@edictum/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/dist/chunk-CRPQFRYJ.mjs +238 -0
  2. package/dist/chunk-CRPQFRYJ.mjs.map +1 -0
  3. package/dist/chunk-IXMXZGJG.mjs +30 -0
  4. package/dist/chunk-IXMXZGJG.mjs.map +1 -0
  5. package/dist/chunk-X5E2YY35.mjs +1299 -0
  6. package/dist/chunk-X5E2YY35.mjs.map +1 -0
  7. package/dist/dry-run-54PYIM6T.mjs +199 -0
  8. package/dist/dry-run-54PYIM6T.mjs.map +1 -0
  9. package/dist/index.cjs +3774 -0
  10. package/dist/index.cjs.map +1 -0
  11. package/dist/index.d.cts +1201 -0
  12. package/dist/index.d.ts +1201 -0
  13. package/dist/index.mjs +1890 -0
  14. package/dist/index.mjs.map +1 -0
  15. package/dist/runner-ASI4JIW2.mjs +10 -0
  16. package/dist/runner-ASI4JIW2.mjs.map +1 -0
  17. package/package.json +58 -0
package/dist/index.cjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/errors.ts","../src/envelope.ts","../src/contracts.ts","../src/hooks.ts","../src/session.ts","../src/redaction.ts","../src/approval.ts","../src/audit.ts","../src/evaluation.ts","../src/pipeline.ts","../src/runner.ts","../src/dry-run.ts","../src/index.ts","../src/limits.ts","../src/storage.ts","../src/findings.ts","../src/compiled-state.ts","../src/guard.ts","../src/factory.ts","../src/yaml-engine/composer.ts","../src/yaml-engine/compiler.ts","../src/yaml-engine/compiler-utils.ts","../src/yaml-engine/operators.ts","../src/yaml-engine/selectors.ts","../src/yaml-engine/evaluator.ts","../src/yaml-engine/compile-contracts.ts","../src/yaml-engine/sandbox-compile-fn.ts","../src/yaml-engine/sandbox-compiler.ts","../src/fnmatch.ts","../src/yaml-engine/loader.ts","../src/yaml-engine/loader-validators.ts"],"sourcesContent":["/** Exception classes for Edictum. */\n\n/** Raised when guard.run() denies a tool call in enforce mode. */\nexport class EdictumDenied extends Error {\n readonly reason: string;\n readonly decisionSource: string | null;\n readonly decisionName: string | null;\n\n constructor(\n reason: string,\n decisionSource: string | null = null,\n decisionName: string | null = null,\n ) {\n super(reason);\n this.name = \"EdictumDenied\";\n this.reason = reason;\n this.decisionSource = decisionSource;\n this.decisionName = decisionName;\n }\n}\n\n/** Raised for configuration/load-time errors (invalid YAML, schema failures, etc.). */\nexport class EdictumConfigError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"EdictumConfigError\";\n }\n}\n\n/** Raised when the governed tool itself fails. */\nexport class EdictumToolError extends Error {\n constructor(message: string) {\n super(message);\n this.name = \"EdictumToolError\";\n }\n}\n","/** Tool Invocation Envelope — immutable snapshot of a tool call. */\n\nimport { randomUUID } from \"node:crypto\";\n\nimport { EdictumConfigError } from \"./errors.js\";\nimport type { ToolConfig } from \"./types.js\";\n\n// ---------------------------------------------------------------------------\n// SideEffect\n// ---------------------------------------------------------------------------\n\n/**\n * Classification of tool side effects.\n *\n * Determines postcondition behavior and retry safety.\n *\n * DEFAULTS:\n * - Unregistered tools -> IRREVERSIBLE (conservative)\n * - Bash -> IRREVERSIBLE unless strict allowlist match\n * - Classification errors always err toward MORE restrictive\n */\nexport const SideEffect = {\n PURE: \"pure\",\n READ: \"read\",\n WRITE: \"write\",\n IRREVERSIBLE: \"irreversible\",\n} as const;\n\nexport type SideEffect = (typeof SideEffect)[keyof typeof SideEffect];\n\n// ---------------------------------------------------------------------------\n// Principal\n// ---------------------------------------------------------------------------\n\n/**\n * Identity context for audit attribution.\n *\n * NOTE: `claims` is a plain object. The Principal itself is frozen via\n * `Object.freeze()`, making the reference immutable. Callers should treat\n * claims as read-only after construction.\n */\nexport interface Principal {\n readonly userId: string | null;\n readonly serviceId: string | null;\n readonly orgId: string | null;\n readonly role: string | null;\n readonly ticketRef: string | null;\n readonly claims: Readonly<Record<string, unknown>>;\n}\n\n/** Create a frozen Principal with defaults for omitted fields. */\nexport function createPrincipal(\n partial: Partial<Principal> = {},\n): Readonly<Principal> {\n const p: Principal = {\n userId: partial.userId ?? null,\n serviceId: partial.serviceId ?? null,\n orgId: partial.orgId ?? null,\n role: partial.role ?? null,\n ticketRef: partial.ticketRef ?? null,\n claims: partial.claims ?? {},\n };\n return deepFreeze(p);\n}\n\n// ---------------------------------------------------------------------------\n// _validateToolName\n// ---------------------------------------------------------------------------\n\n/**\n * Validate tool_name: reject empty, control chars, path separators.\n *\n * Throws EdictumConfigError for:\n * - Empty string\n * - Any ASCII control character (code < 0x20 or code === 0x7f)\n * - Forward slash `/`\n * - Backslash `\\`\n */\nexport function _validateToolName(toolName: string): void {\n if (!toolName) {\n throw new EdictumConfigError(`Invalid tool_name: ${JSON.stringify(toolName)}`);\n }\n for (let i = 0; i < toolName.length; i++) {\n const code = toolName.charCodeAt(i);\n const ch = toolName[i];\n if (code < 0x20 || code === 0x7f || ch === \"/\" || ch === \"\\\\\") {\n throw new EdictumConfigError(`Invalid tool_name: ${JSON.stringify(toolName)}`);\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// ToolEnvelope\n// ---------------------------------------------------------------------------\n\n/**\n * Immutable snapshot of a tool invocation.\n *\n * Prefer `createEnvelope()` factory for deep-copy guarantees.\n * Direct construction validates tool_name but does NOT deep-copy args.\n */\nexport interface ToolEnvelope {\n // Identity\n readonly toolName: string;\n readonly args: Readonly<Record<string, unknown>>;\n readonly callId: string;\n readonly runId: string;\n readonly callIndex: number;\n readonly parentCallId: string | null;\n\n // Classification\n readonly sideEffect: SideEffect;\n readonly idempotent: boolean;\n\n // Context\n readonly environment: string;\n readonly timestamp: Date;\n readonly caller: string;\n readonly toolUseId: string | null;\n\n // Principal\n readonly principal: Readonly<Principal> | null;\n\n // Extracted convenience fields\n readonly bashCommand: string | null;\n readonly filePath: string | null;\n\n // Extensible\n readonly metadata: Readonly<Record<string, unknown>>;\n}\n\n// ---------------------------------------------------------------------------\n// deepFreeze\n// ---------------------------------------------------------------------------\n\n/**\n * Recursively freeze an object and all nested objects.\n *\n * Date objects are skipped — Object.freeze() cannot prevent mutation\n * via Date prototype methods (setFullYear, setTime, etc.) because Date\n * stores state in internal slots, not own properties.\n */\nexport function deepFreeze<T>(obj: T): T {\n if (obj === null || obj === undefined || typeof obj !== \"object\") {\n return obj;\n }\n // Date internal slots are not freezable — skip to avoid false sense of safety\n if (obj instanceof Date) {\n return obj;\n }\n // RegExp with global/sticky flags stores mutable lastIndex in internal state.\n // Freezing prevents String.replace() from updating lastIndex → TypeError.\n if (obj instanceof RegExp) {\n return obj;\n }\n Object.freeze(obj);\n for (const value of Object.values(obj as Record<string, unknown>)) {\n if (value !== null && value !== undefined && typeof value === \"object\" && !Object.isFrozen(value)) {\n deepFreeze(value);\n }\n }\n return obj;\n}\n\n// ---------------------------------------------------------------------------\n// ToolRegistry\n// ---------------------------------------------------------------------------\n\n/** Maps tool names to governance properties. Unregistered tools default to IRREVERSIBLE. */\nexport class ToolRegistry {\n private readonly _tools: Map<string, ToolConfig> = new Map();\n\n register(\n name: string,\n sideEffect: SideEffect = SideEffect.WRITE,\n idempotent: boolean = false,\n ): void {\n this._tools.set(name, { name, sideEffect, idempotent });\n }\n\n classify(\n toolName: string,\n _args: Record<string, unknown>,\n ): [SideEffect, boolean] {\n const cfg = this._tools.get(toolName);\n if (cfg) {\n return [cfg.sideEffect as SideEffect, cfg.idempotent];\n }\n return [SideEffect.IRREVERSIBLE, false];\n }\n}\n\n// ---------------------------------------------------------------------------\n// BashClassifier\n// ---------------------------------------------------------------------------\n\n/**\n * Classify bash commands by side-effect level.\n *\n * Default is IRREVERSIBLE. Only downgraded to READ via strict\n * allowlist AND absence of shell operators.\n *\n * This is a heuristic, not a security boundary.\n */\nexport const BashClassifier = {\n READ_ALLOWLIST: [\n \"ls\",\n \"cat\",\n \"head\",\n \"tail\",\n \"wc\",\n \"find\",\n \"grep\",\n \"rg\",\n \"git status\",\n \"git log\",\n \"git diff\",\n \"git show\",\n \"git branch\",\n \"git remote\",\n \"git tag\",\n \"echo\",\n \"pwd\",\n \"whoami\",\n \"date\",\n \"which\",\n \"file\",\n \"stat\",\n \"du\",\n \"df\",\n \"tree\",\n \"less\",\n \"more\",\n ] as const,\n\n SHELL_OPERATORS: [\n \"\\n\",\n \"\\r\",\n \"<(\",\n \"<<\",\n \"$\",\n \"${\",\n \">\",\n \">>\",\n \"|\",\n \";\",\n \"&&\",\n \"||\",\n \"$(\",\n \"`\",\n \"#{\",\n ] as const,\n\n classify(command: string): SideEffect {\n const stripped = command.trim();\n if (!stripped) {\n return SideEffect.READ;\n }\n\n for (const op of BashClassifier.SHELL_OPERATORS) {\n if (stripped.includes(op)) {\n return SideEffect.IRREVERSIBLE;\n }\n }\n\n for (const allowed of BashClassifier.READ_ALLOWLIST) {\n if (stripped === allowed || stripped.startsWith(allowed + \" \")) {\n return SideEffect.READ;\n }\n }\n\n return SideEffect.IRREVERSIBLE;\n },\n} as const;\n\n// ---------------------------------------------------------------------------\n// safeDeepCopy — structuredClone with JSON roundtrip fallback\n// ---------------------------------------------------------------------------\n\nfunction safeDeepCopy<T>(value: T): T {\n try {\n return structuredClone(value);\n } catch {\n return JSON.parse(JSON.stringify(value)) as T;\n }\n}\n\n// ---------------------------------------------------------------------------\n// createEnvelope\n// ---------------------------------------------------------------------------\n\n/** Options for `createEnvelope()` beyond the required positional args. */\nexport interface CreateEnvelopeOptions {\n readonly runId?: string;\n readonly callIndex?: number;\n readonly callId?: string;\n readonly parentCallId?: string | null;\n readonly sideEffect?: SideEffect;\n readonly idempotent?: boolean;\n readonly environment?: string;\n readonly timestamp?: Date;\n readonly caller?: string;\n readonly toolUseId?: string | null;\n readonly principal?: Principal | null;\n readonly metadata?: Record<string, unknown>;\n readonly registry?: ToolRegistry | null;\n}\n\n/**\n * Factory that enforces immutability guarantees.\n *\n * Prefer this factory over direct construction — it deep-copies args\n * and metadata to ensure the envelope is a true immutable snapshot.\n */\nexport function createEnvelope(\n toolName: string,\n toolInput: Record<string, unknown>,\n options: CreateEnvelopeOptions = {},\n): Readonly<ToolEnvelope> {\n _validateToolName(toolName);\n\n // Deep-copy for immutability\n const safeArgs = safeDeepCopy(toolInput);\n\n // Deep-copy metadata\n const safeMetadata = options.metadata ? safeDeepCopy(options.metadata) : {};\n\n // Deep-copy Principal to protect claims dict\n let safePrincipal: Readonly<Principal> | null = null;\n if (options.principal != null) {\n const p = options.principal;\n safePrincipal = createPrincipal({\n userId: p.userId,\n serviceId: p.serviceId,\n orgId: p.orgId,\n role: p.role,\n ticketRef: p.ticketRef,\n claims: p.claims ? safeDeepCopy(p.claims as Record<string, unknown>) : {},\n });\n }\n\n // Classification: explicit options > registry > defaults\n const registry = options.registry ?? null;\n let sideEffect: SideEffect = options.sideEffect ?? SideEffect.IRREVERSIBLE;\n let idempotent = options.idempotent ?? false;\n let bashCommand: string | null = null;\n let filePath: string | null = null;\n\n // Registry overrides defaults but not explicit options\n if (registry) {\n const [regEffect, regIdempotent] = registry.classify(toolName, safeArgs);\n if (options.sideEffect == null) sideEffect = regEffect;\n if (options.idempotent == null) idempotent = regIdempotent;\n }\n\n // Extract convenience fields (handle both snake_case and camelCase keys)\n if (toolName === \"Bash\") {\n bashCommand = (safeArgs.command as string) ?? \"\";\n // BashClassifier wins over registry but NOT over explicit caller options\n if (options.sideEffect == null) {\n sideEffect = BashClassifier.classify(bashCommand);\n }\n } else if (\n toolName === \"Read\" ||\n toolName === \"Glob\" ||\n toolName === \"Grep\"\n ) {\n filePath =\n (safeArgs.file_path as string) ??\n (safeArgs.filePath as string) ??\n (safeArgs.path as string) ??\n null;\n } else if (toolName === \"Write\" || toolName === \"Edit\") {\n filePath =\n (safeArgs.file_path as string) ??\n (safeArgs.filePath as string) ??\n (safeArgs.path as string) ??\n null;\n }\n\n const envelope: ToolEnvelope = {\n toolName,\n args: safeArgs,\n callId: options.callId ?? randomUUID(),\n runId: options.runId ?? \"\",\n callIndex: options.callIndex ?? 0,\n parentCallId: options.parentCallId ?? null,\n sideEffect,\n idempotent,\n environment: options.environment ?? \"production\",\n timestamp: options.timestamp ?? new Date(),\n caller: options.caller ?? \"\",\n toolUseId: options.toolUseId ?? null,\n principal: safePrincipal,\n bashCommand,\n filePath,\n metadata: safeMetadata,\n };\n\n return deepFreeze(envelope);\n}\n","/** Pre/Post Conditions — contract types for tool governance. */\n\nimport type { ToolEnvelope } from \"./envelope.js\";\nimport type { Session } from \"./session.js\";\n\n// ---------------------------------------------------------------------------\n// Verdict\n// ---------------------------------------------------------------------------\n\n/** Outcome of a single contract check. */\nexport interface Verdict {\n readonly passed: boolean;\n readonly message: string | null;\n readonly metadata: Readonly<Record<string, unknown>>;\n}\n\n/** Factory methods for Verdict. */\nexport const Verdict = {\n /**\n * Contract passed — tool call is acceptable.\n */\n pass_(): Verdict {\n return Object.freeze({ passed: true, message: null, metadata: Object.freeze({}) });\n },\n\n /**\n * Contract failed with an actionable message (truncated to 500 chars).\n *\n * Make it SPECIFIC and INSTRUCTIVE — the agent uses it to self-correct.\n */\n fail(message: string, metadata: Record<string, unknown> = {}): Verdict {\n const truncated =\n message.length > 500 ? message.slice(0, 497) + \"...\" : message;\n return Object.freeze({\n passed: false,\n message: truncated,\n metadata: Object.freeze({ ...metadata }),\n });\n },\n};\n\n// ---------------------------------------------------------------------------\n// Contract interfaces — plain objects, not decorators\n// ---------------------------------------------------------------------------\n\n/** Before execution. Safe to deny — tool hasn't run yet. */\nexport interface Precondition {\n readonly contractType?: \"pre\";\n readonly tool: string;\n readonly check: (envelope: ToolEnvelope) => Verdict | Promise<Verdict>;\n readonly when?: ((envelope: ToolEnvelope) => boolean) | null;\n}\n\n/**\n * After execution. Observe-and-log.\n *\n * On failure for pure/read: inject context suggesting retry.\n * On failure for write/irreversible: warn only, NO retry coaching.\n */\nexport interface Postcondition {\n readonly contractType: \"post\";\n readonly tool: string;\n readonly check: (\n envelope: ToolEnvelope,\n response: unknown,\n ) => Verdict | Promise<Verdict>;\n readonly when?: ((envelope: ToolEnvelope) => boolean) | null;\n}\n\n/**\n * Cross-turn governance using persisted atomic counters.\n *\n * Session methods are ASYNC. Session contract checks must be async.\n *\n * Example:\n * ```typescript\n * const maxOperations: SessionContract = {\n * check: async (session) => {\n * const count = await session.executionCount();\n * if (count >= 200) {\n * return Verdict.fail(\"Session limit reached.\");\n * }\n * return Verdict.pass_();\n * },\n * };\n * ```\n */\nexport interface SessionContract {\n readonly check: (session: Session) => Verdict | Promise<Verdict>;\n}\n","/** Hook interception — before/after tool execution. */\n\nexport const HookResult = {\n ALLOW: \"allow\",\n DENY: \"deny\",\n} as const;\n\nexport type HookResult = (typeof HookResult)[keyof typeof HookResult];\n\nexport interface HookDecision {\n readonly result: HookResult;\n readonly reason: string | null;\n}\n\nexport const HookDecision = {\n allow(): HookDecision {\n return Object.freeze({ result: HookResult.ALLOW, reason: null });\n },\n\n deny(reason: string): HookDecision {\n const truncated =\n reason.length > 500 ? reason.slice(0, 497) + \"...\" : reason;\n return Object.freeze({ result: HookResult.DENY, reason: truncated });\n },\n};\n","/** Session -- atomic counters backed by StorageBackend. */\n\nimport { EdictumConfigError } from \"./errors.js\";\nimport type { StorageBackend } from \"./storage.js\";\n\n// ---------------------------------------------------------------------------\n// BatchGet capability detection\n// ---------------------------------------------------------------------------\n\n/** StorageBackend that also supports batchGet(). */\ninterface BatchCapableBackend extends StorageBackend {\n batchGet(keys: readonly string[]): Promise<Record<string, string | null>>;\n}\n\nfunction hasBatchGet(\n backend: StorageBackend,\n): backend is BatchCapableBackend {\n return \"batchGet\" in backend;\n}\n\n// ---------------------------------------------------------------------------\n// Input validation\n// ---------------------------------------------------------------------------\n\nconst MAX_ID_LENGTH = 10_000;\n\n/**\n * Validate a string used in storage keys: reject empty, control chars.\n * Mirrors _validateToolName logic for any key component.\n */\nfunction _validateStorageKeyComponent(value: string, label: string): void {\n if (!value) {\n throw new EdictumConfigError(`Invalid ${label}: ${JSON.stringify(value)}`);\n }\n if (value.length > MAX_ID_LENGTH) {\n throw new EdictumConfigError(`Invalid ${label}: exceeds ${MAX_ID_LENGTH} characters`);\n }\n for (let i = 0; i < value.length; i++) {\n const code = value.charCodeAt(i);\n if (code < 0x20 || code === 0x7f) {\n throw new EdictumConfigError(`Invalid ${label}: ${JSON.stringify(value)}`);\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// Session\n// ---------------------------------------------------------------------------\n\n/**\n * Tracks execution state via atomic counters in StorageBackend.\n *\n * All methods are ASYNC because StorageBackend is async.\n *\n * Counter semantics:\n * - attempts: every PreToolUse, including denied (pre-execution)\n * - execs: every PostToolUse (tool actually ran)\n * - tool:{name}: per-tool execution count\n * - consec_fail: resets on success, increments on failure\n */\nexport class Session {\n private readonly _sid: string;\n private readonly _backend: StorageBackend;\n\n constructor(sessionId: string, backend: StorageBackend) {\n _validateStorageKeyComponent(sessionId, \"session_id\");\n this._sid = sessionId;\n this._backend = backend;\n }\n\n get sessionId(): string {\n return this._sid;\n }\n\n /** Increment attempt counter. Called in PreToolUse (before governance). */\n async incrementAttempts(): Promise<number> {\n return await this._backend.increment(`s:${this._sid}:attempts`);\n }\n\n async attemptCount(): Promise<number> {\n return Number((await this._backend.get(`s:${this._sid}:attempts`)) ?? 0);\n }\n\n /** Record a tool execution. Called in PostToolUse. */\n async recordExecution(toolName: string, success: boolean): Promise<void> {\n _validateStorageKeyComponent(toolName, \"tool_name\");\n await this._backend.increment(`s:${this._sid}:execs`);\n await this._backend.increment(`s:${this._sid}:tool:${toolName}`);\n\n if (success) {\n await this._backend.delete(`s:${this._sid}:consec_fail`);\n } else {\n await this._backend.increment(`s:${this._sid}:consec_fail`);\n }\n }\n\n async executionCount(): Promise<number> {\n return Number((await this._backend.get(`s:${this._sid}:execs`)) ?? 0);\n }\n\n async toolExecutionCount(tool: string): Promise<number> {\n _validateStorageKeyComponent(tool, \"tool_name\");\n return Number(\n (await this._backend.get(`s:${this._sid}:tool:${tool}`)) ?? 0,\n );\n }\n\n async consecutiveFailures(): Promise<number> {\n return Number(\n (await this._backend.get(`s:${this._sid}:consec_fail`)) ?? 0,\n );\n }\n\n /**\n * Pre-fetch multiple session counters in a single backend call.\n *\n * Returns a record with keys: \"attempts\", \"execs\", and optionally\n * \"tool:{name}\" if includeTool is provided.\n *\n * Uses batchGet() on the backend when available (single HTTP round\n * trip for ServerBackend). Falls back to individual get() calls for\n * backends without batchGet support.\n */\n async batchGetCounters(options?: {\n includeTool?: string;\n }): Promise<Record<string, number>> {\n const keys: string[] = [\n `s:${this._sid}:attempts`,\n `s:${this._sid}:execs`,\n ];\n const keyLabels: string[] = [\"attempts\", \"execs\"];\n\n if (options?.includeTool != null) {\n _validateStorageKeyComponent(options.includeTool, \"tool_name\");\n keys.push(`s:${this._sid}:tool:${options.includeTool}`);\n keyLabels.push(`tool:${options.includeTool}`);\n }\n\n let raw: Record<string, string | null>;\n\n if (hasBatchGet(this._backend)) {\n raw = await this._backend.batchGet(keys);\n } else {\n raw = {};\n for (const key of keys) {\n raw[key] = await this._backend.get(key);\n }\n }\n\n const result: Record<string, number> = {};\n for (let i = 0; i < keys.length; i++) {\n const label = keyLabels[i] ?? \"\";\n const key = keys[i] ?? \"\";\n result[label] = Number(raw[key] ?? 0);\n }\n return result;\n }\n}\n","/** Redaction policy for sensitive data in audit events. */\n\nimport { EdictumConfigError } from \"./errors.js\";\n\n// ---------------------------------------------------------------------------\n// RedactionPolicy\n// ---------------------------------------------------------------------------\n\n/**\n * Redact sensitive data from audit events.\n *\n * Recurses into dicts AND lists. Normalizes keys to lowercase.\n * Caps total payload size. Detects common secret patterns in values.\n */\nexport class RedactionPolicy {\n static readonly DEFAULT_SENSITIVE_KEYS: ReadonlySet<string> = new Set([\n \"password\",\n \"secret\",\n \"token\",\n \"api_key\",\n \"apikey\",\n \"api-key\",\n \"authorization\",\n \"auth\",\n \"credentials\",\n \"private_key\",\n \"privatekey\",\n \"access_token\",\n \"refresh_token\",\n \"client_secret\",\n \"connection_string\",\n \"database_url\",\n \"db_password\",\n \"ssh_key\",\n \"passphrase\",\n ]);\n\n static readonly BASH_REDACTION_PATTERNS: ReadonlyArray<\n readonly [string, string]\n > = [\n [\n String.raw`(export\\s+\\w*(?:KEY|TOKEN|SECRET|PASSWORD|CREDENTIAL)\\w*=)\\S+`,\n \"$1[REDACTED]\",\n ],\n [String.raw`(-p\\s*|--password[= ])\\S+`, \"$1[REDACTED]\"],\n [String.raw`(://\\w+:)\\S+(@)`, \"$1[REDACTED]$2\"],\n ];\n\n static readonly SECRET_VALUE_PATTERNS: ReadonlyArray<string> = [\n String.raw`^(sk-[a-zA-Z0-9]{20,})`,\n String.raw`^(AKIA[A-Z0-9]{16})`,\n String.raw`^(eyJ[a-zA-Z0-9_-]{20,}\\.)`,\n String.raw`^(ghp_[a-zA-Z0-9]{36})`,\n String.raw`^(xox[bpas]-[a-zA-Z0-9-]{10,})`,\n ];\n\n static readonly MAX_PAYLOAD_SIZE = 32_768;\n static readonly MAX_REGEX_INPUT = 10_000;\n static readonly MAX_PATTERN_LENGTH = 10_000;\n\n private readonly _keys: ReadonlySet<string>;\n private readonly _patterns: ReadonlyArray<readonly [string, string]>;\n private readonly _compiledPatterns: ReadonlyArray<readonly [RegExp, string]>;\n private readonly _compiledSecretPatterns: ReadonlyArray<RegExp>;\n private readonly _detectValues: boolean;\n\n constructor(\n sensitiveKeys?: ReadonlySet<string> | null,\n customPatterns?: ReadonlyArray<readonly [string, string]> | null,\n detectSecretValues: boolean = true,\n ) {\n const baseKeys = sensitiveKeys\n ? new Set([...RedactionPolicy.DEFAULT_SENSITIVE_KEYS, ...sensitiveKeys])\n : new Set(RedactionPolicy.DEFAULT_SENSITIVE_KEYS);\n this._keys = new Set([...baseKeys].map((k) => k.toLowerCase()));\n if (customPatterns) {\n for (const [pattern] of customPatterns) {\n if (pattern.length > RedactionPolicy.MAX_PATTERN_LENGTH) {\n throw new EdictumConfigError(\n `Custom redaction pattern exceeds ${RedactionPolicy.MAX_PATTERN_LENGTH} characters`,\n );\n }\n }\n }\n this._patterns = [\n ...(customPatterns ?? []),\n ...RedactionPolicy.BASH_REDACTION_PATTERNS,\n ];\n this._compiledPatterns = this._patterns.map(\n ([pattern, replacement]) => [new RegExp(pattern, \"g\"), replacement] as const,\n );\n this._compiledSecretPatterns = RedactionPolicy.SECRET_VALUE_PATTERNS.map(\n (p) => new RegExp(p),\n );\n this._detectValues = detectSecretValues;\n }\n\n /** Recursively redact sensitive data from tool arguments. */\n redactArgs(args: unknown): unknown {\n if (args !== null && typeof args === \"object\" && !Array.isArray(args)) {\n const result: Record<string, unknown> = {};\n for (const [key, value] of Object.entries(\n args as Record<string, unknown>,\n )) {\n result[key] = this._isSensitiveKey(key)\n ? \"[REDACTED]\"\n : this.redactArgs(value);\n }\n return result;\n }\n if (Array.isArray(args)) {\n return args.map((item) => this.redactArgs(item));\n }\n if (typeof args === \"string\") {\n if (this._detectValues && this._looksLikeSecret(args)) {\n return \"[REDACTED]\";\n }\n if (args.length > 1000) {\n return args.slice(0, 997) + \"...\";\n }\n return args;\n }\n return args;\n }\n\n /** Check if a key name indicates sensitive data. */\n _isSensitiveKey(key: string): boolean {\n const k = key.toLowerCase();\n if (this._keys.has(k)) return true;\n // Normalize camelCase → snake_case for set lookup (e.g. databaseUrl → database_url)\n const normalized = key.replace(/([a-z])([A-Z])/g, \"$1_$2\").toLowerCase();\n if (normalized !== k && this._keys.has(normalized)) return true;\n // Split on _ , - , and camelCase boundaries (e.g. accessToken → [access, token])\n // to catch both snake_case and camelCase field names common in JS/TS.\n const parts = normalized.split(/[_\\-]/);\n return parts.some((part) =>\n part === \"token\" ||\n part === \"key\" ||\n part === \"secret\" ||\n part === \"password\" ||\n part === \"credential\",\n );\n }\n\n /** Check if a string value looks like a known secret format. */\n _looksLikeSecret(value: string): boolean {\n const capped = value.length > RedactionPolicy.MAX_REGEX_INPUT\n ? value.slice(0, RedactionPolicy.MAX_REGEX_INPUT)\n : value;\n for (const regex of this._compiledSecretPatterns) {\n if (regex.test(capped)) {\n return true;\n }\n }\n return false;\n }\n\n /** Apply redaction patterns to a bash command string. */\n redactBashCommand(command: string): string {\n const capped = command.length > RedactionPolicy.MAX_REGEX_INPUT\n ? command.slice(0, RedactionPolicy.MAX_REGEX_INPUT)\n : command;\n let result = capped;\n for (const [regex, replacement] of this._compiledPatterns) {\n regex.lastIndex = 0;\n result = result.replace(regex, replacement);\n }\n return result;\n }\n\n /** Apply redaction patterns and truncate a result string. */\n redactResult(result: string, maxLength: number = 500): string {\n const capped = result.length > RedactionPolicy.MAX_REGEX_INPUT\n ? result.slice(0, RedactionPolicy.MAX_REGEX_INPUT)\n : result;\n let redacted = capped;\n for (const [regex, replacement] of this._compiledPatterns) {\n regex.lastIndex = 0;\n redacted = redacted.replace(regex, replacement);\n }\n if (redacted.length > maxLength) {\n redacted = redacted.slice(0, maxLength - 3) + \"...\";\n }\n return redacted;\n }\n\n /** Cap total serialized size of audit payload. Returns a new object if truncated. */\n capPayload(data: Record<string, unknown>): Record<string, unknown> {\n const serialized = JSON.stringify(data);\n if (serialized.length > RedactionPolicy.MAX_PAYLOAD_SIZE) {\n const { resultSummary: _rs, toolArgs: _ta, ...rest } = data;\n void _rs; void _ta;\n return {\n ...rest,\n _truncated: true,\n toolArgs: { _redacted: \"payload exceeded 32KB\" },\n };\n }\n return data;\n }\n}\n","/** Approval protocol for human-in-the-loop tool call authorization. */\n\nimport { randomUUID } from \"node:crypto\";\nimport * as readline from \"node:readline\";\n\nimport { RedactionPolicy } from \"./redaction.js\";\n\n/** Strip ANSI escape sequences and control characters from terminal output. */\nfunction sanitizeForTerminal(s: string): string {\n return s.replace(/\\x1b\\[[0-9;]*[a-zA-Z]/g, \"\").replace(/[\\x00-\\x1f\\x7f]/g, \"\");\n}\n\n// ---------------------------------------------------------------------------\n// ApprovalStatus\n// ---------------------------------------------------------------------------\n\nexport const ApprovalStatus = {\n PENDING: \"pending\",\n APPROVED: \"approved\",\n DENIED: \"denied\",\n TIMEOUT: \"timeout\",\n} as const;\n\nexport type ApprovalStatus =\n (typeof ApprovalStatus)[keyof typeof ApprovalStatus];\n\n// ---------------------------------------------------------------------------\n// ApprovalRequest — frozen data object\n// ---------------------------------------------------------------------------\n\n/** A request for human approval of a tool call. */\nexport interface ApprovalRequest {\n readonly approvalId: string;\n readonly toolName: string;\n readonly toolArgs: Readonly<Record<string, unknown>>;\n readonly message: string;\n readonly timeout: number; // seconds\n readonly timeoutEffect: string; // \"deny\" | \"allow\"\n readonly principal: Readonly<Record<string, unknown>> | null;\n readonly metadata: Readonly<Record<string, unknown>>;\n readonly createdAt: Date;\n}\n\nfunction createApprovalRequest(\n fields: Omit<ApprovalRequest, \"createdAt\"> & { createdAt?: Date },\n): ApprovalRequest {\n const request: ApprovalRequest = {\n approvalId: fields.approvalId,\n toolName: fields.toolName,\n toolArgs: Object.freeze({ ...fields.toolArgs }),\n message: fields.message,\n timeout: fields.timeout,\n timeoutEffect: fields.timeoutEffect,\n principal:\n fields.principal !== null\n ? Object.freeze({ ...fields.principal })\n : null,\n metadata: Object.freeze({ ...fields.metadata }),\n createdAt: fields.createdAt ?? new Date(),\n };\n return Object.freeze(request);\n}\n\n// ---------------------------------------------------------------------------\n// ApprovalDecision — frozen data object\n// ---------------------------------------------------------------------------\n\n/** The result of a human approval decision. */\nexport interface ApprovalDecision {\n readonly approved: boolean;\n readonly approver: string | null;\n readonly reason: string | null;\n readonly status: ApprovalStatus;\n readonly timestamp: Date;\n}\n\nfunction createApprovalDecision(\n fields: Partial<ApprovalDecision> & { approved: boolean },\n): ApprovalDecision {\n const decision: ApprovalDecision = {\n approved: fields.approved,\n approver: fields.approver ?? null,\n reason: fields.reason ?? null,\n status: fields.status ?? ApprovalStatus.PENDING,\n timestamp: fields.timestamp ?? new Date(),\n };\n return Object.freeze(decision);\n}\n\n// ---------------------------------------------------------------------------\n// ApprovalBackend — protocol\n// ---------------------------------------------------------------------------\n\n/** Protocol for human-in-the-loop approval providers. */\nexport interface ApprovalBackend {\n requestApproval(\n toolName: string,\n toolArgs: Record<string, unknown>,\n message: string,\n options?: {\n timeout?: number;\n timeoutEffect?: string;\n principal?: Record<string, unknown> | null;\n metadata?: Record<string, unknown> | null;\n },\n ): Promise<ApprovalRequest>;\n\n waitForDecision(\n approvalId: string,\n timeout?: number | null,\n ): Promise<ApprovalDecision>;\n}\n\n// ---------------------------------------------------------------------------\n// LocalApprovalBackend — CLI-based approval for local testing\n// ---------------------------------------------------------------------------\n\n/**\n * CLI-based approval backend for local testing.\n *\n * Prompts on stdout, reads from stdin. Blocks until response or timeout.\n */\nexport class LocalApprovalBackend implements ApprovalBackend {\n private readonly _pending: Map<string, ApprovalRequest> = new Map();\n\n async requestApproval(\n toolName: string,\n toolArgs: Record<string, unknown>,\n message: string,\n options?: {\n timeout?: number;\n timeoutEffect?: string;\n principal?: Record<string, unknown> | null;\n metadata?: Record<string, unknown> | null;\n },\n ): Promise<ApprovalRequest> {\n const approvalId = randomUUID();\n const request = createApprovalRequest({\n approvalId,\n toolName,\n toolArgs,\n message,\n timeout: options?.timeout ?? 300,\n timeoutEffect: options?.timeoutEffect ?? \"deny\",\n principal: options?.principal ?? null,\n metadata: options?.metadata ?? {},\n });\n this._pending.set(approvalId, request);\n\n const redaction = new RedactionPolicy();\n const safeArgs = redaction.redactArgs(toolArgs);\n process.stdout.write(`[APPROVAL REQUIRED] ${sanitizeForTerminal(message)}\\n`);\n process.stdout.write(` Tool: ${sanitizeForTerminal(toolName)}\\n`);\n process.stdout.write(` Args: ${sanitizeForTerminal(JSON.stringify(safeArgs))}\\n`);\n process.stdout.write(` ID: ${approvalId}\\n`);\n\n return request;\n }\n\n async waitForDecision(\n approvalId: string,\n timeout?: number | null,\n ): Promise<ApprovalDecision> {\n const request = this._pending.get(approvalId);\n const effectiveTimeout =\n timeout ?? (request ? request.timeout : 300);\n\n try {\n const response = await this._readStdin(approvalId, effectiveTimeout);\n const approved = [\"y\", \"yes\", \"approve\"].includes(\n response.trim().toLowerCase(),\n );\n const status = approved\n ? ApprovalStatus.APPROVED\n : ApprovalStatus.DENIED;\n return createApprovalDecision({\n approved,\n approver: \"local\",\n status,\n });\n } catch {\n // Timeout\n const timeoutEffect = request ? request.timeoutEffect : \"deny\";\n const approved = timeoutEffect === \"allow\";\n return createApprovalDecision({\n approved,\n status: ApprovalStatus.TIMEOUT,\n });\n }\n }\n\n /** Read a single line from stdin with a timeout. */\n private _readStdin(\n approvalId: string,\n timeoutSeconds: number,\n ): Promise<string> {\n return new Promise<string>((resolve, reject) => {\n const rl = readline.createInterface({\n input: process.stdin,\n output: process.stdout,\n });\n\n const timer = setTimeout(() => {\n rl.close();\n reject(new Error(\"Approval timed out\"));\n }, timeoutSeconds * 1000);\n\n rl.question(`Approve? [y/N] (id: ${approvalId}): `, (answer) => {\n clearTimeout(timer);\n rl.close();\n resolve(answer);\n });\n });\n }\n}\n","/** Structured Event Log with Redaction. */\n\nimport { appendFile } from \"node:fs/promises\";\n\nimport { RedactionPolicy } from \"./redaction.js\";\n\n// -- AuditAction --------------------------------------------------------------\n\nexport const AuditAction = {\n CALL_DENIED: \"call_denied\",\n CALL_WOULD_DENY: \"call_would_deny\",\n CALL_ALLOWED: \"call_allowed\",\n CALL_EXECUTED: \"call_executed\",\n CALL_FAILED: \"call_failed\",\n POSTCONDITION_WARNING: \"postcondition_warning\",\n CALL_APPROVAL_REQUESTED: \"call_approval_requested\",\n CALL_APPROVAL_GRANTED: \"call_approval_granted\",\n CALL_APPROVAL_DENIED: \"call_approval_denied\",\n CALL_APPROVAL_TIMEOUT: \"call_approval_timeout\",\n} as const;\n\nexport type AuditAction = (typeof AuditAction)[keyof typeof AuditAction];\n\n// -- AuditEvent ---------------------------------------------------------------\n\nexport interface AuditEvent {\n schemaVersion: string;\n timestamp: Date;\n runId: string;\n callId: string;\n callIndex: number;\n parentCallId: string | null;\n toolName: string;\n toolArgs: Record<string, unknown>;\n sideEffect: string;\n environment: string;\n principal: Record<string, unknown> | null;\n action: AuditAction;\n decisionSource: string | null;\n decisionName: string | null;\n reason: string | null;\n hooksEvaluated: Record<string, unknown>[];\n contractsEvaluated: Record<string, unknown>[];\n toolSuccess: boolean | null;\n postconditionsPassed: boolean | null;\n durationMs: number;\n error: string | null;\n resultSummary: string | null;\n sessionAttemptCount: number;\n sessionExecutionCount: number;\n mode: string;\n policyVersion: string | null;\n policyError: boolean;\n}\n\n/** Factory with defaults matching the Python dataclass. */\nexport function createAuditEvent(f: Partial<AuditEvent> = {}): AuditEvent {\n return {\n schemaVersion: f.schemaVersion ?? \"0.3.0\",\n timestamp: f.timestamp ?? new Date(),\n runId: f.runId ?? \"\", callId: f.callId ?? \"\",\n callIndex: f.callIndex ?? 0, parentCallId: f.parentCallId ?? null,\n toolName: f.toolName ?? \"\", toolArgs: f.toolArgs ?? {},\n sideEffect: f.sideEffect ?? \"\", environment: f.environment ?? \"\",\n principal: f.principal ?? null,\n action: f.action ?? AuditAction.CALL_DENIED,\n decisionSource: f.decisionSource ?? null,\n decisionName: f.decisionName ?? null, reason: f.reason ?? null,\n hooksEvaluated: f.hooksEvaluated ?? [],\n contractsEvaluated: f.contractsEvaluated ?? [],\n toolSuccess: f.toolSuccess ?? null,\n postconditionsPassed: f.postconditionsPassed ?? null,\n durationMs: f.durationMs ?? 0, error: f.error ?? null,\n resultSummary: f.resultSummary ?? null,\n sessionAttemptCount: f.sessionAttemptCount ?? 0,\n sessionExecutionCount: f.sessionExecutionCount ?? 0,\n mode: f.mode ?? \"enforce\",\n policyVersion: f.policyVersion ?? null, policyError: f.policyError ?? false,\n };\n}\n\n// -- AuditSink ----------------------------------------------------------------\n\nexport interface AuditSink { emit(event: AuditEvent): Promise<void>; }\n\n// -- MarkEvictedError ---------------------------------------------------------\n\n/** Raised when a mark references events evicted from the buffer. */\nexport class MarkEvictedError extends Error {\n constructor(message: string) { super(message); this.name = \"MarkEvictedError\"; }\n}\n\n// -- CompositeSink ------------------------------------------------------------\n\n/** Fan-out sink: emits to all sinks, raises AggregateError on failures. */\nexport class CompositeSink implements AuditSink {\n private readonly _sinks: AuditSink[];\n\n constructor(sinks: AuditSink[]) {\n if (sinks.length === 0) throw new Error(\"CompositeSink requires at least one sink\");\n this._sinks = [...sinks];\n }\n\n get sinks(): AuditSink[] { return [...this._sinks]; }\n\n async emit(event: AuditEvent): Promise<void> {\n const errors: Error[] = [];\n for (const sink of this._sinks) {\n try { await sink.emit(event); }\n catch (err) { errors.push(err instanceof Error ? err : new Error(String(err))); }\n }\n if (errors.length > 0) {\n throw new AggregateError(errors, \"CompositeSink: one or more sinks failed\");\n }\n }\n}\n\n// -- Shared serialization -----------------------------------------------------\n\nfunction _toPlain(event: AuditEvent): Record<string, unknown> {\n const { timestamp, ...rest } = event;\n return { ...rest, timestamp: timestamp.toISOString() };\n}\n\n// -- StdoutAuditSink ----------------------------------------------------------\n\nexport class StdoutAuditSink implements AuditSink {\n private readonly _redaction: RedactionPolicy;\n constructor(redaction?: RedactionPolicy | null) {\n this._redaction = redaction ?? new RedactionPolicy();\n }\n async emit(event: AuditEvent): Promise<void> {\n process.stdout.write(JSON.stringify(this._redaction.capPayload(_toPlain(event))) + \"\\n\");\n }\n}\n\n// -- FileAuditSink ------------------------------------------------------------\n\nexport class FileAuditSink implements AuditSink {\n private readonly _path: string;\n private readonly _redaction: RedactionPolicy;\n constructor(path: string, redaction?: RedactionPolicy | null) {\n this._path = path; this._redaction = redaction ?? new RedactionPolicy();\n }\n async emit(event: AuditEvent): Promise<void> {\n const data = this._redaction.capPayload(_toPlain(event));\n await appendFile(this._path, JSON.stringify(data) + \"\\n\", \"utf-8\");\n }\n}\n\n// -- CollectingAuditSink ------------------------------------------------------\n\n/** In-memory ring buffer sink for programmatic inspection. */\nexport class CollectingAuditSink implements AuditSink {\n private _events: AuditEvent[] = [];\n private readonly _maxEvents: number;\n private _totalEmitted: number = 0;\n\n constructor(maxEvents: number = 50_000) {\n if (maxEvents < 1) throw new Error(`max_events must be >= 1, got ${maxEvents}`);\n this._maxEvents = maxEvents;\n }\n\n async emit(event: AuditEvent): Promise<void> {\n this._events.push(event);\n this._totalEmitted += 1;\n if (this._events.length > this._maxEvents) this._events = this._events.slice(-this._maxEvents);\n }\n\n get events(): AuditEvent[] { return [...this._events]; }\n mark(): number { return this._totalEmitted; }\n\n sinceMark(m: number): AuditEvent[] {\n if (m > this._totalEmitted) {\n throw new Error(`Mark ${m} is ahead of total emitted (${this._totalEmitted})`);\n }\n const evictedCount = this._totalEmitted - this._events.length;\n if (m < evictedCount) {\n throw new MarkEvictedError(\n `Mark ${m} references evicted events (buffer starts at ${evictedCount}, max_events=${this._maxEvents})`,\n );\n }\n return [...this._events.slice(m - evictedCount)];\n }\n\n last(): AuditEvent {\n if (this._events.length === 0) throw new Error(\"No events collected\");\n const last = this._events[this._events.length - 1];\n if (!last) throw new Error(\"No events collected\");\n return last;\n }\n\n filter(action: AuditAction): AuditEvent[] {\n return this._events.filter((e) => e.action === action);\n }\n\n clear(): void { this._events = []; }\n}\n","/** Evaluation result types for dry-run contract evaluation. */\n\n// ---------------------------------------------------------------------------\n// ContractResult\n// ---------------------------------------------------------------------------\n\n/** Result of evaluating a single contract. */\nexport interface ContractResult {\n readonly contractId: string;\n readonly contractType: string; // \"precondition\" | \"postcondition\" | \"sandbox\"\n readonly passed: boolean;\n readonly message: string | null;\n readonly tags: readonly string[];\n readonly observed: boolean;\n readonly effect: string;\n readonly policyError: boolean;\n}\n\n/** Create a frozen ContractResult with defaults matching the Python dataclass. */\nexport function createContractResult(\n fields: Pick<ContractResult, \"contractId\" | \"contractType\" | \"passed\"> &\n Partial<Omit<ContractResult, \"contractId\" | \"contractType\" | \"passed\">>,\n): ContractResult {\n return Object.freeze({\n contractId: fields.contractId,\n contractType: fields.contractType,\n passed: fields.passed,\n message: fields.message ?? null,\n tags: Object.freeze([...(fields.tags ?? [])]),\n observed: fields.observed ?? false,\n effect: fields.effect ?? \"warn\",\n policyError: fields.policyError ?? false,\n });\n}\n\n// ---------------------------------------------------------------------------\n// EvaluationResult\n// ---------------------------------------------------------------------------\n\n/** Result of dry-run evaluation of a tool call against contracts. */\nexport interface EvaluationResult {\n readonly verdict: string; // \"allow\" | \"deny\" | \"warn\"\n readonly toolName: string;\n readonly contracts: readonly ContractResult[];\n readonly denyReasons: readonly string[];\n readonly warnReasons: readonly string[];\n readonly contractsEvaluated: number;\n readonly policyError: boolean;\n}\n\n/** Create a frozen EvaluationResult with defaults matching the Python dataclass. */\nexport function createEvaluationResult(\n fields: Pick<EvaluationResult, \"verdict\" | \"toolName\"> &\n Partial<Omit<EvaluationResult, \"verdict\" | \"toolName\">>,\n): EvaluationResult {\n return Object.freeze({\n verdict: fields.verdict,\n toolName: fields.toolName,\n contracts: Object.freeze([...(fields.contracts ?? [])]),\n denyReasons: Object.freeze([...(fields.denyReasons ?? [])]),\n warnReasons: Object.freeze([...(fields.warnReasons ?? [])]),\n contractsEvaluated: fields.contractsEvaluated ?? 0,\n policyError: fields.policyError ?? false,\n });\n}\n","/**\n * GovernancePipeline -- single source of governance logic.\n *\n * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's pipeline.py\n * (485 LOC). PreDecision + PostDecision types + the 5-stage pre/post engine\n * form a single cohesive evaluation flow that would be harder to follow if split.\n */\n\nimport { Verdict } from \"./contracts.js\";\nimport { SideEffect } from \"./envelope.js\";\nimport type { ToolEnvelope } from \"./envelope.js\";\nimport { HookDecision, HookResult } from \"./hooks.js\";\nimport { RedactionPolicy } from \"./redaction.js\";\nimport type { Session } from \"./session.js\";\nimport type { GuardLike } from \"./internal-contracts.js\";\n\n// ---------------------------------------------------------------------------\n// PreDecision\n// ---------------------------------------------------------------------------\n\n/** Result of pre-execution governance evaluation. */\nexport interface PreDecision {\n readonly action: \"allow\" | \"deny\" | \"pending_approval\";\n readonly reason: string | null;\n readonly decisionSource: string | null;\n readonly decisionName: string | null;\n readonly hooksEvaluated: Record<string, unknown>[];\n readonly contractsEvaluated: Record<string, unknown>[];\n readonly observed: boolean;\n readonly policyError: boolean;\n readonly observeResults: Record<string, unknown>[];\n readonly approvalTimeout: number;\n readonly approvalTimeoutEffect: string;\n readonly approvalMessage: string | null;\n}\n\n/** Create a PreDecision with defaults for omitted fields. */\nexport function createPreDecision(\n partial: Partial<PreDecision> & Pick<PreDecision, \"action\">,\n): PreDecision {\n return {\n action: partial.action,\n reason: partial.reason ?? null,\n decisionSource: partial.decisionSource ?? null,\n decisionName: partial.decisionName ?? null,\n hooksEvaluated: partial.hooksEvaluated ?? [],\n contractsEvaluated: partial.contractsEvaluated ?? [],\n observed: partial.observed ?? false,\n policyError: partial.policyError ?? false,\n observeResults: partial.observeResults ?? [],\n approvalTimeout: partial.approvalTimeout ?? 300,\n approvalTimeoutEffect: partial.approvalTimeoutEffect ?? \"deny\",\n approvalMessage: partial.approvalMessage ?? null,\n };\n}\n\n// ---------------------------------------------------------------------------\n// PostDecision\n// ---------------------------------------------------------------------------\n\n/** Result of post-execution governance evaluation. */\nexport interface PostDecision {\n readonly toolSuccess: boolean;\n readonly postconditionsPassed: boolean;\n readonly warnings: string[];\n readonly contractsEvaluated: Record<string, unknown>[];\n readonly policyError: boolean;\n readonly redactedResponse: unknown;\n readonly outputSuppressed: boolean;\n}\n\n/** Create a PostDecision with defaults for omitted fields. */\nexport function createPostDecision(\n partial: Partial<PostDecision> & Pick<PostDecision, \"toolSuccess\">,\n): PostDecision {\n return {\n toolSuccess: partial.toolSuccess,\n postconditionsPassed: partial.postconditionsPassed ?? true,\n warnings: partial.warnings ?? [],\n contractsEvaluated: partial.contractsEvaluated ?? [],\n policyError: partial.policyError ?? false,\n redactedResponse: partial.redactedResponse ?? null,\n outputSuppressed: partial.outputSuppressed ?? false,\n };\n}\n\n// ---------------------------------------------------------------------------\n// Helpers\n// ---------------------------------------------------------------------------\n\n/** Check if any evaluated contract record has a policy_error in metadata. */\nfunction hasPolicyError(\n contractsEvaluated: Record<string, unknown>[],\n): boolean {\n return contractsEvaluated.some((c) => {\n const meta = c[\"metadata\"] as Record<string, unknown> | undefined;\n return meta?.[\"policy_error\"] === true;\n });\n}\n\n// ---------------------------------------------------------------------------\n// GovernancePipeline\n// ---------------------------------------------------------------------------\n\n/**\n * Orchestrates all governance checks.\n *\n * This is the single source of truth for governance logic.\n * Adapters call preExecute() and postExecute(), then translate\n * the structured results into framework-specific formats.\n */\nexport class GovernancePipeline {\n private readonly _guard: GuardLike;\n\n constructor(guard: GuardLike) {\n this._guard = guard;\n }\n\n async preExecute(\n envelope: ToolEnvelope,\n session: Session,\n ): Promise<PreDecision> {\n const hooksEvaluated: Record<string, unknown>[] = [];\n const contractsEvaluated: Record<string, unknown>[] = [];\n let hasObservedDeny = false;\n\n // Pre-fetch session counters in a single batch to reduce HTTP\n // round trips when using ServerBackend. The tool-specific key\n // is included only when a per-tool limit is configured.\n let toolNameForBatch: string | undefined;\n if (envelope.toolName in this._guard.limits.maxCallsPerTool) {\n toolNameForBatch = envelope.toolName;\n }\n const counters = await session.batchGetCounters({\n includeTool: toolNameForBatch,\n });\n\n // 1. Attempt limit\n const attemptCount = counters[\"attempts\"] ?? 0;\n if (attemptCount >= this._guard.limits.maxAttempts) {\n return createPreDecision({\n action: \"deny\",\n reason:\n `Attempt limit reached (${this._guard.limits.maxAttempts}). ` +\n \"Agent may be stuck in a retry loop. Stop and reassess.\",\n decisionSource: \"attempt_limit\",\n decisionName: \"max_attempts\",\n hooksEvaluated,\n contractsEvaluated,\n });\n }\n\n // 2. Before hooks (catch exceptions)\n for (const hookReg of this._guard.getHooks(\"before\", envelope)) {\n if (hookReg.when && !hookReg.when(envelope)) {\n continue;\n }\n let decision: HookDecision;\n try {\n decision = await hookReg.callback(envelope);\n } catch (exc) {\n decision = HookDecision.deny(`Hook error: ${exc}`);\n }\n\n const hookRecord: Record<string, unknown> = {\n name:\n hookReg.callback.name || \"anonymous\",\n result: decision.result,\n reason: decision.reason,\n };\n hooksEvaluated.push(hookRecord);\n\n if (decision.result === HookResult.DENY) {\n return createPreDecision({\n action: \"deny\",\n reason: decision.reason,\n decisionSource: \"hook\",\n decisionName: hookRecord[\"name\"] as string,\n hooksEvaluated,\n contractsEvaluated,\n policyError: (decision.reason ?? \"\").includes(\"Hook error:\"),\n });\n }\n }\n\n // 3. Preconditions (catch exceptions)\n for (const contract of this._guard.getPreconditions(envelope)) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc) {\n verdict = Verdict.fail(`Precondition error: ${exc}`, {\n policy_error: true,\n });\n }\n\n const contractRecord: Record<string, unknown> = {\n name: contract.name,\n type: \"precondition\",\n passed: verdict.passed,\n message: verdict.message,\n };\n if (\n verdict.metadata &&\n Object.keys(verdict.metadata).length > 0\n ) {\n contractRecord[\"metadata\"] = verdict.metadata;\n }\n contractsEvaluated.push(contractRecord);\n\n if (!verdict.passed) {\n // Per-contract observe mode: record but don't deny\n if (contract.mode === \"observe\") {\n contractRecord[\"observed\"] = true;\n hasObservedDeny = true;\n continue;\n }\n\n const source = contract.source ?? \"precondition\";\n const pe = hasPolicyError(contractsEvaluated);\n\n const effect = contract.effect ?? \"deny\";\n if (effect === \"approve\") {\n return createPreDecision({\n action: \"pending_approval\",\n reason: verdict.message,\n decisionSource: source,\n decisionName: contract.name,\n hooksEvaluated,\n contractsEvaluated,\n policyError: pe,\n approvalTimeout: contract.timeout ?? 300,\n approvalTimeoutEffect: contract.timeoutEffect ?? \"deny\",\n approvalMessage: verdict.message,\n });\n }\n\n return createPreDecision({\n action: \"deny\",\n reason: verdict.message,\n decisionSource: source,\n decisionName: contract.name,\n hooksEvaluated,\n contractsEvaluated,\n policyError: pe,\n });\n }\n }\n\n // 3.5. Sandbox contracts\n for (const contract of this._guard.getSandboxContracts(envelope)) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc) {\n verdict = Verdict.fail(`Sandbox contract error: ${exc}`, {\n policy_error: true,\n });\n }\n\n const contractRecord: Record<string, unknown> = {\n name: contract.name,\n type: \"sandbox\",\n passed: verdict.passed,\n message: verdict.message,\n };\n if (\n verdict.metadata &&\n Object.keys(verdict.metadata).length > 0\n ) {\n contractRecord[\"metadata\"] = verdict.metadata;\n }\n contractsEvaluated.push(contractRecord);\n\n if (!verdict.passed) {\n if (contract.mode === \"observe\") {\n contractRecord[\"observed\"] = true;\n hasObservedDeny = true;\n continue;\n }\n\n const source = contract.source ?? \"yaml_sandbox\";\n const pe = hasPolicyError(contractsEvaluated);\n\n const effect = contract.effect ?? \"deny\";\n if (effect === \"approve\") {\n return createPreDecision({\n action: \"pending_approval\",\n reason: verdict.message,\n decisionSource: source,\n decisionName: contract.name,\n hooksEvaluated,\n contractsEvaluated,\n policyError: pe,\n approvalTimeout: contract.timeout ?? 300,\n approvalTimeoutEffect: contract.timeoutEffect ?? \"deny\",\n approvalMessage: verdict.message,\n });\n }\n\n return createPreDecision({\n action: \"deny\",\n reason: verdict.message,\n decisionSource: source,\n decisionName: contract.name,\n hooksEvaluated,\n contractsEvaluated,\n policyError: pe,\n });\n }\n }\n\n // 4. Session contracts (catch exceptions)\n for (const contract of this._guard.getSessionContracts()) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(session);\n } catch (exc) {\n verdict = Verdict.fail(`Session contract error: ${exc}`, {\n policy_error: true,\n });\n }\n\n const contractRecord: Record<string, unknown> = {\n name: contract.name,\n type: \"session_contract\",\n passed: verdict.passed,\n message: verdict.message,\n };\n if (\n verdict.metadata &&\n Object.keys(verdict.metadata).length > 0\n ) {\n contractRecord[\"metadata\"] = verdict.metadata;\n }\n contractsEvaluated.push(contractRecord);\n\n if (!verdict.passed) {\n const source = contract.source ?? \"session_contract\";\n const pe = hasPolicyError(contractsEvaluated);\n return createPreDecision({\n action: \"deny\",\n reason: verdict.message,\n decisionSource: source,\n decisionName: contract.name,\n hooksEvaluated,\n contractsEvaluated,\n policyError: pe,\n });\n }\n }\n\n // 5. Execution limits (use pre-fetched counters)\n const execCount = counters[\"execs\"] ?? 0;\n if (execCount >= this._guard.limits.maxToolCalls) {\n return createPreDecision({\n action: \"deny\",\n reason:\n `Execution limit reached (${this._guard.limits.maxToolCalls} calls). ` +\n \"Summarize progress and stop.\",\n decisionSource: \"operation_limit\",\n decisionName: \"max_tool_calls\",\n hooksEvaluated,\n contractsEvaluated,\n });\n }\n\n // Per-tool limits (use pre-fetched counter when available)\n if (envelope.toolName in this._guard.limits.maxCallsPerTool) {\n const toolKey = `tool:${envelope.toolName}`;\n const toolCount = counters[toolKey] ?? 0;\n const toolLimit =\n this._guard.limits.maxCallsPerTool[envelope.toolName] ?? 0;\n if (toolCount >= toolLimit) {\n return createPreDecision({\n action: \"deny\",\n reason:\n `Per-tool limit: ${envelope.toolName} called ${toolCount} times (limit: ${toolLimit}).`,\n decisionSource: \"operation_limit\",\n decisionName: `max_calls_per_tool:${envelope.toolName}`,\n hooksEvaluated,\n contractsEvaluated,\n });\n }\n }\n\n // 6. All checks passed\n const pe = hasPolicyError(contractsEvaluated);\n\n // 7. Observe-mode contract evaluation (never affects the decision)\n const observeResults = await this._evaluateObserveContracts(\n envelope,\n session,\n );\n\n return createPreDecision({\n action: \"allow\",\n hooksEvaluated,\n contractsEvaluated,\n observed: hasObservedDeny,\n policyError: pe,\n observeResults,\n });\n }\n\n async postExecute(\n envelope: ToolEnvelope,\n toolResponse: unknown,\n toolSuccess: boolean,\n ): Promise<PostDecision> {\n const warnings: string[] = [];\n const contractsEvaluated: Record<string, unknown>[] = [];\n let redactedResponse: unknown = null;\n let outputSuppressed = false;\n\n // 1. Postconditions (catch exceptions)\n for (const contract of this._guard.getPostconditions(envelope)) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope, toolResponse);\n } catch (exc) {\n verdict = Verdict.fail(`Postcondition error: ${exc}`, {\n policy_error: true,\n });\n }\n\n const contractRecord: Record<string, unknown> = {\n name: contract.name,\n type: \"postcondition\",\n passed: verdict.passed,\n message: verdict.message,\n };\n if (\n verdict.metadata &&\n Object.keys(verdict.metadata).length > 0\n ) {\n contractRecord[\"metadata\"] = verdict.metadata;\n }\n contractsEvaluated.push(contractRecord);\n\n if (!verdict.passed) {\n const effect = contract.effect ?? \"warn\";\n const contractMode = contract.mode;\n const isSafe =\n envelope.sideEffect === SideEffect.PURE ||\n envelope.sideEffect === SideEffect.READ;\n\n // Observe mode takes precedence\n if (contractMode === \"observe\") {\n contractRecord[\"observed\"] = true;\n warnings.push(`\\u26a0\\ufe0f [observe] ${verdict.message}`);\n } else if (effect === \"redact\" && isSafe) {\n const patterns = contract.redactPatterns ?? [];\n const source =\n redactedResponse !== null ? redactedResponse : toolResponse;\n let text = source != null ? String(source) : \"\";\n if (patterns.length > 0) {\n for (const pat of patterns) {\n // Python re.sub() replaces ALL occurrences; ensure global flag\n const globalPat = pat.global\n ? pat\n : new RegExp(pat.source, pat.flags + \"g\");\n text = text.replace(globalPat, \"[REDACTED]\");\n }\n } else {\n const policy = new RedactionPolicy();\n text = policy.redactResult(text, text.length + 100);\n }\n redactedResponse = text;\n warnings.push(\n `\\u26a0\\ufe0f Content redacted by ${contract.name}.`,\n );\n } else if (effect === \"deny\" && isSafe) {\n redactedResponse = `[OUTPUT SUPPRESSED] ${verdict.message}`;\n outputSuppressed = true;\n warnings.push(\n `\\u26a0\\ufe0f Output suppressed by ${contract.name}.`,\n );\n } else if (\n (effect === \"redact\" || effect === \"deny\") &&\n !isSafe\n ) {\n warnings.push(\n `\\u26a0\\ufe0f ${verdict.message} Tool already executed \\u2014 assess before proceeding.`,\n );\n } else if (isSafe) {\n warnings.push(\n `\\u26a0\\ufe0f ${verdict.message} Consider retrying.`,\n );\n } else {\n warnings.push(\n `\\u26a0\\ufe0f ${verdict.message} Tool already executed \\u2014 assess before proceeding.`,\n );\n }\n }\n }\n\n // 2. After hooks (catch exceptions)\n for (const hookReg of this._guard.getHooks(\"after\", envelope)) {\n if (hookReg.when && !hookReg.when(envelope)) {\n continue;\n }\n try {\n await hookReg.callback(envelope, toolResponse);\n } catch {\n // After hook errors are silently swallowed — they must not affect governance decisions.\n }\n }\n\n // 3. Observe-mode postconditions (from observe_alongside bundles)\n // These never affect the decision — only produce audit findings.\n for (const contract of this._guard.getObservePostconditions(envelope)) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope, toolResponse);\n } catch (exc) {\n verdict = Verdict.fail(\n `Observe-mode postcondition error: ${exc}`,\n { policy_error: true },\n );\n }\n const record: Record<string, unknown> = {\n name: contract.name,\n type: \"postcondition\",\n passed: verdict.passed,\n message: verdict.message,\n observed: true,\n source: contract.source ?? \"yaml_postcondition\",\n };\n if (verdict.metadata && Object.keys(verdict.metadata).length > 0) {\n record[\"metadata\"] = verdict.metadata;\n }\n contractsEvaluated.push(record);\n if (!verdict.passed) {\n warnings.push(`\\u26a0\\ufe0f [observe] ${verdict.message}`);\n }\n }\n\n // Exclude observe-mode records from the \"real failure\" check —\n // observe-mode failures are logged but should not signal a real failure\n const postconditionsPassed =\n contractsEvaluated.length > 0\n ? contractsEvaluated.every(\n (c) => c[\"passed\"] === true || c[\"observed\"] === true,\n )\n : true;\n const pe = hasPolicyError(contractsEvaluated);\n\n return createPostDecision({\n toolSuccess,\n postconditionsPassed,\n warnings,\n contractsEvaluated,\n policyError: pe,\n redactedResponse,\n outputSuppressed,\n });\n }\n\n /**\n * Evaluate observe-mode contracts without affecting the real decision.\n *\n * Observe-mode contracts are identified by mode === \"observe\" on the\n * internal contract. Results are returned as dicts for audit emission\n * but never block calls.\n */\n private async _evaluateObserveContracts(\n envelope: ToolEnvelope,\n session: Session,\n ): Promise<Record<string, unknown>[]> {\n const results: Record<string, unknown>[] = [];\n\n // Observe-mode preconditions\n for (const contract of this._guard.getObservePreconditions(\n envelope,\n )) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc) {\n verdict = Verdict.fail(\n `Observe-mode precondition error: ${exc}`,\n { policy_error: true },\n );\n }\n\n results.push({\n name: contract.name,\n type: \"precondition\",\n passed: verdict.passed,\n message: verdict.message,\n source: contract.source ?? \"yaml_precondition\",\n });\n }\n\n // Observe-mode sandbox contracts\n for (const contract of this._guard.getObserveSandboxContracts(\n envelope,\n )) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc) {\n verdict = Verdict.fail(\n `Observe-mode sandbox error: ${exc}`,\n { policy_error: true },\n );\n }\n\n results.push({\n name: contract.name,\n type: \"sandbox\",\n passed: verdict.passed,\n message: verdict.message,\n source: contract.source ?? \"yaml_sandbox\",\n });\n }\n\n // Observe-mode session contracts -- evaluate against the real session\n for (const contract of this._guard.getObserveSessionContracts()) {\n let verdict: Verdict;\n try {\n verdict = await contract.check(session);\n } catch (exc) {\n verdict = Verdict.fail(\n `Observe-mode session contract error: ${exc}`,\n { policy_error: true },\n );\n }\n\n results.push({\n name: contract.name,\n type: \"session_contract\",\n passed: verdict.passed,\n message: verdict.message,\n source: contract.source ?? \"yaml_session\",\n });\n }\n\n return results;\n }\n}\n","/**\n * Execution logic for Edictum.run() -- governance pipeline with tool execution.\n *\n * Ports Python's _runner.py. Governance pipeline + tool callable execution.\n *\n * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _runner.py\n * (350 LOC). The full run() flow (pre-execute → approval → execute → post-execute\n * → audit) is a single cohesive transaction that would be harder to follow if split.\n */\n\nimport type { Edictum } from \"./guard.js\";\nimport type { AuditAction } from \"./audit.js\";\nimport type { Principal, ToolEnvelope } from \"./envelope.js\";\nimport type { PreDecision } from \"./pipeline.js\";\nimport type { Session } from \"./session.js\";\n\nimport { ApprovalStatus } from \"./approval.js\";\nimport {\n AuditAction as AA,\n createAuditEvent,\n} from \"./audit.js\";\nimport { createEnvelope } from \"./envelope.js\";\nimport { EdictumDenied, EdictumToolError } from \"./errors.js\";\nimport { GovernancePipeline } from \"./pipeline.js\";\nimport { Session as SessionClass } from \"./session.js\";\n\n// ---------------------------------------------------------------------------\n// defaultSuccessCheck\n// ---------------------------------------------------------------------------\n\n/**\n * Default heuristic for tool success detection.\n *\n * Matches the heuristic used by all framework adapters:\n * - null/undefined is success\n * - object with is_error truthy is failure\n * - string starting with \"error:\" or \"fatal:\" (case-insensitive) is failure\n * - everything else is success\n */\nexport function defaultSuccessCheck(\n _toolName: string,\n result: unknown,\n): boolean {\n if (result == null) {\n return true;\n }\n if (typeof result === \"object\" && !Array.isArray(result)) {\n const dict = result as Record<string, unknown>;\n if (dict[\"is_error\"]) {\n return false;\n }\n }\n if (typeof result === \"string\") {\n const lower = result.slice(0, 7).toLowerCase();\n if (lower.startsWith(\"error:\") || lower.startsWith(\"fatal:\")) {\n return false;\n }\n }\n return true;\n}\n\n// ---------------------------------------------------------------------------\n// RunOptions\n// ---------------------------------------------------------------------------\n\n/** Options for the run() function beyond the required positional args. */\nexport interface RunOptions {\n readonly sessionId?: string;\n readonly environment?: string;\n readonly principal?: Principal;\n}\n\n// ---------------------------------------------------------------------------\n// _emitRunPreAudit\n// ---------------------------------------------------------------------------\n\nasync function _emitRunPreAudit(\n guard: Edictum,\n envelope: Readonly<ToolEnvelope>,\n session: Session,\n action: AuditAction,\n pre: PreDecision,\n): Promise<void> {\n const event = createAuditEvent({\n action,\n runId: envelope.runId,\n callId: envelope.callId,\n toolName: envelope.toolName,\n toolArgs: guard.redaction.redactArgs(envelope.args) as Record<\n string,\n unknown\n >,\n sideEffect: envelope.sideEffect,\n environment: envelope.environment,\n principal: envelope.principal\n ? ({ ...envelope.principal } as Record<string, unknown>)\n : null,\n decisionSource: pre.decisionSource,\n decisionName: pre.decisionName,\n reason: pre.reason,\n hooksEvaluated: pre.hooksEvaluated,\n contractsEvaluated: pre.contractsEvaluated,\n sessionAttemptCount: await session.attemptCount(),\n sessionExecutionCount: await session.executionCount(),\n mode: guard.mode,\n policyVersion: guard.policyVersion,\n policyError: pre.policyError,\n });\n await guard.auditSink.emit(event);\n // TODO: Phase 3 — _emitOtelGovernanceSpan(guard, event)\n}\n\n// ---------------------------------------------------------------------------\n// run\n// ---------------------------------------------------------------------------\n\n/**\n * Framework-agnostic entrypoint for governed tool execution.\n *\n * Creates session, pipeline, envelope. Runs pre-execute governance,\n * handles approval flow, executes the tool, runs post-execute governance,\n * emits audit events, and returns the (potentially redacted) result.\n */\nexport async function run(\n guard: Edictum,\n toolName: string,\n args: Record<string, unknown>,\n toolCallable: (\n args: Record<string, unknown>,\n ) => unknown | Promise<unknown>,\n options?: RunOptions,\n): Promise<unknown> {\n const sessionId = options?.sessionId ?? guard.sessionId;\n const session = new SessionClass(sessionId, guard.backend);\n const pipeline = new GovernancePipeline(guard);\n\n // Allow per-call environment override; fall back to guard-level default\n const env = options?.environment ?? guard.environment;\n\n // Resolve principal: per-call resolver > static > options\n let principal = options?.principal ?? undefined;\n if (principal === undefined) {\n const resolved = guard._resolvePrincipal(toolName, args);\n if (resolved != null) {\n principal = resolved;\n }\n }\n\n const envelope = createEnvelope(toolName, args, {\n runId: sessionId,\n environment: env,\n registry: guard.toolRegistry,\n principal: principal ?? null,\n });\n\n // Increment attempts\n await session.incrementAttempts();\n\n // TODO: Phase 3 — start OTel span\n // const span = guard.telemetry.startToolSpan(envelope);\n\n try {\n // TODO: Phase 3 — set policy version on span\n // if (guard.policyVersion) {\n // span.setAttribute(\"edictum.policy_version\", guard.policyVersion);\n // }\n\n // Pre-execute\n const pre = await pipeline.preExecute(envelope, session);\n\n // Handle pending_approval: request approval from backend\n if (pre.action === \"pending_approval\") {\n if (guard._approvalBackend == null) {\n // TODO: Phase 3 — span.setError(...)\n throw new EdictumDenied(\n `Approval required but no approval backend configured: ${pre.reason}`,\n pre.decisionSource,\n pre.decisionName,\n );\n }\n\n const principalDict = envelope.principal\n ? ({ ...envelope.principal } as Record<string, unknown>)\n : null;\n\n const approvalRequest =\n await guard._approvalBackend.requestApproval(\n envelope.toolName,\n envelope.args as Record<string, unknown>,\n pre.approvalMessage ?? pre.reason ?? \"\",\n {\n timeout: pre.approvalTimeout,\n timeoutEffect: pre.approvalTimeoutEffect,\n principal: principalDict,\n },\n );\n\n await _emitRunPreAudit(\n guard,\n envelope,\n session,\n AA.CALL_APPROVAL_REQUESTED,\n pre,\n );\n\n const decision = await guard._approvalBackend.waitForDecision(\n approvalRequest.approvalId,\n pre.approvalTimeout,\n );\n\n // Resolve approval: approved, denied, or timeout (with timeout_effect)\n let approved = false;\n if (decision.status === ApprovalStatus.TIMEOUT) {\n await _emitRunPreAudit(\n guard,\n envelope,\n session,\n AA.CALL_APPROVAL_TIMEOUT,\n pre,\n );\n if (pre.approvalTimeoutEffect === \"allow\") {\n approved = true;\n }\n } else if (!decision.approved) {\n await _emitRunPreAudit(\n guard,\n envelope,\n session,\n AA.CALL_APPROVAL_DENIED,\n pre,\n );\n } else {\n approved = true;\n await _emitRunPreAudit(\n guard,\n envelope,\n session,\n AA.CALL_APPROVAL_GRANTED,\n pre,\n );\n }\n\n if (approved) {\n // TODO: Phase 3 — guard.telemetry.recordAllowed(envelope)\n if (guard._onAllow) {\n try {\n guard._onAllow(envelope);\n } catch {\n // on_allow callback raised — swallow\n }\n }\n // TODO: Phase 3 — span.setAttribute(\"governance.action\", \"approved\")\n // Skip the normal pre-execution audit/callback logic below —\n // approval-granted path handles its own audit and callbacks.\n } else {\n const denyReason = decision.reason ?? pre.reason ?? \"\";\n // TODO: Phase 3 — guard.telemetry.recordDenial(envelope, denyReason)\n if (guard._onDeny) {\n try {\n guard._onDeny(envelope, denyReason, pre.decisionName);\n } catch {\n // on_deny callback raised — swallow\n }\n }\n // TODO: Phase 3 — span error attributes\n throw new EdictumDenied(\n decision.reason ?? pre.reason ?? \"denied\",\n pre.decisionSource,\n pre.decisionName,\n );\n }\n }\n\n // Determine if this is a real deny or just per-contract observed denials\n const realDeny = pre.action === \"deny\" && !pre.observed;\n\n // Skip pre-execution audit for approval-granted path (already handled above)\n if (pre.action === \"pending_approval\") {\n // Fall through directly to tool execution\n } else if (realDeny) {\n const auditAction =\n guard.mode === \"observe\" ? AA.CALL_WOULD_DENY : AA.CALL_DENIED;\n await _emitRunPreAudit(guard, envelope, session, auditAction, pre);\n // TODO: Phase 3 — guard.telemetry.recordDenial(envelope, pre.reason)\n\n if (guard.mode === \"enforce\") {\n if (guard._onDeny) {\n try {\n guard._onDeny(envelope, pre.reason ?? \"\", pre.decisionName);\n } catch {\n // on_deny callback raised — swallow\n }\n }\n // TODO: Phase 3 — span error attributes\n throw new EdictumDenied(\n pre.reason ?? \"denied\",\n pre.decisionSource,\n pre.decisionName,\n );\n }\n // observe mode: fall through to execute\n // TODO: Phase 3 — span.setAttribute(\"governance.action\", \"would_deny\")\n } else {\n // Emit CALL_WOULD_DENY for any per-contract observed denials\n for (const cr of pre.contractsEvaluated) {\n if (cr[\"observed\"] && !cr[\"passed\"]) {\n const observedEvent = createAuditEvent({\n action: AA.CALL_WOULD_DENY,\n runId: envelope.runId,\n callId: envelope.callId,\n toolName: envelope.toolName,\n toolArgs: guard.redaction.redactArgs(envelope.args) as Record<\n string,\n unknown\n >,\n sideEffect: envelope.sideEffect,\n environment: envelope.environment,\n principal: envelope.principal\n ? ({ ...envelope.principal } as Record<string, unknown>)\n : null,\n decisionSource: \"precondition\",\n decisionName: cr[\"name\"] as string,\n reason: cr[\"message\"] as string | null,\n mode: \"observe\",\n policyVersion: guard.policyVersion,\n policyError: pre.policyError,\n });\n await guard.auditSink.emit(observedEvent);\n // TODO: Phase 3 — _emitOtelGovernanceSpan(guard, observedEvent)\n }\n }\n\n await _emitRunPreAudit(\n guard,\n envelope,\n session,\n AA.CALL_ALLOWED,\n pre,\n );\n // TODO: Phase 3 — guard.telemetry.recordAllowed(envelope)\n if (guard._onAllow) {\n try {\n guard._onAllow(envelope);\n } catch {\n // on_allow callback raised — swallow\n }\n }\n // TODO: Phase 3 — span.setAttribute(\"governance.action\", \"allowed\")\n }\n\n // Emit observe-mode audit events (never affect the real decision)\n for (const sr of pre.observeResults) {\n const observeAction = sr[\"passed\"]\n ? AA.CALL_ALLOWED\n : AA.CALL_WOULD_DENY;\n const observeEvent = createAuditEvent({\n action: observeAction,\n runId: envelope.runId,\n callId: envelope.callId,\n toolName: envelope.toolName,\n toolArgs: guard.redaction.redactArgs(envelope.args) as Record<\n string,\n unknown\n >,\n sideEffect: envelope.sideEffect,\n environment: envelope.environment,\n principal: envelope.principal\n ? ({ ...envelope.principal } as Record<string, unknown>)\n : null,\n decisionSource: sr[\"source\"] as string | null,\n decisionName: sr[\"name\"] as string | null,\n reason: sr[\"message\"] as string | null,\n mode: \"observe\",\n policyVersion: guard.policyVersion,\n });\n await guard.auditSink.emit(observeEvent);\n // TODO: Phase 3 — _emitOtelGovernanceSpan(guard, observeEvent)\n }\n\n // Execute tool\n let result: unknown;\n let toolSuccess: boolean;\n try {\n // Use the frozen envelope.args snapshot — prevents TOCTOU between\n // governance evaluation and tool execution\n result = toolCallable(envelope.args as Record<string, unknown>);\n // Await if the callable returns a promise\n if (\n result != null &&\n typeof result === \"object\" &&\n typeof (result as Promise<unknown>).then === \"function\"\n ) {\n result = await (result as Promise<unknown>);\n }\n if (guard._successCheck) {\n toolSuccess = guard._successCheck(toolName, result);\n } else {\n toolSuccess = defaultSuccessCheck(toolName, result);\n }\n } catch (e: unknown) {\n result = String(e);\n toolSuccess = false;\n }\n\n // Post-execute\n const post = await pipeline.postExecute(envelope, result, toolSuccess);\n await session.recordExecution(toolName, toolSuccess);\n\n // Emit post-execute audit\n const postAction = toolSuccess\n ? AA.CALL_EXECUTED\n : AA.CALL_FAILED;\n const postEvent = createAuditEvent({\n action: postAction,\n runId: envelope.runId,\n callId: envelope.callId,\n toolName: envelope.toolName,\n toolArgs: guard.redaction.redactArgs(envelope.args) as Record<\n string,\n unknown\n >,\n sideEffect: envelope.sideEffect,\n environment: envelope.environment,\n principal: envelope.principal\n ? ({ ...envelope.principal } as Record<string, unknown>)\n : null,\n toolSuccess,\n postconditionsPassed: post.postconditionsPassed,\n contractsEvaluated: post.contractsEvaluated,\n sessionAttemptCount: await session.attemptCount(),\n sessionExecutionCount: await session.executionCount(),\n mode: guard.mode,\n policyVersion: guard.policyVersion,\n policyError: post.policyError,\n });\n await guard.auditSink.emit(postEvent);\n // TODO: Phase 3 — _emitOtelGovernanceSpan(guard, postEvent)\n\n // TODO: Phase 3 — span tool_success / postconditions_passed attributes\n // TODO: Phase 3 — span OK/error status\n\n if (!toolSuccess) {\n throw new EdictumToolError(String(result));\n }\n\n return post.redactedResponse != null ? post.redactedResponse : result;\n } finally {\n // TODO: Phase 3 — span.end()\n }\n}\n","/**\n * Dry-run evaluation logic for Edictum.evaluate() and evaluateBatch().\n *\n * Ports Python's _dry_run.py. Exhaustive contract evaluation without\n * tool execution. Session contracts are skipped (no session state).\n *\n * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's\n * _dry_run.py (205 LOC). evaluate() + evaluateBatch() are a cohesive unit.\n */\n\nimport type { Edictum } from \"./guard.js\";\nimport type { Principal } from \"./envelope.js\";\n\nimport { createEnvelope, createPrincipal } from \"./envelope.js\";\n\n/** Safely extract tags array from verdict metadata. */\nfunction safeTags(metadata: Readonly<Record<string, unknown>> | null | undefined): string[] {\n if (!metadata) return [];\n const raw = metadata[\"tags\"];\n if (!Array.isArray(raw)) return [];\n return raw.filter((t): t is string => typeof t === \"string\");\n}\nimport {\n createContractResult,\n createEvaluationResult,\n} from \"./evaluation.js\";\nimport type { ContractResult, EvaluationResult } from \"./evaluation.js\";\n\n// ---------------------------------------------------------------------------\n// EvaluateOptions\n// ---------------------------------------------------------------------------\n\n/** Options for the evaluate() function. */\nexport interface EvaluateOptions {\n readonly principal?: Principal;\n readonly output?: string;\n readonly environment?: string;\n}\n\n// ---------------------------------------------------------------------------\n// evaluate\n// ---------------------------------------------------------------------------\n\n/**\n * Dry-run evaluation of a tool call against all matching contracts.\n *\n * Unlike run(), this never executes the tool and evaluates all\n * matching contracts exhaustively (no short-circuit on first deny).\n * Session contracts are skipped (no session state in dry-run).\n */\nexport async function evaluate(\n guard: Edictum,\n toolName: string,\n args: Record<string, unknown>,\n options?: EvaluateOptions,\n): Promise<EvaluationResult> {\n const env = options?.environment ?? guard.environment;\n const envelope = createEnvelope(toolName, args, {\n environment: env,\n principal: options?.principal ?? null,\n registry: guard.toolRegistry,\n });\n\n const contracts: ContractResult[] = [];\n const denyReasons: string[] = [];\n const warnReasons: string[] = [];\n\n // Evaluate all matching preconditions (exhaustive, no short-circuit)\n for (const contract of guard.getPreconditions(envelope)) {\n const contractId = contract.name ?? \"unknown\";\n let verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc: unknown) {\n const contractResult = createContractResult({\n contractId,\n contractType: \"precondition\",\n passed: false,\n message: `Precondition error: ${exc}`,\n policyError: true,\n });\n contracts.push(contractResult);\n denyReasons.push(contractResult.message ?? \"\");\n continue;\n }\n\n const tags = safeTags(verdict.metadata);\n const isObserved =\n contract.mode === \"observe\" && !verdict.passed;\n const pe = verdict.metadata\n ? (verdict.metadata[\"policy_error\"] as boolean) ?? false\n : false;\n\n const contractResult = createContractResult({\n contractId,\n contractType: \"precondition\",\n passed: verdict.passed,\n message: verdict.message,\n tags,\n observed: isObserved,\n policyError: pe,\n });\n contracts.push(contractResult);\n\n if (!verdict.passed && !isObserved) {\n denyReasons.push(verdict.message ?? \"\");\n }\n }\n\n // Evaluate sandbox contracts (exhaustive, no short-circuit)\n for (const contract of guard.getSandboxContracts(envelope)) {\n const contractId = contract.name ?? \"unknown\";\n let verdict;\n try {\n verdict = await contract.check(envelope);\n } catch (exc: unknown) {\n const contractResult = createContractResult({\n contractId,\n contractType: \"sandbox\",\n passed: false,\n message: `Sandbox error: ${exc}`,\n policyError: true,\n });\n contracts.push(contractResult);\n denyReasons.push(contractResult.message ?? \"\");\n continue;\n }\n\n const tags = safeTags(verdict.metadata);\n const isObserved =\n contract.mode === \"observe\" && !verdict.passed;\n const pe = verdict.metadata\n ? (verdict.metadata[\"policy_error\"] as boolean) ?? false\n : false;\n\n const contractResult = createContractResult({\n contractId,\n contractType: \"sandbox\",\n passed: verdict.passed,\n message: verdict.message,\n tags,\n observed: isObserved,\n policyError: pe,\n });\n contracts.push(contractResult);\n\n if (!verdict.passed && !isObserved) {\n denyReasons.push(verdict.message ?? \"\");\n }\n }\n\n // Evaluate postconditions only when output is provided\n if (options?.output != null) {\n for (const contract of guard.getPostconditions(envelope)) {\n const contractId = contract.name ?? \"unknown\";\n let verdict;\n try {\n verdict = await contract.check(envelope, options.output);\n } catch (exc: unknown) {\n const contractResult = createContractResult({\n contractId,\n contractType: \"postcondition\",\n passed: false,\n message: `Postcondition error: ${exc}`,\n policyError: true,\n });\n contracts.push(contractResult);\n // Route to correct bucket based on effect — deny-effect errors\n // must produce deny verdict, not warn\n const excEffect = contract.effect ?? \"warn\";\n if (excEffect === \"deny\") {\n denyReasons.push(contractResult.message ?? \"\");\n } else {\n warnReasons.push(contractResult.message ?? \"\");\n }\n continue;\n }\n\n const tags = safeTags(verdict.metadata);\n const isObserved =\n contract.mode === \"observe\" && !verdict.passed;\n const pe = verdict.metadata\n ? (verdict.metadata[\"policy_error\"] as boolean) ?? false\n : false;\n const effect = contract.effect ?? \"warn\";\n\n const contractResult = createContractResult({\n contractId,\n contractType: \"postcondition\",\n passed: verdict.passed,\n message: verdict.message,\n tags,\n observed: isObserved,\n effect,\n policyError: pe,\n });\n contracts.push(contractResult);\n\n if (!verdict.passed && !isObserved) {\n if (effect === \"deny\") {\n denyReasons.push(verdict.message ?? \"\");\n } else {\n warnReasons.push(verdict.message ?? \"\");\n }\n }\n }\n }\n\n // Compute verdict: deny > warn > allow\n let verdictStr: string;\n if (denyReasons.length > 0) {\n verdictStr = \"deny\";\n } else if (warnReasons.length > 0) {\n verdictStr = \"warn\";\n } else {\n verdictStr = \"allow\";\n }\n\n return createEvaluationResult({\n verdict: verdictStr,\n toolName,\n contracts,\n denyReasons,\n warnReasons,\n contractsEvaluated: contracts.length,\n policyError: contracts.some((r) => r.policyError),\n });\n}\n\n// ---------------------------------------------------------------------------\n// BatchCall\n// ---------------------------------------------------------------------------\n\n/** A single call in an evaluateBatch() batch. */\nexport interface BatchCall {\n readonly tool: string;\n readonly args?: Record<string, unknown>;\n readonly principal?: Record<string, unknown>;\n readonly output?: string | Record<string, unknown>;\n readonly environment?: string;\n}\n\n// ---------------------------------------------------------------------------\n// evaluateBatch\n// ---------------------------------------------------------------------------\n\n/**\n * Evaluate a batch of tool calls. Thin wrapper over evaluate().\n */\nexport async function evaluateBatch(\n guard: Edictum,\n calls: BatchCall[],\n): Promise<EvaluationResult[]> {\n const results: EvaluationResult[] = [];\n for (const call of calls) {\n const callArgs = call.args ?? {};\n\n // Convert principal dict to Principal object\n let principal: Principal | undefined;\n if (call.principal != null && typeof call.principal === \"object\") {\n principal = createPrincipal({\n role: call.principal[\"role\"] as string | undefined ?? undefined,\n userId: call.principal[\"userId\"] as string | undefined ?? undefined,\n ticketRef:\n call.principal[\"ticketRef\"] as string | undefined ?? undefined,\n claims:\n (typeof call.principal[\"claims\"] === \"object\"\n && call.principal[\"claims\"] != null\n && !Array.isArray(call.principal[\"claims\"])\n ? call.principal[\"claims\"] as Record<string, unknown>\n : {}),\n });\n }\n\n // Normalize output: if object, JSON.stringify\n let output: string | undefined;\n if (call.output != null) {\n if (typeof call.output === \"object\") {\n try {\n output = JSON.stringify(call.output);\n } catch {\n output = \"[unserializable output]\";\n }\n } else {\n output = call.output;\n }\n }\n\n results.push(\n await evaluate(guard, call.tool, callArgs, {\n principal,\n output,\n environment: call.environment,\n }),\n );\n }\n return results;\n}\n","/** Edictum — Runtime contract enforcement for AI agent tool calls. */\n\nexport const VERSION = \"0.1.0\";\n\n// Errors\nexport { EdictumConfigError, EdictumDenied, EdictumToolError } from \"./errors.js\";\n\n// Envelope & Classification\nexport {\n BashClassifier,\n createEnvelope,\n createPrincipal,\n deepFreeze,\n SideEffect,\n ToolRegistry,\n _validateToolName,\n} from \"./envelope.js\";\nexport type { CreateEnvelopeOptions, Principal, ToolEnvelope } from \"./envelope.js\";\n\n// Contracts\nexport { Verdict } from \"./contracts.js\";\nexport type { Precondition, Postcondition, SessionContract } from \"./contracts.js\";\n\n// Hooks\nexport { HookDecision, HookResult } from \"./hooks.js\";\n\n// Limits\nexport { DEFAULT_LIMITS } from \"./limits.js\";\nexport type { OperationLimits } from \"./limits.js\";\n\n// Types (internal, but exported for adapter authors)\nexport type { HookRegistration, ToolConfig } from \"./types.js\";\n\n// Storage\nexport { MemoryBackend } from \"./storage.js\";\nexport type { StorageBackend } from \"./storage.js\";\n\n// Session\nexport { Session } from \"./session.js\";\n\n// Approval\nexport {\n ApprovalStatus,\n LocalApprovalBackend,\n} from \"./approval.js\";\nexport type {\n ApprovalBackend,\n ApprovalDecision,\n ApprovalRequest,\n} from \"./approval.js\";\n\n// Audit\nexport {\n AuditAction,\n CollectingAuditSink,\n CompositeSink,\n createAuditEvent,\n FileAuditSink,\n MarkEvictedError,\n StdoutAuditSink,\n} from \"./audit.js\";\nexport type { AuditEvent, AuditSink } from \"./audit.js\";\n\n// Redaction\nexport { RedactionPolicy } from \"./redaction.js\";\n\n// Evaluation\nexport { createContractResult, createEvaluationResult } from \"./evaluation.js\";\nexport type { ContractResult, EvaluationResult } from \"./evaluation.js\";\n\n// Findings\nexport {\n buildFindings,\n classifyFinding,\n createFinding,\n createPostCallResult,\n} from \"./findings.js\";\nexport type { Finding, PostCallResult, PostDecisionLike } from \"./findings.js\";\n\n// Internal contract types (for adapter and YAML engine authors)\nexport type {\n GuardLike,\n InternalContract,\n InternalPrecondition,\n InternalPostcondition,\n InternalSessionContract,\n InternalSandboxContract,\n} from \"./internal-contracts.js\";\n\n// Compiled state\nexport { createCompiledState } from \"./compiled-state.js\";\nexport type { CompiledState } from \"./compiled-state.js\";\n\n// Pipeline\nexport { GovernancePipeline, createPreDecision, createPostDecision } from \"./pipeline.js\";\nexport type { PreDecision, PostDecision } from \"./pipeline.js\";\n\n// Guard\nexport { Edictum } from \"./guard.js\";\nexport type { EdictumOptions } from \"./guard.js\";\n\n// Runner (framework-agnostic tool execution)\nexport { defaultSuccessCheck, run } from \"./runner.js\";\nexport type { RunOptions } from \"./runner.js\";\n\n// Dry-run evaluation\nexport type { BatchCall, EvaluateOptions } from \"./dry-run.js\";\n\n// Fnmatch\nexport { fnmatch } from \"./fnmatch.js\";\n\n// YAML Factory\nexport { fromYaml, fromYamlString, reload } from \"./factory.js\";\nexport type { YamlFactoryOptions, FromYamlOptions, ReloadOptions } from \"./factory.js\";\n\n// YAML Engine (public API)\nexport {\n evaluateExpression,\n PolicyError,\n BUILTIN_OPERATOR_NAMES,\n BUILTIN_SELECTOR_PREFIXES,\n MAX_REGEX_INPUT,\n} from \"./yaml-engine/index.js\";\nexport type {\n CustomOperator,\n CustomSelector,\n} from \"./yaml-engine/index.js\";\nexport {\n compileContracts,\n loadBundle,\n loadBundleString,\n computeHash,\n MAX_BUNDLE_SIZE,\n composeBundles,\n expandMessage,\n validateOperators,\n} from \"./yaml-engine/index.js\";\nexport type {\n CompiledBundle,\n CompileOptions,\n BundleHash,\n ComposedBundle,\n CompositionReport,\n} from \"./yaml-engine/index.js\";\n","/** Operation Limits — tool call and attempt caps. */\n\n/**\n * Operation limits for an agent session.\n *\n * Two counter types:\n * - maxAttempts: caps ALL PreToolUse events (including denied)\n * - maxToolCalls: caps EXECUTIONS only (PostToolUse)\n *\n * Both are checked. Whichever fires first wins.\n */\nexport interface OperationLimits {\n readonly maxAttempts: number;\n readonly maxToolCalls: number;\n readonly maxCallsPerTool: Readonly<Record<string, number>>;\n}\n\nexport const DEFAULT_LIMITS: OperationLimits = Object.freeze({\n maxAttempts: 500,\n maxToolCalls: 200,\n maxCallsPerTool: Object.freeze({}),\n});\n","/** StorageBackend interface + MemoryBackend implementation. */\n\n// ---------------------------------------------------------------------------\n// StorageBackend — protocol for persistent state storage\n// ---------------------------------------------------------------------------\n\n/**\n * Protocol for persistent state storage.\n *\n * Requirements:\n * - increment() MUST be atomic\n * - get/set for simple key-value\n *\n * v0.1.0: No append() method (counters only, no list ops).\n */\nexport interface StorageBackend {\n get(key: string): Promise<string | null>;\n set(key: string, value: string): Promise<void>;\n delete(key: string): Promise<void>;\n increment(key: string, amount?: number): Promise<number>;\n}\n\n// ---------------------------------------------------------------------------\n// MemoryBackend — in-memory implementation for dev/testing\n// ---------------------------------------------------------------------------\n\n/**\n * In-memory storage for development and testing.\n *\n * WARNING: State lost on restart. Session contracts reset.\n * Suitable for: local dev, tests, single-process scripts.\n *\n * Node.js is single-threaded — Map operations are atomic.\n * No lock needed (unlike Python's asyncio.Lock).\n */\nexport class MemoryBackend implements StorageBackend {\n private readonly _data: Map<string, string> = new Map();\n private readonly _counters: Map<string, number> = new Map();\n\n async get(key: string): Promise<string | null> {\n const strVal = this._data.get(key);\n if (strVal !== undefined) {\n return strVal;\n }\n const numVal = this._counters.get(key);\n if (numVal !== undefined) {\n return numVal === Math.trunc(numVal)\n ? String(Math.trunc(numVal))\n : String(numVal);\n }\n return null;\n }\n\n async set(key: string, value: string): Promise<void> {\n this._data.set(key, value);\n }\n\n async delete(key: string): Promise<void> {\n this._data.delete(key);\n this._counters.delete(key);\n }\n\n async increment(key: string, amount: number = 1): Promise<number> {\n const current = this._counters.get(key) ?? 0;\n const next = current + amount;\n this._counters.set(key, next);\n return next;\n }\n\n /**\n * Retrieve multiple values in a single operation.\n *\n * In-memory implementation: multiple Map lookups, no network overhead.\n */\n async batchGet(keys: readonly string[]): Promise<Record<string, string | null>> {\n const result: Record<string, string | null> = {};\n for (const key of keys) {\n result[key] = await this.get(key);\n }\n return result;\n }\n}\n","/** Structured postcondition findings. */\n\n// ---------------------------------------------------------------------------\n// Finding\n// ---------------------------------------------------------------------------\n\n/**\n * A structured finding from a postcondition evaluation.\n *\n * Produced when a postcondition warns or detects an issue.\n * Returned to the caller via PostCallResult so they can\n * decide how to remediate.\n */\nexport interface Finding {\n readonly type: string;\n readonly contractId: string;\n readonly field: string;\n readonly message: string;\n readonly metadata: Readonly<Record<string, unknown>>;\n}\n\n/** Create a frozen Finding with defaults for metadata. */\nexport function createFinding(\n fields: Pick<Finding, \"type\" | \"contractId\" | \"field\" | \"message\"> &\n Partial<Pick<Finding, \"metadata\">>,\n): Finding {\n return Object.freeze({\n type: fields.type,\n contractId: fields.contractId,\n field: fields.field,\n message: fields.message,\n metadata: Object.freeze({ ...(fields.metadata ?? {}) }),\n });\n}\n\n// ---------------------------------------------------------------------------\n// PostCallResult\n// ---------------------------------------------------------------------------\n\n/**\n * Result from a governed tool call, including postcondition findings.\n *\n * Returned by adapter's postToolCall and available via asToolWrapper.\n *\n * When postconditionsPassed is false, the findings list contains\n * structured Finding objects describing what was detected. The caller\n * can then decide how to remediate (redact, replace, log, etc.).\n */\nexport interface PostCallResult {\n readonly result: unknown;\n readonly postconditionsPassed: boolean;\n readonly findings: readonly Finding[];\n readonly outputSuppressed: boolean;\n}\n\n/** Create a PostCallResult with defaults. */\nexport function createPostCallResult(\n fields: Pick<PostCallResult, \"result\"> &\n Partial<Omit<PostCallResult, \"result\">>,\n): PostCallResult {\n return Object.freeze({\n result: fields.result,\n postconditionsPassed: fields.postconditionsPassed ?? true,\n findings: Object.freeze([...(fields.findings ?? [])]),\n outputSuppressed: fields.outputSuppressed ?? false,\n });\n}\n\n// ---------------------------------------------------------------------------\n// classifyFinding\n// ---------------------------------------------------------------------------\n\n/**\n * Classify a postcondition finding type from contract ID and message.\n *\n * Returns a standard finding type string.\n */\nexport function classifyFinding(\n contractId: string,\n verdictMessage: string,\n): string {\n const contractLower = contractId.toLowerCase();\n const messageLower = (verdictMessage || \"\").toLowerCase();\n\n const piiTerms = [\"pii\", \"ssn\", \"patient\", \"name\", \"dob\"];\n if (\n piiTerms.some(\n (term) => contractLower.includes(term) || messageLower.includes(term),\n )\n ) {\n return \"pii_detected\";\n }\n\n const secretTerms = [\"secret\", \"token\", \"key\", \"credential\", \"password\"];\n if (\n secretTerms.some(\n (term) => contractLower.includes(term) || messageLower.includes(term),\n )\n ) {\n return \"secret_detected\";\n }\n\n const limitTerms = [\"session\", \"limit\", \"max_calls\", \"budget\"];\n if (\n limitTerms.some(\n (term) => contractLower.includes(term) || messageLower.includes(term),\n )\n ) {\n return \"limit_exceeded\";\n }\n\n return \"policy_violation\";\n}\n\n// ---------------------------------------------------------------------------\n// PostDecision — structural type (pipeline.ts doesn't exist yet)\n// ---------------------------------------------------------------------------\n\n/**\n * Structural type for the PostDecision fields consumed by buildFindings.\n *\n * The full PostDecision lives in pipeline.ts. This captures only the\n * subset needed here to avoid a circular import.\n */\nexport interface PostDecisionLike {\n readonly contractsEvaluated: ReadonlyArray<{\n readonly passed?: boolean;\n readonly name: string;\n readonly message?: string;\n readonly metadata?: Record<string, unknown>;\n }>;\n}\n\n// ---------------------------------------------------------------------------\n// buildFindings\n// ---------------------------------------------------------------------------\n\n/**\n * Build Finding objects from a PostDecision's failed postconditions.\n *\n * The `field` value is extracted from `metadata.field` if the\n * contract provides it (e.g. `Verdict.fail(\"msg\", { field: \"output.text\" })`),\n * otherwise defaults to `\"output\"` for postconditions.\n */\nexport function buildFindings(postDecision: PostDecisionLike): Finding[] {\n const findings: Finding[] = [];\n for (const cr of postDecision.contractsEvaluated) {\n if (!cr.passed) {\n const meta = cr.metadata ?? {};\n findings.push(\n createFinding({\n type: classifyFinding(cr.name, cr.message ?? \"\"),\n contractId: cr.name,\n field: (meta.field as string) ?? \"output\",\n message: cr.message ?? \"\",\n metadata: meta,\n }),\n );\n }\n }\n return findings;\n}\n","/**\n * _CompiledState -- frozen snapshot of compiled contracts.\n *\n * All contract lists are readonly arrays (frozen). The entire state is\n * replaced atomically via a single reference assignment in reload(),\n * ensuring concurrent evaluations never see a mix of old and new\n * contracts.\n */\n\nimport { deepFreeze } from \"./envelope.js\";\nimport type {\n InternalPrecondition,\n InternalPostcondition,\n InternalSessionContract,\n InternalSandboxContract,\n} from \"./internal-contracts.js\";\nimport { DEFAULT_LIMITS } from \"./limits.js\";\nimport type { OperationLimits } from \"./limits.js\";\n\nexport interface CompiledState {\n readonly preconditions: readonly InternalPrecondition[];\n readonly postconditions: readonly InternalPostcondition[];\n readonly sessionContracts: readonly InternalSessionContract[];\n readonly sandboxContracts: readonly InternalSandboxContract[];\n readonly observePreconditions: readonly InternalPrecondition[];\n readonly observePostconditions: readonly InternalPostcondition[];\n readonly observeSessionContracts: readonly InternalSessionContract[];\n readonly observeSandboxContracts: readonly InternalSandboxContract[];\n readonly limits: OperationLimits;\n readonly policyVersion: string | null;\n}\n\nexport function createCompiledState(\n partial: Partial<CompiledState> = {},\n): CompiledState {\n return deepFreeze({\n preconditions: partial.preconditions ?? [],\n postconditions: partial.postconditions ?? [],\n sessionContracts: partial.sessionContracts ?? [],\n sandboxContracts: partial.sandboxContracts ?? [],\n observePreconditions: partial.observePreconditions ?? [],\n observePostconditions: partial.observePostconditions ?? [],\n observeSessionContracts: partial.observeSessionContracts ?? [],\n observeSandboxContracts: partial.observeSandboxContracts ?? [],\n limits: partial.limits ?? DEFAULT_LIMITS,\n policyVersion: partial.policyVersion ?? null,\n });\n}\n","/**\n * Core Edictum class -- construction, contract registry, and accessor methods.\n *\n * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _guard.py\n * (314 LOC) which is already the decomposed version of the original god class.\n * The contract classification + accessor methods form a cohesive unit.\n *\n * Minimum viable guard: constructor + contract classification + accessors.\n * run(), from_yaml(), from_server() are delegated methods added later.\n */\n\nimport { randomUUID } from \"node:crypto\";\n\nimport type { ApprovalBackend } from \"./approval.js\";\nimport {\n fromYaml as _fromYaml,\n fromYamlString as _fromYamlString,\n reload as _reload,\n} from \"./factory.js\";\nimport type { FromYamlOptions, ReloadOptions, YamlFactoryOptions } from \"./factory.js\";\nimport type { CompositionReport } from \"./yaml-engine/composer.js\";\nimport { CollectingAuditSink, CompositeSink } from \"./audit.js\";\nimport type { AuditSink } from \"./audit.js\";\nimport { createCompiledState } from \"./compiled-state.js\";\nimport { EdictumConfigError } from \"./errors.js\";\nimport type { CompiledState } from \"./compiled-state.js\";\nimport type {\n Precondition,\n Postcondition,\n SessionContract,\n} from \"./contracts.js\";\nimport { SideEffect, ToolRegistry } from \"./envelope.js\";\nimport type { Principal, ToolEnvelope } from \"./envelope.js\";\nimport type { EvaluationResult } from \"./evaluation.js\";\nimport { fnmatch } from \"./fnmatch.js\";\nimport type {\n GuardLike,\n InternalPrecondition,\n InternalPostcondition,\n InternalSessionContract,\n InternalSandboxContract,\n} from \"./internal-contracts.js\";\nimport { DEFAULT_LIMITS } from \"./limits.js\";\nimport type { OperationLimits } from \"./limits.js\";\nimport { RedactionPolicy } from \"./redaction.js\";\nimport { MemoryBackend } from \"./storage.js\";\nimport type { StorageBackend } from \"./storage.js\";\nimport type { HookRegistration } from \"./types.js\";\n\n// ---------------------------------------------------------------------------\n// User contract type discrimination\n// ---------------------------------------------------------------------------\n\n/** User-facing contract with optional name (not in interface, but allowed). */\ntype NamedContract = { readonly name?: string };\n\nfunction isSessionContract(\n c: Precondition | Postcondition | SessionContract,\n): c is SessionContract {\n return !(\"tool\" in c);\n}\n\n// ---------------------------------------------------------------------------\n// EdictumOptions\n// ---------------------------------------------------------------------------\n\n/** Constructor options for the Edictum guard. */\nexport interface EdictumOptions {\n readonly environment?: string;\n readonly mode?: \"enforce\" | \"observe\";\n readonly limits?: OperationLimits;\n readonly tools?: Record<\n string,\n { side_effect?: string; idempotent?: boolean }\n >;\n readonly contracts?: ReadonlyArray<\n Precondition | Postcondition | SessionContract\n >;\n readonly hooks?: ReadonlyArray<HookRegistration>;\n readonly auditSink?: AuditSink | AuditSink[];\n readonly redaction?: RedactionPolicy;\n readonly backend?: StorageBackend;\n readonly policyVersion?: string;\n readonly onDeny?: (\n envelope: ToolEnvelope,\n reason: string,\n source: string | null,\n ) => void;\n readonly onAllow?: (envelope: ToolEnvelope) => void;\n readonly successCheck?: (toolName: string, result: unknown) => boolean;\n readonly principal?: Principal;\n readonly principalResolver?: (\n toolName: string,\n toolInput: Record<string, unknown>,\n ) => Principal;\n readonly approvalBackend?: ApprovalBackend;\n}\n\n// ---------------------------------------------------------------------------\n// Edictum class\n// ---------------------------------------------------------------------------\n\n/**\n * Main configuration and entrypoint.\n *\n * Two usage modes:\n * 1. With framework adapter: use the appropriate adapter\n * 2. Framework-agnostic: use guard.run() directly\n */\nexport class Edictum implements GuardLike {\n readonly environment: string;\n readonly mode: \"enforce\" | \"observe\";\n readonly backend: StorageBackend;\n readonly redaction: RedactionPolicy;\n readonly toolRegistry: ToolRegistry;\n readonly auditSink: AuditSink;\n\n private readonly _localSink: CollectingAuditSink;\n private _state: CompiledState;\n private readonly _beforeHooks: HookRegistration[];\n private readonly _afterHooks: HookRegistration[];\n private readonly _sessionId: string;\n\n // Callbacks and resolution — not private because _runner.ts needs access\n // (Python's _runner.py accesses self._on_deny etc. directly)\n /** @internal */ readonly _onDeny:\n | ((\n envelope: ToolEnvelope,\n reason: string,\n source: string | null,\n ) => void)\n | null;\n /** @internal */ readonly _onAllow: ((envelope: ToolEnvelope) => void) | null;\n /** @internal */ readonly _successCheck:\n | ((toolName: string, result: unknown) => boolean)\n | null;\n private _principal: Principal | null;\n private readonly _principalResolver:\n | ((\n toolName: string,\n toolInput: Record<string, unknown>,\n ) => Principal)\n | null;\n /** @internal */ readonly _approvalBackend: ApprovalBackend | null;\n\n constructor(options: EdictumOptions = {}) {\n this.environment = options.environment ?? \"production\";\n this.mode = options.mode ?? \"enforce\";\n this.backend = options.backend ?? new MemoryBackend();\n this.redaction = options.redaction ?? new RedactionPolicy();\n this._onDeny = options.onDeny ?? null;\n this._onAllow = options.onAllow ?? null;\n this._successCheck = options.successCheck ?? null;\n this._principal = options.principal ?? null;\n this._principalResolver = options.principalResolver ?? null;\n this._approvalBackend = options.approvalBackend ?? null;\n\n // Audit sink: local sink always present\n this._localSink = new CollectingAuditSink();\n if (Array.isArray(options.auditSink)) {\n this.auditSink = new CompositeSink([\n this._localSink,\n ...options.auditSink,\n ]);\n } else if (options.auditSink != null) {\n this.auditSink = new CompositeSink([\n this._localSink,\n options.auditSink,\n ]);\n } else {\n this.auditSink = this._localSink;\n }\n\n // Build tool registry\n this.toolRegistry = new ToolRegistry();\n if (options.tools) {\n for (const [name, config] of Object.entries(options.tools)) {\n this.toolRegistry.register(\n name,\n (config.side_effect as SideEffect | undefined) ??\n SideEffect.IRREVERSIBLE,\n config.idempotent ?? false,\n );\n }\n }\n\n // Classify contracts and build compiled state\n this._state = Edictum._classifyContracts(\n options.contracts ?? [],\n options.limits ?? DEFAULT_LIMITS,\n options.policyVersion ?? null,\n );\n\n // Hooks are not reloaded -- mutable lists are fine\n this._beforeHooks = [];\n this._afterHooks = [];\n for (const item of options.hooks ?? []) {\n this._registerHook(item);\n }\n\n // Persistent session ID for accumulating limits across run() calls\n this._sessionId = randomUUID();\n }\n\n // -----------------------------------------------------------------------\n // Properties\n // -----------------------------------------------------------------------\n\n /** The local in-memory audit event collector. Always present. */\n get localSink(): CollectingAuditSink {\n return this._localSink;\n }\n\n /** Operation limits for the current contract set. */\n get limits(): OperationLimits {\n return this._state.limits;\n }\n\n /** Update operation limits (replaces compiled state atomically). */\n set limits(value: OperationLimits) {\n this._state = createCompiledState({ ...this._state, limits: value });\n }\n\n /** SHA256 hash identifying the active contract bundle. */\n get policyVersion(): string | null {\n return this._state.policyVersion;\n }\n\n /**\n * Replace the compiled state atomically.\n *\n * @internal — used by factory.ts reload(). Not part of the public API.\n */\n _replaceState(newState: CompiledState): void {\n this._state = newState;\n }\n\n /**\n * Read the current compiled state.\n *\n * @internal — used by factory.ts reload(). Not part of the public API.\n */\n _getState(): CompiledState {\n return this._state;\n }\n\n /** Update policy version (replaces compiled state atomically). */\n set policyVersion(value: string | null) {\n this._state = createCompiledState({\n ...this._state,\n policyVersion: value,\n });\n }\n\n /** The persistent session ID for this guard instance. */\n get sessionId(): string {\n return this._sessionId;\n }\n\n // -----------------------------------------------------------------------\n // Principal\n // -----------------------------------------------------------------------\n\n /** Update the principal used for subsequent tool calls. */\n setPrincipal(principal: Principal): void {\n this._principal = principal;\n }\n\n /** Resolve the principal for a tool call. */\n _resolvePrincipal(\n toolName: string,\n toolInput: Record<string, unknown>,\n ): Principal | null {\n if (this._principalResolver != null) {\n return this._principalResolver(toolName, toolInput);\n }\n return this._principal;\n }\n\n // -----------------------------------------------------------------------\n // Hooks\n // -----------------------------------------------------------------------\n\n private _registerHook(item: HookRegistration): void {\n if (item.phase === \"before\") {\n this._beforeHooks.push(item);\n } else {\n this._afterHooks.push(item);\n }\n }\n\n getHooks(\n phase: \"before\" | \"after\",\n envelope: ToolEnvelope,\n ): HookRegistration[] {\n const hooks =\n phase === \"before\" ? this._beforeHooks : this._afterHooks;\n return hooks.filter(\n (h) => h.tool === \"*\" || fnmatch(envelope.toolName, h.tool),\n );\n }\n\n // -----------------------------------------------------------------------\n // Contract accessors -- enforce mode\n // -----------------------------------------------------------------------\n\n getPreconditions(envelope: ToolEnvelope): InternalPrecondition[] {\n return Edictum._filterByTool(\n this._state.preconditions as InternalPrecondition[],\n envelope,\n );\n }\n\n getPostconditions(envelope: ToolEnvelope): InternalPostcondition[] {\n return Edictum._filterByTool(\n this._state.postconditions as InternalPostcondition[],\n envelope,\n );\n }\n\n getSessionContracts(): InternalSessionContract[] {\n return [...this._state.sessionContracts];\n }\n\n getSandboxContracts(envelope: ToolEnvelope): InternalSandboxContract[] {\n return Edictum._filterSandbox(\n this._state.sandboxContracts as InternalSandboxContract[],\n envelope,\n );\n }\n\n // -----------------------------------------------------------------------\n // Contract accessors -- observe mode\n // -----------------------------------------------------------------------\n\n getObservePreconditions(\n envelope: ToolEnvelope,\n ): InternalPrecondition[] {\n return Edictum._filterByTool(\n this._state.observePreconditions as InternalPrecondition[],\n envelope,\n );\n }\n\n getObservePostconditions(\n envelope: ToolEnvelope,\n ): InternalPostcondition[] {\n return Edictum._filterByTool(\n this._state.observePostconditions as InternalPostcondition[],\n envelope,\n );\n }\n\n getObserveSessionContracts(): InternalSessionContract[] {\n return [...this._state.observeSessionContracts];\n }\n\n getObserveSandboxContracts(\n envelope: ToolEnvelope,\n ): InternalSandboxContract[] {\n return Edictum._filterSandbox(\n this._state.observeSandboxContracts as InternalSandboxContract[],\n envelope,\n );\n }\n\n // -----------------------------------------------------------------------\n // Private helpers\n // -----------------------------------------------------------------------\n\n /**\n * Classify user-facing and internal contracts into enforce/observe lists.\n *\n * User-facing contracts (Precondition, Postcondition, SessionContract)\n * are converted to internal representations. Internal contracts (from\n * YAML compiler) carry _edictum_* metadata and are classified by their\n * _edictum_observe flag (Python uses _edictum_shadow — wire-format parity).\n */\n private static _classifyContracts(\n contracts: ReadonlyArray<\n Precondition | Postcondition | SessionContract\n >,\n limits: OperationLimits,\n policyVersion: string | null,\n ): CompiledState {\n const pre: InternalPrecondition[] = [];\n const post: InternalPostcondition[] = [];\n const session: InternalSessionContract[] = [];\n const sandbox: InternalSandboxContract[] = [];\n const oPre: InternalPrecondition[] = [];\n const oPost: InternalPostcondition[] = [];\n const oSession: InternalSessionContract[] = [];\n const oSandbox: InternalSandboxContract[] = [];\n\n for (const item of contracts) {\n const raw = item as unknown as Record<string, unknown>;\n const edictumType = raw._edictum_type as string | undefined;\n // Python YAML compiler emits _edictum_shadow; we accept both for wire-format parity\n const isObserve =\n (raw._edictum_observe as boolean) ??\n (raw._edictum_shadow as boolean) ??\n false;\n\n if (edictumType != null) {\n // Internal contract (from YAML compiler)\n Edictum._classifyInternal(\n raw,\n edictumType,\n isObserve,\n { pre, post, session, sandbox, oPre, oPost, oSession, oSandbox },\n );\n } else if (isSessionContract(item)) {\n const name = (raw as NamedContract).name ?? \"anonymous\";\n session.push({\n type: \"session_contract\",\n name,\n check: (item as SessionContract).check,\n });\n } else if (\"tool\" in item && (item as { contractType?: string }).contractType === \"post\") {\n const postItem = item as Postcondition;\n const name = (raw as NamedContract).name ?? \"anonymous\";\n post.push({\n type: \"postcondition\",\n name,\n tool: postItem.tool,\n check: postItem.check,\n when: postItem.when,\n });\n } else if (\"tool\" in item) {\n // Fail-closed: reject unknown contractType and detect missing \"post\"\n const ct = (raw as { contractType?: unknown }).contractType;\n if (ct != null && ct !== \"pre\") {\n throw new EdictumConfigError(\n `Contract with tool \"${(item as Precondition).tool}\" has unknown contractType ` +\n `\"${String(ct)}\". Expected \"pre\" or omitted for Precondition, \"post\" for Postcondition.`,\n );\n }\n // Best-effort heuristic for JS consumers who forget contractType: \"post\".\n // NOTE: Function.length is unreliable for rest parameters (...args) and\n // default-valued params — both give length 0. This catches the common\n // case (explicit (envelope, output)) but cannot guarantee detection.\n // Always set contractType: \"post\" explicitly.\n if (ct == null && item.check.length >= 2) {\n throw new EdictumConfigError(\n `Contract with tool \"${(item as Precondition).tool}\" has a check function with ` +\n `${item.check.length} parameters (looks like a Postcondition) but is missing ` +\n `contractType: \"post\". Add it to prevent misclassification.`,\n );\n }\n const preItem = item as Precondition;\n const name = (raw as NamedContract).name ?? \"anonymous\";\n pre.push({\n type: \"precondition\",\n name,\n tool: preItem.tool,\n check: preItem.check,\n when: preItem.when,\n });\n }\n }\n\n return createCompiledState({\n preconditions: pre,\n postconditions: post,\n sessionContracts: session,\n sandboxContracts: sandbox,\n observePreconditions: oPre,\n observePostconditions: oPost,\n observeSessionContracts: oSession,\n observeSandboxContracts: oSandbox,\n limits,\n policyVersion,\n });\n }\n\n /** Route an internal contract to the appropriate enforce/observe list. */\n private static _classifyInternal(\n raw: Record<string, unknown>,\n edictumType: string,\n isObserve: boolean,\n lists: {\n pre: InternalPrecondition[];\n post: InternalPostcondition[];\n session: InternalSessionContract[];\n sandbox: InternalSandboxContract[];\n oPre: InternalPrecondition[];\n oPost: InternalPostcondition[];\n oSession: InternalSessionContract[];\n oSandbox: InternalSandboxContract[];\n },\n ): void {\n const target = isObserve\n ? { pre: lists.oPre, post: lists.oPost, session: lists.oSession, sandbox: lists.oSandbox }\n : { pre: lists.pre, post: lists.post, session: lists.session, sandbox: lists.sandbox };\n\n if (edictumType === \"precondition\") target.pre.push(raw as unknown as InternalPrecondition);\n else if (edictumType === \"postcondition\") target.post.push(raw as unknown as InternalPostcondition);\n else if (edictumType === \"session_contract\") target.session.push(raw as unknown as InternalSessionContract);\n else if (edictumType === \"sandbox\") target.sandbox.push(raw as unknown as InternalSandboxContract);\n else {\n throw new EdictumConfigError(\n `Unknown _edictum_type \"${edictumType}\". ` +\n `Expected \"precondition\", \"postcondition\", \"session_contract\", or \"sandbox\".`,\n );\n }\n }\n\n /** Filter contracts by tool pattern and optional `when` guard. */\n private static _filterByTool<\n T extends {\n readonly tool: string;\n readonly when?: ((envelope: ToolEnvelope) => boolean) | null;\n },\n >(contracts: T[], envelope: ToolEnvelope): T[] {\n const result: T[] = [];\n for (const p of contracts) {\n const tool = p.tool ?? \"*\";\n const when = p.when ?? null;\n if (tool !== \"*\" && !fnmatch(envelope.toolName, tool)) {\n continue;\n }\n if (when != null) {\n try {\n if (!when(envelope)) continue;\n } catch {\n // Fail-closed: throwing predicate includes the contract (not excludes)\n // so it gets evaluated and can deny — safer than silently skipping.\n }\n }\n result.push(p);\n }\n return result;\n }\n\n /** Filter sandbox contracts by tool patterns array. */\n private static _filterSandbox(\n contracts: InternalSandboxContract[],\n envelope: ToolEnvelope,\n ): InternalSandboxContract[] {\n const result: InternalSandboxContract[] = [];\n for (const s of contracts) {\n const tools = s.tools ?? [\"*\"];\n if (tools.some((p) => fnmatch(envelope.toolName, p))) {\n result.push(s);\n }\n }\n return result;\n }\n\n // -----------------------------------------------------------------------\n // Delegated methods — run, evaluate, evaluateBatch\n // -----------------------------------------------------------------------\n\n /** Execute a tool call with full governance pipeline. */\n async run(\n toolName: string,\n args: Record<string, unknown>,\n toolCallable: (\n args: Record<string, unknown>,\n ) => unknown | Promise<unknown>,\n options?: {\n sessionId?: string;\n environment?: string;\n principal?: Principal;\n },\n ): Promise<unknown> {\n const { run } = await import(\"./runner.js\");\n return run(this, toolName, args, toolCallable, options);\n }\n\n /**\n * Dry-run evaluation of a tool call against all matching contracts.\n *\n * Never executes the tool. Evaluates exhaustively (no short-circuit).\n * Session contracts are skipped.\n */\n evaluate(\n toolName: string,\n args: Record<string, unknown>,\n options?: {\n principal?: Principal;\n output?: string;\n environment?: string;\n },\n ): Promise<EvaluationResult> {\n // Dynamic import avoids circular dependency\n return import(\"./dry-run.js\").then(({ evaluate }) =>\n evaluate(this, toolName, args, options),\n );\n }\n\n /** Evaluate a batch of tool calls. Thin wrapper over evaluate(). */\n evaluateBatch(\n calls: Array<{\n tool: string;\n args?: Record<string, unknown>;\n principal?: Record<string, unknown>;\n output?: string | Record<string, unknown>;\n environment?: string;\n }>,\n ): Promise<EvaluationResult[]> {\n return import(\"./dry-run.js\").then(({ evaluateBatch }) =>\n evaluateBatch(this, calls),\n );\n }\n\n // -----------------------------------------------------------------------\n // YAML factory methods — delegate to factory.ts\n // Circular dependency (factory.ts imports guard.ts) is safe because\n // ESM resolves all bindings before user code calls these methods.\n // -----------------------------------------------------------------------\n\n /**\n * Create an Edictum instance from one or more YAML contract bundle paths.\n *\n * When multiple paths are given, bundles are composed left-to-right\n * (later layers override earlier ones).\n *\n * When the trailing options object has `returnReport: true`, returns\n * a tuple of [Edictum, CompositionReport].\n */\n static fromYaml(\n ...args: [...string[], FromYamlOptions & { returnReport: true }]\n ): [Edictum, CompositionReport];\n static fromYaml(\n ...args: [...string[], FromYamlOptions] | string[]\n ): Edictum;\n static fromYaml(\n ...args: [...string[], FromYamlOptions] | string[]\n ): Edictum | [Edictum, CompositionReport] {\n return _fromYaml(...args);\n }\n\n /**\n * Create an Edictum instance from a YAML string or Uint8Array.\n */\n static fromYamlString(\n content: string | Uint8Array,\n options?: YamlFactoryOptions,\n ): Edictum {\n return _fromYamlString(content, options);\n }\n\n /**\n * Atomically replace this guard's contracts from a YAML string.\n *\n * Pass customOperators/customSelectors if the new YAML uses custom\n * operators or selectors that were passed to fromYaml/fromYamlString.\n */\n reload(yamlContent: string, options?: ReloadOptions): void {\n _reload(this, yamlContent, options);\n }\n}\n","/**\n * Factory functions for creating Edictum instances from YAML bundles.\n *\n * Ports Python's _factory.py: fromYaml, fromYamlString, reload.\n *\n * SIZE APPROVAL: This file exceeds 200 lines. It mirrors Python's _factory.py\n * (384 LOC). The three factory functions share option types and helper logic\n * that would create unnecessary coupling if split.\n *\n * Guard.ts delegates to these via dynamic import to avoid circular deps.\n */\n\nimport { createHash } from \"node:crypto\";\n\nimport type { ApprovalBackend } from \"./approval.js\";\nimport type { AuditSink } from \"./audit.js\";\nimport { EdictumConfigError } from \"./errors.js\";\nimport type { Principal, ToolEnvelope } from \"./envelope.js\";\nimport { Edictum } from \"./guard.js\";\nimport type { OperationLimits } from \"./limits.js\";\nimport type { RedactionPolicy } from \"./redaction.js\";\nimport type { StorageBackend } from \"./storage.js\";\nimport { composeBundles } from \"./yaml-engine/composer.js\";\nimport type { CompositionReport } from \"./yaml-engine/composer.js\";\nimport { compileContracts } from \"./yaml-engine/compiler.js\";\nimport type { CustomOperator, CustomSelector } from \"./yaml-engine/evaluator.js\";\nimport { loadBundle, loadBundleString } from \"./yaml-engine/loader.js\";\n\n// ---------------------------------------------------------------------------\n// Shared options type\n// ---------------------------------------------------------------------------\n\n/** Options shared by fromYaml and fromYamlString. */\nexport interface YamlFactoryOptions {\n readonly mode?: \"enforce\" | \"observe\";\n readonly tools?: Record<string, { side_effect?: string; idempotent?: boolean }>;\n readonly auditSink?: AuditSink | AuditSink[];\n readonly redaction?: RedactionPolicy;\n readonly backend?: StorageBackend;\n readonly environment?: string;\n readonly onDeny?: (envelope: ToolEnvelope, reason: string, source: string | null) => void;\n readonly onAllow?: (envelope: ToolEnvelope) => void;\n readonly customOperators?: Record<string, CustomOperator>;\n readonly customSelectors?: Record<string, CustomSelector>;\n readonly successCheck?: (toolName: string, result: unknown) => boolean;\n readonly principal?: Principal;\n readonly principalResolver?: (toolName: string, toolInput: Record<string, unknown>) => Principal;\n readonly approvalBackend?: ApprovalBackend;\n}\n\n/** Options for fromYaml, extending base with returnReport. */\nexport interface FromYamlOptions extends YamlFactoryOptions {\n readonly returnReport?: boolean;\n}\n\n// ---------------------------------------------------------------------------\n// fromYaml\n// ---------------------------------------------------------------------------\n\n/**\n * Create an Edictum instance from one or more YAML contract bundle paths.\n *\n * When multiple paths are given, bundles are composed left-to-right\n * (later layers override earlier ones).\n *\n * EXCEPTION TO \"ALL ASYNC\" RULE: This factory is intentionally synchronous,\n * matching Python's from_yaml(). File I/O uses Node's readFileSync and YAML\n * parsing is CPU-bound — neither benefits from async. The returned Edictum\n * instance's run()/evaluate()/evaluateBatch() methods are fully async.\n * Making this async would force all callers to await at module init time\n * for no concurrency benefit.\n */\nexport function fromYaml(\n ...args: [...string[], FromYamlOptions] | string[]\n): Edictum | [Edictum, CompositionReport] {\n // Separate paths from trailing options object\n let paths: string[];\n let options: FromYamlOptions;\n\n const last = args[args.length - 1];\n if (typeof last === \"object\" && last !== null && !Array.isArray(last)) {\n paths = args.slice(0, -1) as string[];\n options = last as FromYamlOptions;\n } else {\n paths = args as string[];\n options = {};\n }\n\n if (paths.length === 0) {\n throw new EdictumConfigError(\"fromYaml() requires at least one path\");\n }\n\n // Load all bundles\n const loaded: [Record<string, unknown>, { hex: string }][] = [];\n for (const p of paths) {\n loaded.push(loadBundle(p));\n }\n\n let bundleData: Record<string, unknown>;\n let policyVersion: string;\n let report: CompositionReport;\n\n if (loaded.length === 1) {\n const entry = loaded[0] as [Record<string, unknown>, { hex: string }];\n bundleData = entry[0];\n policyVersion = entry[1].hex;\n report = { overriddenContracts: [], observeContracts: [] };\n } else {\n const bundleTuples: [Record<string, unknown>, string][] = loaded.map(\n ([data], i) => [data, paths[i] as string],\n );\n const composed = composeBundles(...bundleTuples);\n bundleData = composed.bundle;\n report = composed.report;\n policyVersion = createHash(\"sha256\")\n .update(loaded.map(([, h]) => h.hex).join(\":\"))\n .digest(\"hex\");\n }\n\n const compiled = compileContracts(bundleData, {\n customOperators: options.customOperators ?? null,\n customSelectors: options.customSelectors ?? null,\n });\n\n const guard = _buildGuard(compiled, policyVersion, options);\n\n if (options.returnReport) {\n return [guard, report];\n }\n return guard;\n}\n\n// ---------------------------------------------------------------------------\n// fromYamlString\n// ---------------------------------------------------------------------------\n\n/**\n * Create an Edictum instance from a YAML string or Uint8Array.\n *\n * Like fromYaml but accepts YAML content directly instead of a file path.\n *\n * EXCEPTION TO \"ALL ASYNC\" RULE: Synchronous by design — see fromYaml docs.\n */\nexport function fromYamlString(\n content: string | Uint8Array,\n options: YamlFactoryOptions = {},\n): Edictum {\n const [bundleData, bundleHash] = loadBundleString(content);\n const policyVersion = bundleHash.hex;\n\n const compiled = compileContracts(bundleData, {\n customOperators: options.customOperators ?? null,\n customSelectors: options.customSelectors ?? null,\n });\n\n return _buildGuard(compiled, policyVersion, options);\n}\n\n// ---------------------------------------------------------------------------\n// reload\n// ---------------------------------------------------------------------------\n\n/** Options for reload(). */\nexport interface ReloadOptions {\n readonly customOperators?: Record<string, CustomOperator>;\n readonly customSelectors?: Record<string, CustomSelector>;\n}\n\n/**\n * Atomically replace a guard's contracts from a YAML string.\n *\n * Builds a new CompiledState from the YAML content and swaps the\n * guard's internal state reference. Concurrent evaluations that\n * started before reload() see the old state; evaluations after\n * see the new state.\n */\nexport function reload(\n guard: Edictum,\n yamlContent: string,\n options: ReloadOptions = {},\n): void {\n const [bundleData, bundleHash] = loadBundleString(yamlContent);\n const compiled = compileContracts(bundleData, {\n customOperators: options.customOperators ?? null,\n customSelectors: options.customSelectors ?? null,\n });\n\n const allContracts = [\n ...compiled.preconditions,\n ...compiled.postconditions,\n ...compiled.sessionContracts,\n ...compiled.sandboxContracts,\n ] as unknown[];\n\n // Classify into enforce/observe lists via the same logic the constructor uses.\n // We build a temporary Edictum to leverage _classifyContracts, then steal its state.\n const temp = new Edictum({\n contracts: allContracts as never[],\n limits: compiled.limits,\n policyVersion: bundleHash.hex,\n });\n\n // Atomic state swap via package-internal methods\n guard._replaceState(temp._getState());\n}\n\n// ---------------------------------------------------------------------------\n// Internal: build guard from compiled bundle\n// ---------------------------------------------------------------------------\n\nfunction _buildGuard(\n compiled: {\n preconditions: readonly unknown[];\n postconditions: readonly unknown[];\n sessionContracts: readonly unknown[];\n sandboxContracts: readonly unknown[];\n limits: OperationLimits;\n defaultMode: string;\n tools: Readonly<Record<string, Record<string, unknown>>>;\n },\n policyVersion: string,\n options: YamlFactoryOptions,\n): Edictum {\n const effectiveMode = options.mode ?? compiled.defaultMode;\n\n const allContracts = [\n ...compiled.preconditions,\n ...compiled.postconditions,\n ...compiled.sessionContracts,\n ...compiled.sandboxContracts,\n ];\n\n // Merge YAML tools with parameter tools (parameter wins on conflict)\n const mergedTools: Record<string, { side_effect?: string; idempotent?: boolean }> = {};\n for (const [name, cfg] of Object.entries(compiled.tools)) {\n mergedTools[name] = cfg as { side_effect?: string; idempotent?: boolean };\n }\n if (options.tools) {\n for (const [name, cfg] of Object.entries(options.tools)) {\n mergedTools[name] = cfg;\n }\n }\n\n return new Edictum({\n environment: options.environment ?? \"production\",\n mode: effectiveMode as \"enforce\" | \"observe\",\n limits: compiled.limits,\n tools: Object.keys(mergedTools).length > 0 ? mergedTools : undefined,\n contracts: allContracts as never[],\n auditSink: options.auditSink,\n redaction: options.redaction,\n backend: options.backend,\n policyVersion,\n onDeny: options.onDeny,\n onAllow: options.onAllow,\n successCheck: options.successCheck,\n principal: options.principal,\n principalResolver: options.principalResolver,\n approvalBackend: options.approvalBackend,\n });\n}\n","/** Bundle Composer — merge multiple parsed YAML bundles into one. */\n\nimport { EdictumConfigError } from \"../errors.js\";\n\n/** Records a contract that was replaced during composition. */\nexport interface CompositionOverride {\n readonly contractId: string;\n readonly overriddenBy: string;\n readonly originalSource: string;\n}\n\n/** Records a contract added as an observe-mode copy (observe_alongside). */\nexport interface ObserveContract {\n readonly contractId: string;\n readonly enforcedSource: string;\n readonly observedSource: string;\n}\n\n/** Report of what happened during composition. */\nexport interface CompositionReport {\n readonly overriddenContracts: readonly CompositionOverride[];\n readonly observeContracts: readonly ObserveContract[];\n}\n\n/** Result of composing multiple bundles. */\nexport interface ComposedBundle {\n readonly bundle: Record<string, unknown>;\n readonly report: CompositionReport;\n}\n\nfunction deepCopyBundle(data: Record<string, unknown>): Record<string, unknown> {\n return structuredClone(data);\n}\n\n/**\n * Merge multiple parsed bundle dicts left to right.\n *\n * Each entry is a tuple of [bundleData, sourceLabel]. Later layers\n * have higher priority.\n */\nexport function composeBundles(\n ...bundles: [Record<string, unknown>, string][]\n): ComposedBundle {\n if (bundles.length === 0) {\n throw new Error(\"composeBundles() requires at least one bundle\");\n }\n\n if (bundles.length === 1) {\n const entry = bundles[0] as [Record<string, unknown>, string];\n return {\n bundle: deepCopyBundle(entry[0]),\n report: { overriddenContracts: [], observeContracts: [] },\n };\n }\n\n const overrides: CompositionOverride[] = [];\n const observes: ObserveContract[] = [];\n\n const first = bundles[0] as [Record<string, unknown>, string];\n const merged = deepCopyBundle(first[0]);\n const firstLabel = first[1];\n\n const contractSources = new Map<string, string>();\n for (const c of (merged.contracts ?? []) as Record<string, unknown>[]) {\n contractSources.set(c.id as string, firstLabel);\n }\n\n for (let i = 1; i < bundles.length; i++) {\n const entry = bundles[i] as [Record<string, unknown>, string];\n const [data, label] = entry;\n const isObserveAlongside = Boolean(data.observe_alongside);\n\n if (isObserveAlongside) {\n mergeObserveAlongside(merged, data, label, contractSources, observes);\n } else {\n mergeStandard(merged, data, label, contractSources, overrides);\n }\n }\n\n return {\n bundle: merged,\n report: { overriddenContracts: overrides, observeContracts: observes },\n };\n}\n\nfunction mergeStandard(\n merged: Record<string, unknown>,\n layer: Record<string, unknown>,\n label: string,\n contractSources: Map<string, string>,\n overrides: CompositionOverride[],\n): void {\n if (\"defaults\" in layer) {\n const ld = layer.defaults as Record<string, unknown>;\n const md = (merged.defaults ?? {}) as Record<string, unknown>;\n if (\"mode\" in ld) md.mode = ld.mode;\n if (\"environment\" in ld) md.environment = ld.environment;\n merged.defaults = md;\n }\n\n if (\"limits\" in layer) merged.limits = deepCopyBundle(layer.limits as Record<string, unknown>);\n\n if (\"tools\" in layer) {\n const mt = (merged.tools ?? {}) as Record<string, unknown>;\n for (const [name, cfg] of Object.entries(layer.tools as Record<string, unknown>)) {\n mt[name] = { ...(cfg as Record<string, unknown>) };\n }\n merged.tools = mt;\n }\n\n if (\"metadata\" in layer) {\n const mm = (merged.metadata ?? {}) as Record<string, unknown>;\n for (const [k, v] of Object.entries(layer.metadata as Record<string, unknown>)) mm[k] = v;\n merged.metadata = mm;\n }\n\n if (\"observability\" in layer) {\n merged.observability = deepCopyBundle(layer.observability as Record<string, unknown>);\n }\n\n if (\"contracts\" in layer) {\n const existingById = new Map<string, number>();\n const mc = (merged.contracts ?? []) as Record<string, unknown>[];\n for (let j = 0; j < mc.length; j++) {\n const c = mc[j] as Record<string, unknown>;\n existingById.set(c.id as string, j);\n }\n\n for (const contract of (layer.contracts ?? []) as Record<string, unknown>[]) {\n const cid = contract.id as string;\n const newContract = deepCopyBundle(contract);\n\n if (existingById.has(cid)) {\n const idx = existingById.get(cid) as number;\n overrides.push({\n contractId: cid,\n overriddenBy: label,\n originalSource: contractSources.get(cid) ?? \"unknown\",\n });\n mc[idx] = newContract;\n } else {\n mc.push(newContract);\n existingById.set(cid, mc.length - 1);\n }\n contractSources.set(cid, label);\n }\n merged.contracts = mc;\n }\n}\n\nfunction mergeObserveAlongside(\n merged: Record<string, unknown>,\n layer: Record<string, unknown>,\n label: string,\n contractSources: Map<string, string>,\n observes: ObserveContract[],\n): void {\n const mc = (merged.contracts ?? []) as Record<string, unknown>[];\n\n for (const contract of (layer.contracts ?? []) as Record<string, unknown>[]) {\n const cid = contract.id as string;\n const observeId = `${cid}:candidate`;\n\n // Check for ID collisions — the generated observe ID must not clash\n // with any existing contract in the merged bundle.\n const existingIds = new Set(\n (mc as Record<string, unknown>[]).map((c) => c.id as string),\n );\n if (existingIds.has(observeId)) {\n throw new EdictumConfigError(\n `observe_alongside collision: generated ID \"${observeId}\" already exists in the bundle. ` +\n `Rename the conflicting contract or use a different ID for \"${cid}\".`,\n );\n }\n\n const observeContract = deepCopyBundle(contract);\n observeContract.id = observeId;\n observeContract.mode = \"observe\";\n observeContract._observe = true;\n\n mc.push(observeContract);\n observes.push({\n contractId: cid,\n enforcedSource: contractSources.get(cid) ?? \"\",\n observedSource: label,\n });\n }\n merged.contracts = mc;\n\n if (\"tools\" in layer) {\n const mt = (merged.tools ?? {}) as Record<string, unknown>;\n for (const [name, cfg] of Object.entries(layer.tools as Record<string, unknown>)) {\n mt[name] = { ...(cfg as Record<string, unknown>) };\n }\n merged.tools = mt;\n }\n\n if (\"metadata\" in layer) {\n const mm = (merged.metadata ?? {}) as Record<string, unknown>;\n for (const [k, v] of Object.entries(layer.metadata as Record<string, unknown>)) mm[k] = v;\n merged.metadata = mm;\n }\n}\n","/** Compiler — convert parsed YAML contracts into contract objects and OperationLimits. */\n\nimport type { OperationLimits } from \"../limits.js\";\nimport { DEFAULT_LIMITS } from \"../limits.js\";\nimport type { CustomOperator, CustomSelector } from \"./evaluator.js\";\nimport { EdictumConfigError } from \"../errors.js\";\nimport { validateOperators } from \"./compiler-utils.js\";\nimport { compilePre, compilePost, compileSession, mergeSessionLimits } from \"./compile-contracts.js\";\nimport { compileSandbox } from \"./sandbox-compile-fn.js\";\n\n// ---------------------------------------------------------------------------\n// CompiledBundle\n// ---------------------------------------------------------------------------\n\n/** Result of compiling a YAML contract bundle. */\nexport interface CompiledBundle {\n readonly preconditions: readonly unknown[];\n readonly postconditions: readonly unknown[];\n readonly sessionContracts: readonly unknown[];\n readonly sandboxContracts: readonly unknown[];\n readonly limits: OperationLimits;\n readonly defaultMode: string;\n readonly tools: Readonly<Record<string, Record<string, unknown>>>;\n}\n\n// ---------------------------------------------------------------------------\n// Compile options\n// ---------------------------------------------------------------------------\n\nexport interface CompileOptions {\n readonly customOperators?: Readonly<Record<string, CustomOperator>> | null;\n readonly customSelectors?: Readonly<Record<string, CustomSelector>> | null;\n}\n\n// ---------------------------------------------------------------------------\n// Main entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Compile a validated YAML bundle into contract objects.\n *\n * @param bundle - A validated bundle dict (output of loadBundle).\n * @param options - Optional custom operators and selectors.\n * @returns CompiledBundle with preconditions, postconditions, sessionContracts,\n * and merged OperationLimits.\n */\nexport function compileContracts(\n bundle: Record<string, unknown>,\n options: CompileOptions = {},\n): CompiledBundle {\n const customOps = options?.customOperators ?? null;\n const customSels = options?.customSelectors ?? null;\n\n validateOperators(bundle, customOps);\n\n if (bundle.defaults == null || typeof bundle.defaults !== \"object\") {\n throw new EdictumConfigError(\n \"Bundle missing required 'defaults' section with 'mode' field\",\n );\n }\n const defaults = bundle.defaults as Record<string, unknown>;\n const defaultMode = defaults.mode as string;\n const preconditions: unknown[] = [];\n const postconditions: unknown[] = [];\n const sessionContracts: unknown[] = [];\n const sandboxContracts: unknown[] = [];\n let limits: OperationLimits = { ...DEFAULT_LIMITS };\n\n const contracts = (bundle.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n // Skip disabled contracts\n if (contract.enabled === false) continue;\n\n const contractType = contract.type as string;\n const contractMode = (contract.mode as string) ?? defaultMode;\n\n if (contractType === \"pre\") {\n preconditions.push(compilePre(contract, contractMode, customOps, customSels));\n } else if (contractType === \"post\") {\n postconditions.push(compilePost(contract, contractMode, customOps, customSels));\n } else if (contractType === \"session\") {\n // Use _observe (TS) not _shadow (Python)\n const isObserve =\n (contract._observe as boolean) ?? (contract._shadow as boolean) ?? false;\n if (!isObserve) {\n limits = mergeSessionLimits(contract, limits);\n }\n sessionContracts.push(compileSession(contract, contractMode, limits));\n } else if (contractType === \"sandbox\") {\n sandboxContracts.push(compileSandbox(contract, contractMode));\n } else {\n throw new EdictumConfigError(\n `Unknown contract type \"${contractType}\" in contract \"${contract.id ?? \"unknown\"}\". ` +\n `Expected \"pre\", \"post\", \"session\", or \"sandbox\".`,\n );\n }\n }\n\n const tools = (bundle.tools ?? {}) as Record<string, Record<string, unknown>>;\n\n return {\n preconditions,\n postconditions,\n sessionContracts,\n sandboxContracts,\n limits,\n defaultMode,\n tools,\n };\n}\n","/** Compiler utilities — validation, regex precompilation, message expansion. */\n\nimport { EdictumConfigError } from \"../errors.js\";\nimport { RedactionPolicy } from \"../redaction.js\";\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport {\n BUILTIN_OPERATOR_NAMES,\n _MISSING,\n resolveSelector,\n type CustomSelector,\n} from \"./evaluator.js\";\n\n// ---------------------------------------------------------------------------\n// Placeholder expansion\n// ---------------------------------------------------------------------------\n\nconst _PLACEHOLDER_RE = /\\{([^}]+)\\}/g;\nconst _PLACEHOLDER_CAP = 200;\n\n/**\n * Expand {placeholder} tokens in a message template.\n *\n * Missing placeholders are kept as-is. Each expansion is capped at 200 chars.\n * Values that look like secrets are redacted.\n */\nexport function expandMessage(\n template: string,\n envelope: ToolEnvelope,\n outputText?: string | null,\n customSelectors?: Readonly<Record<string, CustomSelector>> | null,\n): string {\n const redaction = new RedactionPolicy();\n\n return template.replace(_PLACEHOLDER_RE, (match, selectorRaw: string) => {\n const value = resolveSelector(selectorRaw, envelope, outputText, customSelectors);\n if (value === _MISSING || value == null) return match;\n let text = String(value);\n if (redaction._looksLikeSecret(text)) text = \"[REDACTED]\";\n if (text.length > _PLACEHOLDER_CAP) text = text.slice(0, _PLACEHOLDER_CAP - 3) + \"...\";\n return text;\n });\n}\n\n// ---------------------------------------------------------------------------\n// Operator validation\n// ---------------------------------------------------------------------------\n\n/** Validate that all operators used in the bundle are known (built-in or custom). */\nexport function validateOperators(\n bundle: Record<string, unknown>,\n customOperators: Readonly<Record<string, unknown>> | null,\n): void {\n const known = new Set([\n ...BUILTIN_OPERATOR_NAMES,\n ...Object.keys(customOperators ?? {}),\n ]);\n const contracts = (bundle.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n const when = contract.when as Record<string, unknown> | undefined;\n if (when) {\n _validateExpressionOperators(when, known, contract.id as string);\n }\n }\n}\n\nfunction _validateExpressionOperators(\n expr: unknown,\n known: ReadonlySet<string>,\n contractId: string,\n): void {\n if (expr == null || typeof expr !== \"object\") return;\n const e = expr as Record<string, unknown>;\n\n if (\"all\" in e) {\n for (const sub of e.all as Record<string, unknown>[]) {\n _validateExpressionOperators(sub, known, contractId);\n }\n return;\n }\n if (\"any\" in e) {\n for (const sub of e.any as Record<string, unknown>[]) {\n _validateExpressionOperators(sub, known, contractId);\n }\n return;\n }\n if (\"not\" in e) {\n _validateExpressionOperators(e.not, known, contractId);\n return;\n }\n\n // Leaf node: selector -> operator\n for (const [, operator] of Object.entries(e)) {\n if (operator != null && typeof operator === \"object\") {\n for (const opName of Object.keys(operator as Record<string, unknown>)) {\n if (!known.has(opName)) {\n throw new EdictumConfigError(\n `Contract '${contractId}': unknown operator '${opName}'`,\n );\n }\n }\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// Regex precompilation\n// ---------------------------------------------------------------------------\n\n/**\n * Recursively walk an expression tree and compile regex patterns.\n *\n * Replaces string values under `matches` and `matches_any` with\n * pre-compiled RegExp objects so the evaluator never recompiles on every call.\n */\nexport function precompileRegexes(expr: unknown): unknown {\n if (expr == null || typeof expr !== \"object\") return expr;\n const e = expr as Record<string, unknown>;\n\n if (\"all\" in e) {\n return { all: (e.all as unknown[]).map(precompileRegexes) };\n }\n if (\"any\" in e) {\n return { any: (e.any as unknown[]).map(precompileRegexes) };\n }\n if (\"not\" in e) {\n return { not: precompileRegexes(e.not) };\n }\n\n // Leaf node: selector -> operator\n const compiled: Record<string, unknown> = {};\n for (const [selector, operator] of Object.entries(e)) {\n if (operator == null || typeof operator !== \"object\") {\n compiled[selector] = operator;\n continue;\n }\n const newOp = { ...(operator as Record<string, unknown>) };\n if (\"matches\" in newOp && typeof newOp.matches === \"string\") {\n newOp.matches = new RegExp(newOp.matches);\n }\n if (\"matches_any\" in newOp && Array.isArray(newOp.matches_any)) {\n newOp.matches_any = (newOp.matches_any as string[]).map(\n (p) => (typeof p === \"string\" ? new RegExp(p) : p),\n );\n }\n compiled[selector] = newOp;\n }\n return compiled;\n}\n\n// ---------------------------------------------------------------------------\n// Output pattern extraction\n// ---------------------------------------------------------------------------\n\n/**\n * Walk an expression tree and collect regex patterns from output.text leaves.\n *\n * Returns a flat list of compiled RegExp objects found under `matches` or\n * `matches_any` operators where the selector is `output.text`.\n * By the time this runs, `precompileRegexes` has already converted strings.\n */\nexport function extractOutputPatterns(expr: unknown): RegExp[] {\n if (expr == null || typeof expr !== \"object\") return [];\n const e = expr as Record<string, unknown>;\n\n if (\"all\" in e) {\n const patterns: RegExp[] = [];\n for (const sub of e.all as unknown[]) {\n patterns.push(...extractOutputPatterns(sub));\n }\n return patterns;\n }\n if (\"any\" in e) {\n const patterns: RegExp[] = [];\n for (const sub of e.any as unknown[]) {\n patterns.push(...extractOutputPatterns(sub));\n }\n return patterns;\n }\n if (\"not\" in e) {\n return extractOutputPatterns(e.not);\n }\n\n // Leaf node\n const collected: RegExp[] = [];\n for (const [selector, operator] of Object.entries(e)) {\n if (selector !== \"output.text\" || operator == null || typeof operator !== \"object\") continue;\n const op = operator as Record<string, unknown>;\n if (\"matches\" in op && op.matches instanceof RegExp) {\n collected.push(op.matches);\n }\n if (\"matches_any\" in op && Array.isArray(op.matches_any)) {\n for (const p of op.matches_any) {\n if (p instanceof RegExp) collected.push(p);\n }\n }\n }\n return collected;\n}\n","/** Built-in operators for YAML condition evaluation. */\n\n/** Cap regex input to prevent catastrophic backtracking DoS. */\nexport const MAX_REGEX_INPUT = 10_000;\n\n// ---------------------------------------------------------------------------\n// Operator implementations\n// ---------------------------------------------------------------------------\n\nfunction opEquals(fieldValue: unknown, opValue: unknown): boolean {\n return fieldValue === opValue;\n}\n\nfunction opNotEquals(fieldValue: unknown, opValue: unknown): boolean {\n return fieldValue !== opValue;\n}\n\nfunction opIn(fieldValue: unknown, opValue: unknown[]): boolean {\n return opValue.includes(fieldValue);\n}\n\nfunction opNotIn(fieldValue: unknown, opValue: unknown[]): boolean {\n return !opValue.includes(fieldValue);\n}\n\nfunction opContains(fieldValue: unknown, opValue: string): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n return fieldValue.includes(opValue);\n}\n\nfunction opContainsAny(fieldValue: unknown, opValue: string[]): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n return opValue.some((v) => fieldValue.includes(v));\n}\n\nfunction opStartsWith(fieldValue: unknown, opValue: string): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n return fieldValue.startsWith(opValue);\n}\n\nfunction opEndsWith(fieldValue: unknown, opValue: string): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n return fieldValue.endsWith(opValue);\n}\n\nfunction opMatches(fieldValue: unknown, opValue: string | RegExp): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n const truncated = fieldValue.slice(0, MAX_REGEX_INPUT);\n if (opValue instanceof RegExp) {\n return opValue.test(truncated);\n }\n return new RegExp(opValue).test(truncated);\n}\n\nfunction opMatchesAny(\n fieldValue: unknown,\n opValue: Array<string | RegExp>,\n): boolean {\n if (typeof fieldValue !== \"string\") throw new TypeError();\n const truncated = fieldValue.slice(0, MAX_REGEX_INPUT);\n return opValue.some((p) =>\n p instanceof RegExp ? p.test(truncated) : new RegExp(p).test(truncated),\n );\n}\n\nfunction opGt(fieldValue: unknown, opValue: number): boolean {\n if (typeof fieldValue !== \"number\") throw new TypeError();\n return fieldValue > opValue;\n}\n\nfunction opGte(fieldValue: unknown, opValue: number): boolean {\n if (typeof fieldValue !== \"number\") throw new TypeError();\n return fieldValue >= opValue;\n}\n\nfunction opLt(fieldValue: unknown, opValue: number): boolean {\n if (typeof fieldValue !== \"number\") throw new TypeError();\n return fieldValue < opValue;\n}\n\nfunction opLte(fieldValue: unknown, opValue: number): boolean {\n if (typeof fieldValue !== \"number\") throw new TypeError();\n return fieldValue <= opValue;\n}\n\n// ---------------------------------------------------------------------------\n// Operator dispatch table\n// ---------------------------------------------------------------------------\n\nexport type OperatorFn = (fieldValue: unknown, opValue: unknown) => boolean;\n\nexport const OPERATORS: Readonly<Record<string, OperatorFn>> = {\n equals: opEquals,\n not_equals: opNotEquals,\n in: opIn as OperatorFn,\n not_in: opNotIn as OperatorFn,\n contains: opContains as OperatorFn,\n contains_any: opContainsAny as OperatorFn,\n starts_with: opStartsWith as OperatorFn,\n ends_with: opEndsWith as OperatorFn,\n matches: opMatches as OperatorFn,\n matches_any: opMatchesAny as OperatorFn,\n gt: opGt as OperatorFn,\n gte: opGte as OperatorFn,\n lt: opLt as OperatorFn,\n lte: opLte as OperatorFn,\n};\n\n/** All built-in operator names (including \"exists\" which is special-cased). */\nexport const BUILTIN_OPERATOR_NAMES: ReadonlySet<string> = new Set([\n ...Object.keys(OPERATORS),\n \"exists\",\n]);\n","/** Selector resolution — map YAML selector paths to ToolEnvelope values. */\n\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport type { CustomSelector } from \"./evaluator.js\";\n\n// ---------------------------------------------------------------------------\n// Sentinel for \"field not found\"\n// ---------------------------------------------------------------------------\n\nconst _MISSING: unique symbol = Symbol(\"MISSING\");\nexport type Missing = typeof _MISSING;\nexport { _MISSING };\n\n// ---------------------------------------------------------------------------\n// Built-in selector prefixes — custom selectors must not use these\n// ---------------------------------------------------------------------------\n\nexport const BUILTIN_SELECTOR_PREFIXES: ReadonlySet<string> = new Set([\n \"environment\",\n \"tool\",\n \"args\",\n \"principal\",\n \"output\",\n \"env\",\n \"metadata\",\n]);\n\n// ---------------------------------------------------------------------------\n// Selector resolution\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a dotted selector path to a value from the envelope.\n * Returns `_MISSING` if the field is not found at any level.\n *\n * NOTE: ToolEnvelope uses camelCase (toolName, userId, serviceId, orgId,\n * ticketRef) but YAML selectors use snake_case (tool.name, principal.user_id).\n * This function maps between the two.\n */\nexport function resolveSelector(\n selector: string,\n envelope: ToolEnvelope,\n outputText?: string | null,\n customSelectors?: Readonly<Record<string, CustomSelector>> | null,\n): unknown {\n if (selector === \"environment\") return envelope.environment;\n if (selector === \"tool.name\") return envelope.toolName;\n\n if (selector.startsWith(\"args.\")) {\n return resolveNested(selector.slice(5), envelope.args as Record<string, unknown>);\n }\n\n if (selector.startsWith(\"principal.\")) {\n if (envelope.principal == null) return _MISSING;\n const rest = selector.slice(10);\n // Map YAML snake_case selectors to TS camelCase properties\n if (rest === \"user_id\") return envelope.principal.userId;\n if (rest === \"service_id\") return envelope.principal.serviceId;\n if (rest === \"org_id\") return envelope.principal.orgId;\n if (rest === \"role\") return envelope.principal.role;\n if (rest === \"ticket_ref\") return envelope.principal.ticketRef;\n if (rest.startsWith(\"claims.\")) {\n return resolveNested(\n rest.slice(7),\n envelope.principal.claims as Record<string, unknown>,\n );\n }\n return _MISSING;\n }\n\n if (selector === \"output.text\") {\n return outputText == null ? _MISSING : outputText;\n }\n\n // SECURITY NOTE (Python parity): env.* selector intentionally reads from\n // process.env, matching Python's os.environ.get(). This is by design — YAML\n // contracts use env.* to gate behavior on environment variables (e.g.,\n // env.EDICTUM_MODE). The message template expansion layer handles secret\n // redaction. Bundle authors control which env vars are referenced; untrusted\n // YAML bundles should not be loaded without review.\n if (selector.startsWith(\"env.\")) {\n const varName = selector.slice(4);\n const raw = process.env[varName];\n if (raw == null) return _MISSING;\n return coerceEnvValue(raw);\n }\n\n if (selector.startsWith(\"metadata.\")) {\n return resolveNested(\n selector.slice(9),\n envelope.metadata as Record<string, unknown>,\n );\n }\n\n // Custom selectors: match prefix before first dot\n if (customSelectors) {\n const dotPos = selector.indexOf(\".\");\n if (dotPos > 0) {\n const prefix = selector.slice(0, dotPos);\n if (Object.hasOwn(customSelectors, prefix)) {\n const resolver = customSelectors[prefix] as CustomSelector;\n const data = resolver(envelope);\n const rest = selector.slice(dotPos + 1);\n return resolveNested(rest, data);\n }\n }\n }\n\n return _MISSING;\n}\n\n// ---------------------------------------------------------------------------\n// Nested path resolution\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve a dotted path through nested dicts.\n * Returns `_MISSING` if any intermediate key is absent or not a dict.\n */\nexport function resolveNested(path: string, data: unknown): unknown {\n const parts = path.split(\".\");\n let current = data;\n for (const part of parts) {\n if (current == null || typeof current !== \"object\") return _MISSING;\n const obj = current as Record<string, unknown>;\n if (!Object.hasOwn(obj, part)) return _MISSING;\n current = obj[part];\n }\n return current;\n}\n\n// ---------------------------------------------------------------------------\n// Env value coercion\n// ---------------------------------------------------------------------------\n\n/** Coerce an env var string to a typed value for operator comparison. */\nexport function coerceEnvValue(raw: string): string | boolean | number {\n const low = raw.toLowerCase();\n if (low === \"true\") return true;\n if (low === \"false\") return false;\n const asInt = parseInt(raw, 10);\n if (!isNaN(asInt) && String(asInt) === raw) return asInt;\n const asFloat = parseFloat(raw);\n if (!isNaN(asFloat) && String(asFloat) === raw) return asFloat;\n return raw;\n}\n","/** Condition Evaluator — resolve selectors and apply operators against ToolEnvelope. */\n\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport { OPERATORS, BUILTIN_OPERATOR_NAMES } from \"./operators.js\";\nimport { _MISSING, resolveSelector } from \"./selectors.js\";\n\n// Re-export for external consumers\nexport { BUILTIN_OPERATOR_NAMES };\nexport { MAX_REGEX_INPUT } from \"./operators.js\";\nexport { _MISSING, BUILTIN_SELECTOR_PREFIXES, resolveSelector } from \"./selectors.js\";\nexport type { Missing } from \"./selectors.js\";\n// Aliased re-exports for backward-compatible names\nexport { resolveNested as _resolveNested, coerceEnvValue as _coerceEnvValue } from \"./selectors.js\";\n\n// ---------------------------------------------------------------------------\n// PolicyError — sentinel for type mismatches (fail-closed)\n// ---------------------------------------------------------------------------\n\n/**\n * Sentinel indicating a type mismatch or evaluation error.\n *\n * Converts to `true` conceptually — errors trigger the contract (fail-closed).\n * Callers should treat PolicyError as \"condition matched\" and apply\n * deny/warn + policyError flag.\n */\nexport class PolicyError {\n readonly message: string;\n constructor(message: string) {\n this.message = message;\n }\n}\n\n// ---------------------------------------------------------------------------\n// Custom extension types\n// ---------------------------------------------------------------------------\n\nexport type CustomOperator = (fieldValue: unknown, opValue: unknown) => boolean;\nexport type CustomSelector = (envelope: ToolEnvelope) => Record<string, unknown>;\n\nexport interface EvaluateOptions {\n readonly customOperators?: Readonly<Record<string, CustomOperator>> | null;\n readonly customSelectors?: Readonly<Record<string, CustomSelector>> | null;\n}\n\n// ---------------------------------------------------------------------------\n// Main entry point\n// ---------------------------------------------------------------------------\n\n/**\n * Evaluate a boolean expression tree against an envelope.\n *\n * Returns `true` if the expression matches, `false` if not.\n * Returns a `PolicyError` if a type mismatch or evaluation error occurs\n * (caller should treat as deny/warn + policyError).\n *\n * Missing fields always evaluate to `false` (contract doesn't fire).\n */\nexport function evaluateExpression(\n expr: Record<string, unknown>,\n envelope: ToolEnvelope,\n outputText?: string | null,\n options?: EvaluateOptions,\n): boolean | PolicyError {\n const customOps = options?.customOperators ?? null;\n const customSels = options?.customSelectors ?? null;\n\n if (\"all\" in expr) {\n return _evalAll(expr.all as Record<string, unknown>[], envelope, outputText, customOps, customSels);\n }\n if (\"any\" in expr) {\n return _evalAny(expr.any as Record<string, unknown>[], envelope, outputText, customOps, customSels);\n }\n if (\"not\" in expr) {\n return _evalNot(expr.not as Record<string, unknown>, envelope, outputText, customOps, customSels);\n }\n\n // Leaf node: exactly one selector key (schema enforces single-key leaves).\n // Guard: if a malformed leaf has multiple keys, fail-closed with PolicyError\n // rather than silently dropping extra keys. Python takes next(iter(leaf))\n // which also ignores extras — this is a strictness improvement.\n const leafKeys = Object.keys(expr);\n if (leafKeys.length !== 1) {\n return new PolicyError(\n `Leaf expression must have exactly one selector key, got ${leafKeys.length}: [${leafKeys.join(\", \")}]`,\n );\n }\n return _evalLeaf(expr, envelope, outputText, customOps, customSels);\n}\n\n// ---------------------------------------------------------------------------\n// Boolean AST nodes\n// ---------------------------------------------------------------------------\n\nfunction _evalAll(\n exprs: Record<string, unknown>[],\n envelope: ToolEnvelope,\n outputText: string | null | undefined,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): boolean | PolicyError {\n for (const expr of exprs) {\n const result = evaluateExpression(expr, envelope, outputText, {\n customOperators: customOps, customSelectors: customSels,\n });\n if (result instanceof PolicyError) return result;\n if (!result) return false;\n }\n return true;\n}\n\nfunction _evalAny(\n exprs: Record<string, unknown>[],\n envelope: ToolEnvelope,\n outputText: string | null | undefined,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): boolean | PolicyError {\n for (const expr of exprs) {\n const result = evaluateExpression(expr, envelope, outputText, {\n customOperators: customOps, customSelectors: customSels,\n });\n if (result instanceof PolicyError) return result;\n if (result) return true;\n }\n return false;\n}\n\nfunction _evalNot(\n expr: Record<string, unknown>,\n envelope: ToolEnvelope,\n outputText: string | null | undefined,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): boolean | PolicyError {\n const result = evaluateExpression(expr, envelope, outputText, {\n customOperators: customOps, customSelectors: customSels,\n });\n if (result instanceof PolicyError) return result;\n return !result;\n}\n\nfunction _evalLeaf(\n leaf: Record<string, unknown>,\n envelope: ToolEnvelope,\n outputText: string | null | undefined,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): boolean | PolicyError {\n const selector = Object.keys(leaf)[0] as string;\n const operatorBlock = leaf[selector] as Record<string, unknown>;\n const value = resolveSelector(selector, envelope, outputText, customSels);\n const opName = Object.keys(operatorBlock)[0] as string;\n const opValue = operatorBlock[opName];\n return _applyOperator(opName, value, opValue, selector, customOps);\n}\n\n// ---------------------------------------------------------------------------\n// Operator application\n// ---------------------------------------------------------------------------\n\n/** Apply a single operator to a resolved field value. */\nfunction _applyOperator(\n op: string,\n fieldValue: unknown,\n opValue: unknown,\n selector: string,\n customOperators: Readonly<Record<string, CustomOperator>> | null,\n): boolean | PolicyError {\n // exists is special — works on _MISSING\n if (op === \"exists\") {\n const isPresent = fieldValue !== _MISSING && fieldValue != null;\n return isPresent === opValue;\n }\n\n // All other operators: missing field -> false\n if (fieldValue === _MISSING || fieldValue == null) return false;\n\n try {\n if (Object.hasOwn(OPERATORS, op)) return (OPERATORS[op] as (fv: unknown, ov: unknown) => boolean)(fieldValue, opValue);\n if (customOperators && Object.hasOwn(customOperators, op)) {\n return Boolean((customOperators[op] as CustomOperator)(fieldValue, opValue));\n }\n return new PolicyError(`Unknown operator: '${op}'`);\n } catch {\n return new PolicyError(\n `Type mismatch: operator '${op}' cannot be applied to ` +\n `selector '${selector}' value ${typeof fieldValue}`,\n );\n }\n}\n","/** Contract compilation — compile individual YAML contracts into callable objects. */\n\nimport { Verdict } from \"../contracts.js\";\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport { EdictumConfigError } from \"../errors.js\";\nimport type { OperationLimits } from \"../limits.js\";\nimport type { Session } from \"../session.js\";\nimport { evaluateExpression, PolicyError, type CustomOperator, type CustomSelector } from \"./evaluator.js\";\nimport { expandMessage, extractOutputPatterns, precompileRegexes } from \"./compiler-utils.js\";\n\n/** Shared evaluation logic for pre/post check functions. */\nfunction _evalAndVerdict(\n whenExpr: Record<string, unknown>,\n envelope: ToolEnvelope,\n outputText: string | null | undefined,\n messageTemplate: string,\n tags: string[],\n thenMetadata: Record<string, unknown>,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): Verdict {\n try {\n const result = evaluateExpression(whenExpr, envelope, outputText, {\n customOperators: customOps, customSelectors: customSels,\n });\n if (result instanceof PolicyError) {\n const msg = expandMessage(messageTemplate, envelope, outputText, customSels);\n return Verdict.fail(msg, { tags, policyError: true, ...thenMetadata });\n }\n if (result) {\n const msg = expandMessage(messageTemplate, envelope, outputText, customSels);\n return Verdict.fail(msg, { tags, ...thenMetadata });\n }\n return Verdict.pass_();\n } catch (exc) {\n const msg = expandMessage(messageTemplate, envelope, outputText, customSels);\n return Verdict.fail(msg, { tags, policyError: true, errorDetail: String(exc), ...thenMetadata });\n }\n}\n\n/** Stamp _edictum_observe on the result if the contract is in observe mode. */\nfunction _maybeObserve(result: Record<string, unknown>, contract: Record<string, unknown>): void {\n if (contract._observe === true || contract._shadow === true) result._edictum_observe = true;\n}\n\n// ---------------------------------------------------------------------------\n// Pre-contract compilation\n// ---------------------------------------------------------------------------\n\nexport function compilePre(\n contract: Record<string, unknown>, mode: string,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): Record<string, unknown> {\n const contractId = contract.id as string;\n const tool = contract.tool as string;\n const whenExpr = precompileRegexes(contract.when) as Record<string, unknown>;\n const then = contract.then as Record<string, unknown>;\n const msgTpl = then.message as string;\n const tags = (then.tags ?? []) as string[];\n const meta = (then.metadata ?? {}) as Record<string, unknown>;\n\n const check = (envelope: ToolEnvelope): Verdict =>\n _evalAndVerdict(whenExpr, envelope, undefined, msgTpl, tags, meta, customOps, customSels);\n\n const result: Record<string, unknown> = {\n check, name: contractId, tool, type: \"precondition\",\n mode: mode as \"enforce\" | \"observe\",\n _edictum_type: \"precondition\", _edictum_tool: tool, _edictum_when: null,\n _edictum_mode: mode, _edictum_id: contractId, _edictum_source: \"yaml_precondition\",\n _edictum_effect: (then.effect as string) ?? \"deny\",\n _edictum_timeout: (then.timeout as number) ?? 300,\n _edictum_timeout_effect: (then.timeout_effect as string) ?? \"deny\",\n };\n _maybeObserve(result, contract);\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Post-contract compilation\n// ---------------------------------------------------------------------------\n\nexport function compilePost(\n contract: Record<string, unknown>, mode: string,\n customOps: Readonly<Record<string, CustomOperator>> | null,\n customSels: Readonly<Record<string, CustomSelector>> | null,\n): Record<string, unknown> {\n const contractId = contract.id as string;\n const tool = contract.tool as string;\n const whenExpr = precompileRegexes(contract.when) as Record<string, unknown>;\n const then = contract.then as Record<string, unknown>;\n const msgTpl = then.message as string;\n const tags = (then.tags ?? []) as string[];\n const meta = (then.metadata ?? {}) as Record<string, unknown>;\n\n const check = (envelope: ToolEnvelope, response: unknown): Verdict => {\n const outputText = response != null ? String(response) : undefined;\n return _evalAndVerdict(whenExpr, envelope, outputText, msgTpl, tags, meta, customOps, customSels);\n };\n\n const effectValue = (then.effect as string) ?? \"warn\";\n const result: Record<string, unknown> = {\n check, name: contractId, tool, type: \"postcondition\",\n mode: mode as \"enforce\" | \"observe\",\n effect: effectValue,\n _edictum_type: \"postcondition\", _edictum_tool: tool, _edictum_when: null,\n _edictum_mode: mode, _edictum_id: contractId, _edictum_source: \"yaml_postcondition\",\n _edictum_effect: effectValue,\n _edictum_redact_patterns: extractOutputPatterns(whenExpr),\n };\n _maybeObserve(result, contract);\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Session contract compilation\n// ---------------------------------------------------------------------------\n\nexport function compileSession(\n contract: Record<string, unknown>,\n mode: string,\n limits: OperationLimits,\n): Record<string, unknown> {\n const contractId = contract.id as string;\n const then = contract.then as Record<string, unknown>;\n const messageTemplate = then.message as string;\n const tags = (then.tags ?? []) as string[];\n const thenMetadata = (then.metadata ?? {}) as Record<string, unknown>;\n const capturedLimits = { ...limits };\n\n const check = async (session: Session): Promise<Verdict> => {\n const execCount = await session.executionCount();\n if (execCount >= capturedLimits.maxToolCalls) {\n return Verdict.fail(messageTemplate, { tags, ...thenMetadata });\n }\n const attemptCount = await session.attemptCount();\n if (attemptCount >= capturedLimits.maxAttempts) {\n return Verdict.fail(messageTemplate, { tags, ...thenMetadata });\n }\n return Verdict.pass_();\n };\n\n const result: Record<string, unknown> = {\n check, name: contractId, type: \"session_contract\",\n _edictum_type: \"session_contract\",\n _edictum_mode: mode,\n _edictum_id: contractId,\n _edictum_message: messageTemplate,\n _edictum_tags: tags,\n _edictum_then_metadata: thenMetadata,\n _edictum_source: \"yaml_session\",\n };\n if (contract._observe === true || contract._shadow === true) {\n result._edictum_observe = true;\n }\n return result;\n}\n\n// ---------------------------------------------------------------------------\n// Session limits merging\n// ---------------------------------------------------------------------------\n\n/**\n * Merge session contract limits into existing OperationLimits.\n * Picks the more restrictive value (lower) for each limit.\n */\nexport function mergeSessionLimits(\n contract: Record<string, unknown>,\n existing: OperationLimits,\n): OperationLimits {\n const sessionLimits = contract.limits as Record<string, unknown>;\n let maxToolCalls = existing.maxToolCalls;\n let maxAttempts = existing.maxAttempts;\n const maxCallsPerTool: Record<string, number> = { ...existing.maxCallsPerTool };\n\n if (\"max_tool_calls\" in sessionLimits) {\n const raw = sessionLimits.max_tool_calls;\n if (typeof raw !== \"number\" || !Number.isFinite(raw)) {\n throw new EdictumConfigError(`Session limit max_tool_calls must be a finite number, got: ${String(raw)}`);\n }\n maxToolCalls = Math.min(maxToolCalls, raw);\n }\n if (\"max_attempts\" in sessionLimits) {\n const raw = sessionLimits.max_attempts;\n if (typeof raw !== \"number\" || !Number.isFinite(raw)) {\n throw new EdictumConfigError(`Session limit max_attempts must be a finite number, got: ${String(raw)}`);\n }\n maxAttempts = Math.min(maxAttempts, raw);\n }\n if (\"max_calls_per_tool\" in sessionLimits) {\n const perTool = sessionLimits.max_calls_per_tool as Record<string, unknown>;\n for (const [tool, limit] of Object.entries(perTool)) {\n if (typeof limit !== \"number\" || !Number.isFinite(limit)) {\n throw new EdictumConfigError(\n `Session limit max_calls_per_tool['${tool}'] must be a finite number, got: ${String(limit)}`,\n );\n }\n if (Object.hasOwn(maxCallsPerTool, tool)) {\n maxCallsPerTool[tool] = Math.min(maxCallsPerTool[tool] as number, limit);\n } else {\n maxCallsPerTool[tool] = limit;\n }\n }\n }\n return { maxAttempts, maxToolCalls, maxCallsPerTool };\n}\n","/** compileSandbox — compile a sandbox contract YAML dict into a callable with metadata. */\n\nimport { Verdict } from \"../contracts.js\";\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport { expandMessage } from \"./compiler-utils.js\";\nimport {\n extractPaths,\n extractCommand,\n extractUrls,\n extractHostname,\n domainMatches,\n} from \"./sandbox-compiler.js\";\n\nimport { realpathSync } from \"node:fs\";\nimport { resolve as pathResolve } from \"node:path\";\n\n/** Resolve a path via realpathSync, falling back to path.resolve. */\nfunction _realpath(p: string): string {\n try {\n return realpathSync(p);\n } catch {\n return pathResolve(p);\n }\n}\n\n/** Check if a path is within an allowed prefix. */\nfunction _pathWithin(filePath: string, prefix: string): boolean {\n return filePath === prefix || filePath.startsWith(prefix.replace(/\\/+$/, \"\") + \"/\");\n}\n\n/**\n * Compile a sandbox contract into a callable with _edictum_* metadata.\n *\n * The returned object has a `check` function and stamped metadata properties\n * for pipeline routing.\n */\nexport function compileSandbox(\n contract: Record<string, unknown>,\n mode: string,\n): Record<string, unknown> {\n const contractId = contract.id as string;\n\n // Normalize tool/tools to a list\n const toolPatterns: string[] = \"tools\" in contract\n ? (contract.tools as string[])\n : [contract.tool as string];\n\n const within = ((contract.within ?? []) as string[]).map(_realpath);\n const notWithin = ((contract.not_within ?? []) as string[]).map(_realpath);\n const allows = (contract.allows ?? {}) as Record<string, unknown>;\n const notAllows = (contract.not_allows ?? {}) as Record<string, unknown>;\n const allowedCommands = (allows.commands ?? []) as string[];\n const allowedDomains = (allows.domains ?? []) as string[];\n const blockedDomains = (notAllows.domains ?? []) as string[];\n const outside = (contract.outside as string) ?? \"deny\";\n const messageTemplate = (contract.message as string) ?? \"Tool call outside sandbox boundary.\";\n const timeout = (contract.timeout as number) ?? 300;\n const timeoutEffect = (contract.timeout_effect as string) ?? \"deny\";\n\n const check = (envelope: ToolEnvelope): Verdict => {\n // Path checks\n // SECURITY LIMITATION (Python parity — intentional fail-open on empty paths):\n // If extractPaths() returns empty (e.g., relative paths, ~, $HOME, or args\n // that don't match known path keys), within/not_within enforcement is silently\n // skipped. This matches Python's behavior — sandbox only checks paths it can\n // extract. A tool call with unrecognized path arguments will pass through\n // unchecked. This is a known gap: an attacker who crafts args that bypass\n // extractPaths() can evade sandbox path restrictions.\n // Mitigations: (1) use command allowlists as a complementary control,\n // (2) restrict tool access at the adapter level, (3) validate tool args\n // via precondition contracts that match the specific arg patterns.\n if (within.length > 0 || notWithin.length > 0) {\n const paths = extractPaths(envelope);\n if (paths.length > 0) {\n for (const p of paths) {\n for (const excluded of notWithin) {\n if (_pathWithin(p, excluded)) {\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n }\n }\n if (within.length > 0) {\n for (const p of paths) {\n if (!within.some((allowed) => _pathWithin(p, allowed))) {\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n }\n }\n }\n }\n\n // Command checks\n if (allowedCommands.length > 0) {\n const firstToken = extractCommand(envelope);\n if (firstToken !== null && !allowedCommands.includes(firstToken)) {\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n }\n\n // Domain checks\n const urls = extractUrls(envelope);\n if (urls.length > 0) {\n for (const url of urls) {\n const hostname = extractHostname(url);\n if (hostname) {\n if (blockedDomains.length > 0 && domainMatches(hostname, blockedDomains)) {\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n if (allowedDomains.length > 0 && !domainMatches(hostname, allowedDomains)) {\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n } else if (allowedDomains.length > 0) {\n // Fail-closed: URLs without extractable hostname (file://, data:, etc.)\n // cannot be verified against domain allowlist → deny\n return Verdict.fail(expandMessage(messageTemplate, envelope));\n }\n }\n }\n\n return Verdict.pass_();\n };\n\n const result: Record<string, unknown> = {\n check,\n name: contractId,\n tool: toolPatterns.length === 1 ? toolPatterns[0] : undefined,\n _edictum_type: \"sandbox\",\n _edictum_tools: toolPatterns,\n _edictum_mode: mode,\n _edictum_id: contractId,\n _edictum_source: \"yaml_sandbox\",\n _edictum_effect: outside,\n _edictum_timeout: timeout,\n _edictum_timeout_effect: timeoutEffect,\n };\n\n // Use _observe (TS) not _shadow (Python). Strict === true to prevent\n // truthy coercion of non-boolean values (e.g., strings, numbers).\n if (contract._observe === true || contract._shadow === true) {\n result._edictum_observe = true;\n }\n\n return result;\n}\n","/** Sandbox contract compiler — extract/classify tool call resources and compile sandbox contracts. */\n\nimport { realpathSync } from \"node:fs\";\nimport { resolve as pathResolve } from \"node:path\";\n\nimport type { ToolEnvelope } from \"../envelope.js\";\nimport { fnmatch } from \"../fnmatch.js\";\n\n// ---------------------------------------------------------------------------\n// Shell tokenization\n// ---------------------------------------------------------------------------\n\n/** Pattern for shell redirection operators at token start. */\nconst _REDIRECT_PREFIX_RE = /^(?:\\d*>>|>>|\\d*>|>|<<|<)/;\n\n/**\n * Shell command separators and metacharacters that allow chaining\n * multiple commands. If any of these appear in a raw command string,\n * the command is unsafe — the shell would execute multiple commands.\n *\n * Covers: ; | && || \\n \\r $() backtick ${} <()\n */\nconst _SHELL_SEPARATOR_RE = /[;|&\\n\\r`]|\\$\\(|\\$\\{|<\\(/;\n\n/**\n * Shell-aware tokenization of a command string.\n *\n * Handles single/double quotes. Strips shell redirection operators from\n * token prefixes so paths after redirects (e.g. >/etc/passwd) are exposed.\n * Falls back to basic split with quote stripping on parse error.\n */\nexport function tokenizeCommand(cmd: string): string[] {\n const rawTokens = _shlexSplit(cmd);\n\n const tokens: string[] = [];\n for (const t of rawTokens) {\n const stripped = t.replace(_REDIRECT_PREFIX_RE, \"\");\n if (stripped) tokens.push(stripped);\n }\n return tokens;\n}\n\n/** Minimal shlex.split() port — handle single/double quotes. */\nfunction _shlexSplit(s: string): string[] {\n const tokens: string[] = [];\n let current = \"\";\n let inSingle = false;\n let inDouble = false;\n let i = 0;\n\n try {\n while (i < s.length) {\n const ch = s.charAt(i);\n if (inSingle) {\n if (ch === \"'\") { inSingle = false; } else { current += ch; }\n } else if (inDouble) {\n if (ch === '\\\\' && i + 1 < s.length) {\n // Backslash escaping inside double quotes: \\\", \\\\, \\$, \\`, \\newline\n const next = s.charAt(i + 1);\n if (next === '\"' || next === '\\\\' || next === '$' || next === '`' || next === '\\n') {\n current += next;\n i++;\n } else {\n // Literal backslash for other characters (POSIX behavior)\n current += ch;\n }\n } else if (ch === '\"') { inDouble = false; } else { current += ch; }\n } else if (ch === \"'\") {\n inSingle = true;\n } else if (ch === '\"') {\n inDouble = true;\n } else if (ch === \" \" || ch === \"\\t\") {\n if (current) { tokens.push(current); current = \"\"; }\n } else {\n current += ch;\n }\n i++;\n }\n // Unclosed quotes — fall back\n if (inSingle || inDouble) {\n return s.split(/\\s+/).filter(Boolean).map((t) => t.replace(/^['\"]|['\"]$/g, \"\"));\n }\n if (current) tokens.push(current);\n return tokens;\n } catch {\n return s.split(/\\s+/).filter(Boolean).map((t) => t.replace(/^['\"]|['\"]$/g, \"\"));\n }\n}\n\n// ---------------------------------------------------------------------------\n// Path-like argument keys\n// ---------------------------------------------------------------------------\n\nconst _PATH_ARG_KEYS = new Set([\n \"path\", \"file_path\", \"filePath\", \"directory\", \"dir\",\n \"folder\", \"target\", \"destination\", \"source\", \"src\", \"dst\",\n]);\n\n/** Resolve a path via realpathSync, falling back to path.resolve for non-existent paths. */\nfunction _realpath(p: string): string {\n try {\n return realpathSync(p);\n } catch {\n return pathResolve(p);\n }\n}\n\n// ---------------------------------------------------------------------------\n// Resource extraction\n// ---------------------------------------------------------------------------\n\n/** Extract file paths from an envelope for sandbox evaluation. */\nexport function extractPaths(envelope: ToolEnvelope): string[] {\n const paths: string[] = [];\n const seen = new Set<string>();\n\n function add(p: string): void {\n if (!p) return;\n const resolved = _realpath(p);\n if (!seen.has(resolved)) { seen.add(resolved); paths.push(resolved); }\n }\n\n if (envelope.filePath) add(envelope.filePath);\n\n const args = envelope.args as Record<string, unknown>;\n for (const [key, value] of Object.entries(args)) {\n if (typeof value === \"string\" && _PATH_ARG_KEYS.has(key)) add(value);\n }\n for (const [key, value] of Object.entries(args)) {\n if (typeof value === \"string\" && value.startsWith(\"/\") && !_PATH_ARG_KEYS.has(key)) add(value);\n }\n\n const cmd = envelope.bashCommand ?? (args.command as string | undefined) ?? \"\";\n if (cmd) {\n for (const token of tokenizeCommand(cmd)) {\n if (token.startsWith(\"/\")) add(token);\n }\n }\n return paths;\n}\n\n/** Extract the first command token from an envelope (shell-aware). */\nexport function extractCommand(envelope: ToolEnvelope): string | null {\n const cmd = envelope.bashCommand ?? (envelope.args as Record<string, unknown>).command;\n if (!cmd || typeof cmd !== \"string\") return null;\n const stripped = cmd.trim();\n if (!stripped) return null;\n\n // Check for shell command separators/metacharacters BEFORE extracting.\n // If any are present, the shell would execute multiple commands — return\n // sentinel value that never matches any allowlist.\n if (_SHELL_SEPARATOR_RE.test(stripped)) return \"\\x00\";\n\n const rawFirst = stripped.split(/\\s/)[0] ?? \"\";\n if (_REDIRECT_PREFIX_RE.test(rawFirst)) return \"\\x00\";\n\n const tokens = tokenizeCommand(stripped);\n return tokens.length > 0 ? (tokens[0] ?? null) : null;\n}\n\n/** Extract URL strings from envelope args (shell-aware). */\nexport function extractUrls(envelope: ToolEnvelope): string[] {\n const urls: string[] = [];\n const seen = new Set<string>();\n\n function addUrl(u: string): void {\n if (!seen.has(u)) { seen.add(u); urls.push(u); }\n }\n\n for (const value of Object.values(envelope.args)) {\n if (typeof value !== \"string\" || !value.includes(\"://\")) continue;\n if (extractHostname(value) !== null) {\n addUrl(value);\n } else {\n for (const token of tokenizeCommand(value)) {\n if (token.includes(\"://\") && extractHostname(token) !== null) addUrl(token);\n }\n }\n }\n return urls;\n}\n\n/** Extract hostname from a URL string. */\nexport function extractHostname(url: string): string | null {\n try {\n return new URL(url).hostname || null;\n } catch {\n return null;\n }\n}\n\n/** Check if hostname matches any domain pattern (supports wildcards). */\nexport function domainMatches(hostname: string, patterns: string[]): boolean {\n return patterns.some((p) => fnmatch(hostname, p));\n}\n","/**\n * Minimal Python fnmatch.fnmatch() port for glob pattern matching.\n *\n * Used by Edictum for contract tool filtering and hook registration.\n */\n\n/**\n * Match a name against a glob pattern (fnmatch-style).\n *\n * Supports: `*` (any sequence), `?` (any single char), literal match.\n * Does NOT support `[...]` character classes (not used by edictum contracts).\n *\n * Input capped at 10,000 characters to prevent regex DoS.\n */\nexport function fnmatch(name: string, pattern: string): boolean {\n if (pattern === \"*\") return true;\n if (!pattern.includes(\"*\") && !pattern.includes(\"?\")) {\n return name === pattern;\n }\n\n // Cap input length for regex DoS prevention\n const safeName = name.length > 10_000 ? name.slice(0, 10_000) : name;\n const safePattern =\n pattern.length > 10_000 ? pattern.slice(0, 10_000) : pattern;\n\n // Convert glob to regex: escape regex chars, then replace glob wildcards\n let regex = \"\";\n for (let i = 0; i < safePattern.length; i++) {\n const ch = safePattern[i] ?? \"\";\n if (ch === \"*\") {\n regex += \".*\";\n } else if (ch === \"?\") {\n regex += \".\";\n } else if (\".+^${}()|[]\\\\\".includes(ch)) {\n regex += \"\\\\\" + ch;\n } else {\n regex += ch;\n }\n }\n\n return new RegExp(\"^\" + regex + \"$\").test(safeName);\n}\n","/** YAML Bundle Loader — parse, validate, compute bundle hash. */\n\nimport { createHash } from \"node:crypto\";\nimport { readFileSync, realpathSync, statSync } from \"node:fs\";\n\nimport { EdictumConfigError } from \"../errors.js\";\nimport {\n validateSchema,\n validateUniqueIds,\n validateRegexes,\n validatePreSelectors,\n validateSandboxContracts,\n} from \"./loader-validators.js\";\n\n// Re-export validators for direct access\nexport {\n validateSchema,\n validateUniqueIds,\n validateRegexes,\n validatePreSelectors,\n validateSandboxContracts,\n} from \"./loader-validators.js\";\n\n// ---------------------------------------------------------------------------\n// Constants\n// ---------------------------------------------------------------------------\n\n/** Maximum bundle file size in bytes (1 MB). */\nexport const MAX_BUNDLE_SIZE = 1_048_576;\n\n// ---------------------------------------------------------------------------\n// BundleHash\n// ---------------------------------------------------------------------------\n\n/** SHA256 hash of raw YAML bytes, used as policy_version. */\nexport interface BundleHash {\n readonly hex: string;\n}\n\n/** Compute SHA256 hash of raw YAML bytes. */\nexport function computeHash(rawBytes: Uint8Array): BundleHash {\n return { hex: createHash(\"sha256\").update(rawBytes).digest(\"hex\") };\n}\n\n// ---------------------------------------------------------------------------\n// YAML parsing helper\n// ---------------------------------------------------------------------------\n\n/** Load js-yaml or throw a helpful error. */\nfunction requireYaml(): { load(input: string): unknown } {\n try {\n // eslint-disable-next-line @typescript-eslint/no-require-imports\n const yaml = require(\"js-yaml\") as { load(input: string): unknown };\n return yaml;\n } catch {\n throw new EdictumConfigError(\n \"The YAML engine requires js-yaml. Install it with: npm install js-yaml\",\n );\n }\n}\n\n/** Parse YAML content string, returning the parsed object. */\nfunction parseYaml(content: string): Record<string, unknown> {\n const yaml = requireYaml();\n let data: unknown;\n try {\n data = yaml.load(content);\n } catch (e) {\n throw new EdictumConfigError(`YAML parse error: ${String(e)}`);\n }\n if (data == null || typeof data !== \"object\" || Array.isArray(data)) {\n throw new EdictumConfigError(\"YAML document must be a mapping\");\n }\n return data as Record<string, unknown>;\n}\n\n// ---------------------------------------------------------------------------\n// Validation pipeline\n// ---------------------------------------------------------------------------\n\n/** Run all bundle validations in sequence. */\nfunction validateBundle(data: Record<string, unknown>): void {\n validateSchema(data);\n validateUniqueIds(data);\n validateRegexes(data);\n validatePreSelectors(data);\n validateSandboxContracts(data);\n}\n\n// ---------------------------------------------------------------------------\n// Public API\n// ---------------------------------------------------------------------------\n\n/**\n * Load and validate a YAML contract bundle from a file path.\n *\n * @returns Tuple of [parsed bundle dict, bundle hash].\n * @throws EdictumConfigError on validation failure.\n * @throws Error if the file does not exist.\n */\nexport function loadBundle(source: string): [Record<string, unknown>, BundleHash] {\n // Resolve symlinks before reading to prevent path traversal attacks.\n const resolved = realpathSync(source);\n const fileSize = statSync(resolved).size;\n if (fileSize > MAX_BUNDLE_SIZE) {\n throw new EdictumConfigError(\n `Bundle file too large (${fileSize} bytes, max ${MAX_BUNDLE_SIZE})`,\n );\n }\n\n const rawBytes = readFileSync(resolved);\n const bundleHash = computeHash(rawBytes);\n const data = parseYaml(rawBytes.toString(\"utf-8\"));\n\n validateBundle(data);\n return [data, bundleHash];\n}\n\n/**\n * Load and validate a YAML contract bundle from a string or bytes.\n *\n * Like {@link loadBundle} but accepts YAML content directly instead of\n * a file path. Useful when YAML is generated programmatically or fetched\n * from an API.\n *\n * @returns Tuple of [parsed bundle dict, bundle hash].\n * @throws EdictumConfigError on validation failure.\n */\nexport function loadBundleString(\n content: string | Uint8Array,\n): [Record<string, unknown>, BundleHash] {\n const rawBytes =\n typeof content === \"string\" ? new TextEncoder().encode(content) : content;\n\n if (rawBytes.length > MAX_BUNDLE_SIZE) {\n throw new EdictumConfigError(\n `Bundle content too large (${rawBytes.length} bytes, max ${MAX_BUNDLE_SIZE})`,\n );\n }\n\n const bundleHash = computeHash(rawBytes);\n const text =\n typeof content === \"string\" ? content : new TextDecoder().decode(rawBytes);\n const data = parseYaml(text);\n\n validateBundle(data);\n return [data, bundleHash];\n}\n","/** Loader validation helpers — schema, uniqueness, regex, selector, and sandbox checks. */\n\nimport { EdictumConfigError } from \"../errors.js\";\n\n// ---------------------------------------------------------------------------\n// Schema validation (structural — no JSON Schema dependency)\n// ---------------------------------------------------------------------------\n\n/**\n * Basic structural validation of a parsed YAML bundle.\n *\n * Checks apiVersion, kind, metadata, and contracts array.\n * Full JSON Schema validation requires the edictum-schemas package (future).\n */\nexport function validateSchema(data: Record<string, unknown>): void {\n if (data.apiVersion !== \"edictum/v1\") {\n throw new EdictumConfigError(\n `Schema validation failed: apiVersion must be 'edictum/v1', got '${String(data.apiVersion)}'`,\n );\n }\n if (data.kind !== \"ContractBundle\") {\n throw new EdictumConfigError(\n `Schema validation failed: kind must be 'ContractBundle', got '${String(data.kind)}'`,\n );\n }\n if (data.metadata != null && typeof data.metadata !== \"object\") {\n throw new EdictumConfigError(\"Schema validation failed: metadata must be an object\");\n }\n if (!Array.isArray(data.contracts)) {\n throw new EdictumConfigError(\"Schema validation failed: contracts must be an array\");\n }\n}\n\n// ---------------------------------------------------------------------------\n// Unique IDs\n// ---------------------------------------------------------------------------\n\n// Reject control characters in contract IDs — null bytes, newlines, carriage\n// returns, and other C0/C1 control chars could corrupt storage keys or logs.\nconst CONTROL_CHAR_RE = /[\\x00-\\x1f\\x7f-\\x9f]/;\n\n/** Validate a single contract ID for dangerous characters. */\nfunction validateContractId(contractId: string): void {\n if (CONTROL_CHAR_RE.test(contractId)) {\n throw new EdictumConfigError(\n `Contract id contains control characters: '${contractId.replace(CONTROL_CHAR_RE, \"\\\\x??\")}'`,\n );\n }\n}\n\n/** Ensure all contract IDs are unique within the bundle and free of control characters. */\nexport function validateUniqueIds(data: Record<string, unknown>): void {\n const ids = new Set<string>();\n const contracts = (data.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n const contractId = contract.id as string | undefined;\n if (contractId != null) {\n validateContractId(contractId);\n if (ids.has(contractId)) {\n throw new EdictumConfigError(`Duplicate contract id: '${contractId}'`);\n }\n ids.add(contractId);\n }\n }\n}\n\n// ---------------------------------------------------------------------------\n// Regex validation\n// ---------------------------------------------------------------------------\n\n/** Compile all regex patterns at load time to catch invalid patterns early. */\nexport function validateRegexes(data: Record<string, unknown>): void {\n const contracts = (data.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n const when = contract.when;\n if (when != null) {\n validateExpressionRegexes(when as Record<string, unknown>);\n }\n }\n}\n\n/** Recursively validate regex patterns in expressions. */\nfunction validateExpressionRegexes(expr: unknown): void {\n if (expr == null || typeof expr !== \"object\") return;\n const e = expr as Record<string, unknown>;\n\n if (\"all\" in e) {\n for (const sub of e.all as unknown[]) validateExpressionRegexes(sub);\n return;\n }\n if (\"any\" in e) {\n for (const sub of e.any as unknown[]) validateExpressionRegexes(sub);\n return;\n }\n if (\"not\" in e) {\n validateExpressionRegexes(e.not);\n return;\n }\n\n // Leaf node: selector -> operator\n for (const operator of Object.values(e)) {\n if (operator == null || typeof operator !== \"object\") continue;\n const op = operator as Record<string, unknown>;\n if (\"matches\" in op) tryCompileRegex(op.matches as string);\n if (\"matches_any\" in op) {\n for (const pattern of op.matches_any as string[]) tryCompileRegex(pattern);\n }\n }\n}\n\n/** Attempt to compile a regex, raising EdictumConfigError on failure. */\nfunction tryCompileRegex(pattern: string): void {\n try {\n new RegExp(pattern);\n } catch (e) {\n throw new EdictumConfigError(`Invalid regex pattern '${pattern}': ${String(e)}`);\n }\n}\n\n// ---------------------------------------------------------------------------\n// Pre-selector validation\n// ---------------------------------------------------------------------------\n\n/** Reject output.text selectors in type: pre contracts (spec violation). */\nexport function validatePreSelectors(data: Record<string, unknown>): void {\n const contracts = (data.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n if (contract.type !== \"pre\") continue;\n const when = contract.when;\n if (when != null && expressionHasSelector(when as Record<string, unknown>, \"output.text\")) {\n throw new EdictumConfigError(\n `Contract '${(contract.id as string) ?? \"?\"}': output.text selector is not available in type: pre contracts`,\n );\n }\n }\n}\n\n/** Check if an expression tree contains a specific selector. */\nfunction expressionHasSelector(expr: unknown, target: string): boolean {\n if (expr == null || typeof expr !== \"object\") return false;\n const e = expr as Record<string, unknown>;\n if (\"all\" in e) return (e.all as unknown[]).some((sub) => expressionHasSelector(sub, target));\n if (\"any\" in e) return (e.any as unknown[]).some((sub) => expressionHasSelector(sub, target));\n if (\"not\" in e) return expressionHasSelector(e.not, target);\n return target in e;\n}\n\n// ---------------------------------------------------------------------------\n// Sandbox contract validation\n// ---------------------------------------------------------------------------\n\n/** Validate sandbox contract field dependencies. */\nexport function validateSandboxContracts(data: Record<string, unknown>): void {\n const contracts = (data.contracts ?? []) as Record<string, unknown>[];\n for (const contract of contracts) {\n if (contract.type !== \"sandbox\") continue;\n const cid = (contract.id as string) ?? \"?\";\n\n if (\"not_within\" in contract && !(\"within\" in contract)) {\n throw new EdictumConfigError(`Contract '${cid}': not_within requires within to also be set`);\n }\n if (\"not_allows\" in contract && !(\"allows\" in contract)) {\n throw new EdictumConfigError(`Contract '${cid}': not_allows requires allows to also be set`);\n }\n if (\"not_allows\" in contract) {\n const notAllows = (contract.not_allows ?? {}) as Record<string, unknown>;\n if (\"domains\" in notAllows) {\n const allows = (contract.allows ?? {}) as Record<string, unknown>;\n if (!(\"domains\" in allows)) {\n throw new EdictumConfigError(\n `Contract '${cid}': not_allows.domains requires allows.domains to also be set`,\n );\n }\n }\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,IAGa,eAmBA,oBAQA;AA9Bb;AAAA;AAAA;AAGO,IAAM,gBAAN,cAA4B,MAAM;AAAA,MAC9B;AAAA,MACA;AAAA,MACA;AAAA,MAET,YACE,QACA,iBAAgC,MAChC,eAA8B,MAC9B;AACA,cAAM,MAAM;AACZ,aAAK,OAAO;AACZ,aAAK,SAAS;AACd,aAAK,iBAAiB;AACtB,aAAK,eAAe;AAAA,MACtB;AAAA,IACF;AAGO,IAAM,qBAAN,cAAiC,MAAM;AAAA,MAC5C,YAAY,SAAiB;AAC3B,cAAM,OAAO;AACb,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AAGO,IAAM,mBAAN,cAA+B,MAAM;AAAA,MAC1C,YAAY,SAAiB;AAC3B,cAAM,OAAO;AACb,aAAK,OAAO;AAAA,MACd;AAAA,IACF;AAAA;AAAA;;;ACgBO,SAAS,gBACd,UAA8B,CAAC,GACV;AACrB,QAAM,IAAe;AAAA,IACnB,QAAQ,QAAQ,UAAU;AAAA,IAC1B,WAAW,QAAQ,aAAa;AAAA,IAChC,OAAO,QAAQ,SAAS;AAAA,IACxB,MAAM,QAAQ,QAAQ;AAAA,IACtB,WAAW,QAAQ,aAAa;AAAA,IAChC,QAAQ,QAAQ,UAAU,CAAC;AAAA,EAC7B;AACA,SAAO,WAAW,CAAC;AACrB;AAeO,SAAS,kBAAkB,UAAwB;AACxD,MAAI,CAAC,UAAU;AACb,UAAM,IAAI,mBAAmB,sBAAsB,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,EAC/E;AACA,WAAS,IAAI,GAAG,IAAI,SAAS,QAAQ,KAAK;AACxC,UAAM,OAAO,SAAS,WAAW,CAAC;AAClC,UAAM,KAAK,SAAS,CAAC;AACrB,QAAI,OAAO,MAAQ,SAAS,OAAQ,OAAO,OAAO,OAAO,MAAM;AAC7D,YAAM,IAAI,mBAAmB,sBAAsB,KAAK,UAAU,QAAQ,CAAC,EAAE;AAAA,IAC/E;AAAA,EACF;AACF;AAqDO,SAAS,WAAc,KAAW;AACvC,MAAI,QAAQ,QAAQ,QAAQ,UAAa,OAAO,QAAQ,UAAU;AAChE,WAAO;AAAA,EACT;AAEA,MAAI,eAAe,MAAM;AACvB,WAAO;AAAA,EACT;AAGA,MAAI,eAAe,QAAQ;AACzB,WAAO;AAAA,EACT;AACA,SAAO,OAAO,GAAG;AACjB,aAAW,SAAS,OAAO,OAAO,GAA8B,GAAG;AACjE,QAAI,UAAU,QAAQ,UAAU,UAAa,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,KAAK,GAAG;AACjG,iBAAW,KAAK;AAAA,IAClB;AAAA,EACF;AACA,SAAO;AACT;AAqHA,SAAS,aAAgB,OAAa;AACpC,MAAI;AACF,WAAO,gBAAgB,KAAK;AAAA,EAC9B,QAAQ;AACN,WAAO,KAAK,MAAM,KAAK,UAAU,KAAK,CAAC;AAAA,EACzC;AACF;AA6BO,SAAS,eACd,UACA,WACA,UAAiC,CAAC,GACV;AACxB,oBAAkB,QAAQ;AAG1B,QAAM,WAAW,aAAa,SAAS;AAGvC,QAAM,eAAe,QAAQ,WAAW,aAAa,QAAQ,QAAQ,IAAI,CAAC;AAG1E,MAAI,gBAA4C;AAChD,MAAI,QAAQ,aAAa,MAAM;AAC7B,UAAM,IAAI,QAAQ;AAClB,oBAAgB,gBAAgB;AAAA,MAC9B,QAAQ,EAAE;AAAA,MACV,WAAW,EAAE;AAAA,MACb,OAAO,EAAE;AAAA,MACT,MAAM,EAAE;AAAA,MACR,WAAW,EAAE;AAAA,MACb,QAAQ,EAAE,SAAS,aAAa,EAAE,MAAiC,IAAI,CAAC;AAAA,IAC1E,CAAC;AAAA,EACH;AAGA,QAAM,WAAW,QAAQ,YAAY;AACrC,MAAI,aAAyB,QAAQ,cAAc,WAAW;AAC9D,MAAI,aAAa,QAAQ,cAAc;AACvC,MAAI,cAA6B;AACjC,MAAI,WAA0B;AAG9B,MAAI,UAAU;AACZ,UAAM,CAAC,WAAW,aAAa,IAAI,SAAS,SAAS,UAAU,QAAQ;AACvE,QAAI,QAAQ,cAAc,KAAM,cAAa;AAC7C,QAAI,QAAQ,cAAc,KAAM,cAAa;AAAA,EAC/C;AAGA,MAAI,aAAa,QAAQ;AACvB,kBAAe,SAAS,WAAsB;AAE9C,QAAI,QAAQ,cAAc,MAAM;AAC9B,mBAAa,eAAe,SAAS,WAAW;AAAA,IAClD;AAAA,EACF,WACE,aAAa,UACb,aAAa,UACb,aAAa,QACb;AACA,eACG,SAAS,aACT,SAAS,YACT,SAAS,QACV;AAAA,EACJ,WAAW,aAAa,WAAW,aAAa,QAAQ;AACtD,eACG,SAAS,aACT,SAAS,YACT,SAAS,QACV;AAAA,EACJ;AAEA,QAAM,WAAyB;AAAA,IAC7B;AAAA,IACA,MAAM;AAAA,IACN,QAAQ,QAAQ,cAAU,+BAAW;AAAA,IACrC,OAAO,QAAQ,SAAS;AAAA,IACxB,WAAW,QAAQ,aAAa;AAAA,IAChC,cAAc,QAAQ,gBAAgB;AAAA,IACtC;AAAA,IACA;AAAA,IACA,aAAa,QAAQ,eAAe;AAAA,IACpC,WAAW,QAAQ,aAAa,oBAAI,KAAK;AAAA,IACzC,QAAQ,QAAQ,UAAU;AAAA,IAC1B,WAAW,QAAQ,aAAa;AAAA,IAChC,WAAW;AAAA,IACX;AAAA,IACA;AAAA,IACA,UAAU;AAAA,EACZ;AAEA,SAAO,WAAW,QAAQ;AAC5B;AAhZA,IAEA,oBAmBa,YAoJA,cAmCA;AA5Mb;AAAA;AAAA;AAEA,yBAA2B;AAE3B;AAiBO,IAAM,aAAa;AAAA,MACxB,MAAM;AAAA,MACN,MAAM;AAAA,MACN,OAAO;AAAA,MACP,cAAc;AAAA,IAChB;AA+IO,IAAM,eAAN,MAAmB;AAAA,MACP,SAAkC,oBAAI,IAAI;AAAA,MAE3D,SACE,MACA,aAAyB,WAAW,OACpC,aAAsB,OAChB;AACN,aAAK,OAAO,IAAI,MAAM,EAAE,MAAM,YAAY,WAAW,CAAC;AAAA,MACxD;AAAA,MAEA,SACE,UACA,OACuB;AACvB,cAAM,MAAM,KAAK,OAAO,IAAI,QAAQ;AACpC,YAAI,KAAK;AACP,iBAAO,CAAC,IAAI,YAA0B,IAAI,UAAU;AAAA,QACtD;AACA,eAAO,CAAC,WAAW,cAAc,KAAK;AAAA,MACxC;AAAA,IACF;AAcO,IAAM,iBAAiB;AAAA,MAC5B,gBAAgB;AAAA,QACd;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA,iBAAiB;AAAA,QACf;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA,SAAS,SAA6B;AACpC,cAAM,WAAW,QAAQ,KAAK;AAC9B,YAAI,CAAC,UAAU;AACb,iBAAO,WAAW;AAAA,QACpB;AAEA,mBAAW,MAAM,eAAe,iBAAiB;AAC/C,cAAI,SAAS,SAAS,EAAE,GAAG;AACzB,mBAAO,WAAW;AAAA,UACpB;AAAA,QACF;AAEA,mBAAW,WAAW,eAAe,gBAAgB;AACnD,cAAI,aAAa,WAAW,SAAS,WAAW,UAAU,GAAG,GAAG;AAC9D,mBAAO,WAAW;AAAA,UACpB;AAAA,QACF;AAEA,eAAO,WAAW;AAAA,MACpB;AAAA,IACF;AAAA;AAAA;;;ACjRA,IAiBa;AAjBb;AAAA;AAAA;AAiBO,IAAM,UAAU;AAAA;AAAA;AAAA;AAAA,MAIrB,QAAiB;AACf,eAAO,OAAO,OAAO,EAAE,QAAQ,MAAM,SAAS,MAAM,UAAU,OAAO,OAAO,CAAC,CAAC,EAAE,CAAC;AAAA,MACnF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAOA,KAAK,SAAiB,WAAoC,CAAC,GAAY;AACrE,cAAM,YACJ,QAAQ,SAAS,MAAM,QAAQ,MAAM,GAAG,GAAG,IAAI,QAAQ;AACzD,eAAO,OAAO,OAAO;AAAA,UACnB,QAAQ;AAAA,UACR,SAAS;AAAA,UACT,UAAU,OAAO,OAAO,EAAE,GAAG,SAAS,CAAC;AAAA,QACzC,CAAC;AAAA,MACH;AAAA,IACF;AAAA;AAAA;;;ACvCA,IAEa,YAYA;AAdb;AAAA;AAAA;AAEO,IAAM,aAAa;AAAA,MACxB,OAAO;AAAA,MACP,MAAM;AAAA,IACR;AASO,IAAM,eAAe;AAAA,MAC1B,QAAsB;AACpB,eAAO,OAAO,OAAO,EAAE,QAAQ,WAAW,OAAO,QAAQ,KAAK,CAAC;AAAA,MACjE;AAAA,MAEA,KAAK,QAA8B;AACjC,cAAM,YACJ,OAAO,SAAS,MAAM,OAAO,MAAM,GAAG,GAAG,IAAI,QAAQ;AACvD,eAAO,OAAO,OAAO,EAAE,QAAQ,WAAW,MAAM,QAAQ,UAAU,CAAC;AAAA,MACrE;AAAA,IACF;AAAA;AAAA;;;ACVA,SAAS,YACP,SACgC;AAChC,SAAO,cAAc;AACvB;AAYA,SAAS,6BAA6B,OAAe,OAAqB;AACxE,MAAI,CAAC,OAAO;AACV,UAAM,IAAI,mBAAmB,WAAW,KAAK,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,EAC3E;AACA,MAAI,MAAM,SAAS,eAAe;AAChC,UAAM,IAAI,mBAAmB,WAAW,KAAK,aAAa,aAAa,aAAa;AAAA,EACtF;AACA,WAAS,IAAI,GAAG,IAAI,MAAM,QAAQ,KAAK;AACrC,UAAM,OAAO,MAAM,WAAW,CAAC;AAC/B,QAAI,OAAO,MAAQ,SAAS,KAAM;AAChC,YAAM,IAAI,mBAAmB,WAAW,KAAK,KAAK,KAAK,UAAU,KAAK,CAAC,EAAE;AAAA,IAC3E;AAAA,EACF;AACF;AA3CA,IAwBM,eAoCO;AA5Db;AAAA;AAAA;AAEA;AAsBA,IAAM,gBAAgB;AAoCf,IAAM,UAAN,MAAc;AAAA,MACF;AAAA,MACA;AAAA,MAEjB,YAAY,WAAmB,SAAyB;AACtD,qCAA6B,WAAW,YAAY;AACpD,aAAK,OAAO;AACZ,aAAK,WAAW;AAAA,MAClB;AAAA,MAEA,IAAI,YAAoB;AACtB,eAAO,KAAK;AAAA,MACd;AAAA;AAAA,MAGA,MAAM,oBAAqC;AACzC,eAAO,MAAM,KAAK,SAAS,UAAU,KAAK,KAAK,IAAI,WAAW;AAAA,MAChE;AAAA,MAEA,MAAM,eAAgC;AACpC,eAAO,OAAQ,MAAM,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,WAAW,KAAM,CAAC;AAAA,MACzE;AAAA;AAAA,MAGA,MAAM,gBAAgB,UAAkB,SAAiC;AACvE,qCAA6B,UAAU,WAAW;AAClD,cAAM,KAAK,SAAS,UAAU,KAAK,KAAK,IAAI,QAAQ;AACpD,cAAM,KAAK,SAAS,UAAU,KAAK,KAAK,IAAI,SAAS,QAAQ,EAAE;AAE/D,YAAI,SAAS;AACX,gBAAM,KAAK,SAAS,OAAO,KAAK,KAAK,IAAI,cAAc;AAAA,QACzD,OAAO;AACL,gBAAM,KAAK,SAAS,UAAU,KAAK,KAAK,IAAI,cAAc;AAAA,QAC5D;AAAA,MACF;AAAA,MAEA,MAAM,iBAAkC;AACtC,eAAO,OAAQ,MAAM,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,QAAQ,KAAM,CAAC;AAAA,MACtE;AAAA,MAEA,MAAM,mBAAmB,MAA+B;AACtD,qCAA6B,MAAM,WAAW;AAC9C,eAAO;AAAA,UACJ,MAAM,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,SAAS,IAAI,EAAE,KAAM;AAAA,QAC9D;AAAA,MACF;AAAA,MAEA,MAAM,sBAAuC;AAC3C,eAAO;AAAA,UACJ,MAAM,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,cAAc,KAAM;AAAA,QAC7D;AAAA,MACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAYA,MAAM,iBAAiB,SAEa;AAClC,cAAM,OAAiB;AAAA,UACrB,KAAK,KAAK,IAAI;AAAA,UACd,KAAK,KAAK,IAAI;AAAA,QAChB;AACA,cAAM,YAAsB,CAAC,YAAY,OAAO;AAEhD,YAAI,SAAS,eAAe,MAAM;AAChC,uCAA6B,QAAQ,aAAa,WAAW;AAC7D,eAAK,KAAK,KAAK,KAAK,IAAI,SAAS,QAAQ,WAAW,EAAE;AACtD,oBAAU,KAAK,QAAQ,QAAQ,WAAW,EAAE;AAAA,QAC9C;AAEA,YAAI;AAEJ,YAAI,YAAY,KAAK,QAAQ,GAAG;AAC9B,gBAAM,MAAM,KAAK,SAAS,SAAS,IAAI;AAAA,QACzC,OAAO;AACL,gBAAM,CAAC;AACP,qBAAW,OAAO,MAAM;AACtB,gBAAI,GAAG,IAAI,MAAM,KAAK,SAAS,IAAI,GAAG;AAAA,UACxC;AAAA,QACF;AAEA,cAAM,SAAiC,CAAC;AACxC,iBAAS,IAAI,GAAG,IAAI,KAAK,QAAQ,KAAK;AACpC,gBAAM,QAAQ,UAAU,CAAC,KAAK;AAC9B,gBAAM,MAAM,KAAK,CAAC,KAAK;AACvB,iBAAO,KAAK,IAAI,OAAO,IAAI,GAAG,KAAK,CAAC;AAAA,QACtC;AACA,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA;;;AC7JA,IAca;AAdb;AAAA;AAAA;AAEA;AAYO,IAAM,kBAAN,MAAM,iBAAgB;AAAA,MAC3B,OAAgB,yBAA8C,oBAAI,IAAI;AAAA,QACpE;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF,CAAC;AAAA,MAED,OAAgB,0BAEZ;AAAA,QACF;AAAA,UACE,OAAO;AAAA,UACP;AAAA,QACF;AAAA,QACA,CAAC,OAAO,gCAAgC,cAAc;AAAA,QACtD,CAAC,OAAO,sBAAsB,gBAAgB;AAAA,MAChD;AAAA,MAEA,OAAgB,wBAA+C;AAAA,QAC7D,OAAO;AAAA,QACP,OAAO;AAAA,QACP,OAAO;AAAA,QACP,OAAO;AAAA,QACP,OAAO;AAAA,MACT;AAAA,MAEA,OAAgB,mBAAmB;AAAA,MACnC,OAAgB,kBAAkB;AAAA,MAClC,OAAgB,qBAAqB;AAAA,MAEpB;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MAEjB,YACE,eACA,gBACA,qBAA8B,MAC9B;AACA,cAAM,WAAW,gBACb,oBAAI,IAAI,CAAC,GAAG,iBAAgB,wBAAwB,GAAG,aAAa,CAAC,IACrE,IAAI,IAAI,iBAAgB,sBAAsB;AAClD,aAAK,QAAQ,IAAI,IAAI,CAAC,GAAG,QAAQ,EAAE,IAAI,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;AAC9D,YAAI,gBAAgB;AAClB,qBAAW,CAAC,OAAO,KAAK,gBAAgB;AACtC,gBAAI,QAAQ,SAAS,iBAAgB,oBAAoB;AACvD,oBAAM,IAAI;AAAA,gBACR,oCAAoC,iBAAgB,kBAAkB;AAAA,cACxE;AAAA,YACF;AAAA,UACF;AAAA,QACF;AACA,aAAK,YAAY;AAAA,UACf,GAAI,kBAAkB,CAAC;AAAA,UACvB,GAAG,iBAAgB;AAAA,QACrB;AACA,aAAK,oBAAoB,KAAK,UAAU;AAAA,UACtC,CAAC,CAAC,SAAS,WAAW,MAAM,CAAC,IAAI,OAAO,SAAS,GAAG,GAAG,WAAW;AAAA,QACpE;AACA,aAAK,0BAA0B,iBAAgB,sBAAsB;AAAA,UACnE,CAAC,MAAM,IAAI,OAAO,CAAC;AAAA,QACrB;AACA,aAAK,gBAAgB;AAAA,MACvB;AAAA;AAAA,MAGA,WAAW,MAAwB;AACjC,YAAI,SAAS,QAAQ,OAAO,SAAS,YAAY,CAAC,MAAM,QAAQ,IAAI,GAAG;AACrE,gBAAM,SAAkC,CAAC;AACzC,qBAAW,CAAC,KAAK,KAAK,KAAK,OAAO;AAAA,YAChC;AAAA,UACF,GAAG;AACD,mBAAO,GAAG,IAAI,KAAK,gBAAgB,GAAG,IAClC,eACA,KAAK,WAAW,KAAK;AAAA,UAC3B;AACA,iBAAO;AAAA,QACT;AACA,YAAI,MAAM,QAAQ,IAAI,GAAG;AACvB,iBAAO,KAAK,IAAI,CAAC,SAAS,KAAK,WAAW,IAAI,CAAC;AAAA,QACjD;AACA,YAAI,OAAO,SAAS,UAAU;AAC5B,cAAI,KAAK,iBAAiB,KAAK,iBAAiB,IAAI,GAAG;AACrD,mBAAO;AAAA,UACT;AACA,cAAI,KAAK,SAAS,KAAM;AACtB,mBAAO,KAAK,MAAM,GAAG,GAAG,IAAI;AAAA,UAC9B;AACA,iBAAO;AAAA,QACT;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAGA,gBAAgB,KAAsB;AACpC,cAAM,IAAI,IAAI,YAAY;AAC1B,YAAI,KAAK,MAAM,IAAI,CAAC,EAAG,QAAO;AAE9B,cAAM,aAAa,IAAI,QAAQ,mBAAmB,OAAO,EAAE,YAAY;AACvE,YAAI,eAAe,KAAK,KAAK,MAAM,IAAI,UAAU,EAAG,QAAO;AAG3D,cAAM,QAAQ,WAAW,MAAM,OAAO;AACtC,eAAO,MAAM;AAAA,UAAK,CAAC,SACjB,SAAS,WACT,SAAS,SACT,SAAS,YACT,SAAS,cACT,SAAS;AAAA,QACX;AAAA,MACF;AAAA;AAAA,MAGA,iBAAiB,OAAwB;AACvC,cAAM,SAAS,MAAM,SAAS,iBAAgB,kBAC1C,MAAM,MAAM,GAAG,iBAAgB,eAAe,IAC9C;AACJ,mBAAW,SAAS,KAAK,yBAAyB;AAChD,cAAI,MAAM,KAAK,MAAM,GAAG;AACtB,mBAAO;AAAA,UACT;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAGA,kBAAkB,SAAyB;AACzC,cAAM,SAAS,QAAQ,SAAS,iBAAgB,kBAC5C,QAAQ,MAAM,GAAG,iBAAgB,eAAe,IAChD;AACJ,YAAI,SAAS;AACb,mBAAW,CAAC,OAAO,WAAW,KAAK,KAAK,mBAAmB;AACzD,gBAAM,YAAY;AAClB,mBAAS,OAAO,QAAQ,OAAO,WAAW;AAAA,QAC5C;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAGA,aAAa,QAAgB,YAAoB,KAAa;AAC5D,cAAM,SAAS,OAAO,SAAS,iBAAgB,kBAC3C,OAAO,MAAM,GAAG,iBAAgB,eAAe,IAC/C;AACJ,YAAI,WAAW;AACf,mBAAW,CAAC,OAAO,WAAW,KAAK,KAAK,mBAAmB;AACzD,gBAAM,YAAY;AAClB,qBAAW,SAAS,QAAQ,OAAO,WAAW;AAAA,QAChD;AACA,YAAI,SAAS,SAAS,WAAW;AAC/B,qBAAW,SAAS,MAAM,GAAG,YAAY,CAAC,IAAI;AAAA,QAChD;AACA,eAAO;AAAA,MACT;AAAA;AAAA,MAGA,WAAW,MAAwD;AACjE,cAAM,aAAa,KAAK,UAAU,IAAI;AACtC,YAAI,WAAW,SAAS,iBAAgB,kBAAkB;AACxD,gBAAM,EAAE,eAAe,KAAK,UAAU,KAAK,GAAG,KAAK,IAAI;AACvD,eAAK;AAAK,eAAK;AACf,iBAAO;AAAA,YACL,GAAG;AAAA,YACH,YAAY;AAAA,YACZ,UAAU,EAAE,WAAW,wBAAwB;AAAA,UACjD;AAAA,QACF;AACA,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA;;;AChMA,SAAS,oBAAoB,GAAmB;AAC9C,SAAO,EAAE,QAAQ,0BAA0B,EAAE,EAAE,QAAQ,oBAAoB,EAAE;AAC/E;AAiCA,SAAS,sBACP,QACiB;AACjB,QAAM,UAA2B;AAAA,IAC/B,YAAY,OAAO;AAAA,IACnB,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO,OAAO,EAAE,GAAG,OAAO,SAAS,CAAC;AAAA,IAC9C,SAAS,OAAO;AAAA,IAChB,SAAS,OAAO;AAAA,IAChB,eAAe,OAAO;AAAA,IACtB,WACE,OAAO,cAAc,OACjB,OAAO,OAAO,EAAE,GAAG,OAAO,UAAU,CAAC,IACrC;AAAA,IACN,UAAU,OAAO,OAAO,EAAE,GAAG,OAAO,SAAS,CAAC;AAAA,IAC9C,WAAW,OAAO,aAAa,oBAAI,KAAK;AAAA,EAC1C;AACA,SAAO,OAAO,OAAO,OAAO;AAC9B;AAeA,SAAS,uBACP,QACkB;AAClB,QAAM,WAA6B;AAAA,IACjC,UAAU,OAAO;AAAA,IACjB,UAAU,OAAO,YAAY;AAAA,IAC7B,QAAQ,OAAO,UAAU;AAAA,IACzB,QAAQ,OAAO,UAAU,eAAe;AAAA,IACxC,WAAW,OAAO,aAAa,oBAAI,KAAK;AAAA,EAC1C;AACA,SAAO,OAAO,OAAO,QAAQ;AAC/B;AAvFA,IAEAA,qBACA,UAaa,gBA0GA;AA1Hb;AAAA;AAAA;AAEA,IAAAA,sBAA2B;AAC3B,eAA0B;AAE1B;AAWO,IAAM,iBAAiB;AAAA,MAC5B,SAAS;AAAA,MACT,UAAU;AAAA,MACV,QAAQ;AAAA,MACR,SAAS;AAAA,IACX;AAqGO,IAAM,uBAAN,MAAsD;AAAA,MAC1C,WAAyC,oBAAI,IAAI;AAAA,MAElE,MAAM,gBACJ,UACA,UACA,SACA,SAM0B;AAC1B,cAAM,iBAAa,gCAAW;AAC9B,cAAM,UAAU,sBAAsB;AAAA,UACpC;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA,SAAS,SAAS,WAAW;AAAA,UAC7B,eAAe,SAAS,iBAAiB;AAAA,UACzC,WAAW,SAAS,aAAa;AAAA,UACjC,UAAU,SAAS,YAAY,CAAC;AAAA,QAClC,CAAC;AACD,aAAK,SAAS,IAAI,YAAY,OAAO;AAErC,cAAM,YAAY,IAAI,gBAAgB;AACtC,cAAM,WAAW,UAAU,WAAW,QAAQ;AAC9C,gBAAQ,OAAO,MAAM,uBAAuB,oBAAoB,OAAO,CAAC;AAAA,CAAI;AAC5E,gBAAQ,OAAO,MAAM,WAAW,oBAAoB,QAAQ,CAAC;AAAA,CAAI;AACjE,gBAAQ,OAAO,MAAM,WAAW,oBAAoB,KAAK,UAAU,QAAQ,CAAC,CAAC;AAAA,CAAI;AACjF,gBAAQ,OAAO,MAAM,WAAW,UAAU;AAAA,CAAI;AAE9C,eAAO;AAAA,MACT;AAAA,MAEA,MAAM,gBACJ,YACA,SAC2B;AAC3B,cAAM,UAAU,KAAK,SAAS,IAAI,UAAU;AAC5C,cAAM,mBACJ,YAAY,UAAU,QAAQ,UAAU;AAE1C,YAAI;AACF,gBAAM,WAAW,MAAM,KAAK,WAAW,YAAY,gBAAgB;AACnE,gBAAM,WAAW,CAAC,KAAK,OAAO,SAAS,EAAE;AAAA,YACvC,SAAS,KAAK,EAAE,YAAY;AAAA,UAC9B;AACA,gBAAM,SAAS,WACX,eAAe,WACf,eAAe;AACnB,iBAAO,uBAAuB;AAAA,YAC5B;AAAA,YACA,UAAU;AAAA,YACV;AAAA,UACF,CAAC;AAAA,QACH,QAAQ;AAEN,gBAAM,gBAAgB,UAAU,QAAQ,gBAAgB;AACxD,gBAAM,WAAW,kBAAkB;AACnC,iBAAO,uBAAuB;AAAA,YAC5B;AAAA,YACA,QAAQ,eAAe;AAAA,UACzB,CAAC;AAAA,QACH;AAAA,MACF;AAAA;AAAA,MAGQ,WACN,YACA,gBACiB;AACjB,eAAO,IAAI,QAAgB,CAAC,SAAS,WAAW;AAC9C,gBAAM,KAAc,yBAAgB;AAAA,YAClC,OAAO,QAAQ;AAAA,YACf,QAAQ,QAAQ;AAAA,UAClB,CAAC;AAED,gBAAM,QAAQ,WAAW,MAAM;AAC7B,eAAG,MAAM;AACT,mBAAO,IAAI,MAAM,oBAAoB,CAAC;AAAA,UACxC,GAAG,iBAAiB,GAAI;AAExB,aAAG,SAAS,uBAAuB,UAAU,OAAO,CAAC,WAAW;AAC9D,yBAAa,KAAK;AAClB,eAAG,MAAM;AACT,oBAAQ,MAAM;AAAA,UAChB,CAAC;AAAA,QACH,CAAC;AAAA,MACH;AAAA,IACF;AAAA;AAAA;;;AC9JO,SAAS,iBAAiB,IAAyB,CAAC,GAAe;AACxE,SAAO;AAAA,IACL,eAAe,EAAE,iBAAiB;AAAA,IAClC,WAAW,EAAE,aAAa,oBAAI,KAAK;AAAA,IACnC,OAAO,EAAE,SAAS;AAAA,IAAI,QAAQ,EAAE,UAAU;AAAA,IAC1C,WAAW,EAAE,aAAa;AAAA,IAAG,cAAc,EAAE,gBAAgB;AAAA,IAC7D,UAAU,EAAE,YAAY;AAAA,IAAI,UAAU,EAAE,YAAY,CAAC;AAAA,IACrD,YAAY,EAAE,cAAc;AAAA,IAAI,aAAa,EAAE,eAAe;AAAA,IAC9D,WAAW,EAAE,aAAa;AAAA,IAC1B,QAAQ,EAAE,UAAU,YAAY;AAAA,IAChC,gBAAgB,EAAE,kBAAkB;AAAA,IACpC,cAAc,EAAE,gBAAgB;AAAA,IAAM,QAAQ,EAAE,UAAU;AAAA,IAC1D,gBAAgB,EAAE,kBAAkB,CAAC;AAAA,IACrC,oBAAoB,EAAE,sBAAsB,CAAC;AAAA,IAC7C,aAAa,EAAE,eAAe;AAAA,IAC9B,sBAAsB,EAAE,wBAAwB;AAAA,IAChD,YAAY,EAAE,cAAc;AAAA,IAAG,OAAO,EAAE,SAAS;AAAA,IACjD,eAAe,EAAE,iBAAiB;AAAA,IAClC,qBAAqB,EAAE,uBAAuB;AAAA,IAC9C,uBAAuB,EAAE,yBAAyB;AAAA,IAClD,MAAM,EAAE,QAAQ;AAAA,IAChB,eAAe,EAAE,iBAAiB;AAAA,IAAM,aAAa,EAAE,eAAe;AAAA,EACxE;AACF;AAwCA,SAAS,SAAS,OAA4C;AAC5D,QAAM,EAAE,WAAW,GAAG,KAAK,IAAI;AAC/B,SAAO,EAAE,GAAG,MAAM,WAAW,UAAU,YAAY,EAAE;AACvD;AA1HA,IAEA,iBAMa,aAgFA,kBAOA,eA+BA,iBAYA,eAeA;AAzJb;AAAA;AAAA;AAEA,sBAA2B;AAE3B;AAIO,IAAM,cAAc;AAAA,MACzB,aAAa;AAAA,MACb,iBAAiB;AAAA,MACjB,cAAc;AAAA,MACd,eAAe;AAAA,MACf,aAAa;AAAA,MACb,uBAAuB;AAAA,MACvB,yBAAyB;AAAA,MACzB,uBAAuB;AAAA,MACvB,sBAAsB;AAAA,MACtB,uBAAuB;AAAA,IACzB;AAqEO,IAAM,mBAAN,cAA+B,MAAM;AAAA,MAC1C,YAAY,SAAiB;AAAE,cAAM,OAAO;AAAG,aAAK,OAAO;AAAA,MAAoB;AAAA,IACjF;AAKO,IAAM,gBAAN,MAAyC;AAAA,MAC7B;AAAA,MAEjB,YAAY,OAAoB;AAC9B,YAAI,MAAM,WAAW,EAAG,OAAM,IAAI,MAAM,0CAA0C;AAClF,aAAK,SAAS,CAAC,GAAG,KAAK;AAAA,MACzB;AAAA,MAEA,IAAI,QAAqB;AAAE,eAAO,CAAC,GAAG,KAAK,MAAM;AAAA,MAAG;AAAA,MAEpD,MAAM,KAAK,OAAkC;AAC3C,cAAM,SAAkB,CAAC;AACzB,mBAAW,QAAQ,KAAK,QAAQ;AAC9B,cAAI;AAAE,kBAAM,KAAK,KAAK,KAAK;AAAA,UAAG,SACvB,KAAK;AAAE,mBAAO,KAAK,eAAe,QAAQ,MAAM,IAAI,MAAM,OAAO,GAAG,CAAC,CAAC;AAAA,UAAG;AAAA,QAClF;AACA,YAAI,OAAO,SAAS,GAAG;AACrB,gBAAM,IAAI,eAAe,QAAQ,yCAAyC;AAAA,QAC5E;AAAA,MACF;AAAA,IACF;AAWO,IAAM,kBAAN,MAA2C;AAAA,MAC/B;AAAA,MACjB,YAAY,WAAoC;AAC9C,aAAK,aAAa,aAAa,IAAI,gBAAgB;AAAA,MACrD;AAAA,MACA,MAAM,KAAK,OAAkC;AAC3C,gBAAQ,OAAO,MAAM,KAAK,UAAU,KAAK,WAAW,WAAW,SAAS,KAAK,CAAC,CAAC,IAAI,IAAI;AAAA,MACzF;AAAA,IACF;AAIO,IAAM,gBAAN,MAAyC;AAAA,MAC7B;AAAA,MACA;AAAA,MACjB,YAAY,MAAc,WAAoC;AAC5D,aAAK,QAAQ;AAAM,aAAK,aAAa,aAAa,IAAI,gBAAgB;AAAA,MACxE;AAAA,MACA,MAAM,KAAK,OAAkC;AAC3C,cAAM,OAAO,KAAK,WAAW,WAAW,SAAS,KAAK,CAAC;AACvD,kBAAM,4BAAW,KAAK,OAAO,KAAK,UAAU,IAAI,IAAI,MAAM,OAAO;AAAA,MACnE;AAAA,IACF;AAKO,IAAM,sBAAN,MAA+C;AAAA,MAC5C,UAAwB,CAAC;AAAA,MAChB;AAAA,MACT,gBAAwB;AAAA,MAEhC,YAAY,YAAoB,KAAQ;AACtC,YAAI,YAAY,EAAG,OAAM,IAAI,MAAM,gCAAgC,SAAS,EAAE;AAC9E,aAAK,aAAa;AAAA,MACpB;AAAA,MAEA,MAAM,KAAK,OAAkC;AAC3C,aAAK,QAAQ,KAAK,KAAK;AACvB,aAAK,iBAAiB;AACtB,YAAI,KAAK,QAAQ,SAAS,KAAK,WAAY,MAAK,UAAU,KAAK,QAAQ,MAAM,CAAC,KAAK,UAAU;AAAA,MAC/F;AAAA,MAEA,IAAI,SAAuB;AAAE,eAAO,CAAC,GAAG,KAAK,OAAO;AAAA,MAAG;AAAA,MACvD,OAAe;AAAE,eAAO,KAAK;AAAA,MAAe;AAAA,MAE5C,UAAU,GAAyB;AACjC,YAAI,IAAI,KAAK,eAAe;AAC1B,gBAAM,IAAI,MAAM,QAAQ,CAAC,+BAA+B,KAAK,aAAa,GAAG;AAAA,QAC/E;AACA,cAAM,eAAe,KAAK,gBAAgB,KAAK,QAAQ;AACvD,YAAI,IAAI,cAAc;AACpB,gBAAM,IAAI;AAAA,YACR,QAAQ,CAAC,gDAAgD,YAAY,gBAAgB,KAAK,UAAU;AAAA,UACtG;AAAA,QACF;AACA,eAAO,CAAC,GAAG,KAAK,QAAQ,MAAM,IAAI,YAAY,CAAC;AAAA,MACjD;AAAA,MAEA,OAAmB;AACjB,YAAI,KAAK,QAAQ,WAAW,EAAG,OAAM,IAAI,MAAM,qBAAqB;AACpE,cAAM,OAAO,KAAK,QAAQ,KAAK,QAAQ,SAAS,CAAC;AACjD,YAAI,CAAC,KAAM,OAAM,IAAI,MAAM,qBAAqB;AAChD,eAAO;AAAA,MACT;AAAA,MAEA,OAAO,QAAmC;AACxC,eAAO,KAAK,QAAQ,OAAO,CAAC,MAAM,EAAE,WAAW,MAAM;AAAA,MACvD;AAAA,MAEA,QAAc;AAAE,aAAK,UAAU,CAAC;AAAA,MAAG;AAAA,IACrC;AAAA;AAAA;;;AClLO,SAAS,qBACd,QAEgB;AAChB,SAAO,OAAO,OAAO;AAAA,IACnB,YAAY,OAAO;AAAA,IACnB,cAAc,OAAO;AAAA,IACrB,QAAQ,OAAO;AAAA,IACf,SAAS,OAAO,WAAW;AAAA,IAC3B,MAAM,OAAO,OAAO,CAAC,GAAI,OAAO,QAAQ,CAAC,CAAE,CAAC;AAAA,IAC5C,UAAU,OAAO,YAAY;AAAA,IAC7B,QAAQ,OAAO,UAAU;AAAA,IACzB,aAAa,OAAO,eAAe;AAAA,EACrC,CAAC;AACH;AAkBO,SAAS,uBACd,QAEkB;AAClB,SAAO,OAAO,OAAO;AAAA,IACnB,SAAS,OAAO;AAAA,IAChB,UAAU,OAAO;AAAA,IACjB,WAAW,OAAO,OAAO,CAAC,GAAI,OAAO,aAAa,CAAC,CAAE,CAAC;AAAA,IACtD,aAAa,OAAO,OAAO,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE,CAAC;AAAA,IAC1D,aAAa,OAAO,OAAO,CAAC,GAAI,OAAO,eAAe,CAAC,CAAE,CAAC;AAAA,IAC1D,oBAAoB,OAAO,sBAAsB;AAAA,IACjD,aAAa,OAAO,eAAe;AAAA,EACrC,CAAC;AACH;AAhEA;AAAA;AAAA;AAAA;AAAA;;;ACqCO,SAAS,kBACd,SACa;AACb,SAAO;AAAA,IACL,QAAQ,QAAQ;AAAA,IAChB,QAAQ,QAAQ,UAAU;AAAA,IAC1B,gBAAgB,QAAQ,kBAAkB;AAAA,IAC1C,cAAc,QAAQ,gBAAgB;AAAA,IACtC,gBAAgB,QAAQ,kBAAkB,CAAC;AAAA,IAC3C,oBAAoB,QAAQ,sBAAsB,CAAC;AAAA,IACnD,UAAU,QAAQ,YAAY;AAAA,IAC9B,aAAa,QAAQ,eAAe;AAAA,IACpC,gBAAgB,QAAQ,kBAAkB,CAAC;AAAA,IAC3C,iBAAiB,QAAQ,mBAAmB;AAAA,IAC5C,uBAAuB,QAAQ,yBAAyB;AAAA,IACxD,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C;AACF;AAkBO,SAAS,mBACd,SACc;AACd,SAAO;AAAA,IACL,aAAa,QAAQ;AAAA,IACrB,sBAAsB,QAAQ,wBAAwB;AAAA,IACtD,UAAU,QAAQ,YAAY,CAAC;AAAA,IAC/B,oBAAoB,QAAQ,sBAAsB,CAAC;AAAA,IACnD,aAAa,QAAQ,eAAe;AAAA,IACpC,kBAAkB,QAAQ,oBAAoB;AAAA,IAC9C,kBAAkB,QAAQ,oBAAoB;AAAA,EAChD;AACF;AAOA,SAAS,eACP,oBACS;AACT,SAAO,mBAAmB,KAAK,CAAC,MAAM;AACpC,UAAM,OAAO,EAAE,UAAU;AACzB,WAAO,OAAO,cAAc,MAAM;AAAA,EACpC,CAAC;AACH;AAlGA,IA+Ga;AA/Gb;AAAA;AAAA;AAQA;AACA;AAEA;AACA;AAmGO,IAAM,qBAAN,MAAyB;AAAA,MACb;AAAA,MAEjB,YAAY,OAAkB;AAC5B,aAAK,SAAS;AAAA,MAChB;AAAA,MAEA,MAAM,WACJ,UACA,SACsB;AACtB,cAAM,iBAA4C,CAAC;AACnD,cAAM,qBAAgD,CAAC;AACvD,YAAI,kBAAkB;AAKtB,YAAI;AACJ,YAAI,SAAS,YAAY,KAAK,OAAO,OAAO,iBAAiB;AAC3D,6BAAmB,SAAS;AAAA,QAC9B;AACA,cAAM,WAAW,MAAM,QAAQ,iBAAiB;AAAA,UAC9C,aAAa;AAAA,QACf,CAAC;AAGD,cAAM,eAAe,SAAS,UAAU,KAAK;AAC7C,YAAI,gBAAgB,KAAK,OAAO,OAAO,aAAa;AAClD,iBAAO,kBAAkB;AAAA,YACvB,QAAQ;AAAA,YACR,QACE,0BAA0B,KAAK,OAAO,OAAO,WAAW;AAAA,YAE1D,gBAAgB;AAAA,YAChB,cAAc;AAAA,YACd;AAAA,YACA;AAAA,UACF,CAAC;AAAA,QACH;AAGA,mBAAW,WAAW,KAAK,OAAO,SAAS,UAAU,QAAQ,GAAG;AAC9D,cAAI,QAAQ,QAAQ,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC3C;AAAA,UACF;AACA,cAAI;AACJ,cAAI;AACF,uBAAW,MAAM,QAAQ,SAAS,QAAQ;AAAA,UAC5C,SAAS,KAAK;AACZ,uBAAW,aAAa,KAAK,eAAe,GAAG,EAAE;AAAA,UACnD;AAEA,gBAAM,aAAsC;AAAA,YAC1C,MACE,QAAQ,SAAS,QAAQ;AAAA,YAC3B,QAAQ,SAAS;AAAA,YACjB,QAAQ,SAAS;AAAA,UACnB;AACA,yBAAe,KAAK,UAAU;AAE9B,cAAI,SAAS,WAAW,WAAW,MAAM;AACvC,mBAAO,kBAAkB;AAAA,cACvB,QAAQ;AAAA,cACR,QAAQ,SAAS;AAAA,cACjB,gBAAgB;AAAA,cAChB,cAAc,WAAW,MAAM;AAAA,cAC/B;AAAA,cACA;AAAA,cACA,cAAc,SAAS,UAAU,IAAI,SAAS,aAAa;AAAA,YAC7D,CAAC;AAAA,UACH;AAAA,QACF;AAGA,mBAAW,YAAY,KAAK,OAAO,iBAAiB,QAAQ,GAAG;AAC7D,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,UACzC,SAAS,KAAK;AACZ,sBAAU,QAAQ,KAAK,uBAAuB,GAAG,IAAI;AAAA,cACnD,cAAc;AAAA,YAChB,CAAC;AAAA,UACH;AAEA,gBAAM,iBAA0C;AAAA,YAC9C,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,UACnB;AACA,cACE,QAAQ,YACR,OAAO,KAAK,QAAQ,QAAQ,EAAE,SAAS,GACvC;AACA,2BAAe,UAAU,IAAI,QAAQ;AAAA,UACvC;AACA,6BAAmB,KAAK,cAAc;AAEtC,cAAI,CAAC,QAAQ,QAAQ;AAEnB,gBAAI,SAAS,SAAS,WAAW;AAC/B,6BAAe,UAAU,IAAI;AAC7B,gCAAkB;AAClB;AAAA,YACF;AAEA,kBAAM,SAAS,SAAS,UAAU;AAClC,kBAAMC,MAAK,eAAe,kBAAkB;AAE5C,kBAAM,SAAS,SAAS,UAAU;AAClC,gBAAI,WAAW,WAAW;AACxB,qBAAO,kBAAkB;AAAA,gBACvB,QAAQ;AAAA,gBACR,QAAQ,QAAQ;AAAA,gBAChB,gBAAgB;AAAA,gBAChB,cAAc,SAAS;AAAA,gBACvB;AAAA,gBACA;AAAA,gBACA,aAAaA;AAAA,gBACb,iBAAiB,SAAS,WAAW;AAAA,gBACrC,uBAAuB,SAAS,iBAAiB;AAAA,gBACjD,iBAAiB,QAAQ;AAAA,cAC3B,CAAC;AAAA,YACH;AAEA,mBAAO,kBAAkB;AAAA,cACvB,QAAQ;AAAA,cACR,QAAQ,QAAQ;AAAA,cAChB,gBAAgB;AAAA,cAChB,cAAc,SAAS;AAAA,cACvB;AAAA,cACA;AAAA,cACA,aAAaA;AAAA,YACf,CAAC;AAAA,UACH;AAAA,QACF;AAGA,mBAAW,YAAY,KAAK,OAAO,oBAAoB,QAAQ,GAAG;AAChE,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,UACzC,SAAS,KAAK;AACZ,sBAAU,QAAQ,KAAK,2BAA2B,GAAG,IAAI;AAAA,cACvD,cAAc;AAAA,YAChB,CAAC;AAAA,UACH;AAEA,gBAAM,iBAA0C;AAAA,YAC9C,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,UACnB;AACA,cACE,QAAQ,YACR,OAAO,KAAK,QAAQ,QAAQ,EAAE,SAAS,GACvC;AACA,2BAAe,UAAU,IAAI,QAAQ;AAAA,UACvC;AACA,6BAAmB,KAAK,cAAc;AAEtC,cAAI,CAAC,QAAQ,QAAQ;AACnB,gBAAI,SAAS,SAAS,WAAW;AAC/B,6BAAe,UAAU,IAAI;AAC7B,gCAAkB;AAClB;AAAA,YACF;AAEA,kBAAM,SAAS,SAAS,UAAU;AAClC,kBAAMA,MAAK,eAAe,kBAAkB;AAE5C,kBAAM,SAAS,SAAS,UAAU;AAClC,gBAAI,WAAW,WAAW;AACxB,qBAAO,kBAAkB;AAAA,gBACvB,QAAQ;AAAA,gBACR,QAAQ,QAAQ;AAAA,gBAChB,gBAAgB;AAAA,gBAChB,cAAc,SAAS;AAAA,gBACvB;AAAA,gBACA;AAAA,gBACA,aAAaA;AAAA,gBACb,iBAAiB,SAAS,WAAW;AAAA,gBACrC,uBAAuB,SAAS,iBAAiB;AAAA,gBACjD,iBAAiB,QAAQ;AAAA,cAC3B,CAAC;AAAA,YACH;AAEA,mBAAO,kBAAkB;AAAA,cACvB,QAAQ;AAAA,cACR,QAAQ,QAAQ;AAAA,cAChB,gBAAgB;AAAA,cAChB,cAAc,SAAS;AAAA,cACvB;AAAA,cACA;AAAA,cACA,aAAaA;AAAA,YACf,CAAC;AAAA,UACH;AAAA,QACF;AAGA,mBAAW,YAAY,KAAK,OAAO,oBAAoB,GAAG;AACxD,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,OAAO;AAAA,UACxC,SAAS,KAAK;AACZ,sBAAU,QAAQ,KAAK,2BAA2B,GAAG,IAAI;AAAA,cACvD,cAAc;AAAA,YAChB,CAAC;AAAA,UACH;AAEA,gBAAM,iBAA0C;AAAA,YAC9C,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,UACnB;AACA,cACE,QAAQ,YACR,OAAO,KAAK,QAAQ,QAAQ,EAAE,SAAS,GACvC;AACA,2BAAe,UAAU,IAAI,QAAQ;AAAA,UACvC;AACA,6BAAmB,KAAK,cAAc;AAEtC,cAAI,CAAC,QAAQ,QAAQ;AACnB,kBAAM,SAAS,SAAS,UAAU;AAClC,kBAAMA,MAAK,eAAe,kBAAkB;AAC5C,mBAAO,kBAAkB;AAAA,cACvB,QAAQ;AAAA,cACR,QAAQ,QAAQ;AAAA,cAChB,gBAAgB;AAAA,cAChB,cAAc,SAAS;AAAA,cACvB;AAAA,cACA;AAAA,cACA,aAAaA;AAAA,YACf,CAAC;AAAA,UACH;AAAA,QACF;AAGA,cAAM,YAAY,SAAS,OAAO,KAAK;AACvC,YAAI,aAAa,KAAK,OAAO,OAAO,cAAc;AAChD,iBAAO,kBAAkB;AAAA,YACvB,QAAQ;AAAA,YACR,QACE,4BAA4B,KAAK,OAAO,OAAO,YAAY;AAAA,YAE7D,gBAAgB;AAAA,YAChB,cAAc;AAAA,YACd;AAAA,YACA;AAAA,UACF,CAAC;AAAA,QACH;AAGA,YAAI,SAAS,YAAY,KAAK,OAAO,OAAO,iBAAiB;AAC3D,gBAAM,UAAU,QAAQ,SAAS,QAAQ;AACzC,gBAAM,YAAY,SAAS,OAAO,KAAK;AACvC,gBAAM,YACJ,KAAK,OAAO,OAAO,gBAAgB,SAAS,QAAQ,KAAK;AAC3D,cAAI,aAAa,WAAW;AAC1B,mBAAO,kBAAkB;AAAA,cACvB,QAAQ;AAAA,cACR,QACE,mBAAmB,SAAS,QAAQ,WAAW,SAAS,kBAAkB,SAAS;AAAA,cACrF,gBAAgB;AAAA,cAChB,cAAc,sBAAsB,SAAS,QAAQ;AAAA,cACrD;AAAA,cACA;AAAA,YACF,CAAC;AAAA,UACH;AAAA,QACF;AAGA,cAAM,KAAK,eAAe,kBAAkB;AAG5C,cAAM,iBAAiB,MAAM,KAAK;AAAA,UAChC;AAAA,UACA;AAAA,QACF;AAEA,eAAO,kBAAkB;AAAA,UACvB,QAAQ;AAAA,UACR;AAAA,UACA;AAAA,UACA,UAAU;AAAA,UACV,aAAa;AAAA,UACb;AAAA,QACF,CAAC;AAAA,MACH;AAAA,MAEA,MAAM,YACJ,UACA,cACA,aACuB;AACvB,cAAM,WAAqB,CAAC;AAC5B,cAAM,qBAAgD,CAAC;AACvD,YAAI,mBAA4B;AAChC,YAAI,mBAAmB;AAGvB,mBAAW,YAAY,KAAK,OAAO,kBAAkB,QAAQ,GAAG;AAC9D,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,UAAU,YAAY;AAAA,UACvD,SAAS,KAAK;AACZ,sBAAU,QAAQ,KAAK,wBAAwB,GAAG,IAAI;AAAA,cACpD,cAAc;AAAA,YAChB,CAAC;AAAA,UACH;AAEA,gBAAM,iBAA0C;AAAA,YAC9C,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,UACnB;AACA,cACE,QAAQ,YACR,OAAO,KAAK,QAAQ,QAAQ,EAAE,SAAS,GACvC;AACA,2BAAe,UAAU,IAAI,QAAQ;AAAA,UACvC;AACA,6BAAmB,KAAK,cAAc;AAEtC,cAAI,CAAC,QAAQ,QAAQ;AACnB,kBAAM,SAAS,SAAS,UAAU;AAClC,kBAAM,eAAe,SAAS;AAC9B,kBAAM,SACJ,SAAS,eAAe,WAAW,QACnC,SAAS,eAAe,WAAW;AAGrC,gBAAI,iBAAiB,WAAW;AAC9B,6BAAe,UAAU,IAAI;AAC7B,uBAAS,KAAK,0BAA0B,QAAQ,OAAO,EAAE;AAAA,YAC3D,WAAW,WAAW,YAAY,QAAQ;AACxC,oBAAM,WAAW,SAAS,kBAAkB,CAAC;AAC7C,oBAAM,SACJ,qBAAqB,OAAO,mBAAmB;AACjD,kBAAI,OAAO,UAAU,OAAO,OAAO,MAAM,IAAI;AAC7C,kBAAI,SAAS,SAAS,GAAG;AACvB,2BAAW,OAAO,UAAU;AAE1B,wBAAM,YAAY,IAAI,SAClB,MACA,IAAI,OAAO,IAAI,QAAQ,IAAI,QAAQ,GAAG;AAC1C,yBAAO,KAAK,QAAQ,WAAW,YAAY;AAAA,gBAC7C;AAAA,cACF,OAAO;AACL,sBAAM,SAAS,IAAI,gBAAgB;AACnC,uBAAO,OAAO,aAAa,MAAM,KAAK,SAAS,GAAG;AAAA,cACpD;AACA,iCAAmB;AACnB,uBAAS;AAAA,gBACP,oCAAoC,SAAS,IAAI;AAAA,cACnD;AAAA,YACF,WAAW,WAAW,UAAU,QAAQ;AACtC,iCAAmB,uBAAuB,QAAQ,OAAO;AACzD,iCAAmB;AACnB,uBAAS;AAAA,gBACP,qCAAqC,SAAS,IAAI;AAAA,cACpD;AAAA,YACF,YACG,WAAW,YAAY,WAAW,WACnC,CAAC,QACD;AACA,uBAAS;AAAA,gBACP,gBAAgB,QAAQ,OAAO;AAAA,cACjC;AAAA,YACF,WAAW,QAAQ;AACjB,uBAAS;AAAA,gBACP,gBAAgB,QAAQ,OAAO;AAAA,cACjC;AAAA,YACF,OAAO;AACL,uBAAS;AAAA,gBACP,gBAAgB,QAAQ,OAAO;AAAA,cACjC;AAAA,YACF;AAAA,UACF;AAAA,QACF;AAGA,mBAAW,WAAW,KAAK,OAAO,SAAS,SAAS,QAAQ,GAAG;AAC7D,cAAI,QAAQ,QAAQ,CAAC,QAAQ,KAAK,QAAQ,GAAG;AAC3C;AAAA,UACF;AACA,cAAI;AACF,kBAAM,QAAQ,SAAS,UAAU,YAAY;AAAA,UAC/C,QAAQ;AAAA,UAER;AAAA,QACF;AAIA,mBAAW,YAAY,KAAK,OAAO,yBAAyB,QAAQ,GAAG;AACrE,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,UAAU,YAAY;AAAA,UACvD,SAAS,KAAK;AACZ,sBAAU,QAAQ;AAAA,cAChB,qCAAqC,GAAG;AAAA,cACxC,EAAE,cAAc,KAAK;AAAA,YACvB;AAAA,UACF;AACA,gBAAM,SAAkC;AAAA,YACtC,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,YACjB,UAAU;AAAA,YACV,QAAQ,SAAS,UAAU;AAAA,UAC7B;AACA,cAAI,QAAQ,YAAY,OAAO,KAAK,QAAQ,QAAQ,EAAE,SAAS,GAAG;AAChE,mBAAO,UAAU,IAAI,QAAQ;AAAA,UAC/B;AACA,6BAAmB,KAAK,MAAM;AAC9B,cAAI,CAAC,QAAQ,QAAQ;AACnB,qBAAS,KAAK,0BAA0B,QAAQ,OAAO,EAAE;AAAA,UAC3D;AAAA,QACF;AAIA,cAAM,uBACJ,mBAAmB,SAAS,IACxB,mBAAmB;AAAA,UACjB,CAAC,MAAM,EAAE,QAAQ,MAAM,QAAQ,EAAE,UAAU,MAAM;AAAA,QACnD,IACA;AACN,cAAM,KAAK,eAAe,kBAAkB;AAE5C,eAAO,mBAAmB;AAAA,UACxB;AAAA,UACA;AAAA,UACA;AAAA,UACA;AAAA,UACA,aAAa;AAAA,UACb;AAAA,UACA;AAAA,QACF,CAAC;AAAA,MACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MASA,MAAc,0BACZ,UACA,SACoC;AACpC,cAAM,UAAqC,CAAC;AAG5C,mBAAW,YAAY,KAAK,OAAO;AAAA,UACjC;AAAA,QACF,GAAG;AACD,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,UACzC,SAAS,KAAK;AACZ,sBAAU,QAAQ;AAAA,cAChB,oCAAoC,GAAG;AAAA,cACvC,EAAE,cAAc,KAAK;AAAA,YACvB;AAAA,UACF;AAEA,kBAAQ,KAAK;AAAA,YACX,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,YACjB,QAAQ,SAAS,UAAU;AAAA,UAC7B,CAAC;AAAA,QACH;AAGA,mBAAW,YAAY,KAAK,OAAO;AAAA,UACjC;AAAA,QACF,GAAG;AACD,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,UACzC,SAAS,KAAK;AACZ,sBAAU,QAAQ;AAAA,cAChB,+BAA+B,GAAG;AAAA,cAClC,EAAE,cAAc,KAAK;AAAA,YACvB;AAAA,UACF;AAEA,kBAAQ,KAAK;AAAA,YACX,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,YACjB,QAAQ,SAAS,UAAU;AAAA,UAC7B,CAAC;AAAA,QACH;AAGA,mBAAW,YAAY,KAAK,OAAO,2BAA2B,GAAG;AAC/D,cAAI;AACJ,cAAI;AACF,sBAAU,MAAM,SAAS,MAAM,OAAO;AAAA,UACxC,SAAS,KAAK;AACZ,sBAAU,QAAQ;AAAA,cAChB,wCAAwC,GAAG;AAAA,cAC3C,EAAE,cAAc,KAAK;AAAA,YACvB;AAAA,UACF;AAEA,kBAAQ,KAAK;AAAA,YACX,MAAM,SAAS;AAAA,YACf,MAAM;AAAA,YACN,QAAQ,QAAQ;AAAA,YAChB,SAAS,QAAQ;AAAA,YACjB,QAAQ,SAAS,UAAU;AAAA,UAC7B,CAAC;AAAA,QACH;AAEA,eAAO;AAAA,MACT;AAAA,IACF;AAAA;AAAA;;;ACjoBA;AAAA;AAAA;AAAA;AAAA;AAuCO,SAAS,oBACd,WACA,QACS;AACT,MAAI,UAAU,MAAM;AAClB,WAAO;AAAA,EACT;AACA,MAAI,OAAO,WAAW,YAAY,CAAC,MAAM,QAAQ,MAAM,GAAG;AACxD,UAAM,OAAO;AACb,QAAI,KAAK,UAAU,GAAG;AACpB,aAAO;AAAA,IACT;AAAA,EACF;AACA,MAAI,OAAO,WAAW,UAAU;AAC9B,UAAM,QAAQ,OAAO,MAAM,GAAG,CAAC,EAAE,YAAY;AAC7C,QAAI,MAAM,WAAW,QAAQ,KAAK,MAAM,WAAW,QAAQ,GAAG;AAC5D,aAAO;AAAA,IACT;AAAA,EACF;AACA,SAAO;AACT;AAiBA,eAAe,iBACb,OACA,UACA,SACA,QACA,KACe;AACf,QAAM,QAAQ,iBAAiB;AAAA,IAC7B;AAAA,IACA,OAAO,SAAS;AAAA,IAChB,QAAQ,SAAS;AAAA,IACjB,UAAU,SAAS;AAAA,IACnB,UAAU,MAAM,UAAU,WAAW,SAAS,IAAI;AAAA,IAIlD,YAAY,SAAS;AAAA,IACrB,aAAa,SAAS;AAAA,IACtB,WAAW,SAAS,YACf,EAAE,GAAG,SAAS,UAAU,IACzB;AAAA,IACJ,gBAAgB,IAAI;AAAA,IACpB,cAAc,IAAI;AAAA,IAClB,QAAQ,IAAI;AAAA,IACZ,gBAAgB,IAAI;AAAA,IACpB,oBAAoB,IAAI;AAAA,IACxB,qBAAqB,MAAM,QAAQ,aAAa;AAAA,IAChD,uBAAuB,MAAM,QAAQ,eAAe;AAAA,IACpD,MAAM,MAAM;AAAA,IACZ,eAAe,MAAM;AAAA,IACrB,aAAa,IAAI;AAAA,EACnB,CAAC;AACD,QAAM,MAAM,UAAU,KAAK,KAAK;AAElC;AAaA,eAAsB,IACpB,OACA,UACA,MACA,cAGA,SACkB;AAClB,QAAM,YAAY,SAAS,aAAa,MAAM;AAC9C,QAAM,UAAU,IAAI,QAAa,WAAW,MAAM,OAAO;AACzD,QAAM,WAAW,IAAI,mBAAmB,KAAK;AAG7C,QAAM,MAAM,SAAS,eAAe,MAAM;AAG1C,MAAI,YAAY,SAAS,aAAa;AACtC,MAAI,cAAc,QAAW;AAC3B,UAAM,WAAW,MAAM,kBAAkB,UAAU,IAAI;AACvD,QAAI,YAAY,MAAM;AACpB,kBAAY;AAAA,IACd;AAAA,EACF;AAEA,QAAM,WAAW,eAAe,UAAU,MAAM;AAAA,IAC9C,OAAO;AAAA,IACP,aAAa;AAAA,IACb,UAAU,MAAM;AAAA,IAChB,WAAW,aAAa;AAAA,EAC1B,CAAC;AAGD,QAAM,QAAQ,kBAAkB;AAKhC,MAAI;AAOF,UAAM,MAAM,MAAM,SAAS,WAAW,UAAU,OAAO;AAGvD,QAAI,IAAI,WAAW,oBAAoB;AACrC,UAAI,MAAM,oBAAoB,MAAM;AAElC,cAAM,IAAI;AAAA,UACR,yDAAyD,IAAI,MAAM;AAAA,UACnE,IAAI;AAAA,UACJ,IAAI;AAAA,QACN;AAAA,MACF;AAEA,YAAM,gBAAgB,SAAS,YAC1B,EAAE,GAAG,SAAS,UAAU,IACzB;AAEJ,YAAM,kBACJ,MAAM,MAAM,iBAAiB;AAAA,QAC3B,SAAS;AAAA,QACT,SAAS;AAAA,QACT,IAAI,mBAAmB,IAAI,UAAU;AAAA,QACrC;AAAA,UACE,SAAS,IAAI;AAAA,UACb,eAAe,IAAI;AAAA,UACnB,WAAW;AAAA,QACb;AAAA,MACF;AAEF,YAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA,YAAG;AAAA,QACH;AAAA,MACF;AAEA,YAAM,WAAW,MAAM,MAAM,iBAAiB;AAAA,QAC5C,gBAAgB;AAAA,QAChB,IAAI;AAAA,MACN;AAGA,UAAI,WAAW;AACf,UAAI,SAAS,WAAW,eAAe,SAAS;AAC9C,cAAM;AAAA,UACJ;AAAA,UACA;AAAA,UACA;AAAA,UACA,YAAG;AAAA,UACH;AAAA,QACF;AACA,YAAI,IAAI,0BAA0B,SAAS;AACzC,qBAAW;AAAA,QACb;AAAA,MACF,WAAW,CAAC,SAAS,UAAU;AAC7B,cAAM;AAAA,UACJ;AAAA,UACA;AAAA,UACA;AAAA,UACA,YAAG;AAAA,UACH;AAAA,QACF;AAAA,MACF,OAAO;AACL,mBAAW;AACX,cAAM;AAAA,UACJ;AAAA,UACA;AAAA,UACA;AAAA,UACA,YAAG;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEA,UAAI,UAAU;AAEZ,YAAI,MAAM,UAAU;AAClB,cAAI;AACF,kBAAM,SAAS,QAAQ;AAAA,UACzB,QAAQ;AAAA,UAER;AAAA,QACF;AAAA,MAIF,OAAO;AACL,cAAM,aAAa,SAAS,UAAU,IAAI,UAAU;AAEpD,YAAI,MAAM,SAAS;AACjB,cAAI;AACF,kBAAM,QAAQ,UAAU,YAAY,IAAI,YAAY;AAAA,UACtD,QAAQ;AAAA,UAER;AAAA,QACF;AAEA,cAAM,IAAI;AAAA,UACR,SAAS,UAAU,IAAI,UAAU;AAAA,UACjC,IAAI;AAAA,UACJ,IAAI;AAAA,QACN;AAAA,MACF;AAAA,IACF;AAGA,UAAM,WAAW,IAAI,WAAW,UAAU,CAAC,IAAI;AAG/C,QAAI,IAAI,WAAW,oBAAoB;AAAA,IAEvC,WAAW,UAAU;AACnB,YAAM,cACJ,MAAM,SAAS,YAAY,YAAG,kBAAkB,YAAG;AACrD,YAAM,iBAAiB,OAAO,UAAU,SAAS,aAAa,GAAG;AAGjE,UAAI,MAAM,SAAS,WAAW;AAC5B,YAAI,MAAM,SAAS;AACjB,cAAI;AACF,kBAAM,QAAQ,UAAU,IAAI,UAAU,IAAI,IAAI,YAAY;AAAA,UAC5D,QAAQ;AAAA,UAER;AAAA,QACF;AAEA,cAAM,IAAI;AAAA,UACR,IAAI,UAAU;AAAA,UACd,IAAI;AAAA,UACJ,IAAI;AAAA,QACN;AAAA,MACF;AAAA,IAGF,OAAO;AAEL,iBAAW,MAAM,IAAI,oBAAoB;AACvC,YAAI,GAAG,UAAU,KAAK,CAAC,GAAG,QAAQ,GAAG;AACnC,gBAAM,gBAAgB,iBAAiB;AAAA,YACrC,QAAQ,YAAG;AAAA,YACX,OAAO,SAAS;AAAA,YAChB,QAAQ,SAAS;AAAA,YACjB,UAAU,SAAS;AAAA,YACnB,UAAU,MAAM,UAAU,WAAW,SAAS,IAAI;AAAA,YAIlD,YAAY,SAAS;AAAA,YACrB,aAAa,SAAS;AAAA,YACtB,WAAW,SAAS,YACf,EAAE,GAAG,SAAS,UAAU,IACzB;AAAA,YACJ,gBAAgB;AAAA,YAChB,cAAc,GAAG,MAAM;AAAA,YACvB,QAAQ,GAAG,SAAS;AAAA,YACpB,MAAM;AAAA,YACN,eAAe,MAAM;AAAA,YACrB,aAAa,IAAI;AAAA,UACnB,CAAC;AACD,gBAAM,MAAM,UAAU,KAAK,aAAa;AAAA,QAE1C;AAAA,MACF;AAEA,YAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA,YAAG;AAAA,QACH;AAAA,MACF;AAEA,UAAI,MAAM,UAAU;AAClB,YAAI;AACF,gBAAM,SAAS,QAAQ;AAAA,QACzB,QAAQ;AAAA,QAER;AAAA,MACF;AAAA,IAEF;AAGA,eAAW,MAAM,IAAI,gBAAgB;AACnC,YAAM,gBAAgB,GAAG,QAAQ,IAC7B,YAAG,eACH,YAAG;AACP,YAAM,eAAe,iBAAiB;AAAA,QACpC,QAAQ;AAAA,QACR,OAAO,SAAS;AAAA,QAChB,QAAQ,SAAS;AAAA,QACjB,UAAU,SAAS;AAAA,QACnB,UAAU,MAAM,UAAU,WAAW,SAAS,IAAI;AAAA,QAIlD,YAAY,SAAS;AAAA,QACrB,aAAa,SAAS;AAAA,QACtB,WAAW,SAAS,YACf,EAAE,GAAG,SAAS,UAAU,IACzB;AAAA,QACJ,gBAAgB,GAAG,QAAQ;AAAA,QAC3B,cAAc,GAAG,MAAM;AAAA,QACvB,QAAQ,GAAG,SAAS;AAAA,QACpB,MAAM;AAAA,QACN,eAAe,MAAM;AAAA,MACvB,CAAC;AACD,YAAM,MAAM,UAAU,KAAK,YAAY;AAAA,IAEzC;AAGA,QAAI;AACJ,QAAI;AACJ,QAAI;AAGF,eAAS,aAAa,SAAS,IAA+B;AAE9D,UACE,UAAU,QACV,OAAO,WAAW,YAClB,OAAQ,OAA4B,SAAS,YAC7C;AACA,iBAAS,MAAO;AAAA,MAClB;AACA,UAAI,MAAM,eAAe;AACvB,sBAAc,MAAM,cAAc,UAAU,MAAM;AAAA,MACpD,OAAO;AACL,sBAAc,oBAAoB,UAAU,MAAM;AAAA,MACpD;AAAA,IACF,SAAS,GAAY;AACnB,eAAS,OAAO,CAAC;AACjB,oBAAc;AAAA,IAChB;AAGA,UAAM,OAAO,MAAM,SAAS,YAAY,UAAU,QAAQ,WAAW;AACrE,UAAM,QAAQ,gBAAgB,UAAU,WAAW;AAGnD,UAAM,aAAa,cACf,YAAG,gBACH,YAAG;AACP,UAAM,YAAY,iBAAiB;AAAA,MACjC,QAAQ;AAAA,MACR,OAAO,SAAS;AAAA,MAChB,QAAQ,SAAS;AAAA,MACjB,UAAU,SAAS;AAAA,MACnB,UAAU,MAAM,UAAU,WAAW,SAAS,IAAI;AAAA,MAIlD,YAAY,SAAS;AAAA,MACrB,aAAa,SAAS;AAAA,MACtB,WAAW,SAAS,YACf,EAAE,GAAG,SAAS,UAAU,IACzB;AAAA,MACJ;AAAA,MACA,sBAAsB,KAAK;AAAA,MAC3B,oBAAoB,KAAK;AAAA,MACzB,qBAAqB,MAAM,QAAQ,aAAa;AAAA,MAChD,uBAAuB,MAAM,QAAQ,eAAe;AAAA,MACpD,MAAM,MAAM;AAAA,MACZ,eAAe,MAAM;AAAA,MACrB,aAAa,KAAK;AAAA,IACpB,CAAC;AACD,UAAM,MAAM,UAAU,KAAK,SAAS;AAMpC,QAAI,CAAC,aAAa;AAChB,YAAM,IAAI,iBAAiB,OAAO,MAAM,CAAC;AAAA,IAC3C;AAEA,WAAO,KAAK,oBAAoB,OAAO,KAAK,mBAAmB;AAAA,EACjE,UAAE;AAAA,EAEF;AACF;AAjcA;AAAA;AAAA;AAgBA;AACA;AAIA;AACA;AACA;AACA;AAAA;AAAA;;;ACxBA;AAAA;AAAA;AAAA;AAAA;AAgBA,SAAS,SAAS,UAA0E;AAC1F,MAAI,CAAC,SAAU,QAAO,CAAC;AACvB,QAAM,MAAM,SAAS,MAAM;AAC3B,MAAI,CAAC,MAAM,QAAQ,GAAG,EAAG,QAAO,CAAC;AACjC,SAAO,IAAI,OAAO,CAAC,MAAmB,OAAO,MAAM,QAAQ;AAC7D;AA6BA,eAAsB,SACpB,OACA,UACA,MACA,SAC2B;AAC3B,QAAM,MAAM,SAAS,eAAe,MAAM;AAC1C,QAAM,WAAW,eAAe,UAAU,MAAM;AAAA,IAC9C,aAAa;AAAA,IACb,WAAW,SAAS,aAAa;AAAA,IACjC,UAAU,MAAM;AAAA,EAClB,CAAC;AAED,QAAM,YAA8B,CAAC;AACrC,QAAM,cAAwB,CAAC;AAC/B,QAAM,cAAwB,CAAC;AAG/B,aAAW,YAAY,MAAM,iBAAiB,QAAQ,GAAG;AACvD,UAAM,aAAa,SAAS,QAAQ;AACpC,QAAI;AACJ,QAAI;AACF,gBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,IACzC,SAAS,KAAc;AACrB,YAAMC,kBAAiB,qBAAqB;AAAA,QAC1C;AAAA,QACA,cAAc;AAAA,QACd,QAAQ;AAAA,QACR,SAAS,uBAAuB,GAAG;AAAA,QACnC,aAAa;AAAA,MACf,CAAC;AACD,gBAAU,KAAKA,eAAc;AAC7B,kBAAY,KAAKA,gBAAe,WAAW,EAAE;AAC7C;AAAA,IACF;AAEA,UAAM,OAAO,SAAS,QAAQ,QAAQ;AACtC,UAAM,aACJ,SAAS,SAAS,aAAa,CAAC,QAAQ;AAC1C,UAAM,KAAK,QAAQ,WACd,QAAQ,SAAS,cAAc,KAAiB,QACjD;AAEJ,UAAM,iBAAiB,qBAAqB;AAAA,MAC1C;AAAA,MACA,cAAc;AAAA,MACd,QAAQ,QAAQ;AAAA,MAChB,SAAS,QAAQ;AAAA,MACjB;AAAA,MACA,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AACD,cAAU,KAAK,cAAc;AAE7B,QAAI,CAAC,QAAQ,UAAU,CAAC,YAAY;AAClC,kBAAY,KAAK,QAAQ,WAAW,EAAE;AAAA,IACxC;AAAA,EACF;AAGA,aAAW,YAAY,MAAM,oBAAoB,QAAQ,GAAG;AAC1D,UAAM,aAAa,SAAS,QAAQ;AACpC,QAAI;AACJ,QAAI;AACF,gBAAU,MAAM,SAAS,MAAM,QAAQ;AAAA,IACzC,SAAS,KAAc;AACrB,YAAMA,kBAAiB,qBAAqB;AAAA,QAC1C;AAAA,QACA,cAAc;AAAA,QACd,QAAQ;AAAA,QACR,SAAS,kBAAkB,GAAG;AAAA,QAC9B,aAAa;AAAA,MACf,CAAC;AACD,gBAAU,KAAKA,eAAc;AAC7B,kBAAY,KAAKA,gBAAe,WAAW,EAAE;AAC7C;AAAA,IACF;AAEA,UAAM,OAAO,SAAS,QAAQ,QAAQ;AACtC,UAAM,aACJ,SAAS,SAAS,aAAa,CAAC,QAAQ;AAC1C,UAAM,KAAK,QAAQ,WACd,QAAQ,SAAS,cAAc,KAAiB,QACjD;AAEJ,UAAM,iBAAiB,qBAAqB;AAAA,MAC1C;AAAA,MACA,cAAc;AAAA,MACd,QAAQ,QAAQ;AAAA,MAChB,SAAS,QAAQ;AAAA,MACjB;AAAA,MACA,UAAU;AAAA,MACV,aAAa;AAAA,IACf,CAAC;AACD,cAAU,KAAK,cAAc;AAE7B,QAAI,CAAC,QAAQ,UAAU,CAAC,YAAY;AAClC,kBAAY,KAAK,QAAQ,WAAW,EAAE;AAAA,IACxC;AAAA,EACF;AAGA,MAAI,SAAS,UAAU,MAAM;AAC3B,eAAW,YAAY,MAAM,kBAAkB,QAAQ,GAAG;AACxD,YAAM,aAAa,SAAS,QAAQ;AACpC,UAAI;AACJ,UAAI;AACF,kBAAU,MAAM,SAAS,MAAM,UAAU,QAAQ,MAAM;AAAA,MACzD,SAAS,KAAc;AACrB,cAAMA,kBAAiB,qBAAqB;AAAA,UAC1C;AAAA,UACA,cAAc;AAAA,UACd,QAAQ;AAAA,UACR,SAAS,wBAAwB,GAAG;AAAA,UACpC,aAAa;AAAA,QACf,CAAC;AACD,kBAAU,KAAKA,eAAc;AAG7B,cAAM,YAAY,SAAS,UAAU;AACrC,YAAI,cAAc,QAAQ;AACxB,sBAAY,KAAKA,gBAAe,WAAW,EAAE;AAAA,QAC/C,OAAO;AACL,sBAAY,KAAKA,gBAAe,WAAW,EAAE;AAAA,QAC/C;AACA;AAAA,MACF;AAEA,YAAM,OAAO,SAAS,QAAQ,QAAQ;AACtC,YAAM,aACJ,SAAS,SAAS,aAAa,CAAC,QAAQ;AAC1C,YAAM,KAAK,QAAQ,WACd,QAAQ,SAAS,cAAc,KAAiB,QACjD;AACJ,YAAM,SAAS,SAAS,UAAU;AAElC,YAAM,iBAAiB,qBAAqB;AAAA,QAC1C;AAAA,QACA,cAAc;AAAA,QACd,QAAQ,QAAQ;AAAA,QAChB,SAAS,QAAQ;AAAA,QACjB;AAAA,QACA,UAAU;AAAA,QACV;AAAA,QACA,aAAa;AAAA,MACf,CAAC;AACD,gBAAU,KAAK,cAAc;AAE7B,UAAI,CAAC,QAAQ,UAAU,CAAC,YAAY;AAClC,YAAI,WAAW,QAAQ;AACrB,sBAAY,KAAK,QAAQ,WAAW,EAAE;AAAA,QACxC,OAAO;AACL,sBAAY,KAAK,QAAQ,WAAW,EAAE;AAAA,QACxC;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAGA,MAAI;AACJ,MAAI,YAAY,SAAS,GAAG;AAC1B,iBAAa;AAAA,EACf,WAAW,YAAY,SAAS,GAAG;AACjC,iBAAa;AAAA,EACf,OAAO;AACL,iBAAa;AAAA,EACf;AAEA,SAAO,uBAAuB;AAAA,IAC5B,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,oBAAoB,UAAU;AAAA,IAC9B,aAAa,UAAU,KAAK,CAAC,MAAM,EAAE,WAAW;AAAA,EAClD,CAAC;AACH;AAsBA,eAAsB,cACpB,OACA,OAC6B;AAC7B,QAAM,UAA8B,CAAC;AACrC,aAAW,QAAQ,OAAO;AACxB,UAAM,WAAW,KAAK,QAAQ,CAAC;AAG/B,QAAI;AACJ,QAAI,KAAK,aAAa,QAAQ,OAAO,KAAK,cAAc,UAAU;AAChE,kBAAY,gBAAgB;AAAA,QAC1B,MAAM,KAAK,UAAU,MAAM,KAA2B;AAAA,QACtD,QAAQ,KAAK,UAAU,QAAQ,KAA2B;AAAA,QAC1D,WACE,KAAK,UAAU,WAAW,KAA2B;AAAA,QACvD,QACG,OAAO,KAAK,UAAU,QAAQ,MAAM,YAChC,KAAK,UAAU,QAAQ,KAAK,QAC5B,CAAC,MAAM,QAAQ,KAAK,UAAU,QAAQ,CAAC,IACxC,KAAK,UAAU,QAAQ,IACvB,CAAC;AAAA,MACT,CAAC;AAAA,IACH;AAGA,QAAI;AACJ,QAAI,KAAK,UAAU,MAAM;AACvB,UAAI,OAAO,KAAK,WAAW,UAAU;AACnC,YAAI;AACF,mBAAS,KAAK,UAAU,KAAK,MAAM;AAAA,QACrC,QAAQ;AACN,mBAAS;AAAA,QACX;AAAA,MACF,OAAO;AACL,iBAAS,KAAK;AAAA,MAChB;AAAA,IACF;AAEA,YAAQ;AAAA,MACN,MAAM,SAAS,OAAO,KAAK,MAAM,UAAU;AAAA,QACzC;AAAA,QACA;AAAA,QACA,aAAa,KAAK;AAAA,MACpB,CAAC;AAAA,IACH;AAAA,EACF;AACA,SAAO;AACT;AAzSA;AAAA;AAAA;AAaA;AASA;AAAA;AAAA;;;ACtBA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA;AAGA;AAYA;AAIA;;;ACPO,IAAM,iBAAkC,OAAO,OAAO;AAAA,EAC3D,aAAa;AAAA,EACb,cAAc;AAAA,EACd,iBAAiB,OAAO,OAAO,CAAC,CAAC;AACnC,CAAC;;;ACcM,IAAM,gBAAN,MAA8C;AAAA,EAClC,QAA6B,oBAAI,IAAI;AAAA,EACrC,YAAiC,oBAAI,IAAI;AAAA,EAE1D,MAAM,IAAI,KAAqC;AAC7C,UAAM,SAAS,KAAK,MAAM,IAAI,GAAG;AACjC,QAAI,WAAW,QAAW;AACxB,aAAO;AAAA,IACT;AACA,UAAM,SAAS,KAAK,UAAU,IAAI,GAAG;AACrC,QAAI,WAAW,QAAW;AACxB,aAAO,WAAW,KAAK,MAAM,MAAM,IAC/B,OAAO,KAAK,MAAM,MAAM,CAAC,IACzB,OAAO,MAAM;AAAA,IACnB;AACA,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,IAAI,KAAa,OAA8B;AACnD,SAAK,MAAM,IAAI,KAAK,KAAK;AAAA,EAC3B;AAAA,EAEA,MAAM,OAAO,KAA4B;AACvC,SAAK,MAAM,OAAO,GAAG;AACrB,SAAK,UAAU,OAAO,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,UAAU,KAAa,SAAiB,GAAoB;AAChE,UAAM,UAAU,KAAK,UAAU,IAAI,GAAG,KAAK;AAC3C,UAAM,OAAO,UAAU;AACvB,SAAK,UAAU,IAAI,KAAK,IAAI;AAC5B,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,SAAS,MAAiE;AAC9E,UAAM,SAAwC,CAAC;AAC/C,eAAW,OAAO,MAAM;AACtB,aAAO,GAAG,IAAI,MAAM,KAAK,IAAI,GAAG;AAAA,IAClC;AACA,WAAO;AAAA,EACT;AACF;;;AF3CA;AAGA;AAWA;AAYA;AAGA;;;AG7CO,SAAS,cACd,QAES;AACT,SAAO,OAAO,OAAO;AAAA,IACnB,MAAM,OAAO;AAAA,IACb,YAAY,OAAO;AAAA,IACnB,OAAO,OAAO;AAAA,IACd,SAAS,OAAO;AAAA,IAChB,UAAU,OAAO,OAAO,EAAE,GAAI,OAAO,YAAY,CAAC,EAAG,CAAC;AAAA,EACxD,CAAC;AACH;AAuBO,SAAS,qBACd,QAEgB;AAChB,SAAO,OAAO,OAAO;AAAA,IACnB,QAAQ,OAAO;AAAA,IACf,sBAAsB,OAAO,wBAAwB;AAAA,IACrD,UAAU,OAAO,OAAO,CAAC,GAAI,OAAO,YAAY,CAAC,CAAE,CAAC;AAAA,IACpD,kBAAkB,OAAO,oBAAoB;AAAA,EAC/C,CAAC;AACH;AAWO,SAAS,gBACd,YACA,gBACQ;AACR,QAAM,gBAAgB,WAAW,YAAY;AAC7C,QAAM,gBAAgB,kBAAkB,IAAI,YAAY;AAExD,QAAM,WAAW,CAAC,OAAO,OAAO,WAAW,QAAQ,KAAK;AACxD,MACE,SAAS;AAAA,IACP,CAAC,SAAS,cAAc,SAAS,IAAI,KAAK,aAAa,SAAS,IAAI;AAAA,EACtE,GACA;AACA,WAAO;AAAA,EACT;AAEA,QAAM,cAAc,CAAC,UAAU,SAAS,OAAO,cAAc,UAAU;AACvE,MACE,YAAY;AAAA,IACV,CAAC,SAAS,cAAc,SAAS,IAAI,KAAK,aAAa,SAAS,IAAI;AAAA,EACtE,GACA;AACA,WAAO;AAAA,EACT;AAEA,QAAM,aAAa,CAAC,WAAW,SAAS,aAAa,QAAQ;AAC7D,MACE,WAAW;AAAA,IACT,CAAC,SAAS,cAAc,SAAS,IAAI,KAAK,aAAa,SAAS,IAAI;AAAA,EACtE,GACA;AACA,WAAO;AAAA,EACT;AAEA,SAAO;AACT;AAgCO,SAAS,cAAc,cAA2C;AACvE,QAAM,WAAsB,CAAC;AAC7B,aAAW,MAAM,aAAa,oBAAoB;AAChD,QAAI,CAAC,GAAG,QAAQ;AACd,YAAM,OAAO,GAAG,YAAY,CAAC;AAC7B,eAAS;AAAA,QACP,cAAc;AAAA,UACZ,MAAM,gBAAgB,GAAG,MAAM,GAAG,WAAW,EAAE;AAAA,UAC/C,YAAY,GAAG;AAAA,UACf,OAAQ,KAAK,SAAoB;AAAA,UACjC,SAAS,GAAG,WAAW;AAAA,UACvB,UAAU;AAAA,QACZ,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;ACxJA;AAuBO,SAAS,oBACd,UAAkC,CAAC,GACpB;AACf,SAAO,WAAW;AAAA,IAChB,eAAe,QAAQ,iBAAiB,CAAC;AAAA,IACzC,gBAAgB,QAAQ,kBAAkB,CAAC;AAAA,IAC3C,kBAAkB,QAAQ,oBAAoB,CAAC;AAAA,IAC/C,kBAAkB,QAAQ,oBAAoB,CAAC;AAAA,IAC/C,sBAAsB,QAAQ,wBAAwB,CAAC;AAAA,IACvD,uBAAuB,QAAQ,yBAAyB,CAAC;AAAA,IACzD,yBAAyB,QAAQ,2BAA2B,CAAC;AAAA,IAC7D,yBAAyB,QAAQ,2BAA2B,CAAC;AAAA,IAC7D,QAAQ,QAAQ,UAAU;AAAA,IAC1B,eAAe,QAAQ,iBAAiB;AAAA,EAC1C,CAAC;AACH;;;AJ+CA;;;AKnFA,IAAAC,sBAA2B;;;ACC3B,IAAAC,sBAA2B;AAI3B;;;ACdA;AA4BA,SAAS,eAAe,MAAwD;AAC9E,SAAO,gBAAgB,IAAI;AAC7B;AAQO,SAAS,kBACX,SACa;AAChB,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,IAAI,MAAM,+CAA+C;AAAA,EACjE;AAEA,MAAI,QAAQ,WAAW,GAAG;AACxB,UAAM,QAAQ,QAAQ,CAAC;AACvB,WAAO;AAAA,MACL,QAAQ,eAAe,MAAM,CAAC,CAAC;AAAA,MAC/B,QAAQ,EAAE,qBAAqB,CAAC,GAAG,kBAAkB,CAAC,EAAE;AAAA,IAC1D;AAAA,EACF;AAEA,QAAM,YAAmC,CAAC;AAC1C,QAAM,WAA8B,CAAC;AAErC,QAAM,QAAQ,QAAQ,CAAC;AACvB,QAAM,SAAS,eAAe,MAAM,CAAC,CAAC;AACtC,QAAM,aAAa,MAAM,CAAC;AAE1B,QAAM,kBAAkB,oBAAI,IAAoB;AAChD,aAAW,KAAM,OAAO,aAAa,CAAC,GAAiC;AACrE,oBAAgB,IAAI,EAAE,IAAc,UAAU;AAAA,EAChD;AAEA,WAAS,IAAI,GAAG,IAAI,QAAQ,QAAQ,KAAK;AACvC,UAAM,QAAQ,QAAQ,CAAC;AACvB,UAAM,CAAC,MAAM,KAAK,IAAI;AACtB,UAAM,qBAAqB,QAAQ,KAAK,iBAAiB;AAEzD,QAAI,oBAAoB;AACtB,4BAAsB,QAAQ,MAAM,OAAO,iBAAiB,QAAQ;AAAA,IACtE,OAAO;AACL,oBAAc,QAAQ,MAAM,OAAO,iBAAiB,SAAS;AAAA,IAC/D;AAAA,EACF;AAEA,SAAO;AAAA,IACL,QAAQ;AAAA,IACR,QAAQ,EAAE,qBAAqB,WAAW,kBAAkB,SAAS;AAAA,EACvE;AACF;AAEA,SAAS,cACP,QACA,OACA,OACA,iBACA,WACM;AACN,MAAI,cAAc,OAAO;AACvB,UAAM,KAAK,MAAM;AACjB,UAAM,KAAM,OAAO,YAAY,CAAC;AAChC,QAAI,UAAU,GAAI,IAAG,OAAO,GAAG;AAC/B,QAAI,iBAAiB,GAAI,IAAG,cAAc,GAAG;AAC7C,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,YAAY,MAAO,QAAO,SAAS,eAAe,MAAM,MAAiC;AAE7F,MAAI,WAAW,OAAO;AACpB,UAAM,KAAM,OAAO,SAAS,CAAC;AAC7B,eAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,MAAM,KAAgC,GAAG;AAChF,SAAG,IAAI,IAAI,EAAE,GAAI,IAAgC;AAAA,IACnD;AACA,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,cAAc,OAAO;AACvB,UAAM,KAAM,OAAO,YAAY,CAAC;AAChC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,QAAmC,EAAG,IAAG,CAAC,IAAI;AACxF,WAAO,WAAW;AAAA,EACpB;AAEA,MAAI,mBAAmB,OAAO;AAC5B,WAAO,gBAAgB,eAAe,MAAM,aAAwC;AAAA,EACtF;AAEA,MAAI,eAAe,OAAO;AACxB,UAAM,eAAe,oBAAI,IAAoB;AAC7C,UAAM,KAAM,OAAO,aAAa,CAAC;AACjC,aAAS,IAAI,GAAG,IAAI,GAAG,QAAQ,KAAK;AAClC,YAAM,IAAI,GAAG,CAAC;AACd,mBAAa,IAAI,EAAE,IAAc,CAAC;AAAA,IACpC;AAEA,eAAW,YAAa,MAAM,aAAa,CAAC,GAAiC;AAC3E,YAAM,MAAM,SAAS;AACrB,YAAM,cAAc,eAAe,QAAQ;AAE3C,UAAI,aAAa,IAAI,GAAG,GAAG;AACzB,cAAM,MAAM,aAAa,IAAI,GAAG;AAChC,kBAAU,KAAK;AAAA,UACb,YAAY;AAAA,UACZ,cAAc;AAAA,UACd,gBAAgB,gBAAgB,IAAI,GAAG,KAAK;AAAA,QAC9C,CAAC;AACD,WAAG,GAAG,IAAI;AAAA,MACZ,OAAO;AACL,WAAG,KAAK,WAAW;AACnB,qBAAa,IAAI,KAAK,GAAG,SAAS,CAAC;AAAA,MACrC;AACA,sBAAgB,IAAI,KAAK,KAAK;AAAA,IAChC;AACA,WAAO,YAAY;AAAA,EACrB;AACF;AAEA,SAAS,sBACP,QACA,OACA,OACA,iBACA,UACM;AACN,QAAM,KAAM,OAAO,aAAa,CAAC;AAEjC,aAAW,YAAa,MAAM,aAAa,CAAC,GAAiC;AAC3E,UAAM,MAAM,SAAS;AACrB,UAAM,YAAY,GAAG,GAAG;AAIxB,UAAM,cAAc,IAAI;AAAA,MACrB,GAAiC,IAAI,CAAC,MAAM,EAAE,EAAY;AAAA,IAC7D;AACA,QAAI,YAAY,IAAI,SAAS,GAAG;AAC9B,YAAM,IAAI;AAAA,QACR,8CAA8C,SAAS,8FACO,GAAG;AAAA,MACnE;AAAA,IACF;AAEA,UAAM,kBAAkB,eAAe,QAAQ;AAC/C,oBAAgB,KAAK;AACrB,oBAAgB,OAAO;AACvB,oBAAgB,WAAW;AAE3B,OAAG,KAAK,eAAe;AACvB,aAAS,KAAK;AAAA,MACZ,YAAY;AAAA,MACZ,gBAAgB,gBAAgB,IAAI,GAAG,KAAK;AAAA,MAC5C,gBAAgB;AAAA,IAClB,CAAC;AAAA,EACH;AACA,SAAO,YAAY;AAEnB,MAAI,WAAW,OAAO;AACpB,UAAM,KAAM,OAAO,SAAS,CAAC;AAC7B,eAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,MAAM,KAAgC,GAAG;AAChF,SAAG,IAAI,IAAI,EAAE,GAAI,IAAgC;AAAA,IACnD;AACA,WAAO,QAAQ;AAAA,EACjB;AAEA,MAAI,cAAc,OAAO;AACvB,UAAM,KAAM,OAAO,YAAY,CAAC;AAChC,eAAW,CAAC,GAAG,CAAC,KAAK,OAAO,QAAQ,MAAM,QAAmC,EAAG,IAAG,CAAC,IAAI;AACxF,WAAO,WAAW;AAAA,EACpB;AACF;;;ACrMA;;;ACHA;AACA;;;ACAO,IAAM,kBAAkB;AAM/B,SAAS,SAAS,YAAqB,SAA2B;AAChE,SAAO,eAAe;AACxB;AAEA,SAAS,YAAY,YAAqB,SAA2B;AACnE,SAAO,eAAe;AACxB;AAEA,SAAS,KAAK,YAAqB,SAA6B;AAC9D,SAAO,QAAQ,SAAS,UAAU;AACpC;AAEA,SAAS,QAAQ,YAAqB,SAA6B;AACjE,SAAO,CAAC,QAAQ,SAAS,UAAU;AACrC;AAEA,SAAS,WAAW,YAAqB,SAA0B;AACjE,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,WAAW,SAAS,OAAO;AACpC;AAEA,SAAS,cAAc,YAAqB,SAA4B;AACtE,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,QAAQ,KAAK,CAAC,MAAM,WAAW,SAAS,CAAC,CAAC;AACnD;AAEA,SAAS,aAAa,YAAqB,SAA0B;AACnE,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,WAAW,WAAW,OAAO;AACtC;AAEA,SAAS,WAAW,YAAqB,SAA0B;AACjE,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,WAAW,SAAS,OAAO;AACpC;AAEA,SAAS,UAAU,YAAqB,SAAmC;AACzE,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,QAAM,YAAY,WAAW,MAAM,GAAG,eAAe;AACrD,MAAI,mBAAmB,QAAQ;AAC7B,WAAO,QAAQ,KAAK,SAAS;AAAA,EAC/B;AACA,SAAO,IAAI,OAAO,OAAO,EAAE,KAAK,SAAS;AAC3C;AAEA,SAAS,aACP,YACA,SACS;AACT,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,QAAM,YAAY,WAAW,MAAM,GAAG,eAAe;AACrD,SAAO,QAAQ;AAAA,IAAK,CAAC,MACnB,aAAa,SAAS,EAAE,KAAK,SAAS,IAAI,IAAI,OAAO,CAAC,EAAE,KAAK,SAAS;AAAA,EACxE;AACF;AAEA,SAAS,KAAK,YAAqB,SAA0B;AAC3D,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,aAAa;AACtB;AAEA,SAAS,MAAM,YAAqB,SAA0B;AAC5D,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,cAAc;AACvB;AAEA,SAAS,KAAK,YAAqB,SAA0B;AAC3D,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,aAAa;AACtB;AAEA,SAAS,MAAM,YAAqB,SAA0B;AAC5D,MAAI,OAAO,eAAe,SAAU,OAAM,IAAI,UAAU;AACxD,SAAO,cAAc;AACvB;AAQO,IAAM,YAAkD;AAAA,EAC7D,QAAQ;AAAA,EACR,YAAY;AAAA,EACZ,IAAI;AAAA,EACJ,QAAQ;AAAA,EACR,UAAU;AAAA,EACV,cAAc;AAAA,EACd,aAAa;AAAA,EACb,WAAW;AAAA,EACX,SAAS;AAAA,EACT,aAAa;AAAA,EACb,IAAI;AAAA,EACJ,KAAK;AAAA,EACL,IAAI;AAAA,EACJ,KAAK;AACP;AAGO,IAAM,yBAA8C,oBAAI,IAAI;AAAA,EACjE,GAAG,OAAO,KAAK,SAAS;AAAA,EACxB;AACF,CAAC;;;ACvGD,IAAM,WAA0B,uBAAO,SAAS;AAQzC,IAAM,4BAAiD,oBAAI,IAAI;AAAA,EACpE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF,CAAC;AAcM,SAAS,gBACd,UACA,UACA,YACA,iBACS;AACT,MAAI,aAAa,cAAe,QAAO,SAAS;AAChD,MAAI,aAAa,YAAa,QAAO,SAAS;AAE9C,MAAI,SAAS,WAAW,OAAO,GAAG;AAChC,WAAO,cAAc,SAAS,MAAM,CAAC,GAAG,SAAS,IAA+B;AAAA,EAClF;AAEA,MAAI,SAAS,WAAW,YAAY,GAAG;AACrC,QAAI,SAAS,aAAa,KAAM,QAAO;AACvC,UAAM,OAAO,SAAS,MAAM,EAAE;AAE9B,QAAI,SAAS,UAAW,QAAO,SAAS,UAAU;AAClD,QAAI,SAAS,aAAc,QAAO,SAAS,UAAU;AACrD,QAAI,SAAS,SAAU,QAAO,SAAS,UAAU;AACjD,QAAI,SAAS,OAAQ,QAAO,SAAS,UAAU;AAC/C,QAAI,SAAS,aAAc,QAAO,SAAS,UAAU;AACrD,QAAI,KAAK,WAAW,SAAS,GAAG;AAC9B,aAAO;AAAA,QACL,KAAK,MAAM,CAAC;AAAA,QACZ,SAAS,UAAU;AAAA,MACrB;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAEA,MAAI,aAAa,eAAe;AAC9B,WAAO,cAAc,OAAO,WAAW;AAAA,EACzC;AAQA,MAAI,SAAS,WAAW,MAAM,GAAG;AAC/B,UAAM,UAAU,SAAS,MAAM,CAAC;AAChC,UAAM,MAAM,QAAQ,IAAI,OAAO;AAC/B,QAAI,OAAO,KAAM,QAAO;AACxB,WAAO,eAAe,GAAG;AAAA,EAC3B;AAEA,MAAI,SAAS,WAAW,WAAW,GAAG;AACpC,WAAO;AAAA,MACL,SAAS,MAAM,CAAC;AAAA,MAChB,SAAS;AAAA,IACX;AAAA,EACF;AAGA,MAAI,iBAAiB;AACnB,UAAM,SAAS,SAAS,QAAQ,GAAG;AACnC,QAAI,SAAS,GAAG;AACd,YAAM,SAAS,SAAS,MAAM,GAAG,MAAM;AACvC,UAAI,OAAO,OAAO,iBAAiB,MAAM,GAAG;AAC1C,cAAM,WAAW,gBAAgB,MAAM;AACvC,cAAM,OAAO,SAAS,QAAQ;AAC9B,cAAM,OAAO,SAAS,MAAM,SAAS,CAAC;AACtC,eAAO,cAAc,MAAM,IAAI;AAAA,MACjC;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;AAUO,SAAS,cAAc,MAAc,MAAwB;AAClE,QAAM,QAAQ,KAAK,MAAM,GAAG;AAC5B,MAAI,UAAU;AACd,aAAW,QAAQ,OAAO;AACxB,QAAI,WAAW,QAAQ,OAAO,YAAY,SAAU,QAAO;AAC3D,UAAM,MAAM;AACZ,QAAI,CAAC,OAAO,OAAO,KAAK,IAAI,EAAG,QAAO;AACtC,cAAU,IAAI,IAAI;AAAA,EACpB;AACA,SAAO;AACT;AAOO,SAAS,eAAe,KAAwC;AACrE,QAAM,MAAM,IAAI,YAAY;AAC5B,MAAI,QAAQ,OAAQ,QAAO;AAC3B,MAAI,QAAQ,QAAS,QAAO;AAC5B,QAAM,QAAQ,SAAS,KAAK,EAAE;AAC9B,MAAI,CAAC,MAAM,KAAK,KAAK,OAAO,KAAK,MAAM,IAAK,QAAO;AACnD,QAAM,UAAU,WAAW,GAAG;AAC9B,MAAI,CAAC,MAAM,OAAO,KAAK,OAAO,OAAO,MAAM,IAAK,QAAO;AACvD,SAAO;AACT;;;ACxHO,IAAM,cAAN,MAAkB;AAAA,EACd;AAAA,EACT,YAAY,SAAiB;AAC3B,SAAK,UAAU;AAAA,EACjB;AACF;AA2BO,SAAS,mBACd,MACA,UACA,YACA,SACuB;AACvB,QAAM,YAAY,SAAS,mBAAmB;AAC9C,QAAM,aAAa,SAAS,mBAAmB;AAE/C,MAAI,SAAS,MAAM;AACjB,WAAO,SAAS,KAAK,KAAkC,UAAU,YAAY,WAAW,UAAU;AAAA,EACpG;AACA,MAAI,SAAS,MAAM;AACjB,WAAO,SAAS,KAAK,KAAkC,UAAU,YAAY,WAAW,UAAU;AAAA,EACpG;AACA,MAAI,SAAS,MAAM;AACjB,WAAO,SAAS,KAAK,KAAgC,UAAU,YAAY,WAAW,UAAU;AAAA,EAClG;AAMA,QAAM,WAAW,OAAO,KAAK,IAAI;AACjC,MAAI,SAAS,WAAW,GAAG;AACzB,WAAO,IAAI;AAAA,MACT,2DAA2D,SAAS,MAAM,MAAM,SAAS,KAAK,IAAI,CAAC;AAAA,IACrG;AAAA,EACF;AACA,SAAO,UAAU,MAAM,UAAU,YAAY,WAAW,UAAU;AACpE;AAMA,SAAS,SACP,OACA,UACA,YACA,WACA,YACuB;AACvB,aAAW,QAAQ,OAAO;AACxB,UAAM,SAAS,mBAAmB,MAAM,UAAU,YAAY;AAAA,MAC5D,iBAAiB;AAAA,MAAW,iBAAiB;AAAA,IAC/C,CAAC;AACD,QAAI,kBAAkB,YAAa,QAAO;AAC1C,QAAI,CAAC,OAAQ,QAAO;AAAA,EACtB;AACA,SAAO;AACT;AAEA,SAAS,SACP,OACA,UACA,YACA,WACA,YACuB;AACvB,aAAW,QAAQ,OAAO;AACxB,UAAM,SAAS,mBAAmB,MAAM,UAAU,YAAY;AAAA,MAC5D,iBAAiB;AAAA,MAAW,iBAAiB;AAAA,IAC/C,CAAC;AACD,QAAI,kBAAkB,YAAa,QAAO;AAC1C,QAAI,OAAQ,QAAO;AAAA,EACrB;AACA,SAAO;AACT;AAEA,SAAS,SACP,MACA,UACA,YACA,WACA,YACuB;AACvB,QAAM,SAAS,mBAAmB,MAAM,UAAU,YAAY;AAAA,IAC5D,iBAAiB;AAAA,IAAW,iBAAiB;AAAA,EAC/C,CAAC;AACD,MAAI,kBAAkB,YAAa,QAAO;AAC1C,SAAO,CAAC;AACV;AAEA,SAAS,UACP,MACA,UACA,YACA,WACA,YACuB;AACvB,QAAM,WAAW,OAAO,KAAK,IAAI,EAAE,CAAC;AACpC,QAAM,gBAAgB,KAAK,QAAQ;AACnC,QAAM,QAAQ,gBAAgB,UAAU,UAAU,YAAY,UAAU;AACxE,QAAM,SAAS,OAAO,KAAK,aAAa,EAAE,CAAC;AAC3C,QAAM,UAAU,cAAc,MAAM;AACpC,SAAO,eAAe,QAAQ,OAAO,SAAS,UAAU,SAAS;AACnE;AAOA,SAAS,eACP,IACA,YACA,SACA,UACA,iBACuB;AAEvB,MAAI,OAAO,UAAU;AACnB,UAAM,YAAY,eAAe,YAAY,cAAc;AAC3D,WAAO,cAAc;AAAA,EACvB;AAGA,MAAI,eAAe,YAAY,cAAc,KAAM,QAAO;AAE1D,MAAI;AACF,QAAI,OAAO,OAAO,WAAW,EAAE,EAAG,QAAQ,UAAU,EAAE,EAA4C,YAAY,OAAO;AACrH,QAAI,mBAAmB,OAAO,OAAO,iBAAiB,EAAE,GAAG;AACzD,aAAO,QAAS,gBAAgB,EAAE,EAAqB,YAAY,OAAO,CAAC;AAAA,IAC7E;AACA,WAAO,IAAI,YAAY,sBAAsB,EAAE,GAAG;AAAA,EACpD,QAAQ;AACN,WAAO,IAAI;AAAA,MACT,4BAA4B,EAAE,oCACf,QAAQ,WAAW,OAAO,UAAU;AAAA,IACrD;AAAA,EACF;AACF;;;AH7KA,IAAM,kBAAkB;AACxB,IAAM,mBAAmB;AAQlB,SAAS,cACd,UACA,UACA,YACA,iBACQ;AACR,QAAM,YAAY,IAAI,gBAAgB;AAEtC,SAAO,SAAS,QAAQ,iBAAiB,CAAC,OAAO,gBAAwB;AACvE,UAAM,QAAQ,gBAAgB,aAAa,UAAU,YAAY,eAAe;AAChF,QAAI,UAAU,YAAY,SAAS,KAAM,QAAO;AAChD,QAAI,OAAO,OAAO,KAAK;AACvB,QAAI,UAAU,iBAAiB,IAAI,EAAG,QAAO;AAC7C,QAAI,KAAK,SAAS,iBAAkB,QAAO,KAAK,MAAM,GAAG,mBAAmB,CAAC,IAAI;AACjF,WAAO;AAAA,EACT,CAAC;AACH;AAOO,SAAS,kBACd,QACA,iBACM;AACN,QAAM,QAAQ,oBAAI,IAAI;AAAA,IACpB,GAAG;AAAA,IACH,GAAG,OAAO,KAAK,mBAAmB,CAAC,CAAC;AAAA,EACtC,CAAC;AACD,QAAM,YAAa,OAAO,aAAa,CAAC;AACxC,aAAW,YAAY,WAAW;AAChC,UAAM,OAAO,SAAS;AACtB,QAAI,MAAM;AACR,mCAA6B,MAAM,OAAO,SAAS,EAAY;AAAA,IACjE;AAAA,EACF;AACF;AAEA,SAAS,6BACP,MACA,OACA,YACM;AACN,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU;AAC9C,QAAM,IAAI;AAEV,MAAI,SAAS,GAAG;AACd,eAAW,OAAO,EAAE,KAAkC;AACpD,mCAA6B,KAAK,OAAO,UAAU;AAAA,IACrD;AACA;AAAA,EACF;AACA,MAAI,SAAS,GAAG;AACd,eAAW,OAAO,EAAE,KAAkC;AACpD,mCAA6B,KAAK,OAAO,UAAU;AAAA,IACrD;AACA;AAAA,EACF;AACA,MAAI,SAAS,GAAG;AACd,iCAA6B,EAAE,KAAK,OAAO,UAAU;AACrD;AAAA,EACF;AAGA,aAAW,CAAC,EAAE,QAAQ,KAAK,OAAO,QAAQ,CAAC,GAAG;AAC5C,QAAI,YAAY,QAAQ,OAAO,aAAa,UAAU;AACpD,iBAAW,UAAU,OAAO,KAAK,QAAmC,GAAG;AACrE,YAAI,CAAC,MAAM,IAAI,MAAM,GAAG;AACtB,gBAAM,IAAI;AAAA,YACR,aAAa,UAAU,wBAAwB,MAAM;AAAA,UACvD;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAYO,SAAS,kBAAkB,MAAwB;AACxD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,IAAI;AAEV,MAAI,SAAS,GAAG;AACd,WAAO,EAAE,KAAM,EAAE,IAAkB,IAAI,iBAAiB,EAAE;AAAA,EAC5D;AACA,MAAI,SAAS,GAAG;AACd,WAAO,EAAE,KAAM,EAAE,IAAkB,IAAI,iBAAiB,EAAE;AAAA,EAC5D;AACA,MAAI,SAAS,GAAG;AACd,WAAO,EAAE,KAAK,kBAAkB,EAAE,GAAG,EAAE;AAAA,EACzC;AAGA,QAAM,WAAoC,CAAC;AAC3C,aAAW,CAAC,UAAU,QAAQ,KAAK,OAAO,QAAQ,CAAC,GAAG;AACpD,QAAI,YAAY,QAAQ,OAAO,aAAa,UAAU;AACpD,eAAS,QAAQ,IAAI;AACrB;AAAA,IACF;AACA,UAAM,QAAQ,EAAE,GAAI,SAAqC;AACzD,QAAI,aAAa,SAAS,OAAO,MAAM,YAAY,UAAU;AAC3D,YAAM,UAAU,IAAI,OAAO,MAAM,OAAO;AAAA,IAC1C;AACA,QAAI,iBAAiB,SAAS,MAAM,QAAQ,MAAM,WAAW,GAAG;AAC9D,YAAM,cAAe,MAAM,YAAyB;AAAA,QAClD,CAAC,MAAO,OAAO,MAAM,WAAW,IAAI,OAAO,CAAC,IAAI;AAAA,MAClD;AAAA,IACF;AACA,aAAS,QAAQ,IAAI;AAAA,EACvB;AACA,SAAO;AACT;AAaO,SAAS,sBAAsB,MAAyB;AAC7D,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO,CAAC;AACtD,QAAM,IAAI;AAEV,MAAI,SAAS,GAAG;AACd,UAAM,WAAqB,CAAC;AAC5B,eAAW,OAAO,EAAE,KAAkB;AACpC,eAAS,KAAK,GAAG,sBAAsB,GAAG,CAAC;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AACA,MAAI,SAAS,GAAG;AACd,UAAM,WAAqB,CAAC;AAC5B,eAAW,OAAO,EAAE,KAAkB;AACpC,eAAS,KAAK,GAAG,sBAAsB,GAAG,CAAC;AAAA,IAC7C;AACA,WAAO;AAAA,EACT;AACA,MAAI,SAAS,GAAG;AACd,WAAO,sBAAsB,EAAE,GAAG;AAAA,EACpC;AAGA,QAAM,YAAsB,CAAC;AAC7B,aAAW,CAAC,UAAU,QAAQ,KAAK,OAAO,QAAQ,CAAC,GAAG;AACpD,QAAI,aAAa,iBAAiB,YAAY,QAAQ,OAAO,aAAa,SAAU;AACpF,UAAM,KAAK;AACX,QAAI,aAAa,MAAM,GAAG,mBAAmB,QAAQ;AACnD,gBAAU,KAAK,GAAG,OAAO;AAAA,IAC3B;AACA,QAAI,iBAAiB,MAAM,MAAM,QAAQ,GAAG,WAAW,GAAG;AACxD,iBAAW,KAAK,GAAG,aAAa;AAC9B,YAAI,aAAa,OAAQ,WAAU,KAAK,CAAC;AAAA,MAC3C;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;;;AInMA;AAEA;AAOA,SAAS,gBACP,UACA,UACA,YACA,iBACA,MACA,cACA,WACA,YACS;AACT,MAAI;AACF,UAAM,SAAS,mBAAmB,UAAU,UAAU,YAAY;AAAA,MAChE,iBAAiB;AAAA,MAAW,iBAAiB;AAAA,IAC/C,CAAC;AACD,QAAI,kBAAkB,aAAa;AACjC,YAAM,MAAM,cAAc,iBAAiB,UAAU,YAAY,UAAU;AAC3E,aAAO,QAAQ,KAAK,KAAK,EAAE,MAAM,aAAa,MAAM,GAAG,aAAa,CAAC;AAAA,IACvE;AACA,QAAI,QAAQ;AACV,YAAM,MAAM,cAAc,iBAAiB,UAAU,YAAY,UAAU;AAC3E,aAAO,QAAQ,KAAK,KAAK,EAAE,MAAM,GAAG,aAAa,CAAC;AAAA,IACpD;AACA,WAAO,QAAQ,MAAM;AAAA,EACvB,SAAS,KAAK;AACZ,UAAM,MAAM,cAAc,iBAAiB,UAAU,YAAY,UAAU;AAC3E,WAAO,QAAQ,KAAK,KAAK,EAAE,MAAM,aAAa,MAAM,aAAa,OAAO,GAAG,GAAG,GAAG,aAAa,CAAC;AAAA,EACjG;AACF;AAGA,SAAS,cAAc,QAAiC,UAAyC;AAC/F,MAAI,SAAS,aAAa,QAAQ,SAAS,YAAY,KAAM,QAAO,mBAAmB;AACzF;AAMO,SAAS,WACd,UAAmC,MACnC,WACA,YACyB;AACzB,QAAM,aAAa,SAAS;AAC5B,QAAM,OAAO,SAAS;AACtB,QAAM,WAAW,kBAAkB,SAAS,IAAI;AAChD,QAAM,OAAO,SAAS;AACtB,QAAM,SAAS,KAAK;AACpB,QAAM,OAAQ,KAAK,QAAQ,CAAC;AAC5B,QAAM,OAAQ,KAAK,YAAY,CAAC;AAEhC,QAAM,QAAQ,CAAC,aACb,gBAAgB,UAAU,UAAU,QAAW,QAAQ,MAAM,MAAM,WAAW,UAAU;AAE1F,QAAM,SAAkC;AAAA,IACtC;AAAA,IAAO,MAAM;AAAA,IAAY;AAAA,IAAM,MAAM;AAAA,IACrC;AAAA,IACA,eAAe;AAAA,IAAgB,eAAe;AAAA,IAAM,eAAe;AAAA,IACnE,eAAe;AAAA,IAAM,aAAa;AAAA,IAAY,iBAAiB;AAAA,IAC/D,iBAAkB,KAAK,UAAqB;AAAA,IAC5C,kBAAmB,KAAK,WAAsB;AAAA,IAC9C,yBAA0B,KAAK,kBAA6B;AAAA,EAC9D;AACA,gBAAc,QAAQ,QAAQ;AAC9B,SAAO;AACT;AAMO,SAAS,YACd,UAAmC,MACnC,WACA,YACyB;AACzB,QAAM,aAAa,SAAS;AAC5B,QAAM,OAAO,SAAS;AACtB,QAAM,WAAW,kBAAkB,SAAS,IAAI;AAChD,QAAM,OAAO,SAAS;AACtB,QAAM,SAAS,KAAK;AACpB,QAAM,OAAQ,KAAK,QAAQ,CAAC;AAC5B,QAAM,OAAQ,KAAK,YAAY,CAAC;AAEhC,QAAM,QAAQ,CAAC,UAAwB,aAA+B;AACpE,UAAM,aAAa,YAAY,OAAO,OAAO,QAAQ,IAAI;AACzD,WAAO,gBAAgB,UAAU,UAAU,YAAY,QAAQ,MAAM,MAAM,WAAW,UAAU;AAAA,EAClG;AAEA,QAAM,cAAe,KAAK,UAAqB;AAC/C,QAAM,SAAkC;AAAA,IACtC;AAAA,IAAO,MAAM;AAAA,IAAY;AAAA,IAAM,MAAM;AAAA,IACrC;AAAA,IACA,QAAQ;AAAA,IACR,eAAe;AAAA,IAAiB,eAAe;AAAA,IAAM,eAAe;AAAA,IACpE,eAAe;AAAA,IAAM,aAAa;AAAA,IAAY,iBAAiB;AAAA,IAC/D,iBAAiB;AAAA,IACjB,0BAA0B,sBAAsB,QAAQ;AAAA,EAC1D;AACA,gBAAc,QAAQ,QAAQ;AAC9B,SAAO;AACT;AAMO,SAAS,eACd,UACA,MACA,QACyB;AACzB,QAAM,aAAa,SAAS;AAC5B,QAAM,OAAO,SAAS;AACtB,QAAM,kBAAkB,KAAK;AAC7B,QAAM,OAAQ,KAAK,QAAQ,CAAC;AAC5B,QAAM,eAAgB,KAAK,YAAY,CAAC;AACxC,QAAM,iBAAiB,EAAE,GAAG,OAAO;AAEnC,QAAM,QAAQ,OAAO,YAAuC;AAC1D,UAAM,YAAY,MAAM,QAAQ,eAAe;AAC/C,QAAI,aAAa,eAAe,cAAc;AAC5C,aAAO,QAAQ,KAAK,iBAAiB,EAAE,MAAM,GAAG,aAAa,CAAC;AAAA,IAChE;AACA,UAAM,eAAe,MAAM,QAAQ,aAAa;AAChD,QAAI,gBAAgB,eAAe,aAAa;AAC9C,aAAO,QAAQ,KAAK,iBAAiB,EAAE,MAAM,GAAG,aAAa,CAAC;AAAA,IAChE;AACA,WAAO,QAAQ,MAAM;AAAA,EACvB;AAEA,QAAM,SAAkC;AAAA,IACtC;AAAA,IAAO,MAAM;AAAA,IAAY,MAAM;AAAA,IAC/B,eAAe;AAAA,IACf,eAAe;AAAA,IACf,aAAa;AAAA,IACb,kBAAkB;AAAA,IAClB,eAAe;AAAA,IACf,wBAAwB;AAAA,IACxB,iBAAiB;AAAA,EACnB;AACA,MAAI,SAAS,aAAa,QAAQ,SAAS,YAAY,MAAM;AAC3D,WAAO,mBAAmB;AAAA,EAC5B;AACA,SAAO;AACT;AAUO,SAAS,mBACd,UACA,UACiB;AACjB,QAAM,gBAAgB,SAAS;AAC/B,MAAI,eAAe,SAAS;AAC5B,MAAI,cAAc,SAAS;AAC3B,QAAM,kBAA0C,EAAE,GAAG,SAAS,gBAAgB;AAE9E,MAAI,oBAAoB,eAAe;AACrC,UAAM,MAAM,cAAc;AAC1B,QAAI,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,GAAG,GAAG;AACpD,YAAM,IAAI,mBAAmB,8DAA8D,OAAO,GAAG,CAAC,EAAE;AAAA,IAC1G;AACA,mBAAe,KAAK,IAAI,cAAc,GAAG;AAAA,EAC3C;AACA,MAAI,kBAAkB,eAAe;AACnC,UAAM,MAAM,cAAc;AAC1B,QAAI,OAAO,QAAQ,YAAY,CAAC,OAAO,SAAS,GAAG,GAAG;AACpD,YAAM,IAAI,mBAAmB,4DAA4D,OAAO,GAAG,CAAC,EAAE;AAAA,IACxG;AACA,kBAAc,KAAK,IAAI,aAAa,GAAG;AAAA,EACzC;AACA,MAAI,wBAAwB,eAAe;AACzC,UAAM,UAAU,cAAc;AAC9B,eAAW,CAAC,MAAM,KAAK,KAAK,OAAO,QAAQ,OAAO,GAAG;AACnD,UAAI,OAAO,UAAU,YAAY,CAAC,OAAO,SAAS,KAAK,GAAG;AACxD,cAAM,IAAI;AAAA,UACR,qCAAqC,IAAI,oCAAoC,OAAO,KAAK,CAAC;AAAA,QAC5F;AAAA,MACF;AACA,UAAI,OAAO,OAAO,iBAAiB,IAAI,GAAG;AACxC,wBAAgB,IAAI,IAAI,KAAK,IAAI,gBAAgB,IAAI,GAAa,KAAK;AAAA,MACzE,OAAO;AACL,wBAAgB,IAAI,IAAI;AAAA,MAC1B;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,aAAa,cAAc,gBAAgB;AACtD;;;AC3MA;;;ACAA,qBAA6B;AAC7B,uBAAuC;;;ACWhC,SAAS,QAAQ,MAAc,SAA0B;AAC9D,MAAI,YAAY,IAAK,QAAO;AAC5B,MAAI,CAAC,QAAQ,SAAS,GAAG,KAAK,CAAC,QAAQ,SAAS,GAAG,GAAG;AACpD,WAAO,SAAS;AAAA,EAClB;AAGA,QAAM,WAAW,KAAK,SAAS,MAAS,KAAK,MAAM,GAAG,GAAM,IAAI;AAChE,QAAM,cACJ,QAAQ,SAAS,MAAS,QAAQ,MAAM,GAAG,GAAM,IAAI;AAGvD,MAAI,QAAQ;AACZ,WAAS,IAAI,GAAG,IAAI,YAAY,QAAQ,KAAK;AAC3C,UAAM,KAAK,YAAY,CAAC,KAAK;AAC7B,QAAI,OAAO,KAAK;AACd,eAAS;AAAA,IACX,WAAW,OAAO,KAAK;AACrB,eAAS;AAAA,IACX,WAAW,gBAAgB,SAAS,EAAE,GAAG;AACvC,eAAS,OAAO;AAAA,IAClB,OAAO;AACL,eAAS;AAAA,IACX;AAAA,EACF;AAEA,SAAO,IAAI,OAAO,MAAM,QAAQ,GAAG,EAAE,KAAK,QAAQ;AACpD;;;AD5BA,IAAM,sBAAsB;AAS5B,IAAM,sBAAsB;AASrB,SAAS,gBAAgB,KAAuB;AACrD,QAAM,YAAY,YAAY,GAAG;AAEjC,QAAM,SAAmB,CAAC;AAC1B,aAAW,KAAK,WAAW;AACzB,UAAM,WAAW,EAAE,QAAQ,qBAAqB,EAAE;AAClD,QAAI,SAAU,QAAO,KAAK,QAAQ;AAAA,EACpC;AACA,SAAO;AACT;AAGA,SAAS,YAAY,GAAqB;AACxC,QAAM,SAAmB,CAAC;AAC1B,MAAI,UAAU;AACd,MAAI,WAAW;AACf,MAAI,WAAW;AACf,MAAI,IAAI;AAER,MAAI;AACF,WAAO,IAAI,EAAE,QAAQ;AACnB,YAAM,KAAK,EAAE,OAAO,CAAC;AACrB,UAAI,UAAU;AACZ,YAAI,OAAO,KAAK;AAAE,qBAAW;AAAA,QAAO,OAAO;AAAE,qBAAW;AAAA,QAAI;AAAA,MAC9D,WAAW,UAAU;AACnB,YAAI,OAAO,QAAQ,IAAI,IAAI,EAAE,QAAQ;AAEnC,gBAAM,OAAO,EAAE,OAAO,IAAI,CAAC;AAC3B,cAAI,SAAS,OAAO,SAAS,QAAQ,SAAS,OAAO,SAAS,OAAO,SAAS,MAAM;AAClF,uBAAW;AACX;AAAA,UACF,OAAO;AAEL,uBAAW;AAAA,UACb;AAAA,QACF,WAAW,OAAO,KAAK;AAAE,qBAAW;AAAA,QAAO,OAAO;AAAE,qBAAW;AAAA,QAAI;AAAA,MACrE,WAAW,OAAO,KAAK;AACrB,mBAAW;AAAA,MACb,WAAW,OAAO,KAAK;AACrB,mBAAW;AAAA,MACb,WAAW,OAAO,OAAO,OAAO,KAAM;AACpC,YAAI,SAAS;AAAE,iBAAO,KAAK,OAAO;AAAG,oBAAU;AAAA,QAAI;AAAA,MACrD,OAAO;AACL,mBAAW;AAAA,MACb;AACA;AAAA,IACF;AAEA,QAAI,YAAY,UAAU;AACxB,aAAO,EAAE,MAAM,KAAK,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,gBAAgB,EAAE,CAAC;AAAA,IAChF;AACA,QAAI,QAAS,QAAO,KAAK,OAAO;AAChC,WAAO;AAAA,EACT,QAAQ;AACN,WAAO,EAAE,MAAM,KAAK,EAAE,OAAO,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,gBAAgB,EAAE,CAAC;AAAA,EAChF;AACF;AAMA,IAAM,iBAAiB,oBAAI,IAAI;AAAA,EAC7B;AAAA,EAAQ;AAAA,EAAa;AAAA,EAAY;AAAA,EAAa;AAAA,EAC9C;AAAA,EAAU;AAAA,EAAU;AAAA,EAAe;AAAA,EAAU;AAAA,EAAO;AACtD,CAAC;AAGD,SAAS,UAAU,GAAmB;AACpC,MAAI;AACF,eAAO,6BAAa,CAAC;AAAA,EACvB,QAAQ;AACN,eAAO,iBAAAC,SAAY,CAAC;AAAA,EACtB;AACF;AAOO,SAAS,aAAa,UAAkC;AAC7D,QAAM,QAAkB,CAAC;AACzB,QAAM,OAAO,oBAAI,IAAY;AAE7B,WAAS,IAAI,GAAiB;AAC5B,QAAI,CAAC,EAAG;AACR,UAAM,WAAW,UAAU,CAAC;AAC5B,QAAI,CAAC,KAAK,IAAI,QAAQ,GAAG;AAAE,WAAK,IAAI,QAAQ;AAAG,YAAM,KAAK,QAAQ;AAAA,IAAG;AAAA,EACvE;AAEA,MAAI,SAAS,SAAU,KAAI,SAAS,QAAQ;AAE5C,QAAM,OAAO,SAAS;AACtB,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC/C,QAAI,OAAO,UAAU,YAAY,eAAe,IAAI,GAAG,EAAG,KAAI,KAAK;AAAA,EACrE;AACA,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,IAAI,GAAG;AAC/C,QAAI,OAAO,UAAU,YAAY,MAAM,WAAW,GAAG,KAAK,CAAC,eAAe,IAAI,GAAG,EAAG,KAAI,KAAK;AAAA,EAC/F;AAEA,QAAM,MAAM,SAAS,eAAgB,KAAK,WAAkC;AAC5E,MAAI,KAAK;AACP,eAAW,SAAS,gBAAgB,GAAG,GAAG;AACxC,UAAI,MAAM,WAAW,GAAG,EAAG,KAAI,KAAK;AAAA,IACtC;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,eAAe,UAAuC;AACpE,QAAM,MAAM,SAAS,eAAgB,SAAS,KAAiC;AAC/E,MAAI,CAAC,OAAO,OAAO,QAAQ,SAAU,QAAO;AAC5C,QAAM,WAAW,IAAI,KAAK;AAC1B,MAAI,CAAC,SAAU,QAAO;AAKtB,MAAI,oBAAoB,KAAK,QAAQ,EAAG,QAAO;AAE/C,QAAM,WAAW,SAAS,MAAM,IAAI,EAAE,CAAC,KAAK;AAC5C,MAAI,oBAAoB,KAAK,QAAQ,EAAG,QAAO;AAE/C,QAAM,SAAS,gBAAgB,QAAQ;AACvC,SAAO,OAAO,SAAS,IAAK,OAAO,CAAC,KAAK,OAAQ;AACnD;AAGO,SAAS,YAAY,UAAkC;AAC5D,QAAM,OAAiB,CAAC;AACxB,QAAM,OAAO,oBAAI,IAAY;AAE7B,WAAS,OAAO,GAAiB;AAC/B,QAAI,CAAC,KAAK,IAAI,CAAC,GAAG;AAAE,WAAK,IAAI,CAAC;AAAG,WAAK,KAAK,CAAC;AAAA,IAAG;AAAA,EACjD;AAEA,aAAW,SAAS,OAAO,OAAO,SAAS,IAAI,GAAG;AAChD,QAAI,OAAO,UAAU,YAAY,CAAC,MAAM,SAAS,KAAK,EAAG;AACzD,QAAI,gBAAgB,KAAK,MAAM,MAAM;AACnC,aAAO,KAAK;AAAA,IACd,OAAO;AACL,iBAAW,SAAS,gBAAgB,KAAK,GAAG;AAC1C,YAAI,MAAM,SAAS,KAAK,KAAK,gBAAgB,KAAK,MAAM,KAAM,QAAO,KAAK;AAAA,MAC5E;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAGO,SAAS,gBAAgB,KAA4B;AAC1D,MAAI;AACF,WAAO,IAAI,IAAI,GAAG,EAAE,YAAY;AAAA,EAClC,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAGO,SAAS,cAAc,UAAkB,UAA6B;AAC3E,SAAO,SAAS,KAAK,CAAC,MAAM,QAAQ,UAAU,CAAC,CAAC;AAClD;;;ADrLA,IAAAC,kBAA6B;AAC7B,IAAAC,oBAAuC;AAGvC,SAASC,WAAU,GAAmB;AACpC,MAAI;AACF,eAAO,8BAAa,CAAC;AAAA,EACvB,QAAQ;AACN,eAAO,kBAAAC,SAAY,CAAC;AAAA,EACtB;AACF;AAGA,SAAS,YAAY,UAAkB,QAAyB;AAC9D,SAAO,aAAa,UAAU,SAAS,WAAW,OAAO,QAAQ,QAAQ,EAAE,IAAI,GAAG;AACpF;AAQO,SAAS,eACd,UACA,MACyB;AACzB,QAAM,aAAa,SAAS;AAG5B,QAAM,eAAyB,WAAW,WACrC,SAAS,QACV,CAAC,SAAS,IAAc;AAE5B,QAAM,UAAW,SAAS,UAAU,CAAC,GAAgB,IAAID,UAAS;AAClE,QAAM,aAAc,SAAS,cAAc,CAAC,GAAgB,IAAIA,UAAS;AACzE,QAAM,SAAU,SAAS,UAAU,CAAC;AACpC,QAAM,YAAa,SAAS,cAAc,CAAC;AAC3C,QAAM,kBAAmB,OAAO,YAAY,CAAC;AAC7C,QAAM,iBAAkB,OAAO,WAAW,CAAC;AAC3C,QAAM,iBAAkB,UAAU,WAAW,CAAC;AAC9C,QAAM,UAAW,SAAS,WAAsB;AAChD,QAAM,kBAAmB,SAAS,WAAsB;AACxD,QAAM,UAAW,SAAS,WAAsB;AAChD,QAAM,gBAAiB,SAAS,kBAA6B;AAE7D,QAAM,QAAQ,CAAC,aAAoC;AAYjD,QAAI,OAAO,SAAS,KAAK,UAAU,SAAS,GAAG;AAC7C,YAAM,QAAQ,aAAa,QAAQ;AACnC,UAAI,MAAM,SAAS,GAAG;AACpB,mBAAW,KAAK,OAAO;AACrB,qBAAW,YAAY,WAAW;AAChC,gBAAI,YAAY,GAAG,QAAQ,GAAG;AAC5B,qBAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,YAC9D;AAAA,UACF;AAAA,QACF;AACA,YAAI,OAAO,SAAS,GAAG;AACrB,qBAAW,KAAK,OAAO;AACrB,gBAAI,CAAC,OAAO,KAAK,CAAC,YAAY,YAAY,GAAG,OAAO,CAAC,GAAG;AACtD,qBAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,YAC9D;AAAA,UACF;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAGA,QAAI,gBAAgB,SAAS,GAAG;AAC9B,YAAM,aAAa,eAAe,QAAQ;AAC1C,UAAI,eAAe,QAAQ,CAAC,gBAAgB,SAAS,UAAU,GAAG;AAChE,eAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,MAC9D;AAAA,IACF;AAGA,UAAM,OAAO,YAAY,QAAQ;AACjC,QAAI,KAAK,SAAS,GAAG;AACnB,iBAAW,OAAO,MAAM;AACtB,cAAM,WAAW,gBAAgB,GAAG;AACpC,YAAI,UAAU;AACZ,cAAI,eAAe,SAAS,KAAK,cAAc,UAAU,cAAc,GAAG;AACxE,mBAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,UAC9D;AACA,cAAI,eAAe,SAAS,KAAK,CAAC,cAAc,UAAU,cAAc,GAAG;AACzE,mBAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,UAC9D;AAAA,QACF,WAAW,eAAe,SAAS,GAAG;AAGpC,iBAAO,QAAQ,KAAK,cAAc,iBAAiB,QAAQ,CAAC;AAAA,QAC9D;AAAA,MACF;AAAA,IACF;AAEA,WAAO,QAAQ,MAAM;AAAA,EACvB;AAEA,QAAM,SAAkC;AAAA,IACtC;AAAA,IACA,MAAM;AAAA,IACN,MAAM,aAAa,WAAW,IAAI,aAAa,CAAC,IAAI;AAAA,IACpD,eAAe;AAAA,IACf,gBAAgB;AAAA,IAChB,eAAe;AAAA,IACf,aAAa;AAAA,IACb,iBAAiB;AAAA,IACjB,iBAAiB;AAAA,IACjB,kBAAkB;AAAA,IAClB,yBAAyB;AAAA,EAC3B;AAIA,MAAI,SAAS,aAAa,QAAQ,SAAS,YAAY,MAAM;AAC3D,WAAO,mBAAmB;AAAA,EAC5B;AAEA,SAAO;AACT;;;ANjGO,SAAS,iBACd,QACA,UAA0B,CAAC,GACX;AAChB,QAAM,YAAY,SAAS,mBAAmB;AAC9C,QAAM,aAAa,SAAS,mBAAmB;AAE/C,oBAAkB,QAAQ,SAAS;AAEnC,MAAI,OAAO,YAAY,QAAQ,OAAO,OAAO,aAAa,UAAU;AAClE,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACA,QAAM,WAAW,OAAO;AACxB,QAAM,cAAc,SAAS;AAC7B,QAAM,gBAA2B,CAAC;AAClC,QAAM,iBAA4B,CAAC;AACnC,QAAM,mBAA8B,CAAC;AACrC,QAAM,mBAA8B,CAAC;AACrC,MAAI,SAA0B,EAAE,GAAG,eAAe;AAElD,QAAM,YAAa,OAAO,aAAa,CAAC;AACxC,aAAW,YAAY,WAAW;AAEhC,QAAI,SAAS,YAAY,MAAO;AAEhC,UAAM,eAAe,SAAS;AAC9B,UAAM,eAAgB,SAAS,QAAmB;AAElD,QAAI,iBAAiB,OAAO;AAC1B,oBAAc,KAAK,WAAW,UAAU,cAAc,WAAW,UAAU,CAAC;AAAA,IAC9E,WAAW,iBAAiB,QAAQ;AAClC,qBAAe,KAAK,YAAY,UAAU,cAAc,WAAW,UAAU,CAAC;AAAA,IAChF,WAAW,iBAAiB,WAAW;AAErC,YAAM,YACH,SAAS,YAAyB,SAAS,WAAuB;AACrE,UAAI,CAAC,WAAW;AACd,iBAAS,mBAAmB,UAAU,MAAM;AAAA,MAC9C;AACA,uBAAiB,KAAK,eAAe,UAAU,cAAc,MAAM,CAAC;AAAA,IACtE,WAAW,iBAAiB,WAAW;AACrC,uBAAiB,KAAK,eAAe,UAAU,YAAY,CAAC;AAAA,IAC9D,OAAO;AACL,YAAM,IAAI;AAAA,QACR,0BAA0B,YAAY,kBAAkB,SAAS,MAAM,SAAS;AAAA,MAElF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,QAAS,OAAO,SAAS,CAAC;AAEhC,SAAO;AAAA,IACL;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;;;AS3GA,IAAAE,sBAA2B;AAC3B,IAAAC,kBAAqD;AAErD;;;ACHA;AAYO,SAAS,eAAe,MAAqC;AAClE,MAAI,KAAK,eAAe,cAAc;AACpC,UAAM,IAAI;AAAA,MACR,mEAAmE,OAAO,KAAK,UAAU,CAAC;AAAA,IAC5F;AAAA,EACF;AACA,MAAI,KAAK,SAAS,kBAAkB;AAClC,UAAM,IAAI;AAAA,MACR,iEAAiE,OAAO,KAAK,IAAI,CAAC;AAAA,IACpF;AAAA,EACF;AACA,MAAI,KAAK,YAAY,QAAQ,OAAO,KAAK,aAAa,UAAU;AAC9D,UAAM,IAAI,mBAAmB,sDAAsD;AAAA,EACrF;AACA,MAAI,CAAC,MAAM,QAAQ,KAAK,SAAS,GAAG;AAClC,UAAM,IAAI,mBAAmB,sDAAsD;AAAA,EACrF;AACF;AAQA,IAAM,kBAAkB;AAGxB,SAAS,mBAAmB,YAA0B;AACpD,MAAI,gBAAgB,KAAK,UAAU,GAAG;AACpC,UAAM,IAAI;AAAA,MACR,6CAA6C,WAAW,QAAQ,iBAAiB,OAAO,CAAC;AAAA,IAC3F;AAAA,EACF;AACF;AAGO,SAAS,kBAAkB,MAAqC;AACrE,QAAM,MAAM,oBAAI,IAAY;AAC5B,QAAM,YAAa,KAAK,aAAa,CAAC;AACtC,aAAW,YAAY,WAAW;AAChC,UAAM,aAAa,SAAS;AAC5B,QAAI,cAAc,MAAM;AACtB,yBAAmB,UAAU;AAC7B,UAAI,IAAI,IAAI,UAAU,GAAG;AACvB,cAAM,IAAI,mBAAmB,2BAA2B,UAAU,GAAG;AAAA,MACvE;AACA,UAAI,IAAI,UAAU;AAAA,IACpB;AAAA,EACF;AACF;AAOO,SAAS,gBAAgB,MAAqC;AACnE,QAAM,YAAa,KAAK,aAAa,CAAC;AACtC,aAAW,YAAY,WAAW;AAChC,UAAM,OAAO,SAAS;AACtB,QAAI,QAAQ,MAAM;AAChB,gCAA0B,IAA+B;AAAA,IAC3D;AAAA,EACF;AACF;AAGA,SAAS,0BAA0B,MAAqB;AACtD,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU;AAC9C,QAAM,IAAI;AAEV,MAAI,SAAS,GAAG;AACd,eAAW,OAAO,EAAE,IAAkB,2BAA0B,GAAG;AACnE;AAAA,EACF;AACA,MAAI,SAAS,GAAG;AACd,eAAW,OAAO,EAAE,IAAkB,2BAA0B,GAAG;AACnE;AAAA,EACF;AACA,MAAI,SAAS,GAAG;AACd,8BAA0B,EAAE,GAAG;AAC/B;AAAA,EACF;AAGA,aAAW,YAAY,OAAO,OAAO,CAAC,GAAG;AACvC,QAAI,YAAY,QAAQ,OAAO,aAAa,SAAU;AACtD,UAAM,KAAK;AACX,QAAI,aAAa,GAAI,iBAAgB,GAAG,OAAiB;AACzD,QAAI,iBAAiB,IAAI;AACvB,iBAAW,WAAW,GAAG,YAAyB,iBAAgB,OAAO;AAAA,IAC3E;AAAA,EACF;AACF;AAGA,SAAS,gBAAgB,SAAuB;AAC9C,MAAI;AACF,QAAI,OAAO,OAAO;AAAA,EACpB,SAAS,GAAG;AACV,UAAM,IAAI,mBAAmB,0BAA0B,OAAO,MAAM,OAAO,CAAC,CAAC,EAAE;AAAA,EACjF;AACF;AAOO,SAAS,qBAAqB,MAAqC;AACxE,QAAM,YAAa,KAAK,aAAa,CAAC;AACtC,aAAW,YAAY,WAAW;AAChC,QAAI,SAAS,SAAS,MAAO;AAC7B,UAAM,OAAO,SAAS;AACtB,QAAI,QAAQ,QAAQ,sBAAsB,MAAiC,aAAa,GAAG;AACzF,YAAM,IAAI;AAAA,QACR,aAAc,SAAS,MAAiB,GAAG;AAAA,MAC7C;AAAA,IACF;AAAA,EACF;AACF;AAGA,SAAS,sBAAsB,MAAe,QAAyB;AACrE,MAAI,QAAQ,QAAQ,OAAO,SAAS,SAAU,QAAO;AACrD,QAAM,IAAI;AACV,MAAI,SAAS,EAAG,QAAQ,EAAE,IAAkB,KAAK,CAAC,QAAQ,sBAAsB,KAAK,MAAM,CAAC;AAC5F,MAAI,SAAS,EAAG,QAAQ,EAAE,IAAkB,KAAK,CAAC,QAAQ,sBAAsB,KAAK,MAAM,CAAC;AAC5F,MAAI,SAAS,EAAG,QAAO,sBAAsB,EAAE,KAAK,MAAM;AAC1D,SAAO,UAAU;AACnB;AAOO,SAAS,yBAAyB,MAAqC;AAC5E,QAAM,YAAa,KAAK,aAAa,CAAC;AACtC,aAAW,YAAY,WAAW;AAChC,QAAI,SAAS,SAAS,UAAW;AACjC,UAAM,MAAO,SAAS,MAAiB;AAEvC,QAAI,gBAAgB,YAAY,EAAE,YAAY,WAAW;AACvD,YAAM,IAAI,mBAAmB,aAAa,GAAG,8CAA8C;AAAA,IAC7F;AACA,QAAI,gBAAgB,YAAY,EAAE,YAAY,WAAW;AACvD,YAAM,IAAI,mBAAmB,aAAa,GAAG,8CAA8C;AAAA,IAC7F;AACA,QAAI,gBAAgB,UAAU;AAC5B,YAAM,YAAa,SAAS,cAAc,CAAC;AAC3C,UAAI,aAAa,WAAW;AAC1B,cAAM,SAAU,SAAS,UAAU,CAAC;AACpC,YAAI,EAAE,aAAa,SAAS;AAC1B,gBAAM,IAAI;AAAA,YACR,aAAa,GAAG;AAAA,UAClB;AAAA,QACF;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;;;ADpJO,IAAM,kBAAkB;AAYxB,SAAS,YAAY,UAAkC;AAC5D,SAAO,EAAE,SAAK,gCAAW,QAAQ,EAAE,OAAO,QAAQ,EAAE,OAAO,KAAK,EAAE;AACpE;AAOA,SAAS,cAAgD;AACvD,MAAI;AAEF,UAAM,OAAO,QAAQ,SAAS;AAC9B,WAAO;AAAA,EACT,QAAQ;AACN,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AACF;AAGA,SAAS,UAAU,SAA0C;AAC3D,QAAM,OAAO,YAAY;AACzB,MAAI;AACJ,MAAI;AACF,WAAO,KAAK,KAAK,OAAO;AAAA,EAC1B,SAAS,GAAG;AACV,UAAM,IAAI,mBAAmB,qBAAqB,OAAO,CAAC,CAAC,EAAE;AAAA,EAC/D;AACA,MAAI,QAAQ,QAAQ,OAAO,SAAS,YAAY,MAAM,QAAQ,IAAI,GAAG;AACnE,UAAM,IAAI,mBAAmB,iCAAiC;AAAA,EAChE;AACA,SAAO;AACT;AAOA,SAAS,eAAe,MAAqC;AAC3D,iBAAe,IAAI;AACnB,oBAAkB,IAAI;AACtB,kBAAgB,IAAI;AACpB,uBAAqB,IAAI;AACzB,2BAAyB,IAAI;AAC/B;AAaO,SAAS,WAAW,QAAuD;AAEhF,QAAM,eAAW,8BAAa,MAAM;AACpC,QAAM,eAAW,0BAAS,QAAQ,EAAE;AACpC,MAAI,WAAW,iBAAiB;AAC9B,UAAM,IAAI;AAAA,MACR,0BAA0B,QAAQ,eAAe,eAAe;AAAA,IAClE;AAAA,EACF;AAEA,QAAM,eAAW,8BAAa,QAAQ;AACtC,QAAM,aAAa,YAAY,QAAQ;AACvC,QAAM,OAAO,UAAU,SAAS,SAAS,OAAO,CAAC;AAEjD,iBAAe,IAAI;AACnB,SAAO,CAAC,MAAM,UAAU;AAC1B;AAYO,SAAS,iBACd,SACuC;AACvC,QAAM,WACJ,OAAO,YAAY,WAAW,IAAI,YAAY,EAAE,OAAO,OAAO,IAAI;AAEpE,MAAI,SAAS,SAAS,iBAAiB;AACrC,UAAM,IAAI;AAAA,MACR,6BAA6B,SAAS,MAAM,eAAe,eAAe;AAAA,IAC5E;AAAA,EACF;AAEA,QAAM,aAAa,YAAY,QAAQ;AACvC,QAAM,OACJ,OAAO,YAAY,WAAW,UAAU,IAAI,YAAY,EAAE,OAAO,QAAQ;AAC3E,QAAM,OAAO,UAAU,IAAI;AAE3B,iBAAe,IAAI;AACnB,SAAO,CAAC,MAAM,UAAU;AAC1B;;;AX3EO,SAAS,YACX,MACqC;AAExC,MAAI;AACJ,MAAI;AAEJ,QAAM,OAAO,KAAK,KAAK,SAAS,CAAC;AACjC,MAAI,OAAO,SAAS,YAAY,SAAS,QAAQ,CAAC,MAAM,QAAQ,IAAI,GAAG;AACrE,YAAQ,KAAK,MAAM,GAAG,EAAE;AACxB,cAAU;AAAA,EACZ,OAAO;AACL,YAAQ;AACR,cAAU,CAAC;AAAA,EACb;AAEA,MAAI,MAAM,WAAW,GAAG;AACtB,UAAM,IAAI,mBAAmB,uCAAuC;AAAA,EACtE;AAGA,QAAM,SAAuD,CAAC;AAC9D,aAAW,KAAK,OAAO;AACrB,WAAO,KAAK,WAAW,CAAC,CAAC;AAAA,EAC3B;AAEA,MAAI;AACJ,MAAI;AACJ,MAAI;AAEJ,MAAI,OAAO,WAAW,GAAG;AACvB,UAAM,QAAQ,OAAO,CAAC;AACtB,iBAAa,MAAM,CAAC;AACpB,oBAAgB,MAAM,CAAC,EAAE;AACzB,aAAS,EAAE,qBAAqB,CAAC,GAAG,kBAAkB,CAAC,EAAE;AAAA,EAC3D,OAAO;AACL,UAAM,eAAoD,OAAO;AAAA,MAC/D,CAAC,CAAC,IAAI,GAAG,MAAM,CAAC,MAAM,MAAM,CAAC,CAAW;AAAA,IAC1C;AACA,UAAM,WAAW,eAAe,GAAG,YAAY;AAC/C,iBAAa,SAAS;AACtB,aAAS,SAAS;AAClB,wBAAgB,gCAAW,QAAQ,EAChC,OAAO,OAAO,IAAI,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,GAAG,EAAE,KAAK,GAAG,CAAC,EAC7C,OAAO,KAAK;AAAA,EACjB;AAEA,QAAM,WAAW,iBAAiB,YAAY;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C,CAAC;AAED,QAAM,QAAQ,YAAY,UAAU,eAAe,OAAO;AAE1D,MAAI,QAAQ,cAAc;AACxB,WAAO,CAAC,OAAO,MAAM;AAAA,EACvB;AACA,SAAO;AACT;AAaO,SAAS,eACd,SACA,UAA8B,CAAC,GACtB;AACT,QAAM,CAAC,YAAY,UAAU,IAAI,iBAAiB,OAAO;AACzD,QAAM,gBAAgB,WAAW;AAEjC,QAAM,WAAW,iBAAiB,YAAY;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C,CAAC;AAED,SAAO,YAAY,UAAU,eAAe,OAAO;AACrD;AAoBO,SAAS,OACd,OACA,aACA,UAAyB,CAAC,GACpB;AACN,QAAM,CAAC,YAAY,UAAU,IAAI,iBAAiB,WAAW;AAC7D,QAAM,WAAW,iBAAiB,YAAY;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,IAC5C,iBAAiB,QAAQ,mBAAmB;AAAA,EAC9C,CAAC;AAED,QAAM,eAAe;AAAA,IACnB,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,EACd;AAIA,QAAM,OAAO,IAAI,QAAQ;AAAA,IACvB,WAAW;AAAA,IACX,QAAQ,SAAS;AAAA,IACjB,eAAe,WAAW;AAAA,EAC5B,CAAC;AAGD,QAAM,cAAc,KAAK,UAAU,CAAC;AACtC;AAMA,SAAS,YACP,UASA,eACA,SACS;AACT,QAAM,gBAAgB,QAAQ,QAAQ,SAAS;AAE/C,QAAM,eAAe;AAAA,IACnB,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,IACZ,GAAG,SAAS;AAAA,EACd;AAGA,QAAM,cAA8E,CAAC;AACrF,aAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,SAAS,KAAK,GAAG;AACxD,gBAAY,IAAI,IAAI;AAAA,EACtB;AACA,MAAI,QAAQ,OAAO;AACjB,eAAW,CAAC,MAAM,GAAG,KAAK,OAAO,QAAQ,QAAQ,KAAK,GAAG;AACvD,kBAAY,IAAI,IAAI;AAAA,IACtB;AAAA,EACF;AAEA,SAAO,IAAI,QAAQ;AAAA,IACjB,aAAa,QAAQ,eAAe;AAAA,IACpC,MAAM;AAAA,IACN,QAAQ,SAAS;AAAA,IACjB,OAAO,OAAO,KAAK,WAAW,EAAE,SAAS,IAAI,cAAc;AAAA,IAC3D,WAAW;AAAA,IACX,WAAW,QAAQ;AAAA,IACnB,WAAW,QAAQ;AAAA,IACnB,SAAS,QAAQ;AAAA,IACjB;AAAA,IACA,QAAQ,QAAQ;AAAA,IAChB,SAAS,QAAQ;AAAA,IACjB,cAAc,QAAQ;AAAA,IACtB,WAAW,QAAQ;AAAA,IACnB,mBAAmB,QAAQ;AAAA,IAC3B,iBAAiB,QAAQ;AAAA,EAC3B,CAAC;AACH;;;AD/OA;AAGA;AAOA;AAaA;AAYA,SAAS,kBACP,GACsB;AACtB,SAAO,EAAE,UAAU;AACrB;AAiDO,IAAM,UAAN,MAAM,SAA6B;AAAA,EAC/B;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEQ;AAAA,EACT;AAAA,EACS;AAAA,EACA;AAAA,EACA;AAAA;AAAA;AAAA;AAAA,EAIS;AAAA;AAAA,EAOA;AAAA;AAAA,EACA;AAAA,EAGlB;AAAA,EACS;AAAA;AAAA,EAMS;AAAA,EAE1B,YAAY,UAA0B,CAAC,GAAG;AACxC,SAAK,cAAc,QAAQ,eAAe;AAC1C,SAAK,OAAO,QAAQ,QAAQ;AAC5B,SAAK,UAAU,QAAQ,WAAW,IAAI,cAAc;AACpD,SAAK,YAAY,QAAQ,aAAa,IAAI,gBAAgB;AAC1D,SAAK,UAAU,QAAQ,UAAU;AACjC,SAAK,WAAW,QAAQ,WAAW;AACnC,SAAK,gBAAgB,QAAQ,gBAAgB;AAC7C,SAAK,aAAa,QAAQ,aAAa;AACvC,SAAK,qBAAqB,QAAQ,qBAAqB;AACvD,SAAK,mBAAmB,QAAQ,mBAAmB;AAGnD,SAAK,aAAa,IAAI,oBAAoB;AAC1C,QAAI,MAAM,QAAQ,QAAQ,SAAS,GAAG;AACpC,WAAK,YAAY,IAAI,cAAc;AAAA,QACjC,KAAK;AAAA,QACL,GAAG,QAAQ;AAAA,MACb,CAAC;AAAA,IACH,WAAW,QAAQ,aAAa,MAAM;AACpC,WAAK,YAAY,IAAI,cAAc;AAAA,QACjC,KAAK;AAAA,QACL,QAAQ;AAAA,MACV,CAAC;AAAA,IACH,OAAO;AACL,WAAK,YAAY,KAAK;AAAA,IACxB;AAGA,SAAK,eAAe,IAAI,aAAa;AACrC,QAAI,QAAQ,OAAO;AACjB,iBAAW,CAAC,MAAM,MAAM,KAAK,OAAO,QAAQ,QAAQ,KAAK,GAAG;AAC1D,aAAK,aAAa;AAAA,UAChB;AAAA,UACC,OAAO,eACN,WAAW;AAAA,UACb,OAAO,cAAc;AAAA,QACvB;AAAA,MACF;AAAA,IACF;AAGA,SAAK,SAAS,SAAQ;AAAA,MACpB,QAAQ,aAAa,CAAC;AAAA,MACtB,QAAQ,UAAU;AAAA,MAClB,QAAQ,iBAAiB;AAAA,IAC3B;AAGA,SAAK,eAAe,CAAC;AACrB,SAAK,cAAc,CAAC;AACpB,eAAW,QAAQ,QAAQ,SAAS,CAAC,GAAG;AACtC,WAAK,cAAc,IAAI;AAAA,IACzB;AAGA,SAAK,iBAAa,gCAAW;AAAA,EAC/B;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,IAAI,YAAiC;AACnC,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,IAAI,SAA0B;AAC5B,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA,EAGA,IAAI,OAAO,OAAwB;AACjC,SAAK,SAAS,oBAAoB,EAAE,GAAG,KAAK,QAAQ,QAAQ,MAAM,CAAC;AAAA,EACrE;AAAA;AAAA,EAGA,IAAI,gBAA+B;AACjC,WAAO,KAAK,OAAO;AAAA,EACrB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,cAAc,UAA+B;AAC3C,SAAK,SAAS;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,YAA2B;AACzB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA,EAGA,IAAI,cAAc,OAAsB;AACtC,SAAK,SAAS,oBAAoB;AAAA,MAChC,GAAG,KAAK;AAAA,MACR,eAAe;AAAA,IACjB,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,IAAI,YAAoB;AACtB,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,WAA4B;AACvC,SAAK,aAAa;AAAA,EACpB;AAAA;AAAA,EAGA,kBACE,UACA,WACkB;AAClB,QAAI,KAAK,sBAAsB,MAAM;AACnC,aAAO,KAAK,mBAAmB,UAAU,SAAS;AAAA,IACpD;AACA,WAAO,KAAK;AAAA,EACd;AAAA;AAAA;AAAA;AAAA,EAMQ,cAAc,MAA8B;AAClD,QAAI,KAAK,UAAU,UAAU;AAC3B,WAAK,aAAa,KAAK,IAAI;AAAA,IAC7B,OAAO;AACL,WAAK,YAAY,KAAK,IAAI;AAAA,IAC5B;AAAA,EACF;AAAA,EAEA,SACE,OACA,UACoB;AACpB,UAAM,QACJ,UAAU,WAAW,KAAK,eAAe,KAAK;AAChD,WAAO,MAAM;AAAA,MACX,CAAC,MAAM,EAAE,SAAS,OAAO,QAAQ,SAAS,UAAU,EAAE,IAAI;AAAA,IAC5D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,iBAAiB,UAAgD;AAC/D,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,kBAAkB,UAAiD;AACjE,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,sBAAiD;AAC/C,WAAO,CAAC,GAAG,KAAK,OAAO,gBAAgB;AAAA,EACzC;AAAA,EAEA,oBAAoB,UAAmD;AACrE,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAMA,wBACE,UACwB;AACxB,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,yBACE,UACyB;AACzB,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,6BAAwD;AACtD,WAAO,CAAC,GAAG,KAAK,OAAO,uBAAuB;AAAA,EAChD;AAAA,EAEA,2BACE,UAC2B;AAC3B,WAAO,SAAQ;AAAA,MACb,KAAK,OAAO;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAcA,OAAe,mBACb,WAGA,QACA,eACe;AACf,UAAM,MAA8B,CAAC;AACrC,UAAM,OAAgC,CAAC;AACvC,UAAM,UAAqC,CAAC;AAC5C,UAAM,UAAqC,CAAC;AAC5C,UAAM,OAA+B,CAAC;AACtC,UAAM,QAAiC,CAAC;AACxC,UAAM,WAAsC,CAAC;AAC7C,UAAM,WAAsC,CAAC;AAE7C,eAAW,QAAQ,WAAW;AAC5B,YAAM,MAAM;AACZ,YAAM,cAAc,IAAI;AAExB,YAAM,YACH,IAAI,oBACJ,IAAI,mBACL;AAEF,UAAI,eAAe,MAAM;AAEvB,iBAAQ;AAAA,UACN;AAAA,UACA;AAAA,UACA;AAAA,UACA,EAAE,KAAK,MAAM,SAAS,SAAS,MAAM,OAAO,UAAU,SAAS;AAAA,QACjE;AAAA,MACF,WAAW,kBAAkB,IAAI,GAAG;AAClC,cAAM,OAAQ,IAAsB,QAAQ;AAC5C,gBAAQ,KAAK;AAAA,UACX,MAAM;AAAA,UACN;AAAA,UACA,OAAQ,KAAyB;AAAA,QACnC,CAAC;AAAA,MACH,WAAW,UAAU,QAAS,KAAmC,iBAAiB,QAAQ;AACxF,cAAM,WAAW;AACjB,cAAM,OAAQ,IAAsB,QAAQ;AAC5C,aAAK,KAAK;AAAA,UACR,MAAM;AAAA,UACN;AAAA,UACA,MAAM,SAAS;AAAA,UACf,OAAO,SAAS;AAAA,UAChB,MAAM,SAAS;AAAA,QACjB,CAAC;AAAA,MACH,WAAW,UAAU,MAAM;AAEzB,cAAM,KAAM,IAAmC;AAC/C,YAAI,MAAM,QAAQ,OAAO,OAAO;AAC9B,gBAAM,IAAI;AAAA,YACR,uBAAwB,KAAsB,IAAI,+BAC9C,OAAO,EAAE,CAAC;AAAA,UAChB;AAAA,QACF;AAMA,YAAI,MAAM,QAAQ,KAAK,MAAM,UAAU,GAAG;AACxC,gBAAM,IAAI;AAAA,YACR,uBAAwB,KAAsB,IAAI,+BAC/C,KAAK,MAAM,MAAM;AAAA,UAEtB;AAAA,QACF;AACA,cAAM,UAAU;AAChB,cAAM,OAAQ,IAAsB,QAAQ;AAC5C,YAAI,KAAK;AAAA,UACP,MAAM;AAAA,UACN;AAAA,UACA,MAAM,QAAQ;AAAA,UACd,OAAO,QAAQ;AAAA,UACf,MAAM,QAAQ;AAAA,QAChB,CAAC;AAAA,MACH;AAAA,IACF;AAEA,WAAO,oBAAoB;AAAA,MACzB,eAAe;AAAA,MACf,gBAAgB;AAAA,MAChB,kBAAkB;AAAA,MAClB,kBAAkB;AAAA,MAClB,sBAAsB;AAAA,MACtB,uBAAuB;AAAA,MACvB,yBAAyB;AAAA,MACzB,yBAAyB;AAAA,MACzB;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH;AAAA;AAAA,EAGA,OAAe,kBACb,KACA,aACA,WACA,OAUM;AACN,UAAM,SAAS,YACX,EAAE,KAAK,MAAM,MAAM,MAAM,MAAM,OAAO,SAAS,MAAM,UAAU,SAAS,MAAM,SAAS,IACvF,EAAE,KAAK,MAAM,KAAK,MAAM,MAAM,MAAM,SAAS,MAAM,SAAS,SAAS,MAAM,QAAQ;AAEvF,QAAI,gBAAgB,eAAgB,QAAO,IAAI,KAAK,GAAsC;AAAA,aACjF,gBAAgB,gBAAiB,QAAO,KAAK,KAAK,GAAuC;AAAA,aACzF,gBAAgB,mBAAoB,QAAO,QAAQ,KAAK,GAAyC;AAAA,aACjG,gBAAgB,UAAW,QAAO,QAAQ,KAAK,GAAyC;AAAA,SAC5F;AACH,YAAM,IAAI;AAAA,QACR,0BAA0B,WAAW;AAAA,MAEvC;AAAA,IACF;AAAA,EACF;AAAA;AAAA,EAGA,OAAe,cAKb,WAAgB,UAA6B;AAC7C,UAAM,SAAc,CAAC;AACrB,eAAW,KAAK,WAAW;AACzB,YAAM,OAAO,EAAE,QAAQ;AACvB,YAAM,OAAO,EAAE,QAAQ;AACvB,UAAI,SAAS,OAAO,CAAC,QAAQ,SAAS,UAAU,IAAI,GAAG;AACrD;AAAA,MACF;AACA,UAAI,QAAQ,MAAM;AAChB,YAAI;AACF,cAAI,CAAC,KAAK,QAAQ,EAAG;AAAA,QACvB,QAAQ;AAAA,QAGR;AAAA,MACF;AACA,aAAO,KAAK,CAAC;AAAA,IACf;AACA,WAAO;AAAA,EACT;AAAA;AAAA,EAGA,OAAe,eACb,WACA,UAC2B;AAC3B,UAAM,SAAoC,CAAC;AAC3C,eAAW,KAAK,WAAW;AACzB,YAAM,QAAQ,EAAE,SAAS,CAAC,GAAG;AAC7B,UAAI,MAAM,KAAK,CAAC,MAAM,QAAQ,SAAS,UAAU,CAAC,CAAC,GAAG;AACpD,eAAO,KAAK,CAAC;AAAA,MACf;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,IACJ,UACA,MACA,cAGA,SAKkB;AAClB,UAAM,EAAE,KAAAC,KAAI,IAAI,MAAM;AACtB,WAAOA,KAAI,MAAM,UAAU,MAAM,cAAc,OAAO;AAAA,EACxD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,SACE,UACA,MACA,SAK2B;AAE3B,WAAO,gEAAuB;AAAA,MAAK,CAAC,EAAE,UAAAC,UAAS,MAC7CA,UAAS,MAAM,UAAU,MAAM,OAAO;AAAA,IACxC;AAAA,EACF;AAAA;AAAA,EAGA,cACE,OAO6B;AAC7B,WAAO,gEAAuB;AAAA,MAAK,CAAC,EAAE,eAAAC,eAAc,MAClDA,eAAc,MAAM,KAAK;AAAA,IAC3B;AAAA,EACF;AAAA,EAuBA,OAAO,YACF,MACqC;AACxC,WAAO,SAAU,GAAG,IAAI;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,eACL,SACA,SACS;AACT,WAAO,eAAgB,SAAS,OAAO;AAAA,EACzC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,OAAO,aAAqB,SAA+B;AACzD,WAAQ,MAAM,aAAa,OAAO;AAAA,EACpC;AACF;;;ALtiBA;AApGO,IAAM,UAAU;","names":["import_node_crypto","pe","contractResult","import_node_crypto","import_node_crypto","pathResolve","import_node_fs","import_node_path","_realpath","pathResolve","import_node_crypto","import_node_fs","run","evaluate","evaluateBatch"]}