@dollhousemcp/mcp-server 1.3.0

package/dist/src/security/pathValidator.js

@@ -0,0 +1,97 @@
+import path from 'path';
+import fs from 'fs/promises';
+import { logger } from '../utils/logger.js';
+export class PathValidator {
+    static ALLOWED_DIRECTORIES = [];
+    static ALLOWED_EXTENSIONS = ['.md', '.markdown', '.txt', '.yml', '.yaml'];
+    static initialize(personasDir, allowedExtensions) {
+        this.ALLOWED_DIRECTORIES = [
+            path.resolve(personasDir),
+            path.resolve('./personas'),
+            path.resolve('./custom-personas'),
+            path.resolve('./backups'),
+            path.resolve(process.env.PERSONAS_DIR || './personas')
+        ];
+        if (allowedExtensions) {
+            this.ALLOWED_EXTENSIONS = allowedExtensions;
+        }
+    }
+    static async validatePersonaPath(userPath) {
+        if (!userPath || typeof userPath !== 'string') {
+            throw new Error('Path must be a non-empty string');
+        }
+        // Remove any null bytes
+        const cleanPath = userPath.replace(/\x00/g, '');
+        // Normalize and resolve path
+        const normalizedPath = path.normalize(cleanPath);
+        const resolvedPath = path.resolve(normalizedPath);
+        // Check for path traversal attempts
+        if (normalizedPath.includes('..') || cleanPath.includes('..')) {
+            logger.warn('Path traversal attempt detected', { userPath });
+            throw new Error('Path traversal detected');
+        }
+        // Check if path is within allowed directories
+        if (this.ALLOWED_DIRECTORIES.length === 0) {
+            // If not initialized, allow paths under current working directory's personas folder
+            const defaultAllowed = [
+                path.resolve('./personas'),
+                path.resolve(process.env.PERSONAS_DIR || './personas')
+            ];
+            const isAllowed = defaultAllowed.some(allowedDir => resolvedPath.startsWith(allowedDir + path.sep) ||
+                resolvedPath === allowedDir);
+            if (!isAllowed) {
+                throw new Error(`Path access denied: ${userPath}`);
+            }
+        }
+        else {
+            const isAllowed = this.ALLOWED_DIRECTORIES.some(allowedDir => resolvedPath.startsWith(allowedDir + path.sep) ||
+                resolvedPath === allowedDir);
+            if (!isAllowed) {
+                throw new Error(`Path access denied: ${userPath}`);
+            }
+        }
+        // Validate filename if it's a file
+        if (path.extname(resolvedPath)) {
+            const filename = path.basename(resolvedPath);
+            const ext = path.extname(filename).toLowerCase();
+            // Check if extension is allowed
+            if (!this.ALLOWED_EXTENSIONS.includes(ext)) {
+                throw new Error(`File extension not allowed: ${ext}. Allowed: ${this.ALLOWED_EXTENSIONS.join(', ')}`);
+            }
+            // Validate filename format (alphanumeric, dash, underscore, dot)
+            if (!/^[a-zA-Z0-9\-_.]+$/i.test(filename)) {
+                throw new Error(`Invalid filename format: ${filename}`);
+            }
+        }
+        return resolvedPath;
+    }
+    static async safeReadFile(filePath) {
+        const validatedPath = await this.validatePersonaPath(filePath);
+        // Check file exists and is not a directory
+        const stats = await fs.stat(validatedPath);
+        if (stats.isDirectory()) {
+            throw new Error('Path is a directory, not a file');
+        }
+        // Size check
+        if (stats.size > 500000) { // 500KB
+            throw new Error('File too large');
+        }
+        return fs.readFile(validatedPath, 'utf-8');
+    }
+    static async safeWriteFile(filePath, content) {
+        const validatedPath = await this.validatePersonaPath(filePath);
+        // Content validation
+        if (content.length > 500000) {
+            throw new Error('Content too large');
+        }
+        // Ensure directory exists before atomic write
+        const dirPath = path.dirname(validatedPath);
+        await fs.mkdir(dirPath, { recursive: true });
+        // Write to temp file first (atomic write)
+        const tempPath = `${validatedPath}.tmp`;
+        await fs.writeFile(tempPath, content, 'utf-8');
+        // Rename to final path (atomic on most filesystems)
+        await fs.rename(tempPath, validatedPath);
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicGF0aFZhbGlkYXRvci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9zZWN1cml0eS9wYXRoVmFsaWRhdG9yLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBLE9BQU8sSUFBSSxNQUFNLE1BQU0sQ0FBQztBQUN4QixPQUFPLEVBQUUsTUFBTSxhQUFhLENBQUM7QUFDN0IsT0FBTyxFQUFFLE1BQU0sRUFBRSxNQUFNLG9CQUFvQixDQUFDO0FBRTVDLE1BQU0sT0FBTyxhQUFhO0lBQ2hCLE1BQU0sQ0FBQyxtQkFBbUIsR0FBYSxFQUFFLENBQUM7SUFDMUMsTUFBTSxDQUFDLGtCQUFrQixHQUFhLENBQUMsS0FBSyxFQUFFLFdBQVcsRUFBRSxNQUFNLEVBQUUsTUFBTSxFQUFFLE9BQU8sQ0FBQyxDQUFDO0lBRTVGLE1BQU0sQ0FBQyxVQUFVLENBQUMsV0FBbUIsRUFBRSxpQkFBNEI7UUFDakUsSUFBSSxDQUFDLG1CQUFtQixHQUFHO1lBQ3pCLElBQUksQ0FBQyxPQUFPLENBQUMsV0FBVyxDQUFDO1lBQ3pCLElBQUksQ0FBQyxPQUFPLENBQUMsWUFBWSxDQUFDO1lBQzFCLElBQUksQ0FBQyxPQUFPLENBQUMsbUJBQW1CLENBQUM7WUFDakMsSUFBSSxDQUFDLE9BQU8sQ0FBQyxXQUFXLENBQUM7WUFDekIsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFlBQVksSUFBSSxZQUFZLENBQUM7U0FDdkQsQ0FBQztRQUVGLElBQUksaUJBQWlCLEVBQUUsQ0FBQztZQUN0QixJQUFJLENBQUMsa0JBQWtCLEdBQUcsaUJBQWlCLENBQUM7UUFDOUMsQ0FBQztJQUNILENBQUM7SUFFRCxNQUFNLENBQUMsS0FBSyxDQUFDLG1CQUFtQixDQUFDLFFBQWdCO1FBQy9DLElBQUksQ0FBQyxRQUFRLElBQUksT0FBTyxRQUFRLEtBQUssUUFBUSxFQUFFLENBQUM7WUFDOUMsTUFBTSxJQUFJLEtBQUssQ0FBQyxpQ0FBaUMsQ0FBQyxDQUFDO1FBQ3JELENBQUM7UUFFRCx3QkFBd0I7UUFDeEIsTUFBTSxTQUFTLEdBQUcsUUFBUSxDQUFDLE9BQU8sQ0FBQyxPQUFPLEVBQUUsRUFBRSxDQUFDLENBQUM7UUFFaEQsNkJBQTZCO1FBQzdCLE1BQU0sY0FBYyxHQUFHLElBQUksQ0FBQyxTQUFTLENBQUMsU0FBUyxDQUFDLENBQUM7UUFDakQsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUVsRCxvQ0FBb0M7UUFDcEMsSUFBSSxjQUFjLENBQUMsUUFBUSxDQUFDLElBQUksQ0FBQyxJQUFJLFNBQVMsQ0FBQyxRQUFRLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQztZQUM5RCxNQUFNLENBQUMsSUFBSSxDQUFDLGlDQUFpQyxFQUFFLEVBQUUsUUFBUSxFQUFFLENBQUMsQ0FBQztZQUM3RCxNQUFNLElBQUksS0FBSyxDQUFDLHlCQUF5QixDQUFDLENBQUM7UUFDN0MsQ0FBQztRQUVELDhDQUE4QztRQUM5QyxJQUFJLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxNQUFNLEtBQUssQ0FBQyxFQUFFLENBQUM7WUFDMUMsb0ZBQW9GO1lBQ3BGLE1BQU0sY0FBYyxHQUFHO2dCQUNyQixJQUFJLENBQUMsT0FBTyxDQUFDLFlBQVksQ0FBQztnQkFDMUIsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsR0FBRyxDQUFDLFlBQVksSUFBSSxZQUFZLENBQUM7YUFDdkQsQ0FBQztZQUNGLE1BQU0sU0FBUyxHQUFHLGNBQWMsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FDakQsWUFBWSxDQUFDLFVBQVUsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztnQkFDOUMsWUFBWSxLQUFLLFVBQVUsQ0FDNUIsQ0FBQztZQUNGLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDZixNQUFNLElBQUksS0FBSyxDQUFDLHVCQUF1QixRQUFRLEVBQUUsQ0FBQyxDQUFDO1lBQ3JELENBQUM7UUFDSCxDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sU0FBUyxHQUFHLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxJQUFJLENBQUMsVUFBVSxDQUFDLEVBQUUsQ0FDM0QsWUFBWSxDQUFDLFVBQVUsQ0FBQyxVQUFVLEdBQUcsSUFBSSxDQUFDLEdBQUcsQ0FBQztnQkFDOUMsWUFBWSxLQUFLLFVBQVUsQ0FDNUIsQ0FBQztZQUVGLElBQUksQ0FBQyxTQUFTLEVBQUUsQ0FBQztnQkFDZixNQUFNLElBQUksS0FBSyxDQUFDLHVCQUF1QixRQUFRLEVBQUUsQ0FBQyxDQUFDO1lBQ3JELENBQUM7UUFDSCxDQUFDO1FBRUQsbUNBQW1DO1FBQ25DLElBQUksSUFBSSxDQUFDLE9BQU8sQ0FBQyxZQUFZLENBQUMsRUFBRSxDQUFDO1lBQy9CLE1BQU0sUUFBUSxHQUFHLElBQUksQ0FBQyxRQUFRLENBQUMsWUFBWSxDQUFDLENBQUM7WUFDN0MsTUFBTSxHQUFHLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxRQUFRLENBQUMsQ0FBQyxXQUFXLEVBQUUsQ0FBQztZQUVqRCxnQ0FBZ0M7WUFDaEMsSUFBSSxDQUFDLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxRQUFRLENBQUMsR0FBRyxDQUFDLEVBQUUsQ0FBQztnQkFDM0MsTUFBTSxJQUFJLEtBQUssQ0FBQywrQkFBK0IsR0FBRyxjQUFjLElBQUksQ0FBQyxrQkFBa0IsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLEVBQUUsQ0FBQyxDQUFDO1lBQ3hHLENBQUM7WUFFRCxpRUFBaUU7WUFDakUsSUFBSSxDQUFDLHFCQUFxQixDQUFDLElBQUksQ0FBQyxRQUFRLENBQUMsRUFBRSxDQUFDO2dCQUMxQyxNQUFNLElBQUksS0FBSyxDQUFDLDRCQUE0QixRQUFRLEVBQUUsQ0FBQyxDQUFDO1lBQzFELENBQUM7UUFDSCxDQUFDO1FBRUQsT0FBTyxZQUFZLENBQUM7SUFDdEIsQ0FBQztJQUVELE1BQU0sQ0FBQyxLQUFLLENBQUMsWUFBWSxDQUFDLFFBQWdCO1FBQ3hDLE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBSSxDQUFDLG1CQUFtQixDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBRS9ELDJDQUEyQztRQUMzQyxNQUFNLEtBQUssR0FBRyxNQUFNLEVBQUUsQ0FBQyxJQUFJLENBQUMsYUFBYSxDQUFDLENBQUM7UUFDM0MsSUFBSSxLQUFLLENBQUMsV0FBVyxFQUFFLEVBQUUsQ0FBQztZQUN4QixNQUFNLElBQUksS0FBSyxDQUFDLGlDQUFpQyxDQUFDLENBQUM7UUFDckQsQ0FBQztRQUVELGFBQWE7UUFDYixJQUFJLEtBQUssQ0FBQyxJQUFJLEdBQUcsTUFBTSxFQUFFLENBQUMsQ0FBQyxRQUFRO1lBQ2pDLE1BQU0sSUFBSSxLQUFLLENBQUMsZ0JBQWdCLENBQUMsQ0FBQztRQUNwQyxDQUFDO1FBRUQsT0FBTyxFQUFFLENBQUMsUUFBUSxDQUFDLGFBQWEsRUFBRSxPQUFPLENBQUMsQ0FBQztJQUM3QyxDQUFDO0lBRUQsTUFBTSxDQUFDLEtBQUssQ0FBQyxhQUFhLENBQUMsUUFBZ0IsRUFBRSxPQUFlO1FBQzFELE1BQU0sYUFBYSxHQUFHLE1BQU0sSUFBSSxDQUFDLG1CQUFtQixDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBRS9ELHFCQUFxQjtRQUNyQixJQUFJLE9BQU8sQ0FBQyxNQUFNLEdBQUcsTUFBTSxFQUFFLENBQUM7WUFDNUIsTUFBTSxJQUFJLEtBQUssQ0FBQyxtQkFBbUIsQ0FBQyxDQUFDO1FBQ3ZDLENBQUM7UUFFRCw4Q0FBOEM7UUFDOUMsTUFBTSxPQUFPLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxhQUFhLENBQUMsQ0FBQztRQUM1QyxNQUFNLEVBQUUsQ0FBQyxLQUFLLENBQUMsT0FBTyxFQUFFLEVBQUUsU0FBUyxFQUFFLElBQUksRUFBRSxDQUFDLENBQUM7UUFFN0MsMENBQTBDO1FBQzFDLE1BQU0sUUFBUSxHQUFHLEdBQUcsYUFBYSxNQUFNLENBQUM7UUFDeEMsTUFBTSxFQUFFLENBQUMsU0FBUyxDQUFDLFFBQVEsRUFBRSxPQUFPLEVBQUUsT0FBTyxDQUFDLENBQUM7UUFFL0Msb0RBQW9EO1FBQ3BELE1BQU0sRUFBRSxDQUFDLE1BQU0sQ0FBQyxRQUFRLEVBQUUsYUFBYSxDQUFDLENBQUM7SUFDM0MsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbImltcG9ydCBwYXRoIGZyb20gJ3BhdGgnO1xuaW1wb3J0IGZzIGZyb20gJ2ZzL3Byb21pc2VzJztcbmltcG9ydCB7IGxvZ2dlciB9IGZyb20gJy4uL3V0aWxzL2xvZ2dlci5qcyc7XG5cbmV4cG9ydCBjbGFzcyBQYXRoVmFsaWRhdG9yIHtcbiAgcHJpdmF0ZSBzdGF0aWMgQUxMT1dFRF9ESVJFQ1RPUklFUzogc3RyaW5nW10gPSBbXTtcbiAgcHJpdmF0ZSBzdGF0aWMgQUxMT1dFRF9FWFRFTlNJT05TOiBzdHJpbmdbXSA9IFsnLm1kJywgJy5tYXJrZG93bicsICcudHh0JywgJy55bWwnLCAnLnlhbWwnXTtcbiAgXG4gIHN0YXRpYyBpbml0aWFsaXplKHBlcnNvbmFzRGlyOiBzdHJpbmcsIGFsbG93ZWRFeHRlbnNpb25zPzogc3RyaW5nW10pOiB2b2lkIHtcbiAgICB0aGlzLkFMTE9XRURfRElSRUNUT1JJRVMgPSBbXG4gICAgICBwYXRoLnJlc29sdmUocGVyc29uYXNEaXIpLFxuICAgICAgcGF0aC5yZXNvbHZlKCcuL3BlcnNvbmFzJyksXG4gICAgICBwYXRoLnJlc29sdmUoJy4vY3VzdG9tLXBlcnNvbmFzJyksXG4gICAgICBwYXRoLnJlc29sdmUoJy4vYmFja3VwcycpLFxuICAgICAgcGF0aC5yZXNvbHZlKHByb2Nlc3MuZW52LlBFUlNPTkFTX0RJUiB8fCAnLi9wZXJzb25hcycpXG4gICAgXTtcbiAgICBcbiAgICBpZiAoYWxsb3dlZEV4dGVuc2lvbnMpIHtcbiAgICAgIHRoaXMuQUxMT1dFRF9FWFRFTlNJT05TID0gYWxsb3dlZEV4dGVuc2lvbnM7XG4gICAgfVxuICB9XG5cbiAgc3RhdGljIGFzeW5jIHZhbGlkYXRlUGVyc29uYVBhdGgodXNlclBhdGg6IHN0cmluZyk6IFByb21pc2U8c3RyaW5nPiB7XG4gICAgaWYgKCF1c2VyUGF0aCB8fCB0eXBlb2YgdXNlclBhdGggIT09ICdzdHJpbmcnKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ1BhdGggbXVzdCBiZSBhIG5vbi1lbXB0eSBzdHJpbmcnKTtcbiAgICB9XG5cbiAgICAvLyBSZW1vdmUgYW55IG51bGwgYnl0ZXNcbiAgICBjb25zdCBjbGVhblBhdGggPSB1c2VyUGF0aC5yZXBsYWNlKC9cXHgwMC9nLCAnJyk7XG4gICAgXG4gICAgLy8gTm9ybWFsaXplIGFuZCByZXNvbHZlIHBhdGhcbiAgICBjb25zdCBub3JtYWxpemVkUGF0aCA9IHBhdGgubm9ybWFsaXplKGNsZWFuUGF0aCk7XG4gICAgY29uc3QgcmVzb2x2ZWRQYXRoID0gcGF0aC5yZXNvbHZlKG5vcm1hbGl6ZWRQYXRoKTtcbiAgICBcbiAgICAvLyBDaGVjayBmb3IgcGF0aCB0cmF2ZXJzYWwgYXR0ZW1wdHNcbiAgICBpZiAobm9ybWFsaXplZFBhdGguaW5jbHVkZXMoJy4uJykgfHwgY2xlYW5QYXRoLmluY2x1ZGVzKCcuLicpKSB7XG4gICAgICBsb2dnZXIud2FybignUGF0aCB0cmF2ZXJzYWwgYXR0ZW1wdCBkZXRlY3RlZCcsIHsgdXNlclBhdGggfSk7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ1BhdGggdHJhdmVyc2FsIGRldGVjdGVkJyk7XG4gICAgfVxuICAgIFxuICAgIC8vIENoZWNrIGlmIHBhdGggaXMgd2l0aGluIGFsbG93ZWQgZGlyZWN0b3JpZXNcbiAgICBpZiAodGhpcy5BTExPV0VEX0RJUkVDVE9SSUVTLmxlbmd0aCA9PT0gMCkge1xuICAgICAgLy8gSWYgbm90IGluaXRpYWxpemVkLCBhbGxvdyBwYXRocyB1bmRlciBjdXJyZW50IHdvcmtpbmcgZGlyZWN0b3J5J3MgcGVyc29uYXMgZm9sZGVyXG4gICAgICBjb25zdCBkZWZhdWx0QWxsb3dlZCA9IFtcbiAgICAgICAgcGF0aC5yZXNvbHZlKCcuL3BlcnNvbmFzJyksXG4gICAgICAgIHBhdGgucmVzb2x2ZShwcm9jZXNzLmVudi5QRVJTT05BU19ESVIgfHwgJy4vcGVyc29uYXMnKVxuICAgICAgXTtcbiAgICAgIGNvbnN0IGlzQWxsb3dlZCA9IGRlZmF1bHRBbGxvd2VkLnNvbWUoYWxsb3dlZERpciA9PiBcbiAgICAgICAgcmVzb2x2ZWRQYXRoLnN0YXJ0c1dpdGgoYWxsb3dlZERpciArIHBhdGguc2VwKSB8fCBcbiAgICAgICAgcmVzb2x2ZWRQYXRoID09PSBhbGxvd2VkRGlyXG4gICAgICApO1xuICAgICAgaWYgKCFpc0FsbG93ZWQpIHtcbiAgICAgICAgdGhyb3cgbmV3IEVycm9yKGBQYXRoIGFjY2VzcyBkZW5pZWQ6ICR7dXNlclBhdGh9YCk7XG4gICAgICB9XG4gICAgfSBlbHNlIHtcbiAgICAgIGNvbnN0IGlzQWxsb3dlZCA9IHRoaXMuQUxMT1dFRF9ESVJFQ1RPUklFUy5zb21lKGFsbG93ZWREaXIgPT4gXG4gICAgICAgIHJlc29sdmVkUGF0aC5zdGFydHNXaXRoKGFsbG93ZWREaXIgKyBwYXRoLnNlcCkgfHwgXG4gICAgICAgIHJlc29sdmVkUGF0aCA9PT0gYWxsb3dlZERpclxuICAgICAgKTtcbiAgICAgIFxuICAgICAgaWYgKCFpc0FsbG93ZWQpIHtcbiAgICAgICAgdGhyb3cgbmV3IEVycm9yKGBQYXRoIGFjY2VzcyBkZW5pZWQ6ICR7dXNlclBhdGh9YCk7XG4gICAgICB9XG4gICAgfVxuICAgIFxuICAgIC8vIFZhbGlkYXRlIGZpbGVuYW1lIGlmIGl0J3MgYSBmaWxlXG4gICAgaWYgKHBhdGguZXh0bmFtZShyZXNvbHZlZFBhdGgpKSB7XG4gICAgICBjb25zdCBmaWxlbmFtZSA9IHBhdGguYmFzZW5hbWUocmVzb2x2ZWRQYXRoKTtcbiAgICAgIGNvbnN0IGV4dCA9IHBhdGguZXh0bmFtZShmaWxlbmFtZSkudG9Mb3dlckNhc2UoKTtcbiAgICAgIFxuICAgICAgLy8gQ2hlY2sgaWYgZXh0ZW5zaW9uIGlzIGFsbG93ZWRcbiAgICAgIGlmICghdGhpcy5BTExPV0VEX0VYVEVOU0lPTlMuaW5jbHVkZXMoZXh0KSkge1xuICAgICAgICB0aHJvdyBuZXcgRXJyb3IoYEZpbGUgZXh0ZW5zaW9uIG5vdCBhbGxvd2VkOiAke2V4dH0uIEFsbG93ZWQ6ICR7dGhpcy5BTExPV0VEX0VYVEVOU0lPTlMuam9pbignLCAnKX1gKTtcbiAgICAgIH1cbiAgICAgIFxuICAgICAgLy8gVmFsaWRhdGUgZmlsZW5hbWUgZm9ybWF0IChhbHBoYW51bWVyaWMsIGRhc2gsIHVuZGVyc2NvcmUsIGRvdClcbiAgICAgIGlmICghL15bYS16QS1aMC05XFwtXy5dKyQvaS50ZXN0KGZpbGVuYW1lKSkge1xuICAgICAgICB0aHJvdyBuZXcgRXJyb3IoYEludmFsaWQgZmlsZW5hbWUgZm9ybWF0OiAke2ZpbGVuYW1lfWApO1xuICAgICAgfVxuICAgIH1cbiAgICBcbiAgICByZXR1cm4gcmVzb2x2ZWRQYXRoO1xuICB9XG5cbiAgc3RhdGljIGFzeW5jIHNhZmVSZWFkRmlsZShmaWxlUGF0aDogc3RyaW5nKTogUHJvbWlzZTxzdHJpbmc+IHtcbiAgICBjb25zdCB2YWxpZGF0ZWRQYXRoID0gYXdhaXQgdGhpcy52YWxpZGF0ZVBlcnNvbmFQYXRoKGZpbGVQYXRoKTtcbiAgICBcbiAgICAvLyBDaGVjayBmaWxlIGV4aXN0cyBhbmQgaXMgbm90IGEgZGlyZWN0b3J5XG4gICAgY29uc3Qgc3RhdHMgPSBhd2FpdCBmcy5zdGF0KHZhbGlkYXRlZFBhdGgpO1xuICAgIGlmIChzdGF0cy5pc0RpcmVjdG9yeSgpKSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ1BhdGggaXMgYSBkaXJlY3RvcnksIG5vdCBhIGZpbGUnKTtcbiAgICB9XG4gICAgXG4gICAgLy8gU2l6ZSBjaGVja1xuICAgIGlmIChzdGF0cy5zaXplID4gNTAwMDAwKSB7IC8vIDUwMEtCXG4gICAgICB0aHJvdyBuZXcgRXJyb3IoJ0ZpbGUgdG9vIGxhcmdlJyk7XG4gICAgfVxuICAgIFxuICAgIHJldHVybiBmcy5yZWFkRmlsZSh2YWxpZGF0ZWRQYXRoLCAndXRmLTgnKTtcbiAgfVxuXG4gIHN0YXRpYyBhc3luYyBzYWZlV3JpdGVGaWxlKGZpbGVQYXRoOiBzdHJpbmcsIGNvbnRlbnQ6IHN0cmluZyk6IFByb21pc2U8dm9pZD4ge1xuICAgIGNvbnN0IHZhbGlkYXRlZFBhdGggPSBhd2FpdCB0aGlzLnZhbGlkYXRlUGVyc29uYVBhdGgoZmlsZVBhdGgpO1xuICAgIFxuICAgIC8vIENvbnRlbnQgdmFsaWRhdGlvblxuICAgIGlmIChjb250ZW50Lmxlbmd0aCA+IDUwMDAwMCkge1xuICAgICAgdGhyb3cgbmV3IEVycm9yKCdDb250ZW50IHRvbyBsYXJnZScpO1xuICAgIH1cbiAgICBcbiAgICAvLyBFbnN1cmUgZGlyZWN0b3J5IGV4aXN0cyBiZWZvcmUgYXRvbWljIHdyaXRlXG4gICAgY29uc3QgZGlyUGF0aCA9IHBhdGguZGlybmFtZSh2YWxpZGF0ZWRQYXRoKTtcbiAgICBhd2FpdCBmcy5ta2RpcihkaXJQYXRoLCB7IHJlY3Vyc2l2ZTogdHJ1ZSB9KTtcbiAgICBcbiAgICAvLyBXcml0ZSB0byB0ZW1wIGZpbGUgZmlyc3QgKGF0b21pYyB3cml0ZSlcbiAgICBjb25zdCB0ZW1wUGF0aCA9IGAke3ZhbGlkYXRlZFBhdGh9LnRtcGA7XG4gICAgYXdhaXQgZnMud3JpdGVGaWxlKHRlbXBQYXRoLCBjb250ZW50LCAndXRmLTgnKTtcbiAgICBcbiAgICAvLyBSZW5hbWUgdG8gZmluYWwgcGF0aCAoYXRvbWljIG9uIG1vc3QgZmlsZXN5c3RlbXMpXG4gICAgYXdhaXQgZnMucmVuYW1lKHRlbXBQYXRoLCB2YWxpZGF0ZWRQYXRoKTtcbiAgfVxufSJdfQ==

package/dist/src/security/secureYamlParser.d.ts

@@ -0,0 +1,46 @@
+/**
+ * Secure YAML Parser for DollhouseMCP
+ *
+ * Provides safe YAML parsing that prevents deserialization attacks
+ * by using a restricted schema and pre-validation.
+ *
+ * Security: SEC-003 - YAML parsing vulnerability protection
+ */
+import matter from 'gray-matter';
+export interface SecureParseOptions {
+    maxYamlSize?: number;
+    maxContentSize?: number;
+    allowedKeys?: string[];
+    validateContent?: boolean;
+}
+export interface ParsedContent {
+    data: Record<string, any>;
+    content: string;
+    excerpt?: string;
+}
+export declare class SecureYamlParser {
+    private static readonly DEFAULT_OPTIONS;
+    private static readonly SAFE_SCHEMA;
+    private static readonly FIELD_VALIDATORS;
+    /**
+     * Securely parse content with YAML frontmatter
+     */
+    static parse(input: string, options?: SecureParseOptions): ParsedContent;
+    /**
+     * Create a secure gray-matter compatible parser
+     */
+    static createSecureMatterParser(): {
+        parse: (input: string) => {
+            data: Record<string, any>;
+            content: string;
+            excerpt: string | undefined;
+            orig: string;
+        };
+        stringify: (content: string, data: any) => string;
+    };
+    /**
+     * Safe wrapper for gray-matter with security validations
+     */
+    static safeMatter(input: string, options?: matter.GrayMatterOption<string, any>): matter.GrayMatterFile<string>;
+}
+//# sourceMappingURL=secureYamlParser.d.ts.map

package/dist/src/security/secureYamlParser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secureYamlParser.d.ts","sourceRoot":"","sources":["../../../src/security/secureYamlParser.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,MAAM,MAAM,aAAa,CAAC;AAKjC,MAAM,WAAW,kBAAkB;IACjC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,CAIrC;IAGF,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAwB;IAG3D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAatC;IAEF;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,kBAAuB,GAAG,aAAa;IA8G5E;;OAEG;IACH,MAAM,CAAC,wBAAwB;uBAEZ,MAAM;;;;;;6BASA,MAAM,QAAQ,GAAG;;IAoB1C;;OAEG;IACH,MAAM,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,CAAC,gBAAgB,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC;CAgChH"}

package/dist/src/security/secureYamlParser.js

@@ -0,0 +1,203 @@
+/**
+ * Secure YAML Parser for DollhouseMCP
+ *
+ * Provides safe YAML parsing that prevents deserialization attacks
+ * by using a restricted schema and pre-validation.
+ *
+ * Security: SEC-003 - YAML parsing vulnerability protection
+ */
+import * as yaml from 'js-yaml';
+import matter from 'gray-matter';
+import { SecurityError } from '../errors/SecurityError.js';
+import { ContentValidator } from './contentValidator.js';
+import { SecurityMonitor } from './securityMonitor.js';
+export class SecureYamlParser {
+    static DEFAULT_OPTIONS = {
+        maxYamlSize: 64 * 1024, // 64KB for YAML
+        maxContentSize: 1024 * 1024, // 1MB for content
+        validateContent: true
+    };
+    // Allowed YAML types - using FAILSAFE_SCHEMA as base
+    static SAFE_SCHEMA = yaml.FAILSAFE_SCHEMA;
+    // Additional validation for specific persona fields
+    static FIELD_VALIDATORS = {
+        name: (v) => typeof v === 'string' && v.length <= 100,
+        description: (v) => typeof v === 'string' && v.length <= 500,
+        author: (v) => typeof v === 'string' && v.length <= 100,
+        version: (v) => typeof v === 'string' && /^\d+\.\d+(\.\d+)?(-[a-zA-Z0-9.-]+)?$/.test(v),
+        category: (v) => typeof v === 'string' && v.length <= 50,
+        age_rating: (v) => ['all', '13+', '18+'].includes(v),
+        price: (v) => typeof v === 'string' && (v === 'free' || /^\$\d+\.\d{2}$/.test(v)),
+        ai_generated: (v) => typeof v === 'boolean' || v === 'true' || v === 'false',
+        generation_method: (v) => ['human', 'ChatGPT', 'Claude', 'hybrid'].includes(v),
+        created_date: (v) => typeof v === 'string' && !isNaN(Date.parse(v)),
+        triggers: (v) => Array.isArray(v) && v.every(t => typeof t === 'string' && t.length <= 50),
+        content_flags: (v) => Array.isArray(v) && v.every(f => typeof f === 'string' && f.length <= 50)
+    };
+    /**
+     * Securely parse content with YAML frontmatter
+     */
+    static parse(input, options = {}) {
+        const opts = { ...this.DEFAULT_OPTIONS, ...options };
+        // 1. Size validation
+        if (input.length > (opts.maxContentSize || this.DEFAULT_OPTIONS.maxContentSize)) {
+            throw new SecurityError('Content exceeds maximum allowed size', 'medium');
+        }
+        // 2. Extract frontmatter boundaries
+        const frontmatterMatch = input.match(/^---\n([\s\S]*?)\n---/);
+        if (!frontmatterMatch) {
+            // No frontmatter, return empty data
+            return {
+                data: {},
+                content: input
+            };
+        }
+        const yamlContent = frontmatterMatch[1];
+        const markdownContent = input.substring(frontmatterMatch[0].length);
+        // 3. Validate YAML size
+        if (yamlContent.length > (opts.maxYamlSize || this.DEFAULT_OPTIONS.maxYamlSize)) {
+            throw new SecurityError('YAML frontmatter exceeds maximum allowed size', 'medium');
+        }
+        // 4. Pre-parse security validation
+        if (!ContentValidator.validateYamlContent(yamlContent)) {
+            SecurityMonitor.logSecurityEvent({
+                type: 'YAML_INJECTION_ATTEMPT',
+                severity: 'CRITICAL',
+                source: 'secure_yaml_parser',
+                details: 'Malicious YAML pattern detected during parsing'
+            });
+            throw new SecurityError('Malicious YAML content detected', 'critical');
+        }
+        // 5. Parse with safe schema
+        let data;
+        try {
+            data = yaml.load(yamlContent, {
+                schema: this.SAFE_SCHEMA,
+                json: false, // Don't allow JSON-specific types
+                onWarning: (warning) => {
+                    SecurityMonitor.logSecurityEvent({
+                        type: 'YAML_PARSING_WARNING',
+                        severity: 'LOW',
+                        source: 'secure_yaml_parser',
+                        details: `YAML warning: ${warning.message}`
+                    });
+                }
+            });
+        }
+        catch (error) {
+            throw new SecurityError(`YAML parsing failed: ${error instanceof Error ? error.message : 'Unknown error'}`, 'high');
+        }
+        // 6. Ensure data is an object
+        if (typeof data !== 'object' || data === null || Array.isArray(data)) {
+            throw new SecurityError('YAML must contain an object at root level', 'medium');
+        }
+        // 7. Validate allowed keys if specified
+        if (opts.allowedKeys) {
+            const invalidKeys = Object.keys(data).filter(key => !opts.allowedKeys.includes(key));
+            if (invalidKeys.length > 0) {
+                throw new SecurityError(`Invalid YAML keys detected: ${invalidKeys.join(', ')}`, 'medium');
+            }
+        }
+        // 8. Validate field types and content
+        for (const [key, value] of Object.entries(data)) {
+            // Check field-specific validators
+            if (this.FIELD_VALIDATORS[key] && !this.FIELD_VALIDATORS[key](value)) {
+                throw new SecurityError(`Invalid value for field '${key}'`, 'medium');
+            }
+            // Validate string fields for injection patterns
+            if (typeof value === 'string' && opts.validateContent) {
+                const validation = ContentValidator.validateAndSanitize(value);
+                if (!validation.isValid && validation.severity === 'critical') {
+                    throw new SecurityError(`Security threat detected in field '${key}'`, 'critical');
+                }
+                // Replace with sanitized content
+                data[key] = validation.sanitizedContent;
+            }
+        }
+        // 9. Validate markdown content if requested
+        let finalContent = markdownContent;
+        if (opts.validateContent) {
+            const contentValidation = ContentValidator.validateAndSanitize(markdownContent);
+            if (!contentValidation.isValid && contentValidation.severity === 'critical') {
+                throw new SecurityError('Security threat detected in content', 'critical');
+            }
+            finalContent = contentValidation.sanitizedContent || markdownContent;
+        }
+        SecurityMonitor.logSecurityEvent({
+            type: 'YAML_PARSE_SUCCESS',
+            severity: 'LOW',
+            source: 'secure_yaml_parser',
+            details: `Successfully parsed YAML with ${Object.keys(data).length} fields`
+        });
+        return {
+            data,
+            content: finalContent
+        };
+    }
+    /**
+     * Create a secure gray-matter compatible parser
+     */
+    static createSecureMatterParser() {
+        return {
+            parse: (input) => {
+                const result = this.parse(input);
+                return {
+                    data: result.data,
+                    content: result.content,
+                    excerpt: result.excerpt,
+                    orig: input
+                };
+            },
+            stringify: (content, data) => {
+                // Validate data before stringifying
+                const validation = ContentValidator.validateMetadata(data);
+                if (!validation.isValid) {
+                    throw new SecurityError('Cannot stringify content with security threats', 'high');
+                }
+                // Use safe YAML dump
+                const yamlStr = yaml.dump(data, {
+                    schema: this.SAFE_SCHEMA,
+                    skipInvalid: true,
+                    noRefs: true,
+                    noCompatMode: true
+                });
+                return `---\n${yamlStr}---\n${content}`;
+            }
+        };
+    }
+    /**
+     * Safe wrapper for gray-matter with security validations
+     */
+    static safeMatter(input, options) {
+        // First, use our secure parser
+        const secureParsed = this.parse(input);
+        // Then use gray-matter with custom engines
+        return matter(input, {
+            ...options,
+            engines: {
+                yaml: {
+                    parse: (str) => {
+                        // Use our secure YAML parsing
+                        const parsed = yaml.load(str, {
+                            schema: this.SAFE_SCHEMA,
+                            json: false
+                        });
+                        // Ensure it's an object
+                        if (typeof parsed !== 'object' || parsed === null) {
+                            return {};
+                        }
+                        return parsed;
+                    },
+                    stringify: (obj) => {
+                        return yaml.dump(obj, {
+                            schema: this.SAFE_SCHEMA,
+                            skipInvalid: true,
+                            noRefs: true
+                        });
+                    }
+                }
+            }
+        });
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJlWWFtbFBhcnNlci5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uL3NyYy9zZWN1cml0eS9zZWN1cmVZYW1sUGFyc2VyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7O0dBT0c7QUFFSCxPQUFPLEtBQUssSUFBSSxNQUFNLFNBQVMsQ0FBQztBQUNoQyxPQUFPLE1BQU0sTUFBTSxhQUFhLENBQUM7QUFDakMsT0FBTyxFQUFFLGFBQWEsRUFBRSxNQUFNLDRCQUE0QixDQUFDO0FBQzNELE9BQU8sRUFBRSxnQkFBZ0IsRUFBRSxNQUFNLHVCQUF1QixDQUFDO0FBQ3pELE9BQU8sRUFBRSxlQUFlLEVBQUUsTUFBTSxzQkFBc0IsQ0FBQztBQWV2RCxNQUFNLE9BQU8sZ0JBQWdCO0lBQ25CLE1BQU0sQ0FBVSxlQUFlLEdBQXVCO1FBQzVELFdBQVcsRUFBRSxFQUFFLEdBQUcsSUFBSSxFQUFPLGdCQUFnQjtRQUM3QyxjQUFjLEVBQUUsSUFBSSxHQUFHLElBQUksRUFBRyxrQkFBa0I7UUFDaEQsZUFBZSxFQUFFLElBQUk7S0FDdEIsQ0FBQztJQUVGLHFEQUFxRDtJQUM3QyxNQUFNLENBQVUsV0FBVyxHQUFHLElBQUksQ0FBQyxlQUFlLENBQUM7SUFFM0Qsb0RBQW9EO0lBQzVDLE1BQU0sQ0FBVSxnQkFBZ0IsR0FBNEM7UUFDbEYsSUFBSSxFQUFFLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxRQUFRLElBQUksQ0FBQyxDQUFDLE1BQU0sSUFBSSxHQUFHO1FBQ3JELFdBQVcsRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssUUFBUSxJQUFJLENBQUMsQ0FBQyxNQUFNLElBQUksR0FBRztRQUM1RCxNQUFNLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSSxDQUFDLENBQUMsTUFBTSxJQUFJLEdBQUc7UUFDdkQsT0FBTyxFQUFFLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxPQUFPLENBQUMsS0FBSyxRQUFRLElBQUksc0NBQXNDLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQztRQUN2RixRQUFRLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSSxDQUFDLENBQUMsTUFBTSxJQUFJLEVBQUU7UUFDeEQsVUFBVSxFQUFFLENBQUMsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxDQUFDLEtBQUssRUFBRSxLQUFLLEVBQUUsS0FBSyxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztRQUNwRCxLQUFLLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSSxDQUFDLENBQUMsS0FBSyxNQUFNLElBQUksZ0JBQWdCLENBQUMsSUFBSSxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ2pGLFlBQVksRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssU0FBUyxJQUFJLENBQUMsS0FBSyxNQUFNLElBQUksQ0FBQyxLQUFLLE9BQU87UUFDNUUsaUJBQWlCLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLENBQUMsT0FBTyxFQUFFLFNBQVMsRUFBRSxRQUFRLEVBQUUsUUFBUSxDQUFDLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQztRQUM5RSxZQUFZLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLE9BQU8sQ0FBQyxLQUFLLFFBQVEsSUFBSSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxDQUFDO1FBQ25FLFFBQVEsRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssUUFBUSxJQUFJLENBQUMsQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDO1FBQzFGLGFBQWEsRUFBRSxDQUFDLENBQUMsRUFBRSxFQUFFLENBQUMsS0FBSyxDQUFDLE9BQU8sQ0FBQyxDQUFDLENBQUMsSUFBSSxDQUFDLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsT0FBTyxDQUFDLEtBQUssUUFBUSxJQUFJLENBQUMsQ0FBQyxNQUFNLElBQUksRUFBRSxDQUFDO0tBQ2hHLENBQUM7SUFFRjs7T0FFRztJQUNILE1BQU0sQ0FBQyxLQUFLLENBQUMsS0FBYSxFQUFFLFVBQThCLEVBQUU7UUFDMUQsTUFBTSxJQUFJLEdBQUcsRUFBRSxHQUFHLElBQUksQ0FBQyxlQUFlLEVBQUUsR0FBRyxPQUFPLEVBQUUsQ0FBQztRQUVyRCxxQkFBcUI7UUFDckIsSUFBSSxLQUFLLENBQUMsTUFBTSxHQUFHLENBQUMsSUFBSSxDQUFDLGNBQWMsSUFBSSxJQUFJLENBQUMsZUFBZSxDQUFDLGNBQWUsQ0FBQyxFQUFFLENBQUM7WUFDakYsTUFBTSxJQUFJLGFBQWEsQ0FBQyxzQ0FBc0MsRUFBRSxRQUFRLENBQUMsQ0FBQztRQUM1RSxDQUFDO1FBRUQsb0NBQW9DO1FBQ3BDLE1BQU0sZ0JBQWdCLEdBQUcsS0FBSyxDQUFDLEtBQUssQ0FBQyx1QkFBdUIsQ0FBQyxDQUFDO1FBQzlELElBQUksQ0FBQyxnQkFBZ0IsRUFBRSxDQUFDO1lBQ3RCLG9DQUFvQztZQUNwQyxPQUFPO2dCQUNMLElBQUksRUFBRSxFQUFFO2dCQUNSLE9BQU8sRUFBRSxLQUFLO2FBQ2YsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLFdBQVcsR0FBRyxnQkFBZ0IsQ0FBQyxDQUFDLENBQUMsQ0FBQztRQUN4QyxNQUFNLGVBQWUsR0FBRyxLQUFLLENBQUMsU0FBUyxDQUFDLGdCQUFnQixDQUFDLENBQUMsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxDQUFDO1FBRXBFLHdCQUF3QjtRQUN4QixJQUFJLFdBQVcsQ0FBQyxNQUFNLEdBQUcsQ0FBQyxJQUFJLENBQUMsV0FBVyxJQUFJLElBQUksQ0FBQyxlQUFlLENBQUMsV0FBWSxDQUFDLEVBQUUsQ0FBQztZQUNqRixNQUFNLElBQUksYUFBYSxDQUFDLCtDQUErQyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1FBQ3JGLENBQUM7UUFFRCxtQ0FBbUM7UUFDbkMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLG1CQUFtQixDQUFDLFdBQVcsQ0FBQyxFQUFFLENBQUM7WUFDdkQsZUFBZSxDQUFDLGdCQUFnQixDQUFDO2dCQUMvQixJQUFJLEVBQUUsd0JBQXdCO2dCQUM5QixRQUFRLEVBQUUsVUFBVTtnQkFDcEIsTUFBTSxFQUFFLG9CQUFvQjtnQkFDNUIsT0FBTyxFQUFFLGdEQUFnRDthQUMxRCxDQUFDLENBQUM7WUFDSCxNQUFNLElBQUksYUFBYSxDQUFDLGlDQUFpQyxFQUFFLFVBQVUsQ0FBQyxDQUFDO1FBQ3pFLENBQUM7UUFFRCw0QkFBNEI7UUFDNUIsSUFBSSxJQUFTLENBQUM7UUFDZCxJQUFJLENBQUM7WUFDSCxJQUFJLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxXQUFXLEVBQUU7Z0JBQzVCLE1BQU0sRUFBRSxJQUFJLENBQUMsV0FBVztnQkFDeEIsSUFBSSxFQUFFLEtBQUssRUFBRyxrQ0FBa0M7Z0JBQ2hELFNBQVMsRUFBRSxDQUFDLE9BQU8sRUFBRSxFQUFFO29CQUNyQixlQUFlLENBQUMsZ0JBQWdCLENBQUM7d0JBQy9CLElBQUksRUFBRSxzQkFBc0I7d0JBQzVCLFFBQVEsRUFBRSxLQUFLO3dCQUNmLE1BQU0sRUFBRSxvQkFBb0I7d0JBQzVCLE9BQU8sRUFBRSxpQkFBaUIsT0FBTyxDQUFDLE9BQU8sRUFBRTtxQkFDNUMsQ0FBQyxDQUFDO2dCQUNMLENBQUM7YUFDRixDQUFDLENBQUM7UUFDTCxDQUFDO1FBQUMsT0FBTyxLQUFLLEVBQUUsQ0FBQztZQUNmLE1BQU0sSUFBSSxhQUFhLENBQUMsd0JBQXdCLEtBQUssWUFBWSxLQUFLLENBQUMsQ0FBQyxDQUFDLEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQyxDQUFDLGVBQWUsRUFBRSxFQUFFLE1BQU0sQ0FBQyxDQUFDO1FBQ3RILENBQUM7UUFFRCw4QkFBOEI7UUFDOUIsSUFBSSxPQUFPLElBQUksS0FBSyxRQUFRLElBQUksSUFBSSxLQUFLLElBQUksSUFBSSxLQUFLLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDckUsTUFBTSxJQUFJLGFBQWEsQ0FBQywyQ0FBMkMsRUFBRSxRQUFRLENBQUMsQ0FBQztRQUNqRixDQUFDO1FBRUQsd0NBQXdDO1FBQ3hDLElBQUksSUFBSSxDQUFDLFdBQVcsRUFBRSxDQUFDO1lBQ3JCLE1BQU0sV0FBVyxHQUFHLE1BQU0sQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLENBQUMsTUFBTSxDQUFDLEdBQUcsQ0FBQyxFQUFFLENBQUMsQ0FBQyxJQUFJLENBQUMsV0FBWSxDQUFDLFFBQVEsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDO1lBQ3RGLElBQUksV0FBVyxDQUFDLE1BQU0sR0FBRyxDQUFDLEVBQUUsQ0FBQztnQkFDM0IsTUFBTSxJQUFJLGFBQWEsQ0FBQywrQkFBK0IsV0FBVyxDQUFDLElBQUksQ0FBQyxJQUFJLENBQUMsRUFBRSxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQzdGLENBQUM7UUFDSCxDQUFDO1FBRUQsc0NBQXNDO1FBQ3RDLEtBQUssTUFBTSxDQUFDLEdBQUcsRUFBRSxLQUFLLENBQUMsSUFBSSxNQUFNLENBQUMsT0FBTyxDQUFDLElBQUksQ0FBQyxFQUFFLENBQUM7WUFDaEQsa0NBQWtDO1lBQ2xDLElBQUksSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxJQUFJLENBQUMsSUFBSSxDQUFDLGdCQUFnQixDQUFDLEdBQUcsQ0FBQyxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUM7Z0JBQ3JFLE1BQU0sSUFBSSxhQUFhLENBQUMsNEJBQTRCLEdBQUcsR0FBRyxFQUFFLFFBQVEsQ0FBQyxDQUFDO1lBQ3hFLENBQUM7WUFFRCxnREFBZ0Q7WUFDaEQsSUFBSSxPQUFPLEtBQUssS0FBSyxRQUFRLElBQUksSUFBSSxDQUFDLGVBQWUsRUFBRSxDQUFDO2dCQUN0RCxNQUFNLFVBQVUsR0FBRyxnQkFBZ0IsQ0FBQyxtQkFBbUIsQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDL0QsSUFBSSxDQUFDLFVBQVUsQ0FBQyxPQUFPLElBQUksVUFBVSxDQUFDLFFBQVEsS0FBSyxVQUFVLEVBQUUsQ0FBQztvQkFDOUQsTUFBTSxJQUFJLGFBQWEsQ0FBQyxzQ0FBc0MsR0FBRyxHQUFHLEVBQUUsVUFBVSxDQUFDLENBQUM7Z0JBQ3BGLENBQUM7Z0JBQ0QsaUNBQWlDO2dCQUNqQyxJQUFJLENBQUMsR0FBRyxDQUFDLEdBQUcsVUFBVSxDQUFDLGdCQUFnQixDQUFDO1lBQzFDLENBQUM7UUFDSCxDQUFDO1FBRUQsNENBQTRDO1FBQzVDLElBQUksWUFBWSxHQUFHLGVBQWUsQ0FBQztRQUNuQyxJQUFJLElBQUksQ0FBQyxlQUFlLEVBQUUsQ0FBQztZQUN6QixNQUFNLGlCQUFpQixHQUFHLGdCQUFnQixDQUFDLG1CQUFtQixDQUFDLGVBQWUsQ0FBQyxDQUFDO1lBQ2hGLElBQUksQ0FBQyxpQkFBaUIsQ0FBQyxPQUFPLElBQUksaUJBQWlCLENBQUMsUUFBUSxLQUFLLFVBQVUsRUFBRSxDQUFDO2dCQUM1RSxNQUFNLElBQUksYUFBYSxDQUFDLHFDQUFxQyxFQUFFLFVBQVUsQ0FBQyxDQUFDO1lBQzdFLENBQUM7WUFDRCxZQUFZLEdBQUcsaUJBQWlCLENBQUMsZ0JBQWdCLElBQUksZUFBZSxDQUFDO1FBQ3ZFLENBQUM7UUFFRCxlQUFlLENBQUMsZ0JBQWdCLENBQUM7WUFDL0IsSUFBSSxFQUFFLG9CQUFvQjtZQUMxQixRQUFRLEVBQUUsS0FBSztZQUNmLE1BQU0sRUFBRSxvQkFBb0I7WUFDNUIsT0FBTyxFQUFFLGlDQUFpQyxNQUFNLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sU0FBUztTQUM1RSxDQUFDLENBQUM7UUFFSCxPQUFPO1lBQ0wsSUFBSTtZQUNKLE9BQU8sRUFBRSxZQUFZO1NBQ3RCLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSCxNQUFNLENBQUMsd0JBQXdCO1FBQzdCLE9BQU87WUFDTCxLQUFLLEVBQUUsQ0FBQyxLQUFhLEVBQUUsRUFBRTtnQkFDdkIsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQztnQkFDakMsT0FBTztvQkFDTCxJQUFJLEVBQUUsTUFBTSxDQUFDLElBQUk7b0JBQ2pCLE9BQU8sRUFBRSxNQUFNLENBQUMsT0FBTztvQkFDdkIsT0FBTyxFQUFFLE1BQU0sQ0FBQyxPQUFPO29CQUN2QixJQUFJLEVBQUUsS0FBSztpQkFDWixDQUFDO1lBQ0osQ0FBQztZQUNELFNBQVMsRUFBRSxDQUFDLE9BQWUsRUFBRSxJQUFTLEVBQUUsRUFBRTtnQkFDeEMsb0NBQW9DO2dCQUNwQyxNQUFNLFVBQVUsR0FBRyxnQkFBZ0IsQ0FBQyxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsQ0FBQztnQkFDM0QsSUFBSSxDQUFDLFVBQVUsQ0FBQyxPQUFPLEVBQUUsQ0FBQztvQkFDeEIsTUFBTSxJQUFJLGFBQWEsQ0FBQyxnREFBZ0QsRUFBRSxNQUFNLENBQUMsQ0FBQztnQkFDcEYsQ0FBQztnQkFFRCxxQkFBcUI7Z0JBQ3JCLE1BQU0sT0FBTyxHQUFHLElBQUksQ0FBQyxJQUFJLENBQUMsSUFBSSxFQUFFO29CQUM5QixNQUFNLEVBQUUsSUFBSSxDQUFDLFdBQVc7b0JBQ3hCLFdBQVcsRUFBRSxJQUFJO29CQUNqQixNQUFNLEVBQUUsSUFBSTtvQkFDWixZQUFZLEVBQUUsSUFBSTtpQkFDbkIsQ0FBQyxDQUFDO2dCQUVILE9BQU8sUUFBUSxPQUFPLFFBQVEsT0FBTyxFQUFFLENBQUM7WUFDMUMsQ0FBQztTQUNGLENBQUM7SUFDSixDQUFDO0lBRUQ7O09BRUc7SUFDSCxNQUFNLENBQUMsVUFBVSxDQUFDLEtBQWEsRUFBRSxPQUE4QztRQUM3RSwrQkFBK0I7UUFDL0IsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLEtBQUssQ0FBQyxLQUFLLENBQUMsQ0FBQztRQUV2QywyQ0FBMkM7UUFDM0MsT0FBTyxNQUFNLENBQUMsS0FBSyxFQUFFO1lBQ25CLEdBQUcsT0FBTztZQUNWLE9BQU8sRUFBRTtnQkFDUCxJQUFJLEVBQUU7b0JBQ0osS0FBSyxFQUFFLENBQUMsR0FBVyxFQUFFLEVBQUU7d0JBQ3JCLDhCQUE4Qjt3QkFDOUIsTUFBTSxNQUFNLEdBQUcsSUFBSSxDQUFDLElBQUksQ0FBQyxHQUFHLEVBQUU7NEJBQzVCLE1BQU0sRUFBRSxJQUFJLENBQUMsV0FBVzs0QkFDeEIsSUFBSSxFQUFFLEtBQUs7eUJBQ1osQ0FBQyxDQUFDO3dCQUNILHdCQUF3Qjt3QkFDeEIsSUFBSSxPQUFPLE1BQU0sS0FBSyxRQUFRLElBQUksTUFBTSxLQUFLLElBQUksRUFBRSxDQUFDOzRCQUNsRCxPQUFPLEVBQUUsQ0FBQzt3QkFDWixDQUFDO3dCQUNELE9BQU8sTUFBZ0IsQ0FBQztvQkFDMUIsQ0FBQztvQkFDRCxTQUFTLEVBQUUsQ0FBQyxHQUFRLEVBQUUsRUFBRTt3QkFDdEIsT0FBTyxJQUFJLENBQUMsSUFBSSxDQUFDLEdBQUcsRUFBRTs0QkFDcEIsTUFBTSxFQUFFLElBQUksQ0FBQyxXQUFXOzRCQUN4QixXQUFXLEVBQUUsSUFBSTs0QkFDakIsTUFBTSxFQUFFLElBQUk7eUJBQ2IsQ0FBQyxDQUFDO29CQUNMLENBQUM7aUJBQ0Y7YUFDRjtTQUNGLENBQUMsQ0FBQztJQUNMLENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIFNlY3VyZSBZQU1MIFBhcnNlciBmb3IgRG9sbGhvdXNlTUNQXG4gKiBcbiAqIFByb3ZpZGVzIHNhZmUgWUFNTCBwYXJzaW5nIHRoYXQgcHJldmVudHMgZGVzZXJpYWxpemF0aW9uIGF0dGFja3NcbiAqIGJ5IHVzaW5nIGEgcmVzdHJpY3RlZCBzY2hlbWEgYW5kIHByZS12YWxpZGF0aW9uLlxuICogXG4gKiBTZWN1cml0eTogU0VDLTAwMyAtIFlBTUwgcGFyc2luZyB2dWxuZXJhYmlsaXR5IHByb3RlY3Rpb25cbiAqL1xuXG5pbXBvcnQgKiBhcyB5YW1sIGZyb20gJ2pzLXlhbWwnO1xuaW1wb3J0IG1hdHRlciBmcm9tICdncmF5LW1hdHRlcic7XG5pbXBvcnQgeyBTZWN1cml0eUVycm9yIH0gZnJvbSAnLi4vZXJyb3JzL1NlY3VyaXR5RXJyb3IuanMnO1xuaW1wb3J0IHsgQ29udGVudFZhbGlkYXRvciB9IGZyb20gJy4vY29udGVudFZhbGlkYXRvci5qcyc7XG5pbXBvcnQgeyBTZWN1cml0eU1vbml0b3IgfSBmcm9tICcuL3NlY3VyaXR5TW9uaXRvci5qcyc7XG5cbmV4cG9ydCBpbnRlcmZhY2UgU2VjdXJlUGFyc2VPcHRpb25zIHtcbiAgbWF4WWFtbFNpemU/OiBudW1iZXI7XG4gIG1heENvbnRlbnRTaXplPzogbnVtYmVyO1xuICBhbGxvd2VkS2V5cz86IHN0cmluZ1tdO1xuICB2YWxpZGF0ZUNvbnRlbnQ/OiBib29sZWFuO1xufVxuXG5leHBvcnQgaW50ZXJmYWNlIFBhcnNlZENvbnRlbnQge1xuICBkYXRhOiBSZWNvcmQ8c3RyaW5nLCBhbnk+O1xuICBjb250ZW50OiBzdHJpbmc7XG4gIGV4Y2VycHQ/OiBzdHJpbmc7XG59XG5cbmV4cG9ydCBjbGFzcyBTZWN1cmVZYW1sUGFyc2VyIHtcbiAgcHJpdmF0ZSBzdGF0aWMgcmVhZG9ubHkgREVGQVVMVF9PUFRJT05TOiBTZWN1cmVQYXJzZU9wdGlvbnMgPSB7XG4gICAgbWF4WWFtbFNpemU6IDY0ICogMTAyNCwgICAgICAvLyA2NEtCIGZvciBZQU1MXG4gICAgbWF4Q29udGVudFNpemU6IDEwMjQgKiAxMDI0LCAgLy8gMU1CIGZvciBjb250ZW50XG4gICAgdmFsaWRhdGVDb250ZW50OiB0cnVlXG4gIH07XG5cbiAgLy8gQWxsb3dlZCBZQU1MIHR5cGVzIC0gdXNpbmcgRkFJTFNBRkVfU0NIRU1BIGFzIGJhc2VcbiAgcHJpdmF0ZSBzdGF0aWMgcmVhZG9ubHkgU0FGRV9TQ0hFTUEgPSB5YW1sLkZBSUxTQUZFX1NDSEVNQTtcblxuICAvLyBBZGRpdGlvbmFsIHZhbGlkYXRpb24gZm9yIHNwZWNpZmljIHBlcnNvbmEgZmllbGRzXG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IEZJRUxEX1ZBTElEQVRPUlM6IFJlY29yZDxzdHJpbmcsICh2YWx1ZTogYW55KSA9PiBib29sZWFuPiA9IHtcbiAgICBuYW1lOiAodikgPT4gdHlwZW9mIHYgPT09ICdzdHJpbmcnICYmIHYubGVuZ3RoIDw9IDEwMCxcbiAgICBkZXNjcmlwdGlvbjogKHYpID0+IHR5cGVvZiB2ID09PSAnc3RyaW5nJyAmJiB2Lmxlbmd0aCA8PSA1MDAsXG4gICAgYXV0aG9yOiAodikgPT4gdHlwZW9mIHYgPT09ICdzdHJpbmcnICYmIHYubGVuZ3RoIDw9IDEwMCxcbiAgICB2ZXJzaW9uOiAodikgPT4gdHlwZW9mIHYgPT09ICdzdHJpbmcnICYmIC9eXFxkK1xcLlxcZCsoXFwuXFxkKyk/KC1bYS16QS1aMC05Li1dKyk/JC8udGVzdCh2KSxcbiAgICBjYXRlZ29yeTogKHYpID0+IHR5cGVvZiB2ID09PSAnc3RyaW5nJyAmJiB2Lmxlbmd0aCA8PSA1MCxcbiAgICBhZ2VfcmF0aW5nOiAodikgPT4gWydhbGwnLCAnMTMrJywgJzE4KyddLmluY2x1ZGVzKHYpLFxuICAgIHByaWNlOiAodikgPT4gdHlwZW9mIHYgPT09ICdzdHJpbmcnICYmICh2ID09PSAnZnJlZScgfHwgL15cXCRcXGQrXFwuXFxkezJ9JC8udGVzdCh2KSksXG4gICAgYWlfZ2VuZXJhdGVkOiAodikgPT4gdHlwZW9mIHYgPT09ICdib29sZWFuJyB8fCB2ID09PSAndHJ1ZScgfHwgdiA9PT0gJ2ZhbHNlJyxcbiAgICBnZW5lcmF0aW9uX21ldGhvZDogKHYpID0+IFsnaHVtYW4nLCAnQ2hhdEdQVCcsICdDbGF1ZGUnLCAnaHlicmlkJ10uaW5jbHVkZXModiksXG4gICAgY3JlYXRlZF9kYXRlOiAodikgPT4gdHlwZW9mIHYgPT09ICdzdHJpbmcnICYmICFpc05hTihEYXRlLnBhcnNlKHYpKSxcbiAgICB0cmlnZ2VyczogKHYpID0+IEFycmF5LmlzQXJyYXkodikgJiYgdi5ldmVyeSh0ID0+IHR5cGVvZiB0ID09PSAnc3RyaW5nJyAmJiB0Lmxlbmd0aCA8PSA1MCksXG4gICAgY29udGVudF9mbGFnczogKHYpID0+IEFycmF5LmlzQXJyYXkodikgJiYgdi5ldmVyeShmID0+IHR5cGVvZiBmID09PSAnc3RyaW5nJyAmJiBmLmxlbmd0aCA8PSA1MClcbiAgfTtcblxuICAvKipcbiAgICogU2VjdXJlbHkgcGFyc2UgY29udGVudCB3aXRoIFlBTUwgZnJvbnRtYXR0ZXJcbiAgICovXG4gIHN0YXRpYyBwYXJzZShpbnB1dDogc3RyaW5nLCBvcHRpb25zOiBTZWN1cmVQYXJzZU9wdGlvbnMgPSB7fSk6IFBhcnNlZENvbnRlbnQge1xuICAgIGNvbnN0IG9wdHMgPSB7IC4uLnRoaXMuREVGQVVMVF9PUFRJT05TLCAuLi5vcHRpb25zIH07XG5cbiAgICAvLyAxLiBTaXplIHZhbGlkYXRpb25cbiAgICBpZiAoaW5wdXQubGVuZ3RoID4gKG9wdHMubWF4Q29udGVudFNpemUgfHwgdGhpcy5ERUZBVUxUX09QVElPTlMubWF4Q29udGVudFNpemUhKSkge1xuICAgICAgdGhyb3cgbmV3IFNlY3VyaXR5RXJyb3IoJ0NvbnRlbnQgZXhjZWVkcyBtYXhpbXVtIGFsbG93ZWQgc2l6ZScsICdtZWRpdW0nKTtcbiAgICB9XG5cbiAgICAvLyAyLiBFeHRyYWN0IGZyb250bWF0dGVyIGJvdW5kYXJpZXNcbiAgICBjb25zdCBmcm9udG1hdHRlck1hdGNoID0gaW5wdXQubWF0Y2goL14tLS1cXG4oW1xcc1xcU10qPylcXG4tLS0vKTtcbiAgICBpZiAoIWZyb250bWF0dGVyTWF0Y2gpIHtcbiAgICAgIC8vIE5vIGZyb250bWF0dGVyLCByZXR1cm4gZW1wdHkgZGF0YVxuICAgICAgcmV0dXJuIHtcbiAgICAgICAgZGF0YToge30sXG4gICAgICAgIGNvbnRlbnQ6IGlucHV0XG4gICAgICB9O1xuICAgIH1cblxuICAgIGNvbnN0IHlhbWxDb250ZW50ID0gZnJvbnRtYXR0ZXJNYXRjaFsxXTtcbiAgICBjb25zdCBtYXJrZG93bkNvbnRlbnQgPSBpbnB1dC5zdWJzdHJpbmcoZnJvbnRtYXR0ZXJNYXRjaFswXS5sZW5ndGgpO1xuXG4gICAgLy8gMy4gVmFsaWRhdGUgWUFNTCBzaXplXG4gICAgaWYgKHlhbWxDb250ZW50Lmxlbmd0aCA+IChvcHRzLm1heFlhbWxTaXplIHx8IHRoaXMuREVGQVVMVF9PUFRJT05TLm1heFlhbWxTaXplISkpIHtcbiAgICAgIHRocm93IG5ldyBTZWN1cml0eUVycm9yKCdZQU1MIGZyb250bWF0dGVyIGV4Y2VlZHMgbWF4aW11bSBhbGxvd2VkIHNpemUnLCAnbWVkaXVtJyk7XG4gICAgfVxuXG4gICAgLy8gNC4gUHJlLXBhcnNlIHNlY3VyaXR5IHZhbGlkYXRpb25cbiAgICBpZiAoIUNvbnRlbnRWYWxpZGF0b3IudmFsaWRhdGVZYW1sQ29udGVudCh5YW1sQ29udGVudCkpIHtcbiAgICAgIFNlY3VyaXR5TW9uaXRvci5sb2dTZWN1cml0eUV2ZW50KHtcbiAgICAgICAgdHlwZTogJ1lBTUxfSU5KRUNUSU9OX0FUVEVNUFQnLFxuICAgICAgICBzZXZlcml0eTogJ0NSSVRJQ0FMJyxcbiAgICAgICAgc291cmNlOiAnc2VjdXJlX3lhbWxfcGFyc2VyJyxcbiAgICAgICAgZGV0YWlsczogJ01hbGljaW91cyBZQU1MIHBhdHRlcm4gZGV0ZWN0ZWQgZHVyaW5nIHBhcnNpbmcnXG4gICAgICB9KTtcbiAgICAgIHRocm93IG5ldyBTZWN1cml0eUVycm9yKCdNYWxpY2lvdXMgWUFNTCBjb250ZW50IGRldGVjdGVkJywgJ2NyaXRpY2FsJyk7XG4gICAgfVxuXG4gICAgLy8gNS4gUGFyc2Ugd2l0aCBzYWZlIHNjaGVtYVxuICAgIGxldCBkYXRhOiBhbnk7XG4gICAgdHJ5IHtcbiAgICAgIGRhdGEgPSB5YW1sLmxvYWQoeWFtbENvbnRlbnQsIHtcbiAgICAgICAgc2NoZW1hOiB0aGlzLlNBRkVfU0NIRU1BLFxuICAgICAgICBqc29uOiBmYWxzZSwgIC8vIERvbid0IGFsbG93IEpTT04tc3BlY2lmaWMgdHlwZXNcbiAgICAgICAgb25XYXJuaW5nOiAod2FybmluZykgPT4ge1xuICAgICAgICAgIFNlY3VyaXR5TW9uaXRvci5sb2dTZWN1cml0eUV2ZW50KHtcbiAgICAgICAgICAgIHR5cGU6ICdZQU1MX1BBUlNJTkdfV0FSTklORycsXG4gICAgICAgICAgICBzZXZlcml0eTogJ0xPVycsXG4gICAgICAgICAgICBzb3VyY2U6ICdzZWN1cmVfeWFtbF9wYXJzZXInLFxuICAgICAgICAgICAgZGV0YWlsczogYFlBTUwgd2FybmluZzogJHt3YXJuaW5nLm1lc3NhZ2V9YFxuICAgICAgICAgIH0pO1xuICAgICAgICB9XG4gICAgICB9KTtcbiAgICB9IGNhdGNoIChlcnJvcikge1xuICAgICAgdGhyb3cgbmV3IFNlY3VyaXR5RXJyb3IoYFlBTUwgcGFyc2luZyBmYWlsZWQ6ICR7ZXJyb3IgaW5zdGFuY2VvZiBFcnJvciA/IGVycm9yLm1lc3NhZ2UgOiAnVW5rbm93biBlcnJvcid9YCwgJ2hpZ2gnKTtcbiAgICB9XG5cbiAgICAvLyA2LiBFbnN1cmUgZGF0YSBpcyBhbiBvYmplY3RcbiAgICBpZiAodHlwZW9mIGRhdGEgIT09ICdvYmplY3QnIHx8IGRhdGEgPT09IG51bGwgfHwgQXJyYXkuaXNBcnJheShkYXRhKSkge1xuICAgICAgdGhyb3cgbmV3IFNlY3VyaXR5RXJyb3IoJ1lBTUwgbXVzdCBjb250YWluIGFuIG9iamVjdCBhdCByb290IGxldmVsJywgJ21lZGl1bScpO1xuICAgIH1cblxuICAgIC8vIDcuIFZhbGlkYXRlIGFsbG93ZWQga2V5cyBpZiBzcGVjaWZpZWRcbiAgICBpZiAob3B0cy5hbGxvd2VkS2V5cykge1xuICAgICAgY29uc3QgaW52YWxpZEtleXMgPSBPYmplY3Qua2V5cyhkYXRhKS5maWx0ZXIoa2V5ID0+ICFvcHRzLmFsbG93ZWRLZXlzIS5pbmNsdWRlcyhrZXkpKTtcbiAgICAgIGlmIChpbnZhbGlkS2V5cy5sZW5ndGggPiAwKSB7XG4gICAgICAgIHRocm93IG5ldyBTZWN1cml0eUVycm9yKGBJbnZhbGlkIFlBTUwga2V5cyBkZXRlY3RlZDogJHtpbnZhbGlkS2V5cy5qb2luKCcsICcpfWAsICdtZWRpdW0nKTtcbiAgICAgIH1cbiAgICB9XG5cbiAgICAvLyA4LiBWYWxpZGF0ZSBmaWVsZCB0eXBlcyBhbmQgY29udGVudFxuICAgIGZvciAoY29uc3QgW2tleSwgdmFsdWVdIG9mIE9iamVjdC5lbnRyaWVzKGRhdGEpKSB7XG4gICAgICAvLyBDaGVjayBmaWVsZC1zcGVjaWZpYyB2YWxpZGF0b3JzXG4gICAgICBpZiAodGhpcy5GSUVMRF9WQUxJREFUT1JTW2tleV0gJiYgIXRoaXMuRklFTERfVkFMSURBVE9SU1trZXldKHZhbHVlKSkge1xuICAgICAgICB0aHJvdyBuZXcgU2VjdXJpdHlFcnJvcihgSW52YWxpZCB2YWx1ZSBmb3IgZmllbGQgJyR7a2V5fSdgLCAnbWVkaXVtJyk7XG4gICAgICB9XG5cbiAgICAgIC8vIFZhbGlkYXRlIHN0cmluZyBmaWVsZHMgZm9yIGluamVjdGlvbiBwYXR0ZXJuc1xuICAgICAgaWYgKHR5cGVvZiB2YWx1ZSA9PT0gJ3N0cmluZycgJiYgb3B0cy52YWxpZGF0ZUNvbnRlbnQpIHtcbiAgICAgICAgY29uc3QgdmFsaWRhdGlvbiA9IENvbnRlbnRWYWxpZGF0b3IudmFsaWRhdGVBbmRTYW5pdGl6ZSh2YWx1ZSk7XG4gICAgICAgIGlmICghdmFsaWRhdGlvbi5pc1ZhbGlkICYmIHZhbGlkYXRpb24uc2V2ZXJpdHkgPT09ICdjcml0aWNhbCcpIHtcbiAgICAgICAgICB0aHJvdyBuZXcgU2VjdXJpdHlFcnJvcihgU2VjdXJpdHkgdGhyZWF0IGRldGVjdGVkIGluIGZpZWxkICcke2tleX0nYCwgJ2NyaXRpY2FsJyk7XG4gICAgICAgIH1cbiAgICAgICAgLy8gUmVwbGFjZSB3aXRoIHNhbml0aXplZCBjb250ZW50XG4gICAgICAgIGRhdGFba2V5XSA9IHZhbGlkYXRpb24uc2FuaXRpemVkQ29udGVudDtcbiAgICAgIH1cbiAgICB9XG5cbiAgICAvLyA5LiBWYWxpZGF0ZSBtYXJrZG93biBjb250ZW50IGlmIHJlcXVlc3RlZFxuICAgIGxldCBmaW5hbENvbnRlbnQgPSBtYXJrZG93bkNvbnRlbnQ7XG4gICAgaWYgKG9wdHMudmFsaWRhdGVDb250ZW50KSB7XG4gICAgICBjb25zdCBjb250ZW50VmFsaWRhdGlvbiA9IENvbnRlbnRWYWxpZGF0b3IudmFsaWRhdGVBbmRTYW5pdGl6ZShtYXJrZG93bkNvbnRlbnQpO1xuICAgICAgaWYgKCFjb250ZW50VmFsaWRhdGlvbi5pc1ZhbGlkICYmIGNvbnRlbnRWYWxpZGF0aW9uLnNldmVyaXR5ID09PSAnY3JpdGljYWwnKSB7XG4gICAgICAgIHRocm93IG5ldyBTZWN1cml0eUVycm9yKCdTZWN1cml0eSB0aHJlYXQgZGV0ZWN0ZWQgaW4gY29udGVudCcsICdjcml0aWNhbCcpO1xuICAgICAgfVxuICAgICAgZmluYWxDb250ZW50ID0gY29udGVudFZhbGlkYXRpb24uc2FuaXRpemVkQ29udGVudCB8fCBtYXJrZG93bkNvbnRlbnQ7XG4gICAgfVxuXG4gICAgU2VjdXJpdHlNb25pdG9yLmxvZ1NlY3VyaXR5RXZlbnQoe1xuICAgICAgdHlwZTogJ1lBTUxfUEFSU0VfU1VDQ0VTUycsXG4gICAgICBzZXZlcml0eTogJ0xPVycsXG4gICAgICBzb3VyY2U6ICdzZWN1cmVfeWFtbF9wYXJzZXInLFxuICAgICAgZGV0YWlsczogYFN1Y2Nlc3NmdWxseSBwYXJzZWQgWUFNTCB3aXRoICR7T2JqZWN0LmtleXMoZGF0YSkubGVuZ3RofSBmaWVsZHNgXG4gICAgfSk7XG5cbiAgICByZXR1cm4ge1xuICAgICAgZGF0YSxcbiAgICAgIGNvbnRlbnQ6IGZpbmFsQ29udGVudFxuICAgIH07XG4gIH1cblxuICAvKipcbiAgICogQ3JlYXRlIGEgc2VjdXJlIGdyYXktbWF0dGVyIGNvbXBhdGlibGUgcGFyc2VyXG4gICAqL1xuICBzdGF0aWMgY3JlYXRlU2VjdXJlTWF0dGVyUGFyc2VyKCkge1xuICAgIHJldHVybiB7XG4gICAgICBwYXJzZTogKGlucHV0OiBzdHJpbmcpID0+IHtcbiAgICAgICAgY29uc3QgcmVzdWx0ID0gdGhpcy5wYXJzZShpbnB1dCk7XG4gICAgICAgIHJldHVybiB7XG4gICAgICAgICAgZGF0YTogcmVzdWx0LmRhdGEsXG4gICAgICAgICAgY29udGVudDogcmVzdWx0LmNvbnRlbnQsXG4gICAgICAgICAgZXhjZXJwdDogcmVzdWx0LmV4Y2VycHQsXG4gICAgICAgICAgb3JpZzogaW5wdXRcbiAgICAgICAgfTtcbiAgICAgIH0sXG4gICAgICBzdHJpbmdpZnk6IChjb250ZW50OiBzdHJpbmcsIGRhdGE6IGFueSkgPT4ge1xuICAgICAgICAvLyBWYWxpZGF0ZSBkYXRhIGJlZm9yZSBzdHJpbmdpZnlpbmdcbiAgICAgICAgY29uc3QgdmFsaWRhdGlvbiA9IENvbnRlbnRWYWxpZGF0b3IudmFsaWRhdGVNZXRhZGF0YShkYXRhKTtcbiAgICAgICAgaWYgKCF2YWxpZGF0aW9uLmlzVmFsaWQpIHtcbiAgICAgICAgICB0aHJvdyBuZXcgU2VjdXJpdHlFcnJvcignQ2Fubm90IHN0cmluZ2lmeSBjb250ZW50IHdpdGggc2VjdXJpdHkgdGhyZWF0cycsICdoaWdoJyk7XG4gICAgICAgIH1cblxuICAgICAgICAvLyBVc2Ugc2FmZSBZQU1MIGR1bXBcbiAgICAgICAgY29uc3QgeWFtbFN0ciA9IHlhbWwuZHVtcChkYXRhLCB7XG4gICAgICAgICAgc2NoZW1hOiB0aGlzLlNBRkVfU0NIRU1BLFxuICAgICAgICAgIHNraXBJbnZhbGlkOiB0cnVlLFxuICAgICAgICAgIG5vUmVmczogdHJ1ZSxcbiAgICAgICAgICBub0NvbXBhdE1vZGU6IHRydWVcbiAgICAgICAgfSk7XG5cbiAgICAgICAgcmV0dXJuIGAtLS1cXG4ke3lhbWxTdHJ9LS0tXFxuJHtjb250ZW50fWA7XG4gICAgICB9XG4gICAgfTtcbiAgfVxuXG4gIC8qKlxuICAgKiBTYWZlIHdyYXBwZXIgZm9yIGdyYXktbWF0dGVyIHdpdGggc2VjdXJpdHkgdmFsaWRhdGlvbnNcbiAgICovXG4gIHN0YXRpYyBzYWZlTWF0dGVyKGlucHV0OiBzdHJpbmcsIG9wdGlvbnM/OiBtYXR0ZXIuR3JheU1hdHRlck9wdGlvbjxzdHJpbmcsIGFueT4pOiBtYXR0ZXIuR3JheU1hdHRlckZpbGU8c3RyaW5nPiB7XG4gICAgLy8gRmlyc3QsIHVzZSBvdXIgc2VjdXJlIHBhcnNlclxuICAgIGNvbnN0IHNlY3VyZVBhcnNlZCA9IHRoaXMucGFyc2UoaW5wdXQpO1xuXG4gICAgLy8gVGhlbiB1c2UgZ3JheS1tYXR0ZXIgd2l0aCBjdXN0b20gZW5naW5lc1xuICAgIHJldHVybiBtYXR0ZXIoaW5wdXQsIHtcbiAgICAgIC4uLm9wdGlvbnMsXG4gICAgICBlbmdpbmVzOiB7XG4gICAgICAgIHlhbWw6IHtcbiAgICAgICAgICBwYXJzZTogKHN0cjogc3RyaW5nKSA9PiB7XG4gICAgICAgICAgICAvLyBVc2Ugb3VyIHNlY3VyZSBZQU1MIHBhcnNpbmdcbiAgICAgICAgICAgIGNvbnN0IHBhcnNlZCA9IHlhbWwubG9hZChzdHIsIHtcbiAgICAgICAgICAgICAgc2NoZW1hOiB0aGlzLlNBRkVfU0NIRU1BLFxuICAgICAgICAgICAgICBqc29uOiBmYWxzZVxuICAgICAgICAgICAgfSk7XG4gICAgICAgICAgICAvLyBFbnN1cmUgaXQncyBhbiBvYmplY3RcbiAgICAgICAgICAgIGlmICh0eXBlb2YgcGFyc2VkICE9PSAnb2JqZWN0JyB8fCBwYXJzZWQgPT09IG51bGwpIHtcbiAgICAgICAgICAgICAgcmV0dXJuIHt9O1xuICAgICAgICAgICAgfVxuICAgICAgICAgICAgcmV0dXJuIHBhcnNlZCBhcyBvYmplY3Q7XG4gICAgICAgICAgfSxcbiAgICAgICAgICBzdHJpbmdpZnk6IChvYmo6IGFueSkgPT4ge1xuICAgICAgICAgICAgcmV0dXJuIHlhbWwuZHVtcChvYmosIHtcbiAgICAgICAgICAgICAgc2NoZW1hOiB0aGlzLlNBRkVfU0NIRU1BLFxuICAgICAgICAgICAgICBza2lwSW52YWxpZDogdHJ1ZSxcbiAgICAgICAgICAgICAgbm9SZWZzOiB0cnVlXG4gICAgICAgICAgICB9KTtcbiAgICAgICAgICB9XG4gICAgICAgIH1cbiAgICAgIH1cbiAgICB9KTtcbiAgfVxufSJdfQ==

package/dist/src/security/securityMonitor.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Security Monitor for DollhouseMCP
+ *
+ * Centralized security event logging and monitoring system
+ * for tracking and alerting on security-related events.
+ */
+export interface SecurityEvent {
+    type: 'CONTENT_INJECTION_ATTEMPT' | 'YAML_INJECTION_ATTEMPT' | 'PATH_TRAVERSAL_ATTEMPT' | 'TOKEN_VALIDATION_FAILURE' | 'UPDATE_SECURITY_VIOLATION' | 'RATE_LIMIT_EXCEEDED' | 'YAML_PARSING_WARNING' | 'YAML_PARSE_SUCCESS' | 'TOKEN_VALIDATION_SUCCESS' | 'RATE_LIMIT_WARNING' | 'TOKEN_CACHE_CLEARED';
+    severity: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+    source: string;
+    details: string;
+    userAgent?: string;
+    ip?: string;
+    additionalData?: Record<string, any>;
+}
+export interface SecurityLogEntry extends SecurityEvent {
+    timestamp: string;
+    id: string;
+}
+export declare class SecurityMonitor {
+    private static eventCount;
+    private static readonly events;
+    private static readonly MAX_EVENTS;
+    /**
+     * Logs a security event
+     */
+    static logSecurityEvent(event: SecurityEvent): void;
+    /**
+     * Sends security alerts for critical events
+     */
+    private static sendSecurityAlert;
+    /**
+     * Gets recent security events for analysis
+     */
+    static getRecentEvents(count?: number): SecurityLogEntry[];
+    /**
+     * Gets events by severity
+     */
+    static getEventsBySeverity(severity: SecurityEvent['severity']): SecurityLogEntry[];
+    /**
+     * Gets events by type
+     */
+    static getEventsByType(type: SecurityEvent['type']): SecurityLogEntry[];
+    /**
+     * Generates a security report
+     */
+    static generateSecurityReport(): {
+        totalEvents: number;
+        eventsBySeverity: Record<string, number>;
+        eventsByType: Record<string, number>;
+        recentCriticalEvents: SecurityLogEntry[];
+    };
+    /**
+     * Clears old events (for memory management)
+     */
+    static clearOldEvents(daysToKeep?: number): void;
+}
+//# sourceMappingURL=securityMonitor.d.ts.map

package/dist/src/security/securityMonitor.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"securityMonitor.d.ts","sourceRoot":"","sources":["../../../src/security/securityMonitor.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,2BAA2B,GAAG,wBAAwB,GAAG,wBAAwB,GACjF,0BAA0B,GAAG,2BAA2B,GAAG,qBAAqB,GAChF,sBAAsB,GAAG,oBAAoB,GAAG,0BAA0B,GAC1E,oBAAoB,GAAG,qBAAqB,CAAC;IACnD,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;CACtC;AAED,MAAM,WAAW,gBAAiB,SAAQ,aAAa;IACrD,SAAS,EAAE,MAAM,CAAC;IAClB,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAC,UAAU,CAAK;IAC9B,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAA0B;IACxD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAQ;IAE1C;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI;IAsBnD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,iBAAiB;IAsBhC;;OAEG;IACH,MAAM,CAAC,eAAe,CAAC,KAAK,GAAE,MAAY,GAAG,gBAAgB,EAAE;IAI/D;;OAEG;IACH,MAAM,CAAC,mBAAmB,CAAC,QAAQ,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,gBAAgB,EAAE;IAInF;;OAEG;IACH,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,GAAG,gBAAgB,EAAE;IAIvE;;OAEG;IACH,MAAM,CAAC,sBAAsB,IAAI;QAC/B,WAAW,EAAE,MAAM,CAAC;QACpB,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACzC,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACrC,oBAAoB,EAAE,gBAAgB,EAAE,CAAC;KAC1C;IAuBD;;OAEG;IACH,MAAM,CAAC,cAAc,CAAC,UAAU,GAAE,MAAU,GAAG,IAAI;CAUpD"}

package/dist/src/security/securityMonitor.js

@@ -0,0 +1,108 @@
+/**
+ * Security Monitor for DollhouseMCP
+ *
+ * Centralized security event logging and monitoring system
+ * for tracking and alerting on security-related events.
+ */
+import { logger } from '../utils/logger.js';
+export class SecurityMonitor {
+    static eventCount = 0;
+    static events = [];
+    static MAX_EVENTS = 1000; // Keep last 1000 events in memory
+    /**
+     * Logs a security event
+     */
+    static logSecurityEvent(event) {
+        const logEntry = {
+            ...event,
+            timestamp: new Date().toISOString(),
+            id: `SEC-${Date.now()}-${++this.eventCount}`,
+        };
+        // Store in memory (circular buffer)
+        this.events.push(logEntry);
+        if (this.events.length > this.MAX_EVENTS) {
+            this.events.shift();
+        }
+        // In MCP servers, we cannot write to stderr/stdout as it breaks the JSON-RPC protocol
+        // Security events are stored in memory and can be retrieved via API
+        // Only send critical alerts via the proper channel
+        if (event.severity === 'CRITICAL') {
+            this.sendSecurityAlert(logEntry);
+        }
+    }
+    /**
+     * Sends security alerts for critical events
+     */
+    static sendSecurityAlert(event) {
+        // In a production environment, this would integrate with:
+        // - Slack webhooks
+        // - Email alerts
+        // - PagerDuty
+        // - Security Information and Event Management (SIEM) systems
+        // Log critical security alerts with structured data
+        // DO NOT use console.error in MCP servers as it breaks the JSON-RPC protocol
+        logger.error('🚨 CRITICAL SECURITY ALERT 🚨', {
+            type: event.type,
+            details: event.details,
+            timestamp: event.timestamp,
+            id: event.id
+        });
+        // If in production mode with proper config, send actual alerts
+        if (process.env.DOLLHOUSE_SECURITY_ALERTS === 'true') {
+            // TODO: Implement actual alert mechanisms
+        }
+    }
+    /**
+     * Gets recent security events for analysis
+     */
+    static getRecentEvents(count = 100) {
+        return this.events.slice(-count);
+    }
+    /**
+     * Gets events by severity
+     */
+    static getEventsBySeverity(severity) {
+        return this.events.filter(event => event.severity === severity);
+    }
+    /**
+     * Gets events by type
+     */
+    static getEventsByType(type) {
+        return this.events.filter(event => event.type === type);
+    }
+    /**
+     * Generates a security report
+     */
+    static generateSecurityReport() {
+        const eventsBySeverity = {
+            CRITICAL: 0,
+            HIGH: 0,
+            MEDIUM: 0,
+            LOW: 0,
+        };
+        const eventsByType = {};
+        for (const event of this.events) {
+            eventsBySeverity[event.severity]++;
+            eventsByType[event.type] = (eventsByType[event.type] || 0) + 1;
+        }
+        return {
+            totalEvents: this.events.length,
+            eventsBySeverity,
+            eventsByType,
+            recentCriticalEvents: this.getEventsBySeverity('CRITICAL').slice(-10),
+        };
+    }
+    /**
+     * Clears old events (for memory management)
+     */
+    static clearOldEvents(daysToKeep = 7) {
+        const cutoffDate = new Date();
+        cutoffDate.setDate(cutoffDate.getDate() - daysToKeep);
+        const cutoffTimestamp = cutoffDate.toISOString();
+        const index = this.events.findIndex(event => event.timestamp >= cutoffTimestamp);
+        if (index > 0) {
+            this.events.splice(0, index);
+        }
+    }
+}
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoic2VjdXJpdHlNb25pdG9yLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vLi4vc3JjL3NlY3VyaXR5L3NlY3VyaXR5TW9uaXRvci50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7Ozs7R0FLRztBQUVILE9BQU8sRUFBRSxNQUFNLEVBQUUsTUFBTSxvQkFBb0IsQ0FBQztBQW9CNUMsTUFBTSxPQUFPLGVBQWU7SUFDbEIsTUFBTSxDQUFDLFVBQVUsR0FBRyxDQUFDLENBQUM7SUFDdEIsTUFBTSxDQUFVLE1BQU0sR0FBdUIsRUFBRSxDQUFDO0lBQ2hELE1BQU0sQ0FBVSxVQUFVLEdBQUcsSUFBSSxDQUFDLENBQUMsa0NBQWtDO0lBRTdFOztPQUVHO0lBQ0gsTUFBTSxDQUFDLGdCQUFnQixDQUFDLEtBQW9CO1FBQzFDLE1BQU0sUUFBUSxHQUFxQjtZQUNqQyxHQUFHLEtBQUs7WUFDUixTQUFTLEVBQUUsSUFBSSxJQUFJLEVBQUUsQ0FBQyxXQUFXLEVBQUU7WUFDbkMsRUFBRSxFQUFFLE9BQU8sSUFBSSxDQUFDLEdBQUcsRUFBRSxJQUFJLEVBQUUsSUFBSSxDQUFDLFVBQVUsRUFBRTtTQUM3QyxDQUFDO1FBRUYsb0NBQW9DO1FBQ3BDLElBQUksQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUFDLFFBQVEsQ0FBQyxDQUFDO1FBQzNCLElBQUksSUFBSSxDQUFDLE1BQU0sQ0FBQyxNQUFNLEdBQUcsSUFBSSxDQUFDLFVBQVUsRUFBRSxDQUFDO1lBQ3pDLElBQUksQ0FBQyxNQUFNLENBQUMsS0FBSyxFQUFFLENBQUM7UUFDdEIsQ0FBQztRQUVELHNGQUFzRjtRQUN0RixvRUFBb0U7UUFDcEUsbURBQW1EO1FBRW5ELElBQUksS0FBSyxDQUFDLFFBQVEsS0FBSyxVQUFVLEVBQUUsQ0FBQztZQUNsQyxJQUFJLENBQUMsaUJBQWlCLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDbkMsQ0FBQztJQUNILENBQUM7SUFFRDs7T0FFRztJQUNLLE1BQU0sQ0FBQyxpQkFBaUIsQ0FBQyxLQUF1QjtRQUN0RCwwREFBMEQ7UUFDMUQsbUJBQW1CO1FBQ25CLGlCQUFpQjtRQUNqQixjQUFjO1FBQ2QsNkRBQTZEO1FBRTdELG9EQUFvRDtRQUNwRCw2RUFBNkU7UUFDN0UsTUFBTSxDQUFDLEtBQUssQ0FBQywrQkFBK0IsRUFBRTtZQUM1QyxJQUFJLEVBQUUsS0FBSyxDQUFDLElBQUk7WUFDaEIsT0FBTyxFQUFFLEtBQUssQ0FBQyxPQUFPO1lBQ3RCLFNBQVMsRUFBRSxLQUFLLENBQUMsU0FBUztZQUMxQixFQUFFLEVBQUUsS0FBSyxDQUFDLEVBQUU7U0FDYixDQUFDLENBQUM7UUFFSCwrREFBK0Q7UUFDL0QsSUFBSSxPQUFPLENBQUMsR0FBRyxDQUFDLHlCQUF5QixLQUFLLE1BQU0sRUFBRSxDQUFDO1lBQ3JELDBDQUEwQztRQUM1QyxDQUFDO0lBQ0gsQ0FBQztJQUVEOztPQUVHO0lBQ0gsTUFBTSxDQUFDLGVBQWUsQ0FBQyxRQUFnQixHQUFHO1FBQ3hDLE9BQU8sSUFBSSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQztJQUNuQyxDQUFDO0lBRUQ7O09BRUc7SUFDSCxNQUFNLENBQUMsbUJBQW1CLENBQUMsUUFBbUM7UUFDNUQsT0FBTyxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxRQUFRLEtBQUssUUFBUSxDQUFDLENBQUM7SUFDbEUsQ0FBQztJQUVEOztPQUVHO0lBQ0gsTUFBTSxDQUFDLGVBQWUsQ0FBQyxJQUEyQjtRQUNoRCxPQUFPLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTSxDQUFDLEtBQUssQ0FBQyxFQUFFLENBQUMsS0FBSyxDQUFDLElBQUksS0FBSyxJQUFJLENBQUMsQ0FBQztJQUMxRCxDQUFDO0lBRUQ7O09BRUc7SUFDSCxNQUFNLENBQUMsc0JBQXNCO1FBTTNCLE1BQU0sZ0JBQWdCLEdBQTJCO1lBQy9DLFFBQVEsRUFBRSxDQUFDO1lBQ1gsSUFBSSxFQUFFLENBQUM7WUFDUCxNQUFNLEVBQUUsQ0FBQztZQUNULEdBQUcsRUFBRSxDQUFDO1NBQ1AsQ0FBQztRQUVGLE1BQU0sWUFBWSxHQUEyQixFQUFFLENBQUM7UUFFaEQsS0FBSyxNQUFNLEtBQUssSUFBSSxJQUFJLENBQUMsTUFBTSxFQUFFLENBQUM7WUFDaEMsZ0JBQWdCLENBQUMsS0FBSyxDQUFDLFFBQVEsQ0FBQyxFQUFFLENBQUM7WUFDbkMsWUFBWSxDQUFDLEtBQUssQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLFlBQVksQ0FBQyxLQUFLLENBQUMsSUFBSSxDQUFDLElBQUksQ0FBQyxDQUFDLEdBQUcsQ0FBQyxDQUFDO1FBQ2pFLENBQUM7UUFFRCxPQUFPO1lBQ0wsV0FBVyxFQUFFLElBQUksQ0FBQyxNQUFNLENBQUMsTUFBTTtZQUMvQixnQkFBZ0I7WUFDaEIsWUFBWTtZQUNaLG9CQUFvQixFQUFFLElBQUksQ0FBQyxtQkFBbUIsQ0FBQyxVQUFVLENBQUMsQ0FBQyxLQUFLLENBQUMsQ0FBQyxFQUFFLENBQUM7U0FDdEUsQ0FBQztJQUNKLENBQUM7SUFFRDs7T0FFRztJQUNILE1BQU0sQ0FBQyxjQUFjLENBQUMsYUFBcUIsQ0FBQztRQUMxQyxNQUFNLFVBQVUsR0FBRyxJQUFJLElBQUksRUFBRSxDQUFDO1FBQzlCLFVBQVUsQ0FBQyxPQUFPLENBQUMsVUFBVSxDQUFDLE9BQU8sRUFBRSxHQUFHLFVBQVUsQ0FBQyxDQUFDO1FBQ3RELE1BQU0sZUFBZSxHQUFHLFVBQVUsQ0FBQyxXQUFXLEVBQUUsQ0FBQztRQUVqRCxNQUFNLEtBQUssR0FBRyxJQUFJLENBQUMsTUFBTSxDQUFDLFNBQVMsQ0FBQyxLQUFLLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxTQUFTLElBQUksZUFBZSxDQUFDLENBQUM7UUFDakYsSUFBSSxLQUFLLEdBQUcsQ0FBQyxFQUFFLENBQUM7WUFDZCxJQUFJLENBQUMsTUFBTSxDQUFDLE1BQU0sQ0FBQyxDQUFDLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDL0IsQ0FBQztJQUNILENBQUMiLCJzb3VyY2VzQ29udGVudCI6WyIvKipcbiAqIFNlY3VyaXR5IE1vbml0b3IgZm9yIERvbGxob3VzZU1DUFxuICogXG4gKiBDZW50cmFsaXplZCBzZWN1cml0eSBldmVudCBsb2dnaW5nIGFuZCBtb25pdG9yaW5nIHN5c3RlbVxuICogZm9yIHRyYWNraW5nIGFuZCBhbGVydGluZyBvbiBzZWN1cml0eS1yZWxhdGVkIGV2ZW50cy5cbiAqL1xuXG5pbXBvcnQgeyBsb2dnZXIgfSBmcm9tICcuLi91dGlscy9sb2dnZXIuanMnO1xuXG5leHBvcnQgaW50ZXJmYWNlIFNlY3VyaXR5RXZlbnQge1xuICB0eXBlOiAnQ09OVEVOVF9JTkpFQ1RJT05fQVRURU1QVCcgfCAnWUFNTF9JTkpFQ1RJT05fQVRURU1QVCcgfCAnUEFUSF9UUkFWRVJTQUxfQVRURU1QVCcgfCBcbiAgICAgICAgJ1RPS0VOX1ZBTElEQVRJT05fRkFJTFVSRScgfCAnVVBEQVRFX1NFQ1VSSVRZX1ZJT0xBVElPTicgfCAnUkFURV9MSU1JVF9FWENFRURFRCcgfFxuICAgICAgICAnWUFNTF9QQVJTSU5HX1dBUk5JTkcnIHwgJ1lBTUxfUEFSU0VfU1VDQ0VTUycgfCAnVE9LRU5fVkFMSURBVElPTl9TVUNDRVNTJyB8XG4gICAgICAgICdSQVRFX0xJTUlUX1dBUk5JTkcnIHwgJ1RPS0VOX0NBQ0hFX0NMRUFSRUQnO1xuICBzZXZlcml0eTogJ0xPVycgfCAnTUVESVVNJyB8ICdISUdIJyB8ICdDUklUSUNBTCc7XG4gIHNvdXJjZTogc3RyaW5nO1xuICBkZXRhaWxzOiBzdHJpbmc7XG4gIHVzZXJBZ2VudD86IHN0cmluZztcbiAgaXA/OiBzdHJpbmc7XG4gIGFkZGl0aW9uYWxEYXRhPzogUmVjb3JkPHN0cmluZywgYW55Pjtcbn1cblxuZXhwb3J0IGludGVyZmFjZSBTZWN1cml0eUxvZ0VudHJ5IGV4dGVuZHMgU2VjdXJpdHlFdmVudCB7XG4gIHRpbWVzdGFtcDogc3RyaW5nO1xuICBpZDogc3RyaW5nO1xufVxuXG5leHBvcnQgY2xhc3MgU2VjdXJpdHlNb25pdG9yIHtcbiAgcHJpdmF0ZSBzdGF0aWMgZXZlbnRDb3VudCA9IDA7XG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IGV2ZW50czogU2VjdXJpdHlMb2dFbnRyeVtdID0gW107XG4gIHByaXZhdGUgc3RhdGljIHJlYWRvbmx5IE1BWF9FVkVOVFMgPSAxMDAwOyAvLyBLZWVwIGxhc3QgMTAwMCBldmVudHMgaW4gbWVtb3J5XG5cbiAgLyoqXG4gICAqIExvZ3MgYSBzZWN1cml0eSBldmVudFxuICAgKi9cbiAgc3RhdGljIGxvZ1NlY3VyaXR5RXZlbnQoZXZlbnQ6IFNlY3VyaXR5RXZlbnQpOiB2b2lkIHtcbiAgICBjb25zdCBsb2dFbnRyeTogU2VjdXJpdHlMb2dFbnRyeSA9IHtcbiAgICAgIC4uLmV2ZW50LFxuICAgICAgdGltZXN0YW1wOiBuZXcgRGF0ZSgpLnRvSVNPU3RyaW5nKCksXG4gICAgICBpZDogYFNFQy0ke0RhdGUubm93KCl9LSR7Kyt0aGlzLmV2ZW50Q291bnR9YCxcbiAgICB9O1xuXG4gICAgLy8gU3RvcmUgaW4gbWVtb3J5IChjaXJjdWxhciBidWZmZXIpXG4gICAgdGhpcy5ldmVudHMucHVzaChsb2dFbnRyeSk7XG4gICAgaWYgKHRoaXMuZXZlbnRzLmxlbmd0aCA+IHRoaXMuTUFYX0VWRU5UUykge1xuICAgICAgdGhpcy5ldmVudHMuc2hpZnQoKTtcbiAgICB9XG5cbiAgICAvLyBJbiBNQ1Agc2VydmVycywgd2UgY2Fubm90IHdyaXRlIHRvIHN0ZGVyci9zdGRvdXQgYXMgaXQgYnJlYWtzIHRoZSBKU09OLVJQQyBwcm90b2NvbFxuICAgIC8vIFNlY3VyaXR5IGV2ZW50cyBhcmUgc3RvcmVkIGluIG1lbW9yeSBhbmQgY2FuIGJlIHJldHJpZXZlZCB2aWEgQVBJXG4gICAgLy8gT25seSBzZW5kIGNyaXRpY2FsIGFsZXJ0cyB2aWEgdGhlIHByb3BlciBjaGFubmVsXG4gICAgXG4gICAgaWYgKGV2ZW50LnNldmVyaXR5ID09PSAnQ1JJVElDQUwnKSB7XG4gICAgICB0aGlzLnNlbmRTZWN1cml0eUFsZXJ0KGxvZ0VudHJ5KTtcbiAgICB9XG4gIH1cblxuICAvKipcbiAgICogU2VuZHMgc2VjdXJpdHkgYWxlcnRzIGZvciBjcml0aWNhbCBldmVudHNcbiAgICovXG4gIHByaXZhdGUgc3RhdGljIHNlbmRTZWN1cml0eUFsZXJ0KGV2ZW50OiBTZWN1cml0eUxvZ0VudHJ5KTogdm9pZCB7XG4gICAgLy8gSW4gYSBwcm9kdWN0aW9uIGVudmlyb25tZW50LCB0aGlzIHdvdWxkIGludGVncmF0ZSB3aXRoOlxuICAgIC8vIC0gU2xhY2sgd2ViaG9va3NcbiAgICAvLyAtIEVtYWlsIGFsZXJ0c1xuICAgIC8vIC0gUGFnZXJEdXR5XG4gICAgLy8gLSBTZWN1cml0eSBJbmZvcm1hdGlvbiBhbmQgRXZlbnQgTWFuYWdlbWVudCAoU0lFTSkgc3lzdGVtc1xuICAgIFxuICAgIC8vIExvZyBjcml0aWNhbCBzZWN1cml0eSBhbGVydHMgd2l0aCBzdHJ1Y3R1cmVkIGRhdGFcbiAgICAvLyBETyBOT1QgdXNlIGNvbnNvbGUuZXJyb3IgaW4gTUNQIHNlcnZlcnMgYXMgaXQgYnJlYWtzIHRoZSBKU09OLVJQQyBwcm90b2NvbFxuICAgIGxvZ2dlci5lcnJvcign8J+aqCBDUklUSUNBTCBTRUNVUklUWSBBTEVSVCDwn5qoJywge1xuICAgICAgdHlwZTogZXZlbnQudHlwZSxcbiAgICAgIGRldGFpbHM6IGV2ZW50LmRldGFpbHMsXG4gICAgICB0aW1lc3RhbXA6IGV2ZW50LnRpbWVzdGFtcCxcbiAgICAgIGlkOiBldmVudC5pZFxuICAgIH0pO1xuICAgIFxuICAgIC8vIElmIGluIHByb2R1Y3Rpb24gbW9kZSB3aXRoIHByb3BlciBjb25maWcsIHNlbmQgYWN0dWFsIGFsZXJ0c1xuICAgIGlmIChwcm9jZXNzLmVudi5ET0xMSE9VU0VfU0VDVVJJVFlfQUxFUlRTID09PSAndHJ1ZScpIHtcbiAgICAgIC8vIFRPRE86IEltcGxlbWVudCBhY3R1YWwgYWxlcnQgbWVjaGFuaXNtc1xuICAgIH1cbiAgfVxuXG4gIC8qKlxuICAgKiBHZXRzIHJlY2VudCBzZWN1cml0eSBldmVudHMgZm9yIGFuYWx5c2lzXG4gICAqL1xuICBzdGF0aWMgZ2V0UmVjZW50RXZlbnRzKGNvdW50OiBudW1iZXIgPSAxMDApOiBTZWN1cml0eUxvZ0VudHJ5W10ge1xuICAgIHJldHVybiB0aGlzLmV2ZW50cy5zbGljZSgtY291bnQpO1xuICB9XG5cbiAgLyoqXG4gICAqIEdldHMgZXZlbnRzIGJ5IHNldmVyaXR5XG4gICAqL1xuICBzdGF0aWMgZ2V0RXZlbnRzQnlTZXZlcml0eShzZXZlcml0eTogU2VjdXJpdHlFdmVudFsnc2V2ZXJpdHknXSk6IFNlY3VyaXR5TG9nRW50cnlbXSB7XG4gICAgcmV0dXJuIHRoaXMuZXZlbnRzLmZpbHRlcihldmVudCA9PiBldmVudC5zZXZlcml0eSA9PT0gc2V2ZXJpdHkpO1xuICB9XG5cbiAgLyoqXG4gICAqIEdldHMgZXZlbnRzIGJ5IHR5cGVcbiAgICovXG4gIHN0YXRpYyBnZXRFdmVudHNCeVR5cGUodHlwZTogU2VjdXJpdHlFdmVudFsndHlwZSddKTogU2VjdXJpdHlMb2dFbnRyeVtdIHtcbiAgICByZXR1cm4gdGhpcy5ldmVudHMuZmlsdGVyKGV2ZW50ID0+IGV2ZW50LnR5cGUgPT09IHR5cGUpO1xuICB9XG5cbiAgLyoqXG4gICAqIEdlbmVyYXRlcyBhIHNlY3VyaXR5IHJlcG9ydFxuICAgKi9cbiAgc3RhdGljIGdlbmVyYXRlU2VjdXJpdHlSZXBvcnQoKToge1xuICAgIHRvdGFsRXZlbnRzOiBudW1iZXI7XG4gICAgZXZlbnRzQnlTZXZlcml0eTogUmVjb3JkPHN0cmluZywgbnVtYmVyPjtcbiAgICBldmVudHNCeVR5cGU6IFJlY29yZDxzdHJpbmcsIG51bWJlcj47XG4gICAgcmVjZW50Q3JpdGljYWxFdmVudHM6IFNlY3VyaXR5TG9nRW50cnlbXTtcbiAgfSB7XG4gICAgY29uc3QgZXZlbnRzQnlTZXZlcml0eTogUmVjb3JkPHN0cmluZywgbnVtYmVyPiA9IHtcbiAgICAgIENSSVRJQ0FMOiAwLFxuICAgICAgSElHSDogMCxcbiAgICAgIE1FRElVTTogMCxcbiAgICAgIExPVzogMCxcbiAgICB9O1xuXG4gICAgY29uc3QgZXZlbnRzQnlUeXBlOiBSZWNvcmQ8c3RyaW5nLCBudW1iZXI+ID0ge307XG5cbiAgICBmb3IgKGNvbnN0IGV2ZW50IG9mIHRoaXMuZXZlbnRzKSB7XG4gICAgICBldmVudHNCeVNldmVyaXR5W2V2ZW50LnNldmVyaXR5XSsrO1xuICAgICAgZXZlbnRzQnlUeXBlW2V2ZW50LnR5cGVdID0gKGV2ZW50c0J5VHlwZVtldmVudC50eXBlXSB8fCAwKSArIDE7XG4gICAgfVxuXG4gICAgcmV0dXJuIHtcbiAgICAgIHRvdGFsRXZlbnRzOiB0aGlzLmV2ZW50cy5sZW5ndGgsXG4gICAgICBldmVudHNCeVNldmVyaXR5LFxuICAgICAgZXZlbnRzQnlUeXBlLFxuICAgICAgcmVjZW50Q3JpdGljYWxFdmVudHM6IHRoaXMuZ2V0RXZlbnRzQnlTZXZlcml0eSgnQ1JJVElDQUwnKS5zbGljZSgtMTApLFxuICAgIH07XG4gIH1cblxuICAvKipcbiAgICogQ2xlYXJzIG9sZCBldmVudHMgKGZvciBtZW1vcnkgbWFuYWdlbWVudClcbiAgICovXG4gIHN0YXRpYyBjbGVhck9sZEV2ZW50cyhkYXlzVG9LZWVwOiBudW1iZXIgPSA3KTogdm9pZCB7XG4gICAgY29uc3QgY3V0b2ZmRGF0ZSA9IG5ldyBEYXRlKCk7XG4gICAgY3V0b2ZmRGF0ZS5zZXREYXRlKGN1dG9mZkRhdGUuZ2V0RGF0ZSgpIC0gZGF5c1RvS2VlcCk7XG4gICAgY29uc3QgY3V0b2ZmVGltZXN0YW1wID0gY3V0b2ZmRGF0ZS50b0lTT1N0cmluZygpO1xuXG4gICAgY29uc3QgaW5kZXggPSB0aGlzLmV2ZW50cy5maW5kSW5kZXgoZXZlbnQgPT4gZXZlbnQudGltZXN0YW1wID49IGN1dG9mZlRpbWVzdGFtcCk7XG4gICAgaWYgKGluZGV4ID4gMCkge1xuICAgICAgdGhpcy5ldmVudHMuc3BsaWNlKDAsIGluZGV4KTtcbiAgICB9XG4gIH1cbn0iXX0=