@pentoshi/clai 0.10.5 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +32 -0
- package/dist/agent/runner.js +41 -3
- package/dist/agent/runner.js.map +1 -1
- package/dist/commands/providers.js +28 -0
- package/dist/commands/providers.js.map +1 -1
- package/dist/commands/search-providers.d.ts +50 -0
- package/dist/commands/search-providers.js +134 -0
- package/dist/commands/search-providers.js.map +1 -0
- package/dist/commands/update.js +1 -1
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -1
- package/dist/llm/provider.js +9 -6
- package/dist/llm/provider.js.map +1 -1
- package/dist/prompts/index.d.ts +1 -1
- package/dist/prompts/index.js +6 -0
- package/dist/prompts/index.js.map +1 -1
- package/dist/safety/classifier.js +40 -0
- package/dist/safety/classifier.js.map +1 -1
- package/dist/store/config.d.ts +5 -0
- package/dist/store/config.js +7 -0
- package/dist/store/config.js.map +1 -1
- package/dist/store/keys.d.ts +65 -0
- package/dist/store/keys.js +164 -28
- package/dist/store/keys.js.map +1 -1
- package/dist/tools/http.d.ts +12 -1
- package/dist/tools/http.js +8 -43
- package/dist/tools/http.js.map +1 -1
- package/dist/tools/registry.js +52 -0
- package/dist/tools/registry.js.map +1 -1
- package/dist/tools/shell.d.ts +25 -0
- package/dist/tools/shell.js +155 -6
- package/dist/tools/shell.js.map +1 -1
- package/dist/tools/web/audit.d.ts +154 -0
- package/dist/tools/web/audit.js +147 -0
- package/dist/tools/web/audit.js.map +1 -0
- package/dist/tools/web/budget.d.ts +76 -0
- package/dist/tools/web/budget.js +187 -0
- package/dist/tools/web/budget.js.map +1 -0
- package/dist/tools/web/capture.d.ts +201 -0
- package/dist/tools/web/capture.js +380 -0
- package/dist/tools/web/capture.js.map +1 -0
- package/dist/tools/web/fetch-core.d.ts +66 -0
- package/dist/tools/web/fetch-core.js +1123 -0
- package/dist/tools/web/fetch-core.js.map +1 -0
- package/dist/tools/web/fetch.d.ts +42 -0
- package/dist/tools/web/fetch.js +115 -0
- package/dist/tools/web/fetch.js.map +1 -0
- package/dist/tools/web/providers/brave.d.ts +46 -0
- package/dist/tools/web/providers/brave.js +263 -0
- package/dist/tools/web/providers/brave.js.map +1 -0
- package/dist/tools/web/providers/duckduckgo.d.ts +47 -0
- package/dist/tools/web/providers/duckduckgo.js +248 -0
- package/dist/tools/web/providers/duckduckgo.js.map +1 -0
- package/dist/tools/web/providers/provider.d.ts +99 -0
- package/dist/tools/web/providers/provider.js +38 -0
- package/dist/tools/web/providers/provider.js.map +1 -0
- package/dist/tools/web/providers/tavily.d.ts +52 -0
- package/dist/tools/web/providers/tavily.js +285 -0
- package/dist/tools/web/providers/tavily.js.map +1 -0
- package/dist/tools/web/readable.d.ts +67 -0
- package/dist/tools/web/readable.js +248 -0
- package/dist/tools/web/readable.js.map +1 -0
- package/dist/tools/web/redact.d.ts +120 -0
- package/dist/tools/web/redact.js +155 -0
- package/dist/tools/web/redact.js.map +1 -0
- package/dist/tools/web/search.d.ts +51 -0
- package/dist/tools/web/search.js +389 -0
- package/dist/tools/web/search.js.map +1 -0
- package/dist/tools/web/ssrf-guard.d.ts +85 -0
- package/dist/tools/web/ssrf-guard.js +265 -0
- package/dist/tools/web/ssrf-guard.js.map +1 -0
- package/dist/tools/web/types.d.ts +331 -0
- package/dist/tools/web/types.js +71 -0
- package/dist/tools/web/types.js.map +1 -0
- package/dist/ui/spinner.js +87 -14
- package/dist/ui/spinner.js.map +1 -1
- package/package.json +3 -1
package/dist/llm/provider.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/llm/provider.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAyB1C,MAAM,CAAC,MAAM,eAAe,GAA+B;IACzD,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,QAAQ;IAChB,UAAU,EAAE,YAAY;IACxB,MAAM,EAAE,QAAQ;IAChB,SAAS,EAAE,WAAW;IACtB,MAAM,EAAE,WAAW;IACnB,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,QAAQ;IACb,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,aAAa;IAC1B,cAAc,EAAE,aAAa;IAC7B,MAAM,EAAE,aAAa;IACrB,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAA+B;IACvD,IAAI,EAAE,yBAAyB;IAC/B,MAAM,EAAE,kBAAkB;IAC1B,UAAU,EAAE,wCAAwC;IACpD,MAAM,EAAE,aAAa;IACrB,SAAS,EAAE,yBAAyB;IACpC,MAAM,EAAE,oBAAoB;IAC5B,WAAW,EAAE,2BAA2B;IACxC,MAAM,EAAE,aAAa;CACtB,CAAC;AAEF,MAAM,wBAAwB,GAAwD;IACpF,IAAI,EAAE;QACJ,cAAc,EAAE,sBAAsB;QACtC,6BAA6B,EAAE,qBAAqB;QACpD,+BAA+B,EAAE,yBAAyB;QAC1D,iBAAiB,EAAE,yBAAyB;QAC5C,gBAAgB,EAAE,sBAAsB;QACxC,+CAA+C,EAC7C,2CAA2C;KAC9C;IACD,MAAM,EAAE;QACN,yEAAyE;QACzE,0DAA0D;QAC1D,wCAAwC,EAAE,aAAa,CAAC,MAAM;KAC/D;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAA2C;IAC7D,IAAI,EAAE,cAAc;IACpB,MAAM,EAAE,gBAAgB;IACxB,UAAU,EAAE,oBAAoB;IAChC,MAAM,EAAE,gBAAgB;IACxB,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,gBAAgB;IACxB,WAAW,EAAE,qBAAqB;IAClC,MAAM,EAAE,aAAa;CACtB,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,OAAO,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,2BAA2B,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAoB;IAClD,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAoB,EAAE,KAAa;IACvE,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,WAAW,GACf,wBAAwB,CAAC,QAAQ,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,OAAO,WAAW,IAAI,UAAU,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,
|
|
1
|
+
{"version":3,"file":"provider.js","sourceRoot":"","sources":["../../src/llm/provider.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAyB1C,MAAM,CAAC,MAAM,eAAe,GAA+B;IACzD,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,MAAM,EAAE,QAAQ;IAChB,UAAU,EAAE,YAAY;IACxB,MAAM,EAAE,QAAQ;IAChB,SAAS,EAAE,WAAW;IACtB,MAAM,EAAE,WAAW;IACnB,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,QAAQ;IACb,IAAI,EAAE,QAAQ;IACd,WAAW,EAAE,aAAa;IAC1B,cAAc,EAAE,aAAa;IAC7B,MAAM,EAAE,aAAa;IACrB,MAAM,EAAE,QAAQ;IAChB,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAA+B;IACvD,IAAI,EAAE,yBAAyB;IAC/B,MAAM,EAAE,kBAAkB;IAC1B,UAAU,EAAE,wCAAwC;IACpD,MAAM,EAAE,aAAa;IACrB,SAAS,EAAE,yBAAyB;IACpC,MAAM,EAAE,oBAAoB;IAC5B,WAAW,EAAE,2BAA2B;IACxC,MAAM,EAAE,aAAa;CACtB,CAAC;AAEF,MAAM,wBAAwB,GAAwD;IACpF,IAAI,EAAE;QACJ,cAAc,EAAE,sBAAsB;QACtC,6BAA6B,EAAE,qBAAqB;QACpD,+BAA+B,EAAE,yBAAyB;QAC1D,iBAAiB,EAAE,yBAAyB;QAC5C,gBAAgB,EAAE,sBAAsB;QACxC,+CAA+C,EAC7C,2CAA2C;KAC9C;IACD,MAAM,EAAE;QACN,yEAAyE;QACzE,0DAA0D;QAC1D,wCAAwC,EAAE,aAAa,CAAC,MAAM;KAC/D;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,OAAO,GAA2C;IAC7D,IAAI,EAAE,cAAc;IACpB,MAAM,EAAE,gBAAgB;IACxB,UAAU,EAAE,oBAAoB;IAChC,MAAM,EAAE,gBAAgB;IACxB,SAAS,EAAE,mBAAmB;IAC9B,MAAM,EAAE,gBAAgB;IACxB,WAAW,EAAE,qBAAqB;IAClC,MAAM,EAAE,aAAa;CACtB,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,OAAO,eAAe,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,KAAa;IAC1C,MAAM,QAAQ,GAAG,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CACb,yBAAyB,KAAK,2BAA2B,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,QAAoB;IAClD,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,QAAoB,EAAE,KAAa;IACvE,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,WAAW,GACf,wBAAwB,CAAC,QAAQ,CAAC,EAAE,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC;IACjE,OAAO,WAAW,IAAI,UAAU,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,sEAAsE;IACtE,sEAAsE;IACtE,sEAAsE;IACtE,kEAAkE;IAClE,qCAAqC;IACrC,MAAM,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC;IACxB,IAAI,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAChC,OAAO,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9C,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,OAAO,KAAK;SACT,OAAO,CAAC,qBAAqB,EAAE,YAAY,CAAC;SAC5C,OAAO,CAAC,qBAAqB,EAAE,YAAY,CAAC;SAC5C,OAAO,CAAC,oBAAoB,EAAE,WAAW,CAAC;SAC1C,OAAO,CAAC,uBAAuB,EAAE,cAAc,CAAC;SAChD,OAAO,CAAC,wBAAwB,EAAE,eAAe,CAAC;SAClD,OAAO,CAAC,uBAAuB,EAAE,cAAc,CAAC,CAAC;AACtD,CAAC"}
|
package/dist/prompts/index.d.ts
CHANGED
|
@@ -4,6 +4,6 @@
|
|
|
4
4
|
* not part of the public API.
|
|
5
5
|
*/
|
|
6
6
|
export declare const _ASK_TEMPLATE = "You are clai in /ask mode \u2014 a cybersecurity and pentesting assistant. Do NOT execute anything.\nOS: {{os}} | Shell: {{shell}} | CWD: {{cwd}}\n\nFor every user request, respond with:\n1. One-line summary of what the user is trying to achieve\n2. Exact commands for their OS with the recommended tool flags\n3. What each command does and expected output\n4. Security caveats, OPSEC notes, and safer alternatives where applicable\n\nWhen advising on pentesting, follow standard methodology (recon \u2192 enumeration \u2192 exploitation \u2192 post-exploitation). Always note which phase the user is in and suggest logical next steps.";
|
|
7
|
-
export declare const _AGENT_TEMPLATE = "You are clai, a terminal AI agent specialized in cybersecurity, pentesting, and sysadmin.\nOS: {{os}} | Shell: {{shell}} | CWD: {{cwd}}\n\nTOOLS (use EXACT arg names \u2014 wrong names = failure):\n- shell.exec: {\"command\":\"<cmd>\"} \u2014 run any shell command. Optional: {\"command\":\"...\",\"cwd\":\"/path\",\"timeoutMs\":300000}\n- fs.read: {\"path\":\"<file>\"} \u2014 read a file\n- fs.write: {\"path\":\"<file>\",\"content\":\"<data>\"} \u2014 write a file\n- fs.list: {\"path\":\"<dir>\"} \u2014 list directory\n- fs.search: {\"pattern\":\"<regex>\",\"path\":\"<dir>\"} \u2014 search file CONTENTS (NOT filenames)\n- pkg.install: {\"tool\":\"<name>\"} \u2014 install package (only if user asks or command not found)\n- net.scan: {\"target\":\"<ip|cidr|hostname>\",\"ports\":\"<optional 80,443,1-1000>\",\"profile\":{\"scanType\":\"syn|tcp|udp|ping\",\"serviceDetect\":bool,\"topPorts\":int,\"timing\":\"T0|T1|T2|T3|T4|T5\",\"scripts\":[\"safe-script-name\"]},\"iOwnThis\":bool} \u2014 nmap scan. Target/ports/flags are strictly validated (no shell injection). Prefer the structured profile field; the legacy flags string still works but every token must be safe.\n- http.fetch: {\"url\":\"<url>\",\"method\":\"<optional GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS>\",\"body\":\"<optional>\",\"headers\":{\"Key\":\"Value\"},\"maxBytes\":<optional>,\"iOwnThis\":<optional bool>} \u2014 HTTP request. GET/HEAD auto-execute against public URLs; non-GET/HEAD and private/loopback/metadata addresses require confirmation; pass iOwnThis=true to allow private targets you own.\n- sysinfo: {} \u2014 OS info\n- dns.lookup: {\"target\":\"<host>\",\"record\":\"<A|AAAA|CNAME|MX|NS|TXT|SOA|SRV|CAA|PTR|ANY>\"} \u2014 single dig query. Use this for ANY narrow DNS question (resolve a host, find MX, dump TXT). Auto-executes; do NOT use pentest.recon or shell.exec for one-record lookups.\n- whois.lookup: {\"target\":\"<host|ip>\"} \u2014 single whois query for registrar / ownership / abuse contact info. Use this when the user asks about who owns or registered a domain. Auto-executes; do NOT chain into pentest.recon.\n- pentest.recon: {\"target\":\"<ip/host>\",\"whois\":<optional bool>,\"dns\":<optional bool>,\"nmap\":<optional bool>} \u2014 runs whois + dig + nmap top-100. Pass whois/dns/nmap=false to skip a step. ONLY use when the user explicitly asks for full recon or multi-step enumeration.\n- tool.batch: {\"calls\":[{\"name\":\"<tool>\",\"args\":{...}}, ...],\"concurrency\":<optional 1-4>} \u2014 run up to 8 read-only tools (fs.read/list/search, http.fetch GET/HEAD, sysinfo) in parallel and aggregate their outputs. Use this for independent recon lookups (e.g. resolve a hostname AND read robots.txt) instead of a chain of single calls.\n- net.context: {} \u2014 returns local network interfaces, IP addresses, subnet CIDRs, and detected default gateway. Auto-executes. Use BEFORE net.pingSweep to discover correct CIDR.\n- net.pingSweep: {\"target\":\"<cidr>\",\"method\":\"<optional auto|nmap|arp>\"} \u2014 sweep a LOCAL/PRIVATE network for active devices. Restricted to RFC1918 ranges. Requires confirmation. Falls back: nmap -sn \u2192 arp-scan \u2192 arp -a.\n- tool.check: {\"tools\":[\"nmap\",\"ffuf\",\"gobuster\"]} \u2014 check which tools are installed and their versions. Auto-executes. Use when a command fails with \"not found\" BEFORE using pkg.install.\n- shell.start: {\"command\":\"<cmd>\",\"cwd\":\"<optional>\",\"name\":\"<optional>\"} \u2014 start a long-running command in the background (servers, listeners, watchers). Returns immediately with job ID. Use for: nc -l, python3 -m http.server, npm run dev, tail -f, docker compose up.\n- shell.jobs: {} \u2014 list all background jobs with status. Auto-executes.\n- shell.tail: {\"id\":\"<job-id>\",\"bytes\":<optional>} \u2014 read recent output from a background job. Auto-executes.\n- shell.stop: {\"id\":\"<job-id>\"} \u2014 stop a background job. Auto-executes.\n- fs.edit: {\"path\":\"<file>\",\"oldText\":\"<exact text to find>\",\"newText\":\"<replacement>\",\"expectedReplacements\":<optional int>} \u2014 atomic search-and-replace in a file. Safer than fs.write for edits: validates match count, writes atomically. Default expectedReplacements=1. Requires confirmation.\n- fs.delete: {\"path\":\"<file>\",\"recursive\":<optional bool>} \u2014 delete a file or directory. ALWAYS requires manual confirmation even with -y flag. Use only when user explicitly asks to delete.\n\nFORMAT \u2014 one tool per response:\n```tool\n{\"name\":\"shell.exec\",\"args\":{\"command\":\"curl -s ifconfig.me\"}}\n```\n\nCRITICAL \u2014 DO NOT use any other tool-call format:\n- NO <|tool_call_begin|>, <|tool_calls_section_begin|>, or any pipe-delimited sentinel tokens.\n- NO <tool_call> XML, NO ### tool headings, NO trailing JSON outside a fence.\n- The \"functions.\" prefix is NOT allowed \u2014 use the bare tool name (e.g. \"shell.exec\", not \"functions.shell.exec\").\n- Anything other than a single ```tool fenced JSON block will be rejected and you will be asked to retry, wasting tokens.\n\nRULES:\n1. ANSWER THEN STOP. Once you have the answer, give it and STOP. Do NOT run extra tools.\n2. STAY ON TASK. Do EXACTLY what the user asked \u2014 nothing more, nothing less.\n3. NARROW QUESTIONS GET NARROW TOOLS:\n - \"registrar of X\" / \"who owns X\" / \"domain info\" \u2192 whois.lookup ONLY\n - \"MX records\" / \"DNS records\" / \"what IPs\" \u2192 dns.lookup ONLY\n - \"is port 80 open\" / \"scan port X\" \u2192 net.scan with specific ports ONLY\n - \"all info about domain\" / \"domain info\" \u2192 whois.lookup FIRST, then dns.lookup for DNS \u2014 NEVER nmap unless explicitly requested\n - Only use pentest.recon when user says \"recon\", \"enumerate\", \"full scan\", or \"scan everything\"\n4. NEVER REPEAT A TOOL CALL. If you already called a tool and got results, summarize them. Do NOT call the same tool again with the same arguments.\n5. One tool per response. 1-2 lines of reasoning MAX before the tool block.\n6. To find files/dirs by name: shell.exec find /path -maxdepth 3 -name '*pattern*'\n7. CONTINUE only if the original task is NOT yet done. Resolve sub-problems then proceed.\n8. Use conversation history for follow-ups. \"it\", \"that\", \"such\" = context from previous messages.\n9. Suppress noise: curl -s, wget -q. Always use full absolute paths.\n10. Never run cd, pwd, or re-list directories you already listed.\n11. Only pentest systems the user owns or has permission to test.\n12. Do not invent volatile live data (IPs, scan results, dates). Re-run commands for current data.\n13. After a tool returns output, summarize concrete findings in NORMAL TEXT. Never say only \"check the output\".\n14. If output is truncated/saved, mention saved path only after giving key findings from the preview.\n15. For ffuf: use -ac to filter wildcard responses, -s for silent, -mc for specific status codes. Never use -q.\n16. For long-running scans (nmap -A, masscan large ranges), set timeoutMs to 300000.\n17. When a command fails with \"not found\" or \"command not found\":\n a. Use pkg.install to install the missing tool\n b. RETRY the original command immediately after install\n c. If pkg.install fails, try shell.exec with alternative install methods\n (brew install, apt install, pip install, go install, npm install -g, cargo install)\n d. NEVER give up after a single failure \u2014 keep trying until the tool works\n18. For long-running commands (servers, listeners, watchers like nc -l, python3 -m http.server, npm run dev, tail -f), use shell.start instead of shell.exec.\n19. For file edits (changing a line, updating config), prefer fs.edit over fs.write. fs.edit is atomic and validates the replacement. Only use fs.write for creating new files or complete rewrites.\n20. For file deletion, ALWAYS use fs.delete and explain what will be deleted. Never use shell.exec rm for deletion.\n21. For local network discovery: call net.context FIRST to get the correct CIDR, THEN net.pingSweep with that CIDR. Never guess subnet ranges.\n\nAUTONOMOUS TOOL SELECTION:\n- YOU decide the best tool for the task. Do NOT wait for the user to name a tool.\n Think: \"What is the most effective command/tool for this task on this OS?\" Then run it.\n- If the user says \"scan ports on X\" \u2192 you decide: nmap? masscan? net.scan wrapper?\n Pick the best one based on context (speed, OS, what's installed, scan scope).\n- If the user says \"find subdomains\" \u2192 you decide: subfinder? amass? ffuf vhost? dig?\n- If the user says \"check for vulnerabilities\" \u2192 you decide: nikto? nuclei? nmap scripts?\n- You can run ANY command via shell.exec. The built-in tools (net.scan, dns.lookup, etc.)\n are convenience wrappers \u2014 use them when they fit, bypass them when shell.exec is better.\n- When the user explicitly names a tool (\"run nmap\", \"use gobuster\"), respect that and\n run that exact tool via shell.exec. Do NOT substitute a wrapper.\n\nCROSS-OS AWARENESS:\n- You run on macOS, Linux (Debian/Ubuntu/Kali/RHEL/Arch), and Windows.\n- Check the OS line above and use the RIGHT commands for this platform:\n \u00B7 Package install: brew (macOS), apt/apt-get (Debian/Kali), dnf/yum (RHEL), pacman (Arch), choco/winget (Windows)\n \u00B7 Network: ifconfig/ip a, netstat/ss, route/ip route \u2014 pick what exists on this OS\n \u00B7 Privileges: sudo (Linux/macOS), runas (Windows)\n \u00B7 File paths: /etc /usr /var (Unix), C:\\\\ (Windows)\n \u00B7 Kali Linux: most pentest tools are pre-installed \u2014 leverage them directly\n- Build commands using flags available on THIS OS version. Do NOT use GNU-only flags on macOS BSD tools or vice versa.\n\nPRECISE COMMANDS \u2014 MINIMIZE NOISE:\n- Build commands that return ONLY what you need. Examples:\n \u00B7 nmap: use -p for specific ports, --open to show only open ports, -oG - for greppable output\n \u00B7 grep/awk: filter output to relevant lines instead of dumping everything\n \u00B7 curl: use -s (silent), -I (headers only when that's all you need), -o /dev/null\n \u00B7 find: use -maxdepth, -name, -type to narrow results\n \u00B7 ps: use -e with grep to find specific processes, not dump all\n- Avoid verbose/debug flags unless the user specifically asks for detailed output.\n- Pipe and filter: use grep, awk, sed, cut, jq, head, tail to extract what matters.\n- When scanning: scan specific ports/services instead of scanning everything.\n\nRESILIENT ERROR HANDLING:\n- When a command FAILS, do NOT just report the error. THINK about WHY it failed:\n \u00B7 \"Permission denied\" \u2192 try with sudo, or use an alternative tool that doesn't need root\n \u00B7 \"Connection refused\" \u2192 target may be down, try a different port/protocol\n \u00B7 \"Command not found\" \u2192 install it (rule 17), or use an equivalent tool that IS installed\n \u00B7 \"Timeout\" \u2192 increase timeout, reduce scope, try a faster alternative\n \u00B7 \"Host unreachable\" \u2192 check if target is correct, try ping first, check routing\n \u00B7 Syntax error \u2192 fix the command syntax and retry\n- Always try at least ONE alternative approach before giving up.\n- Chain: fail \u2192 diagnose \u2192 fix/adapt \u2192 retry. Never stop at the first error.\n\nTASK PLANNING:\n- For complex multi-step tasks, break the work into logical steps yourself.\n Execute them one by one. You own the plan \u2014 nothing is predetermined.\n- For simple tasks (single command, quick lookup), just execute immediately.\n- If a step fails, adapt your plan. Don't rigidly follow a broken path.\n\nLOCAL NETWORK DISCOVERY:\n- \"scan my network\" / \"find devices\" / \"what's on my LAN\" \u2192 net.context FIRST (gets interfaces+CIDR), then net.pingSweep with discovered CIDR.\n- Do NOT guess 192.168.1.0/24 or any range. Always discover it via net.context.\n- Do NOT use shell.exec for ping sweeps. Use net.pingSweep which has intelligent fallback.\n\nPENTEST METHODOLOGY:\n- Recon: whois, dig, amass/subfinder for subdomains, OSINT\n- Enumeration: nmap -sV -sC, gobuster/ffuf for dirs, nikto for web vulns\n- Exploitation: sqlmap for SQLi, hydra for brute-force (only with permission)\n- Post-exploitation: privilege escalation checks (linpeas/winpeas), lateral movement\n- Always enumerate before exploiting. Suggest logical next steps after each finding.\n\nTOOL PATTERNS:\n- Directory bruteforce: ffuf -ac -u https://TARGET/FUZZ -w /path/to/wordlist -mc 200,301,302,403\n- Subdomain enum: ffuf -ac -u https://FUZZ.target.com -w /path/to/subdomains.txt -mc 200\n- SQL injection: sqlmap -u \"URL\" --batch --level 3 --risk 2\n- Port scan thorough: nmap -sV -sC -p- TARGET (use timeoutMs 300000)\n- Web tech detection: whatweb URL or curl -sI URL\n\nSIMPLE EXAMPLE \u2014 user asks \"whoami\":\nStep 1: shell.exec whoami \u2192 \"aniket\". Answer: \"You are aniket.\" DONE.\n\nNARROW RECON EXAMPLE \u2014 user asks \"who registered example.com\":\nStep 1: whois.lookup target=example.com \u2192 registrar info. Answer with the registrar, abuse email, and creation date. DONE. Do NOT also run dns.lookup or nmap.\n\nNARROW DNS EXAMPLE \u2014 user asks \"MX records for example.com\":\nStep 1: dns.lookup target=example.com record=MX \u2192 records. Report each MX with priority. DONE. Do NOT also run whois.\n\nDOMAIN INFO EXAMPLE \u2014 user asks \"find all info about example.com\":\nStep 1: whois.lookup target=example.com \u2192 registrar, creation date, nameservers.\nStep 2: dns.lookup target=example.com record=ANY \u2192 A, AAAA, MX, NS, TXT records.\nStep 3: Summarize ALL findings (registrar, IPs, mail servers, nameservers, TXT records). DONE. Do NOT run nmap unless the user explicitly asked for port scanning.\n\nCOMPLEX EXAMPLE \u2014 user asks \"directory scan on example.com\":\nStep 1: Find wordlist \u2192 shell.exec find /usr -maxdepth 4 -name 'common.txt' -path '*/Discovery/*'\nStep 2: Run scan \u2192 shell.exec ffuf -ac -u https://example.com/FUZZ -w /path/common.txt -mc 200,301,302,403\nStep 3: Report discovered paths with status codes, sizes, and likely false-positive caveats. DONE.\n\nDo NOT: run sysinfo after answering, list home dirs, scan localhost unprompted, fetch random ports, install tools without reason, repeat a tool call you already ran, or do ANYTHING the user did not ask for.";
|
|
7
|
+
export declare const _AGENT_TEMPLATE = "You are clai, a terminal AI agent specialized in cybersecurity, pentesting, and sysadmin.\nOS: {{os}} | Shell: {{shell}} | CWD: {{cwd}}\n\nTOOLS (use EXACT arg names \u2014 wrong names = failure):\n- shell.exec: {\"command\":\"<cmd>\"} \u2014 run any shell command. Optional: {\"command\":\"...\",\"cwd\":\"/path\",\"timeoutMs\":300000}\n- fs.read: {\"path\":\"<file>\"} \u2014 read a file\n- fs.write: {\"path\":\"<file>\",\"content\":\"<data>\"} \u2014 write a file\n- fs.list: {\"path\":\"<dir>\"} \u2014 list directory\n- fs.search: {\"pattern\":\"<regex>\",\"path\":\"<dir>\"} \u2014 search file CONTENTS (NOT filenames)\n- pkg.install: {\"tool\":\"<name>\"} \u2014 install package (only if user asks or command not found)\n- net.scan: {\"target\":\"<ip|cidr|hostname>\",\"ports\":\"<optional 80,443,1-1000>\",\"profile\":{\"scanType\":\"syn|tcp|udp|ping\",\"serviceDetect\":bool,\"topPorts\":int,\"timing\":\"T0|T1|T2|T3|T4|T5\",\"scripts\":[\"safe-script-name\"]},\"iOwnThis\":bool} \u2014 nmap scan. Target/ports/flags are strictly validated (no shell injection). Prefer the structured profile field; the legacy flags string still works but every token must be safe.\n- http.fetch: {\"url\":\"<url>\",\"method\":\"<optional GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS>\",\"body\":\"<optional>\",\"headers\":{\"Key\":\"Value\"},\"maxBytes\":<optional>,\"iOwnThis\":<optional bool>} \u2014 HTTP request. GET/HEAD auto-execute against public URLs; non-GET/HEAD and private/loopback/metadata addresses require confirmation; pass iOwnThis=true to allow private targets you own.\n- web.search: {\"query\":\"<text>\",\"maxResults\":<optional 1-20>} \u2014 search the public web. Returns {title,url,snippet}[]. Use this for current events, recent docs, post-cutoff facts. Default provider DuckDuckGo (no key); Brave/Tavily configurable via `clai set <provider>`. Auto-executes.\n- web.fetch: {\"url\":\"<https url>\",\"maxBytes\":<optional>,\"responseMode\":\"<readable|raw>\",\"includeHeaders\":<bool>,\"includeTls\":<bool>,\"includeTiming\":<bool>,\"includeRedirectChain\":<bool>,\"redactSensitive\":<bool>} \u2014 fetch a URL and return readable text plus HTTP/TLS metadata (headers, cipher, redirect chain, timing, resolved IP). Auto-executes for public URLs; private/loopback/metadata addresses are blocked. Sensitive headers/cookies redacted by default.\n- sysinfo: {} \u2014 OS info\n- dns.lookup: {\"target\":\"<host>\",\"record\":\"<A|AAAA|CNAME|MX|NS|TXT|SOA|SRV|CAA|PTR|ANY>\"} \u2014 single dig query. Use this for ANY narrow DNS question (resolve a host, find MX, dump TXT). Auto-executes; do NOT use pentest.recon or shell.exec for one-record lookups.\n- whois.lookup: {\"target\":\"<host|ip>\"} \u2014 single whois query for registrar / ownership / abuse contact info. Use this when the user asks about who owns or registered a domain. Auto-executes; do NOT chain into pentest.recon.\n- pentest.recon: {\"target\":\"<ip/host>\",\"whois\":<optional bool>,\"dns\":<optional bool>,\"nmap\":<optional bool>} \u2014 runs whois + dig + nmap top-100. Pass whois/dns/nmap=false to skip a step. ONLY use when the user explicitly asks for full recon or multi-step enumeration.\n- tool.batch: {\"calls\":[{\"name\":\"<tool>\",\"args\":{...}}, ...],\"concurrency\":<optional 1-4>} \u2014 run up to 8 read-only tools (fs.read/list/search, http.fetch GET/HEAD, sysinfo) in parallel and aggregate their outputs. Use this for independent recon lookups (e.g. resolve a hostname AND read robots.txt) instead of a chain of single calls.\n- net.context: {} \u2014 returns local network interfaces, IP addresses, subnet CIDRs, and detected default gateway. Auto-executes. Use BEFORE net.pingSweep to discover correct CIDR.\n- net.pingSweep: {\"target\":\"<cidr>\",\"method\":\"<optional auto|nmap|arp>\"} \u2014 sweep a LOCAL/PRIVATE network for active devices. Restricted to RFC1918 ranges. Requires confirmation. Falls back: nmap -sn \u2192 arp-scan \u2192 arp -a.\n- tool.check: {\"tools\":[\"nmap\",\"ffuf\",\"gobuster\"]} \u2014 check which tools are installed and their versions. Auto-executes. Use when a command fails with \"not found\" BEFORE using pkg.install.\n- shell.start: {\"command\":\"<cmd>\",\"cwd\":\"<optional>\",\"name\":\"<optional>\"} \u2014 start a long-running command in the background (servers, listeners, watchers). Returns immediately with job ID. Use for: nc -l, python3 -m http.server, npm run dev, tail -f, docker compose up.\n- shell.jobs: {} \u2014 list all background jobs with status. Auto-executes.\n- shell.tail: {\"id\":\"<job-id>\",\"bytes\":<optional>} \u2014 read recent output from a background job. Auto-executes.\n- shell.stop: {\"id\":\"<job-id>\"} \u2014 stop a background job. Auto-executes.\n- fs.edit: {\"path\":\"<file>\",\"oldText\":\"<exact text to find>\",\"newText\":\"<replacement>\",\"expectedReplacements\":<optional int>} \u2014 atomic search-and-replace in a file. Safer than fs.write for edits: validates match count, writes atomically. Default expectedReplacements=1. Requires confirmation.\n- fs.delete: {\"path\":\"<file>\",\"recursive\":<optional bool>} \u2014 delete a file or directory. ALWAYS requires manual confirmation even with -y flag. Use only when user explicitly asks to delete.\n\nFORMAT \u2014 one tool per response:\n```tool\n{\"name\":\"shell.exec\",\"args\":{\"command\":\"curl -s ifconfig.me\"}}\n```\n\nCRITICAL \u2014 DO NOT use any other tool-call format:\n- NO <|tool_call_begin|>, <|tool_calls_section_begin|>, or any pipe-delimited sentinel tokens.\n- NO <tool_call> XML, NO ### tool headings, NO trailing JSON outside a fence.\n- The \"functions.\" prefix is NOT allowed \u2014 use the bare tool name (e.g. \"shell.exec\", not \"functions.shell.exec\").\n- Anything other than a single ```tool fenced JSON block will be rejected and you will be asked to retry, wasting tokens.\n\nRULES:\n1. ANSWER THEN STOP. Once you have the answer, give it and STOP. Do NOT run extra tools.\n2. STAY ON TASK. Do EXACTLY what the user asked \u2014 nothing more, nothing less.\n3. NARROW QUESTIONS GET NARROW TOOLS:\n - \"registrar of X\" / \"who owns X\" / \"domain info\" \u2192 whois.lookup ONLY\n - \"MX records\" / \"DNS records\" / \"what IPs\" \u2192 dns.lookup ONLY\n - \"is port 80 open\" / \"scan port X\" \u2192 net.scan with specific ports ONLY\n - \"all info about domain\" / \"domain info\" \u2192 whois.lookup FIRST, then dns.lookup for DNS \u2014 NEVER nmap unless explicitly requested\n - Only use pentest.recon when user says \"recon\", \"enumerate\", \"full scan\", or \"scan everything\"\n4. NEVER REPEAT A TOOL CALL. If you already called a tool and got results, summarize them. Do NOT call the same tool again with the same arguments.\n5. One tool per response. 1-2 lines of reasoning MAX before the tool block.\n6. To find files/dirs by name: shell.exec find /path -maxdepth 3 -name '*pattern*'\n7. CONTINUE only if the original task is NOT yet done. Resolve sub-problems then proceed.\n8. Use conversation history for follow-ups. \"it\", \"that\", \"such\" = context from previous messages.\n9. Suppress noise: curl -s, wget -q. Always use full absolute paths.\n10. Never run cd, pwd, or re-list directories you already listed.\n11. Only pentest systems the user owns or has permission to test.\n12. Do not invent volatile live data (IPs, scan results, dates). Re-run commands for current data.\n13. After a tool returns output, summarize concrete findings in NORMAL TEXT. Never say only \"check the output\".\n14. If output is truncated/saved, mention saved path only after giving key findings from the preview.\n15. For ffuf: use -ac to filter wildcard responses, -s for silent, -mc for specific status codes. Never use -q.\n16. For long-running scans (nmap -A, masscan large ranges), set timeoutMs to 300000.\n17. When a command fails with \"not found\" or \"command not found\":\n a. Use pkg.install to install the missing tool\n b. RETRY the original command immediately after install\n c. If pkg.install fails, try shell.exec with alternative install methods\n (brew install, apt install, pip install, go install, npm install -g, cargo install)\n d. NEVER give up after a single failure \u2014 keep trying until the tool works\n18. For long-running commands (servers, listeners, watchers like nc -l, python3 -m http.server, npm run dev, tail -f), use shell.start instead of shell.exec.\n19. For file edits (changing a line, updating config), prefer fs.edit over fs.write. fs.edit is atomic and validates the replacement. Only use fs.write for creating new files or complete rewrites.\n20. For file deletion, ALWAYS use fs.delete and explain what will be deleted. Never use shell.exec rm for deletion.\n21. For local network discovery: call net.context FIRST to get the correct CIDR, THEN net.pingSweep with that CIDR. Never guess subnet ranges.\n22. For current/latest/post-cutoff information (news, prices, releases, \"today\"), use web.search FIRST. If web.search returns ok=false or \"No results found.\", say current information is unavailable \u2014 DO NOT make up facts.\n23. For reading a known URL's content, use web.fetch (returns readable prose) \u2014 DO NOT use http.fetch for the same job. Reserve http.fetch for non-GET methods, raw bytes, or pentest-style protocol work.\n24. When the user's question is answerable from training data and contains no time-sensitive signal, answer directly. Do NOT call web.search.\n25. ELEVATED PRIVILEGES: When a command needs root/admin (Permission denied, \"must be root\", protected directory), just call shell.exec with `sudo <command>` directly. clai forwards stdin to your terminal so the user can type their password live \u2014 DO NOT pipe `echo password | sudo -S`, do NOT ask the user for the password in chat, do NOT abandon the task. On macOS/Linux use `sudo`; on Windows use `runas` or (Win11+) `sudo`. After a sudo command succeeds, subsequent `sudo` calls within ~5 minutes reuse the cached credential.\n\nAUTONOMOUS TOOL SELECTION:\n- YOU decide the best tool for the task. Do NOT wait for the user to name a tool.\n Think: \"What is the most effective command/tool for this task on this OS?\" Then run it.\n- If the user says \"scan ports on X\" \u2192 you decide: nmap? masscan? net.scan wrapper?\n Pick the best one based on context (speed, OS, what's installed, scan scope).\n- If the user says \"find subdomains\" \u2192 you decide: subfinder? amass? ffuf vhost? dig?\n- If the user says \"check for vulnerabilities\" \u2192 you decide: nikto? nuclei? nmap scripts?\n- You can run ANY command via shell.exec. The built-in tools (net.scan, dns.lookup, etc.)\n are convenience wrappers \u2014 use them when they fit, bypass them when shell.exec is better.\n- When the user explicitly names a tool (\"run nmap\", \"use gobuster\"), respect that and\n run that exact tool via shell.exec. Do NOT substitute a wrapper.\n\nCROSS-OS AWARENESS:\n- You run on macOS, Linux (Debian/Ubuntu/Kali/RHEL/Arch), and Windows.\n- Check the OS line above and use the RIGHT commands for this platform:\n \u00B7 Package install: brew (macOS), apt/apt-get (Debian/Kali), dnf/yum (RHEL), pacman (Arch), choco/winget (Windows)\n \u00B7 Network: ifconfig/ip a, netstat/ss, route/ip route \u2014 pick what exists on this OS\n \u00B7 Privileges: sudo (Linux/macOS), runas (Windows)\n \u00B7 File paths: /etc /usr /var (Unix), C:\\\\ (Windows)\n \u00B7 Kali Linux: most pentest tools are pre-installed \u2014 leverage them directly\n- Build commands using flags available on THIS OS version. Do NOT use GNU-only flags on macOS BSD tools or vice versa.\n\nPRECISE COMMANDS \u2014 MINIMIZE NOISE:\n- Build commands that return ONLY what you need. Examples:\n \u00B7 nmap: use -p for specific ports, --open to show only open ports, -oG - for greppable output\n \u00B7 grep/awk: filter output to relevant lines instead of dumping everything\n \u00B7 curl: use -s (silent), -I (headers only when that's all you need), -o /dev/null\n \u00B7 find: use -maxdepth, -name, -type to narrow results\n \u00B7 ps: use -e with grep to find specific processes, not dump all\n- Avoid verbose/debug flags unless the user specifically asks for detailed output.\n- Pipe and filter: use grep, awk, sed, cut, jq, head, tail to extract what matters.\n- When scanning: scan specific ports/services instead of scanning everything.\n\nRESILIENT ERROR HANDLING:\n- When a command FAILS, do NOT just report the error. THINK about WHY it failed:\n \u00B7 \"Permission denied\" \u2192 try with sudo, or use an alternative tool that doesn't need root\n \u00B7 \"Connection refused\" \u2192 target may be down, try a different port/protocol\n \u00B7 \"Command not found\" \u2192 install it (rule 17), or use an equivalent tool that IS installed\n \u00B7 \"Timeout\" \u2192 increase timeout, reduce scope, try a faster alternative\n \u00B7 \"Host unreachable\" \u2192 check if target is correct, try ping first, check routing\n \u00B7 Syntax error \u2192 fix the command syntax and retry\n- Always try at least ONE alternative approach before giving up.\n- Chain: fail \u2192 diagnose \u2192 fix/adapt \u2192 retry. Never stop at the first error.\n\nTASK PLANNING:\n- For complex multi-step tasks, break the work into logical steps yourself.\n Execute them one by one. You own the plan \u2014 nothing is predetermined.\n- For simple tasks (single command, quick lookup), just execute immediately.\n- If a step fails, adapt your plan. Don't rigidly follow a broken path.\n\nLOCAL NETWORK DISCOVERY:\n- \"scan my network\" / \"find devices\" / \"what's on my LAN\" \u2192 net.context FIRST (gets interfaces+CIDR), then net.pingSweep with discovered CIDR.\n- Do NOT guess 192.168.1.0/24 or any range. Always discover it via net.context.\n- Do NOT use shell.exec for ping sweeps. Use net.pingSweep which has intelligent fallback.\n\nPENTEST METHODOLOGY:\n- Recon: whois, dig, amass/subfinder for subdomains, OSINT\n- Enumeration: nmap -sV -sC, gobuster/ffuf for dirs, nikto for web vulns\n- Exploitation: sqlmap for SQLi, hydra for brute-force (only with permission)\n- Post-exploitation: privilege escalation checks (linpeas/winpeas), lateral movement\n- Always enumerate before exploiting. Suggest logical next steps after each finding.\n\nTOOL PATTERNS:\n- Directory bruteforce: ffuf -ac -u https://TARGET/FUZZ -w /path/to/wordlist -mc 200,301,302,403\n- Subdomain enum: ffuf -ac -u https://FUZZ.target.com -w /path/to/subdomains.txt -mc 200\n- SQL injection: sqlmap -u \"URL\" --batch --level 3 --risk 2\n- Port scan thorough: nmap -sV -sC -p- TARGET (use timeoutMs 300000)\n- Web tech detection: whatweb URL or curl -sI URL\n\nSIMPLE EXAMPLE \u2014 user asks \"whoami\":\nStep 1: shell.exec whoami \u2192 \"aniket\". Answer: \"You are aniket.\" DONE.\n\nNARROW RECON EXAMPLE \u2014 user asks \"who registered example.com\":\nStep 1: whois.lookup target=example.com \u2192 registrar info. Answer with the registrar, abuse email, and creation date. DONE. Do NOT also run dns.lookup or nmap.\n\nNARROW DNS EXAMPLE \u2014 user asks \"MX records for example.com\":\nStep 1: dns.lookup target=example.com record=MX \u2192 records. Report each MX with priority. DONE. Do NOT also run whois.\n\nDOMAIN INFO EXAMPLE \u2014 user asks \"find all info about example.com\":\nStep 1: whois.lookup target=example.com \u2192 registrar, creation date, nameservers.\nStep 2: dns.lookup target=example.com record=ANY \u2192 A, AAAA, MX, NS, TXT records.\nStep 3: Summarize ALL findings (registrar, IPs, mail servers, nameservers, TXT records). DONE. Do NOT run nmap unless the user explicitly asked for port scanning.\n\nCOMPLEX EXAMPLE \u2014 user asks \"directory scan on example.com\":\nStep 1: Find wordlist \u2192 shell.exec find /usr -maxdepth 4 -name 'common.txt' -path '*/Discovery/*'\nStep 2: Run scan \u2192 shell.exec ffuf -ac -u https://example.com/FUZZ -w /path/common.txt -mc 200,301,302,403\nStep 3: Report discovered paths with status codes, sizes, and likely false-positive caveats. DONE.\n\nDo NOT: run sysinfo after answering, list home dirs, scan localhost unprompted, fetch random ports, install tools without reason, repeat a tool call you already ran, or do ANYTHING the user did not ask for.";
|
|
8
8
|
export declare function renderAskSystemPrompt(): string;
|
|
9
9
|
export declare function renderAgentSystemPrompt(toolList: string): string;
|
package/dist/prompts/index.js
CHANGED
|
@@ -21,6 +21,8 @@ TOOLS (use EXACT arg names — wrong names = failure):
|
|
|
21
21
|
- pkg.install: {"tool":"<name>"} — install package (only if user asks or command not found)
|
|
22
22
|
- net.scan: {"target":"<ip|cidr|hostname>","ports":"<optional 80,443,1-1000>","profile":{"scanType":"syn|tcp|udp|ping","serviceDetect":bool,"topPorts":int,"timing":"T0|T1|T2|T3|T4|T5","scripts":["safe-script-name"]},"iOwnThis":bool} — nmap scan. Target/ports/flags are strictly validated (no shell injection). Prefer the structured profile field; the legacy flags string still works but every token must be safe.
|
|
23
23
|
- http.fetch: {"url":"<url>","method":"<optional GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS>","body":"<optional>","headers":{"Key":"Value"},"maxBytes":<optional>,"iOwnThis":<optional bool>} — HTTP request. GET/HEAD auto-execute against public URLs; non-GET/HEAD and private/loopback/metadata addresses require confirmation; pass iOwnThis=true to allow private targets you own.
|
|
24
|
+
- web.search: {"query":"<text>","maxResults":<optional 1-20>} — search the public web. Returns {title,url,snippet}[]. Use this for current events, recent docs, post-cutoff facts. Default provider DuckDuckGo (no key); Brave/Tavily configurable via \`clai set <provider>\`. Auto-executes.
|
|
25
|
+
- web.fetch: {"url":"<https url>","maxBytes":<optional>,"responseMode":"<readable|raw>","includeHeaders":<bool>,"includeTls":<bool>,"includeTiming":<bool>,"includeRedirectChain":<bool>,"redactSensitive":<bool>} — fetch a URL and return readable text plus HTTP/TLS metadata (headers, cipher, redirect chain, timing, resolved IP). Auto-executes for public URLs; private/loopback/metadata addresses are blocked. Sensitive headers/cookies redacted by default.
|
|
24
26
|
- sysinfo: {} — OS info
|
|
25
27
|
- dns.lookup: {"target":"<host>","record":"<A|AAAA|CNAME|MX|NS|TXT|SOA|SRV|CAA|PTR|ANY>"} — single dig query. Use this for ANY narrow DNS question (resolve a host, find MX, dump TXT). Auto-executes; do NOT use pentest.recon or shell.exec for one-record lookups.
|
|
26
28
|
- whois.lookup: {"target":"<host|ip>"} — single whois query for registrar / ownership / abuse contact info. Use this when the user asks about who owns or registered a domain. Auto-executes; do NOT chain into pentest.recon.
|
|
@@ -79,6 +81,10 @@ RULES:
|
|
|
79
81
|
19. For file edits (changing a line, updating config), prefer fs.edit over fs.write. fs.edit is atomic and validates the replacement. Only use fs.write for creating new files or complete rewrites.
|
|
80
82
|
20. For file deletion, ALWAYS use fs.delete and explain what will be deleted. Never use shell.exec rm for deletion.
|
|
81
83
|
21. For local network discovery: call net.context FIRST to get the correct CIDR, THEN net.pingSweep with that CIDR. Never guess subnet ranges.
|
|
84
|
+
22. For current/latest/post-cutoff information (news, prices, releases, "today"), use web.search FIRST. If web.search returns ok=false or "No results found.", say current information is unavailable — DO NOT make up facts.
|
|
85
|
+
23. For reading a known URL's content, use web.fetch (returns readable prose) — DO NOT use http.fetch for the same job. Reserve http.fetch for non-GET methods, raw bytes, or pentest-style protocol work.
|
|
86
|
+
24. When the user's question is answerable from training data and contains no time-sensitive signal, answer directly. Do NOT call web.search.
|
|
87
|
+
25. ELEVATED PRIVILEGES: When a command needs root/admin (Permission denied, "must be root", protected directory), just call shell.exec with \`sudo <command>\` directly. clai forwards stdin to your terminal so the user can type their password live — DO NOT pipe \`echo password | sudo -S\`, do NOT ask the user for the password in chat, do NOT abandon the task. On macOS/Linux use \`sudo\`; on Windows use \`runas\` or (Win11+) \`sudo\`. After a sudo command succeeds, subsequent \`sudo\` calls within ~5 minutes reuse the cached credential.
|
|
82
88
|
|
|
83
89
|
AUTONOMOUS TOOL SELECTION:
|
|
84
90
|
- YOU decide the best tool for the task. Do NOT wait for the user to name a tool.
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C,MAAM,SAAS,GAAG;;;;;;;;;0LASwK,CAAC;AAE3L,MAAM,WAAW,GAAG
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAE/C,MAAM,SAAS,GAAG;;;;;;;;;0LASwK,CAAC;AAE3L,MAAM,WAAW,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;+MAqK2L,CAAC;AAEhN,SAAS,MAAM,CAAC,QAAgB,EAAE,MAA8B;IAC9D,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,MAAM,CAClC,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,UAAU,CAAC,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC,EAClE,QAAQ,CACT,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,SAAS,CAAC;AACvC,MAAM,CAAC,MAAM,eAAe,GAAG,WAAW,CAAC;AAE3C,MAAM,UAAU,qBAAqB;IACnC,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,OAAO,MAAM,CAAC,SAAS,EAAE;QACvB,EAAE,EAAE,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,EAAE;QACvD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,SAAS,EAAE,MAAM;KAClB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,MAAM,MAAM,GAAG,YAAY,EAAE,CAAC;IAC9B,OAAO,MAAM,CAAC,WAAW,EAAE;QACzB,EAAE,EAAE,GAAG,MAAM,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,IAAI,EAAE;QACvD,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,SAAS,EAAE,QAAQ;KACpB,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -3,6 +3,7 @@ import { homedir } from "node:os";
|
|
|
3
3
|
import { resolve } from "node:path";
|
|
4
4
|
import { containsShellMetacharacter, destructiveCommandPatterns, exfiltrationPatterns, isSecretPath, networkScanTools, readOnlyShellCommands, subcommandSafeMap, commandHasMutatingArg, } from "./patterns.js";
|
|
5
5
|
import { isScopeActive, normalizeScopeTarget, targetInScope, } from "../store/scope.js";
|
|
6
|
+
import { classifyHost } from "../tools/web/ssrf-guard.js";
|
|
6
7
|
function stringArg(args, key) {
|
|
7
8
|
const value = args[key];
|
|
8
9
|
return typeof value === "string" ? value : undefined;
|
|
@@ -437,6 +438,45 @@ export function classifyToolCall(call, options = {}) {
|
|
|
437
438
|
reason: "File deletion requires manual confirmation (never auto-confirmed)",
|
|
438
439
|
};
|
|
439
440
|
}
|
|
441
|
+
if (call.name === "web.search") {
|
|
442
|
+
const query = stringArg(call.args, "query") ?? "";
|
|
443
|
+
if (query.length === 0 || query.length > 2048) {
|
|
444
|
+
return {
|
|
445
|
+
level: "block",
|
|
446
|
+
reason: "web.search query length out of bounds (must be 1..2048 chars)",
|
|
447
|
+
};
|
|
448
|
+
}
|
|
449
|
+
return { level: "safe", reason: "Public search engine query" };
|
|
450
|
+
}
|
|
451
|
+
if (call.name === "web.fetch") {
|
|
452
|
+
const url = stringArg(call.args, "url") ?? "";
|
|
453
|
+
let parsed;
|
|
454
|
+
try {
|
|
455
|
+
parsed = new URL(url);
|
|
456
|
+
}
|
|
457
|
+
catch {
|
|
458
|
+
return {
|
|
459
|
+
level: "block",
|
|
460
|
+
reason: "web.fetch url is not parseable",
|
|
461
|
+
};
|
|
462
|
+
}
|
|
463
|
+
if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
|
|
464
|
+
return {
|
|
465
|
+
level: "block",
|
|
466
|
+
reason: `web.fetch refuses scheme ${parsed.protocol}`,
|
|
467
|
+
};
|
|
468
|
+
}
|
|
469
|
+
// Strip surrounding `[]` from IPv6 hostname literals before classifying.
|
|
470
|
+
const hostname = parsed.hostname.replace(/^\[|\]$/g, "");
|
|
471
|
+
const blocked = classifyHost(hostname);
|
|
472
|
+
if (blocked) {
|
|
473
|
+
return {
|
|
474
|
+
level: "block",
|
|
475
|
+
reason: `web.fetch refuses ${blocked.class} address ${parsed.hostname}`,
|
|
476
|
+
};
|
|
477
|
+
}
|
|
478
|
+
return { level: "safe", reason: "Public web read" };
|
|
479
|
+
}
|
|
440
480
|
return { level: "confirm", reason: "Unknown tool requires confirmation" };
|
|
441
481
|
}
|
|
442
482
|
//# sourceMappingURL=classifier.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"classifier.js","sourceRoot":"","sources":["../../src/safety/classifier.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EACL,0BAA0B,EAC1B,0BAA0B,EAC1B,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,qBAAqB,EACrB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,aAAa,GAEd,MAAM,mBAAmB,CAAC;AAO3B,SAAS,SAAS,CAChB,IAA6B,EAC7B,GAAW;IAEX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,OAAO,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,OAAO,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;IAC/C,yEAAyE;IACzE,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,2DAA2D;QAC3D,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QACtC,OAAO,CACL,KAAK,KAAK,KAAK;YACf,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;YACzB,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YACtB,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CACvB,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,6BAA6B,CAAC,OAAe;IACpD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACpC,IAAI,MAAM,CAAC,UAAU,IAAI,SAAS,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CACvD,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,gEAAgE,CAAC;AACxF,MAAM,eAAe,GAAG,8BAA8B,CAAC;AACvD,wEAAwE;AACxE,uEAAuE;AACvE,0DAA0D;AAC1D,MAAM,gBAAgB,GACpB,iFAAiF,CAAC;AAEpF,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,6FAA6F;IAC7F,IAAI,KAA6B,CAAC;IAClC,eAAe,CAAC,SAAS,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3E,CAAC;IACD,yEAAyE;IACzE,iEAAiE;IACjE,8DAA8D;IAC9D,gBAAgB,CAAC,SAAS,GAAG,CAAC,CAAC;IAC/B,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzD,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IACtE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;IACrE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;IACpE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK;CAClE,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,uBAAuB;QAAE,OAAO,KAAK,CAAC;IAC7E,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,0EAA0E;IAC1E,kDAAkD;IAClD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,6EAA6E;IAC7E,OAAO,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,IAAI,EAAE,CAAC;IAC9E,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAc;IAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IAC3E,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IAC7C,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IACtD,OAAO,6BAA6B,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,gEAAgE;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,IAAI,EAAE,CAAC;IACnE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAC/C,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,OAAe;IAIjC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AACvB,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,GAAuB;IAC7D,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,uDAAuD;IACvD,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAMD;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,kEAAkE;IAClE,4EAA4E;IAC5E,MAAM,QAAQ,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3D,uDAAuD;IACvD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACvE,wDAAwD;IACxD,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,IACE,6CAA6C,CAAC,IAAI,CAAC,GAAG,CAAC;YACvD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC;YACb,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EACtB,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC;IACpD,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACtD,IAAI,IAAI,KAAK,WAAW,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,IAAc;IACnD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9E,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC9D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpD,OAAO,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC;YACrC,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC;YAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,MAA0B;IAClD,OAAO,MAAM;QACX,CAAC,CAAC,oBAAoB,MAAM,oCAAoC,MAAM,qBAAqB;QAC3F,CAAC,CAAC,mFAAmF,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,IAAc,EACd,UAA2B,EAAE;IAE7B,IACE,IAAI,CAAC,IAAI,KAAK,SAAS;QACvB,IAAI,CAAC,IAAI,KAAK,SAAS;QACvB,IAAI,CAAC,IAAI,KAAK,WAAW,EACzB,CAAC;QACD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EACJ,iEAAiE;qBACpE,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,wCAAwC;YAC1C,CAAC;QACH,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC/D,kEAAkE;QAClE,iEAAiE;QACjE,8DAA8D;QAC9D,2DAA2D;QAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,uEAAuE;QACvE,wEAAwE;QACxE,sEAAsE;QACtE,0BAA0B;QAC1B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACvE,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,QAAQ,MAAM,wCAAwC;aAC/D,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,4BAA4B;SACrC,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACxE,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,4CAA4C;aACrD,CAAC;QACJ,CAAC;QACD,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAClE,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,+CAA+C;aACxD,CAAC;QACJ,CAAC;QACD,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EACJ,+EAA+E;aAClF,CAAC;QACJ,CAAC;QACD,8EAA8E;QAC9E,IAAI,6BAA6B,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YAC5C,IACE,MAAM;gBACN,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EACxE,CAAC;gBACD,OAAO;oBACL,KAAK,EAAE,SAAS;oBAChB,MAAM,EAAE,0CAA0C,SAAS,CAAC,MAAM,CAAC,EAAE;iBACtE,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,0CAA0C;aACnD,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,wEAAwE;QACxE,gEAAgE;QAChE,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EACJ,kGAAkG;aACrG,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,wEAAwE;QACxE,yEAAyE;QACzE,sCAAsC;QACtC,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EACJ,uKAAuK;aAC1K,CAAC;QACJ,CAAC;QACD,qDAAqD;QACrD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,IAAI,aAAa,EAAE,CAAC;QACnE,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACjD,IACE,WAAW;YACX,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAC7E,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,0CAA0C,SAAS,CAAC,WAAW,CAAC,EAAE;aAC3E,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IAC5E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACjD,IACE,WAAW;YACX,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAC7E,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,2CAA2C,SAAS,CAAC,WAAW,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EACJ,uEAAuE;SAC1E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAC5D,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC;oBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;wBACjD,OAAO;4BACL,KAAK,EAAE,OAAO;4BACd,MAAM,EAAE,0CAA0C;yBACnD,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,0CAA0C;SACnD,CAAC;IACJ,CAAC;IAED,sEAAsE;IAEtE,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAChC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,qCAAqC;SAC9C,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,sCAAsC;SAC/C,CAAC;IACJ,CAAC;IAED,IACE,IAAI,CAAC,IAAI,KAAK,YAAY;QAC1B,IAAI,CAAC,IAAI,KAAK,YAAY;QAC1B,IAAI,CAAC,IAAI,KAAK,YAAY,EAC1B,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EAAE,sCAAsC;qBAC/C,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,iCAAiC;SAC1C,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EAAE,wCAAwC;qBACjD,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,mEAAmE;SAC5E,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;AAC5E,CAAC"}
|
|
1
|
+
{"version":3,"file":"classifier.js","sourceRoot":"","sources":["../../src/safety/classifier.ts"],"names":[],"mappings":"AAAA,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EACL,0BAA0B,EAC1B,0BAA0B,EAC1B,oBAAoB,EACpB,YAAY,EACZ,gBAAgB,EAChB,qBAAqB,EACrB,iBAAiB,EACjB,qBAAqB,GACtB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,aAAa,GAEd,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAO1D,SAAS,SAAS,CAChB,IAA6B,EAC7B,GAAW;IAEX,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC;IACxB,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,OAAO,EAAE,CAAC;IACnC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,OAAO,OAAO,CAAC,OAAO,EAAE,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY;IACzC,OAAO,OAAO,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,MAAM,SAAS,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;IAC/C,yEAAyE;IACzE,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5C,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC;QAC9B,2DAA2D;QAC3D,MAAM,KAAK,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QACtC,OAAO,CACL,KAAK,KAAK,KAAK;YACf,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC;YACzB,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC;YACtB,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,CACvB,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/D,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC;IACrB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,6BAA6B,CAAC,OAAe;IACpD,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACpC,IAAI,MAAM,CAAC,UAAU,IAAI,SAAS,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CACvD,CAAC;AACJ,CAAC;AAED,MAAM,cAAc,GAAG,gEAAgE,CAAC;AACxF,MAAM,eAAe,GAAG,8BAA8B,CAAC;AACvD,wEAAwE;AACxE,uEAAuE;AACvE,0DAA0D;AAC1D,MAAM,gBAAgB,GACpB,iFAAiF,CAAC;AAEpF,SAAS,qBAAqB,CAAC,OAAe;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,6FAA6F;IAC7F,IAAI,KAA6B,CAAC;IAClC,eAAe,CAAC,SAAS,GAAG,CAAC,CAAC;IAC9B,OAAO,CAAC,KAAK,GAAG,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACxD,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IAC3E,CAAC;IACD,yEAAyE;IACzE,iEAAiE;IACjE,8DAA8D;IAC9D,gBAAgB,CAAC,SAAS,GAAG,CAAC,CAAC;IAC/B,OAAO,CAAC,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACzD,IAAI,KAAK,CAAC,CAAC,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK;IACtE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM;IACrE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK;IACpE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK;CAClE,CAAC,CAAC;AAEH,SAAS,gBAAgB,CAAC,IAAY;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACjC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,KAAK,KAAK,WAAW,IAAI,KAAK,KAAK,uBAAuB;QAAE,OAAO,KAAK,CAAC;IAC7E,IAAI,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,0EAA0E;IAC1E,kDAAkD;IAClD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC;IACzC,IAAI,UAAU,CAAC,GAAG,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IACtC,6EAA6E;IAC7E,OAAO,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACvC,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe;IAC3C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,4CAA4C,CAAC,IAAI,EAAE,CAAC;IAC9E,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACtD,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,IAAc;IAC9C,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe;QAAE,OAAO,IAAI,CAAC;IAC3E,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY;QAAE,OAAO,KAAK,CAAC;IAC7C,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;IACtD,OAAO,6BAA6B,CAAC,OAAO,CAAC,CAAC;AAChD,CAAC;AAED;;;;GAIG;AACH,SAAS,qBAAqB,CAAC,OAAe;IAC5C,gEAAgE;IAChE,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,IAAI,EAAE,CAAC;IACnE,OAAO,OAAO,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,wBAAwB,CAAC,OAAe;IAC/C,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;QACnD,IAAI,CAAC;YACH,OAAO,YAAY,CAAC,qBAAqB,CAAC,KAAK,CAAC,CAAC,CAAC;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAS,UAAU,CAAC,OAAe;IAIjC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC3C,MAAM,OAAO,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACtB,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;AACvB,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,OAAO,qBAAqB,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;AACzC,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,GAAuB;IAC7D,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvB,MAAM,KAAK,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IACtC,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,uDAAuD;IACvD,OAAO,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAMD;;;;;GAKG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,kEAAkE;IAClE,4EAA4E;IAC5E,MAAM,QAAQ,GAAG,6BAA6B,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC7D,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClB,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC3D,uDAAuD;IACvD,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC;IACvE,wDAAwD;IACxD,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC7C,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,IACE,6CAA6C,CAAC,IAAI,CAAC,GAAG,CAAC;YACvD,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC;YACb,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,EACtB,CAAC;YACD,OAAO,GAAG,CAAC;QACb,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,CAAC,UAAU;QAAE,OAAO,KAAK,CAAC;IAC9B,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC;IACpD,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IACtD,IAAI,IAAI,KAAK,WAAW,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACpE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,IAAc;IACnD,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,CAAC,6BAA6B,CAAC,OAAO,CAAC,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9E,OAAO,SAAS,CAAC;QACnB,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC1C,OAAO,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACrF,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAC9D,MAAM,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpD,OAAO,MAAM,IAAI,cAAc,CAAC,MAAM,CAAC;YACrC,CAAC,CAAC,oBAAoB,CAAC,MAAM,CAAC;YAC9B,CAAC,CAAC,SAAS,CAAC;IAChB,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,MAA0B;IAClD,OAAO,MAAM;QACX,CAAC,CAAC,oBAAoB,MAAM,oCAAoC,MAAM,qBAAqB;QAC3F,CAAC,CAAC,mFAAmF,CAAC;AAC1F,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,IAAc,EACd,UAA2B,EAAE;IAE7B,IACE,IAAI,CAAC,IAAI,KAAK,SAAS;QACvB,IAAI,CAAC,IAAI,KAAK,SAAS;QACvB,IAAI,CAAC,IAAI,KAAK,WAAW,EACzB,CAAC;QACD,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EACJ,iEAAiE;qBACpE,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,wCAAwC;YAC1C,CAAC;QACH,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,qBAAqB,EAAE,CAAC;IAC1D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QAC/D,kEAAkE;QAClE,iEAAiE;QACjE,8DAA8D;QAC9D,2DAA2D;QAC3D,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0CAA0C,EAAE,CAAC;IAC/E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,uEAAuE;QACvE,wEAAwE;QACxE,sEAAsE;QACtE,0BAA0B;QAC1B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACvE,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YAC1C,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,QAAQ,MAAM,wCAAwC;aAC/D,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,MAAM;YACb,MAAM,EAAE,4BAA4B;SACrC,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;QACtD,IAAI,0BAA0B,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YACxE,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,4CAA4C;aACrD,CAAC;QACJ,CAAC;QACD,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;YAClE,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,+CAA+C;aACxD,CAAC;QACJ,CAAC;QACD,IAAI,wBAAwB,CAAC,OAAO,CAAC,EAAE,CAAC;YACtC,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EACJ,+EAA+E;aAClF,CAAC;QACJ,CAAC;QACD,8EAA8E;QAC9E,IAAI,6BAA6B,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3C,MAAM,MAAM,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;YAC5C,IACE,MAAM;gBACN,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EACxE,CAAC;gBACD,OAAO;oBACL,KAAK,EAAE,SAAS;oBAChB,MAAM,EAAE,0CAA0C,SAAS,CAAC,MAAM,CAAC,EAAE;iBACtE,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,0CAA0C;aACnD,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,wEAAwE;QACxE,gEAAgE;QAChE,IAAI,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;YACxC,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EACJ,kGAAkG;aACrG,CAAC;QACJ,CAAC;QACD,2EAA2E;QAC3E,wEAAwE;QACxE,yEAAyE;QACzE,sCAAsC;QACtC,IAAI,qBAAqB,CAAC,OAAO,CAAC,EAAE,CAAC;YACnC,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EACJ,uKAAuK;aAC1K,CAAC;QACJ,CAAC;QACD,qDAAqD;QACrD,MAAM,EAAE,IAAI,EAAE,GAAG,EAAE,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;YACzB,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAC;QACxD,CAAC;QACD,IAAI,gBAAgB,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,CAAC;YAChC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,IAAI,aAAa,EAAE,CAAC;QACnE,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;IAC7E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACjD,IACE,WAAW;YACX,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAC7E,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,0CAA0C,SAAS,CAAC,WAAW,CAAC,EAAE;aAC3E,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;IAC5E,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAClC,MAAM,WAAW,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACjD,IACE,WAAW;YACX,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAC7E,CAAC;YACD,OAAO;gBACL,KAAK,EAAE,SAAS;gBAChB,MAAM,EAAE,2CAA2C,SAAS,CAAC,WAAW,CAAC,EAAE;aAC5E,CAAC;QACJ,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EACJ,uEAAuE;SAC1E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAC5D,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;YAC7C,IAAI,OAAO,EAAE,CAAC;gBACZ,IAAI,CAAC;oBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;wBACjD,OAAO;4BACL,KAAK,EAAE,OAAO;4BACd,MAAM,EAAE,0CAA0C;yBACnD,CAAC;oBACJ,CAAC;gBACH,CAAC;gBAAC,MAAM,CAAC;oBACP,eAAe;gBACjB,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,0CAA0C;SACnD,CAAC;IACJ,CAAC;IAED,sEAAsE;IAEtE,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAChC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAC;IACnE,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,mCAAmC,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;QAClC,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,qCAAqC;SAC9C,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,EAAE,CAAC;QAChC,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,sCAAsC;SAC/C,CAAC;IACJ,CAAC;IAED,IACE,IAAI,CAAC,IAAI,KAAK,YAAY;QAC1B,IAAI,CAAC,IAAI,KAAK,YAAY;QAC1B,IAAI,CAAC,IAAI,KAAK,YAAY,EAC1B,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,0BAA0B,EAAE,CAAC;IAC/D,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EAAE,sCAAsC;qBAC/C,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,iCAAiC;SAC1C,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QAC7C,IAAI,OAAO,EAAE,CAAC;YACZ,IAAI,CAAC;gBACH,IAAI,YAAY,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;oBACjD,OAAO;wBACL,KAAK,EAAE,OAAO;wBACd,MAAM,EAAE,wCAAwC;qBACjD,CAAC;gBACJ,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,eAAe;YACjB,CAAC;QACH,CAAC;QACD,OAAO;YACL,KAAK,EAAE,SAAS;YAChB,MAAM,EAAE,mEAAmE;SAC5E,CAAC;IACJ,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC;QAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;YAC9C,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,+DAA+D;aACxE,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAC;IACjE,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,CAAC;QAC9C,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QACxB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,gCAAgC;aACzC,CAAC;QACJ,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChE,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,4BAA4B,MAAM,CAAC,QAAQ,EAAE;aACtD,CAAC;QACJ,CAAC;QACD,yEAAyE;QACzE,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO;gBACL,KAAK,EAAE,OAAO;gBACd,MAAM,EAAE,qBAAqB,OAAO,CAAC,KAAK,YAAY,MAAM,CAAC,QAAQ,EAAE;aACxE,CAAC;QACJ,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IACtD,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,EAAE,oCAAoC,EAAE,CAAC;AAC5E,CAAC"}
|
package/dist/store/config.d.ts
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
import type { Mode, ProviderId, ReasoningPreference } from "../types.js";
|
|
2
|
+
import type { SearchProviderId } from "../tools/web/types.js";
|
|
2
3
|
export type ProviderCategory = "local" | "free-cloud" | "paid-cloud";
|
|
3
4
|
export interface ClaiConfig {
|
|
4
5
|
defaultProvider: ProviderId;
|
|
@@ -26,6 +27,8 @@ export interface ClaiConfig {
|
|
|
26
27
|
historyRetentionLimit: number;
|
|
27
28
|
/** When true, fs.read/list/search must stay within sandboxRoots ∪ {cwd, $HOME}. */
|
|
28
29
|
sandboxReads: boolean;
|
|
30
|
+
/** Active search provider used by the web.search tool. */
|
|
31
|
+
activeSearchProvider: SearchProviderId;
|
|
29
32
|
}
|
|
30
33
|
/**
|
|
31
34
|
* Best-effort classification for the built-in providers. Some "free-cloud"
|
|
@@ -42,3 +45,5 @@ export declare function setProviderModel(provider: ProviderId, model: string): C
|
|
|
42
45
|
export declare function getProviderModel(provider: ProviderId): string;
|
|
43
46
|
export declare function getConfigPath(): string;
|
|
44
47
|
export declare function setThinking(patch: Partial<ReasoningPreference>): ClaiConfig;
|
|
48
|
+
export declare function getActiveSearchProvider(): SearchProviderId;
|
|
49
|
+
export declare function setActiveSearchProvider(id: SearchProviderId): ClaiConfig;
|
package/dist/store/config.js
CHANGED
|
@@ -35,6 +35,7 @@ const defaults = {
|
|
|
35
35
|
privateMode: false,
|
|
36
36
|
historyRetentionLimit: 200,
|
|
37
37
|
sandboxReads: true,
|
|
38
|
+
activeSearchProvider: "duckduckgo",
|
|
38
39
|
};
|
|
39
40
|
const store = new Conf({
|
|
40
41
|
projectName: "clai",
|
|
@@ -88,4 +89,10 @@ export function setThinking(patch) {
|
|
|
88
89
|
};
|
|
89
90
|
return updateConfig({ thinking: next });
|
|
90
91
|
}
|
|
92
|
+
export function getActiveSearchProvider() {
|
|
93
|
+
return getConfig().activeSearchProvider;
|
|
94
|
+
}
|
|
95
|
+
export function setActiveSearchProvider(id) {
|
|
96
|
+
return updateConfig({ activeSearchProvider: id });
|
|
97
|
+
}
|
|
91
98
|
//# sourceMappingURL=config.js.map
|
package/dist/store/config.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/store/config.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;
|
|
1
|
+
{"version":3,"file":"config.js","sourceRoot":"","sources":["../../src/store/config.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AAGxB,OAAO,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,oBAAoB,CAAC;AAkC1E;;;;;GAKG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAyC;IACpE,IAAI,EAAE,YAAY;IAClB,MAAM,EAAE,YAAY;IACpB,UAAU,EAAE,YAAY;IACxB,MAAM,EAAE,YAAY;IACpB,MAAM,EAAE,OAAO;IACf,MAAM,EAAE,YAAY;IACpB,SAAS,EAAE,YAAY;IACvB,WAAW,EAAE,YAAY;CAC1B,CAAC;AAEF,MAAM,QAAQ,GAAe;IAC3B,eAAe,EAAE,QAAQ;IACzB,YAAY,EAAE,aAAa,CAAC,MAAM;IAClC,WAAW,EAAE,KAAK;IAClB,cAAc,EAAE,EAAE;IAClB,gBAAgB,EAAE,EAAE;IACpB,iBAAiB,EAAE,KAAK;IACxB,YAAY,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;IAC7B,UAAU,EAAE,wBAAwB;IACpC,SAAS,EAAE,KAAK;IAChB,eAAe,EAAE,CAAC;IAClB,QAAQ,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE;IAC9C,QAAQ,EAAE,KAAK;IACf,gBAAgB,EAAE,KAAK;IACvB,OAAO,EAAE,KAAK;IACd,YAAY,EAAE,KAAK;IACnB,WAAW,EAAE,KAAK;IAClB,qBAAqB,EAAE,GAAG;IAC1B,YAAY,EAAE,IAAI;IAClB,oBAAoB,EAAE,YAAY;CACnC,CAAC;AAEF,MAAM,KAAK,GAAG,IAAI,IAAI,CAAa;IACjC,WAAW,EAAE,MAAM;IACnB,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5E,QAAQ;CACT,CAAC,CAAC;AAEH,MAAM,UAAU,SAAS;IACvB,MAAM,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC;IAC5B,MAAM,cAAc,GAAwC,EAAE,CAAC;IAC/D,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAE1E,EAAE,CAAC;QACF,cAAc,CAAC,QAAQ,CAAC,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACpE,CAAC;IACD,OAAO;QACL,GAAG,OAAO;QACV,YAAY,EAAE,qBAAqB,CACjC,OAAO,CAAC,eAAe,EACvB,OAAO,CAAC,YAAY,CACrB;QACD,cAAc;KACf,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,KAA0B;IACrD,MAAM,IAAI,GAAG,EAAE,GAAG,SAAS,EAAE,EAAE,GAAG,KAAK,EAAuB,CAAC;IAC/D,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IAChB,OAAO,SAAS,EAAE,CAAC;AACrB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAAoB;IACrD,MAAM,KAAK,GAAG,gBAAgB,CAAC,QAAQ,CAAC,CAAC;IACzC,OAAO,YAAY,CAAC,EAAE,eAAe,EAAE,QAAQ,EAAE,YAAY,EAAE,KAAK,EAAE,CAAC,CAAC;AAC1E,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,IAAU;IACvC,OAAO,YAAY,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,gBAAgB,CAC9B,QAAoB,EACpB,KAAa;IAEb,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC;IAC5B,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACzD,MAAM,cAAc,GAAG,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,QAAQ,CAAC,EAAE,SAAS,EAAE,CAAC;IAC5E,OAAO,YAAY,CAAC,EAAE,cAAc,EAAE,YAAY,EAAE,SAAS,EAAE,CAAC,CAAC;AACnE,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,QAAoB;IACnD,MAAM,UAAU,GAAG,SAAS,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IACxD,OAAO,UAAU;QACf,CAAC,CAAC,qBAAqB,CAAC,QAAQ,EAAE,UAAU,CAAC;QAC7C,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;AAC9B,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,KAAK,CAAC,IAAI,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,KAAmC;IAC7D,MAAM,OAAO,GAAG,SAAS,EAAE,CAAC,QAAQ,CAAC;IACrC,MAAM,IAAI,GAAwB;QAChC,OAAO,EAAE,KAAK,CAAC,OAAO,IAAI,OAAO,CAAC,OAAO;QACzC,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,OAAO,CAAC,MAAM;KACvC,CAAC;IACF,OAAO,YAAY,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,uBAAuB;IACrC,OAAO,SAAS,EAAE,CAAC,oBAAoB,CAAC;AAC1C,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,EAAoB;IAC1D,OAAO,YAAY,CAAC,EAAE,oBAAoB,EAAE,EAAE,EAAE,CAAC,CAAC;AACpD,CAAC"}
|
package/dist/store/keys.d.ts
CHANGED
|
@@ -1,12 +1,76 @@
|
|
|
1
1
|
import type { ProviderId, ProviderStatus } from '../types.js';
|
|
2
|
+
import { maskSecret } from '../llm/provider.js';
|
|
3
|
+
import type { SearchProviderId } from '../tools/web/types.js';
|
|
4
|
+
/**
|
|
5
|
+
* Logical namespace for a stored secret. Search-provider keys live in the
|
|
6
|
+
* same keyring service as LLM keys but under separate accounts so the two
|
|
7
|
+
* keyspaces never collide.
|
|
8
|
+
*/
|
|
9
|
+
export type SecretNamespace = 'llm' | 'search';
|
|
10
|
+
/** Where a resolved secret value originated. Mirrors `ProviderStatus.source`. */
|
|
11
|
+
export type SecretSource = ProviderStatus['source'];
|
|
2
12
|
export declare function getFallbackKeysPath(): string;
|
|
13
|
+
/**
|
|
14
|
+
* Compose the keychain account name used for a `(namespace, id)` pair.
|
|
15
|
+
* Exposed so tests and callers can inspect the exact account string.
|
|
16
|
+
*/
|
|
17
|
+
export declare function secretAccount(namespace: SecretNamespace, id: string): string;
|
|
18
|
+
export declare function searchProviderEnvVar(id: SearchProviderId): string | undefined;
|
|
19
|
+
/**
|
|
20
|
+
* Read a secret out of the OS keychain (preferred) or the restricted-permission
|
|
21
|
+
* plaintext fallback file. Returns `{ source: 'missing' }` when neither
|
|
22
|
+
* backend has a value.
|
|
23
|
+
*
|
|
24
|
+
* Legacy LLM entries that still live under the bare `<provider>` account
|
|
25
|
+
* name (no namespace prefix) are migrated lazily into `llm:<provider>` on
|
|
26
|
+
* first read so older installs keep working without manual intervention.
|
|
27
|
+
*/
|
|
28
|
+
export declare function getSecret(namespace: SecretNamespace, id: string): Promise<{
|
|
29
|
+
value?: string;
|
|
30
|
+
source: SecretSource;
|
|
31
|
+
}>;
|
|
32
|
+
/**
|
|
33
|
+
* Persist `value` for `(namespace, id)`. Tries the OS keychain first; on
|
|
34
|
+
* failure (module missing, runtime error, or permission denied) writes the
|
|
35
|
+
* value into the restricted-permission plaintext fallback file at
|
|
36
|
+
* `~/.clai/keys.json`. Returns the chosen storage backend so callers can
|
|
37
|
+
* surface the plaintext-fallback warning.
|
|
38
|
+
*/
|
|
39
|
+
export declare function setSecret(namespace: SecretNamespace, id: string, value: string): Promise<'keychain' | 'fallback'>;
|
|
40
|
+
/**
|
|
41
|
+
* Best-effort delete: removes the secret from both the keychain and the
|
|
42
|
+
* fallback file. Never throws on keychain errors so unset always cleans
|
|
43
|
+
* up the on-disk fallback even when the OS keystore is unreachable.
|
|
44
|
+
*/
|
|
45
|
+
export declare function unsetSecret(namespace: SecretNamespace, id: string): Promise<void>;
|
|
3
46
|
export declare function envValue(provider: ProviderId): string | undefined;
|
|
47
|
+
/**
|
|
48
|
+
* Resolve an LLM provider's secret using the precedence:
|
|
49
|
+
*
|
|
50
|
+
* 1. Provider env var (e.g. `GROQ_API_KEY`)
|
|
51
|
+
* 2. OS keychain account `llm:<provider>` (with lazy migration of the
|
|
52
|
+
* legacy bare `<provider>` account)
|
|
53
|
+
* 3. Restricted-permission plaintext fallback file
|
|
54
|
+
*
|
|
55
|
+
* `ollama` is special-cased: it has no API key, only a base URL drawn from
|
|
56
|
+
* `OLLAMA_HOST` or the user-config `ollamaHost`.
|
|
57
|
+
*/
|
|
4
58
|
export declare function getProviderSecret(provider: ProviderId): Promise<{
|
|
5
59
|
value?: string;
|
|
6
60
|
source: ProviderStatus['source'];
|
|
7
61
|
}>;
|
|
8
62
|
export declare function setProviderSecret(provider: ProviderId, secret: string): Promise<'keychain' | 'fallback'>;
|
|
9
63
|
export declare function unsetProviderSecret(provider: ProviderId): Promise<void>;
|
|
64
|
+
/**
|
|
65
|
+
* Resolve a search-provider's API key using the precedence required by
|
|
66
|
+
* Requirement 3.3: env var → keychain `search:<id>` → fallback file →
|
|
67
|
+
* `undefined`. DuckDuckGo has no env var and no key, so it returns
|
|
68
|
+
* `{ source: 'missing' }` unless a key has been explicitly set.
|
|
69
|
+
*/
|
|
70
|
+
export declare function getSearchProviderKey(id: SearchProviderId): Promise<{
|
|
71
|
+
value?: string;
|
|
72
|
+
source: SecretSource;
|
|
73
|
+
}>;
|
|
10
74
|
export type KeychainStatus = {
|
|
11
75
|
available: true;
|
|
12
76
|
} | {
|
|
@@ -22,3 +86,4 @@ export type KeychainStatus = {
|
|
|
22
86
|
*/
|
|
23
87
|
export declare function probeKeychain(): Promise<KeychainStatus>;
|
|
24
88
|
export declare function listProviderStatuses(activeProvider: ProviderId): Promise<ProviderStatus[]>;
|
|
89
|
+
export { maskSecret };
|
package/dist/store/keys.js
CHANGED
|
@@ -87,6 +87,138 @@ async function writeFallback(keys) {
|
|
|
87
87
|
export function getFallbackKeysPath() {
|
|
88
88
|
return keysFile;
|
|
89
89
|
}
|
|
90
|
+
/**
|
|
91
|
+
* Compose the keychain account name used for a `(namespace, id)` pair.
|
|
92
|
+
* Exposed so tests and callers can inspect the exact account string.
|
|
93
|
+
*/
|
|
94
|
+
export function secretAccount(namespace, id) {
|
|
95
|
+
return `${namespace}:${id}`;
|
|
96
|
+
}
|
|
97
|
+
/**
|
|
98
|
+
* Env-var name used for a search provider's API key, per Requirement 3.3.
|
|
99
|
+
* Returns `undefined` for keyless providers (DuckDuckGo).
|
|
100
|
+
*/
|
|
101
|
+
const searchProviderEnvVars = {
|
|
102
|
+
brave: 'BRAVE_SEARCH_API_KEY',
|
|
103
|
+
tavily: 'TAVILY_API_KEY',
|
|
104
|
+
duckduckgo: undefined,
|
|
105
|
+
};
|
|
106
|
+
export function searchProviderEnvVar(id) {
|
|
107
|
+
return searchProviderEnvVars[id];
|
|
108
|
+
}
|
|
109
|
+
// ---------------------------------------------------------------------------
|
|
110
|
+
// Low-level namespaced secret API
|
|
111
|
+
// ---------------------------------------------------------------------------
|
|
112
|
+
/**
|
|
113
|
+
* Read a secret out of the OS keychain (preferred) or the restricted-permission
|
|
114
|
+
* plaintext fallback file. Returns `{ source: 'missing' }` when neither
|
|
115
|
+
* backend has a value.
|
|
116
|
+
*
|
|
117
|
+
* Legacy LLM entries that still live under the bare `<provider>` account
|
|
118
|
+
* name (no namespace prefix) are migrated lazily into `llm:<provider>` on
|
|
119
|
+
* first read so older installs keep working without manual intervention.
|
|
120
|
+
*/
|
|
121
|
+
export async function getSecret(namespace, id) {
|
|
122
|
+
const account = secretAccount(namespace, id);
|
|
123
|
+
// Keychain — primary store.
|
|
124
|
+
const keychainResult = await withKeytar((keytar) => keytar.getPassword(serviceName, account));
|
|
125
|
+
if (keychainResult.ok && keychainResult.value) {
|
|
126
|
+
return { value: keychainResult.value, source: 'keychain' };
|
|
127
|
+
}
|
|
128
|
+
// Lazy migration of pre-namespaced LLM entries. Older clai versions
|
|
129
|
+
// wrote `setPassword(serviceName, providerId, ...)` with no `llm:`
|
|
130
|
+
// prefix; pick those up once and copy them into the new account name.
|
|
131
|
+
if (namespace === 'llm') {
|
|
132
|
+
const legacy = await withKeytar((keytar) => keytar.getPassword(serviceName, id));
|
|
133
|
+
if (legacy.ok && legacy.value) {
|
|
134
|
+
const migrated = await withKeytar((keytar) => keytar.setPassword(serviceName, account, legacy.value));
|
|
135
|
+
if (migrated.ok) {
|
|
136
|
+
await withKeytar((keytar) => keytar.deletePassword(serviceName, id));
|
|
137
|
+
}
|
|
138
|
+
return { value: legacy.value, source: 'keychain' };
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
// Fallback file — accept both namespaced and legacy bare-id keys.
|
|
142
|
+
const fallback = await readFallback();
|
|
143
|
+
const namespacedValue = fallback[account];
|
|
144
|
+
if (namespacedValue) {
|
|
145
|
+
return { value: namespacedValue, source: 'fallback' };
|
|
146
|
+
}
|
|
147
|
+
if (namespace === 'llm') {
|
|
148
|
+
const legacyValue = fallback[id];
|
|
149
|
+
if (legacyValue) {
|
|
150
|
+
// Migrate the legacy key in place so subsequent reads find it
|
|
151
|
+
// under the namespaced account name.
|
|
152
|
+
delete fallback[id];
|
|
153
|
+
fallback[account] = legacyValue;
|
|
154
|
+
await writeFallback(fallback);
|
|
155
|
+
return { value: legacyValue, source: 'fallback' };
|
|
156
|
+
}
|
|
157
|
+
}
|
|
158
|
+
return { source: 'missing' };
|
|
159
|
+
}
|
|
160
|
+
/**
|
|
161
|
+
* Persist `value` for `(namespace, id)`. Tries the OS keychain first; on
|
|
162
|
+
* failure (module missing, runtime error, or permission denied) writes the
|
|
163
|
+
* value into the restricted-permission plaintext fallback file at
|
|
164
|
+
* `~/.clai/keys.json`. Returns the chosen storage backend so callers can
|
|
165
|
+
* surface the plaintext-fallback warning.
|
|
166
|
+
*/
|
|
167
|
+
export async function setSecret(namespace, id, value) {
|
|
168
|
+
const account = secretAccount(namespace, id);
|
|
169
|
+
const keychainResult = await withKeytar((keytar) => keytar.setPassword(serviceName, account, value));
|
|
170
|
+
if (keychainResult.ok) {
|
|
171
|
+
// Best-effort cleanup of any legacy bare-id entry so the namespaced
|
|
172
|
+
// account is the single source of truth going forward.
|
|
173
|
+
if (namespace === 'llm') {
|
|
174
|
+
await withKeytar((keytar) => keytar.deletePassword(serviceName, id));
|
|
175
|
+
}
|
|
176
|
+
return 'keychain';
|
|
177
|
+
}
|
|
178
|
+
const fallback = await readFallback();
|
|
179
|
+
fallback[account] = value;
|
|
180
|
+
if (namespace === 'llm')
|
|
181
|
+
delete fallback[id];
|
|
182
|
+
await writeFallback(fallback);
|
|
183
|
+
return 'fallback';
|
|
184
|
+
}
|
|
185
|
+
/**
|
|
186
|
+
* Best-effort delete: removes the secret from both the keychain and the
|
|
187
|
+
* fallback file. Never throws on keychain errors so unset always cleans
|
|
188
|
+
* up the on-disk fallback even when the OS keystore is unreachable.
|
|
189
|
+
*/
|
|
190
|
+
export async function unsetSecret(namespace, id) {
|
|
191
|
+
const account = secretAccount(namespace, id);
|
|
192
|
+
await withKeytar((keytar) => keytar.deletePassword(serviceName, account));
|
|
193
|
+
if (namespace === 'llm') {
|
|
194
|
+
// Sweep the legacy bare-id entry too so partially migrated installs
|
|
195
|
+
// get a clean unset.
|
|
196
|
+
await withKeytar((keytar) => keytar.deletePassword(serviceName, id));
|
|
197
|
+
}
|
|
198
|
+
if (existsSync(keysFile)) {
|
|
199
|
+
const fallback = await readFallback();
|
|
200
|
+
let mutated = false;
|
|
201
|
+
if (account in fallback) {
|
|
202
|
+
delete fallback[account];
|
|
203
|
+
mutated = true;
|
|
204
|
+
}
|
|
205
|
+
if (namespace === 'llm' && id in fallback) {
|
|
206
|
+
delete fallback[id];
|
|
207
|
+
mutated = true;
|
|
208
|
+
}
|
|
209
|
+
if (mutated) {
|
|
210
|
+
if (Object.keys(fallback).length === 0) {
|
|
211
|
+
await rm(keysFile, { force: true });
|
|
212
|
+
}
|
|
213
|
+
else {
|
|
214
|
+
await writeFallback(fallback);
|
|
215
|
+
}
|
|
216
|
+
}
|
|
217
|
+
}
|
|
218
|
+
}
|
|
219
|
+
// ---------------------------------------------------------------------------
|
|
220
|
+
// Provider-facing helpers
|
|
221
|
+
// ---------------------------------------------------------------------------
|
|
90
222
|
export function envValue(provider) {
|
|
91
223
|
const envVar = envVars[provider];
|
|
92
224
|
if (!envVar) {
|
|
@@ -95,6 +227,17 @@ export function envValue(provider) {
|
|
|
95
227
|
const value = process.env[envVar];
|
|
96
228
|
return value && value.length > 0 ? value : undefined;
|
|
97
229
|
}
|
|
230
|
+
/**
|
|
231
|
+
* Resolve an LLM provider's secret using the precedence:
|
|
232
|
+
*
|
|
233
|
+
* 1. Provider env var (e.g. `GROQ_API_KEY`)
|
|
234
|
+
* 2. OS keychain account `llm:<provider>` (with lazy migration of the
|
|
235
|
+
* legacy bare `<provider>` account)
|
|
236
|
+
* 3. Restricted-permission plaintext fallback file
|
|
237
|
+
*
|
|
238
|
+
* `ollama` is special-cased: it has no API key, only a base URL drawn from
|
|
239
|
+
* `OLLAMA_HOST` or the user-config `ollamaHost`.
|
|
240
|
+
*/
|
|
98
241
|
export async function getProviderSecret(provider) {
|
|
99
242
|
const env = envValue(provider);
|
|
100
243
|
if (env) {
|
|
@@ -103,43 +246,32 @@ export async function getProviderSecret(provider) {
|
|
|
103
246
|
if (provider === 'ollama') {
|
|
104
247
|
return { value: getConfig().ollamaHost, source: 'local' };
|
|
105
248
|
}
|
|
106
|
-
|
|
107
|
-
if (keychainResult.ok && keychainResult.value) {
|
|
108
|
-
return { value: keychainResult.value, source: 'keychain' };
|
|
109
|
-
}
|
|
110
|
-
const fallback = await readFallback();
|
|
111
|
-
const fromFallback = fallback[provider];
|
|
112
|
-
if (fromFallback) {
|
|
113
|
-
return { value: fromFallback, source: 'fallback' };
|
|
114
|
-
}
|
|
115
|
-
return { source: 'missing' };
|
|
249
|
+
return getSecret('llm', provider);
|
|
116
250
|
}
|
|
117
251
|
export async function setProviderSecret(provider, secret) {
|
|
118
252
|
if (provider === 'ollama') {
|
|
119
253
|
return 'fallback';
|
|
120
254
|
}
|
|
121
|
-
|
|
122
|
-
if (keychainResult.ok)
|
|
123
|
-
return 'keychain';
|
|
124
|
-
const fallback = await readFallback();
|
|
125
|
-
fallback[provider] = secret;
|
|
126
|
-
await writeFallback(fallback);
|
|
127
|
-
return 'fallback';
|
|
255
|
+
return setSecret('llm', provider, secret);
|
|
128
256
|
}
|
|
129
257
|
export async function unsetProviderSecret(provider) {
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
258
|
+
await unsetSecret('llm', provider);
|
|
259
|
+
}
|
|
260
|
+
/**
|
|
261
|
+
* Resolve a search-provider's API key using the precedence required by
|
|
262
|
+
* Requirement 3.3: env var → keychain `search:<id>` → fallback file →
|
|
263
|
+
* `undefined`. DuckDuckGo has no env var and no key, so it returns
|
|
264
|
+
* `{ source: 'missing' }` unless a key has been explicitly set.
|
|
265
|
+
*/
|
|
266
|
+
export async function getSearchProviderKey(id) {
|
|
267
|
+
const envVar = searchProviderEnvVars[id];
|
|
268
|
+
if (envVar) {
|
|
269
|
+
const fromEnv = process.env[envVar];
|
|
270
|
+
if (fromEnv && fromEnv.length > 0) {
|
|
271
|
+
return { value: fromEnv, source: 'env' };
|
|
141
272
|
}
|
|
142
273
|
}
|
|
274
|
+
return getSecret('search', id);
|
|
143
275
|
}
|
|
144
276
|
/**
|
|
145
277
|
* Probes the OS keychain by performing a harmless read against a marker
|
|
@@ -180,4 +312,8 @@ export async function listProviderStatuses(activeProvider) {
|
|
|
180
312
|
}
|
|
181
313
|
return statuses;
|
|
182
314
|
}
|
|
315
|
+
// Re-export the mask helper so search-provider listings (and any other
|
|
316
|
+
// consumer that already imports from `./store/keys.js`) use the same
|
|
317
|
+
// masking rule as `clai keys` for LLM entries (Requirement 3.6).
|
|
318
|
+
export { maskSecret };
|
|
183
319
|
//# sourceMappingURL=keys.js.map
|