@datasynx/agentic-ai-cartography 2.2.0 → 2.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (23) hide show
  1. package/dist/api-bin.js +24 -0
  2. package/dist/api-bin.js.map +1 -0
  3. package/dist/{chunk-BNDCY2RI.js → chunk-7QEBFMN4.js} +47 -2441
  4. package/dist/chunk-7QEBFMN4.js.map +1 -0
  5. package/dist/chunk-7VZH5PFV.js +1134 -0
  6. package/dist/chunk-7VZH5PFV.js.map +1 -0
  7. package/dist/chunk-B2AKONVW.js +2465 -0
  8. package/dist/chunk-B2AKONVW.js.map +1 -0
  9. package/dist/cli.js +34 -9
  10. package/dist/cli.js.map +1 -1
  11. package/dist/index.cjs +1282 -107
  12. package/dist/index.cjs.map +1 -1
  13. package/dist/index.d.cts +283 -2
  14. package/dist/index.d.ts +283 -2
  15. package/dist/index.js +1218 -65
  16. package/dist/index.js.map +1 -1
  17. package/dist/mcp-bin.js +2 -1
  18. package/dist/mcp-bin.js.map +1 -1
  19. package/package.json +8 -5
  20. package/scripts/gen-api-schemas.ts +29 -0
  21. package/scripts/sync-version.mjs +51 -0
  22. package/server.json +2 -2
  23. package/dist/chunk-BNDCY2RI.js.map +0 -1
package/dist/chunk-BNDCY2RI.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/tools.ts","../src/sanitize.ts","../src/scanners/cloud-util.ts","../src/scanners/cloud-aws.ts","../src/scanners/cloud-gcp.ts","../src/scanners/cloud-azure.ts","../src/scanners/k8s.ts","../src/scanners/databases.ts","../src/db.ts","../src/compliance/types.ts","../src/compliance/engine.ts","../src/diff.ts","../src/anomaly.ts","../src/scanners/spi.ts","../src/scanners/types.ts","../src/scanners/bookmarks.ts","../src/scanners/installed-apps.ts","../src/scanners/ports.ts","../src/scanners/confidence.ts","../src/scanners/connections.ts","../src/scanners/service-config.ts","../src/scanners/registry.ts","../src/scanners/loader.ts","../src/discovery/local.ts","../src/compliance/rulesets/baseline.ts","../src/compliance/rulesets/cis.ts","../src/compliance/rulesets/soc2.ts","../src/compliance/rulesets/iso27001.ts","../src/compliance/rulesets/registry.ts","../src/sinks/stdout.ts","../src/sinks/webhook.ts","../src/sinks/index.ts","../src/drift.ts","../src/orgkey.ts","../src/anonymize.ts","../src/mcp/server.ts","../src/nlq/resolve.ts","../src/mcp/transports.ts","../src/semantic/hash.ts","../src/semantic/embeddings.ts","../src/semantic/store.ts","../src/semantic/search.ts","../src/store/sqlite.ts","../src/central/ingest.ts","../src/central/merge.ts","../src/central/anonymization.ts","../src/central/server.ts","../src/mcp/start.ts"],"sourcesContent":["import { z } from 'zod';\nimport type { CartographyDB } from './db.js';\nimport { NODE_TYPES, EDGE_RELATIONSHIPS } from './types.js';\nimport { sanitizeUntrusted } from './sanitize.js';\nimport { scanAllBookmarks, scanAllHistory } from './bookmarks.js';\nimport { logDebug } from './logger.js';\nimport {\n IS_WIN, IS_MAC, IS_LINUX, HOME, PLATFORM,\n run, commandExists, findFiles, dbScanDirs,\n scanListeningPorts, scanProcesses,\n scanWindowsPrograms, scanWindowsDbServices,\n} from './platform.js';\nimport type { Scanner, ScanContext } from './scanners/types.js';\nimport { cloudAwsScanner } from './scanners/cloud-aws.js';\nimport { cloudGcpScanner } from './scanners/cloud-gcp.js';\nimport { cloudAzureScanner } from './scanners/cloud-azure.js';\nimport { k8sScanner } from './scanners/k8s.js';\nimport { databasesScanner } from './scanners/databases.js';\n\n// Type-only import — no runtime dependency on SDK at module parse time\nimport type { McpServerConfig } from '@anthropic-ai/claude-agent-sdk';\n\n/**\n * Circuit breaker for sequential CLI scans.\n * After `threshold` consecutive failures, remaining commands are skipped.\n */\nexport function createScanRunner(\n runFn: (cmd: string, opts?: { timeout?: number; env?: NodeJS.ProcessEnv }) => string,\n opts: { timeout?: number; env?: NodeJS.ProcessEnv; threshold?: number } = {},\n) {\n const threshold = opts.threshold ?? 3;\n let consecutiveFailures = 0;\n let tripped = false;\n\n return (cmd: string): string => {\n if (tripped) {\n logDebug(`Circuit breaker: skipping \"${cmd}\" (${consecutiveFailures} consecutive failures)`);\n return '(skipped — circuit breaker: too many consecutive failures)';\n }\n const result = runFn(cmd, { timeout: opts.timeout ?? 20_000, env: opts.env });\n if (!result) {\n consecutiveFailures++;\n if (consecutiveFailures >= threshold) {\n tripped = true;\n logDebug(`Circuit breaker tripped after ${threshold} failures, last command: \"${cmd}\"`);\n }\n return '(error or not available)';\n }\n consecutiveFailures = 0;\n return result;\n };\n}\n\nexport interface CartographyToolsOptions {\n /** Called when the agent needs a human answer. Return the user's response. */\n onAskUser?: (question: string, context?: string) => Promise<string>;\n /** Max characters of a single tool response (sanitized + truncated). Default 100 000. */\n maxResponseBytes?: number;\n}\n\n/**\n * Sanitize untrusted scan output (strip invisible/control characters) and cap it\n * at `max` characters so a single verbose scan can never blow the agent's context\n * window. Appends an explicit truncation notice when clamped.\n */\nexport function clampText(raw: string, max: number): string {\n const clean = sanitizeUntrusted(raw);\n if (clean.length <= max) return clean;\n return clean.slice(0, max) +\n `\\n\\n… [output truncated: ${clean.length - max} more characters omitted — narrow the scan (e.g. a namespace/region/hint) or query the catalog instead]`;\n}\n\nexport function stripSensitive(target: string): string {\n const raw = target.trim();\n if (!raw) return raw;\n try {\n const url = new URL(raw.startsWith('http') ? raw : `tcp://${raw}`);\n const stripped = `${url.hostname}${url.port ? ':' + url.port : ''}`;\n return stripped || raw;\n } catch {\n const stripped = raw\n .replace(/\\/.*$/, '')\n .replace(/\\?.*$/, '')\n .replace(/@.*:/, ':');\n return stripped || raw;\n }\n}\n\n// ── Argument hardening for shell-backed scan tools ───────────────────────────\n\n/**\n * Strict patterns for the cloud/k8s scan parameters that get spliced into a\n * shell command. `run()` re-checks the final command against the read-only\n * allowlist, but values are validated here first so an injection payload never\n * reaches the shell — not even a read-only one (e.g. `; cat ~/.ssh/id_rsa`)\n * that the allowlist would otherwise permit and which could disclose files.\n */\nexport const SCAN_ARG_PATTERNS = {\n 'k8s-namespace': /^[a-z0-9]([-a-z0-9]*[a-z0-9])?$/,\n 'aws-region': /^[A-Za-z0-9-]+$/,\n 'aws-profile': /^[A-Za-z0-9_.-]+$/,\n 'gcp-project': /^[a-z0-9][a-z0-9.-]*(:[a-z0-9][a-z0-9-]*)?$/,\n 'azure-subscription': /^[0-9a-fA-F-]+$/,\n 'azure-resource-group': /^[A-Za-z0-9_.()-]+$/,\n} as const;\n\nexport type ScanArgKind = keyof typeof SCAN_ARG_PATTERNS;\n\n/** Throw if `value` fails the strict pattern for `kind`; otherwise return it. */\nexport function assertSafeScanArg(kind: ScanArgKind, value: string): string {\n if (!SCAN_ARG_PATTERNS[kind].test(value)) {\n throw new Error(`Invalid ${kind} \"${value}\": contains characters that are not allowed`);\n }\n return value;\n}\n\n/** Redact `user:password@` credentials embedded in any URL/DSN-like string. */\nexport function redactSecrets(value: string): string {\n return value.replace(/([a-z][a-z0-9+.-]*:\\/\\/[^:@/\\s]+):[^@/\\s]+@/gi, '$1:***@');\n}\n\n/** Recursively redact secrets from arbitrary metadata before persistence. */\nexport function redactValue(value: unknown): unknown {\n if (typeof value === 'string') return redactSecrets(value);\n if (Array.isArray(value)) return value.map(redactValue);\n if (value && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) out[k] = redactValue(v);\n return out;\n }\n return value;\n}\n\n/**\n * Tool annotations — untrusted hints for MCP hosts (host-side gating), never a\n * security boundary. Mirror the server-side query tools in src/mcp/server.ts.\n */\nconst READ_SCAN = { readOnlyHint: true, openWorldHint: true } as const; // scanners reach external/system state\nconst READ_LOCAL = { readOnlyHint: true, openWorldHint: false } as const; // reads the local catalog / asks the user\nconst WRITE_CATALOG = { readOnlyHint: false, destructiveHint: false, idempotentHint: true, openWorldHint: false } as const;\n\n/** The MCP text-content shape every tool handler returns. */\nexport interface ToolResult {\n content: { type: 'text'; text: string }[];\n}\n\n/**\n * Provider-neutral tool definition: a zod input shape plus a handler that returns\n * the MCP text-content shape. This is the single source of truth for the discovery\n * tools — the Claude provider wraps these via the SDK `tool()` factory, while\n * OpenAI/Ollama convert `inputShape` to JSON Schema and call `handler` directly.\n */\nexport interface AgentTool {\n name: string;\n description: string;\n /** Raw zod shape (ZodRawShape) for the tool input. */\n inputShape: z.ZodRawShape;\n /** Host-side gating hints (never a security boundary). */\n annotations: Record<string, boolean>;\n handler: (args: Record<string, unknown>) => Promise<ToolResult>;\n}\n\n/**\n * Build the discovery tool handlers with **no** SDK dependency. Returns the same\n * handler bodies used by the Claude path, exposed neutrally so any provider can\n * reuse them. `buildCartographyToolDefinitions` wraps these for the Claude SDK.\n */\nexport async function buildCartographyToolHandlers(\n db: CartographyDB,\n sessionId: string,\n opts: CartographyToolsOptions = {},\n): Promise<AgentTool[]> {\n const maxResponseBytes = opts.maxResponseBytes ?? 100_000;\n /** Wrap sanitized + truncated scan output in the MCP text-content shape. */\n const textResult = (raw: string): ToolResult => ({ content: [{ type: 'text' as const, text: clampText(raw, maxResponseBytes) }] });\n\n /**\n * Run a registry {@link Scanner} as an agent tool: detect → scan → return a\n * structured node summary plus the raw report. The deterministic scanners are\n * the single source of truth for cloud/k8s/db discovery; this wrapper delegates\n * to them so the agent path stays in lock-step with `run_discovery`.\n */\n const runScannerTool = async (scanner: Scanner, hint: string): Promise<ToolResult> => {\n const ctx: ScanContext = { hint, platform: PLATFORM, run };\n if (!(await scanner.detect(ctx))) return textResult(`(${scanner.title}: CLI not available)`);\n const result = await scanner.scan(ctx);\n const structured = `=== NODES (${result.nodes.length}) / EDGES (${result.edges.length}) ===\\n` +\n JSON.stringify({ nodes: result.nodes, edges: result.edges });\n return textResult([structured, result.report ?? ''].filter(Boolean).join('\\n\\n'));\n };\n\n /** Local declarative helper mirroring the SDK `tool()` signature, but SDK-free. */\n const tool = (\n name: string,\n description: string,\n inputShape: z.ZodRawShape,\n handler: (args: Record<string, unknown>) => Promise<ToolResult>,\n extra: { annotations: Record<string, boolean> },\n ): AgentTool => ({ name, description, inputShape, annotations: extra.annotations, handler });\n\n const tools: AgentTool[] = [\n tool('save_node', 'Save an infrastructure node to the catalog', {\n id: z.string(),\n type: z.enum(NODE_TYPES),\n name: z.string(),\n discoveredVia: z.string(),\n confidence: z.number().min(0).max(1),\n metadata: z.record(z.string(), z.unknown()).optional(),\n tags: z.array(z.string()).optional(),\n domain: z.string().optional().describe('Business domain, e.g. \"Marketing\", \"Finance\"'),\n subDomain: z.string().optional().describe('Sub-domain, e.g. \"Forecast client orders\"'),\n qualityScore: z.number().min(0).max(100).optional().describe('Data quality score 0–100'),\n }, async (args) => {\n const node = {\n id: stripSensitive(args['id'] as string),\n type: args['type'] as typeof NODE_TYPES[number],\n name: args['name'] as string,\n discoveredVia: args['discoveredVia'] as string,\n confidence: args['confidence'] as number,\n metadata: redactValue((args['metadata'] as Record<string, unknown>) ?? {}) as Record<string, unknown>,\n tags: (args['tags'] as string[]) ?? [],\n domain: args['domain'] as string | undefined,\n subDomain: args['subDomain'] as string | undefined,\n qualityScore: args['qualityScore'] as number | undefined,\n };\n db.upsertNode(sessionId, node);\n return { content: [{ type: 'text', text: `✓ Node: ${node.id}` }] };\n }, { annotations: WRITE_CATALOG }),\n\n tool('save_edge', 'Save a relationship (edge) between two nodes — ALWAYS save edges when connections are clear', {\n sourceId: z.string(),\n targetId: z.string(),\n relationship: z.enum(EDGE_RELATIONSHIPS),\n evidence: z.string(),\n confidence: z.number().min(0).max(1),\n }, async (args) => {\n db.insertEdge(sessionId, {\n sourceId: args['sourceId'] as string,\n targetId: args['targetId'] as string,\n relationship: args['relationship'] as typeof EDGE_RELATIONSHIPS[number],\n evidence: redactSecrets(args['evidence'] as string),\n confidence: args['confidence'] as number,\n });\n return { content: [{ type: 'text', text: `✓ ${args['sourceId']}→${args['targetId']}` }] };\n }, { annotations: WRITE_CATALOG }),\n\n tool('get_catalog', 'Get the current catalog — use before save_node to avoid duplicates', {\n includeEdges: z.boolean().default(true),\n }, async (args) => {\n const nodes = db.getNodes(sessionId);\n const edges = (args['includeEdges'] as boolean) ? db.getEdges(sessionId) : [];\n return {\n content: [{\n type: 'text',\n text: JSON.stringify({\n count: { nodes: nodes.length, edges: edges.length },\n nodeIds: nodes.map(n => n.id),\n }),\n }],\n };\n }, { annotations: READ_LOCAL }),\n\n tool('ask_user', 'Ask the user a question — for clarifications, missing context, or consent (e.g. before scanning browser history)', {\n question: z.string().describe('The question for the user (clear and specific)'),\n context: z.string().optional().describe('Optional context explaining why this is relevant'),\n }, async (args) => {\n const question = args['question'] as string;\n const context = args['context'] as string | undefined;\n\n if (opts.onAskUser) {\n const answer = await opts.onAskUser(question, context);\n return { content: [{ type: 'text', text: answer }] };\n }\n\n // Fallback when not interactive (piped input, daemon, etc.)\n return {\n content: [{ type: 'text', text: '(Non-interactive mode — please continue without this information)' }],\n };\n }, { annotations: READ_LOCAL }),\n\n tool('scan_bookmarks', 'Scan all browser bookmarks — hostnames only, no personal data (Chrome, Chromium, Edge, Brave, Vivaldi, Opera, Firefox)', {\n minConfidence: z.number().min(0).max(1).default(0.5).optional(),\n }, async () => {\n const hosts = await scanAllBookmarks();\n return {\n content: [{\n type: 'text',\n text: JSON.stringify({\n count: hosts.length,\n hosts: hosts.map(h => ({\n hostname: h.hostname,\n port: h.port,\n protocol: h.protocol,\n source: h.source,\n })),\n note: 'Hostnames only — no paths, no personal data. Classify each as a business tool (save_node) or ignore (social media, news, shopping).',\n }),\n }],\n };\n }, { annotations: READ_SCAN }),\n\n tool('scan_browser_history', 'Scan browser history — anonymized hostnames + visit frequency. ALWAYS call ask_user for consent before using this tool.', {\n minVisits: z.number().min(1).default(3).optional().describe('Minimum visit count to include a host (filters rarely-visited sites)'),\n }, async (args) => {\n const minVisits = (args['minVisits'] as number | undefined) ?? 3;\n const hosts = await scanAllHistory();\n const filtered = hosts.filter(h => h.visitCount >= minVisits);\n return {\n content: [{\n type: 'text',\n text: JSON.stringify({\n count: filtered.length,\n note: 'Anonymized — hostnames only, no URLs, no paths, no personal data. Classify business tools as saas_tool nodes.',\n hosts: filtered.map(h => ({\n hostname: h.hostname,\n visitCount: h.visitCount,\n protocol: h.protocol,\n source: h.source,\n })),\n }),\n }],\n };\n }, { annotations: READ_SCAN }),\n\n tool('scan_local_databases', 'Scan for local database files and running DB servers — PostgreSQL databases, MySQL, SQLite files from installed apps', {\n deep: z.boolean().default(false).optional().describe('Also search home directory recursively for SQLite/DB files (slower)'),\n }, async (args) => {\n const deep = (args['deep'] as boolean | undefined) ?? false;\n return runScannerTool(databasesScanner, deep ? 'deep' : '');\n }, { annotations: READ_SCAN }),\n\n tool('scan_k8s_resources', 'Scan Kubernetes cluster via kubectl — 100% readonly (get, describe)', {\n namespace: z.string().regex(SCAN_ARG_PATTERNS['k8s-namespace'], 'invalid Kubernetes namespace').optional().describe('Filter by namespace — empty = all namespaces'),\n }, async (args) => {\n const ns = args['namespace'] as string | undefined;\n if (ns) assertSafeScanArg('k8s-namespace', ns);\n return runScannerTool(k8sScanner, ns ? `namespace=${ns}` : '');\n }, { annotations: READ_SCAN }),\n\n tool('scan_aws_resources', 'Scan AWS infrastructure via AWS CLI — 100% readonly (describe, list)', {\n region: z.string().regex(SCAN_ARG_PATTERNS['aws-region'], 'invalid AWS region').optional().describe('AWS Region — default: AWS_DEFAULT_REGION or profile'),\n profile: z.string().regex(SCAN_ARG_PATTERNS['aws-profile'], 'invalid AWS profile').optional().describe('AWS CLI profile'),\n }, async (args) => {\n const region = args['region'] as string | undefined;\n const profile = args['profile'] as string | undefined;\n if (region) assertSafeScanArg('aws-region', region);\n if (profile) assertSafeScanArg('aws-profile', profile);\n const hint = [region ? `region=${region}` : '', profile ? `profile=${profile}` : ''].filter(Boolean).join(' ');\n return runScannerTool(cloudAwsScanner, hint);\n }, { annotations: READ_SCAN }),\n\n tool('scan_gcp_resources', 'Scan Google Cloud Platform via gcloud CLI — 100% readonly (list, describe)', {\n project: z.string().regex(SCAN_ARG_PATTERNS['gcp-project'], 'invalid GCP project id').optional().describe('GCP Project ID — default: current gcloud project'),\n }, async (args) => {\n const project = args['project'] as string | undefined;\n if (project) assertSafeScanArg('gcp-project', project);\n return runScannerTool(cloudGcpScanner, project ? `project=${project}` : '');\n }, { annotations: READ_SCAN }),\n\n tool('scan_azure_resources', 'Scan Azure infrastructure via az CLI — 100% readonly (list, show)', {\n subscription: z.string().regex(SCAN_ARG_PATTERNS['azure-subscription'], 'invalid Azure subscription id').optional().describe('Azure Subscription ID'),\n resourceGroup: z.string().regex(SCAN_ARG_PATTERNS['azure-resource-group'], 'invalid Azure resource group').optional().describe('Filter by resource group'),\n }, async (args) => {\n const sub = args['subscription'] as string | undefined;\n const rg = args['resourceGroup'] as string | undefined;\n if (sub) assertSafeScanArg('azure-subscription', sub);\n if (rg) assertSafeScanArg('azure-resource-group', rg);\n const hint = [sub ? `subscription=${sub}` : '', rg ? `resource-group=${rg}` : ''].filter(Boolean).join(' ');\n return runScannerTool(cloudAzureScanner, hint);\n }, { annotations: READ_SCAN }),\n\n tool('scan_installed_apps', 'Scan all installed apps and tools — IDEs, office, dev tools, business apps, databases', {\n searchHint: z.string().optional().describe('Optional search term to find specific tools (e.g. \"hubspot windsurf cursor\")'),\n }, async (args) => {\n const hint = args['searchHint'] as string | undefined;\n const results: Record<string, string> = {};\n results['PLATFORM'] = `${PLATFORM} (${IS_WIN ? 'Windows' : IS_MAC ? 'macOS' : 'Linux'})`;\n\n if (IS_MAC) {\n // macOS: scan /Applications\n results['APPLICATIONS'] = run('ls /Applications/ 2>/dev/null | head -200') || '(empty)';\n results['USER_APPLICATIONS'] = run('ls ~/Applications/ 2>/dev/null | head -100') || '(empty)';\n // Homebrew\n results['BREW_CASKS'] = run('brew list --cask 2>/dev/null | head -100') || '(brew not installed)';\n results['BREW_FORMULAE'] = run('brew list --formula 2>/dev/null | head -150') || '(brew not installed)';\n // Spotlight — find .app bundles\n results['SPOTLIGHT_APPS'] = run('mdfind \"kMDItemKind == \\'Application\\'\" 2>/dev/null | grep -v \"^/System\" | grep -v \"^/Library/Apple\" | head -100') || '(Spotlight not available)';\n } else if (IS_LINUX) {\n // Linux: dpkg, snap, flatpak, .desktop files\n results['DPKG'] = run('dpkg --list 2>/dev/null | awk \\'{print $2}\\' | head -200') || '(dpkg not available)';\n results['SNAP'] = run('snap list 2>/dev/null | head -50') || '(snap not available)';\n results['FLATPAK'] = run('flatpak list 2>/dev/null | head -50') || '(flatpak not available)';\n results['DESKTOP_FILES'] = run('ls /usr/share/applications/*.desktop ~/.local/share/applications/*.desktop 2>/dev/null | xargs -I{} basename {} .desktop 2>/dev/null | head -100') || '(no .desktop files)';\n results['RPM'] = run('rpm -qa 2>/dev/null | head -200') || '(rpm not available)';\n } else if (IS_WIN) {\n // Windows: winget, registry, Get-Package\n results['WINGET'] = run('winget list --accept-source-agreements', { timeout: 20_000 }) || '(winget not available)';\n results['INSTALLED_PROGRAMS'] = scanWindowsPrograms() || '(registry scan failed)';\n // Chocolatey\n results['CHOCO'] = run('choco list --local-only', { timeout: 15_000 }) || '(chocolatey not installed)';\n // Scoop\n results['SCOOP'] = run('scoop list', { timeout: 15_000 }) || '(scoop not installed)';\n }\n\n // ── Check known dev/business tools via cross-platform commandExists ──\n const knownTools = [\n // IDEs & Editors\n 'code', 'code-insiders', 'cursor', 'windsurf', 'zed', 'vim', 'nvim', 'emacs', 'nano', 'sublime_text', 'atom',\n 'idea', 'webstorm', 'pycharm', 'goland', 'datagrip', 'clion', 'rider', 'phpstorm', 'rubymine', 'appcode',\n // Dev Tools\n 'git', 'gh', 'docker', 'docker-compose', 'podman', 'kubectl', 'helm', 'terraform', 'ansible',\n 'node', 'npm', 'npx', 'yarn', 'pnpm', 'bun', 'deno',\n 'python', 'python3', 'pip', 'pip3', 'pipenv', 'poetry', 'conda',\n 'ruby', 'gem', 'bundler', 'rails',\n 'java', 'mvn', 'gradle', 'kotlin',\n 'go', 'cargo', 'rustc',\n 'php', 'composer',\n 'dotnet',\n // Databases\n 'psql', 'mysql', 'mysqladmin', 'mongo', 'mongosh', 'redis-cli', 'sqlite3', 'clickhouse-client',\n // Cloud CLIs\n 'aws', 'gcloud', 'az', 'heroku', 'fly', 'vercel', 'netlify', 'wrangler',\n // Infra\n 'vagrant', 'packer', 'consul', 'vault', 'nomad',\n // Communication / SaaS\n 'slack', 'discord', 'zoom', 'teams', 'skype', 'telegram', 'signal',\n // Browsers\n 'google-chrome', 'chromium', 'firefox', 'safari', 'brave', 'opera', 'edge',\n // Windows-specific\n ...(IS_WIN ? ['pwsh', 'powershell', 'wsl', 'winget', 'choco', 'scoop', 'notepad++'] : []),\n // Monitoring / Analytics\n 'datadog-agent', 'newrelic-agent', 'prometheus', 'grafana-cli',\n // Other tools\n 'ngrok', 'stripe', 'supabase', 'neon',\n ];\n\n const found: string[] = [];\n const notFound: string[] = [];\n for (const t of knownTools) {\n const r = commandExists(t);\n if (r) found.push(`${t}: ${r}`);\n else notFound.push(t);\n }\n results['TOOLS_FOUND'] = found.join('\\n') || '(none found)';\n results['TOOLS_NOT_FOUND'] = notFound.join(', ');\n\n // Hint-based search: targeted lookup for user-specified tools\n if (hint) {\n const terms = hint.split(/[\\s,]+/).filter(Boolean);\n const hintResults: string[] = [];\n for (const term of terms) {\n const safe = term.replace(/[^a-zA-Z0-9._-]/g, '');\n if (!safe) continue;\n // First try commandExists\n const cmdPath = commandExists(safe);\n if (cmdPath) {\n hintResults.push(`${term}: ${cmdPath}`);\n continue;\n }\n // Platform-specific fallback search\n let fallback = '';\n if (IS_WIN) {\n fallback = run(\n `Get-ChildItem -Path 'C:\\\\Program Files','C:\\\\Program Files (x86)','${HOME}\\\\AppData\\\\Local\\\\Programs' ` +\n `-Recurse -Depth 3 -Filter '*${safe}*' -ErrorAction SilentlyContinue | ` +\n `Select-Object -First 5 -ExpandProperty FullName`,\n { timeout: 10_000 },\n );\n } else if (IS_MAC) {\n fallback = run(`mdfind -name \"${safe}\" 2>/dev/null | head -5`);\n } else {\n fallback = run(`find /usr/bin /usr/local/bin /opt/homebrew/bin ~/.local/bin /Applications ~/Applications 2>/dev/null -iname \"*${safe}*\" -maxdepth 3 2>/dev/null | head -5`);\n }\n hintResults.push(fallback ? `${term}: ${fallback}` : `${term}: (not found)`);\n }\n results['HINT_SEARCH'] = hintResults.join('\\n');\n }\n\n const out = Object.entries(results)\n .map(([k, v]) => `=== ${k} ===\\n${v}`)\n .join('\\n\\n');\n\n return textResult(out);\n }, { annotations: READ_SCAN }),\n ];\n\n return tools;\n}\n\n/**\n * Build the in-process discovery tool definitions for the Claude SDK (with\n * read/write annotations). Wraps the neutral handlers from\n * `buildCartographyToolHandlers` through the SDK `tool()` factory, preserving the\n * exact behavior the Claude path has always had. Exposed for host-side gating and\n * structural tests; consumed by `createCartographyTools`.\n */\nexport async function buildCartographyToolDefinitions(\n db: CartographyDB,\n sessionId: string,\n opts: CartographyToolsOptions = {},\n) {\n // Dynamically import the SDK so a missing package doesn't crash at load time.\n const { tool } = await import('@anthropic-ai/claude-agent-sdk');\n const handlers = await buildCartographyToolHandlers(db, sessionId, opts);\n // The neutral handler signature (Record<string,unknown> → ToolResult) is structurally\n // compatible with the SDK's per-tool callback; the cast bridges the generic gap.\n type SdkHandler = Parameters<typeof tool>[3];\n return handlers.map((t) =>\n tool(t.name, t.description, t.inputShape, t.handler as unknown as SdkHandler, { annotations: t.annotations }),\n );\n}\n\nexport async function createCartographyTools(\n db: CartographyDB,\n sessionId: string,\n opts: CartographyToolsOptions = {},\n): Promise<McpServerConfig> {\n const { createSdkMcpServer } = await import('@anthropic-ai/claude-agent-sdk');\n const tools = await buildCartographyToolDefinitions(db, sessionId, opts);\n return createSdkMcpServer({ name: 'cartography', version: '0.1.0', tools });\n}\n","/**\n * Sanitization of untrusted text before it enters the catalog or an LLM context\n * window. Discovery ingests text from sources outside our control — browser\n * bookmark titles, command output, scanner reports — which can carry hidden\n * prompt-injection payloads using invisible Unicode (zero-width spaces,\n * bidi/format controls, soft hyphens) or stray control characters.\n *\n * `sanitizeUntrusted` strips those while preserving ordinary whitespace\n * (tab/0x09, line feed/0x0A, carriage return/0x0D) and NFC-normalizes the\n * result. It is a no-op for normal ASCII/printable text.\n *\n * The set of stripped code points is defined numerically (below) rather than as\n * a regex of literal invisible characters, so the source stays pure ASCII and\n * auditable.\n */\n\n// Inclusive code-point ranges to remove.\nconst STRIP_RANGES: ReadonlyArray<readonly [number, number]> = [\n // C0 controls except 0x09 (tab), 0x0A (LF), 0x0D (CR)\n [0x00, 0x08], [0x0b, 0x0c], [0x0e, 0x1f],\n [0x7f, 0x7f], // DEL\n [0x80, 0x9f], // C1 controls\n [0x00ad, 0x00ad], // soft hyphen\n [0x200b, 0x200f], // ZWSP, ZWNJ, ZWJ, LRM, RLM\n [0x202a, 0x202e], // bidi embeddings & overrides\n [0x2060, 0x2064], // word joiner, invisible math operators\n [0x2066, 0x2069], // bidi isolates\n [0x206a, 0x206f], // deprecated format characters\n [0xfeff, 0xfeff], // BOM / ZWNBSP\n];\n\nconst STRIP = new Set<number>();\nfor (const [start, end] of STRIP_RANGES) {\n for (let cp = start; cp <= end; cp++) STRIP.add(cp);\n}\n\n/** Strip invisible/control characters and NFC-normalize untrusted text. */\nexport function sanitizeUntrusted(text: string): string {\n if (!text) return text;\n let out = '';\n for (const ch of text.normalize('NFC')) {\n if (!STRIP.has(ch.codePointAt(0) as number)) out += ch;\n }\n return out;\n}\n\n/** Recursively apply `sanitizeUntrusted` to every string in an arbitrary value. */\nexport function sanitizeValue(value: unknown): unknown {\n if (typeof value === 'string') return sanitizeUntrusted(value);\n if (Array.isArray(value)) return value.map(sanitizeValue);\n if (value && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) out[k] = sanitizeValue(v);\n return out;\n }\n return value;\n}\n","/**\n * Shared helpers for the cloud / k8s / database scanners.\n *\n * These keep the provider scanners (`cloud-aws`, `cloud-gcp`, `cloud-azure`,\n * `k8s`, `databases`) small and consistent: JSON parsing that never throws,\n * provider-parameter extraction from the single `ScanContext.hint` channel\n * (validated against the same strict patterns the agent tools use), and the\n * `=== KEY ===` report formatter so the structured + raw-report output shape\n * stays identical to the legacy agent-tool reports.\n */\n\nimport { assertSafeScanArg, type ScanArgKind } from '../tools.js';\n\n/**\n * Parse JSON CLI output. Returns `undefined` for empty output, our sentinel\n * placeholders (`(error or not available)`, `(skipped …)`), or malformed JSON —\n * it never throws, so a scanner degrades to \"no nodes\" instead of crashing the\n * discovery run.\n */\nexport function safeJson<T = unknown>(raw: string): T | undefined {\n const s = raw.trim();\n if (!s || s.startsWith('(')) return undefined;\n try {\n return JSON.parse(s) as T;\n } catch {\n return undefined;\n }\n}\n\n/** Provider parameters parsed out of a {@link ScanContext.hint}. */\nexport interface ScanHintParams {\n namespace?: string;\n region?: string;\n profile?: string;\n project?: string;\n subscription?: string;\n resourceGroup?: string;\n /** Leftover non-`key=value` terms (back-compat with the installed-apps hint use). */\n free: string;\n}\n\n/** Recognised `key=value` hint keys → the strict {@link ScanArgKind} that validates them. */\nconst HINT_ARG_KINDS: Record<string, ScanArgKind> = {\n namespace: 'k8s-namespace',\n region: 'aws-region',\n profile: 'aws-profile',\n project: 'gcp-project',\n subscription: 'azure-subscription',\n 'resource-group': 'azure-resource-group',\n};\n\n/**\n * Parse `key=value` provider parameters from a `ScanContext.hint`, validating\n * each value against its strict pattern via {@link assertSafeScanArg} (throws on\n * an injection payload — even a read-only one the allowlist would otherwise\n * permit). Unknown tokens flow through to {@link ScanHintParams.free} unchanged.\n */\nexport function parseScanHint(hint: string | undefined): ScanHintParams {\n const out: ScanHintParams = { free: '' };\n const free: string[] = [];\n for (const tok of (hint ?? '').split(/[\\s,]+/).filter(Boolean)) {\n const eq = tok.indexOf('=');\n if (eq <= 0) {\n free.push(tok);\n continue;\n }\n const key = tok.slice(0, eq);\n const value = tok.slice(eq + 1);\n const kind = HINT_ARG_KINDS[key];\n if (!kind) {\n free.push(tok);\n continue;\n }\n assertSafeScanArg(kind, value);\n if (key === 'resource-group') out.resourceGroup = value;\n else if (key === 'namespace') out.namespace = value;\n else if (key === 'region') out.region = value;\n else if (key === 'profile') out.profile = value;\n else if (key === 'project') out.project = value;\n else if (key === 'subscription') out.subscription = value;\n }\n out.free = free.join(' ');\n return out;\n}\n\n/** Render `=== KEY ===\\n…` report sections (the legacy agent-tool report shape). */\nexport function buildReport(sections: Array<[string, string]>): string {\n return sections.map(([k, v]) => `=== ${k} ===\\n${v}`).join('\\n\\n');\n}\n","/**\n * AWS infrastructure scanner.\n *\n * Read-only AWS CLI discovery (`describe`/`list` actions, JSON output) mapped to\n * deterministic nodes. Detection is a cheap `commandExists('aws')` check, so an\n * absent CLI skips the scanner without throwing. Every command stays within the\n * read-only allowlist's `aws` gate and uses `--output json` for stable parsing.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport { commandExists } from '../platform.js';\nimport { createScanRunner, redactValue } from '../tools.js';\nimport { safeJson, parseScanHint, buildReport } from './cloud-util.js';\n\ninterface Ec2Instance {\n InstanceId?: string;\n InstanceType?: string;\n State?: { Name?: string };\n PrivateIpAddress?: string;\n}\ninterface Ec2Result {\n Reservations?: Array<{ Instances?: Ec2Instance[] }>;\n}\ninterface RdsInstance {\n DBInstanceIdentifier?: string;\n Engine?: string;\n DBInstanceStatus?: string;\n Endpoint?: { Address?: string; Port?: number };\n}\ninterface RdsResult {\n DBInstances?: RdsInstance[];\n}\ninterface CacheCluster {\n CacheClusterId?: string;\n Engine?: string;\n CacheClusterStatus?: string;\n}\ninterface CacheResult {\n CacheClusters?: CacheCluster[];\n}\ninterface EksResult {\n clusters?: string[];\n}\ninterface LoadBalancer {\n LoadBalancerName?: string;\n DNSName?: string;\n Type?: string;\n State?: { Code?: string };\n}\ninterface ElbResult {\n LoadBalancers?: LoadBalancer[];\n}\n\nexport const cloudAwsScanner: Scanner = {\n id: 'cloud-aws',\n title: 'AWS infrastructure',\n platforms: 'all',\n allowedCommands: ['aws'],\n detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)('aws')),\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const { region, profile } = parseScanHint(ctx.hint);\n const env: NodeJS.ProcessEnv = region ? { ...process.env, AWS_DEFAULT_REGION: region } : process.env;\n const pf = profile ? ` --profile ${profile}` : '';\n const runA = createScanRunner((c) => ctx.run(c, { timeout: 20_000, env }), { threshold: 3 });\n\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const report: Array<[string, string]> = [];\n\n report.push(['IDENTITY', runA(`aws sts get-caller-identity${pf} --output json`)]);\n\n const ec2Raw = runA(`aws ec2 describe-instances${pf} --output json`);\n report.push(['EC2', ec2Raw]);\n const ec2 = safeJson<Ec2Result>(ec2Raw);\n for (const r of ec2?.Reservations ?? []) {\n for (const i of r.Instances ?? []) {\n const id = String(i.InstanceId ?? '');\n if (!id) continue;\n nodes.push({\n id: `host:aws:${id}`,\n type: 'host',\n name: id,\n discoveredVia: 'aws-ec2',\n confidence: 0.95,\n tags: ['cloud', 'aws', 'ec2'],\n metadata: redactValue({ instanceType: i.InstanceType, state: i.State?.Name, privateIp: i.PrivateIpAddress }) as Record<string, unknown>,\n });\n }\n }\n\n const rdsRaw = runA(`aws rds describe-db-instances${pf} --output json`);\n report.push(['RDS', rdsRaw]);\n const rds = safeJson<RdsResult>(rdsRaw);\n for (const db of rds?.DBInstances ?? []) {\n const id = String(db.DBInstanceIdentifier ?? '');\n if (!id) continue;\n nodes.push({\n id: `database_server:rds:${id}`,\n type: 'database_server',\n name: id,\n discoveredVia: 'aws-rds',\n confidence: 0.95,\n tags: ['cloud', 'aws', 'rds'],\n metadata: redactValue({ engine: db.Engine, status: db.DBInstanceStatus, endpoint: db.Endpoint?.Address, port: db.Endpoint?.Port }) as Record<string, unknown>,\n });\n }\n\n const cacheRaw = runA(`aws elasticache describe-cache-clusters${pf} --output json`);\n report.push(['ELASTICACHE', cacheRaw]);\n const cache = safeJson<CacheResult>(cacheRaw);\n for (const c of cache?.CacheClusters ?? []) {\n const id = String(c.CacheClusterId ?? '');\n if (!id) continue;\n nodes.push({\n id: `cache_server:aws:${id}`,\n type: 'cache_server',\n name: id,\n discoveredVia: 'aws-elasticache',\n confidence: 0.95,\n tags: ['cloud', 'aws', 'elasticache'],\n metadata: redactValue({ engine: c.Engine, status: c.CacheClusterStatus }) as Record<string, unknown>,\n });\n }\n\n const eksRaw = runA(`aws eks list-clusters${pf} --output json`);\n report.push(['EKS', eksRaw]);\n const eks = safeJson<EksResult>(eksRaw);\n for (const name of eks?.clusters ?? []) {\n if (!name) continue;\n nodes.push({\n id: `k8s_cluster:eks:${name}`,\n type: 'k8s_cluster',\n name,\n discoveredVia: 'aws-eks',\n confidence: 0.95,\n tags: ['cloud', 'aws', 'eks', 'kubernetes'],\n metadata: { provider: 'eks' },\n });\n }\n\n const elbRaw = runA(`aws elbv2 describe-load-balancers${pf} --output json`);\n report.push(['ELB_V2', elbRaw]);\n const elb = safeJson<ElbResult>(elbRaw);\n for (const lb of elb?.LoadBalancers ?? []) {\n const dns = String(lb.DNSName ?? '');\n if (!dns) continue;\n nodes.push({\n id: `web_service:aws:${dns}`,\n type: 'web_service',\n name: lb.LoadBalancerName ?? dns,\n discoveredVia: 'aws-elbv2',\n confidence: 0.9,\n tags: ['cloud', 'aws', 'elb'],\n metadata: redactValue({ dnsName: dns, type: lb.Type, state: lb.State?.Code }) as Record<string, unknown>,\n });\n }\n\n return { nodes, edges, report: buildReport(report) };\n },\n};\n","/**\n * Google Cloud Platform scanner.\n *\n * Read-only `gcloud … list` discovery with `--format=json` for stable parsing,\n * mapped to deterministic nodes. Detection is `commandExists('gcloud')`; an\n * absent CLI skips the scanner. Every command stays within the read-only\n * allowlist's `gcloud` gate.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport { commandExists } from '../platform.js';\nimport { createScanRunner, redactValue } from '../tools.js';\nimport { safeJson, parseScanHint, buildReport } from './cloud-util.js';\n\ninterface ComputeInstance {\n name?: string;\n machineType?: string;\n status?: string;\n zone?: string;\n}\ninterface SqlInstance {\n name?: string;\n databaseVersion?: string;\n state?: string;\n region?: string;\n}\ninterface GkeCluster {\n name?: string;\n status?: string;\n location?: string;\n}\ninterface RedisInstance {\n name?: string;\n tier?: string;\n state?: string;\n}\ninterface RunService {\n metadata?: { name?: string };\n status?: { url?: string };\n}\ninterface PubsubTopic {\n name?: string;\n}\n\n/** gcloud `machineType`/`zone`/`name` are often full resource URLs — keep the last path segment. */\nfunction lastSegment(value: string | undefined): string | undefined {\n if (!value) return undefined;\n const parts = value.split('/');\n return parts[parts.length - 1] || value;\n}\n\nexport const cloudGcpScanner: Scanner = {\n id: 'cloud-gcp',\n title: 'Google Cloud Platform infrastructure',\n platforms: 'all',\n allowedCommands: ['gcloud'],\n detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)('gcloud')),\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const { project } = parseScanHint(ctx.hint);\n const pf = project ? ` --project ${project}` : '';\n const runG = createScanRunner((c) => ctx.run(c, { timeout: 20_000 }), { threshold: 3 });\n\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const report: Array<[string, string]> = [];\n\n report.push(['IDENTITY', runG(`gcloud config list account --format=json`)]);\n\n const computeRaw = runG(`gcloud compute instances list${pf} --format=json`);\n report.push(['COMPUTE_INSTANCES', computeRaw]);\n for (const i of safeJson<ComputeInstance[]>(computeRaw) ?? []) {\n const name = String(i.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `host:gcp:${name}`,\n type: 'host',\n name,\n discoveredVia: 'gcp-compute',\n confidence: 0.95,\n tags: ['cloud', 'gcp', 'compute'],\n metadata: { machineType: lastSegment(i.machineType), status: i.status, zone: lastSegment(i.zone) },\n });\n }\n\n const sqlRaw = runG(`gcloud sql instances list${pf} --format=json`);\n report.push(['SQL_INSTANCES', sqlRaw]);\n for (const s of safeJson<SqlInstance[]>(sqlRaw) ?? []) {\n const name = String(s.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `database_server:gcp-sql:${name}`,\n type: 'database_server',\n name,\n discoveredVia: 'gcp-sql',\n confidence: 0.95,\n tags: ['cloud', 'gcp', 'cloudsql'],\n metadata: { engine: s.databaseVersion, state: s.state, region: s.region },\n });\n }\n\n const gkeRaw = runG(`gcloud container clusters list${pf} --format=json`);\n report.push(['GKE_CLUSTERS', gkeRaw]);\n for (const c of safeJson<GkeCluster[]>(gkeRaw) ?? []) {\n const name = String(c.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `k8s_cluster:gke:${name}`,\n type: 'k8s_cluster',\n name,\n discoveredVia: 'gcp-gke',\n confidence: 0.95,\n tags: ['cloud', 'gcp', 'gke', 'kubernetes'],\n metadata: { status: c.status, location: c.location },\n });\n }\n\n const redisRaw = runG(`gcloud redis instances list --regions=-${pf} --format=json`);\n report.push(['REDIS', redisRaw]);\n for (const r of safeJson<RedisInstance[]>(redisRaw) ?? []) {\n const name = lastSegment(String(r.name ?? ''));\n if (!name) continue;\n nodes.push({\n id: `cache_server:gcp:${name}`,\n type: 'cache_server',\n name,\n discoveredVia: 'gcp-redis',\n confidence: 0.95,\n tags: ['cloud', 'gcp', 'memorystore'],\n metadata: { tier: r.tier, state: r.state },\n });\n }\n\n const runRaw = runG(`gcloud run services list --platform managed${pf} --format=json`);\n report.push(['CLOUD_RUN', runRaw]);\n for (const svc of safeJson<RunService[]>(runRaw) ?? []) {\n const name = String(svc.metadata?.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `web_service:gcp-run:${name}`,\n type: 'web_service',\n name,\n discoveredVia: 'gcp-run',\n confidence: 0.9,\n tags: ['cloud', 'gcp', 'cloudrun'],\n metadata: redactValue({ url: svc.status?.url }) as Record<string, unknown>,\n });\n }\n\n const pubsubRaw = runG(`gcloud pubsub topics list${pf} --format=json`);\n report.push(['PUBSUB', pubsubRaw]);\n for (const t of safeJson<PubsubTopic[]>(pubsubRaw) ?? []) {\n const name = lastSegment(String(t.name ?? ''));\n if (!name) continue;\n nodes.push({\n id: `topic:gcp:${name}`,\n type: 'topic',\n name,\n discoveredVia: 'gcp-pubsub',\n confidence: 0.9,\n tags: ['cloud', 'gcp', 'pubsub'],\n metadata: { fullName: t.name },\n });\n }\n\n return { nodes, edges, report: buildReport(report) };\n },\n};\n","/**\n * Azure infrastructure scanner.\n *\n * Read-only `az … list/show` discovery with `--output json` for stable parsing,\n * mapped to deterministic nodes. Detection is `commandExists('az')`; an absent\n * CLI skips the scanner. Subscription / resource-group scoping comes from the\n * hint. Every command stays within the read-only allowlist's `az` gate.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport { commandExists } from '../platform.js';\nimport { createScanRunner, redactValue } from '../tools.js';\nimport { safeJson, parseScanHint, buildReport } from './cloud-util.js';\n\ninterface AzVm {\n name?: string;\n location?: string;\n hardwareProfile?: { vmSize?: string };\n powerState?: string;\n}\ninterface AzAks {\n name?: string;\n location?: string;\n kubernetesVersion?: string;\n provisioningState?: string;\n}\ninterface AzSqlServer {\n name?: string;\n location?: string;\n version?: string;\n}\ninterface AzPostgres {\n name?: string;\n location?: string;\n version?: string;\n}\ninterface AzRedis {\n name?: string;\n location?: string;\n provisioningState?: string;\n}\ninterface AzWebApp {\n name?: string;\n defaultHostName?: string;\n state?: string;\n}\n\nexport const cloudAzureScanner: Scanner = {\n id: 'cloud-azure',\n title: 'Azure infrastructure',\n platforms: 'all',\n allowedCommands: ['az'],\n detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)('az')),\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const { subscription, resourceGroup } = parseScanHint(ctx.hint);\n const sf = subscription ? ` --subscription ${subscription}` : '';\n const rf = resourceGroup ? ` --resource-group ${resourceGroup}` : '';\n const scope = `${sf}${rf}`;\n const runZ = createScanRunner((c) => ctx.run(c, { timeout: 20_000 }), { threshold: 3 });\n\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const report: Array<[string, string]> = [];\n\n report.push(['IDENTITY', runZ(`az account show --output json${sf}`)]);\n\n const vmRaw = runZ(`az vm list${scope} --output json`);\n report.push(['VMS', vmRaw]);\n for (const vm of safeJson<AzVm[]>(vmRaw) ?? []) {\n const name = String(vm.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `host:azure:${name}`,\n type: 'host',\n name,\n discoveredVia: 'azure-vm',\n confidence: 0.95,\n tags: ['cloud', 'azure', 'vm'],\n metadata: { vmSize: vm.hardwareProfile?.vmSize, location: vm.location, powerState: vm.powerState },\n });\n }\n\n const aksRaw = runZ(`az aks list${scope} --output json`);\n report.push(['AKS', aksRaw]);\n for (const aks of safeJson<AzAks[]>(aksRaw) ?? []) {\n const name = String(aks.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `k8s_cluster:aks:${name}`,\n type: 'k8s_cluster',\n name,\n discoveredVia: 'azure-aks',\n confidence: 0.95,\n tags: ['cloud', 'azure', 'aks', 'kubernetes'],\n metadata: { location: aks.location, version: aks.kubernetesVersion, state: aks.provisioningState },\n });\n }\n\n const sqlRaw = runZ(`az sql server list${scope} --output json`);\n report.push(['SQL_SERVERS', sqlRaw]);\n for (const s of safeJson<AzSqlServer[]>(sqlRaw) ?? []) {\n const name = String(s.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `database_server:azure-sql:${name}`,\n type: 'database_server',\n name,\n discoveredVia: 'azure-sql',\n confidence: 0.95,\n tags: ['cloud', 'azure', 'sql'],\n metadata: { engine: 'sqlserver', location: s.location, version: s.version },\n });\n }\n\n const pgRaw = runZ(`az postgres server list${scope} --output json`);\n report.push(['POSTGRES', pgRaw]);\n for (const p of safeJson<AzPostgres[]>(pgRaw) ?? []) {\n const name = String(p.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `database_server:azure-postgres:${name}`,\n type: 'database_server',\n name,\n discoveredVia: 'azure-postgres',\n confidence: 0.95,\n tags: ['cloud', 'azure', 'postgres'],\n metadata: { engine: 'postgresql', location: p.location, version: p.version },\n });\n }\n\n const redisRaw = runZ(`az redis list${scope} --output json`);\n report.push(['REDIS', redisRaw]);\n for (const r of safeJson<AzRedis[]>(redisRaw) ?? []) {\n const name = String(r.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `cache_server:azure:${name}`,\n type: 'cache_server',\n name,\n discoveredVia: 'azure-redis',\n confidence: 0.95,\n tags: ['cloud', 'azure', 'redis'],\n metadata: { location: r.location, state: r.provisioningState },\n });\n }\n\n const webRaw = runZ(`az webapp list${scope} --output json`);\n report.push(['WEBAPPS', webRaw]);\n for (const w of safeJson<AzWebApp[]>(webRaw) ?? []) {\n const name = String(w.name ?? '');\n if (!name) continue;\n nodes.push({\n id: `web_service:azure:${name}`,\n type: 'web_service',\n name,\n discoveredVia: 'azure-webapp',\n confidence: 0.9,\n tags: ['cloud', 'azure', 'webapp'],\n metadata: redactValue({ hostName: w.defaultHostName, state: w.state }) as Record<string, unknown>,\n });\n }\n\n return { nodes, edges, report: buildReport(report) };\n },\n};\n","/**\n * Kubernetes scanner.\n *\n * Read-only `kubectl get … -o json` discovery mapped to deterministic nodes and\n * edges. Detection is `commandExists('kubectl')`; an absent CLI skips the\n * scanner. The cluster node anchors `contains` edges to its hosts and pods, and\n * a `connects_to` edge is emitted from a service to a running pod when the pod's\n * labels match the service's selector — only when both endpoints are in the\n * result set (the driver prunes dangling edges anyway). Pod enumeration is\n * bounded to keep `run_discovery` latency predictable on large clusters.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport { commandExists } from '../platform.js';\nimport { createScanRunner } from '../tools.js';\nimport { safeJson, parseScanHint, buildReport } from './cloud-util.js';\n\nconst MAX_PODS = 200;\n\ninterface KubeListItem {\n metadata?: { name?: string; namespace?: string; labels?: Record<string, string> };\n}\ninterface KubeList<T extends KubeListItem = KubeListItem> {\n items?: T[];\n}\ninterface ServiceItem extends KubeListItem {\n spec?: { selector?: Record<string, string>; type?: string; clusterIP?: string };\n}\ninterface PodItem extends KubeListItem {\n spec?: { nodeName?: string };\n status?: { phase?: string };\n}\n\n/** True when every key/value in `selector` is present in `labels`. */\nfunction selectorMatches(selector: Record<string, string>, labels: Record<string, string>): boolean {\n const keys = Object.keys(selector);\n if (keys.length === 0) return false;\n return keys.every((k) => labels[k] === selector[k]);\n}\n\nexport const k8sScanner: Scanner = {\n id: 'k8s',\n title: 'Kubernetes resources',\n platforms: 'all',\n allowedCommands: ['kubectl'],\n detect: (ctx) => Boolean((ctx.commandExists ?? commandExists)('kubectl')),\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const { namespace } = parseScanHint(ctx.hint);\n const nsFlag = namespace ? `-n ${namespace}` : '--all-namespaces';\n const runK = createScanRunner((c) => ctx.run(c, { timeout: 15_000 }), { threshold: 3 });\n\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const report: Array<[string, string]> = [];\n const nodeIds = new Set<string>();\n const add = (n: DiscoveryNode): void => {\n if (nodeIds.has(n.id)) return;\n nodeIds.add(n.id);\n nodes.push(n);\n };\n\n const contextRaw = runK('kubectl config current-context').trim();\n report.push(['CONTEXT', contextRaw]);\n // The circuit breaker returns a `(…)` sentinel on empty output — never a cluster name.\n const context = contextRaw.startsWith('(') ? '' : contextRaw;\n const clusterName = context || 'current';\n const clusterId = `k8s_cluster:${clusterName}`;\n add({\n id: clusterId,\n type: 'k8s_cluster',\n name: clusterName,\n discoveredVia: 'kubectl-context',\n confidence: 0.95,\n tags: ['kubernetes', 'cluster'],\n metadata: { context: clusterName },\n });\n\n const nodesRaw = runK('kubectl get nodes -o json');\n report.push(['NODES', nodesRaw]);\n for (const item of safeJson<KubeList>(nodesRaw)?.items ?? []) {\n const name = String(item.metadata?.name ?? '');\n if (!name) continue;\n const id = `host:k8s:${name}`;\n add({\n id,\n type: 'host',\n name,\n discoveredVia: 'kubectl-node',\n confidence: 0.9,\n tags: ['kubernetes', 'node'],\n metadata: { cluster: clusterName },\n });\n edges.push({ sourceId: clusterId, targetId: id, relationship: 'contains', evidence: 'kubectl get nodes', confidence: 0.9 });\n }\n\n const svcRaw = runK(`kubectl get services ${nsFlag} -o json`);\n report.push(['SERVICES', svcRaw]);\n const services = safeJson<KubeList<ServiceItem>>(svcRaw)?.items ?? [];\n for (const svc of services) {\n const name = String(svc.metadata?.name ?? '');\n const ns = String(svc.metadata?.namespace ?? 'default');\n if (!name) continue;\n add({\n id: `web_service:k8s:${ns}/${name}`,\n type: 'web_service',\n name: `${ns}/${name}`,\n discoveredVia: 'kubectl-service',\n confidence: 0.9,\n tags: ['kubernetes', 'service'],\n metadata: { namespace: ns, type: svc.spec?.type, clusterIP: svc.spec?.clusterIP },\n });\n }\n\n const podsRaw = runK(`kubectl get pods ${nsFlag} --field-selector=status.phase=Running -o json`);\n report.push(['PODS_RUNNING', podsRaw]);\n const allPods = safeJson<KubeList<PodItem>>(podsRaw)?.items ?? [];\n const pods = allPods.slice(0, MAX_PODS);\n if (allPods.length > MAX_PODS) {\n report.push(['PODS_OVERFLOW', `${allPods.length} running pods found; first ${MAX_PODS} catalogued`]);\n }\n for (const pod of pods) {\n const name = String(pod.metadata?.name ?? '');\n const ns = String(pod.metadata?.namespace ?? 'default');\n if (!name) continue;\n const podId = `pod:${ns}/${name}`;\n add({\n id: podId,\n type: 'pod',\n name: `${ns}/${name}`,\n discoveredVia: 'kubectl-pod',\n confidence: 0.9,\n tags: ['kubernetes', 'pod'],\n metadata: { namespace: ns, node: pod.spec?.nodeName },\n });\n edges.push({ sourceId: clusterId, targetId: podId, relationship: 'contains', evidence: 'kubectl get pods', confidence: 0.9 });\n\n // service → pod when the pod's labels match a same-namespace service selector.\n const labels = pod.metadata?.labels ?? {};\n for (const svc of services) {\n const svcNs = String(svc.metadata?.namespace ?? 'default');\n if (svcNs !== ns) continue;\n const selector = svc.spec?.selector;\n if (!selector || !selectorMatches(selector, labels)) continue;\n const svcId = `web_service:k8s:${svcNs}/${String(svc.metadata?.name ?? '')}`;\n edges.push({ sourceId: svcId, targetId: podId, relationship: 'connects_to', evidence: 'label selector match', confidence: 0.85 });\n }\n }\n\n return { nodes, edges, report: buildReport(report) };\n },\n};\n","/**\n * Local database scanner.\n *\n * Probes locally-installed DB clients (read-only) and discovers SQLite files in\n * app-data directories, mapping reachable servers to deterministic nodes. Each\n * client is only probed when present (`commandExists`), so an absent CLI never\n * throws and never produces a node. The expensive home-directory / config-file\n * find is opt-in via the `deep` hint token, keeping the default deterministic\n * `run_discovery` path fast. Connection strings are credential-redacted before\n * persistence.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport {\n IS_WIN, HOME, commandExists, findFiles, dbScanDirs, scanWindowsDbServices,\n} from '../platform.js';\nimport { redactValue } from '../tools.js';\nimport { parseScanHint, buildReport } from './cloud-util.js';\n\n/** Extract a basename from an absolute path (cross-platform). */\nfunction baseName(path: string): string {\n const parts = path.split(/[\\\\/]/);\n return parts[parts.length - 1] || path;\n}\n\nexport const databasesScanner: Scanner = {\n id: 'databases',\n title: 'Local database servers',\n platforms: 'all',\n allowedCommands: ['psql', 'mysql', 'mongosh', 'redis-cli', 'sqlite3', 'pg_lsclusters', 'find', 'head', 'grep', 'awk', 'Get-Service', 'Get-ChildItem', 'Select-Object', 'Where-Object'],\n detect: (ctx) => {\n const exists = ctx.commandExists ?? commandExists;\n return ['psql', 'mysql', 'mongosh', 'redis-cli'].some((c) => Boolean(exists(c)));\n },\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const exists = ctx.commandExists ?? commandExists;\n const run = (cmd: string, opts?: { timeout?: number }) => ctx.run(cmd, { timeout: opts?.timeout ?? 10_000 });\n const deep = parseScanHint(ctx.hint).free.split(/\\s+/).includes('deep');\n\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const report: Array<[string, string]> = [];\n const seen = new Set<string>();\n const add = (n: DiscoveryNode): void => {\n if (seen.has(n.id)) return;\n seen.add(n.id);\n nodes.push(n);\n };\n\n // ── PostgreSQL ──\n if (exists('psql')) {\n const out = IS_WIN\n ? run('psql -lqt')\n : run('psql -lqt 2>/dev/null | grep -v \"template0\\\\|template1\" | awk \\'{print $1}\\' | grep -v \"^$\\\\|^|\"');\n report.push(['POSTGRES_DATABASES', out || '(psql not running or requires auth)']);\n if (out) {\n const databases = out.split('\\n').map((l) => l.trim()).filter(Boolean);\n add({\n id: 'database_server:postgresql:localhost',\n type: 'database_server',\n name: 'PostgreSQL (localhost)',\n discoveredVia: 'psql',\n confidence: 0.9,\n tags: ['local', 'postgresql'],\n metadata: redactValue({ engine: 'postgresql', host: 'localhost', databases }) as Record<string, unknown>,\n });\n }\n if (!IS_WIN) {\n const clusters = run('pg_lsclusters 2>/dev/null');\n if (clusters) report.push(['POSTGRES_CLUSTERS', clusters]);\n }\n }\n\n // ── MySQL / MariaDB ──\n if (exists('mysql')) {\n const out = IS_WIN\n ? run('mysql --connect-timeout=3 -e \"SHOW DATABASES;\"')\n : run('mysql --connect-timeout=3 -e \"SHOW DATABASES;\" 2>/dev/null');\n report.push(['MYSQL_DATABASES', out || '(mysql not running or requires auth)']);\n if (out) {\n const databases = out.split('\\n').map((l) => l.trim()).filter((l) => l && l !== 'Database');\n add({\n id: 'database_server:mysql:localhost',\n type: 'database_server',\n name: 'MySQL (localhost)',\n discoveredVia: 'mysql',\n confidence: 0.9,\n tags: ['local', 'mysql'],\n metadata: redactValue({ engine: 'mysql', host: 'localhost', databases }) as Record<string, unknown>,\n });\n }\n }\n\n // ── MongoDB ── (JSON output — no arrow function, so it passes the allowlist)\n if (exists('mongosh')) {\n const evalExpr = 'JSON.stringify(db.adminCommand({listDatabases:1}))';\n const out = IS_WIN\n ? run(`mongosh --quiet --eval \"${evalExpr}\"`)\n : run(`mongosh --quiet --eval \"${evalExpr}\" 2>/dev/null`);\n report.push(['MONGODB_DATABASES', out || '(mongosh not available)']);\n if (out) {\n add({\n id: 'database_server:mongodb:localhost',\n type: 'database_server',\n name: 'MongoDB (localhost)',\n discoveredVia: 'mongosh',\n confidence: 0.9,\n tags: ['local', 'mongodb'],\n metadata: { engine: 'mongodb', host: 'localhost' },\n });\n }\n }\n\n // ── Redis ──\n if (exists('redis-cli')) {\n const out = IS_WIN\n ? run('redis-cli info server')\n : run('redis-cli info server 2>/dev/null | head -5');\n report.push(['REDIS_INFO', out || '(redis-cli not available)']);\n if (out) {\n add({\n id: 'cache_server:redis:localhost',\n type: 'cache_server',\n name: 'Redis (localhost)',\n discoveredVia: 'redis-cli',\n confidence: 0.9,\n tags: ['local', 'redis'],\n metadata: { engine: 'redis', host: 'localhost' },\n });\n }\n }\n\n // ── SQLite files in app-data directories ──\n const appDirs = dbScanDirs();\n if (appDirs.length > 0) {\n const out = findFiles(appDirs, ['*.sqlite', '*.sqlite3', '*.db'], 4, 80);\n report.push(['SQLITE_APP_FILES', out || '(none found)']);\n for (const path of out.split('\\n').map((l) => l.trim()).filter(Boolean)) {\n const base = baseName(path);\n add({\n id: `database:sqlite:${base}`,\n type: 'database',\n name: base,\n discoveredVia: 'sqlite-file',\n confidence: 0.7,\n tags: ['local', 'sqlite'],\n metadata: redactValue({ path }) as Record<string, unknown>,\n });\n }\n }\n\n // ── Windows DB services (port-based detection is covered by local-ports) ──\n if (IS_WIN) {\n report.push(['DB_SERVICES', scanWindowsDbServices() || '(no database services found)']);\n }\n\n // ── Opt-in expensive scans (gated by the `deep` hint token) ──\n if (deep) {\n const deepOut = IS_WIN\n ? run(\n `Get-ChildItem -Path '${HOME}' -Recurse -Depth 6 -Include '*.sqlite','*.sqlite3','*.db' -ErrorAction SilentlyContinue | ` +\n `Where-Object { $_.FullName -notmatch 'node_modules|\\\\.git' } | ` +\n `Select-Object -First 100 -ExpandProperty FullName`,\n )\n : run(`find \"${HOME}\" -maxdepth 6 \\\\( -name \"*.sqlite\" -o -name \"*.sqlite3\" -o -name \"*.db\" \\\\) -not -path \"*/node_modules/*\" -not -path \"*/.git/*\" 2>/dev/null | head -100`, { timeout: 30_000 });\n report.push(['SQLITE_DEEP_SCAN', deepOut || '(none found)']);\n for (const path of deepOut.split('\\n').map((l) => l.trim()).filter(Boolean)) {\n const base = baseName(path);\n add({\n id: `database:sqlite:${base}`,\n type: 'database',\n name: base,\n discoveredVia: 'sqlite-deep-scan',\n confidence: 0.6,\n tags: ['local', 'sqlite', 'deep'],\n metadata: redactValue({ path }) as Record<string, unknown>,\n });\n }\n const configOut = IS_WIN\n ? run(\n `Get-ChildItem -Path '${HOME}' -Recurse -Depth 4 -Include '.env','.env.local','database.yml','database.json','docker-compose.yml' -ErrorAction SilentlyContinue | ` +\n `Select-Object -First 20 -ExpandProperty FullName`,\n { timeout: 15_000 },\n )\n : run(`find \"${HOME}\" -maxdepth 4 \\\\( -name \".env\" -o -name \".env.local\" -o -name \"database.yml\" -o -name \"database.json\" -o -name \"docker-compose.yml\" \\\\) 2>/dev/null | head -20`, { timeout: 15_000 });\n report.push(['DB_CONFIG_FILES', configOut || '(none found)']);\n }\n\n return { nodes, edges, report: buildReport(report) };\n },\n};\n","import Database from 'better-sqlite3';\nimport { mkdirSync } from 'node:fs';\nimport { dirname } from 'node:path';\nimport { createHash } from 'node:crypto';\nimport { z } from 'zod';\nimport { NODE_TYPES, EDGE_RELATIONSHIPS, NODE_TYPE_GROUPS, SharingLevelSchema, CostEntrySchema } from './types.js';\nimport type {\n CartographyConfig, DiscoveryNode, DiscoveryEdge,\n NodeRow, EdgeRow, SessionRow, Connection, Contributor, TopologyDiff, DriftRunRow,\n SharingLevel, SharingPolicy, PendingShareRow, PendingStatus, CostEntry,\n} from './types.js';\n\nimport { scoreTopology } from './compliance/engine.js';\nimport type { Ruleset, ComplianceReport } from './compliance/types.js';\n\n/** Attribution applied by an enrichment pass (3.3). `null` clears the field; `undefined` leaves it unchanged. */\nexport interface NodeAttribution {\n owner?: string | null;\n cost?: CostEntry | null;\n}\nimport { diffTopology } from './diff.js';\nimport type { TopologyDelta } from './diff.js';\nimport { detectAnomalies, newAnomalies, DEFAULT_ANOMALY_THRESHOLDS } from './anomaly.js';\nimport type { Anomaly, AnomalyThresholds, AnomalyConfig } from './types.js';\nimport { sanitizeUntrusted, sanitizeValue } from './sanitize.js';\nimport { hostname, osUser, machineId } from './platform.js';\n\n/** Default tenant for single-user / pre-migration installs. */\nexport const DEFAULT_TENANT = 'local';\n\n/**\n * Normalize an untrusted tenant id: strip invisible/control characters, trim,\n * cap length, and enforce a conservative key charset. Falls back to DEFAULT_TENANT\n * when the input is missing or invalid. The tenant is a data-scoping partition key\n * (not an auth boundary — RBAC is Phase 4), so the rule is shared by the DB and MCP\n * layers via this one helper.\n */\nexport function normalizeTenant(raw?: string | null): string {\n if (raw == null) return DEFAULT_TENANT;\n const cleaned = sanitizeUntrusted(String(raw)).trim().slice(0, 128);\n return /^[\\w.@:+-]{1,128}$/.test(cleaned) ? cleaned : DEFAULT_TENANT;\n}\n\n// ── Global node identity (2.9) ───────────────────────────────────────────────\n\n/** Default ports stripped during id normalization. */\nconst DEFAULT_PORTS = /:(80|443)$/;\n\n/**\n * Deterministic, pure normalization of a node id so the same logical resource\n * yields the same key across machines: trim, lowercase, collapse internal\n * whitespace, strip a single trailing default port (:80/:443).\n */\nexport function normalizeId(id: string): string {\n return id.trim().toLowerCase().replace(/\\s+/g, ' ').replace(DEFAULT_PORTS, '');\n}\n\n/** Stable subset of metadata that feeds the content hash. */\nconst KEY_META_KEYS = ['host', 'port', 'path', 'url'] as const;\n\n/**\n * Extract only the stable key-meta subset (`host`/`port`/`path`/`url`) from a\n * metadata blob (pure). Never the whole blob, which carries machine-local noise\n * such as timestamps and absolute paths.\n */\nexport function keyMetaOf(metadata: Record<string, unknown>): Record<string, unknown> {\n const out: Record<string, unknown> = {};\n for (const k of KEY_META_KEYS) {\n if (metadata[k] != null) out[k] = metadata[k];\n }\n return out;\n}\n\n/**\n * Secondary dedup key: sha256 over type + normalized name + sorted key-meta.\n * Catches `id` drift between machines for the same logical resource. Truncated\n * to 32 hex chars (128 bits) — ample for collision resistance at org scale.\n */\nexport function contentHash(type: string, name: string, keyMeta: Record<string, unknown>): string {\n const ordered = Object.keys(keyMeta).sort().map((k) => `${k}=${String(keyMeta[k])}`).join('|');\n const payload = `${type}␞${name.trim().toLowerCase()}␞${ordered}`;\n return createHash('sha256').update(payload).digest('hex').slice(0, 32);\n}\n\n/**\n * Human-readable primary identity: org-scoped normalized id (`{org}:{normalizedId}`).\n * `org` is the session's normalized tenant (2.8's partition) — the `'_'` sentinel\n * isolates org-less sessions into their own namespace so two organizations never\n * collapse onto one logical node even with identical infra.\n */\nexport function globalId(organization: string | undefined, id: string): string {\n const org = organization && organization.trim() ? organization.trim() : '_';\n return `${org}:${normalizeId(id)}`;\n}\n\n/** Parse a JSON column, falling back to `fallback` if the stored value is corrupt. */\nfunction safeJsonParse<T>(raw: string, fallback: T): T {\n try {\n return JSON.parse(raw) as T;\n } catch {\n return fallback;\n }\n}\n\n// ── Row validation schemas ──────────────────────────────────────────────────\n\nconst SessionRowSchema = z.object({\n id: z.string(),\n mode: z.literal('discover'),\n started_at: z.string(),\n completed_at: z.string().nullable().optional(),\n config: z.string(),\n name: z.string().nullable().optional(),\n tenant: z.string().default(DEFAULT_TENANT),\n hostname: z.string().nullable().optional(),\n user: z.string().nullable().optional(),\n machine_id: z.string().nullable().optional(),\n organization: z.string().nullable().optional(),\n last_scanned_at: z.string().nullable().optional(),\n});\n\nconst NodeRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n type: z.enum(NODE_TYPES),\n name: z.string(),\n discovered_via: z.string().nullable().optional(),\n discovered_at: z.string(),\n path_id: z.string().nullable().optional(),\n depth: z.number().default(0),\n confidence: z.number().default(0.5),\n metadata: z.string().default('{}'),\n tags: z.string().default('[]'),\n domain: z.string().nullable().optional(),\n sub_domain: z.string().nullable().optional(),\n quality_score: z.number().nullable().optional(),\n owner: z.string().nullable().optional(),\n cost: z.string().nullable().optional(),\n global_id: z.string().nullable().optional(),\n content_hash: z.string().nullable().optional(),\n});\n\n/** Row shape of the `node_contributors` child table (2.9). */\nconst ContributorRowSchema = z.object({\n global_id: z.string(),\n machine_id: z.string(),\n hostname: z.string(),\n user: z.string(),\n organization: z.string().nullable().optional(),\n at: z.string(),\n confidence: z.number().default(0.5),\n});\n\n/** Row shape of the `drift_runs` table (2.5 scheduled discovery). */\nconst DriftRunRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n base_session_id: z.string().nullable().optional(),\n ran_at: z.string(),\n nodes_added: z.number(),\n nodes_removed: z.number(),\n nodes_changed: z.number(),\n edges_added: z.number(),\n edges_removed: z.number(),\n delta: z.string(),\n});\n\nconst EdgeRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n source_id: z.string(),\n target_id: z.string(),\n relationship: z.enum(EDGE_RELATIONSHIPS),\n evidence: z.string().nullable().optional(),\n confidence: z.number().default(0.5),\n discovered_at: z.string(),\n});\n\n/** Row shape of the `pending_shares` review queue (2.11). */\nconst PendingShareRowSchema = z.object({\n content_hash: z.string(),\n session_id: z.string(),\n node_id: z.string().nullable().optional(),\n kind: z.enum(['node', 'edge']),\n payload: z.string(),\n status: z.enum(['pending', 'approved', 'shared', 'withheld']),\n decided_by: z.enum(['user', 'rule']).nullable().optional(),\n created_at: z.string(),\n decided_at: z.string().nullable().optional(),\n shared_at: z.string().nullable().optional(),\n});\n\nconst EventRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n task_id: z.string().nullable().optional(),\n timestamp: z.string(),\n event_type: z.string(),\n process: z.string(),\n pid: z.number(),\n target: z.string().nullable().optional(),\n target_type: z.string().nullable().optional(),\n port: z.number().nullable().optional(),\n duration_ms: z.number().nullable().optional(),\n command: z.string().nullable().optional(),\n result_bytes: z.number().nullable().optional(),\n});\n\nconst TaskRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n description: z.string().nullable().optional(),\n started_at: z.string(),\n completed_at: z.string().nullable().optional(),\n steps: z.string().default('[]'),\n involved_services: z.string().default('[]'),\n status: z.enum(['active', 'completed', 'cancelled']),\n});\n\nconst WorkflowRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n name: z.string().nullable().optional(),\n pattern: z.string(),\n task_ids: z.string().default('[]'),\n occurrences: z.number().default(1),\n first_seen: z.string(),\n last_seen: z.string(),\n avg_duration_ms: z.number().nullable().optional(),\n involved_services: z.string().default('[]'),\n});\n\nconst ConnectionRowSchema = z.object({\n id: z.string(),\n session_id: z.string(),\n source_asset_id: z.string(),\n target_asset_id: z.string(),\n type: z.string().nullable().optional(),\n created_at: z.string(),\n});\n\nexport interface ConnectionRow extends Connection {\n sessionId: string;\n createdAt: string;\n}\n\n/** Aggregate, low-token index of a topology — used for progressive disclosure. */\nexport interface GraphSummary {\n sessionId: string;\n totals: { nodes: number; edges: number };\n nodesByType: Record<string, number>;\n nodesByDomain: Record<string, number>;\n edgesByRelationship: Record<string, number>;\n topConnected: Array<{ id: string; name: string; type: string; degree: number }>;\n /** Standing structural anomalies (orphans / shadow-IT), computed at read time (3.6). */\n anomalies: Anomaly[];\n /** Distinct machines that contributed to this session's nodes (2.9 attribution). */\n contributors: number;\n /** Cost rolled up by domain, bucketed by (currency, period) — never FX-normalized (3.3). */\n costByDomain: Array<{ domain: string; currency: string; period: string; total: number; nodes: number }>;\n /** Cost rolled up by owner, bucketed by (currency, period) (3.3). */\n costByOwner: Array<{ owner: string; currency: string; period: string; total: number; nodes: number }>;\n /** Nodes carrying a cost vs. total — attribution coverage (3.3). */\n costCoverage: { withCost: number; total: number };\n}\n\n/**\n * Org-wide aggregate index (2.12) — the central-collector analogue of\n * {@link GraphSummary}. Scoped to a single tenant (`org`) rather than one session,\n * so it merges every machine's contribution into one organization-wide topology.\n */\nexport interface OrgSummary {\n org: string;\n totals: { nodes: number; edges: number };\n nodesByType: Record<string, number>;\n nodesByDomain: Record<string, number>;\n edgesByRelationship: Record<string, number>;\n topConnected: Array<{ id: string; name: string; type: string; degree: number }>;\n /** Distinct machines that contributed to this org's nodes (2.9 attribution, org-wide). */\n contributors: number;\n}\n\n/** Map a node type to its semantic group (or 'other' if ungrouped). */\nfunction typeGroup(type: string): string {\n for (const [group, types] of Object.entries(NODE_TYPE_GROUPS)) {\n if ((types as readonly string[]).includes(type)) return group;\n }\n return 'other';\n}\n\n/**\n * Derive a deterministic, human-friendly session label from its graph summary,\n * e.g. `\"infra+data · 42 nodes · 2026-06-11\"`. Pure: same summary + timestamp\n * always yields the same name. No LLM call.\n */\nexport function deriveSessionName(summary: GraphSummary, startedAt: string): string {\n const date = startedAt.slice(0, 10);\n const count = summary.totals.nodes;\n if (count === 0) return `empty · 0 nodes · ${date}`;\n\n const byGroup = new Map<string, number>();\n for (const [type, n] of Object.entries(summary.nodesByType)) {\n const g = typeGroup(type);\n byGroup.set(g, (byGroup.get(g) ?? 0) + n);\n }\n const topGroups = [...byGroup.entries()]\n .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))\n .slice(0, 2)\n .map(([g]) => g);\n\n const noun = count === 1 ? 'node' : 'nodes';\n return `${topGroups.join('+')} · ${count} ${noun} · ${date}`;\n}\n\n/** Result of a recursive dependency traversal. */\nexport interface TraversalResult {\n root?: NodeRow;\n direction: 'downstream' | 'upstream' | 'both';\n maxDepth: number;\n nodes: Array<NodeRow & { depth: number }>;\n edges: EdgeRow[];\n}\n\n// ── DB Row Types ──\n\nexport interface EventRow {\n id: string;\n sessionId: string;\n taskId?: string;\n timestamp: string;\n eventType: string;\n process: string;\n pid: number;\n target?: string;\n targetType?: string;\n port?: number;\n durationMs?: number;\n command?: string;\n resultBytes?: number;\n}\n\nexport interface TaskRow {\n id: string;\n sessionId: string;\n description?: string;\n startedAt: string;\n completedAt?: string;\n steps: string;\n involvedServices: string;\n status: 'active' | 'completed' | 'cancelled';\n}\n\nexport interface WorkflowRow {\n id: string;\n sessionId: string;\n name?: string;\n pattern: string;\n taskIds: string;\n occurrences: number;\n firstSeen: string;\n lastSeen: string;\n avgDurationMs: number;\n involvedServices: string;\n}\n\nconst SCHEMA = `\nPRAGMA journal_mode = WAL;\nPRAGMA foreign_keys = ON;\nPRAGMA busy_timeout = 5000;\n\nCREATE TABLE IF NOT EXISTS sessions (\n id TEXT PRIMARY KEY,\n mode TEXT NOT NULL CHECK (mode IN ('discover')),\n started_at TEXT NOT NULL,\n completed_at TEXT,\n config TEXT NOT NULL DEFAULT '{}',\n name TEXT,\n tenant TEXT NOT NULL DEFAULT 'local',\n hostname TEXT,\n user TEXT,\n machine_id TEXT,\n organization TEXT,\n last_scanned_at TEXT\n);\n\nCREATE TABLE IF NOT EXISTS nodes (\n id TEXT NOT NULL,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n type TEXT NOT NULL,\n name TEXT NOT NULL,\n discovered_via TEXT,\n discovered_at TEXT NOT NULL,\n path_id TEXT,\n depth INTEGER DEFAULT 0,\n confidence REAL DEFAULT 0.5,\n metadata TEXT NOT NULL DEFAULT '{}',\n tags TEXT NOT NULL DEFAULT '[]',\n domain TEXT,\n sub_domain TEXT,\n quality_score REAL,\n owner TEXT,\n cost TEXT,\n tenant TEXT NOT NULL DEFAULT 'local',\n global_id TEXT,\n content_hash TEXT,\n PRIMARY KEY (id, session_id)\n);\n\nCREATE TABLE IF NOT EXISTS connections (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n source_asset_id TEXT NOT NULL,\n target_asset_id TEXT NOT NULL,\n type TEXT,\n created_at TEXT NOT NULL,\n tenant TEXT NOT NULL DEFAULT 'local'\n);\n\nCREATE TABLE IF NOT EXISTS edges (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n source_id TEXT NOT NULL,\n target_id TEXT NOT NULL,\n relationship TEXT NOT NULL,\n evidence TEXT,\n confidence REAL DEFAULT 0.5,\n discovered_at TEXT NOT NULL,\n tenant TEXT NOT NULL DEFAULT 'local'\n);\n\nCREATE TABLE IF NOT EXISTS activity_events (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n task_id TEXT,\n timestamp TEXT NOT NULL,\n event_type TEXT NOT NULL,\n process TEXT NOT NULL,\n pid INTEGER NOT NULL,\n target TEXT,\n target_type TEXT,\n port INTEGER,\n duration_ms INTEGER,\n command TEXT,\n result_bytes INTEGER,\n tenant TEXT NOT NULL DEFAULT 'local'\n);\n\nCREATE TABLE IF NOT EXISTS tasks (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n description TEXT,\n started_at TEXT NOT NULL,\n completed_at TEXT,\n steps TEXT NOT NULL DEFAULT '[]',\n involved_services TEXT NOT NULL DEFAULT '[]',\n status TEXT DEFAULT 'active' CHECK (status IN ('active','completed','cancelled')),\n tenant TEXT NOT NULL DEFAULT 'local'\n);\n\nCREATE TABLE IF NOT EXISTS workflows (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n name TEXT,\n pattern TEXT NOT NULL,\n task_ids TEXT NOT NULL DEFAULT '[]',\n occurrences INTEGER DEFAULT 1,\n first_seen TEXT NOT NULL,\n last_seen TEXT NOT NULL,\n avg_duration_ms INTEGER,\n involved_services TEXT NOT NULL DEFAULT '[]',\n tenant TEXT NOT NULL DEFAULT 'local'\n);\n\nCREATE TABLE IF NOT EXISTS node_approvals (\n pattern TEXT PRIMARY KEY,\n action TEXT NOT NULL CHECK (action IN ('save','ignore','auto')),\n created_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS sharing_policy (\n pattern TEXT PRIMARY KEY, -- '*' row holds the global default\n level TEXT NOT NULL CHECK (level IN ('none','anonymized','full')),\n created_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS pseudonym_reversal (\n token TEXT PRIMARY KEY,\n ciphertext TEXT NOT NULL, -- base64(iv ‖ tag ‖ AES-256-GCM(plaintext)) under reversalKey(orgKey)\n created_at TEXT NOT NULL\n);\n\nCREATE TABLE IF NOT EXISTS pending_shares (\n content_hash TEXT PRIMARY KEY, -- sha256 over the policy-transformed payload (stable dedup key)\n session_id TEXT NOT NULL REFERENCES sessions(id),\n node_id TEXT, -- original node id (NULL for edge rows)\n kind TEXT NOT NULL CHECK (kind IN ('node','edge')),\n payload TEXT NOT NULL, -- JSON of the already-anonymized projection (exactly what would leave)\n status TEXT NOT NULL CHECK (status IN ('pending','approved','shared','withheld')),\n decided_by TEXT CHECK (decided_by IN ('user','rule')),\n created_at TEXT NOT NULL,\n decided_at TEXT,\n shared_at TEXT\n);\n\nCREATE TABLE IF NOT EXISTS node_contributors (\n global_id TEXT NOT NULL,\n machine_id TEXT NOT NULL,\n hostname TEXT NOT NULL,\n user TEXT NOT NULL,\n organization TEXT,\n at TEXT NOT NULL,\n confidence REAL NOT NULL DEFAULT 0.5,\n PRIMARY KEY (global_id, machine_id)\n);\n\nCREATE TABLE IF NOT EXISTS drift_runs (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n base_session_id TEXT,\n ran_at TEXT NOT NULL,\n nodes_added INTEGER NOT NULL,\n nodes_removed INTEGER NOT NULL,\n nodes_changed INTEGER NOT NULL,\n edges_added INTEGER NOT NULL,\n edges_removed INTEGER NOT NULL,\n delta TEXT NOT NULL\n);\n\nCREATE INDEX IF NOT EXISTS idx_nodes_session ON nodes(session_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);\nCREATE INDEX IF NOT EXISTS idx_edges_session ON edges(session_id);\nCREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);\nCREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);\nCREATE INDEX IF NOT EXISTS idx_events_session ON activity_events(session_id);\nCREATE INDEX IF NOT EXISTS idx_events_task ON activity_events(task_id);\nCREATE INDEX IF NOT EXISTS idx_tasks_session ON tasks(session_id);\nCREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);\nCREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);\nCREATE INDEX IF NOT EXISTS idx_sessions_tenant ON sessions(tenant);\nCREATE INDEX IF NOT EXISTS idx_nodes_tenant_session ON nodes(tenant, session_id);\nCREATE INDEX IF NOT EXISTS idx_edges_tenant_session ON edges(tenant, session_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_global ON nodes(global_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_content ON nodes(content_hash);\nCREATE INDEX IF NOT EXISTS idx_contrib_global ON node_contributors(global_id);\nCREATE INDEX IF NOT EXISTS idx_drift_runs_session ON drift_runs(session_id);\nCREATE INDEX IF NOT EXISTS idx_drift_runs_ran_at ON drift_runs(ran_at);\nCREATE INDEX IF NOT EXISTS idx_pending_status ON pending_shares(status);\nCREATE INDEX IF NOT EXISTS idx_pending_session ON pending_shares(session_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_tenant_global ON nodes(tenant, global_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_hash);\nCREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id);\nCREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner);\n`;\n\nexport class CartographyDB {\n private db: Database.Database;\n /** 3.6 anomaly settings; defaults apply when no `anomaly` config is supplied. */\n private readonly anomalyEnabled: boolean;\n private readonly anomalyThresholds: AnomalyThresholds;\n\n constructor(dbPath: string, opts?: { anomaly?: AnomalyConfig }) {\n mkdirSync(dirname(dbPath), { recursive: true });\n this.db = new Database(dbPath);\n this.db.pragma('journal_mode = WAL');\n this.db.pragma('foreign_keys = ON');\n this.db.pragma('busy_timeout = 5000');\n this.anomalyEnabled = opts?.anomaly?.enabled ?? true;\n this.anomalyThresholds = opts?.anomaly ?? DEFAULT_ANOMALY_THRESHOLDS;\n this.migrate();\n }\n\n private migrate(): void {\n const version = (this.db.pragma('user_version', { simple: true }) as number);\n if (version === 0) {\n this.db.exec(SCHEMA);\n this.db.pragma('user_version = 14');\n return;\n } else if (version === 1) {\n // v1 → v2: add hex map columns to nodes + connections table\n const cols = (this.db.prepare(\"PRAGMA table_info(nodes)\").all() as Array<{ name: string }>).map(c => c.name);\n if (!cols.includes('domain')) this.db.exec('ALTER TABLE nodes ADD COLUMN domain TEXT');\n if (!cols.includes('sub_domain')) this.db.exec('ALTER TABLE nodes ADD COLUMN sub_domain TEXT');\n if (!cols.includes('quality_score')) this.db.exec('ALTER TABLE nodes ADD COLUMN quality_score REAL');\n this.db.exec(`\n CREATE TABLE IF NOT EXISTS connections (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n source_asset_id TEXT NOT NULL,\n target_asset_id TEXT NOT NULL,\n type TEXT,\n created_at TEXT NOT NULL\n );\n CREATE INDEX IF NOT EXISTS idx_connections_session ON connections(session_id);\n CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id);\n `);\n this.db.pragma('user_version = 3');\n }\n if (version === 2) {\n // v2 → v3: add composite index for connection upsert lookups\n this.db.exec('CREATE INDEX IF NOT EXISTS idx_connections_lookup ON connections(session_id, source_asset_id, target_asset_id)');\n this.db.pragma('user_version = 3');\n }\n // v3 → v4: add graph-traversal indexes (idempotent for any pre-v4 DB)\n const current = this.db.pragma('user_version', { simple: true }) as number;\n if (current < 4) {\n this.db.exec(`\n CREATE INDEX IF NOT EXISTS idx_nodes_type ON nodes(session_id, type);\n CREATE INDEX IF NOT EXISTS idx_edges_source ON edges(session_id, source_id);\n CREATE INDEX IF NOT EXISTS idx_edges_target ON edges(session_id, target_id);\n `);\n this.db.pragma('user_version = 4');\n }\n // v4 → v5: human-friendly session names (idempotent column add)\n const v4 = this.db.pragma('user_version', { simple: true }) as number;\n if (v4 < 5) {\n const cols = (this.db.prepare(\"PRAGMA table_info(sessions)\").all() as Array<{ name: string }>).map(c => c.name);\n if (!cols.includes('name')) this.db.exec('ALTER TABLE sessions ADD COLUMN name TEXT');\n this.db.pragma('user_version = 5');\n }\n // v5 → v6: audit-log columns on activity_events (idempotent column adds)\n const v5 = this.db.pragma('user_version', { simple: true }) as number;\n if (v5 < 6) {\n const cols = (this.db.prepare(\"PRAGMA table_info(activity_events)\").all() as Array<{ name: string }>).map(c => c.name);\n if (!cols.includes('command')) this.db.exec('ALTER TABLE activity_events ADD COLUMN command TEXT');\n if (!cols.includes('result_bytes')) this.db.exec('ALTER TABLE activity_events ADD COLUMN result_bytes INTEGER');\n this.db.pragma('user_version = 6');\n }\n // v6 → v7: tenant partition column on every session-scoped table (idempotent column adds).\n // `ALTER TABLE … ADD COLUMN tenant TEXT NOT NULL DEFAULT 'local'` backfills every existing\n // row with the default, so a v6 single-tenant DB upgrades in place with no data loss.\n const v6 = this.db.pragma('user_version', { simple: true }) as number;\n if (v6 < 7) {\n const tables = ['sessions', 'nodes', 'edges', 'connections', 'activity_events', 'tasks', 'workflows'] as const;\n for (const t of tables) {\n const cols = (this.db.prepare(`PRAGMA table_info(${t})`).all() as Array<{ name: string }>).map((c) => c.name);\n // PRAGMA table_info returns no rows for a non-existent table; skip those\n // (a real v6 catalog always has every table — this guards partial fixtures).\n if (cols.length > 0 && !cols.includes('tenant')) {\n this.db.exec(`ALTER TABLE ${t} ADD COLUMN tenant TEXT NOT NULL DEFAULT '${DEFAULT_TENANT}'`);\n }\n }\n const hasTable = (name: string): boolean =>\n (this.db.prepare(`PRAGMA table_info(${name})`).all() as unknown[]).length > 0;\n if (hasTable('sessions')) this.db.exec('CREATE INDEX IF NOT EXISTS idx_sessions_tenant ON sessions(tenant)');\n if (hasTable('nodes')) this.db.exec('CREATE INDEX IF NOT EXISTS idx_nodes_tenant_session ON nodes(tenant, session_id)');\n if (hasTable('edges')) this.db.exec('CREATE INDEX IF NOT EXISTS idx_edges_tenant_session ON edges(tenant, session_id)');\n this.db.pragma('user_version = 7');\n }\n // v7 → v8: source attribution + global node identity + contributor list (2.9).\n // Additive only: new session/node columns are nullable, `node_contributors` is new,\n // so a v7 (tenant-aware) DB upgrades in place with no data loss. `global_id`/\n // `content_hash` backfill lazily on the next upsertNode (no destructive backfill).\n const v7 = this.db.pragma('user_version', { simple: true }) as number;\n if (v7 < 8) {\n const sc = (this.db.prepare('PRAGMA table_info(sessions)').all() as Array<{ name: string }>).map((c) => c.name);\n if (sc.length > 0) {\n for (const col of ['hostname', 'user', 'machine_id', 'organization']) {\n if (!sc.includes(col)) this.db.exec(`ALTER TABLE sessions ADD COLUMN ${col} TEXT`);\n }\n }\n const nc = (this.db.prepare('PRAGMA table_info(nodes)').all() as Array<{ name: string }>).map((c) => c.name);\n if (nc.length > 0) {\n if (!nc.includes('global_id')) this.db.exec('ALTER TABLE nodes ADD COLUMN global_id TEXT');\n if (!nc.includes('content_hash')) this.db.exec('ALTER TABLE nodes ADD COLUMN content_hash TEXT');\n }\n this.db.exec(`\n CREATE TABLE IF NOT EXISTS node_contributors (\n global_id TEXT NOT NULL,\n machine_id TEXT NOT NULL,\n hostname TEXT NOT NULL,\n user TEXT NOT NULL,\n organization TEXT,\n at TEXT NOT NULL,\n confidence REAL NOT NULL DEFAULT 0.5,\n PRIMARY KEY (global_id, machine_id)\n );\n CREATE INDEX IF NOT EXISTS idx_contrib_global ON node_contributors(global_id);\n `);\n // Node indexes only when `nodes` exists (guards partial fixtures, mirroring 2.8).\n if (nc.length > 0) {\n this.db.exec(`\n CREATE INDEX IF NOT EXISTS idx_nodes_global ON nodes(global_id);\n CREATE INDEX IF NOT EXISTS idx_nodes_content ON nodes(content_hash);\n `);\n }\n this.db.pragma('user_version = 8');\n }\n // v8 → v9: incremental-discovery observability (2.1). Adds nullable\n // `sessions.last_scanned_at` so an in-place rescan records when it last ran.\n // Additive/nullable: a v8 DB upgrades in place with no data loss and old rows\n // keep `last_scanned_at = NULL` until their next rescan.\n const v8 = this.db.pragma('user_version', { simple: true }) as number;\n if (v8 < 9) {\n const sc = (this.db.prepare('PRAGMA table_info(sessions)').all() as Array<{ name: string }>).map((c) => c.name);\n // PRAGMA table_info returns no rows for a non-existent table; skip those\n // (a real v8 catalog always has `sessions` — this guards partial fixtures).\n if (sc.length > 0 && !sc.includes('last_scanned_at')) {\n this.db.exec('ALTER TABLE sessions ADD COLUMN last_scanned_at TEXT');\n }\n this.db.pragma('user_version = 9');\n }\n // v9 → v10: per-run drift persistence for scheduled discovery (2.5). Additive\n // only — a new `drift_runs` table + two indexes; no existing table is altered,\n // so a v9 DB upgrades in place with no data loss. Idempotent via IF NOT EXISTS.\n const v9 = this.db.pragma('user_version', { simple: true }) as number;\n if (v9 < 10) {\n this.db.exec(`\n CREATE TABLE IF NOT EXISTS drift_runs (\n id TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n base_session_id TEXT,\n ran_at TEXT NOT NULL,\n nodes_added INTEGER NOT NULL,\n nodes_removed INTEGER NOT NULL,\n nodes_changed INTEGER NOT NULL,\n edges_added INTEGER NOT NULL,\n edges_removed INTEGER NOT NULL,\n delta TEXT NOT NULL\n );\n CREATE INDEX IF NOT EXISTS idx_drift_runs_session ON drift_runs(session_id);\n CREATE INDEX IF NOT EXISTS idx_drift_runs_ran_at ON drift_runs(ran_at);\n `);\n this.db.pragma('user_version = 10');\n }\n // v10 → v11: persistent consent policy + admin-reversible anonymization (2.10).\n // Additive only — two new standalone tables (`sharing_policy`, `pseudonym_reversal`),\n // no existing table is altered, so a v10 DB upgrades in place with no data loss.\n // Idempotent via IF NOT EXISTS. The org key lives on disk (`~/.cartography/org-key`),\n // never in the DB; only the AES-256-GCM ciphertext of reversal plaintexts is stored.\n const v10 = this.db.pragma('user_version', { simple: true }) as number;\n if (v10 < 11) {\n this.db.exec(`\n CREATE TABLE IF NOT EXISTS sharing_policy (\n pattern TEXT PRIMARY KEY,\n level TEXT NOT NULL CHECK (level IN ('none','anonymized','full')),\n created_at TEXT NOT NULL\n );\n CREATE TABLE IF NOT EXISTS pseudonym_reversal (\n token TEXT PRIMARY KEY,\n ciphertext TEXT NOT NULL,\n created_at TEXT NOT NULL\n );\n `);\n this.db.pragma('user_version = 11');\n }\n // v11 → v12: central-DB pending-review queue (2.11). Additive only — one new\n // standalone `pending_shares` table + two indexes; no existing table is altered,\n // so a v11 DB upgrades in place with no data loss. Idempotent via IF NOT EXISTS.\n // Nothing is ever pushed without an explicit approval/remembered rule, so an\n // unconfigured install never writes to this table.\n const v11 = this.db.pragma('user_version', { simple: true }) as number;\n if (v11 < 12) {\n this.db.exec(`\n CREATE TABLE IF NOT EXISTS pending_shares (\n content_hash TEXT PRIMARY KEY,\n session_id TEXT NOT NULL REFERENCES sessions(id),\n node_id TEXT,\n kind TEXT NOT NULL CHECK (kind IN ('node','edge')),\n payload TEXT NOT NULL,\n status TEXT NOT NULL CHECK (status IN ('pending','approved','shared','withheld')),\n decided_by TEXT CHECK (decided_by IN ('user','rule')),\n created_at TEXT NOT NULL,\n decided_at TEXT,\n shared_at TEXT\n );\n CREATE INDEX IF NOT EXISTS idx_pending_status ON pending_shares(status);\n CREATE INDEX IF NOT EXISTS idx_pending_session ON pending_shares(session_id);\n `);\n this.db.pragma('user_version = 12');\n }\n // v12 → v13: central-collector ingest substrate (2.12). Additive only — three\n // new indexes that make the org-scoped merge lookups (by `(tenant, global_id)`\n // primary and `(tenant, content_hash)` secondary) and the org-wide contributor\n // count O(log n) at organization scale. No existing table is altered and the\n // `org`/`global_id`/`content_hash` columns + `node_contributors` table already\n // exist from 2.8/2.9, so a v12 DB upgrades in place with no data loss.\n // Idempotent via IF NOT EXISTS; the indexes only attach when `nodes` exists\n // (guards partial fixtures, mirroring the 2.8/2.9 blocks above).\n const v12 = this.db.pragma('user_version', { simple: true }) as number;\n if (v12 < 13) {\n const hasNodes = (this.db.prepare('PRAGMA table_info(nodes)').all() as unknown[]).length > 0;\n if (hasNodes) {\n this.db.exec(`\n CREATE INDEX IF NOT EXISTS idx_nodes_tenant_global ON nodes(tenant, global_id);\n CREATE INDEX IF NOT EXISTS idx_nodes_tenant_content ON nodes(tenant, content_hash);\n `);\n }\n const hasContrib = (this.db.prepare('PRAGMA table_info(node_contributors)').all() as unknown[]).length > 0;\n if (hasContrib) {\n this.db.exec('CREATE INDEX IF NOT EXISTS idx_contrib_org ON node_contributors(organization, global_id)');\n }\n this.db.pragma('user_version = 13');\n }\n // v13 → v14: cost-attribution columns on nodes (3.3). Additive, idempotent\n // `table_info`-guarded ALTERs + an owner index; old rows read back as\n // owner/cost = NULL → undefined. No data is rewritten.\n const v13 = this.db.pragma('user_version', { simple: true }) as number;\n if (v13 < 14) {\n const hasNodes = (this.db.prepare('PRAGMA table_info(nodes)').all() as Array<{ name: string }>);\n if (hasNodes.length > 0) {\n const cols = hasNodes.map((c) => c.name);\n if (!cols.includes('owner')) this.db.exec('ALTER TABLE nodes ADD COLUMN owner TEXT');\n if (!cols.includes('cost')) this.db.exec('ALTER TABLE nodes ADD COLUMN cost TEXT');\n this.db.exec('CREATE INDEX IF NOT EXISTS idx_nodes_owner ON nodes(session_id, owner)');\n }\n this.db.pragma('user_version = 14');\n }\n }\n\n close(): void {\n this.db.pragma('optimize');\n this.db.close();\n }\n\n /**\n * Advanced: the underlying better-sqlite3 connection. Used by the optional\n * semantic-search layer to load the `sqlite-vec` extension and manage its\n * virtual table. Prefer the typed methods above for everything else.\n */\n rawConnection(): Database.Database {\n return this.db;\n }\n\n // ── Sessions ────────────────────────────\n\n /**\n * Create a discovery session, stamping its tenant from (in precedence order)\n * the explicit `tenantId` arg → `config.organization` → DEFAULT_TENANT. The\n * tenant is normalized once here; every child row written under this session\n * inherits it via {@link tenantOf}.\n */\n createSession(mode: 'discover', config: CartographyConfig, tenantId?: string): string {\n const id = crypto.randomUUID();\n const tenant = normalizeTenant(tenantId ?? config.organization);\n // 2.9 source attribution: stamp where/who ran the discovery. `organization` is\n // the raw provenance value; `tenant` (2.8) is its normalized partition form.\n this.db.prepare(\n `INSERT INTO sessions (id, mode, started_at, config, tenant, hostname, user, machine_id, organization)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`\n ).run(\n id, mode, new Date().toISOString(), JSON.stringify(config), tenant,\n hostname(), osUser(), machineId(), config.organization ?? null,\n );\n return id;\n }\n\n /** The tenant that owns a session (DEFAULT_TENANT if the session is unknown). */\n private tenantOf(sessionId: string): string {\n const r = this.db.prepare('SELECT tenant FROM sessions WHERE id = ?').get(sessionId) as { tenant?: string } | undefined;\n return r?.tenant ?? DEFAULT_TENANT;\n }\n\n endSession(id: string): void {\n this.db.prepare('UPDATE sessions SET completed_at = ? WHERE id = ?')\n .run(new Date().toISOString(), id);\n }\n\n getSession(id: string): SessionRow | undefined {\n const row = this.db.prepare('SELECT * FROM sessions WHERE id = ?').get(id) as Record<string, unknown> | undefined;\n return row ? this.mapSession(row) : undefined;\n }\n\n /**\n * Resolve the newest session, optionally constrained to a `mode` and/or\n * `tenantId`. Omitting `tenantId` preserves the original (unscoped) behavior;\n * passing one returns only that tenant's sessions, which is how the tenant\n * boundary is enforced at session resolution.\n */\n getLatestSession(mode?: string, tenantId?: string): SessionRow | undefined {\n const clauses: string[] = [];\n const params: unknown[] = [];\n if (mode) { clauses.push('mode = ?'); params.push(mode); }\n if (tenantId !== undefined) { clauses.push('tenant = ?'); params.push(tenantId); }\n const where = clauses.length ? `WHERE ${clauses.join(' AND ')} ` : '';\n const row = this.db.prepare(`SELECT * FROM sessions ${where}ORDER BY rowid DESC LIMIT 1`).get(...params) as Record<string, unknown> | undefined;\n return row ? this.mapSession(row) : undefined;\n }\n\n getSessions(tenantId?: string): SessionRow[] {\n const rows = tenantId !== undefined\n ? this.db.prepare('SELECT * FROM sessions WHERE tenant = ? ORDER BY rowid DESC').all(tenantId) as Record<string, unknown>[]\n : this.db.prepare('SELECT * FROM sessions ORDER BY rowid DESC').all() as Record<string, unknown>[];\n return rows.map(r => this.mapSession(r));\n }\n\n private mapSession(r: Record<string, unknown>): SessionRow {\n const v = SessionRowSchema.parse(r);\n return {\n id: v.id,\n mode: v.mode,\n startedAt: v.started_at,\n completedAt: v.completed_at ?? undefined,\n config: v.config,\n name: v.name ?? undefined,\n tenant: v.tenant,\n hostname: v.hostname ?? undefined,\n user: v.user ?? undefined,\n machineId: v.machine_id ?? undefined,\n organization: v.organization ?? undefined,\n lastScannedAt: v.last_scanned_at ?? undefined,\n };\n }\n\n /** Record that a session was (re-)scanned now (ISO 8601 UTC). */\n touchSession(id: string): void {\n this.db.prepare('UPDATE sessions SET last_scanned_at = ? WHERE id = ?')\n .run(new Date().toISOString(), id);\n }\n\n /** Set (or clear) a session's human-friendly name. */\n setSessionName(id: string, name: string): void {\n this.db.prepare('UPDATE sessions SET name = ? WHERE id = ?').run(name, id);\n }\n\n /**\n * Compare two discovery sessions and report drift (added/removed/changed nodes\n * and added/removed edges). Read-only; no schema changes. Throws if either\n * session id does not exist.\n */\n diffSessions(baseId: string, currentId: string): TopologyDiff {\n const base = this.getSession(baseId);\n if (!base) throw new Error(`Base session not found: ${baseId}`);\n const current = this.getSession(currentId);\n if (!current) throw new Error(`Current session not found: ${currentId}`);\n\n const baseData = { nodes: this.getNodes(baseId), edges: this.getEdges(baseId) };\n const curData = { nodes: this.getNodes(currentId), edges: this.getEdges(currentId) };\n const delta = diffTopology(baseData, curData);\n\n // 3.6: anomalies new in `current` vs `base` — the delta a scheduled sink (3.1)\n // alerts on. Reuses each session's summary degree computation (no extra query).\n const baseAnoms = this.getGraphSummary(baseId).anomalies;\n const curAnoms = this.getGraphSummary(currentId).anomalies;\n\n return {\n base: { sessionId: baseId, startedAt: base.startedAt, nodeCount: baseData.nodes.length, edgeCount: baseData.edges.length },\n current: { sessionId: currentId, startedAt: current.startedAt, nodeCount: curData.nodes.length, edgeCount: curData.edges.length },\n ...delta,\n anomalies: { base: baseAnoms, current: curAnoms, added: newAnomalies(baseAnoms, curAnoms) },\n };\n }\n\n /**\n * Score a session against a compliance ruleset (3.4) — a thin wrapper over the\n * pure `scoreTopology` engine (mirrors `diffSessions`). Throws only when the\n * session id is unknown; the engine never throws on data shape.\n */\n scoreSession(sessionId: string, ruleset: Ruleset, opts?: { now?: string }): ComplianceReport {\n if (!this.getSession(sessionId)) throw new Error(`Session not found: ${sessionId}`);\n return scoreTopology({ nodes: this.getNodes(sessionId), edges: this.getEdges(sessionId) }, ruleset, opts);\n }\n\n // ── Scheduled discovery: prior-session selection + drift runs (2.5) ──────────\n\n /**\n * The most recent session of `mode` (and optionally `tenantId`) other than\n * `excludeId`. Used by scheduled discovery to pick an unambiguous diff base\n * (newest-first by `rowid`), avoiding the `getLatestSession` just-created-session\n * ambiguity. Returns `undefined` when no such prior session exists.\n */\n getPreviousSession(excludeId: string, mode?: string, tenantId?: string): SessionRow | undefined {\n const clauses: string[] = ['id != ?'];\n const params: unknown[] = [excludeId];\n if (mode) { clauses.push('mode = ?'); params.push(mode); }\n if (tenantId !== undefined) { clauses.push('tenant = ?'); params.push(tenantId); }\n const row = this.db\n .prepare(`SELECT * FROM sessions WHERE ${clauses.join(' AND ')} ORDER BY rowid DESC LIMIT 1`)\n .get(...params) as Record<string, unknown> | undefined;\n return row ? this.mapSession(row) : undefined;\n }\n\n /**\n * Persist one scheduled-discovery drift run: the summary counts plus the full\n * {@link TopologyDelta} (for audit/replay). Returns the generated row id.\n * `ranAt` is stamped now (ISO 8601 UTC).\n */\n recordDriftRun(sessionId: string, baseSessionId: string | undefined, delta: TopologyDelta): string {\n const id = crypto.randomUUID();\n const s = delta.summary;\n this.db.prepare(`\n INSERT INTO drift_runs\n (id, session_id, base_session_id, ran_at,\n nodes_added, nodes_removed, nodes_changed, edges_added, edges_removed, delta)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n id, sessionId, baseSessionId ?? null, new Date().toISOString(),\n s.nodesAdded, s.nodesRemoved, s.nodesChanged, s.edgesAdded, s.edgesRemoved,\n JSON.stringify(delta),\n );\n return id;\n }\n\n /** Recent drift runs, newest-first (`LIMIT`, default 50). */\n getDriftRuns(limit = 50): DriftRunRow[] {\n const rows = this.db\n .prepare('SELECT * FROM drift_runs ORDER BY rowid DESC LIMIT ?')\n .all(Math.max(1, Math.floor(limit))) as Record<string, unknown>[];\n return rows.map((r) => this.mapDriftRun(r));\n }\n\n /** The most recent drift run, or `undefined` when none has been recorded. */\n getLatestDriftRun(): DriftRunRow | undefined {\n const row = this.db\n .prepare('SELECT * FROM drift_runs ORDER BY rowid DESC LIMIT 1')\n .get() as Record<string, unknown> | undefined;\n return row ? this.mapDriftRun(row) : undefined;\n }\n\n private mapDriftRun(r: Record<string, unknown>): DriftRunRow {\n const v = DriftRunRowSchema.parse(r);\n const emptyDelta: TopologyDelta = {\n nodes: { added: [], removed: [], changed: [], unchanged: 0 },\n edges: { added: [], removed: [], unchanged: 0 },\n summary: { nodesAdded: 0, nodesRemoved: 0, nodesChanged: 0, edgesAdded: 0, edgesRemoved: 0 },\n };\n return {\n id: v.id,\n sessionId: v.session_id,\n baseSessionId: v.base_session_id ?? undefined,\n ranAt: v.ran_at,\n summary: {\n nodesAdded: v.nodes_added,\n nodesRemoved: v.nodes_removed,\n nodesChanged: v.nodes_changed,\n edgesAdded: v.edges_added,\n edgesRemoved: v.edges_removed,\n },\n delta: safeJsonParse<TopologyDelta>(v.delta, emptyDelta),\n };\n }\n\n // ── Nodes ───────────────────────────────\n\n upsertNode(sessionId: string, node: DiscoveryNode, depth = 0, attribution?: Contributor): void {\n // Sanitize untrusted free-text before it enters the catalog (and later an LLM\n // context): strip invisible/control characters that could hide prompt injection.\n const tenant = this.tenantOf(sessionId);\n\n // 2.9 global identity. The org-scope is the session's tenant (2.8's normalized\n // organization partition), so two organizations never collapse onto one node.\n const ch = contentHash(node.type, node.name, keyMetaOf(node.metadata ?? {}));\n // Catch id drift first: a different node.id from another machine that hashes to\n // the same content under the same tenant reuses that existing logical identity.\n const drift = this.db.prepare(\n `SELECT global_id FROM nodes\n WHERE content_hash = ? AND COALESCE(global_id, '') LIKE ?\n LIMIT 1`,\n ).get(ch, `${globalId(tenant, '')}%`) as { global_id: string } | undefined;\n const gid = drift?.global_id ?? globalId(tenant, node.id);\n\n this.db.prepare(`\n INSERT OR REPLACE INTO nodes\n (id, session_id, type, name, discovered_via, discovered_at, depth, confidence, metadata, tags,\n domain, sub_domain, quality_score, owner, cost, tenant, global_id, content_hash)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n node.id, sessionId, node.type, sanitizeUntrusted(node.name), node.discoveredVia,\n new Date().toISOString(), depth, node.confidence,\n JSON.stringify(sanitizeValue(node.metadata ?? {})),\n JSON.stringify((node.tags ?? []).map(sanitizeUntrusted)),\n node.domain != null ? sanitizeUntrusted(node.domain) : null,\n node.subDomain != null ? sanitizeUntrusted(node.subDomain) : null,\n node.qualityScore ?? null,\n node.owner != null ? sanitizeUntrusted(node.owner) : null,\n node.cost ? JSON.stringify(CostEntrySchema.parse(node.cost)) : null,\n tenant, gid, ch,\n );\n\n if (attribution) {\n // (global_id, machine_id) conflict → keep highest confidence + latest observation.\n // Free-text attribution is sanitized like name/tags (it may enter an LLM context).\n this.db.prepare(`\n INSERT INTO node_contributors (global_id, machine_id, hostname, user, organization, at, confidence)\n VALUES (?, ?, ?, ?, ?, ?, ?)\n ON CONFLICT(global_id, machine_id) DO UPDATE SET\n confidence = MAX(confidence, excluded.confidence),\n at = excluded.at,\n hostname = excluded.hostname,\n user = excluded.user,\n organization = excluded.organization\n `).run(\n gid, attribution.machineId,\n sanitizeUntrusted(attribution.hostname), sanitizeUntrusted(attribution.user),\n attribution.organization != null ? sanitizeUntrusted(attribution.organization) : null,\n attribution.at, attribution.confidence,\n );\n }\n }\n\n /** All contributors that observed a logical node, ordered by observation time. */\n getContributors(globalId: string): Contributor[] {\n const rows = this.db.prepare(\n 'SELECT * FROM node_contributors WHERE global_id = ? ORDER BY at',\n ).all(globalId) as Record<string, unknown>[];\n return rows.map((r) => {\n const v = ContributorRowSchema.parse(r);\n return {\n machineId: v.machine_id,\n hostname: v.hostname,\n user: v.user,\n organization: v.organization ?? undefined,\n at: v.at,\n confidence: v.confidence,\n };\n });\n }\n\n getNodes(sessionId: string, opts?: { limit?: number; offset?: number }): NodeRow[] {\n let sql = 'SELECT * FROM nodes WHERE session_id = ?';\n if (opts?.limit) {\n sql += ` LIMIT ${opts.limit}`;\n if (opts.offset) sql += ` OFFSET ${opts.offset}`;\n }\n const rows = this.db.prepare(sql).all(sessionId) as Record<string, unknown>[];\n return rows.map(r => this.mapNode(r));\n }\n\n getNodeCount(sessionId: string): number {\n const row = this.db.prepare('SELECT COUNT(*) as cnt FROM nodes WHERE session_id = ?').get(sessionId) as { cnt: number };\n return row.cnt;\n }\n\n private mapNode(r: Record<string, unknown>): NodeRow {\n const v = NodeRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n type: v.type,\n name: v.name,\n discoveredVia: v.discovered_via ?? '',\n discoveredAt: v.discovered_at,\n depth: v.depth,\n confidence: v.confidence,\n metadata: safeJsonParse<Record<string, unknown>>(v.metadata, {}),\n tags: safeJsonParse<string[]>(v.tags, []),\n pathId: v.path_id ?? undefined,\n domain: v.domain ?? undefined,\n subDomain: v.sub_domain ?? undefined,\n qualityScore: v.quality_score ?? undefined,\n owner: v.owner ?? undefined,\n cost: v.cost ? safeJsonParse<CostEntry | undefined>(v.cost, undefined) : undefined,\n globalId: v.global_id ?? undefined,\n contentHash: v.content_hash ?? undefined,\n };\n }\n\n /**\n * Update only the cost/owner of an existing node, without touching any other\n * field (unlike upsertNode's INSERT OR REPLACE) — the idempotent enrichment\n * primitive (3.3). `undefined` leaves a field unchanged; `null` clears it.\n * No-op (returns false) if the node is absent. Cost is re-validated before write.\n */\n enrichNodeAttribution(sessionId: string, nodeId: string, attr: NodeAttribution): boolean {\n const sets: string[] = [];\n const vals: unknown[] = [];\n if (attr.owner !== undefined) {\n sets.push('owner = ?');\n vals.push(attr.owner == null ? null : sanitizeUntrusted(attr.owner));\n }\n if (attr.cost !== undefined) {\n sets.push('cost = ?');\n vals.push(attr.cost == null ? null : JSON.stringify(CostEntrySchema.parse(attr.cost)));\n }\n if (sets.length === 0) return false;\n const info = this.db.prepare(\n `UPDATE nodes SET ${sets.join(', ')} WHERE session_id = ? AND id = ?`,\n ).run(...vals, sessionId, nodeId);\n return info.changes > 0;\n }\n\n deleteNode(sessionId: string, nodeId: string): void {\n this.db.prepare('DELETE FROM nodes WHERE session_id = ? AND id = ?').run(sessionId, nodeId);\n // Remove orphaned edges\n this.db.prepare(\n 'DELETE FROM edges WHERE session_id = ? AND (source_id = ? OR target_id = ?)'\n ).run(sessionId, nodeId, nodeId);\n }\n\n // ── Edges ───────────────────────────────\n\n insertEdge(sessionId: string, edge: DiscoveryEdge): void {\n const id = crypto.randomUUID();\n const tenant = this.tenantOf(sessionId);\n this.db.prepare(`\n INSERT OR IGNORE INTO edges\n (id, session_id, source_id, target_id, relationship, evidence, confidence, discovered_at, tenant)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n id, sessionId, edge.sourceId, edge.targetId,\n edge.relationship, sanitizeUntrusted(edge.evidence), edge.confidence,\n new Date().toISOString(), tenant,\n );\n }\n\n /**\n * Delete every edge matching the logical key (source, target, relationship)\n * within a session. `insertEdge` writes a random PK, so logical identity is the\n * only way to prune an edge that disappeared while both endpoints survived.\n */\n deleteEdgeByKey(sessionId: string, sourceId: string, targetId: string, relationship: string): void {\n this.db.prepare(\n 'DELETE FROM edges WHERE session_id = ? AND source_id = ? AND target_id = ? AND relationship = ?'\n ).run(sessionId, sourceId, targetId, relationship);\n }\n\n /**\n * Apply a precomputed {@link TopologyDelta} to one session in a single\n * transaction (2.1 incremental discovery): prune removed nodes (cascading their\n * edges via {@link deleteNode}), upsert added/changed nodes, delete removed edges\n * by logical key, insert added edges, and stamp `last_scanned_at`. Unchanged rows\n * are left untouched (stable `discovered_at`).\n *\n * `attribution` (2.9) is forwarded to every added/changed node's upsert so a\n * rescan keeps/appends the running machine's contributor instead of leaving it\n * out. Unchanged nodes are not re-upserted, so their existing contributors\n * survive the rescan. `NodeRow extends DiscoveryNode`, so the delta rows pass\n * straight into `upsertNode` with no mapper.\n */\n applyTopologyDelta(sessionId: string, delta: TopologyDelta, attribution?: Contributor): void {\n const apply = this.db.transaction(() => {\n for (const n of delta.nodes.removed) this.deleteNode(sessionId, n.id); // cascades orphan edges\n for (const n of delta.nodes.added) {\n this.upsertNode(sessionId, n, n.depth, attribution ? { ...attribution, confidence: n.confidence } : undefined);\n }\n for (const c of delta.nodes.changed) {\n this.upsertNode(sessionId, c.after, c.after.depth, attribution ? { ...attribution, confidence: c.after.confidence } : undefined);\n }\n for (const e of delta.edges.removed) this.deleteEdgeByKey(sessionId, e.sourceId, e.targetId, e.relationship);\n for (const e of delta.edges.added) this.insertEdge(sessionId, e);\n this.touchSession(sessionId);\n });\n apply();\n }\n\n getEdges(sessionId: string, opts?: { limit?: number; offset?: number }): EdgeRow[] {\n let sql = 'SELECT * FROM edges WHERE session_id = ?';\n if (opts?.limit) {\n sql += ` LIMIT ${opts.limit}`;\n if (opts.offset) sql += ` OFFSET ${opts.offset}`;\n }\n const rows = this.db.prepare(sql).all(sessionId) as Record<string, unknown>[];\n return rows.map(r => {\n const v = EdgeRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n sourceId: v.source_id,\n targetId: v.target_id,\n relationship: v.relationship,\n evidence: v.evidence ?? '',\n confidence: v.confidence,\n discoveredAt: v.discovered_at,\n };\n });\n }\n\n // ── Events ──────────────────────────────\n\n insertEvent(\n sessionId: string,\n event: Pick<EventRow, 'eventType' | 'process' | 'pid' | 'target' | 'targetType' | 'port'>\n & Partial<Pick<EventRow, 'command' | 'resultBytes'>>,\n taskId?: string,\n ): void {\n const id = crypto.randomUUID();\n const tenant = this.tenantOf(sessionId);\n this.db.prepare(`\n INSERT INTO activity_events\n (id, session_id, task_id, timestamp, event_type, process, pid, target, target_type, port, command, result_bytes, tenant)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n id, sessionId, taskId ?? null, new Date().toISOString(),\n event.eventType, event.process, event.pid,\n event.target ?? null, event.targetType ?? null, event.port ?? null,\n event.command ?? null, event.resultBytes ?? null, tenant,\n );\n }\n\n getEvents(sessionId: string, since?: string): EventRow[] {\n const rows = since\n ? this.db.prepare('SELECT * FROM activity_events WHERE session_id = ? AND timestamp > ? ORDER BY timestamp').all(sessionId, since) as Record<string, unknown>[]\n : this.db.prepare('SELECT * FROM activity_events WHERE session_id = ? ORDER BY timestamp').all(sessionId) as Record<string, unknown>[];\n return rows.map(r => {\n const v = EventRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n taskId: v.task_id ?? undefined,\n timestamp: v.timestamp,\n eventType: v.event_type,\n process: v.process,\n pid: v.pid,\n target: v.target ?? undefined,\n targetType: v.target_type ?? undefined,\n port: v.port ?? undefined,\n durationMs: v.duration_ms ?? undefined,\n command: v.command ?? undefined,\n resultBytes: v.result_bytes ?? undefined,\n };\n });\n }\n\n // ── Tasks ───────────────────────────────\n\n startTask(sessionId: string, description?: string): string {\n const id = crypto.randomUUID();\n const tenant = this.tenantOf(sessionId);\n this.db.prepare(`\n INSERT INTO tasks (id, session_id, description, started_at, steps, involved_services, status, tenant)\n VALUES (?, ?, ?, ?, '[]', '[]', 'active', ?)\n `).run(id, sessionId, description ?? null, new Date().toISOString(), tenant);\n return id;\n }\n\n endCurrentTask(sessionId: string): void {\n this.db.prepare(`\n UPDATE tasks SET status = 'completed', completed_at = ?\n WHERE session_id = ? AND status = 'active'\n `).run(new Date().toISOString(), sessionId);\n }\n\n updateTaskDescription(sessionId: string, description: string): void {\n this.db.prepare(`\n UPDATE tasks SET description = ?\n WHERE session_id = ? AND status = 'active'\n `).run(description, sessionId);\n }\n\n getActiveTask(sessionId: string): TaskRow | undefined {\n const row = this.db.prepare(\n \"SELECT * FROM tasks WHERE session_id = ? AND status = 'active' LIMIT 1\"\n ).get(sessionId) as Record<string, unknown> | undefined;\n return row ? this.mapTask(row) : undefined;\n }\n\n getTasks(sessionId: string): TaskRow[] {\n const rows = this.db.prepare('SELECT * FROM tasks WHERE session_id = ? ORDER BY started_at').all(sessionId) as Record<string, unknown>[];\n return rows.map(r => this.mapTask(r));\n }\n\n private mapTask(r: Record<string, unknown>): TaskRow {\n const v = TaskRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n description: v.description ?? undefined,\n startedAt: v.started_at,\n completedAt: v.completed_at ?? undefined,\n steps: v.steps,\n involvedServices: v.involved_services,\n status: v.status,\n };\n }\n\n // ── Workflows ───────────────────────────\n\n insertWorkflow(sessionId: string, data: Omit<WorkflowRow, 'id'>): void {\n const id = crypto.randomUUID();\n const tenant = this.tenantOf(sessionId);\n this.db.prepare(`\n INSERT INTO workflows\n (id, session_id, name, pattern, task_ids, occurrences,\n first_seen, last_seen, avg_duration_ms, involved_services, tenant)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n id, sessionId, data.name ?? null, data.pattern,\n data.taskIds, data.occurrences,\n data.firstSeen, data.lastSeen, data.avgDurationMs,\n data.involvedServices, tenant,\n );\n }\n\n getWorkflows(sessionId: string): WorkflowRow[] {\n const rows = this.db.prepare('SELECT * FROM workflows WHERE session_id = ?').all(sessionId) as Record<string, unknown>[];\n return rows.map(r => {\n const v = WorkflowRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n name: v.name ?? undefined,\n pattern: v.pattern,\n taskIds: v.task_ids,\n occurrences: v.occurrences,\n firstSeen: v.first_seen,\n lastSeen: v.last_seen,\n avgDurationMs: v.avg_duration_ms ?? 0,\n involvedServices: v.involved_services,\n };\n });\n }\n\n // ── Connections (user-created hex map links) ─────────────────────────────\n\n upsertConnection(sessionId: string, conn: Omit<Connection, 'id'>): string {\n // Idempotent: same source+target+type = same connection\n const existing = this.db.prepare(\n 'SELECT id FROM connections WHERE session_id = ? AND source_asset_id = ? AND target_asset_id = ?'\n ).get(sessionId, conn.sourceAssetId, conn.targetAssetId) as { id: string } | undefined;\n if (existing) return existing.id;\n const id = crypto.randomUUID();\n const tenant = this.tenantOf(sessionId);\n this.db.prepare(`\n INSERT INTO connections (id, session_id, source_asset_id, target_asset_id, type, created_at, tenant)\n VALUES (?, ?, ?, ?, ?, ?, ?)\n `).run(id, sessionId, conn.sourceAssetId, conn.targetAssetId, conn.type ?? null, new Date().toISOString(), tenant);\n return id;\n }\n\n getConnections(sessionId: string): ConnectionRow[] {\n const rows = this.db.prepare('SELECT * FROM connections WHERE session_id = ?').all(sessionId) as Record<string, unknown>[];\n return rows.map(r => {\n const v = ConnectionRowSchema.parse(r);\n return {\n id: v.id,\n sessionId: v.session_id,\n sourceAssetId: v.source_asset_id,\n targetAssetId: v.target_asset_id,\n type: v.type ?? undefined,\n createdAt: v.created_at,\n };\n });\n }\n\n deleteConnection(sessionId: string, connectionId: string): void {\n this.db.prepare('DELETE FROM connections WHERE session_id = ? AND id = ?').run(sessionId, connectionId);\n }\n\n // ── Approvals ───────────────────────────\n\n setApproval(pattern: string, action: 'save' | 'ignore' | 'auto'): void {\n this.db.prepare(`\n INSERT OR REPLACE INTO node_approvals (pattern, action, created_at) VALUES (?, ?, ?)\n `).run(pattern, action, new Date().toISOString());\n }\n\n getApproval(pattern: string): string | undefined {\n const row = this.db.prepare('SELECT action FROM node_approvals WHERE pattern = ?').get(pattern) as { action: string } | undefined;\n return row?.action;\n }\n\n // ── Sharing policy (2.10 consent) ───────────────────────────────────────────\n\n /**\n * Set (or replace) the sharing level for a pattern. The `'*'` pattern is the\n * global default; any other pattern is an override (glob over the node id).\n * Validated via {@link SharingLevelSchema} before write; `created_at` is ISO UTC.\n */\n setSharingLevel(pattern: string, level: SharingLevel): void {\n const valid = SharingLevelSchema.parse(level);\n this.db.prepare(\n 'INSERT OR REPLACE INTO sharing_policy (pattern, level, created_at) VALUES (?, ?, ?)',\n ).run(pattern, valid, new Date().toISOString());\n }\n\n /**\n * The full sharing policy: the `'*'` row resolves to `defaultLevel` (`'none'`\n * when absent — the opt-in floor), every other row becomes an override. The\n * glob-precedence resolution itself lives in `src/sharing.ts` so it is unit\n * testable in isolation; this returns the raw policy it consumes.\n */\n getSharingPolicy(): SharingPolicy {\n const rows = this.db.prepare('SELECT pattern, level FROM sharing_policy').all() as Array<{ pattern: string; level: string }>;\n let defaultLevel: SharingLevel = 'none';\n const overrides: { pattern: string; level: SharingLevel }[] = [];\n for (const r of rows) {\n const level = SharingLevelSchema.parse(r.level);\n if (r.pattern === '*') defaultLevel = level;\n else overrides.push({ pattern: r.pattern, level });\n }\n return { defaultLevel, overrides };\n }\n\n /** Remove a pattern override. The global default (`'*'`) cannot be cleared this way. */\n clearSharingOverride(pattern: string): void {\n this.db.prepare(\"DELETE FROM sharing_policy WHERE pattern = ? AND pattern != '*'\").run(pattern);\n }\n\n // ── Pseudonym reversal map (2.10 admin-reversible anonymization) ─────────────\n\n /**\n * Persist the encrypted plaintext behind a pseudonym token. Idempotent: the\n * token is deterministic, so repeated writes `INSERT OR REPLACE` and never grow\n * the table. `ciphertext` is base64(iv ‖ tag ‖ AES-256-GCM(plaintext)).\n */\n saveReversal(token: string, ciphertext: string): void {\n this.db.prepare(\n 'INSERT OR REPLACE INTO pseudonym_reversal (token, ciphertext, created_at) VALUES (?, ?, ?)',\n ).run(token, ciphertext, new Date().toISOString());\n }\n\n /** Read the stored ciphertext for a pseudonym token (admin reversal path). */\n getReversal(token: string): string | undefined {\n const row = this.db.prepare('SELECT ciphertext FROM pseudonym_reversal WHERE token = ?').get(token) as { ciphertext: string } | undefined;\n return row?.ciphertext;\n }\n\n // ── Pending-review share queue (2.11 central-DB sync) ────────────────────────\n\n /**\n * Enqueue one proposed share item. Idempotent via `INSERT OR IGNORE` on the\n * `content_hash` PK: re-classifying the same (transformed) item never duplicates\n * a row nor resets an existing decision. `payload` is the already-policy-\n * transformed projection (the exact bytes a push would send) — never raw node\n * data for `anonymized`/`none` items.\n */\n enqueuePending(item: {\n contentHash: string;\n sessionId: string;\n nodeId?: string;\n kind: 'node' | 'edge';\n payload: unknown;\n status: PendingStatus;\n decidedBy?: 'user' | 'rule';\n }): void {\n const now = new Date().toISOString();\n const decided = item.status === 'pending' ? null : now;\n this.db.prepare(`\n INSERT OR IGNORE INTO pending_shares\n (content_hash, session_id, node_id, kind, payload, status, decided_by, created_at, decided_at)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n item.contentHash, item.sessionId, item.nodeId ?? null, item.kind,\n JSON.stringify(item.payload), item.status, item.decidedBy ?? null, now, decided,\n );\n }\n\n /** Queued share items, optionally filtered by status and/or session. */\n getPendingShares(filter?: { status?: PendingStatus; sessionId?: string }): PendingShareRow[] {\n const clauses: string[] = [];\n const params: unknown[] = [];\n if (filter?.status) { clauses.push('status = ?'); params.push(filter.status); }\n if (filter?.sessionId) { clauses.push('session_id = ?'); params.push(filter.sessionId); }\n const where = clauses.length ? `WHERE ${clauses.join(' AND ')} ` : '';\n const rows = this.db.prepare(`SELECT * FROM pending_shares ${where}ORDER BY rowid`).all(...params) as Record<string, unknown>[];\n return rows.map((r) => this.mapPendingShare(r));\n }\n\n /** Queue size by status (every status key present, zero-filled). */\n countPendingByStatus(): Record<PendingStatus, number> {\n const out: Record<PendingStatus, number> = { pending: 0, approved: 0, shared: 0, withheld: 0 };\n const rows = this.db.prepare('SELECT status, COUNT(*) c FROM pending_shares GROUP BY status').all() as Array<{ status: string; c: number }>;\n for (const r of rows) {\n if (r.status in out) out[r.status as PendingStatus] = r.c;\n }\n return out;\n }\n\n /** `content_hash` values already pushed (status `shared`) — for re-share suppression. */\n getSharedHashes(): Set<string> {\n const rows = this.db.prepare(\"SELECT content_hash FROM pending_shares WHERE status = 'shared'\").all() as Array<{ content_hash: string }>;\n return new Set(rows.map((r) => r.content_hash));\n }\n\n /**\n * Transition one queued item. Stamps `decided_at` on any non-`pending` status and\n * `shared_at` when moving to `shared`. `decidedBy` records the actor (`'user'` or\n * `'rule'`) for the audit trail.\n */\n setPendingStatus(contentHash: string, status: PendingStatus, decidedBy?: 'user' | 'rule'): void {\n const now = new Date().toISOString();\n const sharedAt = status === 'shared' ? now : null;\n this.db.prepare(`\n UPDATE pending_shares\n SET status = ?, decided_by = COALESCE(?, decided_by), decided_at = ?, shared_at = COALESCE(?, shared_at)\n WHERE content_hash = ?\n `).run(status, decidedBy ?? null, now, sharedAt, contentHash);\n }\n\n /** Approved items cleared to push (FIFO), optionally capped by `limit`. */\n getApprovedShares(limit?: number): PendingShareRow[] {\n let sql = \"SELECT * FROM pending_shares WHERE status = 'approved' ORDER BY rowid\";\n if (limit) sql += ` LIMIT ${Math.max(1, Math.floor(limit))}`;\n const rows = this.db.prepare(sql).all() as Record<string, unknown>[];\n return rows.map((r) => this.mapPendingShare(r));\n }\n\n private mapPendingShare(r: Record<string, unknown>): PendingShareRow {\n const v = PendingShareRowSchema.parse(r);\n return {\n contentHash: v.content_hash,\n sessionId: v.session_id,\n nodeId: v.node_id ?? undefined,\n kind: v.kind,\n payload: safeJsonParse<unknown>(v.payload, null),\n status: v.status,\n decidedBy: v.decided_by ?? undefined,\n createdAt: v.created_at,\n decidedAt: v.decided_at ?? undefined,\n sharedAt: v.shared_at ?? undefined,\n };\n }\n\n // ── Pruning ──────────────────────────────\n\n /**\n * Delete a session and all its associated data (nodes, edges, events, tasks, workflows, connections).\n */\n deleteSession(sessionId: string): void {\n this.db.prepare('DELETE FROM connections WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM workflows WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM activity_events WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM tasks WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM edges WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM nodes WHERE session_id = ?').run(sessionId);\n this.db.prepare('DELETE FROM sessions WHERE id = ?').run(sessionId);\n }\n\n /**\n * Prune sessions older than the given ISO date string. Returns count of deleted sessions.\n */\n pruneSessions(olderThan: string): number {\n const rows = this.db.prepare(\n 'SELECT id FROM sessions WHERE started_at < ?'\n ).all(olderThan) as { id: string }[];\n for (const row of rows) {\n this.deleteSession(row.id);\n }\n return rows.length;\n }\n\n // ── Graph queries (read-only context layer) ─────────────────────────────────\n\n /** Fetch a single node by id within a session. */\n getNode(sessionId: string, nodeId: string): NodeRow | undefined {\n const row = this.db.prepare('SELECT * FROM nodes WHERE session_id = ? AND id = ?')\n .get(sessionId, nodeId) as Record<string, unknown> | undefined;\n return row ? this.mapNode(row) : undefined;\n }\n\n /** Batch-fetch nodes by id, keyed for O(1) lookup. Chunked to stay under SQLite's bind-variable limit. */\n getNodesByIds(sessionId: string, ids: readonly string[]): Map<string, NodeRow> {\n const out = new Map<string, NodeRow>();\n for (let i = 0; i < ids.length; i += 900) {\n const chunk = ids.slice(i, i + 900);\n const placeholders = chunk.map(() => '?').join(',');\n const rows = this.db.prepare(\n `SELECT * FROM nodes WHERE session_id = ? AND id IN (${placeholders})`,\n ).all(sessionId, ...chunk) as Record<string, unknown>[];\n for (const r of rows) { const n = this.mapNode(r); out.set(n.id, n); }\n }\n return out;\n }\n\n /** Fetch all nodes of one or more types. */\n getNodesByType(sessionId: string, types: readonly string[]): NodeRow[] {\n if (types.length === 0) return [];\n const placeholders = types.map(() => '?').join(',');\n const rows = this.db.prepare(\n `SELECT * FROM nodes WHERE session_id = ? AND type IN (${placeholders})`,\n ).all(sessionId, ...types) as Record<string, unknown>[];\n return rows.map(r => this.mapNode(r));\n }\n\n /**\n * Lexical search over node id, name, domain, sub-domain and tags.\n * Case-insensitive substring match — the deterministic fallback for semantic search.\n */\n searchNodes(sessionId: string, query: string, opts?: { types?: readonly string[]; limit?: number }): NodeRow[] {\n const q = `%${query.trim().toLowerCase()}%`;\n const params: unknown[] = [sessionId, q, q, q, q, q];\n let sql = `\n SELECT * FROM nodes\n WHERE session_id = ?\n AND (\n lower(id) LIKE ? OR lower(name) LIKE ?\n OR lower(COALESCE(domain, '')) LIKE ?\n OR lower(COALESCE(sub_domain, '')) LIKE ?\n OR lower(tags) LIKE ?\n )`;\n if (opts?.types && opts.types.length > 0) {\n sql += ` AND type IN (${opts.types.map(() => '?').join(',')})`;\n params.push(...opts.types);\n }\n sql += ' ORDER BY confidence DESC';\n if (opts?.limit) sql += ` LIMIT ${Math.max(1, Math.floor(opts.limit))}`;\n const rows = this.db.prepare(sql).all(...params) as Record<string, unknown>[];\n return rows.map(r => this.mapNode(r));\n }\n\n /**\n * Traverse the dependency graph from a node using a recursive CTE with a\n * path-based cycle guard. `downstream` follows source→target (what the node\n * depends on / points to); `upstream` follows target→source (what depends on it).\n */\n getDependencies(\n sessionId: string,\n nodeId: string,\n opts: { direction?: 'downstream' | 'upstream' | 'both'; maxDepth?: number } = {},\n ): TraversalResult {\n const direction = opts.direction ?? 'downstream';\n const maxDepth = Math.max(1, Math.min(opts.maxDepth ?? 8, 64));\n const root = this.getNode(sessionId, nodeId);\n\n const depthById = new Map<string, number>();\n const collect = (dir: 'downstream' | 'upstream'): void => {\n // SEP = newline; node ids never contain newlines, so the path guard is collision-free.\n const [from, to] = dir === 'downstream' ? ['source_id', 'target_id'] : ['target_id', 'source_id'];\n const sql = `\n WITH RECURSIVE walk(node_id, depth, path) AS (\n SELECT ?, 0, char(10) || ? || char(10)\n UNION ALL\n SELECT e.${to}, w.depth + 1, w.path || e.${to} || char(10)\n FROM edges e JOIN walk w ON e.${from} = w.node_id\n WHERE e.session_id = ?\n AND w.depth < ?\n AND instr(w.path, char(10) || e.${to} || char(10)) = 0\n )\n SELECT node_id, MIN(depth) AS depth FROM walk WHERE node_id != ? GROUP BY node_id`;\n const rows = this.db.prepare(sql).all(nodeId, nodeId, sessionId, maxDepth, nodeId) as Array<{ node_id: string; depth: number }>;\n for (const r of rows) {\n const prev = depthById.get(r.node_id);\n if (prev === undefined || r.depth < prev) depthById.set(r.node_id, r.depth);\n }\n };\n\n if (direction === 'both') { collect('downstream'); collect('upstream'); }\n else collect(direction);\n\n const byId = this.getNodesByIds(sessionId, [...depthById.keys()]);\n const nodes = [...depthById.entries()]\n .map(([id, depth]) => { const n = byId.get(id); return n ? { ...n, depth } : undefined; })\n .filter((n): n is NodeRow & { depth: number } => n !== undefined)\n .sort((a, b) => a.depth - b.depth);\n\n // Edges that lie within the reached subgraph (including the root).\n const reachable = new Set<string>([nodeId, ...depthById.keys()]);\n const edges = this.getEdges(sessionId).filter(e => reachable.has(e.sourceId) && reachable.has(e.targetId));\n\n return { root, direction, maxDepth, nodes, edges };\n }\n\n /** Lightweight aggregate index of the whole topology — the progressive-disclosure summary. */\n getGraphSummary(sessionId: string): GraphSummary {\n const totals = {\n nodes: (this.db.prepare('SELECT COUNT(*) c FROM nodes WHERE session_id = ?').get(sessionId) as { c: number }).c,\n edges: (this.db.prepare('SELECT COUNT(*) c FROM edges WHERE session_id = ?').get(sessionId) as { c: number }).c,\n };\n const byType: Record<string, number> = {};\n for (const r of this.db.prepare('SELECT type, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY type').all(sessionId) as Array<{ type: string; c: number }>) {\n byType[r.type] = r.c;\n }\n const byDomain: Record<string, number> = {};\n for (const r of this.db.prepare(\"SELECT COALESCE(domain, '(none)') d, COUNT(*) c FROM nodes WHERE session_id = ? GROUP BY d\").all(sessionId) as Array<{ d: string; c: number }>) {\n byDomain[r.d] = r.c;\n }\n const byRelationship: Record<string, number> = {};\n for (const r of this.db.prepare('SELECT relationship rel, COUNT(*) c FROM edges WHERE session_id = ? GROUP BY rel').all(sessionId) as Array<{ rel: string; c: number }>) {\n byRelationship[r.rel] = r.c;\n }\n // 3.6: degree for ALL nodes in one aggregate (the old top-10 query dropped the\n // LIMIT). The same rows feed `topConnected` and the per-node degree map the\n // anomaly engine consumes — no second scan.\n const degreeRows = this.db.prepare(`\n SELECT n.id, n.name, n.type, n.confidence, COUNT(e.id) AS degree\n FROM nodes n\n LEFT JOIN edges e ON e.session_id = n.session_id AND (e.source_id = n.id OR e.target_id = n.id)\n WHERE n.session_id = ?\n GROUP BY n.id, n.name, n.type\n `).all(sessionId) as Array<{ id: string; name: string; type: string; confidence: number; degree: number }>;\n\n const degree = new Map<string, number>();\n for (const r of degreeRows) degree.set(r.id, r.degree);\n\n // Reproduces the old `degree DESC, confidence DESC` order + a stable id tiebreaker.\n const topConnected = [...degreeRows]\n .sort((a, b) => b.degree - a.degree || b.confidence - a.confidence || a.id.localeCompare(b.id))\n .slice(0, 10)\n .map(({ id, name, type, degree }) => ({ id, name, type, degree }));\n\n const anomalies = this.anomalyEnabled\n ? detectAnomalies(this.getNodes(sessionId), degree, this.anomalyThresholds)\n : [];\n\n // 2.9: distinct machines that contributed to this session's nodes (by global_id).\n const contributors = (this.db.prepare(`\n SELECT COUNT(DISTINCT c.machine_id) AS n\n FROM node_contributors c\n JOIN nodes n ON n.global_id = c.global_id\n WHERE n.session_id = ?\n `).get(sessionId) as { n: number }).n;\n\n // 3.3 FinOps rollups — bucketed by (currency, period) so mixed currencies/periods\n // are never silently summed; only cost-bearing rows are scanned.\n const costByDomain = this.db.prepare(`\n SELECT COALESCE(domain, '(none)') domain,\n json_extract(cost, '$.currency') currency,\n json_extract(cost, '$.period') period,\n SUM(json_extract(cost, '$.amount')) total,\n COUNT(*) nodes\n FROM nodes\n WHERE session_id = ? AND cost IS NOT NULL\n GROUP BY domain, currency, period\n ORDER BY total DESC\n `).all(sessionId) as GraphSummary['costByDomain'];\n const costByOwner = this.db.prepare(`\n SELECT COALESCE(owner, '(unowned)') owner,\n json_extract(cost, '$.currency') currency,\n json_extract(cost, '$.period') period,\n SUM(json_extract(cost, '$.amount')) total,\n COUNT(*) nodes\n FROM nodes\n WHERE session_id = ? AND cost IS NOT NULL\n GROUP BY owner, currency, period\n ORDER BY total DESC\n `).all(sessionId) as GraphSummary['costByOwner'];\n const withCost = (this.db.prepare(\n 'SELECT COUNT(*) c FROM nodes WHERE session_id = ? AND cost IS NOT NULL',\n ).get(sessionId) as { c: number }).c;\n\n return {\n sessionId, totals, nodesByType: byType, nodesByDomain: byDomain,\n edgesByRelationship: byRelationship, topConnected, anomalies, contributors,\n costByDomain, costByOwner, costCoverage: { withCost, total: totals.nodes },\n };\n }\n\n // ── Central collector store (2.12) ──────────────────────────────────────────\n\n /**\n * Resolve (creating once) the synthetic collector session that owns every\n * central node/edge for a tenant. Central nodes are merged by `(org, global_id)`,\n * not by session, so they live under a single deterministic session id\n * (`central:{org}`) — this satisfies the existing `(id, session_id)` node PK and\n * the `session_id` foreign key without a destructive schema change. Idempotent.\n */\n ensureCentralSession(org: string): string {\n const tenant = normalizeTenant(org);\n const id = `central:${tenant}`;\n const existing = this.db.prepare('SELECT id FROM sessions WHERE id = ?').get(id) as { id: string } | undefined;\n if (existing) return id;\n this.db.prepare(\n `INSERT INTO sessions (id, mode, started_at, config, tenant, organization)\n VALUES (?, 'discover', ?, '{}', ?, ?)`\n ).run(id, new Date().toISOString(), tenant, org);\n return id;\n }\n\n /**\n * Find an existing central node within a tenant by its primary identity\n * (`global_id`), returning its stored `id` so a merge keeps a single row.\n */\n findCentralNodeIdByGlobalId(org: string, gid: string): string | undefined {\n const tenant = normalizeTenant(org);\n const row = this.db.prepare(\n 'SELECT id FROM nodes WHERE tenant = ? AND global_id = ? LIMIT 1',\n ).get(tenant, gid) as { id: string } | undefined;\n return row?.id;\n }\n\n /**\n * Secondary merge lookup: an existing central node in the tenant whose\n * `content_hash` matches (catches `id` drift between machines for the same\n * logical resource). Returns its stored `id` and `global_id`.\n */\n findCentralNodeByContentHash(org: string, ch: string): { id: string; globalId: string } | undefined {\n const tenant = normalizeTenant(org);\n const row = this.db.prepare(\n 'SELECT id, global_id FROM nodes WHERE tenant = ? AND content_hash = ? LIMIT 1',\n ).get(tenant, ch) as { id: string; global_id: string | null } | undefined;\n if (!row || row.global_id == null) return undefined;\n return { id: row.id, globalId: row.global_id };\n }\n\n /**\n * Merge one incoming node into the central store for a tenant and append the\n * contributor (2.12). Resolves identity by `(tenant, global_id)` primary, then\n * `(tenant, content_hash)` secondary; on a hit it keeps the existing row's id\n * (so the logical node stays a single row), unions tags, keeps the higher\n * confidence, and merges metadata (incoming values win on key conflict). The\n * incoming `globalId`/`contentHash` are precomputed by the merge core so they\n * are consistent with what the lookups used. Returns whether a new row was\n * created or an existing one was merged. Runs in one transaction.\n */\n upsertCentralNode(\n org: string,\n node: DiscoveryNode,\n identity: { globalId: string; contentHash: string },\n contributor: Contributor,\n ): 'created' | 'merged' {\n const tenant = normalizeTenant(org);\n const sessionId = this.ensureCentralSession(tenant);\n const txn = this.db.transaction((): 'created' | 'merged' => {\n // Resolve the merge target: primary by global_id, secondary by content_hash.\n let targetId = this.findCentralNodeIdByGlobalId(tenant, identity.globalId);\n let outcome: 'created' | 'merged' = 'merged';\n if (!targetId) {\n const byHash = this.findCentralNodeByContentHash(tenant, identity.contentHash);\n targetId = byHash?.id;\n }\n if (!targetId) { targetId = node.id; outcome = 'created'; }\n\n const existing = this.getCentralNode(tenant, sessionId, targetId);\n // Union tags + metadata and keep the higher confidence (mirrors local.ts:44).\n const mergedTags = Array.from(new Set([...(existing?.tags ?? []), ...(node.tags ?? [])]));\n const mergedMeta = { ...(existing?.metadata ?? {}), ...(node.metadata ?? {}) };\n const confidence = Math.max(existing?.confidence ?? 0, node.confidence);\n\n this.db.prepare(`\n INSERT OR REPLACE INTO nodes\n (id, session_id, type, name, discovered_via, discovered_at, depth, confidence, metadata, tags,\n domain, sub_domain, quality_score, tenant, global_id, content_hash)\n VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)\n `).run(\n targetId, sessionId, node.type, sanitizeUntrusted(node.name), node.discoveredVia,\n existing?.discoveredAt ?? new Date().toISOString(), 0, confidence,\n JSON.stringify(sanitizeValue(mergedMeta)),\n JSON.stringify(mergedTags.map(sanitizeUntrusted)),\n node.domain != null ? sanitizeUntrusted(node.domain) : (existing?.domain ?? null),\n node.subDomain != null ? sanitizeUntrusted(node.subDomain) : (existing?.subDomain ?? null),\n node.qualityScore ?? existing?.qualityScore ?? null,\n tenant, identity.globalId, identity.contentHash,\n );\n\n // Append/update the contributor (keyed by (global_id, machine_id)).\n this.db.prepare(`\n INSERT INTO node_contributors (global_id, machine_id, hostname, user, organization, at, confidence)\n VALUES (?, ?, ?, ?, ?, ?, ?)\n ON CONFLICT(global_id, machine_id) DO UPDATE SET\n confidence = MAX(confidence, excluded.confidence),\n at = excluded.at,\n hostname = excluded.hostname,\n user = excluded.user,\n organization = excluded.organization\n `).run(\n identity.globalId, contributor.machineId,\n sanitizeUntrusted(contributor.hostname), sanitizeUntrusted(contributor.user),\n contributor.organization != null ? sanitizeUntrusted(contributor.organization) : tenant,\n contributor.at, contributor.confidence,\n );\n return outcome;\n });\n return txn();\n }\n\n /** Insert an edge into the central store for a tenant (idempotent on logical key). */\n insertCentralEdge(org: string, edge: DiscoveryEdge): void {\n const tenant = normalizeTenant(org);\n const sessionId = this.ensureCentralSession(tenant);\n // Skip a logical duplicate (insertEdge writes a random PK, so INSERT OR IGNORE\n // never dedups by (source,target,relationship) on its own).\n const dup = this.db.prepare(\n 'SELECT 1 FROM edges WHERE tenant = ? AND source_id = ? AND target_id = ? AND relationship = ? LIMIT 1',\n ).get(tenant, edge.sourceId, edge.targetId, edge.relationship);\n if (dup) return;\n this.insertEdge(sessionId, edge);\n }\n\n /** A central node by tenant + stored id (the merge target after identity resolution). */\n getCentralNode(org: string, sessionId: string, nodeId: string): NodeRow | undefined {\n const tenant = normalizeTenant(org);\n const row = this.db.prepare(\n 'SELECT * FROM nodes WHERE tenant = ? AND session_id = ? AND id = ?',\n ).get(tenant, sessionId, nodeId) as Record<string, unknown> | undefined;\n return row ? this.mapNode(row) : undefined;\n }\n\n /** All contributors for a logical (global_id) node across an org. */\n getContributorsByGlobalId(gid: string): Contributor[] {\n return this.getContributors(gid);\n }\n\n /**\n * Org-wide aggregate summary (2.12) — the central analogue of\n * {@link getGraphSummary}, scoped `WHERE tenant = ?` so it merges every machine's\n * contribution into one organization-wide view. Cross-tenant isolation is\n * structural: org A's rows never appear in org B's counts.\n */\n getOrgSummary(org: string): OrgSummary {\n const tenant = normalizeTenant(org);\n const totals = {\n nodes: (this.db.prepare('SELECT COUNT(*) c FROM nodes WHERE tenant = ?').get(tenant) as { c: number }).c,\n edges: (this.db.prepare('SELECT COUNT(*) c FROM edges WHERE tenant = ?').get(tenant) as { c: number }).c,\n };\n const byType: Record<string, number> = {};\n for (const r of this.db.prepare('SELECT type, COUNT(*) c FROM nodes WHERE tenant = ? GROUP BY type').all(tenant) as Array<{ type: string; c: number }>) {\n byType[r.type] = r.c;\n }\n const byDomain: Record<string, number> = {};\n for (const r of this.db.prepare(\"SELECT COALESCE(domain, '(none)') d, COUNT(*) c FROM nodes WHERE tenant = ? GROUP BY d\").all(tenant) as Array<{ d: string; c: number }>) {\n byDomain[r.d] = r.c;\n }\n const byRelationship: Record<string, number> = {};\n for (const r of this.db.prepare('SELECT relationship rel, COUNT(*) c FROM edges WHERE tenant = ? GROUP BY rel').all(tenant) as Array<{ rel: string; c: number }>) {\n byRelationship[r.rel] = r.c;\n }\n const topConnected = (this.db.prepare(`\n SELECT n.id, n.name, n.type, COUNT(e.id) AS degree\n FROM nodes n\n LEFT JOIN edges e ON e.tenant = n.tenant AND (e.source_id = n.id OR e.target_id = n.id)\n WHERE n.tenant = ?\n GROUP BY n.id, n.name, n.type\n ORDER BY degree DESC, n.confidence DESC\n LIMIT 10\n `).all(tenant) as Array<{ id: string; name: string; type: string; degree: number }>);\n // Distinct machines that contributed to this org's nodes (org-wide attribution).\n const contributors = (this.db.prepare(`\n SELECT COUNT(DISTINCT c.machine_id) AS n\n FROM node_contributors c\n JOIN nodes n ON n.global_id = c.global_id\n WHERE n.tenant = ?\n `).get(tenant) as { n: number }).n;\n\n return { org: tenant, totals, nodesByType: byType, nodesByDomain: byDomain, edgesByRelationship: byRelationship, topConnected, contributors };\n }\n\n // ── Stats ───────────────────────────────\n\n getStats(sessionId: string): { nodes: number; edges: number; events: number; tasks: number } {\n const nodes = (this.db.prepare('SELECT COUNT(*) as c FROM nodes WHERE session_id = ?').get(sessionId) as { c: number }).c;\n const edges = (this.db.prepare('SELECT COUNT(*) as c FROM edges WHERE session_id = ?').get(sessionId) as { c: number }).c;\n const events = (this.db.prepare('SELECT COUNT(*) as c FROM activity_events WHERE session_id = ?').get(sessionId) as { c: number }).c;\n const tasks = (this.db.prepare('SELECT COUNT(*) as c FROM tasks WHERE session_id = ?').get(sessionId) as { c: number }).c;\n return { nodes, edges, events, tasks };\n }\n}\n","/**\n * Compliance scoring (3.4) — schemas + types.\n *\n * Rulesets are **declarative data** (a serializable `RuleCheck` expression tree)\n * interpreted by a single trusted engine — never executable predicate code. `field`\n * and `pattern` are closed enums, so a ruleset can neither reach arbitrary node\n * properties nor inject a ReDoS-prone regex. Every bundled ruleset is\n * `RulesetSchema.parse`d at module load (fail-fast on malformed data).\n */\n\nimport { z } from 'zod';\nimport { NODE_TYPES, NODE_TYPE_GROUPS } from '../types.js';\n\n/** Keys of NODE_TYPE_GROUPS — the semantic scopes a rule may target. */\nexport const NODE_TYPE_GROUP_KEYS = Object.keys(NODE_TYPE_GROUPS) as Array<keyof typeof NODE_TYPE_GROUPS>;\n\n/** Which nodes a rule applies to. Empty scope (no groups/types) = all nodes. */\nexport const RuleScopeSchema = z.object({\n groups: z.array(z.enum(NODE_TYPE_GROUP_KEYS as [string, ...string[]])).optional(),\n types: z.array(z.enum(NODE_TYPES)).optional(),\n});\nexport type RuleScope = z.infer<typeof RuleScopeSchema>;\n\n/** Closed set of node fields a condition may read (no prototype/field injection). */\nexport const FieldPathSchema = z.enum([\n 'type', 'name', 'domain', 'subDomain', 'confidence', 'qualityScore',\n 'owner', 'tags', 'metadataKeys', 'metadataValues',\n]);\nexport type FieldPath = z.infer<typeof FieldPathSchema>;\n\n/** Engine-owned named regexes — a ruleset can never supply a raw pattern. */\nexport const PATTERN_NAMES = ['dsn_with_credentials', 'owner_key', 'public_exposure'] as const;\n\nexport const ConditionSchema = z.object({\n field: FieldPathSchema,\n op: z.enum(['present', 'absent', 'lt', 'lte', 'gt', 'gte', 'eq', 'includes', 'matches']),\n value: z.union([z.string(), z.number()]).optional(),\n pattern: z.enum(PATTERN_NAMES).optional(),\n});\nexport type Condition = z.infer<typeof ConditionSchema>;\n\n/** A serializable check: a leaf Condition or an all/any/not combinator. */\nexport type RuleCheck =\n | Condition\n | { all: RuleCheck[] }\n | { any: RuleCheck[] }\n | { not: RuleCheck };\n\nexport const RuleCheckSchema: z.ZodType<RuleCheck> = z.lazy(() =>\n z.union([\n ConditionSchema,\n z.object({ all: z.array(RuleCheckSchema) }),\n z.object({ any: z.array(RuleCheckSchema) }),\n z.object({ not: RuleCheckSchema }),\n ]),\n);\n\nexport const SEVERITIES = ['critical', 'high', 'medium', 'low'] as const;\nexport const SeveritySchema = z.enum(SEVERITIES);\nexport type Severity = z.infer<typeof SeveritySchema>;\n\n/** Severity → score weight (decision #5). */\nexport const SEVERITY_WEIGHT: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1 };\n\nexport const ComplianceRuleSchema = z.object({\n id: z.string(),\n control: z.string().describe('External control id, e.g. \"CIS-1.4\"'),\n framework: z.enum(['CIS', 'SOC2', 'ISO27001', 'baseline']),\n title: z.string(),\n severity: SeveritySchema,\n rationale: z.string(),\n scope: RuleScopeSchema,\n /**\n * Optional applicability predicate (decision #7): a scoped node is only counted\n * when this is absent or evaluates true — so a rule needing a signal that's absent\n * everywhere becomes `not_applicable` rather than failing on sparse data.\n */\n applicableWhen: RuleCheckSchema.optional(),\n check: RuleCheckSchema,\n});\nexport type ComplianceRule = z.infer<typeof ComplianceRuleSchema>;\n\nexport const RulesetSchema = z.object({\n name: z.string(),\n version: z.string(),\n framework: z.string(),\n description: z.string(),\n rules: z.array(ComplianceRuleSchema).min(1),\n}).superRefine((rs, ctx) => {\n const seen = new Set<string>();\n for (const r of rs.rules) {\n if (seen.has(r.id)) ctx.addIssue({ code: 'custom', message: `duplicate rule id: ${r.id}`, path: ['rules'] });\n seen.add(r.id);\n }\n});\nexport type Ruleset = z.infer<typeof RulesetSchema>;\n\nexport const ControlResultSchema = z.object({\n ruleId: z.string(),\n control: z.string(),\n framework: z.string(),\n severity: SeveritySchema,\n status: z.enum(['pass', 'fail', 'not_applicable']),\n applicableCount: z.number().int(),\n passedCount: z.number().int(),\n failingNodeIds: z.array(z.string()),\n});\nexport type ControlResult = z.infer<typeof ControlResultSchema>;\n\nexport const ComplianceReportSchema = z.object({\n rulesetName: z.string(),\n rulesetVersion: z.string(),\n generatedAt: z.string(),\n score: z.number().min(0).max(100).nullable(),\n status: z.enum(['pass', 'fail', 'not_applicable']),\n totals: z.object({\n rules: z.number(), applicable: z.number(), passed: z.number(),\n failed: z.number(), notApplicable: z.number(),\n }),\n bySeverity: z.record(SeveritySchema, z.object({ passed: z.number(), failed: z.number() })),\n controls: z.array(ControlResultSchema),\n gaps: z.array(z.object({\n ruleId: z.string(), control: z.string(), severity: SeveritySchema,\n title: z.string(), nodeIds: z.array(z.string()),\n })),\n});\nexport type ComplianceReport = z.infer<typeof ComplianceReportSchema>;\n","/**\n * Compliance scoring engine (3.4) — pure, deterministic, DB-free.\n *\n * `scoreTopology({nodes, edges}, ruleset)` mirrors `diffTopology`'s shape: plain\n * arrays in, a structured `ComplianceReport` out. The engine is the only trusted\n * evaluator of the declarative `RuleCheck` DSL — no `eval`, no ruleset-supplied\n * code or regex. Iteration order is stabilised (nodes + rules sorted by id) so the\n * report is byte-stable for a fixed `now`.\n */\n\nimport type { NodeRow, EdgeRow } from '../types.js';\nimport { NODE_TYPE_GROUPS } from '../types.js';\nimport { redactSecrets } from '../tools.js';\nimport {\n RulesetSchema, SEVERITY_WEIGHT, SEVERITIES,\n} from './types.js';\nimport type {\n Ruleset, ComplianceRule, ComplianceReport, ControlResult, Condition, RuleCheck, Severity, FieldPath,\n} from './types.js';\n\nexport interface ComplianceInput { nodes: NodeRow[]; edges: EdgeRow[]; }\n\n/** Engine-owned named regexes (a ruleset references these by name, never supplies one). */\nconst OWNER_KEY_RE = /^(owner|team|maintainer|contact|owned[-_]?by)$/i;\nconst PUBLIC_EXPOSURE_RE = /(^|[^0-9])0\\.0\\.0\\.0(\\/0)?|public|internet|exposed/i;\n\n/** Read a closed-enum field off a node as a comparable value. */\nfunction readField(node: NodeRow, field: FieldPath): unknown {\n switch (field) {\n case 'type': return node.type;\n case 'name': return node.name;\n case 'domain': return node.domain;\n case 'subDomain': return node.subDomain;\n case 'confidence': return node.confidence;\n case 'qualityScore': return node.qualityScore;\n case 'owner': return node.owner;\n case 'tags': return node.tags;\n case 'metadataKeys': return Object.keys(node.metadata ?? {});\n case 'metadataValues': return Object.values(node.metadata ?? {}).map((v) => (typeof v === 'string' ? v : JSON.stringify(v)));\n }\n}\n\n/** True if `value` \"has content\": non-empty array/string, defined number/other. */\nfunction isPresent(value: unknown): boolean {\n if (value === undefined || value === null) return false;\n if (Array.isArray(value)) return value.length > 0;\n if (typeof value === 'string') return value.length > 0;\n return true;\n}\n\nfunction matchesPattern(value: unknown, pattern: NonNullable<Condition['pattern']>): boolean {\n const test = (s: string): boolean => {\n switch (pattern) {\n case 'dsn_with_credentials': return redactSecrets(s) !== s; // a credential was present\n case 'owner_key': return OWNER_KEY_RE.test(s);\n case 'public_exposure': return PUBLIC_EXPOSURE_RE.test(s);\n }\n };\n if (Array.isArray(value)) return value.some((v) => typeof v === 'string' && test(v));\n return typeof value === 'string' && test(value);\n}\n\nexport function evaluateCondition(node: NodeRow, cond: Condition): boolean {\n const v = readField(node, cond.field);\n switch (cond.op) {\n case 'present': return isPresent(v);\n case 'absent': return !isPresent(v);\n case 'lt': return typeof v === 'number' && typeof cond.value === 'number' && v < cond.value;\n case 'lte': return typeof v === 'number' && typeof cond.value === 'number' && v <= cond.value;\n case 'gt': return typeof v === 'number' && typeof cond.value === 'number' && v > cond.value;\n case 'gte': return typeof v === 'number' && typeof cond.value === 'number' && v >= cond.value;\n case 'eq': return v === cond.value;\n case 'includes': return Array.isArray(v) && cond.value !== undefined && v.includes(cond.value as never);\n case 'matches': return cond.pattern !== undefined && matchesPattern(v, cond.pattern);\n }\n}\n\nexport function evaluateCheck(node: NodeRow, check: RuleCheck): boolean {\n if ('all' in check) return check.all.every((c) => evaluateCheck(node, c));\n if ('any' in check) return check.any.some((c) => evaluateCheck(node, c));\n if ('not' in check) return !evaluateCheck(node, check.not);\n return evaluateCondition(node, check);\n}\n\n/** Expand a rule's scope to the set of node types it targets (empty = all types). */\nfunction scopedTypes(rule: ComplianceRule): Set<string> | null {\n const { groups, types } = rule.scope;\n if ((!groups || groups.length === 0) && (!types || types.length === 0)) return null; // all\n const out = new Set<string>();\n for (const g of groups ?? []) for (const t of NODE_TYPE_GROUPS[g as keyof typeof NODE_TYPE_GROUPS]) out.add(t);\n for (const t of types ?? []) out.add(t);\n return out;\n}\n\n/** Nodes a rule applies to: scope-matched AND (applicableWhen absent or true). */\nfunction applicableNodes(nodes: NodeRow[], rule: ComplianceRule): NodeRow[] {\n const types = scopedTypes(rule);\n return nodes.filter((n) =>\n (types === null || types.has(n.type)) &&\n (rule.applicableWhen === undefined || evaluateCheck(n, rule.applicableWhen)),\n );\n}\n\nexport function evaluateRule(input: ComplianceInput, rule: ComplianceRule): ControlResult {\n const applicable = applicableNodes(input.nodes, rule);\n const base = { ruleId: rule.id, control: rule.control, framework: rule.framework, severity: rule.severity };\n if (applicable.length === 0) {\n return { ...base, status: 'not_applicable', applicableCount: 0, passedCount: 0, failingNodeIds: [] };\n }\n const failingNodeIds = applicable.filter((n) => !evaluateCheck(n, rule.check)).map((n) => n.id).sort();\n return {\n ...base,\n status: failingNodeIds.length === 0 ? 'pass' : 'fail',\n applicableCount: applicable.length,\n passedCount: applicable.length - failingNodeIds.length,\n failingNodeIds,\n };\n}\n\n/**\n * Score a topology against a ruleset. `score = round(100 × Σweight(passed applicable) /\n * Σweight(applicable))`, weighted by severity, with not-applicable controls excluded\n * from the denominator. `score = null` / `status = 'not_applicable'` when nothing applies.\n */\nexport function scoreTopology(input: ComplianceInput, ruleset: Ruleset, opts?: { now?: string }): ComplianceReport {\n const nodes = [...input.nodes].sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));\n const rules = [...ruleset.rules].sort((a, b) => (a.id < b.id ? -1 : a.id > b.id ? 1 : 0));\n const controls = rules.map((r) => evaluateRule({ nodes, edges: input.edges }, r));\n\n const bySeverity = Object.fromEntries(SEVERITIES.map((s) => [s, { passed: 0, failed: 0 }])) as ComplianceReport['bySeverity'];\n let applicable = 0, passed = 0, failed = 0, notApplicable = 0;\n let weightTotal = 0, weightPassed = 0;\n const gaps: ComplianceReport['gaps'] = [];\n\n for (const c of controls) {\n const w = SEVERITY_WEIGHT[c.severity as Severity];\n if (c.status === 'not_applicable') { notApplicable++; continue; }\n applicable++;\n weightTotal += w;\n if (c.status === 'pass') { passed++; weightPassed += w; bySeverity[c.severity].passed++; }\n else {\n failed++; bySeverity[c.severity].failed++;\n const rule = rules.find((r) => r.id === c.ruleId)!;\n gaps.push({ ruleId: c.ruleId, control: c.control, severity: c.severity, title: rule.title, nodeIds: c.failingNodeIds });\n }\n }\n\n const score = applicable === 0 ? null : Math.round((100 * weightPassed) / weightTotal);\n const status: ComplianceReport['status'] = applicable === 0 ? 'not_applicable' : failed === 0 ? 'pass' : 'fail';\n\n return {\n rulesetName: ruleset.name,\n rulesetVersion: ruleset.version,\n generatedAt: opts?.now ?? new Date().toISOString(),\n score,\n status,\n totals: { rules: rules.length, applicable, passed, failed, notApplicable },\n bySeverity,\n controls,\n gaps,\n };\n}\n\n/** Validate raw ruleset data (used by the registry and any future import path). */\nexport function loadRuleset(raw: unknown): Ruleset {\n return RulesetSchema.parse(raw);\n}\n","/**\n * Topology diffing — pure, deterministic comparison of two discovery snapshots.\n *\n * This module knows nothing about the database; it operates on plain\n * node/edge arrays so it can be unit-tested in isolation and reused by the\n * CLI, the MCP server, and the exporter. Drift is detected on a stable\n * projection of node fields (see DRIFT_FIELDS); `confidence` is reported but\n * never on its own marks a node as changed.\n */\n\nimport type { NodeRow, EdgeRow, NodeChange, DriftField } from './types.js';\nimport { DRIFT_FIELDS } from './types.js';\n\n/** Logical identity of an edge within a session: source + target + relationship. */\nconst edgeKey = (e: EdgeRow): string => `${e.sourceId}\u0000${e.targetId}\u0000${e.relationship}`;\n\n/** Deterministic JSON serialization with recursively sorted object keys. */\nexport function stableStringify(value: unknown): string {\n if (value === null || typeof value !== 'object') return JSON.stringify(value) ?? 'null';\n if (Array.isArray(value)) return `[${value.map(stableStringify).join(',')}]`;\n const keys = Object.keys(value as Record<string, unknown>).sort();\n return `{${keys.map((k) => `${JSON.stringify(k)}:${stableStringify((value as Record<string, unknown>)[k])}`).join(',')}}`;\n}\n\n/** Return the subset of DRIFT_FIELDS that differ between two nodes (order-independent). */\nfunction driftedFields(a: NodeRow, b: NodeRow): DriftField[] {\n const changed: DriftField[] = [];\n for (const f of DRIFT_FIELDS) {\n if (f === 'tags') {\n if ([...a.tags].sort().join('\u0000') !== [...b.tags].sort().join('\u0000')) changed.push(f);\n } else if (f === 'metadata' || f === 'cost') {\n // `cost` is an object (3.3); a reference compare via `!==` would always mis-fire.\n if (stableStringify(a[f]) !== stableStringify(b[f])) changed.push(f);\n } else if (a[f] !== b[f]) {\n changed.push(f);\n }\n }\n return changed;\n}\n\nexport interface TopologyInput {\n nodes: NodeRow[];\n edges: EdgeRow[];\n}\n\nexport interface TopologyDelta {\n nodes: { added: NodeRow[]; removed: NodeRow[]; changed: NodeChange[]; unchanged: number };\n edges: { added: EdgeRow[]; removed: EdgeRow[]; unchanged: number };\n summary: {\n nodesAdded: number; nodesRemoved: number; nodesChanged: number;\n edgesAdded: number; edgesRemoved: number;\n };\n}\n\n/**\n * Compute the delta from `base` to `current`. Nodes are keyed by `id`, edges by\n * (source, target, relationship). Pure: same inputs always yield the same output.\n */\nexport function diffTopology(base: TopologyInput, current: TopologyInput): TopologyDelta {\n const baseNodes = new Map(base.nodes.map((n) => [n.id, n]));\n const curNodes = new Map(current.nodes.map((n) => [n.id, n]));\n\n const added: NodeRow[] = [];\n const removed: NodeRow[] = [];\n const changed: NodeChange[] = [];\n let unchangedNodes = 0;\n\n for (const [id, after] of curNodes) {\n const before = baseNodes.get(id);\n if (!before) {\n added.push(after);\n continue;\n }\n const fields = driftedFields(before, after);\n if (fields.length > 0) {\n changed.push({ id, before, after, changedFields: fields, confidenceDelta: after.confidence - before.confidence });\n } else {\n unchangedNodes++;\n }\n }\n for (const [id, before] of baseNodes) {\n if (!curNodes.has(id)) removed.push(before);\n }\n\n const baseEdges = new Map(base.edges.map((e) => [edgeKey(e), e]));\n const curEdges = new Map(current.edges.map((e) => [edgeKey(e), e]));\n const edgesAdded: EdgeRow[] = [];\n const edgesRemoved: EdgeRow[] = [];\n let unchangedEdges = 0;\n for (const [k, e] of curEdges) {\n if (baseEdges.has(k)) unchangedEdges++;\n else edgesAdded.push(e);\n }\n for (const [k, e] of baseEdges) {\n if (!curEdges.has(k)) edgesRemoved.push(e);\n }\n\n return {\n nodes: { added, removed, changed, unchanged: unchangedNodes },\n edges: { added: edgesAdded, removed: edgesRemoved, unchanged: unchangedEdges },\n summary: {\n nodesAdded: added.length,\n nodesRemoved: removed.length,\n nodesChanged: changed.length,\n edgesAdded: edgesAdded.length,\n edgesRemoved: edgesRemoved.length,\n },\n };\n}\n","/**\n * Anomaly detection (3.6) — pure, deterministic flagging of standing structural risk.\n *\n * Knows nothing about the database; operates on plain `NodeRow[]` + an in-memory\n * degree map so it can be unit-tested in isolation and reused by the CLI, the MCP\n * server, and the scheduled-scan alert path (3.1). Same topology always yields the\n * same anomalies with identical `reason` strings (mirrors `deriveSessionName`). No\n * LLM, no I/O, no dependency. `reason` interpolates only the structured `nodeId` and\n * numeric scores — never raw node name/metadata (prompt-injection safe).\n */\n\nimport type { NodeRow, Anomaly, AnomalyThresholds, AnomalySeverity } from './types.js';\nimport { NODE_TYPE_GROUPS, DEFAULT_ANOMALY_THRESHOLDS } from './types.js';\n\nexport { DEFAULT_ANOMALY_THRESHOLDS };\n\n/** Node types in a managed family; anything else (incl. 'unknown') is shadow-IT-eligible. */\nconst MANAGED_TYPES: ReadonlySet<string> = new Set(Object.values(NODE_TYPE_GROUPS).flat());\n\n/** True when a node has no business domain ('(none)' is the summary's sentinel). */\nfunction hasNoDomain(n: NodeRow): boolean {\n return n.domain == null || n.domain === '' || n.domain === '(none)';\n}\n\n/** Flag zero/weak-degree nodes. degree 0 → high; 1..orphanWeakDegree → low. */\nexport function detectOrphans(\n nodes: NodeRow[],\n degree: ReadonlyMap<string, number>,\n thresholds: AnomalyThresholds = DEFAULT_ANOMALY_THRESHOLDS,\n): Anomaly[] {\n const out: Anomaly[] = [];\n for (const n of nodes) {\n const d = degree.get(n.id) ?? 0;\n if (d === 0) {\n out.push({ nodeId: n.id, kind: 'orphan', severity: 'high', reason: 'zero-degree node (no edges)' });\n } else if (d <= thresholds.orphanWeakDegree) {\n out.push({ nodeId: n.id, kind: 'orphan', severity: 'low', reason: `weakly-connected node (degree ${d})` });\n }\n }\n return out;\n}\n\n/** Flag unmanaged-type or undomained low-confidence/quality nodes. */\nexport function detectShadowIt(\n nodes: NodeRow[],\n thresholds: AnomalyThresholds = DEFAULT_ANOMALY_THRESHOLDS,\n): Anomaly[] {\n const out: Anomaly[] = [];\n for (const n of nodes) {\n if (!MANAGED_TYPES.has(n.type)) {\n out.push({ nodeId: n.id, kind: 'shadow-it', severity: 'medium', reason: `unmanaged node type \"${n.type}\"` });\n continue;\n }\n if (hasNoDomain(n)) {\n const lowConf = n.confidence < thresholds.shadowConfidence;\n const lowQual = n.qualityScore != null && n.qualityScore < thresholds.shadowQuality;\n if (lowConf || lowQual) {\n const sev: AnomalySeverity = lowConf && lowQual ? 'high' : 'medium';\n const parts: string[] = [];\n if (lowConf) parts.push(`low confidence ${n.confidence.toFixed(2)}`);\n if (lowQual) parts.push(`low quality ${n.qualityScore}`);\n out.push({ nodeId: n.id, kind: 'shadow-it', severity: sev, reason: `${parts.join(' and ')} with no business domain` });\n }\n }\n }\n return out;\n}\n\n/** Aggregate + stable sort (nodeId, then kind). Returns [] for an empty topology. */\nexport function detectAnomalies(\n nodes: NodeRow[],\n degree: ReadonlyMap<string, number>,\n thresholds: AnomalyThresholds = DEFAULT_ANOMALY_THRESHOLDS,\n): Anomaly[] {\n return [...detectOrphans(nodes, degree, thresholds), ...detectShadowIt(nodes, thresholds)]\n .sort((a, b) => a.nodeId.localeCompare(b.nodeId) || a.kind.localeCompare(b.kind));\n}\n\n/** Anomalies present in `current` but absent in `base`, keyed by (nodeId, kind). Pure & order-stable. */\nexport function newAnomalies(base: Anomaly[], current: Anomaly[]): Anomaly[] {\n const seen = new Set(base.map((a) => `${a.nodeId}|${a.kind}`));\n return current.filter((a) => !seen.has(`${a.nodeId}|${a.kind}`));\n}\n","/**\n * Public Scanner SPI — the documented extension contract for out-of-tree\n * `@datasynx/scanner-*` packages.\n *\n * A plugin package default-exports `definePlugin({ name, register })`. Its\n * `register(api)` calls `api.registerScanner(scanner)` for each scanner it\n * provides. The core validates, namespaces (`plugin:<pkg>:<id>`), command-gates\n * and freezes each registered scanner — a plugin never imports core internals\n * beyond the published types here. Loading is opt-in (`config.plugins`) and a\n * broken plugin is isolated, never aborting discovery.\n */\n\nimport { z } from 'zod';\nimport type { Scanner } from './types.js';\n\n/** The only surface a plugin's `register()` touches. */\nexport interface ScannerPluginApi {\n /** Register a scanner the host will namespace, command-gate, and freeze. */\n registerScanner(scanner: Scanner): void;\n}\n\n/** The default-exported shape a `@datasynx/scanner-*` package implements. */\nexport interface ScannerPlugin {\n /** Human-readable plugin name (informational; the package name is the identity). */\n name: string;\n /** Register the plugin's scanners through the host-provided API. */\n register(api: ScannerPluginApi): void;\n}\n\n/**\n * Identity helper a plugin author default-exports. It only narrows the type so\n * editors guide authoring; it adds no runtime behaviour.\n */\nexport function definePlugin(plugin: ScannerPlugin): ScannerPlugin {\n return plugin;\n}\n\n/**\n * Zod shape validating a {@link Scanner} produced by an external plugin.\n * `platforms` uses the concrete `Platform` literals so an invalid platform is\n * rejected at registration; `detect`/`scan` are validated as callables only\n * (their async signatures cannot be expressed in zod) — behavioural safety comes\n * from the gated `ctx.run` wrapper plus the per-scanner runtime try/catch.\n */\nexport const ScannerShape = z.object({\n id: z.string().min(1),\n title: z.string().min(1),\n platforms: z.union([\n z.literal('all'),\n z.array(z.enum(['linux', 'darwin', 'win32'])).nonempty(),\n ]),\n allowedCommands: z.array(z.string().min(1)).optional(),\n detect: z.custom<Scanner['detect']>((v) => typeof v === 'function', {\n message: 'detect must be a function',\n }),\n scan: z.custom<Scanner['scan']>((v) => typeof v === 'function', {\n message: 'scan must be a function',\n }),\n});\n\n/**\n * Validate an unknown value as a {@link Scanner}; throws `ZodError` on mismatch.\n * Returns the original value (the parsed result discards the live function\n * references), so the caller keeps the real `detect`/`scan` closures.\n */\nexport function validateScanner(value: unknown): Scanner {\n ScannerShape.parse(value);\n return value as Scanner;\n}\n","/**\n * Scanner plugin contract.\n *\n * A scanner detects whether it applies to the current machine, then produces a\n * read-only {@link ScanResult}: deterministic nodes/edges where the data is\n * structured enough, plus an optional raw report for an LLM to classify further.\n *\n * Modeled on Steampipe plugins / Backstage processors: new sources can be added\n * (in-tree or via `@datasynx/scanner-*` packages) and registered without forking\n * the core. Each scanner declares the commands it needs, feeding the safety layer.\n */\n\nimport type { Platform } from '../platform.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport type { BookmarkHost } from '../bookmarks.js';\nimport { checkReadOnly } from '../allowlist.js';\nimport { validateScanner } from './spi.js';\n\nexport interface ScanContext {\n /** Optional focus hint from the caller (e.g. tool names to look for). */\n hint?: string;\n /** The current platform. */\n platform: Platform;\n /** Allowlist-gated command runner (returns '' on error/blocked). */\n run: (cmd: string, opts?: { timeout?: number; env?: NodeJS.ProcessEnv }) => string;\n /**\n * Injectable seam: resolve a command to its path ('' if absent). Defaults to the\n * real `commandExists` when omitted. Lets scanners run deterministically in tests.\n */\n commandExists?: (cmd: string) => string;\n /** Injectable seam: raw listening-port output. Defaults to `scanListeningPorts`. */\n scanListeningPorts?: () => string;\n /** Injectable seam: raw established-connection output (3.2). Defaults to `scanEstablishedConnections`. */\n scanEstablishedConnections?: () => string;\n /** Injectable seam: cross-platform file search (3.2). Defaults to `findFiles`. */\n findFiles?: (dirs: string[], patterns: string[], maxDepth: number, limit: number) => string;\n /** Injectable seam: browser-bookmark host source. Defaults to `scanAllBookmarks`. */\n scanBookmarks?: () => Promise<BookmarkHost[]>;\n}\n\nexport interface ScanResult {\n /** Deterministically classified nodes. */\n nodes: DiscoveryNode[];\n /** Deterministically classified edges. */\n edges: DiscoveryEdge[];\n /** Optional raw text report for LLM-driven classification. */\n report?: string;\n}\n\nexport interface Scanner {\n /** Stable id, e.g. \"bookmarks\", \"installed-apps\", \"cloud-aws\". */\n id: string;\n /** Human-readable title. */\n title: string;\n /** Platforms this scanner supports, or 'all'. */\n platforms: Platform[] | 'all';\n /** Read-only commands this scanner may run (declared for the safety layer/docs). */\n allowedCommands?: string[];\n /** Cheap check whether the scanner applies here (e.g. a CLI is installed). */\n detect(ctx: ScanContext): boolean | Promise<boolean>;\n /** Perform the read-only scan. */\n scan(ctx: ScanContext): Promise<ScanResult>;\n}\n\n/** A typed registry of scanners with lazy, platform-aware selection. */\nexport class ScannerRegistry {\n private scanners = new Map<string, Scanner>();\n\n register(scanner: Scanner): this {\n if (this.scanners.has(scanner.id)) throw new Error(`scanner already registered: ${scanner.id}`);\n this.scanners.set(scanner.id, scanner);\n return this;\n }\n\n /**\n * Register a {@link Scanner} produced by an external plugin package. Validates\n * the shape (throws `ZodError` on mismatch), namespaces the id to\n * `plugin:<pkg>:<id>` (avoiding collisions with built-ins and across plugins),\n * wraps `scan()` so the scanner's `ctx.run` is gated by its declared\n * `allowedCommands` intersected with the central read-only allowlist\n * ({@link checkReadOnly}), and freezes the wrapper. Reuses the duplicate-id\n * guard in {@link register}.\n *\n * The gated runner delegates the actual execution to the host-supplied\n * `ctx.run` (the platform runner), so the global read-only floor still applies\n * and `allowedCommands` is a *second*, scanner-scoped least-privilege boundary.\n * A command runs only if its leading executable is declared AND the whole\n * command passes `checkReadOnly`; otherwise the runner returns `''` (the\n * documented \"blocked → ''\" contract).\n */\n registerExternal(pkg: string, scanner: Scanner): this {\n const valid = validateScanner(scanner);\n const id = `plugin:${pkg}:${valid.id}`;\n const declared = valid.allowedCommands ?? [];\n const wrapped: Scanner = Object.freeze({\n id,\n title: valid.title,\n platforms: valid.platforms,\n allowedCommands: declared,\n detect: (ctx: ScanContext) => valid.detect(ctx),\n scan: (ctx: ScanContext) =>\n valid.scan({\n ...ctx,\n run: (cmd, opts) => {\n const exe = cmd.trim().split(/\\s+/)[0] ?? '';\n if (!declared.includes(exe)) return '';\n if (!checkReadOnly(cmd).allowed) return '';\n return ctx.run(cmd, opts);\n },\n }),\n });\n return this.register(wrapped);\n }\n\n get(id: string): Scanner | undefined {\n return this.scanners.get(id);\n }\n\n list(): Scanner[] {\n return [...this.scanners.values()];\n }\n\n /** Scanners whose `platforms` include the given platform. */\n forPlatform(platform: Platform): Scanner[] {\n return this.list().filter((s) => s.platforms === 'all' || s.platforms.includes(platform));\n }\n}\n","import type { Scanner, ScanResult } from './types.js';\nimport type { DiscoveryNode } from '../types.js';\nimport { scanAllBookmarks } from '../bookmarks.js';\n\n/**\n * Hostname substrings that indicate a personal site — never catalogued, and the\n * hard floor for the 2.10 sharing policy (a personal host is forced to `'none'`\n * regardless of policy). Single-sourced here and shared via {@link isPersonalHost}\n * so the never-share list never forks.\n */\nexport const PERSONAL = [\n 'facebook.', 'instagram.', 'twitter.', 'x.com', 'tiktok.', 'reddit.', 'youtube.', 'netflix.',\n 'spotify.', 'twitch.', 'pinterest.', 'snapchat.', 'whatsapp.', 'amazon.', 'ebay.', 'aliexpress.',\n 'cnn.', 'bbc.', 'nytimes.', 'espn.', 'booking.', 'airbnb.', 'tripadvisor.', 'wikipedia.',\n];\n\n/** True when `host` matches a PERSONAL substring (case-insensitive). */\nexport function isPersonalHost(host: string): boolean {\n const h = host.toLowerCase();\n return PERSONAL.some((p) => h.includes(p));\n}\n\n/** Well-known business/SaaS hostnames → catalogued as saas_tool. */\nconst BUSINESS = [\n 'github.', 'gitlab.', 'bitbucket.', 'atlassian.', 'jira.', 'confluence.', 'notion.', 'linear.',\n 'slack.', 'zoom.', 'figma.', 'miro.', 'vercel.', 'netlify.', 'heroku.', 'datadog', 'sentry.',\n 'grafana.', 'pagerduty.', 'aws.amazon.', 'console.cloud.google', 'portal.azure', 'cloudflare.',\n 'hubspot.', 'salesforce.', 'stripe.', 'twilio.', 'sendgrid.', 'mailchimp.', 'segment.', 'mixpanel.',\n 'amplitude.', 'looker.', 'tableau.', 'snowflake.', 'databricks.', 'mongodb.', 'redis.', 'elastic.',\n 'openai.', 'anthropic.', 'huggingface.', 'docker.', 'npmjs.', 'pypi.', 'circleci.', 'travis-ci.',\n 'jenkins.', 'terraform.', 'hashicorp.', 'okta.', 'auth0.', '1password.', 'asana.', 'trello.', 'monday.',\n];\n\nfunction classify(hostname: string): { type: DiscoveryNode['type']; confidence: number } | null {\n const h = hostname.toLowerCase();\n if (isPersonalHost(h)) return null;\n if (BUSINESS.some((b) => h.includes(b))) return { type: 'saas_tool', confidence: 0.7 };\n // Internal/custom hosts (IPs or *.company.tld with non-standard ports) → web_service\n if (/^\\d+\\.\\d+\\.\\d+\\.\\d+$/.test(h) || /\\.(internal|local|corp|lan)\\b/.test(h)) {\n return { type: 'web_service', confidence: 0.6 };\n }\n return null; // unknown public host — leave for LLM-driven classification\n}\n\nexport const bookmarksScanner: Scanner = {\n id: 'bookmarks',\n title: 'Browser bookmarks',\n platforms: 'all',\n detect: () => true,\n async scan(ctx): Promise<ScanResult> {\n const hosts = await (ctx.scanBookmarks ?? scanAllBookmarks)();\n const seen = new Set<string>();\n const nodes: DiscoveryNode[] = [];\n for (const host of hosts) {\n const klass = classify(host.hostname);\n if (!klass) continue;\n const id = `${klass.type}:${host.hostname}`;\n if (seen.has(id)) continue;\n seen.add(id);\n nodes.push({\n id, type: klass.type, name: host.hostname, discoveredVia: 'bookmark',\n confidence: klass.confidence, tags: ['bookmark'],\n metadata: { protocol: host.protocol, ...(host.port ? { port: host.port } : {}) },\n });\n }\n return { nodes, edges: [] };\n },\n};\n","import type { Scanner, ScanResult } from './types.js';\nimport type { DiscoveryNode } from '../types.js';\nimport { commandExists } from '../platform.js';\n\n/** Known CLIs/tools grouped by category — detected deterministically via `commandExists`. */\nconst KNOWN_TOOLS: Record<string, string[]> = {\n ide: ['code', 'code-insiders', 'cursor', 'windsurf', 'zed', 'nvim', 'vim', 'emacs', 'idea', 'webstorm', 'pycharm', 'goland', 'datagrip', 'clion', 'rider', 'phpstorm'],\n 'dev-tool': ['git', 'gh', 'docker', 'docker-compose', 'podman', 'kubectl', 'helm', 'terraform', 'ansible', 'vagrant', 'packer', 'consul', 'vault', 'nomad'],\n runtime: ['node', 'npm', 'pnpm', 'yarn', 'bun', 'deno', 'python', 'python3', 'pip', 'poetry', 'ruby', 'rails', 'java', 'mvn', 'gradle', 'go', 'cargo', 'rustc', 'php', 'composer', 'dotnet'],\n database: ['psql', 'mysql', 'mongosh', 'redis-cli', 'sqlite3', 'clickhouse-client'],\n cloud: ['aws', 'gcloud', 'az', 'heroku', 'fly', 'vercel', 'netlify', 'wrangler', 'supabase'],\n browser: ['google-chrome', 'chromium', 'firefox', 'brave', 'opera'],\n observability: ['prometheus', 'grafana-cli', 'datadog-agent', 'newrelic-agent'],\n};\n\nexport const installedAppsScanner: Scanner = {\n id: 'installed-apps',\n title: 'Installed apps & developer tools',\n platforms: 'all',\n allowedCommands: ['which', 'command', 'Get-Command'],\n detect: () => true,\n async scan(ctx): Promise<ScanResult> {\n const nodes: DiscoveryNode[] = [];\n const hintTerms = (ctx.hint ?? '').toLowerCase().split(/[\\s,]+/).filter(Boolean);\n for (const [category, tools] of Object.entries(KNOWN_TOOLS)) {\n for (const tool of tools) {\n const path = (ctx.commandExists ?? commandExists)(tool);\n if (!path) continue;\n const boosted = hintTerms.some((t) => tool.includes(t));\n nodes.push({\n id: `saas_tool:${tool}`,\n type: 'saas_tool',\n name: tool,\n discoveredVia: 'installed-app',\n confidence: boosted ? 0.95 : 0.9,\n tags: [category],\n metadata: { category, path },\n });\n }\n }\n return { nodes, edges: [] };\n },\n};\n","import type { Scanner, ScanResult } from './types.js';\nimport type { DiscoveryNode, NodeType } from '../types.js';\nimport { scanListeningPorts } from '../platform.js';\n\n/** Well-known listening ports → node type + service name. */\nexport const PORT_MAP: Record<number, { type: NodeType; service: string }> = {\n 5432: { type: 'database_server', service: 'postgresql' },\n 3306: { type: 'database_server', service: 'mysql' },\n 1433: { type: 'database_server', service: 'sqlserver' },\n 27017: { type: 'database_server', service: 'mongodb' },\n 9200: { type: 'database_server', service: 'elasticsearch' },\n 6379: { type: 'cache_server', service: 'redis' },\n 11211: { type: 'cache_server', service: 'memcached' },\n 9092: { type: 'message_broker', service: 'kafka' },\n 5672: { type: 'message_broker', service: 'rabbitmq' },\n 4222: { type: 'message_broker', service: 'nats' },\n 9090: { type: 'web_service', service: 'prometheus' },\n 3000: { type: 'web_service', service: 'http-app' },\n 8080: { type: 'web_service', service: 'http-app' },\n 8000: { type: 'web_service', service: 'http-app' },\n 80: { type: 'web_service', service: 'http' },\n 443: { type: 'web_service', service: 'https' },\n 8200: { type: 'web_service', service: 'vault' },\n 8500: { type: 'web_service', service: 'consul' },\n 2379: { type: 'web_service', service: 'etcd' },\n 5601: { type: 'web_service', service: 'kibana' },\n 15672: { type: 'web_service', service: 'rabbitmq-management' },\n};\n\n/** Extract distinct listening port numbers from ss/lsof/PowerShell output. */\nexport function extractListeningPorts(raw: string): number[] {\n const ports = new Set<number>();\n for (const m of raw.matchAll(/[:.](\\d{2,5})\\b/g)) {\n const p = Number(m[1]);\n if (p in PORT_MAP) ports.add(p);\n }\n return [...ports];\n}\n\nexport const portsScanner: Scanner = {\n id: 'local-ports',\n title: 'Local listening ports',\n platforms: 'all',\n allowedCommands: ['ss', 'lsof', 'Get-NetTCPConnection'],\n detect: () => true,\n async scan(ctx): Promise<ScanResult> {\n const raw = (ctx.scanListeningPorts ?? scanListeningPorts)();\n const nodes: DiscoveryNode[] = [];\n for (const port of extractListeningPorts(raw)) {\n const { type, service } = PORT_MAP[port]!;\n nodes.push({\n id: `${type}:localhost:${port}`,\n type,\n name: `${service} (:${port})`,\n discoveredVia: 'listening-port',\n confidence: 0.9,\n tags: ['local', service],\n metadata: { port, service, host: 'localhost' },\n });\n }\n return { nodes, edges: [] };\n },\n};\n","/**\n * Confidence rubric for inferred dependency edges (3.2).\n *\n * A single source of truth so every scanner that infers an edge draws its\n * `confidence` from the same strictly-ordered tier set, and downstream consumers\n * (compliance 3.4, anomaly 3.6) can rank evidence quality consistently. All values\n * are in `(0,1]`; confidence is never fabricated — an absent evidence source yields\n * no edge rather than a low-confidence guess.\n */\n\n/** Evidence tiers for inferred dependency edges, strongest first. */\nexport type EvidenceKind =\n | 'established-connection'\n | 'config-declared'\n | 'connection-string'\n | 'co-location';\n\n/** Single source of truth for edge confidence. Strictly ordered, all in (0,1]. */\nexport const CONFIDENCE: Record<EvidenceKind, number> = {\n 'established-connection': 0.85,\n 'config-declared': 0.7,\n 'connection-string': 0.6,\n 'co-location': 0.4,\n};\n\n/** Build a self-describing, auditable evidence string with an ISO-8601 UTC stamp. */\nexport function evidenceLine(kind: EvidenceKind, detail: string): string {\n return `[${kind}] ${detail} @ ${new Date().toISOString()}`;\n}\n","/**\n * Established-connections scanner (3.2).\n *\n * Reads the host's live TCP connections (read-only) and infers `connects_to`\n * edges from a single local `host:localhost` node to any recognized listening\n * service (`${type}:localhost:${port}` from {@link PORT_MAP}). The server-side\n * node is only kept when `portsScanner` also mapped that port in the same run —\n * the in-batch endpoint gate in `runLocalDiscovery` drops edges to ports nothing\n * is listening on (graceful degradation, never an error).\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge } from '../types.js';\nimport { PORT_MAP } from './ports.js';\nimport { CONFIDENCE, evidenceLine } from './confidence.js';\nimport { scanEstablishedConnections } from '../platform.js';\n\nexport interface EstablishedConn { localPort: number; remoteHost: string; remotePort: number; }\n\nconst PORT_RE = /^\\d{1,5}$/;\n\n/** Parse a `host:port` token (IPv4 or `[v6]:port`) into `{ host, port }` or null. */\nfunction splitHostPort(token: string): { host: string; port: number } | null {\n const t = token.trim();\n if (!t) return null;\n const idx = t.lastIndexOf(':');\n if (idx <= 0) return null;\n const host = t.slice(0, idx).replace(/^\\[|\\]$/g, '');\n const portStr = t.slice(idx + 1);\n if (!PORT_RE.test(portStr)) return null;\n const port = Number(portStr);\n if (port < 1 || port > 65535) return null;\n return { host, port };\n}\n\n/**\n * Parse established connections from `ss -tnp`, `lsof -nP`, or PowerShell output\n * (pure, host-independent). Deduplicates and silently ignores unparseable rows.\n *\n * Recognized shapes:\n * - ss: `ESTAB 0 0 127.0.0.1:54321 127.0.0.1:5432 …`\n * - lsof: `node 1 u … TCP 127.0.0.1:54321->127.0.0.1:5432 (ESTABLISHED)`\n * - PS: `127.0.0.1:54321 -> 127.0.0.1:5432`\n */\nexport function parseEstablished(raw: string): EstablishedConn[] {\n const out: EstablishedConn[] = [];\n const seen = new Set<string>();\n const push = (local: { host: string; port: number }, remote: { host: string; port: number }): void => {\n const key = `${local.port}->${remote.host}:${remote.port}`;\n if (seen.has(key)) return;\n seen.add(key);\n out.push({ localPort: local.port, remoteHost: remote.host, remotePort: remote.port });\n };\n\n for (const line of raw.split(/\\r?\\n/)) {\n const l = line.trim();\n if (!l) continue;\n\n // lsof / PowerShell arrow form: local->remote or local -> remote\n const arrow = l.match(/([^\\s]+:\\d{1,5})\\s*->\\s*([^\\s(]+:\\d{1,5})/);\n if (arrow) {\n const local = splitHostPort(arrow[1]);\n const remote = splitHostPort(arrow[2]);\n if (local && remote) push(local, remote);\n continue;\n }\n\n // ss form: whitespace-separated columns; the last two host:port columns are local+peer.\n if (/^ESTAB\\b/i.test(l) || /\\bESTAB\\b/i.test(l)) {\n const cols = l.split(/\\s+/).filter(Boolean);\n const hostPorts = cols\n .map((c) => splitHostPort(c))\n .filter((x): x is { host: string; port: number } => x !== null);\n if (hostPorts.length >= 2) {\n const local = hostPorts[hostPorts.length - 2];\n const remote = hostPorts[hostPorts.length - 1];\n push(local, remote);\n }\n }\n }\n return out;\n}\n\nexport const connectionsScanner: Scanner = {\n id: 'local-connections',\n title: 'Local established connections',\n platforms: 'all',\n allowedCommands: ['ss', 'lsof', 'netstat', 'Get-NetTCPConnection'],\n detect: () => true,\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const conns = parseEstablished((ctx.scanEstablishedConnections ?? scanEstablishedConnections)());\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n if (conns.length === 0) return { nodes, edges };\n\n // One stable self node so the in-batch endpoint gate can anchor client-side edges.\n const selfId = 'host:localhost';\n nodes.push({\n id: selfId,\n type: 'host',\n name: 'localhost',\n discoveredVia: 'established-connection',\n confidence: 0.9,\n metadata: { host: 'localhost' },\n tags: ['local'],\n });\n\n const seenEdge = new Set<string>();\n for (const c of conns) {\n const svc = PORT_MAP[c.remotePort];\n if (!svc) continue; // only connect to recognized services\n const targetId = `${svc.type}:localhost:${c.remotePort}`;\n if (seenEdge.has(targetId)) continue;\n seenEdge.add(targetId);\n edges.push({\n sourceId: selfId,\n targetId,\n relationship: 'connects_to',\n evidence: evidenceLine('established-connection', `${c.localPort} -> ${c.remoteHost}:${c.remotePort}`),\n confidence: CONFIDENCE['established-connection'],\n });\n }\n return { nodes, edges };\n },\n};\n","/**\n * Service & reverse-proxy config scanner (3.2).\n *\n * Infers *declared* dependency edges from local config without running any service:\n * - connection-string env vars (`DATABASE_URL`, `REDIS_URL`, …) → `reads_from` /\n * `depends_on` to `${type}:localhost:${port}`, confidence `connection-string` (0.6);\n * - nginx `upstream` / `proxy_pass` host:port → `depends_on`, confidence `config-declared` (0.7);\n * - docker-compose `depends_on:` → `container:<svc> depends_on container:<dep>`, 0.7.\n *\n * **Security boundary:** connection strings routinely embed credentials and\n * `sanitizeUntrusted` (applied later in `insertEdge`) is NOT a credential filter, so\n * this scanner redacts userinfo / `password=` *before* the value reaches `evidence`.\n */\n\nimport type { Scanner, ScanContext, ScanResult } from './types.js';\nimport type { DiscoveryNode, DiscoveryEdge, EdgeRelationship } from '../types.js';\nimport { PORT_MAP } from './ports.js';\nimport { CONFIDENCE, evidenceLine } from './confidence.js';\nimport { findFiles, IS_WIN } from '../platform.js';\n\n/** Connection-string env var names worth inferring an edge from. */\nconst CONN_VAR_RE = /^(DATABASE_URL|[A-Z0-9_]*_DATABASE_URL|REDIS_URL|[A-Z0-9_]*_REDIS_URL|MONGO_URL|MONGODB_URI|AMQP_URL|[A-Z0-9_]*_URL)$/;\n\n/**\n * Connection-string scheme → well-known port. Deliberately **excludes** `http`/\n * `https`: a generic `FOO_URL=https://example.com` is a web link, not a service\n * dependency, and inferring `reads_from` from it would fabricate edges (e.g. CI's\n * `GITHUB_SERVER_URL`). Only datastore/broker schemes qualify.\n */\nconst SCHEME_PORT: Record<string, number> = {\n postgres: 5432, postgresql: 5432, mysql: 3306, mongodb: 27017, redis: 6379,\n amqp: 5672, kafka: 9092, elasticsearch: 9200,\n};\n\n/** Directories to search for service config, platform-appropriate + cwd. */\nfunction configDirs(): string[] {\n const dirs = [process.cwd()];\n if (!IS_WIN) dirs.push('/etc/nginx', '/etc/nginx/conf.d');\n return dirs;\n}\n\n/**\n * Replace credentials in a connection string with `****` (the security boundary).\n * Strips the `user:pass@` userinfo and any `password=`/`pwd=` query token.\n */\nexport function redactConnectionString(url: string): string {\n return url\n // Match the userinfo up to the *last* `@` before the path (`[^/\\s]+`, greedy),\n // so a password containing a literal `@` (e.g. `root:p@ss@host`) is fully redacted.\n .replace(/(\\b[a-z][a-z0-9+.-]*:\\/\\/)([^/\\s]+)@/i, (_m, scheme: string) => `${scheme}****@`)\n .replace(/\\b(password|pwd)=([^&\\s]+)/gi, '$1=****');\n}\n\n/**\n * Parse nginx `upstream { server host:port; }` and `proxy_pass http://host:port`\n * directives into `{ host, port }` targets (pure, host-independent).\n */\nexport function parseNginxUpstreams(raw: string): { host: string; port: number }[] {\n const out: { host: string; port: number }[] = [];\n const seen = new Set<string>();\n const add = (host: string, port: number): void => {\n const key = `${host}:${port}`;\n if (seen.has(key)) return;\n seen.add(key);\n out.push({ host, port });\n };\n for (const m of raw.matchAll(/\\bserver\\s+([a-zA-Z0-9_.-]+):(\\d{1,5})/g)) add(m[1], Number(m[2]));\n for (const m of raw.matchAll(/\\bproxy_pass\\s+https?:\\/\\/([a-zA-Z0-9_.-]+):(\\d{1,5})/g)) add(m[1], Number(m[2]));\n return out;\n}\n\n/**\n * Parse docker-compose `depends_on:` blocks (both list and map form) into a\n * `{ service, dependsOn[] }` array (pure). Indentation-based, dependency-free.\n */\nexport function parseComposeDeps(raw: string): { service: string; dependsOn: string[] }[] {\n const lines = raw.split(/\\r?\\n/);\n const result: { service: string; dependsOn: string[] }[] = [];\n let inServices = false;\n let servicesIndent = -1;\n let current: { service: string; dependsOn: string[] } | null = null;\n let serviceIndent = -1;\n let inDeps = false;\n let depsIndent = -1;\n\n const indentOf = (s: string): number => s.length - s.trimStart().length;\n\n for (const rawLine of lines) {\n if (!rawLine.trim() || rawLine.trim().startsWith('#')) continue;\n const indent = indentOf(rawLine);\n const trimmed = rawLine.trim();\n\n if (/^services:\\s*$/.test(trimmed)) { inServices = true; servicesIndent = indent; continue; }\n if (!inServices) continue;\n if (indent <= servicesIndent && !/^services:/.test(trimmed)) { inServices = false; current = null; inDeps = false; continue; }\n\n // A service header: `<name>:` at the services' child indent. This always ends\n // any open depends_on block (dep items are *more* indented than the service),\n // so it must take precedence even when inDeps is still true.\n const svcMatch = trimmed.match(/^([a-zA-Z0-9._-]+):\\s*$/);\n const isServiceHeader = !!svcMatch && indent > servicesIndent && (serviceIndent === -1 || indent === serviceIndent);\n if (isServiceHeader) {\n current = { service: svcMatch![1], dependsOn: [] };\n result.push(current);\n serviceIndent = indent;\n inDeps = false;\n continue;\n }\n if (!current) continue;\n\n if (/^depends_on:/.test(trimmed)) {\n inDeps = true;\n depsIndent = indent;\n // inline list form: depends_on: [a, b]\n const inline = trimmed.match(/^depends_on:\\s*\\[(.*)\\]\\s*$/);\n if (inline) {\n for (const dep of inline[1].split(',').map((d) => d.trim().replace(/['\"]/g, '')).filter(Boolean)) {\n current.dependsOn.push(dep);\n }\n inDeps = false;\n }\n continue;\n }\n\n if (inDeps) {\n if (indent <= depsIndent) { inDeps = false; }\n else {\n const listItem = trimmed.match(/^-\\s*([a-zA-Z0-9._-]+)\\s*$/); // - dep\n const mapItem = trimmed.match(/^([a-zA-Z0-9._-]+):\\s*$/); // dep: (long form)\n const dep = listItem?.[1] ?? mapItem?.[1];\n if (dep) { if (!current.dependsOn.includes(dep)) current.dependsOn.push(dep); continue; }\n }\n }\n }\n return result;\n}\n\n/**\n * Map a connection-string env var to a candidate edge (pure). Returns the\n * relationship, the target service port, and a **credential-redacted** evidence\n * string — or null when the scheme/port is not recognized.\n */\nexport function parseConnectionString(name: string, url: string):\n { relationship: EdgeRelationship; service: string; port: number; evidence: string } | null {\n const m = url.match(/^([a-z][a-z0-9+.-]*):\\/\\//i);\n if (!m) return null;\n const scheme = m[1].toLowerCase();\n if (!(scheme in SCHEME_PORT)) return null; // datastore/broker schemes only — never http(s)\n const portMatch = url.match(/:\\/\\/[^/]*?:(\\d{1,5})(?:[/?]|$)/);\n const port = portMatch ? Number(portMatch[1]) : SCHEME_PORT[scheme];\n if (!port || !(port in PORT_MAP)) return null;\n\n // postgres/mysql/mongo/redis → reads_from (conservative; writes_to is never\n // inferred to avoid fabricating certainty). amqp/kafka → depends_on.\n const relationship: EdgeRelationship =\n scheme === 'amqp' || scheme === 'kafka' ? 'depends_on' : 'reads_from';\n const redacted = redactConnectionString(url);\n return {\n relationship,\n service: PORT_MAP[port].service,\n port,\n evidence: evidenceLine('connection-string', `${name}=${redacted}`),\n };\n}\n\n/**\n * True only when an env var's **value** is a real datastore/broker connection\n * string (not merely a `*_URL`-shaped name). Value-based so a generic web `*_URL`\n * (e.g. CI's `GITHUB_SERVER_URL`) never makes the scanner self-activate.\n */\nfunction hasConnVar(env: string): boolean {\n for (const line of env.split(/\\r?\\n/)) {\n const eq = line.indexOf('=');\n if (eq <= 0) continue;\n const name = line.slice(0, eq).trim();\n if (!CONN_VAR_RE.test(name)) continue;\n if (parseConnectionString(name, line.slice(eq + 1).trim())) return true;\n }\n return false;\n}\n\nexport const serviceConfigScanner: Scanner = {\n id: 'service-config',\n title: 'Service & reverse-proxy config',\n platforms: 'all',\n allowedCommands: ['cat', 'grep', 'find', 'printenv', 'ls', 'Get-ChildItem'],\n detect(ctx: ScanContext): boolean {\n const files = (ctx.findFiles ?? findFiles)(configDirs(), ['*.conf', 'nginx.conf', 'docker-compose.y*ml', 'compose.y*ml'], 4, 50);\n if (files.trim().length > 0) return true;\n return hasConnVar(ctx.run('printenv'));\n },\n async scan(ctx: ScanContext): Promise<ScanResult> {\n const nodes: DiscoveryNode[] = [];\n const edges: DiscoveryEdge[] = [];\n const selfId = 'host:localhost';\n let selfEmitted = false;\n const emitSelf = (): void => {\n if (selfEmitted) return;\n selfEmitted = true;\n nodes.push({ id: selfId, type: 'host', name: 'localhost', discoveredVia: 'service-config', confidence: 0.9, metadata: { host: 'localhost' }, tags: ['local'] });\n };\n\n // ── Connection-string env vars ──────────────────────────────────────────\n for (const line of ctx.run('printenv').split(/\\r?\\n/)) {\n const eq = line.indexOf('=');\n if (eq <= 0) continue;\n const name = line.slice(0, eq).trim();\n const value = line.slice(eq + 1).trim();\n if (!CONN_VAR_RE.test(name)) continue;\n const parsed = parseConnectionString(name, value);\n if (!parsed) continue;\n emitSelf();\n edges.push({\n sourceId: selfId,\n targetId: `${PORT_MAP[parsed.port].type}:localhost:${parsed.port}`,\n relationship: parsed.relationship,\n evidence: parsed.evidence,\n confidence: CONFIDENCE['connection-string'],\n });\n }\n\n // ── nginx upstream / proxy_pass ─────────────────────────────────────────\n const findFilesFn = ctx.findFiles ?? findFiles;\n const nginxFiles = findFilesFn(configDirs(), ['*.conf', 'nginx.conf'], 4, 50)\n .split(/\\r?\\n/).map((s) => s.trim()).filter(Boolean);\n for (const file of nginxFiles) {\n const content = ctx.run(`cat \"${file}\"`);\n if (!content) continue;\n for (const { host, port } of parseNginxUpstreams(content)) {\n if (!(port in PORT_MAP)) continue;\n emitSelf();\n edges.push({\n sourceId: selfId,\n targetId: `${PORT_MAP[port].type}:localhost:${port}`,\n relationship: 'depends_on',\n evidence: evidenceLine('config-declared', `nginx ${file}: ${host}:${port}`),\n confidence: CONFIDENCE['config-declared'],\n });\n }\n }\n\n // ── docker-compose depends_on ───────────────────────────────────────────\n const composeFiles = findFilesFn(configDirs(), ['docker-compose.y*ml', 'compose.y*ml'], 4, 50)\n .split(/\\r?\\n/).map((s) => s.trim()).filter(Boolean);\n for (const file of composeFiles) {\n const content = ctx.run(`cat \"${file}\"`);\n if (!content) continue;\n for (const { service, dependsOn } of parseComposeDeps(content)) {\n if (dependsOn.length === 0) continue;\n const srcId = `container:${service}`;\n nodes.push({ id: srcId, type: 'container', name: service, discoveredVia: 'service-config', confidence: 0.7, metadata: { compose: file }, tags: ['compose'] });\n for (const dep of dependsOn) {\n const depId = `container:${dep}`;\n nodes.push({ id: depId, type: 'container', name: dep, discoveredVia: 'service-config', confidence: 0.7, metadata: { compose: file }, tags: ['compose'] });\n edges.push({\n sourceId: srcId,\n targetId: depId,\n relationship: 'depends_on',\n evidence: evidenceLine('config-declared', `compose ${file}: ${service} depends_on ${dep}`),\n confidence: CONFIDENCE['config-declared'],\n });\n }\n }\n }\n\n return { nodes, edges };\n },\n};\n","import { ScannerRegistry } from './types.js';\nimport { bookmarksScanner } from './bookmarks.js';\nimport { installedAppsScanner } from './installed-apps.js';\nimport { portsScanner } from './ports.js';\nimport { cloudAwsScanner } from './cloud-aws.js';\nimport { cloudGcpScanner } from './cloud-gcp.js';\nimport { cloudAzureScanner } from './cloud-azure.js';\nimport { k8sScanner } from './k8s.js';\nimport { databasesScanner } from './databases.js';\nimport { connectionsScanner } from './connections.js';\nimport { serviceConfigScanner } from './service-config.js';\n\nexport { ScannerRegistry } from './types.js';\nexport type { Scanner, ScanContext, ScanResult } from './types.js';\nexport { bookmarksScanner } from './bookmarks.js';\nexport { installedAppsScanner } from './installed-apps.js';\nexport { portsScanner, extractListeningPorts, PORT_MAP } from './ports.js';\nexport { cloudAwsScanner } from './cloud-aws.js';\nexport { cloudGcpScanner } from './cloud-gcp.js';\nexport { cloudAzureScanner } from './cloud-azure.js';\nexport { k8sScanner } from './k8s.js';\nexport { databasesScanner } from './databases.js';\nexport { connectionsScanner, parseEstablished } from './connections.js';\nexport type { EstablishedConn } from './connections.js';\nexport {\n serviceConfigScanner, parseNginxUpstreams, parseComposeDeps, parseConnectionString, redactConnectionString,\n} from './service-config.js';\nexport { CONFIDENCE, evidenceLine } from './confidence.js';\nexport type { EvidenceKind } from './confidence.js';\nexport { safeJson, parseScanHint, buildReport } from './cloud-util.js';\nexport type { ScanHintParams } from './cloud-util.js';\nexport { definePlugin, validateScanner, ScannerShape } from './spi.js';\nexport type { ScannerPlugin, ScannerPluginApi } from './spi.js';\n\n/** A registry pre-loaded with the built-in deterministic scanners. */\nexport function defaultRegistry(): ScannerRegistry {\n return new ScannerRegistry()\n .register(bookmarksScanner)\n .register(installedAppsScanner)\n .register(portsScanner)\n .register(cloudAwsScanner)\n .register(cloudGcpScanner)\n .register(cloudAzureScanner)\n .register(k8sScanner)\n .register(databasesScanner)\n .register(connectionsScanner)\n .register(serviceConfigScanner);\n}\n","/**\n * Opt-in scanner-plugin loader.\n *\n * Resolves the explicitly configured plugin package names (consent-first: no\n * filesystem auto-scan), dynamically `import()`s each in its own try/catch, and\n * registers its scanners through {@link ScannerRegistry.registerExternal}\n * (validated, namespaced, command-gated, frozen). One bad plugin — a\n * non-resolvable name, a missing/invalid default export, a `register()` that\n * throws, or a malformed scanner that fails zod validation — is logged via\n * `logWarn` and skipped. It never aborts discovery (optional-deps degrade\n * pattern, mirroring `src/semantic/search.ts`).\n */\n\nimport { logInfo, logWarn } from '../logger.js';\nimport type { ScannerRegistry } from './types.js';\nimport type { ScannerPlugin, ScannerPluginApi } from './spi.js';\n\n/**\n * Load each configured plugin package into the given registry. Returns the\n * package names that loaded and registered successfully (for audit/reporting).\n */\nexport async function loadPlugins(\n registry: ScannerRegistry,\n pkgs: readonly string[],\n): Promise<string[]> {\n const loaded: string[] = [];\n for (const pkg of pkgs) {\n try {\n const mod = (await import(pkg)) as { default?: ScannerPlugin };\n const plugin = mod.default;\n if (!plugin || typeof plugin.register !== 'function') {\n logWarn('scanner plugin missing default export', { pkg });\n continue;\n }\n const api: ScannerPluginApi = {\n registerScanner: (scanner) => {\n registry.registerExternal(pkg, scanner);\n },\n };\n plugin.register(api);\n loaded.push(pkg);\n logInfo('scanner plugin loaded', { pkg, name: plugin.name });\n } catch (err) {\n logWarn('scanner plugin load failed (skipped)', {\n pkg,\n error: err instanceof Error ? err.message : String(err),\n });\n }\n }\n return loaded;\n}\n","/**\n * Deterministic, LLM-free local discovery.\n *\n * Runs every applicable scanner from a {@link ScannerRegistry}, deduplicates and\n * persists the resulting nodes/edges, and returns counts. This is what powers the\n * MCP `run_discovery` tool without requiring any model — the host LLM can then\n * enrich the catalog via the read tools. (The Claude-driven loop in agent.ts\n * remains available as the optional, richer turnkey path.)\n */\n\nimport type { CartographyDB } from '../db.js';\nimport type { DiscoveryNode, DiscoveryEdge, Contributor } from '../types.js';\nimport { diffTopology } from '../diff.js';\nimport type { TopologyInput, TopologyDelta } from '../diff.js';\nimport { PLATFORM, run, commandExists, scanListeningPorts, scanEstablishedConnections, findFiles } from '../platform.js';\nimport { scanAllBookmarks } from '../bookmarks.js';\nimport { defaultRegistry, ScannerRegistry } from '../scanners/registry.js';\nimport { loadPlugins } from '../scanners/loader.js';\nimport type { ScanContext } from '../scanners/types.js';\n\nexport interface LocalDiscoveryOptions {\n hint?: string;\n registry?: ScannerRegistry;\n /**\n * Opt-in scanner plugin package names to load (consent-first). Honoured only\n * when no explicit `registry` is supplied — an injected registry is used\n * verbatim, so tests and advanced callers stay in full control.\n */\n plugins?: string[];\n /** Called after each scanner with a short progress line. */\n onProgress?: (line: string) => void;\n /**\n * Override individual {@link ScanContext} fields. Production omits this and the\n * real platform helpers are used; tests inject deterministic sources\n * (`commandExists`, `scanListeningPorts`, `scanBookmarks`) so the built-in\n * scanners run against known inputs without depending on the host.\n */\n ctx?: Partial<ScanContext>;\n /**\n * `'replace'` (default) preserves today's append-all behavior: every scanned\n * node/edge is upserted/inserted into the session. `'update'` (2.1 incremental\n * discovery) reads the session's prior state, diffs it against the current scan,\n * and applies only the delta — upserting changed/added, pruning removed (nodes\n * and edges), and stamping `last_scanned_at`. Same `session_id` either way.\n */\n mode?: 'replace' | 'update';\n}\n\nexport interface LocalDiscoveryResult {\n nodes: number;\n edges: number;\n scanners: string[];\n /** Present only in `'update'` mode: the delta applied to the session (2.1). */\n delta?: TopologyDelta;\n}\n\n/**\n * Lift scanner `DiscoveryNode`/`DiscoveryEdge` output into the `NodeRow`/`EdgeRow`\n * shape {@link diffTopology} compares. Only the `DRIFT_FIELDS` (node) and the\n * `(sourceId, targetId, relationship)` logical key (edge) are read by the diff, so\n * `id`/`depth`/`discoveredAt` carry placeholders the diff ignores. Nodes keep the\n * raw `id` so they key against the prior state's `getNodes` ids correctly.\n */\nfunction projectScan(sessionId: string, nodes: DiscoveryNode[], edges: DiscoveryEdge[]): TopologyInput {\n const ts = new Date().toISOString();\n return {\n nodes: nodes.map((n) => ({\n ...n, sessionId, discoveredAt: ts, depth: 0,\n tags: n.tags ?? [], metadata: n.metadata ?? {},\n })),\n edges: edges.map((e) => ({ ...e, id: '', sessionId, discoveredAt: ts })),\n };\n}\n\nexport async function runLocalDiscovery(\n db: CartographyDB,\n sessionId: string,\n opts: LocalDiscoveryOptions = {},\n): Promise<LocalDiscoveryResult> {\n const registry = opts.registry ?? defaultRegistry();\n // Load opt-in plugins only onto the default registry — never mutate an\n // explicitly injected one. A broken plugin is logged + skipped, never fatal.\n if (!opts.registry && opts.plugins && opts.plugins.length > 0) {\n await loadPlugins(registry, opts.plugins);\n }\n const ctx: ScanContext = { hint: opts.hint, platform: PLATFORM, run, commandExists, scanListeningPorts, scanEstablishedConnections, findFiles, scanBookmarks: scanAllBookmarks, ...opts.ctx };\n\n const nodes = new Map<string, DiscoveryNode>();\n const edges: DiscoveryEdge[] = [];\n const ran: string[] = [];\n\n for (const scanner of registry.forPlatform(PLATFORM)) {\n try {\n if (!(await scanner.detect(ctx))) continue;\n const result = await scanner.scan(ctx);\n ran.push(scanner.id);\n for (const node of result.nodes) {\n // Keep the highest-confidence record on id collision.\n const prev = nodes.get(node.id);\n if (!prev || node.confidence > prev.confidence) nodes.set(node.id, node);\n }\n edges.push(...result.edges);\n opts.onProgress?.(`${scanner.title}: +${result.nodes.length} nodes`);\n } catch (err) {\n opts.onProgress?.(`${scanner.title}: failed (${err instanceof Error ? err.message : String(err)})`);\n }\n }\n\n // 2.9: derive a Contributor once from the (attributed) session row so the same\n // logical node accumulates one contributor per machine instead of being clobbered.\n const session = db.getSession(sessionId);\n const baseAttribution: Omit<Contributor, 'confidence'> | undefined = session?.machineId\n ? {\n machineId: session.machineId,\n hostname: session.hostname ?? 'unknown-host',\n user: session.user ?? 'unknown-user',\n organization: session.tenant,\n at: new Date().toISOString(),\n }\n : undefined;\n\n // Only persist edges whose endpoints exist (matches the replace-mode invariant).\n const validEdges = edges.filter((e) => nodes.has(e.sourceId) && nodes.has(e.targetId));\n\n if (opts.mode === 'update') {\n // Incremental rescan (2.1): diff the current scan against the session's prior\n // state and apply only the delta — keeping the same session_id, pruning gone\n // entities, and preserving 2.9 contributors on unchanged nodes (they are not\n // re-upserted) while appending the running machine's contributor to changed/\n // added nodes via `attribution`.\n const prior: TopologyInput = { nodes: db.getNodes(sessionId), edges: db.getEdges(sessionId) };\n const current = projectScan(sessionId, [...nodes.values()], validEdges);\n const delta = diffTopology(prior, current);\n db.applyTopologyDelta(\n sessionId, delta,\n baseAttribution ? { ...baseAttribution, confidence: 0.5 } : undefined,\n );\n return { nodes: current.nodes.length, edges: current.edges.length, scanners: ran, delta };\n }\n\n // replace (default): existing append-all behavior, unchanged.\n for (const node of nodes.values()) {\n db.upsertNode(\n sessionId, node, 0,\n baseAttribution ? { ...baseAttribution, confidence: node.confidence } : undefined,\n );\n }\n for (const edge of validEdges) db.insertEdge(sessionId, edge);\n\n return { nodes: nodes.size, edges: validEdges.length, scanners: ran };\n}\n\n/**\n * Adapter matching the MCP `DiscoveryFn` signature. When no explicit `registry`\n * is provided, the opt-in `plugins` list is loaded onto the default registry on\n * each discovery run (so late-installed plugins are picked up).\n */\nexport function localDiscoveryFn(registry?: ScannerRegistry, plugins?: string[]) {\n return async (db: CartographyDB, sessionId: string, opts: { hint?: string; mode?: 'replace' | 'update' }) => {\n const r = await runLocalDiscovery(db, sessionId, { hint: opts.hint, mode: opts.mode, registry, plugins });\n return { nodes: r.nodes, edges: r.edges, ...(r.delta ? { delta: r.delta } : {}) };\n };\n}\n","/**\n * Baseline compliance ruleset (3.4) — the acceptance target.\n *\n * Scored against signals available today (node type/group, domain, confidence,\n * owner, metadata DSNs). Validated by `RulesetSchema.parse` at load (fail-fast).\n */\n\nimport { RulesetSchema } from '../types.js';\nimport type { Ruleset } from '../types.js';\n\nexport const baseline: Ruleset = RulesetSchema.parse({\n name: 'baseline',\n version: '1.0.0',\n framework: 'baseline',\n description: 'Deterministic baseline hygiene controls scored against signals available today.',\n rules: [\n {\n id: 'BASE-1', control: 'BASE-1', framework: 'baseline', severity: 'medium',\n title: 'Asset has an owner', rationale: 'Every asset should have a clear owning team/person for accountability.',\n scope: {},\n check: { any: [\n { field: 'owner', op: 'present' },\n { field: 'domain', op: 'present' },\n { field: 'tags', op: 'matches', pattern: 'owner_key' },\n { field: 'metadataKeys', op: 'matches', pattern: 'owner_key' },\n ] },\n },\n {\n id: 'BASE-2', control: 'BASE-2', framework: 'baseline', severity: 'low',\n title: 'Service/data asset is assigned a business domain', rationale: 'Domain assignment enables blast-radius and ownership analysis.',\n scope: { groups: ['data', 'web'] },\n check: { field: 'domain', op: 'present' },\n },\n {\n id: 'BASE-3', control: 'BASE-3', framework: 'baseline', severity: 'high',\n title: 'Critical asset is discovered with adequate confidence', rationale: 'Low-confidence critical assets indicate incomplete or unreliable discovery.',\n scope: { groups: ['data', 'infra'] },\n check: { field: 'confidence', op: 'gte', value: 0.5 },\n },\n {\n id: 'BASE-4', control: 'BASE-4', framework: 'baseline', severity: 'critical',\n title: 'No embedded credentials / plaintext DSN in metadata', rationale: 'A connection string with embedded credentials is a direct secret-exposure risk.',\n scope: {},\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'dsn_with_credentials' } },\n },\n {\n id: 'BASE-5', control: 'BASE-5', framework: 'baseline', severity: 'medium',\n title: 'Data store carries an acceptable quality score', rationale: 'Where a quality score exists, a low score flags an under-governed data store.',\n scope: { groups: ['data'] },\n applicableWhen: { field: 'qualityScore', op: 'present' },\n check: { field: 'qualityScore', op: 'gte', value: 50 },\n },\n ],\n});\n","/**\n * CIS starter subset (3.4) — NOT a certified CIS Benchmark. A small, illustrative\n * subset that resolves the `cis` ruleset name; full coverage is plugin/community work.\n */\n\nimport { RulesetSchema } from '../types.js';\nimport type { Ruleset } from '../types.js';\n\nexport const cis: Ruleset = RulesetSchema.parse({\n name: 'cis',\n version: '0.1.0',\n framework: 'CIS',\n description: 'CIS starter subset — illustrative controls, not a certified benchmark.',\n rules: [\n {\n id: 'CIS-1.1', control: 'CIS-1.1', framework: 'CIS', severity: 'critical',\n title: 'No plaintext credentials in service configuration', rationale: 'CIS hardening forbids embedded secrets in config/metadata.',\n scope: {},\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'dsn_with_credentials' } },\n },\n {\n id: 'CIS-2.1', control: 'CIS-2.1', framework: 'CIS', severity: 'high',\n title: 'Data store is not publicly exposed', rationale: 'Data stores should not bind to public/0.0.0.0 addresses.',\n scope: { groups: ['data'] },\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'public_exposure' } },\n },\n {\n id: 'CIS-3.1', control: 'CIS-3.1', framework: 'CIS', severity: 'medium',\n title: 'Asset inventory has an accountable owner', rationale: 'CIS asset management requires an assigned owner.',\n scope: {},\n check: { any: [{ field: 'owner', op: 'present' }, { field: 'metadataKeys', op: 'matches', pattern: 'owner_key' }] },\n },\n ],\n});\n","/**\n * SOC 2 starter subset (3.4) — NOT a certified SOC 2 control set. Illustrative\n * controls that resolve the `soc2` ruleset name; full coverage is community work.\n */\n\nimport { RulesetSchema } from '../types.js';\nimport type { Ruleset } from '../types.js';\n\nexport const soc2: Ruleset = RulesetSchema.parse({\n name: 'soc2',\n version: '0.1.0',\n framework: 'SOC2',\n description: 'SOC 2 starter subset — illustrative controls, not a certified control set.',\n rules: [\n {\n id: 'CC6.1', control: 'CC6.1', framework: 'SOC2', severity: 'critical',\n title: 'Logical access — no embedded credentials', rationale: 'CC6.1 logical access controls preclude plaintext secrets in config.',\n scope: {},\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'dsn_with_credentials' } },\n },\n {\n id: 'CC6.6', control: 'CC6.6', framework: 'SOC2', severity: 'high',\n title: 'Boundary protection — data stores not public', rationale: 'CC6.6 requires protection of system boundaries from external access.',\n scope: { groups: ['data'] },\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'public_exposure' } },\n },\n {\n id: 'CC1.2', control: 'CC1.2', framework: 'SOC2', severity: 'medium',\n title: 'Accountability — asset has an owner', rationale: 'CC1.2 establishes accountability; assets need an assigned owner.',\n scope: {},\n check: { any: [{ field: 'owner', op: 'present' }, { field: 'domain', op: 'present' }] },\n },\n ],\n});\n","/**\n * ISO/IEC 27001 starter subset (3.4) — NOT a certified Annex A control set.\n * Illustrative controls that resolve the `iso27001` ruleset name.\n */\n\nimport { RulesetSchema } from '../types.js';\nimport type { Ruleset } from '../types.js';\n\nexport const iso27001: Ruleset = RulesetSchema.parse({\n name: 'iso27001',\n version: '0.1.0',\n framework: 'ISO27001',\n description: 'ISO/IEC 27001 Annex A starter subset — illustrative, not certified.',\n rules: [\n {\n id: 'A.8.1', control: 'A.8.1', framework: 'ISO27001', severity: 'medium',\n title: 'Inventory of assets — ownership assigned', rationale: 'A.8.1 requires an inventory of assets each with an identified owner.',\n scope: {},\n check: { any: [{ field: 'owner', op: 'present' }, { field: 'metadataKeys', op: 'matches', pattern: 'owner_key' }] },\n },\n {\n id: 'A.8.12', control: 'A.8.12', framework: 'ISO27001', severity: 'critical',\n title: 'Data leakage prevention — no embedded secrets', rationale: 'A.8.12 mandates measures against data leakage such as exposed credentials.',\n scope: {},\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'dsn_with_credentials' } },\n },\n {\n id: 'A.8.20', control: 'A.8.20', framework: 'ISO27001', severity: 'high',\n title: 'Network security — data stores not publicly exposed', rationale: 'A.8.20 requires networks to be secured; data stores should not be public.',\n scope: { groups: ['data'] },\n check: { not: { field: 'metadataValues', op: 'matches', pattern: 'public_exposure' } },\n },\n ],\n});\n","/**\n * Bundled ruleset registry (3.4). All rulesets are plain data, validated at load.\n */\n\nimport type { Ruleset } from '../types.js';\nimport { baseline } from './baseline.js';\nimport { cis } from './cis.js';\nimport { soc2 } from './soc2.js';\nimport { iso27001 } from './iso27001.js';\n\nconst RULESETS: Record<string, Ruleset> = { baseline, cis, soc2, iso27001 };\n\n/** Resolve a bundled ruleset by name, or `undefined` (callers degrade, never throw). */\nexport function getRuleset(name: string): Ruleset | undefined {\n return RULESETS[name];\n}\n\n/** List the bundled rulesets (name/version/framework/rule count) for help + degrade messages. */\nexport function listRulesets(): Array<{ name: string; version: string; framework: string; ruleCount: number }> {\n return Object.values(RULESETS).map((r) => ({ name: r.name, version: r.version, framework: r.framework, ruleCount: r.rules.length }));\n}\n\nexport { baseline, cis, soc2, iso27001 };\n","import type { DriftSink } from './types.js';\nimport type { DriftAlert } from '../types.js';\nimport { redactValue } from '../tools.js';\nimport { logInfo } from '../logger.js';\n\n/**\n * Default sink: writes one severity-tagged, credential-redacted JSON line to\n * **stdout** (the data channel) and a one-line diagnostic to **stderr**, keeping\n * the stdout/stderr discipline the rest of the CLI follows. Fully local — no\n * network egress.\n */\nexport class StdoutSink implements DriftSink {\n readonly name = 'stdout';\n\n async emit(alert: DriftAlert): Promise<void> {\n process.stdout.write(JSON.stringify(redactValue(alert)) + '\\n');\n logInfo('drift alert emitted', { sink: this.name, severity: alert.severity, items: alert.items.length });\n }\n}\n","import type { DriftSink } from './types.js';\nimport type { DriftAlert } from '../types.js';\nimport { redactValue, stripSensitive } from '../tools.js';\nimport { logWarn, logError } from '../logger.js';\n\nexport interface WebhookSinkOptions {\n url: string;\n token?: string;\n timeoutMs?: number;\n}\n\n/** Loopback hosts for which a plaintext `http:` webhook is permitted (local dev). */\nconst LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]', '::1']);\n\n/**\n * True if `url` is safe to POST to: `https:`, or `http:` only to a loopback host,\n * or any scheme when the documented `CARTOGRAPHY_ALLOW_INSECURE_SYNC=1` escape\n * hatch (test-only) is set. An unparseable URL is treated as insecure. Mirrors the\n * 2.11 `pushDeltas` guard so the drift feature never silently exfiltrates over the\n * wire in plaintext.\n */\nexport function isSecureWebhookUrl(url: string, env: NodeJS.ProcessEnv = process.env): boolean {\n if (env.CARTOGRAPHY_ALLOW_INSECURE_SYNC === '1') return true;\n let parsed: URL;\n try {\n parsed = new URL(url);\n } catch {\n return false;\n }\n if (parsed.protocol === 'https:') return true;\n if (parsed.protocol === 'http:' && LOOPBACK_HOSTS.has(parsed.hostname)) return true;\n return false;\n}\n\n/**\n * Outbound sink: POSTs the alert as JSON to an operator-configured endpoint. The\n * first and only outbound network surface of the drift feature — off by default\n * (constructed only when a `webhook` sink is explicitly configured). Hardened:\n * - the body is **always** `redactValue(alert)`, so no `user:password@` secret\n * leaves the process;\n * - only `stripSensitive(url)` (host:port) is ever logged — never the full URL,\n * the bearer token, or the body;\n * - the target must be `https:` (SSRF / plaintext-exfil guard) — a plaintext\n * `http:` URL is refused unless the host is loopback or the documented\n * `CARTOGRAPHY_ALLOW_INSECURE_SYNC=1` escape hatch is set (mirrors `pushDeltas`);\n * - degrades to a logged no-op when `fetch` is unavailable or the URL is empty;\n * - never throws (the runner owns retry/abort policy).\n */\nexport class WebhookSink implements DriftSink {\n readonly name = 'webhook';\n\n constructor(private readonly opts: WebhookSinkOptions) {}\n\n async emit(alert: DriftAlert): Promise<void> {\n if (typeof fetch !== 'function') {\n logWarn('webhook sink unavailable: global fetch missing', { sink: this.name });\n return;\n }\n const { url, token, timeoutMs } = this.opts;\n if (!url) {\n logWarn('webhook sink unavailable: no url configured', { sink: this.name });\n return;\n }\n if (!isSecureWebhookUrl(url)) {\n logWarn('webhook sink refused: insecure scheme (use https:// or a loopback host)', {\n sink: this.name,\n host: stripSensitive(url),\n });\n return;\n }\n try {\n const res = await fetch(url, {\n method: 'POST',\n headers: {\n 'content-type': 'application/json',\n ...(token ? { authorization: `Bearer ${token}` } : {}),\n },\n body: JSON.stringify(redactValue(alert)),\n signal: AbortSignal.timeout(timeoutMs ?? 10_000),\n });\n if (!res.ok) {\n logError('webhook sink failed', { sink: this.name, host: stripSensitive(url), status: res.status });\n }\n } catch (err) {\n logError('webhook sink failed', {\n sink: this.name,\n host: stripSensitive(url),\n reason: err instanceof Error ? err.message : String(err),\n });\n }\n }\n}\n","import type { DriftConfig } from '../types.js';\nimport type { DriftSink } from './types.js';\nimport { StdoutSink } from './stdout.js';\nimport { WebhookSink } from './webhook.js';\n\n/**\n * Construct sinks from config. Absent/empty config → `[new StdoutSink()]` (the\n * local default). A webhook sink's token falls back to `CARTOGRAPHY_DRIFT_TOKEN`\n * when not given explicitly (mirroring `CARTOGRAPHY_HTTP_TOKEN`). A webhook entry\n * without a url is skipped defensively (the schema already rejects it).\n */\nexport function buildSinks(drift?: DriftConfig): DriftSink[] {\n const configs = drift?.sinks && drift.sinks.length > 0 ? drift.sinks : [{ type: 'stdout' as const }];\n const sinks: DriftSink[] = [];\n for (const s of configs) {\n if (s.type === 'webhook') {\n if (!s.url) continue;\n sinks.push(new WebhookSink({\n url: s.url,\n token: s.token ?? process.env.CARTOGRAPHY_DRIFT_TOKEN,\n timeoutMs: s.timeoutMs,\n }));\n } else {\n sinks.push(new StdoutSink());\n }\n }\n return sinks.length > 0 ? sinks : [new StdoutSink()];\n}\n\nexport { StdoutSink } from './stdout.js';\nexport { WebhookSink, isSecureWebhookUrl } from './webhook.js';\nexport type { DriftSink } from './types.js';\nexport type { WebhookSinkOptions } from './webhook.js';\n","/**\n * Drift classification + dispatch (3.1).\n *\n * Layered on top of the pure topology delta (`diffTopology` → `db.diffSessions`):\n * `classifyDrift` turns a `TopologyDiff` into a severity-ranked `DriftAlert`\n * (deterministic, DB-agnostic, exhaustively unit-testable), and `runDrift` is the\n * one-shot runner — the seam scheduled discovery (2.5) calls after a scan — that\n * resolves the latest two sessions, classifies, threshold-filters, fans out to the\n * configured sinks (one sink's failure never aborts the others), and writes an\n * audit event. No new tables, no migration; read-only except the audit row.\n */\n\nimport type {\n TopologyDiff, DriftAlert, DriftAlertItem, Severity, NodeChange, CartographyConfig,\n} from './types.js';\nimport { SEVERITIES } from './types.js';\nimport type { CartographyDB } from './db.js';\nimport { stableStringify } from './diff.js';\nimport { redactValue } from './tools.js';\nimport { buildSinks } from './sinks/index.js';\nimport { logInfo, logWarn, logError } from './logger.js';\nimport { SECURITY_METADATA_KEYS } from './types.js';\n\n/** Return the highest severity among items; `info` for an empty list. */\nexport function maxSeverity(items: DriftAlertItem[]): Severity {\n let rank = 0;\n for (const it of items) {\n const r = SEVERITIES.indexOf(it.severity);\n if (r > rank) rank = r;\n }\n return SEVERITIES[rank];\n}\n\nconst SECURITY_KEY_SET = new Set<string>(SECURITY_METADATA_KEYS);\n\n/**\n * Names of the metadata keys whose value changed and which warrant escalation to\n * `critical`. Empty unless the node-changed touched `metadata` and a\n * security-relevant key (case-insensitive) actually differs before→after.\n */\nexport function securityRelevantChange(change: NodeChange): string[] {\n if (!change.changedFields.includes('metadata')) return [];\n const before = change.before.metadata ?? {};\n const after = change.after.metadata ?? {};\n const keys = new Set<string>([...Object.keys(before), ...Object.keys(after)]);\n const triggered: string[] = [];\n for (const k of keys) {\n if (!SECURITY_KEY_SET.has(k.toLowerCase())) continue;\n if (stableStringify((before as Record<string, unknown>)[k]) !== stableStringify((after as Record<string, unknown>)[k])) {\n triggered.push(k);\n }\n }\n return triggered.sort();\n}\n\n/** Logical reference for an edge item: `source -rel-> target`. */\nconst edgeRef = (sourceId: string, rel: string, targetId: string): string =>\n `${sourceId} -${rel}-> ${targetId}`;\n\n/**\n * Classify a topology diff into a severity-tagged alert. Pure & deterministic\n * (only `generatedAt` depends on `now`). Rules:\n * - node-removed, edge-removed → warning (lost capability / connectivity)\n * - node-changed touching a security metadata → critical\n * key\n * - node-changed (other fields) → info\n * - node-added, edge-added → info\n * Overall severity = maxSeverity(items).\n */\nexport function classifyDrift(diff: TopologyDiff, now: Date = new Date()): DriftAlert {\n const items: DriftAlertItem[] = [];\n\n for (const n of diff.nodes.added) {\n items.push({ kind: 'node-added', ref: n.id, label: n.name, nodeType: n.type, severity: 'info' });\n }\n for (const n of diff.nodes.removed) {\n items.push({ kind: 'node-removed', ref: n.id, label: n.name, nodeType: n.type, severity: 'warning' });\n }\n for (const c of diff.nodes.changed) {\n const securityFields = securityRelevantChange(c);\n const severity: Severity = securityFields.length > 0 ? 'critical' : 'info';\n items.push({\n kind: 'node-changed',\n ref: c.id,\n label: c.after.name,\n nodeType: c.after.type,\n severity,\n changedFields: c.changedFields,\n ...(securityFields.length > 0 ? { securityFields } : {}),\n });\n }\n for (const e of diff.edges.added) {\n items.push({\n kind: 'edge-added',\n ref: edgeRef(e.sourceId, e.relationship, e.targetId),\n label: `${e.sourceId} → ${e.targetId}`,\n severity: 'info',\n });\n }\n for (const e of diff.edges.removed) {\n items.push({\n kind: 'edge-removed',\n ref: edgeRef(e.sourceId, e.relationship, e.targetId),\n label: `${e.sourceId} → ${e.targetId}`,\n severity: 'warning',\n });\n }\n\n return {\n base: diff.base,\n current: diff.current,\n summary: diff.summary,\n severity: maxSeverity(items),\n items,\n generatedAt: now.toISOString(),\n };\n}\n\n/** Drop items strictly below `min`; recompute the overall severity over what's kept. */\nexport function filterBySeverity(alert: DriftAlert, min: Severity): DriftAlert {\n const minRank = SEVERITIES.indexOf(min);\n const items = alert.items.filter((it) => SEVERITIES.indexOf(it.severity) >= minRank);\n return { ...alert, items, severity: maxSeverity(items) };\n}\n\nexport interface RunDriftOptions { base?: string; current?: string; minSeverity?: Severity; }\n\n/**\n * Resolve base/current (newest-first `getSessions`, like the CLI/MCP surfaces),\n * classify, filter below `minSeverity`, dispatch to all configured sinks\n * (`Promise.allSettled` — one sink failure never aborts the others), and record an\n * audit event. Returns the alert, or `null` when fewer than two sessions exist\n * (graceful no-op). The seam scheduled discovery (2.5) calls post-scan.\n */\nexport async function runDrift(\n db: CartographyDB, config: CartographyConfig, opts: RunDriftOptions = {},\n): Promise<DriftAlert | null> {\n // getSessions() is newest-first (rowid DESC): [0] = latest, [1] = previous.\n const sessions = db.getSessions();\n const currentId = opts.current ?? sessions[0]?.id;\n const baseId = opts.base ?? sessions[1]?.id;\n if (!baseId || !currentId) {\n logInfo('drift: fewer than two sessions, skipping');\n return null;\n }\n if (baseId === currentId) {\n logWarn('drift: base and current session are the same, skipping', { session: currentId });\n return null;\n }\n\n const diff = db.diffSessions(baseId, currentId);\n let alert = classifyDrift(diff);\n alert = filterBySeverity(alert, opts.minSeverity ?? config.drift?.minSeverity ?? 'info');\n\n const sinks = buildSinks(config.drift);\n const results = await Promise.allSettled(sinks.map((s) => s.emit(alert)));\n results.forEach((r, i) => {\n if (r.status === 'rejected') {\n logError('drift sink rejected', {\n sink: sinks[i]?.name,\n reason: r.reason instanceof Error ? r.reason.message : String(r.reason),\n });\n }\n });\n\n // Audit (no migration): reuses existing activity_events columns.\n db.insertEvent(currentId, {\n eventType: 'drift_alert_dispatched',\n process: 'drift',\n pid: process.pid,\n command: JSON.stringify(redactValue({\n base: baseId,\n current: currentId,\n severity: alert.severity,\n items: alert.items.length,\n sinks: sinks.map((s) => s.name),\n })),\n });\n\n return alert;\n}\n","/**\n * Org-key lifecycle for the 2.10 anonymization layer.\n *\n * The org key is the single secret that makes pseudonyms deterministic across\n * machines (so a central merge collapses the same host to one token) and\n * admin-reversible (only the key holder can invert a pseudonym). It lives on disk\n * at `~/.cartography/org-key` (mode 0600), **never** in the SQLite catalog, never\n * in any log line, and never in an export. The returned key is HKDF-namespaced by\n * `organization`, so two organizations sharing one machine derive non-colliding\n * keys (and therefore non-colliding tokens + isolated reversal maps).\n *\n * Zero new dependencies: HMAC/AES/HKDF/randomBytes all come from `node:crypto`.\n */\n\nimport { randomBytes, hkdfSync } from 'node:crypto';\nimport { existsSync, mkdirSync, readFileSync, writeFileSync, statSync } from 'node:fs';\nimport { homedir } from 'node:os';\nimport { dirname, join } from 'node:path';\nimport { logInfo, logWarn } from './logger.js';\n\nexport interface OrgKeyOptions {\n /** Organization namespace; absent ⇒ the `'default'` namespace. */\n organization?: string;\n /** Override the on-disk key path (tests / non-default data dirs). */\n keyPath?: string;\n}\n\n/** Default org-key file path: `~/.cartography/org-key`. */\nexport function orgKeyPath(home: string = homedir()): string {\n return join(home, '.cartography', 'org-key');\n}\n\n/** Bytes of the org-key file: 32 random bytes stored hex. */\nconst KEY_BYTES = 32;\n\n/** Read the raw file secret, or lazily create it (32 random bytes, hex, mode 0600). */\nfunction loadFileSecret(path: string): Buffer {\n if (existsSync(path)) {\n // Warn (never throw) if the key file is group/world-readable — it must be 0600.\n try {\n const mode = statSync(path).mode & 0o777;\n if (mode & 0o077) {\n logWarn('org-key file is not 0600 — restrict it: chmod 600 ' + path);\n }\n } catch {\n /* stat failure is non-fatal; fall through to the read */\n }\n const hex = readFileSync(path, 'utf8').trim();\n const buf = Buffer.from(hex, 'hex');\n if (buf.length === KEY_BYTES) return buf;\n // Corrupt/short key material: regenerate rather than derive a weak key.\n logWarn('org-key file was malformed — regenerating a fresh org key');\n }\n mkdirSync(dirname(path), { recursive: true });\n const secret = randomBytes(KEY_BYTES);\n writeFileSync(path, secret.toString('hex'), { mode: 0o600 });\n logInfo('created org key at ~/.cartography/org-key (mode 0600) — distribute to admins out-of-band');\n return secret;\n}\n\n/**\n * Load (or lazily create) the org key, HKDF-namespaced by `organization`. The\n * on-disk secret is a single random value; per-org keys are derived from it so\n * the same file serves multiple orgs without collision. Pure of side effects\n * beyond the lazy file creation; never logs the key material.\n */\nexport function loadOrgKey(opts: OrgKeyOptions = {}): Buffer {\n const path = opts.keyPath ?? orgKeyPath();\n const secret = loadFileSecret(path);\n const info = opts.organization && opts.organization.trim() ? opts.organization.trim() : 'default';\n return Buffer.from(hkdfSync('sha256', secret, Buffer.alloc(0), info, KEY_BYTES));\n}\n\n/**\n * Rotate the org key: overwrite the on-disk secret with fresh random bytes and\n * return the new derived key. Reversal entries written under the old key become\n * unrecoverable by design — callers are warned at the stderr level.\n */\nexport function rotateOrgKey(opts: OrgKeyOptions = {}): Buffer {\n const path = opts.keyPath ?? orgKeyPath();\n mkdirSync(dirname(path), { recursive: true });\n const secret = randomBytes(KEY_BYTES);\n writeFileSync(path, secret.toString('hex'), { mode: 0o600 });\n logWarn('org key rotated — pseudonym_reversal entries created under the previous key are now UNRECOVERABLE');\n const info = opts.organization && opts.organization.trim() ? opts.organization.trim() : 'default';\n return Buffer.from(hkdfSync('sha256', secret, Buffer.alloc(0), info, KEY_BYTES));\n}\n\n/** Subkey for HMAC pseudonym tokens (distinct domain from the reversal cipher key). */\nexport function hmacKey(orgKey: Buffer): Buffer {\n return Buffer.from(hkdfSync('sha256', orgKey, Buffer.from('cartography-hmac-v1'), 'hmac', 32));\n}\n\n/** Subkey for AES-256-GCM reversal-map encryption (distinct domain from the HMAC key). */\nexport function reversalKey(orgKey: Buffer): Buffer {\n return Buffer.from(hkdfSync('sha256', orgKey, Buffer.from('cartography-reversal-v1'), 'reversal', 32));\n}\n","/**\n * Org-keyed, admin-reversible pseudonymization (2.10 `anonymized` sharing level).\n *\n * Identifying fragments — private IPs, file paths, `user@host` pairs, and bare\n * hostnames — are replaced by a deterministic token\n * `anon:{kind}:{base32(first 12 bytes of HMAC-SHA256(hmacKey, plaintext))}`\n * so the same input + org key always yields the same token (a central merge then\n * collapses the same host across machines). The token is one-way for anyone\n * without the org key (HMAC preimage resistance + a 32-byte secret); an admin\n * holding the key can invert it via an AES-256-GCM reversal map.\n *\n * Topology shape is preserved: {@link pseudonymize} mirrors `redactValue`\n * (`src/tools.ts`) — it walks structure, rewriting only leaf strings; it never\n * adds, removes, or reorders keys/array elements.\n *\n * Zero new dependencies — all crypto is `node:crypto`.\n */\n\nimport { createHmac, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';\nimport { hmacKey, reversalKey } from './orgkey.js';\nimport { logError } from './logger.js';\nimport type { CartographyDB } from './db.js';\n\n/** The kinds of identifying fragment we tokenize. The prefix keeps namespaces legible + non-colliding. */\nexport type FragmentKind = 'host' | 'user' | 'path' | 'ip';\n\n/**\n * RFC-1918 private IPv4 ranges: 10/8, 172.16/12, 192.168/16. Only private IPs are\n * pseudonymized — public IPs are not identifying of an employee's machine and are\n * left intact (so topology against public infra still reads).\n */\nexport const PRIVATE_IP =\n /\\b(?:10(?:\\.\\d{1,3}){3}|192\\.168(?:\\.\\d{1,3}){2}|172\\.(?:1[6-9]|2\\d|3[01])(?:\\.\\d{1,3}){2})\\b/g;\n\n/** A hostname/domain label run, e.g. `db-01.internal.acme.lan` (≥2 dot-separated labels). */\nconst HOSTNAME = /\\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}\\b/gi;\n\n/** An absolute POSIX path (`/home/alice/...`) or Windows path (`C:\\Users\\alice\\...`). */\nconst POSIX_PATH = /(?:^|(?<=\\s|=|:|\"|'|\\())(\\/[A-Za-z0-9._-]+(?:\\/[A-Za-z0-9._-]+)+)/g;\nconst WIN_PATH = /\\b[A-Za-z]:\\\\[A-Za-z0-9._\\\\-]+/g;\n\n/** RFC-4648 base32 (no padding) of the first 12 bytes of a digest → 20 lowercase chars. */\nconst B32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';\nfunction base32(buf: Buffer): string {\n let bits = 0;\n let value = 0;\n let out = '';\n for (const byte of buf) {\n value = (value << 8) | byte;\n bits += 8;\n while (bits >= 5) {\n out += B32_ALPHABET[(value >>> (bits - 5)) & 31];\n bits -= 5;\n }\n }\n if (bits > 0) out += B32_ALPHABET[(value << (5 - bits)) & 31];\n return out;\n}\n\n/** GCM ciphertext layout: base64( iv[12] ‖ tag[16] ‖ ciphertext ). */\nfunction encryptPlaintext(plaintext: string, key: Buffer): string {\n const iv = randomBytes(12);\n const cipher = createCipheriv('aes-256-gcm', key, iv);\n const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);\n const tag = cipher.getAuthTag();\n return Buffer.concat([iv, tag, ct]).toString('base64');\n}\n\nfunction decryptPlaintext(encoded: string, key: Buffer): string | undefined {\n try {\n const raw = Buffer.from(encoded, 'base64');\n const iv = raw.subarray(0, 12);\n const tag = raw.subarray(12, 28);\n const ct = raw.subarray(28);\n const decipher = createDecipheriv('aes-256-gcm', key, iv);\n decipher.setAuthTag(tag);\n return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');\n } catch {\n // GCM auth failure (tampered / wrong key) — fail closed, never throw raw.\n return undefined;\n }\n}\n\n/**\n * Deterministic token for one identifying fragment. When `db` is supplied, the\n * plaintext is AES-256-GCM-encrypted under `reversalKey(orgKey)` and persisted so\n * an admin can later invert the token. Idempotent: the token is deterministic, so\n * re-encrypting the same fragment `INSERT OR REPLACE`s the same row.\n */\nexport function pseudonymizeFragment(plaintext: string, kind: FragmentKind, orgKey: Buffer, db?: CartographyDB): string {\n const digest = createHmac('sha256', hmacKey(orgKey)).update(plaintext).digest();\n const token = `anon:${kind}:${base32(digest.subarray(0, 12))}`;\n if (db) db.saveReversal(token, encryptPlaintext(plaintext, reversalKey(orgKey)));\n return token;\n}\n\n/**\n * Pseudonymize the identifying fragments inside a single string — private IPs,\n * file paths, `user@host` pairs, and bare hostnames — leaving structure-irrelevant\n * text intact. Order matters: paths and IPs are matched before hostnames so an IP\n * or a path segment is never mis-tokenized as a host.\n */\nexport function pseudonymizeString(s: string, orgKey: Buffer, db?: CartographyDB): string {\n let out = s;\n // 1. Private IPs (most specific; also subsumed by paths/hosts if left late).\n out = out.replace(PRIVATE_IP, (m) => pseudonymizeFragment(m, 'ip', orgKey, db));\n // 2. Windows + POSIX absolute paths.\n out = out.replace(WIN_PATH, (m) => pseudonymizeFragment(m, 'path', orgKey, db));\n out = out.replace(POSIX_PATH, (m) => pseudonymizeFragment(m, 'path', orgKey, db));\n // 3. user@host — tokenize the user and the host independently so both invert.\n out = out.replace(/\\b([a-z0-9._-]+)@((?:[a-z0-9-]+\\.)+[a-z]{2,})\\b/gi, (_m, user: string, host: string) =>\n `${pseudonymizeFragment(user, 'user', orgKey, db)}@${pseudonymizeFragment(host, 'host', orgKey, db)}`,\n );\n // 4. Remaining bare hostnames/domains.\n out = out.replace(HOSTNAME, (m) => pseudonymizeFragment(m, 'host', orgKey, db));\n return out;\n}\n\n/**\n * Recursive, structure-preserving walker — same shape as `redactValue`\n * (`src/tools.ts`): strings → {@link pseudonymizeString}, arrays → map,\n * objects → per-value recurse, primitives → unchanged. Object keys are left\n * verbatim (they are schema, not data), so topology shape is invariant.\n */\nexport function pseudonymize(value: unknown, orgKey: Buffer, db?: CartographyDB): unknown {\n if (typeof value === 'string') return pseudonymizeString(value, orgKey, db);\n if (Array.isArray(value)) return value.map((v) => pseudonymize(v, orgKey, db));\n if (value && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) out[k] = pseudonymize(v, orgKey, db);\n return out;\n }\n return value;\n}\n\n/**\n * Admin reversal: decrypt the original plaintext behind a pseudonym token, or\n * `undefined` when the token is unknown or the ciphertext fails GCM authentication\n * (tampered or produced under a different / rotated org key).\n */\nexport function reversePseudonym(token: string, orgKey: Buffer, db: CartographyDB): string | undefined {\n const encoded = db.getReversal(token);\n if (encoded == null) return undefined;\n const plaintext = decryptPlaintext(encoded, reversalKey(orgKey));\n if (plaintext === undefined) {\n logError('reversePseudonym: ciphertext failed authentication (tampered or wrong/rotated org key)');\n }\n return plaintext;\n}\n","/**\n * The Cartography MCP server — the package's primary, LLM-agnostic interface.\n *\n * It exposes the discovered infrastructure topology as Model Context Protocol\n * **Resources** (read-only context, progressive disclosure), a small set of query\n * **Tools** (parameterized lookups), and reusable **Prompts**. Any MCP host —\n * Claude Code, Cursor, Cline, Windsurf, the Vercel AI SDK, LangGraph — can drive\n * it; the package never needs to know which model is in use.\n */\n\nimport { McpServer, ResourceTemplate } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport { z } from 'zod';\nimport { CartographyDB, deriveSessionName, normalizeTenant } from '../db.js';\nimport type { GraphSummary, OrgSummary } from '../db.js';\nimport { defaultConfig, NODE_TYPES, NODE_TYPE_GROUPS } from '../types.js';\nimport type { NodeRow } from '../types.js';\nimport type { TopologyDelta } from '../diff.js';\nimport { classifyDrift, filterBySeverity } from '../drift.js';\nimport { redactValue } from '../tools.js';\nimport { getRuleset, listRulesets } from '../compliance/rulesets/registry.js';\nimport { parseNlQuery, executeNlQuery } from '../nlq/index.js';\n\nconst SERVER_NAME = 'cartography';\nconst SERVER_VERSION = '2.2.0';\n\nconst SERVICE_TYPES = NODE_TYPE_GROUPS.web;\nconst DATA_TYPES = NODE_TYPE_GROUPS.data;\n\n/** A pluggable search backend; defaults to lexical search, can be upgraded to semantic. */\nexport type SearchFn = (\n db: CartographyDB,\n sessionId: string,\n query: string,\n opts: { types?: readonly string[]; limit: number },\n) => Promise<Array<{ node: NodeRow; score?: number }>>;\n\n/** A pluggable discovery backend invoked by the `run_discovery` tool. */\nexport type DiscoveryFn = (\n db: CartographyDB,\n sessionId: string,\n opts: { hint?: string; mode?: 'replace' | 'update' },\n) => Promise<{ nodes: number; edges: number; delta?: TopologyDelta }>;\n\nexport interface CreateMcpServerOptions {\n /** Database instance. If omitted, one is opened at `config.dbPath`. */\n db?: CartographyDB;\n /** Path to the SQLite catalog (used when `db` is not provided). */\n dbPath?: string;\n /** Session to serve: a session id, or `'latest'` (default) for the newest discovery. */\n session?: string | 'latest';\n /**\n * Tenant/organization whose topology this server serves. Defaults to DEFAULT_TENANT\n * (`'local'`). Session resolution is scoped to this tenant, so a server bound to one\n * tenant never surfaces another tenant's sessions/nodes/edges. This is a data-scoping\n * partition, not an authorization boundary (RBAC is Phase 4).\n */\n tenant?: string;\n /** Semantic/lexical search backend. Defaults to lexical `searchNodes`. */\n search?: SearchFn;\n /** Discovery backend for `run_discovery`/`refresh`. Optional. */\n discovery?: DiscoveryFn;\n /**\n * Central-collector org (2.12). When set, `get_summary` returns the org-wide,\n * cross-machine merged summary (`db.getOrgSummary(org)`) instead of the single-\n * session view. Used by server-mode; unset preserves the local single-session\n * behaviour exactly. The org is normalized to a tenant.\n */\n org?: string;\n}\n\nconst lexicalSearch: SearchFn = async (db, sessionId, query, opts) =>\n db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));\n\n/** Compact projection of a node for tool results (token-economical). */\nfunction compactNode(n: NodeRow): Record<string, unknown> {\n return {\n id: n.id,\n type: n.type,\n name: n.name,\n confidence: n.confidence,\n ...(n.domain ? { domain: n.domain } : {}),\n ...(n.tags.length ? { tags: n.tags } : {}),\n };\n}\n\nfunction json(data: unknown) {\n return { content: [{ type: 'text' as const, text: JSON.stringify(data, null, 2) }] };\n}\n\n/** True for the org-wide (central-collector) summary shape. */\nfunction isOrgSummary(s: GraphSummary | OrgSummary): s is OrgSummary {\n return 'org' in s;\n}\n\nfunction summaryText(s: GraphSummary | OrgSummary): string {\n const header = isOrgSummary(s)\n ? `# Organization topology — org ${s.org} (${s.contributors} contributor${s.contributors === 1 ? '' : 's'})`\n : `# Infrastructure topology — session ${s.sessionId}`;\n const lines = [\n header,\n ``,\n `Totals: ${s.totals.nodes} nodes, ${s.totals.edges} edges`,\n ``,\n `Nodes by type:`,\n ...Object.entries(s.nodesByType).sort((a, b) => b[1] - a[1]).map(([t, c]) => ` - ${t}: ${c}`),\n ``,\n `Nodes by domain:`,\n ...Object.entries(s.nodesByDomain).sort((a, b) => b[1] - a[1]).map(([d, c]) => ` - ${d}: ${c}`),\n ``,\n `Edges by relationship:`,\n ...Object.entries(s.edgesByRelationship).sort((a, b) => b[1] - a[1]).map(([r, c]) => ` - ${r}: ${c}`),\n ``,\n `Most connected:`,\n ...s.topConnected.map((n) => ` - ${n.id} (${n.type}) — degree ${n.degree}`),\n // 3.6 anomalies — single-session GraphSummary only.\n ...(!isOrgSummary(s)\n ? [``, `Anomalies (${s.anomalies.length}):`,\n ...(s.anomalies.length === 0\n ? [' - none']\n : s.anomalies.slice(0, 20).map((a) => ` - [${a.severity}] ${a.kind}: ${a.nodeId} — ${a.reason}`))]\n : []),\n // 3.3 cost section — only for the single-session GraphSummary, and only when costs exist.\n ...(!isOrgSummary(s) && s.costByDomain.length\n ? [``, `Cost by domain:`, ...s.costByDomain.map((c) => ` - ${c.domain} [${c.currency}/${c.period}]: ${c.total} (${c.nodes} nodes)`)]\n : []),\n ...(!isOrgSummary(s) && s.costCoverage.withCost\n ? [``, `Cost coverage: ${s.costCoverage.withCost}/${s.costCoverage.total} nodes attributed`]\n : []),\n ``,\n `Read cartography://nodes/{id} or cartography://dependencies/{id} for detail.`,\n ];\n return lines.join('\\n');\n}\n\n/**\n * Build a fully-configured Cartography MCP server. Call `.connect(transport)` to run it.\n */\nexport function createMcpServer(opts: CreateMcpServerOptions = {}): McpServer {\n const db = opts.db ?? new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);\n const search = opts.search ?? lexicalSearch;\n const tenant = normalizeTenant(opts.tenant);\n // Central-collector org (2.12): when set, get_summary serves the org-wide merged\n // view; otherwise the single-session view is preserved unchanged.\n const org = opts.org !== undefined ? normalizeTenant(opts.org) : undefined;\n\n /**\n * Resolve the served session id at call time (so late discoveries are picked up),\n * scoped to the served `tenant`. An explicit session id must belong to the served\n * tenant or it resolves to undefined — so a client bound to tenant A can never read\n * a session owned by tenant B, even by naming its id.\n */\n const resolveSession = (): string | undefined => {\n if (opts.session && opts.session !== 'latest') {\n const s = db.getSession(opts.session);\n return s && s.tenant === tenant ? s.id : undefined;\n }\n return db.getLatestSession('discover', tenant)?.id ?? db.getLatestSession(undefined, tenant)?.id;\n };\n\n const server = new McpServer(\n { name: SERVER_NAME, version: SERVER_VERSION },\n {\n capabilities: { resources: { subscribe: true, listChanged: true }, tools: {}, prompts: {}, logging: {} },\n instructions:\n 'Cartography exposes a discovered infrastructure/SaaS topology. Start by reading ' +\n 'cartography://graph/summary for a low-token overview, then drill into specific nodes ' +\n 'via cartography://nodes/{id} or query with the query_infrastructure / get_dependencies tools.',\n },\n );\n\n // ── Resources (read-only context, progressive disclosure) ──────────────────\n\n server.registerResource(\n 'graph-summary',\n 'cartography://graph/summary',\n { title: 'Topology summary', description: 'Low-token aggregate index of the whole landscape — read this first.', mimeType: 'text/markdown' },\n (uri) => {\n if (org !== undefined) {\n return { contents: [{ uri: uri.href, mimeType: 'text/markdown', text: summaryText(db.getOrgSummary(org)) }] };\n }\n const sid = resolveSession();\n if (!sid) return { contents: [{ uri: uri.href, mimeType: 'text/markdown', text: 'No discovery session found. Run discovery first.' }] };\n return { contents: [{ uri: uri.href, mimeType: 'text/markdown', text: summaryText(db.getGraphSummary(sid)) }] };\n },\n );\n\n server.registerResource(\n 'cost-summary',\n 'cartography://cost/summary',\n { title: 'Cost summary', description: 'Cost rolled up by domain and owner (currency/period-bucketed).', mimeType: 'application/json' },\n (uri) => {\n const sid = resolveSession();\n if (!sid) return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ error: 'No discovery session found.' }) }] };\n const s = db.getGraphSummary(sid);\n return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ costByDomain: s.costByDomain, costByOwner: s.costByOwner, costCoverage: s.costCoverage }, null, 2) }] };\n },\n );\n\n server.registerResource(\n 'nodes-index',\n 'cartography://nodes',\n { title: 'Node index', description: 'Lightweight list of all nodes (id, type, name only).', mimeType: 'application/json' },\n (uri) => {\n const sid = resolveSession();\n const nodes = sid ? db.getNodes(sid) : [];\n return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ count: nodes.length, nodes: nodes.map((n) => ({ id: n.id, type: n.type, name: n.name })) }, null, 2) }] };\n },\n );\n\n server.registerResource(\n 'node-detail',\n new ResourceTemplate('cartography://nodes/{id}', { list: undefined }),\n { title: 'Node detail', description: 'Full node record plus its incident edges.', mimeType: 'application/json' },\n (uri, variables) => {\n const sid = resolveSession();\n const id = decodeURIComponent(String(variables['id']));\n const node = sid ? db.getNode(sid, id) : undefined;\n if (!node) return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ error: `node not found: ${id}` }) }] };\n const edges = db.getEdges(sid!).filter((e) => e.sourceId === id || e.targetId === id);\n return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ node, edges }, null, 2) }] };\n },\n );\n\n const typedListResource = (name: string, uri: string, title: string, types: readonly string[]) =>\n server.registerResource(name, uri, { title, description: `Nodes of type: ${types.join(', ')}.`, mimeType: 'application/json' }, (u) => {\n const sid = resolveSession();\n const nodes = sid ? db.getNodesByType(sid, types) : [];\n return { contents: [{ uri: u.href, mimeType: 'application/json', text: JSON.stringify({ count: nodes.length, nodes: nodes.map(compactNode) }, null, 2) }] };\n });\n\n typedListResource('services', 'cartography://services', 'Services', SERVICE_TYPES);\n typedListResource('databases', 'cartography://databases', 'Data stores', DATA_TYPES);\n\n server.registerResource(\n 'dependencies',\n new ResourceTemplate('cartography://dependencies/{id}', { list: undefined }),\n { title: 'Dependencies', description: 'Transitive downstream dependencies of a node.', mimeType: 'application/json' },\n (uri, variables) => {\n const sid = resolveSession();\n const id = decodeURIComponent(String(variables['id']));\n if (!sid) return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({ error: 'no session' }) }] };\n const r = db.getDependencies(sid, id, { direction: 'downstream', maxDepth: 8 });\n return { contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify({\n root: id,\n count: r.nodes.length,\n nodes: r.nodes.map((n) => ({ ...compactNode(n), depth: n.depth })),\n edges: r.edges.map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship, confidence: e.confidence, evidence: e.evidence })),\n }, null, 2) }] };\n },\n );\n\n server.registerResource(\n 'sessions',\n 'cartography://sessions',\n { title: 'Discovery sessions', description: 'All discovery sessions in the catalog.', mimeType: 'application/json' },\n (uri) => ({ contents: [{ uri: uri.href, mimeType: 'application/json', text: JSON.stringify(db.getSessions(tenant), null, 2) }] }),\n );\n\n // ── Tools (model-controlled queries) ───────────────────────────────────────\n\n /** Annotations shared by every read-only query tool (untrusted hints, never a security boundary). */\n const readOnly = { readOnlyHint: true, openWorldHint: false } as const;\n\n server.registerTool(\n 'get_summary',\n { title: 'Get topology summary', description: 'Low-token overview of the whole landscape (counts, types, domains, most-connected, anomalies).', inputSchema: {}, annotations: readOnly },\n () => {\n if (org !== undefined) return json(db.getOrgSummary(org));\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n return json(db.getGraphSummary(sid));\n },\n );\n\n server.registerTool(\n 'get_cost_summary',\n { title: 'Get cost summary', description: 'FinOps rollup: cost by domain and owner, currency/period-bucketed (3.3).', inputSchema: {}, annotations: readOnly },\n () => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const s = db.getGraphSummary(sid);\n return json({ costByDomain: s.costByDomain, costByOwner: s.costByOwner, costCoverage: s.costCoverage });\n },\n );\n\n server.registerTool(\n 'query_infrastructure',\n {\n title: 'Query infrastructure',\n description: 'Search the topology by name/id/domain (optionally filtered by node type). Returns compact node records.',\n inputSchema: {\n query: z.string().describe('Free-text query, e.g. \"postgres\", \"auth\", \"github\"'),\n types: z.array(z.enum(NODE_TYPES)).optional().describe('Restrict to these node types'),\n limit: z.number().int().min(1).max(200).default(25).optional(),\n },\n annotations: readOnly,\n },\n async (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const results = await search(db, sid, args.query, { types: args.types, limit: args.limit ?? 25 });\n return json({ count: results.length, results: results.map((r) => ({ ...compactNode(r.node), ...(r.score !== undefined ? { score: r.score } : {}) })) });\n },\n );\n\n server.registerTool(\n 'search_topology',\n {\n title: 'Search topology (semantic)',\n description: 'Find nodes related to a concept by meaning (semantic search when available, lexical otherwise).',\n inputSchema: { query: z.string(), limit: z.number().int().min(1).max(100).default(10).optional() },\n annotations: readOnly,\n },\n async (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const results = await search(db, sid, args.query, { limit: args.limit ?? 10 });\n return json({ count: results.length, results: results.map((r) => ({ ...compactNode(r.node), ...(r.score !== undefined ? { score: r.score } : {}) })) });\n },\n );\n\n server.registerTool(\n 'list_services',\n {\n title: 'List services',\n description: 'List discovered services or data stores.',\n inputSchema: { kind: z.enum(['services', 'databases', 'all']).default('all').optional() },\n annotations: readOnly,\n },\n (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const kind = args.kind ?? 'all';\n const types = kind === 'services' ? SERVICE_TYPES : kind === 'databases' ? DATA_TYPES : [...SERVICE_TYPES, ...DATA_TYPES];\n return json(db.getNodesByType(sid, types).map(compactNode));\n },\n );\n\n server.registerTool(\n 'get_node',\n { title: 'Get node', description: 'Fetch a single node with its incident edges.', inputSchema: { id: z.string() }, annotations: readOnly },\n (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const node = db.getNode(sid, args.id);\n if (!node) return json({ error: `node not found: ${args.id}` });\n const edges = db.getEdges(sid).filter((e) => e.sourceId === args.id || e.targetId === args.id);\n return json({ node, edges });\n },\n );\n\n server.registerTool(\n 'get_dependencies',\n {\n title: 'Get dependencies',\n description: 'Traverse the dependency graph from a node (downstream/upstream/both) with a depth limit.',\n inputSchema: {\n id: z.string(),\n direction: z.enum(['downstream', 'upstream', 'both']).default('downstream').optional(),\n maxDepth: z.number().int().min(1).max(64).default(8).optional(),\n minConfidence: z.number().min(0).max(1).optional().describe('Drop edges below this confidence (0..1).'),\n },\n annotations: readOnly,\n },\n (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const r = db.getDependencies(sid, args.id, { direction: args.direction ?? 'downstream', maxDepth: args.maxDepth ?? 8 });\n const minConfidence = args.minConfidence ?? 0;\n return json({\n root: r.root ? compactNode(r.root) : null,\n direction: r.direction,\n count: r.nodes.length,\n nodes: r.nodes.map((n) => ({ ...compactNode(n), depth: n.depth })),\n edges: r.edges\n .filter((e) => e.confidence >= minConfidence)\n .map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship, confidence: e.confidence, evidence: e.evidence })),\n });\n },\n );\n\n server.registerTool(\n 'query_natural_language',\n {\n title: 'Query in natural language',\n description:\n 'Answer a plain-English topology question (e.g. \"services that depend on the payments DB\"). ' +\n 'Deterministically parses the question into a structured intent, then anchors via search and ' +\n 'traverses dependencies, applying any node-type filter to the results. Echoes the parsed ' +\n 'intent for explainability. Read-only, LLM-free.',\n inputSchema: {\n query: z.string().min(1).max(1000).describe('Natural-language question about the topology'),\n maxDepth: z.number().int().min(1).max(64).default(8).optional(),\n },\n annotations: readOnly,\n },\n async (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const intent = parseNlQuery(args.query);\n const r = await executeNlQuery(db, sid, search, intent, { maxDepth: args.maxDepth ?? 8 });\n return json({\n intent: {\n query: r.intent.query, subjectQuery: r.intent.subjectQuery,\n relation: r.intent.relation, direction: r.intent.direction ?? null,\n typeFilter: r.intent.typeFilter ?? null, degraded: r.intent.degraded,\n },\n anchors: r.anchors.map((a) => ({ ...compactNode(a.node), ...(a.score !== undefined ? { score: a.score } : {}) })),\n count: r.nodes.length,\n nodes: r.nodes.map((n) => ({ ...compactNode(n), ...(n.depth !== undefined ? { depth: n.depth } : {}) })),\n paths: r.paths.map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship })),\n });\n },\n );\n\n server.registerTool(\n 'diff_topology',\n {\n title: 'Diff topology (drift detection)',\n description:\n 'Compare two discovery sessions and report added/removed/changed nodes and added/removed edges, ' +\n 'plus newly-appearing structural anomalies (3.6). ' +\n 'Defaults to the two most recent sessions (base = second-most-recent, current = most-recent).',\n inputSchema: {\n base: z.string().optional().describe('Baseline session id (default: second-most-recent session)'),\n current: z.string().optional().describe('Current session id (default: most-recent session)'),\n },\n annotations: readOnly,\n },\n (args) => {\n // getSessions(tenant) is ordered newest-first (rowid DESC): [0] = latest, [1] = previous.\n const sessions = db.getSessions(tenant);\n const currentId = args.current ?? sessions[0]?.id;\n const baseId = args.base ?? sessions[1]?.id;\n if (!baseId || !currentId) return json({ error: 'Need at least two discovery sessions to diff.' });\n if (baseId === currentId) return json({ error: 'Base and current session are the same.' });\n const d = db.diffSessions(baseId, currentId);\n return json({\n base: d.base,\n current: d.current,\n summary: d.summary,\n nodes: {\n added: d.nodes.added.map(compactNode),\n removed: d.nodes.removed.map(compactNode),\n changed: d.nodes.changed.map((c) => ({ ...compactNode(c.after), changedFields: c.changedFields })),\n },\n edges: {\n added: d.edges.added.map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship })),\n removed: d.edges.removed.map((e) => ({ from: e.sourceId, to: e.targetId, rel: e.relationship })),\n },\n anomalies: {\n added: d.anomalies.added,\n baseCount: d.anomalies.base.length,\n currentCount: d.anomalies.current.length,\n },\n });\n },\n );\n\n server.registerTool(\n 'classify_drift',\n {\n title: 'Classify drift (severity-ranked drift detection)',\n description:\n 'Compare two discovery sessions and return a severity-classified drift alert ' +\n '(info|warning|critical per item plus an overall severity). Defaults to the two most recent. ' +\n 'Read-only: never dispatches to sinks.',\n inputSchema: {\n base: z.string().optional().describe('Baseline session id (default: second-most-recent)'),\n current: z.string().optional().describe('Current session id (default: most-recent)'),\n minSeverity: z.enum(['info', 'warning', 'critical']).optional().describe('Drop items below this severity'),\n },\n annotations: readOnly,\n },\n (args) => {\n // getSessions(tenant) is newest-first (rowid DESC): [0] = latest, [1] = previous.\n const sessions = db.getSessions(tenant);\n const currentId = args.current ?? sessions[0]?.id;\n const baseId = args.base ?? sessions[1]?.id;\n if (!baseId || !currentId) return json({ error: 'Need at least two discovery sessions to diff.' });\n if (baseId === currentId) return json({ error: 'Base and current session are the same.' });\n let alert = classifyDrift(db.diffSessions(baseId, currentId));\n if (args.minSeverity) alert = filterBySeverity(alert, args.minSeverity);\n return json(redactValue(alert));\n },\n );\n\n server.registerTool(\n 'score_compliance',\n {\n title: 'Score compliance',\n description:\n 'Grade the served session against a compliance ruleset (baseline/cis/soc2/iso27001 starter ' +\n 'sets) and list gaps with the node ids that caused them. Read-only; never throws.',\n inputSchema: {\n ruleset: z.string().default('baseline').optional().describe('Ruleset name (default: baseline)'),\n session: z.string().optional().describe('Session id (default: the served session)'),\n },\n annotations: readOnly,\n },\n (args) => {\n const sid = args.session ?? resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const name = args.ruleset ?? 'baseline';\n const rs = getRuleset(name);\n if (!rs) return json({ error: `Unknown ruleset: ${name}`, available: listRulesets().map((r) => r.name) });\n return json(db.scoreSession(sid, rs));\n },\n );\n\n server.registerTool(\n 'get_activity_events',\n {\n title: 'Get activity events (audit trail)',\n description: 'Recent executed tool calls and their result sizes for the current session.',\n inputSchema: { limit: z.number().int().min(1).max(500).default(50).optional() },\n annotations: readOnly,\n },\n (args) => {\n const sid = resolveSession();\n if (!sid) return json({ error: 'No discovery session found.' });\n const events = db.getEvents(sid).slice(-(args.limit ?? 50));\n return json({ count: events.length, events });\n },\n );\n\n if (opts.discovery) {\n const discovery = opts.discovery;\n server.registerTool(\n 'run_discovery',\n {\n title: 'Run discovery',\n description: 'Scan the local system (read-only) and update the catalog. Returns counts of nodes/edges found. Pass `update: true` to rescan the served session in place and return the delta (2.1 incremental discovery).',\n inputSchema: {\n hint: z.string().optional().describe('Optional focus, e.g. tool names to look for'),\n update: z.boolean().optional().describe('Rescan the served session in place and return the delta instead of creating a new session'),\n },\n // Scans read-only but writes results to the local catalog, so not a read-only tool; never destructive.\n annotations: { readOnlyHint: false, destructiveHint: false, openWorldHint: true },\n },\n async (args) => {\n let sid = resolveSession();\n if (args.update) {\n // Incremental rescan needs an existing served session; never silently create one.\n if (!sid) return json({ error: 'No session to update; run discovery first.' });\n } else if (!sid) {\n sid = db.createSession('discover', defaultConfig(), tenant);\n }\n const result = await discovery(db, sid, { hint: args.hint, mode: args.update ? 'update' : 'replace' });\n // Give the session a deterministic, human-friendly name once it has content.\n // The `!sess.name` guard means an in-place rescan never clobbers a name.\n const sess = db.getSession(sid);\n if (sess && !sess.name) db.setSessionName(sid, deriveSessionName(db.getGraphSummary(sid), sess.startedAt));\n server.server.sendResourceUpdated({ uri: 'cartography://graph/summary' }).catch((err: unknown) => {\n process.stderr.write(`[cartography-mcp] resource update notification failed: ${err instanceof Error ? err.message : String(err)}\\n`);\n });\n server.server.sendResourceListChanged?.();\n return json({\n session: sid, nodes: result.nodes, edges: result.edges,\n ...(result.delta ? { summary: result.delta.summary } : {}),\n });\n },\n );\n }\n\n // ── Prompts (user-controlled templates) ────────────────────────────────────\n\n server.registerPrompt(\n 'audit-attack-surface',\n { title: 'Audit attack surface', description: 'Review the discovered topology for externally-reachable services and risky dependencies.' },\n () => ({\n messages: [{\n role: 'user', content: { type: 'text', text:\n 'Read cartography://graph/summary and cartography://services. Identify externally-reachable ' +\n 'services, data stores with broad inbound dependencies, and any node with low confidence that ' +\n 'warrants verification. Use get_dependencies to assess blast radius. Summarize the attack surface ' +\n 'and concrete hardening recommendations.' } }],\n }),\n );\n\n server.registerPrompt(\n 'map-service-dependencies',\n {\n title: 'Map service dependencies',\n description: 'Produce a dependency map for a given service.',\n argsSchema: { service: z.string().describe('Service node id or name') },\n },\n (args) => ({\n messages: [{\n role: 'user', content: { type: 'text', text:\n `Use query_infrastructure to locate \"${args.service}\", then get_dependencies (direction=both) to ` +\n `map everything it depends on and everything that depends on it. Present the result as a clear ` +\n `dependency tree and call out single points of failure.` } }],\n }),\n );\n\n server.registerPrompt(\n 'compare-environments',\n { title: 'Compare environments', description: 'Summarize infrastructure drift between two discovery snapshots.' },\n () => ({\n messages: [{\n role: 'user', content: { type: 'text', text:\n 'Call diff_topology to compare the two most recent discovery sessions. Summarize what was added, ' +\n 'removed, and changed. Flag newly externally-reachable services and removed dependencies that could ' +\n 'indicate an outage or decommission. Recommend what an operator should verify.' } }],\n }),\n );\n\n server.registerPrompt(\n 'onboard-to-system',\n { title: 'Onboard to system', description: 'Explain the system landscape to a new engineer.' },\n () => ({\n messages: [{\n role: 'user', content: { type: 'text', text:\n 'Read cartography://graph/summary, then cartography://services and cartography://databases. ' +\n 'Write a concise onboarding briefing for a new engineer: what the major systems are, how they ' +\n 'connect, which data stores are central, and where to look first.' } }],\n }),\n );\n\n server.registerPrompt(\n 'find-single-points-of-failure',\n { title: 'Find single points of failure', description: 'Rank chokepoints whose loss has the largest blast radius.' },\n () => ({\n messages: [{\n role: 'user', content: { type: 'text', text:\n 'Call get_summary and read topConnected (the most-connected nodes). For each, call get_dependencies ' +\n '(direction=both) to measure how many services depend on it. Identify single points of failure — nodes ' +\n 'whose loss would disconnect or degrade the largest blast radius — rank them by impact, and recommend ' +\n 'redundancy or mitigation for each.' } }],\n }),\n );\n\n server.registerPrompt(\n 'generate-runbook',\n {\n title: 'Generate operations runbook',\n description: 'Produce an operations/onboarding runbook from the topology.',\n argsSchema: { service: z.string().optional().describe('Optional service id/name to scope the runbook') },\n },\n (args) => ({\n messages: [{\n role: 'user', content: { type: 'text', text: args.service\n ? `Use query_infrastructure to locate \"${args.service}\", then get_dependencies (direction=both). Write an ` +\n `operations runbook for it: purpose, upstream/downstream dependencies, startup/shutdown order, health ` +\n `checks, common failure modes, and escalation steps.`\n : 'Read cartography://graph/summary, then call get_summary and list_services. Write a system-wide operations ' +\n 'runbook: major components, how they connect, critical data stores, startup/shutdown order, health checks, ' +\n 'and where an on-call engineer should look first.' } }],\n }),\n );\n\n return server;\n}\n","/**\n * Natural-language topology query resolver (3.5) — deterministic, LLM-free.\n *\n * Turns a plain-English question (\"services that depend on the payments DB\") into a\n * structured intent, then composes the existing primitives — the injected `SearchFn`\n * (semantic↔lexical degradation inherited for free) + `db.getDependencies` + a\n * post-traversal type filter — and echoes the parsed intent for explainability.\n * No LLM, no new exec path, read-only. The NL string is sanitized + length-clamped\n * (ReDoS-safe: only linear, anchored patterns).\n */\n\nimport type { CartographyDB } from '../db.js';\nimport type { NodeRow, EdgeRow, NodeType } from '../types.js';\nimport { NODE_TYPE_GROUPS } from '../types.js';\nimport type { SearchFn } from '../mcp/server.js';\nimport { sanitizeUntrusted } from '../sanitize.js';\nimport { logDebug } from '../logger.js';\n\n/** The relationship the operator asked about, in resolver-native terms. */\nexport type NlRelation = 'depends-on' | 'depended-on-by' | 'connected-to' | 'list';\n\n/** Maps a parsed relation to the `db.getDependencies` direction. Single source of truth. */\nexport const RELATION_TO_DIRECTION = {\n 'depends-on': 'downstream',\n 'depended-on-by': 'upstream',\n 'connected-to': 'both',\n 'list': undefined,\n} as const satisfies Record<NlRelation, 'downstream' | 'upstream' | 'both' | undefined>;\n\n/** Structured intent parsed from a natural-language question. */\nexport interface NlIntent {\n readonly query: string;\n readonly subjectQuery: string;\n readonly relation: NlRelation;\n readonly direction?: 'downstream' | 'upstream' | 'both';\n /** Concrete node types the *result* set is restricted to (post-traversal), if any. */\n readonly typeFilter?: readonly NodeType[];\n /** True when no relation pattern matched and we degraded to a search-only list. */\n readonly degraded: boolean;\n}\n\nexport interface NlQueryResult {\n readonly intent: NlIntent;\n readonly anchors: Array<{ node: NodeRow; score?: number }>;\n readonly nodes: Array<NodeRow & { depth?: number }>;\n readonly paths: EdgeRow[];\n}\n\nexport interface NlQueryOptions {\n readonly maxDepth?: number;\n readonly anchorLimit?: number;\n}\n\nconst MAX_QUERY_LEN = 1000;\n\n/** Plural/group words → concrete node-type sets (applied to the *result* set). */\nconst GROUP_WORDS: ReadonlyArray<readonly [RegExp, readonly NodeType[]]> = [\n [/\\bservices?\\b/i, NODE_TYPE_GROUPS.web],\n [/\\b(?:databases?|datastores?|data ?stores?)\\b/i, NODE_TYPE_GROUPS.data],\n [/\\b(?:queues?|topics?|brokers?|messaging)\\b/i, NODE_TYPE_GROUPS.messaging],\n [/\\b(?:hosts?|containers?|pods?|clusters?|infra(?:structure)?)\\b/i, NODE_TYPE_GROUPS.infra],\n [/\\bsaas\\b/i, NODE_TYPE_GROUPS.saas],\n];\n\n// Relation patterns (bounded, anchored, no nested quantifiers → ReDoS-free). Each\n// captures a named `subject` group; UPSTREAM also has an implicit leading clause.\nconst UPSTREAM: RegExp[] = [\n /^(?:.*?)\\b(?:that|which)\\s+depends?\\s+(?:on|upon)\\s+(?<subject>.+)$/i,\n /^(?:.*?)\\bdepending\\s+(?:on|upon)\\s+(?<subject>.+)$/i,\n /^(?:.*?)\\b(?:that|which)\\s+relies?\\s+on\\s+(?<subject>.+)$/i,\n /^\\s*what\\s+depends?\\s+(?:on|upon)\\s+(?<subject>.+)$/i,\n];\nconst DOWNSTREAM: RegExp[] = [\n /\\bwhat\\s+(?:does|do)\\s+(?<subject>.+?)\\s+depend\\s+(?:on|upon)\\b/i,\n /^(?<subject>.+?)['’]s\\s+dependencies\\b/i,\n /\\bdependencies\\s+of\\s+(?<subject>.+)$/i,\n /^(?<subject>.+?)\\s+dependencies\\b/i,\n /^(?<subject>.+?)\\s+depends?\\s+(?:on|upon)\\s+.*$/i,\n];\nconst CONNECTED: RegExp[] = [\n /\\bwhat\\s+is\\s+connected\\s+to\\s+(?<subject>.+)$/i,\n /\\b(?:connected|related|linked)\\s+to\\s+(?<subject>.+)$/i,\n /\\btalks?\\s+to\\s+(?<subject>.+)$/i,\n];\n\nfunction firstMatch(query: string, pats: RegExp[]): string | null {\n for (const re of pats) {\n const m = query.match(re);\n if (m?.groups?.subject) return m.groups.subject;\n }\n return null;\n}\n\nfunction cleanSubject(s: string): string {\n return s.replace(/[?.!,]+\\s*$/g, '').replace(/^\\s*(?:the|a|an|my|our|all)\\s+/i, '').trim();\n}\n\nfunction detectTypeFilter(text: string): readonly NodeType[] | undefined {\n const set = new Set<NodeType>();\n for (const [re, types] of GROUP_WORDS) if (re.test(text)) for (const t of types) set.add(t);\n return set.size > 0 ? [...set] : undefined;\n}\n\n/** Parse a natural-language question into a structured {@link NlIntent}. Pure & deterministic. */\nexport function parseNlQuery(raw: string): NlIntent {\n const query = sanitizeUntrusted(raw).slice(0, MAX_QUERY_LEN).trim();\n\n let relation: NlRelation = 'list';\n let subj = firstMatch(query, UPSTREAM);\n if (subj !== null) relation = 'depended-on-by';\n else if ((subj = firstMatch(query, DOWNSTREAM)) !== null) relation = 'depends-on';\n else if ((subj = firstMatch(query, CONNECTED)) !== null) relation = 'connected-to';\n\n const degraded = subj === null;\n const subjectQuery = cleanSubject(subj ?? query);\n // Type filter from the non-subject portion (relational) or the whole query (list),\n // so \"DB\" inside the subject never pollutes a \"services …\" result filter.\n const scanText = subj === null ? query : query.replace(subj, ' ');\n const typeFilter = detectTypeFilter(scanText);\n\n // optional LLM assist seam: a future AgentProvider could re-parse `query` here when relation === 'list'.\n return { query, subjectQuery, relation, direction: RELATION_TO_DIRECTION[relation], typeFilter, degraded };\n}\n\n/** Execute a parsed intent: anchor via `search`, traverse, then filter results by type. */\nexport async function executeNlQuery(\n db: CartographyDB,\n sessionId: string,\n search: SearchFn,\n intent: NlIntent,\n opts: NlQueryOptions = {},\n): Promise<NlQueryResult> {\n const anchorLimit = opts.anchorLimit ?? 5;\n\n // 'list': search-only — apply the type filter to the anchor search (no traversal).\n if (intent.relation === 'list') {\n const anchors = await search(db, sessionId, intent.subjectQuery, { types: intent.typeFilter, limit: anchorLimit });\n logDebug('nlq.execute', { relation: 'list', typeFilter: intent.typeFilter?.length ?? 0, anchors: anchors.length });\n return { intent, anchors, nodes: anchors.map((a) => a.node), paths: [] };\n }\n\n // Relational: anchor on the subject WITHOUT a type filter (the anchor is the subject,\n // not the result type); apply the type filter to the *traversal results*.\n const anchors = await search(db, sessionId, intent.subjectQuery, { limit: anchorLimit });\n if (anchors.length === 0) {\n logDebug('nlq.execute', { relation: intent.relation, anchors: 0, results: 0 });\n return { intent, anchors, nodes: [], paths: [] };\n }\n const root = anchors[0].node; // top hit (search orders by score, then confidence)\n const trav = db.getDependencies(sessionId, root.id, { direction: intent.direction, maxDepth: opts.maxDepth ?? 8 });\n const allow = intent.typeFilter ? new Set<string>(intent.typeFilter) : undefined;\n const nodes = allow ? trav.nodes.filter((n) => allow.has(n.type)) : trav.nodes;\n\n logDebug('nlq.execute', {\n relation: intent.relation, direction: intent.direction,\n typeFilter: intent.typeFilter?.length ?? 0, anchors: anchors.length, results: nodes.length,\n });\n return { intent, anchors, nodes, paths: trav.edges };\n}\n\n/** Convenience: parse + execute in one call. */\nexport async function resolveNlQuery(\n db: CartographyDB, sessionId: string, search: SearchFn, raw: string, opts?: NlQueryOptions,\n): Promise<NlQueryResult> {\n return executeNlQuery(db, sessionId, search, parseNlQuery(raw), opts);\n}\n","/**\n * Transport bindings for the Cartography MCP server.\n *\n * - **stdio**: the local-first default — zero network, every client supports it.\n * - **Streamable HTTP**: a single `/mcp` endpoint for team/remote use, bound to\n * localhost with DNS-rebinding protection. The deprecated SSE transport is not used.\n */\n\nimport { randomUUID } from 'node:crypto';\nimport http from 'node:http';\nimport { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';\nimport { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';\nimport type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\n\n/** Connect a server over stdio (resolves when the transport closes). */\nexport async function runStdio(server: McpServer): Promise<void> {\n const transport = new StdioServerTransport();\n await server.connect(transport);\n}\n\nexport interface HttpOptions {\n port?: number;\n host?: string;\n /** Extra allowed Host headers (defaults to localhost:port variants). */\n allowedHosts?: string[];\n /** Allowed Origin headers (defaults to none → same-origin only). */\n allowedOrigins?: string[];\n /**\n * Shared secret required in the `Authorization: Bearer <token>` header.\n * Mandatory when binding a non-loopback host; optional (and enforced when\n * present) on loopback.\n */\n token?: string;\n /**\n * Central-collector ingest hook (2.12). When set, an authenticated `POST /ingest`\n * **write** route is exposed: it inherits the *same* bearer auth and non-loopback\n * host-allowlist guards as `/mcp` (the route adds no separate hardening path), size-\n * caps the body, parses JSON, and returns the hook's `{ status, body }`. When unset,\n * `/ingest` 404s exactly like any other path — the collector stays dark by default.\n */\n onIngest?: (body: unknown) => { status: number; body: unknown };\n}\n\n/** Max ingest body size (5 MB). A larger POST /ingest is refused with 413 before parsing. */\nconst MAX_INGEST_BYTES = 5 * 1024 * 1024;\n\n/**\n * Read a size-capped request body. On overflow it stops buffering and drains the\n * rest of the stream (rather than resetting the socket), so the caller can still\n * write a clean 413 response that the client receives.\n */\nasync function readCappedBody(req: http.IncomingMessage, cap: number): Promise<{ overflow: boolean; value: unknown }> {\n const chunks: Buffer[] = [];\n let total = 0;\n let overflow = false;\n for await (const chunk of req) {\n if (overflow) continue; // drain remaining data without buffering\n const buf = chunk as Buffer;\n total += buf.length;\n if (total > cap) { overflow = true; chunks.length = 0; continue; }\n chunks.push(buf);\n }\n if (overflow) return { overflow: true, value: undefined };\n if (chunks.length === 0) return { overflow: false, value: undefined };\n try { return { overflow: false, value: JSON.parse(Buffer.concat(chunks).toString('utf8')) }; }\n catch { return { overflow: false, value: undefined }; }\n}\n\n/** Constant-time comparison to avoid leaking the token via timing. */\nfunction timingSafeEqual(a: string, b: string): boolean {\n if (a.length !== b.length) return false;\n let diff = 0;\n for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);\n return diff === 0;\n}\n\n/** Extract the bearer token from an Authorization header, if present. */\nfunction bearerToken(header: string | undefined): string | undefined {\n if (!header) return undefined;\n const m = /^Bearer\\s+(.+)$/i.exec(header.trim());\n return m ? m[1] : undefined;\n}\n\nasync function readJsonBody(req: http.IncomingMessage): Promise<unknown> {\n const chunks: Buffer[] = [];\n for await (const chunk of req) chunks.push(chunk as Buffer);\n if (chunks.length === 0) return undefined;\n try { return JSON.parse(Buffer.concat(chunks).toString('utf8')); } catch { return undefined; }\n}\n\n/**\n * Start a Streamable HTTP server. A fresh MCP server instance is created per\n * session via `factory`, so multiple clients can connect concurrently.\n */\n/** Loopback hosts are safe to bind without an explicit Host allowlist. */\nconst LOOPBACK_HOSTS = new Set(['127.0.0.1', 'localhost', '::1', '[::1]']);\n\nexport async function runHttp(factory: () => McpServer, opts: HttpOptions = {}): Promise<http.Server> {\n const host = opts.host ?? '127.0.0.1';\n const port = opts.port ?? 3737;\n\n const isLoopback = LOOPBACK_HOSTS.has(host);\n\n // CVE-2025-66414: a server reachable beyond loopback must declare which Host\n // headers it trusts, or DNS-rebinding protection cannot do its job. Refuse to\n // start an exposed server with the permissive localhost defaults.\n if (!isLoopback && opts.allowedHosts === undefined) {\n throw new Error(\n `Refusing to bind a non-loopback host (${host}) without an explicit allowedHosts allowlist. ` +\n `Pass { allowedHosts: ['your.public.host:port'] } to opt in, or bind 127.0.0.1 for local-only use.`,\n );\n }\n\n // A network-reachable endpoint must be authenticated. Without a token, anyone\n // who can reach the host could invoke the scanning tools.\n if (!isLoopback && !opts.token) {\n throw new Error(\n `Refusing to bind a non-loopback host (${host}) without an auth token. ` +\n `Pass { token } (or --token / CARTOGRAPHY_HTTP_TOKEN) so requests must carry 'Authorization: Bearer <token>'.`,\n );\n }\n\n const allowedHosts = opts.allowedHosts ?? [`${host}:${port}`, `localhost:${port}`, `127.0.0.1:${port}`];\n const token = opts.token;\n const transports = new Map<string, StreamableHTTPServerTransport>();\n\n const httpServer = http.createServer(async (req, res) => {\n try {\n const url = req.url ?? '';\n const isIngest = url.startsWith('/ingest') && opts.onIngest !== undefined;\n // Only `/mcp` (read) and, when enabled, `/ingest` (write) are routed; all else 404s\n // — so an unset `onIngest` keeps the collector dark (the write surface never appears).\n if (!url.startsWith('/mcp') && !isIngest) { res.writeHead(404, { 'content-type': 'application/json' }).end('{\"error\":\"not found\"}'); return; }\n\n // Authenticate before touching any session/transport state OR ingest. The ingest\n // route inherits the SAME bearer check + non-loopback guards as /mcp — no separate path.\n if (token) {\n const provided = bearerToken(req.headers['authorization']);\n if (!provided || !timingSafeEqual(provided, token)) {\n res.writeHead(401, { 'content-type': 'application/json', 'www-authenticate': 'Bearer' })\n .end('{\"error\":\"unauthorized\"}');\n return;\n }\n }\n\n // Central-collector ingest (2.12): an authenticated write route, dark unless onIngest is set.\n if (isIngest) {\n // DNS-rebinding protection (CVE-2025-66414): /mcp gets this from the SDK\n // transport's `allowedHosts`, but /ingest returns before the transport runs,\n // so it must validate the Host header itself to inherit the SAME guard.\n const hostHeader = (req.headers['host'] ?? '').toLowerCase();\n if (!allowedHosts.some((h) => h.toLowerCase() === hostHeader)) {\n res.writeHead(403, { 'content-type': 'application/json' }).end('{\"error\":\"host not allowed\"}');\n return;\n }\n const onIngest = opts.onIngest!;\n if (req.method !== 'POST') {\n res.writeHead(405, { 'content-type': 'application/json', 'allow': 'POST' }).end('{\"error\":\"method not allowed\"}');\n return;\n }\n const { overflow, value } = await readCappedBody(req, MAX_INGEST_BYTES);\n if (overflow) { res.writeHead(413, { 'content-type': 'application/json' }).end('{\"error\":\"payload too large\"}'); return; }\n const out = onIngest(value);\n res.writeHead(out.status, { 'content-type': 'application/json' }).end(JSON.stringify(out.body));\n return;\n }\n\n const sessionId = req.headers['mcp-session-id'] as string | undefined;\n const existing = sessionId ? transports.get(sessionId) : undefined;\n\n if (existing) {\n const body = req.method === 'POST' ? await readJsonBody(req) : undefined;\n await existing.handleRequest(req, res, body);\n return;\n }\n\n if (req.method !== 'POST') {\n res.writeHead(400, { 'content-type': 'application/json' }).end('{\"error\":\"missing or unknown mcp-session-id\"}');\n return;\n }\n\n // New session: initialize a transport + server instance.\n const body = await readJsonBody(req);\n const transport: StreamableHTTPServerTransport = new StreamableHTTPServerTransport({\n sessionIdGenerator: () => randomUUID(),\n enableDnsRebindingProtection: true,\n allowedHosts,\n ...(opts.allowedOrigins ? { allowedOrigins: opts.allowedOrigins } : {}),\n onsessioninitialized: (id: string) => { transports.set(id, transport); },\n });\n transport.onclose = () => { if (transport.sessionId) transports.delete(transport.sessionId); };\n await factory().connect(transport);\n await transport.handleRequest(req, res, body);\n } catch (err) {\n process.stderr.write(`[cartography-mcp] HTTP request failed: ${err instanceof Error ? err.message : String(err)}\\n`);\n if (!res.headersSent) res.writeHead(500, { 'content-type': 'application/json' }).end('{\"error\":\"internal error\"}');\n }\n });\n\n await new Promise<void>((resolve) => httpServer.listen(port, host, resolve));\n return httpServer;\n}\n","/** FNV-1a (32-bit) — the shared content hash used by the embeddings and vector store. */\nexport function fnv1a(s: string): number {\n let h = 0x811c9dc5;\n for (let i = 0; i < s.length; i++) {\n h ^= s.charCodeAt(i);\n h = Math.imul(h, 0x01000193);\n }\n return h >>> 0;\n}\n","/**\n * Embedding providers for semantic search.\n *\n * The default provider runs a small sentence-transformer locally via\n * `@huggingface/transformers` (no API key, offline after first download), keeping\n * the package LLM-agnostic. Everything is a lazy import so installs that never use\n * semantic search pay no cost and need no native model.\n */\n\nimport { fnv1a } from './hash.js';\n\n/** Produces fixed-dimension embeddings for a batch of texts. */\nexport interface EmbeddingProvider {\n readonly id: string;\n readonly dimensions: number;\n embed(texts: string[]): Promise<Float32Array[]>;\n}\n\n/**\n * Local sentence-transformer embedder (Xenova/all-MiniLM-L6-v2, 384 dims).\n * Returns `undefined` if `@huggingface/transformers` is not installed or the\n * model cannot be loaded, so callers can fall back to lexical search.\n */\nexport async function createLocalEmbedder(\n model = 'Xenova/all-MiniLM-L6-v2',\n): Promise<EmbeddingProvider | undefined> {\n try {\n // Cast the specifier to defeat static module resolution: the type build must\n // not require this optional native dep to be installed. We assert the minimal\n // surface we use instead — the runtime import is unchanged.\n const tf = (await import('@huggingface/transformers' as string)) as {\n pipeline(\n task: string,\n model: string,\n ): Promise<(text: string, opts: { pooling: string; normalize: boolean }) => Promise<{ data: unknown }>>;\n };\n const extractor = await tf.pipeline('feature-extraction', model);\n return {\n id: `local:${model}`,\n dimensions: 384,\n async embed(texts: string[]): Promise<Float32Array[]> {\n const out: Float32Array[] = [];\n for (const text of texts) {\n const tensor = await extractor(text, { pooling: 'mean', normalize: true });\n out.push(Float32Array.from(tensor.data as Iterable<number>));\n }\n return out;\n },\n };\n } catch {\n return undefined;\n }\n}\n\n/**\n * A deterministic, dependency-free hashing embedder (bag-of-character-ngrams).\n * Not as good as a transformer, but offline, instant, and useful as a fallback\n * and for tests. Produces L2-normalized vectors.\n */\nexport function createHashEmbedder(dimensions = 256): EmbeddingProvider {\n return {\n id: `hash:${dimensions}`,\n dimensions,\n async embed(texts: string[]): Promise<Float32Array[]> {\n return texts.map((text) => hashEmbed(text, dimensions));\n },\n };\n}\n\nfunction hashEmbed(text: string, dim: number): Float32Array {\n const v = new Float32Array(dim);\n const tokens = text.toLowerCase().match(/[a-z0-9]+/g) ?? [];\n for (const tok of tokens) {\n // hash the token and its char trigrams into buckets\n for (const gram of [tok, ...trigrams(tok)]) {\n const h = fnv1a(gram);\n v[h % dim] += 1;\n }\n }\n let norm = 0;\n for (const x of v) norm += x * x;\n norm = Math.sqrt(norm) || 1;\n for (let i = 0; i < dim; i++) v[i] = v[i]! / norm;\n return v;\n}\n\nfunction trigrams(s: string): string[] {\n if (s.length < 3) return [];\n const out: string[] = [];\n for (let i = 0; i <= s.length - 3; i++) out.push(s.slice(i, i + 3));\n return out;\n}\n","/**\n * Vector store backed by `sqlite-vec`. Stores one embedding per node in a `vec0`\n * virtual table living inside the same SQLite catalog, with incremental indexing\n * (content-hashed) so re-runs only embed what changed.\n */\n\nimport type { CartographyDB } from '../db.js';\nimport type { NodeRow } from '../types.js';\nimport type { EmbeddingProvider } from './embeddings.js';\nimport { fnv1a } from './hash.js';\n\n/** Text used to represent a node for embedding. */\nexport function nodeText(n: NodeRow): string {\n const desc = typeof n.metadata?.['description'] === 'string' ? (n.metadata['description'] as string) : '';\n const category = typeof n.metadata?.['category'] === 'string' ? (n.metadata['category'] as string) : '';\n return [n.name, n.id.replace(/[:_]/g, ' '), `type ${n.type}`, n.domain ?? '', n.subDomain ?? '', category, n.tags.join(' '), desc]\n .filter(Boolean).join(' — ');\n}\n\nfunction hash(s: string): string {\n return fnv1a(s).toString(16);\n}\n\nfunction toBuffer(v: Float32Array): Buffer {\n return Buffer.from(v.buffer, v.byteOffset, v.byteLength);\n}\n\nexport class VectorStore {\n private loaded = false;\n\n constructor(private db: CartographyDB, private embedder: EmbeddingProvider) {}\n\n /** Load sqlite-vec and ensure the schema exists. Returns false if unavailable. */\n async init(): Promise<boolean> {\n if (this.loaded) return true;\n try {\n const conn = this.db.rawConnection();\n // Cast the specifier so the type build doesn't require this optional native\n // dep to be installed; runtime import is unchanged.\n const sqliteVec = (await import('sqlite-vec' as string)) as { load(db: unknown): void };\n sqliteVec.load(conn);\n conn.exec(`\n CREATE TABLE IF NOT EXISTS vec_index (\n rowid INTEGER PRIMARY KEY AUTOINCREMENT,\n session_id TEXT NOT NULL,\n node_id TEXT NOT NULL,\n hash TEXT NOT NULL,\n UNIQUE(session_id, node_id)\n );\n CREATE TABLE IF NOT EXISTS vec_meta (key TEXT PRIMARY KEY, value TEXT NOT NULL);\n `);\n // Recreate the vector table if the embedding dimensions changed.\n const dimRow = conn.prepare(\"SELECT value FROM vec_meta WHERE key = 'dims'\").get() as { value: string } | undefined;\n const dims = this.embedder.dimensions;\n if (dimRow && Number(dimRow.value) !== dims) {\n conn.exec('DROP TABLE IF EXISTS vec_nodes; DELETE FROM vec_index;');\n }\n conn.exec(`CREATE VIRTUAL TABLE IF NOT EXISTS vec_nodes USING vec0(embedding float[${dims}])`);\n conn.prepare('INSERT OR REPLACE INTO vec_meta(key, value) VALUES (?, ?)').run('dims', String(dims));\n conn.prepare('INSERT OR REPLACE INTO vec_meta(key, value) VALUES (?, ?)').run('embedder', this.embedder.id);\n this.loaded = true;\n return true;\n } catch {\n return false;\n }\n }\n\n /** Incrementally embed and index any new/changed nodes for a session. */\n async index(sessionId: string): Promise<{ embedded: number; total: number }> {\n if (!(await this.init())) return { embedded: 0, total: 0 };\n const conn = this.db.rawConnection();\n const nodes = this.db.getNodes(sessionId);\n\n const getRow = conn.prepare('SELECT rowid, hash FROM vec_index WHERE session_id = ? AND node_id = ?');\n const insIndex = conn.prepare('INSERT INTO vec_index (session_id, node_id, hash) VALUES (?, ?, ?)');\n const updHash = conn.prepare('UPDATE vec_index SET hash = ? WHERE rowid = ?');\n const delVec = conn.prepare('DELETE FROM vec_nodes WHERE rowid = ?');\n const insVec = conn.prepare('INSERT INTO vec_nodes (rowid, embedding) VALUES (?, ?)');\n\n const pending: Array<{ rowid: bigint; text: string }> = [];\n for (const n of nodes) {\n const text = nodeText(n);\n const h = hash(`${this.embedder.id}:${text}`);\n const existing = getRow.get(sessionId, n.id) as { rowid: number; hash: string } | undefined;\n if (existing) {\n if (existing.hash === h) continue;\n updHash.run(h, existing.rowid);\n delVec.run(BigInt(existing.rowid));\n pending.push({ rowid: BigInt(existing.rowid), text });\n } else {\n const info = insIndex.run(sessionId, n.id, h);\n pending.push({ rowid: BigInt(info.lastInsertRowid as number), text });\n }\n }\n\n if (pending.length > 0) {\n const vectors = await this.embedder.embed(pending.map((p) => p.text));\n const tx = conn.transaction(() => {\n pending.forEach((p, i) => insVec.run(p.rowid, toBuffer(vectors[i]!)));\n });\n tx();\n }\n return { embedded: pending.length, total: nodes.length };\n }\n\n /** k-nearest-neighbour search within a session. Returns node ids + distances. */\n async search(sessionId: string, query: string, k: number): Promise<Array<{ nodeId: string; distance: number }>> {\n if (!(await this.init())) return [];\n await this.index(sessionId);\n const conn = this.db.rawConnection();\n const [qv] = await this.embedder.embed([query]);\n if (!qv) return [];\n\n // Pure-vec KNN scan (most compatible form), then map rowids and filter by\n // session in JS. Over-fetch so cross-session neighbours don't crowd out hits.\n const overfetch = Math.max(k * 5, k);\n const knn = conn.prepare(\n 'SELECT rowid, distance FROM vec_nodes WHERE embedding MATCH ? ORDER BY distance LIMIT ?',\n ).all(toBuffer(qv), overfetch) as Array<{ rowid: number; distance: number }>;\n\n const meta = conn.prepare('SELECT node_id AS nodeId, session_id AS sessionId FROM vec_index WHERE rowid = ?');\n const out: Array<{ nodeId: string; distance: number }> = [];\n for (const row of knn) {\n const m = meta.get(row.rowid) as { nodeId: string; sessionId: string } | undefined;\n if (m && m.sessionId === sessionId) out.push({ nodeId: m.nodeId, distance: row.distance });\n if (out.length >= k) break;\n }\n return out;\n }\n}\n","/**\n * Semantic search backend for the MCP server. Wraps a {@link VectorStore} and\n * degrades gracefully to lexical search when embeddings/sqlite-vec are unavailable\n * or return nothing.\n */\n\nimport type { CartographyDB } from '../db.js';\nimport type { NodeRow } from '../types.js';\nimport type { SearchFn } from '../mcp/server.js';\nimport type { EmbeddingProvider } from './embeddings.js';\nimport { createLocalEmbedder } from './embeddings.js';\nimport { VectorStore } from './store.js';\n\nconst lexical = (db: CartographyDB, sessionId: string, query: string, opts: { types?: readonly string[]; limit: number }) =>\n db.searchNodes(sessionId, query, { types: opts.types, limit: opts.limit }).map((node) => ({ node }));\n\n/** A lexical-only {@link SearchFn} — the fallback when no embedder/vector store is available. */\nconst lexicalSearch = (): SearchFn => async (d, sid, q, opts) => lexical(d, sid, q, opts);\n\n/** Options for {@link createSemanticSearch}. */\nexport interface SemanticSearchOptions {\n /** Logger for mode/degradation diagnostics (stderr). No-op if omitted. */\n log?: (msg: string) => void;\n}\n\n/**\n * Build a {@link SearchFn} that prefers semantic (vector) search and falls back to\n * lexical. Pass an explicit embedder, or let it lazily load the local transformer\n * (returns a lexical-only function if none is available). Pass `opts.log` to record\n * which mode was resolved — semantic readiness or the reason it degraded to lexical.\n */\nexport async function createSemanticSearch(\n db: CartographyDB,\n embedder?: EmbeddingProvider,\n opts: SemanticSearchOptions = {},\n): Promise<SearchFn> {\n const log = opts.log;\n const provider = embedder ?? (await createLocalEmbedder());\n if (!provider) {\n log?.('semantic search: embeddings unavailable (@huggingface/transformers not installed or failed to load) — using lexical search');\n return lexicalSearch();\n }\n const store = new VectorStore(db, provider);\n const ok = await store.init();\n if (!ok) {\n log?.('semantic search: vector store unavailable (sqlite-vec not installed or failed to load) — using lexical search');\n return lexicalSearch();\n }\n log?.('semantic search: ready');\n\n return async (d, sid, query, queryOpts): Promise<Array<{ node: NodeRow; score?: number }>> => {\n const hits = await store.search(sid, query, queryOpts.limit);\n if (hits.length === 0) return lexical(d, sid, query, queryOpts);\n // Materialize only the hit nodes, not the whole session.\n const byId = d.getNodesByIds(sid, hits.map((h) => h.nodeId));\n const results: Array<{ node: NodeRow; score?: number }> = [];\n for (const h of hits) {\n const node = byId.get(h.nodeId);\n if (!node) continue; // vector outlived its node (deleted since last index)\n if (queryOpts.types && queryOpts.types.length > 0 && !queryOpts.types.includes(node.type)) continue;\n // cosine distance → similarity score in [0,1]\n results.push({ node, score: Math.max(0, 1 - h.distance / 2) });\n }\n return results.length > 0 ? results : lexical(d, sid, query, queryOpts);\n };\n}\n\nexport { VectorStore } from './store.js';\nexport { createLocalEmbedder, createHashEmbedder } from './embeddings.js';\nexport type { EmbeddingProvider } from './embeddings.js';\n","/**\n * `SqliteStoreBackend` — the default (and currently only) {@link StoreBackend}\n * implementation for the central collector (2.12).\n *\n * It is a thin adapter over `CartographyDB`: the schema, migrations, and merge SQL\n * all live in `src/db.ts` (the single owner of the catalog), so this class only\n * forwards the org-scoped central operations. Constructing it adds no new state and\n * no new schema — the zero-config local SQLite path is byte-for-byte unchanged.\n *\n * A graph/Postgres backend (4.3) implements the same interface without changing the\n * ingest orchestration that consumes it.\n */\n\nimport type { CartographyDB, OrgSummary } from '../db.js';\nimport type { DiscoveryNode, DiscoveryEdge, Contributor } from '../types.js';\nimport type { StoreBackend, NodeIdentity } from './backend.js';\n\nexport class SqliteStoreBackend implements StoreBackend {\n constructor(private readonly db: CartographyDB) {}\n\n upsertNode(org: string, node: DiscoveryNode, identity: NodeIdentity, contributor: Contributor): 'created' | 'merged' {\n return this.db.upsertCentralNode(org, node, identity, contributor);\n }\n\n insertEdge(org: string, edge: DiscoveryEdge): void {\n this.db.insertCentralEdge(org, edge);\n }\n\n getSummary(org: string): OrgSummary {\n return this.db.getOrgSummary(org);\n }\n\n getContributors(globalId: string): Contributor[] {\n return this.db.getContributorsByGlobalId(globalId);\n }\n\n /**\n * No-op: the wrapped `CartographyDB` is owned by the caller (it is shared with the\n * read-side MCP server in server-mode), so the backend never closes it. The caller\n * closes the `CartographyDB` directly.\n */\n close(): void {\n /* connection lifecycle is owned by the caller */\n }\n}\n","/**\n * Ingest orchestration for the central collector (2.12).\n *\n * Consumes the 2.11 PUSH ENVELOPE verbatim —\n * `{ schemaVersion: 1, org?, items: [{ contentHash, kind: 'node'|'edge', payload }] }`\n * — and merges it into the tenant-partitioned central store. The pipeline is:\n *\n * 1. **Validate** the envelope shape (zod). A malformed envelope is rejected whole;\n * nothing is persisted (the HTTP layer turns this into a 400).\n * 2. **Re-validate anonymization** per node (`revalidateAnonymized`) — the client is\n * not trusted. In `reject` mode a node with any identifying fragment is dropped\n * and counted; in `strip` mode it is scrubbed and persisted. Either way a\n * structured WARN is logged with the violation path + action.\n * 3. **Merge** each node by `(org, globalId)` primary + `(org, contentHash)` secondary\n * with a contributor union (`store.upsertNode`), and insert edges (`store.insertEdge`)\n * only when both endpoints survived re-validation.\n * 4. **Log** one structured INFO with the per-ingest counts.\n *\n * The contributor `at` is stamped server-side (`new Date().toISOString()`) — never\n * trusted from the client. The envelope MAY carry a `contributor`/`anonymizationLevel`\n * extension (2.9/2.10); absent, the collector derives a conservative default and\n * re-validates at the `anonymized` level (the safe assumption).\n */\n\nimport { z } from 'zod';\nimport { NodeSchema, EdgeSchema } from '../types.js';\nimport type { Contributor } from '../types.js';\nimport { logInfo, logWarn } from '../logger.js';\nimport type { StoreBackend } from '../store/backend.js';\nimport { computeIdentity } from './merge.js';\nimport { revalidateAnonymized } from './anonymization.js';\nimport type { AnonymizationLevel } from './anonymization.js';\n\n/** Wire-format version this collector accepts (the 2.11 `PUSH_SCHEMA_VERSION`). */\nexport const INGEST_SCHEMA_VERSION = 1 as const;\n\n/** Hard cap on items per envelope — bounds memory before the per-delta transaction. */\nconst MAX_ITEMS = 50_000;\n\n/** Optional source-attribution extension an envelope may carry (2.9). */\nconst ContributorSchema = z.object({\n machineId: z.string().min(1),\n hostname: z.string().default('unknown'),\n user: z.string().default('unknown'),\n confidence: z.number().min(0).max(1).default(0.5),\n});\n\n/**\n * The ingest envelope — the 2.11 push contract, plus optional `contributor` /\n * `anonymizationLevel` extension fields (read when present; never required). `org`\n * is optional in the wire format; the collector falls back to its `defaultOrg`.\n */\nexport const IngestEnvelopeSchema = z.object({\n schemaVersion: z.literal(INGEST_SCHEMA_VERSION),\n org: z.string().min(1).optional(),\n items: z.array(z.object({\n contentHash: z.string(),\n kind: z.enum(['node', 'edge']),\n payload: z.unknown(),\n })).max(MAX_ITEMS),\n // Extensions (forward-compatible; 2.11 does not yet send these).\n contributor: ContributorSchema.optional(),\n anonymizationLevel: z.enum(['none', 'anonymized', 'full']).optional(),\n});\nexport type IngestEnvelope = z.infer<typeof IngestEnvelopeSchema>;\n\n/** Per-ingest outcome counts (the 200 response body). */\nexport interface IngestResult {\n org: string;\n /** Nodes persisted (created + merged). */\n accepted: number;\n /** Nodes that collapsed onto an existing logical node. */\n merged: number;\n /** Nodes dropped for anonymization violations (reject mode). */\n rejected: number;\n /** Edges persisted. */\n edges: number;\n /** Total anonymization violations detected across all nodes. */\n violations: number;\n}\n\nexport interface IngestOptions {\n /** `reject` (default) drops nodes with violations; `strip` scrubs and keeps them. */\n anonMode?: 'reject' | 'strip';\n /** Tenant used when the envelope omits `org`. */\n defaultOrg?: string;\n}\n\n/**\n * Ingest one validated envelope into the store. Returns the outcome counts.\n * The caller (HTTP handler) wraps this in try/catch; the store's per-node upsert is\n * itself transactional, so a single bad node never half-writes a row.\n */\nexport function ingestEnvelope(store: StoreBackend, envelope: IngestEnvelope, opts: IngestOptions = {}): IngestResult {\n const anonMode = opts.anonMode ?? 'reject';\n const org = envelope.org ?? opts.defaultOrg ?? 'local';\n const level: AnonymizationLevel = envelope.anonymizationLevel ?? 'anonymized';\n const at = new Date().toISOString();\n const contributor: Contributor = {\n machineId: envelope.contributor?.machineId ?? 'unknown',\n hostname: envelope.contributor?.hostname ?? 'unknown',\n user: envelope.contributor?.user ?? 'unknown',\n organization: org,\n at,\n confidence: envelope.contributor?.confidence ?? 0.5,\n };\n\n let accepted = 0;\n let merged = 0;\n let rejected = 0;\n let edges = 0;\n let violations = 0;\n /** Node ids that survived re-validation — an edge persists only if both endpoints did. */\n const acceptedNodeIds = new Set<string>();\n\n for (const item of envelope.items) {\n if (item.kind !== 'node') continue;\n const parsed = NodeSchema.safeParse(item.payload);\n if (!parsed.success) {\n rejected += 1;\n logWarn('ingest: dropped malformed node payload', { org, contentHash: item.contentHash });\n continue;\n }\n const node = parsed.data;\n const check = revalidateAnonymized(node, level, anonMode);\n if (check.violations.length > 0) {\n violations += check.violations.length;\n // The node id cannot be safely scrubbed — masking it to `***` would destroy the\n // merge identity (global_id derives from id). So an id-borne violation forces a\n // reject even in `strip` mode; strip only ever masks the safely-maskable leaves.\n const idViolation = check.violations.some((v) => v.path === 'id');\n if (anonMode === 'reject' || idViolation) {\n rejected += 1;\n logWarn('ingest: rejected node with un-anonymized fragments', {\n org, nodeId: node.id, action: 'reject',\n mode: anonMode, idViolation,\n kinds: check.violations.map((v) => `${v.path}:${v.kind}`),\n });\n continue;\n }\n logWarn('ingest: scrubbed un-anonymized fragments from node', {\n org, nodeId: node.id, action: 'strip',\n kinds: check.violations.map((v) => `${v.path}:${v.kind}`),\n });\n }\n const safe = check.node;\n const identity = computeIdentity(org, safe);\n const outcome = store.upsertNode(org, safe, identity, { ...contributor, confidence: safe.confidence });\n accepted += 1;\n if (outcome === 'merged') merged += 1;\n acceptedNodeIds.add(safe.id);\n }\n\n for (const item of envelope.items) {\n if (item.kind !== 'edge') continue;\n const parsed = EdgeSchema.safeParse(item.payload);\n if (!parsed.success) {\n logWarn('ingest: dropped malformed edge payload', { org, contentHash: item.contentHash });\n continue;\n }\n const edge = parsed.data;\n // Persist an edge only when both endpoints survived this envelope's node ingest.\n // An edge-only envelope (no nodes) trusts its endpoints exist from a prior ingest.\n if (acceptedNodeIds.size > 0 && (!acceptedNodeIds.has(edge.sourceId) || !acceptedNodeIds.has(edge.targetId))) {\n continue;\n }\n store.insertEdge(org, edge);\n edges += 1;\n }\n\n logInfo('ingest', { org, accepted, merged, rejected, edges, violations, level, anonMode });\n return { org, accepted, merged, rejected, edges, violations };\n}\n","/**\n * Global-identity merge core for the central collector (2.12) — pure, no I/O.\n *\n * The merge *keys* (`normalizeId`, `contentHash`, `keyMetaOf`, `globalId`) already\n * exist in `src/db.ts` from the 2.9 identity work; this module re-exports them so\n * the central collector has one import surface, and adds {@link computeIdentity} —\n * the small adapter that turns one incoming `DiscoveryNode` into the precomputed\n * `(globalId, contentHash)` pair the {@link StoreBackend} merge consumes.\n *\n * The merge *resolution* (primary by `(org, globalId)`, secondary by\n * `(org, contentHash)`, contributor union, max-confidence) lives in the store\n * (`CartographyDB.upsertCentralNode`) because it needs the existing row — keeping\n * the SQL next to the schema. This module is the deterministic key derivation that\n * both the client (push) and the server (ingest) must agree on.\n */\n\nimport { normalizeId, contentHash, keyMetaOf, globalId } from '../db.js';\nimport type { DiscoveryNode } from '../types.js';\nimport type { NodeIdentity } from '../store/backend.js';\n\nexport { normalizeId, contentHash, keyMetaOf, globalId };\n\n/**\n * Derive the precomputed merge identity for one incoming node under `org`:\n * - `globalId` = `{org}:{normalizeId(node.id)}` (primary key; the org-scope ensures\n * two organizations never collapse onto one logical node).\n * - `contentHash` = sha256 over `type + normalized name + sorted key-meta` (secondary\n * key; catches `id` drift between machines for the same logical resource).\n *\n * Pure and deterministic: the same node + org always yields the same identity, on\n * any machine. This is the contract the client (2.11 push) and the server (ingest)\n * share so a content hash computed on the client matches the one the server recomputes.\n */\nexport function computeIdentity(org: string, node: DiscoveryNode): NodeIdentity {\n return {\n globalId: globalId(org, node.id),\n contentHash: contentHash(node.type, node.name, keyMetaOf(node.metadata ?? {})),\n };\n}\n","/**\n * Server-side anonymization re-validation for the central collector (2.12).\n *\n * **Don't trust the client.** The client (2.10) is supposed to pseudonymize\n * identifying fragments before pushing at the `anonymized` sharing level, but the\n * collector independently re-checks every incoming payload and rejects or scrubs any\n * un-anonymized identifying fragment it finds. This is defense-in-depth: a buggy,\n * outdated, or malicious client cannot leak raw identifiers into the org-wide store.\n *\n * The walker mirrors `redactValue`/`pseudonymize` (it rewrites only leaf strings;\n * structure is invariant). What it flags at the `anonymized` level:\n * - **private-ip** — RFC-1918 / loopback IPv4 (`src/anonymize.ts:PRIVATE_IP` + 127/8).\n * - **absolute-path**— POSIX (`/home/alice/...`) or Windows (`C:\\Users\\alice\\...`) paths.\n * - **username** — the user segment of `/home/<u>`, `/Users/<u>`, `C:\\Users\\<u>`.\n * - **hostname** — multi-label FQDNs (`db-01.internal.acme.lan`), AND the known\n * 2.10 residual: **bare single-label internal hostnames** (e.g. `db-prod-01`) that\n * the client's multi-label-only HOSTNAME regex never tokenizes. A token already in\n * `anon:{kind}:{base32}` form is recognized as anonymized and never flagged.\n *\n * At the `none` / `full` levels nothing is claimed to be anonymized, so re-validation\n * is a no-op (returns no violations): the employee consented to share at that level.\n */\n\nimport { PRIVATE_IP } from '../anonymize.js';\nimport type { DiscoveryNode } from '../types.js';\n\n/** The anonymization level claimed by an ingest envelope (mirrors `SharingLevel`). */\nexport type AnonymizationLevel = 'none' | 'anonymized' | 'full';\n\n/** A detected un-anonymized identifying fragment, with its location for logging. */\nexport interface AnonViolation {\n /** JSON path to the offending leaf, e.g. `metadata.host`. */\n path: string;\n kind: 'hostname' | 'username' | 'absolute-path' | 'private-ip';\n}\n\n/** Loopback IPv4 (127.0.0.0/8) — identifying of a local machine; client never tokenizes it. */\nconst LOOPBACK_IP = /\\b127(?:\\.\\d{1,3}){3}\\b/g;\n\n/** Multi-label FQDN/domain (≥2 dot-separated labels) — the shape 2.10 tokenizes. */\nconst FQDN = /\\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\\.)+[a-z]{2,}\\b/gi;\n\n/** POSIX absolute path and the user segment of a home dir. */\nconst POSIX_PATH = /(?:^|(?<=\\s|=|:|\"|'|\\())(\\/[A-Za-z0-9._-]+(?:\\/[A-Za-z0-9._-]+)+)/g;\nconst WIN_PATH = /\\b[A-Za-z]:\\\\[A-Za-z0-9._\\\\-]+/g;\nconst HOME_USER = /(?:\\/home\\/|\\/Users\\/|[A-Za-z]:\\\\Users\\\\)([A-Za-z0-9._-]+)/g;\n\n/**\n * A bare single-label internal hostname — the known 2.10 residual. We only flag a\n * single label when it *looks* like an internal host: it contains a hyphen or a\n * digit run (e.g. `db-01`, `web2`, `prod-db`) so we do not false-positive ordinary\n * English words used as a `name`. An already-pseudonymized `anon:...` token has a\n * colon and is excluded by construction. Matched only when the whole string (after\n * trimming) is one such label — embedded prose is left alone to avoid over-scrubbing.\n */\nconst BARE_INTERNAL_HOST = /^[a-z0-9]+(?:-[a-z0-9]+)+$|^[a-z]+\\d+$|^\\d+[a-z]+$/i;\n\n/** A pseudonym token produced by 2.10 (`anon:host:abc…`) — already anonymized. */\nconst ANON_TOKEN = /^anon:(?:host|user|path|ip):[a-z2-7]+$/;\n\n/** Detect identifying fragments in a single leaf string at the `anonymized` level. */\nfunction violationsInString(s: string, path: string): AnonViolation[] {\n const out: AnonViolation[] = [];\n const trimmed = s.trim();\n if (trimmed === '' || ANON_TOKEN.test(trimmed)) return out;\n\n if (PRIVATE_IP.test(s) || LOOPBACK_IP.test(s)) out.push({ path, kind: 'private-ip' });\n PRIVATE_IP.lastIndex = 0; LOOPBACK_IP.lastIndex = 0;\n\n if (HOME_USER.test(s)) out.push({ path, kind: 'username' });\n HOME_USER.lastIndex = 0;\n\n if (WIN_PATH.test(s) || POSIX_PATH.test(s)) out.push({ path, kind: 'absolute-path' });\n WIN_PATH.lastIndex = 0; POSIX_PATH.lastIndex = 0;\n\n if (FQDN.test(s)) out.push({ path, kind: 'hostname' });\n FQDN.lastIndex = 0;\n\n // The residual: a bare single-label internal hostname not already caught above.\n if (out.length === 0 && BARE_INTERNAL_HOST.test(trimmed)) out.push({ path, kind: 'hostname' });\n\n return out;\n}\n\n/**\n * Recursively collect every anonymization violation in a value at the given level.\n * Pure. At `none`/`full` returns `[]` (no anonymization is claimed). Object keys are\n * schema, not data, so only values are inspected; `path` accumulates the location.\n */\nexport function findAnonViolations(value: unknown, level: AnonymizationLevel, path = ''): AnonViolation[] {\n if (level !== 'anonymized') return [];\n return collect(value, path);\n}\n\nfunction collect(value: unknown, path: string): AnonViolation[] {\n if (typeof value === 'string') return violationsInString(value, path || '(root)');\n if (Array.isArray(value)) return value.flatMap((v, i) => collect(v, `${path}[${i}]`));\n if (value && typeof value === 'object') {\n return Object.entries(value as Record<string, unknown>).flatMap(([k, v]) => collect(v, path ? `${path}.${k}` : k));\n }\n return [];\n}\n\n/** Mask every leaf string that contains a violation to `***` (structure-preserving). */\nfunction scrub(value: unknown, path: string): unknown {\n if (typeof value === 'string') return violationsInString(value, path || '(root)').length > 0 ? '***' : value;\n if (Array.isArray(value)) return value.map((v, i) => scrub(v, `${path}[${i}]`));\n if (value && typeof value === 'object') {\n const out: Record<string, unknown> = {};\n for (const [k, v] of Object.entries(value as Record<string, unknown>)) out[k] = scrub(v, path ? `${path}.${k}` : k);\n return out;\n }\n return value;\n}\n\n/**\n * Re-validate one node against its claimed anonymization level (2.12).\n *\n * - `mode: 'reject'` (default, strict) — returns the node unchanged plus the\n * violations; the caller drops a node with any violation and never persists it.\n * - `mode: 'strip'` (lenient) — returns a sanitized node (offending leaves masked to\n * `***`) plus the violations (for logging), so the topology shape survives while\n * the identifying fragments do not.\n *\n * Pure: no I/O, no logging (the caller logs). At `none`/`full` it is a pass-through.\n */\nexport function revalidateAnonymized(\n node: DiscoveryNode,\n level: AnonymizationLevel,\n mode: 'reject' | 'strip',\n): { node: DiscoveryNode; violations: AnonViolation[] } {\n const violations = [\n ...findAnonViolations(node.name, level, 'name'),\n ...findAnonViolations(node.id, level, 'id'),\n ...findAnonViolations(node.metadata ?? {}, level, 'metadata'),\n ...findAnonViolations(node.tags ?? [], level, 'tags'),\n ...findAnonViolations(node.domain ?? '', level, 'domain'),\n ...findAnonViolations(node.subDomain ?? '', level, 'subDomain'),\n ];\n if (violations.length === 0 || mode === 'reject') return { node, violations };\n // strip mode: mask the offending leaves while preserving structure.\n const scrubbed: DiscoveryNode = {\n ...node,\n name: scrub(node.name, 'name') as string,\n metadata: scrub(node.metadata ?? {}, 'metadata') as Record<string, unknown>,\n tags: (node.tags ?? []).map((t, i) => scrub(t, `tags[${i}]`) as string),\n ...(node.domain != null ? { domain: scrub(node.domain, 'domain') as string } : {}),\n ...(node.subDomain != null ? { subDomain: scrub(node.subDomain, 'subDomain') as string } : {}),\n };\n return { node: scrubbed, violations };\n}\n","/**\n * The central-collector ingest HTTP surface (2.12).\n *\n * {@link createIngestHandler} produces the request handler that the Streamable-HTTP\n * transport mounts at `POST /ingest` when server-mode is on. It is deliberately a\n * pure `(body) => { status, body }` function with no socket of its own, so it can be\n * unit-tested directly without binding a port (the transport owns auth, the\n * non-loopback host allowlist, and the body size cap — see `src/mcp/transports.ts`).\n *\n * Validation is fail-closed: a malformed envelope yields 400 (no writes); an internal\n * error yields 500; only a valid envelope runs `ingestEnvelope` and returns 200 with\n * the {@link IngestResult}. The bearer token is enforced by the transport before this\n * handler ever runs, so the handler never sees (and never logs) the token.\n */\n\nimport type { StoreBackend } from '../store/backend.js';\nimport { IngestEnvelopeSchema, ingestEnvelope } from './ingest.js';\nimport type { IngestResult, IngestOptions } from './ingest.js';\nimport { logWarn } from '../logger.js';\n\n/** A transport-agnostic HTTP-ish response: a status code and a JSON-serializable body. */\nexport interface IngestResponse {\n status: number;\n body: unknown;\n}\n\nexport type IngestHandler = (body: unknown) => IngestResponse;\n\n/**\n * Build the `/ingest` handler over a {@link StoreBackend}. The handler validates the\n * 2.11 push envelope, runs ingest (re-validating anonymization first), and maps the\n * outcome to an HTTP status:\n * - 400 — envelope failed `IngestEnvelopeSchema` (no writes).\n * - 500 — ingest threw (the store's per-node transaction rolls that node back).\n * - 200 — {@link IngestResult}.\n */\nexport function createIngestHandler(store: StoreBackend, opts: IngestOptions = {}): IngestHandler {\n return (body: unknown): IngestResponse => {\n const parsed = IngestEnvelopeSchema.safeParse(body);\n if (!parsed.success) {\n const issues = parsed.error.issues.map((i) => `${i.path.join('.') || '(root)'}: ${i.message}`);\n logWarn('ingest: rejected invalid envelope', { issues });\n return { status: 400, body: { error: 'invalid envelope', issues } };\n }\n try {\n const result: IngestResult = ingestEnvelope(store, parsed.data, opts);\n return { status: 200, body: result };\n } catch (err) {\n logWarn('ingest: failed', { error: err instanceof Error ? err.message : String(err) });\n return { status: 500, body: { error: 'ingest failed' } };\n }\n };\n}\n","/**\n * Shared entry logic for launching the Cartography MCP server, used by both the\n * dedicated `cartography-mcp` binary and the `mcp` CLI sub-command.\n *\n * Wires in semantic search (lazy, falls back to lexical) and deterministic local\n * discovery (no LLM required). All logging goes to stderr so stdout stays a clean\n * MCP protocol channel.\n */\n\nimport { CartographyDB, normalizeTenant } from '../db.js';\nimport { defaultConfig } from '../types.js';\nimport { createMcpServer } from './server.js';\nimport type { SearchFn } from './server.js';\nimport { runStdio, runHttp } from './transports.js';\nimport { createSemanticSearch } from '../semantic/search.js';\nimport { localDiscoveryFn } from '../discovery/local.js';\nimport { SqliteStoreBackend } from '../store/sqlite.js';\nimport { createIngestHandler } from '../central/server.js';\n\nexport interface StartMcpOptions {\n dbPath?: string;\n session?: string | 'latest';\n /** Tenant/organization whose topology to serve. Defaults to `'local'`. */\n tenant?: string;\n /** `http` runs Streamable HTTP; otherwise stdio (default). */\n transport?: 'stdio' | 'http';\n port?: number;\n host?: string;\n /** Trusted Host headers when binding a non-loopback host (DNS-rebinding allowlist). */\n allowedHosts?: string[];\n /** Bearer token required on HTTP requests. Mandatory for a non-loopback bind. */\n token?: string;\n /** Enable semantic (vector) search. Default true; degrades to lexical if unavailable. */\n semantic?: boolean;\n /** Opt-in scanner plugin package names to load for `run_discovery` (or `CARTOGRAPHY_PLUGINS`). */\n plugins?: string[];\n /**\n * Run as a central collector (2.12): expose the authenticated `POST /ingest` write\n * route and serve the org-wide `get_summary`. OFF by default — the collector is\n * self-hostable and strictly opt-in (no phone-home). Server-mode implies HTTP.\n */\n serverMode?: boolean;\n /** Anonymization re-validation mode for ingest: `reject` (default) or `strip`. */\n anonMode?: 'reject' | 'strip';\n /** Logger (stderr). */\n log?: (msg: string) => void;\n}\n\nexport interface ParsedMcpArgs extends StartMcpOptions {\n /** `--help`/`-h` was passed; the caller should print usage and exit 0. */\n help?: boolean;\n}\n\n/**\n * Parse the `cartography-mcp` argv into StartMcpOptions. Kept here (not in the\n * binary) so it can be unit-tested without triggering the binary's side effects.\n */\nexport function parseMcpArgs(argv: string[]): ParsedMcpArgs {\n const opts: ParsedMcpArgs = {};\n for (let i = 0; i < argv.length; i++) {\n const a = argv[i];\n if (a === '--http') opts.transport = 'http';\n else if (a === '--stdio') opts.transport = 'stdio';\n else if (a === '--no-semantic') opts.semantic = false;\n else if (a === '--port') opts.port = Number(argv[++i]);\n else if (a === '--host') opts.host = argv[++i];\n else if (a === '--allowed-hosts') opts.allowedHosts = (argv[++i] ?? '').split(',').map((h) => h.trim()).filter(Boolean);\n else if (a === '--token') opts.token = argv[++i];\n else if (a === '--db') opts.dbPath = argv[++i];\n else if (a === '--session') opts.session = argv[++i];\n else if (a === '--tenant' || a === '--org') opts.tenant = argv[++i];\n else if (a === '--plugins') opts.plugins = (argv[++i] ?? '').split(',').map((p) => p.trim()).filter(Boolean);\n else if (a === '--server-mode') opts.serverMode = true;\n else if (a === '--anon-mode') { const m = argv[++i]; if (m === 'reject' || m === 'strip') opts.anonMode = m; }\n else if (a === '--help' || a === '-h') opts.help = true;\n }\n return opts;\n}\n\nexport async function startMcp(opts: StartMcpOptions = {}): Promise<void> {\n const log = opts.log ?? ((m: string) => process.stderr.write(m + '\\n'));\n const db = new CartographyDB(opts.dbPath ?? defaultConfig().dbPath);\n\n let search: SearchFn | undefined;\n if (opts.semantic !== false) {\n search = await createSemanticSearch(db, undefined, { log });\n }\n const plugins =\n opts.plugins ??\n (process.env['CARTOGRAPHY_PLUGINS']\n ? process.env['CARTOGRAPHY_PLUGINS'].split(',').map((p) => p.trim()).filter(Boolean)\n : []);\n const discovery = localDiscoveryFn(undefined, plugins);\n\n const tenant = normalizeTenant(opts.tenant);\n\n // Central collector (2.12): server-mode exposes an authenticated /ingest write route\n // and serves the org-wide summary. OFF unless --server-mode; never enabled by env.\n // Server-mode implies HTTP (the ingest surface is networked).\n const serverMode = opts.serverMode === true;\n const org = serverMode ? tenant : undefined;\n const factory = () => createMcpServer({ db, session: opts.session ?? 'latest', tenant, search, discovery, ...(org !== undefined ? { org } : {}) });\n\n const transport = serverMode ? 'http' : opts.transport;\n\n if (transport === 'http') {\n const port = opts.port ?? 3737;\n const host = opts.host ?? '127.0.0.1';\n // CARTOGRAPHY_CENTRAL_TOKEN is accepted as an alias for the collector's bearer.\n const token = opts.token ?? process.env['CARTOGRAPHY_HTTP_TOKEN'] ?? process.env['CARTOGRAPHY_CENTRAL_TOKEN'];\n let onIngest: ((body: unknown) => { status: number; body: unknown }) | undefined;\n if (serverMode) {\n const store = new SqliteStoreBackend(db);\n const anonMode = opts.anonMode ?? 'reject';\n onIngest = createIngestHandler(store, { anonMode, defaultOrg: tenant });\n }\n await runHttp(factory, {\n port,\n host,\n ...(opts.allowedHosts ? { allowedHosts: opts.allowedHosts } : {}),\n ...(token ? { token } : {}),\n ...(onIngest ? { onIngest } : {}),\n });\n const modeNote = serverMode ? ` [central collector: POST /ingest enabled, anon-mode=${opts.anonMode ?? 'reject'}]` : '';\n log(`Cartography MCP server (Streamable HTTP) on http://${host}:${port}/mcp${token ? ' (auth: bearer token required)' : ''} (tenant: ${tenant})${modeNote}`);\n } else {\n log(`Cartography MCP server (stdio) ready (tenant: ${tenant})`);\n await runStdio(factory());\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,SAAS,SAAS;;;ACiBlB,IAAM,eAAyD;AAAA;AAAA,EAE7D,CAAC,GAAM,CAAI;AAAA,EAAG,CAAC,IAAM,EAAI;AAAA,EAAG,CAAC,IAAM,EAAI;AAAA,EACvC,CAAC,KAAM,GAAI;AAAA;AAAA,EACX,CAAC,KAAM,GAAI;AAAA;AAAA,EACX,CAAC,KAAQ,GAAM;AAAA;AAAA,EACf,CAAC,MAAQ,IAAM;AAAA;AAAA,EACf,CAAC,MAAQ,IAAM;AAAA;AAAA,EACf,CAAC,MAAQ,IAAM;AAAA;AAAA,EACf,CAAC,MAAQ,IAAM;AAAA;AAAA,EACf,CAAC,MAAQ,IAAM;AAAA;AAAA,EACf,CAAC,OAAQ,KAAM;AAAA;AACjB;AAEA,IAAM,QAAQ,oBAAI,IAAY;AAC9B,WAAW,CAAC,OAAO,GAAG,KAAK,cAAc;AACvC,WAAS,KAAK,OAAO,MAAM,KAAK,KAAM,OAAM,IAAI,EAAE;AACpD;AAGO,SAAS,kBAAkB,MAAsB;AACtD,MAAI,CAAC,KAAM,QAAO;AAClB,MAAI,MAAM;AACV,aAAW,MAAM,KAAK,UAAU,KAAK,GAAG;AACtC,QAAI,CAAC,MAAM,IAAI,GAAG,YAAY,CAAC,CAAW,EAAG,QAAO;AAAA,EACtD;AACA,SAAO;AACT;AAGO,SAAS,cAAc,OAAyB;AACrD,MAAI,OAAO,UAAU,SAAU,QAAO,kBAAkB,KAAK;AAC7D,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,aAAa;AACxD,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,MAA+B,CAAC;AACtC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAgC,EAAG,KAAI,CAAC,IAAI,cAAc,CAAC;AAC/F,WAAO;AAAA,EACT;AACA,SAAO;AACT;;;ACrCO,SAAS,SAAsB,KAA4B;AAChE,QAAM,IAAI,IAAI,KAAK;AACnB,MAAI,CAAC,KAAK,EAAE,WAAW,GAAG,EAAG,QAAO;AACpC,MAAI;AACF,WAAO,KAAK,MAAM,CAAC;AAAA,EACrB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAeA,IAAM,iBAA8C;AAAA,EAClD,WAAW;AAAA,EACX,QAAQ;AAAA,EACR,SAAS;AAAA,EACT,SAAS;AAAA,EACT,cAAc;AAAA,EACd,kBAAkB;AACpB;AAQO,SAAS,cAAc,MAA0C;AACtE,QAAM,MAAsB,EAAE,MAAM,GAAG;AACvC,QAAM,OAAiB,CAAC;AACxB,aAAW,QAAQ,QAAQ,IAAI,MAAM,QAAQ,EAAE,OAAO,OAAO,GAAG;AAC9D,UAAM,KAAK,IAAI,QAAQ,GAAG;AAC1B,QAAI,MAAM,GAAG;AACX,WAAK,KAAK,GAAG;AACb;AAAA,IACF;AACA,UAAM,MAAM,IAAI,MAAM,GAAG,EAAE;AAC3B,UAAM,QAAQ,IAAI,MAAM,KAAK,CAAC;AAC9B,UAAM,OAAO,eAAe,GAAG;AAC/B,QAAI,CAAC,MAAM;AACT,WAAK,KAAK,GAAG;AACb;AAAA,IACF;AACA,sBAAkB,MAAM,KAAK;AAC7B,QAAI,QAAQ,iBAAkB,KAAI,gBAAgB;AAAA,aACzC,QAAQ,YAAa,KAAI,YAAY;AAAA,aACrC,QAAQ,SAAU,KAAI,SAAS;AAAA,aAC/B,QAAQ,UAAW,KAAI,UAAU;AAAA,aACjC,QAAQ,UAAW,KAAI,UAAU;AAAA,aACjC,QAAQ,eAAgB,KAAI,eAAe;AAAA,EACtD;AACA,MAAI,OAAO,KAAK,KAAK,GAAG;AACxB,SAAO;AACT;AAGO,SAAS,YAAY,UAA2C;AACrE,SAAO,SAAS,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC;AAAA,EAAS,CAAC,EAAE,EAAE,KAAK,MAAM;AACnE;;;AClCO,IAAM,kBAA2B;AAAA,EACtC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,KAAK;AAAA,EACvB,QAAQ,CAAC,QAAQ,SAAS,IAAI,iBAAiB,eAAe,KAAK,CAAC;AAAA,EACpE,MAAM,KAAK,KAAuC;AAChD,UAAM,EAAE,QAAQ,QAAQ,IAAI,cAAc,IAAI,IAAI;AAClD,UAAM,MAAyB,SAAS,EAAE,GAAG,QAAQ,KAAK,oBAAoB,OAAO,IAAI,QAAQ;AACjG,UAAM,KAAK,UAAU,cAAc,OAAO,KAAK;AAC/C,UAAM,OAAO,iBAAiB,CAAC,MAAM,IAAI,IAAI,GAAG,EAAE,SAAS,KAAQ,IAAI,CAAC,GAAG,EAAE,WAAW,EAAE,CAAC;AAE3F,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAkC,CAAC;AAEzC,WAAO,KAAK,CAAC,YAAY,KAAK,8BAA8B,EAAE,gBAAgB,CAAC,CAAC;AAEhF,UAAM,SAAS,KAAK,6BAA6B,EAAE,gBAAgB;AACnE,WAAO,KAAK,CAAC,OAAO,MAAM,CAAC;AAC3B,UAAM,MAAM,SAAoB,MAAM;AACtC,eAAW,KAAK,KAAK,gBAAgB,CAAC,GAAG;AACvC,iBAAW,KAAK,EAAE,aAAa,CAAC,GAAG;AACjC,cAAM,KAAK,OAAO,EAAE,cAAc,EAAE;AACpC,YAAI,CAAC,GAAI;AACT,cAAM,KAAK;AAAA,UACT,IAAI,YAAY,EAAE;AAAA,UAClB,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,OAAO,KAAK;AAAA,UAC5B,UAAU,YAAY,EAAE,cAAc,EAAE,cAAc,OAAO,EAAE,OAAO,MAAM,WAAW,EAAE,iBAAiB,CAAC;AAAA,QAC7G,CAAC;AAAA,MACH;AAAA,IACF;AAEA,UAAM,SAAS,KAAK,gCAAgC,EAAE,gBAAgB;AACtE,WAAO,KAAK,CAAC,OAAO,MAAM,CAAC;AAC3B,UAAM,MAAM,SAAoB,MAAM;AACtC,eAAW,MAAM,KAAK,eAAe,CAAC,GAAG;AACvC,YAAM,KAAK,OAAO,GAAG,wBAAwB,EAAE;AAC/C,UAAI,CAAC,GAAI;AACT,YAAM,KAAK;AAAA,QACT,IAAI,uBAAuB,EAAE;AAAA,QAC7B,MAAM;AAAA,QACN,MAAM;AAAA,QACN,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,KAAK;AAAA,QAC5B,UAAU,YAAY,EAAE,QAAQ,GAAG,QAAQ,QAAQ,GAAG,kBAAkB,UAAU,GAAG,UAAU,SAAS,MAAM,GAAG,UAAU,KAAK,CAAC;AAAA,MACnI,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,KAAK,0CAA0C,EAAE,gBAAgB;AAClF,WAAO,KAAK,CAAC,eAAe,QAAQ,CAAC;AACrC,UAAM,QAAQ,SAAsB,QAAQ;AAC5C,eAAW,KAAK,OAAO,iBAAiB,CAAC,GAAG;AAC1C,YAAM,KAAK,OAAO,EAAE,kBAAkB,EAAE;AACxC,UAAI,CAAC,GAAI;AACT,YAAM,KAAK;AAAA,QACT,IAAI,oBAAoB,EAAE;AAAA,QAC1B,MAAM;AAAA,QACN,MAAM;AAAA,QACN,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,aAAa;AAAA,QACpC,UAAU,YAAY,EAAE,QAAQ,EAAE,QAAQ,QAAQ,EAAE,mBAAmB,CAAC;AAAA,MAC1E,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,wBAAwB,EAAE,gBAAgB;AAC9D,WAAO,KAAK,CAAC,OAAO,MAAM,CAAC;AAC3B,UAAM,MAAM,SAAoB,MAAM;AACtC,eAAW,QAAQ,KAAK,YAAY,CAAC,GAAG;AACtC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,mBAAmB,IAAI;AAAA,QAC3B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,OAAO,YAAY;AAAA,QAC1C,UAAU,EAAE,UAAU,MAAM;AAAA,MAC9B,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,oCAAoC,EAAE,gBAAgB;AAC1E,WAAO,KAAK,CAAC,UAAU,MAAM,CAAC;AAC9B,UAAM,MAAM,SAAoB,MAAM;AACtC,eAAW,MAAM,KAAK,iBAAiB,CAAC,GAAG;AACzC,YAAM,MAAM,OAAO,GAAG,WAAW,EAAE;AACnC,UAAI,CAAC,IAAK;AACV,YAAM,KAAK;AAAA,QACT,IAAI,mBAAmB,GAAG;AAAA,QAC1B,MAAM;AAAA,QACN,MAAM,GAAG,oBAAoB;AAAA,QAC7B,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,KAAK;AAAA,QAC5B,UAAU,YAAY,EAAE,SAAS,KAAK,MAAM,GAAG,MAAM,OAAO,GAAG,OAAO,KAAK,CAAC;AAAA,MAC9E,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,YAAY,MAAM,EAAE;AAAA,EACrD;AACF;;;AClHA,SAAS,YAAY,OAA+C;AAClE,MAAI,CAAC,MAAO,QAAO;AACnB,QAAM,QAAQ,MAAM,MAAM,GAAG;AAC7B,SAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AACpC;AAEO,IAAM,kBAA2B;AAAA,EACtC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,QAAQ;AAAA,EAC1B,QAAQ,CAAC,QAAQ,SAAS,IAAI,iBAAiB,eAAe,QAAQ,CAAC;AAAA,EACvE,MAAM,KAAK,KAAuC;AAChD,UAAM,EAAE,QAAQ,IAAI,cAAc,IAAI,IAAI;AAC1C,UAAM,KAAK,UAAU,cAAc,OAAO,KAAK;AAC/C,UAAM,OAAO,iBAAiB,CAAC,MAAM,IAAI,IAAI,GAAG,EAAE,SAAS,IAAO,CAAC,GAAG,EAAE,WAAW,EAAE,CAAC;AAEtF,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAkC,CAAC;AAEzC,WAAO,KAAK,CAAC,YAAY,KAAK,0CAA0C,CAAC,CAAC;AAE1E,UAAM,aAAa,KAAK,gCAAgC,EAAE,gBAAgB;AAC1E,WAAO,KAAK,CAAC,qBAAqB,UAAU,CAAC;AAC7C,eAAW,KAAK,SAA4B,UAAU,KAAK,CAAC,GAAG;AAC7D,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,YAAY,IAAI;AAAA,QACpB,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,SAAS;AAAA,QAChC,UAAU,EAAE,aAAa,YAAY,EAAE,WAAW,GAAG,QAAQ,EAAE,QAAQ,MAAM,YAAY,EAAE,IAAI,EAAE;AAAA,MACnG,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,4BAA4B,EAAE,gBAAgB;AAClE,WAAO,KAAK,CAAC,iBAAiB,MAAM,CAAC;AACrC,eAAW,KAAK,SAAwB,MAAM,KAAK,CAAC,GAAG;AACrD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,2BAA2B,IAAI;AAAA,QACnC,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,UAAU;AAAA,QACjC,UAAU,EAAE,QAAQ,EAAE,iBAAiB,OAAO,EAAE,OAAO,QAAQ,EAAE,OAAO;AAAA,MAC1E,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,iCAAiC,EAAE,gBAAgB;AACvE,WAAO,KAAK,CAAC,gBAAgB,MAAM,CAAC;AACpC,eAAW,KAAK,SAAuB,MAAM,KAAK,CAAC,GAAG;AACpD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,mBAAmB,IAAI;AAAA,QAC3B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,OAAO,YAAY;AAAA,QAC1C,UAAU,EAAE,QAAQ,EAAE,QAAQ,UAAU,EAAE,SAAS;AAAA,MACrD,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,KAAK,0CAA0C,EAAE,gBAAgB;AAClF,WAAO,KAAK,CAAC,SAAS,QAAQ,CAAC;AAC/B,eAAW,KAAK,SAA0B,QAAQ,KAAK,CAAC,GAAG;AACzD,YAAM,OAAO,YAAY,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC7C,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,oBAAoB,IAAI;AAAA,QAC5B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,aAAa;AAAA,QACpC,UAAU,EAAE,MAAM,EAAE,MAAM,OAAO,EAAE,MAAM;AAAA,MAC3C,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,8CAA8C,EAAE,gBAAgB;AACpF,WAAO,KAAK,CAAC,aAAa,MAAM,CAAC;AACjC,eAAW,OAAO,SAAuB,MAAM,KAAK,CAAC,GAAG;AACtD,YAAM,OAAO,OAAO,IAAI,UAAU,QAAQ,EAAE;AAC5C,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,uBAAuB,IAAI;AAAA,QAC/B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,UAAU;AAAA,QACjC,UAAU,YAAY,EAAE,KAAK,IAAI,QAAQ,IAAI,CAAC;AAAA,MAChD,CAAC;AAAA,IACH;AAEA,UAAM,YAAY,KAAK,4BAA4B,EAAE,gBAAgB;AACrE,WAAO,KAAK,CAAC,UAAU,SAAS,CAAC;AACjC,eAAW,KAAK,SAAwB,SAAS,KAAK,CAAC,GAAG;AACxD,YAAM,OAAO,YAAY,OAAO,EAAE,QAAQ,EAAE,CAAC;AAC7C,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,aAAa,IAAI;AAAA,QACrB,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO,QAAQ;AAAA,QAC/B,UAAU,EAAE,UAAU,EAAE,KAAK;AAAA,MAC/B,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,YAAY,MAAM,EAAE;AAAA,EACrD;AACF;;;ACvHO,IAAM,oBAA6B;AAAA,EACxC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,IAAI;AAAA,EACtB,QAAQ,CAAC,QAAQ,SAAS,IAAI,iBAAiB,eAAe,IAAI,CAAC;AAAA,EACnE,MAAM,KAAK,KAAuC;AAChD,UAAM,EAAE,cAAc,cAAc,IAAI,cAAc,IAAI,IAAI;AAC9D,UAAM,KAAK,eAAe,mBAAmB,YAAY,KAAK;AAC9D,UAAM,KAAK,gBAAgB,qBAAqB,aAAa,KAAK;AAClE,UAAM,QAAQ,GAAG,EAAE,GAAG,EAAE;AACxB,UAAM,OAAO,iBAAiB,CAAC,MAAM,IAAI,IAAI,GAAG,EAAE,SAAS,IAAO,CAAC,GAAG,EAAE,WAAW,EAAE,CAAC;AAEtF,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAkC,CAAC;AAEzC,WAAO,KAAK,CAAC,YAAY,KAAK,gCAAgC,EAAE,EAAE,CAAC,CAAC;AAEpE,UAAM,QAAQ,KAAK,aAAa,KAAK,gBAAgB;AACrD,WAAO,KAAK,CAAC,OAAO,KAAK,CAAC;AAC1B,eAAW,MAAM,SAAiB,KAAK,KAAK,CAAC,GAAG;AAC9C,YAAM,OAAO,OAAO,GAAG,QAAQ,EAAE;AACjC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,cAAc,IAAI;AAAA,QACtB,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,IAAI;AAAA,QAC7B,UAAU,EAAE,QAAQ,GAAG,iBAAiB,QAAQ,UAAU,GAAG,UAAU,YAAY,GAAG,WAAW;AAAA,MACnG,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,cAAc,KAAK,gBAAgB;AACvD,WAAO,KAAK,CAAC,OAAO,MAAM,CAAC;AAC3B,eAAW,OAAO,SAAkB,MAAM,KAAK,CAAC,GAAG;AACjD,YAAM,OAAO,OAAO,IAAI,QAAQ,EAAE;AAClC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,mBAAmB,IAAI;AAAA,QAC3B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,OAAO,YAAY;AAAA,QAC5C,UAAU,EAAE,UAAU,IAAI,UAAU,SAAS,IAAI,mBAAmB,OAAO,IAAI,kBAAkB;AAAA,MACnG,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,qBAAqB,KAAK,gBAAgB;AAC9D,WAAO,KAAK,CAAC,eAAe,MAAM,CAAC;AACnC,eAAW,KAAK,SAAwB,MAAM,KAAK,CAAC,GAAG;AACrD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,6BAA6B,IAAI;AAAA,QACrC,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,KAAK;AAAA,QAC9B,UAAU,EAAE,QAAQ,aAAa,UAAU,EAAE,UAAU,SAAS,EAAE,QAAQ;AAAA,MAC5E,CAAC;AAAA,IACH;AAEA,UAAM,QAAQ,KAAK,0BAA0B,KAAK,gBAAgB;AAClE,WAAO,KAAK,CAAC,YAAY,KAAK,CAAC;AAC/B,eAAW,KAAK,SAAuB,KAAK,KAAK,CAAC,GAAG;AACnD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,kCAAkC,IAAI;AAAA,QAC1C,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,UAAU;AAAA,QACnC,UAAU,EAAE,QAAQ,cAAc,UAAU,EAAE,UAAU,SAAS,EAAE,QAAQ;AAAA,MAC7E,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,KAAK,gBAAgB,KAAK,gBAAgB;AAC3D,WAAO,KAAK,CAAC,SAAS,QAAQ,CAAC;AAC/B,eAAW,KAAK,SAAoB,QAAQ,KAAK,CAAC,GAAG;AACnD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,sBAAsB,IAAI;AAAA,QAC9B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,OAAO;AAAA,QAChC,UAAU,EAAE,UAAU,EAAE,UAAU,OAAO,EAAE,kBAAkB;AAAA,MAC/D,CAAC;AAAA,IACH;AAEA,UAAM,SAAS,KAAK,iBAAiB,KAAK,gBAAgB;AAC1D,WAAO,KAAK,CAAC,WAAW,MAAM,CAAC;AAC/B,eAAW,KAAK,SAAqB,MAAM,KAAK,CAAC,GAAG;AAClD,YAAM,OAAO,OAAO,EAAE,QAAQ,EAAE;AAChC,UAAI,CAAC,KAAM;AACX,YAAM,KAAK;AAAA,QACT,IAAI,qBAAqB,IAAI;AAAA,QAC7B,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,SAAS,QAAQ;AAAA,QACjC,UAAU,YAAY,EAAE,UAAU,EAAE,iBAAiB,OAAO,EAAE,MAAM,CAAC;AAAA,MACvE,CAAC;AAAA,IACH;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,YAAY,MAAM,EAAE;AAAA,EACrD;AACF;;;ACnJA,IAAM,WAAW;AAiBjB,SAAS,gBAAgB,UAAkC,QAAyC;AAClG,QAAM,OAAO,OAAO,KAAK,QAAQ;AACjC,MAAI,KAAK,WAAW,EAAG,QAAO;AAC9B,SAAO,KAAK,MAAM,CAAC,MAAM,OAAO,CAAC,MAAM,SAAS,CAAC,CAAC;AACpD;AAEO,IAAM,aAAsB;AAAA,EACjC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,SAAS;AAAA,EAC3B,QAAQ,CAAC,QAAQ,SAAS,IAAI,iBAAiB,eAAe,SAAS,CAAC;AAAA,EACxE,MAAM,KAAK,KAAuC;AAChD,UAAM,EAAE,UAAU,IAAI,cAAc,IAAI,IAAI;AAC5C,UAAM,SAAS,YAAY,MAAM,SAAS,KAAK;AAC/C,UAAM,OAAO,iBAAiB,CAAC,MAAM,IAAI,IAAI,GAAG,EAAE,SAAS,KAAO,CAAC,GAAG,EAAE,WAAW,EAAE,CAAC;AAEtF,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAkC,CAAC;AACzC,UAAM,UAAU,oBAAI,IAAY;AAChC,UAAM,MAAM,CAAC,MAA2B;AACtC,UAAI,QAAQ,IAAI,EAAE,EAAE,EAAG;AACvB,cAAQ,IAAI,EAAE,EAAE;AAChB,YAAM,KAAK,CAAC;AAAA,IACd;AAEA,UAAM,aAAa,KAAK,gCAAgC,EAAE,KAAK;AAC/D,WAAO,KAAK,CAAC,WAAW,UAAU,CAAC;AAEnC,UAAM,UAAU,WAAW,WAAW,GAAG,IAAI,KAAK;AAClD,UAAM,cAAc,WAAW;AAC/B,UAAM,YAAY,eAAe,WAAW;AAC5C,QAAI;AAAA,MACF,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,MAAM;AAAA,MACN,eAAe;AAAA,MACf,YAAY;AAAA,MACZ,MAAM,CAAC,cAAc,SAAS;AAAA,MAC9B,UAAU,EAAE,SAAS,YAAY;AAAA,IACnC,CAAC;AAED,UAAM,WAAW,KAAK,2BAA2B;AACjD,WAAO,KAAK,CAAC,SAAS,QAAQ,CAAC;AAC/B,eAAW,QAAQ,SAAmB,QAAQ,GAAG,SAAS,CAAC,GAAG;AAC5D,YAAM,OAAO,OAAO,KAAK,UAAU,QAAQ,EAAE;AAC7C,UAAI,CAAC,KAAM;AACX,YAAM,KAAK,YAAY,IAAI;AAC3B,UAAI;AAAA,QACF;AAAA,QACA,MAAM;AAAA,QACN;AAAA,QACA,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,cAAc,MAAM;AAAA,QAC3B,UAAU,EAAE,SAAS,YAAY;AAAA,MACnC,CAAC;AACD,YAAM,KAAK,EAAE,UAAU,WAAW,UAAU,IAAI,cAAc,YAAY,UAAU,qBAAqB,YAAY,IAAI,CAAC;AAAA,IAC5H;AAEA,UAAM,SAAS,KAAK,wBAAwB,MAAM,UAAU;AAC5D,WAAO,KAAK,CAAC,YAAY,MAAM,CAAC;AAChC,UAAM,WAAW,SAAgC,MAAM,GAAG,SAAS,CAAC;AACpE,eAAW,OAAO,UAAU;AAC1B,YAAM,OAAO,OAAO,IAAI,UAAU,QAAQ,EAAE;AAC5C,YAAM,KAAK,OAAO,IAAI,UAAU,aAAa,SAAS;AACtD,UAAI,CAAC,KAAM;AACX,UAAI;AAAA,QACF,IAAI,mBAAmB,EAAE,IAAI,IAAI;AAAA,QACjC,MAAM;AAAA,QACN,MAAM,GAAG,EAAE,IAAI,IAAI;AAAA,QACnB,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,cAAc,SAAS;AAAA,QAC9B,UAAU,EAAE,WAAW,IAAI,MAAM,IAAI,MAAM,MAAM,WAAW,IAAI,MAAM,UAAU;AAAA,MAClF,CAAC;AAAA,IACH;AAEA,UAAM,UAAU,KAAK,oBAAoB,MAAM,gDAAgD;AAC/F,WAAO,KAAK,CAAC,gBAAgB,OAAO,CAAC;AACrC,UAAM,UAAU,SAA4B,OAAO,GAAG,SAAS,CAAC;AAChE,UAAM,OAAO,QAAQ,MAAM,GAAG,QAAQ;AACtC,QAAI,QAAQ,SAAS,UAAU;AAC7B,aAAO,KAAK,CAAC,iBAAiB,GAAG,QAAQ,MAAM,8BAA8B,QAAQ,aAAa,CAAC;AAAA,IACrG;AACA,eAAW,OAAO,MAAM;AACtB,YAAM,OAAO,OAAO,IAAI,UAAU,QAAQ,EAAE;AAC5C,YAAM,KAAK,OAAO,IAAI,UAAU,aAAa,SAAS;AACtD,UAAI,CAAC,KAAM;AACX,YAAM,QAAQ,OAAO,EAAE,IAAI,IAAI;AAC/B,UAAI;AAAA,QACF,IAAI;AAAA,QACJ,MAAM;AAAA,QACN,MAAM,GAAG,EAAE,IAAI,IAAI;AAAA,QACnB,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,cAAc,KAAK;AAAA,QAC1B,UAAU,EAAE,WAAW,IAAI,MAAM,IAAI,MAAM,SAAS;AAAA,MACtD,CAAC;AACD,YAAM,KAAK,EAAE,UAAU,WAAW,UAAU,OAAO,cAAc,YAAY,UAAU,oBAAoB,YAAY,IAAI,CAAC;AAG5H,YAAM,SAAS,IAAI,UAAU,UAAU,CAAC;AACxC,iBAAW,OAAO,UAAU;AAC1B,cAAM,QAAQ,OAAO,IAAI,UAAU,aAAa,SAAS;AACzD,YAAI,UAAU,GAAI;AAClB,cAAM,WAAW,IAAI,MAAM;AAC3B,YAAI,CAAC,YAAY,CAAC,gBAAgB,UAAU,MAAM,EAAG;AACrD,cAAM,QAAQ,mBAAmB,KAAK,IAAI,OAAO,IAAI,UAAU,QAAQ,EAAE,CAAC;AAC1E,cAAM,KAAK,EAAE,UAAU,OAAO,UAAU,OAAO,cAAc,eAAe,UAAU,wBAAwB,YAAY,KAAK,CAAC;AAAA,MAClI;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,YAAY,MAAM,EAAE;AAAA,EACrD;AACF;;;AClIA,SAAS,SAAS,MAAsB;AACtC,QAAM,QAAQ,KAAK,MAAM,OAAO;AAChC,SAAO,MAAM,MAAM,SAAS,CAAC,KAAK;AACpC;AAEO,IAAM,mBAA4B;AAAA,EACvC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,QAAQ,SAAS,WAAW,aAAa,WAAW,iBAAiB,QAAQ,QAAQ,QAAQ,OAAO,eAAe,iBAAiB,iBAAiB,cAAc;AAAA,EACrL,QAAQ,CAAC,QAAQ;AACf,UAAM,SAAS,IAAI,iBAAiB;AACpC,WAAO,CAAC,QAAQ,SAAS,WAAW,WAAW,EAAE,KAAK,CAAC,MAAM,QAAQ,OAAO,CAAC,CAAC,CAAC;AAAA,EACjF;AAAA,EACA,MAAM,KAAK,KAAuC;AAChD,UAAM,SAAS,IAAI,iBAAiB;AACpC,UAAMA,OAAM,CAAC,KAAa,SAAgC,IAAI,IAAI,KAAK,EAAE,SAAS,MAAM,WAAW,IAAO,CAAC;AAC3G,UAAM,OAAO,cAAc,IAAI,IAAI,EAAE,KAAK,MAAM,KAAK,EAAE,SAAS,MAAM;AAEtE,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAkC,CAAC;AACzC,UAAM,OAAO,oBAAI,IAAY;AAC7B,UAAM,MAAM,CAAC,MAA2B;AACtC,UAAI,KAAK,IAAI,EAAE,EAAE,EAAG;AACpB,WAAK,IAAI,EAAE,EAAE;AACb,YAAM,KAAK,CAAC;AAAA,IACd;AAGA,QAAI,OAAO,MAAM,GAAG;AAClB,YAAM,MAAM,SACRA,KAAI,WAAW,IACfA,KAAI,gGAAkG;AAC1G,aAAO,KAAK,CAAC,sBAAsB,OAAO,qCAAqC,CAAC;AAChF,UAAI,KAAK;AACP,cAAM,YAAY,IAAI,MAAM,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACrE,YAAI;AAAA,UACF,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,YAAY;AAAA,UAC5B,UAAU,YAAY,EAAE,QAAQ,cAAc,MAAM,aAAa,UAAU,CAAC;AAAA,QAC9E,CAAC;AAAA,MACH;AACA,UAAI,CAAC,QAAQ;AACX,cAAM,WAAWA,KAAI,2BAA2B;AAChD,YAAI,SAAU,QAAO,KAAK,CAAC,qBAAqB,QAAQ,CAAC;AAAA,MAC3D;AAAA,IACF;AAGA,QAAI,OAAO,OAAO,GAAG;AACnB,YAAM,MAAM,SACRA,KAAI,gDAAgD,IACpDA,KAAI,4DAA4D;AACpE,aAAO,KAAK,CAAC,mBAAmB,OAAO,sCAAsC,CAAC;AAC9E,UAAI,KAAK;AACP,cAAM,YAAY,IAAI,MAAM,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,CAAC,MAAM,KAAK,MAAM,UAAU;AAC1F,YAAI;AAAA,UACF,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,OAAO;AAAA,UACvB,UAAU,YAAY,EAAE,QAAQ,SAAS,MAAM,aAAa,UAAU,CAAC;AAAA,QACzE,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,OAAO,SAAS,GAAG;AACrB,YAAM,WAAW;AACjB,YAAM,MAAM,SACRA,KAAI,2BAA2B,QAAQ,GAAG,IAC1CA,KAAI,2BAA2B,QAAQ,eAAe;AAC1D,aAAO,KAAK,CAAC,qBAAqB,OAAO,yBAAyB,CAAC;AACnE,UAAI,KAAK;AACP,YAAI;AAAA,UACF,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,SAAS;AAAA,UACzB,UAAU,EAAE,QAAQ,WAAW,MAAM,YAAY;AAAA,QACnD,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,OAAO,WAAW,GAAG;AACvB,YAAM,MAAM,SACRA,KAAI,uBAAuB,IAC3BA,KAAI,6CAA6C;AACrD,aAAO,KAAK,CAAC,cAAc,OAAO,2BAA2B,CAAC;AAC9D,UAAI,KAAK;AACP,YAAI;AAAA,UACF,IAAI;AAAA,UACJ,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,OAAO;AAAA,UACvB,UAAU,EAAE,QAAQ,SAAS,MAAM,YAAY;AAAA,QACjD,CAAC;AAAA,MACH;AAAA,IACF;AAGA,UAAM,UAAU,WAAW;AAC3B,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,MAAM,UAAU,SAAS,CAAC,YAAY,aAAa,MAAM,GAAG,GAAG,EAAE;AACvE,aAAO,KAAK,CAAC,oBAAoB,OAAO,cAAc,CAAC;AACvD,iBAAW,QAAQ,IAAI,MAAM,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,GAAG;AACvE,cAAM,OAAO,SAAS,IAAI;AAC1B,YAAI;AAAA,UACF,IAAI,mBAAmB,IAAI;AAAA,UAC3B,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,QAAQ;AAAA,UACxB,UAAU,YAAY,EAAE,KAAK,CAAC;AAAA,QAChC,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI,QAAQ;AACV,aAAO,KAAK,CAAC,eAAe,sBAAsB,KAAK,8BAA8B,CAAC;AAAA,IACxF;AAGA,QAAI,MAAM;AACR,YAAM,UAAU,SACZA;AAAA,QACE,wBAAwB,IAAI;AAAA,MAG9B,IACAA,KAAI,SAAS,IAAI,2JAA2J,EAAE,SAAS,IAAO,CAAC;AACnM,aAAO,KAAK,CAAC,oBAAoB,WAAW,cAAc,CAAC;AAC3D,iBAAW,QAAQ,QAAQ,MAAM,IAAI,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,GAAG;AAC3E,cAAM,OAAO,SAAS,IAAI;AAC1B,YAAI;AAAA,UACF,IAAI,mBAAmB,IAAI;AAAA,UAC3B,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY;AAAA,UACZ,MAAM,CAAC,SAAS,UAAU,MAAM;AAAA,UAChC,UAAU,YAAY,EAAE,KAAK,CAAC;AAAA,QAChC,CAAC;AAAA,MACH;AACA,YAAM,YAAY,SACdA;AAAA,QACE,wBAAwB,IAAI;AAAA,QAE5B,EAAE,SAAS,KAAO;AAAA,MACpB,IACAA,KAAI,SAAS,IAAI,kKAAkK,EAAE,SAAS,KAAO,CAAC;AAC1M,aAAO,KAAK,CAAC,mBAAmB,aAAa,cAAc,CAAC;AAAA,IAC9D;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,YAAY,MAAM,EAAE;AAAA,EACrD;AACF;;;APrKO,SAAS,iBACd,OACA,OAA0E,CAAC,GAC3E;AACA,QAAM,YAAY,KAAK,aAAa;AACpC,MAAI,sBAAsB;AAC1B,MAAI,UAAU;AAEd,SAAO,CAAC,QAAwB;AAC9B,QAAI,SAAS;AACX,eAAS,8BAA8B,GAAG,MAAM,mBAAmB,wBAAwB;AAC3F,aAAO;AAAA,IACT;AACA,UAAM,SAAS,MAAM,KAAK,EAAE,SAAS,KAAK,WAAW,KAAQ,KAAK,KAAK,IAAI,CAAC;AAC5E,QAAI,CAAC,QAAQ;AACX;AACA,UAAI,uBAAuB,WAAW;AACpC,kBAAU;AACV,iBAAS,iCAAiC,SAAS,6BAA6B,GAAG,GAAG;AAAA,MACxF;AACA,aAAO;AAAA,IACT;AACA,0BAAsB;AACtB,WAAO;AAAA,EACT;AACF;AAcO,SAAS,UAAU,KAAa,KAAqB;AAC1D,QAAM,QAAQ,kBAAkB,GAAG;AACnC,MAAI,MAAM,UAAU,IAAK,QAAO;AAChC,SAAO,MAAM,MAAM,GAAG,GAAG,IACvB;AAAA;AAAA,4BAA4B,MAAM,SAAS,GAAG;AAClD;AAEO,SAAS,eAAe,QAAwB;AACrD,QAAM,MAAM,OAAO,KAAK;AACxB,MAAI,CAAC,IAAK,QAAO;AACjB,MAAI;AACF,UAAM,MAAM,IAAI,IAAI,IAAI,WAAW,MAAM,IAAI,MAAM,SAAS,GAAG,EAAE;AACjE,UAAM,WAAW,GAAG,IAAI,QAAQ,GAAG,IAAI,OAAO,MAAM,IAAI,OAAO,EAAE;AACjE,WAAO,YAAY;AAAA,EACrB,QAAQ;AACN,UAAM,WAAW,IACd,QAAQ,SAAS,EAAE,EACnB,QAAQ,SAAS,EAAE,EACnB,QAAQ,QAAQ,GAAG;AACtB,WAAO,YAAY;AAAA,EACrB;AACF;AAWO,IAAM,oBAAoB;AAAA,EAC/B,iBAAiB;AAAA,EACjB,cAAc;AAAA,EACd,eAAe;AAAA,EACf,eAAe;AAAA,EACf,sBAAsB;AAAA,EACtB,wBAAwB;AAC1B;AAKO,SAAS,kBAAkB,MAAmB,OAAuB;AAC1E,MAAI,CAAC,kBAAkB,IAAI,EAAE,KAAK,KAAK,GAAG;AACxC,UAAM,IAAI,MAAM,WAAW,IAAI,KAAK,KAAK,6CAA6C;AAAA,EACxF;AACA,SAAO;AACT;AAGO,SAAS,cAAc,OAAuB;AACnD,SAAO,MAAM,QAAQ,iDAAiD,SAAS;AACjF;AAGO,SAAS,YAAY,OAAyB;AACnD,MAAI,OAAO,UAAU,SAAU,QAAO,cAAc,KAAK;AACzD,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,WAAW;AACtD,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,MAA+B,CAAC;AACtC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAgC,EAAG,KAAI,CAAC,IAAI,YAAY,CAAC;AAC7F,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAMA,IAAM,YAAY,EAAE,cAAc,MAAM,eAAe,KAAK;AAC5D,IAAM,aAAa,EAAE,cAAc,MAAM,eAAe,MAAM;AAC9D,IAAM,gBAAgB,EAAE,cAAc,OAAO,iBAAiB,OAAO,gBAAgB,MAAM,eAAe,MAAM;AA4BhH,eAAsB,6BACpB,IACA,WACA,OAAgC,CAAC,GACX;AACtB,QAAM,mBAAmB,KAAK,oBAAoB;AAElD,QAAM,aAAa,CAAC,SAA6B,EAAE,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,UAAU,KAAK,gBAAgB,EAAE,CAAC,EAAE;AAQhI,QAAM,iBAAiB,OAAO,SAAkB,SAAsC;AACpF,UAAM,MAAmB,EAAE,MAAM,UAAU,UAAU,IAAI;AACzD,QAAI,CAAE,MAAM,QAAQ,OAAO,GAAG,EAAI,QAAO,WAAW,IAAI,QAAQ,KAAK,sBAAsB;AAC3F,UAAM,SAAS,MAAM,QAAQ,KAAK,GAAG;AACrC,UAAM,aAAa,cAAc,OAAO,MAAM,MAAM,cAAc,OAAO,MAAM,MAAM;AAAA,IACnF,KAAK,UAAU,EAAE,OAAO,OAAO,OAAO,OAAO,OAAO,MAAM,CAAC;AAC7D,WAAO,WAAW,CAAC,YAAY,OAAO,UAAU,EAAE,EAAE,OAAO,OAAO,EAAE,KAAK,MAAM,CAAC;AAAA,EAClF;AAGA,QAAM,OAAO,CACX,MACA,aACA,YACA,SACA,WACe,EAAE,MAAM,aAAa,YAAY,aAAa,MAAM,aAAa,QAAQ;AAE1F,QAAM,QAAqB;AAAA,IACzB,KAAK,aAAa,8CAA8C;AAAA,MAC9D,IAAI,EAAE,OAAO;AAAA,MACb,MAAM,EAAE,KAAK,UAAU;AAAA,MACvB,MAAM,EAAE,OAAO;AAAA,MACf,eAAe,EAAE,OAAO;AAAA,MACxB,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC;AAAA,MACnC,UAAU,EAAE,OAAO,EAAE,OAAO,GAAG,EAAE,QAAQ,CAAC,EAAE,SAAS;AAAA,MACrD,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,SAAS;AAAA,MACnC,QAAQ,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,8CAA8C;AAAA,MACrF,WAAW,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,2CAA2C;AAAA,MACrF,cAAc,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS,EAAE,SAAS,+BAA0B;AAAA,IACzF,GAAG,OAAO,SAAS;AACjB,YAAM,OAAO;AAAA,QACX,IAAI,eAAe,KAAK,IAAI,CAAW;AAAA,QACvC,MAAM,KAAK,MAAM;AAAA,QACjB,MAAM,KAAK,MAAM;AAAA,QACjB,eAAe,KAAK,eAAe;AAAA,QACnC,YAAY,KAAK,YAAY;AAAA,QAC7B,UAAU,YAAa,KAAK,UAAU,KAAiC,CAAC,CAAC;AAAA,QACzE,MAAO,KAAK,MAAM,KAAkB,CAAC;AAAA,QACrC,QAAQ,KAAK,QAAQ;AAAA,QACrB,WAAW,KAAK,WAAW;AAAA,QAC3B,cAAc,KAAK,cAAc;AAAA,MACnC;AACA,SAAG,WAAW,WAAW,IAAI;AAC7B,aAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,gBAAW,KAAK,EAAE,GAAG,CAAC,EAAE;AAAA,IACnE,GAAG,EAAE,aAAa,cAAc,CAAC;AAAA,IAEjC,KAAK,aAAa,oGAA+F;AAAA,MAC/G,UAAU,EAAE,OAAO;AAAA,MACnB,UAAU,EAAE,OAAO;AAAA,MACnB,cAAc,EAAE,KAAK,kBAAkB;AAAA,MACvC,UAAU,EAAE,OAAO;AAAA,MACnB,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC;AAAA,IACrC,GAAG,OAAO,SAAS;AACjB,SAAG,WAAW,WAAW;AAAA,QACvB,UAAU,KAAK,UAAU;AAAA,QACzB,UAAU,KAAK,UAAU;AAAA,QACzB,cAAc,KAAK,cAAc;AAAA,QACjC,UAAU,cAAc,KAAK,UAAU,CAAW;AAAA,QAClD,YAAY,KAAK,YAAY;AAAA,MAC/B,CAAC;AACD,aAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,UAAK,KAAK,UAAU,CAAC,SAAI,KAAK,UAAU,CAAC,GAAG,CAAC,EAAE;AAAA,IAC1F,GAAG,EAAE,aAAa,cAAc,CAAC;AAAA,IAEjC,KAAK,eAAe,2EAAsE;AAAA,MACxF,cAAc,EAAE,QAAQ,EAAE,QAAQ,IAAI;AAAA,IACxC,GAAG,OAAO,SAAS;AACjB,YAAM,QAAQ,GAAG,SAAS,SAAS;AACnC,YAAM,QAAS,KAAK,cAAc,IAAgB,GAAG,SAAS,SAAS,IAAI,CAAC;AAC5E,aAAO;AAAA,QACL,SAAS,CAAC;AAAA,UACR,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACnB,OAAO,EAAE,OAAO,MAAM,QAAQ,OAAO,MAAM,OAAO;AAAA,YAClD,SAAS,MAAM,IAAI,OAAK,EAAE,EAAE;AAAA,UAC9B,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF,GAAG,EAAE,aAAa,WAAW,CAAC;AAAA,IAE9B,KAAK,YAAY,yHAAoH;AAAA,MACnI,UAAU,EAAE,OAAO,EAAE,SAAS,gDAAgD;AAAA,MAC9E,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,kDAAkD;AAAA,IAC5F,GAAG,OAAO,SAAS;AACjB,YAAM,WAAW,KAAK,UAAU;AAChC,YAAM,UAAU,KAAK,SAAS;AAE9B,UAAI,KAAK,WAAW;AAClB,cAAM,SAAS,MAAM,KAAK,UAAU,UAAU,OAAO;AACrD,eAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,OAAO,CAAC,EAAE;AAAA,MACrD;AAGA,aAAO;AAAA,QACL,SAAS,CAAC,EAAE,MAAM,QAAQ,MAAM,yEAAoE,CAAC;AAAA,MACvG;AAAA,IACF,GAAG,EAAE,aAAa,WAAW,CAAC;AAAA,IAE9B,KAAK,kBAAkB,+HAA0H;AAAA,MAC/I,eAAe,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG,EAAE,SAAS;AAAA,IAChE,GAAG,YAAY;AACb,YAAM,QAAQ,MAAM,iBAAiB;AACrC,aAAO;AAAA,QACL,SAAS,CAAC;AAAA,UACR,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACnB,OAAO,MAAM;AAAA,YACb,OAAO,MAAM,IAAI,QAAM;AAAA,cACrB,UAAU,EAAE;AAAA,cACZ,MAAM,EAAE;AAAA,cACR,UAAU,EAAE;AAAA,cACZ,QAAQ,EAAE;AAAA,YACZ,EAAE;AAAA,YACF,MAAM;AAAA,UACR,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,wBAAwB,gIAA2H;AAAA,MACtJ,WAAW,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,QAAQ,CAAC,EAAE,SAAS,EAAE,SAAS,sEAAsE;AAAA,IACpI,GAAG,OAAO,SAAS;AACjB,YAAM,YAAa,KAAK,WAAW,KAA4B;AAC/D,YAAM,QAAQ,MAAM,eAAe;AACnC,YAAM,WAAW,MAAM,OAAO,OAAK,EAAE,cAAc,SAAS;AAC5D,aAAO;AAAA,QACL,SAAS,CAAC;AAAA,UACR,MAAM;AAAA,UACN,MAAM,KAAK,UAAU;AAAA,YACnB,OAAO,SAAS;AAAA,YAChB,MAAM;AAAA,YACN,OAAO,SAAS,IAAI,QAAM;AAAA,cACxB,UAAU,EAAE;AAAA,cACZ,YAAY,EAAE;AAAA,cACd,UAAU,EAAE;AAAA,cACZ,QAAQ,EAAE;AAAA,YACZ,EAAE;AAAA,UACJ,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,wBAAwB,6HAAwH;AAAA,MACnJ,MAAM,EAAE,QAAQ,EAAE,QAAQ,KAAK,EAAE,SAAS,EAAE,SAAS,qEAAqE;AAAA,IAC5H,GAAG,OAAO,SAAS;AACjB,YAAM,OAAQ,KAAK,MAAM,KAA6B;AACtD,aAAO,eAAe,kBAAkB,OAAO,SAAS,EAAE;AAAA,IAC5D,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,sBAAsB,4EAAuE;AAAA,MAChG,WAAW,EAAE,OAAO,EAAE,MAAM,kBAAkB,eAAe,GAAG,8BAA8B,EAAE,SAAS,EAAE,SAAS,mDAA8C;AAAA,IACpK,GAAG,OAAO,SAAS;AACjB,YAAM,KAAK,KAAK,WAAW;AAC3B,UAAI,GAAI,mBAAkB,iBAAiB,EAAE;AAC7C,aAAO,eAAe,YAAY,KAAK,aAAa,EAAE,KAAK,EAAE;AAAA,IAC/D,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,sBAAsB,6EAAwE;AAAA,MACjG,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,YAAY,GAAG,oBAAoB,EAAE,SAAS,EAAE,SAAS,0DAAqD;AAAA,MACzJ,SAAS,EAAE,OAAO,EAAE,MAAM,kBAAkB,aAAa,GAAG,qBAAqB,EAAE,SAAS,EAAE,SAAS,iBAAiB;AAAA,IAC1H,GAAG,OAAO,SAAS;AACjB,YAAM,SAAS,KAAK,QAAQ;AAC5B,YAAM,UAAU,KAAK,SAAS;AAC9B,UAAI,OAAQ,mBAAkB,cAAc,MAAM;AAClD,UAAI,QAAS,mBAAkB,eAAe,OAAO;AACrD,YAAM,OAAO,CAAC,SAAS,UAAU,MAAM,KAAK,IAAI,UAAU,WAAW,OAAO,KAAK,EAAE,EAAE,OAAO,OAAO,EAAE,KAAK,GAAG;AAC7G,aAAO,eAAe,iBAAiB,IAAI;AAAA,IAC7C,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,sBAAsB,mFAA8E;AAAA,MACvG,SAAS,EAAE,OAAO,EAAE,MAAM,kBAAkB,aAAa,GAAG,wBAAwB,EAAE,SAAS,EAAE,SAAS,uDAAkD;AAAA,IAC9J,GAAG,OAAO,SAAS;AACjB,YAAM,UAAU,KAAK,SAAS;AAC9B,UAAI,QAAS,mBAAkB,eAAe,OAAO;AACrD,aAAO,eAAe,iBAAiB,UAAU,WAAW,OAAO,KAAK,EAAE;AAAA,IAC5E,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,wBAAwB,0EAAqE;AAAA,MAChG,cAAc,EAAE,OAAO,EAAE,MAAM,kBAAkB,oBAAoB,GAAG,+BAA+B,EAAE,SAAS,EAAE,SAAS,uBAAuB;AAAA,MACpJ,eAAe,EAAE,OAAO,EAAE,MAAM,kBAAkB,sBAAsB,GAAG,8BAA8B,EAAE,SAAS,EAAE,SAAS,0BAA0B;AAAA,IAC3J,GAAG,OAAO,SAAS;AACjB,YAAM,MAAM,KAAK,cAAc;AAC/B,YAAM,KAAK,KAAK,eAAe;AAC/B,UAAI,IAAK,mBAAkB,sBAAsB,GAAG;AACpD,UAAI,GAAI,mBAAkB,wBAAwB,EAAE;AACpD,YAAM,OAAO,CAAC,MAAM,gBAAgB,GAAG,KAAK,IAAI,KAAK,kBAAkB,EAAE,KAAK,EAAE,EAAE,OAAO,OAAO,EAAE,KAAK,GAAG;AAC1G,aAAO,eAAe,mBAAmB,IAAI;AAAA,IAC/C,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,IAE7B,KAAK,uBAAuB,8FAAyF;AAAA,MACnH,YAAY,EAAE,OAAO,EAAE,SAAS,EAAE,SAAS,8EAA8E;AAAA,IAC3H,GAAG,OAAO,SAAS;AACjB,YAAM,OAAO,KAAK,YAAY;AAC9B,YAAM,UAAkC,CAAC;AACzC,cAAQ,UAAU,IAAI,GAAG,QAAQ,KAAK,SAAS,YAAY,SAAS,UAAU,OAAO;AAErF,UAAI,QAAQ;AAEV,gBAAQ,cAAc,IAAI,IAAI,2CAA2C,KAAK;AAC9E,gBAAQ,mBAAmB,IAAI,IAAI,4CAA4C,KAAK;AAEpF,gBAAQ,YAAY,IAAI,IAAI,0CAA0C,KAAK;AAC3E,gBAAQ,eAAe,IAAI,IAAI,6CAA6C,KAAK;AAEjF,gBAAQ,gBAAgB,IAAI,IAAI,gHAAkH,KAAK;AAAA,MACzJ,WAAW,UAAU;AAEnB,gBAAQ,MAAM,IAAI,IAAI,wDAA0D,KAAK;AACrF,gBAAQ,MAAM,IAAI,IAAI,kCAAkC,KAAK;AAC7D,gBAAQ,SAAS,IAAI,IAAI,qCAAqC,KAAK;AACnE,gBAAQ,eAAe,IAAI,IAAI,kJAAkJ,KAAK;AACtL,gBAAQ,KAAK,IAAI,IAAI,iCAAiC,KAAK;AAAA,MAC7D,WAAW,QAAQ;AAEjB,gBAAQ,QAAQ,IAAI,IAAI,0CAA0C,EAAE,SAAS,IAAO,CAAC,KAAK;AAC1F,gBAAQ,oBAAoB,IAAI,oBAAoB,KAAK;AAEzD,gBAAQ,OAAO,IAAI,IAAI,2BAA2B,EAAE,SAAS,KAAO,CAAC,KAAK;AAE1E,gBAAQ,OAAO,IAAI,IAAI,cAAc,EAAE,SAAS,KAAO,CAAC,KAAK;AAAA,MAC/D;AAGA,YAAM,aAAa;AAAA;AAAA,QAEjB;AAAA,QAAQ;AAAA,QAAiB;AAAA,QAAU;AAAA,QAAY;AAAA,QAAO;AAAA,QAAO;AAAA,QAAQ;AAAA,QAAS;AAAA,QAAQ;AAAA,QAAgB;AAAA,QACtG;AAAA,QAAQ;AAAA,QAAY;AAAA,QAAW;AAAA,QAAU;AAAA,QAAY;AAAA,QAAS;AAAA,QAAS;AAAA,QAAY;AAAA,QAAY;AAAA;AAAA,QAE/F;AAAA,QAAO;AAAA,QAAM;AAAA,QAAU;AAAA,QAAkB;AAAA,QAAU;AAAA,QAAW;AAAA,QAAQ;AAAA,QAAa;AAAA,QACnF;AAAA,QAAQ;AAAA,QAAO;AAAA,QAAO;AAAA,QAAQ;AAAA,QAAQ;AAAA,QAAO;AAAA,QAC7C;AAAA,QAAU;AAAA,QAAW;AAAA,QAAO;AAAA,QAAQ;AAAA,QAAU;AAAA,QAAU;AAAA,QACxD;AAAA,QAAQ;AAAA,QAAO;AAAA,QAAW;AAAA,QAC1B;AAAA,QAAQ;AAAA,QAAO;AAAA,QAAU;AAAA,QACzB;AAAA,QAAM;AAAA,QAAS;AAAA,QACf;AAAA,QAAO;AAAA,QACP;AAAA;AAAA,QAEA;AAAA,QAAQ;AAAA,QAAS;AAAA,QAAc;AAAA,QAAS;AAAA,QAAW;AAAA,QAAa;AAAA,QAAW;AAAA;AAAA,QAE3E;AAAA,QAAO;AAAA,QAAU;AAAA,QAAM;AAAA,QAAU;AAAA,QAAO;AAAA,QAAU;AAAA,QAAW;AAAA;AAAA,QAE7D;AAAA,QAAW;AAAA,QAAU;AAAA,QAAU;AAAA,QAAS;AAAA;AAAA,QAExC;AAAA,QAAS;AAAA,QAAW;AAAA,QAAQ;AAAA,QAAS;AAAA,QAAS;AAAA,QAAY;AAAA;AAAA,QAE1D;AAAA,QAAiB;AAAA,QAAY;AAAA,QAAW;AAAA,QAAU;AAAA,QAAS;AAAA,QAAS;AAAA;AAAA,QAEpE,GAAI,SAAS,CAAC,QAAQ,cAAc,OAAO,UAAU,SAAS,SAAS,WAAW,IAAI,CAAC;AAAA;AAAA,QAEvF;AAAA,QAAiB;AAAA,QAAkB;AAAA,QAAc;AAAA;AAAA,QAEjD;AAAA,QAAS;AAAA,QAAU;AAAA,QAAY;AAAA,MACjC;AAEA,YAAM,QAAkB,CAAC;AACzB,YAAM,WAAqB,CAAC;AAC5B,iBAAW,KAAK,YAAY;AAC1B,cAAM,IAAI,cAAc,CAAC;AACzB,YAAI,EAAG,OAAM,KAAK,GAAG,CAAC,KAAK,CAAC,EAAE;AAAA,YACzB,UAAS,KAAK,CAAC;AAAA,MACtB;AACA,cAAQ,aAAa,IAAI,MAAM,KAAK,IAAI,KAAK;AAC7C,cAAQ,iBAAiB,IAAI,SAAS,KAAK,IAAI;AAG/C,UAAI,MAAM;AACR,cAAM,QAAQ,KAAK,MAAM,QAAQ,EAAE,OAAO,OAAO;AACjD,cAAM,cAAwB,CAAC;AAC/B,mBAAW,QAAQ,OAAO;AACxB,gBAAM,OAAO,KAAK,QAAQ,oBAAoB,EAAE;AAChD,cAAI,CAAC,KAAM;AAEX,gBAAM,UAAU,cAAc,IAAI;AAClC,cAAI,SAAS;AACX,wBAAY,KAAK,GAAG,IAAI,KAAK,OAAO,EAAE;AACtC;AAAA,UACF;AAEA,cAAI,WAAW;AACf,cAAI,QAAQ;AACV,uBAAW;AAAA,cACT,sEAAsE,IAAI,2DAC3C,IAAI;AAAA,cAEnC,EAAE,SAAS,IAAO;AAAA,YACpB;AAAA,UACF,WAAW,QAAQ;AACjB,uBAAW,IAAI,iBAAiB,IAAI,yBAAyB;AAAA,UAC/D,OAAO;AACL,uBAAW,IAAI,iHAAiH,IAAI,sCAAsC;AAAA,UAC5K;AACA,sBAAY,KAAK,WAAW,GAAG,IAAI,KAAK,QAAQ,KAAK,GAAG,IAAI,eAAe;AAAA,QAC7E;AACA,gBAAQ,aAAa,IAAI,YAAY,KAAK,IAAI;AAAA,MAChD;AAEA,YAAM,MAAM,OAAO,QAAQ,OAAO,EAC/B,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC;AAAA,EAAS,CAAC,EAAE,EACpC,KAAK,MAAM;AAEd,aAAO,WAAW,GAAG;AAAA,IACvB,GAAG,EAAE,aAAa,UAAU,CAAC;AAAA,EAC/B;AAEA,SAAO;AACT;AASA,eAAsB,gCACpB,IACA,WACA,OAAgC,CAAC,GACjC;AAEA,QAAM,EAAE,KAAK,IAAI,MAAM,OAAO,gCAAgC;AAC9D,QAAM,WAAW,MAAM,6BAA6B,IAAI,WAAW,IAAI;AAIvE,SAAO,SAAS;AAAA,IAAI,CAAC,MACnB,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,YAAY,EAAE,SAAkC,EAAE,aAAa,EAAE,YAAY,CAAC;AAAA,EAC9G;AACF;AAEA,eAAsB,uBACpB,IACA,WACA,OAAgC,CAAC,GACP;AAC1B,QAAM,EAAE,mBAAmB,IAAI,MAAM,OAAO,gCAAgC;AAC5E,QAAM,QAAQ,MAAM,gCAAgC,IAAI,WAAW,IAAI;AACvE,SAAO,mBAAmB,EAAE,MAAM,eAAe,SAAS,SAAS,MAAM,CAAC;AAC5E;;;AQxgBA,OAAO,cAAc;AACrB,SAAS,iBAAiB;AAC1B,SAAS,eAAe;AACxB,SAAS,kBAAkB;AAC3B,SAAS,KAAAC,UAAS;;;ACMlB,SAAS,KAAAC,UAAS;AAIX,IAAM,uBAAuB,OAAO,KAAK,gBAAgB;AAGzD,IAAM,kBAAkBC,GAAE,OAAO;AAAA,EACtC,QAAQA,GAAE,MAAMA,GAAE,KAAK,oBAA6C,CAAC,EAAE,SAAS;AAAA,EAChF,OAAOA,GAAE,MAAMA,GAAE,KAAK,UAAU,CAAC,EAAE,SAAS;AAC9C,CAAC;AAIM,IAAM,kBAAkBA,GAAE,KAAK;AAAA,EACpC;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAU;AAAA,EAAa;AAAA,EAAc;AAAA,EACrD;AAAA,EAAS;AAAA,EAAQ;AAAA,EAAgB;AACnC,CAAC;AAIM,IAAM,gBAAgB,CAAC,wBAAwB,aAAa,iBAAiB;AAE7E,IAAM,kBAAkBA,GAAE,OAAO;AAAA,EACtC,OAAO;AAAA,EACP,IAAIA,GAAE,KAAK,CAAC,WAAW,UAAU,MAAM,OAAO,MAAM,OAAO,MAAM,YAAY,SAAS,CAAC;AAAA,EACvF,OAAOA,GAAE,MAAM,CAACA,GAAE,OAAO,GAAGA,GAAE,OAAO,CAAC,CAAC,EAAE,SAAS;AAAA,EAClD,SAASA,GAAE,KAAK,aAAa,EAAE,SAAS;AAC1C,CAAC;AAUM,IAAM,kBAAwCA,GAAE;AAAA,EAAK,MAC1DA,GAAE,MAAM;AAAA,IACN;AAAA,IACAA,GAAE,OAAO,EAAE,KAAKA,GAAE,MAAM,eAAe,EAAE,CAAC;AAAA,IAC1CA,GAAE,OAAO,EAAE,KAAKA,GAAE,MAAM,eAAe,EAAE,CAAC;AAAA,IAC1CA,GAAE,OAAO,EAAE,KAAK,gBAAgB,CAAC;AAAA,EACnC,CAAC;AACH;AAEO,IAAMC,cAAa,CAAC,YAAY,QAAQ,UAAU,KAAK;AACvD,IAAM,iBAAiBD,GAAE,KAAKC,WAAU;AAIxC,IAAM,kBAA4C,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,EAAE;AAE5F,IAAM,uBAAuBD,GAAE,OAAO;AAAA,EAC3C,IAAIA,GAAE,OAAO;AAAA,EACb,SAASA,GAAE,OAAO,EAAE,SAAS,qCAAqC;AAAA,EAClE,WAAWA,GAAE,KAAK,CAAC,OAAO,QAAQ,YAAY,UAAU,CAAC;AAAA,EACzD,OAAOA,GAAE,OAAO;AAAA,EAChB,UAAU;AAAA,EACV,WAAWA,GAAE,OAAO;AAAA,EACpB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAMP,gBAAgB,gBAAgB,SAAS;AAAA,EACzC,OAAO;AACT,CAAC;AAGM,IAAM,gBAAgBA,GAAE,OAAO;AAAA,EACpC,MAAMA,GAAE,OAAO;AAAA,EACf,SAASA,GAAE,OAAO;AAAA,EAClB,WAAWA,GAAE,OAAO;AAAA,EACpB,aAAaA,GAAE,OAAO;AAAA,EACtB,OAAOA,GAAE,MAAM,oBAAoB,EAAE,IAAI,CAAC;AAC5C,CAAC,EAAE,YAAY,CAAC,IAAI,QAAQ;AAC1B,QAAM,OAAO,oBAAI,IAAY;AAC7B,aAAW,KAAK,GAAG,OAAO;AACxB,QAAI,KAAK,IAAI,EAAE,EAAE,EAAG,KAAI,SAAS,EAAE,MAAM,UAAU,SAAS,sBAAsB,EAAE,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;AAC3G,SAAK,IAAI,EAAE,EAAE;AAAA,EACf;AACF,CAAC;AAGM,IAAM,sBAAsBA,GAAE,OAAO;AAAA,EAC1C,QAAQA,GAAE,OAAO;AAAA,EACjB,SAASA,GAAE,OAAO;AAAA,EAClB,WAAWA,GAAE,OAAO;AAAA,EACpB,UAAU;AAAA,EACV,QAAQA,GAAE,KAAK,CAAC,QAAQ,QAAQ,gBAAgB,CAAC;AAAA,EACjD,iBAAiBA,GAAE,OAAO,EAAE,IAAI;AAAA,EAChC,aAAaA,GAAE,OAAO,EAAE,IAAI;AAAA,EAC5B,gBAAgBA,GAAE,MAAMA,GAAE,OAAO,CAAC;AACpC,CAAC;AAGM,IAAM,yBAAyBA,GAAE,OAAO;AAAA,EAC7C,aAAaA,GAAE,OAAO;AAAA,EACtB,gBAAgBA,GAAE,OAAO;AAAA,EACzB,aAAaA,GAAE,OAAO;AAAA,EACtB,OAAOA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,SAAS;AAAA,EAC3C,QAAQA,GAAE,KAAK,CAAC,QAAQ,QAAQ,gBAAgB,CAAC;AAAA,EACjD,QAAQA,GAAE,OAAO;AAAA,IACf,OAAOA,GAAE,OAAO;AAAA,IAAG,YAAYA,GAAE,OAAO;AAAA,IAAG,QAAQA,GAAE,OAAO;AAAA,IAC5D,QAAQA,GAAE,OAAO;AAAA,IAAG,eAAeA,GAAE,OAAO;AAAA,EAC9C,CAAC;AAAA,EACD,YAAYA,GAAE,OAAO,gBAAgBA,GAAE,OAAO,EAAE,QAAQA,GAAE,OAAO,GAAG,QAAQA,GAAE,OAAO,EAAE,CAAC,CAAC;AAAA,EACzF,UAAUA,GAAE,MAAM,mBAAmB;AAAA,EACrC,MAAMA,GAAE,MAAMA,GAAE,OAAO;AAAA,IACrB,QAAQA,GAAE,OAAO;AAAA,IAAG,SAASA,GAAE,OAAO;AAAA,IAAG,UAAU;AAAA,IACnD,OAAOA,GAAE,OAAO;AAAA,IAAG,SAASA,GAAE,MAAMA,GAAE,OAAO,CAAC;AAAA,EAChD,CAAC,CAAC;AACJ,CAAC;;;ACtGD,IAAM,eAAe;AACrB,IAAM,qBAAqB;AAG3B,SAAS,UAAU,MAAe,OAA2B;AAC3D,UAAQ,OAAO;AAAA,IACb,KAAK;AAAQ,aAAO,KAAK;AAAA,IACzB,KAAK;AAAQ,aAAO,KAAK;AAAA,IACzB,KAAK;AAAU,aAAO,KAAK;AAAA,IAC3B,KAAK;AAAa,aAAO,KAAK;AAAA,IAC9B,KAAK;AAAc,aAAO,KAAK;AAAA,IAC/B,KAAK;AAAgB,aAAO,KAAK;AAAA,IACjC,KAAK;AAAS,aAAO,KAAK;AAAA,IAC1B,KAAK;AAAQ,aAAO,KAAK;AAAA,IACzB,KAAK;AAAgB,aAAO,OAAO,KAAK,KAAK,YAAY,CAAC,CAAC;AAAA,IAC3D,KAAK;AAAkB,aAAO,OAAO,OAAO,KAAK,YAAY,CAAC,CAAC,EAAE,IAAI,CAAC,MAAO,OAAO,MAAM,WAAW,IAAI,KAAK,UAAU,CAAC,CAAE;AAAA,EAC7H;AACF;AAGA,SAAS,UAAU,OAAyB;AAC1C,MAAI,UAAU,UAAa,UAAU,KAAM,QAAO;AAClD,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,SAAS;AAChD,MAAI,OAAO,UAAU,SAAU,QAAO,MAAM,SAAS;AACrD,SAAO;AACT;AAEA,SAAS,eAAe,OAAgB,SAAqD;AAC3F,QAAM,OAAO,CAAC,MAAuB;AACnC,YAAQ,SAAS;AAAA,MACf,KAAK;AAAwB,eAAO,cAAc,CAAC,MAAM;AAAA;AAAA,MACzD,KAAK;AAAa,eAAO,aAAa,KAAK,CAAC;AAAA,MAC5C,KAAK;AAAmB,eAAO,mBAAmB,KAAK,CAAC;AAAA,IAC1D;AAAA,EACF;AACA,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,KAAK,CAAC,MAAM,OAAO,MAAM,YAAY,KAAK,CAAC,CAAC;AACnF,SAAO,OAAO,UAAU,YAAY,KAAK,KAAK;AAChD;AAEO,SAAS,kBAAkB,MAAe,MAA0B;AACzE,QAAM,IAAI,UAAU,MAAM,KAAK,KAAK;AACpC,UAAQ,KAAK,IAAI;AAAA,IACf,KAAK;AAAW,aAAO,UAAU,CAAC;AAAA,IAClC,KAAK;AAAU,aAAO,CAAC,UAAU,CAAC;AAAA,IAClC,KAAK;AAAM,aAAO,OAAO,MAAM,YAAY,OAAO,KAAK,UAAU,YAAY,IAAI,KAAK;AAAA,IACtF,KAAK;AAAO,aAAO,OAAO,MAAM,YAAY,OAAO,KAAK,UAAU,YAAY,KAAK,KAAK;AAAA,IACxF,KAAK;AAAM,aAAO,OAAO,MAAM,YAAY,OAAO,KAAK,UAAU,YAAY,IAAI,KAAK;AAAA,IACtF,KAAK;AAAO,aAAO,OAAO,MAAM,YAAY,OAAO,KAAK,UAAU,YAAY,KAAK,KAAK;AAAA,IACxF,KAAK;AAAM,aAAO,MAAM,KAAK;AAAA,IAC7B,KAAK;AAAY,aAAO,MAAM,QAAQ,CAAC,KAAK,KAAK,UAAU,UAAa,EAAE,SAAS,KAAK,KAAc;AAAA,IACtG,KAAK;AAAW,aAAO,KAAK,YAAY,UAAa,eAAe,GAAG,KAAK,OAAO;AAAA,EACrF;AACF;AAEO,SAAS,cAAc,MAAe,OAA2B;AACtE,MAAI,SAAS,MAAO,QAAO,MAAM,IAAI,MAAM,CAAC,MAAM,cAAc,MAAM,CAAC,CAAC;AACxE,MAAI,SAAS,MAAO,QAAO,MAAM,IAAI,KAAK,CAAC,MAAM,cAAc,MAAM,CAAC,CAAC;AACvE,MAAI,SAAS,MAAO,QAAO,CAAC,cAAc,MAAM,MAAM,GAAG;AACzD,SAAO,kBAAkB,MAAM,KAAK;AACtC;AAGA,SAAS,YAAY,MAA0C;AAC7D,QAAM,EAAE,QAAQ,MAAM,IAAI,KAAK;AAC/B,OAAK,CAAC,UAAU,OAAO,WAAW,OAAO,CAAC,SAAS,MAAM,WAAW,GAAI,QAAO;AAC/E,QAAM,MAAM,oBAAI,IAAY;AAC5B,aAAW,KAAK,UAAU,CAAC,EAAG,YAAW,KAAK,iBAAiB,CAAkC,EAAG,KAAI,IAAI,CAAC;AAC7G,aAAW,KAAK,SAAS,CAAC,EAAG,KAAI,IAAI,CAAC;AACtC,SAAO;AACT;AAGA,SAAS,gBAAgB,OAAkB,MAAiC;AAC1E,QAAM,QAAQ,YAAY,IAAI;AAC9B,SAAO,MAAM;AAAA,IAAO,CAAC,OAClB,UAAU,QAAQ,MAAM,IAAI,EAAE,IAAI,OAClC,KAAK,mBAAmB,UAAa,cAAc,GAAG,KAAK,cAAc;AAAA,EAC5E;AACF;AAEO,SAAS,aAAa,OAAwB,MAAqC;AACxF,QAAM,aAAa,gBAAgB,MAAM,OAAO,IAAI;AACpD,QAAM,OAAO,EAAE,QAAQ,KAAK,IAAI,SAAS,KAAK,SAAS,WAAW,KAAK,WAAW,UAAU,KAAK,SAAS;AAC1G,MAAI,WAAW,WAAW,GAAG;AAC3B,WAAO,EAAE,GAAG,MAAM,QAAQ,kBAAkB,iBAAiB,GAAG,aAAa,GAAG,gBAAgB,CAAC,EAAE;AAAA,EACrG;AACA,QAAM,iBAAiB,WAAW,OAAO,CAAC,MAAM,CAAC,cAAc,GAAG,KAAK,KAAK,CAAC,EAAE,IAAI,CAAC,MAAM,EAAE,EAAE,EAAE,KAAK;AACrG,SAAO;AAAA,IACL,GAAG;AAAA,IACH,QAAQ,eAAe,WAAW,IAAI,SAAS;AAAA,IAC/C,iBAAiB,WAAW;AAAA,IAC5B,aAAa,WAAW,SAAS,eAAe;AAAA,IAChD;AAAA,EACF;AACF;AAOO,SAAS,cAAc,OAAwB,SAAkB,MAA2C;AACjH,QAAM,QAAQ,CAAC,GAAG,MAAM,KAAK,EAAE,KAAK,CAAC,GAAG,MAAO,EAAE,KAAK,EAAE,KAAK,KAAK,EAAE,KAAK,EAAE,KAAK,IAAI,CAAE;AACtF,QAAM,QAAQ,CAAC,GAAG,QAAQ,KAAK,EAAE,KAAK,CAAC,GAAG,MAAO,EAAE,KAAK,EAAE,KAAK,KAAK,EAAE,KAAK,EAAE,KAAK,IAAI,CAAE;AACxF,QAAM,WAAW,MAAM,IAAI,CAAC,MAAM,aAAa,EAAE,OAAO,OAAO,MAAM,MAAM,GAAG,CAAC,CAAC;AAEhF,QAAM,aAAa,OAAO,YAAYE,YAAW,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,QAAQ,GAAG,QAAQ,EAAE,CAAC,CAAC,CAAC;AAC1F,MAAI,aAAa,GAAG,SAAS,GAAG,SAAS,GAAG,gBAAgB;AAC5D,MAAI,cAAc,GAAG,eAAe;AACpC,QAAM,OAAiC,CAAC;AAExC,aAAW,KAAK,UAAU;AACxB,UAAM,IAAI,gBAAgB,EAAE,QAAoB;AAChD,QAAI,EAAE,WAAW,kBAAkB;AAAE;AAAiB;AAAA,IAAU;AAChE;AACA,mBAAe;AACf,QAAI,EAAE,WAAW,QAAQ;AAAE;AAAU,sBAAgB;AAAG,iBAAW,EAAE,QAAQ,EAAE;AAAA,IAAU,OACpF;AACH;AAAU,iBAAW,EAAE,QAAQ,EAAE;AACjC,YAAM,OAAO,MAAM,KAAK,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM;AAChD,WAAK,KAAK,EAAE,QAAQ,EAAE,QAAQ,SAAS,EAAE,SAAS,UAAU,EAAE,UAAU,OAAO,KAAK,OAAO,SAAS,EAAE,eAAe,CAAC;AAAA,IACxH;AAAA,EACF;AAEA,QAAM,QAAQ,eAAe,IAAI,OAAO,KAAK,MAAO,MAAM,eAAgB,WAAW;AACrF,QAAM,SAAqC,eAAe,IAAI,mBAAmB,WAAW,IAAI,SAAS;AAEzG,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,gBAAgB,QAAQ;AAAA,IACxB,aAAa,MAAM,QAAO,oBAAI,KAAK,GAAE,YAAY;AAAA,IACjD;AAAA,IACA;AAAA,IACA,QAAQ,EAAE,OAAO,MAAM,QAAQ,YAAY,QAAQ,QAAQ,cAAc;AAAA,IACzE;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;ACnJA,IAAM,UAAU,CAAC,MAAuB,GAAG,EAAE,QAAQ,KAAI,EAAE,QAAQ,KAAI,EAAE,YAAY;AAG9E,SAAS,gBAAgB,OAAwB;AACtD,MAAI,UAAU,QAAQ,OAAO,UAAU,SAAU,QAAO,KAAK,UAAU,KAAK,KAAK;AACjF,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,IAAI,MAAM,IAAI,eAAe,EAAE,KAAK,GAAG,CAAC;AACzE,QAAM,OAAO,OAAO,KAAK,KAAgC,EAAE,KAAK;AAChE,SAAO,IAAI,KAAK,IAAI,CAAC,MAAM,GAAG,KAAK,UAAU,CAAC,CAAC,IAAI,gBAAiB,MAAkC,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,GAAG,CAAC;AACxH;AAGA,SAAS,cAAc,GAAY,GAA0B;AAC3D,QAAM,UAAwB,CAAC;AAC/B,aAAW,KAAK,cAAc;AAC5B,QAAI,MAAM,QAAQ;AAChB,UAAI,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,IAAG,MAAM,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,IAAG,EAAG,SAAQ,KAAK,CAAC;AAAA,IACnF,WAAW,MAAM,cAAc,MAAM,QAAQ;AAE3C,UAAI,gBAAgB,EAAE,CAAC,CAAC,MAAM,gBAAgB,EAAE,CAAC,CAAC,EAAG,SAAQ,KAAK,CAAC;AAAA,IACrE,WAAW,EAAE,CAAC,MAAM,EAAE,CAAC,GAAG;AACxB,cAAQ,KAAK,CAAC;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,aAAa,MAAqB,SAAuC;AACvF,QAAM,YAAY,IAAI,IAAI,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAC1D,QAAM,WAAW,IAAI,IAAI,QAAQ,MAAM,IAAI,CAAC,MAAM,CAAC,EAAE,IAAI,CAAC,CAAC,CAAC;AAE5D,QAAM,QAAmB,CAAC;AAC1B,QAAM,UAAqB,CAAC;AAC5B,QAAM,UAAwB,CAAC;AAC/B,MAAI,iBAAiB;AAErB,aAAW,CAAC,IAAI,KAAK,KAAK,UAAU;AAClC,UAAM,SAAS,UAAU,IAAI,EAAE;AAC/B,QAAI,CAAC,QAAQ;AACX,YAAM,KAAK,KAAK;AAChB;AAAA,IACF;AACA,UAAM,SAAS,cAAc,QAAQ,KAAK;AAC1C,QAAI,OAAO,SAAS,GAAG;AACrB,cAAQ,KAAK,EAAE,IAAI,QAAQ,OAAO,eAAe,QAAQ,iBAAiB,MAAM,aAAa,OAAO,WAAW,CAAC;AAAA,IAClH,OAAO;AACL;AAAA,IACF;AAAA,EACF;AACA,aAAW,CAAC,IAAI,MAAM,KAAK,WAAW;AACpC,QAAI,CAAC,SAAS,IAAI,EAAE,EAAG,SAAQ,KAAK,MAAM;AAAA,EAC5C;AAEA,QAAM,YAAY,IAAI,IAAI,KAAK,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAChE,QAAM,WAAW,IAAI,IAAI,QAAQ,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;AAClE,QAAM,aAAwB,CAAC;AAC/B,QAAM,eAA0B,CAAC;AACjC,MAAI,iBAAiB;AACrB,aAAW,CAAC,GAAG,CAAC,KAAK,UAAU;AAC7B,QAAI,UAAU,IAAI,CAAC,EAAG;AAAA,QACjB,YAAW,KAAK,CAAC;AAAA,EACxB;AACA,aAAW,CAAC,GAAG,CAAC,KAAK,WAAW;AAC9B,QAAI,CAAC,SAAS,IAAI,CAAC,EAAG,cAAa,KAAK,CAAC;AAAA,EAC3C;AAEA,SAAO;AAAA,IACL,OAAO,EAAE,OAAO,SAAS,SAAS,WAAW,eAAe;AAAA,IAC5D,OAAO,EAAE,OAAO,YAAY,SAAS,cAAc,WAAW,eAAe;AAAA,IAC7E,SAAS;AAAA,MACP,YAAY,MAAM;AAAA,MAClB,cAAc,QAAQ;AAAA,MACtB,cAAc,QAAQ;AAAA,MACtB,YAAY,WAAW;AAAA,MACvB,cAAc,aAAa;AAAA,IAC7B;AAAA,EACF;AACF;;;AC3FA,IAAM,gBAAqC,IAAI,IAAI,OAAO,OAAO,gBAAgB,EAAE,KAAK,CAAC;AAGzF,SAAS,YAAY,GAAqB;AACxC,SAAO,EAAE,UAAU,QAAQ,EAAE,WAAW,MAAM,EAAE,WAAW;AAC7D;AAGO,SAAS,cACd,OACA,QACA,aAAgC,4BACrB;AACX,QAAM,MAAiB,CAAC;AACxB,aAAW,KAAK,OAAO;AACrB,UAAM,IAAI,OAAO,IAAI,EAAE,EAAE,KAAK;AAC9B,QAAI,MAAM,GAAG;AACX,UAAI,KAAK,EAAE,QAAQ,EAAE,IAAI,MAAM,UAAU,UAAU,QAAQ,QAAQ,8BAA8B,CAAC;AAAA,IACpG,WAAW,KAAK,WAAW,kBAAkB;AAC3C,UAAI,KAAK,EAAE,QAAQ,EAAE,IAAI,MAAM,UAAU,UAAU,OAAO,QAAQ,iCAAiC,CAAC,IAAI,CAAC;AAAA,IAC3G;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,eACd,OACA,aAAgC,4BACrB;AACX,QAAM,MAAiB,CAAC;AACxB,aAAW,KAAK,OAAO;AACrB,QAAI,CAAC,cAAc,IAAI,EAAE,IAAI,GAAG;AAC9B,UAAI,KAAK,EAAE,QAAQ,EAAE,IAAI,MAAM,aAAa,UAAU,UAAU,QAAQ,wBAAwB,EAAE,IAAI,IAAI,CAAC;AAC3G;AAAA,IACF;AACA,QAAI,YAAY,CAAC,GAAG;AAClB,YAAM,UAAU,EAAE,aAAa,WAAW;AAC1C,YAAM,UAAU,EAAE,gBAAgB,QAAQ,EAAE,eAAe,WAAW;AACtE,UAAI,WAAW,SAAS;AACtB,cAAM,MAAuB,WAAW,UAAU,SAAS;AAC3D,cAAM,QAAkB,CAAC;AACzB,YAAI,QAAS,OAAM,KAAK,kBAAkB,EAAE,WAAW,QAAQ,CAAC,CAAC,EAAE;AACnE,YAAI,QAAS,OAAM,KAAK,eAAe,EAAE,YAAY,EAAE;AACvD,YAAI,KAAK,EAAE,QAAQ,EAAE,IAAI,MAAM,aAAa,UAAU,KAAK,QAAQ,GAAG,MAAM,KAAK,OAAO,CAAC,2BAA2B,CAAC;AAAA,MACvH;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,gBACd,OACA,QACA,aAAgC,4BACrB;AACX,SAAO,CAAC,GAAG,cAAc,OAAO,QAAQ,UAAU,GAAG,GAAG,eAAe,OAAO,UAAU,CAAC,EACtF,KAAK,CAAC,GAAG,MAAM,EAAE,OAAO,cAAc,EAAE,MAAM,KAAK,EAAE,KAAK,cAAc,EAAE,IAAI,CAAC;AACpF;AAGO,SAAS,aAAa,MAAiB,SAA+B;AAC3E,QAAM,OAAO,IAAI,IAAI,KAAK,IAAI,CAAC,MAAM,GAAG,EAAE,MAAM,IAAI,EAAE,IAAI,EAAE,CAAC;AAC7D,SAAO,QAAQ,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,GAAG,EAAE,MAAM,IAAI,EAAE,IAAI,EAAE,CAAC;AACjE;;;AJtDO,IAAM,iBAAiB;AASvB,SAAS,gBAAgB,KAA6B;AAC3D,MAAI,OAAO,KAAM,QAAO;AACxB,QAAM,UAAU,kBAAkB,OAAO,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG;AAClE,SAAO,qBAAqB,KAAK,OAAO,IAAI,UAAU;AACxD;AAKA,IAAM,gBAAgB;AAOf,SAAS,YAAY,IAAoB;AAC9C,SAAO,GAAG,KAAK,EAAE,YAAY,EAAE,QAAQ,QAAQ,GAAG,EAAE,QAAQ,eAAe,EAAE;AAC/E;AAGA,IAAM,gBAAgB,CAAC,QAAQ,QAAQ,QAAQ,KAAK;AAO7C,SAAS,UAAU,UAA4D;AACpF,QAAM,MAA+B,CAAC;AACtC,aAAW,KAAK,eAAe;AAC7B,QAAI,SAAS,CAAC,KAAK,KAAM,KAAI,CAAC,IAAI,SAAS,CAAC;AAAA,EAC9C;AACA,SAAO;AACT;AAOO,SAAS,YAAY,MAAc,MAAc,SAA0C;AAChG,QAAM,UAAU,OAAO,KAAK,OAAO,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,QAAQ,CAAC,CAAC,CAAC,EAAE,EAAE,KAAK,GAAG;AAC7F,QAAM,UAAU,GAAG,IAAI,SAAI,KAAK,KAAK,EAAE,YAAY,CAAC,SAAI,OAAO;AAC/D,SAAO,WAAW,QAAQ,EAAE,OAAO,OAAO,EAAE,OAAO,KAAK,EAAE,MAAM,GAAG,EAAE;AACvE;AAQO,SAAS,SAAS,cAAkC,IAAoB;AAC7E,QAAM,MAAM,gBAAgB,aAAa,KAAK,IAAI,aAAa,KAAK,IAAI;AACxE,SAAO,GAAG,GAAG,IAAI,YAAY,EAAE,CAAC;AAClC;AAGA,SAAS,cAAiB,KAAa,UAAgB;AACrD,MAAI;AACF,WAAO,KAAK,MAAM,GAAG;AAAA,EACvB,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAIA,IAAM,mBAAmBC,GAAE,OAAO;AAAA,EAChC,IAAIA,GAAE,OAAO;AAAA,EACb,MAAMA,GAAE,QAAQ,UAAU;AAAA,EAC1B,YAAYA,GAAE,OAAO;AAAA,EACrB,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,QAAQA,GAAE,OAAO;AAAA,EACjB,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,QAAQA,GAAE,OAAO,EAAE,QAAQ,cAAc;AAAA,EACzC,UAAUA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACzC,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,YAAYA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,iBAAiBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAClD,CAAC;AAED,IAAM,gBAAgBA,GAAE,OAAO;AAAA,EAC7B,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,MAAMA,GAAE,KAAK,UAAU;AAAA,EACvB,MAAMA,GAAE,OAAO;AAAA,EACf,gBAAgBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC/C,eAAeA,GAAE,OAAO;AAAA,EACxB,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACxC,OAAOA,GAAE,OAAO,EAAE,QAAQ,CAAC;AAAA,EAC3B,YAAYA,GAAE,OAAO,EAAE,QAAQ,GAAG;AAAA,EAClC,UAAUA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAAA,EACjC,MAAMA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAAA,EAC7B,QAAQA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACvC,YAAYA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,eAAeA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC9C,OAAOA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACtC,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,WAAWA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC1C,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC/C,CAAC;AAGD,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EACpC,WAAWA,GAAE,OAAO;AAAA,EACpB,YAAYA,GAAE,OAAO;AAAA,EACrB,UAAUA,GAAE,OAAO;AAAA,EACnB,MAAMA,GAAE,OAAO;AAAA,EACf,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO,EAAE,QAAQ,GAAG;AACpC,CAAC;AAGD,IAAM,oBAAoBA,GAAE,OAAO;AAAA,EACjC,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,iBAAiBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAChD,QAAQA,GAAE,OAAO;AAAA,EACjB,aAAaA,GAAE,OAAO;AAAA,EACtB,eAAeA,GAAE,OAAO;AAAA,EACxB,eAAeA,GAAE,OAAO;AAAA,EACxB,aAAaA,GAAE,OAAO;AAAA,EACtB,eAAeA,GAAE,OAAO;AAAA,EACxB,OAAOA,GAAE,OAAO;AAClB,CAAC;AAED,IAAM,gBAAgBA,GAAE,OAAO;AAAA,EAC7B,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,WAAWA,GAAE,OAAO;AAAA,EACpB,WAAWA,GAAE,OAAO;AAAA,EACpB,cAAcA,GAAE,KAAK,kBAAkB;AAAA,EACvC,UAAUA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACzC,YAAYA,GAAE,OAAO,EAAE,QAAQ,GAAG;AAAA,EAClC,eAAeA,GAAE,OAAO;AAC1B,CAAC;AAGD,IAAM,wBAAwBA,GAAE,OAAO;AAAA,EACrC,cAAcA,GAAE,OAAO;AAAA,EACvB,YAAYA,GAAE,OAAO;AAAA,EACrB,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACxC,MAAMA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC;AAAA,EAC7B,SAASA,GAAE,OAAO;AAAA,EAClB,QAAQA,GAAE,KAAK,CAAC,WAAW,YAAY,UAAU,UAAU,CAAC;AAAA,EAC5D,YAAYA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC,EAAE,SAAS,EAAE,SAAS;AAAA,EACzD,YAAYA,GAAE,OAAO;AAAA,EACrB,YAAYA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC3C,WAAWA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC5C,CAAC;AAED,IAAM,iBAAiBA,GAAE,OAAO;AAAA,EAC9B,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACxC,WAAWA,GAAE,OAAO;AAAA,EACpB,YAAYA,GAAE,OAAO;AAAA,EACrB,SAASA,GAAE,OAAO;AAAA,EAClB,KAAKA,GAAE,OAAO;AAAA,EACd,QAAQA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACvC,aAAaA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,aAAaA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACxC,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAC/C,CAAC;AAED,IAAM,gBAAgBA,GAAE,OAAO;AAAA,EAC7B,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,aAAaA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC5C,YAAYA,GAAE,OAAO;AAAA,EACrB,cAAcA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAC7C,OAAOA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAAA,EAC9B,mBAAmBA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAAA,EAC1C,QAAQA,GAAE,KAAK,CAAC,UAAU,aAAa,WAAW,CAAC;AACrD,CAAC;AAED,IAAM,oBAAoBA,GAAE,OAAO;AAAA,EACjC,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,SAASA,GAAE,OAAO;AAAA,EAClB,UAAUA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAAA,EACjC,aAAaA,GAAE,OAAO,EAAE,QAAQ,CAAC;AAAA,EACjC,YAAYA,GAAE,OAAO;AAAA,EACrB,WAAWA,GAAE,OAAO;AAAA,EACpB,iBAAiBA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EAChD,mBAAmBA,GAAE,OAAO,EAAE,QAAQ,IAAI;AAC5C,CAAC;AAED,IAAM,sBAAsBA,GAAE,OAAO;AAAA,EACnC,IAAIA,GAAE,OAAO;AAAA,EACb,YAAYA,GAAE,OAAO;AAAA,EACrB,iBAAiBA,GAAE,OAAO;AAAA,EAC1B,iBAAiBA,GAAE,OAAO;AAAA,EAC1B,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS;AAAA,EACrC,YAAYA,GAAE,OAAO;AACvB,CAAC;AA4CD,SAAS,UAAU,MAAsB;AACvC,aAAW,CAAC,OAAO,KAAK,KAAK,OAAO,QAAQ,gBAAgB,GAAG;AAC7D,QAAK,MAA4B,SAAS,IAAI,EAAG,QAAO;AAAA,EAC1D;AACA,SAAO;AACT;AAOO,SAAS,kBAAkB,SAAuB,WAA2B;AAClF,QAAM,OAAO,UAAU,MAAM,GAAG,EAAE;AAClC,QAAM,QAAQ,QAAQ,OAAO;AAC7B,MAAI,UAAU,EAAG,QAAO,2BAAqB,IAAI;AAEjD,QAAM,UAAU,oBAAI,IAAoB;AACxC,aAAW,CAAC,MAAM,CAAC,KAAK,OAAO,QAAQ,QAAQ,WAAW,GAAG;AAC3D,UAAM,IAAI,UAAU,IAAI;AACxB,YAAQ,IAAI,IAAI,QAAQ,IAAI,CAAC,KAAK,KAAK,CAAC;AAAA,EAC1C;AACA,QAAM,YAAY,CAAC,GAAG,QAAQ,QAAQ,CAAC,EACpC,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC,EACtD,MAAM,GAAG,CAAC,EACV,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC;AAEjB,QAAM,OAAO,UAAU,IAAI,SAAS;AACpC,SAAO,GAAG,UAAU,KAAK,GAAG,CAAC,SAAM,KAAK,IAAI,IAAI,SAAM,IAAI;AAC5D;AAqDA,IAAM,SAAS;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AA6LR,IAAM,gBAAN,MAAoB;AAAA,EACjB;AAAA;AAAA,EAES;AAAA,EACA;AAAA,EAEjB,YAAY,QAAgB,MAAoC;AAC9D,cAAU,QAAQ,MAAM,GAAG,EAAE,WAAW,KAAK,CAAC;AAC9C,SAAK,KAAK,IAAI,SAAS,MAAM;AAC7B,SAAK,GAAG,OAAO,oBAAoB;AACnC,SAAK,GAAG,OAAO,mBAAmB;AAClC,SAAK,GAAG,OAAO,qBAAqB;AACpC,SAAK,iBAAiB,MAAM,SAAS,WAAW;AAChD,SAAK,oBAAoB,MAAM,WAAW;AAC1C,SAAK,QAAQ;AAAA,EACf;AAAA,EAEQ,UAAgB;AACtB,UAAM,UAAW,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAChE,QAAI,YAAY,GAAG;AACjB,WAAK,GAAG,KAAK,MAAM;AACnB,WAAK,GAAG,OAAO,mBAAmB;AAClC;AAAA,IACF,WAAW,YAAY,GAAG;AAExB,YAAM,OAAQ,KAAK,GAAG,QAAQ,0BAA0B,EAAE,IAAI,EAA8B,IAAI,OAAK,EAAE,IAAI;AAC3G,UAAI,CAAC,KAAK,SAAS,QAAQ,EAAG,MAAK,GAAG,KAAK,0CAA0C;AACrF,UAAI,CAAC,KAAK,SAAS,YAAY,EAAG,MAAK,GAAG,KAAK,8CAA8C;AAC7F,UAAI,CAAC,KAAK,SAAS,eAAe,EAAG,MAAK,GAAG,KAAK,iDAAiD;AACnG,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAWZ;AACD,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AACA,QAAI,YAAY,GAAG;AAEjB,WAAK,GAAG,KAAK,gHAAgH;AAC7H,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAEA,UAAM,UAAU,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC/D,QAAI,UAAU,GAAG;AACf,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA,OAIZ;AACD,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAEA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,GAAG;AACV,YAAM,OAAQ,KAAK,GAAG,QAAQ,6BAA6B,EAAE,IAAI,EAA8B,IAAI,OAAK,EAAE,IAAI;AAC9G,UAAI,CAAC,KAAK,SAAS,MAAM,EAAG,MAAK,GAAG,KAAK,2CAA2C;AACpF,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAEA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,GAAG;AACV,YAAM,OAAQ,KAAK,GAAG,QAAQ,oCAAoC,EAAE,IAAI,EAA8B,IAAI,OAAK,EAAE,IAAI;AACrH,UAAI,CAAC,KAAK,SAAS,SAAS,EAAG,MAAK,GAAG,KAAK,qDAAqD;AACjG,UAAI,CAAC,KAAK,SAAS,cAAc,EAAG,MAAK,GAAG,KAAK,6DAA6D;AAC9G,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAIA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,GAAG;AACV,YAAM,SAAS,CAAC,YAAY,SAAS,SAAS,eAAe,mBAAmB,SAAS,WAAW;AACpG,iBAAW,KAAK,QAAQ;AACtB,cAAM,OAAQ,KAAK,GAAG,QAAQ,qBAAqB,CAAC,GAAG,EAAE,IAAI,EAA8B,IAAI,CAAC,MAAM,EAAE,IAAI;AAG5G,YAAI,KAAK,SAAS,KAAK,CAAC,KAAK,SAAS,QAAQ,GAAG;AAC/C,eAAK,GAAG,KAAK,eAAe,CAAC,6CAA6C,cAAc,GAAG;AAAA,QAC7F;AAAA,MACF;AACA,YAAM,WAAW,CAAC,SACf,KAAK,GAAG,QAAQ,qBAAqB,IAAI,GAAG,EAAE,IAAI,EAAgB,SAAS;AAC9E,UAAI,SAAS,UAAU,EAAG,MAAK,GAAG,KAAK,oEAAoE;AAC3G,UAAI,SAAS,OAAO,EAAG,MAAK,GAAG,KAAK,kFAAkF;AACtH,UAAI,SAAS,OAAO,EAAG,MAAK,GAAG,KAAK,kFAAkF;AACtH,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAKA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,GAAG;AACV,YAAM,KAAM,KAAK,GAAG,QAAQ,6BAA6B,EAAE,IAAI,EAA8B,IAAI,CAAC,MAAM,EAAE,IAAI;AAC9G,UAAI,GAAG,SAAS,GAAG;AACjB,mBAAW,OAAO,CAAC,YAAY,QAAQ,cAAc,cAAc,GAAG;AACpE,cAAI,CAAC,GAAG,SAAS,GAAG,EAAG,MAAK,GAAG,KAAK,mCAAmC,GAAG,OAAO;AAAA,QACnF;AAAA,MACF;AACA,YAAM,KAAM,KAAK,GAAG,QAAQ,0BAA0B,EAAE,IAAI,EAA8B,IAAI,CAAC,MAAM,EAAE,IAAI;AAC3G,UAAI,GAAG,SAAS,GAAG;AACjB,YAAI,CAAC,GAAG,SAAS,WAAW,EAAG,MAAK,GAAG,KAAK,6CAA6C;AACzF,YAAI,CAAC,GAAG,SAAS,cAAc,EAAG,MAAK,GAAG,KAAK,gDAAgD;AAAA,MACjG;AACA,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAYZ;AAED,UAAI,GAAG,SAAS,GAAG;AACjB,aAAK,GAAG,KAAK;AAAA;AAAA;AAAA,SAGZ;AAAA,MACH;AACA,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAKA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,GAAG;AACV,YAAM,KAAM,KAAK,GAAG,QAAQ,6BAA6B,EAAE,IAAI,EAA8B,IAAI,CAAC,MAAM,EAAE,IAAI;AAG9G,UAAI,GAAG,SAAS,KAAK,CAAC,GAAG,SAAS,iBAAiB,GAAG;AACpD,aAAK,GAAG,KAAK,sDAAsD;AAAA,MACrE;AACA,WAAK,GAAG,OAAO,kBAAkB;AAAA,IACnC;AAIA,UAAM,KAAK,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC1D,QAAI,KAAK,IAAI;AACX,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAeZ;AACD,WAAK,GAAG,OAAO,mBAAmB;AAAA,IACpC;AAMA,UAAM,MAAM,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC3D,QAAI,MAAM,IAAI;AACZ,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAWZ;AACD,WAAK,GAAG,OAAO,mBAAmB;AAAA,IACpC;AAMA,UAAM,MAAM,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC3D,QAAI,MAAM,IAAI;AACZ,WAAK,GAAG,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAeZ;AACD,WAAK,GAAG,OAAO,mBAAmB;AAAA,IACpC;AASA,UAAM,MAAM,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC3D,QAAI,MAAM,IAAI;AACZ,YAAM,WAAY,KAAK,GAAG,QAAQ,0BAA0B,EAAE,IAAI,EAAgB,SAAS;AAC3F,UAAI,UAAU;AACZ,aAAK,GAAG,KAAK;AAAA;AAAA;AAAA,SAGZ;AAAA,MACH;AACA,YAAM,aAAc,KAAK,GAAG,QAAQ,sCAAsC,EAAE,IAAI,EAAgB,SAAS;AACzG,UAAI,YAAY;AACd,aAAK,GAAG,KAAK,0FAA0F;AAAA,MACzG;AACA,WAAK,GAAG,OAAO,mBAAmB;AAAA,IACpC;AAIA,UAAM,MAAM,KAAK,GAAG,OAAO,gBAAgB,EAAE,QAAQ,KAAK,CAAC;AAC3D,QAAI,MAAM,IAAI;AACZ,YAAM,WAAY,KAAK,GAAG,QAAQ,0BAA0B,EAAE,IAAI;AAClE,UAAI,SAAS,SAAS,GAAG;AACvB,cAAM,OAAO,SAAS,IAAI,CAAC,MAAM,EAAE,IAAI;AACvC,YAAI,CAAC,KAAK,SAAS,OAAO,EAAG,MAAK,GAAG,KAAK,yCAAyC;AACnF,YAAI,CAAC,KAAK,SAAS,MAAM,EAAG,MAAK,GAAG,KAAK,wCAAwC;AACjF,aAAK,GAAG,KAAK,wEAAwE;AAAA,MACvF;AACA,WAAK,GAAG,OAAO,mBAAmB;AAAA,IACpC;AAAA,EACF;AAAA,EAEA,QAAc;AACZ,SAAK,GAAG,OAAO,UAAU;AACzB,SAAK,GAAG,MAAM;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gBAAmC;AACjC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,cAAc,MAAkB,QAA2B,UAA2B;AACpF,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,gBAAgB,YAAY,OAAO,YAAY;AAG9D,SAAK,GAAG;AAAA,MACN;AAAA;AAAA,IAEF,EAAE;AAAA,MACA;AAAA,MAAI;AAAA,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,MAAG,KAAK,UAAU,MAAM;AAAA,MAAG;AAAA,MAC5D,SAAS;AAAA,MAAG,OAAO;AAAA,MAAG,UAAU;AAAA,MAAG,OAAO,gBAAgB;AAAA,IAC5D;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGQ,SAAS,WAA2B;AAC1C,UAAM,IAAI,KAAK,GAAG,QAAQ,0CAA0C,EAAE,IAAI,SAAS;AACnF,WAAO,GAAG,UAAU;AAAA,EACtB;AAAA,EAEA,WAAW,IAAkB;AAC3B,SAAK,GAAG,QAAQ,mDAAmD,EAChE,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,EAAE;AAAA,EACrC;AAAA,EAEA,WAAW,IAAoC;AAC7C,UAAM,MAAM,KAAK,GAAG,QAAQ,qCAAqC,EAAE,IAAI,EAAE;AACzE,WAAO,MAAM,KAAK,WAAW,GAAG,IAAI;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,iBAAiB,MAAe,UAA2C;AACzE,UAAM,UAAoB,CAAC;AAC3B,UAAM,SAAoB,CAAC;AAC3B,QAAI,MAAM;AAAE,cAAQ,KAAK,UAAU;AAAG,aAAO,KAAK,IAAI;AAAA,IAAG;AACzD,QAAI,aAAa,QAAW;AAAE,cAAQ,KAAK,YAAY;AAAG,aAAO,KAAK,QAAQ;AAAA,IAAG;AACjF,UAAM,QAAQ,QAAQ,SAAS,SAAS,QAAQ,KAAK,OAAO,CAAC,MAAM;AACnE,UAAM,MAAM,KAAK,GAAG,QAAQ,0BAA0B,KAAK,6BAA6B,EAAE,IAAI,GAAG,MAAM;AACvG,WAAO,MAAM,KAAK,WAAW,GAAG,IAAI;AAAA,EACtC;AAAA,EAEA,YAAY,UAAiC;AAC3C,UAAM,OAAO,aAAa,SACtB,KAAK,GAAG,QAAQ,6DAA6D,EAAE,IAAI,QAAQ,IAC3F,KAAK,GAAG,QAAQ,4CAA4C,EAAE,IAAI;AACtE,WAAO,KAAK,IAAI,OAAK,KAAK,WAAW,CAAC,CAAC;AAAA,EACzC;AAAA,EAEQ,WAAW,GAAwC;AACzD,UAAM,IAAI,iBAAiB,MAAM,CAAC;AAClC,WAAO;AAAA,MACL,IAAI,EAAE;AAAA,MACN,MAAM,EAAE;AAAA,MACR,WAAW,EAAE;AAAA,MACb,aAAa,EAAE,gBAAgB;AAAA,MAC/B,QAAQ,EAAE;AAAA,MACV,MAAM,EAAE,QAAQ;AAAA,MAChB,QAAQ,EAAE;AAAA,MACV,UAAU,EAAE,YAAY;AAAA,MACxB,MAAM,EAAE,QAAQ;AAAA,MAChB,WAAW,EAAE,cAAc;AAAA,MAC3B,cAAc,EAAE,gBAAgB;AAAA,MAChC,eAAe,EAAE,mBAAmB;AAAA,IACtC;AAAA,EACF;AAAA;AAAA,EAGA,aAAa,IAAkB;AAC7B,SAAK,GAAG,QAAQ,sDAAsD,EACnE,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,EAAE;AAAA,EACrC;AAAA;AAAA,EAGA,eAAe,IAAY,MAAoB;AAC7C,SAAK,GAAG,QAAQ,2CAA2C,EAAE,IAAI,MAAM,EAAE;AAAA,EAC3E;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,QAAgB,WAAiC;AAC5D,UAAM,OAAO,KAAK,WAAW,MAAM;AACnC,QAAI,CAAC,KAAM,OAAM,IAAI,MAAM,2BAA2B,MAAM,EAAE;AAC9D,UAAM,UAAU,KAAK,WAAW,SAAS;AACzC,QAAI,CAAC,QAAS,OAAM,IAAI,MAAM,8BAA8B,SAAS,EAAE;AAEvE,UAAM,WAAW,EAAE,OAAO,KAAK,SAAS,MAAM,GAAG,OAAO,KAAK,SAAS,MAAM,EAAE;AAC9E,UAAM,UAAU,EAAE,OAAO,KAAK,SAAS,SAAS,GAAG,OAAO,KAAK,SAAS,SAAS,EAAE;AACnF,UAAM,QAAQ,aAAa,UAAU,OAAO;AAI5C,UAAM,YAAY,KAAK,gBAAgB,MAAM,EAAE;AAC/C,UAAM,WAAW,KAAK,gBAAgB,SAAS,EAAE;AAEjD,WAAO;AAAA,MACL,MAAM,EAAE,WAAW,QAAQ,WAAW,KAAK,WAAW,WAAW,SAAS,MAAM,QAAQ,WAAW,SAAS,MAAM,OAAO;AAAA,MACzH,SAAS,EAAE,WAAW,WAAW,WAAW,QAAQ,WAAW,WAAW,QAAQ,MAAM,QAAQ,WAAW,QAAQ,MAAM,OAAO;AAAA,MAChI,GAAG;AAAA,MACH,WAAW,EAAE,MAAM,WAAW,SAAS,UAAU,OAAO,aAAa,WAAW,QAAQ,EAAE;AAAA,IAC5F;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,WAAmB,SAAkB,MAA2C;AAC3F,QAAI,CAAC,KAAK,WAAW,SAAS,EAAG,OAAM,IAAI,MAAM,sBAAsB,SAAS,EAAE;AAClF,WAAO,cAAc,EAAE,OAAO,KAAK,SAAS,SAAS,GAAG,OAAO,KAAK,SAAS,SAAS,EAAE,GAAG,SAAS,IAAI;AAAA,EAC1G;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,mBAAmB,WAAmB,MAAe,UAA2C;AAC9F,UAAM,UAAoB,CAAC,SAAS;AACpC,UAAM,SAAoB,CAAC,SAAS;AACpC,QAAI,MAAM;AAAE,cAAQ,KAAK,UAAU;AAAG,aAAO,KAAK,IAAI;AAAA,IAAG;AACzD,QAAI,aAAa,QAAW;AAAE,cAAQ,KAAK,YAAY;AAAG,aAAO,KAAK,QAAQ;AAAA,IAAG;AACjF,UAAM,MAAM,KAAK,GACd,QAAQ,gCAAgC,QAAQ,KAAK,OAAO,CAAC,8BAA8B,EAC3F,IAAI,GAAG,MAAM;AAChB,WAAO,MAAM,KAAK,WAAW,GAAG,IAAI;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,eAAe,WAAmB,eAAmC,OAA8B;AACjG,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,IAAI,MAAM;AAChB,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAKf,EAAE;AAAA,MACD;AAAA,MAAI;AAAA,MAAW,iBAAiB;AAAA,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,MAC7D,EAAE;AAAA,MAAY,EAAE;AAAA,MAAc,EAAE;AAAA,MAAc,EAAE;AAAA,MAAY,EAAE;AAAA,MAC9D,KAAK,UAAU,KAAK;AAAA,IACtB;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,aAAa,QAAQ,IAAmB;AACtC,UAAM,OAAO,KAAK,GACf,QAAQ,sDAAsD,EAC9D,IAAI,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,CAAC,CAAC;AACrC,WAAO,KAAK,IAAI,CAAC,MAAM,KAAK,YAAY,CAAC,CAAC;AAAA,EAC5C;AAAA;AAAA,EAGA,oBAA6C;AAC3C,UAAM,MAAM,KAAK,GACd,QAAQ,sDAAsD,EAC9D,IAAI;AACP,WAAO,MAAM,KAAK,YAAY,GAAG,IAAI;AAAA,EACvC;AAAA,EAEQ,YAAY,GAAyC;AAC3D,UAAM,IAAI,kBAAkB,MAAM,CAAC;AACnC,UAAM,aAA4B;AAAA,MAChC,OAAO,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,SAAS,CAAC,GAAG,WAAW,EAAE;AAAA,MAC3D,OAAO,EAAE,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,WAAW,EAAE;AAAA,MAC9C,SAAS,EAAE,YAAY,GAAG,cAAc,GAAG,cAAc,GAAG,YAAY,GAAG,cAAc,EAAE;AAAA,IAC7F;AACA,WAAO;AAAA,MACL,IAAI,EAAE;AAAA,MACN,WAAW,EAAE;AAAA,MACb,eAAe,EAAE,mBAAmB;AAAA,MACpC,OAAO,EAAE;AAAA,MACT,SAAS;AAAA,QACP,YAAY,EAAE;AAAA,QACd,cAAc,EAAE;AAAA,QAChB,cAAc,EAAE;AAAA,QAChB,YAAY,EAAE;AAAA,QACd,cAAc,EAAE;AAAA,MAClB;AAAA,MACA,OAAO,cAA6B,EAAE,OAAO,UAAU;AAAA,IACzD;AAAA,EACF;AAAA;AAAA,EAIA,WAAW,WAAmB,MAAqB,QAAQ,GAAG,aAAiC;AAG7F,UAAM,SAAS,KAAK,SAAS,SAAS;AAItC,UAAM,KAAK,YAAY,KAAK,MAAM,KAAK,MAAM,UAAU,KAAK,YAAY,CAAC,CAAC,CAAC;AAG3E,UAAM,QAAQ,KAAK,GAAG;AAAA,MACpB;AAAA;AAAA;AAAA,IAGF,EAAE,IAAI,IAAI,GAAG,SAAS,QAAQ,EAAE,CAAC,GAAG;AACpC,UAAM,MAAM,OAAO,aAAa,SAAS,QAAQ,KAAK,EAAE;AAExD,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAKf,EAAE;AAAA,MACD,KAAK;AAAA,MAAI;AAAA,MAAW,KAAK;AAAA,MAAM,kBAAkB,KAAK,IAAI;AAAA,MAAG,KAAK;AAAA,OAClE,oBAAI,KAAK,GAAE,YAAY;AAAA,MAAG;AAAA,MAAO,KAAK;AAAA,MACtC,KAAK,UAAU,cAAc,KAAK,YAAY,CAAC,CAAC,CAAC;AAAA,MACjD,KAAK,WAAW,KAAK,QAAQ,CAAC,GAAG,IAAI,iBAAiB,CAAC;AAAA,MACvD,KAAK,UAAU,OAAO,kBAAkB,KAAK,MAAM,IAAI;AAAA,MACvD,KAAK,aAAa,OAAO,kBAAkB,KAAK,SAAS,IAAI;AAAA,MAC7D,KAAK,gBAAgB;AAAA,MACrB,KAAK,SAAS,OAAO,kBAAkB,KAAK,KAAK,IAAI;AAAA,MACrD,KAAK,OAAO,KAAK,UAAU,gBAAgB,MAAM,KAAK,IAAI,CAAC,IAAI;AAAA,MAC/D;AAAA,MAAQ;AAAA,MAAK;AAAA,IACf;AAEA,QAAI,aAAa;AAGf,WAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OASf,EAAE;AAAA,QACD;AAAA,QAAK,YAAY;AAAA,QACjB,kBAAkB,YAAY,QAAQ;AAAA,QAAG,kBAAkB,YAAY,IAAI;AAAA,QAC3E,YAAY,gBAAgB,OAAO,kBAAkB,YAAY,YAAY,IAAI;AAAA,QACjF,YAAY;AAAA,QAAI,YAAY;AAAA,MAC9B;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,gBAAgBC,WAAiC;AAC/C,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB;AAAA,IACF,EAAE,IAAIA,SAAQ;AACd,WAAO,KAAK,IAAI,CAAC,MAAM;AACrB,YAAM,IAAI,qBAAqB,MAAM,CAAC;AACtC,aAAO;AAAA,QACL,WAAW,EAAE;AAAA,QACb,UAAU,EAAE;AAAA,QACZ,MAAM,EAAE;AAAA,QACR,cAAc,EAAE,gBAAgB;AAAA,QAChC,IAAI,EAAE;AAAA,QACN,YAAY,EAAE;AAAA,MAChB;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,SAAS,WAAmB,MAAuD;AACjF,QAAI,MAAM;AACV,QAAI,MAAM,OAAO;AACf,aAAO,UAAU,KAAK,KAAK;AAC3B,UAAI,KAAK,OAAQ,QAAO,WAAW,KAAK,MAAM;AAAA,IAChD;AACA,UAAM,OAAO,KAAK,GAAG,QAAQ,GAAG,EAAE,IAAI,SAAS;AAC/C,WAAO,KAAK,IAAI,OAAK,KAAK,QAAQ,CAAC,CAAC;AAAA,EACtC;AAAA,EAEA,aAAa,WAA2B;AACtC,UAAM,MAAM,KAAK,GAAG,QAAQ,wDAAwD,EAAE,IAAI,SAAS;AACnG,WAAO,IAAI;AAAA,EACb;AAAA,EAEQ,QAAQ,GAAqC;AACnD,UAAM,IAAI,cAAc,MAAM,CAAC;AAC/B,WAAO;AAAA,MACL,IAAI,EAAE;AAAA,MACN,WAAW,EAAE;AAAA,MACb,MAAM,EAAE;AAAA,MACR,MAAM,EAAE;AAAA,MACR,eAAe,EAAE,kBAAkB;AAAA,MACnC,cAAc,EAAE;AAAA,MAChB,OAAO,EAAE;AAAA,MACT,YAAY,EAAE;AAAA,MACd,UAAU,cAAuC,EAAE,UAAU,CAAC,CAAC;AAAA,MAC/D,MAAM,cAAwB,EAAE,MAAM,CAAC,CAAC;AAAA,MACxC,QAAQ,EAAE,WAAW;AAAA,MACrB,QAAQ,EAAE,UAAU;AAAA,MACpB,WAAW,EAAE,cAAc;AAAA,MAC3B,cAAc,EAAE,iBAAiB;AAAA,MACjC,OAAO,EAAE,SAAS;AAAA,MAClB,MAAM,EAAE,OAAO,cAAqC,EAAE,MAAM,MAAS,IAAI;AAAA,MACzE,UAAU,EAAE,aAAa;AAAA,MACzB,aAAa,EAAE,gBAAgB;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,sBAAsB,WAAmB,QAAgB,MAAgC;AACvF,UAAM,OAAiB,CAAC;AACxB,UAAM,OAAkB,CAAC;AACzB,QAAI,KAAK,UAAU,QAAW;AAC5B,WAAK,KAAK,WAAW;AACrB,WAAK,KAAK,KAAK,SAAS,OAAO,OAAO,kBAAkB,KAAK,KAAK,CAAC;AAAA,IACrE;AACA,QAAI,KAAK,SAAS,QAAW;AAC3B,WAAK,KAAK,UAAU;AACpB,WAAK,KAAK,KAAK,QAAQ,OAAO,OAAO,KAAK,UAAU,gBAAgB,MAAM,KAAK,IAAI,CAAC,CAAC;AAAA,IACvF;AACA,QAAI,KAAK,WAAW,EAAG,QAAO;AAC9B,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB,oBAAoB,KAAK,KAAK,IAAI,CAAC;AAAA,IACrC,EAAE,IAAI,GAAG,MAAM,WAAW,MAAM;AAChC,WAAO,KAAK,UAAU;AAAA,EACxB;AAAA,EAEA,WAAW,WAAmB,QAAsB;AAClD,SAAK,GAAG,QAAQ,mDAAmD,EAAE,IAAI,WAAW,MAAM;AAE1F,SAAK,GAAG;AAAA,MACN;AAAA,IACF,EAAE,IAAI,WAAW,QAAQ,MAAM;AAAA,EACjC;AAAA;AAAA,EAIA,WAAW,WAAmB,MAA2B;AACvD,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,KAAK,SAAS,SAAS;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAIf,EAAE;AAAA,MACD;AAAA,MAAI;AAAA,MAAW,KAAK;AAAA,MAAU,KAAK;AAAA,MACnC,KAAK;AAAA,MAAc,kBAAkB,KAAK,QAAQ;AAAA,MAAG,KAAK;AAAA,OAC1D,oBAAI,KAAK,GAAE,YAAY;AAAA,MAAG;AAAA,IAC5B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gBAAgB,WAAmB,UAAkB,UAAkB,cAA4B;AACjG,SAAK,GAAG;AAAA,MACN;AAAA,IACF,EAAE,IAAI,WAAW,UAAU,UAAU,YAAY;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeA,mBAAmB,WAAmB,OAAsB,aAAiC;AAC3F,UAAM,QAAQ,KAAK,GAAG,YAAY,MAAM;AACtC,iBAAW,KAAK,MAAM,MAAM,QAAS,MAAK,WAAW,WAAW,EAAE,EAAE;AACpE,iBAAW,KAAK,MAAM,MAAM,OAAO;AACjC,aAAK,WAAW,WAAW,GAAG,EAAE,OAAO,cAAc,EAAE,GAAG,aAAa,YAAY,EAAE,WAAW,IAAI,MAAS;AAAA,MAC/G;AACA,iBAAW,KAAK,MAAM,MAAM,SAAS;AACnC,aAAK,WAAW,WAAW,EAAE,OAAO,EAAE,MAAM,OAAO,cAAc,EAAE,GAAG,aAAa,YAAY,EAAE,MAAM,WAAW,IAAI,MAAS;AAAA,MACjI;AACA,iBAAW,KAAK,MAAM,MAAM,QAAS,MAAK,gBAAgB,WAAW,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY;AAC3G,iBAAW,KAAK,MAAM,MAAM,MAAO,MAAK,WAAW,WAAW,CAAC;AAC/D,WAAK,aAAa,SAAS;AAAA,IAC7B,CAAC;AACD,UAAM;AAAA,EACR;AAAA,EAEA,SAAS,WAAmB,MAAuD;AACjF,QAAI,MAAM;AACV,QAAI,MAAM,OAAO;AACf,aAAO,UAAU,KAAK,KAAK;AAC3B,UAAI,KAAK,OAAQ,QAAO,WAAW,KAAK,MAAM;AAAA,IAChD;AACA,UAAM,OAAO,KAAK,GAAG,QAAQ,GAAG,EAAE,IAAI,SAAS;AAC/C,WAAO,KAAK,IAAI,OAAK;AACnB,YAAM,IAAI,cAAc,MAAM,CAAC;AAC/B,aAAO;AAAA,QACL,IAAI,EAAE;AAAA,QACN,WAAW,EAAE;AAAA,QACb,UAAU,EAAE;AAAA,QACZ,UAAU,EAAE;AAAA,QACZ,cAAc,EAAE;AAAA,QAChB,UAAU,EAAE,YAAY;AAAA,QACxB,YAAY,EAAE;AAAA,QACd,cAAc,EAAE;AAAA,MAClB;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA,EAIA,YACE,WACA,OAEA,QACM;AACN,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,KAAK,SAAS,SAAS;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAIf,EAAE;AAAA,MACD;AAAA,MAAI;AAAA,MAAW,UAAU;AAAA,OAAM,oBAAI,KAAK,GAAE,YAAY;AAAA,MACtD,MAAM;AAAA,MAAW,MAAM;AAAA,MAAS,MAAM;AAAA,MACtC,MAAM,UAAU;AAAA,MAAM,MAAM,cAAc;AAAA,MAAM,MAAM,QAAQ;AAAA,MAC9D,MAAM,WAAW;AAAA,MAAM,MAAM,eAAe;AAAA,MAAM;AAAA,IACpD;AAAA,EACF;AAAA,EAEA,UAAU,WAAmB,OAA4B;AACvD,UAAM,OAAO,QACT,KAAK,GAAG,QAAQ,yFAAyF,EAAE,IAAI,WAAW,KAAK,IAC/H,KAAK,GAAG,QAAQ,uEAAuE,EAAE,IAAI,SAAS;AAC1G,WAAO,KAAK,IAAI,OAAK;AACnB,YAAM,IAAI,eAAe,MAAM,CAAC;AAChC,aAAO;AAAA,QACL,IAAI,EAAE;AAAA,QACN,WAAW,EAAE;AAAA,QACb,QAAQ,EAAE,WAAW;AAAA,QACrB,WAAW,EAAE;AAAA,QACb,WAAW,EAAE;AAAA,QACb,SAAS,EAAE;AAAA,QACX,KAAK,EAAE;AAAA,QACP,QAAQ,EAAE,UAAU;AAAA,QACpB,YAAY,EAAE,eAAe;AAAA,QAC7B,MAAM,EAAE,QAAQ;AAAA,QAChB,YAAY,EAAE,eAAe;AAAA,QAC7B,SAAS,EAAE,WAAW;AAAA,QACtB,aAAa,EAAE,gBAAgB;AAAA,MACjC;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA,EAIA,UAAU,WAAmB,aAA8B;AACzD,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,KAAK,SAAS,SAAS;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAGf,EAAE,IAAI,IAAI,WAAW,eAAe,OAAM,oBAAI,KAAK,GAAE,YAAY,GAAG,MAAM;AAC3E,WAAO;AAAA,EACT;AAAA,EAEA,eAAe,WAAyB;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAGf,EAAE,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,SAAS;AAAA,EAC5C;AAAA,EAEA,sBAAsB,WAAmB,aAA2B;AAClE,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAGf,EAAE,IAAI,aAAa,SAAS;AAAA,EAC/B;AAAA,EAEA,cAAc,WAAwC;AACpD,UAAM,MAAM,KAAK,GAAG;AAAA,MAClB;AAAA,IACF,EAAE,IAAI,SAAS;AACf,WAAO,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EACnC;AAAA,EAEA,SAAS,WAA8B;AACrC,UAAM,OAAO,KAAK,GAAG,QAAQ,8DAA8D,EAAE,IAAI,SAAS;AAC1G,WAAO,KAAK,IAAI,OAAK,KAAK,QAAQ,CAAC,CAAC;AAAA,EACtC;AAAA,EAEQ,QAAQ,GAAqC;AACnD,UAAM,IAAI,cAAc,MAAM,CAAC;AAC/B,WAAO;AAAA,MACL,IAAI,EAAE;AAAA,MACN,WAAW,EAAE;AAAA,MACb,aAAa,EAAE,eAAe;AAAA,MAC9B,WAAW,EAAE;AAAA,MACb,aAAa,EAAE,gBAAgB;AAAA,MAC/B,OAAO,EAAE;AAAA,MACT,kBAAkB,EAAE;AAAA,MACpB,QAAQ,EAAE;AAAA,IACZ;AAAA,EACF;AAAA;AAAA,EAIA,eAAe,WAAmB,MAAqC;AACrE,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,KAAK,SAAS,SAAS;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAKf,EAAE;AAAA,MACD;AAAA,MAAI;AAAA,MAAW,KAAK,QAAQ;AAAA,MAAM,KAAK;AAAA,MACvC,KAAK;AAAA,MAAS,KAAK;AAAA,MACnB,KAAK;AAAA,MAAW,KAAK;AAAA,MAAU,KAAK;AAAA,MACpC,KAAK;AAAA,MAAkB;AAAA,IACzB;AAAA,EACF;AAAA,EAEA,aAAa,WAAkC;AAC7C,UAAM,OAAO,KAAK,GAAG,QAAQ,8CAA8C,EAAE,IAAI,SAAS;AAC1F,WAAO,KAAK,IAAI,OAAK;AACnB,YAAM,IAAI,kBAAkB,MAAM,CAAC;AACnC,aAAO;AAAA,QACL,IAAI,EAAE;AAAA,QACN,WAAW,EAAE;AAAA,QACb,MAAM,EAAE,QAAQ;AAAA,QAChB,SAAS,EAAE;AAAA,QACX,SAAS,EAAE;AAAA,QACX,aAAa,EAAE;AAAA,QACf,WAAW,EAAE;AAAA,QACb,UAAU,EAAE;AAAA,QACZ,eAAe,EAAE,mBAAmB;AAAA,QACpC,kBAAkB,EAAE;AAAA,MACtB;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA,EAIA,iBAAiB,WAAmB,MAAsC;AAExE,UAAM,WAAW,KAAK,GAAG;AAAA,MACvB;AAAA,IACF,EAAE,IAAI,WAAW,KAAK,eAAe,KAAK,aAAa;AACvD,QAAI,SAAU,QAAO,SAAS;AAC9B,UAAM,KAAK,OAAO,WAAW;AAC7B,UAAM,SAAS,KAAK,SAAS,SAAS;AACtC,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA,KAGf,EAAE,IAAI,IAAI,WAAW,KAAK,eAAe,KAAK,eAAe,KAAK,QAAQ,OAAM,oBAAI,KAAK,GAAE,YAAY,GAAG,MAAM;AACjH,WAAO;AAAA,EACT;AAAA,EAEA,eAAe,WAAoC;AACjD,UAAM,OAAO,KAAK,GAAG,QAAQ,gDAAgD,EAAE,IAAI,SAAS;AAC5F,WAAO,KAAK,IAAI,OAAK;AACnB,YAAM,IAAI,oBAAoB,MAAM,CAAC;AACrC,aAAO;AAAA,QACL,IAAI,EAAE;AAAA,QACN,WAAW,EAAE;AAAA,QACb,eAAe,EAAE;AAAA,QACjB,eAAe,EAAE;AAAA,QACjB,MAAM,EAAE,QAAQ;AAAA,QAChB,WAAW,EAAE;AAAA,MACf;AAAA,IACF,CAAC;AAAA,EACH;AAAA,EAEA,iBAAiB,WAAmB,cAA4B;AAC9D,SAAK,GAAG,QAAQ,yDAAyD,EAAE,IAAI,WAAW,YAAY;AAAA,EACxG;AAAA;AAAA,EAIA,YAAY,SAAiB,QAA0C;AACrE,SAAK,GAAG,QAAQ;AAAA;AAAA,KAEf,EAAE,IAAI,SAAS,SAAQ,oBAAI,KAAK,GAAE,YAAY,CAAC;AAAA,EAClD;AAAA,EAEA,YAAY,SAAqC;AAC/C,UAAM,MAAM,KAAK,GAAG,QAAQ,qDAAqD,EAAE,IAAI,OAAO;AAC9F,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,gBAAgB,SAAiB,OAA2B;AAC1D,UAAM,QAAQ,mBAAmB,MAAM,KAAK;AAC5C,SAAK,GAAG;AAAA,MACN;AAAA,IACF,EAAE,IAAI,SAAS,QAAO,oBAAI,KAAK,GAAE,YAAY,CAAC;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,mBAAkC;AAChC,UAAM,OAAO,KAAK,GAAG,QAAQ,2CAA2C,EAAE,IAAI;AAC9E,QAAI,eAA6B;AACjC,UAAM,YAAwD,CAAC;AAC/D,eAAW,KAAK,MAAM;AACpB,YAAM,QAAQ,mBAAmB,MAAM,EAAE,KAAK;AAC9C,UAAI,EAAE,YAAY,IAAK,gBAAe;AAAA,UACjC,WAAU,KAAK,EAAE,SAAS,EAAE,SAAS,MAAM,CAAC;AAAA,IACnD;AACA,WAAO,EAAE,cAAc,UAAU;AAAA,EACnC;AAAA;AAAA,EAGA,qBAAqB,SAAuB;AAC1C,SAAK,GAAG,QAAQ,iEAAiE,EAAE,IAAI,OAAO;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,aAAa,OAAe,YAA0B;AACpD,SAAK,GAAG;AAAA,MACN;AAAA,IACF,EAAE,IAAI,OAAO,aAAY,oBAAI,KAAK,GAAE,YAAY,CAAC;AAAA,EACnD;AAAA;AAAA,EAGA,YAAY,OAAmC;AAC7C,UAAM,MAAM,KAAK,GAAG,QAAQ,2DAA2D,EAAE,IAAI,KAAK;AAClG,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,eAAe,MAQN;AACP,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,UAAU,KAAK,WAAW,YAAY,OAAO;AACnD,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAIf,EAAE;AAAA,MACD,KAAK;AAAA,MAAa,KAAK;AAAA,MAAW,KAAK,UAAU;AAAA,MAAM,KAAK;AAAA,MAC5D,KAAK,UAAU,KAAK,OAAO;AAAA,MAAG,KAAK;AAAA,MAAQ,KAAK,aAAa;AAAA,MAAM;AAAA,MAAK;AAAA,IAC1E;AAAA,EACF;AAAA;AAAA,EAGA,iBAAiB,QAA4E;AAC3F,UAAM,UAAoB,CAAC;AAC3B,UAAM,SAAoB,CAAC;AAC3B,QAAI,QAAQ,QAAQ;AAAE,cAAQ,KAAK,YAAY;AAAG,aAAO,KAAK,OAAO,MAAM;AAAA,IAAG;AAC9E,QAAI,QAAQ,WAAW;AAAE,cAAQ,KAAK,gBAAgB;AAAG,aAAO,KAAK,OAAO,SAAS;AAAA,IAAG;AACxF,UAAM,QAAQ,QAAQ,SAAS,SAAS,QAAQ,KAAK,OAAO,CAAC,MAAM;AACnE,UAAM,OAAO,KAAK,GAAG,QAAQ,gCAAgC,KAAK,gBAAgB,EAAE,IAAI,GAAG,MAAM;AACjG,WAAO,KAAK,IAAI,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;AAAA,EAChD;AAAA;AAAA,EAGA,uBAAsD;AACpD,UAAM,MAAqC,EAAE,SAAS,GAAG,UAAU,GAAG,QAAQ,GAAG,UAAU,EAAE;AAC7F,UAAM,OAAO,KAAK,GAAG,QAAQ,+DAA+D,EAAE,IAAI;AAClG,eAAW,KAAK,MAAM;AACpB,UAAI,EAAE,UAAU,IAAK,KAAI,EAAE,MAAuB,IAAI,EAAE;AAAA,IAC1D;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,kBAA+B;AAC7B,UAAM,OAAO,KAAK,GAAG,QAAQ,iEAAiE,EAAE,IAAI;AACpG,WAAO,IAAI,IAAI,KAAK,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC;AAAA,EAChD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,iBAAiBC,cAAqB,QAAuB,WAAmC;AAC9F,UAAM,OAAM,oBAAI,KAAK,GAAE,YAAY;AACnC,UAAM,WAAW,WAAW,WAAW,MAAM;AAC7C,SAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA,KAIf,EAAE,IAAI,QAAQ,aAAa,MAAM,KAAK,UAAUA,YAAW;AAAA,EAC9D;AAAA;AAAA,EAGA,kBAAkB,OAAmC;AACnD,QAAI,MAAM;AACV,QAAI,MAAO,QAAO,UAAU,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,CAAC,CAAC;AAC1D,UAAM,OAAO,KAAK,GAAG,QAAQ,GAAG,EAAE,IAAI;AACtC,WAAO,KAAK,IAAI,CAAC,MAAM,KAAK,gBAAgB,CAAC,CAAC;AAAA,EAChD;AAAA,EAEQ,gBAAgB,GAA6C;AACnE,UAAM,IAAI,sBAAsB,MAAM,CAAC;AACvC,WAAO;AAAA,MACL,aAAa,EAAE;AAAA,MACf,WAAW,EAAE;AAAA,MACb,QAAQ,EAAE,WAAW;AAAA,MACrB,MAAM,EAAE;AAAA,MACR,SAAS,cAAuB,EAAE,SAAS,IAAI;AAAA,MAC/C,QAAQ,EAAE;AAAA,MACV,WAAW,EAAE,cAAc;AAAA,MAC3B,WAAW,EAAE;AAAA,MACb,WAAW,EAAE,cAAc;AAAA,MAC3B,UAAU,EAAE,aAAa;AAAA,IAC3B;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAc,WAAyB;AACrC,SAAK,GAAG,QAAQ,8CAA8C,EAAE,IAAI,SAAS;AAC7E,SAAK,GAAG,QAAQ,4CAA4C,EAAE,IAAI,SAAS;AAC3E,SAAK,GAAG,QAAQ,kDAAkD,EAAE,IAAI,SAAS;AACjF,SAAK,GAAG,QAAQ,wCAAwC,EAAE,IAAI,SAAS;AACvE,SAAK,GAAG,QAAQ,wCAAwC,EAAE,IAAI,SAAS;AACvE,SAAK,GAAG,QAAQ,wCAAwC,EAAE,IAAI,SAAS;AACvE,SAAK,GAAG,QAAQ,mCAAmC,EAAE,IAAI,SAAS;AAAA,EACpE;AAAA;AAAA;AAAA;AAAA,EAKA,cAAc,WAA2B;AACvC,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB;AAAA,IACF,EAAE,IAAI,SAAS;AACf,eAAW,OAAO,MAAM;AACtB,WAAK,cAAc,IAAI,EAAE;AAAA,IAC3B;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA,EAKA,QAAQ,WAAmB,QAAqC;AAC9D,UAAM,MAAM,KAAK,GAAG,QAAQ,qDAAqD,EAC9E,IAAI,WAAW,MAAM;AACxB,WAAO,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EACnC;AAAA;AAAA,EAGA,cAAc,WAAmB,KAA8C;AAC7E,UAAM,MAAM,oBAAI,IAAqB;AACrC,aAAS,IAAI,GAAG,IAAI,IAAI,QAAQ,KAAK,KAAK;AACxC,YAAM,QAAQ,IAAI,MAAM,GAAG,IAAI,GAAG;AAClC,YAAM,eAAe,MAAM,IAAI,MAAM,GAAG,EAAE,KAAK,GAAG;AAClD,YAAM,OAAO,KAAK,GAAG;AAAA,QACnB,uDAAuD,YAAY;AAAA,MACrE,EAAE,IAAI,WAAW,GAAG,KAAK;AACzB,iBAAW,KAAK,MAAM;AAAE,cAAM,IAAI,KAAK,QAAQ,CAAC;AAAG,YAAI,IAAI,EAAE,IAAI,CAAC;AAAA,MAAG;AAAA,IACvE;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,eAAe,WAAmB,OAAqC;AACrE,QAAI,MAAM,WAAW,EAAG,QAAO,CAAC;AAChC,UAAM,eAAe,MAAM,IAAI,MAAM,GAAG,EAAE,KAAK,GAAG;AAClD,UAAM,OAAO,KAAK,GAAG;AAAA,MACnB,yDAAyD,YAAY;AAAA,IACvE,EAAE,IAAI,WAAW,GAAG,KAAK;AACzB,WAAO,KAAK,IAAI,OAAK,KAAK,QAAQ,CAAC,CAAC;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,YAAY,WAAmB,OAAe,MAAiE;AAC7G,UAAM,IAAI,IAAI,MAAM,KAAK,EAAE,YAAY,CAAC;AACxC,UAAM,SAAoB,CAAC,WAAW,GAAG,GAAG,GAAG,GAAG,CAAC;AACnD,QAAI,MAAM;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AASV,QAAI,MAAM,SAAS,KAAK,MAAM,SAAS,GAAG;AACxC,aAAO,iBAAiB,KAAK,MAAM,IAAI,MAAM,GAAG,EAAE,KAAK,GAAG,CAAC;AAC3D,aAAO,KAAK,GAAG,KAAK,KAAK;AAAA,IAC3B;AACA,WAAO;AACP,QAAI,MAAM,MAAO,QAAO,UAAU,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,KAAK,CAAC,CAAC;AACrE,UAAM,OAAO,KAAK,GAAG,QAAQ,GAAG,EAAE,IAAI,GAAG,MAAM;AAC/C,WAAO,KAAK,IAAI,OAAK,KAAK,QAAQ,CAAC,CAAC;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,gBACE,WACA,QACA,OAA8E,CAAC,GAC9D;AACjB,UAAM,YAAY,KAAK,aAAa;AACpC,UAAM,WAAW,KAAK,IAAI,GAAG,KAAK,IAAI,KAAK,YAAY,GAAG,EAAE,CAAC;AAC7D,UAAM,OAAO,KAAK,QAAQ,WAAW,MAAM;AAE3C,UAAM,YAAY,oBAAI,IAAoB;AAC1C,UAAMC,WAAU,CAAC,QAAyC;AAExD,YAAM,CAAC,MAAM,EAAE,IAAI,QAAQ,eAAe,CAAC,aAAa,WAAW,IAAI,CAAC,aAAa,WAAW;AAChG,YAAM,MAAM;AAAA;AAAA;AAAA;AAAA,qBAIG,EAAE,8BAA8B,EAAE;AAAA,0CACb,IAAI;AAAA;AAAA;AAAA,8CAGA,EAAE;AAAA;AAAA;AAG1C,YAAM,OAAO,KAAK,GAAG,QAAQ,GAAG,EAAE,IAAI,QAAQ,QAAQ,WAAW,UAAU,MAAM;AACjF,iBAAW,KAAK,MAAM;AACpB,cAAM,OAAO,UAAU,IAAI,EAAE,OAAO;AACpC,YAAI,SAAS,UAAa,EAAE,QAAQ,KAAM,WAAU,IAAI,EAAE,SAAS,EAAE,KAAK;AAAA,MAC5E;AAAA,IACF;AAEA,QAAI,cAAc,QAAQ;AAAE,MAAAA,SAAQ,YAAY;AAAG,MAAAA,SAAQ,UAAU;AAAA,IAAG,MACnE,CAAAA,SAAQ,SAAS;AAEtB,UAAM,OAAO,KAAK,cAAc,WAAW,CAAC,GAAG,UAAU,KAAK,CAAC,CAAC;AAChE,UAAM,QAAQ,CAAC,GAAG,UAAU,QAAQ,CAAC,EAClC,IAAI,CAAC,CAAC,IAAI,KAAK,MAAM;AAAE,YAAM,IAAI,KAAK,IAAI,EAAE;AAAG,aAAO,IAAI,EAAE,GAAG,GAAG,MAAM,IAAI;AAAA,IAAW,CAAC,EACxF,OAAO,CAAC,MAAwC,MAAM,MAAS,EAC/D,KAAK,CAAC,GAAG,MAAM,EAAE,QAAQ,EAAE,KAAK;AAGnC,UAAM,YAAY,oBAAI,IAAY,CAAC,QAAQ,GAAG,UAAU,KAAK,CAAC,CAAC;AAC/D,UAAM,QAAQ,KAAK,SAAS,SAAS,EAAE,OAAO,OAAK,UAAU,IAAI,EAAE,QAAQ,KAAK,UAAU,IAAI,EAAE,QAAQ,CAAC;AAEzG,WAAO,EAAE,MAAM,WAAW,UAAU,OAAO,MAAM;AAAA,EACnD;AAAA;AAAA,EAGA,gBAAgB,WAAiC;AAC/C,UAAM,SAAS;AAAA,MACb,OAAQ,KAAK,GAAG,QAAQ,mDAAmD,EAAE,IAAI,SAAS,EAAoB;AAAA,MAC9G,OAAQ,KAAK,GAAG,QAAQ,mDAAmD,EAAE,IAAI,SAAS,EAAoB;AAAA,IAChH;AACA,UAAM,SAAiC,CAAC;AACxC,eAAW,KAAK,KAAK,GAAG,QAAQ,uEAAuE,EAAE,IAAI,SAAS,GAAyC;AAC7J,aAAO,EAAE,IAAI,IAAI,EAAE;AAAA,IACrB;AACA,UAAM,WAAmC,CAAC;AAC1C,eAAW,KAAK,KAAK,GAAG,QAAQ,4FAA4F,EAAE,IAAI,SAAS,GAAsC;AAC/K,eAAS,EAAE,CAAC,IAAI,EAAE;AAAA,IACpB;AACA,UAAM,iBAAyC,CAAC;AAChD,eAAW,KAAK,KAAK,GAAG,QAAQ,kFAAkF,EAAE,IAAI,SAAS,GAAwC;AACvK,qBAAe,EAAE,GAAG,IAAI,EAAE;AAAA,IAC5B;AAIA,UAAM,aAAa,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAMlC,EAAE,IAAI,SAAS;AAEhB,UAAM,SAAS,oBAAI,IAAoB;AACvC,eAAW,KAAK,WAAY,QAAO,IAAI,EAAE,IAAI,EAAE,MAAM;AAGrD,UAAM,eAAe,CAAC,GAAG,UAAU,EAChC,KAAK,CAAC,GAAG,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,GAAG,cAAc,EAAE,EAAE,CAAC,EAC7F,MAAM,GAAG,EAAE,EACX,IAAI,CAAC,EAAE,IAAI,MAAM,MAAM,QAAAC,QAAO,OAAO,EAAE,IAAI,MAAM,MAAM,QAAAA,QAAO,EAAE;AAEnE,UAAM,YAAY,KAAK,iBACnB,gBAAgB,KAAK,SAAS,SAAS,GAAG,QAAQ,KAAK,iBAAiB,IACxE,CAAC;AAGL,UAAM,eAAgB,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAKrC,EAAE,IAAI,SAAS,EAAoB;AAIpC,UAAM,eAAe,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUpC,EAAE,IAAI,SAAS;AAChB,UAAM,cAAc,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAUnC,EAAE,IAAI,SAAS;AAChB,UAAM,WAAY,KAAK,GAAG;AAAA,MACxB;AAAA,IACF,EAAE,IAAI,SAAS,EAAoB;AAEnC,WAAO;AAAA,MACL;AAAA,MAAW;AAAA,MAAQ,aAAa;AAAA,MAAQ,eAAe;AAAA,MACvD,qBAAqB;AAAA,MAAgB;AAAA,MAAc;AAAA,MAAW;AAAA,MAC9D;AAAA,MAAc;AAAA,MAAa,cAAc,EAAE,UAAU,OAAO,OAAO,MAAM;AAAA,IAC3E;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,qBAAqB,KAAqB;AACxC,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,KAAK,WAAW,MAAM;AAC5B,UAAM,WAAW,KAAK,GAAG,QAAQ,sCAAsC,EAAE,IAAI,EAAE;AAC/E,QAAI,SAAU,QAAO;AACrB,SAAK,GAAG;AAAA,MACN;AAAA;AAAA,IAEF,EAAE,IAAI,KAAI,oBAAI,KAAK,GAAE,YAAY,GAAG,QAAQ,GAAG;AAC/C,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,4BAA4B,KAAa,KAAiC;AACxE,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,MAAM,KAAK,GAAG;AAAA,MAClB;AAAA,IACF,EAAE,IAAI,QAAQ,GAAG;AACjB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,6BAA6B,KAAa,IAA0D;AAClG,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,MAAM,KAAK,GAAG;AAAA,MAClB;AAAA,IACF,EAAE,IAAI,QAAQ,EAAE;AAChB,QAAI,CAAC,OAAO,IAAI,aAAa,KAAM,QAAO;AAC1C,WAAO,EAAE,IAAI,IAAI,IAAI,UAAU,IAAI,UAAU;AAAA,EAC/C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAYA,kBACE,KACA,MACA,UACA,aACsB;AACtB,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,YAAY,KAAK,qBAAqB,MAAM;AAClD,UAAM,MAAM,KAAK,GAAG,YAAY,MAA4B;AAE1D,UAAI,WAAW,KAAK,4BAA4B,QAAQ,SAAS,QAAQ;AACzE,UAAI,UAAgC;AACpC,UAAI,CAAC,UAAU;AACb,cAAM,SAAS,KAAK,6BAA6B,QAAQ,SAAS,WAAW;AAC7E,mBAAW,QAAQ;AAAA,MACrB;AACA,UAAI,CAAC,UAAU;AAAE,mBAAW,KAAK;AAAI,kBAAU;AAAA,MAAW;AAE1D,YAAM,WAAW,KAAK,eAAe,QAAQ,WAAW,QAAQ;AAEhE,YAAM,aAAa,MAAM,KAAK,oBAAI,IAAI,CAAC,GAAI,UAAU,QAAQ,CAAC,GAAI,GAAI,KAAK,QAAQ,CAAC,CAAE,CAAC,CAAC;AACxF,YAAM,aAAa,EAAE,GAAI,UAAU,YAAY,CAAC,GAAI,GAAI,KAAK,YAAY,CAAC,EAAG;AAC7E,YAAM,aAAa,KAAK,IAAI,UAAU,cAAc,GAAG,KAAK,UAAU;AAEtE,WAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,OAKf,EAAE;AAAA,QACD;AAAA,QAAU;AAAA,QAAW,KAAK;AAAA,QAAM,kBAAkB,KAAK,IAAI;AAAA,QAAG,KAAK;AAAA,QACnE,UAAU,iBAAgB,oBAAI,KAAK,GAAE,YAAY;AAAA,QAAG;AAAA,QAAG;AAAA,QACvD,KAAK,UAAU,cAAc,UAAU,CAAC;AAAA,QACxC,KAAK,UAAU,WAAW,IAAI,iBAAiB,CAAC;AAAA,QAChD,KAAK,UAAU,OAAO,kBAAkB,KAAK,MAAM,IAAK,UAAU,UAAU;AAAA,QAC5E,KAAK,aAAa,OAAO,kBAAkB,KAAK,SAAS,IAAK,UAAU,aAAa;AAAA,QACrF,KAAK,gBAAgB,UAAU,gBAAgB;AAAA,QAC/C;AAAA,QAAQ,SAAS;AAAA,QAAU,SAAS;AAAA,MACtC;AAGA,WAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OASf,EAAE;AAAA,QACD,SAAS;AAAA,QAAU,YAAY;AAAA,QAC/B,kBAAkB,YAAY,QAAQ;AAAA,QAAG,kBAAkB,YAAY,IAAI;AAAA,QAC3E,YAAY,gBAAgB,OAAO,kBAAkB,YAAY,YAAY,IAAI;AAAA,QACjF,YAAY;AAAA,QAAI,YAAY;AAAA,MAC9B;AACA,aAAO;AAAA,IACT,CAAC;AACD,WAAO,IAAI;AAAA,EACb;AAAA;AAAA,EAGA,kBAAkB,KAAa,MAA2B;AACxD,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,YAAY,KAAK,qBAAqB,MAAM;AAGlD,UAAM,MAAM,KAAK,GAAG;AAAA,MAClB;AAAA,IACF,EAAE,IAAI,QAAQ,KAAK,UAAU,KAAK,UAAU,KAAK,YAAY;AAC7D,QAAI,IAAK;AACT,SAAK,WAAW,WAAW,IAAI;AAAA,EACjC;AAAA;AAAA,EAGA,eAAe,KAAa,WAAmB,QAAqC;AAClF,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,MAAM,KAAK,GAAG;AAAA,MAClB;AAAA,IACF,EAAE,IAAI,QAAQ,WAAW,MAAM;AAC/B,WAAO,MAAM,KAAK,QAAQ,GAAG,IAAI;AAAA,EACnC;AAAA;AAAA,EAGA,0BAA0B,KAA4B;AACpD,WAAO,KAAK,gBAAgB,GAAG;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,cAAc,KAAyB;AACrC,UAAM,SAAS,gBAAgB,GAAG;AAClC,UAAM,SAAS;AAAA,MACb,OAAQ,KAAK,GAAG,QAAQ,+CAA+C,EAAE,IAAI,MAAM,EAAoB;AAAA,MACvG,OAAQ,KAAK,GAAG,QAAQ,+CAA+C,EAAE,IAAI,MAAM,EAAoB;AAAA,IACzG;AACA,UAAM,SAAiC,CAAC;AACxC,eAAW,KAAK,KAAK,GAAG,QAAQ,mEAAmE,EAAE,IAAI,MAAM,GAAyC;AACtJ,aAAO,EAAE,IAAI,IAAI,EAAE;AAAA,IACrB;AACA,UAAM,WAAmC,CAAC;AAC1C,eAAW,KAAK,KAAK,GAAG,QAAQ,wFAAwF,EAAE,IAAI,MAAM,GAAsC;AACxK,eAAS,EAAE,CAAC,IAAI,EAAE;AAAA,IACpB;AACA,UAAM,iBAAyC,CAAC;AAChD,eAAW,KAAK,KAAK,GAAG,QAAQ,8EAA8E,EAAE,IAAI,MAAM,GAAwC;AAChK,qBAAe,EAAE,GAAG,IAAI,EAAE;AAAA,IAC5B;AACA,UAAM,eAAgB,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,KAQrC,EAAE,IAAI,MAAM;AAEb,UAAM,eAAgB,KAAK,GAAG,QAAQ;AAAA;AAAA;AAAA;AAAA;AAAA,KAKrC,EAAE,IAAI,MAAM,EAAoB;AAEjC,WAAO,EAAE,KAAK,QAAQ,QAAQ,aAAa,QAAQ,eAAe,UAAU,qBAAqB,gBAAgB,cAAc,aAAa;AAAA,EAC9I;AAAA;AAAA,EAIA,SAAS,WAAoF;AAC3F,UAAM,QAAS,KAAK,GAAG,QAAQ,sDAAsD,EAAE,IAAI,SAAS,EAAoB;AACxH,UAAM,QAAS,KAAK,GAAG,QAAQ,sDAAsD,EAAE,IAAI,SAAS,EAAoB;AACxH,UAAM,SAAU,KAAK,GAAG,QAAQ,gEAAgE,EAAE,IAAI,SAAS,EAAoB;AACnI,UAAM,QAAS,KAAK,GAAG,QAAQ,sDAAsD,EAAE,IAAI,SAAS,EAAoB;AACxH,WAAO,EAAE,OAAO,OAAO,QAAQ,MAAM;AAAA,EACvC;AACF;;;AKl9DA,SAAS,KAAAC,UAAS;AAgCX,IAAM,eAAeC,GAAE,OAAO;AAAA,EACnC,IAAIA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACpB,OAAOA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EACvB,WAAWA,GAAE,MAAM;AAAA,IACjBA,GAAE,QAAQ,KAAK;AAAA,IACfA,GAAE,MAAMA,GAAE,KAAK,CAAC,SAAS,UAAU,OAAO,CAAC,CAAC,EAAE,SAAS;AAAA,EACzD,CAAC;AAAA,EACD,iBAAiBA,GAAE,MAAMA,GAAE,OAAO,EAAE,IAAI,CAAC,CAAC,EAAE,SAAS;AAAA,EACrD,QAAQA,GAAE,OAA0B,CAAC,MAAM,OAAO,MAAM,YAAY;AAAA,IAClE,SAAS;AAAA,EACX,CAAC;AAAA,EACD,MAAMA,GAAE,OAAwB,CAAC,MAAM,OAAO,MAAM,YAAY;AAAA,IAC9D,SAAS;AAAA,EACX,CAAC;AACH,CAAC;AAOM,SAAS,gBAAgB,OAAyB;AACvD,eAAa,MAAM,KAAK;AACxB,SAAO;AACT;;;ACHO,IAAM,kBAAN,MAAsB;AAAA,EACnB,WAAW,oBAAI,IAAqB;AAAA,EAE5C,SAAS,SAAwB;AAC/B,QAAI,KAAK,SAAS,IAAI,QAAQ,EAAE,EAAG,OAAM,IAAI,MAAM,+BAA+B,QAAQ,EAAE,EAAE;AAC9F,SAAK,SAAS,IAAI,QAAQ,IAAI,OAAO;AACrC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,iBAAiB,KAAa,SAAwB;AACpD,UAAM,QAAQ,gBAAgB,OAAO;AACrC,UAAM,KAAK,UAAU,GAAG,IAAI,MAAM,EAAE;AACpC,UAAM,WAAW,MAAM,mBAAmB,CAAC;AAC3C,UAAM,UAAmB,OAAO,OAAO;AAAA,MACrC;AAAA,MACA,OAAO,MAAM;AAAA,MACb,WAAW,MAAM;AAAA,MACjB,iBAAiB;AAAA,MACjB,QAAQ,CAAC,QAAqB,MAAM,OAAO,GAAG;AAAA,MAC9C,MAAM,CAAC,QACL,MAAM,KAAK;AAAA,QACT,GAAG;AAAA,QACH,KAAK,CAAC,KAAK,SAAS;AAClB,gBAAM,MAAM,IAAI,KAAK,EAAE,MAAM,KAAK,EAAE,CAAC,KAAK;AAC1C,cAAI,CAAC,SAAS,SAAS,GAAG,EAAG,QAAO;AACpC,cAAI,CAAC,cAAc,GAAG,EAAE,QAAS,QAAO;AACxC,iBAAO,IAAI,IAAI,KAAK,IAAI;AAAA,QAC1B;AAAA,MACF,CAAC;AAAA,IACL,CAAC;AACD,WAAO,KAAK,SAAS,OAAO;AAAA,EAC9B;AAAA,EAEA,IAAI,IAAiC;AACnC,WAAO,KAAK,SAAS,IAAI,EAAE;AAAA,EAC7B;AAAA,EAEA,OAAkB;AAChB,WAAO,CAAC,GAAG,KAAK,SAAS,OAAO,CAAC;AAAA,EACnC;AAAA;AAAA,EAGA,YAAY,UAA+B;AACzC,WAAO,KAAK,KAAK,EAAE,OAAO,CAAC,MAAM,EAAE,cAAc,SAAS,EAAE,UAAU,SAAS,QAAQ,CAAC;AAAA,EAC1F;AACF;;;ACpHO,IAAM,WAAW;AAAA,EACtB;AAAA,EAAa;AAAA,EAAc;AAAA,EAAY;AAAA,EAAS;AAAA,EAAW;AAAA,EAAW;AAAA,EAAY;AAAA,EAClF;AAAA,EAAY;AAAA,EAAW;AAAA,EAAc;AAAA,EAAa;AAAA,EAAa;AAAA,EAAW;AAAA,EAAS;AAAA,EACnF;AAAA,EAAQ;AAAA,EAAQ;AAAA,EAAY;AAAA,EAAS;AAAA,EAAY;AAAA,EAAW;AAAA,EAAgB;AAC9E;AAGO,SAAS,eAAe,MAAuB;AACpD,QAAM,IAAI,KAAK,YAAY;AAC3B,SAAO,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;AAC3C;AAGA,IAAM,WAAW;AAAA,EACf;AAAA,EAAW;AAAA,EAAW;AAAA,EAAc;AAAA,EAAc;AAAA,EAAS;AAAA,EAAe;AAAA,EAAW;AAAA,EACrF;AAAA,EAAU;AAAA,EAAS;AAAA,EAAU;AAAA,EAAS;AAAA,EAAW;AAAA,EAAY;AAAA,EAAW;AAAA,EAAW;AAAA,EACnF;AAAA,EAAY;AAAA,EAAc;AAAA,EAAe;AAAA,EAAwB;AAAA,EAAgB;AAAA,EACjF;AAAA,EAAY;AAAA,EAAe;AAAA,EAAW;AAAA,EAAW;AAAA,EAAa;AAAA,EAAc;AAAA,EAAY;AAAA,EACxF;AAAA,EAAc;AAAA,EAAW;AAAA,EAAY;AAAA,EAAc;AAAA,EAAe;AAAA,EAAY;AAAA,EAAU;AAAA,EACxF;AAAA,EAAW;AAAA,EAAc;AAAA,EAAgB;AAAA,EAAW;AAAA,EAAU;AAAA,EAAS;AAAA,EAAa;AAAA,EACpF;AAAA,EAAY;AAAA,EAAc;AAAA,EAAc;AAAA,EAAS;AAAA,EAAU;AAAA,EAAc;AAAA,EAAU;AAAA,EAAW;AAChG;AAEA,SAAS,SAASC,WAA8E;AAC9F,QAAM,IAAIA,UAAS,YAAY;AAC/B,MAAI,eAAe,CAAC,EAAG,QAAO;AAC9B,MAAI,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,EAAG,QAAO,EAAE,MAAM,aAAa,YAAY,IAAI;AAErF,MAAI,uBAAuB,KAAK,CAAC,KAAK,gCAAgC,KAAK,CAAC,GAAG;AAC7E,WAAO,EAAE,MAAM,eAAe,YAAY,IAAI;AAAA,EAChD;AACA,SAAO;AACT;AAEO,IAAM,mBAA4B;AAAA,EACvC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,QAAQ,MAAM;AAAA,EACd,MAAM,KAAK,KAA0B;AACnC,UAAM,QAAQ,OAAO,IAAI,iBAAiB,kBAAkB;AAC5D,UAAM,OAAO,oBAAI,IAAY;AAC7B,UAAM,QAAyB,CAAC;AAChC,eAAW,QAAQ,OAAO;AACxB,YAAM,QAAQ,SAAS,KAAK,QAAQ;AACpC,UAAI,CAAC,MAAO;AACZ,YAAM,KAAK,GAAG,MAAM,IAAI,IAAI,KAAK,QAAQ;AACzC,UAAI,KAAK,IAAI,EAAE,EAAG;AAClB,WAAK,IAAI,EAAE;AACX,YAAM,KAAK;AAAA,QACT;AAAA,QAAI,MAAM,MAAM;AAAA,QAAM,MAAM,KAAK;AAAA,QAAU,eAAe;AAAA,QAC1D,YAAY,MAAM;AAAA,QAAY,MAAM,CAAC,UAAU;AAAA,QAC/C,UAAU,EAAE,UAAU,KAAK,UAAU,GAAI,KAAK,OAAO,EAAE,MAAM,KAAK,KAAK,IAAI,CAAC,EAAG;AAAA,MACjF,CAAC;AAAA,IACH;AACA,WAAO,EAAE,OAAO,OAAO,CAAC,EAAE;AAAA,EAC5B;AACF;;;AC9DA,IAAM,cAAwC;AAAA,EAC5C,KAAK,CAAC,QAAQ,iBAAiB,UAAU,YAAY,OAAO,QAAQ,OAAO,SAAS,QAAQ,YAAY,WAAW,UAAU,YAAY,SAAS,SAAS,UAAU;AAAA,EACrK,YAAY,CAAC,OAAO,MAAM,UAAU,kBAAkB,UAAU,WAAW,QAAQ,aAAa,WAAW,WAAW,UAAU,UAAU,SAAS,OAAO;AAAA,EAC1J,SAAS,CAAC,QAAQ,OAAO,QAAQ,QAAQ,OAAO,QAAQ,UAAU,WAAW,OAAO,UAAU,QAAQ,SAAS,QAAQ,OAAO,UAAU,MAAM,SAAS,SAAS,OAAO,YAAY,QAAQ;AAAA,EAC3L,UAAU,CAAC,QAAQ,SAAS,WAAW,aAAa,WAAW,mBAAmB;AAAA,EAClF,OAAO,CAAC,OAAO,UAAU,MAAM,UAAU,OAAO,UAAU,WAAW,YAAY,UAAU;AAAA,EAC3F,SAAS,CAAC,iBAAiB,YAAY,WAAW,SAAS,OAAO;AAAA,EAClE,eAAe,CAAC,cAAc,eAAe,iBAAiB,gBAAgB;AAChF;AAEO,IAAM,uBAAgC;AAAA,EAC3C,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,SAAS,WAAW,aAAa;AAAA,EACnD,QAAQ,MAAM;AAAA,EACd,MAAM,KAAK,KAA0B;AACnC,UAAM,QAAyB,CAAC;AAChC,UAAM,aAAa,IAAI,QAAQ,IAAI,YAAY,EAAE,MAAM,QAAQ,EAAE,OAAO,OAAO;AAC/E,eAAW,CAAC,UAAU,KAAK,KAAK,OAAO,QAAQ,WAAW,GAAG;AAC3D,iBAAW,QAAQ,OAAO;AACxB,cAAM,QAAQ,IAAI,iBAAiB,eAAe,IAAI;AACtD,YAAI,CAAC,KAAM;AACX,cAAM,UAAU,UAAU,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC;AACtD,cAAM,KAAK;AAAA,UACT,IAAI,aAAa,IAAI;AAAA,UACrB,MAAM;AAAA,UACN,MAAM;AAAA,UACN,eAAe;AAAA,UACf,YAAY,UAAU,OAAO;AAAA,UAC7B,MAAM,CAAC,QAAQ;AAAA,UACf,UAAU,EAAE,UAAU,KAAK;AAAA,QAC7B,CAAC;AAAA,MACH;AAAA,IACF;AACA,WAAO,EAAE,OAAO,OAAO,CAAC,EAAE;AAAA,EAC5B;AACF;;;ACrCO,IAAM,WAAgE;AAAA,EAC3E,MAAM,EAAE,MAAM,mBAAmB,SAAS,aAAa;AAAA,EACvD,MAAM,EAAE,MAAM,mBAAmB,SAAS,QAAQ;AAAA,EAClD,MAAM,EAAE,MAAM,mBAAmB,SAAS,YAAY;AAAA,EACtD,OAAO,EAAE,MAAM,mBAAmB,SAAS,UAAU;AAAA,EACrD,MAAM,EAAE,MAAM,mBAAmB,SAAS,gBAAgB;AAAA,EAC1D,MAAM,EAAE,MAAM,gBAAgB,SAAS,QAAQ;AAAA,EAC/C,OAAO,EAAE,MAAM,gBAAgB,SAAS,YAAY;AAAA,EACpD,MAAM,EAAE,MAAM,kBAAkB,SAAS,QAAQ;AAAA,EACjD,MAAM,EAAE,MAAM,kBAAkB,SAAS,WAAW;AAAA,EACpD,MAAM,EAAE,MAAM,kBAAkB,SAAS,OAAO;AAAA,EAChD,MAAM,EAAE,MAAM,eAAe,SAAS,aAAa;AAAA,EACnD,KAAM,EAAE,MAAM,eAAe,SAAS,WAAW;AAAA,EACjD,MAAM,EAAE,MAAM,eAAe,SAAS,WAAW;AAAA,EACjD,KAAM,EAAE,MAAM,eAAe,SAAS,WAAW;AAAA,EACjD,IAAI,EAAE,MAAM,eAAe,SAAS,OAAO;AAAA,EAC3C,KAAK,EAAE,MAAM,eAAe,SAAS,QAAQ;AAAA,EAC7C,MAAM,EAAE,MAAM,eAAe,SAAS,QAAQ;AAAA,EAC9C,MAAM,EAAE,MAAM,eAAe,SAAS,SAAS;AAAA,EAC/C,MAAM,EAAE,MAAM,eAAe,SAAS,OAAO;AAAA,EAC7C,MAAM,EAAE,MAAM,eAAe,SAAS,SAAS;AAAA,EAC/C,OAAO,EAAE,MAAM,eAAe,SAAS,sBAAsB;AAC/D;AAGO,SAAS,sBAAsB,KAAuB;AAC3D,QAAM,QAAQ,oBAAI,IAAY;AAC9B,aAAW,KAAK,IAAI,SAAS,kBAAkB,GAAG;AAChD,UAAM,IAAI,OAAO,EAAE,CAAC,CAAC;AACrB,QAAI,KAAK,SAAU,OAAM,IAAI,CAAC;AAAA,EAChC;AACA,SAAO,CAAC,GAAG,KAAK;AAClB;AAEO,IAAM,eAAwB;AAAA,EACnC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,MAAM,QAAQ,sBAAsB;AAAA,EACtD,QAAQ,MAAM;AAAA,EACd,MAAM,KAAK,KAA0B;AACnC,UAAM,OAAO,IAAI,sBAAsB,oBAAoB;AAC3D,UAAM,QAAyB,CAAC;AAChC,eAAW,QAAQ,sBAAsB,GAAG,GAAG;AAC7C,YAAM,EAAE,MAAM,QAAQ,IAAI,SAAS,IAAI;AACvC,YAAM,KAAK;AAAA,QACT,IAAI,GAAG,IAAI,cAAc,IAAI;AAAA,QAC7B;AAAA,QACA,MAAM,GAAG,OAAO,MAAM,IAAI;AAAA,QAC1B,eAAe;AAAA,QACf,YAAY;AAAA,QACZ,MAAM,CAAC,SAAS,OAAO;AAAA,QACvB,UAAU,EAAE,MAAM,SAAS,MAAM,YAAY;AAAA,MAC/C,CAAC;AAAA,IACH;AACA,WAAO,EAAE,OAAO,OAAO,CAAC,EAAE;AAAA,EAC5B;AACF;;;AC5CO,IAAM,aAA2C;AAAA,EACtD,0BAA0B;AAAA,EAC1B,mBAAmB;AAAA,EACnB,qBAAqB;AAAA,EACrB,eAAe;AACjB;AAGO,SAAS,aAAa,MAAoB,QAAwB;AACvE,SAAO,IAAI,IAAI,KAAK,MAAM,OAAM,oBAAI,KAAK,GAAE,YAAY,CAAC;AAC1D;;;ACTA,IAAM,UAAU;AAGhB,SAAS,cAAc,OAAsD;AAC3E,QAAM,IAAI,MAAM,KAAK;AACrB,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,MAAM,EAAE,YAAY,GAAG;AAC7B,MAAI,OAAO,EAAG,QAAO;AACrB,QAAM,OAAO,EAAE,MAAM,GAAG,GAAG,EAAE,QAAQ,YAAY,EAAE;AACnD,QAAM,UAAU,EAAE,MAAM,MAAM,CAAC;AAC/B,MAAI,CAAC,QAAQ,KAAK,OAAO,EAAG,QAAO;AACnC,QAAM,OAAO,OAAO,OAAO;AAC3B,MAAI,OAAO,KAAK,OAAO,MAAO,QAAO;AACrC,SAAO,EAAE,MAAM,KAAK;AACtB;AAWO,SAAS,iBAAiB,KAAgC;AAC/D,QAAM,MAAyB,CAAC;AAChC,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,OAAO,CAAC,OAAuC,WAAiD;AACpG,UAAM,MAAM,GAAG,MAAM,IAAI,KAAK,OAAO,IAAI,IAAI,OAAO,IAAI;AACxD,QAAI,KAAK,IAAI,GAAG,EAAG;AACnB,SAAK,IAAI,GAAG;AACZ,QAAI,KAAK,EAAE,WAAW,MAAM,MAAM,YAAY,OAAO,MAAM,YAAY,OAAO,KAAK,CAAC;AAAA,EACtF;AAEA,aAAW,QAAQ,IAAI,MAAM,OAAO,GAAG;AACrC,UAAM,IAAI,KAAK,KAAK;AACpB,QAAI,CAAC,EAAG;AAGR,UAAM,QAAQ,EAAE,MAAM,2CAA2C;AACjE,QAAI,OAAO;AACT,YAAM,QAAQ,cAAc,MAAM,CAAC,CAAC;AACpC,YAAM,SAAS,cAAc,MAAM,CAAC,CAAC;AACrC,UAAI,SAAS,OAAQ,MAAK,OAAO,MAAM;AACvC;AAAA,IACF;AAGA,QAAI,YAAY,KAAK,CAAC,KAAK,aAAa,KAAK,CAAC,GAAG;AAC/C,YAAM,OAAO,EAAE,MAAM,KAAK,EAAE,OAAO,OAAO;AAC1C,YAAM,YAAY,KACf,IAAI,CAAC,MAAM,cAAc,CAAC,CAAC,EAC3B,OAAO,CAAC,MAA2C,MAAM,IAAI;AAChE,UAAI,UAAU,UAAU,GAAG;AACzB,cAAM,QAAQ,UAAU,UAAU,SAAS,CAAC;AAC5C,cAAM,SAAS,UAAU,UAAU,SAAS,CAAC;AAC7C,aAAK,OAAO,MAAM;AAAA,MACpB;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAEO,IAAM,qBAA8B;AAAA,EACzC,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,MAAM,QAAQ,WAAW,sBAAsB;AAAA,EACjE,QAAQ,MAAM;AAAA,EACd,MAAM,KAAK,KAAuC;AAChD,UAAM,QAAQ,kBAAkB,IAAI,8BAA8B,4BAA4B,CAAC;AAC/F,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,QAAI,MAAM,WAAW,EAAG,QAAO,EAAE,OAAO,MAAM;AAG9C,UAAM,SAAS;AACf,UAAM,KAAK;AAAA,MACT,IAAI;AAAA,MACJ,MAAM;AAAA,MACN,MAAM;AAAA,MACN,eAAe;AAAA,MACf,YAAY;AAAA,MACZ,UAAU,EAAE,MAAM,YAAY;AAAA,MAC9B,MAAM,CAAC,OAAO;AAAA,IAChB,CAAC;AAED,UAAM,WAAW,oBAAI,IAAY;AACjC,eAAW,KAAK,OAAO;AACrB,YAAM,MAAM,SAAS,EAAE,UAAU;AACjC,UAAI,CAAC,IAAK;AACV,YAAM,WAAW,GAAG,IAAI,IAAI,cAAc,EAAE,UAAU;AACtD,UAAI,SAAS,IAAI,QAAQ,EAAG;AAC5B,eAAS,IAAI,QAAQ;AACrB,YAAM,KAAK;AAAA,QACT,UAAU;AAAA,QACV;AAAA,QACA,cAAc;AAAA,QACd,UAAU,aAAa,0BAA0B,GAAG,EAAE,SAAS,OAAO,EAAE,UAAU,IAAI,EAAE,UAAU,EAAE;AAAA,QACpG,YAAY,WAAW,wBAAwB;AAAA,MACjD,CAAC;AAAA,IACH;AACA,WAAO,EAAE,OAAO,MAAM;AAAA,EACxB;AACF;;;ACvGA,IAAM,cAAc;AAQpB,IAAM,cAAsC;AAAA,EAC1C,UAAU;AAAA,EAAM,YAAY;AAAA,EAAM,OAAO;AAAA,EAAM,SAAS;AAAA,EAAO,OAAO;AAAA,EACtE,MAAM;AAAA,EAAM,OAAO;AAAA,EAAM,eAAe;AAC1C;AAGA,SAAS,aAAuB;AAC9B,QAAM,OAAO,CAAC,QAAQ,IAAI,CAAC;AAC3B,MAAI,CAAC,OAAQ,MAAK,KAAK,cAAc,mBAAmB;AACxD,SAAO;AACT;AAMO,SAAS,uBAAuB,KAAqB;AAC1D,SAAO,IAGJ,QAAQ,yCAAyC,CAAC,IAAI,WAAmB,GAAG,MAAM,OAAO,EACzF,QAAQ,gCAAgC,SAAS;AACtD;AAMO,SAAS,oBAAoB,KAA+C;AACjF,QAAM,MAAwC,CAAC;AAC/C,QAAM,OAAO,oBAAI,IAAY;AAC7B,QAAM,MAAM,CAAC,MAAc,SAAuB;AAChD,UAAM,MAAM,GAAG,IAAI,IAAI,IAAI;AAC3B,QAAI,KAAK,IAAI,GAAG,EAAG;AACnB,SAAK,IAAI,GAAG;AACZ,QAAI,KAAK,EAAE,MAAM,KAAK,CAAC;AAAA,EACzB;AACA,aAAW,KAAK,IAAI,SAAS,yCAAyC,EAAG,KAAI,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC;AAC/F,aAAW,KAAK,IAAI,SAAS,wDAAwD,EAAG,KAAI,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,CAAC,CAAC;AAC9G,SAAO;AACT;AAMO,SAAS,iBAAiB,KAAyD;AACxF,QAAM,QAAQ,IAAI,MAAM,OAAO;AAC/B,QAAM,SAAqD,CAAC;AAC5D,MAAI,aAAa;AACjB,MAAI,iBAAiB;AACrB,MAAI,UAA2D;AAC/D,MAAI,gBAAgB;AACpB,MAAI,SAAS;AACb,MAAI,aAAa;AAEjB,QAAM,WAAW,CAAC,MAAsB,EAAE,SAAS,EAAE,UAAU,EAAE;AAEjE,aAAW,WAAW,OAAO;AAC3B,QAAI,CAAC,QAAQ,KAAK,KAAK,QAAQ,KAAK,EAAE,WAAW,GAAG,EAAG;AACvD,UAAM,SAAS,SAAS,OAAO;AAC/B,UAAM,UAAU,QAAQ,KAAK;AAE7B,QAAI,iBAAiB,KAAK,OAAO,GAAG;AAAE,mBAAa;AAAM,uBAAiB;AAAQ;AAAA,IAAU;AAC5F,QAAI,CAAC,WAAY;AACjB,QAAI,UAAU,kBAAkB,CAAC,aAAa,KAAK,OAAO,GAAG;AAAE,mBAAa;AAAO,gBAAU;AAAM,eAAS;AAAO;AAAA,IAAU;AAK7H,UAAM,WAAW,QAAQ,MAAM,yBAAyB;AACxD,UAAM,kBAAkB,CAAC,CAAC,YAAY,SAAS,mBAAmB,kBAAkB,MAAM,WAAW;AACrG,QAAI,iBAAiB;AACnB,gBAAU,EAAE,SAAS,SAAU,CAAC,GAAG,WAAW,CAAC,EAAE;AACjD,aAAO,KAAK,OAAO;AACnB,sBAAgB;AAChB,eAAS;AACT;AAAA,IACF;AACA,QAAI,CAAC,QAAS;AAEd,QAAI,eAAe,KAAK,OAAO,GAAG;AAChC,eAAS;AACT,mBAAa;AAEb,YAAM,SAAS,QAAQ,MAAM,6BAA6B;AAC1D,UAAI,QAAQ;AACV,mBAAW,OAAO,OAAO,CAAC,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,SAAS,EAAE,CAAC,EAAE,OAAO,OAAO,GAAG;AAChG,kBAAQ,UAAU,KAAK,GAAG;AAAA,QAC5B;AACA,iBAAS;AAAA,MACX;AACA;AAAA,IACF;AAEA,QAAI,QAAQ;AACV,UAAI,UAAU,YAAY;AAAE,iBAAS;AAAA,MAAO,OACvC;AACH,cAAM,WAAW,QAAQ,MAAM,4BAA4B;AAC3D,cAAM,UAAU,QAAQ,MAAM,yBAAyB;AACvD,cAAM,MAAM,WAAW,CAAC,KAAK,UAAU,CAAC;AACxC,YAAI,KAAK;AAAE,cAAI,CAAC,QAAQ,UAAU,SAAS,GAAG,EAAG,SAAQ,UAAU,KAAK,GAAG;AAAG;AAAA,QAAU;AAAA,MAC1F;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,sBAAsB,MAAc,KACyC;AAC3F,QAAM,IAAI,IAAI,MAAM,4BAA4B;AAChD,MAAI,CAAC,EAAG,QAAO;AACf,QAAM,SAAS,EAAE,CAAC,EAAE,YAAY;AAChC,MAAI,EAAE,UAAU,aAAc,QAAO;AACrC,QAAM,YAAY,IAAI,MAAM,iCAAiC;AAC7D,QAAM,OAAO,YAAY,OAAO,UAAU,CAAC,CAAC,IAAI,YAAY,MAAM;AAClE,MAAI,CAAC,QAAQ,EAAE,QAAQ,UAAW,QAAO;AAIzC,QAAM,eACJ,WAAW,UAAU,WAAW,UAAU,eAAe;AAC3D,QAAM,WAAW,uBAAuB,GAAG;AAC3C,SAAO;AAAA,IACL;AAAA,IACA,SAAS,SAAS,IAAI,EAAE;AAAA,IACxB;AAAA,IACA,UAAU,aAAa,qBAAqB,GAAG,IAAI,IAAI,QAAQ,EAAE;AAAA,EACnE;AACF;AAOA,SAAS,WAAW,KAAsB;AACxC,aAAW,QAAQ,IAAI,MAAM,OAAO,GAAG;AACrC,UAAM,KAAK,KAAK,QAAQ,GAAG;AAC3B,QAAI,MAAM,EAAG;AACb,UAAM,OAAO,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AACpC,QAAI,CAAC,YAAY,KAAK,IAAI,EAAG;AAC7B,QAAI,sBAAsB,MAAM,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK,CAAC,EAAG,QAAO;AAAA,EACrE;AACA,SAAO;AACT;AAEO,IAAM,uBAAgC;AAAA,EAC3C,IAAI;AAAA,EACJ,OAAO;AAAA,EACP,WAAW;AAAA,EACX,iBAAiB,CAAC,OAAO,QAAQ,QAAQ,YAAY,MAAM,eAAe;AAAA,EAC1E,OAAO,KAA2B;AAChC,UAAM,SAAS,IAAI,aAAa,WAAW,WAAW,GAAG,CAAC,UAAU,cAAc,uBAAuB,cAAc,GAAG,GAAG,EAAE;AAC/H,QAAI,MAAM,KAAK,EAAE,SAAS,EAAG,QAAO;AACpC,WAAO,WAAW,IAAI,IAAI,UAAU,CAAC;AAAA,EACvC;AAAA,EACA,MAAM,KAAK,KAAuC;AAChD,UAAM,QAAyB,CAAC;AAChC,UAAM,QAAyB,CAAC;AAChC,UAAM,SAAS;AACf,QAAI,cAAc;AAClB,UAAM,WAAW,MAAY;AAC3B,UAAI,YAAa;AACjB,oBAAc;AACd,YAAM,KAAK,EAAE,IAAI,QAAQ,MAAM,QAAQ,MAAM,aAAa,eAAe,kBAAkB,YAAY,KAAK,UAAU,EAAE,MAAM,YAAY,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;AAAA,IAChK;AAGA,eAAW,QAAQ,IAAI,IAAI,UAAU,EAAE,MAAM,OAAO,GAAG;AACrD,YAAM,KAAK,KAAK,QAAQ,GAAG;AAC3B,UAAI,MAAM,EAAG;AACb,YAAM,OAAO,KAAK,MAAM,GAAG,EAAE,EAAE,KAAK;AACpC,YAAM,QAAQ,KAAK,MAAM,KAAK,CAAC,EAAE,KAAK;AACtC,UAAI,CAAC,YAAY,KAAK,IAAI,EAAG;AAC7B,YAAM,SAAS,sBAAsB,MAAM,KAAK;AAChD,UAAI,CAAC,OAAQ;AACb,eAAS;AACT,YAAM,KAAK;AAAA,QACT,UAAU;AAAA,QACV,UAAU,GAAG,SAAS,OAAO,IAAI,EAAE,IAAI,cAAc,OAAO,IAAI;AAAA,QAChE,cAAc,OAAO;AAAA,QACrB,UAAU,OAAO;AAAA,QACjB,YAAY,WAAW,mBAAmB;AAAA,MAC5C,CAAC;AAAA,IACH;AAGA,UAAM,cAAc,IAAI,aAAa;AACrC,UAAM,aAAa,YAAY,WAAW,GAAG,CAAC,UAAU,YAAY,GAAG,GAAG,EAAE,EACzE,MAAM,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACrD,eAAW,QAAQ,YAAY;AAC7B,YAAM,UAAU,IAAI,IAAI,QAAQ,IAAI,GAAG;AACvC,UAAI,CAAC,QAAS;AACd,iBAAW,EAAE,MAAM,KAAK,KAAK,oBAAoB,OAAO,GAAG;AACzD,YAAI,EAAE,QAAQ,UAAW;AACzB,iBAAS;AACT,cAAM,KAAK;AAAA,UACT,UAAU;AAAA,UACV,UAAU,GAAG,SAAS,IAAI,EAAE,IAAI,cAAc,IAAI;AAAA,UAClD,cAAc;AAAA,UACd,UAAU,aAAa,mBAAmB,SAAS,IAAI,KAAK,IAAI,IAAI,IAAI,EAAE;AAAA,UAC1E,YAAY,WAAW,iBAAiB;AAAA,QAC1C,CAAC;AAAA,MACH;AAAA,IACF;AAGA,UAAM,eAAe,YAAY,WAAW,GAAG,CAAC,uBAAuB,cAAc,GAAG,GAAG,EAAE,EAC1F,MAAM,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AACrD,eAAW,QAAQ,cAAc;AAC/B,YAAM,UAAU,IAAI,IAAI,QAAQ,IAAI,GAAG;AACvC,UAAI,CAAC,QAAS;AACd,iBAAW,EAAE,SAAS,UAAU,KAAK,iBAAiB,OAAO,GAAG;AAC9D,YAAI,UAAU,WAAW,EAAG;AAC5B,cAAM,QAAQ,aAAa,OAAO;AAClC,cAAM,KAAK,EAAE,IAAI,OAAO,MAAM,aAAa,MAAM,SAAS,eAAe,kBAAkB,YAAY,KAAK,UAAU,EAAE,SAAS,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;AAC5J,mBAAW,OAAO,WAAW;AAC3B,gBAAM,QAAQ,aAAa,GAAG;AAC9B,gBAAM,KAAK,EAAE,IAAI,OAAO,MAAM,aAAa,MAAM,KAAK,eAAe,kBAAkB,YAAY,KAAK,UAAU,EAAE,SAAS,KAAK,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;AACxJ,gBAAM,KAAK;AAAA,YACT,UAAU;AAAA,YACV,UAAU;AAAA,YACV,cAAc;AAAA,YACd,UAAU,aAAa,mBAAmB,WAAW,IAAI,KAAK,OAAO,eAAe,GAAG,EAAE;AAAA,YACzF,YAAY,WAAW,iBAAiB;AAAA,UAC1C,CAAC;AAAA,QACH;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,MAAM;AAAA,EACxB;AACF;;;ACxOO,SAAS,kBAAmC;AACjD,SAAO,IAAI,gBAAgB,EACxB,SAAS,gBAAgB,EACzB,SAAS,oBAAoB,EAC7B,SAAS,YAAY,EACrB,SAAS,eAAe,EACxB,SAAS,eAAe,EACxB,SAAS,iBAAiB,EAC1B,SAAS,UAAU,EACnB,SAAS,gBAAgB,EACzB,SAAS,kBAAkB,EAC3B,SAAS,oBAAoB;AAClC;;;AC1BA,eAAsB,YACpB,UACA,MACmB;AACnB,QAAM,SAAmB,CAAC;AAC1B,aAAW,OAAO,MAAM;AACtB,QAAI;AACF,YAAM,MAAO,MAAM,OAAO;AAC1B,YAAM,SAAS,IAAI;AACnB,UAAI,CAAC,UAAU,OAAO,OAAO,aAAa,YAAY;AACpD,gBAAQ,yCAAyC,EAAE,IAAI,CAAC;AACxD;AAAA,MACF;AACA,YAAM,MAAwB;AAAA,QAC5B,iBAAiB,CAAC,YAAY;AAC5B,mBAAS,iBAAiB,KAAK,OAAO;AAAA,QACxC;AAAA,MACF;AACA,aAAO,SAAS,GAAG;AACnB,aAAO,KAAK,GAAG;AACf,cAAQ,yBAAyB,EAAE,KAAK,MAAM,OAAO,KAAK,CAAC;AAAA,IAC7D,SAAS,KAAK;AACZ,cAAQ,wCAAwC;AAAA,QAC9C;AAAA,QACA,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACxD,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;;;ACaA,SAAS,YAAY,WAAmB,OAAwB,OAAuC;AACrG,QAAM,MAAK,oBAAI,KAAK,GAAE,YAAY;AAClC,SAAO;AAAA,IACL,OAAO,MAAM,IAAI,CAAC,OAAO;AAAA,MACvB,GAAG;AAAA,MAAG;AAAA,MAAW,cAAc;AAAA,MAAI,OAAO;AAAA,MAC1C,MAAM,EAAE,QAAQ,CAAC;AAAA,MAAG,UAAU,EAAE,YAAY,CAAC;AAAA,IAC/C,EAAE;AAAA,IACF,OAAO,MAAM,IAAI,CAAC,OAAO,EAAE,GAAG,GAAG,IAAI,IAAI,WAAW,cAAc,GAAG,EAAE;AAAA,EACzE;AACF;AAEA,eAAsB,kBACpB,IACA,WACA,OAA8B,CAAC,GACA;AAC/B,QAAM,WAAW,KAAK,YAAY,gBAAgB;AAGlD,MAAI,CAAC,KAAK,YAAY,KAAK,WAAW,KAAK,QAAQ,SAAS,GAAG;AAC7D,UAAM,YAAY,UAAU,KAAK,OAAO;AAAA,EAC1C;AACA,QAAM,MAAmB,EAAE,MAAM,KAAK,MAAM,UAAU,UAAU,KAAK,eAAe,oBAAoB,4BAA4B,WAAW,eAAe,kBAAkB,GAAG,KAAK,IAAI;AAE5L,QAAM,QAAQ,oBAAI,IAA2B;AAC7C,QAAM,QAAyB,CAAC;AAChC,QAAM,MAAgB,CAAC;AAEvB,aAAW,WAAW,SAAS,YAAY,QAAQ,GAAG;AACpD,QAAI;AACF,UAAI,CAAE,MAAM,QAAQ,OAAO,GAAG,EAAI;AAClC,YAAM,SAAS,MAAM,QAAQ,KAAK,GAAG;AACrC,UAAI,KAAK,QAAQ,EAAE;AACnB,iBAAW,QAAQ,OAAO,OAAO;AAE/B,cAAM,OAAO,MAAM,IAAI,KAAK,EAAE;AAC9B,YAAI,CAAC,QAAQ,KAAK,aAAa,KAAK,WAAY,OAAM,IAAI,KAAK,IAAI,IAAI;AAAA,MACzE;AACA,YAAM,KAAK,GAAG,OAAO,KAAK;AAC1B,WAAK,aAAa,GAAG,QAAQ,KAAK,MAAM,OAAO,MAAM,MAAM,QAAQ;AAAA,IACrE,SAAS,KAAK;AACZ,WAAK,aAAa,GAAG,QAAQ,KAAK,aAAa,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC,GAAG;AAAA,IACpG;AAAA,EACF;AAIA,QAAM,UAAU,GAAG,WAAW,SAAS;AACvC,QAAM,kBAA+D,SAAS,YAC1E;AAAA,IACE,WAAW,QAAQ;AAAA,IACnB,UAAU,QAAQ,YAAY;AAAA,IAC9B,MAAM,QAAQ,QAAQ;AAAA,IACtB,cAAc,QAAQ;AAAA,IACtB,KAAI,oBAAI,KAAK,GAAE,YAAY;AAAA,EAC7B,IACA;AAGJ,QAAM,aAAa,MAAM,OAAO,CAAC,MAAM,MAAM,IAAI,EAAE,QAAQ,KAAK,MAAM,IAAI,EAAE,QAAQ,CAAC;AAErF,MAAI,KAAK,SAAS,UAAU;AAM1B,UAAM,QAAuB,EAAE,OAAO,GAAG,SAAS,SAAS,GAAG,OAAO,GAAG,SAAS,SAAS,EAAE;AAC5F,UAAM,UAAU,YAAY,WAAW,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,UAAU;AACtE,UAAM,QAAQ,aAAa,OAAO,OAAO;AACzC,OAAG;AAAA,MACD;AAAA,MAAW;AAAA,MACX,kBAAkB,EAAE,GAAG,iBAAiB,YAAY,IAAI,IAAI;AAAA,IAC9D;AACA,WAAO,EAAE,OAAO,QAAQ,MAAM,QAAQ,OAAO,QAAQ,MAAM,QAAQ,UAAU,KAAK,MAAM;AAAA,EAC1F;AAGA,aAAW,QAAQ,MAAM,OAAO,GAAG;AACjC,OAAG;AAAA,MACD;AAAA,MAAW;AAAA,MAAM;AAAA,MACjB,kBAAkB,EAAE,GAAG,iBAAiB,YAAY,KAAK,WAAW,IAAI;AAAA,IAC1E;AAAA,EACF;AACA,aAAW,QAAQ,WAAY,IAAG,WAAW,WAAW,IAAI;AAE5D,SAAO,EAAE,OAAO,MAAM,MAAM,OAAO,WAAW,QAAQ,UAAU,IAAI;AACtE;AAOO,SAAS,iBAAiB,UAA4B,SAAoB;AAC/E,SAAO,OAAO,IAAmB,WAAmB,SAAyD;AAC3G,UAAM,IAAI,MAAM,kBAAkB,IAAI,WAAW,EAAE,MAAM,KAAK,MAAM,MAAM,KAAK,MAAM,UAAU,QAAQ,CAAC;AACxG,WAAO,EAAE,OAAO,EAAE,OAAO,OAAO,EAAE,OAAO,GAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,EAAG;AAAA,EAClF;AACF;;;ACxJO,IAAM,WAAoB,cAAc,MAAM;AAAA,EACnD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,aAAa;AAAA,EACb,OAAO;AAAA,IACL;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAsB,WAAW;AAAA,MACxC,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK;AAAA,QACZ,EAAE,OAAO,SAAS,IAAI,UAAU;AAAA,QAChC,EAAE,OAAO,UAAU,IAAI,UAAU;AAAA,QACjC,EAAE,OAAO,QAAQ,IAAI,WAAW,SAAS,YAAY;AAAA,QACrD,EAAE,OAAO,gBAAgB,IAAI,WAAW,SAAS,YAAY;AAAA,MAC/D,EAAE;AAAA,IACJ;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAoD,WAAW;AAAA,MACtE,OAAO,EAAE,QAAQ,CAAC,QAAQ,KAAK,EAAE;AAAA,MACjC,OAAO,EAAE,OAAO,UAAU,IAAI,UAAU;AAAA,IAC1C;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAyD,WAAW;AAAA,MAC3E,OAAO,EAAE,QAAQ,CAAC,QAAQ,OAAO,EAAE;AAAA,MACnC,OAAO,EAAE,OAAO,cAAc,IAAI,OAAO,OAAO,IAAI;AAAA,IACtD;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAuD,WAAW;AAAA,MACzE,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,uBAAuB,EAAE;AAAA,IAC5F;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAkD,WAAW;AAAA,MACpE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE;AAAA,MAC1B,gBAAgB,EAAE,OAAO,gBAAgB,IAAI,UAAU;AAAA,MACvD,OAAO,EAAE,OAAO,gBAAgB,IAAI,OAAO,OAAO,GAAG;AAAA,IACvD;AAAA,EACF;AACF,CAAC;;;AC7CM,IAAM,MAAe,cAAc,MAAM;AAAA,EAC9C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,aAAa;AAAA,EACb,OAAO;AAAA,IACL;AAAA,MACE,IAAI;AAAA,MAAW,SAAS;AAAA,MAAW,WAAW;AAAA,MAAO,UAAU;AAAA,MAC/D,OAAO;AAAA,MAAqD,WAAW;AAAA,MACvE,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,uBAAuB,EAAE;AAAA,IAC5F;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAW,SAAS;AAAA,MAAW,WAAW;AAAA,MAAO,UAAU;AAAA,MAC/D,OAAO;AAAA,MAAsC,WAAW;AAAA,MACxD,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE;AAAA,MAC1B,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,kBAAkB,EAAE;AAAA,IACvF;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAW,SAAS;AAAA,MAAW,WAAW;AAAA,MAAO,UAAU;AAAA,MAC/D,OAAO;AAAA,MAA4C,WAAW;AAAA,MAC9D,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,CAAC,EAAE,OAAO,SAAS,IAAI,UAAU,GAAG,EAAE,OAAO,gBAAgB,IAAI,WAAW,SAAS,YAAY,CAAC,EAAE;AAAA,IACpH;AAAA,EACF;AACF,CAAC;;;ACzBM,IAAM,OAAgB,cAAc,MAAM;AAAA,EAC/C,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,aAAa;AAAA,EACb,OAAO;AAAA,IACL;AAAA,MACE,IAAI;AAAA,MAAS,SAAS;AAAA,MAAS,WAAW;AAAA,MAAQ,UAAU;AAAA,MAC5D,OAAO;AAAA,MAA4C,WAAW;AAAA,MAC9D,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,uBAAuB,EAAE;AAAA,IAC5F;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAS,SAAS;AAAA,MAAS,WAAW;AAAA,MAAQ,UAAU;AAAA,MAC5D,OAAO;AAAA,MAAgD,WAAW;AAAA,MAClE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE;AAAA,MAC1B,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,kBAAkB,EAAE;AAAA,IACvF;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAS,SAAS;AAAA,MAAS,WAAW;AAAA,MAAQ,UAAU;AAAA,MAC5D,OAAO;AAAA,MAAuC,WAAW;AAAA,MACzD,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,CAAC,EAAE,OAAO,SAAS,IAAI,UAAU,GAAG,EAAE,OAAO,UAAU,IAAI,UAAU,CAAC,EAAE;AAAA,IACxF;AAAA,EACF;AACF,CAAC;;;ACzBM,IAAM,WAAoB,cAAc,MAAM;AAAA,EACnD,MAAM;AAAA,EACN,SAAS;AAAA,EACT,WAAW;AAAA,EACX,aAAa;AAAA,EACb,OAAO;AAAA,IACL;AAAA,MACE,IAAI;AAAA,MAAS,SAAS;AAAA,MAAS,WAAW;AAAA,MAAY,UAAU;AAAA,MAChE,OAAO;AAAA,MAA4C,WAAW;AAAA,MAC9D,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,CAAC,EAAE,OAAO,SAAS,IAAI,UAAU,GAAG,EAAE,OAAO,gBAAgB,IAAI,WAAW,SAAS,YAAY,CAAC,EAAE;AAAA,IACpH;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAiD,WAAW;AAAA,MACnE,OAAO,CAAC;AAAA,MACR,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,uBAAuB,EAAE;AAAA,IAC5F;AAAA,IACA;AAAA,MACE,IAAI;AAAA,MAAU,SAAS;AAAA,MAAU,WAAW;AAAA,MAAY,UAAU;AAAA,MAClE,OAAO;AAAA,MAAuD,WAAW;AAAA,MACzE,OAAO,EAAE,QAAQ,CAAC,MAAM,EAAE;AAAA,MAC1B,OAAO,EAAE,KAAK,EAAE,OAAO,kBAAkB,IAAI,WAAW,SAAS,kBAAkB,EAAE;AAAA,IACvF;AAAA,EACF;AACF,CAAC;;;ACvBD,IAAM,WAAoC,EAAE,UAAU,KAAK,MAAM,SAAS;AAGnE,SAAS,WAAW,MAAmC;AAC5D,SAAO,SAAS,IAAI;AACtB;AAGO,SAAS,eAA+F;AAC7G,SAAO,OAAO,OAAO,QAAQ,EAAE,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,EAAE,SAAS,WAAW,EAAE,WAAW,WAAW,EAAE,MAAM,OAAO,EAAE;AACrI;;;ACTO,IAAM,aAAN,MAAsC;AAAA,EAClC,OAAO;AAAA,EAEhB,MAAM,KAAK,OAAkC;AAC3C,YAAQ,OAAO,MAAM,KAAK,UAAU,YAAY,KAAK,CAAC,IAAI,IAAI;AAC9D,YAAQ,uBAAuB,EAAE,MAAM,KAAK,MAAM,UAAU,MAAM,UAAU,OAAO,MAAM,MAAM,OAAO,CAAC;AAAA,EACzG;AACF;;;ACNA,IAAM,iBAAiB,oBAAI,IAAI,CAAC,aAAa,aAAa,SAAS,KAAK,CAAC;AASlE,SAAS,mBAAmB,KAAa,MAAyB,QAAQ,KAAc;AAC7F,MAAI,IAAI,oCAAoC,IAAK,QAAO;AACxD,MAAI;AACJ,MAAI;AACF,aAAS,IAAI,IAAI,GAAG;AAAA,EACtB,QAAQ;AACN,WAAO;AAAA,EACT;AACA,MAAI,OAAO,aAAa,SAAU,QAAO;AACzC,MAAI,OAAO,aAAa,WAAW,eAAe,IAAI,OAAO,QAAQ,EAAG,QAAO;AAC/E,SAAO;AACT;AAgBO,IAAM,cAAN,MAAuC;AAAA,EAG5C,YAA6B,MAA0B;AAA1B;AAAA,EAA2B;AAAA,EAF/C,OAAO;AAAA,EAIhB,MAAM,KAAK,OAAkC;AAC3C,QAAI,OAAO,UAAU,YAAY;AAC/B,cAAQ,kDAAkD,EAAE,MAAM,KAAK,KAAK,CAAC;AAC7E;AAAA,IACF;AACA,UAAM,EAAE,KAAK,OAAO,UAAU,IAAI,KAAK;AACvC,QAAI,CAAC,KAAK;AACR,cAAQ,+CAA+C,EAAE,MAAM,KAAK,KAAK,CAAC;AAC1E;AAAA,IACF;AACA,QAAI,CAAC,mBAAmB,GAAG,GAAG;AAC5B,cAAQ,2EAA2E;AAAA,QACjF,MAAM,KAAK;AAAA,QACX,MAAM,eAAe,GAAG;AAAA,MAC1B,CAAC;AACD;AAAA,IACF;AACA,QAAI;AACF,YAAM,MAAM,MAAM,MAAM,KAAK;AAAA,QAC3B,QAAQ;AAAA,QACR,SAAS;AAAA,UACP,gBAAgB;AAAA,UAChB,GAAI,QAAQ,EAAE,eAAe,UAAU,KAAK,GAAG,IAAI,CAAC;AAAA,QACtD;AAAA,QACA,MAAM,KAAK,UAAU,YAAY,KAAK,CAAC;AAAA,QACvC,QAAQ,YAAY,QAAQ,aAAa,GAAM;AAAA,MACjD,CAAC;AACD,UAAI,CAAC,IAAI,IAAI;AACX,iBAAS,uBAAuB,EAAE,MAAM,KAAK,MAAM,MAAM,eAAe,GAAG,GAAG,QAAQ,IAAI,OAAO,CAAC;AAAA,MACpG;AAAA,IACF,SAAS,KAAK;AACZ,eAAS,uBAAuB;AAAA,QAC9B,MAAM,KAAK;AAAA,QACX,MAAM,eAAe,GAAG;AAAA,QACxB,QAAQ,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAAA,MACzD,CAAC;AAAA,IACH;AAAA,EACF;AACF;;;AChFO,SAAS,WAAW,OAAkC;AAC3D,QAAM,UAAU,OAAO,SAAS,MAAM,MAAM,SAAS,IAAI,MAAM,QAAQ,CAAC,EAAE,MAAM,SAAkB,CAAC;AACnG,QAAM,QAAqB,CAAC;AAC5B,aAAW,KAAK,SAAS;AACvB,QAAI,EAAE,SAAS,WAAW;AACxB,UAAI,CAAC,EAAE,IAAK;AACZ,YAAM,KAAK,IAAI,YAAY;AAAA,QACzB,KAAK,EAAE;AAAA,QACP,OAAO,EAAE,SAAS,QAAQ,IAAI;AAAA,QAC9B,WAAW,EAAE;AAAA,MACf,CAAC,CAAC;AAAA,IACJ,OAAO;AACL,YAAM,KAAK,IAAI,WAAW,CAAC;AAAA,IAC7B;AAAA,EACF;AACA,SAAO,MAAM,SAAS,IAAI,QAAQ,CAAC,IAAI,WAAW,CAAC;AACrD;;;ACHO,SAAS,YAAY,OAAmC;AAC7D,MAAI,OAAO;AACX,aAAW,MAAM,OAAO;AACtB,UAAM,IAAI,WAAW,QAAQ,GAAG,QAAQ;AACxC,QAAI,IAAI,KAAM,QAAO;AAAA,EACvB;AACA,SAAO,WAAW,IAAI;AACxB;AAEA,IAAM,mBAAmB,IAAI,IAAY,sBAAsB;AAOxD,SAAS,uBAAuB,QAA8B;AACnE,MAAI,CAAC,OAAO,cAAc,SAAS,UAAU,EAAG,QAAO,CAAC;AACxD,QAAM,SAAS,OAAO,OAAO,YAAY,CAAC;AAC1C,QAAM,QAAQ,OAAO,MAAM,YAAY,CAAC;AACxC,QAAM,OAAO,oBAAI,IAAY,CAAC,GAAG,OAAO,KAAK,MAAM,GAAG,GAAG,OAAO,KAAK,KAAK,CAAC,CAAC;AAC5E,QAAM,YAAsB,CAAC;AAC7B,aAAW,KAAK,MAAM;AACpB,QAAI,CAAC,iBAAiB,IAAI,EAAE,YAAY,CAAC,EAAG;AAC5C,QAAI,gBAAiB,OAAmC,CAAC,CAAC,MAAM,gBAAiB,MAAkC,CAAC,CAAC,GAAG;AACtH,gBAAU,KAAK,CAAC;AAAA,IAClB;AAAA,EACF;AACA,SAAO,UAAU,KAAK;AACxB;AAGA,IAAM,UAAU,CAAC,UAAkB,KAAa,aAC9C,GAAG,QAAQ,KAAK,GAAG,MAAM,QAAQ;AAY5B,SAAS,cAAc,MAAoB,MAAY,oBAAI,KAAK,GAAe;AACpF,QAAM,QAA0B,CAAC;AAEjC,aAAW,KAAK,KAAK,MAAM,OAAO;AAChC,UAAM,KAAK,EAAE,MAAM,cAAc,KAAK,EAAE,IAAI,OAAO,EAAE,MAAM,UAAU,EAAE,MAAM,UAAU,OAAO,CAAC;AAAA,EACjG;AACA,aAAW,KAAK,KAAK,MAAM,SAAS;AAClC,UAAM,KAAK,EAAE,MAAM,gBAAgB,KAAK,EAAE,IAAI,OAAO,EAAE,MAAM,UAAU,EAAE,MAAM,UAAU,UAAU,CAAC;AAAA,EACtG;AACA,aAAW,KAAK,KAAK,MAAM,SAAS;AAClC,UAAM,iBAAiB,uBAAuB,CAAC;AAC/C,UAAM,WAAqB,eAAe,SAAS,IAAI,aAAa;AACpE,UAAM,KAAK;AAAA,MACT,MAAM;AAAA,MACN,KAAK,EAAE;AAAA,MACP,OAAO,EAAE,MAAM;AAAA,MACf,UAAU,EAAE,MAAM;AAAA,MAClB;AAAA,MACA,eAAe,EAAE;AAAA,MACjB,GAAI,eAAe,SAAS,IAAI,EAAE,eAAe,IAAI,CAAC;AAAA,IACxD,CAAC;AAAA,EACH;AACA,aAAW,KAAK,KAAK,MAAM,OAAO;AAChC,UAAM,KAAK;AAAA,MACT,MAAM;AAAA,MACN,KAAK,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,QAAQ;AAAA,MACnD,OAAO,GAAG,EAAE,QAAQ,WAAM,EAAE,QAAQ;AAAA,MACpC,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AACA,aAAW,KAAK,KAAK,MAAM,SAAS;AAClC,UAAM,KAAK;AAAA,MACT,MAAM;AAAA,MACN,KAAK,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,QAAQ;AAAA,MACnD,OAAO,GAAG,EAAE,QAAQ,WAAM,EAAE,QAAQ;AAAA,MACpC,UAAU;AAAA,IACZ,CAAC;AAAA,EACH;AAEA,SAAO;AAAA,IACL,MAAM,KAAK;AAAA,IACX,SAAS,KAAK;AAAA,IACd,SAAS,KAAK;AAAA,IACd,UAAU,YAAY,KAAK;AAAA,IAC3B;AAAA,IACA,aAAa,IAAI,YAAY;AAAA,EAC/B;AACF;AAGO,SAAS,iBAAiB,OAAmB,KAA2B;AAC7E,QAAM,UAAU,WAAW,QAAQ,GAAG;AACtC,QAAM,QAAQ,MAAM,MAAM,OAAO,CAAC,OAAO,WAAW,QAAQ,GAAG,QAAQ,KAAK,OAAO;AACnF,SAAO,EAAE,GAAG,OAAO,OAAO,UAAU,YAAY,KAAK,EAAE;AACzD;AAWA,eAAsB,SACpB,IAAmB,QAA2B,OAAwB,CAAC,GAC3C;AAE5B,QAAM,WAAW,GAAG,YAAY;AAChC,QAAM,YAAY,KAAK,WAAW,SAAS,CAAC,GAAG;AAC/C,QAAM,SAAS,KAAK,QAAQ,SAAS,CAAC,GAAG;AACzC,MAAI,CAAC,UAAU,CAAC,WAAW;AACzB,YAAQ,0CAA0C;AAClD,WAAO;AAAA,EACT;AACA,MAAI,WAAW,WAAW;AACxB,YAAQ,0DAA0D,EAAE,SAAS,UAAU,CAAC;AACxF,WAAO;AAAA,EACT;AAEA,QAAM,OAAO,GAAG,aAAa,QAAQ,SAAS;AAC9C,MAAI,QAAQ,cAAc,IAAI;AAC9B,UAAQ,iBAAiB,OAAO,KAAK,eAAe,OAAO,OAAO,eAAe,MAAM;AAEvF,QAAM,QAAQ,WAAW,OAAO,KAAK;AACrC,QAAM,UAAU,MAAM,QAAQ,WAAW,MAAM,IAAI,CAAC,MAAM,EAAE,KAAK,KAAK,CAAC,CAAC;AACxE,UAAQ,QAAQ,CAAC,GAAG,MAAM;AACxB,QAAI,EAAE,WAAW,YAAY;AAC3B,eAAS,uBAAuB;AAAA,QAC9B,MAAM,MAAM,CAAC,GAAG;AAAA,QAChB,QAAQ,EAAE,kBAAkB,QAAQ,EAAE,OAAO,UAAU,OAAO,EAAE,MAAM;AAAA,MACxE,CAAC;AAAA,IACH;AAAA,EACF,CAAC;AAGD,KAAG,YAAY,WAAW;AAAA,IACxB,WAAW;AAAA,IACX,SAAS;AAAA,IACT,KAAK,QAAQ;AAAA,IACb,SAAS,KAAK,UAAU,YAAY;AAAA,MAClC,MAAM;AAAA,MACN,SAAS;AAAA,MACT,UAAU,MAAM;AAAA,MAChB,OAAO,MAAM,MAAM;AAAA,MACnB,OAAO,MAAM,IAAI,CAAC,MAAM,EAAE,IAAI;AAAA,IAChC,CAAC,CAAC;AAAA,EACJ,CAAC;AAED,SAAO;AACT;;;ACtKA,SAAS,aAAa,gBAAgB;AACtC,SAAS,YAAY,aAAAC,YAAW,cAAc,eAAe,gBAAgB;AAC7E,SAAS,eAAe;AACxB,SAAS,WAAAC,UAAS,YAAY;AAWvB,SAAS,WAAW,OAAe,QAAQ,GAAW;AAC3D,SAAO,KAAK,MAAM,gBAAgB,SAAS;AAC7C;AAGA,IAAM,YAAY;AAGlB,SAAS,eAAe,MAAsB;AAC5C,MAAI,WAAW,IAAI,GAAG;AAEpB,QAAI;AACF,YAAM,OAAO,SAAS,IAAI,EAAE,OAAO;AACnC,UAAI,OAAO,IAAO;AAChB,gBAAQ,4DAAuD,IAAI;AAAA,MACrE;AAAA,IACF,QAAQ;AAAA,IAER;AACA,UAAM,MAAM,aAAa,MAAM,MAAM,EAAE,KAAK;AAC5C,UAAM,MAAM,OAAO,KAAK,KAAK,KAAK;AAClC,QAAI,IAAI,WAAW,UAAW,QAAO;AAErC,YAAQ,gEAA2D;AAAA,EACrE;AACA,EAAAC,WAAUC,SAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC5C,QAAM,SAAS,YAAY,SAAS;AACpC,gBAAc,MAAM,OAAO,SAAS,KAAK,GAAG,EAAE,MAAM,IAAM,CAAC;AAC3D,UAAQ,+FAA0F;AAClG,SAAO;AACT;AAQO,SAAS,WAAW,OAAsB,CAAC,GAAW;AAC3D,QAAM,OAAO,KAAK,WAAW,WAAW;AACxC,QAAM,SAAS,eAAe,IAAI;AAClC,QAAM,OAAO,KAAK,gBAAgB,KAAK,aAAa,KAAK,IAAI,KAAK,aAAa,KAAK,IAAI;AACxF,SAAO,OAAO,KAAK,SAAS,UAAU,QAAQ,OAAO,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;AACjF;AAOO,SAAS,aAAa,OAAsB,CAAC,GAAW;AAC7D,QAAM,OAAO,KAAK,WAAW,WAAW;AACxC,EAAAD,WAAUC,SAAQ,IAAI,GAAG,EAAE,WAAW,KAAK,CAAC;AAC5C,QAAM,SAAS,YAAY,SAAS;AACpC,gBAAc,MAAM,OAAO,SAAS,KAAK,GAAG,EAAE,MAAM,IAAM,CAAC;AAC3D,UAAQ,wGAAmG;AAC3G,QAAM,OAAO,KAAK,gBAAgB,KAAK,aAAa,KAAK,IAAI,KAAK,aAAa,KAAK,IAAI;AACxF,SAAO,OAAO,KAAK,SAAS,UAAU,QAAQ,OAAO,MAAM,CAAC,GAAG,MAAM,SAAS,CAAC;AACjF;AAGO,SAAS,QAAQ,QAAwB;AAC9C,SAAO,OAAO,KAAK,SAAS,UAAU,QAAQ,OAAO,KAAK,qBAAqB,GAAG,QAAQ,EAAE,CAAC;AAC/F;AAGO,SAAS,YAAY,QAAwB;AAClD,SAAO,OAAO,KAAK,SAAS,UAAU,QAAQ,OAAO,KAAK,yBAAyB,GAAG,YAAY,EAAE,CAAC;AACvG;;;AC9EA,SAAS,YAAY,gBAAgB,kBAAkB,eAAAC,oBAAmB;AAanE,IAAM,aACX;AAGF,IAAM,WAAW;AAGjB,IAAM,aAAa;AACnB,IAAM,WAAW;AAGjB,IAAM,eAAe;AACrB,SAAS,OAAO,KAAqB;AACnC,MAAI,OAAO;AACX,MAAI,QAAQ;AACZ,MAAI,MAAM;AACV,aAAW,QAAQ,KAAK;AACtB,YAAS,SAAS,IAAK;AACvB,YAAQ;AACR,WAAO,QAAQ,GAAG;AAChB,aAAO,aAAc,UAAW,OAAO,IAAM,EAAE;AAC/C,cAAQ;AAAA,IACV;AAAA,EACF;AACA,MAAI,OAAO,EAAG,QAAO,aAAc,SAAU,IAAI,OAAS,EAAE;AAC5D,SAAO;AACT;AAGA,SAAS,iBAAiB,WAAmB,KAAqB;AAChE,QAAM,KAAKC,aAAY,EAAE;AACzB,QAAM,SAAS,eAAe,eAAe,KAAK,EAAE;AACpD,QAAM,KAAK,OAAO,OAAO,CAAC,OAAO,OAAO,WAAW,MAAM,GAAG,OAAO,MAAM,CAAC,CAAC;AAC3E,QAAM,MAAM,OAAO,WAAW;AAC9B,SAAO,OAAO,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC,EAAE,SAAS,QAAQ;AACvD;AAEA,SAAS,iBAAiB,SAAiB,KAAiC;AAC1E,MAAI;AACF,UAAM,MAAM,OAAO,KAAK,SAAS,QAAQ;AACzC,UAAM,KAAK,IAAI,SAAS,GAAG,EAAE;AAC7B,UAAM,MAAM,IAAI,SAAS,IAAI,EAAE;AAC/B,UAAM,KAAK,IAAI,SAAS,EAAE;AAC1B,UAAM,WAAW,iBAAiB,eAAe,KAAK,EAAE;AACxD,aAAS,WAAW,GAAG;AACvB,WAAO,OAAO,OAAO,CAAC,SAAS,OAAO,EAAE,GAAG,SAAS,MAAM,CAAC,CAAC,EAAE,SAAS,MAAM;AAAA,EAC/E,QAAQ;AAEN,WAAO;AAAA,EACT;AACF;AAQO,SAAS,qBAAqB,WAAmB,MAAoB,QAAgB,IAA4B;AACtH,QAAM,SAAS,WAAW,UAAU,QAAQ,MAAM,CAAC,EAAE,OAAO,SAAS,EAAE,OAAO;AAC9E,QAAM,QAAQ,QAAQ,IAAI,IAAI,OAAO,OAAO,SAAS,GAAG,EAAE,CAAC,CAAC;AAC5D,MAAI,GAAI,IAAG,aAAa,OAAO,iBAAiB,WAAW,YAAY,MAAM,CAAC,CAAC;AAC/E,SAAO;AACT;AAQO,SAAS,mBAAmB,GAAW,QAAgB,IAA4B;AACxF,MAAI,MAAM;AAEV,QAAM,IAAI,QAAQ,YAAY,CAAC,MAAM,qBAAqB,GAAG,MAAM,QAAQ,EAAE,CAAC;AAE9E,QAAM,IAAI,QAAQ,UAAU,CAAC,MAAM,qBAAqB,GAAG,QAAQ,QAAQ,EAAE,CAAC;AAC9E,QAAM,IAAI,QAAQ,YAAY,CAAC,MAAM,qBAAqB,GAAG,QAAQ,QAAQ,EAAE,CAAC;AAEhF,QAAM,IAAI;AAAA,IAAQ;AAAA,IAAqD,CAAC,IAAI,MAAc,SACxF,GAAG,qBAAqB,MAAM,QAAQ,QAAQ,EAAE,CAAC,IAAI,qBAAqB,MAAM,QAAQ,QAAQ,EAAE,CAAC;AAAA,EACrG;AAEA,QAAM,IAAI,QAAQ,UAAU,CAAC,MAAM,qBAAqB,GAAG,QAAQ,QAAQ,EAAE,CAAC;AAC9E,SAAO;AACT;AAQO,SAAS,aAAa,OAAgB,QAAgB,IAA6B;AACxF,MAAI,OAAO,UAAU,SAAU,QAAO,mBAAmB,OAAO,QAAQ,EAAE;AAC1E,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,CAAC,MAAM,aAAa,GAAG,QAAQ,EAAE,CAAC;AAC7E,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,MAA+B,CAAC;AACtC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAgC,EAAG,KAAI,CAAC,IAAI,aAAa,GAAG,QAAQ,EAAE;AAC1G,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAOO,SAAS,iBAAiB,OAAe,QAAgB,IAAuC;AACrG,QAAM,UAAU,GAAG,YAAY,KAAK;AACpC,MAAI,WAAW,KAAM,QAAO;AAC5B,QAAM,YAAY,iBAAiB,SAAS,YAAY,MAAM,CAAC;AAC/D,MAAI,cAAc,QAAW;AAC3B,aAAS,wFAAwF;AAAA,EACnG;AACA,SAAO;AACT;;;AC1IA,SAAS,WAAW,wBAAwB;AAC5C,SAAS,KAAAC,UAAS;;;ACWX,IAAM,wBAAwB;AAAA,EACnC,cAAc;AAAA,EACd,kBAAkB;AAAA,EAClB,gBAAgB;AAAA,EAChB,QAAQ;AACV;AA0BA,IAAM,gBAAgB;AAGtB,IAAM,cAAqE;AAAA,EACzE,CAAC,kBAAkB,iBAAiB,GAAG;AAAA,EACvC,CAAC,iDAAiD,iBAAiB,IAAI;AAAA,EACvE,CAAC,+CAA+C,iBAAiB,SAAS;AAAA,EAC1E,CAAC,mEAAmE,iBAAiB,KAAK;AAAA,EAC1F,CAAC,aAAa,iBAAiB,IAAI;AACrC;AAIA,IAAM,WAAqB;AAAA,EACzB;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACA,IAAM,aAAuB;AAAA,EAC3B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;AACA,IAAM,YAAsB;AAAA,EAC1B;AAAA,EACA;AAAA,EACA;AACF;AAEA,SAAS,WAAW,OAAe,MAA+B;AAChE,aAAW,MAAM,MAAM;AACrB,UAAM,IAAI,MAAM,MAAM,EAAE;AACxB,QAAI,GAAG,QAAQ,QAAS,QAAO,EAAE,OAAO;AAAA,EAC1C;AACA,SAAO;AACT;AAEA,SAAS,aAAa,GAAmB;AACvC,SAAO,EAAE,QAAQ,gBAAgB,EAAE,EAAE,QAAQ,mCAAmC,EAAE,EAAE,KAAK;AAC3F;AAEA,SAAS,iBAAiB,MAA+C;AACvE,QAAM,MAAM,oBAAI,IAAc;AAC9B,aAAW,CAAC,IAAI,KAAK,KAAK,YAAa,KAAI,GAAG,KAAK,IAAI,EAAG,YAAW,KAAK,MAAO,KAAI,IAAI,CAAC;AAC1F,SAAO,IAAI,OAAO,IAAI,CAAC,GAAG,GAAG,IAAI;AACnC;AAGO,SAAS,aAAa,KAAuB;AAClD,QAAM,QAAQ,kBAAkB,GAAG,EAAE,MAAM,GAAG,aAAa,EAAE,KAAK;AAElE,MAAI,WAAuB;AAC3B,MAAI,OAAO,WAAW,OAAO,QAAQ;AACrC,MAAI,SAAS,KAAM,YAAW;AAAA,YACpB,OAAO,WAAW,OAAO,UAAU,OAAO,KAAM,YAAW;AAAA,YAC3D,OAAO,WAAW,OAAO,SAAS,OAAO,KAAM,YAAW;AAEpE,QAAM,WAAW,SAAS;AAC1B,QAAM,eAAe,aAAa,QAAQ,KAAK;AAG/C,QAAM,WAAW,SAAS,OAAO,QAAQ,MAAM,QAAQ,MAAM,GAAG;AAChE,QAAM,aAAa,iBAAiB,QAAQ;AAG5C,SAAO,EAAE,OAAO,cAAc,UAAU,WAAW,sBAAsB,QAAQ,GAAG,YAAY,SAAS;AAC3G;AAGA,eAAsB,eACpB,IACA,WACA,QACA,QACA,OAAuB,CAAC,GACA;AACxB,QAAM,cAAc,KAAK,eAAe;AAGxC,MAAI,OAAO,aAAa,QAAQ;AAC9B,UAAMC,WAAU,MAAM,OAAO,IAAI,WAAW,OAAO,cAAc,EAAE,OAAO,OAAO,YAAY,OAAO,YAAY,CAAC;AACjH,aAAS,eAAe,EAAE,UAAU,QAAQ,YAAY,OAAO,YAAY,UAAU,GAAG,SAASA,SAAQ,OAAO,CAAC;AACjH,WAAO,EAAE,QAAQ,SAAAA,UAAS,OAAOA,SAAQ,IAAI,CAAC,MAAM,EAAE,IAAI,GAAG,OAAO,CAAC,EAAE;AAAA,EACzE;AAIA,QAAM,UAAU,MAAM,OAAO,IAAI,WAAW,OAAO,cAAc,EAAE,OAAO,YAAY,CAAC;AACvF,MAAI,QAAQ,WAAW,GAAG;AACxB,aAAS,eAAe,EAAE,UAAU,OAAO,UAAU,SAAS,GAAG,SAAS,EAAE,CAAC;AAC7E,WAAO,EAAE,QAAQ,SAAS,OAAO,CAAC,GAAG,OAAO,CAAC,EAAE;AAAA,EACjD;AACA,QAAM,OAAO,QAAQ,CAAC,EAAE;AACxB,QAAM,OAAO,GAAG,gBAAgB,WAAW,KAAK,IAAI,EAAE,WAAW,OAAO,WAAW,UAAU,KAAK,YAAY,EAAE,CAAC;AACjH,QAAM,QAAQ,OAAO,aAAa,IAAI,IAAY,OAAO,UAAU,IAAI;AACvE,QAAM,QAAQ,QAAQ,KAAK,MAAM,OAAO,CAAC,MAAM,MAAM,IAAI,EAAE,IAAI,CAAC,IAAI,KAAK;AAEzE,WAAS,eAAe;AAAA,IACtB,UAAU,OAAO;AAAA,IAAU,WAAW,OAAO;AAAA,IAC7C,YAAY,OAAO,YAAY,UAAU;AAAA,IAAG,SAAS,QAAQ;AAAA,IAAQ,SAAS,MAAM;AAAA,EACtF,CAAC;AACD,SAAO,EAAE,QAAQ,SAAS,OAAO,OAAO,KAAK,MAAM;AACrD;;;ADxIA,IAAM,cAAc;AACpB,IAAM,iBAAiB;AAEvB,IAAM,gBAAgB,iBAAiB;AACvC,IAAM,aAAa,iBAAiB;AA4CpC,IAAM,gBAA0B,OAAO,IAAI,WAAW,OAAO,SAC3D,GAAG,YAAY,WAAW,OAAO,EAAE,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE;AAGrG,SAAS,YAAY,GAAqC;AACxD,SAAO;AAAA,IACL,IAAI,EAAE;AAAA,IACN,MAAM,EAAE;AAAA,IACR,MAAM,EAAE;AAAA,IACR,YAAY,EAAE;AAAA,IACd,GAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,OAAO,IAAI,CAAC;AAAA,IACvC,GAAI,EAAE,KAAK,SAAS,EAAE,MAAM,EAAE,KAAK,IAAI,CAAC;AAAA,EAC1C;AACF;AAEA,SAAS,KAAK,MAAe;AAC3B,SAAO,EAAE,SAAS,CAAC,EAAE,MAAM,QAAiB,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,EAAE,CAAC,EAAE;AACrF;AAGA,SAAS,aAAa,GAA+C;AACnE,SAAO,SAAS;AAClB;AAEA,SAAS,YAAY,GAAsC;AACzD,QAAM,SAAS,aAAa,CAAC,IACzB,sCAAiC,EAAE,GAAG,KAAK,EAAE,YAAY,eAAe,EAAE,iBAAiB,IAAI,KAAK,GAAG,MACvG,4CAAuC,EAAE,SAAS;AACtD,QAAM,QAAQ;AAAA,IACZ;AAAA,IACA;AAAA,IACA,WAAW,EAAE,OAAO,KAAK,WAAW,EAAE,OAAO,KAAK;AAAA,IAClD;AAAA,IACA;AAAA,IACA,GAAG,OAAO,QAAQ,EAAE,WAAW,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE;AAAA,IAC7F;AAAA,IACA;AAAA,IACA,GAAG,OAAO,QAAQ,EAAE,aAAa,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE;AAAA,IAC/F;AAAA,IACA;AAAA,IACA,GAAG,OAAO,QAAQ,EAAE,mBAAmB,EAAE,KAAK,CAAC,GAAG,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE;AAAA,IACrG;AAAA,IACA;AAAA,IACA,GAAG,EAAE,aAAa,IAAI,CAAC,MAAM,OAAO,EAAE,EAAE,KAAK,EAAE,IAAI,mBAAc,EAAE,MAAM,EAAE;AAAA;AAAA,IAE3E,GAAI,CAAC,aAAa,CAAC,IACf;AAAA,MAAC;AAAA,MAAI,cAAc,EAAE,UAAU,MAAM;AAAA,MACpC,GAAI,EAAE,UAAU,WAAW,IACvB,CAAC,UAAU,IACX,EAAE,UAAU,MAAM,GAAG,EAAE,EAAE,IAAI,CAAC,MAAM,QAAQ,EAAE,QAAQ,KAAK,EAAE,IAAI,KAAK,EAAE,MAAM,WAAM,EAAE,MAAM,EAAE;AAAA,IAAE,IACrG,CAAC;AAAA;AAAA,IAEL,GAAI,CAAC,aAAa,CAAC,KAAK,EAAE,aAAa,SACnC,CAAC,IAAI,mBAAmB,GAAG,EAAE,aAAa,IAAI,CAAC,MAAM,OAAO,EAAE,MAAM,KAAK,EAAE,QAAQ,IAAI,EAAE,MAAM,MAAM,EAAE,KAAK,KAAK,EAAE,KAAK,SAAS,CAAC,IAClI,CAAC;AAAA,IACL,GAAI,CAAC,aAAa,CAAC,KAAK,EAAE,aAAa,WACnC,CAAC,IAAI,kBAAkB,EAAE,aAAa,QAAQ,IAAI,EAAE,aAAa,KAAK,mBAAmB,IACzF,CAAC;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACA,SAAO,MAAM,KAAK,IAAI;AACxB;AAKO,SAAS,gBAAgB,OAA+B,CAAC,GAAc;AAC5E,QAAM,KAAK,KAAK,MAAM,IAAI,cAAc,KAAK,UAAU,cAAc,EAAE,MAAM;AAC7E,QAAM,SAAS,KAAK,UAAU;AAC9B,QAAM,SAAS,gBAAgB,KAAK,MAAM;AAG1C,QAAM,MAAM,KAAK,QAAQ,SAAY,gBAAgB,KAAK,GAAG,IAAI;AAQjE,QAAM,iBAAiB,MAA0B;AAC/C,QAAI,KAAK,WAAW,KAAK,YAAY,UAAU;AAC7C,YAAM,IAAI,GAAG,WAAW,KAAK,OAAO;AACpC,aAAO,KAAK,EAAE,WAAW,SAAS,EAAE,KAAK;AAAA,IAC3C;AACA,WAAO,GAAG,iBAAiB,YAAY,MAAM,GAAG,MAAM,GAAG,iBAAiB,QAAW,MAAM,GAAG;AAAA,EAChG;AAEA,QAAM,SAAS,IAAI;AAAA,IACjB,EAAE,MAAM,aAAa,SAAS,eAAe;AAAA,IAC7C;AAAA,MACE,cAAc,EAAE,WAAW,EAAE,WAAW,MAAM,aAAa,KAAK,GAAG,OAAO,CAAC,GAAG,SAAS,CAAC,GAAG,SAAS,CAAC,EAAE;AAAA,MACvG,cACE;AAAA,IAGJ;AAAA,EACF;AAIA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,EAAE,OAAO,oBAAoB,aAAa,4EAAuE,UAAU,gBAAgB;AAAA,IAC3I,CAAC,QAAQ;AACP,UAAI,QAAQ,QAAW;AACrB,eAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,iBAAiB,MAAM,YAAY,GAAG,cAAc,GAAG,CAAC,EAAE,CAAC,EAAE;AAAA,MAC9G;AACA,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,iBAAiB,MAAM,mDAAmD,CAAC,EAAE;AACtI,aAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,iBAAiB,MAAM,YAAY,GAAG,gBAAgB,GAAG,CAAC,EAAE,CAAC,EAAE;AAAA,IAChH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,EAAE,OAAO,gBAAgB,aAAa,kEAAkE,UAAU,mBAAmB;AAAA,IACrI,CAAC,QAAQ;AACP,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,OAAO,8BAA8B,CAAC,EAAE,CAAC,EAAE;AAC/I,YAAM,IAAI,GAAG,gBAAgB,GAAG;AAChC,aAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,cAAc,EAAE,cAAc,aAAa,EAAE,aAAa,cAAc,EAAE,aAAa,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,IAClM;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,EAAE,OAAO,cAAc,aAAa,wDAAwD,UAAU,mBAAmB;AAAA,IACzH,CAAC,QAAQ;AACP,YAAM,MAAM,eAAe;AAC3B,YAAM,QAAQ,MAAM,GAAG,SAAS,GAAG,IAAI,CAAC;AACxC,aAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,OAAO,MAAM,QAAQ,OAAO,MAAM,IAAI,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,EAAE,KAAK,EAAE,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,IACpM;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,IAAI,iBAAiB,4BAA4B,EAAE,MAAM,OAAU,CAAC;AAAA,IACpE,EAAE,OAAO,eAAe,aAAa,6CAA6C,UAAU,mBAAmB;AAAA,IAC/G,CAAC,KAAK,cAAc;AAClB,YAAM,MAAM,eAAe;AAC3B,YAAM,KAAK,mBAAmB,OAAO,UAAU,IAAI,CAAC,CAAC;AACrD,YAAM,OAAO,MAAM,GAAG,QAAQ,KAAK,EAAE,IAAI;AACzC,UAAI,CAAC,KAAM,QAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,OAAO,mBAAmB,EAAE,GAAG,CAAC,EAAE,CAAC,EAAE;AAC1I,YAAM,QAAQ,GAAG,SAAS,GAAI,EAAE,OAAO,CAAC,MAAM,EAAE,aAAa,MAAM,EAAE,aAAa,EAAE;AACpF,aAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,IACvH;AAAA,EACF;AAEA,QAAM,oBAAoB,CAAC,MAAc,KAAa,OAAe,UACnE,OAAO,iBAAiB,MAAM,KAAK,EAAE,OAAO,aAAa,kBAAkB,MAAM,KAAK,IAAI,CAAC,KAAK,UAAU,mBAAmB,GAAG,CAAC,MAAM;AACrI,UAAM,MAAM,eAAe;AAC3B,UAAM,QAAQ,MAAM,GAAG,eAAe,KAAK,KAAK,IAAI,CAAC;AACrD,WAAO,EAAE,UAAU,CAAC,EAAE,KAAK,EAAE,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,OAAO,MAAM,QAAQ,OAAO,MAAM,IAAI,WAAW,EAAE,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,EAC5J,CAAC;AAEH,oBAAkB,YAAY,0BAA0B,YAAY,aAAa;AACjF,oBAAkB,aAAa,2BAA2B,eAAe,UAAU;AAEnF,SAAO;AAAA,IACL;AAAA,IACA,IAAI,iBAAiB,mCAAmC,EAAE,MAAM,OAAU,CAAC;AAAA,IAC3E,EAAE,OAAO,gBAAgB,aAAa,iDAAiD,UAAU,mBAAmB;AAAA,IACpH,CAAC,KAAK,cAAc;AAClB,YAAM,MAAM,eAAe;AAC3B,YAAM,KAAK,mBAAmB,OAAO,UAAU,IAAI,CAAC,CAAC;AACrD,UAAI,CAAC,IAAK,QAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,EAAE,OAAO,aAAa,CAAC,EAAE,CAAC,EAAE;AAC9H,YAAM,IAAI,GAAG,gBAAgB,KAAK,IAAI,EAAE,WAAW,cAAc,UAAU,EAAE,CAAC;AAC9E,aAAO,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU;AAAA,QACtF,MAAM;AAAA,QACN,OAAO,EAAE,MAAM;AAAA,QACf,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE;AAAA,QACjE,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,EAAE,UAAU,KAAK,EAAE,cAAc,YAAY,EAAE,YAAY,UAAU,EAAE,SAAS,EAAE;AAAA,MACvI,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,IACjB;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA,EAAE,OAAO,sBAAsB,aAAa,0CAA0C,UAAU,mBAAmB;AAAA,IACnH,CAAC,SAAS,EAAE,UAAU,CAAC,EAAE,KAAK,IAAI,MAAM,UAAU,oBAAoB,MAAM,KAAK,UAAU,GAAG,YAAY,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,EAAE;AAAA,EACjI;AAKA,QAAM,WAAW,EAAE,cAAc,MAAM,eAAe,MAAM;AAE5D,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,wBAAwB,aAAa,kGAAkG,aAAa,CAAC,GAAG,aAAa,SAAS;AAAA,IACvL,MAAM;AACJ,UAAI,QAAQ,OAAW,QAAO,KAAK,GAAG,cAAc,GAAG,CAAC;AACxD,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,aAAO,KAAK,GAAG,gBAAgB,GAAG,CAAC;AAAA,IACrC;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,oBAAoB,aAAa,4EAA4E,aAAa,CAAC,GAAG,aAAa,SAAS;AAAA,IAC7J,MAAM;AACJ,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,IAAI,GAAG,gBAAgB,GAAG;AAChC,aAAO,KAAK,EAAE,cAAc,EAAE,cAAc,aAAa,EAAE,aAAa,cAAc,EAAE,aAAa,CAAC;AAAA,IACxG;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,aAAa;AAAA,QACX,OAAOC,GAAE,OAAO,EAAE,SAAS,oDAAoD;AAAA,QAC/E,OAAOA,GAAE,MAAMA,GAAE,KAAK,UAAU,CAAC,EAAE,SAAS,EAAE,SAAS,8BAA8B;AAAA,QACrF,OAAOA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE,EAAE,SAAS;AAAA,MAC/D;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,OAAO,SAAS;AACd,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,UAAU,MAAM,OAAO,IAAI,KAAK,KAAK,OAAO,EAAE,OAAO,KAAK,OAAO,OAAO,KAAK,SAAS,GAAG,CAAC;AAChG,aAAO,KAAK,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAQ,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,EAAE,IAAI,GAAG,GAAI,EAAE,UAAU,SAAY,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,EAAG,EAAE,EAAE,CAAC;AAAA,IACxJ;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,aAAa,EAAE,OAAOA,GAAE,OAAO,GAAG,OAAOA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE,EAAE,SAAS,EAAE;AAAA,MACjG,aAAa;AAAA,IACf;AAAA,IACA,OAAO,SAAS;AACd,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,UAAU,MAAM,OAAO,IAAI,KAAK,KAAK,OAAO,EAAE,OAAO,KAAK,SAAS,GAAG,CAAC;AAC7E,aAAO,KAAK,EAAE,OAAO,QAAQ,QAAQ,SAAS,QAAQ,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,EAAE,IAAI,GAAG,GAAI,EAAE,UAAU,SAAY,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,EAAG,EAAE,EAAE,CAAC;AAAA,IACxJ;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,aAAa,EAAE,MAAMA,GAAE,KAAK,CAAC,YAAY,aAAa,KAAK,CAAC,EAAE,QAAQ,KAAK,EAAE,SAAS,EAAE;AAAA,MACxF,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AACR,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,OAAO,KAAK,QAAQ;AAC1B,YAAM,QAAQ,SAAS,aAAa,gBAAgB,SAAS,cAAc,aAAa,CAAC,GAAG,eAAe,GAAG,UAAU;AACxH,aAAO,KAAK,GAAG,eAAe,KAAK,KAAK,EAAE,IAAI,WAAW,CAAC;AAAA,IAC5D;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,YAAY,aAAa,gDAAgD,aAAa,EAAE,IAAIA,GAAE,OAAO,EAAE,GAAG,aAAa,SAAS;AAAA,IACzI,CAAC,SAAS;AACR,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,OAAO,GAAG,QAAQ,KAAK,KAAK,EAAE;AACpC,UAAI,CAAC,KAAM,QAAO,KAAK,EAAE,OAAO,mBAAmB,KAAK,EAAE,GAAG,CAAC;AAC9D,YAAM,QAAQ,GAAG,SAAS,GAAG,EAAE,OAAO,CAAC,MAAM,EAAE,aAAa,KAAK,MAAM,EAAE,aAAa,KAAK,EAAE;AAC7F,aAAO,KAAK,EAAE,MAAM,MAAM,CAAC;AAAA,IAC7B;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,aAAa;AAAA,QACX,IAAIA,GAAE,OAAO;AAAA,QACb,WAAWA,GAAE,KAAK,CAAC,cAAc,YAAY,MAAM,CAAC,EAAE,QAAQ,YAAY,EAAE,SAAS;AAAA,QACrF,UAAUA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,CAAC,EAAE,SAAS;AAAA,QAC9D,eAAeA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,SAAS,EAAE,SAAS,0CAA0C;AAAA,MACxG;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AACR,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,IAAI,GAAG,gBAAgB,KAAK,KAAK,IAAI,EAAE,WAAW,KAAK,aAAa,cAAc,UAAU,KAAK,YAAY,EAAE,CAAC;AACtH,YAAM,gBAAgB,KAAK,iBAAiB;AAC5C,aAAO,KAAK;AAAA,QACV,MAAM,EAAE,OAAO,YAAY,EAAE,IAAI,IAAI;AAAA,QACrC,WAAW,EAAE;AAAA,QACb,OAAO,EAAE,MAAM;AAAA,QACf,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,GAAG,OAAO,EAAE,MAAM,EAAE;AAAA,QACjE,OAAO,EAAE,MACN,OAAO,CAAC,MAAM,EAAE,cAAc,aAAa,EAC3C,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,EAAE,UAAU,KAAK,EAAE,cAAc,YAAY,EAAE,YAAY,UAAU,EAAE,SAAS,EAAE;AAAA,MAC3H,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aACE;AAAA,MAIF,aAAa;AAAA,QACX,OAAOA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,GAAI,EAAE,SAAS,8CAA8C;AAAA,QAC1F,UAAUA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,QAAQ,CAAC,EAAE,SAAS;AAAA,MAChE;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,OAAO,SAAS;AACd,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,SAAS,aAAa,KAAK,KAAK;AACtC,YAAM,IAAI,MAAM,eAAe,IAAI,KAAK,QAAQ,QAAQ,EAAE,UAAU,KAAK,YAAY,EAAE,CAAC;AACxF,aAAO,KAAK;AAAA,QACV,QAAQ;AAAA,UACN,OAAO,EAAE,OAAO;AAAA,UAAO,cAAc,EAAE,OAAO;AAAA,UAC9C,UAAU,EAAE,OAAO;AAAA,UAAU,WAAW,EAAE,OAAO,aAAa;AAAA,UAC9D,YAAY,EAAE,OAAO,cAAc;AAAA,UAAM,UAAU,EAAE,OAAO;AAAA,QAC9D;AAAA,QACA,SAAS,EAAE,QAAQ,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,EAAE,IAAI,GAAG,GAAI,EAAE,UAAU,SAAY,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,EAAG,EAAE;AAAA,QAChH,OAAO,EAAE,MAAM;AAAA,QACf,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,CAAC,GAAG,GAAI,EAAE,UAAU,SAAY,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC,EAAG,EAAE;AAAA,QACvG,OAAO,EAAE,MAAM,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,EAAE,UAAU,KAAK,EAAE,aAAa,EAAE;AAAA,MACvF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aACE;AAAA,MAGF,aAAa;AAAA,QACX,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,2DAA2D;AAAA,QAChG,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,mDAAmD;AAAA,MAC7F;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AAER,YAAM,WAAW,GAAG,YAAY,MAAM;AACtC,YAAM,YAAY,KAAK,WAAW,SAAS,CAAC,GAAG;AAC/C,YAAM,SAAS,KAAK,QAAQ,SAAS,CAAC,GAAG;AACzC,UAAI,CAAC,UAAU,CAAC,UAAW,QAAO,KAAK,EAAE,OAAO,gDAAgD,CAAC;AACjG,UAAI,WAAW,UAAW,QAAO,KAAK,EAAE,OAAO,yCAAyC,CAAC;AACzF,YAAM,IAAI,GAAG,aAAa,QAAQ,SAAS;AAC3C,aAAO,KAAK;AAAA,QACV,MAAM,EAAE;AAAA,QACR,SAAS,EAAE;AAAA,QACX,SAAS,EAAE;AAAA,QACX,OAAO;AAAA,UACL,OAAO,EAAE,MAAM,MAAM,IAAI,WAAW;AAAA,UACpC,SAAS,EAAE,MAAM,QAAQ,IAAI,WAAW;AAAA,UACxC,SAAS,EAAE,MAAM,QAAQ,IAAI,CAAC,OAAO,EAAE,GAAG,YAAY,EAAE,KAAK,GAAG,eAAe,EAAE,cAAc,EAAE;AAAA,QACnG;AAAA,QACA,OAAO;AAAA,UACL,OAAO,EAAE,MAAM,MAAM,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,EAAE,UAAU,KAAK,EAAE,aAAa,EAAE;AAAA,UAC3F,SAAS,EAAE,MAAM,QAAQ,IAAI,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,IAAI,EAAE,UAAU,KAAK,EAAE,aAAa,EAAE;AAAA,QACjG;AAAA,QACA,WAAW;AAAA,UACT,OAAO,EAAE,UAAU;AAAA,UACnB,WAAW,EAAE,UAAU,KAAK;AAAA,UAC5B,cAAc,EAAE,UAAU,QAAQ;AAAA,QACpC;AAAA,MACF,CAAC;AAAA,IACH;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aACE;AAAA,MAGF,aAAa;AAAA,QACX,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,mDAAmD;AAAA,QACxF,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,2CAA2C;AAAA,QACnF,aAAaA,GAAE,KAAK,CAAC,QAAQ,WAAW,UAAU,CAAC,EAAE,SAAS,EAAE,SAAS,gCAAgC;AAAA,MAC3G;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AAER,YAAM,WAAW,GAAG,YAAY,MAAM;AACtC,YAAM,YAAY,KAAK,WAAW,SAAS,CAAC,GAAG;AAC/C,YAAM,SAAS,KAAK,QAAQ,SAAS,CAAC,GAAG;AACzC,UAAI,CAAC,UAAU,CAAC,UAAW,QAAO,KAAK,EAAE,OAAO,gDAAgD,CAAC;AACjG,UAAI,WAAW,UAAW,QAAO,KAAK,EAAE,OAAO,yCAAyC,CAAC;AACzF,UAAI,QAAQ,cAAc,GAAG,aAAa,QAAQ,SAAS,CAAC;AAC5D,UAAI,KAAK,YAAa,SAAQ,iBAAiB,OAAO,KAAK,WAAW;AACtE,aAAO,KAAK,YAAY,KAAK,CAAC;AAAA,IAChC;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aACE;AAAA,MAEF,aAAa;AAAA,QACX,SAASA,GAAE,OAAO,EAAE,QAAQ,UAAU,EAAE,SAAS,EAAE,SAAS,kCAAkC;AAAA,QAC9F,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,0CAA0C;AAAA,MACpF;AAAA,MACA,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AACR,YAAM,MAAM,KAAK,WAAW,eAAe;AAC3C,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,OAAO,KAAK,WAAW;AAC7B,YAAM,KAAK,WAAW,IAAI;AAC1B,UAAI,CAAC,GAAI,QAAO,KAAK,EAAE,OAAO,oBAAoB,IAAI,IAAI,WAAW,aAAa,EAAE,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC;AACxG,aAAO,KAAK,GAAG,aAAa,KAAK,EAAE,CAAC;AAAA,IACtC;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,aAAa,EAAE,OAAOA,GAAE,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,IAAI,GAAG,EAAE,QAAQ,EAAE,EAAE,SAAS,EAAE;AAAA,MAC9E,aAAa;AAAA,IACf;AAAA,IACA,CAAC,SAAS;AACR,YAAM,MAAM,eAAe;AAC3B,UAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,8BAA8B,CAAC;AAC9D,YAAM,SAAS,GAAG,UAAU,GAAG,EAAE,MAAM,EAAE,KAAK,SAAS,GAAG;AAC1D,aAAO,KAAK,EAAE,OAAO,OAAO,QAAQ,OAAO,CAAC;AAAA,IAC9C;AAAA,EACF;AAEA,MAAI,KAAK,WAAW;AAClB,UAAM,YAAY,KAAK;AACvB,WAAO;AAAA,MACL;AAAA,MACA;AAAA,QACE,OAAO;AAAA,QACP,aAAa;AAAA,QACb,aAAa;AAAA,UACX,MAAMA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,6CAA6C;AAAA,UAClF,QAAQA,GAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,2FAA2F;AAAA,QACrI;AAAA;AAAA,QAEA,aAAa,EAAE,cAAc,OAAO,iBAAiB,OAAO,eAAe,KAAK;AAAA,MAClF;AAAA,MACA,OAAO,SAAS;AACd,YAAI,MAAM,eAAe;AACzB,YAAI,KAAK,QAAQ;AAEf,cAAI,CAAC,IAAK,QAAO,KAAK,EAAE,OAAO,6CAA6C,CAAC;AAAA,QAC/E,WAAW,CAAC,KAAK;AACf,gBAAM,GAAG,cAAc,YAAY,cAAc,GAAG,MAAM;AAAA,QAC5D;AACA,cAAM,SAAS,MAAM,UAAU,IAAI,KAAK,EAAE,MAAM,KAAK,MAAM,MAAM,KAAK,SAAS,WAAW,UAAU,CAAC;AAGrG,cAAM,OAAO,GAAG,WAAW,GAAG;AAC9B,YAAI,QAAQ,CAAC,KAAK,KAAM,IAAG,eAAe,KAAK,kBAAkB,GAAG,gBAAgB,GAAG,GAAG,KAAK,SAAS,CAAC;AACzG,eAAO,OAAO,oBAAoB,EAAE,KAAK,8BAA8B,CAAC,EAAE,MAAM,CAAC,QAAiB;AAChG,kBAAQ,OAAO,MAAM,0DAA0D,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,CAAI;AAAA,QACrI,CAAC;AACD,eAAO,OAAO,0BAA0B;AACxC,eAAO,KAAK;AAAA,UACV,SAAS;AAAA,UAAK,OAAO,OAAO;AAAA,UAAO,OAAO,OAAO;AAAA,UACjD,GAAI,OAAO,QAAQ,EAAE,SAAS,OAAO,MAAM,QAAQ,IAAI,CAAC;AAAA,QAC1D,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAIA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,wBAAwB,aAAa,2FAA2F;AAAA,IACzI,OAAO;AAAA,MACL,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MACrC,mUAG0C;AAAA,MAAE,CAAC;AAAA,IACnD;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,YAAY,EAAE,SAASA,GAAE,OAAO,EAAE,SAAS,yBAAyB,EAAE;AAAA,IACxE;AAAA,IACA,CAAC,UAAU;AAAA,MACT,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MACrC,uCAAuC,KAAK,OAAO,oMAEM;AAAA,MAAE,CAAC;AAAA,IAClE;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,wBAAwB,aAAa,kEAAkE;AAAA,IAChH,OAAO;AAAA,MACL,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MACrC,mRAEgF;AAAA,MAAE,CAAC;AAAA,IACzF;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,qBAAqB,aAAa,kDAAkD;AAAA,IAC7F,OAAO;AAAA,MACL,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MACrC,2PAEmE;AAAA,MAAE,CAAC;AAAA,IAC5E;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA,EAAE,OAAO,iCAAiC,aAAa,4DAA4D;AAAA,IACnH,OAAO;AAAA,MACL,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MACrC,6VAGqC;AAAA,MAAE,CAAC;AAAA,IAC9C;AAAA,EACF;AAEA,SAAO;AAAA,IACL;AAAA,IACA;AAAA,MACE,OAAO;AAAA,MACP,aAAa;AAAA,MACb,YAAY,EAAE,SAASA,GAAE,OAAO,EAAE,SAAS,EAAE,SAAS,+CAA+C,EAAE;AAAA,IACzG;AAAA,IACA,CAAC,UAAU;AAAA,MACT,UAAU,CAAC;AAAA,QACT,MAAM;AAAA,QAAQ,SAAS,EAAE,MAAM,QAAQ,MAAM,KAAK,UAC9C,uCAAuC,KAAK,OAAO,iNAGnD,uQAEmD;AAAA,MAAE,CAAC;AAAA,IAC9D;AAAA,EACF;AAEA,SAAO;AACT;;;AEroBA,SAAS,kBAAkB;AAC3B,OAAO,UAAU;AACjB,SAAS,4BAA4B;AACrC,SAAS,qCAAqC;AAI9C,eAAsB,SAAS,QAAkC;AAC/D,QAAM,YAAY,IAAI,qBAAqB;AAC3C,QAAM,OAAO,QAAQ,SAAS;AAChC;AA0BA,IAAM,mBAAmB,IAAI,OAAO;AAOpC,eAAe,eAAe,KAA2B,KAA6D;AACpH,QAAM,SAAmB,CAAC;AAC1B,MAAI,QAAQ;AACZ,MAAI,WAAW;AACf,mBAAiB,SAAS,KAAK;AAC7B,QAAI,SAAU;AACd,UAAM,MAAM;AACZ,aAAS,IAAI;AACb,QAAI,QAAQ,KAAK;AAAE,iBAAW;AAAM,aAAO,SAAS;AAAG;AAAA,IAAU;AACjE,WAAO,KAAK,GAAG;AAAA,EACjB;AACA,MAAI,SAAU,QAAO,EAAE,UAAU,MAAM,OAAO,OAAU;AACxD,MAAI,OAAO,WAAW,EAAG,QAAO,EAAE,UAAU,OAAO,OAAO,OAAU;AACpE,MAAI;AAAE,WAAO,EAAE,UAAU,OAAO,OAAO,KAAK,MAAM,OAAO,OAAO,MAAM,EAAE,SAAS,MAAM,CAAC,EAAE;AAAA,EAAG,QACvF;AAAE,WAAO,EAAE,UAAU,OAAO,OAAO,OAAU;AAAA,EAAG;AACxD;AAGA,SAAS,gBAAgB,GAAW,GAAoB;AACtD,MAAI,EAAE,WAAW,EAAE,OAAQ,QAAO;AAClC,MAAI,OAAO;AACX,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,IAAK,SAAQ,EAAE,WAAW,CAAC,IAAI,EAAE,WAAW,CAAC;AAC3E,SAAO,SAAS;AAClB;AAGA,SAAS,YAAY,QAAgD;AACnE,MAAI,CAAC,OAAQ,QAAO;AACpB,QAAM,IAAI,mBAAmB,KAAK,OAAO,KAAK,CAAC;AAC/C,SAAO,IAAI,EAAE,CAAC,IAAI;AACpB;AAEA,eAAe,aAAa,KAA6C;AACvE,QAAM,SAAmB,CAAC;AAC1B,mBAAiB,SAAS,IAAK,QAAO,KAAK,KAAe;AAC1D,MAAI,OAAO,WAAW,EAAG,QAAO;AAChC,MAAI;AAAE,WAAO,KAAK,MAAM,OAAO,OAAO,MAAM,EAAE,SAAS,MAAM,CAAC;AAAA,EAAG,QAAQ;AAAE,WAAO;AAAA,EAAW;AAC/F;AAOA,IAAMC,kBAAiB,oBAAI,IAAI,CAAC,aAAa,aAAa,OAAO,OAAO,CAAC;AAEzE,eAAsB,QAAQ,SAA0B,OAAoB,CAAC,GAAyB;AACpG,QAAM,OAAO,KAAK,QAAQ;AAC1B,QAAM,OAAO,KAAK,QAAQ;AAE1B,QAAM,aAAaA,gBAAe,IAAI,IAAI;AAK1C,MAAI,CAAC,cAAc,KAAK,iBAAiB,QAAW;AAClD,UAAM,IAAI;AAAA,MACR,yCAAyC,IAAI;AAAA,IAE/C;AAAA,EACF;AAIA,MAAI,CAAC,cAAc,CAAC,KAAK,OAAO;AAC9B,UAAM,IAAI;AAAA,MACR,yCAAyC,IAAI;AAAA,IAE/C;AAAA,EACF;AAEA,QAAM,eAAe,KAAK,gBAAgB,CAAC,GAAG,IAAI,IAAI,IAAI,IAAI,aAAa,IAAI,IAAI,aAAa,IAAI,EAAE;AACtG,QAAM,QAAQ,KAAK;AACnB,QAAM,aAAa,oBAAI,IAA2C;AAElE,QAAM,aAAa,KAAK,aAAa,OAAO,KAAK,QAAQ;AACvD,QAAI;AACF,YAAM,MAAM,IAAI,OAAO;AACvB,YAAM,WAAW,IAAI,WAAW,SAAS,KAAK,KAAK,aAAa;AAGhE,UAAI,CAAC,IAAI,WAAW,MAAM,KAAK,CAAC,UAAU;AAAE,YAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,uBAAuB;AAAG;AAAA,MAAQ;AAI7I,UAAI,OAAO;AACT,cAAM,WAAW,YAAY,IAAI,QAAQ,eAAe,CAAC;AACzD,YAAI,CAAC,YAAY,CAAC,gBAAgB,UAAU,KAAK,GAAG;AAClD,cAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,oBAAoB,SAAS,CAAC,EACpF,IAAI,0BAA0B;AACjC;AAAA,QACF;AAAA,MACF;AAGA,UAAI,UAAU;AAIZ,cAAM,cAAc,IAAI,QAAQ,MAAM,KAAK,IAAI,YAAY;AAC3D,YAAI,CAAC,aAAa,KAAK,CAAC,MAAM,EAAE,YAAY,MAAM,UAAU,GAAG;AAC7D,cAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,8BAA8B;AAC7F;AAAA,QACF;AACA,cAAM,WAAW,KAAK;AACtB,YAAI,IAAI,WAAW,QAAQ;AACzB,cAAI,UAAU,KAAK,EAAE,gBAAgB,oBAAoB,SAAS,OAAO,CAAC,EAAE,IAAI,gCAAgC;AAChH;AAAA,QACF;AACA,cAAM,EAAE,UAAU,MAAM,IAAI,MAAM,eAAe,KAAK,gBAAgB;AACtE,YAAI,UAAU;AAAE,cAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,+BAA+B;AAAG;AAAA,QAAQ;AACzH,cAAM,MAAM,SAAS,KAAK;AAC1B,YAAI,UAAU,IAAI,QAAQ,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC;AAC9F;AAAA,MACF;AAEA,YAAM,YAAY,IAAI,QAAQ,gBAAgB;AAC9C,YAAM,WAAW,YAAY,WAAW,IAAI,SAAS,IAAI;AAEzD,UAAI,UAAU;AACZ,cAAMC,QAAO,IAAI,WAAW,SAAS,MAAM,aAAa,GAAG,IAAI;AAC/D,cAAM,SAAS,cAAc,KAAK,KAAKA,KAAI;AAC3C;AAAA,MACF;AAEA,UAAI,IAAI,WAAW,QAAQ;AACzB,YAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,+CAA+C;AAC9G;AAAA,MACF;AAGA,YAAM,OAAO,MAAM,aAAa,GAAG;AACnC,YAAM,YAA2C,IAAI,8BAA8B;AAAA,QACjF,oBAAoB,MAAM,WAAW;AAAA,QACrC,8BAA8B;AAAA,QAC9B;AAAA,QACA,GAAI,KAAK,iBAAiB,EAAE,gBAAgB,KAAK,eAAe,IAAI,CAAC;AAAA,QACrE,sBAAsB,CAAC,OAAe;AAAE,qBAAW,IAAI,IAAI,SAAS;AAAA,QAAG;AAAA,MACzE,CAAC;AACD,gBAAU,UAAU,MAAM;AAAE,YAAI,UAAU,UAAW,YAAW,OAAO,UAAU,SAAS;AAAA,MAAG;AAC7F,YAAM,QAAQ,EAAE,QAAQ,SAAS;AACjC,YAAM,UAAU,cAAc,KAAK,KAAK,IAAI;AAAA,IAC9C,SAAS,KAAK;AACZ,cAAQ,OAAO,MAAM,0CAA0C,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,CAAI;AACnH,UAAI,CAAC,IAAI,YAAa,KAAI,UAAU,KAAK,EAAE,gBAAgB,mBAAmB,CAAC,EAAE,IAAI,4BAA4B;AAAA,IACnH;AAAA,EACF,CAAC;AAED,QAAM,IAAI,QAAc,CAAC,YAAY,WAAW,OAAO,MAAM,MAAM,OAAO,CAAC;AAC3E,SAAO;AACT;;;ACxMO,SAAS,MAAM,GAAmB;AACvC,MAAI,IAAI;AACR,WAAS,IAAI,GAAG,IAAI,EAAE,QAAQ,KAAK;AACjC,SAAK,EAAE,WAAW,CAAC;AACnB,QAAI,KAAK,KAAK,GAAG,QAAU;AAAA,EAC7B;AACA,SAAO,MAAM;AACf;;;ACeA,eAAsB,oBACpB,QAAQ,2BACgC;AACxC,MAAI;AAIF,UAAM,KAAM,MAAM,OAAO,2BAAqC;AAM9D,UAAM,YAAY,MAAM,GAAG,SAAS,sBAAsB,KAAK;AAC/D,WAAO;AAAA,MACL,IAAI,SAAS,KAAK;AAAA,MAClB,YAAY;AAAA,MACZ,MAAM,MAAM,OAA0C;AACpD,cAAM,MAAsB,CAAC;AAC7B,mBAAW,QAAQ,OAAO;AACxB,gBAAM,SAAS,MAAM,UAAU,MAAM,EAAE,SAAS,QAAQ,WAAW,KAAK,CAAC;AACzE,cAAI,KAAK,aAAa,KAAK,OAAO,IAAwB,CAAC;AAAA,QAC7D;AACA,eAAO;AAAA,MACT;AAAA,IACF;AAAA,EACF,QAAQ;AACN,WAAO;AAAA,EACT;AACF;;;ACxCO,SAAS,SAAS,GAAoB;AAC3C,QAAM,OAAO,OAAO,EAAE,WAAW,aAAa,MAAM,WAAY,EAAE,SAAS,aAAa,IAAe;AACvG,QAAM,WAAW,OAAO,EAAE,WAAW,UAAU,MAAM,WAAY,EAAE,SAAS,UAAU,IAAe;AACrG,SAAO,CAAC,EAAE,MAAM,EAAE,GAAG,QAAQ,SAAS,GAAG,GAAG,QAAQ,EAAE,IAAI,IAAI,EAAE,UAAU,IAAI,EAAE,aAAa,IAAI,UAAU,EAAE,KAAK,KAAK,GAAG,GAAG,IAAI,EAC9H,OAAO,OAAO,EAAE,KAAK,UAAK;AAC/B;AAEA,SAAS,KAAK,GAAmB;AAC/B,SAAO,MAAM,CAAC,EAAE,SAAS,EAAE;AAC7B;AAEA,SAAS,SAAS,GAAyB;AACzC,SAAO,OAAO,KAAK,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU;AACzD;AAEO,IAAM,cAAN,MAAkB;AAAA,EAGvB,YAAoB,IAA2B,UAA6B;AAAxD;AAA2B;AAAA,EAA8B;AAAA,EAFrE,SAAS;AAAA;AAAA,EAKjB,MAAM,OAAyB;AAC7B,QAAI,KAAK,OAAQ,QAAO;AACxB,QAAI;AACF,YAAM,OAAO,KAAK,GAAG,cAAc;AAGnC,YAAM,YAAa,MAAM,OAAO,YAAsB;AACtD,gBAAU,KAAK,IAAI;AACnB,WAAK,KAAK;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,OAST;AAED,YAAM,SAAS,KAAK,QAAQ,+CAA+C,EAAE,IAAI;AACjF,YAAM,OAAO,KAAK,SAAS;AAC3B,UAAI,UAAU,OAAO,OAAO,KAAK,MAAM,MAAM;AAC3C,aAAK,KAAK,wDAAwD;AAAA,MACpE;AACA,WAAK,KAAK,2EAA2E,IAAI,IAAI;AAC7F,WAAK,QAAQ,2DAA2D,EAAE,IAAI,QAAQ,OAAO,IAAI,CAAC;AAClG,WAAK,QAAQ,2DAA2D,EAAE,IAAI,YAAY,KAAK,SAAS,EAAE;AAC1G,WAAK,SAAS;AACd,aAAO;AAAA,IACT,QAAQ;AACN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA,EAGA,MAAM,MAAM,WAAiE;AAC3E,QAAI,CAAE,MAAM,KAAK,KAAK,EAAI,QAAO,EAAE,UAAU,GAAG,OAAO,EAAE;AACzD,UAAM,OAAO,KAAK,GAAG,cAAc;AACnC,UAAM,QAAQ,KAAK,GAAG,SAAS,SAAS;AAExC,UAAM,SAAS,KAAK,QAAQ,wEAAwE;AACpG,UAAM,WAAW,KAAK,QAAQ,oEAAoE;AAClG,UAAM,UAAU,KAAK,QAAQ,+CAA+C;AAC5E,UAAM,SAAS,KAAK,QAAQ,uCAAuC;AACnE,UAAM,SAAS,KAAK,QAAQ,wDAAwD;AAEpF,UAAM,UAAkD,CAAC;AACzD,eAAW,KAAK,OAAO;AACrB,YAAM,OAAO,SAAS,CAAC;AACvB,YAAM,IAAI,KAAK,GAAG,KAAK,SAAS,EAAE,IAAI,IAAI,EAAE;AAC5C,YAAM,WAAW,OAAO,IAAI,WAAW,EAAE,EAAE;AAC3C,UAAI,UAAU;AACZ,YAAI,SAAS,SAAS,EAAG;AACzB,gBAAQ,IAAI,GAAG,SAAS,KAAK;AAC7B,eAAO,IAAI,OAAO,SAAS,KAAK,CAAC;AACjC,gBAAQ,KAAK,EAAE,OAAO,OAAO,SAAS,KAAK,GAAG,KAAK,CAAC;AAAA,MACtD,OAAO;AACL,cAAM,OAAO,SAAS,IAAI,WAAW,EAAE,IAAI,CAAC;AAC5C,gBAAQ,KAAK,EAAE,OAAO,OAAO,KAAK,eAAyB,GAAG,KAAK,CAAC;AAAA,MACtE;AAAA,IACF;AAEA,QAAI,QAAQ,SAAS,GAAG;AACtB,YAAM,UAAU,MAAM,KAAK,SAAS,MAAM,QAAQ,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC;AACpE,YAAM,KAAK,KAAK,YAAY,MAAM;AAChC,gBAAQ,QAAQ,CAAC,GAAG,MAAM,OAAO,IAAI,EAAE,OAAO,SAAS,QAAQ,CAAC,CAAE,CAAC,CAAC;AAAA,MACtE,CAAC;AACD,SAAG;AAAA,IACL;AACA,WAAO,EAAE,UAAU,QAAQ,QAAQ,OAAO,MAAM,OAAO;AAAA,EACzD;AAAA;AAAA,EAGA,MAAM,OAAO,WAAmB,OAAe,GAAiE;AAC9G,QAAI,CAAE,MAAM,KAAK,KAAK,EAAI,QAAO,CAAC;AAClC,UAAM,KAAK,MAAM,SAAS;AAC1B,UAAM,OAAO,KAAK,GAAG,cAAc;AACnC,UAAM,CAAC,EAAE,IAAI,MAAM,KAAK,SAAS,MAAM,CAAC,KAAK,CAAC;AAC9C,QAAI,CAAC,GAAI,QAAO,CAAC;AAIjB,UAAM,YAAY,KAAK,IAAI,IAAI,GAAG,CAAC;AACnC,UAAM,MAAM,KAAK;AAAA,MACf;AAAA,IACF,EAAE,IAAI,SAAS,EAAE,GAAG,SAAS;AAE7B,UAAM,OAAO,KAAK,QAAQ,kFAAkF;AAC5G,UAAM,MAAmD,CAAC;AAC1D,eAAW,OAAO,KAAK;AACrB,YAAM,IAAI,KAAK,IAAI,IAAI,KAAK;AAC5B,UAAI,KAAK,EAAE,cAAc,UAAW,KAAI,KAAK,EAAE,QAAQ,EAAE,QAAQ,UAAU,IAAI,SAAS,CAAC;AACzF,UAAI,IAAI,UAAU,EAAG;AAAA,IACvB;AACA,WAAO;AAAA,EACT;AACF;;;ACpHA,IAAM,UAAU,CAAC,IAAmB,WAAmB,OAAe,SACpE,GAAG,YAAY,WAAW,OAAO,EAAE,OAAO,KAAK,OAAO,OAAO,KAAK,MAAM,CAAC,EAAE,IAAI,CAAC,UAAU,EAAE,KAAK,EAAE;AAGrG,IAAMC,iBAAgB,MAAgB,OAAO,GAAG,KAAK,GAAG,SAAS,QAAQ,GAAG,KAAK,GAAG,IAAI;AAcxF,eAAsB,qBACpB,IACA,UACA,OAA8B,CAAC,GACZ;AACnB,QAAM,MAAM,KAAK;AACjB,QAAM,WAAW,YAAa,MAAM,oBAAoB;AACxD,MAAI,CAAC,UAAU;AACb,UAAM,iIAA4H;AAClI,WAAOA,eAAc;AAAA,EACvB;AACA,QAAM,QAAQ,IAAI,YAAY,IAAI,QAAQ;AAC1C,QAAM,KAAK,MAAM,MAAM,KAAK;AAC5B,MAAI,CAAC,IAAI;AACP,UAAM,oHAA+G;AACrH,WAAOA,eAAc;AAAA,EACvB;AACA,QAAM,wBAAwB;AAE9B,SAAO,OAAO,GAAG,KAAK,OAAO,cAAiE;AAC5F,UAAM,OAAO,MAAM,MAAM,OAAO,KAAK,OAAO,UAAU,KAAK;AAC3D,QAAI,KAAK,WAAW,EAAG,QAAO,QAAQ,GAAG,KAAK,OAAO,SAAS;AAE9D,UAAM,OAAO,EAAE,cAAc,KAAK,KAAK,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC;AAC3D,UAAM,UAAoD,CAAC;AAC3D,eAAW,KAAK,MAAM;AACpB,YAAM,OAAO,KAAK,IAAI,EAAE,MAAM;AAC9B,UAAI,CAAC,KAAM;AACX,UAAI,UAAU,SAAS,UAAU,MAAM,SAAS,KAAK,CAAC,UAAU,MAAM,SAAS,KAAK,IAAI,EAAG;AAE3F,cAAQ,KAAK,EAAE,MAAM,OAAO,KAAK,IAAI,GAAG,IAAI,EAAE,WAAW,CAAC,EAAE,CAAC;AAAA,IAC/D;AACA,WAAO,QAAQ,SAAS,IAAI,UAAU,QAAQ,GAAG,KAAK,OAAO,SAAS;AAAA,EACxE;AACF;;;AChDO,IAAM,qBAAN,MAAiD;AAAA,EACtD,YAA6B,IAAmB;AAAnB;AAAA,EAAoB;AAAA,EAEjD,WAAW,KAAa,MAAqB,UAAwB,aAAgD;AACnH,WAAO,KAAK,GAAG,kBAAkB,KAAK,MAAM,UAAU,WAAW;AAAA,EACnE;AAAA,EAEA,WAAW,KAAa,MAA2B;AACjD,SAAK,GAAG,kBAAkB,KAAK,IAAI;AAAA,EACrC;AAAA,EAEA,WAAW,KAAyB;AAClC,WAAO,KAAK,GAAG,cAAc,GAAG;AAAA,EAClC;AAAA,EAEA,gBAAgBC,WAAiC;AAC/C,WAAO,KAAK,GAAG,0BAA0BA,SAAQ;AAAA,EACnD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,QAAc;AAAA,EAEd;AACF;;;ACpBA,SAAS,KAAAC,UAAS;;;ACSX,SAAS,gBAAgB,KAAa,MAAmC;AAC9E,SAAO;AAAA,IACL,UAAU,SAAS,KAAK,KAAK,EAAE;AAAA,IAC/B,aAAa,YAAY,KAAK,MAAM,KAAK,MAAM,UAAU,KAAK,YAAY,CAAC,CAAC,CAAC;AAAA,EAC/E;AACF;;;ACDA,IAAM,cAAc;AAGpB,IAAM,OAAO;AAGb,IAAMC,cAAa;AACnB,IAAMC,YAAW;AACjB,IAAM,YAAY;AAUlB,IAAM,qBAAqB;AAG3B,IAAM,aAAa;AAGnB,SAAS,mBAAmB,GAAW,MAA+B;AACpE,QAAM,MAAuB,CAAC;AAC9B,QAAM,UAAU,EAAE,KAAK;AACvB,MAAI,YAAY,MAAM,WAAW,KAAK,OAAO,EAAG,QAAO;AAEvD,MAAI,WAAW,KAAK,CAAC,KAAK,YAAY,KAAK,CAAC,EAAG,KAAI,KAAK,EAAE,MAAM,MAAM,aAAa,CAAC;AACpF,aAAW,YAAY;AAAG,cAAY,YAAY;AAElD,MAAI,UAAU,KAAK,CAAC,EAAG,KAAI,KAAK,EAAE,MAAM,MAAM,WAAW,CAAC;AAC1D,YAAU,YAAY;AAEtB,MAAIA,UAAS,KAAK,CAAC,KAAKD,YAAW,KAAK,CAAC,EAAG,KAAI,KAAK,EAAE,MAAM,MAAM,gBAAgB,CAAC;AACpF,EAAAC,UAAS,YAAY;AAAG,EAAAD,YAAW,YAAY;AAE/C,MAAI,KAAK,KAAK,CAAC,EAAG,KAAI,KAAK,EAAE,MAAM,MAAM,WAAW,CAAC;AACrD,OAAK,YAAY;AAGjB,MAAI,IAAI,WAAW,KAAK,mBAAmB,KAAK,OAAO,EAAG,KAAI,KAAK,EAAE,MAAM,MAAM,WAAW,CAAC;AAE7F,SAAO;AACT;AAOO,SAAS,mBAAmB,OAAgB,OAA2B,OAAO,IAAqB;AACxG,MAAI,UAAU,aAAc,QAAO,CAAC;AACpC,SAAO,QAAQ,OAAO,IAAI;AAC5B;AAEA,SAAS,QAAQ,OAAgB,MAA+B;AAC9D,MAAI,OAAO,UAAU,SAAU,QAAO,mBAAmB,OAAO,QAAQ,QAAQ;AAChF,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,QAAQ,CAAC,GAAG,MAAM,QAAQ,GAAG,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;AACpF,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,WAAO,OAAO,QAAQ,KAAgC,EAAE,QAAQ,CAAC,CAAC,GAAG,CAAC,MAAM,QAAQ,GAAG,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;AAAA,EACnH;AACA,SAAO,CAAC;AACV;AAGA,SAAS,MAAM,OAAgB,MAAuB;AACpD,MAAI,OAAO,UAAU,SAAU,QAAO,mBAAmB,OAAO,QAAQ,QAAQ,EAAE,SAAS,IAAI,QAAQ;AACvG,MAAI,MAAM,QAAQ,KAAK,EAAG,QAAO,MAAM,IAAI,CAAC,GAAG,MAAM,MAAM,GAAG,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC;AAC9E,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,UAAM,MAA+B,CAAC;AACtC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,KAAgC,EAAG,KAAI,CAAC,IAAI,MAAM,GAAG,OAAO,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC;AAClH,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAaO,SAAS,qBACd,MACA,OACA,MACsD;AACtD,QAAM,aAAa;AAAA,IACjB,GAAG,mBAAmB,KAAK,MAAM,OAAO,MAAM;AAAA,IAC9C,GAAG,mBAAmB,KAAK,IAAI,OAAO,IAAI;AAAA,IAC1C,GAAG,mBAAmB,KAAK,YAAY,CAAC,GAAG,OAAO,UAAU;AAAA,IAC5D,GAAG,mBAAmB,KAAK,QAAQ,CAAC,GAAG,OAAO,MAAM;AAAA,IACpD,GAAG,mBAAmB,KAAK,UAAU,IAAI,OAAO,QAAQ;AAAA,IACxD,GAAG,mBAAmB,KAAK,aAAa,IAAI,OAAO,WAAW;AAAA,EAChE;AACA,MAAI,WAAW,WAAW,KAAK,SAAS,SAAU,QAAO,EAAE,MAAM,WAAW;AAE5E,QAAM,WAA0B;AAAA,IAC9B,GAAG;AAAA,IACH,MAAM,MAAM,KAAK,MAAM,MAAM;AAAA,IAC7B,UAAU,MAAM,KAAK,YAAY,CAAC,GAAG,UAAU;AAAA,IAC/C,OAAO,KAAK,QAAQ,CAAC,GAAG,IAAI,CAAC,GAAG,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAW;AAAA,IACtE,GAAI,KAAK,UAAU,OAAO,EAAE,QAAQ,MAAM,KAAK,QAAQ,QAAQ,EAAY,IAAI,CAAC;AAAA,IAChF,GAAI,KAAK,aAAa,OAAO,EAAE,WAAW,MAAM,KAAK,WAAW,WAAW,EAAY,IAAI,CAAC;AAAA,EAC9F;AACA,SAAO,EAAE,MAAM,UAAU,WAAW;AACtC;;;AFpHO,IAAM,wBAAwB;AAGrC,IAAM,YAAY;AAGlB,IAAM,oBAAoBE,GAAE,OAAO;AAAA,EACjC,WAAWA,GAAE,OAAO,EAAE,IAAI,CAAC;AAAA,EAC3B,UAAUA,GAAE,OAAO,EAAE,QAAQ,SAAS;AAAA,EACtC,MAAMA,GAAE,OAAO,EAAE,QAAQ,SAAS;AAAA,EAClC,YAAYA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,IAAI,CAAC,EAAE,QAAQ,GAAG;AAClD,CAAC;AAOM,IAAM,uBAAuBA,GAAE,OAAO;AAAA,EAC3C,eAAeA,GAAE,QAAQ,qBAAqB;AAAA,EAC9C,KAAKA,GAAE,OAAO,EAAE,IAAI,CAAC,EAAE,SAAS;AAAA,EAChC,OAAOA,GAAE,MAAMA,GAAE,OAAO;AAAA,IACtB,aAAaA,GAAE,OAAO;AAAA,IACtB,MAAMA,GAAE,KAAK,CAAC,QAAQ,MAAM,CAAC;AAAA,IAC7B,SAASA,GAAE,QAAQ;AAAA,EACrB,CAAC,CAAC,EAAE,IAAI,SAAS;AAAA;AAAA,EAEjB,aAAa,kBAAkB,SAAS;AAAA,EACxC,oBAAoBA,GAAE,KAAK,CAAC,QAAQ,cAAc,MAAM,CAAC,EAAE,SAAS;AACtE,CAAC;AA8BM,SAAS,eAAe,OAAqB,UAA0B,OAAsB,CAAC,GAAiB;AACpH,QAAM,WAAW,KAAK,YAAY;AAClC,QAAM,MAAM,SAAS,OAAO,KAAK,cAAc;AAC/C,QAAM,QAA4B,SAAS,sBAAsB;AACjE,QAAM,MAAK,oBAAI,KAAK,GAAE,YAAY;AAClC,QAAM,cAA2B;AAAA,IAC/B,WAAW,SAAS,aAAa,aAAa;AAAA,IAC9C,UAAU,SAAS,aAAa,YAAY;AAAA,IAC5C,MAAM,SAAS,aAAa,QAAQ;AAAA,IACpC,cAAc;AAAA,IACd;AAAA,IACA,YAAY,SAAS,aAAa,cAAc;AAAA,EAClD;AAEA,MAAI,WAAW;AACf,MAAI,SAAS;AACb,MAAI,WAAW;AACf,MAAI,QAAQ;AACZ,MAAI,aAAa;AAEjB,QAAM,kBAAkB,oBAAI,IAAY;AAExC,aAAW,QAAQ,SAAS,OAAO;AACjC,QAAI,KAAK,SAAS,OAAQ;AAC1B,UAAM,SAAS,WAAW,UAAU,KAAK,OAAO;AAChD,QAAI,CAAC,OAAO,SAAS;AACnB,kBAAY;AACZ,cAAQ,0CAA0C,EAAE,KAAK,aAAa,KAAK,YAAY,CAAC;AACxF;AAAA,IACF;AACA,UAAM,OAAO,OAAO;AACpB,UAAM,QAAQ,qBAAqB,MAAM,OAAO,QAAQ;AACxD,QAAI,MAAM,WAAW,SAAS,GAAG;AAC/B,oBAAc,MAAM,WAAW;AAI/B,YAAM,cAAc,MAAM,WAAW,KAAK,CAAC,MAAM,EAAE,SAAS,IAAI;AAChE,UAAI,aAAa,YAAY,aAAa;AACxC,oBAAY;AACZ,gBAAQ,sDAAsD;AAAA,UAC5D;AAAA,UAAK,QAAQ,KAAK;AAAA,UAAI,QAAQ;AAAA,UAC9B,MAAM;AAAA,UAAU;AAAA,UAChB,OAAO,MAAM,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE;AAAA,QAC1D,CAAC;AACD;AAAA,MACF;AACA,cAAQ,sDAAsD;AAAA,QAC5D;AAAA,QAAK,QAAQ,KAAK;AAAA,QAAI,QAAQ;AAAA,QAC9B,OAAO,MAAM,WAAW,IAAI,CAAC,MAAM,GAAG,EAAE,IAAI,IAAI,EAAE,IAAI,EAAE;AAAA,MAC1D,CAAC;AAAA,IACH;AACA,UAAM,OAAO,MAAM;AACnB,UAAM,WAAW,gBAAgB,KAAK,IAAI;AAC1C,UAAM,UAAU,MAAM,WAAW,KAAK,MAAM,UAAU,EAAE,GAAG,aAAa,YAAY,KAAK,WAAW,CAAC;AACrG,gBAAY;AACZ,QAAI,YAAY,SAAU,WAAU;AACpC,oBAAgB,IAAI,KAAK,EAAE;AAAA,EAC7B;AAEA,aAAW,QAAQ,SAAS,OAAO;AACjC,QAAI,KAAK,SAAS,OAAQ;AAC1B,UAAM,SAAS,WAAW,UAAU,KAAK,OAAO;AAChD,QAAI,CAAC,OAAO,SAAS;AACnB,cAAQ,0CAA0C,EAAE,KAAK,aAAa,KAAK,YAAY,CAAC;AACxF;AAAA,IACF;AACA,UAAM,OAAO,OAAO;AAGpB,QAAI,gBAAgB,OAAO,MAAM,CAAC,gBAAgB,IAAI,KAAK,QAAQ,KAAK,CAAC,gBAAgB,IAAI,KAAK,QAAQ,IAAI;AAC5G;AAAA,IACF;AACA,UAAM,WAAW,KAAK,IAAI;AAC1B,aAAS;AAAA,EACX;AAEA,UAAQ,UAAU,EAAE,KAAK,UAAU,QAAQ,UAAU,OAAO,YAAY,OAAO,SAAS,CAAC;AACzF,SAAO,EAAE,KAAK,UAAU,QAAQ,UAAU,OAAO,WAAW;AAC9D;;;AGxIO,SAAS,oBAAoB,OAAqB,OAAsB,CAAC,GAAkB;AAChG,SAAO,CAAC,SAAkC;AACxC,UAAM,SAAS,qBAAqB,UAAU,IAAI;AAClD,QAAI,CAAC,OAAO,SAAS;AACnB,YAAM,SAAS,OAAO,MAAM,OAAO,IAAI,CAAC,MAAM,GAAG,EAAE,KAAK,KAAK,GAAG,KAAK,QAAQ,KAAK,EAAE,OAAO,EAAE;AAC7F,cAAQ,qCAAqC,EAAE,OAAO,CAAC;AACvD,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,oBAAoB,OAAO,EAAE;AAAA,IACpE;AACA,QAAI;AACF,YAAM,SAAuB,eAAe,OAAO,OAAO,MAAM,IAAI;AACpE,aAAO,EAAE,QAAQ,KAAK,MAAM,OAAO;AAAA,IACrC,SAAS,KAAK;AACZ,cAAQ,kBAAkB,EAAE,OAAO,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,EAAE,CAAC;AACrF,aAAO,EAAE,QAAQ,KAAK,MAAM,EAAE,OAAO,gBAAgB,EAAE;AAAA,IACzD;AAAA,EACF;AACF;;;ACKO,SAAS,aAAa,MAA+B;AAC1D,QAAM,OAAsB,CAAC;AAC7B,WAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,UAAM,IAAI,KAAK,CAAC;AAChB,QAAI,MAAM,SAAU,MAAK,YAAY;AAAA,aAC5B,MAAM,UAAW,MAAK,YAAY;AAAA,aAClC,MAAM,gBAAiB,MAAK,WAAW;AAAA,aACvC,MAAM,SAAU,MAAK,OAAO,OAAO,KAAK,EAAE,CAAC,CAAC;AAAA,aAC5C,MAAM,SAAU,MAAK,OAAO,KAAK,EAAE,CAAC;AAAA,aACpC,MAAM,kBAAmB,MAAK,gBAAgB,KAAK,EAAE,CAAC,KAAK,IAAI,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAAA,aAC7G,MAAM,UAAW,MAAK,QAAQ,KAAK,EAAE,CAAC;AAAA,aACtC,MAAM,OAAQ,MAAK,SAAS,KAAK,EAAE,CAAC;AAAA,aACpC,MAAM,YAAa,MAAK,UAAU,KAAK,EAAE,CAAC;AAAA,aAC1C,MAAM,cAAc,MAAM,QAAS,MAAK,SAAS,KAAK,EAAE,CAAC;AAAA,aACzD,MAAM,YAAa,MAAK,WAAW,KAAK,EAAE,CAAC,KAAK,IAAI,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO;AAAA,aAClG,MAAM,gBAAiB,MAAK,aAAa;AAAA,aACzC,MAAM,eAAe;AAAE,YAAM,IAAI,KAAK,EAAE,CAAC;AAAG,UAAI,MAAM,YAAY,MAAM,QAAS,MAAK,WAAW;AAAA,IAAG,WACpG,MAAM,YAAY,MAAM,KAAM,MAAK,OAAO;AAAA,EACrD;AACA,SAAO;AACT;AAEA,eAAsB,SAAS,OAAwB,CAAC,GAAkB;AACxE,QAAM,MAAM,KAAK,QAAQ,CAAC,MAAc,QAAQ,OAAO,MAAM,IAAI,IAAI;AACrE,QAAM,KAAK,IAAI,cAAc,KAAK,UAAU,cAAc,EAAE,MAAM;AAElE,MAAI;AACJ,MAAI,KAAK,aAAa,OAAO;AAC3B,aAAS,MAAM,qBAAqB,IAAI,QAAW,EAAE,IAAI,CAAC;AAAA,EAC5D;AACA,QAAM,UACJ,KAAK,YACJ,QAAQ,IAAI,qBAAqB,IAC9B,QAAQ,IAAI,qBAAqB,EAAE,MAAM,GAAG,EAAE,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO,OAAO,IACjF,CAAC;AACP,QAAM,YAAY,iBAAiB,QAAW,OAAO;AAErD,QAAM,SAAS,gBAAgB,KAAK,MAAM;AAK1C,QAAM,aAAa,KAAK,eAAe;AACvC,QAAM,MAAM,aAAa,SAAS;AAClC,QAAM,UAAU,MAAM,gBAAgB,EAAE,IAAI,SAAS,KAAK,WAAW,UAAU,QAAQ,QAAQ,WAAW,GAAI,QAAQ,SAAY,EAAE,IAAI,IAAI,CAAC,EAAG,CAAC;AAEjJ,QAAM,YAAY,aAAa,SAAS,KAAK;AAE7C,MAAI,cAAc,QAAQ;AACxB,UAAM,OAAO,KAAK,QAAQ;AAC1B,UAAM,OAAO,KAAK,QAAQ;AAE1B,UAAM,QAAQ,KAAK,SAAS,QAAQ,IAAI,wBAAwB,KAAK,QAAQ,IAAI,2BAA2B;AAC5G,QAAI;AACJ,QAAI,YAAY;AACd,YAAM,QAAQ,IAAI,mBAAmB,EAAE;AACvC,YAAM,WAAW,KAAK,YAAY;AAClC,iBAAW,oBAAoB,OAAO,EAAE,UAAU,YAAY,OAAO,CAAC;AAAA,IACxE;AACA,UAAM,QAAQ,SAAS;AAAA,MACrB;AAAA,MACA;AAAA,MACA,GAAI,KAAK,eAAe,EAAE,cAAc,KAAK,aAAa,IAAI,CAAC;AAAA,MAC/D,GAAI,QAAQ,EAAE,MAAM,IAAI,CAAC;AAAA,MACzB,GAAI,WAAW,EAAE,SAAS,IAAI,CAAC;AAAA,IACjC,CAAC;AACD,UAAM,WAAW,aAAa,wDAAwD,KAAK,YAAY,QAAQ,MAAM;AACrH,QAAI,sDAAsD,IAAI,IAAI,IAAI,OAAO,QAAQ,mCAAmC,EAAE,aAAa,MAAM,IAAI,QAAQ,EAAE;AAAA,EAC7J,OAAO;AACL,QAAI,iDAAiD,MAAM,GAAG;AAC9D,UAAM,SAAS,QAAQ,CAAC;AAAA,EAC1B;AACF;","names":["run","z","z","z","SEVERITIES","SEVERITIES","z","globalId","contentHash","collect","degree","z","z","hostname","mkdirSync","dirname","mkdirSync","dirname","randomBytes","randomBytes","z","anchors","z","LOOPBACK_HOSTS","body","lexicalSearch","globalId","z","POSIX_PATH","WIN_PATH","z"]}