@panguard-ai/atr 1.4.3 → 1.5.1

package/dist/embedding/build-corpus.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env npx tsx
+/**
+ * Build attack embedding corpus from ATR rule test cases.
+ *
+ * Reads all stable ATR rules, extracts true_positive test cases,
+ * encodes them through all-MiniLM-L6-v2, and saves as JSON.
+ *
+ * Usage:
+ *   npx tsx src/embedding/build-corpus.ts
+ *
+ * Output:
+ *   data/attack-embeddings.json
+ */
+import { readFileSync, writeFileSync, mkdirSync, readdirSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+import * as yaml from 'js-yaml';
+const RULES_DIR = resolve(join(import.meta.dirname ?? '.', '..', '..', 'rules'));
+const OUTPUT_PATH = resolve(join(import.meta.dirname ?? '.', '..', '..', 'data', 'attack-embeddings.json'));
+async function main() {
+    console.log('Building attack embedding corpus...');
+    console.log(`Rules dir: ${RULES_DIR}`);
+    // Load model
+    console.log('Loading embedding model (first run downloads ~22MB)...');
+    const { TransformersJSModel } = await import('./model-loader.js');
+    const model = new TransformersJSModel();
+    await model.initialize();
+    console.log('Model loaded.');
+    // Collect all true_positive texts from rules
+    const attacks = [];
+    function walkDir(dir) {
+        const files = [];
+        for (const entry of readdirSync(dir, { withFileTypes: true })) {
+            const fullPath = join(dir, entry.name);
+            if (entry.isDirectory()) {
+                files.push(...walkDir(fullPath));
+            }
+            else if (entry.name.endsWith('.yaml') || entry.name.endsWith('.yml')) {
+                files.push(fullPath);
+            }
+        }
+        return files;
+    }
+    const ruleFiles = walkDir(RULES_DIR);
+    console.log(`Found ${ruleFiles.length} rule files.`);
+    for (const file of ruleFiles) {
+        try {
+            const content = readFileSync(file, 'utf-8');
+            const rule = yaml.load(content);
+            if (!rule?.id || !rule?.test_cases?.true_positives)
+                continue;
+            for (const tp of rule.test_cases.true_positives) {
+                const text = tp.input ?? tp.content ?? tp.user_input ?? tp.tool_response ?? tp.tool_description ?? tp.tool_args;
+                if (!text || text.length < 10)
+                    continue;
+                attacks.push({
+                    id: rule.id,
+                    text: text.slice(0, 512),
+                    category: rule.tags?.category ?? 'unknown',
+                    severity: rule.severity ?? 'medium',
+                    ruleTitle: rule.title ?? rule.id,
+                });
+            }
+        }
+        catch {
+            // Skip unparseable rules
+        }
+    }
+    console.log(`Extracted ${attacks.length} attack payloads from ${ruleFiles.length} rules.`);
+    // Deduplicate by text
+    const seen = new Set();
+    const unique = attacks.filter((a) => {
+        if (seen.has(a.text))
+            return false;
+        seen.add(a.text);
+        return true;
+    });
+    console.log(`Unique payloads: ${unique.length}`);
+    // Encode all payloads
+    console.log('Encoding payloads...');
+    const output = [];
+    for (let i = 0; i < unique.length; i++) {
+        const a = unique[i];
+        process.stdout.write(`\r  [${i + 1}/${unique.length}] ${a.id}`);
+        const vec = await model.encode(a.text);
+        output.push({
+            id: `${a.id}-tp${i}`,
+            text: a.text,
+            vector: Array.from(vec),
+            label: `${a.ruleTitle}: ${a.text.slice(0, 80)}`,
+            category: a.category,
+            severity: a.severity,
+        });
+    }
+    console.log('\n');
+    // Save
+    mkdirSync(join(OUTPUT_PATH, '..'), { recursive: true });
+    writeFileSync(OUTPUT_PATH, JSON.stringify(output, null, 2));
+    console.log(`Saved ${output.length} embeddings to ${OUTPUT_PATH}`);
+    console.log(`File size: ${(readFileSync(OUTPUT_PATH).length / 1024).toFixed(0)} KB`);
+}
+main().catch((err) => {
+    console.error('Fatal:', err);
+    process.exit(1);
+});
+//# sourceMappingURL=build-corpus.js.map

package/dist/embedding/build-corpus.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"build-corpus.js","sourceRoot":"","sources":["../../src/embedding/build-corpus.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,WAAW,EAAc,MAAM,SAAS,CAAC;AAC1F,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAEhC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;AACjF,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,IAAI,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,wBAAwB,CAAC,CAAC,CAAC;AAuB5G,KAAK,UAAU,IAAI;IACjB,OAAO,CAAC,GAAG,CAAC,qCAAqC,CAAC,CAAC;IACnD,OAAO,CAAC,GAAG,CAAC,cAAc,SAAS,EAAE,CAAC,CAAC;IAEvC,aAAa;IACb,OAAO,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;IACtE,MAAM,EAAE,mBAAmB,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAClE,MAAM,KAAK,GAAG,IAAI,mBAAmB,EAAE,CAAC;IACxC,MAAM,KAAK,CAAC,UAAU,EAAE,CAAC;IACzB,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IAE7B,6CAA6C;IAC7C,MAAM,OAAO,GAA+F,EAAE,CAAC;IAE/G,SAAS,OAAO,CAAC,GAAW;QAC1B,MAAM,KAAK,GAAa,EAAE,CAAC;QAC3B,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;YAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;YACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;gBACxB,KAAK,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YACnC,CAAC;iBAAM,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBACvE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,SAAS,SAAS,CAAC,MAAM,cAAc,CAAC,CAAC;IAErD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;YAC5C,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAgB,CAAC;YAC/C,IAAI,CAAC,IAAI,EAAE,EAAE,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,cAAc;gBAAE,SAAS;YAE7D,KAAK,MAAM,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;gBAChD,MAAM,IAAI,GAAG,EAAE,CAAC,KAAK,IAAI,EAAE,CAAC,OAAO,IAAI,EAAE,CAAC,UAAU,IAAI,EAAE,CAAC,aAAa,IAAI,EAAE,CAAC,gBAAgB,IAAI,EAAE,CAAC,SAAS,CAAC;gBAChH,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,EAAE;oBAAE,SAAS;gBAExC,OAAO,CAAC,IAAI,CAAC;oBACX,EAAE,EAAE,IAAI,CAAC,EAAE;oBACX,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC;oBACxB,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,QAAQ,IAAI,SAAS;oBAC1C,QAAQ,EAAE,IAAI,CAAC,QAAQ,IAAI,QAAQ;oBACnC,SAAS,EAAE,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,EAAE;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,yBAAyB;QAC3B,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,aAAa,OAAO,CAAC,MAAM,yBAAyB,SAAS,CAAC,MAAM,SAAS,CAAC,CAAC;IAE3F,sBAAsB;IACtB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACjB,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,oBAAoB,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;IAEjD,sBAAsB;IACtB,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;IACpC,MAAM,MAAM,GAOP,EAAE,CAAC;IAER,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QACrB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAChE,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,EAAE;YACpB,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;YACvB,KAAK,EAAE,GAAG,CAAC,CAAC,SAAS,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;YAC/C,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,QAAQ,EAAE,CAAC,CAAC,QAAQ;SACrB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAElB,OAAO;IACP,SAAS,CAAC,IAAI,CAAC,WAAW,EAAE,IAAI,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACxD,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;IAC5D,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,MAAM,kBAAkB,WAAW,EAAE,CAAC,CAAC;IACnE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,MAAM,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AACvF,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IAC7B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/embedding/model-loader.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Embedding model loader.
+ *
+ * Lazy-loads all-MiniLM-L6-v2 via @xenova/transformers (optional dep).
+ * Model is ~22MB, cached to disk after first download.
+ * Runs in pure JS/WASM -- no native bindings needed.
+ *
+ * @module agent-threat-rules/embedding/model-loader
+ */
+export interface EmbeddingModel {
+    /** Encode text to embedding vector */
+    encode(text: string): Promise<Float32Array>;
+    /** Encode multiple texts (batched) */
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+    /** Initialize / load the model */
+    initialize(): Promise<void>;
+    /** Model output dimension */
+    readonly dimension: number;
+    /** Whether model is loaded */
+    readonly isLoaded: boolean;
+}
+export declare class TransformersJSModel implements EmbeddingModel {
+    readonly dimension = 384;
+    private pipeline;
+    get isLoaded(): boolean;
+    /** Lazy-load the model on first use */
+    initialize(): Promise<void>;
+    encode(text: string): Promise<Float32Array>;
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+}
+/** Create a no-op model for testing */
+export declare class MockEmbeddingModel implements EmbeddingModel {
+    readonly dimension = 384;
+    readonly isLoaded = true;
+    private readonly mockVectors;
+    constructor(mockVectors?: Map<string, Float32Array>);
+    initialize(): Promise<void>;
+    encode(text: string): Promise<Float32Array>;
+    encodeBatch(texts: readonly string[]): Promise<Float32Array[]>;
+}
+//# sourceMappingURL=model-loader.d.ts.map

package/dist/embedding/model-loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-loader.d.ts","sourceRoot":"","sources":["../../src/embedding/model-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,WAAW,cAAc;IAC7B,sCAAsC;IACtC,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAC5C,sCAAsC;IACtC,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;IAC/D,kCAAkC;IAClC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;IAC5B,6BAA6B;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,8BAA8B;IAC9B,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;CAC5B;AAKD,qBAAa,mBAAoB,YAAW,cAAc;IACxD,QAAQ,CAAC,SAAS,OAAa;IAC/B,OAAO,CAAC,QAAQ,CAAiB;IAEjC,IAAI,QAAQ,IAAI,OAAO,CAEtB;IAED,uCAAuC;IACjC,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAoB3B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAQ3C,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CAYrE;AAED,uCAAuC;AACvC,qBAAa,kBAAmB,YAAW,cAAc;IACvD,QAAQ,CAAC,SAAS,OAAa;IAC/B,QAAQ,CAAC,QAAQ,QAAQ;IACzB,OAAO,CAAC,QAAQ,CAAC,WAAW,CAA4B;gBAE5C,WAAW,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC;IAI7C,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAI3B,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAgB3C,WAAW,CAAC,KAAK,EAAE,SAAS,MAAM,EAAE,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;CAGrE"}

package/dist/embedding/model-loader.js

@@ -0,0 +1,90 @@
+/**
+ * Embedding model loader.
+ *
+ * Lazy-loads all-MiniLM-L6-v2 via @xenova/transformers (optional dep).
+ * Model is ~22MB, cached to disk after first download.
+ * Runs in pure JS/WASM -- no native bindings needed.
+ *
+ * @module agent-threat-rules/embedding/model-loader
+ */
+const MODEL_NAME = 'Xenova/all-MiniLM-L6-v2';
+const DIMENSION = 384;
+export class TransformersJSModel {
+    dimension = DIMENSION;
+    pipeline = null;
+    get isLoaded() {
+        return this.pipeline !== null;
+    }
+    /** Lazy-load the model on first use */
+    async initialize() {
+        if (this.pipeline)
+            return;
+        try {
+            // Dynamic import to keep @xenova/transformers optional
+            const { pipeline } = await import('@xenova/transformers');
+            this.pipeline = (await pipeline('feature-extraction', MODEL_NAME, {
+                quantized: true,
+            }));
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            if (msg.includes('Cannot find module') || msg.includes('MODULE_NOT_FOUND')) {
+                throw new Error('Embedding model requires @xenova/transformers. Install: npm install @xenova/transformers');
+            }
+            throw new Error(`Failed to load embedding model: ${msg}`);
+        }
+    }
+    async encode(text) {
+        if (!this.pipeline)
+            await this.initialize();
+        const pipelineFn = this.pipeline;
+        const output = await pipelineFn([text], { pooling: 'mean', normalize: true });
+        return new Float32Array(output.data.slice(0, DIMENSION));
+    }
+    async encodeBatch(texts) {
+        if (!this.pipeline)
+            await this.initialize();
+        const pipelineFn = this.pipeline;
+        const results = [];
+        // Process one at a time to control memory
+        for (const text of texts) {
+            const output = await pipelineFn([text], { pooling: 'mean', normalize: true });
+            results.push(new Float32Array(output.data.slice(0, DIMENSION)));
+        }
+        return results;
+    }
+}
+/** Create a no-op model for testing */
+export class MockEmbeddingModel {
+    dimension = DIMENSION;
+    isLoaded = true;
+    mockVectors;
+    constructor(mockVectors) {
+        this.mockVectors = mockVectors ?? new Map();
+    }
+    async initialize() {
+        // No-op for mock
+    }
+    async encode(text) {
+        const existing = this.mockVectors.get(text);
+        if (existing)
+            return existing;
+        // Generate deterministic vector from text hash
+        const vec = new Float32Array(DIMENSION);
+        for (let i = 0; i < DIMENSION; i++) {
+            vec[i] = Math.sin(text.charCodeAt(i % text.length) * (i + 1) * 0.01);
+        }
+        // Normalize
+        let mag = 0;
+        for (let i = 0; i < DIMENSION; i++)
+            mag += vec[i] * vec[i];
+        mag = Math.sqrt(mag);
+        for (let i = 0; i < DIMENSION; i++)
+            vec[i] /= mag;
+        return vec;
+    }
+    async encodeBatch(texts) {
+        return Promise.all(texts.map((t) => this.encode(t)));
+    }
+}
+//# sourceMappingURL=model-loader.js.map

package/dist/embedding/model-loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"model-loader.js","sourceRoot":"","sources":["../../src/embedding/model-loader.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAeH,MAAM,UAAU,GAAG,yBAAyB,CAAC;AAC7C,MAAM,SAAS,GAAG,GAAG,CAAC;AAEtB,MAAM,OAAO,mBAAmB;IACrB,SAAS,GAAG,SAAS,CAAC;IACvB,QAAQ,GAAY,IAAI,CAAC;IAEjC,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC;IAChC,CAAC;IAED,uCAAuC;IACvC,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,QAAQ;YAAE,OAAO;QAE1B,IAAI,CAAC;YACH,uDAAuD;YACvD,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,sBAAsB,CAAC,CAAC;YAC1D,IAAI,CAAC,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,oBAAoB,EAAE,UAAU,EAAE;gBAChE,SAAS,EAAE,IAAI;aAChB,CAAC,CAAyB,CAAC;QAC9B,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,IAAI,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;gBAC3E,MAAM,IAAI,KAAK,CACb,0FAA0F,CAC3F,CAAC;YACJ,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAE5C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAmG,CAAC;QAC5H,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC9E,OAAO,IAAI,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAwB;QACxC,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAE5C,MAAM,UAAU,GAAG,IAAI,CAAC,QAAmG,CAAC;QAC5H,MAAM,OAAO,GAAmB,EAAE,CAAC;QACnC,0CAA0C;QAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC9E,OAAO,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,CAAC;QAClE,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,uCAAuC;AACvC,MAAM,OAAO,kBAAkB;IACpB,SAAS,GAAG,SAAS,CAAC;IACtB,QAAQ,GAAG,IAAI,CAAC;IACR,WAAW,CAA4B;IAExD,YAAY,WAAuC;QACjD,IAAI,CAAC,WAAW,GAAG,WAAW,IAAI,IAAI,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED,KAAK,CAAC,UAAU;QACd,iBAAiB;IACnB,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY;QACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,+CAA+C;QAC/C,MAAM,GAAG,GAAG,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;QACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC;YACnC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QACvE,CAAC;QACD,YAAY;QACZ,IAAI,GAAG,GAAG,CAAC,CAAC;QACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE;YAAE,GAAG,IAAI,GAAG,CAAC,CAAC,CAAE,GAAG,GAAG,CAAC,CAAC,CAAE,CAAC;QAC7D,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,EAAE,CAAC,EAAE;YAAE,GAAG,CAAC,CAAC,CAAE,IAAI,GAAG,CAAC;QACnD,OAAO,GAAG,CAAC;IACb,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAAwB;QACxC,OAAO,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACvD,CAAC;CACF"}

package/dist/embedding/vector-store.d.ts

@@ -0,0 +1,41 @@
+/**
+ * In-memory vector store with cosine similarity search.
+ *
+ * Stores pre-computed attack embeddings and finds nearest neighbors
+ * for incoming text. Sub-millisecond for ~2000 vectors at 384 dimensions.
+ *
+ * @module agent-threat-rules/embedding/vector-store
+ */
+import type { ATRSeverity } from '../types.js';
+export interface VectorEntry {
+    readonly id: string;
+    readonly vector: Float32Array;
+    readonly label: string;
+    readonly category: string;
+    readonly severity: ATRSeverity;
+}
+export interface SearchResult {
+    readonly entry: VectorEntry;
+    readonly similarity: number;
+}
+export declare class VectorStore {
+    private readonly entries;
+    constructor(entries?: readonly VectorEntry[]);
+    /** Create new store with additional entries (immutable) */
+    withEntries(newEntries: readonly VectorEntry[]): VectorStore;
+    /**
+     * Find top-K nearest neighbors by cosine similarity.
+     * Only returns results above the threshold.
+     */
+    search(query: Float32Array, topK?: number, threshold?: number): readonly SearchResult[];
+    size(): number;
+}
+/** Load pre-computed embeddings from JSON */
+export declare function loadVectorEntries(data: readonly {
+    id: string;
+    vector: number[];
+    label: string;
+    category: string;
+    severity: string;
+}[]): VectorEntry[];
+//# sourceMappingURL=vector-store.d.ts.map

package/dist/embedding/vector-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"vector-store.d.ts","sourceRoot":"","sources":["../../src/embedding/vector-store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAE/C,MAAM,WAAW,WAAW;IAC1B,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,MAAM,EAAE,YAAY,CAAC;IAC9B,QAAQ,CAAC,KAAK,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,QAAQ,EAAE,WAAW,CAAC;CAChC;AAED,MAAM,WAAW,YAAY;IAC3B,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC;IAC5B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC7B;AAED,qBAAa,WAAW;IACtB,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyB;gBAErC,OAAO,CAAC,EAAE,SAAS,WAAW,EAAE;IAI5C,2DAA2D;IAC3D,WAAW,CAAC,UAAU,EAAE,SAAS,WAAW,EAAE,GAAG,WAAW;IAI5D;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,YAAY,EAAE,IAAI,GAAE,MAAU,EAAE,SAAS,GAAE,MAAa,GAAG,SAAS,YAAY,EAAE;IAiBhG,IAAI,IAAI,MAAM;CAGf;AAyBD,6CAA6C;AAC7C,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,SAAS;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,EAAE,GACnG,WAAW,EAAE,CAQf"}

package/dist/embedding/vector-store.js

@@ -0,0 +1,70 @@
+/**
+ * In-memory vector store with cosine similarity search.
+ *
+ * Stores pre-computed attack embeddings and finds nearest neighbors
+ * for incoming text. Sub-millisecond for ~2000 vectors at 384 dimensions.
+ *
+ * @module agent-threat-rules/embedding/vector-store
+ */
+export class VectorStore {
+    entries;
+    constructor(entries) {
+        this.entries = entries ?? [];
+    }
+    /** Create new store with additional entries (immutable) */
+    withEntries(newEntries) {
+        return new VectorStore([...this.entries, ...newEntries]);
+    }
+    /**
+     * Find top-K nearest neighbors by cosine similarity.
+     * Only returns results above the threshold.
+     */
+    search(query, topK = 3, threshold = 0.82) {
+        if (this.entries.length === 0)
+            return [];
+        const results = [];
+        for (const entry of this.entries) {
+            const sim = cosineSimilarity(query, entry.vector);
+            if (sim >= threshold) {
+                results.push({ entry, similarity: sim });
+            }
+        }
+        // Sort by similarity descending, take top K
+        results.sort((a, b) => b.similarity - a.similarity);
+        return results.slice(0, topK);
+    }
+    size() {
+        return this.entries.length;
+    }
+}
+/**
+ * Cosine similarity between two vectors.
+ * Returns value between -1 and 1 (1 = identical direction).
+ */
+function cosineSimilarity(a, b) {
+    if (a.length !== b.length)
+        return 0;
+    let dot = 0;
+    let magA = 0;
+    let magB = 0;
+    for (let i = 0; i < a.length; i++) {
+        dot += a[i] * b[i];
+        magA += a[i] * a[i];
+        magB += b[i] * b[i];
+    }
+    const denom = Math.sqrt(magA) * Math.sqrt(magB);
+    if (denom === 0)
+        return 0;
+    return dot / denom;
+}
+/** Load pre-computed embeddings from JSON */
+export function loadVectorEntries(data) {
+    return data.map((d) => ({
+        id: d.id,
+        vector: new Float32Array(d.vector),
+        label: d.label,
+        category: d.category,
+        severity: (d.severity || 'medium'),
+    }));
+}
+//# sourceMappingURL=vector-store.js.map

package/dist/embedding/vector-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vector-store.js","sourceRoot":"","sources":["../../src/embedding/vector-store.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAiBH,MAAM,OAAO,WAAW;IACL,OAAO,CAAyB;IAEjD,YAAY,OAAgC;QAC1C,IAAI,CAAC,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;IAC/B,CAAC;IAED,2DAA2D;IAC3D,WAAW,CAAC,UAAkC;QAC5C,OAAO,IAAI,WAAW,CAAC,CAAC,GAAG,IAAI,CAAC,OAAO,EAAE,GAAG,UAAU,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAmB,EAAE,OAAe,CAAC,EAAE,YAAoB,IAAI;QACpE,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,EAAE,CAAC;QAEzC,MAAM,OAAO,GAAmB,EAAE,CAAC;QAEnC,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,gBAAgB,CAAC,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;YAClD,IAAI,GAAG,IAAI,SAAS,EAAE,CAAC;gBACrB,OAAO,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;QAED,4CAA4C;QAC5C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC;QACpD,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,IAAI;QACF,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC;IAC7B,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,gBAAgB,CAAC,CAAe,EAAE,CAAe;IACxD,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,CAAC,CAAC;IAEpC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,IAAI,GAAG,CAAC,CAAC;IAEb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACrB,IAAI,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QACtB,IAAI,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,IAAI,KAAK,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE1B,OAAO,GAAG,GAAG,KAAK,CAAC;AACrB,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,iBAAiB,CAC/B,IAAoG;IAEpG,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtB,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,MAAM,EAAE,IAAI,YAAY,CAAC,CAAC,CAAC,MAAM,CAAC;QAClC,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,QAAQ,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,QAAQ,CAAgB;KAClD,CAAC,CAAC,CAAC;AACN,CAAC"}

package/dist/engine.d.ts

@@ -0,0 +1,222 @@
+/**
+ * ATR Engine - Evaluates agent events against ATR rules
+ *
+ * Core detection engine that:
+ * 1. Loads ATR YAML rules from disk
+ * 2. Evaluates agent events (LLM I/O, tool calls, behaviors) against rules
+ * 3. Returns matched rules with confidence scores
+ * 4. Supports two condition formats:
+ *    - Array format: conditions is an array of {field, operator, value} objects
+ *    - Named format: conditions is an object map of named condition blocks
+ *
+ * @module agent-threat-rules/engine
+ */
+import type { ATRRule, ATRMatch, AgentEvent, ATRVerdict, ActionResult, ScanResult } from './types.js';
+import type { SessionTracker } from './session-tracker.js';
+import type { ActionExecutor } from './action-executor.js';
+import type { SkillFingerprintStore } from './skill-fingerprint.js';
+import type { SemanticLayerConfig } from './layer-integration.js';
+import type { InvariantChecker } from './tier0-invariant.js';
+import type { BlacklistProvider } from './tier1-blacklist.js';
+import type { EmbeddingModule } from './modules/embedding.js';
+/**
+ * Detection reporter — opt-in callback for feeding scan results back to
+ * ATR Threat Cloud. Every integration endpoint that enables this becomes
+ * a sensor in the global detection network. Anonymized detection events
+ * are aggregated across all endpoints to crystallize new rules.
+ *
+ * Privacy: only ruleId, severity, and scanTarget are reported by default.
+ * No raw content, no PII, no file paths. Platforms can override onDetection
+ * to control exactly what is sent.
+ */
+export interface ATRReporter {
+    /** Called for every match. Implement to POST anonymized data to TC. */
+    readonly onDetection: (report: ATRDetectionReport) => void | Promise<void>;
+    /** Called when a scan completes with zero matches (opt-in). */
+    readonly onClean?: (report: ATRCleanReport) => void | Promise<void>;
+}
+export interface ATRDetectionReport {
+    readonly ruleId: string;
+    readonly severity: string;
+    readonly scanTarget: string;
+    readonly category: string;
+    readonly confidence: number;
+    readonly timestamp: string;
+    /** Content hash (SHA-256) — identifies the scanned artifact without revealing content */
+    readonly contentHash: string;
+}
+export interface ATRCleanReport {
+    readonly rulesEvaluated: number;
+    readonly scanTarget: string;
+    readonly timestamp: string;
+    readonly contentHash: string;
+}
+export interface ATREngineConfig {
+    /** Directory containing ATR rule YAML files */
+    rulesDir?: string;
+    /** Pre-loaded rules (for testing or embedding) */
+    rules?: ATRRule[];
+    /** Optional session tracker for behavioral detection across events */
+    sessionTracker?: SessionTracker;
+    /** Optional Tier 0: Invariant enforcement (hard boundaries, pre-check) */
+    invariantChecker?: InvariantChecker;
+    /** Optional Tier 1: Skill blacklist provider (known-bad lookup) */
+    blacklistProvider?: BlacklistProvider;
+    /** Optional Layer 2: Skill behavioral fingerprinting (no LLM required) */
+    fingerprintStore?: SkillFingerprintStore;
+    /** Optional Tier 2.5: Embedding similarity module (requires @xenova/transformers) */
+    embeddingModule?: EmbeddingModule;
+    /** Optional Layer 3: Semantic LLM-as-judge analysis (requires API key) */
+    semanticModule?: SemanticLayerConfig;
+    /** Optional: detection reporter for feeding results to ATR Threat Cloud */
+    reporter?: ATRReporter;
+}
+export declare class ATREngine {
+    private readonly config;
+    private rules;
+    private readonly compiledPatterns;
+    private readonly semanticModuleInstance;
+    /**
+     * Find bundled rules directory shipped with the npm package.
+     * Checks: ../rules (from dist/), ./rules (repo root)
+     */
+    private findBundledRulesDir;
+    constructor(config?: ATREngineConfig);
+    /**
+     * Load rules from configured directory and/or pre-loaded rules.
+     */
+    loadRules(): Promise<number>;
+    /**
+     * Load a single rule file and add it to the engine.
+     */
+    addRuleFile(filePath: string): void;
+    /**
+     * Add a pre-parsed rule to the engine.
+     */
+    addRule(rule: ATRRule): void;
+    /**
+     * Evaluate an agent event against all loaded ATR rules.
+     * Returns all matching rules with details.
+     */
+    evaluate(event: AgentEvent): ATRMatch[];
+    /**
+     * Evaluate a single rule against an event.
+     * Supports both array-format and named-map-format conditions.
+     */
+    private evaluateRule;
+    /**
+     * Evaluate array-format conditions: [{field, operator, value}, ...]
+     * with condition: "any" | "all"
+     */
+    private evaluateArrayConditions;
+    /**
+     * Evaluate a single array-format condition {field, operator, value}.
+     */
+    private evaluateArrayCondition;
+    /**
+     * Evaluate named-map-format conditions: {name: {field, patterns, match_type}, ...}
+     * with condition: "name1 AND name2" | "name1 OR name2" | "name1"
+     */
+    private evaluateNamedConditions;
+    /**
+     * Evaluate a single named condition against an event.
+     */
+    private evaluateNamedCondition;
+    /**
+     * Evaluate a pattern matching condition (named format with patterns array).
+     */
+    private evaluatePatternCondition;
+    /**
+     * Determine if a rule should suppress matches inside markdown code blocks.
+     * Rules that commonly false-positive on documentation (shell commands, file paths,
+     * code examples) are suppressed. Prompt injection rules are NEVER suppressed
+     * because attackers deliberately hide payloads in code blocks.
+     */
+    private shouldSuppressInCodeBlocks;
+    /**
+     * Evaluate a behavioral threshold condition.
+     * When a session tracker is available and the event has a sessionId,
+     * supports session-derived metrics: call_frequency, pattern_frequency, event_count.
+     */
+    private evaluateBehavioralCondition;
+    /**
+     * Resolve a metric value from event metrics or session tracker.
+     * Session-derived metrics use the format: "call_frequency:toolName" or "pattern_frequency:pattern".
+     */
+    private resolveMetricValue;
+    /**
+     * Parse a window string (e.g. "5m", "1h", "30s") to milliseconds.
+     * Defaults to 5 minutes if not specified or unparseable.
+     */
+    private parseWindowMs;
+    /**
+     * Evaluate a sequence condition against the current event.
+     *
+     * Two modes:
+     * 1. Session-aware (when SessionTracker + sessionId available):
+     *    Checks patterns across historical events in the session.
+     *    Respects `ordered` flag and `within` time window.
+     * 2. Single-event fallback: checks if patterns co-occur in one event.
+     */
+    private evaluateSequenceCondition;
+    /**
+     * Cross-event sequence detection using SessionTracker.
+     * Checks if step patterns have been seen across events in order.
+     */
+    private evaluateSequenceAcrossSession;
+    /**
+     * Single-event fallback: check if step patterns co-occur in one event.
+     */
+    private evaluateSequenceSingleEvent;
+    /**
+     * Resolve a field value from an agent event.
+     */
+    private resolveField;
+    /**
+     * Evaluate a boolean expression string against condition results.
+     * Supports AND, OR, NOT operators.
+     */
+    private evaluateExpression;
+    /**
+     * Split expression by operator, respecting parentheses.
+     */
+    private splitByOperator;
+    /**
+     * Pre-compile regex patterns for a rule (performance optimization).
+     * Supports both array-format and named-map-format conditions.
+     */
+    private compilePatterns;
+    /**
+     * Evaluate an event and compute a verdict with optional action execution.
+     *
+     * Combines evaluate() + computeVerdict() + optional ActionExecutor
+     * into a single call for convenience.
+     */
+    evaluateWithVerdict(event: AgentEvent, executor?: ActionExecutor): Promise<{
+        verdict: ATRVerdict;
+        actionResults: readonly ActionResult[];
+        layersUsed: readonly string[];
+    }>;
+    /** Get loaded rule count */
+    getRuleCount(): number;
+    /** Get all loaded rules */
+    getRules(): readonly ATRRule[];
+    /** Get a rule by ID */
+    getRuleById(id: string): ATRRule | undefined;
+    /** Get rules by category */
+    getRulesByCategory(category: string): ATRRule[];
+    /**
+     * Scan SKILL.md content for threats.
+     * All rules fire with scanContext='skill':
+     *   - skill/both rules: native context, full confidence
+     *   - MCP-only rules: cross-context, confidence * 0.6
+     * Also decodes base64 blocks and scans decoded content.
+     * Code-block suppression and FP denylist applied in evaluate().
+     */
+    scanSkill(content: string): ATRMatch[];
+    /** Scan a SKILL.md file and return a unified ScanResult with content_hash. */
+    scanSkillFull(content: string, filePath?: string): ScanResult;
+    /** Evaluate an MCP agent event and return a unified ScanResult with content_hash. */
+    evaluateFull(event: AgentEvent, filePath?: string): ScanResult;
+}
+//# sourceMappingURL=engine.d.ts.map

package/dist/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EACV,OAAO,EACP,QAAQ,EACR,UAAU,EAGV,UAAU,EACV,YAAY,EACZ,UAAU,EAEX,MAAM,YAAY,CAAC;AAKpB,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAC3D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,wBAAwB,CAAC;AAEpE,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,wBAAwB,CAAC;AAQlE,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AAE9D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AA0G9D;;;;;;;;;GASG;AACH,MAAM,WAAW,WAAW;IAC1B,uEAAuE;IACvE,QAAQ,CAAC,WAAW,EAAE,CAAC,MAAM,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3E,+DAA+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,yFAAyF;IACzF,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAC;IAChC,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;IAC5B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;CAC9B;AAED,MAAM,WAAW,eAAe;IAC9B,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,kDAAkD;IAClD,KAAK,CAAC,EAAE,OAAO,EAAE,CAAC;IAClB,sEAAsE;IACtE,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IACpC,mEAAmE;IACnE,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;IACtC,0EAA0E;IAC1E,gBAAgB,CAAC,EAAE,qBAAqB,CAAC;IACzC,qFAAqF;IACrF,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,0EAA0E;IAC1E,cAAc,CAAC,EAAE,mBAAmB,CAAC;IACrC,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,WAAW,CAAC;CACxB;AAED,qBAAa,SAAS;IAwBR,OAAO,CAAC,QAAQ,CAAC,MAAM;IAvBnC,OAAO,CAAC,KAAK,CAAiB;IAC9B,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA4C;IAC7E,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAwB;IAE/D;;;OAGG;IACH,OAAO,CAAC,mBAAmB;gBAeE,MAAM,GAAE,eAAoB;IAUzD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC;IA2BlC;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI;IAMnC;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,OAAO,GAAG,IAAI;IAK5B;;;OAGG;IACH,QAAQ,CAAC,KAAK,EAAE,UAAU,GAAG,QAAQ,EAAE;IAiIvC;;;OAGG;IACH,OAAO,CAAC,YAAY;IAapB;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAwC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAgF9B;;;OAGG;IACH,OAAO,CAAC,uBAAuB;IAoC/B;;OAEG;IACH,OAAO,CAAC,sBAAsB;IAiC9B;;OAEG;IACH,OAAO,CAAC,wBAAwB;IAuFhC;;;;;OAKG;IACH,OAAO,CAAC,0BAA0B;IAwBlC;;;;OAIG;IACH,OAAO,CAAC,2BAA2B;IAoBnC;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAgC1B;;;OAGG;IACH,OAAO,CAAC,aAAa;IAiBrB;;;;;;;;OAQG;IACH,OAAO,CAAC,yBAAyB;IAmBjC;;;OAGG;IACH,OAAO,CAAC,6BAA6B;IAyErC;;OAEG;IACH,OAAO,CAAC,2BAA2B;IA4BnC;;OAEG;IACH,OAAO,CAAC,YAAY;IAuCpB;;;OAGG;IACH,OAAO,CAAC,kBAAkB;IAsC1B;;OAEG;IACH,OAAO,CAAC,eAAe;IAgCvB;;;OAGG;IACH,OAAO,CAAC,eAAe;IAoDvB;;;;;OAKG;IACG,mBAAmB,CACvB,KAAK,EAAE,UAAU,EACjB,QAAQ,CAAC,EAAE,cAAc,GACxB,OAAO,CAAC;QACT,OAAO,EAAE,UAAU,CAAC;QACpB,aAAa,EAAE,SAAS,YAAY,EAAE,CAAC;QACvC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;KAC/B,CAAC;IAuGF,4BAA4B;IAC5B,YAAY,IAAI,MAAM;IAItB,2BAA2B;IAC3B,QAAQ,IAAI,SAAS,OAAO,EAAE;IAI9B,uBAAuB;IACvB,WAAW,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,GAAG,SAAS;IAI5C,4BAA4B;IAC5B,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,EAAE;IAI/C;;;;;;;OAOG;IACH,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE;IA4BtC,8EAA8E;IAC9E,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;IAa7D,qFAAqF;IACrF,YAAY,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,UAAU;CAgB/D"}