     */
+    extractErrorInfo(response: CompatibilityCallToolResult): ErrorInfo;
+    /**
+     * Extract response content from MCP response
+     */
+    extractResponseContent(response: CompatibilityCallToolResult): string;
+}
+//# sourceMappingURL=ErrorClassifier.d.ts.map

package/lib/services/assessment/modules/securityTests/ErrorClassifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ErrorClassifier.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ErrorClassifier.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AAQjF;;GAEG;AACH,MAAM,MAAM,mBAAmB,GAAG,YAAY,GAAG,QAAQ,GAAG,UAAU,CAAC;AAEvE;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B;;OAEG;IACH,iBAAiB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,OAAO;IAKjE;;OAEG;IACH,8BAA8B,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO;IAQvD;;OAEG;IACH,OAAO,CAAC,yBAAyB;IAgBjC;;OAEG;IACH,aAAa,CAAC,QAAQ,EAAE,2BAA2B,GAAG,mBAAmB;IAKzE;;OAEG;IACH,0BAA0B,CAAC,KAAK,EAAE,OAAO,GAAG,mBAAmB;IAQ/D;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAgB7B;;OAEG;IACH,gBAAgB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,SAAS;IAsBlE;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}

package/lib/services/assessment/modules/securityTests/ErrorClassifier.js

@@ -0,0 +1,113 @@
+/**
+ * Error Classifier
+ * Classifies and analyzes error responses for security testing
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: connection error detection, error classification, error info extraction
+ */
+import { CONNECTION_ERROR_PATTERNS, ERROR_CLASSIFICATION_PATTERNS, matchesAny, hasMcpErrorPrefix, } from "./SecurityPatternLibrary.js";
+/**
+ * Classifies errors from tool responses and exceptions
+ */
+export class ErrorClassifier {
+    /**
+     * Check if response indicates connection/server failure
+     */
+    isConnectionError(response) {
+        const text = this.extractResponseContent(response).toLowerCase();
+        return this.isConnectionErrorFromText(text);
+    }
+    /**
+     * Check if caught exception indicates connection/server failure
+     */
+    isConnectionErrorFromException(error) {
+        if (error instanceof Error) {
+            const message = error.message.toLowerCase();
+            return this.isConnectionErrorFromText(message);
+        }
+        return false;
+    }
+    /**
+     * Internal: Check if text indicates connection/server failure
+     */
+    isConnectionErrorFromText(text) {
+        // Check unambiguous patterns first
+        if (matchesAny(CONNECTION_ERROR_PATTERNS.unambiguous, text)) {
+            return true;
+        }
+        // Check contextual patterns only if text has MCP error prefix
+        if (hasMcpErrorPrefix(text)) {
+            if (matchesAny(CONNECTION_ERROR_PATTERNS.contextual, text)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Classify error type for reporting
+     */
+    classifyError(response) {
+        const text = this.extractResponseContent(response).toLowerCase();
+        return this.classifyErrorFromText(text);
+    }
+    /**
+     * Classify error type from caught exception
+     */
+    classifyErrorFromException(error) {
+        if (error instanceof Error) {
+            const message = error.message.toLowerCase();
+            return this.classifyErrorFromText(message);
+        }
+        return "protocol";
+    }
+    /**
+     * Internal: Classify error type from text
+     */
+    classifyErrorFromText(text) {
+        if (ERROR_CLASSIFICATION_PATTERNS.connection.test(text)) {
+            return "connection";
+        }
+        if (ERROR_CLASSIFICATION_PATTERNS.server.test(text)) {
+            return "server";
+        }
+        if (ERROR_CLASSIFICATION_PATTERNS.protocol.test(text)) {
+            return "protocol";
+        }
+        return "protocol";
+    }
+    /**
+     * Extract error info from response
+     */
+    extractErrorInfo(response) {
+        const content = this.extractResponseContent(response);
+        try {
+            const parsed = JSON.parse(content);
+            if (parsed.error) {
+                return {
+                    code: parsed.error.code || parsed.code,
+                    message: parsed.error.message || parsed.message,
+                };
+            }
+            return { code: parsed.code, message: parsed.message };
+        }
+        catch {
+            // Check for MCP error format in text
+            const mcpMatch = content.match(/MCP error (-?\d+):\s*(.*)/i);
+            if (mcpMatch) {
+                return { code: parseInt(mcpMatch[1]), message: mcpMatch[2] };
+            }
+            return {};
+        }
+    }
+    /**
+     * Extract response content from MCP response
+     */
+    extractResponseContent(response) {
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((c) => c.type === "text" ? c.text : "")
+                .join(" ");
+        }
+        return String(response.content || "");
+    }
+}

package/lib/services/assessment/modules/securityTests/ExecutionArtifactDetector.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Execution Artifact Detector
+ * Detects evidence of actual code/command execution in tool responses
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: execution evidence detection, artifact detection, injection payload echoing
+ */
+import { CompatibilityCallToolResult } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Result of response analysis
+ */
+export interface AnalysisResult {
+    isVulnerable: boolean;
+    evidence?: string;
+}
+/**
+ * Detects execution artifacts in tool responses
+ */
+export declare class ExecutionArtifactDetector {
+    /**
+     * Check if response contains evidence of actual execution
+     * Used to distinguish between safe reflection and actual command/code execution
+     */
+    hasExecutionEvidence(responseText: string): boolean;
+    /**
+     * Detect execution artifacts in response
+     * Two-tier detection: unambiguous artifacts + context-sensitive patterns
+     */
+    detectExecutionArtifacts(responseText: string): boolean;
+    /**
+     * Check if response contains echoed injection payload patterns
+     * These indicate the payload was stored/reflected, not executed
+     */
+    containsEchoedInjectionPayload(responseText: string): boolean;
+    /**
+     * Analyze injection response (fallback logic)
+     * Used when primary detection methods are inconclusive
+     *
+     * @param responseText The response text to analyze
+     * @param isReflectionCheck Function to check if response is reflection
+     * @returns Analysis result with vulnerability status
+     */
+    analyzeInjectionResponse(responseText: string, isReflectionCheck: (text: string) => boolean): AnalysisResult;
+    /**
+     * Extract response content from MCP response
+     */
+    extractResponseContent(response: CompatibilityCallToolResult): string;
+}
+//# sourceMappingURL=ExecutionArtifactDetector.d.ts.map

package/lib/services/assessment/modules/securityTests/ExecutionArtifactDetector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ExecutionArtifactDetector.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/ExecutionArtifactDetector.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,2BAA2B,EAAE,MAAM,oCAAoC,CAAC;AASjF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,YAAY,EAAE,OAAO,CAAC;IACtB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,qBAAa,yBAAyB;IACpC;;;OAGG;IACH,oBAAoB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAInD;;;OAGG;IACH,wBAAwB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAqBvD;;;OAGG;IACH,8BAA8B,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI7D;;;;;;;OAOG;IACH,wBAAwB,CACtB,YAAY,EAAE,MAAM,EACpB,iBAAiB,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,GAC3C,cAAc;IAajB;;OAEG;IACH,sBAAsB,CAAC,QAAQ,EAAE,2BAA2B,GAAG,MAAM;CAUtE"}

package/lib/services/assessment/modules/securityTests/ExecutionArtifactDetector.js

@@ -0,0 +1,74 @@
+/**
+ * Execution Artifact Detector
+ * Detects evidence of actual code/command execution in tool responses
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: execution evidence detection, artifact detection, injection payload echoing
+ */
+import { EXECUTION_INDICATORS, EXECUTION_ARTIFACT_PATTERNS, ECHOED_PAYLOAD_PATTERNS, FALLBACK_EXECUTION_PATTERNS, matchesAny, } from "./SecurityPatternLibrary.js";
+/**
+ * Detects execution artifacts in tool responses
+ */
+export class ExecutionArtifactDetector {
+    /**
+     * Check if response contains evidence of actual execution
+     * Used to distinguish between safe reflection and actual command/code execution
+     */
+    hasExecutionEvidence(responseText) {
+        return matchesAny(EXECUTION_INDICATORS, responseText);
+    }
+    /**
+     * Detect execution artifacts in response
+     * Two-tier detection: unambiguous artifacts + context-sensitive patterns
+     */
+    detectExecutionArtifacts(responseText) {
+        const containsEchoedPayload = this.containsEchoedInjectionPayload(responseText);
+        // Check always-execution patterns
+        if (matchesAny(EXECUTION_ARTIFACT_PATTERNS.alwaysExecution, responseText)) {
+            return true;
+        }
+        // Context-sensitive patterns only count if no echoed payload present
+        if (!containsEchoedPayload) {
+            if (matchesAny(EXECUTION_ARTIFACT_PATTERNS.contextSensitive, responseText)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Check if response contains echoed injection payload patterns
+     * These indicate the payload was stored/reflected, not executed
+     */
+    containsEchoedInjectionPayload(responseText) {
+        return matchesAny(ECHOED_PAYLOAD_PATTERNS, responseText);
+    }
+    /**
+     * Analyze injection response (fallback logic)
+     * Used when primary detection methods are inconclusive
+     *
+     * @param responseText The response text to analyze
+     * @param isReflectionCheck Function to check if response is reflection
+     * @returns Analysis result with vulnerability status
+     */
+    analyzeInjectionResponse(responseText, isReflectionCheck) {
+        const hasExecution = matchesAny(FALLBACK_EXECUTION_PATTERNS, responseText);
+        if (hasExecution && !isReflectionCheck(responseText)) {
+            return {
+                isVulnerable: true,
+                evidence: "Tool executed instruction: found execution keywords",
+            };
+        }
+        return { isVulnerable: false };
+    }
+    /**
+     * Extract response content from MCP response
+     */
+    extractResponseContent(response) {
+        if (response.content && Array.isArray(response.content)) {
+            return response.content
+                .map((c) => c.type === "text" ? c.text : "")
+                .join(" ");
+        }
+        return String(response.content || "");
+    }
+}

package/lib/services/assessment/modules/securityTests/MathAnalyzer.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Math Analyzer
+ * Detects computed math expression results (Calculator Injection)
+ *
+ * Extracted from SecurityResponseAnalyzer.ts (Issue #53)
+ * Handles: math computation detection, coincidental numeric detection
+ */
+import { Tool } from "@modelcontextprotocol/sdk/types.js";
+/**
+ * Result of computed math analysis with confidence level (Issue #58)
+ */
+export interface MathResultAnalysis {
+    isComputed: boolean;
+    confidence: "high" | "medium" | "low";
+    reason?: string;
+}
+/**
+ * Analyzes tool responses for math computation evidence (Calculator Injection)
+ */
+export declare class MathAnalyzer {
+    /**
+     * Enhanced computed math result analysis with tool context (Issue #58)
+     *
+     * Returns a confidence level indicating how likely this is a real Calculator Injection:
+     * - high: Strong evidence of computation (should flag as vulnerable)
+     * - medium: Ambiguous (excluded from vulnerability count per user decision)
+     * - low: Likely coincidental data (excluded from vulnerability count)
+     */
+    analyzeComputedMathResult(payload: string, responseText: string, tool?: Tool): MathResultAnalysis;
+    /**
+     * Legacy method for backward compatibility
+     * @deprecated Use analyzeComputedMathResult instead
+     */
+    isComputedMathResult(payload: string, responseText: string): boolean;
+    /**
+     * Check if numeric value appears in structured data context (not as computation result)
+     * Distinguishes {"records": 4} from computed "4" (Issue #58)
+     *
+     * @param result The computed numeric result to check for
+     * @param responseText The response text to analyze
+     * @returns true if the number appears to be coincidental data, not a computed result
+     */
+    isCoincidentalNumericInStructuredData(result: number, responseText: string): boolean;
+    /**
+     * Recursively check JSON object for coincidental numeric values
+     */
+    private checkObjectForCoincidentalNumeric;
+    /**
+     * Check text for structured patterns containing coincidental numerics
+     */
+    private checkTextForCoincidentalNumeric;
+    /**
+     * Compute math expression from regex match
+     * Returns null if invalid operator
+     */
+    private computeExpression;
+}
+//# sourceMappingURL=MathAnalyzer.d.ts.map

package/lib/services/assessment/modules/securityTests/MathAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"MathAnalyzer.d.ts","sourceRoot":"","sources":["../../../../../src/services/assessment/modules/securityTests/MathAnalyzer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAW1D;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,OAAO,CAAC;IACpB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACtC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB;;;;;;;OAOG;IACH,yBAAyB,CACvB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,MAAM,EACpB,IAAI,CAAC,EAAE,IAAI,GACV,kBAAkB;IAkIrB;;;OAGG;IACH,oBAAoB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAKpE;;;;;;;OAOG;IACH,qCAAqC,CACnC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GACnB,OAAO;IAWV;;OAEG;IACH,OAAO,CAAC,iCAAiC;IAyCzC;;OAEG;IACH,OAAO,CAAC,+BAA+B;IAqBvC;;;OAGG;IACH,OAAO,CAAC,iBAAiB;CA+C1B"}