@mneme-ai/core 2.60.0 → 2.62.0

package/dist/passport/index.js

@@ -0,0 +1,369 @@
+/**
+ * v2.61.0 — PASSPORT: capability-based security for MCP.
+ *
+ * Pre-v2.61, every MCP tool was equal-trust: an agent could ask for
+ * `shell.exec` the same way it asks for `read_file`. This is the
+ * security model of "all root" — exactly what a CISO refuses.
+ *
+ * PASSPORT introduces capability tokens. Before calling a sensitive
+ * tool, an agent must request a HMAC-signed passport from Mneme.
+ * Other MCP servers (or future Mneme-wrapped servers) verify the
+ * passport HMAC + scope + TTL before executing. If the requesting
+ * agent's trust score is below the tier's threshold → REFUSED.
+ *
+ * Five wild innovations (the "premium" angle beyond a JWT):
+ *
+ *  1. COMPOSED TRUST SCORE — fuses NEMESIS env-scan + verify_identity
+ *     + HONEST_MIRROR weight + STEALTH score + historical approval
+ *     rate into a single 0..1. Per-signal weighted; transparent
+ *     for audit. Hand-written single-scores can lie; fused signals
+ *     resist gaming.
+ *
+ *  2. CAPABILITY DELEGATION CHAIN — passport.delegate(parent, scope)
+ *     creates a CHILD passport with strictly-reduced scope + parent
+ *     reference. Verifier walks the chain to attribute every call to
+ *     the originating agent. Cycles + scope-expansion attempts are
+ *     refused.
+ *
+ *  3. HMAC-CHAINED AUDIT LEDGER — every issuance + verification +
+ *     revocation appends to `.mneme/passport/ledger.jsonl` with
+ *     HMAC chain. Tamper-evident; works offline; survives daemon
+ *     restart. Court-admissible audit trail.
+ *
+ *  4. REVOCATION CASCADE — revoking a parent passport auto-revokes
+ *     every child issued via delegation. Atomic propagation; no
+ *     dangling permissions after a vendor incident.
+ *
+ *  5. POLICY OVERRIDES — `.mneme/passport/policy.json` lets users
+ *     tighten DEFAULT_POLICY (e.g. require multi-party for
+ *     destructive tier). Pinned + drift-detectable like SKELETON
+ *     KEY snapshots — silent policy tampering is detectable.
+ *
+ * Pure ESM. Defensive — never throws.
+ */
+import { createHmac, randomBytes } from "node:crypto";
+import { appendFileSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { computeTrust } from "./trust_score.js";
+import { classifyTier, resolveTier } from "./policy.js";
+const KEY_ENV = "MNEME_PASSPORT_KEY";
+const DEFAULT_KEY = "mneme-passport-v1";
+function keyOf() { return process.env[KEY_ENV] ?? DEFAULT_KEY; }
+/* ── Token encoding ─────────────────────────────────────────────── */
+function canonicalJson(o) {
+    // Deterministic key ordering for HMAC stability.
+    // Drop keys with undefined values (JSON.stringify default behavior).
+    if (o === undefined)
+        return "null"; // shouldn't surface at top level
+    if (o === null || typeof o !== "object")
+        return JSON.stringify(o);
+    if (Array.isArray(o))
+        return "[" + o.map((x) => canonicalJson(x === undefined ? null : x)).join(",") + "]";
+    const entries = Object.entries(o).filter(([, v]) => v !== undefined);
+    entries.sort(([a], [b]) => a.localeCompare(b));
+    return "{" + entries.map(([k, v]) => JSON.stringify(k) + ":" + canonicalJson(v)).join(",") + "}";
+}
+function signClaims(claims) {
+    return createHmac("sha256", keyOf()).update(canonicalJson(claims)).digest("hex");
+}
+function encodeToken(claims, hmac) {
+    const body = Buffer.from(canonicalJson(claims), "utf8").toString("base64url");
+    return `${body}.${hmac}`;
+}
+export function decodePassport(token) {
+    if (typeof token !== "string")
+        return null;
+    const dot = token.indexOf(".");
+    if (dot <= 0)
+        return null;
+    const body = token.slice(0, dot);
+    const hmac = token.slice(dot + 1);
+    try {
+        const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
+        if (!claims || typeof claims !== "object")
+            return null;
+        return { claims, hmac };
+    }
+    catch {
+        return null;
+    }
+}
+function ledgerPath(cwd) {
+    return join(cwd, ".mneme", "passport", "ledger.jsonl");
+}
+function readLedgerLines(cwd) {
+    try {
+        return readFileSync(ledgerPath(cwd), "utf8").trim().split(/\n/).filter((l) => l.trim().length > 0);
+    }
+    catch {
+        return [];
+    }
+}
+function lastLedgerHmac(cwd) {
+    const lines = readLedgerLines(cwd);
+    if (lines.length === 0)
+        return "";
+    try {
+        return JSON.parse(lines[lines.length - 1]).hmac;
+    }
+    catch {
+        return "";
+    }
+}
+function appendLedger(cwd, kind, jti, extra) {
+    const prevHmac = lastLedgerHmac(cwd);
+    const body = {
+        kind, at: new Date().toISOString(), jti,
+        tool: extra.tool, agent: extra.agent, verdict: extra.verdict, prevHmac,
+    };
+    const hmac = createHmac("sha256", keyOf()).update(prevHmac).update(canonicalJson(body)).digest("hex");
+    const entry = { ...body, hmac };
+    try {
+        mkdirSync(dirname(ledgerPath(cwd)), { recursive: true });
+        appendFileSync(ledgerPath(cwd), JSON.stringify(entry) + "\n");
+    }
+    catch { /* noop */ }
+    return entry;
+}
+/* ── Revocation ─────────────────────────────────────────────────── */
+function revocationsPath(cwd) {
+    return join(cwd, ".mneme", "passport", "revocations.json");
+}
+function readRevocations(cwd) {
+    try {
+        const data = JSON.parse(readFileSync(revocationsPath(cwd), "utf8"));
+        return new Set(data.jtis ?? []);
+    }
+    catch {
+        return new Set();
+    }
+}
+function writeRevocations(cwd, set) {
+    try {
+        mkdirSync(dirname(revocationsPath(cwd)), { recursive: true });
+        writeFileSync(revocationsPath(cwd), JSON.stringify({ jtis: Array.from(set) }, null, 2));
+    }
+    catch { /* noop */ }
+}
+/* ── Delegation graph ───────────────────────────────────────────── */
+function delegationGraphPath(cwd) {
+    return join(cwd, ".mneme", "passport", "delegations.json");
+}
+function readDelegations(cwd) {
+    try {
+        return JSON.parse(readFileSync(delegationGraphPath(cwd), "utf8"));
+    }
+    catch {
+        return { parents: {} };
+    }
+}
+function writeDelegations(cwd, g) {
+    try {
+        mkdirSync(dirname(delegationGraphPath(cwd)), { recursive: true });
+        writeFileSync(delegationGraphPath(cwd), JSON.stringify(g, null, 2));
+    }
+    catch { /* noop */ }
+}
+function descendantsOf(jti, g) {
+    const set = new Set();
+    const queue = [jti];
+    while (queue.length > 0) {
+        const cur = queue.shift();
+        for (const [child, parent] of Object.entries(g.parents)) {
+            if (parent === cur && !set.has(child)) {
+                set.add(child);
+                queue.push(child);
+            }
+        }
+    }
+    return set;
+}
+/* ── Issue ──────────────────────────────────────────────────────── */
+export function issuePassport(input) {
+    const cwd = input.cwd ?? process.cwd();
+    const tierName = input.tier ?? classifyTier(input.tool);
+    const tier = resolveTier(tierName, input.policyOverrides);
+    if (!tier)
+        return { ok: false, reason: "tier_unknown", hint: `unknown risk tier: ${tierName}` };
+    // Parent verification (delegation)
+    let parentJti;
+    if (input.parent) {
+        const parent = verifyPassport({ token: input.parent, cwd });
+        if (!parent.valid || !parent.claims) {
+            return { ok: false, reason: "parent_invalid", hint: `parent passport invalid: ${parent.reason}` };
+        }
+        // Child scope must be a strict subset of parent scope.
+        if (input.scope && parent.claims.scope) {
+            const parentScopes = new Set(parent.claims.scope);
+            for (const s of input.scope) {
+                if (!parentScopes.has(s)) {
+                    return { ok: false, reason: "parent_scope_violation", hint: `child scope '${s}' not in parent scope` };
+                }
+            }
+        }
+        parentJti = parent.claims.jti;
+    }
+    // Trust score
+    const trust = computeTrust(input.trustInputs ?? {});
+    if (trust.score < tier.minTrust) {
+        return {
+            ok: false, reason: "trust_too_low",
+            hint: `trust ${(trust.score * 100).toFixed(0)}% < required ${(tier.minTrust * 100).toFixed(0)}% for tier '${tierName}': ${trust.reason}`,
+            trust, tier: { ...tier, name: tierName },
+        };
+    }
+    const now = Date.now();
+    const claims = {
+        tool: input.tool,
+        tier: tierName,
+        iat: new Date(now).toISOString(),
+        exp: new Date(now + tier.ttlMs).toISOString(),
+        jti: randomBytes(8).toString("hex"),
+        parentJti,
+        agent: input.agent,
+        trust: trust.score,
+        scope: input.scope,
+    };
+    const hmac = signClaims(claims);
+    const token = encodeToken(claims, hmac);
+    const passport = { claims, hmac, token };
+    // Persist delegation edge.
+    if (parentJti) {
+        const g = readDelegations(cwd);
+        g.parents[claims.jti] = parentJti;
+        writeDelegations(cwd, g);
+    }
+    // Audit ledger.
+    appendLedger(cwd, "issue", claims.jti, { tool: claims.tool, agent: claims.agent });
+    return {
+        ok: true, reason: "granted",
+        hint: `passport issued: tier=${tierName} ttl=${(tier.ttlMs / 1000).toFixed(0)}s trust=${(trust.score * 100).toFixed(0)}%`,
+        passport, trust, tier: { ...tier, name: tierName },
+    };
+}
+export function verifyPassport(input) {
+    const cwd = input.cwd ?? process.cwd();
+    const decoded = decodePassport(input.token);
+    if (!decoded)
+        return { valid: false, reason: "malformed" };
+    const { claims, hmac } = decoded;
+    const expected = signClaims(claims);
+    if (expected !== hmac) {
+        if (!input.noLedger)
+            appendLedger(cwd, "verify", claims.jti, { verdict: "bad_hmac", tool: claims.tool });
+        return { valid: false, reason: "bad_hmac", claims };
+    }
+    const now = Date.now();
+    const expMs = Date.parse(claims.exp);
+    if (!Number.isFinite(expMs) || now > expMs) {
+        if (!input.noLedger)
+            appendLedger(cwd, "verify", claims.jti, { verdict: "expired", tool: claims.tool });
+        return { valid: false, reason: "expired", claims };
+    }
+    const revoked = readRevocations(cwd);
+    if (revoked.has(claims.jti)) {
+        if (!input.noLedger)
+            appendLedger(cwd, "verify", claims.jti, { verdict: "revoked", tool: claims.tool });
+        return { valid: false, reason: "revoked", claims };
+    }
+    if (input.expectedTool && claims.tool !== input.expectedTool) {
+        if (!input.noLedger)
+            appendLedger(cwd, "verify", claims.jti, { verdict: "tool_mismatch", tool: claims.tool });
+        return { valid: false, reason: "tool_mismatch", claims };
+    }
+    if (input.expectedScope && input.expectedScope.length > 0) {
+        const have = new Set(claims.scope ?? []);
+        for (const s of input.expectedScope) {
+            if (!have.has(s)) {
+                if (!input.noLedger)
+                    appendLedger(cwd, "verify", claims.jti, { verdict: "scope_mismatch", tool: claims.tool });
+                return { valid: false, reason: "scope_mismatch", claims };
+            }
+        }
+    }
+    // Build delegation chain (audit-only — revocation cascade is handled
+    // by revokePassport({cascade:true}) explicitly marking descendants.
+    // If the caller used cascade=false on revoke, they're explicitly saying
+    // descendants should remain valid — verify must honor that intent.
+    const chain = [];
+    if (claims.parentJti) {
+        const g = readDelegations(cwd);
+        let cursor = claims.parentJti;
+        const guard = new Set();
+        while (cursor && !guard.has(cursor)) {
+            guard.add(cursor);
+            chain.unshift({ ...claims, jti: cursor, tool: claims.tool });
+            cursor = g.parents[cursor];
+        }
+    }
+    if (!input.noLedger)
+        appendLedger(cwd, "verify", claims.jti, { verdict: "valid", tool: claims.tool });
+    return { valid: true, reason: "ok", ttlMs: expMs - now, claims, chain };
+}
+export function revokePassport(input) {
+    const cwd = input.cwd ?? process.cwd();
+    let jti = input.jti;
+    if (!jti && input.token) {
+        const d = decodePassport(input.token);
+        if (d)
+            jti = d.claims.jti;
+    }
+    if (!jti)
+        return { ok: false, revokedJtis: [], hint: "missing jti or token" };
+    const cascade = input.cascade !== false;
+    const revoked = readRevocations(cwd);
+    revoked.add(jti);
+    const cascaded = [];
+    if (cascade) {
+        const g = readDelegations(cwd);
+        for (const desc of descendantsOf(jti, g)) {
+            if (!revoked.has(desc))
+                cascaded.push(desc);
+            revoked.add(desc);
+        }
+    }
+    writeRevocations(cwd, revoked);
+    appendLedger(cwd, "revoke", jti, { verdict: cascade ? `cascade(+${cascaded.length})` : "single" });
+    return {
+        ok: true,
+        revokedJtis: [jti, ...cascaded],
+        hint: cascaded.length > 0 ? `revoked ${jti} + ${cascaded.length} delegated descendant(s)` : `revoked ${jti}`,
+    };
+}
+/* ── Ledger verify ──────────────────────────────────────────────── */
+export function verifyLedgerChain(cwd) {
+    const lines = readLedgerLines(cwd);
+    let prevHmac = "";
+    for (let i = 0; i < lines.length; i++) {
+        let row;
+        try {
+            row = JSON.parse(lines[i]);
+        }
+        catch {
+            return { ok: false, rows: i, brokenAt: i };
+        }
+        if (row.prevHmac !== prevHmac)
+            return { ok: false, rows: i, brokenAt: i };
+        const expected = createHmac("sha256", keyOf()).update(prevHmac).update(canonicalJson({
+            kind: row.kind, at: row.at, jti: row.jti, tool: row.tool, agent: row.agent, verdict: row.verdict, prevHmac,
+        })).digest("hex");
+        if (expected !== row.hmac)
+            return { ok: false, rows: i, brokenAt: i };
+        prevHmac = row.hmac;
+    }
+    return { ok: true, rows: lines.length };
+}
+export function readLedger(cwd) {
+    return readLedgerLines(cwd).map((l) => {
+        try {
+            return JSON.parse(l);
+        }
+        catch {
+            return null;
+        }
+    }).filter((x) => x !== null);
+}
+/* ── Re-exports ─────────────────────────────────────────────────── */
+export { computeTrust } from "./trust_score.js";
+export { DEFAULT_POLICY, classifyTier, resolveTier } from "./policy.js";
+//# sourceMappingURL=index.js.map

package/dist/passport/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/passport/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA0CG;AAEH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACtD,OAAO,EAAE,cAAc,EAAc,SAAS,EAAE,YAAY,EAAY,aAAa,EAAE,MAAM,SAAS,CAAC;AACvG,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAE1C,OAAO,EAAE,YAAY,EAAsC,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAAkB,YAAY,EAAE,WAAW,EAAkC,MAAM,aAAa,CAAC;AAExG,MAAM,OAAO,GAAG,oBAAoB,CAAC;AACrC,MAAM,WAAW,GAAG,mBAAmB,CAAC;AACxC,SAAS,KAAK,KAAa,OAAO,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC;AA4ExE,uEAAuE;AAEvE,SAAS,aAAa,CAAC,CAAU;IAC/B,iDAAiD;IACjD,qEAAqE;IACrE,IAAI,CAAC,KAAK,SAAS;QAAE,OAAO,MAAM,CAAC,CAAC,iCAAiC;IACrE,IAAI,CAAC,KAAK,IAAI,IAAI,OAAO,CAAC,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;IAClE,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC;QAAE,OAAO,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;IAC3G,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,CAA4B,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAChG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/C,OAAO,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;AACnG,CAAC;AAED,SAAS,UAAU,CAAC,MAAsB;IACxC,OAAO,UAAU,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACnF,CAAC;AAED,SAAS,WAAW,CAAC,MAAsB,EAAE,IAAY;IACvD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9E,OAAO,GAAG,IAAI,IAAI,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,IAAI,GAAG,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACjC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;IAClC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAmB,CAAC;QAC7F,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAC;QACvD,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAeD,SAAS,UAAU,CAAC,GAAW;IAC7B,OAAO,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACrG,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,EAAE,CAAC;IAAC,CAAC;AACxB,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IAClC,IAAI,CAAC;QACH,OAAQ,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAE,CAAiB,CAAC,IAAI,CAAC;IACpE,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,EAAE,CAAC;IAAC,CAAC;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,IAAyB,EAAE,GAAW,EAAE,KAA2B;IACpG,MAAM,QAAQ,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;IACrC,MAAM,IAAI,GAA8B;QACtC,IAAI,EAAE,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE,GAAG;QACvC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ;KACvE,CAAC;IACF,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACtG,MAAM,KAAK,GAAgB,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,CAAC;IAC7C,IAAI,CAAC;QACH,SAAS,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACzD,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,CAAC;IAChE,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACtB,OAAO,KAAK,CAAC;AACf,CAAC;AAED,uEAAuE;AAEvE,SAAS,eAAe,CAAC,GAAW;IAClC,OAAO,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAC7D,CAAC;AAOD,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAmB,CAAC;QACtF,OAAO,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,GAAG,EAAE,CAAC;IAAC,CAAC;AAC/B,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,GAAgB;IACrD,IAAI,CAAC;QACH,SAAS,CAAC,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9D,aAAa,CAAC,eAAe,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC1F,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;AACxB,CAAC;AAED,uEAAuE;AAEvE,SAAS,mBAAmB,CAAC,GAAW;IACtC,OAAO,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,kBAAkB,CAAC,CAAC;AAC7D,CAAC;AAOD,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC,CAAoB,CAAC;IACvF,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;IAAC,CAAC;AACrC,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,CAAkB;IACvD,IAAI,CAAC;QACH,SAAS,CAAC,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAClE,aAAa,CAAC,mBAAmB,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IACtE,CAAC;IAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,CAAkB;IACpD,MAAM,GAAG,GAAG,IAAI,GAAG,EAAU,CAAC;IAC9B,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,CAAC;IACpB,OAAO,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,EAAG,CAAC;QAC3B,KAAK,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;YACxD,IAAI,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;gBACtC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;gBACf,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,uEAAuE;AAEvE,MAAM,UAAU,aAAa,CAAC,KAAiB;IAC7C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvC,MAAM,QAAQ,GAAa,KAAK,CAAC,IAAI,IAAI,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClE,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1D,IAAI,CAAC,IAAI;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,IAAI,EAAE,sBAAsB,QAAQ,EAAE,EAAE,CAAC;IAEhG,mCAAmC;IACnC,IAAI,SAA6B,CAAC;IAClC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,MAAM,MAAM,GAAG,cAAc,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;QAC5D,IAAI,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACpC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,IAAI,EAAE,4BAA4B,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;QACpG,CAAC;QACD,uDAAuD;QACvD,IAAI,KAAK,CAAC,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACvC,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClD,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;gBAC5B,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBACzB,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,IAAI,EAAE,gBAAgB,CAAC,uBAAuB,EAAE,CAAC;gBACzG,CAAC;YACH,CAAC;QACH,CAAC;QACD,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC;IAChC,CAAC;IAED,cAAc;IACd,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;IACpD,IAAI,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAChC,OAAO;YACL,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe;YAClC,IAAI,EAAE,SAAS,CAAC,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,QAAQ,MAAM,KAAK,CAAC,MAAM,EAAE;YACxI,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE;SACzC,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,MAAM,GAAmB;QAC7B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,IAAI,EAAE,QAAQ;QACd,GAAG,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,WAAW,EAAE;QAChC,GAAG,EAAE,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE;QAC7C,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACnC,SAAS;QACT,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,KAAK,EAAE,KAAK,CAAC,KAAK;KACnB,CAAC;IACF,MAAM,IAAI,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAa,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IAEnD,2BAA2B;IAC3B,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/B,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,SAAS,CAAC;QAClC,gBAAgB,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,gBAAgB;IAChB,YAAY,CAAC,GAAG,EAAE,OAAO,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IAEnF,OAAO;QACL,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS;QAC3B,IAAI,EAAE,yBAAyB,QAAQ,QAAQ,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG;QACzH,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,IAAI,EAAE,IAAI,EAAE,QAAQ,EAAE;KACnD,CAAC;AACJ,CAAC;AAgBD,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,CAAC,OAAO;QAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,CAAC;IAC3D,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IACjC,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;QACtB,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACzG,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,EAAE,CAAC;IACtD,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,GAAG,KAAK,EAAE,CAAC;QAC3C,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACxG,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IACrD,CAAC;IACD,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACxG,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC;IACrD,CAAC;IACD,IAAI,KAAK,CAAC,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,KAAK,CAAC,YAAY,EAAE,CAAC;QAC7D,IAAI,CAAC,KAAK,CAAC,QAAQ;YAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9G,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,CAAC;IAC3D,CAAC;IACD,IAAI,KAAK,CAAC,aAAa,IAAI,KAAK,CAAC,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1D,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,KAAK,CAAC,aAAa,EAAE,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;gBACjB,IAAI,CAAC,KAAK,CAAC,QAAQ;oBAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC/G,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,EAAE,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IACD,qEAAqE;IACrE,oEAAoE;IACpE,wEAAwE;IACxE,mEAAmE;IACnE,MAAM,KAAK,GAAqB,EAAE,CAAC;IACnC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,MAAM,GAAuB,MAAM,CAAC,SAAS,CAAC;QAClD,MAAM,KAAK,GAAG,IAAI,GAAG,EAAU,CAAC;QAChC,OAAO,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACpC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YAClB,KAAK,CAAC,OAAO,CAAC,EAAE,GAAG,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;YAC7D,MAAM,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7B,CAAC;IACH,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,QAAQ;QAAE,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;IACtG,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,GAAG,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;AAC1E,CAAC;AAmBD,MAAM,UAAU,cAAc,CAAC,KAAkB;IAC/C,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IACvC,IAAI,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC;IACpB,IAAI,CAAC,GAAG,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QACxB,MAAM,CAAC,GAAG,cAAc,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACtC,IAAI,CAAC;YAAE,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;IAC5B,CAAC;IACD,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,WAAW,EAAE,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,CAAC;IAC9E,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC;IACxC,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjB,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QAC/B,KAAK,MAAM,IAAI,IAAI,aAAa,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC;YACzC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC;gBAAE,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,gBAAgB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAC/B,YAAY,CAAC,GAAG,EAAE,QAAQ,EAAE,GAAG,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,YAAY,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC;IACnG,OAAO;QACL,EAAE,EAAE,IAAI;QACR,WAAW,EAAE,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC;QAC/B,IAAI,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,GAAG,MAAM,QAAQ,CAAC,MAAM,0BAA0B,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE;KAC7G,CAAC;AACJ,CAAC;AAED,uEAAuE;AAEvE,MAAM,UAAU,iBAAiB,CAAC,GAAW;IAC3C,MAAM,KAAK,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACnC,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,GAAgB,CAAC;QACrB,IAAI,CAAC;YAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAE,CAAgB,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAAC,CAAC;QACzG,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC1E,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC;YACnF,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,QAAQ;SAC3G,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAClB,IAAI,QAAQ,KAAK,GAAG,CAAC,IAAI;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC;QACtE,QAAQ,GAAG,GAAG,CAAC,IAAI,CAAC;IACtB,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,GAAW;IACpC,OAAO,eAAe,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;QACpC,IAAI,CAAC;YAAC,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAgB,CAAC;QAAC,CAAC;QAAC,MAAM,CAAC;YAAC,OAAO,IAAI,CAAC;QAAC,CAAC;IACrE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAoB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;AACjD,CAAC;AAED,uEAAuE;AAEvE,OAAO,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAEhD,OAAO,EAAE,cAAc,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC"}

package/dist/passport/policy.d.ts

@@ -0,0 +1,34 @@
+/**
+ * v2.61.0 — PASSPORT policy: risk tier → required trust threshold.
+ *
+ * Each MCP tool call is classified into a risk tier. Tiers map to a
+ * minimum trust score the requesting agent must clear AND a TTL for
+ * the issued passport. Stricter tiers = shorter TTL.
+ *
+ * Default policy is conservative; users override via `mneme passport
+ * policy --set tier=value` or `.mneme/passport/policy.json`.
+ */
+export type RiskTier = "safe" | "read" | "write" | "network" | "destructive";
+export interface TierConfig {
+    /** Required trust score 0..1 to grant passport. */
+    minTrust: number;
+    /** Passport TTL in milliseconds. */
+    ttlMs: number;
+    /** Human-readable description. */
+    description: string;
+    /** When true, single-agent trust is insufficient — needs multi-party. */
+    requiresMultiParty?: boolean;
+}
+export declare const DEFAULT_POLICY: Record<RiskTier, TierConfig>;
+/**
+ * Classify a tool name into a risk tier using lightweight heuristics.
+ * Used when the caller does not specify a tier.
+ *
+ * Order matters: most-specific first.
+ */
+export declare function classifyTier(toolName: string): RiskTier;
+/**
+ * Resolve a tier config, applying an optional user override.
+ */
+export declare function resolveTier(tier: RiskTier, overrides?: Partial<Record<RiskTier, Partial<TierConfig>>>): TierConfig;
+//# sourceMappingURL=policy.d.ts.map

package/dist/passport/policy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/passport/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,aAAa,CAAC;AAE7E,MAAM,WAAW,UAAU;IACzB,mDAAmD;IACnD,QAAQ,EAAE,MAAM,CAAC;IACjB,oCAAoC;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,kCAAkC;IAClC,WAAW,EAAE,MAAM,CAAC;IACpB,yEAAyE;IACzE,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,QAAQ,EAAE,UAAU,CA2BvD,CAAC;AAEF;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,QAAQ,CAYvD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,UAAU,CASlH"}

package/dist/passport/policy.js

@@ -0,0 +1,75 @@
+/**
+ * v2.61.0 — PASSPORT policy: risk tier → required trust threshold.
+ *
+ * Each MCP tool call is classified into a risk tier. Tiers map to a
+ * minimum trust score the requesting agent must clear AND a TTL for
+ * the issued passport. Stricter tiers = shorter TTL.
+ *
+ * Default policy is conservative; users override via `mneme passport
+ * policy --set tier=value` or `.mneme/passport/policy.json`.
+ */
+export const DEFAULT_POLICY = {
+    safe: {
+        minTrust: 0.0,
+        ttlMs: 60 * 60 * 1000, // 1 hour
+        description: "Read-only metadata (catalog, status, version). No state mutation possible.",
+    },
+    read: {
+        minTrust: 0.30,
+        ttlMs: 30 * 60 * 1000, // 30 min
+        description: "Read user data / files / db (could exfiltrate secrets).",
+    },
+    write: {
+        minTrust: 0.60,
+        ttlMs: 10 * 60 * 1000, // 10 min
+        description: "Mutate user data / files / db (scoped writes).",
+    },
+    network: {
+        minTrust: 0.70,
+        ttlMs: 5 * 60 * 1000, // 5 min
+        description: "Outbound network call (could exfiltrate / SSRF).",
+    },
+    destructive: {
+        minTrust: 0.85,
+        ttlMs: 5 * 60 * 1000, // 5 min
+        description: "Irreversible operation (rm -rf, DROP TABLE, git push --force, terminate instance).",
+        requiresMultiParty: false, // Set true in production policy via override.
+    },
+};
+/**
+ * Classify a tool name into a risk tier using lightweight heuristics.
+ * Used when the caller does not specify a tier.
+ *
+ * Order matters: most-specific first.
+ */
+export function classifyTier(toolName) {
+    const lower = toolName.toLowerCase();
+    // Destructive (anything that can execute arbitrary code, delete data, irreversibly mutate).
+    if (/shell|exec|spawn|bash|cmd[_.]|process[_.]|rm[_-]?(rf|fr)?|drop[_-]?(table|database)|truncate|delete[_-]?all|force[_-]?push|terminate|destroy|wipe|format/.test(lower))
+        return "destructive";
+    // Network
+    if (/fetch|http|request|post|put|delete[_-]?http|webhook|publish|broadcast|email|sms/.test(lower))
+        return "network";
+    // Write
+    if (/write|create|insert|update|patch|edit|mutate|append|set|commit|push|publish/.test(lower))
+        return "write";
+    // Read
+    if (/read|cat|fetch[_-]?file|stat|find|search|query|select|list|show/.test(lower))
+        return "read";
+    // Safe default
+    return "safe";
+}
+/**
+ * Resolve a tier config, applying an optional user override.
+ */
+export function resolveTier(tier, overrides) {
+    const base = DEFAULT_POLICY[tier];
+    const override = overrides?.[tier] ?? {};
+    return {
+        minTrust: override.minTrust ?? base.minTrust,
+        ttlMs: override.ttlMs ?? base.ttlMs,
+        description: override.description ?? base.description,
+        requiresMultiParty: override.requiresMultiParty ?? base.requiresMultiParty,
+    };
+}
+//# sourceMappingURL=policy.js.map

package/dist/passport/policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy.js","sourceRoot":"","sources":["../../src/passport/policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAeH,MAAM,CAAC,MAAM,cAAc,GAAiC;IAC1D,IAAI,EAAE;QACJ,QAAQ,EAAE,GAAG;QACb,KAAK,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QAChC,WAAW,EAAE,4EAA4E;KAC1F;IACD,IAAI,EAAE;QACJ,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QAChC,WAAW,EAAE,yDAAyD;KACvE;IACD,KAAK,EAAE;QACL,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI,EAAE,SAAS;QAChC,WAAW,EAAE,gDAAgD;KAC9D;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,QAAQ;QAC9B,WAAW,EAAE,kDAAkD;KAChE;IACD,WAAW,EAAE;QACX,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,CAAC,GAAG,EAAE,GAAG,IAAI,EAAE,QAAQ;QAC9B,WAAW,EAAE,oFAAoF;QACjG,kBAAkB,EAAE,KAAK,EAAE,8CAA8C;KAC1E;CACF,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,YAAY,CAAC,QAAgB;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IACrC,4FAA4F;IAC5F,IAAI,0JAA0J,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,aAAa,CAAC;IACjM,UAAU;IACV,IAAI,iFAAiF,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IACpH,QAAQ;IACR,IAAI,6EAA6E,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,OAAO,CAAC;IAC9G,OAAO;IACP,IAAI,iEAAiE,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,MAAM,CAAC;IACjG,eAAe;IACf,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAc,EAAE,SAA0D;IACpG,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,SAAS,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;IACzC,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ;QAC5C,KAAK,EAAE,QAAQ,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK;QACnC,WAAW,EAAE,QAAQ,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW;QACrD,kBAAkB,EAAE,QAAQ,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB;KAC3E,CAAC;AACJ,CAAC"}

package/dist/passport/trust_score.d.ts

@@ -0,0 +1,46 @@
+/**
+ * v2.61.0 — PASSPORT trust score.
+ *
+ * Fuses multiple signals into a single 0..1 trust score for an agent
+ * requesting capability. Composable on existing Mneme primitives —
+ * doesn't duplicate logic.
+ *
+ * Signals (weighted):
+ *  - NEMESIS env-scan confidence (agent vendor known with high confidence?)
+ *  - NEMESIS verify_identity verdict (claimed vs detected)
+ *  - HONEST_MIRROR weight per vendor (calibrated from past performance)
+ *  - STEALTH score INVERTED (stealthy agents = harder to attribute = lower trust)
+ *  - Past PASSPORT request approval rate (behavior history)
+ *
+ * Each signal is optional; missing signals contribute neutral 0.5.
+ * Output: { score, reason, signals } — score is HMAC-friendly determinism.
+ */
+export interface TrustInputs {
+    /** NEMESIS env-scan confidence 0..1 (how sure are we of the vendor identity). */
+    envScanConfidence?: number;
+    /** NEMESIS verify_identity verdict if available. */
+    identityVerdict?: "CONFIRMED" | "DISPUTED" | "IMPOSSIBLE" | "INCONCLUSIVE";
+    /** HONEST_MIRROR per-vendor weight 0..1 (calibrated honesty). */
+    honestMirrorWeight?: number;
+    /** STEALTH score 0..1 (1 = perfectly anonymous; lower trust for sensitive ops). */
+    stealthScore?: number;
+    /** Past PASSPORT approval rate 0..1 (count approved / total requested). */
+    historicalApprovalRate?: number;
+    /** Per-capability-class score (e.g. write_fs has been used successfully 50× without incident). */
+    perCapabilityScore?: number;
+}
+export interface TrustResult {
+    /** Final fused score 0..1. */
+    score: number;
+    /** Plain-English explanation. */
+    reason: string;
+    /** Per-signal breakdown (transparency for audit). */
+    signals: Array<{
+        name: string;
+        value: number;
+        weight: number;
+        contribution: number;
+    }>;
+}
+export declare function computeTrust(inputs: TrustInputs): TrustResult;
+//# sourceMappingURL=trust_score.d.ts.map

package/dist/passport/trust_score.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust_score.d.ts","sourceRoot":"","sources":["../../src/passport/trust_score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,MAAM,WAAW,WAAW;IAC1B,iFAAiF;IACjF,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oDAAoD;IACpD,eAAe,CAAC,EAAE,WAAW,GAAG,UAAU,GAAG,YAAY,GAAG,cAAc,CAAC;IAC3E,iEAAiE;IACjE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mFAAmF;IACnF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,2EAA2E;IAC3E,sBAAsB,CAAC,EAAE,MAAM,CAAC;IAChC,kGAAkG;IAClG,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,iCAAiC;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,qDAAqD;IACrD,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;CACvF;AAsBD,wBAAgB,YAAY,CAAC,MAAM,EAAE,WAAW,GAAG,WAAW,CAmC7D"}

package/dist/passport/trust_score.js

@@ -0,0 +1,64 @@
+/**
+ * v2.61.0 — PASSPORT trust score.
+ *
+ * Fuses multiple signals into a single 0..1 trust score for an agent
+ * requesting capability. Composable on existing Mneme primitives —
+ * doesn't duplicate logic.
+ *
+ * Signals (weighted):
+ *  - NEMESIS env-scan confidence (agent vendor known with high confidence?)
+ *  - NEMESIS verify_identity verdict (claimed vs detected)
+ *  - HONEST_MIRROR weight per vendor (calibrated from past performance)
+ *  - STEALTH score INVERTED (stealthy agents = harder to attribute = lower trust)
+ *  - Past PASSPORT request approval rate (behavior history)
+ *
+ * Each signal is optional; missing signals contribute neutral 0.5.
+ * Output: { score, reason, signals } — score is HMAC-friendly determinism.
+ */
+// Verdict → numeric value
+const VERDICT_VALUE = {
+    CONFIRMED: 1.0,
+    DISPUTED: 0.3,
+    IMPOSSIBLE: 0.0,
+    INCONCLUSIVE: 0.5,
+};
+// Weights (sum to 1.0 across present signals).
+const WEIGHTS = {
+    envScanConfidence: 0.20,
+    identityVerdict: 0.25,
+    honestMirrorWeight: 0.25,
+    stealthScoreInverted: 0.10,
+    historicalApprovalRate: 0.10,
+    perCapabilityScore: 0.10,
+};
+function clamp(x) { return Math.max(0, Math.min(1, x)); }
+export function computeTrust(inputs) {
+    const signals = [];
+    let totalWeight = 0;
+    let weightedSum = 0;
+    const add = (name, valueOpt, weight, neutral = 0.5) => {
+        const v = typeof valueOpt === "number" && Number.isFinite(valueOpt) ? clamp(valueOpt) : neutral;
+        const present = typeof valueOpt === "number" && Number.isFinite(valueOpt);
+        if (present) {
+            signals.push({ name, value: v, weight, contribution: +(v * weight).toFixed(4) });
+            totalWeight += weight;
+            weightedSum += v * weight;
+        }
+        else {
+            signals.push({ name, value: v, weight: 0, contribution: 0 });
+        }
+    };
+    add("envScanConfidence", inputs.envScanConfidence, WEIGHTS.envScanConfidence);
+    add("identityVerdict", inputs.identityVerdict ? VERDICT_VALUE[inputs.identityVerdict] : undefined, WEIGHTS.identityVerdict);
+    add("honestMirrorWeight", inputs.honestMirrorWeight, WEIGHTS.honestMirrorWeight);
+    add("stealthScoreInverted", typeof inputs.stealthScore === "number" ? 1 - clamp(inputs.stealthScore) : undefined, WEIGHTS.stealthScoreInverted);
+    add("historicalApprovalRate", inputs.historicalApprovalRate, WEIGHTS.historicalApprovalRate);
+    add("perCapabilityScore", inputs.perCapabilityScore, WEIGHTS.perCapabilityScore);
+    const score = totalWeight > 0 ? +(weightedSum / totalWeight).toFixed(4) : 0.5;
+    const presentCount = signals.filter((s) => s.weight > 0).length;
+    const reason = presentCount === 0
+        ? "no trust signals provided — defaulting to neutral 0.5"
+        : `fused ${presentCount}/${signals.length} signals → score ${(score * 100).toFixed(0)}%`;
+    return { score, reason, signals };
+}
+//# sourceMappingURL=trust_score.js.map

package/dist/passport/trust_score.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust_score.js","sourceRoot":"","sources":["../../src/passport/trust_score.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AA0BH,0BAA0B;AAC1B,MAAM,aAAa,GAAgE;IACjF,SAAS,EAAE,GAAG;IACd,QAAQ,EAAE,GAAG;IACb,UAAU,EAAE,GAAG;IACf,YAAY,EAAE,GAAG;CAClB,CAAC;AAEF,+CAA+C;AAC/C,MAAM,OAAO,GAAG;IACd,iBAAiB,EAAE,IAAI;IACvB,eAAe,EAAE,IAAI;IACrB,kBAAkB,EAAE,IAAI;IACxB,oBAAoB,EAAE,IAAI;IAC1B,sBAAsB,EAAE,IAAI;IAC5B,kBAAkB,EAAE,IAAI;CACzB,CAAC;AAEF,SAAS,KAAK,CAAC,CAAS,IAAY,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAEzE,MAAM,UAAU,YAAY,CAAC,MAAmB;IAC9C,MAAM,OAAO,GAA2B,EAAE,CAAC;IAC3C,IAAI,WAAW,GAAG,CAAC,CAAC;IACpB,IAAI,WAAW,GAAG,CAAC,CAAC;IAEpB,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,QAA4B,EAAE,MAAc,EAAE,OAAO,GAAG,GAAG,EAAE,EAAE;QACxF,MAAM,CAAC,GAAG,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;QAChG,MAAM,OAAO,GAAG,OAAO,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAC1E,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACjF,WAAW,IAAI,MAAM,CAAC;YACtB,WAAW,IAAI,CAAC,GAAG,MAAM,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,YAAY,EAAE,CAAC,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC,CAAC;IAEF,GAAG,CAAC,mBAAmB,EAAE,MAAM,CAAC,iBAAiB,EAAE,OAAO,CAAC,iBAAiB,CAAC,CAAC;IAC9E,GAAG,CAAC,iBAAiB,EACnB,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC,SAAS,EAC1E,OAAO,CAAC,eAAe,CAAC,CAAC;IAC3B,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IACjF,GAAG,CAAC,sBAAsB,EACxB,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,SAAS,EACpF,OAAO,CAAC,oBAAoB,CAAC,CAAC;IAChC,GAAG,CAAC,wBAAwB,EAAE,MAAM,CAAC,sBAAsB,EAAE,OAAO,CAAC,sBAAsB,CAAC,CAAC;IAC7F,GAAG,CAAC,oBAAoB,EAAE,MAAM,CAAC,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAEjF,MAAM,KAAK,GAAG,WAAW,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,GAAG,WAAW,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC9E,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC;IAChE,MAAM,MAAM,GAAG,YAAY,KAAK,CAAC;QAC/B,CAAC,CAAC,uDAAuD;QACzD,CAAC,CAAC,SAAS,YAAY,IAAI,OAAO,CAAC,MAAM,oBAAoB,CAAC,KAAK,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC;IAE3F,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACpC,CAAC"}

package/dist/truth_gate/claims.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"claims.d.ts","sourceRoot":"","sources":["../../src/truth_gate/claims.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,eAAO,MAAM,aAAa,EAAE,aAAa,CAAC,KAAK,CAod9C,CAAC"}
+{"version":3,"file":"claims.d.ts","sourceRoot":"","sources":["../../src/truth_gate/claims.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,YAAY,CAAC;AAExC,eAAO,MAAM,aAAa,EAAE,aAAa,CAAC,KAAK,CA4f9C,CAAC"}