@lobu/gateway 2.8.0

package/dist/proxy/http-proxy.js

@@ -0,0 +1,636 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.__testOnly = void 0;
+exports.setProxyGrantStore = setProxyGrantStore;
+exports.startHttpProxy = startHttpProxy;
+exports.stopHttpProxy = stopHttpProxy;
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const dns = __importStar(require("node:dns/promises"));
+const http = __importStar(require("node:http"));
+const net = __importStar(require("node:net"));
+const node_url_1 = require("node:url");
+const core_1 = require("@lobu/core");
+const network_allowlist_1 = require("../config/network-allowlist");
+const logger = (0, core_1.createLogger)("http-proxy");
+const blockedIpv4Ranges = [
+    ["0.0.0.0", 8],
+    ["10.0.0.0", 8],
+    ["100.64.0.0", 10],
+    ["127.0.0.0", 8],
+    ["169.254.0.0", 16],
+    ["172.16.0.0", 12],
+    ["192.168.0.0", 16],
+    ["198.18.0.0", 15],
+    ["224.0.0.0", 4],
+    ["240.0.0.0", 4],
+];
+const blockedIpv6Ranges = [
+    ["fc00::", 7],
+    ["fe80::", 10],
+    ["ff00::", 8],
+];
+const blockedIpv4List = new net.BlockList();
+for (const [address, prefix] of blockedIpv4Ranges) {
+    blockedIpv4List.addSubnet(address, prefix, "ipv4");
+}
+const blockedIpv6List = new net.BlockList();
+blockedIpv6List.addAddress("::", "ipv6");
+blockedIpv6List.addAddress("::1", "ipv6");
+for (const [address, prefix] of blockedIpv6Ranges) {
+    blockedIpv6List.addSubnet(address, prefix, "ipv6");
+}
+// Cache for global defaults (used when no deployment identified)
+let globalConfig = null;
+// Module-level grant store reference for domain grant checks
+let proxyGrantStore = null;
+/**
+ * Set the grant store for the HTTP proxy to check domain grants.
+ * Called during gateway initialization.
+ */
+function setProxyGrantStore(store) {
+    proxyGrantStore = store;
+}
+/**
+ * Get global network config (lazy loaded)
+ */
+function getGlobalConfig() {
+    if (!globalConfig) {
+        globalConfig = {
+            allowedDomains: (0, network_allowlist_1.loadAllowedDomains)(),
+            deniedDomains: (0, network_allowlist_1.loadDisallowedDomains)(),
+        };
+    }
+    return globalConfig;
+}
+/**
+ * Unified domain access check: global config → grant store.
+ *
+ * 1. If denied by global blocklist → block
+ * 2. If allowed by global allowlist → check grantStore.isDenied() → allow/block
+ * 3. If not in global list → check grantStore.hasGrant() → allow/block
+ */
+async function checkDomainAccess(hostname, agentId) {
+    const global = getGlobalConfig();
+    // Global blocklist always takes precedence
+    if (global.deniedDomains.length > 0 &&
+        matchesDomainPattern(hostname, global.deniedDomains)) {
+        return false;
+    }
+    // Check if globally allowed (unrestricted or in allowlist)
+    const globallyAllowed = isHostnameAllowed(hostname, global.allowedDomains, global.deniedDomains);
+    if (globallyAllowed) {
+        // Even if globally allowed, a per-agent deny grant can override
+        if (proxyGrantStore && agentId) {
+            const denied = await proxyGrantStore.isDenied(agentId, hostname);
+            if (denied) {
+                logger.debug(`Domain ${hostname} denied via grant (agent: ${agentId})`);
+                return false;
+            }
+        }
+        return true;
+    }
+    // Not globally allowed — check grant store for per-agent access
+    if (proxyGrantStore && agentId) {
+        const granted = await proxyGrantStore.hasGrant(agentId, hostname);
+        if (granted) {
+            logger.debug(`Domain ${hostname} allowed via grant (agent: ${agentId})`);
+            return true;
+        }
+    }
+    return false;
+}
+function parseMappedIpv4Address(ip) {
+    const normalized = ip.toLowerCase();
+    if (!normalized.startsWith("::ffff:")) {
+        return null;
+    }
+    const mapped = normalized.substring("::ffff:".length);
+    return net.isIP(mapped) === 4 ? mapped : null;
+}
+function parseMappedIpv4HexAddress(ip) {
+    const normalized = ip.toLowerCase();
+    if (!normalized.startsWith("::ffff:")) {
+        return null;
+    }
+    const mapped = normalized.substring("::ffff:".length);
+    if (mapped.includes(".")) {
+        return null;
+    }
+    const parts = mapped.split(":");
+    if (parts.length !== 2) {
+        return null;
+    }
+    const high = Number.parseInt(parts[0] || "", 16);
+    const low = Number.parseInt(parts[1] || "", 16);
+    if (Number.isNaN(high) ||
+        Number.isNaN(low) ||
+        high < 0 ||
+        high > 0xffff ||
+        low < 0 ||
+        low > 0xffff) {
+        return null;
+    }
+    return `${(high >> 8) & 0xff}.${high & 0xff}.${(low >> 8) & 0xff}.${low & 0xff}`;
+}
+function isBlockedIpAddress(ip) {
+    const ipv6WithoutZone = ip.split("%", 1)[0] || ip;
+    const mappedIpv4 = parseMappedIpv4Address(ipv6WithoutZone) ||
+        parseMappedIpv4HexAddress(ipv6WithoutZone);
+    if (mappedIpv4) {
+        return blockedIpv4List.check(mappedIpv4, "ipv4");
+    }
+    const family = net.isIP(ipv6WithoutZone);
+    if (family === 4) {
+        return blockedIpv4List.check(ipv6WithoutZone, "ipv4");
+    }
+    if (family === 6) {
+        return blockedIpv6List.check(ipv6WithoutZone, "ipv6");
+    }
+    return false;
+}
+exports.__testOnly = {
+    isBlockedIpAddress,
+};
+async function resolveAndValidateTarget(hostname) {
+    var _a;
+    const ipFamily = net.isIP(hostname);
+    if (ipFamily !== 0) {
+        if (isBlockedIpAddress(hostname)) {
+            return {
+                ok: false,
+                statusCode: 403,
+                clientMessage: `403 Forbidden - Target IP not allowed: ${hostname}`,
+                reason: `target is local/private IP (${hostname})`,
+            };
+        }
+        return { ok: true, resolvedIp: hostname };
+    }
+    let addresses;
+    try {
+        addresses = await dns.lookup(hostname, { all: true, verbatim: true });
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "unknown error";
+        return {
+            ok: false,
+            statusCode: 502,
+            clientMessage: `Bad Gateway: Could not resolve target host ${hostname}`,
+            reason: `DNS lookup failed for ${hostname}: ${message}`,
+        };
+    }
+    if (addresses.length === 0) {
+        return {
+            ok: false,
+            statusCode: 502,
+            clientMessage: `Bad Gateway: No DNS results for ${hostname}`,
+            reason: `DNS lookup returned no addresses for ${hostname}`,
+        };
+    }
+    const blockedAddress = addresses.find((addr) => isBlockedIpAddress(addr.address));
+    if (blockedAddress) {
+        return {
+            ok: false,
+            statusCode: 403,
+            clientMessage: `403 Forbidden - Target resolves to local/private IP: ${hostname}`,
+            reason: `${hostname} resolved to blocked IP ${blockedAddress.address}`,
+        };
+    }
+    return { ok: true, resolvedIp: (_a = addresses[0]) === null || _a === void 0 ? void 0 : _a.address };
+}
+/**
+ * Extract deployment name and token from Proxy-Authorization Basic auth header.
+ * Workers send: HTTP_PROXY=http://<deploymentName>:<token>@gateway:8118
+ * This creates a Basic auth header with username=deploymentName, password=token
+ */
+function extractProxyCredentials(req) {
+    const authHeader = req.headers["proxy-authorization"];
+    if (!authHeader || typeof authHeader !== "string") {
+        return null;
+    }
+    // Parse Basic auth: "Basic base64(username:password)"
+    const match = authHeader.match(/^Basic\s+(.+)$/i);
+    if (!match || !match[1]) {
+        return null;
+    }
+    try {
+        const decoded = Buffer.from(match[1], "base64").toString("utf-8");
+        const colonIndex = decoded.indexOf(":");
+        if (colonIndex === -1) {
+            return null;
+        }
+        const deploymentName = decoded.substring(0, colonIndex);
+        const token = decoded.substring(colonIndex + 1);
+        if (!deploymentName || !token) {
+            return null;
+        }
+        return { deploymentName, token };
+    }
+    catch (_a) {
+        return null;
+    }
+}
+/**
+ * Validate proxy authentication by verifying the encrypted worker token
+ * and cross-checking the claimed deployment name.
+ */
+function validateProxyAuth(req) {
+    const creds = extractProxyCredentials(req);
+    if (!creds) {
+        return null;
+    }
+    const tokenData = (0, core_1.verifyWorkerToken)(creds.token);
+    if (!tokenData) {
+        logger.warn(`Proxy auth failed: invalid token (claimed deployment: ${creds.deploymentName})`);
+        return null;
+    }
+    const deploymentMatch = tokenData.deploymentName.length === creds.deploymentName.length &&
+        node_crypto_1.default.timingSafeEqual(Buffer.from(tokenData.deploymentName), Buffer.from(creds.deploymentName));
+    if (!deploymentMatch) {
+        logger.warn(`Proxy auth failed: deployment mismatch (claimed: ${creds.deploymentName}, token: ${tokenData.deploymentName})`);
+        return null;
+    }
+    return { deploymentName: creds.deploymentName, tokenData };
+}
+/**
+ * Check if a hostname matches any domain patterns
+ * Supports exact matches and wildcard patterns (.example.com matches *.example.com)
+ */
+function matchesDomainPattern(hostname, patterns) {
+    const lowerHostname = hostname.toLowerCase();
+    for (const pattern of patterns) {
+        const lowerPattern = pattern.toLowerCase();
+        if (lowerPattern.startsWith(".")) {
+            // Wildcard pattern: .example.com matches *.example.com
+            const domain = lowerPattern.substring(1);
+            if (lowerHostname === domain || lowerHostname.endsWith(`.${domain}`)) {
+                return true;
+            }
+        }
+        else if (lowerPattern === lowerHostname) {
+            // Exact match
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Check if a hostname is allowed based on allowlist/blocklist configuration.
+ * Rules:
+ * - deniedDomains are checked first (take precedence)
+ * - allowedDomains are checked second
+ * - If allowedDomains contains "*", unrestricted mode is enabled
+ * - If allowedDomains is empty, complete isolation (deny all)
+ */
+function isHostnameAllowed(hostname, allowedDomains, deniedDomains) {
+    // Unrestricted mode - allow all except explicitly disallowed
+    if ((0, network_allowlist_1.isUnrestrictedMode)(allowedDomains)) {
+        if (deniedDomains.length === 0) {
+            return true; // No blocklist, allow all
+        }
+        return !matchesDomainPattern(hostname, deniedDomains);
+    }
+    // Complete isolation mode - deny all
+    if (allowedDomains.length === 0) {
+        return false;
+    }
+    // Allowlist mode - check if allowed
+    const isAllowed = matchesDomainPattern(hostname, allowedDomains);
+    // Even if allowed, check blocklist
+    if (isAllowed && deniedDomains.length > 0) {
+        return !matchesDomainPattern(hostname, deniedDomains);
+    }
+    return isAllowed;
+}
+/**
+ * Extract hostname from CONNECT request
+ */
+function extractConnectHostname(url) {
+    // CONNECT requests are in format: "host:port"
+    const match = url.match(/^([^:]+):\d+$/);
+    return (match === null || match === void 0 ? void 0 : match[1]) ? match[1] : null;
+}
+/**
+ * Handle HTTPS CONNECT tunneling with per-deployment network config
+ */
+async function handleConnect(req, clientSocket, head) {
+    const url = req.url || "";
+    const hostname = extractConnectHostname(url);
+    if (!hostname) {
+        logger.warn(`Invalid CONNECT request: ${url}`);
+        clientSocket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+        clientSocket.end();
+        return;
+    }
+    // Validate worker token
+    const auth = validateProxyAuth(req);
+    if (!auth) {
+        logger.warn(`Proxy auth required for CONNECT to ${hostname}`);
+        try {
+            clientSocket.write('HTTP/1.1 407 Proxy Authentication Required\r\nProxy-Authenticate: Basic realm="lobu-proxy"\r\n\r\n');
+            clientSocket.end();
+        }
+        catch (_a) {
+            // Client may have already disconnected
+        }
+        return;
+    }
+    const { deploymentName, tokenData } = auth;
+    // Check domain access: global config → grant store
+    const allowed = await checkDomainAccess(hostname, tokenData.agentId);
+    if (!allowed) {
+        logger.warn(`Blocked CONNECT to ${hostname} (deployment: ${deploymentName})`);
+        try {
+            clientSocket.write(`HTTP/1.1 403 Domain not allowed: ${hostname}. Network access is configured via lobu.toml or the gateway configuration APIs.\r\nContent-Type: text/plain\r\n\r\n403 Forbidden - Domain not allowed: ${hostname}. Network access is configured via lobu.toml or the gateway configuration APIs.\r\n`);
+            clientSocket.end();
+        }
+        catch (_b) {
+            // Client may have already disconnected
+        }
+        return;
+    }
+    const targetResolution = await resolveAndValidateTarget(hostname);
+    if (!targetResolution.ok) {
+        logger.warn(`Blocked CONNECT to ${hostname} (deployment: ${deploymentName}) - ${targetResolution.reason}`);
+        try {
+            clientSocket.write(`HTTP/1.1 ${targetResolution.statusCode} ${targetResolution.statusCode === 403 ? "Forbidden" : "Bad Gateway"}\r\nContent-Type: text/plain\r\n\r\n${targetResolution.clientMessage}\r\n`);
+            clientSocket.end();
+        }
+        catch (_c) {
+            // Client may have already disconnected
+        }
+        return;
+    }
+    const resolvedIp = targetResolution.resolvedIp;
+    if (!resolvedIp) {
+        clientSocket.write("HTTP/1.1 500 Internal Server Error\r\n\r\n");
+        clientSocket.end();
+        return;
+    }
+    logger.debug(`Allowing CONNECT to ${hostname} via ${resolvedIp}`);
+    // Parse host and port
+    const [host, portStr] = url.split(":");
+    const port = portStr ? parseInt(portStr, 10) || 443 : 443;
+    if (!host) {
+        logger.warn(`Invalid CONNECT host: ${url}`);
+        clientSocket.write("HTTP/1.1 400 Bad Request\r\n\r\n");
+        clientSocket.end();
+        return;
+    }
+    // Establish connection to target
+    const targetSocket = net.connect(port, resolvedIp, () => {
+        // Send success response to client
+        clientSocket.write("HTTP/1.1 200 Connection Established\r\n\r\n");
+        // Pipe the connection bidirectionally
+        targetSocket.write(head);
+        targetSocket.pipe(clientSocket);
+        clientSocket.pipe(targetSocket);
+    });
+    targetSocket.on("error", (err) => {
+        logger.debug(`Target connection error for ${hostname}: ${err.message}`);
+        try {
+            clientSocket.end();
+        }
+        catch (_a) {
+            // Ignore errors when closing already-closed socket
+        }
+    });
+    clientSocket.on("error", (err) => {
+        // ECONNRESET is common when clients drop connections - don't log as error
+        if (err.code === "ECONNRESET") {
+            logger.debug(`Client disconnected for ${hostname} (ECONNRESET)`);
+        }
+        else {
+            logger.debug(`Client connection error for ${hostname}: ${err.message}`);
+        }
+        try {
+            targetSocket.end();
+        }
+        catch (_a) {
+            // Ignore errors when closing already-closed socket
+        }
+    });
+    // Handle close events to clean up
+    targetSocket.on("close", () => {
+        try {
+            clientSocket.end();
+        }
+        catch (_a) {
+            // Ignore
+        }
+    });
+    clientSocket.on("close", () => {
+        try {
+            targetSocket.end();
+        }
+        catch (_a) {
+            // Ignore
+        }
+    });
+}
+/**
+ * Handle regular HTTP proxy requests with per-deployment network config
+ */
+async function handleProxyRequest(req, res) {
+    var _a;
+    const targetUrl = req.url;
+    if (!targetUrl) {
+        res.writeHead(400, { "Content-Type": "text/plain" });
+        res.end("Bad Request: No URL provided\n");
+        return;
+    }
+    let parsedUrl;
+    try {
+        parsedUrl = new node_url_1.URL(targetUrl);
+    }
+    catch (_b) {
+        res.writeHead(400, { "Content-Type": "text/plain" });
+        res.end("Bad Request: Invalid URL\n");
+        return;
+    }
+    const hostname = parsedUrl.hostname;
+    // Validate worker token
+    const auth = validateProxyAuth(req);
+    if (!auth) {
+        logger.warn(`Proxy auth required for ${req.method} ${hostname}`);
+        res.writeHead(407, {
+            "Content-Type": "text/plain",
+            "Proxy-Authenticate": 'Basic realm="lobu-proxy"',
+        });
+        res.end("407 Proxy Authentication Required\n");
+        return;
+    }
+    const { deploymentName, tokenData } = auth;
+    // Check domain access: global config → grant store
+    const allowed = await checkDomainAccess(hostname, tokenData.agentId);
+    if (!allowed) {
+        logger.warn(`Blocked request to ${hostname} (deployment: ${deploymentName})`);
+        res.writeHead(403, `Domain not allowed: ${hostname}`, {
+            "Content-Type": "text/plain",
+        });
+        res.end(`403 Forbidden - Domain not allowed: ${hostname}. Network access is configured via lobu.toml or the gateway configuration APIs.\n`);
+        return;
+    }
+    const targetResolution = await resolveAndValidateTarget(hostname);
+    if (!targetResolution.ok) {
+        logger.warn(`Blocked request to ${hostname} (deployment: ${deploymentName}) - ${targetResolution.reason}`);
+        res.writeHead((_a = targetResolution.statusCode) !== null && _a !== void 0 ? _a : 502, {
+            "Content-Type": "text/plain",
+        });
+        res.end(`${targetResolution.clientMessage}\n`);
+        return;
+    }
+    const resolvedIp = targetResolution.resolvedIp;
+    if (!resolvedIp) {
+        res.writeHead(500, { "Content-Type": "text/plain" });
+        res.end("Internal proxy error\n");
+        return;
+    }
+    logger.debug(`Proxying ${req.method} ${hostname}${parsedUrl.pathname} via ${resolvedIp}`);
+    // Remove proxy-authorization header before forwarding
+    const forwardHeaders = Object.assign({}, req.headers);
+    delete forwardHeaders["proxy-authorization"];
+    // Forward the request
+    const options = {
+        hostname: resolvedIp,
+        port: parsedUrl.port || (parsedUrl.protocol === "https:" ? 443 : 80),
+        path: parsedUrl.pathname + parsedUrl.search,
+        method: req.method,
+        headers: forwardHeaders,
+    };
+    const proxyReq = http.request(options, (proxyRes) => {
+        // Forward response headers
+        res.writeHead(proxyRes.statusCode || 500, proxyRes.headers);
+        // Stream response body
+        proxyRes.pipe(res);
+    });
+    proxyReq.on("error", (err) => {
+        logger.error(`Proxy request error for ${hostname}:`, err.message);
+        if (!res.headersSent) {
+            res.writeHead(502, { "Content-Type": "text/plain" });
+            res.end("Bad Gateway: Could not reach target server\n");
+        }
+        else {
+            res.end();
+        }
+    });
+    // Stream request body
+    req.pipe(proxyReq);
+}
+/**
+ * Start HTTP proxy server with per-deployment network config support.
+ *
+ * Workers identify themselves via Proxy-Authorization Basic auth:
+ *   HTTP_PROXY=http://<deploymentName>:<token>@gateway:8118
+ *
+ * The proxy validates the encrypted worker token, cross-checks the
+ * claimed deployment name, and looks up per-deployment network config.
+ * Returns 407 if authentication fails.
+ *
+ * @param port - Port to listen on (default 8118)
+ * @param host - Bind address (default "::" for all interfaces)
+ * @returns Promise that resolves with the server once listening, or rejects on error
+ */
+function startHttpProxy(port = 8118, host = "::") {
+    return new Promise((resolve, reject) => {
+        const global = getGlobalConfig();
+        const server = http.createServer((req, res) => {
+            handleProxyRequest(req, res).catch((err) => {
+                logger.error("Error handling proxy request:", err);
+                if (!res.headersSent) {
+                    res.writeHead(500, { "Content-Type": "text/plain" });
+                    res.end("Internal proxy error\n");
+                }
+            });
+        });
+        // Handle CONNECT method for HTTPS tunneling
+        server.on("connect", (req, clientSocket, head) => {
+            handleConnect(req, clientSocket, head).catch((err) => {
+                logger.error("Error handling CONNECT:", err);
+                try {
+                    clientSocket.write("HTTP/1.1 500 Internal Server Error\r\n\r\n");
+                    clientSocket.end();
+                }
+                catch (_a) {
+                    // Ignore
+                }
+            });
+        });
+        server.on("error", (err) => {
+            logger.error("HTTP proxy server error:", err);
+            reject(err);
+        });
+        server.listen(port, host, () => {
+            // Remove the startup error listener so it doesn't reject later operational errors
+            server.removeAllListeners("error");
+            server.on("error", (err) => {
+                logger.error("HTTP proxy server error:", err);
+            });
+            let mode;
+            if ((0, network_allowlist_1.isUnrestrictedMode)(global.allowedDomains)) {
+                mode = "unrestricted";
+            }
+            else if (global.allowedDomains.length > 0) {
+                mode = "allowlist";
+            }
+            else {
+                mode = "complete-isolation";
+            }
+            logger.debug(`HTTP proxy started on ${host}:${port} (mode=${mode}, allowed=${global.allowedDomains.length}, denied=${global.deniedDomains.length})`);
+            resolve(server);
+        });
+    });
+}
+/**
+ * Stop HTTP proxy server
+ */
+function stopHttpProxy(server) {
+    return new Promise((resolve, reject) => {
+        server.close((err) => {
+            if (err) {
+                logger.error("Error stopping HTTP proxy:", err);
+                reject(err);
+            }
+            else {
+                logger.info("HTTP proxy stopped");
+                resolve();
+            }
+        });
+    });
+}
+//# sourceMappingURL=http-proxy.js.map

package/dist/proxy/http-proxy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-proxy.js","sourceRoot":"","sources":["../../src/proxy/http-proxy.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuEA,gDAEC;AA4lBD,wCAyDC;AAKD,sCAYC;AA/uBD,8DAAiC;AAEjC,uDAAyC;AACzC,gDAAkC;AAClC,8CAAgC;AAChC,uCAA+B;AAE/B,qCAA6D;AAC7D,mEAIqC;AAGrC,MAAM,MAAM,GAAG,IAAA,mBAAY,EAAC,YAAY,CAAC,CAAC;AAe1C,MAAM,iBAAiB,GAA6C;IAClE,CAAC,SAAS,EAAE,CAAC,CAAC;IACd,CAAC,UAAU,EAAE,CAAC,CAAC;IACf,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,WAAW,EAAE,CAAC,CAAC;IAChB,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,aAAa,EAAE,EAAE,CAAC;IACnB,CAAC,YAAY,EAAE,EAAE,CAAC;IAClB,CAAC,WAAW,EAAE,CAAC,CAAC;IAChB,CAAC,WAAW,EAAE,CAAC,CAAC;CACjB,CAAC;AAEF,MAAM,iBAAiB,GAA6C;IAClE,CAAC,QAAQ,EAAE,CAAC,CAAC;IACb,CAAC,QAAQ,EAAE,EAAE,CAAC;IACd,CAAC,QAAQ,EAAE,CAAC,CAAC;CACd,CAAC;AAEF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;AAC5C,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;IAClD,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;AAC5C,eAAe,CAAC,UAAU,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACzC,eAAe,CAAC,UAAU,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AAC1C,KAAK,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,IAAI,iBAAiB,EAAE,CAAC;IAClD,eAAe,CAAC,SAAS,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AACrD,CAAC;AAED,iEAAiE;AACjE,IAAI,YAAY,GAAiC,IAAI,CAAC;AAEtD,6DAA6D;AAC7D,IAAI,eAAe,GAAsB,IAAI,CAAC;AAE9C;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,KAAiB;IAClD,eAAe,GAAG,KAAK,CAAC;AAC1B,CAAC;AAED;;GAEG;AACH,SAAS,eAAe;IACtB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG;YACb,cAAc,EAAE,IAAA,sCAAkB,GAAE;YACpC,aAAa,EAAE,IAAA,yCAAqB,GAAE;SACvC,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,iBAAiB,CAC9B,QAAgB,EAChB,OAA2B;IAE3B,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;IAEjC,2CAA2C;IAC3C,IACE,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC;QAC/B,oBAAoB,CAAC,QAAQ,EAAE,MAAM,CAAC,aAAa,CAAC,EACpD,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,2DAA2D;IAC3D,MAAM,eAAe,GAAG,iBAAiB,CACvC,QAAQ,EACR,MAAM,CAAC,cAAc,EACrB,MAAM,CAAC,aAAa,CACrB,CAAC;IAEF,IAAI,eAAe,EAAE,CAAC;QACpB,gEAAgE;QAChE,IAAI,eAAe,IAAI,OAAO,EAAE,CAAC;YAC/B,MAAM,MAAM,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjE,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,CAAC,UAAU,QAAQ,6BAA6B,OAAO,GAAG,CAAC,CAAC;gBACxE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gEAAgE;IAChE,IAAI,eAAe,IAAI,OAAO,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAClE,IAAI,OAAO,EAAE,CAAC;YACZ,MAAM,CAAC,KAAK,CAAC,UAAU,QAAQ,8BAA8B,OAAO,GAAG,CAAC,CAAC;YACzE,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAOD,SAAS,sBAAsB,CAAC,EAAU;IACxC,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,OAAO,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;AAChD,CAAC;AAED,SAAS,yBAAyB,CAAC,EAAU;IAC3C,MAAM,UAAU,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC;IACpC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;IACtD,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IACjD,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAChD,IACE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;QAClB,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;QACjB,IAAI,GAAG,CAAC;QACR,IAAI,GAAG,MAAM;QACb,GAAG,GAAG,CAAC;QACP,GAAG,GAAG,MAAM,EACZ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,GAAG,IAAI,EAAE,CAAC;AACnF,CAAC;AAED,SAAS,kBAAkB,CAAC,EAAU;IACpC,MAAM,eAAe,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAClD,MAAM,UAAU,GACd,sBAAsB,CAAC,eAAe,CAAC;QACvC,yBAAyB,CAAC,eAAe,CAAC,CAAC;IAC7C,IAAI,UAAU,EAAE,CAAC;QACf,OAAO,eAAe,CAAC,KAAK,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IACzC,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,OAAO,eAAe,CAAC,KAAK,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,MAAM,KAAK,CAAC,EAAE,CAAC;QACjB,OAAO,eAAe,CAAC,KAAK,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACxD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAEY,QAAA,UAAU,GAAG;IACxB,kBAAkB;CACnB,CAAC;AAEF,KAAK,UAAU,wBAAwB,CACrC,QAAgB;;IAEhB,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,CAAC,EAAE,CAAC;QACnB,IAAI,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,UAAU,EAAE,GAAG;gBACf,aAAa,EAAE,0CAA0C,QAAQ,EAAE;gBACnE,MAAM,EAAE,+BAA+B,QAAQ,GAAG;aACnD,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;IAC5C,CAAC;IAED,IAAI,SAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;IACxE,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,CAAC;QACzE,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,aAAa,EAAE,8CAA8C,QAAQ,EAAE;YACvE,MAAM,EAAE,yBAAyB,QAAQ,KAAK,OAAO,EAAE;SACxD,CAAC;IACJ,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,aAAa,EAAE,mCAAmC,QAAQ,EAAE;YAC5D,MAAM,EAAE,wCAAwC,QAAQ,EAAE;SAC3D,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC7C,kBAAkB,CAAC,IAAI,CAAC,OAAO,CAAC,CACjC,CAAC;IACF,IAAI,cAAc,EAAE,CAAC;QACnB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,UAAU,EAAE,GAAG;YACf,aAAa,EAAE,wDAAwD,QAAQ,EAAE;YACjF,MAAM,EAAE,GAAG,QAAQ,2BAA2B,cAAc,CAAC,OAAO,EAAE;SACvE,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,MAAA,SAAS,CAAC,CAAC,CAAC,0CAAE,OAAO,EAAE,CAAC;AACzD,CAAC;AAED;;;;GAIG;AACH,SAAS,uBAAuB,CAC9B,GAAyB;IAEzB,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,CAAC;IACtD,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,sDAAsD;IACtD,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAClD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAClE,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,UAAU,KAAK,CAAC,CAAC,EAAE,CAAC;YACtB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,cAAc,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;QACxD,MAAM,KAAK,GAAG,OAAO,CAAC,SAAS,CAAC,UAAU,GAAG,CAAC,CAAC,CAAC;QAChD,IAAI,CAAC,cAAc,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;IACnC,CAAC;IAAC,WAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAOD;;;GAGG;AACH,SAAS,iBAAiB,CAAC,GAAyB;IAClD,MAAM,KAAK,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAC;IAC3C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,SAAS,GAAG,IAAA,wBAAiB,EAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACjD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CACT,yDAAyD,KAAK,CAAC,cAAc,GAAG,CACjF,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,eAAe,GACnB,SAAS,CAAC,cAAc,CAAC,MAAM,KAAK,KAAK,CAAC,cAAc,CAAC,MAAM;QAC/D,qBAAM,CAAC,eAAe,CACpB,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,EACrC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,CAClC,CAAC;IACJ,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CACT,oDAAoD,KAAK,CAAC,cAAc,YAAY,SAAS,CAAC,cAAc,GAAG,CAChH,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED,OAAO,EAAE,cAAc,EAAE,KAAK,CAAC,cAAc,EAAE,SAAS,EAAE,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,QAAgB,EAAE,QAAkB;IAChE,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE7C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAE3C,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACjC,uDAAuD;YACvD,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;YACzC,IAAI,aAAa,KAAK,MAAM,IAAI,aAAa,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,EAAE,CAAC;gBACrE,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;aAAM,IAAI,YAAY,KAAK,aAAa,EAAE,CAAC;YAC1C,cAAc;YACd,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,iBAAiB,CACxB,QAAgB,EAChB,cAAwB,EACxB,aAAuB;IAEvB,6DAA6D;IAC7D,IAAI,IAAA,sCAAkB,EAAC,cAAc,CAAC,EAAE,CAAC;QACvC,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,IAAI,CAAC,CAAC,0BAA0B;QACzC,CAAC;QACD,OAAO,CAAC,oBAAoB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC;IAED,qCAAqC;IACrC,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oCAAoC;IACpC,MAAM,SAAS,GAAG,oBAAoB,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAEjE,mCAAmC;IACnC,IAAI,SAAS,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,OAAO,CAAC,oBAAoB,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,GAAW;IACzC,8CAA8C;IAC9C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IACzC,OAAO,CAAA,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAG,CAAC,CAAC,EAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAC1B,GAAyB,EACzB,YAAqC,EACrC,IAAY;IAEZ,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;IAE7C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,CAAC,IAAI,CAAC,4BAA4B,GAAG,EAAE,CAAC,CAAC;QAC/C,YAAY,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACvD,YAAY,CAAC,GAAG,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,wBAAwB;IACxB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;QAC9D,IAAI,CAAC;YACH,YAAY,CAAC,KAAK,CAChB,oGAAoG,CACrG,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAE3C,mDAAmD;IACnD,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,sBAAsB,QAAQ,iBAAiB,cAAc,GAAG,CACjE,CAAC;QACF,IAAI,CAAC;YACH,YAAY,CAAC,KAAK,CAChB,oCAAoC,QAAQ,0JAA0J,QAAQ,qFAAqF,CACpS,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAClE,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CACT,sBAAsB,QAAQ,iBAAiB,cAAc,OAAO,gBAAgB,CAAC,MAAM,EAAE,CAC9F,CAAC;QACF,IAAI,CAAC;YACH,YAAY,CAAC,KAAK,CAChB,YAAY,gBAAgB,CAAC,UAAU,IACrC,gBAAgB,CAAC,UAAU,KAAK,GAAG,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,aACtD,uCAAuC,gBAAgB,CAAC,aAAa,MAAM,CAC5E,CAAC;YACF,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,uCAAuC;QACzC,CAAC;QACD,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,YAAY,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;QACjE,YAAY,CAAC,GAAG,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,MAAM,CAAC,KAAK,CAAC,uBAAuB,QAAQ,QAAQ,UAAU,EAAE,CAAC,CAAC;IAElE,sBAAsB;IACtB,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACvC,MAAM,IAAI,GAAG,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;IAE1D,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC,yBAAyB,GAAG,EAAE,CAAC,CAAC;QAC5C,YAAY,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACvD,YAAY,CAAC,GAAG,EAAE,CAAC;QACnB,OAAO;IACT,CAAC;IAED,iCAAiC;IACjC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,UAAU,EAAE,GAAG,EAAE;QACtD,kCAAkC;QAClC,YAAY,CAAC,KAAK,CAAC,6CAA6C,CAAC,CAAC;QAElE,sCAAsC;QACtC,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACzB,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAChC,YAAY,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QAC/B,MAAM,CAAC,KAAK,CAAC,+BAA+B,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QACxE,IAAI,CAAC;YACH,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QAC/B,0EAA0E;QAC1E,IAAK,GAA6B,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACzD,MAAM,CAAC,KAAK,CAAC,2BAA2B,QAAQ,eAAe,CAAC,CAAC;QACnE,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,KAAK,CAAC,+BAA+B,QAAQ,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;QAC1E,CAAC;QACD,IAAI,CAAC;YACH,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,mDAAmD;QACrD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,kCAAkC;IAClC,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC5B,IAAI,CAAC;YACH,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;QAC5B,IAAI,CAAC;YACH,YAAY,CAAC,GAAG,EAAE,CAAC;QACrB,CAAC;QAAC,WAAM,CAAC;YACP,SAAS;QACX,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAC/B,GAAyB,EACzB,GAAwB;;IAExB,MAAM,SAAS,GAAG,GAAG,CAAC,GAAG,CAAC;IAE1B,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;QACrD,GAAG,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC1C,OAAO;IACT,CAAC;IAED,IAAI,SAAc,CAAC;IACnB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,cAAG,CAAC,SAAS,CAAC,CAAC;IACjC,CAAC;IAAC,WAAM,CAAC;QACP,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;QACrD,GAAG,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QACtC,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,SAAS,CAAC,QAAQ,CAAC;IAEpC,wBAAwB;IACxB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CAAC,2BAA2B,GAAG,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC;QACjE,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE;YACjB,cAAc,EAAE,YAAY;YAC5B,oBAAoB,EAAE,0BAA0B;SACjD,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;QAC/C,OAAO;IACT,CAAC;IAED,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,GAAG,IAAI,CAAC;IAE3C,mDAAmD;IACnD,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;IACrE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,sBAAsB,QAAQ,iBAAiB,cAAc,GAAG,CACjE,CAAC;QACF,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,uBAAuB,QAAQ,EAAE,EAAE;YACpD,cAAc,EAAE,YAAY;SAC7B,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CACL,uCAAuC,QAAQ,mFAAmF,CACnI,CAAC;QACF,OAAO;IACT,CAAC;IAED,MAAM,gBAAgB,GAAG,MAAM,wBAAwB,CAAC,QAAQ,CAAC,CAAC;IAClE,IAAI,CAAC,gBAAgB,CAAC,EAAE,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CACT,sBAAsB,QAAQ,iBAAiB,cAAc,OAAO,gBAAgB,CAAC,MAAM,EAAE,CAC9F,CAAC;QACF,GAAG,CAAC,SAAS,CAAC,MAAA,gBAAgB,CAAC,UAAU,mCAAI,GAAG,EAAE;YAChD,cAAc,EAAE,YAAY;SAC7B,CAAC,CAAC;QACH,GAAG,CAAC,GAAG,CAAC,GAAG,gBAAgB,CAAC,aAAa,IAAI,CAAC,CAAC;QAC/C,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,gBAAgB,CAAC,UAAU,CAAC;IAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;QACrD,GAAG,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QAClC,OAAO;IACT,CAAC;IAED,MAAM,CAAC,KAAK,CACV,YAAY,GAAG,CAAC,MAAM,IAAI,QAAQ,GAAG,SAAS,CAAC,QAAQ,QAAQ,UAAU,EAAE,CAC5E,CAAC;IAEF,sDAAsD;IACtD,MAAM,cAAc,qBAAQ,GAAG,CAAC,OAAO,CAAE,CAAC;IAC1C,OAAO,cAAc,CAAC,qBAAqB,CAAC,CAAC;IAE7C,sBAAsB;IACtB,MAAM,OAAO,GAAwB;QACnC,QAAQ,EAAE,UAAU;QACpB,IAAI,EAAE,SAAS,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,IAAI,EAAE,SAAS,CAAC,QAAQ,GAAG,SAAS,CAAC,MAAM;QAC3C,MAAM,EAAE,GAAG,CAAC,MAAM;QAClB,OAAO,EAAE,cAAc;KACxB,CAAC;IAEF,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,EAAE;QAClD,2BAA2B;QAC3B,GAAG,CAAC,SAAS,CAAC,QAAQ,CAAC,UAAU,IAAI,GAAG,EAAE,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5D,uBAAuB;QACvB,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;QAC3B,MAAM,CAAC,KAAK,CAAC,2BAA2B,QAAQ,GAAG,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;QAClE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;YACrD,GAAG,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;QAC1D,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,GAAG,EAAE,CAAC;QACZ,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,cAAc,CAC5B,OAAe,IAAI,EACnB,OAAe,IAAI;IAEnB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,eAAe,EAAE,CAAC;QAEjC,MAAM,MAAM,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC5C,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACzC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,GAAG,CAAC,CAAC;gBACnD,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;oBACrB,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,YAAY,EAAE,CAAC,CAAC;oBACrD,GAAG,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;gBACpC,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,4CAA4C;QAC5C,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,EAAE,EAAE;YAC/C,aAAa,CAAC,GAAG,EAAE,YAAY,EAAE,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;gBACnD,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAC;gBAC7C,IAAI,CAAC;oBACH,YAAY,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;oBACjE,YAAY,CAAC,GAAG,EAAE,CAAC;gBACrB,CAAC;gBAAC,WAAM,CAAC;oBACP,SAAS;gBACX,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAC9C,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;YAC7B,kFAAkF;YAClF,MAAM,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;YACnC,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;gBACzB,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAC;YAChD,CAAC,CAAC,CAAC;YAEH,IAAI,IAAY,CAAC;YACjB,IAAI,IAAA,sCAAkB,EAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;gBAC9C,IAAI,GAAG,cAAc,CAAC;YACxB,CAAC;iBAAM,IAAI,MAAM,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,IAAI,GAAG,WAAW,CAAC;YACrB,CAAC;iBAAM,CAAC;gBACN,IAAI,GAAG,oBAAoB,CAAC;YAC9B,CAAC;YAED,MAAM,CAAC,KAAK,CACV,yBAAyB,IAAI,IAAI,IAAI,UAAU,IAAI,aAAa,MAAM,CAAC,cAAc,CAAC,MAAM,YAAY,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,CACvI,CAAC;YACF,OAAO,CAAC,MAAM,CAAC,CAAC;QAClB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;GAEG;AACH,SAAgB,aAAa,CAAC,MAAmB;IAC/C,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;YACnB,IAAI,GAAG,EAAE,CAAC;gBACR,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE,GAAG,CAAC,CAAC;gBAChD,MAAM,CAAC,GAAG,CAAC,CAAC;YACd,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;gBAClC,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/proxy/proxy-manager.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Start filtering HTTP proxy for worker network isolation
+ * Workers can only access internet via this proxy, which enforces domain allowlist/blocklist
+ *
+ * Behavior based on environment configuration:
+ * - Empty/unset: Deny all (complete isolation)
+ * - WORKER_ALLOWED_DOMAINS=*: Allow all (unrestricted)
+ * - WORKER_ALLOWED_DOMAINS=domains: Allowlist mode
+ * - WORKER_DISALLOWED_DOMAINS=domains: Blocklist mode
+ * - Both set: Allowlist with exceptions
+ */
+export declare function startFilteringProxy(): Promise<void>;
+//# sourceMappingURL=proxy-manager.d.ts.map

package/dist/proxy/proxy-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"proxy-manager.d.ts","sourceRoot":"","sources":["../../src/proxy/proxy-manager.ts"],"names":[],"mappings":"AA+BA;;;;;;;;;;GAUG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,IAAI,CAAC,CAgBzD"}