@dotsetlabs/tollgate 0.1.0

package/dist/scanner.js

@@ -0,0 +1,373 @@
+/**
+ * MCP Server Scanner
+ *
+ * Scans MCP servers to discover tools and assess security risks.
+ * Spawns the server, calls tools/list, analyzes tool definitions,
+ * and generates recommended security policies.
+ *
+ * Usage:
+ *   tollgate scan @modelcontextprotocol/server-postgres
+ *   tollgate scan npx -y @anthropic/mcp-server-filesystem ./
+ *
+ * @module scanner
+ */
+import { UpstreamClient } from './proxy/client.js';
+// ============================================================================
+// Risk Analysis Engine
+// ============================================================================
+/**
+ * Keywords indicating read-only operations.
+ */
+const READ_KEYWORDS = [
+    'get', 'list', 'read', 'fetch', 'query', 'search', 'find', 'show', 'describe',
+    'view', 'retrieve', 'lookup', 'check', 'info', 'status', 'history', 'log',
+];
+/**
+ * Keywords indicating write operations.
+ */
+const WRITE_KEYWORDS = [
+    'create', 'add', 'insert', 'update', 'modify', 'edit', 'set', 'put', 'post',
+    'write', 'upload', 'send', 'push', 'publish', 'save', 'store', 'append',
+    'move', 'rename', 'copy', 'enable', 'disable', 'configure',
+];
+/**
+ * Keywords indicating destructive operations.
+ */
+const DESTRUCTIVE_KEYWORDS = [
+    'delete', 'remove', 'drop', 'truncate', 'clear', 'purge', 'destroy', 'erase',
+    'revoke', 'terminate', 'kill', 'reset', 'wipe', 'archive', 'trash',
+];
+/**
+ * Keywords indicating dangerous operations.
+ */
+const DANGEROUS_KEYWORDS = [
+    'execute', 'run', 'eval', 'exec', 'shell', 'command', 'script', 'sudo',
+    'admin', 'root', 'system', 'raw', 'arbitrary', 'inject', 'grant', 'permission',
+];
+/**
+ * Parameter names indicating sensitive input.
+ */
+const DANGEROUS_PARAMETERS = [
+    'sql', 'query', 'command', 'script', 'code', 'shell', 'exec', 'path',
+    'file', 'url', 'endpoint', 'password', 'secret', 'token', 'key',
+];
+/**
+ * Tool name patterns mapped to recommended analyzers.
+ */
+const ANALYZER_PATTERNS = [
+    { pattern: /sql|query|database|postgres|mysql|sqlite/i, analyzer: 'sql' },
+    { pattern: /file|path|directory|folder|read|write|fs/i, analyzer: 'filesystem' },
+    { pattern: /shell|command|exec|run|bash|terminal/i, analyzer: 'shell' },
+    { pattern: /http|fetch|request|api|url|web|browse/i, analyzer: 'http' },
+];
+/**
+ * Analyze a single tool definition to assess its risk.
+ */
+export function analyzeTool(tool) {
+    const indicators = [];
+    const name = tool.name.toLowerCase();
+    const description = (tool.description ?? '').toLowerCase();
+    const combined = `${name} ${description}`;
+    // Helper function to check for word boundary matches (not substring matches)
+    const matchesKeyword = (text, keyword) => {
+        // Match keyword as a word or at word boundaries (handles underscores, camelCase breaks)
+        const pattern = new RegExp(`(?:^|[_\\s])${keyword}(?:[_\\s]|$)`, 'i');
+        return pattern.test(text) || text.startsWith(keyword) || text.endsWith(keyword);
+    };
+    // Check for dangerous keywords first (highest priority)
+    for (const keyword of DANGEROUS_KEYWORDS) {
+        if (matchesKeyword(combined, keyword)) {
+            indicators.push({
+                type: 'keyword',
+                value: keyword,
+                risk: 'dangerous',
+                description: `Contains dangerous keyword: "${keyword}"`,
+            });
+        }
+    }
+    // Check for destructive keywords
+    for (const keyword of DESTRUCTIVE_KEYWORDS) {
+        if (matchesKeyword(combined, keyword)) {
+            indicators.push({
+                type: 'keyword',
+                value: keyword,
+                risk: 'destructive',
+                description: `Contains destructive keyword: "${keyword}"`,
+            });
+        }
+    }
+    // Check for write keywords
+    for (const keyword of WRITE_KEYWORDS) {
+        if (matchesKeyword(name, keyword)) {
+            indicators.push({
+                type: 'keyword',
+                value: keyword,
+                risk: 'write',
+                description: `Tool name suggests write operation: "${keyword}"`,
+            });
+        }
+    }
+    // Check for read keywords
+    for (const keyword of READ_KEYWORDS) {
+        if (matchesKeyword(name, keyword)) {
+            indicators.push({
+                type: 'keyword',
+                value: keyword,
+                risk: 'read',
+                description: `Tool name suggests read operation: "${keyword}"`,
+            });
+        }
+    }
+    // Check input schema for dangerous parameters
+    if (tool.inputSchema && typeof tool.inputSchema === 'object') {
+        const schema = tool.inputSchema;
+        const properties = (schema.properties ?? {});
+        for (const paramName of Object.keys(properties)) {
+            const lowerParam = paramName.toLowerCase();
+            for (const dangerous of DANGEROUS_PARAMETERS) {
+                if (lowerParam.includes(dangerous)) {
+                    indicators.push({
+                        type: 'parameter',
+                        value: paramName,
+                        risk: 'write',
+                        description: `Has potentially sensitive parameter: "${paramName}"`,
+                    });
+                }
+            }
+        }
+    }
+    // Determine overall risk level (highest indicator wins)
+    let risk = 'safe';
+    const riskOrder = ['safe', 'read', 'write', 'destructive', 'dangerous'];
+    for (const indicator of indicators) {
+        if (riskOrder.indexOf(indicator.risk) > riskOrder.indexOf(risk)) {
+            risk = indicator.risk;
+        }
+    }
+    // Determine category
+    let category = 'unknown';
+    if (risk === 'dangerous') {
+        category = 'admin';
+    }
+    else if (risk === 'destructive' || risk === 'write') {
+        category = 'write';
+    }
+    else if (risk === 'read') {
+        category = 'read';
+    }
+    // Determine recommended action
+    let recommendedAction = 'prompt';
+    switch (risk) {
+        case 'safe':
+            recommendedAction = 'allow';
+            break;
+        case 'read':
+            recommendedAction = 'allow';
+            break;
+        case 'write':
+            recommendedAction = 'prompt';
+            break;
+        case 'destructive':
+            recommendedAction = 'deny';
+            break;
+        case 'dangerous':
+            recommendedAction = 'deny';
+            break;
+    }
+    // Check if smart analysis is available
+    let recommendedAnalyzer;
+    for (const { pattern, analyzer } of ANALYZER_PATTERNS) {
+        if (pattern.test(combined)) {
+            recommendedAnalyzer = analyzer;
+            // If we have an analyzer, suggest smart action for write operations
+            if (risk === 'write' || risk === 'destructive') {
+                recommendedAction = 'smart';
+            }
+            break;
+        }
+    }
+    return {
+        name: tool.name,
+        description: tool.description ?? '',
+        risk,
+        category,
+        indicators,
+        recommendedAction,
+        recommendedAnalyzer,
+        inputSchema: tool.inputSchema,
+    };
+}
+/**
+ * Calculate overall risk from analyzed tools.
+ */
+function calculateOverallRisk(tools) {
+    const riskOrder = ['safe', 'read', 'write', 'destructive', 'dangerous'];
+    let maxRisk = 'safe';
+    for (const tool of tools) {
+        if (riskOrder.indexOf(tool.risk) > riskOrder.indexOf(maxRisk)) {
+            maxRisk = tool.risk;
+        }
+    }
+    return maxRisk;
+}
+// ============================================================================
+// Scanner
+// ============================================================================
+/**
+ * Scan an MCP server to discover tools and assess security risks.
+ *
+ * @param command - Server command (e.g., "npx")
+ * @param args - Server arguments (e.g., ["-y", "@modelcontextprotocol/server-postgres"])
+ * @param options - Scanner options
+ * @returns Scan result with tool analysis
+ */
+export async function scanServer(command, args, options = {}) {
+    const timeoutMs = options.timeoutMs ?? 30000;
+    // Create upstream client
+    const client = new UpstreamClient({
+        config: {
+            command,
+            args,
+            env: options.env,
+        },
+        callTimeoutMs: timeoutMs,
+        healthCheck: { enabled: false },
+    });
+    try {
+        // Initialize connection (spawns server)
+        await client.initialize();
+        // List all tools
+        const toolsResult = await client.listTools();
+        const tools = toolsResult.tools ?? [];
+        // Analyze each tool
+        const analyzedTools = tools.map(analyzeTool);
+        // Calculate summary
+        const summary = {
+            safe: analyzedTools.filter((t) => t.risk === 'safe').length,
+            read: analyzedTools.filter((t) => t.risk === 'read').length,
+            write: analyzedTools.filter((t) => t.risk === 'write').length,
+            destructive: analyzedTools.filter((t) => t.risk === 'destructive').length,
+            dangerous: analyzedTools.filter((t) => t.risk === 'dangerous').length,
+        };
+        return {
+            serverCommand: command,
+            serverArgs: args,
+            scanTime: new Date(),
+            toolCount: tools.length,
+            tools: analyzedTools,
+            overallRisk: calculateOverallRisk(analyzedTools),
+            summary,
+        };
+    }
+    finally {
+        // Always close the client
+        await client.close();
+    }
+}
+// ============================================================================
+// Policy Generation
+// ============================================================================
+/**
+ * Generate a tollgate.yaml policy configuration from scan results.
+ */
+export function generatePolicy(scanResult, serverName = 'scanned-server') {
+    const lines = [
+        '# Tollgate Configuration',
+        '# Generated by `tollgate scan`',
+        '# Review and customize before use',
+        '',
+        'version: "1"',
+        '',
+        'defaults:',
+        '  action: prompt',
+        '  timeout: 60000',
+        '',
+        'servers:',
+        `  ${serverName}:`,
+        `    command: "${scanResult.serverCommand}"`,
+        `    args: [${scanResult.serverArgs.map((a) => `"${a}"`).join(', ')}]`,
+        '',
+        '    tools:',
+    ];
+    // Determine if we should use an analyzer
+    const analyzers = new Set(scanResult.tools.map((t) => t.recommendedAnalyzer).filter(Boolean));
+    const primaryAnalyzer = analyzers.size === 1 ? [...analyzers][0] : undefined;
+    if (primaryAnalyzer) {
+        lines.push('    defaults:');
+        lines.push(`      analyzer: ${primaryAnalyzer}`);
+        lines.push('');
+        lines.push('    tools:');
+    }
+    // Group tools by recommended action
+    const byAction = {
+        allow: scanResult.tools.filter((t) => t.recommendedAction === 'allow'),
+        prompt: scanResult.tools.filter((t) => t.recommendedAction === 'prompt'),
+        smart: scanResult.tools.filter((t) => t.recommendedAction === 'smart'),
+        deny: scanResult.tools.filter((t) => t.recommendedAction === 'deny'),
+    };
+    // Add allow rules
+    if (byAction.allow.length > 0) {
+        lines.push('      # Read-only operations (safe)');
+        for (const tool of byAction.allow) {
+            lines.push(`      "${tool.name}":`);
+            lines.push('        action: allow');
+        }
+        lines.push('');
+    }
+    // Add smart rules
+    if (byAction.smart.length > 0) {
+        lines.push('      # Write operations (with smart analysis)');
+        for (const tool of byAction.smart) {
+            lines.push(`      "${tool.name}":`);
+            lines.push('        action: smart');
+            if (tool.recommendedAnalyzer) {
+                lines.push(`        analyzer: ${tool.recommendedAnalyzer}`);
+            }
+            lines.push('        risks:');
+            lines.push('          read: allow');
+            lines.push('          write: prompt');
+            lines.push('          destructive: deny');
+            lines.push('          dangerous: deny');
+        }
+        lines.push('');
+    }
+    // Add prompt rules
+    if (byAction.prompt.length > 0) {
+        lines.push('      # Write operations (require approval)');
+        for (const tool of byAction.prompt) {
+            lines.push(`      "${tool.name}":`);
+            lines.push('        action: prompt');
+            lines.push(`        message: "Agent wants to run ${tool.name}"`);
+        }
+        lines.push('');
+    }
+    // Add deny rules
+    if (byAction.deny.length > 0) {
+        lines.push('      # Dangerous operations (blocked)');
+        for (const tool of byAction.deny) {
+            lines.push(`      "${tool.name}":`);
+            lines.push('        action: deny');
+            lines.push(`        reason: "${tool.risk === 'dangerous' ? 'Dangerous operation blocked' : 'Destructive operation blocked'}"`);
+        }
+        lines.push('');
+    }
+    // Add catch-all
+    lines.push('      # Catch-all for unknown tools');
+    lines.push('      "*":');
+    lines.push('        action: prompt');
+    return lines.join('\n');
+}
+/**
+ * Generate a partial config to append to existing tollgate.yaml.
+ */
+export function generateServerConfig(scanResult, serverName = 'scanned-server') {
+    // Generate full config then extract just the server section
+    const fullConfig = generatePolicy(scanResult, serverName);
+    const lines = fullConfig.split('\n');
+    // Find the servers: section and return from there
+    const serverIndex = lines.findIndex((l) => l.startsWith('servers:'));
+    if (serverIndex === -1)
+        return fullConfig;
+    return lines.slice(serverIndex).join('\n');
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../src/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAmEnD,+EAA+E;AAC/E,uBAAuB;AACvB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,aAAa,GAAG;IAClB,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU;IAC7E,MAAM,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK;CAC5E,CAAC;AAEF;;GAEG;AACH,MAAM,cAAc,GAAG;IACnB,QAAQ,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;IAC3E,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO,EAAE,QAAQ;IACvE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW;CAC7D,CAAC;AAEF;;GAEG;AACH,MAAM,oBAAoB,GAAG;IACzB,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO;IAC5E,QAAQ,EAAE,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO;CACrE,CAAC;AAEF;;GAEG;AACH,MAAM,kBAAkB,GAAG;IACvB,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM;IACtE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,WAAW,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY;CACjF,CAAC;AAEF;;GAEG;AACH,MAAM,oBAAoB,GAAG;IACzB,KAAK,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM;IACpE,MAAM,EAAE,KAAK,EAAE,UAAU,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,KAAK;CAClE,CAAC;AAEF;;GAEG;AACH,MAAM,iBAAiB,GAAkF;IACrG,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,KAAK,EAAE;IACzE,EAAE,OAAO,EAAE,2CAA2C,EAAE,QAAQ,EAAE,YAAY,EAAE;IAChF,EAAE,OAAO,EAAE,uCAAuC,EAAE,QAAQ,EAAE,OAAO,EAAE;IACvE,EAAE,OAAO,EAAE,wCAAwC,EAAE,QAAQ,EAAE,MAAM,EAAE;CAC1E,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAU;IAClC,MAAM,UAAU,GAAoB,EAAE,CAAC;IACvC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,WAAW,GAAG,CAAC,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAC3D,MAAM,QAAQ,GAAG,GAAG,IAAI,IAAI,WAAW,EAAE,CAAC;IAE1C,6EAA6E;IAC7E,MAAM,cAAc,GAAG,CAAC,IAAY,EAAE,OAAe,EAAW,EAAE;QAC9D,wFAAwF;QACxF,MAAM,OAAO,GAAG,IAAI,MAAM,CAAC,eAAe,OAAO,cAAc,EAAE,GAAG,CAAC,CAAC;QACtE,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACpF,CAAC,CAAC;IAEF,wDAAwD;IACxD,KAAK,MAAM,OAAO,IAAI,kBAAkB,EAAE,CAAC;QACvC,IAAI,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,WAAW;gBACjB,WAAW,EAAE,gCAAgC,OAAO,GAAG;aAC1D,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,OAAO,IAAI,oBAAoB,EAAE,CAAC;QACzC,IAAI,cAAc,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,aAAa;gBACnB,WAAW,EAAE,kCAAkC,OAAO,GAAG;aAC5D,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,2BAA2B;IAC3B,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;QACnC,IAAI,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,OAAO;gBACb,WAAW,EAAE,wCAAwC,OAAO,GAAG;aAClE,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,0BAA0B;IAC1B,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;QAClC,IAAI,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;YAChC,UAAU,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,OAAO;gBACd,IAAI,EAAE,MAAM;gBACZ,WAAW,EAAE,uCAAuC,OAAO,GAAG;aACjE,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,8CAA8C;IAC9C,IAAI,IAAI,CAAC,WAAW,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,MAAM,GAAG,IAAI,CAAC,WAAsC,CAAC;QAC3D,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,EAAE,CAA4B,CAAC;QAExE,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;YAC3C,KAAK,MAAM,SAAS,IAAI,oBAAoB,EAAE,CAAC;gBAC3C,IAAI,UAAU,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;oBACjC,UAAU,CAAC,IAAI,CAAC;wBACZ,IAAI,EAAE,WAAW;wBACjB,KAAK,EAAE,SAAS;wBAChB,IAAI,EAAE,OAAO;wBACb,WAAW,EAAE,yCAAyC,SAAS,GAAG;qBACrE,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;QACL,CAAC;IACL,CAAC;IAED,wDAAwD;IACxD,IAAI,IAAI,GAAkB,MAAM,CAAC;IACjC,MAAM,SAAS,GAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;IAEzF,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACjC,IAAI,SAAS,CAAC,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9D,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC;QAC1B,CAAC;IACL,CAAC;IAED,qBAAqB;IACrB,IAAI,QAAQ,GAA2C,SAAS,CAAC;IACjE,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;QACvB,QAAQ,GAAG,OAAO,CAAC;IACvB,CAAC;SAAM,IAAI,IAAI,KAAK,aAAa,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACpD,QAAQ,GAAG,OAAO,CAAC;IACvB,CAAC;SAAM,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,QAAQ,GAAG,MAAM,CAAC;IACtB,CAAC;IAED,+BAA+B;IAC/B,IAAI,iBAAiB,GAA0C,QAAQ,CAAC;IACxE,QAAQ,IAAI,EAAE,CAAC;QACX,KAAK,MAAM;YACP,iBAAiB,GAAG,OAAO,CAAC;YAC5B,MAAM;QACV,KAAK,MAAM;YACP,iBAAiB,GAAG,OAAO,CAAC;YAC5B,MAAM;QACV,KAAK,OAAO;YACR,iBAAiB,GAAG,QAAQ,CAAC;YAC7B,MAAM;QACV,KAAK,aAAa;YACd,iBAAiB,GAAG,MAAM,CAAC;YAC3B,MAAM;QACV,KAAK,WAAW;YACZ,iBAAiB,GAAG,MAAM,CAAC;YAC3B,MAAM;IACd,CAAC;IAED,uCAAuC;IACvC,IAAI,mBAAwE,CAAC;IAC7E,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,iBAAiB,EAAE,CAAC;QACpD,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACzB,mBAAmB,GAAG,QAAQ,CAAC;YAC/B,oEAAoE;YACpE,IAAI,IAAI,KAAK,OAAO,IAAI,IAAI,KAAK,aAAa,EAAE,CAAC;gBAC7C,iBAAiB,GAAG,OAAO,CAAC;YAChC,CAAC;YACD,MAAM;QACV,CAAC;IACL,CAAC;IAED,OAAO;QACH,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,WAAW,EAAE,IAAI,CAAC,WAAW,IAAI,EAAE;QACnC,IAAI;QACJ,QAAQ;QACR,UAAU;QACV,iBAAiB;QACjB,mBAAmB;QACnB,WAAW,EAAE,IAAI,CAAC,WAAkD;KACvE,CAAC;AACN,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,KAAqB;IAC/C,MAAM,SAAS,GAAoB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;IACzF,IAAI,OAAO,GAAkB,MAAM,CAAC;IAEpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACvB,IAAI,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC;QACxB,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC;AAED,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC5B,OAAe,EACf,IAAc,EACd,UAA0B,EAAE;IAE5B,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAE7C,yBAAyB;IACzB,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;QAC9B,MAAM,EAAE;YACJ,OAAO;YACP,IAAI;YACJ,GAAG,EAAE,OAAO,CAAC,GAAG;SACnB;QACD,aAAa,EAAE,SAAS;QACxB,WAAW,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC;QACD,wCAAwC;QACxC,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;QAE1B,iBAAiB;QACjB,MAAM,WAAW,GAAG,MAAM,MAAM,CAAC,SAAS,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,WAAW,CAAC,KAAK,IAAI,EAAE,CAAC;QAEtC,oBAAoB;QACpB,MAAM,aAAa,GAAG,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QAE7C,oBAAoB;QACpB,MAAM,OAAO,GAAG;YACZ,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM;YAC3D,IAAI,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM;YAC3D,KAAK,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,MAAM;YAC7D,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,aAAa,CAAC,CAAC,MAAM;YACzE,SAAS,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,MAAM;SACxE,CAAC;QAEF,OAAO;YACH,aAAa,EAAE,OAAO;YACtB,UAAU,EAAE,IAAI;YAChB,QAAQ,EAAE,IAAI,IAAI,EAAE;YACpB,SAAS,EAAE,KAAK,CAAC,MAAM;YACvB,KAAK,EAAE,aAAa;YACpB,WAAW,EAAE,oBAAoB,CAAC,aAAa,CAAC;YAChD,OAAO;SACV,CAAC;IACN,CAAC;YAAS,CAAC;QACP,0BAA0B;QAC1B,MAAM,MAAM,CAAC,KAAK,EAAE,CAAC;IACzB,CAAC;AACL,CAAC;AAED,+EAA+E;AAC/E,oBAAoB;AACpB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,UAAU,cAAc,CAC1B,UAAsB,EACtB,aAAqB,gBAAgB;IAErC,MAAM,KAAK,GAAa;QACpB,0BAA0B;QAC1B,gCAAgC;QAChC,mCAAmC;QACnC,EAAE;QACF,cAAc;QACd,EAAE;QACF,WAAW;QACX,kBAAkB;QAClB,kBAAkB;QAClB,EAAE;QACF,UAAU;QACV,KAAK,UAAU,GAAG;QAClB,iBAAiB,UAAU,CAAC,aAAa,GAAG;QAC5C,cAAc,UAAU,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QACtE,EAAE;QACF,YAAY;KACf,CAAC;IAEF,yCAAyC;IACzC,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAC9F,MAAM,eAAe,GAAG,SAAS,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAE7E,IAAI,eAAe,EAAE,CAAC;QAClB,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,mBAAmB,eAAe,EAAE,CAAC,CAAC;QACjD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACf,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC7B,CAAC;IAED,oCAAoC;IACpC,MAAM,QAAQ,GAAG;QACb,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB,KAAK,OAAO,CAAC;QACtE,MAAM,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB,KAAK,QAAQ,CAAC;QACxE,KAAK,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB,KAAK,OAAO,CAAC;QACtE,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB,KAAK,MAAM,CAAC;KACvE,CAAC;IAEF,kBAAkB;IAClB,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;QAClD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QACxC,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,kBAAkB;IAClB,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,gDAAgD,CAAC,CAAC;QAC7D,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACpC,IAAI,IAAI,CAAC,mBAAmB,EAAE,CAAC;gBAC3B,KAAK,CAAC,IAAI,CAAC,qBAAqB,IAAI,CAAC,mBAAmB,EAAE,CAAC,CAAC;YAChE,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC7B,KAAK,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC;YACtC,KAAK,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;QAC5C,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,mBAAmB;IACnB,IAAI,QAAQ,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,6CAA6C,CAAC,CAAC;QAC1D,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,MAAM,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;YACrC,KAAK,CAAC,IAAI,CAAC,wCAAwC,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC;QACrE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,iBAAiB;IACjB,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QACrD,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC/B,KAAK,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,IAAI,CAAC,CAAC;YACpC,KAAK,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;YACnC,KAAK,CAAC,IAAI,CAAC,oBAAoB,IAAI,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,+BAA+B,GAAG,CAAC,CAAC;QACnI,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,gBAAgB;IAChB,KAAK,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IAClD,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IACzB,KAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAErC,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAChC,UAAsB,EACtB,aAAqB,gBAAgB;IAErC,4DAA4D;IAC5D,MAAM,UAAU,GAAG,cAAc,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAErC,kDAAkD;IAClD,MAAM,WAAW,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IACrE,IAAI,WAAW,KAAK,CAAC,CAAC;QAAE,OAAO,UAAU,CAAC;IAE1C,OAAO,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC/C,CAAC"}

package/dist/session/index.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Session module for Tollgate
+ *
+ * Provides session-based approval management, allowing users to grant
+ * time-bounded permissions for tool calls.
+ *
+ * @example
+ * ```typescript
+ * import { SessionManager, type SessionGrant } from './session/index.js';
+ *
+ * const manager = new SessionManager();
+ *
+ * // Create grant on approval
+ * const grant = manager.createGrant({
+ *   context,
+ *   scope: 'tool',
+ *   duration: '5min',
+ *   grantedBy: 'terminal',
+ * });
+ *
+ * // Check before prompting
+ * const result = manager.checkGrant(context);
+ * if (result.granted) {
+ *   // Skip prompt, use cached approval
+ * }
+ * ```
+ */
+export { SessionManager, InMemorySessionStore } from './manager.js';
+export { SqliteSessionStore } from './sqlite-store.js';
+export type { SessionScope, SessionDuration, SessionGrant, CreateSessionGrantInput, SessionCheckResult, SessionPolicyConfig, SessionStats, SessionStore, } from './types.js';
+export { durationToTtlSeconds, DEFAULT_SESSION_CONFIG, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/session/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAEvD,YAAY,EACV,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,uBAAuB,EACvB,kBAAkB,EAClB,mBAAmB,EACnB,YAAY,EACZ,YAAY,GACb,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,YAAY,CAAC"}

package/dist/session/index.js

@@ -0,0 +1,31 @@
+/**
+ * Session module for Tollgate
+ *
+ * Provides session-based approval management, allowing users to grant
+ * time-bounded permissions for tool calls.
+ *
+ * @example
+ * ```typescript
+ * import { SessionManager, type SessionGrant } from './session/index.js';
+ *
+ * const manager = new SessionManager();
+ *
+ * // Create grant on approval
+ * const grant = manager.createGrant({
+ *   context,
+ *   scope: 'tool',
+ *   duration: '5min',
+ *   grantedBy: 'terminal',
+ * });
+ *
+ * // Check before prompting
+ * const result = manager.checkGrant(context);
+ * if (result.granted) {
+ *   // Skip prompt, use cached approval
+ * }
+ * ```
+ */
+export { SessionManager, InMemorySessionStore } from './manager.js';
+export { SqliteSessionStore } from './sqlite-store.js';
+export { durationToTtlSeconds, DEFAULT_SESSION_CONFIG, } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/session/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/session/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAEH,OAAO,EAAE,cAAc,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACpE,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAavD,OAAO,EACL,oBAAoB,EACpB,sBAAsB,GACvB,MAAM,YAAY,CAAC"}

package/dist/session/manager.d.ts

@@ -0,0 +1,166 @@
+/**
+ * Session Manager for Tollgate
+ *
+ * Manages session-based approvals, allowing users to grant time-bounded
+ * permissions that reduce approval fatigue while maintaining security.
+ *
+ * @example
+ * ```typescript
+ * const manager = new SessionManager();
+ *
+ * // Create a grant when user approves with session option
+ * const grant = manager.createGrant({
+ *   context: { server: 'postgres', tool: 'query', args: {}, timestamp: new Date() },
+ *   scope: 'tool',
+ *   duration: '5min',
+ *   grantedBy: 'terminal',
+ * });
+ *
+ * // Check if a future call is covered
+ * const result = manager.checkGrant({
+ *   server: 'postgres',
+ *   tool: 'query',
+ *   args: { sql: 'SELECT * FROM users' },
+ *   timestamp: new Date(),
+ * });
+ *
+ * if (result.granted) {
+ *   // Skip prompting, forward directly
+ * }
+ * ```
+ */
+import type { ToolCallContext } from '../policy/types.js';
+import type { SessionGrant, CreateSessionGrantInput, SessionCheckResult, SessionStore, SessionStats } from './types.js';
+/**
+ * In-memory session store implementation.
+ *
+ * Grants are stored in memory and lost on restart.
+ * For persistence, use SqliteSessionStore (see session/sqlite-store.ts).
+ */
+export declare class InMemorySessionStore implements SessionStore {
+    private grants;
+    set(grant: SessionGrant): void;
+    get(id: string): SessionGrant | undefined;
+    findMatching(context: ToolCallContext): SessionGrant[];
+    delete(id: string): boolean;
+    pruneExpired(): number;
+    getAll(): SessionGrant[];
+    clear(): void;
+    getStats(): SessionStats;
+}
+/**
+ * SessionManager handles creation, checking, and lifecycle of session grants.
+ *
+ * Thread-safe and designed for concurrent access from the proxy server.
+ */
+export declare class SessionManager {
+    private readonly store;
+    private pruneInterval;
+    private readonly mutex;
+    /**
+     * Request deduplication cache to prevent double-counting for the same request.
+     * Maps requestId -> grantId for recently processed requests.
+     * Entries are cleared after 5 seconds to prevent memory leaks.
+     */
+    private readonly recentRequests;
+    private readonly REQUEST_CACHE_TTL_MS;
+    /**
+     * Creates a new SessionManager.
+     *
+     * @param store - Session store backend (defaults to in-memory)
+     * @param autoPrune - Whether to automatically prune expired grants (default: true)
+     * @param pruneIntervalMs - How often to prune (default: 60 seconds)
+     */
+    constructor(store?: SessionStore, autoPrune?: boolean, pruneIntervalMs?: number);
+    /**
+     * Clean up old entries from the request deduplication cache.
+     */
+    private pruneRecentRequests;
+    /**
+     * Creates a new session grant based on an approved tool call.
+     *
+     * @param input - Grant creation parameters
+     * @returns The created grant
+     *
+     * @example
+     * ```typescript
+     * const grant = manager.createGrant({
+     *   context: { server: 'postgres', tool: 'query', args: {}, timestamp: new Date() },
+     *   scope: 'tool',
+     *   duration: '5min',
+     *   grantedBy: 'terminal',
+     * });
+     * ```
+     */
+    createGrant(input: CreateSessionGrantInput): SessionGrant;
+    /**
+     * Checks if a tool call is covered by an existing session grant.
+     *
+     * Returns the most specific matching grant if multiple exist.
+     * Order of specificity: exact > tool > pattern > server
+     *
+     * @param context - The tool call to check
+     * @param requestId - Optional request ID for deduplication (prevents double-counting on retry)
+     * @returns Check result with grant details if matched
+     *
+     * @example
+     * ```typescript
+     * const result = manager.checkGrant({
+     *   server: 'postgres',
+     *   tool: 'query',
+     *   args: { sql: 'SELECT * FROM users' },
+     *   timestamp: new Date(),
+     * }, 'req-123');
+     *
+     * if (result.granted) {
+     *   console.log(`Authorized by session grant ${result.grant.id}`);
+     * }
+     * ```
+     */
+    checkGrant(context: ToolCallContext, requestId?: string): SessionCheckResult;
+    /**
+     * Checks if a specific grant matches a tool call context.
+     */
+    private grantMatchesContext;
+    /**
+     * Revokes a session grant by ID.
+     *
+     * @param id - Grant ID to revoke
+     * @returns true if grant was found and revoked
+     */
+    revokeGrant(id: string): boolean;
+    /**
+     * Revokes all grants for a specific server.
+     *
+     * @param server - Server name
+     * @returns Number of grants revoked
+     */
+    revokeByServer(server: string): number;
+    /**
+     * Revokes all session grants.
+     */
+    revokeAll(): void;
+    /**
+     * Gets all active (non-expired) grants.
+     */
+    getActiveGrants(): SessionGrant[];
+    /**
+     * Gets session statistics.
+     */
+    getStats(): SessionStats;
+    /**
+     * Manually trigger expired grant cleanup.
+     *
+     * @returns Number of grants pruned
+     */
+    pruneExpired(): number;
+    /**
+     * Formats a grant for display in terminal or logs.
+     */
+    formatGrant(grant: SessionGrant): string;
+    /**
+     * Cleans up resources. Call when shutting down.
+     */
+    close(): void;
+}
+//# sourceMappingURL=manager.d.ts.map

package/dist/session/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/session/manager.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAE1D,OAAO,KAAK,EACV,YAAY,EAEZ,uBAAuB,EACvB,kBAAkB,EAClB,YAAY,EACZ,YAAY,EACb,MAAM,YAAY,CAAC;AAgCpB;;;;;GAKG;AACH,qBAAa,oBAAqB,YAAW,YAAY;IACvD,OAAO,CAAC,MAAM,CAAwC;IAEtD,GAAG,CAAC,KAAK,EAAE,YAAY,GAAG,IAAI;IAI9B,GAAG,CAAC,EAAE,EAAE,MAAM,GAAG,YAAY,GAAG,SAAS;IAIzC,YAAY,CAAC,OAAO,EAAE,eAAe,GAAG,YAAY,EAAE;IAqBtD,MAAM,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAI3B,YAAY,IAAI,MAAM;IActB,MAAM,IAAI,YAAY,EAAE;IAIxB,KAAK,IAAI,IAAI;IAIb,QAAQ,IAAI,YAAY;CA4BzB;AAED;;;;GAIG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAe;IACrC,OAAO,CAAC,aAAa,CAA+C;IACpE,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAoB;IAC1C;;;;OAIG;IACH,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA6D;IAC5F,OAAO,CAAC,QAAQ,CAAC,oBAAoB,CAAQ;IAE7C;;;;;;OAMG;gBAED,KAAK,CAAC,EAAE,YAAY,EACpB,SAAS,GAAE,OAAc,EACzB,eAAe,GAAE,MAAe;IAsBlC;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAS3B;;;;;;;;;;;;;;;OAeG;IACH,WAAW,CAAC,KAAK,EAAE,uBAAuB,GAAG,YAAY;IAsDzD;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,UAAU,CAAC,OAAO,EAAE,eAAe,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,kBAAkB;IA6D5E;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAgC3B;;;;;OAKG;IACH,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO;IAIhC;;;;;OAKG;IACH,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM;IAatC;;OAEG;IACH,SAAS,IAAI,IAAI;IAIjB;;OAEG;IACH,eAAe,IAAI,YAAY,EAAE;IAOjC;;OAEG;IACH,QAAQ,IAAI,YAAY;IAIxB;;;;OAIG;IACH,YAAY,IAAI,MAAM;IAItB;;OAEG;IACH,WAAW,CAAC,KAAK,EAAE,YAAY,GAAG,MAAM;IA0CxC;;OAEG;IACH,KAAK,IAAI,IAAI;CAMd"}