@eddacraft/anvil-runtime 0.1.0

package/dist/gate/checks/policy.check.js

@@ -0,0 +1,457 @@
+/**
+ * Policy Check - Evaluate OPA/Rego policies against plans
+ */
+import { execFileSync } from 'node:child_process';
+import { BaseCheck } from '../check.interface.js';
+import { getOPABinaryManager, PolicyLoader, OPAExecutor, } from '../policy/index.js';
+import { parseSeverity, createDebugger } from '@eddacraft/anvil-core';
+const log = createDebugger('check');
+/**
+ * Default policy directory
+ */
+const DEFAULT_POLICY_DIR = '.anvil/policies';
+/**
+ * Score penalties per severity
+ */
+const SEVERITY_PENALTIES = {
+    error: 20,
+    warning: 5,
+    info: 1,
+};
+/**
+ * Policy check that evaluates OPA/Rego policies against plans
+ */
+export class PolicyCheck extends BaseCheck {
+    name = 'policy';
+    description = 'Evaluate OPA/Rego policies against plans';
+    policyLoader;
+    constructor() {
+        super();
+        this.policyLoader = new PolicyLoader();
+    }
+    async run(context) {
+        log(`policy check starting, workspace=${context.workspace_root}`);
+        const config = this.parseConfig(context.check_config);
+        // Policy check requires a plan
+        if (!context.plan) {
+            log('policy check: no plan provided, skipping');
+            return this.createSuccess('Policy check skipped (no plan provided)', 100, {
+                skipped: true,
+                reason: 'Policy check requires a plan',
+            });
+        }
+        try {
+            // Step 1: Ensure OPA binary is available
+            const binaryManager = getOPABinaryManager();
+            let binaryPath;
+            try {
+                binaryPath = await binaryManager.ensureBinary();
+                log(`policy check: OPA binary available at ${binaryPath}`);
+            }
+            catch (error) {
+                log(`policy check: OPA binary not available: ${error instanceof Error ? error.message : 'unknown'}`);
+                return this.createFailure('OPA binary not available', error instanceof Error ? error.message : 'Failed to download OPA');
+            }
+            // Step 2: Load policies
+            const policyDir = config.policy_dir || DEFAULT_POLICY_DIR;
+            log(`policy check: loading policies from ${policyDir}`);
+            const discoveryResult = await this.policyLoader.loadPolicies(context.workspace_root, {
+                policyDir,
+                enabledPolicies: config.enabled_policies,
+                disabledPolicies: config.disabled_policies,
+            });
+            // Check for policy loading errors
+            if (discoveryResult.errors.length > 0) {
+                const errorMessages = discoveryResult.errors.map((e) => `${e.path}: ${e.error}`).join('; ');
+                log(`policy check: policy loading errors: ${errorMessages}`);
+                return this.createFailure(`Failed to load some policies: ${errorMessages}`, undefined, {
+                    loadErrors: discoveryResult.errors,
+                });
+            }
+            // No policies found
+            if (discoveryResult.policies.length === 0) {
+                log(`policy check: no policies configured in ${policyDir}`);
+                return this.createSuccess('No policies configured', 100, {
+                    policyDir: discoveryResult.directory,
+                    policyCount: 0,
+                });
+            }
+            log(`policy check: loaded ${discoveryResult.policies.length} policies`);
+            // Step 3: Run policy tests if required
+            if (config.require_policy_tests) {
+                log('policy check: running policy tests');
+                const testResult = await this.runPolicyTests(binaryPath, discoveryResult.policies, policyDir, config.timeout);
+                if (!testResult.passed) {
+                    log(`policy check: policy tests failed (${testResult.failed}/${testResult.total})`);
+                    return this.createFailure(`${testResult.failed} of ${testResult.total} policy tests failed`, testResult.details.join('; '), {
+                        policyCount: discoveryResult.policies.length,
+                        testResults: testResult,
+                    });
+                }
+            }
+            // Step 4: Prepare OPA input
+            const input = this.buildOPAInput(context, config.include_git_context !== false);
+            // Step 4: Execute OPA
+            const executor = new OPAExecutor(binaryPath, {
+                timeout: config.timeout,
+                query: config.query,
+                includeRawOutput: false,
+            });
+            const result = await executor.evaluate(discoveryResult.policies, input);
+            if (!result.success) {
+                log(`policy check: evaluation failed: ${result.error}`);
+                return this.createFailure('Policy evaluation failed', result.error, {
+                    policyCount: discoveryResult.policies.length,
+                    executionTimeMs: result.metadata.execution_time_ms,
+                });
+            }
+            // Step 5: Calculate score and determine pass/fail
+            const { score, passed, violationsByPolicy } = this.calculateScore(result.violations, config.severity_threshold || 'error');
+            const message = this.buildMessage(result.violations, discoveryResult.policies, passed);
+            log('policy check result', {
+                passed,
+                score,
+                violations: result.violations.length,
+                policies: discoveryResult.policies.length,
+                executionTimeMs: result.metadata.execution_time_ms,
+            });
+            return this.createResult(passed, message, score, {
+                policyCount: discoveryResult.policies.length,
+                violationCount: result.violations.length,
+                violations: result.violations,
+                violationsByPolicy,
+                executionTimeMs: result.metadata.execution_time_ms,
+                policies: discoveryResult.policies.map((p) => ({
+                    name: p.name,
+                    package: p.package,
+                    hasTests: p.hasTests,
+                })),
+            });
+        }
+        catch (error) {
+            log(`policy check error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+            return this.createFailure('Policy check failed unexpectedly', error instanceof Error ? error.message : 'Unknown error');
+        }
+    }
+    /**
+     * Parse and validate check configuration
+     */
+    parseConfig(checkConfig) {
+        return {
+            policy_dir: typeof checkConfig.policy_dir === 'string' ? checkConfig.policy_dir : undefined,
+            severity_threshold: parseSeverity(checkConfig.severity_threshold, undefined),
+            enabled_policies: Array.isArray(checkConfig.enabled_policies)
+                ? checkConfig.enabled_policies.filter((p) => typeof p === 'string')
+                : undefined,
+            disabled_policies: Array.isArray(checkConfig.disabled_policies)
+                ? checkConfig.disabled_policies.filter((p) => typeof p === 'string')
+                : undefined,
+            query: typeof checkConfig.query === 'string' ? checkConfig.query : undefined,
+            timeout: typeof checkConfig.timeout === 'number' ? checkConfig.timeout : undefined,
+            require_policy_tests: typeof checkConfig.require_policy_tests === 'boolean'
+                ? checkConfig.require_policy_tests
+                : undefined,
+            include_git_context: typeof checkConfig.include_git_context === 'boolean'
+                ? checkConfig.include_git_context
+                : true, // Default to true
+        };
+    }
+    /**
+     * Build OPA input from check context
+     */
+    buildOPAInput(context, includeGitContext) {
+        const plan = context.plan; // Safe: checked in run()
+        // Calculate affected directories
+        const affectedDirectories = new Set();
+        for (const change of plan.proposed_changes) {
+            if (change.path) {
+                const parts = change.path.split('/');
+                if (parts.length > 1) {
+                    affectedDirectories.add(parts.slice(0, -1).join('/'));
+                }
+            }
+        }
+        // Build context with optional git info
+        const opaContext = {
+            workspace_root: context.workspace_root,
+            timestamp: Date.now(),
+        };
+        // Add git context if enabled
+        if (includeGitContext) {
+            const gitContext = this.getGitContext(context.workspace_root);
+            if (gitContext) {
+                opaContext.git = gitContext;
+            }
+            // Add CI context from environment
+            const ciContext = this.getCIContext();
+            if (ciContext) {
+                opaContext.ci = ciContext;
+            }
+        }
+        const architecture = this.buildArchitectureInput(context);
+        return {
+            plan: {
+                id: plan.id,
+                hash: plan.hash,
+                intent: plan.intent,
+                schema_version: plan.schema_version,
+                proposed_changes: plan.proposed_changes.map((change) => ({
+                    type: change.type,
+                    path: change.path,
+                    description: change.description,
+                    metadata: change.metadata,
+                    extension: change.path?.split('.').pop(),
+                    directory: change.path?.split('/').slice(0, -1).join('/'),
+                })),
+                provenance: plan.provenance,
+                validations: plan.validations,
+                tags: plan.tags,
+                change_count: plan.proposed_changes.length,
+                affected_directories: Array.from(affectedDirectories),
+            },
+            context: opaContext,
+            architecture,
+            config: context.check_config,
+        };
+    }
+    /**
+     * Bridges ArchitectureCheck output to PolicyCheck OPA input.
+     * Enables Rego policies to query architecture context via input.architecture
+     */
+    buildArchitectureInput(context) {
+        // Cast to full ArchitectureContext - CheckContext.architectureContext is typed as base for portability
+        const archContext = context.architectureContext;
+        if (!archContext) {
+            return undefined;
+        }
+        const layers = {};
+        for (const [layerName, layerStats] of Object.entries(archContext.layers)) {
+            layers[layerName] = layerStats.patterns;
+        }
+        const boundaries = [];
+        for (const [layerName, layerStats] of Object.entries(archContext.layers)) {
+            for (const depLayer of layerStats.depends_on) {
+                boundaries.push({ from: layerName, to: depLayer });
+            }
+        }
+        return {
+            layers,
+            boundaries,
+            dependencies: archContext.dependencies,
+            summary: {
+                total_modules: archContext.summary.total_modules,
+                total_violations: archContext.summary.total_violations,
+                new_violations: archContext.summary.new_violations,
+                circular_count: archContext.summary.circular_count,
+                orphan_count: archContext.summary.orphan_count,
+                layer_violation_count: archContext.summary.layer_violation_count,
+                error_count: archContext.summary.error_count,
+                warn_count: archContext.summary.warn_count,
+                baseline_loaded: archContext.summary.baseline_loaded,
+            },
+            violations: archContext.violations.map((v) => ({
+                from: v.from,
+                to: v.to,
+                rule: v.rule,
+                severity: v.severity,
+                is_circular: v.is_circular,
+                is_new: v.is_new,
+                from_layer: v.from_layer,
+                to_layer: v.to_layer,
+            })),
+        };
+    }
+    /**
+     * Get git context for repository-aware policies
+     */
+    getGitContext(workspaceRoot) {
+        try {
+            const execGit = (args) => {
+                try {
+                    return execFileSync('git', args, {
+                        cwd: workspaceRoot,
+                        encoding: 'utf-8',
+                        stdio: ['pipe', 'pipe', 'pipe'],
+                    }).trim();
+                }
+                catch {
+                    return undefined;
+                }
+            };
+            const branch = execGit(['rev-parse', '--abbrev-ref', 'HEAD']);
+            if (!branch)
+                return undefined; // Not a git repository
+            const commitSha = execGit(['rev-parse', 'HEAD']);
+            const author = execGit(['log', '-1', '--format=%an']);
+            const authorEmail = execGit(['log', '-1', '--format=%ae']);
+            // Try to get base branch (for PRs)
+            let baseBranch;
+            // First try origin/HEAD which points to the default branch
+            const originHeadRef = execGit(['symbolic-ref', 'refs/remotes/origin/HEAD']);
+            if (originHeadRef) {
+                const match = originHeadRef.match(/^refs\/remotes\/origin\/(.+)$/);
+                if (match?.[1]) {
+                    baseBranch = match[1];
+                }
+            }
+            // Fallback: probe common default branch names
+            if (!baseBranch) {
+                const defaultBranches = ['main', 'master', 'develop'];
+                for (const defaultBranch of defaultBranches) {
+                    const exists = execGit(['rev-parse', '--verify', defaultBranch]);
+                    if (exists) {
+                        baseBranch = defaultBranch;
+                        break;
+                    }
+                }
+            }
+            return {
+                branch,
+                base_branch: baseBranch,
+                commit_sha: commitSha,
+                author,
+                author_email: authorEmail,
+            };
+        }
+        catch {
+            return undefined;
+        }
+    }
+    /**
+     * Get CI context from environment variables
+     */
+    getCIContext() {
+        // GitHub Actions
+        if (process.env.GITHUB_ACTIONS === 'true') {
+            return {
+                provider: 'github',
+                build_id: process.env.GITHUB_RUN_ID,
+                pr_number: process.env.GITHUB_PR_NUMBER || this.extractPRNumber(process.env.GITHUB_REF),
+                pr_author: process.env.GITHUB_ACTOR,
+            };
+        }
+        // GitLab CI
+        if (process.env.GITLAB_CI === 'true') {
+            return {
+                provider: 'gitlab',
+                build_id: process.env.CI_JOB_ID,
+                pr_number: process.env.CI_MERGE_REQUEST_IID,
+                pr_author: process.env.GITLAB_USER_LOGIN,
+            };
+        }
+        // Jenkins
+        if (process.env.JENKINS_URL) {
+            return {
+                provider: 'jenkins',
+                build_id: process.env.BUILD_ID,
+                pr_number: process.env.CHANGE_ID,
+                pr_author: process.env.CHANGE_AUTHOR,
+            };
+        }
+        // Azure DevOps
+        if (process.env.TF_BUILD === 'True') {
+            return {
+                provider: 'azure',
+                build_id: process.env.BUILD_BUILDID,
+                pr_number: process.env.SYSTEM_PULLREQUEST_PULLREQUESTID,
+                pr_author: process.env.BUILD_REQUESTEDFOR,
+            };
+        }
+        // Local development
+        return {
+            provider: 'local',
+        };
+    }
+    /**
+     * Extract PR number from GitHub ref (e.g., refs/pull/123/merge)
+     */
+    extractPRNumber(ref) {
+        if (!ref)
+            return undefined;
+        const match = ref.match(/refs\/pull\/(\d+)/);
+        return match?.[1];
+    }
+    /**
+     * Run policy tests and return results
+     */
+    async runPolicyTests(binaryPath, policies, policyDir, timeout) {
+        const testFiles = policies
+            .filter((p) => p.hasTests)
+            .map((p) => p.testPath)
+            .filter(Boolean);
+        if (testFiles.length === 0) {
+            return { passed: true, failed: 0, total: 0, details: [] };
+        }
+        const executor = new OPAExecutor(binaryPath, { timeout });
+        const result = await executor.runTests(policies, testFiles);
+        // Check for execution errors in addition to test failures
+        const hasErrors = result.errors.length > 0;
+        const errorDetails = hasErrors ? result.errors.map((e) => `Execution error: ${e}`) : [];
+        return {
+            passed: result.failed === 0 && !hasErrors,
+            failed: result.failed,
+            total: result.passed + result.failed,
+            details: [
+                ...result.details
+                    .filter((d) => !d.passed)
+                    .map((d) => `${d.name}: ${d.message || 'failed'}`),
+                ...errorDetails,
+            ],
+        };
+    }
+    /**
+     * Calculate score based on violations
+     */
+    calculateScore(violations, severityThreshold) {
+        // Group violations by policy
+        const violationsByPolicy = {};
+        for (const v of violations) {
+            const policy = v.policy || 'unknown';
+            if (!violationsByPolicy[policy]) {
+                violationsByPolicy[policy] = [];
+            }
+            violationsByPolicy[policy].push(v);
+        }
+        // Calculate total penalty
+        let totalPenalty = 0;
+        let hasBlockingViolation = false;
+        for (const v of violations) {
+            const penalty = SEVERITY_PENALTIES[v.severity] || 0;
+            totalPenalty += penalty;
+            // Check if this violation should block
+            if (this.isBlockingSeverity(v.severity, severityThreshold)) {
+                hasBlockingViolation = true;
+            }
+        }
+        const score = Math.max(0, 100 - totalPenalty);
+        const passed = !hasBlockingViolation;
+        return { score, passed, violationsByPolicy };
+    }
+    /**
+     * Check if a severity level should block the check
+     */
+    isBlockingSeverity(severity, threshold) {
+        const levels = { error: 3, warning: 2, info: 1 };
+        return levels[severity] >= levels[threshold];
+    }
+    /**
+     * Build human-readable message
+     */
+    buildMessage(violations, policies, passed) {
+        if (violations.length === 0) {
+            return `All ${policies.length} policies passed`;
+        }
+        const errorCount = violations.filter((v) => v.severity === 'error').length;
+        const warningCount = violations.filter((v) => v.severity === 'warning').length;
+        const infoCount = violations.filter((v) => v.severity === 'info').length;
+        const parts = [];
+        if (errorCount > 0)
+            parts.push(`${errorCount} error${errorCount > 1 ? 's' : ''}`);
+        if (warningCount > 0)
+            parts.push(`${warningCount} warning${warningCount > 1 ? 's' : ''}`);
+        if (infoCount > 0)
+            parts.push(`${infoCount} info`);
+        const status = passed ? 'passed with issues' : 'failed';
+        return `Policy check ${status}: ${parts.join(', ')}`;
+    }
+}

package/dist/gate/checks/secret/entropy-detector.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Entropy Detector - Shannon entropy-based detection for secrets
+ *
+ * Detects high-entropy strings that are likely to be secrets or sensitive data.
+ */
+/**
+ * Secret finding from entropy detection
+ */
+export interface EntropyFinding {
+    file: string;
+    line: number;
+    type: string;
+    match: string;
+    context: string;
+    entropy: number;
+    source: 'entropy';
+}
+/**
+ * Configuration for entropy detection
+ */
+export interface EntropyDetectorConfig {
+    /** Minimum entropy threshold for detection (default: 4.5) */
+    entropy_threshold: number;
+    /** Minimum string length for entropy analysis (default: 16) */
+    min_entropy_length: number;
+    /** Patterns to allowlist (reduce false positives) */
+    allowlist: string[];
+}
+/**
+ * Entropy detector for high-entropy strings
+ */
+export declare class EntropyDetector {
+    private matcher;
+    /**
+     * Calculate Shannon entropy of a string
+     * Higher entropy = more randomness = likely a secret
+     */
+    calculateEntropy(str: string): number;
+    /**
+     * Detect high-entropy strings that might be secrets
+     */
+    detectHighEntropyStrings(line: string, lineNumber: number, file: string, config: EntropyDetectorConfig): EntropyFinding[];
+}
+//# sourceMappingURL=entropy-detector.d.ts.map

package/dist/gate/checks/secret/entropy-detector.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy-detector.d.ts","sourceRoot":"","sources":["../../../../src/gate/checks/secret/entropy-detector.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAOH;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,SAAS,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,+DAA+D;IAC/D,kBAAkB,EAAE,MAAM,CAAC;IAC3B,qDAAqD;IACrD,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,OAAO,CAAwB;IAEvC;;;OAGG;IACH,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAkBrC;;OAEG;IACH,wBAAwB,CACtB,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,IAAI,EAAE,MAAM,EACZ,MAAM,EAAE,qBAAqB,GAC5B,cAAc,EAAE;CA6CpB"}

package/dist/gate/checks/secret/entropy-detector.js

@@ -0,0 +1,76 @@
+/**
+ * Entropy Detector - Shannon entropy-based detection for secrets
+ *
+ * Detects high-entropy strings that are likely to be secrets or sensitive data.
+ */
+import { PatternMatcher } from './secret-patterns.js';
+import { createDebugger } from '@eddacraft/anvil-core';
+const log = createDebugger('check');
+/**
+ * Entropy detector for high-entropy strings
+ */
+export class EntropyDetector {
+    matcher = new PatternMatcher();
+    /**
+     * Calculate Shannon entropy of a string
+     * Higher entropy = more randomness = likely a secret
+     */
+    calculateEntropy(str) {
+        if (!str || str.length === 0)
+            return 0;
+        const charFrequency = {};
+        for (const char of str) {
+            charFrequency[char] = (charFrequency[char] || 0) + 1;
+        }
+        let entropy = 0;
+        const len = str.length;
+        for (const char in charFrequency) {
+            const frequency = charFrequency[char] / len;
+            entropy -= frequency * Math.log2(frequency);
+        }
+        return entropy;
+    }
+    /**
+     * Detect high-entropy strings that might be secrets
+     */
+    detectHighEntropyStrings(line, lineNumber, file, config) {
+        const findings = [];
+        const threshold = config.entropy_threshold;
+        const minLength = config.min_entropy_length;
+        // Extract potential secret strings (quoted strings, assignments)
+        const stringPatterns = [
+            // Quoted strings
+            /['"]([^'"]{16,})['"]/,
+            // Variable assignments with alphanumeric values
+            /[:=]\s*['"]?([a-zA-Z0-9_/+=-]{16,})['"]?/,
+        ];
+        for (const pattern of stringPatterns) {
+            const matches = line.match(pattern);
+            if (matches && matches[1]) {
+                const candidate = matches[1];
+                // Skip if too short or already detected by pattern
+                if (candidate.length < minLength)
+                    continue;
+                if (this.matcher.isAllowlisted(candidate, config.allowlist))
+                    continue;
+                // Skip if it looks like code or common patterns
+                if (this.matcher.looksLikeCode(candidate))
+                    continue;
+                const entropy = this.calculateEntropy(candidate);
+                if (entropy >= threshold) {
+                    log(`entropy-detector: high entropy string found in ${file}:${lineNumber} (entropy=${entropy.toFixed(2)}, threshold=${threshold})`);
+                    findings.push({
+                        file,
+                        line: lineNumber,
+                        type: 'High Entropy String',
+                        match: this.matcher.redactSecret(candidate),
+                        context: this.matcher.redactLine(line.trim()),
+                        entropy: Math.round(entropy * 100) / 100,
+                        source: 'entropy',
+                    });
+                }
+            }
+        }
+        return findings;
+    }
+}

package/dist/gate/checks/secret/git-scanner.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Git Scanner - Scan git history for secrets in recent commits
+ *
+ * Scans git commit diffs to find secrets that may have been committed in the past.
+ */
+/**
+ * Secret finding from git history
+ */
+export interface GitHistoryFinding {
+    file: string;
+    line: number;
+    type: string;
+    match: string;
+    context: string;
+    source: 'git-history';
+}
+/**
+ * Configuration for git scanning
+ */
+export interface GitScannerConfig {
+    /** Number of commits to scan in git history (default: 10) */
+    git_history_depth: number;
+    /** Patterns to allowlist (reduce false positives) */
+    allowlist: string[];
+}
+/**
+ * Git scanner for finding secrets in repository history
+ */
+export declare class GitScanner {
+    private matcher;
+    /**
+     * Scan git history for secrets in recent commits
+     */
+    scanGitHistory(workspaceRoot: string, config: GitScannerConfig): Promise<GitHistoryFinding[]>;
+}
+//# sourceMappingURL=git-scanner.d.ts.map

package/dist/gate/checks/secret/git-scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git-scanner.d.ts","sourceRoot":"","sources":["../../../../src/gate/checks/secret/git-scanner.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAWH;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,6DAA6D;IAC7D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,SAAS,EAAE,MAAM,EAAE,CAAC;CACrB;AAED;;GAEG;AACH,qBAAa,UAAU;IACrB,OAAO,CAAC,OAAO,CAAwB;IAEvC;;OAEG;IACG,cAAc,CAClB,aAAa,EAAE,MAAM,EACrB,MAAM,EAAE,gBAAgB,GACvB,OAAO,CAAC,iBAAiB,EAAE,CAAC;CAkFhC"}