@salesforce/b2c-tooling-sdk 1.0.0 → 1.1.0

package/dist/cjs/safety/safety-guard.js

@@ -0,0 +1,270 @@
+/*
+ * Copyright (c) 2025, Salesforce, Inc.
+ * SPDX-License-Identifier: Apache-2
+ * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
+ */
+/**
+ * SafetyGuard: SDK-level safety evaluation engine.
+ *
+ * Evaluates operations against safety rules and levels, producing typed
+ * evaluations (allow/block/confirm). Used by both the HTTP middleware
+ * (automatic) and command-level checks (opt-in).
+ *
+ * @module safety/safety-guard
+ */
+import { Minimatch } from 'minimatch';
+import { getLogger } from '../logging/index.js';
+import { SafetyBlockedError, SafetyConfirmationRequired, checkLevelViolation, describeSafetyLevel, } from './safety-middleware.js';
+/** Regex to extract job ID from OCAPI job execution URLs. */
+const JOB_EXECUTION_PATTERN = /\/jobs\/([^/]+)\/executions/;
+/**
+ * Extract a job ID from a URL path if it's a job execution endpoint.
+ *
+ * Matches patterns like:
+ * - `/s/-/dw/data/v24_5/jobs/sfcc-site-archive-import/executions`
+ * - `/jobs/sfcc-site-archive-export/executions`
+ */
+export function extractJobIdFromPath(path) {
+    const match = JOB_EXECUTION_PATTERN.exec(path);
+    return match?.[1];
+}
+/**
+ * Test whether a string matches a glob pattern.
+ * Uses minimatch with dot matching enabled.
+ */
+function matchGlob(value, pattern) {
+    const matcher = new Minimatch(pattern, { dot: true, nocase: true });
+    return matcher.match(value);
+}
+/**
+ * Check if a rule matches an operation.
+ */
+function ruleMatchesOperation(rule, operation) {
+    // Command matcher
+    if (rule.command !== undefined) {
+        if (!operation.commandId)
+            return false;
+        return matchGlob(operation.commandId, rule.command);
+    }
+    // Job matcher
+    if (rule.job !== undefined) {
+        const jobId = operation.jobId ?? (operation.path ? extractJobIdFromPath(operation.path) : undefined);
+        if (!jobId)
+            return false;
+        return matchGlob(jobId, rule.job);
+    }
+    // HTTP method + path matcher
+    if (rule.path !== undefined) {
+        if (!operation.path)
+            return false;
+        if (!matchGlob(operation.path, rule.path))
+            return false;
+        // If method is specified, it must also match
+        if (rule.method !== undefined) {
+            if (!operation.method)
+                return false;
+            return matchGlob(operation.method.toUpperCase(), rule.method.toUpperCase());
+        }
+        return true;
+    }
+    // Method-only matcher (no path)
+    if (rule.method !== undefined) {
+        if (!operation.method)
+            return false;
+        return matchGlob(operation.method.toUpperCase(), rule.method.toUpperCase());
+    }
+    // Rule has no matchers — does not match anything
+    return false;
+}
+/**
+ * SafetyGuard evaluates operations against safety rules and levels.
+ *
+ * The guard provides three levels of API:
+ * - {@link evaluate} — returns a {@link SafetyEvaluation} describing what should happen
+ * - {@link assert} — throws {@link SafetyBlockedError} or {@link SafetyConfirmationRequired}
+ * - {@link temporarilyAllow} — creates a scoped exemption for confirmed operations
+ *
+ * The HTTP middleware uses the guard internally so all HTTP requests are
+ * evaluated automatically. CLI commands and other consumers can use the
+ * guard directly for richer safety interaction (command-level checks,
+ * confirmation flows).
+ *
+ * @example
+ * ```typescript
+ * const guard = new SafetyGuard({
+ *   level: 'NO_UPDATE',
+ *   confirm: true,
+ *   rules: [{ job: 'sfcc-site-archive-export', action: 'allow' }],
+ * });
+ *
+ * const evaluation = guard.evaluate({ type: 'job', jobId: 'sfcc-site-archive-export' });
+ * // evaluation.action === 'allow'
+ * ```
+ */
+export class SafetyGuard {
+    config;
+    temporaryAllows = [];
+    logger;
+    constructor(config) {
+        this.config = config;
+        this.logger = getLogger();
+    }
+    /**
+     * Evaluate an operation against safety rules and level.
+     *
+     * Evaluation order:
+     * 1. Temporary allows (from confirmed retries) — if matched, allow
+     * 2. Config rules in order — first matching rule's action wins
+     * 3. Level-based default — confirm if `confirm: true`, otherwise block/allow
+     *
+     * All evaluations are trace-logged for diagnostics.
+     */
+    evaluate(operation) {
+        // 1. Check temporary allows (confirmed operations)
+        for (const rule of this.temporaryAllows) {
+            if (ruleMatchesOperation(rule, operation)) {
+                const evaluation = {
+                    action: 'allow',
+                    reason: 'Temporarily allowed after confirmation',
+                    operation,
+                    rule,
+                };
+                this.logger.trace({ operation, evaluation }, '[SafetyGuard] Allowed by temporary exemption');
+                return evaluation;
+            }
+        }
+        // 2. Check config rules (first match wins)
+        if (this.config.rules) {
+            for (const rule of this.config.rules) {
+                if (ruleMatchesOperation(rule, operation)) {
+                    const evaluation = {
+                        action: rule.action,
+                        reason: this.describeRuleMatch(rule, operation),
+                        operation,
+                        rule,
+                    };
+                    this.logger.trace({ operation, rule, action: rule.action }, '[SafetyGuard] Matched rule');
+                    return evaluation;
+                }
+            }
+        }
+        // 3. Fall back to level-based evaluation
+        return this.evaluateByLevel(operation);
+    }
+    /**
+     * Assert that an operation is allowed.
+     *
+     * @throws {SafetyBlockedError} if the operation is blocked
+     * @throws {SafetyConfirmationRequired} if the operation needs confirmation
+     */
+    assert(operation) {
+        const evaluation = this.evaluate(operation);
+        switch (evaluation.action) {
+            case 'allow':
+                return;
+            case 'block':
+                throw new SafetyBlockedError(evaluation.reason, operation.method ?? '', operation.url ?? '', this.config.level);
+            case 'confirm':
+                throw new SafetyConfirmationRequired(evaluation);
+        }
+    }
+    /**
+     * Create a temporary exemption for a confirmed operation.
+     *
+     * Returns a cleanup function that removes the exemption. Use this
+     * to retry an operation after the user has confirmed.
+     */
+    temporarilyAllow(operation) {
+        const rule = this.operationToRule(operation);
+        return this.temporarilyAddRule(rule);
+    }
+    /**
+     * Add a temporary safety rule for a scoped exemption.
+     *
+     * Unlike {@link temporarilyAllow} which derives a rule from an operation,
+     * this accepts an arbitrary rule — useful for granting broad temporary
+     * access (e.g., allowing WebDAV DELETE on Impex paths during a job export).
+     *
+     * Returns a cleanup function that removes the rule.
+     */
+    temporarilyAddRule(rule) {
+        this.temporaryAllows.push(rule);
+        this.logger.trace({ rule }, '[SafetyGuard] Added temporary rule');
+        return () => {
+            const idx = this.temporaryAllows.indexOf(rule);
+            if (idx >= 0) {
+                this.temporaryAllows.splice(idx, 1);
+                this.logger.trace({ rule }, '[SafetyGuard] Removed temporary rule');
+            }
+        };
+    }
+    /**
+     * Evaluate an operation using only the safety level (no rules).
+     */
+    evaluateByLevel(operation) {
+        // For HTTP operations, check the level
+        if (operation.method && operation.path) {
+            const violation = checkLevelViolation(operation.method, operation.path, this.config.level);
+            if (violation) {
+                const action = this.config.confirm ? 'confirm' : 'block';
+                const evaluation = {
+                    action,
+                    reason: this.describeLevelBlock(operation),
+                    operation,
+                };
+                this.logger.trace({ operation, action, level: this.config.level }, '[SafetyGuard] Level evaluation');
+                return evaluation;
+            }
+        }
+        // For command operations, no level-based blocking (levels are HTTP-level)
+        // Commands opt into safety via rules or assertDestructiveOperationAllowed()
+        const evaluation = {
+            action: 'allow',
+            reason: 'No matching rule and level allows this operation',
+            operation,
+        };
+        this.logger.trace({ operation, level: this.config.level }, '[SafetyGuard] Allowed by level');
+        return evaluation;
+    }
+    /**
+     * Convert an operation to a temporary allow rule for retry.
+     */
+    operationToRule(operation) {
+        if (operation.commandId) {
+            return { command: operation.commandId, action: 'allow' };
+        }
+        if (operation.jobId) {
+            return { job: operation.jobId, action: 'allow' };
+        }
+        // HTTP operation — match exact method + path
+        return {
+            method: operation.method,
+            path: operation.path,
+            action: 'allow',
+        };
+    }
+    /**
+     * Describe why a rule matched, for user-facing messages.
+     */
+    describeRuleMatch(rule, operation) {
+        if (rule.command) {
+            return `Command "${operation.commandId}" matched safety rule (command: "${rule.command}", action: ${rule.action})`;
+        }
+        if (rule.job) {
+            return `Job "${operation.jobId}" matched safety rule (job: "${rule.job}", action: ${rule.action})`;
+        }
+        const method = operation.method ?? 'unknown';
+        const path = operation.path ?? 'unknown';
+        return `${method} ${path} matched safety rule (action: ${rule.action})`;
+    }
+    /**
+     * Describe why the level blocked an operation, for user-facing messages.
+     */
+    describeLevelBlock(operation) {
+        const method = operation.method ?? 'unknown';
+        const path = operation.path ?? 'unknown';
+        const levelDesc = describeSafetyLevel(this.config.level);
+        return `${method} ${path} blocked by safety level ${this.config.level} — ${levelDesc}`;
+    }
+}
+//# sourceMappingURL=safety-guard.js.map

package/dist/cjs/safety/safety-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety-guard.js","sourceRoot":"","sources":["../../../src/safety/safety-guard.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;GAQG;AAEH,OAAO,EAAC,SAAS,EAAC,MAAM,WAAW,CAAC;AACpC,OAAO,EAAC,SAAS,EAAc,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAC1B,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAGhC,6DAA6D;AAC7D,MAAM,qBAAqB,GAAG,6BAA6B,CAAC;AAE5D;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAa,EAAE,OAAe;IAC/C,MAAM,OAAO,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,EAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAC,CAAC,CAAC;IAClE,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAgB,EAAE,SAA0B;IACxE,kBAAkB;IAClB,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC,SAAS,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,SAAS,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACtD,CAAC;IAED,cAAc;IACd,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACrG,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,SAAS,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACxD,6CAA6C;QAC7C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,IAAI,CAAC,SAAS,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9E,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,SAAS,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACpC,OAAO,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,iDAAiD;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,WAAW;IAIM;IAHpB,eAAe,GAAiB,EAAE,CAAC;IAC1B,MAAM,CAAS;IAEhC,YAA4B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;QAC9C,IAAI,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;;;;;OASG;IACH,QAAQ,CAAC,SAA0B;QACjC,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACxC,IAAI,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC1C,MAAM,UAAU,GAAqB;oBACnC,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,wCAAwC;oBAChD,SAAS;oBACT,IAAI;iBACL,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,UAAU,EAAC,EAAE,8CAA8C,CAAC,CAAC;gBAC3F,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACrC,IAAI,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;oBAC1C,MAAM,UAAU,GAAqB;wBACnC,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC;wBAC/C,SAAS;wBACT,IAAI;qBACL,CAAC;oBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,EAAE,4BAA4B,CAAC,CAAC;oBACxF,OAAO,UAAU,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,OAAO,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,SAA0B;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,QAAQ,UAAU,CAAC,MAAM,EAAE,CAAC;YAC1B,KAAK,OAAO;gBACV,OAAO;YACT,KAAK,OAAO;gBACV,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,EAAE,EAAE,SAAS,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClH,KAAK,SAAS;gBACZ,MAAM,IAAI,0BAA0B,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,gBAAgB,CAAC,SAA0B;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAED;;;;;;;;OAQG;IACH,kBAAkB,CAAC,IAAgB;QACjC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAC,EAAE,oCAAoC,CAAC,CAAC;QAEhE,OAAO,GAAG,EAAE;YACV,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;gBACb,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAC,EAAE,sCAAsC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,SAA0B;QAChD,uCAAuC;QACvC,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,mBAAmB,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3F,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,MAAM,GAAiB,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;gBACvE,MAAM,UAAU,GAAqB;oBACnC,MAAM;oBACN,MAAM,EAAE,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC;oBAC1C,SAAS;iBACV,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAC,EAAE,gCAAgC,CAAC,CAAC;gBACnG,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,4EAA4E;QAC5E,MAAM,UAAU,GAAqB;YACnC,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,kDAAkD;YAC1D,SAAS;SACV,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAC,EAAE,gCAAgC,CAAC,CAAC;QAC3F,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,SAA0B;QAChD,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;YACxB,OAAO,EAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC;QACzD,CAAC;QACD,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACpB,OAAO,EAAC,GAAG,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC;QACjD,CAAC;QACD,6CAA6C;QAC7C,OAAO;YACL,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAgB,EAAE,SAA0B;QACpE,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,YAAY,SAAS,CAAC,SAAS,oCAAoC,IAAI,CAAC,OAAO,cAAc,IAAI,CAAC,MAAM,GAAG,CAAC;QACrH,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,OAAO,QAAQ,SAAS,CAAC,KAAK,gCAAgC,IAAI,CAAC,GAAG,cAAc,IAAI,CAAC,MAAM,GAAG,CAAC;QACrG,CAAC;QACD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC;QACzC,OAAO,GAAG,MAAM,IAAI,IAAI,iCAAiC,IAAI,CAAC,MAAM,GAAG,CAAC;IAC1E,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,SAA0B;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,GAAG,MAAM,IAAI,IAAI,4BAA4B,IAAI,CAAC,MAAM,CAAC,KAAK,MAAM,SAAS,EAAE,CAAC;IACzF,CAAC;CACF"}

package/dist/cjs/safety/safety-middleware.d.ts

@@ -1,3 +1,5 @@
+import type { SafetyRule } from './types.js';
+import type { SafetyEvaluation } from './types.js';
 /**
  * Safety levels for preventing destructive operations.
  *
@@ -7,11 +9,34 @@
  * - READ_ONLY: Block all write operations (only GET allowed)
  */
 export type SafetyLevel = 'NONE' | 'NO_DELETE' | 'NO_UPDATE' | 'READ_ONLY';
+/**
+ * Safety configuration.
+ *
+ * Supports both simple level-based blocking and granular per-rule actions.
+ */
 export interface SafetyConfig {
+    /** The base safety level. */
     level: SafetyLevel;
+    /** When true, operations that the level would block require confirmation instead of hard-blocking. */
+    confirm?: boolean;
+    /** Ordered list of rules. First matching rule wins. */
+    rules?: SafetyRule[];
 }
 /**
- * Safety error thrown when an operation is blocked by safety middleware.
+ * Returns the more restrictive of two safety levels.
+ */
+export declare function maxSafetyLevel(a: SafetyLevel, b: SafetyLevel): SafetyLevel;
+/**
+ * Check if a string is a valid SafetyLevel.
+ */
+export declare function isValidSafetyLevel(value: string): value is SafetyLevel;
+/**
+ * Parse a string to a SafetyLevel, returning undefined for invalid values.
+ * Accepts case-insensitive input and converts dashes to underscores.
+ */
+export declare function parseSafetyLevelString(value: string | undefined): SafetyLevel | undefined;
+/**
+ * Safety error thrown when an operation is blocked by safety configuration.
  */
 export declare class SafetyBlockedError extends Error {
     readonly method: string;
@@ -19,6 +44,28 @@ export declare class SafetyBlockedError extends Error {
     readonly safetyLevel: SafetyLevel;
     constructor(message: string, method: string, url: string, safetyLevel: SafetyLevel);
 }
+/**
+ * Error thrown when an operation requires interactive confirmation.
+ *
+ * Callers can catch this error, prompt the user, and retry the operation
+ * using {@link withSafetyConfirmation}.
+ */
+export declare class SafetyConfirmationRequired extends Error {
+    readonly evaluation: SafetyEvaluation;
+    constructor(evaluation: SafetyEvaluation);
+}
+/**
+ * Checks if an HTTP operation should be blocked based on a safety level.
+ *
+ * This is the low-level level check. For full rule-based evaluation,
+ * use {@link SafetyGuard.evaluate}.
+ *
+ * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
+ * @param path - URL pathname
+ * @param level - Safety level to check against
+ * @returns Error message if blocked, undefined if allowed
+ */
+export declare function checkLevelViolation(method: string, path: string, level: SafetyLevel): string | undefined;
 /**
  * Checks if an HTTP operation should be blocked based on safety configuration.
  *
@@ -26,6 +73,7 @@ export declare class SafetyBlockedError extends Error {
  * @param url - Request URL
  * @param config - Safety configuration
  * @returns Error message if blocked, undefined if allowed
+ * @deprecated Use {@link SafetyGuard.evaluate} for full rule-based evaluation.
  */
 export declare function checkSafetyViolation(method: string, url: string, config: SafetyConfig): string | undefined;
 /**
@@ -43,3 +91,40 @@ export declare function getSafetyLevel(defaultLevel?: SafetyLevel): SafetyLevel;
  * Get a user-friendly description of the safety level.
  */
 export declare function describeSafetyLevel(level: SafetyLevel): string;
+/** Validated safety config fragment (shared by global and per-instance). */
+export interface SafetyConfigFragment {
+    level?: SafetyLevel;
+    confirm?: boolean;
+    rules?: SafetyRule[];
+}
+/**
+ * Load global safety configuration from a JSON file.
+ *
+ * Resolution order:
+ * 1. `SFCC_SAFETY_CONFIG` env var — explicit path to a safety config file
+ * 2. `{configDir}/safety.json` — oclif config directory (e.g., `~/.config/b2c/safety.json`)
+ *
+ * The file has the same shape as the `safety` object in dw.json:
+ * ```json
+ * { "level": "NO_DELETE", "confirm": true, "rules": [...] }
+ * ```
+ *
+ * @param configDir - oclif config directory path (e.g., `this.config.configDir`)
+ * @returns Validated safety config fragment, or undefined if no file found
+ */
+export declare function loadGlobalSafetyConfig(configDir?: string): SafetyConfigFragment | undefined;
+/**
+ * Compute effective safety config by merging environment variables, global
+ * safety config, and per-instance config.
+ *
+ * Merge strategy:
+ * - **Level**: `max(env, global, instance)` — most restrictive wins
+ * - **Confirm**: OR across all sources
+ * - **Rules**: instance rules first, then global rules (first-match-wins,
+ *   so instance rules can override global policy)
+ *
+ * @param instanceSafety - Per-instance safety config from dw.json
+ * @param globalSafety - Global safety config from safety.json
+ * @returns Merged SafetyConfig
+ */
+export declare function resolveEffectiveSafetyConfig(instanceSafety?: SafetyConfigFragment, globalSafety?: SafetyConfigFragment): SafetyConfig;

package/dist/cjs/safety/safety-middleware.js

@@ -3,9 +3,47 @@
  * SPDX-License-Identifier: Apache-2
  * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
  */
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
 import { getLogger } from '../logging/logger.js';
+import { isValidSafetyAction } from './types.js';
 /**
- * Safety error thrown when an operation is blocked by safety middleware.
+ * Ordering of safety levels from least to most restrictive.
+ */
+const LEVEL_ORDER = {
+    NONE: 0,
+    NO_DELETE: 1,
+    NO_UPDATE: 2,
+    READ_ONLY: 3,
+};
+/**
+ * Valid safety level strings.
+ */
+const VALID_LEVELS = ['NONE', 'NO_DELETE', 'NO_UPDATE', 'READ_ONLY'];
+/**
+ * Returns the more restrictive of two safety levels.
+ */
+export function maxSafetyLevel(a, b) {
+    return LEVEL_ORDER[a] >= LEVEL_ORDER[b] ? a : b;
+}
+/**
+ * Check if a string is a valid SafetyLevel.
+ */
+export function isValidSafetyLevel(value) {
+    return VALID_LEVELS.includes(value);
+}
+/**
+ * Parse a string to a SafetyLevel, returning undefined for invalid values.
+ * Accepts case-insensitive input and converts dashes to underscores.
+ */
+export function parseSafetyLevelString(value) {
+    if (!value)
+        return undefined;
+    const normalized = value.toUpperCase().replace(/-/g, '_');
+    return isValidSafetyLevel(normalized) ? normalized : undefined;
+}
+/**
+ * Safety error thrown when an operation is blocked by safety configuration.
  */
 export class SafetyBlockedError extends Error {
     method;
@@ -20,35 +58,50 @@ export class SafetyBlockedError extends Error {
     }
 }
 /**
- * Checks if an HTTP operation should be blocked based on safety configuration.
+ * Error thrown when an operation requires interactive confirmation.
+ *
+ * Callers can catch this error, prompt the user, and retry the operation
+ * using {@link withSafetyConfirmation}.
+ */
+export class SafetyConfirmationRequired extends Error {
+    evaluation;
+    constructor(evaluation) {
+        super(`Confirmation required: ${evaluation.reason}`);
+        this.evaluation = evaluation;
+        this.name = 'SafetyConfirmationRequired';
+    }
+}
+/**
+ * Checks if an HTTP operation should be blocked based on a safety level.
+ *
+ * This is the low-level level check. For full rule-based evaluation,
+ * use {@link SafetyGuard.evaluate}.
  *
  * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
- * @param url - Request URL
- * @param config - Safety configuration
+ * @param path - URL pathname
+ * @param level - Safety level to check against
  * @returns Error message if blocked, undefined if allowed
  */
-export function checkSafetyViolation(method, url, config) {
+export function checkLevelViolation(method, path, level) {
     const upperMethod = method.toUpperCase();
-    const path = new URL(url, 'http://dummy').pathname;
-    switch (config.level) {
+    switch (level) {
         case 'NONE':
-            return undefined; // No restrictions
+            return undefined;
         case 'NO_DELETE':
             if (upperMethod === 'DELETE') {
                 return `Delete operation blocked: DELETE ${path} (NO_DELETE mode prevents deletions)`;
             }
             return undefined;
-        case 'NO_UPDATE':
-            // Block DELETE operations
+        case 'NO_UPDATE': {
             if (upperMethod === 'DELETE') {
                 return `Delete operation blocked: DELETE ${path} (NO_UPDATE mode prevents deletions)`;
             }
-            // Block operations that contain reset, stop, restart in path or might be destructive
             const destructivePatterns = ['/reset', '/stop', '/restart', '/operations'];
             if (destructivePatterns.some((pattern) => path.includes(pattern)) && upperMethod === 'POST') {
                 return `Destructive operation blocked: POST ${path} (NO_UPDATE mode prevents reset/stop/restart)`;
             }
             return undefined;
+        }
         case 'READ_ONLY':
             if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(upperMethod)) {
                 return `Write operation blocked: ${upperMethod} ${path} (READ_ONLY mode prevents all modifications)`;
@@ -58,6 +111,19 @@ export function checkSafetyViolation(method, url, config) {
             return undefined;
     }
 }
+/**
+ * Checks if an HTTP operation should be blocked based on safety configuration.
+ *
+ * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
+ * @param url - Request URL
+ * @param config - Safety configuration
+ * @returns Error message if blocked, undefined if allowed
+ * @deprecated Use {@link SafetyGuard.evaluate} for full rule-based evaluation.
+ */
+export function checkSafetyViolation(method, url, config) {
+    const path = new URL(url, 'http://dummy').pathname;
+    return checkLevelViolation(method, path, config.level);
+}
 /**
  * Parse safety level from environment variable.
  *
@@ -71,11 +137,10 @@ export function checkSafetyViolation(method, url, config) {
 export function getSafetyLevel(defaultLevel = 'NONE') {
     const safetyLevelEnv = process.env['SFCC_SAFETY_LEVEL'];
     if (safetyLevelEnv) {
-        const upper = safetyLevelEnv.toUpperCase().replace(/-/g, '_');
-        if (['NONE', 'NO_DELETE', 'NO_UPDATE', 'READ_ONLY'].includes(upper)) {
-            return upper;
-        }
-        getLogger().warn({ envValue: safetyLevelEnv, validValues: ['NONE', 'NO_DELETE', 'NO_UPDATE', 'READ_ONLY'] }, 'SFCC_SAFETY_LEVEL has an invalid value; using default safety level');
+        const parsed = parseSafetyLevelString(safetyLevelEnv);
+        if (parsed)
+            return parsed;
+        getLogger().warn({ envValue: safetyLevelEnv, validValues: VALID_LEVELS }, 'SFCC_SAFETY_LEVEL has an invalid value; using default safety level');
     }
     return defaultLevel;
 }
@@ -96,4 +161,88 @@ export function describeSafetyLevel(level) {
             return 'Unknown safety level';
     }
 }
+/**
+ * Load global safety configuration from a JSON file.
+ *
+ * Resolution order:
+ * 1. `SFCC_SAFETY_CONFIG` env var — explicit path to a safety config file
+ * 2. `{configDir}/safety.json` — oclif config directory (e.g., `~/.config/b2c/safety.json`)
+ *
+ * The file has the same shape as the `safety` object in dw.json:
+ * ```json
+ * { "level": "NO_DELETE", "confirm": true, "rules": [...] }
+ * ```
+ *
+ * @param configDir - oclif config directory path (e.g., `this.config.configDir`)
+ * @returns Validated safety config fragment, or undefined if no file found
+ */
+export function loadGlobalSafetyConfig(configDir) {
+    const logger = getLogger();
+    // 1. Check SFCC_SAFETY_CONFIG env var
+    const envPath = process.env['SFCC_SAFETY_CONFIG'];
+    const filePath = envPath || (configDir ? join(configDir, 'safety.json') : undefined);
+    if (!filePath || !existsSync(filePath)) {
+        return undefined;
+    }
+    try {
+        const raw = JSON.parse(readFileSync(filePath, 'utf-8'));
+        const result = {};
+        if (raw.level) {
+            const parsed = parseSafetyLevelString(raw.level);
+            if (parsed) {
+                result.level = parsed;
+            }
+            else {
+                logger.warn({ level: raw.level, file: filePath }, 'Invalid safety level in global safety config; ignoring');
+            }
+        }
+        if (raw.confirm !== undefined) {
+            result.confirm = raw.confirm === true;
+        }
+        if (raw.rules && Array.isArray(raw.rules)) {
+            result.rules = raw.rules.filter((r) => {
+                if (!isValidSafetyAction(r.action)) {
+                    logger.warn({ rule: r, file: filePath }, 'Invalid safety rule action in global safety config; skipping rule');
+                    return false;
+                }
+                return true;
+            });
+        }
+        logger.trace({ filePath, level: result.level, ruleCount: result.rules?.length }, 'Loaded global safety config');
+        return result;
+    }
+    catch (error) {
+        logger.warn({ error, file: filePath }, 'Failed to load global safety config; ignoring');
+        return undefined;
+    }
+}
+/**
+ * Compute effective safety config by merging environment variables, global
+ * safety config, and per-instance config.
+ *
+ * Merge strategy:
+ * - **Level**: `max(env, global, instance)` — most restrictive wins
+ * - **Confirm**: OR across all sources
+ * - **Rules**: instance rules first, then global rules (first-match-wins,
+ *   so instance rules can override global policy)
+ *
+ * @param instanceSafety - Per-instance safety config from dw.json
+ * @param globalSafety - Global safety config from safety.json
+ * @returns Merged SafetyConfig
+ */
+export function resolveEffectiveSafetyConfig(instanceSafety, globalSafety) {
+    const envLevel = getSafetyLevel('NONE');
+    const envConfirm = process.env['SFCC_SAFETY_CONFIRM'] === 'true' || process.env['SFCC_SAFETY_CONFIRM'] === '1';
+    const instanceLevel = instanceSafety?.level ?? 'NONE';
+    const globalLevel = globalSafety?.level ?? 'NONE';
+    // Merge rules: instance first, then global (first-match-wins)
+    const instanceRules = instanceSafety?.rules ?? [];
+    const globalRules = globalSafety?.rules ?? [];
+    const mergedRules = [...instanceRules, ...globalRules];
+    return {
+        level: maxSafetyLevel(envLevel, maxSafetyLevel(globalLevel, instanceLevel)),
+        confirm: envConfirm || instanceSafety?.confirm === true || globalSafety?.confirm === true,
+        rules: mergedRules.length > 0 ? mergedRules : undefined,
+    };
+}
 //# sourceMappingURL=safety-middleware.js.map

package/dist/cjs/safety/safety-middleware.js.map

@@ -1 +1 @@
-{"version":3,"file":"safety-middleware.js","sourceRoot":"","sources":["../../../src/safety/safety-middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,SAAS,EAAC,MAAM,sBAAsB,CAAC;AAgB/C;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IACA;IACA;IAJlB,YACE,OAAe,EACC,MAAc,EACd,GAAW,EACX,WAAwB;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,WAAM,GAAN,MAAM,CAAQ;QACd,QAAG,GAAH,GAAG,CAAQ;QACX,gBAAW,GAAX,WAAW,CAAa;QAGxC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,GAAW,EAAE,MAAoB;IACpF,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,QAAQ,CAAC;IAEnD,QAAQ,MAAM,CAAC,KAAK,EAAE,CAAC;QACrB,KAAK,MAAM;YACT,OAAO,SAAS,CAAC,CAAC,kBAAkB;QAEtC,KAAK,WAAW;YACd,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW;YACd,0BAA0B;YAC1B,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,qFAAqF;YACrF,MAAM,mBAAmB,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAC3E,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;gBAC5F,OAAO,uCAAuC,IAAI,+CAA+C,CAAC;YACpG,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW;YACd,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7D,OAAO,4BAA4B,WAAW,IAAI,IAAI,8CAA8C,CAAC;YACvG,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,eAA4B,MAAM;IAC/D,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACxD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,KAAK,GAAG,cAAc,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAC9D,IAAI,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACpE,OAAO,KAAoB,CAAC;QAC9B,CAAC;QACD,SAAS,EAAE,CAAC,IAAI,CACd,EAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,CAAC,EAAC,EACxF,oEAAoE,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAkB;IACpD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,wBAAwB,CAAC;QAClC,KAAK,WAAW;YACd,OAAO,2BAA2B,CAAC;QACrC,KAAK,WAAW;YACd,OAAO,+DAA+D,CAAC;QACzE,KAAK,WAAW;YACd,OAAO,+CAA+C,CAAC;QACzD;YACE,OAAO,sBAAsB,CAAC;IAClC,CAAC;AACH,CAAC"}
+{"version":3,"file":"safety-middleware.js","sourceRoot":"","sources":["../../../src/safety/safety-middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,UAAU,EAAE,YAAY,EAAC,MAAM,SAAS,CAAC;AACjD,OAAO,EAAC,IAAI,EAAC,MAAM,WAAW,CAAC;AAC/B,OAAO,EAAC,SAAS,EAAC,MAAM,sBAAsB,CAAC;AAE/C,OAAO,EAAC,mBAAmB,EAAC,MAAM,YAAY,CAAC;AA2B/C;;GAEG;AACH,MAAM,WAAW,GAAgC;IAC/C,IAAI,EAAE,CAAC;IACP,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,CAAC;CACb,CAAC;AAEF;;GAEG;AACH,MAAM,YAAY,GAA2B,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,CAAU,CAAC;AAEtG;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,CAAc,EAAE,CAAc;IAC3D,OAAO,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAoB,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAyB;IAC9D,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IACA;IACA;IAJlB,YACE,OAAe,EACC,MAAc,EACd,GAAW,EACX,WAAwB;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,WAAM,GAAN,MAAM,CAAQ;QACd,QAAG,GAAH,GAAG,CAAQ;QACX,gBAAW,GAAX,WAAW,CAAa;QAGxC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IACvB;IAA5B,YAA4B,UAA4B;QACtD,KAAK,CAAC,0BAA0B,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAD3B,eAAU,GAAV,UAAU,CAAkB;QAEtD,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,IAAY,EAAE,KAAkB;IAClF,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEzC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW;YACd,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,MAAM,mBAAmB,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAC3E,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;gBAC5F,OAAO,uCAAuC,IAAI,+CAA+C,CAAC;YACpG,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,KAAK,WAAW;YACd,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7D,OAAO,4BAA4B,WAAW,IAAI,IAAI,8CAA8C,CAAC;YACvG,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,GAAW,EAAE,MAAoB;IACpF,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,QAAQ,CAAC;IACnD,OAAO,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,eAA4B,MAAM;IAC/D,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACxD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,sBAAsB,CAAC,cAAc,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,SAAS,EAAE,CAAC,IAAI,CACd,EAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAC,EACrD,oEAAoE,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAkB;IACpD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,wBAAwB,CAAC;QAClC,KAAK,WAAW;YACd,OAAO,2BAA2B,CAAC;QACrC,KAAK,WAAW;YACd,OAAO,+DAA+D,CAAC;QACzE,KAAK,WAAW;YACd,OAAO,+CAA+C,CAAC;QACzD;YACE,OAAO,sBAAsB,CAAC;IAClC,CAAC;AACH,CAAC;AAgBD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAkB;IACvD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,sCAAsC;IACtC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAErF,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAoB,CAAC;QAC3E,MAAM,MAAM,GAAyB,EAAE,CAAC;QAExC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,wDAAwD,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC;QAED,IAAI,GAAG,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,KAAK,IAAI,CAAC;QACxC,CAAC;QAED,IAAI,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACpC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,mEAAmE,CAAC,CAAC;oBAC5G,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAiB,CAAC;QACrB,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAC,EAAE,6BAA6B,CAAC,CAAC;QAC9G,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,+CAA+C,CAAC,CAAC;QACtF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAqC,EACrC,YAAmC;IAEnC,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC;IAE/G,MAAM,aAAa,GAAG,cAAc,EAAE,KAAK,IAAI,MAAM,CAAC;IACtD,MAAM,WAAW,GAAG,YAAY,EAAE,KAAK,IAAI,MAAM,CAAC;IAElD,8DAA8D;IAC9D,MAAM,aAAa,GAAG,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC;IAClD,MAAM,WAAW,GAAG,YAAY,EAAE,KAAK,IAAI,EAAE,CAAC;IAC9C,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,WAAW,CAAC,CAAC;IAEvD,OAAO;QACL,KAAK,EAAE,cAAc,CAAC,QAAQ,EAAE,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QAC3E,OAAO,EAAE,UAAU,IAAI,cAAc,EAAE,OAAO,KAAK,IAAI,IAAI,YAAY,EAAE,OAAO,KAAK,IAAI;QACzF,KAAK,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC"}