@clawdstrike/openclaw 0.1.0

package/dist/policy/validator.js

@@ -0,0 +1,409 @@
+import { validatePolicy as validateCanonicalPolicy } from '@clawdstrike/policy';
+export const POLICY_SCHEMA_VERSION = 'clawdstrike-v1.0';
+const SUPPORTED_CANONICAL_VERSIONS = new Set(['1.1.0', '1.2.0']);
+const VALID_EGRESS_MODES = new Set(['allowlist', 'denylist', 'open', 'deny_all']);
+const VALID_VIOLATION_ACTIONS = new Set(['cancel', 'warn', 'isolate', 'escalate']);
+const VALID_TIMEOUT_BEHAVIORS = new Set(['allow', 'deny', 'warn', 'defer']);
+const VALID_EXECUTION_MODES = new Set(['parallel', 'sequential', 'background']);
+const PLACEHOLDER_RE = /\$\{([^}]+)\}/g;
+const RESERVED_PACKAGES = new Set([
+    'clawdstrike-virustotal',
+    'clawdstrike-safe-browsing',
+    'clawdstrike-snyk',
+]);
+const POLICY_KEYS = new Set([
+    'version',
+    'extends',
+    'egress',
+    'filesystem',
+    'execution',
+    'tools',
+    'limits',
+    'guards',
+    'on_violation',
+]);
+const EGRESS_KEYS = new Set(['mode', 'allowed_domains', 'allowed_cidrs', 'denied_domains']);
+const FILESYSTEM_KEYS = new Set(['allowed_write_roots', 'allowed_read_paths', 'forbidden_paths']);
+const EXECUTION_KEYS = new Set(['allowed_commands', 'denied_patterns']);
+const TOOLS_KEYS = new Set(['allowed', 'denied']);
+const LIMITS_KEYS = new Set(['max_execution_seconds', 'max_memory_mb', 'max_output_bytes']);
+const GUARDS_KEYS = new Set(['forbidden_path', 'egress', 'secret_leak', 'patch_integrity', 'mcp_tool', 'custom']);
+function isPlainObject(value) {
+    return typeof value === 'object' && value !== null && !Array.isArray(value);
+}
+function ensureAllowedKeys(obj, field, allowed, errors) {
+    for (const key of Object.keys(obj)) {
+        if (!allowed.has(key)) {
+            errors.push(`${field} contains unknown field: ${key}`);
+        }
+    }
+}
+function ensureBoolean(value, field, errors) {
+    if (value === undefined)
+        return;
+    if (typeof value !== 'boolean') {
+        errors.push(`${field} must be a boolean`);
+    }
+}
+function ensureStringArray(value, field, errors, warnings) {
+    if (value === undefined)
+        return undefined;
+    if (!Array.isArray(value)) {
+        errors.push(`${field} must be an array of strings`);
+        return undefined;
+    }
+    const out = [];
+    for (let i = 0; i < value.length; i++) {
+        const item = value[i];
+        if (typeof item !== 'string') {
+            errors.push(`${field}[${i}] must be a string`);
+            continue;
+        }
+        if (item.includes('\u0000')) {
+            errors.push(`${field}[${i}] contains a null byte`);
+            continue;
+        }
+        out.push(item);
+    }
+    if (warnings && out.length === 0) {
+        warnings.push(`${field} is empty`);
+    }
+    return out;
+}
+function ensurePositiveNumber(value, field, errors) {
+    if (value === undefined)
+        return;
+    if (typeof value !== 'number' || !Number.isFinite(value) || value <= 0) {
+        errors.push(`${field} must be a positive number`);
+    }
+}
+export function validatePolicy(policy) {
+    const errors = [];
+    const warnings = [];
+    if (!isPlainObject(policy)) {
+        return { valid: false, errors: ['Policy must be an object'], warnings: [] };
+    }
+    ensureAllowedKeys(policy, 'policy', POLICY_KEYS, errors);
+    const p = policy;
+    if (p.version === undefined) {
+        errors.push(`version is required (expected: ${POLICY_SCHEMA_VERSION})`);
+    }
+    else if (typeof p.version !== 'string') {
+        errors.push('version must be a string');
+    }
+    else if (SUPPORTED_CANONICAL_VERSIONS.has(p.version)) {
+        const canonical = validateCanonicalPolicy(policy);
+        return {
+            valid: canonical.valid,
+            errors: canonical.errors,
+            warnings: canonical.warnings,
+        };
+    }
+    else if (p.version !== POLICY_SCHEMA_VERSION) {
+        errors.push(`unsupported policy version: ${p.version} (supported: ${POLICY_SCHEMA_VERSION}, 1.1.0, 1.2.0)`);
+    }
+    if (p.extends !== undefined && typeof p.extends !== 'string') {
+        errors.push('extends must be a string');
+    }
+    // Egress validation
+    if (p.egress !== undefined) {
+        if (!isPlainObject(p.egress)) {
+            errors.push('egress must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.egress, 'egress', EGRESS_KEYS, errors);
+            const mode = p.egress.mode;
+            if (mode !== undefined && (!VALID_EGRESS_MODES.has(mode) || typeof mode !== 'string')) {
+                errors.push(`egress.mode must be one of: ${[...VALID_EGRESS_MODES].join(', ')}`);
+            }
+            const allowed = ensureStringArray(p.egress.allowed_domains, 'egress.allowed_domains', errors);
+            if (mode === 'allowlist' && allowed && allowed.length === 0) {
+                warnings.push('egress.allowlist with empty allowed_domains will deny all egress');
+            }
+            ensureStringArray(p.egress.denied_domains, 'egress.denied_domains', errors);
+            ensureStringArray(p.egress.allowed_cidrs, 'egress.allowed_cidrs', errors);
+        }
+    }
+    // Filesystem validation
+    if (p.filesystem !== undefined) {
+        if (!isPlainObject(p.filesystem)) {
+            errors.push('filesystem must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.filesystem, 'filesystem', FILESYSTEM_KEYS, errors);
+            ensureStringArray(p.filesystem.allowed_write_roots, 'filesystem.allowed_write_roots', errors);
+            ensureStringArray(p.filesystem.allowed_read_paths, 'filesystem.allowed_read_paths', errors);
+            ensureStringArray(p.filesystem.forbidden_paths, 'filesystem.forbidden_paths', errors, warnings);
+        }
+    }
+    // Execution validation
+    if (p.execution !== undefined) {
+        if (!isPlainObject(p.execution)) {
+            errors.push('execution must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.execution, 'execution', EXECUTION_KEYS, errors);
+            ensureStringArray(p.execution.allowed_commands, 'execution.allowed_commands', errors);
+            const patterns = ensureStringArray(p.execution.denied_patterns, 'execution.denied_patterns', errors);
+            if (patterns) {
+                for (const pattern of patterns) {
+                    try {
+                        // eslint-disable-next-line no-new
+                        new RegExp(pattern);
+                    }
+                    catch (err) {
+                        errors.push(`execution.denied_patterns contains invalid regex: ${pattern}`);
+                    }
+                }
+            }
+        }
+    }
+    // Tool policy validation
+    if (p.tools !== undefined) {
+        if (!isPlainObject(p.tools)) {
+            errors.push('tools must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.tools, 'tools', TOOLS_KEYS, errors);
+            ensureStringArray(p.tools.allowed, 'tools.allowed', errors);
+            ensureStringArray(p.tools.denied, 'tools.denied', errors);
+        }
+    }
+    // Limits validation
+    if (p.limits !== undefined) {
+        if (!isPlainObject(p.limits)) {
+            errors.push('limits must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.limits, 'limits', LIMITS_KEYS, errors);
+            ensurePositiveNumber(p.limits.max_execution_seconds, 'limits.max_execution_seconds', errors);
+            ensurePositiveNumber(p.limits.max_memory_mb, 'limits.max_memory_mb', errors);
+            ensurePositiveNumber(p.limits.max_output_bytes, 'limits.max_output_bytes', errors);
+        }
+    }
+    // Guard toggles validation
+    if (p.guards !== undefined) {
+        if (!isPlainObject(p.guards)) {
+            errors.push('guards must be an object');
+        }
+        else {
+            ensureAllowedKeys(p.guards, 'guards', GUARDS_KEYS, errors);
+            ensureBoolean(p.guards.forbidden_path, 'guards.forbidden_path', errors);
+            ensureBoolean(p.guards.egress, 'guards.egress', errors);
+            ensureBoolean(p.guards.secret_leak, 'guards.secret_leak', errors);
+            ensureBoolean(p.guards.patch_integrity, 'guards.patch_integrity', errors);
+            ensureBoolean(p.guards.mcp_tool, 'guards.mcp_tool', errors);
+            const custom = p.guards.custom;
+            if (custom !== undefined) {
+                if (!Array.isArray(custom)) {
+                    errors.push('guards.custom must be an array');
+                }
+                else {
+                    for (let i = 0; i < custom.length; i++) {
+                        validateCustomGuardSpec(custom[i], `guards.custom[${i}]`, errors);
+                    }
+                }
+            }
+        }
+    }
+    // Validate placeholders across the entire policy tree (fail closed on missing env).
+    validatePlaceholders(policy, 'policy', errors);
+    // on_violation validation
+    if (p.on_violation !== undefined) {
+        if (typeof p.on_violation !== 'string' || !VALID_VIOLATION_ACTIONS.has(p.on_violation)) {
+            errors.push(`on_violation must be one of: ${[...VALID_VIOLATION_ACTIONS].join(', ')}`);
+        }
+    }
+    return { valid: errors.length === 0, errors, warnings };
+}
+function validateCustomGuardSpec(value, base, errors) {
+    if (!isPlainObject(value)) {
+        errors.push(`${base} must be an object`);
+        return;
+    }
+    const pkg = value.package;
+    if (typeof pkg !== 'string' || pkg.trim() === '') {
+        errors.push(`${base}.package must be a non-empty string`);
+        return;
+    }
+    if (!RESERVED_PACKAGES.has(pkg)) {
+        errors.push(`${base}.package unsupported custom guard package: ${pkg}`);
+        return;
+    }
+    const enabled = value.enabled;
+    if (enabled !== undefined && typeof enabled !== 'boolean') {
+        errors.push(`${base}.enabled must be a boolean`);
+    }
+    const config = value.config;
+    if (config !== undefined && !isPlainObject(config)) {
+        errors.push(`${base}.config must be an object`);
+        return;
+    }
+    const cfg = (isPlainObject(config) ? config : {});
+    if (pkg === 'clawdstrike-virustotal') {
+        requireString(cfg, `${base}.config.api_key`, errors);
+    }
+    else if (pkg === 'clawdstrike-safe-browsing') {
+        requireString(cfg, `${base}.config.api_key`, errors);
+        requireString(cfg, `${base}.config.client_id`, errors);
+    }
+    else if (pkg === 'clawdstrike-snyk') {
+        requireString(cfg, `${base}.config.api_token`, errors);
+        requireString(cfg, `${base}.config.org_id`, errors);
+    }
+    const asyncCfg = value.async;
+    if (asyncCfg !== undefined) {
+        validateAsyncConfig(asyncCfg, `${base}.async`, errors);
+    }
+}
+function validateAsyncConfig(value, base, errors) {
+    if (!isPlainObject(value)) {
+        errors.push(`${base} must be an object`);
+        return;
+    }
+    const timeoutMs = value.timeout_ms;
+    if (timeoutMs !== undefined && (!isFiniteNumber(timeoutMs) || timeoutMs < 100 || timeoutMs > 300_000)) {
+        errors.push(`${base}.timeout_ms must be between 100 and 300000`);
+    }
+    const onTimeout = value.on_timeout;
+    if (onTimeout !== undefined && (typeof onTimeout !== 'string' || !VALID_TIMEOUT_BEHAVIORS.has(onTimeout))) {
+        errors.push(`${base}.on_timeout must be one of: ${[...VALID_TIMEOUT_BEHAVIORS].join(', ')}`);
+    }
+    const mode = value.execution_mode;
+    if (mode !== undefined && (typeof mode !== 'string' || !VALID_EXECUTION_MODES.has(mode))) {
+        errors.push(`${base}.execution_mode must be one of: ${[...VALID_EXECUTION_MODES].join(', ')}`);
+    }
+    if (value.rate_limit !== undefined) {
+        if (!isPlainObject(value.rate_limit)) {
+            errors.push(`${base}.rate_limit must be an object`);
+        }
+        else {
+            const rl = value.rate_limit;
+            const rps = rl.requests_per_second;
+            const rpm = rl.requests_per_minute;
+            if (rps !== undefined && (!isFiniteNumber(rps) || rps <= 0)) {
+                errors.push(`${base}.rate_limit.requests_per_second must be > 0`);
+            }
+            if (rpm !== undefined && (!isFiniteNumber(rpm) || rpm <= 0)) {
+                errors.push(`${base}.rate_limit.requests_per_minute must be > 0`);
+            }
+            if (rps !== undefined && rpm !== undefined) {
+                errors.push(`${base}.rate_limit must specify only one of requests_per_second or requests_per_minute`);
+            }
+            const burst = rl.burst;
+            if (burst !== undefined && (typeof burst !== 'number' || !Number.isInteger(burst) || burst < 1)) {
+                errors.push(`${base}.rate_limit.burst must be >= 1`);
+            }
+        }
+    }
+    if (value.cache !== undefined) {
+        if (!isPlainObject(value.cache)) {
+            errors.push(`${base}.cache must be an object`);
+        }
+        else {
+            const cache = value.cache;
+            const ttl = cache.ttl_seconds;
+            if (ttl !== undefined && (typeof ttl !== 'number' || !Number.isInteger(ttl) || ttl < 1)) {
+                errors.push(`${base}.cache.ttl_seconds must be >= 1`);
+            }
+            const max = cache.max_size_mb;
+            if (max !== undefined && (typeof max !== 'number' || !Number.isInteger(max) || max < 1)) {
+                errors.push(`${base}.cache.max_size_mb must be >= 1`);
+            }
+        }
+    }
+    if (value.circuit_breaker !== undefined) {
+        if (!isPlainObject(value.circuit_breaker)) {
+            errors.push(`${base}.circuit_breaker must be an object`);
+        }
+        else {
+            const cb = value.circuit_breaker;
+            const f = cb.failure_threshold;
+            if (f !== undefined && (typeof f !== 'number' || !Number.isInteger(f) || f < 1)) {
+                errors.push(`${base}.circuit_breaker.failure_threshold must be >= 1`);
+            }
+            const reset = cb.reset_timeout_ms;
+            if (reset !== undefined && (typeof reset !== 'number' || !Number.isInteger(reset) || reset < 1000)) {
+                errors.push(`${base}.circuit_breaker.reset_timeout_ms must be >= 1000`);
+            }
+            const s = cb.success_threshold;
+            if (s !== undefined && (typeof s !== 'number' || !Number.isInteger(s) || s < 1)) {
+                errors.push(`${base}.circuit_breaker.success_threshold must be >= 1`);
+            }
+        }
+    }
+    if (value.retry !== undefined) {
+        if (!isPlainObject(value.retry)) {
+            errors.push(`${base}.retry must be an object`);
+        }
+        else {
+            const retry = value.retry;
+            const mult = retry.multiplier;
+            if (mult !== undefined && (!isFiniteNumber(mult) || mult < 1)) {
+                errors.push(`${base}.retry.multiplier must be >= 1`);
+            }
+            const init = retry.initial_backoff_ms;
+            if (init !== undefined && (typeof init !== 'number' || !Number.isInteger(init) || init < 100)) {
+                errors.push(`${base}.retry.initial_backoff_ms must be >= 100`);
+            }
+            const max = retry.max_backoff_ms;
+            if (max !== undefined && (typeof max !== 'number' || !Number.isInteger(max) || max < 100)) {
+                errors.push(`${base}.retry.max_backoff_ms must be >= 100`);
+            }
+            if (typeof init === 'number' && typeof max === 'number' && max < init) {
+                errors.push(`${base}.retry.max_backoff_ms must be >= initial_backoff_ms`);
+            }
+        }
+    }
+}
+function requireString(obj, field, errors) {
+    const key = field.split('.').slice(-1)[0] ?? '';
+    const value = obj[key];
+    if (typeof value !== 'string' || value.trim() === '') {
+        errors.push(`${field} missing/invalid required string`);
+    }
+}
+function validatePlaceholders(value, base, errors) {
+    if (typeof value === 'string') {
+        for (const match of value.matchAll(PLACEHOLDER_RE)) {
+            const raw = match[1] ?? '';
+            const envName = envVarForPlaceholder(raw);
+            if (!envName.ok) {
+                errors.push(`${base}: ${envName.error}`);
+                continue;
+            }
+            if (process.env[envName.value] === undefined) {
+                errors.push(`${base}: missing environment variable ${envName.value}`);
+            }
+        }
+        return;
+    }
+    if (Array.isArray(value)) {
+        for (let i = 0; i < value.length; i++) {
+            validatePlaceholders(value[i], `${base}[${i}]`, errors);
+        }
+        return;
+    }
+    if (isPlainObject(value)) {
+        for (const [k, v] of Object.entries(value)) {
+            validatePlaceholders(v, `${base}.${k}`, errors);
+        }
+    }
+}
+function envVarForPlaceholder(raw) {
+    if (raw.startsWith('secrets.')) {
+        const name = raw.slice('secrets.'.length);
+        if (!name) {
+            return { ok: false, error: 'placeholder ${secrets.} is invalid' };
+        }
+        return { ok: true, value: name };
+    }
+    if (!raw) {
+        return { ok: false, error: 'placeholder ${} is invalid' };
+    }
+    return { ok: true, value: raw };
+}
+function isFiniteNumber(value) {
+    return typeof value === 'number' && Number.isFinite(value);
+}
+//# sourceMappingURL=validator.js.map

package/dist/policy/validator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validator.js","sourceRoot":"","sources":["../../src/policy/validator.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,IAAI,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AAEhF,MAAM,CAAC,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;AACxD,MAAM,4BAA4B,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAEjE,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AAClF,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC;AACnF,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAC5E,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,CAAC;AAEhF,MAAM,cAAc,GAAG,gBAAgB,CAAC;AAExC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC;IAChC,wBAAwB;IACxB,2BAA2B;IAC3B,kBAAkB;CACnB,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,SAAS;IACT,SAAS;IACT,QAAQ;IACR,YAAY;IACZ,WAAW;IACX,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,cAAc;CACf,CAAC,CAAC;AAEH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAC5F,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,qBAAqB,EAAE,oBAAoB,EAAE,iBAAiB,CAAC,CAAC,CAAC;AAClG,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,kBAAkB,EAAE,iBAAiB,CAAC,CAAC,CAAC;AACxE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC;AAClD,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,uBAAuB,EAAE,eAAe,EAAE,kBAAkB,CAAC,CAAC,CAAC;AAC5F,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,EAAE,QAAQ,EAAE,aAAa,EAAE,iBAAiB,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;AAElH,SAAS,aAAa,CAAC,KAAc;IACnC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,iBAAiB,CACxB,GAA4B,EAC5B,KAAa,EACb,OAAoB,EACpB,MAAgB;IAEhB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,4BAA4B,GAAG,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,KAAc,EACd,KAAa,EACb,MAAgB;IAEhB,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO;IAChC,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,oBAAoB,CAAC,CAAC;IAC5C,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,KAAa,EACb,MAAgB,EAChB,QAAmB;IAEnB,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,8BAA8B,CAAC,CAAC;QACpD,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,oBAAoB,CAAC,CAAC;YAC/C,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACnD,SAAS;QACX,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjB,CAAC;IACD,IAAI,QAAQ,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC,GAAG,KAAK,WAAW,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,oBAAoB,CAC3B,KAAc,EACd,KAAa,EACb,MAAgB;IAEhB,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO;IAChC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,IAAI,CAAC,EAAE,CAAC;QACvE,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,4BAA4B,CAAC,CAAC;IACpD,CAAC;AACH,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,MAAe;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,0BAA0B,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IAC9E,CAAC;IAED,iBAAiB,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;IAEzD,MAAM,CAAC,GAAG,MAAgB,CAAC;IAE3B,IAAI,CAAC,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,kCAAkC,qBAAqB,GAAG,CAAC,CAAC;IAC1E,CAAC;SAAM,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC1C,CAAC;SAAM,IAAI,4BAA4B,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,MAAM,SAAS,GAAG,uBAAuB,CAAC,MAAa,CAAC,CAAC;QACzD,OAAO;YACL,KAAK,EAAE,SAAS,CAAC,KAAK;YACtB,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,QAAQ,EAAE,SAAS,CAAC,QAAQ;SAC7B,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,CAAC,OAAO,KAAK,qBAAqB,EAAE,CAAC;QAC/C,MAAM,CAAC,IAAI,CACT,+BAA+B,CAAC,CAAC,OAAO,gBAAgB,qBAAqB,iBAAiB,CAC/F,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,CAAC,OAAO,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC7D,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;IAC1C,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3D,MAAM,IAAI,GAAI,CAAC,CAAC,MAAc,CAAC,IAAI,CAAC;YACpC,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,OAAO,IAAI,KAAK,QAAQ,CAAC,EAAE,CAAC;gBACtF,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,GAAG,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnF,CAAC;YAED,MAAM,OAAO,GAAG,iBAAiB,CAAE,CAAC,CAAC,MAAc,CAAC,eAAe,EAAE,wBAAwB,EAAE,MAAM,CAAC,CAAC;YACvG,IAAI,IAAI,KAAK,WAAW,IAAI,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5D,QAAQ,CAAC,IAAI,CAAC,kEAAkE,CAAC,CAAC;YACpF,CAAC;YAED,iBAAiB,CAAE,CAAC,CAAC,MAAc,CAAC,cAAc,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;YACrF,iBAAiB,CAAE,CAAC,CAAC,MAAc,CAAC,aAAa,EAAE,sBAAsB,EAAE,MAAM,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;QAC9C,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,UAAU,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;YACvE,iBAAiB,CAAE,CAAC,CAAC,UAAkB,CAAC,mBAAmB,EAAE,gCAAgC,EAAE,MAAM,CAAC,CAAC;YACvG,iBAAiB,CAAE,CAAC,CAAC,UAAkB,CAAC,kBAAkB,EAAE,+BAA+B,EAAE,MAAM,CAAC,CAAC;YACrG,iBAAiB,CAAE,CAAC,CAAC,UAAkB,CAAC,eAAe,EAAE,4BAA4B,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;QAC3G,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,IAAI,CAAC,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QAC7C,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,SAAS,EAAE,WAAW,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;YACpE,iBAAiB,CAAE,CAAC,CAAC,SAAiB,CAAC,gBAAgB,EAAE,4BAA4B,EAAE,MAAM,CAAC,CAAC;YAE/F,MAAM,QAAQ,GAAG,iBAAiB,CAAE,CAAC,CAAC,SAAiB,CAAC,eAAe,EAAE,2BAA2B,EAAE,MAAM,CAAC,CAAC;YAC9G,IAAI,QAAQ,EAAE,CAAC;gBACb,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;oBAC/B,IAAI,CAAC;wBACH,kCAAkC;wBAClC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC;oBACtB,CAAC;oBAAC,OAAO,GAAG,EAAE,CAAC;wBACb,MAAM,CAAC,IAAI,CAAC,qDAAqD,OAAO,EAAE,CAAC,CAAC;oBAC9E,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;QACzC,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;YACxD,iBAAiB,CAAE,CAAC,CAAC,KAAa,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;YACrE,iBAAiB,CAAE,CAAC,CAAC,KAAa,CAAC,MAAM,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3D,oBAAoB,CAAE,CAAC,CAAC,MAAc,CAAC,qBAAqB,EAAE,8BAA8B,EAAE,MAAM,CAAC,CAAC;YACtG,oBAAoB,CAAE,CAAC,CAAC,MAAc,CAAC,aAAa,EAAE,sBAAsB,EAAE,MAAM,CAAC,CAAC;YACtF,oBAAoB,CAAE,CAAC,CAAC,MAAc,CAAC,gBAAgB,EAAE,yBAAyB,EAAE,MAAM,CAAC,CAAC;QAC9F,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC3B,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,0BAA0B,CAAC,CAAC;QAC1C,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;YAC3D,aAAa,CAAE,CAAC,CAAC,MAAc,CAAC,cAAc,EAAE,uBAAuB,EAAE,MAAM,CAAC,CAAC;YACjF,aAAa,CAAE,CAAC,CAAC,MAAc,CAAC,MAAM,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;YACjE,aAAa,CAAE,CAAC,CAAC,MAAc,CAAC,WAAW,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;YAC3E,aAAa,CAAE,CAAC,CAAC,MAAc,CAAC,eAAe,EAAE,wBAAwB,EAAE,MAAM,CAAC,CAAC;YACnF,aAAa,CAAE,CAAC,CAAC,MAAc,CAAC,QAAQ,EAAE,iBAAiB,EAAE,MAAM,CAAC,CAAC;YAErE,MAAM,MAAM,GAAI,CAAC,CAAC,MAAc,CAAC,MAAM,CAAC;YACxC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC3B,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,CAAC;gBAChD,CAAC;qBAAM,CAAC;oBACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;wBACvC,uBAAuB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,iBAAiB,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;oBACpE,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,oFAAoF;IACpF,oBAAoB,CAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAE/C,0BAA0B;IAC1B,IAAI,CAAC,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,OAAO,CAAC,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC,CAAC,YAAY,CAAC,EAAE,CAAC;YACvF,MAAM,CAAC,IAAI,CAAC,gCAAgC,CAAC,GAAG,uBAAuB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC1D,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAc,EAAE,IAAY,EAAE,MAAgB;IAC7E,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,oBAAoB,CAAC,CAAC;QACzC,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC;IAC1B,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,qCAAqC,CAAC,CAAC;QAC1D,OAAO;IACT,CAAC;IAED,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,8CAA8C,GAAG,EAAE,CAAC,CAAC;QACxE,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAC9B,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,OAAO,KAAK,SAAS,EAAE,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,4BAA4B,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;IAC5B,IAAI,MAAM,KAAK,SAAS,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;QACnD,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,2BAA2B,CAAC,CAAC;QAChD,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAA4B,CAAC;IAC7E,IAAI,GAAG,KAAK,wBAAwB,EAAE,CAAC;QACrC,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,iBAAiB,EAAE,MAAM,CAAC,CAAC;IACvD,CAAC;SAAM,IAAI,GAAG,KAAK,2BAA2B,EAAE,CAAC;QAC/C,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,iBAAiB,EAAE,MAAM,CAAC,CAAC;QACrD,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,mBAAmB,EAAE,MAAM,CAAC,CAAC;IACzD,CAAC;SAAM,IAAI,GAAG,KAAK,kBAAkB,EAAE,CAAC;QACtC,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,mBAAmB,EAAE,MAAM,CAAC,CAAC;QACvD,aAAa,CAAC,GAAG,EAAE,GAAG,IAAI,gBAAgB,EAAE,MAAM,CAAC,CAAC;IACtD,CAAC;IAED,MAAM,QAAQ,GAAI,KAAa,CAAC,KAAK,CAAC;IACtC,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,mBAAmB,CAAC,QAAQ,EAAE,GAAG,IAAI,QAAQ,EAAE,MAAM,CAAC,CAAC;IACzD,CAAC;AACH,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAc,EAAE,IAAY,EAAE,MAAgB;IACzE,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,oBAAoB,CAAC,CAAC;QACzC,OAAO;IACT,CAAC;IAED,MAAM,SAAS,GAAI,KAAa,CAAC,UAAU,CAAC;IAC5C,IAAI,SAAS,KAAK,SAAS,IAAI,CAAC,CAAC,cAAc,CAAC,SAAS,CAAC,IAAI,SAAS,GAAG,GAAG,IAAI,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;QACtG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,4CAA4C,CAAC,CAAC;IACnE,CAAC;IAED,MAAM,SAAS,GAAI,KAAa,CAAC,UAAU,CAAC;IAC5C,IAAI,SAAS,KAAK,SAAS,IAAI,CAAC,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC;QAC1G,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,+BAA+B,CAAC,GAAG,uBAAuB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC/F,CAAC;IAED,MAAM,IAAI,GAAI,KAAa,CAAC,cAAc,CAAC;IAC3C,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACzF,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,mCAAmC,CAAC,GAAG,qBAAqB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,IAAK,KAAa,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QAC5C,IAAI,CAAC,aAAa,CAAE,KAAa,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,+BAA+B,CAAC,CAAC;QACtD,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAI,KAAa,CAAC,UAAqC,CAAC;YAChE,MAAM,GAAG,GAAG,EAAE,CAAC,mBAAmB,CAAC;YACnC,MAAM,GAAG,GAAG,EAAE,CAAC,mBAAmB,CAAC;YACnC,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,6CAA6C,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,EAAE,CAAC;gBAC5D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,6CAA6C,CAAC,CAAC;YACpE,CAAC;YACD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC3C,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,iFAAiF,CAAC,CAAC;YACxG,CAAC;YACD,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC;YACvB,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,EAAE,CAAC;gBAChG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,gCAAgC,CAAC,CAAC;YACvD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAK,KAAa,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,CAAC,aAAa,CAAE,KAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,0BAA0B,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAI,KAAa,CAAC,KAAgC,CAAC;YAC9D,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC;YAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;gBACxF,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,iCAAiC,CAAC,CAAC;YACxD,CAAC;YACD,MAAM,GAAG,GAAG,KAAK,CAAC,WAAW,CAAC;YAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,CAAC,EAAE,CAAC;gBACxF,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,iCAAiC,CAAC,CAAC;YACxD,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAK,KAAa,CAAC,eAAe,KAAK,SAAS,EAAE,CAAC;QACjD,IAAI,CAAC,aAAa,CAAE,KAAa,CAAC,eAAe,CAAC,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,oCAAoC,CAAC,CAAC;QAC3D,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAI,KAAa,CAAC,eAA0C,CAAC;YACrE,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC;YAC/B,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBAChF,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,iDAAiD,CAAC,CAAC;YACxE,CAAC;YACD,MAAM,KAAK,GAAG,EAAE,CAAC,gBAAgB,CAAC;YAClC,IAAI,KAAK,KAAK,SAAS,IAAI,CAAC,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC;gBACnG,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,mDAAmD,CAAC,CAAC;YAC1E,CAAC;YACD,MAAM,CAAC,GAAG,EAAE,CAAC,iBAAiB,CAAC;YAC/B,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;gBAChF,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,iDAAiD,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAK,KAAa,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QACvC,IAAI,CAAC,aAAa,CAAE,KAAa,CAAC,KAAK,CAAC,EAAE,CAAC;YACzC,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,0BAA0B,CAAC,CAAC;QACjD,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAI,KAAa,CAAC,KAAgC,CAAC;YAC9D,MAAM,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC;YAC9B,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;gBAC9D,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,gCAAgC,CAAC,CAAC;YACvD,CAAC;YACD,MAAM,IAAI,GAAG,KAAK,CAAC,kBAAkB,CAAC;YACtC,IAAI,IAAI,KAAK,SAAS,IAAI,CAAC,OAAO,IAAI,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC9F,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,0CAA0C,CAAC,CAAC;YACjE,CAAC;YACD,MAAM,GAAG,GAAG,KAAK,CAAC,cAAc,CAAC;YACjC,IAAI,GAAG,KAAK,SAAS,IAAI,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,CAAC,EAAE,CAAC;gBAC1F,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,sCAAsC,CAAC,CAAC;YAC7D,CAAC;YACD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;gBACtE,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,qDAAqD,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,GAA4B,EAAE,KAAa,EAAE,MAAgB;IAClF,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChD,MAAM,KAAK,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;IACvB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,kCAAkC,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAc,EAAE,IAAY,EAAE,MAAgB;IAC1E,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,OAAO,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;YAC1C,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;gBAChB,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;gBACzC,SAAS;YACX,CAAC;YACD,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,kCAAkC,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,oBAAoB,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QAC1D,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,aAAa,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3C,oBAAoB,CAAC,CAAC,EAAE,GAAG,IAAI,IAAI,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,GAAW;IACvC,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC;QACpE,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;IACnC,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC;IAC5D,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC;AAClC,CAAC;AAED,SAAS,cAAc,CAAC,KAAc;IACpC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AAC7D,CAAC"}

package/dist/sanitizer/output-sanitizer.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Output sanitization (secrets + PII) for OpenClaw tool results.
+ *
+ * This is intentionally conservative and designed to be safe for logs/UI:
+ * - Never returns raw match text
+ * - Uses stable placeholder labels
+ */
+export type SanitizationFindingId = 'pii_email' | 'pii_phone' | 'pii_ssn' | 'pii_credit_card';
+export interface SanitizationResult {
+    sanitized: string;
+    redacted: boolean;
+    findings: SanitizationFindingId[];
+}
+export declare function sanitizeOutputText(text: string): SanitizationResult;
+//# sourceMappingURL=output-sanitizer.d.ts.map

package/dist/sanitizer/output-sanitizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-sanitizer.d.ts","sourceRoot":"","sources":["../../src/sanitizer/output-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,MAAM,MAAM,qBAAqB,GAC7B,WAAW,GACX,WAAW,GACX,SAAS,GACT,iBAAiB,CAAC;AAEtB,MAAM,WAAW,kBAAkB;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,qBAAqB,EAAE,CAAC;CACnC;AAiBD,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,CAyBnE"}

package/dist/sanitizer/output-sanitizer.js

@@ -0,0 +1,47 @@
+/**
+ * Output sanitization (secrets + PII) for OpenClaw tool results.
+ *
+ * This is intentionally conservative and designed to be safe for logs/UI:
+ * - Never returns raw match text
+ * - Uses stable placeholder labels
+ */
+const EMAIL_RE = /\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b/gi;
+const PHONE_RE = /\b(?:\+?1[\s.-]?)?\(?(?:[2-9][0-9]{2})\)?[\s.-]?[0-9]{3}[\s.-]?[0-9]{4}\b/g;
+const SSN_RE = /\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b/g;
+const CREDIT_CARD_RE = /\b(?:[0-9][ -]*?){13,19}\b/g;
+function redactAll(re, input, replacement) {
+    re.lastIndex = 0;
+    const hit = re.test(input);
+    re.lastIndex = 0;
+    if (!hit)
+        return { out: input, hit: false };
+    const out = input.replace(re, replacement);
+    re.lastIndex = 0;
+    return { out, hit: true };
+}
+export function sanitizeOutputText(text) {
+    let out = text;
+    const findings = [];
+    const email = redactAll(EMAIL_RE, out, '[REDACTED:email]');
+    out = email.out;
+    if (email.hit)
+        findings.push('pii_email');
+    const phone = redactAll(PHONE_RE, out, '[REDACTED:phone]');
+    out = phone.out;
+    if (phone.hit)
+        findings.push('pii_phone');
+    const ssn = redactAll(SSN_RE, out, '[REDACTED:ssn]');
+    out = ssn.out;
+    if (ssn.hit)
+        findings.push('pii_ssn');
+    const cc = redactAll(CREDIT_CARD_RE, out, '[REDACTED:credit_card]');
+    out = cc.out;
+    if (cc.hit)
+        findings.push('pii_credit_card');
+    return {
+        sanitized: out,
+        redacted: findings.length > 0,
+        findings,
+    };
+}
+//# sourceMappingURL=output-sanitizer.js.map

package/dist/sanitizer/output-sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"output-sanitizer.js","sourceRoot":"","sources":["../../src/sanitizer/output-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAcH,MAAM,QAAQ,GAAG,6CAA6C,CAAC;AAC/D,MAAM,QAAQ,GAAG,4EAA4E,CAAC;AAC9F,MAAM,MAAM,GAAG,iCAAiC,CAAC;AACjD,MAAM,cAAc,GAAG,6BAA6B,CAAC;AAErD,SAAS,SAAS,CAAC,EAAU,EAAE,KAAa,EAAE,WAAmB;IAC/D,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;IACjB,MAAM,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC3B,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;IACjB,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;IAC3C,EAAE,CAAC,SAAS,GAAG,CAAC,CAAC;IACjB,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,IAAI,GAAG,GAAG,IAAI,CAAC;IACf,MAAM,QAAQ,GAA4B,EAAE,CAAC;IAE7C,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;IAC3D,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IAChB,IAAI,KAAK,CAAC,GAAG;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE1C,MAAM,KAAK,GAAG,SAAS,CAAC,QAAQ,EAAE,GAAG,EAAE,kBAAkB,CAAC,CAAC;IAC3D,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IAChB,IAAI,KAAK,CAAC,GAAG;QAAE,QAAQ,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAE1C,MAAM,GAAG,GAAG,SAAS,CAAC,MAAM,EAAE,GAAG,EAAE,gBAAgB,CAAC,CAAC;IACrD,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;IACd,IAAI,GAAG,CAAC,GAAG;QAAE,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAEtC,MAAM,EAAE,GAAG,SAAS,CAAC,cAAc,EAAE,GAAG,EAAE,wBAAwB,CAAC,CAAC;IACpE,GAAG,GAAG,EAAE,CAAC,GAAG,CAAC;IACb,IAAI,EAAE,CAAC,GAAG;QAAE,QAAQ,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE7C,OAAO;QACL,SAAS,EAAE,GAAG;QACd,QAAQ,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;QAC7B,QAAQ;KACT,CAAC;AACJ,CAAC"}

package/dist/security-prompt.d.ts

@@ -0,0 +1,3 @@
+import type { Policy } from './types.js';
+export declare function generateSecurityPrompt(policy: Policy): string;
+//# sourceMappingURL=security-prompt.d.ts.map

package/dist/security-prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-prompt.d.ts","sourceRoot":"","sources":["../src/security-prompt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,YAAY,CAAC;AAEzC,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CA4E7D"}

package/dist/security-prompt.js

@@ -0,0 +1,70 @@
+export function generateSecurityPrompt(policy) {
+    const sections = [];
+    sections.push(`# Security Policy
+
+Your tool use is subject to clawdstrike guardrails at the tool boundary (not an OS sandbox). The following constraints apply:`);
+    // Network Access section
+    sections.push(`
+## Network Access`);
+    if (policy.egress?.mode === 'allowlist' && policy.egress.allowed_domains?.length) {
+        sections.push(`- Only these domains are allowed: ${policy.egress.allowed_domains.join(', ')}`);
+    }
+    else if (policy.egress?.mode === 'denylist' && policy.egress.denied_domains?.length) {
+        sections.push(`- These domains are blocked: ${policy.egress.denied_domains.join(', ')}`);
+    }
+    else if (policy.egress?.mode === 'deny_all') {
+        sections.push(`- All network access is BLOCKED`);
+    }
+    else {
+        sections.push(`- Network access follows default policy`);
+    }
+    // Forbidden Paths section
+    sections.push(`
+## Forbidden Paths`);
+    if (policy.filesystem?.forbidden_paths?.length) {
+        sections.push(`- These paths are FORBIDDEN and will be blocked:`);
+        for (const path of policy.filesystem.forbidden_paths) {
+            sections.push(`  - ${path}`);
+        }
+    }
+    else {
+        sections.push(`- Default protected paths: ~/.ssh, ~/.aws, ~/.gnupg, .env files`);
+    }
+    if (policy.filesystem?.allowed_write_roots?.length) {
+        sections.push(`- Writes are only allowed in: ${policy.filesystem.allowed_write_roots.join(', ')}`);
+    }
+    // Security Tools section
+    sections.push(`
+## Security Tools
+You have access to the \`policy_check\` tool. Use it BEFORE attempting:
+- File operations on unfamiliar paths
+- Network requests to unfamiliar domains
+- Execution of shell commands
+
+Example:
+\`\`\`
+policy_check({ action: "file_write", resource: "/etc/passwd" })
+-> { allowed: false, denied: true, warn: false, guard: "forbidden_path", message: "Denied by forbidden_path: …" }
+\`\`\``);
+    // Violation Handling section
+    const blockAction = policy.on_violation === 'cancel' ? 'BLOCKED' :
+        policy.on_violation === 'warn' ? 'logged with a warning' :
+            policy.on_violation === 'isolate' ? 'ISOLATED' :
+                policy.on_violation === 'escalate' ? 'ESCALATED' :
+                    'logged';
+    sections.push(`
+## Violation Handling
+When a security violation occurs:
+1. The operation will be ${blockAction}
+2. You will see an error message explaining why
+3. Try an alternative approach that respects the policy`);
+    // Tips section
+    sections.push(`
+## Tips
+- Prefer working within /workspace or /tmp
+- Use known package registries (npm, pypi, crates.io)
+- Never attempt to access credentials or keys
+- When unsure, use \`policy_check\` first`);
+    return sections.join('\n');
+}
+//# sourceMappingURL=security-prompt.js.map

package/dist/security-prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-prompt.js","sourceRoot":"","sources":["../src/security-prompt.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,sBAAsB,CAAC,MAAc;IACnD,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,QAAQ,CAAC,IAAI,CAAC;;8HAE8G,CAAC,CAAC;IAE9H,yBAAyB;IACzB,QAAQ,CAAC,IAAI,CAAC;kBACE,CAAC,CAAC;IAElB,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,WAAW,IAAI,MAAM,CAAC,MAAM,CAAC,eAAe,EAAE,MAAM,EAAE,CAAC;QACjF,QAAQ,CAAC,IAAI,CAAC,qCAAqC,MAAM,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,UAAU,IAAI,MAAM,CAAC,MAAM,CAAC,cAAc,EAAE,MAAM,EAAE,CAAC;QACtF,QAAQ,CAAC,IAAI,CAAC,gCAAgC,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3F,CAAC;SAAM,IAAI,MAAM,CAAC,MAAM,EAAE,IAAI,KAAK,UAAU,EAAE,CAAC;QAC9C,QAAQ,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;IACnD,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;IAC3D,CAAC;IAED,0BAA0B;IAC1B,QAAQ,CAAC,IAAI,CAAC;mBACG,CAAC,CAAC;IAEnB,IAAI,MAAM,CAAC,UAAU,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC;QAC/C,QAAQ,CAAC,IAAI,CAAC,kDAAkD,CAAC,CAAC;QAClE,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,UAAU,CAAC,eAAe,EAAE,CAAC;YACrD,QAAQ,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;QAC/B,CAAC;IACH,CAAC;SAAM,CAAC;QACN,QAAQ,CAAC,IAAI,CAAC,iEAAiE,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,EAAE,mBAAmB,EAAE,MAAM,EAAE,CAAC;QACnD,QAAQ,CAAC,IAAI,CAAC,iCAAiC,MAAM,CAAC,UAAU,CAAC,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACrG,CAAC;IAED,yBAAyB;IACzB,QAAQ,CAAC,IAAI,CAAC;;;;;;;;;;;OAWT,CAAC,CAAC;IAEP,6BAA6B;IAC7B,MAAM,WAAW,GACf,MAAM,CAAC,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAC5C,MAAM,CAAC,YAAY,KAAK,MAAM,CAAC,CAAC,CAAC,uBAAuB,CAAC,CAAC;YACxD,MAAM,CAAC,YAAY,KAAK,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;gBAC9C,MAAM,CAAC,YAAY,KAAK,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;oBAChD,QAAQ,CAAC;IAEnB,QAAQ,CAAC,IAAI,CAAC;;;2BAGW,WAAW;;wDAEkB,CAAC,CAAC;IAExD,eAAe;IACf,QAAQ,CAAC,IAAI,CAAC;;;;;0CAK0B,CAAC,CAAC;IAE1C,OAAO,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC7B,CAAC"}

package/dist/tools/policy-check.d.ts

@@ -0,0 +1,10 @@
+import type { Decision, ClawdstrikeConfig, ToolDefinition } from '../types.js';
+import { PolicyEngine } from '../policy/engine.js';
+export type PolicyCheckAction = 'file_read' | 'file_write' | 'network' | 'network_egress' | 'command' | 'command_exec' | 'tool_call';
+export interface PolicyCheckResult extends Decision {
+    message: string;
+    suggestion?: string;
+}
+export declare function checkPolicy(config: ClawdstrikeConfig, action: PolicyCheckAction, resource: string): Promise<PolicyCheckResult>;
+export declare function policyCheckTool(engine: PolicyEngine): ToolDefinition;
+//# sourceMappingURL=policy-check.d.ts.map

package/dist/tools/policy-check.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-check.d.ts","sourceRoot":"","sources":["../../src/tools/policy-check.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAe,cAAc,EAAE,MAAM,aAAa,CAAC;AAC5F,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AAEnD,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,YAAY,GACZ,SAAS,GACT,gBAAgB,GAChB,SAAS,GACT,cAAc,GACd,WAAW,CAAC;AAEhB,MAAM,WAAW,iBAAkB,SAAQ,QAAQ;IACjD,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AA0FD,wBAAsB,WAAW,CAC/B,MAAM,EAAE,iBAAiB,EACzB,MAAM,EAAE,iBAAiB,EACzB,QAAQ,EAAE,MAAM,GACf,OAAO,CAAC,iBAAiB,CAAC,CAM5B;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,YAAY,GAAG,cAAc,CA+BpE"}