@getaegis/cli 0.8.0 → 0.9.0

package/dist/policy/policy.js

@@ -0,0 +1,426 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { parse as parseYaml } from 'yaml';
+const VALID_METHODS = new Set([
+    'GET',
+    'POST',
+    'PUT',
+    'PATCH',
+    'DELETE',
+    'HEAD',
+    'OPTIONS',
+]);
+// ─── Time format regex ────────────────────────────────────────────
+const TIME_PATTERN = /^([01]\d|2[0-3]):([0-5]\d)$/;
+// ─── Rate limit format regex ──────────────────────────────────────
+const RATE_LIMIT_PATTERN = /^\d+\/(second|sec|min|minute|hour|hr|day)$/;
+// ─── Validation ───────────────────────────────────────────────────
+/**
+ * Validate a single policy rule.
+ */
+function validateRule(rule, index, errors) {
+    const prefix = `rules[${index}]`;
+    if (typeof rule !== 'object' || rule === null) {
+        errors.push({ message: `${prefix} must be an object`, path: prefix });
+        return;
+    }
+    const r = rule;
+    // service — required string
+    if (typeof r.service !== 'string' || r.service.trim().length === 0) {
+        errors.push({
+            message: `${prefix}.service is required and must be a non-empty string`,
+            path: `${prefix}.service`,
+        });
+    }
+    // methods — optional array of valid HTTP methods
+    if (r.methods !== undefined) {
+        if (!Array.isArray(r.methods)) {
+            errors.push({
+                message: `${prefix}.methods must be an array of HTTP methods`,
+                path: `${prefix}.methods`,
+            });
+        }
+        else {
+            for (let i = 0; i < r.methods.length; i++) {
+                const m = r.methods[i];
+                if (typeof m !== 'string' || !VALID_METHODS.has(m.toUpperCase())) {
+                    errors.push({
+                        message: `${prefix}.methods[${i}] "${String(m)}" is not a valid HTTP method. Allowed: ${[...VALID_METHODS].join(', ')}`,
+                        path: `${prefix}.methods[${i}]`,
+                    });
+                }
+            }
+        }
+    }
+    // paths — optional array of regex strings
+    if (r.paths !== undefined) {
+        if (!Array.isArray(r.paths)) {
+            errors.push({
+                message: `${prefix}.paths must be an array of regex pattern strings`,
+                path: `${prefix}.paths`,
+            });
+        }
+        else {
+            for (let i = 0; i < r.paths.length; i++) {
+                const p = r.paths[i];
+                if (typeof p !== 'string') {
+                    errors.push({
+                        message: `${prefix}.paths[${i}] must be a string`,
+                        path: `${prefix}.paths[${i}]`,
+                    });
+                }
+                else {
+                    try {
+                        new RegExp(p);
+                    }
+                    catch {
+                        errors.push({
+                            message: `${prefix}.paths[${i}] "${p}" is not a valid regular expression`,
+                            path: `${prefix}.paths[${i}]`,
+                        });
+                    }
+                }
+            }
+        }
+    }
+    // rate_limit / rateLimit — optional string matching pattern
+    const rateLimit = r.rate_limit ?? r.rateLimit;
+    if (rateLimit !== undefined) {
+        if (typeof rateLimit !== 'string' || !RATE_LIMIT_PATTERN.test(rateLimit)) {
+            errors.push({
+                message: `${prefix}.rate_limit "${String(rateLimit)}" is invalid. Expected format: "<number>/<unit>" (e.g. "100/hour", "50/min")`,
+                path: `${prefix}.rate_limit`,
+            });
+        }
+    }
+    // time_window / timeWindow — optional object with start, end, timezone
+    const timeWindow = r.time_window ?? r.timeWindow;
+    if (timeWindow !== undefined) {
+        if (typeof timeWindow !== 'object' || timeWindow === null) {
+            errors.push({
+                message: `${prefix}.time_window must be an object with start, end, and timezone`,
+                path: `${prefix}.time_window`,
+            });
+        }
+        else {
+            const tw = timeWindow;
+            if (typeof tw.start !== 'string' || !TIME_PATTERN.test(tw.start)) {
+                errors.push({
+                    message: `${prefix}.time_window.start must be in HH:MM 24-hour format (e.g. "09:00")`,
+                    path: `${prefix}.time_window.start`,
+                });
+            }
+            if (typeof tw.end !== 'string' || !TIME_PATTERN.test(tw.end)) {
+                errors.push({
+                    message: `${prefix}.time_window.end must be in HH:MM 24-hour format (e.g. "18:00")`,
+                    path: `${prefix}.time_window.end`,
+                });
+            }
+            if (tw.timezone !== undefined && typeof tw.timezone !== 'string') {
+                errors.push({
+                    message: `${prefix}.time_window.timezone must be a string (IANA timezone)`,
+                    path: `${prefix}.time_window.timezone`,
+                });
+            }
+            // Validate timezone is a real IANA zone
+            if (typeof tw.timezone === 'string') {
+                try {
+                    Intl.DateTimeFormat(undefined, { timeZone: tw.timezone });
+                }
+                catch {
+                    errors.push({
+                        message: `${prefix}.time_window.timezone "${tw.timezone}" is not a valid IANA timezone`,
+                        path: `${prefix}.time_window.timezone`,
+                    });
+                }
+            }
+        }
+    }
+}
+/**
+ * Parse and validate a raw YAML string into a Policy.
+ * Returns a validation result with errors (if any) and the parsed policy (if valid).
+ */
+export function parsePolicy(yamlContent, filePath) {
+    const errors = [];
+    // Parse YAML
+    let raw;
+    try {
+        raw = parseYaml(yamlContent);
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            valid: false,
+            errors: [{ file: filePath, message: `YAML parse error: ${message}` }],
+            filePath,
+        };
+    }
+    if (typeof raw !== 'object' || raw === null) {
+        return {
+            valid: false,
+            errors: [{ file: filePath, message: 'Policy must be a YAML object' }],
+            filePath,
+        };
+    }
+    const doc = raw;
+    // agent — required string
+    if (typeof doc.agent !== 'string' || doc.agent.trim().length === 0) {
+        errors.push({
+            file: filePath,
+            message: '"agent" is required and must be a non-empty string',
+            path: 'agent',
+        });
+    }
+    // rules — required non-empty array
+    if (!Array.isArray(doc.rules)) {
+        errors.push({
+            file: filePath,
+            message: '"rules" is required and must be an array',
+            path: 'rules',
+        });
+    }
+    else if (doc.rules.length === 0) {
+        errors.push({
+            file: filePath,
+            message: '"rules" must contain at least one rule',
+            path: 'rules',
+        });
+    }
+    else {
+        for (let i = 0; i < doc.rules.length; i++) {
+            validateRule(doc.rules[i], i, errors);
+        }
+    }
+    if (errors.length > 0) {
+        // Attach file to all errors
+        for (const err of errors) {
+            err.file = err.file ?? filePath;
+        }
+        return { valid: false, errors, filePath };
+    }
+    // Build the validated Policy object
+    const rules = doc.rules.map((r) => {
+        const rule = {
+            service: r.service,
+        };
+        if (r.methods) {
+            rule.methods = r.methods.map((m) => m.toUpperCase());
+        }
+        if (r.paths) {
+            rule.paths = r.paths;
+        }
+        const rateLimitVal = r.rate_limit ?? r.rateLimit;
+        if (rateLimitVal) {
+            rule.rateLimit = rateLimitVal;
+        }
+        const timeWindowVal = r.time_window ?? r.timeWindow;
+        if (timeWindowVal) {
+            const tw = timeWindowVal;
+            rule.timeWindow = {
+                start: tw.start,
+                end: tw.end,
+                timezone: tw.timezone ?? 'UTC',
+            };
+        }
+        return rule;
+    });
+    return {
+        valid: true,
+        errors: [],
+        policy: {
+            agent: doc.agent,
+            rules,
+        },
+        filePath,
+    };
+}
+/**
+ * Load and validate a single policy file from disk.
+ */
+export function loadPolicyFile(filePath) {
+    let content;
+    try {
+        content = fs.readFileSync(filePath, 'utf-8');
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            valid: false,
+            errors: [{ file: filePath, message: `Failed to read file: ${message}` }],
+            filePath,
+        };
+    }
+    return parsePolicy(content, filePath);
+}
+/**
+ * Load all policy files from a directory (*.yaml and *.yml).
+ * Returns an array of validation results, one per file.
+ */
+export function loadPoliciesFromDirectory(dirPath) {
+    if (!fs.existsSync(dirPath)) {
+        return [
+            {
+                valid: false,
+                errors: [{ message: `Policy directory does not exist: ${dirPath}` }],
+            },
+        ];
+    }
+    const stat = fs.statSync(dirPath);
+    if (!stat.isDirectory()) {
+        return [
+            {
+                valid: false,
+                errors: [{ message: `Not a directory: ${dirPath}` }],
+            },
+        ];
+    }
+    const files = fs
+        .readdirSync(dirPath)
+        .filter((f) => f.endsWith('.yaml') || f.endsWith('.yml'))
+        .sort();
+    if (files.length === 0) {
+        return [];
+    }
+    const results = [];
+    for (const file of files) {
+        const fullPath = path.join(dirPath, file);
+        results.push(loadPolicyFile(fullPath));
+    }
+    // Check for duplicate agent names across files
+    const agentNames = new Map();
+    for (const result of results) {
+        if (result.valid && result.policy) {
+            const existing = agentNames.get(result.policy.agent);
+            if (existing) {
+                result.valid = false;
+                result.errors.push({
+                    file: result.errors[0]?.file,
+                    message: `Duplicate policy for agent "${result.policy.agent}" — already defined in ${existing}`,
+                    path: 'agent',
+                });
+            }
+            else {
+                agentNames.set(result.policy.agent, result.errors[0]?.file ?? 'unknown');
+            }
+        }
+    }
+    return results;
+}
+/**
+ * Build a map of agent name → Policy from a set of validation results.
+ * Only includes valid policies.
+ */
+export function buildPolicyMap(results) {
+    const map = new Map();
+    for (const result of results) {
+        if (result.valid && result.policy) {
+            map.set(result.policy.agent, result.policy);
+        }
+    }
+    return map;
+}
+/**
+ * Check if the current time falls within a time window.
+ *
+ * Handles midnight-spanning windows (e.g. 22:00 → 06:00).
+ */
+function isWithinTimeWindow(timeWindow, now) {
+    // Get the current time in the specified timezone
+    const formatter = new Intl.DateTimeFormat('en-US', {
+        timeZone: timeWindow.timezone,
+        hour: '2-digit',
+        minute: '2-digit',
+        hour12: false,
+    });
+    const parts = formatter.formatToParts(now);
+    const hourPart = parts.find((p) => p.type === 'hour');
+    const minutePart = parts.find((p) => p.type === 'minute');
+    const currentHour = parseInt(hourPart?.value ?? '0', 10);
+    const currentMinute = parseInt(minutePart?.value ?? '0', 10);
+    const currentMinutes = currentHour * 60 + currentMinute;
+    const [startH, startM] = timeWindow.start.split(':').map(Number);
+    const [endH, endM] = timeWindow.end.split(':').map(Number);
+    const startMinutes = startH * 60 + startM;
+    const endMinutes = endH * 60 + endM;
+    if (startMinutes <= endMinutes) {
+        // Normal window: e.g. 09:00 → 18:00
+        return currentMinutes >= startMinutes && currentMinutes < endMinutes;
+    }
+    // Midnight-spanning window: e.g. 22:00 → 06:00
+    return currentMinutes >= startMinutes || currentMinutes < endMinutes;
+}
+/**
+ * Evaluate a request against a policy.
+ *
+ * Rules are matched by service name. If no rule matches the service,
+ * the request is denied. If a rule matches, method and path constraints
+ * are checked. If multiple rules match the same service, the request is
+ * allowed if ANY rule permits it.
+ *
+ * Returns an evaluation result indicating whether the request is allowed
+ * and, if not, why.
+ */
+export function evaluatePolicy(policy, request) {
+    const now = request.now ?? new Date();
+    const method = request.method.toUpperCase();
+    // Find all rules matching this service
+    const matchingRules = policy.rules.filter((r) => r.service === request.service);
+    if (matchingRules.length === 0) {
+        return {
+            allowed: false,
+            reason: `No policy rule for service "${request.service}" — agent "${policy.agent}" is not permitted to access this service`,
+            violation: 'no_matching_rule',
+        };
+    }
+    // Try each matching rule — allowed if ANY rule permits the request
+    const denials = [];
+    for (const rule of matchingRules) {
+        // Check method restriction
+        if (rule.methods && !rule.methods.includes(method)) {
+            denials.push({
+                rule,
+                reason: `Method ${method} not allowed — permitted: ${rule.methods.join(', ')}`,
+                violation: 'method',
+            });
+            continue;
+        }
+        // Check path restriction
+        if (rule.paths) {
+            const pathMatch = rule.paths.some((pattern) => new RegExp(pattern).test(request.path));
+            if (!pathMatch) {
+                denials.push({
+                    rule,
+                    reason: `Path "${request.path}" does not match any allowed pattern: ${rule.paths.join(', ')}`,
+                    violation: 'path',
+                });
+                continue;
+            }
+        }
+        // Check time window
+        if (rule.timeWindow) {
+            if (!isWithinTimeWindow(rule.timeWindow, now)) {
+                denials.push({
+                    rule,
+                    reason: `Request outside allowed time window (${rule.timeWindow.start}–${rule.timeWindow.end} ${rule.timeWindow.timezone})`,
+                    violation: 'time_window',
+                });
+                continue;
+            }
+        }
+        // All checks passed — this rule allows the request
+        return {
+            allowed: true,
+            matchedRule: rule,
+        };
+    }
+    // No rule allowed the request — use the most specific denial
+    const denial = denials[0];
+    return {
+        allowed: false,
+        matchedRule: denial.rule,
+        reason: denial.reason,
+        violation: denial.violation,
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/policy/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/policy/policy.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAS1C,MAAM,aAAa,GAAwB,IAAI,GAAG,CAAC;IACjD,KAAK;IACL,MAAM;IACN,KAAK;IACL,OAAO;IACP,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC,CAAC;AAgEH,qEAAqE;AAErE,MAAM,YAAY,GAAG,6BAA6B,CAAC;AAEnD,qEAAqE;AAErE,MAAM,kBAAkB,GAAG,4CAA4C,CAAC;AAExE,qEAAqE;AAErE;;GAEG;AACH,SAAS,YAAY,CAAC,IAAa,EAAE,KAAa,EAAE,MAA+B;IACjF,MAAM,MAAM,GAAG,SAAS,KAAK,GAAG,CAAC;IAEjC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;QAC9C,MAAM,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,GAAG,MAAM,oBAAoB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACtE,OAAO;IACT,CAAC;IAED,MAAM,CAAC,GAAG,IAA+B,CAAC;IAE1C,4BAA4B;IAC5B,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,OAAO,EAAE,GAAG,MAAM,qDAAqD;YACvE,IAAI,EAAE,GAAG,MAAM,UAAU;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,GAAG,MAAM,2CAA2C;gBAC7D,IAAI,EAAE,GAAG,MAAM,UAAU;aAC1B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC1C,MAAM,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBACvB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;oBACjE,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,GAAG,MAAM,YAAY,CAAC,MAAM,MAAM,CAAC,CAAC,CAAC,0CAA0C,CAAC,GAAG,aAAa,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;wBACvH,IAAI,EAAE,GAAG,MAAM,YAAY,CAAC,GAAG;qBAChC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,0CAA0C;IAC1C,IAAI,CAAC,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,GAAG,MAAM,kDAAkD;gBACpE,IAAI,EAAE,GAAG,MAAM,QAAQ;aACxB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;gBACrB,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,oBAAoB;wBACjD,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG;qBAC9B,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC;wBACH,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC;oBAChB,CAAC;oBAAC,MAAM,CAAC;wBACP,MAAM,CAAC,IAAI,CAAC;4BACV,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC,MAAM,CAAC,qCAAqC;4BACzE,IAAI,EAAE,GAAG,MAAM,UAAU,CAAC,GAAG;yBAC9B,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED,4DAA4D;IAC5D,MAAM,SAAS,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;IAC9C,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACzE,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,GAAG,MAAM,gBAAgB,MAAM,CAAC,SAAS,CAAC,8EAA8E;gBACjI,IAAI,EAAE,GAAG,MAAM,aAAa;aAC7B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,MAAM,UAAU,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAC;IACjD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;QAC7B,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YAC1D,MAAM,CAAC,IAAI,CAAC;gBACV,OAAO,EAAE,GAAG,MAAM,8DAA8D;gBAChF,IAAI,EAAE,GAAG,MAAM,cAAc;aAC9B,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,MAAM,EAAE,GAAG,UAAqC,CAAC;YAEjD,IAAI,OAAO,EAAE,CAAC,KAAK,KAAK,QAAQ,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;gBACjE,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,GAAG,MAAM,mEAAmE;oBACrF,IAAI,EAAE,GAAG,MAAM,oBAAoB;iBACpC,CAAC,CAAC;YACL,CAAC;YACD,IAAI,OAAO,EAAE,CAAC,GAAG,KAAK,QAAQ,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC7D,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,GAAG,MAAM,iEAAiE;oBACnF,IAAI,EAAE,GAAG,MAAM,kBAAkB;iBAClC,CAAC,CAAC;YACL,CAAC;YACD,IAAI,EAAE,CAAC,QAAQ,KAAK,SAAS,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACjE,MAAM,CAAC,IAAI,CAAC;oBACV,OAAO,EAAE,GAAG,MAAM,wDAAwD;oBAC1E,IAAI,EAAE,GAAG,MAAM,uBAAuB;iBACvC,CAAC,CAAC;YACL,CAAC;YACD,wCAAwC;YACxC,IAAI,OAAO,EAAE,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;gBACpC,IAAI,CAAC;oBACH,IAAI,CAAC,cAAc,CAAC,SAAS,EAAE,EAAE,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC;gBAC5D,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,CAAC;wBACV,OAAO,EAAE,GAAG,MAAM,0BAA0B,EAAE,CAAC,QAAQ,gCAAgC;wBACvF,IAAI,EAAE,GAAG,MAAM,uBAAuB;qBACvC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB,EAAE,QAAiB;IAChE,MAAM,MAAM,GAA4B,EAAE,CAAC;IAE3C,aAAa;IACb,IAAI,GAAY,CAAC;IACjB,IAAI,CAAC;QACH,GAAG,GAAG,SAAS,CAAC,WAAW,CAAC,CAAC;IAC/B,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,qBAAqB,OAAO,EAAE,EAAE,CAAC;YACrE,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;QAC5C,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;YACrE,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,GAA8B,CAAC;IAE3C,0BAA0B;IAC1B,IAAI,OAAO,GAAG,CAAC,KAAK,KAAK,QAAQ,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,oDAAoD;YAC7D,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;IAED,mCAAmC;IACnC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,0CAA0C;YACnD,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,wCAAwC;YACjD,IAAI,EAAE,OAAO;SACd,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,MAAM,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,4BAA4B;QAC5B,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;YACzB,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,QAAQ,CAAC;QAClC,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,oCAAoC;IACpC,MAAM,KAAK,GAAkB,GAAG,CAAC,KAAwC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QAClF,MAAM,IAAI,GAAe;YACvB,OAAO,EAAE,CAAC,CAAC,OAAiB;SAC7B,CAAC;QAEF,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACd,IAAI,CAAC,OAAO,GAAI,CAAC,CAAC,OAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAgB,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;YACZ,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,KAAiB,CAAC;QACnC,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,SAAS,CAAC;QACjD,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC,SAAS,GAAG,YAAsB,CAAC;QAC1C,CAAC;QAED,MAAM,aAAa,GAAG,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,UAAU,CAAC;QACpD,IAAI,aAAa,EAAE,CAAC;YAClB,MAAM,EAAE,GAAG,aAAwC,CAAC;YACpD,IAAI,CAAC,UAAU,GAAG;gBAChB,KAAK,EAAE,EAAE,CAAC,KAAe;gBACzB,GAAG,EAAE,EAAE,CAAC,GAAa;gBACrB,QAAQ,EAAG,EAAE,CAAC,QAAmB,IAAI,KAAK;aAC3C,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,EAAE,IAAI;QACX,MAAM,EAAE,EAAE;QACV,MAAM,EAAE;YACN,KAAK,EAAE,GAAG,CAAC,KAAe;YAC1B,KAAK;SACN;QACD,QAAQ;KACT,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC7C,IAAI,OAAe,CAAC;IACpB,IAAI,CAAC;QACH,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,MAAM,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,wBAAwB,OAAO,EAAE,EAAE,CAAC;YACxE,QAAQ;SACT,CAAC;IACJ,CAAC;IAED,OAAO,WAAW,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,yBAAyB,CAAC,OAAe;IACvD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,OAAO;YACL;gBACE,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,oCAAoC,OAAO,EAAE,EAAE,CAAC;aACrE;SACF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;QACxB,OAAO;YACL;gBACE,KAAK,EAAE,KAAK;gBACZ,MAAM,EAAE,CAAC,EAAE,OAAO,EAAE,oBAAoB,OAAO,EAAE,EAAE,CAAC;aACrD;SACF,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,EAAE;SACb,WAAW,CAAC,OAAO,CAAC;SACpB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;SACxD,IAAI,EAAE,CAAC;IAEV,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,OAAO,GAA6B,EAAE,CAAC;IAE7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QAC1C,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,+CAA+C;IAC/C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC7C,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACrD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,GAAG,KAAK,CAAC;gBACrB,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC;oBACjB,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI;oBAC5B,OAAO,EAAE,+BAA+B,MAAM,CAAC,MAAM,CAAC,KAAK,0BAA0B,QAAQ,EAAE;oBAC/F,IAAI,EAAE,OAAO;iBACd,CAAC,CAAC;YACL,CAAC;iBAAM,CAAC;gBACN,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,SAAS,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,OAAiC;IAC9D,MAAM,GAAG,GAAG,IAAI,GAAG,EAAkB,CAAC;IACtC,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAgCD;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,UAAsB,EAAE,GAAS;IAC3D,iDAAiD;IACjD,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE;QACjD,QAAQ,EAAE,UAAU,CAAC,QAAQ;QAC7B,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,SAAS;QACjB,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,SAAS,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;IACtD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC;IAC1D,MAAM,WAAW,GAAG,QAAQ,CAAC,QAAQ,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,QAAQ,CAAC,UAAU,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC;IAC7D,MAAM,cAAc,GAAG,WAAW,GAAG,EAAE,GAAG,aAAa,CAAC;IAExD,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACjE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,UAAU,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC3D,MAAM,YAAY,GAAG,MAAM,GAAG,EAAE,GAAG,MAAM,CAAC;IAC1C,MAAM,UAAU,GAAG,IAAI,GAAG,EAAE,GAAG,IAAI,CAAC;IAEpC,IAAI,YAAY,IAAI,UAAU,EAAE,CAAC;QAC/B,oCAAoC;QACpC,OAAO,cAAc,IAAI,YAAY,IAAI,cAAc,GAAG,UAAU,CAAC;IACvE,CAAC;IACD,+CAA+C;IAC/C,OAAO,cAAc,IAAI,YAAY,IAAI,cAAc,GAAG,UAAU,CAAC;AACvE,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,cAAc,CAAC,MAAc,EAAE,OAAsB;IACnE,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IAE5C,uCAAuC;IACvC,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAEhF,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,OAAO;YACL,OAAO,EAAE,KAAK;YACd,MAAM,EAAE,+BAA+B,OAAO,CAAC,OAAO,cAAc,MAAM,CAAC,KAAK,2CAA2C;YAC3H,SAAS,EAAE,kBAAkB;SAC9B,CAAC;IACJ,CAAC;IAED,mEAAmE;IACnE,MAAM,OAAO,GACX,EAAE,CAAC;IAEL,KAAK,MAAM,IAAI,IAAI,aAAa,EAAE,CAAC;QACjC,2BAA2B;QAC3B,IAAI,IAAI,CAAC,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAoB,CAAC,EAAE,CAAC;YACjE,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI;gBACJ,MAAM,EAAE,UAAU,MAAM,6BAA6B,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;gBAC9E,SAAS,EAAE,QAAQ;aACpB,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;YACvF,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,MAAM,EAAE,SAAS,OAAO,CAAC,IAAI,yCAAyC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;oBAC7F,SAAS,EAAE,MAAM;iBAClB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;QACH,CAAC;QAED,oBAAoB;QACpB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACpB,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,EAAE,CAAC;gBAC9C,OAAO,CAAC,IAAI,CAAC;oBACX,IAAI;oBACJ,MAAM,EAAE,wCAAwC,IAAI,CAAC,UAAU,CAAC,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,IAAI,IAAI,CAAC,UAAU,CAAC,QAAQ,GAAG;oBAC3H,SAAS,EAAE,aAAa;iBACzB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,OAAO;YACL,OAAO,EAAE,IAAI;YACb,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,6DAA6D;IAC7D,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IAC1B,OAAO;QACL,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,MAAM,CAAC,IAAI;QACxB,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,SAAS,EAAE,MAAM,CAAC,SAAS;KAC5B,CAAC;AACJ,CAAC"}

package/dist/user/index.d.ts

@@ -0,0 +1,3 @@
+export type { Permission, User, UserRole, UserWithToken } from './user.js';
+export { getPermissions, hasPermission, UserRegistry, VALID_ROLES } from './user.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/user/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/user/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,aAAa,EAAE,MAAM,WAAW,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC"}

package/dist/user/index.js

@@ -0,0 +1,2 @@
+export { getPermissions, hasPermission, UserRegistry, VALID_ROLES } from './user.js';
+//# sourceMappingURL=index.js.map

package/dist/user/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/user/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC"}

package/dist/user/user.d.ts

@@ -0,0 +1,102 @@
+import type Database from 'better-sqlite3-multiple-ciphers';
+/**
+ * Aegis user roles — three tiers of access control:
+ * - **admin**: Full access — manage credentials, agents, policies, users, webhooks, vaults
+ * - **operator**: Operational access — start/stop Gate, view Ledger, manage agents
+ * - **viewer**: Read-only — view Ledger, stats, and credential metadata (no secrets)
+ */
+export type UserRole = 'admin' | 'operator' | 'viewer';
+export declare const VALID_ROLES: readonly UserRole[];
+/**
+ * Permission categories that map to CLI commands/actions.
+ * Each role grants a different set of permissions.
+ */
+export type Permission = 'vault:read' | 'vault:write' | 'vault:manage' | 'agent:read' | 'agent:write' | 'ledger:read' | 'ledger:export' | 'gate:start' | 'policy:read' | 'policy:write' | 'webhook:read' | 'webhook:write' | 'user:read' | 'user:write' | 'dashboard:view' | 'doctor:run';
+/**
+ * Check if a role has a specific permission.
+ */
+export declare function hasPermission(role: UserRole, permission: Permission): boolean;
+/**
+ * Get all permissions for a role.
+ */
+export declare function getPermissions(role: UserRole): ReadonlySet<Permission>;
+export interface User {
+    id: string;
+    name: string;
+    role: UserRole;
+    tokenPrefix: string;
+    createdAt: string;
+    updatedAt: string;
+}
+export interface UserWithToken extends User {
+    token: string;
+}
+/**
+ * User Registry — manages user identities, authentication, and role-based access control.
+ *
+ * Users are authenticated via API keys (same pattern as agent tokens):
+ * - Token format: aegis_user_{uuid}_{hmac_prefix}
+ * - Tokens are SHA-256 hashed for fast lookup — hash-only, no recovery
+ * - Prefixed (first 17 chars: "aegis_user_" + 6) for safe logging
+ *
+ * Security: Same hash-only storage as agent tokens. If a token is lost,
+ * use regenerateToken() to issue a new one.
+ */
+export declare class UserRegistry {
+    private db;
+    private derivedKey;
+    constructor(db: Database.Database, derivedKey: Buffer);
+    /**
+     * Register a new user. Returns the user with their API key (shown once).
+     *
+     * Token format: aegis_user_{uuid}_{hmac_prefix}
+     */
+    add(params: {
+        name: string;
+        role: UserRole;
+    }): UserWithToken;
+    /**
+     * List all registered users (without tokens).
+     */
+    list(): User[];
+    /**
+     * Get a user by name (without token).
+     */
+    getByName(name: string): User | null;
+    /**
+     * Validate a user API key. Returns the user if the token is valid, null otherwise.
+     *
+     * Uses SHA-256 hash comparison for O(1) lookup.
+     */
+    validateToken(token: string): User | null;
+    /**
+     * Remove a user by name.
+     */
+    remove(name: string): boolean;
+    /**
+     * Update a user's role.
+     */
+    updateRole(params: {
+        name: string;
+        role: UserRole;
+    }): User;
+    /**
+     * Regenerate a user's token. Issues a new token, invalidates the old one.
+     *
+     * The user keeps their identity (id, name, role).
+     * Only the token changes.
+     *
+     * Returns the user with the new token (shown once), or null if not found.
+     */
+    regenerateToken(name: string): UserWithToken | null;
+    /**
+     * Check if a user has a specific permission.
+     */
+    checkPermission(name: string, permission: Permission): boolean;
+    /**
+     * Count users. Used by init to determine if initial admin setup is needed.
+     */
+    count(): number;
+    private rowToUser;
+}
+//# sourceMappingURL=user.d.ts.map

package/dist/user/user.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user.d.ts","sourceRoot":"","sources":["../../src/user/user.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,QAAQ,MAAM,iCAAiC,CAAC;AAI5D;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,CAAC;AAEvD,eAAO,MAAM,WAAW,EAAE,SAAS,QAAQ,EAA6C,CAAC;AAEzF;;;GAGG;AACH,MAAM,MAAM,UAAU,GAClB,YAAY,GACZ,aAAa,GACb,cAAc,GACd,YAAY,GACZ,aAAa,GACb,aAAa,GACb,eAAe,GACf,YAAY,GACZ,aAAa,GACb,cAAc,GACd,cAAc,GACd,eAAe,GACf,WAAW,GACX,YAAY,GACZ,gBAAgB,GAChB,YAAY,CAAC;AAwCjB;;GAEG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO,CAE7E;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,QAAQ,GAAG,WAAW,CAAC,UAAU,CAAC,CAEtE;AAID,MAAM,WAAW,IAAI;IACnB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,QAAQ,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,aAAc,SAAQ,IAAI;IACzC,KAAK,EAAE,MAAM,CAAC;CACf;AAcD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IAIrB,OAAO,CAAC,EAAE;IAHZ,OAAO,CAAC,UAAU,CAAS;gBAGjB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EAC7B,UAAU,EAAE,MAAM;IAKpB;;;;OAIG;IACH,GAAG,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,QAAQ,CAAA;KAAE,GAAG,aAAa;IAsC5D;;OAEG;IACH,IAAI,IAAI,IAAI,EAAE;IAMd;;OAEG;IACH,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IAOpC;;;;OAIG;IACH,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;IASzC;;OAEG;IACH,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO;IAK7B;;OAEG;IACH,UAAU,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,QAAQ,CAAA;KAAE,GAAG,IAAI;IAqB1D;;;;;;;OAOG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,IAAI;IA6BnD;;OAEG;IACH,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO;IAM9D;;OAEG;IACH,KAAK,IAAI,MAAM;IAOf,OAAO,CAAC,SAAS;CAUlB"}