@pan-sec/notebooklm-mcp 1.4.0

package/dist/utils/secure-memory.js

@@ -0,0 +1,279 @@
+/**
+ * Secure Memory Utilities for NotebookLM MCP Server
+ *
+ * Provides secure handling of sensitive data in memory:
+ * - Zero-fill buffers and strings after use
+ * - Secure string class that auto-wipes
+ * - Memory-safe credential handling
+ *
+ * Why this matters:
+ * - Prevents memory dump attacks
+ * - Reduces credential exposure window
+ * - Mitigates cold boot attacks
+ *
+ * Added by Pantheon Security for hardened fork.
+ */
+import crypto from "crypto";
+/**
+ * Securely zero-fill a Buffer
+ * Uses crypto.randomFill first to prevent compiler optimization removal
+ */
+export function zeroBuffer(buffer) {
+    if (!buffer || buffer.length === 0)
+        return;
+    // First overwrite with random data (prevents optimization removal)
+    crypto.randomFillSync(buffer);
+    // Then zero fill
+    buffer.fill(0);
+}
+/**
+ * Securely zero-fill a Uint8Array
+ */
+export function zeroUint8Array(arr) {
+    if (!arr || arr.length === 0)
+        return;
+    // Overwrite with random then zero
+    crypto.randomFillSync(arr);
+    arr.fill(0);
+}
+/**
+ * Create a secure string that can be wiped
+ * Note: JavaScript strings are immutable, so we use a Buffer internally
+ */
+export class SecureString {
+    buffer;
+    wiped = false;
+    constructor(value) {
+        this.buffer = Buffer.from(value, "utf-8");
+    }
+    /**
+     * Get the string value (creates new string each time)
+     */
+    toString() {
+        if (this.wiped) {
+            throw new Error("SecureString has been wiped");
+        }
+        return this.buffer.toString("utf-8");
+    }
+    /**
+     * Get the underlying buffer (for crypto operations)
+     */
+    toBuffer() {
+        if (this.wiped) {
+            throw new Error("SecureString has been wiped");
+        }
+        return this.buffer;
+    }
+    /**
+     * Get length without exposing content
+     */
+    get length() {
+        return this.wiped ? 0 : this.buffer.length;
+    }
+    /**
+     * Securely wipe the string from memory
+     */
+    wipe() {
+        if (!this.wiped) {
+            zeroBuffer(this.buffer);
+            this.wiped = true;
+        }
+    }
+    /**
+     * Check if already wiped
+     */
+    isWiped() {
+        return this.wiped;
+    }
+}
+/**
+ * Secure credential holder with automatic wiping
+ */
+export class SecureCredential {
+    value;
+    createdAt;
+    maxAgeMs;
+    autoWipeTimer;
+    constructor(credential, maxAgeMs = 300000) {
+        this.value = new SecureString(credential);
+        this.createdAt = Date.now();
+        this.maxAgeMs = maxAgeMs;
+        // Auto-wipe after max age
+        this.autoWipeTimer = setTimeout(() => {
+            this.wipe();
+        }, maxAgeMs);
+    }
+    /**
+     * Get the credential value
+     */
+    getValue() {
+        if (this.isExpired()) {
+            this.wipe();
+            throw new Error("Credential has expired");
+        }
+        return this.value.toString();
+    }
+    /**
+     * Check if credential has expired
+     */
+    isExpired() {
+        return Date.now() - this.createdAt > this.maxAgeMs;
+    }
+    /**
+     * Get time remaining before auto-wipe (ms)
+     */
+    getTimeRemaining() {
+        const remaining = this.maxAgeMs - (Date.now() - this.createdAt);
+        return Math.max(0, remaining);
+    }
+    /**
+     * Securely wipe the credential
+     */
+    wipe() {
+        if (this.autoWipeTimer) {
+            clearTimeout(this.autoWipeTimer);
+            this.autoWipeTimer = undefined;
+        }
+        this.value.wipe();
+    }
+    /**
+     * Check if already wiped
+     */
+    isWiped() {
+        return this.value.isWiped();
+    }
+}
+/**
+ * Secure object that wipes all string/buffer properties on dispose
+ */
+export class SecureObject {
+    data;
+    disposed = false;
+    constructor(data) {
+        this.data = data;
+    }
+    /**
+     * Get a property value
+     */
+    get(key) {
+        if (this.disposed) {
+            throw new Error("SecureObject has been disposed");
+        }
+        return this.data[key];
+    }
+    /**
+     * Get all data (use carefully)
+     */
+    getData() {
+        if (this.disposed) {
+            throw new Error("SecureObject has been disposed");
+        }
+        return this.data;
+    }
+    /**
+     * Dispose and wipe all sensitive data
+     */
+    dispose() {
+        if (this.disposed)
+            return;
+        for (const key of Object.keys(this.data)) {
+            const value = this.data[key];
+            if (Buffer.isBuffer(value)) {
+                zeroBuffer(value);
+            }
+            else if (value instanceof Uint8Array) {
+                zeroUint8Array(value);
+            }
+            else if (value instanceof SecureString) {
+                value.wipe();
+            }
+            else if (value instanceof SecureCredential) {
+                value.wipe();
+            }
+            else if (typeof value === "string") {
+                // Can't truly wipe JS strings, but we can dereference
+                this.data[key] = "";
+            }
+        }
+        this.disposed = true;
+    }
+    /**
+     * Check if disposed
+     */
+    isDisposed() {
+        return this.disposed;
+    }
+}
+/**
+ * Execute a function with a secure credential, auto-wiping after use
+ */
+export async function withSecureCredential(credential, fn) {
+    const secureCred = new SecureCredential(credential);
+    try {
+        return await fn(secureCred);
+    }
+    finally {
+        secureCred.wipe();
+    }
+}
+/**
+ * Execute a function with a secure buffer, auto-wiping after use
+ */
+export async function withSecureBuffer(data, fn) {
+    try {
+        return await fn(data);
+    }
+    finally {
+        zeroBuffer(data);
+    }
+}
+/**
+ * Create a secure copy of a buffer that will be wiped on GC
+ * Uses FinalizationRegistry for automatic cleanup
+ */
+const bufferRegistry = new FinalizationRegistry((held) => {
+    zeroBuffer(held.buffer);
+});
+export function createSecureBuffer(arg, encoding) {
+    let buffer;
+    if (typeof arg === "number") {
+        buffer = Buffer.alloc(arg);
+    }
+    else {
+        buffer = Buffer.from(arg, encoding);
+    }
+    // Register for auto-cleanup on GC
+    // Note: holdings must be different from target
+    bufferRegistry.register(buffer, { buffer });
+    return buffer;
+}
+/**
+ * Secure comparison to prevent timing attacks
+ */
+export function secureCompare(a, b) {
+    const bufA = typeof a === "string" ? Buffer.from(a) : a;
+    const bufB = typeof b === "string" ? Buffer.from(b) : b;
+    if (bufA.length !== bufB.length) {
+        // Still do the comparison to maintain constant time
+        crypto.timingSafeEqual(bufA, Buffer.alloc(bufA.length));
+        return false;
+    }
+    return crypto.timingSafeEqual(bufA, bufB);
+}
+/**
+ * Generate a secure random string
+ */
+export function secureRandomString(length, encoding = "base64url") {
+    const bytes = Math.ceil(length * 0.75); // base64 expands ~33%
+    return crypto.randomBytes(bytes).toString(encoding).slice(0, length);
+}
+/**
+ * Mask sensitive data for logging (doesn't expose real length)
+ */
+export function maskSensitive(value, showChars = 4) {
+    if (!value || value.length <= showChars) {
+        return "****";
+    }
+    return value.slice(0, showChars) + "****";
+}
+//# sourceMappingURL=secure-memory.js.map

package/dist/utils/secure-memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secure-memory.js","sourceRoot":"","sources":["../../src/utils/secure-memory.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,MAAM,MAAM,QAAQ,CAAC;AAE5B;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAE3C,mEAAmE;IACnE,MAAM,CAAC,cAAc,CAAC,MAAM,CAAC,CAAC;IAC9B,iBAAiB;IACjB,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,GAAe;IAC5C,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAErC,kCAAkC;IAClC,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAC3B,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,OAAO,YAAY;IACf,MAAM,CAAS;IACf,KAAK,GAAY,KAAK,CAAC;IAE/B,YAAY,KAAa;QACvB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACvC,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,IAAI,MAAM;QACR,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;YAChB,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxB,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC;QACpB,CAAC;IACH,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,CAAC;IACpB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,gBAAgB;IACnB,KAAK,CAAe;IACpB,SAAS,CAAS;IAClB,QAAQ,CAAS;IACjB,aAAa,CAAkB;IAEvC,YAAY,UAAkB,EAAE,WAAmB,MAAM;QACvD,IAAI,CAAC,KAAK,GAAG,IAAI,YAAY,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;QAEzB,0BAA0B;QAC1B,IAAI,CAAC,aAAa,GAAG,UAAU,CAAC,GAAG,EAAE;YACnC,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,CAAC,EAAE,QAAQ,CAAC,CAAC;IACf,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,IAAI,IAAI,CAAC,SAAS,EAAE,EAAE,CAAC;YACrB,IAAI,CAAC,IAAI,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC;IAC/B,CAAC;IAED;;OAEG;IACH,SAAS;QACP,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,gBAAgB;QACd,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC;QAChE,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAChC,CAAC;IAED;;OAEG;IACH,IAAI;QACF,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YACjC,IAAI,CAAC,aAAa,GAAG,SAAS,CAAC;QACjC,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC;IAC9B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,YAAY;IACf,IAAI,CAAI;IACR,QAAQ,GAAY,KAAK,CAAC;IAElC,YAAY,IAAO;QACjB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,GAAG,CAAoB,GAAM;QAC3B,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO;QAE1B,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YACzC,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAE7B,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC3B,UAAU,CAAC,KAAK,CAAC,CAAC;YACpB,CAAC;iBAAM,IAAI,KAAK,YAAY,UAAU,EAAE,CAAC;gBACvC,cAAc,CAAC,KAAK,CAAC,CAAC;YACxB,CAAC;iBAAM,IAAI,KAAK,YAAY,YAAY,EAAE,CAAC;gBACzC,KAAK,CAAC,IAAI,EAAE,CAAC;YACf,CAAC;iBAAM,IAAI,KAAK,YAAY,gBAAgB,EAAE,CAAC;gBAC7C,KAAK,CAAC,IAAI,EAAE,CAAC;YACf,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACrC,sDAAsD;gBACrD,IAAI,CAAC,IAAgC,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YACnD,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC;IACvB,CAAC;IAED;;OAEG;IACH,UAAU;QACR,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,UAAkB,EAClB,EAA0C;IAE1C,MAAM,UAAU,GAAG,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC;IACpD,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,UAAU,CAAC,CAAC;IAC9B,CAAC;YAAS,CAAC;QACT,UAAU,CAAC,IAAI,EAAE,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAY,EACZ,EAAkC;IAElC,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;YAAS,CAAC;QACT,UAAU,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,cAAc,GAAG,IAAI,oBAAoB,CAAC,CAAC,IAAwB,EAAE,EAAE;IAC3E,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;AAC1B,CAAC,CAAC,CAAC;AAIH,MAAM,UAAU,kBAAkB,CAAC,GAAoB,EAAE,QAAyB;IAChF,IAAI,MAAc,CAAC;IAEnB,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;SAAM,CAAC;QACN,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,kCAAkC;IAClC,+CAA+C;IAC/C,cAAc,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAE5C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,CAAkB,EAAE,CAAkB;IAClE,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxD,MAAM,IAAI,GAAG,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAExD,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;QAChC,oDAAoD;QACpD,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACxD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,MAAM,CAAC,eAAe,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc,EAAE,WAA2B,WAAW;IACvF,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,sBAAsB;IAC9D,OAAO,MAAM,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC;AACvE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,YAAoB,CAAC;IAChE,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,SAAS,EAAE,CAAC;QACxC,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,GAAG,MAAM,CAAC;AAC5C,CAAC"}

package/dist/utils/security.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Security Utilities for NotebookLM MCP Server
+ *
+ * Provides input validation, sanitization, and security hardening.
+ * Added by Pantheon Security for hardened fork.
+ */
+/**
+ * Validate and sanitize a NotebookLM URL
+ * Prevents URL injection, javascript: URLs, and other attacks
+ *
+ * @param url - The URL to validate
+ * @returns Validated URL or throws error
+ */
+export declare function validateNotebookUrl(url: string): string;
+/**
+ * Validate notebook ID format
+ * NotebookLM IDs are typically alphanumeric with dashes
+ */
+export declare function validateNotebookId(id: string): string;
+/**
+ * Validate session ID format
+ */
+export declare function validateSessionId(id: string): string;
+/**
+ * Validate question input
+ * Prevents extremely long inputs that could cause DoS
+ */
+export declare function validateQuestion(question: string): string;
+/**
+ * Sanitize a string for safe logging
+ * Masks sensitive information like passwords, tokens, etc.
+ */
+export declare function sanitizeForLogging(value: string): string;
+/**
+ * Mask an email for logging (more aggressive than general sanitization)
+ */
+export declare function maskEmail(email: string): string;
+/**
+ * Validate file path to prevent path traversal
+ */
+export declare function validateFilePath(basePath: string, filePath: string): string;
+/**
+ * Rate limiter for preventing abuse
+ */
+export declare class RateLimiter {
+    private requests;
+    private readonly maxRequests;
+    private readonly windowMs;
+    constructor(maxRequests?: number, windowMs?: number);
+    /**
+     * Check if a request should be allowed
+     * @param key - Identifier for the rate limit (e.g., session ID, IP)
+     * @returns true if allowed, false if rate limited
+     */
+    isAllowed(key: string): boolean;
+    /**
+     * Get remaining requests for a key
+     */
+    getRemaining(key: string): number;
+    /**
+     * Clear all rate limit data
+     */
+    clear(): void;
+}
+/**
+ * Custom security error class
+ */
+export declare class SecurityError extends Error {
+    constructor(message: string);
+}
+/**
+ * Environment variable validator
+ * Ensures sensitive env vars are not logged
+ */
+export declare function getSecureEnvVar(name: string, defaultValue?: string): string;
+/**
+ * Check if running in a secure context
+ */
+export declare function checkSecurityContext(): {
+    secure: boolean;
+    warnings: string[];
+};
+//# sourceMappingURL=security.d.ts.map

package/dist/utils/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAoBH;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAkDvD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAmBrD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAkBpD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAkBzD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CA6BxD;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAU/C;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAe3E;AAED;;GAEG;AACH,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAoC;IACpD,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;gBAEtB,WAAW,GAAE,MAAY,EAAE,QAAQ,GAAE,MAAc;IAK/D;;;;OAIG;IACH,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAsB/B;;OAEG;IACH,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM;IAOjC;;OAEG;IACH,KAAK,IAAI,IAAI;CAGd;AAED;;GAEG;AACH,qBAAa,aAAc,SAAQ,KAAK;gBAC1B,OAAO,EAAE,MAAM;CAI5B;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,YAAY,GAAE,MAAW,GAAG,MAAM,CAG/E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,IAAI;IAAE,MAAM,EAAE,OAAO,CAAC;IAAC,QAAQ,EAAE,MAAM,EAAE,CAAA;CAAE,CAsB9E"}

package/dist/utils/security.js

@@ -0,0 +1,272 @@
+/**
+ * Security Utilities for NotebookLM MCP Server
+ *
+ * Provides input validation, sanitization, and security hardening.
+ * Added by Pantheon Security for hardened fork.
+ */
+/**
+ * Allowed URL patterns for NotebookLM
+ */
+const ALLOWED_NOTEBOOK_DOMAINS = [
+    'notebooklm.google.com',
+    'notebooklm.google.co.uk',
+    'notebooklm.google.de',
+    'notebooklm.google.fr',
+    'notebooklm.google.es',
+    'notebooklm.google.it',
+    'notebooklm.google.nl',
+    'notebooklm.google.com.au',
+    'notebooklm.google.ca',
+];
+// Auth domains (reserved for future use)
+// const ALLOWED_AUTH_DOMAINS = ['accounts.google.com'];
+/**
+ * Validate and sanitize a NotebookLM URL
+ * Prevents URL injection, javascript: URLs, and other attacks
+ *
+ * @param url - The URL to validate
+ * @returns Validated URL or throws error
+ */
+export function validateNotebookUrl(url) {
+    if (!url || typeof url !== 'string') {
+        throw new SecurityError('URL is required and must be a string');
+    }
+    // Trim whitespace
+    const trimmed = url.trim();
+    // Block empty URLs
+    if (trimmed.length === 0) {
+        throw new SecurityError('URL cannot be empty');
+    }
+    // Block dangerous protocols
+    const lowerUrl = trimmed.toLowerCase();
+    const dangerousProtocols = ['javascript:', 'data:', 'vbscript:', 'file:', 'about:'];
+    for (const protocol of dangerousProtocols) {
+        if (lowerUrl.startsWith(protocol)) {
+            throw new SecurityError(`Dangerous protocol not allowed: ${protocol}`);
+        }
+    }
+    // Parse URL
+    let parsed;
+    try {
+        parsed = new URL(trimmed);
+    }
+    catch {
+        throw new SecurityError('Invalid URL format');
+    }
+    // Enforce HTTPS
+    if (parsed.protocol !== 'https:') {
+        throw new SecurityError('Only HTTPS URLs are allowed');
+    }
+    // Validate domain
+    const hostname = parsed.hostname.toLowerCase();
+    const isAllowedNotebook = ALLOWED_NOTEBOOK_DOMAINS.some(d => hostname === d || hostname.endsWith('.' + d));
+    if (!isAllowedNotebook) {
+        throw new SecurityError(`Domain not allowed: ${hostname}. Only NotebookLM domains are permitted.`);
+    }
+    // Block path traversal attempts
+    if (parsed.pathname.includes('..') || parsed.pathname.includes('%2e%2e')) {
+        throw new SecurityError('Path traversal not allowed');
+    }
+    // Return the validated, normalized URL
+    return parsed.href;
+}
+/**
+ * Validate notebook ID format
+ * NotebookLM IDs are typically alphanumeric with dashes
+ */
+export function validateNotebookId(id) {
+    if (!id || typeof id !== 'string') {
+        throw new SecurityError('Notebook ID is required and must be a string');
+    }
+    const trimmed = id.trim();
+    // Allow alphanumeric, dashes, underscores (typical Google ID format)
+    const validPattern = /^[a-zA-Z0-9_-]+$/;
+    if (!validPattern.test(trimmed)) {
+        throw new SecurityError('Invalid notebook ID format. Only alphanumeric characters, dashes, and underscores allowed.');
+    }
+    // Reasonable length limit
+    if (trimmed.length > 128) {
+        throw new SecurityError('Notebook ID too long (max 128 characters)');
+    }
+    return trimmed;
+}
+/**
+ * Validate session ID format
+ */
+export function validateSessionId(id) {
+    if (!id || typeof id !== 'string') {
+        throw new SecurityError('Session ID is required and must be a string');
+    }
+    const trimmed = id.trim();
+    // UUID-like format or alphanumeric
+    const validPattern = /^[a-zA-Z0-9_-]+$/;
+    if (!validPattern.test(trimmed)) {
+        throw new SecurityError('Invalid session ID format');
+    }
+    if (trimmed.length > 64) {
+        throw new SecurityError('Session ID too long (max 64 characters)');
+    }
+    return trimmed;
+}
+/**
+ * Validate question input
+ * Prevents extremely long inputs that could cause DoS
+ */
+export function validateQuestion(question) {
+    if (!question || typeof question !== 'string') {
+        throw new SecurityError('Question is required and must be a string');
+    }
+    const trimmed = question.trim();
+    if (trimmed.length === 0) {
+        throw new SecurityError('Question cannot be empty');
+    }
+    // Reasonable max length (NotebookLM has its own limits)
+    const MAX_QUESTION_LENGTH = 32000;
+    if (trimmed.length > MAX_QUESTION_LENGTH) {
+        throw new SecurityError(`Question too long (max ${MAX_QUESTION_LENGTH} characters)`);
+    }
+    return trimmed;
+}
+/**
+ * Sanitize a string for safe logging
+ * Masks sensitive information like passwords, tokens, etc.
+ */
+export function sanitizeForLogging(value) {
+    if (!value || typeof value !== 'string') {
+        return '[invalid]';
+    }
+    // Mask email addresses (show first char and domain)
+    const emailMasked = value.replace(/([a-zA-Z0-9._%+-])([a-zA-Z0-9._%+-]*)@([a-zA-Z0-9.-]+\.[a-zA-Z]{2,})/g, (_, first, rest, domain) => `${first}${'*'.repeat(Math.min(rest.length, 8))}@${domain}`);
+    // Mask anything that looks like a password or secret
+    const secretPatterns = [
+        /password[=:]\s*["']?([^"'\s]+)/gi,
+        /secret[=:]\s*["']?([^"'\s]+)/gi,
+        /token[=:]\s*["']?([^"'\s]+)/gi,
+        /api[_-]?key[=:]\s*["']?([^"'\s]+)/gi,
+        /auth[=:]\s*["']?([^"'\s]+)/gi,
+    ];
+    let result = emailMasked;
+    for (const pattern of secretPatterns) {
+        result = result.replace(pattern, (match, _secret) => {
+            const prefix = match.split(/[=:]/)[0];
+            return `${prefix}=[REDACTED]`;
+        });
+    }
+    return result;
+}
+/**
+ * Mask an email for logging (more aggressive than general sanitization)
+ */
+export function maskEmail(email) {
+    if (!email || typeof email !== 'string' || !email.includes('@')) {
+        return '***@***.***';
+    }
+    const [name, domain] = email.split('@');
+    if (name.length <= 2) {
+        return `${'*'.repeat(name.length)}@${domain}`;
+    }
+    return `${name[0]}${'*'.repeat(name.length - 2)}${name[name.length - 1]}@${domain}`;
+}
+/**
+ * Validate file path to prevent path traversal
+ */
+export function validateFilePath(basePath, filePath) {
+    const path = require('path');
+    // Resolve to absolute path
+    const resolved = path.resolve(basePath, filePath);
+    // Ensure it's within the base path
+    const normalizedBase = path.normalize(basePath);
+    const normalizedResolved = path.normalize(resolved);
+    if (!normalizedResolved.startsWith(normalizedBase)) {
+        throw new SecurityError('Path traversal detected: file must be within allowed directory');
+    }
+    return normalizedResolved;
+}
+/**
+ * Rate limiter for preventing abuse
+ */
+export class RateLimiter {
+    requests = new Map();
+    maxRequests;
+    windowMs;
+    constructor(maxRequests = 100, windowMs = 60000) {
+        this.maxRequests = maxRequests;
+        this.windowMs = windowMs;
+    }
+    /**
+     * Check if a request should be allowed
+     * @param key - Identifier for the rate limit (e.g., session ID, IP)
+     * @returns true if allowed, false if rate limited
+     */
+    isAllowed(key) {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        // Get existing requests for this key
+        let requests = this.requests.get(key) || [];
+        // Filter to only requests within the window
+        requests = requests.filter(timestamp => timestamp > windowStart);
+        // Check if under limit
+        if (requests.length >= this.maxRequests) {
+            return false;
+        }
+        // Add current request
+        requests.push(now);
+        this.requests.set(key, requests);
+        return true;
+    }
+    /**
+     * Get remaining requests for a key
+     */
+    getRemaining(key) {
+        const now = Date.now();
+        const windowStart = now - this.windowMs;
+        const requests = (this.requests.get(key) || []).filter(t => t > windowStart);
+        return Math.max(0, this.maxRequests - requests.length);
+    }
+    /**
+     * Clear all rate limit data
+     */
+    clear() {
+        this.requests.clear();
+    }
+}
+/**
+ * Custom security error class
+ */
+export class SecurityError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'SecurityError';
+    }
+}
+/**
+ * Environment variable validator
+ * Ensures sensitive env vars are not logged
+ */
+export function getSecureEnvVar(name, defaultValue = '') {
+    const value = process.env[name];
+    return value !== undefined ? value : defaultValue;
+}
+/**
+ * Check if running in a secure context
+ */
+export function checkSecurityContext() {
+    const warnings = [];
+    // Check for plaintext credentials in env
+    if (process.env.LOGIN_PASSWORD) {
+        warnings.push('LOGIN_PASSWORD is set in environment - consider using a secrets manager');
+    }
+    // Check for debug mode
+    if (process.env.DEBUG === 'true' || process.env.NODE_ENV === 'development') {
+        warnings.push('Running in debug/development mode - ensure this is intentional');
+    }
+    // Check for headless mode (visible browser can leak info)
+    if (process.env.HEADLESS === 'false') {
+        warnings.push('Browser is running in visible mode - screen may expose sensitive data');
+    }
+    return {
+        secure: warnings.length === 0,
+        warnings,
+    };
+}
+//# sourceMappingURL=security.js.map

package/dist/utils/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH;;GAEG;AACH,MAAM,wBAAwB,GAAG;IAC/B,uBAAuB;IACvB,yBAAyB;IACzB,sBAAsB;IACtB,sBAAsB;IACtB,sBAAsB;IACtB,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;IAC1B,sBAAsB;CACvB,CAAC;AAEF,yCAAyC;AACzC,wDAAwD;AAExD;;;;;;GAMG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,aAAa,CAAC,sCAAsC,CAAC,CAAC;IAClE,CAAC;IAED,kBAAkB;IAClB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAE3B,mBAAmB;IACnB,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CAAC,qBAAqB,CAAC,CAAC;IACjD,CAAC;IAED,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IACvC,MAAM,kBAAkB,GAAG,CAAC,aAAa,EAAE,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACpF,KAAK,MAAM,QAAQ,IAAI,kBAAkB,EAAE,CAAC;QAC1C,IAAI,QAAQ,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,aAAa,CAAC,mCAAmC,QAAQ,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,YAAY;IACZ,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,aAAa,CAAC,oBAAoB,CAAC,CAAC;IAChD,CAAC;IAED,gBAAgB;IAChB,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,aAAa,CAAC,6BAA6B,CAAC,CAAC;IACzD,CAAC;IAED,kBAAkB;IAClB,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAC/C,MAAM,iBAAiB,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,KAAK,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;IAE3G,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,IAAI,aAAa,CAAC,uBAAuB,QAAQ,0CAA0C,CAAC,CAAC;IACrG,CAAC;IAED,gCAAgC;IAChC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,aAAa,CAAC,4BAA4B,CAAC,CAAC;IACxD,CAAC;IAED,uCAAuC;IACvC,OAAO,MAAM,CAAC,IAAI,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,EAAU;IAC3C,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,aAAa,CAAC,8CAA8C,CAAC,CAAC;IAC1E,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAE1B,qEAAqE;IACrE,MAAM,YAAY,GAAG,kBAAkB,CAAC;IACxC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,aAAa,CAAC,4FAA4F,CAAC,CAAC;IACxH,CAAC;IAED,0BAA0B;IAC1B,IAAI,OAAO,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CAAC,2CAA2C,CAAC,CAAC;IACvE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,EAAU;IAC1C,IAAI,CAAC,EAAE,IAAI,OAAO,EAAE,KAAK,QAAQ,EAAE,CAAC;QAClC,MAAM,IAAI,aAAa,CAAC,6CAA6C,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC;IAE1B,mCAAmC;IACnC,MAAM,YAAY,GAAG,kBAAkB,CAAC;IACxC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,aAAa,CAAC,2BAA2B,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACxB,MAAM,IAAI,aAAa,CAAC,yCAAyC,CAAC,CAAC;IACrE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,aAAa,CAAC,2CAA2C,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC;IAEhC,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,aAAa,CAAC,0BAA0B,CAAC,CAAC;IACtD,CAAC;IAED,wDAAwD;IACxD,MAAM,mBAAmB,GAAG,KAAK,CAAC;IAClC,IAAI,OAAO,CAAC,MAAM,GAAG,mBAAmB,EAAE,CAAC;QACzC,MAAM,IAAI,aAAa,CAAC,0BAA0B,mBAAmB,cAAc,CAAC,CAAC;IACvF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACxC,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,oDAAoD;IACpD,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAC/B,uEAAuE,EACvE,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,EAAE,CACxF,CAAC;IAEF,qDAAqD;IACrD,MAAM,cAAc,GAAG;QACrB,kCAAkC;QAClC,gCAAgC;QAChC,+BAA+B;QAC/B,qCAAqC;QACrC,8BAA8B;KAC/B,CAAC;IAEF,IAAI,MAAM,GAAG,WAAW,CAAC;IACzB,KAAK,MAAM,OAAO,IAAI,cAAc,EAAE,CAAC;QACrC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,EAAE;YAClD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,OAAO,GAAG,MAAM,aAAa,CAAC;QAChC,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAChE,OAAO,aAAa,CAAC;IACvB,CAAC;IAED,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACrB,OAAO,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;IAChD,CAAC;IACD,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,MAAM,EAAE,CAAC;AACtF,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB,EAAE,QAAgB;IACjE,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7B,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAElD,mCAAmC;IACnC,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,kBAAkB,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,cAAc,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,aAAa,CAAC,gEAAgE,CAAC,CAAC;IAC5F,CAAC;IAED,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,WAAW;IACd,QAAQ,GAA0B,IAAI,GAAG,EAAE,CAAC;IACnC,WAAW,CAAS;IACpB,QAAQ,CAAS;IAElC,YAAY,cAAsB,GAAG,EAAE,WAAmB,KAAK;QAC7D,IAAI,CAAC,WAAW,GAAG,WAAW,CAAC;QAC/B,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,SAAS,CAAC,GAAW;QACnB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QAExC,qCAAqC;QACrC,IAAI,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;QAE5C,4CAA4C;QAC5C,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,SAAS,GAAG,WAAW,CAAC,CAAC;QAEjE,uBAAuB;QACvB,IAAI,QAAQ,CAAC,MAAM,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YACxC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sBAAsB;QACtB,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACnB,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAEjC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,GAAW;QACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,WAAW,GAAG,GAAG,GAAG,IAAI,CAAC,QAAQ,CAAC;QACxC,MAAM,QAAQ,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,WAAW,CAAC,CAAC;QAC7E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC;IACzD,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,CAAC;IACxB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,aAAc,SAAQ,KAAK;IACtC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,eAAuB,EAAE;IACrE,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChC,OAAO,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,CAAC;AACpD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,QAAQ,GAAa,EAAE,CAAC;IAE9B,yCAAyC;IACzC,IAAI,OAAO,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC;QAC/B,QAAQ,CAAC,IAAI,CAAC,yEAAyE,CAAC,CAAC;IAC3F,CAAC;IAED,uBAAuB;IACvB,IAAI,OAAO,CAAC,GAAG,CAAC,KAAK,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;QAC3E,QAAQ,CAAC,IAAI,CAAC,gEAAgE,CAAC,CAAC;IAClF,CAAC;IAED,0DAA0D;IAC1D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;QACrC,QAAQ,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACzF,CAAC;IAED,OAAO;QACL,MAAM,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;QAC7B,QAAQ;KACT,CAAC;AACJ,CAAC"}