@quiltdata/benchling-webhook 0.8.8 → 0.8.9-20251130T212657Z

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@quiltdata/benchling-webhook",
-    "version": "0.8.8",
+    "version": "0.8.9-20251130T212657Z",
     "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
     "main": "dist/lib/index.js",
     "types": "dist/lib/index.d.ts",
@@ -21,6 +21,9 @@
         "deploy:dev": "ts-node bin/cli.ts deploy --stage dev --profile dev",
         "deploy:prod": "ts-node bin/cli.ts deploy --stage prod",
         "deploy:notes": "bash scripts/release-notes.sh",
+        "destroy": "ts-node bin/cli.ts destroy",
+        "destroy:dev": "ts-node bin/cli.ts destroy --stage dev --profile dev",
+        "destroy:prod": "ts-node bin/cli.ts destroy --stage prod",
         "launch": "ts-node bin/xdg-launch.ts",
         "dev": "npm run launch -- --mode native --profile dev --verbose",
         "dev:docker": "npm run launch -- --mode docker-dev --profile dev --verbose",
@@ -74,7 +77,6 @@
     "devDependencies": {
         "@eslint/js": "^9.22.0",
         "@types/adm-zip": "^0.5.7",
-        "@types/aws-lambda": "^8.10.156",
         "@types/jest": "^30.0.0",
         "@types/node": "^24.0.0",
         "@typescript-eslint/eslint-plugin": "^8.26.1",
@@ -94,6 +96,7 @@
     "dependencies": {
         "@aws-sdk/client-cloudformation": "^3.920.0",
         "@aws-sdk/client-cloudwatch-logs": "^3.933.0",
+        "@aws-sdk/client-ec2": "^3.940.0",
         "@aws-sdk/client-ecs": "^3.933.0",
         "@aws-sdk/client-elastic-load-balancing-v2": "^3.932.0",
         "@aws-sdk/client-s3": "^3.758.0",
@@ -105,7 +108,7 @@
         "adm-zip": "^0.5.10",
         "ajv": "^8.17.1",
         "ajv-formats": "^3.0.1",
-        "aws-cdk-lib": "2.229.1",
+        "aws-cdk-lib": "2.230.0",
         "boxen": "^8.0.0",
         "chalk": "^5.0.0",
         "commander": "^14.0.2",

package/dist/scripts/discover-vpc.d.ts

@@ -0,0 +1,69 @@
+/**
+ * VPC Discovery Module
+ *
+ * Discovers VPC resources from Quilt CloudFormation stack and validates
+ * them against architecture requirements.
+ *
+ * @module scripts/discover-vpc
+ */
+/**
+ * VPC discovery options
+ */
+export interface VpcDiscoveryOptions {
+    /** CloudFormation stack ARN */
+    stackArn: string;
+    /** AWS region */
+    region: string;
+    /** AWS profile to use (optional) */
+    awsProfile?: string;
+}
+/**
+ * Discovered subnet information
+ */
+export interface DiscoveredSubnet {
+    /** Subnet ID */
+    subnetId: string;
+    /** Availability zone */
+    availabilityZone: string;
+    /** CIDR block */
+    cidrBlock: string;
+    /** Whether subnet is public (has IGW route) */
+    isPublic: boolean;
+    /** Whether subnet has NAT Gateway in route table */
+    hasNatGateway: boolean;
+    /** Subnet name from tags */
+    name?: string;
+}
+/**
+ * Discovered VPC information
+ */
+export interface DiscoveredVpc {
+    /** VPC ID */
+    vpcId: string;
+    /** VPC name from tags */
+    name?: string;
+    /** CIDR block */
+    cidrBlock: string;
+    /** AWS region */
+    region: string;
+    /** Subnets in VPC */
+    subnets: DiscoveredSubnet[];
+    /** Security group IDs */
+    securityGroups: string[];
+    /** Whether VPC meets architecture requirements */
+    isValid: boolean;
+    /** Validation error messages */
+    validationErrors: string[];
+}
+/**
+ * Discovers VPC resources from CloudFormation stack
+ *
+ * Quilt stacks don't create their own VPC - they use existing VPCs.
+ * We discover the VPC by looking at the OutboundSecurityGroup output,
+ * which references the VPC used by the stack.
+ *
+ * @param options - Discovery options
+ * @returns Discovered VPC or null if not found
+ */
+export declare function discoverVpcFromStack(options: VpcDiscoveryOptions): Promise<DiscoveredVpc | null>;
+//# sourceMappingURL=discover-vpc.d.ts.map

package/dist/scripts/discover-vpc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"discover-vpc.d.ts","sourceRoot":"","sources":["../../scripts/discover-vpc.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAcH;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,+BAA+B;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,oCAAoC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC7B,gBAAgB;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,gBAAgB,EAAE,MAAM,CAAC;IACzB,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,+CAA+C;IAC/C,QAAQ,EAAE,OAAO,CAAC;IAClB,oDAAoD;IACpD,aAAa,EAAE,OAAO,CAAC;IACvB,4BAA4B;IAC5B,IAAI,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC1B,aAAa;IACb,KAAK,EAAE,MAAM,CAAC;IACd,yBAAyB;IACzB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,iBAAiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,iBAAiB;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,qBAAqB;IACrB,OAAO,EAAE,gBAAgB,EAAE,CAAC;IAC5B,yBAAyB;IACzB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC9B;AAcD;;;;;;;;;GASG;AACH,wBAAsB,oBAAoB,CACtC,OAAO,EAAE,mBAAmB,GAC7B,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAsK/B"}

package/dist/scripts/discover-vpc.js

@@ -0,0 +1,196 @@
+"use strict";
+/**
+ * VPC Discovery Module
+ *
+ * Discovers VPC resources from Quilt CloudFormation stack and validates
+ * them against architecture requirements.
+ *
+ * @module scripts/discover-vpc
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.discoverVpcFromStack = discoverVpcFromStack;
+const client_cloudformation_1 = require("@aws-sdk/client-cloudformation");
+const client_ec2_1 = require("@aws-sdk/client-ec2");
+/**
+ * Extracts stack name from ARN
+ */
+function extractStackNameFromArn(arn) {
+    // ARN format: arn:aws:cloudformation:region:account:stack/stack-name/guid
+    const parts = arn.split("/");
+    if (parts.length >= 2) {
+        return parts[1];
+    }
+    throw new Error(`Invalid stack ARN format: ${arn}`);
+}
+/**
+ * Discovers VPC resources from CloudFormation stack
+ *
+ * Quilt stacks don't create their own VPC - they use existing VPCs.
+ * We discover the VPC by looking at the OutboundSecurityGroup output,
+ * which references the VPC used by the stack.
+ *
+ * @param options - Discovery options
+ * @returns Discovered VPC or null if not found
+ */
+async function discoverVpcFromStack(options) {
+    const { stackArn, region } = options;
+    // Initialize AWS clients
+    const cfnConfig = { region };
+    const ec2Config = { region };
+    const cfnClient = new client_cloudformation_1.CloudFormationClient(cfnConfig);
+    const ec2Client = new client_ec2_1.EC2Client(ec2Config);
+    try {
+        // Step 1: Get OutboundSecurityGroup from stack outputs
+        const stackName = extractStackNameFromArn(stackArn);
+        const describeStacksCmd = new client_cloudformation_1.DescribeStacksCommand({
+            StackName: stackName,
+        });
+        const stacksResponse = await cfnClient.send(describeStacksCmd);
+        const stack = stacksResponse.Stacks?.[0];
+        if (!stack) {
+            return null;
+        }
+        // Find OutboundSecurityGroup output
+        const outboundSgOutput = stack.Outputs?.find((o) => o.OutputKey === "OutboundSecurityGroup");
+        if (!outboundSgOutput || !outboundSgOutput.OutputValue) {
+            return null;
+        }
+        const securityGroupId = outboundSgOutput.OutputValue;
+        // Step 2: Get VPC ID from security group
+        const sgDetailsCmd = new client_ec2_1.DescribeSecurityGroupsCommand({
+            GroupIds: [securityGroupId],
+        });
+        const sgDetailsResponse = await ec2Client.send(sgDetailsCmd);
+        const securityGroup = sgDetailsResponse.SecurityGroups?.[0];
+        if (!securityGroup || !securityGroup.VpcId) {
+            return null;
+        }
+        const vpcId = securityGroup.VpcId;
+        // Step 3: Enrich VPC metadata via EC2 API
+        const vpcDetailsCmd = new client_ec2_1.DescribeVpcsCommand({
+            VpcIds: [vpcId],
+        });
+        const vpcDetailsResponse = await ec2Client.send(vpcDetailsCmd);
+        const vpcDetails = vpcDetailsResponse.Vpcs?.[0];
+        if (!vpcDetails) {
+            return null;
+        }
+        const vpcName = vpcDetails.Tags?.find((t) => t.Key === "Name")?.Value;
+        const cidrBlock = vpcDetails.CidrBlock || "";
+        // Step 4: Get subnet details
+        const subnetsCmd = new client_ec2_1.DescribeSubnetsCommand({
+            Filters: [
+                {
+                    Name: "vpc-id",
+                    Values: [vpcId],
+                },
+            ],
+        });
+        const subnetsResponse = await ec2Client.send(subnetsCmd);
+        const ec2Subnets = subnetsResponse.Subnets || [];
+        // Step 5: Get route tables to determine subnet types
+        const routeTablesCmd = new client_ec2_1.DescribeRouteTablesCommand({
+            Filters: [
+                {
+                    Name: "vpc-id",
+                    Values: [vpcId],
+                },
+            ],
+        });
+        const routeTablesResponse = await ec2Client.send(routeTablesCmd);
+        const routeTables = routeTablesResponse.RouteTables || [];
+        // Build map of subnet -> route table -> NAT/IGW status
+        const subnetRouteMap = new Map();
+        for (const routeTable of routeTables) {
+            // Check if route table has IGW or NAT Gateway
+            const hasIgw = routeTable.Routes?.some((r) => r.GatewayId?.startsWith("igw-"));
+            const hasNat = routeTable.Routes?.some((r) => r.NatGatewayId?.startsWith("nat-"));
+            // Map subnets to this route table
+            const subnetIds = routeTable.Associations?.map((a) => a.SubnetId).filter((id) => !!id) || [];
+            for (const subnetId of subnetIds) {
+                subnetRouteMap.set(subnetId, {
+                    isPublic: !!hasIgw,
+                    hasNatGateway: !!hasNat,
+                });
+            }
+        }
+        // Build discovered subnets
+        const subnets = ec2Subnets.map((subnet) => {
+            const subnetId = subnet.SubnetId || "";
+            const routeInfo = subnetRouteMap.get(subnetId) || {
+                isPublic: false,
+                hasNatGateway: false,
+            };
+            const name = subnet.Tags?.find((t) => t.Key === "Name")?.Value;
+            return {
+                subnetId,
+                availabilityZone: subnet.AvailabilityZone || "",
+                cidrBlock: subnet.CidrBlock || "",
+                isPublic: routeInfo.isPublic,
+                hasNatGateway: routeInfo.hasNatGateway,
+                name,
+            };
+        });
+        // Step 6: Get security groups
+        const securityGroupsCmd = new client_ec2_1.DescribeSecurityGroupsCommand({
+            Filters: [
+                {
+                    Name: "vpc-id",
+                    Values: [vpcId],
+                },
+            ],
+        });
+        const securityGroupsResponse = await ec2Client.send(securityGroupsCmd);
+        const securityGroups = (securityGroupsResponse.SecurityGroups || [])
+            .map((sg) => sg.GroupId)
+            .filter((id) => !!id);
+        // Step 7: Build discovered VPC
+        const discoveredVpc = {
+            vpcId,
+            name: vpcName,
+            cidrBlock,
+            region,
+            subnets,
+            securityGroups,
+            isValid: false,
+            validationErrors: [],
+        };
+        // Step 8: Validate VPC
+        validateVpc(discoveredVpc);
+        return discoveredVpc;
+    }
+    catch (error) {
+        const err = error;
+        throw new Error(`VPC discovery failed: ${err.message}`);
+    }
+}
+/**
+ * Validates VPC meets architecture requirements
+ *
+ * Requirements:
+ * - Must have ≥2 private subnets in different AZs
+ * - Private subnets must have NAT Gateway for outbound access
+ *
+ * @param vpc - Discovered VPC to validate
+ */
+function validateVpc(vpc) {
+    const errors = [];
+    // Check private subnets
+    const privateSubnets = vpc.subnets.filter((s) => !s.isPublic);
+    if (privateSubnets.length < 2) {
+        errors.push(`Insufficient private subnets (found ${privateSubnets.length}, need ≥2)`);
+    }
+    // Check AZ distribution
+    const azs = new Set(privateSubnets.map((s) => s.availabilityZone));
+    if (azs.size < 2) {
+        errors.push(`Private subnets span only ${azs.size} AZ(s) (need ≥2 for high availability)`);
+    }
+    // Check NAT Gateway
+    const hasNat = vpc.subnets.some((s) => s.hasNatGateway);
+    if (!hasNat) {
+        errors.push("No NAT Gateway configured (required for ECS outbound access)");
+    }
+    vpc.isValid = errors.length === 0;
+    vpc.validationErrors = errors;
+}
+//# sourceMappingURL=discover-vpc.js.map

package/dist/scripts/discover-vpc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"discover-vpc.js","sourceRoot":"","sources":["../../scripts/discover-vpc.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;AAwFH,oDAwKC;AA9PD,0EAGwC;AACxC,oDAM6B;AAsD7B;;GAEG;AACH,SAAS,uBAAuB,CAAC,GAAW;IACxC,0EAA0E;IAC1E,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QACpB,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IACpB,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,EAAE,CAAC,CAAC;AACxD,CAAC;AAED;;;;;;;;;GASG;AACI,KAAK,UAAU,oBAAoB,CACtC,OAA4B;IAE5B,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC;IAErC,yBAAyB;IACzB,MAAM,SAAS,GAAG,EAAE,MAAM,EAAE,CAAC;IAC7B,MAAM,SAAS,GAAG,EAAE,MAAM,EAAE,CAAC;IAE7B,MAAM,SAAS,GAAG,IAAI,4CAAoB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,IAAI,sBAAS,CAAC,SAAS,CAAC,CAAC;IAE3C,IAAI,CAAC;QACD,uDAAuD;QACvD,MAAM,SAAS,GAAG,uBAAuB,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,iBAAiB,GAAG,IAAI,6CAAqB,CAAC;YAChD,SAAS,EAAE,SAAS;SACvB,CAAC,CAAC;QAEH,MAAM,cAAc,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC/D,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,oCAAoC;QACpC,MAAM,gBAAgB,GAAG,KAAK,CAAC,OAAO,EAAE,IAAI,CACxC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,uBAAuB,CACjD,CAAC;QACF,IAAI,CAAC,gBAAgB,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,eAAe,GAAG,gBAAgB,CAAC,WAAW,CAAC;QAErD,yCAAyC;QACzC,MAAM,YAAY,GAAG,IAAI,0CAA6B,CAAC;YACnD,QAAQ,EAAE,CAAC,eAAe,CAAC;SAC9B,CAAC,CAAC;QACH,MAAM,iBAAiB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAC7D,MAAM,aAAa,GAAG,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC;QAE5D,IAAI,CAAC,aAAa,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;YACzC,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC;QAElC,0CAA0C;QAC1C,MAAM,aAAa,GAAG,IAAI,gCAAmB,CAAC;YAC1C,MAAM,EAAE,CAAC,KAAK,CAAC;SAClB,CAAC,CAAC;QACH,MAAM,kBAAkB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAC/D,MAAM,UAAU,GAAG,kBAAkB,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAEhD,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,MAAM,OAAO,GAAG,UAAU,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC;QACtE,MAAM,SAAS,GAAG,UAAU,CAAC,SAAS,IAAI,EAAE,CAAC;QAE7C,6BAA6B;QAC7B,MAAM,UAAU,GAAG,IAAI,mCAAsB,CAAC;YAC1C,OAAO,EAAE;gBACL;oBACI,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,CAAC,KAAK,CAAC;iBAClB;aACJ;SACJ,CAAC,CAAC;QACH,MAAM,eAAe,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACzD,MAAM,UAAU,GAAG,eAAe,CAAC,OAAO,IAAI,EAAE,CAAC;QAEjD,qDAAqD;QACrD,MAAM,cAAc,GAAG,IAAI,uCAA0B,CAAC;YAClD,OAAO,EAAE;gBACL;oBACI,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,CAAC,KAAK,CAAC;iBAClB;aACJ;SACJ,CAAC,CAAC;QACH,MAAM,mBAAmB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACjE,MAAM,WAAW,GAAG,mBAAmB,CAAC,WAAW,IAAI,EAAE,CAAC;QAE1D,uDAAuD;QACvD,MAAM,cAAc,GAAG,IAAI,GAAG,EAG3B,CAAC;QAEJ,KAAK,MAAM,UAAU,IAAI,WAAW,EAAE,CAAC;YACnC,8CAA8C;YAC9C,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,IAAI,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,EAAE,UAAU,CAAC,MAAM,CAAC,CACzC,CAAC;YACF,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,EAAE,IAAI,CAClC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,EAAE,UAAU,CAAC,MAAM,CAAC,CAC5C,CAAC;YAEF,kCAAkC;YAClC,MAAM,SAAS,GACX,UAAU,CAAC,YAAY,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,CAClD,CAAC,EAAE,EAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAC7B,IAAI,EAAE,CAAC;YAEZ,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;gBAC/B,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE;oBACzB,QAAQ,EAAE,CAAC,CAAC,MAAM;oBAClB,aAAa,EAAE,CAAC,CAAC,MAAM;iBAC1B,CAAC,CAAC;YACP,CAAC;QACL,CAAC;QAED,2BAA2B;QAC3B,MAAM,OAAO,GAAuB,UAAU,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE;YAC1D,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,IAAI,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI;gBAC9C,QAAQ,EAAE,KAAK;gBACf,aAAa,EAAE,KAAK;aACvB,CAAC;YACF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,EAAE,KAAK,CAAC;YAE/D,OAAO;gBACH,QAAQ;gBACR,gBAAgB,EAAE,MAAM,CAAC,gBAAgB,IAAI,EAAE;gBAC/C,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,EAAE;gBACjC,QAAQ,EAAE,SAAS,CAAC,QAAQ;gBAC5B,aAAa,EAAE,SAAS,CAAC,aAAa;gBACtC,IAAI;aACP,CAAC;QACN,CAAC,CAAC,CAAC;QAEH,8BAA8B;QAC9B,MAAM,iBAAiB,GAAG,IAAI,0CAA6B,CAAC;YACxD,OAAO,EAAE;gBACL;oBACI,IAAI,EAAE,QAAQ;oBACd,MAAM,EAAE,CAAC,KAAK,CAAC;iBAClB;aACJ;SACJ,CAAC,CAAC;QACH,MAAM,sBAAsB,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QACvE,MAAM,cAAc,GAAG,CAAC,sBAAsB,CAAC,cAAc,IAAI,EAAE,CAAC;aAC/D,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,OAAO,CAAC;aACvB,MAAM,CAAC,CAAC,EAAE,EAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAExC,+BAA+B;QAC/B,MAAM,aAAa,GAAkB;YACjC,KAAK;YACL,IAAI,EAAE,OAAO;YACb,SAAS;YACT,MAAM;YACN,OAAO;YACP,cAAc;YACd,OAAO,EAAE,KAAK;YACd,gBAAgB,EAAE,EAAE;SACvB,CAAC;QAEF,uBAAuB;QACvB,WAAW,CAAC,aAAa,CAAC,CAAC;QAE3B,OAAO,aAAa,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,KAAc,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC;AACL,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,WAAW,CAAC,GAAkB;IACnC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,wBAAwB;IACxB,MAAM,cAAc,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC9D,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CACP,uCAAuC,cAAc,CAAC,MAAM,YAAY,CAC3E,CAAC;IACN,CAAC;IAED,wBAAwB;IACxB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACnE,IAAI,GAAG,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CACP,6BAA6B,GAAG,CAAC,IAAI,wCAAwC,CAChF,CAAC;IACN,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC;IACxD,IAAI,CAAC,MAAM,EAAE,CAAC;QACV,MAAM,CAAC,IAAI,CACP,8DAA8D,CACjE,CAAC;IACN,CAAC;IAED,GAAG,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;IAClC,GAAG,CAAC,gBAAgB,GAAG,MAAM,CAAC;AAClC,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quiltdata/benchling-webhook",
-  "version": "0.8.8",
+  "version": "0.8.9-20251130T212657Z",
   "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
   "main": "dist/lib/index.js",
   "types": "dist/lib/index.d.ts",
@@ -21,6 +21,9 @@
     "deploy:dev": "ts-node bin/cli.ts deploy --stage dev --profile dev",
     "deploy:prod": "ts-node bin/cli.ts deploy --stage prod",
     "deploy:notes": "bash scripts/release-notes.sh",
+    "destroy": "ts-node bin/cli.ts destroy",
+    "destroy:dev": "ts-node bin/cli.ts destroy --stage dev --profile dev",
+    "destroy:prod": "ts-node bin/cli.ts destroy --stage prod",
     "launch": "ts-node bin/xdg-launch.ts",
     "dev": "npm run launch -- --mode native --profile dev --verbose",
     "dev:docker": "npm run launch -- --mode docker-dev --profile dev --verbose",
@@ -74,7 +77,6 @@
   "devDependencies": {
     "@eslint/js": "^9.22.0",
     "@types/adm-zip": "^0.5.7",
-    "@types/aws-lambda": "^8.10.156",
     "@types/jest": "^30.0.0",
     "@types/node": "^24.0.0",
     "@typescript-eslint/eslint-plugin": "^8.26.1",
@@ -94,6 +96,7 @@
   "dependencies": {
     "@aws-sdk/client-cloudformation": "^3.920.0",
     "@aws-sdk/client-cloudwatch-logs": "^3.933.0",
+    "@aws-sdk/client-ec2": "^3.940.0",
     "@aws-sdk/client-ecs": "^3.933.0",
     "@aws-sdk/client-elastic-load-balancing-v2": "^3.932.0",
     "@aws-sdk/client-s3": "^3.758.0",
@@ -105,7 +108,7 @@
     "adm-zip": "^0.5.10",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
-    "aws-cdk-lib": "2.229.1",
+    "aws-cdk-lib": "2.230.0",
     "boxen": "^8.0.0",
     "chalk": "^5.0.0",
     "commander": "^14.0.2",

package/dist/lib/alb-api-gateway.d.ts

@@ -1,23 +0,0 @@
-import * as apigateway from "aws-cdk-lib/aws-apigateway";
-import * as logs from "aws-cdk-lib/aws-logs";
-import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
-import { Construct } from "constructs";
-import { ProfileConfig } from "./types/config";
-/**
- * Properties for AlbApiGateway construct (v0.7.0+)
- *
- * Uses ProfileConfig to access security settings like webhook allow list.
- */
-export interface AlbApiGatewayProps {
-    readonly loadBalancer: elbv2.ApplicationLoadBalancer;
-    readonly config: ProfileConfig;
-}
-export declare class AlbApiGateway {
-    readonly api: apigateway.RestApi;
-    readonly logGroup: logs.ILogGroup;
-    constructor(scope: Construct, id: string, props: AlbApiGatewayProps);
-    private createResourcePolicy;
-    private createCloudWatchRole;
-    private addWebhookEndpoints;
-}
-//# sourceMappingURL=alb-api-gateway.d.ts.map

package/dist/lib/alb-api-gateway.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"alb-api-gateway.d.ts","sourceRoot":"","sources":["../../lib/alb-api-gateway.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AAEzD,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,KAAK,KAAK,MAAM,wCAAwC,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C;;;;GAIG;AACH,MAAM,WAAW,kBAAkB;IAC/B,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,uBAAuB,CAAC;IACrD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;CAClC;AAED,qBAAa,aAAa;IACtB,SAAgB,GAAG,EAAE,UAAU,CAAC,OAAO,CAAC;IACxC,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;gBAGrC,KAAK,EAAE,SAAS,EAChB,EAAE,EAAE,MAAM,EACV,KAAK,EAAE,kBAAkB;IA0E7B,OAAO,CAAC,oBAAoB;IAwC5B,OAAO,CAAC,oBAAoB;IAiB5B,OAAO,CAAC,mBAAmB;CAqE9B"}

package/dist/lib/alb-api-gateway.js

@@ -1,211 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AlbApiGateway = void 0;
-const cdk = __importStar(require("aws-cdk-lib"));
-const apigateway = __importStar(require("aws-cdk-lib/aws-apigateway"));
-const iam = __importStar(require("aws-cdk-lib/aws-iam"));
-const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-class AlbApiGateway {
-    constructor(scope, id, props) {
-        const { config } = props;
-        this.logGroup = new logs.LogGroup(scope, "ApiGatewayAccessLogs", {
-            logGroupName: "/aws/apigateway/benchling-webhook",
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        this.createCloudWatchRole(scope);
-        // Get webhook allow list from config
-        const webhookAllowList = config.security?.webhookAllowList || "";
-        // Parse IP allowlist for resource policy
-        let allowedIps = undefined;
-        if (webhookAllowList) {
-            if (cdk.Token.isUnresolved(webhookAllowList)) {
-                // For CDK tokens (parameters), we can't evaluate at synth time
-                // Split and let CloudFormation handle it
-                allowedIps = cdk.Fn.split(",", webhookAllowList);
-            }
-            else if (webhookAllowList.trim() !== "") {
-                // For concrete values, parse and filter
-                const parsed = webhookAllowList
-                    .split(",")
-                    .map(ip => ip.trim())
-                    .filter(ip => ip.length > 0);
-                if (parsed.length > 0) {
-                    allowedIps = parsed;
-                }
-            }
-        }
-        // Create resource policy for IP filtering at the edge
-        // Only create policy if we have IPs and they're not from an empty parameter
-        const policyDocument = this.createResourcePolicy(allowedIps, webhookAllowList);
-        this.api = new apigateway.RestApi(scope, "BenchlingWebhookAPI", {
-            restApiName: "BenchlingWebhookAPI",
-            policy: policyDocument,
-            deployOptions: {
-                stageName: "prod",
-                accessLogDestination: new apigateway.LogGroupLogDestination(this.logGroup),
-                methodOptions: {
-                    "/*/*": {
-                        loggingLevel: apigateway.MethodLoggingLevel.INFO,
-                        dataTraceEnabled: true,
-                    },
-                },
-            },
-        });
-        this.addWebhookEndpoints(props.loadBalancer);
-        // Output API Gateway ID for execution logs
-        new cdk.CfnOutput(scope, "ApiGatewayId", {
-            value: this.api.restApiId,
-            description: "API Gateway REST API ID",
-        });
-        // Output execution log group name
-        new cdk.CfnOutput(scope, "ApiGatewayExecutionLogGroup", {
-            value: `API-Gateway-Execution-Logs_${this.api.restApiId}/prod`,
-            description: "API Gateway execution log group for detailed request/response logs",
-        });
-        // Output ALB DNS for direct testing
-        new cdk.CfnOutput(scope, "LoadBalancerDNS", {
-            value: props.loadBalancer.loadBalancerDnsName,
-            description: "Application Load Balancer DNS name for direct testing",
-        });
-    }
-    createResourcePolicy(allowedIps, rawParameter) {
-        // Don't create policy if no IPs provided
-        if (!allowedIps) {
-            return undefined;
-        }
-        // Don't create policy for empty arrays
-        if (Array.isArray(allowedIps) && allowedIps.length === 0) {
-            return undefined;
-        }
-        // For CDK tokens (CloudFormation parameters), we can't evaluate at synth time
-        // Don't create policy for parameters since we can't conditionally apply them
-        // API Gateway doesn't support conditional policies, so we skip the policy entirely
-        // when using parameters. This means WebhookAllowList parameter won't work for
-        // runtime IP filtering - IPs must be set at deployment time.
-        if (rawParameter && cdk.Token.isUnresolved(rawParameter)) {
-            return undefined;
-        }
-        return new iam.PolicyDocument({
-            statements: [
-                new iam.PolicyStatement({
-                    effect: iam.Effect.ALLOW,
-                    principals: [new iam.AnyPrincipal()],
-                    actions: ["execute-api:Invoke"],
-                    resources: ["execute-api:/*"],
-                    conditions: {
-                        IpAddress: {
-                            "aws:SourceIp": allowedIps,
-                        },
-                    },
-                }),
-            ],
-        });
-    }
-    createCloudWatchRole(scope) {
-        const cloudWatchRole = new iam.Role(scope, "ApiGatewayCloudWatchRole", {
-            assumedBy: new iam.ServicePrincipal("apigateway.amazonaws.com"),
-            managedPolicies: [
-                iam.ManagedPolicy.fromAwsManagedPolicyName("service-role/AmazonAPIGatewayPushToCloudWatchLogs"),
-            ],
-        });
-        new apigateway.CfnAccount(scope, "ApiGatewayAccount", {
-            cloudWatchRoleArn: cloudWatchRole.roleArn,
-        });
-        return cloudWatchRole;
-    }
-    addWebhookEndpoints(loadBalancer) {
-        // Create HTTP integration to ALB
-        const albIntegration = new apigateway.HttpIntegration(`http://${loadBalancer.loadBalancerDnsName}/{proxy}`, {
-            httpMethod: "ANY",
-            options: {
-                requestParameters: {
-                    "integration.request.path.proxy": "method.request.path.proxy",
-                },
-                integrationResponses: [
-                    {
-                        statusCode: "200",
-                    },
-                    {
-                        statusCode: "400",
-                        selectionPattern: "4\\d{2}",
-                    },
-                    {
-                        statusCode: "500",
-                        selectionPattern: "5\\d{2}",
-                    },
-                ],
-            },
-        });
-        // Create proxy resource to forward all requests to ALB
-        const proxyResource = this.api.root.addResource("{proxy+}");
-        proxyResource.addMethod("ANY", albIntegration, {
-            requestParameters: {
-                "method.request.path.proxy": true,
-            },
-            methodResponses: [
-                { statusCode: "200" },
-                { statusCode: "400" },
-                { statusCode: "500" },
-            ],
-        });
-        // Also handle root path
-        this.api.root.addMethod("ANY", new apigateway.HttpIntegration(`http://${loadBalancer.loadBalancerDnsName}/`, {
-            httpMethod: "ANY",
-            options: {
-                integrationResponses: [
-                    { statusCode: "200" },
-                    {
-                        statusCode: "400",
-                        selectionPattern: "4\\d{2}",
-                    },
-                    {
-                        statusCode: "500",
-                        selectionPattern: "5\\d{2}",
-                    },
-                ],
-            },
-        }), {
-            methodResponses: [
-                { statusCode: "200" },
-                { statusCode: "400" },
-                { statusCode: "500" },
-            ],
-        });
-    }
-}
-exports.AlbApiGateway = AlbApiGateway;
-//# sourceMappingURL=alb-api-gateway.js.map

package/dist/lib/alb-api-gateway.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"alb-api-gateway.js","sourceRoot":"","sources":["../../lib/alb-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,uEAAyD;AACzD,yDAA2C;AAC3C,2DAA6C;AAe7C,MAAa,aAAa;IAItB,YACI,KAAgB,EAChB,EAAU,EACV,KAAyB;QAEzB,MAAM,EAAE,MAAM,EAAE,GAAG,KAAK,CAAC;QAEzB,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,mCAAmC;YACjD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAEjC,qCAAqC;QACrC,MAAM,gBAAgB,GAAG,MAAM,CAAC,QAAQ,EAAE,gBAAgB,IAAI,EAAE,CAAC;QAEjE,yCAAyC;QACzC,IAAI,UAAU,GAAyB,SAAS,CAAC;QACjD,IAAI,gBAAgB,EAAE,CAAC;YACnB,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBAC3C,+DAA+D;gBAC/D,yCAAyC;gBACzC,UAAU,GAAG,GAAG,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,gBAAgB,CAAwB,CAAC;YAC5E,CAAC;iBAAM,IAAI,gBAAgB,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC;gBACxC,wCAAwC;gBACxC,MAAM,MAAM,GAAG,gBAAgB;qBAC1B,KAAK,CAAC,GAAG,CAAC;qBACV,GAAG,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;qBACpB,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBACjC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACpB,UAAU,GAAG,MAAM,CAAC;gBACxB,CAAC;YACL,CAAC;QACL,CAAC;QAED,sDAAsD;QACtD,4EAA4E;QAC5E,MAAM,cAAc,GAAG,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC;QAE/E,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,qBAAqB,EAAE;YAC5D,WAAW,EAAE,qBAAqB;YAClC,MAAM,EAAE,cAAc;YACtB,aAAa,EAAE;gBACX,SAAS,EAAE,MAAM;gBACjB,oBAAoB,EAAE,IAAI,UAAU,CAAC,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC1E,aAAa,EAAE;oBACX,MAAM,EAAE;wBACJ,YAAY,EAAE,UAAU,CAAC,kBAAkB,CAAC,IAAI;wBAChD,gBAAgB,EAAE,IAAI;qBACzB;iBACJ;aACJ;SACJ,CAAC,CAAC;QAEH,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QAE7C,2CAA2C;QAC3C,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,cAAc,EAAE;YACrC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,SAAS;YACzB,WAAW,EAAE,yBAAyB;SACzC,CAAC,CAAC;QAEH,kCAAkC;QAClC,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,6BAA6B,EAAE;YACpD,KAAK,EAAE,8BAA8B,IAAI,CAAC,GAAG,CAAC,SAAS,OAAO;YAC9D,WAAW,EAAE,oEAAoE;SACpF,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,GAAG,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,EAAE;YACxC,KAAK,EAAE,KAAK,CAAC,YAAY,CAAC,mBAAmB;YAC7C,WAAW,EAAE,uDAAuD;SACvE,CAAC,CAAC;IACP,CAAC;IAEO,oBAAoB,CACxB,UAAgC,EAChC,YAAgC;QAEhC,yCAAyC;QACzC,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,uCAAuC;QACvC,IAAI,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvD,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,8EAA8E;QAC9E,6EAA6E;QAC7E,mFAAmF;QACnF,8EAA8E;QAC9E,6DAA6D;QAC7D,IAAI,YAAY,IAAI,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,YAAY,CAAC,EAAE,CAAC;YACvD,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,GAAG,CAAC,cAAc,CAAC;YAC1B,UAAU,EAAE;gBACR,IAAI,GAAG,CAAC,eAAe,CAAC;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK;oBACxB,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;oBACpC,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,SAAS,EAAE,CAAC,gBAAgB,CAAC;oBAC7B,UAAU,EAAE;wBACR,SAAS,EAAE;4BACP,cAAc,EAAE,UAAU;yBAC7B;qBACJ;iBACJ,CAAC;aACL;SACJ,CAAC,CAAC;IACP,CAAC;IAEO,oBAAoB,CAAC,KAAgB;QACzC,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,KAAK,EAAE,0BAA0B,EAAE;YACnE,SAAS,EAAE,IAAI,GAAG,CAAC,gBAAgB,CAAC,0BAA0B,CAAC;YAC/D,eAAe,EAAE;gBACb,GAAG,CAAC,aAAa,CAAC,wBAAwB,CACtC,mDAAmD,CACtD;aACJ;SACJ,CAAC,CAAC;QAEH,IAAI,UAAU,CAAC,UAAU,CAAC,KAAK,EAAE,mBAAmB,EAAE;YAClD,iBAAiB,EAAE,cAAc,CAAC,OAAO;SAC5C,CAAC,CAAC;QAEH,OAAO,cAAc,CAAC;IAC1B,CAAC;IAEO,mBAAmB,CACvB,YAA2C;QAE3C,iCAAiC;QACjC,MAAM,cAAc,GAAG,IAAI,UAAU,CAAC,eAAe,CACjD,UAAU,YAAY,CAAC,mBAAmB,UAAU,EACpD;YACI,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACL,iBAAiB,EAAE;oBACf,gCAAgC,EAAE,2BAA2B;iBAChE;gBACD,oBAAoB,EAAE;oBAClB;wBACI,UAAU,EAAE,KAAK;qBACpB;oBACD;wBACI,UAAU,EAAE,KAAK;wBACjB,gBAAgB,EAAE,SAAS;qBAC9B;oBACD;wBACI,UAAU,EAAE,KAAK;wBACjB,gBAAgB,EAAE,SAAS;qBAC9B;iBACJ;aACJ;SACJ,CACJ,CAAC;QAEF,uDAAuD;QACvD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,CAAC;QAC5D,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,cAAc,EAAE;YAC3C,iBAAiB,EAAE;gBACf,2BAA2B,EAAE,IAAI;aACpC;YACD,eAAe,EAAE;gBACb,EAAE,UAAU,EAAE,KAAK,EAAE;gBACrB,EAAE,UAAU,EAAE,KAAK,EAAE;gBACrB,EAAE,UAAU,EAAE,KAAK,EAAE;aACxB;SACJ,CAAC,CAAC;QAEH,wBAAwB;QACxB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,UAAU,CAAC,eAAe,CACzD,UAAU,YAAY,CAAC,mBAAmB,GAAG,EAC7C;YACI,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE;gBACL,oBAAoB,EAAE;oBAClB,EAAE,UAAU,EAAE,KAAK,EAAE;oBACrB;wBACI,UAAU,EAAE,KAAK;wBACjB,gBAAgB,EAAE,SAAS;qBAC9B;oBACD;wBACI,UAAU,EAAE,KAAK;wBACjB,gBAAgB,EAAE,SAAS;qBAC9B;iBACJ;aACJ;SACJ,CACJ,EAAE;YACC,eAAe,EAAE;gBACb,EAAE,UAAU,EAAE,KAAK,EAAE;gBACrB,EAAE,UAAU,EAAE,KAAK,EAAE;gBACrB,EAAE,UAAU,EAAE,KAAK,EAAE;aACxB;SACJ,CAAC,CAAC;IACP,CAAC;CACJ;AA/MD,sCA+MC"}