@quiltdata/benchling-webhook 0.9.0-20251127T201515Z → 0.9.0-20251129T071202Z

package/dist/lib/waf-web-acl.d.ts

@@ -0,0 +1,51 @@
+import * as wafv2 from "aws-cdk-lib/aws-wafv2";
+import * as logs from "aws-cdk-lib/aws-logs";
+import { Construct } from "constructs";
+export interface WafWebAclProps {
+    /**
+     * Comma-separated list of allowed IP addresses/CIDR blocks
+     *
+     * Empty string means no IP filtering (discovery mode - COUNT all requests).
+     * Non-empty string enables IP filtering (security mode - BLOCK unknown IPs).
+     *
+     * @example "192.168.1.0/24,10.0.0.0/8"
+     * @default ""
+     */
+    readonly ipAllowList?: string;
+}
+/**
+ * WAF Web ACL for Benchling webhook IP filtering
+ *
+ * Provides defense-in-depth security at AWS edge with two rules:
+ * 1. Health check exception - Always allow /health, /health/ready, /health/live
+ * 2. IP allowlist - Allow requests from configured IP ranges
+ *
+ * **Automatic Mode Selection:**
+ * - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
+ * - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
+ *
+ * This allows customers to deploy initially without knowing Benchling IPs,
+ * discover them from CloudWatch logs, then add them to enable blocking mode.
+ */
+export declare class WafWebAcl extends Construct {
+    readonly webAcl: wafv2.CfnWebACL;
+    readonly ipSet: wafv2.CfnIPSet;
+    readonly logGroup: logs.ILogGroup;
+    constructor(scope: Construct, id: string, props?: WafWebAclProps);
+    /**
+     * Parse IP allowlist string into array of CIDR blocks
+     *
+     * - Splits by comma
+     * - Trims whitespace
+     * - Adds /32 suffix if not present
+     * - Filters out empty entries
+     *
+     * @param allowList Comma-separated list of IPs/CIDR blocks
+     * @returns Array of CIDR blocks
+     *
+     * @example
+     * parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
+     */
+    private parseIpAllowList;
+}
+//# sourceMappingURL=waf-web-acl.d.ts.map

package/dist/lib/waf-web-acl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"waf-web-acl.d.ts","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,KAAK,MAAM,uBAAuB,CAAC;AAC/C,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAEvC,MAAM,WAAW,cAAc;IAC3B;;;;;;;;OAQG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;;;;;;;;;;;;GAaG;AACH,qBAAa,SAAU,SAAQ,SAAS;IACpC,SAAgB,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC;IACxC,SAAgB,KAAK,EAAE,KAAK,CAAC,QAAQ,CAAC;IACtC,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;gBAE7B,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,GAAE,cAAmB;IA2HpE;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,gBAAgB;CAU3B"}

package/dist/lib/waf-web-acl.js

@@ -0,0 +1,192 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WafWebAcl = void 0;
+const cdk = __importStar(require("aws-cdk-lib"));
+const wafv2 = __importStar(require("aws-cdk-lib/aws-wafv2"));
+const logs = __importStar(require("aws-cdk-lib/aws-logs"));
+const constructs_1 = require("constructs");
+/**
+ * WAF Web ACL for Benchling webhook IP filtering
+ *
+ * Provides defense-in-depth security at AWS edge with two rules:
+ * 1. Health check exception - Always allow /health, /health/ready, /health/live
+ * 2. IP allowlist - Allow requests from configured IP ranges
+ *
+ * **Automatic Mode Selection:**
+ * - Empty IP allowlist → COUNT mode (discovery phase - logs requests but doesn't block)
+ * - Non-empty IP allowlist → BLOCK mode (security phase - blocks unknown IPs)
+ *
+ * This allows customers to deploy initially without knowing Benchling IPs,
+ * discover them from CloudWatch logs, then add them to enable blocking mode.
+ */
+class WafWebAcl extends constructs_1.Construct {
+    constructor(scope, id, props = {}) {
+        super(scope, id);
+        // Parse IP allowlist with CIDR notation normalization
+        const ipAllowList = this.parseIpAllowList(props.ipAllowList || "");
+        // Automatic mode selection based on IP allowlist
+        // - Empty allowlist: Allow mode (discovery - logs all requests, no blocking)
+        // - Has IPs: Block mode (security - blocks unknown IPs)
+        const isDiscoveryMode = ipAllowList.length === 0;
+        const mode = isDiscoveryMode ? "Allow" : "Block";
+        console.log(`WAF mode: ${mode} (${isDiscoveryMode ? "discovery - no IPs configured, all traffic allowed" : `security - ${ipAllowList.length} IP ranges configured`})`);
+        // Create IP Set for allowlist
+        this.ipSet = new wafv2.CfnIPSet(this, "IPSet", {
+            name: "BenchlingWebhookIPSet",
+            scope: "REGIONAL",
+            ipAddressVersion: "IPV4",
+            addresses: ipAllowList,
+            description: "Allowed IP addresses for Benchling webhooks",
+        });
+        // CloudWatch log group for WAF logs
+        this.logGroup = new logs.LogGroup(this, "WafLogGroup", {
+            logGroupName: "/aws/waf/benchling-webhook",
+            retention: logs.RetentionDays.ONE_WEEK,
+            removalPolicy: cdk.RemovalPolicy.DESTROY,
+        });
+        // Create Web ACL with two rules
+        // Default action: Allow (discovery mode) or Block (security mode)
+        const defaultActionConfig = isDiscoveryMode
+            ? { allow: {} }
+            : { block: {} };
+        this.webAcl = new wafv2.CfnWebACL(this, "WebACL", {
+            name: "BenchlingWebhookWebACL",
+            scope: "REGIONAL",
+            defaultAction: defaultActionConfig,
+            description: "WAF for Benchling webhook IP filtering with automatic discovery mode. " +
+                `Mode: ${mode} (${isDiscoveryMode ? "empty allowlist - all traffic allowed" : `${ipAllowList.length} IPs configured`})`,
+            rules: [
+                // Rule 1: Health check exception (Priority 10)
+                // Always allow health check endpoints regardless of IP
+                {
+                    name: "HealthCheckException",
+                    priority: 10,
+                    statement: {
+                        orStatement: {
+                            statements: [
+                                {
+                                    byteMatchStatement: {
+                                        fieldToMatch: { uriPath: {} },
+                                        positionalConstraint: "EXACTLY",
+                                        searchString: "/health",
+                                        textTransformations: [{ priority: 0, type: "NONE" }],
+                                    },
+                                },
+                                {
+                                    byteMatchStatement: {
+                                        fieldToMatch: { uriPath: {} },
+                                        positionalConstraint: "EXACTLY",
+                                        searchString: "/health/ready",
+                                        textTransformations: [{ priority: 0, type: "NONE" }],
+                                    },
+                                },
+                                {
+                                    byteMatchStatement: {
+                                        fieldToMatch: { uriPath: {} },
+                                        positionalConstraint: "EXACTLY",
+                                        searchString: "/health/live",
+                                        textTransformations: [{ priority: 0, type: "NONE" }],
+                                    },
+                                },
+                            ],
+                        },
+                    },
+                    action: { allow: {} },
+                    visibilityConfig: {
+                        sampledRequestsEnabled: true,
+                        cloudWatchMetricsEnabled: true,
+                        metricName: "HealthCheckException",
+                    },
+                },
+                // Rule 2: IP allowlist (Priority 20)
+                // Allow requests from configured IP ranges
+                // Note: When IP allowlist is empty, this rule matches no IPs,
+                // so all non-health requests fall through to default action (COUNT or BLOCK)
+                {
+                    name: "IPAllowlist",
+                    priority: 20,
+                    statement: {
+                        ipSetReferenceStatement: {
+                            arn: this.ipSet.attrArn,
+                        },
+                    },
+                    action: { allow: {} },
+                    visibilityConfig: {
+                        sampledRequestsEnabled: true,
+                        cloudWatchMetricsEnabled: true,
+                        metricName: "IPAllowlist",
+                    },
+                },
+            ],
+            visibilityConfig: {
+                sampledRequestsEnabled: true,
+                cloudWatchMetricsEnabled: true,
+                metricName: "BenchlingWebhookWebACL",
+            },
+        });
+        // Configure WAF logging to CloudWatch
+        new wafv2.CfnLoggingConfiguration(this, "WafLogging", {
+            resourceArn: this.webAcl.attrArn,
+            logDestinationConfigs: [this.logGroup.logGroupArn],
+        });
+    }
+    /**
+     * Parse IP allowlist string into array of CIDR blocks
+     *
+     * - Splits by comma
+     * - Trims whitespace
+     * - Adds /32 suffix if not present
+     * - Filters out empty entries
+     *
+     * @param allowList Comma-separated list of IPs/CIDR blocks
+     * @returns Array of CIDR blocks
+     *
+     * @example
+     * parseIpAllowList("192.168.1.0/24, 10.0.0.1") → ["192.168.1.0/24", "10.0.0.1/32"]
+     */
+    parseIpAllowList(allowList) {
+        return allowList
+            .split(",")
+            .map((ip) => ip.trim())
+            .filter((ip) => ip.length > 0)
+            .map((ip) => {
+            // Ensure CIDR notation (add /32 if not specified)
+            return ip.includes("/") ? ip : `${ip}/32`;
+        });
+    }
+}
+exports.WafWebAcl = WafWebAcl;
+//# sourceMappingURL=waf-web-acl.js.map

package/dist/lib/waf-web-acl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"waf-web-acl.js","sourceRoot":"","sources":["../../lib/waf-web-acl.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,6DAA+C;AAC/C,2DAA6C;AAC7C,2CAAuC;AAevC;;;;;;;;;;;;;GAaG;AACH,MAAa,SAAU,SAAQ,sBAAS;IAKpC,YAAY,KAAgB,EAAE,EAAU,EAAE,QAAwB,EAAE;QAChE,KAAK,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAEjB,sDAAsD;QACtD,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,CAAC,CAAC;QAEnE,iDAAiD;QACjD,6EAA6E;QAC7E,wDAAwD;QACxD,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC;QACjD,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QAEjD,OAAO,CAAC,GAAG,CACP,aAAa,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,oDAAoD,CAAC,CAAC,CAAC,cAAc,WAAW,CAAC,MAAM,uBAAuB,GAAG,CAC5J,CAAC;QAEF,8BAA8B;QAC9B,IAAI,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE;YAC3C,IAAI,EAAE,uBAAuB;YAC7B,KAAK,EAAE,UAAU;YACjB,gBAAgB,EAAE,MAAM;YACxB,SAAS,EAAE,WAAW;YACtB,WAAW,EAAE,6CAA6C;SAC7D,CAAC,CAAC;QAEH,oCAAoC;QACpC,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,aAAa,EAAE;YACnD,YAAY,EAAE,4BAA4B;YAC1C,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,gCAAgC;QAChC,kEAAkE;QAClE,MAAM,mBAAmB,GAA0C,eAAe;YAC9E,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;YACf,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;QAEpB,IAAI,CAAC,MAAM,GAAG,IAAI,KAAK,CAAC,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE;YAC9C,IAAI,EAAE,wBAAwB;YAC9B,KAAK,EAAE,UAAU;YACjB,aAAa,EAAE,mBAAmB;YAClC,WAAW,EACP,wEAAwE;gBACxE,SAAS,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,uCAAuC,CAAC,CAAC,CAAC,GAAG,WAAW,CAAC,MAAM,iBAAiB,GAAG;YAC3H,KAAK,EAAE;gBACH,+CAA+C;gBAC/C,uDAAuD;gBACvD;oBACI,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,WAAW,EAAE;4BACT,UAAU,EAAE;gCACR;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,SAAS;wCACvB,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,eAAe;wCAC7B,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;gCACD;oCACI,kBAAkB,EAAE;wCAChB,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;wCAC7B,oBAAoB,EAAE,SAAS;wCAC/B,YAAY,EAAE,cAAc;wCAC5B,mBAAmB,EAAE,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;qCACvD;iCACJ;6BACJ;yBACJ;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,sBAAsB;qBACrC;iBACJ;gBAED,qCAAqC;gBACrC,2CAA2C;gBAC3C,8DAA8D;gBAC9D,6EAA6E;gBAC7E;oBACI,IAAI,EAAE,aAAa;oBACnB,QAAQ,EAAE,EAAE;oBACZ,SAAS,EAAE;wBACP,uBAAuB,EAAE;4BACrB,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;yBAC1B;qBACJ;oBACD,MAAM,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;oBACrB,gBAAgB,EAAE;wBACd,sBAAsB,EAAE,IAAI;wBAC5B,wBAAwB,EAAE,IAAI;wBAC9B,UAAU,EAAE,aAAa;qBAC5B;iBACJ;aACJ;YACD,gBAAgB,EAAE;gBACd,sBAAsB,EAAE,IAAI;gBAC5B,wBAAwB,EAAE,IAAI;gBAC9B,UAAU,EAAE,wBAAwB;aACvC;SACJ,CAAC,CAAC;QAEH,sCAAsC;QACtC,IAAI,KAAK,CAAC,uBAAuB,CAAC,IAAI,EAAE,YAAY,EAAE;YAClD,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAChC,qBAAqB,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;SACrD,CAAC,CAAC;IACP,CAAC;IAED;;;;;;;;;;;;;OAaG;IACK,gBAAgB,CAAC,SAAiB;QACtC,OAAO,SAAS;aACX,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;aAC7B,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE;YACR,kDAAkD;YAClD,OAAO,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC;QAC9C,CAAC,CAAC,CAAC;IACX,CAAC;CACJ;AAxJD,8BAwJC"}

package/dist/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@quiltdata/benchling-webhook",
-    "version": "0.9.0-20251127T201515Z",
+    "version": "0.9.0-20251129T071202Z",
     "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
     "main": "dist/lib/index.js",
     "types": "dist/lib/index.d.ts",
@@ -18,8 +18,11 @@
         "build:clean": "rm -rf cdk.out dist */{*.js,*.d.ts}",
         "build:synth": "npx cdk synth",
         "build:typecheck": "tsc --noEmit",
-        "deploy:dev": "ts-node bin/cli.ts deploy --stage dev --profile dev",
-        "deploy:prod": "ts-node bin/cli.ts deploy --stage prod",
+        "build:lambda": "make lambda-bundle",
+        "build:lambda:check": "make check-bundle",
+        "build:lambda:clean": "make clean",
+        "deploy:dev": "make lambda-bundle && ts-node bin/cli.ts deploy --stage dev --profile dev",
+        "deploy:prod": "make lambda-bundle && ts-node bin/cli.ts deploy --stage prod",
         "deploy:notes": "bash scripts/release-notes.sh",
         "destroy": "ts-node bin/cli.ts destroy",
         "destroy:dev": "ts-node bin/cli.ts destroy --stage dev --profile dev",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@quiltdata/benchling-webhook",
-  "version": "0.9.0-20251127T201515Z",
+  "version": "0.9.0-20251129T071202Z",
   "description": "AWS CDK deployment for Benchling webhook processing using Fargate - Deploy directly with npx",
   "main": "dist/lib/index.js",
   "types": "dist/lib/index.d.ts",
@@ -18,8 +18,11 @@
     "build:clean": "rm -rf cdk.out dist */{*.js,*.d.ts}",
     "build:synth": "npx cdk synth",
     "build:typecheck": "tsc --noEmit",
-    "deploy:dev": "ts-node bin/cli.ts deploy --stage dev --profile dev",
-    "deploy:prod": "ts-node bin/cli.ts deploy --stage prod",
+    "build:lambda": "make lambda-bundle",
+    "build:lambda:check": "make check-bundle",
+    "build:lambda:clean": "make clean",
+    "deploy:dev": "make lambda-bundle && ts-node bin/cli.ts deploy --stage dev --profile dev",
+    "deploy:prod": "make lambda-bundle && ts-node bin/cli.ts deploy --stage prod",
     "deploy:notes": "bash scripts/release-notes.sh",
     "destroy": "ts-node bin/cli.ts destroy",
     "destroy:dev": "ts-node bin/cli.ts destroy --stage dev --profile dev",

package/dist/lib/rest-api-gateway.d.ts

@@ -1,32 +0,0 @@
-import * as apigateway from "aws-cdk-lib/aws-apigateway";
-import * as ec2 from "aws-cdk-lib/aws-ec2";
-import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
-import * as servicediscovery from "aws-cdk-lib/aws-servicediscovery";
-import * as logs from "aws-cdk-lib/aws-logs";
-import * as lambda from "aws-cdk-lib/aws-lambda";
-import { Construct } from "constructs";
-import { ProfileConfig } from "./types/config";
-export interface RestApiGatewayProps {
-    readonly vpc: ec2.IVpc;
-    readonly cloudMapService: servicediscovery.IService;
-    readonly serviceSecurityGroup: ec2.ISecurityGroup;
-    readonly config: ProfileConfig;
-    readonly ecsService: elbv2.IApplicationLoadBalancerTarget | elbv2.INetworkLoadBalancerTarget;
-}
-export declare class RestApiGateway {
-    readonly api: apigateway.RestApi;
-    readonly vpcLink: apigateway.VpcLink;
-    readonly nlb: elbv2.NetworkLoadBalancer;
-    readonly logGroup: logs.ILogGroup;
-    readonly authorizer?: lambda.Function;
-    readonly authorizerLogGroup?: logs.ILogGroup;
-    constructor(scope: Construct, id: string, props: RestApiGatewayProps);
-    /**
-     * Build IAM resource policy for IP whitelisting
-     *
-     * If ipAllowList is empty, allow all IPs.
-     * Otherwise, only allow requests from specified IP addresses/CIDR blocks.
-     */
-    private buildResourcePolicy;
-}
-//# sourceMappingURL=rest-api-gateway.d.ts.map

package/dist/lib/rest-api-gateway.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"rest-api-gateway.d.ts","sourceRoot":"","sources":["../../lib/rest-api-gateway.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,UAAU,MAAM,4BAA4B,CAAC;AACzD,OAAO,KAAK,GAAG,MAAM,qBAAqB,CAAC;AAC3C,OAAO,KAAK,KAAK,MAAM,wCAAwC,CAAC;AAChE,OAAO,KAAK,gBAAgB,MAAM,kCAAkC,CAAC;AACrE,OAAO,KAAK,IAAI,MAAM,sBAAsB,CAAC;AAC7C,OAAO,KAAK,MAAM,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAE/C,MAAM,WAAW,mBAAmB;IAChC,QAAQ,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,CAAC;IACvB,QAAQ,CAAC,eAAe,EAAE,gBAAgB,CAAC,QAAQ,CAAC;IACpD,QAAQ,CAAC,oBAAoB,EAAE,GAAG,CAAC,cAAc,CAAC;IAClD,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAC/B,QAAQ,CAAC,UAAU,EAAE,KAAK,CAAC,8BAA8B,GAAG,KAAK,CAAC,0BAA0B,CAAC;CAChG;AAED,qBAAa,cAAc;IACvB,SAAgB,GAAG,EAAE,UAAU,CAAC,OAAO,CAAC;IACxC,SAAgB,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;IAC5C,SAAgB,GAAG,EAAE,KAAK,CAAC,mBAAmB,CAAC;IAC/C,SAAgB,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC;IACzC,SAAgB,UAAU,CAAC,EAAE,MAAM,CAAC,QAAQ,CAAC;IAC7C,SAAgB,kBAAkB,CAAC,EAAE,IAAI,CAAC,SAAS,CAAC;gBAExC,KAAK,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,mBAAmB;IA+MpE;;;;;OAKG;IACH,OAAO,CAAC,mBAAmB;CAmC9B"}

package/dist/lib/rest-api-gateway.js

@@ -1,268 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.RestApiGateway = void 0;
-const cdk = __importStar(require("aws-cdk-lib"));
-const apigateway = __importStar(require("aws-cdk-lib/aws-apigateway"));
-const ec2 = __importStar(require("aws-cdk-lib/aws-ec2"));
-const elbv2 = __importStar(require("aws-cdk-lib/aws-elasticloadbalancingv2"));
-const logs = __importStar(require("aws-cdk-lib/aws-logs"));
-const lambda = __importStar(require("aws-cdk-lib/aws-lambda"));
-const iam = __importStar(require("aws-cdk-lib/aws-iam"));
-class RestApiGateway {
-    constructor(scope, id, props) {
-        // Access logs for REST API
-        this.logGroup = new logs.LogGroup(scope, "ApiGatewayAccessLogs", {
-            logGroupName: "/aws/apigateway/benchling-webhook-rest",
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        // Create Network Load Balancer for VPC Link integration
-        // REST API Gateway requires NLB (not ALB) for private integration
-        this.nlb = new elbv2.NetworkLoadBalancer(scope, "NetworkLoadBalancer", {
-            vpc: props.vpc,
-            internetFacing: false,
-            vpcSubnets: {
-                subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
-            },
-        });
-        // Create target group for ECS service
-        const targetGroup = new elbv2.NetworkTargetGroup(scope, "TargetGroup", {
-            vpc: props.vpc,
-            port: 8080,
-            protocol: elbv2.Protocol.TCP,
-            targetType: elbv2.TargetType.IP,
-            healthCheck: {
-                enabled: true,
-                protocol: elbv2.Protocol.HTTP,
-                path: "/health",
-                interval: cdk.Duration.seconds(30),
-                timeout: cdk.Duration.seconds(10),
-                healthyThresholdCount: 2,
-                unhealthyThresholdCount: 3,
-            },
-            deregistrationDelay: cdk.Duration.seconds(30),
-        });
-        // Add listener to NLB
-        this.nlb.addListener("Listener", {
-            port: 80,
-            protocol: elbv2.Protocol.TCP,
-            defaultTargetGroups: [targetGroup],
-        });
-        // Register ECS service with target group
-        if ("attachToNetworkTargetGroup" in props.ecsService) {
-            props.ecsService.attachToNetworkTargetGroup(targetGroup);
-        }
-        // Create VPC Link with NLB as target
-        this.vpcLink = new apigateway.VpcLink(scope, "VpcLink", {
-            targets: [this.nlb],
-            vpcLinkName: "benchling-webhook-vpclink",
-            description: "VPC Link for Benchling Webhook REST API",
-        });
-        // Parse IP allowlist from config
-        const ipAllowList = props.config.security?.webhookAllowList
-            ?.split(",")
-            .map((ip) => ip.trim())
-            .filter((ip) => ip.length > 0) || [];
-        const verificationEnabled = props.config.security?.enableVerification !== false;
-        const benchlingSecretArn = props.config.benchling.secretArn;
-        if (!benchlingSecretArn) {
-            throw new Error("Benchling secret ARN is required to configure the Lambda authorizer");
-        }
-        // Build resource policy for IP whitelisting
-        const resourcePolicy = this.buildResourcePolicy(ipAllowList);
-        // Lambda authorizer for webhook verification
-        this.authorizerLogGroup = new logs.LogGroup(scope, "WebhookAuthorizerLogGroup", {
-            retention: logs.RetentionDays.ONE_WEEK,
-            removalPolicy: cdk.RemovalPolicy.DESTROY,
-        });
-        const bundlingCommands = [
-            "set -euo pipefail",
-            "export PIP_NO_BUILD_ISOLATION=1 PIP_ONLY_BINARY=:all: PIP_DISABLE_PIP_VERSION_CHECK=1 PIP_CACHE_DIR=/tmp/pipcache",
-            "pip install -q --platform manylinux2014_x86_64 --implementation cp --python-version 3.11 --abi cp311 --only-binary=:all: -t /asset-output -r /asset-input/lambda/authorizer/requirements.txt -c /asset-input/lambda/authorizer/constraints.txt",
-            "cp /asset-input/docker/src/lambda_authorizer.py /asset-output/index.py",
-        ].join(" && ");
-        const authorizerCode = process.env.NODE_ENV === "test"
-            ? lambda.Code.fromInline("def handler(event, context):\n    return {}")
-            : lambda.Code.fromAsset(".", {
-                bundling: {
-                    image: lambda.Runtime.PYTHON_3_11.bundlingImage,
-                    command: ["bash", "-c", bundlingCommands],
-                },
-            });
-        this.authorizer = new lambda.Function(scope, "WebhookAuthorizerFunction", {
-            runtime: lambda.Runtime.PYTHON_3_11,
-            handler: "index.handler",
-            memorySize: 128,
-            timeout: cdk.Duration.seconds(10),
-            architecture: lambda.Architecture.X86_64,
-            description: "Benchling webhook signature verification (defense-in-depth)",
-            environment: {
-                BENCHLING_SECRET_ARN: benchlingSecretArn,
-            },
-            code: authorizerCode,
-            logGroup: this.authorizerLogGroup,
-        });
-        this.authorizer.addToRolePolicy(new iam.PolicyStatement({
-            actions: ["secretsmanager:GetSecretValue"],
-            resources: [benchlingSecretArn],
-        }));
-        // Create REST API first (needed for proper authorizer permissions)
-        this.api = new apigateway.RestApi(scope, "BenchlingWebhookRestAPI", {
-            restApiName: "BenchlingWebhookRestAPI",
-            description: "REST API for Benchling webhook integration with IP whitelisting (v1.0.0+)",
-            policy: resourcePolicy,
-            deployOptions: {
-                stageName: "prod",
-                accessLogDestination: new apigateway.LogGroupLogDestination(this.logGroup),
-                accessLogFormat: apigateway.AccessLogFormat.jsonWithStandardFields({
-                    caller: true,
-                    httpMethod: true,
-                    ip: true,
-                    protocol: true,
-                    requestTime: true,
-                    resourcePath: true,
-                    responseLength: true,
-                    status: true,
-                    user: true,
-                }),
-                loggingLevel: apigateway.MethodLoggingLevel.INFO,
-                dataTraceEnabled: true,
-            },
-            endpointConfiguration: {
-                types: [apigateway.EndpointType.REGIONAL],
-            },
-        });
-        // Create authorizer AFTER API is created (for proper source ARN permissions)
-        const requestAuthorizer = verificationEnabled
-            ? new apigateway.RequestAuthorizer(scope, "WebhookRequestAuthorizer", {
-                handler: this.authorizer,
-                identitySources: [
-                    apigateway.IdentitySource.header("webhook-id"),
-                    apigateway.IdentitySource.header("webhook-signature"),
-                    apigateway.IdentitySource.header("webhook-timestamp"),
-                ],
-                resultsCacheTtl: cdk.Duration.seconds(0),
-            })
-            : undefined;
-        // Grant API Gateway permission to invoke Lambda authorizer from any method
-        // The CDK RequestAuthorizer grants permission only for /authorizers/{id},
-        // but API Gateway invokes from /{stage}/{method}/{path}, so we add explicit permission
-        if (verificationEnabled && this.authorizer) {
-            this.authorizer.addPermission("ApiGatewayInvokePermission", {
-                principal: new iam.ServicePrincipal("apigateway.amazonaws.com"),
-                action: "lambda:InvokeFunction",
-                sourceArn: this.api.arnForExecuteApi("*", "/*", "*"),
-            });
-        }
-        const createIntegration = (path) => new apigateway.Integration({
-            type: apigateway.IntegrationType.HTTP_PROXY,
-            integrationHttpMethod: "ANY",
-            uri: `http://${this.nlb.loadBalancerDnsName}:80${path}`,
-            options: {
-                connectionType: apigateway.ConnectionType.VPC_LINK,
-                vpcLink: this.vpcLink,
-            },
-        });
-        const webhookMethodOptions = requestAuthorizer
-            ? {
-                authorizer: requestAuthorizer,
-                authorizationType: apigateway.AuthorizationType.CUSTOM,
-            }
-            : undefined;
-        // Webhook endpoints secured by Lambda authorizer
-        const eventResource = this.api.root.addResource("event");
-        eventResource.addMethod("ANY", createIntegration("/event"), webhookMethodOptions);
-        const lifecycleResource = this.api.root.addResource("lifecycle");
-        lifecycleResource.addMethod("ANY", createIntegration("/lifecycle"), webhookMethodOptions);
-        const canvasResource = this.api.root.addResource("canvas");
-        canvasResource.addMethod("ANY", createIntegration("/canvas"), webhookMethodOptions);
-        // Health endpoints remain unauthenticated
-        const healthResource = this.api.root.addResource("health");
-        healthResource.addMethod("GET", createIntegration("/health"));
-        healthResource.addResource("ready").addMethod("GET", createIntegration("/health/ready"));
-        healthResource.addResource("live").addMethod("GET", createIntegration("/health/live"));
-        // Output IP filtering status
-        if (ipAllowList.length > 0) {
-            console.log(`IP Whitelisting enabled: ${ipAllowList.length} CIDR blocks`);
-            ipAllowList.forEach((ip) => console.log(`  - ${ip}`));
-        }
-        else {
-            console.log("IP Whitelisting disabled: all IPs allowed");
-        }
-    }
-    /**
-     * Build IAM resource policy for IP whitelisting
-     *
-     * If ipAllowList is empty, allow all IPs.
-     * Otherwise, only allow requests from specified IP addresses/CIDR blocks.
-     */
-    buildResourcePolicy(ipAllowList) {
-        if (ipAllowList.length === 0) {
-            // No IP filtering - allow all
-            return undefined;
-        }
-        return new iam.PolicyDocument({
-            statements: [
-                // Allow requests from whitelisted IPs
-                new iam.PolicyStatement({
-                    effect: iam.Effect.ALLOW,
-                    principals: [new iam.AnyPrincipal()],
-                    actions: ["execute-api:Invoke"],
-                    resources: ["execute-api:/*"],
-                    conditions: {
-                        IpAddress: {
-                            "aws:SourceIp": ipAllowList,
-                        },
-                    },
-                }),
-                // Explicitly deny requests from non-whitelisted IPs
-                new iam.PolicyStatement({
-                    effect: iam.Effect.DENY,
-                    principals: [new iam.AnyPrincipal()],
-                    actions: ["execute-api:Invoke"],
-                    resources: ["execute-api:/*"],
-                    conditions: {
-                        NotIpAddress: {
-                            "aws:SourceIp": ipAllowList,
-                        },
-                    },
-                }),
-            ],
-        });
-    }
-}
-exports.RestApiGateway = RestApiGateway;
-//# sourceMappingURL=rest-api-gateway.js.map

package/dist/lib/rest-api-gateway.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"rest-api-gateway.js","sourceRoot":"","sources":["../../lib/rest-api-gateway.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,iDAAmC;AACnC,uEAAyD;AACzD,yDAA2C;AAC3C,8EAAgE;AAEhE,2DAA6C;AAC7C,+DAAiD;AACjD,yDAA2C;AAY3C,MAAa,cAAc;IAQvB,YAAY,KAAgB,EAAE,EAAU,EAAE,KAA0B;QAChE,2BAA2B;QAC3B,IAAI,CAAC,QAAQ,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,EAAE;YAC7D,YAAY,EAAE,wCAAwC;YACtD,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,wDAAwD;QACxD,kEAAkE;QAClE,IAAI,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,mBAAmB,CAAC,KAAK,EAAE,qBAAqB,EAAE;YACnE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,cAAc,EAAE,KAAK;YACrB,UAAU,EAAE;gBACR,UAAU,EAAE,GAAG,CAAC,UAAU,CAAC,mBAAmB;aACjD;SACJ,CAAC,CAAC;QAEH,sCAAsC;QACtC,MAAM,WAAW,GAAG,IAAI,KAAK,CAAC,kBAAkB,CAAC,KAAK,EAAE,aAAa,EAAE;YACnE,GAAG,EAAE,KAAK,CAAC,GAAG;YACd,IAAI,EAAE,IAAI;YACV,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE;YAC/B,WAAW,EAAE;gBACT,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,IAAI;gBAC7B,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClC,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,qBAAqB,EAAE,CAAC;gBACxB,uBAAuB,EAAE,CAAC;aAC7B;YACD,mBAAmB,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;SAChD,CAAC,CAAC;QAEH,sBAAsB;QACtB,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE;YAC7B,IAAI,EAAE,EAAE;YACR,QAAQ,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG;YAC5B,mBAAmB,EAAE,CAAC,WAAW,CAAC;SACrC,CAAC,CAAC;QAEH,yCAAyC;QACzC,IAAI,4BAA4B,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;YACnD,KAAK,CAAC,UAAU,CAAC,0BAA0B,CAAC,WAAW,CAAC,CAAC;QAC7D,CAAC;QAED,qCAAqC;QACrC,IAAI,CAAC,OAAO,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,SAAS,EAAE;YACpD,OAAO,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;YACnB,WAAW,EAAE,2BAA2B;YACxC,WAAW,EAAE,yCAAyC;SACzD,CAAC,CAAC;QAEH,iCAAiC;QACjC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,gBAAgB;YACvD,EAAE,KAAK,CAAC,GAAG,CAAC;aACX,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,CAAC;aACtB,MAAM,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAEzC,MAAM,mBAAmB,GAAG,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,kBAAkB,KAAK,KAAK,CAAC;QAChF,MAAM,kBAAkB,GAAG,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC;QAC5D,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QAC3F,CAAC;QAED,4CAA4C;QAC5C,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,CAAC,CAAC;QAE7D,6CAA6C;QAC7C,IAAI,CAAC,kBAAkB,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;YAC5E,SAAS,EAAE,IAAI,CAAC,aAAa,CAAC,QAAQ;YACtC,aAAa,EAAE,GAAG,CAAC,aAAa,CAAC,OAAO;SAC3C,CAAC,CAAC;QAEH,MAAM,gBAAgB,GAAG;YACrB,mBAAmB;YACnB,mHAAmH;YACnH,gPAAgP;YAChP,wEAAwE;SAC3E,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAEf,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM;YAClD,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,6CAA6C,CAAC;YACvE,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE;gBACzB,QAAQ,EAAE;oBACN,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,aAAa;oBAC/C,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,gBAAgB,CAAC;iBAC5C;aACJ,CAAC,CAAC;QAEP,IAAI,CAAC,UAAU,GAAG,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,2BAA2B,EAAE;YACtE,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW;YACnC,OAAO,EAAE,eAAe;YACxB,UAAU,EAAE,GAAG;YACf,OAAO,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;YACjC,YAAY,EAAE,MAAM,CAAC,YAAY,CAAC,MAAM;YACxC,WAAW,EAAE,6DAA6D;YAC1E,WAAW,EAAE;gBACT,oBAAoB,EAAE,kBAAkB;aAC3C;YACD,IAAI,EAAE,cAAc;YACpB,QAAQ,EAAE,IAAI,CAAC,kBAAkB;SACpC,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,CAAC,eAAe,CAC3B,IAAI,GAAG,CAAC,eAAe,CAAC;YACpB,OAAO,EAAE,CAAC,+BAA+B,CAAC;YAC1C,SAAS,EAAE,CAAC,kBAAkB,CAAC;SAClC,CAAC,CACL,CAAC;QAEF,mEAAmE;QACnE,IAAI,CAAC,GAAG,GAAG,IAAI,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,yBAAyB,EAAE;YAChE,WAAW,EAAE,yBAAyB;YACtC,WAAW,EAAE,2EAA2E;YACxF,MAAM,EAAE,cAAc;YACtB,aAAa,EAAE;gBACX,SAAS,EAAE,MAAM;gBACjB,oBAAoB,EAAE,IAAI,UAAU,CAAC,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC;gBAC1E,eAAe,EAAE,UAAU,CAAC,eAAe,CAAC,sBAAsB,CAAC;oBAC/D,MAAM,EAAE,IAAI;oBACZ,UAAU,EAAE,IAAI;oBAChB,EAAE,EAAE,IAAI;oBACR,QAAQ,EAAE,IAAI;oBACd,WAAW,EAAE,IAAI;oBACjB,YAAY,EAAE,IAAI;oBAClB,cAAc,EAAE,IAAI;oBACpB,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,IAAI;iBACb,CAAC;gBACF,YAAY,EAAE,UAAU,CAAC,kBAAkB,CAAC,IAAI;gBAChD,gBAAgB,EAAE,IAAI;aACzB;YACD,qBAAqB,EAAE;gBACnB,KAAK,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,QAAQ,CAAC;aAC5C;SACJ,CAAC,CAAC;QAEH,6EAA6E;QAC7E,MAAM,iBAAiB,GAAG,mBAAmB;YACzC,CAAC,CAAC,IAAI,UAAU,CAAC,iBAAiB,CAAC,KAAK,EAAE,0BAA0B,EAAE;gBAClE,OAAO,EAAE,IAAI,CAAC,UAAU;gBACxB,eAAe,EAAE;oBACb,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,YAAY,CAAC;oBAC9C,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,mBAAmB,CAAC;oBACrD,UAAU,CAAC,cAAc,CAAC,MAAM,CAAC,mBAAmB,CAAC;iBACxD;gBACD,eAAe,EAAE,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;aAC3C,CAAC;YACF,CAAC,CAAC,SAAS,CAAC;QAEhB,2EAA2E;QAC3E,0EAA0E;QAC1E,uFAAuF;QACvF,IAAI,mBAAmB,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YACzC,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,4BAA4B,EAAE;gBACxD,SAAS,EAAE,IAAI,GAAG,CAAC,gBAAgB,CAAC,0BAA0B,CAAC;gBAC/D,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,CAAC;aACvD,CAAC,CAAC;QACP,CAAC;QAED,MAAM,iBAAiB,GAAG,CAAC,IAAY,EAA0B,EAAE,CAC/D,IAAI,UAAU,CAAC,WAAW,CAAC;YACvB,IAAI,EAAE,UAAU,CAAC,eAAe,CAAC,UAAU;YAC3C,qBAAqB,EAAE,KAAK;YAC5B,GAAG,EAAE,UAAU,IAAI,CAAC,GAAG,CAAC,mBAAmB,MAAM,IAAI,EAAE;YACvD,OAAO,EAAE;gBACL,cAAc,EAAE,UAAU,CAAC,cAAc,CAAC,QAAQ;gBAClD,OAAO,EAAE,IAAI,CAAC,OAAO;aACxB;SACJ,CAAC,CAAC;QAEP,MAAM,oBAAoB,GAAG,iBAAiB;YAC1C,CAAC,CAAC;gBACE,UAAU,EAAE,iBAAiB;gBAC7B,iBAAiB,EAAE,UAAU,CAAC,iBAAiB,CAAC,MAAM;aACzD;YACD,CAAC,CAAC,SAAS,CAAC;QAEhB,iDAAiD;QACjD,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;QACzD,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,QAAQ,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAElF,MAAM,iBAAiB,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;QACjE,iBAAiB,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,YAAY,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAE1F,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC3D,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,SAAS,CAAC,EAAE,oBAAoB,CAAC,CAAC;QAEpF,0CAA0C;QAC1C,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QAC3D,cAAc,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9D,cAAc,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,eAAe,CAAC,CAAC,CAAC;QACzF,cAAc,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,KAAK,EAAE,iBAAiB,CAAC,cAAc,CAAC,CAAC,CAAC;QAEvF,6BAA6B;QAC7B,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,4BAA4B,WAAW,CAAC,MAAM,cAAc,CAAC,CAAC;YAC1E,WAAW,CAAC,OAAO,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;QAC1D,CAAC;aAAM,CAAC;YACJ,OAAO,CAAC,GAAG,CAAC,2CAA2C,CAAC,CAAC;QAC7D,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACK,mBAAmB,CAAC,WAAqB;QAC7C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC3B,8BAA8B;YAC9B,OAAO,SAAS,CAAC;QACrB,CAAC;QAED,OAAO,IAAI,GAAG,CAAC,cAAc,CAAC;YAC1B,UAAU,EAAE;gBACR,sCAAsC;gBACtC,IAAI,GAAG,CAAC,eAAe,CAAC;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,KAAK;oBACxB,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;oBACpC,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,SAAS,EAAE,CAAC,gBAAgB,CAAC;oBAC7B,UAAU,EAAE;wBACR,SAAS,EAAE;4BACP,cAAc,EAAE,WAAW;yBAC9B;qBACJ;iBACJ,CAAC;gBACF,oDAAoD;gBACpD,IAAI,GAAG,CAAC,eAAe,CAAC;oBACpB,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,IAAI;oBACvB,UAAU,EAAE,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;oBACpC,OAAO,EAAE,CAAC,oBAAoB,CAAC;oBAC/B,SAAS,EAAE,CAAC,gBAAgB,CAAC;oBAC7B,UAAU,EAAE;wBACR,YAAY,EAAE;4BACV,cAAc,EAAE,WAAW;yBAC9B;qBACJ;iBACJ,CAAC;aACL;SACJ,CAAC,CAAC;IACP,CAAC;CACJ;AAhQD,wCAgQC"}