@dollhousemcp/mcp-server 1.3.0

package/dist/update/RateLimiter.js

@@ -0,0 +1,172 @@
+/**
+ * RateLimiter - Implements rate limiting for API calls to prevent abuse
+ *
+ * Features:
+ * - Token bucket algorithm for flexible rate limiting
+ * - Configurable limits per time window
+ * - Memory-efficient implementation
+ * - Thread-safe for concurrent requests
+ */
+export class RateLimiter {
+    tokens;
+    lastRefill;
+    lastRequest;
+    maxTokens;
+    refillRate;
+    minDelay;
+    constructor(config) {
+        if (config.maxRequests <= 0) {
+            throw new Error('maxRequests must be positive');
+        }
+        if (config.windowMs <= 0) {
+            throw new Error('windowMs must be positive');
+        }
+        this.maxTokens = config.maxRequests;
+        this.tokens = this.maxTokens;
+        this.refillRate = this.maxTokens / config.windowMs;
+        // Validate refill rate to prevent division by zero
+        if (this.refillRate <= 0 || !isFinite(this.refillRate)) {
+            throw new Error('Invalid configuration: refill rate must be positive and finite');
+        }
+        this.lastRefill = Date.now();
+        this.lastRequest = 0;
+        this.minDelay = config.minDelayMs || 0;
+    }
+    /**
+     * Check if a request is allowed under the rate limit
+     * @returns Status object indicating if request is allowed
+     */
+    checkLimit() {
+        const now = Date.now();
+        // Refill tokens based on time elapsed
+        this.refillTokens(now);
+        // Check minimum delay between requests
+        if (this.minDelay > 0 && this.lastRequest > 0) {
+            const timeSinceLastRequest = now - this.lastRequest;
+            if (timeSinceLastRequest < this.minDelay) {
+                const retryAfterMs = this.minDelay - timeSinceLastRequest;
+                return {
+                    allowed: false,
+                    retryAfterMs,
+                    remainingTokens: Math.floor(this.tokens),
+                    resetTime: new Date(now + retryAfterMs)
+                };
+            }
+        }
+        // Check if we have tokens available
+        if (this.tokens < 1) {
+            // Calculate when the next token will be available
+            const tokensNeeded = 1 - this.tokens;
+            const msUntilNextToken = tokensNeeded / this.refillRate;
+            return {
+                allowed: false,
+                retryAfterMs: Math.ceil(msUntilNextToken),
+                remainingTokens: 0,
+                resetTime: new Date(now + msUntilNextToken)
+            };
+        }
+        // Request is allowed
+        return {
+            allowed: true,
+            remainingTokens: Math.floor(this.tokens),
+            resetTime: this.getResetTime()
+        };
+    }
+    /**
+     * Consume a token for an allowed request
+     * Should be called after checkLimit() returns allowed: true
+     */
+    consumeToken() {
+        const now = Date.now();
+        this.refillTokens(now);
+        if (this.tokens >= 1) {
+            this.tokens -= 1;
+            this.lastRequest = now;
+        }
+    }
+    /**
+     * Get current rate limit status without consuming a token
+     */
+    getStatus() {
+        const now = Date.now();
+        this.refillTokens(now);
+        return {
+            allowed: this.tokens >= 1,
+            remainingTokens: Math.floor(this.tokens),
+            resetTime: this.getResetTime()
+        };
+    }
+    /**
+     * Reset the rate limiter to full capacity
+     * Useful for testing or manual intervention
+     */
+    reset() {
+        this.tokens = this.maxTokens;
+        this.lastRefill = Date.now();
+        this.lastRequest = 0;
+    }
+    /**
+     * Refill tokens based on time elapsed
+     */
+    refillTokens(now) {
+        const timeSinceLastRefill = now - this.lastRefill;
+        const tokensToAdd = timeSinceLastRefill * this.refillRate;
+        this.tokens = Math.min(this.maxTokens, this.tokens + tokensToAdd);
+        this.lastRefill = now;
+    }
+    /**
+     * Calculate when the rate limit window will reset
+     */
+    getResetTime() {
+        const now = Date.now();
+        const tokensToFull = this.maxTokens - this.tokens;
+        const msUntilFull = tokensToFull / this.refillRate;
+        return new Date(now + msUntilFull);
+    }
+    /**
+     * Get human-readable rate limit information
+     */
+    toString() {
+        const status = this.getStatus();
+        return `RateLimit: ${status.remainingTokens}/${this.maxTokens} tokens, ` +
+            `resets at ${status.resetTime.toISOString()}`;
+    }
+}
+/**
+ * Factory function to create common rate limiters
+ */
+export class RateLimiterFactory {
+    /**
+     * GitHub API rate limiter (60 requests per hour for unauthenticated)
+     */
+    static createGitHubLimiter() {
+        return new RateLimiter({
+            maxRequests: 60,
+            windowMs: 60 * 60 * 1000, // 1 hour
+            minDelayMs: 1000 // 1 second minimum between requests
+        });
+    }
+    /**
+     * Conservative rate limiter for update checks
+     * Allows 10 checks per hour with 30 second minimum delay
+     */
+    static createUpdateCheckLimiter() {
+        return new RateLimiter({
+            maxRequests: 10,
+            windowMs: 60 * 60 * 1000, // 1 hour
+            minDelayMs: 30 * 1000 // 30 seconds between checks
+        });
+    }
+    /**
+     * Strict rate limiter for sensitive operations
+     * Allows 5 requests per hour with 1 minute minimum delay
+     */
+    static createStrictLimiter() {
+        return new RateLimiter({
+            maxRequests: 5,
+            windowMs: 60 * 60 * 1000, // 1 hour
+            minDelayMs: 60 * 1000 // 1 minute between requests
+        });
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiUmF0ZUxpbWl0ZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdXBkYXRlL1JhdGVMaW1pdGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7OztHQVFHO0FBZUgsTUFBTSxPQUFPLFdBQVc7SUFDZCxNQUFNLENBQVM7SUFDZixVQUFVLENBQVM7SUFDbkIsV0FBVyxDQUFTO0lBQ1gsU0FBUyxDQUFTO0lBQ2xCLFVBQVUsQ0FBUztJQUNuQixRQUFRLENBQVM7SUFFbEMsWUFBWSxNQUF5QjtRQUNuQyxJQUFJLE1BQU0sQ0FBQyxXQUFXLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDNUIsTUFBTSxJQUFJLEtBQUssQ0FBQyw4QkFBOEIsQ0FBQyxDQUFDO1FBQ2xELENBQUM7UUFDRCxJQUFJLE1BQU0sQ0FBQyxRQUFRLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDekIsTUFBTSxJQUFJLEtBQUssQ0FBQywyQkFBMkIsQ0FBQyxDQUFDO1FBQy9DLENBQUM7UUFFRCxJQUFJLENBQUMsU0FBUyxHQUFHLE1BQU0sQ0FBQyxXQUFXLENBQUM7UUFDcEMsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDO1FBQzdCLElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLFNBQVMsR0FBRyxNQUFNLENBQUMsUUFBUSxDQUFDO1FBRW5ELG1EQUFtRDtRQUNuRCxJQUFJLElBQUksQ0FBQyxVQUFVLElBQUksQ0FBQyxJQUFJLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUFDO1lBQ3ZELE1BQU0sSUFBSSxLQUFLLENBQUMsZ0VBQWdFLENBQUMsQ0FBQztRQUNwRixDQUFDO1FBRUQsSUFBSSxDQUFDLFVBQVUsR0FBRyxJQUFJLENBQUMsR0FBRyxFQUFFLENBQUM7UUFDN0IsSUFBSSxDQUFDLFdBQVcsR0FBRyxDQUFDLENBQUM7UUFDckIsSUFBSSxDQUFDLFFBQVEsR0FBRyxNQUFNLENBQUMsVUFBVSxJQUFJLENBQUMsQ0FBQztJQUN6QyxDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsVUFBVTtRQUNSLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUV2QixzQ0FBc0M7UUFDdEMsSUFBSSxDQUFDLFlBQVksQ0FBQyxHQUFHLENBQUMsQ0FBQztRQUV2Qix1Q0FBdUM7UUFDdkMsSUFBSSxJQUFJLENBQUMsUUFBUSxHQUFHLENBQUMsSUFBSSxJQUFJLENBQUMsV0FBVyxHQUFHLENBQUMsRUFBRSxDQUFDO1lBQzlDLE1BQU0sb0JBQW9CLEdBQUcsR0FBRyxHQUFHLElBQUksQ0FBQyxXQUFXLENBQUM7WUFDcEQsSUFBSSxvQkFBb0IsR0FBRyxJQUFJLENBQUMsUUFBUSxFQUFFLENBQUM7Z0JBQ3pDLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxRQUFRLEdBQUcsb0JBQW9CLENBQUM7Z0JBQzFELE9BQU87b0JBQ0wsT0FBTyxFQUFFLEtBQUs7b0JBQ2QsWUFBWTtvQkFDWixlQUFlLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDO29CQUN4QyxTQUFTLEVBQUUsSUFBSSxJQUFJLENBQUMsR0FBRyxHQUFHLFlBQVksQ0FBQztpQkFDeEMsQ0FBQztZQUNKLENBQUM7UUFDSCxDQUFDO1FBRUQsb0NBQW9DO1FBQ3BDLElBQUksSUFBSSxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztZQUNwQixrREFBa0Q7WUFDbEQsTUFBTSxZQUFZLEdBQUcsQ0FBQyxHQUFHLElBQUksQ0FBQyxNQUFNLENBQUM7WUFDckMsTUFBTSxnQkFBZ0IsR0FBRyxZQUFZLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQztZQUV4RCxPQUFPO2dCQUNMLE9BQU8sRUFBRSxLQUFLO2dCQUNkLFlBQVksRUFBRSxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDO2dCQUN6QyxlQUFlLEVBQUUsQ0FBQztnQkFDbEIsU0FBUyxFQUFFLElBQUksSUFBSSxDQUFDLEdBQUcsR0FBRyxnQkFBZ0IsQ0FBQzthQUM1QyxDQUFDO1FBQ0osQ0FBQztRQUVELHFCQUFxQjtRQUNyQixPQUFPO1lBQ0wsT0FBTyxFQUFFLElBQUk7WUFDYixlQUFlLEVBQUUsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsTUFBTSxDQUFDO1lBQ3hDLFNBQVMsRUFBRSxJQUFJLENBQUMsWUFBWSxFQUFFO1NBQy9CLENBQUM7SUFDSixDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsWUFBWTtRQUNWLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixJQUFJLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRXZCLElBQUksSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUNyQixJQUFJLENBQUMsTUFBTSxJQUFJLENBQUMsQ0FBQztZQUNqQixJQUFJLENBQUMsV0FBVyxHQUFHLEdBQUcsQ0FBQztRQUN6QixDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0gsU0FBUztRQUNQLE1BQU0sR0FBRyxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztRQUN2QixJQUFJLENBQUMsWUFBWSxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBRXZCLE9BQU87WUFDTCxPQUFPLEVBQUUsSUFBSSxDQUFDLE1BQU0sSUFBSSxDQUFDO1lBQ3pCLGVBQWUsRUFBRSxJQUFJLENBQUMsS0FBSyxDQUFDLElBQUksQ0FBQyxNQUFNLENBQUM7WUFDeEMsU0FBUyxFQUFFLElBQUksQ0FBQyxZQUFZLEVBQUU7U0FDL0IsQ0FBQztJQUNKLENBQUM7SUFFRDs7O09BR0c7SUFDSCxLQUFLO1FBQ0gsSUFBSSxDQUFDLE1BQU0sR0FBRyxJQUFJLENBQUMsU0FBUyxDQUFDO1FBQzdCLElBQUksQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQzdCLElBQUksQ0FBQyxXQUFXLEdBQUcsQ0FBQyxDQUFDO0lBQ3ZCLENBQUM7SUFFRDs7T0FFRztJQUNLLFlBQVksQ0FBQyxHQUFXO1FBQzlCLE1BQU0sbUJBQW1CLEdBQUcsR0FBRyxHQUFHLElBQUksQ0FBQyxVQUFVLENBQUM7UUFDbEQsTUFBTSxXQUFXLEdBQUcsbUJBQW1CLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQztRQUUxRCxJQUFJLENBQUMsTUFBTSxHQUFHLElBQUksQ0FBQyxHQUFHLENBQUMsSUFBSSxDQUFDLFNBQVMsRUFBRSxJQUFJLENBQUMsTUFBTSxHQUFHLFdBQVcsQ0FBQyxDQUFDO1FBQ2xFLElBQUksQ0FBQyxVQUFVLEdBQUcsR0FBRyxDQUFDO0lBQ3hCLENBQUM7SUFFRDs7T0FFRztJQUNLLFlBQVk7UUFDbEIsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLEdBQUcsRUFBRSxDQUFDO1FBQ3ZCLE1BQU0sWUFBWSxHQUFHLElBQUksQ0FBQyxTQUFTLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQztRQUNsRCxNQUFNLFdBQVcsR0FBRyxZQUFZLEdBQUcsSUFBSSxDQUFDLFVBQVUsQ0FBQztRQUNuRCxPQUFPLElBQUksSUFBSSxDQUFDLEdBQUcsR0FBRyxXQUFXLENBQUMsQ0FBQztJQUNyQyxDQUFDO0lBRUQ7O09BRUc7SUFDSCxRQUFRO1FBQ04sTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLFNBQVMsRUFBRSxDQUFDO1FBQ2hDLE9BQU8sY0FBYyxNQUFNLENBQUMsZUFBZSxJQUFJLElBQUksQ0FBQyxTQUFTLFdBQVc7WUFDakUsYUFBYSxNQUFNLENBQUMsU0FBUyxDQUFDLFdBQVcsRUFBRSxFQUFFLENBQUM7SUFDdkQsQ0FBQztDQUNGO0FBRUQ7O0dBRUc7QUFDSCxNQUFNLE9BQU8sa0JBQWtCO0lBQzdCOztPQUVHO0lBQ0gsTUFBTSxDQUFDLG1CQUFtQjtRQUN4QixPQUFPLElBQUksV0FBVyxDQUFDO1lBQ3JCLFdBQVcsRUFBRSxFQUFFO1lBQ2YsUUFBUSxFQUFFLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxFQUFFLFNBQVM7WUFDbkMsVUFBVSxFQUFFLElBQUksQ0FBQyxvQ0FBb0M7U0FDdEQsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7T0FHRztJQUNILE1BQU0sQ0FBQyx3QkFBd0I7UUFDN0IsT0FBTyxJQUFJLFdBQVcsQ0FBQztZQUNyQixXQUFXLEVBQUUsRUFBRTtZQUNmLFFBQVEsRUFBRSxFQUFFLEdBQUcsRUFBRSxHQUFHLElBQUksRUFBRSxTQUFTO1lBQ25DLFVBQVUsRUFBRSxFQUFFLEdBQUcsSUFBSSxDQUFDLDRCQUE0QjtTQUNuRCxDQUFDLENBQUM7SUFDTCxDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsTUFBTSxDQUFDLG1CQUFtQjtRQUN4QixPQUFPLElBQUksV0FBVyxDQUFDO1lBQ3JCLFdBQVcsRUFBRSxDQUFDO1lBQ2QsUUFBUSxFQUFFLEVBQUUsR0FBRyxFQUFFLEdBQUcsSUFBSSxFQUFFLFNBQVM7WUFDbkMsVUFBVSxFQUFFLEVBQUUsR0FBRyxJQUFJLENBQUMsNEJBQTRCO1NBQ25ELENBQUMsQ0FBQztJQUNMLENBQUM7Q0FDRiIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogUmF0ZUxpbWl0ZXIgLSBJbXBsZW1lbnRzIHJhdGUgbGltaXRpbmcgZm9yIEFQSSBjYWxscyB0byBwcmV2ZW50IGFidXNlXG4gKiBcbiAqIEZlYXR1cmVzOlxuICogLSBUb2tlbiBidWNrZXQgYWxnb3JpdGhtIGZvciBmbGV4aWJsZSByYXRlIGxpbWl0aW5nXG4gKiAtIENvbmZpZ3VyYWJsZSBsaW1pdHMgcGVyIHRpbWUgd2luZG93XG4gKiAtIE1lbW9yeS1lZmZpY2llbnQgaW1wbGVtZW50YXRpb25cbiAqIC0gVGhyZWFkLXNhZmUgZm9yIGNvbmN1cnJlbnQgcmVxdWVzdHNcbiAqL1xuXG5leHBvcnQgaW50ZXJmYWNlIFJhdGVMaW1pdGVyQ29uZmlnIHtcbiAgbWF4UmVxdWVzdHM6IG51bWJlcjsgICAgICAvLyBNYXhpbXVtIHJlcXVlc3RzIGFsbG93ZWRcbiAgd2luZG93TXM6IG51bWJlcjsgICAgICAgICAvLyBUaW1lIHdpbmRvdyBpbiBtaWxsaXNlY29uZHNcbiAgbWluRGVsYXlNcz86IG51bWJlcjsgICAgICAvLyBNaW5pbXVtIGRlbGF5IGJldHdlZW4gcmVxdWVzdHMgKG9wdGlvbmFsKVxufVxuXG5leHBvcnQgaW50ZXJmYWNlIFJhdGVMaW1pdFN0YXR1cyB7XG4gIGFsbG93ZWQ6IGJvb2xlYW47XG4gIHJldHJ5QWZ0ZXJNcz86IG51bWJlcjtcbiAgcmVtYWluaW5nVG9rZW5zOiBudW1iZXI7XG4gIHJlc2V0VGltZTogRGF0ZTtcbn1cblxuZXhwb3J0IGNsYXNzIFJhdGVMaW1pdGVyIHtcbiAgcHJpdmF0ZSB0b2tlbnM6IG51bWJlcjtcbiAgcHJpdmF0ZSBsYXN0UmVmaWxsOiBudW1iZXI7XG4gIHByaXZhdGUgbGFzdFJlcXVlc3Q6IG51bWJlcjtcbiAgcHJpdmF0ZSByZWFkb25seSBtYXhUb2tlbnM6IG51bWJlcjtcbiAgcHJpdmF0ZSByZWFkb25seSByZWZpbGxSYXRlOiBudW1iZXI7XG4gIHByaXZhdGUgcmVhZG9ubHkgbWluRGVsYXk6IG51bWJlcjtcblxuICBjb25zdHJ1Y3Rvcihjb25maWc6IFJhdGVMaW1pdGVyQ29uZmlnKSB7XG4gICAgaWYgKGNvbmZpZy5tYXhSZXF1ZXN0cyA8PSAwKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ21heFJlcXVlc3RzIG11c3QgYmUgcG9zaXRpdmUnKTtcbiAgICB9XG4gICAgaWYgKGNvbmZpZy53aW5kb3dNcyA8PSAwKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ3dpbmRvd01zIG11c3QgYmUgcG9zaXRpdmUnKTtcbiAgICB9XG5cbiAgICB0aGlzLm1heFRva2VucyA9IGNvbmZpZy5tYXhSZXF1ZXN0cztcbiAgICB0aGlzLnRva2VucyA9IHRoaXMubWF4VG9rZW5zO1xuICAgIHRoaXMucmVmaWxsUmF0ZSA9IHRoaXMubWF4VG9rZW5zIC8gY29uZmlnLndpbmRvd01zO1xuICAgIFxuICAgIC8vIFZhbGlkYXRlIHJlZmlsbCByYXRlIHRvIHByZXZlbnQgZGl2aXNpb24gYnkgemVyb1xuICAgIGlmICh0aGlzLnJlZmlsbFJhdGUgPD0gMCB8fCAhaXNGaW5pdGUodGhpcy5yZWZpbGxSYXRlKSkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdJbnZhbGlkIGNvbmZpZ3VyYXRpb246IHJlZmlsbCByYXRlIG11c3QgYmUgcG9zaXRpdmUgYW5kIGZpbml0ZScpO1xuICAgIH1cbiAgICBcbiAgICB0aGlzLmxhc3RSZWZpbGwgPSBEYXRlLm5vdygpO1xuICAgIHRoaXMubGFzdFJlcXVlc3QgPSAwO1xuICAgIHRoaXMubWluRGVsYXkgPSBjb25maWcubWluRGVsYXlNcyB8fCAwO1xuICB9XG5cbiAgLyoqXG4gICAqIENoZWNrIGlmIGEgcmVxdWVzdCBpcyBhbGxvd2VkIHVuZGVyIHRoZSByYXRlIGxpbWl0XG4gICAqIEByZXR1cm5zIFN0YXR1cyBvYmplY3QgaW5kaWNhdGluZyBpZiByZXF1ZXN0IGlzIGFsbG93ZWRcbiAgICovXG4gIGNoZWNrTGltaXQoKTogUmF0ZUxpbWl0U3RhdHVzIHtcbiAgICBjb25zdCBub3cgPSBEYXRlLm5vdygpO1xuICAgIFxuICAgIC8vIFJlZmlsbCB0b2tlbnMgYmFzZWQgb24gdGltZSBlbGFwc2VkXG4gICAgdGhpcy5yZWZpbGxUb2tlbnMobm93KTtcblxuICAgIC8vIENoZWNrIG1pbmltdW0gZGVsYXkgYmV0d2VlbiByZXF1ZXN0c1xuICAgIGlmICh0aGlzLm1pbkRlbGF5ID4gMCAmJiB0aGlzLmxhc3RSZXF1ZXN0ID4gMCkge1xuICAgICAgY29uc3QgdGltZVNpbmNlTGFzdFJlcXVlc3QgPSBub3cgLSB0aGlzLmxhc3RSZXF1ZXN0O1xuICAgICAgaWYgKHRpbWVTaW5jZUxhc3RSZXF1ZXN0IDwgdGhpcy5taW5EZWxheSkge1xuICAgICAgICBjb25zdCByZXRyeUFmdGVyTXMgPSB0aGlzLm1pbkRlbGF5IC0gdGltZVNpbmNlTGFzdFJlcXVlc3Q7XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgYWxsb3dlZDogZmFsc2UsXG4gICAgICAgICAgcmV0cnlBZnRlck1zLFxuICAgICAgICAgIHJlbWFpbmluZ1Rva2VuczogTWF0aC5mbG9vcih0aGlzLnRva2VucyksXG4gICAgICAgICAgcmVzZXRUaW1lOiBuZXcgRGF0ZShub3cgKyByZXRyeUFmdGVyTXMpXG4gICAgICAgIH07XG4gICAgICB9XG4gICAgfVxuXG4gICAgLy8gQ2hlY2sgaWYgd2UgaGF2ZSB0b2tlbnMgYXZhaWxhYmxlXG4gICAgaWYgKHRoaXMudG9rZW5zIDwgMSkge1xuICAgICAgLy8gQ2FsY3VsYXRlIHdoZW4gdGhlIG5leHQgdG9rZW4gd2lsbCBiZSBhdmFpbGFibGVcbiAgICAgIGNvbnN0IHRva2Vuc05lZWRlZCA9IDEgLSB0aGlzLnRva2VucztcbiAgICAgIGNvbnN0IG1zVW50aWxOZXh0VG9rZW4gPSB0b2tlbnNOZWVkZWQgLyB0aGlzLnJlZmlsbFJhdGU7XG4gICAgICBcbiAgICAgIHJldHVybiB7XG4gICAgICAgIGFsbG93ZWQ6IGZhbHNlLFxuICAgICAgICByZXRyeUFmdGVyTXM6IE1hdGguY2VpbChtc1VudGlsTmV4dFRva2VuKSxcbiAgICAgICAgcmVtYWluaW5nVG9rZW5zOiAwLFxuICAgICAgICByZXNldFRpbWU6IG5ldyBEYXRlKG5vdyArIG1zVW50aWxOZXh0VG9rZW4pXG4gICAgICB9O1xuICAgIH1cblxuICAgIC8vIFJlcXVlc3QgaXMgYWxsb3dlZFxuICAgIHJldHVybiB7XG4gICAgICBhbGxvd2VkOiB0cnVlLFxuICAgICAgcmVtYWluaW5nVG9rZW5zOiBNYXRoLmZsb29yKHRoaXMudG9rZW5zKSxcbiAgICAgIHJlc2V0VGltZTogdGhpcy5nZXRSZXNldFRpbWUoKVxuICAgIH07XG4gIH1cblxuICAvKipcbiAgICogQ29uc3VtZSBhIHRva2VuIGZvciBhbiBhbGxvd2VkIHJlcXVlc3RcbiAgICogU2hvdWxkIGJlIGNhbGxlZCBhZnRlciBjaGVja0xpbWl0KCkgcmV0dXJucyBhbGxvd2VkOiB0cnVlXG4gICAqL1xuICBjb25zdW1lVG9rZW4oKTogdm9pZCB7XG4gICAgY29uc3Qgbm93ID0gRGF0ZS5ub3coKTtcbiAgICB0aGlzLnJlZmlsbFRva2Vucyhub3cpO1xuICAgIFxuICAgIGlmICh0aGlzLnRva2VucyA+PSAxKSB7XG4gICAgICB0aGlzLnRva2VucyAtPSAxO1xuICAgICAgdGhpcy5sYXN0UmVxdWVzdCA9IG5vdztcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogR2V0IGN1cnJlbnQgcmF0ZSBsaW1pdCBzdGF0dXMgd2l0aG91dCBjb25zdW1pbmcgYSB0b2tlblxuICAgKi9cbiAgZ2V0U3RhdHVzKCk6IFJhdGVMaW1pdFN0YXR1cyB7XG4gICAgY29uc3Qgbm93ID0gRGF0ZS5ub3coKTtcbiAgICB0aGlzLnJlZmlsbFRva2Vucyhub3cpO1xuXG4gICAgcmV0dXJuIHtcbiAgICAgIGFsbG93ZWQ6IHRoaXMudG9rZW5zID49IDEsXG4gICAgICByZW1haW5pbmdUb2tlbnM6IE1hdGguZmxvb3IodGhpcy50b2tlbnMpLFxuICAgICAgcmVzZXRUaW1lOiB0aGlzLmdldFJlc2V0VGltZSgpXG4gICAgfTtcbiAgfVxuXG4gIC8qKlxuICAgKiBSZXNldCB0aGUgcmF0ZSBsaW1pdGVyIHRvIGZ1bGwgY2FwYWNpdHlcbiAgICogVXNlZnVsIGZvciB0ZXN0aW5nIG9yIG1hbnVhbCBpbnRlcnZlbnRpb25cbiAgICovXG4gIHJlc2V0KCk6IHZvaWQge1xuICAgIHRoaXMudG9rZW5zID0gdGhpcy5tYXhUb2tlbnM7XG4gICAgdGhpcy5sYXN0UmVmaWxsID0gRGF0ZS5ub3coKTtcbiAgICB0aGlzLmxhc3RSZXF1ZXN0ID0gMDtcbiAgfVxuXG4gIC8qKlxuICAgKiBSZWZpbGwgdG9rZW5zIGJhc2VkIG9uIHRpbWUgZWxhcHNlZFxuICAgKi9cbiAgcHJpdmF0ZSByZWZpbGxUb2tlbnMobm93OiBudW1iZXIpOiB2b2lkIHtcbiAgICBjb25zdCB0aW1lU2luY2VMYXN0UmVmaWxsID0gbm93IC0gdGhpcy5sYXN0UmVmaWxsO1xuICAgIGNvbnN0IHRva2Vuc1RvQWRkID0gdGltZVNpbmNlTGFzdFJlZmlsbCAqIHRoaXMucmVmaWxsUmF0ZTtcbiAgICBcbiAgICB0aGlzLnRva2VucyA9IE1hdGgubWluKHRoaXMubWF4VG9rZW5zLCB0aGlzLnRva2VucyArIHRva2Vuc1RvQWRkKTtcbiAgICB0aGlzLmxhc3RSZWZpbGwgPSBub3c7XG4gIH1cblxuICAvKipcbiAgICogQ2FsY3VsYXRlIHdoZW4gdGhlIHJhdGUgbGltaXQgd2luZG93IHdpbGwgcmVzZXRcbiAgICovXG4gIHByaXZhdGUgZ2V0UmVzZXRUaW1lKCk6IERhdGUge1xuICAgIGNvbnN0IG5vdyA9IERhdGUubm93KCk7XG4gICAgY29uc3QgdG9rZW5zVG9GdWxsID0gdGhpcy5tYXhUb2tlbnMgLSB0aGlzLnRva2VucztcbiAgICBjb25zdCBtc1VudGlsRnVsbCA9IHRva2Vuc1RvRnVsbCAvIHRoaXMucmVmaWxsUmF0ZTtcbiAgICByZXR1cm4gbmV3IERhdGUobm93ICsgbXNVbnRpbEZ1bGwpO1xuICB9XG5cbiAgLyoqXG4gICAqIEdldCBodW1hbi1yZWFkYWJsZSByYXRlIGxpbWl0IGluZm9ybWF0aW9uXG4gICAqL1xuICB0b1N0cmluZygpOiBzdHJpbmcge1xuICAgIGNvbnN0IHN0YXR1cyA9IHRoaXMuZ2V0U3RhdHVzKCk7XG4gICAgcmV0dXJuIGBSYXRlTGltaXQ6ICR7c3RhdHVzLnJlbWFpbmluZ1Rva2Vuc30vJHt0aGlzLm1heFRva2Vuc30gdG9rZW5zLCBgICtcbiAgICAgICAgICAgYHJlc2V0cyBhdCAke3N0YXR1cy5yZXNldFRpbWUudG9JU09TdHJpbmcoKX1gO1xuICB9XG59XG5cbi8qKlxuICogRmFjdG9yeSBmdW5jdGlvbiB0byBjcmVhdGUgY29tbW9uIHJhdGUgbGltaXRlcnNcbiAqL1xuZXhwb3J0IGNsYXNzIFJhdGVMaW1pdGVyRmFjdG9yeSB7XG4gIC8qKlxuICAgKiBHaXRIdWIgQVBJIHJhdGUgbGltaXRlciAoNjAgcmVxdWVzdHMgcGVyIGhvdXIgZm9yIHVuYXV0aGVudGljYXRlZClcbiAgICovXG4gIHN0YXRpYyBjcmVhdGVHaXRIdWJMaW1pdGVyKCk6IFJhdGVMaW1pdGVyIHtcbiAgICByZXR1cm4gbmV3IFJhdGVMaW1pdGVyKHtcbiAgICAgIG1heFJlcXVlc3RzOiA2MCxcbiAgICAgIHdpbmRvd01zOiA2MCAqIDYwICogMTAwMCwgLy8gMSBob3VyXG4gICAgICBtaW5EZWxheU1zOiAxMDAwIC8vIDEgc2Vjb25kIG1pbmltdW0gYmV0d2VlbiByZXF1ZXN0c1xuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIENvbnNlcnZhdGl2ZSByYXRlIGxpbWl0ZXIgZm9yIHVwZGF0ZSBjaGVja3NcbiAgICogQWxsb3dzIDEwIGNoZWNrcyBwZXIgaG91ciB3aXRoIDMwIHNlY29uZCBtaW5pbXVtIGRlbGF5XG4gICAqL1xuICBzdGF0aWMgY3JlYXRlVXBkYXRlQ2hlY2tMaW1pdGVyKCk6IFJhdGVMaW1pdGVyIHtcbiAgICByZXR1cm4gbmV3IFJhdGVMaW1pdGVyKHtcbiAgICAgIG1heFJlcXVlc3RzOiAxMCxcbiAgICAgIHdpbmRvd01zOiA2MCAqIDYwICogMTAwMCwgLy8gMSBob3VyXG4gICAgICBtaW5EZWxheU1zOiAzMCAqIDEwMDAgLy8gMzAgc2Vjb25kcyBiZXR3ZWVuIGNoZWNrc1xuICAgIH0pO1xuICB9XG5cbiAgLyoqXG4gICAqIFN0cmljdCByYXRlIGxpbWl0ZXIgZm9yIHNlbnNpdGl2ZSBvcGVyYXRpb25zXG4gICAqIEFsbG93cyA1IHJlcXVlc3RzIHBlciBob3VyIHdpdGggMSBtaW51dGUgbWluaW11bSBkZWxheVxuICAgKi9cbiAgc3RhdGljIGNyZWF0ZVN0cmljdExpbWl0ZXIoKTogUmF0ZUxpbWl0ZXIge1xuICAgIHJldHVybiBuZXcgUmF0ZUxpbWl0ZXIoe1xuICAgICAgbWF4UmVxdWVzdHM6IDUsXG4gICAgICB3aW5kb3dNczogNjAgKiA2MCAqIDEwMDAsIC8vIDEgaG91clxuICAgICAgbWluRGVsYXlNczogNjAgKiAxMDAwIC8vIDEgbWludXRlIGJldHdlZW4gcmVxdWVzdHNcbiAgICB9KTtcbiAgfVxufSJdfQ==

package/dist/update/SignatureVerifier.d.ts

@@ -0,0 +1,71 @@
+/**
+ * SignatureVerifier - Verifies GitHub release signatures to ensure authenticity
+ *
+ * Security features:
+ * - Verifies GPG signatures on git tags
+ * - Validates release artifacts checksums
+ * - Ensures releases come from trusted sources
+ * - Prevents tampering and supply chain attacks
+ */
+export interface SignatureVerificationResult {
+    verified: boolean;
+    signerKey?: string;
+    signerEmail?: string;
+    signatureDate?: Date;
+    error?: string;
+}
+export interface ChecksumVerificationResult {
+    verified: boolean;
+    expectedChecksum?: string;
+    actualChecksum?: string;
+    error?: string;
+}
+export declare class SignatureVerifier {
+    private trustedKeys;
+    private allowUnsignedInDev;
+    constructor(options?: {
+        trustedKeys?: string[];
+        allowUnsignedInDev?: boolean;
+    });
+    /**
+     * Verify a git tag signature
+     * @param tagName The tag to verify (e.g., 'v1.2.0')
+     * @returns Verification result with signer information
+     */
+    verifyTagSignature(tagName: string): Promise<SignatureVerificationResult>;
+    /**
+     * Verify a file checksum against expected value
+     * @param filePath Path to the file to verify
+     * @param expectedChecksum Expected SHA256 checksum
+     * @returns Verification result
+     */
+    verifyChecksum(filePath: string, expectedChecksum: string): Promise<ChecksumVerificationResult>;
+    /**
+     * Verify release artifacts using a checksums file
+     * @param checksumsFile Path to checksums file (e.g., SHA256SUMS)
+     * @param artifactDir Directory containing artifacts to verify
+     * @returns Map of filename to verification result
+     */
+    verifyReleaseArtifacts(checksumsFile: string, artifactDir: string): Promise<Map<string, ChecksumVerificationResult>>;
+    /**
+     * Add a trusted key for signature verification
+     * @param keyId GPG key ID or fingerprint
+     */
+    addTrustedKey(keyId: string): void;
+    /**
+     * Remove a trusted key
+     * @param keyId GPG key ID or fingerprint
+     */
+    removeTrustedKey(keyId: string): void;
+    /**
+     * Get list of trusted keys
+     */
+    getTrustedKeys(): string[];
+    /**
+     * Import a GPG public key
+     * @param keyData The public key data to import
+     * @returns Success status
+     */
+    importPublicKey(keyData: string): Promise<boolean>;
+}
+//# sourceMappingURL=SignatureVerifier.d.ts.map

package/dist/update/SignatureVerifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"SignatureVerifier.d.ts","sourceRoot":"","sources":["../../src/update/SignatureVerifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AASH,MAAM,WAAW,2BAA2B;IAC1C,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,0BAA0B;IACzC,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,iBAAiB;IAC5B,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,kBAAkB,CAAU;gBAExB,OAAO,CAAC,EAAE;QACpB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,kBAAkB,CAAC,EAAE,OAAO,CAAC;KAC9B;IAWD;;;;OAIG;IACG,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAkF/E;;;;;OAKG;IACG,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,0BAA0B,CAAC;IA2BrG;;;;;OAKG;IACG,sBAAsB,CAC1B,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,0BAA0B,CAAC,CAAC;IAiCnD;;;OAGG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAIlC;;;OAGG;IACH,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAIrC;;OAEG;IACH,cAAc,IAAI,MAAM,EAAE;IAI1B;;;;OAIG;IACG,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;CAoBzD"}

package/dist/update/SignatureVerifier.js

@@ -0,0 +1,214 @@
+/**
+ * SignatureVerifier - Verifies GitHub release signatures to ensure authenticity
+ *
+ * Security features:
+ * - Verifies GPG signatures on git tags
+ * - Validates release artifacts checksums
+ * - Ensures releases come from trusted sources
+ * - Prevents tampering and supply chain attacks
+ */
+import { safeExec } from '../utils/git.js';
+import * as crypto from 'crypto';
+import * as fs from 'fs/promises';
+import * as path from 'path';
+import { randomBytes } from 'crypto';
+import { logger } from '../utils/logger.js';
+export class SignatureVerifier {
+    trustedKeys;
+    allowUnsignedInDev;
+    constructor(options) {
+        // Default trusted keys - should be GPG key IDs of maintainers
+        this.trustedKeys = new Set(options?.trustedKeys || [
+        // Add trusted GPG key fingerprints here
+        // Example: '1234567890ABCDEF1234567890ABCDEF12345678'
+        ]);
+        // Allow unsigned releases in development mode
+        this.allowUnsignedInDev = options?.allowUnsignedInDev ?? true;
+    }
+    /**
+     * Verify a git tag signature
+     * @param tagName The tag to verify (e.g., 'v1.2.0')
+     * @returns Verification result with signer information
+     */
+    async verifyTagSignature(tagName) {
+        try {
+            // Check if GPG is available
+            try {
+                await safeExec('gpg', ['--version']);
+            }
+            catch {
+                return {
+                    verified: false,
+                    error: 'GPG is not installed or not available in PATH'
+                };
+            }
+            // Verify the tag signature
+            const { stdout, stderr } = await safeExec('git', ['verify-tag', tagName]);
+            // Parse GPG output (comes on stderr)
+            const output = stderr || stdout;
+            // Check for good signature
+            if (!output.includes('Good signature')) {
+                // Check if tag is unsigned
+                if (output.includes('error: no signature found')) {
+                    if (this.allowUnsignedInDev && process.env.NODE_ENV !== 'production') {
+                        return {
+                            verified: true,
+                            error: 'Tag is unsigned (allowed in development mode)'
+                        };
+                    }
+                    return {
+                        verified: false,
+                        error: 'Tag is not signed'
+                    };
+                }
+                return {
+                    verified: false,
+                    error: 'Invalid signature'
+                };
+            }
+            // Extract signer information
+            const keyMatch = output.match(/key (?:ID )?([A-F0-9]+)/i);
+            const emailMatch = output.match(/"([^"]+)"/);
+            const dateMatch = output.match(/made (\w+ \w+ \d+ \d+:\d+:\d+ \d+ \w+)/);
+            const signerKey = keyMatch ? keyMatch[1] : undefined;
+            const signerEmail = emailMatch ? emailMatch[1] : undefined;
+            const signatureDate = dateMatch ? new Date(dateMatch[1]) : undefined;
+            // Check if key is trusted
+            if (this.trustedKeys.size > 0 && signerKey) {
+                // Check if the key ID ends with any of our trusted keys
+                const isTrusted = Array.from(this.trustedKeys).some(trustedKey => signerKey.endsWith(trustedKey.toUpperCase()));
+                if (!isTrusted) {
+                    return {
+                        verified: false,
+                        signerKey,
+                        signerEmail,
+                        signatureDate,
+                        error: `Signature is valid but key ${signerKey} is not in trusted keys list`
+                    };
+                }
+            }
+            return {
+                verified: true,
+                signerKey,
+                signerEmail,
+                signatureDate
+            };
+        }
+        catch (error) {
+            return {
+                verified: false,
+                error: `Failed to verify signature: ${error instanceof Error ? error.message : String(error)}`
+            };
+        }
+    }
+    /**
+     * Verify a file checksum against expected value
+     * @param filePath Path to the file to verify
+     * @param expectedChecksum Expected SHA256 checksum
+     * @returns Verification result
+     */
+    async verifyChecksum(filePath, expectedChecksum) {
+        try {
+            // Read file and calculate checksum
+            const fileBuffer = await fs.readFile(filePath);
+            const hash = crypto.createHash('sha256');
+            hash.update(fileBuffer);
+            const actualChecksum = hash.digest('hex');
+            // Compare checksums
+            const verified = actualChecksum.toLowerCase() === expectedChecksum.toLowerCase();
+            return {
+                verified,
+                expectedChecksum,
+                actualChecksum,
+                error: verified ? undefined : 'Checksum mismatch'
+            };
+        }
+        catch (error) {
+            return {
+                verified: false,
+                expectedChecksum,
+                error: `Failed to verify checksum: ${error instanceof Error ? error.message : String(error)}`
+            };
+        }
+    }
+    /**
+     * Verify release artifacts using a checksums file
+     * @param checksumsFile Path to checksums file (e.g., SHA256SUMS)
+     * @param artifactDir Directory containing artifacts to verify
+     * @returns Map of filename to verification result
+     */
+    async verifyReleaseArtifacts(checksumsFile, artifactDir) {
+        const results = new Map();
+        try {
+            // Read checksums file
+            const checksumsContent = await fs.readFile(checksumsFile, 'utf-8');
+            const lines = checksumsContent.split('\n').filter(line => line.trim());
+            // Parse checksums (format: "checksum  filename" or "checksum *filename")
+            for (const line of lines) {
+                const match = line.match(/^([a-f0-9]+)\s+\*?(.+)$/i);
+                if (!match)
+                    continue;
+                const [, checksum, filename] = match;
+                const filePath = path.join(artifactDir, filename);
+                // Verify each file
+                const result = await this.verifyChecksum(filePath, checksum);
+                results.set(filename, result);
+            }
+            return results;
+        }
+        catch (error) {
+            // If we can't read the checksums file, mark all as unverified
+            results.set('*', {
+                verified: false,
+                error: `Failed to read checksums file: ${error instanceof Error ? error.message : String(error)}`
+            });
+            return results;
+        }
+    }
+    /**
+     * Add a trusted key for signature verification
+     * @param keyId GPG key ID or fingerprint
+     */
+    addTrustedKey(keyId) {
+        this.trustedKeys.add(keyId.toUpperCase());
+    }
+    /**
+     * Remove a trusted key
+     * @param keyId GPG key ID or fingerprint
+     */
+    removeTrustedKey(keyId) {
+        this.trustedKeys.delete(keyId.toUpperCase());
+    }
+    /**
+     * Get list of trusted keys
+     */
+    getTrustedKeys() {
+        return Array.from(this.trustedKeys);
+    }
+    /**
+     * Import a GPG public key
+     * @param keyData The public key data to import
+     * @returns Success status
+     */
+    async importPublicKey(keyData) {
+        try {
+            // Write key data to temporary file with secure random name
+            const tempFile = path.join(process.cwd(), `.gpg-import-${randomBytes(8).toString('hex')}.asc`);
+            await fs.writeFile(tempFile, keyData);
+            try {
+                // Import the key
+                await safeExec('gpg', ['--import', tempFile]);
+                return true;
+            }
+            finally {
+                // Clean up temp file
+                await fs.unlink(tempFile).catch(() => { });
+            }
+        }
+        catch (error) {
+            logger.error('Failed to import GPG key:', error);
+            return false;
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiU2lnbmF0dXJlVmVyaWZpZXIuanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi8uLi9zcmMvdXBkYXRlL1NpZ25hdHVyZVZlcmlmaWVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7OztHQVFHO0FBRUgsT0FBTyxFQUFFLFFBQVEsRUFBRSxNQUFNLGlCQUFpQixDQUFDO0FBQzNDLE9BQU8sS0FBSyxNQUFNLE1BQU0sUUFBUSxDQUFDO0FBQ2pDLE9BQU8sS0FBSyxFQUFFLE1BQU0sYUFBYSxDQUFDO0FBQ2xDLE9BQU8sS0FBSyxJQUFJLE1BQU0sTUFBTSxDQUFDO0FBQzdCLE9BQU8sRUFBRSxXQUFXLEVBQUUsTUFBTSxRQUFRLENBQUM7QUFDckMsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLG9CQUFvQixDQUFDO0FBaUI1QyxNQUFNLE9BQU8saUJBQWlCO0lBQ3BCLFdBQVcsQ0FBYztJQUN6QixrQkFBa0IsQ0FBVTtJQUVwQyxZQUFZLE9BR1g7UUFDQyw4REFBOEQ7UUFDOUQsSUFBSSxDQUFDLFdBQVcsR0FBRyxJQUFJLEdBQUcsQ0FBQyxPQUFPLEVBQUUsV0FBVyxJQUFJO1FBQ2pELHdDQUF3QztRQUN4QyxzREFBc0Q7U0FDdkQsQ0FBQyxDQUFDO1FBRUgsOENBQThDO1FBQzlDLElBQUksQ0FBQyxrQkFBa0IsR0FBRyxPQUFPLEVBQUUsa0JBQWtCLElBQUksSUFBSSxDQUFDO0lBQ2hFLENBQUM7SUFFRDs7OztPQUlHO0lBQ0gsS0FBSyxDQUFDLGtCQUFrQixDQUFDLE9BQWU7UUFDdEMsSUFBSSxDQUFDO1lBQ0gsNEJBQTRCO1lBQzVCLElBQUksQ0FBQztnQkFDSCxNQUFNLFFBQVEsQ0FBQyxLQUFLLEVBQUUsQ0FBQyxXQUFXLENBQUMsQ0FBQyxDQUFDO1lBQ3ZDLENBQUM7WUFBQyxNQUFNLENBQUM7Z0JBQ1AsT0FBTztvQkFDTCxRQUFRLEVBQUUsS0FBSztvQkFDZixLQUFLLEVBQUUsK0NBQStDO2lCQUN2RCxDQUFDO1lBQ0osQ0FBQztZQUVELDJCQUEyQjtZQUMzQixNQUFNLEVBQUUsTUFBTSxFQUFFLE1BQU0sRUFBRSxHQUFHLE1BQU0sUUFBUSxDQUFDLEtBQUssRUFBRSxDQUFDLFlBQVksRUFBRSxPQUFPLENBQUMsQ0FBQyxDQUFDO1lBRTFFLHFDQUFxQztZQUNyQyxNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksTUFBTSxDQUFDO1lBRWhDLDJCQUEyQjtZQUMzQixJQUFJLENBQUMsTUFBTSxDQUFDLFFBQVEsQ0FBQyxnQkFBZ0IsQ0FBQyxFQUFFLENBQUM7Z0JBQ3ZDLDJCQUEyQjtnQkFDM0IsSUFBSSxNQUFNLENBQUMsUUFBUSxDQUFDLDJCQUEyQixDQUFDLEVBQUUsQ0FBQztvQkFDakQsSUFBSSxJQUFJLENBQUMsa0JBQWtCLElBQUksT0FBTyxDQUFDLEdBQUcsQ0FBQyxRQUFRLEtBQUssWUFBWSxFQUFFLENBQUM7d0JBQ3JFLE9BQU87NEJBQ0wsUUFBUSxFQUFFLElBQUk7NEJBQ2QsS0FBSyxFQUFFLCtDQUErQzt5QkFDdkQsQ0FBQztvQkFDSixDQUFDO29CQUNELE9BQU87d0JBQ0wsUUFBUSxFQUFFLEtBQUs7d0JBQ2YsS0FBSyxFQUFFLG1CQUFtQjtxQkFDM0IsQ0FBQztnQkFDSixDQUFDO2dCQUVELE9BQU87b0JBQ0wsUUFBUSxFQUFFLEtBQUs7b0JBQ2YsS0FBSyxFQUFFLG1CQUFtQjtpQkFDM0IsQ0FBQztZQUNKLENBQUM7WUFFRCw2QkFBNkI7WUFDN0IsTUFBTSxRQUFRLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO1lBQzFELE1BQU0sVUFBVSxHQUFHLE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxDQUFDLENBQUM7WUFDN0MsTUFBTSxTQUFTLEdBQUcsTUFBTSxDQUFDLEtBQUssQ0FBQyx3Q0FBd0MsQ0FBQyxDQUFDO1lBRXpFLE1BQU0sU0FBUyxHQUFHLFFBQVEsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7WUFDckQsTUFBTSxXQUFXLEdBQUcsVUFBVSxDQUFDLENBQUMsQ0FBQyxVQUFVLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVMsQ0FBQztZQUMzRCxNQUFNLGFBQWEsR0FBRyxTQUFTLENBQUMsQ0FBQyxDQUFDLElBQUksSUFBSSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7WUFFckUsMEJBQTBCO1lBQzFCLElBQUksSUFBSSxDQUFDLFdBQVcsQ0FBQyxJQUFJLEdBQUcsQ0FBQyxJQUFJLFNBQVMsRUFBRSxDQUFDO2dCQUMzQyx3REFBd0Q7Z0JBQ3hELE1BQU0sU0FBUyxHQUFHLEtBQUssQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQyxDQUFDLElBQUksQ0FBQyxVQUFVLENBQUMsRUFBRSxDQUMvRCxTQUFTLENBQUMsUUFBUSxDQUFDLFVBQVUsQ0FBQyxXQUFXLEVBQUUsQ0FBQyxDQUM3QyxDQUFDO2dCQUVGLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztvQkFDZixPQUFPO3dCQUNMLFFBQVEsRUFBRSxLQUFLO3dCQUNmLFNBQVM7d0JBQ1QsV0FBVzt3QkFDWCxhQUFhO3dCQUNiLEtBQUssRUFBRSw4QkFBOEIsU0FBUyw4QkFBOEI7cUJBQzdFLENBQUM7Z0JBQ0osQ0FBQztZQUNILENBQUM7WUFFRCxPQUFPO2dCQUNMLFFBQVEsRUFBRSxJQUFJO2dCQUNkLFNBQVM7Z0JBQ1QsV0FBVztnQkFDWCxhQUFhO2FBQ2QsQ0FBQztRQUVKLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsT0FBTztnQkFDTCxRQUFRLEVBQUUsS0FBSztnQkFDZixLQUFLLEVBQUUsK0JBQStCLEtBQUssWUFBWSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsRUFBRTthQUMvRixDQUFDO1FBQ0osQ0FBQztJQUNILENBQUM7SUFFRDs7Ozs7T0FLRztJQUNILEtBQUssQ0FBQyxjQUFjLENBQUMsUUFBZ0IsRUFBRSxnQkFBd0I7UUFDN0QsSUFBSSxDQUFDO1lBQ0gsbUNBQW1DO1lBQ25DLE1BQU0sVUFBVSxHQUFHLE1BQU0sRUFBRSxDQUFDLFFBQVEsQ0FBQyxRQUFRLENBQUMsQ0FBQztZQUMvQyxNQUFNLElBQUksR0FBRyxNQUFNLENBQUMsVUFBVSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1lBQ3pDLElBQUksQ0FBQyxNQUFNLENBQUMsVUFBVSxDQUFDLENBQUM7WUFDeEIsTUFBTSxjQUFjLEdBQUcsSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQztZQUUxQyxvQkFBb0I7WUFDcEIsTUFBTSxRQUFRLEdBQUcsY0FBYyxDQUFDLFdBQVcsRUFBRSxLQUFLLGdCQUFnQixDQUFDLFdBQVcsRUFBRSxDQUFDO1lBRWpGLE9BQU87Z0JBQ0wsUUFBUTtnQkFDUixnQkFBZ0I7Z0JBQ2hCLGNBQWM7Z0JBQ2QsS0FBSyxFQUFFLFFBQVEsQ0FBQyxDQUFDLENBQUMsU0FBUyxDQUFDLENBQUMsQ0FBQyxtQkFBbUI7YUFDbEQsQ0FBQztRQUVKLENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsT0FBTztnQkFDTCxRQUFRLEVBQUUsS0FBSztnQkFDZixnQkFBZ0I7Z0JBQ2hCLEtBQUssRUFBRSw4QkFBOEIsS0FBSyxZQUFZLEtBQUssQ0FBQyxDQUFDLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFO2FBQzlGLENBQUM7UUFDSixDQUFDO0lBQ0gsQ0FBQztJQUVEOzs7OztPQUtHO0lBQ0gsS0FBSyxDQUFDLHNCQUFzQixDQUMxQixhQUFxQixFQUNyQixXQUFtQjtRQUVuQixNQUFNLE9BQU8sR0FBRyxJQUFJLEdBQUcsRUFBc0MsQ0FBQztRQUU5RCxJQUFJLENBQUM7WUFDSCxzQkFBc0I7WUFDdEIsTUFBTSxnQkFBZ0IsR0FBRyxNQUFNLEVBQUUsQ0FBQyxRQUFRLENBQUMsYUFBYSxFQUFFLE9BQU8sQ0FBQyxDQUFDO1lBQ25FLE1BQU0sS0FBSyxHQUFHLGdCQUFnQixDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFLENBQUMsQ0FBQztZQUV2RSx5RUFBeUU7WUFDekUsS0FBSyxNQUFNLElBQUksSUFBSSxLQUFLLEVBQUUsQ0FBQztnQkFDekIsTUFBTSxLQUFLLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQywwQkFBMEIsQ0FBQyxDQUFDO2dCQUNyRCxJQUFJLENBQUMsS0FBSztvQkFBRSxTQUFTO2dCQUVyQixNQUFNLENBQUMsRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLEdBQUcsS0FBSyxDQUFDO2dCQUNyQyxNQUFNLFFBQVEsR0FBRyxJQUFJLENBQUMsSUFBSSxDQUFDLFdBQVcsRUFBRSxRQUFRLENBQUMsQ0FBQztnQkFFbEQsbUJBQW1CO2dCQUNuQixNQUFNLE1BQU0sR0FBRyxNQUFNLElBQUksQ0FBQyxjQUFjLENBQUMsUUFBUSxFQUFFLFFBQVEsQ0FBQyxDQUFDO2dCQUM3RCxPQUFPLENBQUMsR0FBRyxDQUFDLFFBQVEsRUFBRSxNQUFNLENBQUMsQ0FBQztZQUNoQyxDQUFDO1lBRUQsT0FBTyxPQUFPLENBQUM7UUFFakIsQ0FBQztRQUFDLE9BQU8sS0FBSyxFQUFFLENBQUM7WUFDZiw4REFBOEQ7WUFDOUQsT0FBTyxDQUFDLEdBQUcsQ0FBQyxHQUFHLEVBQUU7Z0JBQ2YsUUFBUSxFQUFFLEtBQUs7Z0JBQ2YsS0FBSyxFQUFFLGtDQUFrQyxLQUFLLFlBQVksS0FBSyxDQUFDLENBQUMsQ0FBQyxLQUFLLENBQUMsT0FBTyxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsS0FBSyxDQUFDLEVBQUU7YUFDbEcsQ0FBQyxDQUFDO1lBQ0gsT0FBTyxPQUFPLENBQUM7UUFDakIsQ0FBQztJQUNILENBQUM7SUFFRDs7O09BR0c7SUFDSCxhQUFhLENBQUMsS0FBYTtRQUN6QixJQUFJLENBQUMsV0FBVyxDQUFDLEdBQUcsQ0FBQyxLQUFLLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUM1QyxDQUFDO0lBRUQ7OztPQUdHO0lBQ0gsZ0JBQWdCLENBQUMsS0FBYTtRQUM1QixJQUFJLENBQUMsV0FBVyxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztJQUMvQyxDQUFDO0lBRUQ7O09BRUc7SUFDSCxjQUFjO1FBQ1osT0FBTyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLENBQUMsQ0FBQztJQUN0QyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNILEtBQUssQ0FBQyxlQUFlLENBQUMsT0FBZTtRQUNuQyxJQUFJLENBQUM7WUFDSCwyREFBMkQ7WUFDM0QsTUFBTSxRQUFRLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxPQUFPLENBQUMsR0FBRyxFQUFFLEVBQUUsZUFBZSxXQUFXLENBQUMsQ0FBQyxDQUFDLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxNQUFNLENBQUMsQ0FBQztZQUMvRixNQUFNLEVBQUUsQ0FBQyxTQUFTLENBQUMsUUFBUSxFQUFFLE9BQU8sQ0FBQyxDQUFDO1lBRXRDLElBQUksQ0FBQztnQkFDSCxpQkFBaUI7Z0JBQ2pCLE1BQU0sUUFBUSxDQUFDLEtBQUssRUFBRSxDQUFDLFVBQVUsRUFBRSxRQUFRLENBQUMsQ0FBQyxDQUFDO2dCQUM5QyxPQUFPLElBQUksQ0FBQztZQUNkLENBQUM7b0JBQVMsQ0FBQztnQkFDVCxxQkFBcUI7Z0JBQ3JCLE1BQU0sRUFBRSxDQUFDLE1BQU0sQ0FBQyxRQUFRLENBQUMsQ0FBQyxLQUFLLENBQUMsR0FBRyxFQUFFLEdBQUUsQ0FBQyxDQUFDLENBQUM7WUFDNUMsQ0FBQztRQUVILENBQUM7UUFBQyxPQUFPLEtBQUssRUFBRSxDQUFDO1lBQ2YsTUFBTSxDQUFDLEtBQUssQ0FBQywyQkFBMkIsRUFBRSxLQUFLLENBQUMsQ0FBQztZQUNqRCxPQUFPLEtBQUssQ0FBQztRQUNmLENBQUM7SUFDSCxDQUFDO0NBQ0YiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIFNpZ25hdHVyZVZlcmlmaWVyIC0gVmVyaWZpZXMgR2l0SHViIHJlbGVhc2Ugc2lnbmF0dXJlcyB0byBlbnN1cmUgYXV0aGVudGljaXR5XG4gKiBcbiAqIFNlY3VyaXR5IGZlYXR1cmVzOlxuICogLSBWZXJpZmllcyBHUEcgc2lnbmF0dXJlcyBvbiBnaXQgdGFnc1xuICogLSBWYWxpZGF0ZXMgcmVsZWFzZSBhcnRpZmFjdHMgY2hlY2tzdW1zXG4gKiAtIEVuc3VyZXMgcmVsZWFzZXMgY29tZSBmcm9tIHRydXN0ZWQgc291cmNlc1xuICogLSBQcmV2ZW50cyB0YW1wZXJpbmcgYW5kIHN1cHBseSBjaGFpbiBhdHRhY2tzXG4gKi9cblxuaW1wb3J0IHsgc2FmZUV4ZWMgfSBmcm9tICcuLi91dGlscy9naXQuanMnO1xuaW1wb3J0ICogYXMgY3J5cHRvIGZyb20gJ2NyeXB0byc7XG5pbXBvcnQgKiBhcyBmcyBmcm9tICdmcy9wcm9taXNlcyc7XG5pbXBvcnQgKiBhcyBwYXRoIGZyb20gJ3BhdGgnO1xuaW1wb3J0IHsgcmFuZG9tQnl0ZXMgfSBmcm9tICdjcnlwdG8nO1xuaW1wb3J0IHsgbG9nZ2VyIH0gZnJvbSAnLi4vdXRpbHMvbG9nZ2VyLmpzJztcblxuZXhwb3J0IGludGVyZmFjZSBTaWduYXR1cmVWZXJpZmljYXRpb25SZXN1bHQge1xuICB2ZXJpZmllZDogYm9vbGVhbjtcbiAgc2lnbmVyS2V5Pzogc3RyaW5nO1xuICBzaWduZXJFbWFpbD86IHN0cmluZztcbiAgc2lnbmF0dXJlRGF0ZT86IERhdGU7XG4gIGVycm9yPzogc3RyaW5nO1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIENoZWNrc3VtVmVyaWZpY2F0aW9uUmVzdWx0IHtcbiAgdmVyaWZpZWQ6IGJvb2xlYW47XG4gIGV4cGVjdGVkQ2hlY2tzdW0/OiBzdHJpbmc7XG4gIGFjdHVhbENoZWNrc3VtPzogc3RyaW5nO1xuICBlcnJvcj86IHN0cmluZztcbn1cblxuZXhwb3J0IGNsYXNzIFNpZ25hdHVyZVZlcmlmaWVyIHtcbiAgcHJpdmF0ZSB0cnVzdGVkS2V5czogU2V0PHN0cmluZz47XG4gIHByaXZhdGUgYWxsb3dVbnNpZ25lZEluRGV2OiBib29sZWFuO1xuICBcbiAgY29uc3RydWN0b3Iob3B0aW9ucz86IHtcbiAgICB0cnVzdGVkS2V5cz86IHN0cmluZ1tdO1xuICAgIGFsbG93VW5zaWduZWRJbkRldj86IGJvb2xlYW47XG4gIH0pIHtcbiAgICAvLyBEZWZhdWx0IHRydXN0ZWQga2V5cyAtIHNob3VsZCBiZSBHUEcga2V5IElEcyBvZiBtYWludGFpbmVyc1xuICAgIHRoaXMudHJ1c3RlZEtleXMgPSBuZXcgU2V0KG9wdGlvbnM/LnRydXN0ZWRLZXlzIHx8IFtcbiAgICAgIC8vIEFkZCB0cnVzdGVkIEdQRyBrZXkgZmluZ2VycHJpbnRzIGhlcmVcbiAgICAgIC8vIEV4YW1wbGU6ICcxMjM0NTY3ODkwQUJDREVGMTIzNDU2Nzg5MEFCQ0RFRjEyMzQ1Njc4J1xuICAgIF0pO1xuICAgIFxuICAgIC8vIEFsbG93IHVuc2lnbmVkIHJlbGVhc2VzIGluIGRldmVsb3BtZW50IG1vZGVcbiAgICB0aGlzLmFsbG93VW5zaWduZWRJbkRldiA9IG9wdGlvbnM/LmFsbG93VW5zaWduZWRJbkRldiA/PyB0cnVlO1xuICB9XG4gIFxuICAvKipcbiAgICogVmVyaWZ5IGEgZ2l0IHRhZyBzaWduYXR1cmVcbiAgICogQHBhcmFtIHRhZ05hbWUgVGhlIHRhZyB0byB2ZXJpZnkgKGUuZy4sICd2MS4yLjAnKVxuICAgKiBAcmV0dXJucyBWZXJpZmljYXRpb24gcmVzdWx0IHdpdGggc2lnbmVyIGluZm9ybWF0aW9uXG4gICAqL1xuICBhc3luYyB2ZXJpZnlUYWdTaWduYXR1cmUodGFnTmFtZTogc3RyaW5nKTogUHJvbWlzZTxTaWduYXR1cmVWZXJpZmljYXRpb25SZXN1bHQ+IHtcbiAgICB0cnkge1xuICAgICAgLy8gQ2hlY2sgaWYgR1BHIGlzIGF2YWlsYWJsZVxuICAgICAgdHJ5IHtcbiAgICAgICAgYXdhaXQgc2FmZUV4ZWMoJ2dwZycsIFsnLS12ZXJzaW9uJ10pO1xuICAgICAgfSBjYXRjaCB7XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgdmVyaWZpZWQ6IGZhbHNlLFxuICAgICAgICAgIGVycm9yOiAnR1BHIGlzIG5vdCBpbnN0YWxsZWQgb3Igbm90IGF2YWlsYWJsZSBpbiBQQVRIJ1xuICAgICAgICB9O1xuICAgICAgfVxuICAgICAgXG4gICAgICAvLyBWZXJpZnkgdGhlIHRhZyBzaWduYXR1cmVcbiAgICAgIGNvbnN0IHsgc3Rkb3V0LCBzdGRlcnIgfSA9IGF3YWl0IHNhZmVFeGVjKCdnaXQnLCBbJ3ZlcmlmeS10YWcnLCB0YWdOYW1lXSk7XG4gICAgICBcbiAgICAgIC8vIFBhcnNlIEdQRyBvdXRwdXQgKGNvbWVzIG9uIHN0ZGVycilcbiAgICAgIGNvbnN0IG91dHB1dCA9IHN0ZGVyciB8fCBzdGRvdXQ7XG4gICAgICBcbiAgICAgIC8vIENoZWNrIGZvciBnb29kIHNpZ25hdHVyZVxuICAgICAgaWYgKCFvdXRwdXQuaW5jbHVkZXMoJ0dvb2Qgc2lnbmF0dXJlJykpIHtcbiAgICAgICAgLy8gQ2hlY2sgaWYgdGFnIGlzIHVuc2lnbmVkXG4gICAgICAgIGlmIChvdXRwdXQuaW5jbHVkZXMoJ2Vycm9yOiBubyBzaWduYXR1cmUgZm91bmQnKSkge1xuICAgICAgICAgIGlmICh0aGlzLmFsbG93VW5zaWduZWRJbkRldiAmJiBwcm9jZXNzLmVudi5OT0RFX0VOViAhPT0gJ3Byb2R1Y3Rpb24nKSB7XG4gICAgICAgICAgICByZXR1cm4ge1xuICAgICAgICAgICAgICB2ZXJpZmllZDogdHJ1ZSxcbiAgICAgICAgICAgICAgZXJyb3I6ICdUYWcgaXMgdW5zaWduZWQgKGFsbG93ZWQgaW4gZGV2ZWxvcG1lbnQgbW9kZSknXG4gICAgICAgICAgICB9O1xuICAgICAgICAgIH1cbiAgICAgICAgICByZXR1cm4ge1xuICAgICAgICAgICAgdmVyaWZpZWQ6IGZhbHNlLFxuICAgICAgICAgICAgZXJyb3I6ICdUYWcgaXMgbm90IHNpZ25lZCdcbiAgICAgICAgICB9O1xuICAgICAgICB9XG4gICAgICAgIFxuICAgICAgICByZXR1cm4ge1xuICAgICAgICAgIHZlcmlmaWVkOiBmYWxzZSxcbiAgICAgICAgICBlcnJvcjogJ0ludmFsaWQgc2lnbmF0dXJlJ1xuICAgICAgICB9O1xuICAgICAgfVxuICAgICAgXG4gICAgICAvLyBFeHRyYWN0IHNpZ25lciBpbmZvcm1hdGlvblxuICAgICAgY29uc3Qga2V5TWF0Y2ggPSBvdXRwdXQubWF0Y2goL2tleSAoPzpJRCApPyhbQS1GMC05XSspL2kpO1xuICAgICAgY29uc3QgZW1haWxNYXRjaCA9IG91dHB1dC5tYXRjaCgvXCIoW15cIl0rKVwiLyk7XG4gICAgICBjb25zdCBkYXRlTWF0Y2ggPSBvdXRwdXQubWF0Y2goL21hZGUgKFxcdysgXFx3KyBcXGQrIFxcZCs6XFxkKzpcXGQrIFxcZCsgXFx3KykvKTtcbiAgICAgIFxuICAgICAgY29uc3Qgc2lnbmVyS2V5ID0ga2V5TWF0Y2ggPyBrZXlNYXRjaFsxXSA6IHVuZGVmaW5lZDtcbiAgICAgIGNvbnN0IHNpZ25lckVtYWlsID0gZW1haWxNYXRjaCA/IGVtYWlsTWF0Y2hbMV0gOiB1bmRlZmluZWQ7XG4gICAgICBjb25zdCBzaWduYXR1cmVEYXRlID0gZGF0ZU1hdGNoID8gbmV3IERhdGUoZGF0ZU1hdGNoWzFdKSA6IHVuZGVmaW5lZDtcbiAgICAgIFxuICAgICAgLy8gQ2hlY2sgaWYga2V5IGlzIHRydXN0ZWRcbiAgICAgIGlmICh0aGlzLnRydXN0ZWRLZXlzLnNpemUgPiAwICYmIHNpZ25lcktleSkge1xuICAgICAgICAvLyBDaGVjayBpZiB0aGUga2V5IElEIGVuZHMgd2l0aCBhbnkgb2Ygb3VyIHRydXN0ZWQga2V5c1xuICAgICAgICBjb25zdCBpc1RydXN0ZWQgPSBBcnJheS5mcm9tKHRoaXMudHJ1c3RlZEtleXMpLnNvbWUodHJ1c3RlZEtleSA9PiBcbiAgICAgICAgICBzaWduZXJLZXkuZW5kc1dpdGgodHJ1c3RlZEtleS50b1VwcGVyQ2FzZSgpKVxuICAgICAgICApO1xuICAgICAgICBcbiAgICAgICAgaWYgKCFpc1RydXN0ZWQpIHtcbiAgICAgICAgICByZXR1cm4ge1xuICAgICAgICAgICAgdmVyaWZpZWQ6IGZhbHNlLFxuICAgICAgICAgICAgc2lnbmVyS2V5LFxuICAgICAgICAgICAgc2lnbmVyRW1haWwsXG4gICAgICAgICAgICBzaWduYXR1cmVEYXRlLFxuICAgICAgICAgICAgZXJyb3I6IGBTaWduYXR1cmUgaXMgdmFsaWQgYnV0IGtleSAke3NpZ25lcktleX0gaXMgbm90IGluIHRydXN0ZWQga2V5cyBsaXN0YFxuICAgICAgICAgIH07XG4gICAgICAgIH1cbiAgICAgIH1cbiAgICAgIFxuICAgICAgcmV0dXJuIHtcbiAgICAgICAgdmVyaWZpZWQ6IHRydWUsXG4gICAgICAgIHNpZ25lcktleSxcbiAgICAgICAgc2lnbmVyRW1haWwsXG4gICAgICAgIHNpZ25hdHVyZURhdGVcbiAgICAgIH07XG4gICAgICBcbiAgICB9IGNhdGNoIChlcnJvcikge1xuICAgICAgcmV0dXJuIHtcbiAgICAgICAgdmVyaWZpZWQ6IGZhbHNlLFxuICAgICAgICBlcnJvcjogYEZhaWxlZCB0byB2ZXJpZnkgc2lnbmF0dXJlOiAke2Vycm9yIGluc3RhbmNlb2YgRXJyb3IgPyBlcnJvci5tZXNzYWdlIDogU3RyaW5nKGVycm9yKX1gXG4gICAgICB9O1xuICAgIH1cbiAgfVxuICBcbiAgLyoqXG4gICAqIFZlcmlmeSBhIGZpbGUgY2hlY2tzdW0gYWdhaW5zdCBleHBlY3RlZCB2YWx1ZVxuICAgKiBAcGFyYW0gZmlsZVBhdGggUGF0aCB0byB0aGUgZmlsZSB0byB2ZXJpZnlcbiAgICogQHBhcmFtIGV4cGVjdGVkQ2hlY2tzdW0gRXhwZWN0ZWQgU0hBMjU2IGNoZWNrc3VtXG4gICAqIEByZXR1cm5zIFZlcmlmaWNhdGlvbiByZXN1bHRcbiAgICovXG4gIGFzeW5jIHZlcmlmeUNoZWNrc3VtKGZpbGVQYXRoOiBzdHJpbmcsIGV4cGVjdGVkQ2hlY2tzdW06IHN0cmluZyk6IFByb21pc2U8Q2hlY2tzdW1WZXJpZmljYXRpb25SZXN1bHQ+IHtcbiAgICB0cnkge1xuICAgICAgLy8gUmVhZCBmaWxlIGFuZCBjYWxjdWxhdGUgY2hlY2tzdW1cbiAgICAgIGNvbnN0IGZpbGVCdWZmZXIgPSBhd2FpdCBmcy5yZWFkRmlsZShmaWxlUGF0aCk7XG4gICAgICBjb25zdCBoYXNoID0gY3J5cHRvLmNyZWF0ZUhhc2goJ3NoYTI1NicpO1xuICAgICAgaGFzaC51cGRhdGUoZmlsZUJ1ZmZlcik7XG4gICAgICBjb25zdCBhY3R1YWxDaGVja3N1bSA9IGhhc2guZGlnZXN0KCdoZXgnKTtcbiAgICAgIFxuICAgICAgLy8gQ29tcGFyZSBjaGVja3N1bXNcbiAgICAgIGNvbnN0IHZlcmlmaWVkID0gYWN0dWFsQ2hlY2tzdW0udG9Mb3dlckNhc2UoKSA9PT0gZXhwZWN0ZWRDaGVja3N1bS50b0xvd2VyQ2FzZSgpO1xuICAgICAgXG4gICAgICByZXR1cm4ge1xuICAgICAgICB2ZXJpZmllZCxcbiAgICAgICAgZXhwZWN0ZWRDaGVja3N1bSxcbiAgICAgICAgYWN0dWFsQ2hlY2tzdW0sXG4gICAgICAgIGVycm9yOiB2ZXJpZmllZCA/IHVuZGVmaW5lZCA6ICdDaGVja3N1bSBtaXNtYXRjaCdcbiAgICAgIH07XG4gICAgICBcbiAgICB9IGNhdGNoIChlcnJvcikge1xuICAgICAgcmV0dXJuIHtcbiAgICAgICAgdmVyaWZpZWQ6IGZhbHNlLFxuICAgICAgICBleHBlY3RlZENoZWNrc3VtLFxuICAgICAgICBlcnJvcjogYEZhaWxlZCB0byB2ZXJpZnkgY2hlY2tzdW06ICR7ZXJyb3IgaW5zdGFuY2VvZiBFcnJvciA/IGVycm9yLm1lc3NhZ2UgOiBTdHJpbmcoZXJyb3IpfWBcbiAgICAgIH07XG4gICAgfVxuICB9XG4gIFxuICAvKipcbiAgICogVmVyaWZ5IHJlbGVhc2UgYXJ0aWZhY3RzIHVzaW5nIGEgY2hlY2tzdW1zIGZpbGVcbiAgICogQHBhcmFtIGNoZWNrc3Vtc0ZpbGUgUGF0aCB0byBjaGVja3N1bXMgZmlsZSAoZS5nLiwgU0hBMjU2U1VNUylcbiAgICogQHBhcmFtIGFydGlmYWN0RGlyIERpcmVjdG9yeSBjb250YWluaW5nIGFydGlmYWN0cyB0byB2ZXJpZnlcbiAgICogQHJldHVybnMgTWFwIG9mIGZpbGVuYW1lIHRvIHZlcmlmaWNhdGlvbiByZXN1bHRcbiAgICovXG4gIGFzeW5jIHZlcmlmeVJlbGVhc2VBcnRpZmFjdHMoXG4gICAgY2hlY2tzdW1zRmlsZTogc3RyaW5nLCBcbiAgICBhcnRpZmFjdERpcjogc3RyaW5nXG4gICk6IFByb21pc2U8TWFwPHN0cmluZywgQ2hlY2tzdW1WZXJpZmljYXRpb25SZXN1bHQ+PiB7XG4gICAgY29uc3QgcmVzdWx0cyA9IG5ldyBNYXA8c3RyaW5nLCBDaGVja3N1bVZlcmlmaWNhdGlvblJlc3VsdD4oKTtcbiAgICBcbiAgICB0cnkge1xuICAgICAgLy8gUmVhZCBjaGVja3N1bXMgZmlsZVxuICAgICAgY29uc3QgY2hlY2tzdW1zQ29udGVudCA9IGF3YWl0IGZzLnJlYWRGaWxlKGNoZWNrc3Vtc0ZpbGUsICd1dGYtOCcpO1xuICAgICAgY29uc3QgbGluZXMgPSBjaGVja3N1bXNDb250ZW50LnNwbGl0KCdcXG4nKS5maWx0ZXIobGluZSA9PiBsaW5lLnRyaW0oKSk7XG4gICAgICBcbiAgICAgIC8vIFBhcnNlIGNoZWNrc3VtcyAoZm9ybWF0OiBcImNoZWNrc3VtICBmaWxlbmFtZVwiIG9yIFwiY2hlY2tzdW0gKmZpbGVuYW1lXCIpXG4gICAgICBmb3IgKGNvbnN0IGxpbmUgb2YgbGluZXMpIHtcbiAgICAgICAgY29uc3QgbWF0Y2ggPSBsaW5lLm1hdGNoKC9eKFthLWYwLTldKylcXHMrXFwqPyguKykkL2kpO1xuICAgICAgICBpZiAoIW1hdGNoKSBjb250aW51ZTtcbiAgICAgICAgXG4gICAgICAgIGNvbnN0IFssIGNoZWNrc3VtLCBmaWxlbmFtZV0gPSBtYXRjaDtcbiAgICAgICAgY29uc3QgZmlsZVBhdGggPSBwYXRoLmpvaW4oYXJ0aWZhY3REaXIsIGZpbGVuYW1lKTtcbiAgICAgICAgXG4gICAgICAgIC8vIFZlcmlmeSBlYWNoIGZpbGVcbiAgICAgICAgY29uc3QgcmVzdWx0ID0gYXdhaXQgdGhpcy52ZXJpZnlDaGVja3N1bShmaWxlUGF0aCwgY2hlY2tzdW0pO1xuICAgICAgICByZXN1bHRzLnNldChmaWxlbmFtZSwgcmVzdWx0KTtcbiAgICAgIH1cbiAgICAgIFxuICAgICAgcmV0dXJuIHJlc3VsdHM7XG4gICAgICBcbiAgICB9IGNhdGNoIChlcnJvcikge1xuICAgICAgLy8gSWYgd2UgY2FuJ3QgcmVhZCB0aGUgY2hlY2tzdW1zIGZpbGUsIG1hcmsgYWxsIGFzIHVudmVyaWZpZWRcbiAgICAgIHJlc3VsdHMuc2V0KCcqJywge1xuICAgICAgICB2ZXJpZmllZDogZmFsc2UsXG4gICAgICAgIGVycm9yOiBgRmFpbGVkIHRvIHJlYWQgY2hlY2tzdW1zIGZpbGU6ICR7ZXJyb3IgaW5zdGFuY2VvZiBFcnJvciA/IGVycm9yLm1lc3NhZ2UgOiBTdHJpbmcoZXJyb3IpfWBcbiAgICAgIH0pO1xuICAgICAgcmV0dXJuIHJlc3VsdHM7XG4gICAgfVxuICB9XG4gIFxuICAvKipcbiAgICogQWRkIGEgdHJ1c3RlZCBrZXkgZm9yIHNpZ25hdHVyZSB2ZXJpZmljYXRpb25cbiAgICogQHBhcmFtIGtleUlkIEdQRyBrZXkgSUQgb3IgZmluZ2VycHJpbnRcbiAgICovXG4gIGFkZFRydXN0ZWRLZXkoa2V5SWQ6IHN0cmluZyk6IHZvaWQge1xuICAgIHRoaXMudHJ1c3RlZEtleXMuYWRkKGtleUlkLnRvVXBwZXJDYXNlKCkpO1xuICB9XG4gIFxuICAvKipcbiAgICogUmVtb3ZlIGEgdHJ1c3RlZCBrZXlcbiAgICogQHBhcmFtIGtleUlkIEdQRyBrZXkgSUQgb3IgZmluZ2VycHJpbnRcbiAgICovXG4gIHJlbW92ZVRydXN0ZWRLZXkoa2V5SWQ6IHN0cmluZyk6IHZvaWQge1xuICAgIHRoaXMudHJ1c3RlZEtleXMuZGVsZXRlKGtleUlkLnRvVXBwZXJDYXNlKCkpO1xuICB9XG4gIFxuICAvKipcbiAgICogR2V0IGxpc3Qgb2YgdHJ1c3RlZCBrZXlzXG4gICAqL1xuICBnZXRUcnVzdGVkS2V5cygpOiBzdHJpbmdbXSB7XG4gICAgcmV0dXJuIEFycmF5LmZyb20odGhpcy50cnVzdGVkS2V5cyk7XG4gIH1cbiAgXG4gIC8qKlxuICAgKiBJbXBvcnQgYSBHUEcgcHVibGljIGtleVxuICAgKiBAcGFyYW0ga2V5RGF0YSBUaGUgcHVibGljIGtleSBkYXRhIHRvIGltcG9ydFxuICAgKiBAcmV0dXJucyBTdWNjZXNzIHN0YXR1c1xuICAgKi9cbiAgYXN5bmMgaW1wb3J0UHVibGljS2V5KGtleURhdGE6IHN0cmluZyk6IFByb21pc2U8Ym9vbGVhbj4ge1xuICAgIHRyeSB7XG4gICAgICAvLyBXcml0ZSBrZXkgZGF0YSB0byB0ZW1wb3JhcnkgZmlsZSB3aXRoIHNlY3VyZSByYW5kb20gbmFtZVxuICAgICAgY29uc3QgdGVtcEZpbGUgPSBwYXRoLmpvaW4ocHJvY2Vzcy5jd2QoKSwgYC5ncGctaW1wb3J0LSR7cmFuZG9tQnl0ZXMoOCkudG9TdHJpbmcoJ2hleCcpfS5hc2NgKTtcbiAgICAgIGF3YWl0IGZzLndyaXRlRmlsZSh0ZW1wRmlsZSwga2V5RGF0YSk7XG4gICAgICBcbiAgICAgIHRyeSB7XG4gICAgICAgIC8vIEltcG9ydCB0aGUga2V5XG4gICAgICAgIGF3YWl0IHNhZmVFeGVjKCdncGcnLCBbJy0taW1wb3J0JywgdGVtcEZpbGVdKTtcbiAgICAgICAgcmV0dXJuIHRydWU7XG4gICAgICB9IGZpbmFsbHkge1xuICAgICAgICAvLyBDbGVhbiB1cCB0ZW1wIGZpbGVcbiAgICAgICAgYXdhaXQgZnMudW5saW5rKHRlbXBGaWxlKS5jYXRjaCgoKSA9PiB7fSk7XG4gICAgICB9XG4gICAgICBcbiAgICB9IGNhdGNoIChlcnJvcikge1xuICAgICAgbG9nZ2VyLmVycm9yKCdGYWlsZWQgdG8gaW1wb3J0IEdQRyBrZXk6JywgZXJyb3IpO1xuICAgICAgcmV0dXJuIGZhbHNlO1xuICAgIH1cbiAgfVxufSJdfQ==

package/dist/update/UpdateChecker.d.ts

@@ -0,0 +1,127 @@
+/**
+ * UpdateChecker - Secure GitHub release update checking with comprehensive sanitization
+ *
+ * Security measures implemented:
+ * 1. XSS Protection: DOMPurify with strict no-tags/no-attributes policy
+ * 2. Command Injection Prevention: Multiple regex patterns for various escape sequences
+ * 3. URL Validation: Whitelist approach allowing only http/https schemes
+ * 4. Information Disclosure Prevention: Sanitized logging of sensitive data
+ * 5. Length Limits: Configurable limits to prevent DoS attacks
+ * 6. OWASP Patterns: Protection against PHP, ASP, hex, unicode, and octal escapes
+ *
+ * Performance optimizations:
+ * - Cached DOMPurify instance to avoid recreation overhead
+ * - Single-pass regex processing for injection patterns
+ * - Exponential backoff for network retries
+ */
+import { VersionManager } from './VersionManager.js';
+import { RateLimiter } from './RateLimiter.js';
+import { SignatureVerifier } from './SignatureVerifier.js';
+export interface UpdateCheckResult {
+    currentVersion: string;
+    latestVersion: string;
+    isUpdateAvailable: boolean;
+    releaseDate: string;
+    releaseNotes: string;
+    releaseUrl: string;
+    tagName?: string;
+    signatureVerified?: boolean;
+    signerInfo?: string;
+}
+export declare class UpdateChecker {
+    private versionManager;
+    private rateLimiter;
+    private signatureVerifier;
+    private static purifyWindow;
+    private static purify;
+    private readonly releaseNotesMaxLength;
+    private readonly urlMaxLength;
+    private readonly securityLogger?;
+    private readonly requireSignedReleases;
+    constructor(versionManager: VersionManager, options?: {
+        releaseNotesMaxLength?: number;
+        urlMaxLength?: number;
+        securityLogger?: (event: string, details: any) => void;
+        rateLimiter?: RateLimiter;
+        signatureVerifier?: SignatureVerifier;
+        requireSignedReleases?: boolean;
+    });
+    /**
+     * Execute a network operation with retry logic and exponential backoff
+     * @param operation - The async operation to execute
+     * @param maxRetries - Maximum number of retry attempts (default: 3)
+     * @param baseDelay - Base delay in milliseconds for exponential backoff (default: 1000ms)
+     * @returns Promise resolving to the operation result
+     * @throws The last error if all retries fail
+     */
+    private retryNetworkOperation;
+    /**
+     * Check for updates from GitHub releases with security and error handling
+     * @returns UpdateCheckResult if update info is available, null if no releases found
+     * @throws Error for network or API failures or rate limit exceeded
+     */
+    checkForUpdates(): Promise<UpdateCheckResult | null>;
+    /**
+     * Get current rate limit status
+     * @returns Current rate limit status including remaining requests and reset time
+     */
+    getRateLimitStatus(): {
+        allowed: boolean;
+        remainingRequests: number;
+        resetTime: Date;
+        waitTimeSeconds?: number;
+    };
+    /**
+     * Format update check results for display with comprehensive sanitization
+     * @param result - The update check result to format
+     * @param error - Optional error from update check
+     * @param personaIndicator - Optional persona indicator prefix
+     * @returns Formatted string safe for display
+     */
+    formatUpdateCheckResult(result: UpdateCheckResult | null, error?: Error, personaIndicator?: string): string;
+    /**
+     * Sanitize URLs to prevent dangerous schemes and information disclosure
+     *
+     * Security measures:
+     * - Length validation to prevent DoS
+     * - Whitelist approach: only http/https allowed
+     * - Sanitized logging to prevent sensitive data exposure
+     *
+     * @param url - The URL to sanitize
+     * @returns Empty string if invalid/dangerous, original URL if safe
+     */
+    private sanitizeUrl;
+    /**
+     * Sanitize release notes to prevent XSS, command injection, and DoS
+     *
+     * Security layers:
+     * 1. Length limiting (configurable, default 5000 chars)
+     * 2. HTML/JS sanitization via DOMPurify (no tags/attributes allowed)
+     * 3. Command injection pattern removal (backticks, command substitution)
+     * 4. OWASP pattern removal (PHP, ASP, hex/unicode/octal escapes)
+     *
+     * @param notes - The release notes to sanitize
+     * @returns Sanitized release notes safe for display
+     */
+    private sanitizeReleaseNotes;
+    /**
+     * Format date to human-readable format with consistent timezone handling
+     * @param dateStr - ISO date string to format
+     * @returns Human-readable date string (e.g., "January 5, 2025")
+     */
+    private formatDate;
+    /**
+     * Log security events for monitoring and alerting
+     * Only logs if securityLogger callback was provided in constructor
+     * @param event - The security event type
+     * @param details - Event details (sanitized to prevent info disclosure)
+     */
+    private logSecurityEvent;
+    /**
+     * Reset static DOMPurify cache (useful for long-running processes)
+     * This prevents memory accumulation in services that run for extended periods
+     * @static
+     */
+    static resetCache(): void;
+}
+//# sourceMappingURL=UpdateChecker.d.ts.map

package/dist/update/UpdateChecker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"UpdateChecker.d.ts","sourceRoot":"","sources":["../../src/update/UpdateChecker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AACrD,OAAO,EAAE,WAAW,EAAsB,MAAM,kBAAkB,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAK3D,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,iBAAiB,CAAC,EAAE,OAAO,CAAC;IAC5B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAKD,qBAAa,aAAa;IACxB,OAAO,CAAC,cAAc,CAAiB;IACvC,OAAO,CAAC,WAAW,CAAc;IACjC,OAAO,CAAC,iBAAiB,CAAoB;IAK7C,OAAO,CAAC,MAAM,CAAC,YAAY,CAAa;IACxC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAkC;IAGvD,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAS;IAC/C,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAwC;IACxE,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAU;gBAG9C,cAAc,EAAE,cAAc,EAC9B,OAAO,CAAC,EAAE;QACR,qBAAqB,CAAC,EAAE,MAAM,CAAC;QAC/B,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,KAAK,IAAI,CAAC;QACvD,WAAW,CAAC,EAAE,WAAW,CAAC;QAC1B,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;QACtC,qBAAqB,CAAC,EAAE,OAAO,CAAC;KACjC;IA+CH;;;;;;;OAOG;YACW,qBAAqB;IAgCnC;;;;OAIG;IACG,eAAe,IAAI,OAAO,CAAC,iBAAiB,GAAG,IAAI,CAAC;IA4H1D;;;OAGG;IACH,kBAAkB,IAAI;QACpB,OAAO,EAAE,OAAO,CAAC;QACjB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,SAAS,EAAE,IAAI,CAAC;QAChB,eAAe,CAAC,EAAE,MAAM,CAAC;KAC1B;IAUD;;;;;;OAMG;IACH,uBAAuB,CAAC,MAAM,EAAE,iBAAiB,GAAG,IAAI,EAAE,KAAK,CAAC,EAAE,KAAK,EAAE,gBAAgB,GAAE,MAAW,GAAG,MAAM;IAoF/G;;;;;;;;;;OAUG;IACH,OAAO,CAAC,WAAW;IAiCnB;;;;;;;;;;;OAWG;IACH,OAAO,CAAC,oBAAoB;IA+E5B;;;;OAIG;IACH,OAAO,CAAC,UAAU;IAmBlB;;;;;OAKG;IACH,OAAO,CAAC,gBAAgB;IAMxB;;;;OAIG;WACW,UAAU,IAAI,IAAI;CAIjC"}