@neurosec/sentry 1.0.20 → 1.1.0

package/dist/launcher.js

@@ -0,0 +1,425 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectLauncherCapabilities = detectLauncherCapabilities;
+exports.resolveLaunchProfile = resolveLaunchProfile;
+exports.buildLaunchPlan = buildLaunchPlan;
+exports.launchWithSentry = launchWithSentry;
+exports.renderLaunchPlan = renderLaunchPlan;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+const child_process_1 = require("child_process");
+const sandbox_1 = require("./sandbox");
+const cert_manager_1 = require("./proxy/cert-manager");
+const types_1 = require("./types");
+function detectLauncherCapabilities(platform = os_1.default.platform()) {
+    return {
+        systemdRun: platform === 'linux' && commandExists('systemd-run'),
+        sandboxExec: platform === 'darwin' && commandExists('sandbox-exec'),
+        powershell: platform === 'win32' && (commandExists('powershell.exe') || commandExists('powershell')),
+    };
+}
+function resolveLaunchProfile(request) {
+    if (request.profileName) {
+        const byName = (0, sandbox_1.getProfileForFramework)('')?.name === request.profileName
+            ? (0, sandbox_1.getProfileForFramework)('')
+            : null;
+        if (byName)
+            return byName;
+    }
+    if (request.profileName) {
+        const explicit = require('./types').AGENT_SANDBOX_PROFILES.find((p) => p.name === request.profileName);
+        if (explicit)
+            return explicit;
+    }
+    return (0, sandbox_1.getProfileForFramework)(request.frameworkId ?? '') ?? require('./types').AGENT_SANDBOX_PROFILES.find((p) => p.name === 'default-restrictive');
+}
+function buildLaunchPlan(config, request, platform = os_1.default.platform(), capabilities = detectLauncherCapabilities(platform)) {
+    if (!request.command.length) {
+        throw new Error('launch requires a command after --');
+    }
+    const profile = resolveLaunchProfile(request);
+    if (!profile) {
+        throw new Error('no sandbox profile available');
+    }
+    const generatedFiles = [];
+    const notes = [];
+    const env = buildLaunchEnvironment(config, request.extraEnv ?? {}, !!request.dryRun);
+    const cwd = request.cwd;
+    if (platform === 'linux' && capabilities.systemdRun) {
+        return {
+            platform,
+            executable: 'systemd-run',
+            args: buildLinuxArgs(config, profile, request, env),
+            env,
+            cwd,
+            notes,
+            profile,
+            generatedFiles,
+        };
+    }
+    if (platform === 'darwin' && capabilities.sandboxExec) {
+        const profilePath = request.dryRun
+            ? path_1.default.join(config.sentry.stateDir, 'launcher', 'launch-dry-run.sb')
+            : writeMacLauncherProfile(config, profile);
+        generatedFiles.push(profilePath);
+        return {
+            platform,
+            executable: 'sandbox-exec',
+            args: ['-f', profilePath, ...request.command],
+            env,
+            cwd,
+            notes,
+            profile,
+            generatedFiles,
+        };
+    }
+    if (platform === 'win32' && capabilities.powershell) {
+        const scriptPath = request.dryRun
+            ? path_1.default.join(config.sentry.stateDir, 'launcher', 'launch-dry-run.ps1')
+            : writeWindowsLauncherScript(config, profile, request, env);
+        generatedFiles.push(scriptPath);
+        return {
+            platform,
+            executable: commandExists('powershell.exe') ? 'powershell.exe' : 'powershell',
+            args: ['-NoProfile', '-NonInteractive', '-ExecutionPolicy', 'Bypass', '-File', scriptPath],
+            env,
+            cwd,
+            notes,
+            profile,
+            generatedFiles,
+        };
+    }
+    notes.push('Platform launcher unavailable; falling back to plain spawn with proxy env only');
+    return {
+        platform,
+        executable: request.command[0],
+        args: request.command.slice(1),
+        env,
+        cwd,
+        notes,
+        profile,
+        generatedFiles,
+    };
+}
+async function launchWithSentry(config, request, platform = os_1.default.platform(), capabilities = detectLauncherCapabilities(platform)) {
+    const plan = buildLaunchPlan(config, request, platform, capabilities);
+    if (request.dryRun) {
+        process.stdout.write(renderLaunchPlan(plan) + '\n');
+        return 0;
+    }
+    return new Promise((resolve, reject) => {
+        const child = (0, child_process_1.spawn)(plan.executable, plan.args, {
+            cwd: plan.cwd,
+            env: plan.env,
+            stdio: 'inherit',
+        });
+        child.once('error', reject);
+        child.once('exit', (code, signal) => {
+            if (signal) {
+                resolve(1);
+                return;
+            }
+            resolve(code ?? 0);
+        });
+    });
+}
+function renderLaunchPlan(plan) {
+    return [
+        `Platform: ${plan.platform}`,
+        `Profile: ${plan.profile.name}`,
+        `Executable: ${plan.executable}`,
+        `Args: ${plan.args.map(shellQuote).join(' ')}`,
+        `Env additions: ${Object.keys(plan.env).length}`,
+        ...(plan.generatedFiles.length > 0 ? [`Generated: ${plan.generatedFiles.join(', ')}`] : []),
+        ...(plan.notes.length > 0 ? [`Notes: ${plan.notes.join(' | ')}`] : []),
+    ].join('\n');
+}
+function buildLaunchEnvironment(config, extraEnv, dryRun) {
+    const env = { ...process.env };
+    const proxyPort = config.proxy.interceptHttps ? config.proxy.port + 1 : config.proxy.port;
+    const proxyScheme = config.proxy.interceptHttps ? 'https' : 'http';
+    const proxyUrl = `${proxyScheme}://127.0.0.1:${proxyPort}`;
+    if (config.proxy.enabled) {
+        const providerEnvKeys = {
+            openai: ['OPENAI_BASE_URL', 'OPENAI_API_BASE'],
+            anthropic: ['ANTHROPIC_BASE_URL'],
+            'google-gemini': ['GOOGLE_GEMINI_BASE_URL'],
+            together: ['TOGETHER_BASE_URL'],
+            deepseek: ['DEEPSEEK_BASE_URL'],
+            groq: ['GROQ_BASE_URL'],
+            mistral: ['MISTRAL_BASE_URL'],
+            cohere: ['COHERE_BASE_URL'],
+            openrouter: ['OPENROUTER_BASE_URL'],
+            replicate: ['REPLICATE_BASE_URL'],
+        };
+        for (const id of Object.keys(types_1.KNOWN_PROVIDERS)) {
+            const vars = providerEnvKeys[id] ?? [`${id.toUpperCase().replace(/-/g, '_')}_BASE_URL`];
+            for (const variable of vars)
+                env[variable] = proxyUrl;
+        }
+        env.LANGCHAIN_ENDPOINT = proxyUrl;
+        env.LITELLM_BASE_URL = proxyUrl;
+        env.AZURE_OPENAI_ENDPOINT = proxyUrl;
+        if (config.proxy.interceptHttps) {
+            if (dryRun) {
+                env.NODE_EXTRA_CA_CERTS = config.proxy.certPath;
+            }
+            else {
+                const certInfo = (0, cert_manager_1.ensureProxyCertificate)({ certPath: config.proxy.certPath, keyPath: config.proxy.keyPath });
+                env.NODE_EXTRA_CA_CERTS = certInfo.certPath;
+            }
+        }
+    }
+    for (const [key, value] of Object.entries(extraEnv))
+        env[key] = value;
+    return env;
+}
+function buildLinuxArgs(config, profile, request, env) {
+    const args = ['--scope', '--quiet'];
+    if (request.cwd)
+        args.push(`--working-directory=${request.cwd}`);
+    const properties = [
+        `Description=NeuroShield Sentry launch (${profile.name})`,
+        `MemoryMax=${parseMemoryBytes(profile.memoryMax || config.sandboxDefaults.memoryMax)}`,
+        `TasksMax=${profile.pidMax || config.sandboxDefaults.pidMax}`,
+        `CPUQuota=${cpuQuotaPercent(profile.cpuMax || config.sandboxDefaults.cpuMax)}`,
+        'NoNewPrivileges=yes',
+        'PrivateTmp=yes',
+        'PrivateDevices=yes',
+        'ProtectKernelTunables=yes',
+        'ProtectKernelModules=yes',
+        'ProtectControlGroups=yes',
+        'ProtectProc=invisible',
+        'RestrictSUIDSGID=yes',
+        'LockPersonality=yes',
+        'RestrictNamespaces=yes',
+        'SystemCallArchitectures=native',
+        'SystemCallErrorNumber=EPERM',
+    ];
+    if (profile.allowedSyscalls.length > 0) {
+        properties.push(`SystemCallFilter=${profile.allowedSyscalls.join(' ')}`);
+    }
+    if (profile.blockedCapabilities.length > 0) {
+        properties.push(`CapabilityBoundingSet=~${Array.from(new Set(profile.blockedCapabilities)).join(' ')}`);
+    }
+    const fsRules = normalizeFsRules(profile.fsRules, request.cwd);
+    for (const p of fsRules.readWrite)
+        properties.push(`ReadWritePaths=${p}`);
+    for (const p of fsRules.readOnly)
+        properties.push(`ReadOnlyPaths=${p}`);
+    for (const p of fsRules.inaccessible)
+        properties.push(`InaccessiblePaths=${p}`);
+    if (config.proxy.enabled) {
+        properties.push('IPAddressDeny=any');
+        properties.push('IPAddressAllow=127.0.0.1/32');
+        properties.push('IPAddressAllow=::1/128');
+    }
+    for (const property of properties)
+        args.push('--property', property);
+    for (const [key, value] of Object.entries(diffEnv(env))) {
+        args.push(`--setenv=${key}=${value}`);
+    }
+    args.push(...request.command);
+    return args;
+}
+function writeMacLauncherProfile(config, profile) {
+    const dir = path_1.default.join(config.sentry.stateDir, 'launcher');
+    fs_1.default.mkdirSync(dir, { recursive: true });
+    const profilePath = path_1.default.join(dir, `launch-${Date.now()}.sb`);
+    const lines = [
+        '(version 1)',
+        '(deny default)',
+        '(allow process*)',
+        '(allow sysctl-read)',
+        '(allow ipc-posix-sem* ipc-posix-shm*)',
+    ];
+    for (const rule of profile.fsRules) {
+        const root = sanitizeFsRoot(rule.path);
+        switch (rule.permissions) {
+            case 'rw':
+            case 'w':
+                lines.push(`(allow file-read* file-write* (subpath "${root}"))`);
+                break;
+            case 'rwx':
+                lines.push(`(allow file-read* file-write* file-exec* (subpath "${root}"))`);
+                break;
+            case 'rx':
+                lines.push(`(allow file-read* file-exec* (subpath "${root}"))`);
+                break;
+            case 'r':
+                lines.push(`(allow file-read* (subpath "${root}"))`);
+                break;
+            case 'none':
+                lines.push(`(deny file-read* file-write* file-exec* (subpath "${root}"))`);
+                break;
+        }
+    }
+    for (const rule of profile.networkRules) {
+        if (rule.action === 'allow') {
+            if (rule.host)
+                lines.push(`(allow network* (remote ip "${rule.host}"))`);
+            else
+                lines.push('(allow network*)');
+        }
+    }
+    fs_1.default.writeFileSync(profilePath, lines.join('\n') + '\n', 'utf8');
+    return profilePath;
+}
+function writeWindowsLauncherScript(config, profile, request, env) {
+    const dir = path_1.default.join(config.sentry.stateDir, 'launcher');
+    fs_1.default.mkdirSync(dir, { recursive: true });
+    const scriptPath = path_1.default.join(dir, `launch-${Date.now()}.ps1`);
+    const command = psQuote(request.command[0]);
+    const argList = request.command.slice(1).map(psQuote).join(', ');
+    const jobName = `NeuroShield_Sentry_Launch_${Date.now()}`;
+    const sandboxProfileRoot = path_1.default.join(dir, `profile-${Date.now()}`);
+    const sandboxHome = path_1.default.join(sandboxProfileRoot, 'home');
+    const sandboxAppData = path_1.default.join(sandboxProfileRoot, 'AppData', 'Roaming');
+    const sandboxLocalAppData = path_1.default.join(sandboxProfileRoot, 'AppData', 'Local');
+    fs_1.default.mkdirSync(path_1.default.join(sandboxHome, '.ssh'), { recursive: true });
+    fs_1.default.mkdirSync(path_1.default.join(sandboxHome, '.aws'), { recursive: true });
+    fs_1.default.mkdirSync(path_1.default.join(sandboxHome, '.config'), { recursive: true });
+    fs_1.default.mkdirSync(sandboxAppData, { recursive: true });
+    fs_1.default.mkdirSync(sandboxLocalAppData, { recursive: true });
+    const isolatedEnv = {
+        ...diffEnv(env),
+        HOME: sandboxHome,
+        USERPROFILE: sandboxHome,
+        HOMEDRIVE: path_1.default.parse(sandboxHome).root.replace(/\\$/, ''),
+        HOMEPATH: sandboxHome.slice(path_1.default.parse(sandboxHome).root.length - 1),
+        APPDATA: sandboxAppData,
+        LOCALAPPDATA: sandboxLocalAppData,
+    };
+    const envLines = Object.entries(isolatedEnv).map(([key, value]) => `$env:${key} = ${psQuote(value)}`).join('\n');
+    const cwdLine = request.cwd ? `Set-Location -LiteralPath ${psQuote(request.cwd)}` : '';
+    const script = `
+$ErrorActionPreference = 'Stop'
+${envLines}
+${cwdLine}
+Add-Type -Namespace NeuroShield -Name JobObj -MemberDefinition @'
+[DllImport("kernel32.dll", CharSet=CharSet.Unicode, SetLastError=true)]
+public static extern IntPtr CreateJobObject(IntPtr a, string lpName);
+[DllImport("kernel32.dll", SetLastError=true)]
+public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr proc);
+[DllImport("kernel32.dll", SetLastError=true)]
+public static extern bool SetInformationJobObject(IntPtr hJob, int infoClass, IntPtr lpJobObjectInfo, uint cbJobObjectInfoLength);
+[DllImport("kernel32.dll", SetLastError=true)]
+public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
+'@
+
+$proc = Start-Process -FilePath ${command} -ArgumentList @(${argList}) -PassThru -NoNewWindow
+$allowRuleName = "NeuroShield Allow Loopback $($proc.Id)"
+$blockRuleName = "NeuroShield Block Remote $($proc.Id)"
+$procPath = $proc.Path
+if (-not $procPath) { throw "Could not resolve launched process path" }
+New-NetFirewallRule -DisplayName $allowRuleName -Direction Outbound -Program $procPath -Action Allow -RemoteAddress 127.0.0.1,::1 | Out-Null
+New-NetFirewallRule -DisplayName $blockRuleName -Direction Outbound -Program $procPath -Action Block -RemoteAddress Any | Out-Null
+$job = [NeuroShield.JobObj]::CreateJobObject([IntPtr]::Zero, ${psQuote(jobName)})
+if ($job -eq [IntPtr]::Zero) { throw "CreateJobObject failed" }
+$size = 144
+$ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($size)
+[System.Runtime.InteropServices.Marshal]::WriteInt32($ptr, 0x18, [int](0x2000 -bor 0x8 -bor 0x200))
+[System.Runtime.InteropServices.Marshal]::WriteInt32($ptr, 0x40, ${profile.pidMax || config.sandboxDefaults.pidMax})
+[System.Runtime.InteropServices.Marshal]::WriteInt64($ptr, 0x60, [int64]${parseMemoryBytes(profile.memoryMax || config.sandboxDefaults.memoryMax)})
+$ok = [NeuroShield.JobObj]::SetInformationJobObject($job, 9, $ptr, [uint32]$size)
+[System.Runtime.InteropServices.Marshal]::FreeHGlobal($ptr)
+if (-not $ok) { throw "SetInformationJobObject failed" }
+$ph = [NeuroShield.JobObj]::OpenProcess(0x101, $false, [uint32]$proc.Id)
+if ($ph -eq [IntPtr]::Zero) { throw "OpenProcess failed" }
+$assigned = [NeuroShield.JobObj]::AssignProcessToJobObject($job, $ph)
+if (-not $assigned) { throw "AssignProcessToJobObject failed" }
+$exitCode = 1
+try {
+  $proc.WaitForExit()
+  $exitCode = $proc.ExitCode
+} finally {
+  Get-NetFirewallRule -DisplayName $allowRuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule -ErrorAction SilentlyContinue
+  Get-NetFirewallRule -DisplayName $blockRuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule -ErrorAction SilentlyContinue
+}
+exit $exitCode
+`.trim();
+    fs_1.default.writeFileSync(scriptPath, script, 'utf8');
+    return scriptPath;
+}
+function normalizeFsRules(rules, cwd) {
+    const readWrite = new Set();
+    const readOnly = new Set();
+    const inaccessible = new Set();
+    for (const rule of rules) {
+        const root = sanitizeFsRoot(rule.path);
+        if (!root)
+            continue;
+        if (rule.permissions === 'none')
+            inaccessible.add(root);
+        else if (rule.permissions.includes('w'))
+            readWrite.add(root);
+        else
+            readOnly.add(root);
+    }
+    if (cwd)
+        readWrite.add(cwd);
+    return {
+        readWrite: Array.from(readWrite),
+        readOnly: Array.from(readOnly),
+        inaccessible: Array.from(inaccessible),
+    };
+}
+function sanitizeFsRoot(input) {
+    return input.replace(/\*\*.*$/, '').replace(/\/$/, '') || '/';
+}
+function parseMemoryBytes(value) {
+    const match = value.match(/^(\d+)(GB|MB|KB|B)?$/i);
+    if (!match)
+        return 512 * 1024 * 1024;
+    const amount = parseInt(match[1], 10);
+    switch ((match[2] || 'B').toUpperCase()) {
+        case 'GB': return amount * 1024 * 1024 * 1024;
+        case 'MB': return amount * 1024 * 1024;
+        case 'KB': return amount * 1024;
+        default: return amount;
+    }
+}
+function cpuQuotaPercent(value) {
+    const numeric = Number.parseFloat(value);
+    if (!Number.isFinite(numeric) || numeric <= 0)
+        return '50%';
+    return `${Math.max(1, Math.round(numeric * 100))}%`;
+}
+function commandExists(name) {
+    const suffixes = process.platform === 'win32' && !name.endsWith('.exe') ? [name, `${name}.exe`] : [name];
+    for (const candidate of suffixes) {
+        const pathEnv = process.env.PATH ?? '';
+        for (const dir of pathEnv.split(path_1.default.delimiter)) {
+            if (!dir)
+                continue;
+            const target = path_1.default.join(dir, candidate);
+            try {
+                fs_1.default.accessSync(target, fs_1.default.constants.X_OK);
+                return true;
+            }
+            catch {
+                continue;
+            }
+        }
+    }
+    return false;
+}
+function diffEnv(env) {
+    const diff = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (process.env[key] !== value)
+            diff[key] = value;
+    }
+    return diff;
+}
+function shellQuote(value) {
+    return value.includes(' ') ? JSON.stringify(value) : value;
+}
+function psQuote(value) {
+    return `'${value.replace(/'/g, "''")}'`;
+}
+//# sourceMappingURL=launcher.js.map

package/dist/launcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"launcher.js","sourceRoot":"","sources":["../src/launcher.ts"],"names":[],"mappings":";;;;;AAqCA,gEAMC;AAED,oDAcC;AAED,0CA8EC;AAED,4CA4BC;AAED,4CAUC;AArLD,4CAAoB;AACpB,gDAAwB;AACxB,4CAAoB;AACpB,iDAAsC;AAEtC,uCAAmD;AACnD,uDAA8D;AAC9D,mCAA0D;AA8B1D,SAAgB,0BAA0B,CAAC,WAA8B,YAAE,CAAC,QAAQ,EAAuB;IACzG,OAAO;QACL,UAAU,EAAE,QAAQ,KAAK,OAAO,IAAI,aAAa,CAAC,aAAa,CAAC;QAChE,WAAW,EAAE,QAAQ,KAAK,QAAQ,IAAI,aAAa,CAAC,cAAc,CAAC;QACnE,UAAU,EAAE,QAAQ,KAAK,OAAO,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,IAAI,aAAa,CAAC,YAAY,CAAC,CAAC;KACrG,CAAC;AACJ,CAAC;AAED,SAAgB,oBAAoB,CAAC,OAAsB;IACzD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,MAAM,GAAG,IAAA,gCAAsB,EAAC,EAAE,CAAC,EAAE,IAAI,KAAK,OAAO,CAAC,WAAW;YACrE,CAAC,CAAC,IAAA,gCAAsB,EAAC,EAAE,CAAC;YAC5B,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;IAC5B,CAAC;IAED,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,OAAO,CAAC,WAAW,CAA+B,CAAC;QACrJ,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;IAChC,CAAC;IAED,OAAO,IAAA,gCAAsB,EAAC,OAAO,CAAC,WAAW,IAAI,EAAE,CAAC,IAAI,OAAO,CAAC,SAAS,CAAC,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAiB,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC;AACtK,CAAC;AAED,SAAgB,eAAe,CAC7B,MAAoB,EACpB,OAAsB,EACtB,WAA8B,YAAE,CAAC,QAAQ,EAAuB,EAChE,eAAqC,0BAA0B,CAAC,QAAQ,CAAC;IAEzE,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;IACxD,CAAC;IAED,MAAM,OAAO,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;IAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAClD,CAAC;IAED,MAAM,cAAc,GAAa,EAAE,CAAC;IACpC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,MAAM,GAAG,GAAG,sBAAsB,CAAC,MAAM,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACrF,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAExB,IAAI,QAAQ,KAAK,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,CAAC;QACpD,OAAO;YACL,QAAQ;YACR,UAAU,EAAE,aAAa;YACzB,IAAI,EAAE,cAAc,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC;YACnD,GAAG;YACH,GAAG;YACH,KAAK;YACL,OAAO;YACP,cAAc;SACf,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,KAAK,QAAQ,IAAI,YAAY,CAAC,WAAW,EAAE,CAAC;QACtD,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM;YAChC,CAAC,CAAC,cAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,mBAAmB,CAAC;YACpE,CAAC,CAAC,uBAAuB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC7C,cAAc,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACjC,OAAO;YACL,QAAQ;YACR,UAAU,EAAE,cAAc;YAC1B,IAAI,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC,OAAO,CAAC;YAC7C,GAAG;YACH,GAAG;YACH,KAAK;YACL,OAAO;YACP,cAAc;SACf,CAAC;IACJ,CAAC;IAED,IAAI,QAAQ,KAAK,OAAO,IAAI,YAAY,CAAC,UAAU,EAAE,CAAC;QACpD,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM;YAC/B,CAAC,CAAC,cAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,EAAE,oBAAoB,CAAC;YACrE,CAAC,CAAC,0BAA0B,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;QAC9D,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAChC,OAAO;YACL,QAAQ;YACR,UAAU,EAAE,aAAa,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC,YAAY;YAC7E,IAAI,EAAE,CAAC,YAAY,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,CAAC;YAC1F,GAAG;YACH,GAAG;YACH,KAAK;YACL,OAAO;YACP,cAAc;SACf,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,gFAAgF,CAAC,CAAC;IAC7F,OAAO;QACL,QAAQ;QACR,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;QAC9B,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9B,GAAG;QACH,GAAG;QACH,KAAK;QACL,OAAO;QACP,cAAc;KACf,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,gBAAgB,CACpC,MAAoB,EACpB,OAAsB,EACtB,WAA8B,YAAE,CAAC,QAAQ,EAAuB,EAChE,eAAqC,0BAA0B,CAAC,QAAQ,CAAC;IAEzE,MAAM,IAAI,GAAG,eAAe,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,CAAC,CAAC;IAEtE,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,CAAC;IACX,CAAC;IAED,OAAO,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC7C,MAAM,KAAK,GAAG,IAAA,qBAAK,EAAC,IAAI,CAAC,UAAU,EAAE,IAAI,CAAC,IAAI,EAAE;YAC9C,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,KAAK,EAAE,SAAS;SACjB,CAAC,CAAC;QACH,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE;YAClC,IAAI,MAAM,EAAE,CAAC;gBACX,OAAO,CAAC,CAAC,CAAC,CAAC;gBACX,OAAO;YACT,CAAC;YACD,OAAO,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,gBAAgB,CAAC,IAAgB;IAC/C,OAAO;QACL,aAAa,IAAI,CAAC,QAAQ,EAAE;QAC5B,YAAY,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE;QAC/B,eAAe,IAAI,CAAC,UAAU,EAAE;QAChC,SAAS,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE;QAC9C,kBAAkB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE;QAChD,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC3F,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;KACvE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,sBAAsB,CAAC,MAAoB,EAAE,QAAgC,EAAE,MAAe;IACrG,MAAM,GAAG,GAA2B,EAAE,GAAG,OAAO,CAAC,GAAG,EAA4B,CAAC;IACjF,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;IAC1F,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;IACnE,MAAM,QAAQ,GAAG,GAAG,WAAW,gBAAgB,SAAS,EAAE,CAAC;IAE3D,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACzB,MAAM,eAAe,GAA6B;YAChD,MAAM,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,CAAC;YAC9C,SAAS,EAAE,CAAC,oBAAoB,CAAC;YACjC,eAAe,EAAE,CAAC,wBAAwB,CAAC;YAC3C,QAAQ,EAAE,CAAC,mBAAmB,CAAC;YAC/B,QAAQ,EAAE,CAAC,mBAAmB,CAAC;YAC/B,IAAI,EAAE,CAAC,eAAe,CAAC;YACvB,OAAO,EAAE,CAAC,kBAAkB,CAAC;YAC7B,MAAM,EAAE,CAAC,iBAAiB,CAAC;YAC3B,UAAU,EAAE,CAAC,qBAAqB,CAAC;YACnC,SAAS,EAAE,CAAC,oBAAoB,CAAC;SAClC,CAAC;QAEF,KAAK,MAAM,EAAE,IAAI,MAAM,CAAC,IAAI,CAAC,uBAAe,CAAC,EAAE,CAAC;YAC9C,MAAM,IAAI,GAAG,eAAe,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,CAAC;YACxF,KAAK,MAAM,QAAQ,IAAI,IAAI;gBAAE,GAAG,CAAC,QAAQ,CAAC,GAAG,QAAQ,CAAC;QACxD,CAAC;QAED,GAAG,CAAC,kBAAkB,GAAG,QAAQ,CAAC;QAClC,GAAG,CAAC,gBAAgB,GAAG,QAAQ,CAAC;QAChC,GAAG,CAAC,qBAAqB,GAAG,QAAQ,CAAC;QAErC,IAAI,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAChC,IAAI,MAAM,EAAE,CAAC;gBACX,GAAG,CAAC,mBAAmB,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC;YAClD,CAAC;iBAAM,CAAC;gBACN,MAAM,QAAQ,GAAG,IAAA,qCAAsB,EAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBAC5G,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC,QAAQ,CAAC;YAC9C,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;QAAE,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CAAC,MAAoB,EAAE,OAAuB,EAAE,OAAsB,EAAE,GAA2B;IACxH,MAAM,IAAI,GAAG,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;IACpC,IAAI,OAAO,CAAC,GAAG;QAAE,IAAI,CAAC,IAAI,CAAC,uBAAuB,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IAEjE,MAAM,UAAU,GAAG;QACjB,0CAA0C,OAAO,CAAC,IAAI,GAAG;QACzD,aAAa,gBAAgB,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC,EAAE;QACtF,YAAY,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,EAAE;QAC7D,YAAY,eAAe,CAAC,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE;QAC9E,qBAAqB;QACrB,gBAAgB;QAChB,oBAAoB;QACpB,2BAA2B;QAC3B,0BAA0B;QAC1B,0BAA0B;QAC1B,uBAAuB;QACvB,sBAAsB;QACtB,qBAAqB;QACrB,wBAAwB;QACxB,gCAAgC;QAChC,6BAA6B;KAC9B,CAAC;IAEF,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,UAAU,CAAC,IAAI,CAAC,oBAAoB,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,IAAI,OAAO,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC3C,UAAU,CAAC,IAAI,CAAC,0BAA0B,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1G,CAAC;IAED,MAAM,OAAO,GAAG,gBAAgB,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/D,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,SAAS;QAAE,UAAU,CAAC,IAAI,CAAC,kBAAkB,CAAC,EAAE,CAAC,CAAC;IAC1E,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ;QAAE,UAAU,CAAC,IAAI,CAAC,iBAAiB,CAAC,EAAE,CAAC,CAAC;IACxE,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,YAAY;QAAE,UAAU,CAAC,IAAI,CAAC,qBAAqB,CAAC,EAAE,CAAC,CAAC;IAEhF,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;QACzB,UAAU,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;QACrC,UAAU,CAAC,IAAI,CAAC,6BAA6B,CAAC,CAAC;QAC/C,UAAU,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAC5C,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,UAAU;QAAE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,QAAQ,CAAC,CAAC;IAErE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QACxD,IAAI,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,KAAK,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;IAC9B,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,uBAAuB,CAAC,MAAoB,EAAE,OAAuB;IAC5E,MAAM,GAAG,GAAG,cAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC1D,YAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;IAC9D,MAAM,KAAK,GAAa;QACtB,aAAa;QACb,gBAAgB;QAChB,kBAAkB;QAClB,qBAAqB;QACrB,uCAAuC;KACxC,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACnC,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;YACzB,KAAK,IAAI,CAAC;YACV,KAAK,GAAG;gBACN,KAAK,CAAC,IAAI,CAAC,2CAA2C,IAAI,KAAK,CAAC,CAAC;gBACjE,MAAM;YACR,KAAK,KAAK;gBACR,KAAK,CAAC,IAAI,CAAC,sDAAsD,IAAI,KAAK,CAAC,CAAC;gBAC5E,MAAM;YACR,KAAK,IAAI;gBACP,KAAK,CAAC,IAAI,CAAC,0CAA0C,IAAI,KAAK,CAAC,CAAC;gBAChE,MAAM;YACR,KAAK,GAAG;gBACN,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,KAAK,CAAC,CAAC;gBACrD,MAAM;YACR,KAAK,MAAM;gBACT,KAAK,CAAC,IAAI,CAAC,qDAAqD,IAAI,KAAK,CAAC,CAAC;gBAC3E,MAAM;QACV,CAAC;IACH,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;YAC5B,IAAI,IAAI,CAAC,IAAI;gBAAE,KAAK,CAAC,IAAI,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC;;gBACpE,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACtC,CAAC;IACH,CAAC;IAED,YAAE,CAAC,aAAa,CAAC,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/D,OAAO,WAAW,CAAC;AACrB,CAAC;AAED,SAAS,0BAA0B,CAAC,MAAoB,EAAE,OAAuB,EAAE,OAAsB,EAAE,GAA2B;IACpI,MAAM,GAAG,GAAG,cAAI,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC1D,YAAE,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACvC,MAAM,UAAU,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,6BAA6B,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;IAC1D,MAAM,kBAAkB,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,WAAW,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IACnE,MAAM,WAAW,GAAG,cAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC,CAAC;IAC1D,MAAM,cAAc,GAAG,cAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAC3E,MAAM,mBAAmB,GAAG,cAAI,CAAC,IAAI,CAAC,kBAAkB,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAC9E,YAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClE,YAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClE,YAAE,CAAC,SAAS,CAAC,cAAI,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACrE,YAAE,CAAC,SAAS,CAAC,cAAc,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,YAAE,CAAC,SAAS,CAAC,mBAAmB,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEvD,MAAM,WAAW,GAAG;QAClB,GAAG,OAAO,CAAC,GAAG,CAAC;QACf,IAAI,EAAE,WAAW;QACjB,WAAW,EAAE,WAAW;QACxB,SAAS,EAAE,cAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QAC1D,QAAQ,EAAE,WAAW,CAAC,KAAK,CAAC,cAAI,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC;QACpE,OAAO,EAAE,cAAc;QACvB,YAAY,EAAE,mBAAmB;KAClC,CAAC;IACF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,QAAQ,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjH,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACvF,MAAM,MAAM,GAAG;;EAEf,QAAQ;EACR,OAAO;;;;;;;;;;;;kCAYyB,OAAO,oBAAoB,OAAO;;;;;;;+DAOL,OAAO,CAAC,OAAO,CAAC;;;;;mEAKZ,OAAO,CAAC,MAAM,IAAI,MAAM,CAAC,eAAe,CAAC,MAAM;0EACxC,gBAAgB,CAAC,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,eAAe,CAAC,SAAS,CAAC;;;;;;;;;;;;;;;;;CAiBhJ,CAAC,IAAI,EAAE,CAAC;IACP,YAAE,CAAC,aAAa,CAAC,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAgC,EAAE,GAAY;IACtE,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAC;IAEvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI;YAAE,SAAS;QACpB,IAAI,IAAI,CAAC,WAAW,KAAK,MAAM;YAAE,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;aACnD,IAAI,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;;YACxD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,GAAG;QAAE,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC5B,OAAO;QACL,SAAS,EAAE,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;QAChC,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC;QAC9B,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;KACvC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CAAC,KAAa;IACnC,OAAO,KAAK,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,GAAG,CAAC;AAChE,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC;IACnD,IAAI,CAAC,KAAK;QAAE,OAAO,GAAG,GAAG,IAAI,GAAG,IAAI,CAAC;IACrC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACtC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC;QACxC,KAAK,IAAI,CAAC,CAAC,OAAO,MAAM,GAAG,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;QAC9C,KAAK,IAAI,CAAC,CAAC,OAAO,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC;QACvC,KAAK,IAAI,CAAC,CAAC,OAAO,MAAM,GAAG,IAAI,CAAC;QAChC,OAAO,CAAC,CAAC,OAAO,MAAM,CAAC;IACzB,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,MAAM,OAAO,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IACzC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,OAAO,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5D,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC;AACtD,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,IAAI,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;IACzG,KAAK,MAAM,SAAS,IAAI,QAAQ,EAAE,CAAC;QACjC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;QACvC,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,KAAK,CAAC,cAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YAChD,IAAI,CAAC,GAAG;gBAAE,SAAS;YACnB,MAAM,MAAM,GAAG,cAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;YACzC,IAAI,CAAC;gBACH,YAAE,CAAC,UAAU,CAAC,MAAM,EAAE,YAAE,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBACzC,OAAO,IAAI,CAAC;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,SAAS;YACX,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,OAAO,CAAC,GAA2B;IAC1C,MAAM,IAAI,GAA2B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,IAAI,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK;YAAE,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACpD,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;AAC7D,CAAC;AAED,SAAS,OAAO,CAAC,KAAa;IAC5B,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC1C,CAAC"}

package/dist/launcher.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=launcher.test.d.ts.map

package/dist/launcher.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"launcher.test.d.ts","sourceRoot":"","sources":["../src/launcher.test.ts"],"names":[],"mappings":""}

package/dist/launcher.test.js

@@ -0,0 +1,109 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs_1 = __importDefault(require("fs"));
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const vitest_1 = require("vitest");
+vitest_1.vi.mock('./proxy/cert-manager', () => ({
+    ensureProxyCertificate: vitest_1.vi.fn(() => ({
+        certPath: '/tmp/neuroshield-test-cert.pem',
+        keyPath: '/tmp/neuroshield-test-key.pem',
+        generated: false,
+        fingerprintSha256: 'ABCDEF',
+        notAfter: 'tomorrow',
+    })),
+}));
+const launcher_1 = require("./launcher");
+function makeConfig() {
+    const stateDir = fs_1.default.mkdtempSync(path_1.default.join(os_1.default.tmpdir(), 'sentry-launch-'));
+    return {
+        sentry: {
+            hostId: 'host-1',
+            version: '1.0.0',
+            healthPort: 9190,
+            apiPort: 9191,
+            stateDir,
+            pidFilePath: path_1.default.join(stateDir, 'sentry.pid'),
+        },
+        neurosec: {
+            endpoint: 'https://sentry.neurosec.ai',
+            orgId: 'org-1',
+            tokenPath: path_1.default.join(stateDir, 'token'),
+            tlsCert: '',
+            tlsKey: '',
+            caBundlePath: '',
+            pinnedFingerprintSha256: '',
+            allowInsecureTls: false,
+            syncIntervalMs: 30000,
+            heartbeatIntervalMs: 300000,
+        },
+        enforcement: {
+            mode: 'enforce',
+            sandboxEnabled: true,
+            syscallFilterEnabled: true,
+            networkFilterEnabled: true,
+            filesystemFilterEnabled: true,
+        },
+        sandboxDefaults: { cpuMax: '0.5', memoryMax: '512MB', pidMax: 100 },
+        network: { allowHosts: ['api.openai.com:443'], blockHosts: [], allowPrivate: false, dnsMonitorEnabled: true },
+        skillAuthz: { enabled: true, allowUnknown: false, requireApproval: [] },
+        audit: { logPath: path_1.default.join(stateDir, 'audit.log'), retentionDays: 90, maxSizeMb: 500 },
+        discovery: { intervalMs: 30000, sourcePaths: ['/workspace'] },
+        proxy: {
+            enabled: true,
+            port: 9081,
+            bindAddress: '127.0.0.1',
+            upstreamTimeoutMs: 120000,
+            maxBufferSizeMb: 10,
+            interceptHttps: true,
+            certPath: path_1.default.join(stateDir, 'proxy-cert.pem'),
+            keyPath: path_1.default.join(stateDir, 'proxy-key.pem'),
+            allowedProviders: ['*'],
+            blockLocalModels: false,
+        },
+        redirect: { enabled: true, strategy: 'both', preserveOriginalKey: true, injectOnDiscover: true },
+    };
+}
+(0, vitest_1.describe)('Sentry launcher', () => {
+    let config;
+    (0, vitest_1.beforeEach)(() => {
+        config = makeConfig();
+    });
+    (0, vitest_1.it)('builds a Linux systemd-run plan with seccomp/resource properties and proxy env', () => {
+        const plan = (0, launcher_1.buildLaunchPlan)(config, { frameworkId: 'codex', command: ['node', 'agent.js'], cwd: '/workspace' }, 'linux', { systemdRun: true, sandboxExec: false, powershell: false });
+        (0, vitest_1.expect)(plan.executable).toBe('systemd-run');
+        (0, vitest_1.expect)(plan.args).toContain('--property');
+        (0, vitest_1.expect)(plan.args.join(' ')).toContain('SystemCallFilter=');
+        (0, vitest_1.expect)(plan.args.join(' ')).toContain('IPAddressDeny=any');
+        (0, vitest_1.expect)(plan.args.join(' ')).toContain('--setenv=OPENAI_BASE_URL=https://127.0.0.1:9082');
+        (0, vitest_1.expect)(plan.args.join(' ')).toContain('--setenv=NODE_EXTRA_CA_CERTS=/tmp/neuroshield-test-cert.pem');
+    });
+    (0, vitest_1.it)('builds a macOS sandbox-exec plan and writes a profile', () => {
+        const plan = (0, launcher_1.buildLaunchPlan)(config, { frameworkId: 'claude-code', command: ['node', 'agent.js'] }, 'darwin', { systemdRun: false, sandboxExec: true, powershell: false });
+        (0, vitest_1.expect)(plan.executable).toBe('sandbox-exec');
+        (0, vitest_1.expect)(plan.args[0]).toBe('-f');
+        (0, vitest_1.expect)(plan.generatedFiles).toHaveLength(1);
+        (0, vitest_1.expect)(fs_1.default.existsSync(plan.generatedFiles[0])).toBe(true);
+    });
+    (0, vitest_1.it)('falls back to direct spawn when no platform launcher exists', () => {
+        const plan = (0, launcher_1.buildLaunchPlan)(config, { frameworkId: 'unknown-agent', command: ['node', 'agent.js'] }, 'linux', { systemdRun: false, sandboxExec: false, powershell: false });
+        (0, vitest_1.expect)(plan.executable).toBe('node');
+        (0, vitest_1.expect)(plan.notes[0]).toMatch(/falling back/i);
+        (0, vitest_1.expect)(plan.env.OPENAI_BASE_URL).toBe('https://127.0.0.1:9082');
+    });
+    (0, vitest_1.it)('builds a Windows launcher script with loopback-only egress and isolated profile env', () => {
+        const plan = (0, launcher_1.buildLaunchPlan)(config, { frameworkId: 'claude-code', command: ['node', 'agent.js'] }, 'win32', { systemdRun: false, sandboxExec: false, powershell: true });
+        (0, vitest_1.expect)(plan.executable).toMatch(/^powershell(?:\.exe)?$/);
+        (0, vitest_1.expect)(plan.generatedFiles).toHaveLength(1);
+        const script = fs_1.default.readFileSync(plan.generatedFiles[0], 'utf8');
+        (0, vitest_1.expect)(script).toContain('New-NetFirewallRule -DisplayName $allowRuleName');
+        (0, vitest_1.expect)(script).toContain('New-NetFirewallRule -DisplayName $blockRuleName');
+        (0, vitest_1.expect)(script).toContain('$env:USERPROFILE = ');
+        (0, vitest_1.expect)(script).toContain('$env:APPDATA = ');
+        (0, vitest_1.expect)(script).toContain('$env:HOME = ');
+    });
+});
+//# sourceMappingURL=launcher.test.js.map

package/dist/launcher.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"launcher.test.js","sourceRoot":"","sources":["../src/launcher.test.ts"],"names":[],"mappings":";;;;;AAAA,4CAAoB;AACpB,4CAAoB;AACpB,gDAAwB;AACxB,mCAA8D;AAE9D,WAAE,CAAC,IAAI,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAAC,CAAC;IACrC,sBAAsB,EAAE,WAAE,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;QACnC,QAAQ,EAAE,gCAAgC;QAC1C,OAAO,EAAE,+BAA+B;QACxC,SAAS,EAAE,KAAK;QAChB,iBAAiB,EAAE,QAAQ;QAC3B,QAAQ,EAAE,UAAU;KACrB,CAAC,CAAC;CACJ,CAAC,CAAC,CAAC;AAEJ,yCAA6C;AAG7C,SAAS,UAAU;IACjB,MAAM,QAAQ,GAAG,YAAE,CAAC,WAAW,CAAC,cAAI,CAAC,IAAI,CAAC,YAAE,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;IAC1E,OAAO;QACL,MAAM,EAAE;YACN,MAAM,EAAE,QAAQ;YAChB,OAAO,EAAE,OAAO;YAChB,UAAU,EAAE,IAAI;YAChB,OAAO,EAAE,IAAI;YACb,QAAQ;YACR,WAAW,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC;SAC/C;QACD,QAAQ,EAAE;YACR,QAAQ,EAAE,4BAA4B;YACtC,KAAK,EAAE,OAAO;YACd,SAAS,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC;YACvC,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,EAAE;YACV,YAAY,EAAE,EAAE;YAChB,uBAAuB,EAAE,EAAE;YAC3B,gBAAgB,EAAE,KAAK;YACvB,cAAc,EAAE,KAAK;YACrB,mBAAmB,EAAE,MAAM;SAC5B;QACD,WAAW,EAAE;YACX,IAAI,EAAE,SAAS;YACf,cAAc,EAAE,IAAI;YACpB,oBAAoB,EAAE,IAAI;YAC1B,oBAAoB,EAAE,IAAI;YAC1B,uBAAuB,EAAE,IAAI;SAC9B;QACD,eAAe,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE;QACnE,OAAO,EAAE,EAAE,UAAU,EAAE,CAAC,oBAAoB,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,IAAI,EAAE;QAC7G,UAAU,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,EAAE,EAAE;QACvE,KAAK,EAAE,EAAE,OAAO,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE;QACvF,SAAS,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,YAAY,CAAC,EAAE;QAC7D,KAAK,EAAE;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,IAAI;YACV,WAAW,EAAE,WAAW;YACxB,iBAAiB,EAAE,MAAM;YACzB,eAAe,EAAE,EAAE;YACnB,cAAc,EAAE,IAAI;YACpB,QAAQ,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,gBAAgB,CAAC;YAC/C,OAAO,EAAE,cAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,eAAe,CAAC;YAC7C,gBAAgB,EAAE,CAAC,GAAG,CAAC;YACvB,gBAAgB,EAAE,KAAK;SACxB;QACD,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,mBAAmB,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE;KACjG,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,IAAI,MAAoB,CAAC;IAEzB,IAAA,mBAAU,EAAC,GAAG,EAAE;QACd,MAAM,GAAG,UAAU,EAAE,CAAC;IACxB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gFAAgF,EAAE,GAAG,EAAE;QACxF,MAAM,IAAI,GAAG,IAAA,0BAAe,EAC1B,MAAM,EACN,EAAE,WAAW,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,EAC1E,OAAO,EACP,EAAE,UAAU,EAAE,IAAI,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAC5D,CAAC;QAEF,IAAA,eAAM,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC3D,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC3D,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,iDAAiD,CAAC,CAAC;QACzF,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,6DAA6D,CAAC,CAAC;IACvG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,IAAI,GAAG,IAAA,0BAAe,EAC1B,MAAM,EACN,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,EAC7D,QAAQ,EACR,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,CAC5D,CAAC;QAEF,IAAA,eAAM,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QAC7C,IAAA,eAAM,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,IAAA,eAAM,EAAC,IAAI,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,YAAE,CAAC,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6DAA6D,EAAE,GAAG,EAAE;QACrE,MAAM,IAAI,GAAG,IAAA,0BAAe,EAC1B,MAAM,EACN,EAAE,WAAW,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,EAC/D,OAAO,EACP,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,EAAE,CAC7D,CAAC;QAEF,IAAA,eAAM,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACrC,IAAA,eAAM,EAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;QAC/C,IAAA,eAAM,EAAC,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qFAAqF,EAAE,GAAG,EAAE;QAC7F,MAAM,IAAI,GAAG,IAAA,0BAAe,EAC1B,MAAM,EACN,EAAE,WAAW,EAAE,aAAa,EAAE,OAAO,EAAE,CAAC,MAAM,EAAE,UAAU,CAAC,EAAE,EAC7D,OAAO,EACP,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,CAC5D,CAAC;QAEF,IAAA,eAAM,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC1D,IAAA,eAAM,EAAC,IAAI,CAAC,cAAc,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC5C,MAAM,MAAM,GAAG,YAAE,CAAC,YAAY,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;QAC/D,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,SAAS,CAAC,iDAAiD,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,SAAS,CAAC,iDAAiD,CAAC,CAAC;QAC5E,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,SAAS,CAAC,qBAAqB,CAAC,CAAC;QAChD,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,MAAM,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/proxy/cert-manager.d.ts

@@ -0,0 +1,24 @@
+export interface CertProvisionResult {
+    certPath: string;
+    keyPath: string;
+    generated: boolean;
+    fingerprintSha256: string;
+    notAfter: string;
+}
+export interface CertProvisionOptions {
+    certPath: string;
+    keyPath: string;
+    /** Extra Subject Alternative Names to add (DNS:* form is auto-applied). */
+    extraSans?: string[];
+    /** Days the generated cert is valid. */
+    validityDays?: number;
+}
+/**
+ * Ensure a usable cert/key pair exists. Returns the paths plus a SHA-256
+ * fingerprint suitable for client-side pinning.
+ *
+ * Idempotent: if files already exist AND parse as a valid cert, leaves them
+ * alone. Otherwise generates a new self-signed cert via openssl.
+ */
+export declare function ensureProxyCertificate(opts: CertProvisionOptions): CertProvisionResult;
+//# sourceMappingURL=cert-manager.d.ts.map

package/dist/proxy/cert-manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cert-manager.d.ts","sourceRoot":"","sources":["../../src/proxy/cert-manager.ts"],"names":[],"mappings":"AAoCA,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,oBAAoB;IACnC,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,oBAAoB,GAAG,mBAAmB,CAkDtF"}