@nekzus/liop 2.0.0-alpha.1 → 2.0.0-alpha.3
- package/README.md +30 -20
- package/dist/bin/agent.d.ts +0 -1
- package/dist/bin/agent.js +5 -306
- package/dist/bin/agent.js.map +1 -0
- package/dist/{bridge/stream.d.ts → bridge.d.ts} +44 -3
- package/dist/bridge.js +2 -0
- package/dist/bridge.js.map +1 -0
- package/dist/chunk-7MAGL6ON.js +33 -0
- package/dist/chunk-7MAGL6ON.js.map +1 -0
- package/dist/chunk-ANFXJGMP.js +2 -0
- package/dist/chunk-ANFXJGMP.js.map +1 -0
- package/dist/chunk-DBXGYHKY.js +2 -0
- package/dist/chunk-DBXGYHKY.js.map +1 -0
- package/dist/chunk-FW6CICSY.js +29 -0
- package/dist/chunk-FW6CICSY.js.map +1 -0
- package/dist/chunk-HM77MWB6.js +2 -0
- package/dist/chunk-HM77MWB6.js.map +1 -0
- package/dist/chunk-HNDVAKEK.js +24 -0
- package/dist/chunk-HNDVAKEK.js.map +1 -0
- package/dist/chunk-HQZHZM6U.js +2 -0
- package/dist/chunk-HQZHZM6U.js.map +1 -0
- package/dist/chunk-JBMEAXYU.js +13 -0
- package/dist/chunk-JBMEAXYU.js.map +1 -0
- package/dist/chunk-LYULZHZO.js +3 -0
- package/dist/chunk-LYULZHZO.js.map +1 -0
- package/dist/chunk-P52IE4L6.js +2 -0
- package/dist/chunk-P52IE4L6.js.map +1 -0
- package/dist/chunk-PPCOS2NU.js +2 -0
- package/dist/chunk-PPCOS2NU.js.map +1 -0
- package/dist/chunk-RWRRBYG4.js +2 -0
- package/dist/chunk-RWRRBYG4.js.map +1 -0
- package/dist/chunk-S6RJHZV2.js +2 -0
- package/dist/chunk-S6RJHZV2.js.map +1 -0
- package/dist/chunk-UVTEJYHN.js +2 -0
- package/dist/chunk-UVTEJYHN.js.map +1 -0
- package/dist/client.d.ts +5 -0
- package/dist/client.js +2 -0
- package/dist/client.js.map +1 -0
- package/dist/{gateway/router.d.ts → gateway.d.ts} +30 -5
- package/dist/gateway.js +2 -0
- package/dist/gateway.js.map +1 -0
- package/dist/{client/index.d.ts → index-CyxNLlz7.d.ts} +24 -5
- package/dist/index.d.ts +313 -12
- package/dist/index.js +31 -12
- package/dist/index.js.map +1 -0
- package/dist/kyber-2WDOTUQX.js +2 -0
- package/dist/kyber-2WDOTUQX.js.map +1 -0
- package/dist/{mesh/node.d.ts → mesh.d.ts} +5 -3
- package/dist/mesh.js +2 -0
- package/dist/mesh.js.map +1 -0
- package/dist/{server/index.d.ts → server.d.ts} +125 -12
- package/dist/server.js +2 -0
- package/dist/server.js.map +1 -0
- package/dist/types.d.ts +17 -14
- package/dist/types.js +2 -26
- package/dist/types.js.map +1 -0
- package/dist/{crypto/verifier.d.ts → verifier-DTCD9imJ.d.ts} +3 -1
- package/dist/verifier-RQRYXA4C.js +2 -0
- package/dist/verifier-RQRYXA4C.js.map +1 -0
- package/dist/workers/logic-execution.d.ts +4 -2
- package/dist/workers/logic-execution.js +2 -123
- package/dist/workers/logic-execution.js.map +1 -0
- package/dist/workers/zk-verifier.d.ts +4 -2
- package/dist/workers/zk-verifier.js +2 -98
- package/dist/workers/zk-verifier.js.map +1 -0
- package/package.json +32 -19
- package/dist/bridge/index.d.ts +0 -37
- package/dist/bridge/index.js +0 -249
- package/dist/bridge/stream.js +0 -210
- package/dist/client/index.js +0 -275
- package/dist/crypto/logic-image-id.d.ts +0 -3
- package/dist/crypto/logic-image-id.js +0 -27
- package/dist/crypto/verifier.js +0 -97
- package/dist/economy/estimator.d.ts +0 -53
- package/dist/economy/estimator.js +0 -69
- package/dist/economy/index.d.ts +0 -5
- package/dist/economy/index.js +0 -3
- package/dist/economy/otel.d.ts +0 -38
- package/dist/economy/otel.js +0 -100
- package/dist/economy/telemetry.d.ts +0 -77
- package/dist/economy/telemetry.js +0 -224
- package/dist/errors.d.ts +0 -14
- package/dist/errors.js +0 -19
- package/dist/gateway/hybrid.d.ts +0 -23
- package/dist/gateway/hybrid.js +0 -199
- package/dist/gateway/router.js +0 -1054
- package/dist/mesh/index.d.ts +0 -1
- package/dist/mesh/index.js +0 -1
- package/dist/mesh/node.js +0 -853
- package/dist/prompts/adapters.d.ts +0 -16
- package/dist/prompts/adapters.js +0 -55
- package/dist/rpc/client.d.ts +0 -22
- package/dist/rpc/client.js +0 -40
- package/dist/rpc/codec/lpm.d.ts +0 -20
- package/dist/rpc/codec/lpm.js +0 -36
- package/dist/rpc/crypto/aes.d.ts +0 -22
- package/dist/rpc/crypto/aes.js +0 -47
- package/dist/rpc/crypto/kyber.d.ts +0 -27
- package/dist/rpc/crypto/kyber.js +0 -70
- package/dist/rpc/proto.d.ts +0 -2
- package/dist/rpc/proto.js +0 -33
- package/dist/rpc/server.d.ts +0 -13
- package/dist/rpc/server.js +0 -50
- package/dist/rpc/tls.d.ts +0 -26
- package/dist/rpc/tls.js +0 -54
- package/dist/rpc/types.d.ts +0 -28
- package/dist/rpc/types.js +0 -5
- package/dist/sandbox/guardian.d.ts +0 -18
- package/dist/sandbox/guardian.js +0 -58
- package/dist/sandbox/wasi.d.ts +0 -36
- package/dist/sandbox/wasi.js +0 -233
- package/dist/security/guardian.d.ts +0 -22
- package/dist/security/guardian.js +0 -52
- package/dist/security/zk.d.ts +0 -37
- package/dist/security/zk.js +0 -76
- package/dist/server/index.js +0 -1047
- package/dist/server/ner-scanner.d.ts +0 -29
- package/dist/server/ner-scanner.js +0 -141
- package/dist/server/pii.d.ts +0 -66
- package/dist/server/pii.js +0 -428
- package/dist/utils/logger.d.ts +0 -21
- package/dist/utils/logger.js +0 -70
- package/dist/utils/mcpCompact.d.ts +0 -11
- package/dist/utils/mcpCompact.js +0 -29
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/rpc/server.ts","../src/security/taint-analyzer.ts","../src/server/ner-scanner.ts","../src/server/pii.ts","../src/server/index.ts"],"names":["GRPC_CHANNEL_OPTIONS","LiopRpcServer","handlers","liopV1","port","tls","credentials","createServerCredentials","resolve","reject","error","assignedPort","log","TaintAnalyzer","_TaintAnalyzer","piiFields","f","sourceCode","ast","wrapped","recordBoundVars","taintedVars","simple","node","member","methodName","callback","fn","param","recordParam","declarator","iteration","sizeBefore","callee","arg","violation","line","operation","bin","unary","cond","prop","el","expr","spread","propName","parentMember","litVal","call","fnName","scopedRecordVars","scopedTaintedVars","recordParamIndex","hasTaintedReturn","returnVisitors","val","name","obj","MEDICAL_VOCABULARY","MIN_TEXT_LENGTH","NON_TEXT_PATTERN","NerScanner","_NerScanner","mod","text","doc","entities","people","person","trimmed","places","place","orgs","org","input","seen","values","allEntities","value","result","e","isLuhnValid","cardNumber","digits","sum","isEven","digit","isIbanValid","iban","sanitized","rearranged","numericString","charCode","PII_PATTERNS","match","p","area","PII_PRESETS","PiiScanner","_PiiScanner","patterns","forbiddenKeys","nerScanner","k","token","parsed","patternViolation","nerResult","personEntity","element","key","fuzzyViolation","normalized","pattern","rule","def","matchedText","__dirname","path","fileURLToPath","LiopServer","_LiopServer","serverInfo","config","rlConfig","isTS","workerExt","execArgv","tsxPkg","createRequire","pathToFileURL","isTest","workerPaths","workerFilename","Piscina","FixedQueue","payload","compact","_toolName","logic","policy","taintViolation","toolName","output","schemaResult","z","i","rec","texts","part","t","joined","policyObj","recordsCount","maxRows","allowPrimitives","item","keys","v","lines","schema","depth","schemaType","properties","items","propType","nested","options","description","shape",
"handler","generatedSchema","zodToJsonSchema","finalDescription","finalHandler","blockedKeys","schemaDigest","args","_extra","clientId","now","stats","payloadValue","bypassCache","payloadHash","crypto","cached","preflightReason","inputSchema","err","_request","uri","mimeType","content","entry","windowMs","maxPerWindow","active","retryAfterSec","maxGlobal","request","globalLimitResult","rateLimitResult","parsedArgs","resource","records","envPort","MeshNode","meshNodeRef","tools","resources","r","tool","Kyber768Wrapper","publicKey","secretKey","sessionToken","session","q","workerResponse","finalOutput","decoded","toolResult","response","Buffer","aggregationViolation","internalReason","isDev","detail","errorResponse","_args","rawPayload","toolPolicy","policyViolation"],"mappings":"qfAiBA,IAAMA,CAAAA,CAAuB,CAC5B,wBAAA,CAA0B,GAAA,CAC1B,2BAAA,CAA6B,GAAA,CAC7B,qCAAA,CAAuC,CAAA,CACvC,8BAAA,CAAgC,EAAA,CAChC,iCAAA,CAAmC,EAAA,CACnC,qBAAA,CAAuB,CACxB,CAAA,CAEaC,CAAAA,CAAN,KAAoB,CAClB,OAER,WAAA,EAAc,CACb,IAAA,CAAK,MAAA,CAAS,IAAS,CAAA,CAAA,MAAA,CAAOD,CAAoB,EACnD,CAEO,UAAA,CAAWE,CAAAA,CAQT,CACR,IAAA,CAAK,MAAA,CAAO,UAAA,CAAWC,CAAAA,CAAO,SAAA,CAAU,OAAA,CAAS,CAChD,eAAA,CAAiBD,CAAAA,CAAS,eAAA,CAC1B,YAAA,CAAcA,CAAAA,CAAS,YACxB,CAAC,EACF,CAEA,MAAa,MAAA,CACZE,CAAAA,CAAe,KAAA,CACfC,EACkB,CAClB,IAAMC,CAAAA,CAAcC,CAAAA,CAAwBF,CAAG,CAAA,CAC/C,OAAO,IAAI,OAAA,CAAQ,CAACG,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,MAAA,CAAO,SAAA,CACX,WAAWL,CAAI,CAAA,CAAA,CACfE,CAAAA,CACA,CAACI,CAAAA,CAAOC,CAAAA,GAAiB,CACxB,GAAID,CAAAA,CAAO,CACVD,CAAAA,CAAOC,CAAK,CAAA,CACZ,MACD,CACAE,GAAAA,CAAI,KAAK,CAAA,oCAAA,EAAuCD,CAAY,CAAA,CAAE,CAAA,CAC9DH,CAAAA,CAAQG,CAAY,EACrB,CACD,EACD,CAAC,CACF,CAEA,MAAa,IAAA,EAAsB,CAClC,OAAO,IAAI,OAAA,CAASH,CAAAA,EAAY,CAC/B,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,IAAM,CAC7BI,GAAAA,CAAI,IAAA,CAAK,6BAA6B,CAAA,CACtCJ,CAAAA,GACD,CAAC,EACF,CAAC,CACF,CACD,ECtCO,IAAMK,CAAAA,CAAN,MAAMC,CAAc,CACT,SAAA,CAGjB,OAAwB,yBAAA,CAA4B,IAAI,GAAA,CAAI,CAE3D,YAAA,CACA,aAAA,CACA,QAAA,CACA,IAAA,CAEA,SAAA,CACA,aAAA,CACA,QAAA,
CAEA,eAAA,CACA,YAAA,CACA,UAAA,CACA,WAEA,WAAA,CACA,OAAA,CACA,QAAA,CACA,OAAA,CACA,OAAA,CACA,UAAA,CACA,SAAA,CACA,YAAA,CACA,WAAA,CACA,aAAA,CACA,aAAA,CACA,MAAA,CACA,WAAA,CACA,SAAA,CACA,UAAA,CACA,QAAA,CACA,QACD,CAAC,CAAA,CAGD,OAAwB,sBAAA,CAAyB,IAAI,GAAA,CAAI,CACxD,KAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,MAAA,CACA,OAAA,CACA,SAAA,CACA,WACD,CAAC,CAAA,CAGD,OAAwB,cAAA,CAAiB,IAAI,GAAA,CAAI,CAAC,QAAA,CAAU,aAAa,CAAC,CAAA,CAE1E,WAAA,CAAYC,CAAAA,CAAqB,CAChC,IAAA,CAAK,SAAA,CAAY,IAAI,IAAIA,CAAAA,CAAU,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,WAAA,EAAa,CAAC,EAC/D,CAQA,OAAA,CAAQC,CAAAA,CAA2C,CAClD,IAAIC,CAAAA,CACJ,GAAI,CAEH,IAAMC,CAAAA,CAAU,CAAA;AAAA,EAA0CF,CAAU;AAAA,CAAA,CAAA,CACpEC,CAAAA,CAAY,QAAMC,CAAAA,CAAS,CAC1B,YAAa,IAAA,CACb,UAAA,CAAY,SACZ,SAAA,CAAW,CAAA,CACZ,CAAC,EACF,CAAA,KAAQ,CAEP,OAAO,IACR,CAEA,IAAMC,CAAAA,CAAkB,IAAI,GAAA,CACtBC,CAAAA,CAAc,IAAI,GAAA,CAGxB,OAAA,IAAA,CAAK,wBAAwBH,CAAAA,CAAKE,CAAe,EAGjD,IAAA,CAAK,cAAA,CAAeF,EAAKE,CAAAA,CAAiBC,CAAW,EAG9C,IAAA,CAAK,qBAAA,CAAsBH,EAAKE,CAAAA,CAAiBC,CAAW,CACpE,CAIQ,uBAAA,CACPH,EACAE,CAAAA,CACO,CAyDPE,OAAOJ,CAAAA,CAxDgC,CACtC,eAAiBK,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,OAE7C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,OACdE,CAAAA,CAAa,IAAA,CAAK,gBAAgBD,CAAM,CAAA,CAI9C,GAHI,CAACC,CAAAA,EAGD,CAAC,IAAA,CAAK,kBAAA,CAAmBD,EAAO,MAAM,CAAA,CAAG,OAE7C,IAAME,CAAAA,CAAWH,EAAK,SAAA,CAAU,CAAC,EACjC,GAAKG,CAAAA,GAGJA,EAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,GAAS,oBAAA,CAAA,CACjB,CACD,IAAMC,CAAAA,CAAKD,CAAAA,CAEX,GACCZ,CAAAA,CAAc,sBAAA,CAAuB,IAAIW,CAAU,CAAA,EACnDE,EAAG,MAAA,CAAO,MAAA,CAAS,EAClB,CACD,IAAMC,EAAQD,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CACrBC,CAAAA,CAAM,OAAS,YAAA,EAClBR,CAAAA,CAAgB,IAAIQ,CAAAA,CAAM,IAAI,EAEhC,CAEA,GACCd,EAAc,cAAA,CAAe,GAAA,CAAIW,CAAU,CAAA,EAC3CE,CAAAA,CAAG,OAAO,MAAA,CAAS,CAAA,CAClB,CACD,IAAME,CAAAA,CAAcF,EAAG,MAAA,CAAO,CAAC,EAC3BE,CAAAA,CAAY,IAAA,GAAS,cACxBT,CAAAA,CAAgB,GAAA,CAAIS,EAAY,IAAI,EAEtC,CACD,CACD,CAAA,CAGA,eAAiBN,CAAAA,EAAS,CACzB,GAAK,IAAA,CAAK,kBAAA,CAAmBA,EAAK,KAAK,CAAA,EAEnCA,EAAK,IAAA,CAAK,IAAA,GAAS,sBACtB,IAAA,IA
AWO,CAAAA,IAAcP,EAAK,IAAA,CAAK,YAAA,CAC9BO,EAAW,EAAA,CAAG,IAAA,GAAS,cAC1BV,CAAAA,CAAgB,GAAA,CAAIU,EAAW,EAAA,CAAG,IAAI,EAI1C,CACD,CAEoB,EAmBpBR,MAAAA,CAAOJ,CAAAA,CAhBqC,CAC3C,kBAAA,CAAqBK,CAAAA,EAAS,CAC7B,GAAI,EAAA,CAACA,CAAAA,CAAK,IAAA,EAAQA,CAAAA,CAAK,EAAA,CAAG,OAAS,YAAA,CAAA,EAGlCA,CAAAA,CAAK,KAAK,IAAA,GAAS,kBAAA,EAClBA,EAAK,IAAA,CAAgC,QAAA,CACrC,CACD,IAAMC,CAAAA,CAASD,EAAK,IAAA,CAChB,IAAA,CAAK,mBAAmBC,CAAAA,CAAO,MAAM,GACxCJ,CAAAA,CAAgB,GAAA,CAAIG,EAAK,EAAA,CAAG,IAAI,EAElC,CACD,CACD,CAEyB,EAC1B,CAIQ,eACPL,CAAAA,CACAE,CAAAA,CACAC,EACO,CAGP,IAAA,IAASU,EAAY,CAAA,CAAGA,CAAAA,CAAY,EAAGA,CAAAA,EAAAA,CAAa,CACnD,IAAMC,CAAAA,CAAaX,CAAAA,CAAY,KA8C/B,GAHAC,MAAAA,CAAOJ,EAzCgC,CACtC,kBAAA,CAAqBK,GAAS,CACzB,CAACA,EAAK,IAAA,EAAQA,CAAAA,CAAK,GAAG,IAAA,GAAS,YAAA,EAGlC,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,KAAMH,CAAAA,CAAiBC,CAAW,GAEhEA,CAAAA,CAAY,GAAA,CAAIE,EAAK,EAAA,CAAG,IAAI,EAE9B,CAAA,CAEA,oBAAA,CAAuBA,GAAS,CAC3BA,CAAAA,CAAK,KAAK,IAAA,GAAS,YAAA,EAGtB,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,MAAOH,CAAAA,CAAiBC,CAAW,GAEjEA,CAAAA,CAAY,GAAA,CAAKE,EAAK,IAAA,CAA0B,IAAI,EAEtD,CAAA,CAIA,cAAA,CAAiBA,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,OAE7C,IAAMU,CAAAA,CAASV,EAAK,MAAA,CACD,IAAA,CAAK,gBAAgBU,CAAM,CAAA,GAG9B,QACfA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBV,CAAAA,CAAK,UAAU,IAAA,CAAMW,CAAAA,EACpB,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,EAAiBC,CAAW,CAC3D,GAEAA,CAAAA,CAAY,GAAA,CAAKY,EAAO,MAAA,CAA4B,IAAI,EAE1D,CACD,CAEoB,EAGhBZ,CAAAA,CAAY,IAAA,GAASW,EAAY,KACtC,CACD,CAIQ,qBAAA,CACPd,CAAAA,CACAE,EACAC,CAAAA,CACwB,CACxB,IAAIc,CAAAA,CAAmC,IAAA,CA+BvC,OAAAb,MAAAA,CAAOJ,CAAAA,CA7BgC,CACtC,eAAA,CAAkBK,CAAAA,EAAS,CAC1B,GAAI,CAAAY,GAECZ,CAAAA,CAAK,QAAA,EAGT,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,SAAUH,CAAAA,CAAiBC,CAAW,EACnE,CACD,IAAMe,EAAOb,CAAAA,CAAK,GAAA,EAAK,MAAM,IAAA,CAC1BA,CAAAA,CAAK,IAAI,KAAA,CAAM,IAAA,CAAO,EACtB,MAAA,CACGc,CAAAA,CAAY,KAAK,mBAAA,CACtBd,CAAAA,CAAK,SACLH,CAAAA,CACAC,CACD,CAAA,CACAc,CAAAA,CAAY,CACX,MAAA,CACC,qFACGE,CAAAA,CAAY,CAAA,WAAA,EAAcA,CAAS,CAAA,EAAA,CAAA,CAAO,EAAE,yEAEhD,IAAA,CAAAD,CAAAA,CACA,UA
AAC,CACD,EACD,CACD,CACD,CAEoB,EAEbF,CACR,CAQQ,oBACPZ,CAAAA,CACAH,CAAAA,CACAC,EACU,CACV,OAAQE,EAAK,IAAA,EACZ,KAAK,YAAA,CACJ,OAAOF,EAAY,GAAA,CAAKE,CAAAA,CAA0B,IAAI,CAAA,CAEvD,KAAK,mBACJ,OAAO,IAAA,CAAK,oBACXA,CAAAA,CACAH,CAAAA,CACAC,CACD,CAAA,CAED,KAAK,iBACJ,OAAO,IAAA,CAAK,kBACXE,CAAAA,CACAH,CAAAA,CACAC,CACD,CAAA,CAED,KAAK,mBACL,KAAK,mBAAA,CAAqB,CACzB,IAAMiB,CAAAA,CAAMf,EACZ,OACC,IAAA,CAAK,oBAAoBe,CAAAA,CAAI,IAAA,CAAMlB,EAAiBC,CAAW,CAAA,EAC/D,KAAK,mBAAA,CAAoBiB,CAAAA,CAAI,MAAOlB,CAAAA,CAAiBC,CAAW,CAElE,CAEA,KAAK,kBAAmB,CACvB,IAAMkB,EAAQhB,CAAAA,CACd,OAAO,KAAK,mBAAA,CACXgB,CAAAA,CAAM,SACNnB,CAAAA,CACAC,CACD,CACD,CAEA,KAAK,uBAAA,CAAyB,CAC7B,IAAMmB,CAAAA,CAAOjB,EAEb,OACC,IAAA,CAAK,oBAAoBiB,CAAAA,CAAK,IAAA,CAAMpB,EAAiBC,CAAW,CAAA,EAChE,KAAK,mBAAA,CACJmB,CAAAA,CAAK,WACLpB,CAAAA,CACAC,CACD,GACA,IAAA,CAAK,mBAAA,CAAoBmB,EAAK,SAAA,CAAWpB,CAAAA,CAAiBC,CAAW,CAEvE,CAEA,KAAK,kBAAA,CAEJ,OADYE,EACD,UAAA,CAAW,IAAA,CACpBkB,GACAA,CAAAA,CAAK,IAAA,GAAS,YACd,IAAA,CAAK,mBAAA,CAAoBA,EAAK,KAAA,CAAOrB,CAAAA,CAAiBC,CAAW,CACnE,CAAA,CAGD,KAAK,iBAAA,CAEJ,OADYE,EACD,QAAA,CAAS,IAAA,CAClBmB,GACAA,CAAAA,GAAO,IAAA,EACP,KAAK,mBAAA,CAAoBA,CAAAA,CAAItB,EAAiBC,CAAW,CAC3D,EAGD,KAAK,iBAAA,CAEJ,OADaE,CAAAA,CACD,WAAA,CAAY,KAAMoB,CAAAA,EAC7B,IAAA,CAAK,oBAAoBA,CAAAA,CAAMvB,CAAAA,CAAiBC,CAAW,CAC5D,CAAA,CAGD,KAAK,eAAA,CAAiB,CACrB,IAAMuB,CAAAA,CAASrB,CAAAA,CACf,OAAO,IAAA,CAAK,mBAAA,CACXqB,EAAO,QAAA,CACPxB,CAAAA,CACAC,CACD,CACD,CAEA,QAEC,OAAO,MACT,CACD,CAMQ,mBAAA,CACPG,CAAAA,CACAJ,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMwB,CAAAA,CAAW,IAAA,CAAK,gBAAgBrB,CAAM,CAAA,CAG5C,GACCA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBJ,CAAAA,CAAgB,IAAKI,CAAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,EAC5DqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EAEzC,OAAO,KAAA,CAKR,GACCrB,CAAAA,CAAO,MAAA,CAAO,OAAS,kBAAA,EACvBqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EACxC,CACD,IAAMC,EAAetB,CAAAA,CAAO,MAAA,CAC5B,GACCsB,CAAAA,CAAa,QAAA,EACb,KAAK,kBAAA,CAAmBA,CAAAA,CAAa,MAAM,CAAA,CAE3C,OAAO,KAET,CAIA,GAAI,KAAK,mBAAA,CAAoBtB,CAAAA,CAAO,OAAQJ,CAAAA,CAAiBC,CA
AW,EACvE,OAAO,KAAA,CAKR,GACCG,CAAAA,CAAO,QAAA,EACPA,EAAO,MAAA,CAAO,IAAA,GAAS,cACvBJ,CAAAA,CAAgB,GAAA,CAAKI,EAAO,MAAA,CAA4B,IAAI,GAIxDA,CAAAA,CAAO,QAAA,CAAS,OAAS,SAAA,CAAW,CACvC,IAAMuB,CAAAA,CAAUvB,CAAAA,CAAO,SAA2B,KAAA,CAClD,GACC,OAAOuB,CAAAA,EAAW,QAAA,EAClB,IAAA,CAAK,SAAA,CAAU,GAAA,CAAIA,CAAAA,CAAO,aAAa,CAAA,CAEvC,OAAO,KAET,CAGD,OAAO,MACR,CAMQ,kBACPC,CAAAA,CACA5B,CAAAA,CACAC,EACU,CAEV,GAAI2B,EAAK,MAAA,CAAO,IAAA,GAAS,mBAAoB,CAC5C,IAAMf,EAASe,CAAAA,CAAK,MAAA,CACdvB,EAAa,IAAA,CAAK,eAAA,CAAgBQ,CAAM,CAAA,CAG9C,GACCR,GACAX,CAAAA,CAAc,yBAAA,CAA0B,IAAIW,CAAU,CAAA,EACtD,KAAK,mBAAA,CAAoBQ,CAAAA,CAAO,OAAQb,CAAAA,CAAiBC,CAAW,EAEpE,OAAO,KAAA,CAIR,GAAI,IAAA,CAAK,kBAAA,CAAmBY,EAAO,MAAM,CAAA,EAAKe,EAAK,SAAA,CAAU,CAAC,EAAG,CAChE,IAAMtB,EAAWsB,CAAAA,CAAK,SAAA,CAAU,CAAC,CAAA,CACjC,GACCtB,EAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,GAAS,oBAAA,CAElB,OAAO,IAAA,CAAK,wBAAA,CACXA,EACAD,CAAAA,CACAL,CAAAA,CACAC,CACD,CAEF,CAYA,GAPC,IAAA,CAAK,mBAAA,CAAoBY,EAAO,MAAA,CAAQb,CAAAA,CAAiBC,CAAW,CAAA,EAQpE2B,CAAAA,CAAK,UAAU,IAAA,CAAMd,CAAAA,EACpB,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,CAEA,OAAO,KAET,CAKA,GAAI2B,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,CAC5C,IAAMf,CAAAA,CAASe,CAAAA,CAAK,OACD,IAAA,CAAK,eAAA,CAAgBf,CAAM,CAAA,GAE9B,MAAA,EACfA,EAAO,MAAA,CAAO,IAAA,GAAS,cACvBe,CAAAA,CAAK,SAAA,CAAU,KAAMd,CAAAA,EACpB,IAAA,CAAK,oBAAoBA,CAAAA,CAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,EAGAA,EAAY,GAAA,CAAKY,CAAAA,CAAO,OAA4B,IAAI,EAE1D,CAKA,GAAIe,CAAAA,CAAK,OAAO,IAAA,GAAS,YAAA,CAAc,CACtC,IAAMC,CAAAA,CAAUD,EAAK,MAAA,CAA4B,IAAA,CAUjD,GAAI,CARiB,IAAI,IAAI,CAC5B,MAAA,CACA,SACA,UAAA,CACA,YAAA,CACA,QACA,UACD,CAAC,EACiB,GAAA,CAAIC,CAAM,EAC3B,OAAOD,CAAAA,CAAK,UAAU,IAAA,CAAMd,CAAAA,EAC3B,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,EAAiBC,CAAW,CAC3D,CAEF,CAEA,OAAO,MACR,CAMQ,wBAAA,CACPK,EACAD,CAAAA,CACAL,CAAAA,CACAC,EACU,CAEV,IAAM6B,EAAmB,IAAI,GAAA,CAAI9B,CAAe,CAAA,CAC1C+B,CAAAA,CAAoB,IAAI,IAAI9B,CAAW,CAAA,CAE7C,GAAIK,CAAAA,CAAS,MAAA,CAAO,OAAS,CAAA,CAAG,CAG/B,IAAM0B,CAAAA,CADL3B,CAAAA,GAAe,MAAQX,CAAAA,CAAc,cAAA,CAAe,IAAIW,CAAU,CAAA,CA
C/B,EAAI,CAAA,CAGvCC,CAAAA,CAAS,OAAO,MAAA,CAAS0B,CAAAA,EACzB1B,EAAS,MAAA,CAAO0B,CAAgB,EAAE,IAAA,GAAS,YAAA,EAE3CF,EAAiB,GAAA,CACfxB,CAAAA,CAAS,OAAO0B,CAAgB,CAAA,CAAuB,IACzD,EAEF,CAGA,GACC1B,CAAAA,CAAS,IAAA,GAAS,2BAClBA,CAAAA,CAAS,IAAA,CAAK,OAAS,gBAAA,CAEvB,OAAO,KAAK,mBAAA,CACXA,CAAAA,CAAS,KACTwB,CAAAA,CACAC,CACD,EAID,IAAIE,CAAAA,CAAmB,MACjBC,CAAAA,CAAuC,CAC5C,gBAAkB/B,CAAAA,EAAS,CAEzBA,EAAK,QAAA,EACL,IAAA,CAAK,oBACJA,CAAAA,CAAK,QAAA,CACL2B,EACAC,CACD,CAAA,GAEAE,EAAmB,IAAA,EAErB,CACD,EAEA,OAAA/B,MAAAA,CAAOI,EAAS,IAAA,CAAoB4B,CAAc,EAE3CD,CACR,CAKQ,gBAAgB7B,CAAAA,CAA+C,CACtE,GAAI,CAACA,CAAAA,CAAO,UAAYA,CAAAA,CAAO,QAAA,CAAS,IAAA,GAAS,YAAA,CAChD,OAAQA,CAAAA,CAAO,SAA8B,IAAA,CAE9C,GAAIA,EAAO,QAAA,EAAYA,CAAAA,CAAO,SAAS,IAAA,GAAS,SAAA,CAAW,CAC1D,IAAM+B,CAAAA,CAAO/B,EAAO,QAAA,CAA2B,KAAA,CAC/C,GAAI,OAAO+B,CAAAA,EAAQ,SAAU,OAAOA,CACrC,CACA,OAAO,IACR,CAGQ,kBAAA,CAAmBhC,CAAAA,CAA2B,CAErD,GAAIA,CAAAA,CAAK,OAAS,kBAAA,CAAoB,CACrC,IAAMC,CAAAA,CAASD,CAAAA,CAEf,GADiB,IAAA,CAAK,eAAA,CAAgBC,CAAM,CAAA,GAE9B,SAAA,EACbA,EAAO,MAAA,CAAO,IAAA,GAAS,cACtBA,CAAAA,CAAO,MAAA,CAA4B,OAAS,KAAA,CAE7C,OAAO,KAET,CAEA,OACCD,EAAK,IAAA,GAAS,YAAA,EACbA,EAA0B,IAAA,GAAS,SAKtC,CAGQ,mBAAA,CACPA,CAAAA,CACAH,EACAC,CAAAA,CACqB,CACrB,GAAIE,CAAAA,CAAK,IAAA,GAAS,aAAc,CAC/B,IAAMiC,EAAQjC,CAAAA,CAA0B,IAAA,CACxC,GAAIF,CAAAA,CAAY,GAAA,CAAImC,CAAI,CAAA,CAAG,OAAO,aAAaA,CAAI,CAAA,gBAAA,CACpD,CAEA,GAAIjC,CAAAA,CAAK,OAAS,kBAAA,CAAoB,CACrC,IAAMkC,CAAAA,CAAMlC,CAAAA,CACZ,IAAA,IAAWkB,CAAAA,IAAQgB,CAAAA,CAAI,UAAA,CACtB,GACChB,CAAAA,CAAK,IAAA,GAAS,YACd,IAAA,CAAK,mBAAA,CAAoBA,EAAK,KAAA,CAAOrB,CAAAA,CAAiBC,CAAW,CAAA,CAMjE,OAAO,aAHNoB,CAAAA,CAAK,GAAA,CAAI,OAAS,YAAA,CACdA,CAAAA,CAAK,IAAyB,IAAA,CAC/B,SACuB,8BAG9B,CAEA,GAAIlB,EAAK,IAAA,GAAS,gBAAA,CAAkB,CACnC,IAAMyB,CAAAA,CAAOzB,EACb,GAAIyB,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMvB,CAAAA,CAAa,KAAK,eAAA,CACvBuB,CAAAA,CAAK,MACN,CAAA,CACA,GAAIvB,EAAY,OAAO,CAAA,WAAA,EAAcA,CAAU,CAAA,cAAA,CAChD,CACD,CAGD,CACD,CAAA,KCtrBMiC,CAAAA,CAA6C,CAClD,QAAS,YAAA,CACT,UAAA,CAAY,aACZ,SAAA,CAAW,YAAA,CA
CX,WAAY,YAAA,CACZ,YAAA,CAAc,aACd,UAAA,CAAY,YAAA,CACZ,SAAU,YAAA,CACV,WAAA,CAAa,aACb,aAAA,CAAe,YAAA,CACf,UAAW,YAAA,CACX,aAAA,CAAe,aACf,WAAA,CAAa,YAAA,CACb,cAAe,YAAA,CACf,UAAA,CAAY,aACZ,QAAA,CAAU,YAAA,CACV,QAAS,YAAA,CACT,mBAAA,CAAqB,aACrB,UAAA,CAAY,YAAA,CACZ,SAAA,CAAW,YAAA,CACX,YAAA,CAAc,YAAA,CAEd,aAAc,WAAA,CACd,QAAA,CAAU,YACV,UAAA,CAAY,WAAA,CACZ,UAAW,WAAA,CACX,MAAA,CAAQ,WACT,CAAA,CAgBMC,CAAAA,CAAkB,EAGlBC,CAAAA,CAAmB,6CAAA,CASZC,EAAN,MAAMC,CAAW,CACvB,OAAe,GAAA,CAAwB,KAKvC,MAAc,MAAA,EAA6B,CAC1C,GAAI,CAACA,EAAW,GAAA,CAAK,CAEpB,IAAMC,CAAAA,CAAO,aAAa,kBAAkB,CAAA,CAE5CD,EAAW,GAAA,CAAOC,CAAAA,CAAI,SAAWA,CAAAA,CACjCD,CAAAA,CAAW,IAAI,QAAA,CAASJ,CAAkB,EAC3C,CACA,OAAOI,EAAW,GACnB,CAMA,MAAM,IAAA,CAAKE,CAAAA,CAAsC,CAChD,GAAIA,CAAAA,CAAK,OAASL,CAAAA,EAAmBC,CAAAA,CAAiB,KAAKI,CAAI,CAAA,CAC9D,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAIxC,IAAMC,GADM,MAAM,IAAA,CAAK,QAAO,EACdD,CAAI,EACdE,CAAAA,CAAwB,GAExBC,CAAAA,CAASF,CAAAA,CAAI,QAAO,CAAE,GAAA,CAAI,OAAO,CAAA,CACvC,IAAA,IAAWG,KAAUD,CAAAA,CAAQ,CAC5B,IAAME,CAAAA,CAAUD,CAAAA,CAAO,IAAA,GACnBC,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,QAAA,CAAU,KAAMG,CAAQ,CAAC,EAEjD,CAEA,IAAMC,EAASL,CAAAA,CAAI,MAAA,GAAS,GAAA,CAAI,OAAO,EACvC,IAAA,IAAWM,CAAAA,IAASD,EAAQ,CAC3B,IAAMD,EAAUE,CAAAA,CAAM,IAAA,GAClBF,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,OAAA,CAAS,KAAMG,CAAQ,CAAC,EAEhD,CAEA,IAAMG,EAAOP,CAAAA,CAAI,aAAA,GAAgB,GAAA,CAAI,OAAO,EAC5C,IAAA,IAAWQ,CAAAA,IAAOD,EAAM,CACvB,IAAMH,EAAUI,CAAAA,CAAI,IAAA,GAChBJ,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,cAAA,CAAgB,KAAMG,CAAQ,CAAC,EAEvD,CAEA,OAAO,CACN,QAAA,CAAUH,CAAAA,CAAS,OAAS,CAAA,CAC5B,QAAA,CAAAA,CACD,CACD,CAMA,MAAM,QAAA,CACLQ,CAAAA,CACAC,EAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CACb,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAGxC,GAAI,OAAOA,CAAAA,EAAU,QAAA,CACpB,OAAO,IAAA,CAAK,IAAA,CAAKA,CAAK,CAAA,CAGvB,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAC9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAC3B,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAExC
C,CAAAA,CAAK,IAAID,CAAe,CAAA,CAExB,IAAME,CAAAA,CAAS,KAAA,CAAM,QAAQF,CAAK,CAAA,CAC/BA,EACA,MAAA,CAAO,MAAA,CAAOA,CAAgC,CAAA,CAE3CG,CAAAA,CAA2B,EAAC,CAElC,IAAA,IAAWC,KAASF,CAAAA,CAAQ,CAC3B,IAAMG,CAAAA,CAAS,MAAM,KAAK,QAAA,CAASD,CAAAA,CAAOH,CAAI,CAAA,CAC9C,GAAII,EAAO,QAAA,GACVF,CAAAA,CAAY,KAAK,GAAGE,CAAAA,CAAO,QAAQ,CAAA,CAE/BA,CAAAA,CAAO,SAAS,IAAA,CAAMC,CAAAA,EAAMA,EAAE,IAAA,GAAS,QAAQ,GAClD,OAAO,CAAE,SAAU,IAAA,CAAM,QAAA,CAAUH,CAAY,CAGlD,CAEA,OAAO,CACN,QAAA,CAAUA,EAAY,MAAA,CAAS,CAAA,CAC/B,QAAA,CAAUA,CACX,CACD,CAEA,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CACxC,CACD,ECvLA,SAASI,CAAAA,CAAYC,EAA6B,CACjD,IAAMC,EAASD,CAAAA,CAAW,OAAA,CAAQ,MAAO,EAAE,CAAA,CAC3C,GAAIC,CAAAA,CAAO,MAAA,CAAS,IAAMA,CAAAA,CAAO,MAAA,CAAS,GAAI,OAAO,MAAA,CAErD,IAAIC,CAAAA,CAAM,CAAA,CACNC,EAAS,KAAA,CAEb,IAAA,IAAS,EAAIF,CAAAA,CAAO,MAAA,CAAS,EAAG,CAAA,EAAK,CAAA,CAAG,IAAK,CAC5C,IAAIG,CAAAA,CAAQ,QAAA,CAASH,CAAAA,CAAO,MAAA,CAAO,CAAC,CAAA,CAAG,EAAE,EAErCE,CAAAA,GACHC,CAAAA,EAAS,EACLA,CAAAA,CAAQ,CAAA,GACXA,GAAS,CAAA,CAAA,CAAA,CAIXF,CAAAA,EAAOE,EACPD,CAAAA,CAAS,CAACA,EACX,CAEA,OAAOD,EAAM,EAAA,GAAO,CACrB,CAMA,SAASG,CAAAA,CAAYC,EAAuB,CAC3C,IAAMC,EAAYD,CAAAA,CAAK,OAAA,CAAQ,OAAQ,EAAE,CAAA,CAAE,aAAY,CAEvD,GAAI,CAAC,kCAAA,CAAmC,IAAA,CAAKC,CAAS,CAAA,CAAG,OAAO,OAEhE,IAAMC,CAAAA,CAAaD,CAAAA,CAAU,SAAA,CAAU,CAAC,CAAA,CAAIA,EAAU,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAEhEE,CAAAA,CAAgB,GACpB,IAAA,IAAS,CAAA,CAAI,EAAG,CAAA,CAAID,CAAAA,CAAW,OAAQ,CAAA,EAAA,CAAK,CAC3C,IAAME,CAAAA,CAAWF,CAAAA,CAAW,WAAW,CAAC,CAAA,CACxC,GAAIE,CAAAA,EAAY,EAAA,EAAMA,GAAY,EAAA,CACjCD,CAAAA,EAAAA,CAAkBC,EAAW,EAAA,EAAI,QAAA,WACvBA,CAAAA,EAAY,EAAA,EAAMA,GAAY,EAAA,CACxCD,CAAAA,EAAiBD,EAAW,MAAA,CAAO,CAAC,OAEpC,OAAO,MAET,CAEA,GAAI,CACH,OAAO,MAAA,CAAOC,CAAa,EAAI,GAAA,GAAQ,EACxC,MAAa,CACZ,OAAO,MACR,CACD,KAUaE,CAAAA,CAAe,CAC3B,MAAO,CACN,IAAA,CAAM,QACN,OAAA,CAAS,sDAAA,CACT,UAAYC,CAAAA,EACX,CAACA,EAAM,QAAA,CAAS,cAAc,GAAK,CAACA,CAAAA,CAAM,SAAS,WAAW,CAChE,EACA,WAAA,CAAa,CACZ,KAAM,aAAA,CACN,OAAA,CAAS,2BACT,SAAA,CAAWb,CACZ,EACA,UAAA,CAAY,CACX,KAAM,YAAA,CACN,OAAA,CAAS,yCAAA,CACT
,SAAA,CAAYa,CAAAA,EACK,CAAC,YAAa,SAAA,CAAW,iBAAiB,EAC9C,QAAA,CAASA,CAAK,EAAU,KAAA,CAEtBA,CAAAA,CAAM,MAAM,GAAG,CAAA,CAAE,IAAI,MAAM,CAAA,CAC5B,MAAOC,CAAAA,EAAMA,CAAAA,EAAK,GAAKA,CAAAA,EAAK,GAAG,CAE9C,CAAA,CACA,KAAA,CAAO,CACN,IAAA,CAAM,OAAA,CAEN,QAAS,+DAAA,CACT,SAAA,CAAYD,GAAkB,CAC7B,IAAMX,EAASW,CAAAA,CAAM,OAAA,CAAQ,MAAO,EAAE,CAAA,CAItC,OAHI,EAAAX,CAAAA,CAAO,OAAS,CAAA,EAAKA,CAAAA,CAAO,OAAS,EAAA,EAErC,WAAA,CAAY,KAAKA,CAAM,CAAA,EACvBA,IAAW,YAAA,CAEhB,CACD,EACA,GAAA,CAAK,CACJ,KAAM,KAAA,CACN,OAAA,CAAS,iCACT,SAAA,CAAYW,CAAAA,EAAkB,CAC7B,IAAMX,CAAAA,CAASW,EAAM,OAAA,CAAQ,KAAA,CAAO,EAAE,CAAA,CACtC,GAAIX,EAAO,MAAA,GAAW,CAAA,CAAG,OAAO,MAAA,CAEhC,IAAMa,EAAO,QAAA,CAASb,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,CAShD,OARI,EAAAa,CAAAA,GAAS,GAAKA,CAAAA,GAAS,GAAA,EAAOA,CAAAA,EAAQ,GAAA,EAE5B,QAAA,CAASb,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,GACnC,GAEC,QAAA,CAASA,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,GACnC,GAEX,WAAA,CAAY,IAAA,CAAKA,CAAM,CAAA,EAAKA,CAAAA,GAAW,YAG5C,CACD,CAAA,CACA,KAAM,CACL,IAAA,CAAM,OACN,OAAA,CAAS,sCAAA,CACT,UAAWI,CACZ,CAAA,CACA,aAAc,CACb,IAAA,CAAM,eAEN,OAAA,CAAS,6CACV,CACD,CAAA,CAMaU,CAAAA,CAAc,CAC1B,aAAA,CAAe,CACdJ,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,aACbA,CAAAA,CAAa,IACd,EACA,YAAA,CAAc,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,IACbA,CAAAA,CAAa,YACd,EACA,OAAA,CAAS,CACRA,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,KACbA,CAAAA,CAAa,YACd,CACD,CAAA,CAEaK,CAAAA,CAAN,MAAMC,CAAW,CACf,QAAA,CACA,gBAAA,CACA,UAAA,CAMR,OAAwB,aAAe,IAAI,GAAA,CAAI,CAE9C,MAAA,CACA,OAAA,CACA,UACA,UAAA,CACA,SAAA,CACA,WACA,UAAA,CACA,QAAA,CACA,SACA,YAAA,CACA,QAAA,CACA,YACA,SAAA,CACA,QAAA,CACA,UACA,QAAA,CACA,QAAA,CACA,QACA,MAAA,CACA,MAAA,CACA,OACA,MAAA,CACA,MAAA,CACA,QACA,OAAA,CACA,OAAA,CACA,QACA,QAAA,CACA,OAAA,CACA,UACA,SAAA,CACA,UAAA,CACA,YACA,OAAA,CACA,SAAA,CACA,OACA,OAAA,CAEA,WAAA,CACA,aACA,WAAA,CACA,UAAA,CACA,SACA,UAAA,CACA,UAAA,CACA,WACA,SAAA,CACA,SAAA,C
AEA,WACA,SAAA,CACA,YAAA,CACA,YACA,WAAA,CACA,WAAA,CACA,aAEA,YAAA,CACA,aAAA,CACA,aAEA,WAAA,CACA,aAAA,CACA,WACA,UAAA,CACA,SAAA,CAEA,YACA,UAAA,CAEA,UAAA,CACA,qBACA,YAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,eAAA,CACA,UACA,QACD,CAAC,EAMO,0BAAA,CAKA,mBAAA,CAER,YACCC,CAAAA,CAAsB,GACtBC,CAAAA,CAA0B,GAC1BC,CAAAA,CACC,CACD,IAAA,CAAK,QAAA,CAAWF,CAAAA,CAChB,IAAA,CAAK,iBAAmB,IAAI,GAAA,CAAIC,EAAc,GAAA,CAAKE,CAAAA,EAAMA,EAAE,WAAA,EAAa,CAAC,CAAA,CACzE,IAAA,CAAK,WAAaD,CAAAA,EAAc,IAAA,CAGhC,KAAK,0BAAA,CAA6B,IAAI,IACtC,IAAA,CAAK,mBAAA,CAAsB,EAAC,CAE5B,IAAA,IAAWE,KAAS,IAAA,CAAK,gBAAA,CACpBA,EAAM,MAAA,CAAS,CAAA,CAIlB,KAAK,0BAAA,CAA2B,GAAA,CAC/BA,EACA,IAAI,MAAA,CACH,aAAaA,CAAK,CAAA,sBAAA,EACHA,EAAM,MAAA,CAAO,CAAC,EAAE,WAAA,EAAa,GAAGA,CAAAA,CAAM,KAAA,CAAM,CAAC,CAAC,CAAA,EAAA,EACxDA,CAAK,CAAA,CAAA,CAAA,CACV,GACD,CACD,CAAA,CAEA,IAAA,CAAK,oBAAoB,IAAA,CAAKA,CAAK,EAGtC,CAYA,MAAa,KACZ9B,CAAAA,CACAC,CAAAA,CAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CAA6B,OAAO,IAAA,CAGlD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAG9B,IAAML,CAAAA,CAAUK,EAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,IAAMoC,CAAAA,CAAS,IAAA,CAAK,MAAMpC,CAAO,CAAA,CAE3BlC,EAAY,MAAM,IAAA,CAAK,KAAKsE,CAAAA,CAAQ9B,CAAI,EAC9C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAAa,CAEb,CAID,IAAMuE,EAAmB,IAAA,CAAK,WAAA,CAAYhC,CAAK,CAAA,CAC/C,GAAIgC,EAAkB,OAAOA,CAAAA,CAG7B,GAAI,IAAA,CAAK,UAAA,CAAY,CACpB,IAAMC,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAKjC,CAAK,CAAA,CAClD,GAAIiC,CAAAA,CAAU,QAAA,CAAU,CACvB,IAAMC,CAAAA,CAAeD,EAAU,QAAA,CAAS,IAAA,CACtC3B,GAAMA,CAAAA,CAAE,IAAA,GAAS,QACnB,CAAA,CACA,GAAI4B,EACH,OAAO,CAAA,kCAAA,EAAqCA,EAAa,IAAI,CAAA,CAAA,CAE/D,CACD,CAEA,OAAO,IACR,CAGA,GAAI,OAAOlC,CAAAA,EAAU,QAAA,CAAU,CAE9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAAG,OAAO,IAAA,CAGtC,GAFAC,EAAK,GAAA,CAAID,CAAe,EAEpB,KAAA,CAAM,OAAA,CAAQA,CAAK,CAAA,CACtB,IAAA,IAAWmC,CAAAA,IAAWnC,EAAO,CAC5B,IAAMvC,EAAY,MAAM,IAAA,CAAK,KAAK0E,CAAAA,CAASlC,CAAI,EAC/C,
GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,YAEW,CAAC2E,CAAAA,CAAKhC,CAAK,CAAA,GAAK,MAAA,CAAO,QACjCJ,CACD,CAAA,CAAG,CAEF,GAAI,IAAA,CAAK,iBAAiB,GAAA,CAAIoC,CAAAA,CAAI,aAAa,CAAA,CAC9C,OAAO,CAAA,eAAA,EAAkBA,CAAG,GAI7B,IAAMC,CAAAA,CAAiB,KAAK,aAAA,CAAcD,CAAG,EAC7C,GAAIC,CAAAA,CAAgB,OAAOA,CAAAA,CAG3B,IAAM5E,EAAY,MAAM,IAAA,CAAK,KAAK2C,CAAAA,CAAOH,CAAI,EAC7C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAEF,CAEA,OAAO,IACR,CAMQ,aAAA,CAAc2E,CAAAA,CAA4B,CACjD,IAAME,CAAAA,CAAaF,EAAI,WAAA,EAAY,CAGnC,GAAIX,CAAAA,CAAW,YAAA,CAAa,IAAIa,CAAU,CAAA,CAAG,OAAO,IAAA,CAGpD,IAAA,GAAW,CAACR,CAAAA,CAAOS,CAAO,IAAK,IAAA,CAAK,0BAAA,CACnC,GAAIA,CAAAA,CAAQ,IAAA,CAAKH,CAAG,CAAA,CACnB,OAAO,CAAA,uBAAA,EAA0BA,CAAG,CAAA,2BAAA,EAA8BN,CAAK,IAKzE,IAAA,IAAWA,CAAAA,IAAS,KAAK,mBAAA,CACxB,GAAIQ,EAAW,QAAA,CAASR,CAAK,EAC5B,OAAO,CAAA,uBAAA,EAA0BM,CAAG,CAAA,4BAAA,EAA+BN,CAAK,IAI1E,OAAO,IACR,CAEQ,WAAA,CAAYxC,CAAAA,CAA6B,CAChD,IAAA,IAAWkD,CAAAA,IAAQ,KAAK,QAAA,CACvB,GAAI,OAAOA,CAAAA,EAAS,QAAA,CAAA,CACnB,GAAIlD,CAAAA,CAAK,WAAA,GAAc,QAAA,CAASkD,CAAAA,CAAK,aAAa,CAAA,CACjD,OAAOA,CAAAA,CAAAA,KAAAA,GAEEA,CAAAA,YAAgB,QAE1B,GADIA,CAAAA,CAAK,SAAQA,CAAAA,CAAK,SAAA,CAAY,GAC9BA,CAAAA,CAAK,IAAA,CAAKlD,CAAI,CAAA,CACjB,OAAOkD,EAAK,MAAA,CAAA,KAAA,GAEH,OAAOA,GAAS,QAAA,EAAYA,CAAAA,GAAS,KAAM,CAErD,IAAMC,EAAMD,CAAAA,CAEZ,GAAI,OAAOC,CAAAA,CAAI,OAAA,EAAY,UAC1B,GAAInD,CAAAA,CAAK,aAAY,CAAE,QAAA,CAASmD,EAAI,OAAA,CAAQ,WAAA,EAAa,CAAA,GACpD,CAACA,EAAI,SAAA,EAAaA,CAAAA,CAAI,UAAUA,CAAAA,CAAI,OAAO,GAC9C,OAAOA,CAAAA,CAAI,aAGHA,CAAAA,CAAI,OAAA,YAAmB,MAAA,CAAQ,CACrCA,CAAAA,CAAI,OAAA,CAAQ,SAAQA,CAAAA,CAAI,OAAA,CAAQ,UAAY,CAAA,CAAA,CAGhD,IAAIrB,EAAQqB,CAAAA,CAAI,OAAA,CAAQ,KAAKnD,CAAI,CAAA,CACjC,KAAO8B,CAAAA,GAAU,IAAA,EAAM,CACtB,IAAMsB,CAAAA,CAActB,EAAM,CAAC,CAAA,CAC3B,GAAI,CAACqB,CAAAA,CAAI,WAAaA,CAAAA,CAAI,SAAA,CAAUC,CAAW,CAAA,CAC9C,OAAOD,EAAI,IAAA,CAEZ,GAAI,CAACA,CAAAA,CAAI,OAAA,CAAQ,OAAQ,MACzBrB,CAAAA,CAAQqB,EAAI,OAAA,CAAQ,IAAA,CAAKnD,CAAI,EAC9B,CACD,CACD,CAED,OAAO,IACR,CACD,MC/aMqD,CAAAA,CAAYC,CAAAA,CAAK,QAAQC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA,CAyDhDC,EAAN,MAA
MC,CAAW,CA+TvB,WAAA,CACSC,CAAAA,CACAC,EACP,CAFO,IAAA,CAAA,UAAA,CAAAD,EACA,IAAA,CAAA,MAAA,CAAAC,CAAAA,CAER,IAAMrB,CAAAA,CAAa,IAAA,CAAK,QAAQ,QAAA,EAAU,iBAAA,CACvC,IAAIzC,CAAAA,CACJ,IAAA,CAEH,KAAK,UAAA,CAAa,IAAIqC,EACrB,IAAA,CAAK,MAAA,EAAQ,UAAU,WAAA,EAAeD,CAAAA,CAAY,cAClD,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,EAAiB,CACvC,IAAA,CACA,OACA,UAAA,CACA,WAAA,CACA,WACA,SAAA,CACA,QAAA,CACA,OACA,YAAA,CACA,SAAA,CACA,QACA,OAAA,CACA,KAAA,CACA,gBACA,eAAA,CACA,gBAAA,CACA,WACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACAK,CACD,EAGA,IAAMsB,CAAAA,CAAW,KAAK,MAAA,EAAQ,QAAA,EAAU,UACxC,IAAA,CAAK,gBAAA,CACJA,GAAU,QAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,2BAA6B,OAAA,CAAS,EAAE,EACrE,IAAA,CAAK,oBAAA,CACJA,GAAU,YAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,qBAAuB,IAAA,CAAM,EAAE,EAC5D,IAAA,CAAK,sBAAA,CACJA,GAAU,kBAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,4BAA8B,IAAA,CAAM,EAAE,EAGnE,IAAMvB,CAAAA,CAAgB,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,CAC7D,IAAA,CACA,OACA,UAAA,CACA,WAAA,CACA,WACA,SAAA,CACA,QAAA,CACA,OACA,YAAA,CACA,SAAA,CACA,QACA,OAAA,CACA,KAAA,CACA,gBACA,eAAA,CACA,gBAAA,CACA,WACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACA,IAAA,CAAK,aAAA,CAAgB,IAAIxF,CAAAA,CAAcwF,CAAa,EAGpD,IAAMwB,CAAAA,CAAO,YAAY,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA,CACrCC,CAAAA,CAAYD,EAAO,KAAA,CAAQ,KAAA,CAE7BE,EAAqB,EAAC,CAC1B,GAAIF,CAAAA,CACH,GAAI,CAEH,IAAMG,CAAAA,CADMC,cAAc,MAAA,CAAA,IAAA,CAAY,GAAG,EACtB,OAAA,CAAQ,kBAAkB,EAI7CF,CAAAA,CAAW,CAAC,WAHQG,aAAAA,CACnBZ,CAAAA,CAAK,KAAKA,CAAAA,CAAK,OAAA,CAAQU,CAAM,CAAA,CAAG,MAAA,CAAQ,YAAY,CACrD,CAAA,CAAE,IACiC,EACpC,CAAA,KAAa,CACZD,CAAAA,CAAW,CAAC,WAAY,KAAK,EAC9B,CAGD,IAAMI,CAAAA,CAAS,QAAQ,GAAA,CAAI,QAAA,GAAa,QAAU,OAAA,CAAQ,GAAA,CAAI,OAG1D,IAAA,CAAK,MAAA,EAAQ,cAAgB,CAAC,IAAA,CAAK,WAAW,YAAA,GACjD,IAAA,CAAK,WAAW,YAAA,CAAe,IAAA,CAAK,OAAO,YAAA,CAAA,CAO5C,IAAMC,EAAc,CACnBd,CAAAA,CAAK,QAAQD,CAAAA,CAAW,CAAA,yBAAA,EAA4BS,CAAS,CAAA,CAAE,CAAA,CAC/DR,EAAK,OAAA,CAAQD,CAAAA,CAAW,6BAA6BS,CAAS,CAAA,CAAE,CACjE,CAAA,CAEMO,CAAAA,CACLD,CAAAA,CAAY,IAAA,CAAMrC,CAAAA,EAAS,CAAA,CAAA,UAAA,CAAWA,CAAC,CAAC,CAAA,EAAKqC,EAAY,CAAC,CAAA,CAE3D,
KAAK,UAAA,CAAa,IAAIE,QAAQ,CAC7B,QAAA,CAAUD,EACV,UAAA,CAAY,IAAA,CAAK,QAAQ,UAAA,EAAY,UAAA,GAAeF,EAAS,CAAA,CAAI,CAAA,CAAA,CACjE,WAAY,IAAA,CAAK,MAAA,EAAQ,YAAY,UAAA,GAAeA,CAAAA,CAAS,EAAI,CAAA,CAAA,CACjE,WAAA,CACC,KAAK,MAAA,EAAQ,UAAA,EAAY,cAAgBA,CAAAA,CAAS,GAAA,CAAM,KACzD,QAAA,CAAU,MAAA,CACV,UAAW,IAAII,UAAAA,CACf,SAAAR,CAAAA,CAGA,cAAA,CAAgB,CACf,sBAAA,CACC,IAAA,CAAK,QAAQ,UAAA,EAAY,SAAA,EACzB,OAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,uBAAA,EAA2B,IAAA,CAAM,EAAE,CACjE,CACD,CAAC,CAAA,CAKD,IAAA,CAAK,SACJ,6BAAA,CACA,+BAAA,CACA,sFACA,YAAA,CACA,IAAM,QAAQ,OAAA,CAAQ,IAAA,CAAK,mBAAmB,CAC/C,EACD,CAvcQ,UAAA,CACP,IAAI,GAAA,CACG,eAAA,CAGJ,IAAI,GAAA,CACS,YAAA,CAAe,KAAU,EAAA,CAAK,GAAA,CAC9B,mBAAqB,CAAA,CACrB,oBAAA,CAAuB,GAAK,GAAA,CAGrC,eAAA,CAAyC,IAAI,GAAA,CACpC,oBAAA,CACA,gBAAA,CAGT,iBAA6B,EAAC,CACrB,uBAGA,aAAA,CAET,KAAA,CAUJ,IAAI,GAAA,CACA,SAAA,CAGJ,IAAI,GAAA,CACA,OAAA,CAQJ,IAAI,GAAA,CACA,YAAA,CAA+C,KAC/C,cAAA,CAA4C,GAE5C,UAAA,CACA,UAAA,CACA,SAA4B,IAAA,CAC5B,SAAA,CAAkC,KAClC,SAAA,CAA2B,IAAA,CAC3B,SAGJ,IAAI,GAAA,CAGR,OAAwB,kBAAA,CACvB,2EAAA,CAEO,aAAaS,CAAAA,CAAgC,CACpD,IAAMC,CAAAA,CAAUD,CAAAA,CAAQ,MAAMf,CAAAA,CAAW,kBAAkB,EAC3D,OAAOgB,CAAAA,EAAS,QAAQ,KAAA,CAAQA,CAAAA,CAAQ,OAAO,KAAA,CAAM,IAAA,GAAS,IAC/D,CAEQ,iBAAiB/D,CAAAA,CAAyB,CACjD,GAAI,OAAOA,CAAAA,EAAU,SAAU,OAAOA,CAAAA,CACtC,IAAML,CAAAA,CAAUK,CAAAA,CAAM,MAAK,CAC3B,GACEL,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,WAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,KAAA,CAAMA,CAAO,CAC1B,CAAA,KAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEQ,mBACPgE,CAAAA,CACAC,CAAAA,CACAC,EACgB,CAEhB,GAAIA,EAAQ,CACX,IAAMH,EAAUE,CAAAA,CAAM,OAAA,CAAQ,OAAQ,GAAG,CAAA,CAEzC,GAAIC,CAAAA,CAAO,uBAAA,EACoB,CAG7B,8EAAA,CACA,gHACD,EAC0B,IAAA,CAAM7C,CAAAA,EAAMA,EAAE,IAAA,CAAK0C,CAAO,CAAC,CAAA,CACpD,OAAO,0EAIT,GAAIG,CAAAA,CAAO,uBAAuB,IAAA,CAAM7C,CAAAA,EAAMA,EAAE,IAAA,CAAK0C,CAAO,CAAC,CAAA,CAC5D,OAAO,yDAET,CAGA,IAAMI,EAAiB,IAAA,CAAK,aAAA,CAAc,QAAQF,CAAK,CAAA,CACvD,OAAIE,CAAAA,CACI,CAAA,2BAAA,EAA8BA,EAAe,MAAM,CAAA,CAAA,CAGpD,IACR,CAEQ,oB
AAA,CACPC,EACAC,CAAAA,CACAH,CAAAA,CACgB,CAChB,GAAI,CAACA,EAAQ,OAAO,IAAA,CACpB,IAAMnC,CAAAA,CAAS,IAAA,CAAK,iBAAiBsC,CAAM,CAAA,CAE3C,GAAIH,CAAAA,CAAO,YAAA,CAAc,CAkBxB,IAAMI,CAAAA,CAAAA,CAbmB,IAAM,CAC9B,GAAI,EAAEJ,CAAAA,CAAO,YAAA,YAAwBK,IAAE,SAAA,CAAA,CACtC,OAAOL,CAAAA,CAAO,YAAA,CAEf,IAAMnF,CAAAA,CAAMmF,EAAO,YAAA,CAEnB,OAAMnF,EAAI,IAAA,CAAK,QAAA,YAAoBwF,IAAE,QAAA,CAI9BxF,CAAAA,CAAI,QAAO,CAHVA,CAIT,IAAG,CAEkC,SAAA,CAAUgD,CAAM,CAAA,CACrD,GAAI,CAACuC,CAAAA,CAAa,OAAA,CAGjB,OAAO,CAAA,mCAAA,EAAsCF,CAAQ,KAAKE,CAAAA,CAAa,KAAA,CAAM,OAC3E,GAAA,CAAKE,CAAAA,EAAM,GAAGA,CAAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAA,EAAK,QAAQ,CAAA,CAAA,EAAIA,CAAAA,CAAE,OAAO,CAAA,CAAE,CAAA,CACzD,KACA,IACD,CAAC,kIAEJ,CAEA,OACCN,EAAO,uBAAA,EACP,IAAA,CAAK,+BACJ,IAAA,CAAK,8BAAA,CAA+BnC,CAAM,CAAA,CAC1CmC,CAAAA,CAAO,wBACP,IAAA,CAAK,cAAA,CAAe,MACrB,CAAA,CAGC,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,QACzB,OAAA,CAAQ,GAAA,CAAI,mBAAqB,GAAA,CAG/B,gPAAA,CACA,iFAGG,IACR,CAOQ,+BAA+BlE,CAAAA,CAAyB,CAC/D,GAAI,OAAOA,CAAAA,EAAU,SAAU,CAC9B,IAAML,EAAUK,CAAAA,CAAM,IAAA,GACtB,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,IAAA,CAAK,+BAA+B,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAC,CAC/D,MAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEA,GAAI,CAACA,CAAAA,EAAS,OAAOA,GAAU,QAAA,CAC9B,OAAOA,EAGR,IAAMyE,CAAAA,CAAMzE,EACZ,GAAI,CAAC,MAAM,OAAA,CAAQyE,CAAAA,CAAI,OAAO,CAAA,EAAKA,CAAAA,CAAI,OAAA,CAAQ,SAAW,CAAA,CACzD,OAAOzE,EAGR,IAAM0E,CAAAA,CAAkB,EAAC,CACzB,IAAA,IAAWC,KAAQF,CAAAA,CAAI,OAAA,CACtB,GAAIE,CAAAA,EAAQ,OAAOA,GAAS,QAAA,EAAY,MAAA,GAAUA,EAAM,CACvD,IAAMC,EAAKD,CAAAA,CAA4B,IAAA,CACnC,OAAOC,CAAAA,EAAM,QAAA,EAChBF,EAAM,IAAA,CAAKE,CAAC,EAEd,CAED,GAAIF,EAAM,MAAA,GAAW,CAAA,CACpB,OAAO1E,CAAAA,CAGR,IAAM6E,EAASH,CAAAA,CAAM,MAAA,GAAW,EAAIA,CAAAA,CAAM,CAAC,CAAA,CAAIA,CAAAA,CAAM,IAAA,CAAK;AAAA,CAAI,CAAA,CAC9D,OAAO,IAAA,CAAK,8BAAA,CAA+BG,CAAM,CAClD,CAEQ,8BAAA,CACP7E,CAAAA,CACA8E,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMC,CAAAA,CACL,OAAOF,CAAAA,EAAc,QAAA,EAC
rB,OAAOA,CAAAA,CAAU,aAAA,EAAkB,QAAA,CAChCA,CAAAA,CAAU,aAAA,CACV,EAAA,CACEG,CAAAA,CACL,OAAOH,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,oBAAA,EAAyB,SAAA,CACvCA,CAAAA,CAAU,oBAAA,CACV,IAAA,CAEJ,GAAI,OAAO9E,CAAAA,EAAU,QAAA,CAAU,CAC9B,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,8BAAA,CACX,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAA,CAClBmF,CAAAA,CACAC,CACD,CACD,CAAA,KAAQ,CACP,OAAO,MACR,CAED,OAAO,MACR,CAEA,GAAI,KAAA,CAAM,OAAA,CAAQ/E,CAAK,CAAA,CACtB,OACCA,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOkF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAG3DlF,CAAAA,CAAM,MAAA,CAASgF,CAAAA,CACX,IAAA,CAEDhF,CAAAA,CAAM,IAAA,CAAMkF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAIA/E,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOkF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAE1D,CAAAD,CAAAA,CAICjF,EAAM,IAAA,CAAMkF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAGD,GAAI/E,CAAAA,EAAS,OAAOA,CAAAA,EAAU,QAAA,CAAU,CACvC,IAAMmF,CAAAA,CAAO,MAAA,CAAO,IAAA,CAAKnF,CAAgC,CAAA,CAkBzD,OAdI+E,CAAAA,GAAiB,MAAA,EAAaA,CAAAA,CAAe,CAAA,EAAKA,CAAAA,CAAe,EAAA,GAChEI,CAAAA,CAAK,MAAA,CAAS,CAAA,EAEH,MAAA,CAAO,OAAOnF,CAAgC,CAAA,CAErD,IAAA,CACLoF,CAAAA,EAAM,KAAA,CAAM,OAAA,CAAQA,CAAC,CAAA,EAAM,OAAOA,CAAAA,EAAM,QAAA,EAAYA,CAAAA,GAAM,IAC5D,CAAA,CAAA,EAOED,CAAAA,CAAK,MAAA,CAASH,CAAAA,CACV,IAAA,CAGD,MAAA,CAAO,MAAA,CAAOhF,CAAgC,CAAA,CAAE,IAAA,CAAMI,CAAAA,EAC5D,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAO0E,CAAAA,CAAWC,CAAY,CACnE,CACD,CAEA,OAAO,MACR,CAiJQ,iBAAA,EAA4B,CACnC,IAAMM,CAAAA,CAAQ,CACb,gCAAA,CACA,kCAAA,CACA,EAAA,CACA,SAAA,CACA,EAAA,CACA,mBAAA,CACA,2BAAA,CACA,qBAAA,CACA,QAAA,CACA,EAAA,CACA,sBAAA,CACA,sDAAA,CACA,uCAAA,CACA,iDAAA,CACA,uDAAA,CACA,EAAA,CACA,uBAAA,CACA,sDAAA,CACA,gEAAA,CACA,kDACD,CAAA,CAEA,OAAI,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,eAAe,MAAA,EACzCA,CAAAA,CA
AM,IAAA,CACL,CAAA,qBAAA,EAAwB,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,IAAI,CAAC,CAAA,CACtE,CAAA,CAGDA,CAAAA,CAAM,IAAA,CACL,EAAA,CACA,8BACA,4EAAA,CACA,4EAAA,CACA,kEAAA,CACA,mEAAA,CACA,EAAA,CACA,cAAA,CACA,iEAAA,CACA,gDAAA,CACA,EAAA,CACA,0BAAA,CACA,iEAAA,CACA,sEAAA,CACA,EAAA,CACA,sBAAA,CACA,8DACD,CAAA,CAEOA,EAAM,IAAA,CAAK;AAAA,CAAI,CACvB,CAWQ,yBAAA,CACPC,EACAC,CAAAA,CAAQ,CAAA,CACC,CAET,GAAIA,CAAAA,CAAQ,CAAA,CAAG,OAAO,QAEtB,IAAMC,CAAAA,CAAaF,EAAO,IAAA,CACpBG,CAAAA,CAAaH,EAAO,UAAA,CAGpBI,CAAAA,CAAQJ,CAAAA,CAAO,KAAA,CAGrB,OAAIG,CAAAA,CAgBI,CAAA,CAAA,EAfQ,OAAO,OAAA,CAAQA,CAAU,EAAE,GAAA,CAAI,CAAC,CAACrD,CAAAA,CAAKrE,CAAI,IAAM,CAC9D,IAAM4H,EAAW5H,CAAAA,CAAK,IAAA,CACtB,GAAI4H,CAAAA,GAAa,OAAA,EAAW5H,CAAAA,CAAK,KAAA,CAAO,CACvC,IAAM6H,CAAAA,CAAS,KAAK,yBAAA,CACnB7H,CAAAA,CAAK,MACLwH,CAAAA,CAAQ,CACT,EACA,OAAO,CAAA,EAAGnD,CAAG,CAAA,UAAA,EAAawD,CAAM,GACjC,CACA,GAAID,IAAa,QAAA,EAAY5H,CAAAA,CAAK,UAAA,CAAY,CAC7C,IAAM6H,CAAAA,CAAS,IAAA,CAAK,0BAA0B7H,CAAAA,CAAMwH,CAAAA,CAAQ,CAAC,CAAA,CAC7D,OAAO,GAAGnD,CAAG,CAAA,CAAA,EAAIwD,CAAM,CAAA,CAAA,CACxB,CACA,OAAO,CAAA,EAAGxD,CAAG,IAAIuD,CAAAA,EAAY,SAAS,CAAA,CAAA,CACvC,CAAC,EACiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,CAIzBH,CAAAA,GAAe,SAAWE,CAAAA,CAEtB,CAAA,SAAA,EADc,KAAK,yBAAA,CAA0BA,CAAAA,CAAOH,EAAQ,CAAC,CACrC,GAI5BC,CAAAA,EACG,MAAA,CAAO,KAAKF,CAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CACrC,CAKA,MAAa,QACZO,CAAAA,CAOI,GACY,CAChB,OAAO,KAAK,aAAA,CAAcA,CAAO,CAClC,CAKO,IAAA,CACN/G,EACAgH,CAAAA,CACAC,CAAAA,CACAC,EACA9B,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,MAAM,GAAA,CAAIpF,CAAI,EACtB,MAAM,IAAI,MAAM,CAAA,yBAAA,EAA4BA,CAAI,EAAE,CAAA,CAGnD,IAAMwG,EAASf,GAAAA,CAAE,MAAA,CAAOwB,CAAK,CAAA,CACvBE,CAAAA,CAAkBC,gBAAgBZ,CAAM,CAAA,CAE1Ca,CAAAA,CAAmBL,CAAAA,CACnBM,EAAeJ,CAAAA,CAGnB,GAAID,EAAM,OAAA,EAAWA,CAAAA,CAAM,mBAAmBxB,GAAAA,CAAE,SAAA,CAAW,CAC1D,IAAM8B,CAAAA,CAAc,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,EAAC,CAe7D,GAVAF,CAAAA,EACC;;AAAA,sMAAA,CAAA,CAKGE,CAAAA,CAAY,MAAA,CAAS,CAAA,GACxBF,CAAAA,EAAoB;AAAA,mBAAA,EAAwBE,CAAAA,CAAY,IAAA,CAAK,IAAI,CAAC,KAG/D,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC
,EAAe,IAAA,CAAK,yBAAA,CAA0B,IAAA,CAAK,YAAY,EACrEH,CAAAA,EAAoB;AAAA,gBAAA,EAAqBG,CAAY,+CACtD,CAEAF,CAAAA,CAAe,MACdG,CAAAA,CACAC,CAAAA,GACI,CACJ,IAAMC,CAAAA,CAAW,oBACXC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfC,CAAAA,CAAQ,KAAK,eAAA,CAAgB,GAAA,CAAIF,CAAQ,CAAA,EAAK,CACnD,QAAA,CAAU,EACV,WAAA,CAAa,CACd,EAEA,GACCE,CAAAA,CAAM,UAAY,IAAA,CAAK,kBAAA,EACvBD,EAAMC,CAAAA,CAAM,WAAA,CAAc,KAAK,oBAAA,CAE/B,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,mEACP,CACD,CAAA,CACA,QAAS,IACV,CAAA,CAGD,IAAMC,CAAAA,CAAgBL,CAAAA,CACpB,QACIM,CAAAA,CACJN,CAAAA,CAAiC,0BAA4B,IAAA,CAEzDO,CAAAA,CAAcC,EAClB,UAAA,CAAW,QAAQ,EACnB,MAAA,CAAOH,CAAY,EACnB,MAAA,CAAO,KAAK,CAAA,CACR3C,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAa2C,CAAY,CAAA,CACtCI,CAAAA,CAAS,KAAK,UAAA,CAAW,GAAA,CAAIF,CAAW,CAAA,CAE9C,GACC,CAACD,CAAAA,EACDG,CAAAA,EACAN,CAAAA,CAAMM,EAAO,SAAA,CAAY,IAAA,CAAK,cAG1B/C,CAAAA,CAAO,CACTsC,EAAiC,OAAA,CAAUtC,CAAAA,CAG5C,IAAMgD,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5BnI,EACAmF,CAAAA,CACAC,CACD,EACA,OAAI+C,CAAAA,CACI,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,IACV,EAEM,MAAM,IAAA,CAAK,mBAAA,CAAoBV,CAAAA,CAAMtC,CAAAA,CAAOnF,CAAI,CACxD,CAGD,GAAI,CAACmF,CAAAA,CACJ,OAAA0C,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,gBAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,CACjC,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,gKACP,CACD,CAAA,CACA,OAAA,CAAS,IACV,CAAA,CAGD,GAAI,CAGH,IAAM1C,CAAAA,CAAQ,KAAK,YAAA,CACjBsC,CAAAA,CAAiC,OACnC,CAAA,CAECA,CAAAA,CAAiC,QAAUtC,CAAAA,CAG5C,IAAMgD,EAAkB,IAAA,CAAK,kBAAA,CAAmBnI,CAAAA,CAAMmF,CAAAA,CAAOC,CAAM,CAAA,CACnE,GAAI+C,CAAAA,CACH,OAAAN,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,EACjC,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,OAAQ,IAAA,CAAMM,CAAgB,CAAC,CAAA,CACjD,OAAA,CAAS,CAAA,CACV,EAGD,IAAM5G,CAAAA,CAAS,MAAM,IAAA,CAAK,mBAAA,CAAoBkG,EAAMtC,CAAAA,CAAOnF,CAAI,EAE/D,OAAKuB,CAAAA,CAAO,SAUXsG,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,GAXxC,IAAA,CAAK,gBAA
gB,GAAA,CAAIF,CAAAA,CAAU,CAClC,QAAA,CAAU,CAAA,CACV,YAAaC,CACd,CAAC,EACD,IAAA,CAAK,UAAA,CAAW,IAAII,CAAAA,CAAa,CAChC,KAAMA,CAAAA,CACN,SAAA,CAAWJ,CACZ,CAAC,CAAA,CAAA,CAOKrG,CACR,CAAA,MAASrE,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,CAAAA,CACV,OAAA2K,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,EAAUE,CAAK,CAAA,CACjC,CACN,OAAA,CAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,2BAAA,EAA8BrG,CAAAA,CAAE,OAAO,EAAG,CACjE,CAAA,CACA,QAAS,IACV,CACD,CACD,EACD,CAEA,IAAM4G,CAAAA,CAAc,CACnB,IAAA,CAAM,SACN,UAAA,CAAajB,CAAAA,CAA4C,YAAc,EAAC,CACxE,SAAWA,CAAAA,CAA4C,QACxD,CAAA,CAEA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAInH,EAAM,CACpB,IAAA,CAAM,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAaqH,CAAAA,CAAkB,WAAA,CAAAe,CAAY,CAAA,CACzD,OAAA,CAASd,EACT,MAAA,CAAAd,CAAAA,CACA,OAAApB,CACD,CAAC,EAGG,IAAA,CAAK,QAAA,EACR,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBpF,CAAI,EAAE,KAAA,CAAOqI,CAAAA,EAAQ,CACrDjL,GAAAA,CAAI,IAAA,CACH,4CAA4C4C,CAAI,CAAA,EAAA,EAAKqI,CAAAA,CAAI,OAAO,CAAA,CACjE,EACD,CAAC,EAEH,CAKO,OACNrI,CAAAA,CACAgH,CAAAA,CACAS,EACAP,CAAAA,CAGO,CACP,GAAI,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAIlH,CAAI,CAAA,CACxB,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8BA,CAAI,CAAA,CAAE,CAAA,CAErD,KAAK,OAAA,CAAQ,GAAA,CAAIA,EAAM,CACtB,MAAA,CAAQ,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAAgH,CAAAA,CAAa,SAAA,CAAWS,CAAK,CAAA,CAC7C,OAAA,CAAAP,CACD,CAAC,EACF,CAKO,wBAA+B,CACrC,IAAA,CAAK,OACJ,oBAAA,CACA,yKAAA,CACA,EAAC,CACAoB,CAAAA,GACO,CACN,YAAa,iCAAA,CACb,QAAA,CAAU,CACT,CACC,IAAA,CAAM,OACN,OAAA,CAAS,CACR,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,CAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4IAAA,EAcL,KAAK,YAAA,CACF;;AAAA;AAAA,EAA0C,IAAA,CAAK,UAAU,IAAA,CAAK,YAAA,CAAc,KAAM,CAAC,CAAC,GACpF,EACJ;;AAAA,yDAAA,CAGD,CACD,CACD,CACD,CAAA,CAEF,EACD,CAKO,QAAA,CACNtI,EACAuI,CAAAA,CACAvB,CAAAA,CACAwB,EACAC,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,SAAA,CAAU,IAAIF,CAAG,CAAA,CACzB,MAAM,IAAI,KAAA,CAAM,oCAAoCA,CAAG,CAAA,CAAE,EAE1D,IAAA,CAAK,SAAA,CAAU,IAAIA,CAAAA,CAAK,CAAE,KAAAvI,CAAAA,CAAM,GAAA,CAAAuI,EAAK,WAAA,CAAAvB,CAAAA,CAAa,SAAAwB,CAAAA,CAAU,OAAA,CAAAC,CAAQ,CAAC,
EACtE,CAKO,cAAA,CACNjC,CAAAA,CACAxG,EAAe,gCAAA,CACfuI,CAAAA,CAAc,uBACdvB,CAAAA,CAAsB,sEAAA,CACf,CACP,IAAA,CAAK,YAAA,CAAeR,EAIpB,IAAMgB,CAAAA,CAAe,KAAK,yBAAA,CAA0BhB,CAAM,EAC1D,IAAA,GAAW,CAAClB,EAAUoD,CAAK,CAAA,GAAK,KAAK,KAAA,CAAM,OAAA,GAEzCA,CAAAA,CAAM,MAAA,CAAO,MAAM,OAAA,EACnBA,CAAAA,CAAM,OAAO,KAAA,CAAM,OAAA,YAAmBjD,IAAE,SAAA,EACxCiD,CAAAA,CAAM,KAAK,WAAA,EACX,CAACA,EAAM,IAAA,CAAK,WAAA,CAAY,SAAS,iBAAiB,CAAA,GAElDA,CAAAA,CAAM,IAAA,CAAK,WAAA,EAAe;AAAA,gBAAA,EAAqBlB,CAAY,CAAA,wBAAA,EAA2Be,CAAG,CAAA,CAAA,CACzF,IAAA,CAAK,MAAM,GAAA,CAAIjD,CAAAA,CAAUoD,CAAK,CAAA,CAAA,CAIhC,KAAK,QAAA,CACJ1I,CAAAA,CACAuI,CAAAA,CACAvB,CAAAA,CACA,mBACA,IAAA,CAAK,SAAA,CAAUR,CAAAA,CAAQ,IAAA,CAAM,CAAC,CAC/B,EACD,CAKO,aAAA,EAAsB,CAC5B,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACtBpJ,IAAI,IAAA,CAAK,iDAAiD,EAC3D,CAQQ,sBAAA,CAAuBkI,EAAyC,CACvE,IAAMsC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfe,CAAAA,CAAW,IAAA,CAAK,gBAAA,CAChBC,EAAe,IAAA,CAAK,oBAAA,CAIpBC,CAAAA,CAAAA,CAFS,IAAA,CAAK,gBAAgB,GAAA,CAAIvD,CAAQ,CAAA,EAAK,IAE/B,MAAA,CAAQQ,CAAAA,EAAM8B,CAAAA,CAAM9B,CAAAA,CAAI6C,CAAQ,CAAA,CAEtD,GAAIE,CAAAA,CAAO,MAAA,EAAUD,EAAc,CAClC,IAAME,CAAAA,CAAgB,IAAA,CAAK,MAAMD,CAAAA,CAAO,CAAC,EAAIF,CAAAA,CAAWf,CAAAA,EAAO,GAAI,CAAA,CACnE,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,wCAAwCtC,CAAQ,CAAA,MAAA,EACzCsD,CAAY,CAAA,KAAA,EAAQD,EAAW,GAAI,CAAA,sBAAA,EAC3BG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,OAAA,CAAS,IACV,CACD,CAEA,OAAAD,CAAAA,CAAO,IAAA,CAAKjB,CAAG,EACf,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAItC,CAAAA,CAAUuD,CAAM,CAAA,CAClC,IACR,CAOQ,oBAAA,EAA8C,CACrD,IAAMjB,CAAAA,CAAM,IAAA,CAAK,GAAA,EAAI,CACfe,EAAW,IAAA,CAAK,gBAAA,CAChBI,CAAAA,CAAY,IAAA,CAAK,uBAMvB,GAJA,IAAA,CAAK,gBAAA,CAAmB,IAAA,CAAK,iBAAiB,MAAA,CAC5CjD,CAAAA,EAAM8B,EAAM9B,CAAAA,CAAI6C,CAClB,EAEI,IAAA,CAAK,gBAAA,CAAiB,MAAA,EAAUI,CAAAA,CAAW,CAC9C,IAAMD,CAAAA,CAAgB,IAAA,CAAK,IAAA,CAAA,CACzB,KAAK,gBAAA,CAAiB,CAAC,CAAA,CAAIH,CAAAA,CAAWf,GAAO,GAC/C,CAAA,CACA,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,sDACOmB,CAAS,CAAA,iBAAA,EAAoBJ,CAAAA,CAAW,GAAI,yBACpCG,CAAa,CAAA,EAAA,
CAC9B,CACD,CAAA,CACA,QAAS,IACV,CACD,CAEA,OAAA,IAAA,CAAK,iBAAiB,IAAA,CAAKlB,CAAG,CAAA,CACvB,IACR,CAKA,MAAa,QAAA,CAASoB,CAAAA,CAAmD,CACxE,IAAMN,CAAAA,CAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAIM,EAAQ,IAAI,CAAA,CACzC,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAIlD,IAAMC,CAAAA,CAAoB,KAAK,oBAAA,EAAqB,CACpD,GAAIA,CAAAA,CAAmB,OAAOA,CAAAA,CAC9B,IAAMC,CAAAA,CAAkB,IAAA,CAAK,uBAAuBF,CAAAA,CAAQ,IAAI,CAAA,CAChE,GAAIE,EAAiB,OAAOA,CAAAA,CAE5B,GAAI,CAEH,IAAMC,CAAAA,CAAaT,CAAAA,CAAM,MAAA,CAAO,KAAA,CAAMM,EAAQ,SAAA,EAAa,EAAE,CAAA,CAW7D,GAPEA,EAAQ,SAAA,EACN,uBAAA,GAA4B,CAAA,CAAA,GAE9BG,CAAAA,CAAuC,wBAA0B,CAAA,CAAA,CAAA,CAKlEA,CAAAA,EACA,OAAQA,CAAAA,CAAuC,SAAY,QAAA,CAC1D,CACD,IAAMnE,CAAAA,CAAWmE,EACf,OAAA,CACIhE,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAaH,CAAO,CAAA,CACvC,GAAIG,CAAAA,CAAO,CACV,IAAMgD,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5Ba,CAAAA,CAAQ,KACR7D,CAAAA,CACAuD,CAAAA,CAAM,MACP,CAAA,CACA,OAAIP,CAAAA,CACI,CACN,QAAS,CAAC,CAAE,KAAM,MAAA,CAAQ,IAAA,CAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,CAAA,CACV,CAAA,EAEAgB,CAAAA,CAAuC,QAAUhE,CAAAA,CAC3C,MAAM,IAAA,CAAK,mBAAA,CACjBgE,EACAhE,CAAAA,CACA6D,CAAAA,CAAQ,IACT,CAAA,CACD,CACD,CAGA,OADe,MAAMN,CAAAA,CAAM,OAAA,CAAQS,EAAY,EAAE,CAElD,CAAA,MAASjM,EAAgB,CACxB,IAAMsE,CAAAA,CAAItE,CAAAA,CACV,OAAIsE,CAAAA,YAAaiE,GAAAA,CAAE,SACX,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,qBAAqBjE,CAAAA,CAAE,OAAO,CAAA,CAAG,CAAC,EAClE,OAAA,CAAS,IACV,CAAA,CAEM,CACN,QAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAM,CAAA,0BAAA,EAA6BA,CAAAA,CAAE,OAAO,CAAA,CAAG,CAChE,CAAA,CACA,OAAA,CAAS,IACV,CACD,CACD,CAKO,SAAA,EAAoB,CAC1B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,MAAM,MAAA,EAAQ,EAAE,GAAA,CAAKsE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CACzD,CAKO,WAAA,EAAwB,CAC9B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKvD,CAAAA,EAAMA,CAAAA,CAAE,MAAM,CAC7D,CAKA,MAAa,SAAA,CAAUyG,EAAqD,CAC3E,IAAMN,CAAAA,CAAQ,IAAA,CAAK,QAAQ,GAAA,CAAIM,CAAAA,CAAQ,IAAI,CAAA,CAC3C,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,qBAAqBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAEpD,OAAO,MAAMN,CAAAA,CAAM,OAAA,CA
AQM,CAAO,CACnC,CAKO,aAAA,EAA4B,CAClC,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAC1C,CAKA,MAAa,YAAA,CAAaT,EAEvB,CACF,IAAMa,CAAAA,CAAW,IAAA,CAAK,UAAU,GAAA,CAAIb,CAAG,CAAA,CACvC,GAAI,CAACa,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuBb,CAAG,CAAA,CAAE,CAAA,CAG7C,IAAI/H,CAAAA,CAAO,0BACX,OAAI,OAAO4I,CAAAA,CAAS,OAAA,EAAY,WAC/B5I,CAAAA,CAAO,MAAM4I,CAAAA,CAAS,OAAA,GACZ,OAAOA,CAAAA,CAAS,SAAY,QAAA,CACtC5I,CAAAA,CAAO4I,EAAS,OAAA,CACNA,CAAAA,CAAS,WAAA,GACnB5I,CAAAA,CAAO4I,EAAS,WAAA,CAAA,CAGV,CACN,QAAA,CAAU,CACT,CACC,GAAA,CAAKA,CAAAA,CAAS,GAAA,CACd,QAAA,CAAUA,EAAS,QAAA,EAAY,YAAA,CAC/B,KAAA5I,CACD,CACD,CACD,CACD,CAEO,aAAA,EAA4B,CAClC,OAAO,IAAA,CAAK,UACb,CAEO,WAAA,EAA+B,CACrC,OAAO,IAAA,CAAK,QACb,CAKO,eAAe6I,CAAAA,CAAoC,CACzD,IAAA,CAAK,cAAA,CAAiBA,EACvB,CAEO,YAAA,EAA8B,CACpC,OAAO,KAAK,SACb,CAMA,MAAa,aAAA,CACZtC,EAOI,EAAC,CACW,CAChB,IAAMuC,EAAU,OAAA,CAAQ,GAAA,CAAI,eACzB,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAA,CAAI,cAAA,CAAgB,EAAE,CAAA,CAC9C,OACG1M,CAAAA,CAAOmK,CAAAA,CAAQ,IAAA,EAAQuC,CAAAA,EAAW,MAGxC,IAAA,CAAK,QAAA,CAAW,IAAIC,GAAAA,CAASxC,EAAQ,UAAU,CAAA,CAC/C,MAAM,IAAA,CAAK,QAAA,CAAS,OAAM,CAI1B,IAAMyC,CAAAA,CAAc,IAAA,CAAK,SACzB,IAAA,CAAK,QAAA,CAAS,uBAAA,CAAwB,IAAoB,CACzD,IAAMC,CAAAA,CAAQ,IAAA,CAAK,SAAA,GAAY,GAAA,CAAK3D,CAAAA,GAAO,CAC1C,IAAA,CAAMA,CAAAA,CAAE,KACR,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,WAAA,CAAaA,EAAE,WAChB,CAAA,CAAE,CAAA,CAEI4D,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKC,CAAAA,GAAO,CACjE,KAAMA,CAAAA,CAAE,IAAA,CACR,GAAA,CAAKA,CAAAA,CAAE,IACP,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,QAAA,CAAUA,EAAE,QAAA,CACZ,IAAA,CAAM,OAAOA,CAAAA,CAAE,SAAY,QAAA,CAAWA,CAAAA,CAAE,QAAUA,CAAAA,CAAE,WACrD,EAAE,CAAA,CAEF,OAAO,CACN,MAAA,CAAQH,EAAY,SAAA,EAAU,CAC9B,QAAA,CAAU5M,CAAAA,CACV,MAAA6M,CAAAA,CACA,SAAA,CAAAC,CAAAA,CACA,UAAA,CAAY,KAAK,UAClB,CACD,CAAC,CAAA,CAGD,IAAA,IAAWE,KAAQ,IAAA,CAAK,SAAA,EAAU,CACjC,MAAM,KAAK,QAAA,CAAS,kBAAA,CAAmBA,CAAAA,CAAK,IAAI,EAAE,KAAA,CAAMxM,GAAAA,CAAI,IAAI,CAAA,CAIjE,MAAM,IAAA,CAAK,QAAA,CAAS,kBAAiB,CAAE,KAAA,CAAMA,IAAI,IAAI,CAAA,CAGrD,IAAA,CAAK,S
AAA,CAAY,IAAIX,CAAAA,CAErB,IAAA,CAAK,SAAA,CAAU,UAAA,CAAW,CACzB,eAAA,CAAiB,CAAC+C,CAAAA,CAAMtB,CAAAA,GAAa,CACpC,IAAM8K,CAAAA,CAAUxJ,CAAAA,CAAK,OAAA,CACrBpC,IAAI,IAAA,CACH,CAAA,8CAAA,EAAiD4L,CAAAA,CAAQ,eAAe,EACzE,CAAA,CAGA,OAAO,qBAAwB,CAAA,CAAE,KAAK,MAAO,CAAE,eAAA,CAAAa,CAAgB,IAAM,CACpE,GAAM,CAAE,SAAA,CAAAC,CAAAA,CAAW,UAAAC,CAAU,CAAA,CAC5B,MAAMF,CAAAA,CAAgB,iBAAgB,CAEjCG,CAAAA,CAAe/B,CAAAA,CAAO,UAAA,GAC5B,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI+B,CAAAA,CAAc,CAC/B,eAAA,CAAiBhB,CAAAA,CAAQ,eAAA,CACzB,QAAA,CAAUe,CACX,CAAC,CAAA,CAED7L,CAAAA,CAAS,IAAA,CAAM,CACd,QAAA,CAAU,IAAA,CACV,aAAA,CAAe8L,CAAAA,CACf,cAAe,EAAA,CACf,gBAAA,CAAkBF,CACnB,CAAC,EACF,CAAC,EACF,EACA,YAAA,CAAc,MACbtK,GACI,CACJ,IAAMwJ,CAAAA,CAAUxJ,CAAAA,CAAK,QACrBpC,GAAAA,CAAI,IAAA,CACH,CAAA,kDAAA,EAAqD4L,CAAAA,CAAQ,aAAa,CAAA,CAC3E,CAAA,CAEA,IAAMiB,CAAAA,CAAU,KAAK,QAAA,CAAS,GAAA,CAAIjB,CAAAA,CAAQ,aAAa,EACvD,GAAI,CAACiB,CAAAA,CAAS,CACbzK,EAAK,IAAA,CAAK,OAAA,CAAS,CAClB,IAAA,CAAW0K,SAAO,eAAA,CAClB,OAAA,CAAS,uBACV,CAAC,EACD,MACD,CAEA,GAAI,CAEH,IAAMC,EAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAYnB,CAAAA,CAAQ,cAAA,CACpB,YAAA,CAAc,MAAM,IAAA,CAAKiB,CAAAA,CAAQ,QAAQ,CAAA,CACzC,WAAYjB,CAAAA,CAAQ,WAAA,CACpB,OAAQA,CAAAA,CAAQ,MAAA,CAChB,SAAUA,CAAAA,CAAQ,SAAA,CAClB,OAAA,CAAS,IAAA,CAAK,eACd,YAAA,CAAcA,CAAAA,CAAQ,aAAA,CACtB,WAAA,CAAa,EACd,CAAC,CAAA,CAEGoB,CAAAA,CACJ,GAAI,CACHA,CAAAA,CACC,OAAOD,EAAe,MAAA,EAAW,QAAA,CAC9BA,EAAe,MAAA,CACf,IAAA,CAAK,SAAA,CAAUA,CAAAA,CAAe,MAAM,CAAA,CAGxC,IAAME,CAAAA,CAAU,IAAA,CAAK,MAAMD,CAAW,CAAA,CACtC,GAAIC,CAAAA,CAAQ,kBAAmB,CAC9BjN,GAAAA,CAAI,IAAA,CACH,CAAA,mCAAA,EAAsCiN,EAAQ,iBAAiB,CAAA,CAChE,CAAA,CACA,IAAMC,EAAa,MAAM,IAAA,CAAK,QAAA,CAAS,CACtC,KAAMD,CAAAA,CAAQ,iBAAA,CACd,SAAA,CAAWA,CAAAA,CAAQ,mBAAqB,EACzC,CAAC,CAAA,CACDD,CAAAA,CAAc,KAAK,SAAA,CAAUE,CAAU,EACxC,CACD,MAAQ,CACPF,CAAAA,CAAc,MAAA,CAAOD,CAAAA,CAAe,MAAM,EAC3C,CAEA,IAAMI,CAAAA,CAA0B,CAC/B,iBAAA,CAAmBH,CAAAA,CACnB,mBAAA,CAAqBI,MAAAA,CAAO,KAC3BL,CAAAA,CAAe,QAAA,EAAY,EAAA,CAC3B,KACD,EACA,UAAA,CAAYA,CAAAA,CAAe,UAAA,CACxBK,MAAAA,CAAO,KAAKL,CAAAA,C
AAe,UAAA,CAAY,QAAQ,CAAA,CAC/CK,OAAO,IAAA,CAAK,EAAE,EACjB,QAAA,CAAU,CAAA,CACX,EAGM7L,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAC5C,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAMyL,CAAY,CACnC,CAAC,CAAA,CACKK,EAAuB,IAAA,CAAK,8BAAA,CACjC,IAAA,CAAK,8BAAA,CAA+BL,CAAW,CAChD,CAAA,CACA,GAAIzL,CAAAA,EAAa8L,EAAsB,CAEtC,IAAMC,CAAAA,CACL/L,CAAAA,EAAa,qCACdvB,GAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDsN,CAAc,EACnE,CAAA,CACAH,CAAAA,CAAS,kBACR,6EAAA,CACDA,CAAAA,CAAS,SAAW,CAAA,EACrB,CAEA/K,CAAAA,CAAK,KAAA,CAAM+K,EAAU,IAAM,CAC1B/K,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,MAAStC,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJyN,CAAAA,CACL,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,CAEpBC,CAAAA,CAASpJ,CAAAA,CAAE,OAAA,EAAW,OAAOtE,CAAK,CAAA,CACxCE,GAAAA,CAAI,KAAA,CAAM,+BAA+BwN,CAAM,CAAA,CAAE,EAOjD,IAAMC,CAAAA,CAA+B,CACpC,iBAAA,CANoBF,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,GAC1B,wGAAA,CAKF,mBAAA,CAAqBJ,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CACnC,UAAA,CAAYA,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CAC1B,QAAA,CAAU,IACX,CAAA,CAEA,GAAI,CACHhL,CAAAA,CAAK,KAAA,CAAMqL,CAAAA,CAAe,IAAM,CAC/BrL,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,KAAoB,CACnBA,CAAAA,CAAK,MACN,CACD,CACD,CACD,CAAC,EAED,IAAA,CAAK,SAAA,CAAY,MAAM,IAAA,CAAK,UAAU,MAAA,CAAO5C,CAAI,CAAA,CACjDQ,GAAAA,CAAI,KACH,CAAA,wDAAA,EAA2D,IAAA,CAAK,QAAA,CAAS,SAAA,EAAW,CAAA,CACrF,EACD,CAKA,MAAc,oBACb0N,CAAAA,CACAC,CAAAA,CACAzF,CAAAA,CAC0B,CAC1B,GAAI,CAEH,IAAM6E,CAAAA,CAAiB,MAAM,KAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAY,IAAI,UAAA,CAAW,CAAC,EAC5B,YAAA,CAAc,KAAA,CAAM,KAAK,IAAI,UAAA,CAAW,CAAC,CAAC,EAC1C,cAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,EAChC,UAAA,CAAYK,MAAAA,CAAO,IAAA,CAAKO,CAAU,EAClC,MAAA,CAAQ,EAAC,CACT,OAAA,CAAS,KAAK,cAAA,CACd,YAAA,CAAc,iBAAA,CACd,WAAA,CAAa,EACd,CAAC,CAAA,CAUKtC,CAAAA,CAAU,CACf,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAViB,IAAA,CAAK,UAAU,CACjC,kBAAA,CAAoB0B,EAAe,MAAA,CACnC,QAAA,CAAUA,EAAe,QAAA,CACzB,UAAA,CAAYA,CAAAA,CAAe,UAAA,CAC3B,OAAQ,+BACT,CAAC,CAMA,CACD,EAEMa,CAAAA,CAAa1F,CAAAA,CAChB,IAAA,CAAK,KAAA,CAAM,IAAIA,CAAQ,CAAA,EAAG,OAC1B,KAAA,CAAA,CACG2F,CAAAA,CAAkB,KAAK,oBAAA,CAC5B3F,
CAAAA,EAAY,cAAA,CACZ6E,CAAAA,CAAe,OACfa,CACD,CAAA,CACA,GAAIC,CAAAA,CAEH,OAAA7N,GAAAA,CAAI,IAAA,CACH,CAAA,qCAAA,EAAwCkI,CAAAA,EAAY,cAAc,CAAA,EAAA,EAAK2F,CAAe,EACvF,CAAA,CAWO,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,KAZF,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,OAAA,CAAQ,IAAI,gBAAA,GAAqB,GAAA,CAG/BA,CAAAA,CACA,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAA,CAID,IAAMtM,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK8J,CAAO,CAAA,CAC9CgC,CAAAA,CAAuB,IAAA,CAAK,+BACjCN,CAAAA,CAAe,MAChB,EACA,GAAIxL,CAAAA,EAAa8L,EAAsB,CAGtC,IAAMC,CAAAA,CACL/L,CAAAA,EACA,iGACD,OAAAvB,GAAAA,CAAI,IAAA,CACH,CAAA,qDAAA,EAAwDsN,CAAc,CAAA,CACvE,CAAA,CAWO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAZF,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,GAAqB,IAG/B,CAAA,kCAAA,EAAqCA,CAAc,CAAA,CAAA,CACnD,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,EACV,CACD,CAEA,OAAO,CAAE,OAAA,CAAAjC,CAAQ,CAClB,OAASvL,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJyN,CAAAA,CACL,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,eACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,QAAQ,GAAA,CAAI,gBAAA,GAAqB,GAAA,CAE5BC,CAAAA,CAASpJ,EAAE,OAAA,EAAW,MAAA,CAAOtE,CAAK,CAAA,CACxC,OAAAE,GAAAA,CAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CwN,CAAM,EAAE,CAAA,CAMrD,CACN,QAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CARkBD,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,CAAA,CAAA,CAC1B,wGAOD,CACD,CAAA,CACA,QAAS,IACV,CACD,CACD,CAMA,MAAa,KAAA,EAAuB,CAC/B,KAAK,UAAA,EACR,MAAM,KAAK,UAAA,CAAW,KAAA,CAAM,CAAE,KAAA,CAAO,IAAK,CAAC,CAAA,CAExC,IAAA,CAAK,SAAA,EACR,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAK,CAEvB,KAAK,QAAA,EACR,MAAM,KAAK,QAAA,CAAS,IAAA,GAEtB,CACD","file":"chunk-FW6CICSY.js","sourcesContent":["import * as grpc from \"@grpc/grpc-js\";\nimport { log } from \"../utils/logger.js\";\nimport { liopV1 } from \"./proto.js\";\nimport { createServerCredentials, type LiopTlsOptions } from \"./tls.js\";\nimport type {\n\tIntentRequest,\n\tIntentResponse,\n\tLogicRequest,\n\tLogicResponse,\n} from \"./types.js\";\n\n/**\n * LIOP gRPC Service 
Implementation\n * Handles intent negotiation and secure logic execution.\n */\n\n/** Production-grade gRPC channel options per official grpc-node recommendations */\nconst GRPC_CHANNEL_OPTIONS = {\n\t\"grpc.keepalive_time_ms\": 30_000,\n\t\"grpc.keepalive_timeout_ms\": 10_000,\n\t\"grpc.keepalive_permit_without_calls\": 1,\n\t\"grpc.max_send_message_length\": -1,\n\t\"grpc.max_receive_message_length\": -1,\n\t\"grpc.enable_retries\": 1,\n};\n\nexport class LiopRpcServer {\n\tprivate server: grpc.Server;\n\n\tconstructor() {\n\t\tthis.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);\n\t}\n\n\tpublic addService(handlers: {\n\t\tnegotiateIntent: (\n\t\t\tcall: grpc.ServerUnaryCall<IntentRequest, IntentResponse>,\n\t\t\tcallback: grpc.sendUnaryData<IntentResponse>,\n\t\t) => void;\n\t\texecuteLogic: (\n\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t) => void;\n\t}): void {\n\t\tthis.server.addService(liopV1.LogicMesh.service, {\n\t\t\tNegotiateIntent: handlers.negotiateIntent,\n\t\t\tExecuteLogic: handlers.executeLogic,\n\t\t});\n\t}\n\n\tpublic async listen(\n\t\tport: number = 50051,\n\t\ttls?: LiopTlsOptions,\n\t): Promise<number> {\n\t\tconst credentials = createServerCredentials(tls);\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.server.bindAsync(\n\t\t\t\t`0.0.0.0:${port}`,\n\t\t\t\tcredentials,\n\t\t\t\t(error, assignedPort) => {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\treject(error);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tlog.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);\n\t\t\t\t\tresolve(assignedPort);\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\tpublic async stop(): Promise<void> {\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.server.tryShutdown(() => {\n\t\t\t\tlog.info(\"[LIOP-RPC] Server shut down\");\n\t\t\t\tresolve();\n\t\t\t});\n\t\t});\n\t}\n}\n","/**\n * LIOP Taint Analyzer — Static Information Flow Control (IFC)\n *\n * Performs AST-level taint tracking on injected Logic-on-Origin code\n * to 
detect side-channel data exfiltration via scalar derivation\n * (charCodeAt, boolean inference, arithmetic on PII fields).\n *\n * Architecture: 3-pass analysis using Acorn ESTree parser.\n * Pass 1 — Identify record-bound variables (callback params of env.records methods)\n * Pass 2 — Propagate taint through assignments and expressions\n * Pass 3 — Check return statements for tainted values flowing to output\n *\n * References:\n * - Acorn ESTree spec: https://github.com/estree/estree\n * - Acorn-Walk SimpleVisitors: https://github.com/acornjs/acorn/tree/master/acorn-walk\n * - OWASP Information Flow Control patterns\n */\n\nimport * as acorn from \"acorn\";\nimport { type SimpleVisitors, simple } from \"acorn-walk\";\n\n// ── Public API ───────────────────────────────────────────────────────\n\nexport interface TaintViolation {\n\t/** Human-readable reason for the block */\n\treason: string;\n\t/** Source line number (1-indexed) if available */\n\tline?: number;\n\t/** The specific operation that triggered the violation */\n\toperation?: string;\n}\n\n/**\n * Static taint analyzer for LIOP Logic-on-Origin payloads.\n *\n * Detects when PII field values are derived into scalar outputs\n * (charCodeAt, boolean inference, arithmetic) that would bypass\n * the Egress Shield's pattern-based detection.\n */\nexport class TaintAnalyzer {\n\tprivate readonly piiFields: Set<string>;\n\n\t/** String methods that extract character-level information from PII */\n\tprivate static readonly TAINT_PROPAGATING_METHODS = new Set([\n\t\t// Character extraction\n\t\t\"charCodeAt\",\n\t\t\"codePointAt\",\n\t\t\"charAt\",\n\t\t\"at\",\n\t\t// Search/position (reveals content structure)\n\t\t\"indexOf\",\n\t\t\"lastIndexOf\",\n\t\t\"search\",\n\t\t// Comparison (reveals ordering/content)\n\t\t\"localeCompare\",\n\t\t\"startsWith\",\n\t\t\"endsWith\",\n\t\t\"includes\",\n\t\t// Transformation (preserves PII content in different 
form)\n\t\t\"substring\",\n\t\t\"slice\",\n\t\t\"substr\",\n\t\t\"split\",\n\t\t\"match\",\n\t\t\"matchAll\",\n\t\t\"replace\",\n\t\t\"replaceAll\",\n\t\t\"normalize\",\n\t\t\"toLowerCase\",\n\t\t\"toUpperCase\",\n\t\t\"trim\",\n\t\t\"trimStart\",\n\t\t\"trimEnd\",\n\t\t\"padStart\",\n\t\t\"padEnd\",\n\t\t\"repeat\",\n\t]);\n\n\t/** Array iteration methods whose callbacks receive individual records */\n\tprivate static readonly ARRAY_CALLBACK_METHODS = new Set([\n\t\t\"map\",\n\t\t\"forEach\",\n\t\t\"filter\",\n\t\t\"find\",\n\t\t\"some\",\n\t\t\"every\",\n\t\t\"flatMap\",\n\t\t\"findIndex\",\n\t]);\n\n\t/** Reduce-family methods where the record param is the SECOND callback arg */\n\tprivate static readonly REDUCE_METHODS = new Set([\"reduce\", \"reduceRight\"]);\n\n\tconstructor(piiFields: string[]) {\n\t\tthis.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));\n\t}\n\n\t/**\n\t * Analyzes injected source code for PII taint violations.\n\t *\n\t * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope\n\t * @returns A TaintViolation if PII-derived values flow to output, null if clean\n\t */\n\tanalyze(sourceCode: string): TaintViolation | null {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\t// Wrap in function body to handle bare `return` statements\n\t\t\tconst wrapped = `function liop_analysis_wrapper(env) {\\n${sourceCode}\\n}`;\n\t\t\tast = acorn.parse(wrapped, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t\tlocations: true,\n\t\t\t});\n\t\t} catch {\n\t\t\t// Syntax errors are handled downstream by the sandbox VM\n\t\t\treturn null;\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tconst taintedVars = new Set<string>();\n\n\t\t// Pass 1: Identify variables bound to individual records\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\t// Pass 2: Propagate taint through variable assignments\n\t\tthis.propagateTaint(ast, recordBoundVars, taintedVars);\n\n\t\t// Pass 3: Check if any 
return statement contains tainted values\n\t\treturn this.checkReturnStatements(ast, recordBoundVars, taintedVars);\n\t}\n\n\t// ── Pass 1: Record-Bound Variable Identification ──────────────────\n\n\tprivate identifyRecordBoundVars(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t): void {\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst member = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(member);\n\t\t\t\tif (!methodName) return;\n\n\t\t\t\t// Check if this is env.records.METHOD(callback)\n\t\t\t\tif (!this.isEnvRecordsAccess(member.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (!callback) return;\n\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 0\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst param = fn.params[0];\n\t\t\t\t\t\tif (param.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(param.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.REDUCE_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 1\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst recordParam = fn.params[1];\n\t\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(recordParam.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// for (const r of env.records) → r is record-bound\n\t\t\tForOfStatement: (node) => {\n\t\t\t\tif (!this.isEnvRecordsAccess(node.right)) return;\n\n\t\t\t\tif (node.left.type === \"VariableDeclaration\") {\n\t\t\t\t\tfor (const declarator of node.left.declarations) {\n\t\t\t\t\t\tif (declarator.id.type === \"Identifier\") 
{\n\t\t\t\t\t\t\trecordBoundVars.add(declarator.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\t// Also handle: const r = env.records[N]\n\t\tconst indexVisitors: SimpleVisitors<void> = {\n\t\t\tVariableDeclarator: (node) => {\n\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\tif (\n\t\t\t\t\tnode.init.type === \"MemberExpression\" &&\n\t\t\t\t\t(node.init as acorn.MemberExpression).computed\n\t\t\t\t) {\n\t\t\t\t\tconst member = node.init as acorn.MemberExpression;\n\t\t\t\t\tif (this.isEnvRecordsAccess(member.object)) {\n\t\t\t\t\t\trecordBoundVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, indexVisitors);\n\t}\n\n\t// ── Pass 2: Taint Propagation ─────────────────────────────────────\n\n\tprivate propagateTaint(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): void {\n\t\t// Multiple iterations to handle transitive taint chains\n\t\t// (e.g., const a = r.name; const b = a; const c = b.charCodeAt(0))\n\t\tfor (let iteration = 0; iteration < 3; iteration++) {\n\t\t\tconst sizeBefore = taintedVars.size;\n\n\t\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\t\tVariableDeclarator: (node) => {\n\t\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.init, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tAssignmentExpression: (node) => {\n\t\t\t\t\tif (node.left.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.right, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((node.left as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\t// Imperative taint: array.push(taintedValue) contaminates the array\n\t\t\t\t// Covers for-of and forEach patterns that push PII-derived 
values\n\t\t\t\tCallExpression: (node) => {\n\t\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tmethodName === \"push\" &&\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\tnode.arguments.some((arg) =>\n\t\t\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\n\t\t\tsimple(ast, visitors);\n\n\t\t\t// Fixed point: stop if no new tainted vars discovered\n\t\t\tif (taintedVars.size === sizeBefore) break;\n\t\t}\n\t}\n\n\t// ── Pass 3: Return Statement Sink Detection ───────────────────────\n\n\tprivate checkReturnStatements(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (violation) return; // Already found one\n\n\t\t\t\tif (!node.argument) return;\n\n\t\t\t\tif (\n\t\t\t\t\tthis.isExpressionTainted(node.argument, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst line = node.loc?.start.line\n\t\t\t\t\t\t? node.loc.start.line - 1 // Adjust for wrapper function offset\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tconst operation = this.describeTaintSource(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t\tviolation = {\n\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t`PII side-channel detected: output contains values derived from restricted fields. ` +\n\t\t\t\t\t\t\t`${operation ? `Operation: ${operation}. 
` : \"\"}` +\n\t\t\t\t\t\t\t`Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,\n\t\t\t\t\t\tline,\n\t\t\t\t\t\toperation,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\treturn violation;\n\t}\n\n\t// ── Core Taint Evaluation ─────────────────────────────────────────\n\n\t/**\n\t * Recursively determines if an AST expression produces a tainted value.\n\t * A value is tainted if it derives from a PII field on a record-bound variable.\n\t */\n\tprivate isExpressionTainted(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tswitch (node.type) {\n\t\t\tcase \"Identifier\":\n\t\t\t\treturn taintedVars.has((node as acorn.Identifier).name);\n\n\t\t\tcase \"MemberExpression\":\n\t\t\t\treturn this.isMemberExprTainted(\n\t\t\t\t\tnode as acorn.MemberExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"CallExpression\":\n\t\t\t\treturn this.isCallExprTainted(\n\t\t\t\t\tnode as acorn.CallExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"BinaryExpression\":\n\t\t\tcase \"LogicalExpression\": {\n\t\t\t\tconst bin = node as acorn.BinaryExpression;\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(bin.left, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(bin.right, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"UnaryExpression\": {\n\t\t\t\tconst unary = node as acorn.UnaryExpression;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tunary.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ConditionalExpression\": {\n\t\t\t\tconst cond = node as acorn.ConditionalExpression;\n\t\t\t\t// If the test involves tainted values, the branch choice leaks info\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(cond.test, recordBoundVars, taintedVars) 
||\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tcond.consequent,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t) ||\n\t\t\t\t\tthis.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ObjectExpression\": {\n\t\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\t\treturn obj.properties.some(\n\t\t\t\t\t(prop) =>\n\t\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ArrayExpression\": {\n\t\t\t\tconst arr = node as acorn.ArrayExpression;\n\t\t\t\treturn arr.elements.some(\n\t\t\t\t\t(el) =>\n\t\t\t\t\t\tel !== null &&\n\t\t\t\t\t\tthis.isExpressionTainted(el, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"TemplateLiteral\": {\n\t\t\t\tconst tmpl = node as acorn.TemplateLiteral;\n\t\t\t\treturn tmpl.expressions.some((expr) =>\n\t\t\t\t\tthis.isExpressionTainted(expr, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"SpreadElement\": {\n\t\t\t\tconst spread = node as acorn.SpreadElement;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tspread.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\t// Literals, ThisExpression, etc. 
are never tainted\n\t\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Checks if a MemberExpression accesses a PII field on a record-bound variable.\n\t * Examples: r.accountHolder, r[\"name\"], taintedVar.length, taintedVar[0]\n\t */\n\tprivate isMemberExprTainted(\n\t\tmember: acorn.MemberExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tconst propName = this.getPropertyName(member);\n\n\t\t// Case 1: recordBoundVar.piiField (direct PII access via callback param)\n\t\tif (\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name) &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 2: env.records[N].piiField (direct indexed access without callback)\n\t\t// AST: MemberExpression { object: MemberExpression { object: env.records, computed: true }, property: piiField }\n\t\tif (\n\t\t\tmember.object.type === \"MemberExpression\" &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\tconst parentMember = member.object as acorn.MemberExpression;\n\t\t\tif (\n\t\t\t\tparentMember.computed &&\n\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Case 3: taintedVar.anything (any property access on tainted value)\n\t\t// .length on a tainted string leaks PII info, .charCodeAt leaks chars, etc.\n\t\tif (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 4: Computed access on record-bound var with PII field\n\t\t// e.g., r[\"account\" + \"Holder\"]\n\t\tif (\n\t\t\tmember.computed &&\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name)\n\t\t) {\n\t\t\t// Conservative: if computed access on record, check if the property\n\t\t\t// expression evaluates to a PII field (for string literals 
only)\n\t\t\tif (member.property.type === \"Literal\") {\n\t\t\t\tconst litVal = (member.property as acorn.Literal).value;\n\t\t\t\tif (\n\t\t\t\t\ttypeof litVal === \"string\" &&\n\t\t\t\t\tthis.piiFields.has(litVal.toLowerCase())\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if a CallExpression produces a tainted result.\n\t * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.\n\t */\n\tprivate isCallExprTainted(\n\t\tcall: acorn.CallExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Pattern: taintedObj.method() — method on tainted object propagates taint\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t// tainted.charCodeAt() / tainted.split() / etc.\n\t\t\tif (\n\t\t\t\tmethodName &&\n\t\t\t\tTaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) &&\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// env.records.map/filter/reduce(callback) — check if callback produces taint\n\t\t\tif (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {\n\t\t\t\tconst callback = call.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\t\tcallback as acorn.ArrowFunctionExpression,\n\t\t\t\t\t\tmethodName,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Tainted array/string method chains: tainted.reduce(...), tainted.map(...)\n\t\t\t// Handles patterns like r.accountHolder.split('').reduce((a,c) => ...)\n\t\t\tif (\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn 
true;\n\t\t\t}\n\n\t\t\t// Math.round(taintedArg) / JSON.stringify(taintedArg) — function calls with tainted arguments\n\t\t\t// on safe objects still produce tainted results\n\t\t\tif (\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Pattern: someArray.push(taintedValue) — marks the receiving array as tainted\n\t\t// This covers imperative for-of patterns:\n\t\t// for (const r of env.records) { codes.push(r.name.charCodeAt(0)) }\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\tif (\n\t\t\t\tmethodName === \"push\" &&\n\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\t// Mark the array variable as tainted (it now contains PII-derived values)\n\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t}\n\t\t}\n\n\t\t// Check if any argument is tainted (for functions that might propagate)\n\t\t// Conservative: if calling a function WITH tainted args, consider result tainted\n\t\t// This catches: someHelper(r.name), parseInt(taintedVar), etc.\n\t\tif (call.callee.type === \"Identifier\") {\n\t\t\tconst fnName = (call.callee as acorn.Identifier).name;\n\t\t\t// Allow safe math/utility functions that don't propagate PII\n\t\t\tconst SAFE_GLOBALS = new Set([\n\t\t\t\t\"Math\",\n\t\t\t\t\"Number\",\n\t\t\t\t\"parseInt\",\n\t\t\t\t\"parseFloat\",\n\t\t\t\t\"isNaN\",\n\t\t\t\t\"isFinite\",\n\t\t\t]);\n\t\t\tif (!SAFE_GLOBALS.has(fnName)) {\n\t\t\t\treturn call.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if an array method callback produces 
tainted output.\n\t * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result\n\t */\n\tprivate doesCallbackProduceTaint(\n\t\tcallback: acorn.ArrowFunctionExpression | acorn.FunctionExpression,\n\t\tmethodName: string | null,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Create a temporary scope with callback params as record-bound\n\t\tconst scopedRecordVars = new Set(recordBoundVars);\n\t\tconst scopedTaintedVars = new Set(taintedVars);\n\n\t\tif (callback.params.length > 0) {\n\t\t\tconst isReduce =\n\t\t\t\tmethodName !== null && TaintAnalyzer.REDUCE_METHODS.has(methodName);\n\t\t\tconst recordParamIndex = isReduce ? 1 : 0;\n\n\t\t\tif (\n\t\t\t\tcallback.params.length > recordParamIndex &&\n\t\t\t\tcallback.params[recordParamIndex].type === \"Identifier\"\n\t\t\t) {\n\t\t\t\tscopedRecordVars.add(\n\t\t\t\t\t(callback.params[recordParamIndex] as acorn.Identifier).name,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// For arrow functions with expression body: (r) => r.name.charCodeAt(0)\n\t\tif (\n\t\t\tcallback.type === \"ArrowFunctionExpression\" &&\n\t\t\tcallback.body.type !== \"BlockStatement\"\n\t\t) {\n\t\t\treturn this.isExpressionTainted(\n\t\t\t\tcallback.body,\n\t\t\t\tscopedRecordVars,\n\t\t\t\tscopedTaintedVars,\n\t\t\t);\n\t\t}\n\n\t\t// For block bodies, check return statements within the callback\n\t\tlet hasTaintedReturn = false;\n\t\tconst returnVisitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturn = true;\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(callback.body as acorn.Node, returnVisitors);\n\n\t\treturn hasTaintedReturn;\n\t}\n\n\t// ── Utility Methods ───────────────────────────────────────────────\n\n\t/** Extracts the property name from a MemberExpression 
(dot or bracket with string literal) */\n\tprivate getPropertyName(member: acorn.MemberExpression): string | null {\n\t\tif (!member.computed && member.property.type === \"Identifier\") {\n\t\t\treturn (member.property as acorn.Identifier).name;\n\t\t}\n\t\tif (member.computed && member.property.type === \"Literal\") {\n\t\t\tconst val = (member.property as acorn.Literal).value;\n\t\t\tif (typeof val === \"string\") return val;\n\t\t}\n\t\treturn null;\n\t}\n\n\t/** Checks if an expression resolves to `env.records` or `records` */\n\tprivate isEnvRecordsAccess(node: acorn.Node): boolean {\n\t\t// Direct: env.records\n\t\tif (node.type === \"MemberExpression\") {\n\t\t\tconst member = node as acorn.MemberExpression;\n\t\t\tconst propName = this.getPropertyName(member);\n\t\t\tif (\n\t\t\t\tpropName === \"records\" &&\n\t\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\t\t(member.object as acorn.Identifier).name === \"env\"\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// Bare: records (injected as sandbox global)\n\t\tif (\n\t\t\tnode.type === \"Identifier\" &&\n\t\t\t(node as acorn.Identifier).name === \"records\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/** Generates a human-readable description of the taint source for error messages */\n\tprivate describeTaintSource(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): string | undefined {\n\t\tif (node.type === \"Identifier\") {\n\t\t\tconst name = (node as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(name)) return `variable '${name}' is PII-derived`;\n\t\t}\n\n\t\tif (node.type === \"ObjectExpression\") {\n\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\tfor (const prop of obj.properties) {\n\t\t\t\tif (\n\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst keyName =\n\t\t\t\t\t\tprop.key.type === 
\"Identifier\"\n\t\t\t\t\t\t\t? (prop.key as acorn.Identifier).name\n\t\t\t\t\t\t\t: \"unknown\";\n\t\t\t\t\treturn `property '${keyName}' contains PII-derived value`;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst methodName = this.getPropertyName(\n\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t);\n\t\t\t\tif (methodName) return `result of .${methodName}() on PII data`;\n\t\t\t}\n\t\t}\n\n\t\treturn undefined;\n\t}\n}\n","/**\n * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)\n *\n * Lightweight NER scanner using `compromise` NLP for detecting\n * person names, places, and organizations in free-text output values.\n *\n * This layer operates AFTER the regex-based PII scanner and\n * catches entities that lack a deterministic format pattern\n * (e.g., \"Evelyn Reed\" cannot be detected by regex).\n *\n * Architecture: opt-in per-server via `enableNerScanning: true`.\n * Performance: ~10ms for typical SDK output sizes (< 10KB).\n *\n * @see https://github.com/spencermountain/compromise\n */\n// Types for compromise (minimal)\ntype NlpDoc = {\n\tpeople: () => { out: (type: string) => string[] };\n\tplaces: () => { out: (type: string) => string[] };\n\torganizations: () => { out: (type: string) => string[] };\n};\ntype NlpStatic = ((text: string) => NlpDoc) & {\n\taddWords: (words: Record<string, string>) => void;\n};\n\n/**\n * Medical/pharmaceutical vocabulary safelist.\n * These terms are tagged as #Medication to prevent the NER\n * from misclassifying them as person/organization names.\n * Extends progressively — add terms as false positives arise.\n */\nconst MEDICAL_VOCABULARY: Record<string, string> = {\n\taspirin: \"Medication\",\n\tlisinopril: \"Medication\",\n\tmetformin: \"Medication\",\n\tamlodipine: \"Medication\",\n\tatorvastatin: \"Medication\",\n\tomeprazole: 
\"Medication\",\n\tlosartan: \"Medication\",\n\tsimvastatin: \"Medication\",\n\tlevothyroxine: \"Medication\",\n\tibuprofen: \"Medication\",\n\tacetaminophen: \"Medication\",\n\tamoxicillin: \"Medication\",\n\tciprofloxacin: \"Medication\",\n\tprednisone: \"Medication\",\n\twarfarin: \"Medication\",\n\tinsulin: \"Medication\",\n\thydrochlorothiazide: \"Medication\",\n\tgabapentin: \"Medication\",\n\talbuterol: \"Medication\",\n\tpantoprazole: \"Medication\",\n\t// Generic clinical terms\n\thypertension: \"Condition\",\n\tdiabetes: \"Condition\",\n\tbronchitis: \"Condition\",\n\tpneumonia: \"Condition\",\n\tasthma: \"Condition\",\n};\n\n/** Single named entity detected by the NER scanner. */\nexport interface NerEntity {\n\ttype: \"person\" | \"place\" | \"organization\";\n\ttext: string;\n}\n\n/** Result of an NER scan operation. */\nexport interface NerScanResult {\n\tdetected: boolean;\n\tentities: NerEntity[];\n}\n\n// Minimum string length to attempt NER analysis.\n// Shorter strings are unlikely to contain meaningful named entities.\nconst MIN_TEXT_LENGTH = 4;\n\n// Pattern to identify strings that are purely numeric/symbolic (skip NER)\nconst NON_TEXT_PATTERN = /^[\\d\\s.,:;!?()[\\]{}<>@#$%^&*+=|\\\\/\"'`~_-]+$/;\n\n/**\n * Scans text content for named entities that may represent PII.\n * Uses `compromise/three` for person, place, and organization detection.\n *\n * Designed for egress filtering — optimized for recall over precision\n * to ensure sensitive data does not leak through aliased output keys.\n */\nexport class NerScanner {\n\tprivate static nlp: NlpStatic | null = null;\n\n\t/**\n\t * Lazy loads the compromise library only when needed.\n\t */\n\tprivate async getNlp(): Promise<NlpStatic> {\n\t\tif (!NerScanner.nlp) {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: dynamic import of optional dependency\n\t\t\tconst mod = (await import(\"compromise/three\")) as any;\n\t\t\t// compromise export can vary depending on 
bundling\n\t\t\tNerScanner.nlp = (mod.default || mod) as NlpStatic;\n\t\t\tNerScanner.nlp.addWords(MEDICAL_VOCABULARY);\n\t\t}\n\t\treturn NerScanner.nlp;\n\t}\n\n\t/**\n\t * Scans a single string value for named entities.\n\t * Returns detected entities if the text contains recognizable PII.\n\t */\n\tasync scan(text: string): Promise<NerScanResult> {\n\t\tif (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tconst nlp = await this.getNlp();\n\t\tconst doc = nlp(text);\n\t\tconst entities: NerEntity[] = [];\n\n\t\tconst people = doc.people().out(\"array\");\n\t\tfor (const person of people) {\n\t\t\tconst trimmed = person.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"person\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst places = doc.places().out(\"array\");\n\t\tfor (const place of places) {\n\t\t\tconst trimmed = place.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"place\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst orgs = doc.organizations().out(\"array\");\n\t\tfor (const org of orgs) {\n\t\t\tconst trimmed = org.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"organization\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tdetected: entities.length > 0,\n\t\t\tentities,\n\t\t};\n\t}\n\n\t/**\n\t * Recursively scans all string values within an object/array.\n\t * Stops at the first detection for performance (fail-fast).\n\t */\n\tasync scanDeep(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<NerScanResult> {\n\t\tif (input === null || input === undefined) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tif (typeof input === \"string\") {\n\t\t\treturn this.scan(input);\n\t\t}\n\n\t\tif (typeof input === \"object\") {\n\t\t\tif (seen.has(input as object)) {\n\t\t\t\treturn { detected: false, entities: [] 
};\n\t\t\t}\n\t\t\tseen.add(input as object);\n\n\t\t\tconst values = Array.isArray(input)\n\t\t\t\t? input\n\t\t\t\t: Object.values(input as Record<string, unknown>);\n\n\t\t\tconst allEntities: NerEntity[] = [];\n\n\t\t\tfor (const value of values) {\n\t\t\t\tconst result = await this.scanDeep(value, seen);\n\t\t\t\tif (result.detected) {\n\t\t\t\t\tallEntities.push(...result.entities);\n\t\t\t\t\t// Fail-fast: return immediately on first person detection\n\t\t\t\t\tif (result.entities.some((e) => e.type === \"person\")) {\n\t\t\t\t\t\treturn { detected: true, entities: allEntities };\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tdetected: allEntities.length > 0,\n\t\t\t\tentities: allEntities,\n\t\t\t};\n\t\t}\n\n\t\treturn { detected: false, entities: [] };\n\t}\n}\n","/**\n * LIOP Professional PII Engine (The Shield V2 - Tier-1 Military Edition)\n * Implements high-fidelity detection based on NIST and OWASP standards.\n * Features Multi-Layer Verification (Regex + Algorithmic Validators).\n */\n\n/**\n * Validates a credit card number using the Luhn algorithm.\n * Prevents false positives from random 16-digit IDs.\n */\nfunction isLuhnValid(cardNumber: string): boolean {\n\tconst digits = cardNumber.replace(/\\D/g, \"\");\n\tif (digits.length < 13 || digits.length > 19) return false;\n\n\tlet sum = 0;\n\tlet isEven = false;\n\n\tfor (let i = digits.length - 1; i >= 0; i--) {\n\t\tlet digit = parseInt(digits.charAt(i), 10);\n\n\t\tif (isEven) {\n\t\t\tdigit *= 2;\n\t\t\tif (digit > 9) {\n\t\t\t\tdigit -= 9;\n\t\t\t}\n\t\t}\n\n\t\tsum += digit;\n\t\tisEven = !isEven;\n\t}\n\n\treturn sum % 10 === 0;\n}\n\n/**\n * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.\n * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.\n */\nfunction isIbanValid(iban: string): boolean {\n\tconst sanitized = iban.replace(/\\s+/g, \"\").toUpperCase();\n\n\tif 
(!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;\n\n\tconst rearranged = sanitized.substring(4) + sanitized.substring(0, 4);\n\n\tlet numericString = \"\";\n\tfor (let i = 0; i < rearranged.length; i++) {\n\t\tconst charCode = rearranged.charCodeAt(i);\n\t\tif (charCode >= 65 && charCode <= 90) {\n\t\t\tnumericString += (charCode - 55).toString();\n\t\t} else if (charCode >= 48 && charCode <= 57) {\n\t\t\tnumericString += rearranged.charAt(i);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\ttry {\n\t\treturn BigInt(numericString) % 97n === 1n;\n\t} catch (_e) {\n\t\treturn false;\n\t}\n}\n\nexport type PiiRuleDefinition = {\n\tname: string;\n\tpattern: string | RegExp;\n\tvalidator?: (match: string) => boolean;\n};\n\nexport type PiiRule = string | RegExp | PiiRuleDefinition;\n\nexport const PII_PATTERNS = {\n\tEMAIL: {\n\t\tname: \"EMAIL\",\n\t\tpattern: /\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b/gi,\n\t\tvalidator: (match: string) =>\n\t\t\t!match.endsWith(\"@example.com\") && !match.endsWith(\"@test.com\"),\n\t} as PiiRuleDefinition,\n\tCREDIT_CARD: {\n\t\tname: \"CREDIT_CARD\",\n\t\tpattern: /\\b(?:\\d[ -]*?){13,16}\\b/g,\n\t\tvalidator: isLuhnValid,\n\t} as PiiRuleDefinition,\n\tIP_ADDRESS: {\n\t\tname: \"IP_ADDRESS\",\n\t\tpattern: /\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst safeIps = [\"127.0.0.1\", \"0.0.0.0\", \"255.255.255.255\"];\n\t\t\tif (safeIps.includes(match)) return false;\n\t\t\t// Validate valid IPv4 ranges\n\t\t\tconst parts = match.split(\".\").map(Number);\n\t\t\treturn parts.every((p) => p >= 0 && p <= 255);\n\t\t},\n\t} as PiiRuleDefinition,\n\tPHONE: {\n\t\tname: \"PHONE\",\n\t\t// Strict boundary to avoid matching long numeric IDs wrapped in symbols\n\t\tpattern: /(?:(?:\\+?\\d{1,3}[-. ]?)?\\(?\\d{3}\\)?[-. ]?\\d{3}[-. 
]?\\d{4})\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length < 7 || digits.length > 15) return false;\n\t\t\t// Reject fake test numbers like 0000000000 or 1234567890\n\t\t\tif (/^(\\d)\\1+$/.test(digits)) return false;\n\t\t\tif (digits === \"1234567890\") return false;\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tSSN: {\n\t\tname: \"SSN\",\n\t\tpattern: /\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length !== 9) return false;\n\n\t\t\tconst area = parseInt(digits.substring(0, 3), 10);\n\t\t\tif (area === 0 || area === 666 || area >= 900) return false;\n\n\t\t\tconst group = parseInt(digits.substring(3, 5), 10);\n\t\t\tif (group === 0) return false;\n\n\t\t\tconst serial = parseInt(digits.substring(5, 9), 10);\n\t\t\tif (serial === 0) return false;\n\n\t\t\tif (/^(\\d)\\1+$/.test(digits) || digits === \"123456789\") return false;\n\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tIBAN: {\n\t\tname: \"IBAN\",\n\t\tpattern: /\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\\b/gi,\n\t\tvalidator: isIbanValid,\n\t} as PiiRuleDefinition,\n\tPASSPORT_MRZ: {\n\t\tname: \"PASSPORT_MRZ\",\n\t\t// Machina Readable Zone line match for standard international passports\n\t\tpattern: /\\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\\b|\\s|$)/g,\n\t} as PiiRuleDefinition,\n};\n\n/**\n * Regional and Cultural Security Presets for Out-Of-The-Box compliance.\n * Developers can override, merge, or omit these based on local laws.\n */\nexport const PII_PRESETS = {\n\tGLOBAL_STRICT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t\tPII_PATTERNS.IBAN,\n\t],\n\tUS_COMPLIANT: 
[\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.SSN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n\tEU_GDPR: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.IBAN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n};\n\nexport class PiiScanner {\n\tprivate patterns: PiiRule[];\n\tprivate forbiddenKeysSet: Set<string>;\n\tprivate nerScanner: import(\"./ner-scanner.js\").NerScanner | null;\n\n\t/**\n\t * Safelist of keys that contain forbidden substrings but are NOT PII.\n\t * Prevents false positives from fuzzy matching (e.g., \"grid\" contains \"id\").\n\t */\n\tprivate static readonly KEY_SAFELIST = new Set([\n\t\t// Common words containing \"id\" substring\n\t\t\"grid\",\n\t\t\"video\",\n\t\t\"android\",\n\t\t\"identity\",\n\t\t\"provide\",\n\t\t\"override\",\n\t\t\"validate\",\n\t\t\"hidden\",\n\t\t\"widget\",\n\t\t\"guidelines\",\n\t\t\"beside\",\n\t\t\"guideline\",\n\t\t\"outside\",\n\t\t\"inside\",\n\t\t\"collide\",\n\t\t\"decide\",\n\t\t\"divide\",\n\t\t\"aside\",\n\t\t\"ride\",\n\t\t\"side\",\n\t\t\"wide\",\n\t\t\"hide\",\n\t\t\"tide\",\n\t\t\"pride\",\n\t\t\"bride\",\n\t\t\"slide\",\n\t\t\"guide\",\n\t\t\"stride\",\n\t\t\"oxide\",\n\t\t\"dioxide\",\n\t\t\"suicide\",\n\t\t\"homicide\",\n\t\t\"pesticide\",\n\t\t\"valid\",\n\t\t\"invalid\",\n\t\t\"void\",\n\t\t\"avoid\",\n\t\t// Common words containing \"name\" substring\n\t\t\"diagnosis\",\n\t\t\"medication\",\n\t\t\"namespace\",\n\t\t\"namesake\",\n\t\t\"rename\",\n\t\t\"filename\",\n\t\t\"hostname\",\n\t\t\"typename\",\n\t\t\"unnamed\",\n\t\t\"renamed\",\n\t\t// Common words containing \"phone\" substring\n\t\t\"phonetic\",\n\t\t\"phoneme\",\n\t\t\"microphone\",\n\t\t\"headphone\",\n\t\t\"telephone\",\n\t\t\"saxophone\",\n\t\t\"smartphone\",\n\t\t// Common words containing \"address\" 
substring\n\t\t\"streetview\",\n\t\t\"addressable\",\n\t\t\"addressing\",\n\t\t// Common words containing \"city\" substring\n\t\t\"cityscape\",\n\t\t\"electricity\",\n\t\t\"capacity\",\n\t\t\"velocity\",\n\t\t\"opacity\",\n\t\t// Common technical terms\n\t\t\"timestamp\",\n\t\t\"timezone\",\n\t\t// LIOP Protocol Internal Keys (must never be blocked)\n\t\t\"image_id\",\n\t\t\"computation_result\",\n\t\t\"zk_receipt\",\n\t\t\"testid\",\n\t\t\"toolid\",\n\t\t\"sessionid\",\n\t\t\"peerid\",\n\t\t\"nodeid\",\n\t\t\"requestid\",\n\t\t\"correlationid\",\n\t\t\"traceid\",\n\t\t\"spanid\",\n\t]);\n\n\t/**\n\t * Short forbidden tokens (< 4 chars) that require boundary-aware matching.\n\t * Uses regex boundary detection to avoid false positives.\n\t */\n\tprivate shortTokenBoundaryPatterns: Map<string, RegExp>;\n\n\t/**\n\t * Long forbidden tokens (>= 4 chars) that use substring containment.\n\t */\n\tprivate longForbiddenTokens: string[];\n\n\tconstructor(\n\t\tpatterns: PiiRule[] = [],\n\t\tforbiddenKeys: string[] = [],\n\t\tnerScanner?: import(\"./ner-scanner.js\").NerScanner | null,\n\t) {\n\t\tthis.patterns = patterns;\n\t\tthis.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));\n\t\tthis.nerScanner = nerScanner ?? 
null;\n\n\t\t// Pre-compute fuzzy matching structures for performance\n\t\tthis.shortTokenBoundaryPatterns = new Map();\n\t\tthis.longForbiddenTokens = [];\n\n\t\tfor (const token of this.forbiddenKeysSet) {\n\t\t\tif (token.length < 4) {\n\t\t\t\t// Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)\n\t\t\t\t// \"id\" matches: \"patientId\", \"record_id\", \"user-id\", \"id\"\n\t\t\t\t// \"id\" does NOT match: \"grid\", \"video\", \"android\"\n\t\t\t\tthis.shortTokenBoundaryPatterns.set(\n\t\t\t\t\ttoken,\n\t\t\t\t\tnew RegExp(\n\t\t\t\t\t\t`(?:^|[_-])${token}(?:$|[_-])|` + // snake/kebab boundary\n\t\t\t\t\t\t\t`(?:^|[a-z])${token.charAt(0).toUpperCase()}${token.slice(1)}|` + // camelCase boundary (e.g., patientId)\n\t\t\t\t\t\t\t`^${token}$`, // exact match\n\t\t\t\t\t\t\"i\",\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tthis.longForbiddenTokens.push(token);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Scans any input (string, object, array) for PII violations.\n\t * Returns the pattern/rule name that triggered the violation, or null if safe.\n\t *\n\t * Detection pipeline (fail-fast):\n\t * 1. Exact key match (O(1) Set lookup)\n\t * 2. Fuzzy key match (boundary detection for short tokens, substring for long)\n\t * 3. Regex/algorithmic pattern match on string values\n\t * 4. NER content scan on string values (if enabled)\n\t */\n\tpublic async scan(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<string | null> {\n\t\tif (input === null || input === undefined) return null;\n\n\t\t// 1. 
String Scan (Direct Regex/String/Definition check)\n\t\tif (typeof input === \"string\") {\n\t\t\t// SECURITY PATCH: JSON Deep-Parsing Recursion (Fortification V2)\n\t\t\t// Defeats Double JSON Encoding bypasses by forcefully parsing stringified JSON back into objects.\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst parsed = JSON.parse(trimmed);\n\t\t\t\t\t// Successfully parsed JSON string. Recursively scan the unescaped object.\n\t\t\t\t\tconst violation = await this.scan(parsed, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t} catch (_e) {\n\t\t\t\t\t// Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check string value against regex patterns\n\t\t\tconst patternViolation = this.checkString(input);\n\t\t\tif (patternViolation) return patternViolation;\n\n\t\t\t// Layer 3: NER Content Scan — detect person names in free-text values\n\t\t\tif (this.nerScanner) {\n\t\t\t\tconst nerResult = await this.nerScanner.scan(input);\n\t\t\t\tif (nerResult.detected) {\n\t\t\t\t\tconst personEntity = nerResult.entities.find(\n\t\t\t\t\t\t(e) => e.type === \"person\",\n\t\t\t\t\t);\n\t\t\t\t\tif (personEntity) {\n\t\t\t\t\t\treturn `PII Entity Detected: person name \"${personEntity.text}\"`;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn null;\n\t\t}\n\n\t\t// 2. 
Recursive Objects/Arrays Scan\n\t\tif (typeof input === \"object\") {\n\t\t\t// Protection against circular references\n\t\t\tif (seen.has(input as object)) return null;\n\t\t\tseen.add(input as object);\n\n\t\t\tif (Array.isArray(input)) {\n\t\t\t\tfor (const element of input) {\n\t\t\t\t\tconst violation = await this.scan(element, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfor (const [key, value] of Object.entries(\n\t\t\t\t\tinput as Record<string, unknown>,\n\t\t\t\t)) {\n\t\t\t\t\t// Layer 1: Exact key match — O(1) constant time\n\t\t\t\t\tif (this.forbiddenKeysSet.has(key.toLowerCase())) {\n\t\t\t\t\t\treturn `Forbidden Key: ${key}`;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Layer 2: Fuzzy key match — catches aliases and variations\n\t\t\t\t\tconst fuzzyViolation = this.checkKeyFuzzy(key);\n\t\t\t\t\tif (fuzzyViolation) return fuzzyViolation;\n\n\t\t\t\t\t// Recurse into values\n\t\t\t\t\tconst violation = await this.scan(value, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks a key against fuzzy matching rules.\n\t * Short tokens use boundary-aware regex; long tokens use substring containment.\n\t */\n\tprivate checkKeyFuzzy(key: string): string | null {\n\t\tconst normalized = key.toLowerCase();\n\n\t\t// Skip safelisted keys entirely\n\t\tif (PiiScanner.KEY_SAFELIST.has(normalized)) return null;\n\n\t\t// Short token boundary matching (e.g., \"id\" in \"patientId\" but not \"grid\")\n\t\tfor (const [token, pattern] of this.shortTokenBoundaryPatterns) {\n\t\t\tif (pattern.test(key)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} matches boundary pattern \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\t// Long token substring matching (e.g., \"name\" in \"firstName\", \"names\")\n\t\tfor (const token of this.longForbiddenTokens) {\n\t\t\tif (normalized.includes(token)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} contains restricted token 
\"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate checkString(text: string): string | null {\n\t\tfor (const rule of this.patterns) {\n\t\t\tif (typeof rule === \"string\") {\n\t\t\t\tif (text.toLowerCase().includes(rule.toLowerCase())) {\n\t\t\t\t\treturn rule;\n\t\t\t\t}\n\t\t\t} else if (rule instanceof RegExp) {\n\t\t\t\tif (rule.global) rule.lastIndex = 0;\n\t\t\t\tif (rule.test(text)) {\n\t\t\t\t\treturn rule.source;\n\t\t\t\t}\n\t\t\t} else if (typeof rule === \"object\" && rule !== null) {\n\t\t\t\t// PiiRuleDefinition (Military Grade Multi-layer)\n\t\t\t\tconst def = rule as PiiRuleDefinition;\n\n\t\t\t\tif (typeof def.pattern === \"string\") {\n\t\t\t\t\tif (text.toLowerCase().includes(def.pattern.toLowerCase())) {\n\t\t\t\t\t\tif (!def.validator || def.validator(def.pattern)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if (def.pattern instanceof RegExp) {\n\t\t\t\t\tif (def.pattern.global) def.pattern.lastIndex = 0;\n\n\t\t\t\t\t// Use matchAll or exec to get the specific match for the validator\n\t\t\t\t\tlet match = def.pattern.exec(text);\n\t\t\t\t\twhile (match !== null) {\n\t\t\t\t\t\tconst matchedText = match[0];\n\t\t\t\t\t\tif (!def.validator || def.validator(matchedText)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!def.pattern.global) break; // Break if not global\n\t\t\t\t\t\tmatch = def.pattern.exec(text);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn null;\n\t}\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { FixedQueue, Piscina } from \"piscina\";\nimport { z } from \"zod\";\nimport { zodToJsonSchema } from \"zod-to-json-schema\";\nimport { type LiopManifest, MeshNode } from \"../mesh/node.js\";\nimport 
{ LiopRpcServer } from \"../rpc/server.js\";\nimport type { LogicRequest, LogicResponse } from \"../rpc/types.js\";\nimport { TaintAnalyzer } from \"../security/taint-analyzer.js\";\nimport type {\n\tCallToolRequest,\n\tCallToolResult,\n\tGetPromptRequest,\n\tGetPromptResult,\n\tPrompt,\n\tResource,\n\tServerInfo,\n\tTool,\n} from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\nimport { NerScanner } from \"./ner-scanner.js\";\nimport { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from \"./pii.js\";\n\nexport { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };\n\nexport type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (\n\targs: z.infer<z.ZodObject<T>>,\n\textra: { signal?: AbortSignal },\n) => Promise<CallToolResult>;\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\nexport interface LiopServerOptions {\n\tcapabilities?: Record<string, unknown>;\n\tworkerPool?: {\n\t\tenabled?: boolean;\n\t\tminThreads?: number;\n\t\tmaxThreads?: number;\n\t\tidleTimeout?: number;\n\t\t/** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */\n\t\tmaxHeapMb?: number;\n\t};\n\tsecurity?: {\n\t\tpiiPatterns?: PiiRule[];\n\t\tforbiddenKeys?: string[];\n\t\t/** Enable NLP-based Named Entity Recognition scanning on output values. */\n\t\tenableNerScanning?: boolean;\n\t\t/** Rate limiting configuration for tool calls (OWASP A01). */\n\t\trateLimit?: {\n\t\t\t/** Maximum calls per window per tool (default: 15). */\n\t\t\tmaxPerWindow?: number;\n\t\t\t/** Maximum calls per window across ALL tools combined (default: 40). */\n\t\t\tglobalMaxPerWindow?: number;\n\t\t\t/** Sliding window duration in milliseconds (default: 60000 = 1 min). 
*/\n\t\t\twindowMs?: number;\n\t\t};\n\t};\n\ttaxonomy?: {\n\t\tdomain?: string;\n\t\tclearanceTier?: number;\n\t\texecutionTypes?: string[];\n\t};\n}\n\nexport interface AggregationPolicy {\n\t/** Maximum number of object-type array elements allowed (default: 10) */\n\tmaxOutputRows?: number;\n\t/** Allow arrays containing only primitive values (default: true) */\n\tallowPrimitiveArrays?: boolean;\n}\n\nexport interface LogicExecutionPolicy {\n\t/**\n\t * Validate the business payload returned by sandbox logic (post-execution).\n\t * This runs before final egress checks and blocks non-conforming outputs.\n\t */\n\toutputSchema?: z.ZodType<unknown>;\n\t/**\n\t * Enforce aggregation-first heuristics (preflight + post-check).\n\t */\n\tenforceAggregationFirst?: boolean | AggregationPolicy;\n\t/**\n\t * Optional additional deny patterns checked against extracted logic source.\n\t */\n\tpreflightDenyPatterns?: RegExp[];\n}\n\nexport class LiopServer {\n\tprivate logicCache: Map<string, { hash: string; timestamp: number }> =\n\t\tnew Map();\n\tprivate connectionStats: Map<\n\t\tstring,\n\t\t{ failures: number; lastAttempt: number }\n\t> = new Map();\n\tprivate readonly CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\tprivate readonly THROTTLE_THRESHOLD = 5;\n\tprivate readonly THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds\n\n\t// [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration\n\tprivate toolCallWindows: Map<string, number[]> = new Map();\n\tprivate readonly toolCallMaxPerWindow: number;\n\tprivate readonly toolCallWindowMs: number;\n\n\t// [OWASP-A01] Global cross-tool rate limiter — prevents distributed micro-query attacks\n\tprivate globalCallWindow: number[] = [];\n\tprivate readonly globalCallMaxPerWindow: number;\n\n\t// [SEC] AST-level taint tracker for PII side-channel prevention\n\tprivate readonly taintAnalyzer: TaintAnalyzer;\n\n\tprivate tools: Map<\n\t\tstring,\n\t\t{\n\t\t\ttool: Tool;\n\t\t\t// biome-ignore 
lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\thandler: ToolHandler<any>;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\tschema: z.ZodObject<any>;\n\t\t\tpolicy?: LogicExecutionPolicy;\n\t\t}\n\t> = new Map();\n\tprivate resources: Map<\n\t\tstring,\n\t\tResource & { content?: string | (() => Promise<string>) }\n\t> = new Map();\n\tprivate prompts: Map<\n\t\tstring,\n\t\t{\n\t\t\tprompt: Prompt;\n\t\t\thandler: (\n\t\t\t\trequest: GetPromptRequest,\n\t\t\t) => GetPromptResult | Promise<GetPromptResult>;\n\t\t}\n\t> = new Map();\n\tprivate activeSchema: Record<string, unknown> | null = null;\n\tprivate sandboxRecords: Record<string, unknown>[] = [];\n\n\tprivate piiScanner: PiiScanner;\n\tprivate workerPool: Piscina;\n\tprivate meshNode: MeshNode | null = null;\n\tprivate rpcServer: LiopRpcServer | null = null;\n\tprivate boundPort: number | null = null;\n\tprivate sessions: Map<\n\t\tstring,\n\t\t{ capability_hash: string; kyber_sk: Uint8Array }\n\t> = new Map();\n\n\t// Compact envelope: @LIOP{target,name}\\n<code>\\n@END\n\tprivate static readonly LIOP_COMPACT_REGEX =\n\t\t/@LIOP\\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\\}\\n(?<logic>[\\s\\S]*?)\\n@END/m;\n\n\tprivate extractLogic(payload: string): string | null {\n\t\tconst compact = payload.match(LiopServer.LIOP_COMPACT_REGEX);\n\t\treturn compact?.groups?.logic ? 
compact.groups.logic.trim() : null;\n\t}\n\n\tprivate parseUnknownJson(input: unknown): unknown {\n\t\tif (typeof input !== \"string\") return input;\n\t\tconst trimmed = input.trim();\n\t\tif (\n\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t) {\n\t\t\ttry {\n\t\t\t\treturn JSON.parse(trimmed);\n\t\t\t} catch {\n\t\t\t\treturn input;\n\t\t\t}\n\t\t}\n\t\treturn input;\n\t}\n\n\tprivate runPreflightPolicy(\n\t\t_toolName: string,\n\t\tlogic: string,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\t// Phase 1: Regex-based row-level export detection (fast path)\n\t\tif (policy) {\n\t\t\tconst compact = logic.replace(/\\s+/g, \" \");\n\n\t\t\tif (policy.enforceAggregationFirst) {\n\t\t\t\tconst rowExtractionPatterns = [\n\t\t\t\t\t// Block raw record dumps but allow safe aggregation chains\n\t\t\t\t\t// (.reduce, .length, .filter().length, .every, .some)\n\t\t\t\t\t/return\\s+env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter|every|some|find)\\b)/i,\n\t\t\t\t\t/return\\s*\\{[\\s\\S]*\\b(accounts|patients|rows|records)\\s*:\\s*env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter)\\b)/i,\n\t\t\t\t];\n\t\t\t\tif (rowExtractionPatterns.some((p) => p.test(compact))) {\n\t\t\t\t\treturn \"Preflight policy rejected: potential row-level export pattern detected.\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {\n\t\t\t\treturn \"Preflight policy rejected: custom deny pattern matched.\";\n\t\t\t}\n\t\t}\n\n\t\t// Phase 2: AST-level taint tracking (detects PII side-channel derivation)\n\t\tconst taintViolation = this.taintAnalyzer.analyze(logic);\n\t\tif (taintViolation) {\n\t\t\treturn `Preflight policy rejected: ${taintViolation.reason}`;\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate validateOutputPolicy(\n\t\ttoolName: string,\n\t\toutput: unknown,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tif (!policy) return 
null;\n\t\tconst parsed = this.parseUnknownJson(output);\n\n\t\tif (policy.outputSchema) {\n\t\t\t// SEC-HARDENING: Force strict mode on ZodObject schemas to prevent\n\t\t\t// key aliasing bypasses via .passthrough(). However, respect schemas\n\t\t\t// that explicitly use .catchall() — calling .strict() would override\n\t\t\t// the catchall with ZodNever, destroying the developer's intent.\n\t\t\tconst effectiveSchema = (() => {\n\t\t\t\tif (!(policy.outputSchema instanceof z.ZodObject)) {\n\t\t\t\t\treturn policy.outputSchema;\n\t\t\t\t}\n\t\t\t\tconst obj = policy.outputSchema as z.ZodObject<z.ZodRawShape>;\n\t\t\t\t// If schema has an explicit catchall (not ZodNever), respect it\n\t\t\t\tif (!(obj._def.catchall instanceof z.ZodNever)) {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\t// Otherwise force strict to block unrecognized keys by default\n\t\t\t\treturn obj.strict();\n\t\t\t})();\n\n\t\t\tconst schemaResult = effectiveSchema.safeParse(parsed);\n\t\t\tif (!schemaResult.success) {\n\t\t\t\t// SEC-CRITICAL: Never expose rejected data in error messages.\n\t\t\t\t// Only report the structural violation (unrecognized keys, type mismatches).\n\t\t\t\treturn `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues\n\t\t\t\t\t.map((i) => `${i.path.join(\".\") || \"<root>\"} ${i.message}`)\n\t\t\t\t\t.join(\n\t\t\t\t\t\t\"; \",\n\t\t\t\t\t)}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;\n\t\t\t}\n\t\t}\n\n\t\tif (\n\t\t\tpolicy.enforceAggregationFirst &&\n\t\t\tthis.violatesAggregationFirstPolicy(\n\t\t\t\tthis.unwrapForAggregationPolicyScan(parsed),\n\t\t\t\tpolicy.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords.length,\n\t\t\t)\n\t\t) {\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\treturn isDev\n\t\t\t\t? 
\"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results.\"\n\t\t\t\t: \"Aggregation-First Policy Violation: Output blocked due to privacy constraints.\";\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).\n\t * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope\n\t * (otherwise `content` looks like a tabular array of objects and everything blocks).\n\t */\n\tprivate unwrapForAggregationPolicyScan(input: unknown): unknown {\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));\n\t\t\t\t} catch {\n\t\t\t\t\treturn input;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn input;\n\t\t}\n\n\t\tif (!input || typeof input !== \"object\") {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst rec = input as Record<string, unknown>;\n\t\tif (!Array.isArray(rec.content) || rec.content.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst texts: string[] = [];\n\t\tfor (const part of rec.content) {\n\t\t\tif (part && typeof part === \"object\" && \"text\" in part) {\n\t\t\t\tconst t = (part as { text?: unknown }).text;\n\t\t\t\tif (typeof t === \"string\") {\n\t\t\t\t\ttexts.push(t);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (texts.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst joined = texts.length === 1 ? 
texts[0] : texts.join(\"\\n\");\n\t\treturn this.unwrapForAggregationPolicyScan(joined);\n\t}\n\n\tprivate violatesAggregationFirstPolicy(\n\t\tinput: unknown,\n\t\tpolicyObj?: boolean | AggregationPolicy,\n\t\trecordsCount?: number,\n\t): boolean {\n\t\tconst maxRows =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.maxOutputRows === \"number\"\n\t\t\t\t? policyObj.maxOutputRows\n\t\t\t\t: 10;\n\t\tconst allowPrimitives =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.allowPrimitiveArrays === \"boolean\"\n\t\t\t\t? policyObj.allowPrimitiveArrays\n\t\t\t\t: true;\n\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tJSON.parse(trimmed),\n\t\t\t\t\t\tpolicyObj,\n\t\t\t\t\t\trecordsCount,\n\t\t\t\t\t);\n\t\t\t\t} catch {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false;\n\t\t}\n\n\t\tif (Array.isArray(input)) {\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item === \"object\" && item !== null)\n\t\t\t) {\n\t\t\t\t// Treat tabular row export as non-aggregated leakage risk if above threshold.\n\t\t\t\tif (input.length > maxRows) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\treturn input.some((item) =>\n\t\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item !== \"object\" || item === null)\n\t\t\t) {\n\t\t\t\tif (!allowPrimitives) return true;\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn input.some((item) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\tif (input && typeof input === \"object\") {\n\t\t\tconst keys = Object.keys(input as 
Record<string, unknown>);\n\n\t\t\t// K-ANONYMITY: If source dataset is too small (< 10), enforce restriction.\n\t\t\t// Allow basic statistical summaries (max 3 keys: count/avg/stddev, no nesting).\n\t\t\tif (recordsCount !== undefined && recordsCount > 0 && recordsCount < 10) {\n\t\t\t\tif (keys.length > 3) return true;\n\t\t\t\t// Check for nesting/arrays in a small sample\n\t\t\t\tconst values = Object.values(input as Record<string, unknown>);\n\t\t\t\tif (\n\t\t\t\t\tvalues.some(\n\t\t\t\t\t\t(v) => Array.isArray(v) || (typeof v === \"object\" && v !== null),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).\n\t\t\tif (keys.length > maxRows) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn Object.values(input as Record<string, unknown>).some((value) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(value, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tconstructor(\n\t\tprivate serverInfo: ServerInfo,\n\t\tprivate config?: LiopServerOptions,\n\t) {\n\t\tconst nerScanner = this.config?.security?.enableNerScanning\n\t\t\t? new NerScanner()\n\t\t\t: null;\n\n\t\tthis.piiScanner = new PiiScanner(\n\t\t\tthis.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,\n\t\t\tthis.config?.security?.forbiddenKeys ?? 
[\n\t\t\t\t\"id\",\n\t\t\t\t\"name\",\n\t\t\t\t\"fullName\",\n\t\t\t\t\"firstName\",\n\t\t\t\t\"lastName\",\n\t\t\t\t\"address\",\n\t\t\t\t\"street\",\n\t\t\t\t\"city\",\n\t\t\t\t\"postalCode\",\n\t\t\t\t\"zipCode\",\n\t\t\t\t\"phone\",\n\t\t\t\t\"email\",\n\t\t\t\t\"ssn\",\n\t\t\t\t\"accountHolder\",\n\t\t\t\t\"accountNumber\",\n\t\t\t\t\"account_number\",\n\t\t\t\t\"password\",\n\t\t\t\t\"token\",\n\t\t\t\t\"secret\",\n\t\t\t\t\"privateKey\",\n\t\t\t],\n\t\t\tnerScanner,\n\t\t);\n\n\t\t// [OWASP-A01] Rate limit: config > env > default (15 calls/min per-tool, 40 global)\n\t\tconst rlConfig = this.config?.security?.rateLimit;\n\t\tthis.toolCallWindowMs =\n\t\t\trlConfig?.windowMs ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? \"60000\", 10);\n\t\tthis.toolCallMaxPerWindow =\n\t\t\trlConfig?.maxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? \"15\", 10);\n\t\tthis.globalCallMaxPerWindow =\n\t\t\trlConfig?.globalMaxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? \"40\", 10);\n\n\t\t// [SEC] Initialize AST-level taint analyzer with PII field definitions\n\t\tconst forbiddenKeys = this.config?.security?.forbiddenKeys ?? [\n\t\t\t\"id\",\n\t\t\t\"name\",\n\t\t\t\"fullName\",\n\t\t\t\"firstName\",\n\t\t\t\"lastName\",\n\t\t\t\"address\",\n\t\t\t\"street\",\n\t\t\t\"city\",\n\t\t\t\"postalCode\",\n\t\t\t\"zipCode\",\n\t\t\t\"phone\",\n\t\t\t\"email\",\n\t\t\t\"ssn\",\n\t\t\t\"accountHolder\",\n\t\t\t\"accountNumber\",\n\t\t\t\"account_number\",\n\t\t\t\"password\",\n\t\t\t\"token\",\n\t\t\t\"secret\",\n\t\t\t\"privateKey\",\n\t\t];\n\t\tthis.taintAnalyzer = new TaintAnalyzer(forbiddenKeys);\n\n\t\t// Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing\n\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\tconst workerExt = isTS ? 
\".ts\" : \".js\";\n\n\t\tlet execArgv: string[] = [];\n\t\tif (isTS) {\n\t\t\ttry {\n\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t).href;\n\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t} catch (_e) {\n\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t}\n\t\t}\n\n\t\tconst isTest = process.env.NODE_ENV === \"test\" || process.env.VITEST;\n\n\t\t// Sync capabilities to serverInfo for MCP Handshakes\n\t\tif (this.config?.capabilities && !this.serverInfo.capabilities) {\n\t\t\tthis.serverInfo.capabilities = this.config.capabilities as Record<\n\t\t\t\tstring,\n\t\t\t\tunknown\n\t\t\t>;\n\t\t}\n\n\t\t// Support both flat dist/ and original src/ structure\n\t\tconst workerPaths = [\n\t\t\tpath.resolve(__dirname, `./workers/logic-execution${workerExt}`), // Flat dist/ (tsup)\n\t\t\tpath.resolve(__dirname, `../workers/logic-execution${workerExt}`), // Original src/\n\t\t];\n\n\t\tconst workerFilename =\n\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\tthis.workerPool = new Piscina({\n\t\t\tfilename: workerFilename,\n\t\t\tminThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),\n\t\t\tmaxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),\n\t\t\tidleTimeout:\n\t\t\t\tthis.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5000),\n\t\t\tmaxQueue: \"auto\",\n\t\t\ttaskQueue: new FixedQueue(),\n\t\t\texecArgv,\n\t\t\t// [DoS Defense] Enforce hard memory ceiling per worker thread.\n\t\t\t// Workers exceeding this limit are terminated by Node.js runtime.\n\t\t\tresourceLimits: {\n\t\t\t\tmaxOldGenerationSizeMb:\n\t\t\t\t\tthis.config?.workerPool?.maxHeapMb ??\n\t\t\t\t\tNumber.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? 
\"64\", 10),\n\t\t\t},\n\t\t});\n\n\t\t// [Token Economy] Auto-register LIOP protocol spec as a single Resource.\n\t\t// This centralizes the envelope documentation that was previously\n\t\t// duplicated in every tool description, reducing token overhead.\n\t\tthis.resource(\n\t\t\t\"LIOP Envelope Specification\",\n\t\t\t\"liop://protocol/envelope-spec\",\n\t\t\t\"Complete Logic-on-Origin envelope format, execution rules, and security constraints\",\n\t\t\t\"text/plain\",\n\t\t\t() => Promise.resolve(this.buildEnvelopeSpec()),\n\t\t);\n\t}\n\t/**\n\t * Builds the centralized LIOP envelope specification document.\n\t * Served as a single Resource (liop://protocol/envelope-spec) instead\n\t * of being duplicated across every tool description.\n\t */\n\tprivate buildEnvelopeSpec(): string {\n\t\tconst lines = [\n\t\t\t\"LIOP v1 Envelope Specification\",\n\t\t\t\"================================\",\n\t\t\t\"\",\n\t\t\t\"FORMAT:\",\n\t\t\t\"\",\n\t\t\t\"Compact Envelope:\",\n\t\t\t\" @LIOP{wasi_v1,TaskName}\",\n\t\t\t\" <JavaScript code>\",\n\t\t\t\" @END\",\n\t\t\t\"\",\n\t\t\t\"RUNTIME ENVIRONMENT:\",\n\t\t\t\"- env.records: Array of data objects from the origin\",\n\t\t\t\"- Must use 'return' to output results\",\n\t\t\t\"- Zero-Trust WASI Sandbox (Node.js Worker Pool)\",\n\t\t\t\"- Return aggregated objects, NOT raw row-level arrays\",\n\t\t\t\"\",\n\t\t\t\"SECURITY CONSTRAINTS:\",\n\t\t\t\"- PII Egress Shield blocks raw identifiers in output\",\n\t\t\t\"- Aggregation-First policy: prefer counts, averages, summaries\",\n\t\t\t\"- AST Guardian: static analysis before execution\",\n\t\t];\n\n\t\tif (this.config?.security?.forbiddenKeys?.length) {\n\t\t\tlines.push(\n\t\t\t\t`- Restricted fields: ${this.config.security.forbiddenKeys.join(\", \")}`,\n\t\t\t);\n\t\t}\n\n\t\tlines.push(\n\t\t\t\"\",\n\t\t\t\"TAINT TRACKING (Phase 108):\",\n\t\t\t\"- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)\",\n\t\t\t\"- Operations on restricted fields are 
tracked through variable assignments\",\n\t\t\t\"- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked\",\n\t\t\t\"- Allowed: aggregations on non-PII fields (balance, amount, date)\",\n\t\t\t\"\",\n\t\t\t\"K-ANONYMITY:\",\n\t\t\t\"- Datasets < 10 records: max 3 scalar output fields, no nesting\",\n\t\t\t\"- Datasets >= 10 records: max 10 output fields\",\n\t\t\t\"\",\n\t\t\t\"RATE LIMITS (OWASP A01):\",\n\t\t\t\"- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)\",\n\t\t\t\"- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)\",\n\t\t\t\"\",\n\t\t\t\"OPTIONAL PARAMETERS:\",\n\t\t\t\"- __liop_bypass_ast_cache: boolean (force AST re-evaluation)\",\n\t\t);\n\n\t\treturn lines.join(\"\\n\");\n\t}\n\n\t/**\n\t * Extracts a compact, human-readable field summary from a JSON Schema.\n\t *\n\t * Walks the schema structure to find actual data property names and types,\n\t * rather than returning top-level schema metadata keys (type, items, etc.).\n\t *\n\t * Example output for a banking schema:\n\t * \"Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}\"\n\t */\n\tprivate extractSchemaFieldSummary(\n\t\tschema: Record<string, unknown>,\n\t\tdepth = 0,\n\t): string {\n\t\t// Prevent excessive recursion in deeply nested schemas\n\t\tif (depth > 3) return \"{...}\";\n\n\t\tconst schemaType = schema.type as string | undefined;\n\t\tconst properties = schema.properties as\n\t\t\t| Record<string, Record<string, unknown>>\n\t\t\t| undefined;\n\t\tconst items = schema.items as Record<string, unknown> | undefined;\n\n\t\t// Object with properties → list field names with their types\n\t\tif (properties) {\n\t\t\tconst fields = Object.entries(properties).map(([key, prop]) => {\n\t\t\t\tconst propType = prop.type as string | undefined;\n\t\t\t\tif (propType === \"array\" && prop.items) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(\n\t\t\t\t\t\tprop.items as 
Record<string, unknown>,\n\t\t\t\t\t\tdepth + 1,\n\t\t\t\t\t);\n\t\t\t\t\treturn `${key}(array of ${nested})`;\n\t\t\t\t}\n\t\t\t\tif (propType === \"object\" && prop.properties) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(prop, depth + 1);\n\t\t\t\t\treturn `${key}(${nested})`;\n\t\t\t\t}\n\t\t\t\treturn `${key}(${propType || \"unknown\"})`;\n\t\t\t});\n\t\t\treturn `{${fields.join(\", \")}}`;\n\t\t}\n\n\t\t// Array type → describe the items structure\n\t\tif (schemaType === \"array\" && items) {\n\t\t\tconst itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);\n\t\t\treturn `Array of ${itemsSummary}`;\n\t\t}\n\n\t\t// Simple type or unknown structure → fallback to key listing\n\t\tif (schemaType) return schemaType;\n\t\treturn Object.keys(schema).join(\", \");\n\t}\n\n\t/**\n\t * Convenience alias for connectToMesh(), matching official documentation.\n\t */\n\tpublic async connect(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\treturn this.connectToMesh(options);\n\t}\n\n\t/**\n\t * Register a new Tool\n\t */\n\tpublic tool<T extends z.ZodRawShape>(\n\t\tname: string,\n\t\tdescription: string,\n\t\tshape: T,\n\t\thandler: ToolHandler<T>,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): void {\n\t\tif (this.tools.has(name)) {\n\t\t\tthrow new Error(`Tool already registered: ${name}`);\n\t\t}\n\n\t\tconst schema = z.object(shape);\n\t\tconst generatedSchema = zodToJsonSchema(schema);\n\n\t\tlet finalDescription = description;\n\t\tlet finalHandler = handler;\n\n\t\t// LIOP Zero-Shot Autonomy Middleware: Detect Logic-on-Origin tools\n\t\tif (shape.payload && shape.payload instanceof z.ZodString) {\n\t\t\tconst blockedKeys = this.config?.security?.forbiddenKeys || [];\n\n\t\t\t// [Token Economy] Centralized description: reference the protocol spec\n\t\t\t// Resource instead of 
duplicating the full envelope format per tool.\n\t\t\t// Same information, delivered once via liop://protocol/envelope-spec.\n\t\t\tfinalDescription +=\n\t\t\t\t\"\\n\\nPayload: LIOP v1 envelope (WASI sandbox).\" +\n\t\t\t\t\" Format: @LIOP{wasi_v1,TaskName}\\\\n<JS code>\\\\n@END\" +\n\t\t\t\t\" | Access data: env.records. Return aggregated object.\" +\n\t\t\t\t\" | Full spec: resource liop://protocol/envelope-spec\";\n\n\t\t\tif (blockedKeys.length > 0) {\n\t\t\t\tfinalDescription += `\\nRestricted fields: ${blockedKeys.join(\", \")}.`;\n\t\t\t}\n\n\t\t\tif (this.activeSchema) {\n\t\t\t\tconst schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);\n\t\t\t\tfinalDescription += `\\nData structure: ${schemaDigest}. Full schema: resource liop://schema/global`;\n\t\t\t}\n\n\t\t\tfinalHandler = async (\n\t\t\t\targs: z.infer<z.ZodObject<T>>,\n\t\t\t\t_extra: { signal?: AbortSignal },\n\t\t\t) => {\n\t\t\t\tconst clientId = \"global_connection\"; // Simplify for now, treating the instance as one connection\n\t\t\t\tconst now = Date.now();\n\t\t\t\tconst stats = this.connectionStats.get(clientId) || {\n\t\t\t\t\tfailures: 0,\n\t\t\t\t\tlastAttempt: 0,\n\t\t\t\t};\n\n\t\t\t\tif (\n\t\t\t\t\tstats.failures >= this.THROTTLE_THRESHOLD &&\n\t\t\t\t\tnow - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS\n\t\t\t\t) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"LIOP_THROTTLED: Too many violations. 
Cooling down for 60 seconds.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadValue = (args as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst bypassCache =\n\t\t\t\t\t(args as Record<string, unknown>).__liop_bypass_ast_cache === true;\n\n\t\t\t\tconst payloadHash = crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(payloadValue)\n\t\t\t\t\t.digest(\"hex\");\n\t\t\t\tconst logic = this.extractLogic(payloadValue);\n\t\t\t\tconst cached = this.logicCache.get(payloadHash);\n\n\t\t\t\tif (\n\t\t\t\t\t!bypassCache &&\n\t\t\t\t\tcached &&\n\t\t\t\t\tnow - cached.timestamp < this.CACHE_TTL_MS\n\t\t\t\t) {\n\t\t\t\t\t// Hash verified. Skips boundaries check (already validated!). Extract logic directly.\n\t\t\t\t\tif (logic) {\n\t\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn await this.executeInWorkerPool(args, logic, name);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!logic) {\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"Error: Malformed payload. 
Missing @LIOP boundary.\\\\nYou MUST wrap your logic exactly like this:\\\\n\\\\n@LIOP{wasi_v1,DynamicAudit}\\\\n// Your JS code here\\\\n@END\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Logic check already performed above, extraction is guaranteed at this point.\n\t\t\t\t\t// biome-ignore lint/style/noNonNullAssertion: safe extraction after check\n\t\t\t\t\tconst logic = this.extractLogic(\n\t\t\t\t\t\t(args as Record<string, unknown>).payload as string,\n\t\t\t\t\t)!;\n\t\t\t\t\t// Extract pure logic and deliver it to the developer's function\n\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing (Includes PII Shield)\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(name, logic, policy);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\n\t\t\t\t\tconst result = await this.executeInWorkerPool(args, logic, name);\n\n\t\t\t\t\tif (!result.isError) {\n\t\t\t\t\t\tthis.connectionStats.set(clientId, {\n\t\t\t\t\t\t\tfailures: 0,\n\t\t\t\t\t\t\tlastAttempt: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t\tthis.logicCache.set(payloadHash, {\n\t\t\t\t\t\t\thash: payloadHash,\n\t\t\t\t\t\t\ttimestamp: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn result;\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{ type: \"text\", 
text: `ExecutionRuntimeException: ${e.message}` },\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t};\n\t\t}\n\n\t\tconst inputSchema = {\n\t\t\ttype: \"object\",\n\t\t\tproperties: (generatedSchema as Record<string, unknown>).properties || {},\n\t\t\trequired: (generatedSchema as Record<string, unknown>).required,\n\t\t};\n\n\t\tthis.tools.set(name, {\n\t\t\ttool: { name, description: finalDescription, inputSchema },\n\t\t\thandler: finalHandler,\n\t\t\tschema,\n\t\t\tpolicy,\n\t\t});\n\n\t\t// [LIOP-ALPHA] Auto-announce capability to the Mesh P2P DHT if node is active\n\t\tif (this.meshNode) {\n\t\t\tthis.meshNode.announceCapability(name).catch((err) => {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t}\n\n\t/**\n\t * Register a dynamic prompt\n\t */\n\tpublic prompt(\n\t\tname: string,\n\t\tdescription: string | undefined,\n\t\targs: Prompt[\"arguments\"],\n\t\thandler: (\n\t\t\trequest: GetPromptRequest,\n\t\t) => GetPromptResult | Promise<GetPromptResult>,\n\t): void {\n\t\tif (this.prompts.has(name)) {\n\t\t\tthrow new Error(`Prompt already registered: ${name}`);\n\t\t}\n\t\tthis.prompts.set(name, {\n\t\t\tprompt: { name, description, arguments: args },\n\t\t\thandler,\n\t\t});\n\t}\n\n\t/**\n\t * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.\n\t */\n\tpublic enableZeroShotAutonomy(): void {\n\t\tthis.prompt(\n\t\t\t\"liop_blind_analyst\",\n\t\t\t\"The official Logic-Injection-on-Origin Protocol system prompt. 
Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.\",\n\t\t\t[],\n\t\t\t(_request) => {\n\t\t\t\treturn {\n\t\t\t\t\tdescription: \"LIOP Blind Analyst Instructions\",\n\t\t\t\t\tmessages: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\trole: \"user\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: `You are the \"Blind Analyst\" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.\nYour objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.\n\nINDUSTRIAL CONSTRAINTS & PROTOCOL RULES:\n1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.\n2. AGGREGATION FIRST: Always prefer returning counts, averages, or anonymized summaries.\n3. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.\n Structure:\n @LIOP{wasi_v1,AnalysisTask}\n // Your JS Code Here\n @END\n4. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.\n5. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).\n6. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.${\n\t\t\t\t\t\t\t\t\tthis.activeSchema\n\t\t\t\t\t\t\t\t\t\t? 
`\\n\\nCURRENT DATA DICTIONARY (STRICT):\\n${JSON.stringify(this.activeSchema, null, 2)}`\n\t\t\t\t\t\t\t\t\t\t: \"\"\n\t\t\t\t\t\t\t\t}\n\nProtocol Adherence is mandatory for successful execution.`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t};\n\t\t\t},\n\t\t);\n\t}\n\n\t/**\n\t * Register a dynamic resource\n\t */\n\tpublic resource(\n\t\tname: string,\n\t\turi: string,\n\t\tdescription?: string,\n\t\tmimeType?: string,\n\t\tcontent?: string | (() => Promise<string>),\n\t): void {\n\t\tif (this.resources.has(uri)) {\n\t\t\tthrow new Error(`Resource URI already registered: ${uri}`);\n\t\t}\n\t\tthis.resources.set(uri, { name, uri, description, mimeType, content });\n\t}\n\n\t/**\n\t * Broadcasts the Data Dictionary to the LLM prior to code injection.\n\t */\n\tpublic dataDictionary(\n\t\tschema: Record<string, unknown>,\n\t\tname: string = \"Global Medical Data Dictionary\",\n\t\turi: string = \"liop://schema/global\",\n\t\tdescription: string = \"Exposes the internal database schema for Zero-Shot Autonomy planning\",\n\t): void {\n\t\tthis.activeSchema = schema;\n\n\t\t// [Token Economy] Retroactively update tool descriptions with schema field references.\n\t\t// Extracts actual data property names from the JSON Schema structure.\n\t\tconst schemaDigest = this.extractSchemaFieldSummary(schema);\n\t\tfor (const [toolName, entry] of this.tools.entries()) {\n\t\t\tif (\n\t\t\t\tentry.schema.shape.payload &&\n\t\t\t\tentry.schema.shape.payload instanceof z.ZodString &&\n\t\t\t\tentry.tool.description &&\n\t\t\t\t!entry.tool.description.includes(\"Data structure:\")\n\t\t\t) {\n\t\t\t\tentry.tool.description += `\\nData structure: ${schemaDigest}. Full schema: resource ${uri}`;\n\t\t\t\tthis.tools.set(toolName, entry);\n\t\t\t}\n\t\t}\n\n\t\tthis.resource(\n\t\t\tname,\n\t\t\turi,\n\t\t\tdescription,\n\t\t\t\"application/json\",\n\t\t\tJSON.stringify(schema, null, 2),\n\t\t);\n\t}\n\n\t/**\n\t * Manually invalidates the AST Logic Cache (e.g. 
for Zero-Day patches).\n\t */\n\tpublic clearAstCache(): void {\n\t\tthis.logicCache.clear();\n\t\tlog.info(\"[LIOP-SDK] AST Security Cache cleared by Admin.\");\n\t}\n\n\t/**\n\t * Sliding window rate limiter for tool call frequency.\n\t * Prevents micro-query exfiltration attacks where an attacker\n\t * makes hundreds of individually-legitimate calls to reconstruct\n\t * the full dataset field by field. (OWASP A01)\n\t */\n\tprivate checkToolCallRateLimit(toolName: string): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxPerWindow = this.toolCallMaxPerWindow;\n\n\t\tconst window = this.toolCallWindows.get(toolName) || [];\n\t\t// Evict expired timestamps outside the sliding window\n\t\tconst active = window.filter((t) => now - t < windowMs);\n\n\t\tif (active.length >= maxPerWindow) {\n\t\t\tconst retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +\n\t\t\t\t\t\t\t`Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tactive.push(now);\n\t\tthis.toolCallWindows.set(toolName, active);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Global cross-tool rate limiter.\n\t * Prevents attackers from distributing micro-queries across multiple tools\n\t * to evade per-tool rate limits. 
(OWASP A01)\n\t */\n\tprivate checkGlobalRateLimit(): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxGlobal = this.globalCallMaxPerWindow;\n\n\t\tthis.globalCallWindow = this.globalCallWindow.filter(\n\t\t\t(t) => now - t < windowMs,\n\t\t);\n\n\t\tif (this.globalCallWindow.length >= maxGlobal) {\n\t\t\tconst retryAfterSec = Math.ceil(\n\t\t\t\t(this.globalCallWindow[0] + windowMs - now) / 1000,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Global call limit exceeded. ` +\n\t\t\t\t\t\t\t`Max ${maxGlobal} total calls per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tthis.globalCallWindow.push(now);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Emulates calling a tool (used locally or via LIOPMcpBridge)\n\t */\n\tpublic async callTool(request: CallToolRequest): Promise<CallToolResult> {\n\t\tconst entry = this.tools.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Tool not found: ${request.name}`);\n\t\t}\n\n\t\t// [OWASP-A01] Rate limiting: prevent micro-query exfiltration\n\t\tconst globalLimitResult = this.checkGlobalRateLimit();\n\t\tif (globalLimitResult) return globalLimitResult;\n\t\tconst rateLimitResult = this.checkToolCallRateLimit(request.name);\n\t\tif (rateLimitResult) return rateLimitResult;\n\n\t\ttry {\n\t\t\t// Validate inputs natively with Zod before execution\n\t\t\tconst parsedArgs = entry.schema.parse(request.arguments || {});\n\n\t\t\t// Re-inject the bypass flag if present since Zod might strip unrecognized keys\n\t\t\tif (\n\t\t\t\t(request.arguments as Record<string, unknown>)\n\t\t\t\t\t?.__liop_bypass_ast_cache === true\n\t\t\t) {\n\t\t\t\t(parsedArgs as Record<string, unknown>).__liop_bypass_ast_cache = true;\n\t\t\t}\n\n\t\t\t// [LOGIC-ON-ORIGIN] Intercept code 
injection directly\n\t\t\tif (\n\t\t\t\tparsedArgs &&\n\t\t\t\ttypeof (parsedArgs as Record<string, unknown>).payload === \"string\"\n\t\t\t) {\n\t\t\t\tconst payload = (parsedArgs as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst logic = this.extractLogic(payload);\n\t\t\t\tif (logic) {\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tentry.policy,\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\t\t\t\t\t(parsedArgs as Record<string, unknown>).payload = logic;\n\t\t\t\t\treturn await this.executeInWorkerPool(\n\t\t\t\t\t\tparsedArgs,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst result = await entry.handler(parsedArgs, {});\n\t\t\treturn result;\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tif (e instanceof z.ZodError) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [{ type: \"text\", text: `Validation Error: ${e.message}` }],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{ type: \"text\", text: `Internal Execution Error: ${e.message}` },\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Retrieves registered tools\n\t */\n\tpublic listTools(): Tool[] {\n\t\treturn Array.from(this.tools.values()).map((t) => t.tool);\n\t}\n\n\t/**\n\t * Retrieves registered prompts\n\t */\n\tpublic listPrompts(): Prompt[] {\n\t\treturn Array.from(this.prompts.values()).map((p) => p.prompt);\n\t}\n\n\t/**\n\t * Gets a specific prompt by name\n\t */\n\tpublic async getPrompt(request: GetPromptRequest): Promise<GetPromptResult> {\n\t\tconst entry = this.prompts.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Prompt not found: ${request.name}`);\n\t\t}\n\t\treturn await 
entry.handler(request);\n\t}\n\n\t/**\n\t * Retrieves registered resources\n\t */\n\tpublic listResources(): Resource[] {\n\t\treturn Array.from(this.resources.values());\n\t}\n\n\t/**\n\t * Reads a specific resource by URI\n\t */\n\tpublic async readResource(uri: string): Promise<{\n\t\tcontents: Array<{ uri: string; mimeType?: string; text: string }>;\n\t}> {\n\t\tconst resource = this.resources.get(uri);\n\t\tif (!resource) {\n\t\t\tthrow new Error(`Resource not found: ${uri}`);\n\t\t}\n\n\t\tlet text = \"No description provided\";\n\t\tif (typeof resource.content === \"function\") {\n\t\t\ttext = await resource.content();\n\t\t} else if (typeof resource.content === \"string\") {\n\t\t\ttext = resource.content;\n\t\t} else if (resource.description) {\n\t\t\ttext = resource.description;\n\t\t}\n\n\t\treturn {\n\t\t\tcontents: [\n\t\t\t\t{\n\t\t\t\t\turi: resource.uri,\n\t\t\t\t\tmimeType: resource.mimeType || \"text/plain\",\n\t\t\t\t\ttext,\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t}\n\n\tpublic getServerInfo(): ServerInfo {\n\t\treturn this.serverInfo;\n\t}\n\n\tpublic getMeshNode(): MeshNode | null {\n\t\treturn this.meshNode;\n\t}\n\n\t/**\n\t * Injects data into the secure sandbox context for Logic-on-Origin tools.\n\t */\n\tpublic setSandboxData(records: Record<string, unknown>[]) {\n\t\tthis.sandboxRecords = records;\n\t}\n\n\tpublic getBoundPort(): number | null {\n\t\treturn this.boundPort;\n\t}\n\n\t/**\n\t * Connects to the libp2p Kademlia DHT and announces capabilities.\n\t * Boots the gRPC server for secure Logic-on-Origin.\n\t */\n\tpublic async connectToMesh(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\tconst envPort = process.env.LIOP_GRPC_PORT\n\t\t\t? Number.parseInt(process.env.LIOP_GRPC_PORT, 10)\n\t\t\t: undefined;\n\t\tconst port = options.port ?? envPort ?? 50051;\n\n\t\t// 1. 
Initialize Mesh Node (Discovery)\n\t\tthis.meshNode = new MeshNode(options.meshConfig);\n\t\tawait this.meshNode.start();\n\n\t\t// 2. Register LIOP Manifest Protocol Handler\n\t\t// This allows remote peers to query our tool/resource metadata dynamically.\n\t\tconst meshNodeRef = this.meshNode;\n\t\tthis.meshNode.registerManifestHandler((): LiopManifest => {\n\t\t\tconst tools = this.listTools().map((t) => ({\n\t\t\t\tname: t.name,\n\t\t\t\tdescription: t.description,\n\t\t\t\tinputSchema: t.inputSchema as Record<string, unknown>,\n\t\t\t}));\n\n\t\t\tconst resources = Array.from(this.resources.values()).map((r) => ({\n\t\t\t\tname: r.name,\n\t\t\t\turi: r.uri,\n\t\t\t\tdescription: r.description,\n\t\t\t\tmimeType: r.mimeType,\n\t\t\t\ttext: typeof r.content === \"string\" ? r.content : r.description,\n\t\t\t}));\n\n\t\t\treturn {\n\t\t\t\tpeerId: meshNodeRef.getPeerId(),\n\t\t\t\tgrpcPort: port,\n\t\t\t\ttools,\n\t\t\t\tresources,\n\t\t\t\tserverInfo: this.serverInfo,\n\t\t\t};\n\t\t});\n\n\t\t// 3. Announce local tools to the DHT\n\t\tfor (const tool of this.listTools()) {\n\t\t\tawait this.meshNode.announceCapability(tool.name).catch(log.info);\n\t\t}\n\n\t\t// 4. Announce manifest availability\n\t\tawait this.meshNode.announceManifest().catch(log.info);\n\n\t\t// 5. 
Initialize gRPC Server (Execution)\n\t\tthis.rpcServer = new LiopRpcServer();\n\n\t\tthis.rpcServer.addService({\n\t\t\tnegotiateIntent: (call, callback) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`,\n\t\t\t\t);\n\n\t\t\t\t// Standard dynamic import to avoid potential circularity\n\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(async ({ Kyber768Wrapper }) => {\n\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t});\n\n\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\t},\n\t\t\texecuteLogic: async (\n\t\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t\t) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`,\n\t\t\t\t);\n\n\t\t\t\tconst session = this.sessions.get(request.session_token);\n\t\t\t\tif (!session) {\n\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\tdetails: \"Invalid session token\",\n\t\t\t\t\t});\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Pass to Worker Pool for PQC Decryption and WASI/V8 execution\n\t\t\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\t\t\tciphertext: request.pqc_ciphertext,\n\t\t\t\t\t\tsecretKeyObj: Array.from(session.kyber_sk),\n\t\t\t\t\t\twasmBinary: request.wasm_binary,\n\t\t\t\t\t\tinputs: request.inputs,\n\t\t\t\t\t\taesNonce: request.aes_nonce,\n\t\t\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\t\t\tsessionToken: 
request.session_token,\n\t\t\t\t\t\tisEncrypted: true,\n\t\t\t\t\t});\n\n\t\t\t\t\tlet finalOutput: string;\n\t\t\t\t\ttry {\n\t\t\t\t\t\tfinalOutput =\n\t\t\t\t\t\t\ttypeof workerResponse.output === \"string\"\n\t\t\t\t\t\t\t\t? workerResponse.output\n\t\t\t\t\t\t\t\t: JSON.stringify(workerResponse.output);\n\n\t\t\t\t\t\t// [PROTOCOL TRANSFORMER] Support for Proxied Tool Calls\n\t\t\t\t\t\tconst decoded = JSON.parse(finalOutput);\n\t\t\t\t\t\tif (decoded.__liop_proxy_tool) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tconst toolResult = await this.callTool({\n\t\t\t\t\t\t\t\tname: decoded.__liop_proxy_tool,\n\t\t\t\t\t\t\t\targuments: decoded.__liop_proxy_args || {},\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tfinalOutput = JSON.stringify(toolResult);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\tfinalOutput = String(workerResponse.output);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst response: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: finalOutput,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\n\t\t\t\t\t\t\tworkerResponse.image_id || \"\",\n\t\t\t\t\t\t\t\"hex\",\n\t\t\t\t\t\t),\n\t\t\t\t\t\tzk_receipt: workerResponse.zk_receipt\n\t\t\t\t\t\t\t? 
Buffer.from(workerResponse.zk_receipt, \"base64\")\n\t\t\t\t\t\t\t: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: false,\n\t\t\t\t\t};\n\n\t\t\t\t\t// Final PII check for gRPC egress\n\t\t\t\t\tconst violation = await this.piiScanner.scan([\n\t\t\t\t\t\t{ type: \"text\", text: finalOutput },\n\t\t\t\t\t]);\n\t\t\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(finalOutput),\n\t\t\t\t\t);\n\t\t\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller\n\t\t\t\t\t\tconst internalReason =\n\t\t\t\t\t\t\tviolation || \"Aggregation-First Policy Violation\";\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tresponse.semantic_evidence =\n\t\t\t\t\t\t\t\"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\t\t\t\t\t\tresponse.is_error = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tcall.write(response, () => {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t});\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tconst isDev =\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\";\n\n\t\t\t\t\tconst detail = e.message || String(error);\n\t\t\t\t\tlog.error(`[LIOP-RPC] Execution Error: ${detail}`);\n\n\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t? `Execution Error: ${detail}`\n\t\t\t\t\t\t: \"[LIOP] Execution Failed. 
The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\t\t\t// Send error response before closing, avoiding \"stream closed without results\"\n\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t};\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t});\n\t\t\t\t\t} catch (_writeErr) {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t});\n\n\t\tthis.boundPort = await this.rpcServer.listen(port);\n\t\tlog.info(\n\t\t\t`[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`,\n\t\t);\n\t}\n\n\t/**\n\t * Internal worker execution with Egress Filtering logic.\n\t */\n\tprivate async executeInWorkerPool(\n\t\t_args: Record<string, unknown>,\n\t\trawPayload: string,\n\t\ttoolName?: string,\n\t): Promise<CallToolResult> {\n\t\ttry {\n\t\t\t// Transparent local execution without dynamic PQC\n\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\tciphertext: new Uint8Array(0),\n\t\t\t\tsecretKeyObj: Array.from(new Uint8Array(0)),\n\t\t\t\tkyberPublicKey: new Uint8Array(0),\n\t\t\t\twasmBinary: Buffer.from(rawPayload),\n\t\t\t\tinputs: {},\n\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\tsessionToken: \"local-dev-token\",\n\t\t\t\tisEncrypted: false, // Use plaintext for local Logic-on-Origin injection\n\t\t\t});\n\n\t\t\t// Standard MCP Content Array\n\t\t\tconst textOutput = JSON.stringify({\n\t\t\t\tcomputation_result: workerResponse.output,\n\t\t\t\timage_id: workerResponse.image_id,\n\t\t\t\tzk_receipt: workerResponse.zk_receipt,\n\t\t\t\tstatus: \"Worker Pool Execution Success\",\n\t\t\t});\n\n\t\t\tconst content = [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\ttext: textOutput,\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst toolPolicy = 
toolName\n\t\t\t\t? this.tools.get(toolName)?.policy\n\t\t\t\t: undefined;\n\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\tworkerResponse.output,\n\t\t\t\ttoolPolicy,\n\t\t\t);\n\t\t\tif (policyViolation) {\n\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller in Production\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? policyViolation\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Professional PII Protection Guard\n\t\t\tconst violation = await this.piiScanner.scan(content);\n\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\tworkerResponse.output,\n\t\t\t);\n\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t// SEC-CRITICAL: Log the specific violation reason server-side only.\n\t\t\t\t// Never expose detection details (entity names, matched values) to the caller in Production.\n\t\t\t\tconst internalReason =\n\t\t\t\t\tviolation ||\n\t\t\t\t\t\"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.\";\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === 
\"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? `[LIOP] Egress Security Violation: ${internalReason}`\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn { content };\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\tconst detail = e.message || String(error);\n\t\t\tlog.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);\n\n\t\t\tconst errorMessage = isDev\n\t\t\t\t? `WorkerPoolError: ${detail}`\n\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Safely destroys the worker pool, gRPC server, and Mesh node.\n\t * Recommended to be called during graceful shutdowns or test teardowns.\n\t */\n\tpublic async close(): Promise<void> {\n\t\tif (this.workerPool) {\n\t\t\tawait this.workerPool.close({ force: true });\n\t\t}\n\t\tif (this.rpcServer) {\n\t\t\tawait this.rpcServer.stop();\n\t\t}\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t}\n}\n"]}
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
import {a}from'./chunk-S6RJHZV2.js';import n from'path';import {fileURLToPath}from'url';import*as r from'@grpc/grpc-js';import*as d from'@grpc/proto-loader';import*as t from'fs';var m=fileURLToPath(import.meta.url),s=n.dirname(m),u=[n.resolve(s,"./protocol/liop_core.proto"),n.resolve(s,"../protocol/liop_core.proto")],g=n.resolve(s,"../../../../protocol/proto/liop_core.proto"),p=u.find(e=>t.existsSync(e))||g;t.existsSync(p)||a.error(`[LIOP-Proto] CRITICAL: Proto file not found at ${p}`);var S=d.loadSync(p,{keepCase:true,longs:String,enums:String,defaults:true,oneofs:true}),y=r.loadPackageDefinition(S),_=y.liop.v1;function x(e){if(!e?.certChain||!e?.privateKey)return r.ServerCredentials.createInsecure();try{let o=e.rootCert?t.readFileSync(e.rootCert):null,c=t.readFileSync(e.certChain),a=t.readFileSync(e.privateKey);return r.ServerCredentials.createSsl(o,[{cert_chain:c,private_key:a}])}catch(o){return a.info(`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${o}`),r.ServerCredentials.createInsecure()}}function K(e){if(!e?.rootCert)return r.credentials.createInsecure();try{let o=t.readFileSync(e.rootCert),c=e.certChain?t.readFileSync(e.certChain):void 0,a=e.privateKey?t.readFileSync(e.privateKey):void 0;return r.credentials.createSsl(o,a,c)}catch(o){return a.info(`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${o}`),r.credentials.createInsecure()}}export{_ as a,x as b,K as c};//# sourceMappingURL=chunk-HM77MWB6.js.map
|
|
2
|
+
//# sourceMappingURL=chunk-HM77MWB6.js.map
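Review bot: Both credential factories fail open: in `x` (server) and `K` (channel) the `catch` branch logs at info level and returns `createInsecure()`, so a node that was given TLS paths but cannot read one of the files comes up in plaintext instead of refusing to start. Reserve `createInsecure()` for the early return where no TLS options were passed, and rethrow in the `catch`, e.g. `throw new Error("[LIOP-TLS] Failed to load certificates: " + o)`. The server path also calls `createSsl(o,[{cert_chain:c,private_key:a}])` without grpc-js's third `checkClientCertificate` argument, which defaults to false, so client certificates are not requested even when `rootCert` is set; pass `true` there if mutual TLS is the intent. This chunk is bundler output, so the change belongs in the source module it was built from (the source map on this page names `../src/rpc/tls.ts`).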
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/rpc/proto.ts","../src/rpc/tls.ts"],"names":["__filename","fileURLToPath","__dirname","path","PROD_PATHS","DEV_PROTO_PATH","PROTO_PATH","p","l","log","packageDefinition","liopProto","f","liopV1","createServerCredentials","tls","rootCert","certChain","privateKey","error","createChannelCredentials"],"mappings":"kLAKA,IAAMA,CAAAA,CAAaC,aAAAA,CAAc,YAAY,GAAG,CAAA,CAC1CC,CAAAA,CAAYC,CAAAA,CAAK,OAAA,CAAQH,CAAU,EAMnCI,CAAAA,CAAa,CAClBD,EAAK,OAAA,CAAQD,CAAAA,CAAW,4BAA4B,CAAA,CACpDC,CAAAA,CAAK,OAAA,CAAQD,CAAAA,CAAW,6BAA6B,CACtD,EAEMG,CAAAA,CAAiBF,CAAAA,CAAK,OAAA,CAC3BD,CAAAA,CACA,4CACD,CAAA,CAGMI,EAAaF,CAAAA,CAAW,IAAA,CAAMG,CAAAA,EAASC,CAAA,CAAA,UAAA,CAAWD,CAAC,CAAC,GAAKF,CAAAA,CAEvDG,CAAA,CAAA,UAAA,CAAWF,CAAU,CAAA,EAC5BG,CAAAA,CAAI,MAAM,CAAA,+CAAA,EAAkDH,CAAU,CAAA,CAAE,CAAA,CAOzE,IAAMI,CAAAA,CAAgC,WAASJ,CAAAA,CAAY,CAC1D,QAAA,CAAU,IAAA,CACV,KAAA,CAAO,MAAA,CACP,MAAO,MAAA,CACP,QAAA,CAAU,IAAA,CACV,MAAA,CAAQ,IACT,CAAC,EAGYK,CAAAA,CAAiBC,CAAA,CAAA,qBAAA,CAAsBF,CAAiB,CAAA,CACxDG,CAAAA,CAASF,CAAAA,CAAU,KAAK,GClB9B,SAASG,CAAAA,CACfC,CAAAA,CACyB,CACzB,GAAI,CAACA,GAAK,SAAA,EAAa,CAACA,CAAAA,EAAK,UAAA,CAC5B,OAAY,CAAA,CAAA,iBAAA,CAAkB,gBAAe,CAG9C,GAAI,CACH,IAAMC,CAAAA,CAAWD,EAAI,QAAA,CAAc,CAAA,CAAA,YAAA,CAAaA,CAAAA,CAAI,QAAQ,CAAA,CAAI,IAAA,CAC1DE,EAAe,CAAA,CAAA,YAAA,CAAaF,CAAAA,CAAI,SAAS,CAAA,CACzCG,CAAAA,CAAgB,CAAA,CAAA,YAAA,CAAaH,EAAI,UAAU,CAAA,CAEjD,OAAY,CAAA,CAAA,iBAAA,CAAkB,SAAA,CAAUC,CAAAA,CAAU,CACjD,CAAE,UAAA,CAAYC,EAAW,WAAA,CAAaC,CAAW,CAClD,CAAC,CACF,CAAA,MAASC,CAAAA,CAAO,CACf,OAAAV,EAAI,IAAA,CACH,CAAA,kEAAA,EAAqEU,CAAK,CAAA,CAC3E,CAAA,CACY,CAAA,CAAA,iBAAA,CAAkB,gBAC/B,CACD,CAMO,SAASC,CAAAA,CACfL,CAAAA,CAC0B,CAC1B,GAAI,CAACA,GAAK,QAAA,CACT,OAAY,cAAY,cAAA,EAAe,CAGxC,GAAI,CACH,IAAMC,CAAAA,CAAc,eAAaD,CAAAA,CAAI,QAAQ,CAAA,CACvCE,CAAAA,CAAYF,CAAAA,CAAI,SAAA,CAChB,eAAaA,CAAAA,CAAI,SAAS,CAAA,CAC7B,KAAA,CAAA,CACGG,CAAAA,CAAaH,CAAAA,CAAI,WACjB,CAAA,CAAA,YAAA,CAAaA,CAAAA,CAAI,UAAU,CAAA,CAC9B,KAAA,CAAA,CAEH,OAAY,cAAY,SAAA,CAAUC,CAAAA,CAAUE,CAAAA,CAAYD,CAAS,CACl
E,CAAA,MAASE,EAAO,CACf,OAAAV,CAAAA,CAAI,IAAA,CACH,CAAA,kEAAA,EAAqEU,CAAK,EAC3E,CAAA,CACY,CAAA,CAAA,WAAA,CAAY,cAAA,EACzB,CACD","file":"chunk-HM77MWB6.js","sourcesContent":["import path from \"node:path\";\nimport { fileURLToPath } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport * as protoLoader from \"@grpc/proto-loader\";\n\nconst __filename = fileURLToPath(import.meta.url);\nconst __dirname = path.dirname(__filename);\n\nimport * as fs from \"node:fs\";\nimport { log } from \"../utils/logger.js\";\n\n// Selection logic: support both flat dist/ and original src/ structure\nconst PROD_PATHS = [\n\tpath.resolve(__dirname, \"./protocol/liop_core.proto\"), // Flat dist/ (tsup)\n\tpath.resolve(__dirname, \"../protocol/liop_core.proto\"), // dist/rpc/ (tsc)\n];\n\nconst DEV_PROTO_PATH = path.resolve(\n\t__dirname,\n\t\"../../../../protocol/proto/liop_core.proto\",\n);\n\n// Selection logic\nconst PROTO_PATH = PROD_PATHS.find((p) => fs.existsSync(p)) || DEV_PROTO_PATH;\n\nif (!fs.existsSync(PROTO_PATH)) {\n\tlog.error(`[LIOP-Proto] CRITICAL: Proto file not found at ${PROTO_PATH}`);\n}\n\n/**\n * LIOP Proto Loader\n * Loads the core gRPC definitions for the Logic-Injection-on-Origin Protocol.\n */\nconst packageDefinition = protoLoader.loadSync(PROTO_PATH, {\n\tkeepCase: true,\n\tlongs: String,\n\tenums: String,\n\tdefaults: true,\n\toneofs: true,\n});\n\n// biome-ignore lint/suspicious/noExplicitAny: gRPC dynamic loading requires any for the service definition map\nexport const liopProto = grpc.loadPackageDefinition(packageDefinition) as any;\nexport const liopV1 = liopProto.liop.v1;\n","/**\n * LIOP TLS Configuration\n *\n * Provides conditional TLS credential factories for gRPC connections.\n * When TLS options are provided, connections are secured with mutual TLS.\n * Otherwise, falls back to insecure credentials (alpha/development mode).\n */\n\nimport * as fs from \"node:fs\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { log } from 
\"../utils/logger.js\";\n\nexport interface LiopTlsOptions {\n\t/** Path to the root CA certificate (PEM format) */\n\trootCert?: string;\n\t/** Path to the server/client certificate (PEM format) */\n\tcertChain?: string;\n\t/** Path to the private key (PEM format) */\n\tprivateKey?: string;\n}\n\n/**\n * Creates gRPC server credentials from TLS options.\n * Falls back to insecure if no options are provided.\n */\nexport function createServerCredentials(\n\ttls?: LiopTlsOptions,\n): grpc.ServerCredentials {\n\tif (!tls?.certChain || !tls?.privateKey) {\n\t\treturn grpc.ServerCredentials.createInsecure();\n\t}\n\n\ttry {\n\t\tconst rootCert = tls.rootCert ? fs.readFileSync(tls.rootCert) : null;\n\t\tconst certChain = fs.readFileSync(tls.certChain);\n\t\tconst privateKey = fs.readFileSync(tls.privateKey);\n\n\t\treturn grpc.ServerCredentials.createSsl(rootCert, [\n\t\t\t{ cert_chain: certChain, private_key: privateKey },\n\t\t]);\n\t} catch (error) {\n\t\tlog.info(\n\t\t\t`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${error}`,\n\t\t);\n\t\treturn grpc.ServerCredentials.createInsecure();\n\t}\n}\n\n/**\n * Creates gRPC channel credentials from TLS options.\n * Falls back to insecure if no options are provided.\n */\nexport function createChannelCredentials(\n\ttls?: LiopTlsOptions,\n): grpc.ChannelCredentials {\n\tif (!tls?.rootCert) {\n\t\treturn grpc.credentials.createInsecure();\n\t}\n\n\ttry {\n\t\tconst rootCert = fs.readFileSync(tls.rootCert);\n\t\tconst certChain = tls.certChain\n\t\t\t? fs.readFileSync(tls.certChain)\n\t\t\t: undefined;\n\t\tconst privateKey = tls.privateKey\n\t\t\t? fs.readFileSync(tls.privateKey)\n\t\t\t: undefined;\n\n\t\treturn grpc.credentials.createSsl(rootCert, privateKey, certChain);\n\t} catch (error) {\n\t\tlog.info(\n\t\t\t`[LIOP-TLS] Failed to load certificates, falling back to insecure: ${error}`,\n\t\t);\n\t\treturn grpc.credentials.createInsecure();\n\t}\n}\n"]}
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
import A from'crypto';import*as n from'fs/promises';import*as b from'os';import*as c from'path';import h from'vm';import {WASI}from'wasi';var f=class extends Error{constructor(t){super(`AST Sec-Policy Violation: ${t}`),this.name="GuardianError";}},w={analyze(d){let t=WebAssembly.Module.imports(d),s=0,l=new Set(["fd_write","fd_read","fd_close","fd_seek","environ_get","environ_sizes_get","args_get","args_sizes_get","clock_time_get","random_get","proc_exit","fd_prestat_get","fd_prestat_dir_name","fd_fdstat_get"]);for(let i of t){if(i.module==="wasi_snapshot_preview1"){if(!l.has(i.name))throw new f(`Banned WASI Import Detected: ${i.module}/${i.name}`)}else throw new f(`Banned Host Import Module Detected: ${i.module}`);if(s++,s>128)throw new f("Import limit exceeded. Possible resource exhaustion attack.")}}};var x=process.emit;process.emit=(d,t,...s)=>d==="warning"&&typeof t=="object"&&t.name==="ExperimentalWarning"&&String(t.message).includes("WASI")||String(t.message).includes("importing WASI")?false:x.call(process,d,t,...s);var y=class{wasi;sandboxId;workingDir;config;stdoutHandle=null;stderrHandle=null;constructor(t={}){this.sandboxId=A.randomUUID(),this.workingDir=c.join(b.tmpdir(),"liop-mesh","sandboxes",this.sandboxId),this.config=t;}async init(){try{await n.mkdir(this.workingDir,{recursive:!0}),this.stdoutHandle=await n.open(c.join(this.workingDir,"stdout.log"),"w+"),this.stderrHandle=await n.open(c.join(this.workingDir,"stderr.log"),"w+"),this.wasi=new WASI({version:"preview1",args:["liop_runtime"],env:this.config.allowEnv?process.env:{NODE_ENV:"production",LIOP_NODE:"true",RUNTIME_ID:this.sandboxId},preopens:{"/sandbox":this.workingDir,...this.config.allowedDirectories},stdout:this.stdoutHandle.fd,stderr:this.stderrHandle.fd});}catch(t){throw new Error(`Sandbox Initialization Failed: ${t instanceof Error?t.message:"FS Error"}`)}}async execute(t,s=[],l={}){let i=performance.now();if(t instanceof Buffer)try{let e=await WebAssembly.compile(new 
Uint8Array(t));w.analyze(e);let p=await WebAssembly.instantiate(e,this.wasi.getImportObject());this.wasi.start(p);let u=c.join(this.workingDir,"stdout.log"),o=c.join(this.workingDir,"stderr.log"),m=await n.readFile(u,"utf-8"),r=await n.readFile(o,"utf-8"),a=performance.now()-i;return {output:m||(r?`Error: ${r}`:"WASM_EXECUTION_SUCCESS"),fuelConsumed:Math.floor(a*1e3)}}catch(e){throw new Error(`WASM Runtime Error: ${e instanceof Error?e.message:String(e)}`)}else {let e=Object.create(null),p={records:s,...l};e.require=void 0,e.process=void 0,e.global=void 0,e.globalThis=void 0,e.Buffer=void 0,e.setTimeout=void 0,e.setInterval=void 0,e.setImmediate=void 0,e.queueMicrotask=void 0,e.eval=void 0,e.Function=void 0,e.SharedArrayBuffer=void 0,e.Date=void 0,e.ArrayBuffer=void 0,e.Uint8Array=void 0,e.Int8Array=void 0,e.Uint16Array=void 0,e.Int16Array=void 0,e.Uint32Array=void 0,e.Int32Array=void 0,e.Float32Array=void 0,e.Float64Array=void 0,e.BigInt64Array=void 0,e.BigUint64Array=void 0,e.DataView=void 0,e.records=JSON.parse(JSON.stringify(s)),e.env=JSON.parse(JSON.stringify(p));for(let[r,a]of Object.entries(l))e[r]=JSON.parse(JSON.stringify(a));let u=r=>{if(r&&typeof r=="object"&&!Object.isFrozen(r)){Object.freeze(r);for(let a of Object.keys(r))u(r[a]);}return r};u(e.records),u(e.env);for(let r of Object.keys(e))Object.defineProperty(e,r,{writable:false,configurable:false});let o=String(t);(/^\s*return\s/m.test(o)||!o.includes("function liop_main"))&&(o.includes("function liop_main")||(o=`function liop_main(env) {
|
|
2
|
+
${o}
|
|
3
|
+
}`));let m=`
|
|
4
|
+
(function() {
|
|
5
|
+
try {
|
|
6
|
+
Object.freeze(Object.prototype);
|
|
7
|
+
Object.freeze(Array.prototype);
|
|
8
|
+
Object.freeze(String.prototype);
|
|
9
|
+
Object.freeze(Number.prototype);
|
|
10
|
+
Object.freeze(Boolean.prototype);
|
|
11
|
+
Object.freeze(Object.getPrototypeOf(function(){}));
|
|
12
|
+
|
|
13
|
+
${o}
|
|
14
|
+
if (typeof liop_main === 'function') {
|
|
15
|
+
return liop_main(env);
|
|
16
|
+
}
|
|
17
|
+
return "ERR_NO_ENTRY_POINT";
|
|
18
|
+
} catch(e) {
|
|
19
|
+
return "LogicError: " + e.message;
|
|
20
|
+
}
|
|
21
|
+
})();
|
|
22
|
+
`;try{let r=new h.Script(m,{filename:`liop-sandbox-${this.sandboxId.slice(0,8)}.js`}),a=h.createContext(e,{name:"LIOP Isolate",origin:"liop://sandbox"}),_=r.runInContext(a,{timeout:5e3,breakOnSigint:!0,displayErrors:!0}),S=performance.now()-i,I=Math.floor(S*1500+100),g=Math.ceil(I/100)*100;if(g>1e6)throw new Error("LIOP_RESOURCE_EXHAUSTED: Execution fuel limit exceeded.");return {output:_,fuelConsumed:g}}catch(r){throw new Error(`V8 Isolate Fault: ${r instanceof Error?r.message:"Execution Timeout"}`)}}}async teardown(){try{this.stdoutHandle&&await this.stdoutHandle.close(),this.stderrHandle&&await this.stderrHandle.close(),await n.rm(this.workingDir,{recursive:!0,force:!0});}catch{}}};
|
|
23
|
+
export{w as a,y as b};//# sourceMappingURL=chunk-HNDVAKEK.js.map
|
|
24
|
+
//# sourceMappingURL=chunk-HNDVAKEK.js.map
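Review bot: The string branch of `execute` relies on `node:vm` as the isolation boundary for untrusted logic, but Node's documentation states that `vm` is not a security mechanism; assigning `undefined` to names on the context object and freezing prototypes hides identifiers without removing the context's own intrinsics. The `timeout:5e3` passed to `runInContext` bounds only the synchronous run, the `memoryLimitMb` option declared in the bundled source is not read anywhere in this chunk, and the `g>1e6` fuel check runs after the code has finished, so it reports usage rather than limiting it. On the WASM branch `this.wasi.start(p)` runs synchronously with no deadline, and `allowEnv` passes the host's entire `process.env` to the guest. I would run both branches in a separate low-privilege child process that the host kills on a deadline (a `worker_threads` Worker with `resourceLimits` only bounds memory and is not an isolation boundary either), and replace `env: process.env` with an explicit allow-list of variable names. Separately, the `process.emit` wrapper evaluates `String(t.message).includes("importing WASI")` outside the `d==="warning"` guard, so it runs for every event and throws when `t` is undefined or null; the condition should read `d==="warning" && t!=null && typeof t=="object" && t.name==="ExperimentalWarning" && (String(t.message).includes("WASI"))`.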
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/sandbox/guardian.ts","../src/sandbox/wasi.ts"],"names":["GuardianError","message","ASTGuardian","module","imports","_importCount","ALLOWED_WASI_FUNCTIONS","imp","originalEmit","name","data","args","WasiSandbox","config","crypto","WASI","error","compiledLogic","records","inputs","startTime","instance","stdoutPath","stderrPath","stdout","stderr","duration","sandboxEnv","env","key","value","deepFreeze","obj","processedLogic","scriptCode","script","vm","context","output","rawFuel","fuelUsed"],"mappings":"0IAAO,IAAMA,CAAAA,CAAN,cAA4B,KAAM,CACxC,YAAYC,CAAAA,CAAiB,CAC5B,KAAA,CAAM,CAAA,0BAAA,EAA6BA,CAAO,CAAA,CAAE,CAAA,CAC5C,IAAA,CAAK,IAAA,CAAO,gBACb,CACD,CAAA,CAQaC,CAAAA,CAAc,CAO1B,OAAA,CAAQC,CAAAA,CAAkC,CACzC,IAAMC,EAAU,WAAA,CAAY,MAAA,CAAO,OAAA,CAAQD,CAAM,EAC7CE,CAAAA,CAAe,CAAA,CAEbC,CAAAA,CAAyB,IAAI,IAAI,CACtC,UAAA,CACA,SAAA,CACA,UAAA,CACA,SAAA,CACA,aAAA,CACA,mBAAA,CACA,UAAA,CACA,iBACA,gBAAA,CACA,YAAA,CACA,WAAA,CACA,gBAAA,CACA,sBACA,eACD,CAAC,CAAA,CAED,IAAA,IAAWC,KAAOH,CAAAA,CAAS,CAE1B,GAAIG,CAAAA,CAAI,MAAA,GAAW,wBAAA,CAAA,CAClB,GAAI,CAACD,EAAuB,GAAA,CAAIC,CAAAA,CAAI,IAAI,CAAA,CACvC,MAAM,IAAIP,CAAAA,CACT,CAAA,6BAAA,EAAgCO,CAAAA,CAAI,MAAM,CAAA,CAAA,EAAIA,CAAAA,CAAI,IAAI,CAAA,CACvD,CAAA,CAAA,KAGD,MAAM,IAAIP,CAAAA,CACT,uCAAuCO,CAAAA,CAAI,MAAM,CAAA,CAClD,CAAA,CAID,GAFAF,CAAAA,EAAAA,CAEIA,CAAAA,CAAe,GAAA,CAClB,MAAM,IAAIL,CAAAA,CACT,6DACD,CAEF,CAKD,CACD,EC1DA,IAAMQ,CAAAA,CAAe,QAAQ,IAAA,CAE7B,OAAA,CAAQ,IAAA,CAAO,CAACC,EAAMC,CAAAA,CAAAA,GAASC,CAAAA,GAE5BF,CAAAA,GAAS,SAAA,EACT,OAAOC,CAAAA,EAAS,QAAA,EACfA,CAAAA,CAAiC,IAAA,GAAS,qBAAA,EAC3C,MAAA,CAAQA,CAAAA,CAAiC,OAAO,EAAE,QAAA,CAAS,MAAM,CAAA,EAClE,MAAA,CAAQA,EAAiC,OAAO,CAAA,CAAE,QAAA,CAAS,gBAAgB,EAEpE,KAAA,CAEDF,CAAAA,CAAa,IAAA,CAAK,OAAA,CAASC,CAAAA,CAAMC,CAAAA,CAAM,GAAGC,CAAI,EAgB/C,IAAMC,CAAAA,CAAN,KAAkB,CAChB,KACA,SAAA,CACA,UAAA,CACA,MAAA,CACA,YAAA,CAAqC,KACrC,YAAA,CAAqC,IAAA,CAE7C,WAAA,CAAYC,CAAAA,CAAwB,EAAC,CAAG,CACvC,IAAA,CAAK,UAAYC,CAAAA,CAAO,UAAA,EAAW,CAEnC,IAAA,CAAK,WAAkB,CAAA,CAAA,IAAA,CACnB
,CAAA,CAAA,MAAA,EAAO,CACV,WAAA,CACA,YACA,IAAA,CAAK,SACN,CAAA,CACA,IAAA,CAAK,MAAA,CAASD,EACf,CAKA,MAAa,MAAsB,CAClC,GAAI,CACH,MAAS,QAAM,IAAA,CAAK,UAAA,CAAY,CAAE,SAAA,CAAW,EAAK,CAAC,CAAA,CAGnD,IAAA,CAAK,YAAA,CAAe,MAAS,CAAA,CAAA,IAAA,CACvB,CAAA,CAAA,IAAA,CAAK,IAAA,CAAK,WAAY,YAAY,CAAA,CACvC,IACD,CAAA,CACA,KAAK,YAAA,CAAe,MAAS,CAAA,CAAA,IAAA,CACvB,CAAA,CAAA,IAAA,CAAK,KAAK,UAAA,CAAY,YAAY,CAAA,CACvC,IACD,CAAA,CAEA,IAAA,CAAK,IAAA,CAAO,IAAIE,KAAK,CACpB,OAAA,CAAS,UAAA,CACT,IAAA,CAAM,CAAC,cAAc,CAAA,CACrB,GAAA,CAAK,IAAA,CAAK,OAAO,QAAA,CACd,OAAA,CAAQ,GAAA,CACR,CACA,QAAA,CAAU,YAAA,CACV,SAAA,CAAW,MAAA,CACX,WAAY,IAAA,CAAK,SAClB,CAAA,CACF,QAAA,CAAU,CACT,UAAA,CAAY,IAAA,CAAK,UAAA,CACjB,GAAG,KAAK,MAAA,CAAO,kBAChB,CAAA,CACA,MAAA,CAAQ,IAAA,CAAK,YAAA,CAAa,EAAA,CAC1B,MAAA,CAAQ,KAAK,YAAA,CAAa,EAC3B,CAAC,EACF,OAASC,CAAAA,CAAO,CACf,MAAM,IAAI,MACT,CAAA,+BAAA,EAAkCA,CAAAA,YAAiB,KAAA,CAAQA,CAAAA,CAAM,QAAU,UAAU,CAAA,CACtF,CACD,CACD,CAKA,MAAa,OAAA,CACZC,CAAAA,CACAC,CAAAA,CAAqC,EAAC,CACtCC,CAAAA,CAAkC,EAAC,CACkB,CACrD,IAAMC,CAAAA,CAAY,WAAA,CAAY,GAAA,EAAI,CAElC,GAAIH,CAAAA,YAAyB,MAAA,CAE5B,GAAI,CACH,IAAMd,CAAAA,CAAS,MAAM,YAAY,OAAA,CAAQ,IAAI,UAAA,CAAWc,CAAa,CAAC,CAAA,CAGtEf,CAAAA,CAAY,OAAA,CAAQC,CAAM,CAAA,CAE1B,IAAMkB,CAAAA,CAAW,MAAM,YAAY,WAAA,CAClClB,CAAAA,CACA,IAAA,CAAK,IAAA,CAAK,iBACX,CAAA,CAGA,IAAA,CAAK,IAAA,CAAK,MAAMkB,CAAQ,CAAA,CAGxB,IAAMC,CAAAA,CAAkB,CAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,CAAY,YAAY,EACpDC,CAAAA,CAAkB,CAAA,CAAA,IAAA,CAAK,IAAA,CAAK,UAAA,CAAY,YAAY,CAAA,CACpDC,CAAAA,CAAS,MAAS,CAAA,CAAA,QAAA,CAASF,EAAY,OAAO,CAAA,CAC9CG,CAAAA,CAAS,MAAS,CAAA,CAAA,QAAA,CAASF,CAAAA,CAAY,OAAO,CAAA,CAE9CG,EAAW,WAAA,CAAY,GAAA,EAAI,CAAIN,CAAAA,CACrC,OAAO,CACN,MAAA,CACCI,CAAAA,GAAWC,CAAAA,CAAS,UAAUA,CAAM,CAAA,CAAA,CAAK,wBAAA,CAAA,CAC1C,YAAA,CAAc,IAAA,CAAK,KAAA,CAAMC,CAAAA,CAAW,GAAI,CACzC,CACD,CAAA,MAASV,CAAAA,CAAgB,CACxB,MAAM,IAAI,KAAA,CACT,CAAA,oBAAA,EAAuBA,CAAAA,YAAiB,MAAQA,CAAAA,CAAM,OAAA,CAAU,MAAA,CAAOA,CAAK,CAAC,CAAA,CAC9E,CACD,CAAA,KACM,CAKN,IAAMW,CAAAA,CAAkB,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA,CACpCC,CAAAA,CAAM,
CAAE,OAAA,CAAAV,EAAS,GAAGC,CAAO,CAAA,CAGjCQ,CAAAA,CAAW,OAAA,CAAU,MAAA,CACrBA,CAAAA,CAAW,OAAA,CAAU,OACrBA,CAAAA,CAAW,MAAA,CAAS,MAAA,CACpBA,CAAAA,CAAW,WAAa,MAAA,CACxBA,CAAAA,CAAW,MAAA,CAAS,MAAA,CACpBA,EAAW,UAAA,CAAa,MAAA,CACxBA,CAAAA,CAAW,WAAA,CAAc,OACzBA,CAAAA,CAAW,YAAA,CAAe,MAAA,CAC1BA,CAAAA,CAAW,eAAiB,MAAA,CAC5BA,CAAAA,CAAW,IAAA,CAAO,MAAA,CAClBA,EAAW,QAAA,CAAW,MAAA,CACtBA,CAAAA,CAAW,iBAAA,CAAoB,OAC/BA,CAAAA,CAAW,IAAA,CAAO,MAAA,CAMlBA,CAAAA,CAAW,WAAA,CAAc,MAAA,CACzBA,CAAAA,CAAW,UAAA,CAAa,OACxBA,CAAAA,CAAW,SAAA,CAAY,MAAA,CACvBA,CAAAA,CAAW,YAAc,MAAA,CACzBA,CAAAA,CAAW,UAAA,CAAa,MAAA,CACxBA,EAAW,WAAA,CAAc,MAAA,CACzBA,CAAAA,CAAW,UAAA,CAAa,MAAA,CACxBA,CAAAA,CAAW,YAAA,CAAe,MAAA,CAC1BA,EAAW,YAAA,CAAe,MAAA,CAC1BA,CAAAA,CAAW,aAAA,CAAgB,OAC3BA,CAAAA,CAAW,cAAA,CAAiB,MAAA,CAC5BA,CAAAA,CAAW,SAAW,MAAA,CAGtBA,CAAAA,CAAW,OAAA,CAAU,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,SAAA,CAAUT,CAAO,CAAC,CAAA,CACvDS,CAAAA,CAAW,GAAA,CAAM,IAAA,CAAK,MAAM,IAAA,CAAK,SAAA,CAAUC,CAAG,CAAC,EAE/C,IAAA,GAAW,CAACC,CAAAA,CAAKC,CAAK,CAAA,GAAK,MAAA,CAAO,OAAA,CAAQX,CAAM,EAC/CQ,CAAAA,CAAWE,CAAG,CAAA,CAAI,IAAA,CAAK,MAAM,IAAA,CAAK,SAAA,CAAUC,CAAK,CAAC,EAKnD,IAAMC,CAAAA,CAAcC,CAAAA,EAAa,CAChC,GAAIA,CAAAA,EAAO,OAAOA,CAAAA,EAAQ,UAAY,CAAC,MAAA,CAAO,QAAA,CAASA,CAAG,EAAG,CAC5D,MAAA,CAAO,MAAA,CAAOA,CAAG,EACjB,IAAA,IAAWH,CAAAA,IAAO,MAAA,CAAO,IAAA,CAAKG,CAAG,CAAA,CAChCD,CAAAA,CAAWC,CAAAA,CAAIH,CAAG,CAAC,EAErB,CACA,OAAOG,CACR,CAAA,CAEAD,CAAAA,CAAWJ,CAAAA,CAAW,OAAO,EAC7BI,CAAAA,CAAWJ,CAAAA,CAAW,GAAG,CAAA,CAGzB,IAAA,IAAWE,CAAAA,IAAO,MAAA,CAAO,IAAA,CAAKF,CAAU,CAAA,CACvC,MAAA,CAAO,cAAA,CAAeA,CAAAA,CAAYE,EAAK,CACtC,QAAA,CAAU,KAAA,CACV,YAAA,CAAc,KACf,CAAC,CAAA,CAKF,IAAII,CAAAA,CAAiB,OAAOhB,CAAa,CAAA,CAAA,CAExC,eAAA,CAAgB,IAAA,CAAKgB,CAAc,CAAA,EACnC,CAACA,CAAAA,CAAe,QAAA,CAAS,oBAAoB,CAAA,IAExCA,CAAAA,CAAe,QAAA,CAAS,oBAAoB,IAChDA,CAAAA,CAAiB,CAAA;AAAA,EAA8BA,CAAc;AAAA,CAAA,CAAA,CAAA,CAAA,CAI/D,IAAMC,CAAAA,CAAa;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;;AAAA,MAAA,EAUdD,CAAc;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,GAAA,CAAA,CAWnB,GAAI,CACH,
IAAME,CAAAA,CAAS,IAAIC,CAAAA,CAAG,MAAA,CAAOF,CAAAA,CAAY,CACxC,QAAA,CAAU,CAAA,aAAA,EAAgB,IAAA,CAAK,SAAA,CAAU,KAAA,CAAM,CAAA,CAAG,CAAC,CAAC,CAAA,GAAA,CACrD,CAAC,CAAA,CAEKG,CAAAA,CAAUD,CAAAA,CAAG,aAAA,CAAcT,CAAAA,CAAY,CAC5C,IAAA,CAAM,cAAA,CACN,MAAA,CAAQ,gBACT,CAAC,CAAA,CAGKW,CAAAA,CAASH,CAAAA,CAAO,YAAA,CAAaE,CAAAA,CAAS,CAC3C,OAAA,CAAS,GAAA,CACT,aAAA,CAAe,CAAA,CAAA,CACf,aAAA,CAAe,CAAA,CAChB,CAAC,CAAA,CAEKX,CAAAA,CAAW,WAAA,CAAY,GAAA,EAAI,CAAIN,CAAAA,CAE/BmB,CAAAA,CAAU,IAAA,CAAK,KAAA,CAAMb,CAAAA,CAAW,IAAA,CAAO,GAAG,CAAA,CAC1Cc,CAAAA,CAAW,IAAA,CAAK,IAAA,CAAKD,CAAAA,CAAU,GAAG,EAAI,GAAA,CAE5C,GAAIC,CAAAA,CAAW,GAAA,CACd,MAAM,IAAI,KAAA,CACT,yDACD,CAAA,CAGD,OAAO,CAAE,MAAA,CAAAF,CAAAA,CAAQ,YAAA,CAAcE,CAAS,CACzC,CAAA,MAASxB,CAAAA,CAAO,CACf,MAAM,IAAI,KAAA,CACT,CAAA,kBAAA,EAAqBA,CAAAA,YAAiB,KAAA,CAAQA,CAAAA,CAAM,OAAA,CAAU,mBAAmB,CAAA,CAClF,CACD,CACD,CACD,CAKA,MAAa,QAAA,EAA0B,CACtC,GAAI,CACC,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,YAAA,CAAa,KAAA,EAAM,CACjD,IAAA,CAAK,YAAA,EAAc,MAAM,IAAA,CAAK,YAAA,CAAa,KAAA,EAAM,CACrD,MAAS,CAAA,CAAA,EAAA,CAAG,IAAA,CAAK,UAAA,CAAY,CAAE,SAAA,CAAW,CAAA,CAAA,CAAM,KAAA,CAAO,CAAA,CAAK,CAAC,EAC9D,CAAA,KAAa,CAEb,CACD,CACD","file":"chunk-HNDVAKEK.js","sourcesContent":["export class GuardianError extends Error {\n\tconstructor(message: string) {\n\t\tsuper(`AST Sec-Policy Violation: ${message}`);\n\t\tthis.name = \"GuardianError\";\n\t}\n}\n\n/**\n * The Guardian-TS Module\n * Scans the Abstract Syntax Tree (AST) imports of incoming WASM\n * before it reaches the V8 Wasmtime engine to prevent sandbox-escape\n * zero-days, resource exhaustion bombs, and evasive execution.\n */\nexport const ASTGuardian = {\n\t/**\n\t * Analyzes the WebAssembly Module interface proactively.\n\t *\n\t * @param module - The compiled WebAssembly.Module to inspect\n\t * @throws {GuardianError} If illegal imports or capabilities are detected\n\t */\n\tanalyze(module: WebAssembly.Module): void {\n\t\tconst imports = WebAssembly.Module.imports(module);\n\t\tlet _importCount = 0;\n\n\t\tconst 
ALLOWED_WASI_FUNCTIONS = new Set([\n\t\t\t\"fd_write\",\n\t\t\t\"fd_read\",\n\t\t\t\"fd_close\",\n\t\t\t\"fd_seek\",\n\t\t\t\"environ_get\",\n\t\t\t\"environ_sizes_get\",\n\t\t\t\"args_get\",\n\t\t\t\"args_sizes_get\",\n\t\t\t\"clock_time_get\",\n\t\t\t\"random_get\",\n\t\t\t\"proc_exit\",\n\t\t\t\"fd_prestat_get\",\n\t\t\t\"fd_prestat_dir_name\",\n\t\t\t\"fd_fdstat_get\",\n\t\t]);\n\n\t\tfor (const imp of imports) {\n\t\t\t// Strict Sandbox Validation: Only allow WASI preview 1 specific whitelisted functions.\n\t\t\tif (imp.module === \"wasi_snapshot_preview1\") {\n\t\t\t\tif (!ALLOWED_WASI_FUNCTIONS.has(imp.name)) {\n\t\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t\t`Banned WASI Import Detected: ${imp.module}/${imp.name}`,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t`Banned Host Import Module Detected: ${imp.module}`,\n\t\t\t\t);\n\t\t\t}\n\t\t\t_importCount++;\n\n\t\t\tif (_importCount > 128) {\n\t\t\t\tthrow new GuardianError(\n\t\t\t\t\t\"Import limit exceeded. 
Possible resource exhaustion attack.\",\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// In Node.js / V8, the maximum module size and function limits\n\t\t// are natively enforced by the engine during compilation.\n\t\t// A successfully compiled WebAssembly.Module already passed structural checks.\n\t},\n};\n","import crypto from \"node:crypto\";\nimport * as fs from \"node:fs/promises\";\nimport * as os from \"node:os\";\nimport * as path from \"node:path\";\nimport vm from \"node:vm\";\nimport { WASI } from \"node:wasi\";\nimport { ASTGuardian } from \"./guardian.js\";\n\n// Silence Node.js ExperimentalWarning for WASI (Industrial console parity)\nconst originalEmit = process.emit;\n// @ts-expect-error\nprocess.emit = (name, data, ...args) => {\n\tif (\n\t\t(name === \"warning\" &&\n\t\t\ttypeof data === \"object\" &&\n\t\t\t(data as Record<string, unknown>).name === \"ExperimentalWarning\" &&\n\t\t\tString((data as Record<string, unknown>).message).includes(\"WASI\")) ||\n\t\tString((data as Record<string, unknown>).message).includes(\"importing WASI\")\n\t) {\n\t\treturn false;\n\t}\n\treturn originalEmit.call(process, name, data, ...args);\n};\n\nexport interface SandboxConfig {\n\tallowEnv?: boolean;\n\tallowedDirectories?: Record<string, string>; // guestPath -> hostPath\n\tmemoryLimitMb?: number;\n}\n\n/**\n * LIOP WasiSandbox (Industrial Grade)\n *\n * Provides a production-grade isolated environment for executing untrusted logic.\n * Primarily uses WebAssembly (WASI) for byte-code isolation, with a hardened\n * V8 Isolate fallback for dynamic JS-to-WASM logic injection.\n */\nexport class WasiSandbox {\n\tprivate wasi!: WASI;\n\tprivate sandboxId: string;\n\tprivate workingDir: string;\n\tprivate config: SandboxConfig;\n\tprivate stdoutHandle: fs.FileHandle | null = null;\n\tprivate stderrHandle: fs.FileHandle | null = null;\n\n\tconstructor(config: SandboxConfig = {}) {\n\t\tthis.sandboxId = crypto.randomUUID();\n\t\t// Use a dedicated LIOP directory in the OS temp 
folder\n\t\tthis.workingDir = path.join(\n\t\t\tos.tmpdir(),\n\t\t\t\"liop-mesh\",\n\t\t\t\"sandboxes\",\n\t\t\tthis.sandboxId,\n\t\t);\n\t\tthis.config = config;\n\t}\n\n\t/**\n\t * Initializes the physical sandbox environment with strict directory lockdown.\n\t */\n\tpublic async init(): Promise<void> {\n\t\ttry {\n\t\t\tawait fs.mkdir(this.workingDir, { recursive: true });\n\n\t\t\t// Initialize WASI with explicit limits\n\t\t\tthis.stdoutHandle = await fs.open(\n\t\t\t\tpath.join(this.workingDir, \"stdout.log\"),\n\t\t\t\t\"w+\",\n\t\t\t);\n\t\t\tthis.stderrHandle = await fs.open(\n\t\t\t\tpath.join(this.workingDir, \"stderr.log\"),\n\t\t\t\t\"w+\",\n\t\t\t);\n\n\t\t\tthis.wasi = new WASI({\n\t\t\t\tversion: \"preview1\",\n\t\t\t\targs: [\"liop_runtime\"],\n\t\t\t\tenv: this.config.allowEnv\n\t\t\t\t\t? process.env\n\t\t\t\t\t: {\n\t\t\t\t\t\t\tNODE_ENV: \"production\",\n\t\t\t\t\t\t\tLIOP_NODE: \"true\",\n\t\t\t\t\t\t\tRUNTIME_ID: this.sandboxId,\n\t\t\t\t\t\t},\n\t\t\t\tpreopens: {\n\t\t\t\t\t\"/sandbox\": this.workingDir,\n\t\t\t\t\t...this.config.allowedDirectories,\n\t\t\t\t},\n\t\t\t\tstdout: this.stdoutHandle.fd,\n\t\t\t\tstderr: this.stderrHandle.fd,\n\t\t\t});\n\t\t} catch (error) {\n\t\t\tthrow new Error(\n\t\t\t\t`Sandbox Initialization Failed: ${error instanceof Error ? 
error.message : \"FS Error\"}`,\n\t\t\t);\n\t\t}\n\t}\n\n\t/**\n\t * Executes logic (WASM or JS-Wrapped) with hard resource limits.\n\t */\n\tpublic async execute(\n\t\tcompiledLogic: Buffer | string,\n\t\trecords: Record<string, unknown>[] = [],\n\t\tinputs: Record<string, unknown> = {},\n\t): Promise<{ output: unknown; fuelConsumed: number }> {\n\t\tconst startTime = performance.now();\n\n\t\tif (compiledLogic instanceof Buffer) {\n\t\t\t// Path A: Native WebAssembly Isolation\n\t\t\ttry {\n\t\t\t\tconst module = await WebAssembly.compile(new Uint8Array(compiledLogic));\n\n\t\t\t\t// Tier-0 Guardian: Static analysis to prevent sandbox escapes\n\t\t\t\tASTGuardian.analyze(module);\n\n\t\t\t\tconst instance = await WebAssembly.instantiate(\n\t\t\t\t\tmodule,\n\t\t\t\t\tthis.wasi.getImportObject() as WebAssembly.Imports,\n\t\t\t\t);\n\n\t\t\t\t// Standard entry point\n\t\t\t\tthis.wasi.start(instance);\n\n\t\t\t\t// Capture output from the sandbox\n\t\t\t\tconst stdoutPath = path.join(this.workingDir, \"stdout.log\");\n\t\t\t\tconst stderrPath = path.join(this.workingDir, \"stderr.log\");\n\t\t\t\tconst stdout = await fs.readFile(stdoutPath, \"utf-8\");\n\t\t\t\tconst stderr = await fs.readFile(stderrPath, \"utf-8\");\n\n\t\t\t\tconst duration = performance.now() - startTime;\n\t\t\t\treturn {\n\t\t\t\t\toutput:\n\t\t\t\t\t\tstdout || (stderr ? `Error: ${stderr}` : \"WASM_EXECUTION_SUCCESS\"),\n\t\t\t\t\tfuelConsumed: Math.floor(duration * 1000),\n\t\t\t\t};\n\t\t\t} catch (error: unknown) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`WASM Runtime Error: ${error instanceof Error ? 
error.message : String(error)}`,\n\t\t\t\t);\n\t\t\t}\n\t\t} else {\n\t\t\t// Path B: Hardened V8 Isolate Fallback\n\t\t\t// Uses node:vm with zero-prototype objects to prevent prototype pollution escapes.\n\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Required for Sandbox global poisoning\n\t\t\tconst sandboxEnv: any = Object.create(null); // Isolated global object\n\t\t\tconst env = { records, ...inputs };\n\n\t\t\t// Explicitly poison Node.js escape vectors in the context\n\t\t\tsandboxEnv.require = undefined;\n\t\t\tsandboxEnv.process = undefined;\n\t\t\tsandboxEnv.global = undefined;\n\t\t\tsandboxEnv.globalThis = undefined;\n\t\t\tsandboxEnv.Buffer = undefined;\n\t\t\tsandboxEnv.setTimeout = undefined;\n\t\t\tsandboxEnv.setInterval = undefined;\n\t\t\tsandboxEnv.setImmediate = undefined;\n\t\t\tsandboxEnv.queueMicrotask = undefined;\n\t\t\tsandboxEnv.eval = undefined;\n\t\t\tsandboxEnv.Function = undefined;\n\t\t\tsandboxEnv.SharedArrayBuffer = undefined;\n\t\t\tsandboxEnv.Date = undefined;\n\n\t\t\t// [DoS Defense] Block off-heap memory allocation vectors.\n\t\t\t// Logic-on-Origin operates on JSON data (env.records) — binary buffers\n\t\t\t// serve no legitimate purpose and enable memory exhaustion DoS.\n\t\t\t// (Uint8Array(2GB) bypassed Piscina's maxOldGenerationSizeMb limit)\n\t\t\tsandboxEnv.ArrayBuffer = undefined;\n\t\t\tsandboxEnv.Uint8Array = undefined;\n\t\t\tsandboxEnv.Int8Array = undefined;\n\t\t\tsandboxEnv.Uint16Array = undefined;\n\t\t\tsandboxEnv.Int16Array = undefined;\n\t\t\tsandboxEnv.Uint32Array = undefined;\n\t\t\tsandboxEnv.Int32Array = undefined;\n\t\t\tsandboxEnv.Float32Array = undefined;\n\t\t\tsandboxEnv.Float64Array = undefined;\n\t\t\tsandboxEnv.BigInt64Array = undefined;\n\t\t\tsandboxEnv.BigUint64Array = undefined;\n\t\t\tsandboxEnv.DataView = undefined;\n\n\t\t\t// Inject strictly monitored globals\n\t\t\tsandboxEnv.records = JSON.parse(JSON.stringify(records)); // Deep copy safety\n\t\t\tsandboxEnv.env = 
JSON.parse(JSON.stringify(env));\n\n\t\t\tfor (const [key, value] of Object.entries(inputs)) {\n\t\t\t\tsandboxEnv[key] = JSON.parse(JSON.stringify(value));\n\t\t\t}\n\n\t\t\t// Freeze the sandbox context to prevent mutation (SEC-GAP-1)\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Required for recursive deep freeze of unknown data\n\t\t\tconst deepFreeze = (obj: any) => {\n\t\t\t\tif (obj && typeof obj === \"object\" && !Object.isFrozen(obj)) {\n\t\t\t\t\tObject.freeze(obj);\n\t\t\t\t\tfor (const key of Object.keys(obj)) {\n\t\t\t\t\t\tdeepFreeze(obj[key]);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\treturn obj;\n\t\t\t};\n\n\t\t\tdeepFreeze(sandboxEnv.records);\n\t\t\tdeepFreeze(sandboxEnv.env);\n\n\t\t\t// Prevent property addition/modification on global scope\n\t\t\tfor (const key of Object.keys(sandboxEnv)) {\n\t\t\t\tObject.defineProperty(sandboxEnv, key, {\n\t\t\t\t\twritable: false,\n\t\t\t\t\tconfigurable: false,\n\t\t\t\t});\n\t\t\t}\n\n\t\t\t// LIOP Execution Wrapper\n\t\t\t// Host-side logic transformation to avoid 'new Function' in sandbox\n\t\t\tlet processedLogic = String(compiledLogic);\n\t\t\tif (\n\t\t\t\t/^\\s*return\\s/m.test(processedLogic) ||\n\t\t\t\t!processedLogic.includes(\"function liop_main\")\n\t\t\t) {\n\t\t\t\tif (!processedLogic.includes(\"function liop_main\")) {\n\t\t\t\t\tprocessedLogic = `function liop_main(env) {\\n${processedLogic}\\n}`;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst scriptCode = `\n\t\t\t\t(function() {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tObject.freeze(Object.prototype);\n\t\t\t\t\t\tObject.freeze(Array.prototype);\n\t\t\t\t\t\tObject.freeze(String.prototype);\n\t\t\t\t\t\tObject.freeze(Number.prototype);\n\t\t\t\t\t\tObject.freeze(Boolean.prototype);\n\t\t\t\t\t\tObject.freeze(Object.getPrototypeOf(function(){}));\n\n\t\t\t\t\t\t${processedLogic}\n\t\t\t\t\t\tif (typeof liop_main === 'function') {\n\t\t\t\t\t\t\treturn liop_main(env);\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn \"ERR_NO_ENTRY_POINT\";\n\t\t\t\t\t} catch(e) 
{\n\t\t\t\t\t\treturn \"LogicError: \" + e.message;\n\t\t\t\t\t}\n\t\t\t\t})();\n\t\t\t`;\n\n\t\t\ttry {\n\t\t\t\tconst script = new vm.Script(scriptCode, {\n\t\t\t\t\tfilename: `liop-sandbox-${this.sandboxId.slice(0, 8)}.js`,\n\t\t\t\t});\n\n\t\t\t\tconst context = vm.createContext(sandboxEnv, {\n\t\t\t\t\tname: \"LIOP Isolate\",\n\t\t\t\t\torigin: \"liop://sandbox\",\n\t\t\t\t});\n\n\t\t\t\t// Execution with hard CPU and Memory limits (Fuel)\n\t\t\t\tconst output = script.runInContext(context, {\n\t\t\t\t\ttimeout: 5000,\n\t\t\t\t\tbreakOnSigint: true,\n\t\t\t\t\tdisplayErrors: true,\n\t\t\t\t});\n\n\t\t\t\tconst duration = performance.now() - startTime;\n\t\t\t\t// SEC: Normalize fuel to buckets of 100 to prevent timing side-channel inference\n\t\t\t\tconst rawFuel = Math.floor(duration * 1500 + 100);\n\t\t\t\tconst fuelUsed = Math.ceil(rawFuel / 100) * 100;\n\n\t\t\t\tif (fuelUsed > 1000000) {\n\t\t\t\t\tthrow new Error(\n\t\t\t\t\t\t\"LIOP_RESOURCE_EXHAUSTED: Execution fuel limit exceeded.\",\n\t\t\t\t\t);\n\t\t\t\t}\n\n\t\t\t\treturn { output, fuelConsumed: fuelUsed };\n\t\t\t} catch (error) {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t`V8 Isolate Fault: ${error instanceof Error ? error.message : \"Execution Timeout\"}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Physically cleans up the sandbox and releases resources.\n\t */\n\tpublic async teardown(): Promise<void> {\n\t\ttry {\n\t\t\tif (this.stdoutHandle) await this.stdoutHandle.close();\n\t\t\tif (this.stderrHandle) await this.stderrHandle.close();\n\t\t\tawait fs.rm(this.workingDir, { recursive: true, force: true });\n\t\t} catch (_e) {\n\t\t\t// Silent fail on teardown to prevent process crashes\n\t\t}\n\t}\n}\n"]}
|
|
@@ -0,0 +1,2 @@
|
|
|
1
|
+
import {z}from'zod';var o=z.object({name:z.string(),description:z.string().optional(),inputSchema:z.record(z.string(),z.unknown())}),i=z.object({uri:z.string(),name:z.string(),description:z.string().optional(),mimeType:z.string().optional()}),s=z.object({name:z.string(),description:z.string().optional(),arguments:z.array(z.object({name:z.string(),description:z.string().optional(),required:z.boolean().optional()})).optional()});export{o as a,i as b,s as c};//# sourceMappingURL=chunk-HQZHZM6U.js.map
|
|
2
|
+
//# sourceMappingURL=chunk-HQZHZM6U.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/types.ts"],"names":["ToolSchema","z","ResourceSchema","PromptSchema"],"mappings":"oBAMO,IAAMA,EAAaC,CAAAA,CAAE,MAAA,CAAO,CAClC,IAAA,CAAMA,CAAAA,CAAE,QAAO,CACf,WAAA,CAAaA,EAAE,MAAA,EAAO,CAAE,UAAS,CACjC,WAAA,CAAaA,CAAAA,CAAE,MAAA,CAAOA,CAAAA,CAAE,MAAA,GAAUA,CAAAA,CAAE,OAAA,EAAS,CAC9C,CAAC,EAIYC,CAAAA,CAAiBD,CAAAA,CAAE,OAAO,CACtC,GAAA,CAAKA,EAAE,MAAA,EAAO,CACd,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS,CACjC,SAAUA,CAAAA,CAAE,MAAA,GAAS,QAAA,EACtB,CAAC,CAAA,CAIYE,CAAAA,CAAeF,EAAE,MAAA,CAAO,CACpC,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,QAAO,CAAE,QAAA,EAAS,CACjC,SAAA,CAAWA,CAAAA,CACT,KAAA,CACAA,EAAE,MAAA,CAAO,CACR,KAAMA,CAAAA,CAAE,MAAA,GACR,WAAA,CAAaA,CAAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS,CACjC,SAAUA,CAAAA,CAAE,OAAA,GAAU,QAAA,EACvB,CAAC,CACF,CAAA,CACC,QAAA,EACH,CAAC","file":"chunk-HQZHZM6U.js","sourcesContent":["import { z } from \"zod\";\n\n/**\n * Base Protocol Types representing parity with Model Context Protocol\n */\n\nexport const ToolSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tinputSchema: z.record(z.string(), z.unknown()), // Represents a JSON Schema\n});\n\nexport type Tool = z.infer<typeof ToolSchema>;\n\nexport const ResourceSchema = z.object({\n\turi: z.string(),\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\tmimeType: z.string().optional(),\n});\n\nexport type Resource = z.infer<typeof ResourceSchema>;\n\nexport const PromptSchema = z.object({\n\tname: z.string(),\n\tdescription: z.string().optional(),\n\targuments: z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tname: z.string(),\n\t\t\t\tdescription: z.string().optional(),\n\t\t\t\trequired: z.boolean().optional(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n});\n\nexport type Prompt = z.infer<typeof PromptSchema>;\n\nexport interface CallToolRequest {\n\tname: string;\n\targuments?: Record<string, unknown>;\n}\n\nexport interface CallToolResult {\n\tcontent: Array<{\n\t\ttype: \"text\" | 
\"image\" | \"resource\";\n\t\ttext?: string;\n\t\tdata?: string;\n\t\tmimeType?: string;\n\t\tresource?: {\n\t\t\turi: string;\n\t\t\ttext?: string;\n\t\t\tblob?: string;\n\t\t};\n\t}>;\n\tisError?: boolean;\n}\n\nexport interface GetPromptRequest {\n\tname: string;\n\targuments?: Record<string, string>;\n}\n\nexport interface GetPromptResult {\n\tdescription?: string;\n\tmessages: Array<{\n\t\trole: \"user\" | \"assistant\";\n\t\tcontent:\n\t\t\t| { type: \"text\"; text: string }\n\t\t\t| { type: \"image\"; data: string; mimeType: string }\n\t\t\t| {\n\t\t\t\t\ttype: \"resource\";\n\t\t\t\t\tresource: { uri: string; text?: string; blob?: string };\n\t\t\t };\n\t}>;\n}\n\nexport interface ServerInfo {\n\tname: string;\n\tversion: string;\n\tcapabilities?: {\n\t\tprompts?: { listChanged?: boolean };\n\t\tresources?: { subscribe?: boolean; listChanged?: boolean };\n\t\ttools?: { listChanged?: boolean };\n\t\tlogging?: Record<string, unknown>;\n\t};\n}\n\nexport interface McpRequest {\n\tmethod: string;\n\tparams?: unknown;\n\tid?: string | number | null;\n\tjsonrpc?: \"2.0\";\n}\n\nexport interface McpResponse {\n\tjsonrpc: \"2.0\";\n\tid?: string | number | null;\n\tresult?: unknown;\n\terror?: {\n\t\tcode: number;\n\t\tmessage: string;\n\t\tdata?: unknown;\n\t};\n}\n"]}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import {g}from'./chunk-7MAGL6ON.js';import {a}from'./chunk-S6RJHZV2.js';import*as d from'http';import*as c from'http2';import*as l from'net';var h=class{constructor(e,r=null,o=50051){this.liopServer=e;this.meshNode=r;this.router=new g(this.liopServer,this.meshNode,o),this.h2Server=c.createServer(),this.setupH2Routes(),this.h1Server=d.createServer(),this.setupH1Routes(),this.netServer=l.createServer(t=>{t.once("data",n=>{let s=n.toString().startsWith("PRI * HTTP/2.0");a.info(`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${s?"HTTP/2 (gRPC)":"HTTP/1.1 (MCP)"}`),s?this.h2Server.emit("connection",t):this.h1Server.emit("connection",t),t.unshift(n);}),t.on("error",n=>a.error(`[LIOP-Gateway] NetServer Socket Error: ${n.message}`));}),this.h1Server.on("error",t=>a.error(`[LIOP-Gateway] H1 Server Error: ${t.message}`)),this.h2Server.on("error",t=>a.error(`[LIOP-Gateway] H2 Server Error: ${t.message}`)),a.info("[LIOP-Gateway] Hybrid adapter initialized.");}netServer;h2Server;h1Server;router;setupH2Routes(){this.h2Server.on("stream",(e,r)=>{let o=r["content-type"],t=r[":path"];o==="application/grpc"?this.handleGrpcStream(e):t==="/mcp"&&this.handleMcpH2Stream(e,r);});}setupH1Routes(){this.h1Server.on("request",async(e,r)=>{let o=e.url||"",t=e.method;if(t==="GET"&&(o==="/"||o==="/mcp"||o==="/health")){if(o==="/health"&&e.headers.accept?.includes("application/json")){let n=this.meshNode?{peerId:this.meshNode.getPeerId()?.toString()||"",multiaddrs:this.meshNode.getMultiaddrs().map(s=>s.toString())}:null;r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify({status:"healthy",node:this.liopServer.getServerInfo(),mesh:n,tools:this.liopServer.listTools().map(s=>s.name),timestamp:new Date().toISOString()}));return}r.writeHead(200,{"Content-Type":"text/html; charset=utf-8"}),r.end(`
|
|
2
|
+
<body style="background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0">
|
|
3
|
+
<div style="background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)">
|
|
4
|
+
<h1 style="color:#38bdf8;margin-top:0">LIOP Protocol Transformer</h1>
|
|
5
|
+
<p style="opacity:0.8;font-weight:600">L4/L7 Transcoding: JSON-RPC ↔ gRPC</p>
|
|
6
|
+
<p style="opacity:0.6;font-size:14px">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>
|
|
7
|
+
<div style="background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155">
|
|
8
|
+
<code style="color:#10b981">Endpoint: http://localhost:3000/mcp</code>
|
|
9
|
+
</div>
|
|
10
|
+
</div>
|
|
11
|
+
</body>
|
|
12
|
+
`);return}if(o==="/mcp"&&t==="POST"){let n="";e.on("data",s=>n+=s.toString()),e.on("end",async()=>{try{let s=JSON.parse(n),a=await this.router.dispatch(s);r.writeHead(200,{"Content-Type":"application/json"}),r.end(JSON.stringify(a));}catch(s){a.info(`[LIOP-Gateway] Error processing JSON-RPC payload: ${s.message}`),r.writeHead(400),r.end(JSON.stringify({jsonrpc:"2.0",error:{code:-32700,message:"Parse error"}}));}});}else r.writeHead(404),r.end("Not Found");});}handleGrpcStream(e){e.on("data",r=>{let o=r;o&&a.info(`[LIOP-Gateway] Native gRPC Proxy passing ${o.length} bytes`);}),e.respond({":status":200,"content-type":"application/grpc"}),e.end();}handleMcpH2Stream(e,r){let o="";e.on("data",t=>o+=t.toString()),e.on("end",async()=>{try{let t=await this.router.dispatch(JSON.parse(o));t?(e.respond({":status":200,"content-type":"application/json"}),e.end(JSON.stringify(t))):e.close();}catch{e.respond({":status":400}),e.end();}});}async listen(e,r="0.0.0.0"){if(this.meshNode){await this.meshNode.start();let o=this.liopServer.listTools();for(let t of o)await this.meshNode.announceCapability(t.name),a.info(`[LIOP-Gateway] \u{1F4E1} Announced local tool to Mesh: ${t.name}`);}return new Promise((o,t)=>{this.netServer.on("error",n=>{n.code==="EADDRINUSE"?a.info(`[LIOP-Gateway] FATAL: Port ${e} is already in use by another process.`):a.error(`[LIOP-Gateway] Binding Error: ${n.message}`),t(n);}),this.netServer.listen(e,r,()=>{let n=this.netServer.address(),s=typeof n=="string"?n:n?.address||r,a$1=typeof n=="string"?e:n?.port||e;a.info(`[LIOP-Gateway] \u2705 Transformer Mesh Gateway READY and listening on ${s}:${a$1}`),o(a$1);});})}async stop(){this.meshNode&&await this.meshNode.stop(),this.netServer.close(),this.h2Server.close(),this.h1Server.close();}getRouter(){return this.router}};export{h as a};//# sourceMappingURL=chunk-JBMEAXYU.js.map
|
|
13
|
+
//# sourceMappingURL=chunk-JBMEAXYU.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/gateway/hybrid.ts"],"names":["LiopHybridGateway","liopServer","meshNode","rpcPort","LiopMcpRouter","socket","buffer","isHttp2","log","err","stream","headers","contentType","path","req","res","url","method","meshInfo","m","t","body","chunk","jsonRequest","response","e","data","_headers","port","host","tools","tool","resolve","reject","addr","actualHost","assignedPort"],"mappings":"6IAYO,IAAMA,CAAAA,CAAN,KAAwB,CAM9B,WAAA,CACSC,EACAC,CAAAA,CAA4B,IAAA,CACpCC,CAAAA,CAAkB,KAAA,CACjB,CAHO,IAAA,CAAA,UAAA,CAAAF,CAAAA,CACA,IAAA,CAAA,QAAA,CAAAC,EAIR,IAAA,CAAK,MAAA,CAAS,IAAIE,CAAAA,CAAc,KAAK,UAAA,CAAY,IAAA,CAAK,QAAA,CAAUD,CAAO,EAGvE,IAAA,CAAK,QAAA,CAAiB,CAAA,CAAA,YAAA,EAAa,CACnC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAgB,CAAA,CAAA,YAAA,EAAa,CAClC,IAAA,CAAK,aAAA,EAAc,CAGnB,IAAA,CAAK,SAAA,CAAgB,CAAA,CAAA,YAAA,CAAcE,GAAW,CAC7CA,CAAAA,CAAO,IAAA,CAAK,MAAA,CAASC,CAAAA,EAAW,CAC/B,IAAMC,CAAAA,CAAUD,EAAO,QAAA,EAAS,CAAE,UAAA,CAAW,gBAAgB,EAC7DE,CAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDD,CAAAA,CAAU,gBAAkB,gBAAgB,CAAA,CACjG,CAAA,CACIA,CAAAA,CACH,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcF,CAAM,CAAA,CAEvC,IAAA,CAAK,QAAA,CAAS,IAAA,CAAK,YAAA,CAAcA,CAAM,CAAA,CAExCA,CAAAA,CAAO,QAAQC,CAAM,EACtB,CAAC,CAAA,CACDD,CAAAA,CAAO,EAAA,CAAG,OAAA,CAAUI,CAAAA,EACnBD,EAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CC,CAAAA,CAAI,OAAO,EAAE,CAClE,EACD,CAAC,CAAA,CAGD,KAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,CAAAA,CAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CACA,IAAA,CAAK,QAAA,CAAS,EAAA,CAAG,OAAA,CAAUA,CAAAA,EAC1BD,EAAI,KAAA,CAAM,CAAA,gCAAA,EAAmCC,CAAAA,CAAI,OAAO,CAAA,CAAE,CAC3D,CAAA,CAEAD,CAAAA,CAAI,KAAK,4CAA4C,EACtD,CAjDQ,SAAA,CACA,SACA,QAAA,CACA,MAAA,CAgDA,aAAA,EAAgB,CACvB,KAAK,QAAA,CAAS,EAAA,CAAG,QAAA,CAAU,CAACE,CAAAA,CAAQC,CAAAA,GAAY,CAC/C,IAAMC,EAAcD,CAAAA,CAAQ,cAAc,CAAA,CACpCE,CAAAA,CAAOF,CAAAA,CAAQ,OAAO,CAAA,CAExBC,CAAAA,GAAgB,mBACnB,IAAA,CAAK,gBAAA,CAAiBF,CAAiC,CAAA,CAC7CG,CAAAA,GAAS,MAAA,EACnB,IAAA,CAAK,iBAAA,CAAkBH,EAAmCC,CAAO,EAEnE,CAAC,EACF,CAEQ,aAAA,EAAgB,CACvB
,IAAA,CAAK,QAAA,CAAS,GAAG,SAAA,CAAW,MAAOG,CAAAA,CAAKC,CAAAA,GAAQ,CAC/C,IAAMC,CAAAA,CAAMF,CAAAA,CAAI,KAAO,EAAA,CACjBG,CAAAA,CAASH,CAAAA,CAAI,MAAA,CAEnB,GACCG,CAAAA,GAAW,KAAA,GACVD,CAAAA,GAAQ,KAAOA,CAAAA,GAAQ,MAAA,EAAUA,CAAAA,GAAQ,SAAA,CAAA,CACzC,CACD,GACCA,CAAAA,GAAQ,SAAA,EACRF,EAAI,OAAA,CAAQ,MAAA,EAAQ,QAAA,CAAS,kBAAkB,EAC9C,CACD,IAAMI,CAAAA,CAAW,IAAA,CAAK,SACnB,CACA,MAAA,CAAQ,IAAA,CAAK,QAAA,CAAS,SAAA,EAAU,EAAG,QAAA,EAAS,EAAK,GACjD,UAAA,CAAY,IAAA,CAAK,QAAA,CACf,aAAA,EAAc,CACd,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,UAAU,CAC1B,CAAA,CACC,IAAA,CACHJ,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,eAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IACH,IAAA,CAAK,SAAA,CAAU,CACd,MAAA,CAAQ,UACR,IAAA,CAAM,IAAA,CAAK,UAAA,CAAW,aAAA,EAAc,CACpC,IAAA,CAAMG,CAAAA,CACN,KAAA,CAAO,KAAK,UAAA,CAAW,SAAA,EAAU,CAAE,GAAA,CAAKE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CAAA,CACpD,UAAW,IAAI,IAAA,EAAK,CAAE,WAAA,EACvB,CAAC,CACF,CAAA,CACA,MACD,CAEAL,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,0BAA2B,CAAC,CAAA,CACjEA,EAAI,GAAA,CAAI;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,gBAAA,CAWK,EACb,MACD,CAEA,GAAIC,CAAAA,GAAQ,MAAA,EAAUC,IAAW,MAAA,CAAQ,CACxC,IAAII,CAAAA,CAAO,GACXP,CAAAA,CAAI,EAAA,CAAG,OAASQ,CAAAA,EAAWD,CAAAA,EAAQC,EAAM,QAAA,EAAW,CAAA,CACpDR,CAAAA,CAAI,GAAG,KAAA,CAAO,SAAY,CACzB,GAAI,CACH,IAAMS,CAAAA,CAAc,IAAA,CAAK,KAAA,CAAMF,CAAI,EAC7BG,CAAAA,CAAW,MAAM,KAAK,MAAA,CAAO,QAAA,CAASD,CAAW,CAAA,CACvDR,CAAAA,CAAI,SAAA,CAAU,GAAA,CAAK,CAAE,cAAA,CAAgB,kBAAmB,CAAC,CAAA,CACzDA,CAAAA,CAAI,IAAI,IAAA,CAAK,SAAA,CAAUS,CAAQ,CAAC,EACjC,CAAA,MAASC,CAAAA,CAAY,CACpBjB,CAAAA,CAAI,IAAA,CACH,qDAAsDiB,CAAAA,CAAY,OAAO,CAAA,CAC1E,CAAA,CACAV,EAAI,SAAA,CAAU,GAAG,EACjBA,CAAAA,CAAI,GAAA,CACH,KAAK,SAAA,CAAU,CACd,QAAS,KAAA,CACT,KAAA,CAAO,CAAE,IAAA,CAAM,MAAA,CAAQ,QAAS,aAAc,CAC/C,CAAC,CACF,EACD,CACD,CAAC,EACF,CAAA,KACCA,CAAAA,CAAI,UAAU,GAAG,CAAA,CACjBA,EAAI,GAAA,CAAI,WAAW,EAErB,CAAC,EACF,CAEQ,gBAAA,CAAiBL,EAAiC,CACzDA,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAmB,CAErC,IAAMI,EAAOJ,CAAAA,CACTI,CAAAA,EACHlB,EAAI,IAAA,CACH,CAAA,yCAAA,EAA4CkB,EAAK,MAAM,CAAA,MAAA,C
ACxD,EACF,CAAC,EACDhB,CAAAA,CAAO,OAAA,CAAQ,CAAE,SAAA,CAAW,GAAA,CAAK,eAAgB,kBAAmB,CAAC,CAAA,CACrEA,CAAAA,CAAO,MACR,CAEQ,kBACPA,CAAAA,CACAiB,CAAAA,CACC,CACD,IAAIN,CAAAA,CAAO,EAAA,CACXX,CAAAA,CAAO,GAAG,MAAA,CAASY,CAAAA,EAAWD,GAAQC,CAAAA,CAAM,QAAA,EAAW,CAAA,CACvDZ,CAAAA,CAAO,EAAA,CAAG,KAAA,CAAO,SAAY,CAC5B,GAAI,CACH,IAAMc,CAAAA,CAAW,MAAM,IAAA,CAAK,MAAA,CAAO,SAAS,IAAA,CAAK,KAAA,CAAMH,CAAI,CAAC,CAAA,CACxDG,GACHd,CAAAA,CAAO,OAAA,CAAQ,CACd,SAAA,CAAW,GAAA,CACX,cAAA,CAAgB,kBACjB,CAAC,CAAA,CACDA,CAAAA,CAAO,IAAI,IAAA,CAAK,SAAA,CAAUc,CAAQ,CAAC,CAAA,EAC7Bd,CAAAA,CAAO,KAAA,GACf,CAAA,KAAa,CACZA,EAAO,OAAA,CAAQ,CAAE,UAAW,GAAI,CAAC,CAAA,CACjCA,CAAAA,CAAO,MACR,CACD,CAAC,EACF,CAEA,MAAa,MAAA,CAAOkB,CAAAA,CAAcC,CAAAA,CAAe,SAAA,CAA4B,CAC5E,GAAI,IAAA,CAAK,SAAU,CAClB,MAAM,KAAK,QAAA,CAAS,KAAA,EAAM,CAG1B,IAAMC,EAAQ,IAAA,CAAK,UAAA,CAAW,WAAU,CACxC,IAAA,IAAWC,KAAQD,CAAAA,CAClB,MAAM,IAAA,CAAK,QAAA,CAAS,mBAAmBC,CAAAA,CAAK,IAAI,EAChDvB,CAAAA,CAAI,IAAA,CACH,0DAAmDuB,CAAAA,CAAK,IAAI,CAAA,CAC7D,EAEF,CACA,OAAO,IAAI,QAAQ,CAACC,CAAAA,CAASC,IAAW,CACvC,IAAA,CAAK,UAAU,EAAA,CAAG,OAAA,CAAUxB,GAAmC,CAC1DA,CAAAA,CAAI,OAAS,YAAA,CAChBD,CAAAA,CAAI,KACH,CAAA,2BAAA,EAA8BoB,CAAI,CAAA,sCAAA,CACnC,CAAA,CAEApB,EAAI,KAAA,CAAM,CAAA,8BAAA,EAAiCC,EAAI,OAAO,CAAA,CAAE,EAEzDwB,CAAAA,CAAOxB,CAAG,EACX,CAAC,EAED,IAAA,CAAK,SAAA,CAAU,OAAOmB,CAAAA,CAAMC,CAAAA,CAAM,IAAM,CACvC,IAAMK,CAAAA,CAAO,IAAA,CAAK,UAAU,OAAA,EAAQ,CAC9BC,EACL,OAAOD,CAAAA,EAAS,SAAWA,CAAAA,CAAOA,CAAAA,EAAM,OAAA,EAAWL,CAAAA,CAC9CO,IACL,OAAOF,CAAAA,EAAS,SAAWN,CAAAA,CAAOM,CAAAA,EAAM,MAAQN,CAAAA,CAEjDpB,CAAAA,CAAI,IAAA,CACH,CAAA,sEAAA,EAAoE2B,CAAU,CAAA,CAAA,EAAIC,GAAY,EAC/F,CAAA,CACAJ,CAAAA,CAAQI,GAAY,EACrB,CAAC,EACF,CAAC,CACF,CAEA,MAAa,MAAO,CACf,IAAA,CAAK,UACR,MAAM,IAAA,CAAK,QAAA,CAAS,IAAA,GAErB,IAAA,CAAK,SAAA,CAAU,OAAM,CACrB,IAAA,CAAK,SAAS,KAAA,EAAM,CACpB,KAAK,QAAA,CAAS,KAAA,GACf,CAEO,SAAA,EAA2B,CACjC,OAAO,IAAA,CAAK,MACb,CACD","file":"chunk-JBMEAXYU.js","sourcesContent":["import * as http from \"node:http\";\nimport * as http2 from \"node:http2\";\nimport * as net from 
\"node:net\";\nimport type { MeshNode } from \"../mesh/index.js\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpRouter } from \"./router.js\";\n\n/**\n * LIOP Hybrid Gateway\n * High-level orchestration for connecting MCP (JSON-RPC) clients to the LIOP Mesh.\n */\nexport class LiopHybridGateway {\n\tprivate netServer: net.Server;\n\tprivate h2Server: http2.Http2Server;\n\tprivate h1Server: http.Server;\n\tprivate router: LiopMcpRouter;\n\n\tconstructor(\n\t\tprivate liopServer: LiopServer,\n\t\tprivate meshNode: MeshNode | null = null,\n\t\trpcPort: number = 50051,\n\t) {\n\t\t// Initialize the Universal Router\n\t\tthis.router = new LiopMcpRouter(this.liopServer, this.meshNode, rpcPort);\n\n\t\t// Internal HTTP/2 Server (for Native gRPC Proxying)\n\t\tthis.h2Server = http2.createServer();\n\t\tthis.setupH2Routes();\n\n\t\t// Internal HTTP/1 Server (for Browser/MCP)\n\t\tthis.h1Server = http.createServer();\n\t\tthis.setupH1Routes();\n\n\t\t// Primary Multiplexer (L4)\n\t\tthis.netServer = net.createServer((socket) => {\n\t\t\tsocket.once(\"data\", (buffer) => {\n\t\t\t\tconst isHttp2 = buffer.toString().startsWith(\"PRI * HTTP/2.0\");\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Incoming L4 Connection. Protocol: ${isHttp2 ? 
\"HTTP/2 (gRPC)\" : \"HTTP/1.1 (MCP)\"}`,\n\t\t\t\t);\n\t\t\t\tif (isHttp2) {\n\t\t\t\t\tthis.h2Server.emit(\"connection\", socket);\n\t\t\t\t} else {\n\t\t\t\t\tthis.h1Server.emit(\"connection\", socket);\n\t\t\t\t}\n\t\t\t\tsocket.unshift(buffer);\n\t\t\t});\n\t\t\tsocket.on(\"error\", (err) =>\n\t\t\t\tlog.error(`[LIOP-Gateway] NetServer Socket Error: ${err.message}`),\n\t\t\t);\n\t\t});\n\n\t\t// Attach error listeners to sub-servers to catch silent failures\n\t\tthis.h1Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H1 Server Error: ${err.message}`),\n\t\t);\n\t\tthis.h2Server.on(\"error\", (err) =>\n\t\t\tlog.error(`[LIOP-Gateway] H2 Server Error: ${err.message}`),\n\t\t);\n\n\t\tlog.info(\"[LIOP-Gateway] Hybrid adapter initialized.\");\n\t}\n\n\tprivate setupH2Routes() {\n\t\tthis.h2Server.on(\"stream\", (stream, headers) => {\n\t\t\tconst contentType = headers[\"content-type\"] as string;\n\t\t\tconst path = headers[\":path\"] as string;\n\n\t\t\tif (contentType === \"application/grpc\") {\n\t\t\t\tthis.handleGrpcStream(stream as http2.ServerHttp2Stream);\n\t\t\t} else if (path === \"/mcp\") {\n\t\t\t\tthis.handleMcpH2Stream(stream as http2.ServerHttp2Stream, headers);\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate setupH1Routes() {\n\t\tthis.h1Server.on(\"request\", async (req, res) => {\n\t\t\tconst url = req.url || \"\";\n\t\t\tconst method = req.method;\n\n\t\t\tif (\n\t\t\t\tmethod === \"GET\" &&\n\t\t\t\t(url === \"/\" || url === \"/mcp\" || url === \"/health\")\n\t\t\t) {\n\t\t\t\tif (\n\t\t\t\t\turl === \"/health\" &&\n\t\t\t\t\treq.headers.accept?.includes(\"application/json\")\n\t\t\t\t) {\n\t\t\t\t\tconst meshInfo = this.meshNode\n\t\t\t\t\t\t? 
{\n\t\t\t\t\t\t\t\tpeerId: this.meshNode.getPeerId()?.toString() || \"\",\n\t\t\t\t\t\t\t\tmultiaddrs: this.meshNode\n\t\t\t\t\t\t\t\t\t.getMultiaddrs()\n\t\t\t\t\t\t\t\t\t.map((m) => m.toString()),\n\t\t\t\t\t\t\t}\n\t\t\t\t\t\t: null;\n\t\t\t\t\tres.writeHead(200, { \"Content-Type\": \"application/json\" });\n\t\t\t\t\tres.end(\n\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\tstatus: \"healthy\",\n\t\t\t\t\t\t\tnode: this.liopServer.getServerInfo(),\n\t\t\t\t\t\t\tmesh: meshInfo,\n\t\t\t\t\t\t\ttools: this.liopServer.listTools().map((t) => t.name),\n\t\t\t\t\t\t\ttimestamp: new Date().toISOString(),\n\t\t\t\t\t\t}),\n\t\t\t\t\t);\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\tres.writeHead(200, { \"Content-Type\": \"text/html; charset=utf-8\" });\n\t\t\t\tres.end(`\n <body style=\"background:#0f172a;color:#f8fafc;font-family:sans-serif;display:flex;flex-direction:column;align-items:center;justify-content:center;height:100vh;margin:0\">\n <div style=\"background:#1e293b;padding:40px;border-radius:16px;border:1px solid #38bdf8;text-align:center;box-shadow:0 20px 25px -5px rgba(0,0,0,0.1)\">\n <h1 style=\"color:#38bdf8;margin-top:0\">LIOP Protocol Transformer</h1>\n <p style=\"opacity:0.8;font-weight:600\">L4/L7 Transcoding: JSON-RPC ↔ gRPC</p>\n <p style=\"opacity:0.6;font-size:14px\">Active Protections: Kyber768 + AES-256-GCM + ZK-Proof Ready</p>\n <div style=\"background:#0f172a;padding:15px;border-radius:8px;margin-top:20px;border:1px dashed #334155\">\n <code style=\"color:#10b981\">Endpoint: http://localhost:3000/mcp</code>\n </div>\n </div>\n </body>\n `);\n\t\t\t\treturn;\n\t\t\t}\n\n\t\t\tif (url === \"/mcp\" && method === \"POST\") {\n\t\t\t\tlet body = \"\";\n\t\t\t\treq.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\t\t\treq.on(\"end\", async () => {\n\t\t\t\t\ttry {\n\t\t\t\t\t\tconst jsonRequest = JSON.parse(body);\n\t\t\t\t\t\tconst response = await this.router.dispatch(jsonRequest);\n\t\t\t\t\t\tres.writeHead(200, { \"Content-Type\": 
\"application/json\" });\n\t\t\t\t\t\tres.end(JSON.stringify(response));\n\t\t\t\t\t} catch (e: unknown) {\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-Gateway] Error processing JSON-RPC payload: ${(e as Error).message}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tres.writeHead(400);\n\t\t\t\t\t\tres.end(\n\t\t\t\t\t\t\tJSON.stringify({\n\t\t\t\t\t\t\t\tjsonrpc: \"2.0\",\n\t\t\t\t\t\t\t\terror: { code: -32700, message: \"Parse error\" },\n\t\t\t\t\t\t\t}),\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t});\n\t\t\t} else {\n\t\t\t\tres.writeHead(404);\n\t\t\t\tres.end(\"Not Found\");\n\t\t\t}\n\t\t});\n\t}\n\n\tprivate handleGrpcStream(stream: http2.ServerHttp2Stream) {\n\t\tstream.on(\"data\", (chunk: unknown) => {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Standard gRPC stream data is Buffer\n\t\t\tconst data = chunk as any;\n\t\t\tif (data)\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] Native gRPC Proxy passing ${data.length} bytes`,\n\t\t\t\t);\n\t\t});\n\t\tstream.respond({ \":status\": 200, \"content-type\": \"application/grpc\" });\n\t\tstream.end();\n\t}\n\n\tprivate handleMcpH2Stream(\n\t\tstream: http2.ServerHttp2Stream,\n\t\t_headers: http2.IncomingHttpHeaders,\n\t) {\n\t\tlet body = \"\";\n\t\tstream.on(\"data\", (chunk) => (body += chunk.toString()));\n\t\tstream.on(\"end\", async () => {\n\t\t\ttry {\n\t\t\t\tconst response = await this.router.dispatch(JSON.parse(body));\n\t\t\t\tif (response) {\n\t\t\t\t\tstream.respond({\n\t\t\t\t\t\t\":status\": 200,\n\t\t\t\t\t\t\"content-type\": \"application/json\",\n\t\t\t\t\t});\n\t\t\t\t\tstream.end(JSON.stringify(response));\n\t\t\t\t} else stream.close();\n\t\t\t} catch (_e) {\n\t\t\t\tstream.respond({ \":status\": 400 });\n\t\t\t\tstream.end();\n\t\t\t}\n\t\t});\n\t}\n\n\tpublic async listen(port: number, host: string = \"0.0.0.0\"): Promise<number> {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.start();\n\n\t\t\t// Announce all local tools to the DHT\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\tfor 
(const tool of tools) {\n\t\t\t\tawait this.meshNode.announceCapability(tool.name);\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] 📡 Announced local tool to Mesh: ${tool.name}`,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.netServer.on(\"error\", (err: Error & { code?: string }) => {\n\t\t\t\tif (err.code === \"EADDRINUSE\") {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-Gateway] FATAL: Port ${port} is already in use by another process.`,\n\t\t\t\t\t);\n\t\t\t\t} else {\n\t\t\t\t\tlog.error(`[LIOP-Gateway] Binding Error: ${err.message}`);\n\t\t\t\t}\n\t\t\t\treject(err);\n\t\t\t});\n\n\t\t\tthis.netServer.listen(port, host, () => {\n\t\t\t\tconst addr = this.netServer.address();\n\t\t\t\tconst actualHost =\n\t\t\t\t\ttypeof addr === \"string\" ? addr : addr?.address || host;\n\t\t\t\tconst assignedPort =\n\t\t\t\t\ttypeof addr === \"string\" ? port : addr?.port || port;\n\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Gateway] ✅ Transformer Mesh Gateway READY and listening on ${actualHost}:${assignedPort}`,\n\t\t\t\t);\n\t\t\t\tresolve(assignedPort);\n\t\t\t});\n\t\t});\n\t}\n\n\tpublic async stop() {\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t\tthis.netServer.close();\n\t\tthis.h2Server.close();\n\t\tthis.h1Server.close();\n\t}\n\n\tpublic getRouter(): LiopMcpRouter {\n\t\treturn this.router;\n\t}\n}\n"]}
|