@clawdreyhepburn/carapace 0.3.2 ā†’ 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (37) hide show
  1. package/CHANGELOG.md +21 -0
  2. package/README.md +36 -1
  3. package/dist/cedar-engine-cedarling.d.ts +81 -0
  4. package/dist/cedar-engine-cedarling.js +651 -0
  5. package/dist/cedar-engine-cedarling.js.map +1 -0
  6. package/dist/cedar-engine.d.ts +77 -0
  7. package/dist/cedar-engine.js +374 -0
  8. package/dist/cedar-engine.js.map +1 -0
  9. package/dist/gui/html.d.ts +5 -0
  10. package/dist/gui/html.js +930 -0
  11. package/dist/gui/html.js.map +1 -0
  12. package/dist/gui/server.d.ts +28 -0
  13. package/dist/gui/server.js +159 -0
  14. package/dist/gui/server.js.map +1 -0
  15. package/dist/index.d.ts +46 -0
  16. package/dist/index.js +584 -0
  17. package/dist/index.js.map +1 -0
  18. package/dist/llm-proxy.d.ts +75 -0
  19. package/dist/llm-proxy.js +565 -0
  20. package/dist/llm-proxy.js.map +1 -0
  21. package/dist/mcp-aggregator.d.ts +29 -0
  22. package/dist/mcp-aggregator.js +144 -0
  23. package/dist/mcp-aggregator.js.map +1 -0
  24. package/dist/policy-source.d.ts +26 -0
  25. package/dist/policy-source.js +28 -0
  26. package/dist/policy-source.js.map +1 -0
  27. package/dist/types.d.ts +135 -0
  28. package/dist/types.js +5 -0
  29. package/dist/types.js.map +1 -0
  30. package/docs/carapace_proxy_tool_filter_flow_v3.svg +96 -0
  31. package/docs/ungated_ai_agent_capabilities.svg +143 -0
  32. package/package.json +1 -1
  33. package/src/gui/html.ts +14 -0
  34. package/src/gui/server.ts +7 -1
  35. package/src/index.ts +12 -0
  36. package/src/policy-source.ts +44 -0
  37. package/vitest.config.ts +8 -0
package/dist/index.js ADDED
@@ -0,0 +1,584 @@
1
+ /**
2
+ * Carapace ā€” OpenClaw Plugin
3
+ *
4
+ * Aggregates upstream MCP servers, enforces Cedar policies on tool access,
5
+ * and serves a local GUI for human oversight.
6
+ */
7
+ import { CedarlingEngine } from "./cedar-engine-cedarling.js";
8
+ import { McpAggregator } from "./mcp-aggregator.js";
9
+ import { ControlGui } from "./gui/server.js";
10
+ import { LlmProxy } from "./llm-proxy.js";
11
+ export { CarapacePolicySource } from "./policy-source.js";
12
+ export const id = "carapace";
13
+ export const name = "Carapace";
14
+ export default function register(api) {
15
+ const config = api.pluginConfig ?? {};
16
+ const logger = api.logger;
17
+ const cedar = new CedarlingEngine({
18
+ policyDir: config.policyDir ?? "~/.openclaw/mcp-policies/",
19
+ defaultPolicy: config.defaultPolicy ?? "allow-all",
20
+ verify: config.verify ?? false,
21
+ logger,
22
+ });
23
+ const aggregator = new McpAggregator({
24
+ servers: config.servers ?? {},
25
+ cedar,
26
+ logger,
27
+ });
28
+ const gui = new ControlGui({
29
+ port: config.guiPort ?? 19820,
30
+ aggregator,
31
+ cedar,
32
+ logger,
33
+ });
34
+ // --- LLM Proxy: intercept tool calls at the API level ---
35
+ const proxyConfig = config.proxy;
36
+ const proxy = proxyConfig?.enabled ? new LlmProxy({
37
+ port: proxyConfig.port ?? 19821,
38
+ upstream: {
39
+ anthropic: proxyConfig.upstream?.anthropic ? {
40
+ url: proxyConfig.upstream.anthropic.url ?? "https://api.anthropic.com",
41
+ apiKey: proxyConfig.upstream.anthropic.apiKey,
42
+ } : undefined,
43
+ openai: proxyConfig.upstream?.openai ? {
44
+ url: proxyConfig.upstream.openai.url ?? "https://api.openai.com",
45
+ apiKey: proxyConfig.upstream.openai.apiKey,
46
+ } : undefined,
47
+ },
48
+ cedar,
49
+ logger,
50
+ }) : null;
51
+ // --- Bypass detection: warn if built-in tools aren't denied ---
52
+ const BYPASS_TOOLS = ["exec", "web_fetch", "web_search"];
53
+ function checkForBypasses() {
54
+ // Read OpenClaw config to check tools.deny
55
+ try {
56
+ const { readFileSync, existsSync } = require("node:fs");
57
+ const { join } = require("node:path");
58
+ const { homedir } = require("node:os");
59
+ const configPath = join(homedir(), ".openclaw", "openclaw.json");
60
+ if (!existsSync(configPath))
61
+ return BYPASS_TOOLS;
62
+ const cfg = JSON.parse(readFileSync(configPath, "utf-8"));
63
+ const denied = cfg.tools?.deny ?? [];
64
+ return BYPASS_TOOLS.filter((t) => !denied.includes(t));
65
+ }
66
+ catch {
67
+ return BYPASS_TOOLS;
68
+ }
69
+ }
70
+ function patchConfigDenyTools() {
71
+ const { readFileSync, writeFileSync, existsSync } = require("node:fs");
72
+ const { join } = require("node:path");
73
+ const { homedir } = require("node:os");
74
+ const configPath = join(homedir(), ".openclaw", "openclaw.json");
75
+ let cfg = {};
76
+ if (existsSync(configPath)) {
77
+ cfg = JSON.parse(readFileSync(configPath, "utf-8"));
78
+ }
79
+ if (!cfg.tools)
80
+ cfg.tools = {};
81
+ if (!cfg.tools.deny)
82
+ cfg.tools.deny = [];
83
+ const alreadyDenied = BYPASS_TOOLS.filter((t) => cfg.tools.deny.includes(t));
84
+ const toAdd = BYPASS_TOOLS.filter((t) => !cfg.tools.deny.includes(t));
85
+ for (const tool of toAdd) {
86
+ cfg.tools.deny.push(tool);
87
+ }
88
+ if (toAdd.length > 0) {
89
+ writeFileSync(configPath, JSON.stringify(cfg, null, 2) + "\n", "utf-8");
90
+ }
91
+ return { patched: toAdd, alreadyDenied };
92
+ }
93
+ function patchConfigProxyBaseUrl() {
94
+ const { readFileSync, writeFileSync, existsSync } = require("node:fs");
95
+ const { join } = require("node:path");
96
+ const { homedir } = require("node:os");
97
+ const configPath = join(homedir(), ".openclaw", "openclaw.json");
98
+ if (!existsSync(configPath))
99
+ return { patched: [], alreadySet: [] };
100
+ const cfg = JSON.parse(readFileSync(configPath, "utf-8"));
101
+ const port = config.proxy?.port ?? 19821;
102
+ const proxyUrl = `http://127.0.0.1:${port}`;
103
+ // Figure out which providers have upstream keys configured
104
+ const providers = [];
105
+ if (config.proxy?.upstream?.anthropic)
106
+ providers.push("anthropic");
107
+ if (config.proxy?.upstream?.openai)
108
+ providers.push("openai");
109
+ const patched = [];
110
+ const alreadySet = [];
111
+ if (!cfg.models)
112
+ cfg.models = {};
113
+ if (!cfg.models.providers)
114
+ cfg.models.providers = {};
115
+ for (const provider of providers) {
116
+ if (!cfg.models.providers[provider])
117
+ cfg.models.providers[provider] = {};
118
+ if (cfg.models.providers[provider].baseUrl === proxyUrl) {
119
+ alreadySet.push(provider);
120
+ }
121
+ else {
122
+ cfg.models.providers[provider].baseUrl = proxyUrl;
123
+ patched.push(provider);
124
+ }
125
+ }
126
+ if (patched.length > 0) {
127
+ writeFileSync(configPath, JSON.stringify(cfg, null, 2) + "\n", "utf-8");
128
+ }
129
+ return { patched, alreadySet };
130
+ }
131
+ // --- Background service: connect to MCP servers and serve GUI ---
132
+ api.registerService({
133
+ id: "carapace",
134
+ async start() {
135
+ logger.info("Carapace starting...");
136
+ await cedar.init();
137
+ await aggregator.connectAll();
138
+ await gui.start();
139
+ logger.info(`Control GUI at http://localhost:${config.guiPort ?? 19820}`);
140
+ if (proxy) {
141
+ await proxy.start();
142
+ logger.info(`šŸ›”ļø LLM Proxy active on http://127.0.0.1:${proxyConfig.port ?? 19821} ā€” ` +
143
+ `all tool calls go through Cedar`);
144
+ }
145
+ else {
146
+ // Check for bypass vulnerabilities only when proxy is disabled
147
+ const bypasses = checkForBypasses();
148
+ if (bypasses.length > 0) {
149
+ logger.warn(`āš ļø BYPASS RISK: Built-in tools [${bypasses.join(", ")}] are NOT denied and LLM proxy is not enabled. ` +
150
+ `Agents can use these to bypass Carapace Cedar policies. ` +
151
+ `Enable the LLM proxy (recommended) or run "openclaw carapace setup" to deny built-in tools.`);
152
+ }
153
+ }
154
+ },
155
+ async stop() {
156
+ if (proxy)
157
+ await proxy.stop();
158
+ await gui.stop();
159
+ await aggregator.disconnectAll();
160
+ logger.info("Carapace stopped");
161
+ },
162
+ });
163
+ // --- Agent tool: list available MCP tools ---
164
+ api.registerTool({
165
+ name: "mcp_tools",
166
+ label: "MCP Tools (Carapace)",
167
+ description: "List all MCP tools available through the Carapace Cedar proxy, with their enabled/disabled status",
168
+ parameters: {
169
+ type: "object",
170
+ properties: {
171
+ server: {
172
+ type: "string",
173
+ description: "Filter by server name (optional)",
174
+ },
175
+ },
176
+ },
177
+ async execute(_toolCallId, params) {
178
+ const tools = aggregator.listTools(params.server);
179
+ return {
180
+ content: [
181
+ {
182
+ type: "text",
183
+ text: JSON.stringify(tools, null, 2),
184
+ },
185
+ ],
186
+ };
187
+ },
188
+ });
189
+ // --- Agent tool: invoke an MCP tool through the proxy ---
190
+ api.registerTool({
191
+ name: "mcp_call",
192
+ label: "MCP Call (Carapace)",
193
+ description: "Call an MCP tool through the Carapace Cedar proxy. The call is authorized by Cedar policies before reaching the upstream server.",
194
+ parameters: {
195
+ type: "object",
196
+ required: ["tool"],
197
+ properties: {
198
+ tool: {
199
+ type: "string",
200
+ description: 'Fully qualified tool name (e.g., "github/create_issue")',
201
+ },
202
+ arguments: {
203
+ type: "object",
204
+ description: "Arguments to pass to the tool",
205
+ },
206
+ },
207
+ },
208
+ async execute(_toolCallId, params) {
209
+ const { tool, arguments: args } = params;
210
+ // Authorize via Cedar
211
+ const decision = await cedar.authorize({
212
+ principal: 'Agent::"openclaw"',
213
+ action: 'Action::"call_tool"',
214
+ resource: `Tool::"${tool}"`,
215
+ context: args ? { arguments: args } : {},
216
+ });
217
+ if (decision.decision === "deny") {
218
+ return {
219
+ content: [
220
+ {
221
+ type: "text",
222
+ text: `DENIED by Cedar policy: ${tool}\nReason: ${decision.reasons.join(", ") || "default deny"}`,
223
+ },
224
+ ],
225
+ isError: true,
226
+ };
227
+ }
228
+ // Forward to upstream MCP server
229
+ const result = await aggregator.callTool(tool, args ?? {});
230
+ return result;
231
+ },
232
+ });
233
+ // --- Agent tool: execute a shell command through Cedar authorization ---
234
+ api.registerTool({
235
+ name: "carapace_exec",
236
+ label: "Shell Exec (Carapace)",
237
+ description: "Execute a shell command through the Carapace Cedar proxy. The command is authorized by Cedar policies before execution. Use this when you want Cedar-gated shell access.",
238
+ parameters: {
239
+ type: "object",
240
+ required: ["command"],
241
+ properties: {
242
+ command: {
243
+ type: "string",
244
+ description: "The shell command to execute (e.g., 'git status', 'npm install')",
245
+ },
246
+ workdir: {
247
+ type: "string",
248
+ description: "Working directory for the command (optional)",
249
+ },
250
+ timeout: {
251
+ type: "number",
252
+ description: "Timeout in seconds (default: 30)",
253
+ },
254
+ },
255
+ },
256
+ async execute(_toolCallId, params) {
257
+ const { command, workdir, timeout = 30 } = params;
258
+ // Extract the binary name for policy matching
259
+ const binary = command.trim().split(/\s+/)[0].replace(/^.*\//, "");
260
+ // Authorize via Cedar
261
+ const decision = await cedar.authorize({
262
+ principal: `Agent::"openclaw"`,
263
+ action: `Action::"exec_command"`,
264
+ resource: `Shell::"${binary}"`,
265
+ context: { args: command, workdir: workdir ?? "" },
266
+ });
267
+ if (decision.decision === "deny") {
268
+ return {
269
+ content: [
270
+ {
271
+ type: "text",
272
+ text: `DENIED by Cedar policy: shell command "${binary}"\nFull command: ${command}\nReason: ${decision.reasons.join(", ") || "default deny"}`,
273
+ },
274
+ ],
275
+ isError: true,
276
+ };
277
+ }
278
+ // Execute the command
279
+ try {
280
+ const { execSync } = await import("node:child_process");
281
+ const result = execSync(command, {
282
+ cwd: workdir,
283
+ timeout: timeout * 1000,
284
+ maxBuffer: 1024 * 1024,
285
+ encoding: "utf-8",
286
+ stdio: ["pipe", "pipe", "pipe"],
287
+ });
288
+ return {
289
+ content: [{ type: "text", text: result }],
290
+ };
291
+ }
292
+ catch (err) {
293
+ const output = err.stdout ?? err.stderr ?? err.message;
294
+ return {
295
+ content: [{ type: "text", text: `Command failed (exit ${err.status ?? "?"}): ${output}` }],
296
+ isError: true,
297
+ };
298
+ }
299
+ },
300
+ }, { optional: true });
301
+ // --- Agent tool: make an HTTP API call through Cedar authorization ---
302
+ api.registerTool({
303
+ name: "carapace_fetch",
304
+ label: "API Fetch (Carapace)",
305
+ description: "Make an HTTP API call through the Carapace Cedar proxy. The request is authorized by Cedar policies before being sent. Use this when you want Cedar-gated outbound API access.",
306
+ parameters: {
307
+ type: "object",
308
+ required: ["url"],
309
+ properties: {
310
+ url: {
311
+ type: "string",
312
+ description: "The URL to fetch",
313
+ },
314
+ method: {
315
+ type: "string",
316
+ description: "HTTP method (GET, POST, PUT, DELETE, PATCH). Default: GET",
317
+ },
318
+ headers: {
319
+ type: "object",
320
+ description: "HTTP headers to include",
321
+ },
322
+ body: {
323
+ type: "string",
324
+ description: "Request body (for POST/PUT/PATCH)",
325
+ },
326
+ timeout: {
327
+ type: "number",
328
+ description: "Timeout in seconds (default: 30)",
329
+ },
330
+ },
331
+ },
332
+ async execute(_toolCallId, params) {
333
+ const { url, method = "GET", headers = {}, body, timeout = 30 } = params;
334
+ // Extract domain for policy matching
335
+ let domain;
336
+ try {
337
+ domain = new URL(url).hostname;
338
+ }
339
+ catch {
340
+ return {
341
+ content: [{ type: "text", text: `Invalid URL: ${url}` }],
342
+ isError: true,
343
+ };
344
+ }
345
+ // Authorize via Cedar
346
+ const decision = await cedar.authorize({
347
+ principal: `Agent::"openclaw"`,
348
+ action: `Action::"call_api"`,
349
+ resource: `API::"${domain}"`,
350
+ context: { url, method, body: body ?? "" },
351
+ });
352
+ if (decision.decision === "deny") {
353
+ return {
354
+ content: [
355
+ {
356
+ type: "text",
357
+ text: `DENIED by Cedar policy: API call to "${domain}"\nURL: ${url}\nMethod: ${method}\nReason: ${decision.reasons.join(", ") || "default deny"}`,
358
+ },
359
+ ],
360
+ isError: true,
361
+ };
362
+ }
363
+ // Make the HTTP request
364
+ try {
365
+ const controller = new AbortController();
366
+ const timer = setTimeout(() => controller.abort(), timeout * 1000);
367
+ const response = await fetch(url, {
368
+ method,
369
+ headers,
370
+ body: body ?? undefined,
371
+ signal: controller.signal,
372
+ });
373
+ clearTimeout(timer);
374
+ const responseText = await response.text();
375
+ const truncated = responseText.length > 50000
376
+ ? responseText.slice(0, 50000) + "\n...[truncated]"
377
+ : responseText;
378
+ return {
379
+ content: [
380
+ {
381
+ type: "text",
382
+ text: `HTTP ${response.status} ${response.statusText}\n\n${truncated}`,
383
+ },
384
+ ],
385
+ isError: !response.ok,
386
+ };
387
+ }
388
+ catch (err) {
389
+ return {
390
+ content: [{ type: "text", text: `API call failed: ${err.message}` }],
391
+ isError: true,
392
+ };
393
+ }
394
+ },
395
+ }, { optional: true });
396
+ // --- CLI command ---
397
+ api.registerCli?.(({ program }) => {
398
+ const cmd = program.command("carapace").description("Carapace ā€” MCP tool authorization");
399
+ cmd.command("status").action(async () => {
400
+ const servers = aggregator.getServerStatus();
401
+ console.log("\nšŸ¦ž Carapace Status\n");
402
+ for (const [name, status] of Object.entries(servers)) {
403
+ const icon = status.connected ? "āœ…" : "āŒ";
404
+ console.log(` ${icon} ${name} ā€” ${status.toolCount} tools`);
405
+ }
406
+ const tools = aggregator.listTools();
407
+ const enabled = tools.filter((t) => t.enabled).length;
408
+ console.log(`\n ${enabled}/${tools.length} tools enabled`);
409
+ console.log(` GUI: http://localhost:${config.guiPort ?? 19820}`);
410
+ if (proxy) {
411
+ const stats = proxy.getStats();
412
+ console.log(`\n šŸ›”ļø LLM Proxy: http://127.0.0.1:${proxyConfig.port ?? 19821}`);
413
+ console.log(` Requests: ${stats.requests} | Tool calls evaluated: ${stats.toolCallsEvaluated} | Denied: ${stats.toolCallsDenied}`);
414
+ }
415
+ else {
416
+ console.log(`\n āš ļø LLM Proxy: disabled`);
417
+ }
418
+ console.log();
419
+ });
420
+ cmd.command("tools").action(async () => {
421
+ const tools = aggregator.listTools();
422
+ for (const tool of tools) {
423
+ const icon = tool.enabled ? "šŸŸ¢" : "šŸ”“";
424
+ console.log(` ${icon} ${tool.qualifiedName} ā€” ${tool.description}`);
425
+ }
426
+ });
427
+ cmd.command("verify").action(async () => {
428
+ const result = await cedar.verify();
429
+ if (result.ok) {
430
+ console.log("āœ… All policies verified");
431
+ }
432
+ else {
433
+ console.log("āš ļø Verification issues:");
434
+ for (const issue of result.issues) {
435
+ console.log(` - ${issue}`);
436
+ }
437
+ }
438
+ });
439
+ cmd.command("setup")
440
+ .description("Configure OpenClaw to route all traffic through Carapace")
441
+ .action(async () => {
442
+ console.log("\nšŸ¦ž Carapace Setup\n");
443
+ let anyChanges = false;
444
+ // 1. Deny built-in bypass tools
445
+ const bypasses = checkForBypasses();
446
+ if (bypasses.length > 0) {
447
+ console.log(" Denying built-in tools that bypass Cedar:");
448
+ const { patched, alreadyDenied } = patchConfigDenyTools();
449
+ if (alreadyDenied.length > 0) {
450
+ console.log(` Already denied: ${alreadyDenied.join(", ")}`);
451
+ }
452
+ if (patched.length > 0) {
453
+ console.log(` āœ… Added to tools.deny: ${patched.join(", ")}`);
454
+ anyChanges = true;
455
+ }
456
+ }
457
+ else {
458
+ console.log(" āœ… Built-in bypass tools already denied.");
459
+ }
460
+ // 2. Set up LLM proxy baseUrl if proxy is configured
461
+ if (config.proxy?.enabled) {
462
+ console.log("\n Configuring LLM proxy baseUrl:");
463
+ const { patched, alreadySet } = patchConfigProxyBaseUrl();
464
+ if (alreadySet.length > 0) {
465
+ console.log(` Already set: ${alreadySet.join(", ")}`);
466
+ }
467
+ if (patched.length > 0) {
468
+ console.log(` āœ… Set models.providers baseUrl for: ${patched.join(", ")}`);
469
+ anyChanges = true;
470
+ }
471
+ if (patched.length === 0 && alreadySet.length === 0) {
472
+ console.log(" āš ļø No upstream providers configured in proxy config.");
473
+ console.log(" Add proxy.upstream.anthropic or proxy.upstream.openai to your plugin config.");
474
+ }
475
+ }
476
+ else {
477
+ console.log("\n LLM proxy not enabled ā€” skipping baseUrl setup.");
478
+ console.log(" To enable, add proxy.enabled: true to your Carapace plugin config.");
479
+ }
480
+ if (anyChanges) {
481
+ console.log("\n Restart the gateway for changes to take effect:");
482
+ console.log(" openclaw gateway restart\n");
483
+ }
484
+ else {
485
+ console.log("\n āœ… Everything already configured. No changes needed.\n");
486
+ }
487
+ });
488
+ cmd.command("uninstall")
489
+ .description("Reverse all config changes made by Carapace (restores built-in tools)")
490
+ .action(async () => {
491
+ console.log("\nšŸ¦ž Carapace Uninstall\n");
492
+ console.log(" This reverses changes made by 'openclaw carapace setup'.\n");
493
+ try {
494
+ const { readFileSync, writeFileSync, existsSync } = require("node:fs");
495
+ const { join } = require("node:path");
496
+ const { homedir } = require("node:os");
497
+ const configPath = join(homedir(), ".openclaw", "openclaw.json");
498
+ if (!existsSync(configPath)) {
499
+ console.log(" No config file found. Nothing to undo.\n");
500
+ return;
501
+ }
502
+ const cfg = JSON.parse(readFileSync(configPath, "utf-8"));
503
+ let changed = false;
504
+ // Remove Carapace-added entries from tools.deny
505
+ if (cfg.tools?.deny) {
506
+ const before = cfg.tools.deny.length;
507
+ cfg.tools.deny = cfg.tools.deny.filter((t) => !BYPASS_TOOLS.includes(t));
508
+ if (cfg.tools.deny.length === 0)
509
+ delete cfg.tools.deny;
510
+ if (cfg.tools && Object.keys(cfg.tools).length === 0)
511
+ delete cfg.tools;
512
+ if (cfg.tools?.deny?.length !== before) {
513
+ changed = true;
514
+ console.log(` āœ… Removed [${BYPASS_TOOLS.join(", ")}] from tools.deny`);
515
+ console.log(" Built-in exec, web_fetch, and web_search are restored.");
516
+ }
517
+ }
518
+ // Remove models.providers baseUrl override if it points at the proxy
519
+ const proxyPort = cfg.plugins?.entries?.carapace?.config?.proxy?.port ?? 19821;
520
+ const proxyUrl = `http://127.0.0.1:${proxyPort}`;
521
+ if (cfg.models?.providers) {
522
+ for (const [name, provCfg] of Object.entries(cfg.models.providers)) {
523
+ if (provCfg?.baseUrl === proxyUrl) {
524
+ delete provCfg.baseUrl;
525
+ // Clean up empty objects
526
+ if (Object.keys(provCfg).length === 0)
527
+ delete cfg.models.providers[name];
528
+ changed = true;
529
+ console.log(` āœ… Removed baseUrl proxy override for ${name}`);
530
+ console.log(` ${name} will connect directly to its API again.`);
531
+ }
532
+ }
533
+ if (Object.keys(cfg.models.providers).length === 0)
534
+ delete cfg.models.providers;
535
+ if (cfg.models && Object.keys(cfg.models).length === 0)
536
+ delete cfg.models;
537
+ }
538
+ // Disable the plugin entry (don't delete ā€” user might want to re-enable)
539
+ if (cfg.plugins?.entries?.carapace?.enabled) {
540
+ cfg.plugins.entries.carapace.enabled = false;
541
+ changed = true;
542
+ console.log(" āœ… Disabled carapace plugin in config");
543
+ }
544
+ if (changed) {
545
+ writeFileSync(configPath, JSON.stringify(cfg, null, 2) + "\n", "utf-8");
546
+ console.log("\n Config updated. Restart the gateway for changes to take effect:");
547
+ console.log(" openclaw gateway restart\n");
548
+ console.log(" To fully remove the plugin files:");
549
+ console.log(" rm -rf ~/.openclaw/extensions/carapace\n");
550
+ }
551
+ else {
552
+ console.log(" No Carapace changes found in config. Nothing to undo.\n");
553
+ }
554
+ }
555
+ catch (err) {
556
+ console.log(` āŒ Error: ${err.message}\n`);
557
+ }
558
+ });
559
+ cmd.command("check")
560
+ .description("Check for bypass vulnerabilities (built-in tools that skip Cedar)")
561
+ .action(async () => {
562
+ console.log("\nšŸ¦ž Carapace Security Check\n");
563
+ const bypasses = checkForBypasses();
564
+ if (bypasses.length === 0) {
565
+ console.log(" āœ… No bypass vulnerabilities found.");
566
+ console.log(" All agent exec/fetch operations go through Cedar.\n");
567
+ }
568
+ else {
569
+ console.log(" āš ļø Bypass vulnerabilities found:\n");
570
+ for (const tool of bypasses) {
571
+ console.log(` šŸ”“ ${tool} ā€” agents can bypass Cedar policies via this tool`);
572
+ }
573
+ console.log(`\n Run "openclaw carapace setup" to fix.\n`);
574
+ }
575
+ });
576
+ }, { commands: ["carapace"] });
577
+ // --- Gateway RPC ---
578
+ api.registerGatewayMethod?.("carapace.status", ({ respond }) => {
579
+ const servers = aggregator.getServerStatus();
580
+ const tools = aggregator.listTools();
581
+ respond(true, { servers, toolCount: tools.length, enabledCount: tools.filter((t) => t.enabled).length });
582
+ });
583
+ }
584
+ //# sourceMappingURL=index.js.map
package/dist/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAG1C,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAE1D,MAAM,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC;AAC7B,MAAM,CAAC,MAAM,IAAI,GAAG,UAAU,CAAC;AA6B/B,MAAM,CAAC,OAAO,UAAU,QAAQ,CAAC,GAAsB;IACrD,MAAM,MAAM,GAAiB,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;IACpD,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC;IAE1B,MAAM,KAAK,GAAG,IAAI,eAAe,CAAC;QAChC,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,2BAA2B;QAC1D,aAAa,EAAE,MAAM,CAAC,aAAa,IAAI,WAAW;QAClD,MAAM,EAAE,MAAM,CAAC,MAAM,IAAI,KAAK;QAC9B,MAAM;KACP,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,IAAI,aAAa,CAAC;QACnC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,EAAE;QAC7B,KAAK;QACL,MAAM;KACP,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC;QACzB,IAAI,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;QAC7B,UAAU;QACV,KAAK;QACL,MAAM;KACP,CAAC,CAAC;IAEH,2DAA2D;IAC3D,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC;IACjC,MAAM,KAAK,GAAG,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;QAChD,IAAI,EAAE,WAAW,CAAC,IAAI,IAAI,KAAK;QAC/B,QAAQ,EAAE;YACR,SAAS,EAAE,WAAW,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC;gBAC3C,GAAG,EAAE,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,GAAG,IAAI,2BAA2B;gBACtE,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,SAAS,CAAC,MAAM;aAC9C,CAAC,CAAC,CAAC,SAAS;YACb,MAAM,EAAE,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC,CAAC;gBACrC,GAAG,EAAE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,IAAI,wBAAwB;gBAChE,MAAM,EAAE,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM;aAC3C,CAAC,CAAC,CAAC,SAAS;SACd;QACD,KAAK;QACL,MAAM;KACP,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEV,iEAAiE;IACjE,MAAM,YAAY,GAAG,CAAC,MAAM,EAAE,WAAW,EAAE,YAAY,CAAC,CAAC;IAEzD,SAAS,gBAAgB;QACvB,2CAA2C;QAC3C,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;YACxD,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;YACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;YACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;YACjE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;gBAAE,OAAO,YAAY,CAAC;YACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;YAC1D,MAAM,MAAM,GAAa,GAAG,CAAC,KAAK,EAAE,IAAI,IAAI,EAAE,CAAC;YAC/C,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QACzD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,YAAY,CAAC;QACtB,CAAC;IACH,CAAC;IAED,SAAS,oBAAoB;QAC3B,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACvE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;QAEjE,IAAI,GAAG,GAAQ,EAAE,CAAC;QAClB,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAC3B,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,CAAC,GAAG,CAAC,KAAK;YAAE,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC;QAC/B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI;YAAE,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC;QAEzC,MAAM,aAAa,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7E,MAAM,KAAK,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAEtE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAC3C,CAAC;IAED,SAAS,uBAAuB;QAC9B,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACvE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;QAEjE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;QACpE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;QAE1D,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,EAAE,IAAI,IAAI,KAAK,CAAC;QACzC,MAAM,QAAQ,GAAG,oBAAoB,IAAI,EAAE,CAAC;QAE5C,2DAA2D;QAC3D,MAAM,SAAS,GAAa,EAAE,CAAC;QAC/B,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,SAAS;YAAE,SAAS,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnE,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM;YAAE,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAE7D,MAAM,OAAO,GAAa,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAa,EAAE,CAAC;QAEhC,IAAI,CAAC,GAAG,CAAC,MAAM;YAAE,GAAG,CAAC,MAAM,GAAG,EAAE,CAAC;QACjC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS;YAAE,GAAG,CAAC,MAAM,CAAC,SAAS,GAAG,EAAE,CAAC;QAErD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;YACjC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;YACzE,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;gBACxD,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC5B,CAAC;iBAAM,CAAC;gBACN,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,OAAO,GAAG,QAAQ,CAAC;gBAClD,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;QAC1E,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IACjC,CAAC;IAED,mEAAmE;IACnE,GAAG,CAAC,eAAe,CAAC;QAClB,EAAE,EAAE,UAAU;QACd,KAAK,CAAC,KAAK;YACT,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACpC,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,MAAM,UAAU,CAAC,UAAU,EAAE,CAAC;YAC9B,MAAM,GAAG,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,mCAAmC,MAAM,CAAC,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC;YAE1E,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,WAAY,CAAC,IAAI,IAAI,KAAK,KAAK;oBAC5E,iCAAiC,CAClC,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,+DAA+D;gBAC/D,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;gBACpC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACxB,MAAM,CAAC,IAAI,CACT,oCAAoC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,iDAAiD;wBACxG,0DAA0D;wBAC1D,6FAA6F,CAC9F,CAAC;gBACJ,CAAC;YACH,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI;YACR,IAAI,KAAK;gBAAE,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;YAC9B,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,UAAU,CAAC,aAAa,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAClC,CAAC;KACF,CAAC,CAAC;IAEH,+CAA+C;IAC/C,GAAG,CAAC,YAAY,CAAC;QACf,IAAI,EAAE,WAAW;QACjB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EACT,mGAAmG;QACrG,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE;gBACV,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kCAAkC;iBAChD;aACF;SACF;QACD,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,MAA2B;YAC5D,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAClD,OAAO;gBACL,OAAO,EAAE;oBACP;wBACE,IAAI,EAAE,MAAM;wBACZ,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;qBACrC;iBACF;aACF,CAAC;QACJ,CAAC;KACF,CAAC,CAAC;IAEH,2DAA2D;IAC3D,GAAG,CAAC,YAAY,CAAC;QACf,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,qBAAqB;QAC5B,WAAW,EACT,kIAAkI;QACpI,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,MAAM,CAAC;YAClB,UAAU,EAAE;gBACV,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,yDAAyD;iBACvE;gBACD,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,+BAA+B;iBAC7C;aACF;SACF;QACD,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,MAA6D;YAC9F,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,MAAM,CAAC;YAEzC,sBAAsB;YACtB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC;gBACrC,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,qBAAqB;gBAC7B,QAAQ,EAAE,UAAU,IAAI,GAAG;gBAC3B,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE;aACzC,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACjC,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,2BAA2B,IAAI,aAAa,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,cAAc,EAAE;yBAClG;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,iCAAiC;YACjC,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,QAAQ,CAAC,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;YAC3D,OAAO,MAAM,CAAC;QAChB,CAAC;KACF,CAAC,CAAC;IAEH,0EAA0E;IAC1E,GAAG,CAAC,YAAY,CAAC;QACf,IAAI,EAAE,eAAe;QACrB,KAAK,EAAE,uBAAuB;QAC9B,WAAW,EACT,0KAA0K;QAC5K,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,SAAS,CAAC;YACrB,UAAU,EAAE;gBACV,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kEAAkE;iBAChF;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,8CAA8C;iBAC5D;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kCAAkC;iBAChD;aACF;SACF;QACD,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,MAA+D;YAChG,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC;YAElD,8CAA8C;YAC9C,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;YAEnE,sBAAsB;YACtB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC;gBACrC,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,wBAAwB;gBAChC,QAAQ,EAAE,WAAW,MAAM,GAAG;gBAC9B,OAAO,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,EAAE;aACnD,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACjC,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,0CAA0C,MAAM,oBAAoB,OAAO,aAAa,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,cAAc,EAAE;yBAC9I;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,sBAAsB;YACtB,IAAI,CAAC;gBACH,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;gBACxD,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,EAAE;oBAC/B,GAAG,EAAE,OAAO;oBACZ,OAAO,EAAE,OAAO,GAAG,IAAI;oBACvB,SAAS,EAAE,IAAI,GAAG,IAAI;oBACtB,QAAQ,EAAE,OAAO;oBACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;iBAChC,CAAC,CAAC;gBACH,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;iBAC1C,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC;gBACvD,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,wBAAwB,GAAG,CAAC,MAAM,IAAI,GAAG,MAAM,MAAM,EAAE,EAAE,CAAC;oBAC1F,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC;KACF,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAEvB,wEAAwE;IACxE,GAAG,CAAC,YAAY,CAAC;QACf,IAAI,EAAE,gBAAgB;QACtB,KAAK,EAAE,sBAAsB;QAC7B,WAAW,EACT,gLAAgL;QAClL,UAAU,EAAE;YACV,IAAI,EAAE,QAAQ;YACd,QAAQ,EAAE,CAAC,KAAK,CAAC;YACjB,UAAU,EAAE;gBACV,GAAG,EAAE;oBACH,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kBAAkB;iBAChC;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,2DAA2D;iBACzE;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,yBAAyB;iBACvC;gBACD,IAAI,EAAE;oBACJ,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,mCAAmC;iBACjD;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,WAAW,EAAE,kCAAkC;iBAChD;aACF;SACF;QACD,KAAK,CAAC,OAAO,CAAC,WAAmB,EAAE,MAElC;YACC,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,KAAK,EAAE,OAAO,GAAG,EAAE,EAAE,IAAI,EAAE,OAAO,GAAG,EAAE,EAAE,GAAG,MAAM,CAAC;YAEzE,qCAAqC;YACrC,IAAI,MAAc,CAAC;YACnB,IAAI,CAAC;gBACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC;YACjC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,gBAAgB,GAAG,EAAE,EAAE,CAAC;oBACxD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,sBAAsB;YACtB,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC;gBACrC,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,oBAAoB;gBAC5B,QAAQ,EAAE,SAAS,MAAM,GAAG;gBAC5B,OAAO,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,IAAI,EAAE,EAAE;aAC3C,CAAC,CAAC;YAEH,IAAI,QAAQ,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACjC,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,wCAAwC,MAAM,WAAW,GAAG,aAAa,MAAM,aAAa,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,cAAc,EAAE;yBAClJ;qBACF;oBACD,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;YAED,wBAAwB;YACxB,IAAI,CAAC;gBACH,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;gBACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,OAAO,GAAG,IAAI,CAAC,CAAC;gBAEnE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;oBAChC,MAAM;oBACN,OAAO;oBACP,IAAI,EAAE,IAAI,IAAI,SAAS;oBACvB,MAAM,EAAE,UAAU,CAAC,MAAM;iBAC1B,CAAC,CAAC;gBAEH,YAAY,CAAC,KAAK,CAAC,CAAC;gBAEpB,MAAM,YAAY,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;gBAC3C,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,GAAG,KAAK;oBAC3C,CAAC,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,GAAG,kBAAkB;oBACnD,CAAC,CAAC,YAAY,CAAC;gBAEjB,OAAO;oBACL,OAAO,EAAE;wBACP;4BACE,IAAI,EAAE,MAAM;4BACZ,IAAI,EAAE,QAAQ,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,UAAU,OAAO,SAAS,EAAE;yBACvE;qBACF;oBACD,OAAO,EAAE,CAAC,QAAQ,CAAC,EAAE;iBACtB,CAAC;YACJ,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO;oBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,oBAAoB,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC;oBACpE,OAAO,EAAE,IAAI;iBACd,CAAC;YACJ,CAAC;QACH,CAAC;KACF,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IAEvB,sBAAsB;IACtB,GAAG,CAAC,WAAW,EAAE,CACf,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;QACd,MAAM,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,CAAC,mCAAmC,CAAC,CAAC;QAEzF,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;YACtC,MAAM,OAAO,GAAG,UAAU,CAAC,eAAe,EAAE,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;YACtC,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACrD,MAAM,IAAI,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;gBAC1C,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,IAAI,MAAM,MAAM,CAAC,SAAS,QAAQ,CAAC,CAAC;YAC/D,CAAC;YACD,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;YACrC,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;YACtD,OAAO,CAAC,GAAG,CAAC,OAAO,OAAO,IAAI,KAAK,CAAC,MAAM,gBAAgB,CAAC,CAAC;YAC5D,OAAO,CAAC,GAAG,CAAC,2BAA2B,MAAM,CAAC,OAAO,IAAI,KAAK,EAAE,CAAC,CAAC;YAElE,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,CAAC;gBAC/B,OAAO,CAAC,GAAG,CAAC,wCAAwC,WAAY,CAAC,IAAI,IAAI,KAAK,EAAE,CAAC,CAAC;gBAClF,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,QAAQ,4BAA4B,KAAK,CAAC,kBAAkB,cAAc,KAAK,CAAC,eAAe,EAAE,CAAC,CAAC;YACtI,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;YAC7C,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;YACrC,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;YACrC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC;gBACxC,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,IAAI,IAAI,CAAC,aAAa,MAAM,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YACvE,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE;YACtC,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE,CAAC;YACpC,IAAI,MAAM,CAAC,EAAE,EAAE,CAAC;gBACd,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;YACzC,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;gBACxC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;oBAClC,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,EAAE,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;aACjB,WAAW,CAAC,0DAA0D,CAAC;aACvE,MAAM,CAAC,KAAK,IAAI,EAAE;YACjB,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC;YACrC,IAAI,UAAU,GAAG,KAAK,CAAC;YAEvB,gCAAgC;YAChC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;YACpC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;gBAC3D,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,GAAG,oBAAoB,EAAE,CAAC;gBAC1D,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC7B,OAAO,CAAC,GAAG,CAAC,uBAAuB,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBACjE,CAAC;gBACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,8BAA8B,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBAChE,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;YAC3D,CAAC;YAED,qDAAqD;YACrD,IAAI,MAAM,CAAC,KAAK,EAAE,OAAO,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,oCAAoC,CAAC,CAAC;gBAClD,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,uBAAuB,EAAE,CAAC;gBAC1D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBAC1B,OAAO,CAAC,GAAG,CAAC,oBAAoB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;gBAC3D,CAAC;gBACD,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,GAAG,CAAC,2CAA2C,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBAC7E,UAAU,GAAG,IAAI,CAAC;gBACpB,CAAC;gBACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACpD,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;oBACzE,OAAO,CAAC,GAAG,CAAC,qFAAqF,CAAC,CAAC;gBACrG,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;YACtF,CAAC;YAED,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAC;gBACnE,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAChD,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC,CAAC,CAAC;QAEL,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC;aACrB,WAAW,CAAC,uEAAuE,CAAC;aACpF,MAAM,CAAC,KAAK,IAAI,EAAE;YACjB,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC;YACzC,OAAO,CAAC,GAAG,CAAC,8DAA8D,CAAC,CAAC;YAE5E,IAAI,CAAC;gBACH,MAAM,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACvE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;gBACtC,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;gBACvC,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,eAAe,CAAC,CAAC;gBAEjE,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC5B,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;oBAC1D,OAAO;gBACT,CAAC;gBAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC;gBAC1D,IAAI,OAAO,GAAG,KAAK,CAAC;gBAEpB,gDAAgD;gBAChD,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC;oBACpB,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC;oBACrC,GAAG,CAAC,KAAK,CAAC,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;oBACjF,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC;wBAAE,OAAO,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;oBACvD,IAAI,GAAG,CAAC,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,MAAM,KAAK,CAAC;wBAAE,OAAO,GAAG,CAAC,KAAK,CAAC;oBACvE,IAAI,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,KAAK,MAAM,EAAE,CAAC;wBACvC,OAAO,GAAG,IAAI,CAAC;wBACf,OAAO,CAAC,GAAG,CAAC,gBAAgB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;wBACxE,OAAO,CAAC,GAAG,CAAC,6DAA6D,CAAC,CAAC;oBAC7E,CAAC;gBACH,CAAC;gBAED,qEAAqE;gBACrE,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,IAAI,KAAK,CAAC;gBAC/E,MAAM,QAAQ,GAAG,oBAAoB,SAAS,EAAE,CAAC;gBACjD,IAAI,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC;oBAC1B,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;wBACnE,IAAK,OAAe,EAAE,OAAO,KAAK,QAAQ,EAAE,CAAC;4BAC3C,OAAQ,OAAe,CAAC,OAAO,CAAC;4BAChC,yBAAyB;4BACzB,IAAI,MAAM,CAAC,IAAI,CAAC,OAAc,CAAC,CAAC,MAAM,KAAK,CAAC;gCAAE,OAAO,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;4BAChF,OAAO,GAAG,IAAI,CAAC;4BACf,OAAO,CAAC,GAAG,CAAC,0CAA0C,IAAI,EAAE,CAAC,CAAC;4BAC9D,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,0CAA0C,CAAC,CAAC;wBACtE,CAAC;oBACH,CAAC;oBACD,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC;wBAAE,OAAO,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC;oBAChF,IAAI,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,MAAM,KAAK,CAAC;wBAAE,OAAO,GAAG,CAAC,MAAM,CAAC;gBAC5E,CAAC;gBAED,yEAAyE;gBACzE,IAAI,GAAG,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;oBAC5C,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,GAAG,KAAK,CAAC;oBAC7C,OAAO,GAAG,IAAI,CAAC;oBACf,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;gBACxD,CAAC;gBAED,IAAI,OAAO,EAAE,CAAC;oBACZ,aAAa,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,OAAO,CAAC,CAAC;oBACxE,OAAO,CAAC,GAAG,CAAC,qEAAqE,CAAC,CAAC;oBACnF,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;oBAC9C,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;oBACnD,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;gBAC9D,CAAC;qBAAM,CAAC;oBACN,OAAO,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBAC3E,CAAC;YAGH,CAAC;YAAC,OAAO,GAAQ,EAAE,CAAC;gBAClB,OAAO,CAAC,GAAG,CAAC,cAAc,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC,CAAC,CAAC;QAEL,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC;aACjB,WAAW,CAAC,mEAAmE,CAAC;aAChF,MAAM,CAAC,KAAK,IAAI,EAAE;YACjB,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;YAC9C,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;YACpC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,sCAAsC,CAAC,CAAC;gBACpD,OAAO,CAAC,GAAG,CAAC,uDAAuD,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACrD,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;oBAC5B,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,mDAAmD,CAAC,CAAC;gBACjF,CAAC;gBACD,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC,CAAC,CAAC;IACP,CAAC,EACD,EAAE,QAAQ,EAAE,CAAC,UAAU,CAAC,EAAE,CAC3B,CAAC;IAEF,sBAAsB;IACtB,GAAG,CAAC,qBAAqB,EAAE,CAAC,iBAAiB,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE;QAC7D,MAAM,OAAO,GAAG,UAAU,CAAC,eAAe,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,CAAC,MAAM,EAAE,YAAY,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3G,CAAC,CAAC,CAAC;AACL,CAAC"}