@cloud-copilot/iam-lens 0.1.107 → 0.1.109

package/dist/cjs/whoCan/principalArnFilter.js

@@ -0,0 +1,256 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.iamPatternToRegex = iamPatternToRegex;
+exports.buildPrincipalArnFilter = buildPrincipalArnFilter;
+exports.principalMatchesFilter = principalMatchesFilter;
+const iam_policy_1 = require("@cloud-copilot/iam-policy");
+const iam_utils_1 = require("@cloud-copilot/iam-utils");
+/**
+ * Set of condition operators that can be used with aws:PrincipalArn to
+ * constrain which principals are allowed. These are the base operators
+ * (lowercase) without set modifiers or IfExists.
+ */
+const ALLOW_PRINCIPAL_ARN_OPERATORS = new Set([
+    'stringlike',
+    'stringequals',
+    'arnlike',
+    'arnequals'
+]);
+/**
+ * Negative condition operators on `aws:PrincipalArn` in Deny statements.
+ * The deny applies to principals NOT matching the patterns, so the patterns
+ * become an allow-list (only those principals are worth simulating).
+ */
+const DENY_NEGATIVE_OPERATORS = new Set([
+    'stringnotlike',
+    'stringnotequals',
+    'arnnotlike',
+    'arnnotequals'
+]);
+/**
+ * Positive condition operators on `aws:PrincipalArn` in Deny statements.
+ * The deny applies to principals matching the patterns, so those principals
+ * can be skipped for the deny statement's actions.
+ */
+const DENY_POSITIVE_OPERATORS = new Set(['stringlike', 'stringequals', 'arnlike', 'arnequals']);
+/**
+ * Converts an IAM wildcard pattern to a case-sensitive anchored RegExp.
+ * Handles `*` (any characters) and `?` (single character) wildcards.
+ * Does not handle replacement variables — callers must ensure patterns
+ * with variables are excluded before calling this.
+ *
+ * @param pattern the IAM pattern string (e.g. `arn:aws:iam::*:role/ec2/*`)
+ * @returns an anchored case-sensitive RegExp
+ */
+function iamPatternToRegex(pattern) {
+    const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
+    const withWildcards = escaped.replace(/\*/g, '.*').replace(/\?/g, '.');
+    return new RegExp(`^${withWildcards}$`);
+}
+/**
+ * Checks whether any value in an array contains a replacement variable (`${...}`).
+ *
+ * @param values the condition values to check
+ * @returns true if any value contains a replacement variable
+ */
+function hasAnyReplacementVariable(values) {
+    return values.some((v) => v.includes('${'));
+}
+/**
+ * Builds a PrincipalArnFilter from a resource policy by extracting
+ * aws:PrincipalArn patterns from Allow statements with wildcard principals.
+ *
+ * The filter is only constructed if **every** wildcard-Allow statement has
+ * a usable aws:PrincipalArn condition. If any wildcard-Allow statement lacks
+ * one, the filter cannot safely exclude principals and undefined is returned.
+ *
+ * @param resourcePolicy the raw resource policy document, or undefined/null if none
+ * @returns a PrincipalArnFilter if filtering is possible, undefined otherwise
+ */
+function buildPrincipalArnFilter(resourcePolicy) {
+    if (!resourcePolicy) {
+        return undefined;
+    }
+    const policy = (0, iam_policy_1.loadPolicy)(resourcePolicy);
+    const allAllowPatterns = [];
+    const exemptAccounts = new Set();
+    let hasAnyWildcardAllow = false;
+    for (const statement of policy.statements()) {
+        if (!statement.isAllow()) {
+            continue;
+        }
+        // Check if this Allow statement has a wildcard principal, and collect
+        // explicit account principals whose accounts should be exempt from filtering
+        let hasWildcardPrincipal = false;
+        if (statement.isPrincipalStatement()) {
+            for (const principal of statement.principals()) {
+                if (principal.isWildcardPrincipal()) {
+                    hasWildcardPrincipal = true;
+                }
+                else if (principal.isAccountPrincipal()) {
+                    exemptAccounts.add(principal.accountId());
+                }
+            }
+        }
+        else if (statement.isNotPrincipalStatement()) {
+            // NotPrincipal Allow effectively allows everyone except the named principals,
+            // so it acts like a wildcard — we can't filter
+            return undefined;
+        }
+        if (!hasWildcardPrincipal) {
+            continue;
+        }
+        hasAnyWildcardAllow = true;
+        // Look for aws:PrincipalArn conditions with supported operators
+        let statementHasUsableFilter = false;
+        const conditions = statement.conditions();
+        for (const cond of conditions) {
+            if (cond.conditionKey().toLowerCase() !== 'aws:principalarn') {
+                continue;
+            }
+            const baseOp = cond.operation().baseOperator().toLowerCase();
+            if (!ALLOW_PRINCIPAL_ARN_OPERATORS.has(baseOp)) {
+                continue;
+            }
+            const values = cond.conditionValues();
+            // If any value has a replacement variable, ignore the entire condition
+            if (hasAnyReplacementVariable(values)) {
+                continue;
+            }
+            // All values count as a usable filter for the statement — even literal
+            // ARNs constrain which principals can match. However, only wildcard
+            // values are added as filter patterns; literal ARNs are already handled
+            // as specific principals by accountsToCheckBasedOnResourcePolicy.
+            for (const value of values) {
+                statementHasUsableFilter = true;
+                if (value.includes('*') || value.includes('?')) {
+                    allAllowPatterns.push(iamPatternToRegex(value));
+                }
+            }
+        }
+        // If this wildcard-Allow has no usable PrincipalArn condition,
+        // it could allow any principal — filtering is not safe
+        if (!statementHasUsableFilter) {
+            return undefined;
+        }
+    }
+    // --- Deny statement extraction ---
+    const denyDerivedAllowEntries = [];
+    const denyEntries = [];
+    for (const statement of policy.statements()) {
+        if (statement.isAllow())
+            continue;
+        if (!statement.isActionStatement())
+            continue;
+        if (!statement.isResourceStatement())
+            continue;
+        if (statement.isNotPrincipalStatement())
+            continue;
+        // Must have a wildcard principal
+        let hasWildcardPrincipal = false;
+        if (statement.isPrincipalStatement()) {
+            for (const principal of statement.principals()) {
+                if (principal.isWildcardPrincipal()) {
+                    hasWildcardPrincipal = true;
+                    break;
+                }
+            }
+        }
+        if (!hasWildcardPrincipal)
+            continue;
+        // Resource must include '*'
+        if (!statement.resources().some((r) => r.isAllResources()))
+            continue;
+        // Must have exactly one condition and it must be aws:PrincipalArn
+        const conditions = statement.conditions();
+        if (conditions.length !== 1)
+            continue;
+        const cond = conditions[0];
+        if (cond.conditionKey().toLowerCase() !== 'aws:principalarn')
+            continue;
+        if (cond.operation().isIfExists())
+            continue;
+        const values = cond.conditionValues();
+        if (hasAnyReplacementVariable(values))
+            continue;
+        const baseOp = cond.operation().baseOperator().toLowerCase();
+        const actionPatterns = statement.actions().map((a) => a.value());
+        const principalPatterns = values.map(iamPatternToRegex);
+        if (DENY_NEGATIVE_OPERATORS.has(baseOp)) {
+            denyDerivedAllowEntries.push({ actionPatterns, principalPatterns });
+        }
+        else if (DENY_POSITIVE_OPERATORS.has(baseOp)) {
+            denyEntries.push({ actionPatterns, principalPatterns });
+        }
+    }
+    // Return a filter if there's anything useful
+    const hasAllowPatterns = hasAnyWildcardAllow && allAllowPatterns.length > 0;
+    const hasDenyInfo = denyDerivedAllowEntries.length > 0 || denyEntries.length > 0;
+    if (!hasAllowPatterns && !hasDenyInfo) {
+        return undefined;
+    }
+    return {
+        allowPatterns: hasAllowPatterns ? allAllowPatterns : [],
+        denyDerivedAllowEntries,
+        denyEntries,
+        exemptAccounts
+    };
+}
+/**
+ * Checks whether an action matches any of the given action patterns using
+ * IAM wildcard semantics.
+ *
+ * @param action the action being simulated (e.g., 'secretsmanager:GetSecretValue')
+ * @param patterns the action patterns from a deny statement
+ * @returns true if the action matches at least one pattern
+ */
+function actionMatchesAnyPattern(action, patterns) {
+    return patterns.some((pattern) => (0, iam_utils_1.actionMatchesPattern)(action, pattern));
+}
+/**
+ * Tests whether a principal ARN passes the PrincipalArnFilter for a given action.
+ *
+ * Principals in the resource account or an exempt account bypass the positive
+ * allow-side filtering (allow patterns and deny-derived allow entries) because
+ * they may be granted access through account-level principal grants independent
+ * of any PrincipalArn conditions. However, they are still subject to deny-side
+ * filtering (deny entries) because an explicit deny in a resource policy applies
+ * regardless of the principal's account.
+ *
+ * @param principal the principal ARN to test
+ * @param action the action being simulated
+ * @param resourceAccount the account that owns the resource being checked
+ * @param filter the filter to apply
+ * @returns true if the principal should be simulated, false if it can be skipped
+ */
+function principalMatchesFilter(principal, action, resourceAccount, filter) {
+    const accountId = (0, iam_utils_1.splitArnParts)(principal).accountId;
+    const isExempt = accountId === resourceAccount || filter.exemptAccounts.has(accountId ?? '');
+    // Allow patterns from Allow statements: exempt principals bypass this check
+    // because they may be granted access through account-level principal grants
+    // independent of any PrincipalArn conditions on wildcard statements.
+    if (!isExempt && filter.allowPatterns.length > 0) {
+        if (!filter.allowPatterns.some((pattern) => pattern.test(principal)))
+            return false;
+    }
+    // Deny-derived filtering applies to ALL principals regardless of account.
+    // An explicit deny in a resource policy applies universally.
+    // For each deny-derived allow entry whose actions match,
+    // the principal must match at least one principal pattern
+    for (const entry of filter.denyDerivedAllowEntries) {
+        if (actionMatchesAnyPattern(action, entry.actionPatterns)) {
+            if (!entry.principalPatterns.some((p) => p.test(principal)))
+                return false;
+        }
+    }
+    // For each deny entry whose actions match,
+    // skip if the principal matches any principal pattern
+    for (const entry of filter.denyEntries) {
+        if (actionMatchesAnyPattern(action, entry.actionPatterns)) {
+            if (entry.principalPatterns.some((p) => p.test(principal)))
+                return false;
+        }
+    }
+    return true;
+}
+//# sourceMappingURL=principalArnFilter.js.map

package/dist/cjs/whoCan/principalArnFilter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"principalArnFilter.js","sourceRoot":"","sources":["../../../src/whoCan/principalArnFilter.ts"],"names":[],"mappings":";;AA4FA,8CAIC;AAuBD,0DA2IC;AA8BD,wDAoCC;AApUD,0DAAsD;AACtD,wDAA8E;AAE9E;;;;GAIG;AACH,MAAM,6BAA6B,GAAG,IAAI,GAAG,CAAC;IAC5C,YAAY;IACZ,cAAc;IACd,SAAS;IACT,WAAW;CACZ,CAAC,CAAA;AAEF;;;;GAIG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC;IACtC,eAAe;IACf,iBAAiB;IACjB,YAAY;IACZ,cAAc;CACf,CAAC,CAAA;AAEF;;;;GAIG;AACH,MAAM,uBAAuB,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,EAAE,cAAc,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC,CAAA;AAmD/F;;;;;;;;GAQG;AACH,SAAgB,iBAAiB,CAAC,OAAe;IAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAA;IAC5D,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAA;IACtE,OAAO,IAAI,MAAM,CAAC,IAAI,aAAa,GAAG,CAAC,CAAA;AACzC,CAAC;AAED;;;;;GAKG;AACH,SAAS,yBAAyB,CAAC,MAAgB;IACjD,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAA;AAC7C,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,uBAAuB,CAAC,cAAmB;IACzD,IAAI,CAAC,cAAc,EAAE,CAAC;QACpB,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,MAAM,MAAM,GAAG,IAAA,uBAAU,EAAC,cAAc,CAAC,CAAA;IACzC,MAAM,gBAAgB,GAAa,EAAE,CAAA;IACrC,MAAM,cAAc,GAAG,IAAI,GAAG,EAAU,CAAA;IACxC,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAE/B,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC5C,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,EAAE,CAAC;YACzB,SAAQ;QACV,CAAC;QAED,sEAAsE;QACtE,6EAA6E;QAC7E,IAAI,oBAAoB,GAAG,KAAK,CAAA;QAChC,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACrC,KAAK,MAAM,SAAS,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC/C,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;oBACpC,oBAAoB,GAAG,IAAI,CAAA;gBAC7B,CAAC;qBAAM,IAAI,SAAS,CAAC,kBAAkB,EAAE,EAAE,CAAC;oBAC1C,cAAc,CAAC,GAAG,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,CAAA;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;aAAM,IAAI,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC;YAC/C,8EAA8E;YAC9E,+CAA+C;YAC/C,OAAO,SAAS,CAAA;QAClB,CAAC;QAED,IAAI,CAAC,oBAAoB,EAAE,CAAC;YAC1B,SAAQ;QACV,CAAC;QAED,mBAAmB,GAAG,IAAI,CAAA;QAE1B,gEAAgE;QAChE,IAAI,wBAAwB,GAAG,KAAK,CAAA;QACpC,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,EAAE,CAAA;QAEzC,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,CAAC;YAC9B,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,KAAK,kBAAkB,EAAE,CAAC;gBAC7D,SAAQ;YACV,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAA;YAC5D,IAAI,CAAC,6BAA6B,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/C,SAAQ;YACV,CAAC;YAED,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,EAAE,CAAA;YAErC,uEAAuE;YACvE,IAAI,yBAAyB,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtC,SAAQ;YACV,CAAC;YAED,uEAAuE;YACvE,oEAAoE;YACpE,wEAAwE;YACxE,kEAAkE;YAClE,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;gBAC3B,wBAAwB,GAAG,IAAI,CAAA;gBAC/B,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC/C,gBAAgB,CAAC,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAA;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QAED,+DAA+D;QAC/D,uDAAuD;QACvD,IAAI,CAAC,wBAAwB,EAAE,CAAC;YAC9B,OAAO,SAAS,CAAA;QAClB,CAAC;IACH,CAAC;IAED,oCAAoC;IACpC,MAAM,uBAAuB,GAAsB,EAAE,CAAA;IACrD,MAAM,WAAW,GAAsB,EAAE,CAAA;IAEzC,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QAC5C,IAAI,SAAS,CAAC,OAAO,EAAE;YAAE,SAAQ;QACjC,IAAI,CAAC,SAAS,CAAC,iBAAiB,EAAE;YAAE,SAAQ;QAC5C,IAAI,CAAC,SAAS,CAAC,mBAAmB,EAAE;YAAE,SAAQ;QAC9C,IAAI,SAAS,CAAC,uBAAuB,EAAE;YAAE,SAAQ;QAEjD,iCAAiC;QACjC,IAAI,oBAAoB,GAAG,KAAK,CAAA;QAChC,IAAI,SAAS,CAAC,oBAAoB,EAAE,EAAE,CAAC;YACrC,KAAK,MAAM,SAAS,IAAI,SAAS,CAAC,UAAU,EAAE,EAAE,CAAC;gBAC/C,IAAI,SAAS,CAAC,mBAAmB,EAAE,EAAE,CAAC;oBACpC,oBAAoB,GAAG,IAAI,CAAA;oBAC3B,MAAK;gBACP,CAAC;YACH,CAAC;QACH,CAAC;QACD,IAAI,CAAC,oBAAoB;YAAE,SAAQ;QAEnC,4BAA4B;QAC5B,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,cAAc,EAAE,CAAC;YAAE,SAAQ;QAEpE,kEAAkE;QAClE,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,EAAE,CAAA;QACzC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,SAAQ;QAErC,MAAM,IAAI,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;QAC1B,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,KAAK,kBAAkB;YAAE,SAAQ;QACtE,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC,UAAU,EAAE;YAAE,SAAQ;QAE3C,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,EAAE,CAAA;QACrC,IAAI,yBAAyB,CAAC,MAAM,CAAC;YAAE,SAAQ;QAE/C,MAAM,MAAM,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC,YAAY,EAAE,CAAC,WAAW,EAAE,CAAA;QAC5D,MAAM,cAAc,GAAG,SAAS,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,EAAE,CAAC,CAAA;QAChE,MAAM,iBAAiB,GAAG,MAAM,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAA;QAEvD,IAAI,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACxC,uBAAuB,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,iBAAiB,EAAE,CAAC,CAAA;QACrE,CAAC;aAAM,IAAI,uBAAuB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/C,WAAW,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,iBAAiB,EAAE,CAAC,CAAA;QACzD,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,gBAAgB,GAAG,mBAAmB,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,CAAA;IAC3E,MAAM,WAAW,GAAG,uBAAuB,CAAC,MAAM,GAAG,CAAC,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,CAAA;IAEhF,IAAI,CAAC,gBAAgB,IAAI,CAAC,WAAW,EAAE,CAAC;QACtC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO;QACL,aAAa,EAAE,gBAAgB,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE;QACvD,uBAAuB;QACvB,WAAW;QACX,cAAc;KACf,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAAC,MAAc,EAAE,QAAkB;IACjE,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAA,gCAAoB,EAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;AAC1E,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,SAAgB,sBAAsB,CACpC,SAAiB,EACjB,MAAc,EACd,eAAuB,EACvB,MAA0B;IAE1B,MAAM,SAAS,GAAG,IAAA,yBAAa,EAAC,SAAS,CAAC,CAAC,SAAS,CAAA;IACpD,MAAM,QAAQ,GAAG,SAAS,KAAK,eAAe,IAAI,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,SAAS,IAAI,EAAE,CAAC,CAAA;IAE5F,4EAA4E;IAC5E,4EAA4E;IAC5E,qEAAqE;IACrE,IAAI,CAAC,QAAQ,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjD,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAAE,OAAO,KAAK,CAAA;IACpF,CAAC;IAED,0EAA0E;IAC1E,6DAA6D;IAE7D,yDAAyD;IACzD,0DAA0D;IAC1D,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,uBAAuB,EAAE,CAAC;QACnD,IAAI,uBAAuB,CAAC,MAAM,EAAE,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAC1D,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAA;QAC3E,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,sDAAsD;IACtD,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvC,IAAI,uBAAuB,CAAC,MAAM,EAAE,KAAK,CAAC,cAAc,CAAC,EAAE,CAAC;YAC1D,IAAI,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;gBAAE,OAAO,KAAK,CAAA;QAC1E,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAA;AACb,CAAC"}

package/dist/cjs/whoCan/untrustingActions.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Get a set of actions that do not automatically trust the current account, in all lower case.
+ *
+ * @returns the set of actions that do not automatically trust the current account in all lower case
+ */
+export declare function actionsThatDoNotAutomaticallyTrustTheCurrentAccount(): Promise<Set<string>>;
+//# sourceMappingURL=untrustingActions.d.ts.map

package/dist/cjs/whoCan/untrustingActions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"untrustingActions.d.ts","sourceRoot":"","sources":["../../../src/whoCan/untrustingActions.ts"],"names":[],"mappings":"AAQA;;;;GAIG;AACH,wBAAsB,mDAAmD,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAmBhG"}

package/dist/cjs/whoCan/untrustingActions.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.actionsThatDoNotAutomaticallyTrustTheCurrentAccount = actionsThatDoNotAutomaticallyTrustTheCurrentAccount;
+const iam_data_1 = require("@cloud-copilot/iam-data");
+const kms = 'kms';
+const kmsKey = 'key';
+const stsAssumeRole = 'sts:AssumeRole';
+let cachedActions = undefined;
+/**
+ * Get a set of actions that do not automatically trust the current account, in all lower case.
+ *
+ * @returns the set of actions that do not automatically trust the current account in all lower case
+ */
+async function actionsThatDoNotAutomaticallyTrustTheCurrentAccount() {
+    if (cachedActions) {
+        return cachedActions;
+    }
+    const kmsActions = await (0, iam_data_1.iamActionsForService)(kms);
+    const allActions = new Set([stsAssumeRole.toLowerCase()]);
+    for (const action of kmsActions) {
+        const details = await (0, iam_data_1.iamActionDetails)(kms, action);
+        if (details.resourceTypes.length === 1 &&
+            details.resourceTypes.some((rt) => rt.name === kmsKey)) {
+            allActions.add(`${kms}:${action.toLowerCase()}`);
+        }
+    }
+    cachedActions = allActions;
+    return allActions;
+}
+//# sourceMappingURL=untrustingActions.js.map

package/dist/cjs/whoCan/untrustingActions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"untrustingActions.js","sourceRoot":"","sources":["../../../src/whoCan/untrustingActions.ts"],"names":[],"mappings":";;AAaA,kHAmBC;AAhCD,sDAAgF;AAEhF,MAAM,GAAG,GAAG,KAAK,CAAA;AACjB,MAAM,MAAM,GAAG,KAAK,CAAA;AACpB,MAAM,aAAa,GAAG,gBAAgB,CAAA;AAEtC,IAAI,aAAa,GAA4B,SAAS,CAAA;AAEtD;;;;GAIG;AACI,KAAK,UAAU,mDAAmD;IACvE,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,aAAa,CAAA;IACtB,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,IAAA,+BAAoB,EAAC,GAAG,CAAC,CAAA;IAClD,MAAM,UAAU,GAAG,IAAI,GAAG,CAAS,CAAC,aAAa,CAAC,WAAW,EAAE,CAAC,CAAC,CAAA;IACjE,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;QAChC,MAAM,OAAO,GAAG,MAAM,IAAA,2BAAgB,EAAC,GAAG,EAAE,MAAM,CAAC,CAAA;QACnD,IACE,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC;YAClC,OAAO,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,KAAK,MAAM,CAAC,EACtD,CAAC;YACD,UAAU,CAAC,GAAG,CAAC,GAAG,GAAG,IAAI,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC,CAAA;QAClD,CAAC;IACH,CAAC;IAED,aAAa,GAAG,UAAU,CAAA;IAC1B,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/cjs/whoCan/whoCan.d.ts

@@ -1,8 +1,9 @@
 import { type TopLevelConfig } from '@cloud-copilot/iam-collect';
+import { IamCollectClient } from '../collect/client.js';
 import { type ClientFactoryPlugin } from '../collect/collect.js';
 import { type ResourceType } from '@cloud-copilot/iam-data';
+import { type Statement } from '@cloud-copilot/iam-policy';
 import { type RequestDenial, type RequestGrant } from '@cloud-copilot/iam-simulate';
-import { IamCollectClient } from '../collect/client.js';
 import { type S3AbacOverride } from '../utils/s3Abac.js';
 import { type LightRequestAnalysis } from './requestAnalysis.js';
 /**
@@ -71,6 +72,10 @@ export interface ResourceAccessRequest {
      * search space.
      */
     principalScope?: WhoCanPrincipalScope;
+    /**
+     * Whether to ignore an existing principal index. This is for testing purposes.
+     */
+    ignorePrincipalIndex?: boolean;
 }
 /**
  * Represents a resource pattern that is allowed for a principal, used when wildcards
@@ -199,6 +204,20 @@ export interface WhoCanResponse {
     principalsNotFound: string[];
     denyDetails?: WhoCanDenyDetail[] | undefined;
 }
+/**
+ * Processes a single whoCan request by creating a temporary WhoCanProcessor,
+ * enqueuing the request, waiting for it to settle, and shutting down. This
+ * preserves the original one-shot behavior where workers and cache are created
+ * and destroyed per call.
+ *
+ * For better performance when running multiple requests, use WhoCanProcessor
+ * directly to keep workers and cache alive across calls.
+ *
+ * @param collectConfigs the collect configurations for loading IAM data
+ * @param partition the AWS partition (e.g. 'aws', 'aws-cn')
+ * @param request the whoCan request parameters
+ * @returns the whoCan response with allowed principals and optional deny details
+ */
 export declare function whoCan(collectConfigs: TopLevelConfig[], partition: string, request: ResourceAccessRequest): Promise<WhoCanResponse>;
 export declare function uniqueAccountsToCheck(collectClient: IamCollectClient, accountsToCheck: AccountsToCheck): Promise<{
     accountsNotFound: string[];
@@ -212,9 +231,23 @@ export interface AccountsToCheck {
     specificPrincipals: string[];
     specificOrganizations: string[];
     specificOrganizationalUnits: string[];
+    /** Tracking flag indicating that an IfExists condition was found, meaning anonymous (unsigned) requests could match. */
+    checkAnonymous: boolean;
+    /** Whether any Allow statement has a wildcard principal or NotPrincipal, requiring all principals from the resource account to be checked. */
+    checkAllForCurrentAccount: boolean;
 }
+/**
+ * Determines whether a policy statement requires checking all principals from
+ * the resource account. This is true when the statement is an Allow with a
+ * wildcard principal (`*` or `{ AWS: "*" }`) or a `NotPrincipal` element,
+ * since either form could grant access to any principal in the resource account.
+ *
+ * @param statement - The policy statement to check.
+ * @returns `true` if the statement could allow any principal from the resource account.
+ */
+export declare function statementRequiresAllFromResourceAccount(statement: Statement): boolean;
 export declare function accountsToCheckBasedOnResourcePolicy(resourcePolicy: any, resourceAccount: string | undefined): Promise<AccountsToCheck>;
-export declare function actionsForWhoCan(request: ResourceAccessRequest): Promise<string[]>;
+export declare function actionsForWhoCan(request: Pick<ResourceAccessRequest, 'actions' | 'resource'>): Promise<string[]>;
 /**
  * Get the the possible resource types for an action and resource
  *

package/dist/cjs/whoCan/whoCan.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"whoCan.d.ts","sourceRoot":"","sources":["../../../src/whoCan/whoCan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAEhE,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,uBAAuB,CAAA;AAChE,OAAO,EAOL,KAAK,YAAY,EAClB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAUnF,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AAIvD,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAA;AASxD,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,sBAAsB,CAAA;AAEhE;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,2FAA2F;IAC3F,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;IACrB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAA;IACnB,0NAA0N;IAC1N,GAAG,CAAC,EAAE,MAAM,EAAE,CAAA;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAA;IAExB;;OAEG;IACH,OAAO,EAAE,MAAM,EAAE,CAAA;IAEjB;;OAEG;IACH,IAAI,CAAC,EAAE,OAAO,CAAA;IAEd;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAA;IAE/B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,mBAAmB,CAAC,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAA;IAEhE;;OAEG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAE7B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;IAE5B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,mBAAmB,CAAA;IAEzC;;;;OAIG;IACH,cAAc,CAAC,EAAE,oBAAoB,CAAA;CACtC;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IAEpB;;OAEG;IACH,UAAU,CAAC,EAAE,GAAG,CAAA;IAEhB;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;OAEG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAA;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IAEb;;;;OAIG;IACH,UAAU,CAAC,EAAE,GAAG,CAAA;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;OAGG;IACH,eAAe,CAAC,EAAE,4BAA4B,EAAE,CAAA;IAEhD;;;;OAIG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAA;CACzB;AAED;;GAEG;AACH,UAAU,oBAAoB;IAC5B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,MAAM,EAAE,MAAM,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,IAAI,EAAE,QAAQ,CAAA;IAEd;;OAEG;IACH,OAAO,EAAE,aAAa,EAAE,CAAA;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAyB,SAAQ,oBAAoB;IACpE,IAAI,EAAE,UAAU,CAAA;IAEhB;;;;;;OAMG;IACH,eAAe,EAAE;QACf;;WAEG;QACH,OAAO,EAAE,MAAM,CAAA;QAEf;;WAEG;QACH,YAAY,EAAE,MAAM,CAAA;QAEpB;;WAEG;QACH,OAAO,EAAE,aAAa,EAAE,CAAA;KACzB,EAAE,CAAA;CACJ;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,sBAAsB,GAAG,wBAAwB,CAAA;AAEhF,MAAM,WAAW,cAAc;IAC7B,eAAe,EAAE,MAAM,CAAA;IACvB,OAAO,EAAE,aAAa,EAAE,CAAA;IACxB,kBAAkB,EAAE,OAAO,CAAA;IAC3B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;IACrC,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAA;CAC7C;AAeD,wBAAsB,MAAM,CAC1B,cAAc,EAAE,cAAc,EAAE,EAChC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,cAAc,CAAC,CAwRzB;AAoBD,wBAAsB,qBAAqB,CACzC,aAAa,EAAE,gBAAgB,EAC/B,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC;IACT,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;IACrC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB,CAAC,CAiDD;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;CACtC;AAED,wBAAsB,oCAAoC,CACxD,cAAc,EAAE,GAAG,EACnB,eAAe,EAAE,MAAM,GAAG,SAAS,GAClC,OAAO,CAAC,eAAe,CAAC,CA2E1B;AAED,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,qBAAqB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BxF;AAED;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAsBxF;AAED,wBAAsB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAqBjG;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE;AAcD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,cAAc,EAAE,cAAc,QAyB/D"}
+{"version":3,"file":"whoCan.d.ts","sourceRoot":"","sources":["../../../src/whoCan/whoCan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAChE,OAAO,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACvD,OAAO,EAAE,KAAK,mBAAmB,EAAE,MAAM,uBAAuB,CAAA;AAChE,OAAO,EAOL,KAAK,YAAY,EAClB,MAAM,yBAAyB,CAAA;AAChC,OAAO,EAGL,KAAK,SAAS,EAEf,MAAM,2BAA2B,CAAA;AAClC,OAAO,EAAE,KAAK,aAAa,EAAE,KAAK,YAAY,EAAE,MAAM,6BAA6B,CAAA;AAGnF,OAAO,EAAE,KAAK,cAAc,EAAE,MAAM,oBAAoB,CAAA;AAExD,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,sBAAsB,CAAA;AAGhE;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,2FAA2F;IAC3F,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;IACrB,2DAA2D;IAC3D,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAA;IACnB,0NAA0N;IAC1N,GAAG,CAAC,EAAE,MAAM,EAAE,CAAA;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAA;IAEjB;;;;OAIG;IACH,eAAe,CAAC,EAAE,MAAM,CAAA;IAExB;;OAEG;IACH,OAAO,EAAE,MAAM,EAAE,CAAA;IAEjB;;OAEG;IACH,IAAI,CAAC,EAAE,OAAO,CAAA;IAEd;;OAEG;IACH,cAAc,CAAC,EAAE,cAAc,CAAA;IAE/B;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IAEtB;;OAEG;IACH,mBAAmB,CAAC,EAAE,CAAC,OAAO,EAAE,oBAAoB,KAAK,OAAO,CAAA;IAEhE;;OAEG;IACH,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAE7B;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAA;IAE5B;;;OAGG;IACH,mBAAmB,CAAC,EAAE,mBAAmB,CAAA;IAEzC;;;;OAIG;IACH,cAAc,CAAC,EAAE,oBAAoB,CAAA;IAErC;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;CAC/B;AAED;;;GAGG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,YAAY,EAAE,MAAM,CAAA;IAEpB;;OAEG;IACH,UAAU,CAAC,EAAE,GAAG,CAAA;IAEhB;;OAEG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;OAEG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAA;CACzB;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,MAAM,CAAA;IACjB,OAAO,EAAE,MAAM,CAAA;IACf,MAAM,EAAE,MAAM,CAAA;IACd,KAAK,EAAE,MAAM,CAAA;IAEb;;;;OAIG;IACH,UAAU,CAAC,EAAE,GAAG,CAAA;IAEhB;;;OAGG;IACH,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB;;;OAGG;IACH,oBAAoB,CAAC,EAAE,OAAO,CAAA;IAE9B;;;OAGG;IACH,eAAe,CAAC,EAAE,4BAA4B,EAAE,CAAA;IAEhD;;;;OAIG;IACH,OAAO,CAAC,EAAE,YAAY,EAAE,CAAA;CACzB;AAED;;GAEG;AACH,UAAU,oBAAoB;IAC5B;;OAEG;IACH,SAAS,EAAE,MAAM,CAAA;IAEjB;;OAEG;IACH,OAAO,EAAE,MAAM,CAAA;IAEf;;OAEG;IACH,MAAM,EAAE,MAAM,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,IAAI,EAAE,QAAQ,CAAA;IAEd;;OAEG;IACH,OAAO,EAAE,aAAa,EAAE,CAAA;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,wBAAyB,SAAQ,oBAAoB;IACpE,IAAI,EAAE,UAAU,CAAA;IAEhB;;;;;;OAMG;IACH,eAAe,EAAE;QACf;;WAEG;QACH,OAAO,EAAE,MAAM,CAAA;QAEf;;WAEG;QACH,YAAY,EAAE,MAAM,CAAA;QAEpB;;WAEG;QACH,OAAO,EAAE,aAAa,EAAE,CAAA;KACzB,EAAE,CAAA;CACJ;AAED;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,sBAAsB,GAAG,wBAAwB,CAAA;AAEhF,MAAM,WAAW,cAAc;IAC7B,eAAe,EAAE,MAAM,CAAA;IACvB,OAAO,EAAE,aAAa,EAAE,CAAA;IACxB,kBAAkB,EAAE,OAAO,CAAA;IAC3B,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;IACrC,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,WAAW,CAAC,EAAE,gBAAgB,EAAE,GAAG,SAAS,CAAA;CAC7C;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,MAAM,CAC1B,cAAc,EAAE,cAAc,EAAE,EAChC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,cAAc,CAAC,CA2CzB;AAED,wBAAsB,qBAAqB,CACzC,aAAa,EAAE,gBAAgB,EAC/B,eAAe,EAAE,eAAe,GAC/B,OAAO,CAAC;IACT,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;IACrC,QAAQ,EAAE,MAAM,EAAE,CAAA;CACnB,CAAC,CAiDD;AAED,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,qBAAqB,EAAE,MAAM,EAAE,CAAA;IAC/B,2BAA2B,EAAE,MAAM,EAAE,CAAA;IACrC,wHAAwH;IACxH,cAAc,EAAE,OAAO,CAAA;IACvB,8IAA8I;IAC9I,yBAAyB,EAAE,OAAO,CAAA;CACnC;AAoKD;;;;;;;;GAQG;AACH,wBAAgB,uCAAuC,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAYrF;AAED,wBAAsB,oCAAoC,CACxD,cAAc,EAAE,GAAG,EACnB,eAAe,EAAE,MAAM,GAAG,SAAS,GAClC,OAAO,CAAC,eAAe,CAAC,CAoJ1B;AAED,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,IAAI,CAAC,qBAAqB,EAAE,SAAS,GAAG,UAAU,CAAC,GAC3D,OAAO,CAAC,MAAM,EAAE,CAAC,CA4BnB;AAED;;;;;;;GAOG;AACH,wBAAsB,2BAA2B,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAsBxF;AAED,wBAAsB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC,CAqBjG;AAED;;;;;GAKG;AACH,wBAAgB,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAOrE;AAcD;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,cAAc,EAAE,cAAc,QAyB/D"}