@nekzus/liop 2.0.0-alpha.2 → 2.0.0-alpha.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/README.md +64 -24
  2. package/dist/bin/agent.js +3 -3
  3. package/dist/bin/agent.js.map +1 -1
  4. package/dist/bridge.js +1 -1
  5. package/dist/chunk-2MGFSIXN.js +2 -0
  6. package/dist/chunk-2MGFSIXN.js.map +1 -0
  7. package/dist/chunk-4C666HHU.js +2 -0
  8. package/dist/chunk-4C666HHU.js.map +1 -0
  9. package/dist/{chunk-PPCOS2NU.js → chunk-7I6YJS3C.js} +2 -2
  10. package/dist/{chunk-PPCOS2NU.js.map → chunk-7I6YJS3C.js.map} +1 -1
  11. package/dist/{chunk-HNDVAKEK.js → chunk-C65RM2A3.js} +6 -6
  12. package/dist/chunk-C65RM2A3.js.map +1 -0
  13. package/dist/{chunk-P52IE4L6.js → chunk-ISKM7EAL.js} +2 -2
  14. package/dist/{chunk-P52IE4L6.js.map → chunk-ISKM7EAL.js.map} +1 -1
  15. package/dist/{chunk-XLVRRGOX.js → chunk-NWZ5KZDN.js} +3 -3
  16. package/dist/chunk-NWZ5KZDN.js.map +1 -0
  17. package/dist/{chunk-PIBCW4BD.js → chunk-SYMZRXI3.js} +3 -3
  18. package/dist/{chunk-PIBCW4BD.js.map → chunk-SYMZRXI3.js.map} +1 -1
  19. package/dist/chunk-TNMS53OP.js +2 -0
  20. package/dist/chunk-TNMS53OP.js.map +1 -0
  21. package/dist/chunk-UK7OBXGZ.js +33 -0
  22. package/dist/chunk-UK7OBXGZ.js.map +1 -0
  23. package/dist/chunk-V5MKJT6S.js +2 -0
  24. package/dist/chunk-V5MKJT6S.js.map +1 -0
  25. package/dist/chunk-WG353XMU.js +43 -0
  26. package/dist/chunk-WG353XMU.js.map +1 -0
  27. package/dist/client.d.ts +1 -1
  28. package/dist/client.js +1 -1
  29. package/dist/gateway.js +1 -1
  30. package/dist/{index-CyxNLlz7.d.ts → index-BihN3W-K.d.ts} +9 -0
  31. package/dist/index.d.ts +2 -2
  32. package/dist/index.js +1 -1
  33. package/dist/index.js.map +1 -1
  34. package/dist/kyber-NONMBQNH.js +2 -0
  35. package/dist/{kyber-2WDOTUQX.js.map → kyber-NONMBQNH.js.map} +1 -1
  36. package/dist/mesh.js +1 -1
  37. package/dist/server.d.ts +18 -0
  38. package/dist/server.js +1 -1
  39. package/dist/types.js +1 -1
  40. package/dist/verifier-6M7GY4TW.js +2 -0
  41. package/dist/{verifier-RQRYXA4C.js.map → verifier-6M7GY4TW.js.map} +1 -1
  42. package/dist/workers/logic-execution.d.ts +5 -0
  43. package/dist/workers/logic-execution.js +1 -1
  44. package/dist/workers/logic-execution.js.map +1 -1
  45. package/dist/workers/zk-verifier.js +1 -1
  46. package/dist/workers/zk-verifier.js.map +1 -1
  47. package/package.json +54 -49
  48. package/dist/chunk-4ABAFG44.js +0 -33
  49. package/dist/chunk-4ABAFG44.js.map +0 -1
  50. package/dist/chunk-HM77MWB6.js +0 -2
  51. package/dist/chunk-HM77MWB6.js.map +0 -1
  52. package/dist/chunk-HNDVAKEK.js.map +0 -1
  53. package/dist/chunk-HQZHZM6U.js +0 -2
  54. package/dist/chunk-HQZHZM6U.js.map +0 -1
  55. package/dist/chunk-X6FJATUE.js +0 -29
  56. package/dist/chunk-X6FJATUE.js.map +0 -1
  57. package/dist/chunk-XLVRRGOX.js.map +0 -1
  58. package/dist/kyber-2WDOTUQX.js +0 -2
  59. package/dist/verifier-RQRYXA4C.js +0 -2
package/dist/chunk-X6FJATUE.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/rpc/server.ts","../src/security/taint-analyzer.ts","../src/server/ner-scanner.ts","../src/server/pii.ts","../src/server/index.ts"],"names":["GRPC_CHANNEL_OPTIONS","LiopRpcServer","handlers","liopV1","port","tls","credentials","createServerCredentials","resolve","reject","error","assignedPort","log","TaintAnalyzer","_TaintAnalyzer","piiFields","f","sourceCode","ast","wrapped","recordBoundVars","taintedVars","simple","node","member","methodName","callback","fn","param","recordParam","declarator","iteration","sizeBefore","callee","arg","violation","line","operation","bin","unary","cond","prop","el","expr","spread","propName","parentMember","litVal","call","fnName","scopedRecordVars","scopedTaintedVars","recordParamIndex","hasTaintedReturn","returnVisitors","val","name","obj","MEDICAL_VOCABULARY","MIN_TEXT_LENGTH","NON_TEXT_PATTERN","NerScanner","_NerScanner","mod","text","doc","entities","people","person","trimmed","places","place","orgs","org","input","seen","values","allEntities","value","result","e","isLuhnValid","cardNumber","digits","sum","isEven","digit","isIbanValid","iban","sanitized","rearranged","numericString","charCode","PII_PATTERNS","match","p","area","PII_PRESETS","PiiScanner","_PiiScanner","patterns","forbiddenKeys","nerScanner","k","token","parsed","patternViolation","nerResult","personEntity","element","key","fuzzyViolation","normalized","pattern","rule","def","matchedText","respectPlainToolPayload","v","__dirname","path","fileURLToPath","LiopServer","_LiopServer","serverInfo","config","rlConfig","isTS","workerExt","execArgv","tsxPkg","createRequire","pathToFileURL","isTest","workerPaths","workerFilename","Piscina","FixedQueue","payload","compact","_toolName","logic","policy","taintViolation","toolName","output","schemaResult","z","i","rec","texts","part","t","joined","policyObj","recordsCount","maxRows","allowPrimitives","item","keys","lines","schema","depth","schemaType","properties","items","propType","nested","options","description","shape","handler","generatedSchema","zodToJsonSchema","finalDescription","finalHandler","blockedKeys","schemaDigest","args","_extra","clientId","now","stats","payloadValue","bypassCache","payloadHash","crypto","cached","preflightReason","inputSchema","err","_request","uri","mimeType","content","entry","windowMs","maxPerWindow","active","retryAfterSec","maxGlobal","request","globalLimitResult","rateLimitResult","parsedArgs","resource","records","envPort","MeshNode","meshNodeRef","tools","resources","r","tool","Kyber768Wrapper","publicKey","secretKey","sessionToken","session","q","workerResponse","finalOutput","decoded","toolResult","response","Buffer","aggregationViolation","internalReason","isDev","detail","errorResponse","_args","rawPayload","toolPolicy","policyViolation"],"mappings":"qfAiBA,IAAMA,CAAAA,CAAuB,CAC5B,wBAAA,CAA0B,GAAA,CAC1B,2BAAA,CAA6B,GAAA,CAC7B,qCAAA,CAAuC,CAAA,CACvC,8BAAA,CAAgC,EAAA,CAChC,iCAAA,CAAmC,EAAA,CACnC,qBAAA,CAAuB,CACxB,CAAA,CAEaC,CAAAA,CAAN,KAAoB,CAClB,OAER,WAAA,EAAc,CACb,IAAA,CAAK,MAAA,CAAS,IAAS,CAAA,CAAA,MAAA,CAAOD,CAAoB,EACnD,CAEO,UAAA,CAAWE,CAAAA,CAQT,CACR,IAAA,CAAK,MAAA,CAAO,UAAA,CAAWC,CAAAA,CAAO,SAAA,CAAU,OAAA,CAAS,CAChD,eAAA,CAAiBD,CAAAA,CAAS,eAAA,CAC1B,YAAA,CAAcA,CAAAA,CAAS,YACxB,CAAC,EACF,CAEA,MAAa,MAAA,CACZE,CAAAA,CAAe,KAAA,CACfC,EACkB,CAClB,IAAMC,CAAAA,CAAcC,CAAAA,CAAwBF,CAAG,CAAA,CAC/C,OAAO,IAAI,OAAA,CAAQ,CAACG,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,MAAA,CAAO,SAAA,CACX,WAAWL,CAAI,CAAA,CAAA,CACfE,CAAAA,CACA,CAACI,CAAAA,CAAOC,CAAAA,GAAiB,CACxB,GAAID,CAAAA,CAAO,CACVD,CAAAA,CAAOC,CAAK,CAAA,CACZ,MACD,CACAE,GAAAA,CAAI,KAAK,CAAA,oCAAA,EAAuCD,CAAY,CAAA,CAAE,CAAA,CAC9DH,CAAAA,CAAQG,CAAY,EACrB,CACD,EACD,CAAC,CACF,CAEA,MAAa,IAAA,EAAsB,CAClC,OAAO,IAAI,OAAA,CAASH,CAAAA,EAAY,CAC/B,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,IAAM,CAC7BI,GAAAA,CAAI,IAAA,CAAK,6BAA6B,CAAA,CACtCJ,CAAAA,GACD,CAAC,EACF,CAAC,CACF,CACD,ECtCO,IAAMK,CAAAA,CAAN,MAAMC,CAAc,CACT,SAAA,CAGjB,OAAwB,yBAAA,CAA4B,IAAI,GAAA,CAAI,CAE3D,YAAA,CACA,aAAA,CACA,QAAA,CACA,IAAA,CAEA,SAAA,CACA,aAAA,CACA,QAAA,CAEA,eAAA,CACA,YAAA,CACA,UAAA,CACA,WAEA,WAAA,CACA,OAAA,CACA,QAAA,CACA,OAAA,CACA,OAAA,CACA,UAAA,CACA,SAAA,CACA,YAAA,CACA,WAAA,CACA,aAAA,CACA,aAAA,CACA,MAAA,CACA,WAAA,CACA,SAAA,CACA,UAAA,CACA,QAAA,CACA,QACD,CAAC,CAAA,CAGD,OAAwB,sBAAA,CAAyB,IAAI,GAAA,CAAI,CACxD,KAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,MAAA,CACA,OAAA,CACA,SAAA,CACA,WACD,CAAC,CAAA,CAGD,OAAwB,cAAA,CAAiB,IAAI,GAAA,CAAI,CAAC,QAAA,CAAU,aAAa,CAAC,CAAA,CAE1E,WAAA,CAAYC,CAAAA,CAAqB,CAChC,IAAA,CAAK,SAAA,CAAY,IAAI,IAAIA,CAAAA,CAAU,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,WAAA,EAAa,CAAC,EAC/D,CAQA,OAAA,CAAQC,CAAAA,CAA2C,CAClD,IAAIC,CAAAA,CACJ,GAAI,CAEH,IAAMC,CAAAA,CAAU,CAAA;AAAA,EAA0CF,CAAU;AAAA,CAAA,CAAA,CACpEC,CAAAA,CAAY,QAAMC,CAAAA,CAAS,CAC1B,YAAa,IAAA,CACb,UAAA,CAAY,SACZ,SAAA,CAAW,CAAA,CACZ,CAAC,EACF,CAAA,KAAQ,CAEP,OAAO,IACR,CAEA,IAAMC,CAAAA,CAAkB,IAAI,GAAA,CACtBC,CAAAA,CAAc,IAAI,GAAA,CAGxB,OAAA,IAAA,CAAK,wBAAwBH,CAAAA,CAAKE,CAAe,EAGjD,IAAA,CAAK,cAAA,CAAeF,EAAKE,CAAAA,CAAiBC,CAAW,EAG9C,IAAA,CAAK,qBAAA,CAAsBH,EAAKE,CAAAA,CAAiBC,CAAW,CACpE,CAIQ,uBAAA,CACPH,EACAE,CAAAA,CACO,CAyDPE,OAAOJ,CAAAA,CAxDgC,CACtC,eAAiBK,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,OAE7C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,OACdE,CAAAA,CAAa,IAAA,CAAK,gBAAgBD,CAAM,CAAA,CAI9C,GAHI,CAACC,CAAAA,EAGD,CAAC,IAAA,CAAK,kBAAA,CAAmBD,EAAO,MAAM,CAAA,CAAG,OAE7C,IAAME,CAAAA,CAAWH,EAAK,SAAA,CAAU,CAAC,EACjC,GAAKG,CAAAA,GAGJA,EAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,GAAS,oBAAA,CAAA,CACjB,CACD,IAAMC,CAAAA,CAAKD,CAAAA,CAEX,GACCZ,CAAAA,CAAc,sBAAA,CAAuB,IAAIW,CAAU,CAAA,EACnDE,EAAG,MAAA,CAAO,MAAA,CAAS,EAClB,CACD,IAAMC,EAAQD,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CACrBC,CAAAA,CAAM,OAAS,YAAA,EAClBR,CAAAA,CAAgB,IAAIQ,CAAAA,CAAM,IAAI,EAEhC,CAEA,GACCd,EAAc,cAAA,CAAe,GAAA,CAAIW,CAAU,CAAA,EAC3CE,CAAAA,CAAG,OAAO,MAAA,CAAS,CAAA,CAClB,CACD,IAAME,CAAAA,CAAcF,EAAG,MAAA,CAAO,CAAC,EAC3BE,CAAAA,CAAY,IAAA,GAAS,YAAA,EACxBT,CAAAA,CAAgB,GAAA,CAAIS,CAAAA,CAAY,IAAI,EAEtC,CACD,CACD,CAAA,CAGA,cAAA,CAAiBN,GAAS,CACzB,GAAK,KAAK,kBAAA,CAAmBA,CAAAA,CAAK,KAAK,CAAA,EAEnCA,CAAAA,CAAK,KAAK,IAAA,GAAS,qBAAA,CACtB,QAAWO,CAAAA,IAAcP,CAAAA,CAAK,KAAK,YAAA,CAC9BO,CAAAA,CAAW,GAAG,IAAA,GAAS,YAAA,EAC1BV,EAAgB,GAAA,CAAIU,CAAAA,CAAW,GAAG,IAAI,EAI1C,CACD,CAEoB,CAAA,CAmBpBR,OAAOJ,CAAAA,CAhBqC,CAC3C,mBAAqBK,CAAAA,EAAS,CAC7B,GAAI,EAAA,CAACA,CAAAA,CAAK,IAAA,EAAQA,CAAAA,CAAK,EAAA,CAAG,IAAA,GAAS,eAGlCA,CAAAA,CAAK,IAAA,CAAK,OAAS,kBAAA,EAClBA,CAAAA,CAAK,KAAgC,QAAA,CACrC,CACD,IAAMC,CAAAA,CAASD,CAAAA,CAAK,KAChB,IAAA,CAAK,kBAAA,CAAmBC,EAAO,MAAM,CAAA,EACxCJ,EAAgB,GAAA,CAAIG,CAAAA,CAAK,GAAG,IAAI,EAElC,CACD,CACD,CAEyB,EAC1B,CAIQ,cAAA,CACPL,EACAE,CAAAA,CACAC,CAAAA,CACO,CAGP,IAAA,IAASU,CAAAA,CAAY,EAAGA,CAAAA,CAAY,CAAA,CAAGA,IAAa,CACnD,IAAMC,EAAaX,CAAAA,CAAY,IAAA,CA8C/B,GAHAC,MAAAA,CAAOJ,CAAAA,CAzCgC,CACtC,kBAAA,CAAqBK,CAAAA,EAAS,CACzB,CAACA,CAAAA,CAAK,MAAQA,CAAAA,CAAK,EAAA,CAAG,OAAS,YAAA,EAGlC,IAAA,CAAK,oBAAoBA,CAAAA,CAAK,IAAA,CAAMH,EAAiBC,CAAW,CAAA,EAEhEA,EAAY,GAAA,CAAIE,CAAAA,CAAK,GAAG,IAAI,EAE9B,EAEA,oBAAA,CAAuBA,CAAAA,EAAS,CAC3BA,CAAAA,CAAK,IAAA,CAAK,OAAS,YAAA,EAGtB,IAAA,CAAK,oBAAoBA,CAAAA,CAAK,KAAA,CAAOH,EAAiBC,CAAW,CAAA,EAEjEA,EAAY,GAAA,CAAKE,CAAAA,CAAK,KAA0B,IAAI,EAEtD,CAAA,CAIA,cAAA,CAAiBA,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,OAE7C,IAAMU,CAAAA,CAASV,CAAAA,CAAK,OACD,IAAA,CAAK,eAAA,CAAgBU,CAAM,CAAA,GAG9B,MAAA,EACfA,EAAO,MAAA,CAAO,IAAA,GAAS,cACvBV,CAAAA,CAAK,SAAA,CAAU,KAAMW,CAAAA,EACpB,IAAA,CAAK,oBAAoBA,CAAAA,CAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,EAEAA,EAAY,GAAA,CAAKY,CAAAA,CAAO,OAA4B,IAAI,EAE1D,CACD,CAEoB,CAAA,CAGhBZ,EAAY,IAAA,GAASW,CAAAA,CAAY,KACtC,CACD,CAIQ,qBAAA,CACPd,CAAAA,CACAE,CAAAA,CACAC,CAAAA,CACwB,CACxB,IAAIc,CAAAA,CAAmC,KA+BvC,OAAAb,MAAAA,CAAOJ,EA7BgC,CACtC,eAAA,CAAkBK,GAAS,CAC1B,GAAI,CAAAY,CAAAA,EAECZ,CAAAA,CAAK,UAGT,IAAA,CAAK,mBAAA,CAAoBA,EAAK,QAAA,CAAUH,CAAAA,CAAiBC,CAAW,CAAA,CACnE,CACD,IAAMe,CAAAA,CAAOb,CAAAA,CAAK,KAAK,KAAA,CAAM,IAAA,CAC1BA,EAAK,GAAA,CAAI,KAAA,CAAM,KAAO,CAAA,CACtB,MAAA,CACGc,EAAY,IAAA,CAAK,mBAAA,CACtBd,EAAK,QAAA,CACLH,CAAAA,CACAC,CACD,CAAA,CACAc,CAAAA,CAAY,CACX,MAAA,CACC,CAAA,kFAAA,EACGE,CAAAA,CAAY,cAAcA,CAAS,CAAA,EAAA,CAAA,CAAO,EAAE,CAAA,sEAAA,CAAA,CAEhD,IAAA,CAAAD,EACA,SAAA,CAAAC,CACD,EACD,CACD,CACD,CAEoB,CAAA,CAEbF,CACR,CAQQ,mBAAA,CACPZ,CAAAA,CACAH,EACAC,CAAAA,CACU,CACV,OAAQE,CAAAA,CAAK,IAAA,EACZ,KAAK,YAAA,CACJ,OAAOF,CAAAA,CAAY,GAAA,CAAKE,EAA0B,IAAI,CAAA,CAEvD,KAAK,kBAAA,CACJ,OAAO,KAAK,mBAAA,CACXA,CAAAA,CACAH,EACAC,CACD,CAAA,CAED,KAAK,gBAAA,CACJ,OAAO,KAAK,iBAAA,CACXE,CAAAA,CACAH,EACAC,CACD,CAAA,CAED,KAAK,kBAAA,CACL,KAAK,oBAAqB,CACzB,IAAMiB,EAAMf,CAAAA,CACZ,OACC,KAAK,mBAAA,CAAoBe,CAAAA,CAAI,KAAMlB,CAAAA,CAAiBC,CAAW,GAC/D,IAAA,CAAK,mBAAA,CAAoBiB,EAAI,KAAA,CAAOlB,CAAAA,CAAiBC,CAAW,CAElE,CAEA,KAAK,iBAAA,CAAmB,CACvB,IAAMkB,CAAAA,CAAQhB,CAAAA,CACd,OAAO,IAAA,CAAK,mBAAA,CACXgB,EAAM,QAAA,CACNnB,CAAAA,CACAC,CACD,CACD,CAEA,KAAK,uBAAA,CAAyB,CAC7B,IAAMmB,CAAAA,CAAOjB,CAAAA,CAEb,OACC,KAAK,mBAAA,CAAoBiB,CAAAA,CAAK,KAAMpB,CAAAA,CAAiBC,CAAW,GAChE,IAAA,CAAK,mBAAA,CACJmB,EAAK,UAAA,CACLpB,CAAAA,CACAC,CACD,CAAA,EACA,IAAA,CAAK,oBAAoBmB,CAAAA,CAAK,SAAA,CAAWpB,EAAiBC,CAAW,CAEvE,CAEA,KAAK,kBAAA,CAEJ,OADYE,CAAAA,CACD,UAAA,CAAW,KACpBkB,CAAAA,EACAA,CAAAA,CAAK,OAAS,UAAA,EACd,IAAA,CAAK,oBAAoBA,CAAAA,CAAK,KAAA,CAAOrB,EAAiBC,CAAW,CACnE,EAGD,KAAK,iBAAA,CAEJ,OADYE,CAAAA,CACD,QAAA,CAAS,IAAA,CAClBmB,CAAAA,EACAA,CAAAA,GAAO,IAAA,EACP,KAAK,mBAAA,CAAoBA,CAAAA,CAAItB,EAAiBC,CAAW,CAC3D,EAGD,KAAK,iBAAA,CAEJ,OADaE,CAAAA,CACD,WAAA,CAAY,KAAMoB,CAAAA,EAC7B,IAAA,CAAK,oBAAoBA,CAAAA,CAAMvB,CAAAA,CAAiBC,CAAW,CAC5D,CAAA,CAGD,KAAK,eAAA,CAAiB,CACrB,IAAMuB,CAAAA,CAASrB,CAAAA,CACf,OAAO,IAAA,CAAK,mBAAA,CACXqB,EAAO,QAAA,CACPxB,CAAAA,CACAC,CACD,CACD,CAEA,QAEC,OAAO,MACT,CACD,CAMQ,mBAAA,CACPG,EACAJ,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMwB,CAAAA,CAAW,IAAA,CAAK,gBAAgBrB,CAAM,CAAA,CAG5C,GACCA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBJ,CAAAA,CAAgB,IAAKI,CAAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,EAC5DqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EAEzC,OAAO,KAAA,CAKR,GACCrB,CAAAA,CAAO,MAAA,CAAO,OAAS,kBAAA,EACvBqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EACxC,CACD,IAAMC,EAAetB,CAAAA,CAAO,MAAA,CAC5B,GACCsB,CAAAA,CAAa,QAAA,EACb,IAAA,CAAK,kBAAA,CAAmBA,CAAAA,CAAa,MAAM,EAE3C,OAAO,KAET,CAIA,GAAI,IAAA,CAAK,oBAAoBtB,CAAAA,CAAO,MAAA,CAAQJ,EAAiBC,CAAW,CAAA,CACvE,OAAO,KAAA,CAKR,GACCG,EAAO,QAAA,EACPA,CAAAA,CAAO,OAAO,IAAA,GAAS,YAAA,EACvBJ,EAAgB,GAAA,CAAKI,CAAAA,CAAO,OAA4B,IAAI,CAAA,EAIxDA,EAAO,QAAA,CAAS,IAAA,GAAS,UAAW,CACvC,IAAMuB,EAAUvB,CAAAA,CAAO,QAAA,CAA2B,MAClD,GACC,OAAOuB,GAAW,QAAA,EAClB,IAAA,CAAK,UAAU,GAAA,CAAIA,CAAAA,CAAO,WAAA,EAAa,CAAA,CAEvC,OAAO,KAET,CAGD,OAAO,MACR,CAMQ,iBAAA,CACPC,EACA5B,CAAAA,CACAC,CAAAA,CACU,CAEV,GAAI2B,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMf,CAAAA,CAASe,EAAK,MAAA,CACdvB,CAAAA,CAAa,KAAK,eAAA,CAAgBQ,CAAM,EAG9C,GACCR,CAAAA,EACAX,EAAc,yBAAA,CAA0B,GAAA,CAAIW,CAAU,CAAA,EACtD,IAAA,CAAK,oBAAoBQ,CAAAA,CAAO,MAAA,CAAQb,EAAiBC,CAAW,CAAA,CAEpE,OAAO,KAAA,CAIR,GAAI,KAAK,kBAAA,CAAmBY,CAAAA,CAAO,MAAM,CAAA,EAAKe,CAAAA,CAAK,SAAA,CAAU,CAAC,CAAA,CAAG,CAChE,IAAMtB,CAAAA,CAAWsB,CAAAA,CAAK,UAAU,CAAC,CAAA,CACjC,GACCtB,CAAAA,CAAS,IAAA,GAAS,2BAClBA,CAAAA,CAAS,IAAA,GAAS,qBAElB,OAAO,IAAA,CAAK,yBACXA,CAAAA,CACAD,CAAAA,CACAL,EACAC,CACD,CAEF,CAYA,GAPC,IAAA,CAAK,oBAAoBY,CAAAA,CAAO,MAAA,CAAQb,EAAiBC,CAAW,CAAA,EAQpE2B,EAAK,SAAA,CAAU,IAAA,CAAMd,GACpB,IAAA,CAAK,mBAAA,CAAoBA,EAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,CAEA,OAAO,KAET,CAKA,GAAI2B,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMf,CAAAA,CAASe,EAAK,MAAA,CACD,IAAA,CAAK,gBAAgBf,CAAM,CAAA,GAE9B,QACfA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBe,CAAAA,CAAK,UAAU,IAAA,CAAMd,CAAAA,EACpB,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,EAAiBC,CAAW,CAC3D,GAGAA,CAAAA,CAAY,GAAA,CAAKY,EAAO,MAAA,CAA4B,IAAI,EAE1D,CAKA,GAAIe,EAAK,MAAA,CAAO,IAAA,GAAS,aAAc,CACtC,IAAMC,EAAUD,CAAAA,CAAK,MAAA,CAA4B,KAUjD,GAAI,CARiB,IAAI,GAAA,CAAI,CAC5B,OACA,QAAA,CACA,UAAA,CACA,aACA,OAAA,CACA,UACD,CAAC,CAAA,CACiB,GAAA,CAAIC,CAAM,CAAA,CAC3B,OAAOD,EAAK,SAAA,CAAU,IAAA,CAAMd,GAC3B,IAAA,CAAK,mBAAA,CAAoBA,EAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAEF,CAEA,OAAO,MACR,CAMQ,yBACPK,CAAAA,CACAD,CAAAA,CACAL,EACAC,CAAAA,CACU,CAEV,IAAM6B,CAAAA,CAAmB,IAAI,IAAI9B,CAAe,CAAA,CAC1C+B,EAAoB,IAAI,GAAA,CAAI9B,CAAW,CAAA,CAE7C,GAAIK,CAAAA,CAAS,OAAO,MAAA,CAAS,CAAA,CAAG,CAG/B,IAAM0B,CAAAA,CADL3B,IAAe,IAAA,EAAQX,CAAAA,CAAc,eAAe,GAAA,CAAIW,CAAU,EAC/B,CAAA,CAAI,CAAA,CAGvCC,EAAS,MAAA,CAAO,MAAA,CAAS0B,GACzB1B,CAAAA,CAAS,MAAA,CAAO0B,CAAgB,CAAA,CAAE,IAAA,GAAS,cAE3CF,CAAAA,CAAiB,GAAA,CACfxB,EAAS,MAAA,CAAO0B,CAAgB,EAAuB,IACzD,EAEF,CAGA,GACC1B,CAAAA,CAAS,OAAS,yBAAA,EAClBA,CAAAA,CAAS,KAAK,IAAA,GAAS,gBAAA,CAEvB,OAAO,IAAA,CAAK,mBAAA,CACXA,CAAAA,CAAS,IAAA,CACTwB,CAAAA,CACAC,CACD,EAID,IAAIE,CAAAA,CAAmB,MACjBC,CAAAA,CAAuC,CAC5C,gBAAkB/B,CAAAA,EAAS,CAEzBA,EAAK,QAAA,EACL,IAAA,CAAK,oBACJA,CAAAA,CAAK,QAAA,CACL2B,EACAC,CACD,CAAA,GAEAE,EAAmB,IAAA,EAErB,CACD,EAEA,OAAA/B,MAAAA,CAAOI,EAAS,IAAA,CAAoB4B,CAAc,EAE3CD,CACR,CAKQ,gBAAgB7B,CAAAA,CAA+C,CACtE,GAAI,CAACA,CAAAA,CAAO,UAAYA,CAAAA,CAAO,QAAA,CAAS,OAAS,YAAA,CAChD,OAAQA,EAAO,QAAA,CAA8B,IAAA,CAE9C,GAAIA,CAAAA,CAAO,QAAA,EAAYA,CAAAA,CAAO,SAAS,IAAA,GAAS,SAAA,CAAW,CAC1D,IAAM+B,CAAAA,CAAO/B,EAAO,QAAA,CAA2B,KAAA,CAC/C,GAAI,OAAO+B,CAAAA,EAAQ,SAAU,OAAOA,CACrC,CACA,OAAO,IACR,CAGQ,kBAAA,CAAmBhC,CAAAA,CAA2B,CAErD,GAAIA,CAAAA,CAAK,OAAS,kBAAA,CAAoB,CACrC,IAAMC,CAAAA,CAASD,CAAAA,CAEf,GADiB,IAAA,CAAK,eAAA,CAAgBC,CAAM,CAAA,GAE9B,SAAA,EACbA,EAAO,MAAA,CAAO,IAAA,GAAS,cACtBA,CAAAA,CAAO,MAAA,CAA4B,OAAS,KAAA,CAE7C,OAAO,KAET,CAEA,OACCD,CAAAA,CAAK,OAAS,YAAA,EACbA,CAAAA,CAA0B,OAAS,SAKtC,CAGQ,oBACPA,CAAAA,CACAH,CAAAA,CACAC,EACqB,CACrB,GAAIE,EAAK,IAAA,GAAS,YAAA,CAAc,CAC/B,IAAMiC,CAAAA,CAAQjC,EAA0B,IAAA,CACxC,GAAIF,EAAY,GAAA,CAAImC,CAAI,EAAG,OAAO,CAAA,UAAA,EAAaA,CAAI,CAAA,gBAAA,CACpD,CAEA,GAAIjC,CAAAA,CAAK,IAAA,GAAS,mBAAoB,CACrC,IAAMkC,EAAMlC,CAAAA,CACZ,IAAA,IAAWkB,KAAQgB,CAAAA,CAAI,UAAA,CACtB,GACChB,CAAAA,CAAK,IAAA,GAAS,UAAA,EACd,IAAA,CAAK,mBAAA,CAAoBA,CAAAA,CAAK,MAAOrB,CAAAA,CAAiBC,CAAW,EAMjE,OAAO,CAAA,UAAA,EAHNoB,EAAK,GAAA,CAAI,IAAA,GAAS,aACdA,CAAAA,CAAK,GAAA,CAAyB,KAC/B,SACuB,CAAA,4BAAA,CAG9B,CAEA,GAAIlB,CAAAA,CAAK,OAAS,gBAAA,CAAkB,CACnC,IAAMyB,CAAAA,CAAOzB,CAAAA,CACb,GAAIyB,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,CAC5C,IAAMvB,CAAAA,CAAa,IAAA,CAAK,gBACvBuB,CAAAA,CAAK,MACN,EACA,GAAIvB,CAAAA,CAAY,OAAO,CAAA,WAAA,EAAcA,CAAU,gBAChD,CACD,CAGD,CACD,CAAA,CCtrBA,IAAMiC,CAAAA,CAA6C,CAClD,OAAA,CAAS,YAAA,CACT,WAAY,YAAA,CACZ,SAAA,CAAW,aACX,UAAA,CAAY,YAAA,CACZ,aAAc,YAAA,CACd,UAAA,CAAY,aACZ,QAAA,CAAU,YAAA,CACV,YAAa,YAAA,CACb,aAAA,CAAe,aACf,SAAA,CAAW,YAAA,CACX,cAAe,YAAA,CACf,WAAA,CAAa,aACb,aAAA,CAAe,YAAA,CACf,WAAY,YAAA,CACZ,QAAA,CAAU,aACV,OAAA,CAAS,YAAA,CACT,oBAAqB,YAAA,CACrB,UAAA,CAAY,aACZ,SAAA,CAAW,YAAA,CACX,aAAc,YAAA,CAEd,YAAA,CAAc,YACd,QAAA,CAAU,WAAA,CACV,UAAA,CAAY,WAAA,CACZ,SAAA,CAAW,WAAA,CACX,OAAQ,WACT,CAAA,CAgBMC,EAAkB,CAAA,CAGlBC,CAAAA,CAAmB,8CASZC,CAAAA,CAAN,MAAMC,CAAW,CACvB,OAAe,IAAwB,IAAA,CAKvC,MAAc,QAA6B,CAC1C,GAAI,CAACA,CAAAA,CAAW,GAAA,CAAK,CAEpB,IAAMC,CAAAA,CAAO,MAAM,OAAO,kBAAkB,EAE5CD,CAAAA,CAAW,GAAA,CAAOC,EAAI,OAAA,EAAWA,CAAAA,CACjCD,EAAW,GAAA,CAAI,QAAA,CAASJ,CAAkB,EAC3C,CACA,OAAOI,CAAAA,CAAW,GACnB,CAMA,MAAM,IAAA,CAAKE,EAAsC,CAChD,GAAIA,EAAK,MAAA,CAASL,CAAAA,EAAmBC,EAAiB,IAAA,CAAKI,CAAI,EAC9D,OAAO,CAAE,SAAU,KAAA,CAAO,QAAA,CAAU,EAAG,CAAA,CAIxC,IAAMC,CAAAA,CAAAA,CADM,MAAM,KAAK,MAAA,EAAO,EACdD,CAAI,CAAA,CACdE,CAAAA,CAAwB,EAAC,CAEzBC,CAAAA,CAASF,EAAI,MAAA,EAAO,CAAE,IAAI,OAAO,CAAA,CACvC,QAAWG,CAAAA,IAAUD,CAAAA,CAAQ,CAC5B,IAAME,CAAAA,CAAUD,EAAO,IAAA,EAAK,CACxBC,EAAQ,MAAA,EAAUV,CAAAA,EACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,SAAU,IAAA,CAAMG,CAAQ,CAAC,EAEjD,CAEA,IAAMC,CAAAA,CAASL,CAAAA,CAAI,QAAO,CAAE,GAAA,CAAI,OAAO,CAAA,CACvC,IAAA,IAAWM,KAASD,CAAAA,CAAQ,CAC3B,IAAMD,CAAAA,CAAUE,CAAAA,CAAM,MAAK,CACvBF,CAAAA,CAAQ,QAAUV,CAAAA,EACrBO,CAAAA,CAAS,KAAK,CAAE,IAAA,CAAM,QAAS,IAAA,CAAMG,CAAQ,CAAC,EAEhD,CAEA,IAAMG,CAAAA,CAAOP,CAAAA,CAAI,eAAc,CAAE,GAAA,CAAI,OAAO,CAAA,CAC5C,IAAA,IAAWQ,CAAAA,IAAOD,CAAAA,CAAM,CACvB,IAAMH,EAAUI,CAAAA,CAAI,IAAA,GAChBJ,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,cAAA,CAAgB,KAAMG,CAAQ,CAAC,EAEvD,CAEA,OAAO,CACN,QAAA,CAAUH,CAAAA,CAAS,OAAS,CAAA,CAC5B,QAAA,CAAAA,CACD,CACD,CAMA,MAAM,QAAA,CACLQ,CAAAA,CACAC,EAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,KACb,OAAO,CAAE,SAAU,KAAA,CAAO,QAAA,CAAU,EAAG,CAAA,CAGxC,GAAI,OAAOA,CAAAA,EAAU,QAAA,CACpB,OAAO,IAAA,CAAK,IAAA,CAAKA,CAAK,CAAA,CAGvB,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAC9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAC3B,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAExCC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAExB,IAAME,CAAAA,CAAS,KAAA,CAAM,QAAQF,CAAK,CAAA,CAC/BA,EACA,MAAA,CAAO,MAAA,CAAOA,CAAgC,CAAA,CAE3CG,CAAAA,CAA2B,EAAC,CAElC,IAAA,IAAWC,KAASF,CAAAA,CAAQ,CAC3B,IAAMG,CAAAA,CAAS,MAAM,IAAA,CAAK,SAASD,CAAAA,CAAOH,CAAI,EAC9C,GAAII,CAAAA,CAAO,WACVF,CAAAA,CAAY,IAAA,CAAK,GAAGE,CAAAA,CAAO,QAAQ,EAE/BA,CAAAA,CAAO,QAAA,CAAS,KAAMC,CAAAA,EAAMA,CAAAA,CAAE,OAAS,QAAQ,CAAA,CAAA,CAClD,OAAO,CAAE,QAAA,CAAU,KAAM,QAAA,CAAUH,CAAY,CAGlD,CAEA,OAAO,CACN,QAAA,CAAUA,CAAAA,CAAY,OAAS,CAAA,CAC/B,QAAA,CAAUA,CACX,CACD,CAEA,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CACxC,CACD,ECvLA,SAASI,CAAAA,CAAYC,CAAAA,CAA6B,CACjD,IAAMC,CAAAA,CAASD,EAAW,OAAA,CAAQ,KAAA,CAAO,EAAE,CAAA,CAC3C,GAAIC,EAAO,MAAA,CAAS,EAAA,EAAMA,EAAO,MAAA,CAAS,EAAA,CAAI,OAAO,MAAA,CAErD,IAAIC,EAAM,CAAA,CACNC,CAAAA,CAAS,MAEb,IAAA,IAAS,CAAA,CAAIF,EAAO,MAAA,CAAS,CAAA,CAAG,GAAK,CAAA,CAAG,CAAA,EAAA,CAAK,CAC5C,IAAIG,CAAAA,CAAQ,SAASH,CAAAA,CAAO,MAAA,CAAO,CAAC,CAAA,CAAG,EAAE,EAErCE,CAAAA,GACHC,CAAAA,EAAS,CAAA,CACLA,CAAAA,CAAQ,CAAA,GACXA,CAAAA,EAAS,IAIXF,CAAAA,EAAOE,CAAAA,CACPD,EAAS,CAACA,EACX,CAEA,OAAOD,CAAAA,CAAM,KAAO,CACrB,CAMA,SAASG,CAAAA,CAAYC,CAAAA,CAAuB,CAC3C,IAAMC,CAAAA,CAAYD,EAAK,OAAA,CAAQ,MAAA,CAAQ,EAAE,CAAA,CAAE,WAAA,GAE3C,GAAI,CAAC,mCAAmC,IAAA,CAAKC,CAAS,EAAG,OAAO,MAAA,CAEhE,IAAMC,CAAAA,CAAaD,CAAAA,CAAU,UAAU,CAAC,CAAA,CAAIA,EAAU,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAEhEE,CAAAA,CAAgB,EAAA,CACpB,IAAA,IAAS,CAAA,CAAI,CAAA,CAAG,EAAID,CAAAA,CAAW,MAAA,CAAQ,IAAK,CAC3C,IAAME,EAAWF,CAAAA,CAAW,UAAA,CAAW,CAAC,CAAA,CACxC,GAAIE,GAAY,EAAA,EAAMA,CAAAA,EAAY,GACjCD,CAAAA,EAAAA,CAAkBC,CAAAA,CAAW,IAAI,QAAA,EAAS,CAAA,KAAA,GAChCA,GAAY,EAAA,EAAMA,CAAAA,EAAY,GACxCD,CAAAA,EAAiBD,CAAAA,CAAW,OAAO,CAAC,CAAA,CAAA,YAE7B,MAET,CAEA,GAAI,CACH,OAAO,OAAOC,CAAa,CAAA,CAAI,MAAQ,EACxC,CAAA,KAAa,CACZ,OAAO,MACR,CACD,CAUO,IAAME,EAAe,CAC3B,KAAA,CAAO,CACN,IAAA,CAAM,OAAA,CACN,QAAS,sDAAA,CACT,SAAA,CAAYC,GACX,CAACA,CAAAA,CAAM,SAAS,cAAc,CAAA,EAAK,CAACA,CAAAA,CAAM,QAAA,CAAS,WAAW,CAChE,CAAA,CACA,YAAa,CACZ,IAAA,CAAM,cACN,OAAA,CAAS,0BAAA,CACT,UAAWb,CACZ,CAAA,CACA,WAAY,CACX,IAAA,CAAM,aACN,OAAA,CAAS,yCAAA,CACT,UAAYa,CAAAA,EACK,CAAC,YAAa,SAAA,CAAW,iBAAiB,EAC9C,QAAA,CAASA,CAAK,CAAA,CAAU,KAAA,CAEtBA,CAAAA,CAAM,KAAA,CAAM,GAAG,CAAA,CAAE,GAAA,CAAI,MAAM,CAAA,CAC5B,KAAA,CAAOC,GAAMA,CAAAA,EAAK,CAAA,EAAKA,GAAK,GAAG,CAE9C,EACA,KAAA,CAAO,CACN,KAAM,OAAA,CAEN,OAAA,CAAS,gEACT,SAAA,CAAYD,CAAAA,EAAkB,CAC7B,IAAMX,CAAAA,CAASW,EAAM,OAAA,CAAQ,KAAA,CAAO,EAAE,CAAA,CAItC,OAHI,EAAAX,CAAAA,CAAO,MAAA,CAAS,GAAKA,CAAAA,CAAO,MAAA,CAAS,IAErC,WAAA,CAAY,IAAA,CAAKA,CAAM,CAAA,EACvBA,CAAAA,GAAW,aAEhB,CACD,CAAA,CACA,GAAA,CAAK,CACJ,IAAA,CAAM,KAAA,CACN,QAAS,gCAAA,CACT,SAAA,CAAYW,GAAkB,CAC7B,IAAMX,EAASW,CAAAA,CAAM,OAAA,CAAQ,MAAO,EAAE,CAAA,CACtC,GAAIX,CAAAA,CAAO,MAAA,GAAW,EAAG,OAAO,MAAA,CAEhC,IAAMa,CAAAA,CAAO,QAAA,CAASb,EAAO,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAAG,EAAE,EAShD,OARI,EAAAa,IAAS,CAAA,EAAKA,CAAAA,GAAS,KAAOA,CAAAA,EAAQ,GAAA,EAE5B,SAASb,CAAAA,CAAO,SAAA,CAAU,EAAG,CAAC,CAAA,CAAG,EAAE,CAAA,GACnC,CAAA,EAEC,QAAA,CAASA,CAAAA,CAAO,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAAG,EAAE,IACnC,CAAA,EAEX,WAAA,CAAY,KAAKA,CAAM,CAAA,EAAKA,IAAW,WAAA,CAG5C,CACD,EACA,IAAA,CAAM,CACL,KAAM,MAAA,CACN,OAAA,CAAS,uCACT,SAAA,CAAWI,CACZ,EACA,YAAA,CAAc,CACb,KAAM,cAAA,CAEN,OAAA,CAAS,6CACV,CACD,CAAA,CAMaU,EAAc,CAC1B,aAAA,CAAe,CACdJ,CAAAA,CAAa,KAAA,CACbA,EAAa,WAAA,CACbA,CAAAA,CAAa,WACbA,CAAAA,CAAa,KAAA,CACbA,EAAa,YAAA,CACbA,CAAAA,CAAa,IACd,CAAA,CACA,YAAA,CAAc,CACbA,CAAAA,CAAa,KAAA,CACbA,EAAa,WAAA,CACbA,CAAAA,CAAa,WACbA,CAAAA,CAAa,KAAA,CACbA,EAAa,GAAA,CACbA,CAAAA,CAAa,YACd,CAAA,CACA,OAAA,CAAS,CACRA,CAAAA,CAAa,KAAA,CACbA,EAAa,WAAA,CACbA,CAAAA,CAAa,WACbA,CAAAA,CAAa,KAAA,CACbA,EAAa,IAAA,CACbA,CAAAA,CAAa,YACd,CACD,CAAA,CAEaK,EAAN,MAAMC,CAAW,CACf,QAAA,CACA,gBAAA,CACA,WAMR,OAAwB,YAAA,CAAe,IAAI,GAAA,CAAI,CAE9C,OACA,OAAA,CACA,SAAA,CACA,UAAA,CACA,SAAA,CACA,UAAA,CACA,UAAA,CACA,SACA,QAAA,CACA,YAAA,CACA,SACA,WAAA,CACA,SAAA,CACA,SACA,SAAA,CACA,QAAA,CACA,SACA,OAAA,CACA,MAAA,CACA,OACA,MAAA,CACA,MAAA,CACA,OACA,OAAA,CACA,OAAA,CACA,QACA,OAAA,CACA,QAAA,CACA,QACA,SAAA,CACA,SAAA,CACA,WACA,WAAA,CACA,OAAA,CACA,UACA,MAAA,CACA,OAAA,CAEA,YACA,YAAA,CACA,WAAA,CACA,WACA,QAAA,CACA,UAAA,CACA,WACA,UAAA,CACA,SAAA,CACA,UAEA,UAAA,CACA,SAAA,CACA,aACA,WAAA,CACA,WAAA,CACA,WAAA,CACA,YAAA,CAEA,YAAA,CACA,aAAA,CACA,aAEA,WAAA,CACA,aAAA,CACA,WACA,UAAA,CACA,SAAA,CAEA,YACA,UAAA,CAEA,UAAA,CACA,qBACA,YAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,eAAA,CACA,UACA,QACD,CAAC,EAMO,0BAAA,CAKA,mBAAA,CAER,YACCC,CAAAA,CAAsB,GACtBC,CAAAA,CAA0B,GAC1BC,CAAAA,CACC,CACD,KAAK,QAAA,CAAWF,CAAAA,CAChB,KAAK,gBAAA,CAAmB,IAAI,IAAIC,CAAAA,CAAc,GAAA,CAAKE,GAAMA,CAAAA,CAAE,WAAA,EAAa,CAAC,CAAA,CACzE,IAAA,CAAK,WAAaD,CAAAA,EAAc,IAAA,CAGhC,KAAK,0BAAA,CAA6B,IAAI,IACtC,IAAA,CAAK,mBAAA,CAAsB,EAAC,CAE5B,IAAA,IAAWE,KAAS,IAAA,CAAK,gBAAA,CACpBA,EAAM,MAAA,CAAS,CAAA,CAIlB,KAAK,0BAAA,CAA2B,GAAA,CAC/BA,EACA,IAAI,MAAA,CACH,aAAaA,CAAK,CAAA,sBAAA,EACHA,EAAM,MAAA,CAAO,CAAC,EAAE,WAAA,EAAa,GAAGA,CAAAA,CAAM,KAAA,CAAM,CAAC,CAAC,CAAA,EAAA,EACxDA,CAAK,CAAA,CAAA,CAAA,CACV,GACD,CACD,CAAA,CAEA,IAAA,CAAK,oBAAoB,IAAA,CAAKA,CAAK,EAGtC,CAYA,MAAa,KACZ9B,CAAAA,CACAC,CAAAA,CAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CAA6B,OAAO,IAAA,CAGlD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAG9B,IAAML,CAAAA,CAAUK,EAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,IAAMoC,CAAAA,CAAS,IAAA,CAAK,KAAA,CAAMpC,CAAO,CAAA,CAE3BlC,EAAY,MAAM,IAAA,CAAK,KAAKsE,CAAAA,CAAQ9B,CAAI,EAC9C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAAa,CAEb,CAID,IAAMuE,EAAmB,IAAA,CAAK,WAAA,CAAYhC,CAAK,CAAA,CAC/C,GAAIgC,EAAkB,OAAOA,CAAAA,CAG7B,GAAI,IAAA,CAAK,UAAA,CAAY,CACpB,IAAMC,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAKjC,CAAK,CAAA,CAClD,GAAIiC,CAAAA,CAAU,QAAA,CAAU,CACvB,IAAMC,CAAAA,CAAeD,EAAU,QAAA,CAAS,IAAA,CACtC3B,CAAAA,EAAMA,CAAAA,CAAE,IAAA,GAAS,QACnB,EACA,GAAI4B,CAAAA,CACH,OAAO,CAAA,kCAAA,EAAqCA,CAAAA,CAAa,IAAI,CAAA,CAAA,CAE/D,CACD,CAEA,OAAO,IACR,CAGA,GAAI,OAAOlC,GAAU,QAAA,CAAU,CAE9B,GAAIC,CAAAA,CAAK,GAAA,CAAID,CAAe,CAAA,CAAG,OAAO,KAGtC,GAFAC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAEpB,MAAM,OAAA,CAAQA,CAAK,EACtB,IAAA,IAAWmC,CAAAA,IAAWnC,EAAO,CAC5B,IAAMvC,EAAY,MAAM,IAAA,CAAK,KAAK0E,CAAAA,CAASlC,CAAI,CAAA,CAC/C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAEA,IAAA,GAAW,CAAC2E,CAAAA,CAAKhC,CAAK,IAAK,MAAA,CAAO,OAAA,CACjCJ,CACD,CAAA,CAAG,CAEF,GAAI,IAAA,CAAK,gBAAA,CAAiB,IAAIoC,CAAAA,CAAI,WAAA,EAAa,CAAA,CAC9C,OAAO,kBAAkBA,CAAG,CAAA,CAAA,CAI7B,IAAMC,CAAAA,CAAiB,IAAA,CAAK,cAAcD,CAAG,CAAA,CAC7C,GAAIC,CAAAA,CAAgB,OAAOA,EAG3B,IAAM5E,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK2C,EAAOH,CAAI,CAAA,CAC7C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAEF,CAEA,OAAO,IACR,CAMQ,aAAA,CAAc2E,EAA4B,CACjD,IAAME,EAAaF,CAAAA,CAAI,WAAA,GAGvB,GAAIX,CAAAA,CAAW,aAAa,GAAA,CAAIa,CAAU,EAAG,OAAO,IAAA,CAGpD,OAAW,CAACR,CAAAA,CAAOS,CAAO,CAAA,GAAK,IAAA,CAAK,2BACnC,GAAIA,CAAAA,CAAQ,KAAKH,CAAG,CAAA,CACnB,OAAO,CAAA,uBAAA,EAA0BA,CAAG,8BAA8BN,CAAK,CAAA,CAAA,CAAA,CAKzE,QAAWA,CAAAA,IAAS,IAAA,CAAK,oBACxB,GAAIQ,CAAAA,CAAW,SAASR,CAAK,CAAA,CAC5B,OAAO,CAAA,uBAAA,EAA0BM,CAAG,CAAA,4BAAA,EAA+BN,CAAK,CAAA,CAAA,CAAA,CAI1E,OAAO,IACR,CAEQ,WAAA,CAAYxC,EAA6B,CAChD,IAAA,IAAWkD,KAAQ,IAAA,CAAK,QAAA,CACvB,GAAI,OAAOA,CAAAA,EAAS,UACnB,GAAIlD,CAAAA,CAAK,aAAY,CAAE,QAAA,CAASkD,EAAK,WAAA,EAAa,EACjD,OAAOA,CAAAA,CAAAA,KAAAA,GAEEA,aAAgB,MAAA,CAAA,CAE1B,GADIA,EAAK,MAAA,GAAQA,CAAAA,CAAK,UAAY,CAAA,CAAA,CAC9BA,CAAAA,CAAK,KAAKlD,CAAI,CAAA,CACjB,OAAOkD,CAAAA,CAAK,MAAA,CAAA,KAAA,GAEH,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAA,CAAM,CAErD,IAAMC,EAAMD,CAAAA,CAEZ,GAAI,OAAOC,CAAAA,CAAI,OAAA,EAAY,UAC1B,GAAInD,CAAAA,CAAK,aAAY,CAAE,QAAA,CAASmD,EAAI,OAAA,CAAQ,WAAA,EAAa,CAAA,GACpD,CAACA,EAAI,SAAA,EAAaA,CAAAA,CAAI,UAAUA,CAAAA,CAAI,OAAO,GAC9C,OAAOA,CAAAA,CAAI,aAGHA,CAAAA,CAAI,OAAA,YAAmB,OAAQ,CACrCA,CAAAA,CAAI,QAAQ,MAAA,GAAQA,CAAAA,CAAI,QAAQ,SAAA,CAAY,CAAA,CAAA,CAGhD,IAAIrB,CAAAA,CAAQqB,CAAAA,CAAI,QAAQ,IAAA,CAAKnD,CAAI,CAAA,CACjC,KAAO8B,CAAAA,GAAU,IAAA,EAAM,CACtB,IAAMsB,CAAAA,CAActB,EAAM,CAAC,CAAA,CAC3B,GAAI,CAACqB,CAAAA,CAAI,WAAaA,CAAAA,CAAI,SAAA,CAAUC,CAAW,CAAA,CAC9C,OAAOD,EAAI,IAAA,CAEZ,GAAI,CAACA,CAAAA,CAAI,OAAA,CAAQ,OAAQ,MACzBrB,CAAAA,CAAQqB,EAAI,OAAA,CAAQ,IAAA,CAAKnD,CAAI,EAC9B,CACD,CACD,CAED,OAAO,IACR,CACD,EChbA,SAASqD,EAAAA,EAAmC,CAC3C,IAAMC,CAAAA,CAAI,OAAA,CAAQ,IAAI,+BAAA,EAAiC,WAAA,GAAc,IAAA,EAAK,CAC1E,OAAOA,CAAAA,GAAM,GAAA,EAAOA,IAAM,MAAA,EAAUA,CAAAA,GAAM,KAC3C,CAOA,IAAMC,EAAYC,CAAAA,CAAK,OAAA,CAAQC,cAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA,CAyDhDC,CAAAA,CAAN,MAAMC,CAAW,CA+TvB,YACSC,CAAAA,CACAC,CAAAA,CACP,CAFO,IAAA,CAAA,UAAA,CAAAD,CAAAA,CACA,YAAAC,CAAAA,CAER,IAAMvB,EAAa,IAAA,CAAK,MAAA,EAAQ,UAAU,iBAAA,CACvC,IAAIzC,EACJ,IAAA,CAEH,IAAA,CAAK,WAAa,IAAIqC,CAAAA,CACrB,KAAK,MAAA,EAAQ,QAAA,EAAU,WAAA,EAAeD,CAAAA,CAAY,aAAA,CAClD,IAAA,CAAK,QAAQ,QAAA,EAAU,aAAA,EAAiB,CACvC,IAAA,CACA,MAAA,CACA,WACA,WAAA,CACA,UAAA,CACA,UACA,QAAA,CACA,MAAA,CACA,aACA,SAAA,CACA,OAAA,CACA,QACA,KAAA,CACA,eAAA,CACA,gBACA,gBAAA,CACA,UAAA,CACA,QACA,QAAA,CACA,YACD,EACAK,CACD,CAAA,CAGA,IAAMwB,CAAAA,CAAW,IAAA,CAAK,QAAQ,QAAA,EAAU,SAAA,CACxC,KAAK,gBAAA,CACJA,CAAAA,EAAU,UACV,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAA,CAAI,yBAAA,EAA6B,QAAS,EAAE,CAAA,CACrE,IAAA,CAAK,oBAAA,CACJA,CAAAA,EAAU,YAAA,EACV,OAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,mBAAA,EAAuB,IAAA,CAAM,EAAE,CAAA,CAC5D,IAAA,CAAK,uBACJA,CAAAA,EAAU,kBAAA,EACV,OAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,0BAAA,EAA8B,IAAA,CAAM,EAAE,CAAA,CAGnE,IAAMzB,EAAgB,IAAA,CAAK,MAAA,EAAQ,UAAU,aAAA,EAAiB,CAC7D,KACA,MAAA,CACA,UAAA,CACA,YACA,UAAA,CACA,SAAA,CACA,SACA,MAAA,CACA,YAAA,CACA,UACA,OAAA,CACA,OAAA,CACA,MACA,eAAA,CACA,eAAA,CACA,iBACA,UAAA,CACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACA,IAAA,CAAK,cAAgB,IAAIxF,CAAAA,CAAcwF,CAAa,CAAA,CAGpD,IAAM0B,EAAO,MAAA,CAAA,IAAA,CAAY,GAAA,CAAI,SAAS,KAAK,CAAA,CACrCC,EAAYD,CAAAA,CAAO,KAAA,CAAQ,MAE7BE,CAAAA,CAAqB,GACzB,GAAIF,CAAAA,CACH,GAAI,CAEH,IAAMG,EADMC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAA,CACtB,OAAA,CAAQ,kBAAkB,CAAA,CAI7CF,CAAAA,CAAW,CAAC,UAAA,CAHQG,aAAAA,CACnBZ,EAAK,IAAA,CAAKA,CAAAA,CAAK,QAAQU,CAAM,CAAA,CAAG,OAAQ,YAAY,CACrD,CAAA,CAAE,IACiC,EACpC,CAAA,KAAa,CACZD,CAAAA,CAAW,CAAC,WAAY,KAAK,EAC9B,CAGD,IAAMI,CAAAA,CAAS,QAAQ,GAAA,CAAI,QAAA,GAAa,QAAU,OAAA,CAAQ,GAAA,CAAI,OAG1D,IAAA,CAAK,MAAA,EAAQ,cAAgB,CAAC,IAAA,CAAK,WAAW,YAAA,GACjD,IAAA,CAAK,WAAW,YAAA,CAAe,IAAA,CAAK,OAAO,YAAA,CAAA,CAO5C,IAAMC,EAAc,CACnBd,CAAAA,CAAK,QAAQD,CAAAA,CAAW,CAAA,yBAAA,EAA4BS,CAAS,CAAA,CAAE,CAAA,CAC/DR,EAAK,OAAA,CAAQD,CAAAA,CAAW,6BAA6BS,CAAS,CAAA,CAAE,CACjE,CAAA,CAEMO,CAAAA,CACLD,CAAAA,CAAY,KAAMvC,CAAAA,EAAS,CAAA,CAAA,UAAA,CAAWA,CAAC,CAAC,CAAA,EAAKuC,EAAY,CAAC,CAAA,CAE3D,KAAK,UAAA,CAAa,IAAIE,QAAQ,CAC7B,QAAA,CAAUD,EACV,UAAA,CAAY,IAAA,CAAK,QAAQ,UAAA,EAAY,UAAA,GAAeF,EAAS,CAAA,CAAI,CAAA,CAAA,CACjE,WAAY,IAAA,CAAK,MAAA,EAAQ,YAAY,UAAA,GAAeA,CAAAA,CAAS,EAAI,CAAA,CAAA,CACjE,WAAA,CACC,KAAK,MAAA,EAAQ,UAAA,EAAY,cAAgBA,CAAAA,CAAS,GAAA,CAAM,KACzD,QAAA,CAAU,MAAA,CACV,UAAW,IAAII,UAAAA,CACf,QAAA,CAAAR,CAAAA,CAGA,cAAA,CAAgB,CACf,uBACC,IAAA,CAAK,MAAA,EAAQ,YAAY,SAAA,EACzB,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,yBAA2B,IAAA,CAAM,EAAE,CACjE,CACD,CAAC,EAKD,IAAA,CAAK,QAAA,CACJ,8BACA,+BAAA,CACA,qFAAA,CACA,aACA,IAAM,OAAA,CAAQ,QAAQ,IAAA,CAAK,iBAAA,EAAmB,CAC/C,EACD,CAvcQ,UAAA,CACP,IAAI,IACG,eAAA,CAGJ,IAAI,IACS,YAAA,CAAe,IAAA,CAAU,GAAK,GAAA,CAC9B,kBAAA,CAAqB,EACrB,oBAAA,CAAuB,EAAA,CAAK,GAAA,CAGrC,eAAA,CAAyC,IAAI,GAAA,CACpC,qBACA,gBAAA,CAGT,gBAAA,CAA6B,EAAC,CACrB,sBAAA,CAGA,cAET,KAAA,CAUJ,IAAI,IACA,SAAA,CAGJ,IAAI,IACA,OAAA,CAQJ,IAAI,IACA,YAAA,CAA+C,IAAA,CAC/C,eAA4C,EAAC,CAE7C,WACA,UAAA,CACA,QAAA,CAA4B,KAC5B,SAAA,CAAkC,IAAA,CAClC,UAA2B,IAAA,CAC3B,QAAA,CAGJ,IAAI,GAAA,CAGR,OAAwB,mBACvB,2EAAA,CAEO,YAAA,CAAaS,EAAgC,CACpD,IAAMC,EAAUD,CAAAA,CAAQ,KAAA,CAAMf,EAAW,kBAAkB,CAAA,CAC3D,OAAOgB,CAAAA,EAAS,MAAA,EAAQ,MAAQA,CAAAA,CAAQ,MAAA,CAAO,MAAM,IAAA,EAAK,CAAI,IAC/D,CAEQ,gBAAA,CAAiBjE,EAAyB,CACjD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,OAAOA,CAAAA,CACtC,IAAML,EAAUK,CAAAA,CAAM,IAAA,GACtB,GACEL,CAAAA,CAAQ,WAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,GAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,KAAK,KAAA,CAAMA,CAAO,CAC1B,CAAA,KAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEQ,kBAAA,CACPkE,EACAC,CAAAA,CACAC,CAAAA,CACgB,CAEhB,GAAIA,CAAAA,CAAQ,CACX,IAAMH,CAAAA,CAAUE,EAAM,OAAA,CAAQ,MAAA,CAAQ,GAAG,CAAA,CAEzC,GAAIC,EAAO,uBAAA,EACoB,CAG7B,+EACA,gHACD,CAAA,CAC0B,KAAM/C,CAAAA,EAAMA,CAAAA,CAAE,KAAK4C,CAAO,CAAC,EACpD,OAAO,yEAAA,CAIT,GAAIG,CAAAA,CAAO,qBAAA,EAAuB,KAAM/C,CAAAA,EAAMA,CAAAA,CAAE,KAAK4C,CAAO,CAAC,CAAA,CAC5D,OAAO,yDAET,CAGA,IAAMI,CAAAA,CAAiB,IAAA,CAAK,cAAc,OAAA,CAAQF,CAAK,EACvD,OAAIE,CAAAA,CACI,8BAA8BA,CAAAA,CAAe,MAAM,GAGpD,IACR,CAEQ,qBACPC,CAAAA,CACAC,CAAAA,CACAH,EACgB,CAChB,GAAI,CAACA,CAAAA,CAAQ,OAAO,KACpB,IAAMrC,CAAAA,CAAS,KAAK,gBAAA,CAAiBwC,CAAM,EAE3C,GAAIH,CAAAA,CAAO,aAAc,CAkBxB,IAAMI,GAbmB,IAAM,CAC9B,GAAI,EAAEJ,CAAAA,CAAO,wBAAwBK,GAAAA,CAAE,SAAA,CAAA,CACtC,OAAOL,CAAAA,CAAO,YAAA,CAEf,IAAMrF,EAAMqF,CAAAA,CAAO,YAAA,CAEnB,OAAMrF,CAAAA,CAAI,IAAA,CAAK,oBAAoB0F,GAAAA,CAAE,QAAA,CAI9B1F,EAAI,MAAA,EAAO,CAHVA,CAIT,CAAA,GAAG,CAEkC,UAAUgD,CAAM,CAAA,CACrD,GAAI,CAACyC,CAAAA,CAAa,QAGjB,OAAO,CAAA,mCAAA,EAAsCF,CAAQ,CAAA,EAAA,EAAKE,CAAAA,CAAa,MAAM,MAAA,CAC3E,GAAA,CAAKE,GAAM,CAAA,EAAGA,CAAAA,CAAE,KAAK,IAAA,CAAK,GAAG,GAAK,QAAQ,CAAA,CAAA,EAAIA,EAAE,OAAO,CAAA,CAAE,EACzD,IAAA,CACA,IACD,CAAC,CAAA,gIAAA,CAEJ,CAEA,OACCN,EAAO,uBAAA,EACP,IAAA,CAAK,+BACJ,IAAA,CAAK,8BAAA,CAA+BrC,CAAM,CAAA,CAC1CqC,CAAAA,CAAO,wBACP,IAAA,CAAK,cAAA,CAAe,MACrB,CAAA,CAGC,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,QACzB,OAAA,CAAQ,GAAA,CAAI,mBAAqB,GAAA,CAG/B,gPAAA,CACA,iFAGG,IACR,CAOQ,+BAA+BpE,CAAAA,CAAyB,CAC/D,GAAI,OAAOA,CAAAA,EAAU,SAAU,CAC9B,IAAML,EAAUK,CAAAA,CAAM,IAAA,GACtB,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,IAAA,CAAK,+BAA+B,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAC,CAC/D,MAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEA,GAAI,CAACA,CAAAA,EAAS,OAAOA,GAAU,QAAA,CAC9B,OAAOA,EAGR,IAAM2E,CAAAA,CAAM3E,EACZ,GAAI,CAAC,MAAM,OAAA,CAAQ2E,CAAAA,CAAI,OAAO,CAAA,EAAKA,CAAAA,CAAI,OAAA,CAAQ,SAAW,CAAA,CACzD,OAAO3E,EAGR,IAAM4E,CAAAA,CAAkB,EAAC,CACzB,IAAA,IAAWC,KAAQF,CAAAA,CAAI,OAAA,CACtB,GAAIE,CAAAA,EAAQ,OAAOA,GAAS,QAAA,EAAY,MAAA,GAAUA,EAAM,CACvD,IAAMC,EAAKD,CAAAA,CAA4B,IAAA,CACnC,OAAOC,CAAAA,EAAM,QAAA,EAChBF,EAAM,IAAA,CAAKE,CAAC,EAEd,CAED,GAAIF,EAAM,MAAA,GAAW,CAAA,CACpB,OAAO5E,CAAAA,CAGR,IAAM+E,EAASH,CAAAA,CAAM,MAAA,GAAW,EAAIA,CAAAA,CAAM,CAAC,CAAA,CAAIA,CAAAA,CAAM,IAAA,CAAK;AAAA,CAAI,CAAA,CAC9D,OAAO,IAAA,CAAK,8BAAA,CAA+BG,CAAM,CAClD,CAEQ,8BAAA,CACP/E,CAAAA,CACAgF,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMC,CAAAA,CACL,OAAOF,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,aAAA,EAAkB,QAAA,CAChCA,CAAAA,CAAU,aAAA,CACV,EAAA,CACEG,CAAAA,CACL,OAAOH,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,oBAAA,EAAyB,SAAA,CACvCA,CAAAA,CAAU,oBAAA,CACV,IAAA,CAEJ,GAAI,OAAOhF,CAAAA,EAAU,QAAA,CAAU,CAC9B,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,8BAAA,CACX,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAA,CAClBqF,CAAAA,CACAC,CACD,CACD,CAAA,KAAQ,CACP,OAAO,MACR,CAED,OAAO,MACR,CAEA,GAAI,KAAA,CAAM,OAAA,CAAQjF,CAAK,CAAA,CACtB,OACCA,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOoF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAG3DpF,CAAAA,CAAM,MAAA,CAASkF,CAAAA,CACX,IAAA,CAEDlF,CAAAA,CAAM,IAAA,CAAMoF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAIAjF,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOoF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAE1D,CAAAD,CAAAA,CAICnF,EAAM,IAAA,CAAMoF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAGD,GAAIjF,CAAAA,EAAS,OAAOA,CAAAA,EAAU,QAAA,CAAU,CACvC,IAAMqF,CAAAA,CAAO,MAAA,CAAO,IAAA,CAAKrF,CAAgC,CAAA,CAkBzD,OAdIiF,CAAAA,GAAiB,MAAA,EAAaA,CAAAA,CAAe,CAAA,EAAKA,CAAAA,CAAe,EAAA,GAChEI,CAAAA,CAAK,MAAA,CAAS,CAAA,EAEH,MAAA,CAAO,OAAOrF,CAAgC,CAAA,CAErD,IAAA,CACL4C,CAAAA,EAAM,KAAA,CAAM,OAAA,CAAQA,CAAC,CAAA,EAAM,OAAOA,CAAAA,EAAM,QAAA,EAAYA,CAAAA,GAAM,IAC5D,CAAA,CAAA,EAOEyC,CAAAA,CAAK,MAAA,CAASH,CAAAA,CACV,IAAA,CAGD,MAAA,CAAO,MAAA,CAAOlF,CAAgC,CAAA,CAAE,IAAA,CAAMI,CAAAA,EAC5D,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAO4E,CAAAA,CAAWC,CAAY,CACnE,CACD,CAEA,OAAO,MACR,CAiJQ,iBAAA,EAA4B,CACnC,IAAMK,CAAAA,CAAQ,CACb,gCAAA,CACA,kCAAA,CACA,EAAA,CACA,SAAA,CACA,EAAA,CACA,mBAAA,CACA,2BAAA,CACA,qBAAA,CACA,QAAA,CACA,EAAA,CACA,sBAAA,CACA,sDAAA,CACA,uCAAA,CACA,iDAAA,CACA,uDAAA,CACA,EAAA,CACA,uBAAA,CACA,sDAAA,CACA,gEAAA,CACA,kDACD,CAAA,CAEA,OAAI,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,eAAe,MAAA,EACzCA,CAAAA,CAAM,IAAA,CACL,CAAA,qBAAA,EAAwB,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,IAAI,CAAC,CAAA,CACtE,CAAA,CAGDA,CAAAA,CAAM,IAAA,CACL,EAAA,CACA,8BACA,4EAAA,CACA,4EAAA,CACA,kEAAA,CACA,mEAAA,CACA,EAAA,CACA,cAAA,CACA,iEAAA,CACA,gDAAA,CACA,EAAA,CACA,0BAAA,CACA,iEAAA,CACA,sEAAA,CACA,EAAA,CACA,sBAAA,CACA,8DACD,CAAA,CAEOA,EAAM,IAAA,CAAK;AAAA,CAAI,CACvB,CAWQ,yBAAA,CACPC,EACAC,CAAAA,CAAQ,CAAA,CACC,CAET,GAAIA,CAAAA,CAAQ,CAAA,CAAG,OAAO,QAEtB,IAAMC,CAAAA,CAAaF,EAAO,IAAA,CACpBG,CAAAA,CAAaH,EAAO,UAAA,CAGpBI,CAAAA,CAAQJ,CAAAA,CAAO,KAAA,CAGrB,OAAIG,CAAAA,CAgBI,CAAA,CAAA,EAfQ,OAAO,OAAA,CAAQA,CAAU,EAAE,GAAA,CAAI,CAAC,CAACtD,CAAAA,CAAKrE,CAAI,IAAM,CAC9D,IAAM6H,EAAW7H,CAAAA,CAAK,IAAA,CACtB,GAAI6H,CAAAA,GAAa,OAAA,EAAW7H,CAAAA,CAAK,KAAA,CAAO,CACvC,IAAM8H,CAAAA,CAAS,KAAK,yBAAA,CACnB9H,CAAAA,CAAK,MACLyH,CAAAA,CAAQ,CACT,EACA,OAAO,CAAA,EAAGpD,CAAG,CAAA,UAAA,EAAayD,CAAM,GACjC,CACA,GAAID,IAAa,QAAA,EAAY7H,CAAAA,CAAK,UAAA,CAAY,CAC7C,IAAM8H,CAAAA,CAAS,IAAA,CAAK,0BAA0B9H,CAAAA,CAAMyH,CAAAA,CAAQ,CAAC,CAAA,CAC7D,OAAO,GAAGpD,CAAG,CAAA,CAAA,EAAIyD,CAAM,CAAA,CAAA,CACxB,CACA,OAAO,CAAA,EAAGzD,CAAG,IAAIwD,CAAAA,EAAY,SAAS,CAAA,CAAA,CACvC,CAAC,EACiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,CAIzBH,CAAAA,GAAe,SAAWE,CAAAA,CAEtB,CAAA,SAAA,EADc,KAAK,yBAAA,CAA0BA,CAAAA,CAAOH,EAAQ,CAAC,CACrC,GAI5BC,CAAAA,EACG,MAAA,CAAO,KAAKF,CAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CACrC,CAKA,MAAa,QACZO,CAAAA,CAOI,GACY,CAChB,OAAO,KAAK,aAAA,CAAcA,CAAO,CAClC,CAKO,IAAA,CACNhH,EACAiH,CAAAA,CACAC,CAAAA,CACAC,EACA7B,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,MAAM,GAAA,CAAItF,CAAI,EACtB,MAAM,IAAI,MAAM,CAAA,yBAAA,EAA4BA,CAAI,EAAE,CAAA,CAGnD,IAAMyG,EAASd,GAAAA,CAAE,MAAA,CAAOuB,CAAK,CAAA,CACvBE,CAAAA,CAAkBC,gBAAgBZ,CAAM,CAAA,CAE1Ca,CAAAA,CAAmBL,CAAAA,CACnBM,EAAeJ,CAAAA,CAGnB,GAAID,EAAM,OAAA,EAAWA,CAAAA,CAAM,mBAAmBvB,GAAAA,CAAE,SAAA,CAAW,CAC1D,IAAM6B,CAAAA,CAAc,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,EAAC,CAe7D,GAVAF,CAAAA,EACC;;AAAA,sMAAA,CAAA,CAKGE,CAAAA,CAAY,MAAA,CAAS,CAAA,GACxBF,CAAAA,EAAoB;AAAA,mBAAA,EAAwBE,CAAAA,CAAY,IAAA,CAAK,IAAI,CAAC,KAG/D,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,EAAe,IAAA,CAAK,yBAAA,CAA0B,IAAA,CAAK,YAAY,EACrEH,CAAAA,EAAoB;AAAA,gBAAA,EAAqBG,CAAY,+CACtD,CAEAF,CAAAA,CAAe,MACdG,CAAAA,CACAC,CAAAA,GACI,CACJ,IAAMC,CAAAA,CAAW,oBACXC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfC,CAAAA,CAAQ,KAAK,eAAA,CAAgB,GAAA,CAAIF,CAAQ,CAAA,EAAK,CACnD,QAAA,CAAU,EACV,WAAA,CAAa,CACd,EAEA,GACCE,CAAAA,CAAM,UAAY,IAAA,CAAK,kBAAA,EACvBD,CAAAA,CAAMC,CAAAA,CAAM,WAAA,CAAc,IAAA,CAAK,qBAE/B,OAAO,CACN,QAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CAAM,mEACP,CACD,CAAA,CACA,OAAA,CAAS,IACV,CAAA,CAGD,IAAMC,EAAgBL,CAAAA,CACpB,OAAA,CACIM,EACJN,CAAAA,CAAiC,uBAAA,GAA4B,IAAA,CAEzDO,CAAAA,CAAcC,CAAAA,CAClB,UAAA,CAAW,QAAQ,CAAA,CACnB,MAAA,CAAOH,CAAY,CAAA,CACnB,MAAA,CAAO,KAAK,CAAA,CACR1C,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAa0C,CAAY,CAAA,CACtCI,EAAS,IAAA,CAAK,UAAA,CAAW,IAAIF,CAAW,CAAA,CAE9C,GACC,CAACD,CAAAA,EACDG,CAAAA,EACAN,CAAAA,CAAMM,CAAAA,CAAO,SAAA,CAAY,KAAK,YAAA,EAG1B9C,CAAAA,CAAO,CACTqC,CAAAA,CAAiC,OAAA,CAAUrC,EAG5C,IAAM+C,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5BpI,CAAAA,CACAqF,CAAAA,CACAC,CACD,CAAA,CACA,OAAI8C,EACI,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,OAAQ,IAAA,CAAMA,CAAgB,CAAC,CAAA,CACjD,OAAA,CAAS,IACV,CAAA,CAEM,MAAM,KAAK,mBAAA,CAAoBV,CAAAA,CAAMrC,CAAAA,CAAOrF,CAAI,CACxD,CAGD,GAAI,CAACqF,CAAAA,CACJ,OAAIxB,EAAAA,EAAwB,CACpB,MAAMsD,CAAAA,CAAQO,CAAAA,CAAiCC,CAAM,CAAA,EAE7DG,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,EAAUE,CAAK,CAAA,CACjC,CACN,OAAA,CAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CAAM,gKACP,CACD,CAAA,CACA,QAAS,IACV,CAAA,CAAA,CAGD,GAAI,CAGH,IAAMzC,CAAAA,CAAQ,KAAK,YAAA,CACjBqC,CAAAA,CAAiC,OACnC,CAAA,CAECA,CAAAA,CAAiC,QAAUrC,CAAAA,CAG5C,IAAM+C,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAAmBpI,CAAAA,CAAMqF,EAAOC,CAAM,CAAA,CACnE,GAAI8C,CAAAA,CACH,OAAAN,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,WAAA,CAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,IAAID,CAAAA,CAAUE,CAAK,EACjC,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAMM,CAAgB,CAAC,EACjD,OAAA,CAAS,CAAA,CACV,EAGD,IAAM7G,CAAAA,CAAS,MAAM,IAAA,CAAK,mBAAA,CAAoBmG,EAAMrC,CAAAA,CAAOrF,CAAI,EAE/D,OAAKuB,CAAAA,CAAO,SAUXuG,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,GAXxC,IAAA,CAAK,gBAAgB,GAAA,CAAIF,CAAAA,CAAU,CAClC,QAAA,CAAU,CAAA,CACV,WAAA,CAAaC,CACd,CAAC,CAAA,CACD,KAAK,UAAA,CAAW,GAAA,CAAII,EAAa,CAChC,IAAA,CAAMA,EACN,SAAA,CAAWJ,CACZ,CAAC,CAAA,CAAA,CAOKtG,CACR,CAAA,MAASrE,EAAgB,CACxB,IAAMsE,EAAItE,CAAAA,CACV,OAAA4K,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,WAAA,CAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,IAAID,CAAAA,CAAUE,CAAK,EACjC,CACN,OAAA,CAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,2BAAA,EAA8BtG,CAAAA,CAAE,OAAO,CAAA,CAAG,CACjE,EACA,OAAA,CAAS,IACV,CACD,CACD,EACD,CAEA,IAAM6G,CAAAA,CAAc,CACnB,KAAM,QAAA,CACN,UAAA,CAAajB,EAA4C,UAAA,EAAc,GACvE,QAAA,CAAWA,CAAAA,CAA4C,QACxD,CAAA,CAEA,IAAA,CAAK,KAAA,CAAM,IAAIpH,CAAAA,CAAM,CACpB,KAAM,CAAE,IAAA,CAAAA,EAAM,WAAA,CAAasH,CAAAA,CAAkB,YAAAe,CAAY,CAAA,CACzD,QAASd,CAAAA,CACT,MAAA,CAAAd,EACA,MAAA,CAAAnB,CACD,CAAC,CAAA,CAGG,IAAA,CAAK,QAAA,EACR,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBtF,CAAI,CAAA,CAAE,KAAA,CAAOsI,GAAQ,CACrDlL,GAAAA,CAAI,KACH,CAAA,yCAAA,EAA4C4C,CAAI,CAAA,EAAA,EAAKsI,CAAAA,CAAI,OAAO,CAAA,CACjE,EACD,CAAC,EAEH,CAKO,MAAA,CACNtI,CAAAA,CACAiH,EACAS,CAAAA,CACAP,CAAAA,CAGO,CACP,GAAI,IAAA,CAAK,OAAA,CAAQ,IAAInH,CAAI,CAAA,CACxB,MAAM,IAAI,KAAA,CAAM,8BAA8BA,CAAI,CAAA,CAAE,CAAA,CAErD,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAIA,EAAM,CACtB,MAAA,CAAQ,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAAiH,CAAAA,CAAa,SAAA,CAAWS,CAAK,CAAA,CAC7C,OAAA,CAAAP,CACD,CAAC,EACF,CAKO,wBAA+B,CACrC,IAAA,CAAK,OACJ,oBAAA,CACA,yKAAA,CACA,EAAC,CACAoB,CAAAA,GACO,CACN,YAAa,iCAAA,CACb,QAAA,CAAU,CACT,CACC,IAAA,CAAM,OACN,OAAA,CAAS,CACR,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,CAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4IAAA,EAcL,KAAK,YAAA,CACF;;AAAA;AAAA,EAA0C,IAAA,CAAK,UAAU,IAAA,CAAK,YAAA,CAAc,KAAM,CAAC,CAAC,GACpF,EACJ;;AAAA,yDAAA,CAGD,CACD,CACD,CACD,CAAA,CAEF,EACD,CAKO,QAAA,CACNvI,EACAwI,CAAAA,CACAvB,CAAAA,CACAwB,EACAC,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,SAAA,CAAU,IAAIF,CAAG,CAAA,CACzB,MAAM,IAAI,KAAA,CAAM,oCAAoCA,CAAG,CAAA,CAAE,EAE1D,IAAA,CAAK,SAAA,CAAU,IAAIA,CAAAA,CAAK,CAAE,KAAAxI,CAAAA,CAAM,GAAA,CAAAwI,EAAK,WAAA,CAAAvB,CAAAA,CAAa,SAAAwB,CAAAA,CAAU,OAAA,CAAAC,CAAQ,CAAC,EACtE,CAKO,cAAA,CACNjC,CAAAA,CACAzG,EAAe,gCAAA,CACfwI,CAAAA,CAAc,uBACdvB,CAAAA,CAAsB,sEAAA,CACf,CACP,IAAA,CAAK,YAAA,CAAeR,EAIpB,IAAMgB,CAAAA,CAAe,KAAK,yBAAA,CAA0BhB,CAAM,EAC1D,IAAA,GAAW,CAACjB,EAAUmD,CAAK,CAAA,GAAK,KAAK,KAAA,CAAM,OAAA,GAEzCA,CAAAA,CAAM,MAAA,CAAO,MAAM,OAAA,EACnBA,CAAAA,CAAM,OAAO,KAAA,CAAM,OAAA,YAAmBhD,IAAE,SAAA,EACxCgD,CAAAA,CAAM,KAAK,WAAA,EACX,CAACA,EAAM,IAAA,CAAK,WAAA,CAAY,SAAS,iBAAiB,CAAA,GAElDA,CAAAA,CAAM,IAAA,CAAK,WAAA,EAAe;AAAA,gBAAA,EAAqBlB,CAAY,CAAA,wBAAA,EAA2Be,CAAG,CAAA,CAAA,CACzF,IAAA,CAAK,MAAM,GAAA,CAAIhD,CAAAA,CAAUmD,CAAK,CAAA,CAAA,CAIhC,KAAK,QAAA,CACJ3I,CAAAA,CACAwI,CAAAA,CACAvB,CAAAA,CACA,mBACA,IAAA,CAAK,SAAA,CAAUR,CAAAA,CAAQ,IAAA,CAAM,CAAC,CAC/B,EACD,CAKO,aAAA,EAAsB,CAC5B,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACtBrJ,IAAI,IAAA,CAAK,iDAAiD,EAC3D,CAQQ,sBAAA,CAAuBoI,EAAyC,CACvE,IAAMqC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfe,CAAAA,CAAW,IAAA,CAAK,gBAAA,CAChBC,EAAe,IAAA,CAAK,oBAAA,CAIpBC,CAAAA,CAAAA,CAFS,IAAA,CAAK,gBAAgB,GAAA,CAAItD,CAAQ,CAAA,EAAK,IAE/B,MAAA,CAAQQ,CAAAA,EAAM6B,CAAAA,CAAM7B,CAAAA,CAAI4C,CAAQ,CAAA,CAEtD,GAAIE,CAAAA,CAAO,MAAA,EAAUD,EAAc,CAClC,IAAME,CAAAA,CAAgB,IAAA,CAAK,MAAMD,CAAAA,CAAO,CAAC,EAAIF,CAAAA,CAAWf,CAAAA,EAAO,GAAI,CAAA,CACnE,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,wCAAwCrC,CAAQ,CAAA,MAAA,EACzCqD,CAAY,CAAA,KAAA,EAAQD,EAAW,GAAI,CAAA,sBAAA,EAC3BG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,OAAA,CAAS,IACV,CACD,CAEA,OAAAD,CAAAA,CAAO,IAAA,CAAKjB,CAAG,EACf,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAIrC,CAAAA,CAAUsD,CAAM,CAAA,CAClC,IACR,CAOQ,oBAAA,EAA8C,CACrD,IAAMjB,CAAAA,CAAM,IAAA,CAAK,GAAA,EAAI,CACfe,EAAW,IAAA,CAAK,gBAAA,CAChBI,CAAAA,CAAY,IAAA,CAAK,uBAMvB,GAJA,IAAA,CAAK,gBAAA,CAAmB,IAAA,CAAK,iBAAiB,MAAA,CAC5ChD,CAAAA,EAAM6B,EAAM7B,CAAAA,CAAI4C,CAClB,EAEI,IAAA,CAAK,gBAAA,CAAiB,MAAA,EAAUI,CAAAA,CAAW,CAC9C,IAAMD,CAAAA,CAAgB,IAAA,CAAK,IAAA,CAAA,CACzB,KAAK,gBAAA,CAAiB,CAAC,CAAA,CAAIH,CAAAA,CAAWf,GAAO,GAC/C,CAAA,CACA,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,sDACOmB,CAAS,CAAA,iBAAA,EAAoBJ,CAAAA,CAAW,GAAI,yBACpCG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,QAAS,IACV,CACD,CAEA,OAAA,IAAA,CAAK,iBAAiB,IAAA,CAAKlB,CAAG,CAAA,CACvB,IACR,CAKA,MAAa,QAAA,CAASoB,CAAAA,CAAmD,CACxE,IAAMN,CAAAA,CAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAIM,EAAQ,IAAI,CAAA,CACzC,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAIlD,IAAMC,CAAAA,CAAoB,KAAK,oBAAA,EAAqB,CACpD,GAAIA,CAAAA,CAAmB,OAAOA,CAAAA,CAC9B,IAAMC,CAAAA,CAAkB,IAAA,CAAK,uBAAuBF,CAAAA,CAAQ,IAAI,CAAA,CAChE,GAAIE,EAAiB,OAAOA,CAAAA,CAE5B,GAAI,CAEH,IAAMC,CAAAA,CAAaT,CAAAA,CAAM,MAAA,CAAO,KAAA,CAAMM,EAAQ,SAAA,EAAa,EAAE,CAAA,CAW7D,GAPEA,EAAQ,SAAA,EACN,uBAAA,GAA4B,CAAA,CAAA,GAE9BG,CAAAA,CAAuC,wBAA0B,CAAA,CAAA,CAAA,CAKlEA,CAAAA,EACA,OAAQA,CAAAA,CAAuC,SAAY,QAAA,CAC1D,CACD,IAAMlE,CAAAA,CAAWkE,EACf,OAAA,CACI/D,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAaH,CAAO,CAAA,CACvC,GAAIG,CAAAA,CAAO,CACV,IAAM+C,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5Ba,CAAAA,CAAQ,KACR5D,CAAAA,CACAsD,CAAAA,CAAM,MACP,CAAA,CACA,OAAIP,CAAAA,CACI,CACN,QAAS,CAAC,CAAE,KAAM,MAAA,CAAQ,IAAA,CAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,CAAA,CACV,CAAA,EAEAgB,CAAAA,CAAuC,QAAU/D,CAAAA,CAC3C,MAAM,IAAA,CAAK,mBAAA,CACjB+D,EACA/D,CAAAA,CACA4D,CAAAA,CAAQ,IACT,CAAA,CACD,CACD,CAGA,OADe,MAAMN,CAAAA,CAAM,OAAA,CAAQS,EAAY,EAAE,CAElD,CAAA,MAASlM,EAAgB,CACxB,IAAMsE,CAAAA,CAAItE,CAAAA,CACV,OAAIsE,CAAAA,YAAamE,GAAAA,CAAE,SACX,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,qBAAqBnE,CAAAA,CAAE,OAAO,CAAA,CAAG,CAAC,EAClE,OAAA,CAAS,IACV,CAAA,CAEM,CACN,QAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAM,CAAA,0BAAA,EAA6BA,CAAAA,CAAE,OAAO,CAAA,CAAG,CAChE,CAAA,CACA,OAAA,CAAS,IACV,CACD,CACD,CAKO,SAAA,EAAoB,CAC1B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,MAAM,MAAA,EAAQ,EAAE,GAAA,CAAKwE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CACzD,CAKO,WAAA,EAAwB,CAC9B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKzD,CAAAA,EAAMA,CAAAA,CAAE,MAAM,CAC7D,CAKA,MAAa,SAAA,CAAU0G,EAAqD,CAC3E,IAAMN,CAAAA,CAAQ,IAAA,CAAK,QAAQ,GAAA,CAAIM,CAAAA,CAAQ,IAAI,CAAA,CAC3C,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,qBAAqBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAEpD,OAAO,MAAMN,CAAAA,CAAM,OAAA,CAAQM,CAAO,CACnC,CAKO,aAAA,EAA4B,CAClC,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAC1C,CAKA,MAAa,YAAA,CAAaT,EAEvB,CACF,IAAMa,CAAAA,CAAW,IAAA,CAAK,UAAU,GAAA,CAAIb,CAAG,CAAA,CACvC,GAAI,CAACa,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuBb,CAAG,CAAA,CAAE,CAAA,CAG7C,IAAIhI,CAAAA,CAAO,0BACX,OAAI,OAAO6I,CAAAA,CAAS,OAAA,EAAY,WAC/B7I,CAAAA,CAAO,MAAM6I,CAAAA,CAAS,OAAA,GACZ,OAAOA,CAAAA,CAAS,SAAY,QAAA,CACtC7I,CAAAA,CAAO6I,EAAS,OAAA,CACNA,CAAAA,CAAS,WAAA,GACnB7I,CAAAA,CAAO6I,EAAS,WAAA,CAAA,CAGV,CACN,QAAA,CAAU,CACT,CACC,GAAA,CAAKA,CAAAA,CAAS,GAAA,CACd,QAAA,CAAUA,EAAS,QAAA,EAAY,YAAA,CAC/B,KAAA7I,CACD,CACD,CACD,CACD,CAEO,aAAA,EAA4B,CAClC,OAAO,IAAA,CAAK,UACb,CAEO,WAAA,EAA+B,CACrC,OAAO,IAAA,CAAK,QACb,CAKO,eAAe8I,CAAAA,CAAoC,CACzD,IAAA,CAAK,cAAA,CAAiBA,EACvB,CAEO,YAAA,EAA8B,CACpC,OAAO,KAAK,SACb,CAMA,MAAa,aAAA,CACZtC,EAOI,EAAC,CACW,CAChB,IAAMuC,EAAU,OAAA,CAAQ,GAAA,CAAI,eACzB,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAA,CAAI,cAAA,CAAgB,EAAE,CAAA,CAC9C,OACG3M,CAAAA,CAAOoK,CAAAA,CAAQ,IAAA,EAAQuC,CAAAA,EAAW,MAGxC,IAAA,CAAK,QAAA,CAAW,IAAIC,GAAAA,CAASxC,EAAQ,UAAU,CAAA,CAC/C,MAAM,IAAA,CAAK,QAAA,CAAS,OAAM,CAI1B,IAAMyC,CAAAA,CAAc,IAAA,CAAK,SACzB,IAAA,CAAK,QAAA,CAAS,uBAAA,CAAwB,IAAoB,CACzD,IAAMC,CAAAA,CAAQ,IAAA,CAAK,SAAA,GAAY,GAAA,CAAK1D,CAAAA,GAAO,CAC1C,IAAA,CAAMA,CAAAA,CAAE,KACR,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,WAAA,CAAaA,EAAE,WAChB,CAAA,CAAE,CAAA,CAEI2D,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKC,CAAAA,GAAO,CACjE,KAAMA,CAAAA,CAAE,IAAA,CACR,GAAA,CAAKA,CAAAA,CAAE,IACP,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,QAAA,CAAUA,EAAE,QAAA,CACZ,IAAA,CAAM,OAAOA,CAAAA,CAAE,SAAY,QAAA,CAAWA,CAAAA,CAAE,QAAUA,CAAAA,CAAE,WACrD,EAAE,CAAA,CAEF,OAAO,CACN,MAAA,CAAQH,EAAY,SAAA,EAAU,CAC9B,QAAA,CAAU7M,CAAAA,CACV,MAAA8M,CAAAA,CACA,SAAA,CAAAC,CAAAA,CACA,UAAA,CAAY,KAAK,UAClB,CACD,CAAC,CAAA,CAGD,IAAA,IAAWE,KAAQ,IAAA,CAAK,SAAA,EAAU,CACjC,MAAM,KAAK,QAAA,CAAS,kBAAA,CAAmBA,CAAAA,CAAK,IAAI,EAAE,KAAA,CAAMzM,GAAAA,CAAI,IAAI,CAAA,CAIjE,MAAM,IAAA,CAAK,QAAA,CAAS,kBAAiB,CAAE,KAAA,CAAMA,IAAI,IAAI,CAAA,CAGrD,IAAA,CAAK,SAAA,CAAY,IAAIX,CAAAA,CAErB,IAAA,CAAK,SAAA,CAAU,UAAA,CAAW,CACzB,eAAA,CAAiB,CAAC+C,CAAAA,CAAMtB,CAAAA,GAAa,CACpC,IAAM+K,CAAAA,CAAUzJ,CAAAA,CAAK,OAAA,CACrBpC,IAAI,IAAA,CACH,CAAA,8CAAA,EAAiD6L,CAAAA,CAAQ,eAAe,EACzE,CAAA,CAGA,OAAO,qBAAwB,CAAA,CAAE,KAAK,MAAO,CAAE,eAAA,CAAAa,CAAgB,IAAM,CACpE,GAAM,CAAE,SAAA,CAAAC,CAAAA,CAAW,UAAAC,CAAU,CAAA,CAC5B,MAAMF,CAAAA,CAAgB,iBAAgB,CAEjCG,CAAAA,CAAe/B,CAAAA,CAAO,UAAA,GAC5B,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI+B,CAAAA,CAAc,CAC/B,eAAA,CAAiBhB,CAAAA,CAAQ,eAAA,CACzB,QAAA,CAAUe,CACX,CAAC,CAAA,CAED9L,CAAAA,CAAS,IAAA,CAAM,CACd,QAAA,CAAU,IAAA,CACV,aAAA,CAAe+L,CAAAA,CACf,cAAe,EAAA,CACf,gBAAA,CAAkBF,CACnB,CAAC,EACF,CAAC,EACF,EACA,YAAA,CAAc,MACbvK,GACI,CACJ,IAAMyJ,CAAAA,CAAUzJ,CAAAA,CAAK,QACrBpC,GAAAA,CAAI,IAAA,CACH,CAAA,kDAAA,EAAqD6L,CAAAA,CAAQ,aAAa,CAAA,CAC3E,CAAA,CAEA,IAAMiB,CAAAA,CAAU,KAAK,QAAA,CAAS,GAAA,CAAIjB,CAAAA,CAAQ,aAAa,EACvD,GAAI,CAACiB,CAAAA,CAAS,CACb1K,EAAK,IAAA,CAAK,OAAA,CAAS,CAClB,IAAA,CAAW2K,SAAO,eAAA,CAClB,OAAA,CAAS,uBACV,CAAC,EACD,MACD,CAEA,GAAI,CAEH,IAAMC,EAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAYnB,CAAAA,CAAQ,cAAA,CACpB,YAAA,CAAc,MAAM,IAAA,CAAKiB,CAAAA,CAAQ,QAAQ,CAAA,CACzC,WAAYjB,CAAAA,CAAQ,WAAA,CACpB,OAAQA,CAAAA,CAAQ,MAAA,CAChB,SAAUA,CAAAA,CAAQ,SAAA,CAClB,OAAA,CAAS,IAAA,CAAK,eACd,YAAA,CAAcA,CAAAA,CAAQ,aAAA,CACtB,WAAA,CAAa,EACd,CAAC,CAAA,CAEGoB,CAAAA,CACJ,GAAI,CACHA,CAAAA,CACC,OAAOD,EAAe,MAAA,EAAW,QAAA,CAC9BA,EAAe,MAAA,CACf,IAAA,CAAK,SAAA,CAAUA,CAAAA,CAAe,MAAM,CAAA,CAGxC,IAAME,CAAAA,CAAU,IAAA,CAAK,MAAMD,CAAW,CAAA,CACtC,GAAIC,CAAAA,CAAQ,kBAAmB,CAC9BlN,GAAAA,CAAI,IAAA,CACH,CAAA,mCAAA,EAAsCkN,EAAQ,iBAAiB,CAAA,CAChE,CAAA,CACA,IAAMC,EAAa,MAAM,IAAA,CAAK,QAAA,CAAS,CACtC,KAAMD,CAAAA,CAAQ,iBAAA,CACd,SAAA,CAAWA,CAAAA,CAAQ,mBAAqB,EACzC,CAAC,CAAA,CACDD,CAAAA,CAAc,KAAK,SAAA,CAAUE,CAAU,EACxC,CACD,MAAQ,CACPF,CAAAA,CAAc,MAAA,CAAOD,CAAAA,CAAe,MAAM,EAC3C,CAEA,IAAMI,CAAAA,CAA0B,CAC/B,iBAAA,CAAmBH,CAAAA,CACnB,mBAAA,CAAqBI,MAAAA,CAAO,KAC3BL,CAAAA,CAAe,QAAA,EAAY,EAAA,CAC3B,KACD,EACA,UAAA,CAAYA,CAAAA,CAAe,UAAA,CACxBK,MAAAA,CAAO,KAAKL,CAAAA,CAAe,UAAA,CAAY,QAAQ,CAAA,CAC/CK,OAAO,IAAA,CAAK,EAAE,EACjB,QAAA,CAAU,CAAA,CACX,EAGM9L,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAC5C,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAM0L,CAAY,CACnC,CAAC,CAAA,CACKK,EAAuB,IAAA,CAAK,8BAAA,CACjC,IAAA,CAAK,8BAAA,CAA+BL,CAAW,CAChD,CAAA,CACA,GAAI1L,CAAAA,EAAa+L,EAAsB,CAEtC,IAAMC,CAAAA,CACLhM,CAAAA,EAAa,qCACdvB,GAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDuN,CAAc,EACnE,CAAA,CACAH,CAAAA,CAAS,kBACR,6EAAA,CACDA,CAAAA,CAAS,SAAW,CAAA,EACrB,CAEAhL,CAAAA,CAAK,KAAA,CAAMgL,EAAU,IAAM,CAC1BhL,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,MAAStC,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJ0N,CAAAA,CACL,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,CAEpBC,CAAAA,CAASrJ,CAAAA,CAAE,OAAA,EAAW,OAAOtE,CAAK,CAAA,CACxCE,GAAAA,CAAI,KAAA,CAAM,+BAA+ByN,CAAM,CAAA,CAAE,EAOjD,IAAMC,CAAAA,CAA+B,CACpC,iBAAA,CANoBF,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,GAC1B,wGAAA,CAKF,mBAAA,CAAqBJ,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CACnC,UAAA,CAAYA,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CAC1B,QAAA,CAAU,IACX,CAAA,CAEA,GAAI,CACHjL,CAAAA,CAAK,KAAA,CAAMsL,CAAAA,CAAe,IAAM,CAC/BtL,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,KAAoB,CACnBA,CAAAA,CAAK,MACN,CACD,CACD,CACD,CAAC,EAED,IAAA,CAAK,SAAA,CAAY,MAAM,IAAA,CAAK,UAAU,MAAA,CAAO5C,CAAI,CAAA,CACjDQ,GAAAA,CAAI,KACH,CAAA,wDAAA,EAA2D,IAAA,CAAK,QAAA,CAAS,SAAA,EAAW,CAAA,CACrF,EACD,CAKA,MAAc,oBACb2N,CAAAA,CACAC,CAAAA,CACAxF,CAAAA,CAC0B,CAC1B,GAAI,CAEH,IAAM4E,CAAAA,CAAiB,MAAM,KAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAY,IAAI,UAAA,CAAW,CAAC,EAC5B,YAAA,CAAc,KAAA,CAAM,KAAK,IAAI,UAAA,CAAW,CAAC,CAAC,EAC1C,cAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,EAChC,UAAA,CAAYK,MAAAA,CAAO,IAAA,CAAKO,CAAU,EAClC,MAAA,CAAQ,EAAC,CACT,OAAA,CAAS,KAAK,cAAA,CACd,YAAA,CAAc,iBAAA,CACd,WAAA,CAAa,EACd,CAAC,CAAA,CAUKtC,CAAAA,CAAU,CACf,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAViB,IAAA,CAAK,UAAU,CACjC,kBAAA,CAAoB0B,EAAe,MAAA,CACnC,QAAA,CAAUA,EAAe,QAAA,CACzB,UAAA,CAAYA,CAAAA,CAAe,UAAA,CAC3B,OAAQ,+BACT,CAAC,CAMA,CACD,EAEMa,CAAAA,CAAazF,CAAAA,CAChB,IAAA,CAAK,KAAA,CAAM,IAAIA,CAAQ,CAAA,EAAG,OAC1B,KAAA,CAAA,CACG0F,CAAAA,CAAkB,KAAK,oBAAA,CAC5B1F,CAAAA,EAAY,cAAA,CACZ4E,CAAAA,CAAe,OACfa,CACD,CAAA,CACA,GAAIC,CAAAA,CAEH,OAAA9N,GAAAA,CAAI,IAAA,CACH,CAAA,qCAAA,EAAwCoI,CAAAA,EAAY,cAAc,CAAA,EAAA,EAAK0F,CAAe,EACvF,CAAA,CAWO,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,KAZF,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,OAAA,CAAQ,IAAI,gBAAA,GAAqB,GAAA,CAG/BA,CAAAA,CACA,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAA,CAID,IAAMvM,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK+J,CAAO,CAAA,CAC9CgC,CAAAA,CAAuB,IAAA,CAAK,+BACjCN,CAAAA,CAAe,MAChB,EACA,GAAIzL,CAAAA,EAAa+L,EAAsB,CAGtC,IAAMC,CAAAA,CACLhM,CAAAA,EACA,iGACD,OAAAvB,GAAAA,CAAI,IAAA,CACH,CAAA,qDAAA,EAAwDuN,CAAc,CAAA,CACvE,CAAA,CAWO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAZF,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,GAAqB,IAG/B,CAAA,kCAAA,EAAqCA,CAAc,CAAA,CAAA,CACnD,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,EACV,CACD,CAEA,OAAO,CAAE,OAAA,CAAAjC,CAAQ,CAClB,OAASxL,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJ0N,CAAAA,CACL,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,eACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,QAAQ,GAAA,CAAI,gBAAA,GAAqB,GAAA,CAE5BC,CAAAA,CAASrJ,EAAE,OAAA,EAAW,MAAA,CAAOtE,CAAK,CAAA,CACxC,OAAAE,GAAAA,CAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CyN,CAAM,EAAE,CAAA,CAMrD,CACN,QAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CARkBD,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,CAAA,CAAA,CAC1B,wGAOD,CACD,CAAA,CACA,QAAS,IACV,CACD,CACD,CAMA,MAAa,KAAA,EAAuB,CAC/B,KAAK,UAAA,EACR,MAAM,KAAK,UAAA,CAAW,KAAA,CAAM,CAAE,KAAA,CAAO,IAAK,CAAC,CAAA,CAExC,IAAA,CAAK,SAAA,EACR,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAK,CAEvB,KAAK,QAAA,EACR,MAAM,KAAK,QAAA,CAAS,IAAA,GAEtB,CACD","file":"chunk-X6FJATUE.js","sourcesContent":["import * as grpc from \"@grpc/grpc-js\";\nimport { log } from \"../utils/logger.js\";\nimport { liopV1 } from \"./proto.js\";\nimport { createServerCredentials, type LiopTlsOptions } from \"./tls.js\";\nimport type {\n\tIntentRequest,\n\tIntentResponse,\n\tLogicRequest,\n\tLogicResponse,\n} from \"./types.js\";\n\n/**\n * LIOP gRPC Service Implementation\n * Handles intent negotiation and secure logic execution.\n */\n\n/** Production-grade gRPC channel options per official grpc-node recommendations */\nconst GRPC_CHANNEL_OPTIONS = {\n\t\"grpc.keepalive_time_ms\": 30_000,\n\t\"grpc.keepalive_timeout_ms\": 10_000,\n\t\"grpc.keepalive_permit_without_calls\": 1,\n\t\"grpc.max_send_message_length\": -1,\n\t\"grpc.max_receive_message_length\": -1,\n\t\"grpc.enable_retries\": 1,\n};\n\nexport class LiopRpcServer {\n\tprivate server: grpc.Server;\n\n\tconstructor() {\n\t\tthis.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);\n\t}\n\n\tpublic addService(handlers: {\n\t\tnegotiateIntent: (\n\t\t\tcall: grpc.ServerUnaryCall<IntentRequest, IntentResponse>,\n\t\t\tcallback: grpc.sendUnaryData<IntentResponse>,\n\t\t) => void;\n\t\texecuteLogic: (\n\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t) => void;\n\t}): void {\n\t\tthis.server.addService(liopV1.LogicMesh.service, {\n\t\t\tNegotiateIntent: handlers.negotiateIntent,\n\t\t\tExecuteLogic: handlers.executeLogic,\n\t\t});\n\t}\n\n\tpublic async listen(\n\t\tport: number = 50051,\n\t\ttls?: LiopTlsOptions,\n\t): Promise<number> {\n\t\tconst credentials = createServerCredentials(tls);\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.server.bindAsync(\n\t\t\t\t`0.0.0.0:${port}`,\n\t\t\t\tcredentials,\n\t\t\t\t(error, assignedPort) => {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\treject(error);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tlog.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);\n\t\t\t\t\tresolve(assignedPort);\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\tpublic async stop(): Promise<void> {\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.server.tryShutdown(() => {\n\t\t\t\tlog.info(\"[LIOP-RPC] Server shut down\");\n\t\t\t\tresolve();\n\t\t\t});\n\t\t});\n\t}\n}\n","/**\n * LIOP Taint Analyzer — Static Information Flow Control (IFC)\n *\n * Performs AST-level taint tracking on injected Logic-on-Origin code\n * to detect side-channel data exfiltration via scalar derivation\n * (charCodeAt, boolean inference, arithmetic on PII fields).\n *\n * Architecture: 3-pass analysis using Acorn ESTree parser.\n * Pass 1 — Identify record-bound variables (callback params of env.records methods)\n * Pass 2 — Propagate taint through assignments and expressions\n * Pass 3 — Check return statements for tainted values flowing to output\n *\n * References:\n * - Acorn ESTree spec: https://github.com/estree/estree\n * - Acorn-Walk SimpleVisitors: https://github.com/acornjs/acorn/tree/master/acorn-walk\n * - OWASP Information Flow Control patterns\n */\n\nimport * as acorn from \"acorn\";\nimport { type SimpleVisitors, simple } from \"acorn-walk\";\n\n// ── Public API ───────────────────────────────────────────────────────\n\nexport interface TaintViolation {\n\t/** Human-readable reason for the block */\n\treason: string;\n\t/** Source line number (1-indexed) if available */\n\tline?: number;\n\t/** The specific operation that triggered the violation */\n\toperation?: string;\n}\n\n/**\n * Static taint analyzer for LIOP Logic-on-Origin payloads.\n *\n * Detects when PII field values are derived into scalar outputs\n * (charCodeAt, boolean inference, arithmetic) that would bypass\n * the Egress Shield's pattern-based detection.\n */\nexport class TaintAnalyzer {\n\tprivate readonly piiFields: Set<string>;\n\n\t/** String methods that extract character-level information from PII */\n\tprivate static readonly TAINT_PROPAGATING_METHODS = new Set([\n\t\t// Character extraction\n\t\t\"charCodeAt\",\n\t\t\"codePointAt\",\n\t\t\"charAt\",\n\t\t\"at\",\n\t\t// Search/position (reveals content structure)\n\t\t\"indexOf\",\n\t\t\"lastIndexOf\",\n\t\t\"search\",\n\t\t// Comparison (reveals ordering/content)\n\t\t\"localeCompare\",\n\t\t\"startsWith\",\n\t\t\"endsWith\",\n\t\t\"includes\",\n\t\t// Transformation (preserves PII content in different form)\n\t\t\"substring\",\n\t\t\"slice\",\n\t\t\"substr\",\n\t\t\"split\",\n\t\t\"match\",\n\t\t\"matchAll\",\n\t\t\"replace\",\n\t\t\"replaceAll\",\n\t\t\"normalize\",\n\t\t\"toLowerCase\",\n\t\t\"toUpperCase\",\n\t\t\"trim\",\n\t\t\"trimStart\",\n\t\t\"trimEnd\",\n\t\t\"padStart\",\n\t\t\"padEnd\",\n\t\t\"repeat\",\n\t]);\n\n\t/** Array iteration methods whose callbacks receive individual records */\n\tprivate static readonly ARRAY_CALLBACK_METHODS = new Set([\n\t\t\"map\",\n\t\t\"forEach\",\n\t\t\"filter\",\n\t\t\"find\",\n\t\t\"some\",\n\t\t\"every\",\n\t\t\"flatMap\",\n\t\t\"findIndex\",\n\t]);\n\n\t/** Reduce-family methods where the record param is the SECOND callback arg */\n\tprivate static readonly REDUCE_METHODS = new Set([\"reduce\", \"reduceRight\"]);\n\n\tconstructor(piiFields: string[]) {\n\t\tthis.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));\n\t}\n\n\t/**\n\t * Analyzes injected source code for PII taint violations.\n\t *\n\t * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope\n\t * @returns A TaintViolation if PII-derived values flow to output, null if clean\n\t */\n\tanalyze(sourceCode: string): TaintViolation | null {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\t// Wrap in function body to handle bare `return` statements\n\t\t\tconst wrapped = `function liop_analysis_wrapper(env) {\\n${sourceCode}\\n}`;\n\t\t\tast = acorn.parse(wrapped, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t\tlocations: true,\n\t\t\t});\n\t\t} catch {\n\t\t\t// Syntax errors are handled downstream by the sandbox VM\n\t\t\treturn null;\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tconst taintedVars = new Set<string>();\n\n\t\t// Pass 1: Identify variables bound to individual records\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\t// Pass 2: Propagate taint through variable assignments\n\t\tthis.propagateTaint(ast, recordBoundVars, taintedVars);\n\n\t\t// Pass 3: Check if any return statement contains tainted values\n\t\treturn this.checkReturnStatements(ast, recordBoundVars, taintedVars);\n\t}\n\n\t// ── Pass 1: Record-Bound Variable Identification ──────────────────\n\n\tprivate identifyRecordBoundVars(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t): void {\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst member = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(member);\n\t\t\t\tif (!methodName) return;\n\n\t\t\t\t// Check if this is env.records.METHOD(callback)\n\t\t\t\tif (!this.isEnvRecordsAccess(member.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (!callback) return;\n\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 0\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst param = fn.params[0];\n\t\t\t\t\t\tif (param.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(param.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.REDUCE_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 1\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst recordParam = fn.params[1];\n\t\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(recordParam.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// for (const r of env.records) → r is record-bound\n\t\t\tForOfStatement: (node) => {\n\t\t\t\tif (!this.isEnvRecordsAccess(node.right)) return;\n\n\t\t\t\tif (node.left.type === \"VariableDeclaration\") {\n\t\t\t\t\tfor (const declarator of node.left.declarations) {\n\t\t\t\t\t\tif (declarator.id.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(declarator.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\t// Also handle: const r = env.records[N]\n\t\tconst indexVisitors: SimpleVisitors<void> = {\n\t\t\tVariableDeclarator: (node) => {\n\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\tif (\n\t\t\t\t\tnode.init.type === \"MemberExpression\" &&\n\t\t\t\t\t(node.init as acorn.MemberExpression).computed\n\t\t\t\t) {\n\t\t\t\t\tconst member = node.init as acorn.MemberExpression;\n\t\t\t\t\tif (this.isEnvRecordsAccess(member.object)) {\n\t\t\t\t\t\trecordBoundVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, indexVisitors);\n\t}\n\n\t// ── Pass 2: Taint Propagation ─────────────────────────────────────\n\n\tprivate propagateTaint(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): void {\n\t\t// Multiple iterations to handle transitive taint chains\n\t\t// (e.g., const a = r.name; const b = a; const c = b.charCodeAt(0))\n\t\tfor (let iteration = 0; iteration < 3; iteration++) {\n\t\t\tconst sizeBefore = taintedVars.size;\n\n\t\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\t\tVariableDeclarator: (node) => {\n\t\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.init, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tAssignmentExpression: (node) => {\n\t\t\t\t\tif (node.left.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.right, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((node.left as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\t// Imperative taint: array.push(taintedValue) contaminates the array\n\t\t\t\t// Covers for-of and forEach patterns that push PII-derived values\n\t\t\t\tCallExpression: (node) => {\n\t\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tmethodName === \"push\" &&\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\tnode.arguments.some((arg) =>\n\t\t\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\n\t\t\tsimple(ast, visitors);\n\n\t\t\t// Fixed point: stop if no new tainted vars discovered\n\t\t\tif (taintedVars.size === sizeBefore) break;\n\t\t}\n\t}\n\n\t// ── Pass 3: Return Statement Sink Detection ───────────────────────\n\n\tprivate checkReturnStatements(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (violation) return; // Already found one\n\n\t\t\t\tif (!node.argument) return;\n\n\t\t\t\tif (\n\t\t\t\t\tthis.isExpressionTainted(node.argument, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst line = node.loc?.start.line\n\t\t\t\t\t\t? node.loc.start.line - 1 // Adjust for wrapper function offset\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tconst operation = this.describeTaintSource(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t\tviolation = {\n\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t`PII side-channel detected: output contains values derived from restricted fields. ` +\n\t\t\t\t\t\t\t`${operation ? `Operation: ${operation}. ` : \"\"}` +\n\t\t\t\t\t\t\t`Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,\n\t\t\t\t\t\tline,\n\t\t\t\t\t\toperation,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\treturn violation;\n\t}\n\n\t// ── Core Taint Evaluation ─────────────────────────────────────────\n\n\t/**\n\t * Recursively determines if an AST expression produces a tainted value.\n\t * A value is tainted if it derives from a PII field on a record-bound variable.\n\t */\n\tprivate isExpressionTainted(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tswitch (node.type) {\n\t\t\tcase \"Identifier\":\n\t\t\t\treturn taintedVars.has((node as acorn.Identifier).name);\n\n\t\t\tcase \"MemberExpression\":\n\t\t\t\treturn this.isMemberExprTainted(\n\t\t\t\t\tnode as acorn.MemberExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"CallExpression\":\n\t\t\t\treturn this.isCallExprTainted(\n\t\t\t\t\tnode as acorn.CallExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"BinaryExpression\":\n\t\t\tcase \"LogicalExpression\": {\n\t\t\t\tconst bin = node as acorn.BinaryExpression;\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(bin.left, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(bin.right, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"UnaryExpression\": {\n\t\t\t\tconst unary = node as acorn.UnaryExpression;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tunary.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ConditionalExpression\": {\n\t\t\t\tconst cond = node as acorn.ConditionalExpression;\n\t\t\t\t// If the test involves tainted values, the branch choice leaks info\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(cond.test, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tcond.consequent,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t) ||\n\t\t\t\t\tthis.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ObjectExpression\": {\n\t\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\t\treturn obj.properties.some(\n\t\t\t\t\t(prop) =>\n\t\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ArrayExpression\": {\n\t\t\t\tconst arr = node as acorn.ArrayExpression;\n\t\t\t\treturn arr.elements.some(\n\t\t\t\t\t(el) =>\n\t\t\t\t\t\tel !== null &&\n\t\t\t\t\t\tthis.isExpressionTainted(el, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"TemplateLiteral\": {\n\t\t\t\tconst tmpl = node as acorn.TemplateLiteral;\n\t\t\t\treturn tmpl.expressions.some((expr) =>\n\t\t\t\t\tthis.isExpressionTainted(expr, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"SpreadElement\": {\n\t\t\t\tconst spread = node as acorn.SpreadElement;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tspread.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\t// Literals, ThisExpression, etc. are never tainted\n\t\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Checks if a MemberExpression accesses a PII field on a record-bound variable.\n\t * Examples: r.accountHolder, r[\"name\"], taintedVar.length, taintedVar[0]\n\t */\n\tprivate isMemberExprTainted(\n\t\tmember: acorn.MemberExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tconst propName = this.getPropertyName(member);\n\n\t\t// Case 1: recordBoundVar.piiField (direct PII access via callback param)\n\t\tif (\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name) &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 2: env.records[N].piiField (direct indexed access without callback)\n\t\t// AST: MemberExpression { object: MemberExpression { object: env.records, computed: true }, property: piiField }\n\t\tif (\n\t\t\tmember.object.type === \"MemberExpression\" &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\tconst parentMember = member.object as acorn.MemberExpression;\n\t\t\tif (\n\t\t\t\tparentMember.computed &&\n\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Case 3: taintedVar.anything (any property access on tainted value)\n\t\t// .length on a tainted string leaks PII info, .charCodeAt leaks chars, etc.\n\t\tif (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 4: Computed access on record-bound var with PII field\n\t\t// e.g., r[\"account\" + \"Holder\"]\n\t\tif (\n\t\t\tmember.computed &&\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name)\n\t\t) {\n\t\t\t// Conservative: if computed access on record, check if the property\n\t\t\t// expression evaluates to a PII field (for string literals only)\n\t\t\tif (member.property.type === \"Literal\") {\n\t\t\t\tconst litVal = (member.property as acorn.Literal).value;\n\t\t\t\tif (\n\t\t\t\t\ttypeof litVal === \"string\" &&\n\t\t\t\t\tthis.piiFields.has(litVal.toLowerCase())\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if a CallExpression produces a tainted result.\n\t * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.\n\t */\n\tprivate isCallExprTainted(\n\t\tcall: acorn.CallExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Pattern: taintedObj.method() — method on tainted object propagates taint\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t// tainted.charCodeAt() / tainted.split() / etc.\n\t\t\tif (\n\t\t\t\tmethodName &&\n\t\t\t\tTaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) &&\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// env.records.map/filter/reduce(callback) — check if callback produces taint\n\t\t\tif (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {\n\t\t\t\tconst callback = call.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\t\tcallback as acorn.ArrowFunctionExpression,\n\t\t\t\t\t\tmethodName,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Tainted array/string method chains: tainted.reduce(...), tainted.map(...)\n\t\t\t// Handles patterns like r.accountHolder.split('').reduce((a,c) => ...)\n\t\t\tif (\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// Math.round(taintedArg) / JSON.stringify(taintedArg) — function calls with tainted arguments\n\t\t\t// on safe objects still produce tainted results\n\t\t\tif (\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Pattern: someArray.push(taintedValue) — marks the receiving array as tainted\n\t\t// This covers imperative for-of patterns:\n\t\t// for (const r of env.records) { codes.push(r.name.charCodeAt(0)) }\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\tif (\n\t\t\t\tmethodName === \"push\" &&\n\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\t// Mark the array variable as tainted (it now contains PII-derived values)\n\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t}\n\t\t}\n\n\t\t// Check if any argument is tainted (for functions that might propagate)\n\t\t// Conservative: if calling a function WITH tainted args, consider result tainted\n\t\t// This catches: someHelper(r.name), parseInt(taintedVar), etc.\n\t\tif (call.callee.type === \"Identifier\") {\n\t\t\tconst fnName = (call.callee as acorn.Identifier).name;\n\t\t\t// Allow safe math/utility functions that don't propagate PII\n\t\t\tconst SAFE_GLOBALS = new Set([\n\t\t\t\t\"Math\",\n\t\t\t\t\"Number\",\n\t\t\t\t\"parseInt\",\n\t\t\t\t\"parseFloat\",\n\t\t\t\t\"isNaN\",\n\t\t\t\t\"isFinite\",\n\t\t\t]);\n\t\t\tif (!SAFE_GLOBALS.has(fnName)) {\n\t\t\t\treturn call.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if an array method callback produces tainted output.\n\t * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result\n\t */\n\tprivate doesCallbackProduceTaint(\n\t\tcallback: acorn.ArrowFunctionExpression | acorn.FunctionExpression,\n\t\tmethodName: string | null,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Create a temporary scope with callback params as record-bound\n\t\tconst scopedRecordVars = new Set(recordBoundVars);\n\t\tconst scopedTaintedVars = new Set(taintedVars);\n\n\t\tif (callback.params.length > 0) {\n\t\t\tconst isReduce =\n\t\t\t\tmethodName !== null && TaintAnalyzer.REDUCE_METHODS.has(methodName);\n\t\t\tconst recordParamIndex = isReduce ? 1 : 0;\n\n\t\t\tif (\n\t\t\t\tcallback.params.length > recordParamIndex &&\n\t\t\t\tcallback.params[recordParamIndex].type === \"Identifier\"\n\t\t\t) {\n\t\t\t\tscopedRecordVars.add(\n\t\t\t\t\t(callback.params[recordParamIndex] as acorn.Identifier).name,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// For arrow functions with expression body: (r) => r.name.charCodeAt(0)\n\t\tif (\n\t\t\tcallback.type === \"ArrowFunctionExpression\" &&\n\t\t\tcallback.body.type !== \"BlockStatement\"\n\t\t) {\n\t\t\treturn this.isExpressionTainted(\n\t\t\t\tcallback.body,\n\t\t\t\tscopedRecordVars,\n\t\t\t\tscopedTaintedVars,\n\t\t\t);\n\t\t}\n\n\t\t// For block bodies, check return statements within the callback\n\t\tlet hasTaintedReturn = false;\n\t\tconst returnVisitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturn = true;\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(callback.body as acorn.Node, returnVisitors);\n\n\t\treturn hasTaintedReturn;\n\t}\n\n\t// ── Utility Methods ───────────────────────────────────────────────\n\n\t/** Extracts the property name from a MemberExpression (dot or bracket with string literal) */\n\tprivate getPropertyName(member: acorn.MemberExpression): string | null {\n\t\tif (!member.computed && member.property.type === \"Identifier\") {\n\t\t\treturn (member.property as acorn.Identifier).name;\n\t\t}\n\t\tif (member.computed && member.property.type === \"Literal\") {\n\t\t\tconst val = (member.property as acorn.Literal).value;\n\t\t\tif (typeof val === \"string\") return val;\n\t\t}\n\t\treturn null;\n\t}\n\n\t/** Checks if an expression resolves to `env.records` or `records` */\n\tprivate isEnvRecordsAccess(node: acorn.Node): boolean {\n\t\t// Direct: env.records\n\t\tif (node.type === \"MemberExpression\") {\n\t\t\tconst member = node as acorn.MemberExpression;\n\t\t\tconst propName = this.getPropertyName(member);\n\t\t\tif (\n\t\t\t\tpropName === \"records\" &&\n\t\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\t\t(member.object as acorn.Identifier).name === \"env\"\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// Bare: records (injected as sandbox global)\n\t\tif (\n\t\t\tnode.type === \"Identifier\" &&\n\t\t\t(node as acorn.Identifier).name === \"records\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/** Generates a human-readable description of the taint source for error messages */\n\tprivate describeTaintSource(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): string | undefined {\n\t\tif (node.type === \"Identifier\") {\n\t\t\tconst name = (node as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(name)) return `variable '${name}' is PII-derived`;\n\t\t}\n\n\t\tif (node.type === \"ObjectExpression\") {\n\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\tfor (const prop of obj.properties) {\n\t\t\t\tif (\n\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst keyName =\n\t\t\t\t\t\tprop.key.type === \"Identifier\"\n\t\t\t\t\t\t\t? (prop.key as acorn.Identifier).name\n\t\t\t\t\t\t\t: \"unknown\";\n\t\t\t\t\treturn `property '${keyName}' contains PII-derived value`;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst methodName = this.getPropertyName(\n\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t);\n\t\t\t\tif (methodName) return `result of .${methodName}() on PII data`;\n\t\t\t}\n\t\t}\n\n\t\treturn undefined;\n\t}\n}\n","/**\n * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)\n *\n * Lightweight NER scanner using `compromise` NLP for detecting\n * person names, places, and organizations in free-text output values.\n *\n * This layer operates AFTER the regex-based PII scanner and\n * catches entities that lack a deterministic format pattern\n * (e.g., \"Evelyn Reed\" cannot be detected by regex).\n *\n * Architecture: opt-in per-server via `enableNerScanning: true`.\n * Performance: ~10ms for typical SDK output sizes (< 10KB).\n *\n * @see https://github.com/spencermountain/compromise\n */\n// Types for compromise (minimal)\ntype NlpDoc = {\n\tpeople: () => { out: (type: string) => string[] };\n\tplaces: () => { out: (type: string) => string[] };\n\torganizations: () => { out: (type: string) => string[] };\n};\ntype NlpStatic = ((text: string) => NlpDoc) & {\n\taddWords: (words: Record<string, string>) => void;\n};\n\n/**\n * Medical/pharmaceutical vocabulary safelist.\n * These terms are tagged as #Medication to prevent the NER\n * from misclassifying them as person/organization names.\n * Extends progressively — add terms as false positives arise.\n */\nconst MEDICAL_VOCABULARY: Record<string, string> = {\n\taspirin: \"Medication\",\n\tlisinopril: \"Medication\",\n\tmetformin: \"Medication\",\n\tamlodipine: \"Medication\",\n\tatorvastatin: \"Medication\",\n\tomeprazole: \"Medication\",\n\tlosartan: \"Medication\",\n\tsimvastatin: \"Medication\",\n\tlevothyroxine: \"Medication\",\n\tibuprofen: \"Medication\",\n\tacetaminophen: \"Medication\",\n\tamoxicillin: \"Medication\",\n\tciprofloxacin: \"Medication\",\n\tprednisone: \"Medication\",\n\twarfarin: \"Medication\",\n\tinsulin: \"Medication\",\n\thydrochlorothiazide: \"Medication\",\n\tgabapentin: \"Medication\",\n\talbuterol: \"Medication\",\n\tpantoprazole: \"Medication\",\n\t// Generic clinical terms\n\thypertension: \"Condition\",\n\tdiabetes: \"Condition\",\n\tbronchitis: \"Condition\",\n\tpneumonia: \"Condition\",\n\tasthma: \"Condition\",\n};\n\n/** Single named entity detected by the NER scanner. */\nexport interface NerEntity {\n\ttype: \"person\" | \"place\" | \"organization\";\n\ttext: string;\n}\n\n/** Result of an NER scan operation. */\nexport interface NerScanResult {\n\tdetected: boolean;\n\tentities: NerEntity[];\n}\n\n// Minimum string length to attempt NER analysis.\n// Shorter strings are unlikely to contain meaningful named entities.\nconst MIN_TEXT_LENGTH = 4;\n\n// Pattern to identify strings that are purely numeric/symbolic (skip NER)\nconst NON_TEXT_PATTERN = /^[\\d\\s.,:;!?()[\\]{}<>@#$%^&*+=|\\\\/\"'`~_-]+$/;\n\n/**\n * Scans text content for named entities that may represent PII.\n * Uses `compromise/three` for person, place, and organization detection.\n *\n * Designed for egress filtering — optimized for recall over precision\n * to ensure sensitive data does not leak through aliased output keys.\n */\nexport class NerScanner {\n\tprivate static nlp: NlpStatic | null = null;\n\n\t/**\n\t * Lazy loads the compromise library only when needed.\n\t */\n\tprivate async getNlp(): Promise<NlpStatic> {\n\t\tif (!NerScanner.nlp) {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: dynamic import of optional dependency\n\t\t\tconst mod = (await import(\"compromise/three\")) as any;\n\t\t\t// compromise export can vary depending on bundling\n\t\t\tNerScanner.nlp = (mod.default || mod) as NlpStatic;\n\t\t\tNerScanner.nlp.addWords(MEDICAL_VOCABULARY);\n\t\t}\n\t\treturn NerScanner.nlp;\n\t}\n\n\t/**\n\t * Scans a single string value for named entities.\n\t * Returns detected entities if the text contains recognizable PII.\n\t */\n\tasync scan(text: string): Promise<NerScanResult> {\n\t\tif (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tconst nlp = await this.getNlp();\n\t\tconst doc = nlp(text);\n\t\tconst entities: NerEntity[] = [];\n\n\t\tconst people = doc.people().out(\"array\");\n\t\tfor (const person of people) {\n\t\t\tconst trimmed = person.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"person\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst places = doc.places().out(\"array\");\n\t\tfor (const place of places) {\n\t\t\tconst trimmed = place.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"place\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst orgs = doc.organizations().out(\"array\");\n\t\tfor (const org of orgs) {\n\t\t\tconst trimmed = org.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"organization\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tdetected: entities.length > 0,\n\t\t\tentities,\n\t\t};\n\t}\n\n\t/**\n\t * Recursively scans all string values within an object/array.\n\t * Stops at the first detection for performance (fail-fast).\n\t */\n\tasync scanDeep(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<NerScanResult> {\n\t\tif (input === null || input === undefined) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tif (typeof input === \"string\") {\n\t\t\treturn this.scan(input);\n\t\t}\n\n\t\tif (typeof input === \"object\") {\n\t\t\tif (seen.has(input as object)) {\n\t\t\t\treturn { detected: false, entities: [] };\n\t\t\t}\n\t\t\tseen.add(input as object);\n\n\t\t\tconst values = Array.isArray(input)\n\t\t\t\t? input\n\t\t\t\t: Object.values(input as Record<string, unknown>);\n\n\t\t\tconst allEntities: NerEntity[] = [];\n\n\t\t\tfor (const value of values) {\n\t\t\t\tconst result = await this.scanDeep(value, seen);\n\t\t\t\tif (result.detected) {\n\t\t\t\t\tallEntities.push(...result.entities);\n\t\t\t\t\t// Fail-fast: return immediately on first person detection\n\t\t\t\t\tif (result.entities.some((e) => e.type === \"person\")) {\n\t\t\t\t\t\treturn { detected: true, entities: allEntities };\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tdetected: allEntities.length > 0,\n\t\t\t\tentities: allEntities,\n\t\t\t};\n\t\t}\n\n\t\treturn { detected: false, entities: [] };\n\t}\n}\n","/**\n * LIOP Professional PII Engine (The Shield V2 - Tier-1 Military Edition)\n * Implements high-fidelity detection based on NIST and OWASP standards.\n * Features Multi-Layer Verification (Regex + Algorithmic Validators).\n */\n\n/**\n * Validates a credit card number using the Luhn algorithm.\n * Prevents false positives from random 16-digit IDs.\n */\nfunction isLuhnValid(cardNumber: string): boolean {\n\tconst digits = cardNumber.replace(/\\D/g, \"\");\n\tif (digits.length < 13 || digits.length > 19) return false;\n\n\tlet sum = 0;\n\tlet isEven = false;\n\n\tfor (let i = digits.length - 1; i >= 0; i--) {\n\t\tlet digit = parseInt(digits.charAt(i), 10);\n\n\t\tif (isEven) {\n\t\t\tdigit *= 2;\n\t\t\tif (digit > 9) {\n\t\t\t\tdigit -= 9;\n\t\t\t}\n\t\t}\n\n\t\tsum += digit;\n\t\tisEven = !isEven;\n\t}\n\n\treturn sum % 10 === 0;\n}\n\n/**\n * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.\n * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.\n */\nfunction isIbanValid(iban: string): boolean {\n\tconst sanitized = iban.replace(/\\s+/g, \"\").toUpperCase();\n\n\tif (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;\n\n\tconst rearranged = sanitized.substring(4) + sanitized.substring(0, 4);\n\n\tlet numericString = \"\";\n\tfor (let i = 0; i < rearranged.length; i++) {\n\t\tconst charCode = rearranged.charCodeAt(i);\n\t\tif (charCode >= 65 && charCode <= 90) {\n\t\t\tnumericString += (charCode - 55).toString();\n\t\t} else if (charCode >= 48 && charCode <= 57) {\n\t\t\tnumericString += rearranged.charAt(i);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\ttry {\n\t\treturn BigInt(numericString) % 97n === 1n;\n\t} catch (_e) {\n\t\treturn false;\n\t}\n}\n\nexport type PiiRuleDefinition = {\n\tname: string;\n\tpattern: string | RegExp;\n\tvalidator?: (match: string) => boolean;\n};\n\nexport type PiiRule = string | RegExp | PiiRuleDefinition;\n\nexport const PII_PATTERNS = {\n\tEMAIL: {\n\t\tname: \"EMAIL\",\n\t\tpattern: /\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b/gi,\n\t\tvalidator: (match: string) =>\n\t\t\t!match.endsWith(\"@example.com\") && !match.endsWith(\"@test.com\"),\n\t} as PiiRuleDefinition,\n\tCREDIT_CARD: {\n\t\tname: \"CREDIT_CARD\",\n\t\tpattern: /\\b(?:\\d[ -]*?){13,16}\\b/g,\n\t\tvalidator: isLuhnValid,\n\t} as PiiRuleDefinition,\n\tIP_ADDRESS: {\n\t\tname: \"IP_ADDRESS\",\n\t\tpattern: /\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst safeIps = [\"127.0.0.1\", \"0.0.0.0\", \"255.255.255.255\"];\n\t\t\tif (safeIps.includes(match)) return false;\n\t\t\t// Validate valid IPv4 ranges\n\t\t\tconst parts = match.split(\".\").map(Number);\n\t\t\treturn parts.every((p) => p >= 0 && p <= 255);\n\t\t},\n\t} as PiiRuleDefinition,\n\tPHONE: {\n\t\tname: \"PHONE\",\n\t\t// Strict boundary to avoid matching long numeric IDs wrapped in symbols\n\t\tpattern: /(?:(?:\\+?\\d{1,3}[-. ]?)?\\(?\\d{3}\\)?[-. ]?\\d{3}[-. ]?\\d{4})\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length < 7 || digits.length > 15) return false;\n\t\t\t// Reject fake test numbers like 0000000000 or 1234567890\n\t\t\tif (/^(\\d)\\1+$/.test(digits)) return false;\n\t\t\tif (digits === \"1234567890\") return false;\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tSSN: {\n\t\tname: \"SSN\",\n\t\tpattern: /\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length !== 9) return false;\n\n\t\t\tconst area = parseInt(digits.substring(0, 3), 10);\n\t\t\tif (area === 0 || area === 666 || area >= 900) return false;\n\n\t\t\tconst group = parseInt(digits.substring(3, 5), 10);\n\t\t\tif (group === 0) return false;\n\n\t\t\tconst serial = parseInt(digits.substring(5, 9), 10);\n\t\t\tif (serial === 0) return false;\n\n\t\t\tif (/^(\\d)\\1+$/.test(digits) || digits === \"123456789\") return false;\n\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tIBAN: {\n\t\tname: \"IBAN\",\n\t\tpattern: /\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\\b/gi,\n\t\tvalidator: isIbanValid,\n\t} as PiiRuleDefinition,\n\tPASSPORT_MRZ: {\n\t\tname: \"PASSPORT_MRZ\",\n\t\t// Machina Readable Zone line match for standard international passports\n\t\tpattern: /\\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\\b|\\s|$)/g,\n\t} as PiiRuleDefinition,\n};\n\n/**\n * Regional and Cultural Security Presets for Out-Of-The-Box compliance.\n * Developers can override, merge, or omit these based on local laws.\n */\nexport const PII_PRESETS = {\n\tGLOBAL_STRICT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t\tPII_PATTERNS.IBAN,\n\t],\n\tUS_COMPLIANT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.SSN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n\tEU_GDPR: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.IBAN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n};\n\nexport class PiiScanner {\n\tprivate patterns: PiiRule[];\n\tprivate forbiddenKeysSet: Set<string>;\n\tprivate nerScanner: import(\"./ner-scanner.js\").NerScanner | null;\n\n\t/**\n\t * Safelist of keys that contain forbidden substrings but are NOT PII.\n\t * Prevents false positives from fuzzy matching (e.g., \"grid\" contains \"id\").\n\t */\n\tprivate static readonly KEY_SAFELIST = new Set([\n\t\t// Common words containing \"id\" substring\n\t\t\"grid\",\n\t\t\"video\",\n\t\t\"android\",\n\t\t\"identity\",\n\t\t\"provide\",\n\t\t\"override\",\n\t\t\"validate\",\n\t\t\"hidden\",\n\t\t\"widget\",\n\t\t\"guidelines\",\n\t\t\"beside\",\n\t\t\"guideline\",\n\t\t\"outside\",\n\t\t\"inside\",\n\t\t\"collide\",\n\t\t\"decide\",\n\t\t\"divide\",\n\t\t\"aside\",\n\t\t\"ride\",\n\t\t\"side\",\n\t\t\"wide\",\n\t\t\"hide\",\n\t\t\"tide\",\n\t\t\"pride\",\n\t\t\"bride\",\n\t\t\"slide\",\n\t\t\"guide\",\n\t\t\"stride\",\n\t\t\"oxide\",\n\t\t\"dioxide\",\n\t\t\"suicide\",\n\t\t\"homicide\",\n\t\t\"pesticide\",\n\t\t\"valid\",\n\t\t\"invalid\",\n\t\t\"void\",\n\t\t\"avoid\",\n\t\t// Common words containing \"name\" substring\n\t\t\"diagnosis\",\n\t\t\"medication\",\n\t\t\"namespace\",\n\t\t\"namesake\",\n\t\t\"rename\",\n\t\t\"filename\",\n\t\t\"hostname\",\n\t\t\"typename\",\n\t\t\"unnamed\",\n\t\t\"renamed\",\n\t\t// Common words containing \"phone\" substring\n\t\t\"phonetic\",\n\t\t\"phoneme\",\n\t\t\"microphone\",\n\t\t\"headphone\",\n\t\t\"telephone\",\n\t\t\"saxophone\",\n\t\t\"smartphone\",\n\t\t// Common words containing \"address\" substring\n\t\t\"streetview\",\n\t\t\"addressable\",\n\t\t\"addressing\",\n\t\t// Common words containing \"city\" substring\n\t\t\"cityscape\",\n\t\t\"electricity\",\n\t\t\"capacity\",\n\t\t\"velocity\",\n\t\t\"opacity\",\n\t\t// Common technical terms\n\t\t\"timestamp\",\n\t\t\"timezone\",\n\t\t// LIOP Protocol Internal Keys (must never be blocked)\n\t\t\"image_id\",\n\t\t\"computation_result\",\n\t\t\"zk_receipt\",\n\t\t\"testid\",\n\t\t\"toolid\",\n\t\t\"sessionid\",\n\t\t\"peerid\",\n\t\t\"nodeid\",\n\t\t\"requestid\",\n\t\t\"correlationid\",\n\t\t\"traceid\",\n\t\t\"spanid\",\n\t]);\n\n\t/**\n\t * Short forbidden tokens (< 4 chars) that require boundary-aware matching.\n\t * Uses regex boundary detection to avoid false positives.\n\t */\n\tprivate shortTokenBoundaryPatterns: Map<string, RegExp>;\n\n\t/**\n\t * Long forbidden tokens (>= 4 chars) that use substring containment.\n\t */\n\tprivate longForbiddenTokens: string[];\n\n\tconstructor(\n\t\tpatterns: PiiRule[] = [],\n\t\tforbiddenKeys: string[] = [],\n\t\tnerScanner?: import(\"./ner-scanner.js\").NerScanner | null,\n\t) {\n\t\tthis.patterns = patterns;\n\t\tthis.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));\n\t\tthis.nerScanner = nerScanner ?? null;\n\n\t\t// Pre-compute fuzzy matching structures for performance\n\t\tthis.shortTokenBoundaryPatterns = new Map();\n\t\tthis.longForbiddenTokens = [];\n\n\t\tfor (const token of this.forbiddenKeysSet) {\n\t\t\tif (token.length < 4) {\n\t\t\t\t// Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)\n\t\t\t\t// \"id\" matches: \"patientId\", \"record_id\", \"user-id\", \"id\"\n\t\t\t\t// \"id\" does NOT match: \"grid\", \"video\", \"android\"\n\t\t\t\tthis.shortTokenBoundaryPatterns.set(\n\t\t\t\t\ttoken,\n\t\t\t\t\tnew RegExp(\n\t\t\t\t\t\t`(?:^|[_-])${token}(?:$|[_-])|` + // snake/kebab boundary\n\t\t\t\t\t\t\t`(?:^|[a-z])${token.charAt(0).toUpperCase()}${token.slice(1)}|` + // camelCase boundary (e.g., patientId)\n\t\t\t\t\t\t\t`^${token}$`, // exact match\n\t\t\t\t\t\t\"i\",\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tthis.longForbiddenTokens.push(token);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Scans any input (string, object, array) for PII violations.\n\t * Returns the pattern/rule name that triggered the violation, or null if safe.\n\t *\n\t * Detection pipeline (fail-fast):\n\t * 1. Exact key match (O(1) Set lookup)\n\t * 2. Fuzzy key match (boundary detection for short tokens, substring for long)\n\t * 3. Regex/algorithmic pattern match on string values\n\t * 4. NER content scan on string values (if enabled)\n\t */\n\tpublic async scan(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<string | null> {\n\t\tif (input === null || input === undefined) return null;\n\n\t\t// 1. String Scan (Direct Regex/String/Definition check)\n\t\tif (typeof input === \"string\") {\n\t\t\t// SECURITY PATCH: JSON Deep-Parsing Recursion (Fortification V2)\n\t\t\t// Defeats Double JSON Encoding bypasses by forcefully parsing stringified JSON back into objects.\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst parsed = JSON.parse(trimmed);\n\t\t\t\t\t// Successfully parsed JSON string. Recursively scan the unescaped object.\n\t\t\t\t\tconst violation = await this.scan(parsed, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t} catch (_e) {\n\t\t\t\t\t// Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check string value against regex patterns\n\t\t\tconst patternViolation = this.checkString(input);\n\t\t\tif (patternViolation) return patternViolation;\n\n\t\t\t// Layer 3: NER Content Scan — detect person names in free-text values\n\t\t\tif (this.nerScanner) {\n\t\t\t\tconst nerResult = await this.nerScanner.scan(input);\n\t\t\t\tif (nerResult.detected) {\n\t\t\t\t\tconst personEntity = nerResult.entities.find(\n\t\t\t\t\t\t(e) => e.type === \"person\",\n\t\t\t\t\t);\n\t\t\t\t\tif (personEntity) {\n\t\t\t\t\t\treturn `PII Entity Detected: person name \"${personEntity.text}\"`;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn null;\n\t\t}\n\n\t\t// 2. Recursive Objects/Arrays Scan\n\t\tif (typeof input === \"object\") {\n\t\t\t// Protection against circular references\n\t\t\tif (seen.has(input as object)) return null;\n\t\t\tseen.add(input as object);\n\n\t\t\tif (Array.isArray(input)) {\n\t\t\t\tfor (const element of input) {\n\t\t\t\t\tconst violation = await this.scan(element, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfor (const [key, value] of Object.entries(\n\t\t\t\t\tinput as Record<string, unknown>,\n\t\t\t\t)) {\n\t\t\t\t\t// Layer 1: Exact key match — O(1) constant time\n\t\t\t\t\tif (this.forbiddenKeysSet.has(key.toLowerCase())) {\n\t\t\t\t\t\treturn `Forbidden Key: ${key}`;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Layer 2: Fuzzy key match — catches aliases and variations\n\t\t\t\t\tconst fuzzyViolation = this.checkKeyFuzzy(key);\n\t\t\t\t\tif (fuzzyViolation) return fuzzyViolation;\n\n\t\t\t\t\t// Recurse into values\n\t\t\t\t\tconst violation = await this.scan(value, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks a key against fuzzy matching rules.\n\t * Short tokens use boundary-aware regex; long tokens use substring containment.\n\t */\n\tprivate checkKeyFuzzy(key: string): string | null {\n\t\tconst normalized = key.toLowerCase();\n\n\t\t// Skip safelisted keys entirely\n\t\tif (PiiScanner.KEY_SAFELIST.has(normalized)) return null;\n\n\t\t// Short token boundary matching (e.g., \"id\" in \"patientId\" but not \"grid\")\n\t\tfor (const [token, pattern] of this.shortTokenBoundaryPatterns) {\n\t\t\tif (pattern.test(key)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} matches boundary pattern \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\t// Long token substring matching (e.g., \"name\" in \"firstName\", \"names\")\n\t\tfor (const token of this.longForbiddenTokens) {\n\t\t\tif (normalized.includes(token)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} contains restricted token \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate checkString(text: string): string | null {\n\t\tfor (const rule of this.patterns) {\n\t\t\tif (typeof rule === \"string\") {\n\t\t\t\tif (text.toLowerCase().includes(rule.toLowerCase())) {\n\t\t\t\t\treturn rule;\n\t\t\t\t}\n\t\t\t} else if (rule instanceof RegExp) {\n\t\t\t\tif (rule.global) rule.lastIndex = 0;\n\t\t\t\tif (rule.test(text)) {\n\t\t\t\t\treturn rule.source;\n\t\t\t\t}\n\t\t\t} else if (typeof rule === \"object\" && rule !== null) {\n\t\t\t\t// PiiRuleDefinition (Military Grade Multi-layer)\n\t\t\t\tconst def = rule as PiiRuleDefinition;\n\n\t\t\t\tif (typeof def.pattern === \"string\") {\n\t\t\t\t\tif (text.toLowerCase().includes(def.pattern.toLowerCase())) {\n\t\t\t\t\t\tif (!def.validator || def.validator(def.pattern)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if (def.pattern instanceof RegExp) {\n\t\t\t\t\tif (def.pattern.global) def.pattern.lastIndex = 0;\n\n\t\t\t\t\t// Use matchAll or exec to get the specific match for the validator\n\t\t\t\t\tlet match = def.pattern.exec(text);\n\t\t\t\t\twhile (match !== null) {\n\t\t\t\t\t\tconst matchedText = match[0];\n\t\t\t\t\t\tif (!def.validator || def.validator(matchedText)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!def.pattern.global) break; // Break if not global\n\t\t\t\t\t\tmatch = def.pattern.exec(text);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn null;\n\t}\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { FixedQueue, Piscina } from \"piscina\";\nimport { z } from \"zod\";\nimport { zodToJsonSchema } from \"zod-to-json-schema\";\nimport { type LiopManifest, MeshNode } from \"../mesh/node.js\";\nimport { LiopRpcServer } from \"../rpc/server.js\";\nimport type { LogicRequest, LogicResponse } from \"../rpc/types.js\";\nimport { TaintAnalyzer } from \"../security/taint-analyzer.js\";\nimport type {\n\tCallToolRequest,\n\tCallToolResult,\n\tGetPromptRequest,\n\tGetPromptResult,\n\tPrompt,\n\tResource,\n\tServerInfo,\n\tTool,\n} from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\nimport { NerScanner } from \"./ner-scanner.js\";\nimport { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from \"./pii.js\";\n\nexport { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };\n\n/**\n * When enabled, `payload` tools that are not LIOP v1 envelopes are passed through to the\n * registered handler unchanged (no worker extraction). Default off for strict protocol tests.\n */\nfunction respectPlainToolPayload(): boolean {\n\tconst v = process.env.LIOP_RESPECT_PLAIN_TOOL_PAYLOAD?.toLowerCase().trim();\n\treturn v === \"1\" || v === \"true\" || v === \"yes\";\n}\n\nexport type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (\n\targs: z.infer<z.ZodObject<T>>,\n\textra: { signal?: AbortSignal },\n) => Promise<CallToolResult>;\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\nexport interface LiopServerOptions {\n\tcapabilities?: Record<string, unknown>;\n\tworkerPool?: {\n\t\tenabled?: boolean;\n\t\tminThreads?: number;\n\t\tmaxThreads?: number;\n\t\tidleTimeout?: number;\n\t\t/** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */\n\t\tmaxHeapMb?: number;\n\t};\n\tsecurity?: {\n\t\tpiiPatterns?: PiiRule[];\n\t\tforbiddenKeys?: string[];\n\t\t/** Enable NLP-based Named Entity Recognition scanning on output values. */\n\t\tenableNerScanning?: boolean;\n\t\t/** Rate limiting configuration for tool calls (OWASP A01). */\n\t\trateLimit?: {\n\t\t\t/** Maximum calls per window per tool (default: 15). */\n\t\t\tmaxPerWindow?: number;\n\t\t\t/** Maximum calls per window across ALL tools combined (default: 40). */\n\t\t\tglobalMaxPerWindow?: number;\n\t\t\t/** Sliding window duration in milliseconds (default: 60000 = 1 min). */\n\t\t\twindowMs?: number;\n\t\t};\n\t};\n\ttaxonomy?: {\n\t\tdomain?: string;\n\t\tclearanceTier?: number;\n\t\texecutionTypes?: string[];\n\t};\n}\n\nexport interface AggregationPolicy {\n\t/** Maximum number of object-type array elements allowed (default: 10) */\n\tmaxOutputRows?: number;\n\t/** Allow arrays containing only primitive values (default: true) */\n\tallowPrimitiveArrays?: boolean;\n}\n\nexport interface LogicExecutionPolicy {\n\t/**\n\t * Validate the business payload returned by sandbox logic (post-execution).\n\t * This runs before final egress checks and blocks non-conforming outputs.\n\t */\n\toutputSchema?: z.ZodType<unknown>;\n\t/**\n\t * Enforce aggregation-first heuristics (preflight + post-check).\n\t */\n\tenforceAggregationFirst?: boolean | AggregationPolicy;\n\t/**\n\t * Optional additional deny patterns checked against extracted logic source.\n\t */\n\tpreflightDenyPatterns?: RegExp[];\n}\n\nexport class LiopServer {\n\tprivate logicCache: Map<string, { hash: string; timestamp: number }> =\n\t\tnew Map();\n\tprivate connectionStats: Map<\n\t\tstring,\n\t\t{ failures: number; lastAttempt: number }\n\t> = new Map();\n\tprivate readonly CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\tprivate readonly THROTTLE_THRESHOLD = 5;\n\tprivate readonly THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds\n\n\t// [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration\n\tprivate toolCallWindows: Map<string, number[]> = new Map();\n\tprivate readonly toolCallMaxPerWindow: number;\n\tprivate readonly toolCallWindowMs: number;\n\n\t// [OWASP-A01] Global cross-tool rate limiter — prevents distributed micro-query attacks\n\tprivate globalCallWindow: number[] = [];\n\tprivate readonly globalCallMaxPerWindow: number;\n\n\t// [SEC] AST-level taint tracker for PII side-channel prevention\n\tprivate readonly taintAnalyzer: TaintAnalyzer;\n\n\tprivate tools: Map<\n\t\tstring,\n\t\t{\n\t\t\ttool: Tool;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\thandler: ToolHandler<any>;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\tschema: z.ZodObject<any>;\n\t\t\tpolicy?: LogicExecutionPolicy;\n\t\t}\n\t> = new Map();\n\tprivate resources: Map<\n\t\tstring,\n\t\tResource & { content?: string | (() => Promise<string>) }\n\t> = new Map();\n\tprivate prompts: Map<\n\t\tstring,\n\t\t{\n\t\t\tprompt: Prompt;\n\t\t\thandler: (\n\t\t\t\trequest: GetPromptRequest,\n\t\t\t) => GetPromptResult | Promise<GetPromptResult>;\n\t\t}\n\t> = new Map();\n\tprivate activeSchema: Record<string, unknown> | null = null;\n\tprivate sandboxRecords: Record<string, unknown>[] = [];\n\n\tprivate piiScanner: PiiScanner;\n\tprivate workerPool: Piscina;\n\tprivate meshNode: MeshNode | null = null;\n\tprivate rpcServer: LiopRpcServer | null = null;\n\tprivate boundPort: number | null = null;\n\tprivate sessions: Map<\n\t\tstring,\n\t\t{ capability_hash: string; kyber_sk: Uint8Array }\n\t> = new Map();\n\n\t// Compact envelope: @LIOP{target,name}\\n<code>\\n@END\n\tprivate static readonly LIOP_COMPACT_REGEX =\n\t\t/@LIOP\\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\\}\\n(?<logic>[\\s\\S]*?)\\n@END/m;\n\n\tprivate extractLogic(payload: string): string | null {\n\t\tconst compact = payload.match(LiopServer.LIOP_COMPACT_REGEX);\n\t\treturn compact?.groups?.logic ? compact.groups.logic.trim() : null;\n\t}\n\n\tprivate parseUnknownJson(input: unknown): unknown {\n\t\tif (typeof input !== \"string\") return input;\n\t\tconst trimmed = input.trim();\n\t\tif (\n\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t) {\n\t\t\ttry {\n\t\t\t\treturn JSON.parse(trimmed);\n\t\t\t} catch {\n\t\t\t\treturn input;\n\t\t\t}\n\t\t}\n\t\treturn input;\n\t}\n\n\tprivate runPreflightPolicy(\n\t\t_toolName: string,\n\t\tlogic: string,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\t// Phase 1: Regex-based row-level export detection (fast path)\n\t\tif (policy) {\n\t\t\tconst compact = logic.replace(/\\s+/g, \" \");\n\n\t\t\tif (policy.enforceAggregationFirst) {\n\t\t\t\tconst rowExtractionPatterns = [\n\t\t\t\t\t// Block raw record dumps but allow safe aggregation chains\n\t\t\t\t\t// (.reduce, .length, .filter().length, .every, .some)\n\t\t\t\t\t/return\\s+env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter|every|some|find)\\b)/i,\n\t\t\t\t\t/return\\s*\\{[\\s\\S]*\\b(accounts|patients|rows|records)\\s*:\\s*env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter)\\b)/i,\n\t\t\t\t];\n\t\t\t\tif (rowExtractionPatterns.some((p) => p.test(compact))) {\n\t\t\t\t\treturn \"Preflight policy rejected: potential row-level export pattern detected.\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {\n\t\t\t\treturn \"Preflight policy rejected: custom deny pattern matched.\";\n\t\t\t}\n\t\t}\n\n\t\t// Phase 2: AST-level taint tracking (detects PII side-channel derivation)\n\t\tconst taintViolation = this.taintAnalyzer.analyze(logic);\n\t\tif (taintViolation) {\n\t\t\treturn `Preflight policy rejected: ${taintViolation.reason}`;\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate validateOutputPolicy(\n\t\ttoolName: string,\n\t\toutput: unknown,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tif (!policy) return null;\n\t\tconst parsed = this.parseUnknownJson(output);\n\n\t\tif (policy.outputSchema) {\n\t\t\t// SEC-HARDENING: Force strict mode on ZodObject schemas to prevent\n\t\t\t// key aliasing bypasses via .passthrough(). However, respect schemas\n\t\t\t// that explicitly use .catchall() — calling .strict() would override\n\t\t\t// the catchall with ZodNever, destroying the developer's intent.\n\t\t\tconst effectiveSchema = (() => {\n\t\t\t\tif (!(policy.outputSchema instanceof z.ZodObject)) {\n\t\t\t\t\treturn policy.outputSchema;\n\t\t\t\t}\n\t\t\t\tconst obj = policy.outputSchema as z.ZodObject<z.ZodRawShape>;\n\t\t\t\t// If schema has an explicit catchall (not ZodNever), respect it\n\t\t\t\tif (!(obj._def.catchall instanceof z.ZodNever)) {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\t// Otherwise force strict to block unrecognized keys by default\n\t\t\t\treturn obj.strict();\n\t\t\t})();\n\n\t\t\tconst schemaResult = effectiveSchema.safeParse(parsed);\n\t\t\tif (!schemaResult.success) {\n\t\t\t\t// SEC-CRITICAL: Never expose rejected data in error messages.\n\t\t\t\t// Only report the structural violation (unrecognized keys, type mismatches).\n\t\t\t\treturn `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues\n\t\t\t\t\t.map((i) => `${i.path.join(\".\") || \"<root>\"} ${i.message}`)\n\t\t\t\t\t.join(\n\t\t\t\t\t\t\"; \",\n\t\t\t\t\t)}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;\n\t\t\t}\n\t\t}\n\n\t\tif (\n\t\t\tpolicy.enforceAggregationFirst &&\n\t\t\tthis.violatesAggregationFirstPolicy(\n\t\t\t\tthis.unwrapForAggregationPolicyScan(parsed),\n\t\t\t\tpolicy.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords.length,\n\t\t\t)\n\t\t) {\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\treturn isDev\n\t\t\t\t? \"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results.\"\n\t\t\t\t: \"Aggregation-First Policy Violation: Output blocked due to privacy constraints.\";\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).\n\t * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope\n\t * (otherwise `content` looks like a tabular array of objects and everything blocks).\n\t */\n\tprivate unwrapForAggregationPolicyScan(input: unknown): unknown {\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));\n\t\t\t\t} catch {\n\t\t\t\t\treturn input;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn input;\n\t\t}\n\n\t\tif (!input || typeof input !== \"object\") {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst rec = input as Record<string, unknown>;\n\t\tif (!Array.isArray(rec.content) || rec.content.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst texts: string[] = [];\n\t\tfor (const part of rec.content) {\n\t\t\tif (part && typeof part === \"object\" && \"text\" in part) {\n\t\t\t\tconst t = (part as { text?: unknown }).text;\n\t\t\t\tif (typeof t === \"string\") {\n\t\t\t\t\ttexts.push(t);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (texts.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst joined = texts.length === 1 ? texts[0] : texts.join(\"\\n\");\n\t\treturn this.unwrapForAggregationPolicyScan(joined);\n\t}\n\n\tprivate violatesAggregationFirstPolicy(\n\t\tinput: unknown,\n\t\tpolicyObj?: boolean | AggregationPolicy,\n\t\trecordsCount?: number,\n\t): boolean {\n\t\tconst maxRows =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.maxOutputRows === \"number\"\n\t\t\t\t? policyObj.maxOutputRows\n\t\t\t\t: 10;\n\t\tconst allowPrimitives =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.allowPrimitiveArrays === \"boolean\"\n\t\t\t\t? policyObj.allowPrimitiveArrays\n\t\t\t\t: true;\n\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tJSON.parse(trimmed),\n\t\t\t\t\t\tpolicyObj,\n\t\t\t\t\t\trecordsCount,\n\t\t\t\t\t);\n\t\t\t\t} catch {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false;\n\t\t}\n\n\t\tif (Array.isArray(input)) {\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item === \"object\" && item !== null)\n\t\t\t) {\n\t\t\t\t// Treat tabular row export as non-aggregated leakage risk if above threshold.\n\t\t\t\tif (input.length > maxRows) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\treturn input.some((item) =>\n\t\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item !== \"object\" || item === null)\n\t\t\t) {\n\t\t\t\tif (!allowPrimitives) return true;\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn input.some((item) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\tif (input && typeof input === \"object\") {\n\t\t\tconst keys = Object.keys(input as Record<string, unknown>);\n\n\t\t\t// K-ANONYMITY: If source dataset is too small (< 10), enforce restriction.\n\t\t\t// Allow basic statistical summaries (max 3 keys: count/avg/stddev, no nesting).\n\t\t\tif (recordsCount !== undefined && recordsCount > 0 && recordsCount < 10) {\n\t\t\t\tif (keys.length > 3) return true;\n\t\t\t\t// Check for nesting/arrays in a small sample\n\t\t\t\tconst values = Object.values(input as Record<string, unknown>);\n\t\t\t\tif (\n\t\t\t\t\tvalues.some(\n\t\t\t\t\t\t(v) => Array.isArray(v) || (typeof v === \"object\" && v !== null),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).\n\t\t\tif (keys.length > maxRows) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn Object.values(input as Record<string, unknown>).some((value) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(value, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tconstructor(\n\t\tprivate serverInfo: ServerInfo,\n\t\tprivate config?: LiopServerOptions,\n\t) {\n\t\tconst nerScanner = this.config?.security?.enableNerScanning\n\t\t\t? new NerScanner()\n\t\t\t: null;\n\n\t\tthis.piiScanner = new PiiScanner(\n\t\t\tthis.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,\n\t\t\tthis.config?.security?.forbiddenKeys ?? [\n\t\t\t\t\"id\",\n\t\t\t\t\"name\",\n\t\t\t\t\"fullName\",\n\t\t\t\t\"firstName\",\n\t\t\t\t\"lastName\",\n\t\t\t\t\"address\",\n\t\t\t\t\"street\",\n\t\t\t\t\"city\",\n\t\t\t\t\"postalCode\",\n\t\t\t\t\"zipCode\",\n\t\t\t\t\"phone\",\n\t\t\t\t\"email\",\n\t\t\t\t\"ssn\",\n\t\t\t\t\"accountHolder\",\n\t\t\t\t\"accountNumber\",\n\t\t\t\t\"account_number\",\n\t\t\t\t\"password\",\n\t\t\t\t\"token\",\n\t\t\t\t\"secret\",\n\t\t\t\t\"privateKey\",\n\t\t\t],\n\t\t\tnerScanner,\n\t\t);\n\n\t\t// [OWASP-A01] Rate limit: config > env > default (15 calls/min per-tool, 40 global)\n\t\tconst rlConfig = this.config?.security?.rateLimit;\n\t\tthis.toolCallWindowMs =\n\t\t\trlConfig?.windowMs ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? \"60000\", 10);\n\t\tthis.toolCallMaxPerWindow =\n\t\t\trlConfig?.maxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? \"15\", 10);\n\t\tthis.globalCallMaxPerWindow =\n\t\t\trlConfig?.globalMaxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? \"40\", 10);\n\n\t\t// [SEC] Initialize AST-level taint analyzer with PII field definitions\n\t\tconst forbiddenKeys = this.config?.security?.forbiddenKeys ?? [\n\t\t\t\"id\",\n\t\t\t\"name\",\n\t\t\t\"fullName\",\n\t\t\t\"firstName\",\n\t\t\t\"lastName\",\n\t\t\t\"address\",\n\t\t\t\"street\",\n\t\t\t\"city\",\n\t\t\t\"postalCode\",\n\t\t\t\"zipCode\",\n\t\t\t\"phone\",\n\t\t\t\"email\",\n\t\t\t\"ssn\",\n\t\t\t\"accountHolder\",\n\t\t\t\"accountNumber\",\n\t\t\t\"account_number\",\n\t\t\t\"password\",\n\t\t\t\"token\",\n\t\t\t\"secret\",\n\t\t\t\"privateKey\",\n\t\t];\n\t\tthis.taintAnalyzer = new TaintAnalyzer(forbiddenKeys);\n\n\t\t// Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing\n\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\tconst workerExt = isTS ? \".ts\" : \".js\";\n\n\t\tlet execArgv: string[] = [];\n\t\tif (isTS) {\n\t\t\ttry {\n\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t).href;\n\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t} catch (_e) {\n\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t}\n\t\t}\n\n\t\tconst isTest = process.env.NODE_ENV === \"test\" || process.env.VITEST;\n\n\t\t// Sync capabilities to serverInfo for MCP Handshakes\n\t\tif (this.config?.capabilities && !this.serverInfo.capabilities) {\n\t\t\tthis.serverInfo.capabilities = this.config.capabilities as Record<\n\t\t\t\tstring,\n\t\t\t\tunknown\n\t\t\t>;\n\t\t}\n\n\t\t// Support both flat dist/ and original src/ structure\n\t\tconst workerPaths = [\n\t\t\tpath.resolve(__dirname, `./workers/logic-execution${workerExt}`), // Flat dist/ (tsup)\n\t\t\tpath.resolve(__dirname, `../workers/logic-execution${workerExt}`), // Original src/\n\t\t];\n\n\t\tconst workerFilename =\n\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\tthis.workerPool = new Piscina({\n\t\t\tfilename: workerFilename,\n\t\t\tminThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),\n\t\t\tmaxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),\n\t\t\tidleTimeout:\n\t\t\t\tthis.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5000),\n\t\t\tmaxQueue: \"auto\",\n\t\t\ttaskQueue: new FixedQueue(),\n\t\t\texecArgv,\n\t\t\t// [DoS Defense] Enforce hard memory ceiling per worker thread.\n\t\t\t// Workers exceeding this limit are terminated by Node.js runtime.\n\t\t\tresourceLimits: {\n\t\t\t\tmaxOldGenerationSizeMb:\n\t\t\t\t\tthis.config?.workerPool?.maxHeapMb ??\n\t\t\t\t\tNumber.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? \"64\", 10),\n\t\t\t},\n\t\t});\n\n\t\t// [Token Economy] Auto-register LIOP protocol spec as a single Resource.\n\t\t// This centralizes the envelope documentation that was previously\n\t\t// duplicated in every tool description, reducing token overhead.\n\t\tthis.resource(\n\t\t\t\"LIOP Envelope Specification\",\n\t\t\t\"liop://protocol/envelope-spec\",\n\t\t\t\"Complete Logic-on-Origin envelope format, execution rules, and security constraints\",\n\t\t\t\"text/plain\",\n\t\t\t() => Promise.resolve(this.buildEnvelopeSpec()),\n\t\t);\n\t}\n\t/**\n\t * Builds the centralized LIOP envelope specification document.\n\t * Served as a single Resource (liop://protocol/envelope-spec) instead\n\t * of being duplicated across every tool description.\n\t */\n\tprivate buildEnvelopeSpec(): string {\n\t\tconst lines = [\n\t\t\t\"LIOP v1 Envelope Specification\",\n\t\t\t\"================================\",\n\t\t\t\"\",\n\t\t\t\"FORMAT:\",\n\t\t\t\"\",\n\t\t\t\"Compact Envelope:\",\n\t\t\t\" @LIOP{wasi_v1,TaskName}\",\n\t\t\t\" <JavaScript code>\",\n\t\t\t\" @END\",\n\t\t\t\"\",\n\t\t\t\"RUNTIME ENVIRONMENT:\",\n\t\t\t\"- env.records: Array of data objects from the origin\",\n\t\t\t\"- Must use 'return' to output results\",\n\t\t\t\"- Zero-Trust WASI Sandbox (Node.js Worker Pool)\",\n\t\t\t\"- Return aggregated objects, NOT raw row-level arrays\",\n\t\t\t\"\",\n\t\t\t\"SECURITY CONSTRAINTS:\",\n\t\t\t\"- PII Egress Shield blocks raw identifiers in output\",\n\t\t\t\"- Aggregation-First policy: prefer counts, averages, summaries\",\n\t\t\t\"- AST Guardian: static analysis before execution\",\n\t\t];\n\n\t\tif (this.config?.security?.forbiddenKeys?.length) {\n\t\t\tlines.push(\n\t\t\t\t`- Restricted fields: ${this.config.security.forbiddenKeys.join(\", \")}`,\n\t\t\t);\n\t\t}\n\n\t\tlines.push(\n\t\t\t\"\",\n\t\t\t\"TAINT TRACKING (Phase 108):\",\n\t\t\t\"- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)\",\n\t\t\t\"- Operations on restricted fields are tracked through variable assignments\",\n\t\t\t\"- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked\",\n\t\t\t\"- Allowed: aggregations on non-PII fields (balance, amount, date)\",\n\t\t\t\"\",\n\t\t\t\"K-ANONYMITY:\",\n\t\t\t\"- Datasets < 10 records: max 3 scalar output fields, no nesting\",\n\t\t\t\"- Datasets >= 10 records: max 10 output fields\",\n\t\t\t\"\",\n\t\t\t\"RATE LIMITS (OWASP A01):\",\n\t\t\t\"- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)\",\n\t\t\t\"- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)\",\n\t\t\t\"\",\n\t\t\t\"OPTIONAL PARAMETERS:\",\n\t\t\t\"- __liop_bypass_ast_cache: boolean (force AST re-evaluation)\",\n\t\t);\n\n\t\treturn lines.join(\"\\n\");\n\t}\n\n\t/**\n\t * Extracts a compact, human-readable field summary from a JSON Schema.\n\t *\n\t * Walks the schema structure to find actual data property names and types,\n\t * rather than returning top-level schema metadata keys (type, items, etc.).\n\t *\n\t * Example output for a banking schema:\n\t * \"Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}\"\n\t */\n\tprivate extractSchemaFieldSummary(\n\t\tschema: Record<string, unknown>,\n\t\tdepth = 0,\n\t): string {\n\t\t// Prevent excessive recursion in deeply nested schemas\n\t\tif (depth > 3) return \"{...}\";\n\n\t\tconst schemaType = schema.type as string | undefined;\n\t\tconst properties = schema.properties as\n\t\t\t| Record<string, Record<string, unknown>>\n\t\t\t| undefined;\n\t\tconst items = schema.items as Record<string, unknown> | undefined;\n\n\t\t// Object with properties → list field names with their types\n\t\tif (properties) {\n\t\t\tconst fields = Object.entries(properties).map(([key, prop]) => {\n\t\t\t\tconst propType = prop.type as string | undefined;\n\t\t\t\tif (propType === \"array\" && prop.items) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(\n\t\t\t\t\t\tprop.items as Record<string, unknown>,\n\t\t\t\t\t\tdepth + 1,\n\t\t\t\t\t);\n\t\t\t\t\treturn `${key}(array of ${nested})`;\n\t\t\t\t}\n\t\t\t\tif (propType === \"object\" && prop.properties) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(prop, depth + 1);\n\t\t\t\t\treturn `${key}(${nested})`;\n\t\t\t\t}\n\t\t\t\treturn `${key}(${propType || \"unknown\"})`;\n\t\t\t});\n\t\t\treturn `{${fields.join(\", \")}}`;\n\t\t}\n\n\t\t// Array type → describe the items structure\n\t\tif (schemaType === \"array\" && items) {\n\t\t\tconst itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);\n\t\t\treturn `Array of ${itemsSummary}`;\n\t\t}\n\n\t\t// Simple type or unknown structure → fallback to key listing\n\t\tif (schemaType) return schemaType;\n\t\treturn Object.keys(schema).join(\", \");\n\t}\n\n\t/**\n\t * Convenience alias for connectToMesh(), matching official documentation.\n\t */\n\tpublic async connect(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\treturn this.connectToMesh(options);\n\t}\n\n\t/**\n\t * Register a new Tool\n\t */\n\tpublic tool<T extends z.ZodRawShape>(\n\t\tname: string,\n\t\tdescription: string,\n\t\tshape: T,\n\t\thandler: ToolHandler<T>,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): void {\n\t\tif (this.tools.has(name)) {\n\t\t\tthrow new Error(`Tool already registered: ${name}`);\n\t\t}\n\n\t\tconst schema = z.object(shape);\n\t\tconst generatedSchema = zodToJsonSchema(schema);\n\n\t\tlet finalDescription = description;\n\t\tlet finalHandler = handler;\n\n\t\t// LIOP Zero-Shot Autonomy Middleware: Detect Logic-on-Origin tools\n\t\tif (shape.payload && shape.payload instanceof z.ZodString) {\n\t\t\tconst blockedKeys = this.config?.security?.forbiddenKeys || [];\n\n\t\t\t// [Token Economy] Centralized description: reference the protocol spec\n\t\t\t// Resource instead of duplicating the full envelope format per tool.\n\t\t\t// Same information, delivered once via liop://protocol/envelope-spec.\n\t\t\tfinalDescription +=\n\t\t\t\t\"\\n\\nPayload: LIOP v1 envelope (WASI sandbox).\" +\n\t\t\t\t\" Format: @LIOP{wasi_v1,TaskName}\\\\n<JS code>\\\\n@END\" +\n\t\t\t\t\" | Access data: env.records. Return aggregated object.\" +\n\t\t\t\t\" | Full spec: resource liop://protocol/envelope-spec\";\n\n\t\t\tif (blockedKeys.length > 0) {\n\t\t\t\tfinalDescription += `\\nRestricted fields: ${blockedKeys.join(\", \")}.`;\n\t\t\t}\n\n\t\t\tif (this.activeSchema) {\n\t\t\t\tconst schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);\n\t\t\t\tfinalDescription += `\\nData structure: ${schemaDigest}. Full schema: resource liop://schema/global`;\n\t\t\t}\n\n\t\t\tfinalHandler = async (\n\t\t\t\targs: z.infer<z.ZodObject<T>>,\n\t\t\t\t_extra: { signal?: AbortSignal },\n\t\t\t) => {\n\t\t\t\tconst clientId = \"global_connection\"; // Simplify for now, treating the instance as one connection\n\t\t\t\tconst now = Date.now();\n\t\t\t\tconst stats = this.connectionStats.get(clientId) || {\n\t\t\t\t\tfailures: 0,\n\t\t\t\t\tlastAttempt: 0,\n\t\t\t\t};\n\n\t\t\t\tif (\n\t\t\t\t\tstats.failures >= this.THROTTLE_THRESHOLD &&\n\t\t\t\t\tnow - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS\n\t\t\t\t) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"LIOP_THROTTLED: Too many violations. Cooling down for 60 seconds.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadValue = (args as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst bypassCache =\n\t\t\t\t\t(args as Record<string, unknown>).__liop_bypass_ast_cache === true;\n\n\t\t\t\tconst payloadHash = crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(payloadValue)\n\t\t\t\t\t.digest(\"hex\");\n\t\t\t\tconst logic = this.extractLogic(payloadValue);\n\t\t\t\tconst cached = this.logicCache.get(payloadHash);\n\n\t\t\t\tif (\n\t\t\t\t\t!bypassCache &&\n\t\t\t\t\tcached &&\n\t\t\t\t\tnow - cached.timestamp < this.CACHE_TTL_MS\n\t\t\t\t) {\n\t\t\t\t\t// Hash verified. Skips boundaries check (already validated!). Extract logic directly.\n\t\t\t\t\tif (logic) {\n\t\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn await this.executeInWorkerPool(args, logic, name);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!logic) {\n\t\t\t\t\tif (respectPlainToolPayload()) {\n\t\t\t\t\t\treturn await handler(args as z.infer<z.ZodObject<T>>, _extra);\n\t\t\t\t\t}\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"Error: Malformed payload. Missing @LIOP boundary.\\\\nYou MUST wrap your logic exactly like this:\\\\n\\\\n@LIOP{wasi_v1,DynamicAudit}\\\\n// Your JS code here\\\\n@END\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Logic check already performed above, extraction is guaranteed at this point.\n\t\t\t\t\t// biome-ignore lint/style/noNonNullAssertion: safe extraction after check\n\t\t\t\t\tconst logic = this.extractLogic(\n\t\t\t\t\t\t(args as Record<string, unknown>).payload as string,\n\t\t\t\t\t)!;\n\t\t\t\t\t// Extract pure logic and deliver it to the developer's function\n\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing (Includes PII Shield)\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(name, logic, policy);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\n\t\t\t\t\tconst result = await this.executeInWorkerPool(args, logic, name);\n\n\t\t\t\t\tif (!result.isError) {\n\t\t\t\t\t\tthis.connectionStats.set(clientId, {\n\t\t\t\t\t\t\tfailures: 0,\n\t\t\t\t\t\t\tlastAttempt: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t\tthis.logicCache.set(payloadHash, {\n\t\t\t\t\t\t\thash: payloadHash,\n\t\t\t\t\t\t\ttimestamp: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn result;\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{ type: \"text\", text: `ExecutionRuntimeException: ${e.message}` },\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t};\n\t\t}\n\n\t\tconst inputSchema = {\n\t\t\ttype: \"object\",\n\t\t\tproperties: (generatedSchema as Record<string, unknown>).properties || {},\n\t\t\trequired: (generatedSchema as Record<string, unknown>).required,\n\t\t};\n\n\t\tthis.tools.set(name, {\n\t\t\ttool: { name, description: finalDescription, inputSchema },\n\t\t\thandler: finalHandler,\n\t\t\tschema,\n\t\t\tpolicy,\n\t\t});\n\n\t\t// [LIOP-ALPHA] Auto-announce capability to the Mesh P2P DHT if node is active\n\t\tif (this.meshNode) {\n\t\t\tthis.meshNode.announceCapability(name).catch((err) => {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t}\n\n\t/**\n\t * Register a dynamic prompt\n\t */\n\tpublic prompt(\n\t\tname: string,\n\t\tdescription: string | undefined,\n\t\targs: Prompt[\"arguments\"],\n\t\thandler: (\n\t\t\trequest: GetPromptRequest,\n\t\t) => GetPromptResult | Promise<GetPromptResult>,\n\t): void {\n\t\tif (this.prompts.has(name)) {\n\t\t\tthrow new Error(`Prompt already registered: ${name}`);\n\t\t}\n\t\tthis.prompts.set(name, {\n\t\t\tprompt: { name, description, arguments: args },\n\t\t\thandler,\n\t\t});\n\t}\n\n\t/**\n\t * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.\n\t */\n\tpublic enableZeroShotAutonomy(): void {\n\t\tthis.prompt(\n\t\t\t\"liop_blind_analyst\",\n\t\t\t\"The official Logic-Injection-on-Origin Protocol system prompt. Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.\",\n\t\t\t[],\n\t\t\t(_request) => {\n\t\t\t\treturn {\n\t\t\t\t\tdescription: \"LIOP Blind Analyst Instructions\",\n\t\t\t\t\tmessages: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\trole: \"user\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: `You are the \"Blind Analyst\" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.\nYour objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.\n\nINDUSTRIAL CONSTRAINTS & PROTOCOL RULES:\n1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.\n2. AGGREGATION FIRST: Always prefer returning counts, averages, or anonymized summaries.\n3. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.\n Structure:\n @LIOP{wasi_v1,AnalysisTask}\n // Your JS Code Here\n @END\n4. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.\n5. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).\n6. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.${\n\t\t\t\t\t\t\t\t\tthis.activeSchema\n\t\t\t\t\t\t\t\t\t\t? `\\n\\nCURRENT DATA DICTIONARY (STRICT):\\n${JSON.stringify(this.activeSchema, null, 2)}`\n\t\t\t\t\t\t\t\t\t\t: \"\"\n\t\t\t\t\t\t\t\t}\n\nProtocol Adherence is mandatory for successful execution.`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t};\n\t\t\t},\n\t\t);\n\t}\n\n\t/**\n\t * Register a dynamic resource\n\t */\n\tpublic resource(\n\t\tname: string,\n\t\turi: string,\n\t\tdescription?: string,\n\t\tmimeType?: string,\n\t\tcontent?: string | (() => Promise<string>),\n\t): void {\n\t\tif (this.resources.has(uri)) {\n\t\t\tthrow new Error(`Resource URI already registered: ${uri}`);\n\t\t}\n\t\tthis.resources.set(uri, { name, uri, description, mimeType, content });\n\t}\n\n\t/**\n\t * Broadcasts the Data Dictionary to the LLM prior to code injection.\n\t */\n\tpublic dataDictionary(\n\t\tschema: Record<string, unknown>,\n\t\tname: string = \"Global Medical Data Dictionary\",\n\t\turi: string = \"liop://schema/global\",\n\t\tdescription: string = \"Exposes the internal database schema for Zero-Shot Autonomy planning\",\n\t): void {\n\t\tthis.activeSchema = schema;\n\n\t\t// [Token Economy] Retroactively update tool descriptions with schema field references.\n\t\t// Extracts actual data property names from the JSON Schema structure.\n\t\tconst schemaDigest = this.extractSchemaFieldSummary(schema);\n\t\tfor (const [toolName, entry] of this.tools.entries()) {\n\t\t\tif (\n\t\t\t\tentry.schema.shape.payload &&\n\t\t\t\tentry.schema.shape.payload instanceof z.ZodString &&\n\t\t\t\tentry.tool.description &&\n\t\t\t\t!entry.tool.description.includes(\"Data structure:\")\n\t\t\t) {\n\t\t\t\tentry.tool.description += `\\nData structure: ${schemaDigest}. Full schema: resource ${uri}`;\n\t\t\t\tthis.tools.set(toolName, entry);\n\t\t\t}\n\t\t}\n\n\t\tthis.resource(\n\t\t\tname,\n\t\t\turi,\n\t\t\tdescription,\n\t\t\t\"application/json\",\n\t\t\tJSON.stringify(schema, null, 2),\n\t\t);\n\t}\n\n\t/**\n\t * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).\n\t */\n\tpublic clearAstCache(): void {\n\t\tthis.logicCache.clear();\n\t\tlog.info(\"[LIOP-SDK] AST Security Cache cleared by Admin.\");\n\t}\n\n\t/**\n\t * Sliding window rate limiter for tool call frequency.\n\t * Prevents micro-query exfiltration attacks where an attacker\n\t * makes hundreds of individually-legitimate calls to reconstruct\n\t * the full dataset field by field. (OWASP A01)\n\t */\n\tprivate checkToolCallRateLimit(toolName: string): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxPerWindow = this.toolCallMaxPerWindow;\n\n\t\tconst window = this.toolCallWindows.get(toolName) || [];\n\t\t// Evict expired timestamps outside the sliding window\n\t\tconst active = window.filter((t) => now - t < windowMs);\n\n\t\tif (active.length >= maxPerWindow) {\n\t\t\tconst retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +\n\t\t\t\t\t\t\t`Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tactive.push(now);\n\t\tthis.toolCallWindows.set(toolName, active);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Global cross-tool rate limiter.\n\t * Prevents attackers from distributing micro-queries across multiple tools\n\t * to evade per-tool rate limits. (OWASP A01)\n\t */\n\tprivate checkGlobalRateLimit(): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxGlobal = this.globalCallMaxPerWindow;\n\n\t\tthis.globalCallWindow = this.globalCallWindow.filter(\n\t\t\t(t) => now - t < windowMs,\n\t\t);\n\n\t\tif (this.globalCallWindow.length >= maxGlobal) {\n\t\t\tconst retryAfterSec = Math.ceil(\n\t\t\t\t(this.globalCallWindow[0] + windowMs - now) / 1000,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Global call limit exceeded. ` +\n\t\t\t\t\t\t\t`Max ${maxGlobal} total calls per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tthis.globalCallWindow.push(now);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Emulates calling a tool (used locally or via LIOPMcpBridge)\n\t */\n\tpublic async callTool(request: CallToolRequest): Promise<CallToolResult> {\n\t\tconst entry = this.tools.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Tool not found: ${request.name}`);\n\t\t}\n\n\t\t// [OWASP-A01] Rate limiting: prevent micro-query exfiltration\n\t\tconst globalLimitResult = this.checkGlobalRateLimit();\n\t\tif (globalLimitResult) return globalLimitResult;\n\t\tconst rateLimitResult = this.checkToolCallRateLimit(request.name);\n\t\tif (rateLimitResult) return rateLimitResult;\n\n\t\ttry {\n\t\t\t// Validate inputs natively with Zod before execution\n\t\t\tconst parsedArgs = entry.schema.parse(request.arguments || {});\n\n\t\t\t// Re-inject the bypass flag if present since Zod might strip unrecognized keys\n\t\t\tif (\n\t\t\t\t(request.arguments as Record<string, unknown>)\n\t\t\t\t\t?.__liop_bypass_ast_cache === true\n\t\t\t) {\n\t\t\t\t(parsedArgs as Record<string, unknown>).__liop_bypass_ast_cache = true;\n\t\t\t}\n\n\t\t\t// [LOGIC-ON-ORIGIN] Intercept code injection directly\n\t\t\tif (\n\t\t\t\tparsedArgs &&\n\t\t\t\ttypeof (parsedArgs as Record<string, unknown>).payload === \"string\"\n\t\t\t) {\n\t\t\t\tconst payload = (parsedArgs as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst logic = this.extractLogic(payload);\n\t\t\t\tif (logic) {\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tentry.policy,\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\t\t\t\t\t(parsedArgs as Record<string, unknown>).payload = logic;\n\t\t\t\t\treturn await this.executeInWorkerPool(\n\t\t\t\t\t\tparsedArgs,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst result = await entry.handler(parsedArgs, {});\n\t\t\treturn result;\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tif (e instanceof z.ZodError) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [{ type: \"text\", text: `Validation Error: ${e.message}` }],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{ type: \"text\", text: `Internal Execution Error: ${e.message}` },\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Retrieves registered tools\n\t */\n\tpublic listTools(): Tool[] {\n\t\treturn Array.from(this.tools.values()).map((t) => t.tool);\n\t}\n\n\t/**\n\t * Retrieves registered prompts\n\t */\n\tpublic listPrompts(): Prompt[] {\n\t\treturn Array.from(this.prompts.values()).map((p) => p.prompt);\n\t}\n\n\t/**\n\t * Gets a specific prompt by name\n\t */\n\tpublic async getPrompt(request: GetPromptRequest): Promise<GetPromptResult> {\n\t\tconst entry = this.prompts.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Prompt not found: ${request.name}`);\n\t\t}\n\t\treturn await entry.handler(request);\n\t}\n\n\t/**\n\t * Retrieves registered resources\n\t */\n\tpublic listResources(): Resource[] {\n\t\treturn Array.from(this.resources.values());\n\t}\n\n\t/**\n\t * Reads a specific resource by URI\n\t */\n\tpublic async readResource(uri: string): Promise<{\n\t\tcontents: Array<{ uri: string; mimeType?: string; text: string }>;\n\t}> {\n\t\tconst resource = this.resources.get(uri);\n\t\tif (!resource) {\n\t\t\tthrow new Error(`Resource not found: ${uri}`);\n\t\t}\n\n\t\tlet text = \"No description provided\";\n\t\tif (typeof resource.content === \"function\") {\n\t\t\ttext = await resource.content();\n\t\t} else if (typeof resource.content === \"string\") {\n\t\t\ttext = resource.content;\n\t\t} else if (resource.description) {\n\t\t\ttext = resource.description;\n\t\t}\n\n\t\treturn {\n\t\t\tcontents: [\n\t\t\t\t{\n\t\t\t\t\turi: resource.uri,\n\t\t\t\t\tmimeType: resource.mimeType || \"text/plain\",\n\t\t\t\t\ttext,\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t}\n\n\tpublic getServerInfo(): ServerInfo {\n\t\treturn this.serverInfo;\n\t}\n\n\tpublic getMeshNode(): MeshNode | null {\n\t\treturn this.meshNode;\n\t}\n\n\t/**\n\t * Injects data into the secure sandbox context for Logic-on-Origin tools.\n\t */\n\tpublic setSandboxData(records: Record<string, unknown>[]) {\n\t\tthis.sandboxRecords = records;\n\t}\n\n\tpublic getBoundPort(): number | null {\n\t\treturn this.boundPort;\n\t}\n\n\t/**\n\t * Connects to the libp2p Kademlia DHT and announces capabilities.\n\t * Boots the gRPC server for secure Logic-on-Origin.\n\t */\n\tpublic async connectToMesh(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\tconst envPort = process.env.LIOP_GRPC_PORT\n\t\t\t? Number.parseInt(process.env.LIOP_GRPC_PORT, 10)\n\t\t\t: undefined;\n\t\tconst port = options.port ?? envPort ?? 50051;\n\n\t\t// 1. Initialize Mesh Node (Discovery)\n\t\tthis.meshNode = new MeshNode(options.meshConfig);\n\t\tawait this.meshNode.start();\n\n\t\t// 2. Register LIOP Manifest Protocol Handler\n\t\t// This allows remote peers to query our tool/resource metadata dynamically.\n\t\tconst meshNodeRef = this.meshNode;\n\t\tthis.meshNode.registerManifestHandler((): LiopManifest => {\n\t\t\tconst tools = this.listTools().map((t) => ({\n\t\t\t\tname: t.name,\n\t\t\t\tdescription: t.description,\n\t\t\t\tinputSchema: t.inputSchema as Record<string, unknown>,\n\t\t\t}));\n\n\t\t\tconst resources = Array.from(this.resources.values()).map((r) => ({\n\t\t\t\tname: r.name,\n\t\t\t\turi: r.uri,\n\t\t\t\tdescription: r.description,\n\t\t\t\tmimeType: r.mimeType,\n\t\t\t\ttext: typeof r.content === \"string\" ? r.content : r.description,\n\t\t\t}));\n\n\t\t\treturn {\n\t\t\t\tpeerId: meshNodeRef.getPeerId(),\n\t\t\t\tgrpcPort: port,\n\t\t\t\ttools,\n\t\t\t\tresources,\n\t\t\t\tserverInfo: this.serverInfo,\n\t\t\t};\n\t\t});\n\n\t\t// 3. Announce local tools to the DHT\n\t\tfor (const tool of this.listTools()) {\n\t\t\tawait this.meshNode.announceCapability(tool.name).catch(log.info);\n\t\t}\n\n\t\t// 4. Announce manifest availability\n\t\tawait this.meshNode.announceManifest().catch(log.info);\n\n\t\t// 5. Initialize gRPC Server (Execution)\n\t\tthis.rpcServer = new LiopRpcServer();\n\n\t\tthis.rpcServer.addService({\n\t\t\tnegotiateIntent: (call, callback) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`,\n\t\t\t\t);\n\n\t\t\t\t// Standard dynamic import to avoid potential circularity\n\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(async ({ Kyber768Wrapper }) => {\n\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t});\n\n\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\t},\n\t\t\texecuteLogic: async (\n\t\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t\t) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`,\n\t\t\t\t);\n\n\t\t\t\tconst session = this.sessions.get(request.session_token);\n\t\t\t\tif (!session) {\n\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\tdetails: \"Invalid session token\",\n\t\t\t\t\t});\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Pass to Worker Pool for PQC Decryption and WASI/V8 execution\n\t\t\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\t\t\tciphertext: request.pqc_ciphertext,\n\t\t\t\t\t\tsecretKeyObj: Array.from(session.kyber_sk),\n\t\t\t\t\t\twasmBinary: request.wasm_binary,\n\t\t\t\t\t\tinputs: request.inputs,\n\t\t\t\t\t\taesNonce: request.aes_nonce,\n\t\t\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\t\t\tsessionToken: request.session_token,\n\t\t\t\t\t\tisEncrypted: true,\n\t\t\t\t\t});\n\n\t\t\t\t\tlet finalOutput: string;\n\t\t\t\t\ttry {\n\t\t\t\t\t\tfinalOutput =\n\t\t\t\t\t\t\ttypeof workerResponse.output === \"string\"\n\t\t\t\t\t\t\t\t? workerResponse.output\n\t\t\t\t\t\t\t\t: JSON.stringify(workerResponse.output);\n\n\t\t\t\t\t\t// [PROTOCOL TRANSFORMER] Support for Proxied Tool Calls\n\t\t\t\t\t\tconst decoded = JSON.parse(finalOutput);\n\t\t\t\t\t\tif (decoded.__liop_proxy_tool) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tconst toolResult = await this.callTool({\n\t\t\t\t\t\t\t\tname: decoded.__liop_proxy_tool,\n\t\t\t\t\t\t\t\targuments: decoded.__liop_proxy_args || {},\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tfinalOutput = JSON.stringify(toolResult);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\tfinalOutput = String(workerResponse.output);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst response: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: finalOutput,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\n\t\t\t\t\t\t\tworkerResponse.image_id || \"\",\n\t\t\t\t\t\t\t\"hex\",\n\t\t\t\t\t\t),\n\t\t\t\t\t\tzk_receipt: workerResponse.zk_receipt\n\t\t\t\t\t\t\t? Buffer.from(workerResponse.zk_receipt, \"base64\")\n\t\t\t\t\t\t\t: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: false,\n\t\t\t\t\t};\n\n\t\t\t\t\t// Final PII check for gRPC egress\n\t\t\t\t\tconst violation = await this.piiScanner.scan([\n\t\t\t\t\t\t{ type: \"text\", text: finalOutput },\n\t\t\t\t\t]);\n\t\t\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(finalOutput),\n\t\t\t\t\t);\n\t\t\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller\n\t\t\t\t\t\tconst internalReason =\n\t\t\t\t\t\t\tviolation || \"Aggregation-First Policy Violation\";\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tresponse.semantic_evidence =\n\t\t\t\t\t\t\t\"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\t\t\t\t\t\tresponse.is_error = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tcall.write(response, () => {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t});\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tconst isDev =\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\";\n\n\t\t\t\t\tconst detail = e.message || String(error);\n\t\t\t\t\tlog.error(`[LIOP-RPC] Execution Error: ${detail}`);\n\n\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t? `Execution Error: ${detail}`\n\t\t\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\t\t\t// Send error response before closing, avoiding \"stream closed without results\"\n\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t};\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t});\n\t\t\t\t\t} catch (_writeErr) {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t});\n\n\t\tthis.boundPort = await this.rpcServer.listen(port);\n\t\tlog.info(\n\t\t\t`[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`,\n\t\t);\n\t}\n\n\t/**\n\t * Internal worker execution with Egress Filtering logic.\n\t */\n\tprivate async executeInWorkerPool(\n\t\t_args: Record<string, unknown>,\n\t\trawPayload: string,\n\t\ttoolName?: string,\n\t): Promise<CallToolResult> {\n\t\ttry {\n\t\t\t// Transparent local execution without dynamic PQC\n\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\tciphertext: new Uint8Array(0),\n\t\t\t\tsecretKeyObj: Array.from(new Uint8Array(0)),\n\t\t\t\tkyberPublicKey: new Uint8Array(0),\n\t\t\t\twasmBinary: Buffer.from(rawPayload),\n\t\t\t\tinputs: {},\n\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\tsessionToken: \"local-dev-token\",\n\t\t\t\tisEncrypted: false, // Use plaintext for local Logic-on-Origin injection\n\t\t\t});\n\n\t\t\t// Standard MCP Content Array\n\t\t\tconst textOutput = JSON.stringify({\n\t\t\t\tcomputation_result: workerResponse.output,\n\t\t\t\timage_id: workerResponse.image_id,\n\t\t\t\tzk_receipt: workerResponse.zk_receipt,\n\t\t\t\tstatus: \"Worker Pool Execution Success\",\n\t\t\t});\n\n\t\t\tconst content = [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\ttext: textOutput,\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst toolPolicy = toolName\n\t\t\t\t? this.tools.get(toolName)?.policy\n\t\t\t\t: undefined;\n\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\tworkerResponse.output,\n\t\t\t\ttoolPolicy,\n\t\t\t);\n\t\t\tif (policyViolation) {\n\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller in Production\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? policyViolation\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Professional PII Protection Guard\n\t\t\tconst violation = await this.piiScanner.scan(content);\n\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\tworkerResponse.output,\n\t\t\t);\n\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t// SEC-CRITICAL: Log the specific violation reason server-side only.\n\t\t\t\t// Never expose detection details (entity names, matched values) to the caller in Production.\n\t\t\t\tconst internalReason =\n\t\t\t\t\tviolation ||\n\t\t\t\t\t\"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.\";\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? `[LIOP] Egress Security Violation: ${internalReason}`\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn { content };\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\tconst detail = e.message || String(error);\n\t\t\tlog.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);\n\n\t\t\tconst errorMessage = isDev\n\t\t\t\t? `WorkerPoolError: ${detail}`\n\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Safely destroys the worker pool, gRPC server, and Mesh node.\n\t * Recommended to be called during graceful shutdowns or test teardowns.\n\t */\n\tpublic async close(): Promise<void> {\n\t\tif (this.workerPool) {\n\t\t\tawait this.workerPool.close({ force: true });\n\t\t}\n\t\tif (this.rpcServer) {\n\t\t\tawait this.rpcServer.stop();\n\t\t}\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t}\n}\n"]}
package/dist/chunk-XLVRRGOX.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/bridge/stream.ts","../src/bridge/index.ts"],"names":["DEFAULT_MAX_SESSIONS_PER_IP","DEFAULT_SESSION_TIMEOUT_MS","EVICTION_INTERVAL_MS","LiopStreamBridge","internalServer","options","Hono","LiopMcpBridge","clientIp","WebStandardStreamableHTTPServerTransport","transport","randomUUID","sessionId","log","message","entry","result","err","ip","count","c","now","cors","next","auth","expectedToken","existing","response","currentSessions","port","listenPort","resolve","serve","info","id","source","payload","method","params","tools","resources","prompts","request","code","contentText","data","LiopVerifier","e","LiopServer","legacy","name","tool","t","args","uri","resource","r","rl","shutdown","line"],"mappings":"+JA6BA,IAAMA,EAA8B,EAAA,CAC9BC,CAAAA,CAA6B,IAAA,CAAU,GAAA,CACvCC,EAAuB,EAAA,CAAK,GAAA,CAgBrBC,CAAAA,CAAN,KAAuB,CAS7B,WAAA,CACCC,CAAAA,CACQC,CAAAA,CAAmC,GAC1C,CADO,IAAA,CAAA,OAAA,CAAAA,EAER,IAAA,CAAK,GAAA,CAAM,IAAIC,IAAAA,CACf,IAAA,CAAK,WAAA,CAAc,IAAIC,EAAcH,CAAc,CAAA,CACnD,IAAA,CAAK,cAAA,CAAiB,IAAI,GAAA,CAC1B,IAAA,CAAK,gBAAA,CACJC,CAAAA,CAAQ,kBAAoBL,CAAAA,CAC7B,IAAA,CAAK,iBACJK,CAAAA,CAAQ,gBAAA,EAAoBJ,EAE7B,IAAA,CAAK,WAAA,GACN,CArBQ,IACA,UAAA,CAA8C,IAAA,CAC9C,WAAA,CACA,cAAA,CACA,cAAuD,IAAA,CACvD,gBAAA,CACA,gBAAA,CAoBR,MAAc,uBACbO,CAAAA,CACoD,CACpD,GAAM,CAAE,wCAAA,CAAAC,CAAyC,CAAA,CAAI,MAAM,OAC1D,+DACD,EACMC,CAAAA,CAAY,IAAID,CAAAA,CAAyC,CAC9D,mBAAoB,IAAME,UAAAA,EAAW,CACrC,oBAAA,CAAuBC,GAAsB,CAC5C,IAAA,CAAK,eAAe,GAAA,CAAIA,CAAAA,CAAW,CAClC,SAAA,CAAAF,CAAAA,CACA,YAAA,CAAc,IAAA,CAAK,KAAI,CACvB,QAAA,CAAAF,CACD,CAAC,EACDK,CAAAA,CAAI,IAAA,CACH,CAAA,oCAAA,EAAuCD,CAAS,SAASJ,CAAQ,CAAA,CAAA,CAClE,EACD,CACD,CAAC,EAGD,OAAAE,CAAAA,CAAU,SAAA,CAAY,MAAOI,GAA4B,CAExD,GAAIJ,CAAAA,CAAU,SAAA,CAAW,CACxB,IAAMK,CAAAA,CAAQ,IAAA,CAAK,cAAA,CAAe,IAAIL,CAAAA,CAAU,SAAS,EACrDK,CAAAA,GAAOA,CAAAA,CAAM,aAAe,IAAA,CAAK,GAAA,EAAI,EAC1C,CAEA,GAAI,CACH,IAAMC,CAAAA,CAAS,MAAM,KAAK,WAAA,CAAY,oBAAA,CACrCF,CACD,CAAA,CAEIE,IAAW,KAAA,CAAA,EACd,MAAMN,EAAU,IAAA,CAAKM,CAAwB,EAE/C,CAAA,MAASC,CAAAA,CAAc,CACtBJ,CAAAA,CAAI,KAAK,qCAAA,CAAwCI,CAAAA,CAAc,OAAO,EACvE,CACD,CAAA,CAEAP,CAAAA,CAAU,OAAA,CAAU,IAAM,CACrBA,CAAAA,CAAU,SAAA,GACb,KAAK,cAAA,CAAe,MAAA,CAAOA,EAAU,SAAS,CAAA,CAC9CG,CAAAA,CAAI,IAAA,CAAK,uCAAuCH,CAAAA,CAAU,SAAS,CAAA,CAAE,CAAA,EAEvE,EAEOA,CACR,CAKQ,iBAAA,CAAkBQ,CAAAA,CAAoB,CAC7C,IAAIC,CAAAA,CAAQ,EACZ,IAAA,IAAWJ,CAAAA,IAAS,KAAK,cAAA,CAAe,MAAA,EAAO,CAC1CA,CAAAA,CAAM,WAAaG,CAAAA,EAAIC,CAAAA,EAAAA,CAE5B,OAAOA,CACR,CAKQ,WAAA,CAAYC,CAAAA,CAET,CACV,OACCA,EAAE,GAAA,CAAI,MAAA,CAAO,iBAAiB,CAAA,EAAG,KAAA,CAAM,GAAG,CAAA,CAAE,CAAC,CAAA,EAAG,IAAA,IAChDA,CAAAA,CAAE,GAAA,CAAI,MAAA,CAAO,WAAW,GACxB,SAEF,CAKQ,iBAAA,EAA0B,CACjC,IAAMC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACrB,IAAA,GAAW,CAACT,CAAAA,CAAWG,CAAK,CAAA,GAAK,IAAA,CAAK,eACjCM,CAAAA,CAAMN,CAAAA,CAAM,YAAA,CAAe,IAAA,CAAK,mBACnCF,CAAAA,CAAI,IAAA,CAAK,CAAA,2CAAA,EAA8CD,CAAS,EAAE,CAAA,CAClEG,CAAAA,CAAM,UAAU,KAAA,EAAM,CAAE,MAAM,IAAM,CAEpC,CAAC,CAAA,CACD,KAAK,cAAA,CAAe,MAAA,CAAOH,CAAS,CAAA,EAGvC,CAEQ,WAAA,EAAc,CACrB,IAAA,CAAK,GAAA,CAAI,IAAI,GAAA,CAAKU,IAAAA,EAAM,CAAA,CAGnB,OAAA,CAAQ,IAAI,gBAAA,GAChB,OAAA,CAAQ,GAAA,CAAI,gBAAA,CAAmBX,YAAW,CAC1CE,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,CAAA,CACvBA,CAAAA,CAAI,KAAK,0DAAsC,CAAA,CAC/CA,EAAI,IAAA,CAAK,2CAA2C,EACpDA,CAAAA,CAAI,IAAA,CAAK,+DAA+D,CAAA,CACxEA,EAAI,IAAA,CAAK,CAAA,OAAA,EAAU,QAAQ,GAAA,CAAI,gBAAgB,EAAE,CAAA,CACjDA,CAAAA,CAAI,IAAA,CAAK,GAAA,CAAI,OAAO,EAAE,CAAC,GAIxB,IAAA,CAAK,GAAA,CAAI,IAAI,MAAA,CAAQ,MAAOO,CAAAA,CAAGG,CAAAA,GAAS,CACvC,IAAMC,CAAAA,CAAOJ,CAAAA,CAAE,GAAA,CAAI,OAAO,eAAe,CAAA,CAEnCK,CAAAA,CAAgB,OAAA,CAAQ,IAAI,gBAAA,CAClC,GACC,CAACD,CAAAA,EAAM,UAAA,CAAW,SAAS,CAAA,EAC3BA,CAAAA,CAAK,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA,GAAMC,CAAAA,CAEvB,OAAAZ,EAAI,IAAA,CACH,sEACD,CAAA,CACOO,CAAAA,CAAE,KACR,CAAE,KAAA,CAAO,+CAAgD,CAAA,CACzD,GACD,EAGD,MAAMG,CAAAA,GACP,CAAC,EAGD,IAAA,CAAK,GAAA,CAAI,GAAA,CAAI,MAAA,CAAQ,MAAOH,CAAAA,EAAM,CACjC,IAAMR,CAAAA,CAAYQ,EAAE,GAAA,CAAI,MAAA,CAAO,gBAAgB,CAAA,CAG/C,GAAIR,EAAW,CACd,IAAMc,CAAAA,CAAW,IAAA,CAAK,eAAe,GAAA,CAAId,CAAS,CAAA,CAClD,GAAI,CAACc,CAAAA,CACJ,OAAON,CAAAA,CAAE,IAAA,CAAK,CAAE,KAAA,CAAO,mBAAoB,EAAG,GAAG,CAAA,CAGlDM,EAAS,YAAA,CAAe,IAAA,CAAK,GAAA,EAAI,CAEjC,IAAMC,CAAAA,CAAW,MAAMD,CAAAA,CAAS,SAAA,CAAU,cAAcN,CAAAA,CAAE,GAAA,CAAI,GAAG,CAAA,CAIjE,OAAIA,CAAAA,CAAE,GAAA,CAAI,SAAW,QAAA,GACpB,IAAA,CAAK,eAAe,MAAA,CAAOR,CAAS,CAAA,CACpCC,CAAAA,CAAI,KAAK,CAAA,6CAAA,EAAgDD,CAAS,CAAA,CAAE,CAAA,CAAA,CAG9De,CACR,CAIA,IAAMnB,CAAAA,CAAW,IAAA,CAAK,YAAYY,CAAC,CAAA,CAC7BQ,EAAkB,IAAA,CAAK,iBAAA,CAAkBpB,CAAQ,CAAA,CACvD,OAAIoB,CAAAA,EAAmB,IAAA,CAAK,kBAC3Bf,CAAAA,CAAI,IAAA,CACH,CAAA,2CAAA,EAA8CL,CAAQ,KAAKoB,CAAe,CAAA,UAAA,CAC3E,CAAA,CACOR,CAAAA,CAAE,KAAK,CAAE,KAAA,CAAO,wCAAyC,CAAA,CAAG,GAAG,GAIhE,KAAA,CADW,MAAM,IAAA,CAAK,sBAAA,CAAuBZ,CAAQ,CAAA,EACrC,aAAA,CAAcY,CAAAA,CAAE,GAAA,CAAI,GAAG,CAC/C,CAAC,EACF,CAKA,MAAa,KAAA,CAAMS,CAAAA,CAA8B,CAChD,IAAMC,CAAAA,CAAaD,GAAQ,IAAA,CAAK,OAAA,CAAQ,IAAA,EAAQ,GAAA,CAGhD,YAAK,aAAA,CAAgB,WAAA,CACpB,IAAM,IAAA,CAAK,mBAAkB,CAC7B3B,CACD,CAAA,CAEO,IAAI,QAAS6B,CAAAA,EAAY,CAC/B,KAAK,UAAA,CAAaC,KAAAA,CACjB,CACC,KAAA,CAAO,IAAA,CAAK,GAAA,CAAI,KAAA,CAChB,KAAMF,CACP,CAAA,CACCG,CAAAA,EAAS,CACTpB,EAAI,IAAA,CACH,CAAA,gEAAA,EAAmEoB,CAAAA,CAAK,IAAI,MAC7E,CAAA,CACAF,CAAAA,GACD,CACD,EACD,CAAC,CACF,CAKA,MAAa,IAAA,EAAsB,CAC9B,IAAA,CAAK,aAAA,GACR,aAAA,CAAc,IAAA,CAAK,aAAa,CAAA,CAChC,IAAA,CAAK,aAAA,CAAgB,IAAA,CAAA,CAGtB,OAAW,CAACG,CAAAA,CAAInB,CAAK,CAAA,GAAK,IAAA,CAAK,eAC9B,MAAMA,CAAAA,CAAM,SAAA,CAAU,KAAA,GACtB,IAAA,CAAK,cAAA,CAAe,MAAA,CAAOmB,CAAE,EAG1B,IAAA,CAAK,UAAA,GACR,IAAA,CAAK,UAAA,CAAW,OAAM,CACtBrB,CAAAA,CAAI,KAAK,0CAA0C,CAAA,EAErD,CACD,EC5QO,IAAMN,CAAAA,CAAN,KAAoB,CAG1B,WAAA,CAEC4B,CAAAA,CACQ9B,CAAAA,CAA6B,GACpC,CADO,IAAA,CAAA,OAAA,CAAAA,CAAAA,CAIJ8B,CAAAA,EAAQ,aAAa,IAAA,GAAS,YAAA,EACjC,KAAK,UAAA,CAAaA,CAAAA,CAClBtB,EAAI,IAAA,CAAK,gDAAgD,CAAA,EAC/CsB,CAAAA,EAAQ,aAAa,IAAA,GAAS,WAAA,EACxC,IAAA,CAAK,eAAA,CAAkBA,EACvBtB,CAAAA,CAAI,IAAA,CAAK,oDAAoD,CAAA,GAG7D,KAAK,eAAA,CAAkBsB,CAAAA,CACvBtB,EAAI,IAAA,CAAK,6DAA6D,GAExE,CApBQ,UAAA,CAAgC,IAAA,CAChC,eAAA,CAAoC,KAyB5C,MAAa,oBAAA,CACZuB,CAAAA,CACmB,CACnB,IAAMF,CAAAA,CAAKE,CAAAA,CAAQ,EAAA,CACbC,CAAAA,CAASD,EAAQ,MAAA,CACjBE,CAAAA,CAASF,EAAQ,MAAA,CAEvB,OAAIA,EAAQ,OAAA,GAAY,KAAA,CAChB,IAAA,CAAK,aAAA,CAAcF,EAAI,MAAA,CAAQ,iBAAiB,EAIpD,IAAA,CAAK,UAAA,CACD,KAAK,eAAA,CAAgBA,CAAAA,CAAIG,CAAAA,CAAQC,CAAM,EAI3C,IAAA,CAAK,eAAA,EAAmB,KAAK,UAAA,CACzB,IAAA,CAAK,gBAAgBJ,CAAAA,CAAIG,CAAAA,CAAQC,CAAM,CAAA,CAGxC,KAAK,aAAA,CAAcJ,CAAAA,CAAI,MAAA,CAAQ,8BAA8B,CACrE,CAEA,MAAc,eAAA,CACbA,CAAAA,CACAG,EACAC,CAAAA,CACmB,CACnB,GAAI,CAAC,IAAA,CAAK,WAAY,OAAO,IAAA,CAE7B,GAAID,CAAAA,GAAW,aACd,OAAO,IAAA,CAAK,eAAA,CAAgBH,CAAAA,CAAI,CAC/B,eAAA,CAAiB,YAAA,CACjB,YAAA,CAAc,CACb,QAAS,EAAC,CACV,UAAW,EAAC,CACZ,MAAO,EACR,CAAA,CACA,UAAA,CAAY,KAAK,UAAA,CAAW,aAAA,EAC7B,CAAC,EAGF,GAAIG,CAAAA,GAAW,2BAAA,CACf,CAAA,GAAIA,IAAW,MAAA,CAAQ,OAAO,KAAK,eAAA,CAAgBH,CAAAA,CAAI,EAAE,CAAA,CAEzD,GAAIG,CAAAA,GAAW,aAAc,CAC5B,IAAME,CAAAA,CAAQ,IAAA,CAAK,WAAW,SAAA,EAAU,CACxC,OAAO,IAAA,CAAK,gBAAgBL,CAAAA,CAAI,CAAE,MAAAK,CAAM,CAAC,CAC1C,CAEA,GAAIF,CAAAA,GAAW,gBAAA,CAAkB,CAChC,IAAMG,CAAAA,CAAY,IAAA,CAAK,UAAA,CAAW,eAAc,CAChD,OAAO,IAAA,CAAK,eAAA,CAAgBN,EAAI,CAAE,SAAA,CAAAM,CAAU,CAAC,CAC9C,CAEA,GAAIH,CAAAA,GAAW,cAAA,CAAgB,CAC9B,IAAMI,CAAAA,CAAU,IAAA,CAAK,UAAA,CAAW,WAAA,GAChC,OAAO,IAAA,CAAK,eAAA,CAAgBP,CAAAA,CAAI,CAAE,OAAA,CAAAO,CAAQ,CAAC,CAC5C,CAEA,GAAIJ,CAAAA,GAAW,aAAA,CAAe,CAC7B,GAAI,CAACC,CAAAA,EAAQ,IAAA,CACZ,OAAO,IAAA,CAAK,cAAcJ,CAAAA,CAAI,MAAA,CAAQ,qBAAqB,CAAA,CAE5D,GAAI,CACH,IAAMlB,EAAS,MAAM,IAAA,CAAK,WAAW,SAAA,CAAU,CAC9C,IAAA,CAAMsB,CAAAA,CAAO,KACb,SAAA,CAAWA,CAAAA,CAAO,SACnB,CAAC,EACD,OAAO,IAAA,CAAK,eAAA,CAAgBJ,CAAAA,CAAIlB,CAAM,CACvC,CAAA,MAASC,EAAc,CACtB,OAAO,KAAK,aAAA,CAAciB,CAAAA,CAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,IAAW,gBAAA,CAAkB,CAChC,GAAI,CAACC,GAAQ,GAAA,CACZ,OAAO,KAAK,aAAA,CAAcJ,CAAAA,CAAI,OAAQ,sBAAsB,CAAA,CAE7D,GAAI,CACH,IAAMlB,CAAAA,CAAS,MAAM,IAAA,CAAK,UAAA,CAAW,aAAasB,CAAAA,CAAO,GAAa,CAAA,CACtE,OAAO,KAAK,eAAA,CAAgBJ,CAAAA,CAAIlB,CAAM,CACvC,CAAA,MAASC,EAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,EAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,GAAIoB,CAAAA,GAAW,YAAA,CAAc,CAC5B,GAAI,CAACC,GAAQ,IAAA,CACZ,OAAO,KAAK,aAAA,CAAcJ,CAAAA,CAAI,MAAA,CAAQ,mBAAmB,EAE1D,IAAMQ,CAAAA,CAA2B,CAChC,IAAA,CAAMJ,EAAO,IAAA,CACb,SAAA,CAAYA,CAAAA,CAAO,SAAA,EAAyC,EAC7D,CAAA,CAEA,GAAI,CACH,IAAMtB,EAAyB,MAAM,IAAA,CAAK,UAAA,CAAW,QAAA,CAAS0B,CAAO,CAAA,CAGrE,OAFmB,MAAM,IAAA,CAAK,gBAAgBA,CAAAA,CAAS1B,CAAM,CAAA,CActD,IAAA,CAAK,gBAAgBkB,CAAAA,CAAIlB,CAAM,EAX9B,IAAA,CAAK,eAAA,CAAgBkB,EAAI,CAC/B,OAAA,CAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CAAM,sHACP,CACD,EACA,OAAA,CAAS,CAAA,CACV,CAAC,CAIH,OAASjB,CAAAA,CAAc,CACtB,OAAO,IAAA,CAAK,aAAA,CAAciB,EAAI,KAAA,CAASjB,CAAAA,CAAc,OAAO,CAC7D,CACD,CAEA,OAAO,IAAA,CAAK,aAAA,CAAciB,EAAI,MAAA,CAAQ,kBAAkB,CAAA,CACzD,CAEQ,gBACPA,CAAAA,CACAlB,CAAAA,CACC,CACD,OAAO,CAAE,QAAS,KAAA,CAAO,EAAA,CAAAkB,CAAAA,CAAI,MAAA,CAAAlB,CAAO,CACrC,CAEQ,cAAckB,CAAAA,CAAqBS,CAAAA,CAAc7B,EAAiB,CACzE,OAAO,CAAE,OAAA,CAAS,MAAO,EAAA,CAAAoB,CAAAA,CAAI,MAAO,CAAE,IAAA,CAAAS,EAAM,OAAA,CAAA7B,CAAQ,CAAE,CACvD,CAEA,MAAc,eAAA,CACb4B,CAAAA,CACA1B,CAAAA,CACmB,CACnB,GACC,CAAC0B,CAAAA,CAAQ,SAAA,EAAW,SACpB,OAAOA,CAAAA,CAAQ,UAAU,OAAA,EAAY,QAAA,CAErC,OAAO,KAAA,CAGR,GAAI,CACH,IAAMN,EAAUM,CAAAA,CAAQ,SAAA,CAAU,OAAA,CAC5BE,CAAAA,CAAc5B,EAAO,OAAA,CAAQ,CAAC,CAAA,EAAG,IAAA,CAEvC,GAAI4B,CAAAA,EAAe,OAAOA,GAAgB,QAAA,CACzC,GAAI,CACH,IAAMC,CAAAA,CAAO,IAAA,CAAK,KAAA,CAAMD,CAAW,CAAA,CAEnC,GAAIC,CAAAA,CAAK,QAAA,EAAYA,EAAK,UAAA,CAAY,CAErC,GAAM,CAAE,aAAAC,CAAa,CAAA,CAAI,MAAM,OAAO,wBAAuB,EAU7D,GAAI,CANgB,MAHH,IAAIA,GAAa,CAGC,eAAA,CAClC,MAAA,CAAO,IAAA,CAAKV,EAAS,OAAO,CAAA,CAC5BS,CAAAA,CAAK,QAAA,CACL,OAAO,IAAA,CAAKA,CAAAA,CAAK,YAAc,EAAA,CAAI,QAAQ,CAC5C,CAAA,CAGC,OAAO,CAAA,CAAA,CAGRA,CAAAA,CAAK,aACJ,yEAAA,CACD7B,CAAAA,CAAO,OAAA,CAAQ,CAAC,EAAE,IAAA,CAAO,IAAA,CAAK,SAAA,CAAU6B,CAAI,EAC7C,CACD,CAAA,KAAQ,CAER,CAED,OAAO,EACR,CAAA,MAASE,CAAAA,CAAG,CACX,OAAAlC,EAAI,IAAA,CAAK,oCAAA,CAAsCkC,CAAC,CAAA,CACzC,KACR,CACD,CAKA,MAAa,OAAA,EAAyB,CAErC,GAAI,IAAA,CAAK,gBAAiB,CACzB,GAAM,CAAE,UAAA,CAAAC,CAAW,CAAA,CAAI,aAAa,aAAoB,CAAA,CASxD,GARA,IAAA,CAAK,WAAa,IAAIA,CAAAA,CACrB,IAAA,CAAK,OAAA,CAAQ,YAAc,CAC1B,IAAA,CAAM,cACN,OAAA,CAAS,OACV,EACA,CAAE,QAAA,CAAU,IAAA,CAAK,OAAA,CAAQ,QAAS,CACnC,CAAA,CAEI,IAAA,CAAK,OAAA,CAAQ,cAAe,CAC/B,MAAM,IAAA,CAAK,UAAA,CAAW,SAAQ,CAI9B,IAAMC,EAAS,IAAA,CAAK,eAAA,CAGpB,GAAIA,CAAAA,CAAO,gBAAA,CACV,IAAA,GAAW,CAACC,EAAMC,CAAI,CAAA,GAAK,MAAA,CAAO,OAAA,CAAQF,EAAO,gBAAgB,CAAA,CAAG,CAEnE,IAAMG,EAAID,CAAAA,CACV,IAAA,CAAK,WAAW,IAAA,CACfD,CAAAA,CACAE,EAAE,WAAA,EAAe,EAAA,CACjBA,CAAAA,CAAE,WAAA,EAAe,EAAC,CAElB,MAAOC,CAAAA,EACC,MAAMD,EAAE,OAAA,CAAQC,CAAI,CAE7B,EACD,CAID,GAAIJ,CAAAA,CAAO,qBACV,IAAA,GAAW,CAACK,EAAKC,CAAQ,CAAA,GAAK,MAAA,CAAO,OAAA,CACpCN,EAAO,oBACR,CAAA,CAAG,CAEF,IAAMO,EAAID,CAAAA,CACV,IAAA,CAAK,UAAA,CAAW,QAAA,CACfC,EAAE,IAAA,CACFF,CAAAA,CACAE,EAAE,QAAA,EAAU,WAAA,EAAe,GAC3BA,CAAAA,CAAE,QAAA,EAAU,QAAA,EAAY,0BAAA,CACxB,UACa,MAAMA,CAAAA,CAAE,YAAA,CAAa,IAAI,IAAIF,CAAG,CAAC,CAAA,EAClC,QAAA,CAAS,CAAC,CAAA,CAAE,IAEzB,EACD,CAEF,CACA,MACD,CAIA,IAAMG,CAAAA,CAAAA,CADW,aAAa,UAAe,CAAA,EACzB,eAAA,CAAgB,CACnC,MAAO,OAAA,CAAQ,KAAA,CACf,MAAA,CAAQ,OAAA,CAAQ,OAChB,QAAA,CAAU,KACX,CAAC,CAAA,CAEKC,CAAAA,CAAW,SAAY,CAC5B7C,CAAAA,CAAI,IAAA,CAAK,wCAAwC,EAC7C,IAAA,CAAK,UAAA,EAAY,MAAM,IAAA,CAAK,WAAW,KAAA,EAAM,CACjD,OAAA,CAAQ,IAAA,CAAK,CAAC,EACf,CAAA,CAEA4C,EAAG,EAAA,CAAG,OAAA,CAASC,CAAQ,CAAA,CACvB,OAAA,CAAQ,EAAA,CAAG,QAAA,CAAUA,CAAQ,CAAA,CAC7B,OAAA,CAAQ,EAAA,CAAG,SAAA,CAAWA,CAAQ,CAAA,CAE9BD,CAAAA,CAAG,EAAA,CAAG,MAAA,CAAQ,MAAOE,CAAAA,EAAS,CAC7B,GAAKA,CAAAA,CAAK,IAAA,GACV,GAAI,CACH,IAAMvB,CAAAA,CAAU,KAAK,KAAA,CAAMuB,CAAI,EACzBhC,CAAAA,CAAW,MAAM,KAAK,oBAAA,CAAqBS,CAAO,CAAA,CACpDT,CAAAA,EACH,QAAQ,MAAA,CAAO,KAAA,CAAM,GAAG,IAAA,CAAK,SAAA,CAAUA,CAAQ,CAAC;AAAA,CAAI,EAEtD,CAAA,MAASoB,CAAAA,CAAY,CACpBlC,EAAI,KAAA,CAAM,CAAA,qBAAA,EAAyBkC,CAAAA,CAAY,OAAO,CAAA,CAAE,EACzD,CACD,CAAC,EACF,CACD","file":"chunk-XLVRRGOX.js","sourcesContent":["import { randomUUID } from \"node:crypto\";\nimport { serve } from \"@hono/node-server\";\nimport type { WebStandardStreamableHTTPServerTransport } from \"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\";\nimport type { JSONRPCMessage } from \"@modelcontextprotocol/sdk/types.js\";\nimport { Hono } from \"hono\";\nimport { cors } from \"hono/cors\";\nimport type { LiopServer } from \"../server/index.js\";\nimport { log } from \"../utils/logger.js\";\nimport { LiopMcpBridge } from \"./index.js\";\n\n/**\n * Configuration options for LiopStreamBridge.\n */\nexport interface LiopStreamBridgeOptions {\n\t/** Port to listen on (default: 3000) */\n\tport?: number;\n\t/** Max concurrent sessions per IP (default: 5) */\n\tmaxSessionsPerIp?: number;\n\t/** Session idle timeout in milliseconds (default: 30 min) */\n\tsessionTimeoutMs?: number;\n}\n\n/** Internal metadata for tracked sessions */\ninterface SessionEntry {\n\ttransport: WebStandardStreamableHTTPServerTransport;\n\tlastActivity: number;\n\tclientIp: string;\n}\n\nconst DEFAULT_MAX_SESSIONS_PER_IP = 10;\nconst DEFAULT_SESSION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes\nconst EVICTION_INTERVAL_MS = 60 * 1000; // Check every minute\n\n/**\n * LiopStreamBridge\n *\n * Exposes a LiopServer over a remote HTTP network using the industry-standard\n * MCP Streamable HTTP Transport + Hono JS.\n *\n * Supports concurrent multi-client connections via per-session transport instances (Map pattern).\n * External agents connect using only a URL + Bearer Token (Zero-Trust).\n *\n * Security hardening:\n * - Zero-Trust Bearer Token enforcement\n * - Per-IP rate limiting on session creation\n * - Automatic eviction of idle sessions (TTL)\n */\nexport class LiopStreamBridge {\n\tprivate app: Hono;\n\tprivate httpServer: ReturnType<typeof serve> | null = null;\n\tprivate bridgeLogic: LiopMcpBridge;\n\tprivate activeSessions: Map<string, SessionEntry>;\n\tprivate evictionTimer: ReturnType<typeof setInterval> | null = null;\n\tprivate maxSessionsPerIp: number;\n\tprivate sessionTimeoutMs: number;\n\n\tconstructor(\n\t\tinternalServer: LiopServer,\n\t\tprivate options: LiopStreamBridgeOptions = {},\n\t) {\n\t\tthis.app = new Hono();\n\t\tthis.bridgeLogic = new LiopMcpBridge(internalServer);\n\t\tthis.activeSessions = new Map();\n\t\tthis.maxSessionsPerIp =\n\t\t\toptions.maxSessionsPerIp ?? DEFAULT_MAX_SESSIONS_PER_IP;\n\t\tthis.sessionTimeoutMs =\n\t\t\toptions.sessionTimeoutMs ?? DEFAULT_SESSION_TIMEOUT_MS;\n\n\t\tthis.setupRoutes();\n\t}\n\n\t/**\n\t * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.\n\t */\n\tprivate async createSessionTransport(\n\t\tclientIp: string,\n\t): Promise<WebStandardStreamableHTTPServerTransport> {\n\t\tconst { WebStandardStreamableHTTPServerTransport } = await import(\n\t\t\t\"@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js\"\n\t\t);\n\t\tconst transport = new WebStandardStreamableHTTPServerTransport({\n\t\t\tsessionIdGenerator: () => randomUUID(),\n\t\t\tonsessioninitialized: (sessionId: string) => {\n\t\t\t\tthis.activeSessions.set(sessionId, {\n\t\t\t\t\ttransport,\n\t\t\t\t\tlastActivity: Date.now(),\n\t\t\t\t\tclientIp,\n\t\t\t\t});\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Session opened: ${sessionId} (IP: ${clientIp})`,\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\t// Wire the transport's incoming messages to the LiopMcpBridge JSON-RPC router\n\t\ttransport.onmessage = async (message: JSONRPCMessage) => {\n\t\t\t// Touch activity timestamp on every message\n\t\t\tif (transport.sessionId) {\n\t\t\t\tconst entry = this.activeSessions.get(transport.sessionId);\n\t\t\t\tif (entry) entry.lastActivity = Date.now();\n\t\t\t}\n\n\t\t\ttry {\n\t\t\t\tconst result = await this.bridgeLogic.handleJsonRpcRequest(\n\t\t\t\t\tmessage as unknown as Record<string, unknown>,\n\t\t\t\t);\n\t\t\t\t// Notifications return undefined — no response needed\n\t\t\t\tif (result !== undefined) {\n\t\t\t\t\tawait transport.send(result as JSONRPCMessage);\n\t\t\t\t}\n\t\t\t} catch (err: unknown) {\n\t\t\t\tlog.info(\"[LIOP-StreamBridge] JSON-RPC error:\", (err as Error).message);\n\t\t\t}\n\t\t};\n\n\t\ttransport.onclose = () => {\n\t\t\tif (transport.sessionId) {\n\t\t\t\tthis.activeSessions.delete(transport.sessionId);\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed: ${transport.sessionId}`);\n\t\t\t}\n\t\t};\n\n\t\treturn transport;\n\t}\n\n\t/**\n\t * Returns the number of active sessions for a given IP.\n\t */\n\tprivate countSessionsByIp(ip: string): number {\n\t\tlet count = 0;\n\t\tfor (const entry of this.activeSessions.values()) {\n\t\t\tif (entry.clientIp === ip) count++;\n\t\t}\n\t\treturn count;\n\t}\n\n\t/**\n\t * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).\n\t */\n\tprivate getClientIp(c: {\n\t\treq: { header: (name: string) => string | undefined };\n\t}): string {\n\t\treturn (\n\t\t\tc.req.header(\"x-forwarded-for\")?.split(\",\")[0]?.trim() ||\n\t\t\tc.req.header(\"x-real-ip\") ||\n\t\t\t\"unknown\"\n\t\t);\n\t}\n\n\t/**\n\t * Evicts sessions that have been idle longer than the configured timeout.\n\t */\n\tprivate evictIdleSessions(): void {\n\t\tconst now = Date.now();\n\t\tfor (const [sessionId, entry] of this.activeSessions) {\n\t\t\tif (now - entry.lastActivity > this.sessionTimeoutMs) {\n\t\t\t\tlog.info(`[LIOP-StreamBridge] Evicting idle session: ${sessionId}`);\n\t\t\t\tentry.transport.close().catch(() => {\n\t\t\t\t\t/* Swallow close errors */\n\t\t\t\t});\n\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t}\n\t\t}\n\t}\n\n\tprivate setupRoutes() {\n\t\tthis.app.use(\"*\", cors());\n\n\t\t// Initialize strict zero-trust token if not provided\n\t\tif (!process.env.ZERO_TRUST_TOKEN) {\n\t\t\tprocess.env.ZERO_TRUST_TOKEN = randomUUID();\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t\tlog.info(\"⚠️ STRICT ZERO-TRUST MODE ENABLED ⚠️\");\n\t\t\tlog.info(\"No ZERO_TRUST_TOKEN found in environment.\");\n\t\t\tlog.info(\"A secure ephemeral token has been generated for this session:\");\n\t\t\tlog.info(`Token: ${process.env.ZERO_TRUST_TOKEN}`);\n\t\t\tlog.info(\"=\".repeat(60));\n\t\t}\n\n\t\t// ZTA (Zero-Trust Architecture) Security Middleware\n\t\tthis.app.use(\"/mcp\", async (c, next) => {\n\t\t\tconst auth = c.req.header(\"Authorization\");\n\n\t\t\tconst expectedToken = process.env.ZERO_TRUST_TOKEN;\n\t\t\tif (\n\t\t\t\t!auth?.startsWith(\"Bearer \") ||\n\t\t\t\tauth.split(\" \")[1] !== expectedToken\n\t\t\t) {\n\t\t\t\tlog.info(\n\t\t\t\t\t\"[LIOP-StreamBridge] ALERT: Access denied - Invalid Zero-Trust token.\",\n\t\t\t\t);\n\t\t\t\treturn c.json(\n\t\t\t\t\t{ error: \"Unauthorized: LIOP Zero-Trust Policy Enforced\" },\n\t\t\t\t\t401,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tawait next();\n\t\t});\n\n\t\t// Multi-Session Streamable HTTP Handler\n\t\tthis.app.all(\"/mcp\", async (c) => {\n\t\t\tconst sessionId = c.req.header(\"mcp-session-id\");\n\n\t\t\t// Route to existing session if session ID is present\n\t\t\tif (sessionId) {\n\t\t\t\tconst existing = this.activeSessions.get(sessionId);\n\t\t\t\tif (!existing) {\n\t\t\t\t\treturn c.json({ error: \"Session not found\" }, 404);\n\t\t\t\t}\n\t\t\t\t// Touch activity on every routed request\n\t\t\t\texisting.lastActivity = Date.now();\n\n\t\t\t\tconst response = await existing.transport.handleRequest(c.req.raw);\n\n\t\t\t\t// If DELETE, the transport closes internally but onclose may not fire.\n\t\t\t\t// Explicitly clean up the session from the Map.\n\t\t\t\tif (c.req.method === \"DELETE\") {\n\t\t\t\t\tthis.activeSessions.delete(sessionId);\n\t\t\t\t\tlog.info(`[LIOP-StreamBridge] Session closed (DELETE): ${sessionId}`);\n\t\t\t\t}\n\n\t\t\t\treturn response;\n\t\t\t}\n\n\t\t\t// No session ID → New client initializing.\n\t\t\t// Rate-limit: enforce max sessions per IP\n\t\t\tconst clientIp = this.getClientIp(c);\n\t\t\tconst currentSessions = this.countSessionsByIp(clientIp);\n\t\t\tif (currentSessions >= this.maxSessionsPerIp) {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-StreamBridge] Rate limit hit for IP: ${clientIp} (${currentSessions} sessions)`,\n\t\t\t\t);\n\t\t\t\treturn c.json({ error: \"Too Many Sessions: Rate limit exceeded\" }, 429);\n\t\t\t}\n\n\t\t\tconst transport = await this.createSessionTransport(clientIp);\n\t\t\treturn await transport.handleRequest(c.req.raw);\n\t\t});\n\t}\n\n\t/**\n\t * Starts the LiopStreamBridge HTTP server and session eviction timer.\n\t */\n\tpublic async start(port?: number): Promise<void> {\n\t\tconst listenPort = port ?? this.options.port ?? 3000;\n\n\t\t// Start the idle session eviction timer\n\t\tthis.evictionTimer = setInterval(\n\t\t\t() => this.evictIdleSessions(),\n\t\t\tEVICTION_INTERVAL_MS,\n\t\t);\n\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.httpServer = serve(\n\t\t\t\t{\n\t\t\t\t\tfetch: this.app.fetch,\n\t\t\t\t\tport: listenPort,\n\t\t\t\t},\n\t\t\t\t(info) => {\n\t\t\t\t\tlog.info(\n\t\t\t\t\t\t`[LIOP-StreamBridge] Streamable HTTP Gateway on http://localhost:${info.port}/mcp`,\n\t\t\t\t\t);\n\t\t\t\t\tresolve();\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\t/**\n\t * Graceful shutdown — closes all active sessions, stops timers, and releases port.\n\t */\n\tpublic async stop(): Promise<void> {\n\t\tif (this.evictionTimer) {\n\t\t\tclearInterval(this.evictionTimer);\n\t\t\tthis.evictionTimer = null;\n\t\t}\n\n\t\tfor (const [id, entry] of this.activeSessions) {\n\t\t\tawait entry.transport.close();\n\t\t\tthis.activeSessions.delete(id);\n\t\t}\n\n\t\tif (this.httpServer) {\n\t\t\tthis.httpServer.close();\n\t\t\tlog.info(\"[LIOP-StreamBridge] HTTP ports released.\");\n\t\t}\n\t}\n}\n","import type { McpServer } from \"@modelcontextprotocol/sdk/server/mcp.js\";\nimport type { LiopServer, LiopServerOptions } from \"../server/index.js\";\nimport type { CallToolRequest, CallToolResult } from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\n\nexport interface LiopBridgeOptions {\n\tpublishToMesh?: boolean;\n\tmeshIdentity?: string;\n\tserverInfo?: {\n\t\tname: string;\n\t\tversion: string;\n\t};\n\tsecurity?: LiopServerOptions[\"security\"];\n}\n\n/**\n * LIOP MCP Bridge\n * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,\n * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.\n */\nexport class LiopMcpBridge {\n\tprivate liopServer: LiopServer | null = null;\n\tprivate legacyMcpServer: McpServer | null = null;\n\tconstructor(\n\t\t// biome-ignore lint/suspicious/noExplicitAny: polymorphic source detection\n\t\tsource: LiopServer | McpServer | any,\n\t\tprivate options: LiopBridgeOptions = {},\n\t) {\n\t\t// Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)\n\t\t// We use constructor name check to avoid hard dependency on optional SDK at runtime start\n\t\tif (source?.constructor?.name === \"LiopServer\") {\n\t\t\tthis.liopServer = source as LiopServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)\");\n\t\t} else if (source?.constructor?.name === \"McpServer\") {\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)\");\n\t\t} else {\n\t\t\t// Fallback for inferred legacy MCP servers\n\t\t\tthis.legacyMcpServer = source as McpServer;\n\t\t\tlog.info(\"[LIOP-Bridge] Mode: WRAP (Inferred Legacy MCP -> LIOP Mesh)\");\n\t\t}\n\t}\n\n\t/**\n\t * Handles an incoming standard MCP JSON-RPC 2.0 payload.\n\t * Pipes it to the underlying server (LIOP or Legacy MCP).\n\t */\n\tpublic async handleJsonRpcRequest(\n\t\tpayload: Record<string, unknown>,\n\t): Promise<unknown> {\n\t\tconst id = payload.id as string | number;\n\t\tconst method = payload.method as string;\n\t\tconst params = payload.params as Record<string, unknown> | undefined;\n\n\t\tif (payload.jsonrpc !== \"2.0\") {\n\t\t\treturn this.errorResponse(id, -32600, \"Invalid Request\");\n\t\t}\n\n\t\t// Mode: EXPOSE (Standard behavior used by Claude Desktop)\n\t\tif (this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\t// Mode: WRAP (Redirecting via internal LiopServer after connect())\n\t\tif (this.legacyMcpServer && this.liopServer) {\n\t\t\treturn this.handleLiopToMcp(id, method, params);\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Bridge source not configured\");\n\t}\n\n\tprivate async handleLiopToMcp(\n\t\tid: string | number,\n\t\tmethod: string,\n\t\tparams: Record<string, unknown> | undefined,\n\t): Promise<unknown> {\n\t\tif (!this.liopServer) return null;\n\n\t\tif (method === \"initialize\") {\n\t\t\treturn this.successResponse(id, {\n\t\t\t\tprotocolVersion: \"2025-11-25\",\n\t\t\t\tcapabilities: {\n\t\t\t\t\tprompts: {},\n\t\t\t\t\tresources: {},\n\t\t\t\t\ttools: {},\n\t\t\t\t},\n\t\t\t\tserverInfo: this.liopServer.getServerInfo(),\n\t\t\t});\n\t\t}\n\n\t\tif (method === \"notifications/initialized\") return undefined;\n\t\tif (method === \"ping\") return this.successResponse(id, {});\n\n\t\tif (method === \"tools/list\") {\n\t\t\tconst tools = this.liopServer.listTools();\n\t\t\treturn this.successResponse(id, { tools });\n\t\t}\n\n\t\tif (method === \"resources/list\") {\n\t\t\tconst resources = this.liopServer.listResources();\n\t\t\treturn this.successResponse(id, { resources });\n\t\t}\n\n\t\tif (method === \"prompts/list\") {\n\t\t\tconst prompts = this.liopServer.listPrompts();\n\t\t\treturn this.successResponse(id, { prompts });\n\t\t}\n\n\t\tif (method === \"prompts/get\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing prompt name\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.getPrompt({\n\t\t\t\t\tname: params.name as string,\n\t\t\t\t\targuments: params.arguments as Record<string, string> | undefined,\n\t\t\t\t});\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"resources/read\") {\n\t\t\tif (!params?.uri) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing resource URI\");\n\t\t\t}\n\t\t\ttry {\n\t\t\t\tconst result = await this.liopServer.readResource(params.uri as string);\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\tif (method === \"tools/call\") {\n\t\t\tif (!params?.name) {\n\t\t\t\treturn this.errorResponse(id, -32602, \"Missing tool name\");\n\t\t\t}\n\t\t\tconst request: CallToolRequest = {\n\t\t\t\tname: params.name as string,\n\t\t\t\targuments: (params.arguments as Record<string, unknown>) || {},\n\t\t\t};\n\n\t\t\ttry {\n\t\t\t\tconst result: CallToolResult = await this.liopServer.callTool(request);\n\t\t\t\tconst isVerified = await this.verifyZkReceipt(request, result);\n\n\t\t\t\tif (!isVerified) {\n\t\t\t\t\treturn this.successResponse(id, {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t});\n\t\t\t\t}\n\n\t\t\t\treturn this.successResponse(id, result);\n\t\t\t} catch (err: unknown) {\n\t\t\t\treturn this.errorResponse(id, -32000, (err as Error).message);\n\t\t\t}\n\t\t}\n\n\t\treturn this.errorResponse(id, -32601, \"Method not found\");\n\t}\n\n\tprivate successResponse(\n\t\tid: string | number | null | undefined,\n\t\tresult: unknown,\n\t) {\n\t\treturn { jsonrpc: \"2.0\", id, result };\n\t}\n\n\tprivate errorResponse(id: string | number, code: number, message: string) {\n\t\treturn { jsonrpc: \"2.0\", id, error: { code, message } };\n\t}\n\n\tprivate async verifyZkReceipt(\n\t\trequest: CallToolRequest,\n\t\tresult: CallToolResult,\n\t): Promise<boolean> {\n\t\tif (\n\t\t\t!request.arguments?.payload ||\n\t\t\ttypeof request.arguments.payload !== \"string\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\ttry {\n\t\t\tconst payload = request.arguments.payload as string;\n\t\t\tconst contentText = result.content[0]?.text;\n\n\t\t\tif (contentText && typeof contentText === \"string\") {\n\t\t\t\ttry {\n\t\t\t\t\tconst data = JSON.parse(contentText);\n\n\t\t\t\t\tif (data.image_id || data.zk_receipt) {\n\t\t\t\t\t\t// 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )\n\t\t\t\t\t\tconst { LiopVerifier } = await import(\"../crypto/verifier.js\");\n\t\t\t\t\t\tconst verifier = new LiopVerifier();\n\n\t\t\t\t\t\t// 2. Delegate the heavy mathematical check (ZK Journal + Seal)\n\t\t\t\t\t\tconst isAuthentic = await verifier.verifyZkReceipt(\n\t\t\t\t\t\t\tBuffer.from(payload, \"utf-8\"),\n\t\t\t\t\t\t\tdata.image_id,\n\t\t\t\t\t\t\tBuffer.from(data.zk_receipt || \"\", \"base64\"),\n\t\t\t\t\t\t);\n\n\t\t\t\t\t\tif (!isAuthentic) {\n\t\t\t\t\t\t\treturn false;\n\t\t\t\t\t\t}\n\n\t\t\t\t\t\tdata.audit_status =\n\t\t\t\t\t\t\t\"VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge\";\n\t\t\t\t\t\tresult.content[0].text = JSON.stringify(data);\n\t\t\t\t\t}\n\t\t\t\t} catch {\n\t\t\t\t\t// Output not JSON\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn true;\n\t\t} catch (e) {\n\t\t\tlog.info(\"[LIOP-Bridge] ZK-Verifier Failure:\", e);\n\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Connects the bridge via stdio or Mesh depending on mode.\n\t */\n\tpublic async connect(): Promise<void> {\n\t\t// In WRAP mode, we actually need to create a LiopServer and join the mesh\n\t\tif (this.legacyMcpServer) {\n\t\t\tconst { LiopServer } = await import(\"../server/index.js\");\n\t\t\tthis.liopServer = new LiopServer(\n\t\t\t\tthis.options.serverInfo || {\n\t\t\t\t\tname: \"liop-bridge\",\n\t\t\t\t\tversion: \"1.0.0\",\n\t\t\t\t},\n\t\t\t\t{ security: this.options.security },\n\t\t\t);\n\n\t\t\tif (this.options.publishToMesh) {\n\t\t\t\tawait this.liopServer.connect();\n\n\t\t\t\t// Automatically Bridge Legacy Capabilities to LIOP Mesh\n\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported\n\t\t\t\tconst legacy = this.legacyMcpServer as any;\n\n\t\t\t\t// 1. Sync Tools\n\t\t\t\tif (legacy._registeredTools) {\n\t\t\t\t\tfor (const [name, tool] of Object.entries(legacy._registeredTools)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst t = tool as any;\n\t\t\t\t\t\tthis.liopServer.tool(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tt.description || \"\",\n\t\t\t\t\t\t\tt.inputSchema || {},\n\t\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args\n\t\t\t\t\t\t\tasync (args: any) => {\n\t\t\t\t\t\t\t\treturn await t.handler(args);\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\t// 2. Sync Resources\n\t\t\t\tif (legacy._registeredResources) {\n\t\t\t\t\tfor (const [uri, resource] of Object.entries(\n\t\t\t\t\t\tlegacy._registeredResources,\n\t\t\t\t\t)) {\n\t\t\t\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure\n\t\t\t\t\t\tconst r = resource as any;\n\t\t\t\t\t\tthis.liopServer.resource(\n\t\t\t\t\t\t\tr.name,\n\t\t\t\t\t\t\turi,\n\t\t\t\t\t\t\tr.metadata?.description || \"\",\n\t\t\t\t\t\t\tr.metadata?.mimeType || \"application/octet-stream\",\n\t\t\t\t\t\t\tasync () => {\n\t\t\t\t\t\t\t\tconst res = await r.readCallback(new URL(uri));\n\t\t\t\t\t\t\t\treturn res.contents[0].text;\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn;\n\t\t}\n\n\t\t// In EXPOSE mode, listen to stdio (Claude Desktop)\n\t\tconst readline = await import(\"node:readline\");\n\t\tconst rl = readline.createInterface({\n\t\t\tinput: process.stdin,\n\t\t\toutput: process.stdout,\n\t\t\tterminal: false,\n\t\t});\n\n\t\tconst shutdown = async () => {\n\t\t\tlog.info(\"[LIOP-Bridge] Disconnecting session...\");\n\t\t\tif (this.liopServer) await this.liopServer.close();\n\t\t\tprocess.exit(0);\n\t\t};\n\n\t\trl.on(\"close\", shutdown);\n\t\tprocess.on(\"SIGINT\", shutdown);\n\t\tprocess.on(\"SIGTERM\", shutdown);\n\n\t\trl.on(\"line\", async (line) => {\n\t\t\tif (!line.trim()) return;\n\t\t\ttry {\n\t\t\t\tconst payload = JSON.parse(line);\n\t\t\t\tconst response = await this.handleJsonRpcRequest(payload);\n\t\t\t\tif (response) {\n\t\t\t\t\tprocess.stdout.write(`${JSON.stringify(response)}\\n`);\n\t\t\t\t}\n\t\t\t} catch (e: unknown) {\n\t\t\t\tlog.error(`[LIOP-Bridge] Error: ${(e as Error).message}`);\n\t\t\t}\n\t\t});\n\t}\n}\n\nexport * from \"./stream.js\";\n"]}
package/dist/kyber-2WDOTUQX.js DELETED
@@ -1,2 +0,0 @@
1
- export{a as Kyber768Wrapper}from'./chunk-DBXGYHKY.js';//# sourceMappingURL=kyber-2WDOTUQX.js.map
2
- //# sourceMappingURL=kyber-2WDOTUQX.js.map
package/dist/verifier-RQRYXA4C.js DELETED
@@ -1,2 +0,0 @@
1
- export{a as LiopVerifier}from'./chunk-UVTEJYHN.js';import'./chunk-ANFXJGMP.js';import'./chunk-S6RJHZV2.js';//# sourceMappingURL=verifier-RQRYXA4C.js.map
2
- //# sourceMappingURL=verifier-RQRYXA4C.js.map