@gsep/core 0.8.0 → 1.0.0

package/dist/security/GenomeSecurityBridge.d.ts

@@ -0,0 +1,47 @@
+import { SecurityEventBus } from './SecurityEventBus.js';
+import { PIIRedactionEngine } from './PIIRedactionEngine.js';
+import type { SecurityConfig } from './SecurityPresets.js';
+export type ChannelTrustLevel = 'system' | 'validated' | 'external' | 'untrusted';
+export interface InboundResult {
+    sanitized: string;
+    allowed: boolean;
+    blockReason?: string;
+    piiDetected: string[];
+    classification: string;
+    trustLevel: ChannelTrustLevel;
+    anomalies: string[];
+}
+export interface OutboundResult {
+    clean: boolean;
+    verdict: 'pass' | 'sanitize' | 'quarantine';
+    threats: string[];
+    sanitized?: string;
+}
+export interface SecurityStatus {
+    profile: string;
+    inboundScanned: number;
+    inboundBlocked: number;
+    outboundScanned: number;
+    outboundQuarantined: number;
+    piiRedacted: number;
+    anomaliesDetected: number;
+}
+export declare class GenomeSecurityBridge {
+    private config;
+    private eventBus;
+    private piiEngine;
+    private classifier;
+    private inboundScanned;
+    private inboundBlocked;
+    private outboundScanned;
+    private outboundQuarantined;
+    private anomaliesDetected;
+    constructor(config: SecurityConfig, eventBus: SecurityEventBus);
+    processInbound(message: string, channel: string, userId?: string): Promise<InboundResult>;
+    processOutbound(response: string, _systemPrompt?: string): Promise<OutboundResult>;
+    getTrustLevel(channel: string): ChannelTrustLevel;
+    getStatus(): SecurityStatus;
+    getPIIEngine(): PIIRedactionEngine;
+    clearSession(): void;
+}
+//# sourceMappingURL=GenomeSecurityBridge.d.ts.map

package/dist/security/GenomeSecurityBridge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GenomeSecurityBridge.d.ts","sourceRoot":"","sources":["../../src/security/GenomeSecurityBridge.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAE7D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAI3D,MAAM,MAAM,iBAAiB,GAAG,QAAQ,GAAG,WAAW,GAAG,UAAU,GAAG,WAAW,CAAC;AAElF,MAAM,WAAW,aAAa;IAE1B,SAAS,EAAE,MAAM,CAAC;IAElB,OAAO,EAAE,OAAO,CAAC;IAEjB,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,WAAW,EAAE,MAAM,EAAE,CAAC;IAEtB,cAAc,EAAE,MAAM,CAAC;IAEvB,UAAU,EAAE,iBAAiB,CAAC;IAE9B,SAAS,EAAE,MAAM,EAAE,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAE3B,KAAK,EAAE,OAAO,CAAC;IAEf,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,YAAY,CAAC;IAE5C,OAAO,EAAE,MAAM,EAAE,CAAC;IAElB,SAAS,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,cAAc;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,iBAAiB,EAAE,MAAM,CAAC;CAC7B;AA8DD,qBAAa,oBAAoB;IAC7B,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,QAAQ,CAAmB;IACnC,OAAO,CAAC,SAAS,CAAqB;IACtC,OAAO,CAAC,UAAU,CAAiB;IAGnC,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,cAAc,CAAK;IAC3B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,iBAAiB,CAAK;gBAElB,MAAM,EAAE,cAAc,EAAE,QAAQ,EAAE,gBAAgB;IAiBxD,cAAc,CAChB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,EACf,MAAM,CAAC,EAAE,MAAM,GAChB,OAAO,CAAC,aAAa,CAAC;IAoFnB,eAAe,CACjB,QAAQ,EAAE,MAAM,EAChB,aAAa,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,cAAc,CAAC;IA+C1B,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB;IAOjD,SAAS,IAAI,cAAc;IAe3B,YAAY,IAAI,kBAAkB;IAOlC,YAAY,IAAI,IAAI;CAGvB"}

package/dist/security/GenomeSecurityBridge.js

@@ -0,0 +1,157 @@
+import { PIIRedactionEngine } from './PIIRedactionEngine.js';
+import { DataClassifier } from './DataClassifier.js';
+const CHANNEL_TRUST = {
+    'system': 'system',
+    'internal': 'system',
+    'c0': 'system',
+    'imessage': 'validated',
+    'apple-notes': 'validated',
+    'apple-reminders': 'validated',
+    'obsidian': 'validated',
+    'bear-notes': 'validated',
+    'things-mac': 'validated',
+    'cli': 'validated',
+    'tui': 'validated',
+    'web-local': 'validated',
+    'telegram': 'external',
+    'discord': 'external',
+    'slack': 'external',
+    'whatsapp': 'external',
+    'signal': 'external',
+    'matrix': 'external',
+    'msteams': 'external',
+    'line': 'external',
+    'feishu': 'external',
+    'googlechat': 'external',
+    'irc': 'external',
+    'twitch': 'external',
+    'nostr': 'external',
+    'web': 'untrusted',
+    'mcp': 'untrusted',
+    'plugin': 'untrusted',
+    'api': 'untrusted',
+    'webhook': 'untrusted',
+};
+export class GenomeSecurityBridge {
+    config;
+    eventBus;
+    piiEngine;
+    classifier;
+    inboundScanned = 0;
+    inboundBlocked = 0;
+    outboundScanned = 0;
+    outboundQuarantined = 0;
+    anomaliesDetected = 0;
+    constructor(config, eventBus) {
+        this.config = config;
+        this.eventBus = eventBus;
+        this.piiEngine = new PIIRedactionEngine({
+            categories: config.piiCategories.length > 0 ? config.piiCategories : undefined,
+        });
+        this.classifier = new DataClassifier();
+    }
+    async processInbound(message, channel, userId) {
+        this.inboundScanned++;
+        const trustLevel = this.getTrustLevel(channel);
+        const anomalies = [];
+        const classification = this.classifier.classify(message);
+        let sanitized = message;
+        let piiDetected = [];
+        if (this.config.enablePIIRedaction) {
+            const redaction = this.piiEngine.redact(message);
+            sanitized = redaction.redacted;
+            piiDetected = redaction.categories;
+            if (redaction.matches.length > 0) {
+                this.eventBus.emit({
+                    type: 'security:pii-redacted',
+                    timestamp: new Date(),
+                    layer: 2,
+                    decision: 'info',
+                    actor: { userId, channel },
+                    resource: {
+                        type: 'pii',
+                        id: `${redaction.matches.length} items`,
+                        detail: piiDetected.join(', '),
+                    },
+                    severity: 'info',
+                });
+            }
+        }
+        if (trustLevel === 'untrusted' &&
+            classification.classification === 'restricted' &&
+            (this.config.firewallMode === 'full-quarantine' || this.config.firewallMode === 'full-sanitize')) {
+            this.inboundBlocked++;
+            this.eventBus.emitDeny('security:inbound-blocked', 1, { type: 'message', id: channel, detail: 'restricted data from untrusted source' }, 'critical', { userId, channel });
+            return {
+                sanitized: '',
+                allowed: false,
+                blockReason: 'Restricted data from untrusted source blocked.',
+                piiDetected,
+                classification: classification.classification,
+                trustLevel,
+                anomalies,
+            };
+        }
+        this.eventBus.emitAllow('security:inbound-scanned', 1, {
+            type: 'message',
+            id: channel,
+            detail: `trust=${trustLevel} class=${classification.classification}`,
+        }, { userId, channel });
+        return {
+            sanitized,
+            allowed: true,
+            piiDetected,
+            classification: classification.classification,
+            trustLevel,
+            anomalies,
+        };
+    }
+    async processOutbound(response, _systemPrompt) {
+        this.outboundScanned++;
+        const rehydrated = this.config.enablePIIRedaction
+            ? this.piiEngine.rehydrate(response)
+            : response;
+        const classification = this.classifier.classify(rehydrated);
+        if (classification.classification === 'restricted' &&
+            this.config.firewallMode === 'full-quarantine') {
+            this.outboundQuarantined++;
+            this.eventBus.emitDeny('security:outbound-quarantined', 1, { type: 'response', id: 'llm-output', detail: 'restricted data in output' }, 'high');
+            return {
+                clean: false,
+                verdict: 'quarantine',
+                threats: [`Output contains ${classification.classification} data: ${classification.categories.join(', ')}`],
+            };
+        }
+        this.eventBus.emitAllow('security:outbound-scanned', 1, {
+            type: 'response',
+            id: 'llm-output',
+        });
+        return {
+            clean: true,
+            verdict: 'pass',
+            threats: [],
+            sanitized: rehydrated,
+        };
+    }
+    getTrustLevel(channel) {
+        return CHANNEL_TRUST[channel.toLowerCase()] ?? 'untrusted';
+    }
+    getStatus() {
+        return {
+            profile: this.config.profile,
+            inboundScanned: this.inboundScanned,
+            inboundBlocked: this.inboundBlocked,
+            outboundScanned: this.outboundScanned,
+            outboundQuarantined: this.outboundQuarantined,
+            piiRedacted: this.piiEngine.getStats().totalRedacted,
+            anomaliesDetected: this.anomaliesDetected,
+        };
+    }
+    getPIIEngine() {
+        return this.piiEngine;
+    }
+    clearSession() {
+        this.piiEngine.clearVault();
+    }
+}
+//# sourceMappingURL=GenomeSecurityBridge.js.map

package/dist/security/GenomeSecurityBridge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"GenomeSecurityBridge.js","sourceRoot":"","sources":["../../src/security/GenomeSecurityBridge.ts"],"names":[],"mappings":"AAYA,OAAO,EAAE,kBAAkB,EAAE,MAAM,yBAAyB,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AA+CrD,MAAM,aAAa,GAAsC;IAErD,QAAQ,EAAE,QAAQ;IAClB,UAAU,EAAE,QAAQ;IACpB,IAAI,EAAE,QAAQ;IAGd,UAAU,EAAE,WAAW;IACvB,aAAa,EAAE,WAAW;IAC1B,iBAAiB,EAAE,WAAW;IAC9B,UAAU,EAAE,WAAW;IACvB,YAAY,EAAE,WAAW;IACzB,YAAY,EAAE,WAAW;IACzB,KAAK,EAAE,WAAW;IAClB,KAAK,EAAE,WAAW;IAClB,WAAW,EAAE,WAAW;IAGxB,UAAU,EAAE,UAAU;IACtB,SAAS,EAAE,UAAU;IACrB,OAAO,EAAE,UAAU;IACnB,UAAU,EAAE,UAAU;IACtB,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IACpB,SAAS,EAAE,UAAU;IACrB,MAAM,EAAE,UAAU;IAClB,QAAQ,EAAE,UAAU;IACpB,YAAY,EAAE,UAAU;IACxB,KAAK,EAAE,UAAU;IACjB,QAAQ,EAAE,UAAU;IACpB,OAAO,EAAE,UAAU;IAGnB,KAAK,EAAE,WAAW;IAClB,KAAK,EAAE,WAAW;IAClB,QAAQ,EAAE,WAAW;IACrB,KAAK,EAAE,WAAW;IAClB,SAAS,EAAE,WAAW;CACzB,CAAC;AAoBF,MAAM,OAAO,oBAAoB;IACrB,MAAM,CAAiB;IACvB,QAAQ,CAAmB;IAC3B,SAAS,CAAqB;IAC9B,UAAU,CAAiB;IAG3B,cAAc,GAAG,CAAC,CAAC;IACnB,cAAc,GAAG,CAAC,CAAC;IACnB,eAAe,GAAG,CAAC,CAAC;IACpB,mBAAmB,GAAG,CAAC,CAAC;IACxB,iBAAiB,GAAG,CAAC,CAAC;IAE9B,YAAY,MAAsB,EAAE,QAA0B;QAC1D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,IAAI,kBAAkB,CAAC;YACpC,UAAU,EAAE,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,aAAsB,CAAC,CAAC,CAAC,SAAS;SAC1F,CAAC,CAAC;QACH,IAAI,CAAC,UAAU,GAAG,IAAI,cAAc,EAAE,CAAC;IAC3C,CAAC;IAUD,KAAK,CAAC,cAAc,CAChB,OAAe,EACf,OAAe,EACf,MAAe;QAEf,IAAI,CAAC,cAAc,EAAE,CAAC;QAEtB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAC/C,MAAM,SAAS,GAAa,EAAE,CAAC;QAG/B,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAGzD,IAAI,SAAS,GAAG,OAAO,CAAC;QACxB,IAAI,WAAW,GAAa,EAAE,CAAC;QAE/B,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB,EAAE,CAAC;YACjC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACjD,SAAS,GAAG,SAAS,CAAC,QAAQ,CAAC;YAC/B,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC;YAEnC,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC;oBACf,IAAI,EAAE,uBAAuB;oBAC7B,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,KAAK,EAAE,CAAC;oBACR,QAAQ,EAAE,MAAM;oBAChB,KAAK,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE;oBAC1B,QAAQ,EAAE;wBACN,IAAI,EAAE,KAAK;wBACX,EAAE,EAAE,GAAG,SAAS,CAAC,OAAO,CAAC,MAAM,QAAQ;wBACvC,MAAM,EAAE,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC;qBACjC;oBACD,QAAQ,EAAE,MAAM;iBACnB,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAGD,IACI,UAAU,KAAK,WAAW;YAC1B,cAAc,CAAC,cAAc,KAAK,YAAY;YAC9C,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,iBAAiB,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,eAAe,CAAC,EAClG,CAAC;YACC,IAAI,CAAC,cAAc,EAAE,CAAC;YACtB,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,0BAA0B,EAC1B,CAAC,EACD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,uCAAuC,EAAE,EACjF,UAAU,EACV,EAAE,MAAM,EAAE,OAAO,EAAE,CACtB,CAAC;YAEF,OAAO;gBACH,SAAS,EAAE,EAAE;gBACb,OAAO,EAAE,KAAK;gBACd,WAAW,EAAE,gDAAgD;gBAC7D,WAAW;gBACX,cAAc,EAAE,cAAc,CAAC,cAAc;gBAC7C,UAAU;gBACV,SAAS;aACZ,CAAC;QACN,CAAC;QAGD,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,0BAA0B,EAAE,CAAC,EAAE;YACnD,IAAI,EAAE,SAAS;YACf,EAAE,EAAE,OAAO;YACX,MAAM,EAAE,SAAS,UAAU,UAAU,cAAc,CAAC,cAAc,EAAE;SACvE,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;QAExB,OAAO;YACH,SAAS;YACT,OAAO,EAAE,IAAI;YACb,WAAW;YACX,cAAc,EAAE,cAAc,CAAC,cAAc;YAC7C,UAAU;YACV,SAAS;SACZ,CAAC;IACN,CAAC;IAQD,KAAK,CAAC,eAAe,CACjB,QAAgB,EAChB,aAAsB;QAEtB,IAAI,CAAC,eAAe,EAAE,CAAC;QAGvB,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAC7C,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC;YACpC,CAAC,CAAC,QAAQ,CAAC;QAGf,MAAM,cAAc,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAG5D,IACI,cAAc,CAAC,cAAc,KAAK,YAAY;YAC9C,IAAI,CAAC,MAAM,CAAC,YAAY,KAAK,iBAAiB,EAChD,CAAC;YACC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC3B,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAClB,+BAA+B,EAC/B,CAAC,EACD,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,YAAY,EAAE,MAAM,EAAE,2BAA2B,EAAE,EAC3E,MAAM,CACT,CAAC;YAEF,OAAO;gBACH,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,YAAY;gBACrB,OAAO,EAAE,CAAC,mBAAmB,cAAc,CAAC,cAAc,UAAU,cAAc,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;aAC9G,CAAC;QACN,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,2BAA2B,EAAE,CAAC,EAAE;YACpD,IAAI,EAAE,UAAU;YAChB,EAAE,EAAE,YAAY;SACnB,CAAC,CAAC;QAEH,OAAO;YACH,KAAK,EAAE,IAAI;YACX,OAAO,EAAE,MAAM;YACf,OAAO,EAAE,EAAE;YACX,SAAS,EAAE,UAAU;SACxB,CAAC;IACN,CAAC;IAKD,aAAa,CAAC,OAAe;QACzB,OAAO,aAAa,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,IAAI,WAAW,CAAC;IAC/D,CAAC;IAKD,SAAS;QACL,OAAO;YACH,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,cAAc,EAAE,IAAI,CAAC,cAAc;YACnC,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;YAC7C,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,CAAC,aAAa;YACpD,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;SAC5C,CAAC;IACN,CAAC;IAKD,YAAY;QACR,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1B,CAAC;IAKD,YAAY;QACR,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;IAChC,CAAC;CACJ"}

package/dist/security/KeyHierarchy.d.ts

@@ -0,0 +1,23 @@
+import { KeychainAdapter } from './KeychainAdapter.js';
+export interface DerivedKeys {
+    dek: Buffer;
+    cek: Buffer;
+    alk: Buffer;
+}
+export declare class KeyHierarchy {
+    private keychain;
+    private masterKey;
+    private derivedKeys;
+    private initialized;
+    constructor(keychain: KeychainAdapter);
+    initialize(): Promise<void>;
+    getDerivedKeys(): DerivedKeys;
+    hasMasterKey(): Promise<boolean>;
+    rotateMasterKey(): Promise<{
+        oldMasterKey: Buffer;
+        newKeys: DerivedKeys;
+    }>;
+    destroy(): void;
+    private deriveKey;
+}
+//# sourceMappingURL=KeyHierarchy.d.ts.map

package/dist/security/KeyHierarchy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyHierarchy.d.ts","sourceRoot":"","sources":["../../src/security/KeyHierarchy.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAevD,MAAM,WAAW,WAAW;IAExB,GAAG,EAAE,MAAM,CAAC;IAEZ,GAAG,EAAE,MAAM,CAAC;IAEZ,GAAG,EAAE,MAAM,CAAC;CACf;AAaD,qBAAa,YAAY;IACrB,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,WAAW,CAA4B;IAC/C,OAAO,CAAC,WAAW,CAAS;gBAEhB,QAAQ,EAAE,eAAe;IAQ/B,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAyBjC,cAAc,IAAI,WAAW;IAUvB,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC;IAShC,eAAe,IAAI,OAAO,CAAC;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,WAAW,CAAA;KAAE,CAAC;IAwBhF,OAAO,IAAI,IAAI;YAgBD,SAAS;CAa1B"}

package/dist/security/KeyHierarchy.js

@@ -0,0 +1,78 @@
+import { randomBytes, hkdf } from 'node:crypto';
+import { promisify } from 'node:util';
+const hkdfAsync = promisify(hkdf);
+const MASTER_KEY_NAME = 'master-key';
+const MASTER_KEY_BYTES = 32;
+const DERIVED_KEY_BYTES = 32;
+const KEY_LABELS = {
+    dek: 'genome-shield-dek-v1',
+    cek: 'genome-shield-cek-v1',
+    alk: 'genome-shield-alk-v1',
+};
+export class KeyHierarchy {
+    keychain;
+    masterKey = null;
+    derivedKeys = null;
+    initialized = false;
+    constructor(keychain) {
+        this.keychain = keychain;
+    }
+    async initialize() {
+        if (this.initialized)
+            return;
+        this.masterKey = await this.keychain.getBuffer(MASTER_KEY_NAME);
+        if (!this.masterKey) {
+            this.masterKey = randomBytes(MASTER_KEY_BYTES);
+            await this.keychain.setBuffer(MASTER_KEY_NAME, this.masterKey);
+        }
+        this.derivedKeys = {
+            dek: await this.deriveKey(KEY_LABELS.dek),
+            cek: await this.deriveKey(KEY_LABELS.cek),
+            alk: await this.deriveKey(KEY_LABELS.alk),
+        };
+        this.initialized = true;
+    }
+    getDerivedKeys() {
+        if (!this.derivedKeys) {
+            throw new Error('[KeyHierarchy] Not initialized. Call initialize() first.');
+        }
+        return this.derivedKeys;
+    }
+    async hasMasterKey() {
+        return this.keychain.has(MASTER_KEY_NAME);
+    }
+    async rotateMasterKey() {
+        if (!this.masterKey) {
+            throw new Error('[KeyHierarchy] Cannot rotate — not initialized.');
+        }
+        const oldMasterKey = Buffer.from(this.masterKey);
+        this.masterKey = randomBytes(MASTER_KEY_BYTES);
+        await this.keychain.setBuffer(MASTER_KEY_NAME, this.masterKey);
+        this.derivedKeys = {
+            dek: await this.deriveKey(KEY_LABELS.dek),
+            cek: await this.deriveKey(KEY_LABELS.cek),
+            alk: await this.deriveKey(KEY_LABELS.alk),
+        };
+        return { oldMasterKey, newKeys: this.derivedKeys };
+    }
+    destroy() {
+        if (this.masterKey) {
+            this.masterKey.fill(0);
+            this.masterKey = null;
+        }
+        if (this.derivedKeys) {
+            this.derivedKeys.dek.fill(0);
+            this.derivedKeys.cek.fill(0);
+            this.derivedKeys.alk.fill(0);
+            this.derivedKeys = null;
+        }
+        this.initialized = false;
+    }
+    async deriveKey(label) {
+        if (!this.masterKey)
+            throw new Error('[KeyHierarchy] No master key.');
+        const derived = await hkdfAsync('sha256', this.masterKey, Buffer.alloc(0), label, DERIVED_KEY_BYTES);
+        return Buffer.from(derived);
+    }
+}
+//# sourceMappingURL=KeyHierarchy.js.map

package/dist/security/KeyHierarchy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeyHierarchy.js","sourceRoot":"","sources":["../../src/security/KeyHierarchy.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAElC,MAAM,eAAe,GAAG,YAAY,CAAC;AACrC,MAAM,gBAAgB,GAAG,EAAE,CAAC;AAC5B,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAG7B,MAAM,UAAU,GAAG;IACf,GAAG,EAAE,sBAAsB;IAC3B,GAAG,EAAE,sBAAsB;IAC3B,GAAG,EAAE,sBAAsB;CACrB,CAAC;AAsBX,MAAM,OAAO,YAAY;IACb,QAAQ,CAAkB;IAC1B,SAAS,GAAkB,IAAI,CAAC;IAChC,WAAW,GAAuB,IAAI,CAAC;IACvC,WAAW,GAAG,KAAK,CAAC;IAE5B,YAAY,QAAyB;QACjC,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC7B,CAAC;IAMD,KAAK,CAAC,UAAU;QACZ,IAAI,IAAI,CAAC,WAAW;YAAE,OAAO;QAG7B,IAAI,CAAC,SAAS,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QAEhE,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAElB,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;YAC/C,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QACnE,CAAC;QAGD,IAAI,CAAC,WAAW,GAAG;YACf,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;SAC5C,CAAC;QAEF,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;IAC5B,CAAC;IAKD,cAAc;QACV,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC;YACpB,MAAM,IAAI,KAAK,CAAC,0DAA0D,CAAC,CAAC;QAChF,CAAC;QACD,OAAO,IAAI,CAAC,WAAW,CAAC;IAC5B,CAAC;IAKD,KAAK,CAAC,YAAY;QACd,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAC9C,CAAC;IAOD,KAAK,CAAC,eAAe;QACjB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAGjD,IAAI,CAAC,SAAS,GAAG,WAAW,CAAC,gBAAgB,CAAC,CAAC;QAC/C,MAAM,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,eAAe,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC;QAG/D,IAAI,CAAC,WAAW,GAAG;YACf,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;YACzC,GAAG,EAAE,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;SAC5C,CAAC;QAEF,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,IAAI,CAAC,WAAW,EAAE,CAAC;IACvD,CAAC;IAKD,OAAO;QACH,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACjB,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YACvB,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC;QAC1B,CAAC;QACD,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACnB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAC7B,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC;IAC7B,CAAC;IAIO,KAAK,CAAC,SAAS,CAAC,KAAa;QACjC,IAAI,CAAC,IAAI,CAAC,SAAS;YAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;QAEtE,MAAM,OAAO,GAAG,MAAM,SAAS,CAC3B,QAAQ,EACR,IAAI,CAAC,SAAS,EACd,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EACf,KAAK,EACL,iBAAiB,CACpB,CAAC;QAEF,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChC,CAAC;CACJ"}

package/dist/security/KeychainAdapter.d.ts

@@ -0,0 +1,19 @@
+export declare class KeychainAdapter {
+    private servicePrefix;
+    private account;
+    constructor(options?: {
+        servicePrefix?: string;
+        account?: string;
+    });
+    get(key: string): Promise<string | null>;
+    set(key: string, value: string): Promise<void>;
+    delete(key: string): Promise<boolean>;
+    has(key: string): Promise<boolean>;
+    list(): Promise<string[]>;
+    setBuffer(key: string, value: Buffer): Promise<void>;
+    getBuffer(key: string): Promise<Buffer | null>;
+    isAvailable(): Promise<boolean>;
+    private serviceFor;
+    private escapeRegex;
+}
+//# sourceMappingURL=KeychainAdapter.d.ts.map

package/dist/security/KeychainAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeychainAdapter.d.ts","sourceRoot":"","sources":["../../src/security/KeychainAdapter.ts"],"names":[],"mappings":"AAuBA,qBAAa,eAAe;IACxB,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,OAAO,CAAS;gBAEZ,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE;IAS5D,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAmBxC,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAkB9C,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAiBrC,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IASlC,IAAI,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IA8BzB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOpD,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAS9C,WAAW,IAAI,OAAO,CAAC,OAAO,CAAC;IAWrC,OAAO,CAAC,UAAU;IAIlB,OAAO,CAAC,WAAW;CAGtB"}

package/dist/security/KeychainAdapter.js

@@ -0,0 +1,104 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+const execFileAsync = promisify(execFile);
+const SERVICE_PREFIX = 'com.genome.agent';
+const ACCOUNT = 'genome-agent';
+const SECURITY_BIN = '/usr/bin/security';
+export class KeychainAdapter {
+    servicePrefix;
+    account;
+    constructor(options) {
+        this.servicePrefix = options?.servicePrefix ?? SERVICE_PREFIX;
+        this.account = options?.account ?? ACCOUNT;
+    }
+    async get(key) {
+        const service = this.serviceFor(key);
+        try {
+            const { stdout } = await execFileAsync(SECURITY_BIN, [
+                'find-generic-password',
+                '-s', service,
+                '-a', this.account,
+                '-w',
+            ]);
+            return stdout.trim();
+        }
+        catch {
+            return null;
+        }
+    }
+    async set(key, value) {
+        const service = this.serviceFor(key);
+        await this.delete(key).catch(() => { });
+        await execFileAsync(SECURITY_BIN, [
+            'add-generic-password',
+            '-s', service,
+            '-a', this.account,
+            '-w', value,
+            '-U',
+        ]);
+    }
+    async delete(key) {
+        const service = this.serviceFor(key);
+        try {
+            await execFileAsync(SECURITY_BIN, [
+                'delete-generic-password',
+                '-s', service,
+                '-a', this.account,
+            ]);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async has(key) {
+        const value = await this.get(key);
+        return value !== null;
+    }
+    async list() {
+        try {
+            const { stdout } = await execFileAsync(SECURITY_BIN, [
+                'dump-keychain',
+            ]);
+            const keys = [];
+            const serviceRegex = new RegExp(`"svce"<blob>="(${this.escapeRegex(this.servicePrefix)}\\.[^"]+)"`, 'g');
+            let match;
+            while ((match = serviceRegex.exec(stdout)) !== null) {
+                const fullService = match[1];
+                const key = fullService.slice(this.servicePrefix.length + 1);
+                if (key && !keys.includes(key)) {
+                    keys.push(key);
+                }
+            }
+            return keys.sort();
+        }
+        catch {
+            return [];
+        }
+    }
+    async setBuffer(key, value) {
+        await this.set(key, value.toString('base64'));
+    }
+    async getBuffer(key) {
+        const value = await this.get(key);
+        if (value === null)
+            return null;
+        return Buffer.from(value, 'base64');
+    }
+    async isAvailable() {
+        try {
+            await execFileAsync(SECURITY_BIN, ['show-keychain-info']);
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    serviceFor(key) {
+        return `${this.servicePrefix}.${key}`;
+    }
+    escapeRegex(str) {
+        return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    }
+}
+//# sourceMappingURL=KeychainAdapter.js.map

package/dist/security/KeychainAdapter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"KeychainAdapter.js","sourceRoot":"","sources":["../../src/security/KeychainAdapter.ts"],"names":[],"mappings":"AAcA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C,MAAM,cAAc,GAAG,kBAAkB,CAAC;AAC1C,MAAM,OAAO,GAAG,cAAc,CAAC;AAC/B,MAAM,YAAY,GAAG,mBAAmB,CAAC;AAEzC,MAAM,OAAO,eAAe;IAChB,aAAa,CAAS;IACtB,OAAO,CAAS;IAExB,YAAY,OAAsD;QAC9D,IAAI,CAAC,aAAa,GAAG,OAAO,EAAE,aAAa,IAAI,cAAc,CAAC;QAC9D,IAAI,CAAC,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC;IAC/C,CAAC;IAMD,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC;YACD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE;gBACjD,uBAAuB;gBACvB,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,IAAI,CAAC,OAAO;gBAClB,IAAI;aACP,CAAC,CAAC;YACH,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACzB,CAAC;QAAC,MAAM,CAAC;YAEL,OAAO,IAAI,CAAC;QAChB,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,GAAG,CAAC,GAAW,EAAE,KAAa;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QAGrC,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAEvC,MAAM,aAAa,CAAC,YAAY,EAAE;YAC9B,sBAAsB;YACtB,IAAI,EAAE,OAAO;YACb,IAAI,EAAE,IAAI,CAAC,OAAO;YAClB,IAAI,EAAE,KAAK;YACX,IAAI;SACP,CAAC,CAAC;IACP,CAAC;IAKD,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC;YACD,MAAM,aAAa,CAAC,YAAY,EAAE;gBAC9B,yBAAyB;gBACzB,IAAI,EAAE,OAAO;gBACb,IAAI,EAAE,IAAI,CAAC,OAAO;aACrB,CAAC,CAAC;YACH,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,OAAO,KAAK,KAAK,IAAI,CAAC;IAC1B,CAAC;IAMD,KAAK,CAAC,IAAI;QACN,IAAI,CAAC;YACD,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE;gBACjD,eAAe;aAClB,CAAC,CAAC;YAEH,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,MAAM,YAAY,GAAG,IAAI,MAAM,CAC3B,kBAAkB,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,aAAa,CAAC,YAAY,EAClE,GAAG,CACN,CAAC;YAEF,IAAI,KAAK,CAAC;YACV,OAAO,CAAC,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAClD,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAC7B,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAC7D,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC7B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACnB,CAAC;YACL,CAAC;YAED,OAAO,IAAI,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,EAAE,CAAC;QACd,CAAC;IACL,CAAC;IAKD,KAAK,CAAC,SAAS,CAAC,GAAW,EAAE,KAAa;QACtC,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;IAClD,CAAC;IAKD,KAAK,CAAC,SAAS,CAAC,GAAW;QACvB,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IACxC,CAAC;IAKD,KAAK,CAAC,WAAW;QACb,IAAI,CAAC;YACD,MAAM,aAAa,CAAC,YAAY,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC;YAC1D,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAIO,UAAU,CAAC,GAAW;QAC1B,OAAO,GAAG,IAAI,CAAC,aAAa,IAAI,GAAG,EAAE,CAAC;IAC1C,CAAC;IAEO,WAAW,CAAC,GAAW;QAC3B,OAAO,GAAG,CAAC,OAAO,CAAC,qBAAqB,EAAE,MAAM,CAAC,CAAC;IACtD,CAAC;CACJ"}

package/dist/security/LLMProxyLayer.d.ts

@@ -0,0 +1,63 @@
+import { type DataClassification } from './DataClassifier.js';
+import { SecurityEventBus } from './SecurityEventBus.js';
+export interface LLMAdapterLike {
+    chat(messages: Array<{
+        role: string;
+        content: string;
+    }>, options?: unknown): Promise<{
+        content: string;
+        usage?: {
+            inputTokens: number;
+            outputTokens: number;
+        };
+    }>;
+    model?: string;
+    name?: string;
+}
+export interface LLMProxyConfig {
+    enableRedaction: boolean;
+    piiCategories?: string[];
+    localAdapter?: LLMAdapterLike;
+    localRouteThreshold: DataClassification;
+    eventBus?: SecurityEventBus;
+}
+export interface ProxyStats {
+    totalRequests: number;
+    redactedRequests: number;
+    localRouted: number;
+    cloudRouted: number;
+    totalPIIRedacted: number;
+    byCategory: Record<string, number>;
+}
+export declare class LLMProxyLayer implements LLMAdapterLike {
+    readonly model: string;
+    readonly name: string;
+    private cloudAdapter;
+    private localAdapter?;
+    private piiEngine;
+    private classifier;
+    private eventBus?;
+    private localRouteThreshold;
+    private enableRedaction;
+    private stats;
+    constructor(cloudAdapter: LLMAdapterLike, config?: Partial<LLMProxyConfig>);
+    chat(messages: Array<{
+        role: string;
+        content: string;
+    }>, options?: unknown): Promise<{
+        content: string;
+        usage?: {
+            inputTokens: number;
+            outputTokens: number;
+        };
+    }>;
+    getStats(): ProxyStats;
+    getPIIStats(): {
+        totalScanned: number;
+        totalRedacted: number;
+        byCategory: Record<import("./PIIRedactionEngine.js").PIICategory, number>;
+    };
+    clearVault(): void;
+    private shouldRouteLocal;
+}
+//# sourceMappingURL=LLMProxyLayer.d.ts.map

package/dist/security/LLMProxyLayer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"LLMProxyLayer.d.ts","sourceRoot":"","sources":["../../src/security/LLMProxyLayer.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAkB,KAAK,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAC;AAKzD,MAAM,WAAW,cAAc;IAC3B,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,EAAE,OAAO,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC;QACjF,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,CAAC,EAAE;YAAE,WAAW,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAA;SAAE,CAAC;KACzD,CAAC,CAAC;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAE3B,eAAe,EAAE,OAAO,CAAC;IAEzB,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IAEzB,YAAY,CAAC,EAAE,cAAc,CAAC;IAE9B,mBAAmB,EAAE,kBAAkB,CAAC;IAExC,QAAQ,CAAC,EAAE,gBAAgB,CAAC;CAC/B;AAED,MAAM,WAAW,UAAU;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,gBAAgB,EAAE,MAAM,CAAC;IACzB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACtC;AAoBD,qBAAa,aAAc,YAAW,cAAc;IAChD,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IAEtB,OAAO,CAAC,YAAY,CAAiB;IACrC,OAAO,CAAC,YAAY,CAAC,CAAiB;IACtC,OAAO,CAAC,SAAS,CAAqB;IACtC,OAAO,CAAC,UAAU,CAAiB;IACnC,OAAO,CAAC,QAAQ,CAAC,CAAmB;IACpC,OAAO,CAAC,mBAAmB,CAAqB;IAChD,OAAO,CAAC,eAAe,CAAU;IAEjC,OAAO,CAAC,KAAK,CAOX;gBAEU,YAAY,EAAE,cAAc,EAAE,MAAM,GAAE,OAAO,CAAC,cAAc,CAAM;IAmBxE,IAAI,CACN,QAAQ,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,EAClD,OAAO,CAAC,EAAE,OAAO,GAClB,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE;YAAE,WAAW,EAAE,MAAM,CAAC;YAAC,YAAY,EAAE,MAAM,CAAA;SAAE,CAAA;KAAE,CAAC;IAyHtF,QAAQ,IAAI,UAAU;IAOtB,WAAW;;;;;IAOX,UAAU,IAAI,IAAI;IAMlB,OAAO,CAAC,gBAAgB;CAS3B"}