@defai.digital/ax-cli 3.5.2 → 3.6.0

package/dist/utils/encryption.d.ts

@@ -0,0 +1,78 @@
+/**
+ * API Key Encryption Utilities
+ *
+ * Provides secure encryption/decryption for API keys stored in configuration
+ * files (REQ-SEC-003).
+ *
+ * Uses Node.js crypto module with:
+ * - AES-256-GCM for encryption (authenticated encryption)
+ * - PBKDF2 for key derivation from machine-specific identifier
+ * - Random IV for each encryption
+ * - Authentication tag verification
+ *
+ * @module encryption
+ */
+/**
+ * Encrypted value format
+ */
+export interface EncryptedValue {
+    encrypted: string;
+    iv: string;
+    tag: string;
+    version: number;
+}
+/**
+ * Encrypt a string value (typically an API key).
+ *
+ * @param plaintext - The value to encrypt
+ * @returns Encrypted value object with iv, tag, and encrypted data
+ */
+export declare function encrypt(plaintext: string): EncryptedValue;
+/**
+ * Decrypt an encrypted value.
+ *
+ * @param encryptedValue - The encrypted value object
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails (wrong machine, corrupted data, etc.)
+ */
+export declare function decrypt(encryptedValue: EncryptedValue): string;
+/**
+ * Check if a value is encrypted (has the expected structure).
+ *
+ * @param value - Value to check
+ * @returns True if value appears to be encrypted
+ */
+export declare function isEncrypted(value: unknown): value is EncryptedValue;
+/**
+ * Encrypt an object's sensitive fields.
+ *
+ * @param obj - Object containing sensitive fields
+ * @param fieldsToEncrypt - Array of field names to encrypt
+ * @returns New object with encrypted fields
+ */
+export declare function encryptFields<T extends Record<string, any>>(obj: T, fieldsToEncrypt: string[]): T;
+/**
+ * Decrypt an object's encrypted fields.
+ *
+ * @param obj - Object containing encrypted fields
+ * @param fieldsToDecrypt - Array of field names to decrypt
+ * @returns New object with decrypted fields
+ */
+export declare function decryptFields<T extends Record<string, any>>(obj: T, fieldsToDecrypt: string[]): T;
+/**
+ * Test if encryption is working (for diagnostics).
+ *
+ * @returns True if encryption/decryption round-trip works
+ */
+export declare function testEncryption(): boolean;
+/**
+ * Get encryption info for diagnostics.
+ */
+export declare function getEncryptionInfo(): {
+    algorithm: string;
+    keyLength: number;
+    ivLength: number;
+    pbkdf2Iterations: number;
+    version: number;
+    machineId: string;
+};

package/dist/utils/encryption.js

@@ -0,0 +1,216 @@
+/**
+ * API Key Encryption Utilities
+ *
+ * Provides secure encryption/decryption for API keys stored in configuration
+ * files (REQ-SEC-003).
+ *
+ * Uses Node.js crypto module with:
+ * - AES-256-GCM for encryption (authenticated encryption)
+ * - PBKDF2 for key derivation from machine-specific identifier
+ * - Random IV for each encryption
+ * - Authentication tag verification
+ *
+ * @module encryption
+ */
+import crypto from 'crypto';
+import os from 'os';
+/**
+ * Encryption configuration
+ */
+const ENCRYPTION_CONFIG = {
+    algorithm: 'aes-256-gcm',
+    keyLength: 32, // 256 bits
+    ivLength: 16, // 128 bits
+    saltLength: 32, // 256 bits
+    tagLength: 16, // 128 bits
+    pbkdf2Iterations: 100000, // OWASP recommendation
+    version: 1,
+};
+/**
+ * Get a machine-specific identifier for key derivation.
+ * Uses hostname + platform + arch to create a unique-per-machine string.
+ *
+ * Note: This is not cryptographically strong protection (attacker with file
+ * access can derive the key), but it prevents casual browsing of config files
+ * and provides defense in depth.
+ */
+function getMachineIdentifier() {
+    const hostname = os.hostname();
+    const platform = os.platform();
+    const arch = os.arch();
+    // Combine machine-specific data
+    return `${hostname}-${platform}-${arch}`;
+}
+/**
+ * Derive an encryption key from machine identifier and salt using PBKDF2.
+ *
+ * @param salt - Salt for key derivation
+ * @returns Derived encryption key
+ */
+function deriveKey(salt) {
+    const machineId = getMachineIdentifier();
+    return crypto.pbkdf2Sync(machineId, salt, ENCRYPTION_CONFIG.pbkdf2Iterations, ENCRYPTION_CONFIG.keyLength, 'sha256');
+}
+/**
+ * Encrypt a string value (typically an API key).
+ *
+ * @param plaintext - The value to encrypt
+ * @returns Encrypted value object with iv, tag, and encrypted data
+ */
+export function encrypt(plaintext) {
+    // Generate random salt and IV
+    const salt = crypto.randomBytes(ENCRYPTION_CONFIG.saltLength);
+    const iv = crypto.randomBytes(ENCRYPTION_CONFIG.ivLength);
+    // Derive key from machine identifier
+    const key = deriveKey(salt);
+    // Create cipher
+    const cipher = crypto.createCipheriv(ENCRYPTION_CONFIG.algorithm, key, iv);
+    // Encrypt the plaintext
+    let encrypted = cipher.update(plaintext, 'utf8', 'base64');
+    encrypted += cipher.final('base64');
+    // Get authentication tag
+    const tag = cipher.getAuthTag();
+    // Return encrypted value with metadata
+    // Store salt in the IV field for simplicity (both are public)
+    const saltAndIv = Buffer.concat([salt, iv]);
+    return {
+        encrypted,
+        iv: saltAndIv.toString('base64'),
+        tag: tag.toString('base64'),
+        version: ENCRYPTION_CONFIG.version,
+    };
+}
+/**
+ * Decrypt an encrypted value.
+ *
+ * @param encryptedValue - The encrypted value object
+ * @returns Decrypted plaintext
+ * @throws Error if decryption fails (wrong machine, corrupted data, etc.)
+ */
+export function decrypt(encryptedValue) {
+    try {
+        // Check version
+        if (encryptedValue.version !== ENCRYPTION_CONFIG.version) {
+            throw new Error(`Unsupported encryption version: ${encryptedValue.version}`);
+        }
+        // Extract salt and IV
+        const saltAndIv = Buffer.from(encryptedValue.iv, 'base64');
+        if (saltAndIv.length !== ENCRYPTION_CONFIG.saltLength + ENCRYPTION_CONFIG.ivLength) {
+            throw new Error('Invalid encrypted data: incorrect salt/IV length');
+        }
+        const salt = saltAndIv.subarray(0, ENCRYPTION_CONFIG.saltLength);
+        const iv = saltAndIv.subarray(ENCRYPTION_CONFIG.saltLength);
+        // Derive key from machine identifier
+        const key = deriveKey(salt);
+        // Create decipher
+        const decipher = crypto.createDecipheriv(ENCRYPTION_CONFIG.algorithm, key, iv);
+        // Set authentication tag
+        const tag = Buffer.from(encryptedValue.tag, 'base64');
+        decipher.setAuthTag(tag);
+        // Decrypt
+        let decrypted = decipher.update(encryptedValue.encrypted, 'base64', 'utf8');
+        decrypted += decipher.final('utf8');
+        return decrypted;
+    }
+    catch (error) {
+        // Provide a user-friendly error message
+        if (error instanceof Error) {
+            if (error.message.includes('Unsupported state or unable to authenticate data')) {
+                throw new Error('Failed to decrypt API key. This may be due to: ' +
+                    '(1) moving config to a different machine, ' +
+                    '(2) corrupted config file, or ' +
+                    '(3) config file was manually edited. ' +
+                    'Please re-enter your API key.');
+            }
+            throw new Error(`Decryption failed: ${error.message}`);
+        }
+        throw new Error('Decryption failed: Unknown error');
+    }
+}
+/**
+ * Check if a value is encrypted (has the expected structure).
+ *
+ * @param value - Value to check
+ * @returns True if value appears to be encrypted
+ */
+export function isEncrypted(value) {
+    if (typeof value !== 'object' || value === null) {
+        return false;
+    }
+    const obj = value;
+    return (typeof obj.encrypted === 'string' &&
+        typeof obj.iv === 'string' &&
+        typeof obj.tag === 'string' &&
+        typeof obj.version === 'number');
+}
+/**
+ * Encrypt an object's sensitive fields.
+ *
+ * @param obj - Object containing sensitive fields
+ * @param fieldsToEncrypt - Array of field names to encrypt
+ * @returns New object with encrypted fields
+ */
+export function encryptFields(obj, fieldsToEncrypt) {
+    const result = { ...obj };
+    for (const field of fieldsToEncrypt) {
+        if (field in result && typeof result[field] === 'string') {
+            // Don't re-encrypt already encrypted values
+            if (!isEncrypted(result[field])) {
+                result[field] = encrypt(result[field]);
+            }
+        }
+    }
+    return result;
+}
+/**
+ * Decrypt an object's encrypted fields.
+ *
+ * @param obj - Object containing encrypted fields
+ * @param fieldsToDecrypt - Array of field names to decrypt
+ * @returns New object with decrypted fields
+ */
+export function decryptFields(obj, fieldsToDecrypt) {
+    const result = { ...obj };
+    for (const field of fieldsToDecrypt) {
+        if (field in result && isEncrypted(result[field])) {
+            try {
+                result[field] = decrypt(result[field]);
+            }
+            catch (error) {
+                // If decryption fails, leave the field as-is and let caller handle it
+                console.error(`Failed to decrypt field "${field}":`, error instanceof Error ? error.message : String(error));
+            }
+        }
+    }
+    return result;
+}
+/**
+ * Test if encryption is working (for diagnostics).
+ *
+ * @returns True if encryption/decryption round-trip works
+ */
+export function testEncryption() {
+    try {
+        const testValue = 'test-api-key-12345';
+        const encrypted = encrypt(testValue);
+        const decrypted = decrypt(encrypted);
+        return decrypted === testValue;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Get encryption info for diagnostics.
+ */
+export function getEncryptionInfo() {
+    return {
+        algorithm: ENCRYPTION_CONFIG.algorithm,
+        keyLength: ENCRYPTION_CONFIG.keyLength,
+        ivLength: ENCRYPTION_CONFIG.ivLength,
+        pbkdf2Iterations: ENCRYPTION_CONFIG.pbkdf2Iterations,
+        version: ENCRYPTION_CONFIG.version,
+        machineId: getMachineIdentifier(),
+    };
+}
+//# sourceMappingURL=encryption.js.map

package/dist/utils/encryption.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encryption.js","sourceRoot":"","sources":["../../src/utils/encryption.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EAAE,MAAM,IAAI,CAAC;AAYpB;;GAEG;AACH,MAAM,iBAAiB,GAAG;IACxB,SAAS,EAAE,aAAsB;IACjC,SAAS,EAAE,EAAE,EAAE,WAAW;IAC1B,QAAQ,EAAE,EAAE,EAAE,WAAW;IACzB,UAAU,EAAE,EAAE,EAAE,WAAW;IAC3B,SAAS,EAAE,EAAE,EAAE,WAAW;IAC1B,gBAAgB,EAAE,MAAM,EAAE,uBAAuB;IACjD,OAAO,EAAE,CAAC;CACX,CAAC;AAEF;;;;;;;GAOG;AACH,SAAS,oBAAoB;IAC3B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,QAAQ,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC;IAC/B,MAAM,IAAI,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAEvB,gCAAgC;IAChC,OAAO,GAAG,QAAQ,IAAI,QAAQ,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAED;;;;;GAKG;AACH,SAAS,SAAS,CAAC,IAAY;IAC7B,MAAM,SAAS,GAAG,oBAAoB,EAAE,CAAC;IAEzC,OAAO,MAAM,CAAC,UAAU,CACtB,SAAS,EACT,IAAI,EACJ,iBAAiB,CAAC,gBAAgB,EAClC,iBAAiB,CAAC,SAAS,EAC3B,QAAQ,CACT,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,OAAO,CAAC,SAAiB;IACvC,8BAA8B;IAC9B,MAAM,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;IAC9D,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAE1D,qCAAqC;IACrC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;IAE5B,gBAAgB;IAChB,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAClC,iBAAiB,CAAC,SAAS,EAC3B,GAAG,EACH,EAAE,CACH,CAAC;IAEF,wBAAwB;IACxB,IAAI,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC3D,SAAS,IAAI,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAEpC,yBAAyB;IACzB,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAEhC,uCAAuC;IACvC,8DAA8D;IAC9D,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC;IAE5C,OAAO;QACL,SAAS;QACT,EAAE,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAChC,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3B,OAAO,EAAE,iBAAiB,CAAC,OAAO;KACnC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,OAAO,CAAC,cAA8B;IACpD,IAAI,CAAC;QACH,gBAAgB;QAChB,IAAI,cAAc,CAAC,OAAO,KAAK,iBAAiB,CAAC,OAAO,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CACb,mCAAmC,cAAc,CAAC,OAAO,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC3D,IAAI,SAAS,CAAC,MAAM,KAAK,iBAAiB,CAAC,UAAU,GAAG,iBAAiB,CAAC,QAAQ,EAAE,CAAC;YACnF,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACtE,CAAC;QAED,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,iBAAiB,CAAC,UAAU,CAAC,CAAC;QACjE,MAAM,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,UAAU,CAAC,CAAC;QAE5D,qCAAqC;QACrC,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;QAE5B,kBAAkB;QAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,gBAAgB,CACtC,iBAAiB,CAAC,SAAS,EAC3B,GAAG,EACH,EAAE,CACH,CAAC;QAEF,yBAAyB;QACzB,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACtD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAEzB,UAAU;QACV,IAAI,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,cAAc,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5E,SAAS,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAEpC,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,wCAAwC;QACxC,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;YAC3B,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,kDAAkD,CAAC,EAAE,CAAC;gBAC/E,MAAM,IAAI,KAAK,CACb,iDAAiD;oBACjD,4CAA4C;oBAC5C,gCAAgC;oBAChC,uCAAuC;oBACvC,+BAA+B,CAChC,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,sBAAsB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;IACtD,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CAAC,KAAc;IACxC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAChD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,GAAG,GAAG,KAAY,CAAC;IACzB,OAAO,CACL,OAAO,GAAG,CAAC,SAAS,KAAK,QAAQ;QACjC,OAAO,GAAG,CAAC,EAAE,KAAK,QAAQ;QAC1B,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ;QAC3B,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAM,EACN,eAAyB;IAEzB,MAAM,MAAM,GAAwB,EAAE,GAAG,GAAG,EAAE,CAAC;IAE/C,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,KAAK,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ,EAAE,CAAC;YACzD,4CAA4C;YAC5C,IAAI,CAAC,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;gBAChC,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACzC,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAW,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAM,EACN,eAAyB;IAEzB,MAAM,MAAM,GAAwB,EAAE,GAAG,GAAG,EAAE,CAAC;IAE/C,KAAK,MAAM,KAAK,IAAI,eAAe,EAAE,CAAC;QACpC,IAAI,KAAK,IAAI,MAAM,IAAI,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YACzC,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,sEAAsE;gBACtE,OAAO,CAAC,KAAK,CAAC,4BAA4B,KAAK,IAAI,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;YAC/G,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAW,CAAC;AACrB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,oBAAoB,CAAC;QACvC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;QACrC,OAAO,SAAS,KAAK,SAAS,CAAC;IACjC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB;IAQ/B,OAAO;QACL,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,SAAS,EAAE,iBAAiB,CAAC,SAAS;QACtC,QAAQ,EAAE,iBAAiB,CAAC,QAAQ;QACpC,gBAAgB,EAAE,iBAAiB,CAAC,gBAAgB;QACpD,OAAO,EAAE,iBAAiB,CAAC,OAAO;QAClC,SAAS,EAAE,oBAAoB,EAAE;KAClC,CAAC;AACJ,CAAC"}

package/dist/utils/error-sanitizer.d.ts

@@ -0,0 +1,119 @@
+/**
+ * Error Message Sanitization (REQ-SEC-010)
+ *
+ * Sanitizes error messages to prevent information disclosure
+ * Removes:
+ * - File system paths
+ * - API keys and secrets
+ * - Stack traces (for user-facing errors)
+ * - Internal implementation details
+ *
+ * Security: CVSS 6.5 (Medium Priority)
+ */
+/**
+ * Sanitized error structure
+ */
+export interface SanitizedError {
+    /**
+     * Sanitized error message (safe for user display)
+     */
+    message: string;
+    /**
+     * Error code (for documentation lookup)
+     */
+    code?: string;
+    /**
+     * Generic error category
+     */
+    category: string;
+    /**
+     * Suggested action for user
+     */
+    suggestion?: string;
+    /**
+     * Original error (for internal logging only)
+     */
+    originalError?: Error;
+}
+/**
+ * Error categories for user-friendly messages
+ */
+export declare enum ErrorCategory {
+    NETWORK = "NETWORK",
+    FILE_SYSTEM = "FILE_SYSTEM",
+    VALIDATION = "VALIDATION",
+    AUTHENTICATION = "AUTHENTICATION",
+    RATE_LIMIT = "RATE_LIMIT",
+    API_ERROR = "API_ERROR",
+    INTERNAL = "INTERNAL",
+    USER_INPUT = "USER_INPUT"
+}
+/**
+ * Sanitize error message by removing sensitive information
+ *
+ * @param message - Raw error message
+ * @returns Sanitized message safe for user display
+ */
+export declare function sanitizeErrorMessage(message: string): string;
+/**
+ * Sanitize stack trace by removing sensitive paths
+ *
+ * @param stack - Raw stack trace
+ * @returns Sanitized stack trace
+ */
+export declare function sanitizeStackTrace(stack: string): string;
+/**
+ * Remove stack trace entirely (for user-facing errors)
+ *
+ * @param message - Error message with potential stack trace
+ * @returns Message without stack trace
+ */
+export declare function removeStackTrace(message: string): string;
+/**
+ * Categorize error and create user-friendly message
+ *
+ * @param error - Error object
+ * @returns Sanitized error with category and suggestion
+ */
+export declare function sanitizeError(error: Error | unknown): SanitizedError;
+/**
+ * Format sanitized error for user display
+ *
+ * @param sanitizedError - Sanitized error object
+ * @returns Formatted error message
+ */
+export declare function formatUserError(sanitizedError: SanitizedError): string;
+/**
+ * Create internal log message with full details (not sanitized)
+ *
+ * @param error - Original error
+ * @param context - Additional context
+ * @returns Detailed log message
+ */
+export declare function createInternalLogMessage(error: Error | unknown, context?: Record<string, unknown>): string;
+/**
+ * Safe error wrapper for user-facing operations
+ *
+ * @param operation - Async operation to execute
+ * @param errorHandler - Optional custom error handler
+ * @returns Result or sanitized error
+ *
+ * @example
+ * ```typescript
+ * const result = await safeExecute(
+ *   () => riskyOperation(),
+ *   (error) => console.error('Internal error:', error)
+ * );
+ *
+ * if (!result.success) {
+ *   console.log(formatUserError(result.error));
+ * }
+ * ```
+ */
+export declare function safeExecute<T>(operation: () => Promise<T>, errorHandler?: (error: Error, sanitized: SanitizedError) => void): Promise<{
+    success: true;
+    data: T;
+} | {
+    success: false;
+    error: SanitizedError;
+}>;

package/dist/utils/error-sanitizer.js

@@ -0,0 +1,253 @@
+/**
+ * Error Message Sanitization (REQ-SEC-010)
+ *
+ * Sanitizes error messages to prevent information disclosure
+ * Removes:
+ * - File system paths
+ * - API keys and secrets
+ * - Stack traces (for user-facing errors)
+ * - Internal implementation details
+ *
+ * Security: CVSS 6.5 (Medium Priority)
+ */
+import { homedir } from 'os';
+import { getAuditLogger, AuditCategory } from './audit-logger.js';
+/**
+ * Patterns to detect and sanitize in error messages
+ */
+const SENSITIVE_PATTERNS = {
+    // File paths (Windows and Unix)
+    FILE_PATH: /([A-Za-z]:\\|\/)[^\s"'<>|]+/g,
+    // API keys and tokens (common formats)
+    // Matches patterns like "api_key=XXX", "secret: XXX", "API key: XXX", "bearer XXX"
+    API_KEY: /\b(?:api[_ -]?key|token|secret|password|bearer)[\s:=]+['"]?[a-zA-Z0-9_\-]{16,}['"]?/gi,
+    // Environment variables
+    ENV_VAR: /\$\{?[A-Z_][A-Z0-9_]*\}?/g,
+    // IP addresses (for SSRF protection)
+    IP_ADDRESS: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
+    // URLs with credentials
+    URL_WITH_CREDS: /https?:\/\/[^:]+:[^@]+@[^\s]+/g,
+    // Stack trace lines
+    STACK_TRACE_LINE: /^\s*at\s+.+\(.+:\d+:\d+\)$/gm,
+    // Home directory references
+    HOME_DIR: new RegExp(homedir().replace(/[.*+?^${}()|[\]\\]/g, '\\$&'), 'g'),
+};
+/**
+ * Replacement strings for sanitized content
+ */
+const REPLACEMENTS = {
+    FILE_PATH: '[REDACTED_PATH]',
+    API_KEY: '[REDACTED_KEY]',
+    ENV_VAR: '[REDACTED_ENV]',
+    IP_ADDRESS: '[REDACTED_IP]',
+    URL_WITH_CREDS: '[REDACTED_URL]',
+    STACK_TRACE_LINE: '',
+    HOME_DIR: '[USER_HOME]',
+};
+/**
+ * Error categories for user-friendly messages
+ */
+export var ErrorCategory;
+(function (ErrorCategory) {
+    ErrorCategory["NETWORK"] = "NETWORK";
+    ErrorCategory["FILE_SYSTEM"] = "FILE_SYSTEM";
+    ErrorCategory["VALIDATION"] = "VALIDATION";
+    ErrorCategory["AUTHENTICATION"] = "AUTHENTICATION";
+    ErrorCategory["RATE_LIMIT"] = "RATE_LIMIT";
+    ErrorCategory["API_ERROR"] = "API_ERROR";
+    ErrorCategory["INTERNAL"] = "INTERNAL";
+    ErrorCategory["USER_INPUT"] = "USER_INPUT";
+})(ErrorCategory || (ErrorCategory = {}));
+/**
+ * Sanitize error message by removing sensitive information
+ *
+ * @param message - Raw error message
+ * @returns Sanitized message safe for user display
+ */
+export function sanitizeErrorMessage(message) {
+    let sanitized = message;
+    // Remove URLs with credentials first (before FILE_PATH catches them)
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.URL_WITH_CREDS, REPLACEMENTS.URL_WITH_CREDS);
+    // Remove home directory references (before FILE_PATH catches them)
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.HOME_DIR, REPLACEMENTS.HOME_DIR);
+    // Remove file paths
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.FILE_PATH, REPLACEMENTS.FILE_PATH);
+    // Remove API keys and secrets
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.API_KEY, REPLACEMENTS.API_KEY);
+    // Remove environment variables
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.ENV_VAR, REPLACEMENTS.ENV_VAR);
+    // Remove IP addresses
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.IP_ADDRESS, REPLACEMENTS.IP_ADDRESS);
+    return sanitized;
+}
+/**
+ * Sanitize stack trace by removing sensitive paths
+ *
+ * @param stack - Raw stack trace
+ * @returns Sanitized stack trace
+ */
+export function sanitizeStackTrace(stack) {
+    let sanitized = stack;
+    // Remove home directory references first
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.HOME_DIR, REPLACEMENTS.HOME_DIR);
+    // Remove file paths from stack frames
+    sanitized = sanitized.replace(SENSITIVE_PATTERNS.FILE_PATH, REPLACEMENTS.FILE_PATH);
+    return sanitized;
+}
+/**
+ * Remove stack trace entirely (for user-facing errors)
+ *
+ * @param message - Error message with potential stack trace
+ * @returns Message without stack trace
+ */
+export function removeStackTrace(message) {
+    // Split at first "at " (stack trace start)
+    const parts = message.split(/\n\s*at\s+/);
+    return parts[0].trim();
+}
+/**
+ * Categorize error and create user-friendly message
+ *
+ * @param error - Error object
+ * @returns Sanitized error with category and suggestion
+ */
+export function sanitizeError(error) {
+    const errorObj = error instanceof Error ? error : new Error(String(error));
+    const message = errorObj.message;
+    // Sanitize the message
+    const sanitizedMessage = sanitizeErrorMessage(removeStackTrace(message));
+    // Determine category and suggestion
+    let category = ErrorCategory.INTERNAL;
+    let suggestion;
+    let code;
+    // Network errors
+    if (message.includes('ENOTFOUND') || message.includes('ECONNREFUSED') || message.includes('fetch failed')) {
+        category = ErrorCategory.NETWORK;
+        suggestion = 'Check your network connection and try again.';
+        code = 'ERR_NETWORK';
+    }
+    // File system errors
+    else if (message.includes('ENOENT') || message.includes('EACCES') || message.includes('EPERM')) {
+        category = ErrorCategory.FILE_SYSTEM;
+        suggestion = 'Check that the file exists and you have permission to access it.';
+        code = 'ERR_FILE_SYSTEM';
+    }
+    // Validation errors
+    else if (message.includes('validation') || message.includes('invalid') || message.includes('required')) {
+        category = ErrorCategory.VALIDATION;
+        suggestion = 'Check your input and try again.';
+        code = 'ERR_VALIDATION';
+    }
+    // Authentication errors
+    else if (message.includes('unauthorized') || message.includes('authentication') || message.includes('API key')) {
+        category = ErrorCategory.AUTHENTICATION;
+        suggestion = 'Check your API key configuration.';
+        code = 'ERR_AUTH';
+    }
+    // Rate limit errors
+    else if (message.includes('rate limit') || message.includes('too many requests')) {
+        category = ErrorCategory.RATE_LIMIT;
+        suggestion = 'Please wait a moment before trying again.';
+        code = 'ERR_RATE_LIMIT';
+    }
+    // API errors
+    else if (message.includes('API') || message.includes('status code')) {
+        category = ErrorCategory.API_ERROR;
+        suggestion = 'The API returned an error. Please try again later.';
+        code = 'ERR_API';
+    }
+    // REQ-SEC-008: Audit log errors with sensitive info detection
+    if (message !== sanitizedMessage) {
+        const auditLogger = getAuditLogger();
+        auditLogger.logWarning({
+            category: AuditCategory.SYSTEM_EVENT,
+            action: 'sensitive_data_in_error',
+            outcome: 'success',
+            details: {
+                category,
+                sanitized: true,
+            },
+        });
+    }
+    return {
+        message: sanitizedMessage,
+        code,
+        category,
+        suggestion,
+        originalError: errorObj,
+    };
+}
+/**
+ * Format sanitized error for user display
+ *
+ * @param sanitizedError - Sanitized error object
+ * @returns Formatted error message
+ */
+export function formatUserError(sanitizedError) {
+    const parts = [];
+    if (sanitizedError.code) {
+        parts.push(`[${sanitizedError.code}]`);
+    }
+    parts.push(sanitizedError.message);
+    if (sanitizedError.suggestion) {
+        parts.push(`\nℹ️  ${sanitizedError.suggestion}`);
+    }
+    return parts.join(' ');
+}
+/**
+ * Create internal log message with full details (not sanitized)
+ *
+ * @param error - Original error
+ * @param context - Additional context
+ * @returns Detailed log message
+ */
+export function createInternalLogMessage(error, context) {
+    const errorObj = error instanceof Error ? error : new Error(String(error));
+    const parts = [
+        `Error: ${errorObj.message}`,
+    ];
+    if (errorObj.stack) {
+        parts.push(`Stack: ${sanitizeStackTrace(errorObj.stack)}`);
+    }
+    if (context) {
+        parts.push(`Context: ${JSON.stringify(context, null, 2)}`);
+    }
+    return parts.join('\n');
+}
+/**
+ * Safe error wrapper for user-facing operations
+ *
+ * @param operation - Async operation to execute
+ * @param errorHandler - Optional custom error handler
+ * @returns Result or sanitized error
+ *
+ * @example
+ * ```typescript
+ * const result = await safeExecute(
+ *   () => riskyOperation(),
+ *   (error) => console.error('Internal error:', error)
+ * );
+ *
+ * if (!result.success) {
+ *   console.log(formatUserError(result.error));
+ * }
+ * ```
+ */
+export async function safeExecute(operation, errorHandler) {
+    try {
+        const data = await operation();
+        return { success: true, data };
+    }
+    catch (error) {
+        const sanitized = sanitizeError(error);
+        // Log internal error details
+        if (errorHandler) {
+            errorHandler(sanitized.originalError, sanitized);
+        }
+        else {
+            console.error(createInternalLogMessage(error));
+        }
+        return { success: false, error: sanitized };
+    }
+}
+//# sourceMappingURL=error-sanitizer.js.map

package/dist/utils/error-sanitizer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"error-sanitizer.js","sourceRoot":"","sources":["../../src/utils/error-sanitizer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,IAAI,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAElE;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACzB,gCAAgC;IAChC,SAAS,EAAE,8BAA8B;IAEzC,uCAAuC;IACvC,mFAAmF;IACnF,OAAO,EAAE,uFAAuF;IAEhG,wBAAwB;IACxB,OAAO,EAAE,2BAA2B;IAEpC,qCAAqC;IACrC,UAAU,EAAE,8BAA8B;IAE1C,wBAAwB;IACxB,cAAc,EAAE,gCAAgC;IAEhD,oBAAoB;IACpB,gBAAgB,EAAE,8BAA8B;IAEhD,4BAA4B;IAC5B,QAAQ,EAAE,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,EAAE,GAAG,CAAC;CACnE,CAAC;AAEX;;GAEG;AACH,MAAM,YAAY,GAAG;IACnB,SAAS,EAAE,iBAAiB;IAC5B,OAAO,EAAE,gBAAgB;IACzB,OAAO,EAAE,gBAAgB;IACzB,UAAU,EAAE,eAAe;IAC3B,cAAc,EAAE,gBAAgB;IAChC,gBAAgB,EAAE,EAAE;IACpB,QAAQ,EAAE,aAAa;CACf,CAAC;AAgCX;;GAEG;AACH,MAAM,CAAN,IAAY,aASX;AATD,WAAY,aAAa;IACvB,oCAAmB,CAAA;IACnB,4CAA2B,CAAA;IAC3B,0CAAyB,CAAA;IACzB,kDAAiC,CAAA;IACjC,0CAAyB,CAAA;IACzB,wCAAuB,CAAA;IACvB,sCAAqB,CAAA;IACrB,0CAAyB,CAAA;AAC3B,CAAC,EATW,aAAa,KAAb,aAAa,QASxB;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,IAAI,SAAS,GAAG,OAAO,CAAC;IAExB,qEAAqE;IACrE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,cAAc,EAAE,YAAY,CAAC,cAAc,CAAC,CAAC;IAE9F,mEAAmE;IACnE,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElF,oBAAoB;IACpB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpF,8BAA8B;IAC9B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAEhF,+BAA+B;IAC/B,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC;IAEhF,sBAAsB;IACtB,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,UAAU,EAAE,YAAY,CAAC,UAAU,CAAC,CAAC;IAEtF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,IAAI,SAAS,GAAG,KAAK,CAAC;IAEtB,yCAAyC;IACzC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,QAAQ,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAC;IAElF,sCAAsC;IACtC,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,kBAAkB,CAAC,SAAS,EAAE,YAAY,CAAC,SAAS,CAAC,CAAC;IAEpF,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,2CAA2C;IAC3C,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,KAAsB;IAClD,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3E,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC;IAEjC,uBAAuB;IACvB,MAAM,gBAAgB,GAAG,oBAAoB,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC,CAAC;IAEzE,oCAAoC;IACpC,IAAI,QAAQ,GAAG,aAAa,CAAC,QAAQ,CAAC;IACtC,IAAI,UAA8B,CAAC;IACnC,IAAI,IAAwB,CAAC;IAE7B,iBAAiB;IACjB,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC1G,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC;QACjC,UAAU,GAAG,8CAA8C,CAAC;QAC5D,IAAI,GAAG,aAAa,CAAC;IACvB,CAAC;IACD,qBAAqB;SAChB,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/F,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC;QACrC,UAAU,GAAG,kEAAkE,CAAC;QAChF,IAAI,GAAG,iBAAiB,CAAC;IAC3B,CAAC;IACD,oBAAoB;SACf,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACvG,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC;QACpC,UAAU,GAAG,iCAAiC,CAAC;QAC/C,IAAI,GAAG,gBAAgB,CAAC;IAC1B,CAAC;IACD,wBAAwB;SACnB,IAAI,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAC/G,QAAQ,GAAG,aAAa,CAAC,cAAc,CAAC;QACxC,UAAU,GAAG,mCAAmC,CAAC;QACjD,IAAI,GAAG,UAAU,CAAC;IACpB,CAAC;IACD,oBAAoB;SACf,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACjF,QAAQ,GAAG,aAAa,CAAC,UAAU,CAAC;QACpC,UAAU,GAAG,2CAA2C,CAAC;QACzD,IAAI,GAAG,gBAAgB,CAAC;IAC1B,CAAC;IACD,aAAa;SACR,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACpE,QAAQ,GAAG,aAAa,CAAC,SAAS,CAAC;QACnC,UAAU,GAAG,oDAAoD,CAAC;QAClE,IAAI,GAAG,SAAS,CAAC;IACnB,CAAC;IAED,8DAA8D;IAC9D,IAAI,OAAO,KAAK,gBAAgB,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,cAAc,EAAE,CAAC;QACrC,WAAW,CAAC,UAAU,CAAC;YACrB,QAAQ,EAAE,aAAa,CAAC,YAAY;YACpC,MAAM,EAAE,yBAAyB;YACjC,OAAO,EAAE,SAAS;YAClB,OAAO,EAAE;gBACP,QAAQ;gBACR,SAAS,EAAE,IAAI;aAChB;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,OAAO,EAAE,gBAAgB;QACzB,IAAI;QACJ,QAAQ;QACR,UAAU;QACV,aAAa,EAAE,QAAQ;KACxB,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,cAA8B;IAC5D,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,cAAc,CAAC,IAAI,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,GAAG,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAEnC,IAAI,cAAc,CAAC,UAAU,EAAE,CAAC;QAC9B,KAAK,CAAC,IAAI,CAAC,SAAS,cAAc,CAAC,UAAU,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AACzB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,wBAAwB,CAAC,KAAsB,EAAE,OAAiC;IAChG,MAAM,QAAQ,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAE3E,MAAM,KAAK,GAAa;QACtB,UAAU,QAAQ,CAAC,OAAO,EAAE;KAC7B,CAAC;IAEF,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QACnB,KAAK,CAAC,IAAI,CAAC,UAAU,kBAAkB,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,SAA2B,EAC3B,YAAgE;IAEhE,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,SAAS,EAAE,CAAC;QAC/B,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACjC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QAEvC,6BAA6B;QAC7B,IAAI,YAAY,EAAE,CAAC;YACjB,YAAY,CAAC,SAAS,CAAC,aAAc,EAAE,SAAS,CAAC,CAAC;QACpD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,wBAAwB,CAAC,KAAK,CAAC,CAAC,CAAC;QACjD,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IAC9C,CAAC;AACH,CAAC"}