@mondaydotcomorg/atp-provenance 0.17.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +417 -0
- package/dist/ast/instrumentor.d.ts +37 -0
- package/dist/ast/instrumentor.d.ts.map +1 -0
- package/dist/ast/instrumentor.js +299 -0
- package/dist/ast/instrumentor.js.map +1 -0
- package/dist/index.d.ts +7 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +7 -0
- package/dist/index.js.map +1 -0
- package/dist/policies/engine.d.ts +71 -0
- package/dist/policies/engine.d.ts.map +1 -0
- package/dist/policies/engine.js +433 -0
- package/dist/policies/engine.js.map +1 -0
- package/dist/registry.d.ts +94 -0
- package/dist/registry.d.ts.map +1 -0
- package/dist/registry.js +445 -0
- package/dist/registry.js.map +1 -0
- package/dist/tokens.d.ts +49 -0
- package/dist/tokens.d.ts.map +1 -0
- package/dist/tokens.js +239 -0
- package/dist/tokens.js.map +1 -0
- package/dist/types.d.ts +150 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +47 -0
- package/dist/types.js.map +1 -0
- package/package.json +51 -0
|
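--- a/package/dist/policies/engine.js
+++ b/package/dist/policies/engine.js
@@ -0,0 +1,433 @@
+import { ProvenanceSecurityError, ProvenanceSource } from '../types.js';
+import { getProvenance, getAllProvenance, canRead, } from '../registry.js';
+export class SecurityPolicyEngine {
+policies;
+logger;
+approvalCallback;
+customGetProvenance;
+constructor(policies, logger, customGetProvenance) {
+this.policies = policies;
+this.logger = logger;
+this.customGetProvenance = customGetProvenance;
+}
+/**
+* Set a custom getProvenance function (e.g., for AST mode)
+*/
+setGetProvenance(fn) {
+this.customGetProvenance = fn;
+}
+/**
+* Set approval callback for policies that return action='approve'
+*/
+setApprovalCallback(callback) {
+this.approvalCallback = callback;
+}
+async checkTool(toolName, apiGroup, args) {
+this.logger.debug('Checking security policies', {
+toolName,
+apiGroup,
+policyCount: this.policies.length,
+});
+// Use custom getProvenance if available, otherwise use default
+const getProvenanceFn = this.customGetProvenance || getProvenance;
+for (const policy of this.policies) {
+const result = await policy.check(toolName, args, getProvenanceFn);
+const action = this.normalizeAction(result);
+if (action === 'block') {
+this.logger.warn('Security policy blocked tool execution', {
+toolName,
+apiGroup,
+policy: policy.name,
+reason: result.reason,
+});
+throw new ProvenanceSecurityError(result.reason || `Policy ${policy.name} denied execution`, policy.name, toolName, { apiGroup, args: this.sanitizeArgs(args), context: result.context });
+}
+if (action === 'approve') {
+this.logger.info('Security policy requires approval', {
+toolName,
+apiGroup,
+policy: policy.name,
+reason: result.reason,
+});
+const approved = await this.requestApproval(toolName, apiGroup, policy.name, result);
+if (!approved) {
+this.logger.warn('Security policy approval denied', {
+toolName,
+apiGroup,
+policy: policy.name,
+});
+throw new ProvenanceSecurityError(`Approval denied: ${result.reason || 'Operation requires approval'}`, policy.name, toolName, { apiGroup, args: this.sanitizeArgs(args), approvalDenied: true });
+}
+this.logger.info('Security policy approval granted', {
+toolName,
+apiGroup,
+policy: policy.name,
+});
+}
+if (action === 'log') {
+this.logger.warn('Security policy audit event', {
+toolName,
+apiGroup,
+policy: policy.name,
+reason: result.reason,
+context: result.context,
+args: this.sanitizeArgs(args),
+});
+}
+}
+this.logger.debug('All security policies passed', { toolName, apiGroup });
+}
+normalizeAction(result) {
+if (result.action) {
+return result.action;
+}
+if (result.allowed !== undefined) {
+return result.allowed ? 'log' : 'block';
+}
+return 'log';
+}
+async requestApproval(toolName, apiGroup, policyName, result) {
+if (!this.approvalCallback) {
+this.logger.error('Approval required but no callback configured', {
+toolName,
+policy: policyName,
+});
+throw new ProvenanceSecurityError('Approval required but approval handler not configured', policyName, toolName, { requiresApproval: true });
+}
+const message = result.reason || `Policy ${policyName} requires approval for ${toolName}`;
+const context = {
+toolName,
+apiGroup,
+policy: policyName,
+...(result.context || {}),
+};
+try {
+return await this.approvalCallback(message, context);
+}
+catch (error) {
+this.logger.error('Approval request failed', { error, toolName, policy: policyName });
+return false;
+}
+}
+sanitizeArgs(args) {
+const sanitized = {};
+for (const [key, value] of Object.entries(args)) {
+if (typeof value === 'string' && value.length > 100) {
+sanitized[key] = value.substring(0, 100) + '...';
+}
+else if (typeof value === 'object') {
+sanitized[key] = '[object]';
+}
+else {
+sanitized[key] = value;
+}
+}
+return sanitized;
+}
+}
+/**
+* Built-in Security Policies
+*/
+/**
+* Helper: Get all provenance from args object, including scanning all nested values
+* This catches primitives that came from tool-originated objects
+*/
+function getAllProvenanceFromArgs(args, getProvenance) {
+const allProvenance = [];
+const visited = new Set();
+function scan(value) {
+if (value === null || value === undefined)
+return;
+if (typeof value === 'string' || typeof value === 'number') {
+try {
+const primitiveProv = getProvenance(value);
+if (primitiveProv) {
+allProvenance.push(primitiveProv);
+}
+}
+catch (error) {
+// Ignore errors during provenance lookup
+}
+return;
+}
+if (typeof value !== 'object')
+return;
+if (visited.has(value))
+return;
+visited.add(value);
+const provenance = getProvenance(value);
+if (provenance) {
+allProvenance.push(provenance);
+}
+if (Array.isArray(value)) {
+for (const item of value) {
+scan(item);
+}
+}
+else {
+for (const key in value) {
+if (Object.prototype.hasOwnProperty.call(value, key)) {
+scan(value[key]);
+}
+}
+}
+}
+for (const key in args) {
+if (Object.prototype.hasOwnProperty.call(args, key)) {
+scan(args[key]);
+}
+}
+return allProvenance;
+}
+/**
+* Prevent data exfiltration - blocks sending private data to unauthorized recipients
+*/
+export const preventDataExfiltration = {
+name: 'prevent-data-exfiltration',
+description: 'Prevents sending data to recipients who cannot read it',
+check: (toolName, args, getProvenance) => {
+const recipientKeys = ['to', 'recipient', 'recipients', 'email', 'address'];
+const dataKeys = ['body', 'message', 'content', 'data', 'payload'];
+let recipient = null;
+for (const key of recipientKeys) {
+if (args[key] && typeof args[key] === 'string') {
+recipient = args[key];
+break;
+}
+}
+if (!recipient) {
+return { action: 'log' };
+}
+const allProvenance = getAllProvenanceFromArgs(args, getProvenance);
+for (const metadata of allProvenance) {
+if (metadata.source.type === ProvenanceSource.TOOL) {
+if (metadata.readers.type === 'restricted') {
+if (!canRead(recipient, metadata.readers)) {
+return {
+action: 'block',
+reason: `Recipient "${recipient}" cannot read data from ${metadata.source.toolName}. Authorized readers: ${metadata.readers.readers.join(', ')}`,
+policy: 'prevent-data-exfiltration',
+context: {
+recipient,
+toolSource: metadata.source.toolName,
+authorizedReaders: metadata.readers.readers,
+},
+};
+}
+}
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Prevent data exfiltration (approval mode) - requires approval for risky sends
+*/
+export const preventDataExfiltrationWithApproval = {
+name: 'prevent-data-exfiltration-approval',
+description: 'Requires approval for sending data to recipients who cannot read it',
+check: (toolName, args, getProvenance) => {
+const recipientKeys = ['to', 'recipient', 'recipients', 'email', 'address'];
+let recipient = null;
+for (const key of recipientKeys) {
+if (args[key] && typeof args[key] === 'string') {
+recipient = args[key];
+break;
+}
+}
+if (!recipient) {
+return { action: 'log' };
+}
+const allProvenance = getAllProvenanceFromArgs(args, getProvenance);
+for (const metadata of allProvenance) {
+if (metadata.source.type === ProvenanceSource.TOOL) {
+if (metadata.readers.type === 'restricted') {
+if (!canRead(recipient, metadata.readers)) {
+return {
+action: 'approve',
+reason: `Sending data from ${metadata.source.toolName} to "${recipient}" (not in authorized readers)`,
+policy: 'prevent-data-exfiltration-approval',
+context: {
+recipient,
+toolSource: metadata.source.toolName,
+authorizedReaders: metadata.readers.readers,
+sensitiveFields: Object.keys(args).filter((k) => args[k] !== null),
+},
+};
+}
+}
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Require user origin - ensures sensitive operations only use user-provided data
+*/
+export const requireUserOrigin = {
+name: 'require-user-origin',
+description: 'Requires critical parameters to come directly from user input',
+check: (toolName, args, getProvenance) => {
+const criticalTools = ['deleteDatabase', 'dropTable', 'executeSQL', 'sendMoney', 'transfer'];
+if (!criticalTools.some((t) => toolName.toLowerCase().includes(t.toLowerCase()))) {
+return { action: 'log' };
+}
+for (const [key, value] of Object.entries(args)) {
+const allProvenance = getAllProvenance(value);
+for (const metadata of allProvenance) {
+if (metadata.source.type !== ProvenanceSource.USER &&
+metadata.source.type !== ProvenanceSource.SYSTEM) {
+return {
+action: 'block',
+reason: `Critical tool "${toolName}" parameter "${key}" must come from user input, but came from ${metadata.source.type}`,
+policy: 'require-user-origin',
+context: {
+toolName,
+parameterKey: key,
+actualSource: metadata.source.type,
+},
+};
+}
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Require user origin (approval mode) - requires approval for non-user-originated critical operations
+*/
+export const requireUserOriginWithApproval = {
+name: 'require-user-origin-approval',
+description: 'Requires approval for critical operations with non-user data',
+check: (toolName, args, getProvenance) => {
+const criticalTools = ['deleteDatabase', 'dropTable', 'executeSQL', 'sendMoney', 'transfer'];
+if (!criticalTools.some((t) => toolName.toLowerCase().includes(t.toLowerCase()))) {
+return { action: 'log' };
+}
+for (const [key, value] of Object.entries(args)) {
+const allProvenance = getAllProvenance(value);
+for (const metadata of allProvenance) {
+if (metadata.source.type !== ProvenanceSource.USER &&
+metadata.source.type !== ProvenanceSource.SYSTEM) {
+return {
+action: 'approve',
+reason: `Critical operation "${toolName}" with parameter "${key}" from ${metadata.source.type} source`,
+policy: 'require-user-origin-approval',
+context: {
+toolName,
+parameterKey: key,
+actualSource: metadata.source.type,
+value: String(value).substring(0, 100),
+},
+};
+}
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Block LLM-generated recipients - prevents sending to LLM-extracted emails
+*/
+export const blockLLMRecipients = {
+name: 'block-llm-recipients',
+description: 'Blocks sending data to LLM-extracted email addresses',
+check: (toolName, args, getProvenance) => {
+const recipientKeys = ['to', 'recipient', 'recipients', 'email'];
+for (const key of recipientKeys) {
+if (!args[key])
+continue;
+const metadata = getProvenance(args[key]);
+if (metadata && metadata.source.type === ProvenanceSource.LLM) {
+return {
+action: 'block',
+reason: `Cannot send to LLM-extracted recipient in parameter "${key}". Recipients must come from user input or trusted sources.`,
+policy: 'block-llm-recipients',
+context: {
+parameterKey: key,
+recipientValue: String(args[key]).substring(0, 50),
+},
+};
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Block LLM-generated recipients (approval mode) - requires approval for LLM-extracted emails
+*/
+export const blockLLMRecipientsWithApproval = {
+name: 'block-llm-recipients-approval',
+description: 'Requires approval for sending to LLM-extracted email addresses',
+check: (toolName, args, getProvenance) => {
+const recipientKeys = ['to', 'recipient', 'recipients', 'email'];
+for (const key of recipientKeys) {
+if (!args[key])
+continue;
+const metadata = getProvenance(args[key]);
+if (metadata && metadata.source.type === ProvenanceSource.LLM) {
+return {
+action: 'approve',
+reason: `Sending to LLM-extracted recipient "${args[key]}" in parameter "${key}"`,
+policy: 'block-llm-recipients-approval',
+context: {
+parameterKey: key,
+recipientValue: String(args[key]),
+llmOperation: metadata.source.operation,
+},
+};
+}
+}
+return { action: 'log' };
+},
+};
+/**
+* Audit sensitive data access - logs access without blocking
+*/
+export const auditSensitiveAccess = {
+name: 'audit-sensitive-access',
+description: 'Logs access to sensitive data (does not block)',
+check: (toolName, args, getProvenance) => {
+const sensitiveTools = ['getPassword', 'getCreditCard', 'getSSN', 'getBankAccount'];
+if (sensitiveTools.some((t) => toolName.toLowerCase().includes(t.toLowerCase()))) {
+const allProvenance = getAllProvenance(args);
+return {
+action: 'log',
+reason: `Sensitive data accessed via ${toolName}`,
+policy: 'audit-sensitive-access',
+context: {
+toolName,
+provenanceChain: allProvenance.map((p) => ({
+source: p.source,
+id: p.id,
+})),
+},
+};
+}
+return { action: 'log' };
+},
+};
+/**
+* Helper: Create custom policy
+*/
+export function createCustomPolicy(name, description, checkFn) {
+return { name, description, check: checkFn };
+}
+/**
+* Get all built-in policies
+*/
+export function getBuiltInPolicies() {
+return [preventDataExfiltration, requireUserOrigin, blockLLMRecipients, auditSensitiveAccess];
+}
+/**
+* Get all built-in policies with approval variants
+*/
+export function getBuiltInPoliciesWithApproval() {
+return [
+preventDataExfiltrationWithApproval,
+requireUserOriginWithApproval,
+blockLLMRecipientsWithApproval,
+auditSensitiveAccess,
+];
+}
+//# sourceMappingURL=engine.js.map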
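Review bot: The policy dispatcher in `checkTool` fails open: a result whose `action` is any string other than `'block'`, `'approve'` or `'log'` (a misspelled `'deny'` from a custom policy, say) is returned verbatim by `normalizeAction` and then matches none of the three `if (action === …)` branches, so the tool call proceeds silently with no log line at all. I would validate in `normalizeAction` before `return result.action;`, e.g. `if (!['block', 'approve', 'log'].includes(result.action)) return 'block';`, and add a comment there stating that a result with neither `action` nor `allowed` is deliberately treated as `'log'`, since that fallback is also a fail-open default. Separately, `preventDataExfiltration` and `preventDataExfiltrationWithApproval` only pick up a recipient when `args[key]` is a string, so a call like `{ recipients: ['x@y'], body: toolData }` leaves `recipient` null and returns `'log'` without consulting provenance; iterating string elements of an array under those keys would close that gap, and the unused `dataKeys` constant can be dropped. `requireUserOrigin`, `requireUserOriginWithApproval` and `auditSensitiveAccess` also call the module-level `getAllProvenance` rather than the `getProvenance` argument the engine passes, which presumably means the custom lookup installed via `setGetProvenance` (AST mode) is never consulted by those policies — worth confirming against registry.js and either threading the callback through or documenting why the registry lookup is sufficient there.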
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/policies/engine.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EACN,aAAa,EACb,gBAAgB,EAChB,OAAO,GAEP,MAAM,gBAAgB,CAAC;AASxB,MAAM,OAAO,oBAAoB;IACxB,QAAQ,CAAmB;IAC3B,MAAM,CAAS;IACf,gBAAgB,CAGF;IACd,mBAAmB,CAA2B;IAEtD,YACC,QAA0B,EAC1B,MAAc,EACd,mBAA6C;QAE7C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QACzB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,mBAAmB,GAAG,mBAAmB,CAAC;IAChD,CAAC;IAED;;OAEG;IACH,gBAAgB,CAAC,EAA2B;QAC3C,IAAI,CAAC,mBAAmB,GAAG,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,mBAAmB,CAClB,QAAiF;QAEjF,IAAI,CAAC,gBAAgB,GAAG,QAAQ,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,SAAS,CACd,QAAgB,EAChB,QAAgB,EAChB,IAA6B;QAE7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,EAAE;YAC/C,QAAQ;YACR,QAAQ;YACR,WAAW,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;SACjC,CAAC,CAAC;QAEH,+DAA+D;QAC/D,MAAM,eAAe,GAAG,IAAI,CAAC,mBAAmB,IAAI,aAAa,CAAC;QAElE,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE,eAAe,CAAC,CAAC;YAEnE,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;YAE5C,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;gBACxB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,EAAE;oBAC1D,QAAQ;oBACR,QAAQ;oBACR,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACrB,CAAC,CAAC;gBAEH,MAAM,IAAI,uBAAuB,CAChC,MAAM,CAAC,MAAM,IAAI,UAAU,MAAM,CAAC,IAAI,mBAAmB,EACzD,MAAM,CAAC,IAAI,EACX,QAAQ,EACR,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CACpE,CAAC;YACH,CAAC;YAED,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;oBACrD,QAAQ;oBACR,QAAQ;oBACR,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;iBACrB,CAAC,CAAC;gBAEH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;gBAErF,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACf,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,iCAAiC,EAAE;wBACnD,QAAQ;wBACR,QAAQ;wBACR,MAAM,EAAE,MAAM,CAAC,IAAI;qBACnB,CAAC,CAAC;oBAEH,MAAM,IAAI,uBAAuB,CAChC,oBAAoB,MAAM,CAAC,MAAM,IAAI,6BAA6B
,EAAE,EACpE,MAAM,CAAC,IAAI,EACX,QAAQ,EACR,EAAE,QAAQ,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CACjE,CAAC;gBACH,CAAC;gBAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;oBACpD,QAAQ;oBACR,QAAQ;oBACR,MAAM,EAAE,MAAM,CAAC,IAAI;iBACnB,CAAC,CAAC;YACJ,CAAC;YAED,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;gBACtB,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6BAA6B,EAAE;oBAC/C,QAAQ;oBACR,QAAQ;oBACR,MAAM,EAAE,MAAM,CAAC,IAAI;oBACnB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,OAAO,EAAE,MAAM,CAAC,OAAO;oBACvB,IAAI,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC;iBAC7B,CAAC,CAAC;YACJ,CAAC;QACF,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;IAC3E,CAAC;IAEO,eAAe,CAAC,MAAoB;QAC3C,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,MAAM,CAAC,MAAM,CAAC;QACtB,CAAC;QAED,IAAI,MAAM,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC;QACzC,CAAC;QAED,OAAO,KAAK,CAAC;IACd,CAAC;IAEO,KAAK,CAAC,eAAe,CAC5B,QAAgB,EAChB,QAAgB,EAChB,UAAkB,EAClB,MAAoB;QAEpB,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,CAAC;YAC5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE;gBACjE,QAAQ;gBACR,MAAM,EAAE,UAAU;aAClB,CAAC,CAAC;YACH,MAAM,IAAI,uBAAuB,CAChC,uDAAuD,EACvD,UAAU,EACV,QAAQ,EACR,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAC1B,CAAC;QACH,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,IAAI,UAAU,UAAU,0BAA0B,QAAQ,EAAE,CAAC;QAC1F,MAAM,OAAO,GAAG;YACf,QAAQ;YACR,QAAQ;YACR,MAAM,EAAE,UAAU;YAClB,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;SACzB,CAAC;QAEF,IAAI,CAAC;YACJ,OAAO,MAAM,IAAI,CAAC,gBAAgB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACtD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,yBAAyB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;YACtF,OAAO,KAAK,CAAC;QACd,CAAC;IACF,CAAC;IAEO,YAAY,CAAC,IAA6B;QACjD,MAAM,SAAS,GAA4B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;gBACrD,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;YAClD,CAAC;iBAAM,IAAI,OAAO,KAAK
,KAAK,QAAQ,EAAE,CAAC;gBACtC,SAAS,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC;YAC7B,CAAC;iBAAM,CAAC;gBACP,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACxB,CAAC;QACF,CAAC;QACD,OAAO,SAAS,CAAC;IAClB,CAAC;CACD;AAED;;GAEG;AAEH;;;GAGG;AACH,SAAS,wBAAwB,CAChC,IAA6B,EAC7B,aAAsC;IAEtC,MAAM,aAAa,GAAU,EAAE,CAAC;IAChC,MAAM,OAAO,GAAG,IAAI,GAAG,EAAO,CAAC;IAE/B,SAAS,IAAI,CAAC,KAAc;QAC3B,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS;YAAE,OAAO;QAElD,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC5D,IAAI,CAAC;gBACJ,MAAM,aAAa,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;gBAC3C,IAAI,aAAa,EAAE,CAAC;oBACnB,aAAa,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;gBACnC,CAAC;YACF,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBAChB,yCAAyC;YAC1C,CAAC;YACD,OAAO;QACR,CAAC;QAED,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO;QACtC,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC;YAAE,OAAO;QAC/B,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAEnB,MAAM,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACxC,IAAI,UAAU,EAAE,CAAC;YAChB,aAAa,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBAC1B,IAAI,CAAC,IAAI,CAAC,CAAC;YACZ,CAAC;QACF,CAAC;aAAM,CAAC;YACP,KAAK,MAAM,GAAG,IAAI,KAAK,EAAE,CAAC;gBACzB,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC;oBACtD,IAAI,CAAE,KAAa,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC3B,CAAC;YACF,CAAC;QACF,CAAC;IACF,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACxB,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YACrD,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACjB,CAAC;IACF,CAAC;IAED,OAAO,aAAa,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAAmB;IACtD,IAAI,EAAE,2BAA2B;IACjC,WAAW,EAAE,wDAAwD;IACrE,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAC5E,MAAM,QAAQ,GAAG,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;QAEnE,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAChD,SA
AS,GAAG,IAAI,CAAC,GAAG,CAAW,CAAC;gBAChC,MAAM;YACP,CAAC;QACF,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAEpE,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI,EAAE,CAAC;gBACpD,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC5C,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC3C,OAAO;4BACN,MAAM,EAAE,OAAuB;4BAC/B,MAAM,EAAE,cAAc,SAAS,2BAA2B,QAAQ,CAAC,MAAM,CAAC,QAAQ,yBAAyB,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;4BAChJ,MAAM,EAAE,2BAA2B;4BACnC,OAAO,EAAE;gCACR,SAAS;gCACT,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ;gCACpC,iBAAiB,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO;6BAC3C;yBACD,CAAC;oBACH,CAAC;gBACF,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,mCAAmC,GAAmB;IAClE,IAAI,EAAE,oCAAoC;IAC1C,WAAW,EAAE,qEAAqE;IAClF,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;QAE5E,IAAI,SAAS,GAAkB,IAAI,CAAC;QACpC,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;gBAChD,SAAS,GAAG,IAAI,CAAC,GAAG,CAAW,CAAC;gBAChC,MAAM;YACP,CAAC;QACF,CAAC;QAED,IAAI,CAAC,SAAS,EAAE,CAAC;YAChB,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,MAAM,aAAa,GAAG,wBAAwB,CAAC,IAAI,EAAE,aAAa,CAAC,CAAC;QAEpE,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;YACtC,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI,EAAE,CAAC;gBACpD,IAAI,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;oBAC5C,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;wBAC3C,OAAO;4BACN,MAAM,EAAE,SAAyB;4BACjC,MAAM,EAAE,qBAAqB,QAAQ,CAAC,MAAM,CAAC,QAAQ,QAAQ,SAAS,+BAA+B;4BACrG,MAAM,EAAE,oCAAoC;4BAC5C,OAAO,EAAE;gCACR,SAAS;gCACT,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,QAAQ;gCACpC,iBAAiB,EAAE,QAAQ,CAAC,OAAO,CAAC,OAAO;gCAC3C,eAAe,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,C
AAC,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC;6BAClE;yBACD,CAAC;oBACH,CAAC;gBACF,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAmB;IAChD,IAAI,EAAE,qBAAqB;IAC3B,WAAW,EAAE,+DAA+D;IAC5E,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,gBAAgB,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAE7F,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAClF,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YAE9C,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACtC,IACC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI;oBAC9C,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,MAAM,EAC/C,CAAC;oBACF,OAAO;wBACN,MAAM,EAAE,OAAuB;wBAC/B,MAAM,EAAE,kBAAkB,QAAQ,gBAAgB,GAAG,8CAA8C,QAAQ,CAAC,MAAM,CAAC,IAAI,EAAE;wBACzH,MAAM,EAAE,qBAAqB;wBAC7B,OAAO,EAAE;4BACR,QAAQ;4BACR,YAAY,EAAE,GAAG;4BACjB,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI;yBAClC;qBACD,CAAC;gBACH,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAmB;IAC5D,IAAI,EAAE,8BAA8B;IACpC,WAAW,EAAE,8DAA8D;IAC3E,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,gBAAgB,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,EAAE,UAAU,CAAC,CAAC;QAE7F,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAClF,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;QAC1C,CAAC;QAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACjD,MAAM,aAAa,GAAG,gBAAgB,CAAC,KAAK,CAAC,CAAC;YAE9C,KAAK,MAAM,QAAQ,IAAI,aAAa,EAAE,CAAC;gBACtC,IACC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,IAAI;oBAC9C,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,MAAM,EAC/C,CAAC;oBACF,OAAO;wBACN,MAAM,EAAE,SAAyB;wBACjC,MAAM,EAAE,uBAAuB,QAAQ,qBAAqB,G
AAG,UAAU,QAAQ,CAAC,MAAM,CAAC,IAAI,SAAS;wBACtG,MAAM,EAAE,8BAA8B;wBACtC,OAAO,EAAE;4BACR,QAAQ;4BACR,YAAY,EAAE,GAAG;4BACjB,YAAY,EAAE,QAAQ,CAAC,MAAM,CAAC,IAAI;4BAClC,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;yBACtC;qBACD,CAAC;gBACH,CAAC;YACF,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAAmB;IACjD,IAAI,EAAE,sBAAsB;IAC5B,WAAW,EAAE,sDAAsD;IACnE,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QAEjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEzB,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1C,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,GAAG,EAAE,CAAC;gBAC/D,OAAO;oBACN,MAAM,EAAE,OAAuB;oBAC/B,MAAM,EAAE,wDAAwD,GAAG,6DAA6D;oBAChI,MAAM,EAAE,sBAAsB;oBAC9B,OAAO,EAAE;wBACR,YAAY,EAAE,GAAG;wBACjB,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;qBAClD;iBACD,CAAC;YACH,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,8BAA8B,GAAmB;IAC7D,IAAI,EAAE,+BAA+B;IACrC,WAAW,EAAE,gEAAgE;IAC7E,KAAK,EAAE,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,aAAa,GAAG,CAAC,IAAI,EAAE,WAAW,EAAE,YAAY,EAAE,OAAO,CAAC,CAAC;QAEjE,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YACjC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEzB,MAAM,QAAQ,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1C,IAAI,QAAQ,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB,CAAC,GAAG,EAAE,CAAC;gBAC/D,OAAO;oBACN,MAAM,EAAE,SAAyB;oBACjC,MAAM,EAAE,uCAAuC,IAAI,CAAC,GAAG,CAAC,mBAAmB,GAAG,GAAG;oBACjF,MAAM,EAAE,+BAA+B;oBACvC,OAAO,EAAE;wBACR,YAAY,EAAE,GAAG;wBACjB,cAAc,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;wBACjC,YAAY,EAAG,QAAQ,CAAC,MAAc,CAAC,SAAS;qBAChD;iBACD,CAAC;YACH,CAAC;QACF,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAmB;IACnD,IAAI,EAAE,wBAAwB;IAC9B,WAAW,EAAE,gDAAgD;IAC7D,KAAK,EAAE
,CAAC,QAAQ,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE;QACxC,MAAM,cAAc,GAAG,CAAC,aAAa,EAAE,eAAe,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;QAEpF,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC;YAClF,MAAM,aAAa,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAE7C,OAAO;gBACN,MAAM,EAAE,KAAqB;gBAC7B,MAAM,EAAE,+BAA+B,QAAQ,EAAE;gBACjD,MAAM,EAAE,wBAAwB;gBAChC,OAAO,EAAE;oBACR,QAAQ;oBACR,eAAe,EAAE,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBAC1C,MAAM,EAAE,CAAC,CAAC,MAAM;wBAChB,EAAE,EAAE,CAAC,CAAC,EAAE;qBACR,CAAC,CAAC;iBACH;aACD,CAAC;QACH,CAAC;QAED,OAAO,EAAE,MAAM,EAAE,KAAqB,EAAE,CAAC;IAC1C,CAAC;CACD,CAAC;AAEF;;GAEG;AACH,MAAM,UAAU,kBAAkB,CACjC,IAAY,EACZ,WAAmB,EACnB,OAAgC;IAEhC,OAAO,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IACjC,OAAO,CAAC,uBAAuB,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,oBAAoB,CAAC,CAAC;AAC/F,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,8BAA8B;IAC7C,OAAO;QACN,mCAAmC;QACnC,6BAA6B;QAC7B,8BAA8B;QAC9B,oBAAoB;KACpB,CAAC;AACH,CAAC"}
|
|
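--- a/package/dist/registry.d.ts
+++ b/package/dist/registry.d.ts
@@ -0,0 +1,94 @@
+import type { ProvenanceMetadata, SourceMetadata, ReaderPermissions } from './types.js';
+/**
+* Mark a primitive value as tainted (derived from tool data)
+* Used by AST mode to track derived values
+*/
+export declare function markPrimitiveTainted(value: unknown, sourceMetadata: ProvenanceMetadata): void;
+/**
+* Check if a primitive is tainted (derived from tool data)
+*/
+export declare function isPrimitiveTainted(value: unknown): boolean;
+/**
+* Set the current execution ID for provenance tracking
+* MUST be called at start of each execution to prevent memory leaks
+*/
+export declare function setProvenanceExecutionId(executionId: string): void;
+/**
+* Clear the current execution ID
+*/
+export declare function clearProvenanceExecutionId(): void;
+/**
+* Register provenance metadata directly (for AST tracking in isolated-vm)
+*/
+export declare function registerProvenanceMetadata(id: string, metadata: ProvenanceMetadata, executionId?: string): void;
+/**
+* Cleanup provenance for a specific execution to prevent memory leaks
+* MUST be called after execution completes or fails
+*/
+export declare function cleanupProvenanceForExecution(executionId: string): void;
+/**
+* Check if a primitive value was extracted from a provenance-tracked object
+* This catches: const ssn = user.ssn; await send({ body: ssn })
+* Also checks if value is marked as tainted (AST mode)
+*/
+export declare function getProvenanceForPrimitive(value: unknown): ProvenanceMetadata | null;
+/**
+* Capture provenance state for pause/resume
+*/
+export declare function captureProvenanceState(executionId: string): Map<string, ProvenanceMetadata>;
+/**
+* Capture provenance snapshot including primitive taints for multi-step token persistence
+*/
+export declare function captureProvenanceSnapshot(executionId: string): {
+registry: Array<[string, ProvenanceMetadata]>;
+primitives: Array<[string, ProvenanceMetadata]>;
+};
+/**
+* Restore provenance state after resume
+*/
+export declare function restoreProvenanceState(executionId: string, state: Map<string, ProvenanceMetadata>): void;
+/**
+* Restore provenance snapshot including primitive taints for multi-step token persistence
+*/
+export declare function restoreProvenanceSnapshot(executionId: string, snapshot: {
+registry: Array<[string, ProvenanceMetadata]>;
+primitives: Array<[string, ProvenanceMetadata]>;
+}): void;
+/**
+* Create a provenance-tracked value
+* SOLUTION: Store metadata in global registry, attach only ID to object
+* The ID (simple string) SURVIVES isolated-vm cloning
+*
+* For objects, also wraps in Proxy to track primitive extractions
+*/
+export declare function createProvenanceProxy<T>(value: T, source: SourceMetadata, readers?: ReaderPermissions, dependencies?: string[]): T;
+/**
+* Get provenance metadata from a value
+* Looks up by ID from global registry (survives isolated-vm cloning)
+*/
+export declare function getProvenance(value: unknown): ProvenanceMetadata | null;
+/**
+* Check if a value has provenance tracking
+*/
+export declare function hasProvenance(value: unknown): boolean;
+/**
+* Get all provenance metadata in an object recursively
+*/
+export declare function getAllProvenance(value: unknown, visited?: Set<any>): ProvenanceMetadata[];
+/**
+* Merge reader permissions (intersection for security)
+*/
+export declare function mergeReaders(readers1: ReaderPermissions, readers2: ReaderPermissions): ReaderPermissions;
+/**
+* Check if a reader can access data with given permissions
+*/
+export declare function canRead(reader: string, permissions: ReaderPermissions): boolean;
+/**
+* Extract provenance for serialization (pause/resume)
+*/
+export declare function extractProvenanceMap(sandbox: Record<string, unknown>): Map<string, ProvenanceMetadata>;
+/**
+* Restore provenance from serialized state
+*/
+export declare function restoreProvenanceMap(provenanceMap: Map<string, ProvenanceMetadata>, sandbox: Record<string, unknown>): void;
+//# sourceMappingURL=registry.d.ts.map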
@@ -0,0 +1 @@
1
+
{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../src/registry.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EACX,kBAAkB,EAClB,cAAc,EACd,iBAAiB,EAEjB,MAAM,YAAY,CAAC;AAiBpB;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,OAAO,EAAE,cAAc,EAAE,kBAAkB,GAAG,IAAI,CAc7F;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAa1D;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAQlE;AAED;;GAEG;AACH,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACzC,EAAE,EAAE,MAAM,EACV,QAAQ,EAAE,kBAAkB,EAC5B,WAAW,CAAC,EAAE,MAAM,GAClB,IAAI,CA2BN;AAED;;;GAGG;AACH,wBAAgB,6BAA6B,CAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAmBvE;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,OAAO,GAAG,kBAAkB,GAAG,IAAI,CAwCnF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,WAAW,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAY3F;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,MAAM,GAAG;IAC/D,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC9C,UAAU,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAChD,CA6BA;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACrC,WAAW,EAAE,MAAM,EACnB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,GACpC,IAAI,CAQN;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACxC,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE;IACT,QAAQ,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;IAC9C,UAAU,EAAE,KAAK,CAAC,CAAC,MAAM,EAAE,kBAAkB,CAAC,CAAC,CAAC;CAChD,GACC,IAAI,CAiBN;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,CAAC,EACtC,KAAK,EAAE,CAAC,EACR,MAAM,EAAE,cAAc,EACtB,OAAO,GAAE,iBAAsC,EAC/C,YAAY,GAAE,MAAM,EAAO,GACzB,CAAC,CA+DH;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,kBAAkB,GAAG,IAAI,CAgCvE;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAErD;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,WAAiB,GAAG,kBAAkB,EAAE,CAkC/F;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC3B,QAAQ,EAAE,iBAAiB,EAC3B,QAAQ,EAAE,iBAAiB,GACzB,iBAAiB,CAUnB;AAED;;GAEG;AACH,wBAAgB,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAK/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CACnC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,GAAG,CAAC,MAAM,EAAE,kBAAkB,
CAAC,CAqCjC;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CACnC,aAAa,EAAE,GAAG,CAAC,MAAM,EAAE,kBAAkB,CAAC,EAC9C,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC9B,IAAI,CAON"}