@det-acp/core 0.2.0

package/dist/policy/evaluator.js

@@ -0,0 +1,383 @@
+/**
+ * Policy Evaluator — runtime enforcement of policy rules.
+ *
+ * Given an ActionRequest and a loaded Policy, determines:
+ *  - allow: action is permitted
+ *  - deny:  action is blocked
+ *  - gate:  action requires approval before execution
+ *
+ * Supports both stateless (single action) and stateful (session-aware) evaluation.
+ */
+import { minimatch } from 'minimatch';
+// ---------------------------------------------------------------------------
+// Main evaluation entry point (stateless — single action)
+// ---------------------------------------------------------------------------
+export function evaluateAction(request, policy, budget) {
+    // 1. Check forbidden patterns
+    const forbiddenCheck = checkForbiddenPatterns(request, policy);
+    if (forbiddenCheck) {
+        return {
+            verdict: 'deny',
+            tool: request.tool,
+            reasons: [forbiddenCheck],
+        };
+    }
+    // 2. Check capability exists for this tool
+    const capability = findCapability(request.tool, policy);
+    if (!capability) {
+        return {
+            verdict: 'deny',
+            tool: request.tool,
+            reasons: [`No capability defined for tool "${request.tool}"`],
+        };
+    }
+    // 3. Check scope constraints
+    const scopeViolations = checkScope(request, capability);
+    if (scopeViolations.length > 0) {
+        return {
+            verdict: 'deny',
+            tool: request.tool,
+            reasons: scopeViolations,
+        };
+    }
+    // 4. Check budget limits
+    if (budget) {
+        const budgetViolations = checkBudget(policy.limits, budget);
+        if (budgetViolations.length > 0) {
+            return {
+                verdict: 'deny',
+                tool: request.tool,
+                reasons: budgetViolations,
+            };
+        }
+    }
+    // 5. Check if a gate applies
+    const gate = findGate(request, policy);
+    if (gate) {
+        return {
+            verdict: 'gate',
+            tool: request.tool,
+            reasons: [`Gate required: ${gate.approval} approval for "${gate.action}" (risk: ${gate.risk_level ?? 'unspecified'})`],
+            gate,
+        };
+    }
+    return {
+        verdict: 'allow',
+        tool: request.tool,
+        reasons: ['Action permitted by policy'],
+    };
+}
+// ---------------------------------------------------------------------------
+// Session-aware evaluation (stateful)
+// ---------------------------------------------------------------------------
+/**
+ * Evaluate an action in the context of an active session.
+ * Checks session-level constraints on top of the standard policy checks.
+ */
+export function evaluateSessionAction(request, policy, session) {
+    const warnings = [];
+    // 1. Check if session is still active
+    if (session.state !== 'active') {
+        return {
+            verdict: 'deny',
+            tool: request.tool,
+            reasons: [`Session is ${session.state}, not accepting new actions`],
+        };
+    }
+    // 2. Check session constraints before standard policy checks
+    const sessionConstraints = policy.session;
+    if (sessionConstraints) {
+        // Max actions per session
+        if (sessionConstraints.max_actions != null) {
+            if (session.budget.actionsEvaluated >= sessionConstraints.max_actions) {
+                return {
+                    verdict: 'deny',
+                    tool: request.tool,
+                    reasons: [`Session action limit reached: ${session.budget.actionsEvaluated} >= ${sessionConstraints.max_actions}`],
+                };
+            }
+            // Warn when approaching limit
+            const remaining = sessionConstraints.max_actions - session.budget.actionsEvaluated;
+            if (remaining <= 5) {
+                warnings.push(`Approaching action limit: ${remaining} actions remaining`);
+            }
+        }
+        // Max denials — terminate session if too many denials
+        if (sessionConstraints.max_denials != null) {
+            if (session.budget.actionsDenied >= sessionConstraints.max_denials) {
+                return {
+                    verdict: 'deny',
+                    tool: request.tool,
+                    reasons: [`Session denial limit reached: ${session.budget.actionsDenied} >= ${sessionConstraints.max_denials}. Session should be terminated.`],
+                };
+            }
+        }
+        // Rate limiting
+        if (sessionConstraints.rate_limit) {
+            const rateLimitViolation = checkRateLimit(session, sessionConstraints.rate_limit.max_per_minute);
+            if (rateLimitViolation) {
+                return {
+                    verdict: 'deny',
+                    tool: request.tool,
+                    reasons: [rateLimitViolation],
+                };
+            }
+        }
+        // Escalation rules
+        if (sessionConstraints.escalation) {
+            const escalation = checkEscalation(session, sessionConstraints.escalation);
+            if (escalation) {
+                return {
+                    verdict: 'gate',
+                    tool: request.tool,
+                    reasons: [escalation.reason],
+                    gate: {
+                        action: request.tool,
+                        approval: 'human',
+                        risk_level: 'medium',
+                        condition: escalation.trigger,
+                    },
+                    warnings,
+                };
+            }
+        }
+    }
+    // 3. Run standard policy checks (with session budget)
+    const result = evaluateAction(request, policy, session.budget);
+    // Attach warnings
+    if (warnings.length > 0) {
+        return { ...result, warnings };
+    }
+    return result;
+}
+// ---------------------------------------------------------------------------
+// Rate limiting
+// ---------------------------------------------------------------------------
+function checkRateLimit(session, maxPerMinute) {
+    const now = Date.now();
+    const oneMinuteAgo = now - 60_000;
+    // Count actions in the last minute
+    const recentActions = session.actions.filter((a) => {
+        const actionTime = new Date(a.timestamp).getTime();
+        return actionTime >= oneMinuteAgo;
+    });
+    if (recentActions.length >= maxPerMinute) {
+        return `Rate limit exceeded: ${recentActions.length} actions in the last minute (limit: ${maxPerMinute})`;
+    }
+    return null;
+}
+function checkEscalation(session, rules) {
+    const elapsedMinutes = (Date.now() - session.budget.startedAt) / 60_000;
+    for (const rule of rules) {
+        if (rule.after_actions != null && session.budget.actionsEvaluated >= rule.after_actions) {
+            // Check if a human check-in has already been done after this threshold
+            // by looking for a recent gate approval in the session history
+            const lastCheckinIndex = findLastCheckin(session, rule.after_actions);
+            if (lastCheckinIndex === -1) {
+                return {
+                    reason: `Escalation: ${session.budget.actionsEvaluated} actions evaluated, human check-in required after ${rule.after_actions}`,
+                    trigger: `after_actions:${rule.after_actions}`,
+                };
+            }
+        }
+        if (rule.after_minutes != null && elapsedMinutes >= rule.after_minutes) {
+            const lastTimeCheckin = findLastTimeCheckin(session, rule.after_minutes);
+            if (lastTimeCheckin === -1) {
+                return {
+                    reason: `Escalation: ${Math.floor(elapsedMinutes)} minutes elapsed, human check-in required after ${rule.after_minutes} minutes`,
+                    trigger: `after_minutes:${rule.after_minutes}`,
+                };
+            }
+        }
+    }
+    return null;
+}
+/**
+ * Find the last action index where a human check-in gate was approved
+ * after the given threshold was crossed.
+ */
+function findLastCheckin(session, threshold) {
+    // Look for any gated action (with human approval) that was resolved
+    // after the threshold was reached
+    for (let i = session.actions.length - 1; i >= 0; i--) {
+        const action = session.actions[i];
+        if (action.index >= threshold &&
+            action.validation.verdict === 'gate' &&
+            action.result !== undefined) {
+            return i;
+        }
+    }
+    return -1;
+}
+function findLastTimeCheckin(session, _afterMinutes) {
+    // Look for any gated action that was a time-based escalation and was resolved
+    for (let i = session.actions.length - 1; i >= 0; i--) {
+        const action = session.actions[i];
+        if (action.validation.verdict === 'gate' &&
+            action.validation.gate?.condition?.startsWith('after_minutes:') &&
+            action.result !== undefined) {
+            return i;
+        }
+    }
+    return -1;
+}
+// ---------------------------------------------------------------------------
+// Forbidden pattern checks
+// ---------------------------------------------------------------------------
+function checkForbiddenPatterns(request, policy) {
+    const input = request.input;
+    for (const forbidden of policy.forbidden) {
+        const pattern = forbidden.pattern;
+        // Check against path-like inputs
+        const pathValue = (input.path ?? input.file ?? input.target);
+        if (pathValue && minimatch(pathValue, pattern)) {
+            return `Path "${pathValue}" matches forbidden pattern "${pattern}"`;
+        }
+        // Check against command inputs
+        const command = (input.command ?? input.cmd);
+        if (command && command.includes(pattern)) {
+            return `Command contains forbidden pattern "${pattern}"`;
+        }
+        // Check against URL inputs
+        const url = (input.url ?? input.endpoint);
+        if (url && minimatch(url, pattern)) {
+            return `URL "${url}" matches forbidden pattern "${pattern}"`;
+        }
+    }
+    return null;
+}
+// ---------------------------------------------------------------------------
+// Capability lookup
+// ---------------------------------------------------------------------------
+function findCapability(tool, policy) {
+    return policy.capabilities.find((cap) => cap.tool === tool);
+}
+// ---------------------------------------------------------------------------
+// Scope validation
+// ---------------------------------------------------------------------------
+function checkScope(request, capability) {
+    const violations = [];
+    const input = request.input;
+    const scope = capability.scope;
+    // Path scope
+    if (scope.paths) {
+        const pathValue = (input.path ?? input.file ?? input.target);
+        if (pathValue) {
+            const allowed = scope.paths.some((pattern) => minimatch(pathValue, pattern));
+            if (!allowed) {
+                violations.push(`Path "${pathValue}" is outside allowed scope: [${scope.paths.join(', ')}]`);
+            }
+        }
+    }
+    // Binary scope (for command:run)
+    if (scope.binaries) {
+        const binary = (input.binary ?? input.command);
+        if (binary) {
+            // Extract the base binary name (first word of the command)
+            const baseBinary = binary.split(/\s+/)[0];
+            const baseName = baseBinary.split('/').pop() ?? baseBinary;
+            if (!scope.binaries.includes(baseName)) {
+                violations.push(`Binary "${baseName}" is not in allowed list: [${scope.binaries.join(', ')}]`);
+            }
+        }
+    }
+    // Domain scope (for http:request)
+    if (scope.domains) {
+        const url = (input.url ?? input.endpoint);
+        if (url) {
+            try {
+                const parsed = new URL(url);
+                if (!scope.domains.includes(parsed.hostname)) {
+                    violations.push(`Domain "${parsed.hostname}" is not in allowed list: [${scope.domains.join(', ')}]`);
+                }
+            }
+            catch {
+                violations.push(`Invalid URL: "${url}"`);
+            }
+        }
+    }
+    // Method scope (for http:request)
+    if (scope.methods) {
+        const method = (input.method ?? 'GET').toUpperCase();
+        if (!scope.methods.includes(method)) {
+            violations.push(`HTTP method "${method}" is not in allowed list: [${scope.methods.join(', ')}]`);
+        }
+    }
+    // Repo scope (for git operations)
+    if (scope.repos) {
+        const repo = (input.repo ?? input.repository);
+        if (repo) {
+            const allowed = scope.repos.some((pattern) => minimatch(repo, pattern));
+            if (!allowed) {
+                violations.push(`Repository "${repo}" is outside allowed scope: [${scope.repos.join(', ')}]`);
+            }
+        }
+    }
+    return violations;
+}
+// ---------------------------------------------------------------------------
+// Budget checks
+// ---------------------------------------------------------------------------
+function checkBudget(limits, budget) {
+    const violations = [];
+    if (limits.max_runtime_ms != null) {
+        const elapsed = Date.now() - budget.startedAt;
+        if (elapsed > limits.max_runtime_ms) {
+            violations.push(`Runtime budget exceeded: ${elapsed}ms > ${limits.max_runtime_ms}ms`);
+        }
+    }
+    if (limits.max_files_changed != null && budget.filesChanged >= limits.max_files_changed) {
+        violations.push(`File change budget exceeded: ${budget.filesChanged} >= ${limits.max_files_changed}`);
+    }
+    if (limits.max_output_bytes != null && budget.totalOutputBytes >= limits.max_output_bytes) {
+        violations.push(`Output size budget exceeded: ${budget.totalOutputBytes} >= ${limits.max_output_bytes}`);
+    }
+    if (limits.max_retries != null && budget.retries >= limits.max_retries) {
+        violations.push(`Retry budget exceeded: ${budget.retries} >= ${limits.max_retries}`);
+    }
+    if (limits.max_cost_usd != null && budget.costUsd >= limits.max_cost_usd) {
+        violations.push(`Cost budget exceeded: $${budget.costUsd} >= $${limits.max_cost_usd}`);
+    }
+    return violations;
+}
+// ---------------------------------------------------------------------------
+// Gate lookup
+// ---------------------------------------------------------------------------
+function findGate(request, policy) {
+    return policy.gates.find((gate) => {
+        if (gate.action !== request.tool)
+            return false;
+        // If gate has a condition, evaluate it
+        if (gate.condition === 'outside_scope') {
+            // This gate fires only if the action targets something outside scope
+            const capability = findCapability(request.tool, policy);
+            if (capability) {
+                const scopeViolations = checkScope(request, capability);
+                return scopeViolations.length > 0;
+            }
+        }
+        // No condition or unknown condition — gate always applies
+        return !gate.condition;
+    });
+}
+// ---------------------------------------------------------------------------
+// Utility: assess risk level for an action
+// ---------------------------------------------------------------------------
+export function assessRiskLevel(request, policy) {
+    // Check if there's an explicit gate with a risk level
+    const gate = policy.gates.find((g) => g.action === request.tool);
+    if (gate?.risk_level)
+        return gate.risk_level;
+    // Heuristic risk assessment
+    const tool = request.tool;
+    if (tool === 'file:delete' || tool === 'command:run')
+        return 'high';
+    if (tool === 'file:write' || tool === 'git:apply')
+        return 'medium';
+    if (tool === 'http:request')
+        return 'medium';
+    if (tool === 'file:read' || tool === 'git:diff')
+        return 'low';
+    return 'medium';
+}
+//# sourceMappingURL=evaluator.js.map

package/dist/policy/evaluator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"evaluator.js","sourceRoot":"","sources":["../../src/policy/evaluator.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AActC,8EAA8E;AAC9E,0DAA0D;AAC1D,8EAA8E;AAE9E,MAAM,UAAU,cAAc,CAC5B,OAAsB,EACtB,MAAc,EACd,MAAsB;IAEtB,8BAA8B;IAC9B,MAAM,cAAc,GAAG,sBAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC/D,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,cAAc,CAAC;SAC1B,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACxD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,mCAAmC,OAAO,CAAC,IAAI,GAAG,CAAC;SAC9D,CAAC;IACJ,CAAC;IAED,6BAA6B;IAC7B,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IACxD,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,eAAe;SACzB,CAAC;IACJ,CAAC;IAED,yBAAyB;IACzB,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,gBAAgB,GAAG,WAAW,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC5D,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,OAAO,EAAE,MAAM;gBACf,IAAI,EAAE,OAAO,CAAC,IAAI;gBAClB,OAAO,EAAE,gBAAgB;aAC1B,CAAC;QACJ,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,MAAM,IAAI,GAAG,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,IAAI,EAAE,CAAC;QACT,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,kBAAkB,IAAI,CAAC,QAAQ,kBAAkB,IAAI,CAAC,MAAM,YAAY,IAAI,CAAC,UAAU,IAAI,aAAa,GAAG,CAAC;YACtH,IAAI;SACL,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,OAAO,EAAE,CAAC,4BAA4B,CAAC;KACxC,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,sCAAsC;AACtC,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAsB,EACtB,MAAc,EACd,OAAgB;IAEhB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,sCAAsC;IACtC,IAAI,OAAO,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC/B,OAAO;YACL,OAAO,EAAE,MAAM;YACf,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,OAAO,EAAE,CAAC,cAAc,OAAO,CAAC,KAAK,6BAA6B,CAAC;SACpE,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,MAAM,kBAAkB,GAAG,MAAM,CAAC,OAAO,CAAC;IAC1C,IAAI,kBAAkB,EAAE,CAAC;QACvB,0BAA0B;QAC1B,IAAI,kBAAkB,CAAC,WAAW,IAAI,IAAI,EAAE,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,IAAI,kBAAkB,CAAC,WAAW,EAAE,CAAC;gBACtE,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,CAAC,iCAAiC,OAAO,CAAC,MAAM,CAAC,gBAAgB,OAAO,kBAAkB,CAAC,WAAW,EAAE,CAAC;iBACnH,CAAC;YACJ,CAAC;YAED,8BAA8B;YAC9B,MAAM,SAAS,GAAG,kBAAkB,CAAC,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC;YACnF,IAAI,SAAS,IAAI,CAAC,EAAE,CAAC;gBACnB,QAAQ,CAAC,IAAI,CAAC,6BAA6B,SAAS,oBAAoB,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;QAED,sDAAsD;QACtD,IAAI,kBAAkB,CAAC,WAAW,IAAI,IAAI,EAAE,CAAC;YAC3C,IAAI,OAAO,CAAC,MAAM,CAAC,aAAa,IAAI,kBAAkB,CAAC,WAAW,EAAE,CAAC;gBACnE,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,CAAC,iCAAiC,OAAO,CAAC,MAAM,CAAC,aAAa,OAAO,kBAAkB,CAAC,WAAW,iCAAiC,CAAC;iBAC/I,CAAC;YACJ,CAAC;QACH,CAAC;QAED,gBAAgB;QAChB,IAAI,kBAAkB,CAAC,UAAU,EAAE,CAAC;YAClC,MAAM,kBAAkB,GAAG,cAAc,CAAC,OAAO,EAAE,kBAAkB,CAAC,UAAU,CAAC,cAAc,CAAC,CAAC;YACjG,IAAI,kBAAkB,EAAE,CAAC;gBACvB,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,CAAC,kBAAkB,CAAC;iBAC9B,CAAC;YACJ,CAAC;QACH,CAAC;QAED,mBAAmB;QACnB,IAAI,kBAAkB,CAAC,UAAU,EAAE,CAAC;YAClC,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,EAAE,kBAAkB,CAAC,UAAU,CAAC,CAAC;YAC3E,IAAI,UAAU,EAAE,CAAC;gBACf,OAAO;oBACL,OAAO,EAAE,MAAM;oBACf,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,OAAO,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC;oBAC5B,IAAI,EAAE;wBACJ,MAAM,EAAE,OAAO,CAAC,IAAI;wBACpB,QAAQ,EAAE,OAAO;wBACjB,UAAU,EAAE,QAAQ;wBACpB,SAAS,EAAE,UAAU,CAAC,OAAO;qBAC9B;oBACD,QAAQ;iBACT,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,sDAAsD;IACtD,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAE/D,kBAAkB;IAClB,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,GAAG,MAAM,EAAE,QAAQ,EAAE,CAAC;IACjC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,SAAS,cAAc,CAAC,OAAgB,EAAE,YAAoB;IAC5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,YAAY,GAAG,GAAG,GAAG,MAAM,CAAC;IAElC,mCAAmC;IACnC,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACjD,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC;QACnD,OAAO,UAAU,IAAI,YAAY,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,IAAI,aAAa,CAAC,MAAM,IAAI,YAAY,EAAE,CAAC;QACzC,OAAO,wBAAwB,aAAa,CAAC,MAAM,uCAAuC,YAAY,GAAG,CAAC;IAC5G,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAWD,SAAS,eAAe,CACtB,OAAgB,EAChB,KAAgE;IAEhE,MAAM,cAAc,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,MAAM,CAAC;IAExE,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,gBAAgB,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACxF,uEAAuE;YACvE,+DAA+D;YAC/D,MAAM,gBAAgB,GAAG,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YACtE,IAAI,gBAAgB,KAAK,CAAC,CAAC,EAAE,CAAC;gBAC5B,OAAO;oBACL,MAAM,EAAE,eAAe,OAAO,CAAC,MAAM,CAAC,gBAAgB,qDAAqD,IAAI,CAAC,aAAa,EAAE;oBAC/H,OAAO,EAAE,iBAAiB,IAAI,CAAC,aAAa,EAAE;iBAC/C,CAAC;YACJ,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,IAAI,cAAc,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvE,MAAM,eAAe,GAAG,mBAAmB,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC;YACzE,IAAI,eAAe,KAAK,CAAC,CAAC,EAAE,CAAC;gBAC3B,OAAO;oBACL,MAAM,EAAE,eAAe,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,mDAAmD,IAAI,CAAC,aAAa,UAAU;oBAChI,OAAO,EAAE,iBAAiB,IAAI,CAAC,aAAa,EAAE;iBAC/C,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAS,eAAe,CAAC,OAAgB,EAAE,SAAiB;IAC1D,oEAAoE;IACpE,kCAAkC;IAClC,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAClC,IACE,MAAM,CAAC,KAAK,IAAI,SAAS;YACzB,MAAM,CAAC,UAAU,CAAC,OAAO,KAAK,MAAM;YACpC,MAAM,CAAC,MAAM,KAAK,SAAS,EAC3B,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC,CAAC;AACZ,CAAC;AAED,SAAS,mBAAmB,CAAC,OAAgB,EAAE,aAAqB;IAClE,8EAA8E;IAC9E,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QACrD,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QAClC,IACE,MAAM,CAAC,UAAU,CAAC,OAAO,KAAK,MAAM;YACpC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,SAAS,EAAE,UAAU,CAAC,gBAAgB,CAAC;YAC/D,MAAM,CAAC,MAAM,KAAK,SAAS,EAC3B,CAAC;YACD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC,CAAC;AACZ,CAAC;AAED,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E,SAAS,sBAAsB,CAAC,OAAsB,EAAE,MAAc;IACpE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAE5B,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,CAAC;QAElC,iCAAiC;QACjC,MAAM,SAAS,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,CAAuB,CAAC;QACnF,IAAI,SAAS,IAAI,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC;YAC/C,OAAO,SAAS,SAAS,gCAAgC,OAAO,GAAG,CAAC;QACtE,CAAC;QAED,+BAA+B;QAC/B,MAAM,OAAO,GAAG,CAAC,KAAK,CAAC,OAAO,IAAI,KAAK,CAAC,GAAG,CAAuB,CAAC;QACnE,IAAI,OAAO,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACzC,OAAO,uCAAuC,OAAO,GAAG,CAAC;QAC3D,CAAC;QAED,2BAA2B;QAC3B,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAuB,CAAC;QAChE,IAAI,GAAG,IAAI,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO,QAAQ,GAAG,gCAAgC,OAAO,GAAG,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,8EAA8E;AAC9E,oBAAoB;AACpB,8EAA8E;AAE9E,SAAS,cAAc,CAAC,IAAY,EAAE,MAAc;IAClD,OAAO,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AAC9D,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E,SAAS,UAAU,CAAC,OAAsB,EAAE,UAAsB;IAChE,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC;IAE/B,aAAa;IACb,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,SAAS,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,MAAM,CAAuB,CAAC;QACnF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YAC7E,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,UAAU,CAAC,IAAI,CAAC,SAAS,SAAS,gCAAgC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,OAAO,CAAuB,CAAC;QACrE,IAAI,MAAM,EAAE,CAAC;YACX,2DAA2D;YAC3D,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,UAAU,CAAC;YAC3D,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBACvC,UAAU,CAAC,IAAI,CAAC,WAAW,QAAQ,8BAA8B,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACjG,CAAC;QACH,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAuB,CAAC;QAChE,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC5B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAC7C,UAAU,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,QAAQ,8BAA8B,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACvG,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,UAAU,CAAC,IAAI,CAAC,iBAAiB,GAAG,GAAG,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,KAAK,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,MAAM,GAAG,CAAE,KAAK,CAAC,MAAiB,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACjE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC,gBAAgB,MAAM,8BAA8B,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnG,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,IAAI,KAAK,CAAC,UAAU,CAAuB,CAAC;QACpE,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;YACxE,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,UAAU,CAAC,IAAI,CAAC,eAAe,IAAI,gCAAgC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChG,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E,SAAS,WAAW,CAAC,MAAc,EAAE,MAAqB;IACxD,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,IAAI,MAAM,CAAC,cAAc,IAAI,IAAI,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,CAAC,SAAS,CAAC;QAC9C,IAAI,OAAO,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC,4BAA4B,OAAO,QAAQ,MAAM,CAAC,cAAc,IAAI,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,iBAAiB,IAAI,IAAI,IAAI,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;QACxF,UAAU,CAAC,IAAI,CAAC,gCAAgC,MAAM,CAAC,YAAY,OAAO,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC;IACxG,CAAC;IAED,IAAI,MAAM,CAAC,gBAAgB,IAAI,IAAI,IAAI,MAAM,CAAC,gBAAgB,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC1F,UAAU,CAAC,IAAI,CAAC,gCAAgC,MAAM,CAAC,gBAAgB,OAAO,MAAM,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC3G,CAAC;IAED,IAAI,MAAM,CAAC,WAAW,IAAI,IAAI,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;QACvE,UAAU,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,OAAO,OAAO,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,IAAI,IAAI,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACzE,UAAU,CAAC,IAAI,CAAC,0BAA0B,MAAM,CAAC,OAAO,QAAQ,MAAM,CAAC,YAAY,EAAE,CAAC,CAAC;IACzF,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,cAAc;AACd,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,OAAsB,EAAE,MAAc;IACtD,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QAChC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAE/C,uCAAuC;QACvC,IAAI,IAAI,CAAC,SAAS,KAAK,eAAe,EAAE,CAAC;YACvC,qEAAqE;YACrE,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YACxD,IAAI,UAAU,EAAE,CAAC;gBACf,MAAM,eAAe,GAAG,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;gBACxD,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,CAAC;YACpC,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,8EAA8E;AAC9E,2CAA2C;AAC3C,8EAA8E;AAE9E,MAAM,UAAU,eAAe,CAAC,OAAsB,EAAE,MAAc;IACpE,sDAAsD;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjE,IAAI,IAAI,EAAE,UAAU;QAAE,OAAO,IAAI,CAAC,UAAU,CAAC;IAE7C,4BAA4B;IAC5B,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,aAAa;QAAE,OAAO,MAAM,CAAC;IACpE,IAAI,IAAI,KAAK,YAAY,IAAI,IAAI,KAAK,WAAW;QAAE,OAAO,QAAQ,CAAC;IACnE,IAAI,IAAI,KAAK,cAAc;QAAE,OAAO,QAAQ,CAAC;IAC7C,IAAI,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,UAAU;QAAE,OAAO,KAAK,CAAC;IAE9D,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/policy/loader.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Policy Loader — reads a YAML policy file and validates it against the Zod schema.
+ */
+import type { Policy } from '../types.js';
+export declare class PolicyValidationError extends Error {
+    readonly issues: Array<{
+        path: string;
+        message: string;
+    }>;
+    constructor(message: string, issues: Array<{
+        path: string;
+        message: string;
+    }>);
+}
+/**
+ * Load and validate a policy from a YAML file path.
+ */
+export declare function loadPolicyFromFile(filePath: string): Policy;
+/**
+ * Parse and validate a policy from a YAML string.
+ */
+export declare function parsePolicyYaml(yamlString: string): Policy;
+/**
+ * Validate a policy object (already parsed).
+ */
+export declare function validatePolicy(policy: unknown): Policy;
+//# sourceMappingURL=loader.d.ts.map

package/dist/policy/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAMH,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAE1C,qBAAa,qBAAsB,SAAQ,KAAK;aAG5B,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;gBADhE,OAAO,EAAE,MAAM,EACC,MAAM,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC;CAKnE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAQ3D;AAED;;GAEG;AACH,wBAAgB,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CA8B1D;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,CAatD"}

package/dist/policy/loader.js

@@ -0,0 +1,69 @@
+/**
+ * Policy Loader — reads a YAML policy file and validates it against the Zod schema.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import yaml from 'js-yaml';
+import { PolicySchema } from './schema.js';
+export class PolicyValidationError extends Error {
+    issues;
+    constructor(message, issues) {
+        super(message);
+        this.issues = issues;
+        this.name = 'PolicyValidationError';
+    }
+}
+/**
+ * Load and validate a policy from a YAML file path.
+ */
+export function loadPolicyFromFile(filePath) {
+    const absPath = path.resolve(filePath);
+    if (!fs.existsSync(absPath)) {
+        throw new Error(`Policy file not found: ${absPath}`);
+    }
+    const raw = fs.readFileSync(absPath, 'utf-8');
+    return parsePolicyYaml(raw);
+}
+/**
+ * Parse and validate a policy from a YAML string.
+ */
+export function parsePolicyYaml(yamlString) {
+    let parsed;
+    try {
+        parsed = yaml.load(yamlString);
+    }
+    catch (err) {
+        throw new PolicyValidationError('Invalid YAML syntax', [
+            { path: '', message: err.message },
+        ]);
+    }
+    if (parsed === null || parsed === undefined || typeof parsed !== 'object') {
+        throw new PolicyValidationError('Policy must be a YAML object', [
+            { path: '', message: 'Expected an object, got ' + typeof parsed },
+        ]);
+    }
+    const result = PolicySchema.safeParse(parsed);
+    if (!result.success) {
+        const issues = result.error.issues.map((issue) => ({
+            path: issue.path.join('.'),
+            message: issue.message,
+        }));
+        throw new PolicyValidationError(`Policy validation failed with ${issues.length} issue(s)`, issues);
+    }
+    return result.data;
+}
+/**
+ * Validate a policy object (already parsed).
+ */
+export function validatePolicy(policy) {
+    const result = PolicySchema.safeParse(policy);
+    if (!result.success) {
+        const issues = result.error.issues.map((issue) => ({
+            path: issue.path.join('.'),
+            message: issue.message,
+        }));
+        throw new PolicyValidationError(`Policy validation failed with ${issues.length} issue(s)`, issues);
+    }
+    return result.data;
+}
+//# sourceMappingURL=loader.js.map

package/dist/policy/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/policy/loader.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAG3C,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAG5B;IAFlB,YACE,OAAe,EACC,MAAgD;QAEhE,KAAK,CAAC,OAAO,CAAC,CAAC;QAFC,WAAM,GAAN,MAAM,CAA0C;QAGhE,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,0BAA0B,OAAO,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAC9C,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB;IAChD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAAC,qBAAqB,EAAE;YACrD,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAG,GAAa,CAAC,OAAO,EAAE;SAC9C,CAAC,CAAC;IACL,CAAC;IAED,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC1E,MAAM,IAAI,qBAAqB,CAAC,8BAA8B,EAAE;YAC9D,EAAE,IAAI,EAAE,EAAE,EAAE,OAAO,EAAE,0BAA0B,GAAG,OAAO,MAAM,EAAE;SAClE,CAAC,CAAC;IACL,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAE9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,qBAAqB,CAC7B,iCAAiC,MAAM,CAAC,MAAM,WAAW,EACzD,MAAM,CACP,CAAC;IACJ,CAAC;IAED,OAAO,MAAM,CAAC,IAAc,CAAC;AAC/B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,MAAe;IAC5C,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAC9C,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YACjD,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;YAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,qBAAqB,CAC7B,iCAAiC,MAAM,CAAC,MAAM,WAAW,EACzD,MAAM,CACP,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC,IAAc,CAAC;AAC/B,CAAC"}