npm - @sentinel-atl/trust-gateway - Versions diffs - 0.3.0 - Mend

@sentinel-atl/trust-gateway 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,134 @@
+# @sentinel-atl/trust-gateway
+YAML-configured MCP trust gateway — runtime enforcement of Sentinel Trust Certificates.
+Acts as a reverse proxy between MCP clients and servers, enforcing trust policies based on scan results and STCs. Supports stdio and HTTP/SSE upstreams, strict/permissive modes, per-server policies, and tool-level access control.
+## Install
+```bash
+npm install @sentinel-atl/trust-gateway
+```
+## Quick Start
+### 1. Create a config file
+```yaml
+# sentinel.yaml
+gateway:
+  name: my-gateway
+  port: 3100
+  mode: strict        # reject untrusted servers (or 'permissive' to warn only)
+  minTrustScore: 60
+  minGrade: C
+servers:
+  - name: filesystem
+    upstream: stdio://node ./fs-server.js
+    trust:
+      minScore: 75
+      minGrade: B
+      requireCertificate: true
+      maxFindingsCritical: 0
+      maxFindingsHigh: 2
+      allowedPermissions: [filesystem]
+    blockedTools: [delete_file]
+```
+### 2. Start the gateway
+```bash
+npx sentinel-gateway --config sentinel.yaml
+```
+### 3. Validate config without starting
+```bash
+npx sentinel-gateway validate sentinel.yaml
+```
+## Configuration Reference
+### Gateway Settings
+```yaml
+gateway:
+  name: my-gateway
+  port: 3100
+  mode: strict | permissive
+  minTrustScore: 60          # Global minimum (0-100)
+  minGrade: C                # Global minimum (A-F)
+  logPath: ./audit.jsonl     # Audit log location
+  apiKeys: [key1, key2]      # API key auth
+  corsOrigins: ['*']         # CORS origins
+  tlsCert: /path/to/cert.pem
+  tlsKey: /path/to/key.pem
+  rateLimit: "1000/min"
+```
+### Per-Server Policies
+```yaml
+servers:
+  - name: my-server
+    upstream: http://localhost:4000/sse  # or stdio://command args
+    trust:
+      minScore: 75
+      minGrade: B
+      requireCertificate: true
+      maxFindingsCritical: 0
+      maxFindingsHigh: 2
+      allowedPermissions: [filesystem, network]
+      blockedPermissions: [native]
+    rateLimit: "100/min"
+    blockedTools: [dangerous_tool]
+    allowedTools: [safe_tool_a, safe_tool_b]
+    certificatePath: ./server.stc.json
+```
+## Programmatic Usage
+```ts
+import { TrustGateway, loadConfig } from '@sentinel-atl/trust-gateway';
+const config = await loadConfig('./sentinel.yaml');
+const gateway = new TrustGateway(config);
+const decision = await gateway.evaluate({
+  serverName: 'filesystem',
+  tool: 'read_file',
+});
+// { allowed: true, score: 85, grade: 'B', ... }
+```
+### With Persistent Storage
+```ts
+import { TrustStore } from '@sentinel-atl/trust-gateway';
+import { RedisStore } from '@sentinel-atl/store';
+const backend = new RedisStore({ url: 'redis://localhost:6379' });
+const trustStore = new TrustStore({ backend });
+```
+## Environment Variables
+| Variable | Description |
+|----------|-------------|
+| `SENTINEL_API_KEYS` | API key auth |
+| `SENTINEL_CORS_ORIGINS` | CORS allowed origins |
+| `SENTINEL_TLS_CERT_PATH` | TLS certificate path |
+| `SENTINEL_TLS_KEY_PATH` | TLS private key path |
+## Security
+- **Content-Type enforcement** on `/message` endpoint
+- **Security headers** — CSP, X-Content-Type-Options, X-Frame-Options
+- **HSTS** when TLS is active
+- **Rate limiting** — global and per-server
+- **Audit logging** to JSONL with rotation
+## License
+MIT

package/dist/cli.d.ts ADDED Viewed

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js ADDED Viewed

@@ -0,0 +1,153 @@
+#!/usr/bin/env node
+process.on('unhandledRejection', (err) => {
+    console.error('Unhandled rejection:', err);
+    process.exit(1);
+});
+process.on('uncaughtException', (err) => {
+    console.error('Uncaught exception:', err);
+    process.exit(1);
+});
+/**
+ * sentinel-gateway — CLI for running the Sentinel Trust Gateway
+ *
+ * Usage:
+ *   sentinel-gateway --config sentinel.yaml
+ *   sentinel-gateway validate sentinel.yaml
+ */
+import { readFile } from 'node:fs/promises';
+import { loadConfig, validateConfig } from './config.js';
+import { TrustGateway } from './gateway.js';
+import { TrustGatewayProxy } from './proxy.js';
+import { parse as parseYaml } from 'yaml';
+import { authConfigFromEnv, corsConfigFromEnv, tlsConfigFromEnv, } from '@sentinel-atl/hardening';
+const args = process.argv.slice(2);
+if (args[0] === 'validate') {
+    // Validate a config file
+    const configPath = args[1];
+    if (!configPath) {
+        console.error('Usage: sentinel-gateway validate <config.yaml>');
+        process.exit(1);
+    }
+    try {
+        const raw = await readFile(configPath, 'utf-8');
+        const config = parseYaml(raw);
+        const errors = validateConfig(config);
+        if (errors.length === 0) {
+            console.log('✓ Configuration is valid');
+            console.log(`  Gateway: ${config.gateway.name}`);
+            console.log(`  Mode: ${config.gateway.mode}`);
+            console.log(`  Servers: ${config.servers.length}`);
+            for (const server of config.servers) {
+                console.log(`    - ${server.name} → ${server.upstream}`);
+            }
+        }
+        else {
+            console.error('✗ Configuration errors:');
+            for (const err of errors) {
+                console.error(`  ${err.path}: ${err.message}`);
+            }
+            process.exit(1);
+        }
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+}
+else if (args.includes('--config')) {
+    const configIdx = args.indexOf('--config');
+    const configPath = args[configIdx + 1];
+    if (!configPath) {
+        console.error('Usage: sentinel-gateway --config <sentinel.yaml>');
+        process.exit(1);
+    }
+    try {
+        const config = await loadConfig(configPath);
+        console.log(`🛡️  Sentinel Trust Gateway`);
+        console.log(`  Name: ${config.gateway.name}`);
+        console.log(`  Mode: ${config.gateway.mode}`);
+        console.log(`  Port: ${config.gateway.port}`);
+        console.log(`  Servers: ${config.servers.length}`);
+        for (const server of config.servers) {
+            console.log(`    - ${server.name} → ${server.upstream}`);
+        }
+        const gateway = new TrustGateway(config);
+        // Load certificates
+        for (const server of config.servers) {
+            if (server.certificatePath) {
+                try {
+                    const stored = await gateway.getTrustStore().loadCertificate(server.name, server.certificatePath);
+                    const status = stored.verified ? '✓ verified' : '✗ invalid';
+                    console.log(`  [${status}] ${server.name}: score ${stored.certificate.trustScore.overall}/100`);
+                }
+                catch (err) {
+                    console.error(`  ✗ Failed to load certificate for ${server.name}: ${err.message}`);
+                }
+            }
+        }
+        // Start HTTP proxy with hardening config (YAML > env > defaults)
+        const authConfig = config.gateway.apiKeys?.length
+            ? { enabled: true, keys: config.gateway.apiKeys.map(k => ({ key: k, scopes: ['read', 'write', 'admin'] })) }
+            : authConfigFromEnv();
+        const corsConfig = config.gateway.corsOrigins?.length
+            ? { allowedOrigins: config.gateway.corsOrigins }
+            : corsConfigFromEnv();
+        const tlsConfig = (config.gateway.tlsCert && config.gateway.tlsKey)
+            ? { enabled: true, certPath: config.gateway.tlsCert, keyPath: config.gateway.tlsKey }
+            : tlsConfigFromEnv();
+        const proxy = new TrustGatewayProxy({
+            config,
+            trustStore: gateway.getTrustStore(),
+            auth: authConfig,
+            cors: corsConfig,
+            tls: tlsConfig,
+        });
+        const { port } = await proxy.start();
+        const proto = tlsConfig ? 'https' : 'http';
+        console.log(`\n  🚀 HTTP proxy listening on ${proto}://localhost:${port}`);
+        console.log('  Endpoints:');
+        console.log(`    GET  /sse?server=<name>   SSE stream`);
+        console.log(`    POST /message?server=<name>  JSON-RPC relay`);
+        console.log(`    GET  /health              Health check`);
+        console.log(`    GET  /stats               Gateway stats`);
+        console.log();
+        // Graceful shutdown
+        const shutdown = async () => {
+            console.log('\n  Shutting down...');
+            await proxy.stop();
+            process.exit(0);
+        };
+        process.on('SIGINT', shutdown);
+        process.on('SIGTERM', shutdown);
+    }
+    catch (err) {
+        console.error(`Error: ${err.message}`);
+        process.exit(1);
+    }
+}
+else {
+    console.log('🛡️  Sentinel Trust Gateway');
+    console.log();
+    console.log('Usage:');
+    console.log('  sentinel-gateway --config <sentinel.yaml>   Start the HTTP proxy');
+    console.log('  sentinel-gateway validate <config.yaml>     Validate config');
+    console.log();
+    console.log('Example sentinel.yaml:');
+    console.log(`
+gateway:
+  name: my-gateway
+  port: 3100
+  mode: strict
+  minTrustScore: 60
+servers:
+  - name: filesystem
+    upstream: stdio://node server.js
+    trust:
+      minScore: 75
+      requireCertificate: true
+      allowedPermissions: [filesystem]
+    blockedTools: [delete_file]
+  `);
+}
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;IACvC,OAAO,CAAC,KAAK,CAAC,sBAAsB,EAAE,GAAG,CAAC,CAAC;IAC3C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AACH,OAAO,CAAC,EAAE,CAAC,mBAAmB,EAAE,CAAC,GAAG,EAAE,EAAE;IACtC,OAAO,CAAC,KAAK,CAAC,qBAAqB,EAAE,GAAG,CAAC,CAAC;IAC1C,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACzD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EACL,iBAAiB,EACjB,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,yBAAyB,CAAC;AAGjC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAEnC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,UAAU,EAAE,CAAC;IAC3B,yBAAyB;IACzB,MAAM,UAAU,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;IAC3B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;QAC9B,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QAEtC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,CAAC;YACxC,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YACjD,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACpC,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,KAAK,CAAC,yBAAyB,CAAC,CAAC;YACzC,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;gBACzB,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,CAAC,OAAO,EAAE,CAAC,CAAC;YACjD,CAAC;YACD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAW,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,IAAI,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;IACvC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,UAAU,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,cAAc,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,OAAO,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,IAAI,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC;QAEzC,oBAAoB;QACpB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,aAAa,EAAE,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,eAAe,CAAC,CAAC;oBAClG,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,WAAW,CAAC;oBAC5D,OAAO,CAAC,GAAG,CAAC,MAAM,MAAM,KAAK,MAAM,CAAC,IAAI,WAAW,MAAM,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,MAAM,CAAC,CAAC;gBAClG,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,OAAO,CAAC,KAAK,CAAC,sCAAsC,MAAM,CAAC,IAAI,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;gBAChG,CAAC;YACH,CAAC;QACH,CAAC;QAED,iEAAiE;QACjE,MAAM,UAAU,GAA2B,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,MAAM;YACvE,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,MAAe,EAAE,OAAgB,EAAE,OAAgB,CAAC,EAAE,CAAC,CAAC,EAAE;YACvI,CAAC,CAAC,iBAAiB,EAAE,CAAC;QAExB,MAAM,UAAU,GAA2B,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE,MAAM;YAC3E,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,OAAO,CAAC,WAAW,EAAE;YAChD,CAAC,CAAC,iBAAiB,EAAE,CAAC;QAExB,MAAM,SAAS,GAA0B,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;YACxF,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE;YACrF,CAAC,CAAC,gBAAgB,EAAE,CAAC;QAEvB,MAAM,KAAK,GAAG,IAAI,iBAAiB,CAAC;YAClC,MAAM;YACN,UAAU,EAAE,OAAO,CAAC,aAAa,EAAE;YACnC,IAAI,EAAE,UAAU;YAChB,IAAI,EAAE,UAAU;YAChB,GAAG,EAAE,SAAS;SACf,CAAC,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,KAAK,CAAC,KAAK,EAAE,CAAC;QAErC,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC;QAC3C,OAAO,CAAC,GAAG,CAAC,kCAAkC,KAAK,gBAAgB,IAAI,EAAE,CAAC,CAAC;QAC3E,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QAC5B,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAC/D,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,EAAE,CAAC;QAEd,oBAAoB;QACpB,MAAM,QAAQ,GAAG,KAAK,IAAI,EAAE;YAC1B,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;YACpC,MAAM,KAAK,CAAC,IAAI,EAAE,CAAC;YACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC,CAAC;QACF,OAAO,CAAC,EAAE,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAC/B,OAAO,CAAC,EAAE,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,UAAW,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAClD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC;KAAM,CAAC;IACN,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;IAC3C,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACtB,OAAO,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;IAClF,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAC;IAC7E,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;GAeX,CAAC,CAAC;AACL,CAAC"}

package/dist/config.d.ts ADDED Viewed

@@ -0,0 +1,95 @@
+/**
+ * YAML configuration loader and validator for the trust gateway.
+ *
+ * Example sentinel.yaml:
+ *
+ * gateway:
+ *   name: my-trust-gateway
+ *   port: 3100
+ *   mode: strict           # strict = reject unverified, permissive = warn only
+ *   minTrustScore: 60      # global minimum trust score (0-100)
+ *   minGrade: C            # global minimum grade (A-F)
+ *   logPath: ./audit.jsonl
+ *
+ * servers:
+ *   - name: filesystem
+ *     upstream: stdio://node server.js
+ *     trust:
+ *       minScore: 75
+ *       minGrade: B
+ *       requireCertificate: true
+ *       maxFindingsCritical: 0
+ *       maxFindingsHigh: 2
+ *       allowedPermissions: [filesystem]
+ *     rateLimit: 100/min
+ *     blockedTools: [delete_file, write_file]
+ *
+ *   - name: web-search
+ *     upstream: http://localhost:4000/sse
+ *     trust:
+ *       minScore: 50
+ *       allowedPermissions: [network]
+ */
+export interface TrustRequirements {
+    /** Minimum trust score (0-100) */
+    minScore?: number;
+    /** Minimum grade (A-F) */
+    minGrade?: string;
+    /** Whether a valid STC is required */
+    requireCertificate?: boolean;
+    /** Maximum allowed critical findings */
+    maxFindingsCritical?: number;
+    /** Maximum allowed high findings */
+    maxFindingsHigh?: number;
+    /** Allowed permission kinds (whitelist) */
+    allowedPermissions?: string[];
+    /** Blocked permission kinds (blacklist) */
+    blockedPermissions?: string[];
+}
+export interface ServerPolicy {
+    /** Server name */
+    name: string;
+    /** Upstream MCP server connection (stdio:// or http://) */
+    upstream: string;
+    /** Trust requirements for this server */
+    trust?: TrustRequirements;
+    /** Rate limit (e.g., "100/min", "1000/hour") */
+    rateLimit?: string;
+    /** Blocked tool names */
+    blockedTools?: string[];
+    /** Allowed tool names (whitelist — if set, only these tools are allowed) */
+    allowedTools?: string[];
+    /** Path to the server's STC file */
+    certificatePath?: string;
+}
+export interface GatewayConfig {
+    gateway: {
+        name: string;
+        port: number;
+        mode: 'strict' | 'permissive';
+        minTrustScore?: number;
+        minGrade?: string;
+        logPath?: string;
+        /** API keys for authentication (comma-separated in YAML, or use env SENTINEL_API_KEYS) */
+        apiKeys?: string[];
+        /** Allowed CORS origins (comma-separated in YAML, or use env SENTINEL_CORS_ORIGINS) */
+        corsOrigins?: string[];
+        /** Path to TLS certificate file */
+        tlsCert?: string;
+        /** Path to TLS key file */
+        tlsKey?: string;
+        /** Global rate limit (e.g. "1000/min") */
+        rateLimit?: string;
+    };
+    servers: ServerPolicy[];
+}
+export interface ConfigError {
+    path: string;
+    message: string;
+}
+export declare function validateConfig(config: GatewayConfig): ConfigError[];
+/**
+ * Load and validate a sentinel.yaml configuration file.
+ */
+export declare function loadConfig(configPath: string): Promise<GatewayConfig>;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAOH,MAAM,WAAW,iBAAiB;IAChC,kCAAkC;IAClC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,sCAAsC;IACtC,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,wCAAwC;IACxC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,oCAAoC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,2CAA2C;IAC3C,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC/B;AAED,MAAM,WAAW,YAAY;IAC3B,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAC1B,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,4EAA4E;IAC5E,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,oCAAoC;IACpC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAED,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE;QACP,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,IAAI,EAAE,QAAQ,GAAG,YAAY,CAAC;QAC9B,aAAa,CAAC,EAAE,MAAM,CAAC;QACvB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,0FAA0F;QAC1F,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;QACnB,uFAAuF;QACvF,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,mCAAmC;QACnC,OAAO,CAAC,EAAE,MAAM,CAAC;QACjB,2BAA2B;QAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,0CAA0C;QAC1C,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB,CAAC;IACF,OAAO,EAAE,YAAY,EAAE,CAAC;CACzB;AAOD,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,aAAa,GAAG,WAAW,EAAE,CAsEnE;AAID;;GAEG;AACH,wBAAsB,UAAU,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAW3E"}

package/dist/config.js ADDED Viewed

@@ -0,0 +1,110 @@
+/**
+ * YAML configuration loader and validator for the trust gateway.
+ *
+ * Example sentinel.yaml:
+ *
+ * gateway:
+ *   name: my-trust-gateway
+ *   port: 3100
+ *   mode: strict           # strict = reject unverified, permissive = warn only
+ *   minTrustScore: 60      # global minimum trust score (0-100)
+ *   minGrade: C            # global minimum grade (A-F)
+ *   logPath: ./audit.jsonl
+ *
+ * servers:
+ *   - name: filesystem
+ *     upstream: stdio://node server.js
+ *     trust:
+ *       minScore: 75
+ *       minGrade: B
+ *       requireCertificate: true
+ *       maxFindingsCritical: 0
+ *       maxFindingsHigh: 2
+ *       allowedPermissions: [filesystem]
+ *     rateLimit: 100/min
+ *     blockedTools: [delete_file, write_file]
+ *
+ *   - name: web-search
+ *     upstream: http://localhost:4000/sse
+ *     trust:
+ *       minScore: 50
+ *       allowedPermissions: [network]
+ */
+import { readFile } from 'node:fs/promises';
+import { parse as parseYaml } from 'yaml';
+// ─── Validators ──────────────────────────────────────────────────────
+const VALID_GRADES = ['A', 'B', 'C', 'D', 'F'];
+const VALID_PERMISSIONS = ['filesystem', 'network', 'process', 'crypto', 'environment', 'native'];
+export function validateConfig(config) {
+    const errors = [];
+    if (!config.gateway) {
+        errors.push({ path: 'gateway', message: 'Missing gateway configuration' });
+        return errors;
+    }
+    if (!config.gateway.name) {
+        errors.push({ path: 'gateway.name', message: 'Gateway name is required' });
+    }
+    if (!config.gateway.port || config.gateway.port < 1 || config.gateway.port > 65535) {
+        errors.push({ path: 'gateway.port', message: 'Port must be between 1 and 65535' });
+    }
+    if (!['strict', 'permissive'].includes(config.gateway.mode)) {
+        errors.push({ path: 'gateway.mode', message: 'Mode must be "strict" or "permissive"' });
+    }
+    if (config.gateway.minTrustScore !== undefined &&
+        (config.gateway.minTrustScore < 0 || config.gateway.minTrustScore > 100)) {
+        errors.push({ path: 'gateway.minTrustScore', message: 'Score must be 0-100' });
+    }
+    if (config.gateway.minGrade !== undefined && !VALID_GRADES.includes(config.gateway.minGrade)) {
+        errors.push({ path: 'gateway.minGrade', message: `Grade must be one of: ${VALID_GRADES.join(', ')}` });
+    }
+    if (!Array.isArray(config.servers)) {
+        errors.push({ path: 'servers', message: 'Servers must be an array' });
+        return errors;
+    }
+    for (let i = 0; i < config.servers.length; i++) {
+        const server = config.servers[i];
+        const prefix = `servers[${i}]`;
+        if (!server.name) {
+            errors.push({ path: `${prefix}.name`, message: 'Server name is required' });
+        }
+        if (!server.upstream) {
+            errors.push({ path: `${prefix}.upstream`, message: 'Upstream is required' });
+        }
+        else if (!server.upstream.startsWith('stdio://') &&
+            !server.upstream.startsWith('http://') &&
+            !server.upstream.startsWith('https://')) {
+            errors.push({ path: `${prefix}.upstream`, message: 'Upstream must start with stdio://, http://, or https://' });
+        }
+        if (server.trust?.minGrade && !VALID_GRADES.includes(server.trust.minGrade)) {
+            errors.push({ path: `${prefix}.trust.minGrade`, message: `Grade must be one of: ${VALID_GRADES.join(', ')}` });
+        }
+        if (server.trust?.allowedPermissions) {
+            for (const perm of server.trust.allowedPermissions) {
+                if (!VALID_PERMISSIONS.includes(perm)) {
+                    errors.push({ path: `${prefix}.trust.allowedPermissions`, message: `Unknown permission: ${perm}` });
+                }
+            }
+        }
+        if (server.rateLimit) {
+            if (!/^\d+\/(min|hour|day)$/.test(server.rateLimit)) {
+                errors.push({ path: `${prefix}.rateLimit`, message: 'Rate limit must be in format "N/min", "N/hour", or "N/day"' });
+            }
+        }
+    }
+    return errors;
+}
+// ─── Loader ──────────────────────────────────────────────────────────
+/**
+ * Load and validate a sentinel.yaml configuration file.
+ */
+export async function loadConfig(configPath) {
+    const raw = await readFile(configPath, 'utf-8');
+    const config = parseYaml(raw);
+    const errors = validateConfig(config);
+    if (errors.length > 0) {
+        const messages = errors.map(e => `  ${e.path}: ${e.message}`).join('\n');
+        throw new Error(`Invalid configuration:\n${messages}`);
+    }
+    return config;
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AA4D1C,wEAAwE;AAExE,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;AAC/C,MAAM,iBAAiB,GAAG,CAAC,YAAY,EAAE,SAAS,EAAE,SAAS,EAAE,QAAQ,EAAE,aAAa,EAAE,QAAQ,CAAC,CAAC;AAOlG,MAAM,UAAU,cAAc,CAAC,MAAqB;IAClD,MAAM,MAAM,GAAkB,EAAE,CAAC;IAEjC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CAAC;QAC3E,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;IAC7E,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,KAAK,EAAE,CAAC;QACnF,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;IACrF,CAAC;IAED,IAAI,CAAC,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5D,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,uCAAuC,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,KAAK,SAAS;QAC1C,CAAC,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,GAAG,GAAG,CAAC,EAAE,CAAC;QAC7E,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,uBAAuB,EAAE,OAAO,EAAE,qBAAqB,EAAE,CAAC,CAAC;IACjF,CAAC;IAED,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,KAAK,SAAS,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7F,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,EAAE,yBAAyB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;IACzG,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACnC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,0BAA0B,EAAE,CAAC,CAAC;QACtE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,MAAM,GAAG,WAAW,CAAC,GAAG,CAAC;QAE/B,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,OAAO,EAAE,OAAO,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,WAAW,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAC/E,CAAC;aAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC;YACvC,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC;YACtC,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,WAAW,EAAE,OAAO,EAAE,yDAAyD,EAAE,CAAC,CAAC;QAClH,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,EAAE,QAAQ,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5E,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,iBAAiB,EAAE,OAAO,EAAE,yBAAyB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC;QACjH,CAAC;QAED,IAAI,MAAM,CAAC,KAAK,EAAE,kBAAkB,EAAE,CAAC;YACrC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC;gBACnD,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;oBACtC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,2BAA2B,EAAE,OAAO,EAAE,uBAAuB,IAAI,EAAE,EAAE,CAAC,CAAC;gBACtG,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;YACrB,IAAI,CAAC,uBAAuB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;gBACpD,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,GAAG,MAAM,YAAY,EAAE,OAAO,EAAE,4DAA4D,EAAE,CAAC,CAAC;YACtH,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,wEAAwE;AAExE;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,UAAkB;IACjD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAChD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAkB,CAAC;IAE/C,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACtC,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,2BAA2B,QAAQ,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/gateway.d.ts ADDED Viewed

@@ -0,0 +1,63 @@
+/**
+ * Trust Gateway — runtime MCP request enforcement using YAML policies and STCs.
+ *
+ * For every incoming tool call, the gateway:
+ * 1. Identifies which server policy applies
+ * 2. Checks the server's STC trust score against the policy
+ * 3. Enforces tool allow/block lists
+ * 4. Applies rate limiting
+ * 5. Logs the decision to the audit trail
+ */
+import { AuditLog } from '@sentinel-atl/audit';
+import type { GatewayConfig } from './config.js';
+import { TrustStore } from './trust-store.js';
+export interface GatewayRequest {
+    /** Name of the server being called */
+    serverName: string;
+    /** Tool being invoked */
+    toolName: string;
+    /** Caller identifier */
+    callerId: string;
+    /** Tool call arguments (for logging) */
+    arguments?: Record<string, unknown>;
+}
+export type TrustDecision = 'allow' | 'deny-no-cert' | 'deny-invalid-cert' | 'deny-expired' | 'deny-score' | 'deny-grade' | 'deny-findings' | 'deny-permissions' | 'deny-blocked-tool' | 'deny-not-allowed' | 'deny-rate-limit' | 'deny-unknown-server' | 'warn';
+export interface GatewayResponse {
+    allowed: boolean;
+    decision: TrustDecision;
+    reason?: string;
+    serverName: string;
+    toolName: string;
+    trustScore?: number;
+    grade?: string;
+    latencyMs: number;
+}
+export declare class TrustGateway {
+    private config;
+    private trustStore;
+    private auditLog;
+    private rateLimiters;
+    private stats;
+    constructor(config: GatewayConfig, trustStore?: TrustStore, auditLog?: AuditLog);
+    /**
+     * Get the trust store for loading certificates.
+     */
+    getTrustStore(): TrustStore;
+    /**
+     * Process a tool call request through the trust pipeline.
+     */
+    processRequest(request: GatewayRequest): Promise<GatewayResponse>;
+    /**
+     * Get gateway stats.
+     */
+    getStats(): {
+        totalRequests: number;
+        allowed: number;
+        denied: number;
+        warned: number;
+    };
+    private checkTrust;
+    private audit;
+    private makeResponse;
+}
+//# sourceMappingURL=gateway.d.ts.map

package/dist/gateway.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../src/gateway.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAC/C,OAAO,KAAK,EAAE,aAAa,EAAmC,MAAM,aAAa,CAAC;AAClF,OAAO,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAI9C,MAAM,WAAW,cAAc;IAC7B,sCAAsC;IACtC,UAAU,EAAE,MAAM,CAAC;IACnB,yBAAyB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,wBAAwB;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,wCAAwC;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,MAAM,MAAM,aAAa,GACrB,OAAO,GACP,cAAc,GACd,mBAAmB,GACnB,cAAc,GACd,YAAY,GACZ,YAAY,GACZ,eAAe,GACf,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,iBAAiB,GACjB,qBAAqB,GACrB,MAAM,CAAC;AAEX,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,aAAa,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAiDD,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,UAAU,CAAa;IAC/B,OAAO,CAAC,QAAQ,CAAW;IAC3B,OAAO,CAAC,YAAY,CAAkC;IACtD,OAAO,CAAC,KAAK,CAKX;gBAEU,MAAM,EAAE,aAAa,EAAE,UAAU,CAAC,EAAE,UAAU,EAAE,QAAQ,CAAC,EAAE,QAAQ;IAgB/E;;OAEG;IACH,aAAa,IAAI,UAAU;IAI3B;;OAEG;IACG,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC;IAiFvE;;OAEG;IACH,QAAQ;;;;;;IAMR,OAAO,CAAC,UAAU;YA4EJ,KAAK;IAkBnB,OAAO,CAAC,YAAY;CAgBrB"}