@pan-sec/notebooklm-mcp 1.4.0

package/dist/utils/tool-validation.js

@@ -0,0 +1,277 @@
+/**
+ * Tool Validation Middleware (before_tool_callback pattern)
+ *
+ * Implements the before_tool_callback pattern from "Agentic Design Patterns"
+ * Chapter 18 - Guardrails/Safety Patterns
+ *
+ * This module provides pre-execution validation for tool calls,
+ * ensuring the Principle of Least Privilege is enforced.
+ */
+import { log } from "./logger.js";
+import { audit } from "./audit-logger.js";
+import crypto from "crypto";
+/**
+ * Tool permission definitions
+ */
+const TOOL_PERMISSIONS = {
+    // Read-only tools - minimal permissions
+    ask_question: ["read"],
+    list_notebooks: ["read"],
+    get_notebook: ["read"],
+    search_notebooks: ["read"],
+    get_library_stats: ["read"],
+    list_sessions: ["read"],
+    get_health: ["read"],
+    // Write tools - require write permission
+    add_notebook: ["read", "write"],
+    update_notebook: ["read", "write"],
+    select_notebook: ["read", "write"],
+    // Destructive tools - require admin permission
+    remove_notebook: ["read", "write", "admin"],
+    close_session: ["read", "write", "admin"],
+    reset_session: ["read", "write", "admin"],
+    cleanup_data: ["read", "write", "admin"],
+    // Auth tools - special permissions
+    setup_auth: ["auth"],
+    re_auth: ["auth"],
+};
+/**
+ * Sensitive parameter patterns that require extra validation
+ */
+const SENSITIVE_PARAMS = [
+    "user_id",
+    "session_id",
+    "notebook_id",
+    "auth_token",
+    "password",
+    "secret",
+    "key",
+    "credential",
+];
+/**
+ * Session context store (in-memory, per-process)
+ */
+const sessionContexts = new Map();
+/**
+ * Create or get session context
+ */
+export function getOrCreateSessionContext(sessionId, userId, clientId) {
+    let context = sessionContexts.get(sessionId);
+    if (!context) {
+        context = {
+            sessionId,
+            userId,
+            clientId,
+            permissions: new Set(["read"]), // Default: read-only
+            createdAt: new Date(),
+            lastActivity: new Date(),
+            requestCount: 0,
+        };
+        sessionContexts.set(sessionId, context);
+        log.info(`📋 Created session context: ${sessionId}`);
+    }
+    // Update activity
+    context.lastActivity = new Date();
+    context.requestCount++;
+    return context;
+}
+/**
+ * Grant permissions to a session
+ */
+export function grantPermissions(sessionId, permissions) {
+    const context = sessionContexts.get(sessionId);
+    if (context) {
+        permissions.forEach((p) => context.permissions.add(p));
+        log.info(`🔑 Granted permissions to ${sessionId}: ${permissions.join(", ")}`);
+    }
+}
+/**
+ * Revoke permissions from a session
+ */
+export function revokePermissions(sessionId, permissions) {
+    const context = sessionContexts.get(sessionId);
+    if (context) {
+        permissions.forEach((p) => context.permissions.delete(p));
+        log.info(`🔒 Revoked permissions from ${sessionId}: ${permissions.join(", ")}`);
+    }
+}
+/**
+ * Clear session context
+ */
+export function clearSessionContext(sessionId) {
+    sessionContexts.delete(sessionId);
+    log.info(`🗑️ Cleared session context: ${sessionId}`);
+}
+/**
+ * before_tool_callback - Validate tool call before execution
+ *
+ * This implements the pattern from Chapter 18:
+ * - Validates tool permissions
+ * - Checks session state matches parameters
+ * - Sanitizes sensitive arguments
+ * - Logs security events
+ *
+ * @returns ValidationResult - { allowed: true } to proceed, { allowed: false, reason } to block
+ */
+export async function beforeToolCallback(params) {
+    const { toolName, args, sessionContext } = params;
+    // 1. Check tool exists in permission map
+    const requiredPermissions = TOOL_PERMISSIONS[toolName];
+    if (!requiredPermissions) {
+        log.warning(`⚠️ Unknown tool: ${toolName}`);
+        await audit.security("unknown_tool_call", "warning", {
+            tool: toolName,
+            session_id: sessionContext.sessionId,
+        });
+        // Allow unknown tools but log them (fail-open for extensibility)
+        return { allowed: true };
+    }
+    // 2. Check session has required permissions
+    const missingPermissions = requiredPermissions.filter((p) => !sessionContext.permissions.has(p));
+    if (missingPermissions.length > 0) {
+        const reason = `Missing permissions: ${missingPermissions.join(", ")}`;
+        log.error(`🚫 [SECURITY] Tool blocked: ${toolName} - ${reason}`);
+        await audit.security("permission_denied", "error", {
+            tool: toolName,
+            session_id: sessionContext.sessionId,
+            missing_permissions: missingPermissions,
+        });
+        return { allowed: false, reason };
+    }
+    // 3. Validate sensitive parameters match session context
+    const sanitizedArgs = { ...args };
+    for (const param of SENSITIVE_PARAMS) {
+        if (param in args) {
+            const argValue = args[param];
+            // Session ID validation - must match current session or be undefined
+            if (param === "session_id" && argValue !== undefined) {
+                if (argValue !== sessionContext.sessionId) {
+                    // Check if it's a valid session the user owns
+                    const targetContext = sessionContexts.get(argValue);
+                    if (!targetContext || targetContext.userId !== sessionContext.userId) {
+                        const reason = `Session ID mismatch: cannot access session ${argValue}`;
+                        log.error(`🚫 [SECURITY] ${reason}`);
+                        await audit.security("session_hijack_attempt", "critical", {
+                            tool: toolName,
+                            session_id: sessionContext.sessionId,
+                            target_session: argValue,
+                        });
+                        return { allowed: false, reason };
+                    }
+                }
+            }
+            // User ID validation - must match session user
+            if (param === "user_id" && argValue !== undefined) {
+                if (sessionContext.userId && argValue !== sessionContext.userId) {
+                    const reason = `User ID mismatch: ${argValue} vs session user ${sessionContext.userId}`;
+                    log.error(`🚫 [SECURITY] ${reason}`);
+                    await audit.security("user_id_mismatch", "critical", {
+                        tool: toolName,
+                        session_id: sessionContext.sessionId,
+                        provided_user: argValue,
+                        session_user: sessionContext.userId,
+                    });
+                    return { allowed: false, reason };
+                }
+            }
+            // Mask sensitive values in sanitized args for logging
+            if (["password", "secret", "key", "credential", "auth_token"].includes(param)) {
+                sanitizedArgs[param] = "[REDACTED]";
+            }
+        }
+    }
+    // 4. Log successful validation
+    log.info(`✅ Tool validated: ${toolName}`);
+    await audit.tool(toolName, sanitizedArgs, true, 0, "pre_validation_passed");
+    return { allowed: true, sanitizedArgs };
+}
+/**
+ * Generate a secure session token
+ */
+export function generateSessionToken() {
+    return crypto.randomBytes(32).toString("base64url");
+}
+export function validateAuthHeaders(headers) {
+    const authHeader = headers["authorization"] || headers["x-mcp-auth"];
+    const clientId = headers["x-client-id"];
+    if (!authHeader) {
+        return { authenticated: false, error: "No authorization header" };
+    }
+    // Support Bearer token format
+    const bearerMatch = authHeader.match(/^Bearer\s+(.+)$/i);
+    if (bearerMatch) {
+        const token = bearerMatch[1];
+        // In production, validate token against stored tokens
+        // For now, we accept any valid-looking token
+        if (token.length >= 32) {
+            return {
+                authenticated: true,
+                userId: `user_${crypto.createHash("sha256").update(token).digest("hex").slice(0, 8)}`,
+                clientId: clientId,
+                permissions: ["read", "write"], // Authenticated users get read/write
+            };
+        }
+    }
+    // Support API key format
+    const apiKeyMatch = authHeader.match(/^ApiKey\s+(.+)$/i);
+    if (apiKeyMatch) {
+        const apiKey = apiKeyMatch[1];
+        if (apiKey.length >= 32) {
+            return {
+                authenticated: true,
+                userId: `api_${crypto.createHash("sha256").update(apiKey).digest("hex").slice(0, 8)}`,
+                clientId: clientId,
+                permissions: ["read", "write", "admin"], // API keys get full access
+            };
+        }
+    }
+    return { authenticated: false, error: "Invalid authorization format" };
+}
+/**
+ * Middleware to wrap tool handlers with before_tool_callback
+ */
+export function withToolValidation(toolName, handler, getSessionContext) {
+    return (async (...args) => {
+        const sessionContext = getSessionContext();
+        // Extract args object (usually first parameter)
+        const toolArgs = args[0] || {};
+        // Run before_tool_callback
+        const validation = await beforeToolCallback({
+            toolName,
+            args: toolArgs,
+            sessionContext,
+        });
+        if (!validation.allowed) {
+            return {
+                success: false,
+                error: `Security validation failed: ${validation.reason}`,
+            };
+        }
+        // Execute the actual handler
+        return handler(...args);
+    });
+}
+/**
+ * Get all active session contexts (for admin/debugging)
+ */
+export function getActiveSessionContexts() {
+    return Array.from(sessionContexts.values());
+}
+/**
+ * Clean up expired session contexts
+ */
+export function cleanupExpiredContexts(maxAgeMs = 8 * 60 * 60 * 1000) {
+    const now = Date.now();
+    let cleaned = 0;
+    for (const [sessionId, context] of sessionContexts.entries()) {
+        if (now - context.lastActivity.getTime() > maxAgeMs) {
+            sessionContexts.delete(sessionId);
+            cleaned++;
+        }
+    }
+    if (cleaned > 0) {
+        log.info(`🧹 Cleaned up ${cleaned} expired session contexts`);
+    }
+    return cleaned;
+}
+//# sourceMappingURL=tool-validation.js.map

package/dist/utils/tool-validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-validation.js","sourceRoot":"","sources":["../../src/utils/tool-validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAClC,OAAO,EAAE,KAAK,EAAE,MAAM,mBAAmB,CAAC;AAC1C,OAAO,MAAM,MAAM,QAAQ,CAAC;AAiC5B;;GAEG;AACH,MAAM,gBAAgB,GAA6B;IACjD,wCAAwC;IACxC,YAAY,EAAE,CAAC,MAAM,CAAC;IACtB,cAAc,EAAE,CAAC,MAAM,CAAC;IACxB,YAAY,EAAE,CAAC,MAAM,CAAC;IACtB,gBAAgB,EAAE,CAAC,MAAM,CAAC;IAC1B,iBAAiB,EAAE,CAAC,MAAM,CAAC;IAC3B,aAAa,EAAE,CAAC,MAAM,CAAC;IACvB,UAAU,EAAE,CAAC,MAAM,CAAC;IAEpB,yCAAyC;IACzC,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IAC/B,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IAClC,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC;IAElC,+CAA+C;IAC/C,eAAe,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IAC3C,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IACzC,aAAa,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IACzC,YAAY,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC;IAExC,mCAAmC;IACnC,UAAU,EAAE,CAAC,MAAM,CAAC;IACpB,OAAO,EAAE,CAAC,MAAM,CAAC;CAClB,CAAC;AAEF;;GAEG;AACH,MAAM,gBAAgB,GAAG;IACvB,SAAS;IACT,YAAY;IACZ,aAAa;IACb,YAAY;IACZ,UAAU;IACV,QAAQ;IACR,KAAK;IACL,YAAY;CACb,CAAC;AAEF;;GAEG;AACH,MAAM,eAAe,GAAG,IAAI,GAAG,EAA0B,CAAC;AAE1D;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,SAAiB,EACjB,MAAe,EACf,QAAiB;IAEjB,IAAI,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAE7C,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG;YACR,SAAS;YACT,MAAM;YACN,QAAQ;YACR,WAAW,EAAE,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,EAAE,qBAAqB;YACrD,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,YAAY,EAAE,IAAI,IAAI,EAAE;YACxB,YAAY,EAAE,CAAC;SAChB,CAAC;QACF,eAAe,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QACxC,GAAG,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACvD,CAAC;IAED,kBAAkB;IAClB,OAAO,CAAC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC;IAClC,OAAO,CAAC,YAAY,EAAE,CAAC;IAEvB,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,SAAiB,EACjB,WAAqB;IAErB,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/C,IAAI,OAAO,EAAE,CAAC;QACZ,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,GAAG,CAAC,IAAI,CAAC,6BAA6B,SAAS,KAAK,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAChF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,SAAiB,EACjB,WAAqB;IAErB,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IAC/C,IAAI,OAAO,EAAE,CAAC;QACZ,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC1D,GAAG,CAAC,IAAI,CAAC,+BAA+B,SAAS,KAAK,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,SAAiB;IACnD,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAClC,GAAG,CAAC,IAAI,CAAC,gCAAgC,SAAS,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAsB;IAEtB,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,cAAc,EAAE,GAAG,MAAM,CAAC;IAElD,yCAAyC;IACzC,MAAM,mBAAmB,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACvD,IAAI,CAAC,mBAAmB,EAAE,CAAC;QACzB,GAAG,CAAC,OAAO,CAAC,oBAAoB,QAAQ,EAAE,CAAC,CAAC;QAC5C,MAAM,KAAK,CAAC,QAAQ,CAAC,mBAAmB,EAAE,SAAS,EAAE;YACnD,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,cAAc,CAAC,SAAS;SACrC,CAAC,CAAC;QACH,iEAAiE;QACjE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED,4CAA4C;IAC5C,MAAM,kBAAkB,GAAG,mBAAmB,CAAC,MAAM,CACnD,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,cAAc,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAC1C,CAAC;IAEF,IAAI,kBAAkB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,wBAAwB,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvE,GAAG,CAAC,KAAK,CAAC,+BAA+B,QAAQ,MAAM,MAAM,EAAE,CAAC,CAAC;QACjE,MAAM,KAAK,CAAC,QAAQ,CAAC,mBAAmB,EAAE,OAAO,EAAE;YACjD,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,cAAc,CAAC,SAAS;YACpC,mBAAmB,EAAE,kBAAkB;SACxC,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;IACpC,CAAC;IAED,yDAAyD;IACzD,MAAM,aAAa,GAAG,EAAE,GAAG,IAAI,EAAE,CAAC;IAElC,KAAK,MAAM,KAAK,IAAI,gBAAgB,EAAE,CAAC;QACrC,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;YAClB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;YAE7B,qEAAqE;YACrE,IAAI,KAAK,KAAK,YAAY,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBACrD,IAAI,QAAQ,KAAK,cAAc,CAAC,SAAS,EAAE,CAAC;oBAC1C,8CAA8C;oBAC9C,MAAM,aAAa,GAAG,eAAe,CAAC,GAAG,CAAC,QAAkB,CAAC,CAAC;oBAC9D,IAAI,CAAC,aAAa,IAAI,aAAa,CAAC,MAAM,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;wBACrE,MAAM,MAAM,GAAG,8CAA8C,QAAQ,EAAE,CAAC;wBACxE,GAAG,CAAC,KAAK,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAC;wBACrC,MAAM,KAAK,CAAC,QAAQ,CAAC,wBAAwB,EAAE,UAAU,EAAE;4BACzD,IAAI,EAAE,QAAQ;4BACd,UAAU,EAAE,cAAc,CAAC,SAAS;4BACpC,cAAc,EAAE,QAAQ;yBACzB,CAAC,CAAC;wBACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;oBACpC,CAAC;gBACH,CAAC;YACH,CAAC;YAED,+CAA+C;YAC/C,IAAI,KAAK,KAAK,SAAS,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;gBAClD,IAAI,cAAc,CAAC,MAAM,IAAI,QAAQ,KAAK,cAAc,CAAC,MAAM,EAAE,CAAC;oBAChE,MAAM,MAAM,GAAG,qBAAqB,QAAQ,oBAAoB,cAAc,CAAC,MAAM,EAAE,CAAC;oBACxF,GAAG,CAAC,KAAK,CAAC,iBAAiB,MAAM,EAAE,CAAC,CAAC;oBACrC,MAAM,KAAK,CAAC,QAAQ,CAAC,kBAAkB,EAAE,UAAU,EAAE;wBACnD,IAAI,EAAE,QAAQ;wBACd,UAAU,EAAE,cAAc,CAAC,SAAS;wBACpC,aAAa,EAAE,QAAQ;wBACvB,YAAY,EAAE,cAAc,CAAC,MAAM;qBACpC,CAAC,CAAC;oBACH,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;gBACpC,CAAC;YACH,CAAC;YAED,sDAAsD;YACtD,IAAI,CAAC,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;gBAC9E,aAAa,CAAC,KAAK,CAAC,GAAG,YAAY,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,GAAG,CAAC,IAAI,CAAC,qBAAqB,QAAQ,EAAE,CAAC,CAAC;IAC1C,MAAM,KAAK,CAAC,IAAI,CAAC,QAAQ,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,uBAAuB,CAAC,CAAC;IAE5E,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;AAC1C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AACtD,CAAC;AAaD,MAAM,UAAU,mBAAmB,CACjC,OAA2C;IAE3C,MAAM,UAAU,GAAG,OAAO,CAAC,eAAe,CAAC,IAAI,OAAO,CAAC,YAAY,CAAC,CAAC;IACrE,MAAM,QAAQ,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC;IAExC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACpE,CAAC;IAED,8BAA8B;IAC9B,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACzD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC7B,sDAAsD;QACtD,6CAA6C;QAC7C,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACvB,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,MAAM,EAAE,QAAQ,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;gBACrF,QAAQ,EAAE,QAA8B;gBACxC,WAAW,EAAE,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,qCAAqC;aACtE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,yBAAyB;IACzB,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACzD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,MAAM,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;QAC9B,IAAI,MAAM,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YACxB,OAAO;gBACL,aAAa,EAAE,IAAI;gBACnB,MAAM,EAAE,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;gBACrF,QAAQ,EAAE,QAA8B;gBACxC,WAAW,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,EAAE,2BAA2B;aACrE,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,QAAgB,EAChB,OAAU,EACV,iBAAuC;IAEvC,OAAO,CAAC,KAAK,EAAE,GAAG,IAAe,EAAE,EAAE;QACnC,MAAM,cAAc,GAAG,iBAAiB,EAAE,CAAC;QAE3C,gDAAgD;QAChD,MAAM,QAAQ,GAAI,IAAI,CAAC,CAAC,CAA6B,IAAI,EAAE,CAAC;QAE5D,2BAA2B;QAC3B,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC;YAC1C,QAAQ;YACR,IAAI,EAAE,QAAQ;YACd,cAAc;SACf,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,+BAA+B,UAAU,CAAC,MAAM,EAAE;aAC1D,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,OAAO,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC;IAC1B,CAAC,CAAM,CAAC;AACV,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB;IACtC,OAAO,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,MAAM,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,WAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IAC1E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,CAAC,SAAS,EAAE,OAAO,CAAC,IAAI,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7D,IAAI,GAAG,GAAG,OAAO,CAAC,YAAY,CAAC,OAAO,EAAE,GAAG,QAAQ,EAAE,CAAC;YACpD,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAClC,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;QAChB,GAAG,CAAC,IAAI,CAAC,iBAAiB,OAAO,2BAA2B,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}