@skillsmith/core 0.4.9 → 0.4.11

package/dist/src/services/quarantine/QuarantineService.js

@@ -0,0 +1,464 @@
+/**
+ * SMI-2269: Quarantine Service with Authentication
+ * SMI-2277: Persist multi-approval state to database
+ *
+ * Service layer for quarantine operations that enforces authentication
+ * and authorization. Wraps QuarantineRepository with security controls.
+ *
+ * VP Engineering Guidance:
+ * - Auth belongs in service/handler layer, not repository
+ * - Repositories should be pure data access
+ *
+ * Security Controls:
+ * - QUA-002: Requires authenticated session for review operations
+ * - Enforces security_reviewer permission for review access
+ * - Multi-approval workflow for MALICIOUS severity
+ * - Audit logs include verified reviewer identity
+ * - Approval state persisted to database (survives restarts)
+ *
+ * @module @skillsmith/core/services/quarantine/QuarantineService
+ */
+import { QuarantineServiceError, requirePermission } from './types.js';
+// ============================================================================
+// Configuration
+// ============================================================================
+/**
+ * Number of approvals required for MALICIOUS severity reviews
+ */
+const MALICIOUS_APPROVAL_COUNT = 2;
+/**
+ * Multi-approval timeout in milliseconds (24 hours)
+ */
+const MULTI_APPROVAL_TIMEOUT_MS = 24 * 60 * 60 * 1000;
+// ============================================================================
+// Service Implementation
+// ============================================================================
+/**
+ * Quarantine Service with Authentication
+ *
+ * Provides authenticated access to quarantine operations with:
+ * - Session validation
+ * - Permission checks (security_reviewer role)
+ * - Multi-approval workflow for MALICIOUS severity
+ * - Audit logging with verified identities
+ * - Database-persisted approval state (SMI-2277)
+ *
+ * @example
+ * ```typescript
+ * const service = new QuarantineService(repository, approvalRepository, auditLogger)
+ *
+ * // Review a quarantined skill (requires authentication)
+ * const result = await service.review(
+ *   session,
+ *   quarantineId,
+ *   { reviewStatus: 'approved', reviewNotes: 'Verified safe' }
+ * )
+ * ```
+ */
+export class QuarantineService {
+    repository;
+    approvalRepository;
+    auditLogger;
+    constructor(repository, approvalRepository, auditLogger) {
+        this.repository = repository;
+        this.approvalRepository = approvalRepository;
+        this.auditLogger = auditLogger;
+    }
+    // ==========================================================================
+    // Read Operations (require quarantine:read permission)
+    // ==========================================================================
+    /**
+     * Find a quarantine entry by ID
+     *
+     * @param session - Authenticated session
+     * @param id - Quarantine entry ID
+     * @returns Quarantine entry or null
+     */
+    findById(session, id) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findById(id);
+    }
+    /**
+     * Find quarantine entries for a skill
+     *
+     * @param session - Authenticated session
+     * @param skillId - Skill ID
+     * @returns Array of quarantine entries
+     */
+    findBySkillId(session, skillId) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findBySkillId(skillId);
+    }
+    /**
+     * Find all quarantine entries with optional filtering
+     *
+     * @param session - Authenticated session
+     * @param filter - Query filters
+     * @returns Paginated quarantine results
+     */
+    findAll(session, filter) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.findAll(filter);
+    }
+    /**
+     * Get quarantine statistics
+     *
+     * @param session - Authenticated session
+     * @returns Quarantine statistics
+     */
+    getStats(session) {
+        requirePermission(session, 'quarantine:read');
+        return this.repository.getStats();
+    }
+    // ==========================================================================
+    // Review Operations (require quarantine:review permission)
+    // ==========================================================================
+    /**
+     * Review a quarantine entry with authentication
+     *
+     * This is the secure replacement for QuarantineRepository.review().
+     * It enforces:
+     * - Valid authenticated session
+     * - security_reviewer permission (quarantine:review)
+     * - Multi-approval for MALICIOUS severity (quarantine:review_malicious)
+     * - Audit logging with verified reviewer identity
+     *
+     * @param session - Authenticated session (verified by auth layer)
+     * @param quarantineId - Quarantine entry ID to review
+     * @param input - Review decision and notes
+     * @returns Review result with verified reviewer identity
+     * @throws QuarantineServiceError on auth/permission failure
+     */
+    review(session, quarantineId, input) {
+        // Validate session and require review permission
+        requirePermission(session, 'quarantine:review');
+        // Get the quarantine entry
+        const entry = this.repository.findById(quarantineId);
+        if (!entry) {
+            throw new QuarantineServiceError(`Quarantine entry not found: ${quarantineId}`, 'NOT_FOUND', {
+                quarantineId,
+            });
+        }
+        // Check if already reviewed
+        if (entry.reviewStatus !== 'pending') {
+            throw new QuarantineServiceError(`Quarantine entry already reviewed: ${entry.reviewStatus}`, 'ALREADY_REVIEWED', { quarantineId, currentStatus: entry.reviewStatus });
+        }
+        // For MALICIOUS severity, require multi-approval workflow
+        if (entry.severity === 'MALICIOUS' && input.reviewStatus === 'approved') {
+            return this.handleMaliciousApproval(session, quarantineId, entry.skillId, input);
+        }
+        // For MALICIOUS severity rejection or non-MALICIOUS, check elevated permission
+        if (entry.severity === 'MALICIOUS') {
+            requirePermission(session, 'quarantine:review_malicious');
+        }
+        // Perform the review with verified identity
+        const reviewResult = this.repository.review(quarantineId, {
+            reviewedBy: session.email, // Verified email from session
+            reviewStatus: input.reviewStatus,
+            reviewNotes: input.reviewNotes,
+        });
+        if (!reviewResult) {
+            throw new QuarantineServiceError('Failed to review quarantine entry', 'INVALID_INPUT', {
+                quarantineId,
+            });
+        }
+        // Log audit event with full session details
+        this.auditLogger.log({
+            event_type: 'quarantine_authenticated_review',
+            actor: 'reviewer',
+            resource: entry.skillId,
+            action: 'review',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                reviewStatus: input.reviewStatus,
+                reviewer: {
+                    userId: session.userId,
+                    email: session.email,
+                    displayName: session.displayName,
+                },
+                sessionId: session.sessionId,
+                severity: entry.severity,
+                canImport: reviewResult.canImport,
+            },
+        });
+        return {
+            success: true,
+            approved: reviewResult.approved,
+            skillId: reviewResult.skillId,
+            severity: reviewResult.severity,
+            canImport: reviewResult.canImport,
+            warnings: reviewResult.warnings,
+            reviewedBy: {
+                userId: session.userId,
+                email: session.email,
+                displayName: session.displayName,
+            },
+        };
+    }
+    // ==========================================================================
+    // Multi-Approval Workflow (MALICIOUS Severity)
+    // ==========================================================================
+    /**
+     * Handle approval for MALICIOUS severity skills
+     *
+     * MALICIOUS severity requires multiple reviewers to approve
+     * before a skill can be unquarantined. This prevents single
+     * reviewer compromise from allowing malicious skills.
+     *
+     * Approval state is persisted to the database (SMI-2277) so
+     * pending approvals survive service restarts.
+     *
+     * @param session - Authenticated session
+     * @param quarantineId - Quarantine entry ID
+     * @param skillId - Skill ID
+     * @param input - Review input
+     * @returns Review result with multi-approval status
+     */
+    handleMaliciousApproval(session, quarantineId, skillId, input) {
+        // Require elevated permission for MALICIOUS review
+        requirePermission(session, 'quarantine:review_malicious');
+        // Check if this reviewer already approved (database-backed)
+        if (this.approvalRepository.hasReviewerApproved(quarantineId, session.userId)) {
+            // Retrieve existing approval for error details
+            const existingApprovals = this.approvalRepository.getPendingApprovals(quarantineId);
+            const existing = existingApprovals.find((a) => a.reviewerId === session.userId);
+            throw new QuarantineServiceError('You have already approved this entry', 'ALREADY_REVIEWED', {
+                quarantineId,
+                previousApprovalAt: existing?.createdAt ?? 'unknown',
+            });
+        }
+        // Check for approval timeout
+        const startTime = this.approvalRepository.getWorkflowStartTime(quarantineId);
+        if (startTime) {
+            const timeSinceStart = Date.now() - new Date(startTime).getTime();
+            if (timeSinceStart > MULTI_APPROVAL_TIMEOUT_MS) {
+                // Capture existing approvals before clearing for audit
+                const expiredApprovals = this.approvalRepository.getPendingApprovals(quarantineId);
+                // Reset approval workflow
+                this.approvalRepository.clearApprovals(quarantineId);
+                // Log timeout event so cleared reviewer work is auditable
+                this.auditLogger.log({
+                    event_type: 'quarantine_multi_approval_timeout',
+                    actor: 'system',
+                    resource: skillId,
+                    action: 'timeout',
+                    result: 'success',
+                    metadata: {
+                        quarantineId,
+                        timeoutMs: MULTI_APPROVAL_TIMEOUT_MS,
+                        expiredApprovals: expiredApprovals.map((a) => ({
+                            reviewerId: a.reviewerId,
+                            email: a.reviewerEmail,
+                            approvedAt: a.createdAt,
+                        })),
+                        triggeredBy: {
+                            userId: session.userId,
+                            email: session.email,
+                        },
+                    },
+                });
+                throw new QuarantineServiceError('Multi-approval workflow timed out. Please start again.', 'INVALID_INPUT', { quarantineId, timeoutMs: MULTI_APPROVAL_TIMEOUT_MS });
+            }
+        }
+        // Record this approval in the database
+        this.approvalRepository.recordApproval({
+            skillId: quarantineId,
+            reviewerId: session.userId,
+            reviewerEmail: session.email,
+            decision: 'approved',
+            reason: input.reviewNotes,
+            requiredApprovals: MALICIOUS_APPROVAL_COUNT,
+        });
+        // Get current approval count and all pending approvals
+        const pendingApprovals = this.approvalRepository.getPendingApprovals(quarantineId);
+        const approvalCount = pendingApprovals.filter((a) => a.decision === 'approved').length;
+        // Build the multi-approval status from database state
+        const approvalStatus = this.buildMultiApprovalStatus(quarantineId, pendingApprovals);
+        // Log the approval
+        this.auditLogger.log({
+            event_type: 'quarantine_multi_approval',
+            actor: 'reviewer',
+            resource: skillId,
+            action: 'approve',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                approvalNumber: approvalCount,
+                requiredApprovals: MALICIOUS_APPROVAL_COUNT,
+                reviewer: {
+                    userId: session.userId,
+                    email: session.email,
+                },
+            },
+        });
+        // Check if we have enough approvals
+        if (approvalCount >= MALICIOUS_APPROVAL_COUNT) {
+            // Mark approvals as complete in database
+            this.approvalRepository.markComplete(quarantineId);
+            approvalStatus.isComplete = true;
+            approvalStatus.completedAt = new Date();
+            // Perform the actual review
+            const approverEmails = pendingApprovals
+                .filter((a) => a.decision === 'approved')
+                .map((a) => a.reviewerEmail);
+            const reviewResult = this.repository.review(quarantineId, {
+                reviewedBy: approverEmails.join(', '),
+                reviewStatus: 'approved',
+                reviewNotes: `Multi-approval complete: ${approvalCount} reviewers approved. ${input.reviewNotes || ''}`,
+            });
+            // Log completion
+            this.auditLogger.log({
+                event_type: 'quarantine_multi_approval_complete',
+                actor: 'reviewer',
+                resource: skillId,
+                action: 'complete',
+                result: 'success',
+                metadata: {
+                    quarantineId,
+                    approvals: pendingApprovals
+                        .filter((a) => a.decision === 'approved')
+                        .map((a) => ({
+                        reviewerId: a.reviewerId,
+                        email: a.reviewerEmail,
+                        approvedAt: a.createdAt,
+                    })),
+                },
+            });
+            return {
+                success: true,
+                approved: true,
+                skillId,
+                severity: 'MALICIOUS',
+                canImport: reviewResult?.canImport ?? false,
+                warnings: [
+                    'MALICIOUS skill approved through multi-approval workflow',
+                    `Approved by: ${approverEmails.join(', ')}`,
+                ],
+                reviewedBy: {
+                    userId: session.userId,
+                    email: session.email,
+                    displayName: session.displayName,
+                },
+                multiApprovalStatus: approvalStatus,
+            };
+        }
+        // Need more approvals
+        return {
+            success: true,
+            approved: false,
+            skillId,
+            severity: 'MALICIOUS',
+            canImport: false,
+            warnings: [
+                `Multi-approval in progress: ${approvalCount}/${MALICIOUS_APPROVAL_COUNT} approvals received`,
+                `Requires ${MALICIOUS_APPROVAL_COUNT - approvalCount} more approval(s)`,
+            ],
+            reviewedBy: {
+                userId: session.userId,
+                email: session.email,
+                displayName: session.displayName,
+            },
+            multiApprovalStatus: approvalStatus,
+        };
+    }
+    /**
+     * Get pending multi-approval status for a quarantine entry
+     *
+     * @param session - Authenticated session
+     * @param quarantineId - Quarantine entry ID
+     * @returns Multi-approval status or null
+     */
+    getMultiApprovalStatus(session, quarantineId) {
+        requirePermission(session, 'quarantine:read');
+        const pendingApprovals = this.approvalRepository.getPendingApprovals(quarantineId);
+        if (pendingApprovals.length === 0) {
+            return null;
+        }
+        return this.buildMultiApprovalStatus(quarantineId, pendingApprovals);
+    }
+    /**
+     * Cancel a pending multi-approval workflow
+     *
+     * @param session - Authenticated session (requires admin)
+     * @param quarantineId - Quarantine entry ID
+     * @returns Whether the cancellation was successful
+     */
+    cancelMultiApproval(session, quarantineId) {
+        requirePermission(session, 'quarantine:admin');
+        const pendingApprovals = this.approvalRepository.getPendingApprovals(quarantineId);
+        if (pendingApprovals.length === 0) {
+            return false;
+        }
+        this.approvalRepository.clearApprovals(quarantineId);
+        this.auditLogger.log({
+            event_type: 'quarantine_multi_approval_cancelled',
+            actor: 'reviewer',
+            resource: quarantineId,
+            action: 'cancel',
+            result: 'success',
+            metadata: {
+                quarantineId,
+                cancelledBy: session.email,
+                pendingApprovals: pendingApprovals.length,
+            },
+        });
+        return true;
+    }
+    // ==========================================================================
+    // Admin Operations (require quarantine:admin permission)
+    // ==========================================================================
+    /**
+     * Create a quarantine entry (admin only)
+     *
+     * @param session - Authenticated session
+     * @param input - Quarantine creation input
+     * @returns Created quarantine entry
+     */
+    create(session, input) {
+        requirePermission(session, 'quarantine:create');
+        return this.repository.create(input);
+    }
+    /**
+     * Delete a quarantine entry (admin only)
+     *
+     * @param session - Authenticated session
+     * @param id - Quarantine entry ID
+     * @returns Whether the entry was deleted
+     */
+    delete(session, id) {
+        requirePermission(session, 'quarantine:delete');
+        // Cancel any pending multi-approval
+        this.approvalRepository.clearApprovals(id);
+        return this.repository.delete(id);
+    }
+    // ==========================================================================
+    // Private Helpers
+    // ==========================================================================
+    /**
+     * Build a MultiApprovalStatus from database rows
+     *
+     * Converts persisted approval entries into the MultiApprovalStatus
+     * interface expected by consumers.
+     */
+    buildMultiApprovalStatus(quarantineId, approvals) {
+        const currentApprovals = approvals.map((a) => ({
+            reviewerId: a.reviewerId,
+            reviewerEmail: a.reviewerEmail,
+            approvedAt: new Date(a.createdAt),
+            notes: a.reason ?? undefined,
+        }));
+        const startedAt = approvals.length > 0 ? new Date(approvals[0].createdAt) : new Date();
+        const isComplete = approvals.some((a) => a.isComplete);
+        const completedEntry = approvals.find((a) => a.completedAt);
+        return {
+            quarantineId,
+            requiredApprovals: MALICIOUS_APPROVAL_COUNT,
+            currentApprovals,
+            isComplete,
+            startedAt,
+            completedAt: completedEntry ? new Date(completedEntry.completedAt) : undefined,
+        };
+    }
+}
+//# sourceMappingURL=QuarantineService.js.map

package/dist/src/services/quarantine/QuarantineService.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"QuarantineService.js","sourceRoot":"","sources":["../../../../src/services/quarantine/QuarantineService.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAYH,OAAO,EAAE,sBAAsB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAA;AAEtE,+EAA+E;AAC/E,gBAAgB;AAChB,+EAA+E;AAE/E;;GAEG;AACH,MAAM,wBAAwB,GAAG,CAAC,CAAA;AAElC;;GAEG;AACH,MAAM,yBAAyB,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;AAErD,+EAA+E;AAC/E,yBAAyB;AACzB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,OAAO,iBAAiB;IAET;IACA;IACA;IAHnB,YACmB,UAAgC,EAChC,kBAAsC,EACtC,WAAwB;QAFxB,eAAU,GAAV,UAAU,CAAsB;QAChC,uBAAkB,GAAlB,kBAAkB,CAAoB;QACtC,gBAAW,GAAX,WAAW,CAAa;IACxC,CAAC;IAEJ,6EAA6E;IAC7E,uDAAuD;IACvD,6EAA6E;IAE7E;;;;;;OAMG;IACH,QAAQ,CAAC,OAA6B,EAAE,EAAU;QAChD,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAA;IACrC,CAAC;IAED;;;;;;OAMG;IACH,aAAa,CAAC,OAA6B,EAAE,OAAe;QAC1D,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,CAAC,CAAA;IAC/C,CAAC;IAED;;;;;;OAMG;IACH,OAAO,CAAC,OAA6B,EAAE,MAAuD;QAC5F,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,CAAA;IACxC,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CAAC,OAA6B;QACpC,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAC7C,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,CAAA;IACnC,CAAC;IAED,6EAA6E;IAC7E,2DAA2D;IAC3D,6EAA6E;IAE7E;;;;;;;;;;;;;;;OAeG;IACH,MAAM,CACJ,OAA6B,EAC7B,YAAoB,EACpB,KAA+B;QAE/B,iDAAiD;QACjD,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAE/C,2BAA2B;QAC3B,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAA;QACpD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,sBAAsB,CAAC,+BAA+B,YAAY,EAAE,EAAE,WAAW,EAAE;gBAC3F,YAAY;aACb,CAAC,CAAA;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,KAAK,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,IAAI,sBAAsB,CAC9B,sCAAsC,KAAK,CAAC,YAAY,EAAE,EAC1D,kBAAkB,EAClB,EAAE,YAAY,EAAE,aAAa,EAAE,KAAK,CAAC,YAAY,EAAE,CACpD,CAAA;QACH,CAAC;QAED,0DAA0D;QAC1D,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,IAAI,KAAK,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;YACxE,OAAO,IAAI,CAAC,uBAAuB,CAAC,OAAO,EAAE,YAAY,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,CAAA;QAClF,CAAC;QAED,+EAA+E;QAC/E,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,EAAE,CAAC;YACnC,iBAAiB,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAA;QAC3D,CAAC;QAED,4CAA4C;QAC5C,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,EAAE;YACxD,UAAU,EAAE,OAAO,CAAC,KAAK,EAAE,8BAA8B;YACzD,YAAY,EAAE,KAAK,CAAC,YAAY;YAChC,WAAW,EAAE,KAAK,CAAC,WAAW;SAC/B,CAAC,CAAA;QAEF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,MAAM,IAAI,sBAAsB,CAAC,mCAAmC,EAAE,eAAe,EAAE;gBACrF,YAAY;aACb,CAAC,CAAA;QACJ,CAAC;QAED,4CAA4C;QAC5C,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,iCAAiC;YAC7C,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,KAAK,CAAC,OAAO;YACvB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,YAAY,EAAE,KAAK,CAAC,YAAY;gBAChC,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,SAAS,EAAE,YAAY,CAAC,SAAS;aAClC;SACF,CAAC,CAAA;QAEF,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,OAAO,EAAE,YAAY,CAAC,OAAO;YAC7B,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,SAAS,EAAE,YAAY,CAAC,SAAS;YACjC,QAAQ,EAAE,YAAY,CAAC,QAAQ;YAC/B,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;SACF,CAAA;IACH,CAAC;IAED,6EAA6E;IAC7E,+CAA+C;IAC/C,6EAA6E;IAE7E;;;;;;;;;;;;;;;OAeG;IACK,uBAAuB,CAC7B,OAA6B,EAC7B,YAAoB,EACpB,OAAe,EACf,KAA+B;QAE/B,mDAAmD;QACnD,iBAAiB,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAA;QAEzD,4DAA4D;QAC5D,IAAI,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,EAAE,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9E,+CAA+C;YAC/C,MAAM,iBAAiB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;YACnF,MAAM,QAAQ,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,OAAO,CAAC,MAAM,CAAC,CAAA;YAC/E,MAAM,IAAI,sBAAsB,CAAC,sCAAsC,EAAE,kBAAkB,EAAE;gBAC3F,YAAY;gBACZ,kBAAkB,EAAE,QAAQ,EAAE,SAAS,IAAI,SAAS;aACrD,CAAC,CAAA;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,SAAS,GAAG,IAAI,CAAC,kBAAkB,CAAC,oBAAoB,CAAC,YAAY,CAAC,CAAA;QAC5E,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAA;YACjE,IAAI,cAAc,GAAG,yBAAyB,EAAE,CAAC;gBAC/C,uDAAuD;gBACvD,MAAM,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;gBAElF,0BAA0B;gBAC1B,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,YAAY,CAAC,CAAA;gBAEpD,0DAA0D;gBAC1D,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;oBACnB,UAAU,EAAE,mCAAmC;oBAC/C,KAAK,EAAE,QAAQ;oBACf,QAAQ,EAAE,OAAO;oBACjB,MAAM,EAAE,SAAS;oBACjB,MAAM,EAAE,SAAS;oBACjB,QAAQ,EAAE;wBACR,YAAY;wBACZ,SAAS,EAAE,yBAAyB;wBACpC,gBAAgB,EAAE,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;4BAC7C,UAAU,EAAE,CAAC,CAAC,UAAU;4BACxB,KAAK,EAAE,CAAC,CAAC,aAAa;4BACtB,UAAU,EAAE,CAAC,CAAC,SAAS;yBACxB,CAAC,CAAC;wBACH,WAAW,EAAE;4BACX,MAAM,EAAE,OAAO,CAAC,MAAM;4BACtB,KAAK,EAAE,OAAO,CAAC,KAAK;yBACrB;qBACF;iBACF,CAAC,CAAA;gBAEF,MAAM,IAAI,sBAAsB,CAC9B,wDAAwD,EACxD,eAAe,EACf,EAAE,YAAY,EAAE,SAAS,EAAE,yBAAyB,EAAE,CACvD,CAAA;YACH,CAAC;QACH,CAAC;QAED,uCAAuC;QACvC,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC;YACrC,OAAO,EAAE,YAAY;YACrB,UAAU,EAAE,OAAO,CAAC,MAAM;YAC1B,aAAa,EAAE,OAAO,CAAC,KAAK;YAC5B,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,KAAK,CAAC,WAAW;YACzB,iBAAiB,EAAE,wBAAwB;SAC5C,CAAC,CAAA;QAEF,uDAAuD;QACvD,MAAM,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAClF,MAAM,aAAa,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAA;QAEtF,sDAAsD;QACtD,MAAM,cAAc,GAAG,IAAI,CAAC,wBAAwB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;QAEpF,mBAAmB;QACnB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,2BAA2B;YACvC,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,cAAc,EAAE,aAAa;gBAC7B,iBAAiB,EAAE,wBAAwB;gBAC3C,QAAQ,EAAE;oBACR,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;iBACrB;aACF;SACF,CAAC,CAAA;QAEF,oCAAoC;QACpC,IAAI,aAAa,IAAI,wBAAwB,EAAE,CAAC;YAC9C,yCAAyC;YACzC,IAAI,CAAC,kBAAkB,CAAC,YAAY,CAAC,YAAY,CAAC,CAAA;YAClD,cAAc,CAAC,UAAU,GAAG,IAAI,CAAA;YAChC,cAAc,CAAC,WAAW,GAAG,IAAI,IAAI,EAAE,CAAA;YAEvC,4BAA4B;YAC5B,MAAM,cAAc,GAAG,gBAAgB;iBACpC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;iBACxC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC,CAAA;YAC9B,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,YAAY,EAAE;gBACxD,UAAU,EAAE,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC;gBACrC,YAAY,EAAE,UAAU;gBACxB,WAAW,EAAE,4BAA4B,aAAa,wBAAwB,KAAK,CAAC,WAAW,IAAI,EAAE,EAAE;aACxG,CAAC,CAAA;YAEF,iBAAiB;YACjB,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;gBACnB,UAAU,EAAE,oCAAoC;gBAChD,KAAK,EAAE,UAAU;gBACjB,QAAQ,EAAE,OAAO;gBACjB,MAAM,EAAE,UAAU;gBAClB,MAAM,EAAE,SAAS;gBACjB,QAAQ,EAAE;oBACR,YAAY;oBACZ,SAAS,EAAE,gBAAgB;yBACxB,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;yBACxC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;wBACX,UAAU,EAAE,CAAC,CAAC,UAAU;wBACxB,KAAK,EAAE,CAAC,CAAC,aAAa;wBACtB,UAAU,EAAE,CAAC,CAAC,SAAS;qBACxB,CAAC,CAAC;iBACN;aACF,CAAC,CAAA;YAEF,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,IAAI;gBACd,OAAO;gBACP,QAAQ,EAAE,WAAW;gBACrB,SAAS,EAAE,YAAY,EAAE,SAAS,IAAI,KAAK;gBAC3C,QAAQ,EAAE;oBACR,0DAA0D;oBAC1D,gBAAgB,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;iBAC5C;gBACD,UAAU,EAAE;oBACV,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;oBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,mBAAmB,EAAE,cAAc;aACpC,CAAA;QACH,CAAC;QAED,sBAAsB;QACtB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,KAAK;YACf,OAAO;YACP,QAAQ,EAAE,WAAW;YACrB,SAAS,EAAE,KAAK;YAChB,QAAQ,EAAE;gBACR,+BAA+B,aAAa,IAAI,wBAAwB,qBAAqB;gBAC7F,YAAY,wBAAwB,GAAG,aAAa,mBAAmB;aACxE;YACD,UAAU,EAAE;gBACV,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;gBACpB,WAAW,EAAE,OAAO,CAAC,WAAW;aACjC;YACD,mBAAmB,EAAE,cAAc;SACpC,CAAA;IACH,CAAC;IAED;;;;;;OAMG;IACH,sBAAsB,CACpB,OAA6B,EAC7B,YAAoB;QAEpB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAA;QAE7C,MAAM,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAClF,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,IAAI,CAAC,wBAAwB,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAA;IACtE,CAAC;IAED;;;;;;OAMG;IACH,mBAAmB,CAAC,OAA6B,EAAE,YAAoB;QACrE,iBAAiB,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAA;QAE9C,MAAM,gBAAgB,GAAG,IAAI,CAAC,kBAAkB,CAAC,mBAAmB,CAAC,YAAY,CAAC,CAAA;QAClF,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,OAAO,KAAK,CAAA;QACd,CAAC;QAED,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,YAAY,CAAC,CAAA;QAEpD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC;YACnB,UAAU,EAAE,qCAAqC;YACjD,KAAK,EAAE,UAAU;YACjB,QAAQ,EAAE,YAAY;YACtB,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR,YAAY;gBACZ,WAAW,EAAE,OAAO,CAAC,KAAK;gBAC1B,gBAAgB,EAAE,gBAAgB,CAAC,MAAM;aAC1C;SACF,CAAC,CAAA;QAEF,OAAO,IAAI,CAAA;IACb,CAAC;IAED,6EAA6E;IAC7E,yDAAyD;IACzD,6EAA6E;IAE7E;;;;;;OAMG;IACH,MAAM,CAAC,OAA6B,EAAE,KAAoD;QACxF,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAC/C,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;IACtC,CAAC;IAED;;;;;;OAMG;IACH,MAAM,CAAC,OAA6B,EAAE,EAAU;QAC9C,iBAAiB,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAA;QAE/C,oCAAoC;QACpC,IAAI,CAAC,kBAAkB,CAAC,cAAc,CAAC,EAAE,CAAC,CAAA;QAE1C,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC,CAAA;IACnC,CAAC;IAED,6EAA6E;IAC7E,kBAAkB;IAClB,6EAA6E;IAE7E;;;;;OAKG;IACK,wBAAwB,CAC9B,YAAoB,EACpB,SAOE;QAEF,MAAM,gBAAgB,GAAqB,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC/D,UAAU,EAAE,CAAC,CAAC,UAAU;YACxB,aAAa,EAAE,CAAC,CAAC,aAAa;YAC9B,UAAU,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;YACjC,KAAK,EAAE,CAAC,CAAC,MAAM,IAAI,SAAS;SAC7B,CAAC,CAAC,CAAA;QAEH,MAAM,SAAS,GAAG,SAAS,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,EAAE,CAAA;QACtF,MAAM,UAAU,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAA;QACtD,MAAM,cAAc,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAA;QAE3D,OAAO;YACL,YAAY;YACZ,iBAAiB,EAAE,wBAAwB;YAC3C,gBAAgB;YAChB,UAAU;YACV,SAAS;YACT,WAAW,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,WAAY,CAAC,CAAC,CAAC,CAAC,SAAS;SAChF,CAAA;IACH,CAAC;CACF"}

package/dist/src/services/quarantine/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * SMI-2269: Quarantine Service Module
+ *
+ * Authenticated quarantine operations with multi-approval workflow.
+ *
+ * @module @skillsmith/core/services/quarantine
+ */
+export { QuarantineService } from './QuarantineService.js';
+export { type QuarantinePermission, type AuthenticatedSession, type ApprovalRecord, type MultiApprovalStatus, type AuthenticatedReviewInput, type AuthenticatedReviewResult, type QuarantineServiceErrorCode, QuarantineServiceError, hasPermission, isSessionValid, requirePermission, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/src/services/quarantine/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/services/quarantine/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO,EAEL,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,wBAAwB,EAC7B,KAAK,yBAAyB,EAC9B,KAAK,0BAA0B,EAE/B,sBAAsB,EAEtB,aAAa,EACb,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA"}

package/dist/src/services/quarantine/index.js

@@ -0,0 +1,14 @@
+/**
+ * SMI-2269: Quarantine Service Module
+ *
+ * Authenticated quarantine operations with multi-approval workflow.
+ *
+ * @module @skillsmith/core/services/quarantine
+ */
+export { QuarantineService } from './QuarantineService.js';
+export { 
+// Error class
+QuarantineServiceError, 
+// Helper functions
+hasPermission, isSessionValid, requirePermission, } from './types.js';
+//# sourceMappingURL=index.js.map

package/dist/src/services/quarantine/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/services/quarantine/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAA;AAC1D,OAAO;AASL,cAAc;AACd,sBAAsB;AACtB,mBAAmB;AACnB,aAAa,EACb,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA"}

package/dist/src/services/quarantine/types.d.ts

@@ -0,0 +1,127 @@
+/**
+ * SMI-2269: Quarantine Service Types
+ *
+ * Authentication and authorization types for quarantine review operations.
+ * Part of QUA-002 security fix: No authentication on quarantine review.
+ *
+ * @module @skillsmith/core/services/quarantine/types
+ */
+import type { QuarantineSeverity, QuarantineReviewStatus } from '../../db/quarantine-schema.js';
+/**
+ * User permissions for quarantine operations
+ */
+export type QuarantinePermission = 'quarantine:read' | 'quarantine:create' | 'quarantine:review' | 'quarantine:review_malicious' | 'quarantine:delete' | 'quarantine:admin';
+/**
+ * Authenticated session for quarantine operations
+ *
+ * All quarantine review operations require a valid session with
+ * appropriate permissions. This ensures audit trails contain
+ * verified reviewer identities.
+ */
+export interface AuthenticatedSession {
+    /** Unique user identifier (from auth provider) */
+    userId: string;
+    /** User's email address (verified) */
+    email: string;
+    /** User's display name */
+    displayName: string;
+    /** User's assigned permissions */
+    permissions: QuarantinePermission[];
+    /** Session token ID for audit logging */
+    sessionId: string;
+    /** Session expiration timestamp */
+    expiresAt: Date;
+    /** Organization/team ID (for team-based permissions) */
+    organizationId?: string;
+}
+/**
+ * Approval record for multi-approval workflow
+ */
+export interface ApprovalRecord {
+    /** Reviewer user ID */
+    reviewerId: string;
+    /** Reviewer email */
+    reviewerEmail: string;
+    /** Timestamp of approval */
+    approvedAt: Date;
+    /** Optional notes from reviewer */
+    notes?: string;
+}
+/**
+ * Multi-approval status for MALICIOUS severity reviews
+ */
+export interface MultiApprovalStatus {
+    /** Quarantine entry ID */
+    quarantineId: string;
+    /** Required number of approvals */
+    requiredApprovals: number;
+    /** Current approvals received */
+    currentApprovals: ApprovalRecord[];
+    /** Whether all required approvals have been received */
+    isComplete: boolean;
+    /** Timestamp when first approval was received */
+    startedAt: Date;
+    /** Timestamp when approval completed (if complete) */
+    completedAt?: Date;
+}
+/**
+ * Input for authenticated review operation
+ */
+export interface AuthenticatedReviewInput {
+    /** Review status decision */
+    reviewStatus: QuarantineReviewStatus;
+    /** Optional review notes */
+    reviewNotes?: string;
+}
+/**
+ * Result from authenticated review operation
+ */
+export interface AuthenticatedReviewResult {
+    /** Whether the review was successful */
+    success: boolean;
+    /** Whether the skill is approved for import */
+    approved: boolean;
+    /** Skill ID that was reviewed */
+    skillId: string;
+    /** Severity of the quarantined skill */
+    severity: QuarantineSeverity;
+    /** Whether the skill can be imported */
+    canImport: boolean;
+    /** Any warnings about the skill */
+    warnings: string[];
+    /** Verified reviewer identity */
+    reviewedBy: {
+        userId: string;
+        email: string;
+        displayName: string;
+    };
+    /** For MALICIOUS severity: multi-approval status */
+    multiApprovalStatus?: MultiApprovalStatus;
+}
+/**
+ * Error codes for quarantine service operations
+ */
+export type QuarantineServiceErrorCode = 'UNAUTHORIZED' | 'FORBIDDEN' | 'SESSION_EXPIRED' | 'INSUFFICIENT_PERMISSIONS' | 'MULTI_APPROVAL_REQUIRED' | 'ALREADY_REVIEWED' | 'NOT_FOUND' | 'INVALID_INPUT';
+/**
+ * Service error with typed error codes
+ */
+export declare class QuarantineServiceError extends Error {
+    readonly code: QuarantineServiceErrorCode;
+    readonly details?: Record<string, unknown> | undefined;
+    constructor(message: string, code: QuarantineServiceErrorCode, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Check if session has a specific permission
+ */
+export declare function hasPermission(session: AuthenticatedSession, permission: QuarantinePermission): boolean;
+/**
+ * Check if session is valid (not expired)
+ */
+export declare function isSessionValid(session: AuthenticatedSession): boolean;
+/**
+ * Validate session and check permission
+ *
+ * @throws QuarantineServiceError if session is invalid or lacks permission
+ */
+export declare function requirePermission(session: AuthenticatedSession, permission: QuarantinePermission): void;
+//# sourceMappingURL=types.d.ts.map

package/dist/src/services/quarantine/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/services/quarantine/types.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,kBAAkB,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAA;AAM/F;;GAEG;AACH,MAAM,MAAM,oBAAoB,GAC5B,iBAAiB,GACjB,mBAAmB,GACnB,mBAAmB,GACnB,6BAA6B,GAC7B,mBAAmB,GACnB,kBAAkB,CAAA;AAEtB;;;;;;GAMG;AACH,MAAM,WAAW,oBAAoB;IACnC,kDAAkD;IAClD,MAAM,EAAE,MAAM,CAAA;IAEd,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAA;IAEb,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAA;IAEnB,kCAAkC;IAClC,WAAW,EAAE,oBAAoB,EAAE,CAAA;IAEnC,yCAAyC;IACzC,SAAS,EAAE,MAAM,CAAA;IAEjB,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAA;IAEf,wDAAwD;IACxD,cAAc,CAAC,EAAE,MAAM,CAAA;CACxB;AAMD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,uBAAuB;IACvB,UAAU,EAAE,MAAM,CAAA;IAElB,qBAAqB;IACrB,aAAa,EAAE,MAAM,CAAA;IAErB,4BAA4B;IAC5B,UAAU,EAAE,IAAI,CAAA;IAEhB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAA;IAEpB,mCAAmC;IACnC,iBAAiB,EAAE,MAAM,CAAA;IAEzB,iCAAiC;IACjC,gBAAgB,EAAE,cAAc,EAAE,CAAA;IAElC,wDAAwD;IACxD,UAAU,EAAE,OAAO,CAAA;IAEnB,iDAAiD;IACjD,SAAS,EAAE,IAAI,CAAA;IAEf,sDAAsD;IACtD,WAAW,CAAC,EAAE,IAAI,CAAA;CACnB;AAMD;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC,6BAA6B;IAC7B,YAAY,EAAE,sBAAsB,CAAA;IAEpC,4BAA4B;IAC5B,WAAW,CAAC,EAAE,MAAM,CAAA;CACrB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAA;IAEhB,+CAA+C;IAC/C,QAAQ,EAAE,OAAO,CAAA;IAEjB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAA;IAEf,wCAAwC;IACxC,QAAQ,EAAE,kBAAkB,CAAA;IAE5B,wCAAwC;IACxC,SAAS,EAAE,OAAO,CAAA;IAElB,mCAAmC;IACnC,QAAQ,EAAE,MAAM,EAAE,CAAA;IAElB,iCAAiC;IACjC,UAAU,EAAE;QACV,MAAM,EAAE,MAAM,CAAA;QACd,KAAK,EAAE,MAAM,CAAA;QACb,WAAW,EAAE,MAAM,CAAA;KACpB,CAAA;IAED,oDAAoD;IACpD,mBAAmB,CAAC,EAAE,mBAAmB,CAAA;CAC1C;AAMD;;GAEG;AACH,MAAM,MAAM,0BAA0B,GAClC,cAAc,GACd,WAAW,GACX,iBAAiB,GACjB,0BAA0B,GAC1B,yBAAyB,GACzB,kBAAkB,GAClB,WAAW,GACX,eAAe,CAAA;AAEnB;;GAEG;AACH,qBAAa,sBAAuB,SAAQ,KAAK;aAG7B,IAAI,EAAE,0BAA0B;aAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;gBAFjD,OAAO,EAAE,MAAM,EACC,IAAI,EAAE,0BAA0B,EAChC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,YAAA;CAKpD;AAMD;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,oBAAoB,EAC7B,UAAU,EAAE,oBAAoB,GAC/B,OAAO,CAMT;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAErE;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAC/B,OAAO,EAAE,oBAAoB,EAC7B,UAAU,EAAE,oBAAoB,GAC/B,IAAI,CAiBN"}