@salesforce/b2c-tooling-sdk 1.9.0 → 1.11.0

package/dist/cjs/safety/safety-guard.js

@@ -1,270 +0,0 @@
-/*
- * Copyright (c) 2025, Salesforce, Inc.
- * SPDX-License-Identifier: Apache-2
- * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
- */
-/**
- * SafetyGuard: SDK-level safety evaluation engine.
- *
- * Evaluates operations against safety rules and levels, producing typed
- * evaluations (allow/block/confirm). Used by both the HTTP middleware
- * (automatic) and command-level checks (opt-in).
- *
- * @module safety/safety-guard
- */
-import { Minimatch } from 'minimatch';
-import { getLogger } from '../logging/index.js';
-import { SafetyBlockedError, SafetyConfirmationRequired, checkLevelViolation, describeSafetyLevel, } from './safety-middleware.js';
-/** Regex to extract job ID from OCAPI job execution URLs. */
-const JOB_EXECUTION_PATTERN = /\/jobs\/([^/]+)\/executions/;
-/**
- * Extract a job ID from a URL path if it's a job execution endpoint.
- *
- * Matches patterns like:
- * - `/s/-/dw/data/v24_5/jobs/sfcc-site-archive-import/executions`
- * - `/jobs/sfcc-site-archive-export/executions`
- */
-export function extractJobIdFromPath(path) {
-    const match = JOB_EXECUTION_PATTERN.exec(path);
-    return match?.[1];
-}
-/**
- * Test whether a string matches a glob pattern.
- * Uses minimatch with dot matching enabled.
- */
-function matchGlob(value, pattern) {
-    const matcher = new Minimatch(pattern, { dot: true, nocase: true });
-    return matcher.match(value);
-}
-/**
- * Check if a rule matches an operation.
- */
-function ruleMatchesOperation(rule, operation) {
-    // Command matcher
-    if (rule.command !== undefined) {
-        if (!operation.commandId)
-            return false;
-        return matchGlob(operation.commandId, rule.command);
-    }
-    // Job matcher
-    if (rule.job !== undefined) {
-        const jobId = operation.jobId ?? (operation.path ? extractJobIdFromPath(operation.path) : undefined);
-        if (!jobId)
-            return false;
-        return matchGlob(jobId, rule.job);
-    }
-    // HTTP method + path matcher
-    if (rule.path !== undefined) {
-        if (!operation.path)
-            return false;
-        if (!matchGlob(operation.path, rule.path))
-            return false;
-        // If method is specified, it must also match
-        if (rule.method !== undefined) {
-            if (!operation.method)
-                return false;
-            return matchGlob(operation.method.toUpperCase(), rule.method.toUpperCase());
-        }
-        return true;
-    }
-    // Method-only matcher (no path)
-    if (rule.method !== undefined) {
-        if (!operation.method)
-            return false;
-        return matchGlob(operation.method.toUpperCase(), rule.method.toUpperCase());
-    }
-    // Rule has no matchers — does not match anything
-    return false;
-}
-/**
- * SafetyGuard evaluates operations against safety rules and levels.
- *
- * The guard provides three levels of API:
- * - {@link evaluate} — returns a {@link SafetyEvaluation} describing what should happen
- * - {@link assert} — throws {@link SafetyBlockedError} or {@link SafetyConfirmationRequired}
- * - {@link temporarilyAllow} — creates a scoped exemption for confirmed operations
- *
- * The HTTP middleware uses the guard internally so all HTTP requests are
- * evaluated automatically. CLI commands and other consumers can use the
- * guard directly for richer safety interaction (command-level checks,
- * confirmation flows).
- *
- * @example
- * ```typescript
- * const guard = new SafetyGuard({
- *   level: 'NO_UPDATE',
- *   confirm: true,
- *   rules: [{ job: 'sfcc-site-archive-export', action: 'allow' }],
- * });
- *
- * const evaluation = guard.evaluate({ type: 'job', jobId: 'sfcc-site-archive-export' });
- * // evaluation.action === 'allow'
- * ```
- */
-export class SafetyGuard {
-    config;
-    temporaryAllows = [];
-    logger;
-    constructor(config) {
-        this.config = config;
-        this.logger = getLogger();
-    }
-    /**
-     * Evaluate an operation against safety rules and level.
-     *
-     * Evaluation order:
-     * 1. Temporary allows (from confirmed retries) — if matched, allow
-     * 2. Config rules in order — first matching rule's action wins
-     * 3. Level-based default — confirm if `confirm: true`, otherwise block/allow
-     *
-     * All evaluations are trace-logged for diagnostics.
-     */
-    evaluate(operation) {
-        // 1. Check temporary allows (confirmed operations)
-        for (const rule of this.temporaryAllows) {
-            if (ruleMatchesOperation(rule, operation)) {
-                const evaluation = {
-                    action: 'allow',
-                    reason: 'Temporarily allowed after confirmation',
-                    operation,
-                    rule,
-                };
-                this.logger.trace({ operation, evaluation }, '[SafetyGuard] Allowed by temporary exemption');
-                return evaluation;
-            }
-        }
-        // 2. Check config rules (first match wins)
-        if (this.config.rules) {
-            for (const rule of this.config.rules) {
-                if (ruleMatchesOperation(rule, operation)) {
-                    const evaluation = {
-                        action: rule.action,
-                        reason: this.describeRuleMatch(rule, operation),
-                        operation,
-                        rule,
-                    };
-                    this.logger.trace({ operation, rule, action: rule.action }, '[SafetyGuard] Matched rule');
-                    return evaluation;
-                }
-            }
-        }
-        // 3. Fall back to level-based evaluation
-        return this.evaluateByLevel(operation);
-    }
-    /**
-     * Assert that an operation is allowed.
-     *
-     * @throws {SafetyBlockedError} if the operation is blocked
-     * @throws {SafetyConfirmationRequired} if the operation needs confirmation
-     */
-    assert(operation) {
-        const evaluation = this.evaluate(operation);
-        switch (evaluation.action) {
-            case 'allow':
-                return;
-            case 'block':
-                throw new SafetyBlockedError(evaluation.reason, operation.method ?? '', operation.url ?? '', this.config.level);
-            case 'confirm':
-                throw new SafetyConfirmationRequired(evaluation);
-        }
-    }
-    /**
-     * Create a temporary exemption for a confirmed operation.
-     *
-     * Returns a cleanup function that removes the exemption. Use this
-     * to retry an operation after the user has confirmed.
-     */
-    temporarilyAllow(operation) {
-        const rule = this.operationToRule(operation);
-        return this.temporarilyAddRule(rule);
-    }
-    /**
-     * Add a temporary safety rule for a scoped exemption.
-     *
-     * Unlike {@link temporarilyAllow} which derives a rule from an operation,
-     * this accepts an arbitrary rule — useful for granting broad temporary
-     * access (e.g., allowing WebDAV DELETE on Impex paths during a job export).
-     *
-     * Returns a cleanup function that removes the rule.
-     */
-    temporarilyAddRule(rule) {
-        this.temporaryAllows.push(rule);
-        this.logger.trace({ rule }, '[SafetyGuard] Added temporary rule');
-        return () => {
-            const idx = this.temporaryAllows.indexOf(rule);
-            if (idx >= 0) {
-                this.temporaryAllows.splice(idx, 1);
-                this.logger.trace({ rule }, '[SafetyGuard] Removed temporary rule');
-            }
-        };
-    }
-    /**
-     * Evaluate an operation using only the safety level (no rules).
-     */
-    evaluateByLevel(operation) {
-        // For HTTP operations, check the level
-        if (operation.method && operation.path) {
-            const violation = checkLevelViolation(operation.method, operation.path, this.config.level);
-            if (violation) {
-                const action = this.config.confirm ? 'confirm' : 'block';
-                const evaluation = {
-                    action,
-                    reason: this.describeLevelBlock(operation),
-                    operation,
-                };
-                this.logger.trace({ operation, action, level: this.config.level }, '[SafetyGuard] Level evaluation');
-                return evaluation;
-            }
-        }
-        // For command operations, no level-based blocking (levels are HTTP-level)
-        // Commands opt into safety via rules or assertDestructiveOperationAllowed()
-        const evaluation = {
-            action: 'allow',
-            reason: 'No matching rule and level allows this operation',
-            operation,
-        };
-        this.logger.trace({ operation, level: this.config.level }, '[SafetyGuard] Allowed by level');
-        return evaluation;
-    }
-    /**
-     * Convert an operation to a temporary allow rule for retry.
-     */
-    operationToRule(operation) {
-        if (operation.commandId) {
-            return { command: operation.commandId, action: 'allow' };
-        }
-        if (operation.jobId) {
-            return { job: operation.jobId, action: 'allow' };
-        }
-        // HTTP operation — match exact method + path
-        return {
-            method: operation.method,
-            path: operation.path,
-            action: 'allow',
-        };
-    }
-    /**
-     * Describe why a rule matched, for user-facing messages.
-     */
-    describeRuleMatch(rule, operation) {
-        if (rule.command) {
-            return `Command "${operation.commandId}" matched safety rule (command: "${rule.command}", action: ${rule.action})`;
-        }
-        if (rule.job) {
-            return `Job "${operation.jobId}" matched safety rule (job: "${rule.job}", action: ${rule.action})`;
-        }
-        const method = operation.method ?? 'unknown';
-        const path = operation.path ?? 'unknown';
-        return `${method} ${path} matched safety rule (action: ${rule.action})`;
-    }
-    /**
-     * Describe why the level blocked an operation, for user-facing messages.
-     */
-    describeLevelBlock(operation) {
-        const method = operation.method ?? 'unknown';
-        const path = operation.path ?? 'unknown';
-        const levelDesc = describeSafetyLevel(this.config.level);
-        return `${method} ${path} blocked by safety level ${this.config.level} — ${levelDesc}`;
-    }
-}
-//# sourceMappingURL=safety-guard.js.map

package/dist/cjs/safety/safety-guard.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"safety-guard.js","sourceRoot":"","sources":["../../../src/safety/safety-guard.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH;;;;;;;;GAQG;AAEH,OAAO,EAAC,SAAS,EAAC,MAAM,WAAW,CAAC;AACpC,OAAO,EAAC,SAAS,EAAc,MAAM,qBAAqB,CAAC;AAE3D,OAAO,EACL,kBAAkB,EAClB,0BAA0B,EAC1B,mBAAmB,EACnB,mBAAmB,GACpB,MAAM,wBAAwB,CAAC;AAGhC,6DAA6D;AAC7D,MAAM,qBAAqB,GAAG,6BAA6B,CAAC;AAE5D;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,IAAY;IAC/C,MAAM,KAAK,GAAG,qBAAqB,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,KAAa,EAAE,OAAe;IAC/C,MAAM,OAAO,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,EAAC,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAC,CAAC,CAAC;IAClE,OAAO,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAAC,IAAgB,EAAE,SAA0B;IACxE,kBAAkB;IAClB,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC,SAAS,CAAC,SAAS;YAAE,OAAO,KAAK,CAAC;QACvC,OAAO,SAAS,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,CAAC;IACtD,CAAC;IAED,cAAc;IACd,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,oBAAoB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QACrG,IAAI,CAAC,KAAK;YAAE,OAAO,KAAK,CAAC;QACzB,OAAO,SAAS,CAAC,KAAK,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IACpC,CAAC;IAED,6BAA6B;IAC7B,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,IAAI,CAAC,SAAS,CAAC,IAAI;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;QACxD,6CAA6C;QAC7C,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,IAAI,CAAC,SAAS,CAAC,MAAM;gBAAE,OAAO,KAAK,CAAC;YACpC,OAAO,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;QAC9E,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,gCAAgC;IAChC,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,SAAS,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QACpC,OAAO,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,iDAAiD;IACjD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,WAAW;IAIM;IAHpB,eAAe,GAAiB,EAAE,CAAC;IAC1B,MAAM,CAAS;IAEhC,YAA4B,MAAoB;QAApB,WAAM,GAAN,MAAM,CAAc;QAC9C,IAAI,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;IAC5B,CAAC;IAED;;;;;;;;;OASG;IACH,QAAQ,CAAC,SAA0B;QACjC,mDAAmD;QACnD,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACxC,IAAI,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC1C,MAAM,UAAU,GAAqB;oBACnC,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,wCAAwC;oBAChD,SAAS;oBACT,IAAI;iBACL,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,UAAU,EAAC,EAAE,8CAA8C,CAAC,CAAC;gBAC3F,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAED,2CAA2C;QAC3C,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YACtB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACrC,IAAI,oBAAoB,CAAC,IAAI,EAAE,SAAS,CAAC,EAAE,CAAC;oBAC1C,MAAM,UAAU,GAAqB;wBACnC,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC;wBAC/C,SAAS;wBACT,IAAI;qBACL,CAAC;oBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAC,EAAE,4BAA4B,CAAC,CAAC;oBACxF,OAAO,UAAU,CAAC;gBACpB,CAAC;YACH,CAAC;QACH,CAAC;QAED,yCAAyC;QACzC,OAAO,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;IACzC,CAAC;IAED;;;;;OAKG;IACH,MAAM,CAAC,SAA0B;QAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;QAC5C,QAAQ,UAAU,CAAC,MAAM,EAAE,CAAC;YAC1B,KAAK,OAAO;gBACV,OAAO;YACT,KAAK,OAAO;gBACV,MAAM,IAAI,kBAAkB,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,MAAM,IAAI,EAAE,EAAE,SAAS,CAAC,GAAG,IAAI,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAClH,KAAK,SAAS;gBACZ,MAAM,IAAI,0BAA0B,CAAC,UAAU,CAAC,CAAC;QACrD,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,gBAAgB,CAAC,SAA0B;QACzC,MAAM,IAAI,GAAG,IAAI,CAAC,eAAe,CAAC,SAAS,CAAC,CAAC;QAC7C,OAAO,IAAI,CAAC,kBAAkB,CAAC,IAAI,CAAC,CAAC;IACvC,CAAC;IAED;;;;;;;;OAQG;IACH,kBAAkB,CAAC,IAAgB;QACjC,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAC,EAAE,oCAAoC,CAAC,CAAC;QAEhE,OAAO,GAAG,EAAE;YACV,MAAM,GAAG,GAAG,IAAI,CAAC,eAAe,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;YAC/C,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;gBACb,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;gBACpC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,IAAI,EAAC,EAAE,sCAAsC,CAAC,CAAC;YACpE,CAAC;QACH,CAAC,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,SAA0B;QAChD,uCAAuC;QACvC,IAAI,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,mBAAmB,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC3F,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,MAAM,GAAiB,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC;gBACvE,MAAM,UAAU,GAAqB;oBACnC,MAAM;oBACN,MAAM,EAAE,IAAI,CAAC,kBAAkB,CAAC,SAAS,CAAC;oBAC1C,SAAS;iBACV,CAAC;gBACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAC,EAAE,gCAAgC,CAAC,CAAC;gBACnG,OAAO,UAAU,CAAC;YACpB,CAAC;QACH,CAAC;QAED,0EAA0E;QAC1E,4EAA4E;QAC5E,MAAM,UAAU,GAAqB;YACnC,MAAM,EAAE,OAAO;YACf,MAAM,EAAE,kDAAkD;YAC1D,SAAS;SACV,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,EAAC,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAC,EAAE,gCAAgC,CAAC,CAAC;QAC3F,OAAO,UAAU,CAAC;IACpB,CAAC;IAED;;OAEG;IACK,eAAe,CAAC,SAA0B;QAChD,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;YACxB,OAAO,EAAC,OAAO,EAAE,SAAS,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC;QACzD,CAAC;QACD,IAAI,SAAS,CAAC,KAAK,EAAE,CAAC;YACpB,OAAO,EAAC,GAAG,EAAE,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAC,CAAC;QACjD,CAAC;QACD,6CAA6C;QAC7C,OAAO;YACL,MAAM,EAAE,SAAS,CAAC,MAAM;YACxB,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,MAAM,EAAE,OAAO;SAChB,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,IAAgB,EAAE,SAA0B;QACpE,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,YAAY,SAAS,CAAC,SAAS,oCAAoC,IAAI,CAAC,OAAO,cAAc,IAAI,CAAC,MAAM,GAAG,CAAC;QACrH,CAAC;QACD,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;YACb,OAAO,QAAQ,SAAS,CAAC,KAAK,gCAAgC,IAAI,CAAC,GAAG,cAAc,IAAI,CAAC,MAAM,GAAG,CAAC;QACrG,CAAC;QACD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC;QACzC,OAAO,GAAG,MAAM,IAAI,IAAI,iCAAiC,IAAI,CAAC,MAAM,GAAG,CAAC;IAC1E,CAAC;IAED;;OAEG;IACK,kBAAkB,CAAC,SAA0B;QACnD,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,IAAI,SAAS,CAAC;QAC7C,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,IAAI,SAAS,CAAC;QACzC,MAAM,SAAS,GAAG,mBAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACzD,OAAO,GAAG,MAAM,IAAI,IAAI,4BAA4B,IAAI,CAAC,MAAM,CAAC,KAAK,MAAM,SAAS,EAAE,CAAC;IACzF,CAAC;CACF"}

package/dist/cjs/safety/safety-middleware.d.ts

@@ -1,130 +0,0 @@
-import type { SafetyRule } from './types.js';
-import type { SafetyEvaluation } from './types.js';
-/**
- * Safety levels for preventing destructive operations.
- *
- * - NONE: No safety restrictions (default)
- * - NO_DELETE: Block DELETE operations only
- * - NO_UPDATE: Block DELETE and destructive operations (reset, stop, restart)
- * - READ_ONLY: Block all write operations (only GET allowed)
- */
-export type SafetyLevel = 'NONE' | 'NO_DELETE' | 'NO_UPDATE' | 'READ_ONLY';
-/**
- * Safety configuration.
- *
- * Supports both simple level-based blocking and granular per-rule actions.
- */
-export interface SafetyConfig {
-    /** The base safety level. */
-    level: SafetyLevel;
-    /** When true, operations that the level would block require confirmation instead of hard-blocking. */
-    confirm?: boolean;
-    /** Ordered list of rules. First matching rule wins. */
-    rules?: SafetyRule[];
-}
-/**
- * Returns the more restrictive of two safety levels.
- */
-export declare function maxSafetyLevel(a: SafetyLevel, b: SafetyLevel): SafetyLevel;
-/**
- * Check if a string is a valid SafetyLevel.
- */
-export declare function isValidSafetyLevel(value: string): value is SafetyLevel;
-/**
- * Parse a string to a SafetyLevel, returning undefined for invalid values.
- * Accepts case-insensitive input and converts dashes to underscores.
- */
-export declare function parseSafetyLevelString(value: string | undefined): SafetyLevel | undefined;
-/**
- * Safety error thrown when an operation is blocked by safety configuration.
- */
-export declare class SafetyBlockedError extends Error {
-    readonly method: string;
-    readonly url: string;
-    readonly safetyLevel: SafetyLevel;
-    constructor(message: string, method: string, url: string, safetyLevel: SafetyLevel);
-}
-/**
- * Error thrown when an operation requires interactive confirmation.
- *
- * Callers can catch this error, prompt the user, and retry the operation
- * using {@link withSafetyConfirmation}.
- */
-export declare class SafetyConfirmationRequired extends Error {
-    readonly evaluation: SafetyEvaluation;
-    constructor(evaluation: SafetyEvaluation);
-}
-/**
- * Checks if an HTTP operation should be blocked based on a safety level.
- *
- * This is the low-level level check. For full rule-based evaluation,
- * use {@link SafetyGuard.evaluate}.
- *
- * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
- * @param path - URL pathname
- * @param level - Safety level to check against
- * @returns Error message if blocked, undefined if allowed
- */
-export declare function checkLevelViolation(method: string, path: string, level: SafetyLevel): string | undefined;
-/**
- * Checks if an HTTP operation should be blocked based on safety configuration.
- *
- * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
- * @param url - Request URL
- * @param config - Safety configuration
- * @returns Error message if blocked, undefined if allowed
- * @deprecated Use {@link SafetyGuard.evaluate} for full rule-based evaluation.
- */
-export declare function checkSafetyViolation(method: string, url: string, config: SafetyConfig): string | undefined;
-/**
- * Parse safety level from environment variable.
- *
- * Reads from SFCC_SAFETY_LEVEL. Valid values: NONE, NO_DELETE, NO_UPDATE, READ_ONLY
- * (case-insensitive; dashes converted to underscores). Invalid values are logged
- * as a warning and the default level is returned.
- *
- * @param defaultLevel - Default level if no environment variable is set or value is invalid
- * @returns Parsed safety level
- */
-export declare function getSafetyLevel(defaultLevel?: SafetyLevel): SafetyLevel;
-/**
- * Get a user-friendly description of the safety level.
- */
-export declare function describeSafetyLevel(level: SafetyLevel): string;
-/** Validated safety config fragment (shared by global and per-instance). */
-export interface SafetyConfigFragment {
-    level?: SafetyLevel;
-    confirm?: boolean;
-    rules?: SafetyRule[];
-}
-/**
- * Load global safety configuration from a JSON file.
- *
- * Resolution order:
- * 1. `SFCC_SAFETY_CONFIG` env var — explicit path to a safety config file
- * 2. `{configDir}/safety.json` — oclif config directory (e.g., `~/.config/b2c/safety.json`)
- *
- * The file has the same shape as the `safety` object in dw.json:
- * ```json
- * { "level": "NO_DELETE", "confirm": true, "rules": [...] }
- * ```
- *
- * @param configDir - oclif config directory path (e.g., `this.config.configDir`)
- * @returns Validated safety config fragment, or undefined if no file found
- */
-export declare function loadGlobalSafetyConfig(configDir?: string): SafetyConfigFragment | undefined;
-/**
- * Compute effective safety config by merging environment variables, global
- * safety config, and per-instance config.
- *
- * Merge strategy:
- * - **Level**: `max(env, global, instance)` — most restrictive wins
- * - **Confirm**: OR across all sources
- * - **Rules**: instance rules first, then global rules (first-match-wins,
- *   so instance rules can override global policy)
- *
- * @param instanceSafety - Per-instance safety config from dw.json
- * @param globalSafety - Global safety config from safety.json
- * @returns Merged SafetyConfig
- */
-export declare function resolveEffectiveSafetyConfig(instanceSafety?: SafetyConfigFragment, globalSafety?: SafetyConfigFragment): SafetyConfig;

package/dist/cjs/safety/safety-middleware.js

@@ -1,248 +0,0 @@
-/*
- * Copyright (c) 2025, Salesforce, Inc.
- * SPDX-License-Identifier: Apache-2
- * For full license text, see the license.txt file in the repo root or http://www.apache.org/licenses/LICENSE-2.0
- */
-import { existsSync, readFileSync } from 'node:fs';
-import { join } from 'node:path';
-import { getLogger } from '../logging/logger.js';
-import { isValidSafetyAction } from './types.js';
-/**
- * Ordering of safety levels from least to most restrictive.
- */
-const LEVEL_ORDER = {
-    NONE: 0,
-    NO_DELETE: 1,
-    NO_UPDATE: 2,
-    READ_ONLY: 3,
-};
-/**
- * Valid safety level strings.
- */
-const VALID_LEVELS = ['NONE', 'NO_DELETE', 'NO_UPDATE', 'READ_ONLY'];
-/**
- * Returns the more restrictive of two safety levels.
- */
-export function maxSafetyLevel(a, b) {
-    return LEVEL_ORDER[a] >= LEVEL_ORDER[b] ? a : b;
-}
-/**
- * Check if a string is a valid SafetyLevel.
- */
-export function isValidSafetyLevel(value) {
-    return VALID_LEVELS.includes(value);
-}
-/**
- * Parse a string to a SafetyLevel, returning undefined for invalid values.
- * Accepts case-insensitive input and converts dashes to underscores.
- */
-export function parseSafetyLevelString(value) {
-    if (!value)
-        return undefined;
-    const normalized = value.toUpperCase().replace(/-/g, '_');
-    return isValidSafetyLevel(normalized) ? normalized : undefined;
-}
-/**
- * Safety error thrown when an operation is blocked by safety configuration.
- */
-export class SafetyBlockedError extends Error {
-    method;
-    url;
-    safetyLevel;
-    constructor(message, method, url, safetyLevel) {
-        super(message);
-        this.method = method;
-        this.url = url;
-        this.safetyLevel = safetyLevel;
-        this.name = 'SafetyBlockedError';
-    }
-}
-/**
- * Error thrown when an operation requires interactive confirmation.
- *
- * Callers can catch this error, prompt the user, and retry the operation
- * using {@link withSafetyConfirmation}.
- */
-export class SafetyConfirmationRequired extends Error {
-    evaluation;
-    constructor(evaluation) {
-        super(`Confirmation required: ${evaluation.reason}`);
-        this.evaluation = evaluation;
-        this.name = 'SafetyConfirmationRequired';
-    }
-}
-/**
- * Checks if an HTTP operation should be blocked based on a safety level.
- *
- * This is the low-level level check. For full rule-based evaluation,
- * use {@link SafetyGuard.evaluate}.
- *
- * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
- * @param path - URL pathname
- * @param level - Safety level to check against
- * @returns Error message if blocked, undefined if allowed
- */
-export function checkLevelViolation(method, path, level) {
-    const upperMethod = method.toUpperCase();
-    switch (level) {
-        case 'NONE':
-            return undefined;
-        case 'NO_DELETE':
-            if (upperMethod === 'DELETE') {
-                return `Delete operation blocked: DELETE ${path} (NO_DELETE mode prevents deletions)`;
-            }
-            return undefined;
-        case 'NO_UPDATE': {
-            if (upperMethod === 'DELETE') {
-                return `Delete operation blocked: DELETE ${path} (NO_UPDATE mode prevents deletions)`;
-            }
-            const destructivePatterns = ['/reset', '/stop', '/restart', '/operations'];
-            if (destructivePatterns.some((pattern) => path.includes(pattern)) && upperMethod === 'POST') {
-                return `Destructive operation blocked: POST ${path} (NO_UPDATE mode prevents reset/stop/restart)`;
-            }
-            return undefined;
-        }
-        case 'READ_ONLY':
-            if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(upperMethod)) {
-                return `Write operation blocked: ${upperMethod} ${path} (READ_ONLY mode prevents all modifications)`;
-            }
-            return undefined;
-        default:
-            return undefined;
-    }
-}
-/**
- * Checks if an HTTP operation should be blocked based on safety configuration.
- *
- * @param method - HTTP method (GET, POST, PUT, PATCH, DELETE)
- * @param url - Request URL
- * @param config - Safety configuration
- * @returns Error message if blocked, undefined if allowed
- * @deprecated Use {@link SafetyGuard.evaluate} for full rule-based evaluation.
- */
-export function checkSafetyViolation(method, url, config) {
-    const path = new URL(url, 'http://dummy').pathname;
-    return checkLevelViolation(method, path, config.level);
-}
-/**
- * Parse safety level from environment variable.
- *
- * Reads from SFCC_SAFETY_LEVEL. Valid values: NONE, NO_DELETE, NO_UPDATE, READ_ONLY
- * (case-insensitive; dashes converted to underscores). Invalid values are logged
- * as a warning and the default level is returned.
- *
- * @param defaultLevel - Default level if no environment variable is set or value is invalid
- * @returns Parsed safety level
- */
-export function getSafetyLevel(defaultLevel = 'NONE') {
-    const safetyLevelEnv = process.env['SFCC_SAFETY_LEVEL'];
-    if (safetyLevelEnv) {
-        const parsed = parseSafetyLevelString(safetyLevelEnv);
-        if (parsed)
-            return parsed;
-        getLogger().warn({ envValue: safetyLevelEnv, validValues: VALID_LEVELS }, 'SFCC_SAFETY_LEVEL has an invalid value; using default safety level');
-    }
-    return defaultLevel;
-}
-/**
- * Get a user-friendly description of the safety level.
- */
-export function describeSafetyLevel(level) {
-    switch (level) {
-        case 'NONE':
-            return 'No safety restrictions';
-        case 'NO_DELETE':
-            return 'Delete operations blocked';
-        case 'NO_UPDATE':
-            return 'Destructive operations blocked (delete, reset, stop, restart)';
-        case 'READ_ONLY':
-            return 'Read-only mode - all write operations blocked';
-        default:
-            return 'Unknown safety level';
-    }
-}
-/**
- * Load global safety configuration from a JSON file.
- *
- * Resolution order:
- * 1. `SFCC_SAFETY_CONFIG` env var — explicit path to a safety config file
- * 2. `{configDir}/safety.json` — oclif config directory (e.g., `~/.config/b2c/safety.json`)
- *
- * The file has the same shape as the `safety` object in dw.json:
- * ```json
- * { "level": "NO_DELETE", "confirm": true, "rules": [...] }
- * ```
- *
- * @param configDir - oclif config directory path (e.g., `this.config.configDir`)
- * @returns Validated safety config fragment, or undefined if no file found
- */
-export function loadGlobalSafetyConfig(configDir) {
-    const logger = getLogger();
-    // 1. Check SFCC_SAFETY_CONFIG env var
-    const envPath = process.env['SFCC_SAFETY_CONFIG'];
-    const filePath = envPath || (configDir ? join(configDir, 'safety.json') : undefined);
-    if (!filePath || !existsSync(filePath)) {
-        return undefined;
-    }
-    try {
-        const raw = JSON.parse(readFileSync(filePath, 'utf-8'));
-        const result = {};
-        if (raw.level) {
-            const parsed = parseSafetyLevelString(raw.level);
-            if (parsed) {
-                result.level = parsed;
-            }
-            else {
-                logger.warn({ level: raw.level, file: filePath }, 'Invalid safety level in global safety config; ignoring');
-            }
-        }
-        if (raw.confirm !== undefined) {
-            result.confirm = raw.confirm === true;
-        }
-        if (raw.rules && Array.isArray(raw.rules)) {
-            result.rules = raw.rules.filter((r) => {
-                if (!isValidSafetyAction(r.action)) {
-                    logger.warn({ rule: r, file: filePath }, 'Invalid safety rule action in global safety config; skipping rule');
-                    return false;
-                }
-                return true;
-            });
-        }
-        logger.trace({ filePath, level: result.level, ruleCount: result.rules?.length }, 'Loaded global safety config');
-        return result;
-    }
-    catch (error) {
-        logger.warn({ error, file: filePath }, 'Failed to load global safety config; ignoring');
-        return undefined;
-    }
-}
-/**
- * Compute effective safety config by merging environment variables, global
- * safety config, and per-instance config.
- *
- * Merge strategy:
- * - **Level**: `max(env, global, instance)` — most restrictive wins
- * - **Confirm**: OR across all sources
- * - **Rules**: instance rules first, then global rules (first-match-wins,
- *   so instance rules can override global policy)
- *
- * @param instanceSafety - Per-instance safety config from dw.json
- * @param globalSafety - Global safety config from safety.json
- * @returns Merged SafetyConfig
- */
-export function resolveEffectiveSafetyConfig(instanceSafety, globalSafety) {
-    const envLevel = getSafetyLevel('NONE');
-    const envConfirm = process.env['SFCC_SAFETY_CONFIRM'] === 'true' || process.env['SFCC_SAFETY_CONFIRM'] === '1';
-    const instanceLevel = instanceSafety?.level ?? 'NONE';
-    const globalLevel = globalSafety?.level ?? 'NONE';
-    // Merge rules: instance first, then global (first-match-wins)
-    const instanceRules = instanceSafety?.rules ?? [];
-    const globalRules = globalSafety?.rules ?? [];
-    const mergedRules = [...instanceRules, ...globalRules];
-    return {
-        level: maxSafetyLevel(envLevel, maxSafetyLevel(globalLevel, instanceLevel)),
-        confirm: envConfirm || instanceSafety?.confirm === true || globalSafety?.confirm === true,
-        rules: mergedRules.length > 0 ? mergedRules : undefined,
-    };
-}
-//# sourceMappingURL=safety-middleware.js.map

package/dist/cjs/safety/safety-middleware.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"safety-middleware.js","sourceRoot":"","sources":["../../../src/safety/safety-middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAC,UAAU,EAAE,YAAY,EAAC,MAAM,SAAS,CAAC;AACjD,OAAO,EAAC,IAAI,EAAC,MAAM,WAAW,CAAC;AAC/B,OAAO,EAAC,SAAS,EAAC,MAAM,sBAAsB,CAAC;AAE/C,OAAO,EAAC,mBAAmB,EAAC,MAAM,YAAY,CAAC;AA2B/C;;GAEG;AACH,MAAM,WAAW,GAAgC;IAC/C,IAAI,EAAE,CAAC;IACP,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,CAAC;IACZ,SAAS,EAAE,CAAC;CACb,CAAC;AAEF;;GAEG;AACH,MAAM,YAAY,GAA2B,CAAC,MAAM,EAAE,WAAW,EAAE,WAAW,EAAE,WAAW,CAAU,CAAC;AAEtG;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,CAAc,EAAE,CAAc;IAC3D,OAAO,WAAW,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAa;IAC9C,OAAO,YAAY,CAAC,QAAQ,CAAC,KAAoB,CAAC,CAAC;AACrD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAyB;IAC9D,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IAC1D,OAAO,kBAAkB,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC;AACjE,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAGzB;IACA;IACA;IAJlB,YACE,OAAe,EACC,MAAc,EACd,GAAW,EACX,WAAwB;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAJC,WAAM,GAAN,MAAM,CAAQ;QACd,QAAG,GAAH,GAAG,CAAQ;QACX,gBAAW,GAAX,WAAW,CAAa;QAGxC,IAAI,CAAC,IAAI,GAAG,oBAAoB,CAAC;IACnC,CAAC;CACF;AAED;;;;;GAKG;AACH,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IACvB;IAA5B,YAA4B,UAA4B;QACtD,KAAK,CAAC,0BAA0B,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;QAD3B,eAAU,GAAV,UAAU,CAAkB;QAEtD,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,EAAE,IAAY,EAAE,KAAkB;IAClF,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IAEzC,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW;YACd,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB,KAAK,WAAW,CAAC,CAAC,CAAC;YACjB,IAAI,WAAW,KAAK,QAAQ,EAAE,CAAC;gBAC7B,OAAO,oCAAoC,IAAI,sCAAsC,CAAC;YACxF,CAAC;YACD,MAAM,mBAAmB,GAAG,CAAC,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC;YAC3E,IAAI,mBAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,IAAI,WAAW,KAAK,MAAM,EAAE,CAAC;gBAC5F,OAAO,uCAAuC,IAAI,+CAA+C,CAAC;YACpG,CAAC;YACD,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,KAAK,WAAW;YACd,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC7D,OAAO,4BAA4B,WAAW,IAAI,IAAI,8CAA8C,CAAC;YACvG,CAAC;YACD,OAAO,SAAS,CAAC;QAEnB;YACE,OAAO,SAAS,CAAC;IACrB,CAAC;AACH,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,GAAW,EAAE,MAAoB;IACpF,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,QAAQ,CAAC;IACnD,OAAO,mBAAmB,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;AACzD,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,eAA4B,MAAM;IAC/D,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;IACxD,IAAI,cAAc,EAAE,CAAC;QACnB,MAAM,MAAM,GAAG,sBAAsB,CAAC,cAAc,CAAC,CAAC;QACtD,IAAI,MAAM;YAAE,OAAO,MAAM,CAAC;QAE1B,SAAS,EAAE,CAAC,IAAI,CACd,EAAC,QAAQ,EAAE,cAAc,EAAE,WAAW,EAAE,YAAY,EAAC,EACrD,oEAAoE,CACrE,CAAC;IACJ,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAkB;IACpD,QAAQ,KAAK,EAAE,CAAC;QACd,KAAK,MAAM;YACT,OAAO,wBAAwB,CAAC;QAClC,KAAK,WAAW;YACd,OAAO,2BAA2B,CAAC;QACrC,KAAK,WAAW;YACd,OAAO,+DAA+D,CAAC;QACzE,KAAK,WAAW;YACd,OAAO,+CAA+C,CAAC;QACzD;YACE,OAAO,sBAAsB,CAAC;IAClC,CAAC;AACH,CAAC;AAgBD;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,sBAAsB,CAAC,SAAkB;IACvD,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,sCAAsC;IACtC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC;IAClD,MAAM,QAAQ,GAAG,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAErF,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QACvC,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAoB,CAAC;QAC3E,MAAM,MAAM,GAAyB,EAAE,CAAC;QAExC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;YACd,MAAM,MAAM,GAAG,sBAAsB,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;YACjD,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,KAAK,GAAG,MAAM,CAAC;YACxB,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,wDAAwD,CAAC,CAAC;YAC5G,CAAC;QACH,CAAC;QAED,IAAI,GAAG,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC9B,MAAM,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,KAAK,IAAI,CAAC;QACxC,CAAC;QAED,IAAI,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1C,MAAM,CAAC,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACpC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;oBACnC,MAAM,CAAC,IAAI,CAAC,EAAC,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,mEAAmE,CAAC,CAAC;oBAC5G,OAAO,KAAK,CAAC;gBACf,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAiB,CAAC;QACrB,CAAC;QAED,MAAM,CAAC,KAAK,CAAC,EAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAC,EAAE,6BAA6B,CAAC,CAAC;QAC9G,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,CAAC,IAAI,CAAC,EAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAC,EAAE,+CAA+C,CAAC,CAAC;QACtF,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,4BAA4B,CAC1C,cAAqC,EACrC,YAAmC;IAEnC,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,KAAK,GAAG,CAAC;IAE/G,MAAM,aAAa,GAAG,cAAc,EAAE,KAAK,IAAI,MAAM,CAAC;IACtD,MAAM,WAAW,GAAG,YAAY,EAAE,KAAK,IAAI,MAAM,CAAC;IAElD,8DAA8D;IAC9D,MAAM,aAAa,GAAG,cAAc,EAAE,KAAK,IAAI,EAAE,CAAC;IAClD,MAAM,WAAW,GAAG,YAAY,EAAE,KAAK,IAAI,EAAE,CAAC;IAC9C,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,WAAW,CAAC,CAAC;IAEvD,OAAO;QACL,KAAK,EAAE,cAAc,CAAC,QAAQ,EAAE,cAAc,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;QAC3E,OAAO,EAAE,UAAU,IAAI,cAAc,EAAE,OAAO,KAAK,IAAI,IAAI,YAAY,EAAE,OAAO,KAAK,IAAI;QACzF,KAAK,EAAE,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;KACxD,CAAC;AACJ,CAAC"}