@cloud-copilot/iam-lens 0.1.7 → 0.1.8

package/README.md

@@ -3,5 +3,255 @@
 [![NPM Version](https://img.shields.io/npm/v/@cloud-copilot/iam-lens.svg?logo=nodedotjs)](https://www.npmjs.com/package/@cloud-copilot/iam-lens) [![License: AGPL v3](https://img.shields.io/github/license/cloud-copilot/iam-lens)](LICENSE.txt) [![GuardDog](https://github.com/cloud-copilot/iam-lens/actions/workflows/guarddog.yml/badge.svg)](https://github.com/cloud-copilot/iam-lens/actions/workflows/guarddog.yml) [![Known Vulnerabilities](https://snyk.io/test/github/cloud-copilot/iam-lens/badge.svg?targetFile=package.json&style=flat-square)](https://snyk.io/test/github/cloud-copilot/iam-lens?targetFile=package.json)
 
 ## iam-lens
-Get visibility into your actual AWS IAM permissions.
 
+Get visibility into the actual IAM policies that apply in your AWS organizations and accounts. This will use your existing AWS IAM policies (downloaded via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and evaluate the effective permissions.
+
+## Quick Start
+
+```bash
+# Install
+npm install -g @cloud-copilot/iam-collect @cloud-copilot/iam-lens
+
+# Download all IAM policies in your accounts
+iam-collect init
+iam-collect download
+
+# Simulate a request
+iam-lens simulate --principal arn:aws:iam::123456789012:role/ExampleRole --resource arn:aws:s3:::example-bucket/secret-file.txt --action s3:GetObject
+
+# Find out who can do something
+iam-lens who-can --resource arn:aws:s3:::example-bucket --actions s3:GetObject
+
+# Find out who can do all actions on a resource
+iam-lens who-can --resource arn:aws:iam::123456789012:role/ExampleRole
+```
+
+## What is iam-lens?
+
+iam-lens uses real IAM data from your AWS accounts (collected via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and allows you to quickly simulate requests and discover the actual effective permissions that apply to a principal or resource.
+
+## Why use it?
+
+1. **Understand** what permissions are actually in place and why. See the policies that determine the outcome of a given request.
+2. **Verify** specific actions are allowed or not allowed for a principal or resource.
+3. **Discover** who can take action on a sensitive resource with a single command.
+4. **Audit** your IAM policies and ensure they are configured correctly.
+5. **Debug** permissions by simulating requests locally and iterate quickly without needing to deploy changes to your AWS environment.
+
+## Getting Started
+
+1. **Download Your Policies** Use [iam-collect](https://github.com/cloud-copilot/iam-collect) to download all your policies from all your AWS accounts. iam-collect is highly configurable and can be customized to collect the policies you need. It only downloads information to your file system or an S3 bucket, so you're in full control of your data.
+
+```bash
+npm install -g @cloud-copilot/iam-collect
+iam-collect init
+iam-collect download
+```
+
+To see the effect of SCPs and RCPs, you should download data from your management account; or an account with permissions do download organization information. Download data for member accounts you want to analyze. `iam-lens` will analyze cross-account and cross-organization requests if you have the data available.
+
+2. **Install iam-lens**
+
+```bash
+npm install -g @cloud-copilot/iam-lens
+```
+
+3. **Execute Commands** with `iam-lens` to simulate requests, discover permissions, and audit your IAM policies.
+
+Simulate a request:
+
+```bash
+iam-lens simulate --principal arn:aws:iam::123456789012:role/ExampleRole --resource arn:aws:s3:::example-bucket/secret-file.txt --action s3:GetObject
+```
+
+or
+
+Discover who can perform an action on a resource:
+
+```bash
+iam-lens who-can --resource arn:aws:iam::111111111111:role/ImportantRole --actions sts:AssumeRole iam:PassRole
+```
+
+## Commands
+
+### `simulate` - Simulate an IAM request
+
+```bash
+iam-lens simulate [options]
+```
+
+Evaluates whether a given principal can perform a specified action on a resource (or wildcard). Returns a decision (Allowed/ImplicitlyDenied/ExplicitlyDenied), and exits nonzero if you provided an `--expect` that doesn’t match the result.
+
+**Options:**
+
+| Flag                        | Description                                                                                                                                                                                         |
+| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--principal <arn>`         | The principal the request is from. Can be a user, role, session, or AWS service.                                                                                                                    |
+| `--resource <arn>`          | The ARN of the resource to simulate access to. Ignore for wildcard-only actions (e.g. `s3:ListAllMyBuckets`).                                                                                       |
+| `--resourceAccountId <id>`  | The account ID of the resource, only required if it cannot be determined from the resource ARN.                                                                                                     |
+| `--action <service:action>` | The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`.                                                                                                             |
+| `--context <key=value>`     | One or more context keys to use for the simulation. Keys are formatted as `key=value1,value2`. Multiple values can be separated by commas.                                                          |
+| `-v, --verbose`             | Enable verbose output for the simulation (prints evaluation steps and policy checks).                                                                                                               |
+| `--expect <result>`         | The expected outcome of the simulation. Valid values: `Allowed`, `ImplicitlyDenied`, `ExplicitlyDenied`, `AnyDeny`. If the result does not match the expect value, a non-zero exit code is returned |
+
+**Examples:**
+
+```bash
+# Simple simulate: can this role list objects in the bucket?
+iam-lens simulate \
+  --principal arn:aws:iam::111111111111:role/MyRole \
+  --resource arn:aws:s3:::my-bucket \
+  --action s3:ListBucket
+
+# Simulate a wildcard action (ListAllMyBuckets) – must supply resourceAccountId
+iam-lens simulate \
+  --principal arn:aws:iam::222222222222:user/Alice \
+  --action s3:ListAllMyBuckets \
+  --resourceAccountId 222222222222
+
+# Include context keys (e.g. resource tags or org IDs)
+iam-lens simulate \
+  --principal arn:aws:iam::333333333333:role/DevRole \
+  --resource arn:aws:sqs:us-east-1:333333333333:my-queue \
+  --action sqs:SendMessage \
+  --context aws:PrincipalOrgID=o-aaaaaaaaaa \
+  --context aws:ResourceTag/Env=prod,staging \
+  --verbose
+
+# Assert the result must be “Allowed”; exit code will be nonzero if not
+iam-lens simulate \
+  --principal arn:aws:iam::444444444444:role/ReadOnly \
+  --resource arn:aws:dynamodb:us-east-1:444444444444:table/Books \
+  --action dynamodb:Query \
+  --expect Allowed
+```
+
+### `who-can` - Find who can perform an action on a resource
+
+```bash
+iam-lens who-can [options]
+```
+
+Lists all principals in your IAM data who are allowed to perform one or more specified actions on a resource (or wildcard). If applicable it will check the resource policy to find cross-account permissions and AWS service principals.
+
+**Options:**
+
+| Flag                         | Description                                                                                                                                                                                                          |
+| ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--resource <arn>`           | The ARN of the resource to check permissions for. Ignore for wildcard-only actions (`iam:ListRoles`, etc.).                                                                                                          |
+| `--resourceAccount <id>`     | The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions such as `s3:ListAllMyBuckets`                                                          |
+| `--actions <service:action>` | One or more actions to check, e.g. `s3:GetObject`. Specify as many actions as you want. If omitted it will analyze all valid actions for the resource. If no `--resource` is specified then actions must be entered. |
+
+**Examples:**
+
+```bash
+# Who can get objects from this bucket?
+iam-lens who-can \
+  --resource arn:aws:s3:::my-bucket \
+  --actions s3:GetObject
+
+# Who can list all IAM roles in any account? (wildcard action – no resource)
+iam-lens who-can \
+  --actions iam:ListRoles
+
+# Check multiple actions at once
+iam-lens who-can \
+  --resource arn:aws:dynamodb:us-east-1:555555555555:table/Books \
+  --actions dynamodb:Query,dynamodb:UpdateItem
+```
+
+**Global Options:**
+
+| Flag                       | Description                                                           | Default             |
+| -------------------------- | --------------------------------------------------------------------- | ------------------- |
+| `--collectConfigs <files>` | One or more `iam-collect` config files to use for fetching IAM data.  | `iam-collect.jsonc` |
+| `--partition <partition>`  | The AWS partition (`aws`, `aws-cn`, `aws-us-gov`). Defaults to `aws`. | `aws`               |
+
+## Context Keys
+
+Below are the context keys that iam-lens populates by default during simulation. These keys are set based on your principal, resource, and organization data. Any keys provided via `--context` will override the defaults.
+
+### Default Context Keys
+
+- **`aws:SecureTransport`**
+  Always set to `true` to indicate the request is using a secure channel.
+
+- **`aws:CurrentTime`**
+  ISO 8601 timestamp of when the simulation is run (e.g., `2025-06-01T12:34:56.789Z`).
+
+- **`aws:EpochTime`**
+  Unix epoch time in seconds (e.g., `1717290896`).
+
+#### Principal Context (if principal is an ARN)
+
+- **`aws:PrincipalArn`**
+  The full ARN of the principal (user, role, federated user, or service) being simulated.
+
+- **`aws:PrincipalAccount`**
+  The AWS account ID extracted from the principal ARN.
+
+- **`aws:PrincipalOrgId`** _(if the account is in an organization)_
+  The Organization ID that owns the principal’s account.
+
+- **`aws:PrincipalOrgPaths`** _(if the account is in an organization)_
+  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` indicating the account’s path in the OU hierarchy.
+
+- **`aws:PrincipalTag/<TagKey>`**
+  For each tag on the IAM principal, a context key of the form `aws:PrincipalTag/<TagKey>` with its tag value.
+
+- **`aws:PrincipalIsAWSService`**
+  Set to `true` if the principal is an AWS service principal (e.g. `lambda.amazonaws.com`), otherwise `false`.
+
+- **`aws:PrincipalType`**
+  One of: `Account`, `User`, `FederatedUser`, `AssumedRole`, indicating the type of principal.
+
+- **`aws:userid`**
+  The unique identifier for the principal session:
+
+  - For a root principal: the account ID
+  - For a user: the IAM user’s unique ID (or `UNKNOWN` if not found)
+  - For a federated user: `<AccountId>:<FederatedName>`
+  - For an assumed role: `<RoleUniqueId>:<SessionName>`
+
+- **`aws:username`** _(only for IAM users)_
+  The IAM username portion of the principal ARN (e.g. `Alice`).
+
+- **`aws:PrincipalServiceName`** _(only for AWS service principals)_
+  The service principal string (e.g. `lambda.amazonaws.com`).
+
+- **`aws:SourceAccount`** _(only for AWS service principals)_
+  The account ID of the simulated resource, used when interpreting a service principal’s context.
+
+- **`aws:SourceOrgID`** _(only for AWS service principals)_
+  The organization ID of the simulated resource’s account (if any).
+
+- **`aws:SourceOrgPaths`** _(only for AWS service principals)_
+  The OU hierarchy path for the simulated resource’s account (if any).
+
+#### Resource Context (unless action is excluded)
+
+- **`aws:ResourceAccount`**
+  The AWS account ID of the simulated resource.
+
+- **`aws:ResourceOrgID`** _(if the resource account is in an organization)_
+  The Organization ID for the resource’s account.
+
+- **`aws:ResourceOrgPaths`** _(if the resource account is in an organization)_
+  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` for the resource’s account.
+
+- **`aws:ResourceTag/<TagKey>`**
+  For each tag on the resource ARN, a context key `aws:ResourceTag/TagKey` with its tag value. **This is only for resources that are stored in your `iam-collect` data**, such as Roles, S3 Buckets, DynamoDB Tables, etc. For resources not stored in `iam-collect`, this key will not be set.
+
+### Overriding Default Context Keys
+
+Any context keys supplied via the `--context key=value[,value2,…]` option will override the defaults described above. For example:
+
+```bash
+iam-lens simulate \
+  --principal arn:aws:iam::123456789012:user/Alice \
+  --resource arn:aws:s3:::my-bucket \
+  --action s3:GetObject \
+  --context aws:CurrentTime=2025-01-01T00:00:00Z aws:PrincipalTag/Env=staging
+```
+
+In this case, `aws:CurrentTime` and `aws:PrincipalTag/Env` will use the provided values instead of what iam-lens would normally derive.

package/dist/cjs/cli.js

@@ -3,8 +3,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const cli_1 = require("@cloud-copilot/cli");
 const collect_js_1 = require("./collect/collect.js");
-const simulate_js_1 = require("./simulate.js");
+const simulate_js_1 = require("./simulate/simulate.js");
 const packageVersion_js_1 = require("./utils/packageVersion.js");
+const whoCan_js_1 = require("./whoCan/whoCan.js");
 const main = async () => {
     const version = await (0, packageVersion_js_1.iamLensVersion)();
     const cli = (0, cli_1.parseCliArguments)('iam-lens', {
@@ -24,12 +25,12 @@ const main = async () => {
                 resourceAccountId: {
                     type: 'string',
                     values: 'single',
-                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN. Ignore for wildcard actions'
+                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN.'
                 },
                 action: {
                     type: 'string',
                     values: 'single',
-                    description: 'The action to simulate; must be a valid IAM service and action such as `s3:GetObject`'
+                    description: 'The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`'
                 },
                 context: {
                     type: 'string',
@@ -40,6 +41,32 @@ const main = async () => {
                     type: 'boolean',
                     description: 'Enable verbose output for the simulation',
                     character: 'v'
+                },
+                expect: {
+                    type: 'enum',
+                    values: 'single',
+                    validValues: ['Allowed', 'ImplicitlyDenied', 'ExplicitlyDenied', 'AnyDeny'],
+                    description: 'The expected result of the simulation, if the result does not match the expected response a non-zero exit code will be returned'
+                }
+            }
+        },
+        'who-can': {
+            description: 'Find who can perform an action on a resource',
+            options: {
+                resource: {
+                    type: 'string',
+                    values: 'single',
+                    description: 'The ARN of the resource to check permissions for. Ignore for wildcard actions'
+                },
+                resourceAccount: {
+                    type: 'string',
+                    values: 'single',
+                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions'
+                },
+                actions: {
+                    type: 'string',
+                    values: 'multiple',
+                    description: 'The action to check permissions for; must be a valid IAM service and action such as `s3:GetObject`'
                 }
             }
         }
@@ -64,9 +91,9 @@ const main = async () => {
         cli.args.collectConfigs.push('./iam-collect.jsonc');
     }
     const thePartition = cli.args.partition || 'aws';
+    const collectConfigs = await (0, collect_js_1.loadCollectConfigs)(cli.args.collectConfigs);
+    const collectClient = (0, collect_js_1.getCollectClient)(collectConfigs, thePartition);
     if (cli.subcommand === 'simulate') {
-        const collectConfigs = await (0, collect_js_1.loadCollectConfigs)(cli.args.collectConfigs);
-        const collectClient = (0, collect_js_1.getCollectClient)(collectConfigs, thePartition);
         const { principal, resource, resourceAccountId, action, context } = cli.args;
         const contextKeys = convertContextKeysToMap(context);
         const result = await (0, simulate_js_1.simulateRequest)({
@@ -76,10 +103,31 @@ const main = async () => {
             action: action,
             customContextKeys: contextKeys
         }, collectClient);
+        if (result.errors) {
+            console.error('Simulation Errors:');
+            console.log(JSON.stringify(result.errors, null, 2));
+            process.exit(1);
+        }
         console.log(`Simulation Result: ${result.analysis?.result}`);
         if (cli.args.verbose) {
             console.log(JSON.stringify(result, null, 2));
         }
+        if (!(0, simulate_js_1.resultMatchesExpectation)(cli.args.expect, result.analysis?.result)) {
+            process.exit(1);
+        }
+    }
+    else if (cli.subcommand === 'who-can') {
+        const { resource, resourceAccount, actions } = cli.args;
+        if (!resourceAccount && !resource && actions.length === 0) {
+            console.error('Error: At least 1) resource or 2) resource-account and actions must be provided for who-can command');
+            process.exit(1);
+        }
+        const results = await (0, whoCan_js_1.whoCan)(collectClient, {
+            resource: cli.args.resource,
+            actions: cli.args.actions,
+            resourceAccount: cli.args.resourceAccount
+        });
+        console.log(JSON.stringify(results, null, 2));
     }
 };
 main()

package/dist/cjs/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,+CAA+C;AAC/C,iEAA0D;AAE1D,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,6HAA6H;iBAChI;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,uFAAuF;iBAC1F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAEhD,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;QAEpE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAS;YACtB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,wDAAkF;AAClF,iEAA0D;AAC1D,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,IAAA,sCAAwB,EAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAM,EAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/cjs/collect/client.d.ts

@@ -55,15 +55,34 @@ interface OrganizationMetadata {
         TAG_POLICY?: boolean;
     };
 }
+interface OrgStructureNode {
+    children?: OrgStructure | undefined;
+    accounts?: string[] | undefined;
+}
+interface OrgStructure {
+    [key: string]: OrgStructureNode;
+}
+export interface IamCollectClientOptions {
+    enableCaching?: boolean;
+}
 export declare class IamCollectClient {
     private storageClient;
-    constructor(storageClient: AwsIamStore);
+    private _cache;
+    private _enableCaching;
+    constructor(storageClient: AwsIamStore, clientOptions?: IamCollectClientOptions);
+    private withCache;
     /**
      * Checks if an account exists in the store.
      * @param accountId The ID of the account to check.
      * @returns True if the account exists, false otherwise.
      */
     accountExists(accountId: string): Promise<boolean>;
+    /**
+     * Get all account IDs in the store.
+     *
+     * @returns all account IDs in the store
+     */
+    allAccounts(): Promise<string[]>;
     /**
      * Checks if a principal exists in the store.
      * @param principalArn The ARN of the principal to check.
@@ -121,7 +140,7 @@ export declare class IamCollectClient {
      * @param orgId The ID of the organization.
      * @returns The account data for the organization.
      */
-    getAccountDataForOrg(orgId: string): Promise<OrgAccounts>;
+    getAccountDataForOrg(orgId: string): Promise<OrgAccounts | undefined>;
     /**
      * Gets the org units data for an organization.
      * @param orgId The ID of the organization.
@@ -266,6 +285,22 @@ export declare class IamCollectClient {
      * @returns a unique ID for the resource, or undefined if not found
      */
     getUniqueIdForIamResource(resourceArn: string): Promise<string | undefined>;
+    /**
+     * Get the account IDs for an organization.
+     *
+     * @param organizationId the ID of the organization
+     * @returns a tuple containing a boolean indicating success and an array of account IDs
+     */
+    getAccountsForOrganization(organizationId: string): Promise<[boolean, string[]]>;
+    /**
+     * Get the organization structure or an organization.
+     *
+     * @param orgId the ID of the organization
+     * @returns returns the organization structure or undefined if not found
+     */
+    getOrganizationStructure(orgId: string): Promise<OrgStructure | undefined>;
+    getAccountsForOrgPath(orgId: string, ouIds: string[]): Promise<[boolean, string[]]>;
+    getAllPrincipalsInAccount(accountId: string): Promise<string[]>;
 }
 export {};
 //# sourceMappingURL=client.d.ts.map

package/dist/cjs/collect/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAOD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAc7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;AAQD,qBAAa,gBAAgB;IACf,OAAO,CAAC,aAAa;gBAAb,aAAa,EAAE,WAAW;IAE9C;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU7D;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,+BAA+B,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAuCnC;;;;;OAKG;IACG,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBzE;;;;OAIG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAU5E;;;;;OAKG;IACG,4BAA4B,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAM5F;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;;OAKG;IACG,wBAAwB,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAkBvB;;;;OAIG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAI/D;;;;OAIG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI7D;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,aAAa,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;IAoBrB;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;;;OAMG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAavB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAMxE;;;;OAIG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAS5E;;;;OAIG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IASzE;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBpF;;;;OAIG;IACG,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAU/E;;;;;OAKG;IACG,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAW1D;;;;;OAKG;IACG,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBtE,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAapE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;;OAKG;IACG,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOpF;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAgB/F;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAQ/F;;;;;;OAMG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAQlC;;;;;;;OAOG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;CASlF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAWD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAQ7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;AAQD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,YAAY,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAChC;AAED,UAAU,YAAY;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAChC;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB;AAED,qBAAa,gBAAgB;IAKzB,OAAO,CAAC,aAAa;IAJvB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,cAAc,CAAS;gBAGrB,aAAa,EAAE,WAAW,EAClC,aAAa,CAAC,EAAE,uBAAuB;YAM3B,SAAS;IAWvB;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD;;;;OAIG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAItC;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU7D;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,+BAA+B,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAyCnC;;;;;OAKG;IACG,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBzE;;;;OAIG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAU5E;;;;;OAKG;IACG,4BAA4B,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAM5F;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;;OAKG;IACG,wBAAwB,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAkBvB;;;;OAIG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI3E;;;;OAIG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI7D;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,aAAa,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;IAuBrB;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;;;OAMG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAavB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAMxE;;;;OAIG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAS5E;;;;OAIG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IASzE;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAoBpF;;;;OAIG;IACG,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAU/E;;;;;OAKG;IACG,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAW1D;;;;;OAKG;IACG,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBtE,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAapE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;;OAKG;IACG,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOpF;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAgB/F;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAQ/F;;;;;;OAMG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAQlC;;;;;;;OAOG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAUjF;;;;;OAKG;IACG,0BAA0B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAStF;;;;;OAKG;IACG,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC;IAO1E,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAwCnF,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAetE"}