@phuetz/code-buddy 0.1.25 → 0.2.0

package/dist/security/shell-env-policy.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Shell Environment Policy — Codex-inspired subprocess env control
+ *
+ * Controls which environment variables are passed to every subprocess
+ * the agent spawns. Prevents accidental leakage of API keys and
+ * credentials to untrusted subprocess environments.
+ *
+ * Config (via [shell_env] in .codebuddy/config.toml):
+ *
+ *   [shell_env]
+ *   inherit = "all"          # all | core | none
+ *   exclude = ["*SECRET*", "*TOKEN*", "*KEY*", "*PASSWORD*"]
+ *   include_only = []        # if set, only these vars pass (overrides exclude)
+ *   # set = { NODE_ENV = "production" }  # always-injected overrides
+ *
+ * Defaults strip variables matching common credential patterns while
+ * preserving PATH, HOME, USER, SHELL, TERM, LANG, etc.
+ */
+/** Baseline inheritance mode */
+export type EnvInheritMode = 'all' | 'core' | 'none';
+export interface ShellEnvPolicyConfig {
+    /** How many env vars to start with */
+    inherit?: EnvInheritMode;
+    /** Glob-style patterns to strip from inherited env */
+    exclude?: string[];
+    /** If non-empty, ONLY these vars are passed (overrides exclude) */
+    include_only?: string[];
+    /** Key/value pairs always injected into every subprocess env */
+    set?: Record<string, string>;
+}
+export declare class ShellEnvPolicy {
+    private config;
+    constructor(config?: ShellEnvPolicyConfig);
+    /**
+     * Build a filtered environment object for subprocess spawning.
+     * Returns a new object — never mutates process.env.
+     */
+    buildEnv(source?: NodeJS.ProcessEnv): NodeJS.ProcessEnv;
+    /**
+     * Check if a specific env var would be passed through.
+     */
+    wouldPass(key: string): boolean;
+}
+export declare function getShellEnvPolicy(config?: ShellEnvPolicyConfig): ShellEnvPolicy;
+export declare function resetShellEnvPolicy(): void;

package/dist/security/shell-env-policy.js

@@ -0,0 +1,141 @@
+/**
+ * Shell Environment Policy — Codex-inspired subprocess env control
+ *
+ * Controls which environment variables are passed to every subprocess
+ * the agent spawns. Prevents accidental leakage of API keys and
+ * credentials to untrusted subprocess environments.
+ *
+ * Config (via [shell_env] in .codebuddy/config.toml):
+ *
+ *   [shell_env]
+ *   inherit = "all"          # all | core | none
+ *   exclude = ["*SECRET*", "*TOKEN*", "*KEY*", "*PASSWORD*"]
+ *   include_only = []        # if set, only these vars pass (overrides exclude)
+ *   # set = { NODE_ENV = "production" }  # always-injected overrides
+ *
+ * Defaults strip variables matching common credential patterns while
+ * preserving PATH, HOME, USER, SHELL, TERM, LANG, etc.
+ */
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Core variable sets
+// ============================================================================
+/** Always-safe variables for 'core' mode */
+const CORE_VARS = new Set([
+    'PATH', 'HOME', 'USER', 'LOGNAME', 'SHELL', 'TERM', 'TERM_PROGRAM',
+    'LANG', 'LC_ALL', 'LC_CTYPE', 'TZ', 'TMPDIR', 'TEMP', 'TMP',
+    'PWD', 'OLDPWD', 'SHLVL', 'COLORTERM', 'CLICOLOR',
+    // Node.js / npm
+    'NODE_ENV', 'NODE_PATH', 'NPM_CONFIG_PREFIX',
+    // Common CI vars (non-sensitive)
+    'CI', 'GITHUB_ACTIONS', 'GITLAB_CI',
+]);
+/** Default exclusion glob patterns (credential-like names) */
+const DEFAULT_EXCLUDE_PATTERNS = [
+    '*_KEY', '*_SECRET', '*_TOKEN', '*_PASSWORD', '*_PASSWD',
+    '*_CREDENTIAL', '*_CREDENTIALS', '*_CERT', '*_PRIVATE*',
+    'AWS_*', 'OPENAI_*', 'ANTHROPIC_*', 'GOOGLE_*API*',
+    'GROK_API*', 'MORPH_API*', 'EXA_API*', 'BRAVE_API*',
+    'PERPLEXITY_API*', 'OPENROUTER_API*', 'PICOVOICE_*',
+    'DATABASE_URL', 'MONGO_*', 'REDIS_*', 'POSTGRES_*', 'MYSQL_*',
+    'JWT_SECRET', 'SESSION_SECRET', 'COOKIE_SECRET',
+    'SLACK_*TOKEN*', 'TELEGRAM_*TOKEN*', 'DISCORD_*TOKEN*',
+    'STRIPE_*', 'TWILIO_*', 'SENDGRID_*',
+];
+// ============================================================================
+// Glob-style pattern matching (lightweight, no deps)
+// ============================================================================
+function globMatch(pattern, str) {
+    // Convert glob to regex: * → [^_]* within a word segment, handle leading/trailing *
+    const regexStr = pattern
+        .toUpperCase()
+        .replace(/[.+^${}()|[\]\\]/g, '\\$&') // escape regex special chars
+        .replace(/\*/g, '.*');
+    try {
+        return new RegExp(`^${regexStr}$`).test(str.toUpperCase());
+    }
+    catch {
+        return false;
+    }
+}
+function matchesAny(patterns, key) {
+    return patterns.some(p => globMatch(p, key));
+}
+// ============================================================================
+// ShellEnvPolicy
+// ============================================================================
+export class ShellEnvPolicy {
+    config;
+    constructor(config = {}) {
+        this.config = {
+            inherit: config.inherit ?? 'all',
+            exclude: config.exclude ?? DEFAULT_EXCLUDE_PATTERNS,
+            include_only: config.include_only ?? [],
+            set: config.set ?? {},
+        };
+    }
+    /**
+     * Build a filtered environment object for subprocess spawning.
+     * Returns a new object — never mutates process.env.
+     */
+    buildEnv(source = process.env) {
+        let env = {};
+        // Step 1: baseline from inherit mode
+        if (this.config.inherit === 'all') {
+            env = { ...source };
+        }
+        else if (this.config.inherit === 'core') {
+            for (const key of Object.keys(source)) {
+                if (CORE_VARS.has(key)) {
+                    env[key] = source[key];
+                }
+            }
+        }
+        // 'none' starts with empty {}
+        // Step 2: apply include_only whitelist (takes priority over exclude)
+        if (this.config.include_only.length > 0) {
+            const whitelisted = {};
+            for (const key of Object.keys(env)) {
+                if (matchesAny(this.config.include_only, key)) {
+                    whitelisted[key] = env[key];
+                }
+            }
+            env = whitelisted;
+        }
+        else {
+            // Step 3: apply exclude patterns
+            for (const key of Object.keys(env)) {
+                if (matchesAny(this.config.exclude, key)) {
+                    delete env[key];
+                    logger.debug(`ShellEnvPolicy: stripped env var ${key}`);
+                }
+            }
+        }
+        // Step 4: inject forced overrides
+        for (const [key, value] of Object.entries(this.config.set)) {
+            env[key] = value;
+        }
+        return env;
+    }
+    /**
+     * Check if a specific env var would be passed through.
+     */
+    wouldPass(key) {
+        const built = this.buildEnv({ [key]: 'test' });
+        return key in built;
+    }
+}
+// ============================================================================
+// Singleton
+// ============================================================================
+let _policy = null;
+export function getShellEnvPolicy(config) {
+    if (!_policy) {
+        _policy = new ShellEnvPolicy(config);
+    }
+    return _policy;
+}
+export function resetShellEnvPolicy() {
+    _policy = null;
+}
+//# sourceMappingURL=shell-env-policy.js.map

package/dist/security/shell-env-policy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"shell-env-policy.js","sourceRoot":"","sources":["../../src/security/shell-env-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAoB5C,+EAA+E;AAC/E,qBAAqB;AACrB,+EAA+E;AAE/E,4CAA4C;AAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,cAAc;IAClE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK;IAC3D,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,WAAW,EAAE,UAAU;IACjD,gBAAgB;IAChB,UAAU,EAAE,WAAW,EAAE,mBAAmB;IAC5C,iCAAiC;IACjC,IAAI,EAAE,gBAAgB,EAAE,WAAW;CACpC,CAAC,CAAC;AAEH,8DAA8D;AAC9D,MAAM,wBAAwB,GAAG;IAC/B,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,YAAY,EAAE,UAAU;IACxD,cAAc,EAAE,eAAe,EAAE,QAAQ,EAAE,YAAY;IACvD,OAAO,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc;IAClD,WAAW,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY;IACnD,iBAAiB,EAAE,iBAAiB,EAAE,aAAa;IACnD,cAAc,EAAE,SAAS,EAAE,SAAS,EAAE,YAAY,EAAE,SAAS;IAC7D,YAAY,EAAE,gBAAgB,EAAE,eAAe;IAC/C,eAAe,EAAE,kBAAkB,EAAE,iBAAiB;IACtD,UAAU,EAAE,UAAU,EAAE,YAAY;CACrC,CAAC;AAEF,+EAA+E;AAC/E,qDAAqD;AACrD,+EAA+E;AAE/E,SAAS,SAAS,CAAC,OAAe,EAAE,GAAW;IAC7C,oFAAoF;IACpF,MAAM,QAAQ,GAAG,OAAO;SACrB,WAAW,EAAE;SACb,OAAO,CAAC,mBAAmB,EAAE,MAAM,CAAC,CAAC,6BAA6B;SAClE,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACxB,IAAI,CAAC;QACH,OAAO,IAAI,MAAM,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC;IAC7D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,QAAkB,EAAE,GAAW;IACjD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E,MAAM,OAAO,cAAc;IACjB,MAAM,CAAiC;IAE/C,YAAY,SAA+B,EAAE;QAC3C,IAAI,CAAC,MAAM,GAAG;YACZ,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,KAAK;YAChC,OAAO,EAAE,MAAM,CAAC,OAAO,IAAI,wBAAwB;YACnD,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YACvC,GAAG,EAAE,MAAM,CAAC,GAAG,IAAI,EAAE;SACtB,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,QAAQ,CAAC,SAA4B,OAAO,CAAC,GAAG;QAC9C,IAAI,GAAG,GAAsB,EAAE,CAAC;QAEhC,qCAAqC;QACrC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YAClC,GAAG,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QACtB,CAAC;aAAM,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;YAC1C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;gBACtC,IAAI,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;oBACvB,GAAG,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;gBACzB,CAAC;YACH,CAAC;QACH,CAAC;QACD,8BAA8B;QAE9B,qEAAqE;QACrE,IAAI,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACxC,MAAM,WAAW,GAAsB,EAAE,CAAC;YAC1C,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,GAAG,CAAC,EAAE,CAAC;oBAC9C,WAAW,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;YACD,GAAG,GAAG,WAAW,CAAC;QACpB,CAAC;aAAM,CAAC;YACN,iCAAiC;YACjC,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,IAAI,UAAU,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC,EAAE,CAAC;oBACzC,OAAO,GAAG,CAAC,GAAG,CAAC,CAAC;oBAChB,MAAM,CAAC,KAAK,CAAC,oCAAoC,GAAG,EAAE,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACnB,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;OAEG;IACH,SAAS,CAAC,GAAW;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/C,OAAO,GAAG,IAAI,KAAK,CAAC;IACtB,CAAC;CACF;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,OAAO,GAA0B,IAAI,CAAC;AAE1C,MAAM,UAAU,iBAAiB,CAAC,MAA6B;IAC7D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,GAAG,IAAI,cAAc,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,GAAG,IAAI,CAAC;AACjB,CAAC"}

package/dist/security/ssrf-guard.d.ts

@@ -0,0 +1,61 @@
+/**
+ * SSRF Guard — OpenClaw-inspired server-side request forgery protection
+ *
+ * Applied to all outbound HTTP calls made by the agent (web_fetch, media
+ * download, webhook delivery). Blocks all private/loopback/link-local
+ * addresses including advanced bypass vectors:
+ *
+ * - RFC 1918 / loopback / link-local IPv4
+ * - IPv4-mapped IPv6 (::ffff:127.0.0.1), full-form variants
+ * - NAT64 prefix (64:ff9b::/96, 64:ff9b:1::/48)
+ * - 6to4 (2002::/16)
+ * - Teredo (2001:0000::/32)
+ * - Octal, hex, short, packed IPv4 literals (0177.0.0.1, 127.1, 2130706433)
+ * - Sensitive headers stripped on cross-origin redirects
+ *
+ * Fails **closed** on parse errors (unknown format → blocked).
+ */
+export interface SSRFCheckResult {
+    safe: boolean;
+    reason?: string;
+}
+export interface SSRFGuardConfig {
+    /** Additional allowed hosts (exact hostname or *.domain.com wildcard) */
+    allowedHosts?: string[];
+    /** Additional blocked CIDR-like ranges (for extension) */
+    extraBlockedHosts?: string[];
+    /** Resolve DNS and check each returned IP (default: true) */
+    resolveDns?: boolean;
+}
+export declare class SSRFGuard {
+    private config;
+    constructor(config?: SSRFGuardConfig);
+    /**
+     * Check if a URL is safe to fetch.
+     * Resolves the hostname to IP(s) and validates each one.
+     *
+     * @returns `{safe: true}` if the URL is safe, or `{safe: false, reason}` otherwise.
+     */
+    isSafeUrl(rawUrl: string): Promise<SSRFCheckResult>;
+    /**
+     * Synchronous check for IP literals only (no DNS).
+     * Use for fast path when URL is already an IP literal.
+     */
+    isSafeUrlSync(rawUrl: string): SSRFCheckResult;
+    private isAllowedHost;
+    /** Returns null if not an IP literal */
+    private checkIpLiteral;
+    private checkIPv4String;
+    private checkIPv4Uint32;
+    private checkIPv6;
+}
+export declare function getSSRFGuard(config?: SSRFGuardConfig): SSRFGuard;
+export declare function resetSSRFGuard(): void;
+/**
+ * Convenience wrapper — use in web_fetch, webhook delivery, media download.
+ *
+ * @example
+ * const check = await assertSafeUrl(url);
+ * if (!check.safe) throw new Error(`SSRF blocked: ${check.reason}`);
+ */
+export declare function assertSafeUrl(url: string): Promise<SSRFCheckResult>;

package/dist/security/ssrf-guard.js

@@ -0,0 +1,382 @@
+/**
+ * SSRF Guard — OpenClaw-inspired server-side request forgery protection
+ *
+ * Applied to all outbound HTTP calls made by the agent (web_fetch, media
+ * download, webhook delivery). Blocks all private/loopback/link-local
+ * addresses including advanced bypass vectors:
+ *
+ * - RFC 1918 / loopback / link-local IPv4
+ * - IPv4-mapped IPv6 (::ffff:127.0.0.1), full-form variants
+ * - NAT64 prefix (64:ff9b::/96, 64:ff9b:1::/48)
+ * - 6to4 (2002::/16)
+ * - Teredo (2001:0000::/32)
+ * - Octal, hex, short, packed IPv4 literals (0177.0.0.1, 127.1, 2130706433)
+ * - Sensitive headers stripped on cross-origin redirects
+ *
+ * Fails **closed** on parse errors (unknown format → blocked).
+ */
+import * as dns from 'dns/promises';
+import { logger } from '../utils/logger.js';
+// ============================================================================
+// Private IP range matchers (IPv4)
+// ============================================================================
+/** Parse decimal, octal (0177.0.0.1), hex (0x7f000001), short forms (127.1) to uint32 */
+function parseIPv4ToUint32(host) {
+    // Hex: 0x7f000001
+    if (/^0x[0-9a-f]+$/i.test(host)) {
+        const n = parseInt(host, 16);
+        return isNaN(n) ? null : n >>> 0;
+    }
+    // Pure decimal integer: 2130706433
+    if (/^\d+$/.test(host)) {
+        const n = parseInt(host, 10);
+        return isNaN(n) ? null : n >>> 0;
+    }
+    // Dotted notation: handles decimal, octal, hex per-octet and short forms
+    const parts = host.split('.');
+    if (parts.length < 1 || parts.length > 4)
+        return null;
+    const octets = [];
+    for (const part of parts) {
+        let val;
+        if (/^0x[0-9a-f]+$/i.test(part)) {
+            val = parseInt(part, 16);
+        }
+        else if (/^0[0-7]+$/.test(part)) {
+            val = parseInt(part, 8); // octal
+        }
+        else if (/^\d+$/.test(part)) {
+            val = parseInt(part, 10);
+        }
+        else {
+            return null;
+        }
+        if (isNaN(val) || val < 0)
+            return null;
+        octets.push(val);
+    }
+    // Short-form expansion: 127.1 → 127.0.0.1, 10.1.2 → 10.1.0.2
+    while (octets.length < 4) {
+        const last = octets.pop();
+        // last octet expands into remaining spots (like inet_aton)
+        octets.push(0);
+        octets.push(last);
+    }
+    if (octets.some(o => o > 255))
+        return null;
+    return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
+}
+function isPrivateIPv4(uint32) {
+    // 0.0.0.0/8 — This network
+    if ((uint32 & 0xff000000) === 0x00000000)
+        return true;
+    // 10.0.0.0/8
+    if ((uint32 & 0xff000000) === 0x0a000000)
+        return true;
+    // 100.64.0.0/10 — Shared address space (RFC 6598)
+    if ((uint32 & 0xffc00000) === 0x64400000)
+        return true;
+    // 127.0.0.0/8 — Loopback
+    if ((uint32 & 0xff000000) === 0x7f000000)
+        return true;
+    // 169.254.0.0/16 — Link-local / AWS metadata
+    if ((uint32 & 0xffff0000) === 0xa9fe0000)
+        return true;
+    // 172.16.0.0/12
+    if ((uint32 & 0xfff00000) === 0xac100000)
+        return true;
+    // 192.0.0.0/24 — IETF protocol assignments
+    if ((uint32 & 0xffffff00) === 0xc0000000)
+        return true;
+    // 192.168.0.0/16
+    if ((uint32 & 0xffff0000) === 0xc0a80000)
+        return true;
+    // 198.18.0.0/15 — Benchmark testing
+    if ((uint32 & 0xfffe0000) === 0xc6120000)
+        return true;
+    // 198.51.100.0/24 — TEST-NET-2
+    if ((uint32 & 0xffffff00) === 0xc6336400)
+        return true;
+    // 203.0.113.0/24 — TEST-NET-3
+    if ((uint32 & 0xffffff00) === 0xcb007100)
+        return true;
+    // 224.0.0.0/4 — Multicast
+    if ((uint32 & 0xf0000000) === 0xe0000000)
+        return true;
+    // 240.0.0.0/4 — Reserved
+    if ((uint32 & 0xf0000000) === 0xf0000000)
+        return true;
+    // 255.255.255.255
+    if (uint32 === 0xffffffff)
+        return true;
+    return false;
+}
+// ============================================================================
+// IPv6 private range detection
+// ============================================================================
+/** Expand a possibly compressed IPv6 address to 8 groups of uint16 */
+function expandIPv6(address) {
+    try {
+        // Handle IPv4-mapped: ::ffff:1.2.3.4
+        const v4mapped = address.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+        if (v4mapped) {
+            const v4 = parseIPv4ToUint32(v4mapped[1]);
+            if (v4 === null)
+                return null;
+            return [0, 0, 0, 0, 0, 0xffff, (v4 >>> 16) & 0xffff, v4 & 0xffff];
+        }
+        if (!address.includes(':'))
+            return null;
+        // Split on ::
+        const halves = address.split('::');
+        if (halves.length > 2)
+            return null;
+        const parseGroups = (s) => {
+            if (s === '')
+                return [];
+            return s.split(':').map(g => {
+                // Handle embedded IPv4 in last two groups
+                if (g.includes('.')) {
+                    const v4 = parseIPv4ToUint32(g);
+                    return v4 !== null ? [((v4 >>> 16) & 0xffff), v4 & 0xffff] : null;
+                }
+                const n = parseInt(g, 16);
+                return isNaN(n) ? null : [n];
+            }).reduce((acc, val) => {
+                if (acc === null || val === null)
+                    return null;
+                return [...acc, ...(Array.isArray(val[0]) ? val[0] : val)];
+            }, []);
+        };
+        if (halves.length === 1) {
+            const groups = parseGroups(halves[0]);
+            if (!groups || groups.length !== 8)
+                return null;
+            return groups;
+        }
+        const left = parseGroups(halves[0]) ?? [];
+        const right = parseGroups(halves[1]) ?? [];
+        const fill = new Array(8 - left.length - right.length).fill(0);
+        const groups = [...left, ...fill, ...right];
+        if (groups.length !== 8)
+            return null;
+        return groups;
+    }
+    catch {
+        return null;
+    }
+}
+function isPrivateIPv6(address) {
+    const addr = address.toLowerCase().replace(/^\[|\]$/g, ''); // strip brackets
+    // ::1 — loopback
+    if (addr === '::1')
+        return true;
+    // :: — unspecified
+    if (addr === '::')
+        return true;
+    const groups = expandIPv6(addr);
+    if (!groups)
+        return false; // parse error → caller should handle
+    const g = groups;
+    // ::ffff:0:0/96 — IPv4-mapped
+    if (g[0] === 0 && g[1] === 0 && g[2] === 0 && g[3] === 0 && g[4] === 0 && g[5] === 0xffff) {
+        const v4 = (g[6] << 16) | g[7];
+        return isPrivateIPv4(v4 >>> 0);
+    }
+    // 0:0:0:0:0:0::/96 — IPv4-compatible (deprecated but still mapped)
+    if (g[0] === 0 && g[1] === 0 && g[2] === 0 && g[3] === 0 && g[4] === 0 && g[5] === 0) {
+        const v4 = (g[6] << 16) | g[7];
+        if (v4 !== 0 && v4 !== 1)
+            return isPrivateIPv4(v4 >>> 0);
+    }
+    // 64:ff9b::/96 — NAT64 (RFC 6052)
+    if (g[0] === 0x0064 && g[1] === 0xff9b && g[2] === 0 && g[3] === 0 && g[4] === 0 && g[5] === 0) {
+        const v4 = (g[6] << 16) | g[7];
+        return isPrivateIPv4(v4 >>> 0);
+    }
+    // 64:ff9b:1::/48 — NAT64 (RFC 8215)
+    if (g[0] === 0x0064 && g[1] === 0xff9b && g[2] === 0x0001)
+        return true;
+    // 2002::/16 — 6to4 (RFC 3056): embedded IPv4 is in groups [1] and [2]
+    if (g[0] === 0x2002) {
+        const v4 = (g[1] << 16) | g[2];
+        return isPrivateIPv4(v4 >>> 0);
+    }
+    // 2001:0000::/32 — Teredo (RFC 4380)
+    if (g[0] === 0x2001 && g[1] === 0x0000)
+        return true;
+    // fc00::/7 — Unique local
+    if ((g[0] & 0xfe00) === 0xfc00)
+        return true;
+    // fe80::/10 — Link-local
+    if ((g[0] & 0xffc0) === 0xfe80)
+        return true;
+    // ff00::/8 — Multicast
+    if ((g[0] & 0xff00) === 0xff00)
+        return true;
+    return false;
+}
+// ============================================================================
+// SSRFGuard
+// ============================================================================
+export class SSRFGuard {
+    config;
+    constructor(config = {}) {
+        this.config = {
+            allowedHosts: config.allowedHosts ?? [],
+            extraBlockedHosts: config.extraBlockedHosts ?? [],
+            resolveDns: config.resolveDns ?? true,
+        };
+    }
+    /**
+     * Check if a URL is safe to fetch.
+     * Resolves the hostname to IP(s) and validates each one.
+     *
+     * @returns `{safe: true}` if the URL is safe, or `{safe: false, reason}` otherwise.
+     */
+    async isSafeUrl(rawUrl) {
+        let parsed;
+        try {
+            parsed = new URL(rawUrl);
+        }
+        catch {
+            return { safe: false, reason: 'Invalid URL (parse error)' };
+        }
+        // Only allow http/https
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            return { safe: false, reason: `Blocked protocol: ${parsed.protocol}` };
+        }
+        const host = parsed.hostname.toLowerCase();
+        // Check allowlist first
+        if (this.isAllowedHost(host)) {
+            return { safe: true };
+        }
+        // Check extra blocked hosts
+        if (this.config.extraBlockedHosts.some(h => host === h || host.endsWith('.' + h))) {
+            return { safe: false, reason: `Host on blocked list: ${host}` };
+        }
+        // Check if host is an IP literal
+        const ipCheck = this.checkIpLiteral(host);
+        if (ipCheck !== null)
+            return ipCheck;
+        // Resolve DNS and check each returned address
+        if (this.config.resolveDns) {
+            try {
+                const addresses = await dns.lookup(host, { all: true });
+                for (const { address, family } of addresses) {
+                    const result = family === 6
+                        ? this.checkIPv6(address)
+                        : this.checkIPv4String(address);
+                    if (!result.safe) {
+                        return { safe: false, reason: `Host ${host} resolves to private IP: ${address} — ${result.reason}` };
+                    }
+                }
+            }
+            catch (err) {
+                // DNS resolution failure → fail closed
+                return { safe: false, reason: `DNS resolution failed for ${host}: ${err}` };
+            }
+        }
+        return { safe: true };
+    }
+    /**
+     * Synchronous check for IP literals only (no DNS).
+     * Use for fast path when URL is already an IP literal.
+     */
+    isSafeUrlSync(rawUrl) {
+        let parsed;
+        try {
+            parsed = new URL(rawUrl);
+        }
+        catch {
+            return { safe: false, reason: 'Invalid URL' };
+        }
+        if (!['http:', 'https:'].includes(parsed.protocol)) {
+            return { safe: false, reason: `Blocked protocol: ${parsed.protocol}` };
+        }
+        const host = parsed.hostname;
+        const ipCheck = this.checkIpLiteral(host);
+        if (ipCheck !== null)
+            return ipCheck;
+        // Cannot verify hostname without DNS — return safe (async version required)
+        return { safe: true };
+    }
+    isAllowedHost(host) {
+        return this.config.allowedHosts.some(allowed => {
+            if (allowed.startsWith('*.')) {
+                return host.endsWith(allowed.slice(1));
+            }
+            return host === allowed;
+        });
+    }
+    /** Returns null if not an IP literal */
+    checkIpLiteral(host) {
+        // IPv6 literal in brackets [::1]
+        if (host.startsWith('[') && host.endsWith(']')) {
+            return this.checkIPv6(host.slice(1, -1));
+        }
+        // Try parsing as IPv4 (handles octal/hex/short forms)
+        const v4 = parseIPv4ToUint32(host);
+        if (v4 !== null) {
+            return this.checkIPv4Uint32(v4);
+        }
+        // Try parsing as plain IPv6 (no brackets)
+        if (host.includes(':')) {
+            return this.checkIPv6(host);
+        }
+        return null; // Not an IP literal
+    }
+    checkIPv4String(address) {
+        const v4 = parseIPv4ToUint32(address);
+        if (v4 === null)
+            return { safe: false, reason: `Could not parse IPv4 address: ${address}` };
+        return this.checkIPv4Uint32(v4);
+    }
+    checkIPv4Uint32(uint32) {
+        if (isPrivateIPv4(uint32)) {
+            const a = [(uint32 >>> 24) & 0xff, (uint32 >>> 16) & 0xff, (uint32 >>> 8) & 0xff, uint32 & 0xff];
+            return { safe: false, reason: `Private/reserved IPv4: ${a.join('.')}` };
+        }
+        return { safe: true };
+    }
+    checkIPv6(address) {
+        if (isPrivateIPv6(address)) {
+            return { safe: false, reason: `Private/reserved IPv6: ${address}` };
+        }
+        // Expand to verify parse succeeded
+        const groups = expandIPv6(address.toLowerCase());
+        if (groups === null) {
+            return { safe: false, reason: `Could not parse IPv6 address: ${address}` };
+        }
+        return { safe: true };
+    }
+}
+// ============================================================================
+// Singleton
+// ============================================================================
+let _guard = null;
+export function getSSRFGuard(config) {
+    if (!_guard)
+        _guard = new SSRFGuard(config);
+    return _guard;
+}
+export function resetSSRFGuard() {
+    _guard = null;
+}
+/**
+ * Convenience wrapper — use in web_fetch, webhook delivery, media download.
+ *
+ * @example
+ * const check = await assertSafeUrl(url);
+ * if (!check.safe) throw new Error(`SSRF blocked: ${check.reason}`);
+ */
+export async function assertSafeUrl(url) {
+    try {
+        return await getSSRFGuard().isSafeUrl(url);
+    }
+    catch (err) {
+        logger.warn('SSRFGuard check failed', { url, err });
+        return { safe: false, reason: `SSRF guard error: ${err}` };
+    }
+}
+//# sourceMappingURL=ssrf-guard.js.map

package/dist/security/ssrf-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssrf-guard.js","sourceRoot":"","sources":["../../src/security/ssrf-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,KAAK,GAAG,MAAM,cAAc,CAAC;AACpC,OAAO,EAAE,MAAM,EAAE,MAAM,oBAAoB,CAAC;AAoB5C,+EAA+E;AAC/E,mCAAmC;AACnC,+EAA+E;AAE/E,yFAAyF;AACzF,SAAS,iBAAiB,CAAC,IAAY;IACrC,kBAAkB;IAClB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,mCAAmC;IACnC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC7B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,yEAAyE;IACzE,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAEtD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,GAAW,CAAC;QAChB,IAAI,gBAAgB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAChC,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC3B,CAAC;aAAM,IAAI,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAClC,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ;QACnC,CAAC;aAAM,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC3B,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,6DAA6D;IAC7D,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,EAAG,CAAC;QAC3B,2DAA2D;QAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3C,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC;AACtF,CAAC;AAED,SAAS,aAAa,CAAC,MAAc;IACnC,2BAA2B;IAC3B,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,aAAa;IACb,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,kDAAkD;IAClD,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,yBAAyB;IACzB,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,6CAA6C;IAC7C,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,gBAAgB;IAChB,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,2CAA2C;IAC3C,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,iBAAiB;IACjB,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,oCAAoC;IACpC,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,+BAA+B;IAC/B,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,8BAA8B;IAC9B,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,0BAA0B;IAC1B,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,yBAAyB;IACzB,IAAI,CAAC,MAAM,GAAG,UAAU,CAAC,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IACtD,kBAAkB;IAClB,IAAI,MAAM,KAAK,UAAU;QAAE,OAAO,IAAI,CAAC;IAEvC,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E,sEAAsE;AACtE,SAAS,UAAU,CAAC,OAAe;IACjC,IAAI,CAAC;QACH,qCAAqC;QACrC,MAAM,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACjE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,EAAE,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,IAAI,EAAE,KAAK,IAAI;gBAAE,OAAO,IAAI,CAAC;YAC7B,OAAO,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,MAAM,EAAE,EAAE,GAAG,MAAM,CAAC,CAAC;QACpE,CAAC;QAED,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAExC,cAAc;QACd,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QAEnC,MAAM,WAAW,GAAG,CAAC,CAAS,EAAmB,EAAE;YACjD,IAAI,CAAC,KAAK,EAAE;gBAAE,OAAO,EAAE,CAAC;YACxB,OAAO,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;gBAC1B,0CAA0C;gBAC1C,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBACpB,MAAM,EAAE,GAAG,iBAAiB,CAAC,CAAC,CAAC,CAAC;oBAChC,OAAO,EAAE,KAAK,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,MAAM,CAAC,EAAE,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBACpE,CAAC;gBACD,MAAM,CAAC,GAAG,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBAC1B,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAC/B,CAAC,CAAC,CAAC,MAAM,CAAkB,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBACtC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,IAAI;oBAAE,OAAO,IAAI,CAAC;gBAC9C,OAAO,CAAC,GAAG,GAAG,EAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAa,CAAC,CAAC;YACzE,CAAC,EAAE,EAAE,CAAC,CAAC;QACT,CAAC,CAAC;QAEF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YACtC,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO,IAAI,CAAC;YAChD,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,MAAM,IAAI,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAC3C,MAAM,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,GAAG,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC;QAC5C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QACrC,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,OAAe;IACpC,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,iBAAiB;IAE7E,iBAAiB;IACjB,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IAChC,mBAAmB;IACnB,IAAI,IAAI,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAE/B,MAAM,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IAChC,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC,CAAC,qCAAqC;IAEhE,MAAM,CAAC,GAAG,MAAM,CAAC;IAEjB,8BAA8B;IAC9B,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QAC1F,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,mEAAmE;IACnE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QACrF,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC;YAAE,OAAO,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IAC3D,CAAC;IAED,kCAAkC;IAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/F,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,oCAAoC;IACpC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEvE,sEAAsE;IACtE,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;QACpB,MAAM,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/B,OAAO,aAAa,CAAC,EAAE,KAAK,CAAC,CAAC,CAAC;IACjC,CAAC;IAED,qCAAqC;IACrC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEpD,0BAA0B;IAC1B,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAE5C,yBAAyB;IACzB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAE5C,uBAAuB;IACvB,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAE5C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,MAAM,OAAO,SAAS;IACZ,MAAM,CAA4B;IAE1C,YAAY,SAA0B,EAAE;QACtC,IAAI,CAAC,MAAM,GAAG;YACZ,YAAY,EAAE,MAAM,CAAC,YAAY,IAAI,EAAE;YACvC,iBAAiB,EAAE,MAAM,CAAC,iBAAiB,IAAI,EAAE;YACjD,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,IAAI;SACtC,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,SAAS,CAAC,MAAc;QAC5B,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,2BAA2B,EAAE,CAAC;QAC9D,CAAC;QAED,wBAAwB;QACxB,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;QAE3C,wBAAwB;QACxB,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;QACxB,CAAC;QAED,4BAA4B;QAC5B,IAAI,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;YAClF,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,IAAI,EAAE,EAAE,CAAC;QAClE,CAAC;QAED,iCAAiC;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,OAAO,CAAC;QAErC,8CAA8C;QAC9C,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;YAC3B,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC;gBACxD,KAAK,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI,SAAS,EAAE,CAAC;oBAC5C,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC;wBACzB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;wBACzB,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC;oBAClC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;wBACjB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,QAAQ,IAAI,4BAA4B,OAAO,MAAM,MAAM,CAAC,MAAM,EAAE,EAAE,CAAC;oBACvG,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,uCAAuC;gBACvC,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,IAAI,KAAK,GAAG,EAAE,EAAE,CAAC;YAC9E,CAAC;QACH,CAAC;QAED,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAED;;;OAGG;IACH,aAAa,CAAC,MAAc;QAC1B,IAAI,MAAW,CAAC;QAChB,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QAChD,CAAC;QAED,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;YACnD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;QACzE,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,CAAC;QAC7B,MAAM,OAAO,GAAG,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,OAAO,KAAK,IAAI;YAAE,OAAO,OAAO,CAAC;QAErC,4EAA4E;QAC5E,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAEO,aAAa,CAAC,IAAY;QAChC,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YAC7C,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YACzC,CAAC;YACD,OAAO,IAAI,KAAK,OAAO,CAAC;QAC1B,CAAC,CAAC,CAAC;IACL,CAAC;IAED,wCAAwC;IAChC,cAAc,CAAC,IAAY;QACjC,iCAAiC;QACjC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC/C,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC3C,CAAC;QAED,sDAAsD;QACtD,MAAM,EAAE,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;QAClC,CAAC;QAED,0CAA0C;QAC1C,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC9B,CAAC;QAED,OAAO,IAAI,CAAC,CAAC,oBAAoB;IACnC,CAAC;IAEO,eAAe,CAAC,OAAe;QACrC,MAAM,EAAE,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;QACtC,IAAI,EAAE,KAAK,IAAI;YAAE,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,OAAO,EAAE,EAAE,CAAC;QAC5F,OAAO,IAAI,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC;IAClC,CAAC;IAEO,eAAe,CAAC,MAAc;QACpC,IAAI,aAAa,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,MAAM,KAAK,EAAE,CAAC,GAAG,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC,CAAC;YACjG,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QAC1E,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;IAEO,SAAS,CAAC,OAAe;QAC/B,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,0BAA0B,OAAO,EAAE,EAAE,CAAC;QACtE,CAAC;QACD,mCAAmC;QACnC,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,CAAC;QACjD,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,iCAAiC,OAAO,EAAE,EAAE,CAAC;QAC7E,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACxB,CAAC;CACF;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E,IAAI,MAAM,GAAqB,IAAI,CAAC;AAEpC,MAAM,UAAU,YAAY,CAAC,MAAwB;IACnD,IAAI,CAAC,MAAM;QAAE,MAAM,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,cAAc;IAC5B,MAAM,GAAG,IAAI,CAAC;AAChB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,GAAW;IAC7C,IAAI,CAAC;QACH,OAAO,MAAM,YAAY,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QACpD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,MAAM,EAAE,qBAAqB,GAAG,EAAE,EAAE,CAAC;IAC7D,CAAC;AACH,CAAC"}