@prompd/cli 0.3.3

package/dist/lib/security.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Security utilities for Prompd CLI
+ * Implements least privilege and security boundaries
+ */
+export declare class SecurityManager {
+    static initialize(): void;
+    private static readonly MAX_FILE_SIZE;
+    private static readonly MAX_WORKFLOW_NODES;
+    private static readonly ALLOWED_TEMP_DIR;
+    private static readonly BLOCKED_PATHS;
+    /**
+     * Validates and sanitizes file paths to prevent directory traversal
+     */
+    static validateFilePath(filePath: string, allowedExtensions?: string[]): string;
+    /**
+     * Sanitizes tool/workflow names to prevent injection
+     */
+    static sanitizeToolName(name: string): string;
+    /**
+     * Creates a secure temporary file path
+     */
+    static createSecureTempPath(prefix?: string, extension?: string): string;
+    /**
+     * Validates file size before processing
+     */
+    static validateFileSize(filePath: string): Promise<void>;
+    /**
+     * Validates workflow complexity to prevent DoS
+     */
+    static validateWorkflowComplexity(workflow: any): void;
+    /**
+     * Validates API endpoints (whitelist approach)
+     */
+    private static isAllowedApiEndpoint;
+    /**
+     * Sanitizes user input parameters
+     */
+    static sanitizeParameters(params: Record<string, any>, maxDepth?: number): Record<string, any>;
+    private static sanitizeParameterKey;
+    private static sanitizeStringValue;
+    private static sanitizeNumberValue;
+    private static sanitizeArrayValue;
+    /**
+     * Creates a secure execution environment
+     */
+    static createSecureExecutionContext(): Promise<{
+        tempDir: string;
+        cleanup: () => Promise<void>;
+    }>;
+    /**
+     * Validates registry URL for security
+     * Only HTTPS allowed except for localhost
+     */
+    static validateRegistryUrl(url: string): boolean;
+    /**
+     * Scans content for potential secrets
+     * Returns true if secrets detected
+     */
+    static scanForSecrets(content: string): Promise<{
+        hasSecrets: boolean;
+        secrets: Array<{
+            type: string;
+            line: number;
+        }>;
+    }>;
+    /**
+     * Scans a file for potential secrets before packaging/publishing
+     */
+    static scanFileForSecrets(filePath: string): Promise<{
+        hasSecrets: boolean;
+        secrets: Array<{
+            type: string;
+            line: number;
+        }>;
+    }>;
+    /**
+     * Sanitizes environment variables (clear sensitive data after reading)
+     */
+    static sanitizeEnvironment(): void;
+}
+/**
+ * Git-specific security validation functions
+ * Ported from Python CLI security.py
+ */
+export declare class GitSecurityError extends Error {
+    constructor(message: string);
+}
+/**
+ * Validates file paths specifically for Git operations.
+ * Prevents command injection and path traversal attacks.
+ */
+export declare function validateGitFilePath(filePath: string): string;
+/**
+ * Validates Git commit messages for safety.
+ * Prevents command injection in commit messages.
+ */
+export declare function validateGitMessage(message: string): string;
+/**
+ * Validates semantic version strings.
+ */
+export declare function validateVersionString(version: string): string;
+/**
+ * Security middleware for MCP requests
+ */
+export declare class MCPSecurityMiddleware {
+    private static readonly MAX_REQUEST_SIZE;
+    private static readonly RATE_LIMIT_WINDOW;
+    private static readonly RATE_LIMIT_MAX_REQUESTS;
+    private requestCounts;
+    /**
+     * Validates incoming MCP request
+     */
+    validateRequest(request: any, clientId?: string): void;
+    private enforceRateLimit;
+    /**
+     * Cleans up old rate limit data
+     */
+    cleanup(): void;
+}
+//# sourceMappingURL=security.d.ts.map

package/dist/lib/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/lib/security.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAMH,qBAAa,eAAe;IAC1B,MAAM,CAAC,UAAU,IAAI,IAAI;IAKzB,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAAoB;IACzD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAQ;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAiB;IACzD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,aAAa,CAA2E;IAEhH;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,iBAAiB,GAAE,MAAM,EAAO,GAAG,MAAM;IA0BnF;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;IAmB7C;;OAEG;IACH,MAAM,CAAC,oBAAoB,CAAC,MAAM,GAAE,MAAiB,EAAE,SAAS,GAAE,MAAe,GAAG,MAAM;IAS1F;;OAEG;WACU,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAc9D;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,QAAQ,EAAE,GAAG,GAAG,IAAI;IAyBtD;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,oBAAoB;IAyBnC;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,QAAQ,GAAE,MAAU,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC;IA6BjG,OAAO,CAAC,MAAM,CAAC,oBAAoB;IAenC,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAclC,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAalC,OAAO,CAAC,MAAM,CAAC,kBAAkB;IA4BjC;;OAEG;WACU,4BAA4B,IAAI,OAAO,CAAC;QACnD,OAAO,EAAE,MAAM,CAAC;QAChB,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9B,CAAC;IAuBF;;;OAGG;IACH,MAAM,CAAC,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;IAIhD;;;OAGG;WACU,cAAc,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC;QACpD,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAChD,CAAC;IAUF;;OAEG;WACU,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC;QACzD,UAAU,EAAE,OAAO,CAAC;QACpB,OAAO,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;KAChD,CAAC;IAUF;;OAEG;IACH,MAAM,CAAC,mBAAmB,IAAI,IAAI;CAcnC;AAED;;;GAGG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;gBAC7B,OAAO,EAAE,MAAM;CAI5B;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAkC5D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAmB1D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAsB7D;AAED;;GAEG;AACH,qBAAa,qBAAqB;IAChC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAc;IACtD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAa;IACtD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAAO;IAEtD,OAAO,CAAC,aAAa,CAA2D;IAEhF;;OAEG;IACH,eAAe,CAAC,OAAO,EAAE,GAAG,EAAE,QAAQ,GAAE,MAAkB,GAAG,IAAI;IAgBjE,OAAO,CAAC,gBAAgB;IAoBxB;;OAEG;IACH,OAAO,IAAI,IAAI;CAQhB"}

package/dist/lib/security.js

@@ -0,0 +1,478 @@
+"use strict";
+/**
+ * Security utilities for Prompd CLI
+ * Implements least privilege and security boundaries
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MCPSecurityMiddleware = exports.GitSecurityError = exports.SecurityManager = void 0;
+exports.validateGitFilePath = validateGitFilePath;
+exports.validateGitMessage = validateGitMessage;
+exports.validateVersionString = validateVersionString;
+const path = __importStar(require("path"));
+const fs = __importStar(require("fs-extra"));
+const validation_1 = require("./validation");
+class SecurityManager {
+    static initialize() {
+        // Initialize security settings if needed
+        console.log('Security Manager initialized');
+    }
+    /**
+     * Validates and sanitizes file paths to prevent directory traversal
+     */
+    static validateFilePath(filePath, allowedExtensions = []) {
+        if (!filePath || typeof filePath !== 'string') {
+            throw new Error('Invalid file path');
+        }
+        // Normalize and resolve path
+        const normalized = path.normalize(path.resolve(filePath));
+        // Check for directory traversal attempts
+        for (const blockedPath of this.BLOCKED_PATHS) {
+            if (normalized.toLowerCase().includes(blockedPath.toLowerCase())) {
+                throw new Error(`Access denied: Path contains blocked directory: ${blockedPath}`);
+            }
+        }
+        // Validate extension if specified
+        if (allowedExtensions.length > 0) {
+            const ext = path.extname(normalized).toLowerCase();
+            if (!allowedExtensions.includes(ext)) {
+                throw new Error(`Invalid file extension. Allowed: ${allowedExtensions.join(', ')}`);
+            }
+        }
+        return normalized;
+    }
+    /**
+     * Sanitizes tool/workflow names to prevent injection
+     */
+    static sanitizeToolName(name) {
+        if (!name || typeof name !== 'string') {
+            throw new Error('Tool name is required');
+        }
+        // Only allow alphanumeric, hyphens, underscores
+        const sanitized = name.replace(/[^a-zA-Z0-9\-_]/g, '');
+        if (sanitized.length === 0) {
+            throw new Error('Tool name must contain valid characters (a-z, A-Z, 0-9, -, _)');
+        }
+        if (sanitized.length > 64) {
+            throw new Error('Tool name too long (max 64 characters)');
+        }
+        return sanitized;
+    }
+    /**
+     * Creates a secure temporary file path
+     */
+    static createSecureTempPath(prefix = 'prompd', extension = '.tmp') {
+        const sanitizedPrefix = this.sanitizeToolName(prefix);
+        const timestamp = Date.now();
+        const random = Math.random().toString(36).substring(2);
+        const filename = `${sanitizedPrefix}-${timestamp}-${random}${extension}`;
+        return path.join(this.ALLOWED_TEMP_DIR, 'temp', filename);
+    }
+    /**
+     * Validates file size before processing
+     */
+    static async validateFileSize(filePath) {
+        try {
+            const stats = await fs.stat(filePath);
+            if (stats.size > this.MAX_FILE_SIZE) {
+                throw new Error(`File too large: ${Math.round(stats.size / 1024 / 1024)}MB (max: ${this.MAX_FILE_SIZE / 1024 / 1024}MB)`);
+            }
+        }
+        catch (error) {
+            if (error instanceof Error && error.message.includes('File too large')) {
+                throw error;
+            }
+            throw new Error(`Cannot access file: ${filePath}`);
+        }
+    }
+    /**
+     * Validates workflow complexity to prevent DoS
+     */
+    static validateWorkflowComplexity(workflow) {
+        if (!workflow || typeof workflow !== 'object') {
+            throw new Error('Invalid workflow format');
+        }
+        // Check node count
+        if (workflow.nodes && workflow.nodes.length > this.MAX_WORKFLOW_NODES) {
+            throw new Error(`Workflow too complex: ${workflow.nodes.length} nodes (max: ${this.MAX_WORKFLOW_NODES})`);
+        }
+        // Check for potentially dangerous node types
+        if (workflow.nodes) {
+            for (const node of workflow.nodes) {
+                if (node.type === 'transformer' && node.data?.config?.transformationType === 'javascript') {
+                    throw new Error('JavaScript transformation nodes are disabled for security');
+                }
+                // Block external API calls without explicit permission
+                if (node.type === 'api' && !this.isAllowedApiEndpoint(node.data?.config?.endpoint)) {
+                    throw new Error(`API endpoint not allowed: ${node.data?.config?.endpoint}`);
+                }
+            }
+        }
+    }
+    /**
+     * Validates API endpoints (whitelist approach)
+     */
+    static isAllowedApiEndpoint(endpoint) {
+        if (!endpoint)
+            return false;
+        // Only allow HTTPS endpoints
+        if (!endpoint.startsWith('https://')) {
+            return false;
+        }
+        // Simple whitelist - in production this would be configurable
+        const allowedDomains = [
+            'api.openai.com',
+            'api.anthropic.com',
+            'localhost' // For development
+        ];
+        try {
+            const url = new URL(endpoint);
+            return allowedDomains.some(domain => url.hostname === domain || url.hostname.endsWith(`.${domain}`));
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Sanitizes user input parameters
+     */
+    static sanitizeParameters(params, maxDepth = 3) {
+        if (!params || typeof params !== 'object') {
+            return {};
+        }
+        const sanitized = {};
+        for (const [key, value] of Object.entries(params)) {
+            // Validate key
+            const cleanKey = this.sanitizeParameterKey(key);
+            // Sanitize value based on type
+            if (typeof value === 'string') {
+                sanitized[cleanKey] = this.sanitizeStringValue(value);
+            }
+            else if (typeof value === 'number') {
+                sanitized[cleanKey] = this.sanitizeNumberValue(value);
+            }
+            else if (typeof value === 'boolean') {
+                sanitized[cleanKey] = Boolean(value);
+            }
+            else if (Array.isArray(value)) {
+                sanitized[cleanKey] = this.sanitizeArrayValue(value, maxDepth - 1);
+            }
+            else if (typeof value === 'object' && value !== null && maxDepth > 0) {
+                sanitized[cleanKey] = this.sanitizeParameters(value, maxDepth - 1);
+            }
+            // Drop functions, undefined, symbols, etc.
+        }
+        return sanitized;
+    }
+    static sanitizeParameterKey(key) {
+        if (typeof key !== 'string') {
+            throw new Error('Parameter key must be string');
+        }
+        // Remove potentially dangerous characters
+        const sanitized = key.replace(/[^a-zA-Z0-9_]/g, '_');
+        if (sanitized.length === 0 || sanitized.length > 128) {
+            throw new Error('Invalid parameter key length');
+        }
+        return sanitized;
+    }
+    static sanitizeStringValue(value) {
+        if (typeof value !== 'string') {
+            return '';
+        }
+        // Limit string length to prevent memory exhaustion
+        if (value.length > 10000) {
+            throw new Error('Parameter value too long (max 10000 characters)');
+        }
+        // Remove null bytes and control characters (except common whitespace)
+        return value.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '');
+    }
+    static sanitizeNumberValue(value) {
+        if (typeof value !== 'number' || !isFinite(value)) {
+            throw new Error('Invalid number value');
+        }
+        // Prevent extreme values
+        if (Math.abs(value) > Number.MAX_SAFE_INTEGER) {
+            throw new Error('Number value out of safe range');
+        }
+        return value;
+    }
+    static sanitizeArrayValue(value, maxDepth) {
+        if (!Array.isArray(value)) {
+            return [];
+        }
+        // Limit array size
+        if (value.length > 1000) {
+            throw new Error('Array too large (max 1000 items)');
+        }
+        if (maxDepth <= 0) {
+            return []; // Prevent deep nesting
+        }
+        return value.slice(0, 100).map(item => {
+            if (typeof item === 'string') {
+                return this.sanitizeStringValue(item);
+            }
+            else if (typeof item === 'number') {
+                return this.sanitizeNumberValue(item);
+            }
+            else if (typeof item === 'boolean') {
+                return Boolean(item);
+            }
+            else if (typeof item === 'object' && item !== null) {
+                return this.sanitizeParameters(item, maxDepth - 1);
+            }
+            return item;
+        });
+    }
+    /**
+     * Creates a secure execution environment
+     */
+    static async createSecureExecutionContext() {
+        const tempDir = path.join(this.ALLOWED_TEMP_DIR, 'temp', `execution-${Date.now()}-${Math.random().toString(36)}`);
+        await fs.ensureDir(tempDir);
+        // Set restrictive permissions if on Unix-like system
+        try {
+            await fs.chmod(tempDir, 0o700); // Owner read/write/execute only
+        }
+        catch {
+            // Windows doesn't support chmod, ignore
+        }
+        const cleanup = async () => {
+            try {
+                await fs.remove(tempDir);
+            }
+            catch (error) {
+                console.warn(`Failed to cleanup temp directory: ${tempDir}`, error);
+            }
+        };
+        return { tempDir, cleanup };
+    }
+    /**
+     * Validates registry URL for security
+     * Only HTTPS allowed except for localhost
+     */
+    static validateRegistryUrl(url) {
+        return (0, validation_1.validateRegistryUrl)(url);
+    }
+    /**
+     * Scans content for potential secrets
+     * Returns true if secrets detected
+     */
+    static async scanForSecrets(content) {
+        const { detectSecrets } = await Promise.resolve().then(() => __importStar(require('./validation')));
+        const detected = detectSecrets(content);
+        return {
+            hasSecrets: detected.length > 0,
+            secrets: detected.map(s => ({ type: s.type, line: s.line }))
+        };
+    }
+    /**
+     * Scans a file for potential secrets before packaging/publishing
+     */
+    static async scanFileForSecrets(filePath) {
+        try {
+            const content = await fs.readFile(filePath, 'utf-8');
+            return this.scanForSecrets(content);
+        }
+        catch (error) {
+            // If we can't read the file, assume no secrets (might be binary)
+            return { hasSecrets: false, secrets: [] };
+        }
+    }
+    /**
+     * Sanitizes environment variables (clear sensitive data after reading)
+     */
+    static sanitizeEnvironment() {
+        // Clear any temporary sensitive environment variables
+        const sensitiveVars = [
+            'TEMP_API_KEY',
+            'TEMP_TOKEN',
+            'TEMP_PASSWORD'
+        ];
+        sensitiveVars.forEach(varName => {
+            if (process.env[varName]) {
+                delete process.env[varName];
+            }
+        });
+    }
+}
+exports.SecurityManager = SecurityManager;
+SecurityManager.MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB
+SecurityManager.MAX_WORKFLOW_NODES = 1000;
+SecurityManager.ALLOWED_TEMP_DIR = process.cwd();
+SecurityManager.BLOCKED_PATHS = ['..', '~', '/etc', '/usr', '/var', 'C:\\Windows', 'C:\\Program Files'];
+/**
+ * Git-specific security validation functions
+ * Ported from Python CLI security.py
+ */
+class GitSecurityError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'GitSecurityError';
+    }
+}
+exports.GitSecurityError = GitSecurityError;
+/**
+ * Validates file paths specifically for Git operations.
+ * Prevents command injection and path traversal attacks.
+ */
+function validateGitFilePath(filePath) {
+    if (!filePath || typeof filePath !== 'string') {
+        throw new GitSecurityError('File path is required');
+    }
+    // Normalize the path
+    const normalized = path.normalize(filePath);
+    // Check for path traversal attempts
+    const dangerousPatterns = ['..', '~', '$'];
+    for (const pattern of dangerousPatterns) {
+        if (normalized.includes(pattern)) {
+            throw new GitSecurityError(`Potentially dangerous path component '${pattern}' found in: ${normalized}`);
+        }
+    }
+    // Prevent command injection through filenames
+    const dangerousChars = [';', '&', '|', '`', '$', '(', ')', '<', '>', '"', "'"];
+    for (const char of dangerousChars) {
+        if (normalized.includes(char)) {
+            throw new GitSecurityError(`Potentially dangerous character '${char}' in filename: ${normalized}`);
+        }
+    }
+    // Check for absolute paths outside current directory
+    if (path.isAbsolute(normalized)) {
+        const cwd = process.cwd();
+        const resolved = path.resolve(normalized);
+        if (!resolved.startsWith(cwd)) {
+            throw new GitSecurityError(`Absolute path outside current directory not allowed: ${resolved}`);
+        }
+    }
+    return normalized;
+}
+/**
+ * Validates Git commit messages for safety.
+ * Prevents command injection in commit messages.
+ */
+function validateGitMessage(message) {
+    if (!message || !message.trim()) {
+        throw new GitSecurityError('Commit message cannot be empty');
+    }
+    // Check message length (Git has practical limits)
+    if (message.length > 2000) {
+        throw new GitSecurityError('Commit message too long (max 2000 characters)');
+    }
+    // Check for command injection attempts in commit message
+    const dangerousPatterns = ['$(', '`', '${', '#!/', '&>', '|>', '<(', '>('];
+    for (const pattern of dangerousPatterns) {
+        if (message.includes(pattern)) {
+            throw new GitSecurityError(`Potentially dangerous pattern '${pattern}' in commit message`);
+        }
+    }
+    return message.trim();
+}
+/**
+ * Validates semantic version strings.
+ */
+function validateVersionString(version) {
+    if (!version || typeof version !== 'string') {
+        throw new GitSecurityError('Version string is required');
+    }
+    // Semantic version pattern (major.minor.patch with optional pre-release/build)
+    const versionPattern = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$/;
+    if (!versionPattern.test(version)) {
+        throw new GitSecurityError(`Invalid semantic version format: ${version}`);
+    }
+    // Check for reasonable version numbers
+    const parts = version.split('.', 3);
+    for (let i = 0; i < 3; i++) {
+        const num = parseInt(parts[i], 10);
+        if (num < 0 || num > 999) {
+            throw new GitSecurityError(`Version component out of range (0-999): ${num}`);
+        }
+    }
+    return version;
+}
+/**
+ * Security middleware for MCP requests
+ */
+class MCPSecurityMiddleware {
+    constructor() {
+        this.requestCounts = new Map();
+    }
+    /**
+     * Validates incoming MCP request
+     */
+    validateRequest(request, clientId = 'default') {
+        // Size validation
+        const requestSize = JSON.stringify(request).length;
+        if (requestSize > MCPSecurityMiddleware.MAX_REQUEST_SIZE) {
+            throw new Error(`Request too large: ${requestSize} bytes (max: ${MCPSecurityMiddleware.MAX_REQUEST_SIZE})`);
+        }
+        // Rate limiting
+        this.enforceRateLimit(clientId);
+        // Parameter validation
+        if (request.params?.arguments) {
+            request.params.arguments = SecurityManager.sanitizeParameters(request.params.arguments);
+        }
+    }
+    enforceRateLimit(clientId) {
+        const now = Date.now();
+        const clientData = this.requestCounts.get(clientId);
+        if (!clientData || now > clientData.resetTime) {
+            // Reset or initialize
+            this.requestCounts.set(clientId, {
+                count: 1,
+                resetTime: now + MCPSecurityMiddleware.RATE_LIMIT_WINDOW
+            });
+            return;
+        }
+        if (clientData.count >= MCPSecurityMiddleware.RATE_LIMIT_MAX_REQUESTS) {
+            throw new Error(`Rate limit exceeded. Try again in ${Math.ceil((clientData.resetTime - now) / 1000)} seconds`);
+        }
+        clientData.count++;
+    }
+    /**
+     * Cleans up old rate limit data
+     */
+    cleanup() {
+        const now = Date.now();
+        for (const [clientId, data] of this.requestCounts.entries()) {
+            if (now > data.resetTime) {
+                this.requestCounts.delete(clientId);
+            }
+        }
+    }
+}
+exports.MCPSecurityMiddleware = MCPSecurityMiddleware;
+MCPSecurityMiddleware.MAX_REQUEST_SIZE = 100 * 1024; // 100KB
+MCPSecurityMiddleware.RATE_LIMIT_WINDOW = 60 * 1000; // 1 minute
+MCPSecurityMiddleware.RATE_LIMIT_MAX_REQUESTS = 100;
+//# sourceMappingURL=security.js.map

package/dist/lib/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/lib/security.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAuWH,kDAkCC;AAMD,gDAmBC;AAKD,sDAsBC;AA3bD,2CAA6B;AAC7B,6CAA+B;AAC/B,6CAA6F;AAE7F,MAAa,eAAe;IAC1B,MAAM,CAAC,UAAU;QACf,yCAAyC;QACzC,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;IAC9C,CAAC;IAOD;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,QAAgB,EAAE,oBAA8B,EAAE;QACxE,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;QACvC,CAAC;QAED,6BAA6B;QAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;QAE1D,yCAAyC;QACzC,KAAK,MAAM,WAAW,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YAC7C,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAI,KAAK,CAAC,mDAAmD,WAAW,EAAE,CAAC,CAAC;YACpF,CAAC;QACH,CAAC;QAED,kCAAkC;QAClC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACjC,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,WAAW,EAAE,CAAC;YACnD,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACrC,MAAM,IAAI,KAAK,CAAC,oCAAoC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACtF,CAAC;QACH,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,gBAAgB,CAAC,IAAY;QAClC,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;YACtC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;QAC3C,CAAC;QAED,gDAAgD;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,kBAAkB,EAAE,EAAE,CAAC,CAAC;QAEvD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,+DAA+D,CAAC,CAAC;QACnF,CAAC;QAED,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,oBAAoB,CAAC,SAAiB,QAAQ,EAAE,YAAoB,MAAM;QAC/E,MAAM,eAAe,GAAG,IAAI,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,GAAG,eAAe,IAAI,SAAS,IAAI,MAAM,GAAG,SAAS,EAAE,CAAC;QAEzE,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC5D,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,QAAgB;QAC5C,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACtC,IAAI,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,aAAa,EAAE,CAAC;gBACpC,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC,YAAY,IAAI,CAAC,aAAa,GAAG,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC;YAC5H,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACvE,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,uBAAuB,QAAQ,EAAE,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,0BAA0B,CAAC,QAAa;QAC7C,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC7C,CAAC;QAED,mBAAmB;QACnB,IAAI,QAAQ,CAAC,KAAK,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,GAAG,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,yBAAyB,QAAQ,CAAC,KAAK,CAAC,MAAM,gBAAgB,IAAI,CAAC,kBAAkB,GAAG,CAAC,CAAC;QAC5G,CAAC;QAED,6CAA6C;QAC7C,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;YACnB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;gBAClC,IAAI,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,kBAAkB,KAAK,YAAY,EAAE,CAAC;oBAC1F,MAAM,IAAI,KAAK,CAAC,2DAA2D,CAAC,CAAC;gBAC/E,CAAC;gBAED,uDAAuD;gBACvD,IAAI,IAAI,CAAC,IAAI,KAAK,KAAK,IAAI,CAAC,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,CAAC;oBACnF,MAAM,IAAI,KAAK,CAAC,6BAA6B,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC9E,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAED;;OAEG;IACK,MAAM,CAAC,oBAAoB,CAAC,QAAgB;QAClD,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;QAE5B,6BAA6B;QAC7B,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACrC,OAAO,KAAK,CAAC;QACf,CAAC;QAED,8DAA8D;QAC9D,MAAM,cAAc,GAAG;YACrB,gBAAgB;YAChB,mBAAmB;YACnB,WAAW,CAAC,kBAAkB;SAC/B,CAAC;QAEF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC;YAC9B,OAAO,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAClC,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC,CAC/D,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,MAA2B,EAAE,WAAmB,CAAC;QACzE,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC1C,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,SAAS,GAAwB,EAAE,CAAC;QAE1C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,eAAe;YACf,MAAM,QAAQ,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC;YAEhD,+BAA+B;YAC/B,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACxD,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBACrC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC;YACxD,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,SAAS,EAAE,CAAC;gBACtC,SAAS,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;YACvC,CAAC;iBAAM,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC;YACrE,CAAC;iBAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,QAAQ,GAAG,CAAC,EAAE,CAAC;gBACvE,SAAS,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC,kBAAkB,CAAC,KAAK,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC;YACrE,CAAC;YACD,2CAA2C;QAC7C,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,MAAM,CAAC,oBAAoB,CAAC,GAAW;QAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,0CAA0C;QAC1C,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAErD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,IAAI,SAAS,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAClD,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAEO,MAAM,CAAC,mBAAmB,CAAC,KAAa;QAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,mDAAmD;QACnD,IAAI,KAAK,CAAC,MAAM,GAAG,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,sEAAsE;QACtE,OAAO,KAAK,CAAC,OAAO,CAAC,mCAAmC,EAAE,EAAE,CAAC,CAAC;IAChE,CAAC;IAEO,MAAM,CAAC,mBAAmB,CAAC,KAAa;QAC9C,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;QAC1C,CAAC;QAED,yBAAyB;QACzB,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC9C,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAEO,MAAM,CAAC,kBAAkB,CAAC,KAAY,EAAE,QAAgB;QAC9D,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,mBAAmB;QACnB,IAAI,KAAK,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,kCAAkC,CAAC,CAAC;QACtD,CAAC;QAED,IAAI,QAAQ,IAAI,CAAC,EAAE,CAAC;YAClB,OAAO,EAAE,CAAC,CAAC,uBAAuB;QACpC,CAAC;QAED,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;YACpC,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;iBAAM,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;gBACpC,OAAO,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC;YACxC,CAAC;iBAAM,IAAI,OAAO,IAAI,KAAK,SAAS,EAAE,CAAC;gBACrC,OAAO,OAAO,CAAC,IAAI,CAAC,CAAC;YACvB,CAAC;iBAAM,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBACrD,OAAO,IAAI,CAAC,kBAAkB,CAAC,IAAI,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC;YACrD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,4BAA4B;QAIvC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,MAAM,EAAE,aAAa,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;QAElH,MAAM,EAAE,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;QAE5B,qDAAqD;QACrD,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,gCAAgC;QAClE,CAAC;QAAC,MAAM,CAAC;YACP,wCAAwC;QAC1C,CAAC;QAED,MAAM,OAAO,GAAG,KAAK,IAAI,EAAE;YACzB,IAAI,CAAC;gBACH,MAAM,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC3B,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,OAAO,CAAC,IAAI,CAAC,qCAAqC,OAAO,EAAE,EAAE,KAAK,CAAC,CAAC;YACtE,CAAC;QACH,CAAC,CAAC;QAEF,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;IAC9B,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,mBAAmB,CAAC,GAAW;QACpC,OAAO,IAAA,gCAAmB,EAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,OAAe;QAIzC,MAAM,EAAE,aAAa,EAAE,GAAG,wDAAa,cAAc,GAAC,CAAC;QACvD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;QAExC,OAAO;YACL,UAAU,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC;YAC/B,OAAO,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;SAC7D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAgB;QAI9C,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YACrD,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QACtC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,iEAAiE;YACjE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,EAAE,CAAC;QAC5C,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,mBAAmB;QACxB,sDAAsD;QACtD,MAAM,aAAa,GAAG;YACpB,cAAc;YACd,YAAY;YACZ,eAAe;SAChB,CAAC;QAEF,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE;YAC9B,IAAI,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC;gBACzB,OAAO,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC9B,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;;AA/UH,0CAgVC;AA1UyB,6BAAa,GAAG,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO;AACzC,kCAAkB,GAAG,IAAI,CAAC;AAC1B,gCAAgB,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;AACjC,6BAAa,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,EAAE,mBAAmB,CAAC,CAAC;AAyUlH;;;GAGG;AACH,MAAa,gBAAiB,SAAQ,KAAK;IACzC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;IACjC,CAAC;CACF;AALD,4CAKC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,QAAgB;IAClD,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9C,MAAM,IAAI,gBAAgB,CAAC,uBAAuB,CAAC,CAAC;IACtD,CAAC;IAED,qBAAqB;IACrB,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAE5C,oCAAoC;IACpC,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC3C,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,gBAAgB,CAAC,yCAAyC,OAAO,eAAe,UAAU,EAAE,CAAC,CAAC;QAC1G,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,MAAM,cAAc,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC/E,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,gBAAgB,CAAC,oCAAoC,IAAI,kBAAkB,UAAU,EAAE,CAAC,CAAC;QACrG,CAAC;IACH,CAAC;IAED,qDAAqD;IACrD,IAAI,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAChC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,EAAE,CAAC;QAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,gBAAgB,CAAC,wDAAwD,QAAQ,EAAE,CAAC,CAAC;QACjG,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,OAAe;IAChD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAChC,MAAM,IAAI,gBAAgB,CAAC,gCAAgC,CAAC,CAAC;IAC/D,CAAC;IAED,kDAAkD;IAClD,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,gBAAgB,CAAC,+CAA+C,CAAC,CAAC;IAC9E,CAAC;IAED,yDAAyD;IACzD,MAAM,iBAAiB,GAAG,CAAC,IAAI,EAAE,GAAG,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;IAC3E,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,gBAAgB,CAAC,kCAAkC,OAAO,qBAAqB,CAAC,CAAC;QAC7F,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,OAAe;IACnD,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAC5C,MAAM,IAAI,gBAAgB,CAAC,4BAA4B,CAAC,CAAC;IAC3D,CAAC;IAED,+EAA+E;IAC/E,MAAM,cAAc,GAAG,0GAA0G,CAAC;IAElI,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAClC,MAAM,IAAI,gBAAgB,CAAC,oCAAoC,OAAO,EAAE,CAAC,CAAC;IAC5E,CAAC;IAED,uCAAuC;IACvC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACnC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;YACzB,MAAM,IAAI,gBAAgB,CAAC,2CAA2C,GAAG,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAa,qBAAqB;IAAlC;QAKU,kBAAa,GAAG,IAAI,GAAG,EAAgD,CAAC;IAoDlF,CAAC;IAlDC;;OAEG;IACH,eAAe,CAAC,OAAY,EAAE,WAAmB,SAAS;QACxD,kBAAkB;QAClB,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC;QACnD,IAAI,WAAW,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,CAAC;YACzD,MAAM,IAAI,KAAK,CAAC,sBAAsB,WAAW,gBAAgB,qBAAqB,CAAC,gBAAgB,GAAG,CAAC,CAAC;QAC9G,CAAC;QAED,gBAAgB;QAChB,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;QAEhC,uBAAuB;QACvB,IAAI,OAAO,CAAC,MAAM,EAAE,SAAS,EAAE,CAAC;YAC9B,OAAO,CAAC,MAAM,CAAC,SAAS,GAAG,eAAe,CAAC,kBAAkB,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAC1F,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,QAAgB;QACvC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAEpD,IAAI,CAAC,UAAU,IAAI,GAAG,GAAG,UAAU,CAAC,SAAS,EAAE,CAAC;YAC9C,sBAAsB;YACtB,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,EAAE;gBAC/B,KAAK,EAAE,CAAC;gBACR,SAAS,EAAE,GAAG,GAAG,qBAAqB,CAAC,iBAAiB;aACzD,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,UAAU,CAAC,KAAK,IAAI,qBAAqB,CAAC,uBAAuB,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,qCAAqC,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC;QACjH,CAAC;QAED,UAAU,CAAC,KAAK,EAAE,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,OAAO;QACL,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,EAAE,CAAC;YAC5D,IAAI,GAAG,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;gBACzB,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;YACtC,CAAC;QACH,CAAC;IACH,CAAC;;AAxDH,sDAyDC;AAxDyB,sCAAgB,GAAG,GAAG,GAAG,IAAI,AAAb,CAAc,CAAC,QAAQ;AACvC,uCAAiB,GAAG,EAAE,GAAG,IAAI,AAAZ,CAAa,CAAC,WAAW;AAC1C,6CAAuB,GAAG,GAAG,AAAN,CAAO"}