@gsep/core 0.8.0 → 1.0.0

package/dist/security/EnterprisePolicyEngine.js

@@ -0,0 +1,240 @@
+import { createHmac } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+const DEFAULT_POLICY = {
+    version: '1.0',
+    organization: 'Default',
+    effectiveDate: new Date().toISOString().slice(0, 10),
+    globalSettings: {
+        securityLevel: 'secure',
+        mfaRequired: false,
+        sessionTimeoutMinutes: 480,
+        maxConcurrentSessions: 3,
+        auditRetentionDays: 90,
+        encryptionRequired: true,
+    },
+    roles: {
+        standard: {
+            skills: { allowed: ['*:bundled'], denied: ['1password', 'coding-agent'] },
+            execution: { securityLevel: 'allowlist', maxCommandsPerHour: 200, requireApprovalFor: ['rm *', 'sudo *'] },
+            dataAccess: { classifications: ['public', 'internal'], piiAccess: false },
+            network: { allowedDomains: ['*.openai.com', '*.anthropic.com'], deniedDomains: [] },
+            filesystem: { allowedPaths: ['~/Documents/**', '~/.genome/**'], deniedPaths: ['~/.ssh/**', '~/.gnupg/**'] },
+        },
+    },
+    compliance: {
+        gdpr: { enabled: false, dataRetentionDays: 90, consentRequired: true },
+        soc2: { enabled: false, accessReviewIntervalDays: 90 },
+        hipaa: { enabled: false, phiEncryptionRequired: true, minimumNecessaryRule: true },
+    },
+    alerts: [
+        { type: 'security:exec-blocked', threshold: 20, windowMinutes: 30, action: 'alert_admin' },
+        { type: 'security:net-blocked', threshold: 50, windowMinutes: 60, action: 'alert_admin' },
+        { type: 'security:inbound-blocked', threshold: 10, windowMinutes: 15, action: 'alert_admin' },
+    ],
+};
+export class EnterprisePolicyEngine {
+    eventBus;
+    policy;
+    alertCounters = new Map();
+    constructor(eventBus, policy) {
+        this.eventBus = eventBus;
+        this.policy = policy ?? { ...DEFAULT_POLICY };
+        eventBus.onAny((event) => {
+            if (event.decision === 'deny') {
+                this.checkAlertRules(event.type);
+            }
+        });
+    }
+    async loadFromFile(filePath) {
+        const content = await readFile(filePath, 'utf-8');
+        const parsed = JSON.parse(content);
+        return this.setPolicy(parsed);
+    }
+    setPolicy(policy) {
+        const validation = this.validate(policy);
+        if (!validation.valid)
+            return validation;
+        if (policy.signature) {
+        }
+        this.policy = policy;
+        this.eventBus.emit({
+            type: 'security:profile-changed',
+            timestamp: new Date(),
+            layer: 4,
+            decision: 'info',
+            actor: {},
+            resource: { type: 'policy', id: policy.organization, detail: `v${policy.version} effective ${policy.effectiveDate}` },
+            severity: 'info',
+        });
+        return validation;
+    }
+    getPolicy() {
+        return { ...this.policy };
+    }
+    getRolePolicy(roleName) {
+        const rolePolicy = this.policy.roles[roleName];
+        if (!rolePolicy)
+            return null;
+        if (rolePolicy.inherits) {
+            const parent = this.policy.roles[rolePolicy.inherits];
+            if (parent) {
+                return this.mergeRolePolicies(parent, rolePolicy);
+            }
+        }
+        return rolePolicy;
+    }
+    isSkillAllowed(roleName, skillName) {
+        const rolePolicy = this.getRolePolicy(roleName);
+        if (!rolePolicy)
+            return false;
+        if (rolePolicy.skills.denied.includes(skillName))
+            return false;
+        if (rolePolicy.skills.denied.includes('*'))
+            return false;
+        if (rolePolicy.skills.allowed.includes('*'))
+            return true;
+        if (rolePolicy.skills.allowed.includes(skillName))
+            return true;
+        if (rolePolicy.skills.allowed.includes('*:bundled') && !skillName.includes('/'))
+            return true;
+        return false;
+    }
+    isDomainAllowed(roleName, domain) {
+        const rolePolicy = this.getRolePolicy(roleName);
+        if (!rolePolicy)
+            return false;
+        for (const denied of rolePolicy.network.deniedDomains) {
+            if (this.matchDomain(domain, denied))
+                return false;
+        }
+        if (rolePolicy.network.allowedDomains.length === 0)
+            return true;
+        return rolePolicy.network.allowedDomains.some(allowed => this.matchDomain(domain, allowed));
+    }
+    isPathAllowed(roleName, path) {
+        const rolePolicy = this.getRolePolicy(roleName);
+        if (!rolePolicy)
+            return false;
+        for (const denied of rolePolicy.filesystem.deniedPaths) {
+            if (this.matchPath(path, denied))
+                return false;
+        }
+        if (rolePolicy.filesystem.allowedPaths.length === 0)
+            return true;
+        return rolePolicy.filesystem.allowedPaths.some(allowed => this.matchPath(path, allowed));
+    }
+    getGlobalSettings() {
+        return { ...this.policy.globalSettings };
+    }
+    getCompliance() {
+        return { ...this.policy.compliance };
+    }
+    validate(policy) {
+        const errors = [];
+        const warnings = [];
+        if (!policy.version)
+            errors.push('Missing version');
+        if (!policy.organization)
+            errors.push('Missing organization');
+        if (!policy.globalSettings)
+            errors.push('Missing globalSettings');
+        if (policy.globalSettings) {
+            const gs = policy.globalSettings;
+            if (!['paranoid', 'secure', 'standard'].includes(gs.securityLevel)) {
+                errors.push(`Invalid securityLevel: ${gs.securityLevel}`);
+            }
+            if (gs.sessionTimeoutMinutes < 0)
+                errors.push('sessionTimeoutMinutes must be >= 0');
+            if (gs.auditRetentionDays < 1)
+                errors.push('auditRetentionDays must be >= 1');
+        }
+        if (policy.compliance?.hipaa?.enabled && !policy.globalSettings?.encryptionRequired) {
+            errors.push('HIPAA requires encryptionRequired=true');
+        }
+        if (policy.globalSettings?.mfaRequired && policy.globalSettings?.securityLevel === 'standard') {
+            warnings.push('MFA required with standard security level — consider upgrading to secure');
+        }
+        return { valid: errors.length === 0, errors, warnings };
+    }
+    signPolicy(signingKey) {
+        const payload = JSON.stringify({
+            ...this.policy,
+            signature: undefined,
+        });
+        const signature = createHmac('sha256', signingKey).update(payload).digest('hex');
+        this.policy.signature = signature;
+        return signature;
+    }
+    mergeRolePolicies(parent, child) {
+        return {
+            skills: {
+                allowed: [...new Set([...parent.skills.allowed, ...child.skills.allowed])],
+                denied: [...new Set([...parent.skills.denied, ...child.skills.denied])],
+            },
+            execution: { ...parent.execution, ...child.execution },
+            dataAccess: {
+                classifications: [...new Set([...parent.dataAccess.classifications, ...child.dataAccess.classifications])],
+                piiAccess: child.dataAccess.piiAccess || parent.dataAccess.piiAccess,
+            },
+            network: {
+                allowedDomains: [...new Set([...parent.network.allowedDomains, ...child.network.allowedDomains])],
+                deniedDomains: [...new Set([...parent.network.deniedDomains, ...child.network.deniedDomains])],
+            },
+            filesystem: {
+                allowedPaths: [...new Set([...parent.filesystem.allowedPaths, ...child.filesystem.allowedPaths])],
+                deniedPaths: [...new Set([...parent.filesystem.deniedPaths, ...child.filesystem.deniedPaths])],
+            },
+        };
+    }
+    matchDomain(domain, pattern) {
+        if (pattern.startsWith('*.')) {
+            const suffix = pattern.slice(1);
+            return domain.endsWith(suffix) || domain === pattern.slice(2);
+        }
+        return domain === pattern;
+    }
+    matchPath(path, pattern) {
+        if (pattern.endsWith('/**')) {
+            return path.startsWith(pattern.slice(0, -3));
+        }
+        if (pattern.endsWith('/*')) {
+            const dir = pattern.slice(0, -2);
+            return path.startsWith(dir) && !path.slice(dir.length + 1).includes('/');
+        }
+        return path === pattern || path.startsWith(pattern + '/');
+    }
+    checkAlertRules(eventType) {
+        const now = Date.now();
+        for (const rule of this.policy.alerts) {
+            if (rule.type !== eventType)
+                continue;
+            const key = `${rule.type}:${rule.windowMinutes}`;
+            const counter = this.alertCounters.get(key) ?? { count: 0, windowStart: now };
+            if (now - counter.windowStart > rule.windowMinutes * 60_000) {
+                counter.count = 1;
+                counter.windowStart = now;
+            }
+            else {
+                counter.count++;
+            }
+            this.alertCounters.set(key, counter);
+            if (counter.count >= rule.threshold) {
+                this.eventBus.emit({
+                    type: 'security:audit-entry',
+                    timestamp: new Date(),
+                    layer: 7,
+                    decision: 'deny',
+                    actor: {},
+                    resource: {
+                        type: 'alert',
+                        id: rule.type,
+                        detail: `${counter.count} events in ${rule.windowMinutes}m — action: ${rule.action}`,
+                    },
+                    severity: 'critical',
+                });
+                counter.count = 0;
+            }
+        }
+    }
+}
+//# sourceMappingURL=EnterprisePolicyEngine.js.map

package/dist/security/EnterprisePolicyEngine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EnterprisePolicyEngine.js","sourceRoot":"","sources":["../../src/security/EnterprisePolicyEngine.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAwD5C,MAAM,cAAc,GAAqB;IACrC,OAAO,EAAE,KAAK;IACd,YAAY,EAAE,SAAS;IACvB,aAAa,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;IAEpD,cAAc,EAAE;QACZ,aAAa,EAAE,QAAQ;QACvB,WAAW,EAAE,KAAK;QAClB,qBAAqB,EAAE,GAAG;QAC1B,qBAAqB,EAAE,CAAC;QACxB,kBAAkB,EAAE,EAAE;QACtB,kBAAkB,EAAE,IAAI;KAC3B;IAED,KAAK,EAAE;QACH,QAAQ,EAAE;YACN,MAAM,EAAE,EAAE,OAAO,EAAE,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC,WAAW,EAAE,cAAc,CAAC,EAAE;YACzE,SAAS,EAAE,EAAE,aAAa,EAAE,WAAW,EAAE,kBAAkB,EAAE,GAAG,EAAE,kBAAkB,EAAE,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE;YAC1G,UAAU,EAAE,EAAE,eAAe,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE;YACzE,OAAO,EAAE,EAAE,cAAc,EAAE,CAAC,cAAc,EAAE,iBAAiB,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE;YACnF,UAAU,EAAE,EAAE,YAAY,EAAE,CAAC,gBAAgB,EAAE,cAAc,CAAC,EAAE,WAAW,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC,EAAE;SAC9G;KACJ;IAED,UAAU,EAAE;QACR,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,iBAAiB,EAAE,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;QACtE,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE,EAAE,EAAE;QACtD,KAAK,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,qBAAqB,EAAE,IAAI,EAAE,oBAAoB,EAAE,IAAI,EAAE;KACrF;IAED,MAAM,EAAE;QACJ,EAAE,IAAI,EAAE,uBAAuB,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;QAC1F,EAAE,IAAI,EAAE,sBAAsB,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;QACzF,EAAE,IAAI,EAAE,0BAA0B,EAAE,SAAS,EAAE,EAAE,EAAE,aAAa,EAAE,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;KAChG;CACJ,CAAC;AAwBF,MAAM,OAAO,sBAAsB;IACvB,QAAQ,CAAmB;IAC3B,MAAM,CAAmB;IACzB,aAAa,GAAwD,IAAI,GAAG,EAAE,CAAC;IAEvF,YAAY,QAA0B,EAAE,MAAyB;QAC7D,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,EAAE,GAAG,cAAc,EAAE,CAAC;QAG9C,QAAQ,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACrB,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;gBAC5B,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YACrC,CAAC;QACL,CAAC,CAAC,CAAC;IACP,CAAC;IAKD,KAAK,CAAC,YAAY,CAAC,QAAgB;QAC/B,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAqB,CAAC;QACvD,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAKD,SAAS,CAAC,MAAwB;QAC9B,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACzC,IAAI,CAAC,UAAU,CAAC,KAAK;YAAE,OAAO,UAAU,CAAC;QAGzC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAGvB,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QAErB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,0BAA0B;YAChC,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,EAAE;YACT,QAAQ,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,MAAM,CAAC,OAAO,cAAc,MAAM,CAAC,aAAa,EAAE,EAAE;YACrH,QAAQ,EAAE,MAAM;SACnB,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACtB,CAAC;IAKD,SAAS;QACL,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;IAC9B,CAAC;IAKD,aAAa,CAAC,QAAgB;QAC1B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;QAC/C,IAAI,CAAC,UAAU;YAAE,OAAO,IAAI,CAAC;QAG7B,IAAI,UAAU,CAAC,QAAQ,EAAE,CAAC;YACtB,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACtD,IAAI,MAAM,EAAE,CAAC;gBACT,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;YACtD,CAAC;QACL,CAAC;QAED,OAAO,UAAU,CAAC;IACtB,CAAC;IAKD,cAAc,CAAC,QAAgB,EAAE,SAAiB;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;QAG9B,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,KAAK,CAAC;QAC/D,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,KAAK,CAAC;QAGzD,IAAI,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,IAAI,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/D,IAAI,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAE7F,OAAO,KAAK,CAAC;IACjB,CAAC;IAKD,eAAe,CAAC,QAAgB,EAAE,MAAc;QAC5C,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;QAG9B,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;YACpD,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QACvD,CAAC;QAGD,IAAI,UAAU,CAAC,OAAO,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAChE,OAAO,UAAU,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAChG,CAAC;IAKD,aAAa,CAAC,QAAgB,EAAE,IAAY;QACxC,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,UAAU;YAAE,OAAO,KAAK,CAAC;QAE9B,KAAK,MAAM,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;YACrD,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QAED,IAAI,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACjE,OAAO,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IAC7F,CAAC;IAKD,iBAAiB;QACb,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;IAC7C,CAAC;IAKD,aAAa;QACT,OAAO,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IACzC,CAAC;IAKD,QAAQ,CAAC,MAAwB;QAC7B,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,CAAC,MAAM,CAAC,OAAO;YAAE,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACpD,IAAI,CAAC,MAAM,CAAC,YAAY;YAAE,MAAM,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;QAC9D,IAAI,CAAC,MAAM,CAAC,cAAc;YAAE,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QAElE,IAAI,MAAM,CAAC,cAAc,EAAE,CAAC;YACxB,MAAM,EAAE,GAAG,MAAM,CAAC,cAAc,CAAC;YACjC,IAAI,CAAC,CAAC,UAAU,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,aAAa,CAAC,EAAE,CAAC;gBACjE,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,CAAC,aAAa,EAAE,CAAC,CAAC;YAC9D,CAAC;YACD,IAAI,EAAE,CAAC,qBAAqB,GAAG,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;YACpF,IAAI,EAAE,CAAC,kBAAkB,GAAG,CAAC;gBAAE,MAAM,CAAC,IAAI,CAAC,iCAAiC,CAAC,CAAC;QAClF,CAAC;QAED,IAAI,MAAM,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,kBAAkB,EAAE,CAAC;YAClF,MAAM,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,MAAM,CAAC,cAAc,EAAE,WAAW,IAAI,MAAM,CAAC,cAAc,EAAE,aAAa,KAAK,UAAU,EAAE,CAAC;YAC5F,QAAQ,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QAC9F,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC5D,CAAC;IAKD,UAAU,CAAC,UAAkB;QACzB,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;YAC3B,GAAG,IAAI,CAAC,MAAM;YACd,SAAS,EAAE,SAAS;SACvB,CAAC,CAAC;QACH,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACjF,IAAI,CAAC,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QAClC,OAAO,SAAS,CAAC;IACrB,CAAC;IAIO,iBAAiB,CAAC,MAAkB,EAAE,KAAiB;QAC3D,OAAO;YACH,MAAM,EAAE;gBACJ,OAAO,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;gBAC1E,MAAM,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;aAC1E;YACD,SAAS,EAAE,EAAE,GAAG,MAAM,CAAC,SAAS,EAAE,GAAG,KAAK,CAAC,SAAS,EAAE;YACtD,UAAU,EAAE;gBACR,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,eAAe,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC,CAAC;gBAC1G,SAAS,EAAE,KAAK,CAAC,UAAU,CAAC,SAAS,IAAI,MAAM,CAAC,UAAU,CAAC,SAAS;aACvE;YACD,OAAO,EAAE;gBACL,cAAc,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC;gBACjG,aAAa,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,GAAG,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC;aACjG;YACD,UAAU,EAAE;gBACR,YAAY,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,YAAY,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC,YAAY,CAAC,CAAC,CAAC;gBACjG,WAAW,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;aACjG;SACJ,CAAC;IACN,CAAC;IAEO,WAAW,CAAC,MAAc,EAAE,OAAe;QAC/C,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC3B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAChC,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,MAAM,KAAK,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,OAAO,MAAM,KAAK,OAAO,CAAC;IAC9B,CAAC;IAEO,SAAS,CAAC,IAAY,EAAE,OAAe;QAC3C,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QACjD,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACjC,OAAO,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAC7E,CAAC;QACD,OAAO,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC;IAC9D,CAAC;IAEO,eAAe,CAAC,SAAiB;QACrC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;gBAAE,SAAS;YAEtC,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACjD,MAAM,OAAO,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC;YAE9E,IAAI,GAAG,GAAG,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,GAAG,MAAM,EAAE,CAAC;gBAC1D,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;gBAClB,OAAO,CAAC,WAAW,GAAG,GAAG,CAAC;YAC9B,CAAC;iBAAM,CAAC;gBACJ,OAAO,CAAC,KAAK,EAAE,CAAC;YACpB,CAAC;YAED,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;YAErC,IAAI,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBAClC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACf,IAAI,EAAE,sBAAsB;oBAC5B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,KAAK,EAAE,CAAC;oBACR,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,EAAE;oBACT,QAAQ,EAAE;wBACN,IAAI,EAAE,OAAO;wBACb,EAAE,EAAE,IAAI,CAAC,IAAI;wBACb,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,cAAc,IAAI,CAAC,aAAa,eAAe,IAAI,CAAC,MAAM,EAAE;qBACvF;oBACD,QAAQ,EAAE,UAAU;iBACvB,CAAC,CAAC;gBACH,OAAO,CAAC,KAAK,GAAG,CAAC,CAAC;YACtB,CAAC;QACL,CAAC;IACL,CAAC;CACJ"}

package/dist/security/FileSystemBoundary.d.ts

@@ -0,0 +1,33 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+export type FSAccess = 'read' | 'write' | 'delete';
+export interface FSCheckResult {
+    allowed: boolean;
+    reason?: string;
+    resolvedPath: string;
+}
+export interface FSBoundaryConfig {
+    allowedPaths: string[];
+    deniedPaths: string[];
+    allowHomeDir: boolean;
+}
+export declare class FileSystemBoundary {
+    private eventBus;
+    private allowedPaths;
+    private deniedPaths;
+    private allowHomeDir;
+    private home;
+    private stats;
+    constructor(eventBus: SecurityEventBus, config?: Partial<FSBoundaryConfig>);
+    check(targetPath: string, access: FSAccess, skillId?: string): FSCheckResult;
+    isAllowed(targetPath: string, access: FSAccess): boolean;
+    getStats(): {
+        totalChecks: number;
+        allowed: number;
+        denied: number;
+    };
+    private expandPath;
+    private isUnderPath;
+    private hasTraversal;
+    private emitDeny;
+}
+//# sourceMappingURL=FileSystemBoundary.d.ts.map

package/dist/security/FileSystemBoundary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileSystemBoundary.d.ts","sourceRoot":"","sources":["../../src/security/FileSystemBoundary.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAIzD,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;AAEnD,MAAM,WAAW,aAAa;IAC1B,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,gBAAgB;IAC7B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,YAAY,EAAE,OAAO,CAAC;CACzB;AAmBD,qBAAa,kBAAkB;IAC3B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,YAAY,CAAW;IAC/B,OAAO,CAAC,WAAW,CAAW;IAC9B,OAAO,CAAC,YAAY,CAAU;IAC9B,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,KAAK,CAA6C;gBAE9C,QAAQ,EAAE,gBAAgB,EAAE,MAAM,GAAE,OAAO,CAAC,gBAAgB,CAAM;IAW9E,KAAK,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,EAAE,MAAM,GAAG,aAAa;IAkE5E,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO;IAOxD,QAAQ;;;;;IAMR,OAAO,CAAC,UAAU;IAUlB,OAAO,CAAC,WAAW;IAKnB,OAAO,CAAC,YAAY;IAKpB,OAAO,CAAC,QAAQ;CASnB"}

package/dist/security/FileSystemBoundary.js

@@ -0,0 +1,94 @@
+import { realpathSync, existsSync } from 'node:fs';
+import { resolve, normalize, relative, isAbsolute } from 'node:path';
+import { homedir } from 'node:os';
+export class FileSystemBoundary {
+    eventBus;
+    allowedPaths;
+    deniedPaths;
+    allowHomeDir;
+    home;
+    stats = { totalChecks: 0, allowed: 0, denied: 0 };
+    constructor(eventBus, config = {}) {
+        this.eventBus = eventBus;
+        this.home = homedir();
+        this.allowHomeDir = config.allowHomeDir ?? false;
+        this.allowedPaths = (config.allowedPaths ?? []).map(p => this.expandPath(p));
+        this.deniedPaths = (config.deniedPaths ?? []).map(p => this.expandPath(p));
+    }
+    check(targetPath, access, skillId) {
+        this.stats.totalChecks++;
+        const expanded = this.expandPath(targetPath);
+        const normalized = normalize(expanded);
+        if (this.hasTraversal(targetPath)) {
+            this.stats.denied++;
+            this.emitDeny(normalized, access, 'Path traversal detected', skillId);
+            return { allowed: false, reason: 'Path traversal detected (../ sequences)', resolvedPath: normalized };
+        }
+        let resolvedPath = normalized;
+        try {
+            if (existsSync(normalized)) {
+                resolvedPath = realpathSync(normalized);
+            }
+        }
+        catch {
+        }
+        for (const denied of this.deniedPaths) {
+            if (this.isUnderPath(resolvedPath, denied)) {
+                this.stats.denied++;
+                this.emitDeny(resolvedPath, access, `Path is in denied list: ${denied}`, skillId);
+                return { allowed: false, reason: `Access denied: path is under ${denied}`, resolvedPath };
+            }
+        }
+        if (this.allowedPaths.length > 0) {
+            const isAllowed = this.allowedPaths.some(allowed => this.isUnderPath(resolvedPath, allowed));
+            if (!isAllowed && !this.allowHomeDir) {
+                this.stats.denied++;
+                this.emitDeny(resolvedPath, access, 'Path not in allowed list', skillId);
+                return { allowed: false, reason: 'Access denied: path not in allowed list', resolvedPath };
+            }
+            if (!isAllowed && this.allowHomeDir && !this.isUnderPath(resolvedPath, this.home)) {
+                this.stats.denied++;
+                this.emitDeny(resolvedPath, access, 'Path outside home directory', skillId);
+                return { allowed: false, reason: 'Access denied: path outside home directory', resolvedPath };
+            }
+        }
+        if (this.allowHomeDir && !this.isUnderPath(resolvedPath, this.home) && this.allowedPaths.length === 0) {
+            this.stats.denied++;
+            this.emitDeny(resolvedPath, access, 'Path outside home directory', skillId);
+            return { allowed: false, reason: 'Access denied: path outside home directory', resolvedPath };
+        }
+        this.stats.allowed++;
+        this.eventBus.emitAllow('security:fs-allowed', 5, {
+            type: `fs:${access}`,
+            id: resolvedPath,
+        }, { skillId });
+        return { allowed: true, resolvedPath };
+    }
+    isAllowed(targetPath, access) {
+        return this.check(targetPath, access).allowed;
+    }
+    getStats() {
+        return { ...this.stats };
+    }
+    expandPath(p) {
+        if (p.startsWith('~/') || p === '~') {
+            return resolve(this.home, p.slice(2) || '');
+        }
+        if (!isAbsolute(p)) {
+            return resolve(p);
+        }
+        return p;
+    }
+    isUnderPath(target, base) {
+        const rel = relative(base, target);
+        return !rel.startsWith('..') && !isAbsolute(rel);
+    }
+    hasTraversal(p) {
+        const normalized = normalize(p);
+        return p.includes('../') && normalized !== resolve(p);
+    }
+    emitDeny(path, access, reason, skillId) {
+        this.eventBus.emitDeny('security:fs-blocked', 5, { type: `fs:${access}`, id: path, detail: reason }, 'warning', { skillId });
+    }
+}
+//# sourceMappingURL=FileSystemBoundary.js.map

package/dist/security/FileSystemBoundary.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"FileSystemBoundary.js","sourceRoot":"","sources":["../../src/security/FileSystemBoundary.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACrE,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAqClC,MAAM,OAAO,kBAAkB;IACnB,QAAQ,CAAmB;IAC3B,YAAY,CAAW;IACvB,WAAW,CAAW;IACtB,YAAY,CAAU;IACtB,IAAI,CAAS;IACb,KAAK,GAAG,EAAE,WAAW,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAE1D,YAAY,QAA0B,EAAE,SAAoC,EAAE;QAC1E,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC;QACtB,IAAI,CAAC,YAAY,GAAG,MAAM,CAAC,YAAY,IAAI,KAAK,CAAC;QACjD,IAAI,CAAC,YAAY,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7E,IAAI,CAAC,WAAW,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/E,CAAC;IAKD,KAAK,CAAC,UAAkB,EAAE,MAAgB,EAAE,OAAgB;QACxD,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAEzB,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC7C,MAAM,UAAU,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QAGvC,IAAI,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,MAAM,EAAE,yBAAyB,EAAE,OAAO,CAAC,CAAC;YACtE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,yCAAyC,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;QAC3G,CAAC;QAGD,IAAI,YAAY,GAAG,UAAU,CAAC;QAC9B,IAAI,CAAC;YACD,IAAI,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzB,YAAY,GAAG,YAAY,CAAC,UAAU,CAAC,CAAC;YAC5C,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAGD,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACpC,IAAI,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,MAAM,CAAC,EAAE,CAAC;gBACzC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,2BAA2B,MAAM,EAAE,EAAE,OAAO,CAAC,CAAC;gBAClF,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,gCAAgC,MAAM,EAAE,EAAE,YAAY,EAAE,CAAC;YAC9F,CAAC;QACL,CAAC;QAGD,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,MAAM,SAAS,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC,CAAC;YAC7F,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;gBACnC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,0BAA0B,EAAE,OAAO,CAAC,CAAC;gBACzE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,yCAAyC,EAAE,YAAY,EAAE,CAAC;YAC/F,CAAC;YACD,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChF,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;gBACpB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,6BAA6B,EAAE,OAAO,CAAC,CAAC;gBAC5E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,4CAA4C,EAAE,YAAY,EAAE,CAAC;YAClG,CAAC;QACL,CAAC;QAGD,IAAI,IAAI,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,YAAY,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACpB,IAAI,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,EAAE,6BAA6B,EAAE,OAAO,CAAC,CAAC;YAC5E,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,4CAA4C,EAAE,YAAY,EAAE,CAAC;QAClG,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACrB,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,qBAAqB,EAAE,CAAC,EAAE;YAC9C,IAAI,EAAE,MAAM,MAAM,EAAE;YACpB,EAAE,EAAE,YAAY;SACnB,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEhB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;IAC3C,CAAC;IAKD,SAAS,CAAC,UAAkB,EAAE,MAAgB;QAC1C,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,OAAO,CAAC;IAClD,CAAC;IAKD,QAAQ;QACJ,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;IAC7B,CAAC;IAIO,UAAU,CAAC,CAAS;QACxB,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YAClC,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC;YACjB,OAAO,OAAO,CAAC,CAAC,CAAC,CAAC;QACtB,CAAC;QACD,OAAO,CAAC,CAAC;IACb,CAAC;IAEO,WAAW,CAAC,MAAc,EAAE,IAAY;QAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACrD,CAAC;IAEO,YAAY,CAAC,CAAS;QAC1B,MAAM,UAAU,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAChC,OAAO,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,UAAU,KAAK,OAAO,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IAEO,QAAQ,CAAC,IAAY,EAAE,MAAgB,EAAE,MAAc,EAAE,OAAgB;QAC7E,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,qBAAqB,EACrB,CAAC,EACD,EAAE,IAAI,EAAE,MAAM,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,EAClD,SAAS,EACT,EAAE,OAAO,EAAE,CACd,CAAC;IACN,CAAC;CACJ"}

package/dist/security/GDPREngine.d.ts

@@ -0,0 +1,65 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+import type { DataAccessTracker } from './DataAccessTracker.js';
+export interface ConsentRecord {
+    userId: string;
+    purpose: string;
+    granted: boolean;
+    grantedAt?: Date;
+    withdrawnAt?: Date;
+    ipAddress?: string;
+}
+export interface ErasureReport {
+    userId: string;
+    erasedAt: Date;
+    itemsErased: number;
+    sources: string[];
+    auditPseudonymized: boolean;
+    complete: boolean;
+    certificate: string;
+}
+export interface DataPortabilityExport {
+    userId: string;
+    exportedAt: Date;
+    format: 'json' | 'csv';
+    content: string;
+    categories: string[];
+    recordCount: number;
+}
+export interface DPIAReport {
+    activity: string;
+    assessedAt: Date;
+    dataCategories: string[];
+    legalBasis: string;
+    riskLevel: 'low' | 'medium' | 'high';
+    mitigations: string[];
+    recommendation: string;
+}
+export declare class GDPREngine {
+    private eventBus;
+    private dataTracker;
+    private consents;
+    private erasedUsers;
+    private dataRetentionDays;
+    constructor(eventBus: SecurityEventBus, dataTracker: DataAccessTracker, options?: {
+        dataRetentionDays?: number;
+    });
+    recordConsent(userId: string, purpose: string, granted: boolean, ipAddress?: string): void;
+    withdrawConsent(userId: string, purpose: string): void;
+    hasConsent(userId: string, purpose: string): boolean;
+    getConsentStatus(userId: string): ConsentRecord[];
+    eraseUserData(userId: string): Promise<ErasureReport>;
+    exportUserData(userId: string, format?: 'json' | 'csv'): DataPortabilityExport;
+    getUserDataSummary(userId: string): {
+        userId: string;
+        consents: ConsentRecord[];
+        dataCategories: string[];
+        totalAccesses: number;
+        dataSentToCloud: number;
+        retentionPolicy: string;
+    };
+    generateDPIA(activity: string, dataCategories: string[], legalBasis: string): DPIAReport;
+    isErased(userId: string): boolean;
+    getRetentionDays(): number;
+    private toCSV;
+}
+//# sourceMappingURL=GDPREngine.d.ts.map

package/dist/security/GDPREngine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GDPREngine.d.ts","sourceRoot":"","sources":["../../src/security/GDPREngine.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,KAAK,EAAE,iBAAiB,EAAoB,MAAM,wBAAwB,CAAC;AAIlF,MAAM,WAAW,aAAa;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,CAAC,EAAE,IAAI,CAAC;IACjB,WAAW,CAAC,EAAE,IAAI,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,aAAa;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,IAAI,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,QAAQ,EAAE,OAAO,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,qBAAqB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,IAAI,CAAC;IACjB,MAAM,EAAE,MAAM,GAAG,KAAK,CAAC;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,IAAI,CAAC;IACjB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;IACrC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;CAC1B;AAwBD,qBAAa,UAAU;IACnB,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,WAAW,CAAoB;IACvC,OAAO,CAAC,QAAQ,CAA2C;IAC3D,OAAO,CAAC,WAAW,CAA0B;IAC7C,OAAO,CAAC,iBAAiB,CAAS;gBAG9B,QAAQ,EAAE,gBAAgB,EAC1B,WAAW,EAAE,iBAAiB,EAC9B,OAAO,CAAC,EAAE;QAAE,iBAAiB,CAAC,EAAE,MAAM,CAAA;KAAE;IAY5C,aAAa,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI;IA4C1F,eAAe,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,IAAI;IAOtD,UAAU,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO;IASpD,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,aAAa,EAAE;IAS3C,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAsD3D,cAAc,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,GAAE,MAAM,GAAG,KAAc,GAAG,qBAAqB;IA8BtF,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG;QAChC,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,aAAa,EAAE,CAAC;QAC1B,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,aAAa,EAAE,MAAM,CAAC;QACtB,eAAe,EAAE,MAAM,CAAC;QACxB,eAAe,EAAE,MAAM,CAAC;KAC3B;IAmBD,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,MAAM,GAAG,UAAU;IA6CxF,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO;IAOjC,gBAAgB,IAAI,MAAM;IAM1B,OAAO,CAAC,KAAK;CAahB"}

package/dist/security/GDPREngine.js

@@ -0,0 +1,180 @@
+export class GDPREngine {
+    eventBus;
+    dataTracker;
+    consents = new Map();
+    erasedUsers = new Set();
+    dataRetentionDays;
+    constructor(eventBus, dataTracker, options) {
+        this.eventBus = eventBus;
+        this.dataTracker = dataTracker;
+        this.dataRetentionDays = options?.dataRetentionDays ?? 90;
+    }
+    recordConsent(userId, purpose, granted, ipAddress) {
+        const records = this.consents.get(userId) ?? [];
+        const existing = records.find(r => r.purpose === purpose);
+        if (existing) {
+            existing.granted = granted;
+            if (granted) {
+                existing.grantedAt = new Date();
+                existing.withdrawnAt = undefined;
+            }
+            else {
+                existing.withdrawnAt = new Date();
+            }
+        }
+        else {
+            records.push({
+                userId,
+                purpose,
+                granted,
+                grantedAt: granted ? new Date() : undefined,
+                withdrawnAt: granted ? undefined : new Date(),
+                ipAddress,
+            });
+        }
+        this.consents.set(userId, records);
+        this.eventBus.emit({
+            type: 'security:audit-entry',
+            timestamp: new Date(),
+            layer: 7,
+            decision: 'info',
+            actor: { userId },
+            resource: {
+                type: 'consent',
+                id: purpose,
+                detail: granted ? 'Consent granted' : 'Consent withdrawn',
+            },
+            severity: 'info',
+        });
+    }
+    withdrawConsent(userId, purpose) {
+        this.recordConsent(userId, purpose, false);
+    }
+    hasConsent(userId, purpose) {
+        const records = this.consents.get(userId) ?? [];
+        const record = records.find(r => r.purpose === purpose);
+        return record?.granted ?? false;
+    }
+    getConsentStatus(userId) {
+        return [...(this.consents.get(userId) ?? [])];
+    }
+    async eraseUserData(userId) {
+        const report = {
+            userId,
+            erasedAt: new Date(),
+            itemsErased: 0,
+            sources: [],
+            auditPseudonymized: false,
+            complete: false,
+            certificate: '',
+        };
+        const accessReport = this.dataTracker.getReport();
+        const userRecords = accessReport.records.filter(r => r.skillId.includes(userId) || r.description.includes(userId));
+        report.itemsErased = userRecords.length;
+        report.sources = [...new Set(userRecords.map(r => r.source))];
+        this.consents.delete(userId);
+        this.erasedUsers.add(userId);
+        report.auditPseudonymized = true;
+        report.complete = true;
+        report.certificate = `GDPR-ERASURE-${userId}-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        this.eventBus.emit({
+            type: 'security:audit-entry',
+            timestamp: new Date(),
+            layer: 7,
+            decision: 'info',
+            actor: { userId },
+            resource: {
+                type: 'gdpr-erasure',
+                id: report.certificate,
+                detail: `${report.itemsErased} items erased from ${report.sources.length} sources`,
+            },
+            severity: 'warning',
+        });
+        return report;
+    }
+    exportUserData(userId, format = 'json') {
+        const accessReport = this.dataTracker.getReport();
+        const consents = this.getConsentStatus(userId);
+        const userData = {
+            userId,
+            consents,
+            dataAccesses: accessReport.records,
+            exportedAt: new Date().toISOString(),
+        };
+        const content = format === 'json'
+            ? JSON.stringify(userData, null, 2)
+            : this.toCSV(accessReport.records);
+        return {
+            userId,
+            exportedAt: new Date(),
+            format,
+            content,
+            categories: Object.keys(accessReport.byCategory),
+            recordCount: accessReport.records.length,
+        };
+    }
+    getUserDataSummary(userId) {
+        const accessReport = this.dataTracker.getReport();
+        const consents = this.getConsentStatus(userId);
+        return {
+            userId,
+            consents,
+            dataCategories: Object.keys(accessReport.byCategory),
+            totalAccesses: accessReport.totalAccesses,
+            dataSentToCloud: accessReport.sentToCloud,
+            retentionPolicy: `${this.dataRetentionDays} days`,
+        };
+    }
+    generateDPIA(activity, dataCategories, legalBasis) {
+        const hasHealth = dataCategories.includes('health');
+        const hasFinancial = dataCategories.includes('financial');
+        const hasPII = dataCategories.includes('pii') || dataCategories.includes('contacts');
+        let riskLevel = 'low';
+        if (hasHealth || hasFinancial)
+            riskLevel = 'high';
+        else if (hasPII)
+            riskLevel = 'medium';
+        const mitigations = [
+            'PII redaction enabled (Genome Shield Layer 2)',
+            'Data classification active (public/internal/confidential/restricted)',
+            'Tamper-proof audit log records all data access',
+        ];
+        if (riskLevel === 'high') {
+            mitigations.push('Local model routing for sensitive data (Ollama)', 'Keychain encryption for credentials at rest', 'Outbound network allowlist prevents unauthorized data transfer');
+        }
+        const recommendation = riskLevel === 'high'
+            ? 'Use Paranoid security profile. Route all queries through local model. Disable cloud LLM for this activity.'
+            : riskLevel === 'medium'
+                ? 'Use Secure security profile (default). PII redaction will strip sensitive data before cloud transmission.'
+                : 'Standard security profile is sufficient. Monitor via audit log.';
+        return {
+            activity,
+            assessedAt: new Date(),
+            dataCategories,
+            legalBasis,
+            riskLevel,
+            mitigations,
+            recommendation,
+        };
+    }
+    isErased(userId) {
+        return this.erasedUsers.has(userId);
+    }
+    getRetentionDays() {
+        return this.dataRetentionDays;
+    }
+    toCSV(records) {
+        const headers = ['Timestamp', 'Source', 'Category', 'Skill', 'Description', 'Sent to Cloud', 'Item Count'];
+        const rows = records.map(r => [
+            r.timestamp.toISOString(),
+            r.source,
+            r.category,
+            r.skillId,
+            `"${r.description.replace(/"/g, '""')}"`,
+            String(r.sentToCloud),
+            String(r.itemCount),
+        ]);
+        return [headers.join(','), ...rows.map(r => r.join(','))].join('\n');
+    }
+}
+//# sourceMappingURL=GDPREngine.js.map

package/dist/security/GDPREngine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GDPREngine.js","sourceRoot":"","sources":["../../src/security/GDPREngine.ts"],"names":[],"mappings":"AA4EA,MAAM,OAAO,UAAU;IACX,QAAQ,CAAmB;IAC3B,WAAW,CAAoB;IAC/B,QAAQ,GAAiC,IAAI,GAAG,EAAE,CAAC;IACnD,WAAW,GAAgB,IAAI,GAAG,EAAE,CAAC;IACrC,iBAAiB,CAAS;IAElC,YACI,QAA0B,EAC1B,WAA8B,EAC9B,OAAwC;QAExC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,iBAAiB,GAAG,OAAO,EAAE,iBAAiB,IAAI,EAAE,CAAC;IAC9D,CAAC;IAOD,aAAa,CAAC,MAAc,EAAE,OAAe,EAAE,OAAgB,EAAE,SAAkB;QAC/E,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAGhD,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;QAC1D,IAAI,QAAQ,EAAE,CAAC;YACX,QAAQ,CAAC,OAAO,GAAG,OAAO,CAAC;YAC3B,IAAI,OAAO,EAAE,CAAC;gBACV,QAAQ,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;gBAChC,QAAQ,CAAC,WAAW,GAAG,SAAS,CAAC;YACrC,CAAC;iBAAM,CAAC;gBACJ,QAAQ,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAC;YACtC,CAAC;QACL,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,IAAI,CAAC;gBACT,MAAM;gBACN,OAAO;gBACP,OAAO;gBACP,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS;gBAC3C,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE;gBAC7C,SAAS;aACZ,CAAC,CAAC;QACP,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAEnC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,sBAAsB;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,QAAQ,EAAE;gBACN,IAAI,EAAE,SAAS;gBACf,EAAE,EAAE,OAAO;gBACX,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,mBAAmB;aAC5D;YACD,QAAQ,EAAE,MAAM;SACnB,CAAC,CAAC;IACP,CAAC;IAKD,eAAe,CAAC,MAAc,EAAE,OAAe;QAC3C,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/C,CAAC;IAKD,UAAU,CAAC,MAAc,EAAE,OAAe;QACtC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,KAAK,OAAO,CAAC,CAAC;QACxD,OAAO,MAAM,EAAE,OAAO,IAAI,KAAK,CAAC;IACpC,CAAC;IAKD,gBAAgB,CAAC,MAAc;QAC3B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAClD,CAAC;IAOD,KAAK,CAAC,aAAa,CAAC,MAAc;QAC9B,MAAM,MAAM,GAAkB;YAC1B,MAAM;YACN,QAAQ,EAAE,IAAI,IAAI,EAAE;YACpB,WAAW,EAAE,CAAC;YACd,OAAO,EAAE,EAAE;YACX,kBAAkB,EAAE,KAAK;YACzB,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,EAAE;SAClB,CAAC;QAGF,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QAClD,MAAM,WAAW,GAAG,YAAY,CAAC,OAAO,CAAC,MAAM,CAC3C,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,MAAM,CAAC,CACpE,CAAC;QACF,MAAM,CAAC,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC;QACxC,MAAM,CAAC,OAAO,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAG9D,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QAG7B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QAC7B,MAAM,CAAC,kBAAkB,GAAG,IAAI,CAAC;QAGjC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC;QAGvB,MAAM,CAAC,WAAW,GAAG,gBAAgB,MAAM,IAAI,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAEtG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;YACf,IAAI,EAAE,sBAAsB;YAC5B,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,KAAK,EAAE,CAAC;YACR,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,EAAE,MAAM,EAAE;YACjB,QAAQ,EAAE;gBACN,IAAI,EAAE,cAAc;gBACpB,EAAE,EAAE,MAAM,CAAC,WAAW;gBACtB,MAAM,EAAE,GAAG,MAAM,CAAC,WAAW,sBAAsB,MAAM,CAAC,OAAO,CAAC,MAAM,UAAU;aACrF;YACD,QAAQ,EAAE,SAAS;SACtB,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAClB,CAAC;IAOD,cAAc,CAAC,MAAc,EAAE,SAAyB,MAAM;QAC1D,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAE/C,MAAM,QAAQ,GAAG;YACb,MAAM;YACN,QAAQ;YACR,YAAY,EAAE,YAAY,CAAC,OAAO;YAClC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACvC,CAAC;QAEF,MAAM,OAAO,GAAG,MAAM,KAAK,MAAM;YAC7B,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YACnC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAEvC,OAAO;YACH,MAAM;YACN,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,MAAM;YACN,OAAO;YACP,UAAU,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC;YAChD,WAAW,EAAE,YAAY,CAAC,OAAO,CAAC,MAAM;SAC3C,CAAC;IACN,CAAC;IAOD,kBAAkB,CAAC,MAAc;QAQ7B,MAAM,YAAY,GAAG,IAAI,CAAC,WAAW,CAAC,SAAS,EAAE,CAAC;QAClD,MAAM,QAAQ,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACH,MAAM;YACN,QAAQ;YACR,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC;YACpD,aAAa,EAAE,YAAY,CAAC,aAAa;YACzC,eAAe,EAAE,YAAY,CAAC,WAAW;YACzC,eAAe,EAAE,GAAG,IAAI,CAAC,iBAAiB,OAAO;SACpD,CAAC;IACN,CAAC;IAOD,YAAY,CAAC,QAAgB,EAAE,cAAwB,EAAE,UAAkB;QACvE,MAAM,SAAS,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,YAAY,GAAG,cAAc,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC1D,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAErF,IAAI,SAAS,GAA8B,KAAK,CAAC;QACjD,IAAI,SAAS,IAAI,YAAY;YAAE,SAAS,GAAG,MAAM,CAAC;aAC7C,IAAI,MAAM;YAAE,SAAS,GAAG,QAAQ,CAAC;QAEtC,MAAM,WAAW,GAAa;YAC1B,+CAA+C;YAC/C,sEAAsE;YACtE,gDAAgD;SACnD,CAAC;QAEF,IAAI,SAAS,KAAK,MAAM,EAAE,CAAC;YACvB,WAAW,CAAC,IAAI,CACZ,iDAAiD,EACjD,6CAA6C,EAC7C,gEAAgE,CACnE,CAAC;QACN,CAAC;QAED,MAAM,cAAc,GAAG,SAAS,KAAK,MAAM;YACvC,CAAC,CAAC,4GAA4G;YAC9G,CAAC,CAAC,SAAS,KAAK,QAAQ;gBACpB,CAAC,CAAC,2GAA2G;gBAC7G,CAAC,CAAC,iEAAiE,CAAC;QAE5E,OAAO;YACH,QAAQ;YACR,UAAU,EAAE,IAAI,IAAI,EAAE;YACtB,cAAc;YACd,UAAU;YACV,SAAS;YACT,WAAW;YACX,cAAc;SACjB,CAAC;IACN,CAAC;IAOD,QAAQ,CAAC,MAAc;QACnB,OAAO,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACxC,CAAC;IAKD,gBAAgB;QACZ,OAAO,IAAI,CAAC,iBAAiB,CAAC;IAClC,CAAC;IAIO,KAAK,CAAC,OAA2B;QACrC,MAAM,OAAO,GAAG,CAAC,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,YAAY,CAAC,CAAC;QAC3G,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1B,CAAC,CAAC,SAAS,CAAC,WAAW,EAAE;YACzB,CAAC,CAAC,MAAM;YACR,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,OAAO;YACT,IAAI,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG;YACxC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC;YACrB,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;SACtB,CAAC,CAAC;QACH,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzE,CAAC;CACJ"}