@cloud-copilot/iam-lens 0.1.7 → 0.1.9

package/README.md

@@ -3,5 +3,267 @@
 [![NPM Version](https://img.shields.io/npm/v/@cloud-copilot/iam-lens.svg?logo=nodedotjs)](https://www.npmjs.com/package/@cloud-copilot/iam-lens) [![License: AGPL v3](https://img.shields.io/github/license/cloud-copilot/iam-lens)](LICENSE.txt) [![GuardDog](https://github.com/cloud-copilot/iam-lens/actions/workflows/guarddog.yml/badge.svg)](https://github.com/cloud-copilot/iam-lens/actions/workflows/guarddog.yml) [![Known Vulnerabilities](https://snyk.io/test/github/cloud-copilot/iam-lens/badge.svg?targetFile=package.json&style=flat-square)](https://snyk.io/test/github/cloud-copilot/iam-lens?targetFile=package.json)
 
 ## iam-lens
-Get visibility into your actual AWS IAM permissions.
 
+Get visibility into the actual IAM permissions in your AWS organizations and accounts. Use your actual AWS IAM policies (downloaded via [iam-collect](https://github.com/cloud-copilot/iam-collect)) and evaluate the effective permissions.
+
+## Quick Start
+
+```bash
+# Install
+npm install -g @cloud-copilot/iam-collect @cloud-copilot/iam-lens
+
+# Download all IAM policies in your account using default credentials, run download once per account
+iam-collect init
+iam-collect download
+
+# Simulate a request
+iam-lens simulate --principal arn:aws:iam::123456789012:role/ExampleRole --resource arn:aws:s3:::example-bucket/secret-file.txt --action s3:GetObject
+
+# Find out who can do something
+iam-lens who-can --resource arn:aws:s3:::example-bucket --actions s3:ListBucket
+
+# Find out who can do all actions on a resource
+iam-lens who-can --resource arn:aws:s3:::example-bucket
+```
+
+## What is iam-lens?
+
+iam-lens uses real IAM data from your AWS accounts (collected via [iam-collect](https://github.com/cloud-copilot/iam-collect)) to quickly simulate requests and discover the real effective permissions that apply to a principal or resource.
+
+## Why use it?
+
+1. **Understand** what permissions are actually in place and why. See the policies that determine the outcome of a request.
+2. **Verify** what's allowed or not after everything is deployed.
+3. **Discover** who can take action on a sensitive resource with a single command.
+4. **Audit** your IAM policies and ensure they are configured correctly.
+5. **Debug** permissions by simulating requests locally and iterate quickly without needing to deploy changes to your AWS environment.
+
+## Getting Started
+
+1. **Download Your Policies** with [iam-collect](https://github.com/cloud-copilot/iam-collect) to get all your policies from all your AWS accounts. iam-collect is highly configurable and can be customized to collect the policies you need. It only downloads information to your file system or an S3 bucket, so you're in full control of your data.
+
+```bash
+npm install -g @cloud-copilot/iam-collect
+iam-collect init
+iam-collect download
+```
+
+To see the effect of SCPs and RCPs, you should download data from your management account; or an account with permissions to download organization information. Download data for member accounts you want to analyze. `iam-lens` will analyze cross-account and cross-organization requests if you have the data available.
+
+You can download information for as many accounts, organizations, and regions as you like. The more data you have, the more accurate your simulations will be.
+
+2. **Install iam-lens**
+
+```bash
+npm install -g @cloud-copilot/iam-lens
+```
+
+3. **Execute Commands** with `iam-lens` to simulate requests, discover permissions, and audit your IAM policies.
+
+Simulate a request:
+
+```bash
+iam-lens simulate --principal arn:aws:iam::123456789012:role/ExampleRole --resource arn:aws:s3:::example-bucket/secret-file.txt --action s3:GetObject
+```
+
+or
+
+Discover who can perform an action on a resource:
+
+```bash
+iam-lens who-can --resource arn:aws:iam::111111111111:role/ImportantRole --actions sts:AssumeRole iam:PassRole
+```
+
+## Commands
+
+### `simulate` - Simulate an IAM request
+
+```bash
+iam-lens simulate [options]
+```
+
+Evaluates whether a principal can perform a specified action on a resource (or wildcard). Returns a decision (Allowed/ImplicitlyDenied/ExplicitlyDenied), and exits nonzero if you provided an `--expect` that doesn’t match the result.
+
+**Options:**
+
+| Flag                        | Description                                                                                                                                                                                                                                                          |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--principal <arn>`         | The principal the request is from. Can be a user, role, session, or AWS service.                                                                                                                                                                                     |
+| `--resource <arn>`          | The ARN of the resource to simulate access to. Ignore for wildcard-only actions such as `s3:ListAllMyBuckets`.                                                                                                                                                       |
+| `--resource-account <id>`   | The account ID of the resource, only required if it cannot be determined from the resource ARN.                                                                                                                                                                      |
+| `--action <service:action>` | The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`.                                                                                                                                                                              |
+| `--context <key=value>`     | One or more context keys to use for the simulation. Keys are formatted as `keyA=value1,value2 keyB=value1,value2`. Multiple keys are separated by spaces. Multiple values separated by commas. See [Context Keys](#context-keys) for what keys are set automatically |
+| `-v, --verbose`             | Enable verbose output for the simulation (exactly what statements applied or not and why).                                                                                                                                                                           |
+| `--expect <result>`         | Optional expected outcome of the simulation. Valid values are `Allowed`, `ImplicitlyDenied`, `ExplicitlyDenied`, `AnyDeny`. If the result does not match the expected value, a non-zero exit code is returned                                                        |
+
+**Examples:**
+
+```bash
+# Simple simulate: can this role list objects in the bucket?
+iam-lens simulate \
+  --principal arn:aws:iam::111111111111:role/MyRole \
+  --resource arn:aws:s3:::my-bucket \
+  --action s3:ListBucket
+
+# Simulate a wildcard action (ListAllMyBuckets) – this will assume the principals account
+iam-lens simulate \
+  --principal arn:aws:iam::222222222222:user/Alice \
+  --action s3:ListAllMyBuckets \
+
+# Include custom context keys
+iam-lens simulate \
+  --principal arn:aws:iam::333333333333:role/DevRole \
+  --resource arn:aws:sqs:us-east-1:333333333333:my-queue \
+  --action sqs:SendMessage \
+  --context aws:SourceVpc=vpc-1234567890abcdef0 \
+  --verbose
+
+# Assert the result must be “Allowed”; exit code will be nonzero if not
+iam-lens simulate \
+  --principal arn:aws:iam::444444444444:role/ReadOnly \
+  --resource arn:aws:dynamodb:us-east-1:444444444444:table/Books \
+  --action dynamodb:Query \
+  --expect Allowed
+```
+
+### `who-can` - Find who can perform an action on a resource
+
+```bash
+iam-lens who-can [options]
+```
+
+Lists all principals in your IAM data who are allowed to perform one or more specified actions on a resource (or wildcard). If applicable it will check the resource policy to find cross-account permissions and AWS service principals.
+
+**Options:**
+
+| Flag                         | Description                                                                                                                                                                                                            |
+| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `--resource <arn>`           | The ARN of the resource to check permissions for. Ignore for wildcard-only actions such as `iam:ListRoles`                                                                                                             |
+| `--resource-account <id>`    | The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions such as `ec2:DescribeInstances`                                                          |
+| `--actions <service:action>` | One or more actions to check such as `s3:GetObject`. Specify as many actions as you want. If omitted it will analyze all valid actions for the resource. If no `--resource` is specified then actions must be entered. |
+
+**Examples:**
+
+```bash
+# Who can get this object?
+iam-lens who-can \
+  --resource arn:aws:s3:::my-bucket/secret-file.txt \
+  --actions s3:GetObject
+
+# Who can list all IAM roles in any account? (wildcard action – no resource)
+iam-lens who-can \
+  --resource-account 555555555555 \
+  --actions iam:ListRoles
+
+# Check multiple actions at once
+iam-lens who-can \
+  --resource arn:aws:dynamodb:us-east-1:555555555555:table/Books \
+  --actions dynamodb:Query dynamodb:UpdateItem
+```
+
+### Global Options:
+
+These options are available for all commands:
+
+| Flag                       | Description                                                           | Default             |
+| -------------------------- | --------------------------------------------------------------------- | ------------------- |
+| `--collectConfigs <files>` | One or more `iam-collect` config files to use for fetching IAM data.  | `iam-collect.jsonc` |
+| `--partition <partition>`  | The AWS partition (`aws`, `aws-cn`, `aws-us-gov`). Defaults to `aws`. | `aws`               |
+
+## Context Keys
+
+Below are the context keys that iam-lens populates by default during simulation. These keys are set based on your principal, resource, and organization data. Any keys provided via `--context` will override the defaults.
+
+### Default Context Keys
+
+- **`aws:SecureTransport`**
+  Always set to `true` to indicate the request is using a secure channel.
+
+- **`aws:CurrentTime`**
+  ISO 8601 timestamp of when the simulation is run (e.g., `2025-06-01T12:34:56.789Z`).
+
+- **`aws:EpochTime`**
+  Unix epoch time in seconds (e.g., `1717290896`).
+
+#### IAM Principal Context
+
+- **`aws:PrincipalArn`**
+  The full ARN of the principal (user, role, role session, or federated user) being simulated.
+
+- **`aws:PrincipalAccount`**
+  The AWS account ID extracted from the principal ARN.
+
+- **`aws:PrincipalOrgId`** _(if the account is in an organization)_
+  The Organization ID that owns the principal’s account.
+
+- **`aws:PrincipalOrgPaths`** _(if the account is in an organization)_
+  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` indicating the account’s path in the OU hierarchy.
+
+- **`aws:PrincipalTag/<TagKey>`**
+  For each tag on the IAM principal, a context key of the form `aws:PrincipalTag/<TagKey>` with its tag value.
+
+- **`aws:PrincipalIsAWSService`**
+  Set to `false` for all IAM principals (users, roles, federated users).
+
+- **`aws:PrincipalType`**
+  One of: `Account`, `User`, `FederatedUser`, `AssumedRole`, indicating the type of principal.
+
+- **`aws:userid`**
+  The unique identifier for the principal session:
+
+  - For a root principal: the account ID
+  - For a user: the IAM user’s unique ID (or `UNKNOWN` if not found)
+  - For a federated user: `<AccountId>:<FederatedName>`
+  - For an assumed role: `<RoleUniqueId>:<SessionName>`
+
+  Setting `role-id:ec2-instance-id` for EC2 instances is not supported at this time.
+
+- **`aws:username`** _(only for IAM users)_
+  The IAM username portion of the principal ARN (e.g. `Alice`).
+
+#### Service Principal Context
+
+The following context keys are set when the principal is an AWS service (e.g., `lambda.amazonaws.com`, `ec2.amazonaws.com`):
+
+- **`aws:PrincipalServiceName`**
+  The service principal string (e.g. `lambda.amazonaws.com`).
+
+- **`aws:SourceAccount`**
+  The account ID of the resource.
+
+- **`aws:SourceOrgID`**
+  The organization ID of the resource’s account (if part of an organization).
+
+- **`aws:SourceOrgPaths`**
+  The OU hierarchy path for the resource’s account (if part of an organization).
+
+- **`aws:PrincipalIsAWSService`**
+  Set to `true` for all service principals. Set to `false` for all IAM principals (users, roles, federated users).
+
+#### Resource Context ([unless action is excluded](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourceaccount))
+
+- **`aws:ResourceAccount`**
+  The AWS account ID of the resource.
+
+- **`aws:ResourceOrgID`**
+  The Organization ID for the resource’s account (if part of an organization).
+
+- **`aws:ResourceOrgPaths`** _(if the resource account is in an organization)_
+  A list containing a single string of the form `<OrgId>/<OU1>/<OU2>/…/` for the resource’s account (if part of an organization).
+
+- **`aws:ResourceTag/<TagKey>`**
+  For each tag on the resource ARN, a context key `aws:ResourceTag/TagKey` with its tag value. **This is only for resources that are stored in your `iam-collect` data**, such as Roles, S3 Buckets, DynamoDB Tables, etc. For resources not stored in `iam-collect`, this key should be set manually.
+
+### Overriding Default Context Keys
+
+Any context keys supplied via the `--context key=value[,value2,…]` option will override the defaults described above. For example:
+
+```bash
+iam-lens simulate \
+  --principal arn:aws:iam::123456789012:user/Alice \
+  --resource arn:aws:s3:::my-bucket \
+  --action s3:GetObject \
+  --context aws:CurrentTime=2025-01-01T00:00:00Z aws:PrincipalTag/Env=staging
+```
+
+In this case, `aws:CurrentTime` and `aws:PrincipalTag/Env` will use the provided values instead of what iam-lens would normally derive.

package/dist/cjs/cli.js

@@ -3,8 +3,9 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const cli_1 = require("@cloud-copilot/cli");
 const collect_js_1 = require("./collect/collect.js");
-const simulate_js_1 = require("./simulate.js");
+const simulate_js_1 = require("./simulate/simulate.js");
 const packageVersion_js_1 = require("./utils/packageVersion.js");
+const whoCan_js_1 = require("./whoCan/whoCan.js");
 const main = async () => {
     const version = await (0, packageVersion_js_1.iamLensVersion)();
     const cli = (0, cli_1.parseCliArguments)('iam-lens', {
@@ -21,15 +22,15 @@ const main = async () => {
                     values: 'single',
                     description: 'The ARN of the resource to simulate access to. Ignore for wildcard actions'
                 },
-                resourceAccountId: {
+                resourceAccount: {
                     type: 'string',
                     values: 'single',
-                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN. Ignore for wildcard actions'
+                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN.'
                 },
                 action: {
                     type: 'string',
                     values: 'single',
-                    description: 'The action to simulate; must be a valid IAM service and action such as `s3:GetObject`'
+                    description: 'The action to simulate; must be a valid IAM service and action such as `s3:ListBucket`'
                 },
                 context: {
                     type: 'string',
@@ -40,6 +41,32 @@ const main = async () => {
                     type: 'boolean',
                     description: 'Enable verbose output for the simulation',
                     character: 'v'
+                },
+                expect: {
+                    type: 'enum',
+                    values: 'single',
+                    validValues: ['Allowed', 'ImplicitlyDenied', 'ExplicitlyDenied', 'AnyDeny'],
+                    description: 'The expected result of the simulation, if the result does not match the expected response a non-zero exit code will be returned'
+                }
+            }
+        },
+        'who-can': {
+            description: 'Find who can perform an action on a resource',
+            options: {
+                resource: {
+                    type: 'string',
+                    values: 'single',
+                    description: 'The ARN of the resource to check permissions for. Ignore for wildcard actions'
+                },
+                resourceAccount: {
+                    type: 'string',
+                    values: 'single',
+                    description: 'The account ID of the resource, only required if it cannot be determined from the resource ARN. Required for wildcard actions'
+                },
+                actions: {
+                    type: 'string',
+                    values: 'multiple',
+                    description: 'The action to check permissions for; must be a valid IAM service and action such as `s3:GetObject`'
                 }
             }
         }
@@ -64,22 +91,43 @@ const main = async () => {
         cli.args.collectConfigs.push('./iam-collect.jsonc');
     }
     const thePartition = cli.args.partition || 'aws';
+    const collectConfigs = await (0, collect_js_1.loadCollectConfigs)(cli.args.collectConfigs);
+    const collectClient = (0, collect_js_1.getCollectClient)(collectConfigs, thePartition);
     if (cli.subcommand === 'simulate') {
-        const collectConfigs = await (0, collect_js_1.loadCollectConfigs)(cli.args.collectConfigs);
-        const collectClient = (0, collect_js_1.getCollectClient)(collectConfigs, thePartition);
-        const { principal, resource, resourceAccountId, action, context } = cli.args;
+        const { principal, resource, resourceAccount, action, context } = cli.args;
         const contextKeys = convertContextKeysToMap(context);
         const result = await (0, simulate_js_1.simulateRequest)({
             principal: principal,
             resourceArn: resource,
-            resourceAccount: resourceAccountId,
+            resourceAccount: resourceAccount,
             action: action,
             customContextKeys: contextKeys
         }, collectClient);
+        if (result.errors) {
+            console.error('Simulation Errors:');
+            console.log(JSON.stringify(result.errors, null, 2));
+            process.exit(1);
+        }
         console.log(`Simulation Result: ${result.analysis?.result}`);
         if (cli.args.verbose) {
             console.log(JSON.stringify(result, null, 2));
         }
+        if (!(0, simulate_js_1.resultMatchesExpectation)(cli.args.expect, result.analysis?.result)) {
+            process.exit(1);
+        }
+    }
+    else if (cli.subcommand === 'who-can') {
+        const { resource, resourceAccount, actions } = cli.args;
+        if (!resourceAccount && !resource && actions.length === 0) {
+            console.error('Error: At least 1) resource or 2) resource-account and actions must be provided for who-can command');
+            process.exit(1);
+        }
+        const results = await (0, whoCan_js_1.whoCan)(collectClient, {
+            resource: cli.args.resource,
+            actions: cli.args.actions,
+            resourceAccount: cli.args.resourceAccount
+        });
+        console.log(JSON.stringify(results, null, 2));
     }
 };
 main()

package/dist/cjs/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,+CAA+C;AAC/C,iEAA0D;AAE1D,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,iBAAiB,EAAE;oBACjB,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,6HAA6H;iBAChI;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,uFAAuF;iBAC1F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAEhD,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;QACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;QAEpE,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC5E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAS;YACtB,eAAe,EAAE,iBAAiB;YAClC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;IACH,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,4CAAsD;AACtD,qDAA2E;AAE3E,wDAAkF;AAClF,iEAA0D;AAC1D,kDAA2C;AAE3C,MAAM,IAAI,GAAG,KAAK,IAAI,EAAE;IACtB,MAAM,OAAO,GAAG,MAAM,IAAA,kCAAc,GAAE,CAAA;IACtC,MAAM,GAAG,GAAG,IAAA,uBAAiB,EAC3B,UAAU,EACV;QACE,QAAQ,EAAE;YACR,WAAW,EAAE,yBAAyB;YACtC,OAAO,EAAE;gBACP,SAAS,EAAE;oBACT,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,yEAAyE;iBACvF;gBACD,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,4EAA4E;iBAC/E;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,iGAAiG;iBACpG;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,wFAAwF;iBAC3F;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oJAAoJ;iBACvJ;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,SAAS;oBACf,WAAW,EAAE,0CAA0C;oBACvD,SAAS,EAAE,GAAG;iBACf;gBACD,MAAM,EAAE;oBACN,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,QAAQ;oBAChB,WAAW,EAAE,CAAC,SAAS,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,SAAS,CAAC;oBAC3E,WAAW,EACT,iIAAiI;iBACpI;aACF;SACF;QACD,SAAS,EAAE;YACT,WAAW,EAAE,8CAA8C;YAC3D,OAAO,EAAE;gBACP,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+EAA+E;iBAClF;gBACD,eAAe,EAAE;oBACf,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,QAAQ;oBAChB,WAAW,EACT,+HAA+H;iBAClI;gBACD,OAAO,EAAE;oBACP,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,UAAU;oBAClB,WAAW,EACT,oGAAoG;iBACvG;aACF;SACF;KACF,EACD;QACE,cAAc,EAAE;YACd,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,4CAA4C;YACzD,MAAM,EAAE,UAAU;SACnB;QACD,SAAS,EAAE;YACT,IAAI,EAAE,QAAQ;YACd,WAAW,EAAE,sEAAsE;YACnF,MAAM,EAAE,QAAQ;SACjB;KACF,EACD;QACE,SAAS,EAAE,UAAU;QACrB,gBAAgB,EAAE,IAAI;QACtB,iBAAiB,EAAE,IAAI;QACvB,OAAO;KACR,CACF,CAAA;IAED,IAAI,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IACrD,CAAC;IACD,MAAM,YAAY,GAAG,GAAG,CAAC,IAAI,CAAC,SAAS,IAAI,KAAK,CAAA;IAChD,MAAM,cAAc,GAAG,MAAM,IAAA,+BAAkB,EAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACxE,MAAM,aAAa,GAAG,IAAA,6BAAgB,EAAC,cAAc,EAAE,YAAY,CAAC,CAAA;IAEpE,IAAI,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QAC1E,MAAM,WAAW,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAA;QAEpD,MAAM,MAAM,GAAG,MAAM,IAAA,6BAAe,EAClC;YACE,SAAS,EAAE,SAAU;YACrB,WAAW,EAAE,QAAQ;YACrB,eAAe,EAAE,eAAe;YAChC,MAAM,EAAE,MAAO;YACf,iBAAiB,EAAE,WAAW;SAC/B,EACD,aAAa,CACd,CAAA;QAED,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClB,OAAO,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;YACnC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAA;QAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YACrB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;QAC9C,CAAC;QAED,IAAI,CAAC,IAAA,sCAAwB,EAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAO,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;IACH,CAAC;SAAM,IAAI,GAAG,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACxC,MAAM,EAAE,QAAQ,EAAE,eAAe,EAAE,OAAO,EAAE,GAAG,GAAG,CAAC,IAAI,CAAA;QACvD,IAAI,CAAC,eAAe,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1D,OAAO,CAAC,KAAK,CACX,qGAAqG,CACtG,CAAA;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;QACjB,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,IAAA,kBAAM,EAAC,aAAa,EAAE;YAC1C,QAAQ,EAAE,GAAG,CAAC,IAAI,CAAC,QAAS;YAC5B,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,OAAQ;YAC1B,eAAe,EAAE,GAAG,CAAC,IAAI,CAAC,eAAe;SAC1C,CAAC,CAAA;QAEF,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;IAC/C,CAAC;AACH,CAAC,CAAA;AAED,IAAI,EAAE;KACH,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IACX,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC;KACD,IAAI,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC;KACd,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA;AAEpB;;;;;GAKG;AACH,SAAS,uBAAuB,CAAC,WAAqB;IACpD,MAAM,UAAU,GAAsC,EAAE,CAAA;IACxD,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,MAAM,CAAC,OAAO,EAAE,KAAK,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QACvC,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;YAC/B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAA;YAC9B,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAA;YACjC,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAA;AACnB,CAAC"}

package/dist/cjs/collect/client.d.ts

@@ -55,15 +55,34 @@ interface OrganizationMetadata {
         TAG_POLICY?: boolean;
     };
 }
+interface OrgStructureNode {
+    children?: OrgStructure | undefined;
+    accounts?: string[] | undefined;
+}
+interface OrgStructure {
+    [key: string]: OrgStructureNode;
+}
+export interface IamCollectClientOptions {
+    enableCaching?: boolean;
+}
 export declare class IamCollectClient {
     private storageClient;
-    constructor(storageClient: AwsIamStore);
+    private _cache;
+    private _enableCaching;
+    constructor(storageClient: AwsIamStore, clientOptions?: IamCollectClientOptions);
+    private withCache;
     /**
      * Checks if an account exists in the store.
      * @param accountId The ID of the account to check.
      * @returns True if the account exists, false otherwise.
      */
     accountExists(accountId: string): Promise<boolean>;
+    /**
+     * Get all account IDs in the store.
+     *
+     * @returns all account IDs in the store
+     */
+    allAccounts(): Promise<string[]>;
     /**
      * Checks if a principal exists in the store.
      * @param principalArn The ARN of the principal to check.
@@ -121,7 +140,7 @@ export declare class IamCollectClient {
      * @param orgId The ID of the organization.
      * @returns The account data for the organization.
      */
-    getAccountDataForOrg(orgId: string): Promise<OrgAccounts>;
+    getAccountDataForOrg(orgId: string): Promise<OrgAccounts | undefined>;
     /**
      * Gets the org units data for an organization.
      * @param orgId The ID of the organization.
@@ -266,6 +285,22 @@ export declare class IamCollectClient {
      * @returns a unique ID for the resource, or undefined if not found
      */
     getUniqueIdForIamResource(resourceArn: string): Promise<string | undefined>;
+    /**
+     * Get the account IDs for an organization.
+     *
+     * @param organizationId the ID of the organization
+     * @returns a tuple containing a boolean indicating success and an array of account IDs
+     */
+    getAccountsForOrganization(organizationId: string): Promise<[boolean, string[]]>;
+    /**
+     * Get the organization structure or an organization.
+     *
+     * @param orgId the ID of the organization
+     * @returns returns the organization structure or undefined if not found
+     */
+    getOrganizationStructure(orgId: string): Promise<OrgStructure | undefined>;
+    getAccountsForOrgPath(orgId: string, ouIds: string[]): Promise<[boolean, string[]]>;
+    getAllPrincipalsInAccount(accountId: string): Promise<string[]>;
 }
 export {};
 //# sourceMappingURL=client.d.ts.map

package/dist/cjs/collect/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAOD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAc7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;AAQD,qBAAa,gBAAgB;IACf,OAAO,CAAC,aAAa;gBAAb,aAAa,EAAE,WAAW;IAE9C;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU7D;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,+BAA+B,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAuCnC;;;;;OAKG;IACG,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBzE;;;;OAIG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAU5E;;;;;OAKG;IACG,4BAA4B,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAM5F;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;;OAKG;IACG,wBAAwB,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAkBvB;;;;OAIG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAI/D;;;;OAIG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI7D;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,aAAa,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;IAoBrB;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;;;OAMG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAavB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAMxE;;;;OAIG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAS5E;;;;OAIG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IASzE;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAiBpF;;;;OAIG;IACG,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAU/E;;;;;OAKG;IACG,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAW1D;;;;;OAKG;IACG,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBtE,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAapE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;;OAKG;IACG,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOpF;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAgB/F;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAQ/F;;;;;;OAMG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAQlC;;;;;;;OAOG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;CASlF"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/collect/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAIxD,MAAM,WAAW,qBAAqB;IACpC,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,GAAG,CAAA;KAAE,EAAE,CAAA;CAC1C;AAED,UAAU,eAAe;IACvB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,kBAAkB,EAAE,MAAM,CAAA;IAC1B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAWD,MAAM,WAAW,SAAS;IACxB,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAOD,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,MAAM,CAAA;IACX,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,GAAG,CAAA;CACZ;AAED,UAAU,UAAU;IAClB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,WAAW,GAAG,MAAM,CAAC,MAAM,EAAE,UAAU,CAAC,CAAA;AAQ7C,UAAU,cAAc;IACtB,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,IAAI,EAAE,MAAM,EAAE,CAAA;IACd,IAAI,EAAE,MAAM,EAAE,CAAA;CACf;AAED,KAAK,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,CAAA;AAE9C,KAAK,aAAa,GAAG,MAAM,GAAG,MAAM,CAAA;AAEpC,UAAU,oBAAoB;IAC5B,EAAE,EAAE,MAAM,CAAA;IACV,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,QAAQ,EAAE;QACR,yBAAyB,CAAC,EAAE,OAAO,CAAA;QACnC,aAAa,CAAC,EAAE,OAAO,CAAA;QACvB,uBAAuB,CAAC,EAAE,OAAO,CAAA;QACjC,sBAAsB,CAAC,EAAE,OAAO,CAAA;QAChC,UAAU,CAAC,EAAE,OAAO,CAAA;KACrB,CAAA;CACF;AAQD,UAAU,gBAAgB;IACxB,QAAQ,CAAC,EAAE,YAAY,GAAG,SAAS,CAAA;IACnC,QAAQ,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAA;CAChC;AAED,UAAU,YAAY;IACpB,CAAC,GAAG,EAAE,MAAM,GAAG,gBAAgB,CAAA;CAChC;AAED,MAAM,WAAW,uBAAuB;IACtC,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB;AAED,qBAAa,gBAAgB;IAKzB,OAAO,CAAC,aAAa;IAJvB,OAAO,CAAC,MAAM,CAA0B;IACxC,OAAO,CAAC,cAAc,CAAS;gBAGrB,aAAa,EAAE,WAAW,EAClC,aAAa,CAAC,EAAE,uBAAuB;YAM3B,SAAS;IAWvB;;;;OAIG;IACG,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAKxD;;;;OAIG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAItC;;;;OAIG;IACG,eAAe,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAU7D;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,+BAA+B,CACnC,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAyCnC;;;;;OAKG;IACG,6BAA6B,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAkBzE;;;;OAIG;IACG,sBAAsB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAU5E;;;;;OAKG;IACG,4BAA4B,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAM5F;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;;OAKG;IACG,wBAAwB,CAC5B,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAkBvB;;;;OAIG;IACG,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,GAAG,SAAS,CAAC;IAI3E;;;;OAIG;IACG,qBAAqB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;IAI7D;;;;;;OAMG;IACG,YAAY,CAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,aAAa,EACzB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;IAuBrB;;;;OAIG;IACG,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAIhE;;;;OAIG;IACG,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,EAAE,CAAC;IAIpF;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;;;OAMG;IACG,wBAAwB,CAC5B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,aAAa,GACxB,OAAO,CAAC,SAAS,EAAE,CAAC;IAavB;;;;;OAKG;IACG,iBAAiB,CAAC,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAI/E;;;;OAIG;IACG,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAMxE;;;;OAIG;IACG,qBAAqB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAS5E;;;;OAIG;IACG,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IASzE;;;;OAIG;IACG,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,gBAAgB,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAoBpF;;;;OAIG;IACG,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAU/E;;;;;OAKG;IACG,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;OAIG;IACG,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAW1D;;;;;OAKG;IACG,0BAA0B,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBtE,yBAAyB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAapE,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAkBpE,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAalE,6BAA6B,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,GAAG,SAAS,CAAC;IAgBxF;;;;;OAKG;IACG,uBAAuB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOpF;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAgB/F;;;;;;OAMG;IACG,uBAAuB,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,GAAG,SAAS,CAAC;IAQ/F;;;;;;OAMG;IACG,kBAAkB,CACtB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAQlC;;;;;;;OAOG;IACG,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;IAUjF;;;;;OAKG;IACG,0BAA0B,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAStF;;;;;OAKG;IACG,wBAAwB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,GAAG,SAAS,CAAC;IAO1E,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IAwCnF,yBAAyB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;CAetE"}