@nekzus/liop 2.0.0-alpha.4 → 2.0.0-alpha.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (16) hide show
  1. package/README.md +1 -1
  2. package/dist/bin/agent.js +1 -1
  3. package/dist/bridge.js +1 -1
  4. package/dist/chunk-5OAZNVIU.js +31 -0
  5. package/dist/chunk-5OAZNVIU.js.map +1 -0
  6. package/dist/{chunk-LYULZHZO.js → chunk-62YQHKSS.js} +2 -2
  7. package/dist/{chunk-LYULZHZO.js.map → chunk-62YQHKSS.js.map} +1 -1
  8. package/dist/index.js +1 -1
  9. package/dist/server.d.ts +18 -0
  10. package/dist/server.js +1 -1
  11. package/dist/workers/logic-execution.d.ts +5 -0
  12. package/dist/workers/logic-execution.js +1 -1
  13. package/dist/workers/logic-execution.js.map +1 -1
  14. package/package.json +1 -4
  15. package/dist/chunk-FW6CICSY.js +0 -29
  16. package/dist/chunk-FW6CICSY.js.map +0 -1
package/dist/chunk-FW6CICSY.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"sources":["../src/rpc/server.ts","../src/security/taint-analyzer.ts","../src/server/ner-scanner.ts","../src/server/pii.ts","../src/server/index.ts"],"names":["GRPC_CHANNEL_OPTIONS","LiopRpcServer","handlers","liopV1","port","tls","credentials","createServerCredentials","resolve","reject","error","assignedPort","log","TaintAnalyzer","_TaintAnalyzer","piiFields","f","sourceCode","ast","wrapped","recordBoundVars","taintedVars","simple","node","member","methodName","callback","fn","param","recordParam","declarator","iteration","sizeBefore","callee","arg","violation","line","operation","bin","unary","cond","prop","el","expr","spread","propName","parentMember","litVal","call","fnName","scopedRecordVars","scopedTaintedVars","recordParamIndex","hasTaintedReturn","returnVisitors","val","name","obj","MEDICAL_VOCABULARY","MIN_TEXT_LENGTH","NON_TEXT_PATTERN","NerScanner","_NerScanner","mod","text","doc","entities","people","person","trimmed","places","place","orgs","org","input","seen","values","allEntities","value","result","e","isLuhnValid","cardNumber","digits","sum","isEven","digit","isIbanValid","iban","sanitized","rearranged","numericString","charCode","PII_PATTERNS","match","p","area","PII_PRESETS","PiiScanner","_PiiScanner","patterns","forbiddenKeys","nerScanner","k","token","parsed","patternViolation","nerResult","personEntity","element","key","fuzzyViolation","normalized","pattern","rule","def","matchedText","__dirname","path","fileURLToPath","LiopServer","_LiopServer","serverInfo","config","rlConfig","isTS","workerExt","execArgv","tsxPkg","createRequire","pathToFileURL","isTest","workerPaths","workerFilename","Piscina","FixedQueue","payload","compact","_toolName","logic","policy","taintViolation","toolName","output","schemaResult","z","i","rec","texts","part","t","joined","policyObj","recordsCount","maxRows","allowPrimitives","item","keys","v","lines","schema","depth","schemaType","properties","items","propType","nested","options","description","shape","handler","generatedSchema","zodToJsonSchema","finalDescription","finalHandler","blockedKeys","schemaDigest","args","_extra","clientId","now","stats","payloadValue","bypassCache","payloadHash","crypto","cached","preflightReason","inputSchema","err","_request","uri","mimeType","content","entry","windowMs","maxPerWindow","active","retryAfterSec","maxGlobal","request","globalLimitResult","rateLimitResult","parsedArgs","resource","records","envPort","MeshNode","meshNodeRef","tools","resources","r","tool","Kyber768Wrapper","publicKey","secretKey","sessionToken","session","q","workerResponse","finalOutput","decoded","toolResult","response","Buffer","aggregationViolation","internalReason","isDev","detail","errorResponse","_args","rawPayload","toolPolicy","policyViolation"],"mappings":"qfAiBA,IAAMA,CAAAA,CAAuB,CAC5B,wBAAA,CAA0B,GAAA,CAC1B,2BAAA,CAA6B,GAAA,CAC7B,qCAAA,CAAuC,CAAA,CACvC,8BAAA,CAAgC,EAAA,CAChC,iCAAA,CAAmC,EAAA,CACnC,qBAAA,CAAuB,CACxB,CAAA,CAEaC,CAAAA,CAAN,KAAoB,CAClB,OAER,WAAA,EAAc,CACb,IAAA,CAAK,MAAA,CAAS,IAAS,CAAA,CAAA,MAAA,CAAOD,CAAoB,EACnD,CAEO,UAAA,CAAWE,CAAAA,CAQT,CACR,IAAA,CAAK,MAAA,CAAO,UAAA,CAAWC,CAAAA,CAAO,SAAA,CAAU,OAAA,CAAS,CAChD,eAAA,CAAiBD,CAAAA,CAAS,eAAA,CAC1B,YAAA,CAAcA,CAAAA,CAAS,YACxB,CAAC,EACF,CAEA,MAAa,MAAA,CACZE,CAAAA,CAAe,KAAA,CACfC,EACkB,CAClB,IAAMC,CAAAA,CAAcC,CAAAA,CAAwBF,CAAG,CAAA,CAC/C,OAAO,IAAI,OAAA,CAAQ,CAACG,CAAAA,CAASC,CAAAA,GAAW,CACvC,IAAA,CAAK,MAAA,CAAO,SAAA,CACX,WAAWL,CAAI,CAAA,CAAA,CACfE,CAAAA,CACA,CAACI,CAAAA,CAAOC,CAAAA,GAAiB,CACxB,GAAID,CAAAA,CAAO,CACVD,CAAAA,CAAOC,CAAK,CAAA,CACZ,MACD,CACAE,GAAAA,CAAI,KAAK,CAAA,oCAAA,EAAuCD,CAAY,CAAA,CAAE,CAAA,CAC9DH,CAAAA,CAAQG,CAAY,EACrB,CACD,EACD,CAAC,CACF,CAEA,MAAa,IAAA,EAAsB,CAClC,OAAO,IAAI,OAAA,CAASH,CAAAA,EAAY,CAC/B,IAAA,CAAK,MAAA,CAAO,WAAA,CAAY,IAAM,CAC7BI,GAAAA,CAAI,IAAA,CAAK,6BAA6B,CAAA,CACtCJ,CAAAA,GACD,CAAC,EACF,CAAC,CACF,CACD,ECtCO,IAAMK,CAAAA,CAAN,MAAMC,CAAc,CACT,SAAA,CAGjB,OAAwB,yBAAA,CAA4B,IAAI,GAAA,CAAI,CAE3D,YAAA,CACA,aAAA,CACA,QAAA,CACA,IAAA,CAEA,SAAA,CACA,aAAA,CACA,QAAA,CAEA,eAAA,CACA,YAAA,CACA,UAAA,CACA,WAEA,WAAA,CACA,OAAA,CACA,QAAA,CACA,OAAA,CACA,OAAA,CACA,UAAA,CACA,SAAA,CACA,YAAA,CACA,WAAA,CACA,aAAA,CACA,aAAA,CACA,MAAA,CACA,WAAA,CACA,SAAA,CACA,UAAA,CACA,QAAA,CACA,QACD,CAAC,CAAA,CAGD,OAAwB,sBAAA,CAAyB,IAAI,GAAA,CAAI,CACxD,KAAA,CACA,SAAA,CACA,QAAA,CACA,MAAA,CACA,MAAA,CACA,OAAA,CACA,SAAA,CACA,WACD,CAAC,CAAA,CAGD,OAAwB,cAAA,CAAiB,IAAI,GAAA,CAAI,CAAC,QAAA,CAAU,aAAa,CAAC,CAAA,CAE1E,WAAA,CAAYC,CAAAA,CAAqB,CAChC,IAAA,CAAK,SAAA,CAAY,IAAI,IAAIA,CAAAA,CAAU,GAAA,CAAKC,CAAAA,EAAMA,CAAAA,CAAE,WAAA,EAAa,CAAC,EAC/D,CAQA,OAAA,CAAQC,CAAAA,CAA2C,CAClD,IAAIC,CAAAA,CACJ,GAAI,CAEH,IAAMC,CAAAA,CAAU,CAAA;AAAA,EAA0CF,CAAU;AAAA,CAAA,CAAA,CACpEC,CAAAA,CAAY,QAAMC,CAAAA,CAAS,CAC1B,YAAa,IAAA,CACb,UAAA,CAAY,SACZ,SAAA,CAAW,CAAA,CACZ,CAAC,EACF,CAAA,KAAQ,CAEP,OAAO,IACR,CAEA,IAAMC,CAAAA,CAAkB,IAAI,GAAA,CACtBC,CAAAA,CAAc,IAAI,GAAA,CAGxB,OAAA,IAAA,CAAK,wBAAwBH,CAAAA,CAAKE,CAAe,EAGjD,IAAA,CAAK,cAAA,CAAeF,EAAKE,CAAAA,CAAiBC,CAAW,EAG9C,IAAA,CAAK,qBAAA,CAAsBH,EAAKE,CAAAA,CAAiBC,CAAW,CACpE,CAIQ,uBAAA,CACPH,EACAE,CAAAA,CACO,CAyDPE,OAAOJ,CAAAA,CAxDgC,CACtC,eAAiBK,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,OAE7C,IAAMC,CAAAA,CAASD,CAAAA,CAAK,OACdE,CAAAA,CAAa,IAAA,CAAK,gBAAgBD,CAAM,CAAA,CAI9C,GAHI,CAACC,CAAAA,EAGD,CAAC,IAAA,CAAK,kBAAA,CAAmBD,EAAO,MAAM,CAAA,CAAG,OAE7C,IAAME,CAAAA,CAAWH,EAAK,SAAA,CAAU,CAAC,EACjC,GAAKG,CAAAA,GAGJA,EAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,GAAS,oBAAA,CAAA,CACjB,CACD,IAAMC,CAAAA,CAAKD,CAAAA,CAEX,GACCZ,CAAAA,CAAc,sBAAA,CAAuB,IAAIW,CAAU,CAAA,EACnDE,EAAG,MAAA,CAAO,MAAA,CAAS,EAClB,CACD,IAAMC,EAAQD,CAAAA,CAAG,MAAA,CAAO,CAAC,CAAA,CACrBC,CAAAA,CAAM,OAAS,YAAA,EAClBR,CAAAA,CAAgB,IAAIQ,CAAAA,CAAM,IAAI,EAEhC,CAEA,GACCd,EAAc,cAAA,CAAe,GAAA,CAAIW,CAAU,CAAA,EAC3CE,CAAAA,CAAG,OAAO,MAAA,CAAS,CAAA,CAClB,CACD,IAAME,CAAAA,CAAcF,EAAG,MAAA,CAAO,CAAC,EAC3BE,CAAAA,CAAY,IAAA,GAAS,cACxBT,CAAAA,CAAgB,GAAA,CAAIS,EAAY,IAAI,EAEtC,CACD,CACD,CAAA,CAGA,eAAiBN,CAAAA,EAAS,CACzB,GAAK,IAAA,CAAK,kBAAA,CAAmBA,EAAK,KAAK,CAAA,EAEnCA,EAAK,IAAA,CAAK,IAAA,GAAS,sBACtB,IAAA,IAAWO,CAAAA,IAAcP,EAAK,IAAA,CAAK,YAAA,CAC9BO,EAAW,EAAA,CAAG,IAAA,GAAS,cAC1BV,CAAAA,CAAgB,GAAA,CAAIU,EAAW,EAAA,CAAG,IAAI,EAI1C,CACD,CAEoB,EAmBpBR,MAAAA,CAAOJ,CAAAA,CAhBqC,CAC3C,kBAAA,CAAqBK,CAAAA,EAAS,CAC7B,GAAI,EAAA,CAACA,CAAAA,CAAK,IAAA,EAAQA,CAAAA,CAAK,EAAA,CAAG,OAAS,YAAA,CAAA,EAGlCA,CAAAA,CAAK,KAAK,IAAA,GAAS,kBAAA,EAClBA,EAAK,IAAA,CAAgC,QAAA,CACrC,CACD,IAAMC,CAAAA,CAASD,EAAK,IAAA,CAChB,IAAA,CAAK,mBAAmBC,CAAAA,CAAO,MAAM,GACxCJ,CAAAA,CAAgB,GAAA,CAAIG,EAAK,EAAA,CAAG,IAAI,EAElC,CACD,CACD,CAEyB,EAC1B,CAIQ,eACPL,CAAAA,CACAE,CAAAA,CACAC,EACO,CAGP,IAAA,IAASU,EAAY,CAAA,CAAGA,CAAAA,CAAY,EAAGA,CAAAA,EAAAA,CAAa,CACnD,IAAMC,CAAAA,CAAaX,CAAAA,CAAY,KA8C/B,GAHAC,MAAAA,CAAOJ,EAzCgC,CACtC,kBAAA,CAAqBK,GAAS,CACzB,CAACA,EAAK,IAAA,EAAQA,CAAAA,CAAK,GAAG,IAAA,GAAS,YAAA,EAGlC,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,KAAMH,CAAAA,CAAiBC,CAAW,GAEhEA,CAAAA,CAAY,GAAA,CAAIE,EAAK,EAAA,CAAG,IAAI,EAE9B,CAAA,CAEA,oBAAA,CAAuBA,GAAS,CAC3BA,CAAAA,CAAK,KAAK,IAAA,GAAS,YAAA,EAGtB,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,MAAOH,CAAAA,CAAiBC,CAAW,GAEjEA,CAAAA,CAAY,GAAA,CAAKE,EAAK,IAAA,CAA0B,IAAI,EAEtD,CAAA,CAIA,cAAA,CAAiBA,CAAAA,EAAS,CACzB,GAAIA,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,OAE7C,IAAMU,CAAAA,CAASV,EAAK,MAAA,CACD,IAAA,CAAK,gBAAgBU,CAAM,CAAA,GAG9B,QACfA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBV,CAAAA,CAAK,UAAU,IAAA,CAAMW,CAAAA,EACpB,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,EAAiBC,CAAW,CAC3D,GAEAA,CAAAA,CAAY,GAAA,CAAKY,EAAO,MAAA,CAA4B,IAAI,EAE1D,CACD,CAEoB,EAGhBZ,CAAAA,CAAY,IAAA,GAASW,EAAY,KACtC,CACD,CAIQ,qBAAA,CACPd,CAAAA,CACAE,EACAC,CAAAA,CACwB,CACxB,IAAIc,CAAAA,CAAmC,IAAA,CA+BvC,OAAAb,MAAAA,CAAOJ,CAAAA,CA7BgC,CACtC,eAAA,CAAkBK,CAAAA,EAAS,CAC1B,GAAI,CAAAY,GAECZ,CAAAA,CAAK,QAAA,EAGT,KAAK,mBAAA,CAAoBA,CAAAA,CAAK,SAAUH,CAAAA,CAAiBC,CAAW,EACnE,CACD,IAAMe,EAAOb,CAAAA,CAAK,GAAA,EAAK,MAAM,IAAA,CAC1BA,CAAAA,CAAK,IAAI,KAAA,CAAM,IAAA,CAAO,EACtB,MAAA,CACGc,CAAAA,CAAY,KAAK,mBAAA,CACtBd,CAAAA,CAAK,SACLH,CAAAA,CACAC,CACD,CAAA,CACAc,CAAAA,CAAY,CACX,MAAA,CACC,qFACGE,CAAAA,CAAY,CAAA,WAAA,EAAcA,CAAS,CAAA,EAAA,CAAA,CAAO,EAAE,yEAEhD,IAAA,CAAAD,CAAAA,CACA,UAAAC,CACD,EACD,CACD,CACD,CAEoB,EAEbF,CACR,CAQQ,oBACPZ,CAAAA,CACAH,CAAAA,CACAC,EACU,CACV,OAAQE,EAAK,IAAA,EACZ,KAAK,YAAA,CACJ,OAAOF,EAAY,GAAA,CAAKE,CAAAA,CAA0B,IAAI,CAAA,CAEvD,KAAK,mBACJ,OAAO,IAAA,CAAK,oBACXA,CAAAA,CACAH,CAAAA,CACAC,CACD,CAAA,CAED,KAAK,iBACJ,OAAO,IAAA,CAAK,kBACXE,CAAAA,CACAH,CAAAA,CACAC,CACD,CAAA,CAED,KAAK,mBACL,KAAK,mBAAA,CAAqB,CACzB,IAAMiB,CAAAA,CAAMf,EACZ,OACC,IAAA,CAAK,oBAAoBe,CAAAA,CAAI,IAAA,CAAMlB,EAAiBC,CAAW,CAAA,EAC/D,KAAK,mBAAA,CAAoBiB,CAAAA,CAAI,MAAOlB,CAAAA,CAAiBC,CAAW,CAElE,CAEA,KAAK,kBAAmB,CACvB,IAAMkB,EAAQhB,CAAAA,CACd,OAAO,KAAK,mBAAA,CACXgB,CAAAA,CAAM,SACNnB,CAAAA,CACAC,CACD,CACD,CAEA,KAAK,uBAAA,CAAyB,CAC7B,IAAMmB,CAAAA,CAAOjB,EAEb,OACC,IAAA,CAAK,oBAAoBiB,CAAAA,CAAK,IAAA,CAAMpB,EAAiBC,CAAW,CAAA,EAChE,KAAK,mBAAA,CACJmB,CAAAA,CAAK,WACLpB,CAAAA,CACAC,CACD,GACA,IAAA,CAAK,mBAAA,CAAoBmB,EAAK,SAAA,CAAWpB,CAAAA,CAAiBC,CAAW,CAEvE,CAEA,KAAK,kBAAA,CAEJ,OADYE,EACD,UAAA,CAAW,IAAA,CACpBkB,GACAA,CAAAA,CAAK,IAAA,GAAS,YACd,IAAA,CAAK,mBAAA,CAAoBA,EAAK,KAAA,CAAOrB,CAAAA,CAAiBC,CAAW,CACnE,CAAA,CAGD,KAAK,iBAAA,CAEJ,OADYE,EACD,QAAA,CAAS,IAAA,CAClBmB,GACAA,CAAAA,GAAO,IAAA,EACP,KAAK,mBAAA,CAAoBA,CAAAA,CAAItB,EAAiBC,CAAW,CAC3D,EAGD,KAAK,iBAAA,CAEJ,OADaE,CAAAA,CACD,WAAA,CAAY,KAAMoB,CAAAA,EAC7B,IAAA,CAAK,oBAAoBA,CAAAA,CAAMvB,CAAAA,CAAiBC,CAAW,CAC5D,CAAA,CAGD,KAAK,eAAA,CAAiB,CACrB,IAAMuB,CAAAA,CAASrB,CAAAA,CACf,OAAO,IAAA,CAAK,mBAAA,CACXqB,EAAO,QAAA,CACPxB,CAAAA,CACAC,CACD,CACD,CAEA,QAEC,OAAO,MACT,CACD,CAMQ,mBAAA,CACPG,CAAAA,CACAJ,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMwB,CAAAA,CAAW,IAAA,CAAK,gBAAgBrB,CAAM,CAAA,CAG5C,GACCA,CAAAA,CAAO,MAAA,CAAO,OAAS,YAAA,EACvBJ,CAAAA,CAAgB,IAAKI,CAAAA,CAAO,MAAA,CAA4B,IAAI,CAAA,EAC5DqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EAEzC,OAAO,KAAA,CAKR,GACCrB,CAAAA,CAAO,MAAA,CAAO,OAAS,kBAAA,EACvBqB,CAAAA,EACA,KAAK,SAAA,CAAU,GAAA,CAAIA,EAAS,WAAA,EAAa,EACxC,CACD,IAAMC,EAAetB,CAAAA,CAAO,MAAA,CAC5B,GACCsB,CAAAA,CAAa,QAAA,EACb,KAAK,kBAAA,CAAmBA,CAAAA,CAAa,MAAM,CAAA,CAE3C,OAAO,KAET,CAIA,GAAI,KAAK,mBAAA,CAAoBtB,CAAAA,CAAO,OAAQJ,CAAAA,CAAiBC,CAAW,EACvE,OAAO,KAAA,CAKR,GACCG,CAAAA,CAAO,QAAA,EACPA,EAAO,MAAA,CAAO,IAAA,GAAS,cACvBJ,CAAAA,CAAgB,GAAA,CAAKI,EAAO,MAAA,CAA4B,IAAI,GAIxDA,CAAAA,CAAO,QAAA,CAAS,OAAS,SAAA,CAAW,CACvC,IAAMuB,CAAAA,CAAUvB,CAAAA,CAAO,SAA2B,KAAA,CAClD,GACC,OAAOuB,CAAAA,EAAW,QAAA,EAClB,IAAA,CAAK,SAAA,CAAU,GAAA,CAAIA,CAAAA,CAAO,aAAa,CAAA,CAEvC,OAAO,KAET,CAGD,OAAO,MACR,CAMQ,kBACPC,CAAAA,CACA5B,CAAAA,CACAC,EACU,CAEV,GAAI2B,EAAK,MAAA,CAAO,IAAA,GAAS,mBAAoB,CAC5C,IAAMf,EAASe,CAAAA,CAAK,MAAA,CACdvB,EAAa,IAAA,CAAK,eAAA,CAAgBQ,CAAM,CAAA,CAG9C,GACCR,GACAX,CAAAA,CAAc,yBAAA,CAA0B,IAAIW,CAAU,CAAA,EACtD,KAAK,mBAAA,CAAoBQ,CAAAA,CAAO,OAAQb,CAAAA,CAAiBC,CAAW,EAEpE,OAAO,KAAA,CAIR,GAAI,IAAA,CAAK,kBAAA,CAAmBY,EAAO,MAAM,CAAA,EAAKe,EAAK,SAAA,CAAU,CAAC,EAAG,CAChE,IAAMtB,EAAWsB,CAAAA,CAAK,SAAA,CAAU,CAAC,CAAA,CACjC,GACCtB,EAAS,IAAA,GAAS,yBAAA,EAClBA,EAAS,IAAA,GAAS,oBAAA,CAElB,OAAO,IAAA,CAAK,wBAAA,CACXA,EACAD,CAAAA,CACAL,CAAAA,CACAC,CACD,CAEF,CAYA,GAPC,IAAA,CAAK,mBAAA,CAAoBY,EAAO,MAAA,CAAQb,CAAAA,CAAiBC,CAAW,CAAA,EAQpE2B,CAAAA,CAAK,UAAU,IAAA,CAAMd,CAAAA,EACpB,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,CAEA,OAAO,KAET,CAKA,GAAI2B,CAAAA,CAAK,MAAA,CAAO,OAAS,kBAAA,CAAoB,CAC5C,IAAMf,CAAAA,CAASe,CAAAA,CAAK,OACD,IAAA,CAAK,eAAA,CAAgBf,CAAM,CAAA,GAE9B,MAAA,EACfA,EAAO,MAAA,CAAO,IAAA,GAAS,cACvBe,CAAAA,CAAK,SAAA,CAAU,KAAMd,CAAAA,EACpB,IAAA,CAAK,oBAAoBA,CAAAA,CAAKd,CAAAA,CAAiBC,CAAW,CAC3D,CAAA,EAGAA,EAAY,GAAA,CAAKY,CAAAA,CAAO,OAA4B,IAAI,EAE1D,CAKA,GAAIe,CAAAA,CAAK,OAAO,IAAA,GAAS,YAAA,CAAc,CACtC,IAAMC,CAAAA,CAAUD,EAAK,MAAA,CAA4B,IAAA,CAUjD,GAAI,CARiB,IAAI,IAAI,CAC5B,MAAA,CACA,SACA,UAAA,CACA,YAAA,CACA,QACA,UACD,CAAC,EACiB,GAAA,CAAIC,CAAM,EAC3B,OAAOD,CAAAA,CAAK,UAAU,IAAA,CAAMd,CAAAA,EAC3B,KAAK,mBAAA,CAAoBA,CAAAA,CAAKd,EAAiBC,CAAW,CAC3D,CAEF,CAEA,OAAO,MACR,CAMQ,wBAAA,CACPK,EACAD,CAAAA,CACAL,CAAAA,CACAC,EACU,CAEV,IAAM6B,EAAmB,IAAI,GAAA,CAAI9B,CAAe,CAAA,CAC1C+B,CAAAA,CAAoB,IAAI,IAAI9B,CAAW,CAAA,CAE7C,GAAIK,CAAAA,CAAS,MAAA,CAAO,OAAS,CAAA,CAAG,CAG/B,IAAM0B,CAAAA,CADL3B,CAAAA,GAAe,MAAQX,CAAAA,CAAc,cAAA,CAAe,IAAIW,CAAU,CAAA,CAC/B,EAAI,CAAA,CAGvCC,CAAAA,CAAS,OAAO,MAAA,CAAS0B,CAAAA,EACzB1B,EAAS,MAAA,CAAO0B,CAAgB,EAAE,IAAA,GAAS,YAAA,EAE3CF,EAAiB,GAAA,CACfxB,CAAAA,CAAS,OAAO0B,CAAgB,CAAA,CAAuB,IACzD,EAEF,CAGA,GACC1B,CAAAA,CAAS,IAAA,GAAS,2BAClBA,CAAAA,CAAS,IAAA,CAAK,OAAS,gBAAA,CAEvB,OAAO,KAAK,mBAAA,CACXA,CAAAA,CAAS,KACTwB,CAAAA,CACAC,CACD,EAID,IAAIE,CAAAA,CAAmB,MACjBC,CAAAA,CAAuC,CAC5C,gBAAkB/B,CAAAA,EAAS,CAEzBA,EAAK,QAAA,EACL,IAAA,CAAK,oBACJA,CAAAA,CAAK,QAAA,CACL2B,EACAC,CACD,CAAA,GAEAE,EAAmB,IAAA,EAErB,CACD,EAEA,OAAA/B,MAAAA,CAAOI,EAAS,IAAA,CAAoB4B,CAAc,EAE3CD,CACR,CAKQ,gBAAgB7B,CAAAA,CAA+C,CACtE,GAAI,CAACA,CAAAA,CAAO,UAAYA,CAAAA,CAAO,QAAA,CAAS,IAAA,GAAS,YAAA,CAChD,OAAQA,CAAAA,CAAO,SAA8B,IAAA,CAE9C,GAAIA,EAAO,QAAA,EAAYA,CAAAA,CAAO,SAAS,IAAA,GAAS,SAAA,CAAW,CAC1D,IAAM+B,CAAAA,CAAO/B,EAAO,QAAA,CAA2B,KAAA,CAC/C,GAAI,OAAO+B,CAAAA,EAAQ,SAAU,OAAOA,CACrC,CACA,OAAO,IACR,CAGQ,kBAAA,CAAmBhC,CAAAA,CAA2B,CAErD,GAAIA,CAAAA,CAAK,OAAS,kBAAA,CAAoB,CACrC,IAAMC,CAAAA,CAASD,CAAAA,CAEf,GADiB,IAAA,CAAK,eAAA,CAAgBC,CAAM,CAAA,GAE9B,SAAA,EACbA,EAAO,MAAA,CAAO,IAAA,GAAS,cACtBA,CAAAA,CAAO,MAAA,CAA4B,OAAS,KAAA,CAE7C,OAAO,KAET,CAEA,OACCD,EAAK,IAAA,GAAS,YAAA,EACbA,EAA0B,IAAA,GAAS,SAKtC,CAGQ,mBAAA,CACPA,CAAAA,CACAH,EACAC,CAAAA,CACqB,CACrB,GAAIE,CAAAA,CAAK,IAAA,GAAS,aAAc,CAC/B,IAAMiC,EAAQjC,CAAAA,CAA0B,IAAA,CACxC,GAAIF,CAAAA,CAAY,GAAA,CAAImC,CAAI,CAAA,CAAG,OAAO,aAAaA,CAAI,CAAA,gBAAA,CACpD,CAEA,GAAIjC,CAAAA,CAAK,OAAS,kBAAA,CAAoB,CACrC,IAAMkC,CAAAA,CAAMlC,CAAAA,CACZ,IAAA,IAAWkB,CAAAA,IAAQgB,CAAAA,CAAI,UAAA,CACtB,GACChB,CAAAA,CAAK,IAAA,GAAS,YACd,IAAA,CAAK,mBAAA,CAAoBA,EAAK,KAAA,CAAOrB,CAAAA,CAAiBC,CAAW,CAAA,CAMjE,OAAO,aAHNoB,CAAAA,CAAK,GAAA,CAAI,OAAS,YAAA,CACdA,CAAAA,CAAK,IAAyB,IAAA,CAC/B,SACuB,8BAG9B,CAEA,GAAIlB,EAAK,IAAA,GAAS,gBAAA,CAAkB,CACnC,IAAMyB,CAAAA,CAAOzB,EACb,GAAIyB,CAAAA,CAAK,OAAO,IAAA,GAAS,kBAAA,CAAoB,CAC5C,IAAMvB,CAAAA,CAAa,KAAK,eAAA,CACvBuB,CAAAA,CAAK,MACN,CAAA,CACA,GAAIvB,EAAY,OAAO,CAAA,WAAA,EAAcA,CAAU,CAAA,cAAA,CAChD,CACD,CAGD,CACD,CAAA,KCtrBMiC,CAAAA,CAA6C,CAClD,QAAS,YAAA,CACT,UAAA,CAAY,aACZ,SAAA,CAAW,YAAA,CACX,WAAY,YAAA,CACZ,YAAA,CAAc,aACd,UAAA,CAAY,YAAA,CACZ,SAAU,YAAA,CACV,WAAA,CAAa,aACb,aAAA,CAAe,YAAA,CACf,UAAW,YAAA,CACX,aAAA,CAAe,aACf,WAAA,CAAa,YAAA,CACb,cAAe,YAAA,CACf,UAAA,CAAY,aACZ,QAAA,CAAU,YAAA,CACV,QAAS,YAAA,CACT,mBAAA,CAAqB,aACrB,UAAA,CAAY,YAAA,CACZ,SAAA,CAAW,YAAA,CACX,YAAA,CAAc,YAAA,CAEd,aAAc,WAAA,CACd,QAAA,CAAU,YACV,UAAA,CAAY,WAAA,CACZ,UAAW,WAAA,CACX,MAAA,CAAQ,WACT,CAAA,CAgBMC,CAAAA,CAAkB,EAGlBC,CAAAA,CAAmB,6CAAA,CASZC,EAAN,MAAMC,CAAW,CACvB,OAAe,GAAA,CAAwB,KAKvC,MAAc,MAAA,EAA6B,CAC1C,GAAI,CAACA,EAAW,GAAA,CAAK,CAEpB,IAAMC,CAAAA,CAAO,aAAa,kBAAkB,CAAA,CAE5CD,EAAW,GAAA,CAAOC,CAAAA,CAAI,SAAWA,CAAAA,CACjCD,CAAAA,CAAW,IAAI,QAAA,CAASJ,CAAkB,EAC3C,CACA,OAAOI,EAAW,GACnB,CAMA,MAAM,IAAA,CAAKE,CAAAA,CAAsC,CAChD,GAAIA,CAAAA,CAAK,OAASL,CAAAA,EAAmBC,CAAAA,CAAiB,KAAKI,CAAI,CAAA,CAC9D,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAIxC,IAAMC,GADM,MAAM,IAAA,CAAK,QAAO,EACdD,CAAI,EACdE,CAAAA,CAAwB,GAExBC,CAAAA,CAASF,CAAAA,CAAI,QAAO,CAAE,GAAA,CAAI,OAAO,CAAA,CACvC,IAAA,IAAWG,KAAUD,CAAAA,CAAQ,CAC5B,IAAME,CAAAA,CAAUD,CAAAA,CAAO,IAAA,GACnBC,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,QAAA,CAAU,KAAMG,CAAQ,CAAC,EAEjD,CAEA,IAAMC,EAASL,CAAAA,CAAI,MAAA,GAAS,GAAA,CAAI,OAAO,EACvC,IAAA,IAAWM,CAAAA,IAASD,EAAQ,CAC3B,IAAMD,EAAUE,CAAAA,CAAM,IAAA,GAClBF,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,OAAA,CAAS,KAAMG,CAAQ,CAAC,EAEhD,CAEA,IAAMG,EAAOP,CAAAA,CAAI,aAAA,GAAgB,GAAA,CAAI,OAAO,EAC5C,IAAA,IAAWQ,CAAAA,IAAOD,EAAM,CACvB,IAAMH,EAAUI,CAAAA,CAAI,IAAA,GAChBJ,CAAAA,CAAQ,MAAA,EAAUV,GACrBO,CAAAA,CAAS,IAAA,CAAK,CAAE,IAAA,CAAM,cAAA,CAAgB,KAAMG,CAAQ,CAAC,EAEvD,CAEA,OAAO,CACN,QAAA,CAAUH,CAAAA,CAAS,OAAS,CAAA,CAC5B,QAAA,CAAAA,CACD,CACD,CAMA,MAAM,QAAA,CACLQ,CAAAA,CACAC,EAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CACb,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAGxC,GAAI,OAAOA,CAAAA,EAAU,QAAA,CACpB,OAAO,IAAA,CAAK,IAAA,CAAKA,CAAK,CAAA,CAGvB,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAC9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAC3B,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CAAA,CAExCC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAExB,IAAME,CAAAA,CAAS,KAAA,CAAM,QAAQF,CAAK,CAAA,CAC/BA,EACA,MAAA,CAAO,MAAA,CAAOA,CAAgC,CAAA,CAE3CG,CAAAA,CAA2B,EAAC,CAElC,IAAA,IAAWC,KAASF,CAAAA,CAAQ,CAC3B,IAAMG,CAAAA,CAAS,MAAM,KAAK,QAAA,CAASD,CAAAA,CAAOH,CAAI,CAAA,CAC9C,GAAII,EAAO,QAAA,GACVF,CAAAA,CAAY,KAAK,GAAGE,CAAAA,CAAO,QAAQ,CAAA,CAE/BA,CAAAA,CAAO,SAAS,IAAA,CAAMC,CAAAA,EAAMA,EAAE,IAAA,GAAS,QAAQ,GAClD,OAAO,CAAE,SAAU,IAAA,CAAM,QAAA,CAAUH,CAAY,CAGlD,CAEA,OAAO,CACN,QAAA,CAAUA,EAAY,MAAA,CAAS,CAAA,CAC/B,QAAA,CAAUA,CACX,CACD,CAEA,OAAO,CAAE,QAAA,CAAU,MAAO,QAAA,CAAU,EAAG,CACxC,CACD,ECvLA,SAASI,CAAAA,CAAYC,EAA6B,CACjD,IAAMC,EAASD,CAAAA,CAAW,OAAA,CAAQ,MAAO,EAAE,CAAA,CAC3C,GAAIC,CAAAA,CAAO,MAAA,CAAS,IAAMA,CAAAA,CAAO,MAAA,CAAS,GAAI,OAAO,MAAA,CAErD,IAAIC,CAAAA,CAAM,CAAA,CACNC,EAAS,KAAA,CAEb,IAAA,IAAS,EAAIF,CAAAA,CAAO,MAAA,CAAS,EAAG,CAAA,EAAK,CAAA,CAAG,IAAK,CAC5C,IAAIG,CAAAA,CAAQ,QAAA,CAASH,CAAAA,CAAO,MAAA,CAAO,CAAC,CAAA,CAAG,EAAE,EAErCE,CAAAA,GACHC,CAAAA,EAAS,EACLA,CAAAA,CAAQ,CAAA,GACXA,GAAS,CAAA,CAAA,CAAA,CAIXF,CAAAA,EAAOE,EACPD,CAAAA,CAAS,CAACA,EACX,CAEA,OAAOD,EAAM,EAAA,GAAO,CACrB,CAMA,SAASG,CAAAA,CAAYC,EAAuB,CAC3C,IAAMC,EAAYD,CAAAA,CAAK,OAAA,CAAQ,OAAQ,EAAE,CAAA,CAAE,aAAY,CAEvD,GAAI,CAAC,kCAAA,CAAmC,IAAA,CAAKC,CAAS,CAAA,CAAG,OAAO,OAEhE,IAAMC,CAAAA,CAAaD,CAAAA,CAAU,SAAA,CAAU,CAAC,CAAA,CAAIA,EAAU,SAAA,CAAU,CAAA,CAAG,CAAC,CAAA,CAEhEE,CAAAA,CAAgB,GACpB,IAAA,IAAS,CAAA,CAAI,EAAG,CAAA,CAAID,CAAAA,CAAW,OAAQ,CAAA,EAAA,CAAK,CAC3C,IAAME,CAAAA,CAAWF,CAAAA,CAAW,WAAW,CAAC,CAAA,CACxC,GAAIE,CAAAA,EAAY,EAAA,EAAMA,GAAY,EAAA,CACjCD,CAAAA,EAAAA,CAAkBC,EAAW,EAAA,EAAI,QAAA,WACvBA,CAAAA,EAAY,EAAA,EAAMA,GAAY,EAAA,CACxCD,CAAAA,EAAiBD,EAAW,MAAA,CAAO,CAAC,OAEpC,OAAO,MAET,CAEA,GAAI,CACH,OAAO,MAAA,CAAOC,CAAa,EAAI,GAAA,GAAQ,EACxC,MAAa,CACZ,OAAO,MACR,CACD,KAUaE,CAAAA,CAAe,CAC3B,MAAO,CACN,IAAA,CAAM,QACN,OAAA,CAAS,sDAAA,CACT,UAAYC,CAAAA,EACX,CAACA,EAAM,QAAA,CAAS,cAAc,GAAK,CAACA,CAAAA,CAAM,SAAS,WAAW,CAChE,EACA,WAAA,CAAa,CACZ,KAAM,aAAA,CACN,OAAA,CAAS,2BACT,SAAA,CAAWb,CACZ,EACA,UAAA,CAAY,CACX,KAAM,YAAA,CACN,OAAA,CAAS,yCAAA,CACT,SAAA,CAAYa,CAAAA,EACK,CAAC,YAAa,SAAA,CAAW,iBAAiB,EAC9C,QAAA,CAASA,CAAK,EAAU,KAAA,CAEtBA,CAAAA,CAAM,MAAM,GAAG,CAAA,CAAE,IAAI,MAAM,CAAA,CAC5B,MAAOC,CAAAA,EAAMA,CAAAA,EAAK,GAAKA,CAAAA,EAAK,GAAG,CAE9C,CAAA,CACA,KAAA,CAAO,CACN,IAAA,CAAM,OAAA,CAEN,QAAS,+DAAA,CACT,SAAA,CAAYD,GAAkB,CAC7B,IAAMX,EAASW,CAAAA,CAAM,OAAA,CAAQ,MAAO,EAAE,CAAA,CAItC,OAHI,EAAAX,CAAAA,CAAO,OAAS,CAAA,EAAKA,CAAAA,CAAO,OAAS,EAAA,EAErC,WAAA,CAAY,KAAKA,CAAM,CAAA,EACvBA,IAAW,YAAA,CAEhB,CACD,EACA,GAAA,CAAK,CACJ,KAAM,KAAA,CACN,OAAA,CAAS,iCACT,SAAA,CAAYW,CAAAA,EAAkB,CAC7B,IAAMX,CAAAA,CAASW,EAAM,OAAA,CAAQ,KAAA,CAAO,EAAE,CAAA,CACtC,GAAIX,EAAO,MAAA,GAAW,CAAA,CAAG,OAAO,MAAA,CAEhC,IAAMa,EAAO,QAAA,CAASb,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,CAShD,OARI,EAAAa,CAAAA,GAAS,GAAKA,CAAAA,GAAS,GAAA,EAAOA,CAAAA,EAAQ,GAAA,EAE5B,QAAA,CAASb,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,GACnC,GAEC,QAAA,CAASA,CAAAA,CAAO,UAAU,CAAA,CAAG,CAAC,EAAG,EAAE,CAAA,GACnC,GAEX,WAAA,CAAY,IAAA,CAAKA,CAAM,CAAA,EAAKA,CAAAA,GAAW,YAG5C,CACD,CAAA,CACA,KAAM,CACL,IAAA,CAAM,OACN,OAAA,CAAS,sCAAA,CACT,UAAWI,CACZ,CAAA,CACA,aAAc,CACb,IAAA,CAAM,eAEN,OAAA,CAAS,6CACV,CACD,CAAA,CAMaU,CAAAA,CAAc,CAC1B,aAAA,CAAe,CACdJ,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,aACbA,CAAAA,CAAa,IACd,EACA,YAAA,CAAc,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,IACbA,CAAAA,CAAa,YACd,EACA,OAAA,CAAS,CACRA,EAAa,KAAA,CACbA,CAAAA,CAAa,YACbA,CAAAA,CAAa,UAAA,CACbA,EAAa,KAAA,CACbA,CAAAA,CAAa,KACbA,CAAAA,CAAa,YACd,CACD,CAAA,CAEaK,CAAAA,CAAN,MAAMC,CAAW,CACf,QAAA,CACA,gBAAA,CACA,UAAA,CAMR,OAAwB,aAAe,IAAI,GAAA,CAAI,CAE9C,MAAA,CACA,OAAA,CACA,UACA,UAAA,CACA,SAAA,CACA,WACA,UAAA,CACA,QAAA,CACA,SACA,YAAA,CACA,QAAA,CACA,YACA,SAAA,CACA,QAAA,CACA,UACA,QAAA,CACA,QAAA,CACA,QACA,MAAA,CACA,MAAA,CACA,OACA,MAAA,CACA,MAAA,CACA,QACA,OAAA,CACA,OAAA,CACA,QACA,QAAA,CACA,OAAA,CACA,UACA,SAAA,CACA,UAAA,CACA,YACA,OAAA,CACA,SAAA,CACA,OACA,OAAA,CAEA,WAAA,CACA,aACA,WAAA,CACA,UAAA,CACA,SACA,UAAA,CACA,UAAA,CACA,WACA,SAAA,CACA,SAAA,CAEA,WACA,SAAA,CACA,YAAA,CACA,YACA,WAAA,CACA,WAAA,CACA,aAEA,YAAA,CACA,aAAA,CACA,aAEA,WAAA,CACA,aAAA,CACA,WACA,UAAA,CACA,SAAA,CAEA,YACA,UAAA,CAEA,UAAA,CACA,qBACA,YAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,QAAA,CACA,SACA,WAAA,CACA,eAAA,CACA,UACA,QACD,CAAC,EAMO,0BAAA,CAKA,mBAAA,CAER,YACCC,CAAAA,CAAsB,GACtBC,CAAAA,CAA0B,GAC1BC,CAAAA,CACC,CACD,IAAA,CAAK,QAAA,CAAWF,CAAAA,CAChB,IAAA,CAAK,iBAAmB,IAAI,GAAA,CAAIC,EAAc,GAAA,CAAKE,CAAAA,EAAMA,EAAE,WAAA,EAAa,CAAC,CAAA,CACzE,IAAA,CAAK,WAAaD,CAAAA,EAAc,IAAA,CAGhC,KAAK,0BAAA,CAA6B,IAAI,IACtC,IAAA,CAAK,mBAAA,CAAsB,EAAC,CAE5B,IAAA,IAAWE,KAAS,IAAA,CAAK,gBAAA,CACpBA,EAAM,MAAA,CAAS,CAAA,CAIlB,KAAK,0BAAA,CAA2B,GAAA,CAC/BA,EACA,IAAI,MAAA,CACH,aAAaA,CAAK,CAAA,sBAAA,EACHA,EAAM,MAAA,CAAO,CAAC,EAAE,WAAA,EAAa,GAAGA,CAAAA,CAAM,KAAA,CAAM,CAAC,CAAC,CAAA,EAAA,EACxDA,CAAK,CAAA,CAAA,CAAA,CACV,GACD,CACD,CAAA,CAEA,IAAA,CAAK,oBAAoB,IAAA,CAAKA,CAAK,EAGtC,CAYA,MAAa,KACZ9B,CAAAA,CACAC,CAAAA,CAAO,IAAI,OAAA,CACc,CACzB,GAAID,CAAAA,EAAU,IAAA,CAA6B,OAAO,IAAA,CAGlD,GAAI,OAAOA,CAAAA,EAAU,QAAA,CAAU,CAG9B,IAAML,CAAAA,CAAUK,EAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,IAAMoC,CAAAA,CAAS,IAAA,CAAK,MAAMpC,CAAO,CAAA,CAE3BlC,EAAY,MAAM,IAAA,CAAK,KAAKsE,CAAAA,CAAQ9B,CAAI,EAC9C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,KAAa,CAEb,CAID,IAAMuE,EAAmB,IAAA,CAAK,WAAA,CAAYhC,CAAK,CAAA,CAC/C,GAAIgC,EAAkB,OAAOA,CAAAA,CAG7B,GAAI,IAAA,CAAK,UAAA,CAAY,CACpB,IAAMC,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAKjC,CAAK,CAAA,CAClD,GAAIiC,CAAAA,CAAU,QAAA,CAAU,CACvB,IAAMC,CAAAA,CAAeD,EAAU,QAAA,CAAS,IAAA,CACtC3B,GAAMA,CAAAA,CAAE,IAAA,GAAS,QACnB,CAAA,CACA,GAAI4B,EACH,OAAO,CAAA,kCAAA,EAAqCA,EAAa,IAAI,CAAA,CAAA,CAE/D,CACD,CAEA,OAAO,IACR,CAGA,GAAI,OAAOlC,CAAAA,EAAU,QAAA,CAAU,CAE9B,GAAIC,CAAAA,CAAK,IAAID,CAAe,CAAA,CAAG,OAAO,IAAA,CAGtC,GAFAC,EAAK,GAAA,CAAID,CAAe,EAEpB,KAAA,CAAM,OAAA,CAAQA,CAAK,CAAA,CACtB,IAAA,IAAWmC,CAAAA,IAAWnC,EAAO,CAC5B,IAAMvC,EAAY,MAAM,IAAA,CAAK,KAAK0E,CAAAA,CAASlC,CAAI,EAC/C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAAA,YAEW,CAAC2E,CAAAA,CAAKhC,CAAK,CAAA,GAAK,MAAA,CAAO,QACjCJ,CACD,CAAA,CAAG,CAEF,GAAI,IAAA,CAAK,iBAAiB,GAAA,CAAIoC,CAAAA,CAAI,aAAa,CAAA,CAC9C,OAAO,CAAA,eAAA,EAAkBA,CAAG,GAI7B,IAAMC,CAAAA,CAAiB,KAAK,aAAA,CAAcD,CAAG,EAC7C,GAAIC,CAAAA,CAAgB,OAAOA,CAAAA,CAG3B,IAAM5E,EAAY,MAAM,IAAA,CAAK,KAAK2C,CAAAA,CAAOH,CAAI,EAC7C,GAAIxC,CAAAA,CAAW,OAAOA,CACvB,CAEF,CAEA,OAAO,IACR,CAMQ,aAAA,CAAc2E,CAAAA,CAA4B,CACjD,IAAME,CAAAA,CAAaF,EAAI,WAAA,EAAY,CAGnC,GAAIX,CAAAA,CAAW,YAAA,CAAa,IAAIa,CAAU,CAAA,CAAG,OAAO,IAAA,CAGpD,IAAA,GAAW,CAACR,CAAAA,CAAOS,CAAO,IAAK,IAAA,CAAK,0BAAA,CACnC,GAAIA,CAAAA,CAAQ,IAAA,CAAKH,CAAG,CAAA,CACnB,OAAO,CAAA,uBAAA,EAA0BA,CAAG,CAAA,2BAAA,EAA8BN,CAAK,IAKzE,IAAA,IAAWA,CAAAA,IAAS,KAAK,mBAAA,CACxB,GAAIQ,EAAW,QAAA,CAASR,CAAK,EAC5B,OAAO,CAAA,uBAAA,EAA0BM,CAAG,CAAA,4BAAA,EAA+BN,CAAK,IAI1E,OAAO,IACR,CAEQ,WAAA,CAAYxC,CAAAA,CAA6B,CAChD,IAAA,IAAWkD,CAAAA,IAAQ,KAAK,QAAA,CACvB,GAAI,OAAOA,CAAAA,EAAS,QAAA,CAAA,CACnB,GAAIlD,CAAAA,CAAK,WAAA,GAAc,QAAA,CAASkD,CAAAA,CAAK,aAAa,CAAA,CACjD,OAAOA,CAAAA,CAAAA,KAAAA,GAEEA,CAAAA,YAAgB,QAE1B,GADIA,CAAAA,CAAK,SAAQA,CAAAA,CAAK,SAAA,CAAY,GAC9BA,CAAAA,CAAK,IAAA,CAAKlD,CAAI,CAAA,CACjB,OAAOkD,EAAK,MAAA,CAAA,KAAA,GAEH,OAAOA,GAAS,QAAA,EAAYA,CAAAA,GAAS,KAAM,CAErD,IAAMC,EAAMD,CAAAA,CAEZ,GAAI,OAAOC,CAAAA,CAAI,OAAA,EAAY,UAC1B,GAAInD,CAAAA,CAAK,aAAY,CAAE,QAAA,CAASmD,EAAI,OAAA,CAAQ,WAAA,EAAa,CAAA,GACpD,CAACA,EAAI,SAAA,EAAaA,CAAAA,CAAI,UAAUA,CAAAA,CAAI,OAAO,GAC9C,OAAOA,CAAAA,CAAI,aAGHA,CAAAA,CAAI,OAAA,YAAmB,MAAA,CAAQ,CACrCA,CAAAA,CAAI,OAAA,CAAQ,SAAQA,CAAAA,CAAI,OAAA,CAAQ,UAAY,CAAA,CAAA,CAGhD,IAAIrB,EAAQqB,CAAAA,CAAI,OAAA,CAAQ,KAAKnD,CAAI,CAAA,CACjC,KAAO8B,CAAAA,GAAU,IAAA,EAAM,CACtB,IAAMsB,CAAAA,CAActB,EAAM,CAAC,CAAA,CAC3B,GAAI,CAACqB,CAAAA,CAAI,WAAaA,CAAAA,CAAI,SAAA,CAAUC,CAAW,CAAA,CAC9C,OAAOD,EAAI,IAAA,CAEZ,GAAI,CAACA,CAAAA,CAAI,OAAA,CAAQ,OAAQ,MACzBrB,CAAAA,CAAQqB,EAAI,OAAA,CAAQ,IAAA,CAAKnD,CAAI,EAC9B,CACD,CACD,CAED,OAAO,IACR,CACD,MC/aMqD,CAAAA,CAAYC,CAAAA,CAAK,QAAQC,aAAAA,CAAc,MAAA,CAAA,IAAA,CAAY,GAAG,CAAC,CAAA,CAyDhDC,EAAN,MAAMC,CAAW,CA+TvB,WAAA,CACSC,CAAAA,CACAC,EACP,CAFO,IAAA,CAAA,UAAA,CAAAD,EACA,IAAA,CAAA,MAAA,CAAAC,CAAAA,CAER,IAAMrB,CAAAA,CAAa,IAAA,CAAK,QAAQ,QAAA,EAAU,iBAAA,CACvC,IAAIzC,CAAAA,CACJ,IAAA,CAEH,KAAK,UAAA,CAAa,IAAIqC,EACrB,IAAA,CAAK,MAAA,EAAQ,UAAU,WAAA,EAAeD,CAAAA,CAAY,cAClD,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,aAAA,EAAiB,CACvC,IAAA,CACA,OACA,UAAA,CACA,WAAA,CACA,WACA,SAAA,CACA,QAAA,CACA,OACA,YAAA,CACA,SAAA,CACA,QACA,OAAA,CACA,KAAA,CACA,gBACA,eAAA,CACA,gBAAA,CACA,WACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACAK,CACD,EAGA,IAAMsB,CAAAA,CAAW,KAAK,MAAA,EAAQ,QAAA,EAAU,UACxC,IAAA,CAAK,gBAAA,CACJA,GAAU,QAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,2BAA6B,OAAA,CAAS,EAAE,EACrE,IAAA,CAAK,oBAAA,CACJA,GAAU,YAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,qBAAuB,IAAA,CAAM,EAAE,EAC5D,IAAA,CAAK,sBAAA,CACJA,GAAU,kBAAA,EACV,MAAA,CAAO,SAAS,OAAA,CAAQ,GAAA,CAAI,4BAA8B,IAAA,CAAM,EAAE,EAGnE,IAAMvB,CAAAA,CAAgB,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,CAC7D,IAAA,CACA,OACA,UAAA,CACA,WAAA,CACA,WACA,SAAA,CACA,QAAA,CACA,OACA,YAAA,CACA,SAAA,CACA,QACA,OAAA,CACA,KAAA,CACA,gBACA,eAAA,CACA,gBAAA,CACA,WACA,OAAA,CACA,QAAA,CACA,YACD,CAAA,CACA,IAAA,CAAK,aAAA,CAAgB,IAAIxF,CAAAA,CAAcwF,CAAa,EAGpD,IAAMwB,CAAAA,CAAO,YAAY,GAAA,CAAI,QAAA,CAAS,KAAK,CAAA,CACrCC,CAAAA,CAAYD,EAAO,KAAA,CAAQ,KAAA,CAE7BE,EAAqB,EAAC,CAC1B,GAAIF,CAAAA,CACH,GAAI,CAEH,IAAMG,CAAAA,CADMC,cAAc,MAAA,CAAA,IAAA,CAAY,GAAG,EACtB,OAAA,CAAQ,kBAAkB,EAI7CF,CAAAA,CAAW,CAAC,WAHQG,aAAAA,CACnBZ,CAAAA,CAAK,KAAKA,CAAAA,CAAK,OAAA,CAAQU,CAAM,CAAA,CAAG,MAAA,CAAQ,YAAY,CACrD,CAAA,CAAE,IACiC,EACpC,CAAA,KAAa,CACZD,CAAAA,CAAW,CAAC,WAAY,KAAK,EAC9B,CAGD,IAAMI,CAAAA,CAAS,QAAQ,GAAA,CAAI,QAAA,GAAa,QAAU,OAAA,CAAQ,GAAA,CAAI,OAG1D,IAAA,CAAK,MAAA,EAAQ,cAAgB,CAAC,IAAA,CAAK,WAAW,YAAA,GACjD,IAAA,CAAK,WAAW,YAAA,CAAe,IAAA,CAAK,OAAO,YAAA,CAAA,CAO5C,IAAMC,EAAc,CACnBd,CAAAA,CAAK,QAAQD,CAAAA,CAAW,CAAA,yBAAA,EAA4BS,CAAS,CAAA,CAAE,CAAA,CAC/DR,EAAK,OAAA,CAAQD,CAAAA,CAAW,6BAA6BS,CAAS,CAAA,CAAE,CACjE,CAAA,CAEMO,CAAAA,CACLD,CAAAA,CAAY,IAAA,CAAMrC,CAAAA,EAAS,CAAA,CAAA,UAAA,CAAWA,CAAC,CAAC,CAAA,EAAKqC,EAAY,CAAC,CAAA,CAE3D,KAAK,UAAA,CAAa,IAAIE,QAAQ,CAC7B,QAAA,CAAUD,EACV,UAAA,CAAY,IAAA,CAAK,QAAQ,UAAA,EAAY,UAAA,GAAeF,EAAS,CAAA,CAAI,CAAA,CAAA,CACjE,WAAY,IAAA,CAAK,MAAA,EAAQ,YAAY,UAAA,GAAeA,CAAAA,CAAS,EAAI,CAAA,CAAA,CACjE,WAAA,CACC,KAAK,MAAA,EAAQ,UAAA,EAAY,cAAgBA,CAAAA,CAAS,GAAA,CAAM,KACzD,QAAA,CAAU,MAAA,CACV,UAAW,IAAII,UAAAA,CACf,SAAAR,CAAAA,CAGA,cAAA,CAAgB,CACf,sBAAA,CACC,IAAA,CAAK,QAAQ,UAAA,EAAY,SAAA,EACzB,OAAO,QAAA,CAAS,OAAA,CAAQ,IAAI,uBAAA,EAA2B,IAAA,CAAM,EAAE,CACjE,CACD,CAAC,CAAA,CAKD,IAAA,CAAK,SACJ,6BAAA,CACA,+BAAA,CACA,sFACA,YAAA,CACA,IAAM,QAAQ,OAAA,CAAQ,IAAA,CAAK,mBAAmB,CAC/C,EACD,CAvcQ,UAAA,CACP,IAAI,GAAA,CACG,eAAA,CAGJ,IAAI,GAAA,CACS,YAAA,CAAe,KAAU,EAAA,CAAK,GAAA,CAC9B,mBAAqB,CAAA,CACrB,oBAAA,CAAuB,GAAK,GAAA,CAGrC,eAAA,CAAyC,IAAI,GAAA,CACpC,oBAAA,CACA,gBAAA,CAGT,iBAA6B,EAAC,CACrB,uBAGA,aAAA,CAET,KAAA,CAUJ,IAAI,GAAA,CACA,SAAA,CAGJ,IAAI,GAAA,CACA,OAAA,CAQJ,IAAI,GAAA,CACA,YAAA,CAA+C,KAC/C,cAAA,CAA4C,GAE5C,UAAA,CACA,UAAA,CACA,SAA4B,IAAA,CAC5B,SAAA,CAAkC,KAClC,SAAA,CAA2B,IAAA,CAC3B,SAGJ,IAAI,GAAA,CAGR,OAAwB,kBAAA,CACvB,2EAAA,CAEO,aAAaS,CAAAA,CAAgC,CACpD,IAAMC,CAAAA,CAAUD,CAAAA,CAAQ,MAAMf,CAAAA,CAAW,kBAAkB,EAC3D,OAAOgB,CAAAA,EAAS,QAAQ,KAAA,CAAQA,CAAAA,CAAQ,OAAO,KAAA,CAAM,IAAA,GAAS,IAC/D,CAEQ,iBAAiB/D,CAAAA,CAAyB,CACjD,GAAI,OAAOA,CAAAA,EAAU,SAAU,OAAOA,CAAAA,CACtC,IAAML,CAAAA,CAAUK,CAAAA,CAAM,MAAK,CAC3B,GACEL,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,WAAW,GAAG,CAAA,EAAKA,EAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,KAAA,CAAMA,CAAO,CAC1B,CAAA,KAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEQ,mBACPgE,CAAAA,CACAC,CAAAA,CACAC,EACgB,CAEhB,GAAIA,EAAQ,CACX,IAAMH,EAAUE,CAAAA,CAAM,OAAA,CAAQ,OAAQ,GAAG,CAAA,CAEzC,GAAIC,CAAAA,CAAO,uBAAA,EACoB,CAG7B,8EAAA,CACA,gHACD,EAC0B,IAAA,CAAM7C,CAAAA,EAAMA,EAAE,IAAA,CAAK0C,CAAO,CAAC,CAAA,CACpD,OAAO,0EAIT,GAAIG,CAAAA,CAAO,uBAAuB,IAAA,CAAM7C,CAAAA,EAAMA,EAAE,IAAA,CAAK0C,CAAO,CAAC,CAAA,CAC5D,OAAO,yDAET,CAGA,IAAMI,EAAiB,IAAA,CAAK,aAAA,CAAc,QAAQF,CAAK,CAAA,CACvD,OAAIE,CAAAA,CACI,CAAA,2BAAA,EAA8BA,EAAe,MAAM,CAAA,CAAA,CAGpD,IACR,CAEQ,oBAAA,CACPC,EACAC,CAAAA,CACAH,CAAAA,CACgB,CAChB,GAAI,CAACA,EAAQ,OAAO,IAAA,CACpB,IAAMnC,CAAAA,CAAS,IAAA,CAAK,iBAAiBsC,CAAM,CAAA,CAE3C,GAAIH,CAAAA,CAAO,YAAA,CAAc,CAkBxB,IAAMI,CAAAA,CAAAA,CAbmB,IAAM,CAC9B,GAAI,EAAEJ,CAAAA,CAAO,YAAA,YAAwBK,IAAE,SAAA,CAAA,CACtC,OAAOL,CAAAA,CAAO,YAAA,CAEf,IAAMnF,CAAAA,CAAMmF,EAAO,YAAA,CAEnB,OAAMnF,EAAI,IAAA,CAAK,QAAA,YAAoBwF,IAAE,QAAA,CAI9BxF,CAAAA,CAAI,QAAO,CAHVA,CAIT,IAAG,CAEkC,SAAA,CAAUgD,CAAM,CAAA,CACrD,GAAI,CAACuC,CAAAA,CAAa,OAAA,CAGjB,OAAO,CAAA,mCAAA,EAAsCF,CAAQ,KAAKE,CAAAA,CAAa,KAAA,CAAM,OAC3E,GAAA,CAAKE,CAAAA,EAAM,GAAGA,CAAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAA,EAAK,QAAQ,CAAA,CAAA,EAAIA,CAAAA,CAAE,OAAO,CAAA,CAAE,CAAA,CACzD,KACA,IACD,CAAC,kIAEJ,CAEA,OACCN,EAAO,uBAAA,EACP,IAAA,CAAK,+BACJ,IAAA,CAAK,8BAAA,CAA+BnC,CAAM,CAAA,CAC1CmC,CAAAA,CAAO,wBACP,IAAA,CAAK,cAAA,CAAe,MACrB,CAAA,CAGC,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,QACzB,OAAA,CAAQ,GAAA,CAAI,mBAAqB,GAAA,CAG/B,gPAAA,CACA,iFAGG,IACR,CAOQ,+BAA+BlE,CAAAA,CAAyB,CAC/D,GAAI,OAAOA,CAAAA,EAAU,SAAU,CAC9B,IAAML,EAAUK,CAAAA,CAAM,IAAA,GACtB,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,SAAS,GAAG,CAAA,EAC/CA,EAAQ,UAAA,CAAW,GAAG,GAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,CAEhD,GAAI,CACH,OAAO,IAAA,CAAK,+BAA+B,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAC,CAC/D,MAAQ,CACP,OAAOK,CACR,CAED,OAAOA,CACR,CAEA,GAAI,CAACA,CAAAA,EAAS,OAAOA,GAAU,QAAA,CAC9B,OAAOA,EAGR,IAAMyE,CAAAA,CAAMzE,EACZ,GAAI,CAAC,MAAM,OAAA,CAAQyE,CAAAA,CAAI,OAAO,CAAA,EAAKA,CAAAA,CAAI,OAAA,CAAQ,SAAW,CAAA,CACzD,OAAOzE,EAGR,IAAM0E,CAAAA,CAAkB,EAAC,CACzB,IAAA,IAAWC,KAAQF,CAAAA,CAAI,OAAA,CACtB,GAAIE,CAAAA,EAAQ,OAAOA,GAAS,QAAA,EAAY,MAAA,GAAUA,EAAM,CACvD,IAAMC,EAAKD,CAAAA,CAA4B,IAAA,CACnC,OAAOC,CAAAA,EAAM,QAAA,EAChBF,EAAM,IAAA,CAAKE,CAAC,EAEd,CAED,GAAIF,EAAM,MAAA,GAAW,CAAA,CACpB,OAAO1E,CAAAA,CAGR,IAAM6E,EAASH,CAAAA,CAAM,MAAA,GAAW,EAAIA,CAAAA,CAAM,CAAC,CAAA,CAAIA,CAAAA,CAAM,IAAA,CAAK;AAAA,CAAI,CAAA,CAC9D,OAAO,IAAA,CAAK,8BAAA,CAA+BG,CAAM,CAClD,CAEQ,8BAAA,CACP7E,CAAAA,CACA8E,CAAAA,CACAC,CAAAA,CACU,CACV,IAAMC,CAAAA,CACL,OAAOF,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,aAAA,EAAkB,QAAA,CAChCA,CAAAA,CAAU,aAAA,CACV,EAAA,CACEG,CAAAA,CACL,OAAOH,CAAAA,EAAc,QAAA,EACrB,OAAOA,CAAAA,CAAU,oBAAA,EAAyB,SAAA,CACvCA,CAAAA,CAAU,oBAAA,CACV,IAAA,CAEJ,GAAI,OAAO9E,CAAAA,EAAU,QAAA,CAAU,CAC9B,IAAML,CAAAA,CAAUK,CAAAA,CAAM,IAAA,EAAK,CAC3B,GACEL,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,CAAA,EAC/CA,CAAAA,CAAQ,UAAA,CAAW,GAAG,CAAA,EAAKA,CAAAA,CAAQ,QAAA,CAAS,GAAG,EAEhD,GAAI,CACH,OAAO,IAAA,CAAK,8BAAA,CACX,IAAA,CAAK,KAAA,CAAMA,CAAO,CAAA,CAClBmF,CAAAA,CACAC,CACD,CACD,CAAA,KAAQ,CACP,OAAO,MACR,CAED,OAAO,MACR,CAEA,GAAI,KAAA,CAAM,OAAA,CAAQ/E,CAAK,CAAA,CACtB,OACCA,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOkF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAG3DlF,CAAAA,CAAM,MAAA,CAASgF,CAAAA,CACX,IAAA,CAEDhF,CAAAA,CAAM,IAAA,CAAMkF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAIA/E,CAAAA,CAAM,MAAA,CAAS,CAAA,EACfA,CAAAA,CAAM,KAAA,CAAOkF,CAAAA,EAAS,OAAOA,CAAAA,EAAS,QAAA,EAAYA,CAAAA,GAAS,IAAI,CAAA,CAE1D,CAAAD,CAAAA,CAICjF,EAAM,IAAA,CAAMkF,CAAAA,EAClB,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAMJ,CAAAA,CAAWC,CAAY,CAClE,CAAA,CAGD,GAAI/E,CAAAA,EAAS,OAAOA,CAAAA,EAAU,QAAA,CAAU,CACvC,IAAMmF,CAAAA,CAAO,MAAA,CAAO,IAAA,CAAKnF,CAAgC,CAAA,CAkBzD,OAdI+E,CAAAA,GAAiB,MAAA,EAAaA,CAAAA,CAAe,CAAA,EAAKA,CAAAA,CAAe,EAAA,GAChEI,CAAAA,CAAK,MAAA,CAAS,CAAA,EAEH,MAAA,CAAO,OAAOnF,CAAgC,CAAA,CAErD,IAAA,CACLoF,CAAAA,EAAM,KAAA,CAAM,OAAA,CAAQA,CAAC,CAAA,EAAM,OAAOA,CAAAA,EAAM,QAAA,EAAYA,CAAAA,GAAM,IAC5D,CAAA,CAAA,EAOED,CAAAA,CAAK,MAAA,CAASH,CAAAA,CACV,IAAA,CAGD,MAAA,CAAO,MAAA,CAAOhF,CAAgC,CAAA,CAAE,IAAA,CAAMI,CAAAA,EAC5D,IAAA,CAAK,8BAAA,CAA+BA,CAAAA,CAAO0E,CAAAA,CAAWC,CAAY,CACnE,CACD,CAEA,OAAO,MACR,CAiJQ,iBAAA,EAA4B,CACnC,IAAMM,CAAAA,CAAQ,CACb,gCAAA,CACA,kCAAA,CACA,EAAA,CACA,SAAA,CACA,EAAA,CACA,mBAAA,CACA,2BAAA,CACA,qBAAA,CACA,QAAA,CACA,EAAA,CACA,sBAAA,CACA,sDAAA,CACA,uCAAA,CACA,iDAAA,CACA,uDAAA,CACA,EAAA,CACA,uBAAA,CACA,sDAAA,CACA,gEAAA,CACA,kDACD,CAAA,CAEA,OAAI,IAAA,CAAK,MAAA,EAAQ,QAAA,EAAU,eAAe,MAAA,EACzCA,CAAAA,CAAM,IAAA,CACL,CAAA,qBAAA,EAAwB,IAAA,CAAK,MAAA,CAAO,QAAA,CAAS,aAAA,CAAc,IAAA,CAAK,IAAI,CAAC,CAAA,CACtE,CAAA,CAGDA,CAAAA,CAAM,IAAA,CACL,EAAA,CACA,8BACA,4EAAA,CACA,4EAAA,CACA,kEAAA,CACA,mEAAA,CACA,EAAA,CACA,cAAA,CACA,iEAAA,CACA,gDAAA,CACA,EAAA,CACA,0BAAA,CACA,iEAAA,CACA,sEAAA,CACA,EAAA,CACA,sBAAA,CACA,8DACD,CAAA,CAEOA,EAAM,IAAA,CAAK;AAAA,CAAI,CACvB,CAWQ,yBAAA,CACPC,EACAC,CAAAA,CAAQ,CAAA,CACC,CAET,GAAIA,CAAAA,CAAQ,CAAA,CAAG,OAAO,QAEtB,IAAMC,CAAAA,CAAaF,EAAO,IAAA,CACpBG,CAAAA,CAAaH,EAAO,UAAA,CAGpBI,CAAAA,CAAQJ,CAAAA,CAAO,KAAA,CAGrB,OAAIG,CAAAA,CAgBI,CAAA,CAAA,EAfQ,OAAO,OAAA,CAAQA,CAAU,EAAE,GAAA,CAAI,CAAC,CAACrD,CAAAA,CAAKrE,CAAI,IAAM,CAC9D,IAAM4H,EAAW5H,CAAAA,CAAK,IAAA,CACtB,GAAI4H,CAAAA,GAAa,OAAA,EAAW5H,CAAAA,CAAK,KAAA,CAAO,CACvC,IAAM6H,CAAAA,CAAS,KAAK,yBAAA,CACnB7H,CAAAA,CAAK,MACLwH,CAAAA,CAAQ,CACT,EACA,OAAO,CAAA,EAAGnD,CAAG,CAAA,UAAA,EAAawD,CAAM,GACjC,CACA,GAAID,IAAa,QAAA,EAAY5H,CAAAA,CAAK,UAAA,CAAY,CAC7C,IAAM6H,CAAAA,CAAS,IAAA,CAAK,0BAA0B7H,CAAAA,CAAMwH,CAAAA,CAAQ,CAAC,CAAA,CAC7D,OAAO,GAAGnD,CAAG,CAAA,CAAA,EAAIwD,CAAM,CAAA,CAAA,CACxB,CACA,OAAO,CAAA,EAAGxD,CAAG,IAAIuD,CAAAA,EAAY,SAAS,CAAA,CAAA,CACvC,CAAC,EACiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA,CAAA,CAIzBH,CAAAA,GAAe,SAAWE,CAAAA,CAEtB,CAAA,SAAA,EADc,KAAK,yBAAA,CAA0BA,CAAAA,CAAOH,EAAQ,CAAC,CACrC,GAI5BC,CAAAA,EACG,MAAA,CAAO,KAAKF,CAAM,CAAA,CAAE,IAAA,CAAK,IAAI,CACrC,CAKA,MAAa,QACZO,CAAAA,CAOI,GACY,CAChB,OAAO,KAAK,aAAA,CAAcA,CAAO,CAClC,CAKO,IAAA,CACN/G,EACAgH,CAAAA,CACAC,CAAAA,CACAC,EACA9B,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,MAAM,GAAA,CAAIpF,CAAI,EACtB,MAAM,IAAI,MAAM,CAAA,yBAAA,EAA4BA,CAAI,EAAE,CAAA,CAGnD,IAAMwG,EAASf,GAAAA,CAAE,MAAA,CAAOwB,CAAK,CAAA,CACvBE,CAAAA,CAAkBC,gBAAgBZ,CAAM,CAAA,CAE1Ca,CAAAA,CAAmBL,CAAAA,CACnBM,EAAeJ,CAAAA,CAGnB,GAAID,EAAM,OAAA,EAAWA,CAAAA,CAAM,mBAAmBxB,GAAAA,CAAE,SAAA,CAAW,CAC1D,IAAM8B,CAAAA,CAAc,KAAK,MAAA,EAAQ,QAAA,EAAU,eAAiB,EAAC,CAe7D,GAVAF,CAAAA,EACC;;AAAA,sMAAA,CAAA,CAKGE,CAAAA,CAAY,MAAA,CAAS,CAAA,GACxBF,CAAAA,EAAoB;AAAA,mBAAA,EAAwBE,CAAAA,CAAY,IAAA,CAAK,IAAI,CAAC,KAG/D,IAAA,CAAK,YAAA,CAAc,CACtB,IAAMC,EAAe,IAAA,CAAK,yBAAA,CAA0B,IAAA,CAAK,YAAY,EACrEH,CAAAA,EAAoB;AAAA,gBAAA,EAAqBG,CAAY,+CACtD,CAEAF,CAAAA,CAAe,MACdG,CAAAA,CACAC,CAAAA,GACI,CACJ,IAAMC,CAAAA,CAAW,oBACXC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfC,CAAAA,CAAQ,KAAK,eAAA,CAAgB,GAAA,CAAIF,CAAQ,CAAA,EAAK,CACnD,QAAA,CAAU,EACV,WAAA,CAAa,CACd,EAEA,GACCE,CAAAA,CAAM,UAAY,IAAA,CAAK,kBAAA,EACvBD,EAAMC,CAAAA,CAAM,WAAA,CAAc,KAAK,oBAAA,CAE/B,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,mEACP,CACD,CAAA,CACA,QAAS,IACV,CAAA,CAGD,IAAMC,CAAAA,CAAgBL,CAAAA,CACpB,QACIM,CAAAA,CACJN,CAAAA,CAAiC,0BAA4B,IAAA,CAEzDO,CAAAA,CAAcC,EAClB,UAAA,CAAW,QAAQ,EACnB,MAAA,CAAOH,CAAY,EACnB,MAAA,CAAO,KAAK,CAAA,CACR3C,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAa2C,CAAY,CAAA,CACtCI,CAAAA,CAAS,KAAK,UAAA,CAAW,GAAA,CAAIF,CAAW,CAAA,CAE9C,GACC,CAACD,CAAAA,EACDG,CAAAA,EACAN,CAAAA,CAAMM,EAAO,SAAA,CAAY,IAAA,CAAK,cAG1B/C,CAAAA,CAAO,CACTsC,EAAiC,OAAA,CAAUtC,CAAAA,CAG5C,IAAMgD,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5BnI,EACAmF,CAAAA,CACAC,CACD,EACA,OAAI+C,CAAAA,CACI,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,IACV,EAEM,MAAM,IAAA,CAAK,mBAAA,CAAoBV,CAAAA,CAAMtC,CAAAA,CAAOnF,CAAI,CACxD,CAGD,GAAI,CAACmF,CAAAA,CACJ,OAAA0C,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,gBAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,CACjC,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,gKACP,CACD,CAAA,CACA,OAAA,CAAS,IACV,CAAA,CAGD,GAAI,CAGH,IAAM1C,CAAAA,CAAQ,KAAK,YAAA,CACjBsC,CAAAA,CAAiC,OACnC,CAAA,CAECA,CAAAA,CAAiC,QAAUtC,CAAAA,CAG5C,IAAMgD,EAAkB,IAAA,CAAK,kBAAA,CAAmBnI,CAAAA,CAAMmF,CAAAA,CAAOC,CAAM,CAAA,CACnE,GAAI+C,CAAAA,CACH,OAAAN,EAAM,QAAA,EAAA,CACNA,CAAAA,CAAM,YAAcD,CAAAA,CACpB,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,EACjC,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,OAAQ,IAAA,CAAMM,CAAgB,CAAC,CAAA,CACjD,OAAA,CAAS,CAAA,CACV,EAGD,IAAM5G,CAAAA,CAAS,MAAM,IAAA,CAAK,mBAAA,CAAoBkG,EAAMtC,CAAAA,CAAOnF,CAAI,EAE/D,OAAKuB,CAAAA,CAAO,SAUXsG,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,CAAAA,CAAUE,CAAK,CAAA,GAXxC,IAAA,CAAK,gBAAgB,GAAA,CAAIF,CAAAA,CAAU,CAClC,QAAA,CAAU,CAAA,CACV,YAAaC,CACd,CAAC,EACD,IAAA,CAAK,UAAA,CAAW,IAAII,CAAAA,CAAa,CAChC,KAAMA,CAAAA,CACN,SAAA,CAAWJ,CACZ,CAAC,CAAA,CAAA,CAOKrG,CACR,CAAA,MAASrE,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,CAAAA,CACV,OAAA2K,CAAAA,CAAM,QAAA,EAAA,CACNA,EAAM,WAAA,CAAcD,CAAAA,CACpB,KAAK,eAAA,CAAgB,GAAA,CAAID,EAAUE,CAAK,CAAA,CACjC,CACN,OAAA,CAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,CAAA,2BAAA,EAA8BrG,CAAAA,CAAE,OAAO,EAAG,CACjE,CAAA,CACA,QAAS,IACV,CACD,CACD,EACD,CAEA,IAAM4G,CAAAA,CAAc,CACnB,IAAA,CAAM,SACN,UAAA,CAAajB,CAAAA,CAA4C,YAAc,EAAC,CACxE,SAAWA,CAAAA,CAA4C,QACxD,CAAA,CAEA,IAAA,CAAK,KAAA,CAAM,GAAA,CAAInH,EAAM,CACpB,IAAA,CAAM,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAaqH,CAAAA,CAAkB,WAAA,CAAAe,CAAY,CAAA,CACzD,OAAA,CAASd,EACT,MAAA,CAAAd,CAAAA,CACA,OAAApB,CACD,CAAC,EAGG,IAAA,CAAK,QAAA,EACR,IAAA,CAAK,QAAA,CAAS,kBAAA,CAAmBpF,CAAI,EAAE,KAAA,CAAOqI,CAAAA,EAAQ,CACrDjL,GAAAA,CAAI,IAAA,CACH,4CAA4C4C,CAAI,CAAA,EAAA,EAAKqI,CAAAA,CAAI,OAAO,CAAA,CACjE,EACD,CAAC,EAEH,CAKO,OACNrI,CAAAA,CACAgH,CAAAA,CACAS,EACAP,CAAAA,CAGO,CACP,GAAI,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAIlH,CAAI,CAAA,CACxB,MAAM,IAAI,KAAA,CAAM,CAAA,2BAAA,EAA8BA,CAAI,CAAA,CAAE,CAAA,CAErD,KAAK,OAAA,CAAQ,GAAA,CAAIA,EAAM,CACtB,MAAA,CAAQ,CAAE,IAAA,CAAAA,CAAAA,CAAM,YAAAgH,CAAAA,CAAa,SAAA,CAAWS,CAAK,CAAA,CAC7C,OAAA,CAAAP,CACD,CAAC,EACF,CAKO,wBAA+B,CACrC,IAAA,CAAK,OACJ,oBAAA,CACA,yKAAA,CACA,EAAC,CACAoB,CAAAA,GACO,CACN,YAAa,iCAAA,CACb,QAAA,CAAU,CACT,CACC,IAAA,CAAM,OACN,OAAA,CAAS,CACR,IAAA,CAAM,MAAA,CACN,IAAA,CAAM,CAAA;AAAA;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,4IAAA,EAcL,KAAK,YAAA,CACF;;AAAA;AAAA,EAA0C,IAAA,CAAK,UAAU,IAAA,CAAK,YAAA,CAAc,KAAM,CAAC,CAAC,GACpF,EACJ;;AAAA,yDAAA,CAGD,CACD,CACD,CACD,CAAA,CAEF,EACD,CAKO,QAAA,CACNtI,EACAuI,CAAAA,CACAvB,CAAAA,CACAwB,EACAC,CAAAA,CACO,CACP,GAAI,IAAA,CAAK,SAAA,CAAU,IAAIF,CAAG,CAAA,CACzB,MAAM,IAAI,KAAA,CAAM,oCAAoCA,CAAG,CAAA,CAAE,EAE1D,IAAA,CAAK,SAAA,CAAU,IAAIA,CAAAA,CAAK,CAAE,KAAAvI,CAAAA,CAAM,GAAA,CAAAuI,EAAK,WAAA,CAAAvB,CAAAA,CAAa,SAAAwB,CAAAA,CAAU,OAAA,CAAAC,CAAQ,CAAC,EACtE,CAKO,cAAA,CACNjC,CAAAA,CACAxG,EAAe,gCAAA,CACfuI,CAAAA,CAAc,uBACdvB,CAAAA,CAAsB,sEAAA,CACf,CACP,IAAA,CAAK,YAAA,CAAeR,EAIpB,IAAMgB,CAAAA,CAAe,KAAK,yBAAA,CAA0BhB,CAAM,EAC1D,IAAA,GAAW,CAAClB,EAAUoD,CAAK,CAAA,GAAK,KAAK,KAAA,CAAM,OAAA,GAEzCA,CAAAA,CAAM,MAAA,CAAO,MAAM,OAAA,EACnBA,CAAAA,CAAM,OAAO,KAAA,CAAM,OAAA,YAAmBjD,IAAE,SAAA,EACxCiD,CAAAA,CAAM,KAAK,WAAA,EACX,CAACA,EAAM,IAAA,CAAK,WAAA,CAAY,SAAS,iBAAiB,CAAA,GAElDA,CAAAA,CAAM,IAAA,CAAK,WAAA,EAAe;AAAA,gBAAA,EAAqBlB,CAAY,CAAA,wBAAA,EAA2Be,CAAG,CAAA,CAAA,CACzF,IAAA,CAAK,MAAM,GAAA,CAAIjD,CAAAA,CAAUoD,CAAK,CAAA,CAAA,CAIhC,KAAK,QAAA,CACJ1I,CAAAA,CACAuI,CAAAA,CACAvB,CAAAA,CACA,mBACA,IAAA,CAAK,SAAA,CAAUR,CAAAA,CAAQ,IAAA,CAAM,CAAC,CAC/B,EACD,CAKO,aAAA,EAAsB,CAC5B,IAAA,CAAK,UAAA,CAAW,KAAA,EAAM,CACtBpJ,IAAI,IAAA,CAAK,iDAAiD,EAC3D,CAQQ,sBAAA,CAAuBkI,EAAyC,CACvE,IAAMsC,CAAAA,CAAM,IAAA,CAAK,KAAI,CACfe,CAAAA,CAAW,IAAA,CAAK,gBAAA,CAChBC,EAAe,IAAA,CAAK,oBAAA,CAIpBC,CAAAA,CAAAA,CAFS,IAAA,CAAK,gBAAgB,GAAA,CAAIvD,CAAQ,CAAA,EAAK,IAE/B,MAAA,CAAQQ,CAAAA,EAAM8B,CAAAA,CAAM9B,CAAAA,CAAI6C,CAAQ,CAAA,CAEtD,GAAIE,CAAAA,CAAO,MAAA,EAAUD,EAAc,CAClC,IAAME,CAAAA,CAAgB,IAAA,CAAK,MAAMD,CAAAA,CAAO,CAAC,EAAIF,CAAAA,CAAWf,CAAAA,EAAO,GAAI,CAAA,CACnE,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,wCAAwCtC,CAAQ,CAAA,MAAA,EACzCsD,CAAY,CAAA,KAAA,EAAQD,EAAW,GAAI,CAAA,sBAAA,EAC3BG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,OAAA,CAAS,IACV,CACD,CAEA,OAAAD,CAAAA,CAAO,IAAA,CAAKjB,CAAG,EACf,IAAA,CAAK,eAAA,CAAgB,GAAA,CAAItC,CAAAA,CAAUuD,CAAM,CAAA,CAClC,IACR,CAOQ,oBAAA,EAA8C,CACrD,IAAMjB,CAAAA,CAAM,IAAA,CAAK,GAAA,EAAI,CACfe,EAAW,IAAA,CAAK,gBAAA,CAChBI,CAAAA,CAAY,IAAA,CAAK,uBAMvB,GAJA,IAAA,CAAK,gBAAA,CAAmB,IAAA,CAAK,iBAAiB,MAAA,CAC5CjD,CAAAA,EAAM8B,EAAM9B,CAAAA,CAAI6C,CAClB,EAEI,IAAA,CAAK,gBAAA,CAAiB,MAAA,EAAUI,CAAAA,CAAW,CAC9C,IAAMD,CAAAA,CAAgB,IAAA,CAAK,IAAA,CAAA,CACzB,KAAK,gBAAA,CAAiB,CAAC,CAAA,CAAIH,CAAAA,CAAWf,GAAO,GAC/C,CAAA,CACA,OAAO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CACC,sDACOmB,CAAS,CAAA,iBAAA,EAAoBJ,CAAAA,CAAW,GAAI,yBACpCG,CAAa,CAAA,EAAA,CAC9B,CACD,CAAA,CACA,QAAS,IACV,CACD,CAEA,OAAA,IAAA,CAAK,iBAAiB,IAAA,CAAKlB,CAAG,CAAA,CACvB,IACR,CAKA,MAAa,QAAA,CAASoB,CAAAA,CAAmD,CACxE,IAAMN,CAAAA,CAAQ,IAAA,CAAK,KAAA,CAAM,GAAA,CAAIM,EAAQ,IAAI,CAAA,CACzC,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,gBAAA,EAAmBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAIlD,IAAMC,CAAAA,CAAoB,KAAK,oBAAA,EAAqB,CACpD,GAAIA,CAAAA,CAAmB,OAAOA,CAAAA,CAC9B,IAAMC,CAAAA,CAAkB,IAAA,CAAK,uBAAuBF,CAAAA,CAAQ,IAAI,CAAA,CAChE,GAAIE,EAAiB,OAAOA,CAAAA,CAE5B,GAAI,CAEH,IAAMC,CAAAA,CAAaT,CAAAA,CAAM,MAAA,CAAO,KAAA,CAAMM,EAAQ,SAAA,EAAa,EAAE,CAAA,CAW7D,GAPEA,EAAQ,SAAA,EACN,uBAAA,GAA4B,CAAA,CAAA,GAE9BG,CAAAA,CAAuC,wBAA0B,CAAA,CAAA,CAAA,CAKlEA,CAAAA,EACA,OAAQA,CAAAA,CAAuC,SAAY,QAAA,CAC1D,CACD,IAAMnE,CAAAA,CAAWmE,EACf,OAAA,CACIhE,CAAAA,CAAQ,IAAA,CAAK,YAAA,CAAaH,CAAO,CAAA,CACvC,GAAIG,CAAAA,CAAO,CACV,IAAMgD,CAAAA,CAAkB,IAAA,CAAK,kBAAA,CAC5Ba,CAAAA,CAAQ,KACR7D,CAAAA,CACAuD,CAAAA,CAAM,MACP,CAAA,CACA,OAAIP,CAAAA,CACI,CACN,QAAS,CAAC,CAAE,KAAM,MAAA,CAAQ,IAAA,CAAMA,CAAgB,CAAC,EACjD,OAAA,CAAS,CAAA,CACV,CAAA,EAEAgB,CAAAA,CAAuC,QAAUhE,CAAAA,CAC3C,MAAM,IAAA,CAAK,mBAAA,CACjBgE,EACAhE,CAAAA,CACA6D,CAAAA,CAAQ,IACT,CAAA,CACD,CACD,CAGA,OADe,MAAMN,CAAAA,CAAM,OAAA,CAAQS,EAAY,EAAE,CAElD,CAAA,MAASjM,EAAgB,CACxB,IAAMsE,CAAAA,CAAItE,CAAAA,CACV,OAAIsE,CAAAA,YAAaiE,GAAAA,CAAE,SACX,CACN,OAAA,CAAS,CAAC,CAAE,IAAA,CAAM,MAAA,CAAQ,IAAA,CAAM,qBAAqBjE,CAAAA,CAAE,OAAO,CAAA,CAAG,CAAC,EAClE,OAAA,CAAS,IACV,CAAA,CAEM,CACN,QAAS,CACR,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAM,CAAA,0BAAA,EAA6BA,CAAAA,CAAE,OAAO,CAAA,CAAG,CAChE,CAAA,CACA,OAAA,CAAS,IACV,CACD,CACD,CAKO,SAAA,EAAoB,CAC1B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,MAAM,MAAA,EAAQ,EAAE,GAAA,CAAKsE,CAAAA,EAAMA,CAAAA,CAAE,IAAI,CACzD,CAKO,WAAA,EAAwB,CAC9B,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,OAAA,CAAQ,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKvD,CAAAA,EAAMA,CAAAA,CAAE,MAAM,CAC7D,CAKA,MAAa,SAAA,CAAUyG,EAAqD,CAC3E,IAAMN,CAAAA,CAAQ,IAAA,CAAK,QAAQ,GAAA,CAAIM,CAAAA,CAAQ,IAAI,CAAA,CAC3C,GAAI,CAACN,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,qBAAqBM,CAAAA,CAAQ,IAAI,CAAA,CAAE,CAAA,CAEpD,OAAO,MAAMN,CAAAA,CAAM,OAAA,CAAQM,CAAO,CACnC,CAKO,aAAA,EAA4B,CAClC,OAAO,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAC1C,CAKA,MAAa,YAAA,CAAaT,EAEvB,CACF,IAAMa,CAAAA,CAAW,IAAA,CAAK,UAAU,GAAA,CAAIb,CAAG,CAAA,CACvC,GAAI,CAACa,CAAAA,CACJ,MAAM,IAAI,KAAA,CAAM,CAAA,oBAAA,EAAuBb,CAAG,CAAA,CAAE,CAAA,CAG7C,IAAI/H,CAAAA,CAAO,0BACX,OAAI,OAAO4I,CAAAA,CAAS,OAAA,EAAY,WAC/B5I,CAAAA,CAAO,MAAM4I,CAAAA,CAAS,OAAA,GACZ,OAAOA,CAAAA,CAAS,SAAY,QAAA,CACtC5I,CAAAA,CAAO4I,EAAS,OAAA,CACNA,CAAAA,CAAS,WAAA,GACnB5I,CAAAA,CAAO4I,EAAS,WAAA,CAAA,CAGV,CACN,QAAA,CAAU,CACT,CACC,GAAA,CAAKA,CAAAA,CAAS,GAAA,CACd,QAAA,CAAUA,EAAS,QAAA,EAAY,YAAA,CAC/B,KAAA5I,CACD,CACD,CACD,CACD,CAEO,aAAA,EAA4B,CAClC,OAAO,IAAA,CAAK,UACb,CAEO,WAAA,EAA+B,CACrC,OAAO,IAAA,CAAK,QACb,CAKO,eAAe6I,CAAAA,CAAoC,CACzD,IAAA,CAAK,cAAA,CAAiBA,EACvB,CAEO,YAAA,EAA8B,CACpC,OAAO,KAAK,SACb,CAMA,MAAa,aAAA,CACZtC,EAOI,EAAC,CACW,CAChB,IAAMuC,EAAU,OAAA,CAAQ,GAAA,CAAI,eACzB,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAA,CAAI,cAAA,CAAgB,EAAE,CAAA,CAC9C,OACG1M,CAAAA,CAAOmK,CAAAA,CAAQ,IAAA,EAAQuC,CAAAA,EAAW,MAGxC,IAAA,CAAK,QAAA,CAAW,IAAIC,GAAAA,CAASxC,EAAQ,UAAU,CAAA,CAC/C,MAAM,IAAA,CAAK,QAAA,CAAS,OAAM,CAI1B,IAAMyC,CAAAA,CAAc,IAAA,CAAK,SACzB,IAAA,CAAK,QAAA,CAAS,uBAAA,CAAwB,IAAoB,CACzD,IAAMC,CAAAA,CAAQ,IAAA,CAAK,SAAA,GAAY,GAAA,CAAK3D,CAAAA,GAAO,CAC1C,IAAA,CAAMA,CAAAA,CAAE,KACR,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,WAAA,CAAaA,EAAE,WAChB,CAAA,CAAE,CAAA,CAEI4D,CAAAA,CAAY,MAAM,IAAA,CAAK,IAAA,CAAK,SAAA,CAAU,MAAA,EAAQ,CAAA,CAAE,GAAA,CAAKC,CAAAA,GAAO,CACjE,KAAMA,CAAAA,CAAE,IAAA,CACR,GAAA,CAAKA,CAAAA,CAAE,IACP,WAAA,CAAaA,CAAAA,CAAE,WAAA,CACf,QAAA,CAAUA,EAAE,QAAA,CACZ,IAAA,CAAM,OAAOA,CAAAA,CAAE,SAAY,QAAA,CAAWA,CAAAA,CAAE,QAAUA,CAAAA,CAAE,WACrD,EAAE,CAAA,CAEF,OAAO,CACN,MAAA,CAAQH,EAAY,SAAA,EAAU,CAC9B,QAAA,CAAU5M,CAAAA,CACV,MAAA6M,CAAAA,CACA,SAAA,CAAAC,CAAAA,CACA,UAAA,CAAY,KAAK,UAClB,CACD,CAAC,CAAA,CAGD,IAAA,IAAWE,KAAQ,IAAA,CAAK,SAAA,EAAU,CACjC,MAAM,KAAK,QAAA,CAAS,kBAAA,CAAmBA,CAAAA,CAAK,IAAI,EAAE,KAAA,CAAMxM,GAAAA,CAAI,IAAI,CAAA,CAIjE,MAAM,IAAA,CAAK,QAAA,CAAS,kBAAiB,CAAE,KAAA,CAAMA,IAAI,IAAI,CAAA,CAGrD,IAAA,CAAK,SAAA,CAAY,IAAIX,CAAAA,CAErB,IAAA,CAAK,SAAA,CAAU,UAAA,CAAW,CACzB,eAAA,CAAiB,CAAC+C,CAAAA,CAAMtB,CAAAA,GAAa,CACpC,IAAM8K,CAAAA,CAAUxJ,CAAAA,CAAK,OAAA,CACrBpC,IAAI,IAAA,CACH,CAAA,8CAAA,EAAiD4L,CAAAA,CAAQ,eAAe,EACzE,CAAA,CAGA,OAAO,qBAAwB,CAAA,CAAE,KAAK,MAAO,CAAE,eAAA,CAAAa,CAAgB,IAAM,CACpE,GAAM,CAAE,SAAA,CAAAC,CAAAA,CAAW,UAAAC,CAAU,CAAA,CAC5B,MAAMF,CAAAA,CAAgB,iBAAgB,CAEjCG,CAAAA,CAAe/B,CAAAA,CAAO,UAAA,GAC5B,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI+B,CAAAA,CAAc,CAC/B,eAAA,CAAiBhB,CAAAA,CAAQ,eAAA,CACzB,QAAA,CAAUe,CACX,CAAC,CAAA,CAED7L,CAAAA,CAAS,IAAA,CAAM,CACd,QAAA,CAAU,IAAA,CACV,aAAA,CAAe8L,CAAAA,CACf,cAAe,EAAA,CACf,gBAAA,CAAkBF,CACnB,CAAC,EACF,CAAC,EACF,EACA,YAAA,CAAc,MACbtK,GACI,CACJ,IAAMwJ,CAAAA,CAAUxJ,CAAAA,CAAK,QACrBpC,GAAAA,CAAI,IAAA,CACH,CAAA,kDAAA,EAAqD4L,CAAAA,CAAQ,aAAa,CAAA,CAC3E,CAAA,CAEA,IAAMiB,CAAAA,CAAU,KAAK,QAAA,CAAS,GAAA,CAAIjB,CAAAA,CAAQ,aAAa,EACvD,GAAI,CAACiB,CAAAA,CAAS,CACbzK,EAAK,IAAA,CAAK,OAAA,CAAS,CAClB,IAAA,CAAW0K,SAAO,eAAA,CAClB,OAAA,CAAS,uBACV,CAAC,EACD,MACD,CAEA,GAAI,CAEH,IAAMC,EAAiB,MAAM,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAYnB,CAAAA,CAAQ,cAAA,CACpB,YAAA,CAAc,MAAM,IAAA,CAAKiB,CAAAA,CAAQ,QAAQ,CAAA,CACzC,WAAYjB,CAAAA,CAAQ,WAAA,CACpB,OAAQA,CAAAA,CAAQ,MAAA,CAChB,SAAUA,CAAAA,CAAQ,SAAA,CAClB,OAAA,CAAS,IAAA,CAAK,eACd,YAAA,CAAcA,CAAAA,CAAQ,aAAA,CACtB,WAAA,CAAa,EACd,CAAC,CAAA,CAEGoB,CAAAA,CACJ,GAAI,CACHA,CAAAA,CACC,OAAOD,EAAe,MAAA,EAAW,QAAA,CAC9BA,EAAe,MAAA,CACf,IAAA,CAAK,SAAA,CAAUA,CAAAA,CAAe,MAAM,CAAA,CAGxC,IAAME,CAAAA,CAAU,IAAA,CAAK,MAAMD,CAAW,CAAA,CACtC,GAAIC,CAAAA,CAAQ,kBAAmB,CAC9BjN,GAAAA,CAAI,IAAA,CACH,CAAA,mCAAA,EAAsCiN,EAAQ,iBAAiB,CAAA,CAChE,CAAA,CACA,IAAMC,EAAa,MAAM,IAAA,CAAK,QAAA,CAAS,CACtC,KAAMD,CAAAA,CAAQ,iBAAA,CACd,SAAA,CAAWA,CAAAA,CAAQ,mBAAqB,EACzC,CAAC,CAAA,CACDD,CAAAA,CAAc,KAAK,SAAA,CAAUE,CAAU,EACxC,CACD,MAAQ,CACPF,CAAAA,CAAc,MAAA,CAAOD,CAAAA,CAAe,MAAM,EAC3C,CAEA,IAAMI,CAAAA,CAA0B,CAC/B,iBAAA,CAAmBH,CAAAA,CACnB,mBAAA,CAAqBI,MAAAA,CAAO,KAC3BL,CAAAA,CAAe,QAAA,EAAY,EAAA,CAC3B,KACD,EACA,UAAA,CAAYA,CAAAA,CAAe,UAAA,CACxBK,MAAAA,CAAO,KAAKL,CAAAA,CAAe,UAAA,CAAY,QAAQ,CAAA,CAC/CK,OAAO,IAAA,CAAK,EAAE,EACjB,QAAA,CAAU,CAAA,CACX,EAGM7L,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK,CAC5C,CAAE,IAAA,CAAM,MAAA,CAAQ,KAAMyL,CAAY,CACnC,CAAC,CAAA,CACKK,EAAuB,IAAA,CAAK,8BAAA,CACjC,IAAA,CAAK,8BAAA,CAA+BL,CAAW,CAChD,CAAA,CACA,GAAIzL,CAAAA,EAAa8L,EAAsB,CAEtC,IAAMC,CAAAA,CACL/L,CAAAA,EAAa,qCACdvB,GAAAA,CAAI,IAAA,CACH,CAAA,iDAAA,EAAoDsN,CAAc,EACnE,CAAA,CACAH,CAAAA,CAAS,kBACR,6EAAA,CACDA,CAAAA,CAAS,SAAW,CAAA,EACrB,CAEA/K,CAAAA,CAAK,KAAA,CAAM+K,EAAU,IAAM,CAC1B/K,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,MAAStC,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJyN,CAAAA,CACL,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,CAEpBC,CAAAA,CAASpJ,CAAAA,CAAE,OAAA,EAAW,OAAOtE,CAAK,CAAA,CACxCE,GAAAA,CAAI,KAAA,CAAM,+BAA+BwN,CAAM,CAAA,CAAE,EAOjD,IAAMC,CAAAA,CAA+B,CACpC,iBAAA,CANoBF,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,GAC1B,wGAAA,CAKF,mBAAA,CAAqBJ,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CACnC,UAAA,CAAYA,MAAAA,CAAO,IAAA,CAAK,EAAE,CAAA,CAC1B,QAAA,CAAU,IACX,CAAA,CAEA,GAAI,CACHhL,CAAAA,CAAK,KAAA,CAAMqL,CAAAA,CAAe,IAAM,CAC/BrL,CAAAA,CAAK,GAAA,GACN,CAAC,EACF,CAAA,KAAoB,CACnBA,CAAAA,CAAK,MACN,CACD,CACD,CACD,CAAC,EAED,IAAA,CAAK,SAAA,CAAY,MAAM,IAAA,CAAK,UAAU,MAAA,CAAO5C,CAAI,CAAA,CACjDQ,GAAAA,CAAI,KACH,CAAA,wDAAA,EAA2D,IAAA,CAAK,QAAA,CAAS,SAAA,EAAW,CAAA,CACrF,EACD,CAKA,MAAc,oBACb0N,CAAAA,CACAC,CAAAA,CACAzF,CAAAA,CAC0B,CAC1B,GAAI,CAEH,IAAM6E,CAAAA,CAAiB,MAAM,KAAK,UAAA,CAAW,GAAA,CAAI,CAChD,UAAA,CAAY,IAAI,UAAA,CAAW,CAAC,EAC5B,YAAA,CAAc,KAAA,CAAM,KAAK,IAAI,UAAA,CAAW,CAAC,CAAC,EAC1C,cAAA,CAAgB,IAAI,UAAA,CAAW,CAAC,EAChC,UAAA,CAAYK,MAAAA,CAAO,IAAA,CAAKO,CAAU,EAClC,MAAA,CAAQ,EAAC,CACT,OAAA,CAAS,KAAK,cAAA,CACd,YAAA,CAAc,iBAAA,CACd,WAAA,CAAa,EACd,CAAC,CAAA,CAUKtC,CAAAA,CAAU,CACf,CACC,IAAA,CAAM,MAAA,CACN,IAAA,CAViB,IAAA,CAAK,UAAU,CACjC,kBAAA,CAAoB0B,EAAe,MAAA,CACnC,QAAA,CAAUA,EAAe,QAAA,CACzB,UAAA,CAAYA,CAAAA,CAAe,UAAA,CAC3B,OAAQ,+BACT,CAAC,CAMA,CACD,EAEMa,CAAAA,CAAa1F,CAAAA,CAChB,IAAA,CAAK,KAAA,CAAM,IAAIA,CAAQ,CAAA,EAAG,OAC1B,KAAA,CAAA,CACG2F,CAAAA,CAAkB,KAAK,oBAAA,CAC5B3F,CAAAA,EAAY,cAAA,CACZ6E,CAAAA,CAAe,OACfa,CACD,CAAA,CACA,GAAIC,CAAAA,CAEH,OAAA7N,GAAAA,CAAI,IAAA,CACH,CAAA,qCAAA,EAAwCkI,CAAAA,EAAY,cAAc,CAAA,EAAA,EAAK2F,CAAe,EACvF,CAAA,CAWO,CACN,QAAS,CACR,CACC,IAAA,CAAM,MAAA,CACN,KAZF,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,aAAA,EACzB,QAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,OAAA,CAAQ,IAAI,gBAAA,GAAqB,GAAA,CAG/BA,CAAAA,CACA,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,CAAA,CACV,CAAA,CAID,IAAMtM,CAAAA,CAAY,MAAM,IAAA,CAAK,UAAA,CAAW,KAAK8J,CAAO,CAAA,CAC9CgC,CAAAA,CAAuB,IAAA,CAAK,+BACjCN,CAAAA,CAAe,MAChB,EACA,GAAIxL,CAAAA,EAAa8L,EAAsB,CAGtC,IAAMC,CAAAA,CACL/L,CAAAA,EACA,iGACD,OAAAvB,GAAAA,CAAI,IAAA,CACH,CAAA,qDAAA,EAAwDsN,CAAc,CAAA,CACvE,CAAA,CAWO,CACN,OAAA,CAAS,CACR,CACC,IAAA,CAAM,OACN,IAAA,CAZF,OAAA,CAAQ,IAAI,QAAA,GAAa,aAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,WAAa,MAAA,EACzB,OAAA,CAAQ,GAAA,CAAI,gBAAA,GAAqB,IAG/B,CAAA,kCAAA,EAAqCA,CAAc,CAAA,CAAA,CACnD,2IAOD,CACD,CAAA,CACA,OAAA,CAAS,EACV,CACD,CAEA,OAAO,CAAE,OAAA,CAAAjC,CAAQ,CAClB,OAASvL,CAAAA,CAAgB,CACxB,IAAMsE,CAAAA,CAAItE,EACJyN,CAAAA,CACL,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,eACzB,OAAA,CAAQ,GAAA,CAAI,QAAA,GAAa,MAAA,EACzB,QAAQ,GAAA,CAAI,gBAAA,GAAqB,GAAA,CAE5BC,CAAAA,CAASpJ,EAAE,OAAA,EAAW,MAAA,CAAOtE,CAAK,CAAA,CACxC,OAAAE,GAAAA,CAAI,KAAA,CAAM,CAAA,uCAAA,EAA0CwN,CAAM,EAAE,CAAA,CAMrD,CACN,QAAS,CACR,CACC,KAAM,MAAA,CACN,IAAA,CARkBD,CAAAA,CAClB,CAAA,iBAAA,EAAoBC,CAAM,CAAA,CAAA,CAC1B,wGAOD,CACD,CAAA,CACA,QAAS,IACV,CACD,CACD,CAMA,MAAa,KAAA,EAAuB,CAC/B,KAAK,UAAA,EACR,MAAM,KAAK,UAAA,CAAW,KAAA,CAAM,CAAE,KAAA,CAAO,IAAK,CAAC,CAAA,CAExC,IAAA,CAAK,SAAA,EACR,MAAM,IAAA,CAAK,SAAA,CAAU,IAAA,EAAK,CAEvB,KAAK,QAAA,EACR,MAAM,KAAK,QAAA,CAAS,IAAA,GAEtB,CACD","file":"chunk-FW6CICSY.js","sourcesContent":["import * as grpc from \"@grpc/grpc-js\";\nimport { log } from \"../utils/logger.js\";\nimport { liopV1 } from \"./proto.js\";\nimport { createServerCredentials, type LiopTlsOptions } from \"./tls.js\";\nimport type {\n\tIntentRequest,\n\tIntentResponse,\n\tLogicRequest,\n\tLogicResponse,\n} from \"./types.js\";\n\n/**\n * LIOP gRPC Service Implementation\n * Handles intent negotiation and secure logic execution.\n */\n\n/** Production-grade gRPC channel options per official grpc-node recommendations */\nconst GRPC_CHANNEL_OPTIONS = {\n\t\"grpc.keepalive_time_ms\": 30_000,\n\t\"grpc.keepalive_timeout_ms\": 10_000,\n\t\"grpc.keepalive_permit_without_calls\": 1,\n\t\"grpc.max_send_message_length\": -1,\n\t\"grpc.max_receive_message_length\": -1,\n\t\"grpc.enable_retries\": 1,\n};\n\nexport class LiopRpcServer {\n\tprivate server: grpc.Server;\n\n\tconstructor() {\n\t\tthis.server = new grpc.Server(GRPC_CHANNEL_OPTIONS);\n\t}\n\n\tpublic addService(handlers: {\n\t\tnegotiateIntent: (\n\t\t\tcall: grpc.ServerUnaryCall<IntentRequest, IntentResponse>,\n\t\t\tcallback: grpc.sendUnaryData<IntentResponse>,\n\t\t) => void;\n\t\texecuteLogic: (\n\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t) => void;\n\t}): void {\n\t\tthis.server.addService(liopV1.LogicMesh.service, {\n\t\t\tNegotiateIntent: handlers.negotiateIntent,\n\t\t\tExecuteLogic: handlers.executeLogic,\n\t\t});\n\t}\n\n\tpublic async listen(\n\t\tport: number = 50051,\n\t\ttls?: LiopTlsOptions,\n\t): Promise<number> {\n\t\tconst credentials = createServerCredentials(tls);\n\t\treturn new Promise((resolve, reject) => {\n\t\t\tthis.server.bindAsync(\n\t\t\t\t`0.0.0.0:${port}`,\n\t\t\t\tcredentials,\n\t\t\t\t(error, assignedPort) => {\n\t\t\t\t\tif (error) {\n\t\t\t\t\t\treject(error);\n\t\t\t\t\t\treturn;\n\t\t\t\t\t}\n\t\t\t\t\tlog.info(`[LIOP-RPC] Server listening on port ${assignedPort}`);\n\t\t\t\t\tresolve(assignedPort);\n\t\t\t\t},\n\t\t\t);\n\t\t});\n\t}\n\n\tpublic async stop(): Promise<void> {\n\t\treturn new Promise((resolve) => {\n\t\t\tthis.server.tryShutdown(() => {\n\t\t\t\tlog.info(\"[LIOP-RPC] Server shut down\");\n\t\t\t\tresolve();\n\t\t\t});\n\t\t});\n\t}\n}\n","/**\n * LIOP Taint Analyzer — Static Information Flow Control (IFC)\n *\n * Performs AST-level taint tracking on injected Logic-on-Origin code\n * to detect side-channel data exfiltration via scalar derivation\n * (charCodeAt, boolean inference, arithmetic on PII fields).\n *\n * Architecture: 3-pass analysis using Acorn ESTree parser.\n * Pass 1 — Identify record-bound variables (callback params of env.records methods)\n * Pass 2 — Propagate taint through assignments and expressions\n * Pass 3 — Check return statements for tainted values flowing to output\n *\n * References:\n * - Acorn ESTree spec: https://github.com/estree/estree\n * - Acorn-Walk SimpleVisitors: https://github.com/acornjs/acorn/tree/master/acorn-walk\n * - OWASP Information Flow Control patterns\n */\n\nimport * as acorn from \"acorn\";\nimport { type SimpleVisitors, simple } from \"acorn-walk\";\n\n// ── Public API ───────────────────────────────────────────────────────\n\nexport interface TaintViolation {\n\t/** Human-readable reason for the block */\n\treason: string;\n\t/** Source line number (1-indexed) if available */\n\tline?: number;\n\t/** The specific operation that triggered the violation */\n\toperation?: string;\n}\n\n/**\n * Static taint analyzer for LIOP Logic-on-Origin payloads.\n *\n * Detects when PII field values are derived into scalar outputs\n * (charCodeAt, boolean inference, arithmetic) that would bypass\n * the Egress Shield's pattern-based detection.\n */\nexport class TaintAnalyzer {\n\tprivate readonly piiFields: Set<string>;\n\n\t/** String methods that extract character-level information from PII */\n\tprivate static readonly TAINT_PROPAGATING_METHODS = new Set([\n\t\t// Character extraction\n\t\t\"charCodeAt\",\n\t\t\"codePointAt\",\n\t\t\"charAt\",\n\t\t\"at\",\n\t\t// Search/position (reveals content structure)\n\t\t\"indexOf\",\n\t\t\"lastIndexOf\",\n\t\t\"search\",\n\t\t// Comparison (reveals ordering/content)\n\t\t\"localeCompare\",\n\t\t\"startsWith\",\n\t\t\"endsWith\",\n\t\t\"includes\",\n\t\t// Transformation (preserves PII content in different form)\n\t\t\"substring\",\n\t\t\"slice\",\n\t\t\"substr\",\n\t\t\"split\",\n\t\t\"match\",\n\t\t\"matchAll\",\n\t\t\"replace\",\n\t\t\"replaceAll\",\n\t\t\"normalize\",\n\t\t\"toLowerCase\",\n\t\t\"toUpperCase\",\n\t\t\"trim\",\n\t\t\"trimStart\",\n\t\t\"trimEnd\",\n\t\t\"padStart\",\n\t\t\"padEnd\",\n\t\t\"repeat\",\n\t]);\n\n\t/** Array iteration methods whose callbacks receive individual records */\n\tprivate static readonly ARRAY_CALLBACK_METHODS = new Set([\n\t\t\"map\",\n\t\t\"forEach\",\n\t\t\"filter\",\n\t\t\"find\",\n\t\t\"some\",\n\t\t\"every\",\n\t\t\"flatMap\",\n\t\t\"findIndex\",\n\t]);\n\n\t/** Reduce-family methods where the record param is the SECOND callback arg */\n\tprivate static readonly REDUCE_METHODS = new Set([\"reduce\", \"reduceRight\"]);\n\n\tconstructor(piiFields: string[]) {\n\t\tthis.piiFields = new Set(piiFields.map((f) => f.toLowerCase()));\n\t}\n\n\t/**\n\t * Analyzes injected source code for PII taint violations.\n\t *\n\t * @param sourceCode - The raw JavaScript logic extracted from the LIOP envelope\n\t * @returns A TaintViolation if PII-derived values flow to output, null if clean\n\t */\n\tanalyze(sourceCode: string): TaintViolation | null {\n\t\tlet ast: acorn.Node;\n\t\ttry {\n\t\t\t// Wrap in function body to handle bare `return` statements\n\t\t\tconst wrapped = `function liop_analysis_wrapper(env) {\\n${sourceCode}\\n}`;\n\t\t\tast = acorn.parse(wrapped, {\n\t\t\t\tecmaVersion: 2022,\n\t\t\t\tsourceType: \"script\",\n\t\t\t\tlocations: true,\n\t\t\t});\n\t\t} catch {\n\t\t\t// Syntax errors are handled downstream by the sandbox VM\n\t\t\treturn null;\n\t\t}\n\n\t\tconst recordBoundVars = new Set<string>();\n\t\tconst taintedVars = new Set<string>();\n\n\t\t// Pass 1: Identify variables bound to individual records\n\t\tthis.identifyRecordBoundVars(ast, recordBoundVars);\n\n\t\t// Pass 2: Propagate taint through variable assignments\n\t\tthis.propagateTaint(ast, recordBoundVars, taintedVars);\n\n\t\t// Pass 3: Check if any return statement contains tainted values\n\t\treturn this.checkReturnStatements(ast, recordBoundVars, taintedVars);\n\t}\n\n\t// ── Pass 1: Record-Bound Variable Identification ──────────────────\n\n\tprivate identifyRecordBoundVars(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t): void {\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tCallExpression: (node) => {\n\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\tconst member = node.callee as acorn.MemberExpression;\n\t\t\t\tconst methodName = this.getPropertyName(member);\n\t\t\t\tif (!methodName) return;\n\n\t\t\t\t// Check if this is env.records.METHOD(callback)\n\t\t\t\tif (!this.isEnvRecordsAccess(member.object)) return;\n\n\t\t\t\tconst callback = node.arguments[0];\n\t\t\t\tif (!callback) return;\n\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\tconst fn = callback as acorn.ArrowFunctionExpression;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.ARRAY_CALLBACK_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 0\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst param = fn.params[0];\n\t\t\t\t\t\tif (param.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(param.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tTaintAnalyzer.REDUCE_METHODS.has(methodName) &&\n\t\t\t\t\t\tfn.params.length > 1\n\t\t\t\t\t) {\n\t\t\t\t\t\tconst recordParam = fn.params[1];\n\t\t\t\t\t\tif (recordParam.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(recordParam.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\n\t\t\t// for (const r of env.records) → r is record-bound\n\t\t\tForOfStatement: (node) => {\n\t\t\t\tif (!this.isEnvRecordsAccess(node.right)) return;\n\n\t\t\t\tif (node.left.type === \"VariableDeclaration\") {\n\t\t\t\t\tfor (const declarator of node.left.declarations) {\n\t\t\t\t\t\tif (declarator.id.type === \"Identifier\") {\n\t\t\t\t\t\t\trecordBoundVars.add(declarator.id.name);\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\t// Also handle: const r = env.records[N]\n\t\tconst indexVisitors: SimpleVisitors<void> = {\n\t\t\tVariableDeclarator: (node) => {\n\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\tif (\n\t\t\t\t\tnode.init.type === \"MemberExpression\" &&\n\t\t\t\t\t(node.init as acorn.MemberExpression).computed\n\t\t\t\t) {\n\t\t\t\t\tconst member = node.init as acorn.MemberExpression;\n\t\t\t\t\tif (this.isEnvRecordsAccess(member.object)) {\n\t\t\t\t\t\trecordBoundVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, indexVisitors);\n\t}\n\n\t// ── Pass 2: Taint Propagation ─────────────────────────────────────\n\n\tprivate propagateTaint(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): void {\n\t\t// Multiple iterations to handle transitive taint chains\n\t\t// (e.g., const a = r.name; const b = a; const c = b.charCodeAt(0))\n\t\tfor (let iteration = 0; iteration < 3; iteration++) {\n\t\t\tconst sizeBefore = taintedVars.size;\n\n\t\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\t\tVariableDeclarator: (node) => {\n\t\t\t\t\tif (!node.init || node.id.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.init, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add(node.id.name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\tAssignmentExpression: (node) => {\n\t\t\t\t\tif (node.left.type !== \"Identifier\") return;\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tthis.isExpressionTainted(node.right, recordBoundVars, taintedVars)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((node.left as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\n\t\t\t\t// Imperative taint: array.push(taintedValue) contaminates the array\n\t\t\t\t// Covers for-of and forEach patterns that push PII-derived values\n\t\t\t\tCallExpression: (node) => {\n\t\t\t\t\tif (node.callee.type !== \"MemberExpression\") return;\n\n\t\t\t\t\tconst callee = node.callee as acorn.MemberExpression;\n\t\t\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t\t\tif (\n\t\t\t\t\t\tmethodName === \"push\" &&\n\t\t\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\t\t\tnode.arguments.some((arg) =>\n\t\t\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t\t\t)\n\t\t\t\t\t) {\n\t\t\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t\t\t}\n\t\t\t\t},\n\t\t\t};\n\n\t\t\tsimple(ast, visitors);\n\n\t\t\t// Fixed point: stop if no new tainted vars discovered\n\t\t\tif (taintedVars.size === sizeBefore) break;\n\t\t}\n\t}\n\n\t// ── Pass 3: Return Statement Sink Detection ───────────────────────\n\n\tprivate checkReturnStatements(\n\t\tast: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): TaintViolation | null {\n\t\tlet violation: TaintViolation | null = null;\n\n\t\tconst visitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (violation) return; // Already found one\n\n\t\t\t\tif (!node.argument) return;\n\n\t\t\t\tif (\n\t\t\t\t\tthis.isExpressionTainted(node.argument, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst line = node.loc?.start.line\n\t\t\t\t\t\t? node.loc.start.line - 1 // Adjust for wrapper function offset\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tconst operation = this.describeTaintSource(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t\tviolation = {\n\t\t\t\t\t\treason:\n\t\t\t\t\t\t\t`PII side-channel detected: output contains values derived from restricted fields. ` +\n\t\t\t\t\t\t\t`${operation ? `Operation: ${operation}. ` : \"\"}` +\n\t\t\t\t\t\t\t`Use only non-PII fields (e.g., numeric/date columns) for aggregations.`,\n\t\t\t\t\t\tline,\n\t\t\t\t\t\toperation,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(ast, visitors);\n\n\t\treturn violation;\n\t}\n\n\t// ── Core Taint Evaluation ─────────────────────────────────────────\n\n\t/**\n\t * Recursively determines if an AST expression produces a tainted value.\n\t * A value is tainted if it derives from a PII field on a record-bound variable.\n\t */\n\tprivate isExpressionTainted(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tswitch (node.type) {\n\t\t\tcase \"Identifier\":\n\t\t\t\treturn taintedVars.has((node as acorn.Identifier).name);\n\n\t\t\tcase \"MemberExpression\":\n\t\t\t\treturn this.isMemberExprTainted(\n\t\t\t\t\tnode as acorn.MemberExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"CallExpression\":\n\t\t\t\treturn this.isCallExprTainted(\n\t\t\t\t\tnode as acorn.CallExpression,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\n\t\t\tcase \"BinaryExpression\":\n\t\t\tcase \"LogicalExpression\": {\n\t\t\t\tconst bin = node as acorn.BinaryExpression;\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(bin.left, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(bin.right, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"UnaryExpression\": {\n\t\t\t\tconst unary = node as acorn.UnaryExpression;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tunary.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ConditionalExpression\": {\n\t\t\t\tconst cond = node as acorn.ConditionalExpression;\n\t\t\t\t// If the test involves tainted values, the branch choice leaks info\n\t\t\t\treturn (\n\t\t\t\t\tthis.isExpressionTainted(cond.test, recordBoundVars, taintedVars) ||\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tcond.consequent,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t) ||\n\t\t\t\t\tthis.isExpressionTainted(cond.alternate, recordBoundVars, taintedVars)\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ObjectExpression\": {\n\t\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\t\treturn obj.properties.some(\n\t\t\t\t\t(prop) =>\n\t\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"ArrayExpression\": {\n\t\t\t\tconst arr = node as acorn.ArrayExpression;\n\t\t\t\treturn arr.elements.some(\n\t\t\t\t\t(el) =>\n\t\t\t\t\t\tel !== null &&\n\t\t\t\t\t\tthis.isExpressionTainted(el, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"TemplateLiteral\": {\n\t\t\t\tconst tmpl = node as acorn.TemplateLiteral;\n\t\t\t\treturn tmpl.expressions.some((expr) =>\n\t\t\t\t\tthis.isExpressionTainted(expr, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tcase \"SpreadElement\": {\n\t\t\t\tconst spread = node as acorn.SpreadElement;\n\t\t\t\treturn this.isExpressionTainted(\n\t\t\t\t\tspread.argument,\n\t\t\t\t\trecordBoundVars,\n\t\t\t\t\ttaintedVars,\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tdefault:\n\t\t\t\t// Literals, ThisExpression, etc. are never tainted\n\t\t\t\treturn false;\n\t\t}\n\t}\n\n\t/**\n\t * Checks if a MemberExpression accesses a PII field on a record-bound variable.\n\t * Examples: r.accountHolder, r[\"name\"], taintedVar.length, taintedVar[0]\n\t */\n\tprivate isMemberExprTainted(\n\t\tmember: acorn.MemberExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\tconst propName = this.getPropertyName(member);\n\n\t\t// Case 1: recordBoundVar.piiField (direct PII access via callback param)\n\t\tif (\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name) &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 2: env.records[N].piiField (direct indexed access without callback)\n\t\t// AST: MemberExpression { object: MemberExpression { object: env.records, computed: true }, property: piiField }\n\t\tif (\n\t\t\tmember.object.type === \"MemberExpression\" &&\n\t\t\tpropName &&\n\t\t\tthis.piiFields.has(propName.toLowerCase())\n\t\t) {\n\t\t\tconst parentMember = member.object as acorn.MemberExpression;\n\t\t\tif (\n\t\t\t\tparentMember.computed &&\n\t\t\t\tthis.isEnvRecordsAccess(parentMember.object)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Case 3: taintedVar.anything (any property access on tainted value)\n\t\t// .length on a tainted string leaks PII info, .charCodeAt leaks chars, etc.\n\t\tif (this.isExpressionTainted(member.object, recordBoundVars, taintedVars)) {\n\t\t\treturn true;\n\t\t}\n\n\t\t// Case 4: Computed access on record-bound var with PII field\n\t\t// e.g., r[\"account\" + \"Holder\"]\n\t\tif (\n\t\t\tmember.computed &&\n\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\trecordBoundVars.has((member.object as acorn.Identifier).name)\n\t\t) {\n\t\t\t// Conservative: if computed access on record, check if the property\n\t\t\t// expression evaluates to a PII field (for string literals only)\n\t\t\tif (member.property.type === \"Literal\") {\n\t\t\t\tconst litVal = (member.property as acorn.Literal).value;\n\t\t\t\tif (\n\t\t\t\t\ttypeof litVal === \"string\" &&\n\t\t\t\t\tthis.piiFields.has(litVal.toLowerCase())\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if a CallExpression produces a tainted result.\n\t * Handles: taintedObj.method(), env.records.map(r => r.piiField), etc.\n\t */\n\tprivate isCallExprTainted(\n\t\tcall: acorn.CallExpression,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Pattern: taintedObj.method() — method on tainted object propagates taint\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\n\t\t\t// tainted.charCodeAt() / tainted.split() / etc.\n\t\t\tif (\n\t\t\t\tmethodName &&\n\t\t\t\tTaintAnalyzer.TAINT_PROPAGATING_METHODS.has(methodName) &&\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// env.records.map/filter/reduce(callback) — check if callback produces taint\n\t\t\tif (this.isEnvRecordsAccess(callee.object) && call.arguments[0]) {\n\t\t\t\tconst callback = call.arguments[0];\n\t\t\t\tif (\n\t\t\t\t\tcallback.type === \"ArrowFunctionExpression\" ||\n\t\t\t\t\tcallback.type === \"FunctionExpression\"\n\t\t\t\t) {\n\t\t\t\t\treturn this.doesCallbackProduceTaint(\n\t\t\t\t\t\tcallback as acorn.ArrowFunctionExpression,\n\t\t\t\t\t\tmethodName,\n\t\t\t\t\t\trecordBoundVars,\n\t\t\t\t\t\ttaintedVars,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Tainted array/string method chains: tainted.reduce(...), tainted.map(...)\n\t\t\t// Handles patterns like r.accountHolder.split('').reduce((a,c) => ...)\n\t\t\tif (\n\t\t\t\tthis.isExpressionTainted(callee.object, recordBoundVars, taintedVars)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\t// Math.round(taintedArg) / JSON.stringify(taintedArg) — function calls with tainted arguments\n\t\t\t// on safe objects still produce tainted results\n\t\t\tif (\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\n\t\t// Pattern: someArray.push(taintedValue) — marks the receiving array as tainted\n\t\t// This covers imperative for-of patterns:\n\t\t// for (const r of env.records) { codes.push(r.name.charCodeAt(0)) }\n\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\tconst callee = call.callee as acorn.MemberExpression;\n\t\t\tconst methodName = this.getPropertyName(callee);\n\t\t\tif (\n\t\t\t\tmethodName === \"push\" &&\n\t\t\t\tcallee.object.type === \"Identifier\" &&\n\t\t\t\tcall.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t)\n\t\t\t) {\n\t\t\t\t// Mark the array variable as tainted (it now contains PII-derived values)\n\t\t\t\ttaintedVars.add((callee.object as acorn.Identifier).name);\n\t\t\t}\n\t\t}\n\n\t\t// Check if any argument is tainted (for functions that might propagate)\n\t\t// Conservative: if calling a function WITH tainted args, consider result tainted\n\t\t// This catches: someHelper(r.name), parseInt(taintedVar), etc.\n\t\tif (call.callee.type === \"Identifier\") {\n\t\t\tconst fnName = (call.callee as acorn.Identifier).name;\n\t\t\t// Allow safe math/utility functions that don't propagate PII\n\t\t\tconst SAFE_GLOBALS = new Set([\n\t\t\t\t\"Math\",\n\t\t\t\t\"Number\",\n\t\t\t\t\"parseInt\",\n\t\t\t\t\"parseFloat\",\n\t\t\t\t\"isNaN\",\n\t\t\t\t\"isFinite\",\n\t\t\t]);\n\t\t\tif (!SAFE_GLOBALS.has(fnName)) {\n\t\t\t\treturn call.arguments.some((arg) =>\n\t\t\t\t\tthis.isExpressionTainted(arg, recordBoundVars, taintedVars),\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\treturn false;\n\t}\n\n\t/**\n\t * Checks if an array method callback produces tainted output.\n\t * e.g., env.records.map(r => r.name.charCodeAt(0)) → tainted result\n\t */\n\tprivate doesCallbackProduceTaint(\n\t\tcallback: acorn.ArrowFunctionExpression | acorn.FunctionExpression,\n\t\tmethodName: string | null,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): boolean {\n\t\t// Create a temporary scope with callback params as record-bound\n\t\tconst scopedRecordVars = new Set(recordBoundVars);\n\t\tconst scopedTaintedVars = new Set(taintedVars);\n\n\t\tif (callback.params.length > 0) {\n\t\t\tconst isReduce =\n\t\t\t\tmethodName !== null && TaintAnalyzer.REDUCE_METHODS.has(methodName);\n\t\t\tconst recordParamIndex = isReduce ? 1 : 0;\n\n\t\t\tif (\n\t\t\t\tcallback.params.length > recordParamIndex &&\n\t\t\t\tcallback.params[recordParamIndex].type === \"Identifier\"\n\t\t\t) {\n\t\t\t\tscopedRecordVars.add(\n\t\t\t\t\t(callback.params[recordParamIndex] as acorn.Identifier).name,\n\t\t\t\t);\n\t\t\t}\n\t\t}\n\n\t\t// For arrow functions with expression body: (r) => r.name.charCodeAt(0)\n\t\tif (\n\t\t\tcallback.type === \"ArrowFunctionExpression\" &&\n\t\t\tcallback.body.type !== \"BlockStatement\"\n\t\t) {\n\t\t\treturn this.isExpressionTainted(\n\t\t\t\tcallback.body,\n\t\t\t\tscopedRecordVars,\n\t\t\t\tscopedTaintedVars,\n\t\t\t);\n\t\t}\n\n\t\t// For block bodies, check return statements within the callback\n\t\tlet hasTaintedReturn = false;\n\t\tconst returnVisitors: SimpleVisitors<void> = {\n\t\t\tReturnStatement: (node) => {\n\t\t\t\tif (\n\t\t\t\t\tnode.argument &&\n\t\t\t\t\tthis.isExpressionTainted(\n\t\t\t\t\t\tnode.argument,\n\t\t\t\t\t\tscopedRecordVars,\n\t\t\t\t\t\tscopedTaintedVars,\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\thasTaintedReturn = true;\n\t\t\t\t}\n\t\t\t},\n\t\t};\n\n\t\tsimple(callback.body as acorn.Node, returnVisitors);\n\n\t\treturn hasTaintedReturn;\n\t}\n\n\t// ── Utility Methods ───────────────────────────────────────────────\n\n\t/** Extracts the property name from a MemberExpression (dot or bracket with string literal) */\n\tprivate getPropertyName(member: acorn.MemberExpression): string | null {\n\t\tif (!member.computed && member.property.type === \"Identifier\") {\n\t\t\treturn (member.property as acorn.Identifier).name;\n\t\t}\n\t\tif (member.computed && member.property.type === \"Literal\") {\n\t\t\tconst val = (member.property as acorn.Literal).value;\n\t\t\tif (typeof val === \"string\") return val;\n\t\t}\n\t\treturn null;\n\t}\n\n\t/** Checks if an expression resolves to `env.records` or `records` */\n\tprivate isEnvRecordsAccess(node: acorn.Node): boolean {\n\t\t// Direct: env.records\n\t\tif (node.type === \"MemberExpression\") {\n\t\t\tconst member = node as acorn.MemberExpression;\n\t\t\tconst propName = this.getPropertyName(member);\n\t\t\tif (\n\t\t\t\tpropName === \"records\" &&\n\t\t\t\tmember.object.type === \"Identifier\" &&\n\t\t\t\t(member.object as acorn.Identifier).name === \"env\"\n\t\t\t) {\n\t\t\t\treturn true;\n\t\t\t}\n\t\t}\n\t\t// Bare: records (injected as sandbox global)\n\t\tif (\n\t\t\tnode.type === \"Identifier\" &&\n\t\t\t(node as acorn.Identifier).name === \"records\"\n\t\t) {\n\t\t\treturn true;\n\t\t}\n\t\treturn false;\n\t}\n\n\t/** Generates a human-readable description of the taint source for error messages */\n\tprivate describeTaintSource(\n\t\tnode: acorn.Node,\n\t\trecordBoundVars: Set<string>,\n\t\ttaintedVars: Set<string>,\n\t): string | undefined {\n\t\tif (node.type === \"Identifier\") {\n\t\t\tconst name = (node as acorn.Identifier).name;\n\t\t\tif (taintedVars.has(name)) return `variable '${name}' is PII-derived`;\n\t\t}\n\n\t\tif (node.type === \"ObjectExpression\") {\n\t\t\tconst obj = node as acorn.ObjectExpression;\n\t\t\tfor (const prop of obj.properties) {\n\t\t\t\tif (\n\t\t\t\t\tprop.type === \"Property\" &&\n\t\t\t\t\tthis.isExpressionTainted(prop.value, recordBoundVars, taintedVars)\n\t\t\t\t) {\n\t\t\t\t\tconst keyName =\n\t\t\t\t\t\tprop.key.type === \"Identifier\"\n\t\t\t\t\t\t\t? (prop.key as acorn.Identifier).name\n\t\t\t\t\t\t\t: \"unknown\";\n\t\t\t\t\treturn `property '${keyName}' contains PII-derived value`;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\tif (node.type === \"CallExpression\") {\n\t\t\tconst call = node as acorn.CallExpression;\n\t\t\tif (call.callee.type === \"MemberExpression\") {\n\t\t\t\tconst methodName = this.getPropertyName(\n\t\t\t\t\tcall.callee as acorn.MemberExpression,\n\t\t\t\t);\n\t\t\t\tif (methodName) return `result of .${methodName}() on PII data`;\n\t\t\t}\n\t\t}\n\n\t\treturn undefined;\n\t}\n}\n","/**\n * LIOP NER Content Scanner (The Shield V3 — Named Entity Recognition Layer)\n *\n * Lightweight NER scanner using `compromise` NLP for detecting\n * person names, places, and organizations in free-text output values.\n *\n * This layer operates AFTER the regex-based PII scanner and\n * catches entities that lack a deterministic format pattern\n * (e.g., \"Evelyn Reed\" cannot be detected by regex).\n *\n * Architecture: opt-in per-server via `enableNerScanning: true`.\n * Performance: ~10ms for typical SDK output sizes (< 10KB).\n *\n * @see https://github.com/spencermountain/compromise\n */\n// Types for compromise (minimal)\ntype NlpDoc = {\n\tpeople: () => { out: (type: string) => string[] };\n\tplaces: () => { out: (type: string) => string[] };\n\torganizations: () => { out: (type: string) => string[] };\n};\ntype NlpStatic = ((text: string) => NlpDoc) & {\n\taddWords: (words: Record<string, string>) => void;\n};\n\n/**\n * Medical/pharmaceutical vocabulary safelist.\n * These terms are tagged as #Medication to prevent the NER\n * from misclassifying them as person/organization names.\n * Extends progressively — add terms as false positives arise.\n */\nconst MEDICAL_VOCABULARY: Record<string, string> = {\n\taspirin: \"Medication\",\n\tlisinopril: \"Medication\",\n\tmetformin: \"Medication\",\n\tamlodipine: \"Medication\",\n\tatorvastatin: \"Medication\",\n\tomeprazole: \"Medication\",\n\tlosartan: \"Medication\",\n\tsimvastatin: \"Medication\",\n\tlevothyroxine: \"Medication\",\n\tibuprofen: \"Medication\",\n\tacetaminophen: \"Medication\",\n\tamoxicillin: \"Medication\",\n\tciprofloxacin: \"Medication\",\n\tprednisone: \"Medication\",\n\twarfarin: \"Medication\",\n\tinsulin: \"Medication\",\n\thydrochlorothiazide: \"Medication\",\n\tgabapentin: \"Medication\",\n\talbuterol: \"Medication\",\n\tpantoprazole: \"Medication\",\n\t// Generic clinical terms\n\thypertension: \"Condition\",\n\tdiabetes: \"Condition\",\n\tbronchitis: \"Condition\",\n\tpneumonia: \"Condition\",\n\tasthma: \"Condition\",\n};\n\n/** Single named entity detected by the NER scanner. */\nexport interface NerEntity {\n\ttype: \"person\" | \"place\" | \"organization\";\n\ttext: string;\n}\n\n/** Result of an NER scan operation. */\nexport interface NerScanResult {\n\tdetected: boolean;\n\tentities: NerEntity[];\n}\n\n// Minimum string length to attempt NER analysis.\n// Shorter strings are unlikely to contain meaningful named entities.\nconst MIN_TEXT_LENGTH = 4;\n\n// Pattern to identify strings that are purely numeric/symbolic (skip NER)\nconst NON_TEXT_PATTERN = /^[\\d\\s.,:;!?()[\\]{}<>@#$%^&*+=|\\\\/\"'`~_-]+$/;\n\n/**\n * Scans text content for named entities that may represent PII.\n * Uses `compromise/three` for person, place, and organization detection.\n *\n * Designed for egress filtering — optimized for recall over precision\n * to ensure sensitive data does not leak through aliased output keys.\n */\nexport class NerScanner {\n\tprivate static nlp: NlpStatic | null = null;\n\n\t/**\n\t * Lazy loads the compromise library only when needed.\n\t */\n\tprivate async getNlp(): Promise<NlpStatic> {\n\t\tif (!NerScanner.nlp) {\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: dynamic import of optional dependency\n\t\t\tconst mod = (await import(\"compromise/three\")) as any;\n\t\t\t// compromise export can vary depending on bundling\n\t\t\tNerScanner.nlp = (mod.default || mod) as NlpStatic;\n\t\t\tNerScanner.nlp.addWords(MEDICAL_VOCABULARY);\n\t\t}\n\t\treturn NerScanner.nlp;\n\t}\n\n\t/**\n\t * Scans a single string value for named entities.\n\t * Returns detected entities if the text contains recognizable PII.\n\t */\n\tasync scan(text: string): Promise<NerScanResult> {\n\t\tif (text.length < MIN_TEXT_LENGTH || NON_TEXT_PATTERN.test(text)) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tconst nlp = await this.getNlp();\n\t\tconst doc = nlp(text);\n\t\tconst entities: NerEntity[] = [];\n\n\t\tconst people = doc.people().out(\"array\");\n\t\tfor (const person of people) {\n\t\t\tconst trimmed = person.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"person\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst places = doc.places().out(\"array\");\n\t\tfor (const place of places) {\n\t\t\tconst trimmed = place.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"place\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\tconst orgs = doc.organizations().out(\"array\");\n\t\tfor (const org of orgs) {\n\t\t\tconst trimmed = org.trim();\n\t\t\tif (trimmed.length >= MIN_TEXT_LENGTH) {\n\t\t\t\tentities.push({ type: \"organization\", text: trimmed });\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tdetected: entities.length > 0,\n\t\t\tentities,\n\t\t};\n\t}\n\n\t/**\n\t * Recursively scans all string values within an object/array.\n\t * Stops at the first detection for performance (fail-fast).\n\t */\n\tasync scanDeep(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<NerScanResult> {\n\t\tif (input === null || input === undefined) {\n\t\t\treturn { detected: false, entities: [] };\n\t\t}\n\n\t\tif (typeof input === \"string\") {\n\t\t\treturn this.scan(input);\n\t\t}\n\n\t\tif (typeof input === \"object\") {\n\t\t\tif (seen.has(input as object)) {\n\t\t\t\treturn { detected: false, entities: [] };\n\t\t\t}\n\t\t\tseen.add(input as object);\n\n\t\t\tconst values = Array.isArray(input)\n\t\t\t\t? input\n\t\t\t\t: Object.values(input as Record<string, unknown>);\n\n\t\t\tconst allEntities: NerEntity[] = [];\n\n\t\t\tfor (const value of values) {\n\t\t\t\tconst result = await this.scanDeep(value, seen);\n\t\t\t\tif (result.detected) {\n\t\t\t\t\tallEntities.push(...result.entities);\n\t\t\t\t\t// Fail-fast: return immediately on first person detection\n\t\t\t\t\tif (result.entities.some((e) => e.type === \"person\")) {\n\t\t\t\t\t\treturn { detected: true, entities: allEntities };\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tdetected: allEntities.length > 0,\n\t\t\t\tentities: allEntities,\n\t\t\t};\n\t\t}\n\n\t\treturn { detected: false, entities: [] };\n\t}\n}\n","/**\n * LIOP Professional PII Engine (The Shield V2 - Tier-1 Military Edition)\n * Implements high-fidelity detection based on NIST and OWASP standards.\n * Features Multi-Layer Verification (Regex + Algorithmic Validators).\n */\n\n/**\n * Validates a credit card number using the Luhn algorithm.\n * Prevents false positives from random 16-digit IDs.\n */\nfunction isLuhnValid(cardNumber: string): boolean {\n\tconst digits = cardNumber.replace(/\\D/g, \"\");\n\tif (digits.length < 13 || digits.length > 19) return false;\n\n\tlet sum = 0;\n\tlet isEven = false;\n\n\tfor (let i = digits.length - 1; i >= 0; i--) {\n\t\tlet digit = parseInt(digits.charAt(i), 10);\n\n\t\tif (isEven) {\n\t\t\tdigit *= 2;\n\t\t\tif (digit > 9) {\n\t\t\t\tdigit -= 9;\n\t\t\t}\n\t\t}\n\n\t\tsum += digit;\n\t\tisEven = !isEven;\n\t}\n\n\treturn sum % 10 === 0;\n}\n\n/**\n * Validates an International Bank Account Number (IBAN) using ISO 7064 Modulo 97.\n * Uses BigInt algebra to avoid JS floating point truncation with 30-digit numbers.\n */\nfunction isIbanValid(iban: string): boolean {\n\tconst sanitized = iban.replace(/\\s+/g, \"\").toUpperCase();\n\n\tif (!/^[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}$/.test(sanitized)) return false;\n\n\tconst rearranged = sanitized.substring(4) + sanitized.substring(0, 4);\n\n\tlet numericString = \"\";\n\tfor (let i = 0; i < rearranged.length; i++) {\n\t\tconst charCode = rearranged.charCodeAt(i);\n\t\tif (charCode >= 65 && charCode <= 90) {\n\t\t\tnumericString += (charCode - 55).toString();\n\t\t} else if (charCode >= 48 && charCode <= 57) {\n\t\t\tnumericString += rearranged.charAt(i);\n\t\t} else {\n\t\t\treturn false;\n\t\t}\n\t}\n\n\ttry {\n\t\treturn BigInt(numericString) % 97n === 1n;\n\t} catch (_e) {\n\t\treturn false;\n\t}\n}\n\nexport type PiiRuleDefinition = {\n\tname: string;\n\tpattern: string | RegExp;\n\tvalidator?: (match: string) => boolean;\n};\n\nexport type PiiRule = string | RegExp | PiiRuleDefinition;\n\nexport const PII_PATTERNS = {\n\tEMAIL: {\n\t\tname: \"EMAIL\",\n\t\tpattern: /\\b[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}\\b/gi,\n\t\tvalidator: (match: string) =>\n\t\t\t!match.endsWith(\"@example.com\") && !match.endsWith(\"@test.com\"),\n\t} as PiiRuleDefinition,\n\tCREDIT_CARD: {\n\t\tname: \"CREDIT_CARD\",\n\t\tpattern: /\\b(?:\\d[ -]*?){13,16}\\b/g,\n\t\tvalidator: isLuhnValid,\n\t} as PiiRuleDefinition,\n\tIP_ADDRESS: {\n\t\tname: \"IP_ADDRESS\",\n\t\tpattern: /\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst safeIps = [\"127.0.0.1\", \"0.0.0.0\", \"255.255.255.255\"];\n\t\t\tif (safeIps.includes(match)) return false;\n\t\t\t// Validate valid IPv4 ranges\n\t\t\tconst parts = match.split(\".\").map(Number);\n\t\t\treturn parts.every((p) => p >= 0 && p <= 255);\n\t\t},\n\t} as PiiRuleDefinition,\n\tPHONE: {\n\t\tname: \"PHONE\",\n\t\t// Strict boundary to avoid matching long numeric IDs wrapped in symbols\n\t\tpattern: /(?:(?:\\+?\\d{1,3}[-. ]?)?\\(?\\d{3}\\)?[-. ]?\\d{3}[-. ]?\\d{4})\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length < 7 || digits.length > 15) return false;\n\t\t\t// Reject fake test numbers like 0000000000 or 1234567890\n\t\t\tif (/^(\\d)\\1+$/.test(digits)) return false;\n\t\t\tif (digits === \"1234567890\") return false;\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tSSN: {\n\t\tname: \"SSN\",\n\t\tpattern: /\\b\\d{3}[- ]?\\d{2}[- ]?\\d{4}\\b/g,\n\t\tvalidator: (match: string) => {\n\t\t\tconst digits = match.replace(/\\D/g, \"\");\n\t\t\tif (digits.length !== 9) return false;\n\n\t\t\tconst area = parseInt(digits.substring(0, 3), 10);\n\t\t\tif (area === 0 || area === 666 || area >= 900) return false;\n\n\t\t\tconst group = parseInt(digits.substring(3, 5), 10);\n\t\t\tif (group === 0) return false;\n\n\t\t\tconst serial = parseInt(digits.substring(5, 9), 10);\n\t\t\tif (serial === 0) return false;\n\n\t\t\tif (/^(\\d)\\1+$/.test(digits) || digits === \"123456789\") return false;\n\n\t\t\treturn true;\n\t\t},\n\t} as PiiRuleDefinition,\n\tIBAN: {\n\t\tname: \"IBAN\",\n\t\tpattern: /\\b[A-Z]{2}[0-9]{2}[A-Z0-9]{1,30}\\b/gi,\n\t\tvalidator: isIbanValid,\n\t} as PiiRuleDefinition,\n\tPASSPORT_MRZ: {\n\t\tname: \"PASSPORT_MRZ\",\n\t\t// Machina Readable Zone line match for standard international passports\n\t\tpattern: /\\bP[A-Z<][A-Z<]{3}[A-Z0-9<]{39}(?:\\b|\\s|$)/g,\n\t} as PiiRuleDefinition,\n};\n\n/**\n * Regional and Cultural Security Presets for Out-Of-The-Box compliance.\n * Developers can override, merge, or omit these based on local laws.\n */\nexport const PII_PRESETS = {\n\tGLOBAL_STRICT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t\tPII_PATTERNS.IBAN,\n\t],\n\tUS_COMPLIANT: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.SSN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n\tEU_GDPR: [\n\t\tPII_PATTERNS.EMAIL,\n\t\tPII_PATTERNS.CREDIT_CARD,\n\t\tPII_PATTERNS.IP_ADDRESS,\n\t\tPII_PATTERNS.PHONE,\n\t\tPII_PATTERNS.IBAN,\n\t\tPII_PATTERNS.PASSPORT_MRZ,\n\t],\n};\n\nexport class PiiScanner {\n\tprivate patterns: PiiRule[];\n\tprivate forbiddenKeysSet: Set<string>;\n\tprivate nerScanner: import(\"./ner-scanner.js\").NerScanner | null;\n\n\t/**\n\t * Safelist of keys that contain forbidden substrings but are NOT PII.\n\t * Prevents false positives from fuzzy matching (e.g., \"grid\" contains \"id\").\n\t */\n\tprivate static readonly KEY_SAFELIST = new Set([\n\t\t// Common words containing \"id\" substring\n\t\t\"grid\",\n\t\t\"video\",\n\t\t\"android\",\n\t\t\"identity\",\n\t\t\"provide\",\n\t\t\"override\",\n\t\t\"validate\",\n\t\t\"hidden\",\n\t\t\"widget\",\n\t\t\"guidelines\",\n\t\t\"beside\",\n\t\t\"guideline\",\n\t\t\"outside\",\n\t\t\"inside\",\n\t\t\"collide\",\n\t\t\"decide\",\n\t\t\"divide\",\n\t\t\"aside\",\n\t\t\"ride\",\n\t\t\"side\",\n\t\t\"wide\",\n\t\t\"hide\",\n\t\t\"tide\",\n\t\t\"pride\",\n\t\t\"bride\",\n\t\t\"slide\",\n\t\t\"guide\",\n\t\t\"stride\",\n\t\t\"oxide\",\n\t\t\"dioxide\",\n\t\t\"suicide\",\n\t\t\"homicide\",\n\t\t\"pesticide\",\n\t\t\"valid\",\n\t\t\"invalid\",\n\t\t\"void\",\n\t\t\"avoid\",\n\t\t// Common words containing \"name\" substring\n\t\t\"diagnosis\",\n\t\t\"medication\",\n\t\t\"namespace\",\n\t\t\"namesake\",\n\t\t\"rename\",\n\t\t\"filename\",\n\t\t\"hostname\",\n\t\t\"typename\",\n\t\t\"unnamed\",\n\t\t\"renamed\",\n\t\t// Common words containing \"phone\" substring\n\t\t\"phonetic\",\n\t\t\"phoneme\",\n\t\t\"microphone\",\n\t\t\"headphone\",\n\t\t\"telephone\",\n\t\t\"saxophone\",\n\t\t\"smartphone\",\n\t\t// Common words containing \"address\" substring\n\t\t\"streetview\",\n\t\t\"addressable\",\n\t\t\"addressing\",\n\t\t// Common words containing \"city\" substring\n\t\t\"cityscape\",\n\t\t\"electricity\",\n\t\t\"capacity\",\n\t\t\"velocity\",\n\t\t\"opacity\",\n\t\t// Common technical terms\n\t\t\"timestamp\",\n\t\t\"timezone\",\n\t\t// LIOP Protocol Internal Keys (must never be blocked)\n\t\t\"image_id\",\n\t\t\"computation_result\",\n\t\t\"zk_receipt\",\n\t\t\"testid\",\n\t\t\"toolid\",\n\t\t\"sessionid\",\n\t\t\"peerid\",\n\t\t\"nodeid\",\n\t\t\"requestid\",\n\t\t\"correlationid\",\n\t\t\"traceid\",\n\t\t\"spanid\",\n\t]);\n\n\t/**\n\t * Short forbidden tokens (< 4 chars) that require boundary-aware matching.\n\t * Uses regex boundary detection to avoid false positives.\n\t */\n\tprivate shortTokenBoundaryPatterns: Map<string, RegExp>;\n\n\t/**\n\t * Long forbidden tokens (>= 4 chars) that use substring containment.\n\t */\n\tprivate longForbiddenTokens: string[];\n\n\tconstructor(\n\t\tpatterns: PiiRule[] = [],\n\t\tforbiddenKeys: string[] = [],\n\t\tnerScanner?: import(\"./ner-scanner.js\").NerScanner | null,\n\t) {\n\t\tthis.patterns = patterns;\n\t\tthis.forbiddenKeysSet = new Set(forbiddenKeys.map((k) => k.toLowerCase()));\n\t\tthis.nerScanner = nerScanner ?? null;\n\n\t\t// Pre-compute fuzzy matching structures for performance\n\t\tthis.shortTokenBoundaryPatterns = new Map();\n\t\tthis.longForbiddenTokens = [];\n\n\t\tfor (const token of this.forbiddenKeysSet) {\n\t\t\tif (token.length < 4) {\n\t\t\t\t// Short tokens: require word boundary (camelCase, snake_case, kebab-case, or exact)\n\t\t\t\t// \"id\" matches: \"patientId\", \"record_id\", \"user-id\", \"id\"\n\t\t\t\t// \"id\" does NOT match: \"grid\", \"video\", \"android\"\n\t\t\t\tthis.shortTokenBoundaryPatterns.set(\n\t\t\t\t\ttoken,\n\t\t\t\t\tnew RegExp(\n\t\t\t\t\t\t`(?:^|[_-])${token}(?:$|[_-])|` + // snake/kebab boundary\n\t\t\t\t\t\t\t`(?:^|[a-z])${token.charAt(0).toUpperCase()}${token.slice(1)}|` + // camelCase boundary (e.g., patientId)\n\t\t\t\t\t\t\t`^${token}$`, // exact match\n\t\t\t\t\t\t\"i\",\n\t\t\t\t\t),\n\t\t\t\t);\n\t\t\t} else {\n\t\t\t\tthis.longForbiddenTokens.push(token);\n\t\t\t}\n\t\t}\n\t}\n\n\t/**\n\t * Scans any input (string, object, array) for PII violations.\n\t * Returns the pattern/rule name that triggered the violation, or null if safe.\n\t *\n\t * Detection pipeline (fail-fast):\n\t * 1. Exact key match (O(1) Set lookup)\n\t * 2. Fuzzy key match (boundary detection for short tokens, substring for long)\n\t * 3. Regex/algorithmic pattern match on string values\n\t * 4. NER content scan on string values (if enabled)\n\t */\n\tpublic async scan(\n\t\tinput: unknown,\n\t\tseen = new WeakSet<object>(),\n\t): Promise<string | null> {\n\t\tif (input === null || input === undefined) return null;\n\n\t\t// 1. String Scan (Direct Regex/String/Definition check)\n\t\tif (typeof input === \"string\") {\n\t\t\t// SECURITY PATCH: JSON Deep-Parsing Recursion (Fortification V2)\n\t\t\t// Defeats Double JSON Encoding bypasses by forcefully parsing stringified JSON back into objects.\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst parsed = JSON.parse(trimmed);\n\t\t\t\t\t// Successfully parsed JSON string. Recursively scan the unescaped object.\n\t\t\t\t\tconst violation = await this.scan(parsed, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t} catch (_e) {\n\t\t\t\t\t// Silent fallback: It looked like JSON but wasn't valid. Proceed with raw string check.\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check string value against regex patterns\n\t\t\tconst patternViolation = this.checkString(input);\n\t\t\tif (patternViolation) return patternViolation;\n\n\t\t\t// Layer 3: NER Content Scan — detect person names in free-text values\n\t\t\tif (this.nerScanner) {\n\t\t\t\tconst nerResult = await this.nerScanner.scan(input);\n\t\t\t\tif (nerResult.detected) {\n\t\t\t\t\tconst personEntity = nerResult.entities.find(\n\t\t\t\t\t\t(e) => e.type === \"person\",\n\t\t\t\t\t);\n\t\t\t\t\tif (personEntity) {\n\t\t\t\t\t\treturn `PII Entity Detected: person name \"${personEntity.text}\"`;\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn null;\n\t\t}\n\n\t\t// 2. Recursive Objects/Arrays Scan\n\t\tif (typeof input === \"object\") {\n\t\t\t// Protection against circular references\n\t\t\tif (seen.has(input as object)) return null;\n\t\t\tseen.add(input as object);\n\n\t\t\tif (Array.isArray(input)) {\n\t\t\t\tfor (const element of input) {\n\t\t\t\t\tconst violation = await this.scan(element, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t} else {\n\t\t\t\tfor (const [key, value] of Object.entries(\n\t\t\t\t\tinput as Record<string, unknown>,\n\t\t\t\t)) {\n\t\t\t\t\t// Layer 1: Exact key match — O(1) constant time\n\t\t\t\t\tif (this.forbiddenKeysSet.has(key.toLowerCase())) {\n\t\t\t\t\t\treturn `Forbidden Key: ${key}`;\n\t\t\t\t\t}\n\n\t\t\t\t\t// Layer 2: Fuzzy key match — catches aliases and variations\n\t\t\t\t\tconst fuzzyViolation = this.checkKeyFuzzy(key);\n\t\t\t\t\tif (fuzzyViolation) return fuzzyViolation;\n\n\t\t\t\t\t// Recurse into values\n\t\t\t\t\tconst violation = await this.scan(value, seen);\n\t\t\t\t\tif (violation) return violation;\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Checks a key against fuzzy matching rules.\n\t * Short tokens use boundary-aware regex; long tokens use substring containment.\n\t */\n\tprivate checkKeyFuzzy(key: string): string | null {\n\t\tconst normalized = key.toLowerCase();\n\n\t\t// Skip safelisted keys entirely\n\t\tif (PiiScanner.KEY_SAFELIST.has(normalized)) return null;\n\n\t\t// Short token boundary matching (e.g., \"id\" in \"patientId\" but not \"grid\")\n\t\tfor (const [token, pattern] of this.shortTokenBoundaryPatterns) {\n\t\t\tif (pattern.test(key)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} matches boundary pattern \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\t// Long token substring matching (e.g., \"name\" in \"firstName\", \"names\")\n\t\tfor (const token of this.longForbiddenTokens) {\n\t\t\tif (normalized.includes(token)) {\n\t\t\t\treturn `Forbidden Key (fuzzy): ${key} contains restricted token \"${token}\"`;\n\t\t\t}\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate checkString(text: string): string | null {\n\t\tfor (const rule of this.patterns) {\n\t\t\tif (typeof rule === \"string\") {\n\t\t\t\tif (text.toLowerCase().includes(rule.toLowerCase())) {\n\t\t\t\t\treturn rule;\n\t\t\t\t}\n\t\t\t} else if (rule instanceof RegExp) {\n\t\t\t\tif (rule.global) rule.lastIndex = 0;\n\t\t\t\tif (rule.test(text)) {\n\t\t\t\t\treturn rule.source;\n\t\t\t\t}\n\t\t\t} else if (typeof rule === \"object\" && rule !== null) {\n\t\t\t\t// PiiRuleDefinition (Military Grade Multi-layer)\n\t\t\t\tconst def = rule as PiiRuleDefinition;\n\n\t\t\t\tif (typeof def.pattern === \"string\") {\n\t\t\t\t\tif (text.toLowerCase().includes(def.pattern.toLowerCase())) {\n\t\t\t\t\t\tif (!def.validator || def.validator(def.pattern)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t}\n\t\t\t\t} else if (def.pattern instanceof RegExp) {\n\t\t\t\t\tif (def.pattern.global) def.pattern.lastIndex = 0;\n\n\t\t\t\t\t// Use matchAll or exec to get the specific match for the validator\n\t\t\t\t\tlet match = def.pattern.exec(text);\n\t\t\t\t\twhile (match !== null) {\n\t\t\t\t\t\tconst matchedText = match[0];\n\t\t\t\t\t\tif (!def.validator || def.validator(matchedText)) {\n\t\t\t\t\t\t\treturn def.name;\n\t\t\t\t\t\t}\n\t\t\t\t\t\tif (!def.pattern.global) break; // Break if not global\n\t\t\t\t\t\tmatch = def.pattern.exec(text);\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\treturn null;\n\t}\n}\n","import { Buffer } from \"node:buffer\";\nimport crypto from \"node:crypto\";\nimport * as fs from \"node:fs\";\nimport { createRequire } from \"node:module\";\nimport path from \"node:path\";\nimport { fileURLToPath, pathToFileURL } from \"node:url\";\nimport * as grpc from \"@grpc/grpc-js\";\nimport { FixedQueue, Piscina } from \"piscina\";\nimport { z } from \"zod\";\nimport { zodToJsonSchema } from \"zod-to-json-schema\";\nimport { type LiopManifest, MeshNode } from \"../mesh/node.js\";\nimport { LiopRpcServer } from \"../rpc/server.js\";\nimport type { LogicRequest, LogicResponse } from \"../rpc/types.js\";\nimport { TaintAnalyzer } from \"../security/taint-analyzer.js\";\nimport type {\n\tCallToolRequest,\n\tCallToolResult,\n\tGetPromptRequest,\n\tGetPromptResult,\n\tPrompt,\n\tResource,\n\tServerInfo,\n\tTool,\n} from \"../types.js\";\nimport { log } from \"../utils/logger.js\";\nimport { NerScanner } from \"./ner-scanner.js\";\nimport { PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner } from \"./pii.js\";\n\nexport { NerScanner, PII_PATTERNS, PII_PRESETS, type PiiRule, PiiScanner };\n\nexport type ToolHandler<T extends z.ZodRawShape = z.ZodRawShape> = (\n\targs: z.infer<z.ZodObject<T>>,\n\textra: { signal?: AbortSignal },\n) => Promise<CallToolResult>;\n\nconst __dirname = path.dirname(fileURLToPath(import.meta.url));\n\nexport interface LiopServerOptions {\n\tcapabilities?: Record<string, unknown>;\n\tworkerPool?: {\n\t\tenabled?: boolean;\n\t\tminThreads?: number;\n\t\tmaxThreads?: number;\n\t\tidleTimeout?: number;\n\t\t/** Max heap memory per worker in MB (default: 64). Prevents heap bomb DoS. */\n\t\tmaxHeapMb?: number;\n\t};\n\tsecurity?: {\n\t\tpiiPatterns?: PiiRule[];\n\t\tforbiddenKeys?: string[];\n\t\t/** Enable NLP-based Named Entity Recognition scanning on output values. */\n\t\tenableNerScanning?: boolean;\n\t\t/** Rate limiting configuration for tool calls (OWASP A01). */\n\t\trateLimit?: {\n\t\t\t/** Maximum calls per window per tool (default: 15). */\n\t\t\tmaxPerWindow?: number;\n\t\t\t/** Maximum calls per window across ALL tools combined (default: 40). */\n\t\t\tglobalMaxPerWindow?: number;\n\t\t\t/** Sliding window duration in milliseconds (default: 60000 = 1 min). */\n\t\t\twindowMs?: number;\n\t\t};\n\t};\n\ttaxonomy?: {\n\t\tdomain?: string;\n\t\tclearanceTier?: number;\n\t\texecutionTypes?: string[];\n\t};\n}\n\nexport interface AggregationPolicy {\n\t/** Maximum number of object-type array elements allowed (default: 10) */\n\tmaxOutputRows?: number;\n\t/** Allow arrays containing only primitive values (default: true) */\n\tallowPrimitiveArrays?: boolean;\n}\n\nexport interface LogicExecutionPolicy {\n\t/**\n\t * Validate the business payload returned by sandbox logic (post-execution).\n\t * This runs before final egress checks and blocks non-conforming outputs.\n\t */\n\toutputSchema?: z.ZodType<unknown>;\n\t/**\n\t * Enforce aggregation-first heuristics (preflight + post-check).\n\t */\n\tenforceAggregationFirst?: boolean | AggregationPolicy;\n\t/**\n\t * Optional additional deny patterns checked against extracted logic source.\n\t */\n\tpreflightDenyPatterns?: RegExp[];\n}\n\nexport class LiopServer {\n\tprivate logicCache: Map<string, { hash: string; timestamp: number }> =\n\t\tnew Map();\n\tprivate connectionStats: Map<\n\t\tstring,\n\t\t{ failures: number; lastAttempt: number }\n\t> = new Map();\n\tprivate readonly CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours\n\tprivate readonly THROTTLE_THRESHOLD = 5;\n\tprivate readonly THROTTLE_COOLDOWN_MS = 60 * 1000; // 60 seconds\n\n\t// [OWASP-A01] Sliding window rate limiter — prevents micro-query exfiltration\n\tprivate toolCallWindows: Map<string, number[]> = new Map();\n\tprivate readonly toolCallMaxPerWindow: number;\n\tprivate readonly toolCallWindowMs: number;\n\n\t// [OWASP-A01] Global cross-tool rate limiter — prevents distributed micro-query attacks\n\tprivate globalCallWindow: number[] = [];\n\tprivate readonly globalCallMaxPerWindow: number;\n\n\t// [SEC] AST-level taint tracker for PII side-channel prevention\n\tprivate readonly taintAnalyzer: TaintAnalyzer;\n\n\tprivate tools: Map<\n\t\tstring,\n\t\t{\n\t\t\ttool: Tool;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\thandler: ToolHandler<any>;\n\t\t\t// biome-ignore lint/suspicious/noExplicitAny: Erased at runtime\n\t\t\tschema: z.ZodObject<any>;\n\t\t\tpolicy?: LogicExecutionPolicy;\n\t\t}\n\t> = new Map();\n\tprivate resources: Map<\n\t\tstring,\n\t\tResource & { content?: string | (() => Promise<string>) }\n\t> = new Map();\n\tprivate prompts: Map<\n\t\tstring,\n\t\t{\n\t\t\tprompt: Prompt;\n\t\t\thandler: (\n\t\t\t\trequest: GetPromptRequest,\n\t\t\t) => GetPromptResult | Promise<GetPromptResult>;\n\t\t}\n\t> = new Map();\n\tprivate activeSchema: Record<string, unknown> | null = null;\n\tprivate sandboxRecords: Record<string, unknown>[] = [];\n\n\tprivate piiScanner: PiiScanner;\n\tprivate workerPool: Piscina;\n\tprivate meshNode: MeshNode | null = null;\n\tprivate rpcServer: LiopRpcServer | null = null;\n\tprivate boundPort: number | null = null;\n\tprivate sessions: Map<\n\t\tstring,\n\t\t{ capability_hash: string; kyber_sk: Uint8Array }\n\t> = new Map();\n\n\t// Compact envelope: @LIOP{target,name}\\n<code>\\n@END\n\tprivate static readonly LIOP_COMPACT_REGEX =\n\t\t/@LIOP\\{(?<target>[^,}]+)(?:,(?<name>[^}]*))?\\}\\n(?<logic>[\\s\\S]*?)\\n@END/m;\n\n\tprivate extractLogic(payload: string): string | null {\n\t\tconst compact = payload.match(LiopServer.LIOP_COMPACT_REGEX);\n\t\treturn compact?.groups?.logic ? compact.groups.logic.trim() : null;\n\t}\n\n\tprivate parseUnknownJson(input: unknown): unknown {\n\t\tif (typeof input !== \"string\") return input;\n\t\tconst trimmed = input.trim();\n\t\tif (\n\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t) {\n\t\t\ttry {\n\t\t\t\treturn JSON.parse(trimmed);\n\t\t\t} catch {\n\t\t\t\treturn input;\n\t\t\t}\n\t\t}\n\t\treturn input;\n\t}\n\n\tprivate runPreflightPolicy(\n\t\t_toolName: string,\n\t\tlogic: string,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\t// Phase 1: Regex-based row-level export detection (fast path)\n\t\tif (policy) {\n\t\t\tconst compact = logic.replace(/\\s+/g, \" \");\n\n\t\t\tif (policy.enforceAggregationFirst) {\n\t\t\t\tconst rowExtractionPatterns = [\n\t\t\t\t\t// Block raw record dumps but allow safe aggregation chains\n\t\t\t\t\t// (.reduce, .length, .filter().length, .every, .some)\n\t\t\t\t\t/return\\s+env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter|every|some|find)\\b)/i,\n\t\t\t\t\t/return\\s*\\{[\\s\\S]*\\b(accounts|patients|rows|records)\\s*:\\s*env\\.records(?!\\s*\\.\\s*(?:reduce|length|filter)\\b)/i,\n\t\t\t\t];\n\t\t\t\tif (rowExtractionPatterns.some((p) => p.test(compact))) {\n\t\t\t\t\treturn \"Preflight policy rejected: potential row-level export pattern detected.\";\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tif (policy.preflightDenyPatterns?.some((p) => p.test(compact))) {\n\t\t\t\treturn \"Preflight policy rejected: custom deny pattern matched.\";\n\t\t\t}\n\t\t}\n\n\t\t// Phase 2: AST-level taint tracking (detects PII side-channel derivation)\n\t\tconst taintViolation = this.taintAnalyzer.analyze(logic);\n\t\tif (taintViolation) {\n\t\t\treturn `Preflight policy rejected: ${taintViolation.reason}`;\n\t\t}\n\n\t\treturn null;\n\t}\n\n\tprivate validateOutputPolicy(\n\t\ttoolName: string,\n\t\toutput: unknown,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): string | null {\n\t\tif (!policy) return null;\n\t\tconst parsed = this.parseUnknownJson(output);\n\n\t\tif (policy.outputSchema) {\n\t\t\t// SEC-HARDENING: Force strict mode on ZodObject schemas to prevent\n\t\t\t// key aliasing bypasses via .passthrough(). However, respect schemas\n\t\t\t// that explicitly use .catchall() — calling .strict() would override\n\t\t\t// the catchall with ZodNever, destroying the developer's intent.\n\t\t\tconst effectiveSchema = (() => {\n\t\t\t\tif (!(policy.outputSchema instanceof z.ZodObject)) {\n\t\t\t\t\treturn policy.outputSchema;\n\t\t\t\t}\n\t\t\t\tconst obj = policy.outputSchema as z.ZodObject<z.ZodRawShape>;\n\t\t\t\t// If schema has an explicit catchall (not ZodNever), respect it\n\t\t\t\tif (!(obj._def.catchall instanceof z.ZodNever)) {\n\t\t\t\t\treturn obj;\n\t\t\t\t}\n\t\t\t\t// Otherwise force strict to block unrecognized keys by default\n\t\t\t\treturn obj.strict();\n\t\t\t})();\n\n\t\t\tconst schemaResult = effectiveSchema.safeParse(parsed);\n\t\t\tif (!schemaResult.success) {\n\t\t\t\t// SEC-CRITICAL: Never expose rejected data in error messages.\n\t\t\t\t// Only report the structural violation (unrecognized keys, type mismatches).\n\t\t\t\treturn `[LIOP] Output schema violation for ${toolName}: ${schemaResult.error.issues\n\t\t\t\t\t.map((i) => `${i.path.join(\".\") || \"<root>\"} ${i.message}`)\n\t\t\t\t\t.join(\n\t\t\t\t\t\t\"; \",\n\t\t\t\t\t)}. HINT: Your output must conform to the declared schema. Use 'env.records' to access the dataset and return only allowed fields.`;\n\t\t\t}\n\t\t}\n\n\t\tif (\n\t\t\tpolicy.enforceAggregationFirst &&\n\t\t\tthis.violatesAggregationFirstPolicy(\n\t\t\t\tthis.unwrapForAggregationPolicyScan(parsed),\n\t\t\t\tpolicy.enforceAggregationFirst,\n\t\t\t\tthis.sandboxRecords.length,\n\t\t\t)\n\t\t) {\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\treturn isDev\n\t\t\t\t? \"Aggregation-First Policy Violation: row-level export or K-Anonymity violation blocked. HINT: Use .reduce() to produce a flat {key:value} object. Do NOT use .map() to create arrays of objects. Ensure dataset size > 10 for detailed results.\"\n\t\t\t\t: \"Aggregation-First Policy Violation: Output blocked due to privacy constraints.\";\n\t\t}\n\n\t\treturn null;\n\t}\n\n\t/**\n\t * Proxied tools stringify a full MCP CallToolResult (`{ content: [...] }`).\n\t * Aggregation-first heuristics must scan the inner business JSON, not the MCP envelope\n\t * (otherwise `content` looks like a tabular array of objects and everything blocks).\n\t */\n\tprivate unwrapForAggregationPolicyScan(input: unknown): unknown {\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.unwrapForAggregationPolicyScan(JSON.parse(trimmed));\n\t\t\t\t} catch {\n\t\t\t\t\treturn input;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn input;\n\t\t}\n\n\t\tif (!input || typeof input !== \"object\") {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst rec = input as Record<string, unknown>;\n\t\tif (!Array.isArray(rec.content) || rec.content.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst texts: string[] = [];\n\t\tfor (const part of rec.content) {\n\t\t\tif (part && typeof part === \"object\" && \"text\" in part) {\n\t\t\t\tconst t = (part as { text?: unknown }).text;\n\t\t\t\tif (typeof t === \"string\") {\n\t\t\t\t\ttexts.push(t);\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif (texts.length === 0) {\n\t\t\treturn input;\n\t\t}\n\n\t\tconst joined = texts.length === 1 ? texts[0] : texts.join(\"\\n\");\n\t\treturn this.unwrapForAggregationPolicyScan(joined);\n\t}\n\n\tprivate violatesAggregationFirstPolicy(\n\t\tinput: unknown,\n\t\tpolicyObj?: boolean | AggregationPolicy,\n\t\trecordsCount?: number,\n\t): boolean {\n\t\tconst maxRows =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.maxOutputRows === \"number\"\n\t\t\t\t? policyObj.maxOutputRows\n\t\t\t\t: 10;\n\t\tconst allowPrimitives =\n\t\t\ttypeof policyObj === \"object\" &&\n\t\t\ttypeof policyObj.allowPrimitiveArrays === \"boolean\"\n\t\t\t\t? policyObj.allowPrimitiveArrays\n\t\t\t\t: true;\n\n\t\tif (typeof input === \"string\") {\n\t\t\tconst trimmed = input.trim();\n\t\t\tif (\n\t\t\t\t(trimmed.startsWith(\"{\") && trimmed.endsWith(\"}\")) ||\n\t\t\t\t(trimmed.startsWith(\"[\") && trimmed.endsWith(\"]\"))\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\treturn this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tJSON.parse(trimmed),\n\t\t\t\t\t\tpolicyObj,\n\t\t\t\t\t\trecordsCount,\n\t\t\t\t\t);\n\t\t\t\t} catch {\n\t\t\t\t\treturn false;\n\t\t\t\t}\n\t\t\t}\n\t\t\treturn false;\n\t\t}\n\n\t\tif (Array.isArray(input)) {\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item === \"object\" && item !== null)\n\t\t\t) {\n\t\t\t\t// Treat tabular row export as non-aggregated leakage risk if above threshold.\n\t\t\t\tif (input.length > maxRows) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t\treturn input.some((item) =>\n\t\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t\t);\n\t\t\t}\n\n\t\t\tif (\n\t\t\t\tinput.length > 0 &&\n\t\t\t\tinput.every((item) => typeof item !== \"object\" || item === null)\n\t\t\t) {\n\t\t\t\tif (!allowPrimitives) return true;\n\t\t\t\treturn false;\n\t\t\t}\n\n\t\t\treturn input.some((item) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(item, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\tif (input && typeof input === \"object\") {\n\t\t\tconst keys = Object.keys(input as Record<string, unknown>);\n\n\t\t\t// K-ANONYMITY: If source dataset is too small (< 10), enforce restriction.\n\t\t\t// Allow basic statistical summaries (max 3 keys: count/avg/stddev, no nesting).\n\t\t\tif (recordsCount !== undefined && recordsCount > 0 && recordsCount < 10) {\n\t\t\t\tif (keys.length > 3) return true;\n\t\t\t\t// Check for nesting/arrays in a small sample\n\t\t\t\tconst values = Object.values(input as Record<string, unknown>);\n\t\t\t\tif (\n\t\t\t\t\tvalues.some(\n\t\t\t\t\t\t(v) => Array.isArray(v) || (typeof v === \"object\" && v !== null),\n\t\t\t\t\t)\n\t\t\t\t) {\n\t\t\t\t\treturn true;\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Treat flat dictionary with too many keys as non-aggregated leakage risk (Dynamic Key Bypass).\n\t\t\tif (keys.length > maxRows) {\n\t\t\t\treturn true;\n\t\t\t}\n\n\t\t\treturn Object.values(input as Record<string, unknown>).some((value) =>\n\t\t\t\tthis.violatesAggregationFirstPolicy(value, policyObj, recordsCount),\n\t\t\t);\n\t\t}\n\n\t\treturn false;\n\t}\n\n\tconstructor(\n\t\tprivate serverInfo: ServerInfo,\n\t\tprivate config?: LiopServerOptions,\n\t) {\n\t\tconst nerScanner = this.config?.security?.enableNerScanning\n\t\t\t? new NerScanner()\n\t\t\t: null;\n\n\t\tthis.piiScanner = new PiiScanner(\n\t\t\tthis.config?.security?.piiPatterns ?? PII_PRESETS.GLOBAL_STRICT,\n\t\t\tthis.config?.security?.forbiddenKeys ?? [\n\t\t\t\t\"id\",\n\t\t\t\t\"name\",\n\t\t\t\t\"fullName\",\n\t\t\t\t\"firstName\",\n\t\t\t\t\"lastName\",\n\t\t\t\t\"address\",\n\t\t\t\t\"street\",\n\t\t\t\t\"city\",\n\t\t\t\t\"postalCode\",\n\t\t\t\t\"zipCode\",\n\t\t\t\t\"phone\",\n\t\t\t\t\"email\",\n\t\t\t\t\"ssn\",\n\t\t\t\t\"accountHolder\",\n\t\t\t\t\"accountNumber\",\n\t\t\t\t\"account_number\",\n\t\t\t\t\"password\",\n\t\t\t\t\"token\",\n\t\t\t\t\"secret\",\n\t\t\t\t\"privateKey\",\n\t\t\t],\n\t\t\tnerScanner,\n\t\t);\n\n\t\t// [OWASP-A01] Rate limit: config > env > default (15 calls/min per-tool, 40 global)\n\t\tconst rlConfig = this.config?.security?.rateLimit;\n\t\tthis.toolCallWindowMs =\n\t\t\trlConfig?.windowMs ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_WINDOW_MS ?? \"60000\", 10);\n\t\tthis.toolCallMaxPerWindow =\n\t\t\trlConfig?.maxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_MAX ?? \"15\", 10);\n\t\tthis.globalCallMaxPerWindow =\n\t\t\trlConfig?.globalMaxPerWindow ??\n\t\t\tNumber.parseInt(process.env.LIOP_RATE_LIMIT_GLOBAL_MAX ?? \"40\", 10);\n\n\t\t// [SEC] Initialize AST-level taint analyzer with PII field definitions\n\t\tconst forbiddenKeys = this.config?.security?.forbiddenKeys ?? [\n\t\t\t\"id\",\n\t\t\t\"name\",\n\t\t\t\"fullName\",\n\t\t\t\"firstName\",\n\t\t\t\"lastName\",\n\t\t\t\"address\",\n\t\t\t\"street\",\n\t\t\t\"city\",\n\t\t\t\"postalCode\",\n\t\t\t\"zipCode\",\n\t\t\t\"phone\",\n\t\t\t\"email\",\n\t\t\t\"ssn\",\n\t\t\t\"accountHolder\",\n\t\t\t\"accountNumber\",\n\t\t\t\"account_number\",\n\t\t\t\"password\",\n\t\t\t\"token\",\n\t\t\t\"secret\",\n\t\t\t\"privateKey\",\n\t\t];\n\t\tthis.taintAnalyzer = new TaintAnalyzer(forbiddenKeys);\n\n\t\t// Initialize Zero-Blocking Worker Pool for Heavy Cryptography & Sandboxing\n\t\tconst isTS = import.meta.url.endsWith(\".ts\");\n\t\tconst workerExt = isTS ? \".ts\" : \".js\";\n\n\t\tlet execArgv: string[] = [];\n\t\tif (isTS) {\n\t\t\ttry {\n\t\t\t\tconst req = createRequire(import.meta.url);\n\t\t\t\tconst tsxPkg = req.resolve(\"tsx/package.json\");\n\t\t\t\tconst absoluteTsx = pathToFileURL(\n\t\t\t\t\tpath.join(path.dirname(tsxPkg), \"dist\", \"loader.mjs\"),\n\t\t\t\t).href;\n\t\t\t\texecArgv = [\"--import\", absoluteTsx];\n\t\t\t} catch (_e) {\n\t\t\t\texecArgv = [\"--import\", \"tsx\"];\n\t\t\t}\n\t\t}\n\n\t\tconst isTest = process.env.NODE_ENV === \"test\" || process.env.VITEST;\n\n\t\t// Sync capabilities to serverInfo for MCP Handshakes\n\t\tif (this.config?.capabilities && !this.serverInfo.capabilities) {\n\t\t\tthis.serverInfo.capabilities = this.config.capabilities as Record<\n\t\t\t\tstring,\n\t\t\t\tunknown\n\t\t\t>;\n\t\t}\n\n\t\t// Support both flat dist/ and original src/ structure\n\t\tconst workerPaths = [\n\t\t\tpath.resolve(__dirname, `./workers/logic-execution${workerExt}`), // Flat dist/ (tsup)\n\t\t\tpath.resolve(__dirname, `../workers/logic-execution${workerExt}`), // Original src/\n\t\t];\n\n\t\tconst workerFilename =\n\t\t\tworkerPaths.find((p) => fs.existsSync(p)) || workerPaths[1];\n\n\t\tthis.workerPool = new Piscina({\n\t\t\tfilename: workerFilename,\n\t\t\tminThreads: this.config?.workerPool?.minThreads ?? (isTest ? 0 : 2),\n\t\t\tmaxThreads: this.config?.workerPool?.maxThreads ?? (isTest ? 1 : 8),\n\t\t\tidleTimeout:\n\t\t\t\tthis.config?.workerPool?.idleTimeout ?? (isTest ? 500 : 5000),\n\t\t\tmaxQueue: \"auto\",\n\t\t\ttaskQueue: new FixedQueue(),\n\t\t\texecArgv,\n\t\t\t// [DoS Defense] Enforce hard memory ceiling per worker thread.\n\t\t\t// Workers exceeding this limit are terminated by Node.js runtime.\n\t\t\tresourceLimits: {\n\t\t\t\tmaxOldGenerationSizeMb:\n\t\t\t\t\tthis.config?.workerPool?.maxHeapMb ??\n\t\t\t\t\tNumber.parseInt(process.env.LIOP_WORKER_MAX_HEAP_MB ?? \"64\", 10),\n\t\t\t},\n\t\t});\n\n\t\t// [Token Economy] Auto-register LIOP protocol spec as a single Resource.\n\t\t// This centralizes the envelope documentation that was previously\n\t\t// duplicated in every tool description, reducing token overhead.\n\t\tthis.resource(\n\t\t\t\"LIOP Envelope Specification\",\n\t\t\t\"liop://protocol/envelope-spec\",\n\t\t\t\"Complete Logic-on-Origin envelope format, execution rules, and security constraints\",\n\t\t\t\"text/plain\",\n\t\t\t() => Promise.resolve(this.buildEnvelopeSpec()),\n\t\t);\n\t}\n\t/**\n\t * Builds the centralized LIOP envelope specification document.\n\t * Served as a single Resource (liop://protocol/envelope-spec) instead\n\t * of being duplicated across every tool description.\n\t */\n\tprivate buildEnvelopeSpec(): string {\n\t\tconst lines = [\n\t\t\t\"LIOP v1 Envelope Specification\",\n\t\t\t\"================================\",\n\t\t\t\"\",\n\t\t\t\"FORMAT:\",\n\t\t\t\"\",\n\t\t\t\"Compact Envelope:\",\n\t\t\t\" @LIOP{wasi_v1,TaskName}\",\n\t\t\t\" <JavaScript code>\",\n\t\t\t\" @END\",\n\t\t\t\"\",\n\t\t\t\"RUNTIME ENVIRONMENT:\",\n\t\t\t\"- env.records: Array of data objects from the origin\",\n\t\t\t\"- Must use 'return' to output results\",\n\t\t\t\"- Zero-Trust WASI Sandbox (Node.js Worker Pool)\",\n\t\t\t\"- Return aggregated objects, NOT raw row-level arrays\",\n\t\t\t\"\",\n\t\t\t\"SECURITY CONSTRAINTS:\",\n\t\t\t\"- PII Egress Shield blocks raw identifiers in output\",\n\t\t\t\"- Aggregation-First policy: prefer counts, averages, summaries\",\n\t\t\t\"- AST Guardian: static analysis before execution\",\n\t\t];\n\n\t\tif (this.config?.security?.forbiddenKeys?.length) {\n\t\t\tlines.push(\n\t\t\t\t`- Restricted fields: ${this.config.security.forbiddenKeys.join(\", \")}`,\n\t\t\t);\n\t\t}\n\n\t\tlines.push(\n\t\t\t\"\",\n\t\t\t\"TAINT TRACKING (Phase 108):\",\n\t\t\t\"- AST-level analysis blocks PII-derived scalars (charCodeAt, charAt, etc.)\",\n\t\t\t\"- Operations on restricted fields are tracked through variable assignments\",\n\t\t\t\"- Boolean inference (field.charCodeAt(0) < N ? 1 : 0) is blocked\",\n\t\t\t\"- Allowed: aggregations on non-PII fields (balance, amount, date)\",\n\t\t\t\"\",\n\t\t\t\"K-ANONYMITY:\",\n\t\t\t\"- Datasets < 10 records: max 3 scalar output fields, no nesting\",\n\t\t\t\"- Datasets >= 10 records: max 10 output fields\",\n\t\t\t\"\",\n\t\t\t\"RATE LIMITS (OWASP A01):\",\n\t\t\t\"- Per-tool: 15 calls/min (configurable via LIOP_RATE_LIMIT_MAX)\",\n\t\t\t\"- Global: 40 calls/min across all tools (LIOP_RATE_LIMIT_GLOBAL_MAX)\",\n\t\t\t\"\",\n\t\t\t\"OPTIONAL PARAMETERS:\",\n\t\t\t\"- __liop_bypass_ast_cache: boolean (force AST re-evaluation)\",\n\t\t);\n\n\t\treturn lines.join(\"\\n\");\n\t}\n\n\t/**\n\t * Extracts a compact, human-readable field summary from a JSON Schema.\n\t *\n\t * Walks the schema structure to find actual data property names and types,\n\t * rather than returning top-level schema metadata keys (type, items, etc.).\n\t *\n\t * Example output for a banking schema:\n\t * \"Array of {id(string), accountHolder(string), balance(number), transactions(array of {date(string), amount(number)})}\"\n\t */\n\tprivate extractSchemaFieldSummary(\n\t\tschema: Record<string, unknown>,\n\t\tdepth = 0,\n\t): string {\n\t\t// Prevent excessive recursion in deeply nested schemas\n\t\tif (depth > 3) return \"{...}\";\n\n\t\tconst schemaType = schema.type as string | undefined;\n\t\tconst properties = schema.properties as\n\t\t\t| Record<string, Record<string, unknown>>\n\t\t\t| undefined;\n\t\tconst items = schema.items as Record<string, unknown> | undefined;\n\n\t\t// Object with properties → list field names with their types\n\t\tif (properties) {\n\t\t\tconst fields = Object.entries(properties).map(([key, prop]) => {\n\t\t\t\tconst propType = prop.type as string | undefined;\n\t\t\t\tif (propType === \"array\" && prop.items) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(\n\t\t\t\t\t\tprop.items as Record<string, unknown>,\n\t\t\t\t\t\tdepth + 1,\n\t\t\t\t\t);\n\t\t\t\t\treturn `${key}(array of ${nested})`;\n\t\t\t\t}\n\t\t\t\tif (propType === \"object\" && prop.properties) {\n\t\t\t\t\tconst nested = this.extractSchemaFieldSummary(prop, depth + 1);\n\t\t\t\t\treturn `${key}(${nested})`;\n\t\t\t\t}\n\t\t\t\treturn `${key}(${propType || \"unknown\"})`;\n\t\t\t});\n\t\t\treturn `{${fields.join(\", \")}}`;\n\t\t}\n\n\t\t// Array type → describe the items structure\n\t\tif (schemaType === \"array\" && items) {\n\t\t\tconst itemsSummary = this.extractSchemaFieldSummary(items, depth + 1);\n\t\t\treturn `Array of ${itemsSummary}`;\n\t\t}\n\n\t\t// Simple type or unknown structure → fallback to key listing\n\t\tif (schemaType) return schemaType;\n\t\treturn Object.keys(schema).join(\", \");\n\t}\n\n\t/**\n\t * Convenience alias for connectToMesh(), matching official documentation.\n\t */\n\tpublic async connect(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\treturn this.connectToMesh(options);\n\t}\n\n\t/**\n\t * Register a new Tool\n\t */\n\tpublic tool<T extends z.ZodRawShape>(\n\t\tname: string,\n\t\tdescription: string,\n\t\tshape: T,\n\t\thandler: ToolHandler<T>,\n\t\tpolicy?: LogicExecutionPolicy,\n\t): void {\n\t\tif (this.tools.has(name)) {\n\t\t\tthrow new Error(`Tool already registered: ${name}`);\n\t\t}\n\n\t\tconst schema = z.object(shape);\n\t\tconst generatedSchema = zodToJsonSchema(schema);\n\n\t\tlet finalDescription = description;\n\t\tlet finalHandler = handler;\n\n\t\t// LIOP Zero-Shot Autonomy Middleware: Detect Logic-on-Origin tools\n\t\tif (shape.payload && shape.payload instanceof z.ZodString) {\n\t\t\tconst blockedKeys = this.config?.security?.forbiddenKeys || [];\n\n\t\t\t// [Token Economy] Centralized description: reference the protocol spec\n\t\t\t// Resource instead of duplicating the full envelope format per tool.\n\t\t\t// Same information, delivered once via liop://protocol/envelope-spec.\n\t\t\tfinalDescription +=\n\t\t\t\t\"\\n\\nPayload: LIOP v1 envelope (WASI sandbox).\" +\n\t\t\t\t\" Format: @LIOP{wasi_v1,TaskName}\\\\n<JS code>\\\\n@END\" +\n\t\t\t\t\" | Access data: env.records. Return aggregated object.\" +\n\t\t\t\t\" | Full spec: resource liop://protocol/envelope-spec\";\n\n\t\t\tif (blockedKeys.length > 0) {\n\t\t\t\tfinalDescription += `\\nRestricted fields: ${blockedKeys.join(\", \")}.`;\n\t\t\t}\n\n\t\t\tif (this.activeSchema) {\n\t\t\t\tconst schemaDigest = this.extractSchemaFieldSummary(this.activeSchema);\n\t\t\t\tfinalDescription += `\\nData structure: ${schemaDigest}. Full schema: resource liop://schema/global`;\n\t\t\t}\n\n\t\t\tfinalHandler = async (\n\t\t\t\targs: z.infer<z.ZodObject<T>>,\n\t\t\t\t_extra: { signal?: AbortSignal },\n\t\t\t) => {\n\t\t\t\tconst clientId = \"global_connection\"; // Simplify for now, treating the instance as one connection\n\t\t\t\tconst now = Date.now();\n\t\t\t\tconst stats = this.connectionStats.get(clientId) || {\n\t\t\t\t\tfailures: 0,\n\t\t\t\t\tlastAttempt: 0,\n\t\t\t\t};\n\n\t\t\t\tif (\n\t\t\t\t\tstats.failures >= this.THROTTLE_THRESHOLD &&\n\t\t\t\t\tnow - stats.lastAttempt < this.THROTTLE_COOLDOWN_MS\n\t\t\t\t) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"LIOP_THROTTLED: Too many violations. Cooling down for 60 seconds.\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadValue = (args as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst bypassCache =\n\t\t\t\t\t(args as Record<string, unknown>).__liop_bypass_ast_cache === true;\n\n\t\t\t\tconst payloadHash = crypto\n\t\t\t\t\t.createHash(\"sha256\")\n\t\t\t\t\t.update(payloadValue)\n\t\t\t\t\t.digest(\"hex\");\n\t\t\t\tconst logic = this.extractLogic(payloadValue);\n\t\t\t\tconst cached = this.logicCache.get(payloadHash);\n\n\t\t\t\tif (\n\t\t\t\t\t!bypassCache &&\n\t\t\t\t\tcached &&\n\t\t\t\t\tnow - cached.timestamp < this.CACHE_TTL_MS\n\t\t\t\t) {\n\t\t\t\t\t// Hash verified. Skips boundaries check (already validated!). Extract logic directly.\n\t\t\t\t\tif (logic) {\n\t\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing\n\t\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\t\tname,\n\t\t\t\t\t\t\tlogic,\n\t\t\t\t\t\t\tpolicy,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t\t};\n\t\t\t\t\t\t}\n\t\t\t\t\t\treturn await this.executeInWorkerPool(args, logic, name);\n\t\t\t\t\t}\n\t\t\t\t}\n\n\t\t\t\tif (!logic) {\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: \"Error: Malformed payload. Missing @LIOP boundary.\\\\nYou MUST wrap your logic exactly like this:\\\\n\\\\n@LIOP{wasi_v1,DynamicAudit}\\\\n// Your JS code here\\\\n@END\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Logic check already performed above, extraction is guaranteed at this point.\n\t\t\t\t\t// biome-ignore lint/style/noNonNullAssertion: safe extraction after check\n\t\t\t\t\tconst logic = this.extractLogic(\n\t\t\t\t\t\t(args as Record<string, unknown>).payload as string,\n\t\t\t\t\t)!;\n\t\t\t\t\t// Extract pure logic and deliver it to the developer's function\n\t\t\t\t\t(args as Record<string, unknown>).payload = logic;\n\n\t\t\t\t\t// DELEGATE TO WORKER POOL: Parallel PQC & Sandboxing (Includes PII Shield)\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(name, logic, policy);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\n\t\t\t\t\tconst result = await this.executeInWorkerPool(args, logic, name);\n\n\t\t\t\t\tif (!result.isError) {\n\t\t\t\t\t\tthis.connectionStats.set(clientId, {\n\t\t\t\t\t\t\tfailures: 0,\n\t\t\t\t\t\t\tlastAttempt: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t\tthis.logicCache.set(payloadHash, {\n\t\t\t\t\t\t\thash: payloadHash,\n\t\t\t\t\t\t\ttimestamp: now,\n\t\t\t\t\t\t});\n\t\t\t\t\t} else {\n\t\t\t\t\t\tstats.failures++;\n\t\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\t}\n\n\t\t\t\t\treturn result;\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tstats.failures++;\n\t\t\t\t\tstats.lastAttempt = now;\n\t\t\t\t\tthis.connectionStats.set(clientId, stats);\n\t\t\t\t\treturn {\n\t\t\t\t\t\tcontent: [\n\t\t\t\t\t\t\t{ type: \"text\", text: `ExecutionRuntimeException: ${e.message}` },\n\t\t\t\t\t\t],\n\t\t\t\t\t\tisError: true,\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t};\n\t\t}\n\n\t\tconst inputSchema = {\n\t\t\ttype: \"object\",\n\t\t\tproperties: (generatedSchema as Record<string, unknown>).properties || {},\n\t\t\trequired: (generatedSchema as Record<string, unknown>).required,\n\t\t};\n\n\t\tthis.tools.set(name, {\n\t\t\ttool: { name, description: finalDescription, inputSchema },\n\t\t\thandler: finalHandler,\n\t\t\tschema,\n\t\t\tpolicy,\n\t\t});\n\n\t\t// [LIOP-ALPHA] Auto-announce capability to the Mesh P2P DHT if node is active\n\t\tif (this.meshNode) {\n\t\t\tthis.meshNode.announceCapability(name).catch((err) => {\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-Mesh] Failed to auto-announce tool ${name}: ${err.message}`,\n\t\t\t\t);\n\t\t\t});\n\t\t}\n\t}\n\n\t/**\n\t * Register a dynamic prompt\n\t */\n\tpublic prompt(\n\t\tname: string,\n\t\tdescription: string | undefined,\n\t\targs: Prompt[\"arguments\"],\n\t\thandler: (\n\t\t\trequest: GetPromptRequest,\n\t\t) => GetPromptResult | Promise<GetPromptResult>,\n\t): void {\n\t\tif (this.prompts.has(name)) {\n\t\t\tthrow new Error(`Prompt already registered: ${name}`);\n\t\t}\n\t\tthis.prompts.set(name, {\n\t\t\tprompt: { name, description, arguments: args },\n\t\t\thandler,\n\t\t});\n\t}\n\n\t/**\n\t * Enables LIOP Zero-Shot Autonomy by registering the Blind Analyst standard prompt.\n\t */\n\tpublic enableZeroShotAutonomy(): void {\n\t\tthis.prompt(\n\t\t\t\"liop_blind_analyst\",\n\t\t\t\"The official Logic-Injection-on-Origin Protocol system prompt. Instructs the LLM on how to securely inject Logic-on-Origin without violating PII or safety constraints.\",\n\t\t\t[],\n\t\t\t(_request) => {\n\t\t\t\treturn {\n\t\t\t\t\tdescription: \"LIOP Blind Analyst Instructions\",\n\t\t\t\t\tmessages: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\trole: \"user\",\n\t\t\t\t\t\t\tcontent: {\n\t\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\t\ttext: `You are the \"Blind Analyst\" operating within the Logic-Injection-on-Origin Protocol (LIOP) ecosystem.\nYour objective is to perform secure Logic-on-Origin injections. You must process remote data without ever requesting its extraction.\n\nINDUSTRIAL CONSTRAINTS & PROTOCOL RULES:\n1. DATA PRIVACY: NEVER attempt to export Personally Identifiable Information (PII). The LIOP Egress Shield will block any response containing raw IDs, names, or addresses.\n2. AGGREGATION FIRST: Always prefer returning counts, averages, or anonymized summaries.\n3. PAYLOAD ENCAPSULATION: Your JavaScript payloads MUST strictly adhere to the Compact Envelope. DO NOT include markdown backticks or leading text inside the 'payload' argument.\n Structure:\n @LIOP{wasi_v1,AnalysisTask}\n // Your JS Code Here\n @END\n4. RUNTIME SCOPE: The execution environment provides a global 'env' object. Use 'env.records' to access the target dataset.\n5. LOCALIZATION: Format all JSON response keys in the language used by the user in their query (e.g., use Spanish keys if the query is in Spanish).\n6. SCHEMA RIGIDITY: Only use fields defined in the 'Data Dictionary'. Usage of non-existent fields will trigger a sandbox runtime exception.${\n\t\t\t\t\t\t\t\t\tthis.activeSchema\n\t\t\t\t\t\t\t\t\t\t? `\\n\\nCURRENT DATA DICTIONARY (STRICT):\\n${JSON.stringify(this.activeSchema, null, 2)}`\n\t\t\t\t\t\t\t\t\t\t: \"\"\n\t\t\t\t\t\t\t\t}\n\nProtocol Adherence is mandatory for successful execution.`,\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t};\n\t\t\t},\n\t\t);\n\t}\n\n\t/**\n\t * Register a dynamic resource\n\t */\n\tpublic resource(\n\t\tname: string,\n\t\turi: string,\n\t\tdescription?: string,\n\t\tmimeType?: string,\n\t\tcontent?: string | (() => Promise<string>),\n\t): void {\n\t\tif (this.resources.has(uri)) {\n\t\t\tthrow new Error(`Resource URI already registered: ${uri}`);\n\t\t}\n\t\tthis.resources.set(uri, { name, uri, description, mimeType, content });\n\t}\n\n\t/**\n\t * Broadcasts the Data Dictionary to the LLM prior to code injection.\n\t */\n\tpublic dataDictionary(\n\t\tschema: Record<string, unknown>,\n\t\tname: string = \"Global Medical Data Dictionary\",\n\t\turi: string = \"liop://schema/global\",\n\t\tdescription: string = \"Exposes the internal database schema for Zero-Shot Autonomy planning\",\n\t): void {\n\t\tthis.activeSchema = schema;\n\n\t\t// [Token Economy] Retroactively update tool descriptions with schema field references.\n\t\t// Extracts actual data property names from the JSON Schema structure.\n\t\tconst schemaDigest = this.extractSchemaFieldSummary(schema);\n\t\tfor (const [toolName, entry] of this.tools.entries()) {\n\t\t\tif (\n\t\t\t\tentry.schema.shape.payload &&\n\t\t\t\tentry.schema.shape.payload instanceof z.ZodString &&\n\t\t\t\tentry.tool.description &&\n\t\t\t\t!entry.tool.description.includes(\"Data structure:\")\n\t\t\t) {\n\t\t\t\tentry.tool.description += `\\nData structure: ${schemaDigest}. Full schema: resource ${uri}`;\n\t\t\t\tthis.tools.set(toolName, entry);\n\t\t\t}\n\t\t}\n\n\t\tthis.resource(\n\t\t\tname,\n\t\t\turi,\n\t\t\tdescription,\n\t\t\t\"application/json\",\n\t\t\tJSON.stringify(schema, null, 2),\n\t\t);\n\t}\n\n\t/**\n\t * Manually invalidates the AST Logic Cache (e.g. for Zero-Day patches).\n\t */\n\tpublic clearAstCache(): void {\n\t\tthis.logicCache.clear();\n\t\tlog.info(\"[LIOP-SDK] AST Security Cache cleared by Admin.\");\n\t}\n\n\t/**\n\t * Sliding window rate limiter for tool call frequency.\n\t * Prevents micro-query exfiltration attacks where an attacker\n\t * makes hundreds of individually-legitimate calls to reconstruct\n\t * the full dataset field by field. (OWASP A01)\n\t */\n\tprivate checkToolCallRateLimit(toolName: string): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxPerWindow = this.toolCallMaxPerWindow;\n\n\t\tconst window = this.toolCallWindows.get(toolName) || [];\n\t\t// Evict expired timestamps outside the sliding window\n\t\tconst active = window.filter((t) => now - t < windowMs);\n\n\t\tif (active.length >= maxPerWindow) {\n\t\t\tconst retryAfterSec = Math.ceil((active[0] + windowMs - now) / 1000);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Too many calls to ${toolName}. ` +\n\t\t\t\t\t\t\t`Max ${maxPerWindow} per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tactive.push(now);\n\t\tthis.toolCallWindows.set(toolName, active);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Global cross-tool rate limiter.\n\t * Prevents attackers from distributing micro-queries across multiple tools\n\t * to evade per-tool rate limits. (OWASP A01)\n\t */\n\tprivate checkGlobalRateLimit(): CallToolResult | null {\n\t\tconst now = Date.now();\n\t\tconst windowMs = this.toolCallWindowMs;\n\t\tconst maxGlobal = this.globalCallMaxPerWindow;\n\n\t\tthis.globalCallWindow = this.globalCallWindow.filter(\n\t\t\t(t) => now - t < windowMs,\n\t\t);\n\n\t\tif (this.globalCallWindow.length >= maxGlobal) {\n\t\t\tconst retryAfterSec = Math.ceil(\n\t\t\t\t(this.globalCallWindow[0] + windowMs - now) / 1000,\n\t\t\t);\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext:\n\t\t\t\t\t\t\t`LIOP_RATE_LIMITED: Global call limit exceeded. ` +\n\t\t\t\t\t\t\t`Max ${maxGlobal} total calls per ${windowMs / 1000}s window. ` +\n\t\t\t\t\t\t\t`Retry after ${retryAfterSec}s.`,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\n\t\tthis.globalCallWindow.push(now);\n\t\treturn null;\n\t}\n\n\t/**\n\t * Emulates calling a tool (used locally or via LIOPMcpBridge)\n\t */\n\tpublic async callTool(request: CallToolRequest): Promise<CallToolResult> {\n\t\tconst entry = this.tools.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Tool not found: ${request.name}`);\n\t\t}\n\n\t\t// [OWASP-A01] Rate limiting: prevent micro-query exfiltration\n\t\tconst globalLimitResult = this.checkGlobalRateLimit();\n\t\tif (globalLimitResult) return globalLimitResult;\n\t\tconst rateLimitResult = this.checkToolCallRateLimit(request.name);\n\t\tif (rateLimitResult) return rateLimitResult;\n\n\t\ttry {\n\t\t\t// Validate inputs natively with Zod before execution\n\t\t\tconst parsedArgs = entry.schema.parse(request.arguments || {});\n\n\t\t\t// Re-inject the bypass flag if present since Zod might strip unrecognized keys\n\t\t\tif (\n\t\t\t\t(request.arguments as Record<string, unknown>)\n\t\t\t\t\t?.__liop_bypass_ast_cache === true\n\t\t\t) {\n\t\t\t\t(parsedArgs as Record<string, unknown>).__liop_bypass_ast_cache = true;\n\t\t\t}\n\n\t\t\t// [LOGIC-ON-ORIGIN] Intercept code injection directly\n\t\t\tif (\n\t\t\t\tparsedArgs &&\n\t\t\t\ttypeof (parsedArgs as Record<string, unknown>).payload === \"string\"\n\t\t\t) {\n\t\t\t\tconst payload = (parsedArgs as Record<string, unknown>)\n\t\t\t\t\t.payload as string;\n\t\t\t\tconst logic = this.extractLogic(payload);\n\t\t\t\tif (logic) {\n\t\t\t\t\tconst preflightReason = this.runPreflightPolicy(\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\tentry.policy,\n\t\t\t\t\t);\n\t\t\t\t\tif (preflightReason) {\n\t\t\t\t\t\treturn {\n\t\t\t\t\t\t\tcontent: [{ type: \"text\", text: preflightReason }],\n\t\t\t\t\t\t\tisError: true,\n\t\t\t\t\t\t};\n\t\t\t\t\t}\n\t\t\t\t\t(parsedArgs as Record<string, unknown>).payload = logic;\n\t\t\t\t\treturn await this.executeInWorkerPool(\n\t\t\t\t\t\tparsedArgs,\n\t\t\t\t\t\tlogic,\n\t\t\t\t\t\trequest.name,\n\t\t\t\t\t);\n\t\t\t\t}\n\t\t\t}\n\n\t\t\tconst result = await entry.handler(parsedArgs, {});\n\t\t\treturn result;\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tif (e instanceof z.ZodError) {\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [{ type: \"text\", text: `Validation Error: ${e.message}` }],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{ type: \"text\", text: `Internal Execution Error: ${e.message}` },\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Retrieves registered tools\n\t */\n\tpublic listTools(): Tool[] {\n\t\treturn Array.from(this.tools.values()).map((t) => t.tool);\n\t}\n\n\t/**\n\t * Retrieves registered prompts\n\t */\n\tpublic listPrompts(): Prompt[] {\n\t\treturn Array.from(this.prompts.values()).map((p) => p.prompt);\n\t}\n\n\t/**\n\t * Gets a specific prompt by name\n\t */\n\tpublic async getPrompt(request: GetPromptRequest): Promise<GetPromptResult> {\n\t\tconst entry = this.prompts.get(request.name);\n\t\tif (!entry) {\n\t\t\tthrow new Error(`Prompt not found: ${request.name}`);\n\t\t}\n\t\treturn await entry.handler(request);\n\t}\n\n\t/**\n\t * Retrieves registered resources\n\t */\n\tpublic listResources(): Resource[] {\n\t\treturn Array.from(this.resources.values());\n\t}\n\n\t/**\n\t * Reads a specific resource by URI\n\t */\n\tpublic async readResource(uri: string): Promise<{\n\t\tcontents: Array<{ uri: string; mimeType?: string; text: string }>;\n\t}> {\n\t\tconst resource = this.resources.get(uri);\n\t\tif (!resource) {\n\t\t\tthrow new Error(`Resource not found: ${uri}`);\n\t\t}\n\n\t\tlet text = \"No description provided\";\n\t\tif (typeof resource.content === \"function\") {\n\t\t\ttext = await resource.content();\n\t\t} else if (typeof resource.content === \"string\") {\n\t\t\ttext = resource.content;\n\t\t} else if (resource.description) {\n\t\t\ttext = resource.description;\n\t\t}\n\n\t\treturn {\n\t\t\tcontents: [\n\t\t\t\t{\n\t\t\t\t\turi: resource.uri,\n\t\t\t\t\tmimeType: resource.mimeType || \"text/plain\",\n\t\t\t\t\ttext,\n\t\t\t\t},\n\t\t\t],\n\t\t};\n\t}\n\n\tpublic getServerInfo(): ServerInfo {\n\t\treturn this.serverInfo;\n\t}\n\n\tpublic getMeshNode(): MeshNode | null {\n\t\treturn this.meshNode;\n\t}\n\n\t/**\n\t * Injects data into the secure sandbox context for Logic-on-Origin tools.\n\t */\n\tpublic setSandboxData(records: Record<string, unknown>[]) {\n\t\tthis.sandboxRecords = records;\n\t}\n\n\tpublic getBoundPort(): number | null {\n\t\treturn this.boundPort;\n\t}\n\n\t/**\n\t * Connects to the libp2p Kademlia DHT and announces capabilities.\n\t * Boots the gRPC server for secure Logic-on-Origin.\n\t */\n\tpublic async connectToMesh(\n\t\toptions: {\n\t\t\tport?: number;\n\t\t\tmeshConfig?: {\n\t\t\t\tlistenAddresses?: string[];\n\t\t\t\tbootstrapNodes?: string[];\n\t\t\t\tidentityPath?: string;\n\t\t\t};\n\t\t} = {},\n\t): Promise<void> {\n\t\tconst envPort = process.env.LIOP_GRPC_PORT\n\t\t\t? Number.parseInt(process.env.LIOP_GRPC_PORT, 10)\n\t\t\t: undefined;\n\t\tconst port = options.port ?? envPort ?? 50051;\n\n\t\t// 1. Initialize Mesh Node (Discovery)\n\t\tthis.meshNode = new MeshNode(options.meshConfig);\n\t\tawait this.meshNode.start();\n\n\t\t// 2. Register LIOP Manifest Protocol Handler\n\t\t// This allows remote peers to query our tool/resource metadata dynamically.\n\t\tconst meshNodeRef = this.meshNode;\n\t\tthis.meshNode.registerManifestHandler((): LiopManifest => {\n\t\t\tconst tools = this.listTools().map((t) => ({\n\t\t\t\tname: t.name,\n\t\t\t\tdescription: t.description,\n\t\t\t\tinputSchema: t.inputSchema as Record<string, unknown>,\n\t\t\t}));\n\n\t\t\tconst resources = Array.from(this.resources.values()).map((r) => ({\n\t\t\t\tname: r.name,\n\t\t\t\turi: r.uri,\n\t\t\t\tdescription: r.description,\n\t\t\t\tmimeType: r.mimeType,\n\t\t\t\ttext: typeof r.content === \"string\" ? r.content : r.description,\n\t\t\t}));\n\n\t\t\treturn {\n\t\t\t\tpeerId: meshNodeRef.getPeerId(),\n\t\t\t\tgrpcPort: port,\n\t\t\t\ttools,\n\t\t\t\tresources,\n\t\t\t\tserverInfo: this.serverInfo,\n\t\t\t};\n\t\t});\n\n\t\t// 3. Announce local tools to the DHT\n\t\tfor (const tool of this.listTools()) {\n\t\t\tawait this.meshNode.announceCapability(tool.name).catch(log.info);\n\t\t}\n\n\t\t// 4. Announce manifest availability\n\t\tawait this.meshNode.announceManifest().catch(log.info);\n\n\t\t// 5. Initialize gRPC Server (Execution)\n\t\tthis.rpcServer = new LiopRpcServer();\n\n\t\tthis.rpcServer.addService({\n\t\t\tnegotiateIntent: (call, callback) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Negotiating intent for capability: ${request.capability_hash}`,\n\t\t\t\t);\n\n\t\t\t\t// Standard dynamic import to avoid potential circularity\n\t\t\t\timport(\"../rpc/crypto/kyber.js\").then(async ({ Kyber768Wrapper }) => {\n\t\t\t\t\tconst { publicKey, secretKey } =\n\t\t\t\t\t\tawait Kyber768Wrapper.generateKeyPair();\n\n\t\t\t\t\tconst sessionToken = crypto.randomUUID();\n\t\t\t\t\tthis.sessions.set(sessionToken, {\n\t\t\t\t\t\tcapability_hash: request.capability_hash,\n\t\t\t\t\t\tkyber_sk: secretKey,\n\t\t\t\t\t});\n\n\t\t\t\t\tcallback(null, {\n\t\t\t\t\t\taccepted: true,\n\t\t\t\t\t\tsession_token: sessionToken,\n\t\t\t\t\t\terror_message: \"\",\n\t\t\t\t\t\tkyber_public_key: publicKey,\n\t\t\t\t\t});\n\t\t\t\t});\n\t\t\t},\n\t\t\texecuteLogic: async (\n\t\t\t\tcall: grpc.ServerWritableStream<LogicRequest, LogicResponse>,\n\t\t\t) => {\n\t\t\t\tconst request = call.request;\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-RPC] Executing Logic-on-Origin for session: ${request.session_token}`,\n\t\t\t\t);\n\n\t\t\t\tconst session = this.sessions.get(request.session_token);\n\t\t\t\tif (!session) {\n\t\t\t\t\tcall.emit(\"error\", {\n\t\t\t\t\t\tcode: grpc.status.UNAUTHENTICATED,\n\t\t\t\t\t\tdetails: \"Invalid session token\",\n\t\t\t\t\t});\n\t\t\t\t\treturn;\n\t\t\t\t}\n\n\t\t\t\ttry {\n\t\t\t\t\t// Pass to Worker Pool for PQC Decryption and WASI/V8 execution\n\t\t\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\t\t\tciphertext: request.pqc_ciphertext,\n\t\t\t\t\t\tsecretKeyObj: Array.from(session.kyber_sk),\n\t\t\t\t\t\twasmBinary: request.wasm_binary,\n\t\t\t\t\t\tinputs: request.inputs,\n\t\t\t\t\t\taesNonce: request.aes_nonce,\n\t\t\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\t\t\tsessionToken: request.session_token,\n\t\t\t\t\t\tisEncrypted: true,\n\t\t\t\t\t});\n\n\t\t\t\t\tlet finalOutput: string;\n\t\t\t\t\ttry {\n\t\t\t\t\t\tfinalOutput =\n\t\t\t\t\t\t\ttypeof workerResponse.output === \"string\"\n\t\t\t\t\t\t\t\t? workerResponse.output\n\t\t\t\t\t\t\t\t: JSON.stringify(workerResponse.output);\n\n\t\t\t\t\t\t// [PROTOCOL TRANSFORMER] Support for Proxied Tool Calls\n\t\t\t\t\t\tconst decoded = JSON.parse(finalOutput);\n\t\t\t\t\t\tif (decoded.__liop_proxy_tool) {\n\t\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t\t`[LIOP-RPC] Executing Proxied Tool: ${decoded.__liop_proxy_tool}`,\n\t\t\t\t\t\t\t);\n\t\t\t\t\t\t\tconst toolResult = await this.callTool({\n\t\t\t\t\t\t\t\tname: decoded.__liop_proxy_tool,\n\t\t\t\t\t\t\t\targuments: decoded.__liop_proxy_args || {},\n\t\t\t\t\t\t\t});\n\t\t\t\t\t\t\tfinalOutput = JSON.stringify(toolResult);\n\t\t\t\t\t\t}\n\t\t\t\t\t} catch {\n\t\t\t\t\t\tfinalOutput = String(workerResponse.output);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst response: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: finalOutput,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\n\t\t\t\t\t\t\tworkerResponse.image_id || \"\",\n\t\t\t\t\t\t\t\"hex\",\n\t\t\t\t\t\t),\n\t\t\t\t\t\tzk_receipt: workerResponse.zk_receipt\n\t\t\t\t\t\t\t? Buffer.from(workerResponse.zk_receipt, \"base64\")\n\t\t\t\t\t\t\t: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: false,\n\t\t\t\t\t};\n\n\t\t\t\t\t// Final PII check for gRPC egress\n\t\t\t\t\tconst violation = await this.piiScanner.scan([\n\t\t\t\t\t\t{ type: \"text\", text: finalOutput },\n\t\t\t\t\t]);\n\t\t\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\t\t\tthis.unwrapForAggregationPolicyScan(finalOutput),\n\t\t\t\t\t);\n\t\t\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller\n\t\t\t\t\t\tconst internalReason =\n\t\t\t\t\t\t\tviolation || \"Aggregation-First Policy Violation\";\n\t\t\t\t\t\tlog.info(\n\t\t\t\t\t\t\t`[LIOP-RPC] Secure egress blocked in gRPC stream: ${internalReason}`,\n\t\t\t\t\t\t);\n\t\t\t\t\t\tresponse.semantic_evidence =\n\t\t\t\t\t\t\t\"[LIOP] Egress Security Violation. Output blocked due to policy enforcement.\";\n\t\t\t\t\t\tresponse.is_error = true;\n\t\t\t\t\t}\n\n\t\t\t\t\tcall.write(response, () => {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t});\n\t\t\t\t} catch (error: unknown) {\n\t\t\t\t\tconst e = error as Error;\n\t\t\t\t\tconst isDev =\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\t\tprocess.env.NODE_ENV === \"test\";\n\n\t\t\t\t\tconst detail = e.message || String(error);\n\t\t\t\t\tlog.error(`[LIOP-RPC] Execution Error: ${detail}`);\n\n\t\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t\t? `Execution Error: ${detail}`\n\t\t\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\t\t\t// Send error response before closing, avoiding \"stream closed without results\"\n\t\t\t\t\tconst errorResponse: LogicResponse = {\n\t\t\t\t\t\tsemantic_evidence: errorMessage,\n\t\t\t\t\t\tcryptographic_proof: Buffer.from(\"\"),\n\t\t\t\t\t\tzk_receipt: Buffer.from(\"\"),\n\t\t\t\t\t\tis_error: true,\n\t\t\t\t\t};\n\n\t\t\t\t\ttry {\n\t\t\t\t\t\tcall.write(errorResponse, () => {\n\t\t\t\t\t\t\tcall.end();\n\t\t\t\t\t\t});\n\t\t\t\t\t} catch (_writeErr) {\n\t\t\t\t\t\tcall.end();\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t},\n\t\t});\n\n\t\tthis.boundPort = await this.rpcServer.listen(port);\n\t\tlog.info(\n\t\t\t`[LIOP-SDK] Node successfully announced to Mesh. PeerID: ${this.meshNode.getPeerId()}`,\n\t\t);\n\t}\n\n\t/**\n\t * Internal worker execution with Egress Filtering logic.\n\t */\n\tprivate async executeInWorkerPool(\n\t\t_args: Record<string, unknown>,\n\t\trawPayload: string,\n\t\ttoolName?: string,\n\t): Promise<CallToolResult> {\n\t\ttry {\n\t\t\t// Transparent local execution without dynamic PQC\n\t\t\tconst workerResponse = await this.workerPool.run({\n\t\t\t\tciphertext: new Uint8Array(0),\n\t\t\t\tsecretKeyObj: Array.from(new Uint8Array(0)),\n\t\t\t\tkyberPublicKey: new Uint8Array(0),\n\t\t\t\twasmBinary: Buffer.from(rawPayload),\n\t\t\t\tinputs: {},\n\t\t\t\trecords: this.sandboxRecords,\n\t\t\t\tsessionToken: \"local-dev-token\",\n\t\t\t\tisEncrypted: false, // Use plaintext for local Logic-on-Origin injection\n\t\t\t});\n\n\t\t\t// Standard MCP Content Array\n\t\t\tconst textOutput = JSON.stringify({\n\t\t\t\tcomputation_result: workerResponse.output,\n\t\t\t\timage_id: workerResponse.image_id,\n\t\t\t\tzk_receipt: workerResponse.zk_receipt,\n\t\t\t\tstatus: \"Worker Pool Execution Success\",\n\t\t\t});\n\n\t\t\tconst content = [\n\t\t\t\t{\n\t\t\t\t\ttype: \"text\" as const,\n\t\t\t\t\ttext: textOutput,\n\t\t\t\t},\n\t\t\t];\n\n\t\t\tconst toolPolicy = toolName\n\t\t\t\t? this.tools.get(toolName)?.policy\n\t\t\t\t: undefined;\n\t\t\tconst policyViolation = this.validateOutputPolicy(\n\t\t\t\ttoolName || \"unknown_tool\",\n\t\t\t\tworkerResponse.output,\n\t\t\t\ttoolPolicy,\n\t\t\t);\n\t\t\tif (policyViolation) {\n\t\t\t\t// SEC-CRITICAL: Log details server-side, never expose to caller in Production\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Output policy blocked for ${toolName || \"unknown_tool\"}: ${policyViolation}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? policyViolation\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Professional PII Protection Guard\n\t\t\tconst violation = await this.piiScanner.scan(content);\n\t\t\tconst aggregationViolation = this.violatesAggregationFirstPolicy(\n\t\t\t\tworkerResponse.output,\n\t\t\t);\n\t\t\tif (violation || aggregationViolation) {\n\t\t\t\t// SEC-CRITICAL: Log the specific violation reason server-side only.\n\t\t\t\t// Never expose detection details (entity names, matched values) to the caller in Production.\n\t\t\t\tconst internalReason =\n\t\t\t\t\tviolation ||\n\t\t\t\t\t\"Aggregation-First Policy Violation: Output blocked due to dynamic flat-key policy enforcement.\";\n\t\t\t\tlog.info(\n\t\t\t\t\t`[LIOP-SDK] Secure egress blocked in local execution: ${internalReason}`,\n\t\t\t\t);\n\n\t\t\t\tconst isDev =\n\t\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\t\tconst errorMessage = isDev\n\t\t\t\t\t? `[LIOP] Egress Security Violation: ${internalReason}`\n\t\t\t\t\t: \"[LIOP] Egress Security Violation. Output blocked due to policy enforcement. Ensure your logic uses strictly aggregated, non-PII patterns.\";\n\n\t\t\t\treturn {\n\t\t\t\t\tcontent: [\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t\t},\n\t\t\t\t\t],\n\t\t\t\t\tisError: true,\n\t\t\t\t};\n\t\t\t}\n\n\t\t\treturn { content };\n\t\t} catch (error: unknown) {\n\t\t\tconst e = error as Error;\n\t\t\tconst isDev =\n\t\t\t\tprocess.env.NODE_ENV === \"development\" ||\n\t\t\t\tprocess.env.NODE_ENV === \"test\" ||\n\t\t\t\tprocess.env.LIOP_SEC_VERBOSE === \"1\";\n\n\t\t\tconst detail = e.message || String(error);\n\t\t\tlog.error(`[LIOP-SDK] WorkerPool Execution Fault: ${detail}`);\n\n\t\t\tconst errorMessage = isDev\n\t\t\t\t? `WorkerPoolError: ${detail}`\n\t\t\t\t: \"[LIOP] Execution Failed. The injected logic violated runtime constraints or encountered a fatal error.\";\n\n\t\t\treturn {\n\t\t\t\tcontent: [\n\t\t\t\t\t{\n\t\t\t\t\t\ttype: \"text\",\n\t\t\t\t\t\ttext: errorMessage,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t\tisError: true,\n\t\t\t};\n\t\t}\n\t}\n\n\t/**\n\t * Safely destroys the worker pool, gRPC server, and Mesh node.\n\t * Recommended to be called during graceful shutdowns or test teardowns.\n\t */\n\tpublic async close(): Promise<void> {\n\t\tif (this.workerPool) {\n\t\t\tawait this.workerPool.close({ force: true });\n\t\t}\n\t\tif (this.rpcServer) {\n\t\t\tawait this.rpcServer.stop();\n\t\t}\n\t\tif (this.meshNode) {\n\t\t\tawait this.meshNode.stop();\n\t\t}\n\t}\n}\n"]}