@path58/n8n-mcp 0.1.0

package/dist/validation/l6-checks/security.js

@@ -0,0 +1,273 @@
+/**
+ * L6 Security Checks
+ *
+ * RAG-2.2.40: L6 Pattern Validation
+ * Created: January 5, 2026
+ *
+ * Validates security best practices:
+ * - HARDCODED_SECRET: API keys, passwords, tokens in plaintext
+ * - HARDCODED_URL: Production URLs hardcoded (should use environment variables)
+ *
+ * Note: Security issues are flagged but NOT auto-fixable (per PM requirement)
+ */
+import { getL6Severity, blocksCertification } from '../config/l6-severity.js';
+/**
+ * Patterns that indicate hardcoded secrets
+ */
+const SECRET_PATTERNS = [
+    // API keys
+    /api[_-]?key/i,
+    /apikey/i,
+    /access[_-]?key/i,
+    /secret[_-]?key/i,
+    // Tokens
+    /bearer[_-]?token/i,
+    /auth[_-]?token/i,
+    /access[_-]?token/i,
+    /refresh[_-]?token/i,
+    // Passwords
+    /password/i,
+    /passwd/i,
+    /pwd/i,
+    // Credentials
+    /credentials/i,
+    /client[_-]?secret/i,
+    /private[_-]?key/i,
+    // Common formats
+    /[a-f0-9]{32,}/i, // Long hex strings (API keys often use this format)
+    /sk_live_[a-zA-Z0-9]{24,}/i, // Stripe secret keys
+    /ghp_[a-zA-Z0-9]{36,}/i, // GitHub personal access tokens
+];
+/**
+ * Patterns that indicate production URLs
+ */
+const URL_PATTERNS = [
+    /https?:\/\/api\./i,
+    /https?:\/\/.*\.com/i,
+    /https?:\/\/.*\.net/i,
+    /https?:\/\/.*\.org/i,
+    /https?:\/\/.*\.io/i,
+    /https?:\/\/production\./i,
+    /https?:\/\/prod\./i,
+];
+/**
+ * Check if a value looks like a hardcoded secret
+ */
+function looksLikeSecret(key, value) {
+    if (typeof value !== 'string') {
+        return false;
+    }
+    // Check if key name matches secret patterns
+    const keyMatchesPattern = SECRET_PATTERNS.some((pattern) => pattern.test(key));
+    // Check if value looks like a secret (long alphanumeric string)
+    const valueIsLongString = value.length > 20 && /^[a-zA-Z0-9_-]+$/.test(value);
+    // Check if value matches specific secret formats
+    const valueMatchesPattern = SECRET_PATTERNS.slice(-3).some((pattern) => pattern.test(value));
+    return keyMatchesPattern && (valueIsLongString || valueMatchesPattern);
+}
+/**
+ * Check if a value looks like a production URL
+ */
+function looksLikeProductionUrl(value) {
+    if (typeof value !== 'string') {
+        return false;
+    }
+    return URL_PATTERNS.some((pattern) => pattern.test(value));
+}
+/**
+ * Scan object for potential secrets and URLs
+ * Returns both errors (HARDCODED_SECRET) and warnings (HARDCODED_URL)
+ */
+function scanForSecrets(obj, path, nodeName, nodeType) {
+    const errors = [];
+    const warnings = [];
+    if (!obj || typeof obj !== 'object') {
+        return { errors, warnings };
+    }
+    for (const [key, value] of Object.entries(obj)) {
+        const fullPath = path ? `${path}.${key}` : key;
+        // Check for hardcoded secrets (ERROR - critical security issue)
+        if (looksLikeSecret(key, value)) {
+            const code = 'HARDCODED_SECRET';
+            errors.push({
+                code: 'HARDCODED_SECRET',
+                message: `Possible hardcoded secret detected in "${fullPath}". Secrets should be stored in environment variables or credentials.`,
+                path: fullPath,
+                node_name: nodeName,
+                node_type: nodeType,
+                severity: getL6Severity(code),
+                blocks_certification: blocksCertification(code),
+                details: {
+                    field_name: key,
+                    value_length: typeof value === 'string' ? value.length : 0,
+                },
+                suggested_fix: {
+                    id: `fix-secret-${nodeName}-${fullPath}`,
+                    fix_type: 'add_error_handling', // Repurposed for security
+                    confidence: 0.0, // Zero confidence - manual review required
+                    auto_applicable: false,
+                    description: `Move secret from "${fullPath}" to environment variable or credential`,
+                    target_node: nodeName,
+                    patch: {},
+                    context: {
+                        security_issue: 'hardcoded_secret',
+                        recommendation: 'Use {{ $env.API_KEY }} or configure in credentials',
+                        field: fullPath,
+                    },
+                },
+            });
+        }
+        // Check for hardcoded production URLs (treated as error for checkHardcodedSecrets)
+        if (looksLikeProductionUrl(value)) {
+            const code = 'HARDCODED_URL';
+            errors.push({
+                code: 'HARDCODED_URL',
+                message: `Production URL hardcoded in "${fullPath}". URLs should be stored in environment variables.`,
+                path: fullPath,
+                node_name: nodeName,
+                node_type: nodeType,
+                severity: getL6Severity(code),
+                blocks_certification: blocksCertification(code),
+                details: {
+                    url: typeof value === 'string' ? value.substring(0, 50) : '',
+                },
+                suggested_fix: {
+                    id: `fix-url-${nodeName}-${fullPath}`,
+                    fix_type: 'add_error_handling', // Repurposed for security
+                    confidence: 0.0, // Zero confidence - manual review required
+                    auto_applicable: false,
+                    description: `Move URL from "${fullPath}" to environment variable`,
+                    target_node: nodeName,
+                    patch: {},
+                    context: {
+                        security_issue: 'hardcoded_url',
+                        recommendation: 'Use {{ $env.API_URL }} instead of hardcoded URL',
+                        field: fullPath,
+                        current_url: typeof value === 'string' ? value.substring(0, 100) : '',
+                    },
+                },
+            });
+        }
+        // Recursively check nested objects
+        if (typeof value === 'object' && value !== null) {
+            const nested = scanForSecrets(value, fullPath, nodeName, nodeType);
+            errors.push(...nested.errors);
+            warnings.push(...nested.warnings);
+        }
+    }
+    return { errors, warnings };
+}
+/**
+ * Check 1: HARDCODED_SECRET (ERROR) and HARDCODED_URL (ERROR)
+ * Detect potential API keys, passwords, tokens in plaintext
+ */
+export function checkHardcodedSecrets(context) {
+    const { workflow } = context;
+    const errors = [];
+    // Guard: malformed workflow JSON should not crash L6.
+    if (!workflow.nodes || !Array.isArray(workflow.nodes)) {
+        return errors;
+    }
+    for (const node of workflow.nodes) {
+        const result = scanForSecrets(node.parameters, `nodes.${node.name}.parameters`, node.name, node.type);
+        errors.push(...result.errors);
+    }
+    return errors;
+}
+/**
+ * Check 2: HARDCODED_URL
+ * Detect production URLs that should be in environment variables
+ *
+ * Note: HARDCODED_URL is now detected as an error in checkHardcodedSecrets().
+ * This function is kept for backward compatibility but returns empty.
+ */
+export function checkHardcodedUrls(_context) {
+    // HARDCODED_URL is now returned as an error from checkHardcodedSecrets()
+    return [];
+}
+/**
+ * Check 3: MISSING_WEBHOOK_AUTH
+ * Detect webhook triggers that accept mutating requests without authentication
+ *
+ * RAG-2.2.77: New pattern check
+ *
+ * Only warns for POST, PUT, DELETE, PATCH methods - GET is allowed without auth
+ */
+export function checkMissingWebhookAuth(context) {
+    const { workflow } = context;
+    const warnings = [];
+    // Guard: Ensure workflow.nodes exists
+    if (!workflow.nodes || !Array.isArray(workflow.nodes)) {
+        return warnings;
+    }
+    // Find webhook nodes
+    const webhooks = workflow.nodes.filter(n => n.type === 'n8n-nodes-base.webhook');
+    for (const webhook of webhooks) {
+        const auth = webhook.parameters?.authentication;
+        const rawHttpMethod = webhook.parameters?.httpMethod;
+        // httpMethod can be a string, array of strings, or undefined
+        // Normalize to array for consistent handling
+        const httpMethods = Array.isArray(rawHttpMethod)
+            ? rawHttpMethod.filter((m) => typeof m === 'string')
+            : typeof rawHttpMethod === 'string'
+                ? [rawHttpMethod]
+                : ['GET']; // Default to GET if not specified
+        // Only warn for mutating methods without auth
+        const mutatingMethods = ['POST', 'PUT', 'DELETE', 'PATCH'];
+        const hasMutatingMethod = httpMethods.some(m => mutatingMethods.includes(m.toUpperCase()));
+        if (hasMutatingMethod && (!auth || auth === 'none')) {
+            const mutatingMethodsUsed = httpMethods.filter(m => mutatingMethods.includes(m.toUpperCase()));
+            const methodDisplay = mutatingMethodsUsed.join(', ');
+            const code = 'MISSING_WEBHOOK_AUTH';
+            warnings.push({
+                code: 'MISSING_WEBHOOK_AUTH',
+                message: `Webhook "${webhook.name}" accepts ${methodDisplay} requests without authentication - potential security risk`,
+                node_name: webhook.name,
+                node_type: webhook.type,
+                severity: getL6Severity(code),
+                blocks_certification: blocksCertification(code),
+                details: {
+                    http_method: methodDisplay,
+                    http_methods: mutatingMethodsUsed,
+                    current_auth: auth || 'none',
+                },
+                suggested_fix: {
+                    id: `fix-webhook-auth-${webhook.name}-${Date.now()}`,
+                    fix_type: 'add_auth',
+                    confidence: 0.7,
+                    auto_applicable: false,
+                    description: 'Add authentication (Basic Auth, Header Auth, or JWT)',
+                    target_node: webhook.name,
+                    patch: {},
+                    context: {
+                        http_method: methodDisplay,
+                        suggested_auth_options: ['basicAuth', 'headerAuth', 'jwt'],
+                    },
+                },
+            });
+        }
+    }
+    return warnings;
+}
+/**
+ * Run all security checks in parallel
+ *
+ * RAG-2.2.77: Added MISSING_WEBHOOK_AUTH check
+ */
+export async function checkSecurity(context) {
+    if (context.options?.skipSecurityCheck) {
+        return { errors: [], warnings: [] };
+    }
+    const startTime = performance.now();
+    // Security checks scan the same data, but split into errors vs warnings for gating policy.
+    // RAG-2.2.77: Added webhookAuthWarnings
+    const errors = checkHardcodedSecrets(context);
+    const urlWarnings = checkHardcodedUrls(context);
+    const webhookAuthWarnings = checkMissingWebhookAuth(context);
+    const duration = performance.now() - startTime;
+    return {
+        errors,
+        warnings: [...urlWarnings, ...webhookAuthWarnings],
+    };
+}
+//# sourceMappingURL=security.js.map

package/dist/validation/l6-checks/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../../src/validation/l6-checks/security.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE3E;;GAEG;AACH,MAAM,eAAe,GAAG;IACtB,WAAW;IACX,cAAc;IACd,SAAS;IACT,iBAAiB;IACjB,iBAAiB;IAEjB,SAAS;IACT,mBAAmB;IACnB,iBAAiB;IACjB,mBAAmB;IACnB,oBAAoB;IAEpB,YAAY;IACZ,WAAW;IACX,SAAS;IACT,MAAM;IAEN,cAAc;IACd,cAAc;IACd,oBAAoB;IACpB,kBAAkB;IAElB,iBAAiB;IACjB,gBAAgB,EAAE,oDAAoD;IACtE,2BAA2B,EAAE,qBAAqB;IAClD,uBAAuB,EAAE,gCAAgC;CAC1D,CAAC;AAEF;;GAEG;AACH,MAAM,YAAY,GAAG;IACnB,mBAAmB;IACnB,qBAAqB;IACrB,qBAAqB;IACrB,qBAAqB;IACrB,oBAAoB;IACpB,0BAA0B;IAC1B,oBAAoB;CACrB,CAAC;AAEF;;GAEG;AACH,SAAS,eAAe,CAAC,GAAW,EAAE,KAAc;IAClD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,4CAA4C;IAC5C,MAAM,iBAAiB,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAE/E,gEAAgE;IAChE,MAAM,iBAAiB,GAAG,KAAK,CAAC,MAAM,GAAG,EAAE,IAAI,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAE9E,iDAAiD;IACjD,MAAM,mBAAmB,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CACrE,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CACpB,CAAC;IAEF,OAAO,iBAAiB,IAAI,CAAC,iBAAiB,IAAI,mBAAmB,CAAC,CAAC;AACzE,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAAC,KAAc;IAC5C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,SAAS,cAAc,CACrB,GAAY,EACZ,IAAY,EACZ,QAAgB,EAChB,QAAgB;IAEhB,MAAM,MAAM,GAAc,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;IAC9B,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAE/C,gEAAgE;QAChE,IAAI,eAAe,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,CAAC;YAChC,MAAM,IAAI,GAAG,kBAAkB,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,0CAA0C,QAAQ,sEAAsE;gBACjI,IAAI,EAAE,QAAQ;gBACd,SAAS,EAAE,QAAQ;gBACnB,SAAS,EAAE,QAAQ;gBACnB,QAAQ,EAAE,aAAa,CAAC,IAAI,CAAC;gBAC7B,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC;gBAC/C,OAAO,EAAE;oBACP,UAAU,EAAE,GAAG;oBACf,YAAY,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;iBAC3D;gBACD,aAAa,EAAE;oBACb,EAAE,EAAE,cAAc,QAAQ,IAAI,QAAQ,EAAE;oBACxC,QAAQ,EAAE,oBAAoB,EAAE,0BAA0B;oBAC1D,UAAU,EAAE,GAAG,EAAE,2CAA2C;oBAC5D,eAAe,EAAE,KAAK;oBACtB,WAAW,EAAE,qBAAqB,QAAQ,yCAAyC;oBACnF,WAAW,EAAE,QAAQ;oBACrB,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,cAAc,EAAE,oDAAoD;wBACpE,KAAK,EAAE,QAAQ;qBAChB;iBACF;aACF,CAAC,CAAC;QACL,CAAC;QAED,mFAAmF;QACnF,IAAI,sBAAsB,CAAC,KAAK,CAAC,EAAE,CAAC;YAClC,MAAM,IAAI,GAAG,eAAe,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,gCAAgC,QAAQ,oDAAoD;gBACrG,IAAI,EAAE,QAAQ;gBACd,SAAS,EAAE,QAAQ;gBACnB,SAAS,EAAE,QAAQ;gBACnB,QAAQ,EAAE,aAAa,CAAC,IAAI,CAAC;gBAC7B,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC;gBAC/C,OAAO,EAAE;oBACP,GAAG,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE;iBAC7D;gBACD,aAAa,EAAE;oBACb,EAAE,EAAE,WAAW,QAAQ,IAAI,QAAQ,EAAE;oBACrC,QAAQ,EAAE,oBAAoB,EAAE,0BAA0B;oBAC1D,UAAU,EAAE,GAAG,EAAE,2CAA2C;oBAC5D,eAAe,EAAE,KAAK;oBACtB,WAAW,EAAE,kBAAkB,QAAQ,2BAA2B;oBAClE,WAAW,EAAE,QAAQ;oBACrB,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,cAAc,EAAE,eAAe;wBAC/B,cAAc,EAAE,iDAAiD;wBACjE,KAAK,EAAE,QAAQ;wBACf,WAAW,EAAE,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE;qBACtE;iBACF;aACF,CAAC,CAAC;QACL,CAAC;QAED,mCAAmC;QACnC,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAChD,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;YACnE,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;YAC9B,QAAQ,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC;AAC9B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAkB;IACtD,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAC7B,MAAM,MAAM,GAAc,EAAE,CAAC;IAE7B,sDAAsD;IACtD,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,cAAc,CAC3B,IAAI,CAAC,UAAU,EACf,SAAS,IAAI,CAAC,IAAI,aAAa,EAC/B,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,IAAI,CACV,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAmB;IACpD,yEAAyE;IACzE,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAkB;IACxD,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;IAC7B,MAAM,QAAQ,GAAgB,EAAE,CAAC;IAEjC,sCAAsC;IACtC,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACtD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,qBAAqB;IACrB,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACzC,CAAC,CAAC,IAAI,KAAK,wBAAwB,CACpC,CAAC;IAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,UAAU,EAAE,cAAoC,CAAC;QACtE,MAAM,aAAa,GAAG,OAAO,CAAC,UAAU,EAAE,UAAU,CAAC;QAErD,6DAA6D;QAC7D,6CAA6C;QAC7C,MAAM,WAAW,GAAa,KAAK,CAAC,OAAO,CAAC,aAAa,CAAC;YACxD,CAAC,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC;YACjE,CAAC,CAAC,OAAO,aAAa,KAAK,QAAQ;gBACjC,CAAC,CAAC,CAAC,aAAa,CAAC;gBACjB,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,kCAAkC;QAEjD,8CAA8C;QAC9C,MAAM,eAAe,GAAG,CAAC,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,iBAAiB,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAC7C,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC1C,CAAC;QAEF,IAAI,iBAAiB,IAAI,CAAC,CAAC,IAAI,IAAI,IAAI,KAAK,MAAM,CAAC,EAAE,CAAC;YACpD,MAAM,mBAAmB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACjD,eAAe,CAAC,QAAQ,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAC1C,CAAC;YACF,MAAM,aAAa,GAAG,mBAAmB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrD,MAAM,IAAI,GAAG,sBAAsB,CAAC;YACpC,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,YAAY,OAAO,CAAC,IAAI,aAAa,aAAa,4DAA4D;gBACvH,SAAS,EAAE,OAAO,CAAC,IAAI;gBACvB,SAAS,EAAE,OAAO,CAAC,IAAI;gBACvB,QAAQ,EAAE,aAAa,CAAC,IAAI,CAAC;gBAC7B,oBAAoB,EAAE,mBAAmB,CAAC,IAAI,CAAC;gBAC/C,OAAO,EAAE;oBACP,WAAW,EAAE,aAAa;oBAC1B,YAAY,EAAE,mBAAmB;oBACjC,YAAY,EAAE,IAAI,IAAI,MAAM;iBAC7B;gBACD,aAAa,EAAE;oBACb,EAAE,EAAE,oBAAoB,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,GAAG,EAAE,EAAE;oBACpD,QAAQ,EAAE,UAAU;oBACpB,UAAU,EAAE,GAAG;oBACf,eAAe,EAAE,KAAK;oBACtB,WAAW,EAAE,sDAAsD;oBACnE,WAAW,EAAE,OAAO,CAAC,IAAI;oBACzB,KAAK,EAAE,EAAE;oBACT,OAAO,EAAE;wBACP,WAAW,EAAE,aAAa;wBAC1B,sBAAsB,EAAE,CAAC,WAAW,EAAE,YAAY,EAAE,KAAK,CAAC;qBAC3D;iBACF;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,OAAkB;IAIpD,IAAI,OAAO,CAAC,OAAO,EAAE,iBAAiB,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC;IACtC,CAAC;IAED,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,2FAA2F;IAC3F,wCAAwC;IACxC,MAAM,MAAM,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAC;IAC9C,MAAM,WAAW,GAAG,kBAAkB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,mBAAmB,GAAG,uBAAuB,CAAC,OAAO,CAAC,CAAC;IAE7D,MAAM,QAAQ,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;IAE/C,OAAO;QACL,MAAM;QACN,QAAQ,EAAE,CAAC,GAAG,WAAW,EAAE,GAAG,mBAAmB,CAAC;KACnD,CAAC;AACJ,CAAC"}