@jterrats/open-orchestra 1.0.16 → 1.0.18

package/dist/security/chat-guardrails.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"chat-guardrails.js","sourceRoot":"","sources":["../../src/security/chat-guardrails.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AACtD,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,eAAe,EACf,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,UAAU,EACV,QAAQ,EACR,wBAAwB,EACxB,aAAa,GAEd,MAAM,gCAAgC,CAAC;AAexC,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAElE,MAAM,sBAAsB,GAAG;IAC7B,eAAe;IACf,WAAW;IACX,WAAW;CAC4B,CAAC;AAE1C,MAAM,UAAU,qBAAqB,CACnC,OAAsC;IAEtC,MAAM,UAAU,GAAG,wBAAwB,CAAC,OAAO,CAAC,CAAC;IACrD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,qBAAqB,CAAC,OAAO,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAC9D,CAAC;IAED,MAAM,aAAa,GAAG,OAA+B,CAAC;IACtD,MAAM,UAAU,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAChD,MAAM,KAAK,GAAG,QAAQ,CAAC,aAAa,CAAC,CAAC;IACtC,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,qBAAqB,CAAC,aAAa,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,CAAC;QACH,MAAM,WAAW,GAAG,kBAAkB,CAAC;YACrC,QAAQ,EAAE,aAAa,CAAC,QAAQ;SACjC,CAAC,CAAC;QACH,MAAM,eAAe,GACnB,aAAa,CAAC,uBAAuB;YACrC,oBAAoB,CAAC,WAAW,CAAC,CAAC;QACpC,MAAM,cAAc,GAAG,iBAAiB,CACtC,aAAa,EACb,WAAW,EACX,eAAe,CAChB,CAAC;QACF,MAAM,eAAe,GAAG,sBAAsB,CAC5C,aAAa,CAAC,MAAM,EACpB,WAAW,CACZ,CAAC;QACF,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC/B,OAAO,qBAAqB,CAC1B,aAAa,CAAC,SAAS,EACvB,eAAe,EACf,KAAK,EACL,eAAe,EACf,cAAc,CACf,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,sBAAsB,CAAC;YAC5C,SAAS,EAAE,aAAa,CAAC,SAAS;YAClC,OAAO,EAAE,gBAAgB,CAAC,aAAa,CAAC;YACxC,MAAM,EAAE,eAAe,CAAC,aAAa,CAAC,MAAM,EAAE,aAAa,CAAC,QAAQ,CAAC;YACrE,QAAQ,EAAE,iBAAiB,CAAC,aAAa,CAAC,QAAQ,CAAC;YACnD,IAAI,EAAE,aAAa,CAAC,IAAI,CAAC,IAAI;YAC7B,kBAAkB,EAAE,qBAAqB,CAAC,cAAc,CAAC;YACzD,QAAQ,EAAE,cAAc;YACxB,eAAe;SAChB,CAAC,CAAC;QAEH,OAAO,sBAAsB,CAC3B,aAAa,EACb,KAAK,EACL,cAAc,EACd,eAAe,EACf,cAAc,CACf,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,qBAAqB,CAC1B,aAAa,CAAC,SAAS,EACvB;YACE;gBACE,MAAM,EAAE,0BAA0B;gBAClC,MAAM,EAAE,8BAA8B;aACvC;SACF,EACD,KAAK,CACN,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAC7B,MAA2B,EAC3B,QAAyB;IAEzB,IAAI,MAAM,KAAK,aAAa;QAAE,OAAO,EAAE,CAAC;IACxC,OAAO,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAClC,OAAO,CAAC,cAAc,CAAC,QAAQ;SAC5B,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,mBAAmB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SACtD,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QACjB,MAAM,EAAE,mBAAmB,OAAO,CAAC,IAAI,EAAE;QACzC,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,sCAAsC;KACpE,CAAC,CAAC,CACN,CAAC;AACJ,CAAC;AAED,SAAS,mBAAmB,CAAC,IAAwB;IACnD,OAAO,sBAAsB,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,KAAK,IAAI,CAAC,CAAC;AAC1E,CAAC;AAED,SAAS,iBAAiB,CACxB,OAA6B,EAC7B,WAA4B,EAC5B,eAAgC;IAEhC,OAAO,eAAe,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,eAAe,EAAE,KAAK,EAAE,EAAE;QACrE,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;QACtC,OAAO,kBAAkB,CAAC;YACxB,QAAQ,EAAE;gBACR;oBACE,EAAE,EAAE,eAAe,CAAC,EAAE;oBACtB,IAAI,EAAE,UAAU,EAAE,IAAI,IAAI,SAAS;oBACnC,UAAU,EAAE,UAAU,EAAE,UAAU,IAAI,SAAS;oBAC/C,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI;oBACvB,IAAI,EAAE,eAAe,CAAC,IAAI;iBAC3B;aACF;SACF,CAAC,CAAC,CAAC,CAAkB,CAAC;IACzB,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,sBAAsB,CAC7B,OAA6B,EAC7B,KAAyB,EACzB,cAA8B,EAC9B,eAAgC,EAChC,cAA+B;IAE/B,MAAM,OAAO,GAAG,oBAAoB,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAC7D,MAAM,QAAQ,GAA0B;QACtC,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO;QACP,aAAa,EAAE,cAAc,CAAC,OAAO;QACrC,cAAc,EAAE,cAAc,CAAC,cAAc;QAC7C,eAAe,EAAE,cAAc,CAAC,eAAe;QAC/C,gBAAgB,EAAE,eAAe,CAAC,gBAAgB;QAClD,gBAAgB,EAAE;YAChB,GAAG,cAAc,CAAC,gBAAgB;YAClC,GAAG,eAAe,CAAC,gBAAgB;SACpC;QACD,eAAe,EAAE,GAAG,OAAO,2BAA2B,cAAc,CAAC,OAAO,EAAE;QAC9E,KAAK;QACL,UAAU,EAAE,OAAO,KAAK,OAAO;QAC/B,cAAc;KACf,CAAC;IACF,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,QAAQ,CAAC,WAAW,GAAG;YACrB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,cAAc,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,uBAAuB;YACrE,UAAU,EAAE,OAAO,CAAC,SAAS;YAC7B,cAAc,EAAE,cAAc,CAAC,cAAc;YAC7C,eAAe,EAAE,cAAc,CAAC,eAAe;YAC/C,KAAK;SACN,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAC5B,SAA6B,EAC7B,KAA0B,EAC1B,KAAK,GAAG,UAAU,EAAE,EACpB,eAAe,GAAG,oBAAoB,EAAE,EACxC,iBAAkC,EAAE;IAEpC,OAAO;QACL,SAAS,EAAE,SAAS,IAAI,SAAS;QACjC,OAAO,EAAE,OAAO;QAChB,aAAa,EAAE,MAAM;QACrB,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe,EAAE,eAAe,CAAC,MAAM;QACvC,gBAAgB,EAAE,eAAe,CAAC,gBAAgB;QAClD,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EAAE,qCAAqC;QACtD,KAAK;QACL,UAAU,EAAE,KAAK;QACjB,cAAc;KACf,CAAC;AACJ,CAAC;AAED,SAAS,oBAAoB;IAC3B,OAAO;QACL,MAAM,EAAE,kBAA4C;QACpD,gBAAgB,EAAE,EAAE;QACpB,gBAAgB,EAAE,CAAC,uBAAuB,CAAC;KAC5C,CAAC;AACJ,CAAC"}

package/dist/security/content-classifier.d.ts

@@ -0,0 +1,2 @@
+import type { ContentClassification } from "./policy-types.js";
+export declare function classifyContent(text: string): ContentClassification;

package/dist/security/content-classifier.js

@@ -0,0 +1,179 @@
+import { hasPaymentCardLikeValue } from "./payment-card-detection.js";
+const promptInjectionPhrases = [
+    "ignore previous instructions",
+    "ignore all previous instructions",
+    "reveal the system prompt",
+    "disclose your system prompt",
+    "bypass policy",
+    "disable safety",
+    "developer message",
+];
+const indirectPromptMarkers = [
+    "```",
+    "<!--",
+    "[//]:",
+    "data:text/markdown",
+];
+const privateHostPatterns = [
+    "localhost",
+    "127.",
+    "10.",
+    "192.168.",
+    "169.254.",
+    "172.16.",
+    "172.17.",
+    "172.18.",
+    "172.19.",
+    "172.20.",
+    "172.21.",
+    "172.22.",
+    "172.23.",
+    "172.24.",
+    "172.25.",
+    "172.26.",
+    "172.27.",
+    "172.28.",
+    "172.29.",
+    "172.30.",
+    "172.31.",
+    "[::1]",
+];
+const piiRules = [
+    {
+        kind: "piiEmail",
+        ruleId: "content.pii.email",
+        severity: "high",
+        summary: "content contains an email address",
+        matches: (value) => /\b[a-z0-9._%+-]+@[a-z0-9.-]+[.][a-z]{2,}\b/i.test(value),
+    },
+    {
+        kind: "piiPhone",
+        ruleId: "content.pii.phone",
+        severity: "high",
+        summary: "content contains a phone-number-like value",
+        matches: (value) => /(?:\+?1[\s.-]?)?(?:[(]\d{3}[)]|\b\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b/.test(value),
+    },
+    {
+        kind: "piiSsn",
+        ruleId: "content.pii.ssn",
+        severity: "critical",
+        summary: "content contains an SSN-like identifier",
+        matches: (value) => /\b\d{3}-\d{2}-\d{4}\b/.test(value),
+    },
+    {
+        kind: "piiPaymentCard",
+        ruleId: "content.pii.payment-card",
+        severity: "critical",
+        summary: "content contains a payment-card-like value",
+        matches: hasPaymentCardLikeValue,
+    },
+];
+const contentRules = [
+    {
+        kind: "promptInjection",
+        ruleId: "content.prompt-injection.directive",
+        severity: "critical",
+        summary: "instruction text attempts to override policy or reveal prompts",
+        matches: (value) => includesAny(value, promptInjectionPhrases),
+    },
+    {
+        kind: "indirectPromptInjection",
+        ruleId: "content.prompt-injection.indirect-artifact",
+        severity: "critical",
+        summary: "artifact text hides instruction-like content in markup or code",
+        matches: (value) => includesAny(value, indirectPromptMarkers) &&
+            includesAny(value, promptInjectionPhrases),
+    },
+    {
+        kind: "sqlLike",
+        ruleId: "content.query.sql-like",
+        severity: "high",
+        summary: "content resembles SQL query or mutation text",
+        matches: (value) => /\b(select|insert|update|delete|drop|union)\b[\s\S]{0,80}\b(from|into|table|where|values)\b/i.test(value) || /'\s+or\s+'?1'?='?1/i.test(value),
+    },
+    {
+        kind: "noSqlLike",
+        ruleId: "content.query.nosql-like",
+        severity: "high",
+        summary: "content resembles NoSQL operator or JavaScript query text",
+        matches: (value) => /[$](ne|gt|gte|lt|lte|where|regex)\b/i.test(value) ||
+            /\bdb[.][a-z0-9_-]+[.](find|update|remove|delete)/i.test(value),
+    },
+    {
+        kind: "shellLike",
+        ruleId: "content.executable.shell-like",
+        severity: "critical",
+        summary: "content resembles shell execution or command chaining text",
+        matches: (value) => /\b(rm\s+-rf|curl\s+|wget\s+|powershell\s+|bash\s+-c|sh\s+-c)\b/i.test(value) || /(\$\(|`[^`]+`|[;&|]{2})/.test(value),
+    },
+    {
+        kind: "unsafeUrl",
+        ruleId: "content.url.unsafe-or-private",
+        severity: "critical",
+        summary: "URL is not https or targets a private host pattern",
+        matches: hasUnsafeUrl,
+    },
+    {
+        kind: "pathTraversal",
+        ruleId: "content.path.traversal-like",
+        severity: "critical",
+        summary: "content contains path traversal or sensitive absolute path text",
+        matches: (value) => /(^|[/\\])[.][.]([/\\]|$)/.test(value) ||
+            /(^|\s)(\/etc\/passwd|\/proc\/self|[a-z]:\\windows\\system32)/i.test(value),
+    },
+    {
+        kind: "secretShaped",
+        ruleId: "content.secret.shaped-value",
+        severity: "critical",
+        summary: "content contains token, bearer credential, or password-shaped text",
+        matches: (value) => /\bbearer\s+[a-z0-9._-]{12,}/i.test(value) ||
+            /\b(api[_-]?key|password|secret|token)\s*[:=]\s*[^\s"']{12,}/i.test(value),
+    },
+    ...piiRules,
+];
+export function classifyContent(text) {
+    const findings = contentRules
+        .filter((rule) => rule.matches(text))
+        .map(toFinding);
+    return {
+        classification: classificationForFindings(findings),
+        findings,
+    };
+}
+function toFinding(rule) {
+    return {
+        kind: rule.kind,
+        ruleId: rule.ruleId,
+        severity: rule.severity,
+        summary: rule.summary,
+    };
+}
+function classificationForFindings(findings) {
+    if (findings.some((finding) => finding.kind === "secretShaped" || finding.kind.startsWith("pii"))) {
+        return "restricted";
+    }
+    if (findings.length > 0) {
+        return "unknown";
+    }
+    return "internal";
+}
+function includesAny(value, needles) {
+    const normalized = value.toLowerCase();
+    return needles.some((needle) => normalized.includes(needle));
+}
+function hasUnsafeUrl(value) {
+    const urls = value.match(/\b[a-z][a-z0-9+.-]*:\/\/[^\s)>\]"]+/gi) ?? [];
+    return urls.some((rawUrl) => {
+        let parsed;
+        try {
+            parsed = new URL(rawUrl);
+        }
+        catch {
+            return true;
+        }
+        const hostname = parsed.hostname.toLowerCase();
+        return (parsed.protocol !== "https:" ||
+            privateHostPatterns.some((pattern) => hostname.startsWith(pattern)));
+    });
+}
+//# sourceMappingURL=content-classifier.js.map

package/dist/security/content-classifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"content-classifier.js","sourceRoot":"","sources":["../../src/security/content-classifier.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,uBAAuB,EAAE,MAAM,6BAA6B,CAAC;AAUtE,MAAM,sBAAsB,GAAG;IAC7B,8BAA8B;IAC9B,kCAAkC;IAClC,0BAA0B;IAC1B,6BAA6B;IAC7B,eAAe;IACf,gBAAgB;IAChB,mBAAmB;CACX,CAAC;AAEX,MAAM,qBAAqB,GAAG;IAC5B,KAAK;IACL,MAAM;IACN,OAAO;IACP,oBAAoB;CACZ,CAAC;AAEX,MAAM,mBAAmB,GAAG;IAC1B,WAAW;IACX,MAAM;IACN,KAAK;IACL,UAAU;IACV,UAAU;IACV,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,SAAS;IACT,OAAO;CACC,CAAC;AAEX,MAAM,QAAQ,GAAG;IACf;QACE,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,mBAAmB;QAC3B,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,mCAAmC;QAC5C,OAAO,EAAE,CAAC,KAAa,EAAE,EAAE,CACzB,6CAA6C,CAAC,IAAI,CAAC,KAAK,CAAC;KAC5D;IACD;QACE,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,mBAAmB;QAC3B,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,4CAA4C;QACrD,OAAO,EAAE,CAAC,KAAa,EAAE,EAAE,CACzB,mEAAmE,CAAC,IAAI,CACtE,KAAK,CACN;KACJ;IACD;QACE,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,iBAAiB;QACzB,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,yCAAyC;QAClD,OAAO,EAAE,CAAC,KAAa,EAAE,EAAE,CAAC,uBAAuB,CAAC,IAAI,CAAC,KAAK,CAAC;KAChE;IACD;QACE,IAAI,EAAE,gBAAgB;QACtB,MAAM,EAAE,0BAA0B;QAClC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,4CAA4C;QACrD,OAAO,EAAE,uBAAuB;KACjC;CACsB,CAAC;AAE1B,MAAM,YAAY,GAAkB;IAClC;QACE,IAAI,EAAE,iBAAiB;QACvB,MAAM,EAAE,oCAAoC;QAC5C,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,sBAAsB,CAAC;KAC/D;IACD;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,4CAA4C;QACpD,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,WAAW,CAAC,KAAK,EAAE,qBAAqB,CAAC;YACzC,WAAW,CAAC,KAAK,EAAE,sBAAsB,CAAC;KAC7C;IACD;QACE,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,wBAAwB;QAChC,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,8CAA8C;QACvD,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,6FAA6F,CAAC,IAAI,CAChG,KAAK,CACN,IAAI,qBAAqB,CAAC,IAAI,CAAC,KAAK,CAAC;KACzC;IACD;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,0BAA0B;QAClC,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,2DAA2D;QACpE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,sCAAsC,CAAC,IAAI,CAAC,KAAK,CAAC;YAClD,mDAAmD,CAAC,IAAI,CAAC,KAAK,CAAC;KAClE;IACD;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,+BAA+B;QACvC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,4DAA4D;QACrE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,iEAAiE,CAAC,IAAI,CACpE,KAAK,CACN,IAAI,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC;KAC7C;IACD;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,+BAA+B;QACvC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,oDAAoD;QAC7D,OAAO,EAAE,YAAY;KACtB;IACD;QACE,IAAI,EAAE,eAAe;QACrB,MAAM,EAAE,6BAA6B;QACrC,QAAQ,EAAE,UAAU;QACpB,OAAO,EAAE,iEAAiE;QAC1E,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,0BAA0B,CAAC,IAAI,CAAC,KAAK,CAAC;YACtC,+DAA+D,CAAC,IAAI,CAClE,KAAK,CACN;KACJ;IACD;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,6BAA6B;QACrC,QAAQ,EAAE,UAAU;QACpB,OAAO,EACL,oEAAoE;QACtE,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE,CACjB,8BAA8B,CAAC,IAAI,CAAC,KAAK,CAAC;YAC1C,8DAA8D,CAAC,IAAI,CACjE,KAAK,CACN;KACJ;IACD,GAAG,QAAQ;CACZ,CAAC;AAEF,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,QAAQ,GAAG,YAAY;SAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;SACpC,GAAG,CAAC,SAAS,CAAC,CAAC;IAClB,OAAO;QACL,cAAc,EAAE,yBAAyB,CAAC,QAAQ,CAAC;QACnD,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,IAAiB;IAClC,OAAO;QACL,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;AACJ,CAAC;AAED,SAAS,yBAAyB,CAChC,QAA0B;IAE1B,IACE,QAAQ,CAAC,IAAI,CACX,CAAC,OAAO,EAAE,EAAE,CACV,OAAO,CAAC,IAAI,KAAK,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,CACpE,EACD,CAAC;QACD,OAAO,YAAY,CAAC;IACtB,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,WAAW,CAAC,KAAa,EAAE,OAA0B;IAC5D,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;IACvC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC/D,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,uCAAuC,CAAC,IAAI,EAAE,CAAC;IACxE,OAAO,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;QAC1B,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAC/C,OAAO,CACL,MAAM,CAAC,QAAQ,KAAK,QAAQ;YAC5B,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CACpE,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/security/operation-contract-types.d.ts

@@ -0,0 +1,28 @@
+import type { PolicyAction, PolicyDecision, PolicyResource, PolicySink, PolicySubject, SegmentKind } from "./policy-types.js";
+export type OperationKind = "evidence" | "provider" | "pythonWorker" | "runtime" | "tool";
+export interface OperationPayloadInput {
+    text?: string;
+    kind?: SegmentKind;
+    provenance?: string;
+}
+export interface PythonWorkerContractInput {
+    contract?: "json";
+    timeoutMs?: number;
+    maxInputBytes?: number;
+    authorizes?: boolean;
+    network?: boolean;
+    filesystem?: boolean;
+}
+export interface OperationPacketInput {
+    packetId?: string;
+    kind?: OperationKind;
+    subject?: Partial<PolicySubject>;
+    action?: PolicyAction;
+    resource?: Partial<PolicyResource>;
+    sink?: PolicySink;
+    payload?: OperationPayloadInput;
+    pythonWorker?: PythonWorkerContractInput;
+}
+export interface OperationValidationDecision extends PolicyDecision {
+    encodedPayload?: string;
+}

package/dist/security/operation-contract-types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=operation-contract-types.js.map

package/dist/security/operation-contract-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"operation-contract-types.js","sourceRoot":"","sources":["../../src/security/operation-contract-types.ts"],"names":[],"mappings":""}

package/dist/security/operation-contract.d.ts

@@ -0,0 +1,2 @@
+import type { OperationPacketInput, OperationValidationDecision } from "./operation-contract-types.js";
+export declare function validateOperationPacket(input: OperationPacketInput): OperationValidationDecision;

package/dist/security/operation-contract.js

@@ -0,0 +1,169 @@
+import { encodeForSink } from "./sink-encoding.js";
+import { evaluateSecurityPolicy } from "./policy-engine.js";
+import { intakePromptSegment } from "./prompt-intake.js";
+import { redactPromptSegments } from "./redaction.js";
+const specs = {
+    evidence: {
+        action: "evidence.write",
+        resourceType: "evidence",
+        sink: "evidence",
+        segmentKind: "evidence",
+    },
+    provider: {
+        action: "provider.message",
+        resourceType: "prompt",
+        sink: "provider",
+        segmentKind: "data",
+    },
+    pythonWorker: {
+        action: "pythonWorker.process",
+        resourceType: "pythonWorker",
+        sink: "json",
+        segmentKind: "data",
+    },
+    runtime: {
+        action: "command.execute",
+        resourceType: "command",
+        sink: "log",
+        segmentKind: "instruction",
+    },
+    tool: {
+        action: "command.execute",
+        resourceType: "command",
+        sink: "log",
+        segmentKind: "toolInput",
+    },
+};
+export function validateOperationPacket(input) {
+    const contractRules = validateContractShape(input);
+    if (contractRules.length > 0)
+        return contractDeny(input.packetId, contractRules);
+    const kind = input.kind;
+    const spec = specs[kind];
+    const packetId = input.packetId;
+    const subject = input.subject;
+    const action = input.action;
+    const resource = input.resource;
+    const sink = input.sink;
+    const semanticRules = [
+        exactRule("operation.contract.action", action, spec.action, "action"),
+        exactRule("operation.contract.resource", resource.resourceType, spec.resourceType, "resource type"),
+        exactRule("operation.contract.sink", sink, spec.sink, "sink"),
+        ...validatePythonWorkerContract(input),
+    ].filter((rule) => rule !== null);
+    if (semanticRules.length > 0)
+        return contractDeny(input.packetId, semanticRules);
+    const segment = normalizedSegment(input, spec, packetId, sink);
+    const redactionReport = redactPromptSegments([segment]);
+    const policySegment = redactedPolicySegment(input, spec, redactionReport, packetId, sink);
+    const policyDecision = evaluateSecurityPolicy({
+        requestId: packetId,
+        subject,
+        action,
+        resource,
+        sink,
+        dataClassification: policySegment.classification.classification,
+        segments: [policySegment],
+        redactionReport,
+    });
+    if (policyDecision.outcome === "deny")
+        return policyDecision;
+    return {
+        ...policyDecision,
+        encodedPayload: encodeForSink(policySegment.text, sink).value,
+    };
+}
+function validateContractShape(input) {
+    return [
+        requiredRule("operation.contract.packet-id", "packet id", input.packetId),
+        requiredRule("operation.contract.kind", "operation kind", input.kind),
+        requiredRule("operation.contract.subject", "subject", input.subject),
+        requiredRule("operation.contract.action", "action", input.action),
+        requiredRule("operation.contract.resource", "resource", input.resource),
+        requiredRule("operation.contract.resource-type", "resource type", input.resource?.resourceType),
+        requiredRule("operation.contract.sink", "sink", input.sink),
+        requiredRule("operation.contract.payload", "payload", input.payload),
+        requiredRule("operation.contract.payload-text", "payload text", input.payload?.text),
+    ].filter((rule) => rule !== null);
+}
+function validatePythonWorkerContract(input) {
+    if (input.kind !== "pythonWorker")
+        return [];
+    const worker = input.pythonWorker;
+    const rules = [
+        requiredRule("operation.python-worker.contract", "worker contract", worker),
+        exactRule("operation.python-worker.json-contract", worker?.contract, "json", "worker contract"),
+        falseRule("operation.python-worker.no-auth", "worker authorization authority", worker?.authorizes),
+        falseRule("operation.python-worker.no-network", "worker network access", worker?.network),
+        falseRule("operation.python-worker.no-filesystem", "worker filesystem access", worker?.filesystem),
+        boundedNumberRule("operation.python-worker.timeout", "worker timeout", worker?.timeoutMs, 1, 5000),
+        boundedNumberRule("operation.python-worker.input-bytes", "worker max input bytes", worker?.maxInputBytes, 1, 1_000_000),
+        jsonRule(input.payload?.text),
+    ];
+    return rules.filter((rule) => rule !== null);
+}
+function normalizedSegment(input, spec, packetId, sink) {
+    return intakePromptSegment({
+        id: `${packetId}:payload`,
+        kind: input.payload?.kind ?? spec.segmentKind,
+        provenance: input.payload?.provenance ?? `${input.kind}:packet`,
+        sink,
+        text: input.payload?.text ?? "",
+    });
+}
+function redactedPolicySegment(input, spec, redactionReport, packetId, sink) {
+    return intakePromptSegment({
+        id: `${packetId}:payload:redacted`,
+        kind: input.payload?.kind ?? spec.segmentKind,
+        provenance: input.payload?.provenance ?? `${input.kind}:packet`,
+        sink,
+        text: redactionReport.redactedSegments[0]?.text ?? "",
+    });
+}
+function requiredRule(ruleId, label, value) {
+    if (value)
+        return null;
+    return { ruleId, reason: `missing ${label}` };
+}
+function exactRule(ruleId, actual, expected, label) {
+    if (actual === expected)
+        return null;
+    return { ruleId, reason: `ambiguous ${label}` };
+}
+function falseRule(ruleId, label, value) {
+    if (value === false)
+        return null;
+    return { ruleId, reason: `${label} must be disabled` };
+}
+function boundedNumberRule(ruleId, label, value, min, max) {
+    if (typeof value === "number" &&
+        Number.isInteger(value) &&
+        value >= min &&
+        value <= max) {
+        return null;
+    }
+    return { ruleId, reason: `${label} must be between ${min} and ${max}` };
+}
+function jsonRule(text) {
+    try {
+        JSON.parse(text ?? "");
+        return null;
+    }
+    catch {
+        return {
+            ruleId: "operation.python-worker.json-payload",
+            reason: "worker payload must be valid JSON",
+        };
+    }
+}
+function contractDeny(packetId, rules) {
+    return {
+        requestId: packetId ?? "unknown",
+        outcome: "deny",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus: "unsafeUnredacted",
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "deny: operation contract failed closed",
+    };
+}
+//# sourceMappingURL=operation-contract.js.map

package/dist/security/operation-contract.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"operation-contract.js","sourceRoot":"","sources":["../../src/security/operation-contract.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,sBAAsB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,OAAO,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,gBAAgB,CAAC;AA4BtD,MAAM,KAAK,GAAG;IACZ,QAAQ,EAAE;QACR,MAAM,EAAE,gBAAgB;QACxB,YAAY,EAAE,UAAU;QACxB,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,UAAU;KACxB;IACD,QAAQ,EAAE;QACR,MAAM,EAAE,kBAAkB;QAC1B,YAAY,EAAE,QAAQ;QACtB,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,MAAM;KACpB;IACD,YAAY,EAAE;QACZ,MAAM,EAAE,sBAAsB;QAC9B,YAAY,EAAE,cAAc;QAC5B,IAAI,EAAE,MAAM;QACZ,WAAW,EAAE,MAAM;KACpB;IACD,OAAO,EAAE;QACP,MAAM,EAAE,iBAAiB;QACzB,YAAY,EAAE,SAAS;QACvB,IAAI,EAAE,KAAK;QACX,WAAW,EAAE,aAAa;KAC3B;IACD,IAAI,EAAE;QACJ,MAAM,EAAE,iBAAiB;QACzB,YAAY,EAAE,SAAS;QACvB,IAAI,EAAE,KAAK;QACX,WAAW,EAAE,WAAW;KACzB;CACkD,CAAC;AAEtD,MAAM,UAAU,uBAAuB,CACrC,KAA2B;IAE3B,MAAM,aAAa,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACnD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAqB,CAAC;IACzC,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;IACzB,MAAM,QAAQ,GAAG,KAAK,CAAC,QAAkB,CAAC;IAC1C,MAAM,OAAO,GAAG,KAAK,CAAC,OAAwB,CAAC;IAC/C,MAAM,MAAM,GAAG,KAAK,CAAC,MAAsB,CAAC;IAC5C,MAAM,QAAQ,GAAG,KAAK,CAAC,QAA0B,CAAC;IAClD,MAAM,IAAI,GAAG,KAAK,CAAC,IAAkB,CAAC;IACtC,MAAM,aAAa,GAAG;QACpB,SAAS,CAAC,2BAA2B,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC;QACrE,SAAS,CACP,6BAA6B,EAC7B,QAAQ,CAAC,YAAY,EACrB,IAAI,CAAC,YAAY,EACjB,eAAe,CAChB;QACD,SAAS,CAAC,yBAAyB,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC;QAC7D,GAAG,4BAA4B,CAAC,KAAK,CAAC;KACvC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IACxD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IAErD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC/D,MAAM,eAAe,GAAG,oBAAoB,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IACxD,MAAM,aAAa,GAAG,qBAAqB,CACzC,KAAK,EACL,IAAI,EACJ,eAAe,EACf,QAAQ,EACR,IAAI,CACL,CAAC;IACF,MAAM,cAAc,GAAG,sBAAsB,CAAC;QAC5C,SAAS,EAAE,QAAQ;QACnB,OAAO;QACP,MAAM;QACN,QAAQ;QACR,IAAI;QACJ,kBAAkB,EAAE,aAAa,CAAC,cAAc,CAAC,cAAc;QAC/D,QAAQ,EAAE,CAAC,aAAa,CAAC;QACzB,eAAe;KAChB,CAAC,CAAC;IAEH,IAAI,cAAc,CAAC,OAAO,KAAK,MAAM;QAAE,OAAO,cAAc,CAAC;IAE7D,OAAO;QACL,GAAG,cAAc;QACjB,cAAc,EAAE,aAAa,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,KAAK;KAC9D,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAA2B;IACxD,OAAO;QACL,YAAY,CAAC,8BAA8B,EAAE,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC;QACzE,YAAY,CAAC,yBAAyB,EAAE,gBAAgB,EAAE,KAAK,CAAC,IAAI,CAAC;QACrE,YAAY,CAAC,4BAA4B,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QACpE,YAAY,CAAC,2BAA2B,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC;QACjE,YAAY,CAAC,6BAA6B,EAAE,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC;QACvE,YAAY,CACV,kCAAkC,EAClC,eAAe,EACf,KAAK,CAAC,QAAQ,EAAE,YAAY,CAC7B;QACD,YAAY,CAAC,yBAAyB,EAAE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC;QAC3D,YAAY,CAAC,4BAA4B,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QACpE,YAAY,CACV,iCAAiC,EACjC,cAAc,EACd,KAAK,CAAC,OAAO,EAAE,IAAI,CACpB;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,4BAA4B,CACnC,KAA2B;IAE3B,IAAI,KAAK,CAAC,IAAI,KAAK,cAAc;QAAE,OAAO,EAAE,CAAC;IAC7C,MAAM,MAAM,GAAG,KAAK,CAAC,YAAY,CAAC;IAClC,MAAM,KAAK,GAAG;QACZ,YAAY,CAAC,kCAAkC,EAAE,iBAAiB,EAAE,MAAM,CAAC;QAC3E,SAAS,CACP,uCAAuC,EACvC,MAAM,EAAE,QAAQ,EAChB,MAAM,EACN,iBAAiB,CAClB;QACD,SAAS,CACP,iCAAiC,EACjC,gCAAgC,EAChC,MAAM,EAAE,UAAU,CACnB;QACD,SAAS,CACP,oCAAoC,EACpC,uBAAuB,EACvB,MAAM,EAAE,OAAO,CAChB;QACD,SAAS,CACP,uCAAuC,EACvC,0BAA0B,EAC1B,MAAM,EAAE,UAAU,CACnB;QACD,iBAAiB,CACf,iCAAiC,EACjC,gBAAgB,EAChB,MAAM,EAAE,SAAS,EACjB,CAAC,EACD,IAAI,CACL;QACD,iBAAiB,CACf,qCAAqC,EACrC,wBAAwB,EACxB,MAAM,EAAE,aAAa,EACrB,CAAC,EACD,SAAS,CACV;QACD,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,CAAC;KAC9B,CAAC;IACF,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAwB,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,iBAAiB,CACxB,KAA2B,EAC3B,IAAmB,EACnB,QAAgB,EAChB,IAAgB;IAEhB,OAAO,mBAAmB,CAAC;QACzB,EAAE,EAAE,GAAG,QAAQ,UAAU;QACzB,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,WAAW;QAC7C,UAAU,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,GAAG,KAAK,CAAC,IAAI,SAAS;QAC/D,IAAI;QACJ,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,EAAE;KAChC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAC5B,KAA2B,EAC3B,IAAmB,EACnB,eAAyD,EACzD,QAAgB,EAChB,IAAgB;IAEhB,OAAO,mBAAmB,CAAC;QACzB,EAAE,EAAE,GAAG,QAAQ,mBAAmB;QAClC,IAAI,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,WAAW;QAC7C,UAAU,EAAE,KAAK,CAAC,OAAO,EAAE,UAAU,IAAI,GAAG,KAAK,CAAC,IAAI,SAAS;QAC/D,IAAI;QACJ,IAAI,EAAE,eAAe,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,IAAI,IAAI,EAAE;KACtD,CAAC,CAAC;AACL,CAAC;AAED,SAAS,YAAY,CACnB,MAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,KAAK;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,WAAW,KAAK,EAAE,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,SAAS,CAChB,MAAc,EACd,MAAe,EACf,QAAiB,EACjB,KAAa;IAEb,IAAI,MAAM,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,KAAK,EAAE,EAAE,CAAC;AAClD,CAAC;AAED,SAAS,SAAS,CAChB,MAAc,EACd,KAAa,EACb,KAA0B;IAE1B,IAAI,KAAK,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACjC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,mBAAmB,EAAE,CAAC;AACzD,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAc,EACd,KAAa,EACb,KAAyB,EACzB,GAAW,EACX,GAAW;IAEX,IACE,OAAO,KAAK,KAAK,QAAQ;QACzB,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;QACvB,KAAK,IAAI,GAAG;QACZ,KAAK,IAAI,GAAG,EACZ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,oBAAoB,GAAG,QAAQ,GAAG,EAAE,EAAE,CAAC;AAC1E,CAAC;AAED,SAAS,QAAQ,CAAC,IAAwB;IACxC,IAAI,CAAC;QACH,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,MAAM,EAAE,sCAAsC;YAC9C,MAAM,EAAE,mCAAmC;SAC5C,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CACnB,QAA4B,EAC5B,KAAqB;IAErB,OAAO;QACL,SAAS,EAAE,QAAQ,IAAI,SAAS;QAChC,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe,EAAE,kBAA4C;QAC7D,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EAAE,wCAAwC;KAC1D,CAAC;AACJ,CAAC"}

package/dist/security/payment-card-detection.d.ts

@@ -0,0 +1,3 @@
+export declare function hasPaymentCardLikeValue(value: string): boolean;
+export declare function redactPaymentCardLikeValues(value: string, replacement: string): string;
+export declare function isPaymentCardLikeValue(value: string): boolean;

package/dist/security/payment-card-detection.js

@@ -0,0 +1,48 @@
+const paymentCardCandidatePattern = /\b\d(?:[ -]?\d){12,18}\b/g;
+export function hasPaymentCardLikeValue(value) {
+    return paymentCardCandidates(value).some(isPaymentCardLikeValue);
+}
+export function redactPaymentCardLikeValues(value, replacement) {
+    return value.replace(paymentCardCandidatePattern, (match, offset) => isPaymentCardLikeCandidate(value, match, offset) ? replacement : match);
+}
+export function isPaymentCardLikeValue(value) {
+    const digits = value.replace(/[ -]/g, "");
+    if (digits.length < 13 || digits.length > 19)
+        return false;
+    return luhnChecksum(digits);
+}
+function paymentCardCandidates(value) {
+    paymentCardCandidatePattern.lastIndex = 0;
+    return [...value.matchAll(paymentCardCandidatePattern)]
+        .filter((match) => isPaymentCardLikeCandidate(value, match[0], match.index ?? 0))
+        .map((match) => match[0]);
+}
+function isPaymentCardLikeCandidate(source, value, offset) {
+    if (!isPaymentCardLikeValue(value))
+        return false;
+    const before = source[offset - 1] ?? "";
+    const after = source[offset + value.length] ?? "";
+    return !isIdentifierBoundary(before) && !isIdentifierBoundary(after);
+}
+function isIdentifierBoundary(value) {
+    return /[A-Za-z0-9_-]/.test(value);
+}
+function luhnChecksum(value) {
+    let sum = 0;
+    let shouldDouble = false;
+    for (let index = value.length - 1; index >= 0; index -= 1) {
+        const digit = Number(value[index]);
+        if (!Number.isInteger(digit))
+            return false;
+        let contribution = digit;
+        if (shouldDouble) {
+            contribution = digit * 2;
+            if (contribution > 9)
+                contribution -= 9;
+        }
+        sum += contribution;
+        shouldDouble = !shouldDouble;
+    }
+    return sum > 0 && sum % 10 === 0;
+}
+//# sourceMappingURL=payment-card-detection.js.map

package/dist/security/payment-card-detection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"payment-card-detection.js","sourceRoot":"","sources":["../../src/security/payment-card-detection.ts"],"names":[],"mappings":"AAAA,MAAM,2BAA2B,GAAG,2BAA2B,CAAC;AAEhE,MAAM,UAAU,uBAAuB,CAAC,KAAa;IACnD,OAAO,qBAAqB,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,KAAa,EACb,WAAmB;IAEnB,OAAO,KAAK,CAAC,OAAO,CAAC,2BAA2B,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAClE,0BAA0B,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,KAAK,CACvE,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,KAAa;IAClD,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE,IAAI,MAAM,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3D,OAAO,YAAY,CAAC,MAAM,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAa;IAC1C,2BAA2B,CAAC,SAAS,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,GAAG,KAAK,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CAAC;SACpD,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAChB,0BAA0B,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC,CAC9D;SACA,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,0BAA0B,CACjC,MAAc,EACd,KAAa,EACb,MAAc;IAEd,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IACxC,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IAClD,OAAO,CAAC,oBAAoB,CAAC,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAa;IACzC,OAAO,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,YAAY,CAAC,KAAa;IACjC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,YAAY,GAAG,KAAK,CAAC;IACzB,KAAK,IAAI,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;QAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QAC3C,IAAI,YAAY,GAAG,KAAK,CAAC;QACzB,IAAI,YAAY,EAAE,CAAC;YACjB,YAAY,GAAG,KAAK,GAAG,CAAC,CAAC;YACzB,IAAI,YAAY,GAAG,CAAC;gBAAE,YAAY,IAAI,CAAC,CAAC;QAC1C,CAAC;QACD,GAAG,IAAI,YAAY,CAAC;QACpB,YAAY,GAAG,CAAC,YAAY,CAAC;IAC/B,CAAC;IACD,OAAO,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,EAAE,KAAK,CAAC,CAAC;AACnC,CAAC"}

package/dist/security/policy-engine.d.ts

@@ -0,0 +1,2 @@
+import type { PolicyDecision, PolicyRequestInput } from "./policy-types.js";
+export declare function evaluateSecurityPolicy(input: PolicyRequestInput): PolicyDecision;

package/dist/security/policy-engine.js

@@ -0,0 +1,142 @@
+const sensitiveSinks = ["evidence", "log", "provider"];
+export function evaluateSecurityPolicy(input) {
+    const validation = validatePolicyRequest(input);
+    if (validation.length > 0) {
+        return denyDecision(input.requestId, validation, "unsafeUnredacted");
+    }
+    const request = input;
+    const denied = deniedRules(request);
+    if (denied.length > 0) {
+        return denyDecision(request.requestId, denied, highestRedactionStatus(denied, request.redactionReport.status));
+    }
+    const quarantined = quarantineRules(request);
+    if (quarantined.length > 0) {
+        return quarantineDecision(request.requestId, quarantined, request.redactionReport.status);
+    }
+    return {
+        requestId: request.requestId,
+        outcome: "allow",
+        matchedRuleIds: ["policy.default.allow-after-rules"],
+        redactionStatus: request.redactionReport.status,
+        sanitizedReasons: ["request satisfied deterministic policy rules"],
+        evidenceSummary: "allow: deterministic security policy accepted request",
+    };
+}
+function validatePolicyRequest(input) {
+    const missing = [
+        requiredRule("policy.input.request-id", "request id", input.requestId),
+        requiredRule("policy.input.subject", "subject", input.subject),
+        requiredRule("policy.input.action", "action", input.action),
+        requiredRule("policy.input.resource", "resource", input.resource),
+        requiredRule("policy.input.sink", "sink", input.sink),
+        requiredRule("policy.input.data-classification", "data classification", input.dataClassification),
+        requiredRule("policy.input.redaction", "redaction report", input.redactionReport),
+    ].filter((rule) => rule !== null);
+    if (missing.length > 0)
+        return missing;
+    const scoped = input.subject?.tenantId ?? input.subject?.workspaceId;
+    const resourceScoped = input.resource?.tenantId ?? input.resource?.workspaceId;
+    const scopeRules = [
+        requiredRule("policy.scope.subject", "subject tenant or workspace", scoped),
+        requiredRule("policy.scope.resource", "resource tenant or workspace", resourceScoped),
+    ].filter((rule) => rule !== null);
+    if (scopeRules.length > 0)
+        return scopeRules;
+    if (input.subject?.tenantId && input.resource?.tenantId) {
+        if (input.subject.tenantId !== input.resource.tenantId) {
+            return [
+                {
+                    ruleId: "policy.scope.tenant-mismatch",
+                    reason: "subject and resource tenant scope do not match",
+                },
+            ];
+        }
+    }
+    return [];
+}
+function deniedRules(request) {
+    const rules = [];
+    if (request.redactionReport.status === "unsafeUnredacted") {
+        rules.push({
+            ruleId: "policy.redaction.fail-closed",
+            reason: "restricted content is not safely redacted",
+            redactionStatus: "unsafeUnredacted",
+        });
+    }
+    if (request.action === "url.fetch" || request.sink === "url") {
+        rules.push(...findingRules(request, "unsafeUrl", "deny"));
+    }
+    if (request.action === "file.write") {
+        rules.push(...findingRules(request, "pathTraversal", "deny"));
+    }
+    return rules;
+}
+function quarantineRules(request) {
+    const rules = request.segments.flatMap((segment) => {
+        if (segment.kind === "unknown" && isSensitiveSink(request.sink)) {
+            return [
+                {
+                    ruleId: "policy.segment.unknown-sensitive-sink",
+                    reason: `segment ${segment.id} is unknown for sensitive sink`,
+                },
+            ];
+        }
+        return segment.classification.findings
+            .filter((finding) => finding.severity === "critical" || finding.severity === "high")
+            .map((finding) => findingRule(segment.id, finding, "quarantine"));
+    });
+    if (request.dataClassification === "unknown" &&
+        isSensitiveSink(request.sink)) {
+        rules.push({
+            ruleId: "policy.data.unknown-sensitive-sink",
+            reason: "unknown data classification cannot reach sensitive sink",
+        });
+    }
+    return rules;
+}
+function findingRules(request, kind, disposition) {
+    return request.segments.flatMap((segment) => segment.classification.findings
+        .filter((finding) => finding.kind === kind)
+        .map((finding) => findingRule(segment.id, finding, disposition)));
+}
+function findingRule(segmentId, finding, disposition) {
+    return {
+        ruleId: `policy.${disposition}.${finding.kind}`,
+        reason: `segment ${segmentId} matched ${finding.summary}`,
+    };
+}
+function requiredRule(ruleId, label, value) {
+    if (value)
+        return null;
+    return {
+        ruleId,
+        reason: `missing ${label}`,
+    };
+}
+function denyDecision(requestId, rules, redactionStatus) {
+    return {
+        requestId: requestId ?? "unknown",
+        outcome: "deny",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus,
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "deny: deterministic security policy failed closed",
+    };
+}
+function quarantineDecision(requestId, rules, redactionStatus) {
+    return {
+        requestId,
+        outcome: "quarantine",
+        matchedRuleIds: rules.map((rule) => rule.ruleId),
+        redactionStatus,
+        sanitizedReasons: rules.map((rule) => rule.reason),
+        evidenceSummary: "quarantine: deterministic security policy isolated content",
+    };
+}
+function highestRedactionStatus(rules, fallback) {
+    return (rules.find((rule) => rule.redactionStatus)?.redactionStatus ?? fallback);
+}
+function isSensitiveSink(sink) {
+    return sensitiveSinks.some((sensitiveSink) => sensitiveSink === sink);
+}
+//# sourceMappingURL=policy-engine.js.map

package/dist/security/policy-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-engine.js","sourceRoot":"","sources":["../../src/security/policy-engine.ts"],"names":[],"mappings":"AAcA,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,KAAK,EAAE,UAAU,CAAU,CAAC;AAEhE,MAAM,UAAU,sBAAsB,CACpC,KAAyB;IAEzB,MAAM,UAAU,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,YAAY,CAAC,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GAAG,KAAsB,CAAC;IACvC,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACpC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,OAAO,YAAY,CACjB,OAAO,CAAC,SAAS,EACjB,MAAM,EACN,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAC/D,CAAC;IACJ,CAAC;IAED,MAAM,WAAW,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IAC7C,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3B,OAAO,kBAAkB,CACvB,OAAO,CAAC,SAAS,EACjB,WAAW,EACX,OAAO,CAAC,eAAe,CAAC,MAAM,CAC/B,CAAC;IACJ,CAAC;IAED,OAAO;QACL,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,OAAO,EAAE,OAAO;QAChB,cAAc,EAAE,CAAC,kCAAkC,CAAC;QACpD,eAAe,EAAE,OAAO,CAAC,eAAe,CAAC,MAAM;QAC/C,gBAAgB,EAAE,CAAC,8CAA8C,CAAC;QAClE,eAAe,EAAE,uDAAuD;KACzE,CAAC;AACJ,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAyB;IACtD,MAAM,OAAO,GAAG;QACd,YAAY,CAAC,yBAAyB,EAAE,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC;QACtE,YAAY,CAAC,sBAAsB,EAAE,SAAS,EAAE,KAAK,CAAC,OAAO,CAAC;QAC9D,YAAY,CAAC,qBAAqB,EAAE,QAAQ,EAAE,KAAK,CAAC,MAAM,CAAC;QAC3D,YAAY,CAAC,uBAAuB,EAAE,UAAU,EAAE,KAAK,CAAC,QAAQ,CAAC;QACjE,YAAY,CAAC,mBAAmB,EAAE,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC;QACrD,YAAY,CACV,kCAAkC,EAClC,qBAAqB,EACrB,KAAK,CAAC,kBAAkB,CACzB;QACD,YAAY,CACV,wBAAwB,EACxB,kBAAkB,EAClB,KAAK,CAAC,eAAe,CACtB;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA4B,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5D,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,OAAO,CAAC;IAEvC,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,OAAO,EAAE,WAAW,CAAC;IACrE,MAAM,cAAc,GAClB,KAAK,CAAC,QAAQ,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,WAAW,CAAC;IAC1D,MAAM,UAAU,GAAG;QACjB,YAAY,CAAC,sBAAsB,EAAE,6BAA6B,EAAE,MAAM,CAAC;QAC3E,YAAY,CACV,uBAAuB,EACvB,8BAA8B,EAC9B,cAAc,CACf;KACF,CAAC,MAAM,CAAC,CAAC,IAAI,EAA4B,EAAE,CAAC,IAAI,KAAK,IAAI,CAAC,CAAC;IAC5D,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,UAAU,CAAC;IAE7C,IAAI,KAAK,CAAC,OAAO,EAAE,QAAQ,IAAI,KAAK,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,KAAK,KAAK,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACvD,OAAO;gBACL;oBACE,MAAM,EAAE,8BAA8B;oBACtC,MAAM,EAAE,gDAAgD;iBACzD;aACF,CAAC;QACJ,CAAC;IACH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,OAAsB;IACzC,MAAM,KAAK,GAAuB,EAAE,CAAC;IACrC,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,KAAK,kBAAkB,EAAE,CAAC;QAC1D,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,8BAA8B;YACtC,MAAM,EAAE,2CAA2C;YACnD,eAAe,EAAE,kBAAkB;SACpC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,WAAW,IAAI,OAAO,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC;QAC7D,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,YAAY,EAAE,CAAC;QACpC,KAAK,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,OAAO,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,eAAe,CAAC,OAAsB;IAC7C,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QACjD,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YAChE,OAAO;gBACL;oBACE,MAAM,EAAE,uCAAuC;oBAC/C,MAAM,EAAE,WAAW,OAAO,CAAC,EAAE,gCAAgC;iBAC9D;aACF,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC,cAAc,CAAC,QAAQ;aACnC,MAAM,CACL,CAAC,OAAO,EAAE,EAAE,CACV,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,CACjE;aACA,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IACH,IACE,OAAO,CAAC,kBAAkB,KAAK,SAAS;QACxC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,EAC7B,CAAC;QACD,KAAK,CAAC,IAAI,CAAC;YACT,MAAM,EAAE,oCAAoC;YAC5C,MAAM,EAAE,yDAAyD;SAClE,CAAC,CAAC;IACL,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,OAAsB,EACtB,IAA4B,EAC5B,WAAkC;IAElC,OAAO,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAC1C,OAAO,CAAC,cAAc,CAAC,QAAQ;SAC5B,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,KAAK,IAAI,CAAC;SAC1C,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC,CACnE,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAClB,SAAiB,EACjB,OAAuB,EACvB,WAAkC;IAElC,OAAO;QACL,MAAM,EAAE,UAAU,WAAW,IAAI,OAAO,CAAC,IAAI,EAAE;QAC/C,MAAM,EAAE,WAAW,SAAS,YAAY,OAAO,CAAC,OAAO,EAAE;KAC1D,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,MAAc,EACd,KAAa,EACb,KAAc;IAEd,IAAI,KAAK;QAAE,OAAO,IAAI,CAAC;IACvB,OAAO;QACL,MAAM;QACN,MAAM,EAAE,WAAW,KAAK,EAAE;KAC3B,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,SAA6B,EAC7B,KAAyB,EACzB,eAAgC;IAEhC,OAAO;QACL,SAAS,EAAE,SAAS,IAAI,SAAS;QACjC,OAAO,EAAE,MAAM;QACf,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe;QACf,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EAAE,mDAAmD;KACrE,CAAC;AACJ,CAAC;AAED,SAAS,kBAAkB,CACzB,SAAiB,EACjB,KAAyB,EACzB,eAAgC;IAEhC,OAAO;QACL,SAAS;QACT,OAAO,EAAE,YAAY;QACrB,cAAc,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAChD,eAAe;QACf,gBAAgB,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;QAClD,eAAe,EACb,4DAA4D;KAC/D,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAC7B,KAAyB,EACzB,QAAyB;IAEzB,OAAO,CACL,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC,EAAE,eAAe,IAAI,QAAQ,CACxE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,aAAa,KAAK,IAAI,CAAC,CAAC;AACxE,CAAC"}