@nekzus/liop 2.0.0-alpha.1 → 2.0.0-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (124) hide show
  1. package/README.md +54 -24
  2. package/dist/bin/agent.d.ts +0 -1
  3. package/dist/bin/agent.js +5 -306
  4. package/dist/bin/agent.js.map +1 -0
  5. package/dist/{bridge/stream.d.ts → bridge.d.ts} +44 -3
  6. package/dist/bridge.js +2 -0
  7. package/dist/bridge.js.map +1 -0
  8. package/dist/chunk-5OAZNVIU.js +31 -0
  9. package/dist/chunk-5OAZNVIU.js.map +1 -0
  10. package/dist/chunk-62YQHKSS.js +3 -0
  11. package/dist/chunk-62YQHKSS.js.map +1 -0
  12. package/dist/chunk-7MAGL6ON.js +33 -0
  13. package/dist/chunk-7MAGL6ON.js.map +1 -0
  14. package/dist/chunk-ANFXJGMP.js +2 -0
  15. package/dist/chunk-ANFXJGMP.js.map +1 -0
  16. package/dist/chunk-DBXGYHKY.js +2 -0
  17. package/dist/chunk-DBXGYHKY.js.map +1 -0
  18. package/dist/chunk-HM77MWB6.js +2 -0
  19. package/dist/chunk-HM77MWB6.js.map +1 -0
  20. package/dist/chunk-HNDVAKEK.js +24 -0
  21. package/dist/chunk-HNDVAKEK.js.map +1 -0
  22. package/dist/chunk-HQZHZM6U.js +2 -0
  23. package/dist/chunk-HQZHZM6U.js.map +1 -0
  24. package/dist/chunk-JBMEAXYU.js +13 -0
  25. package/dist/chunk-JBMEAXYU.js.map +1 -0
  26. package/dist/chunk-P52IE4L6.js +2 -0
  27. package/dist/chunk-P52IE4L6.js.map +1 -0
  28. package/dist/chunk-PPCOS2NU.js +2 -0
  29. package/dist/chunk-PPCOS2NU.js.map +1 -0
  30. package/dist/chunk-RWRRBYG4.js +2 -0
  31. package/dist/chunk-RWRRBYG4.js.map +1 -0
  32. package/dist/chunk-S6RJHZV2.js +2 -0
  33. package/dist/chunk-S6RJHZV2.js.map +1 -0
  34. package/dist/chunk-UVTEJYHN.js +2 -0
  35. package/dist/chunk-UVTEJYHN.js.map +1 -0
  36. package/dist/client.d.ts +5 -0
  37. package/dist/client.js +2 -0
  38. package/dist/client.js.map +1 -0
  39. package/dist/{gateway/router.d.ts → gateway.d.ts} +30 -5
  40. package/dist/gateway.js +2 -0
  41. package/dist/gateway.js.map +1 -0
  42. package/dist/{client/index.d.ts → index-CyxNLlz7.d.ts} +24 -5
  43. package/dist/index.d.ts +313 -12
  44. package/dist/index.js +31 -12
  45. package/dist/index.js.map +1 -0
  46. package/dist/kyber-2WDOTUQX.js +2 -0
  47. package/dist/kyber-2WDOTUQX.js.map +1 -0
  48. package/dist/{mesh/node.d.ts → mesh.d.ts} +5 -3
  49. package/dist/mesh.js +2 -0
  50. package/dist/mesh.js.map +1 -0
  51. package/dist/{server/index.d.ts → server.d.ts} +143 -12
  52. package/dist/server.js +2 -0
  53. package/dist/server.js.map +1 -0
  54. package/dist/types.d.ts +17 -14
  55. package/dist/types.js +2 -26
  56. package/dist/types.js.map +1 -0
  57. package/dist/{crypto/verifier.d.ts → verifier-DTCD9imJ.d.ts} +3 -1
  58. package/dist/verifier-RQRYXA4C.js +2 -0
  59. package/dist/verifier-RQRYXA4C.js.map +1 -0
  60. package/dist/workers/logic-execution.d.ts +9 -2
  61. package/dist/workers/logic-execution.js +2 -123
  62. package/dist/workers/logic-execution.js.map +1 -0
  63. package/dist/workers/zk-verifier.d.ts +4 -2
  64. package/dist/workers/zk-verifier.js +2 -98
  65. package/dist/workers/zk-verifier.js.map +1 -0
  66. package/package.json +35 -22
  67. package/dist/bridge/index.d.ts +0 -37
  68. package/dist/bridge/index.js +0 -249
  69. package/dist/bridge/stream.js +0 -210
  70. package/dist/client/index.js +0 -275
  71. package/dist/crypto/logic-image-id.d.ts +0 -3
  72. package/dist/crypto/logic-image-id.js +0 -27
  73. package/dist/crypto/verifier.js +0 -97
  74. package/dist/economy/estimator.d.ts +0 -53
  75. package/dist/economy/estimator.js +0 -69
  76. package/dist/economy/index.d.ts +0 -5
  77. package/dist/economy/index.js +0 -3
  78. package/dist/economy/otel.d.ts +0 -38
  79. package/dist/economy/otel.js +0 -100
  80. package/dist/economy/telemetry.d.ts +0 -77
  81. package/dist/economy/telemetry.js +0 -224
  82. package/dist/errors.d.ts +0 -14
  83. package/dist/errors.js +0 -19
  84. package/dist/gateway/hybrid.d.ts +0 -23
  85. package/dist/gateway/hybrid.js +0 -199
  86. package/dist/gateway/router.js +0 -1054
  87. package/dist/mesh/index.d.ts +0 -1
  88. package/dist/mesh/index.js +0 -1
  89. package/dist/mesh/node.js +0 -853
  90. package/dist/prompts/adapters.d.ts +0 -16
  91. package/dist/prompts/adapters.js +0 -55
  92. package/dist/rpc/client.d.ts +0 -22
  93. package/dist/rpc/client.js +0 -40
  94. package/dist/rpc/codec/lpm.d.ts +0 -20
  95. package/dist/rpc/codec/lpm.js +0 -36
  96. package/dist/rpc/crypto/aes.d.ts +0 -22
  97. package/dist/rpc/crypto/aes.js +0 -47
  98. package/dist/rpc/crypto/kyber.d.ts +0 -27
  99. package/dist/rpc/crypto/kyber.js +0 -70
  100. package/dist/rpc/proto.d.ts +0 -2
  101. package/dist/rpc/proto.js +0 -33
  102. package/dist/rpc/server.d.ts +0 -13
  103. package/dist/rpc/server.js +0 -50
  104. package/dist/rpc/tls.d.ts +0 -26
  105. package/dist/rpc/tls.js +0 -54
  106. package/dist/rpc/types.d.ts +0 -28
  107. package/dist/rpc/types.js +0 -5
  108. package/dist/sandbox/guardian.d.ts +0 -18
  109. package/dist/sandbox/guardian.js +0 -58
  110. package/dist/sandbox/wasi.d.ts +0 -36
  111. package/dist/sandbox/wasi.js +0 -233
  112. package/dist/security/guardian.d.ts +0 -22
  113. package/dist/security/guardian.js +0 -52
  114. package/dist/security/zk.d.ts +0 -37
  115. package/dist/security/zk.js +0 -76
  116. package/dist/server/index.js +0 -1047
  117. package/dist/server/ner-scanner.d.ts +0 -29
  118. package/dist/server/ner-scanner.js +0 -141
  119. package/dist/server/pii.d.ts +0 -66
  120. package/dist/server/pii.js +0 -428
  121. package/dist/utils/logger.d.ts +0 -21
  122. package/dist/utils/logger.js +0 -70
  123. package/dist/utils/mcpCompact.d.ts +0 -11
  124. package/dist/utils/mcpCompact.js +0 -29
package/dist/chunk-5OAZNVIU.js ADDED
@@ -0,0 +1,31 @@
1
+ import {a,b}from'./chunk-HM77MWB6.js';import {a as a$2}from'./chunk-PPCOS2NU.js';import {a as a$1}from'./chunk-S6RJHZV2.js';import {Buffer}from'buffer';import H from'crypto';import*as Z from'fs';import {createRequire}from'module';import R from'path';import {fileURLToPath,pathToFileURL}from'url';import*as z from'@grpc/grpc-js';import {Piscina,FixedQueue}from'piscina';import {z as z$1}from'zod';import {zodToJsonSchema}from'zod-to-json-schema';import*as k from'acorn';import {simple}from'acorn-walk';var Y={"grpc.keepalive_time_ms":3e4,"grpc.keepalive_timeout_ms":1e4,"grpc.keepalive_permit_without_calls":1,"grpc.max_send_message_length":-1,"grpc.max_receive_message_length":-1,"grpc.enable_retries":1},T=class{server;constructor(){this.server=new z.Server(Y);}addService(e){this.server.addService(a.LogicMesh.service,{NegotiateIntent:e.negotiateIntent,ExecuteLogic:e.executeLogic});}async listen(e=50051,t){let r=b(t);return new Promise((i,n)=>{this.server.bindAsync(`0.0.0.0:${e}`,r,(s,o)=>{if(s){n(s);return}a$1.info(`[LIOP-RPC] Server listening on port ${o}`),i(o);});})}async stop(){return new Promise(e=>{this.server.tryShutdown(()=>{a$1.info("[LIOP-RPC] Server shut down"),e();});})}};var A=class p{piiFields;static TAINT_PROPAGATING_METHODS=new Set(["charCodeAt","codePointAt","charAt","at","indexOf","lastIndexOf","search","localeCompare","startsWith","endsWith","includes","substring","slice","substr","split","match","matchAll","replace","replaceAll","normalize","toLowerCase","toUpperCase","trim","trimStart","trimEnd","padStart","padEnd","repeat"]);static ARRAY_CALLBACK_METHODS=new Set(["map","forEach","filter","find","some","every","flatMap","findIndex"]);static REDUCE_METHODS=new Set(["reduce","reduceRight"]);constructor(e){this.piiFields=new Set(e.map(t=>t.toLowerCase()));}analyze(e,t,r=50){let i;try{let a=`function liop_analysis_wrapper(env) {
2
+ ${e}
3
+ }`;i=k.parse(a,{ecmaVersion:2022,sourceType:"script",locations:!0});}catch{return null}let n=new Set,s=new Set;this.identifyRecordBoundVars(i,n),this.propagateTaint(i,n,s);let o=this.checkReturnStatements(i,n,s);if(o)return o;if(t!==void 0&&t>0&&t<r){let a=this.detectCorrelatedAggregations(i);if(a)return a.reason=a.reason.replace("50 records",`${r} records`),a}if(t!==void 0&&t>0&&t<r){let a=this.detectMinMaxExtraction(i);if(a)return a.reason=a.reason.replace("50 records",`${r} records`),a}return null}extractQueriedFields(e){let t;try{t=k.parse(`function w(env) {
4
+ ${e}
5
+ }`,{ecmaVersion:2022,sourceType:"script"});}catch{return []}let r=new Set;return simple(t,{CallExpression:n=>{if(n.callee.type!=="MemberExpression")return;let s=n.callee,o=this.getPropertyName(s);if(!o||!this.isEnvRecordsChain(s.object))return;let a=n.arguments[0];if(!a||a.type!=="ArrowFunctionExpression"&&a.type!=="FunctionExpression")return;let c=a,l=0;if(p.REDUCE_METHODS.has(o)&&(l=1),c.params.length>l){let u=c.params[l];if(u.type==="Identifier"){let d=u.name,m=this.extractFieldsFromBody(c.body,d);for(let h of m)r.add(h);}}}}),Array.from(r)}detectCorrelatedAggregations(e){let t=new Map;simple(e,{CallExpression:i=>{if(i.callee.type!=="MemberExpression")return;let n=i.callee,s=this.getPropertyName(n);if(!s||!p.REDUCE_METHODS.has(s)||!this.isEnvRecordsChain(n.object))return;let o=i.arguments[0];if(!o||o.type!=="ArrowFunctionExpression"&&o.type!=="FunctionExpression")return;let a=o,c=a.params.length>1?a.params[1]:a.params[0];if(!c||c.type!=="Identifier")return;let l=c.name,u=this.extractFieldsFromBody(a.body,l);for(let d of u){let m=t.get(d)??0;t.set(d,m+1);}}});for(let[i,n]of t)if(n>=2)return {reason:`Correlation guard: ${n} aggregations detected on field '${i}'. Multiple correlated aggregations on the same field can enable differencing attacks. Use a single aggregation per numeric field, or increase dataset size above 50 records.`};return null}isEnvRecordsChain(e){if(this.isEnvRecordsAccess(e))return true;if(e.type==="CallExpression"){let t=e;if(t.callee.type==="MemberExpression"){let r=t.callee,i=this.getPropertyName(r);if(i&&(i==="slice"||i==="filter"||i==="toSorted"))return this.isEnvRecordsChain(r.object)}}return false}extractFieldsFromBody(e,t){let r=[];return simple(e,{MemberExpression:n=>{if(n.object.type==="Identifier"&&n.object.name===t){let s=this.getPropertyName(n);s&&s!=="length"&&r.push(s);}}}),r}detectMinMaxExtraction(e){let t=null;return simple(e,{CallExpression:i=>{if(!t&&i.callee.type==="MemberExpression"){let n=i.callee;if(n.object.type==="Identifier"&&n.object.name==="Math"){let s=this.getPropertyName(n);(s==="min"||s==="max")&&i.arguments.some(o=>o.type==="SpreadElement"&&this.isRecordsMapCall(o.argument))&&(t={reason:`Min/Max gate: Math.${s}() on individual records blocked for small datasets (n < 50). Use avg/stddev/count for privacy-safe aggregations.`});}}},MemberExpression:i=>{if(!t&&i.computed&&i.object.type==="CallExpression"){let n=i.object;if(n.callee.type==="MemberExpression"){let s=this.getPropertyName(n.callee);if(s==="sort"||s==="toSorted"){let o=n.callee.object;this.isEnvRecordsChain(o)&&(t={reason:"Min/Max gate: .sort()[index] on individual records blocked for small datasets (n < 50). Use avg/stddev/count for privacy-safe aggregations."});}}}}}),t}isRecordsMapCall(e){if(e.type!=="CallExpression")return false;let t=e;if(t.callee.type!=="MemberExpression")return false;let r=t.callee;return this.getPropertyName(r)==="map"&&this.isEnvRecordsChain(r.object)}identifyRecordBoundVars(e,t){simple(e,{CallExpression:n=>{if(n.callee.type!=="MemberExpression")return;let s=n.callee,o=this.getPropertyName(s);if(!o||!this.isEnvRecordsAccess(s.object))return;let a=n.arguments[0];if(a&&(a.type==="ArrowFunctionExpression"||a.type==="FunctionExpression")){let c=a;if(p.ARRAY_CALLBACK_METHODS.has(o)&&c.params.length>0){let l=c.params[0];l.type==="Identifier"&&t.add(l.name);}if(p.REDUCE_METHODS.has(o)&&c.params.length>1){let l=c.params[1];l.type==="Identifier"&&t.add(l.name);}}},ForOfStatement:n=>{if(this.isEnvRecordsAccess(n.right)&&n.left.type==="VariableDeclaration")for(let s of n.left.declarations)s.id.type==="Identifier"&&t.add(s.id.name);}}),simple(e,{VariableDeclarator:n=>{if(!(!n.init||n.id.type!=="Identifier")&&n.init.type==="MemberExpression"&&n.init.computed){let s=n.init;this.isEnvRecordsAccess(s.object)&&t.add(n.id.name);}}});}propagateTaint(e,t,r){for(let i=0;i<3;i++){let n=r.size;if(simple(e,{VariableDeclarator:o=>{!o.init||o.id.type!=="Identifier"||this.isExpressionTainted(o.init,t,r)&&r.add(o.id.name);},AssignmentExpression:o=>{o.left.type==="Identifier"&&this.isExpressionTainted(o.right,t,r)&&r.add(o.left.name);},CallExpression:o=>{if(o.callee.type!=="MemberExpression")return;let a=o.callee;this.getPropertyName(a)==="push"&&a.object.type==="Identifier"&&o.arguments.some(l=>this.isExpressionTainted(l,t,r))&&r.add(a.object.name);}}),r.size===n)break}}checkReturnStatements(e,t,r){let i=null;return simple(e,{ReturnStatement:s=>{if(!i&&s.argument&&this.isExpressionTainted(s.argument,t,r)){let o=s.loc?.start.line?s.loc.start.line-1:void 0,a=this.describeTaintSource(s.argument,t,r);i={reason:`PII side-channel detected: output contains values derived from restricted fields. ${a?`Operation: ${a}. `:""}Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,line:o,operation:a};}}}),i}isExpressionTainted(e,t,r){switch(e.type){case "Identifier":return r.has(e.name);case "MemberExpression":return this.isMemberExprTainted(e,t,r);case "CallExpression":return this.isCallExprTainted(e,t,r);case "BinaryExpression":case "LogicalExpression":{let i=e;return this.isExpressionTainted(i.left,t,r)||this.isExpressionTainted(i.right,t,r)}case "UnaryExpression":{let i=e;return this.isExpressionTainted(i.argument,t,r)}case "ConditionalExpression":{let i=e;return this.isExpressionTainted(i.test,t,r)||this.isExpressionTainted(i.consequent,t,r)||this.isExpressionTainted(i.alternate,t,r)}case "ObjectExpression":return e.properties.some(n=>n.type==="Property"&&this.isExpressionTainted(n.value,t,r));case "ArrayExpression":return e.elements.some(n=>n!==null&&this.isExpressionTainted(n,t,r));case "TemplateLiteral":return e.expressions.some(n=>this.isExpressionTainted(n,t,r));case "SpreadElement":{let i=e;return this.isExpressionTainted(i.argument,t,r)}default:return false}}isMemberExprTainted(e,t,r){let i=this.getPropertyName(e);if(e.object.type==="Identifier"&&t.has(e.object.name)&&i&&this.piiFields.has(i.toLowerCase()))return true;if(e.object.type==="MemberExpression"&&i&&this.piiFields.has(i.toLowerCase())){let n=e.object;if(n.computed&&this.isEnvRecordsAccess(n.object))return true}if(this.isExpressionTainted(e.object,t,r))return true;if(e.computed&&e.object.type==="Identifier"&&t.has(e.object.name)&&e.property.type==="Literal"){let n=e.property.value;if(typeof n=="string"&&this.piiFields.has(n.toLowerCase()))return true}return false}isCallExprTainted(e,t,r){if(e.callee.type==="MemberExpression"){let i=e.callee,n=this.getPropertyName(i);if(n&&p.TAINT_PROPAGATING_METHODS.has(n)&&this.isExpressionTainted(i.object,t,r))return true;if(this.isEnvRecordsAccess(i.object)&&e.arguments[0]){let s=e.arguments[0];if(s.type==="ArrowFunctionExpression"||s.type==="FunctionExpression")return this.doesCallbackProduceTaint(s,n,t,r)}if(this.isExpressionTainted(i.object,t,r)||e.arguments.some(s=>this.isExpressionTainted(s,t,r)))return true}if(e.callee.type==="MemberExpression"){let i=e.callee;this.getPropertyName(i)==="push"&&i.object.type==="Identifier"&&e.arguments.some(s=>this.isExpressionTainted(s,t,r))&&r.add(i.object.name);}if(e.callee.type==="Identifier"){let i=e.callee.name;if(!new Set(["Math","Number","parseInt","parseFloat","isNaN","isFinite"]).has(i))return e.arguments.some(s=>this.isExpressionTainted(s,t,r))}return false}doesCallbackProduceTaint(e,t,r,i){let n=new Set(r),s=new Set(i);if(e.params.length>0){let l=t!==null&&p.REDUCE_METHODS.has(t)?1:0;e.params.length>l&&e.params[l].type==="Identifier"&&n.add(e.params[l].name);}if(e.type==="ArrowFunctionExpression"&&e.body.type!=="BlockStatement")return this.isExpressionTainted(e.body,n,s);let o=false,a={ReturnStatement:c=>{c.argument&&this.isExpressionTainted(c.argument,n,s)&&(o=true);}};return simple(e.body,a),o}getPropertyName(e){if(!e.computed&&e.property.type==="Identifier")return e.property.name;if(e.computed&&e.property.type==="Literal"){let t=e.property.value;if(typeof t=="string")return t}return null}isEnvRecordsAccess(e){if(e.type==="MemberExpression"){let t=e;if(this.getPropertyName(t)==="records"&&t.object.type==="Identifier"&&t.object.name==="env")return true}return e.type==="Identifier"&&e.name==="records"}describeTaintSource(e,t,r){if(e.type==="Identifier"){let i=e.name;if(r.has(i))return `variable '${i}' is PII-derived`}if(e.type==="ObjectExpression"){let i=e;for(let n of i.properties)if(n.type==="Property"&&this.isExpressionTainted(n.value,t,r))return `property '${n.key.type==="Identifier"?n.key.name:"unknown"}' contains PII-derived value`}if(e.type==="CallExpression"){let i=e;if(i.callee.type==="MemberExpression"){let n=this.getPropertyName(i.callee);if(n)return `result of .${n}() on PII data`}}}};var V={aspirin:"Medication",lisinopril:"Medication",metformin:"Medication",amlodipine:"Medication",atorvastatin:"Medication",omeprazole:"Medication",losartan:"Medication",simvastatin:"Medication",levothyroxine:"Medication",ibuprofen:"Medication",acetaminophen:"Medication",amoxicillin:"Medication",ciprofloxacin:"Medication",prednisone:"Medication",warfarin:"Medication",insulin:"Medication",hydrochlorothiazide:"Medication",gabapentin:"Medication",albuterol:"Medication",pantoprazole:"Medication",hypertension:"Condition",diabetes:"Condition",bronchitis:"Condition",pneumonia:"Condition",asthma:"Condition"},_=4,J=/^[\d\s.,:;!?()[\]{}<>@#$%^&*+=|\\/"'`~_-]+$/,N=class p{static nlp=null;async getNlp(){if(!p.nlp){let e=await import('compromise/three');p.nlp=e.default||e,p.nlp.addWords(V);}return p.nlp}async scan(e){if(e.length<_||J.test(e))return {detected:false,entities:[]};let r=(await this.getNlp())(e),i=[],n=r.people().out("array");for(let a of n){let c=a.trim();c.length>=_&&i.push({type:"person",text:c});}let s=r.places().out("array");for(let a of s){let c=a.trim();c.length>=_&&i.push({type:"place",text:c});}let o=r.organizations().out("array");for(let a of o){let c=a.trim();c.length>=_&&i.push({type:"organization",text:c});}return {detected:i.length>0,entities:i}}async scanDeep(e,t=new WeakSet){if(e==null)return {detected:false,entities:[]};if(typeof e=="string")return this.scan(e);if(typeof e=="object"){if(t.has(e))return {detected:false,entities:[]};t.add(e);let r=Array.isArray(e)?e:Object.values(e),i=[];for(let n of r){let s=await this.scanDeep(n,t);if(s.detected&&(i.push(...s.entities),s.entities.some(o=>o.type==="person")))return {detected:true,entities:i}}return {detected:i.length>0,entities:i}}return {detected:false,entities:[]}}};function Q(p){let e=p.replace(/\D/g,"");if(e.length<13||e.length>19)return false;let t=0,r=false;for(let i=e.length-1;i>=0;i--){let n=parseInt(e.charAt(i),10);r&&(n*=2,n>9&&(n-=9)),t+=n,r=!r;}return t%10===0}function X(p){let e=p.replace(/\s+/g,"").toUpperCase();if(!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(e))return false;let t=e.substring(4)+e.substring(0,4),r="";for(let i=0;i<t.length;i++){let n=t.charCodeAt(i);if(n>=65&&n<=90)r+=(n-55).toString();else if(n>=48&&n<=57)r+=t.charAt(i);else return false}try{return BigInt(r)%97n===1n}catch{return false}}var f={EMAIL:{name:"EMAIL",pattern:/\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b/gi,validator:p=>!p.endsWith("@example.com")&&!p.endsWith("@test.com")},CREDIT_CARD:{name:"CREDIT_CARD",pattern:/\b(?:\d[ -]*?){13,16}\b/g,validator:Q},IP_ADDRESS:{name:"IP_ADDRESS",pattern:/\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b/g,validator:p=>["127.0.0.1","0.0.0.0","255.255.255.255"].includes(p)?false:p.split(".").map(Number).every(r=>r>=0&&r<=255)},PHONE:{name:"PHONE",pattern:/(?:(?:\+?\d{1,3}[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4})\b/g,validator:p=>{let e=p.replace(/\D/g,"");return !(e.length<7||e.length>15||/^(\d)\1+$/.test(e)||e==="1234567890")}},SSN:{name:"SSN",pattern:/\b\d{3}[- ]?\d{2}[- ]?\d{4}\b/g,validator:p=>{let e=p.replace(/\D/g,"");if(e.length!==9)return false;let t=parseInt(e.substring(0,3),10);return !(t===0||t===666||t>=900||parseInt(e.substring(3,5),10)===0||parseInt(e.substring(5,9),10)===0||/^(\d)\1+$/.test(e)||e==="123456789")}},IBAN:{name:"IBAN",pattern:/\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\b/gi,validator:X},PASSPORT_MRZ:{name:"PASSPORT_MRZ",pattern:/\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\b|\s|$)/g}},U={GLOBAL_STRICT:[f.EMAIL,f.CREDIT_CARD,f.IP_ADDRESS,f.PHONE,f.PASSPORT_MRZ,f.IBAN],US_COMPLIANT:[f.EMAIL,f.CREDIT_CARD,f.IP_ADDRESS,f.PHONE,f.SSN,f.PASSPORT_MRZ],EU_GDPR:[f.EMAIL,f.CREDIT_CARD,f.IP_ADDRESS,f.PHONE,f.IBAN,f.PASSPORT_MRZ]},M=class p{patterns;forbiddenKeysSet;nerScanner;static KEY_SAFELIST=new Set(["grid","video","android","identity","provide","override","validate","hidden","widget","guidelines","beside","guideline","outside","inside","collide","decide","divide","aside","ride","side","wide","hide","tide","pride","bride","slide","guide","stride","oxide","dioxide","suicide","homicide","pesticide","valid","invalid","void","avoid","diagnosis","medication","namespace","namesake","rename","filename","hostname","typename","unnamed","renamed","phonetic","phoneme","microphone","headphone","telephone","saxophone","smartphone","streetview","addressable","addressing","cityscape","electricity","capacity","velocity","opacity","timestamp","timezone","image_id","computation_result","zk_receipt","testid","toolid","sessionid","peerid","nodeid","requestid","correlationid","traceid","spanid"]);shortTokenBoundaryPatterns;longForbiddenTokens;constructor(e=[],t=[],r){this.patterns=e,this.forbiddenKeysSet=new Set(t.map(i=>i.toLowerCase())),this.nerScanner=r??null,this.shortTokenBoundaryPatterns=new Map,this.longForbiddenTokens=[];for(let i of this.forbiddenKeysSet)i.length<4?this.shortTokenBoundaryPatterns.set(i,new RegExp(`(?:^|[_-])${i}(?:$|[_-])|(?:^|[a-z])${i.charAt(0).toUpperCase()}${i.slice(1)}|^${i}$`,"i")):this.longForbiddenTokens.push(i);}async scan(e,t=new WeakSet){if(e==null)return null;if(typeof e=="string"){let r=e.trim();if(r.startsWith("{")&&r.endsWith("}")||r.startsWith("[")&&r.endsWith("]"))try{let n=JSON.parse(r),s=await this.scan(n,t);if(s)return s}catch{}let i=this.checkString(e);if(i)return i;if(this.nerScanner){let n=await this.nerScanner.scan(e);if(n.detected){let s=n.entities.find(o=>o.type==="person");if(s)return `PII Entity Detected: person name "${s.text}"`}}return null}if(typeof e=="object"){if(t.has(e))return null;if(t.add(e),Array.isArray(e))for(let r of e){let i=await this.scan(r,t);if(i)return i}else for(let[r,i]of Object.entries(e)){if(this.forbiddenKeysSet.has(r.toLowerCase()))return `Forbidden Key: ${r}`;let n=this.checkKeyFuzzy(r);if(n)return n;let s=await this.scan(i,t);if(s)return s}}return null}checkKeyFuzzy(e){let t=e.toLowerCase();if(p.KEY_SAFELIST.has(t))return null;for(let[r,i]of this.shortTokenBoundaryPatterns)if(i.test(e))return `Forbidden Key (fuzzy): ${e} matches boundary pattern "${r}"`;for(let r of this.longForbiddenTokens)if(t.includes(r))return `Forbidden Key (fuzzy): ${e} contains restricted token "${r}"`;return null}checkString(e){for(let t of this.patterns)if(typeof t=="string"){if(e.toLowerCase().includes(t.toLowerCase()))return t}else if(t instanceof RegExp){if(t.global&&(t.lastIndex=0),t.test(e))return t.source}else if(typeof t=="object"&&t!==null){let r=t;if(typeof r.pattern=="string"){if(e.toLowerCase().includes(r.pattern.toLowerCase())&&(!r.validator||r.validator(r.pattern)))return r.name}else if(r.pattern instanceof RegExp){r.pattern.global&&(r.pattern.lastIndex=0);let i=r.pattern.exec(e);for(;i!==null;){let n=i[0];if(!r.validator||r.validator(n))return r.name;if(!r.pattern.global)break;i=r.pattern.exec(e);}}}return null}};var G=R.dirname(fileURLToPath(import.meta.url)),K=class p{constructor(e,t){this.serverInfo=e;this.config=t;let r=this.config?.security?.enableNerScanning?new N:null;this.piiScanner=new M(this.config?.security?.piiPatterns??U.GLOBAL_STRICT,this.config?.security?.forbiddenKeys??["id","name","fullName","firstName","lastName","address","street","city","postalCode","zipCode","phone","email","ssn","accountHolder","accountNumber","account_number","password","token","secret","privateKey"],r);let i=this.config?.security?.rateLimit;this.toolCallWindowMs=i?.windowMs??Number.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS??"60000",10),this.toolCallMaxPerWindow=i?.maxPerWindow??Number.parseInt(process.env.LIOP_RATE_LIMIT_MAX??"15",10),this.globalCallMaxPerWindow=i?.globalMaxPerWindow??Number.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX??"40",10);let n=this.config?.security?.forbiddenKeys??["id","name","fullName","firstName","lastName","address","street","city","postalCode","zipCode","phone","email","ssn","accountHolder","accountNumber","account_number","password","token","secret","privateKey"];this.taintAnalyzer=new A(n);let s=import.meta.url.endsWith(".ts"),o=s?".ts":".js",a=[];if(s)try{let m=createRequire(import.meta.url).resolve("tsx/package.json");a=["--import",pathToFileURL(R.join(R.dirname(m),"dist","loader.mjs")).href];}catch{a=["--import","tsx"];}let c=process.env.NODE_ENV==="test"||process.env.VITEST;this.config?.capabilities&&!this.serverInfo.capabilities&&(this.serverInfo.capabilities=this.config.capabilities);let l=[R.resolve(G,`./workers/logic-execution${o}`),R.resolve(G,`../workers/logic-execution${o}`)],u=l.find(d=>Z.existsSync(d))||l[1];this.workerPool=new Piscina({filename:u,minThreads:this.config?.workerPool?.minThreads??(c?0:2),maxThreads:this.config?.workerPool?.maxThreads??(c?1:8),idleTimeout:this.config?.workerPool?.idleTimeout??(c?500:5e3),maxQueue:"auto",taskQueue:new FixedQueue,execArgv:a,resourceLimits:{maxOldGenerationSizeMb:this.config?.workerPool?.maxHeapMb??Number.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB??"64",10)}}),this.resource("LIOP Envelope Specification","liop://protocol/envelope-spec","Complete Logic-on-Origin envelope format, execution rules, and security constraints","text/plain",()=>Promise.resolve(this.buildEnvelopeSpec()));}logicCache=new Map;connectionStats=new Map;CACHE_TTL_MS=1440*60*1e3;THROTTLE_THRESHOLD=5;THROTTLE_COOLDOWN_MS=60*1e3;toolCallWindows=new Map;toolCallMaxPerWindow;toolCallWindowMs;globalCallWindow=[];globalCallMaxPerWindow;fieldQueryBudget=new Map;taintAnalyzer;tools=new Map;resources=new Map;prompts=new Map;activeSchema=null;sandboxRecords=[];piiScanner;workerPool;meshNode=null;rpcServer=null;boundPort=null;sessions=new Map;static LIOP_COMPACT_REGEX=/@LIOP\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\}\n(?<logic>[\s\S]*?)\n@END/m;extractLogic(e){let t=e.match(p.LIOP_COMPACT_REGEX);return t?.groups?.logic?t.groups.logic.trim():null}parseUnknownJson(e){if(typeof e!="string")return e;let t=e.trim();if(t.startsWith("{")&&t.endsWith("}")||t.startsWith("[")&&t.endsWith("]"))try{return JSON.parse(t)}catch{return e}return e}runPreflightPolicy(e,t,r){if(r){let a=t.replace(/\s+/g," ");if(r.enforceAggregationFirst&&[/return\s+env\.records(?!\s*\.\s*(?:reduce|length|filter|every|some|find)\b)/i,/return\s*\{[\s\S]*\b(accounts|patients|rows|records)\s*:\s*env\.records(?!\s*\.\s*(?:reduce|length|filter)\b)/i].some(l=>l.test(a)))return "Preflight policy rejected: potential row-level export pattern detected.";if(r.preflightDenyPatterns?.some(c=>c.test(a)))return "Preflight policy rejected: custom deny pattern matched."}let i=50;typeof r?.enforceAggregationFirst=="object"&&(i=r.enforceAggregationFirst.minMaxBlockThreshold??50);let n=this.taintAnalyzer.analyze(t,this.sandboxRecords.length,i);if(n)return `Preflight policy rejected: ${n.reason}`;let s=r?.queryBudgetPerField??5,o=this.taintAnalyzer.extractQueriedFields(t);if(o.length>0){let a=this.fieldQueryBudget.get(e);a||(a=new Map,this.fieldQueryBudget.set(e,a));for(let c of o)if((a.get(c)??0)>=s)return `Preflight policy rejected: Query budget exceeded for field '${c}' (max ${s} per session). Rotate PQC session to reset budget.`;for(let c of o){let l=a.get(c)??0;a.set(c,l+1);}}return null}validateOutputPolicy(e,t,r){if(!r)return null;let i=this.parseUnknownJson(t);if(r.outputSchema){let s=(()=>{if(!(r.outputSchema instanceof z$1.ZodObject))return r.outputSchema;let o=r.outputSchema;return o._def.catchall instanceof z$1.ZodNever?o.strict():o})().safeParse(i);if(!s.success)return `[LIOP] Output schema violation for ${e}: ${s.error.issues.map(o=>`${o.path.join(".")||"<root>"} ${o.message}`).join("; ")}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`}return r.enforceAggregationFirst&&this.violatesAggregationFirstPolicy(this.unwrapForAggregationPolicyScan(i),r.enforceAggregationFirst,this.sandboxRecords.length)?process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_SEC_VERBOSE==="1"?"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results.":"Aggregation-First Policy Violation: Output blocked due to privacy constraints.":null}unwrapForAggregationPolicyScan(e){if(typeof e=="string"){let n=e.trim();if(n.startsWith("{")&&n.endsWith("}")||n.startsWith("[")&&n.endsWith("]"))try{return this.unwrapForAggregationPolicyScan(JSON.parse(n))}catch{return e}return e}if(!e||typeof e!="object")return e;let t=e;if(!Array.isArray(t.content)||t.content.length===0)return e;let r=[];for(let n of t.content)if(n&&typeof n=="object"&&"text"in n){let s=n.text;typeof s=="string"&&r.push(s);}if(r.length===0)return e;let i=r.length===1?r[0]:r.join(`
6
+ `);return this.unwrapForAggregationPolicyScan(i)}violatesAggregationFirstPolicy(e,t,r){let i=typeof t=="object"&&typeof t.maxOutputRows=="number"?t.maxOutputRows:10,n=typeof t=="object"&&typeof t.allowPrimitiveArrays=="boolean"?t.allowPrimitiveArrays:true;if(typeof e=="string"){let s=e.trim();if(s.startsWith("{")&&s.endsWith("}")||s.startsWith("[")&&s.endsWith("]"))try{return this.violatesAggregationFirstPolicy(JSON.parse(s),t,r)}catch{return false}return false}if(Array.isArray(e))return e.length>0&&e.every(s=>typeof s=="object"&&s!==null)?e.length>i?true:e.some(s=>this.violatesAggregationFirstPolicy(s,t,r)):e.length>0&&e.every(s=>typeof s!="object"||s===null)?!n:e.some(s=>this.violatesAggregationFirstPolicy(s,t,r));if(e&&typeof e=="object"){let s=Object.keys(e);return r!==void 0&&r>0&&r<10&&(s.length>3||Object.values(e).some(a=>Array.isArray(a)||typeof a=="object"&&a!==null))||s.length>i?true:Object.values(e).some(o=>this.violatesAggregationFirstPolicy(o,t,r))}return false}buildEnvelopeSpec(){let e=["LIOP v1 Envelope Specification","================================","","FORMAT:","","Compact Envelope:"," @LIOP{wasi_v1,TaskName}"," <JavaScript code>"," @END","","RUNTIME ENVIRONMENT:","- env.records: Array of data objects from the origin","- Must use 'return' to output results","- Zero-Trust WASI Sandbox (Node.js Worker Pool)","- Return aggregated objects, NOT raw row-level arrays","","SECURITY CONSTRAINTS:","- PII Egress Shield blocks raw identifiers in output","- Aggregation-First policy: prefer counts, averages, summaries","- AST Guardian: static analysis before execution"];return this.config?.security?.forbiddenKeys?.length&&e.push(`- Restricted fields: ${this.config.security.forbiddenKeys.join(", ")}`),e.push("","TAINT TRACKING (Phase 108):","- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)","- Operations on restricted fields are tracked through variable assignments","- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked","- Allowed: aggregations on non-PII fields (balance, amount, date)","","K-ANONYMITY:","- Datasets < 10 records: max 3 scalar output fields, no nesting","- Datasets >= 10 records: max 10 output fields","","RATE LIMITS (OWASP A01):","- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)","- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)","","OPTIONAL PARAMETERS:","- __liop_bypass_ast_cache: boolean (force AST re-evaluation)"),e.join(`
7
+ `)}extractSchemaFieldSummary(e,t=0){if(t>3)return "{...}";let r=e.type,i=e.properties,n=e.items;return i?`{${Object.entries(i).map(([o,a])=>{let c=a.type;if(c==="array"&&a.items){let l=this.extractSchemaFieldSummary(a.items,t+1);return `${o}(array of ${l})`}if(c==="object"&&a.properties){let l=this.extractSchemaFieldSummary(a,t+1);return `${o}(${l})`}return `${o}(${c||"unknown"})`}).join(", ")}}`:r==="array"&&n?`Array of ${this.extractSchemaFieldSummary(n,t+1)}`:r||Object.keys(e).join(", ")}async connect(e={}){return this.connectToMesh(e)}tool(e,t,r,i,n){if(this.tools.has(e))throw new Error(`Tool already registered: ${e}`);let s=z$1.object(r),o=zodToJsonSchema(s),a=t,c=i;if(r.payload&&r.payload instanceof z$1.ZodString){let u=this.config?.security?.forbiddenKeys||[];if(a+=`
8
+
9
+ Payload: LIOP v1 envelope (WASI sandbox). Format: @LIOP{wasi_v1,TaskName}\\n<JS code>\\n@END | Access data: env.records. Return aggregated object. | Full spec: resource liop://protocol/envelope-spec`,u.length>0&&(a+=`
10
+ Restricted fields: ${u.join(", ")}.`),this.activeSchema){let d=this.extractSchemaFieldSummary(this.activeSchema);a+=`
11
+ Data structure: ${d}. Full schema: resource liop://schema/global`;}c=async(d,m)=>{let h="global_connection",b=Date.now(),y=this.connectionStats.get(h)||{failures:0,lastAttempt:0};if(y.failures>=this.THROTTLE_THRESHOLD&&b-y.lastAttempt<this.THROTTLE_COOLDOWN_MS)return {content:[{type:"text",text:"LIOP_THROTTLED: Too many violations. Cooling down for 60 seconds."}],isError:true};let C=d.payload,B=d.__liop_bypass_ast_cache===true,O=H.createHash("sha256").update(C).digest("hex"),S=this.extractLogic(C),D=this.logicCache.get(O);if(!B&&D&&b-D.timestamp<this.CACHE_TTL_MS&&S){d.payload=S;let v=this.runPreflightPolicy(e,S,n);return v?{content:[{type:"text",text:v}],isError:true}:await this.executeInWorkerPool(d,S,e)}if(!S)return y.failures++,y.lastAttempt=b,this.connectionStats.set(h,y),{content:[{type:"text",text:"Error: Malformed payload. Missing @LIOP boundary.\\nYou MUST wrap your logic exactly like this:\\n\\n@LIOP{wasi_v1,DynamicAudit}\\n// Your JS code here\\n@END"}],isError:true};try{let v=this.extractLogic(d.payload);d.payload=v;let w=this.runPreflightPolicy(e,v,n);if(w)return y.failures++,y.lastAttempt=b,this.connectionStats.set(h,y),{content:[{type:"text",text:w}],isError:!0};let j=await this.executeInWorkerPool(d,v,e);return j.isError?(y.failures++,y.lastAttempt=b,this.connectionStats.set(h,y)):(this.connectionStats.set(h,{failures:0,lastAttempt:b}),this.logicCache.set(O,{hash:O,timestamp:b})),j}catch(v){let w=v;return y.failures++,y.lastAttempt=b,this.connectionStats.set(h,y),{content:[{type:"text",text:`ExecutionRuntimeException: ${w.message}`}],isError:true}}};}let l={type:"object",properties:o.properties||{},required:o.required};this.tools.set(e,{tool:{name:e,description:a,inputSchema:l},handler:c,schema:s,policy:n}),this.meshNode&&this.meshNode.announceCapability(e).catch(u=>{a$1.info(`[LIOP-Mesh] Failed to auto-announce tool ${e}: ${u.message}`);});}prompt(e,t,r,i){if(this.prompts.has(e))throw new Error(`Prompt already registered: ${e}`);this.prompts.set(e,{prompt:{name:e,description:t,arguments:r},handler:i});}enableZeroShotAutonomy(){this.prompt("liop_blind_analyst","The official Logic-Injection-on-Origin Protocol system prompt. Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.",[],e=>({description:"LIOP Blind Analyst Instructions",messages:[{role:"user",content:{type:"text",text:`You are the "Blind Analyst" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.
12
+ Your objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.
13
+
14
+ INDUSTRIAL CONSTRAINTS & PROTOCOL RULES:
15
+ 1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.
16
+ 2. AGGREGATION FIRST: Always prefer returning counts, averages, or anonymized summaries.
17
+ 3. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.
18
+ Structure:
19
+ @LIOP{wasi_v1,AnalysisTask}
20
+ // Your JS Code Here
21
+ @END
22
+ 4. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.
23
+ 5. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).
24
+ 6. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.${this.activeSchema?`
25
+
26
+ CURRENT DATA DICTIONARY (STRICT):
27
+ ${JSON.stringify(this.activeSchema,null,2)}`:""}
28
+
29
+ Protocol Adherence is mandatory for successful execution.`}}]}));}resource(e,t,r,i,n){if(this.resources.has(t))throw new Error(`Resource URI already registered: ${t}`);this.resources.set(t,{name:e,uri:t,description:r,mimeType:i,content:n});}dataDictionary(e,t="Global Medical Data Dictionary",r="liop://schema/global",i="Exposes the internal database schema for Zero-Shot Autonomy planning"){this.activeSchema=e;let n=this.extractSchemaFieldSummary(e);for(let[s,o]of this.tools.entries())o.schema.shape.payload&&o.schema.shape.payload instanceof z$1.ZodString&&o.tool.description&&!o.tool.description.includes("Data structure:")&&(o.tool.description+=`
30
+ Data structure: ${n}. Full schema: resource ${r}`,this.tools.set(s,o));this.resource(t,r,i,"application/json",JSON.stringify(e,null,2));}clearAstCache(){this.logicCache.clear(),a$1.info("[LIOP-SDK] AST Security Cache cleared by Admin.");}checkToolCallRateLimit(e){let t=Date.now(),r=this.toolCallWindowMs,i=this.toolCallMaxPerWindow,s=(this.toolCallWindows.get(e)||[]).filter(o=>t-o<r);if(s.length>=i){let o=Math.ceil((s[0]+r-t)/1e3);return {content:[{type:"text",text:`LIOP_RATE_LIMITED: Too many calls to ${e}. Max ${i} per ${r/1e3}s window. Retry after ${o}s.`}],isError:true}}return s.push(t),this.toolCallWindows.set(e,s),null}checkGlobalRateLimit(){let e=Date.now(),t=this.toolCallWindowMs,r=this.globalCallMaxPerWindow;if(this.globalCallWindow=this.globalCallWindow.filter(i=>e-i<t),this.globalCallWindow.length>=r){let i=Math.ceil((this.globalCallWindow[0]+t-e)/1e3);return {content:[{type:"text",text:`LIOP_RATE_LIMITED: Global call limit exceeded. Max ${r} total calls per ${t/1e3}s window. Retry after ${i}s.`}],isError:true}}return this.globalCallWindow.push(e),null}async callTool(e){let t=this.tools.get(e.name);if(!t)throw new Error(`Tool not found: ${e.name}`);let r=this.checkGlobalRateLimit();if(r)return r;let i=this.checkToolCallRateLimit(e.name);if(i)return i;try{let n=t.schema.parse(e.arguments||{});if(e.arguments?.__liop_bypass_ast_cache===!0&&(n.__liop_bypass_ast_cache=!0),n&&typeof n.payload=="string"){let o=n.payload,a=this.extractLogic(o);if(a){let c=this.runPreflightPolicy(e.name,a,t.policy);return c?{content:[{type:"text",text:c}],isError:!0}:(n.payload=a,await this.executeInWorkerPool(n,a,e.name))}}return await t.handler(n,{})}catch(n){let s=n;return s instanceof z$1.ZodError?{content:[{type:"text",text:`Validation Error: ${s.message}`}],isError:true}:{content:[{type:"text",text:`Internal Execution Error: ${s.message}`}],isError:true}}}listTools(){return Array.from(this.tools.values()).map(e=>e.tool)}listPrompts(){return Array.from(this.prompts.values()).map(e=>e.prompt)}async getPrompt(e){let t=this.prompts.get(e.name);if(!t)throw new Error(`Prompt not found: ${e.name}`);return await t.handler(e)}listResources(){return Array.from(this.resources.values())}async readResource(e){let t=this.resources.get(e);if(!t)throw new Error(`Resource not found: ${e}`);let r="No description provided";return typeof t.content=="function"?r=await t.content():typeof t.content=="string"?r=t.content:t.description&&(r=t.description),{contents:[{uri:t.uri,mimeType:t.mimeType||"text/plain",text:r}]}}getServerInfo(){return this.serverInfo}getMeshNode(){return this.meshNode}setSandboxData(e){this.sandboxRecords=e;}getBoundPort(){return this.boundPort}async connectToMesh(e={}){let t=process.env.LIOP_GRPC_PORT?Number.parseInt(process.env.LIOP_GRPC_PORT,10):void 0,r=e.port??t??50051;this.meshNode=new a$2(e.meshConfig),await this.meshNode.start();let i=this.meshNode;this.meshNode.registerManifestHandler(()=>{let n=this.listTools().map(o=>({name:o.name,description:o.description,inputSchema:o.inputSchema})),s=Array.from(this.resources.values()).map(o=>({name:o.name,uri:o.uri,description:o.description,mimeType:o.mimeType,text:typeof o.content=="string"?o.content:o.description}));return {peerId:i.getPeerId(),grpcPort:r,tools:n,resources:s,serverInfo:this.serverInfo}});for(let n of this.listTools())await this.meshNode.announceCapability(n.name).catch(a$1.info);await this.meshNode.announceManifest().catch(a$1.info),this.rpcServer=new T,this.rpcServer.addService({negotiateIntent:(n,s)=>{let o=n.request;a$1.info(`[LIOP-RPC] Negotiating intent for capability: ${o.capability_hash}`),import('./kyber-2WDOTUQX.js').then(async({Kyber768Wrapper:a})=>{let{publicKey:c,secretKey:l}=await a.generateKeyPair(),u=H.randomUUID();this.fieldQueryBudget.clear(),this.sessions.set(u,{capability_hash:o.capability_hash,kyber_sk:l}),s(null,{accepted:true,session_token:u,error_message:"",kyber_public_key:c});});},executeLogic:async n=>{let s=n.request;a$1.info(`[LIOP-RPC] Executing Logic-on-Origin for session: ${s.session_token}`);let o=this.sessions.get(s.session_token);if(!o){n.emit("error",{code:z.status.UNAUTHENTICATED,details:"Invalid session token"});return}try{let a=await this.workerPool.run({ciphertext:s.pqc_ciphertext,secretKeyObj:Array.from(o.kyber_sk),wasmBinary:s.wasm_binary,inputs:s.inputs,aesNonce:s.aes_nonce,records:this.sandboxRecords,sessionToken:s.session_token,isEncrypted:!0}),c;try{c=typeof a.output=="string"?a.output:JSON.stringify(a.output);let m=JSON.parse(c);if(m.__liop_proxy_tool){a$1.info(`[LIOP-RPC] Executing Proxied Tool: ${m.__liop_proxy_tool}`);let h=await this.callTool({name:m.__liop_proxy_tool,arguments:m.__liop_proxy_args||{}});c=JSON.stringify(h);}}catch{c=String(a.output);}let l={semantic_evidence:c,cryptographic_proof:Buffer.from(a.image_id||"","hex"),zk_receipt:a.zk_receipt?Buffer.from(a.zk_receipt,"base64"):Buffer.from(""),is_error:!1},u=await this.piiScanner.scan([{type:"text",text:c}]),d=this.violatesAggregationFirstPolicy(this.unwrapForAggregationPolicyScan(c));if(u||d){let m=u||"Aggregation-First Policy Violation";a$1.info(`[LIOP-RPC] Secure egress blocked in gRPC stream: ${m}`),l.semantic_evidence="[LIOP] Egress Security Violation. Output blocked due to policy enforcement.",l.is_error=!0;}n.write(l,()=>{n.end();});}catch(a){let c=a,l=process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test",u=c.message||String(a);a$1.error(`[LIOP-RPC] Execution Error: ${u}`);let m={semantic_evidence:l?`Execution Error: ${u}`:"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.",cryptographic_proof:Buffer.from(""),zk_receipt:Buffer.from(""),is_error:true};try{n.write(m,()=>{n.end();});}catch{n.end();}}}}),this.boundPort=await this.rpcServer.listen(r),a$1.info(`[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`);}async executeInWorkerPool(e,t,r){try{let i=r?this.tools.get(r)?.policy:void 0,n=i?{epsilon:i.dpEpsilon??1,sensitivity:i.dpSensitivity??1,smallDatasetThreshold:50}:void 0,s=await this.workerPool.run({ciphertext:new Uint8Array(0),secretKeyObj:Array.from(new Uint8Array(0)),kyberPublicKey:new Uint8Array(0),wasmBinary:Buffer.from(t),inputs:{},records:this.sandboxRecords,sessionToken:"local-dev-token",isEncrypted:!1,dpConfig:n}),o=s.output,c=[{type:"text",text:JSON.stringify({computation_result:o,image_id:s.image_id,zk_receipt:s.zk_receipt,status:"Worker Pool Execution Success"})}],l=r?this.tools.get(r)?.policy:void 0,u=this.validateOutputPolicy(r||"unknown_tool",o,l);if(u)return a$1.info(`[LIOP-SDK] Output policy blocked for ${r||"unknown_tool"}: ${u}`),{content:[{type:"text",text:process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_SEC_VERBOSE==="1"?u:"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns."}],isError:!0};let d=await this.piiScanner.scan(c),m=this.violatesAggregationFirstPolicy(o);if(d||m){let h=d||"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.";return a$1.info(`[LIOP-SDK] Secure egress blocked in local execution: ${h}`),{content:[{type:"text",text:process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_SEC_VERBOSE==="1"?`[LIOP] Egress Security Violation: ${h}`:"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns."}],isError:!0}}return {content:c}}catch(i){let n=i,s=process.env.NODE_ENV==="development"||process.env.NODE_ENV==="test"||process.env.LIOP_SEC_VERBOSE==="1",o=n.message||String(i);return a$1.error(`[LIOP-SDK] WorkerPool Execution Fault: ${o}`),{content:[{type:"text",text:o.includes("worker_thread_exited")||o.includes("ERR_WORKER_OUT_OF_MEMORY")||o.includes("terminated")||o.includes("heap limit")?"[LIOP] Execution terminated: memory limit exceeded (64MB heap). Reduce data processing volume.":s?`WorkerPoolError: ${o}`:"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error."}],isError:true}}}async close(){this.workerPool&&await this.workerPool.close({force:true}),this.rpcServer&&await this.rpcServer.stop(),this.meshNode&&await this.meshNode.stop();}};export{T as a,N as b,f as c,U as d,M as e,K as f};//# sourceMappingURL=chunk-5OAZNVIU.js.map
31
+ //# sourceMappingURL=chunk-5OAZNVIU.js.map
package/dist/chunk-5OAZNVIU.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/rpc/server.ts","../src/security/taint-analyzer.ts","../src/server/ner-scanner.ts","../src/server/pii.ts","../src/server/index.ts"],"names":["GRPC_CHANNEL_OPTIONS","LiopRpcServer","handlers","liopV1","port","tls","credentials","createServerCredentials","resolve","reject","error","assignedPort","log","TaintAnalyzer","_TaintAnalyzer","piiFields","f","sourceCode","recordCount","minMaxBlockThreshold","ast","wrapped","recordBoundVars","taintedVars","taintResult","correlationResult","minMaxResult","fields","simple","node","callee","methodName","callback","fn","paramIndex","recordParam","paramName","extracted","fieldAggCounts","field","current","count","call","member","method","body","prop","violation","arg","sortTarget","param","declarator","iteration","sizeBefore","line","operation","bin","unary","cond","el","expr","spread","propName","parentMember","litVal","fnName","scopedRecordVars","scopedTaintedVars","recordParamIndex","hasTaintedReturn","returnVisitors","val","name","obj","MEDICAL_VOCABULARY","MIN_TEXT_LENGTH","NON_TEXT_PATTERN","NerScanner","_NerScanner","mod","text","doc","entities","people","person","trimmed","places","place","orgs","org","input","seen","values","allEntities","value","result","e","isLuhnValid","cardNumber","digits","sum","isEven","digit","isIbanValid","iban","sanitized","rearranged","numericString","charCode","PII_PATTERNS","match","p","area","PII_PRESETS","PiiScanner","_PiiScanner","patterns","forbiddenKeys","nerScanner","k","token","parsed","patternViolation","nerResult","personEntity","element","key","fuzzyViolation","normalized","pattern","rule","def","matchedText","__dirname","path","fileURLToPath","LiopServer","_LiopServer","serverInfo","config","rlConfig","isTS","workerExt","execArgv","tsxPkg","createRequire","pathToFileURL","isTest","workerPaths","workerFilename","Piscina","FixedQueue","payload","compact","_toolName","logic","policy","minMaxThreshold","taintViolation","queryLimit","extractedFields","toolBudget","toolName","output","schemaResult","z","i","rec","texts","part","t","joined","policyObj","recordsCount","maxRows","allowPrimitives","item","keys","v","lines","schema","depth","schemaType","properties","items","propType","nested","options","description","shape","handler","generatedSchema","zodToJsonSchema","finalDescription","finalHandler","blockedKeys","schemaDigest","args","_extra","clientId","now","stats","payloadValue","bypassCache","payloadHash","crypto","cached","preflightReason","inputSchema","err","_request","uri","mimeType","content","entry","windowMs","maxPerWindow","active","retryAfterSec","maxGlobal","request","globalLimitResult","rateLimitResult","parsedArgs","resource","records","envPort","MeshNode","meshNodeRef","tools","resources","r","tool","Kyber768Wrapper","publicKey","secretKey","sessionToken","session","q","workerResponse","finalOutput","decoded","toolResult","response","Buffer","aggregationViolation","internalReason","isDev","detail","errorResponse","_args","rawPayload","dpPolicy","dpConfig","dpOutput","toolPolicy","policyViolation"],"mappings":"qfAiBA,IAAMA,CAAAA,CAAuB,CAC5B,yBAA0B,GAAA,CAC1B,2BAAA,CAA6B,GAAA,CAC7B,qCAAA,CAAuC,CAAA,CACvC,8BAAA,CAAgC,EAAA,CAChC,iCAAA,CAAmC,EAAA,CACnC,qBAAA,CAAuB,CACxB,CAAA,CAEaC,CAAAA,CAAN,KAAoB,CAClB,MAAA,CAER,aAAc,CACb,IAAA,CAAK,MAAA,CAAS,IAAS,CAAA,CAAA,MAAA,CAAOD,CAAoB,EACnD,CAEO,UAAA,CAAWE,CAAAA,CAQT,CACR,IAAA,CAAK,MAAA,CAAO,UAAA,CAAWC,CAAAA,CAAO,SAAA,CAAU,OAAA,CAAS,CAChD,eAAA,CAAiBD,CAAAA,CAAS,eAAA,CAC1B,YAAA,CAAcA,CAAAA,CAAS,YACxB,CAAC,EACF,CAEA,MAAa,MAAA,CACZE,CAAAA,CAAe,KAAA,CACfC,CAAAA,CACkB,CAClB,IAAMC,CAAAA,CAAcC,CAAAA,CAAwBF,CAAG,CAAA,CAC/C,OAAO,IAAI,OAAA,CAAQ,CAACG,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,MAAA,CAAO,SAAA,CACX,CAAA,QAAA,EAAWL,CAAI,CAAA,CAAA,CACfE,CAAAA,CACA,CAACI,CAAAA,CAAOC,CAAAA,GAAiB,CACxB,GAAID,CAAAA,CAAO,CACVD,CAAAA,CAAOC,CAAK,CAAA,CACZ,MACD,CACAE,GAAAA,CAAI,IAAA,CAAK,uCAAuCD,CAAY,CAAA,CAAE,CAAA,CAC9DH,CAAAA,CAAQG,CAAY,EACrB,CACD,EACD,CAAC,CACF,CAEA,MAAa,IAAA,EAAsB,CAClC,OAAO,IAAI,OAAA,CAASH,CAAAA,EAAY,CAC/B,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,IAAM,CAC7BI,GAAAA,CAAI,IAAA,CAAK,6BAA6B,CAAA,CACtCJ,CAAAA,GACD,CAAC,EACF,CAAC,CACF,CACD,ECtCO,IAAMK,CAAAA,CAAN,MAAMC,CAAc,CACT,SAAA,CAGjB,OAAwB,yBAAA,CAA4B,IAAI,GAAA,CAAI,CAE3D,YAAA,CACA,aAAA,CACA,QAAA,CACA,IAAA,CAEA,SAAA,CACA,aAAA,CACA,QAAA,CAEA,eAAA,CACA,YAAA,CACA,UAAA,CACA,UAAA,CAEA,WAAA,CACA,QACA,QAAA,CACA,OAAA,CACA,OAAA,CACA,UAAA,CACA,SAAA,CACA,YAAA,CACA,WAAA,CACA,aAAA,CACA,aAAA,CACA,MAAA,CACA,WAAA,CACA,SAAA,CACA,UAAA,CACA,QAAA,CACA,QACD,CAAC,EAGD,OAAwB,sBAAA,CAAyB,IAAI,GAAA,CAAI,CACxD,KAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,MAAA,CACA,OAAA,CACA,SAAA,CACA,WACD,CAAC,CAAA,CAGD,OAAwB,eAAiB,IAAI,GAAA,CAAI,CAAC,QAAA,CAAU,aAAa,CAAC,CAAA,CAE1E,WAAA,CAAYC,CAAAA,CAAqB,CAChC,IAAA,CAAK,SAAA,CAAY,IAAI,GAAA,CAAIA,CAAAA,CAAU,GAAA,CAAKC,GAAMA,CAAAA,CAAE,WAAA,EAAa,CAAC,EAC/D,CAUA,OAAA,CACCC,CAAAA,CACAC,CAAAA,CACAC,CAAAA,CAA+B,EAAA,CACP,CACxB,IAAIC,CAAAA,CACJ,GAAI,CAEH,IAAMC,CAAAA,CAAU,CAAA;AAAA,EAA0CJ,CAAU;AAAA,CAAA,CAAA,CACpEG,CAAAA,CAAY,CAAA,CAAA,KAAA,CAAMC,CAAAA,CAAS,CAC1B,WAAA,CAAa,IAAA,CACb,UAAA,CAAY,QAAA,CACZ,SAAA,CAAW,CAAA,CACZ,CAAC,EACF,CAAA,KAAQ,CAEP,OAAO,IACR,CAEA,IAAMC,CAAAA,CAAkB,IAAI,GAAA,CACtBC,CAAAA,CAAc,IAAI,GAAA,CAGxB,IAAA,CAAK,uBAAA,CAAwBH,CAAAA,CAAKE,CAAe,EAGjD,IAAA,CAAK,cAAA,CAAeF,CAAAA,CAAKE,CAAAA,CAAiBC,CAAW,CAAA,CAGrD,IAAMC,CAAAA,CAAc,IAAA,CAAK,qBAAA,CACxBJ,CAAAA,CACAE,CAAAA,CACAC,CACD,CAAA,CACA,GAAIC,CAAAA,CAAa,OAAOA,CAAAA,CAGxB,GACCN,CAAAA,GAAgB,MAAA,EAChBA,CAAAA,CAAc,CAAA,EACdA,CAAAA,CAAcC,CAAAA,CACb,CACD,IAAMM,CAAAA,CAAoB,IAAA,CAAK,6BAA6BL,CAAG,CAAA,CAC/D,GAAIK,CAAAA,CAEH,OAAAA,CAAAA,CAAkB,MAAA,CAASA,CAAAA,CAAkB,MAAA,CAAO,OAAA,CACnD,YAAA,CACA,CAAA,EAAGN,CAAoB,CAAA,QAAA,CACxB,EACOM,CAET,CAGA,GACCP,CAAAA,GAAgB,MAAA,EAChBA,CAAAA,CAAc,CAAA,EACdA,CAAAA,CAAcC,CAAAA,CACb,CACD,IAAMO,CAAAA,CAAe,IAAA,CAAK,sBAAA,CAAuBN,CAAG,CAAA,CACpD,GAAIM,CAAAA,CACH,OAAAA,CAAAA,CAAa,MAAA,CAASA,CAAAA,CAAa,MAAA,CAAO,OAAA,CACzC,YAAA,CACA,CAAA,EAAGP,CAAoB,CAAA,QAAA,CACxB,CAAA,CACOO,CAET,CAEA,OAAO,IACR,CAMA,oBAAA,CAAqBT,CAAAA,CAA8B,CAClD,IAAIG,CAAAA,CACJ,GAAI,CACHA,CAAAA,CAAY,CAAA,CAAA,KAAA,CAAM,CAAA;AAAA,EAAsBH,CAAU;AAAA,CAAA,CAAA,CAAO,CACxD,WAAA,CAAa,IAAA,CACb,UAAA,CAAY,QACb,CAAC,EACF,CAAA,KAAQ,CACP,OAAO,EACR,CAEA,IAAMU,CAAAA,CAAS,IAAI,GAAA,CAuCnB,OAAAC,MAAAA,CAAOR,EArCgC,CACtC,cAAA,CAAiBS,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,OAC7C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,OAGdE,CAAAA,CAAa,IAAA,CAAK,eAAA,CAAgBD,CAAM,CAAA,CAC9C,GAAI,CAACC,CAAAA,EAAc,CAAC,IAAA,CAAK,iBAAA,CAAkBD,CAAAA,CAAO,MAAM,CAAA,CAAG,OAE3D,IAAME,CAAAA,CAAWH,CAAAA,CAAK,SAAA,CAAU,CAAC,CAAA,CACjC,GACC,CAACG,CAAAA,EACAA,CAAAA,CAAS,IAAA,GAAS,yBAAA,EAClBA,CAAAA,CAAS,OAAS,oBAAA,CAEnB,OAED,IAAMC,CAAAA,CAAKD,CAAAA,CACPE,CAAAA,CAAa,EAKjB,GAJIpB,CAAAA,CAAc,cAAA,CAAe,GAAA,CAAIiB,CAAU,CAAA,GAC9CG,EAAa,CAAA,CAAA,CAGVD,CAAAA,CAAG,MAAA,CAAO,MAAA,CAASC,CAAAA,CAAY,CAClC,IAAMC,CAAAA,CAAcF,CAAAA,CAAG,MAAA,CAAOC,CAAU,CAAA,CACxC,GAAIC,EAAY,IAAA,GAAS,YAAA,CAAc,CACtC,IAAMC,CAAAA,CAAaD,CAAAA,CAAiC,KAC9CE,CAAAA,CAAY,IAAA,CAAK,qBAAA,CACtBJ,CAAAA,CAAG,IAAA,CACHG,CACD,CAAA,CACA,IAAA,IAAWpB,CAAAA,IAAKqB,CAAAA,CAAWV,CAAAA,CAAO,GAAA,CAAIX,CAAC,EACxC,CACD,CACD,CACD,CAEoB,CAAA,CACb,KAAA,CAAM,IAAA,CAAKW,CAAM,CACzB,CASQ,4BAAA,CAA6BP,CAAAA,CAAwC,CAC5E,IAAMkB,EAAiB,IAAI,GAAA,CA0C3BV,MAAAA,CAAOR,CAAAA,CAxCgC,CACtC,cAAA,CAAiBS,GAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,OAE7C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,MAAA,CACdE,CAAAA,CAAa,IAAA,CAAK,gBAAgBD,CAAM,CAAA,CAO9C,GAJI,CAACC,CAAAA,EAAc,CAACjB,EAAc,cAAA,CAAe,GAAA,CAAIiB,CAAU,CAAA,EAI3D,CAAC,IAAA,CAAK,iBAAA,CAAkBD,CAAAA,CAAO,MAAM,CAAA,CAAG,OAG5C,IAAME,CAAAA,CAAWH,CAAAA,CAAK,UAAU,CAAC,CAAA,CACjC,GACC,CAACG,CAAAA,EACAA,CAAAA,CAAS,OAAS,yBAAA,EAClBA,CAAAA,CAAS,IAAA,GAAS,oBAAA,CAEnB,OAED,IAAMC,EAAKD,CAAAA,CACLG,CAAAA,CAAcF,CAAAA,CAAG,MAAA,CAAO,MAAA,CAAS,CAAA,CAAIA,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CAAIA,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CACrE,GAAI,CAACE,CAAAA,EAAeA,CAAAA,CAAY,IAAA,GAAS,YAAA,CAAc,OAEvD,IAAMC,CAAAA,CAAaD,CAAAA,CAAiC,IAAA,CAC9CR,CAAAA,CAAS,IAAA,CAAK,qBAAA,CACnBM,EAAG,IAAA,CACHG,CACD,CAAA,CAEA,IAAA,IAAWG,CAAAA,IAASZ,CAAAA,CAAQ,CAC3B,IAAMa,CAAAA,CAAUF,CAAAA,CAAe,GAAA,CAAIC,CAAK,CAAA,EAAK,CAAA,CAC7CD,EAAe,GAAA,CAAIC,CAAAA,CAAOC,CAAAA,CAAU,CAAC,EACtC,CACD,CACD,CAEoB,CAAA,CAEpB,IAAA,GAAW,CAACD,CAAAA,CAAOE,CAAK,IAAKH,CAAAA,CAC5B,GAAIG,CAAAA,EAAS,CAAA,CACZ,OAAO,CACN,OACC,CAAA,mBAAA,EAAsBA,CAAK,CAAA,iCAAA,EAAoCF,CAAK,CAAA,6KAAA,CAGtE,CAAA,CAIF,OAAO,IACR,CAKQ,iBAAA,CAAkBV,CAAAA,CAA2B,CACpD,GAAI,KAAK,kBAAA,CAAmBA,CAAI,CAAA,CAAG,OAAO,KAAA,CAG1C,GAAIA,EAAK,IAAA,GAAS,gBAAA,CAAkB,CACnC,IAAMa,CAAAA,CAAOb,CAAAA,CACb,GAAIa,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMC,CAAAA,CAASD,EAAK,MAAA,CACdE,CAAAA,CAAS,IAAA,CAAK,eAAA,CAAgBD,CAAM,CAAA,CAC1C,GACCC,CAAAA,GACCA,CAAAA,GAAW,OAAA,EAAWA,CAAAA,GAAW,QAAA,EAAYA,CAAAA,GAAW,YAEzD,OAAO,IAAA,CAAK,iBAAA,CAAkBD,CAAAA,CAAO,MAAM,CAE7C,CACD,CAGA,OAAO,MACR,CAOQ,qBAAA,CAAsBE,CAAAA,CAAkBT,EAA6B,CAC5E,IAAMT,CAAAA,CAAmB,EAAC,CAiB1B,OAAAC,OAAOiB,CAAAA,CAfgC,CACtC,gBAAA,CAAmBhB,CAAAA,EAAS,CAC3B,GACCA,EAAK,MAAA,CAAO,IAAA,GAAS,YAAA,EACpBA,CAAAA,CAAK,MAAA,CAA4B,IAAA,GAASO,CAAAA,CAC1C,CACD,IAAMU,CAAAA,CAAO,IAAA,CAAK,eAAA,CAAgBjB,CAAI,CAAA,CAElCiB,GAAQA,CAAAA,GAAS,QAAA,EACpBnB,CAAAA,CAAO,IAAA,CAAKmB,CAAI,EAElB,CACD,CACD,CAEqB,CAAA,CACdnB,CACR,CAQQ,sBAAA,CAAuBP,EAAwC,CACtE,IAAI2B,CAAAA,CAAmC,IAAA,CA+DvC,OAAAnB,MAAAA,CAAOR,EA7DgC,CACtC,cAAA,CAAiBS,CAAAA,EAAS,CACzB,GAAI,CAAAkB,GAIAlB,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMC,EAASD,CAAAA,CAAK,MAAA,CACpB,GACCC,CAAAA,CAAO,MAAA,CAAO,IAAA,GAAS,cACtBA,CAAAA,CAAO,MAAA,CAA4B,IAAA,GAAS,MAAA,CAC5C,CACD,IAAMc,CAAAA,CAAS,IAAA,CAAK,eAAA,CAAgBd,CAAM,CAAA,CAAA,CACtCc,CAAAA,GAAW,KAAA,EAASA,CAAAA,GAAW,QAGjCf,CAAAA,CAAK,SAAA,CAAU,IAAA,CACbmB,CAAAA,EACAA,CAAAA,CAAI,IAAA,GAAS,iBACb,IAAA,CAAK,gBAAA,CACHA,CAAAA,CAA4B,QAC9B,CACF,CAAA,GAEAD,EAAY,CACX,MAAA,CACC,CAAA,mBAAA,EAAsBH,CAAM,CAAA,iHAAA,CAE9B,CAAA,EAGH,CACD,CACD,CAAA,CAGA,gBAAA,CAAmBf,CAAAA,EAAS,CAC3B,GAAI,CAAAkB,GAGAlB,CAAAA,CAAK,QAAA,EAAYA,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,gBAAA,CAAkB,CAC3D,IAAMa,CAAAA,CAAOb,CAAAA,CAAK,MAAA,CAClB,GAAIa,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAME,CAAAA,CAAS,IAAA,CAAK,eAAA,CACnBF,CAAAA,CAAK,MACN,CAAA,CACA,GAAIE,CAAAA,GAAW,MAAA,EAAUA,CAAAA,GAAW,WAAY,CAC/C,IAAMK,CAAAA,CAAcP,CAAAA,CAAK,MAAA,CAAkC,MAAA,CACvD,KAAK,iBAAA,CAAkBO,CAAU,CAAA,GACpCF,CAAAA,CAAY,CACX,MAAA,CACC,6IAEF,CAAA,EAEF,CACD,CACD,CACD,CACD,CAEoB,EACbA,CACR,CAKQ,gBAAA,CAAiBlB,CAAAA,CAA2B,CACnD,GAAIA,EAAK,IAAA,GAAS,gBAAA,CAAkB,OAAO,MAAA,CAC3C,IAAMa,CAAAA,CAAOb,EACb,GAAIa,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,OAAO,OACpD,IAAMZ,CAAAA,CAASY,CAAAA,CAAK,MAAA,CAEpB,OADe,IAAA,CAAK,eAAA,CAAgBZ,CAAM,CAAA,GACxB,KAAA,EAAS,IAAA,CAAK,iBAAA,CAAkBA,CAAAA,CAAO,MAAM,CAChE,CAIQ,uBAAA,CACPV,CAAAA,CACAE,CAAAA,CACO,CAyDPM,MAAAA,CAAOR,EAxDgC,CACtC,cAAA,CAAiBS,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,OAE7C,IAAMc,CAAAA,CAASd,CAAAA,CAAK,OACdE,CAAAA,CAAa,IAAA,CAAK,eAAA,CAAgBY,CAAM,CAAA,CAI9C,GAHI,CAACZ,CAAAA,EAGD,CAAC,IAAA,CAAK,kBAAA,CAAmBY,CAAAA,CAAO,MAAM,EAAG,OAE7C,IAAMX,CAAAA,CAAWH,CAAAA,CAAK,SAAA,CAAU,CAAC,EACjC,GAAKG,CAAAA,GAGJA,CAAAA,CAAS,IAAA,GAAS,yBAAA,EAClBA,CAAAA,CAAS,IAAA,GAAS,oBAAA,CAAA,CACjB,CACD,IAAMC,CAAAA,CAAKD,CAAAA,CAEX,GACClB,CAAAA,CAAc,uBAAuB,GAAA,CAAIiB,CAAU,CAAA,EACnDE,CAAAA,CAAG,MAAA,CAAO,MAAA,CAAS,EAClB,CACD,IAAMiB,CAAAA,CAAQjB,CAAAA,CAAG,MAAA,CAAO,CAAC,EACrBiB,CAAAA,CAAM,IAAA,GAAS,YAAA,EAClB5B,CAAAA,CAAgB,GAAA,CAAI4B,CAAAA,CAAM,IAAI,EAEhC,CAEA,GACCpC,CAAAA,CAAc,cAAA,CAAe,GAAA,CAAIiB,CAAU,CAAA,EAC3CE,CAAAA,CAAG,MAAA,CAAO,MAAA,CAAS,CAAA,CAClB,CACD,IAAME,CAAAA,CAAcF,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CAC3BE,CAAAA,CAAY,OAAS,YAAA,EACxBb,CAAAA,CAAgB,GAAA,CAAIa,CAAAA,CAAY,IAAI,EAEtC,CACD,CACD,CAAA,CAGA,cAAA,CAAiBN,CAAAA,EAAS,CACzB,GAAK,IAAA,CAAK,mBAAmBA,CAAAA,CAAK,KAAK,CAAA,EAEnCA,CAAAA,CAAK,IAAA,CAAK,IAAA,GAAS,sBACtB,IAAA,IAAWsB,CAAAA,IAActB,CAAAA,CAAK,IAAA,CAAK,YAAA,CAC9BsB,CAAAA,CAAW,GAAG,IAAA,GAAS,YAAA,EAC1B7B,CAAAA,CAAgB,GAAA,CAAI6B,CAAAA,CAAW,EAAA,CAAG,IAAI,EAI1C,CACD,CAEoB,CAAA,CAmBpBvB,MAAAA,CAAOR,CAAAA,CAhBqC,CAC3C,mBAAqBS,CAAAA,EAAS,CAC7B,GAAI,EAAA,CAACA,CAAAA,CAAK,IAAA,EAAQA,EAAK,EAAA,CAAG,IAAA,GAAS,YAAA,CAAA,EAGlCA,CAAAA,CAAK,IAAA,CAAK,IAAA,GAAS,oBAClBA,CAAAA,CAAK,IAAA,CAAgC,QAAA,CACrC,CACD,IAAMc,CAAAA,CAASd,CAAAA,CAAK,IAAA,CAChB,IAAA,CAAK,kBAAA,CAAmBc,CAAAA,CAAO,MAAM,CAAA,EACxCrB,CAAAA,CAAgB,IAAIO,CAAAA,CAAK,EAAA,CAAG,IAAI,EAElC,CACD,CACD,CAEyB,EAC1B,CAIQ,cAAA,CACPT,CAAAA,CACAE,CAAAA,CACAC,CAAAA,CACO,CAGP,IAAA,IAAS6B,CAAAA,CAAY,CAAA,CAAGA,CAAAA,CAAY,CAAA,CAAGA,CAAAA,EAAAA,CAAa,CACnD,IAAMC,CAAAA,CAAa9B,CAAAA,CAAY,IAAA,CA8C/B,GAHAK,MAAAA,CAAOR,EAzCgC,CACtC,kBAAA,CAAqBS,CAAAA,EAAS,CACzB,CAACA,CAAAA,CAAK,MAAQA,CAAAA,CAAK,EAAA,CAAG,IAAA,GAAS,YAAA,EAGlC,IAAA,CAAK,mBAAA,CAAoBA,EAAK,IAAA,CAAMP,CAAAA,CAAiBC,CAAW,CAAA,EAEhEA,CAAAA,CAAY,GAAA,CAAIM,CAAAA,CAAK,EAAA,CAAG,IAAI,EAE9B,CAAA,CAEA,oBAAA,CAAuBA,CAAAA,EAAS,CAC3BA,EAAK,IAAA,CAAK,IAAA,GAAS,YAAA,EAGtB,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK,MAAOP,CAAAA,CAAiBC,CAAW,CAAA,EAEjEA,CAAAA,CAAY,GAAA,CAAKM,CAAAA,CAAK,KAA0B,IAAI,EAEtD,CAAA,CAIA,cAAA,CAAiBA,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,OAE7C,IAAMC,CAAAA,CAASD,EAAK,MAAA,CACD,IAAA,CAAK,eAAA,CAAgBC,CAAM,CAAA,GAG9B,MAAA,EACfA,EAAO,MAAA,CAAO,IAAA,GAAS,YAAA,EACvBD,CAAAA,CAAK,SAAA,CAAU,IAAA,CAAMmB,GACpB,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK1B,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,EAEAA,CAAAA,CAAY,GAAA,CAAKO,CAAAA,CAAO,MAAA,CAA4B,IAAI,EAE1D,CACD,CAEoB,CAAA,CAGhBP,CAAAA,CAAY,IAAA,GAAS8B,CAAAA,CAAY,KACtC,CACD,CAIQ,qBAAA,CACPjC,CAAAA,CACAE,CAAAA,CACAC,CAAAA,CACwB,CACxB,IAAIwB,EAAmC,IAAA,CA+BvC,OAAAnB,MAAAA,CAAOR,CAAAA,CA7BgC,CACtC,eAAA,CAAkBS,GAAS,CAC1B,GAAI,CAAAkB,CAAAA,EAEClB,CAAAA,CAAK,QAAA,EAGT,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,QAAA,CAAUP,CAAAA,CAAiBC,CAAW,CAAA,CACnE,CACD,IAAM+B,CAAAA,CAAOzB,CAAAA,CAAK,GAAA,EAAK,KAAA,CAAM,IAAA,CAC1BA,EAAK,GAAA,CAAI,KAAA,CAAM,IAAA,CAAO,CAAA,CACtB,MAAA,CACG0B,CAAAA,CAAY,IAAA,CAAK,mBAAA,CACtB1B,CAAAA,CAAK,QAAA,CACLP,CAAAA,CACAC,CACD,CAAA,CACAwB,CAAAA,CAAY,CACX,MAAA,CACC,CAAA,kFAAA,EACGQ,CAAAA,CAAY,CAAA,WAAA,EAAcA,CAAS,CAAA,EAAA,CAAA,CAAO,EAAE,CAAA,sEAAA,CAAA,CAEhD,IAAA,CAAAD,CAAAA,CACA,SAAA,CAAAC,CACD,EACD,CACD,CACD,CAEoB,CAAA,CAEbR,CACR,CAQQ,mBAAA,CACPlB,CAAAA,CACAP,CAAAA,CACAC,CAAAA,CACU,CACV,OAAQM,CAAAA,CAAK,IAAA,EACZ,KAAK,YAAA,CACJ,OAAON,CAAAA,CAAY,GAAA,CAAKM,CAAAA,CAA0B,IAAI,EAEvD,KAAK,kBAAA,CACJ,OAAO,IAAA,CAAK,mBAAA,CACXA,CAAAA,CACAP,EACAC,CACD,CAAA,CAED,KAAK,gBAAA,CACJ,OAAO,IAAA,CAAK,iBAAA,CACXM,CAAAA,CACAP,CAAAA,CACAC,CACD,CAAA,CAED,KAAK,kBAAA,CACL,KAAK,oBAAqB,CACzB,IAAMiC,CAAAA,CAAM3B,CAAAA,CACZ,OACC,IAAA,CAAK,oBAAoB2B,CAAAA,CAAI,IAAA,CAAMlC,CAAAA,CAAiBC,CAAW,CAAA,EAC/D,IAAA,CAAK,oBAAoBiC,CAAAA,CAAI,KAAA,CAAOlC,CAAAA,CAAiBC,CAAW,CAElE,CAEA,KAAK,iBAAA,CAAmB,CACvB,IAAMkC,CAAAA,CAAQ5B,CAAAA,CACd,OAAO,KAAK,mBAAA,CACX4B,CAAAA,CAAM,QAAA,CACNnC,CAAAA,CACAC,CACD,CACD,CAEA,KAAK,uBAAA,CAAyB,CAC7B,IAAMmC,CAAAA,CAAO7B,CAAAA,CAEb,OACC,IAAA,CAAK,mBAAA,CAAoB6B,CAAAA,CAAK,IAAA,CAAMpC,CAAAA,CAAiBC,CAAW,CAAA,EAChE,IAAA,CAAK,mBAAA,CACJmC,CAAAA,CAAK,UAAA,CACLpC,CAAAA,CACAC,CACD,CAAA,EACA,KAAK,mBAAA,CAAoBmC,CAAAA,CAAK,SAAA,CAAWpC,CAAAA,CAAiBC,CAAW,CAEvE,CAEA,KAAK,kBAAA,CAEJ,OADYM,CAAAA,CACD,UAAA,CAAW,IAAA,CACpBiB,GACAA,CAAAA,CAAK,IAAA,GAAS,UAAA,EACd,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK,MAAOxB,CAAAA,CAAiBC,CAAW,CACnE,CAAA,CAGD,KAAK,iBAAA,CAEJ,OADYM,CAAAA,CACD,QAAA,CAAS,IAAA,CAClB8B,CAAAA,EACAA,CAAAA,GAAO,IAAA,EACP,KAAK,mBAAA,CAAoBA,CAAAA,CAAIrC,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,CAGD,KAAK,iBAAA,CAEJ,OADaM,CAAAA,CACD,WAAA,CAAY,IAAA,CAAM+B,CAAAA,EAC7B,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAMtC,CAAAA,CAAiBC,CAAW,CAC5D,CAAA,CAGD,KAAK,gBAAiB,CACrB,IAAMsC,CAAAA,CAAShC,CAAAA,CACf,OAAO,IAAA,CAAK,oBACXgC,CAAAA,CAAO,QAAA,CACPvC,CAAAA,CACAC,CACD,CACD,CAEA,QAEC,OAAO,MACT,CACD,CAMQ,mBAAA,CACPoB,CAAAA,CACArB,EACAC,CAAAA,CACU,CACV,IAAMuC,CAAAA,CAAW,IAAA,CAAK,eAAA,CAAgBnB,CAAM,CAAA,CAG5C,GACCA,CAAAA,CAAO,MAAA,CAAO,IAAA,GAAS,YAAA,EACvBrB,EAAgB,GAAA,CAAKqB,CAAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,EAC5DmB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,CAAAA,CAAS,WAAA,EAAa,CAAA,CAEzC,OAAO,KAAA,CAKR,GACCnB,CAAAA,CAAO,MAAA,CAAO,IAAA,GAAS,kBAAA,EACvBmB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,CAAAA,CAAS,WAAA,EAAa,CAAA,CACxC,CACD,IAAMC,CAAAA,CAAepB,CAAAA,CAAO,MAAA,CAC5B,GACCoB,CAAAA,CAAa,UACb,IAAA,CAAK,kBAAA,CAAmBA,CAAAA,CAAa,MAAM,CAAA,CAE3C,OAAO,KAET,CAIA,GAAI,IAAA,CAAK,mBAAA,CAAoBpB,CAAAA,CAAO,MAAA,CAAQrB,CAAAA,CAAiBC,CAAW,CAAA,CACvE,OAAO,KAAA,CAKR,GACCoB,CAAAA,CAAO,QAAA,EACPA,EAAO,MAAA,CAAO,IAAA,GAAS,YAAA,EACvBrB,CAAAA,CAAgB,GAAA,CAAKqB,CAAAA,CAAO,OAA4B,IAAI,CAAA,EAIxDA,CAAAA,CAAO,QAAA,CAAS,IAAA,GAAS,SAAA,CAAW,CACvC,IAAMqB,CAAAA,CAAUrB,CAAAA,CAAO,QAAA,CAA2B,KAAA,CAClD,GACC,OAAOqB,GAAW,QAAA,EAClB,IAAA,CAAK,SAAA,CAAU,GAAA,CAAIA,CAAAA,CAAO,WAAA,EAAa,CAAA,CAEvC,OAAO,KAET,CAGD,OAAO,MACR,CAMQ,iBAAA,CACPtB,CAAAA,CACApB,CAAAA,CACAC,CAAAA,CACU,CAEV,GAAImB,EAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMZ,CAAAA,CAASY,EAAK,MAAA,CACdX,CAAAA,CAAa,IAAA,CAAK,eAAA,CAAgBD,CAAM,CAAA,CAG9C,GACCC,CAAAA,EACAjB,CAAAA,CAAc,yBAAA,CAA0B,GAAA,CAAIiB,CAAU,CAAA,EACtD,KAAK,mBAAA,CAAoBD,CAAAA,CAAO,MAAA,CAAQR,CAAAA,CAAiBC,CAAW,CAAA,CAEpE,OAAO,KAAA,CAIR,GAAI,IAAA,CAAK,kBAAA,CAAmBO,CAAAA,CAAO,MAAM,CAAA,EAAKY,EAAK,SAAA,CAAU,CAAC,CAAA,CAAG,CAChE,IAAMV,CAAAA,CAAWU,EAAK,SAAA,CAAU,CAAC,CAAA,CACjC,GACCV,CAAAA,CAAS,IAAA,GAAS,2BAClBA,CAAAA,CAAS,IAAA,GAAS,oBAAA,CAElB,OAAO,IAAA,CAAK,wBAAA,CACXA,EACAD,CAAAA,CACAT,CAAAA,CACAC,CACD,CAEF,CAYA,GAPC,KAAK,mBAAA,CAAoBO,CAAAA,CAAO,MAAA,CAAQR,CAAAA,CAAiBC,CAAW,CAAA,EAQpEmB,EAAK,SAAA,CAAU,IAAA,CAAMM,CAAAA,EACpB,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK1B,EAAiBC,CAAW,CAC3D,CAAA,CAEA,OAAO,KAET,CAKA,GAAImB,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMZ,CAAAA,CAASY,EAAK,MAAA,CACD,IAAA,CAAK,eAAA,CAAgBZ,CAAM,CAAA,GAE9B,MAAA,EACfA,EAAO,MAAA,CAAO,IAAA,GAAS,YAAA,EACvBY,CAAAA,CAAK,SAAA,CAAU,IAAA,CAAMM,GACpB,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK1B,CAAAA,CAAiBC,CAAW,CAC3D,GAGAA,CAAAA,CAAY,GAAA,CAAKO,CAAAA,CAAO,MAAA,CAA4B,IAAI,EAE1D,CAKA,GAAIY,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,YAAA,CAAc,CACtC,IAAMuB,CAAAA,CAAUvB,CAAAA,CAAK,MAAA,CAA4B,IAAA,CAUjD,GAAI,CARiB,IAAI,GAAA,CAAI,CAC5B,MAAA,CACA,QAAA,CACA,UAAA,CACA,YAAA,CACA,OAAA,CACA,UACD,CAAC,CAAA,CACiB,GAAA,CAAIuB,CAAM,CAAA,CAC3B,OAAOvB,EAAK,SAAA,CAAU,IAAA,CAAMM,CAAAA,EAC3B,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK1B,EAAiBC,CAAW,CAC3D,CAEF,CAEA,OAAO,MACR,CAMQ,wBAAA,CACPS,CAAAA,CACAD,CAAAA,CACAT,CAAAA,CACAC,CAAAA,CACU,CAEV,IAAM2C,CAAAA,CAAmB,IAAI,GAAA,CAAI5C,CAAe,CAAA,CAC1C6C,CAAAA,CAAoB,IAAI,IAAI5C,CAAW,CAAA,CAE7C,GAAIS,CAAAA,CAAS,MAAA,CAAO,MAAA,CAAS,EAAG,CAG/B,IAAMoC,CAAAA,CADLrC,CAAAA,GAAe,IAAA,EAAQjB,CAAAA,CAAc,eAAe,GAAA,CAAIiB,CAAU,CAAA,CAC/B,CAAA,CAAI,CAAA,CAGvCC,CAAAA,CAAS,MAAA,CAAO,MAAA,CAASoC,CAAAA,EACzBpC,CAAAA,CAAS,MAAA,CAAOoC,CAAgB,CAAA,CAAE,IAAA,GAAS,cAE3CF,CAAAA,CAAiB,GAAA,CACflC,CAAAA,CAAS,MAAA,CAAOoC,CAAgB,CAAA,CAAuB,IACzD,EAEF,CAGA,GACCpC,CAAAA,CAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,CAAK,IAAA,GAAS,gBAAA,CAEvB,OAAO,IAAA,CAAK,mBAAA,CACXA,EAAS,IAAA,CACTkC,CAAAA,CACAC,CACD,CAAA,CAID,IAAIE,CAAAA,CAAmB,MACjBC,CAAAA,CAAuC,CAC5C,eAAA,CAAkBzC,CAAAA,EAAS,CAEzBA,CAAAA,CAAK,UACL,IAAA,CAAK,mBAAA,CACJA,CAAAA,CAAK,QAAA,CACLqC,CAAAA,CACAC,CACD,IAEAE,CAAAA,CAAmB,IAAA,EAErB,CACD,CAAA,CAEA,OAAAzC,MAAAA,CAAOI,CAAAA,CAAS,IAAA,CAAoBsC,CAAc,CAAA,CAE3CD,CACR,CAKQ,eAAA,CAAgB1B,CAAAA,CAA+C,CACtE,GAAI,CAACA,CAAAA,CAAO,QAAA,EAAYA,CAAAA,CAAO,QAAA,CAAS,OAAS,YAAA,CAChD,OAAQA,CAAAA,CAAO,QAAA,CAA8B,IAAA,CAE9C,GAAIA,EAAO,QAAA,EAAYA,CAAAA,CAAO,QAAA,CAAS,IAAA,GAAS,SAAA,CAAW,CAC1D,IAAM4B,CAAAA,CAAO5B,CAAAA,CAAO,QAAA,CAA2B,KAAA,CAC/C,GAAI,OAAO4B,GAAQ,QAAA,CAAU,OAAOA,CACrC,CACA,OAAO,IACR,CAGQ,kBAAA,CAAmB1C,CAAAA,CAA2B,CAErD,GAAIA,CAAAA,CAAK,IAAA,GAAS,mBAAoB,CACrC,IAAMc,CAAAA,CAASd,CAAAA,CAEf,GADiB,IAAA,CAAK,eAAA,CAAgBc,CAAM,CAAA,GAE9B,SAAA,EACbA,CAAAA,CAAO,MAAA,CAAO,IAAA,GAAS,YAAA,EACtBA,EAAO,MAAA,CAA4B,IAAA,GAAS,KAAA,CAE7C,OAAO,KAET,CAEA,OACCd,CAAAA,CAAK,IAAA,GAAS,YAAA,EACbA,CAAAA,CAA0B,IAAA,GAAS,SAKtC,CAGQ,mBAAA,CACPA,CAAAA,CACAP,CAAAA,CACAC,CAAAA,CACqB,CACrB,GAAIM,EAAK,IAAA,GAAS,YAAA,CAAc,CAC/B,IAAM2C,CAAAA,CAAQ3C,CAAAA,CAA0B,KACxC,GAAIN,CAAAA,CAAY,GAAA,CAAIiD,CAAI,CAAA,CAAG,OAAO,aAAaA,CAAI,CAAA,gBAAA,CACpD,CAEA,GAAI3C,CAAAA,CAAK,IAAA,GAAS,mBAAoB,CACrC,IAAM4C,CAAAA,CAAM5C,CAAAA,CACZ,IAAA,IAAWiB,CAAAA,IAAQ2B,CAAAA,CAAI,UAAA,CACtB,GACC3B,CAAAA,CAAK,IAAA,GAAS,UAAA,EACd,IAAA,CAAK,mBAAA,CAAoBA,EAAK,KAAA,CAAOxB,CAAAA,CAAiBC,CAAW,CAAA,CAMjE,OAAO,CAAA,UAAA,EAHNuB,EAAK,GAAA,CAAI,IAAA,GAAS,YAAA,CACdA,CAAAA,CAAK,GAAA,CAAyB,IAAA,CAC/B,SACuB,CAAA,4BAAA,CAG9B,CAEA,GAAIjB,CAAAA,CAAK,IAAA,GAAS,gBAAA,CAAkB,CACnC,IAAMa,CAAAA,CAAOb,CAAAA,CACb,GAAIa,CAAAA,CAAK,MAAA,CAAO,IAAA,GAAS,mBAAoB,CAC5C,IAAMX,CAAAA,CAAa,IAAA,CAAK,eAAA,CACvBW,CAAAA,CAAK,MACN,CAAA,CACA,GAAIX,CAAAA,CAAY,OAAO,CAAA,WAAA,EAAcA,CAAU,gBAChD,CACD,CAGD,CACD,CAAA,CC1+BA,IAAM2C,CAAAA,CAA6C,CAClD,OAAA,CAAS,YAAA,CACT,UAAA,CAAY,YAAA,CACZ,SAAA,CAAW,YAAA,CACX,UAAA,CAAY,aACZ,YAAA,CAAc,YAAA,CACd,UAAA,CAAY,YAAA,CACZ,QAAA,CAAU,YAAA,CACV,YAAa,YAAA,CACb,aAAA,CAAe,YAAA,CACf,SAAA,CAAW,YAAA,CACX,aAAA,CAAe,aACf,WAAA,CAAa,YAAA,CACb,aAAA,CAAe,YAAA,CACf,UAAA,CAAY,YAAA,CACZ,SAAU,YAAA,CACV,OAAA,CAAS,YAAA,CACT,mBAAA,CAAqB,YAAA,CACrB,UAAA,CAAY,aACZ,SAAA,CAAW,YAAA,CACX,YAAA,CAAc,YAAA,CAEd,YAAA,CAAc,WAAA,CACd,SAAU,WAAA,CACV,UAAA,CAAY,WAAA,CACZ,SAAA,CAAW,WAAA,CACX,MAAA,CAAQ,WACT,CAAA,CAgBMC,CAAAA,CAAkB,CAAA,CAGlBC,CAAAA,CAAmB,6CAAA,CASZC,CAAAA,CAAN,MAAMC,CAAW,CACvB,OAAe,GAAA,CAAwB,IAAA,CAKvC,MAAc,MAAA,EAA6B,CAC1C,GAAI,CAACA,CAAAA,CAAW,GAAA,CAAK,CAEpB,IAAMC,EAAO,MAAM,OAAO,kBAAkB,CAAA,CAE5CD,CAAAA,CAAW,GAAA,CAAOC,EAAI,OAAA,EAAWA,CAAAA,CACjCD,CAAAA,CAAW,GAAA,CAAI,QAAA,CAASJ,CAAkB,EAC3C,CACA,OAAOI,CAAAA,CAAW,GACnB,CAMA,MAAM,IAAA,CAAKE,EAAsC,CAChD,GAAIA,CAAAA,CAAK,MAAA,CAASL,CAAAA,EAAmBC,CAAAA,CAAiB,KAAKI,CAAI,CAAA,CAC9D,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,SAAU,EAAG,CAAA,CAIxC,IAAMC,CAAAA,CAAAA,CADM,MAAM,IAAA,CAAK,MAAA,EAAO,EACdD,CAAI,CAAA,CACdE,CAAAA,CAAwB,EAAC,CAEzBC,EAASF,CAAAA,CAAI,MAAA,EAAO,CAAE,GAAA,CAAI,OAAO,CAAA,CACvC,QAAWG,CAAAA,IAAUD,CAAAA,CAAQ,CAC5B,IAAME,CAAAA,CAAUD,CAAAA,CAAO,MAAK,CACxBC,CAAAA,CAAQ,MAAA,EAAUV,CAAAA,EACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,QAAA,CAAU,IAAA,CAAMG,CAAQ,CAAC,EAEjD,CAEA,IAAMC,CAAAA,CAASL,CAAAA,CAAI,MAAA,EAAO,CAAE,GAAA,CAAI,OAAO,CAAA,CACvC,IAAA,IAAWM,CAAAA,IAASD,CAAAA,CAAQ,CAC3B,IAAMD,EAAUE,CAAAA,CAAM,IAAA,EAAK,CACvBF,CAAAA,CAAQ,MAAA,EAAUV,CAAAA,EACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,OAAA,CAAS,IAAA,CAAMG,CAAQ,CAAC,EAEhD,CAEA,IAAMG,CAAAA,CAAOP,CAAAA,CAAI,aAAA,EAAc,CAAE,IAAI,OAAO,CAAA,CAC5C,IAAA,IAAWQ,CAAAA,IAAOD,CAAAA,CAAM,CACvB,IAAMH,CAAAA,CAAUI,CAAAA,CAAI,IAAA,EAAK,CACrBJ,CAAAA,CAAQ,MAAA,EAAUV,CAAAA,EACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,cAAA,CAAgB,IAAA,CAAMG,CAAQ,CAAC,EAEvD,CAEA,OAAO,CACN,QAAA,CAAUH,CAAAA,CAAS,OAAS,CAAA,CAC5B,QAAA,CAAAA,CACD,CACD,CAMA,MAAM,SACLQ,CAAAA,CACAC,CAAAA,CAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CACb,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,QAAA,CAAU,EAAG,CAAA,CAGxC,GAAI,OAAOA,CAAAA,EAAU,QAAA,CACpB,OAAO,KAAK,IAAA,CAAKA,CAAK,CAAA,CAGvB,GAAI,OAAOA,CAAAA,EAAU,SAAU,CAC9B,GAAIC,CAAAA,CAAK,GAAA,CAAID,CAAe,CAAA,CAC3B,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,QAAA,CAAU,EAAG,EAExCC,CAAAA,CAAK,GAAA,CAAID,CAAe,CAAA,CAExB,IAAME,CAAAA,CAAS,MAAM,OAAA,CAAQF,CAAK,CAAA,CAC/BA,CAAAA,CACA,MAAA,CAAO,MAAA,CAAOA,CAAgC,CAAA,CAE3CG,CAAAA,CAA2B,EAAC,CAElC,IAAA,IAAWC,CAAAA,IAASF,CAAAA,CAAQ,CAC3B,IAAMG,CAAAA,CAAS,MAAM,IAAA,CAAK,QAAA,CAASD,CAAAA,CAAOH,CAAI,CAAA,CAC9C,GAAII,CAAAA,CAAO,QAAA,GACVF,CAAAA,CAAY,IAAA,CAAK,GAAGE,CAAAA,CAAO,QAAQ,CAAA,CAE/BA,CAAAA,CAAO,QAAA,CAAS,IAAA,CAAMC,GAAMA,CAAAA,CAAE,IAAA,GAAS,QAAQ,CAAA,CAAA,CAClD,OAAO,CAAE,SAAU,IAAA,CAAM,QAAA,CAAUH,CAAY,CAGlD,CAEA,OAAO,CACN,QAAA,CAAUA,CAAAA,CAAY,MAAA,CAAS,CAAA,CAC/B,QAAA,CAAUA,CACX,CACD,CAEA,OAAO,CAAE,QAAA,CAAU,KAAA,CAAO,QAAA,CAAU,EAAG,CACxC,CACD,ECvLA,SAASI,CAAAA,CAAYC,CAAAA,CAA6B,CACjD,IAAMC,CAAAA,CAASD,CAAAA,CAAW,OAAA,CAAQ,KAAA,CAAO,EAAE,EAC3C,GAAIC,CAAAA,CAAO,MAAA,CAAS,EAAA,EAAMA,CAAAA,CAAO,MAAA,CAAS,GAAI,OAAO,MAAA,CAErD,IAAIC,CAAAA,CAAM,CAAA,CACNC,CAAAA,CAAS,MAEb,IAAA,IAAS,CAAA,CAAIF,CAAAA,CAAO,MAAA,CAAS,CAAA,CAAG,CAAA,EAAK,EAAG,CAAA,EAAA,CAAK,CAC5C,IAAIG,CAAAA,CAAQ,QAAA,CAASH,CAAAA,CAAO,OAAO,CAAC,CAAA,CAAG,EAAE,CAAA,CAErCE,CAAAA,GACHC,CAAAA,EAAS,EACLA,CAAAA,CAAQ,CAAA,GACXA,CAAAA,EAAS,CAAA,CAAA,CAAA,CAIXF,CAAAA,EAAOE,CAAAA,CACPD,EAAS,CAACA,EACX,CAEA,OAAOD,CAAAA,CAAM,EAAA,GAAO,CACrB,CAMA,SAASG,CAAAA,CAAYC,CAAAA,CAAuB,CAC3C,IAAMC,CAAAA,CAAYD,EAAK,OAAA,CAAQ,MAAA,CAAQ,EAAE,CAAA,CAAE,WAAA,EAAY,CAEvD,GAAI,CAAC,kCAAA,CAAmC,IAAA,CAAKC,CAAS,CAAA,CAAG,OAAO,OAEhE,IAAMC,CAAAA,CAAaD,CAAAA,CAAU,SAAA,CAAU,CAAC,CAAA,CAAIA,CAAAA,CAAU,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAEhEE,CAAAA,CAAgB,EAAA,CACpB,IAAA,IAAS,EAAI,CAAA,CAAG,CAAA,CAAID,CAAAA,CAAW,MAAA,CAAQ,CAAA,EAAA,CAAK,CAC3C,IAAME,CAAAA,CAAWF,CAAAA,CAAW,UAAA,CAAW,CAAC,CAAA,CACxC,GAAIE,GAAY,EAAA,EAAMA,CAAAA,EAAY,EAAA,CACjCD,CAAAA,EAAAA,CAAkBC,CAAAA,CAAW,EAAA,EAAI,QAAA,EAAS,CAAA,KAAA,GAChCA,CAAAA,EAAY,EAAA,EAAMA,CAAAA,EAAY,EAAA,CACxCD,CAAAA,EAAiBD,CAAAA,CAAW,OAAO,CAAC,CAAA,CAAA,KAEpC,OAAO,MAET,CAEA,GAAI,CACH,OAAO,MAAA,CAAOC,CAAa,CAAA,CAAI,GAAA,GAAQ,EACxC,MAAa,CACZ,OAAO,MACR,CACD,CAUO,IAAME,EAAe,CAC3B,KAAA,CAAO,CACN,IAAA,CAAM,OAAA,CACN,OAAA,CAAS,uDACT,SAAA,CAAYC,CAAAA,EACX,CAACA,CAAAA,CAAM,QAAA,CAAS,cAAc,GAAK,CAACA,CAAAA,CAAM,QAAA,CAAS,WAAW,CAChE,CAAA,CACA,YAAa,CACZ,IAAA,CAAM,aAAA,CACN,OAAA,CAAS,0BAAA,CACT,SAAA,CAAWb,CACZ,CAAA,CACA,UAAA,CAAY,CACX,IAAA,CAAM,YAAA,CACN,OAAA,CAAS,yCAAA,CACT,UAAYa,CAAAA,EACK,CAAC,WAAA,CAAa,SAAA,CAAW,iBAAiB,CAAA,CAC9C,SAASA,CAAK,CAAA,CAAU,KAAA,CAEtBA,CAAAA,CAAM,KAAA,CAAM,GAAG,EAAE,GAAA,CAAI,MAAM,CAAA,CAC5B,KAAA,CAAOC,CAAAA,EAAMA,CAAAA,EAAK,GAAKA,CAAAA,EAAK,GAAG,CAE9C,CAAA,CACA,KAAA,CAAO,CACN,KAAM,OAAA,CAEN,OAAA,CAAS,+DAAA,CACT,SAAA,CAAYD,CAAAA,EAAkB,CAC7B,IAAMX,CAAAA,CAASW,CAAAA,CAAM,OAAA,CAAQ,KAAA,CAAO,EAAE,CAAA,CAItC,OAHI,EAAAX,CAAAA,CAAO,MAAA,CAAS,CAAA,EAAKA,CAAAA,CAAO,MAAA,CAAS,EAAA,EAErC,WAAA,CAAY,IAAA,CAAKA,CAAM,CAAA,EACvBA,CAAAA,GAAW,YAAA,CAEhB,CACD,EACA,GAAA,CAAK,CACJ,IAAA,CAAM,KAAA,CACN,OAAA,CAAS,gCAAA,CACT,UAAYW,CAAAA,EAAkB,CAC7B,IAAMX,CAAAA,CAASW,CAAAA,CAAM,OAAA,CAAQ,MAAO,EAAE,CAAA,CACtC,GAAIX,CAAAA,CAAO,MAAA,GAAW,CAAA,CAAG,OAAO,MAAA,CAEhC,IAAMa,CAAAA,CAAO,QAAA,CAASb,CAAAA,CAAO,SAAA,CAAU,EAAG,CAAC,CAAA,CAAG,EAAE,CAAA,CAShD,OARI,EAAAa,IAAS,CAAA,EAAKA,CAAAA,GAAS,GAAA,EAAOA,CAAAA,EAAQ,GAAA,EAE5B,QAAA,CAASb,EAAO,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAAG,EAAE,CAAA,GACnC,CAAA,EAEC,QAAA,CAASA,CAAAA,CAAO,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAAG,EAAE,IACnC,CAAA,EAEX,WAAA,CAAY,IAAA,CAAKA,CAAM,CAAA,EAAKA,CAAAA,GAAW,YAG5C,CACD,CAAA,CACA,IAAA,CAAM,CACL,IAAA,CAAM,MAAA,CACN,QAAS,sCAAA,CACT,SAAA,CAAWI,CACZ,CAAA,CACA,YAAA,CAAc,CACb,IAAA,CAAM,cAAA,CAEN,OAAA,CAAS,6CACV,CACD,CAAA,CAMaU,CAAAA,CAAc,CAC1B,cAAe,CACdJ,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,WAAA,CACbA,CAAAA,CAAa,WACbA,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,YAAA,CACbA,CAAAA,CAAa,IACd,EACA,YAAA,CAAc,CACbA,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,WAAA,CACbA,CAAAA,CAAa,UAAA,CACbA,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,GAAA,CACbA,CAAAA,CAAa,YACd,EACA,OAAA,CAAS,CACRA,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,WAAA,CACbA,EAAa,UAAA,CACbA,CAAAA,CAAa,KAAA,CACbA,CAAAA,CAAa,IAAA,CACbA,CAAAA,CAAa,YACd,CACD,CAAA,CAEaK,CAAAA,CAAN,MAAMC,CAAW,CACf,SACA,gBAAA,CACA,UAAA,CAMR,OAAwB,YAAA,CAAe,IAAI,GAAA,CAAI,CAE9C,MAAA,CACA,OAAA,CACA,SAAA,CACA,UAAA,CACA,SAAA,CACA,UAAA,CACA,WACA,QAAA,CACA,QAAA,CACA,YAAA,CACA,QAAA,CACA,WAAA,CACA,SAAA,CACA,SACA,SAAA,CACA,QAAA,CACA,QAAA,CACA,OAAA,CACA,MAAA,CACA,MAAA,CACA,MAAA,CACA,MAAA,CACA,MAAA,CACA,OAAA,CACA,OAAA,CACA,OAAA,CACA,OAAA,CACA,QAAA,CACA,QACA,SAAA,CACA,SAAA,CACA,UAAA,CACA,WAAA,CACA,OAAA,CACA,SAAA,CACA,OACA,OAAA,CAEA,WAAA,CACA,YAAA,CACA,WAAA,CACA,UAAA,CACA,QAAA,CACA,WACA,UAAA,CACA,UAAA,CACA,SAAA,CACA,SAAA,CAEA,UAAA,CACA,SAAA,CACA,aACA,WAAA,CACA,WAAA,CACA,WAAA,CACA,YAAA,CAEA,YAAA,CACA,aAAA,CACA,aAEA,WAAA,CACA,aAAA,CACA,UAAA,CACA,UAAA,CACA,SAAA,CAEA,WAAA,CACA,WAEA,UAAA,CACA,oBAAA,CACA,YAAA,CACA,QAAA,CACA,QAAA,CACA,WAAA,CACA,SACA,QAAA,CACA,WAAA,CACA,eAAA,CACA,SAAA,CACA,QACD,CAAC,CAAA,CAMO,0BAAA,CAKA,mBAAA,CAER,WAAA,CACCC,CAAAA,CAAsB,EAAC,CACvBC,CAAAA,CAA0B,EAAC,CAC3BC,CAAAA,CACC,CACD,IAAA,CAAK,QAAA,CAAWF,CAAAA,CAChB,KAAK,gBAAA,CAAmB,IAAI,GAAA,CAAIC,CAAAA,CAAc,GAAA,CAAKE,CAAAA,EAAMA,EAAE,WAAA,EAAa,CAAC,CAAA,CACzE,IAAA,CAAK,UAAA,CAAaD,GAAc,IAAA,CAGhC,IAAA,CAAK,0BAAA,CAA6B,IAAI,GAAA,CACtC,IAAA,CAAK,oBAAsB,EAAC,CAE5B,IAAA,IAAWE,CAAAA,IAAS,IAAA,CAAK,gBAAA,CACpBA,EAAM,MAAA,CAAS,CAAA,CAIlB,IAAA,CAAK,0BAAA,CAA2B,GAAA,CAC/BA,CAAAA,CACA,IAAI,MAAA,CACH,CAAA,UAAA,EAAaA,CAAK,CAAA,sBAAA,EACHA,CAAAA,CAAM,MAAA,CAAO,CAAC,CAAA,CAAE,WAAA,EAAa,CAAA,EAAGA,CAAAA,CAAM,KAAA,CAAM,CAAC,CAAC,CAAA,EAAA,EACxDA,CAAK,CAAA,CAAA,CAAA,CACV,GACD,CACD,CAAA,CAEA,KAAK,mBAAA,CAAoB,IAAA,CAAKA,CAAK,EAGtC,CAYA,MAAa,KACZ9B,CAAAA,CACAC,CAAAA,CAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CAA6B,OAAO,IAAA,CAGlD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAG9B,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,EAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,GAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,IAAMoC,CAAAA,CAAS,IAAA,CAAK,KAAA,CAAMpC,CAAO,CAAA,CAE3BtC,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK0E,CAAAA,CAAQ9B,CAAI,CAAA,CAC9C,GAAI5C,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAAa,CAEb,CAID,IAAM2E,CAAAA,CAAmB,IAAA,CAAK,WAAA,CAAYhC,CAAK,EAC/C,GAAIgC,CAAAA,CAAkB,OAAOA,CAAAA,CAG7B,GAAI,IAAA,CAAK,WAAY,CACpB,IAAMC,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAKjC,CAAK,CAAA,CAClD,GAAIiC,CAAAA,CAAU,QAAA,CAAU,CACvB,IAAMC,CAAAA,CAAeD,CAAAA,CAAU,QAAA,CAAS,IAAA,CACtC3B,CAAAA,EAAMA,CAAAA,CAAE,IAAA,GAAS,QACnB,CAAA,CACA,GAAI4B,CAAAA,CACH,OAAO,CAAA,kCAAA,EAAqCA,CAAAA,CAAa,IAAI,CAAA,CAAA,CAE/D,CACD,CAEA,OAAO,IACR,CAGA,GAAI,OAAOlC,CAAAA,EAAU,QAAA,CAAU,CAE9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAAG,OAAO,IAAA,CAGtC,GAFAC,CAAAA,CAAK,GAAA,CAAID,CAAe,CAAA,CAEpB,KAAA,CAAM,OAAA,CAAQA,CAAK,CAAA,CACtB,IAAA,IAAWmC,KAAWnC,CAAAA,CAAO,CAC5B,IAAM3C,CAAAA,CAAY,MAAM,IAAA,CAAK,KAAK8E,CAAAA,CAASlC,CAAI,CAAA,CAC/C,GAAI5C,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAEA,IAAA,GAAW,CAAC+E,CAAAA,CAAKhC,CAAK,CAAA,GAAK,MAAA,CAAO,OAAA,CACjCJ,CACD,CAAA,CAAG,CAEF,GAAI,IAAA,CAAK,gBAAA,CAAiB,IAAIoC,CAAAA,CAAI,WAAA,EAAa,CAAA,CAC9C,OAAO,CAAA,eAAA,EAAkBA,CAAG,CAAA,CAAA,CAI7B,IAAMC,CAAAA,CAAiB,IAAA,CAAK,aAAA,CAAcD,CAAG,EAC7C,GAAIC,CAAAA,CAAgB,OAAOA,CAAAA,CAG3B,IAAMhF,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK+C,CAAAA,CAAOH,CAAI,CAAA,CAC7C,GAAI5C,EAAW,OAAOA,CACvB,CAEF,CAEA,OAAO,IACR,CAMQ,aAAA,CAAc+E,CAAAA,CAA4B,CACjD,IAAME,CAAAA,CAAaF,CAAAA,CAAI,aAAY,CAGnC,GAAIX,CAAAA,CAAW,YAAA,CAAa,GAAA,CAAIa,CAAU,CAAA,CAAG,OAAO,IAAA,CAGpD,IAAA,GAAW,CAACR,CAAAA,CAAOS,CAAO,CAAA,GAAK,KAAK,0BAAA,CACnC,GAAIA,CAAAA,CAAQ,IAAA,CAAKH,CAAG,CAAA,CACnB,OAAO,CAAA,uBAAA,EAA0BA,CAAG,CAAA,2BAAA,EAA8BN,CAAK,CAAA,CAAA,CAAA,CAKzE,IAAA,IAAWA,KAAS,IAAA,CAAK,mBAAA,CACxB,GAAIQ,CAAAA,CAAW,QAAA,CAASR,CAAK,CAAA,CAC5B,OAAO,CAAA,uBAAA,EAA0BM,CAAG,CAAA,4BAAA,EAA+BN,CAAK,CAAA,CAAA,CAAA,CAI1E,OAAO,IACR,CAEQ,WAAA,CAAYxC,CAAAA,CAA6B,CAChD,IAAA,IAAWkD,CAAAA,IAAQ,KAAK,QAAA,CACvB,GAAI,OAAOA,CAAAA,EAAS,QAAA,CAAA,CACnB,GAAIlD,EAAK,WAAA,EAAY,CAAE,QAAA,CAASkD,CAAAA,CAAK,WAAA,EAAa,CAAA,CACjD,OAAOA,CAAAA,CAAAA,KAAAA,GAEEA,CAAAA,YAAgB,MAAA,CAAA,CAE1B,GADIA,CAAAA,CAAK,MAAA,GAAQA,EAAK,SAAA,CAAY,CAAA,CAAA,CAC9BA,CAAAA,CAAK,IAAA,CAAKlD,CAAI,CAAA,CACjB,OAAOkD,CAAAA,CAAK,MAAA,CAAA,KAAA,GAEH,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,KAAM,CAErD,IAAMC,CAAAA,CAAMD,CAAAA,CAEZ,GAAI,OAAOC,EAAI,OAAA,EAAY,QAAA,CAAA,CAC1B,GAAInD,CAAAA,CAAK,WAAA,EAAY,CAAE,SAASmD,CAAAA,CAAI,OAAA,CAAQ,WAAA,EAAa,CAAA,GACpD,CAACA,EAAI,SAAA,EAAaA,CAAAA,CAAI,SAAA,CAAUA,CAAAA,CAAI,OAAO,CAAA,CAAA,CAC9C,OAAOA,CAAAA,CAAI,IAAA,CAAA,KAAA,GAGHA,CAAAA,CAAI,OAAA,YAAmB,MAAA,CAAQ,CACrCA,CAAAA,CAAI,OAAA,CAAQ,MAAA,GAAQA,CAAAA,CAAI,OAAA,CAAQ,SAAA,CAAY,CAAA,CAAA,CAGhD,IAAIrB,EAAQqB,CAAAA,CAAI,OAAA,CAAQ,IAAA,CAAKnD,CAAI,CAAA,CACjC,KAAO8B,IAAU,IAAA,EAAM,CACtB,IAAMsB,CAAAA,CAActB,CAAAA,CAAM,CAAC,EAC3B,GAAI,CAACqB,CAAAA,CAAI,SAAA,EAAaA,CAAAA,CAAI,SAAA,CAAUC,CAAW,CAAA,CAC9C,OAAOD,CAAAA,CAAI,IAAA,CAEZ,GAAI,CAACA,EAAI,OAAA,CAAQ,MAAA,CAAQ,MACzBrB,CAAAA,CAAQqB,CAAAA,CAAI,OAAA,CAAQ,KAAKnD,CAAI,EAC9B,CACD,CACD,CAED,OAAO,IACR,CACD,EC/aA,IAAMqD,CAAAA,CAAYC,CAAAA,CAAK,OAAA,CAAQC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA,CA0EhDC,CAAAA,CAAN,MAAMC,CAAW,CAsWvB,WAAA,CACSC,CAAAA,CACAC,CAAAA,CACP,CAFO,IAAA,CAAA,UAAA,CAAAD,CAAAA,CACA,YAAAC,CAAAA,CAER,IAAMrB,CAAAA,CAAa,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,kBACvC,IAAIzC,CAAAA,CACJ,IAAA,CAEH,IAAA,CAAK,UAAA,CAAa,IAAIqC,EACrB,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,WAAA,EAAeD,CAAAA,CAAY,aAAA,CAClD,KAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,EAAiB,CACvC,IAAA,CACA,MAAA,CACA,WACA,WAAA,CACA,UAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,YAAA,CACA,UACA,OAAA,CACA,OAAA,CACA,KAAA,CACA,eAAA,CACA,eAAA,CACA,gBAAA,CACA,UAAA,CACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACAK,CACD,CAAA,CAGA,IAAMsB,EAAW,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,SAAA,CACxC,IAAA,CAAK,gBAAA,CACJA,GAAU,QAAA,EACV,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,yBAAA,EAA6B,QAAS,EAAE,CAAA,CACrE,IAAA,CAAK,oBAAA,CACJA,CAAAA,EAAU,YAAA,EACV,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,mBAAA,EAAuB,IAAA,CAAM,EAAE,CAAA,CAC5D,KAAK,sBAAA,CACJA,CAAAA,EAAU,kBAAA,EACV,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,0BAAA,EAA8B,IAAA,CAAM,EAAE,CAAA,CAGnE,IAAMvB,CAAAA,CAAgB,KAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,EAAiB,CAC7D,IAAA,CACA,MAAA,CACA,UAAA,CACA,WAAA,CACA,UAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,YAAA,CACA,SAAA,CACA,QACA,OAAA,CACA,KAAA,CACA,eAAA,CACA,eAAA,CACA,gBAAA,CACA,UAAA,CACA,QACA,QAAA,CACA,YACD,CAAA,CACA,IAAA,CAAK,aAAA,CAAgB,IAAIxG,EAAcwG,CAAa,CAAA,CAGpD,IAAMwB,CAAAA,CAAO,MAAA,CAAA,IAAA,CAAY,GAAA,CAAI,SAAS,KAAK,CAAA,CACrCC,CAAAA,CAAYD,CAAAA,CAAO,KAAA,CAAQ,KAAA,CAE7BE,EAAqB,EAAC,CAC1B,GAAIF,CAAAA,CACH,GAAI,CAEH,IAAMG,CAAAA,CADMC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA,CACtB,OAAA,CAAQ,kBAAkB,CAAA,CAI7CF,CAAAA,CAAW,CAAC,UAAA,CAHQG,aAAAA,CACnBZ,CAAAA,CAAK,IAAA,CAAKA,CAAAA,CAAK,OAAA,CAAQU,CAAM,CAAA,CAAG,MAAA,CAAQ,YAAY,CACrD,EAAE,IACiC,EACpC,CAAA,KAAa,CACZD,CAAAA,CAAW,CAAC,WAAY,KAAK,EAC9B,CAGD,IAAMI,CAAAA,CAAS,OAAA,CAAQ,IAAI,QAAA,GAAa,MAAA,EAAU,OAAA,CAAQ,GAAA,CAAI,MAAA,CAG1D,IAAA,CAAK,QAAQ,YAAA,EAAgB,CAAC,IAAA,CAAK,UAAA,CAAW,YAAA,GACjD,IAAA,CAAK,WAAW,YAAA,CAAe,IAAA,CAAK,MAAA,CAAO,YAAA,CAAA,CAO5C,IAAMC,CAAAA,CAAc,CACnBd,CAAAA,CAAK,OAAA,CAAQD,CAAAA,CAAW,CAAA,yBAAA,EAA4BS,CAAS,CAAA,CAAE,EAC/DR,CAAAA,CAAK,OAAA,CAAQD,CAAAA,CAAW,CAAA,0BAAA,EAA6BS,CAAS,CAAA,CAAE,CACjE,CAAA,CAEMO,CAAAA,CACLD,CAAAA,CAAY,IAAA,CAAMrC,CAAAA,EAAS,CAAA,CAAA,UAAA,CAAWA,CAAC,CAAC,CAAA,EAAKqC,CAAAA,CAAY,CAAC,CAAA,CAE3D,IAAA,CAAK,UAAA,CAAa,IAAIE,OAAAA,CAAQ,CAC7B,QAAA,CAAUD,CAAAA,CACV,UAAA,CAAY,IAAA,CAAK,QAAQ,UAAA,EAAY,UAAA,GAAeF,CAAAA,CAAS,CAAA,CAAI,CAAA,CAAA,CACjE,UAAA,CAAY,KAAK,MAAA,EAAQ,UAAA,EAAY,UAAA,GAAeA,CAAAA,CAAS,CAAA,CAAI,CAAA,CAAA,CACjE,YACC,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,WAAA,GAAgBA,CAAAA,CAAS,GAAA,CAAM,KACzD,QAAA,CAAU,MAAA,CACV,SAAA,CAAW,IAAII,UAAAA,CACf,QAAA,CAAAR,EAGA,cAAA,CAAgB,CACf,sBAAA,CACC,IAAA,CAAK,MAAA,EAAQ,UAAA,EAAY,SAAA,EACzB,MAAA,CAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,uBAAA,EAA2B,IAAA,CAAM,EAAE,CACjE,CACD,CAAC,CAAA,CAKD,IAAA,CAAK,QAAA,CACJ,6BAAA,CACA,gCACA,qFAAA,CACA,YAAA,CACA,IAAM,OAAA,CAAQ,OAAA,CAAQ,IAAA,CAAK,mBAAmB,CAC/C,EACD,CA9eQ,UAAA,CACP,IAAI,GAAA,CACG,eAAA,CAGJ,IAAI,GAAA,CACS,YAAA,CAAe,IAAA,CAAU,EAAA,CAAK,GAAA,CAC9B,mBAAqB,CAAA,CACrB,oBAAA,CAAuB,EAAA,CAAK,GAAA,CAGrC,eAAA,CAAyC,IAAI,IACpC,oBAAA,CACA,gBAAA,CAGT,gBAAA,CAA6B,EAAC,CACrB,sBAAA,CAGT,iBAAqD,IAAI,GAAA,CAGhD,aAAA,CAET,KAAA,CAUJ,IAAI,GAAA,CACA,SAAA,CAGJ,IAAI,GAAA,CACA,OAAA,CAQJ,IAAI,GAAA,CACA,YAAA,CAA+C,IAAA,CAC/C,eAA4C,EAAC,CAE7C,UAAA,CACA,UAAA,CACA,QAAA,CAA4B,IAAA,CAC5B,UAAkC,IAAA,CAClC,SAAA,CAA2B,IAAA,CAC3B,QAAA,CAGJ,IAAI,GAAA,CAGR,OAAwB,kBAAA,CACvB,2EAAA,CAEO,YAAA,CAAaS,CAAAA,CAAgC,CACpD,IAAMC,EAAUD,CAAAA,CAAQ,KAAA,CAAMf,CAAAA,CAAW,kBAAkB,CAAA,CAC3D,OAAOgB,GAAS,MAAA,EAAQ,KAAA,CAAQA,CAAAA,CAAQ,MAAA,CAAO,KAAA,CAAM,IAAA,GAAS,IAC/D,CAEQ,gBAAA,CAAiB/D,CAAAA,CAAyB,CACjD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,OAAOA,CAAAA,CACtC,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,IAAA,CAAK,KAAA,CAAMA,CAAO,CAC1B,CAAA,KAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEQ,kBAAA,CACPgE,EACAC,CAAAA,CACAC,CAAAA,CACgB,CAEhB,GAAIA,CAAAA,CAAQ,CACX,IAAMH,CAAAA,CAAUE,CAAAA,CAAM,OAAA,CAAQ,MAAA,CAAQ,GAAG,CAAA,CAEzC,GAAIC,CAAAA,CAAO,uBAAA,EACoB,CAG7B,8EAAA,CACA,gHACD,CAAA,CAC0B,IAAA,CAAM7C,CAAAA,EAAMA,CAAAA,CAAE,IAAA,CAAK0C,CAAO,CAAC,CAAA,CACpD,OAAO,0EAIT,GAAIG,CAAAA,CAAO,qBAAA,EAAuB,IAAA,CAAM7C,CAAAA,EAAMA,CAAAA,CAAE,KAAK0C,CAAO,CAAC,CAAA,CAC5D,OAAO,yDAET,CAIA,IAAII,CAAAA,CAAkB,EAAA,CAClB,OAAOD,CAAAA,EAAQ,uBAAA,EAA4B,QAAA,GAC9CC,EACCD,CAAAA,CAAO,uBAAA,CAAwB,oBAAA,EAAwB,EAAA,CAAA,CAEzD,IAAME,CAAAA,CAAiB,KAAK,aAAA,CAAc,OAAA,CACzCH,CAAAA,CACA,IAAA,CAAK,cAAA,CAAe,MAAA,CACpBE,CACD,CAAA,CACA,GAAIC,CAAAA,CACH,OAAO,CAAA,2BAAA,EAA8BA,CAAAA,CAAe,MAAM,CAAA,CAAA,CAI3D,IAAMC,CAAAA,CAAaH,CAAAA,EAAQ,mBAAA,EAAuB,CAAA,CAC5CI,CAAAA,CAAkB,IAAA,CAAK,aAAA,CAAc,oBAAA,CAAqBL,CAAK,CAAA,CAErE,GAAIK,CAAAA,CAAgB,OAAS,CAAA,CAAG,CAC/B,IAAIC,CAAAA,CAAa,IAAA,CAAK,gBAAA,CAAiB,IAAIP,CAAS,CAAA,CAC/CO,CAAAA,GACJA,CAAAA,CAAa,IAAI,GAAA,CACjB,KAAK,gBAAA,CAAiB,GAAA,CAAIP,CAAAA,CAAWO,CAAU,CAAA,CAAA,CAIhD,IAAA,IAAW1H,CAAAA,IAASyH,CAAAA,CAEnB,GAAA,CADcC,CAAAA,CAAW,GAAA,CAAI1H,CAAK,CAAA,EAAK,CAAA,GAC1BwH,EACZ,OAAO,CAAA,4DAAA,EAA+DxH,CAAK,CAAA,OAAA,EAAUwH,CAAU,CAAA,kDAAA,CAAA,CAKjG,QAAWxH,CAAAA,IAASyH,CAAAA,CAAiB,CACpC,IAAMvH,CAAAA,CAAQwH,CAAAA,CAAW,IAAI1H,CAAK,CAAA,EAAK,CAAA,CACvC0H,CAAAA,CAAW,GAAA,CAAI1H,CAAAA,CAAOE,CAAAA,CAAQ,CAAC,EAChC,CACD,CAEA,OAAO,IACR,CAEQ,qBACPyH,CAAAA,CACAC,CAAAA,CACAP,CAAAA,CACgB,CAChB,GAAI,CAACA,EAAQ,OAAO,IAAA,CACpB,IAAMnC,CAAAA,CAAS,IAAA,CAAK,gBAAA,CAAiB0C,CAAM,CAAA,CAE3C,GAAIP,CAAAA,CAAO,YAAA,CAAc,CAkBxB,IAAMQ,GAbmB,IAAM,CAC9B,GAAI,EAAER,CAAAA,CAAO,YAAA,YAAwBS,IAAE,SAAA,CAAA,CACtC,OAAOT,CAAAA,CAAO,YAAA,CAEf,IAAMnF,CAAAA,CAAMmF,EAAO,YAAA,CAEnB,OAAMnF,CAAAA,CAAI,IAAA,CAAK,QAAA,YAAoB4F,GAAAA,CAAE,SAI9B5F,CAAAA,CAAI,MAAA,EAAO,CAHVA,CAIT,CAAA,GAAG,CAEkC,SAAA,CAAUgD,CAAM,CAAA,CACrD,GAAI,CAAC2C,CAAAA,CAAa,OAAA,CAGjB,OAAO,sCAAsCF,CAAQ,CAAA,EAAA,EAAKE,CAAAA,CAAa,KAAA,CAAM,MAAA,CAC3E,GAAA,CAAKE,GAAM,CAAA,EAAGA,CAAAA,CAAE,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,EAAK,QAAQ,CAAA,CAAA,EAAIA,CAAAA,CAAE,OAAO,CAAA,CAAE,CAAA,CACzD,IAAA,CACA,IACD,CAAC,CAAA,gIAAA,CAEJ,CAEA,OACCV,CAAAA,CAAO,uBAAA,EACP,IAAA,CAAK,+BACJ,IAAA,CAAK,8BAAA,CAA+BnC,CAAM,CAAA,CAC1CmC,CAAAA,CAAO,uBAAA,CACP,KAAK,cAAA,CAAe,MACrB,CAAA,CAGC,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,eACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,GAAqB,GAAA,CAG/B,gPAAA,CACA,gFAAA,CAGG,IACR,CAOQ,8BAAA,CAA+BlE,CAAAA,CAAyB,CAC/D,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAC9B,IAAML,EAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,WAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,IAAA,CAAK,8BAAA,CAA+B,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAC,CAC/D,CAAA,KAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEA,GAAI,CAACA,CAAAA,EAAS,OAAOA,CAAAA,EAAU,QAAA,CAC9B,OAAOA,CAAAA,CAGR,IAAM6E,CAAAA,CAAM7E,CAAAA,CACZ,GAAI,CAAC,KAAA,CAAM,OAAA,CAAQ6E,CAAAA,CAAI,OAAO,CAAA,EAAKA,EAAI,OAAA,CAAQ,MAAA,GAAW,CAAA,CACzD,OAAO7E,CAAAA,CAGR,IAAM8E,EAAkB,EAAC,CACzB,IAAA,IAAWC,CAAAA,IAAQF,CAAAA,CAAI,OAAA,CACtB,GAAIE,CAAAA,EAAQ,OAAOA,CAAAA,EAAS,QAAA,EAAY,MAAA,GAAUA,CAAAA,CAAM,CACvD,IAAMC,CAAAA,CAAKD,CAAAA,CAA4B,IAAA,CACnC,OAAOC,CAAAA,EAAM,QAAA,EAChBF,EAAM,IAAA,CAAKE,CAAC,EAEd,CAED,GAAIF,CAAAA,CAAM,SAAW,CAAA,CACpB,OAAO9E,CAAAA,CAGR,IAAMiF,CAAAA,CAASH,CAAAA,CAAM,MAAA,GAAW,CAAA,CAAIA,CAAAA,CAAM,CAAC,CAAA,CAAIA,CAAAA,CAAM,IAAA,CAAK;AAAA,CAAI,CAAA,CAC9D,OAAO,IAAA,CAAK,8BAAA,CAA+BG,CAAM,CAClD,CAEQ,8BAAA,CACPjF,CAAAA,CACAkF,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMC,CAAAA,CACL,OAAOF,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,aAAA,EAAkB,QAAA,CAChCA,CAAAA,CAAU,aAAA,CACV,EAAA,CACEG,CAAAA,CACL,OAAOH,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,oBAAA,EAAyB,SAAA,CACvCA,CAAAA,CAAU,oBAAA,CACV,IAAA,CAEJ,GAAI,OAAOlF,CAAAA,EAAU,QAAA,CAAU,CAC9B,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,8BAAA,CACX,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAA,CAClBuF,CAAAA,CACAC,CACD,CACD,CAAA,KAAQ,CACP,OAAO,MACR,CAED,OAAO,MACR,CAEA,GAAI,KAAA,CAAM,OAAA,CAAQnF,CAAK,CAAA,CACtB,OACCA,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOsF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAG3DtF,CAAAA,CAAM,MAAA,CAASoF,CAAAA,CACX,IAAA,CAEDpF,CAAAA,CAAM,IAAA,CAAMsF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAIAnF,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOsF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAE1D,CAAAD,CAAAA,CAICrF,EAAM,IAAA,CAAMsF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAGD,GAAInF,CAAAA,EAAS,OAAOA,CAAAA,EAAU,QAAA,CAAU,CACvC,IAAMuF,CAAAA,CAAO,MAAA,CAAO,IAAA,CAAKvF,CAAgC,CAAA,CAkBzD,OAdImF,CAAAA,GAAiB,MAAA,EAAaA,CAAAA,CAAe,CAAA,EAAKA,CAAAA,CAAe,EAAA,GAChEI,CAAAA,CAAK,MAAA,CAAS,CAAA,EAEH,MAAA,CAAO,OAAOvF,CAAgC,CAAA,CAErD,IAAA,CACLwF,CAAAA,EAAM,KAAA,CAAM,OAAA,CAAQA,CAAC,CAAA,EAAM,OAAOA,CAAAA,EAAM,QAAA,EAAYA,CAAAA,GAAM,IAC5D,CAAA,CAAA,EAOED,CAAAA,CAAK,MAAA,CAASH,CAAAA,CACV,IAAA,CAGD,MAAA,CAAO,MAAA,CAAOpF,CAAgC,CAAA,CAAE,IAAA,CAAMI,CAAAA,EAC5D,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAO8E,CAAAA,CAAWC,CAAY,CACnE,CACD,CAEA,OAAO,MACR,CAiJQ,iBAAA,EAA4B,CACnC,IAAMM,CAAAA,CAAQ,CACb,gCAAA,CACA,kCAAA,CACA,EAAA,CACA,SAAA,CACA,EAAA,CACA,mBAAA,CACA,2BAAA,CACA,qBAAA,CACA,QAAA,CACA,EAAA,CACA,sBAAA,CACA,sDAAA,CACA,uCAAA,CACA,iDAAA,CACA,uDAAA,CACA,EAAA,CACA,uBAAA,CACA,sDAAA,CACA,gEAAA,CACA,kDACD,CAAA,CAEA,OAAI,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,eAAe,MAAA,EACzCA,CAAAA,CAAM,IAAA,CACL,CAAA,qBAAA,EAAwB,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,IAAI,CAAC,CAAA,CACtE,CAAA,CAGDA,CAAAA,CAAM,IAAA,CACL,EAAA,CACA,8BACA,4EAAA,CACA,4EAAA,CACA,kEAAA,CACA,mEAAA,CACA,EAAA,CACA,cAAA,CACA,iEAAA,CACA,gDAAA,CACA,EAAA,CACA,0BAAA,CACA,iEAAA,CACA,sEAAA,CACA,EAAA,CACA,sBAAA,CACA,8DACD,CAAA,CAEOA,EAAM,IAAA,CAAK;AAAA,CAAI,CACvB,CAWQ,yBAAA,CACPC,EACAC,CAAAA,CAAQ,CAAA,CACC,CAET,GAAIA,CAAAA,CAAQ,CAAA,CAAG,OAAO,QAEtB,IAAMC,CAAAA,CAAaF,EAAO,IAAA,CACpBG,CAAAA,CAAaH,EAAO,UAAA,CAGpBI,CAAAA,CAAQJ,CAAAA,CAAO,KAAA,CAGrB,OAAIG,CAAAA,CAgBI,CAAA,CAAA,EAfQ,OAAO,OAAA,CAAQA,CAAU,EAAE,GAAA,CAAI,CAAC,CAACzD,CAAAA,CAAKhF,CAAI,IAAM,CAC9D,IAAM2I,EAAW3I,CAAAA,CAAK,IAAA,CACtB,GAAI2I,CAAAA,GAAa,OAAA,EAAW3I,CAAAA,CAAK,KAAA,CAAO,CACvC,IAAM4I,CAAAA,CAAS,KAAK,yBAAA,CACnB5I,CAAAA,CAAK,MACLuI,CAAAA,CAAQ,CACT,EACA,OAAO,CAAA,EAAGvD,CAAG,CAAA,UAAA,EAAa4D,CAAM,GACjC,CACA,GAAID,IAAa,QAAA,EAAY3I,CAAAA,CAAK,UAAA,CAAY,CAC7C,IAAM4I,CAAAA,CAAS,IAAA,CAAK,0BAA0B5I,CAAAA,CAAMuI,CAAAA,CAAQ,CAAC,CAAA,CAC7D,OAAO,GAAGvD,CAAG,CAAA,CAAA,EAAI4D,CAAM,CAAA,CAAA,CACxB,CACA,OAAO,CAAA,EAAG5D,CAAG,IAAI2D,CAAAA,EAAY,SAAS,CAAA,CAAA,CACvC,CAAC,EACiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,CAIzBH,CAAAA,GAAe,SAAWE,CAAAA,CAEtB,CAAA,SAAA,EADc,KAAK,yBAAA,CAA0BA,CAAAA,CAAOH,EAAQ,CAAC,CACrC,GAI5BC,CAAAA,EACG,MAAA,CAAO,KAAKF,CAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CACrC,CAKA,MAAa,QACZO,CAAAA,CAOI,GACY,CAChB,OAAO,KAAK,aAAA,CAAcA,CAAO,CAClC,CAKO,IAAA,CACNnH,EACAoH,CAAAA,CACAC,CAAAA,CACAC,EACAlC,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,MAAM,GAAA,CAAIpF,CAAI,EACtB,MAAM,IAAI,MAAM,CAAA,yBAAA,EAA4BA,CAAI,EAAE,CAAA,CAGnD,IAAM4G,EAASf,GAAAA,CAAE,MAAA,CAAOwB,CAAK,CAAA,CACvBE,CAAAA,CAAkBC,gBAAgBZ,CAAM,CAAA,CAE1Ca,CAAAA,CAAmBL,CAAAA,CACnBM,EAAeJ,CAAAA,CAGnB,GAAID,EAAM,OAAA,EAAWA,CAAAA,CAAM,mBAAmBxB,GAAAA,CAAE,SAAA,CAAW,CAC1D,IAAM8B,CAAAA,CAAc,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,EAAC,CAe7D,GAVAF,CAAAA,EACC;;AAAA,sMAAA,CAAA,CAKGE,CAAAA,CAAY,MAAA,CAAS,CAAA,GACxBF,CAAAA,EAAoB;AAAA,mBAAA,EAAwBE,CAAAA,CAAY,IAAA,CAAK,IAAI,CAAC,KAG/D,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,EAAe,IAAA,CAAK,yBAAA,CAA0B,IAAA,CAAK,YAAY,EACrEH,CAAAA,EAAoB;AAAA,gBAAA,EAAqBG,CAAY,+CACtD,CAEAF,CAAAA,CAAe,MACdG,CAAAA,CACAC,CAAAA,GACI,CACJ,IAAMC,CAAAA,CAAW,oBACXC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfC,CAAAA,CAAQ,KAAK,eAAA,CAAgB,GAAA,CAAIF,CAAQ,CAAA,EAAK,CACnD,QAAA,CAAU,EACV,WAAA,CAAa,CACd,EAEA,GACCE,CAAAA,CAAM,UAAY,IAAA,CAAK,kBAAA,EACvBD,EAAMC,CAAAA,CAAM,WAAA,CAAc,KAAK,oBAAA,CAE/B,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,mEACP,CACD,CAAA,CACA,QAAS,IACV,CAAA,CAGD,IAAMC,CAAAA,CAAgBL,CAAAA,CACpB,QACIM,CAAAA,CACJN,CAAAA,CAAiC,0BAA4B,IAAA,CAEzDO,CAAAA,CAAcC,EAClB,UAAA,CAAW,QAAQ,EACnB,MAAA,CAAOH,CAAY,EACnB,MAAA,CAAO,KAAK,CAAA,CACR/C,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAa+C,CAAY,CAAA,CACtCI,CAAAA,CAAS,KAAK,UAAA,CAAW,GAAA,CAAIF,CAAW,CAAA,CAE9C,GACC,CAACD,CAAAA,EACDG,CAAAA,EACAN,CAAAA,CAAMM,EAAO,SAAA,CAAY,IAAA,CAAK,cAG1BnD,CAAAA,CAAO,CACT0C,EAAiC,OAAA,CAAU1C,CAAAA,CAG5C,IAAMoD,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5BvI,EACAmF,CAAAA,CACAC,CACD,EACA,OAAImD,CAAAA,CACI,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,IACV,EAEM,MAAM,IAAA,CAAK,mBAAA,CAAoBV,CAAAA,CAAM1C,CAAAA,CAAOnF,CAAI,CACxD,CAGD,GAAI,CAACmF,CAAAA,CACJ,OAAA8C,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,gBAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,CACjC,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,gKACP,CACD,CAAA,CACA,OAAA,CAAS,IACV,CAAA,CAGD,GAAI,CAGH,IAAM9C,CAAAA,CAAQ,KAAK,YAAA,CACjB0C,CAAAA,CAAiC,OACnC,CAAA,CAECA,CAAAA,CAAiC,QAAU1C,CAAAA,CAG5C,IAAMoD,EAAkB,IAAA,CAAK,kBAAA,CAAmBvI,CAAAA,CAAMmF,CAAAA,CAAOC,CAAM,CAAA,CACnE,GAAImD,CAAAA,CACH,OAAAN,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,EACjC,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,OAAQ,IAAA,CAAMM,CAAgB,CAAC,CAAA,CACjD,OAAA,CAAS,CAAA,CACV,EAGD,IAAMhH,CAAAA,CAAS,MAAM,IAAA,CAAK,mBAAA,CAAoBsG,EAAM1C,CAAAA,CAAOnF,CAAI,EAE/D,OAAKuB,CAAAA,CAAO,SAUX0G,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,GAXxC,IAAA,CAAK,gBAAgB,GAAA,CAAIF,CAAAA,CAAU,CAClC,QAAA,CAAU,CAAA,CACV,YAAaC,CACd,CAAC,EACD,IAAA,CAAK,UAAA,CAAW,IAAII,CAAAA,CAAa,CAChC,KAAMA,CAAAA,CACN,SAAA,CAAWJ,CACZ,CAAC,CAAA,CAAA,CAOKzG,CACR,CAAA,MAASrF,CAAAA,CAAgB,CACxB,IAAMsF,CAAAA,CAAItF,CAAAA,CACV,OAAA+L,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,EAAUE,CAAK,CAAA,CACjC,CACN,OAAA,CAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,2BAAA,EAA8BzG,CAAAA,CAAE,OAAO,EAAG,CACjE,CAAA,CACA,QAAS,IACV,CACD,CACD,EACD,CAEA,IAAMgH,CAAAA,CAAc,CACnB,IAAA,CAAM,SACN,UAAA,CAAajB,CAAAA,CAA4C,YAAc,EAAC,CACxE,SAAWA,CAAAA,CAA4C,QACxD,CAAA,CAEA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAIvH,EAAM,CACpB,IAAA,CAAM,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAayH,CAAAA,CAAkB,WAAA,CAAAe,CAAY,CAAA,CACzD,OAAA,CAASd,EACT,MAAA,CAAAd,CAAAA,CACA,OAAAxB,CACD,CAAC,EAGG,IAAA,CAAK,QAAA,EACR,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBpF,CAAI,EAAE,KAAA,CAAOyI,CAAAA,EAAQ,CACrDrM,GAAAA,CAAI,IAAA,CACH,4CAA4C4D,CAAI,CAAA,EAAA,EAAKyI,CAAAA,CAAI,OAAO,CAAA,CACjE,EACD,CAAC,EAEH,CAKO,OACNzI,CAAAA,CACAoH,CAAAA,CACAS,EACAP,CAAAA,CAGO,CACP,GAAI,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAItH,CAAI,CAAA,CACxB,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8BA,CAAI,CAAA,CAAE,CAAA,CAErD,KAAK,OAAA,CAAQ,GAAA,CAAIA,EAAM,CACtB,MAAA,CAAQ,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAAoH,CAAAA,CAAa,SAAA,CAAWS,CAAK,CAAA,CAC7C,OAAA,CAAAP,CACD,CAAC,EACF,CAKO,wBAA+B,CACrC,IAAA,CAAK,OACJ,oBAAA,CACA,yKAAA,CACA,EAAC,CACAoB,CAAAA,GACO,CACN,YAAa,iCAAA,CACb,QAAA,CAAU,CACT,CACC,IAAA,CAAM,OACN,OAAA,CAAS,CACR,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,CAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4IAAA,EAcL,KAAK,YAAA,CACF;;AAAA;AAAA,EAA0C,IAAA,CAAK,UAAU,IAAA,CAAK,YAAA,CAAc,KAAM,CAAC,CAAC,GACpF,EACJ;;AAAA,yDAAA,CAGD,CACD,CACD,CACD,CAAA,CAEF,EACD,CAKO,QAAA,CACN1I,EACA2I,CAAAA,CACAvB,CAAAA,CACAwB,EACAC,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,SAAA,CAAU,IAAIF,CAAG,CAAA,CACzB,MAAM,IAAI,KAAA,CAAM,oCAAoCA,CAAG,CAAA,CAAE,EAE1D,IAAA,CAAK,SAAA,CAAU,IAAIA,CAAAA,CAAK,CAAE,KAAA3I,CAAAA,CAAM,GAAA,CAAA2I,EAAK,WAAA,CAAAvB,CAAAA,CAAa,SAAAwB,CAAAA,CAAU,OAAA,CAAAC,CAAQ,CAAC,EACtE,CAKO,cAAA,CACNjC,CAAAA,CACA5G,EAAe,gCAAA,CACf2I,CAAAA,CAAc,uBACdvB,CAAAA,CAAsB,sEAAA,CACf,CACP,IAAA,CAAK,YAAA,CAAeR,EAIpB,IAAMgB,CAAAA,CAAe,KAAK,yBAAA,CAA0BhB,CAAM,EAC1D,IAAA,GAAW,CAAClB,EAAUoD,CAAK,CAAA,GAAK,KAAK,KAAA,CAAM,OAAA,GAEzCA,CAAAA,CAAM,MAAA,CAAO,MAAM,OAAA,EACnBA,CAAAA,CAAM,OAAO,KAAA,CAAM,OAAA,YAAmBjD,IAAE,SAAA,EACxCiD,CAAAA,CAAM,KAAK,WAAA,EACX,CAACA,EAAM,IAAA,CAAK,WAAA,CAAY,SAAS,iBAAiB,CAAA,GAElDA,CAAAA,CAAM,IAAA,CAAK,WAAA,EAAe;AAAA,gBAAA,EAAqBlB,CAAY,CAAA,wBAAA,EAA2Be,CAAG,CAAA,CAAA,CACzF,IAAA,CAAK,MAAM,GAAA,CAAIjD,CAAAA,CAAUoD,CAAK,CAAA,CAAA,CAIhC,KAAK,QAAA,CACJ9I,CAAAA,CACA2I,EACAvB,CAAAA,CACA,kBAAA,CACA,KAAK,SAAA,CAAUR,CAAAA,CAAQ,IAAA,CAAM,CAAC,CAC/B,EACD,CAKO,aAAA,EAAsB,CAC5B,KAAK,UAAA,CAAW,KAAA,EAAM,CACtBxK,GAAAA,CAAI,KAAK,iDAAiD,EAC3D,CAQQ,sBAAA,CAAuBsJ,CAAAA,CAAyC,CACvE,IAAMsC,CAAAA,CAAM,IAAA,CAAK,GAAA,GACXe,CAAAA,CAAW,IAAA,CAAK,gBAAA,CAChBC,CAAAA,CAAe,KAAK,oBAAA,CAIpBC,CAAAA,CAAAA,CAFS,IAAA,CAAK,eAAA,CAAgB,IAAIvD,CAAQ,CAAA,EAAK,EAAC,EAEhC,MAAA,CAAQQ,GAAM8B,CAAAA,CAAM9B,CAAAA,CAAI6C,CAAQ,CAAA,CAEtD,GAAIE,CAAAA,CAAO,MAAA,EAAUD,EAAc,CAClC,IAAME,EAAgB,IAAA,CAAK,IAAA,CAAA,CAAMD,CAAAA,CAAO,CAAC,EAAIF,CAAAA,CAAWf,CAAAA,EAAO,GAAI,CAAA,CACnE,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CACC,CAAA,qCAAA,EAAwCtC,CAAQ,CAAA,MAAA,EACzCsD,CAAY,CAAA,KAAA,EAAQD,CAAAA,CAAW,GAAI,CAAA,sBAAA,EAC3BG,CAAa,CAAA,EAAA,CAC9B,CACD,EACA,OAAA,CAAS,IACV,CACD,CAEA,OAAAD,CAAAA,CAAO,IAAA,CAAKjB,CAAG,CAAA,CACf,IAAA,CAAK,gBAAgB,GAAA,CAAItC,CAAAA,CAAUuD,CAAM,CAAA,CAClC,IACR,CAOQ,oBAAA,EAA8C,CACrD,IAAMjB,CAAAA,CAAM,KAAK,GAAA,EAAI,CACfe,EAAW,IAAA,CAAK,gBAAA,CAChBI,CAAAA,CAAY,IAAA,CAAK,uBAMvB,GAJA,IAAA,CAAK,gBAAA,CAAmB,IAAA,CAAK,iBAAiB,MAAA,CAC5CjD,CAAAA,EAAM8B,CAAAA,CAAM9B,CAAAA,CAAI6C,CAClB,CAAA,CAEI,IAAA,CAAK,iBAAiB,MAAA,EAAUI,CAAAA,CAAW,CAC9C,IAAMD,CAAAA,CAAgB,IAAA,CAAK,IAAA,CAAA,CACzB,KAAK,gBAAA,CAAiB,CAAC,EAAIH,CAAAA,CAAWf,CAAAA,EAAO,GAC/C,CAAA,CACA,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CACC,CAAA,mDAAA,EACOmB,CAAS,CAAA,iBAAA,EAAoBJ,CAAAA,CAAW,GAAI,CAAA,sBAAA,EACpCG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,OAAA,CAAS,IACV,CACD,CAEA,OAAA,IAAA,CAAK,gBAAA,CAAiB,KAAKlB,CAAG,CAAA,CACvB,IACR,CAKA,MAAa,SAASoB,CAAAA,CAAmD,CACxE,IAAMN,CAAAA,CAAQ,KAAK,KAAA,CAAM,GAAA,CAAIM,CAAAA,CAAQ,IAAI,EACzC,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmBM,EAAQ,IAAI,CAAA,CAAE,EAIlD,IAAMC,CAAAA,CAAoB,IAAA,CAAK,oBAAA,GAC/B,GAAIA,CAAAA,CAAmB,OAAOA,CAAAA,CAC9B,IAAMC,CAAAA,CAAkB,IAAA,CAAK,sBAAA,CAAuBF,CAAAA,CAAQ,IAAI,CAAA,CAChE,GAAIE,EAAiB,OAAOA,CAAAA,CAE5B,GAAI,CAEH,IAAMC,CAAAA,CAAaT,CAAAA,CAAM,OAAO,KAAA,CAAMM,CAAAA,CAAQ,WAAa,EAAE,EAW7D,GAPEA,CAAAA,CAAQ,SAAA,EACN,uBAAA,GAA4B,KAE9BG,CAAAA,CAAuC,uBAAA,CAA0B,IAKlEA,CAAAA,EACA,OAAQA,EAAuC,OAAA,EAAY,QAAA,CAC1D,CACD,IAAMvE,EAAWuE,CAAAA,CACf,OAAA,CACIpE,CAAAA,CAAQ,IAAA,CAAK,aAAaH,CAAO,CAAA,CACvC,GAAIG,CAAAA,CAAO,CACV,IAAMoD,CAAAA,CAAkB,KAAK,kBAAA,CAC5Ba,CAAAA,CAAQ,KACRjE,CAAAA,CACA2D,CAAAA,CAAM,MACP,CAAA,CACA,OAAIP,CAAAA,CACI,CACN,QAAS,CAAC,CAAE,KAAM,MAAA,CAAQ,IAAA,CAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,CAAA,CACV,GAEAgB,CAAAA,CAAuC,OAAA,CAAUpE,EAC3C,MAAM,IAAA,CAAK,mBAAA,CACjBoE,CAAAA,CACApE,EACAiE,CAAAA,CAAQ,IACT,CAAA,CACD,CACD,CAGA,OADe,MAAMN,CAAAA,CAAM,OAAA,CAAQS,EAAY,EAAE,CAElD,CAAA,MAASrN,CAAAA,CAAgB,CACxB,IAAMsF,CAAAA,CAAItF,CAAAA,CACV,OAAIsF,aAAaqE,GAAAA,CAAE,QAAA,CACX,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,kBAAA,EAAqBrE,EAAE,OAAO,CAAA,CAAG,CAAC,CAAA,CAClE,OAAA,CAAS,IACV,CAAA,CAEM,CACN,OAAA,CAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,0BAAA,EAA6BA,EAAE,OAAO,CAAA,CAAG,CAChE,CAAA,CACA,QAAS,IACV,CACD,CACD,CAKO,SAAA,EAAoB,CAC1B,OAAO,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,MAAM,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAK0E,GAAMA,CAAAA,CAAE,IAAI,CACzD,CAKO,aAAwB,CAC9B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,QAAQ,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAK3D,GAAMA,CAAAA,CAAE,MAAM,CAC7D,CAKA,MAAa,SAAA,CAAU6G,CAAAA,CAAqD,CAC3E,IAAMN,EAAQ,IAAA,CAAK,OAAA,CAAQ,IAAIM,CAAAA,CAAQ,IAAI,EAC3C,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,kBAAA,EAAqBM,EAAQ,IAAI,CAAA,CAAE,EAEpD,OAAO,MAAMN,CAAAA,CAAM,OAAA,CAAQM,CAAO,CACnC,CAKO,eAA4B,CAClC,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAC1C,CAKA,MAAa,YAAA,CAAaT,EAEvB,CACF,IAAMa,CAAAA,CAAW,IAAA,CAAK,UAAU,GAAA,CAAIb,CAAG,EACvC,GAAI,CAACa,EACJ,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuBb,CAAG,CAAA,CAAE,CAAA,CAG7C,IAAInI,CAAAA,CAAO,yBAAA,CACX,OAAI,OAAOgJ,CAAAA,CAAS,OAAA,EAAY,UAAA,CAC/BhJ,EAAO,MAAMgJ,CAAAA,CAAS,SAAQ,CACpB,OAAOA,EAAS,OAAA,EAAY,QAAA,CACtChJ,CAAAA,CAAOgJ,CAAAA,CAAS,QACNA,CAAAA,CAAS,WAAA,GACnBhJ,CAAAA,CAAOgJ,CAAAA,CAAS,aAGV,CACN,QAAA,CAAU,CACT,CACC,IAAKA,CAAAA,CAAS,GAAA,CACd,SAAUA,CAAAA,CAAS,QAAA,EAAY,aAC/B,IAAA,CAAAhJ,CACD,CACD,CACD,CACD,CAEO,aAAA,EAA4B,CAClC,OAAO,IAAA,CAAK,UACb,CAEO,WAAA,EAA+B,CACrC,OAAO,KAAK,QACb,CAKO,eAAeiJ,CAAAA,CAAoC,CACzD,KAAK,cAAA,CAAiBA,EACvB,CAEO,YAAA,EAA8B,CACpC,OAAO,IAAA,CAAK,SACb,CAMA,MAAa,aAAA,CACZtC,CAAAA,CAOI,EAAC,CACW,CAChB,IAAMuC,CAAAA,CAAU,QAAQ,GAAA,CAAI,cAAA,CACzB,OAAO,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAA,CAAgB,EAAE,CAAA,CAC9C,MAAA,CACG9N,CAAAA,CAAOuL,CAAAA,CAAQ,MAAQuC,CAAAA,EAAW,KAAA,CAGxC,IAAA,CAAK,QAAA,CAAW,IAAIC,GAAAA,CAASxC,CAAAA,CAAQ,UAAU,CAAA,CAC/C,MAAM,KAAK,QAAA,CAAS,KAAA,EAAM,CAI1B,IAAMyC,EAAc,IAAA,CAAK,QAAA,CACzB,IAAA,CAAK,QAAA,CAAS,wBAAwB,IAAoB,CACzD,IAAMC,CAAAA,CAAQ,KAAK,SAAA,EAAU,CAAE,IAAK3D,CAAAA,GAAO,CAC1C,KAAMA,CAAAA,CAAE,IAAA,CACR,WAAA,CAAaA,CAAAA,CAAE,YACf,WAAA,CAAaA,CAAAA,CAAE,WAChB,CAAA,CAAE,CAAA,CAEI4D,EAAY,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,QAAQ,CAAA,CAAE,IAAKC,CAAAA,GAAO,CACjE,KAAMA,CAAAA,CAAE,IAAA,CACR,GAAA,CAAKA,CAAAA,CAAE,IACP,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,QAAA,CAAUA,EAAE,QAAA,CACZ,IAAA,CAAM,OAAOA,CAAAA,CAAE,SAAY,QAAA,CAAWA,CAAAA,CAAE,QAAUA,CAAAA,CAAE,WACrD,EAAE,CAAA,CAEF,OAAO,CACN,MAAA,CAAQH,EAAY,SAAA,EAAU,CAC9B,SAAUhO,CAAAA,CACV,KAAA,CAAAiO,EACA,SAAA,CAAAC,CAAAA,CACA,UAAA,CAAY,IAAA,CAAK,UAClB,CACD,CAAC,EAGD,IAAA,IAAWE,CAAAA,IAAQ,KAAK,SAAA,EAAU,CACjC,MAAM,IAAA,CAAK,SAAS,kBAAA,CAAmBA,CAAAA,CAAK,IAAI,CAAA,CAAE,MAAM5N,GAAAA,CAAI,IAAI,CAAA,CAIjE,MAAM,KAAK,QAAA,CAAS,gBAAA,GAAmB,KAAA,CAAMA,GAAAA,CAAI,IAAI,CAAA,CAGrD,IAAA,CAAK,SAAA,CAAY,IAAIX,EAErB,IAAA,CAAK,SAAA,CAAU,WAAW,CACzB,eAAA,CAAiB,CAACyC,CAAAA,CAAMV,CAAAA,GAAa,CACpC,IAAM4L,EAAUlL,CAAAA,CAAK,OAAA,CACrB9B,IAAI,IAAA,CACH,CAAA,8CAAA,EAAiDgN,EAAQ,eAAe,CAAA,CACzE,CAAA,CAGA,OAAO,qBAAwB,CAAA,CAAE,IAAA,CAAK,MAAO,CAAE,gBAAAa,CAAgB,CAAA,GAAM,CACpE,GAAM,CAAE,SAAA,CAAAC,CAAAA,CAAW,UAAAC,CAAU,CAAA,CAC5B,MAAMF,CAAAA,CAAgB,eAAA,EAAgB,CAEjCG,CAAAA,CAAe/B,EAAO,UAAA,EAAW,CAGvC,IAAA,CAAK,gBAAA,CAAiB,OAAM,CAE5B,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI+B,EAAc,CAC/B,eAAA,CAAiBhB,EAAQ,eAAA,CACzB,QAAA,CAAUe,CACX,CAAC,CAAA,CAED3M,CAAAA,CAAS,IAAA,CAAM,CACd,QAAA,CAAU,IAAA,CACV,aAAA,CAAe4M,CAAAA,CACf,cAAe,EAAA,CACf,gBAAA,CAAkBF,CACnB,CAAC,EACF,CAAC,EACF,EACA,YAAA,CAAc,MACbhM,GACI,CACJ,IAAMkL,CAAAA,CAAUlL,CAAAA,CAAK,QACrB9B,GAAAA,CAAI,IAAA,CACH,qDAAqDgN,CAAAA,CAAQ,aAAa,EAC3E,CAAA,CAEA,IAAMiB,CAAAA,CAAU,IAAA,CAAK,SAAS,GAAA,CAAIjB,CAAAA,CAAQ,aAAa,CAAA,CACvD,GAAI,CAACiB,CAAAA,CAAS,CACbnM,CAAAA,CAAK,IAAA,CAAK,QAAS,CAClB,IAAA,CAAWoM,CAAA,CAAA,MAAA,CAAO,eAAA,CAClB,QAAS,uBACV,CAAC,CAAA,CACD,MACD,CAEA,GAAI,CAEH,IAAMC,CAAAA,CAAiB,MAAM,KAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAYnB,EAAQ,cAAA,CACpB,YAAA,CAAc,MAAM,IAAA,CAAKiB,CAAAA,CAAQ,QAAQ,CAAA,CACzC,UAAA,CAAYjB,CAAAA,CAAQ,WAAA,CACpB,OAAQA,CAAAA,CAAQ,MAAA,CAChB,SAAUA,CAAAA,CAAQ,SAAA,CAClB,QAAS,IAAA,CAAK,cAAA,CACd,YAAA,CAAcA,CAAAA,CAAQ,cACtB,WAAA,CAAa,CAAA,CACd,CAAC,CAAA,CAEGoB,EACJ,GAAI,CACHA,CAAAA,CACC,OAAOD,EAAe,MAAA,EAAW,QAAA,CAC9BA,EAAe,MAAA,CACf,IAAA,CAAK,UAAUA,CAAAA,CAAe,MAAM,CAAA,CAGxC,IAAME,EAAU,IAAA,CAAK,KAAA,CAAMD,CAAW,CAAA,CACtC,GAAIC,EAAQ,iBAAA,CAAmB,CAC9BrO,GAAAA,CAAI,IAAA,CACH,sCAAsCqO,CAAAA,CAAQ,iBAAiB,EAChE,CAAA,CACA,IAAMC,EAAa,MAAM,IAAA,CAAK,QAAA,CAAS,CACtC,KAAMD,CAAAA,CAAQ,iBAAA,CACd,SAAA,CAAWA,CAAAA,CAAQ,mBAAqB,EACzC,CAAC,CAAA,CACDD,EAAc,IAAA,CAAK,SAAA,CAAUE,CAAU,EACxC,CACD,MAAQ,CACPF,CAAAA,CAAc,MAAA,CAAOD,CAAAA,CAAe,MAAM,EAC3C,CAEA,IAAMI,CAAAA,CAA0B,CAC/B,iBAAA,CAAmBH,CAAAA,CACnB,mBAAA,CAAqBI,MAAAA,CAAO,KAC3BL,CAAAA,CAAe,QAAA,EAAY,GAC3B,KACD,CAAA,CACA,WAAYA,CAAAA,CAAe,UAAA,CACxBK,MAAAA,CAAO,IAAA,CAAKL,EAAe,UAAA,CAAY,QAAQ,CAAA,CAC/CK,MAAAA,CAAO,KAAK,EAAE,CAAA,CACjB,QAAA,CAAU,CAAA,CACX,EAGMrM,CAAAA,CAAY,MAAM,KAAK,UAAA,CAAW,IAAA,CAAK,CAC5C,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAMiM,CAAY,CACnC,CAAC,EACKK,CAAAA,CAAuB,IAAA,CAAK,+BACjC,IAAA,CAAK,8BAAA,CAA+BL,CAAW,CAChD,EACA,GAAIjM,CAAAA,EAAasM,EAAsB,CAEtC,IAAMC,EACLvM,CAAAA,EAAa,oCAAA,CACdnC,GAAAA,CAAI,IAAA,CACH,oDAAoD0O,CAAc,CAAA,CACnE,CAAA,CACAH,CAAAA,CAAS,kBACR,6EAAA,CACDA,CAAAA,CAAS,QAAA,CAAW,CAAA,EACrB,CAEAzM,CAAAA,CAAK,KAAA,CAAMyM,EAAU,IAAM,CAC1BzM,EAAK,GAAA,GACN,CAAC,EACF,OAAShC,CAAAA,CAAgB,CACxB,IAAMsF,CAAAA,CAAItF,CAAAA,CACJ6O,EACL,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,OAEpBC,CAAAA,CAASxJ,CAAAA,CAAE,SAAW,MAAA,CAAOtF,CAAK,CAAA,CACxCE,GAAAA,CAAI,MAAM,CAAA,4BAAA,EAA+B4O,CAAM,CAAA,CAAE,CAAA,CAOjD,IAAMC,CAAAA,CAA+B,CACpC,iBAAA,CANoBF,CAAAA,CAClB,oBAAoBC,CAAM,CAAA,CAAA,CAC1B,yGAKF,mBAAA,CAAqBJ,MAAAA,CAAO,KAAK,EAAE,CAAA,CACnC,UAAA,CAAYA,MAAAA,CAAO,KAAK,EAAE,CAAA,CAC1B,SAAU,IACX,CAAA,CAEA,GAAI,CACH1M,CAAAA,CAAK,KAAA,CAAM+M,CAAAA,CAAe,IAAM,CAC/B/M,CAAAA,CAAK,MACN,CAAC,EACF,CAAA,KAAoB,CACnBA,CAAAA,CAAK,GAAA,GACN,CACD,CACD,CACD,CAAC,EAED,IAAA,CAAK,SAAA,CAAY,MAAM,IAAA,CAAK,UAAU,MAAA,CAAOtC,CAAI,EACjDQ,GAAAA,CAAI,IAAA,CACH,2DAA2D,IAAA,CAAK,QAAA,CAAS,SAAA,EAAW,EACrF,EACD,CAKA,MAAc,mBAAA,CACb8O,EACAC,CAAAA,CACAzF,CAAAA,CAC0B,CAC1B,GAAI,CAEH,IAAM0F,CAAAA,CAAW1F,EAAW,IAAA,CAAK,KAAA,CAAM,IAAIA,CAAQ,CAAA,EAAG,MAAA,CAAS,KAAA,CAAA,CACzD2F,EAAWD,CAAAA,CACd,CACA,OAAA,CAASA,CAAAA,CAAS,WAAa,CAAA,CAC/B,WAAA,CAAaA,CAAAA,CAAS,aAAA,EAAiB,EACvC,qBAAA,CAAuB,EACxB,EACC,KAAA,CAAA,CAGGb,CAAAA,CAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,CAChD,WAAY,IAAI,UAAA,CAAW,CAAC,CAAA,CAC5B,YAAA,CAAc,MAAM,IAAA,CAAK,IAAI,UAAA,CAAW,CAAC,CAAC,CAAA,CAC1C,cAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,EAChC,UAAA,CAAYK,MAAAA,CAAO,IAAA,CAAKO,CAAU,EAClC,MAAA,CAAQ,EAAC,CACT,OAAA,CAAS,KAAK,cAAA,CACd,YAAA,CAAc,iBAAA,CACd,WAAA,CAAa,GACb,QAAA,CAAAE,CACD,CAAC,CAAA,CAGKC,CAAAA,CAAWf,EAAe,MAAA,CAU1B1B,CAAAA,CAAU,CACf,CACC,KAAM,MAAA,CACN,IAAA,CAViB,KAAK,SAAA,CAAU,CACjC,mBAAoByC,CAAAA,CACpB,QAAA,CAAUf,CAAAA,CAAe,QAAA,CACzB,WAAYA,CAAAA,CAAe,UAAA,CAC3B,OAAQ,+BACT,CAAC,CAMA,CACD,CAAA,CAEMgB,CAAAA,CAAa7F,CAAAA,CAChB,KAAK,KAAA,CAAM,GAAA,CAAIA,CAAQ,CAAA,EAAG,OAC1B,KAAA,CAAA,CACG8F,CAAAA,CAAkB,IAAA,CAAK,oBAAA,CAC5B9F,GAAY,cAAA,CACZ4F,CAAAA,CACAC,CACD,CAAA,CACA,GAAIC,EAEH,OAAApP,GAAAA,CAAI,IAAA,CACH,CAAA,qCAAA,EAAwCsJ,GAAY,cAAc,CAAA,EAAA,EAAK8F,CAAe,CAAA,CACvF,CAAA,CAWO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAZF,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,OAAA,CAAQ,IAAI,gBAAA,GAAqB,GAAA,CAG/BA,CAAAA,CACA,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAA,CAID,IAAMjN,CAAAA,CAAY,MAAM,KAAK,UAAA,CAAW,IAAA,CAAKsK,CAAO,CAAA,CAC9CgC,CAAAA,CAAuB,IAAA,CAAK,8BAAA,CACjCS,CACD,CAAA,CACA,GAAI/M,GAAasM,CAAAA,CAAsB,CAGtC,IAAMC,CAAAA,CACLvM,CAAAA,EACA,gGAAA,CACD,OAAAnC,IAAI,IAAA,CACH,CAAA,qDAAA,EAAwD0O,CAAc,CAAA,CACvE,CAAA,CAWO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAZF,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,eACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,QAAQ,GAAA,CAAI,gBAAA,GAAqB,IAG/B,CAAA,kCAAA,EAAqCA,CAAc,GACnD,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,EACV,CACD,CAEA,OAAO,CAAE,OAAA,CAAAjC,CAAQ,CAClB,CAAA,MAAS3M,CAAAA,CAAgB,CACxB,IAAMsF,CAAAA,CAAItF,CAAAA,CACJ6O,EACL,OAAA,CAAQ,GAAA,CAAI,WAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,QACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,GAAqB,GAAA,CAE5BC,EAASxJ,CAAAA,CAAE,OAAA,EAAW,MAAA,CAAOtF,CAAK,EACxC,OAAAE,GAAAA,CAAI,MAAM,CAAA,uCAAA,EAA0C4O,CAAM,EAAE,CAAA,CAerD,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,KAfFA,CAAAA,CAAO,QAAA,CAAS,sBAAsB,CAAA,EACtCA,CAAAA,CAAO,QAAA,CAAS,0BAA0B,GAC1CA,CAAAA,CAAO,QAAA,CAAS,YAAY,CAAA,EAC5BA,CAAAA,CAAO,SAAS,YAAY,CAAA,CAG1B,gGAAA,CACAD,CAAAA,CACC,oBAAoBC,CAAM,CAAA,CAAA,CAC1B,wGAOF,CACD,EACA,OAAA,CAAS,IACV,CACD,CACD,CAMA,MAAa,KAAA,EAAuB,CAC/B,IAAA,CAAK,UAAA,EACR,MAAM,IAAA,CAAK,UAAA,CAAW,KAAA,CAAM,CAAE,MAAO,IAAK,CAAC,EAExC,IAAA,CAAK,SAAA,EACR,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAK,CAEvB,KAAK,QAAA,EACR,MAAM,KAAK,QAAA,CAAS,IAAA,GAEtB,CACD","file":"chunk-5OAZNVIU.js","sourcesContent":["import * as grpc from \"@grpc/grpc-js\";\nimport { log } from \"../utils/logger.js\";\nimport { liopV1 } from \"./proto.js\";\nimport { createServerCredentials, type LiopTlsOptions } from \"./tls.js\";\nimport type {\n\tIntentRequest,\n\tIntentResponse,\n\tLogicRequest,\n\tLogicResponse,\n} from \"./types.js\";\n\n/**\n * LIOP gRPC Service Implementation\n * Handles intent negotiation and secure logic execution.\n */\n\n/** Production-grade gRPC channel options per official grpc-node recommendations */\nconst GRPC_CHANNEL_OPTIONS = {\n\t\"grpc.keepalive_time_ms\": 30_000,\n\t\"grpc.keepalive_timeout_ms\": 10_000,\n\t\"grpc.keepalive_permit_without_calls\": 1,\n\t\"grpc.max_send_message_length\": -1,\n\t\"grpc.max_receive_message_length\": -1,\n\t\"grpc.enable_retries\": 1,\n};\n\nexport class LiopRpcServer {\n\tprivate server: grpc.Server;\n\n\tconstructor() {\n\t\tthis.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);\n\t}\n\n\tpublic addService(handlers: {\n\t\tnegotiateIntent: (\n\t\t\tcall: grpc.ServerUnaryCall<IntentRequest, IntentResponse>,\n\t\t\tcallback: grpc.sendUnaryData<IntentResponse>,\n\t\t) => void;\n\t\texecuteLogic: (\n\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t) => void;\n\t}): void {\n\t\tthis.server.addService(liopV1.LogicMesh.service, {\n\t\t\tNegotiateIntent: handlers.negotiateIntent,\n\t\t\tExecuteLogic: handlers.executeLogic,\n\t\t});\n\t}\n\n\tpublic async listen(\n\t\tport: number = 50051,\n\t\ttls?: LiopTlsOptions,\n\t): Promise<number> {\n\t\tconst credentials = createServerCredentials(tls);\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.server.bindAsync(\n\t\t\t\t`0.0.0.0:${port}`,\n\t\t\t\tcredentials,\n\t\t\t\t(error, assignedPort) => {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\treject(error);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tlog.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);\n\t\t\t\t\tresolve(assignedPort);\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\tpublic async stop(): Promise<void> {\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.server.tryShutdown(() => {\n\t\t\t\tlog.info(\"[LIOP-RPC] Server shut down\");\n\t\t\t\tresolve();\n\t\t\t});\n\t\t});\n\t}\n}\n","/**\n * LIOP Taint Analyzer — Static Information Flow Control (IFC)\n *\n * Performs AST-level taint tracking on injected Logic-on-Origin code\n * to detect side-channel data exfiltration via scalar derivation\n * (charCodeAt, boolean inference, arithmetic on PII fields).\n *\n * Architecture: 3-pass analysis using Acorn ESTree parser.\n * Pass 1 — Identify record-bound variables (callback params of env.records methods)\n * Pass 2 — Propagate taint through assignments and expressions\n * Pass 3 — Check return statements for tainted values flowing to output\n *\n * References:\n * - Acorn ESTree spec: https://github.com/estree/estree\n * - Acorn-Walk SimpleVisitors: https://github.com/acornjs/acorn/tree/master/acorn-walk\n * - OWASP Information Flow Control patterns\n */\n\nimport * as acorn from \"acorn\";\nimport { type SimpleVisitors, simple } from \"acorn-walk\";\n\n// ── Public API ───────────────────────────────────────────────────────\n\nexport interface TaintViolation {\n\t/** Human-readable reason for the block */\n\treason: string;\n\t/** Source line number (1-indexed) if available */\n\tline?: number;\n\t/** The specific operation that triggered the violation */\n\toperation?: string;\n}\n\n/**\n * Static taint analyzer for LIOP Logic-on-Origin payloads.\n *\n * Detects when PII field values are derived into scalar outputs\n * (charCodeAt, boolean inference, arithmetic) that would bypass\n * the Egress Shield's pattern-based detection.\n */\nexport class TaintAnalyzer {\n\tprivate readonly piiFields: Set<string>;\n\n\t/** String methods that extract character-level information from PII */\n\tprivate static readonly TAINT_PROPAGATING_METHODS = new Set([\n\t\t// Character extraction\n\t\t\"charCodeAt\",\n\t\t\"codePointAt\",\n\t\t\"charAt\",\n\t\t\"at\",\n\t\t// Search/position (reveals content structure)\n\t\t\"indexOf\",\n\t\t\"lastIndexOf\",\n\t\t\"search\",\n\t\t// Comparison (reveals ordering/content)\n\t\t\"localeCompare\",\n\t\t\"startsWith\",\n\t\t\"endsWith\",\n\t\t\"includes\",\n\t\t// Transformation (preserves PII content in different form)\n\t\t\"substring\",\n\t\t\"slice\",\n\t\t\"substr\",\n\t\t\"split\",\n\t\t\"match\",\n\t\t\"matchAll\",\n\t\t\"replace\",\n\t\t\"replaceAll\",\n\t\t\"normalize\",\n\t\t\"toLowerCase\",\n\t\t\"toUpperCase\",\n\t\t\"trim\",\n\t\t\"trimStart\",\n\t\t\"trimEnd\",\n\t\t\"padStart\",\n\t\t\"padEnd\",\n\t\t\"repeat\",\n\t]);\n\n\t/** Array iteration methods whose callbacks receive individual records */\n\tprivate static readonly ARRAY_CALLBACK_METHODS = new Set([\n\t\t\"map\",\n\t\t\"forEach\",\n\t\t\"filter\",\n\t\t\"find\",\n\t\t\"some\",\n\t\t\"every\",\n\t\t\"flatMap\",\n\t\t\"findIndex\",\n\t]);\n\n\t/** Reduce-family methods where the record param is the SECOND callback arg */\n\tprivate static readonly REDUCE_METHODS = new Set([\"reduce\", \"reduceRight\"]);\n\n\tconstructor(piiFields: string[]) {\n\t\tthis.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));\n\t}\n\n\t/**\n\t * Analyzes injected source code for PII taint violations.\n\t *\n\t * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope\n\t * @param recordCount - Size of source dataset (enables correlation/min-max gates for small sets)\n\t * @param minMaxBlockThreshold - Threshold below which extrema/correlation extraction is blocked\n\t * @returns A TaintViolation if PII-derived values flow to output, null if clean\n\t */\n\tanalyze(\n\t\tsourceCode: string,\n\t\trecordCount?: number,\n\t\tminMaxBlockThreshold: number = 50,\n\t): TaintViolation | null {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\t// Wrap in function body to handle bare `return` statements\n\t\t\tconst wrapped = `function liop_analysis_wrapper(env) {\\n${sourceCode}\\n}`;\n\t\t\tast = acorn.parse(wrapped, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t\tlocations: true,\n\t\t\t});\n\t\t} catch {\n\t\t\t// Syntax errors are handled downstream by the sandbox VM\n\t\t\treturn null;\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tconst taintedVars = new Set<string>();\n\n\t\t// Pass 1: Identify variables bound to individual records\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\t// Pass 2: Propagate taint through variable assignments\n\t\tthis.propagateTaint(ast, recordBoundVars, taintedVars);\n\n\t\t// Pass 3: Check if any return statement contains tainted values\n\t\tconst taintResult = this.checkReturnStatements(\n\t\t\tast,\n\t\t\trecordBoundVars,\n\t\t\ttaintedVars,\n\t\t);\n\t\tif (taintResult) return taintResult;\n\n\t\t// Pass 4: Correlation Guard — detect multiple reduce on same field (F-01)\n\t\tif (\n\t\t\trecordCount !== undefined &&\n\t\t\trecordCount > 0 &&\n\t\t\trecordCount < minMaxBlockThreshold\n\t\t) {\n\t\t\tconst correlationResult = this.detectCorrelatedAggregations(ast);\n\t\t\tif (correlationResult) {\n\t\t\t\t// Augment error with the actual threshold for clarity (Phase 109 requirement)\n\t\t\t\tcorrelationResult.reason = correlationResult.reason.replace(\n\t\t\t\t\t\"50 records\",\n\t\t\t\t\t`${minMaxBlockThreshold} records`,\n\t\t\t\t);\n\t\t\t\treturn correlationResult;\n\t\t\t}\n\t\t}\n\n\t\t// Pass 5: Min/Max Gate — block extrema extraction on small datasets (F-02)\n\t\tif (\n\t\t\trecordCount !== undefined &&\n\t\t\trecordCount > 0 &&\n\t\t\trecordCount < minMaxBlockThreshold\n\t\t) {\n\t\t\tconst minMaxResult = this.detectMinMaxExtraction(ast);\n\t\t\tif (minMaxResult) {\n\t\t\t\tminMaxResult.reason = minMaxResult.reason.replace(\n\t\t\t\t\t\"50 records\",\n\t\t\t\t\t`${minMaxBlockThreshold} records`,\n\t\t\t\t);\n\t\t\t\treturn minMaxResult;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Extracts all unique field names accessed via env.records operations.\n\t * Used by the Query Budget to enforce per-field query limits.\n\t */\n\textractQueriedFields(sourceCode: string): string[] {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\tast = acorn.parse(`function w(env) {\\n${sourceCode}\\n}`, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t});\n\t\t} catch {\n\t\t\treturn [];\n\t\t}\n\n\t\tconst fields = new Set<string>();\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\n\t\t\t\t// Only track fields accessed within array methods (map, filter, reduce)\n\t\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\t\tif (!methodName || !this.isEnvRecordsChain(callee.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\t!callback ||\n\t\t\t\t\t(callback.type !== \"ArrowFunctionExpression\" &&\n\t\t\t\t\t\tcallback.type !== \"FunctionExpression\")\n\t\t\t\t)\n\t\t\t\t\treturn;\n\n\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\t\t\t\tlet paramIndex = 0;\n\t\t\t\tif (TaintAnalyzer.REDUCE_METHODS.has(methodName)) {\n\t\t\t\t\tparamIndex = 1; // 2nd arg is the record in reduce\n\t\t\t\t}\n\n\t\t\t\tif (fn.params.length > paramIndex) {\n\t\t\t\t\tconst recordParam = fn.params[paramIndex];\n\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\tconst paramName = (recordParam as acorn.Identifier).name;\n\t\t\t\t\t\tconst extracted = this.extractFieldsFromBody(\n\t\t\t\t\t\t\tfn.body as acorn.Node,\n\t\t\t\t\t\t\tparamName,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tfor (const f of extracted) fields.add(f);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\t\treturn Array.from(fields);\n\t}\n\n\t// ── Pass 4: Correlation Guard ─────────────────────────────────────\n\n\t/**\n\t * Detects when 2+ reduce/aggregation calls access the same field.\n\t * This prevents differencing attacks: sum(all.field) - sum(excl1.field) = individual value.\n\t * Exempt: .length access (metadata, not field access).\n\t */\n\tprivate detectCorrelatedAggregations(ast: acorn.Node): TaintViolation | null {\n\t\tconst fieldAggCounts = new Map<string, number>();\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t// Only track reduce/reduceRight aggregations\n\t\t\t\tif (!methodName || !TaintAnalyzer.REDUCE_METHODS.has(methodName))\n\t\t\t\t\treturn;\n\n\t\t\t\t// Must be called on env.records or a derivation of it (.slice(), .filter())\n\t\t\t\tif (!this.isEnvRecordsChain(callee.object)) return;\n\n\t\t\t\t// Extract the field name accessed in the callback\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\t!callback ||\n\t\t\t\t\t(callback.type !== \"ArrowFunctionExpression\" &&\n\t\t\t\t\t\tcallback.type !== \"FunctionExpression\")\n\t\t\t\t)\n\t\t\t\t\treturn;\n\n\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\t\t\t\tconst recordParam = fn.params.length > 1 ? fn.params[1] : fn.params[0];\n\t\t\t\tif (!recordParam || recordParam.type !== \"Identifier\") return;\n\n\t\t\t\tconst paramName = (recordParam as acorn.Identifier).name;\n\t\t\t\tconst fields = this.extractFieldsFromBody(\n\t\t\t\t\tfn.body as acorn.Node,\n\t\t\t\t\tparamName,\n\t\t\t\t);\n\n\t\t\t\tfor (const field of fields) {\n\t\t\t\t\tconst current = fieldAggCounts.get(field) ?? 0;\n\t\t\t\t\tfieldAggCounts.set(field, current + 1);\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\tfor (const [field, count] of fieldAggCounts) {\n\t\t\tif (count >= 2) {\n\t\t\t\treturn {\n\t\t\t\t\treason:\n\t\t\t\t\t\t`Correlation guard: ${count} aggregations detected on field '${field}'. ` +\n\t\t\t\t\t\t\"Multiple correlated aggregations on the same field can enable differencing attacks. \" +\n\t\t\t\t\t\t\"Use a single aggregation per numeric field, or increase dataset size above 50 records.\",\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks if a node is env.records or a chain like env.records.slice(N) / env.records.filter(...)\n\t */\n\tprivate isEnvRecordsChain(node: acorn.Node): boolean {\n\t\tif (this.isEnvRecordsAccess(node)) return true;\n\n\t\t// Handle env.records.slice(N), env.records.filter(...)\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst member = call.callee as acorn.MemberExpression;\n\t\t\t\tconst method = this.getPropertyName(member);\n\t\t\t\tif (\n\t\t\t\t\tmethod &&\n\t\t\t\t\t(method === \"slice\" || method === \"filter\" || method === \"toSorted\")\n\t\t\t\t) {\n\t\t\t\t\treturn this.isEnvRecordsChain(member.object);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t// Handle [...env.records] (SpreadElement in ArrayExpression assigned to var)\n\t\treturn false;\n\t}\n\n\t/**\n\t * Extracts field names accessed on a record parameter within a function body.\n\t * e.g., in `(s, r) => s + r.balance`, extracts \"balance\".\n\t * Ignores .length as it's metadata, not a field access.\n\t */\n\tprivate extractFieldsFromBody(body: acorn.Node, paramName: string): string[] {\n\t\tconst fields: string[] = [];\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tMemberExpression: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.object.type === \"Identifier\" &&\n\t\t\t\t\t(node.object as acorn.Identifier).name === paramName\n\t\t\t\t) {\n\t\t\t\t\tconst prop = this.getPropertyName(node);\n\t\t\t\t\t// Exempt .length — it's array metadata, not a data field\n\t\t\t\t\tif (prop && prop !== \"length\") {\n\t\t\t\t\t\tfields.push(prop);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(body, visitors);\n\t\treturn fields;\n\t}\n\n\t// ── Pass 5: Min/Max Gate ──────────────────────────────────────────\n\n\t/**\n\t * Detects Math.min/max and sort()[0] patterns that expose individual\n\t * record values from small datasets.\n\t */\n\tprivate detectMinMaxExtraction(ast: acorn.Node): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (violation) return;\n\n\t\t\t\t// Pattern: Math.min(...env.records.map(r => r.field))\n\t\t\t\t// Pattern: Math.max(...env.records.map(r => r.field))\n\t\t\t\tif (node.callee.type === \"MemberExpression\") {\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tif (\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\t(callee.object as acorn.Identifier).name === \"Math\"\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst method = this.getPropertyName(callee);\n\t\t\t\t\t\tif (method === \"min\" || method === \"max\") {\n\t\t\t\t\t\t\t// Check if any argument is a spread of env.records.map\n\t\t\t\t\t\t\tif (\n\t\t\t\t\t\t\t\tnode.arguments.some(\n\t\t\t\t\t\t\t\t\t(arg) =>\n\t\t\t\t\t\t\t\t\t\targ.type === \"SpreadElement\" &&\n\t\t\t\t\t\t\t\t\t\tthis.isRecordsMapCall(\n\t\t\t\t\t\t\t\t\t\t\t(arg as acorn.SpreadElement).argument,\n\t\t\t\t\t\t\t\t\t\t),\n\t\t\t\t\t\t\t\t)\n\t\t\t\t\t\t\t) {\n\t\t\t\t\t\t\t\tviolation = {\n\t\t\t\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t\t\t\t`Min/Max gate: Math.${method}() on individual records blocked for small datasets (n < 50). ` +\n\t\t\t\t\t\t\t\t\t\t\"Use avg/stddev/count for privacy-safe aggregations.\",\n\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// Pattern: env.records.sort(...)[0].field or [...env.records].sort(...)[0].field\n\t\t\tMemberExpression: (node) => {\n\t\t\t\tif (violation) return;\n\n\t\t\t\t// Check for sort result indexed access: .sort(...)[0]\n\t\t\t\tif (node.computed && node.object.type === \"CallExpression\") {\n\t\t\t\t\tconst call = node.object as acorn.CallExpression;\n\t\t\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\t\t\tconst method = this.getPropertyName(\n\t\t\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (method === \"sort\" || method === \"toSorted\") {\n\t\t\t\t\t\t\tconst sortTarget = (call.callee as acorn.MemberExpression).object;\n\t\t\t\t\t\t\tif (this.isEnvRecordsChain(sortTarget)) {\n\t\t\t\t\t\t\t\tviolation = {\n\t\t\t\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t\t\t\t\"Min/Max gate: .sort()[index] on individual records blocked for small datasets (n < 50). \" +\n\t\t\t\t\t\t\t\t\t\t\"Use avg/stddev/count for privacy-safe aggregations.\",\n\t\t\t\t\t\t\t\t};\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\t\treturn violation;\n\t}\n\n\t/**\n\t * Checks if a node is env.records.map(callback) — used by Min/Max Gate.\n\t */\n\tprivate isRecordsMapCall(node: acorn.Node): boolean {\n\t\tif (node.type !== \"CallExpression\") return false;\n\t\tconst call = node as acorn.CallExpression;\n\t\tif (call.callee.type !== \"MemberExpression\") return false;\n\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\tconst method = this.getPropertyName(callee);\n\t\treturn method === \"map\" && this.isEnvRecordsChain(callee.object);\n\t}\n\n\t// ── Pass 1: Record-Bound Variable Identification ──────────────────\n\n\tprivate identifyRecordBoundVars(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t): void {\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst member = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(member);\n\t\t\t\tif (!methodName) return;\n\n\t\t\t\t// Check if this is env.records.METHOD(callback)\n\t\t\t\tif (!this.isEnvRecordsAccess(member.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (!callback) return;\n\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 0\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst param = fn.params[0];\n\t\t\t\t\t\tif (param.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(param.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.REDUCE_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 1\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst recordParam = fn.params[1];\n\t\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(recordParam.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// for (const r of env.records) → r is record-bound\n\t\t\tForOfStatement: (node) => {\n\t\t\t\tif (!this.isEnvRecordsAccess(node.right)) return;\n\n\t\t\t\tif (node.left.type === \"VariableDeclaration\") {\n\t\t\t\t\tfor (const declarator of node.left.declarations) {\n\t\t\t\t\t\tif (declarator.id.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(declarator.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\t// Also handle: const r = env.records[N]\n\t\tconst indexVisitors: SimpleVisitors<void> = {\n\t\t\tVariableDeclarator: (node) => {\n\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\tif (\n\t\t\t\t\tnode.init.type === \"MemberExpression\" &&\n\t\t\t\t\t(node.init as acorn.MemberExpression).computed\n\t\t\t\t) {\n\t\t\t\t\tconst member = node.init as acorn.MemberExpression;\n\t\t\t\t\tif (this.isEnvRecordsAccess(member.object)) {\n\t\t\t\t\t\trecordBoundVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, indexVisitors);\n\t}\n\n\t// ── Pass 2: Taint Propagation ─────────────────────────────────────\n\n\tprivate propagateTaint(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): void {\n\t\t// Multiple iterations to handle transitive taint chains\n\t\t// (e.g., const a = r.name; const b = a; const c = b.charCodeAt(0))\n\t\tfor (let iteration = 0; iteration < 3; iteration++) {\n\t\t\tconst sizeBefore = taintedVars.size;\n\n\t\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\t\tVariableDeclarator: (node) => {\n\t\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.init, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tAssignmentExpression: (node) => {\n\t\t\t\t\tif (node.left.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.right, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((node.left as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\t// Imperative taint: array.push(taintedValue) contaminates the array\n\t\t\t\t// Covers for-of and forEach patterns that push PII-derived values\n\t\t\t\tCallExpression: (node) => {\n\t\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tmethodName === \"push\" &&\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\tnode.arguments.some((arg) =>\n\t\t\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\n\t\t\tsimple(ast, visitors);\n\n\t\t\t// Fixed point: stop if no new tainted vars discovered\n\t\t\tif (taintedVars.size === sizeBefore) break;\n\t\t}\n\t}\n\n\t// ── Pass 3: Return Statement Sink Detection ───────────────────────\n\n\tprivate checkReturnStatements(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (violation) return; // Already found one\n\n\t\t\t\tif (!node.argument) return;\n\n\t\t\t\tif (\n\t\t\t\t\tthis.isExpressionTainted(node.argument, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst line = node.loc?.start.line\n\t\t\t\t\t\t? node.loc.start.line - 1 // Adjust for wrapper function offset\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tconst operation = this.describeTaintSource(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t\tviolation = {\n\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t`PII side-channel detected: output contains values derived from restricted fields. ` +\n\t\t\t\t\t\t\t`${operation ? `Operation: ${operation}. ` : \"\"}` +\n\t\t\t\t\t\t\t`Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,\n\t\t\t\t\t\tline,\n\t\t\t\t\t\toperation,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\treturn violation;\n\t}\n\n\t// ── Core Taint Evaluation ─────────────────────────────────────────\n\n\t/**\n\t * Recursively determines if an AST expression produces a tainted value.\n\t * A value is tainted if it derives from a PII field on a record-bound variable.\n\t */\n\tprivate isExpressionTainted(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tswitch (node.type) {\n\t\t\tcase \"Identifier\":\n\t\t\t\treturn taintedVars.has((node as acorn.Identifier).name);\n\n\t\t\tcase \"MemberExpression\":\n\t\t\t\treturn this.isMemberExprTainted(\n\t\t\t\t\tnode as acorn.MemberExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"CallExpression\":\n\t\t\t\treturn this.isCallExprTainted(\n\t\t\t\t\tnode as acorn.CallExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"BinaryExpression\":\n\t\t\tcase \"LogicalExpression\": {\n\t\t\t\tconst bin = node as acorn.BinaryExpression;\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(bin.left, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(bin.right, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"UnaryExpression\": {\n\t\t\t\tconst unary = node as acorn.UnaryExpression;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tunary.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ConditionalExpression\": {\n\t\t\t\tconst cond = node as acorn.ConditionalExpression;\n\t\t\t\t// If the test involves tainted values, the branch choice leaks info\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(cond.test, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tcond.consequent,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t) ||\n\t\t\t\t\tthis.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ObjectExpression\": {\n\t\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\t\treturn obj.properties.some(\n\t\t\t\t\t(prop) =>\n\t\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ArrayExpression\": {\n\t\t\t\tconst arr = node as acorn.ArrayExpression;\n\t\t\t\treturn arr.elements.some(\n\t\t\t\t\t(el) =>\n\t\t\t\t\t\tel !== null &&\n\t\t\t\t\t\tthis.isExpressionTainted(el, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"TemplateLiteral\": {\n\t\t\t\tconst tmpl = node as acorn.TemplateLiteral;\n\t\t\t\treturn tmpl.expressions.some((expr) =>\n\t\t\t\t\tthis.isExpressionTainted(expr, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"SpreadElement\": {\n\t\t\t\tconst spread = node as acorn.SpreadElement;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tspread.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\t// Literals, ThisExpression, etc. are never tainted\n\t\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Checks if a MemberExpression accesses a PII field on a record-bound variable.\n\t * Examples: r.accountHolder, r[\"name\"], taintedVar.length, taintedVar[0]\n\t */\n\tprivate isMemberExprTainted(\n\t\tmember: acorn.MemberExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tconst propName = this.getPropertyName(member);\n\n\t\t// Case 1: recordBoundVar.piiField (direct PII access via callback param)\n\t\tif (\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name) &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 2: env.records[N].piiField (direct indexed access without callback)\n\t\t// AST: MemberExpression { object: MemberExpression { object: env.records, computed: true }, property: piiField }\n\t\tif (\n\t\t\tmember.object.type === \"MemberExpression\" &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\tconst parentMember = member.object as acorn.MemberExpression;\n\t\t\tif (\n\t\t\t\tparentMember.computed &&\n\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Case 3: taintedVar.anything (any property access on tainted value)\n\t\t// .length on a tainted string leaks PII info, .charCodeAt leaks chars, etc.\n\t\tif (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 4: Computed access on record-bound var with PII field\n\t\t// e.g., r[\"account\" + \"Holder\"]\n\t\tif (\n\t\t\tmember.computed &&\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name)\n\t\t) {\n\t\t\t// Conservative: if computed access on record, check if the property\n\t\t\t// expression evaluates to a PII field (for string literals only)\n\t\t\tif (member.property.type === \"Literal\") {\n\t\t\t\tconst litVal = (member.property as acorn.Literal).value;\n\t\t\t\tif (\n\t\t\t\t\ttypeof litVal === \"string\" &&\n\t\t\t\t\tthis.piiFields.has(litVal.toLowerCase())\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if a CallExpression produces a tainted result.\n\t * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.\n\t */\n\tprivate isCallExprTainted(\n\t\tcall: acorn.CallExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Pattern: taintedObj.method() — method on tainted object propagates taint\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t// tainted.charCodeAt() / tainted.split() / etc.\n\t\t\tif (\n\t\t\t\tmethodName &&\n\t\t\t\tTaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) &&\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// env.records.map/filter/reduce(callback) — check if callback produces taint\n\t\t\tif (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {\n\t\t\t\tconst callback = call.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\t\tcallback as acorn.ArrowFunctionExpression,\n\t\t\t\t\t\tmethodName,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Tainted array/string method chains: tainted.reduce(...), tainted.map(...)\n\t\t\t// Handles patterns like r.accountHolder.split('').reduce((a,c) => ...)\n\t\t\tif (\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// Math.round(taintedArg) / JSON.stringify(taintedArg) — function calls with tainted arguments\n\t\t\t// on safe objects still produce tainted results\n\t\t\tif (\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Pattern: someArray.push(taintedValue) — marks the receiving array as tainted\n\t\t// This covers imperative for-of patterns:\n\t\t// for (const r of env.records) { codes.push(r.name.charCodeAt(0)) }\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\tif (\n\t\t\t\tmethodName === \"push\" &&\n\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\t// Mark the array variable as tainted (it now contains PII-derived values)\n\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t}\n\t\t}\n\n\t\t// Check if any argument is tainted (for functions that might propagate)\n\t\t// Conservative: if calling a function WITH tainted args, consider result tainted\n\t\t// This catches: someHelper(r.name), parseInt(taintedVar), etc.\n\t\tif (call.callee.type === \"Identifier\") {\n\t\t\tconst fnName = (call.callee as acorn.Identifier).name;\n\t\t\t// Allow safe math/utility functions that don't propagate PII\n\t\t\tconst SAFE_GLOBALS = new Set([\n\t\t\t\t\"Math\",\n\t\t\t\t\"Number\",\n\t\t\t\t\"parseInt\",\n\t\t\t\t\"parseFloat\",\n\t\t\t\t\"isNaN\",\n\t\t\t\t\"isFinite\",\n\t\t\t]);\n\t\t\tif (!SAFE_GLOBALS.has(fnName)) {\n\t\t\t\treturn call.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if an array method callback produces tainted output.\n\t * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result\n\t */\n\tprivate doesCallbackProduceTaint(\n\t\tcallback: acorn.ArrowFunctionExpression | acorn.FunctionExpression,\n\t\tmethodName: string | null,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Create a temporary scope with callback params as record-bound\n\t\tconst scopedRecordVars = new Set(recordBoundVars);\n\t\tconst scopedTaintedVars = new Set(taintedVars);\n\n\t\tif (callback.params.length > 0) {\n\t\t\tconst isReduce =\n\t\t\t\tmethodName !== null && TaintAnalyzer.REDUCE_METHODS.has(methodName);\n\t\t\tconst recordParamIndex = isReduce ? 1 : 0;\n\n\t\t\tif (\n\t\t\t\tcallback.params.length > recordParamIndex &&\n\t\t\t\tcallback.params[recordParamIndex].type === \"Identifier\"\n\t\t\t) {\n\t\t\t\tscopedRecordVars.add(\n\t\t\t\t\t(callback.params[recordParamIndex] as acorn.Identifier).name,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// For arrow functions with expression body: (r) => r.name.charCodeAt(0)\n\t\tif (\n\t\t\tcallback.type === \"ArrowFunctionExpression\" &&\n\t\t\tcallback.body.type !== \"BlockStatement\"\n\t\t) {\n\t\t\treturn this.isExpressionTainted(\n\t\t\t\tcallback.body,\n\t\t\t\tscopedRecordVars,\n\t\t\t\tscopedTaintedVars,\n\t\t\t);\n\t\t}\n\n\t\t// For block bodies, check return statements within the callback\n\t\tlet hasTaintedReturn = false;\n\t\tconst returnVisitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturn = true;\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(callback.body as acorn.Node, returnVisitors);\n\n\t\treturn hasTaintedReturn;\n\t}\n\n\t// ── Utility Methods ───────────────────────────────────────────────\n\n\t/** Extracts the property name from a MemberExpression (dot or bracket with string literal) */\n\tprivate getPropertyName(member: acorn.MemberExpression): string | null {\n\t\tif (!member.computed && member.property.type === \"Identifier\") {\n\t\t\treturn (member.property as acorn.Identifier).name;\n\t\t}\n\t\tif (member.computed && member.property.type === \"Literal\") {\n\t\t\tconst val = (member.property as acorn.Literal).value;\n\t\t\tif (typeof val === \"string\") return val;\n\t\t}\n\t\treturn null;\n\t}\n\n\t/** Checks if an expression resolves to `env.records` or `records` */\n\tprivate isEnvRecordsAccess(node: acorn.Node): boolean {\n\t\t// Direct: env.records\n\t\tif (node.type === \"MemberExpression\") {\n\t\t\tconst member = node as acorn.MemberExpression;\n\t\t\tconst propName = this.getPropertyName(member);\n\t\t\tif (\n\t\t\t\tpropName === \"records\" &&\n\t\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\t\t(member.object as acorn.Identifier).name === \"env\"\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// Bare: records (injected as sandbox global)\n\t\tif (\n\t\t\tnode.type === \"Identifier\" &&\n\t\t\t(node as acorn.Identifier).name === \"records\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/** Generates a human-readable description of the taint source for error messages */\n\tprivate describeTaintSource(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): string | undefined {\n\t\tif (node.type === \"Identifier\") {\n\t\t\tconst name = (node as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(name)) return `variable '${name}' is PII-derived`;\n\t\t}\n\n\t\tif (node.type === \"ObjectExpression\") {\n\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\tfor (const prop of obj.properties) {\n\t\t\t\tif (\n\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst keyName =\n\t\t\t\t\t\tprop.key.type === \"Identifier\"\n\t\t\t\t\t\t\t? (prop.key as acorn.Identifier).name\n\t\t\t\t\t\t\t: \"unknown\";\n\t\t\t\t\treturn `property '${keyName}' contains PII-derived value`;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst methodName = this.getPropertyName(\n\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t);\n\t\t\t\tif (methodName) return `result of .${methodName}() on PII data`;\n\t\t\t}\n\t\t}\n\n\t\treturn undefined;\n\t}\n}\n","/**\n * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)\n *\n * Lightweight NER scanner using `compromise` NLP for detecting\n * person names, places, and organizations in free-text output values.\n *\n * This layer operates AFTER the regex-based PII scanner and\n * catches entities that lack a deterministic format pattern\n * (e.g., \"Evelyn Reed\" cannot be detected by regex).\n *\n * Architecture: opt-in per-server via `enableNerScanning: true`.\n * Performance: ~10ms for typical SDK output sizes (< 10KB).\n *\n * @see https://github.com/spencermountain/compromise\n */\n// Types for compromise (minimal)\ntype NlpDoc = {\n\tpeople: () => { out: (type: string) => string[] };\n\tplaces: () => { out: (type: string) => string[] };\n\torganizations: () => { out: (type: string) => string[] };\n};\ntype NlpStatic = ((text: string) => NlpDoc) & {\n\taddWords: (words: Record<string, string>) => void;\n};\n\n/**\n * Medical/pharmaceutical vocabulary safelist.\n * These terms are tagged as #Medication to prevent the NER\n * from misclassifying them as person/organization names.\n * Extends progressively — add terms as false positives arise.\n */\nconst MEDICAL_VOCABULARY: Record<string, string> = {\n\taspirin: \"Medication\",\n\tlisinopril: \"Medication\",\n\tmetformin: \"Medication\",\n\tamlodipine: \"Medication\",\n\tatorvastatin: \"Medication\",\n\tomeprazole: \"Medication\",\n\tlosartan: \"Medication\",\n\tsimvastatin: \"Medication\",\n\tlevothyroxine: \"Medication\",\n\tibuprofen: \"Medication\",\n\tacetaminophen: \"Medication\",\n\tamoxicillin: \"Medication\",\n\tciprofloxacin: \"Medication\",\n\tprednisone: \"Medication\",\n\twarfarin: \"Medication\",\n\tinsulin: \"Medication\",\n\thydrochlorothiazide: \"Medication\",\n\tgabapentin: \"Medication\",\n\talbuterol: \"Medication\",\n\tpantoprazole: \"Medication\",\n\t// Generic clinical terms\n\thypertension: \"Condition\",\n\tdiabetes: \"Condition\",\n\tbronchitis: \"Condition\",\n\tpneumonia: \"Condition\",\n\tasthma: \"Condition\",\n};\n\n/** Single named entity detected by the NER scanner. */\nexport interface NerEntity {\n\ttype: \"person\" | \"place\" | \"organization\";\n\ttext: string;\n}\n\n/** Result of an NER scan operation. */\nexport interface NerScanResult {\n\tdetected: boolean;\n\tentities: NerEntity[];\n}\n\n// Minimum string length to attempt NER analysis.\n// Shorter strings are unlikely to contain meaningful named entities.\nconst MIN_TEXT_LENGTH = 4;\n\n// Pattern to identify strings that are purely numeric/symbolic (skip NER)\nconst NON_TEXT_PATTERN = /^[\\d\\s.,:;!?()[\\]{}<>@#$%^&*+=|\\\\/\"'`~_-]+$/;\n\n/**\n * Scans text content for named entities that may represent PII.\n * Uses `compromise/three` for person, place, and organization detection.\n *\n * Designed for egress filtering — optimized for recall over precision\n * to ensure sensitive data does not leak through aliased output keys.\n */\nexport class NerScanner {\n\tprivate static nlp: NlpStatic | null = null;\n\n\t/**\n\t * Lazy loads the compromise library only when needed.\n\t */\n\tprivate async getNlp(): Promise<NlpStatic> {\n\t\tif (!NerScanner.nlp) {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: dynamic import of optional dependency\n\t\t\tconst mod = (await import(\"compromise/three\")) as any;\n\t\t\t// compromise export can vary depending on bundling\n\t\t\tNerScanner.nlp = (mod.default || mod) as NlpStatic;\n\t\t\tNerScanner.nlp.addWords(MEDICAL_VOCABULARY);\n\t\t}\n\t\treturn NerScanner.nlp;\n\t}\n\n\t/**\n\t * Scans a single string value for named entities.\n\t * Returns detected entities if the text contains recognizable PII.\n\t */\n\tasync scan(text: string): Promise<NerScanResult> {\n\t\tif (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tconst nlp = await this.getNlp();\n\t\tconst doc = nlp(text);\n\t\tconst entities: NerEntity[] = [];\n\n\t\tconst people = doc.people().out(\"array\");\n\t\tfor (const person of people) {\n\t\t\tconst trimmed = person.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"person\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst places = doc.places().out(\"array\");\n\t\tfor (const place of places) {\n\t\t\tconst trimmed = place.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"place\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst orgs = doc.organizations().out(\"array\");\n\t\tfor (const org of orgs) {\n\t\t\tconst trimmed = org.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"organization\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tdetected: entities.length > 0,\n\t\t\tentities,\n\t\t};\n\t}\n\n\t/**\n\t * Recursively scans all string values within an object/array.\n\t * Stops at the first detection for performance (fail-fast).\n\t */\n\tasync scanDeep(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<NerScanResult> {\n\t\tif (input === null || input === undefined) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tif (typeof input === \"string\") {\n\t\t\treturn this.scan(input);\n\t\t}\n\n\t\tif (typeof input === \"object\") {\n\t\t\tif (seen.has(input as object)) {\n\t\t\t\treturn { detected: false, entities: [] };\n\t\t\t}\n\t\t\tseen.add(input as object);\n\n\t\t\tconst values = Array.isArray(input)\n\t\t\t\t? input\n\t\t\t\t: Object.values(input as Record<string, unknown>);\n\n\t\t\tconst allEntities: NerEntity[] = [];\n\n\t\t\tfor (const value of values) {\n\t\t\t\tconst result = await this.scanDeep(value, seen);\n\t\t\t\tif (result.detected) {\n\t\t\t\t\tallEntities.push(...result.entities);\n\t\t\t\t\t// Fail-fast: return immediately on first person detection\n\t\t\t\t\tif (result.entities.some((e) => e.type === \"person\")) {\n\t\t\t\t\t\treturn { detected: true, entities: allEntities };\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tdetected: allEntities.length > 0,\n\t\t\t\tentities: allEntities,\n\t\t\t};\n\t\t}\n\n\t\treturn { detected: false, entities: [] };\n\t}\n}\n","/**\n * LIOP Professional PII Engine (The Shield V2 - Tier-1 Military Edition)\n * Implements high-fidelity detection based on NIST and OWASP standards.\n * Features Multi-Layer Verification (Regex + Algorithmic Validators).\n */\n\n/**\n * Validates a credit card number using the Luhn algorithm.\n * Prevents false positives from random 16-digit IDs.\n */\nfunction isLuhnValid(cardNumber: string): boolean {\n\tconst digits = cardNumber.replace(/\\D/g, \"\");\n\tif (digits.length < 13 || digits.length > 19) return false;\n\n\tlet sum = 0;\n\tlet isEven = false;\n\n\tfor (let i = digits.length - 1; i >= 0; i--) {\n\t\tlet digit = parseInt(digits.charAt(i), 10);\n\n\t\tif (isEven) {\n\t\t\tdigit *= 2;\n\t\t\tif (digit > 9) {\n\t\t\t\tdigit -= 9;\n\t\t\t}\n\t\t}\n\n\t\tsum += digit;\n\t\tisEven = !isEven;\n\t}\n\n\treturn sum % 10 === 0;\n}\n\n/**\n * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.\n * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.\n */\nfunction isIbanValid(iban: string): boolean {\n\tconst sanitized = iban.replace(/\\s+/g, \"\").toUpperCase();\n\n\tif (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;\n\n\tconst rearranged = sanitized.substring(4) + sanitized.substring(0, 4);\n\n\tlet numericString = \"\";\n\tfor (let i = 0; i < rearranged.length; i++) {\n\t\tconst charCode = rearranged.charCodeAt(i);\n\t\tif (charCode >= 65 && charCode <= 90) {\n\t\t\tnumericString += (charCode - 55).toString();\n\t\t} else if (charCode >= 48 && charCode <= 57) {\n\t\t\tnumericString += rearranged.charAt(i);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\ttry {\n\t\treturn BigInt(numericString) % 97n === 1n;\n\t} catch (_e) {\n\t\treturn false;\n\t}\n}\n\nexport type PiiRuleDefinition = {\n\tname: string;\n\tpattern: string | RegExp;\n\tvalidator?: (match: string) => boolean;\n};\n\nexport type PiiRule = string | RegExp | PiiRuleDefinition;\n\nexport const PII_PATTERNS = {\n\tEMAIL: {\n\t\tname: \"EMAIL\",\n\t\tpattern: /\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b/gi,\n\t\tvalidator: (match: string) =>\n\t\t\t!match.endsWith(\"@example.com\") && !match.endsWith(\"@test.com\"),\n\t} as PiiRuleDefinition,\n\tCREDIT_CARD: {\n\t\tname: \"CREDIT_CARD\",\n\t\tpattern: /\\b(?:\\d[ -]*?){13,16}\\b/g,\n\t\tvalidator: isLuhnValid,\n\t} as PiiRuleDefinition,\n\tIP_ADDRESS: {\n\t\tname: \"IP_ADDRESS\",\n\t\tpattern: /\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst safeIps = [\"127.0.0.1\", \"0.0.0.0\", \"255.255.255.255\"];\n\t\t\tif (safeIps.includes(match)) return false;\n\t\t\t// Validate valid IPv4 ranges\n\t\t\tconst parts = match.split(\".\").map(Number);\n\t\t\treturn parts.every((p) => p >= 0 && p <= 255);\n\t\t},\n\t} as PiiRuleDefinition,\n\tPHONE: {\n\t\tname: \"PHONE\",\n\t\t// Strict boundary to avoid matching long numeric IDs wrapped in symbols\n\t\tpattern: /(?:(?:\\+?\\d{1,3}[-. ]?)?\\(?\\d{3}\\)?[-. ]?\\d{3}[-. ]?\\d{4})\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length < 7 || digits.length > 15) return false;\n\t\t\t// Reject fake test numbers like 0000000000 or 1234567890\n\t\t\tif (/^(\\d)\\1+$/.test(digits)) return false;\n\t\t\tif (digits === \"1234567890\") return false;\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tSSN: {\n\t\tname: \"SSN\",\n\t\tpattern: /\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length !== 9) return false;\n\n\t\t\tconst area = parseInt(digits.substring(0, 3), 10);\n\t\t\tif (area === 0 || area === 666 || area >= 900) return false;\n\n\t\t\tconst group = parseInt(digits.substring(3, 5), 10);\n\t\t\tif (group === 0) return false;\n\n\t\t\tconst serial = parseInt(digits.substring(5, 9), 10);\n\t\t\tif (serial === 0) return false;\n\n\t\t\tif (/^(\\d)\\1+$/.test(digits) || digits === \"123456789\") return false;\n\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tIBAN: {\n\t\tname: \"IBAN\",\n\t\tpattern: /\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\\b/gi,\n\t\tvalidator: isIbanValid,\n\t} as PiiRuleDefinition,\n\tPASSPORT_MRZ: {\n\t\tname: \"PASSPORT_MRZ\",\n\t\t// Machina Readable Zone line match for standard international passports\n\t\tpattern: /\\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\\b|\\s|$)/g,\n\t} as PiiRuleDefinition,\n};\n\n/**\n * Regional and Cultural Security Presets for Out-Of-The-Box compliance.\n * Developers can override, merge, or omit these based on local laws.\n */\nexport const PII_PRESETS = {\n\tGLOBAL_STRICT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t\tPII_PATTERNS.IBAN,\n\t],\n\tUS_COMPLIANT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.SSN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n\tEU_GDPR: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.IBAN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n};\n\nexport class PiiScanner {\n\tprivate patterns: PiiRule[];\n\tprivate forbiddenKeysSet: Set<string>;\n\tprivate nerScanner: import(\"./ner-scanner.js\").NerScanner | null;\n\n\t/**\n\t * Safelist of keys that contain forbidden substrings but are NOT PII.\n\t * Prevents false positives from fuzzy matching (e.g., \"grid\" contains \"id\").\n\t */\n\tprivate static readonly KEY_SAFELIST = new Set([\n\t\t// Common words containing \"id\" substring\n\t\t\"grid\",\n\t\t\"video\",\n\t\t\"android\",\n\t\t\"identity\",\n\t\t\"provide\",\n\t\t\"override\",\n\t\t\"validate\",\n\t\t\"hidden\",\n\t\t\"widget\",\n\t\t\"guidelines\",\n\t\t\"beside\",\n\t\t\"guideline\",\n\t\t\"outside\",\n\t\t\"inside\",\n\t\t\"collide\",\n\t\t\"decide\",\n\t\t\"divide\",\n\t\t\"aside\",\n\t\t\"ride\",\n\t\t\"side\",\n\t\t\"wide\",\n\t\t\"hide\",\n\t\t\"tide\",\n\t\t\"pride\",\n\t\t\"bride\",\n\t\t\"slide\",\n\t\t\"guide\",\n\t\t\"stride\",\n\t\t\"oxide\",\n\t\t\"dioxide\",\n\t\t\"suicide\",\n\t\t\"homicide\",\n\t\t\"pesticide\",\n\t\t\"valid\",\n\t\t\"invalid\",\n\t\t\"void\",\n\t\t\"avoid\",\n\t\t// Common words containing \"name\" substring\n\t\t\"diagnosis\",\n\t\t\"medication\",\n\t\t\"namespace\",\n\t\t\"namesake\",\n\t\t\"rename\",\n\t\t\"filename\",\n\t\t\"hostname\",\n\t\t\"typename\",\n\t\t\"unnamed\",\n\t\t\"renamed\",\n\t\t// Common words containing \"phone\" substring\n\t\t\"phonetic\",\n\t\t\"phoneme\",\n\t\t\"microphone\",\n\t\t\"headphone\",\n\t\t\"telephone\",\n\t\t\"saxophone\",\n\t\t\"smartphone\",\n\t\t// Common words containing \"address\" substring\n\t\t\"streetview\",\n\t\t\"addressable\",\n\t\t\"addressing\",\n\t\t// Common words containing \"city\" substring\n\t\t\"cityscape\",\n\t\t\"electricity\",\n\t\t\"capacity\",\n\t\t\"velocity\",\n\t\t\"opacity\",\n\t\t// Common technical terms\n\t\t\"timestamp\",\n\t\t\"timezone\",\n\t\t// LIOP Protocol Internal Keys (must never be blocked)\n\t\t\"image_id\",\n\t\t\"computation_result\",\n\t\t\"zk_receipt\",\n\t\t\"testid\",\n\t\t\"toolid\",\n\t\t\"sessionid\",\n\t\t\"peerid\",\n\t\t\"nodeid\",\n\t\t\"requestid\",\n\t\t\"correlationid\",\n\t\t\"traceid\",\n\t\t\"spanid\",\n\t]);\n\n\t/**\n\t * Short forbidden tokens (< 4 chars) that require boundary-aware matching.\n\t * Uses regex boundary detection to avoid false positives.\n\t */\n\tprivate shortTokenBoundaryPatterns: Map<string, RegExp>;\n\n\t/**\n\t * Long forbidden tokens (>= 4 chars) that use substring containment.\n\t */\n\tprivate longForbiddenTokens: string[];\n\n\tconstructor(\n\t\tpatterns: PiiRule[] = [],\n\t\tforbiddenKeys: string[] = [],\n\t\tnerScanner?: import(\"./ner-scanner.js\").NerScanner | null,\n\t) {\n\t\tthis.patterns = patterns;\n\t\tthis.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));\n\t\tthis.nerScanner = nerScanner ?? null;\n\n\t\t// Pre-compute fuzzy matching structures for performance\n\t\tthis.shortTokenBoundaryPatterns = new Map();\n\t\tthis.longForbiddenTokens = [];\n\n\t\tfor (const token of this.forbiddenKeysSet) {\n\t\t\tif (token.length < 4) {\n\t\t\t\t// Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)\n\t\t\t\t// \"id\" matches: \"patientId\", \"record_id\", \"user-id\", \"id\"\n\t\t\t\t// \"id\" does NOT match: \"grid\", \"video\", \"android\"\n\t\t\t\tthis.shortTokenBoundaryPatterns.set(\n\t\t\t\t\ttoken,\n\t\t\t\t\tnew RegExp(\n\t\t\t\t\t\t`(?:^|[_-])${token}(?:$|[_-])|` + // snake/kebab boundary\n\t\t\t\t\t\t\t`(?:^|[a-z])${token.charAt(0).toUpperCase()}${token.slice(1)}|` + // camelCase boundary (e.g., patientId)\n\t\t\t\t\t\t\t`^${token}$`, // exact match\n\t\t\t\t\t\t\"i\",\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tthis.longForbiddenTokens.push(token);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Scans any input (string, object, array) for PII violations.\n\t * Returns the pattern/rule name that triggered the violation, or null if safe.\n\t *\n\t * Detection pipeline (fail-fast):\n\t * 1. Exact key match (O(1) Set lookup)\n\t * 2. Fuzzy key match (boundary detection for short tokens, substring for long)\n\t * 3. Regex/algorithmic pattern match on string values\n\t * 4. NER content scan on string values (if enabled)\n\t */\n\tpublic async scan(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<string | null> {\n\t\tif (input === null || input === undefined) return null;\n\n\t\t// 1. String Scan (Direct Regex/String/Definition check)\n\t\tif (typeof input === \"string\") {\n\t\t\t// SECURITY PATCH: JSON Deep-Parsing Recursion (Fortification V2)\n\t\t\t// Defeats Double JSON Encoding bypasses by forcefully parsing stringified JSON back into objects.\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst parsed = JSON.parse(trimmed);\n\t\t\t\t\t// Successfully parsed JSON string. Recursively scan the unescaped object.\n\t\t\t\t\tconst violation = await this.scan(parsed, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t} catch (_e) {\n\t\t\t\t\t// Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check string value against regex patterns\n\t\t\tconst patternViolation = this.checkString(input);\n\t\t\tif (patternViolation) return patternViolation;\n\n\t\t\t// Layer 3: NER Content Scan — detect person names in free-text values\n\t\t\tif (this.nerScanner) {\n\t\t\t\tconst nerResult = await this.nerScanner.scan(input);\n\t\t\t\tif (nerResult.detected) {\n\t\t\t\t\tconst personEntity = nerResult.entities.find(\n\t\t\t\t\t\t(e) => e.type === \"person\",\n\t\t\t\t\t);\n\t\t\t\t\tif (personEntity) {\n\t\t\t\t\t\treturn `PII Entity Detected: person name \"${personEntity.text}\"`;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn null;\n\t\t}\n\n\t\t// 2. Recursive Objects/Arrays Scan\n\t\tif (typeof input === \"object\") {\n\t\t\t// Protection against circular references\n\t\t\tif (seen.has(input as object)) return null;\n\t\t\tseen.add(input as object);\n\n\t\t\tif (Array.isArray(input)) {\n\t\t\t\tfor (const element of input) {\n\t\t\t\t\tconst violation = await this.scan(element, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfor (const [key, value] of Object.entries(\n\t\t\t\t\tinput as Record<string, unknown>,\n\t\t\t\t)) {\n\t\t\t\t\t// Layer 1: Exact key match — O(1) constant time\n\t\t\t\t\tif (this.forbiddenKeysSet.has(key.toLowerCase())) {\n\t\t\t\t\t\treturn `Forbidden Key: ${key}`;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Layer 2: Fuzzy key match — catches aliases and variations\n\t\t\t\t\tconst fuzzyViolation = this.checkKeyFuzzy(key);\n\t\t\t\t\tif (fuzzyViolation) return fuzzyViolation;\n\n\t\t\t\t\t// Recurse into values\n\t\t\t\t\tconst violation = await this.scan(value, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks a key against fuzzy matching rules.\n\t * Short tokens use boundary-aware regex; long tokens use substring containment.\n\t */\n\tprivate checkKeyFuzzy(key: string): string | null {\n\t\tconst normalized = key.toLowerCase();\n\n\t\t// Skip safelisted keys entirely\n\t\tif (PiiScanner.KEY_SAFELIST.has(normalized)) return null;\n\n\t\t// Short token boundary matching (e.g., \"id\" in \"patientId\" but not \"grid\")\n\t\tfor (const [token, pattern] of this.shortTokenBoundaryPatterns) {\n\t\t\tif (pattern.test(key)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} matches boundary pattern \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\t// Long token substring matching (e.g., \"name\" in \"firstName\", \"names\")\n\t\tfor (const token of this.longForbiddenTokens) {\n\t\t\tif (normalized.includes(token)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} contains restricted token \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate checkString(text: string): string | null {\n\t\tfor (const rule of this.patterns) {\n\t\t\tif (typeof rule === \"string\") {\n\t\t\t\tif (text.toLowerCase().includes(rule.toLowerCase())) {\n\t\t\t\t\treturn rule;\n\t\t\t\t}\n\t\t\t} else if (rule instanceof RegExp) {\n\t\t\t\tif (rule.global) rule.lastIndex = 0;\n\t\t\t\tif (rule.test(text)) {\n\t\t\t\t\treturn rule.source;\n\t\t\t\t}\n\t\t\t} else if (typeof rule === \"object\" && rule !== null) {\n\t\t\t\t// PiiRuleDefinition (Military Grade Multi-layer)\n\t\t\t\tconst def = rule as PiiRuleDefinition;\n\n\t\t\t\tif (typeof def.pattern === \"string\") {\n\t\t\t\t\tif (text.toLowerCase().includes(def.pattern.toLowerCase())) {\n\t\t\t\t\t\tif (!def.validator || def.validator(def.pattern)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if (def.pattern instanceof RegExp) {\n\t\t\t\t\tif (def.pattern.global) def.pattern.lastIndex = 0;\n\n\t\t\t\t\t// Use matchAll or exec to get the specific match for the validator\n\t\t\t\t\tlet match = def.pattern.exec(text);\n\t\t\t\t\twhile (match !== null) {\n\t\t\t\t\t\tconst matchedText = match[0];\n\t\t\t\t\t\tif (!def.validator || def.validator(matchedText)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!def.pattern.global) break; // Break if not global\n\t\t\t\t\t\tmatch = def.pattern.exec(text);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn null;\n\t}\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { FixedQueue, Piscina } from \"piscina\";\nimport { z } from \"zod\";\nimport { zodToJsonSchema } from \"zod-to-json-schema\";\nimport { type LiopManifest, MeshNode } from \"../mesh/node.js\";\nimport { LiopRpcServer } from \"../rpc/server.js\";\nimport type { LogicRequest, LogicResponse } from \"../rpc/types.js\";\nimport { TaintAnalyzer } from \"../security/taint-analyzer.js\";\nimport type {\n\tCallToolRequest,\n\tCallToolResult,\n\tGetPromptRequest,\n\tGetPromptResult,\n\tPrompt,\n\tResource,\n\tServerInfo,\n\tTool,\n} from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\nimport { NerScanner } from \"./ner-scanner.js\";\nimport { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from \"./pii.js\";\n\nexport { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };\n\nexport type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (\n\targs: z.infer<z.ZodObject<T>>,\n\textra: { signal?: AbortSignal },\n) => Promise<CallToolResult>;\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\nexport interface LiopServerOptions {\n\tcapabilities?: Record<string, unknown>;\n\tworkerPool?: {\n\t\tenabled?: boolean;\n\t\tminThreads?: number;\n\t\tmaxThreads?: number;\n\t\tidleTimeout?: number;\n\t\t/** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */\n\t\tmaxHeapMb?: number;\n\t};\n\tsecurity?: {\n\t\tpiiPatterns?: PiiRule[];\n\t\tforbiddenKeys?: string[];\n\t\t/** Enable NLP-based Named Entity Recognition scanning on output values. */\n\t\tenableNerScanning?: boolean;\n\t\t/** Rate limiting configuration for tool calls (OWASP A01). */\n\t\trateLimit?: {\n\t\t\t/** Maximum calls per window per tool (default: 15). */\n\t\t\tmaxPerWindow?: number;\n\t\t\t/** Maximum calls per window across ALL tools combined (default: 40). */\n\t\t\tglobalMaxPerWindow?: number;\n\t\t\t/** Sliding window duration in milliseconds (default: 60000 = 1 min). */\n\t\t\twindowMs?: number;\n\t\t};\n\t};\n\ttaxonomy?: {\n\t\tdomain?: string;\n\t\tclearanceTier?: number;\n\t\texecutionTypes?: string[];\n\t};\n}\n\nexport interface AggregationPolicy {\n\t/** Maximum number of object-type array elements allowed (default: 10) */\n\tmaxOutputRows?: number;\n\t/** Allow arrays containing only primitive values (default: true) */\n\tallowPrimitiveArrays?: boolean;\n\t/** Block min/max extraction when dataset size < this value (default: 50) */\n\tminMaxBlockThreshold?: number;\n}\n\nexport interface LogicExecutionPolicy {\n\t/**\n\t * Validate the business payload returned by sandbox logic (post-execution).\n\t * This runs before final egress checks and blocks non-conforming outputs.\n\t */\n\toutputSchema?: z.ZodType<unknown>;\n\t/**\n\t * Enforce aggregation-first heuristics (preflight + post-check).\n\t */\n\tenforceAggregationFirst?: boolean | AggregationPolicy;\n\t/**\n\t * Optional additional deny patterns checked against extracted logic source.\n\t */\n\tpreflightDenyPatterns?: RegExp[];\n\t/**\n\t * Differential Privacy epsilon per query (default: 1.0).\n\t * Lower = stronger privacy + more noise. Standard: Apple iOS uses 1.0.\n\t */\n\tdpEpsilon?: number;\n\t/**\n\t * DP sensitivity: max change when one record added/removed (default: 1.0).\n\t * For SUM queries on a field with range [0, X], set sensitivity = X.\n\t */\n\tdpSensitivity?: number;\n\t/**\n\t * Max queries per numeric field per PQC session (default: 5).\n\t * Prevents multi-query differencing attacks.\n\t */\n\tqueryBudgetPerField?: number;\n}\n\nexport class LiopServer {\n\tprivate logicCache: Map<string, { hash: string; timestamp: number }> =\n\t\tnew Map();\n\tprivate connectionStats: Map<\n\t\tstring,\n\t\t{ failures: number; lastAttempt: number }\n\t> = new Map();\n\tprivate readonly CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\tprivate readonly THROTTLE_THRESHOLD = 5;\n\tprivate readonly THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds\n\n\t// [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration\n\tprivate toolCallWindows: Map<string, number[]> = new Map();\n\tprivate readonly toolCallMaxPerWindow: number;\n\tprivate readonly toolCallWindowMs: number;\n\n\t// [OWASP-A01] Global cross-tool rate limiter — prevents distributed micro-query attacks\n\tprivate globalCallWindow: number[] = [];\n\tprivate readonly globalCallMaxPerWindow: number;\n\n\t// [DP] Query Budget — tracks per-field query counts to prevent multi-query differencing\n\tprivate fieldQueryBudget: Map<string, Map<string, number>> = new Map();\n\n\t// [SEC] AST-level taint tracker for PII side-channel prevention\n\tprivate readonly taintAnalyzer: TaintAnalyzer;\n\n\tprivate tools: Map<\n\t\tstring,\n\t\t{\n\t\t\ttool: Tool;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\thandler: ToolHandler<any>;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\tschema: z.ZodObject<any>;\n\t\t\tpolicy?: LogicExecutionPolicy;\n\t\t}\n\t> = new Map();\n\tprivate resources: Map<\n\t\tstring,\n\t\tResource & { content?: string | (() => Promise<string>) }\n\t> = new Map();\n\tprivate prompts: Map<\n\t\tstring,\n\t\t{\n\t\t\tprompt: Prompt;\n\t\t\thandler: (\n\t\t\t\trequest: GetPromptRequest,\n\t\t\t) => GetPromptResult | Promise<GetPromptResult>;\n\t\t}\n\t> = new Map();\n\tprivate activeSchema: Record<string, unknown> | null = null;\n\tprivate sandboxRecords: Record<string, unknown>[] = [];\n\n\tprivate piiScanner: PiiScanner;\n\tprivate workerPool: Piscina;\n\tprivate meshNode: MeshNode | null = null;\n\tprivate rpcServer: LiopRpcServer | null = null;\n\tprivate boundPort: number | null = null;\n\tprivate sessions: Map<\n\t\tstring,\n\t\t{ capability_hash: string; kyber_sk: Uint8Array }\n\t> = new Map();\n\n\t// Compact envelope: @LIOP{target,name}\\n<code>\\n@END\n\tprivate static readonly LIOP_COMPACT_REGEX =\n\t\t/@LIOP\\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\\}\\n(?<logic>[\\s\\S]*?)\\n@END/m;\n\n\tprivate extractLogic(payload: string): string | null {\n\t\tconst compact = payload.match(LiopServer.LIOP_COMPACT_REGEX);\n\t\treturn compact?.groups?.logic ? compact.groups.logic.trim() : null;\n\t}\n\n\tprivate parseUnknownJson(input: unknown): unknown {\n\t\tif (typeof input !== \"string\") return input;\n\t\tconst trimmed = input.trim();\n\t\tif (\n\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t) {\n\t\t\ttry {\n\t\t\t\treturn JSON.parse(trimmed);\n\t\t\t} catch {\n\t\t\t\treturn input;\n\t\t\t}\n\t\t}\n\t\treturn input;\n\t}\n\n\tprivate runPreflightPolicy(\n\t\t_toolName: string,\n\t\tlogic: string,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\t// Phase 1: Regex-based row-level export detection (fast path)\n\t\tif (policy) {\n\t\t\tconst compact = logic.replace(/\\s+/g, \" \");\n\n\t\t\tif (policy.enforceAggregationFirst) {\n\t\t\t\tconst rowExtractionPatterns = [\n\t\t\t\t\t// Block raw record dumps but allow safe aggregation chains\n\t\t\t\t\t// (.reduce, .length, .filter().length, .every, .some)\n\t\t\t\t\t/return\\s+env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter|every|some|find)\\b)/i,\n\t\t\t\t\t/return\\s*\\{[\\s\\S]*\\b(accounts|patients|rows|records)\\s*:\\s*env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter)\\b)/i,\n\t\t\t\t];\n\t\t\t\tif (rowExtractionPatterns.some((p) => p.test(compact))) {\n\t\t\t\t\treturn \"Preflight policy rejected: potential row-level export pattern detected.\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {\n\t\t\t\treturn \"Preflight policy rejected: custom deny pattern matched.\";\n\t\t\t}\n\t\t}\n\n\t\t// Phase 2: AST-level taint tracking (detects PII side-channel derivation)\n\t\t// Pass recordCount and minMaxBlockThreshold to enable Correlation Guard (Pass 4) and Min/Max Gate (Pass 5)\n\t\tlet minMaxThreshold = 50;\n\t\tif (typeof policy?.enforceAggregationFirst === \"object\") {\n\t\t\tminMaxThreshold =\n\t\t\t\tpolicy.enforceAggregationFirst.minMaxBlockThreshold ?? 50;\n\t\t}\n\t\tconst taintViolation = this.taintAnalyzer.analyze(\n\t\t\tlogic,\n\t\t\tthis.sandboxRecords.length,\n\t\t\tminMaxThreshold,\n\t\t);\n\t\tif (taintViolation) {\n\t\t\treturn `Preflight policy rejected: ${taintViolation.reason}`;\n\t\t}\n\n\t\t// Phase 3: Query Budget Enforcement (prevents multi-query differencing)\n\t\tconst queryLimit = policy?.queryBudgetPerField ?? 5;\n\t\tconst extractedFields = this.taintAnalyzer.extractQueriedFields(logic);\n\n\t\tif (extractedFields.length > 0) {\n\t\t\tlet toolBudget = this.fieldQueryBudget.get(_toolName);\n\t\t\tif (!toolBudget) {\n\t\t\t\ttoolBudget = new Map<string, number>();\n\t\t\t\tthis.fieldQueryBudget.set(_toolName, toolBudget);\n\t\t\t}\n\n\t\t\t// Check budget before incrementing to avoid partial updates on failure\n\t\t\tfor (const field of extractedFields) {\n\t\t\t\tconst count = toolBudget.get(field) ?? 0;\n\t\t\t\tif (count >= queryLimit) {\n\t\t\t\t\treturn `Preflight policy rejected: Query budget exceeded for field '${field}' (max ${queryLimit} per session). Rotate PQC session to reset budget.`;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// All fields within budget, increment them\n\t\t\tfor (const field of extractedFields) {\n\t\t\t\tconst count = toolBudget.get(field) ?? 0;\n\t\t\t\ttoolBudget.set(field, count + 1);\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate validateOutputPolicy(\n\t\ttoolName: string,\n\t\toutput: unknown,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tif (!policy) return null;\n\t\tconst parsed = this.parseUnknownJson(output);\n\n\t\tif (policy.outputSchema) {\n\t\t\t// SEC-HARDENING: Force strict mode on ZodObject schemas to prevent\n\t\t\t// key aliasing bypasses via .passthrough(). However, respect schemas\n\t\t\t// that explicitly use .catchall() — calling .strict() would override\n\t\t\t// the catchall with ZodNever, destroying the developer's intent.\n\t\t\tconst effectiveSchema = (() => {\n\t\t\t\tif (!(policy.outputSchema instanceof z.ZodObject)) {\n\t\t\t\t\treturn policy.outputSchema;\n\t\t\t\t}\n\t\t\t\tconst obj = policy.outputSchema as z.ZodObject<z.ZodRawShape>;\n\t\t\t\t// If schema has an explicit catchall (not ZodNever), respect it\n\t\t\t\tif (!(obj._def.catchall instanceof z.ZodNever)) {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\t// Otherwise force strict to block unrecognized keys by default\n\t\t\t\treturn obj.strict();\n\t\t\t})();\n\n\t\t\tconst schemaResult = effectiveSchema.safeParse(parsed);\n\t\t\tif (!schemaResult.success) {\n\t\t\t\t// SEC-CRITICAL: Never expose rejected data in error messages.\n\t\t\t\t// Only report the structural violation (unrecognized keys, type mismatches).\n\t\t\t\treturn `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues\n\t\t\t\t\t.map((i) => `${i.path.join(\".\") || \"<root>\"} ${i.message}`)\n\t\t\t\t\t.join(\n\t\t\t\t\t\t\"; \",\n\t\t\t\t\t)}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;\n\t\t\t}\n\t\t}\n\n\t\tif (\n\t\t\tpolicy.enforceAggregationFirst &&\n\t\t\tthis.violatesAggregationFirstPolicy(\n\t\t\t\tthis.unwrapForAggregationPolicyScan(parsed),\n\t\t\t\tpolicy.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords.length,\n\t\t\t)\n\t\t) {\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\treturn isDev\n\t\t\t\t? \"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results.\"\n\t\t\t\t: \"Aggregation-First Policy Violation: Output blocked due to privacy constraints.\";\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).\n\t * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope\n\t * (otherwise `content` looks like a tabular array of objects and everything blocks).\n\t */\n\tprivate unwrapForAggregationPolicyScan(input: unknown): unknown {\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));\n\t\t\t\t} catch {\n\t\t\t\t\treturn input;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn input;\n\t\t}\n\n\t\tif (!input || typeof input !== \"object\") {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst rec = input as Record<string, unknown>;\n\t\tif (!Array.isArray(rec.content) || rec.content.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst texts: string[] = [];\n\t\tfor (const part of rec.content) {\n\t\t\tif (part && typeof part === \"object\" && \"text\" in part) {\n\t\t\t\tconst t = (part as { text?: unknown }).text;\n\t\t\t\tif (typeof t === \"string\") {\n\t\t\t\t\ttexts.push(t);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (texts.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst joined = texts.length === 1 ? texts[0] : texts.join(\"\\n\");\n\t\treturn this.unwrapForAggregationPolicyScan(joined);\n\t}\n\n\tprivate violatesAggregationFirstPolicy(\n\t\tinput: unknown,\n\t\tpolicyObj?: boolean | AggregationPolicy,\n\t\trecordsCount?: number,\n\t): boolean {\n\t\tconst maxRows =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.maxOutputRows === \"number\"\n\t\t\t\t? policyObj.maxOutputRows\n\t\t\t\t: 10;\n\t\tconst allowPrimitives =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.allowPrimitiveArrays === \"boolean\"\n\t\t\t\t? policyObj.allowPrimitiveArrays\n\t\t\t\t: true;\n\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tJSON.parse(trimmed),\n\t\t\t\t\t\tpolicyObj,\n\t\t\t\t\t\trecordsCount,\n\t\t\t\t\t);\n\t\t\t\t} catch {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false;\n\t\t}\n\n\t\tif (Array.isArray(input)) {\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item === \"object\" && item !== null)\n\t\t\t) {\n\t\t\t\t// Treat tabular row export as non-aggregated leakage risk if above threshold.\n\t\t\t\tif (input.length > maxRows) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\treturn input.some((item) =>\n\t\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item !== \"object\" || item === null)\n\t\t\t) {\n\t\t\t\tif (!allowPrimitives) return true;\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn input.some((item) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\tif (input && typeof input === \"object\") {\n\t\t\tconst keys = Object.keys(input as Record<string, unknown>);\n\n\t\t\t// K-ANONYMITY: If source dataset is too small (< 10), enforce restriction.\n\t\t\t// Allow basic statistical summaries (max 3 keys: count/avg/stddev, no nesting).\n\t\t\tif (recordsCount !== undefined && recordsCount > 0 && recordsCount < 10) {\n\t\t\t\tif (keys.length > 3) return true;\n\t\t\t\t// Check for nesting/arrays in a small sample\n\t\t\t\tconst values = Object.values(input as Record<string, unknown>);\n\t\t\t\tif (\n\t\t\t\t\tvalues.some(\n\t\t\t\t\t\t(v) => Array.isArray(v) || (typeof v === \"object\" && v !== null),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).\n\t\t\tif (keys.length > maxRows) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn Object.values(input as Record<string, unknown>).some((value) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(value, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tconstructor(\n\t\tprivate serverInfo: ServerInfo,\n\t\tprivate config?: LiopServerOptions,\n\t) {\n\t\tconst nerScanner = this.config?.security?.enableNerScanning\n\t\t\t? new NerScanner()\n\t\t\t: null;\n\n\t\tthis.piiScanner = new PiiScanner(\n\t\t\tthis.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,\n\t\t\tthis.config?.security?.forbiddenKeys ?? [\n\t\t\t\t\"id\",\n\t\t\t\t\"name\",\n\t\t\t\t\"fullName\",\n\t\t\t\t\"firstName\",\n\t\t\t\t\"lastName\",\n\t\t\t\t\"address\",\n\t\t\t\t\"street\",\n\t\t\t\t\"city\",\n\t\t\t\t\"postalCode\",\n\t\t\t\t\"zipCode\",\n\t\t\t\t\"phone\",\n\t\t\t\t\"email\",\n\t\t\t\t\"ssn\",\n\t\t\t\t\"accountHolder\",\n\t\t\t\t\"accountNumber\",\n\t\t\t\t\"account_number\",\n\t\t\t\t\"password\",\n\t\t\t\t\"token\",\n\t\t\t\t\"secret\",\n\t\t\t\t\"privateKey\",\n\t\t\t],\n\t\t\tnerScanner,\n\t\t);\n\n\t\t// [OWASP-A01] Rate limit: config > env > default (15 calls/min per-tool, 40 global)\n\t\tconst rlConfig = this.config?.security?.rateLimit;\n\t\tthis.toolCallWindowMs =\n\t\t\trlConfig?.windowMs ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? \"60000\", 10);\n\t\tthis.toolCallMaxPerWindow =\n\t\t\trlConfig?.maxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? \"15\", 10);\n\t\tthis.globalCallMaxPerWindow =\n\t\t\trlConfig?.globalMaxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? \"40\", 10);\n\n\t\t// [SEC] Initialize AST-level taint analyzer with PII field definitions\n\t\tconst forbiddenKeys = this.config?.security?.forbiddenKeys ?? [\n\t\t\t\"id\",\n\t\t\t\"name\",\n\t\t\t\"fullName\",\n\t\t\t\"firstName\",\n\t\t\t\"lastName\",\n\t\t\t\"address\",\n\t\t\t\"street\",\n\t\t\t\"city\",\n\t\t\t\"postalCode\",\n\t\t\t\"zipCode\",\n\t\t\t\"phone\",\n\t\t\t\"email\",\n\t\t\t\"ssn\",\n\t\t\t\"accountHolder\",\n\t\t\t\"accountNumber\",\n\t\t\t\"account_number\",\n\t\t\t\"password\",\n\t\t\t\"token\",\n\t\t\t\"secret\",\n\t\t\t\"privateKey\",\n\t\t];\n\t\tthis.taintAnalyzer = new TaintAnalyzer(forbiddenKeys);\n\n\t\t// Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing\n\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\tconst workerExt = isTS ? \".ts\" : \".js\";\n\n\t\tlet execArgv: string[] = [];\n\t\tif (isTS) {\n\t\t\ttry {\n\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t).href;\n\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t} catch (_e) {\n\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t}\n\t\t}\n\n\t\tconst isTest = process.env.NODE_ENV === \"test\" || process.env.VITEST;\n\n\t\t// Sync capabilities to serverInfo for MCP Handshakes\n\t\tif (this.config?.capabilities && !this.serverInfo.capabilities) {\n\t\t\tthis.serverInfo.capabilities = this.config.capabilities as Record<\n\t\t\t\tstring,\n\t\t\t\tunknown\n\t\t\t>;\n\t\t}\n\n\t\t// Support both flat dist/ and original src/ structure\n\t\tconst workerPaths = [\n\t\t\tpath.resolve(__dirname, `./workers/logic-execution${workerExt}`), // Flat dist/ (tsup)\n\t\t\tpath.resolve(__dirname, `../workers/logic-execution${workerExt}`), // Original src/\n\t\t];\n\n\t\tconst workerFilename =\n\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\tthis.workerPool = new Piscina({\n\t\t\tfilename: workerFilename,\n\t\t\tminThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),\n\t\t\tmaxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),\n\t\t\tidleTimeout:\n\t\t\t\tthis.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5000),\n\t\t\tmaxQueue: \"auto\",\n\t\t\ttaskQueue: new FixedQueue(),\n\t\t\texecArgv,\n\t\t\t// [DoS Defense] Enforce hard memory ceiling per worker thread.\n\t\t\t// Workers exceeding this limit are terminated by Node.js runtime.\n\t\t\tresourceLimits: {\n\t\t\t\tmaxOldGenerationSizeMb:\n\t\t\t\t\tthis.config?.workerPool?.maxHeapMb ??\n\t\t\t\t\tNumber.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? \"64\", 10),\n\t\t\t},\n\t\t});\n\n\t\t// [Token Economy] Auto-register LIOP protocol spec as a single Resource.\n\t\t// This centralizes the envelope documentation that was previously\n\t\t// duplicated in every tool description, reducing token overhead.\n\t\tthis.resource(\n\t\t\t\"LIOP Envelope Specification\",\n\t\t\t\"liop://protocol/envelope-spec\",\n\t\t\t\"Complete Logic-on-Origin envelope format, execution rules, and security constraints\",\n\t\t\t\"text/plain\",\n\t\t\t() => Promise.resolve(this.buildEnvelopeSpec()),\n\t\t);\n\t}\n\t/**\n\t * Builds the centralized LIOP envelope specification document.\n\t * Served as a single Resource (liop://protocol/envelope-spec) instead\n\t * of being duplicated across every tool description.\n\t */\n\tprivate buildEnvelopeSpec(): string {\n\t\tconst lines = [\n\t\t\t\"LIOP v1 Envelope Specification\",\n\t\t\t\"================================\",\n\t\t\t\"\",\n\t\t\t\"FORMAT:\",\n\t\t\t\"\",\n\t\t\t\"Compact Envelope:\",\n\t\t\t\" @LIOP{wasi_v1,TaskName}\",\n\t\t\t\" <JavaScript code>\",\n\t\t\t\" @END\",\n\t\t\t\"\",\n\t\t\t\"RUNTIME ENVIRONMENT:\",\n\t\t\t\"- env.records: Array of data objects from the origin\",\n\t\t\t\"- Must use 'return' to output results\",\n\t\t\t\"- Zero-Trust WASI Sandbox (Node.js Worker Pool)\",\n\t\t\t\"- Return aggregated objects, NOT raw row-level arrays\",\n\t\t\t\"\",\n\t\t\t\"SECURITY CONSTRAINTS:\",\n\t\t\t\"- PII Egress Shield blocks raw identifiers in output\",\n\t\t\t\"- Aggregation-First policy: prefer counts, averages, summaries\",\n\t\t\t\"- AST Guardian: static analysis before execution\",\n\t\t];\n\n\t\tif (this.config?.security?.forbiddenKeys?.length) {\n\t\t\tlines.push(\n\t\t\t\t`- Restricted fields: ${this.config.security.forbiddenKeys.join(\", \")}`,\n\t\t\t);\n\t\t}\n\n\t\tlines.push(\n\t\t\t\"\",\n\t\t\t\"TAINT TRACKING (Phase 108):\",\n\t\t\t\"- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)\",\n\t\t\t\"- Operations on restricted fields are tracked through variable assignments\",\n\t\t\t\"- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked\",\n\t\t\t\"- Allowed: aggregations on non-PII fields (balance, amount, date)\",\n\t\t\t\"\",\n\t\t\t\"K-ANONYMITY:\",\n\t\t\t\"- Datasets < 10 records: max 3 scalar output fields, no nesting\",\n\t\t\t\"- Datasets >= 10 records: max 10 output fields\",\n\t\t\t\"\",\n\t\t\t\"RATE LIMITS (OWASP A01):\",\n\t\t\t\"- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)\",\n\t\t\t\"- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)\",\n\t\t\t\"\",\n\t\t\t\"OPTIONAL PARAMETERS:\",\n\t\t\t\"- __liop_bypass_ast_cache: boolean (force AST re-evaluation)\",\n\t\t);\n\n\t\treturn lines.join(\"\\n\");\n\t}\n\n\t/**\n\t * Extracts a compact, human-readable field summary from a JSON Schema.\n\t *\n\t * Walks the schema structure to find actual data property names and types,\n\t * rather than returning top-level schema metadata keys (type, items, etc.).\n\t *\n\t * Example output for a banking schema:\n\t * \"Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}\"\n\t */\n\tprivate extractSchemaFieldSummary(\n\t\tschema: Record<string, unknown>,\n\t\tdepth = 0,\n\t): string {\n\t\t// Prevent excessive recursion in deeply nested schemas\n\t\tif (depth > 3) return \"{...}\";\n\n\t\tconst schemaType = schema.type as string | undefined;\n\t\tconst properties = schema.properties as\n\t\t\t| Record<string, Record<string, unknown>>\n\t\t\t| undefined;\n\t\tconst items = schema.items as Record<string, unknown> | undefined;\n\n\t\t// Object with properties → list field names with their types\n\t\tif (properties) {\n\t\t\tconst fields = Object.entries(properties).map(([key, prop]) => {\n\t\t\t\tconst propType = prop.type as string | undefined;\n\t\t\t\tif (propType === \"array\" && prop.items) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(\n\t\t\t\t\t\tprop.items as Record<string, unknown>,\n\t\t\t\t\t\tdepth + 1,\n\t\t\t\t\t);\n\t\t\t\t\treturn `${key}(array of ${nested})`;\n\t\t\t\t}\n\t\t\t\tif (propType === \"object\" && prop.properties) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(prop, depth + 1);\n\t\t\t\t\treturn `${key}(${nested})`;\n\t\t\t\t}\n\t\t\t\treturn `${key}(${propType || \"unknown\"})`;\n\t\t\t});\n\t\t\treturn `{${fields.join(\", \")}}`;\n\t\t}\n\n\t\t// Array type → describe the items structure\n\t\tif (schemaType === \"array\" && items) {\n\t\t\tconst itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);\n\t\t\treturn `Array of ${itemsSummary}`;\n\t\t}\n\n\t\t// Simple type or unknown structure → fallback to key listing\n\t\tif (schemaType) return schemaType;\n\t\treturn Object.keys(schema).join(\", \");\n\t}\n\n\t/**\n\t * Convenience alias for connectToMesh(), matching official documentation.\n\t */\n\tpublic async connect(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\treturn this.connectToMesh(options);\n\t}\n\n\t/**\n\t * Register a new Tool\n\t */\n\tpublic tool<T extends z.ZodRawShape>(\n\t\tname: string,\n\t\tdescription: string,\n\t\tshape: T,\n\t\thandler: ToolHandler<T>,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): void {\n\t\tif (this.tools.has(name)) {\n\t\t\tthrow new Error(`Tool already registered: ${name}`);\n\t\t}\n\n\t\tconst schema = z.object(shape);\n\t\tconst generatedSchema = zodToJsonSchema(schema);\n\n\t\tlet finalDescription = description;\n\t\tlet finalHandler = handler;\n\n\t\t// LIOP Zero-Shot Autonomy Middleware: Detect Logic-on-Origin tools\n\t\tif (shape.payload && shape.payload instanceof z.ZodString) {\n\t\t\tconst blockedKeys = this.config?.security?.forbiddenKeys || [];\n\n\t\t\t// [Token Economy] Centralized description: reference the protocol spec\n\t\t\t// Resource instead of duplicating the full envelope format per tool.\n\t\t\t// Same information, delivered once via liop://protocol/envelope-spec.\n\t\t\tfinalDescription +=\n\t\t\t\t\"\\n\\nPayload: LIOP v1 envelope (WASI sandbox).\" +\n\t\t\t\t\" Format: @LIOP{wasi_v1,TaskName}\\\\n<JS code>\\\\n@END\" +\n\t\t\t\t\" | Access data: env.records. Return aggregated object.\" +\n\t\t\t\t\" | Full spec: resource liop://protocol/envelope-spec\";\n\n\t\t\tif (blockedKeys.length > 0) {\n\t\t\t\tfinalDescription += `\\nRestricted fields: ${blockedKeys.join(\", \")}.`;\n\t\t\t}\n\n\t\t\tif (this.activeSchema) {\n\t\t\t\tconst schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);\n\t\t\t\tfinalDescription += `\\nData structure: ${schemaDigest}. Full schema: resource liop://schema/global`;\n\t\t\t}\n\n\t\t\tfinalHandler = async (\n\t\t\t\targs: z.infer<z.ZodObject<T>>,\n\t\t\t\t_extra: { signal?: AbortSignal },\n\t\t\t) => {\n\t\t\t\tconst clientId = \"global_connection\"; // Simplify for now, treating the instance as one connection\n\t\t\t\tconst now = Date.now();\n\t\t\t\tconst stats = this.connectionStats.get(clientId) || {\n\t\t\t\t\tfailures: 0,\n\t\t\t\t\tlastAttempt: 0,\n\t\t\t\t};\n\n\t\t\t\tif (\n\t\t\t\t\tstats.failures >= this.THROTTLE_THRESHOLD &&\n\t\t\t\t\tnow - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS\n\t\t\t\t) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"LIOP_THROTTLED: Too many violations. Cooling down for 60 seconds.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadValue = (args as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst bypassCache =\n\t\t\t\t\t(args as Record<string, unknown>).__liop_bypass_ast_cache === true;\n\n\t\t\t\tconst payloadHash = crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(payloadValue)\n\t\t\t\t\t.digest(\"hex\");\n\t\t\t\tconst logic = this.extractLogic(payloadValue);\n\t\t\t\tconst cached = this.logicCache.get(payloadHash);\n\n\t\t\t\tif (\n\t\t\t\t\t!bypassCache &&\n\t\t\t\t\tcached &&\n\t\t\t\t\tnow - cached.timestamp < this.CACHE_TTL_MS\n\t\t\t\t) {\n\t\t\t\t\t// Hash verified. Skips boundaries check (already validated!). Extract logic directly.\n\t\t\t\t\tif (logic) {\n\t\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn await this.executeInWorkerPool(args, logic, name);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!logic) {\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"Error: Malformed payload. Missing @LIOP boundary.\\\\nYou MUST wrap your logic exactly like this:\\\\n\\\\n@LIOP{wasi_v1,DynamicAudit}\\\\n// Your JS code here\\\\n@END\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Logic check already performed above, extraction is guaranteed at this point.\n\t\t\t\t\t// biome-ignore lint/style/noNonNullAssertion: safe extraction after check\n\t\t\t\t\tconst logic = this.extractLogic(\n\t\t\t\t\t\t(args as Record<string, unknown>).payload as string,\n\t\t\t\t\t)!;\n\t\t\t\t\t// Extract pure logic and deliver it to the developer's function\n\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing (Includes PII Shield)\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(name, logic, policy);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\n\t\t\t\t\tconst result = await this.executeInWorkerPool(args, logic, name);\n\n\t\t\t\t\tif (!result.isError) {\n\t\t\t\t\t\tthis.connectionStats.set(clientId, {\n\t\t\t\t\t\t\tfailures: 0,\n\t\t\t\t\t\t\tlastAttempt: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t\tthis.logicCache.set(payloadHash, {\n\t\t\t\t\t\t\thash: payloadHash,\n\t\t\t\t\t\t\ttimestamp: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn result;\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{ type: \"text\", text: `ExecutionRuntimeException: ${e.message}` },\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t};\n\t\t}\n\n\t\tconst inputSchema = {\n\t\t\ttype: \"object\",\n\t\t\tproperties: (generatedSchema as Record<string, unknown>).properties || {},\n\t\t\trequired: (generatedSchema as Record<string, unknown>).required,\n\t\t};\n\n\t\tthis.tools.set(name, {\n\t\t\ttool: { name, description: finalDescription, inputSchema },\n\t\t\thandler: finalHandler,\n\t\t\tschema,\n\t\t\tpolicy,\n\t\t});\n\n\t\t// [LIOP-ALPHA] Auto-announce capability to the Mesh P2P DHT if node is active\n\t\tif (this.meshNode) {\n\t\t\tthis.meshNode.announceCapability(name).catch((err) => {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t}\n\n\t/**\n\t * Register a dynamic prompt\n\t */\n\tpublic prompt(\n\t\tname: string,\n\t\tdescription: string | undefined,\n\t\targs: Prompt[\"arguments\"],\n\t\thandler: (\n\t\t\trequest: GetPromptRequest,\n\t\t) => GetPromptResult | Promise<GetPromptResult>,\n\t): void {\n\t\tif (this.prompts.has(name)) {\n\t\t\tthrow new Error(`Prompt already registered: ${name}`);\n\t\t}\n\t\tthis.prompts.set(name, {\n\t\t\tprompt: { name, description, arguments: args },\n\t\t\thandler,\n\t\t});\n\t}\n\n\t/**\n\t * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.\n\t */\n\tpublic enableZeroShotAutonomy(): void {\n\t\tthis.prompt(\n\t\t\t\"liop_blind_analyst\",\n\t\t\t\"The official Logic-Injection-on-Origin Protocol system prompt. Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.\",\n\t\t\t[],\n\t\t\t(_request) => {\n\t\t\t\treturn {\n\t\t\t\t\tdescription: \"LIOP Blind Analyst Instructions\",\n\t\t\t\t\tmessages: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\trole: \"user\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: `You are the \"Blind Analyst\" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.\nYour objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.\n\nINDUSTRIAL CONSTRAINTS & PROTOCOL RULES:\n1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.\n2. AGGREGATION FIRST: Always prefer returning counts, averages, or anonymized summaries.\n3. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.\n Structure:\n @LIOP{wasi_v1,AnalysisTask}\n // Your JS Code Here\n @END\n4. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.\n5. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).\n6. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.${\n\t\t\t\t\t\t\t\t\tthis.activeSchema\n\t\t\t\t\t\t\t\t\t\t? `\\n\\nCURRENT DATA DICTIONARY (STRICT):\\n${JSON.stringify(this.activeSchema, null, 2)}`\n\t\t\t\t\t\t\t\t\t\t: \"\"\n\t\t\t\t\t\t\t\t}\n\nProtocol Adherence is mandatory for successful execution.`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t};\n\t\t\t},\n\t\t);\n\t}\n\n\t/**\n\t * Register a dynamic resource\n\t */\n\tpublic resource(\n\t\tname: string,\n\t\turi: string,\n\t\tdescription?: string,\n\t\tmimeType?: string,\n\t\tcontent?: string | (() => Promise<string>),\n\t): void {\n\t\tif (this.resources.has(uri)) {\n\t\t\tthrow new Error(`Resource URI already registered: ${uri}`);\n\t\t}\n\t\tthis.resources.set(uri, { name, uri, description, mimeType, content });\n\t}\n\n\t/**\n\t * Broadcasts the Data Dictionary to the LLM prior to code injection.\n\t */\n\tpublic dataDictionary(\n\t\tschema: Record<string, unknown>,\n\t\tname: string = \"Global Medical Data Dictionary\",\n\t\turi: string = \"liop://schema/global\",\n\t\tdescription: string = \"Exposes the internal database schema for Zero-Shot Autonomy planning\",\n\t): void {\n\t\tthis.activeSchema = schema;\n\n\t\t// [Token Economy] Retroactively update tool descriptions with schema field references.\n\t\t// Extracts actual data property names from the JSON Schema structure.\n\t\tconst schemaDigest = this.extractSchemaFieldSummary(schema);\n\t\tfor (const [toolName, entry] of this.tools.entries()) {\n\t\t\tif (\n\t\t\t\tentry.schema.shape.payload &&\n\t\t\t\tentry.schema.shape.payload instanceof z.ZodString &&\n\t\t\t\tentry.tool.description &&\n\t\t\t\t!entry.tool.description.includes(\"Data structure:\")\n\t\t\t) {\n\t\t\t\tentry.tool.description += `\\nData structure: ${schemaDigest}. Full schema: resource ${uri}`;\n\t\t\t\tthis.tools.set(toolName, entry);\n\t\t\t}\n\t\t}\n\n\t\tthis.resource(\n\t\t\tname,\n\t\t\turi,\n\t\t\tdescription,\n\t\t\t\"application/json\",\n\t\t\tJSON.stringify(schema, null, 2),\n\t\t);\n\t}\n\n\t/**\n\t * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).\n\t */\n\tpublic clearAstCache(): void {\n\t\tthis.logicCache.clear();\n\t\tlog.info(\"[LIOP-SDK] AST Security Cache cleared by Admin.\");\n\t}\n\n\t/**\n\t * Sliding window rate limiter for tool call frequency.\n\t * Prevents micro-query exfiltration attacks where an attacker\n\t * makes hundreds of individually-legitimate calls to reconstruct\n\t * the full dataset field by field. (OWASP A01)\n\t */\n\tprivate checkToolCallRateLimit(toolName: string): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxPerWindow = this.toolCallMaxPerWindow;\n\n\t\tconst window = this.toolCallWindows.get(toolName) || [];\n\t\t// Evict expired timestamps outside the sliding window\n\t\tconst active = window.filter((t) => now - t < windowMs);\n\n\t\tif (active.length >= maxPerWindow) {\n\t\t\tconst retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +\n\t\t\t\t\t\t\t`Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tactive.push(now);\n\t\tthis.toolCallWindows.set(toolName, active);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Global cross-tool rate limiter.\n\t * Prevents attackers from distributing micro-queries across multiple tools\n\t * to evade per-tool rate limits. (OWASP A01)\n\t */\n\tprivate checkGlobalRateLimit(): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxGlobal = this.globalCallMaxPerWindow;\n\n\t\tthis.globalCallWindow = this.globalCallWindow.filter(\n\t\t\t(t) => now - t < windowMs,\n\t\t);\n\n\t\tif (this.globalCallWindow.length >= maxGlobal) {\n\t\t\tconst retryAfterSec = Math.ceil(\n\t\t\t\t(this.globalCallWindow[0] + windowMs - now) / 1000,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Global call limit exceeded. ` +\n\t\t\t\t\t\t\t`Max ${maxGlobal} total calls per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tthis.globalCallWindow.push(now);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Emulates calling a tool (used locally or via LIOPMcpBridge)\n\t */\n\tpublic async callTool(request: CallToolRequest): Promise<CallToolResult> {\n\t\tconst entry = this.tools.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Tool not found: ${request.name}`);\n\t\t}\n\n\t\t// [OWASP-A01] Rate limiting: prevent micro-query exfiltration\n\t\tconst globalLimitResult = this.checkGlobalRateLimit();\n\t\tif (globalLimitResult) return globalLimitResult;\n\t\tconst rateLimitResult = this.checkToolCallRateLimit(request.name);\n\t\tif (rateLimitResult) return rateLimitResult;\n\n\t\ttry {\n\t\t\t// Validate inputs natively with Zod before execution\n\t\t\tconst parsedArgs = entry.schema.parse(request.arguments || {});\n\n\t\t\t// Re-inject the bypass flag if present since Zod might strip unrecognized keys\n\t\t\tif (\n\t\t\t\t(request.arguments as Record<string, unknown>)\n\t\t\t\t\t?.__liop_bypass_ast_cache === true\n\t\t\t) {\n\t\t\t\t(parsedArgs as Record<string, unknown>).__liop_bypass_ast_cache = true;\n\t\t\t}\n\n\t\t\t// [LOGIC-ON-ORIGIN] Intercept code injection directly\n\t\t\tif (\n\t\t\t\tparsedArgs &&\n\t\t\t\ttypeof (parsedArgs as Record<string, unknown>).payload === \"string\"\n\t\t\t) {\n\t\t\t\tconst payload = (parsedArgs as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst logic = this.extractLogic(payload);\n\t\t\t\tif (logic) {\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tentry.policy,\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\t\t\t\t\t(parsedArgs as Record<string, unknown>).payload = logic;\n\t\t\t\t\treturn await this.executeInWorkerPool(\n\t\t\t\t\t\tparsedArgs,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst result = await entry.handler(parsedArgs, {});\n\t\t\treturn result;\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tif (e instanceof z.ZodError) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [{ type: \"text\", text: `Validation Error: ${e.message}` }],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{ type: \"text\", text: `Internal Execution Error: ${e.message}` },\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Retrieves registered tools\n\t */\n\tpublic listTools(): Tool[] {\n\t\treturn Array.from(this.tools.values()).map((t) => t.tool);\n\t}\n\n\t/**\n\t * Retrieves registered prompts\n\t */\n\tpublic listPrompts(): Prompt[] {\n\t\treturn Array.from(this.prompts.values()).map((p) => p.prompt);\n\t}\n\n\t/**\n\t * Gets a specific prompt by name\n\t */\n\tpublic async getPrompt(request: GetPromptRequest): Promise<GetPromptResult> {\n\t\tconst entry = this.prompts.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Prompt not found: ${request.name}`);\n\t\t}\n\t\treturn await entry.handler(request);\n\t}\n\n\t/**\n\t * Retrieves registered resources\n\t */\n\tpublic listResources(): Resource[] {\n\t\treturn Array.from(this.resources.values());\n\t}\n\n\t/**\n\t * Reads a specific resource by URI\n\t */\n\tpublic async readResource(uri: string): Promise<{\n\t\tcontents: Array<{ uri: string; mimeType?: string; text: string }>;\n\t}> {\n\t\tconst resource = this.resources.get(uri);\n\t\tif (!resource) {\n\t\t\tthrow new Error(`Resource not found: ${uri}`);\n\t\t}\n\n\t\tlet text = \"No description provided\";\n\t\tif (typeof resource.content === \"function\") {\n\t\t\ttext = await resource.content();\n\t\t} else if (typeof resource.content === \"string\") {\n\t\t\ttext = resource.content;\n\t\t} else if (resource.description) {\n\t\t\ttext = resource.description;\n\t\t}\n\n\t\treturn {\n\t\t\tcontents: [\n\t\t\t\t{\n\t\t\t\t\turi: resource.uri,\n\t\t\t\t\tmimeType: resource.mimeType || \"text/plain\",\n\t\t\t\t\ttext,\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t}\n\n\tpublic getServerInfo(): ServerInfo {\n\t\treturn this.serverInfo;\n\t}\n\n\tpublic getMeshNode(): MeshNode | null {\n\t\treturn this.meshNode;\n\t}\n\n\t/**\n\t * Injects data into the secure sandbox context for Logic-on-Origin tools.\n\t */\n\tpublic setSandboxData(records: Record<string, unknown>[]) {\n\t\tthis.sandboxRecords = records;\n\t}\n\n\tpublic getBoundPort(): number | null {\n\t\treturn this.boundPort;\n\t}\n\n\t/**\n\t * Connects to the libp2p Kademlia DHT and announces capabilities.\n\t * Boots the gRPC server for secure Logic-on-Origin.\n\t */\n\tpublic async connectToMesh(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\tconst envPort = process.env.LIOP_GRPC_PORT\n\t\t\t? Number.parseInt(process.env.LIOP_GRPC_PORT, 10)\n\t\t\t: undefined;\n\t\tconst port = options.port ?? envPort ?? 50051;\n\n\t\t// 1. Initialize Mesh Node (Discovery)\n\t\tthis.meshNode = new MeshNode(options.meshConfig);\n\t\tawait this.meshNode.start();\n\n\t\t// 2. Register LIOP Manifest Protocol Handler\n\t\t// This allows remote peers to query our tool/resource metadata dynamically.\n\t\tconst meshNodeRef = this.meshNode;\n\t\tthis.meshNode.registerManifestHandler((): LiopManifest => {\n\t\t\tconst tools = this.listTools().map((t) => ({\n\t\t\t\tname: t.name,\n\t\t\t\tdescription: t.description,\n\t\t\t\tinputSchema: t.inputSchema as Record<string, unknown>,\n\t\t\t}));\n\n\t\t\tconst resources = Array.from(this.resources.values()).map((r) => ({\n\t\t\t\tname: r.name,\n\t\t\t\turi: r.uri,\n\t\t\t\tdescription: r.description,\n\t\t\t\tmimeType: r.mimeType,\n\t\t\t\ttext: typeof r.content === \"string\" ? r.content : r.description,\n\t\t\t}));\n\n\t\t\treturn {\n\t\t\t\tpeerId: meshNodeRef.getPeerId(),\n\t\t\t\tgrpcPort: port,\n\t\t\t\ttools,\n\t\t\t\tresources,\n\t\t\t\tserverInfo: this.serverInfo,\n\t\t\t};\n\t\t});\n\n\t\t// 3. Announce local tools to the DHT\n\t\tfor (const tool of this.listTools()) {\n\t\t\tawait this.meshNode.announceCapability(tool.name).catch(log.info);\n\t\t}\n\n\t\t// 4. Announce manifest availability\n\t\tawait this.meshNode.announceManifest().catch(log.info);\n\n\t\t// 5. Initialize gRPC Server (Execution)\n\t\tthis.rpcServer = new LiopRpcServer();\n\n\t\tthis.rpcServer.addService({\n\t\t\tnegotiateIntent: (call, callback) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`,\n\t\t\t\t);\n\n\t\t\t\t// Standard dynamic import to avoid potential circularity\n\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(async ({ Kyber768Wrapper }) => {\n\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\n\t\t\t\t\t// [SECURITY] Reset session-bound state\n\t\t\t\t\tthis.fieldQueryBudget.clear();\n\n\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t});\n\n\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\t},\n\t\t\texecuteLogic: async (\n\t\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t\t) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`,\n\t\t\t\t);\n\n\t\t\t\tconst session = this.sessions.get(request.session_token);\n\t\t\t\tif (!session) {\n\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\tdetails: \"Invalid session token\",\n\t\t\t\t\t});\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Pass to Worker Pool for PQC Decryption and WASI/V8 execution\n\t\t\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\t\t\tciphertext: request.pqc_ciphertext,\n\t\t\t\t\t\tsecretKeyObj: Array.from(session.kyber_sk),\n\t\t\t\t\t\twasmBinary: request.wasm_binary,\n\t\t\t\t\t\tinputs: request.inputs,\n\t\t\t\t\t\taesNonce: request.aes_nonce,\n\t\t\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\t\t\tsessionToken: request.session_token,\n\t\t\t\t\t\tisEncrypted: true,\n\t\t\t\t\t});\n\n\t\t\t\t\tlet finalOutput: string;\n\t\t\t\t\ttry {\n\t\t\t\t\t\tfinalOutput =\n\t\t\t\t\t\t\ttypeof workerResponse.output === \"string\"\n\t\t\t\t\t\t\t\t? workerResponse.output\n\t\t\t\t\t\t\t\t: JSON.stringify(workerResponse.output);\n\n\t\t\t\t\t\t// [PROTOCOL TRANSFORMER] Support for Proxied Tool Calls\n\t\t\t\t\t\tconst decoded = JSON.parse(finalOutput);\n\t\t\t\t\t\tif (decoded.__liop_proxy_tool) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tconst toolResult = await this.callTool({\n\t\t\t\t\t\t\t\tname: decoded.__liop_proxy_tool,\n\t\t\t\t\t\t\t\targuments: decoded.__liop_proxy_args || {},\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tfinalOutput = JSON.stringify(toolResult);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\tfinalOutput = String(workerResponse.output);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst response: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: finalOutput,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\n\t\t\t\t\t\t\tworkerResponse.image_id || \"\",\n\t\t\t\t\t\t\t\"hex\",\n\t\t\t\t\t\t),\n\t\t\t\t\t\tzk_receipt: workerResponse.zk_receipt\n\t\t\t\t\t\t\t? Buffer.from(workerResponse.zk_receipt, \"base64\")\n\t\t\t\t\t\t\t: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: false,\n\t\t\t\t\t};\n\n\t\t\t\t\t// Final PII check for gRPC egress\n\t\t\t\t\tconst violation = await this.piiScanner.scan([\n\t\t\t\t\t\t{ type: \"text\", text: finalOutput },\n\t\t\t\t\t]);\n\t\t\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(finalOutput),\n\t\t\t\t\t);\n\t\t\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller\n\t\t\t\t\t\tconst internalReason =\n\t\t\t\t\t\t\tviolation || \"Aggregation-First Policy Violation\";\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tresponse.semantic_evidence =\n\t\t\t\t\t\t\t\"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\t\t\t\t\t\tresponse.is_error = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tcall.write(response, () => {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t});\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tconst isDev =\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\";\n\n\t\t\t\t\tconst detail = e.message || String(error);\n\t\t\t\t\tlog.error(`[LIOP-RPC] Execution Error: ${detail}`);\n\n\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t? `Execution Error: ${detail}`\n\t\t\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\t\t\t// Send error response before closing, avoiding \"stream closed without results\"\n\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t};\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t});\n\t\t\t\t\t} catch (_writeErr) {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t});\n\n\t\tthis.boundPort = await this.rpcServer.listen(port);\n\t\tlog.info(\n\t\t\t`[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`,\n\t\t);\n\t}\n\n\t/**\n\t * Internal worker execution with Egress Filtering logic.\n\t */\n\tprivate async executeInWorkerPool(\n\t\t_args: Record<string, unknown>,\n\t\trawPayload: string,\n\t\ttoolName?: string,\n\t): Promise<CallToolResult> {\n\t\ttry {\n\t\t\t// [DP] Prepare Differential Privacy configuration\n\t\t\tconst dpPolicy = toolName ? this.tools.get(toolName)?.policy : undefined;\n\t\t\tconst dpConfig = dpPolicy\n\t\t\t\t? {\n\t\t\t\t\t\tepsilon: dpPolicy.dpEpsilon ?? 1.0,\n\t\t\t\t\t\tsensitivity: dpPolicy.dpSensitivity ?? 1.0,\n\t\t\t\t\t\tsmallDatasetThreshold: 50,\n\t\t\t\t\t}\n\t\t\t\t: undefined;\n\n\t\t\t// Transparent local execution without dynamic PQC\n\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\tciphertext: new Uint8Array(0),\n\t\t\t\tsecretKeyObj: Array.from(new Uint8Array(0)),\n\t\t\t\tkyberPublicKey: new Uint8Array(0),\n\t\t\t\twasmBinary: Buffer.from(rawPayload),\n\t\t\t\tinputs: {},\n\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\tsessionToken: \"local-dev-token\",\n\t\t\t\tisEncrypted: false, // Use plaintext for local Logic-on-Origin injection\n\t\t\t\tdpConfig, // Pass DP Config to apply inside worker before ZK-Receipt commitment\n\t\t\t});\n\n\t\t\t// DP is now applied directly inside the worker to ensure ZK-Receipt integrity\n\t\t\tconst dpOutput = workerResponse.output;\n\n\t\t\t// Standard MCP Content Array\n\t\t\tconst textOutput = JSON.stringify({\n\t\t\t\tcomputation_result: dpOutput,\n\t\t\t\timage_id: workerResponse.image_id,\n\t\t\t\tzk_receipt: workerResponse.zk_receipt,\n\t\t\t\tstatus: \"Worker Pool Execution Success\",\n\t\t\t});\n\n\t\t\tconst content = [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\ttext: textOutput,\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst toolPolicy = toolName\n\t\t\t\t? this.tools.get(toolName)?.policy\n\t\t\t\t: undefined;\n\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\tdpOutput, // Phase 109: Validate NOISY output to ensure invariants\n\t\t\t\ttoolPolicy,\n\t\t\t);\n\t\t\tif (policyViolation) {\n\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller in Production\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? policyViolation\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Professional PII Protection Guard\n\t\t\tconst violation = await this.piiScanner.scan(content);\n\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\tdpOutput, // Phase 109: Validate NOISY output\n\t\t\t);\n\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t// SEC-CRITICAL: Log the specific violation reason server-side only.\n\t\t\t\t// Never expose detection details (entity names, matched values) to the caller in Production.\n\t\t\t\tconst internalReason =\n\t\t\t\t\tviolation ||\n\t\t\t\t\t\"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.\";\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? `[LIOP] Egress Security Violation: ${internalReason}`\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn { content };\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\tconst detail = e.message || String(error);\n\t\t\tlog.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);\n\n\t\t\t// [OOM Hardening] Detect V8 worker termination due to heap limit\n\t\t\tconst isOom =\n\t\t\t\tdetail.includes(\"worker_thread_exited\") ||\n\t\t\t\tdetail.includes(\"ERR_WORKER_OUT_OF_MEMORY\") ||\n\t\t\t\tdetail.includes(\"terminated\") ||\n\t\t\t\tdetail.includes(\"heap limit\");\n\n\t\t\tconst errorMessage = isOom\n\t\t\t\t? \"[LIOP] Execution terminated: memory limit exceeded (64MB heap). Reduce data processing volume.\"\n\t\t\t\t: isDev\n\t\t\t\t\t? `WorkerPoolError: ${detail}`\n\t\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Safely destroys the worker pool, gRPC server, and Mesh node.\n\t * Recommended to be called during graceful shutdowns or test teardowns.\n\t */\n\tpublic async close(): Promise<void> {\n\t\tif (this.workerPool) {\n\t\t\tawait this.workerPool.close({ force: true });\n\t\t}\n\t\tif (this.rpcServer) {\n\t\t\tawait this.rpcServer.stop();\n\t\t}\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t}\n}\n"]}
package/dist/chunk-62YQHKSS.js ADDED
@@ -0,0 +1,3 @@
1
+ import {a}from'./chunk-S6RJHZV2.js';import {randomUUID}from'crypto';import {serve}from'@hono/node-server';import {Hono}from'hono';import {cors}from'hono/cors';var T=10,R=1800*1e3,y=60*1e3,f=class{constructor(e,r={}){this.options=r;this.app=new Hono,this.bridgeLogic=new p(e),this.activeSessions=new Map,this.maxSessionsPerIp=r.maxSessionsPerIp??T,this.sessionTimeoutMs=r.sessionTimeoutMs??R,this.setupRoutes();}app;httpServer=null;bridgeLogic;activeSessions;evictionTimer=null;maxSessionsPerIp;sessionTimeoutMs;async createSessionTransport(e){let{WebStandardStreamableHTTPServerTransport:r}=await import('@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js'),s=new r({sessionIdGenerator:()=>randomUUID(),onsessioninitialized:t=>{this.activeSessions.set(t,{transport:s,lastActivity:Date.now(),clientIp:e}),a.info(`[LIOP-StreamBridge] Session opened: ${t} (IP: ${e})`);}});return s.onmessage=async t=>{if(s.sessionId){let i=this.activeSessions.get(s.sessionId);i&&(i.lastActivity=Date.now());}try{let i=await this.bridgeLogic.handleJsonRpcRequest(t);i!==void 0&&await s.send(i);}catch(i){a.info("[LIOP-StreamBridge] JSON-RPC error:",i.message);}},s.onclose=()=>{s.sessionId&&(this.activeSessions.delete(s.sessionId),a.info(`[LIOP-StreamBridge] Session closed: ${s.sessionId}`));},s}countSessionsByIp(e){let r=0;for(let s of this.activeSessions.values())s.clientIp===e&&r++;return r}getClientIp(e){return e.req.header("x-forwarded-for")?.split(",")[0]?.trim()||e.req.header("x-real-ip")||"unknown"}evictIdleSessions(){let e=Date.now();for(let[r,s]of this.activeSessions)e-s.lastActivity>this.sessionTimeoutMs&&(a.info(`[LIOP-StreamBridge] Evicting idle session: ${r}`),s.transport.close().catch(()=>{}),this.activeSessions.delete(r));}setupRoutes(){this.app.use("*",cors()),process.env.ZERO_TRUST_TOKEN||(process.env.ZERO_TRUST_TOKEN=randomUUID(),a.info("=".repeat(60)),a.info("\u26A0\uFE0F STRICT ZERO-TRUST MODE ENABLED \u26A0\uFE0F"),a.info("No ZERO_TRUST_TOKEN found in environment."),a.info("A secure ephemeral token has been generated for this session:"),a.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`),a.info("=".repeat(60))),this.app.use("/mcp",async(e,r)=>{let s=e.req.header("Authorization"),t=process.env.ZERO_TRUST_TOKEN;if(!s?.startsWith("Bearer ")||s.split(" ")[1]!==t)return a.info("[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token."),e.json({error:"Unauthorized: LIOP Zero-Trust Policy Enforced"},401);await r();}),this.app.all("/mcp",async e=>{let r=e.req.header("mcp-session-id");if(r){let o=this.activeSessions.get(r);if(!o)return e.json({error:"Session not found"},404);o.lastActivity=Date.now();let c=await o.transport.handleRequest(e.req.raw);return e.req.method==="DELETE"&&(this.activeSessions.delete(r),a.info(`[LIOP-StreamBridge] Session closed (DELETE): ${r}`)),c}let s=this.getClientIp(e),t=this.countSessionsByIp(s);return t>=this.maxSessionsPerIp?(a.info(`[LIOP-StreamBridge] Rate limit hit for IP: ${s} (${t} sessions)`),e.json({error:"Too Many Sessions: Rate limit exceeded"},429)):await(await this.createSessionTransport(s)).handleRequest(e.req.raw)});}async start(e){let r=e??this.options.port??3e3;return this.evictionTimer=setInterval(()=>this.evictIdleSessions(),y),new Promise(s=>{this.httpServer=serve({fetch:this.app.fetch,port:r},t=>{a.info(`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${t.port}/mcp`),s();});})}async stop(){this.evictionTimer&&(clearInterval(this.evictionTimer),this.evictionTimer=null);for(let[e,r]of this.activeSessions)await r.transport.close(),this.activeSessions.delete(e);this.httpServer&&(this.httpServer.close(),a.info("[LIOP-StreamBridge] HTTP ports released."));}};var p=class{constructor(e,r={}){this.options=r;e?.constructor?.name==="LiopServer"?(this.liopServer=e,a.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)")):e?.constructor?.name==="McpServer"?(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)")):(this.legacyMcpServer=e,a.info("[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)"));}liopServer=null;legacyMcpServer=null;async handleJsonRpcRequest(e){let r=e.id,s=e.method,t=e.params;return e.jsonrpc!=="2.0"?this.errorResponse(r,-32600,"Invalid Request"):this.liopServer?this.handleLiopToMcp(r,s,t):this.legacyMcpServer&&this.liopServer?this.handleLiopToMcp(r,s,t):this.errorResponse(r,-32601,"Bridge source not configured")}async handleLiopToMcp(e,r,s){if(!this.liopServer)return null;if(r==="initialize")return this.successResponse(e,{protocolVersion:"2025-11-25",capabilities:{prompts:{},resources:{},tools:{}},serverInfo:this.liopServer.getServerInfo()});if(r!=="notifications/initialized"){if(r==="ping")return this.successResponse(e,{});if(r==="tools/list"){let t=this.liopServer.listTools();return this.successResponse(e,{tools:t})}if(r==="resources/list"){let t=this.liopServer.listResources();return this.successResponse(e,{resources:t})}if(r==="prompts/list"){let t=this.liopServer.listPrompts();return this.successResponse(e,{prompts:t})}if(r==="prompts/get"){if(!s?.name)return this.errorResponse(e,-32602,"Missing prompt name");try{let t=await this.liopServer.getPrompt({name:s.name,arguments:s.arguments});return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="resources/read"){if(!s?.uri)return this.errorResponse(e,-32602,"Missing resource URI");try{let t=await this.liopServer.readResource(s.uri);return this.successResponse(e,t)}catch(t){return this.errorResponse(e,-32e3,t.message)}}if(r==="tools/call"){if(!s?.name)return this.errorResponse(e,-32602,"Missing tool name");let t={name:s.name,arguments:s.arguments||{}};try{let i=await this.liopServer.callTool(t);return await this.verifyZkReceipt(t,i)?this.successResponse(e,i):this.successResponse(e,{content:[{type:"text",text:"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload."}],isError:!0})}catch(i){return this.errorResponse(e,-32e3,i.message)}}return this.errorResponse(e,-32601,"Method not found")}}successResponse(e,r){return {jsonrpc:"2.0",id:e,result:r}}errorResponse(e,r,s){return {jsonrpc:"2.0",id:e,error:{code:r,message:s}}}async verifyZkReceipt(e,r){if(!e.arguments?.payload||typeof e.arguments.payload!="string")return true;try{let s=e.arguments.payload,t=r.content[0]?.text;if(t&&typeof t=="string")try{let i=JSON.parse(t);if(i.image_id||i.zk_receipt){let{LiopVerifier:o}=await import('./verifier-RQRYXA4C.js');if(!await new o().verifyZkReceipt(Buffer.from(s,"utf-8"),i.image_id,Buffer.from(i.zk_receipt||"","base64")))return !1;i.audit_status="VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge",r.content[0].text=JSON.stringify(i);}}catch{}return !0}catch(s){return a.info("[LIOP-Bridge] ZK-Verifier Failure:",s),false}}async connect(){if(this.legacyMcpServer){let{LiopServer:t}=await import('./server.js');if(this.liopServer=new t(this.options.serverInfo||{name:"liop-bridge",version:"1.0.0"},{security:this.options.security}),this.options.publishToMesh){await this.liopServer.connect();let i=this.legacyMcpServer;if(i._registeredTools)for(let[o,c]of Object.entries(i._registeredTools)){let a=c;this.liopServer.tool(o,a.description||"",a.inputSchema||{},async l=>await a.handler(l));}if(i._registeredResources)for(let[o,c]of Object.entries(i._registeredResources)){let a=c;this.liopServer.resource(a.name,o,a.metadata?.description||"",a.metadata?.mimeType||"application/octet-stream",async()=>(await a.readCallback(new URL(o))).contents[0].text);}}return}let r=(await import('readline')).createInterface({input:process.stdin,output:process.stdout,terminal:false}),s=async()=>{a.info("[LIOP-Bridge] Disconnecting session..."),this.liopServer&&await this.liopServer.close(),process.exit(0);};r.on("close",s),process.on("SIGINT",s),process.on("SIGTERM",s),r.on("line",async t=>{if(t.trim())try{let i=JSON.parse(t),o=await this.handleJsonRpcRequest(i);o&&process.stdout.write(`${JSON.stringify(o)}
2
+ `);}catch(i){a.error(`[LIOP-Bridge] Error: ${i.message}`);}});}};export{f as a,p as b};//# sourceMappingURL=chunk-62YQHKSS.js.map
3
+ //# sourceMappingURL=chunk-62YQHKSS.js.map