@solongate/sdk 0.1.4 → 0.1.5

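--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -184,6 +184,10 @@ declare class SolonGate {
  * Fetch policy from SolonGate Cloud API (fire once, non-blocking).
  */
  private fetchCloudPolicyOnce;
+ /**
+ * Poll for policy updates from dashboard every 60 seconds.
+ */
+ private startPolicyPolling;
  /**
  * Send audit log to SolonGate Cloud API (fire-and-forget).
  */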
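--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1712,6 +1712,7 @@ var SolonGate = class {
  });
  if (!options.policySet && !config.policySet && apiKey.startsWith("sg_live_")) {
  this.fetchCloudPolicyOnce();
+ this.startPolicyPolling();
  }
  this.tokenIssuer = config.tokenSecret ? new TokenIssuer({
  secret: config.tokenSecret,
@@ -1781,6 +1782,40 @@ var SolonGate = class {
  }).catch(() => {
  });
  }
+ /**
+ * Poll for policy updates from dashboard every 60 seconds.
+ */
+ startPolicyPolling() {
+ const apiUrl = this.config.apiUrl ?? "https://api.solongate.com";
+ let currentVersion = 0;
+ setInterval(async () => {
+ try {
+ const res = await fetch(`${apiUrl}/api/v1/policies/default`, {
+ headers: { "Authorization": `Bearer ${this.apiKey}` },
+ signal: AbortSignal.timeout(1e4)
+ });
+ if (!res.ok) return;
+ const data = await res.json();
+ const version = Number(data._version ?? 0);
+ const rulesCount = Array.isArray(data.rules) ? data.rules.length : 0;
+ if (version !== currentVersion && version > 0) {
+ const policySet = {
+ id: String(data.id ?? "cloud"),
+ name: String(data.name ?? "Cloud Policy"),
+ description: String(data.description ?? ""),
+ version,
+ rules: data.rules ?? [],
+ createdAt: String(data._created_at ?? ""),
+ updatedAt: ""
+ };
+ this.policyEngine.loadPolicySet(policySet);
+ currentVersion = version;
+ console.warn(`[SolonGate] Policy updated from dashboard: ${policySet.name} v${version} (${rulesCount} rules)`);
+ }
+ } catch {
+ }
+ }, 6e4);
+ }
  /**
  * Send audit log to SolonGate Cloud API (fire-and-forget).
  */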
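Review bot: In `startPolicyPolling` the return value of `this.policyEngine.loadPolicySet(policySet)` is discarded, so `currentVersion = version` and the "Policy updated" warning run even if the engine did not accept the set; how `loadPolicySet` reports a rejected policy is not visible in this hunk, so confirm it and advance the version only on success. `rules: data.rules ?? []` forwards whatever the response body holds while only `rulesCount` checks `Array.isArray`, so a guard such as `if (!Array.isArray(data.rules)) return;` before building `policySet` would keep a malformed response out of the engine. The empty `catch {}` and the bare `if (!res.ok) return;` make a rejected API key or an unreachable API look the same as "no change", leaving the process on a stale policy with no log line; a `console.warn` with the status or error (never the key) would make that observable. The `setInterval` handle is also dropped, so the poll cannot be stopped and keeps a Node process alive; keep it, e.g. `this.policyPollTimer = setInterval(...); this.policyPollTimer.unref?.();`.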
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../../core/src/errors.ts","../../core/src/trust.ts","../../core/src/permissions.ts","../../core/src/policy.ts","../../core/src/context.ts","../../core/src/constants.ts","../../core/src/mcp-types.ts","../../core/src/schema-validator.ts","../../core/src/input-guard.ts","../../core/src/capability-token.ts","../../policy-engine/src/path-matcher.ts","../../policy-engine/src/matcher.ts","../../policy-engine/src/evaluator.ts","../../policy-engine/src/validator.ts","../../policy-engine/src/warnings.ts","../../policy-engine/src/defaults.ts","../../policy-engine/src/engine.ts","../../policy-engine/src/policy-store.ts","../src/config.ts","../src/interceptor.ts","../src/logger.ts","../src/token-issuer.ts","../src/server-verifier.ts","../src/rate-limiter.ts","../src/solongate.ts","../src/secure-server.ts","../src/api-client.ts"],"names":["z","maxChildDepth","endTime","UNSAFE_CONFIGURATION_WARNINGS","TrustLevel","randomUUID","createHmac","RateLimitError"],"mappings":";;;;;AAIO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AACxB,EAAA,IAAA;AACA,EAAA,SAAA;AACA,EAAA,OAAA;AAEhB,EAAA,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAC5B,IAAA,IAAA,CAAK,UAAU,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,SAAS,CAAA;AAC3C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAClD,EAAA;;;;;EAMA,MAAA,GAAkC;AAChC,IAAA,OAAO;AACL,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,OAAA,EAAS,IAAA,CAAK,OAAA;AACd,MAAA,SAAA,EAAW,IAAA,CAAK,SAAA;AAChB,MAAA,OAAA,EAAS,IAAA,CAAK;AAAA,KAAA;AAElB,EAAA;AACF;AAGO,IAAM,iBAAA,GAAN,cAAgC,cAAA,CAAe;AACpD,EAAA,WAAA,CACE,QAAA,EACA,MAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA;MACE,CAAA,iCAAA,EAAoC,QAAQ,MAAM,MAAM,CAAA,CAAA;AACxD,MAAA,eAAA;MACA,EAAE,QAAA,EAAU,MAAA,EAAQ,GAAG,OAAA;AAAQ,KAAA;AAEjC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AACd,EAAA;AACF;AAWO,IAAM,qBAAA,GAAN,cAAoC,
cAAA,CAAe;AACxD,EAAA,WAAA,CACE,UACA,gBAAA,EACA;AACA,IAAA,KAAA;AACE,MAAA,CAAA,mCAAA,EAAsC,QAAQ,CAAA,GAAA,EAAM,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAC/E,MAAA,0BAAA;AACA,MAAA,EAAE,UAAU,gBAAA;AAAiB,KAAA;AAE/B,IAAA,IAAA,CAAK,IAAA,GAAO,uBAAA;AACd,EAAA;AACF;AAGO,IAAM,cAAA,GAAN,cAA6B,cAAA,CAAe;AACjD,EAAA,WAAA,CAAY,UAAkB,cAAA,EAAwB;AACpD,IAAA,KAAA;MACE,CAAA,8BAAA,EAAiC,QAAQ,UAAU,cAAc,CAAA,IAAA,CAAA;AACjE,MAAA,qBAAA;AACA,MAAA,EAAE,UAAU,cAAA;AAAe,KAAA;AAE7B,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACd,EAAA;AACF;AA2BO,IAAM,eAAA,GAAN,cAA8B,cAAA,CAAe;AAClD,EAAA,WAAA,CACE,UACA,OAAA,EACA;AACA,IAAA,KAAA;MACE,CAAA,0BAAA,EAA6B,QAAQ,CAAA,GAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAW,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AACrF,MAAA,qBAAA;AACA,MAAA,EAAE,QAAA,EAAU,WAAA,EAAa,OAAA,CAAQ,MAAA,EAAQ,OAAA;AAAQ,KAAA;AAEnD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACd,EAAA;AACF;AAGO,IAAM,YAAA,GAAN,cAA2B,cAAA,CAAe;AAC/C,EAAA,WAAA,CACE,SAAA,EACA,UAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA;AACE,MAAA,CAAA,qBAAA,EAAwB,SAAS,CAAA,EAAG,UAAA,GAAa,CAAA,OAAA,EAAU,UAAU,MAAM,EAAE,CAAA,CAAA;AAC7E,MAAA,eAAA;MACA,EAAE,SAAA,EAAW,UAAA,EAAY,GAAG,OAAA;AAAQ,KAAA;AAEtC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACd,EAAA;AACF;AChIO,IAAM,UAAA,GAAa;EACxB,SAAA,EAAW,WAAA;EACX,QAAA,EAAU,UAAA;EACV,OAAA,EAAS;AACX;ACXO,IAAM,UAAA,GAAa;EACxB,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAAA;EACP,OAAA,EAAS;AACX;AAIgC,CAAA,CAAE,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAC;AAgBtB,MAAA,CAAO,MAAA;AAAA,kBAAA,IAC9C,GAAA;AACN;AAGwC,MAAA,CAAO,MAAA;AAC7C,kBAAA,IAAI,GAAA,CAAgB,CAAC,UAAA,CAAW,IAAI,CAAC;AACvC;AC7BO,IAAM,YAAA,GAAe;EAC1B,KAAA,EAAO,OAAA;EACP,IAAA,EAAM;AACR;AA2CO,IAAM,gBAAA,GAAmBA,EAAE,MAAA,CAAO;AACvC,EAAA,EAAA,EAAIA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC7B,EAAA,WAAA,EAAaA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,CAAI,IAAI,CAAA;AAChC,EAAA,MAAA,EAAQA,CAAAA,CAAE,IAAA,CAAK,CAAC,OAAA,EAAS,MAAM,CAAC,CAAA;AAChC,EAAA,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,EAAA,CAAM,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,GAAK,CAAA,CAAE,OAAA,CAAQ,GAAI,CAAA;AACzD,EAAA
,WAAA,EAAaA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AACtC,EAAA,UAAA,EAAYA,EAAE,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAC,CAAA;AAC/C,EAAA,iBAAA,EAAmBA,EAAE,IAAA,CAAK,CAAC,WAAA,EAAa,UAAA,EAAY,SAAS,CAAC,CAAA;AAC9D,EAAA,mBAAA,EAAqBA,EAAE,MAAA,CAAOA,CAAAA,CAAE,OAAA,EAAS,EAAE,QAAA,EAAA;AAC3C,EAAA,eAAA,EAAiBA,EACd,MAAA,CAAO;AACN,IAAA,OAAA,EAASA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAA;AAC7B,IAAA,MAAA,EAAQA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAA;IAC5B,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;IAC1B,aAAA,EAAeA,CAAAA,CAAE,OAAA,EAAA,CAAU,QAAA;AAAS,GACrC,EACA,QAAA,EAAA;AACH,EAAA,OAAA,EAASA,CAAAA,CAAE,OAAA,EAAA,CAAU,OAAA,CAAQ,IAAI,CAAA;EACjC,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;EACtB,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA;AACxB,CAAC,CAAA;AAEM,IAAM,eAAA,GAAkBA,EAAE,MAAA,CAAO;AACtC,EAAA,EAAA,EAAIA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC7B,EAAA,IAAA,EAAMA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC/B,EAAA,WAAA,EAAaA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,CAAI,IAAI,CAAA;AAChC,EAAA,OAAA,EAASA,EAAE,MAAA,EAAA,CAAS,GAAA,EAAA,CAAM,IAAI,CAAC,CAAA;EAC/B,KAAA,EAAOA,CAAAA,CAAE,MAAM,gBAAgB,CAAA;EAC/B,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;EACtB,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA;AACxB,CAAC,CAAA;AC1DM,SAAS,sBACd,MAAA,EAEiB;AACjB,EAAA,OAAO;IACL,UAAA,EAAY,WAAA;AACZ,IAAA,kBAAA,sBAAwB,GAAA,EAAA;IACxB,SAAA,EAAW,IAAA;AACX,IAAA,QAAA,EAAU,EAAA;IACV,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;IACtB,GAAG;AAAA,GAAA;AAEP;ACrCO,IAAM,qBAAA,GAAwB,MAAA;AAG9B,IAAM,wBAAA,GAA2B,GAAA;AAGjC,IAAM,kBAAA,GAAqB,EAAA;AAG3B,IAAM,wBAAA,GAA2B,OAAA;AAkBjC,IAAM,4BAAA,GAA+B,GAAA;AA8BrC,IAAM,oBAAA,GAAuB,GAAA;AAG7B,IAAM,sBAAA,GAAyB,GAAA;AAG/B,IAAM,6BAAA,GAAgC;EAC3C,cAAA,EACE,2FAAA;EACF,sBAAA,EACE,oFAAA;EAGF,sBAAA,EACE,iFAAA;EACF,eAAA,EACE,yFAAA;EACF,mBAAA,EACE;AACJ,CAAA;AC7CO,SAAS,uBACd,MAAA,EACmB;AACnB,EAAA,OAAO;IACL,OAAA,EAAS;AACP,MAAA;QACE,IAAA,EAAM,MAAA;AACN,QAAA,IAAA,EAAM,KAAK,SAAA,CAAU;UACnB,KAAA,EAAO,eAAA;UACP,OAAA,EAA
S,MAAA;UACT,IAAA,EAAM;SACP;AAAA;AACH,KAAA;IAEF,OAAA,EAAS;AAAA,GAAA;AAEb;AC1BA,IAAM,eAAA,GAAoD;EACxD,QAAA,EAAU,kBAAA;EACV,YAAA,EAAc,wBAAA;EACd,YAAA,EAAc;AAChB,CAAA;AAWO,SAAS,iBAAA,CACd,MAAA,EACA,KAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAA,GAAO,EAAE,GAAG,eAAA,EAAiB,GAAG,OAAA,EAAA;AACtC,EAAA,MAAM,SAAmB,EAAA;AAGzB,EAAA,MAAM,SAAA,GAAY,cAAA,CAAe,KAAA,EAAO,IAAA,CAAK,YAAY,CAAA;AACzD,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,OAAO,EAAE,OAAO,KAAA,EAAO,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,WAAW,IAAA,EAAA;AACzD,EAAA;AAGA,EAAA,MAAM,UAAA,GAAa,eAAA,CAAgB,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,OAAO,EAAE,OAAO,KAAA,EAAO,MAAA,EAAQ,CAAC,UAAU,CAAA,EAAG,WAAW,IAAA,EAAA;AAC1D,EAAA;AAGA,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,KAAK,CAAA;AAErC,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,KAAA,CAAM,MAAA,EAAQ;AACvC,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,GAAS,IAAI,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,GAAI,MAAA;AAC5D,MAAA,MAAA,CAAO,KAAK,CAAA,EAAG,IAAI,CAAA,EAAA,EAAK,KAAA,CAAM,OAAO,CAAA,CAAE,CAAA;AACzC,IAAA;AACA,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,WAAW,IAAA,EAAA;AAC5C,EAAA;AAEA,EAAA,OAAO;IACL,KAAA,EAAO,IAAA;AACP,IAAA,MAAA,EAAQ,EAAA;AACR,IAAA,SAAA,EAAW,MAAA,CAAO;AAAA,GAAA;AAEtB;AAeA,SAAS,cAAA,CAAe,OAAgB,QAAA,EAAiC;AACvE,EAAA,IAAI,UAAA;AACJ,EAAA,IAAI;AACF,IAAA,UAAA,GAAa,IAAA,CAAK,UAAU,KAAK,CAAA;EACnC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,oCAAA;AACT,EAAA;AAEA,EAAA,MAAM,YAAY,IAAI,WAAA,EAAA,CAAc,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA;AACvD,EAAA,IAAI,YAAY,QAAA,EAAU;AACxB,IAAA,OAAO,CAAA,WAAA,EAAc,SAAS,CAAA,uBAAA,EAA0B,QAAQ,CAAA,MAAA,CAAA;AAClE,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAMA,SAAS,eAAA,CAAgB,OAAgB,QAAA,EAAiC;AACxE,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,EAAO,CAAC,CAAA;AACnC,EAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,IAAA,OAAO,CAAA,YAAA,EAAe,KAAK,CAAA,iBAAA,EAAoB,QAAQ,CAAA,CAAA;AACzD,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,YAAA,CAAa,OAAgB,YAAA,EAA8B;AAClE,EAAA,IAAI,YAAA,GAAe,qBAAqB,CAAA,EAAG;AACzC,IAAA,OAAO,YAAA;AACT,EAAA;AAEA,EAAA,IAAI,UAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,IAAa,OAAO,UAAU,QAAA,EAAU;AAC
tE,IAAA,OAAO,YAAA;AACT,EAAA;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,IAAIC,iBAAgB,YAAA,GAAe,CAAA;AACnC,IAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,MAAA,MAAM,UAAA,GAAa,YAAA,CAAa,IAAA,EAAM,YAAA,GAAe,CAAC,CAAA;AACtD,MAAA,IAAI,UAAA,GAAaA,gBAAeA,cAAAA,GAAgB,UAAA;AAClD,IAAA;AACA,IAAA,OAAOA,cAAAA;AACT,EAAA;AAEA,EAAA,IAAI,gBAAgB,YAAA,GAAe,CAAA;AACnC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,KAAgC,CAAA,EAAG;AAC/D,IAAA,MAAM,UAAA,GAAa,YAAA;AAChB,MAAA,KAAA,CAAkC,GAAG,CAAA;MACtC,YAAA,GAAe;AAAA,KAAA;AAEjB,IAAA,IAAI,UAAA,GAAa,eAAe,aAAA,GAAgB,UAAA;AAClD,EAAA;AACA,EAAA,OAAO,aAAA;AACT;AChGO,IAAM,0BAAA,GACX,OAAO,MAAA,CAAO;EACZ,aAAA,EAAe,IAAA;EACf,cAAA,EAAgB,IAAA;EAChB,aAAA,EAAe,IAAA;EACf,WAAA,EAAa,IAAA;EACb,YAAA,EAAc,IAAA;EACd,IAAA,EAAM,IAAA;EACN,YAAA,EAAc;AAChB,CAAC,CAAA;AAIH,IAAM,uBAAA,GAA0B;AAC9B,EAAA,QAAA;;AACA,EAAA,QAAA;;AACA,EAAA,SAAA;;AACA,EAAA,QAAA;;AACA,EAAA,QAAA;;AACA,EAAA,aAAA;;AACA,EAAA;;AACF,CAAA;AAEA,IAAM,eAAA,GAAkB;AACtB,EAAA,gBAAA;AACA,EAAA,gBAAA;AACA,EAAA,WAAA;AACA,EAAA,UAAA;AACA,EAAA,wBAAA;AACA,EAAA,wBAAA;AACA,EAAA,WAAA;AACA,EAAA,KAAA;AACA,EAAA,cAAA;;AACA,EAAA,qBAAA;;AACA,EAAA,aAAA;;AACA,EAAA,iBAAA;;AACA,EAAA,iBAAA;;AACA,EAAA,gBAAA;;AACA,EAAA,UAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,oBAAoB,KAAA,EAAwB;AAC1D,EAAA,KAAA,MAAW,WAAW,uBAAA,EAAyB;AAC7C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,KAAA,MAAW,WAAW,eAAA,EAAiB;AACrC,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,wBAAA,GAA2B;AAC/B,EAAA,QAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,IAAA;;AACA,EAAA,MAAA;;AACA,EAAA,WAAA;;AACA,EAAA,WAAA;;AACA,EAAA,aAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,qBAAqB,KAAA,EAAwB;AAC3D,EAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,uBAAA,GAA0B,CAAA;AAEzB,SAAS,oBAAoB,KAAA,EAAwB;AAE1D,EAAA,IAAI,KAAA,CAAM,QAAA,CAAS,IAAI
,CAAA,EAAG,OAAO,IAAA;AAGjC,EAAA,MAAM,iBAAiB,KAAA,CAAM,KAAA,CAAM,KAAK,CAAA,IAAK,EAAA,EAAI,MAAA;AACjD,EAAA,IAAI,aAAA,GAAgB,yBAAyB,OAAO,IAAA;AAEpD,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,aAAA,GAAgB;AACpB,EAAA,0BAAA;AACA,EAAA,4CAAA;AACA,EAAA,wBAAA;AACA,EAAA,qBAAA;;AACA,EAAA,2CAAA;;AACA,EAAA,uCAAA;;AACA,EAAA,wBAAA;;AACA,EAAA,wBAAA;;AACA,EAAA,6BAAA;;AACA,EAAA,yBAAA;;;AAEA,EAAA,sBAAA;;AACA,EAAA,sBAAA;;AACA,EAAA,+BAAA;;AACA,EAAA,6BAAA;;AACA,EAAA,4BAAA;;AACA,EAAA,iDAAA;;AACA,EAAA,kCAAA;;AACA,EAAA,kCAAA;;;AAEA,EAAA,4BAAA;;AAEA,EAAA;AACF,CAAA;AAMA,SAAS,gBAAgB,KAAA,EAAwB;AAC/C,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,kCAAkC,CAAA;AAC5D,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,KAAA,CAAM,CAAC,GAAG,OAAO,KAAA;AAEhC,EAAA,MAAM,OAAA,GAAU,QAAA,CAAS,KAAA,CAAM,CAAC,GAAG,EAAE,CAAA;AACrC,EAAA,IAAI,KAAA,CAAM,OAAO,CAAA,IAAK,OAAA,GAAU,YAAY,OAAO,KAAA;AAGnD,EAAA,OACG,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,aAAc,OAAA,IAAW,SAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;EACrC,OAAA,KAAY,CAAA;AAEhB;AAEO,SAAS,WAAW,KAAA,EAAwB;AACjD,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AACnC,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AAEA,EAAA,IAAI,eAAA,CAAgB,KAAK,CAAA,EAAG,OAAO,IAAA;AACnC,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,sBAAA,GAAyB;AAC7B,EAAA,sCAAA;;AACA,EAAA,kEAAA;;AACA,EAAA,0BAAA;;AACA,EAAA,SAAA;;AACA,EAAA,mBAAA;;AACA,EAAA,eAAA;;AACA,EAAA,mBAAA;;AACA,EAAA,oBAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,mBAAmB,KAAA,EAAwB;AACzD,EAAA,KAAA,MAAW,WAAW,sBAAA,EAAwB;AAC5C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIO,SAAS,iBAAA,CACd,KAAA,EACA,SAAA,GAAoB,IAAA,EACX;AACT,EAAA,OAAO,MAAM,MAAA,IAAU,SAAA;AACzB;AASA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,4BAAA,GAA+B,EAAA;AAE9B,SAAS,mBAAmB,KAAA,EAAwB;AACzD,EAAA,IAAI,KAAA,CAAM,MAAA,GAAS,4BAAA,EAA8B,OAAO,IAAA;AAExD,EAAA,MAAM,OAAA,GAAU,wBAAwB,KAAK,CAAA;AAC7C,EAAA,OAAO,OAAA,IAAW,iBAAA;AACpB;AAEA,SAAS,wBAAwB,GAAA,EAAqB;AACpD,EAAA,MAAM,IAAA,uBAAW,GAAA,EAAA;AACjB,EAAA,KAAA,MA
AW,QAAQ,GAAA,EAAK;AACtB,IAAA,IAAA,CAAK,IAAI,IAAA,EAAA,CAAO,IAAA,CAAK,IAAI,IAAI,CAAA,IAAK,KAAK,CAAC,CAAA;AAC1C,EAAA;AAEA,EAAA,IAAI,OAAA,GAAU,CAAA;AACd,EAAA,MAAM,MAAM,GAAA,CAAI,MAAA;AAChB,EAAA,KAAA,MAAW,KAAA,IAAS,IAAA,CAAK,MAAA,EAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA,GAAQ,GAAA;AAClB,IAAA,IAAI,IAAI,CAAA,EAAG;AACT,MAAA,OAAA,IAAW,CAAA,GAAI,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA;AAC5B,IAAA;AACF,EAAA;AACA,EAAA,OAAO,OAAA;AACT;AAQO,SAAS,aAAA,CACd,KAAA,EACA,KAAA,EACA,MAAA,GAA2B,0BAAA,EACP;AACpB,EAAA,MAAM,UAA4B,EAAA;AAElC,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAE7B,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,OAAO,cAAA,CAAe,KAAA,EAAO,KAAA,EAAO,MAAM,CAAA;AAC5C,IAAA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,IAAA,EAAM,OAAA,EAAS,EAAA,EAAC;AACjC,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,aAAA,IAAiB,mBAAA,CAAoB,KAAK,CAAA,EAAG;AACtD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,gBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,cAAA,IAAkB,oBAAA,CAAqB,KAAK,CAAA,EAAG;AACxD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,iBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,aAAA,IAAiB,mBAAA,CAAoB,KAAK,CAAA,EAAG;AACtD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,gBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,CAAC,iBAAA,CAAkB,KAAA,EAAO,MAAA,CAAO,WAAW,CAAA,EAAG;AACjD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,iBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,CAAA,CAAA,EAAI,MAAM,MAAM,CAAA,OAAA,CAAA;MACvB,WAAA,EAAa,CAAA,gCAAA,EAAmC,OAAO,WAAW,CAAA;KACnE,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,CAAC,kBAAA,CAAmB,KAAK,CAAA,EAAG;AACrD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,cAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,IAAA,IAAQ,UAAA,CAAW,KAAK,CAAA,EAAG;AACpC,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,MAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa
;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,kBAAA,CAAmB,KAAK,CAAA,EAAG;AACpD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,eAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAA,EAAA;AACvC;AAKA,SAAS,cAAA,CACP,QAAA,EACA,GAAA,EACA,MAAA,EACoB;AACpB,EAAA,MAAM,UAA4B,EAAA;AAElC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAA,EAAK,GAAA,CAAI,CAAC,CAAA,EAAG,MAAM,CAAA;AAChE,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,MAAA,CAAO,OAAO,CAAA;AAChC,IAAA;EACF,CAAA,MAAO;AACL,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,KAAK,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC5C,MAAA,MAAM,MAAA,GAAS,cAAc,CAAA,EAAG,QAAQ,IAAI,GAAG,CAAA,CAAA,EAAI,KAAK,MAAM,CAAA;AAC9D,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,MAAA,CAAO,OAAO,CAAA;AAChC,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAA,EAAA;AACvC;AAEA,SAAS,QAAA,CAAS,KAAa,MAAA,EAAwB;AACrD,EAAA,OAAO,GAAA,CAAI,SAAS,MAAA,GAAS,GAAA,CAAI,MAAM,CAAA,EAAG,MAAM,IAAI,KAAA,GAAQ,GAAA;AAC9D;ACnVO,IAAM,yBAAA,GAA4B,EAAA;AAClC,IAAM,eAAA,GAAkB,OAAA;AACxB,IAAM,iBAAA,GAAoB,EAAA;AChC1B,SAAS,cAAc,IAAA,EAAsB;AAElD,EAAA,IAAI,UAAA,GAAa,IAAA,CAAK,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA;AAGxC,EAAA,IAAI,WAAW,MAAA,GAAS,CAAA,IAAK,UAAA,CAAW,QAAA,CAAS,GAAG,CAAA,EAAG;AACrD,IAAA,UAAA,GAAa,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AACrC,EAAA;AAGA,EAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI,IAAA,KAAS,GAAA,IAAO,IAAA,KAAS,EAAA,EAAI;AAC/B,MAAA,IAAI,QAAA,CAAS,MAAA,KAAW,CAAA,EAAG,QAAA,CAAS,KAAK,EAAE,CAAA;AAC3C,MAAA;AACF,IAAA;AACA,IAAA,IAAI,SAAS,IAAA,EAAM;AACjB,MAAA,IAAI,QAAA,CAAS,SAAS,CAAA,EAAG;AACvB,QAAA,QAAA,CAAS,GAAA,EAAA;AACX,MAAA;AACA,MAAA;AACF,IAAA;AACA,IAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AACpB,EAAA;AAEA,EAAA,OAAO,QAAA,CAAS,IAAA,CAAK,GAAG,CAAA,IAAK,GAAA;AAC/B;AAMO,SAA
S,YAAA,CAAa,MAAc,IAAA,EAAuB;AAChE,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AACzC,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AAGzC,EAAA,IAAI,cAAA,KAAmB,gBAAgB,OAAO,IAAA;AAC9C,EAAA,OAAO,cAAA,CAAe,UAAA,CAAW,cAAA,GAAiB,GAAG,CAAA;AACvD;AAWO,SAAS,gBAAA,CAAiB,MAAc,OAAA,EAA0B;AACvE,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AACzC,EAAA,MAAM,iBAAA,GAAoB,cAAc,OAAO,CAAA;AAE/C,EAAA,IAAI,iBAAA,KAAsB,KAAK,OAAO,IAAA;AACtC,EAAA,IAAI,iBAAA,KAAsB,gBAAgB,OAAO,IAAA;AAEjD,EAAA,MAAM,YAAA,GAAe,iBAAA,CAAkB,KAAA,CAAM,GAAG,CAAA;AAChD,EAAA,MAAM,SAAA,GAAY,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAE1C,EAAA,OAAO,UAAA,CAAW,SAAA,EAAW,CAAA,EAAG,YAAA,EAAc,CAAC,CAAA;AACjD;AAEA,SAAS,UAAA,CACP,SAAA,EACA,EAAA,EACA,YAAA,EACA,EAAA,EACS;AACT,EAAA,OAAO,EAAA,GAAK,SAAA,CAAU,MAAA,IAAU,EAAA,GAAK,aAAa,MAAA,EAAQ;AACxD,IAAA,MAAM,OAAA,GAAU,aAAa,EAAE,CAAA;AAE/B,IAAA,IAAI,YAAY,IAAA,EAAM;AAEpB,MAAA,IAAI,EAAA,KAAO,YAAA,CAAa,MAAA,GAAS,CAAA,EAAG,OAAO,IAAA;AAG3C,MAAA,KAAA,IAAS,CAAA,GAAI,EAAA,EAAI,CAAA,IAAK,SAAA,CAAU,QAAQ,CAAA,EAAA,EAAK;AAC3C,QAAA,IAAI,WAAW,SAAA,EAAW,CAAA,EAAG,YAAA,EAAc,EAAA,GAAK,CAAC,CAAA,EAAG;AAClD,UAAA,OAAO,IAAA;AACT,QAAA;AACF,MAAA;AACA,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,IAAI,YAAY,GAAA,EAAK;AAEnB,MAAA,EAAA,EAAA;AACA,MAAA,EAAA,EAAA;AACA,MAAA;AACF,IAAA;AAEA,IAAA,IAAI,OAAA,KAAY,SAAA,CAAU,EAAE,CAAA,EAAG;AAC7B,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,EAAA,EAAA;AACA,IAAA,EAAA,EAAA;AACF,EAAA;AAGA,EAAA,OAAO,KAAK,YAAA,CAAa,MAAA,IAAU,YAAA,CAAa,EAAE,MAAM,IAAA,EAAM;AAC5D,IAAA,EAAA,EAAA;AACF,EAAA;AAEA,EAAA,OAAO,EAAA,KAAO,SAAA,CAAU,MAAA,IAAU,EAAA,KAAO,YAAA,CAAa,MAAA;AACxD;AAWO,SAAS,aAAA,CACd,MACA,WAAA,EACS;AAET,EAAA,IAAI,YAAY,aAAA,EAAe;AAC7B,IAAA,IAAI,CAAC,YAAA,CAAa,IAAA,EAAM,WAAA,CAAY,aAAa,CAAA,EAAG;AAClD,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AAGA,EAAA,IAAI,WAAA,CAAY,MAAA,IAAU,WAAA,CAAY,MAAA,CAAO,SAAS,CAAA,EAAG;AACvD,IAAA,KAAA,MAAW,OAAA,IAAW,YAAY,MAAA,EAAQ;AACxC,MAAA,IAAI,gBAAA,CAAiB,IAAA,EAAM,OAAO,CAAA,EAAG;AACnC,QAAA,OAAO,KAAA;AACT,MAAA;AACF,IAAA;AACF,EAAA;AAGA,EAAA,IAAI,WAAA,CAAY,OAAA,IAAW,WAAA,CAAY,OAAA,CAAQ,SAAS,CAAA,EAAG;AACzD,IAAA,IAAI,cAAA,GAAiB,
KAAA;AACrB,IAAA,KAAA,MAAW,OAAA,IAAW,YAAY,OAAA,EAAS;AACzC,MAAA,IAAI,gBAAA,CAAiB,IAAA,EAAM,OAAO,CAAA,EAAG;AACnC,QAAA,cAAA,GAAiB,IAAA;AACjB,QAAA;AACF,MAAA;AACF,IAAA;AACA,IAAA,IAAI,CAAC,gBAAgB,OAAO,KAAA;AAC9B,EAAA;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBACd,IAAA,EACU;AACV,EAAA,MAAM,QAAkB,EAAA;AAExB,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA,EAAG;AACvC,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,KAAa,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,IAAK,KAAA,CAAM,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI;AAC9E,MAAA,KAAA,CAAM,KAAK,KAAK,CAAA;AAClB,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,KAAA;AACT;AC1KO,SAAS,kBAAA,CACd,MACA,OAAA,EACS;AACT,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,EAAS,OAAO,KAAA;AAC1B,EAAA,IAAI,IAAA,CAAK,UAAA,KAAe,OAAA,CAAQ,kBAAA,EAAoB,OAAO,KAAA;AAC3D,EAAA,IAAI,CAAC,kBAAA,CAAmB,IAAA,CAAK,aAAa,OAAA,CAAQ,QAAQ,GAAG,OAAO,KAAA;AACpE,EAAA,IAAI,CAAC,sBAAA,CAAuB,OAAA,CAAQ,QAAQ,UAAA,EAAY,IAAA,CAAK,iBAAiB,CAAA,EAAG;AAC/E,IAAA,OAAO,KAAA;AACT,EAAA;AACA,EAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,IAAA,IAAI,CAAC,wBAAA,CAAyB,IAAA,CAAK,mBAAA,EAAqB,OAAA,CAAQ,SAAS,CAAA,EAAG;AAC1E,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AACA,EAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,IAAA,IAAI,CAAC,oBAAA,CAAqB,IAAA,CAAK,eAAA,EAAiB,OAAA,CAAQ,SAAS,CAAA,EAAG;AAClE,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAWO,SAAS,kBAAA,CAAmB,SAAiB,QAAA,EAA2B;AAC7E,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA;AAEzC,EAAA,IAAI,kBAAkB,YAAA,EAAc;AAElC,IAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AACjC,IAAA,OAAO,KAAA,CAAM,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,SAAS,KAAK,CAAA;AACpD,EAAA;AACA,EAAA,IAAI,YAAA,EAAc;AAEhB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAClC,IAAA,OAAO,QAAA,CAAS,WAAW,MAAM,CAAA;AACnC,EAAA;AACA,EAAA,IAAI,cAAA,EAAgB;AAElB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA;AAC9B,IAAA,OAAO,QAAA,CAAS,SAAS,MAAM,CAAA;AACjC,EAAA;AAEA,EAAA,OAAO,OAAA,KAAY,QAAA;AACrB;AAEA,IAAM,iBAAA,GAA4C;EAChD,CAAC,UAAA,CAAW,SAAS,GAAG,CAAA;EACxB,CAAC,UAAA,CAAW,QAAQ,
GAAG,CAAA;EACvB,CAAC,UAAA,CAAW,OAAO,GAAG;AACxB,CAAA;AAEO,SAAS,sBAAA,CACd,QACA,OAAA,EACS;AACT,EAAA,OAAA,CAAQ,kBAAkB,MAAM,CAAA,IAAK,EAAA,MAAQ,iBAAA,CAAkB,OAAO,CAAA,IAAK,QAAA,CAAA;AAC7E;AAiBA,SAAS,wBAAA,CACP,aACA,IAAA,EACS;AACT,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,UAAU,KAAK,MAAA,CAAO,OAAA,CAAQ,WAAW,CAAA,EAAG;AAC3D,IAAA,IAAI,EAAE,GAAA,IAAO,IAAA,CAAA,EAAO,OAAO,KAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,KAAK,GAAG,CAAA;AAGzB,IAAA,IAAI,OAAO,eAAe,QAAA,EAAU;AAClC,MAAA,IAAI,eAAe,GAAA,EAAK;AACxB,MAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,QAAA,IAAI,QAAA,KAAa,YAAY,OAAO,KAAA;MACtC,CAAA,MAAO;AACL,QAAA,OAAO,KAAA;AACT,MAAA;AACA,MAAA;AACF,IAAA;AAGA,IAAA,IAAI,OAAO,eAAe,QAAA,IAAY,UAAA,KAAe,QAAQ,CAAC,KAAA,CAAM,OAAA,CAAQ,UAAU,CAAA,EAAG;AACvF,MAAA,MAAM,GAAA,GAAM,UAAA;AACZ,MAAA,MAAM,QAAA,GAAW,OAAO,QAAA,KAAa,QAAA,GAAW,QAAA,GAAW,MAAA;AAC3D,MAAA,MAAM,QAAA,GAAW,OAAO,QAAA,KAAa,QAAA,GAAW,QAAA,GAAW,MAAA;AAE3D,MAAA,IAAI,WAAA,IAAe,GAAA,IAAO,OAAO,GAAA,CAAI,cAAc,QAAA,EAAU;AAC3D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,SAAS,GAAA,CAAI,SAAS,GAAG,OAAO,KAAA;AAC7D,MAAA;AACA,MAAA,IAAI,cAAA,IAAkB,GAAA,IAAO,OAAO,GAAA,CAAI,iBAAiB,QAAA,EAAU;AACjE,QAAA,IAAI,YAAY,QAAA,CAAS,QAAA,CAAS,GAAA,CAAI,YAAY,GAAG,OAAO,KAAA;AAC9D,MAAA;AACA,MAAA,IAAI,aAAA,IAAiB,GAAA,IAAO,OAAO,GAAA,CAAI,gBAAgB,QAAA,EAAU;AAC/D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,WAAW,GAAA,CAAI,WAAW,GAAG,OAAO,KAAA;AACjE,MAAA;AACA,MAAA,IAAI,WAAA,IAAe,GAAA,IAAO,OAAO,GAAA,CAAI,cAAc,QAAA,EAAU;AAC3D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,SAAS,GAAA,CAAI,SAAS,GAAG,OAAO,KAAA;AAC7D,MAAA;AACA,MAAA,IAAI,SAAS,GAAA,IAAO,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA,EAAG;AAC1C,QAAA,IAAI,CAAC,GAAA,CAAI,GAAA,CAAI,QAAA,CAAS,QAAQ,GAAG,OAAO,KAAA;AAC1C,MAAA;AACA,MAAA,IAAI,YAAY,GAAA,IAAO,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AAChD,QAAA,IAAI,GAAA,CAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAG,OAAO,KAAA;AAC5C,MAAA;AACA,MAAA,IAAI,KAAA,IAAS,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,QAAA,EAAU;AAC/C,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,IAAY,GAAA,CAAI,KAAK,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,KAAA,IAAS,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,QAAA,EAAU;AAC/C,QAAA
,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,IAAY,GAAA,CAAI,KAAK,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,MAAA,IAAU,GAAA,IAAO,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AACjD,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,GAAW,GAAA,CAAI,MAAM,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,MAAA,IAAU,GAAA,IAAO,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AACjD,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,GAAW,GAAA,CAAI,MAAM,OAAO,KAAA;AAC5D,MAAA;AAEA,MAAA;AACF,IAAA;AACF,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,oBAAA,CACP,aACA,IAAA,EACS;AACT,EAAA,MAAM,KAAA,GAAQ,qBAAqB,IAAI,CAAA;AAGvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAG/B,EAAA,OAAO,MAAM,KAAA,CAAM,CAAC,SAAS,aAAA,CAAc,IAAA,EAAM,WAAW,CAAC,CAAA;AAC/D;AClJO,SAAS,cAAA,CACd,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAA;AAE9B,EAAA,MAAM,WAAA,GAAc,CAAC,GAAG,SAAA,CAAU,KAAK,CAAA,CAAE,IAAA;AACvC,IAAA,CAAC,CAAA,EAAG,CAAA,KAAM,CAAA,CAAE,QAAA,GAAW,CAAA,CAAE;AAAA,GAAA;AAG3B,EAAA,KAAA,MAAW,QAAQ,WAAA,EAAa;AAC9B,IAAA,IAAI,kBAAA,CAAmB,IAAA,EAAM,OAAO,CAAA,EAAG;AACrC,MAAA,MAAMC,QAAAA,GAAU,YAAY,GAAA,EAAA;AAC5B,MAAA,OAAO;AACL,QAAA,MAAA,EAAQ,IAAA,CAAK,MAAA;QACb,WAAA,EAAa,IAAA;AACb,QAAA,MAAA,EAAQ,CAAA,cAAA,EAAiB,IAAA,CAAK,EAAE,CAAA,GAAA,EAAM,KAAK,WAAW,CAAA,CAAA;QACtD,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AACtB,QAAA,gBAAA,EAAkBA,QAAAA,GAAU;AAAA,OAAA;AAEhC,IAAA;AACF,EAAA;AAEA,EAAA,MAAM,OAAA,GAAU,YAAY,GAAA,EAAA;AAC5B,EAAA,OAAO;IACL,MAAA,EAAQ,qBAAA;IACR,WAAA,EAAa,IAAA;IACb,MAAA,EAAQ,sDAAA;IACR,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AACtB,IAAA,gBAAA,EAAkB,OAAA,GAAU,SAAA;IAC5B,QAAA,EAAU;AACR,MAAA,cAAA,EAAgB,WAAA,CAAY,MAAA;AAC5B,MAAA,OAAA,EAAS,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;MACpC,cAAA,EAAgB;AACd,QAAA,IAAA,EAAM,OAAA,CAAQ,QAAA;AACd,QAAA,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,EAAE;AAAA;AAChD;AACF,GAAA;AAEJ;AC/CO,SAAS,mBAAmB,KAAA,EAAkC;AACnE,EAAA,MAAM,SAAmB,EAAA;AACzB,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,SAAA,CAAU,KAAK,CAAA;AAC/C,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,OAAO;MACL,KAAA,EAAO,KAAA;MACP,MAAA,EAAQ,MAAA,CAAO,MAAM,MAAA,CAAO,GAAA;QAC1B
,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA;AAAA,OAAA;AAE1C,MAAA,QAAA,EAAU;AAAC,KAAA;AAEf,EAAA;AAEA,EAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,EAAA,IAAI,IAAA,CAAK,WAAA,KAAgB,GAAA,IAAO,IAAA,CAAK,WAAW,OAAA,EAAS;AACvD,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,cAAc,CAAA;AAC5D,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,sBAAsB,SAAA,EAAW;AACxC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,sBAAsB,CAAA;AACpE,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,eAAe,SAAA,EAAW;AACjC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,sBAAsB,CAAA;AACpE,EAAA;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAA;AAChC;AAEO,SAAS,kBAAkB,KAAA,EAAkC;AAClE,EAAA,MAAM,SAAmB,EAAA;AACzB,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,SAAA,CAAU,KAAK,CAAA;AAC9C,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,OAAO;MACL,KAAA,EAAO,KAAA;MACP,MAAA,EAAQ,MAAA,CAAO,MAAM,MAAA,CAAO,GAAA;QAC1B,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA;AAAA,OAAA;AAE1C,MAAA,QAAA,EAAU;AAAC,KAAA;AAEf,EAAA;AAEA,EAAA,MAAM,YAAY,MAAA,CAAO,IAAA;AAEzB,EAAA,IAAI,SAAA,CAAU,KAAA,CAAM,MAAA,GAAS,wBAAA,EAA0B;AACrD,IAAA,MAAA,CAAO,IAAA;AACL,MAAA,CAAA,8BAAA,EAAiC,wBAAwB,CAAA,MAAA;AAAA,KAAA;AAE7D,EAAA;AAEA,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAA;AACpB,EAAA,KAAA,MAAW,IAAA,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,EAAE,CAAA,EAAG;AACxB,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,oBAAA,EAAuB,IAAA,CAAK,EAAE,CAAA,CAAA,CAAG,CAAA;AAC/C,IAAA;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,EAAE,CAAA;AACrB,EAAA;AAEA,EAAA,KAAA,MAAW,IAAA,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,MAAM,UAAA,GAAa,mBAAmB,IAAI,CAAA;AAC1C,IAAA,QAAA,CAAS,IAAA,CAAK,GAAG,UAAA,CAAW,QAAQ,CAAA;AACtC,EAAA;AAEA,EAAA,MAAM,WAAA,GAAc,UAAU,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AACnE,EAAA,IAAI,CAAC,WAAA,IAAe,SAAA,CAAU,KAAA,CAAM,SAAS,CAAA,EAAG;AAC9C,IAAA,QAAA,CAAS,IAAA;AACP,MAAA;AAAA,KAAA;AAEJ,EAAA;AAEA,EAAA,OAAO;AACL,IAAA,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AACzB,IAAA,MAAA;AACA,IAAA;AAAA,GAAA;AAEJ;AChFO,SAAS,wBACd,SAAA,EAC4B;AAC5B,EAAA,MAAM,WAA8B,EAAA;AAEpC,EAAA,KAAA,MAAW,IAA
A,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,QAAA,CAAS,IAAA,CAAK,GAAG,mBAAA,CAAoB,IAAI,CAAC,CAAA;AAC5C,EAAA;AAEA,EAAA,MAAM,UAAA,GAAa,UAAU,KAAA,CAAM,MAAA;AACjC,IAAA,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW,OAAA,IAAW,CAAA,CAAE;AAAA,GAAA;AAEnC,EAAA,MAAM,iBAAiB,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,gBAAgB,GAAG,CAAA;AAErE,EAAA,IAAI,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7B,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,UAAA;MACP,IAAA,EAAM,gBAAA;AACN,MAAA,OAAA,EAASC,6BAAAA,CAA8B,cAAA;MACvC,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,QAAA;AACT;AAEA,SAAS,oBAAoB,IAAA,EAAqC;AAChE,EAAA,MAAM,WAA8B,EAAA;AAEpC,EAAA,IAAI,IAAA,CAAK,MAAA,KAAW,OAAA,IAAW,IAAA,CAAK,sBAAsB,WAAA,EAAa;AACrE,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,UAAA;MACP,IAAA,EAAM,iBAAA;MACN,OAAA,EAAS,CAAA,MAAA,EAAS,KAAK,EAAE,CAAA,qFAAA,CAAA;AACzB,MAAA,MAAA,EAAQ,IAAA,CAAK,EAAA;MACb,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,MAAA,KAAW,OAAA,IAAW,IAAA,CAAK,eAAe,SAAA,EAAW;AAC5D,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,SAAA;MACP,IAAA,EAAM,eAAA;AACN,MAAA,OAAA,EAASA,6BAAAA,CAA8B,sBAAA;AACvC,MAAA,MAAA,EAAQ,IAAA,CAAK,EAAA;MACb,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,QAAA;AACT;AC1DO,SAAS,0BAAA,GAAwC;AACtD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;IACL,EAAA,EAAI,cAAA;IACJ,IAAA,EAAM,kBAAA;IACN,WAAA,EACE,yFAAA;IACF,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;QACE,EAAA,EAAI,kBAAA;QACJ,WAAA,EAAa,qCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,OAAA;AACvB,QAAA,iBAAA,EAAmBC,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,gBAAA;QACJ,WAAA,EAAa,sCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,KAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,eAAA;QACJ,WAAA,EAAa,qCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAA
Y,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AAOO,SAAS,yBAAA,GAAuC;AACrD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;IACL,EAAA,EAAI,YAAA;IACJ,IAAA,EAAM,wBAAA;IACN,WAAA,EAAa,0GAAA;IACb,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;QACE,EAAA,EAAI,mBAAA;QACJ,WAAA,EAAa,2BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,OAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,gBAAA;QACJ,WAAA,EAAa,2BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,iBAAA;QACJ,WAAA,EAAa,4BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,KAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AAMO,SAAS,wBAAwB,WAAA,EAAgC;AACtE,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;AACL,IAAA,EAAA,EAAI,aAAa,WAAW,CAAA,CAAA;AAC5B,IAAA,IAAA,EAAM,cAAc,WAAW,CAAA,CAAA;AAC/B,IAAA,WAAA,EAAa,yCAAyC,WAAW,CAAA,4BAAA,CAAA;IACjE,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;AACE,QAAA,EAAA,EAAI,cAAc,WAAW,CAAA,CAAA;AAC7B,QAAA,WAAA,EAAa,wBAAwB,WAAW,CAAA,CAAA;AAChD,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;AACV,QAAA,WAAA;AACA,QAAA,UAAA,EAAY,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,QAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AC3HO,IAAM,eAAN,MAAmB;AAChB,EAAA,SAAA;AACS,EAAA,SAAA;AACA,EAAA,KAAA;AAEjB,EAAA,WAAA,CAAY,OAAA,EAIT;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,O
AAA,EAAS,SAAA,IAAa,0BAAA,EAAA;AACvC,IAAA,IAAA,CAAK,SAAA,GAAY,SAAS,SAAA,IAAa,4BAAA;AACvC,IAAA,IAAA,CAAK,KAAA,GAAQ,SAAS,KAAA,IAAS,IAAA;AACjC,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,OAAA,EAA2C;AAClD,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAA;AAC9B,IAAA,MAAM,QAAA,GAAW,cAAA,CAAe,IAAA,CAAK,SAAA,EAAW,OAAO,CAAA;AACvD,IAAA,MAAM,OAAA,GAAU,WAAA,CAAY,GAAA,EAAA,GAAQ,SAAA;AAEpC,IAAA,IAAI,OAAA,GAAU,KAAK,SAAA,EAAW;AAC5B,MAAA,OAAA,CAAQ,IAAA;QACN,CAAA,mCAAA,EAAsC,OAAA,CAAQ,QAAQ,CAAC,CAAC,cAC7C,IAAA,CAAK,SAAS,CAAA,cAAA,EAAiB,OAAA,CAAQ,QAAQ,CAAA,CAAA;AAAA,OAAA;AAE9D,IAAA;AAEA,IAAA,OAAO,QAAA;AACT,EAAA;;;;;AAMA,EAAA,aAAA,CACE,WACA,OAAA,EACkB;AAClB,IAAA,MAAM,UAAA,GAAa,kBAAkB,SAAS,CAAA;AAC9C,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,UAAA;AACT,IAAA;AACA,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAEjB,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,KAAA,CAAM,WAAA;AACT,QAAA,SAAA;AACA,QAAA,OAAA,EAAS,MAAA,IAAU,gBAAA;AACnB,QAAA,OAAA,EAAS,SAAA,IAAa;AAAA,OAAA;AAE1B,IAAA;AAEA,IAAA,OAAO,UAAA;AACT,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,OAAA,EAAgC;AACvC,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAChE,IAAA;AAEA,IAAA,MAAM,gBAAgB,IAAA,CAAK,KAAA,CAAM,SAAS,IAAA,CAAK,SAAA,CAAU,IAAI,OAAO,CAAA;AACpE,IAAA,IAAA,CAAK,YAAY,aAAA,CAAc,SAAA;AAC/B,IAAA,OAAO,aAAA;AACT,EAAA;EAEA,YAAA,GAAoC;AAClC,IAAA,OAAO,IAAA,CAAK,SAAA;AACd,EAAA;EAEA,mBAAA,GAAkD;AAChD,IAAA,OAAO,uBAAA,CAAwB,KAAK,SAAS,CAAA;AAC/C,EAAA;EAEA,QAAA,GAA+B;AAC7B,IAAA,OAAO,IAAA,CAAK,KAAA;AACd,EAAA;EAEA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,YAAY,0BAAA,EAAA;AACnB,EAAA;AACF;AC3EO,IAAM,cAAN,MAAkB;AACN,EAAA,QAAA,uBAAe,GAAA,EAAA;;;;;EAMhC,WAAA,CACE,SAAA,EACA,QACA,SAAA,EACe;AACf,IAAA,MAAM,KAAK,SAAA,CAAU,EAAA;AACrB,IAAA,MAAM,UAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,KAAK,EAAA;AAEzC,IAAA,MAAM,aAAA,GAAgB,QAAQ,MAAA,GAAS,CAAA,GAAI,QAAQ,OAAA,CAAQ,MAAA,GAAS,CAAC,CAAA,CAAG,OAAA,GAAU,CAAA;AAElF,IAAA,MAAM,OAAA,GAAyB;AAC7B,MAAA,OAAA,EAAS,aAAA,GAAgB,CAAA;AACzB,MAAA,SAAA,EAAW,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,WAAW,CAAA;MACzC,IAAA,EAAM,IAAA,CAAK,YAAY,SAAS,CAAA;AAChC,MAAA,MAAA;AACA,MAAA,SAAA;MACA,SAAA,EAAA,iBAA
W,IAAI,IAAA,EAAA,EAAO,WAAA;AAAY,KAAA;AAGpC,IAAA,MAAM,UAAA,GAAa,CAAC,GAAG,OAAA,EAAS,OAAO,CAAA;AACvC,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAA,EAAI,UAAU,CAAA;AAEhC,IAAA,OAAO,OAAA;AACT,EAAA;;;;AAKA,EAAA,UAAA,CAAW,IAAY,OAAA,EAAuC;AAC5D,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,CAAA;AACpC,IAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AACrB,IAAA,OAAO,QAAQ,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,OAAA,KAAY,OAAO,CAAA,IAAK,IAAA;AACvD,EAAA;;;;AAKA,EAAA,SAAA,CAAU,EAAA,EAAkC;AAC1C,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,CAAA;AACpC,IAAA,IAAI,CAAC,OAAA,IAAW,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAO,IAAA;AAC7C,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,MAAA,GAAS,CAAC,CAAA;AACnC,EAAA;;;;AAKA,EAAA,UAAA,CAAW,EAAA,EAAsC;AAC/C,IAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,KAAK,EAAA;AAClC,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,IAAY,SAAA,EAAkC;AACrD,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,EAAA,EAAI,SAAS,CAAA;AAC5C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,SAAS,CAAA,uBAAA,EAA0B,EAAE,CAAA,CAAA,CAAG,CAAA;AACrE,IAAA;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA;MACV,MAAA,CAAO,SAAA;AACP,MAAA,CAAA,oBAAA,EAAuB,SAAS,CAAA,CAAA;AAChC,MAAA;AAAA,KAAA;AAEJ,EAAA;;;;AAKA,EAAA,IAAA,CAAK,IAAmB,EAAA,EAA+B;AACrD,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,EAAA,CAAG,UAAU,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,EAAA,EAAI,CAAC,CAAC,CAAC,CAAA;AACpE,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,EAAA,CAAG,UAAU,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,EAAA,EAAI,CAAC,CAAC,CAAC,CAAA;AAEpE,IAAA,MAAM,QAAsB,EAAA;AAC5B,IAAA,MAAM,UAAwB,EAAA;AAC9B,IAAA,MAAM,WAAmD,EAAA;AAGzD,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,WAAA,EAAa;AACvC,MAAA,MAAM,OAAA,GAAU,WAAA,CAAY,GAAA,CAAI,EAAE,CAAA;AAClC,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AACpB,MAAA,CAAA,MAAA,IAAW,KAAK,SAAA,CAAU,OAAO,MAAM,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA,EAAG;AAC9D,QAAA,QAAA,CAAS,KAAK,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,SAAS,CAAA;AAC9C,MAAA;AACF,IAAA;AAGA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,WAAA,EAAa;AACvC,MAAA,IAAI,CAAC,WAAA,CAAY,GAAA,CAAI,EAAE,CAAA,EAAG;AACxB,QAAA
,OAAA,CAAQ,KAAK,OAAO,CAAA;AACtB,MAAA;AACF,IAAA;AAEA,IAAA,OAAO,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAA;AAC3B,EAAA;;;;AAKA,EAAA,WAAA,CAAY,SAAA,EAA8B;AACxC,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU,SAAA,EAAW,OAAO,IAAA,CAAK,SAAS,CAAA,CAAE,IAAA,EAAM,CAAA;AAC1E,IAAA,OAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,UAAU,CAAA,CAAE,OAAO,KAAK,CAAA;AAC7D,EAAA;AACF;;;ACvHO,IAAM,cAAA,GAA4C,OAAO,MAAA,CAAO;AAAA,EACrE,eAAA,EAAiB,IAAA;AAAA,EACjB,aAAA,EAAe,IAAA;AAAA,EACf,QAAA,EAAU,MAAA;AAAA,EACV,mBAAA,EAAqB,GAAA;AAAA,EACrB,aAAA,EAAe,KAAA;AAAA,EACf,wBAAA,EAA0B,GAAA;AAAA,EAC1B,gBAAA,EAAkB,EAAA;AAAA,EAClB,eAAA,EAAiB,EAAA;AAAA,EACjB,gBAAA,EAAkB,0BAAA;AAAA,EAClB,uBAAA,EAAyB;AAC3B,CAAC;AAEM,SAAS,cACd,UAAA,EACiD;AACjD,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,MAAA,GAAS,EAAE,GAAG,cAAA,EAAgB,GAAG,UAAA,EAAW;AAElD,EAAA,IAAI,CAAC,OAAO,eAAA,EAAiB;AAC3B,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,mBAAmB,CAAA;AAAA,EACjE;AACA,EAAA,IAAI,MAAA,CAAO,6BAA6B,CAAA,EAAG;AACzC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,eAAe,CAAA;AAAA,EAC7D;AACA,EAAA,IAAI,OAAO,aAAA,EAAe;AACxB,IAAA,QAAA,CAAS,IAAA;AAAA,MACP;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,EAAA,EAAI;AACxD,IAAA,QAAA,CAAS,IAAA;AAAA,MACP;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,QAAQ,QAAA,EAAS;AAC5B;ACbA,eAAsB,iBAAA,CACpB,MAAA,EACA,YAAA,EACA,OAAA,EAC4B;AAC5B,EAAA,MAAM,YAAY,UAAA,EAAW;AAC7B,EAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEzC,EAAA,MAAM,OAAA,GAAU,qBAAA,CAAsB,EAAE,SAAA,EAAW,CAAA;AAEnD,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,OAAA;AAAA,IACA,UAAU,MAAA,CAAO,IAAA;AAAA,IACjB,UAAA,EAAY,SAAA;AAAA,IACZ,SAAA,EAAW,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,IAChC,oBAAoB,UAAA,CAAW,OAAA;AAAA,IAC/B;AAAA,GACF;AAGA,EAAA,IAAI,QAAQ,WAAA,EAAa;AAEvB,IAAA,IAAI,QAAQ,gBAAA,EAAkB;AAC5B,MAAA,MAAM,SAAA,GAAY,QAAQ,WAAA,CAAY,UAAA;AAAA,QACpC,MAAA,CAAO,IAAA;AAAA,QACP,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,UAAU,OAAA,EAAS;AACtB,QAAA,MAAM,MAAA,GAA0B;AAAA,UAC9B,MAAA,EAAQ,OAAA;AAAA,UACR,OAAA;AAAA,UACA,OAAO,IAAI,cAAA,CAAe,MAAA,CAAO,IAAA,EAAM,QAAQ,gBAAgB,CAAA;AAAA,UAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAA
Y,SACpC;AACA,QAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,QAAA,OAAO,sBAAA;AAAA,UACL,CAAA,8BAAA,EAAiC,OAAO,IAAI,CAAA,CAAA;AAAA,SAC9C;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,wBAAA,EAA0B;AACpC,MAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,CAAY,gBAAA;AAAA,QACtC,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,YAAY,OAAA,EAAS;AACxB,QAAA,MAAM,MAAA,GAA0B;AAAA,UAC9B,MAAA,EAAQ,OAAA;AAAA,UACR,OAAA;AAAA,UACA,KAAA,EAAO,IAAI,cAAA,CAAe,GAAA,EAAK,QAAQ,wBAAwB,CAAA;AAAA,UAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC;AACA,QAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,QAAA,OAAO,uBAAuB,4BAA4B,CAAA;AAAA,MAC5D;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,eAAA,IAAmB,MAAA,CAAO,SAAA,EAAW;AAC/C,IAAA,MAAM,WAAA,GAAc,QAAQ,gBAAA,IAAoB,0BAAA;AAChD,IAAA,MAAM,YAAA,GAAe,aAAA,CAAc,WAAA,EAAa,MAAA,CAAO,WAAW,WAAW,CAAA;AAE7E,IAAA,IAAI,CAAC,aAAa,IAAA,EAAM;AACtB,MAAA,MAAM,kBAAA,GAAqB,aAAa,OAAA,CAAQ,GAAA;AAAA,QAC9C,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAI,KAAK,CAAA,CAAE,WAAW,CAAA,SAAA,EAAY,CAAA,CAAE,KAAK,CAAA,CAAA;AAAA,OACvD;AACA,MAAA,MAAM,MAAA,GAA0B;AAAA,QAC9B,MAAA,EAAQ,OAAA;AAAA,QACR,OAAA;AAAA,QACA,KAAA,EAAO,IAAI,qBAAA,CAAsB,MAAA,CAAO,MAAM,kBAAkB,CAAA;AAAA,QAChE,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACpC;AACA,MAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,MAAA,MAAM,SAAS,OAAA,CAAQ,aAAA,GACnB,4BAA4B,YAAA,CAAa,OAAA,CAAQ,MAAM,CAAA,mBAAA,CAAA,GACvD,0BAAA;AACJ,MAAA,OAAO,uBAAuB,MAAM,CAAA;AAAA,IACtC;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,YAAA,CAAa,QAAA,CAAS,OAAO,CAAA;AAEtD,EAAA,IAAI,QAAA,CAAS,WAAW,MAAA,EAAQ;AAC9B,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,QAAA;AAAA,MACR,OAAA;AAAA,MACA,QAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,aAAA,GACnB,QAAA,CAAS,MAAA,GACT,2CAAA;AACJ,IAAA,OAAO,uBAAuB,MAAM,CAAA;AAAA,EACtC;AAGA,EAAA,IAAI,eAAA;AACJ,EAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,IAAA,eAAA,GAAkB,QAAQ,WAAA,CAAY,KAAA;AAAA,MACpC,SAAA;AAAA,MACA,CAAC,WAAW,OAAO,CAAA;AAAA,MACnB,CAAC,OAAO,IAAI;AAAA,KACd;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,kBAAkB,eAAA,EAAiB;AAC7C,IAAA,OAAA,CAAQ,cA
AA,CAAe,mBAAA,CAAoB,MAAA,EAAQ,eAAe,CAAA;AAAA,EACpE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAA,GAAa,MAAM,YAAA,CAAa,MAAM,CAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AAGvC,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,OAAA,CAAQ,WAAA,CAAY,UAAA,CAAW,MAAA,CAAO,IAAI,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,SAAA;AAAA,MACR,OAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,IAAA,OAAO,UAAA;AAAA,EACT,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,OAAA;AAAA,MACR,OAAA;AAAA,MACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GACpB,IAAI,kBAAkB,MAAA,CAAO,IAAA,EAAM,KAAA,CAAM,OAAO,CAAA,GAChD,IAAI,iBAAA,CAAkB,MAAA,CAAO,MAAM,wBAAwB,CAAA;AAAA,MAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,IAAA,MAAM,KAAA;AAAA,EACR;AACF;;;ACtMA,IAAM,eAAA,GAA4C;AAAA,EAChD,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO;AACT,CAAA;AAMO,IAAM,iBAAN,MAAqB;AAAA,EACT,QAAA;AAAA,EACA,OAAA;AAAA,EAEjB,YAAY,OAAA,EAAgD;AAC1D,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,KAAA;AACxB,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,OAAA;AAAA,EACzB;AAAA,EAEA,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AAEnB,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,IAAA,EAAM,mBAAA;AAAA,MACN,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,QAAA,EAAU,OAAO,OAAA,CAAQ,QAAA;AAAA,MACzB,UAAA,EAAY,OAAO,OAAA,CAAQ,kBAAA;AAAA,MAC3B,UAAA,EAAY,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,UAAA;AAAA,MACnC,SAAA,EAAW,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,SAAA;AAAA,MAClC,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,GAAI,MAAA,CAAO,MAAA,KAAW,aAAa,EAAE,UAAA,EAAY,OAAO,UAAA,EAAW;AAAA,MACnE,GAAI,OAAO,MAAA,KAAW,QAAA,IAAY,EAAE,MAAA,EAAQ,MAAA,CAAO,SAAS,MAAA,EAAO;AAAA,MACnE,GAAI,OAAO,MAAA,KAAW,OAAA,IAAW,EAAE,KAAA,EAAO,MAAA,CAAO,MAAM,IAAA;AAAK,KAC9D;AAEA,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,QAAA,IAAY,MAAA,CAAO,WAAW,OAAA,EAAS;AAC3D,MAAA,IAAA,CAAK,GAAA,CAAI,QAAQ,KAAK,CAAA;AAAA,IACxB,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,GAAA,CAAI,QAAQ,KA
AK,CAAA;AAAA,IACxB;AAAA,EACF;AAAA,EAEQ,GAAA,CAAI,OAAiB,IAAA,EAAqC;AAChE,IAAA,IAAI,gBAAgB,KAAK,CAAA,GAAI,eAAA,CAAgB,IAAA,CAAK,QAAQ,CAAA,EAAG;AAE7D,IAAA,MAAM,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,GAAG,MAAM,CAAA;AAChD,IAAA,QAAQ,KAAA;AAAO,MACb,KAAK,OAAA;AACH,QAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACrC,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACpC,QAAA;AAAA,MACF,KAAK,OAAA;AACH,QAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACrC,QAAA;AAAA,MACF;AACE,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AAAA;AACxC,EACF;AACF;AC3CO,IAAM,cAAN,MAAkB;AAAA,EACN,MAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAAY;AAAA,EAC7B,aAAA,uBAAoB,GAAA,EAAY;AAAA,EAEjD,YAAY,MAAA,EAAqB;AAC/B,IAAA,IAAI,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,iBAAA,EAAmB;AAC5C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,iCAAiC,iBAAiB,CAAA,WAAA;AAAA,OACpD;AAAA,IACF;AACA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AACrB,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,yBAAA;AACvC,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,CACE,WACA,WAAA,EACA,SAAA,EACA,cAAiC,CAAC,GAAG,GACrC,SAAA,EACQ;AACR,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,MAAMC,UAAAA,EAAW;AAEvB,IAAA,MAAM,OAAA,GAA2B;AAAA,MAC/B,GAAA;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,GAAA,EAAK,SAAA;AAAA,MACL,GAAA,EAAK,GAAA;AAAA,MACL,GAAA,EAAK,MAAM,IAAA,CAAK,UAAA;AAAA,MAChB,WAAA,EAAa,CAAC,GAAG,WAAW,CAAA;AAAA,MAC5B,SAAA,EAAW,CAAC,GAAG,SAAS,CAAA;AAAA,MACxB,WAAA,EAAa,CAAC,GAAG,WAAW,CAAA;AAAA,MAC5B,GAAI,SAAA,IAAa,EAAE,WAAW,CAAC,GAAG,SAAS,CAAA;AAAE,KAC/C;AAEA,IAAA,OAAO,IAAA,CAAK,KAAK,OAAO,CAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,KAAA,EAAwC;AAE7C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,cAAA,CAAe,KAAK,CAAA;AACxC,IAAA,IAAI,CAAC,MAAA,CAAO,KAAA,IAAS,CAAC,OAAO,OAAA,EAAS;AACpC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,OAAA;AAGvB,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,IAAI,OAAA,CAAQ,OAAO,GAAA,EAAK;AACtB,M
AAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,eAAA,EAAgB;AAAA,IACjD;AAGA,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,EAAG;AACvC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,wBAAA,EAAyB;AAAA,IAC1D;AAGA,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,EAAG;AACpC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,sCAAA,EAAuC;AAAA,IACxE;AAGA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAE/B,IAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,OAAA,EAAQ;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,GAAA,EAAmB;AACxB,IAAA,IAAA,CAAK,aAAA,CAAc,IAAI,GAAG,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,GAAA,EAAsB;AAC9B,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,GAAG,CAAA;AAAA,EACnC;AAAA;AAAA,EAIQ,KAAK,OAAA,EAAkC;AAC7C,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,EAAE,KAAK,eAAA,EAAiB,GAAA,EAAK,KAAA,EAAO,CAAC,CAAA;AACnF,IAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AACpD,IAAA,MAAM,YAAY,IAAA,CAAK,gBAAA,CAAiB,GAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAC3D,IAAA,OAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,IAAI,SAAS,CAAA,CAAA;AAAA,EACvC;AAAA,EAEQ,eAAe,KAAA,EAAwC;AAC7D,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,sBAAA,EAAuB;AAAA,IACxD;AAEA,IAAA,MAAM,CAAC,MAAA,EAAQ,IAAA,EAAM,SAAS,CAAA,GAAI,KAAA;AAClC,IAAA,MAAM,oBAAoB,IAAA,CAAK,gBAAA,CAAiB,GAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAEnE,IAAA,IAAI,cAAc,iBAAA,EAAmB;AACnC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,yBAAA,EAA0B;AAAA,IAC3D;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,IAAI,CAAC,CAAA;AAChD,MAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,OAAA,EAAQ;AAAA,IAChC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,IACzD;AAAA,EACF;AAAA,EAEQ,iBAAiB,IAAA,EAAsB;AAC7C,IAAA,OAAO,eAAA;AAAA,MACL,UAAA,CAAW,UAAU,IAAA,CAAK,MAAM,EAAE,MAAA,CAAO,IAAI,CAAA,CAAE,MAAA,CAAO,QAAQ;AAAA,KAChE;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,GAAA,EAAqB;AAC5C,EAAA,OAAO,OAAO,IAAA,CAAK,GAAG,CAAA,CACnB,QA
AA,CAAS,QAAQ,CAAA,CACjB,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB;AAEA,SAAS,gBAAgB,GAAA,EAAqB;AAC5C,EAAA,MAAM,MAAA,GAAS,MAAM,GAAA,CAAI,MAAA,CAAA,CAAQ,IAAK,GAAA,CAAI,MAAA,GAAS,KAAM,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,EAAG,QAAQ,EAAE,QAAA,EAAS;AACtF;ACpIO,IAAM,iBAAN,MAAqB;AAAA,EACT,aAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAAY;AAAA,EAE9C,YAAY,MAAA,EAGT;AACD,IAAA,IAAI,MAAA,CAAO,aAAA,CAAc,MAAA,GAAS,EAAA,EAAI;AACpC,MAAA,MAAM,IAAI,MAAM,+CAA+C,CAAA;AAAA,IACjE;AACA,IAAA,IAAA,CAAK,gBAAgB,MAAA,CAAO,aAAA;AAC5B,IAAA,IAAA,CAAK,QAAA,GAAW,OAAO,QAAA,IAAY,GAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,CAAY,QAA2B,eAAA,EAAiC;AACtE,IAAA,MAAM,OAAO,IAAA,CAAK,SAAA,CAAU,EAAE,MAAA,EAAQ,iBAAiB,CAAA;AACvD,IAAA,OAAOC,UAAAA,CAAW,UAAU,IAAA,CAAK,aAAa,EAC3C,MAAA,CAAO,IAAI,CAAA,CACX,MAAA,CAAO,KAAK,CAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAA,CACE,MAAA,EACA,eAAA,EACA,SAAA,EACS;AACT,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,WAAA,CAAY,MAAA,EAAQ,eAAe,CAAA;AAEzD,IAAA,IAAI,QAAA,CAAS,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,KAAA;AACjD,IAAA,IAAI,MAAA,GAAS,CAAA;AACb,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,QAAQ,CAAA,EAAA,EAAK;AACxC,MAAA,MAAA,IAAU,SAAS,UAAA,CAAW,CAAC,CAAA,GAAI,SAAA,CAAU,WAAW,CAAC,CAAA;AAAA,IAC3D;AACA,IAAA,OAAO,MAAA,KAAW,CAAA;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,CACE,QACA,eAAA,EACkB;AAClB,IAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AACzC,IAAA,MAAM,QAAQD,UAAAA,EAAW;AACzB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,WAAA,CAAY,MAAA,EAAQ,eAAe,CAAA;AAE1D,IAAA,OAAO;AAAA,MACL,MAAA;AAAA,MACA,eAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB,OAAA,EAAsD;AAE1E,IAAA,MAAM,cAAc,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ;AACxD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IACrD;AACA,IAAA,IAAI,GAAA,GAAM,WAAA,GAAc,IAAA,CAAK
,QAAA,EAAU;AACrC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,iBAAA,EAAkB;AAAA,IACnD;AACA,IAAA,IAAI,WAAA,GAAc,MAAM,GAAA,EAAQ;AAC9B,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,iCAAA,EAAkC;AAAA,IACnE;AAGA,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,KAAK,CAAA,EAAG;AACtC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mCAAA,EAAoC;AAAA,IACrE;AAGA,IAAA,IAAI,CAAC,KAAK,eAAA,CAAgB,OAAA,CAAQ,QAAQ,OAAA,CAAQ,eAAA,EAAiB,OAAA,CAAQ,SAAS,CAAA,EAAG;AACrF,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IACrD;AAGA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,KAAK,CAAA;AAEjC,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AACF;;;ACxGO,IAAM,cAAN,MAAkB;AAAA,EACN,QAAA;AAAA,EACA,OAAA,uBAAc,GAAA,EAA0B;AAAA,EACjD,gBAA8B,EAAC;AAAA,EAEvC,YAAY,OAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,QAAA,GAAW,SAAS,QAAA,IAAY,oBAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,CACE,UACA,cAAA,EACiB;AACjB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAE/B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,gBAAA,CAAiB,QAAA,EAAU,WAAW,CAAA;AAC3D,IAAA,MAAM,QAAQ,OAAA,CAAQ,MAAA;AACtB,IAAA,MAAM,UAAU,KAAA,GAAQ,cAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,iBAAiB,KAAK,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS,CAAA,GAC7B,OAAA,CAAQ,CAAC,CAAA,CAAG,SAAA,GAAY,IAAA,CAAK,QAAA,GAC7B,GAAA,GAAM,IAAA,CAAK,QAAA;AAEf,IAAA,OAAO,EAAE,OAAA,EAAS,SAAA,EAAW,OAAA,EAAQ;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,cAAA,EAAyC;AACxD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAE/B,IAAA,IAAA,CAAK,aAAA,GAAgB,KAAK,aAAA,CAAc,MAAA;AAAA,MACtC,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,GAAY;AAAA,KACvB;AACA,IAAA,MAAM,KAAA,GAAQ,KAAK,aAAA,CAAc,MAAA;AACjC,IAAA,MAAM,UAAU,KAAA,GAAQ,cAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,iBAAiB,KAAK,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,MAAA,GAAS,CAAA,GACxC,IAAA,CAAK,aAAA,CAAc,CAAC,CAAA,CAAG,SAAA,GAAY,IAAA,CAAK,QAAA,GACxC,MAAM,IAAA,CAAK,QAAA;AAEf,IAAA,OAAO,EAAE,OAAA,EAAS,SAAA,EAAW,OAAA,EAAQ;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAA
A,EAOA,cAAA,CACE,QAAA,EACA,cAAA,EACA,WAAA,EACiB;AAEjB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,QAAA,EAAU,cAAc,CAAA;AACvD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,IAAI,gBAAgB,MAAA,EAAW;AAC7B,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,gBAAA,CAAiB,WAAW,CAAA;AACtD,MAAA,IAAI,CAAC,aAAa,OAAA,EAAS;AACzB,QAAA,OAAO,YAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,WAAW,QAAQ,CAAA;AACxB,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,WAAW,QAAA,EAAwB;AACjC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,MAAA,GAAqB,EAAE,SAAA,EAAW,GAAA,EAAI;AAG5C,IAAA,MAAM,UAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAQ,KAAK,EAAC;AAC/C,IAAA,OAAA,CAAQ,KAAK,MAAM,CAAA;AAGnB,IAAA,IAAI,OAAA,CAAQ,SAAS,sBAAA,EAAwB;AAC3C,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,MAAA,MAAM,UAAU,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,WAAW,CAAA;AAC/D,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,OAAO,CAAA;AAAA,IACpC,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,OAAO,CAAA;AAAA,IACpC;AAGA,IAAA,IAAA,CAAK,aAAA,CAAc,KAAK,MAAM,CAAA;AAC9B,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,MAAA,GAAS,sBAAA,EAAwB;AACtD,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,MAAA,IAAA,CAAK,aAAA,GAAgB,KAAK,aAAA,CAAc,MAAA;AAAA,QACtC,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,GAAY;AAAA,OACvB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,QAAA,EAA0D;AACjE,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,gBAAA,CAAiB,QAAA,EAAU,WAAW,CAAA;AAC3D,IAAA,OAAO,EAAE,KAAA,EAAO,OAAA,CAAQ,MAAA,EAAQ,WAAA,EAAY;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,QAAA,EAAwB;AAChC,IAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,QAAQ,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA,GAAiB;AACf,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AACnB,IAAA,IAAA,CAAK,gBAAgB,EAAC;AAAA,EACxB;AAAA,EAEQ,gBAAA,CACN,UACA,WAAA,EACc;AACd,IAAA,MAAM,UAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAQ,KAAK,EAAC;AAC/C,IAAA,MAAM,SAAS,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,WAAW,CAAA;AAG9D,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,OAAA,CAAQ,MAAA,EAAQ;AACpC,MAAA,IAAA,CAAK,OAAA
,CAAQ,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAAA,IACnC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AACF;;;ACjKO,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA,EACtC,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA;AAAA,MACE,GAAG,OAAO;AAAA;AAAA,8DAAA;AAAA,KAGZ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AAAA,EACd;AACF;AAwBO,IAAM,YAAN,MAAgB;AAAA,EACJ,YAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,MAAA;AAAA,EACT,gBAAA,GAAmB,KAAA;AAAA,EAE3B,YAAY,OAAA,EAMT;AAED,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,IAAI,iBAAA,IAAqB,EAAA;AAClE,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,aAAa,wCAAwC,CAAA;AAAA,IACjE;AACA,IAAA,IAAI,CAAC,OAAO,UAAA,CAAW,UAAU,KAAK,CAAC,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACpE,MAAA,MAAM,IAAI,YAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,MAAM,EAAE,MAAA,EAAQ,QAAA,EAAS,GAAI,aAAA,CAAc,QAAQ,MAAM,CAAA;AACzD,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,cAAA,GAAiB,QAAA;AAEtB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,cAAA,CAAe;AAAA,MAC/B,OAAO,MAAA,CAAO,QAAA;AAAA,MACd,SAAS,MAAA,CAAO;AAAA,KACjB,CAAA;AAED,IAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,qBAAA,EAAwB,OAAO,CAAA,CAAE,CAAA;AAAA,IAChD;AAGA,IAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,uBAAA,GAA0B,IAAI,aAAY,GAAI,MAAA;AACnE,IAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa;AAAA,MACnC,SAAA,EAAW,OAAA,CAAQ,SAAA,IAAa,MAAA,CAAO,SAAA;AAAA,MACvC,WAAW,MAAA,CAAO,mBAAA;AAAA,MAClB;AAAA,KACD,CAAA;AAGD,IAAA,IAAI,CAAC,QAAQ,SAAA,IAAa,CAAC,OAAO,SAAA,IAAa,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AAC5E,MAAA,IAAA,CAAK,oBAAA,EAAqB;AAAA,IAC5B;AAGA,IAAA,IAAA,CAAK,WAAA,GAAc,MAAA,CAAO,WAAA,GACtB,IAAI,WAAA,CAAY;AAAA,MACd,QAAQ,MAAA,CAAO,WAAA;AAAA,MACf,YAAY,MAAA,CAAO,eAAA;AAAA,MACnB,SAAA,EAAW,eAAA;AAAA,MACX,MAAA,EAAQ,MAAA,CAAO,WAAA,IAAe,OAAA,CAAQ;AAAA,KACvC,CAAA,GACD,IAAA;AAGJ,IAAA,IAAA,CAAK,cAAA,GAAiB,MAAA,CAAO,aAAA,GACzB,IAAI,cAAA,CAAe,EAAE,aAAA,EAAe,MAAA,CAAO,aAAA,EAAe,CAAA,GAC1D,IAAA;AAGJ,IAAA,IAAA,CAAK,WAAA,GAAc,IAAI,WAAA,EAAY;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,eAAA,GAAiC;AAC7C,IAAA,IAAI,KAAK,gBAA
A,EAAkB;AAG3B,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACtC,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AACxB,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,eAAA,CAAA,EAAmB;AAAA,QAClD,OAAA,EAAS;AAAA,UACP,aAAa,IAAA,CAAK,MAAA;AAAA,UAClB,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,SACxC;AAAA,QACA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,OACnC,CAAA;AAED,MAAA,IAAI,GAAA,CAAI,WAAW,GAAA,EAAK;AACtB,QAAA,MAAM,IAAI,aAAa,6BAA6B,CAAA;AAAA,MACtD;AACA,MAAA,IAAI,GAAA,CAAI,WAAW,GAAA,EAAK;AACtB,QAAA,MAAM,IAAI,aAAa,+DAA+D,CAAA;AAAA,MACxF;AAEA,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AAAA,IAC1B,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAA,GAA6B;AACnC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,wBAAA,CAAA,EAA4B;AAAA,MACzC,SAAS,EAAE,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA,EAAG;AAAA,MACpD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,KACnC,CAAA,CACE,IAAA,CAAK,OAAO,GAAA,KAAQ;AACnB,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACb,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,MAAA,MAAM,SAAA,GAAuB;AAAA,QAC3B,EAAA,EAAI,MAAA,CAAO,IAAA,CAAK,EAAA,IAAM,OAAO,CAAA;AAAA,QAC7B,IAAA,EAAM,MAAA,CAAO,IAAA,CAAK,IAAA,IAAQ,cAAc,CAAA;AAAA,QACxC,WAAA,EAAa,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,QAC1C,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,CAAC,CAAA;AAAA,QAClC,KAAA,EAAQ,IAAA,CAAK,KAAA,IAAgC,EAAC;AAAA,QAC9C,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,QACxC,SAAA,EAAW;AAAA,OACb;AACA,MAAA,IAAA,CAAK,YAAA,CAAa,cAAc,SAAS,CAAA;AACzC,MAAA,OAAA,CAAQ,IAAA,CAAK,oCAAoC,SAAA,CAAU,IAAI,KAAK,SAAA,CAAU,KAAA,CAAM,MAAM,CAAA,OAAA,CAAS,CAAA;AAAA,IACrG,CAAC,CAAA,CACA,KAAA,CAAM,MAAM;AAAA,IAEb,CAAC,CAAA;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,KAAA,EAOZ;AACP,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,
MAAA,IAAU,2BAAA;AACrC,IAAA,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,kBAAA,CAAA,EAAsB;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,QACtC,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK;AAAA,KAC3B,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAA,CACJ,MAAA,EACA,YAAA,EAC4B;AAE5B,IAAA,MAAM,KAAK,eAAA,EAAgB;AAE3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,OAAO,iBAAA,CAAkB,QAAQ,YAAA,EAAc;AAAA,MAC7C,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,eAAA,EAAiB,KAAK,MAAA,CAAO,eAAA;AAAA,MAC7B,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,MAC3B,UAAA,EAAY,CAAC,MAAA,KAAW;AACtB,QAAA,IAAA,CAAK,MAAA,CAAO,YAAY,MAAM,CAAA;AAC9B,QAAA,IAAI,MAAA,CAAO,MAAA,KAAW,SAAA,IAAa,MAAA,CAAO,WAAW,QAAA,EAAU;AAC7D,UAAA,IAAA,CAAK,YAAA,CAAa;AAAA,YAChB,MAAM,MAAA,CAAO,IAAA;AAAA,YACb,SAAA,EAAY,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,YACjC,QAAA,EAAU,MAAA,CAAO,QAAA,CAAS,MAAA,KAAW,UAAU,OAAA,GAAU,MAAA;AAAA,YACzD,MAAA,EAAQ,OAAO,QAAA,CAAS,MAAA;AAAA,YACxB,WAAA,EAAa,MAAA,CAAO,QAAA,CAAS,WAAA,EAAa,EAAA;AAAA,YAC1C,gBAAA,EAAkB,WAAA,CAAY,GAAA,EAAI,GAAI;AAAA,WACvC,CAAA;AAAA,QACH,CAAA,MAAA,IAAW,MAAA,CAAO,MAAA,KAAW,OAAA,EAAS;AACpC,UAAA,IAAA,CAAK,YAAA,CAAa;AAAA,YAChB,MAAM,MAAA,CAAO,IAAA;AAAA,YACb,SAAA,EAAY,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,YACjC,QAAA,EAAU,MAAA;AAAA,YACV,MAAA,EAAQ,OAAO,KAAA,CAAM,OAAA;AAAA,YACrB,gBAAA,EAAkB,WAAA,CAAY,GAAA,EAAI,GAAI;AAAA,WACvC,CAAA;AAAA,QACH;AAAA,MACF,CAAA;AAAA,MACA,WAAA,EAAa,KAAK,WAAA,IAAe,MAAA;AAAA,MACjC,cAAA,EAAgB,KAAK,cAAA,IAAkB,MAAA;AAAA,MACvC,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,gBAAA,EAAkB,KAAK,MAAA,CAAO,gBAAA;AAAA,MAC9B,gBAAA,EAAkB,KAAK,MAAA,CAAO,gBAAA;AAAA,MAC9B,wBAAA,EAA0B,KAAK,MAAA,CAAO;AAAA,KACvC,CAAA;AAAA,EACH;AAAA;AAAA,EAGA,UAAA,CACE,WACA,OAAA,EACA;AACA,IAAA,OAAO,IAAA,CAAK,YAAA,CAAa,aAAA,CAAc,SAAA,EAAW,OAAO,CAAA;AAAA,EAC3D;AAAA;AAAA,EAGA,WAAA,GAAiC;AAC/B,IAAA,OAAO;AAAA,MACL,GAAG,IAAA,CAAK,cAAA;AAAA,MACR,GAAG,IAAA,CAAK,YAAA,CAAa,mBAAA,GAAsB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAA,EAAI,CAAA,CAAE,KAAK,CAAA,EAA
A,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,KACnF;AAAA,EACF;AAAA;AAAA,EAGA,eAAA,GAAgC;AAC9B,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA;AAAA,EAGA,cAAA,GAA8B;AAC5B,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AAAA;AAAA,EAGA,cAAA,GAAqC;AACnC,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AACF;ACtPO,IAAM,eAAA,GAAN,cAA8B,SAAA,CAAU;AAAA,EAC5B,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASjB,WAAA,CACE,UAAA,EACA,gBAAA,EACA,UAAA,EACA;AACA,IAAA,KAAA,CAAM,YAAY,UAAU,CAAA;AAE5B,IAAA,IAAA,CAAK,IAAA,GAAO,IAAI,SAAA,CAAU;AAAA,MACxB,MAAM,UAAA,CAAW,IAAA;AAAA,MACjB,SAAS,UAAA,CAAW,OAAA;AAAA,MACpB,QAAQ,gBAAA,EAAkB,MAAA;AAAA,MAC1B,WAAW,gBAAA,EAAkB,SAAA;AAAA,MAC7B,QAAQ,gBAAA,EAAkB;AAAA,KAC3B,CAAA;AAED,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,WAAA,EAAY;AACvC,IAAA,KAAA,MAAW,KAAK,QAAA,EAAU;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,CAAC,CAAA,CAAE,CAAA;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASS,IAAA,CAAK,SAAiB,IAAA,EAAgD;AAC7E,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,IAAA,CAAK,MAAA,GAAS,CAAC,CAAA;AACpC,IAAA,IAAI,OAAO,YAAY,UAAA,EAAY;AAEjC,MAAA,OAAQ,MAAM,IAAA,CAAkB,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,GAAG,IAAI,CAAA;AAAA,IAC1D;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA;AACjB,IAAA,MAAM,OAAO,IAAA,CAAK,IAAA;AAElB,IAAA,IAAA,CAAK,IAAA,CAAK,MAAA,GAAS,CAAC,CAAA,GAAI,UAAU,QAAA,KAAwB;AAIxD,MAAA,MAAM,WACJ,QAAA,CAAS,MAAA,GAAS,CAAA,IAClB,OAAO,SAAS,CAAC,CAAA,KAAM,QAAA,IACvB,QAAA,CAAS,CAAC,CAAA,KAAM,IAAA,GACX,QAAA,CAAS,CAAC,IACX,EAAC;AAEP,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA;AAAA,QACxB,EAAE,IAAA,EAAM,QAAA,EAAU,SAAA,EAAW,QAAA,EAAS;AAAA,QACtC,YAAa,OAAA,CAAqB,GAAG,QAAQ;AAAA,OAC/C;AAGA,MAAA,OAAO,EAAE,GAAG,MAAA,EAAQ,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,IACnD,CAAA;AAEA,IAAA,OAAQ,MAAM,IAAA,CAAkB,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,GAAG,IAAI,CAAA;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOS,YAAA,CACP,IAAA,EACA,MAAA,EACA,EAAA,EACuC;AACvC,IAAA,IAAI,OAAO,OAAO,UAAA,EAAY;AAC5B,MAAA,OAAQ,MAAM,YAAA,CAA0B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,QAAQ,EAAE,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA;AACjB,IAAA,MAAM,OAAO,IAAA,CAAK,IAAA;AAElB,IAAA,MAAM,SAAA,GAA
Y,UAAU,QAAA,KAAwB;AAClD,MAAA,MAAM,WACJ,QAAA,CAAS,MAAA,GAAS,CAAA,IAClB,OAAO,SAAS,CAAC,CAAA,KAAM,QAAA,IACvB,QAAA,CAAS,CAAC,CAAA,KAAM,IAAA,GACX,QAAA,CAAS,CAAC,IACX,EAAC;AAEP,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA;AAAA,QACxB,EAAE,IAAA,EAAM,QAAA,EAAU,SAAA,EAAW,QAAA,EAAS;AAAA,QACtC,YAAa,EAAA,CAAgB,GAAG,QAAQ;AAAA,OAC1C;AAEA,MAAA,OAAO,EAAE,GAAG,MAAA,EAAQ,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,IACnD,CAAA;AAEA,IAAA,OAAQ,MAAM,YAAA,CAA0B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,QAAQ,SAAS,CAAA;AAAA,EAC5E;AAAA;AAAA,EAGA,YAAA,GAA0B;AACxB,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AACF;;;ACtIA,IAAM,eAAA,GAAkB,2BAAA;AACxB,IAAM,WAAA,GAAc,IAAA;AACpB,IAAM,WAAA,GAAc,OAAA;AA+Cb,IAAM,QAAA,GAAN,cAAuB,KAAA,CAAM;AAAA,EAClC,WAAA,CACE,OAAA,EACgB,UAAA,EACA,SAAA,EACA,OAAe,WAAA,EAC/B;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAJG,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,UAAA;AAAA,EACd;AACF;AAEO,IAAM,mBAAA,GAAN,cAAkC,QAAA,CAAS;AAAA,EAChD,WAAA,CAAY,UAAU,iBAAA,EAAmB;AACvC,IAAA,KAAA,CAAM,OAAA,EAAS,GAAA,EAAK,MAAA,EAAW,sBAAsB,CAAA;AACrD,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AAAA,EACd;AACF;AAEO,IAAME,eAAAA,GAAN,cAA6B,QAAA,CAAS;AAAA,EAC3C,WAAA,CACE,SACgB,UAAA,EAChB;AACA,IAAA,KAAA,CAAM,OAAA,EAAS,GAAA,EAAK,MAAA,EAAW,kBAAkB,CAAA;AAFjC,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AAAA,EACd;AACF;AAGA,IAAM,mBAAN,MAAuB;AAAA,EACrB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,GAAA,CAAI,QAAA,GAAW,SAAA,EAAW,OAAA,EAAsC;AACpE,IAAA,MAAM,MAAA,GAAS,OAAA,GAAU,CAAA,SAAA,EAAY,OAAO,CAAA,CAAA,GAAK,EAAA;AACjD,IAAA,OAAO,IAAA,CAAK,OAAO,OAAA,CAAQ,KAAA,EAAO,aAAa,QAAQ,CAAA,EAAG,MAAM,CAAA,CAAE,CAAA;AAAA,EACpE;AAAA,EAEA,MAAM,IAAA,GAAoF;AACxF,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,WAAW,CAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,OAAO,MAAA,EAAuC;AAClD,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ,aAAa,MAAM,CAAA;AAAA,EACxD;AAAA,EAEA,MAAM,MAAA,CAAO,QAAA,EAAkB,MAAA,EAAuC;AACpE,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,
CAAA,UAAA,EAAa,QAAQ,IAAI,MAAM,CAAA;AAAA,EACnE;AACF,CAAA;AAEA,IAAM,iBAAN,MAAqB;AAAA,EACnB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,MAAA,CAAO,IAAA,EAAc,KAAA,EAAgB,aAAa,EAAA,EAA0B;AAChF,IAAA,MAAM,WAAW,MAAM,IAAA,CAAK,MAAA,CAAO,OAAA,CAMhC,QAAQ,SAAA,EAAW;AAAA,MACpB,IAAA;AAAA,MACA,KAAA,EAAO,KAAA,IAAS,CAAA,QAAA,EAAW,IAAI,CAAA,CAAA;AAAA,MAC/B,WAAA,EAAa;AAAA,KACd,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,MAAM,QAAA,CAAS,IAAA;AAAA,MACf,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,OAAO,QAAA,CAAS;AAAA,KAClB;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,KAAA,EAA2F;AACtG,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAQ,gBAAA,EAAkB,EAAE,OAAO,CAAA;AAAA,EAChE;AACF,CAAA;AAEA,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,IAAA,GAAmC;AACvC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,QAAQ,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAM,IAAI,IAAA,EAA6B;AACrC,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,CAAA,OAAA,EAAU,IAAI,CAAA,CAAE,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,SACJ,IAAA,EACA,WAAA,EACA,aACA,WAAA,GAAwB,CAAC,MAAM,CAAA,EAChB;AACf,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ,QAAA,EAAU;AAAA,MAC3C,IAAA;AAAA,MACA,WAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,MAAA,CAAO,IAAA,EAAc,IAAA,EAAoC;AAC7D,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,OAAA,EAAU,IAAI,IAAI,IAAI,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,OAAO,IAAA,EAA6C;AACxD,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAA,EAAU,CAAA,OAAA,EAAU,IAAI,CAAA,CAAE,CAAA;AAAA,EACvD;AACF,CAAA;AAGO,IAAM,eAAN,MAAmB;AAAA,EACP,MAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EAED,QAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EAEhB,YAAY,MAAA,EAA4B;AAEtC,IAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,MAAA,MAAA,GAAS,EAAE,QAAQ,MAAA,EAAO;AAAA,IAC5B;AAGA,IAAA,IAAA,CAAK,MAAA,GAAS,OAAO,MAAA,KAAW,OAAO,YAAY,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,iBAAA,GAAoB,EAAA,CAAA,IAAO,EAAA;AAExG,IAAA,IAAI,CAAC,KAAK,MAAA,EAAQ;AAChB,MAAA,MAAM,IAAI,mBAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AA
GA,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,IAAK,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AAC9E,MAAA,MAAM,IAAI,mBAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,MAAA,GAAS,OAAO,MAAA,IAAU,eAAA;AAC/B,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,GAAA;AACjC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,CAAA;AAGvC,IAAA,IAAA,CAAK,QAAA,GAAW,IAAI,gBAAA,CAAiB,IAAI,CAAA;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,cAAA,CAAe,IAAI,CAAA;AACrC,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,aAAA,CAAc,IAAI,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,CAAW,MAAA,EAAgB,IAAA,EAAc,IAAA,EAA4B;AACzE,IAAA,MAAM,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,KAAA,EAAQ,WAAW,GAAG,IAAI,CAAA,CAAA;AACpD,IAAA,IAAI,SAAA;AAEJ,IAAA,KAAA,IAAS,OAAA,GAAU,CAAA,EAAG,OAAA,GAAU,IAAA,CAAK,YAAY,OAAA,EAAA,EAAW;AAC1D,MAAA,IAAI;AACF,QAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,QAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,UAChC,MAAA;AAAA,UACA,OAAA,EAAS;AAAA,YACP,aAAa,IAAA,CAAK,MAAA;AAAA,YAClB,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,YACtC,cAAA,EAAgB,kBAAA;AAAA,YAChB,YAAA,EAAc,gBAAgB,WAAW,CAAA;AAAA,WAC3C;AAAA,UACA,IAAA,EAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA,GAAI,KAAA,CAAA;AAAA,UACpC,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC3B,UAAA,MAAM,aAAa,QAAA,CAAS,QAAA,CAAS,QAAQ,GAAA,CAAI,aAAa,KAAK,GAAG,CAAA;AACtE,UAAA,MAAM,IAAI,QAAQ,CAAC,OAAA,KAAY,WAAW,OAAA,EAAS,UAAA,GAAa,GAAI,CAAC,CAAA;AACrE,UAAA;AAAA,QACF;AAEA,QAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC3B,UAAA,MAAM,IAAI,oBAAoB,iBAAiB,CAAA;AAAA,QACjD;AAEA,QAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,UAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,UAAA,MAAM,IAAI,QAAA;AAAA,YACR,SAAA,CAAU,OAAO,OAAA,IAAW,eAAA;AAAA,YAC5B,QAAA,CAAS,MAAA;AAAA,YACT,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,KAAA;AAAA,WAC1C;AAAA,QACF;AAEA,QAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,MAC9B,SAAS,KAAA,EAAO;AACd,QAAA,IAAI,KAAA,YAAiB,QAAA,IAAY,KAAA,Y
AAiB,mBAAA,EAAqB;AACrE,UAAA,MAAM,KAAA;AAAA,QACR;AACA,QAAA,SAAA,GAAY,KAAA;AAAA,MACd;AAAA,IACF;AAEA,IAAA,MAAM,IAAI,QAAA,CAAS,SAAA,EAAW,OAAA,IAAW,gBAAgB,CAAA;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAA,CACJ,IAAA,EACA,IAAA,EACA,OAAA,GAGI,EAAC,EACsB;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAElC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAWzB,QAAQ,WAAA,EAAa;AAAA,MACtB,IAAA;AAAA,MACA,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,OAAA,CAAQ,UAAA,IAAc,UAAA,CAAW,QAAA;AAAA,MAC9C,aAAA,EAAe,QAAQ,YAAA,KAAiB;AAAA,KACzC,CAAA;AAED,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AAEtC,IAAA,OAAO;AAAA,MACL,SAAS,QAAA,CAAS,OAAA;AAAA,MAClB,IAAA;AAAA,MACA,QAAA,EAAU,SAAS,QAAA,GACf;AAAA,QACE,MAAA,EAAQ,SAAS,QAAA,CAAS,MAAA;AAAA,QAC1B,WAAA,EAAa,SAAS,QAAA,CAAS,YAAA;AAAA,QAC/B,MAAA,EAAQ,SAAS,QAAA,CAAS,MAAA;AAAA,QAC1B,SAAA,EAAW,SAAS,QAAA,CAAS,YAAA;AAAA,QAC7B,gBAAA,EAAkB;AAAA,OACpB,GACA,MAAA;AAAA,MACJ,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,gBAAgB,QAAA,CAAS,gBAAA;AAAA,MACzB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA;AAAA,EAC1C;AACF","file":"index.js","sourcesContent":["/**\n * Base error class for all SolonGate security errors.\n * Every error includes a machine-readable code for programmatic handling.\n */\nexport class SolonGateError extends Error {\n public readonly code: string;\n public readonly timestamp: string;\n public readonly details: Record<string, unknown>;\n\n constructor(\n message: string,\n code: string,\n details: Record<string, unknown> = {},\n ) {\n super(message);\n this.name = 'SolonGateError';\n this.code = code;\n this.timestamp = new Date().toISOString();\n this.details = Object.freeze({ ...details });\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n /**\n * Serializable representation for logging and API responses.\n * Never includes stack 
traces (information leakage prevention).\n */\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n timestamp: this.timestamp,\n details: this.details,\n };\n }\n}\n\n/** Thrown when a tool call is denied by policy. */\nexport class PolicyDeniedError extends SolonGateError {\n constructor(\n toolName: string,\n reason: string,\n details: Record<string, unknown> = {},\n ) {\n super(\n `Policy denied execution of tool \"${toolName}\": ${reason}`,\n 'POLICY_DENIED',\n { toolName, reason, ...details },\n );\n this.name = 'PolicyDeniedError';\n }\n}\n\n/** Thrown when a trust level escalation is attempted illegally. */\nexport class TrustEscalationError extends SolonGateError {\n constructor(message: string) {\n super(message, 'TRUST_ESCALATION');\n this.name = 'TrustEscalationError';\n }\n}\n\n/** Thrown when tool input fails schema validation. */\nexport class SchemaValidationError extends SolonGateError {\n constructor(\n toolName: string,\n validationErrors: readonly string[],\n ) {\n super(\n `Schema validation failed for tool \"${toolName}\": ${validationErrors.join('; ')}`,\n 'SCHEMA_VALIDATION_FAILED',\n { toolName, validationErrors },\n );\n this.name = 'SchemaValidationError';\n }\n}\n\n/** Thrown when a tool exceeds its rate limit. */\nexport class RateLimitError extends SolonGateError {\n constructor(toolName: string, limitPerMinute: number) {\n super(\n `Rate limit exceeded for tool \"${toolName}\": max ${limitPerMinute}/min`,\n 'RATE_LIMIT_EXCEEDED',\n { toolName, limitPerMinute },\n );\n this.name = 'RateLimitError';\n }\n}\n\n/** Thrown when a tool is not found in the registry. 
*/\nexport class ToolNotFoundError extends SolonGateError {\n constructor(toolName: string, serverName: string) {\n super(\n `Tool \"${toolName}\" not found on server \"${serverName}\"`,\n 'TOOL_NOT_FOUND',\n { toolName, serverName },\n );\n this.name = 'ToolNotFoundError';\n }\n}\n\n/** Thrown when an unsafe configuration is detected. */\nexport class UnsafeConfigurationError extends SolonGateError {\n constructor(message: string, field: string) {\n super(\n `Unsafe configuration detected: ${message}`,\n 'UNSAFE_CONFIGURATION',\n { field },\n );\n this.name = 'UnsafeConfigurationError';\n }\n}\n\n/** Thrown when input guard detects dangerous patterns. */\nexport class InputGuardError extends SolonGateError {\n constructor(\n toolName: string,\n threats: readonly { type: string; field: string; description: string }[],\n ) {\n super(\n `Input guard blocked tool \"${toolName}\": ${threats.map(t => t.description).join('; ')}`,\n 'INPUT_GUARD_BLOCKED',\n { toolName, threatCount: threats.length, threats },\n );\n this.name = 'InputGuardError';\n }\n}\n\n/** Thrown when a network operation fails (API calls, cloud sync, etc.). */\nexport class NetworkError extends SolonGateError {\n constructor(\n operation: string,\n statusCode?: number,\n details: Record<string, unknown> = {},\n ) {\n super(\n `Network error during ${operation}${statusCode ? ` (HTTP ${statusCode})` : ''}`,\n 'NETWORK_ERROR',\n { operation, statusCode, ...details },\n );\n this.name = 'NetworkError';\n }\n}\n","import { TrustEscalationError } from './errors.js';\n\n/**\n * Trust levels in the SolonGate security model.\n *\n * Core threat model principle: LLMs are UNTRUSTED by default.\n * Trust is never assumed - it must be explicitly granted and is\n * always scoped to specific capabilities.\n *\n * UNTRUSTED: Default for all LLM-originated requests. No permissions.\n * VERIFIED: Passed schema validation and policy evaluation. May execute within granted scope.\n * TRUSTED: System-internal only. 
NEVER assignable to LLM-originated requests.\n */\nexport const TrustLevel = {\n UNTRUSTED: 'UNTRUSTED',\n VERIFIED: 'VERIFIED',\n TRUSTED: 'TRUSTED',\n} as const;\n\nexport type TrustLevel = (typeof TrustLevel)[keyof typeof TrustLevel];\n\n/**\n * Validates that a trust level is a legitimate enum value.\n * Prevents type confusion attacks where a string bypasses checks.\n */\nexport function isValidTrustLevel(value: unknown): value is TrustLevel {\n return (\n typeof value === 'string' &&\n Object.values(TrustLevel).includes(value as TrustLevel)\n );\n}\n\n/**\n * Asserts that a trust level transition is valid.\n * UNTRUSTED -> VERIFIED (via policy evaluation) is the only escalation path.\n * TRUSTED is never reachable from external requests.\n */\nexport function assertValidTransition(\n from: TrustLevel,\n to: TrustLevel,\n): void {\n if (to === TrustLevel.TRUSTED) {\n throw new TrustEscalationError(\n 'Cannot escalate to TRUSTED level. TRUSTED is reserved for system-internal operations.',\n );\n }\n if (from === TrustLevel.VERIFIED && to === TrustLevel.UNTRUSTED) {\n return; // Downgrade is always allowed (fail-safe)\n }\n if (from === TrustLevel.UNTRUSTED && to === TrustLevel.VERIFIED) {\n return; // Normal escalation via policy evaluation\n }\n if (from === to) {\n return; // No-op\n }\n throw new TrustEscalationError(\n `Invalid trust transition from ${from} to ${to}`,\n );\n}\n","import { z } from 'zod';\n\n/**\n * Permission types are ALWAYS evaluated independently.\n * Having READ does NOT imply WRITE or EXECUTE.\n */\nexport const Permission = {\n READ: 'READ',\n WRITE: 'WRITE',\n EXECUTE: 'EXECUTE',\n} as const;\n\nexport type Permission = (typeof Permission)[keyof typeof Permission];\n\nexport const PermissionSchema = z.enum(['READ', 'WRITE', 'EXECUTE']);\n\n/** Immutable set of permissions granted to a specific scope. */\nexport type PermissionSet = ReadonlySet<Permission>;\n\n/** Creates an immutable permission set from an array. 
*/\nexport function createPermissionSet(\n permissions: Permission[],\n): PermissionSet {\n for (const p of permissions) {\n PermissionSchema.parse(p);\n }\n return new Set(permissions) as ReadonlySet<Permission>;\n}\n\n/** Empty permission set - the default for all new tools (default-deny). */\nexport const NO_PERMISSIONS: PermissionSet = Object.freeze(\n new Set<Permission>(),\n) as ReadonlySet<Permission>;\n\n/** Read-only permission set - the maximum default for new tools. */\nexport const READ_ONLY: PermissionSet = Object.freeze(\n new Set<Permission>([Permission.READ]),\n) as ReadonlySet<Permission>;\n\nexport function hasPermission(\n permissions: PermissionSet,\n required: Permission,\n): boolean {\n return permissions.has(required);\n}\n\nexport function hasAllPermissions(\n permissions: PermissionSet,\n required: Permission[],\n): boolean {\n return required.every((p) => permissions.has(p));\n}\n\n/** Maps MCP protocol methods to SolonGate permission types. */\nexport function permissionForMethod(method: string): Permission {\n if (\n method.startsWith('resources/') ||\n method.startsWith('prompts/') ||\n method === 'tools/list'\n ) {\n return Permission.READ;\n }\n if (method === 'tools/call') {\n return Permission.EXECUTE;\n }\n // Default to EXECUTE for unknown methods (most restrictive)\n return Permission.EXECUTE;\n}\n","import { z } from 'zod';\nimport type { Permission } from './permissions.js';\nimport type { TrustLevel } from './trust.js';\n\n/**\n * Policy effect: the only two outcomes of policy evaluation.\n * No \"MAYBE\" or \"CONDITIONAL\" - binary security decisions only.\n */\nexport const PolicyEffect = {\n ALLOW: 'ALLOW',\n DENY: 'DENY',\n} as const;\n\nexport type PolicyEffect = (typeof PolicyEffect)[keyof typeof PolicyEffect];\n\n/**\n * A single policy rule that matches against execution requests.\n * Rules are evaluated by priority order. 
First matching rule wins.\n * If NO rule matches, the result is DENY (default-deny).\n */\nexport interface PolicyRule {\n readonly id: string;\n readonly description: string;\n readonly effect: PolicyEffect;\n readonly priority: number;\n readonly toolPattern: string;\n readonly permission: Permission;\n readonly minimumTrustLevel: TrustLevel;\n readonly argumentConstraints?: Record<string, unknown>;\n readonly pathConstraints?: {\n readonly allowed?: readonly string[];\n readonly denied?: readonly string[];\n readonly rootDirectory?: string;\n readonly allowSymlinks?: boolean;\n };\n readonly enabled: boolean;\n readonly createdAt: string;\n readonly updatedAt: string;\n}\n\n/**\n * A versioned, ordered set of policy rules.\n * Modifications create new sets (immutable by convention).\n */\nexport interface PolicySet {\n readonly id: string;\n readonly name: string;\n readonly description: string;\n readonly version: number;\n readonly rules: readonly PolicyRule[];\n readonly createdAt: string;\n readonly updatedAt: string;\n}\n\nexport const PolicyRuleSchema = z.object({\n id: z.string().min(1).max(256),\n description: z.string().max(1024),\n effect: z.enum(['ALLOW', 'DENY']),\n priority: z.number().int().min(0).max(10000).default(1000),\n toolPattern: z.string().min(1).max(512),\n permission: z.enum(['READ', 'WRITE', 'EXECUTE']),\n minimumTrustLevel: z.enum(['UNTRUSTED', 'VERIFIED', 'TRUSTED']),\n argumentConstraints: z.record(z.unknown()).optional(),\n pathConstraints: z\n .object({\n allowed: z.array(z.string()).optional(),\n denied: z.array(z.string()).optional(),\n rootDirectory: z.string().optional(),\n allowSymlinks: z.boolean().optional(),\n })\n .optional(),\n enabled: z.boolean().default(true),\n createdAt: z.string().datetime(),\n updatedAt: z.string().datetime(),\n});\n\nexport const PolicySetSchema = z.object({\n id: z.string().min(1).max(256),\n name: z.string().min(1).max(256),\n description: z.string().max(2048),\n version: 
z.number().int().min(0),\n rules: z.array(PolicyRuleSchema),\n createdAt: z.string().datetime(),\n updatedAt: z.string().datetime(),\n});\n\n/** The result of evaluating a policy against a request. */\nexport interface PolicyDecision {\n readonly effect: PolicyEffect;\n readonly matchedRule: PolicyRule | null;\n readonly reason: string;\n readonly timestamp: string;\n readonly evaluationTimeMs: number;\n readonly metadata?: {\n readonly evaluatedRules: number;\n readonly ruleIds: readonly string[];\n readonly requestContext: {\n readonly tool: string;\n readonly arguments: readonly string[];\n };\n };\n}\n","import type { TrustLevel } from './trust.js';\nimport type { PermissionSet } from './permissions.js';\n\n/**\n * SecurityContext represents the security state of a single request.\n * Created fresh for each MCP request and NEVER reused.\n * All fields are readonly - state transitions create new contexts.\n */\nexport interface SecurityContext {\n readonly requestId: string;\n readonly trustLevel: TrustLevel;\n readonly grantedPermissions: PermissionSet;\n readonly sessionId: string | null;\n readonly createdAt: string;\n readonly metadata: Readonly<Record<string, unknown>>;\n readonly capabilityToken?: string;\n}\n\n/** Extends SecurityContext with tool-specific execution information. */\nexport interface ExecutionContext extends SecurityContext {\n readonly toolName: string;\n readonly serverName: string;\n readonly arguments: Readonly<Record<string, unknown>>;\n}\n\n/** Creates a new SecurityContext with default-deny settings. 
*/\nexport function createSecurityContext(\n params: Pick<SecurityContext, 'requestId'> &\n Partial<Omit<SecurityContext, 'requestId' | 'createdAt' | 'trustLevel' | 'grantedPermissions'>>,\n): SecurityContext {\n return {\n trustLevel: 'UNTRUSTED',\n grantedPermissions: new Set(),\n sessionId: null,\n metadata: {},\n createdAt: new Date().toISOString(),\n ...params,\n };\n}\n","/** Default policy effect when no rule matches: DENY */\nexport const DEFAULT_POLICY_EFFECT = 'DENY' as const;\n\n/** Maximum number of rules in a single PolicySet */\nexport const MAX_RULES_PER_POLICY_SET = 1000;\n\n/** Maximum depth for nested argument validation */\nexport const MAX_ARGUMENT_DEPTH = 10;\n\n/** Maximum size of tool arguments in bytes */\nexport const MAX_ARGUMENTS_SIZE_BYTES = 1_048_576; // 1MB\n\n/** Maximum length of a tool name */\nexport const MAX_TOOL_NAME_LENGTH = 256;\n\n/** Maximum length of a server name */\nexport const MAX_SERVER_NAME_LENGTH = 256;\n\n/** Default rate limit per tool per minute */\nexport const DEFAULT_RATE_LIMIT_PER_MINUTE = 60;\n\n/** Maximum rate limit per tool per minute */\nexport const MAX_RATE_LIMIT_PER_MINUTE = 10_000;\n\n/** Security context timeout in milliseconds (5 minutes) */\nexport const SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1000;\n\n/** Policy evaluation timeout in milliseconds (100ms) */\nexport const POLICY_EVALUATION_TIMEOUT_MS = 100;\n\n// --- Input Guard Constants ---\n\n/** Default maximum length per string argument */\nexport const INPUT_GUARD_MAX_LENGTH = 4096;\n\n/** Shannon entropy threshold for encoded payload detection */\nexport const INPUT_GUARD_ENTROPY_THRESHOLD = 4.5;\n\n/** Minimum string length before entropy check applies */\nexport const INPUT_GUARD_MIN_ENTROPY_LENGTH = 32;\n\n/** Maximum wildcards allowed per value */\nexport const INPUT_GUARD_MAX_WILDCARDS = 3;\n\n// --- Token Constants ---\n\n/** Default capability token TTL in seconds */\nexport const TOKEN_DEFAULT_TTL_SECONDS = 30;\n\n/** Minimum secret 
key length for HMAC signing */\nexport const TOKEN_MIN_SECRET_LENGTH = 32;\n\n/** Maximum token age before forced expiry (5 minutes) */\nexport const TOKEN_MAX_AGE_SECONDS = 300;\n\n// --- Rate Limiter Constants ---\n\n/** Default sliding window size in milliseconds (1 minute) */\nexport const RATE_LIMIT_WINDOW_MS = 60_000;\n\n/** Maximum entries to keep per tool before cleanup */\nexport const RATE_LIMIT_MAX_ENTRIES = 10_000;\n\n/** Warning messages for unsafe configurations. */\nexport const UNSAFE_CONFIGURATION_WARNINGS = {\n WILDCARD_ALLOW:\n 'Wildcard ALLOW rules grant permission to ALL tools. This bypasses the default-deny model.',\n TRUSTED_LEVEL_EXTERNAL:\n 'Setting trust level to TRUSTED for external requests bypasses all security checks.',\n WRITE_WITHOUT_READ:\n 'Granting WRITE without READ is unusual and may indicate a misconfiguration.',\n EXECUTE_WITHOUT_REVIEW:\n 'EXECUTE permission allows tools to perform arbitrary actions. Review carefully.',\n RATE_LIMIT_ZERO:\n 'A rate limit of 0 means unlimited calls. 
This removes protection against runaway loops.',\n DISABLED_VALIDATION:\n 'Disabling schema validation removes input sanitization protections.',\n} as const;\n","/**\n * Types that bridge between the MCP protocol and SolonGate's type system.\n * Adapts MCP SDK types without creating a hard dependency.\n */\n\nexport interface McpToolDefinition {\n readonly name: string;\n readonly description?: string;\n readonly inputSchema: {\n readonly type: 'object';\n readonly properties?: Record<string, unknown>;\n readonly required?: readonly string[];\n };\n}\n\nexport interface McpCallToolParams {\n readonly name: string;\n readonly arguments?: Record<string, unknown>;\n}\n\nexport interface McpCallToolResult {\n readonly content: readonly McpToolResultContent[];\n readonly isError?: boolean;\n readonly structuredContent?: unknown;\n}\n\nexport type McpToolResultContent =\n | { readonly type: 'text'; readonly text: string }\n | { readonly type: 'image'; readonly data: string; readonly mimeType: string }\n | { readonly type: 'resource'; readonly resource: unknown };\n\n/** Wraps denied tool calls in MCP error responses. */\nexport function createDeniedToolResult(\n reason: string,\n): McpCallToolResult {\n return {\n content: [\n {\n type: 'text',\n text: JSON.stringify({\n error: 'POLICY_DENIED',\n message: reason,\n hint: 'This tool call was blocked by SolonGate security policy. 
Check your policy configuration.',\n }),\n },\n ],\n isError: true,\n };\n}\n","import { z, type ZodTypeAny } from 'zod';\nimport { MAX_ARGUMENT_DEPTH, MAX_ARGUMENTS_SIZE_BYTES } from './constants.js';\n\n/**\n * Result of schema validation.\n * Always includes structured errors for programmatic handling.\n */\nexport interface SchemaValidationResult {\n readonly valid: boolean;\n readonly errors: readonly string[];\n readonly sanitized: Readonly<Record<string, unknown>> | null;\n}\n\n/**\n * Options for schema validation behavior.\n */\nexport interface SchemaValidatorOptions {\n readonly maxDepth?: number;\n readonly maxSizeBytes?: number;\n readonly stripUnknown?: boolean;\n}\n\nconst DEFAULT_OPTIONS: Required<SchemaValidatorOptions> = {\n maxDepth: MAX_ARGUMENT_DEPTH,\n maxSizeBytes: MAX_ARGUMENTS_SIZE_BYTES,\n stripUnknown: false,\n};\n\n/**\n * Validates tool input against a Zod schema with strict security enforcement.\n *\n * - Unknown fields are REJECTED (no additionalProperties)\n * - Type mismatches are REJECTED\n * - Required fields are ENFORCED\n * - Recursive depth is limited\n * - Argument size is limited\n */\nexport function validateToolInput(\n schema: ZodTypeAny,\n input: unknown,\n options?: SchemaValidatorOptions,\n): SchemaValidationResult {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n const errors: string[] = [];\n\n // 1. Size check - prevent oversized payloads\n const sizeError = checkInputSize(input, opts.maxSizeBytes);\n if (sizeError) {\n return { valid: false, errors: [sizeError], sanitized: null };\n }\n\n // 2. Depth check - prevent deeply nested structures\n const depthError = checkInputDepth(input, opts.maxDepth);\n if (depthError) {\n return { valid: false, errors: [depthError], sanitized: null };\n }\n\n // 3. Schema validation using Zod strict mode\n const result = schema.safeParse(input);\n\n if (!result.success) {\n for (const issue of result.error.issues) {\n const path = issue.path.length > 0 ? 
issue.path.join('.') : 'root';\n errors.push(`${path}: ${issue.message}`);\n }\n return { valid: false, errors, sanitized: null };\n }\n\n return {\n valid: true,\n errors: [],\n sanitized: result.data as Readonly<Record<string, unknown>>,\n };\n}\n\n/**\n * Creates a strict Zod object schema that rejects unknown fields.\n * Wraps z.object().strict() for convenience.\n */\nexport function createStrictSchema(\n shape: Record<string, ZodTypeAny>,\n): z.ZodObject<Record<string, ZodTypeAny>, 'strict'> {\n return z.object(shape).strict();\n}\n\n/**\n * Checks if input size exceeds the maximum allowed bytes.\n */\nfunction checkInputSize(input: unknown, maxBytes: number): string | null {\n let serialized: string;\n try {\n serialized = JSON.stringify(input);\n } catch {\n return 'Input cannot be serialized to JSON';\n }\n\n const sizeBytes = new TextEncoder().encode(serialized).length;\n if (sizeBytes > maxBytes) {\n return `Input size ${sizeBytes} bytes exceeds maximum ${maxBytes} bytes`;\n }\n return null;\n}\n\n/**\n * Checks if input exceeds maximum nesting depth.\n * Prevents stack overflow and denial-of-service via deeply nested objects.\n */\nfunction checkInputDepth(input: unknown, maxDepth: number): string | null {\n const depth = measureDepth(input, 0);\n if (depth > maxDepth) {\n return `Input depth ${depth} exceeds maximum ${maxDepth}`;\n }\n return null;\n}\n\nfunction measureDepth(value: unknown, currentDepth: number): number {\n if (currentDepth > MAX_ARGUMENT_DEPTH + 1) {\n return currentDepth; // Early exit to prevent stack overflow\n }\n\n if (value === null || value === undefined || typeof value !== 'object') {\n return currentDepth;\n }\n\n if (Array.isArray(value)) {\n let maxChildDepth = currentDepth + 1;\n for (const item of value) {\n const childDepth = measureDepth(item, currentDepth + 1);\n if (childDepth > maxChildDepth) maxChildDepth = childDepth;\n }\n return maxChildDepth;\n }\n\n let maxChildDepth = currentDepth + 1;\n for (const key of 
Object.keys(value as Record<string, unknown>)) {\n const childDepth = measureDepth(\n (value as Record<string, unknown>)[key],\n currentDepth + 1,\n );\n if (childDepth > maxChildDepth) maxChildDepth = childDepth;\n }\n return maxChildDepth;\n}\n","/**\n * Input Guard: detects and blocks dangerous patterns in tool arguments.\n *\n * Prevents physical execution of injected instructions by checking for:\n * - Path traversal attacks (../, ..\\, encoded variants)\n * - Shell injection (;, |, &, `, $(), etc.)\n * - Wildcard abuse (**, recursive globs)\n * - Excessive length\n * - High-entropy payloads (potential encoded exploits)\n */\n\n/** Threat type detected by input guard. */\nexport type ThreatType =\n | 'PATH_TRAVERSAL'\n | 'SHELL_INJECTION'\n | 'WILDCARD_ABUSE'\n | 'LENGTH_EXCEEDED'\n | 'HIGH_ENTROPY'\n | 'SSRF'\n | 'SQL_INJECTION';\n\n/** A detected threat with details. */\nexport interface DetectedThreat {\n readonly type: ThreatType;\n readonly field: string;\n readonly value: string;\n readonly description: string;\n}\n\n/** Result of sanitization check. */\nexport interface SanitizationResult {\n readonly safe: boolean;\n readonly threats: readonly DetectedThreat[];\n}\n\n/** Configuration for input guard checks. 
*/\nexport interface InputGuardConfig {\n readonly pathTraversal: boolean;\n readonly shellInjection: boolean;\n readonly wildcardAbuse: boolean;\n readonly lengthLimit: number;\n readonly entropyLimit: boolean;\n readonly ssrf: boolean;\n readonly sqlInjection: boolean;\n}\n\nexport const DEFAULT_INPUT_GUARD_CONFIG: Readonly<InputGuardConfig> =\n Object.freeze({\n pathTraversal: true,\n shellInjection: true,\n wildcardAbuse: true,\n lengthLimit: 4096,\n entropyLimit: true,\n ssrf: true,\n sqlInjection: true,\n });\n\n// --- Path Traversal Detection ---\n\nconst PATH_TRAVERSAL_PATTERNS = [\n /\\.\\.\\//, // ../\n /\\.\\.\\\\/, // ..\\\n /%2e%2e/i, // URL-encoded ..\n /%2e\\./i, // partial URL-encoded\n /\\.%2e/i, // partial URL-encoded\n /%252e%252e/i, // double URL-encoded\n /\\.\\.\\0/, // null byte variant\n];\n\nconst SENSITIVE_PATHS = [\n /\\/etc\\/passwd/i,\n /\\/etc\\/shadow/i,\n /\\/proc\\//i,\n /\\/dev\\//i,\n /c:\\\\windows\\\\system32/i,\n /c:\\\\windows\\\\syswow64/i,\n /\\/root\\//i,\n /~\\//,\n /\\.env(\\.|$)/i, // .env, .env.local, .env.production\n /\\.aws\\/credentials/i, // AWS credentials\n /\\.ssh\\/id_/i, // SSH keys\n /\\.kube\\/config/i, // Kubernetes config\n /wp-config\\.php/i, // WordPress config\n /\\.git\\/config/i, // Git config\n /\\.npmrc/i, // npm credentials\n /\\.pypirc/i, // PyPI credentials\n];\n\nexport function detectPathTraversal(value: string): boolean {\n for (const pattern of PATH_TRAVERSAL_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n for (const pattern of SENSITIVE_PATHS) {\n if (pattern.test(value)) return true;\n }\n return false;\n}\n\n// --- Shell Injection Detection ---\n\nconst SHELL_INJECTION_PATTERNS = [\n /[;|&`]/, // Command separators and backtick execution\n /\\$\\(/, // Command substitution $(...)\n /\\$\\{/, // Variable expansion ${...}\n />\\s*/, // Output redirect\n /<\\s*/, // Input redirect\n /&&/, // AND chaining\n /\\|\\|/, // OR chaining\n /\\beval\\b/i, // eval command\n /\\bexec\\b/i, // 
exec command\n /\\bsystem\\b/i, // system call\n /%0a/i, // URL-encoded newline\n /%0d/i, // URL-encoded carriage return\n /%09/i, // URL-encoded tab\n /\\r\\n/, // CRLF injection\n /\\n/, // Newline (command separator on Unix)\n];\n\nexport function detectShellInjection(value: string): boolean {\n for (const pattern of SHELL_INJECTION_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n return false;\n}\n\n// --- Wildcard Abuse Detection ---\n\nconst MAX_WILDCARDS_PER_VALUE = 3;\n\nexport function detectWildcardAbuse(value: string): boolean {\n // Block recursive globs\n if (value.includes('**')) return true;\n\n // Count wildcards\n const wildcardCount = (value.match(/\\*/g) || []).length;\n if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;\n\n return false;\n}\n\n// --- SSRF Detection ---\n\nconst SSRF_PATTERNS = [\n /^https?:\\/\\/localhost\\b/i,\n /^https?:\\/\\/127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/,\n /^https?:\\/\\/0\\.0\\.0\\.0/,\n /^https?:\\/\\/\\[::1\\]/, // IPv6 loopback\n /^https?:\\/\\/10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/, // 10.x.x.x\n /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./, // 172.16-31.x.x\n /^https?:\\/\\/192\\.168\\./, // 192.168.x.x\n /^https?:\\/\\/169\\.254\\./, // Link-local / AWS metadata\n /metadata\\.google\\.internal/i, // GCP metadata\n /^https?:\\/\\/metadata\\b/i, // Generic metadata endpoint\n // IPv6 bypass patterns\n /^https?:\\/\\/\\[fe80:/i, // IPv6 link-local\n /^https?:\\/\\/\\[fc00:/i, // IPv6 unique local\n /^https?:\\/\\/\\[fd[0-9a-f]{2}:/i, // IPv6 unique local (fd00::/8)\n /^https?:\\/\\/\\[::ffff:127\\./i, // IPv4-mapped IPv6 loopback\n /^https?:\\/\\/\\[::ffff:10\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:172\\.(1[6-9]|2\\d|3[01])\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:192\\.168\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:169\\.254\\./i, // IPv4-mapped IPv6 link-local\n // Hex IP bypass (e.g., 0x7f000001 = 127.0.0.1)\n 
/^https?:\\/\\/0x[0-9a-f]+\\b/i,\n // Octal IP bypass (e.g., 0177.0.0.1 = 127.0.0.1)\n /^https?:\\/\\/0[0-7]{1,3}\\./,\n];\n\n/**\n * Detects decimal IP representation (e.g., http://2130706433 = 127.0.0.1).\n * Converts decimal to IPv4 and checks if it's in a private/loopback range.\n */\nfunction detectDecimalIP(value: string): boolean {\n const match = value.match(/^https?:\\/\\/(\\d{8,10})(?:[:/]|$)/);\n if (!match || !match[1]) return false;\n\n const decimal = parseInt(match[1], 10);\n if (isNaN(decimal) || decimal > 0xffffffff) return false;\n\n // Check private/loopback ranges\n return (\n (decimal >= 0x7f000000 && decimal <= 0x7fffffff) || // 127.0.0.0/8\n (decimal >= 0x0a000000 && decimal <= 0x0affffff) || // 10.0.0.0/8\n (decimal >= 0xac100000 && decimal <= 0xac1fffff) || // 172.16.0.0/12\n (decimal >= 0xc0a80000 && decimal <= 0xc0a8ffff) || // 192.168.0.0/16\n (decimal >= 0xa9fe0000 && decimal <= 0xa9feffff) || // 169.254.0.0/16\n decimal === 0 // 0.0.0.0\n );\n}\n\nexport function detectSSRF(value: string): boolean {\n for (const pattern of SSRF_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n // Check for decimal IP bypass\n if (detectDecimalIP(value)) return true;\n return false;\n}\n\n// --- SQL Injection Detection ---\n\nconst SQL_INJECTION_PATTERNS = [\n /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i, // ' OR '1'='1 — bounded to prevent ReDoS\n /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i, // '; DROP TABLE\n /UNION\\s+(ALL\\s+)?SELECT/i, // UNION SELECT\n /--\\s*$/m, // SQL comment at end of line\n /\\/\\*.{0,500}?\\*\\//, // SQL block comment — bounded + non-greedy\n /\\bSLEEP\\s*\\(/i, // Time-based injection\n /\\bBENCHMARK\\s*\\(/i, // MySQL benchmark\n /\\bWAITFOR\\s+DELAY/i, // MSSQL delay\n /\\b(LOAD_FILE|INTO\\s+OUTFILE|INTO\\s+DUMPFILE)\\b/i, // File operations\n];\n\nexport function detectSQLInjection(value: string): boolean {\n for (const pattern of SQL_INJECTION_PATTERNS) {\n if (pattern.test(value)) return 
true;\n }\n return false;\n}\n\n// --- Length Check ---\n\nexport function checkLengthLimits(\n value: string,\n maxLength: number = 4096,\n): boolean {\n return value.length <= maxLength;\n}\n\n// --- Entropy Detection ---\n\n/**\n * Detects high-entropy strings that may indicate encoded payloads.\n * Uses Shannon entropy calculation.\n * Threshold: 4.5 bits per character (base64 encoded data is ~6.0).\n */\nconst ENTROPY_THRESHOLD = 4.5;\nconst MIN_LENGTH_FOR_ENTROPY_CHECK = 32;\n\nexport function checkEntropyLimits(value: string): boolean {\n if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true; // Too short to be meaningful\n\n const entropy = calculateShannonEntropy(value);\n return entropy <= ENTROPY_THRESHOLD;\n}\n\nfunction calculateShannonEntropy(str: string): number {\n const freq = new Map<string, number>();\n for (const char of str) {\n freq.set(char, (freq.get(char) ?? 0) + 1);\n }\n\n let entropy = 0;\n const len = str.length;\n for (const count of freq.values()) {\n const p = count / len;\n if (p > 0) {\n entropy -= p * Math.log2(p);\n }\n }\n return entropy;\n}\n\n// --- Main Sanitization Function ---\n\n/**\n * Runs all input guard checks on a value.\n * Returns structured result with all detected threats.\n */\nexport function sanitizeInput(\n field: string,\n value: unknown,\n config: InputGuardConfig = DEFAULT_INPUT_GUARD_CONFIG,\n): SanitizationResult {\n const threats: DetectedThreat[] = [];\n\n if (typeof value !== 'string') {\n // For non-string values, recursively check string values in objects/arrays\n if (typeof value === 'object' && value !== null) {\n return sanitizeObject(field, value, config);\n }\n return { safe: true, threats: [] };\n }\n\n if (config.pathTraversal && detectPathTraversal(value)) {\n threats.push({\n type: 'PATH_TRAVERSAL',\n field,\n value: truncate(value, 100),\n description: 'Path traversal pattern detected',\n });\n }\n\n if (config.shellInjection && detectShellInjection(value)) {\n threats.push({\n type: 
'SHELL_INJECTION',\n field,\n value: truncate(value, 100),\n description: 'Shell injection pattern detected',\n });\n }\n\n if (config.wildcardAbuse && detectWildcardAbuse(value)) {\n threats.push({\n type: 'WILDCARD_ABUSE',\n field,\n value: truncate(value, 100),\n description: 'Wildcard abuse pattern detected',\n });\n }\n\n if (!checkLengthLimits(value, config.lengthLimit)) {\n threats.push({\n type: 'LENGTH_EXCEEDED',\n field,\n value: `[${value.length} chars]`,\n description: `Value exceeds maximum length of ${config.lengthLimit}`,\n });\n }\n\n if (config.entropyLimit && !checkEntropyLimits(value)) {\n threats.push({\n type: 'HIGH_ENTROPY',\n field,\n value: truncate(value, 100),\n description: 'High entropy string detected - possible encoded payload',\n });\n }\n\n if (config.ssrf && detectSSRF(value)) {\n threats.push({\n type: 'SSRF',\n field,\n value: truncate(value, 100),\n description: 'Server-side request forgery pattern detected — internal/metadata URL blocked',\n });\n }\n\n if (config.sqlInjection && detectSQLInjection(value)) {\n threats.push({\n type: 'SQL_INJECTION',\n field,\n value: truncate(value, 100),\n description: 'SQL injection pattern detected',\n });\n }\n\n return { safe: threats.length === 0, threats };\n}\n\n/**\n * Recursively sanitizes all string values in an object or array.\n */\nfunction sanitizeObject(\n basePath: string,\n obj: object,\n config: InputGuardConfig,\n): SanitizationResult {\n const threats: DetectedThreat[] = [];\n\n if (Array.isArray(obj)) {\n for (let i = 0; i < obj.length; i++) {\n const result = sanitizeInput(`${basePath}[${i}]`, obj[i], config);\n threats.push(...result.threats);\n }\n } else {\n for (const [key, val] of Object.entries(obj)) {\n const result = sanitizeInput(`${basePath}.${key}`, val, config);\n threats.push(...result.threats);\n }\n }\n\n return { safe: threats.length === 0, threats };\n}\n\nfunction truncate(str: string, maxLen: number): string {\n return str.length > maxLen ? 
str.slice(0, maxLen) + '...' : str;\n}\n","import type { Permission } from './permissions.js';\n\n/**\n * Capability Token: a signed, short-lived, single-use token\n * that authorizes execution of specific tools within specific scopes.\n *\n * Security properties:\n * - Short-lived: TTL defaults to 30 seconds\n * - Single-use: nonce prevents replay attacks\n * - Scoped: limited to specific tools and servers\n * - Signed: HMAC-SHA256 prevents forgery\n */\nexport interface CapabilityToken {\n readonly jti: string; // Unique token ID (nonce)\n readonly iss: string; // Issuer (gateway ID)\n readonly sub: string; // Subject (request ID)\n readonly iat: number; // Issued at (unix timestamp)\n readonly exp: number; // Expires at (unix timestamp)\n readonly permissions: readonly Permission[];\n readonly toolScope: readonly string[]; // Which tools this token covers\n readonly serverScope: readonly string[]; // Which servers\n readonly pathScope?: readonly string[]; // Optional path restrictions\n}\n\n/**\n * Configuration for token issuance.\n */\nexport interface TokenConfig {\n readonly secret: string; // HMAC signing key\n readonly ttlSeconds: number; // Default 30 seconds\n readonly algorithm: 'HS256'; // Start with HMAC\n readonly issuer: string;\n}\n\n/**\n * Default token configuration.\n * Secret must be provided - no default.\n */\nexport const DEFAULT_TOKEN_TTL_SECONDS = 30;\nexport const TOKEN_ALGORITHM = 'HS256' as const;\nexport const MIN_SECRET_LENGTH = 32;\n\n/**\n * Result of token verification.\n */\nexport interface TokenVerificationResult {\n readonly valid: boolean;\n readonly payload?: CapabilityToken;\n readonly reason?: string;\n}\n","import type { PolicyRule } from '@solongate/core';\n\ntype PathConstraints = NonNullable<PolicyRule['pathConstraints']>;\n\n/**\n * Normalizes a file path for consistent matching.\n * Resolves . and .. 
segments, normalizes separators.\n */\nexport function normalizePath(path: string): string {\n // Normalize separators to forward slash\n let normalized = path.replace(/\\\\/g, '/');\n\n // Remove trailing slash (except for root)\n if (normalized.length > 1 && normalized.endsWith('/')) {\n normalized = normalized.slice(0, -1);\n }\n\n // Resolve . and .. segments\n const parts = normalized.split('/');\n const resolved: string[] = [];\n\n for (const part of parts) {\n if (part === '.' || part === '') {\n if (resolved.length === 0) resolved.push('');\n continue;\n }\n if (part === '..') {\n if (resolved.length > 1) {\n resolved.pop();\n }\n continue;\n }\n resolved.push(part);\n }\n\n return resolved.join('/') || '/';\n}\n\n/**\n * Checks if a path is within a root directory (sandbox boundary).\n * Prevents escaping via .., symlinks, etc.\n */\nexport function isWithinRoot(path: string, root: string): boolean {\n const normalizedPath = normalizePath(path);\n const normalizedRoot = normalizePath(root);\n\n // Path must start with root\n if (normalizedPath === normalizedRoot) return true;\n return normalizedPath.startsWith(normalizedRoot + '/');\n}\n\n/**\n * Glob-style path pattern matching.\n * Supports:\n * - * matches any single path segment (not /)\n * - ** matches any number of path segments\n * - Exact match\n *\n * Does NOT support regex (ReDoS prevention).\n */\nexport function matchPathPattern(path: string, pattern: string): boolean {\n const normalizedPath = normalizePath(path);\n const normalizedPattern = normalizePath(pattern);\n\n if (normalizedPattern === '*') return true;\n if (normalizedPattern === normalizedPath) return true;\n\n const patternParts = normalizedPattern.split('/');\n const pathParts = normalizedPath.split('/');\n\n return matchParts(pathParts, 0, patternParts, 0);\n}\n\nfunction matchParts(\n pathParts: string[],\n pi: number,\n patternParts: string[],\n qi: number,\n): boolean {\n while (pi < pathParts.length && qi < 
patternParts.length) {\n const pattern = patternParts[qi]!;\n\n if (pattern === '**') {\n // ** can match zero or more path segments\n if (qi === patternParts.length - 1) return true;\n\n // Try matching ** against 0, 1, 2, ... path segments\n for (let i = pi; i <= pathParts.length; i++) {\n if (matchParts(pathParts, i, patternParts, qi + 1)) {\n return true;\n }\n }\n return false;\n }\n\n if (pattern === '*') {\n // * matches exactly one path segment\n pi++;\n qi++;\n continue;\n }\n\n if (pattern !== pathParts[pi]) {\n return false;\n }\n\n pi++;\n qi++;\n }\n\n // Skip trailing ** patterns\n while (qi < patternParts.length && patternParts[qi] === '**') {\n qi++;\n }\n\n return pi === pathParts.length && qi === patternParts.length;\n}\n\n/**\n * Checks if a path is allowed by the given constraints.\n *\n * Evaluation order:\n * 1. If rootDirectory is set, path must be within it\n * 2. If denied list exists, path must NOT match any denied pattern\n * 3. If allowed list exists, path must match at least one allowed pattern\n * 4. If neither list exists, path is allowed (constraints are optional)\n */\nexport function isPathAllowed(\n path: string,\n constraints: PathConstraints,\n): boolean {\n // 1. Root directory check (sandbox)\n if (constraints.rootDirectory) {\n if (!isWithinRoot(path, constraints.rootDirectory)) {\n return false;\n }\n }\n\n // 2. Denied list - any match means denied\n if (constraints.denied && constraints.denied.length > 0) {\n for (const pattern of constraints.denied) {\n if (matchPathPattern(path, pattern)) {\n return false;\n }\n }\n }\n\n // 3. 
Allowed list - must match at least one\n if (constraints.allowed && constraints.allowed.length > 0) {\n let matchesAllowed = false;\n for (const pattern of constraints.allowed) {\n if (matchPathPattern(path, pattern)) {\n matchesAllowed = true;\n break;\n }\n }\n if (!matchesAllowed) return false;\n }\n\n return true;\n}\n\n/**\n * Extracts path-like arguments from tool call arguments.\n * Heuristic: any string argument containing / or \\ is treated as a path.\n */\nexport function extractPathArguments(\n args: Readonly<Record<string, unknown>>,\n): string[] {\n const paths: string[] = [];\n\n for (const value of Object.values(args)) {\n if (typeof value === 'string' && (value.includes('/') || value.includes('\\\\'))) {\n paths.push(value);\n }\n }\n\n return paths;\n}\n","import type { PolicyRule, ExecutionRequest } from '@solongate/core';\nimport { TrustLevel } from '@solongate/core';\nimport { isPathAllowed, extractPathArguments } from './path-matcher.js';\n\n/**\n * Pure function: determines if a policy rule matches an execution request.\n * No side effects. No I/O. 
Fully deterministic.\n */\nexport function ruleMatchesRequest(\n rule: PolicyRule,\n request: ExecutionRequest,\n): boolean {\n if (!rule.enabled) return false;\n if (rule.permission !== request.requiredPermission) return false;\n if (!toolPatternMatches(rule.toolPattern, request.toolName)) return false;\n if (!trustLevelMeetsMinimum(request.context.trustLevel, rule.minimumTrustLevel)) {\n return false;\n }\n if (rule.argumentConstraints) {\n if (!argumentConstraintsMatch(rule.argumentConstraints, request.arguments)) {\n return false;\n }\n }\n if (rule.pathConstraints) {\n if (!pathConstraintsMatch(rule.pathConstraints, request.arguments)) {\n return false;\n }\n }\n return true;\n}\n\n/**\n * Glob-style tool name pattern matching.\n * Supports:\n * '*' → match all\n * 'prefix*' → starts with prefix\n * '*suffix' → ends with suffix\n * '*infix*' → contains infix\n * Does NOT support regex (ReDoS prevention).\n */\nexport function toolPatternMatches(pattern: string, toolName: string): boolean {\n if (pattern === '*') return true;\n\n const startsWithStar = pattern.startsWith('*');\n const endsWithStar = pattern.endsWith('*');\n\n if (startsWithStar && endsWithStar) {\n // *infix* → contains\n const infix = pattern.slice(1, -1);\n return infix.length > 0 && toolName.includes(infix);\n }\n if (endsWithStar) {\n // prefix* → starts with\n const prefix = pattern.slice(0, -1);\n return toolName.startsWith(prefix);\n }\n if (startsWithStar) {\n // *suffix → ends with\n const suffix = pattern.slice(1);\n return toolName.endsWith(suffix);\n }\n\n return pattern === toolName;\n}\n\nconst TRUST_LEVEL_ORDER: Record<string, number> = {\n [TrustLevel.UNTRUSTED]: 0,\n [TrustLevel.VERIFIED]: 1,\n [TrustLevel.TRUSTED]: 2,\n};\n\nexport function trustLevelMeetsMinimum(\n actual: TrustLevel,\n minimum: TrustLevel,\n): boolean {\n return (TRUST_LEVEL_ORDER[actual] ?? -1) >= (TRUST_LEVEL_ORDER[minimum] ?? 
Infinity);\n}\n\n/**\n * Condition operators for argument constraints.\n * When constraint value is a plain string → exact match (or '*' for any).\n * When constraint value is an object → operator-based matching:\n * { $contains: \"str\" } — value includes substring\n * { $notContains: \"str\" } — value does NOT include substring\n * { $startsWith: \"str\" } — value starts with prefix\n * { $endsWith: \"str\" } — value ends with suffix\n * { $in: [\"a\",\"b\"] } — value is one of the listed values\n * { $notIn: [\"a\",\"b\"] } — value is NOT one of the listed values\n * { $gt: 5 } — numeric greater than\n * { $lt: 5 } — numeric less than\n * { $gte: 5 } — numeric greater than or equal\n * { $lte: 5 } — numeric less than or equal\n */\nfunction argumentConstraintsMatch(\n constraints: Record<string, unknown>,\n args: Readonly<Record<string, unknown>>,\n): boolean {\n for (const [key, constraint] of Object.entries(constraints)) {\n if (!(key in args)) return false;\n const argValue = args[key];\n\n // Plain string: exact match (backward compatible)\n if (typeof constraint === 'string') {\n if (constraint === '*') continue;\n if (typeof argValue === 'string') {\n if (argValue !== constraint) return false;\n } else {\n return false;\n }\n continue;\n }\n\n // Object with operators\n if (typeof constraint === 'object' && constraint !== null && !Array.isArray(constraint)) {\n const ops = constraint as Record<string, unknown>;\n const strValue = typeof argValue === 'string' ? argValue : undefined;\n const numValue = typeof argValue === 'number' ? 
argValue : undefined;\n\n if ('$contains' in ops && typeof ops.$contains === 'string') {\n if (!strValue || !strValue.includes(ops.$contains)) return false;\n }\n if ('$notContains' in ops && typeof ops.$notContains === 'string') {\n if (strValue && strValue.includes(ops.$notContains)) return false;\n }\n if ('$startsWith' in ops && typeof ops.$startsWith === 'string') {\n if (!strValue || !strValue.startsWith(ops.$startsWith)) return false;\n }\n if ('$endsWith' in ops && typeof ops.$endsWith === 'string') {\n if (!strValue || !strValue.endsWith(ops.$endsWith)) return false;\n }\n if ('$in' in ops && Array.isArray(ops.$in)) {\n if (!ops.$in.includes(argValue)) return false;\n }\n if ('$notIn' in ops && Array.isArray(ops.$notIn)) {\n if (ops.$notIn.includes(argValue)) return false;\n }\n if ('$gt' in ops && typeof ops.$gt === 'number') {\n if (numValue === undefined || numValue <= ops.$gt) return false;\n }\n if ('$lt' in ops && typeof ops.$lt === 'number') {\n if (numValue === undefined || numValue >= ops.$lt) return false;\n }\n if ('$gte' in ops && typeof ops.$gte === 'number') {\n if (numValue === undefined || numValue < ops.$gte) return false;\n }\n if ('$lte' in ops && typeof ops.$lte === 'number') {\n if (numValue === undefined || numValue > ops.$lte) return false;\n }\n\n continue;\n }\n }\n return true;\n}\n\nfunction pathConstraintsMatch(\n constraints: NonNullable<PolicyRule['pathConstraints']>,\n args: Readonly<Record<string, unknown>>,\n): boolean {\n const paths = extractPathArguments(args);\n\n // If no path arguments found, constraints don't apply\n if (paths.length === 0) return true;\n\n // ALL path arguments must satisfy constraints\n return paths.every((path) => isPathAllowed(path, constraints));\n}\n","import type {\n PolicySet,\n PolicyDecision,\n ExecutionRequest,\n PolicyEffect,\n} from '@solongate/core';\nimport { DEFAULT_POLICY_EFFECT } from '@solongate/core';\nimport { ruleMatchesRequest } from './matcher.js';\n\n/**\n * Evaluates a 
policy set against an execution request.\n *\n * Pure function: no side effects, no I/O, fully deterministic.\n *\n * Algorithm:\n * 1. Sort rules by priority (ascending - lower number = higher priority)\n * 2. Find the first matching rule\n * 3. If a rule matches, return its effect\n * 4. If no rule matches, return DENY (default-deny)\n */\nexport function evaluatePolicy(\n policySet: PolicySet,\n request: ExecutionRequest,\n): PolicyDecision {\n const startTime = performance.now();\n\n const sortedRules = [...policySet.rules].sort(\n (a, b) => a.priority - b.priority,\n );\n\n for (const rule of sortedRules) {\n if (ruleMatchesRequest(rule, request)) {\n const endTime = performance.now();\n return {\n effect: rule.effect,\n matchedRule: rule,\n reason: `Matched rule \"${rule.id}\": ${rule.description}`,\n timestamp: new Date().toISOString(),\n evaluationTimeMs: endTime - startTime,\n };\n }\n }\n\n const endTime = performance.now();\n return {\n effect: DEFAULT_POLICY_EFFECT as PolicyEffect,\n matchedRule: null,\n reason: 'No matching policy rule found. Default action: DENY.',\n timestamp: new Date().toISOString(),\n evaluationTimeMs: endTime - startTime,\n metadata: {\n evaluatedRules: sortedRules.length,\n ruleIds: sortedRules.map((r) => r.id),\n requestContext: {\n tool: request.toolName,\n arguments: Object.keys(request.arguments ?? 
{}),\n },\n },\n };\n}\n","import { PolicyRuleSchema, PolicySetSchema } from '@solongate/core';\nimport {\n MAX_RULES_PER_POLICY_SET,\n UNSAFE_CONFIGURATION_WARNINGS,\n} from '@solongate/core';\n\nexport interface ValidationResult {\n readonly valid: boolean;\n readonly errors: readonly string[];\n readonly warnings: readonly string[];\n}\n\nexport function validatePolicyRule(input: unknown): ValidationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n\n const result = PolicyRuleSchema.safeParse(input);\n if (!result.success) {\n return {\n valid: false,\n errors: result.error.errors.map(\n (e) => `${e.path.join('.')}: ${e.message}`,\n ),\n warnings: [],\n };\n }\n\n const rule = result.data;\n\n if (rule.toolPattern === '*' && rule.effect === 'ALLOW') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW);\n }\n\n if (rule.minimumTrustLevel === 'TRUSTED') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.TRUSTED_LEVEL_EXTERNAL);\n }\n\n if (rule.permission === 'EXECUTE') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW);\n }\n\n return { valid: true, errors, warnings };\n}\n\nexport function validatePolicySet(input: unknown): ValidationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n\n const result = PolicySetSchema.safeParse(input);\n if (!result.success) {\n return {\n valid: false,\n errors: result.error.errors.map(\n (e) => `${e.path.join('.')}: ${e.message}`,\n ),\n warnings: [],\n };\n }\n\n const policySet = result.data;\n\n if (policySet.rules.length > MAX_RULES_PER_POLICY_SET) {\n errors.push(\n `Policy set exceeds maximum of ${MAX_RULES_PER_POLICY_SET} rules`,\n );\n }\n\n const ruleIds = new Set<string>();\n for (const rule of policySet.rules) {\n if (ruleIds.has(rule.id)) {\n errors.push(`Duplicate rule ID: \"${rule.id}\"`);\n }\n ruleIds.add(rule.id);\n }\n\n for (const rule of policySet.rules) {\n const ruleResult = validatePolicyRule(rule);\n 
warnings.push(...ruleResult.warnings);\n }\n\n const hasDenyRule = policySet.rules.some((r) => r.effect === 'DENY');\n if (!hasDenyRule && policySet.rules.length > 0) {\n warnings.push(\n 'Policy set contains only ALLOW rules. The default-deny fallback is the only protection.',\n );\n }\n\n return {\n valid: errors.length === 0,\n errors,\n warnings,\n };\n}\n","import type { PolicyRule, PolicySet } from '@solongate/core';\nimport { UNSAFE_CONFIGURATION_WARNINGS } from '@solongate/core';\n\nexport interface SecurityWarning {\n readonly level: 'WARNING' | 'CRITICAL';\n readonly code: string;\n readonly message: string;\n readonly ruleId?: string;\n readonly recommendation: string;\n}\n\n/** Analyzes a policy set and returns security warnings. Pure function. */\nexport function analyzeSecurityWarnings(\n policySet: PolicySet,\n): readonly SecurityWarning[] {\n const warnings: SecurityWarning[] = [];\n\n for (const rule of policySet.rules) {\n warnings.push(...analyzeRuleWarnings(rule));\n }\n\n const allowRules = policySet.rules.filter(\n (r) => r.effect === 'ALLOW' && r.enabled,\n );\n const wildcardAllows = allowRules.filter((r) => r.toolPattern === '*');\n\n if (wildcardAllows.length > 0) {\n warnings.push({\n level: 'CRITICAL',\n code: 'WILDCARD_ALLOW',\n message: UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW,\n recommendation:\n 'Replace wildcard ALLOW rules with specific tool patterns.',\n });\n }\n\n return warnings;\n}\n\nfunction analyzeRuleWarnings(rule: PolicyRule): SecurityWarning[] {\n const warnings: SecurityWarning[] = [];\n\n if (rule.effect === 'ALLOW' && rule.minimumTrustLevel === 'UNTRUSTED') {\n warnings.push({\n level: 'CRITICAL',\n code: 'ALLOW_UNTRUSTED',\n message: `Rule \"${rule.id}\" allows execution for UNTRUSTED requests. 
Unverified LLM requests can execute tools.`,\n ruleId: rule.id,\n recommendation:\n 'Set minimumTrustLevel to VERIFIED or higher for ALLOW rules.',\n });\n }\n\n if (rule.effect === 'ALLOW' && rule.permission === 'EXECUTE') {\n warnings.push({\n level: 'WARNING',\n code: 'ALLOW_EXECUTE',\n message: UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW,\n ruleId: rule.id,\n recommendation:\n 'Ensure EXECUTE permissions are intentional and scoped to specific tools.',\n });\n }\n\n return warnings;\n}\n","import type { PolicySet } from '@solongate/core';\nimport { PolicyEffect, Permission, TrustLevel } from '@solongate/core';\n\n/**\n * Creates the default \"deny all\" policy set.\n * This is the starting policy for any new SolonGate deployment.\n */\nexport function createDefaultDenyPolicySet(): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: 'default-deny',\n name: 'Default Deny All',\n description:\n 'Denies all tool executions. Add explicit ALLOW rules to grant access to specific tools.',\n version: 1,\n rules: [\n {\n id: 'deny-all-execute',\n description: 'Explicitly deny all tool executions',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.EXECUTE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'deny-all-write',\n description: 'Explicitly deny all write operations',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.WRITE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'deny-all-read',\n description: 'Explicitly deny all read operations',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n\n/**\n * Creates a permissive \"allow all\" 
policy set.\n * Allows all tool executions — useful for development or when\n * using SolonGate only for monitoring and audit logging.\n */\nexport function createPermissivePolicySet(): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: 'permissive',\n name: 'Permissive (Allow All)',\n description: 'Allows all tool executions. SolonGate still provides input validation, rate limiting, and audit logging.',\n version: 1,\n rules: [\n {\n id: 'allow-all-execute',\n description: 'Allow all tool executions',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.EXECUTE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'allow-all-read',\n description: 'Allow all read operations',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'allow-all-write',\n description: 'Allow all write operations',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.WRITE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n\n/**\n * Creates a read-only policy set for a specific tool pattern.\n * Allows reads for VERIFIED requests only.\n */\nexport function createReadOnlyPolicySet(toolPattern: string): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: `read-only-${toolPattern}`,\n name: `Read-Only: ${toolPattern}`,\n description: `Allows read access to tools matching \"${toolPattern}\". 
Denies write and execute.`,\n version: 1,\n rules: [\n {\n id: `allow-read-${toolPattern}`,\n description: `Allow read access to ${toolPattern}`,\n effect: PolicyEffect.ALLOW,\n priority: 100,\n toolPattern,\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.VERIFIED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n","import type {\n PolicySet,\n PolicyDecision,\n ExecutionRequest,\n} from '@solongate/core';\nimport { POLICY_EVALUATION_TIMEOUT_MS } from '@solongate/core';\nimport { evaluatePolicy } from './evaluator.js';\nimport { validatePolicySet, type ValidationResult } from './validator.js';\nimport { analyzeSecurityWarnings, type SecurityWarning } from './warnings.js';\nimport { createDefaultDenyPolicySet } from './defaults.js';\nimport { PolicyStore, type PolicyVersion } from './policy-store.js';\n\n/**\n * PolicyEngine is the primary interface for policy evaluation.\n *\n * Wraps pure evaluation functions with:\n * - Policy set management (load, validate, swap)\n * - Timeout protection\n * - Warning aggregation\n * - Optional versioned policy store\n */\nexport class PolicyEngine {\n private policySet: PolicySet;\n private readonly timeoutMs: number;\n private readonly store: PolicyStore | null;\n\n constructor(options?: {\n policySet?: PolicySet;\n timeoutMs?: number;\n store?: PolicyStore;\n }) {\n this.policySet = options?.policySet ?? createDefaultDenyPolicySet();\n this.timeoutMs = options?.timeoutMs ?? POLICY_EVALUATION_TIMEOUT_MS;\n this.store = options?.store ?? 
null;\n }\n\n /**\n * Evaluates an execution request against the current policy set.\n * Never throws for denials - denial is a normal outcome, not an error.\n */\n evaluate(request: ExecutionRequest): PolicyDecision {\n const startTime = performance.now();\n const decision = evaluatePolicy(this.policySet, request);\n const elapsed = performance.now() - startTime;\n\n if (elapsed > this.timeoutMs) {\n console.warn(\n `[SolonGate] Policy evaluation took ${elapsed.toFixed(1)}ms ` +\n `(limit: ${this.timeoutMs}ms) for tool \"${request.toolName}\"`,\n );\n }\n\n return decision;\n }\n\n /**\n * Loads a new policy set, replacing the current one.\n * Validates before accepting. Auto-saves version when store is present.\n */\n loadPolicySet(\n policySet: PolicySet,\n options?: { reason?: string; createdBy?: string },\n ): ValidationResult {\n const validation = validatePolicySet(policySet);\n if (!validation.valid) {\n return validation;\n }\n this.policySet = policySet;\n\n if (this.store) {\n this.store.saveVersion(\n policySet,\n options?.reason ?? 'Policy updated',\n options?.createdBy ?? 
'system',\n );\n }\n\n return validation;\n }\n\n /**\n * Rolls back to a previous policy version.\n * Only available when a PolicyStore is configured.\n */\n rollback(version: number): PolicyVersion {\n if (!this.store) {\n throw new Error('PolicyStore not configured - cannot rollback');\n }\n\n const policyVersion = this.store.rollback(this.policySet.id, version);\n this.policySet = policyVersion.policySet;\n return policyVersion;\n }\n\n getPolicySet(): Readonly<PolicySet> {\n return this.policySet;\n }\n\n getSecurityWarnings(): readonly SecurityWarning[] {\n return analyzeSecurityWarnings(this.policySet);\n }\n\n getStore(): PolicyStore | null {\n return this.store;\n }\n\n reset(): void {\n this.policySet = createDefaultDenyPolicySet();\n }\n}\n","import type { PolicySet, PolicyRule } from '@solongate/core';\nimport { createHash } from 'node:crypto';\n\n/**\n * A versioned snapshot of a policy set.\n * Immutable once created - modifications create new versions.\n */\nexport interface PolicyVersion {\n readonly version: number;\n readonly policySet: PolicySet;\n readonly hash: string;\n readonly reason: string;\n readonly createdBy: string;\n readonly createdAt: string;\n}\n\n/**\n * Diff between two policy versions.\n */\nexport interface PolicyDiff {\n readonly added: readonly PolicyRule[];\n readonly removed: readonly PolicyRule[];\n readonly modified: readonly { readonly old: PolicyRule; readonly new: PolicyRule }[];\n}\n\n/**\n * In-memory versioned policy store.\n * Stores complete history of policy changes with cryptographic hashes.\n *\n * Security properties:\n * - Immutable versions: once saved, a version cannot be modified\n * - Hash chain: each version includes SHA256 of the policy content\n * - Full history: no version is ever deleted\n */\nexport class PolicyStore {\n private readonly versions = new Map<string, PolicyVersion[]>();\n\n /**\n * Saves a new version of a policy set.\n * The version number auto-increments.\n */\n saveVersion(\n 
policySet: PolicySet,\n reason: string,\n createdBy: string,\n ): PolicyVersion {\n const id = policySet.id;\n const history = this.versions.get(id) ?? [];\n\n const latestVersion = history.length > 0 ? history[history.length - 1]!.version : 0;\n\n const version: PolicyVersion = {\n version: latestVersion + 1,\n policySet: Object.freeze({ ...policySet }),\n hash: this.computeHash(policySet),\n reason,\n createdBy,\n createdAt: new Date().toISOString(),\n };\n\n const newHistory = [...history, version];\n this.versions.set(id, newHistory);\n\n return version;\n }\n\n /**\n * Gets a specific version of a policy set.\n */\n getVersion(id: string, version: number): PolicyVersion | null {\n const history = this.versions.get(id);\n if (!history) return null;\n return history.find((v) => v.version === version) ?? null;\n }\n\n /**\n * Gets the latest version of a policy set.\n */\n getLatest(id: string): PolicyVersion | null {\n const history = this.versions.get(id);\n if (!history || history.length === 0) return null;\n return history[history.length - 1]!;\n }\n\n /**\n * Gets the full version history of a policy set.\n */\n getHistory(id: string): readonly PolicyVersion[] {\n return this.versions.get(id) ?? 
[];\n }\n\n /**\n * Rolls back to a previous version by creating a new version\n * with the same content as the target version.\n */\n rollback(id: string, toVersion: number): PolicyVersion {\n const target = this.getVersion(id, toVersion);\n if (!target) {\n throw new Error(`Version ${toVersion} not found for policy \"${id}\"`);\n }\n\n return this.saveVersion(\n target.policySet,\n `Rollback to version ${toVersion}`,\n 'system',\n );\n }\n\n /**\n * Computes a diff between two policy versions.\n */\n diff(v1: PolicyVersion, v2: PolicyVersion): PolicyDiff {\n const oldRulesMap = new Map(v1.policySet.rules.map((r) => [r.id, r]));\n const newRulesMap = new Map(v2.policySet.rules.map((r) => [r.id, r]));\n\n const added: PolicyRule[] = [];\n const removed: PolicyRule[] = [];\n const modified: { old: PolicyRule; new: PolicyRule }[] = [];\n\n // Find added and modified rules\n for (const [id, newRule] of newRulesMap) {\n const oldRule = oldRulesMap.get(id);\n if (!oldRule) {\n added.push(newRule);\n } else if (JSON.stringify(oldRule) !== JSON.stringify(newRule)) {\n modified.push({ old: oldRule, new: newRule });\n }\n }\n\n // Find removed rules\n for (const [id, oldRule] of oldRulesMap) {\n if (!newRulesMap.has(id)) {\n removed.push(oldRule);\n }\n }\n\n return { added, removed, modified };\n }\n\n /**\n * Computes SHA256 hash of a policy set for integrity verification.\n */\n computeHash(policySet: PolicySet): string {\n const serialized = JSON.stringify(policySet, Object.keys(policySet).sort());\n return createHash('sha256').update(serialized).digest('hex');\n }\n}\n","import type { PolicySet, InputGuardConfig } from '@solongate/core';\nimport { UNSAFE_CONFIGURATION_WARNINGS, DEFAULT_INPUT_GUARD_CONFIG } from '@solongate/core';\n\n/**\n * Configuration for the SolonGate SDK.\n * All fields have secure defaults. 
Weakening requires explicit opt-in.\n */\nexport interface SolonGateConfig {\n readonly policySet?: PolicySet;\n readonly validateSchemas: boolean;\n readonly enableLogging: boolean;\n readonly logLevel: 'debug' | 'info' | 'warn' | 'error';\n readonly evaluationTimeoutMs: number;\n readonly verboseErrors: boolean;\n readonly globalRateLimitPerMinute: number;\n\n // Phase 1 additions\n readonly rateLimitPerTool: number;\n readonly tokenSecret?: string;\n readonly tokenTtlSeconds: number;\n readonly tokenIssuer?: string;\n readonly gatewaySecret?: string;\n readonly inputGuardConfig: InputGuardConfig;\n readonly enableVersionedPolicies: boolean;\n readonly apiUrl?: string;\n}\n\nexport const DEFAULT_CONFIG: Readonly<SolonGateConfig> = Object.freeze({\n validateSchemas: true,\n enableLogging: true,\n logLevel: 'info',\n evaluationTimeoutMs: 100,\n verboseErrors: false,\n globalRateLimitPerMinute: 600,\n rateLimitPerTool: 60,\n tokenTtlSeconds: 30,\n inputGuardConfig: DEFAULT_INPUT_GUARD_CONFIG,\n enableVersionedPolicies: true,\n});\n\nexport function resolveConfig(\n userConfig?: Partial<SolonGateConfig>,\n): { config: SolonGateConfig; warnings: string[] } {\n const warnings: string[] = [];\n const config = { ...DEFAULT_CONFIG, ...userConfig };\n\n if (!config.validateSchemas) {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.DISABLED_VALIDATION);\n }\n if (config.globalRateLimitPerMinute === 0) {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.RATE_LIMIT_ZERO);\n }\n if (config.verboseErrors) {\n warnings.push(\n 'Verbose errors enabled: internal error details will be sent to the LLM.',\n );\n }\n if (config.tokenSecret && config.tokenSecret.length < 32) {\n warnings.push(\n 'Token secret is shorter than 32 characters. 
Use a longer secret for production.',\n );\n }\n\n return { config, warnings };\n}\n","import type {\n ExecutionRequest,\n ExecutionResult,\n McpCallToolParams,\n McpCallToolResult,\n} from '@solongate/core';\nimport {\n Permission,\n PolicyDeniedError,\n SchemaValidationError,\n RateLimitError,\n createDeniedToolResult,\n createSecurityContext,\n sanitizeInput,\n type InputGuardConfig,\n DEFAULT_INPUT_GUARD_CONFIG,\n} from '@solongate/core';\nimport type { PolicyEngine } from '@solongate/policy-engine';\nimport type { TokenIssuer } from './token-issuer.js';\nimport type { ServerVerifier } from './server-verifier.js';\nimport type { RateLimiter } from './rate-limiter.js';\nimport { randomUUID } from 'node:crypto';\n\nexport interface InterceptorOptions {\n readonly policyEngine: PolicyEngine;\n readonly validateSchemas: boolean;\n readonly verboseErrors: boolean;\n readonly onDecision?: (result: ExecutionResult) => void;\n\n // Phase 1 additions\n readonly tokenIssuer?: TokenIssuer;\n readonly serverVerifier?: ServerVerifier;\n readonly rateLimiter?: RateLimiter;\n readonly inputGuardConfig?: InputGuardConfig;\n readonly rateLimitPerTool?: number;\n readonly globalRateLimitPerMinute?: number;\n}\n\n/**\n * Intercepts an MCP tool call and runs the full security pipeline:\n *\n * 1. Rate limit check → RateLimitError if exceeded\n * 2. Input guard (sanitization) → SchemaValidationError if dangerous\n * 3. Policy evaluation → PolicyDeniedError if denied\n * 4. Issue capability token (if TokenIssuer configured)\n * 5. Sign request (if ServerVerifier configured)\n * 6. Call upstream\n * 7. Record rate limit usage\n * 8. Log to audit trail\n * 9. 
Return result\n */\nexport async function interceptToolCall(\n params: McpCallToolParams,\n upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>,\n options: InterceptorOptions,\n): Promise<McpCallToolResult> {\n const requestId = randomUUID();\n const timestamp = new Date().toISOString();\n\n const context = createSecurityContext({ requestId });\n\n const request: ExecutionRequest = {\n context,\n toolName: params.name,\n serverName: 'default',\n arguments: params.arguments ?? {},\n requiredPermission: Permission.EXECUTE,\n timestamp,\n };\n\n // --- Step 1: Rate limit check ---\n if (options.rateLimiter) {\n // Per-tool rate limit\n if (options.rateLimitPerTool) {\n const toolLimit = options.rateLimiter.checkLimit(\n params.name,\n options.rateLimitPerTool,\n );\n if (!toolLimit.allowed) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new RateLimitError(params.name, options.rateLimitPerTool),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n return createDeniedToolResult(\n `Rate limit exceeded for tool \"${params.name}\"`,\n );\n }\n }\n\n // Global rate limit\n if (options.globalRateLimitPerMinute) {\n const globalLimit = options.rateLimiter.checkGlobalLimit(\n options.globalRateLimitPerMinute,\n );\n if (!globalLimit.allowed) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new RateLimitError('*', options.globalRateLimitPerMinute),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n return createDeniedToolResult('Global rate limit exceeded');\n }\n }\n }\n\n // --- Step 2: Input guard (sanitization) ---\n if (options.validateSchemas && params.arguments) {\n const guardConfig = options.inputGuardConfig ?? 
DEFAULT_INPUT_GUARD_CONFIG;\n const sanitization = sanitizeInput('arguments', params.arguments, guardConfig);\n\n if (!sanitization.safe) {\n const threatDescriptions = sanitization.threats.map(\n (t) => `${t.type}: ${t.description} (field: ${t.field})`,\n );\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new SchemaValidationError(params.name, threatDescriptions),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n const reason = options.verboseErrors\n ? `Input validation failed: ${sanitization.threats.length} threat(s) detected`\n : 'Input validation failed.';\n return createDeniedToolResult(reason);\n }\n }\n\n // --- Step 3: Policy evaluation ---\n const decision = options.policyEngine.evaluate(request);\n\n if (decision.effect === 'DENY') {\n const result: ExecutionResult = {\n status: 'DENIED',\n request,\n decision,\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n const reason = options.verboseErrors\n ? 
decision.reason\n : 'Tool execution denied by security policy.';\n return createDeniedToolResult(reason);\n }\n\n // --- Step 4: Issue capability token ---\n let capabilityToken: string | undefined;\n if (options.tokenIssuer) {\n capabilityToken = options.tokenIssuer.issue(\n requestId,\n [Permission.EXECUTE],\n [params.name],\n );\n }\n\n // --- Step 5: Sign request ---\n if (options.serverVerifier && capabilityToken) {\n options.serverVerifier.createSignedRequest(params, capabilityToken);\n }\n\n // --- Step 6: Call upstream ---\n try {\n const startTime = performance.now();\n const toolResult = await upstreamCall(params);\n const durationMs = performance.now() - startTime;\n\n // --- Step 7: Record rate limit usage ---\n if (options.rateLimiter) {\n options.rateLimiter.recordCall(params.name);\n }\n\n // --- Step 8: Log to audit trail ---\n const result: ExecutionResult = {\n status: 'ALLOWED',\n request,\n decision,\n toolResult,\n durationMs,\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n return toolResult;\n } catch (error) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: error instanceof Error\n ? 
new PolicyDeniedError(params.name, error.message)\n : new PolicyDeniedError(params.name, 'Unknown upstream error'),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n throw error;\n }\n}\n","import type { ExecutionResult } from '@solongate/core';\n\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\nconst LOG_LEVEL_ORDER: Record<LogLevel, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n};\n\n/**\n * Structured security event logger.\n * Outputs JSON-formatted log entries for machine consumption.\n */\nexport class SecurityLogger {\n private readonly minLevel: LogLevel;\n private readonly enabled: boolean;\n\n constructor(options: { level: LogLevel; enabled: boolean }) {\n this.minLevel = options.level;\n this.enabled = options.enabled;\n }\n\n logDecision(result: ExecutionResult): void {\n if (!this.enabled) return;\n\n const entry = {\n type: 'security_decision',\n status: result.status,\n toolName: result.request.toolName,\n permission: result.request.requiredPermission,\n trustLevel: result.request.context.trustLevel,\n requestId: result.request.context.requestId,\n timestamp: result.timestamp,\n ...(result.status === 'ALLOWED' && { durationMs: result.durationMs }),\n ...(result.status === 'DENIED' && { reason: result.decision.reason }),\n ...(result.status === 'ERROR' && { error: result.error.code }),\n };\n\n if (result.status === 'DENIED' || result.status === 'ERROR') {\n this.log('warn', entry);\n } else {\n this.log('info', entry);\n }\n }\n\n private log(level: LogLevel, data: Record<string, unknown>): void {\n if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[this.minLevel]) return;\n\n const output = JSON.stringify({ level, ...data });\n switch (level) {\n case 'error':\n console.error(`[SolonGate] ${output}`);\n break;\n case 'warn':\n console.warn(`[SolonGate] ${output}`);\n break;\n case 'debug':\n console.debug(`[SolonGate] ${output}`);\n break;\n default:\n console.info(`[SolonGate] ${output}`);\n }\n 
}\n}\n","import { createHmac, randomUUID } from 'node:crypto';\nimport type {\n CapabilityToken,\n TokenConfig,\n TokenVerificationResult,\n Permission,\n} from '@solongate/core';\nimport {\n DEFAULT_TOKEN_TTL_SECONDS,\n TOKEN_ALGORITHM,\n MIN_SECRET_LENGTH,\n} from '@solongate/core';\n\n/**\n * Issues and verifies capability tokens using HMAC-SHA256.\n *\n * Security properties:\n * - Short-lived TTL (default 30 seconds)\n * - Single-use nonces (replay prevention)\n * - Revocation support\n * - No external JWT library dependency\n */\nexport class TokenIssuer {\n private readonly secret: string;\n private readonly ttlSeconds: number;\n private readonly issuer: string;\n private readonly usedNonces = new Set<string>();\n private readonly revokedTokens = new Set<string>();\n\n constructor(config: TokenConfig) {\n if (config.secret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `Token secret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n this.secret = config.secret;\n this.ttlSeconds = config.ttlSeconds || DEFAULT_TOKEN_TTL_SECONDS;\n this.issuer = config.issuer;\n }\n\n /**\n * Issues a signed capability token.\n */\n issue(\n requestId: string,\n permissions: readonly Permission[],\n toolScope: readonly string[],\n serverScope: readonly string[] = ['*'],\n pathScope?: readonly string[],\n ): string {\n const now = Math.floor(Date.now() / 1000);\n const jti = randomUUID();\n\n const payload: CapabilityToken = {\n jti,\n iss: this.issuer,\n sub: requestId,\n iat: now,\n exp: now + this.ttlSeconds,\n permissions: [...permissions],\n toolScope: [...toolScope],\n serverScope: [...serverScope],\n ...(pathScope && { pathScope: [...pathScope] }),\n };\n\n return this.sign(payload);\n }\n\n /**\n * Verifies a capability token and consumes the nonce (single-use).\n */\n verify(token: string): TokenVerificationResult {\n // 1. 
Parse and verify signature\n const parsed = this.parseAndVerify(token);\n if (!parsed.valid || !parsed.payload) {\n return parsed;\n }\n\n const payload = parsed.payload;\n\n // 2. Check expiration\n const now = Math.floor(Date.now() / 1000);\n if (payload.exp <= now) {\n return { valid: false, reason: 'Token expired' };\n }\n\n // 3. Check if revoked\n if (this.revokedTokens.has(payload.jti)) {\n return { valid: false, reason: 'Token has been revoked' };\n }\n\n // 4. Check if already used (single-use)\n if (this.usedNonces.has(payload.jti)) {\n return { valid: false, reason: 'Token already used (replay detected)' };\n }\n\n // 5. Consume nonce\n this.usedNonces.add(payload.jti);\n\n return { valid: true, payload };\n }\n\n /**\n * Revokes a token by its ID.\n */\n revoke(jti: string): void {\n this.revokedTokens.add(jti);\n }\n\n /**\n * Checks if a token ID has been revoked.\n */\n isRevoked(jti: string): boolean {\n return this.revokedTokens.has(jti);\n }\n\n // --- Internal helpers ---\n\n private sign(payload: CapabilityToken): string {\n const header = base64UrlEncode(JSON.stringify({ alg: TOKEN_ALGORITHM, typ: 'JWT' }));\n const body = base64UrlEncode(JSON.stringify(payload));\n const signature = this.computeSignature(`${header}.${body}`);\n return `${header}.${body}.${signature}`;\n }\n\n private parseAndVerify(token: string): TokenVerificationResult {\n const parts = token.split('.');\n if (parts.length !== 3) {\n return { valid: false, reason: 'Invalid token format' };\n }\n\n const [header, body, signature] = parts as [string, string, string];\n const expectedSignature = this.computeSignature(`${header}.${body}`);\n\n if (signature !== expectedSignature) {\n return { valid: false, reason: 'Invalid token signature' };\n }\n\n try {\n const payload = JSON.parse(base64UrlDecode(body)) as CapabilityToken;\n return { valid: true, payload };\n } catch {\n return { valid: false, reason: 'Invalid token payload' };\n }\n }\n\n private computeSignature(data: 
string): string {\n return base64UrlEncode(\n createHmac('sha256', this.secret).update(data).digest('base64'),\n );\n }\n}\n\nfunction base64UrlEncode(str: string): string {\n return Buffer.from(str)\n .toString('base64')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+$/, '');\n}\n\nfunction base64UrlDecode(str: string): string {\n const padded = str + '='.repeat((4 - (str.length % 4)) % 4);\n return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();\n}\n","import { createHmac, randomUUID } from 'node:crypto';\nimport type { McpCallToolParams } from '@solongate/core';\n\n/**\n * A signed MCP request that includes capability token and integrity signature.\n * Requests without valid gateway signature should be rejected by MCP servers.\n */\nexport interface SignedMcpRequest {\n readonly params: McpCallToolParams;\n readonly capabilityToken: string;\n readonly signature: string;\n readonly timestamp: string;\n readonly nonce: string;\n}\n\n/**\n * Result of validating a signed request.\n */\nexport interface SignatureValidationResult {\n readonly valid: boolean;\n readonly reason?: string;\n}\n\n/**\n * Signs and verifies MCP requests to ensure they originate from the gateway.\n *\n * Security properties:\n * - HMAC-SHA256 signature of request params + token\n * - Timestamp to prevent old request replays\n * - Nonce for uniqueness\n * - Configurable max age for timestamp validation\n */\nexport class ServerVerifier {\n private readonly gatewaySecret: string;\n private readonly maxAgeMs: number;\n private readonly usedNonces = new Set<string>();\n\n constructor(config: {\n gatewaySecret: string;\n maxAgeMs?: number;\n }) {\n if (config.gatewaySecret.length < 32) {\n throw new Error('Gateway secret must be at least 32 characters');\n }\n this.gatewaySecret = config.gatewaySecret;\n this.maxAgeMs = config.maxAgeMs ?? 
60_000; // 1 minute default\n }\n\n /**\n * Computes HMAC signature for request data.\n */\n signRequest(params: McpCallToolParams, capabilityToken: string): string {\n const data = JSON.stringify({ params, capabilityToken });\n return createHmac('sha256', this.gatewaySecret)\n .update(data)\n .digest('hex');\n }\n\n /**\n * Verifies the HMAC signature of request data.\n */\n verifySignature(\n params: McpCallToolParams,\n capabilityToken: string,\n signature: string,\n ): boolean {\n const expected = this.signRequest(params, capabilityToken);\n // Constant-time comparison to prevent timing attacks\n if (expected.length !== signature.length) return false;\n let result = 0;\n for (let i = 0; i < expected.length; i++) {\n result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n }\n return result === 0;\n }\n\n /**\n * Creates a complete signed request including timestamp and nonce.\n */\n createSignedRequest(\n params: McpCallToolParams,\n capabilityToken: string,\n ): SignedMcpRequest {\n const timestamp = new Date().toISOString();\n const nonce = randomUUID();\n const signature = this.signRequest(params, capabilityToken);\n\n return {\n params,\n capabilityToken,\n signature,\n timestamp,\n nonce,\n };\n }\n\n /**\n * Validates a complete signed request including timestamp, nonce, and signature.\n */\n validateSignedRequest(request: SignedMcpRequest): SignatureValidationResult {\n // 1. Check timestamp freshness\n const requestTime = new Date(request.timestamp).getTime();\n const now = Date.now();\n if (isNaN(requestTime)) {\n return { valid: false, reason: 'Invalid timestamp' };\n }\n if (now - requestTime > this.maxAgeMs) {\n return { valid: false, reason: 'Request too old' };\n }\n if (requestTime > now + 30_000) {\n return { valid: false, reason: 'Request timestamp in the future' };\n }\n\n // 2. Check nonce uniqueness\n if (this.usedNonces.has(request.nonce)) {\n return { valid: false, reason: 'Duplicate nonce (replay detected)' };\n }\n\n // 3. 
Verify signature\n if (!this.verifySignature(request.params, request.capabilityToken, request.signature)) {\n return { valid: false, reason: 'Invalid signature' };\n }\n\n // 4. Mark nonce as used\n this.usedNonces.add(request.nonce);\n\n return { valid: true };\n }\n}\n","import { RATE_LIMIT_WINDOW_MS, RATE_LIMIT_MAX_ENTRIES } from '@solongate/core';\n\n/**\n * Result of a rate limit check.\n */\nexport interface RateLimitResult {\n readonly allowed: boolean;\n readonly remaining: number;\n readonly resetAt: number;\n}\n\n/**\n * Record of a single tool call for rate tracking.\n */\ninterface CallRecord {\n readonly timestamp: number;\n}\n\n/**\n * Sliding window rate limiter for tool calls.\n *\n * Tracks per-tool and global call rates using an in-memory sliding window.\n * Window size defaults to 1 minute.\n */\nexport class RateLimiter {\n private readonly windowMs: number;\n private readonly records = new Map<string, CallRecord[]>();\n private globalRecords: CallRecord[] = [];\n\n constructor(options?: { windowMs?: number }) {\n this.windowMs = options?.windowMs ?? RATE_LIMIT_WINDOW_MS;\n }\n\n /**\n * Checks if a tool call is within the rate limit.\n * Does NOT record the call - use recordCall() after successful execution.\n */\n checkLimit(\n toolName: string,\n limitPerWindow: number,\n ): RateLimitResult {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n\n const records = this.getActiveRecords(toolName, windowStart);\n const count = records.length;\n const allowed = count < limitPerWindow;\n const remaining = Math.max(0, limitPerWindow - count);\n const resetAt = records.length > 0\n ? 
records[0]!.timestamp + this.windowMs\n : now + this.windowMs;\n\n return { allowed, remaining, resetAt };\n }\n\n /**\n * Checks the global rate limit across all tools.\n */\n checkGlobalLimit(limitPerWindow: number): RateLimitResult {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n\n this.globalRecords = this.globalRecords.filter(\n (r) => r.timestamp > windowStart,\n );\n const count = this.globalRecords.length;\n const allowed = count < limitPerWindow;\n const remaining = Math.max(0, limitPerWindow - count);\n const resetAt = this.globalRecords.length > 0\n ? this.globalRecords[0]!.timestamp + this.windowMs\n : now + this.windowMs;\n\n return { allowed, remaining, resetAt };\n }\n\n /**\n * Atomically checks and records a tool call.\n * Prevents TOCTOU race conditions between check and record.\n * Returns the rate limit result; if allowed, the call is already recorded.\n */\n checkAndRecord(\n toolName: string,\n limitPerWindow: number,\n globalLimit?: number,\n ): RateLimitResult {\n // Check per-tool limit\n const result = this.checkLimit(toolName, limitPerWindow);\n if (!result.allowed) {\n return result;\n }\n\n // Check global limit if provided\n if (globalLimit !== undefined) {\n const globalResult = this.checkGlobalLimit(globalLimit);\n if (!globalResult.allowed) {\n return globalResult;\n }\n }\n\n // Atomically record since we've confirmed it's allowed\n this.recordCall(toolName);\n return result;\n }\n\n /**\n * Records a tool call for rate limiting.\n * Call this after successful execution.\n */\n recordCall(toolName: string): void {\n const now = Date.now();\n const record: CallRecord = { timestamp: now };\n\n // Per-tool tracking\n const records = this.records.get(toolName) ?? 
[];\n records.push(record);\n\n // Cleanup old entries to prevent unbounded growth\n if (records.length > RATE_LIMIT_MAX_ENTRIES) {\n const windowStart = now - this.windowMs;\n const cleaned = records.filter((r) => r.timestamp > windowStart);\n this.records.set(toolName, cleaned);\n } else {\n this.records.set(toolName, records);\n }\n\n // Global tracking\n this.globalRecords.push(record);\n if (this.globalRecords.length > RATE_LIMIT_MAX_ENTRIES) {\n const windowStart = now - this.windowMs;\n this.globalRecords = this.globalRecords.filter(\n (r) => r.timestamp > windowStart,\n );\n }\n }\n\n /**\n * Gets usage stats for a tool.\n */\n getUsage(toolName: string): { count: number; windowStart: number } {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n const records = this.getActiveRecords(toolName, windowStart);\n return { count: records.length, windowStart };\n }\n\n /**\n * Resets rate tracking for a specific tool.\n */\n resetTool(toolName: string): void {\n this.records.delete(toolName);\n }\n\n /**\n * Resets all rate tracking.\n */\n resetAll(): void {\n this.records.clear();\n this.globalRecords = [];\n }\n\n private getActiveRecords(\n toolName: string,\n windowStart: number,\n ): CallRecord[] {\n const records = this.records.get(toolName) ?? 
[];\n const active = records.filter((r) => r.timestamp > windowStart);\n\n // Update stored records to remove expired entries\n if (active.length !== records.length) {\n this.records.set(toolName, active);\n }\n\n return active;\n }\n}\n","import type { PolicySet, McpCallToolParams, McpCallToolResult } from '@solongate/core';\nimport { TOKEN_ALGORITHM } from '@solongate/core';\nimport { PolicyEngine, PolicyStore } from '@solongate/policy-engine';\nimport { resolveConfig, type SolonGateConfig } from './config.js';\nimport { interceptToolCall } from './interceptor.js';\nimport { SecurityLogger } from './logger.js';\nimport { TokenIssuer } from './token-issuer.js';\nimport { ServerVerifier } from './server-verifier.js';\nimport { RateLimiter } from './rate-limiter.js';\n\n/**\n * Error thrown when a valid SolonGate license (API key) is missing or invalid.\n */\nexport class LicenseError extends Error {\n constructor(message: string) {\n super(\n `${message}\\n` +\n ' Get your API key at https://solongate.com\\n' +\n \" Usage: new SolonGate({ name: '...', apiKey: 'sg_live_xxx' })\",\n );\n this.name = 'LicenseError';\n }\n}\n\n/**\n * SolonGate - Security Gateway for MCP Tool Servers.\n *\n * Requires a valid API key. 
Get one at https://solongate.com\n *\n * Usage:\n * ```typescript\n * const gate = new SolonGate({ name: 'my-gateway', apiKey: 'sg_live_xxx' });\n *\n * // Intercept a tool call\n * const result = await gate.executeToolCall(\n * { name: 'file.read', arguments: { path: '/etc/passwd' } },\n * async (params) => upstreamMcpServer.callTool(params),\n * );\n * ```\n *\n * Architecture:\n * [LLM] -> [SolonGate.executeToolCall] -> [Security Pipeline] -> [Upstream MCP Server]\n *\n * Pipeline:\n * Rate Limit → Input Guard → Policy Eval → Token Issue → Sign → Call → Audit\n */\nexport class SolonGate {\n private readonly policyEngine: PolicyEngine;\n private readonly config: SolonGateConfig;\n private readonly logger: SecurityLogger;\n private readonly configWarnings: string[];\n private readonly tokenIssuer: TokenIssuer | null;\n private readonly serverVerifier: ServerVerifier | null;\n private readonly rateLimiter: RateLimiter;\n private readonly apiKey: string;\n private licenseValidated = false;\n\n constructor(options: {\n name: string;\n version?: string;\n apiKey?: string;\n config?: Partial<SolonGateConfig>;\n policySet?: PolicySet;\n }) {\n // License gate: require a valid API key\n const apiKey = options.apiKey || process.env.SOLONGATE_API_KEY || '';\n if (!apiKey) {\n throw new LicenseError('A valid SolonGate API key is required.');\n }\n if (!apiKey.startsWith('sg_live_') && !apiKey.startsWith('sg_test_')) {\n throw new LicenseError(\n \"Invalid API key format. Keys must start with 'sg_live_' or 'sg_test_'.\",\n );\n }\n this.apiKey = apiKey;\n\n const { config, warnings } = resolveConfig(options.config);\n this.config = config;\n this.configWarnings = warnings;\n\n this.logger = new SecurityLogger({\n level: config.logLevel,\n enabled: config.enableLogging,\n });\n\n for (const warning of warnings) {\n console.warn(`[SolonGate] WARNING: ${warning}`);\n }\n\n // Initialize PolicyEngine with optional versioned store\n const store = config.enableVersionedPolicies ? 
new PolicyStore() : undefined;\n this.policyEngine = new PolicyEngine({\n policySet: options.policySet ?? config.policySet,\n timeoutMs: config.evaluationTimeoutMs,\n store,\n });\n\n // If no local policySet provided and using a live key, fetch from cloud\n if (!options.policySet && !config.policySet && apiKey.startsWith('sg_live_')) {\n this.fetchCloudPolicyOnce();\n }\n\n // Initialize TokenIssuer if secret is provided\n this.tokenIssuer = config.tokenSecret\n ? new TokenIssuer({\n secret: config.tokenSecret,\n ttlSeconds: config.tokenTtlSeconds,\n algorithm: TOKEN_ALGORITHM,\n issuer: config.tokenIssuer ?? options.name,\n })\n : null;\n\n // Initialize ServerVerifier if gateway secret is provided\n this.serverVerifier = config.gatewaySecret\n ? new ServerVerifier({ gatewaySecret: config.gatewaySecret })\n : null;\n\n // Always initialize rate limiter\n this.rateLimiter = new RateLimiter();\n }\n\n /**\n * Validate the API key against the SolonGate cloud API.\n * Called once on first executeToolCall. Throws LicenseError if invalid.\n * Test keys (sg_test_) skip online validation.\n */\n private async validateLicense(): Promise<void> {\n if (this.licenseValidated) return;\n\n // Test keys skip online validation (for unit tests and local dev)\n if (this.apiKey.startsWith('sg_test_')) {\n this.licenseValidated = true;\n return;\n }\n\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n try {\n const res = await fetch(`${apiUrl}/api/v1/auth/me`, {\n headers: {\n 'X-API-Key': this.apiKey,\n 'Authorization': `Bearer ${this.apiKey}`,\n },\n signal: AbortSignal.timeout(10_000),\n });\n\n if (res.status === 401) {\n throw new LicenseError('Invalid or expired API key.');\n }\n if (res.status === 403) {\n throw new LicenseError('Your subscription is inactive. 
Renew at https://solongate.com');\n }\n\n this.licenseValidated = true;\n } catch (err) {\n if (err instanceof LicenseError) throw err;\n throw new LicenseError(\n 'Unable to reach SolonGate license server. Check your internet connection.',\n );\n }\n }\n\n /**\n * Fetch policy from SolonGate Cloud API (fire once, non-blocking).\n */\n private fetchCloudPolicyOnce(): void {\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n fetch(`${apiUrl}/api/v1/policies/default`, {\n headers: { 'Authorization': `Bearer ${this.apiKey}` },\n signal: AbortSignal.timeout(10_000),\n })\n .then(async (res) => {\n if (!res.ok) return;\n const data = (await res.json()) as Record<string, unknown>;\n const policySet: PolicySet = {\n id: String(data.id ?? 'cloud'),\n name: String(data.name ?? 'Cloud Policy'),\n description: String(data.description ?? ''),\n version: Number(data._version ?? 1),\n rules: (data.rules as PolicySet['rules']) ?? [],\n createdAt: String(data._created_at ?? ''),\n updatedAt: '',\n };\n this.policyEngine.loadPolicySet(policySet);\n console.warn(`[SolonGate] Loaded cloud policy: ${policySet.name} (${policySet.rules.length} rules)`);\n })\n .catch(() => {\n // Silently fall back to default-deny if cloud is unreachable\n });\n }\n\n /**\n * Send audit log to SolonGate Cloud API (fire-and-forget).\n */\n private sendAuditLog(entry: {\n tool: string;\n arguments: Record<string, unknown>;\n decision: 'ALLOW' | 'DENY';\n reason: string;\n matchedRule?: string;\n evaluationTimeMs: number;\n }): void {\n if (!this.apiKey.startsWith('sg_live_')) return;\n const apiUrl = this.config.apiUrl ?? 
'https://api.solongate.com';\n fetch(`${apiUrl}/api/v1/audit-logs`, {\n method: 'POST',\n headers: {\n 'Authorization': `Bearer ${this.apiKey}`,\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(entry),\n }).catch(() => {});\n }\n\n /**\n * Intercept and evaluate a tool call against the full security pipeline.\n * If denied at any stage, returns an error result without calling upstream.\n * If allowed, calls upstream and returns the result.\n */\n async executeToolCall(\n params: McpCallToolParams,\n upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>,\n ): Promise<McpCallToolResult> {\n // Validate license on first call\n await this.validateLicense();\n\n const startTime = performance.now();\n return interceptToolCall(params, upstreamCall, {\n policyEngine: this.policyEngine,\n validateSchemas: this.config.validateSchemas,\n verboseErrors: this.config.verboseErrors,\n onDecision: (result) => {\n this.logger.logDecision(result);\n if (result.status === 'ALLOWED' || result.status === 'DENIED') {\n this.sendAuditLog({\n tool: params.name,\n arguments: (params.arguments ?? {}) as Record<string, unknown>,\n decision: result.decision.effect === 'ALLOW' ? 'ALLOW' : 'DENY',\n reason: result.decision.reason,\n matchedRule: result.decision.matchedRule?.id,\n evaluationTimeMs: performance.now() - startTime,\n });\n } else if (result.status === 'ERROR') {\n this.sendAuditLog({\n tool: params.name,\n arguments: (params.arguments ?? {}) as Record<string, unknown>,\n decision: 'DENY',\n reason: result.error.message,\n evaluationTimeMs: performance.now() - startTime,\n });\n }\n },\n tokenIssuer: this.tokenIssuer ?? undefined,\n serverVerifier: this.serverVerifier ?? undefined,\n rateLimiter: this.rateLimiter,\n inputGuardConfig: this.config.inputGuardConfig,\n rateLimitPerTool: this.config.rateLimitPerTool,\n globalRateLimitPerMinute: this.config.globalRateLimitPerMinute,\n });\n }\n\n /** Load a new policy set at runtime. 
*/\n loadPolicy(\n policySet: PolicySet,\n options?: { reason?: string; createdBy?: string },\n ) {\n return this.policyEngine.loadPolicySet(policySet, options);\n }\n\n /** Get current security warnings. */\n getWarnings(): readonly string[] {\n return [\n ...this.configWarnings,\n ...this.policyEngine.getSecurityWarnings().map((w) => `[${w.level}] ${w.message}`),\n ];\n }\n\n /** Get the policy engine for direct access. */\n getPolicyEngine(): PolicyEngine {\n return this.policyEngine;\n }\n\n /** Get the rate limiter for direct access. */\n getRateLimiter(): RateLimiter {\n return this.rateLimiter;\n }\n\n /** Get the token issuer (null if not configured). */\n getTokenIssuer(): TokenIssuer | null {\n return this.tokenIssuer;\n }\n}\n","/**\n * SecureMcpServer — Drop-in replacement for McpServer with SolonGate protection.\n *\n * Extends the standard McpServer and automatically wraps every tool handler\n * with SolonGate's security pipeline (rate limiting, input guard, policy eval,\n * audit logging). 
No manual wrapping of individual tool handlers needed.\n *\n * Usage:\n * ```typescript\n * import { SecureMcpServer } from '@solongate/sdk';\n *\n * // Just replace `new McpServer(...)` with `new SecureMcpServer(...)`\n * const server = new SecureMcpServer({\n * name: 'my-server',\n * version: '1.0.0',\n * });\n *\n * // Register tools as normal — they're automatically protected\n * server.tool('file_read', { path: z.string() }, async ({ path }) => {\n * return { content: [{ type: 'text', text: readFileSync(path, 'utf-8') }] };\n * });\n *\n * // API key comes from env: SOLONGATE_API_KEY=sg_live_xxx\n * ```\n */\n\nimport { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport type { Implementation } from '@modelcontextprotocol/sdk/types.js';\nimport type { PolicySet, McpCallToolResult } from '@solongate/core';\nimport { SolonGate } from './solongate.js';\nimport type { SolonGateConfig } from './config.js';\n\n/**\n * Options for SecureMcpServer that control SolonGate behavior.\n */\nexport interface SecureMcpServerOptions {\n /** SolonGate Cloud API key. Defaults to process.env.SOLONGATE_API_KEY */\n apiKey?: string;\n /** Policy set to enforce. If omitted, uses cloud policy or default. */\n policySet?: PolicySet;\n /** SolonGate configuration overrides. 
*/\n config?: Partial<SolonGateConfig>;\n}\n\nexport class SecureMcpServer extends McpServer {\n private readonly gate: SolonGate;\n\n /**\n * Create a secure MCP server.\n *\n * @param serverInfo - MCP server info (name, version)\n * @param solongateOptions - SolonGate security options\n * @param mcpOptions - Standard McpServer options (capabilities, etc.)\n */\n constructor(\n serverInfo: Implementation,\n solongateOptions?: SecureMcpServerOptions,\n mcpOptions?: ConstructorParameters<typeof McpServer>[1],\n ) {\n super(serverInfo, mcpOptions);\n\n this.gate = new SolonGate({\n name: serverInfo.name,\n version: serverInfo.version,\n apiKey: solongateOptions?.apiKey,\n policySet: solongateOptions?.policySet,\n config: solongateOptions?.config,\n });\n\n const warnings = this.gate.getWarnings();\n for (const w of warnings) {\n console.warn(`[SolonGate] ${w}`);\n }\n }\n\n /**\n * Override tool() to auto-wrap handlers with SolonGate security pipeline.\n *\n * Supports all McpServer.tool() overloads — the handler (always the last\n * argument) is transparently wrapped. Tool name, description, schema, and\n * annotations pass through unchanged.\n */\n override tool(name: string, ...rest: unknown[]): ReturnType<McpServer['tool']> {\n const handler = rest[rest.length - 1];\n if (typeof handler !== 'function') {\n // Not a handler — pass through unchanged\n return (super.tool as Function).call(this, name, ...rest);\n }\n\n const toolName = name;\n const gate = this.gate;\n\n rest[rest.length - 1] = async (...callArgs: unknown[]) => {\n // Extract tool arguments for policy evaluation.\n // Schema-based tools: callArgs = [parsedArgs, extra]\n // Zero-arg tools: callArgs = [extra]\n const toolArgs =\n callArgs.length > 1 &&\n typeof callArgs[0] === 'object' &&\n callArgs[0] !== null\n ? 
(callArgs[0] as Record<string, unknown>)\n : {};\n\n const result = await gate.executeToolCall(\n { name: toolName, arguments: toolArgs },\n async () => (handler as Function)(...callArgs) as Promise<McpCallToolResult>,\n );\n\n // Bridge McpCallToolResult (readonly content) to CallToolResult (mutable content)\n return { ...result, content: [...result.content] };\n };\n\n return (super.tool as Function).call(this, name, ...rest);\n }\n\n /**\n * Override registerTool() to auto-wrap handlers with SolonGate security pipeline.\n *\n * This is the modern (non-deprecated) API for registering tools.\n */\n override registerTool(\n name: string,\n config: Parameters<McpServer['registerTool']>[1],\n cb: unknown,\n ): ReturnType<McpServer['registerTool']> {\n if (typeof cb !== 'function') {\n return (super.registerTool as Function).call(this, name, config, cb);\n }\n\n const toolName = name;\n const gate = this.gate;\n\n const wrappedCb = async (...callArgs: unknown[]) => {\n const toolArgs =\n callArgs.length > 1 &&\n typeof callArgs[0] === 'object' &&\n callArgs[0] !== null\n ? (callArgs[0] as Record<string, unknown>)\n : {};\n\n const result = await gate.executeToolCall(\n { name: toolName, arguments: toolArgs },\n async () => (cb as Function)(...callArgs) as Promise<McpCallToolResult>,\n );\n\n return { ...result, content: [...result.content] };\n };\n\n return (super.registerTool as Function).call(this, name, config, wrappedCb);\n }\n\n /** Get the underlying SolonGate instance for direct access. */\n getSolonGate(): SolonGate {\n return this.gate;\n }\n}\n","/**\n * SolonGate API Client for TypeScript/JavaScript\n *\n * Provides cloud-based security management with API keys.\n *\n * @example\n * ```typescript\n * import { SolonGateAPI } from '@solongate/sdk';\n *\n * const api = new SolonGateAPI({ apiKey: 'sg_live_xxx' });\n *\n * const result = await api.validate('file.read', { path: '/home/user/doc.txt' });\n * if (result.allowed) {\n * console.log('Allowed! 
Token:', result.token);\n * }\n * ```\n */\n\nimport { TrustLevel, PolicyEffect, type PolicySet, type PolicyDecision } from '@solongate/core';\n\n// Constants\nconst DEFAULT_API_URL = 'https://api.solongate.com';\nconst API_VERSION = 'v1';\nconst SDK_VERSION = '0.2.0';\n\n// Types\nexport interface APIConfig {\n apiKey: string;\n apiUrl?: string;\n timeout?: number;\n maxRetries?: number;\n}\n\nexport interface ValidationRequest {\n tool: string;\n arguments: Record<string, unknown>;\n trustLevel?: TrustLevel;\n includeToken?: boolean;\n}\n\nexport interface ValidationResult {\n allowed: boolean;\n tool: string;\n decision?: PolicyDecision;\n token?: string;\n tokenExpiresAt?: number;\n requestId?: string;\n latencyMs?: number;\n}\n\nexport interface TokenResult {\n token: string;\n tool: string;\n scope: string;\n expiresAt: string;\n nonce: string;\n}\n\nexport interface Tool {\n id: string;\n name: string;\n description: string;\n inputSchema?: Record<string, unknown>;\n permissions: string[];\n enabled: boolean;\n createdAt: string;\n updatedAt: string;\n}\n\n// Errors\nexport class APIError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n public readonly requestId?: string,\n public readonly code: string = 'API_ERROR',\n ) {\n super(message);\n this.name = 'APIError';\n }\n}\n\nexport class AuthenticationError extends APIError {\n constructor(message = 'Invalid API key') {\n super(message, 401, undefined, 'AUTHENTICATION_ERROR');\n this.name = 'AuthenticationError';\n }\n}\n\nexport class RateLimitError extends APIError {\n constructor(\n message: string,\n public readonly retryAfter?: number,\n ) {\n super(message, 429, undefined, 'RATE_LIMIT_ERROR');\n this.name = 'RateLimitError';\n }\n}\n\n// Resource classes\nclass PoliciesResource {\n constructor(private client: SolonGateAPI) {}\n\n async get(policyId = 'default', version?: number): Promise<PolicySet> {\n const params = version ? 
`?version=${version}` : '';\n return this.client.request('GET', `/policies/${policyId}${params}`);\n }\n\n async list(): Promise<{ policies: Array<{ id: string; name: string; version: number }> }> {\n return this.client.request('GET', '/policies');\n }\n\n async create(policy: PolicySet): Promise<PolicySet> {\n return this.client.request('POST', '/policies', policy);\n }\n\n async update(policyId: string, policy: PolicySet): Promise<PolicySet> {\n return this.client.request('PUT', `/policies/${policyId}`, policy);\n }\n}\n\nclass TokensResource {\n constructor(private client: SolonGateAPI) {}\n\n async create(tool: string, scope?: string, ttlSeconds = 30): Promise<TokenResult> {\n const response = await this.client.request<{\n token: string;\n tool: string;\n scope: string;\n expires_at: string;\n nonce: string;\n }>('POST', '/tokens', {\n tool,\n scope: scope || `EXECUTE:${tool}`,\n ttl_seconds: ttlSeconds,\n });\n\n return {\n token: response.token,\n tool: response.tool,\n scope: response.scope,\n expiresAt: response.expires_at,\n nonce: response.nonce,\n };\n }\n\n async verify(token: string): Promise<{ valid: boolean; error?: string; tool?: string; scope?: string }> {\n return this.client.request('POST', '/tokens/verify', { token });\n }\n}\n\nclass ToolsResource {\n constructor(private client: SolonGateAPI) {}\n\n async list(): Promise<{ tools: Tool[] }> {\n return this.client.request('GET', '/tools');\n }\n\n async get(name: string): Promise<Tool> {\n return this.client.request('GET', `/tools/${name}`);\n }\n\n async register(\n name: string,\n description: string,\n inputSchema?: Record<string, unknown>,\n permissions: string[] = ['READ'],\n ): Promise<Tool> {\n return this.client.request('POST', '/tools', {\n name,\n description,\n input_schema: inputSchema,\n permissions,\n });\n }\n\n async update(name: string, data: Partial<Tool>): Promise<Tool> {\n return this.client.request('PUT', `/tools/${name}`, data);\n }\n\n async delete(name: string): Promise<{ 
deleted: boolean }> {\n return this.client.request('DELETE', `/tools/${name}`);\n }\n}\n\n// Main API Client\nexport class SolonGateAPI {\n private readonly apiKey: string;\n private readonly apiUrl: string;\n private readonly timeout: number;\n private readonly maxRetries: number;\n\n public readonly policies: PoliciesResource;\n public readonly tokens: TokensResource;\n public readonly tools: ToolsResource;\n\n constructor(config: APIConfig | string) {\n // Allow passing just the API key as a string\n if (typeof config === 'string') {\n config = { apiKey: config };\n }\n\n // Get API key from config or environment\n this.apiKey = config.apiKey || (typeof process !== 'undefined' ? process.env.SOLONGATE_API_KEY : '') || '';\n\n if (!this.apiKey) {\n throw new AuthenticationError(\n 'API key is required. Provide apiKey in config or set SOLONGATE_API_KEY environment variable.',\n );\n }\n\n // Validate API key format\n if (!this.apiKey.startsWith('sg_live_') && !this.apiKey.startsWith('sg_test_')) {\n throw new AuthenticationError(\n \"Invalid API key format. 
Keys should start with 'sg_live_' or 'sg_test_'\",\n );\n }\n\n this.apiUrl = config.apiUrl || DEFAULT_API_URL;\n this.timeout = config.timeout || 30000;\n this.maxRetries = config.maxRetries || 3;\n\n // Initialize resources\n this.policies = new PoliciesResource(this);\n this.tokens = new TokensResource(this);\n this.tools = new ToolsResource(this);\n }\n\n /**\n * Make an API request.\n * @internal\n */\n async request<T>(method: string, path: string, body?: unknown): Promise<T> {\n const url = `${this.apiUrl}/api/${API_VERSION}${path}`;\n let lastError: Error | undefined;\n\n for (let attempt = 0; attempt < this.maxRetries; attempt++) {\n try {\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n const response = await fetch(url, {\n method,\n headers: {\n 'X-API-Key': this.apiKey,\n 'Authorization': `Bearer ${this.apiKey}`,\n 'Content-Type': 'application/json',\n 'User-Agent': `solongate-js/${SDK_VERSION}`,\n },\n body: body ? 
JSON.stringify(body) : undefined,\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (response.status === 429) {\n const retryAfter = parseInt(response.headers.get('Retry-After') || '1');\n await new Promise((resolve) => setTimeout(resolve, retryAfter * 1000));\n continue;\n }\n\n if (response.status === 401) {\n throw new AuthenticationError('Invalid API key');\n }\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as Record<string, any>;\n throw new APIError(\n errorData.error?.message || 'Unknown error',\n response.status,\n response.headers.get('X-Request-Id') || undefined,\n );\n }\n\n return (await response.json()) as T;\n } catch (error) {\n if (error instanceof APIError || error instanceof AuthenticationError) {\n throw error;\n }\n lastError = error as Error;\n }\n }\n\n throw new APIError(lastError?.message || 'Request failed');\n }\n\n /**\n * Validate a tool call against policies.\n *\n * @example\n * ```typescript\n * const result = await api.validate('file.read', { path: '/home/user/doc.txt' });\n * if (result.allowed) {\n * // Proceed with the tool call\n * }\n * ```\n */\n async validate(\n tool: string,\n args: Record<string, unknown>,\n options: {\n trustLevel?: TrustLevel;\n includeToken?: boolean;\n } = {},\n ): Promise<ValidationResult> {\n const startTime = performance.now();\n\n const response = await this.request<{\n allowed: boolean;\n decision?: {\n effect: string;\n matched_rule?: unknown;\n reason: string;\n evaluated_at: string;\n };\n token?: string;\n token_expires_at?: number;\n request_id?: string;\n }>('POST', '/validate', {\n tool,\n arguments: args,\n trust_level: options.trustLevel || TrustLevel.VERIFIED,\n include_token: options.includeToken !== false,\n });\n\n const latencyMs = performance.now() - startTime;\n\n return {\n allowed: response.allowed,\n tool,\n decision: response.decision\n ? 
{\n effect: response.decision.effect as PolicyEffect,\n matchedRule: response.decision.matched_rule as any,\n reason: response.decision.reason,\n timestamp: response.decision.evaluated_at,\n evaluationTimeMs: 0,\n }\n : undefined,\n token: response.token,\n tokenExpiresAt: response.token_expires_at,\n requestId: response.request_id,\n latencyMs,\n };\n }\n\n /**\n * Check if using live (production) API key.\n */\n isLiveMode(): boolean {\n return this.apiKey.startsWith('sg_live_');\n }\n\n /**\n * Check if using test (development) API key.\n */\n isTestMode(): boolean {\n return this.apiKey.startsWith('sg_test_');\n }\n}\n\n// Default export\nexport default SolonGateAPI;\n"]}
1
+ {"version":3,"sources":["../../core/src/errors.ts","../../core/src/trust.ts","../../core/src/permissions.ts","../../core/src/policy.ts","../../core/src/context.ts","../../core/src/constants.ts","../../core/src/mcp-types.ts","../../core/src/schema-validator.ts","../../core/src/input-guard.ts","../../core/src/capability-token.ts","../../policy-engine/src/path-matcher.ts","../../policy-engine/src/matcher.ts","../../policy-engine/src/evaluator.ts","../../policy-engine/src/validator.ts","../../policy-engine/src/warnings.ts","../../policy-engine/src/defaults.ts","../../policy-engine/src/engine.ts","../../policy-engine/src/policy-store.ts","../src/config.ts","../src/interceptor.ts","../src/logger.ts","../src/token-issuer.ts","../src/server-verifier.ts","../src/rate-limiter.ts","../src/solongate.ts","../src/secure-server.ts","../src/api-client.ts"],"names":["z","maxChildDepth","endTime","UNSAFE_CONFIGURATION_WARNINGS","TrustLevel","randomUUID","createHmac","RateLimitError"],"mappings":";;;;;AAIO,IAAM,cAAA,GAAN,cAA6B,KAAA,CAAM;AACxB,EAAA,IAAA;AACA,EAAA,SAAA;AACA,EAAA,OAAA;AAEhB,EAAA,WAAA,CACE,OAAA,EACA,IAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AACb,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACZ,IAAA,IAAA,CAAK,IAAA,GAAO,IAAA;AACZ,IAAA,IAAA,CAAK,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAC5B,IAAA,IAAA,CAAK,UAAU,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,SAAS,CAAA;AAC3C,IAAA,MAAA,CAAO,cAAA,CAAe,IAAA,EAAM,GAAA,CAAA,MAAA,CAAW,SAAS,CAAA;AAClD,EAAA;;;;;EAMA,MAAA,GAAkC;AAChC,IAAA,OAAO;AACL,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,IAAA,EAAM,IAAA,CAAK,IAAA;AACX,MAAA,OAAA,EAAS,IAAA,CAAK,OAAA;AACd,MAAA,SAAA,EAAW,IAAA,CAAK,SAAA;AAChB,MAAA,OAAA,EAAS,IAAA,CAAK;AAAA,KAAA;AAElB,EAAA;AACF;AAGO,IAAM,iBAAA,GAAN,cAAgC,cAAA,CAAe;AACpD,EAAA,WAAA,CACE,QAAA,EACA,MAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA;MACE,CAAA,iCAAA,EAAoC,QAAQ,MAAM,MAAM,CAAA,CAAA;AACxD,MAAA,eAAA;MACA,EAAE,QAAA,EAAU,MAAA,EAAQ,GAAG,OAAA;AAAQ,KAAA;AAEjC,IAAA,IAAA,CAAK,IAAA,GAAO,mBAAA;AACd,EAAA;AACF;AAWO,IAAM,qBAAA,GAAN,cAAoC,
cAAA,CAAe;AACxD,EAAA,WAAA,CACE,UACA,gBAAA,EACA;AACA,IAAA,KAAA;AACE,MAAA,CAAA,mCAAA,EAAsC,QAAQ,CAAA,GAAA,EAAM,gBAAA,CAAiB,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AAC/E,MAAA,0BAAA;AACA,MAAA,EAAE,UAAU,gBAAA;AAAiB,KAAA;AAE/B,IAAA,IAAA,CAAK,IAAA,GAAO,uBAAA;AACd,EAAA;AACF;AAGO,IAAM,cAAA,GAAN,cAA6B,cAAA,CAAe;AACjD,EAAA,WAAA,CAAY,UAAkB,cAAA,EAAwB;AACpD,IAAA,KAAA;MACE,CAAA,8BAAA,EAAiC,QAAQ,UAAU,cAAc,CAAA,IAAA,CAAA;AACjE,MAAA,qBAAA;AACA,MAAA,EAAE,UAAU,cAAA;AAAe,KAAA;AAE7B,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AACd,EAAA;AACF;AA2BO,IAAM,eAAA,GAAN,cAA8B,cAAA,CAAe;AAClD,EAAA,WAAA,CACE,UACA,OAAA,EACA;AACA,IAAA,KAAA;MACE,CAAA,0BAAA,EAA6B,QAAQ,CAAA,GAAA,EAAM,OAAA,CAAQ,GAAA,CAAI,CAAA,CAAA,KAAK,CAAA,CAAE,WAAW,CAAA,CAAE,IAAA,CAAK,IAAI,CAAC,CAAA,CAAA;AACrF,MAAA,qBAAA;AACA,MAAA,EAAE,QAAA,EAAU,WAAA,EAAa,OAAA,CAAQ,MAAA,EAAQ,OAAA;AAAQ,KAAA;AAEnD,IAAA,IAAA,CAAK,IAAA,GAAO,iBAAA;AACd,EAAA;AACF;AAGO,IAAM,YAAA,GAAN,cAA2B,cAAA,CAAe;AAC/C,EAAA,WAAA,CACE,SAAA,EACA,UAAA,EACA,OAAA,GAAmC,EAAA,EACnC;AACA,IAAA,KAAA;AACE,MAAA,CAAA,qBAAA,EAAwB,SAAS,CAAA,EAAG,UAAA,GAAa,CAAA,OAAA,EAAU,UAAU,MAAM,EAAE,CAAA,CAAA;AAC7E,MAAA,eAAA;MACA,EAAE,SAAA,EAAW,UAAA,EAAY,GAAG,OAAA;AAAQ,KAAA;AAEtC,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AACd,EAAA;AACF;AChIO,IAAM,UAAA,GAAa;EACxB,SAAA,EAAW,WAAA;EACX,QAAA,EAAU,UAAA;EACV,OAAA,EAAS;AACX;ACXO,IAAM,UAAA,GAAa;EACxB,IAAA,EAAM,MAAA;EACN,KAAA,EAAO,OAAA;EACP,OAAA,EAAS;AACX;AAIgC,CAAA,CAAE,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAC;AAgBtB,MAAA,CAAO,MAAA;AAAA,kBAAA,IAC9C,GAAA;AACN;AAGwC,MAAA,CAAO,MAAA;AAC7C,kBAAA,IAAI,GAAA,CAAgB,CAAC,UAAA,CAAW,IAAI,CAAC;AACvC;AC7BO,IAAM,YAAA,GAAe;EAC1B,KAAA,EAAO,OAAA;EACP,IAAA,EAAM;AACR;AA2CO,IAAM,gBAAA,GAAmBA,EAAE,MAAA,CAAO;AACvC,EAAA,EAAA,EAAIA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC7B,EAAA,WAAA,EAAaA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,CAAI,IAAI,CAAA;AAChC,EAAA,MAAA,EAAQA,CAAAA,CAAE,IAAA,CAAK,CAAC,OAAA,EAAS,MAAM,CAAC,CAAA;AAChC,EAAA,QAAA,EAAUA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,EAAA,CAAM,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,GAAK,CAAA,CAAE,OAAA,CAAQ,GAAI,CAAA;AACzD,EAAA
,WAAA,EAAaA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AACtC,EAAA,UAAA,EAAYA,EAAE,IAAA,CAAK,CAAC,MAAA,EAAQ,OAAA,EAAS,SAAS,CAAC,CAAA;AAC/C,EAAA,iBAAA,EAAmBA,EAAE,IAAA,CAAK,CAAC,WAAA,EAAa,UAAA,EAAY,SAAS,CAAC,CAAA;AAC9D,EAAA,mBAAA,EAAqBA,EAAE,MAAA,CAAOA,CAAAA,CAAE,OAAA,EAAS,EAAE,QAAA,EAAA;AAC3C,EAAA,eAAA,EAAiBA,EACd,MAAA,CAAO;AACN,IAAA,OAAA,EAASA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAA;AAC7B,IAAA,MAAA,EAAQA,EAAE,KAAA,CAAMA,CAAAA,CAAE,MAAA,EAAQ,EAAE,QAAA,EAAA;IAC5B,aAAA,EAAeA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;IAC1B,aAAA,EAAeA,CAAAA,CAAE,OAAA,EAAA,CAAU,QAAA;AAAS,GACrC,EACA,QAAA,EAAA;AACH,EAAA,OAAA,EAASA,CAAAA,CAAE,OAAA,EAAA,CAAU,OAAA,CAAQ,IAAI,CAAA;EACjC,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;EACtB,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA;AACxB,CAAC,CAAA;AAEM,IAAM,eAAA,GAAkBA,EAAE,MAAA,CAAO;AACtC,EAAA,EAAA,EAAIA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC7B,EAAA,IAAA,EAAMA,EAAE,MAAA,EAAA,CAAS,IAAI,CAAC,CAAA,CAAE,IAAI,GAAG,CAAA;AAC/B,EAAA,WAAA,EAAaA,CAAAA,CAAE,MAAA,EAAA,CAAS,GAAA,CAAI,IAAI,CAAA;AAChC,EAAA,OAAA,EAASA,EAAE,MAAA,EAAA,CAAS,GAAA,EAAA,CAAM,IAAI,CAAC,CAAA;EAC/B,KAAA,EAAOA,CAAAA,CAAE,MAAM,gBAAgB,CAAA;EAC/B,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA,EAAA;EACtB,SAAA,EAAWA,CAAAA,CAAE,MAAA,EAAA,CAAS,QAAA;AACxB,CAAC,CAAA;AC1DM,SAAS,sBACd,MAAA,EAEiB;AACjB,EAAA,OAAO;IACL,UAAA,EAAY,WAAA;AACZ,IAAA,kBAAA,sBAAwB,GAAA,EAAA;IACxB,SAAA,EAAW,IAAA;AACX,IAAA,QAAA,EAAU,EAAA;IACV,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;IACtB,GAAG;AAAA,GAAA;AAEP;ACrCO,IAAM,qBAAA,GAAwB,MAAA;AAG9B,IAAM,wBAAA,GAA2B,GAAA;AAGjC,IAAM,kBAAA,GAAqB,EAAA;AAG3B,IAAM,wBAAA,GAA2B,OAAA;AAkBjC,IAAM,4BAAA,GAA+B,GAAA;AA8BrC,IAAM,oBAAA,GAAuB,GAAA;AAG7B,IAAM,sBAAA,GAAyB,GAAA;AAG/B,IAAM,6BAAA,GAAgC;EAC3C,cAAA,EACE,2FAAA;EACF,sBAAA,EACE,oFAAA;EAGF,sBAAA,EACE,iFAAA;EACF,eAAA,EACE,yFAAA;EACF,mBAAA,EACE;AACJ,CAAA;AC7CO,SAAS,uBACd,MAAA,EACmB;AACnB,EAAA,OAAO;IACL,OAAA,EAAS;AACP,MAAA;QACE,IAAA,EAAM,MAAA;AACN,QAAA,IAAA,EAAM,KAAK,SAAA,CAAU;UACnB,KAAA,EAAO,eAAA;UACP,OAAA,EAA
S,MAAA;UACT,IAAA,EAAM;SACP;AAAA;AACH,KAAA;IAEF,OAAA,EAAS;AAAA,GAAA;AAEb;AC1BA,IAAM,eAAA,GAAoD;EACxD,QAAA,EAAU,kBAAA;EACV,YAAA,EAAc,wBAAA;EACd,YAAA,EAAc;AAChB,CAAA;AAWO,SAAS,iBAAA,CACd,MAAA,EACA,KAAA,EACA,OAAA,EACwB;AACxB,EAAA,MAAM,IAAA,GAAO,EAAE,GAAG,eAAA,EAAiB,GAAG,OAAA,EAAA;AACtC,EAAA,MAAM,SAAmB,EAAA;AAGzB,EAAA,MAAM,SAAA,GAAY,cAAA,CAAe,KAAA,EAAO,IAAA,CAAK,YAAY,CAAA;AACzD,EAAA,IAAI,SAAA,EAAW;AACb,IAAA,OAAO,EAAE,OAAO,KAAA,EAAO,MAAA,EAAQ,CAAC,SAAS,CAAA,EAAG,WAAW,IAAA,EAAA;AACzD,EAAA;AAGA,EAAA,MAAM,UAAA,GAAa,eAAA,CAAgB,KAAA,EAAO,IAAA,CAAK,QAAQ,CAAA;AACvD,EAAA,IAAI,UAAA,EAAY;AACd,IAAA,OAAO,EAAE,OAAO,KAAA,EAAO,MAAA,EAAQ,CAAC,UAAU,CAAA,EAAG,WAAW,IAAA,EAAA;AAC1D,EAAA;AAGA,EAAA,MAAM,MAAA,GAAS,MAAA,CAAO,SAAA,CAAU,KAAK,CAAA;AAErC,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,KAAA,CAAM,MAAA,EAAQ;AACvC,MAAA,MAAM,IAAA,GAAO,MAAM,IAAA,CAAK,MAAA,GAAS,IAAI,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,GAAI,MAAA;AAC5D,MAAA,MAAA,CAAO,KAAK,CAAA,EAAG,IAAI,CAAA,EAAA,EAAK,KAAA,CAAM,OAAO,CAAA,CAAE,CAAA;AACzC,IAAA;AACA,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,WAAW,IAAA,EAAA;AAC5C,EAAA;AAEA,EAAA,OAAO;IACL,KAAA,EAAO,IAAA;AACP,IAAA,MAAA,EAAQ,EAAA;AACR,IAAA,SAAA,EAAW,MAAA,CAAO;AAAA,GAAA;AAEtB;AAeA,SAAS,cAAA,CAAe,OAAgB,QAAA,EAAiC;AACvE,EAAA,IAAI,UAAA;AACJ,EAAA,IAAI;AACF,IAAA,UAAA,GAAa,IAAA,CAAK,UAAU,KAAK,CAAA;EACnC,CAAA,CAAA,MAAQ;AACN,IAAA,OAAO,oCAAA;AACT,EAAA;AAEA,EAAA,MAAM,YAAY,IAAI,WAAA,EAAA,CAAc,MAAA,CAAO,UAAU,CAAA,CAAE,MAAA;AACvD,EAAA,IAAI,YAAY,QAAA,EAAU;AACxB,IAAA,OAAO,CAAA,WAAA,EAAc,SAAS,CAAA,uBAAA,EAA0B,QAAQ,CAAA,MAAA,CAAA;AAClE,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAMA,SAAS,eAAA,CAAgB,OAAgB,QAAA,EAAiC;AACxE,EAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,EAAO,CAAC,CAAA;AACnC,EAAA,IAAI,QAAQ,QAAA,EAAU;AACpB,IAAA,OAAO,CAAA,YAAA,EAAe,KAAK,CAAA,iBAAA,EAAoB,QAAQ,CAAA,CAAA;AACzD,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,YAAA,CAAa,OAAgB,YAAA,EAA8B;AAClE,EAAA,IAAI,YAAA,GAAe,qBAAqB,CAAA,EAAG;AACzC,IAAA,OAAO,YAAA;AACT,EAAA;AAEA,EAAA,IAAI,UAAU,IAAA,IAAQ,KAAA,KAAU,MAAA,IAAa,OAAO,UAAU,QAAA,EAAU;AAC
tE,IAAA,OAAO,YAAA;AACT,EAAA;AAEA,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,KAAK,CAAA,EAAG;AACxB,IAAA,IAAIC,iBAAgB,YAAA,GAAe,CAAA;AACnC,IAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,MAAA,MAAM,UAAA,GAAa,YAAA,CAAa,IAAA,EAAM,YAAA,GAAe,CAAC,CAAA;AACtD,MAAA,IAAI,UAAA,GAAaA,gBAAeA,cAAAA,GAAgB,UAAA;AAClD,IAAA;AACA,IAAA,OAAOA,cAAAA;AACT,EAAA;AAEA,EAAA,IAAI,gBAAgB,YAAA,GAAe,CAAA;AACnC,EAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,KAAgC,CAAA,EAAG;AAC/D,IAAA,MAAM,UAAA,GAAa,YAAA;AAChB,MAAA,KAAA,CAAkC,GAAG,CAAA;MACtC,YAAA,GAAe;AAAA,KAAA;AAEjB,IAAA,IAAI,UAAA,GAAa,eAAe,aAAA,GAAgB,UAAA;AAClD,EAAA;AACA,EAAA,OAAO,aAAA;AACT;AChGO,IAAM,0BAAA,GACX,OAAO,MAAA,CAAO;EACZ,aAAA,EAAe,IAAA;EACf,cAAA,EAAgB,IAAA;EAChB,aAAA,EAAe,IAAA;EACf,WAAA,EAAa,IAAA;EACb,YAAA,EAAc,IAAA;EACd,IAAA,EAAM,IAAA;EACN,YAAA,EAAc;AAChB,CAAC,CAAA;AAIH,IAAM,uBAAA,GAA0B;AAC9B,EAAA,QAAA;;AACA,EAAA,QAAA;;AACA,EAAA,SAAA;;AACA,EAAA,QAAA;;AACA,EAAA,QAAA;;AACA,EAAA,aAAA;;AACA,EAAA;;AACF,CAAA;AAEA,IAAM,eAAA,GAAkB;AACtB,EAAA,gBAAA;AACA,EAAA,gBAAA;AACA,EAAA,WAAA;AACA,EAAA,UAAA;AACA,EAAA,wBAAA;AACA,EAAA,wBAAA;AACA,EAAA,WAAA;AACA,EAAA,KAAA;AACA,EAAA,cAAA;;AACA,EAAA,qBAAA;;AACA,EAAA,aAAA;;AACA,EAAA,iBAAA;;AACA,EAAA,iBAAA;;AACA,EAAA,gBAAA;;AACA,EAAA,UAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,oBAAoB,KAAA,EAAwB;AAC1D,EAAA,KAAA,MAAW,WAAW,uBAAA,EAAyB;AAC7C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,KAAA,MAAW,WAAW,eAAA,EAAiB;AACrC,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,wBAAA,GAA2B;AAC/B,EAAA,QAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,IAAA;;AACA,EAAA,MAAA;;AACA,EAAA,WAAA;;AACA,EAAA,WAAA;;AACA,EAAA,aAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA,MAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,qBAAqB,KAAA,EAAwB;AAC3D,EAAA,KAAA,MAAW,WAAW,wBAAA,EAA0B;AAC9C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,uBAAA,GAA0B,CAAA;AAEzB,SAAS,oBAAoB,KAAA,EAAwB;AAE1D,EAAA,IAAI,KAAA,CAAM,QAAA,CAAS,IAAI
,CAAA,EAAG,OAAO,IAAA;AAGjC,EAAA,MAAM,iBAAiB,KAAA,CAAM,KAAA,CAAM,KAAK,CAAA,IAAK,EAAA,EAAI,MAAA;AACjD,EAAA,IAAI,aAAA,GAAgB,yBAAyB,OAAO,IAAA;AAEpD,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,aAAA,GAAgB;AACpB,EAAA,0BAAA;AACA,EAAA,4CAAA;AACA,EAAA,wBAAA;AACA,EAAA,qBAAA;;AACA,EAAA,2CAAA;;AACA,EAAA,uCAAA;;AACA,EAAA,wBAAA;;AACA,EAAA,wBAAA;;AACA,EAAA,6BAAA;;AACA,EAAA,yBAAA;;;AAEA,EAAA,sBAAA;;AACA,EAAA,sBAAA;;AACA,EAAA,+BAAA;;AACA,EAAA,6BAAA;;AACA,EAAA,4BAAA;;AACA,EAAA,iDAAA;;AACA,EAAA,kCAAA;;AACA,EAAA,kCAAA;;;AAEA,EAAA,4BAAA;;AAEA,EAAA;AACF,CAAA;AAMA,SAAS,gBAAgB,KAAA,EAAwB;AAC/C,EAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,kCAAkC,CAAA;AAC5D,EAAA,IAAI,CAAC,KAAA,IAAS,CAAC,KAAA,CAAM,CAAC,GAAG,OAAO,KAAA;AAEhC,EAAA,MAAM,OAAA,GAAU,QAAA,CAAS,KAAA,CAAM,CAAC,GAAG,EAAE,CAAA;AACrC,EAAA,IAAI,KAAA,CAAM,OAAO,CAAA,IAAK,OAAA,GAAU,YAAY,OAAO,KAAA;AAGnD,EAAA,OACG,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,aAAc,OAAA,IAAW,SAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;AACpC,EAAA,OAAA,IAAW,cAAc,OAAA,IAAW,UAAA;EACrC,OAAA,KAAY,CAAA;AAEhB;AAEO,SAAS,WAAW,KAAA,EAAwB;AACjD,EAAA,KAAA,MAAW,WAAW,aAAA,EAAe;AACnC,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AAEA,EAAA,IAAI,eAAA,CAAgB,KAAK,CAAA,EAAG,OAAO,IAAA;AACnC,EAAA,OAAO,KAAA;AACT;AAIA,IAAM,sBAAA,GAAyB;AAC7B,EAAA,sCAAA;;AACA,EAAA,kEAAA;;AACA,EAAA,0BAAA;;AACA,EAAA,SAAA;;AACA,EAAA,mBAAA;;AACA,EAAA,eAAA;;AACA,EAAA,mBAAA;;AACA,EAAA,oBAAA;;AACA,EAAA;;AACF,CAAA;AAEO,SAAS,mBAAmB,KAAA,EAAwB;AACzD,EAAA,KAAA,MAAW,WAAW,sBAAA,EAAwB;AAC5C,IAAA,IAAI,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,EAAG,OAAO,IAAA;AAClC,EAAA;AACA,EAAA,OAAO,KAAA;AACT;AAIO,SAAS,iBAAA,CACd,KAAA,EACA,SAAA,GAAoB,IAAA,EACX;AACT,EAAA,OAAO,MAAM,MAAA,IAAU,SAAA;AACzB;AASA,IAAM,iBAAA,GAAoB,GAAA;AAC1B,IAAM,4BAAA,GAA+B,EAAA;AAE9B,SAAS,mBAAmB,KAAA,EAAwB;AACzD,EAAA,IAAI,KAAA,CAAM,MAAA,GAAS,4BAAA,EAA8B,OAAO,IAAA;AAExD,EAAA,MAAM,OAAA,GAAU,wBAAwB,KAAK,CAAA;AAC7C,EAAA,OAAO,OAAA,IAAW,iBAAA;AACpB;AAEA,SAAS,wBAAwB,GAAA,EAAqB;AACpD,EAAA,MAAM,IAAA,uBAAW,GAAA,EAAA;AACjB,EAAA,KAAA,MA
AW,QAAQ,GAAA,EAAK;AACtB,IAAA,IAAA,CAAK,IAAI,IAAA,EAAA,CAAO,IAAA,CAAK,IAAI,IAAI,CAAA,IAAK,KAAK,CAAC,CAAA;AAC1C,EAAA;AAEA,EAAA,IAAI,OAAA,GAAU,CAAA;AACd,EAAA,MAAM,MAAM,GAAA,CAAI,MAAA;AAChB,EAAA,KAAA,MAAW,KAAA,IAAS,IAAA,CAAK,MAAA,EAAA,EAAU;AACjC,IAAA,MAAM,IAAI,KAAA,GAAQ,GAAA;AAClB,IAAA,IAAI,IAAI,CAAA,EAAG;AACT,MAAA,OAAA,IAAW,CAAA,GAAI,IAAA,CAAK,IAAA,CAAK,CAAC,CAAA;AAC5B,IAAA;AACF,EAAA;AACA,EAAA,OAAO,OAAA;AACT;AAQO,SAAS,aAAA,CACd,KAAA,EACA,KAAA,EACA,MAAA,GAA2B,0BAAA,EACP;AACpB,EAAA,MAAM,UAA4B,EAAA;AAElC,EAAA,IAAI,OAAO,UAAU,QAAA,EAAU;AAE7B,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,IAAY,KAAA,KAAU,IAAA,EAAM;AAC/C,MAAA,OAAO,cAAA,CAAe,KAAA,EAAO,KAAA,EAAO,MAAM,CAAA;AAC5C,IAAA;AACA,IAAA,OAAO,EAAE,IAAA,EAAM,IAAA,EAAM,OAAA,EAAS,EAAA,EAAC;AACjC,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,aAAA,IAAiB,mBAAA,CAAoB,KAAK,CAAA,EAAG;AACtD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,gBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,cAAA,IAAkB,oBAAA,CAAqB,KAAK,CAAA,EAAG;AACxD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,iBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,aAAA,IAAiB,mBAAA,CAAoB,KAAK,CAAA,EAAG;AACtD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,gBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,CAAC,iBAAA,CAAkB,KAAA,EAAO,MAAA,CAAO,WAAW,CAAA,EAAG;AACjD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,iBAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,CAAA,CAAA,EAAI,MAAM,MAAM,CAAA,OAAA,CAAA;MACvB,WAAA,EAAa,CAAA,gCAAA,EAAmC,OAAO,WAAW,CAAA;KACnE,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,CAAC,kBAAA,CAAmB,KAAK,CAAA,EAAG;AACrD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,cAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,IAAA,IAAQ,UAAA,CAAW,KAAK,CAAA,EAAG;AACpC,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,MAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa
;KACd,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,MAAA,CAAO,YAAA,IAAgB,kBAAA,CAAmB,KAAK,CAAA,EAAG;AACpD,IAAA,OAAA,CAAQ,IAAA,CAAK;MACX,IAAA,EAAM,eAAA;AACN,MAAA,KAAA;MACA,KAAA,EAAO,QAAA,CAAS,OAAO,GAAG,CAAA;MAC1B,WAAA,EAAa;KACd,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAA,EAAA;AACvC;AAKA,SAAS,cAAA,CACP,QAAA,EACA,GAAA,EACA,MAAA,EACoB;AACpB,EAAA,MAAM,UAA4B,EAAA;AAElC,EAAA,IAAI,KAAA,CAAM,OAAA,CAAQ,GAAG,CAAA,EAAG;AACtB,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,GAAA,CAAI,QAAQ,CAAA,EAAA,EAAK;AACnC,MAAA,MAAM,MAAA,GAAS,aAAA,CAAc,CAAA,EAAG,QAAQ,CAAA,CAAA,EAAI,CAAC,CAAA,CAAA,CAAA,EAAK,GAAA,CAAI,CAAC,CAAA,EAAG,MAAM,CAAA;AAChE,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,MAAA,CAAO,OAAO,CAAA;AAChC,IAAA;EACF,CAAA,MAAO;AACL,IAAA,KAAA,MAAW,CAAC,GAAA,EAAK,GAAG,KAAK,MAAA,CAAO,OAAA,CAAQ,GAAG,CAAA,EAAG;AAC5C,MAAA,MAAM,MAAA,GAAS,cAAc,CAAA,EAAG,QAAQ,IAAI,GAAG,CAAA,CAAA,EAAI,KAAK,MAAM,CAAA;AAC9D,MAAA,OAAA,CAAQ,IAAA,CAAK,GAAG,MAAA,CAAO,OAAO,CAAA;AAChC,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAA,EAAA;AACvC;AAEA,SAAS,QAAA,CAAS,KAAa,MAAA,EAAwB;AACrD,EAAA,OAAO,GAAA,CAAI,SAAS,MAAA,GAAS,GAAA,CAAI,MAAM,CAAA,EAAG,MAAM,IAAI,KAAA,GAAQ,GAAA;AAC9D;ACnVO,IAAM,yBAAA,GAA4B,EAAA;AAClC,IAAM,eAAA,GAAkB,OAAA;AACxB,IAAM,iBAAA,GAAoB,EAAA;AChC1B,SAAS,cAAc,IAAA,EAAsB;AAElD,EAAA,IAAI,UAAA,GAAa,IAAA,CAAK,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA;AAGxC,EAAA,IAAI,WAAW,MAAA,GAAS,CAAA,IAAK,UAAA,CAAW,QAAA,CAAS,GAAG,CAAA,EAAG;AACrD,IAAA,UAAA,GAAa,UAAA,CAAW,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AACrC,EAAA;AAGA,EAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,KAAA,CAAM,GAAG,CAAA;AAClC,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,KAAA,MAAW,QAAQ,KAAA,EAAO;AACxB,IAAA,IAAI,IAAA,KAAS,GAAA,IAAO,IAAA,KAAS,EAAA,EAAI;AAC/B,MAAA,IAAI,QAAA,CAAS,MAAA,KAAW,CAAA,EAAG,QAAA,CAAS,KAAK,EAAE,CAAA;AAC3C,MAAA;AACF,IAAA;AACA,IAAA,IAAI,SAAS,IAAA,EAAM;AACjB,MAAA,IAAI,QAAA,CAAS,SAAS,CAAA,EAAG;AACvB,QAAA,QAAA,CAAS,GAAA,EAAA;AACX,MAAA;AACA,MAAA;AACF,IAAA;AACA,IAAA,QAAA,CAAS,KAAK,IAAI,CAAA;AACpB,EAAA;AAEA,EAAA,OAAO,QAAA,CAAS,IAAA,CAAK,GAAG,CAAA,IAAK,GAAA;AAC/B;AAMO,SAA
S,YAAA,CAAa,MAAc,IAAA,EAAuB;AAChE,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AACzC,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AAGzC,EAAA,IAAI,cAAA,KAAmB,gBAAgB,OAAO,IAAA;AAC9C,EAAA,OAAO,cAAA,CAAe,UAAA,CAAW,cAAA,GAAiB,GAAG,CAAA;AACvD;AAWO,SAAS,gBAAA,CAAiB,MAAc,OAAA,EAA0B;AACvE,EAAA,MAAM,cAAA,GAAiB,cAAc,IAAI,CAAA;AACzC,EAAA,MAAM,iBAAA,GAAoB,cAAc,OAAO,CAAA;AAE/C,EAAA,IAAI,iBAAA,KAAsB,KAAK,OAAO,IAAA;AACtC,EAAA,IAAI,iBAAA,KAAsB,gBAAgB,OAAO,IAAA;AAEjD,EAAA,MAAM,YAAA,GAAe,iBAAA,CAAkB,KAAA,CAAM,GAAG,CAAA;AAChD,EAAA,MAAM,SAAA,GAAY,cAAA,CAAe,KAAA,CAAM,GAAG,CAAA;AAE1C,EAAA,OAAO,UAAA,CAAW,SAAA,EAAW,CAAA,EAAG,YAAA,EAAc,CAAC,CAAA;AACjD;AAEA,SAAS,UAAA,CACP,SAAA,EACA,EAAA,EACA,YAAA,EACA,EAAA,EACS;AACT,EAAA,OAAO,EAAA,GAAK,SAAA,CAAU,MAAA,IAAU,EAAA,GAAK,aAAa,MAAA,EAAQ;AACxD,IAAA,MAAM,OAAA,GAAU,aAAa,EAAE,CAAA;AAE/B,IAAA,IAAI,YAAY,IAAA,EAAM;AAEpB,MAAA,IAAI,EAAA,KAAO,YAAA,CAAa,MAAA,GAAS,CAAA,EAAG,OAAO,IAAA;AAG3C,MAAA,KAAA,IAAS,CAAA,GAAI,EAAA,EAAI,CAAA,IAAK,SAAA,CAAU,QAAQ,CAAA,EAAA,EAAK;AAC3C,QAAA,IAAI,WAAW,SAAA,EAAW,CAAA,EAAG,YAAA,EAAc,EAAA,GAAK,CAAC,CAAA,EAAG;AAClD,UAAA,OAAO,IAAA;AACT,QAAA;AACF,MAAA;AACA,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,IAAI,YAAY,GAAA,EAAK;AAEnB,MAAA,EAAA,EAAA;AACA,MAAA,EAAA,EAAA;AACA,MAAA;AACF,IAAA;AAEA,IAAA,IAAI,OAAA,KAAY,SAAA,CAAU,EAAE,CAAA,EAAG;AAC7B,MAAA,OAAO,KAAA;AACT,IAAA;AAEA,IAAA,EAAA,EAAA;AACA,IAAA,EAAA,EAAA;AACF,EAAA;AAGA,EAAA,OAAO,KAAK,YAAA,CAAa,MAAA,IAAU,YAAA,CAAa,EAAE,MAAM,IAAA,EAAM;AAC5D,IAAA,EAAA,EAAA;AACF,EAAA;AAEA,EAAA,OAAO,EAAA,KAAO,SAAA,CAAU,MAAA,IAAU,EAAA,KAAO,YAAA,CAAa,MAAA;AACxD;AAWO,SAAS,aAAA,CACd,MACA,WAAA,EACS;AAET,EAAA,IAAI,YAAY,aAAA,EAAe;AAC7B,IAAA,IAAI,CAAC,YAAA,CAAa,IAAA,EAAM,WAAA,CAAY,aAAa,CAAA,EAAG;AAClD,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AAGA,EAAA,IAAI,WAAA,CAAY,MAAA,IAAU,WAAA,CAAY,MAAA,CAAO,SAAS,CAAA,EAAG;AACvD,IAAA,KAAA,MAAW,OAAA,IAAW,YAAY,MAAA,EAAQ;AACxC,MAAA,IAAI,gBAAA,CAAiB,IAAA,EAAM,OAAO,CAAA,EAAG;AACnC,QAAA,OAAO,KAAA;AACT,MAAA;AACF,IAAA;AACF,EAAA;AAGA,EAAA,IAAI,WAAA,CAAY,OAAA,IAAW,WAAA,CAAY,OAAA,CAAQ,SAAS,CAAA,EAAG;AACzD,IAAA,IAAI,cAAA,GAAiB,
KAAA;AACrB,IAAA,KAAA,MAAW,OAAA,IAAW,YAAY,OAAA,EAAS;AACzC,MAAA,IAAI,gBAAA,CAAiB,IAAA,EAAM,OAAO,CAAA,EAAG;AACnC,QAAA,cAAA,GAAiB,IAAA;AACjB,QAAA;AACF,MAAA;AACF,IAAA;AACA,IAAA,IAAI,CAAC,gBAAgB,OAAO,KAAA;AAC9B,EAAA;AAEA,EAAA,OAAO,IAAA;AACT;AAMO,SAAS,qBACd,IAAA,EACU;AACV,EAAA,MAAM,QAAkB,EAAA;AAExB,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,MAAA,CAAO,IAAI,CAAA,EAAG;AACvC,IAAA,IAAI,OAAO,KAAA,KAAU,QAAA,KAAa,KAAA,CAAM,QAAA,CAAS,GAAG,CAAA,IAAK,KAAA,CAAM,QAAA,CAAS,IAAI,CAAA,CAAA,EAAI;AAC9E,MAAA,KAAA,CAAM,KAAK,KAAK,CAAA;AAClB,IAAA;AACF,EAAA;AAEA,EAAA,OAAO,KAAA;AACT;AC1KO,SAAS,kBAAA,CACd,MACA,OAAA,EACS;AACT,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,EAAS,OAAO,KAAA;AAC1B,EAAA,IAAI,IAAA,CAAK,UAAA,KAAe,OAAA,CAAQ,kBAAA,EAAoB,OAAO,KAAA;AAC3D,EAAA,IAAI,CAAC,kBAAA,CAAmB,IAAA,CAAK,aAAa,OAAA,CAAQ,QAAQ,GAAG,OAAO,KAAA;AACpE,EAAA,IAAI,CAAC,sBAAA,CAAuB,OAAA,CAAQ,QAAQ,UAAA,EAAY,IAAA,CAAK,iBAAiB,CAAA,EAAG;AAC/E,IAAA,OAAO,KAAA;AACT,EAAA;AACA,EAAA,IAAI,KAAK,mBAAA,EAAqB;AAC5B,IAAA,IAAI,CAAC,wBAAA,CAAyB,IAAA,CAAK,mBAAA,EAAqB,OAAA,CAAQ,SAAS,CAAA,EAAG;AAC1E,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AACA,EAAA,IAAI,KAAK,eAAA,EAAiB;AACxB,IAAA,IAAI,CAAC,oBAAA,CAAqB,IAAA,CAAK,eAAA,EAAiB,OAAA,CAAQ,SAAS,CAAA,EAAG;AAClE,MAAA,OAAO,KAAA;AACT,IAAA;AACF,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAWO,SAAS,kBAAA,CAAmB,SAAiB,QAAA,EAA2B;AAC7E,EAAA,IAAI,OAAA,KAAY,KAAK,OAAO,IAAA;AAE5B,EAAA,MAAM,cAAA,GAAiB,OAAA,CAAQ,UAAA,CAAW,GAAG,CAAA;AAC7C,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,QAAA,CAAS,GAAG,CAAA;AAEzC,EAAA,IAAI,kBAAkB,YAAA,EAAc;AAElC,IAAA,MAAM,KAAA,GAAQ,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AACjC,IAAA,OAAO,KAAA,CAAM,MAAA,GAAS,CAAA,IAAK,QAAA,CAAS,SAAS,KAAK,CAAA;AACpD,EAAA;AACA,EAAA,IAAI,YAAA,EAAc;AAEhB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAA,EAAG,EAAE,CAAA;AAClC,IAAA,OAAO,QAAA,CAAS,WAAW,MAAM,CAAA;AACnC,EAAA;AACA,EAAA,IAAI,cAAA,EAAgB;AAElB,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,KAAA,CAAM,CAAC,CAAA;AAC9B,IAAA,OAAO,QAAA,CAAS,SAAS,MAAM,CAAA;AACjC,EAAA;AAEA,EAAA,OAAO,OAAA,KAAY,QAAA;AACrB;AAEA,IAAM,iBAAA,GAA4C;EAChD,CAAC,UAAA,CAAW,SAAS,GAAG,CAAA;EACxB,CAAC,UAAA,CAAW,QAAQ,
GAAG,CAAA;EACvB,CAAC,UAAA,CAAW,OAAO,GAAG;AACxB,CAAA;AAEO,SAAS,sBAAA,CACd,QACA,OAAA,EACS;AACT,EAAA,OAAA,CAAQ,kBAAkB,MAAM,CAAA,IAAK,EAAA,MAAQ,iBAAA,CAAkB,OAAO,CAAA,IAAK,QAAA,CAAA;AAC7E;AAiBA,SAAS,wBAAA,CACP,aACA,IAAA,EACS;AACT,EAAA,KAAA,MAAW,CAAC,GAAA,EAAK,UAAU,KAAK,MAAA,CAAO,OAAA,CAAQ,WAAW,CAAA,EAAG;AAC3D,IAAA,IAAI,EAAE,GAAA,IAAO,IAAA,CAAA,EAAO,OAAO,KAAA;AAC3B,IAAA,MAAM,QAAA,GAAW,KAAK,GAAG,CAAA;AAGzB,IAAA,IAAI,OAAO,eAAe,QAAA,EAAU;AAClC,MAAA,IAAI,eAAe,GAAA,EAAK;AACxB,MAAA,IAAI,OAAO,aAAa,QAAA,EAAU;AAChC,QAAA,IAAI,QAAA,KAAa,YAAY,OAAO,KAAA;MACtC,CAAA,MAAO;AACL,QAAA,OAAO,KAAA;AACT,MAAA;AACA,MAAA;AACF,IAAA;AAGA,IAAA,IAAI,OAAO,eAAe,QAAA,IAAY,UAAA,KAAe,QAAQ,CAAC,KAAA,CAAM,OAAA,CAAQ,UAAU,CAAA,EAAG;AACvF,MAAA,MAAM,GAAA,GAAM,UAAA;AACZ,MAAA,MAAM,QAAA,GAAW,OAAO,QAAA,KAAa,QAAA,GAAW,QAAA,GAAW,MAAA;AAC3D,MAAA,MAAM,QAAA,GAAW,OAAO,QAAA,KAAa,QAAA,GAAW,QAAA,GAAW,MAAA;AAE3D,MAAA,IAAI,WAAA,IAAe,GAAA,IAAO,OAAO,GAAA,CAAI,cAAc,QAAA,EAAU;AAC3D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,SAAS,GAAA,CAAI,SAAS,GAAG,OAAO,KAAA;AAC7D,MAAA;AACA,MAAA,IAAI,cAAA,IAAkB,GAAA,IAAO,OAAO,GAAA,CAAI,iBAAiB,QAAA,EAAU;AACjE,QAAA,IAAI,YAAY,QAAA,CAAS,QAAA,CAAS,GAAA,CAAI,YAAY,GAAG,OAAO,KAAA;AAC9D,MAAA;AACA,MAAA,IAAI,aAAA,IAAiB,GAAA,IAAO,OAAO,GAAA,CAAI,gBAAgB,QAAA,EAAU;AAC/D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,WAAW,GAAA,CAAI,WAAW,GAAG,OAAO,KAAA;AACjE,MAAA;AACA,MAAA,IAAI,WAAA,IAAe,GAAA,IAAO,OAAO,GAAA,CAAI,cAAc,QAAA,EAAU;AAC3D,QAAA,IAAI,CAAC,YAAY,CAAC,QAAA,CAAS,SAAS,GAAA,CAAI,SAAS,GAAG,OAAO,KAAA;AAC7D,MAAA;AACA,MAAA,IAAI,SAAS,GAAA,IAAO,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,GAAG,CAAA,EAAG;AAC1C,QAAA,IAAI,CAAC,GAAA,CAAI,GAAA,CAAI,QAAA,CAAS,QAAQ,GAAG,OAAO,KAAA;AAC1C,MAAA;AACA,MAAA,IAAI,YAAY,GAAA,IAAO,KAAA,CAAM,OAAA,CAAQ,GAAA,CAAI,MAAM,CAAA,EAAG;AAChD,QAAA,IAAI,GAAA,CAAI,MAAA,CAAO,QAAA,CAAS,QAAQ,GAAG,OAAO,KAAA;AAC5C,MAAA;AACA,MAAA,IAAI,KAAA,IAAS,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,QAAA,EAAU;AAC/C,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,IAAY,GAAA,CAAI,KAAK,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,KAAA,IAAS,GAAA,IAAO,OAAO,GAAA,CAAI,QAAQ,QAAA,EAAU;AAC/C,QAAA
,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,IAAY,GAAA,CAAI,KAAK,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,MAAA,IAAU,GAAA,IAAO,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AACjD,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,GAAW,GAAA,CAAI,MAAM,OAAO,KAAA;AAC5D,MAAA;AACA,MAAA,IAAI,MAAA,IAAU,GAAA,IAAO,OAAO,GAAA,CAAI,SAAS,QAAA,EAAU;AACjD,QAAA,IAAI,QAAA,KAAa,MAAA,IAAa,QAAA,GAAW,GAAA,CAAI,MAAM,OAAO,KAAA;AAC5D,MAAA;AAEA,MAAA;AACF,IAAA;AACF,EAAA;AACA,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,oBAAA,CACP,aACA,IAAA,EACS;AACT,EAAA,MAAM,KAAA,GAAQ,qBAAqB,IAAI,CAAA;AAGvC,EAAA,IAAI,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG,OAAO,IAAA;AAG/B,EAAA,OAAO,MAAM,KAAA,CAAM,CAAC,SAAS,aAAA,CAAc,IAAA,EAAM,WAAW,CAAC,CAAA;AAC/D;AClJO,SAAS,cAAA,CACd,WACA,OAAA,EACgB;AAChB,EAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAA;AAE9B,EAAA,MAAM,WAAA,GAAc,CAAC,GAAG,SAAA,CAAU,KAAK,CAAA,CAAE,IAAA;AACvC,IAAA,CAAC,CAAA,EAAG,CAAA,KAAM,CAAA,CAAE,QAAA,GAAW,CAAA,CAAE;AAAA,GAAA;AAG3B,EAAA,KAAA,MAAW,QAAQ,WAAA,EAAa;AAC9B,IAAA,IAAI,kBAAA,CAAmB,IAAA,EAAM,OAAO,CAAA,EAAG;AACrC,MAAA,MAAMC,QAAAA,GAAU,YAAY,GAAA,EAAA;AAC5B,MAAA,OAAO;AACL,QAAA,MAAA,EAAQ,IAAA,CAAK,MAAA;QACb,WAAA,EAAa,IAAA;AACb,QAAA,MAAA,EAAQ,CAAA,cAAA,EAAiB,IAAA,CAAK,EAAE,CAAA,GAAA,EAAM,KAAK,WAAW,CAAA,CAAA;QACtD,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AACtB,QAAA,gBAAA,EAAkBA,QAAAA,GAAU;AAAA,OAAA;AAEhC,IAAA;AACF,EAAA;AAEA,EAAA,MAAM,OAAA,GAAU,YAAY,GAAA,EAAA;AAC5B,EAAA,OAAO;IACL,MAAA,EAAQ,qBAAA;IACR,WAAA,EAAa,IAAA;IACb,MAAA,EAAQ,sDAAA;IACR,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AACtB,IAAA,gBAAA,EAAkB,OAAA,GAAU,SAAA;IAC5B,QAAA,EAAU;AACR,MAAA,cAAA,EAAgB,WAAA,CAAY,MAAA;AAC5B,MAAA,OAAA,EAAS,WAAA,CAAY,GAAA,CAAI,CAAC,CAAA,KAAM,EAAE,EAAE,CAAA;MACpC,cAAA,EAAgB;AACd,QAAA,IAAA,EAAM,OAAA,CAAQ,QAAA;AACd,QAAA,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,OAAA,CAAQ,SAAA,IAAa,EAAE;AAAA;AAChD;AACF,GAAA;AAEJ;AC/CO,SAAS,mBAAmB,KAAA,EAAkC;AACnE,EAAA,MAAM,SAAmB,EAAA;AACzB,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,MAAM,MAAA,GAAS,gBAAA,CAAiB,SAAA,CAAU,KAAK,CAAA;AAC/C,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,OAAO;MACL,KAAA,EAAO,KAAA;MACP,MAAA,EAAQ,MAAA,CAAO,MAAM,MAAA,CAAO,GAAA;QAC1B
,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA;AAAA,OAAA;AAE1C,MAAA,QAAA,EAAU;AAAC,KAAA;AAEf,EAAA;AAEA,EAAA,MAAM,OAAO,MAAA,CAAO,IAAA;AAEpB,EAAA,IAAI,IAAA,CAAK,WAAA,KAAgB,GAAA,IAAO,IAAA,CAAK,WAAW,OAAA,EAAS;AACvD,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,cAAc,CAAA;AAC5D,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,sBAAsB,SAAA,EAAW;AACxC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,sBAAsB,CAAA;AACpE,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,eAAe,SAAA,EAAW;AACjC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,sBAAsB,CAAA;AACpE,EAAA;AAEA,EAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,MAAA,EAAQ,QAAA,EAAA;AAChC;AAEO,SAAS,kBAAkB,KAAA,EAAkC;AAClE,EAAA,MAAM,SAAmB,EAAA;AACzB,EAAA,MAAM,WAAqB,EAAA;AAE3B,EAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,SAAA,CAAU,KAAK,CAAA;AAC9C,EAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,IAAA,OAAO;MACL,KAAA,EAAO,KAAA;MACP,MAAA,EAAQ,MAAA,CAAO,MAAM,MAAA,CAAO,GAAA;QAC1B,CAAC,CAAA,KAAM,GAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA;AAAA,OAAA;AAE1C,MAAA,QAAA,EAAU;AAAC,KAAA;AAEf,EAAA;AAEA,EAAA,MAAM,YAAY,MAAA,CAAO,IAAA;AAEzB,EAAA,IAAI,SAAA,CAAU,KAAA,CAAM,MAAA,GAAS,wBAAA,EAA0B;AACrD,IAAA,MAAA,CAAO,IAAA;AACL,MAAA,CAAA,8BAAA,EAAiC,wBAAwB,CAAA,MAAA;AAAA,KAAA;AAE7D,EAAA;AAEA,EAAA,MAAM,OAAA,uBAAc,GAAA,EAAA;AACpB,EAAA,KAAA,MAAW,IAAA,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,IAAI,OAAA,CAAQ,GAAA,CAAI,IAAA,CAAK,EAAE,CAAA,EAAG;AACxB,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,oBAAA,EAAuB,IAAA,CAAK,EAAE,CAAA,CAAA,CAAG,CAAA;AAC/C,IAAA;AACA,IAAA,OAAA,CAAQ,GAAA,CAAI,KAAK,EAAE,CAAA;AACrB,EAAA;AAEA,EAAA,KAAA,MAAW,IAAA,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,MAAM,UAAA,GAAa,mBAAmB,IAAI,CAAA;AAC1C,IAAA,QAAA,CAAS,IAAA,CAAK,GAAG,UAAA,CAAW,QAAQ,CAAA;AACtC,EAAA;AAEA,EAAA,MAAM,WAAA,GAAc,UAAU,KAAA,CAAM,IAAA,CAAK,CAAC,CAAA,KAAM,CAAA,CAAE,WAAW,MAAM,CAAA;AACnE,EAAA,IAAI,CAAC,WAAA,IAAe,SAAA,CAAU,KAAA,CAAM,SAAS,CAAA,EAAG;AAC9C,IAAA,QAAA,CAAS,IAAA;AACP,MAAA;AAAA,KAAA;AAEJ,EAAA;AAEA,EAAA,OAAO;AACL,IAAA,KAAA,EAAO,OAAO,MAAA,KAAW,CAAA;AACzB,IAAA,MAAA;AACA,IAAA;AAAA,GAAA;AAEJ;AChFO,SAAS,wBACd,SAAA,EAC4B;AAC5B,EAAA,MAAM,WAA8B,EAAA;AAEpC,EAAA,KAAA,MAAW,IAA
A,IAAQ,UAAU,KAAA,EAAO;AAClC,IAAA,QAAA,CAAS,IAAA,CAAK,GAAG,mBAAA,CAAoB,IAAI,CAAC,CAAA;AAC5C,EAAA;AAEA,EAAA,MAAM,UAAA,GAAa,UAAU,KAAA,CAAM,MAAA;AACjC,IAAA,CAAC,CAAA,KAAM,CAAA,CAAE,MAAA,KAAW,OAAA,IAAW,CAAA,CAAE;AAAA,GAAA;AAEnC,EAAA,MAAM,iBAAiB,UAAA,CAAW,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,gBAAgB,GAAG,CAAA;AAErE,EAAA,IAAI,cAAA,CAAe,SAAS,CAAA,EAAG;AAC7B,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,UAAA;MACP,IAAA,EAAM,gBAAA;AACN,MAAA,OAAA,EAASC,6BAAAA,CAA8B,cAAA;MACvC,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,QAAA;AACT;AAEA,SAAS,oBAAoB,IAAA,EAAqC;AAChE,EAAA,MAAM,WAA8B,EAAA;AAEpC,EAAA,IAAI,IAAA,CAAK,MAAA,KAAW,OAAA,IAAW,IAAA,CAAK,sBAAsB,WAAA,EAAa;AACrE,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,UAAA;MACP,IAAA,EAAM,iBAAA;MACN,OAAA,EAAS,CAAA,MAAA,EAAS,KAAK,EAAE,CAAA,qFAAA,CAAA;AACzB,MAAA,MAAA,EAAQ,IAAA,CAAK,EAAA;MACb,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,IAAI,IAAA,CAAK,MAAA,KAAW,OAAA,IAAW,IAAA,CAAK,eAAe,SAAA,EAAW;AAC5D,IAAA,QAAA,CAAS,IAAA,CAAK;MACZ,KAAA,EAAO,SAAA;MACP,IAAA,EAAM,eAAA;AACN,MAAA,OAAA,EAASA,6BAAAA,CAA8B,sBAAA;AACvC,MAAA,MAAA,EAAQ,IAAA,CAAK,EAAA;MACb,cAAA,EACE;KACH,CAAA;AACH,EAAA;AAEA,EAAA,OAAO,QAAA;AACT;AC1DO,SAAS,0BAAA,GAAwC;AACtD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;IACL,EAAA,EAAI,cAAA;IACJ,IAAA,EAAM,kBAAA;IACN,WAAA,EACE,yFAAA;IACF,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;QACE,EAAA,EAAI,kBAAA;QACJ,WAAA,EAAa,qCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,OAAA;AACvB,QAAA,iBAAA,EAAmBC,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,gBAAA;QACJ,WAAA,EAAa,sCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,KAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,eAAA;QACJ,WAAA,EAAa,qCAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,IAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAA
Y,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AAOO,SAAS,yBAAA,GAAuC;AACrD,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;IACL,EAAA,EAAI,YAAA;IACJ,IAAA,EAAM,wBAAA;IACN,WAAA,EAAa,0GAAA;IACb,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;QACE,EAAA,EAAI,mBAAA;QACJ,WAAA,EAAa,2BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,OAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,gBAAA;QACJ,WAAA,EAAa,2BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA,OAAA;AAEb,MAAA;QACE,EAAA,EAAI,iBAAA;QACJ,WAAA,EAAa,4BAAA;AACb,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;QACV,WAAA,EAAa,GAAA;AACb,QAAA,UAAA,EAAY,UAAA,CAAW,KAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,SAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AAMO,SAAS,wBAAwB,WAAA,EAAgC;AACtE,EAAA,MAAM,GAAA,GAAA,iBAAM,IAAI,IAAA,EAAA,EAAO,WAAA,EAAA;AAEvB,EAAA,OAAO;AACL,IAAA,EAAA,EAAI,aAAa,WAAW,CAAA,CAAA;AAC5B,IAAA,IAAA,EAAM,cAAc,WAAW,CAAA,CAAA;AAC/B,IAAA,WAAA,EAAa,yCAAyC,WAAW,CAAA,4BAAA,CAAA;IACjE,OAAA,EAAS,CAAA;IACT,KAAA,EAAO;AACL,MAAA;AACE,QAAA,EAAA,EAAI,cAAc,WAAW,CAAA,CAAA;AAC7B,QAAA,WAAA,EAAa,wBAAwB,WAAW,CAAA,CAAA;AAChD,QAAA,MAAA,EAAQ,YAAA,CAAa,KAAA;QACrB,QAAA,EAAU,GAAA;AACV,QAAA,WAAA;AACA,QAAA,UAAA,EAAY,UAAA,CAAW,IAAA;AACvB,QAAA,iBAAA,EAAmBA,UAAAA,CAAW,QAAA;QAC9B,OAAA,EAAS,IAAA;QACT,SAAA,EAAW,GAAA;QACX,SAAA,EAAW;AAAA;AACb,KAAA;IAEF,SAAA,EAAW,GAAA;IACX,SAAA,EAAW;AAAA,GAAA;AAEf;AC3HO,IAAM,eAAN,MAAmB;AAChB,EAAA,SAAA;AACS,EAAA,SAAA;AACA,EAAA,KAAA;AAEjB,EAAA,WAAA,CAAY,OAAA,EAIT;AACD,IAAA,IAAA,CAAK,SAAA,GAAY,O
AAA,EAAS,SAAA,IAAa,0BAAA,EAAA;AACvC,IAAA,IAAA,CAAK,SAAA,GAAY,SAAS,SAAA,IAAa,4BAAA;AACvC,IAAA,IAAA,CAAK,KAAA,GAAQ,SAAS,KAAA,IAAS,IAAA;AACjC,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,OAAA,EAA2C;AAClD,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAA;AAC9B,IAAA,MAAM,QAAA,GAAW,cAAA,CAAe,IAAA,CAAK,SAAA,EAAW,OAAO,CAAA;AACvD,IAAA,MAAM,OAAA,GAAU,WAAA,CAAY,GAAA,EAAA,GAAQ,SAAA;AAEpC,IAAA,IAAI,OAAA,GAAU,KAAK,SAAA,EAAW;AAC5B,MAAA,OAAA,CAAQ,IAAA;QACN,CAAA,mCAAA,EAAsC,OAAA,CAAQ,QAAQ,CAAC,CAAC,cAC7C,IAAA,CAAK,SAAS,CAAA,cAAA,EAAiB,OAAA,CAAQ,QAAQ,CAAA,CAAA;AAAA,OAAA;AAE9D,IAAA;AAEA,IAAA,OAAO,QAAA;AACT,EAAA;;;;;AAMA,EAAA,aAAA,CACE,WACA,OAAA,EACkB;AAClB,IAAA,MAAM,UAAA,GAAa,kBAAkB,SAAS,CAAA;AAC9C,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,UAAA;AACT,IAAA;AACA,IAAA,IAAA,CAAK,SAAA,GAAY,SAAA;AAEjB,IAAA,IAAI,KAAK,KAAA,EAAO;AACd,MAAA,IAAA,CAAK,KAAA,CAAM,WAAA;AACT,QAAA,SAAA;AACA,QAAA,OAAA,EAAS,MAAA,IAAU,gBAAA;AACnB,QAAA,OAAA,EAAS,SAAA,IAAa;AAAA,OAAA;AAE1B,IAAA;AAEA,IAAA,OAAO,UAAA;AACT,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,OAAA,EAAgC;AACvC,IAAA,IAAI,CAAC,KAAK,KAAA,EAAO;AACf,MAAA,MAAM,IAAI,MAAM,8CAA8C,CAAA;AAChE,IAAA;AAEA,IAAA,MAAM,gBAAgB,IAAA,CAAK,KAAA,CAAM,SAAS,IAAA,CAAK,SAAA,CAAU,IAAI,OAAO,CAAA;AACpE,IAAA,IAAA,CAAK,YAAY,aAAA,CAAc,SAAA;AAC/B,IAAA,OAAO,aAAA;AACT,EAAA;EAEA,YAAA,GAAoC;AAClC,IAAA,OAAO,IAAA,CAAK,SAAA;AACd,EAAA;EAEA,mBAAA,GAAkD;AAChD,IAAA,OAAO,uBAAA,CAAwB,KAAK,SAAS,CAAA;AAC/C,EAAA;EAEA,QAAA,GAA+B;AAC7B,IAAA,OAAO,IAAA,CAAK,KAAA;AACd,EAAA;EAEA,KAAA,GAAc;AACZ,IAAA,IAAA,CAAK,YAAY,0BAAA,EAAA;AACnB,EAAA;AACF;AC3EO,IAAM,cAAN,MAAkB;AACN,EAAA,QAAA,uBAAe,GAAA,EAAA;;;;;EAMhC,WAAA,CACE,SAAA,EACA,QACA,SAAA,EACe;AACf,IAAA,MAAM,KAAK,SAAA,CAAU,EAAA;AACrB,IAAA,MAAM,UAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,KAAK,EAAA;AAEzC,IAAA,MAAM,aAAA,GAAgB,QAAQ,MAAA,GAAS,CAAA,GAAI,QAAQ,OAAA,CAAQ,MAAA,GAAS,CAAC,CAAA,CAAG,OAAA,GAAU,CAAA;AAElF,IAAA,MAAM,OAAA,GAAyB;AAC7B,MAAA,OAAA,EAAS,aAAA,GAAgB,CAAA;AACzB,MAAA,SAAA,EAAW,MAAA,CAAO,MAAA,CAAO,EAAE,GAAG,WAAW,CAAA;MACzC,IAAA,EAAM,IAAA,CAAK,YAAY,SAAS,CAAA;AAChC,MAAA,MAAA;AACA,MAAA,SAAA;MACA,SAAA,EAAA,iBAA
W,IAAI,IAAA,EAAA,EAAO,WAAA;AAAY,KAAA;AAGpC,IAAA,MAAM,UAAA,GAAa,CAAC,GAAG,OAAA,EAAS,OAAO,CAAA;AACvC,IAAA,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAA,EAAI,UAAU,CAAA;AAEhC,IAAA,OAAO,OAAA;AACT,EAAA;;;;AAKA,EAAA,UAAA,CAAW,IAAY,OAAA,EAAuC;AAC5D,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,CAAA;AACpC,IAAA,IAAI,CAAC,SAAS,OAAO,IAAA;AACrB,IAAA,OAAO,QAAQ,IAAA,CAAK,CAAC,MAAM,CAAA,CAAE,OAAA,KAAY,OAAO,CAAA,IAAK,IAAA;AACvD,EAAA;;;;AAKA,EAAA,SAAA,CAAU,EAAA,EAAkC;AAC1C,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,CAAA;AACpC,IAAA,IAAI,CAAC,OAAA,IAAW,OAAA,CAAQ,MAAA,KAAW,GAAG,OAAO,IAAA;AAC7C,IAAA,OAAO,OAAA,CAAQ,OAAA,CAAQ,MAAA,GAAS,CAAC,CAAA;AACnC,EAAA;;;;AAKA,EAAA,UAAA,CAAW,EAAA,EAAsC;AAC/C,IAAA,OAAO,IAAA,CAAK,QAAA,CAAS,GAAA,CAAI,EAAE,KAAK,EAAA;AAClC,EAAA;;;;;AAMA,EAAA,QAAA,CAAS,IAAY,SAAA,EAAkC;AACrD,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,EAAA,EAAI,SAAS,CAAA;AAC5C,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,KAAA,CAAM,CAAA,QAAA,EAAW,SAAS,CAAA,uBAAA,EAA0B,EAAE,CAAA,CAAA,CAAG,CAAA;AACrE,IAAA;AAEA,IAAA,OAAO,IAAA,CAAK,WAAA;MACV,MAAA,CAAO,SAAA;AACP,MAAA,CAAA,oBAAA,EAAuB,SAAS,CAAA,CAAA;AAChC,MAAA;AAAA,KAAA;AAEJ,EAAA;;;;AAKA,EAAA,IAAA,CAAK,IAAmB,EAAA,EAA+B;AACrD,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,EAAA,CAAG,UAAU,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,EAAA,EAAI,CAAC,CAAC,CAAC,CAAA;AACpE,IAAA,MAAM,WAAA,GAAc,IAAI,GAAA,CAAI,EAAA,CAAG,UAAU,KAAA,CAAM,GAAA,CAAI,CAAC,CAAA,KAAM,CAAC,CAAA,CAAE,EAAA,EAAI,CAAC,CAAC,CAAC,CAAA;AAEpE,IAAA,MAAM,QAAsB,EAAA;AAC5B,IAAA,MAAM,UAAwB,EAAA;AAC9B,IAAA,MAAM,WAAmD,EAAA;AAGzD,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,WAAA,EAAa;AACvC,MAAA,MAAM,OAAA,GAAU,WAAA,CAAY,GAAA,CAAI,EAAE,CAAA;AAClC,MAAA,IAAI,CAAC,OAAA,EAAS;AACZ,QAAA,KAAA,CAAM,KAAK,OAAO,CAAA;AACpB,MAAA,CAAA,MAAA,IAAW,KAAK,SAAA,CAAU,OAAO,MAAM,IAAA,CAAK,SAAA,CAAU,OAAO,CAAA,EAAG;AAC9D,QAAA,QAAA,CAAS,KAAK,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,SAAS,CAAA;AAC9C,MAAA;AACF,IAAA;AAGA,IAAA,KAAA,MAAW,CAAC,EAAA,EAAI,OAAO,CAAA,IAAK,WAAA,EAAa;AACvC,MAAA,IAAI,CAAC,WAAA,CAAY,GAAA,CAAI,EAAE,CAAA,EAAG;AACxB,QAAA
,OAAA,CAAQ,KAAK,OAAO,CAAA;AACtB,MAAA;AACF,IAAA;AAEA,IAAA,OAAO,EAAE,KAAA,EAAO,OAAA,EAAS,QAAA,EAAA;AAC3B,EAAA;;;;AAKA,EAAA,WAAA,CAAY,SAAA,EAA8B;AACxC,IAAA,MAAM,UAAA,GAAa,KAAK,SAAA,CAAU,SAAA,EAAW,OAAO,IAAA,CAAK,SAAS,CAAA,CAAE,IAAA,EAAM,CAAA;AAC1E,IAAA,OAAO,WAAW,QAAQ,CAAA,CAAE,OAAO,UAAU,CAAA,CAAE,OAAO,KAAK,CAAA;AAC7D,EAAA;AACF;;;ACvHO,IAAM,cAAA,GAA4C,OAAO,MAAA,CAAO;AAAA,EACrE,eAAA,EAAiB,IAAA;AAAA,EACjB,aAAA,EAAe,IAAA;AAAA,EACf,QAAA,EAAU,MAAA;AAAA,EACV,mBAAA,EAAqB,GAAA;AAAA,EACrB,aAAA,EAAe,KAAA;AAAA,EACf,wBAAA,EAA0B,GAAA;AAAA,EAC1B,gBAAA,EAAkB,EAAA;AAAA,EAClB,eAAA,EAAiB,EAAA;AAAA,EACjB,gBAAA,EAAkB,0BAAA;AAAA,EAClB,uBAAA,EAAyB;AAC3B,CAAC;AAEM,SAAS,cACd,UAAA,EACiD;AACjD,EAAA,MAAM,WAAqB,EAAC;AAC5B,EAAA,MAAM,MAAA,GAAS,EAAE,GAAG,cAAA,EAAgB,GAAG,UAAA,EAAW;AAElD,EAAA,IAAI,CAAC,OAAO,eAAA,EAAiB;AAC3B,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,mBAAmB,CAAA;AAAA,EACjE;AACA,EAAA,IAAI,MAAA,CAAO,6BAA6B,CAAA,EAAG;AACzC,IAAA,QAAA,CAAS,IAAA,CAAK,8BAA8B,eAAe,CAAA;AAAA,EAC7D;AACA,EAAA,IAAI,OAAO,aAAA,EAAe;AACxB,IAAA,QAAA,CAAS,IAAA;AAAA,MACP;AAAA,KACF;AAAA,EACF;AACA,EAAA,IAAI,MAAA,CAAO,WAAA,IAAe,MAAA,CAAO,WAAA,CAAY,SAAS,EAAA,EAAI;AACxD,IAAA,QAAA,CAAS,IAAA;AAAA,MACP;AAAA,KACF;AAAA,EACF;AAEA,EAAA,OAAO,EAAE,QAAQ,QAAA,EAAS;AAC5B;ACbA,eAAsB,iBAAA,CACpB,MAAA,EACA,YAAA,EACA,OAAA,EAC4B;AAC5B,EAAA,MAAM,YAAY,UAAA,EAAW;AAC7B,EAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAEzC,EAAA,MAAM,OAAA,GAAU,qBAAA,CAAsB,EAAE,SAAA,EAAW,CAAA;AAEnD,EAAA,MAAM,OAAA,GAA4B;AAAA,IAChC,OAAA;AAAA,IACA,UAAU,MAAA,CAAO,IAAA;AAAA,IACjB,UAAA,EAAY,SAAA;AAAA,IACZ,SAAA,EAAW,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,IAChC,oBAAoB,UAAA,CAAW,OAAA;AAAA,IAC/B;AAAA,GACF;AAGA,EAAA,IAAI,QAAQ,WAAA,EAAa;AAEvB,IAAA,IAAI,QAAQ,gBAAA,EAAkB;AAC5B,MAAA,MAAM,SAAA,GAAY,QAAQ,WAAA,CAAY,UAAA;AAAA,QACpC,MAAA,CAAO,IAAA;AAAA,QACP,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,UAAU,OAAA,EAAS;AACtB,QAAA,MAAM,MAAA,GAA0B;AAAA,UAC9B,MAAA,EAAQ,OAAA;AAAA,UACR,OAAA;AAAA,UACA,OAAO,IAAI,cAAA,CAAe,MAAA,CAAO,IAAA,EAAM,QAAQ,gBAAgB,CAAA;AAAA,UAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAA
Y,SACpC;AACA,QAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,QAAA,OAAO,sBAAA;AAAA,UACL,CAAA,8BAAA,EAAiC,OAAO,IAAI,CAAA,CAAA;AAAA,SAC9C;AAAA,MACF;AAAA,IACF;AAGA,IAAA,IAAI,QAAQ,wBAAA,EAA0B;AACpC,MAAA,MAAM,WAAA,GAAc,QAAQ,WAAA,CAAY,gBAAA;AAAA,QACtC,OAAA,CAAQ;AAAA,OACV;AACA,MAAA,IAAI,CAAC,YAAY,OAAA,EAAS;AACxB,QAAA,MAAM,MAAA,GAA0B;AAAA,UAC9B,MAAA,EAAQ,OAAA;AAAA,UACR,OAAA;AAAA,UACA,KAAA,EAAO,IAAI,cAAA,CAAe,GAAA,EAAK,QAAQ,wBAAwB,CAAA;AAAA,UAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,SACpC;AACA,QAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,QAAA,OAAO,uBAAuB,4BAA4B,CAAA;AAAA,MAC5D;AAAA,IACF;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,eAAA,IAAmB,MAAA,CAAO,SAAA,EAAW;AAC/C,IAAA,MAAM,WAAA,GAAc,QAAQ,gBAAA,IAAoB,0BAAA;AAChD,IAAA,MAAM,YAAA,GAAe,aAAA,CAAc,WAAA,EAAa,MAAA,CAAO,WAAW,WAAW,CAAA;AAE7E,IAAA,IAAI,CAAC,aAAa,IAAA,EAAM;AACtB,MAAA,MAAM,kBAAA,GAAqB,aAAa,OAAA,CAAQ,GAAA;AAAA,QAC9C,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAI,KAAK,CAAA,CAAE,WAAW,CAAA,SAAA,EAAY,CAAA,CAAE,KAAK,CAAA,CAAA;AAAA,OACvD;AACA,MAAA,MAAM,MAAA,GAA0B;AAAA,QAC9B,MAAA,EAAQ,OAAA;AAAA,QACR,OAAA;AAAA,QACA,KAAA,EAAO,IAAI,qBAAA,CAAsB,MAAA,CAAO,MAAM,kBAAkB,CAAA;AAAA,QAChE,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACpC;AACA,MAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,MAAA,MAAM,SAAS,OAAA,CAAQ,aAAA,GACnB,4BAA4B,YAAA,CAAa,OAAA,CAAQ,MAAM,CAAA,mBAAA,CAAA,GACvD,0BAAA;AACJ,MAAA,OAAO,uBAAuB,MAAM,CAAA;AAAA,IACtC;AAAA,EACF;AAGA,EAAA,MAAM,QAAA,GAAW,OAAA,CAAQ,YAAA,CAAa,QAAA,CAAS,OAAO,CAAA;AAEtD,EAAA,IAAI,QAAA,CAAS,WAAW,MAAA,EAAQ;AAC9B,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,QAAA;AAAA,MACR,OAAA;AAAA,MACA,QAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,aAAA,GACnB,QAAA,CAAS,MAAA,GACT,2CAAA;AACJ,IAAA,OAAO,uBAAuB,MAAM,CAAA;AAAA,EACtC;AAGA,EAAA,IAAI,eAAA;AACJ,EAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,IAAA,eAAA,GAAkB,QAAQ,WAAA,CAAY,KAAA;AAAA,MACpC,SAAA;AAAA,MACA,CAAC,WAAW,OAAO,CAAA;AAAA,MACnB,CAAC,OAAO,IAAI;AAAA,KACd;AAAA,EACF;AAGA,EAAA,IAAI,OAAA,CAAQ,kBAAkB,eAAA,EAAiB;AAC7C,IAAA,OAAA,CAAQ,cA
AA,CAAe,mBAAA,CAAoB,MAAA,EAAQ,eAAe,CAAA;AAAA,EACpE;AAGA,EAAA,IAAI;AACF,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,MAAM,UAAA,GAAa,MAAM,YAAA,CAAa,MAAM,CAAA;AAC5C,IAAA,MAAM,UAAA,GAAa,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AAGvC,IAAA,IAAI,QAAQ,WAAA,EAAa;AACvB,MAAA,OAAA,CAAQ,WAAA,CAAY,UAAA,CAAW,MAAA,CAAO,IAAI,CAAA;AAAA,IAC5C;AAGA,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,SAAA;AAAA,MACR,OAAA;AAAA,MACA,QAAA;AAAA,MACA,UAAA;AAAA,MACA,UAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAE3B,IAAA,OAAO,UAAA;AAAA,EACT,SAAS,KAAA,EAAO;AACd,IAAA,MAAM,MAAA,GAA0B;AAAA,MAC9B,MAAA,EAAQ,OAAA;AAAA,MACR,OAAA;AAAA,MACA,KAAA,EAAO,KAAA,YAAiB,KAAA,GACpB,IAAI,kBAAkB,MAAA,CAAO,IAAA,EAAM,KAAA,CAAM,OAAO,CAAA,GAChD,IAAI,iBAAA,CAAkB,MAAA,CAAO,MAAM,wBAAwB,CAAA;AAAA,MAC/D,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACpC;AACA,IAAA,OAAA,CAAQ,aAAa,MAAM,CAAA;AAC3B,IAAA,MAAM,KAAA;AAAA,EACR;AACF;;;ACtMA,IAAM,eAAA,GAA4C;AAAA,EAChD,KAAA,EAAO,CAAA;AAAA,EACP,IAAA,EAAM,CAAA;AAAA,EACN,IAAA,EAAM,CAAA;AAAA,EACN,KAAA,EAAO;AACT,CAAA;AAMO,IAAM,iBAAN,MAAqB;AAAA,EACT,QAAA;AAAA,EACA,OAAA;AAAA,EAEjB,YAAY,OAAA,EAAgD;AAC1D,IAAA,IAAA,CAAK,WAAW,OAAA,CAAQ,KAAA;AACxB,IAAA,IAAA,CAAK,UAAU,OAAA,CAAQ,OAAA;AAAA,EACzB;AAAA,EAEA,YAAY,MAAA,EAA+B;AACzC,IAAA,IAAI,CAAC,KAAK,OAAA,EAAS;AAEnB,IAAA,MAAM,KAAA,GAAQ;AAAA,MACZ,IAAA,EAAM,mBAAA;AAAA,MACN,QAAQ,MAAA,CAAO,MAAA;AAAA,MACf,QAAA,EAAU,OAAO,OAAA,CAAQ,QAAA;AAAA,MACzB,UAAA,EAAY,OAAO,OAAA,CAAQ,kBAAA;AAAA,MAC3B,UAAA,EAAY,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,UAAA;AAAA,MACnC,SAAA,EAAW,MAAA,CAAO,OAAA,CAAQ,OAAA,CAAQ,SAAA;AAAA,MAClC,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,GAAI,MAAA,CAAO,MAAA,KAAW,aAAa,EAAE,UAAA,EAAY,OAAO,UAAA,EAAW;AAAA,MACnE,GAAI,OAAO,MAAA,KAAW,QAAA,IAAY,EAAE,MAAA,EAAQ,MAAA,CAAO,SAAS,MAAA,EAAO;AAAA,MACnE,GAAI,OAAO,MAAA,KAAW,OAAA,IAAW,EAAE,KAAA,EAAO,MAAA,CAAO,MAAM,IAAA;AAAK,KAC9D;AAEA,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,QAAA,IAAY,MAAA,CAAO,WAAW,OAAA,EAAS;AAC3D,MAAA,IAAA,CAAK,GAAA,CAAI,QAAQ,KAAK,CAAA;AAAA,IACxB,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,GAAA,CAAI,QAAQ,KA
AK,CAAA;AAAA,IACxB;AAAA,EACF;AAAA,EAEQ,GAAA,CAAI,OAAiB,IAAA,EAAqC;AAChE,IAAA,IAAI,gBAAgB,KAAK,CAAA,GAAI,eAAA,CAAgB,IAAA,CAAK,QAAQ,CAAA,EAAG;AAE7D,IAAA,MAAM,SAAS,IAAA,CAAK,SAAA,CAAU,EAAE,KAAA,EAAO,GAAG,MAAM,CAAA;AAChD,IAAA,QAAQ,KAAA;AAAO,MACb,KAAK,OAAA;AACH,QAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACrC,QAAA;AAAA,MACF,KAAK,MAAA;AACH,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACpC,QAAA;AAAA,MACF,KAAK,OAAA;AACH,QAAA,OAAA,CAAQ,KAAA,CAAM,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AACrC,QAAA;AAAA,MACF;AACE,QAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,MAAM,CAAA,CAAE,CAAA;AAAA;AACxC,EACF;AACF;AC3CO,IAAM,cAAN,MAAkB;AAAA,EACN,MAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAAY;AAAA,EAC7B,aAAA,uBAAoB,GAAA,EAAY;AAAA,EAEjD,YAAY,MAAA,EAAqB;AAC/B,IAAA,IAAI,MAAA,CAAO,MAAA,CAAO,MAAA,GAAS,iBAAA,EAAmB;AAC5C,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,iCAAiC,iBAAiB,CAAA,WAAA;AAAA,OACpD;AAAA,IACF;AACA,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AACrB,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,yBAAA;AACvC,IAAA,IAAA,CAAK,SAAS,MAAA,CAAO,MAAA;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,KAAA,CACE,WACA,WAAA,EACA,SAAA,EACA,cAAiC,CAAC,GAAG,GACrC,SAAA,EACQ;AACR,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,MAAM,MAAMC,UAAAA,EAAW;AAEvB,IAAA,MAAM,OAAA,GAA2B;AAAA,MAC/B,GAAA;AAAA,MACA,KAAK,IAAA,CAAK,MAAA;AAAA,MACV,GAAA,EAAK,SAAA;AAAA,MACL,GAAA,EAAK,GAAA;AAAA,MACL,GAAA,EAAK,MAAM,IAAA,CAAK,UAAA;AAAA,MAChB,WAAA,EAAa,CAAC,GAAG,WAAW,CAAA;AAAA,MAC5B,SAAA,EAAW,CAAC,GAAG,SAAS,CAAA;AAAA,MACxB,WAAA,EAAa,CAAC,GAAG,WAAW,CAAA;AAAA,MAC5B,GAAI,SAAA,IAAa,EAAE,WAAW,CAAC,GAAG,SAAS,CAAA;AAAE,KAC/C;AAEA,IAAA,OAAO,IAAA,CAAK,KAAK,OAAO,CAAA;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,KAAA,EAAwC;AAE7C,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,cAAA,CAAe,KAAK,CAAA;AACxC,IAAA,IAAI,CAAC,MAAA,CAAO,KAAA,IAAS,CAAC,OAAO,OAAA,EAAS;AACpC,MAAA,OAAO,MAAA;AAAA,IACT;AAEA,IAAA,MAAM,UAAU,MAAA,CAAO,OAAA;AAGvB,IAAA,MAAM,MAAM,IAAA,CAAK,KAAA,CAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AACxC,IAAA,IAAI,OAAA,CAAQ,OAAO,GAAA,EAAK;AACtB,M
AAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,eAAA,EAAgB;AAAA,IACjD;AAGA,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,EAAG;AACvC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,wBAAA,EAAyB;AAAA,IAC1D;AAGA,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA,EAAG;AACpC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,sCAAA,EAAuC;AAAA,IACxE;AAGA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,GAAG,CAAA;AAE/B,IAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,OAAA,EAAQ;AAAA,EAChC;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,GAAA,EAAmB;AACxB,IAAA,IAAA,CAAK,aAAA,CAAc,IAAI,GAAG,CAAA;AAAA,EAC5B;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,GAAA,EAAsB;AAC9B,IAAA,OAAO,IAAA,CAAK,aAAA,CAAc,GAAA,CAAI,GAAG,CAAA;AAAA,EACnC;AAAA;AAAA,EAIQ,KAAK,OAAA,EAAkC;AAC7C,IAAA,MAAM,MAAA,GAAS,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,EAAE,KAAK,eAAA,EAAiB,GAAA,EAAK,KAAA,EAAO,CAAC,CAAA;AACnF,IAAA,MAAM,IAAA,GAAO,eAAA,CAAgB,IAAA,CAAK,SAAA,CAAU,OAAO,CAAC,CAAA;AACpD,IAAA,MAAM,YAAY,IAAA,CAAK,gBAAA,CAAiB,GAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAC3D,IAAA,OAAO,CAAA,EAAG,MAAM,CAAA,CAAA,EAAI,IAAI,IAAI,SAAS,CAAA,CAAA;AAAA,EACvC;AAAA,EAEQ,eAAe,KAAA,EAAwC;AAC7D,IAAA,MAAM,KAAA,GAAQ,KAAA,CAAM,KAAA,CAAM,GAAG,CAAA;AAC7B,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,sBAAA,EAAuB;AAAA,IACxD;AAEA,IAAA,MAAM,CAAC,MAAA,EAAQ,IAAA,EAAM,SAAS,CAAA,GAAI,KAAA;AAClC,IAAA,MAAM,oBAAoB,IAAA,CAAK,gBAAA,CAAiB,GAAG,MAAM,CAAA,CAAA,EAAI,IAAI,CAAA,CAAE,CAAA;AAEnE,IAAA,IAAI,cAAc,iBAAA,EAAmB;AACnC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,yBAAA,EAA0B;AAAA,IAC3D;AAEA,IAAA,IAAI;AACF,MAAA,MAAM,OAAA,GAAU,IAAA,CAAK,KAAA,CAAM,eAAA,CAAgB,IAAI,CAAC,CAAA;AAChD,MAAA,OAAO,EAAE,KAAA,EAAO,IAAA,EAAM,OAAA,EAAQ;AAAA,IAChC,CAAA,CAAA,MAAQ;AACN,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,uBAAA,EAAwB;AAAA,IACzD;AAAA,EACF;AAAA,EAEQ,iBAAiB,IAAA,EAAsB;AAC7C,IAAA,OAAO,eAAA;AAAA,MACL,UAAA,CAAW,UAAU,IAAA,CAAK,MAAM,EAAE,MAAA,CAAO,IAAI,CAAA,CAAE,MAAA,CAAO,QAAQ;AAAA,KAChE;AAAA,EACF;AACF;AAEA,SAAS,gBAAgB,GAAA,EAAqB;AAC5C,EAAA,OAAO,OAAO,IAAA,CAAK,GAAG,CAAA,CACnB,QA
AA,CAAS,QAAQ,CAAA,CACjB,OAAA,CAAQ,KAAA,EAAO,GAAG,EAClB,OAAA,CAAQ,KAAA,EAAO,GAAG,CAAA,CAClB,OAAA,CAAQ,OAAO,EAAE,CAAA;AACtB;AAEA,SAAS,gBAAgB,GAAA,EAAqB;AAC5C,EAAA,MAAM,MAAA,GAAS,MAAM,GAAA,CAAI,MAAA,CAAA,CAAQ,IAAK,GAAA,CAAI,MAAA,GAAS,KAAM,CAAC,CAAA;AAC1D,EAAA,OAAO,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,EAAG,QAAQ,EAAE,QAAA,EAAS;AACtF;ACpIO,IAAM,iBAAN,MAAqB;AAAA,EACT,aAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA,uBAAiB,GAAA,EAAY;AAAA,EAE9C,YAAY,MAAA,EAGT;AACD,IAAA,IAAI,MAAA,CAAO,aAAA,CAAc,MAAA,GAAS,EAAA,EAAI;AACpC,MAAA,MAAM,IAAI,MAAM,+CAA+C,CAAA;AAAA,IACjE;AACA,IAAA,IAAA,CAAK,gBAAgB,MAAA,CAAO,aAAA;AAC5B,IAAA,IAAA,CAAK,QAAA,GAAW,OAAO,QAAA,IAAY,GAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA,EAKA,WAAA,CAAY,QAA2B,eAAA,EAAiC;AACtE,IAAA,MAAM,OAAO,IAAA,CAAK,SAAA,CAAU,EAAE,MAAA,EAAQ,iBAAiB,CAAA;AACvD,IAAA,OAAOC,UAAAA,CAAW,UAAU,IAAA,CAAK,aAAa,EAC3C,MAAA,CAAO,IAAI,CAAA,CACX,MAAA,CAAO,KAAK,CAAA;AAAA,EACjB;AAAA;AAAA;AAAA;AAAA,EAKA,eAAA,CACE,MAAA,EACA,eAAA,EACA,SAAA,EACS;AACT,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,WAAA,CAAY,MAAA,EAAQ,eAAe,CAAA;AAEzD,IAAA,IAAI,QAAA,CAAS,MAAA,KAAW,SAAA,CAAU,MAAA,EAAQ,OAAO,KAAA;AACjD,IAAA,IAAI,MAAA,GAAS,CAAA;AACb,IAAA,KAAA,IAAS,CAAA,GAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,QAAQ,CAAA,EAAA,EAAK;AACxC,MAAA,MAAA,IAAU,SAAS,UAAA,CAAW,CAAC,CAAA,GAAI,SAAA,CAAU,WAAW,CAAC,CAAA;AAAA,IAC3D;AACA,IAAA,OAAO,MAAA,KAAW,CAAA;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA,EAKA,mBAAA,CACE,QACA,eAAA,EACkB;AAClB,IAAA,MAAM,SAAA,GAAA,iBAAY,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AACzC,IAAA,MAAM,QAAQD,UAAAA,EAAW;AACzB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,WAAA,CAAY,MAAA,EAAQ,eAAe,CAAA;AAE1D,IAAA,OAAO;AAAA,MACL,MAAA;AAAA,MACA,eAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA;AAAA,MACA;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,sBAAsB,OAAA,EAAsD;AAE1E,IAAA,MAAM,cAAc,IAAI,IAAA,CAAK,OAAA,CAAQ,SAAS,EAAE,OAAA,EAAQ;AACxD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IACrD;AACA,IAAA,IAAI,GAAA,GAAM,WAAA,GAAc,IAAA,CAAK
,QAAA,EAAU;AACrC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,iBAAA,EAAkB;AAAA,IACnD;AACA,IAAA,IAAI,WAAA,GAAc,MAAM,GAAA,EAAQ;AAC9B,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,iCAAA,EAAkC;AAAA,IACnE;AAGA,IAAA,IAAI,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,KAAK,CAAA,EAAG;AACtC,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mCAAA,EAAoC;AAAA,IACrE;AAGA,IAAA,IAAI,CAAC,KAAK,eAAA,CAAgB,OAAA,CAAQ,QAAQ,OAAA,CAAQ,eAAA,EAAiB,OAAA,CAAQ,SAAS,CAAA,EAAG;AACrF,MAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAQ,mBAAA,EAAoB;AAAA,IACrD;AAGA,IAAA,IAAA,CAAK,UAAA,CAAW,GAAA,CAAI,OAAA,CAAQ,KAAK,CAAA;AAEjC,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AACF;;;ACxGO,IAAM,cAAN,MAAkB;AAAA,EACN,QAAA;AAAA,EACA,OAAA,uBAAc,GAAA,EAA0B;AAAA,EACjD,gBAA8B,EAAC;AAAA,EAEvC,YAAY,OAAA,EAAiC;AAC3C,IAAA,IAAA,CAAK,QAAA,GAAW,SAAS,QAAA,IAAY,oBAAA;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,UAAA,CACE,UACA,cAAA,EACiB;AACjB,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAE/B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,gBAAA,CAAiB,QAAA,EAAU,WAAW,CAAA;AAC3D,IAAA,MAAM,QAAQ,OAAA,CAAQ,MAAA;AACtB,IAAA,MAAM,UAAU,KAAA,GAAQ,cAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,iBAAiB,KAAK,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,OAAA,CAAQ,MAAA,GAAS,CAAA,GAC7B,OAAA,CAAQ,CAAC,CAAA,CAAG,SAAA,GAAY,IAAA,CAAK,QAAA,GAC7B,GAAA,GAAM,IAAA,CAAK,QAAA;AAEf,IAAA,OAAO,EAAE,OAAA,EAAS,SAAA,EAAW,OAAA,EAAQ;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA,EAKA,iBAAiB,cAAA,EAAyC;AACxD,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAE/B,IAAA,IAAA,CAAK,aAAA,GAAgB,KAAK,aAAA,CAAc,MAAA;AAAA,MACtC,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,GAAY;AAAA,KACvB;AACA,IAAA,MAAM,KAAA,GAAQ,KAAK,aAAA,CAAc,MAAA;AACjC,IAAA,MAAM,UAAU,KAAA,GAAQ,cAAA;AACxB,IAAA,MAAM,SAAA,GAAY,IAAA,CAAK,GAAA,CAAI,CAAA,EAAG,iBAAiB,KAAK,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,aAAA,CAAc,MAAA,GAAS,CAAA,GACxC,IAAA,CAAK,aAAA,CAAc,CAAC,CAAA,CAAG,SAAA,GAAY,IAAA,CAAK,QAAA,GACxC,MAAM,IAAA,CAAK,QAAA;AAEf,IAAA,OAAO,EAAE,OAAA,EAAS,SAAA,EAAW,OAAA,EAAQ;AAAA,EACvC;AAAA;AAAA;AAAA;AAAA;AAAA;AAA
A,EAOA,cAAA,CACE,QAAA,EACA,cAAA,EACA,WAAA,EACiB;AAEjB,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,UAAA,CAAW,QAAA,EAAU,cAAc,CAAA;AACvD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACnB,MAAA,OAAO,MAAA;AAAA,IACT;AAGA,IAAA,IAAI,gBAAgB,MAAA,EAAW;AAC7B,MAAA,MAAM,YAAA,GAAe,IAAA,CAAK,gBAAA,CAAiB,WAAW,CAAA;AACtD,MAAA,IAAI,CAAC,aAAa,OAAA,EAAS;AACzB,QAAA,OAAO,YAAA;AAAA,MACT;AAAA,IACF;AAGA,IAAA,IAAA,CAAK,WAAW,QAAQ,CAAA;AACxB,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,WAAW,QAAA,EAAwB;AACjC,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,MAAA,GAAqB,EAAE,SAAA,EAAW,GAAA,EAAI;AAG5C,IAAA,MAAM,UAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAQ,KAAK,EAAC;AAC/C,IAAA,OAAA,CAAQ,KAAK,MAAM,CAAA;AAGnB,IAAA,IAAI,OAAA,CAAQ,SAAS,sBAAA,EAAwB;AAC3C,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,MAAA,MAAM,UAAU,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,WAAW,CAAA;AAC/D,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,OAAO,CAAA;AAAA,IACpC,CAAA,MAAO;AACL,MAAA,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAA,EAAU,OAAO,CAAA;AAAA,IACpC;AAGA,IAAA,IAAA,CAAK,aAAA,CAAc,KAAK,MAAM,CAAA;AAC9B,IAAA,IAAI,IAAA,CAAK,aAAA,CAAc,MAAA,GAAS,sBAAA,EAAwB;AACtD,MAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,MAAA,IAAA,CAAK,aAAA,GAAgB,KAAK,aAAA,CAAc,MAAA;AAAA,QACtC,CAAC,CAAA,KAAM,CAAA,CAAE,SAAA,GAAY;AAAA,OACvB;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,SAAS,QAAA,EAA0D;AACjE,IAAA,MAAM,GAAA,GAAM,KAAK,GAAA,EAAI;AACrB,IAAA,MAAM,WAAA,GAAc,MAAM,IAAA,CAAK,QAAA;AAC/B,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,gBAAA,CAAiB,QAAA,EAAU,WAAW,CAAA;AAC3D,IAAA,OAAO,EAAE,KAAA,EAAO,OAAA,CAAQ,MAAA,EAAQ,WAAA,EAAY;AAAA,EAC9C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAU,QAAA,EAAwB;AAChC,IAAA,IAAA,CAAK,OAAA,CAAQ,OAAO,QAAQ,CAAA;AAAA,EAC9B;AAAA;AAAA;AAAA;AAAA,EAKA,QAAA,GAAiB;AACf,IAAA,IAAA,CAAK,QAAQ,KAAA,EAAM;AACnB,IAAA,IAAA,CAAK,gBAAgB,EAAC;AAAA,EACxB;AAAA,EAEQ,gBAAA,CACN,UACA,WAAA,EACc;AACd,IAAA,MAAM,UAAU,IAAA,CAAK,OAAA,CAAQ,GAAA,CAAI,QAAQ,KAAK,EAAC;AAC/C,IAAA,MAAM,SAAS,OAAA,CAAQ,MAAA,CAAO,CAAC,CAAA,KAAM,CAAA,CAAE,YAAY,WAAW,CAAA;AAG9D,IAAA,IAAI,MAAA,CAAO,MAAA,KAAW,OAAA,CAAQ,MAAA,EAAQ;AACpC,MAAA,IAAA,CAAK,OAAA
,CAAQ,GAAA,CAAI,QAAA,EAAU,MAAM,CAAA;AAAA,IACnC;AAEA,IAAA,OAAO,MAAA;AAAA,EACT;AACF;;;ACjKO,IAAM,YAAA,GAAN,cAA2B,KAAA,CAAM;AAAA,EACtC,YAAY,OAAA,EAAiB;AAC3B,IAAA,KAAA;AAAA,MACE,GAAG,OAAO;AAAA;AAAA,8DAAA;AAAA,KAGZ;AACA,IAAA,IAAA,CAAK,IAAA,GAAO,cAAA;AAAA,EACd;AACF;AAwBO,IAAM,YAAN,MAAgB;AAAA,EACJ,YAAA;AAAA,EACA,MAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,cAAA;AAAA,EACA,WAAA;AAAA,EACA,MAAA;AAAA,EACT,gBAAA,GAAmB,KAAA;AAAA,EAE3B,YAAY,OAAA,EAMT;AAED,IAAA,MAAM,MAAA,GAAS,OAAA,CAAQ,MAAA,IAAU,OAAA,CAAQ,IAAI,iBAAA,IAAqB,EAAA;AAClE,IAAA,IAAI,CAAC,MAAA,EAAQ;AACX,MAAA,MAAM,IAAI,aAAa,wCAAwC,CAAA;AAAA,IACjE;AACA,IAAA,IAAI,CAAC,OAAO,UAAA,CAAW,UAAU,KAAK,CAAC,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACpE,MAAA,MAAM,IAAI,YAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AACA,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AAEd,IAAA,MAAM,EAAE,MAAA,EAAQ,QAAA,EAAS,GAAI,aAAA,CAAc,QAAQ,MAAM,CAAA;AACzD,IAAA,IAAA,CAAK,MAAA,GAAS,MAAA;AACd,IAAA,IAAA,CAAK,cAAA,GAAiB,QAAA;AAEtB,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,cAAA,CAAe;AAAA,MAC/B,OAAO,MAAA,CAAO,QAAA;AAAA,MACd,SAAS,MAAA,CAAO;AAAA,KACjB,CAAA;AAED,IAAA,KAAA,MAAW,WAAW,QAAA,EAAU;AAC9B,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,qBAAA,EAAwB,OAAO,CAAA,CAAE,CAAA;AAAA,IAChD;AAGA,IAAA,MAAM,KAAA,GAAQ,MAAA,CAAO,uBAAA,GAA0B,IAAI,aAAY,GAAI,MAAA;AACnE,IAAA,IAAA,CAAK,YAAA,GAAe,IAAI,YAAA,CAAa;AAAA,MACnC,SAAA,EAAW,OAAA,CAAQ,SAAA,IAAa,MAAA,CAAO,SAAA;AAAA,MACvC,WAAW,MAAA,CAAO,mBAAA;AAAA,MAClB;AAAA,KACD,CAAA;AAGD,IAAA,IAAI,CAAC,QAAQ,SAAA,IAAa,CAAC,OAAO,SAAA,IAAa,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AAC5E,MAAA,IAAA,CAAK,oBAAA,EAAqB;AAC1B,MAAA,IAAA,CAAK,kBAAA,EAAmB;AAAA,IAC1B;AAGA,IAAA,IAAA,CAAK,WAAA,GAAc,MAAA,CAAO,WAAA,GACtB,IAAI,WAAA,CAAY;AAAA,MACd,QAAQ,MAAA,CAAO,WAAA;AAAA,MACf,YAAY,MAAA,CAAO,eAAA;AAAA,MACnB,SAAA,EAAW,eAAA;AAAA,MACX,MAAA,EAAQ,MAAA,CAAO,WAAA,IAAe,OAAA,CAAQ;AAAA,KACvC,CAAA,GACD,IAAA;AAGJ,IAAA,IAAA,CAAK,cAAA,GAAiB,MAAA,CAAO,aAAA,GACzB,IAAI,cAAA,CAAe,EAAE,aAAA,EAAe,MAAA,CAAO,aAAA,EAAe,CAAA,GAC1D,IAAA;AAGJ,IAAA,IAAA,CAAK,WAAA,GAAc,IAAI,WAAA,EAAY;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,eAA
A,GAAiC;AAC7C,IAAA,IAAI,KAAK,gBAAA,EAAkB;AAG3B,IAAA,IAAI,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACtC,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AACxB,MAAA;AAAA,IACF;AAEA,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,IAAI;AACF,MAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,eAAA,CAAA,EAAmB;AAAA,QAClD,OAAA,EAAS;AAAA,UACP,aAAa,IAAA,CAAK,MAAA;AAAA,UAClB,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA;AAAA,SACxC;AAAA,QACA,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,OACnC,CAAA;AAED,MAAA,IAAI,GAAA,CAAI,WAAW,GAAA,EAAK;AACtB,QAAA,MAAM,IAAI,aAAa,6BAA6B,CAAA;AAAA,MACtD;AACA,MAAA,IAAI,GAAA,CAAI,WAAW,GAAA,EAAK;AACtB,QAAA,MAAM,IAAI,aAAa,+DAA+D,CAAA;AAAA,MACxF;AAEA,MAAA,IAAA,CAAK,gBAAA,GAAmB,IAAA;AAAA,IAC1B,SAAS,GAAA,EAAK;AACZ,MAAA,IAAI,GAAA,YAAe,cAAc,MAAM,GAAA;AACvC,MAAA,MAAM,IAAI,YAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKQ,oBAAA,GAA6B;AACnC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,wBAAA,CAAA,EAA4B;AAAA,MACzC,SAAS,EAAE,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA,EAAG;AAAA,MACpD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,KACnC,CAAA,CACE,IAAA,CAAK,OAAO,GAAA,KAAQ;AACnB,MAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACb,MAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,MAAA,MAAM,SAAA,GAAuB;AAAA,QAC3B,EAAA,EAAI,MAAA,CAAO,IAAA,CAAK,EAAA,IAAM,OAAO,CAAA;AAAA,QAC7B,IAAA,EAAM,MAAA,CAAO,IAAA,CAAK,IAAA,IAAQ,cAAc,CAAA;AAAA,QACxC,WAAA,EAAa,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,QAC1C,OAAA,EAAS,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,CAAC,CAAA;AAAA,QAClC,KAAA,EAAQ,IAAA,CAAK,KAAA,IAAgC,EAAC;AAAA,QAC9C,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,QACxC,SAAA,EAAW;AAAA,OACb;AACA,MAAA,IAAA,CAAK,YAAA,CAAa,cAAc,SAAS,CAAA;AACzC,MAAA,OAAA,CAAQ,IAAA,CAAK,oCAAoC,SAAA,CAAU,IAAI,KAAK,SAAA,CAAU,KAAA,CAAM,MAAM,CAAA,OAAA,CAAS,CAAA;AAAA,IACrG,CAAC,CAAA,CACA,KAAA,CAAM,MAAM;AAAA,IAEb,CAAC,CAAA;AAAA,EACL;AAAA;AAAA;AAAA;AAAA,EAKQ,kBAAA,GAA2B;AACjC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,IAAI,cAA
A,GAAiB,CAAA;AAErB,IAAA,WAAA,CAAY,YAAY;AACtB,MAAA,IAAI;AACF,QAAA,MAAM,GAAA,GAAM,MAAM,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,wBAAA,CAAA,EAA4B;AAAA,UAC3D,SAAS,EAAE,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA,EAAG;AAAA,UACpD,MAAA,EAAQ,WAAA,CAAY,OAAA,CAAQ,GAAM;AAAA,SACnC,CAAA;AACD,QAAA,IAAI,CAAC,IAAI,EAAA,EAAI;AACb,QAAA,MAAM,IAAA,GAAQ,MAAM,GAAA,CAAI,IAAA,EAAK;AAC7B,QAAA,MAAM,OAAA,GAAU,MAAA,CAAO,IAAA,CAAK,QAAA,IAAY,CAAC,CAAA;AACzC,QAAA,MAAM,UAAA,GAAa,MAAM,OAAA,CAAQ,IAAA,CAAK,KAAK,CAAA,GAAI,IAAA,CAAK,MAAM,MAAA,GAAS,CAAA;AACnE,QAAA,IAAI,OAAA,KAAY,cAAA,IAAkB,OAAA,GAAU,CAAA,EAAG;AAC7C,UAAA,MAAM,SAAA,GAAuB;AAAA,YAC3B,EAAA,EAAI,MAAA,CAAO,IAAA,CAAK,EAAA,IAAM,OAAO,CAAA;AAAA,YAC7B,IAAA,EAAM,MAAA,CAAO,IAAA,CAAK,IAAA,IAAQ,cAAc,CAAA;AAAA,YACxC,WAAA,EAAa,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,YAC1C,OAAA;AAAA,YACA,KAAA,EAAQ,IAAA,CAAK,KAAA,IAAgC,EAAC;AAAA,YAC9C,SAAA,EAAW,MAAA,CAAO,IAAA,CAAK,WAAA,IAAe,EAAE,CAAA;AAAA,YACxC,SAAA,EAAW;AAAA,WACb;AACA,UAAA,IAAA,CAAK,YAAA,CAAa,cAAc,SAAS,CAAA;AACzC,UAAA,cAAA,GAAiB,OAAA;AACjB,UAAA,OAAA,CAAQ,IAAA,CAAK,8CAA8C,SAAA,CAAU,IAAI,KAAK,OAAO,CAAA,EAAA,EAAK,UAAU,CAAA,OAAA,CAAS,CAAA;AAAA,QAC/G;AAAA,MACF,CAAA,CAAA,MAAQ;AAAA,MAER;AAAA,IACF,GAAG,GAAM,CAAA;AAAA,EACX;AAAA;AAAA;AAAA;AAAA,EAKQ,aAAa,KAAA,EAOZ;AACP,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AACzC,IAAA,MAAM,MAAA,GAAS,IAAA,CAAK,MAAA,CAAO,MAAA,IAAU,2BAAA;AACrC,IAAA,KAAA,CAAM,CAAA,EAAG,MAAM,CAAA,kBAAA,CAAA,EAAsB;AAAA,MACnC,MAAA,EAAQ,MAAA;AAAA,MACR,OAAA,EAAS;AAAA,QACP,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,QACtC,cAAA,EAAgB;AAAA,OAClB;AAAA,MACA,IAAA,EAAM,IAAA,CAAK,SAAA,CAAU,KAAK;AAAA,KAC3B,CAAA,CAAE,KAAA,CAAM,MAAM;AAAA,IAAC,CAAC,CAAA;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eAAA,CACJ,MAAA,EACA,YAAA,EAC4B;AAE5B,IAAA,MAAM,KAAK,eAAA,EAAgB;AAE3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAClC,IAAA,OAAO,iBAAA,CAAkB,QAAQ,YAAA,EAAc;AAAA,MAC7C,cAAc,IAAA,CAAK,YAAA;AAAA,MACnB,eAAA,EAAiB,KAAK,MAAA,CAAO,eAAA;AAAA,MAC7B,aAAA,EAAe,KAAK,MAAA,CAAO,aAAA;AAAA,MAC3B,UAAA,EAAY,CAAC,M
AAA,KAAW;AACtB,QAAA,IAAA,CAAK,MAAA,CAAO,YAAY,MAAM,CAAA;AAC9B,QAAA,IAAI,MAAA,CAAO,MAAA,KAAW,SAAA,IAAa,MAAA,CAAO,WAAW,QAAA,EAAU;AAC7D,UAAA,IAAA,CAAK,YAAA,CAAa;AAAA,YAChB,MAAM,MAAA,CAAO,IAAA;AAAA,YACb,SAAA,EAAY,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,YACjC,QAAA,EAAU,MAAA,CAAO,QAAA,CAAS,MAAA,KAAW,UAAU,OAAA,GAAU,MAAA;AAAA,YACzD,MAAA,EAAQ,OAAO,QAAA,CAAS,MAAA;AAAA,YACxB,WAAA,EAAa,MAAA,CAAO,QAAA,CAAS,WAAA,EAAa,EAAA;AAAA,YAC1C,gBAAA,EAAkB,WAAA,CAAY,GAAA,EAAI,GAAI;AAAA,WACvC,CAAA;AAAA,QACH,CAAA,MAAA,IAAW,MAAA,CAAO,MAAA,KAAW,OAAA,EAAS;AACpC,UAAA,IAAA,CAAK,YAAA,CAAa;AAAA,YAChB,MAAM,MAAA,CAAO,IAAA;AAAA,YACb,SAAA,EAAY,MAAA,CAAO,SAAA,IAAa,EAAC;AAAA,YACjC,QAAA,EAAU,MAAA;AAAA,YACV,MAAA,EAAQ,OAAO,KAAA,CAAM,OAAA;AAAA,YACrB,gBAAA,EAAkB,WAAA,CAAY,GAAA,EAAI,GAAI;AAAA,WACvC,CAAA;AAAA,QACH;AAAA,MACF,CAAA;AAAA,MACA,WAAA,EAAa,KAAK,WAAA,IAAe,MAAA;AAAA,MACjC,cAAA,EAAgB,KAAK,cAAA,IAAkB,MAAA;AAAA,MACvC,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,gBAAA,EAAkB,KAAK,MAAA,CAAO,gBAAA;AAAA,MAC9B,gBAAA,EAAkB,KAAK,MAAA,CAAO,gBAAA;AAAA,MAC9B,wBAAA,EAA0B,KAAK,MAAA,CAAO;AAAA,KACvC,CAAA;AAAA,EACH;AAAA;AAAA,EAGA,UAAA,CACE,WACA,OAAA,EACA;AACA,IAAA,OAAO,IAAA,CAAK,YAAA,CAAa,aAAA,CAAc,SAAA,EAAW,OAAO,CAAA;AAAA,EAC3D;AAAA;AAAA,EAGA,WAAA,GAAiC;AAC/B,IAAA,OAAO;AAAA,MACL,GAAG,IAAA,CAAK,cAAA;AAAA,MACR,GAAG,IAAA,CAAK,YAAA,CAAa,mBAAA,GAAsB,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,CAAA,EAAI,CAAA,CAAE,KAAK,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,KACnF;AAAA,EACF;AAAA;AAAA,EAGA,eAAA,GAAgC;AAC9B,IAAA,OAAO,IAAA,CAAK,YAAA;AAAA,EACd;AAAA;AAAA,EAGA,cAAA,GAA8B;AAC5B,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AAAA;AAAA,EAGA,cAAA,GAAqC;AACnC,IAAA,OAAO,IAAA,CAAK,WAAA;AAAA,EACd;AACF;AC5RO,IAAM,eAAA,GAAN,cAA8B,SAAA,CAAU;AAAA,EAC5B,IAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASjB,WAAA,CACE,UAAA,EACA,gBAAA,EACA,UAAA,EACA;AACA,IAAA,KAAA,CAAM,YAAY,UAAU,CAAA;AAE5B,IAAA,IAAA,CAAK,IAAA,GAAO,IAAI,SAAA,CAAU;AAAA,MACxB,MAAM,UAAA,CAAW,IAAA;AAAA,MACjB,SAAS,UAAA,CAAW,OAAA;AAAA,MACpB,QAAQ,gBAAA,EAAkB,MAAA;AAAA,MAC1B,WAAW,gBAAA,EAAkB,SAAA;AAAA,MAC7B,QAAQ,gBAAA,EAAkB;AAAA,KAC3B,CAAA;AA
ED,IAAA,MAAM,QAAA,GAAW,IAAA,CAAK,IAAA,CAAK,WAAA,EAAY;AACvC,IAAA,KAAA,MAAW,KAAK,QAAA,EAAU;AACxB,MAAA,OAAA,CAAQ,IAAA,CAAK,CAAA,YAAA,EAAe,CAAC,CAAA,CAAE,CAAA;AAAA,IACjC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASS,IAAA,CAAK,SAAiB,IAAA,EAAgD;AAC7E,IAAA,MAAM,OAAA,GAAU,IAAA,CAAK,IAAA,CAAK,MAAA,GAAS,CAAC,CAAA;AACpC,IAAA,IAAI,OAAO,YAAY,UAAA,EAAY;AAEjC,MAAA,OAAQ,MAAM,IAAA,CAAkB,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,GAAG,IAAI,CAAA;AAAA,IAC1D;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA;AACjB,IAAA,MAAM,OAAO,IAAA,CAAK,IAAA;AAElB,IAAA,IAAA,CAAK,IAAA,CAAK,MAAA,GAAS,CAAC,CAAA,GAAI,UAAU,QAAA,KAAwB;AAIxD,MAAA,MAAM,WACJ,QAAA,CAAS,MAAA,GAAS,CAAA,IAClB,OAAO,SAAS,CAAC,CAAA,KAAM,QAAA,IACvB,QAAA,CAAS,CAAC,CAAA,KAAM,IAAA,GACX,QAAA,CAAS,CAAC,IACX,EAAC;AAEP,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA;AAAA,QACxB,EAAE,IAAA,EAAM,QAAA,EAAU,SAAA,EAAW,QAAA,EAAS;AAAA,QACtC,YAAa,OAAA,CAAqB,GAAG,QAAQ;AAAA,OAC/C;AAGA,MAAA,OAAO,EAAE,GAAG,MAAA,EAAQ,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,IACnD,CAAA;AAEA,IAAA,OAAQ,MAAM,IAAA,CAAkB,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,GAAG,IAAI,CAAA;AAAA,EAC1D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOS,YAAA,CACP,IAAA,EACA,MAAA,EACA,EAAA,EACuC;AACvC,IAAA,IAAI,OAAO,OAAO,UAAA,EAAY;AAC5B,MAAA,OAAQ,MAAM,YAAA,CAA0B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,QAAQ,EAAE,CAAA;AAAA,IACrE;AAEA,IAAA,MAAM,QAAA,GAAW,IAAA;AACjB,IAAA,MAAM,OAAO,IAAA,CAAK,IAAA;AAElB,IAAA,MAAM,SAAA,GAAY,UAAU,QAAA,KAAwB;AAClD,MAAA,MAAM,WACJ,QAAA,CAAS,MAAA,GAAS,CAAA,IAClB,OAAO,SAAS,CAAC,CAAA,KAAM,QAAA,IACvB,QAAA,CAAS,CAAC,CAAA,KAAM,IAAA,GACX,QAAA,CAAS,CAAC,IACX,EAAC;AAEP,MAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,eAAA;AAAA,QACxB,EAAE,IAAA,EAAM,QAAA,EAAU,SAAA,EAAW,QAAA,EAAS;AAAA,QACtC,YAAa,EAAA,CAAgB,GAAG,QAAQ;AAAA,OAC1C;AAEA,MAAA,OAAO,EAAE,GAAG,MAAA,EAAQ,OAAA,EAAS,CAAC,GAAG,MAAA,CAAO,OAAO,CAAA,EAAE;AAAA,IACnD,CAAA;AAEA,IAAA,OAAQ,MAAM,YAAA,CAA0B,IAAA,CAAK,IAAA,EAAM,IAAA,EAAM,QAAQ,SAAS,CAAA;AAAA,EAC5E;AAAA;AAAA,EAGA,YAAA,GAA0B;AACxB,IAAA,OAAO,IAAA,CAAK,IAAA;AAAA,EACd;AACF;;;ACtIA,IAAM,eAAA,GAAkB,2BAAA;AACxB,IAAM,WAAA,GAAc,IAAA;AACpB,IAAM,WAAA,GAAc,OAAA;AA
+Cb,IAAM,QAAA,GAAN,cAAuB,KAAA,CAAM;AAAA,EAClC,WAAA,CACE,OAAA,EACgB,UAAA,EACA,SAAA,EACA,OAAe,WAAA,EAC/B;AACA,IAAA,KAAA,CAAM,OAAO,CAAA;AAJG,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AACA,IAAA,IAAA,CAAA,SAAA,GAAA,SAAA;AACA,IAAA,IAAA,CAAA,IAAA,GAAA,IAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,UAAA;AAAA,EACd;AACF;AAEO,IAAM,mBAAA,GAAN,cAAkC,QAAA,CAAS;AAAA,EAChD,WAAA,CAAY,UAAU,iBAAA,EAAmB;AACvC,IAAA,KAAA,CAAM,OAAA,EAAS,GAAA,EAAK,MAAA,EAAW,sBAAsB,CAAA;AACrD,IAAA,IAAA,CAAK,IAAA,GAAO,qBAAA;AAAA,EACd;AACF;AAEO,IAAME,eAAAA,GAAN,cAA6B,QAAA,CAAS;AAAA,EAC3C,WAAA,CACE,SACgB,UAAA,EAChB;AACA,IAAA,KAAA,CAAM,OAAA,EAAS,GAAA,EAAK,MAAA,EAAW,kBAAkB,CAAA;AAFjC,IAAA,IAAA,CAAA,UAAA,GAAA,UAAA;AAGhB,IAAA,IAAA,CAAK,IAAA,GAAO,gBAAA;AAAA,EACd;AACF;AAGA,IAAM,mBAAN,MAAuB;AAAA,EACrB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,GAAA,CAAI,QAAA,GAAW,SAAA,EAAW,OAAA,EAAsC;AACpE,IAAA,MAAM,MAAA,GAAS,OAAA,GAAU,CAAA,SAAA,EAAY,OAAO,CAAA,CAAA,GAAK,EAAA;AACjD,IAAA,OAAO,IAAA,CAAK,OAAO,OAAA,CAAQ,KAAA,EAAO,aAAa,QAAQ,CAAA,EAAG,MAAM,CAAA,CAAE,CAAA;AAAA,EACpE;AAAA,EAEA,MAAM,IAAA,GAAoF;AACxF,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,WAAW,CAAA;AAAA,EAC/C;AAAA,EAEA,MAAM,OAAO,MAAA,EAAuC;AAClD,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ,aAAa,MAAM,CAAA;AAAA,EACxD;AAAA,EAEA,MAAM,MAAA,CAAO,QAAA,EAAkB,MAAA,EAAuC;AACpE,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,UAAA,EAAa,QAAQ,IAAI,MAAM,CAAA;AAAA,EACnE;AACF,CAAA;AAEA,IAAM,iBAAN,MAAqB;AAAA,EACnB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,MAAA,CAAO,IAAA,EAAc,KAAA,EAAgB,aAAa,EAAA,EAA0B;AAChF,IAAA,MAAM,WAAW,MAAM,IAAA,CAAK,MAAA,CAAO,OAAA,CAMhC,QAAQ,SAAA,EAAW;AAAA,MACpB,IAAA;AAAA,MACA,KAAA,EAAO,KAAA,IAAS,CAAA,QAAA,EAAW,IAAI,CAAA,CAAA;AAAA,MAC/B,WAAA,EAAa;AAAA,KACd,CAAA;AAED,IAAA,OAAO;AAAA,MACL,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,MAAM,QAAA,CAAS,IAAA;AAAA,MACf,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB,OAAO,QAAA,CAAS;AAAA,KAClB;AAAA,EACF;AAAA,EAEA,MAAM,OAAO,KAAA,EAA2F;AACtG,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAA
Q,QAAQ,gBAAA,EAAkB,EAAE,OAAO,CAAA;AAAA,EAChE;AACF,CAAA;AAEA,IAAM,gBAAN,MAAoB;AAAA,EAClB,YAAoB,MAAA,EAAsB;AAAtB,IAAA,IAAA,CAAA,MAAA,GAAA,MAAA;AAAA,EAAuB;AAAA,EAE3C,MAAM,IAAA,GAAmC;AACvC,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,QAAQ,CAAA;AAAA,EAC5C;AAAA,EAEA,MAAM,IAAI,IAAA,EAA6B;AACrC,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,KAAA,EAAO,CAAA,OAAA,EAAU,IAAI,CAAA,CAAE,CAAA;AAAA,EACpD;AAAA,EAEA,MAAM,SACJ,IAAA,EACA,WAAA,EACA,aACA,WAAA,GAAwB,CAAC,MAAM,CAAA,EAChB;AACf,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,OAAA,CAAQ,MAAA,EAAQ,QAAA,EAAU;AAAA,MAC3C,IAAA;AAAA,MACA,WAAA;AAAA,MACA,YAAA,EAAc,WAAA;AAAA,MACd;AAAA,KACD,CAAA;AAAA,EACH;AAAA,EAEA,MAAM,MAAA,CAAO,IAAA,EAAc,IAAA,EAAoC;AAC7D,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,OAAO,CAAA,OAAA,EAAU,IAAI,IAAI,IAAI,CAAA;AAAA,EAC1D;AAAA,EAEA,MAAM,OAAO,IAAA,EAA6C;AACxD,IAAA,OAAO,KAAK,MAAA,CAAO,OAAA,CAAQ,QAAA,EAAU,CAAA,OAAA,EAAU,IAAI,CAAA,CAAE,CAAA;AAAA,EACvD;AACF,CAAA;AAGO,IAAM,eAAN,MAAmB;AAAA,EACP,MAAA;AAAA,EACA,MAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EAED,QAAA;AAAA,EACA,MAAA;AAAA,EACA,KAAA;AAAA,EAEhB,YAAY,MAAA,EAA4B;AAEtC,IAAA,IAAI,OAAO,WAAW,QAAA,EAAU;AAC9B,MAAA,MAAA,GAAS,EAAE,QAAQ,MAAA,EAAO;AAAA,IAC5B;AAGA,IAAA,IAAA,CAAK,MAAA,GAAS,OAAO,MAAA,KAAW,OAAO,YAAY,WAAA,GAAc,OAAA,CAAQ,GAAA,CAAI,iBAAA,GAAoB,EAAA,CAAA,IAAO,EAAA;AAExG,IAAA,IAAI,CAAC,KAAK,MAAA,EAAQ;AAChB,MAAA,MAAM,IAAI,mBAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAGA,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,IAAK,CAAC,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA,EAAG;AAC9E,MAAA,MAAM,IAAI,mBAAA;AAAA,QACR;AAAA,OACF;AAAA,IACF;AAEA,IAAA,IAAA,CAAK,MAAA,GAAS,OAAO,MAAA,IAAU,eAAA;AAC/B,IAAA,IAAA,CAAK,OAAA,GAAU,OAAO,OAAA,IAAW,GAAA;AACjC,IAAA,IAAA,CAAK,UAAA,GAAa,OAAO,UAAA,IAAc,CAAA;AAGvC,IAAA,IAAA,CAAK,QAAA,GAAW,IAAI,gBAAA,CAAiB,IAAI,CAAA;AACzC,IAAA,IAAA,CAAK,MAAA,GAAS,IAAI,cAAA,CAAe,IAAI,CAAA;AACrC,IAAA,IAAA,CAAK,KAAA,GAAQ,IAAI,aAAA,CAAc,IAAI,CAAA;AAAA,EACrC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAA,CAAW,MAAA,EAAgB,IAAA,EAAc,IAAA,EAA4B;AACzE,IAAA,MAAM,MAAM,CAAA,EAAG,IAAA,CAAK,MAAM,CAAA,KAAA,EAAQ,WAAW,GAAG,IAA
I,CAAA,CAAA;AACpD,IAAA,IAAI,SAAA;AAEJ,IAAA,KAAA,IAAS,OAAA,GAAU,CAAA,EAAG,OAAA,GAAU,IAAA,CAAK,YAAY,OAAA,EAAA,EAAW;AAC1D,MAAA,IAAI;AACF,QAAA,MAAM,UAAA,GAAa,IAAI,eAAA,EAAgB;AACvC,QAAA,MAAM,YAAY,UAAA,CAAW,MAAM,WAAW,KAAA,EAAM,EAAG,KAAK,OAAO,CAAA;AAEnE,QAAA,MAAM,QAAA,GAAW,MAAM,KAAA,CAAM,GAAA,EAAK;AAAA,UAChC,MAAA;AAAA,UACA,OAAA,EAAS;AAAA,YACP,aAAa,IAAA,CAAK,MAAA;AAAA,YAClB,eAAA,EAAiB,CAAA,OAAA,EAAU,IAAA,CAAK,MAAM,CAAA,CAAA;AAAA,YACtC,cAAA,EAAgB,kBAAA;AAAA,YAChB,YAAA,EAAc,gBAAgB,WAAW,CAAA;AAAA,WAC3C;AAAA,UACA,IAAA,EAAM,IAAA,GAAO,IAAA,CAAK,SAAA,CAAU,IAAI,CAAA,GAAI,KAAA,CAAA;AAAA,UACpC,QAAQ,UAAA,CAAW;AAAA,SACpB,CAAA;AAED,QAAA,YAAA,CAAa,SAAS,CAAA;AAEtB,QAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC3B,UAAA,MAAM,aAAa,QAAA,CAAS,QAAA,CAAS,QAAQ,GAAA,CAAI,aAAa,KAAK,GAAG,CAAA;AACtE,UAAA,MAAM,IAAI,QAAQ,CAAC,OAAA,KAAY,WAAW,OAAA,EAAS,UAAA,GAAa,GAAI,CAAC,CAAA;AACrE,UAAA;AAAA,QACF;AAEA,QAAA,IAAI,QAAA,CAAS,WAAW,GAAA,EAAK;AAC3B,UAAA,MAAM,IAAI,oBAAoB,iBAAiB,CAAA;AAAA,QACjD;AAEA,QAAA,IAAI,CAAC,SAAS,EAAA,EAAI;AAChB,UAAA,MAAM,SAAA,GAAa,MAAM,QAAA,CAAS,IAAA,GAAO,KAAA,CAAM,OAAO,EAAC,CAAE,CAAA;AACzD,UAAA,MAAM,IAAI,QAAA;AAAA,YACR,SAAA,CAAU,OAAO,OAAA,IAAW,eAAA;AAAA,YAC5B,QAAA,CAAS,MAAA;AAAA,YACT,QAAA,CAAS,OAAA,CAAQ,GAAA,CAAI,cAAc,CAAA,IAAK,KAAA;AAAA,WAC1C;AAAA,QACF;AAEA,QAAA,OAAQ,MAAM,SAAS,IAAA,EAAK;AAAA,MAC9B,SAAS,KAAA,EAAO;AACd,QAAA,IAAI,KAAA,YAAiB,QAAA,IAAY,KAAA,YAAiB,mBAAA,EAAqB;AACrE,UAAA,MAAM,KAAA;AAAA,QACR;AACA,QAAA,SAAA,GAAY,KAAA;AAAA,MACd;AAAA,IACF;AAEA,IAAA,MAAM,IAAI,QAAA,CAAS,SAAA,EAAW,OAAA,IAAW,gBAAgB,CAAA;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAaA,MAAM,QAAA,CACJ,IAAA,EACA,IAAA,EACA,OAAA,GAGI,EAAC,EACsB;AAC3B,IAAA,MAAM,SAAA,GAAY,YAAY,GAAA,EAAI;AAElC,IAAA,MAAM,QAAA,GAAW,MAAM,IAAA,CAAK,OAAA,CAWzB,QAAQ,WAAA,EAAa;AAAA,MACtB,IAAA;AAAA,MACA,SAAA,EAAW,IAAA;AAAA,MACX,WAAA,EAAa,OAAA,CAAQ,UAAA,IAAc,UAAA,CAAW,QAAA;AAAA,MAC9C,aAAA,EAAe,QAAQ,YAAA,KAAiB;AAAA,KACzC,CAAA;AAED,IAAA,MAAM,SAAA,GAAY,WAAA,CAAY,GAAA,EAAI,GAAI,SAAA;AAEtC,IAAA,OAAO;AAAA,MACL,SAAS,QAAA,CAAS,OAAA;AAAA,MACl
B,IAAA;AAAA,MACA,QAAA,EAAU,SAAS,QAAA,GACf;AAAA,QACE,MAAA,EAAQ,SAAS,QAAA,CAAS,MAAA;AAAA,QAC1B,WAAA,EAAa,SAAS,QAAA,CAAS,YAAA;AAAA,QAC/B,MAAA,EAAQ,SAAS,QAAA,CAAS,MAAA;AAAA,QAC1B,SAAA,EAAW,SAAS,QAAA,CAAS,YAAA;AAAA,QAC7B,gBAAA,EAAkB;AAAA,OACpB,GACA,MAAA;AAAA,MACJ,OAAO,QAAA,CAAS,KAAA;AAAA,MAChB,gBAAgB,QAAA,CAAS,gBAAA;AAAA,MACzB,WAAW,QAAA,CAAS,UAAA;AAAA,MACpB;AAAA,KACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA;AAAA,EAC1C;AAAA;AAAA;AAAA;AAAA,EAKA,UAAA,GAAsB;AACpB,IAAA,OAAO,IAAA,CAAK,MAAA,CAAO,UAAA,CAAW,UAAU,CAAA;AAAA,EAC1C;AACF","file":"index.js","sourcesContent":["/**\n * Base error class for all SolonGate security errors.\n * Every error includes a machine-readable code for programmatic handling.\n */\nexport class SolonGateError extends Error {\n public readonly code: string;\n public readonly timestamp: string;\n public readonly details: Record<string, unknown>;\n\n constructor(\n message: string,\n code: string,\n details: Record<string, unknown> = {},\n ) {\n super(message);\n this.name = 'SolonGateError';\n this.code = code;\n this.timestamp = new Date().toISOString();\n this.details = Object.freeze({ ...details });\n Object.setPrototypeOf(this, new.target.prototype);\n }\n\n /**\n * Serializable representation for logging and API responses.\n * Never includes stack traces (information leakage prevention).\n */\n toJSON(): Record<string, unknown> {\n return {\n name: this.name,\n code: this.code,\n message: this.message,\n timestamp: this.timestamp,\n details: this.details,\n };\n }\n}\n\n/** Thrown when a tool call is denied by policy. 
*/\nexport class PolicyDeniedError extends SolonGateError {\n constructor(\n toolName: string,\n reason: string,\n details: Record<string, unknown> = {},\n ) {\n super(\n `Policy denied execution of tool \"${toolName}\": ${reason}`,\n 'POLICY_DENIED',\n { toolName, reason, ...details },\n );\n this.name = 'PolicyDeniedError';\n }\n}\n\n/** Thrown when a trust level escalation is attempted illegally. */\nexport class TrustEscalationError extends SolonGateError {\n constructor(message: string) {\n super(message, 'TRUST_ESCALATION');\n this.name = 'TrustEscalationError';\n }\n}\n\n/** Thrown when tool input fails schema validation. */\nexport class SchemaValidationError extends SolonGateError {\n constructor(\n toolName: string,\n validationErrors: readonly string[],\n ) {\n super(\n `Schema validation failed for tool \"${toolName}\": ${validationErrors.join('; ')}`,\n 'SCHEMA_VALIDATION_FAILED',\n { toolName, validationErrors },\n );\n this.name = 'SchemaValidationError';\n }\n}\n\n/** Thrown when a tool exceeds its rate limit. */\nexport class RateLimitError extends SolonGateError {\n constructor(toolName: string, limitPerMinute: number) {\n super(\n `Rate limit exceeded for tool \"${toolName}\": max ${limitPerMinute}/min`,\n 'RATE_LIMIT_EXCEEDED',\n { toolName, limitPerMinute },\n );\n this.name = 'RateLimitError';\n }\n}\n\n/** Thrown when a tool is not found in the registry. */\nexport class ToolNotFoundError extends SolonGateError {\n constructor(toolName: string, serverName: string) {\n super(\n `Tool \"${toolName}\" not found on server \"${serverName}\"`,\n 'TOOL_NOT_FOUND',\n { toolName, serverName },\n );\n this.name = 'ToolNotFoundError';\n }\n}\n\n/** Thrown when an unsafe configuration is detected. 
*/\nexport class UnsafeConfigurationError extends SolonGateError {\n constructor(message: string, field: string) {\n super(\n `Unsafe configuration detected: ${message}`,\n 'UNSAFE_CONFIGURATION',\n { field },\n );\n this.name = 'UnsafeConfigurationError';\n }\n}\n\n/** Thrown when input guard detects dangerous patterns. */\nexport class InputGuardError extends SolonGateError {\n constructor(\n toolName: string,\n threats: readonly { type: string; field: string; description: string }[],\n ) {\n super(\n `Input guard blocked tool \"${toolName}\": ${threats.map(t => t.description).join('; ')}`,\n 'INPUT_GUARD_BLOCKED',\n { toolName, threatCount: threats.length, threats },\n );\n this.name = 'InputGuardError';\n }\n}\n\n/** Thrown when a network operation fails (API calls, cloud sync, etc.). */\nexport class NetworkError extends SolonGateError {\n constructor(\n operation: string,\n statusCode?: number,\n details: Record<string, unknown> = {},\n ) {\n super(\n `Network error during ${operation}${statusCode ? ` (HTTP ${statusCode})` : ''}`,\n 'NETWORK_ERROR',\n { operation, statusCode, ...details },\n );\n this.name = 'NetworkError';\n }\n}\n","import { TrustEscalationError } from './errors.js';\n\n/**\n * Trust levels in the SolonGate security model.\n *\n * Core threat model principle: LLMs are UNTRUSTED by default.\n * Trust is never assumed - it must be explicitly granted and is\n * always scoped to specific capabilities.\n *\n * UNTRUSTED: Default for all LLM-originated requests. No permissions.\n * VERIFIED: Passed schema validation and policy evaluation. May execute within granted scope.\n * TRUSTED: System-internal only. 
NEVER assignable to LLM-originated requests.\n */\nexport const TrustLevel = {\n UNTRUSTED: 'UNTRUSTED',\n VERIFIED: 'VERIFIED',\n TRUSTED: 'TRUSTED',\n} as const;\n\nexport type TrustLevel = (typeof TrustLevel)[keyof typeof TrustLevel];\n\n/**\n * Validates that a trust level is a legitimate enum value.\n * Prevents type confusion attacks where a string bypasses checks.\n */\nexport function isValidTrustLevel(value: unknown): value is TrustLevel {\n return (\n typeof value === 'string' &&\n Object.values(TrustLevel).includes(value as TrustLevel)\n );\n}\n\n/**\n * Asserts that a trust level transition is valid.\n * UNTRUSTED -> VERIFIED (via policy evaluation) is the only escalation path.\n * TRUSTED is never reachable from external requests.\n */\nexport function assertValidTransition(\n from: TrustLevel,\n to: TrustLevel,\n): void {\n if (to === TrustLevel.TRUSTED) {\n throw new TrustEscalationError(\n 'Cannot escalate to TRUSTED level. TRUSTED is reserved for system-internal operations.',\n );\n }\n if (from === TrustLevel.VERIFIED && to === TrustLevel.UNTRUSTED) {\n return; // Downgrade is always allowed (fail-safe)\n }\n if (from === TrustLevel.UNTRUSTED && to === TrustLevel.VERIFIED) {\n return; // Normal escalation via policy evaluation\n }\n if (from === to) {\n return; // No-op\n }\n throw new TrustEscalationError(\n `Invalid trust transition from ${from} to ${to}`,\n );\n}\n","import { z } from 'zod';\n\n/**\n * Permission types are ALWAYS evaluated independently.\n * Having READ does NOT imply WRITE or EXECUTE.\n */\nexport const Permission = {\n READ: 'READ',\n WRITE: 'WRITE',\n EXECUTE: 'EXECUTE',\n} as const;\n\nexport type Permission = (typeof Permission)[keyof typeof Permission];\n\nexport const PermissionSchema = z.enum(['READ', 'WRITE', 'EXECUTE']);\n\n/** Immutable set of permissions granted to a specific scope. */\nexport type PermissionSet = ReadonlySet<Permission>;\n\n/** Creates an immutable permission set from an array. 
*/\nexport function createPermissionSet(\n permissions: Permission[],\n): PermissionSet {\n for (const p of permissions) {\n PermissionSchema.parse(p);\n }\n return new Set(permissions) as ReadonlySet<Permission>;\n}\n\n/** Empty permission set - the default for all new tools (default-deny). */\nexport const NO_PERMISSIONS: PermissionSet = Object.freeze(\n new Set<Permission>(),\n) as ReadonlySet<Permission>;\n\n/** Read-only permission set - the maximum default for new tools. */\nexport const READ_ONLY: PermissionSet = Object.freeze(\n new Set<Permission>([Permission.READ]),\n) as ReadonlySet<Permission>;\n\nexport function hasPermission(\n permissions: PermissionSet,\n required: Permission,\n): boolean {\n return permissions.has(required);\n}\n\nexport function hasAllPermissions(\n permissions: PermissionSet,\n required: Permission[],\n): boolean {\n return required.every((p) => permissions.has(p));\n}\n\n/** Maps MCP protocol methods to SolonGate permission types. */\nexport function permissionForMethod(method: string): Permission {\n if (\n method.startsWith('resources/') ||\n method.startsWith('prompts/') ||\n method === 'tools/list'\n ) {\n return Permission.READ;\n }\n if (method === 'tools/call') {\n return Permission.EXECUTE;\n }\n // Default to EXECUTE for unknown methods (most restrictive)\n return Permission.EXECUTE;\n}\n","import { z } from 'zod';\nimport type { Permission } from './permissions.js';\nimport type { TrustLevel } from './trust.js';\n\n/**\n * Policy effect: the only two outcomes of policy evaluation.\n * No \"MAYBE\" or \"CONDITIONAL\" - binary security decisions only.\n */\nexport const PolicyEffect = {\n ALLOW: 'ALLOW',\n DENY: 'DENY',\n} as const;\n\nexport type PolicyEffect = (typeof PolicyEffect)[keyof typeof PolicyEffect];\n\n/**\n * A single policy rule that matches against execution requests.\n * Rules are evaluated by priority order. 
First matching rule wins.\n * If NO rule matches, the result is DENY (default-deny).\n */\nexport interface PolicyRule {\n readonly id: string;\n readonly description: string;\n readonly effect: PolicyEffect;\n readonly priority: number;\n readonly toolPattern: string;\n readonly permission: Permission;\n readonly minimumTrustLevel: TrustLevel;\n readonly argumentConstraints?: Record<string, unknown>;\n readonly pathConstraints?: {\n readonly allowed?: readonly string[];\n readonly denied?: readonly string[];\n readonly rootDirectory?: string;\n readonly allowSymlinks?: boolean;\n };\n readonly enabled: boolean;\n readonly createdAt: string;\n readonly updatedAt: string;\n}\n\n/**\n * A versioned, ordered set of policy rules.\n * Modifications create new sets (immutable by convention).\n */\nexport interface PolicySet {\n readonly id: string;\n readonly name: string;\n readonly description: string;\n readonly version: number;\n readonly rules: readonly PolicyRule[];\n readonly createdAt: string;\n readonly updatedAt: string;\n}\n\nexport const PolicyRuleSchema = z.object({\n id: z.string().min(1).max(256),\n description: z.string().max(1024),\n effect: z.enum(['ALLOW', 'DENY']),\n priority: z.number().int().min(0).max(10000).default(1000),\n toolPattern: z.string().min(1).max(512),\n permission: z.enum(['READ', 'WRITE', 'EXECUTE']),\n minimumTrustLevel: z.enum(['UNTRUSTED', 'VERIFIED', 'TRUSTED']),\n argumentConstraints: z.record(z.unknown()).optional(),\n pathConstraints: z\n .object({\n allowed: z.array(z.string()).optional(),\n denied: z.array(z.string()).optional(),\n rootDirectory: z.string().optional(),\n allowSymlinks: z.boolean().optional(),\n })\n .optional(),\n enabled: z.boolean().default(true),\n createdAt: z.string().datetime(),\n updatedAt: z.string().datetime(),\n});\n\nexport const PolicySetSchema = z.object({\n id: z.string().min(1).max(256),\n name: z.string().min(1).max(256),\n description: z.string().max(2048),\n version: 
z.number().int().min(0),\n rules: z.array(PolicyRuleSchema),\n createdAt: z.string().datetime(),\n updatedAt: z.string().datetime(),\n});\n\n/** The result of evaluating a policy against a request. */\nexport interface PolicyDecision {\n readonly effect: PolicyEffect;\n readonly matchedRule: PolicyRule | null;\n readonly reason: string;\n readonly timestamp: string;\n readonly evaluationTimeMs: number;\n readonly metadata?: {\n readonly evaluatedRules: number;\n readonly ruleIds: readonly string[];\n readonly requestContext: {\n readonly tool: string;\n readonly arguments: readonly string[];\n };\n };\n}\n","import type { TrustLevel } from './trust.js';\nimport type { PermissionSet } from './permissions.js';\n\n/**\n * SecurityContext represents the security state of a single request.\n * Created fresh for each MCP request and NEVER reused.\n * All fields are readonly - state transitions create new contexts.\n */\nexport interface SecurityContext {\n readonly requestId: string;\n readonly trustLevel: TrustLevel;\n readonly grantedPermissions: PermissionSet;\n readonly sessionId: string | null;\n readonly createdAt: string;\n readonly metadata: Readonly<Record<string, unknown>>;\n readonly capabilityToken?: string;\n}\n\n/** Extends SecurityContext with tool-specific execution information. */\nexport interface ExecutionContext extends SecurityContext {\n readonly toolName: string;\n readonly serverName: string;\n readonly arguments: Readonly<Record<string, unknown>>;\n}\n\n/** Creates a new SecurityContext with default-deny settings. 
*/\nexport function createSecurityContext(\n params: Pick<SecurityContext, 'requestId'> &\n Partial<Omit<SecurityContext, 'requestId' | 'createdAt' | 'trustLevel' | 'grantedPermissions'>>,\n): SecurityContext {\n return {\n trustLevel: 'UNTRUSTED',\n grantedPermissions: new Set(),\n sessionId: null,\n metadata: {},\n createdAt: new Date().toISOString(),\n ...params,\n };\n}\n","/** Default policy effect when no rule matches: DENY */\nexport const DEFAULT_POLICY_EFFECT = 'DENY' as const;\n\n/** Maximum number of rules in a single PolicySet */\nexport const MAX_RULES_PER_POLICY_SET = 1000;\n\n/** Maximum depth for nested argument validation */\nexport const MAX_ARGUMENT_DEPTH = 10;\n\n/** Maximum size of tool arguments in bytes */\nexport const MAX_ARGUMENTS_SIZE_BYTES = 1_048_576; // 1MB\n\n/** Maximum length of a tool name */\nexport const MAX_TOOL_NAME_LENGTH = 256;\n\n/** Maximum length of a server name */\nexport const MAX_SERVER_NAME_LENGTH = 256;\n\n/** Default rate limit per tool per minute */\nexport const DEFAULT_RATE_LIMIT_PER_MINUTE = 60;\n\n/** Maximum rate limit per tool per minute */\nexport const MAX_RATE_LIMIT_PER_MINUTE = 10_000;\n\n/** Security context timeout in milliseconds (5 minutes) */\nexport const SECURITY_CONTEXT_TIMEOUT_MS = 5 * 60 * 1000;\n\n/** Policy evaluation timeout in milliseconds (100ms) */\nexport const POLICY_EVALUATION_TIMEOUT_MS = 100;\n\n// --- Input Guard Constants ---\n\n/** Default maximum length per string argument */\nexport const INPUT_GUARD_MAX_LENGTH = 4096;\n\n/** Shannon entropy threshold for encoded payload detection */\nexport const INPUT_GUARD_ENTROPY_THRESHOLD = 4.5;\n\n/** Minimum string length before entropy check applies */\nexport const INPUT_GUARD_MIN_ENTROPY_LENGTH = 32;\n\n/** Maximum wildcards allowed per value */\nexport const INPUT_GUARD_MAX_WILDCARDS = 3;\n\n// --- Token Constants ---\n\n/** Default capability token TTL in seconds */\nexport const TOKEN_DEFAULT_TTL_SECONDS = 30;\n\n/** Minimum secret 
key length for HMAC signing */\nexport const TOKEN_MIN_SECRET_LENGTH = 32;\n\n/** Maximum token age before forced expiry (5 minutes) */\nexport const TOKEN_MAX_AGE_SECONDS = 300;\n\n// --- Rate Limiter Constants ---\n\n/** Default sliding window size in milliseconds (1 minute) */\nexport const RATE_LIMIT_WINDOW_MS = 60_000;\n\n/** Maximum entries to keep per tool before cleanup */\nexport const RATE_LIMIT_MAX_ENTRIES = 10_000;\n\n/** Warning messages for unsafe configurations. */\nexport const UNSAFE_CONFIGURATION_WARNINGS = {\n WILDCARD_ALLOW:\n 'Wildcard ALLOW rules grant permission to ALL tools. This bypasses the default-deny model.',\n TRUSTED_LEVEL_EXTERNAL:\n 'Setting trust level to TRUSTED for external requests bypasses all security checks.',\n WRITE_WITHOUT_READ:\n 'Granting WRITE without READ is unusual and may indicate a misconfiguration.',\n EXECUTE_WITHOUT_REVIEW:\n 'EXECUTE permission allows tools to perform arbitrary actions. Review carefully.',\n RATE_LIMIT_ZERO:\n 'A rate limit of 0 means unlimited calls. 
This removes protection against runaway loops.',\n DISABLED_VALIDATION:\n 'Disabling schema validation removes input sanitization protections.',\n} as const;\n","/**\n * Types that bridge between the MCP protocol and SolonGate's type system.\n * Adapts MCP SDK types without creating a hard dependency.\n */\n\nexport interface McpToolDefinition {\n readonly name: string;\n readonly description?: string;\n readonly inputSchema: {\n readonly type: 'object';\n readonly properties?: Record<string, unknown>;\n readonly required?: readonly string[];\n };\n}\n\nexport interface McpCallToolParams {\n readonly name: string;\n readonly arguments?: Record<string, unknown>;\n}\n\nexport interface McpCallToolResult {\n readonly content: readonly McpToolResultContent[];\n readonly isError?: boolean;\n readonly structuredContent?: unknown;\n}\n\nexport type McpToolResultContent =\n | { readonly type: 'text'; readonly text: string }\n | { readonly type: 'image'; readonly data: string; readonly mimeType: string }\n | { readonly type: 'resource'; readonly resource: unknown };\n\n/** Wraps denied tool calls in MCP error responses. */\nexport function createDeniedToolResult(\n reason: string,\n): McpCallToolResult {\n return {\n content: [\n {\n type: 'text',\n text: JSON.stringify({\n error: 'POLICY_DENIED',\n message: reason,\n hint: 'This tool call was blocked by SolonGate security policy. 
Check your policy configuration.',\n }),\n },\n ],\n isError: true,\n };\n}\n","import { z, type ZodTypeAny } from 'zod';\nimport { MAX_ARGUMENT_DEPTH, MAX_ARGUMENTS_SIZE_BYTES } from './constants.js';\n\n/**\n * Result of schema validation.\n * Always includes structured errors for programmatic handling.\n */\nexport interface SchemaValidationResult {\n readonly valid: boolean;\n readonly errors: readonly string[];\n readonly sanitized: Readonly<Record<string, unknown>> | null;\n}\n\n/**\n * Options for schema validation behavior.\n */\nexport interface SchemaValidatorOptions {\n readonly maxDepth?: number;\n readonly maxSizeBytes?: number;\n readonly stripUnknown?: boolean;\n}\n\nconst DEFAULT_OPTIONS: Required<SchemaValidatorOptions> = {\n maxDepth: MAX_ARGUMENT_DEPTH,\n maxSizeBytes: MAX_ARGUMENTS_SIZE_BYTES,\n stripUnknown: false,\n};\n\n/**\n * Validates tool input against a Zod schema with strict security enforcement.\n *\n * - Unknown fields are REJECTED (no additionalProperties)\n * - Type mismatches are REJECTED\n * - Required fields are ENFORCED\n * - Recursive depth is limited\n * - Argument size is limited\n */\nexport function validateToolInput(\n schema: ZodTypeAny,\n input: unknown,\n options?: SchemaValidatorOptions,\n): SchemaValidationResult {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n const errors: string[] = [];\n\n // 1. Size check - prevent oversized payloads\n const sizeError = checkInputSize(input, opts.maxSizeBytes);\n if (sizeError) {\n return { valid: false, errors: [sizeError], sanitized: null };\n }\n\n // 2. Depth check - prevent deeply nested structures\n const depthError = checkInputDepth(input, opts.maxDepth);\n if (depthError) {\n return { valid: false, errors: [depthError], sanitized: null };\n }\n\n // 3. Schema validation using Zod strict mode\n const result = schema.safeParse(input);\n\n if (!result.success) {\n for (const issue of result.error.issues) {\n const path = issue.path.length > 0 ? 
issue.path.join('.') : 'root';\n errors.push(`${path}: ${issue.message}`);\n }\n return { valid: false, errors, sanitized: null };\n }\n\n return {\n valid: true,\n errors: [],\n sanitized: result.data as Readonly<Record<string, unknown>>,\n };\n}\n\n/**\n * Creates a strict Zod object schema that rejects unknown fields.\n * Wraps z.object().strict() for convenience.\n */\nexport function createStrictSchema(\n shape: Record<string, ZodTypeAny>,\n): z.ZodObject<Record<string, ZodTypeAny>, 'strict'> {\n return z.object(shape).strict();\n}\n\n/**\n * Checks if input size exceeds the maximum allowed bytes.\n */\nfunction checkInputSize(input: unknown, maxBytes: number): string | null {\n let serialized: string;\n try {\n serialized = JSON.stringify(input);\n } catch {\n return 'Input cannot be serialized to JSON';\n }\n\n const sizeBytes = new TextEncoder().encode(serialized).length;\n if (sizeBytes > maxBytes) {\n return `Input size ${sizeBytes} bytes exceeds maximum ${maxBytes} bytes`;\n }\n return null;\n}\n\n/**\n * Checks if input exceeds maximum nesting depth.\n * Prevents stack overflow and denial-of-service via deeply nested objects.\n */\nfunction checkInputDepth(input: unknown, maxDepth: number): string | null {\n const depth = measureDepth(input, 0);\n if (depth > maxDepth) {\n return `Input depth ${depth} exceeds maximum ${maxDepth}`;\n }\n return null;\n}\n\nfunction measureDepth(value: unknown, currentDepth: number): number {\n if (currentDepth > MAX_ARGUMENT_DEPTH + 1) {\n return currentDepth; // Early exit to prevent stack overflow\n }\n\n if (value === null || value === undefined || typeof value !== 'object') {\n return currentDepth;\n }\n\n if (Array.isArray(value)) {\n let maxChildDepth = currentDepth + 1;\n for (const item of value) {\n const childDepth = measureDepth(item, currentDepth + 1);\n if (childDepth > maxChildDepth) maxChildDepth = childDepth;\n }\n return maxChildDepth;\n }\n\n let maxChildDepth = currentDepth + 1;\n for (const key of 
Object.keys(value as Record<string, unknown>)) {\n const childDepth = measureDepth(\n (value as Record<string, unknown>)[key],\n currentDepth + 1,\n );\n if (childDepth > maxChildDepth) maxChildDepth = childDepth;\n }\n return maxChildDepth;\n}\n","/**\n * Input Guard: detects and blocks dangerous patterns in tool arguments.\n *\n * Prevents physical execution of injected instructions by checking for:\n * - Path traversal attacks (../, ..\\, encoded variants)\n * - Shell injection (;, |, &, `, $(), etc.)\n * - Wildcard abuse (**, recursive globs)\n * - Excessive length\n * - High-entropy payloads (potential encoded exploits)\n */\n\n/** Threat type detected by input guard. */\nexport type ThreatType =\n | 'PATH_TRAVERSAL'\n | 'SHELL_INJECTION'\n | 'WILDCARD_ABUSE'\n | 'LENGTH_EXCEEDED'\n | 'HIGH_ENTROPY'\n | 'SSRF'\n | 'SQL_INJECTION';\n\n/** A detected threat with details. */\nexport interface DetectedThreat {\n readonly type: ThreatType;\n readonly field: string;\n readonly value: string;\n readonly description: string;\n}\n\n/** Result of sanitization check. */\nexport interface SanitizationResult {\n readonly safe: boolean;\n readonly threats: readonly DetectedThreat[];\n}\n\n/** Configuration for input guard checks. 
*/\nexport interface InputGuardConfig {\n readonly pathTraversal: boolean;\n readonly shellInjection: boolean;\n readonly wildcardAbuse: boolean;\n readonly lengthLimit: number;\n readonly entropyLimit: boolean;\n readonly ssrf: boolean;\n readonly sqlInjection: boolean;\n}\n\nexport const DEFAULT_INPUT_GUARD_CONFIG: Readonly<InputGuardConfig> =\n Object.freeze({\n pathTraversal: true,\n shellInjection: true,\n wildcardAbuse: true,\n lengthLimit: 4096,\n entropyLimit: true,\n ssrf: true,\n sqlInjection: true,\n });\n\n// --- Path Traversal Detection ---\n\nconst PATH_TRAVERSAL_PATTERNS = [\n /\\.\\.\\//, // ../\n /\\.\\.\\\\/, // ..\\\n /%2e%2e/i, // URL-encoded ..\n /%2e\\./i, // partial URL-encoded\n /\\.%2e/i, // partial URL-encoded\n /%252e%252e/i, // double URL-encoded\n /\\.\\.\\0/, // null byte variant\n];\n\nconst SENSITIVE_PATHS = [\n /\\/etc\\/passwd/i,\n /\\/etc\\/shadow/i,\n /\\/proc\\//i,\n /\\/dev\\//i,\n /c:\\\\windows\\\\system32/i,\n /c:\\\\windows\\\\syswow64/i,\n /\\/root\\//i,\n /~\\//,\n /\\.env(\\.|$)/i, // .env, .env.local, .env.production\n /\\.aws\\/credentials/i, // AWS credentials\n /\\.ssh\\/id_/i, // SSH keys\n /\\.kube\\/config/i, // Kubernetes config\n /wp-config\\.php/i, // WordPress config\n /\\.git\\/config/i, // Git config\n /\\.npmrc/i, // npm credentials\n /\\.pypirc/i, // PyPI credentials\n];\n\nexport function detectPathTraversal(value: string): boolean {\n for (const pattern of PATH_TRAVERSAL_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n for (const pattern of SENSITIVE_PATHS) {\n if (pattern.test(value)) return true;\n }\n return false;\n}\n\n// --- Shell Injection Detection ---\n\nconst SHELL_INJECTION_PATTERNS = [\n /[;|&`]/, // Command separators and backtick execution\n /\\$\\(/, // Command substitution $(...)\n /\\$\\{/, // Variable expansion ${...}\n />\\s*/, // Output redirect\n /<\\s*/, // Input redirect\n /&&/, // AND chaining\n /\\|\\|/, // OR chaining\n /\\beval\\b/i, // eval command\n /\\bexec\\b/i, // 
exec command\n /\\bsystem\\b/i, // system call\n /%0a/i, // URL-encoded newline\n /%0d/i, // URL-encoded carriage return\n /%09/i, // URL-encoded tab\n /\\r\\n/, // CRLF injection\n /\\n/, // Newline (command separator on Unix)\n];\n\nexport function detectShellInjection(value: string): boolean {\n for (const pattern of SHELL_INJECTION_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n return false;\n}\n\n// --- Wildcard Abuse Detection ---\n\nconst MAX_WILDCARDS_PER_VALUE = 3;\n\nexport function detectWildcardAbuse(value: string): boolean {\n // Block recursive globs\n if (value.includes('**')) return true;\n\n // Count wildcards\n const wildcardCount = (value.match(/\\*/g) || []).length;\n if (wildcardCount > MAX_WILDCARDS_PER_VALUE) return true;\n\n return false;\n}\n\n// --- SSRF Detection ---\n\nconst SSRF_PATTERNS = [\n /^https?:\\/\\/localhost\\b/i,\n /^https?:\\/\\/127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/,\n /^https?:\\/\\/0\\.0\\.0\\.0/,\n /^https?:\\/\\/\\[::1\\]/, // IPv6 loopback\n /^https?:\\/\\/10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/, // 10.x.x.x\n /^https?:\\/\\/172\\.(1[6-9]|2\\d|3[01])\\./, // 172.16-31.x.x\n /^https?:\\/\\/192\\.168\\./, // 192.168.x.x\n /^https?:\\/\\/169\\.254\\./, // Link-local / AWS metadata\n /metadata\\.google\\.internal/i, // GCP metadata\n /^https?:\\/\\/metadata\\b/i, // Generic metadata endpoint\n // IPv6 bypass patterns\n /^https?:\\/\\/\\[fe80:/i, // IPv6 link-local\n /^https?:\\/\\/\\[fc00:/i, // IPv6 unique local\n /^https?:\\/\\/\\[fd[0-9a-f]{2}:/i, // IPv6 unique local (fd00::/8)\n /^https?:\\/\\/\\[::ffff:127\\./i, // IPv4-mapped IPv6 loopback\n /^https?:\\/\\/\\[::ffff:10\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:172\\.(1[6-9]|2\\d|3[01])\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:192\\.168\\./i, // IPv4-mapped IPv6 private\n /^https?:\\/\\/\\[::ffff:169\\.254\\./i, // IPv4-mapped IPv6 link-local\n // Hex IP bypass (e.g., 0x7f000001 = 127.0.0.1)\n 
/^https?:\\/\\/0x[0-9a-f]+\\b/i,\n // Octal IP bypass (e.g., 0177.0.0.1 = 127.0.0.1)\n /^https?:\\/\\/0[0-7]{1,3}\\./,\n];\n\n/**\n * Detects decimal IP representation (e.g., http://2130706433 = 127.0.0.1).\n * Converts decimal to IPv4 and checks if it's in a private/loopback range.\n */\nfunction detectDecimalIP(value: string): boolean {\n const match = value.match(/^https?:\\/\\/(\\d{8,10})(?:[:/]|$)/);\n if (!match || !match[1]) return false;\n\n const decimal = parseInt(match[1], 10);\n if (isNaN(decimal) || decimal > 0xffffffff) return false;\n\n // Check private/loopback ranges\n return (\n (decimal >= 0x7f000000 && decimal <= 0x7fffffff) || // 127.0.0.0/8\n (decimal >= 0x0a000000 && decimal <= 0x0affffff) || // 10.0.0.0/8\n (decimal >= 0xac100000 && decimal <= 0xac1fffff) || // 172.16.0.0/12\n (decimal >= 0xc0a80000 && decimal <= 0xc0a8ffff) || // 192.168.0.0/16\n (decimal >= 0xa9fe0000 && decimal <= 0xa9feffff) || // 169.254.0.0/16\n decimal === 0 // 0.0.0.0\n );\n}\n\nexport function detectSSRF(value: string): boolean {\n for (const pattern of SSRF_PATTERNS) {\n if (pattern.test(value)) return true;\n }\n // Check for decimal IP bypass\n if (detectDecimalIP(value)) return true;\n return false;\n}\n\n// --- SQL Injection Detection ---\n\nconst SQL_INJECTION_PATTERNS = [\n /'\\s{0,20}(OR|AND)\\s{0,20}'.{0,200}'/i, // ' OR '1'='1 — bounded to prevent ReDoS\n /'\\s{0,10};\\s{0,10}(DROP|DELETE|UPDATE|INSERT|ALTER|CREATE|EXEC)/i, // '; DROP TABLE\n /UNION\\s+(ALL\\s+)?SELECT/i, // UNION SELECT\n /--\\s*$/m, // SQL comment at end of line\n /\\/\\*.{0,500}?\\*\\//, // SQL block comment — bounded + non-greedy\n /\\bSLEEP\\s*\\(/i, // Time-based injection\n /\\bBENCHMARK\\s*\\(/i, // MySQL benchmark\n /\\bWAITFOR\\s+DELAY/i, // MSSQL delay\n /\\b(LOAD_FILE|INTO\\s+OUTFILE|INTO\\s+DUMPFILE)\\b/i, // File operations\n];\n\nexport function detectSQLInjection(value: string): boolean {\n for (const pattern of SQL_INJECTION_PATTERNS) {\n if (pattern.test(value)) return 
true;\n }\n return false;\n}\n\n// --- Length Check ---\n\nexport function checkLengthLimits(\n value: string,\n maxLength: number = 4096,\n): boolean {\n return value.length <= maxLength;\n}\n\n// --- Entropy Detection ---\n\n/**\n * Detects high-entropy strings that may indicate encoded payloads.\n * Uses Shannon entropy calculation.\n * Threshold: 4.5 bits per character (base64 encoded data is ~6.0).\n */\nconst ENTROPY_THRESHOLD = 4.5;\nconst MIN_LENGTH_FOR_ENTROPY_CHECK = 32;\n\nexport function checkEntropyLimits(value: string): boolean {\n if (value.length < MIN_LENGTH_FOR_ENTROPY_CHECK) return true; // Too short to be meaningful\n\n const entropy = calculateShannonEntropy(value);\n return entropy <= ENTROPY_THRESHOLD;\n}\n\nfunction calculateShannonEntropy(str: string): number {\n const freq = new Map<string, number>();\n for (const char of str) {\n freq.set(char, (freq.get(char) ?? 0) + 1);\n }\n\n let entropy = 0;\n const len = str.length;\n for (const count of freq.values()) {\n const p = count / len;\n if (p > 0) {\n entropy -= p * Math.log2(p);\n }\n }\n return entropy;\n}\n\n// --- Main Sanitization Function ---\n\n/**\n * Runs all input guard checks on a value.\n * Returns structured result with all detected threats.\n */\nexport function sanitizeInput(\n field: string,\n value: unknown,\n config: InputGuardConfig = DEFAULT_INPUT_GUARD_CONFIG,\n): SanitizationResult {\n const threats: DetectedThreat[] = [];\n\n if (typeof value !== 'string') {\n // For non-string values, recursively check string values in objects/arrays\n if (typeof value === 'object' && value !== null) {\n return sanitizeObject(field, value, config);\n }\n return { safe: true, threats: [] };\n }\n\n if (config.pathTraversal && detectPathTraversal(value)) {\n threats.push({\n type: 'PATH_TRAVERSAL',\n field,\n value: truncate(value, 100),\n description: 'Path traversal pattern detected',\n });\n }\n\n if (config.shellInjection && detectShellInjection(value)) {\n threats.push({\n type: 
'SHELL_INJECTION',\n field,\n value: truncate(value, 100),\n description: 'Shell injection pattern detected',\n });\n }\n\n if (config.wildcardAbuse && detectWildcardAbuse(value)) {\n threats.push({\n type: 'WILDCARD_ABUSE',\n field,\n value: truncate(value, 100),\n description: 'Wildcard abuse pattern detected',\n });\n }\n\n if (!checkLengthLimits(value, config.lengthLimit)) {\n threats.push({\n type: 'LENGTH_EXCEEDED',\n field,\n value: `[${value.length} chars]`,\n description: `Value exceeds maximum length of ${config.lengthLimit}`,\n });\n }\n\n if (config.entropyLimit && !checkEntropyLimits(value)) {\n threats.push({\n type: 'HIGH_ENTROPY',\n field,\n value: truncate(value, 100),\n description: 'High entropy string detected - possible encoded payload',\n });\n }\n\n if (config.ssrf && detectSSRF(value)) {\n threats.push({\n type: 'SSRF',\n field,\n value: truncate(value, 100),\n description: 'Server-side request forgery pattern detected — internal/metadata URL blocked',\n });\n }\n\n if (config.sqlInjection && detectSQLInjection(value)) {\n threats.push({\n type: 'SQL_INJECTION',\n field,\n value: truncate(value, 100),\n description: 'SQL injection pattern detected',\n });\n }\n\n return { safe: threats.length === 0, threats };\n}\n\n/**\n * Recursively sanitizes all string values in an object or array.\n */\nfunction sanitizeObject(\n basePath: string,\n obj: object,\n config: InputGuardConfig,\n): SanitizationResult {\n const threats: DetectedThreat[] = [];\n\n if (Array.isArray(obj)) {\n for (let i = 0; i < obj.length; i++) {\n const result = sanitizeInput(`${basePath}[${i}]`, obj[i], config);\n threats.push(...result.threats);\n }\n } else {\n for (const [key, val] of Object.entries(obj)) {\n const result = sanitizeInput(`${basePath}.${key}`, val, config);\n threats.push(...result.threats);\n }\n }\n\n return { safe: threats.length === 0, threats };\n}\n\nfunction truncate(str: string, maxLen: number): string {\n return str.length > maxLen ? 
str.slice(0, maxLen) + '...' : str;\n}\n","import type { Permission } from './permissions.js';\n\n/**\n * Capability Token: a signed, short-lived, single-use token\n * that authorizes execution of specific tools within specific scopes.\n *\n * Security properties:\n * - Short-lived: TTL defaults to 30 seconds\n * - Single-use: nonce prevents replay attacks\n * - Scoped: limited to specific tools and servers\n * - Signed: HMAC-SHA256 prevents forgery\n */\nexport interface CapabilityToken {\n readonly jti: string; // Unique token ID (nonce)\n readonly iss: string; // Issuer (gateway ID)\n readonly sub: string; // Subject (request ID)\n readonly iat: number; // Issued at (unix timestamp)\n readonly exp: number; // Expires at (unix timestamp)\n readonly permissions: readonly Permission[];\n readonly toolScope: readonly string[]; // Which tools this token covers\n readonly serverScope: readonly string[]; // Which servers\n readonly pathScope?: readonly string[]; // Optional path restrictions\n}\n\n/**\n * Configuration for token issuance.\n */\nexport interface TokenConfig {\n readonly secret: string; // HMAC signing key\n readonly ttlSeconds: number; // Default 30 seconds\n readonly algorithm: 'HS256'; // Start with HMAC\n readonly issuer: string;\n}\n\n/**\n * Default token configuration.\n * Secret must be provided - no default.\n */\nexport const DEFAULT_TOKEN_TTL_SECONDS = 30;\nexport const TOKEN_ALGORITHM = 'HS256' as const;\nexport const MIN_SECRET_LENGTH = 32;\n\n/**\n * Result of token verification.\n */\nexport interface TokenVerificationResult {\n readonly valid: boolean;\n readonly payload?: CapabilityToken;\n readonly reason?: string;\n}\n","import type { PolicyRule } from '@solongate/core';\n\ntype PathConstraints = NonNullable<PolicyRule['pathConstraints']>;\n\n/**\n * Normalizes a file path for consistent matching.\n * Resolves . and .. 
segments, normalizes separators.\n */\nexport function normalizePath(path: string): string {\n // Normalize separators to forward slash\n let normalized = path.replace(/\\\\/g, '/');\n\n // Remove trailing slash (except for root)\n if (normalized.length > 1 && normalized.endsWith('/')) {\n normalized = normalized.slice(0, -1);\n }\n\n // Resolve . and .. segments\n const parts = normalized.split('/');\n const resolved: string[] = [];\n\n for (const part of parts) {\n if (part === '.' || part === '') {\n if (resolved.length === 0) resolved.push('');\n continue;\n }\n if (part === '..') {\n if (resolved.length > 1) {\n resolved.pop();\n }\n continue;\n }\n resolved.push(part);\n }\n\n return resolved.join('/') || '/';\n}\n\n/**\n * Checks if a path is within a root directory (sandbox boundary).\n * Prevents escaping via .., symlinks, etc.\n */\nexport function isWithinRoot(path: string, root: string): boolean {\n const normalizedPath = normalizePath(path);\n const normalizedRoot = normalizePath(root);\n\n // Path must start with root\n if (normalizedPath === normalizedRoot) return true;\n return normalizedPath.startsWith(normalizedRoot + '/');\n}\n\n/**\n * Glob-style path pattern matching.\n * Supports:\n * - * matches any single path segment (not /)\n * - ** matches any number of path segments\n * - Exact match\n *\n * Does NOT support regex (ReDoS prevention).\n */\nexport function matchPathPattern(path: string, pattern: string): boolean {\n const normalizedPath = normalizePath(path);\n const normalizedPattern = normalizePath(pattern);\n\n if (normalizedPattern === '*') return true;\n if (normalizedPattern === normalizedPath) return true;\n\n const patternParts = normalizedPattern.split('/');\n const pathParts = normalizedPath.split('/');\n\n return matchParts(pathParts, 0, patternParts, 0);\n}\n\nfunction matchParts(\n pathParts: string[],\n pi: number,\n patternParts: string[],\n qi: number,\n): boolean {\n while (pi < pathParts.length && qi < 
patternParts.length) {\n const pattern = patternParts[qi]!;\n\n if (pattern === '**') {\n // ** can match zero or more path segments\n if (qi === patternParts.length - 1) return true;\n\n // Try matching ** against 0, 1, 2, ... path segments\n for (let i = pi; i <= pathParts.length; i++) {\n if (matchParts(pathParts, i, patternParts, qi + 1)) {\n return true;\n }\n }\n return false;\n }\n\n if (pattern === '*') {\n // * matches exactly one path segment\n pi++;\n qi++;\n continue;\n }\n\n if (pattern !== pathParts[pi]) {\n return false;\n }\n\n pi++;\n qi++;\n }\n\n // Skip trailing ** patterns\n while (qi < patternParts.length && patternParts[qi] === '**') {\n qi++;\n }\n\n return pi === pathParts.length && qi === patternParts.length;\n}\n\n/**\n * Checks if a path is allowed by the given constraints.\n *\n * Evaluation order:\n * 1. If rootDirectory is set, path must be within it\n * 2. If denied list exists, path must NOT match any denied pattern\n * 3. If allowed list exists, path must match at least one allowed pattern\n * 4. If neither list exists, path is allowed (constraints are optional)\n */\nexport function isPathAllowed(\n path: string,\n constraints: PathConstraints,\n): boolean {\n // 1. Root directory check (sandbox)\n if (constraints.rootDirectory) {\n if (!isWithinRoot(path, constraints.rootDirectory)) {\n return false;\n }\n }\n\n // 2. Denied list - any match means denied\n if (constraints.denied && constraints.denied.length > 0) {\n for (const pattern of constraints.denied) {\n if (matchPathPattern(path, pattern)) {\n return false;\n }\n }\n }\n\n // 3. 
Allowed list - must match at least one\n if (constraints.allowed && constraints.allowed.length > 0) {\n let matchesAllowed = false;\n for (const pattern of constraints.allowed) {\n if (matchPathPattern(path, pattern)) {\n matchesAllowed = true;\n break;\n }\n }\n if (!matchesAllowed) return false;\n }\n\n return true;\n}\n\n/**\n * Extracts path-like arguments from tool call arguments.\n * Heuristic: any string argument containing / or \\ is treated as a path.\n */\nexport function extractPathArguments(\n args: Readonly<Record<string, unknown>>,\n): string[] {\n const paths: string[] = [];\n\n for (const value of Object.values(args)) {\n if (typeof value === 'string' && (value.includes('/') || value.includes('\\\\'))) {\n paths.push(value);\n }\n }\n\n return paths;\n}\n","import type { PolicyRule, ExecutionRequest } from '@solongate/core';\nimport { TrustLevel } from '@solongate/core';\nimport { isPathAllowed, extractPathArguments } from './path-matcher.js';\n\n/**\n * Pure function: determines if a policy rule matches an execution request.\n * No side effects. No I/O. 
Fully deterministic.\n */\nexport function ruleMatchesRequest(\n rule: PolicyRule,\n request: ExecutionRequest,\n): boolean {\n if (!rule.enabled) return false;\n if (rule.permission !== request.requiredPermission) return false;\n if (!toolPatternMatches(rule.toolPattern, request.toolName)) return false;\n if (!trustLevelMeetsMinimum(request.context.trustLevel, rule.minimumTrustLevel)) {\n return false;\n }\n if (rule.argumentConstraints) {\n if (!argumentConstraintsMatch(rule.argumentConstraints, request.arguments)) {\n return false;\n }\n }\n if (rule.pathConstraints) {\n if (!pathConstraintsMatch(rule.pathConstraints, request.arguments)) {\n return false;\n }\n }\n return true;\n}\n\n/**\n * Glob-style tool name pattern matching.\n * Supports:\n * '*' → match all\n * 'prefix*' → starts with prefix\n * '*suffix' → ends with suffix\n * '*infix*' → contains infix\n * Does NOT support regex (ReDoS prevention).\n */\nexport function toolPatternMatches(pattern: string, toolName: string): boolean {\n if (pattern === '*') return true;\n\n const startsWithStar = pattern.startsWith('*');\n const endsWithStar = pattern.endsWith('*');\n\n if (startsWithStar && endsWithStar) {\n // *infix* → contains\n const infix = pattern.slice(1, -1);\n return infix.length > 0 && toolName.includes(infix);\n }\n if (endsWithStar) {\n // prefix* → starts with\n const prefix = pattern.slice(0, -1);\n return toolName.startsWith(prefix);\n }\n if (startsWithStar) {\n // *suffix → ends with\n const suffix = pattern.slice(1);\n return toolName.endsWith(suffix);\n }\n\n return pattern === toolName;\n}\n\nconst TRUST_LEVEL_ORDER: Record<string, number> = {\n [TrustLevel.UNTRUSTED]: 0,\n [TrustLevel.VERIFIED]: 1,\n [TrustLevel.TRUSTED]: 2,\n};\n\nexport function trustLevelMeetsMinimum(\n actual: TrustLevel,\n minimum: TrustLevel,\n): boolean {\n return (TRUST_LEVEL_ORDER[actual] ?? -1) >= (TRUST_LEVEL_ORDER[minimum] ?? 
Infinity);\n}\n\n/**\n * Condition operators for argument constraints.\n * When constraint value is a plain string → exact match (or '*' for any).\n * When constraint value is an object → operator-based matching:\n * { $contains: \"str\" } — value includes substring\n * { $notContains: \"str\" } — value does NOT include substring\n * { $startsWith: \"str\" } — value starts with prefix\n * { $endsWith: \"str\" } — value ends with suffix\n * { $in: [\"a\",\"b\"] } — value is one of the listed values\n * { $notIn: [\"a\",\"b\"] } — value is NOT one of the listed values\n * { $gt: 5 } — numeric greater than\n * { $lt: 5 } — numeric less than\n * { $gte: 5 } — numeric greater than or equal\n * { $lte: 5 } — numeric less than or equal\n */\nfunction argumentConstraintsMatch(\n constraints: Record<string, unknown>,\n args: Readonly<Record<string, unknown>>,\n): boolean {\n for (const [key, constraint] of Object.entries(constraints)) {\n if (!(key in args)) return false;\n const argValue = args[key];\n\n // Plain string: exact match (backward compatible)\n if (typeof constraint === 'string') {\n if (constraint === '*') continue;\n if (typeof argValue === 'string') {\n if (argValue !== constraint) return false;\n } else {\n return false;\n }\n continue;\n }\n\n // Object with operators\n if (typeof constraint === 'object' && constraint !== null && !Array.isArray(constraint)) {\n const ops = constraint as Record<string, unknown>;\n const strValue = typeof argValue === 'string' ? argValue : undefined;\n const numValue = typeof argValue === 'number' ? 
argValue : undefined;\n\n if ('$contains' in ops && typeof ops.$contains === 'string') {\n if (!strValue || !strValue.includes(ops.$contains)) return false;\n }\n if ('$notContains' in ops && typeof ops.$notContains === 'string') {\n if (strValue && strValue.includes(ops.$notContains)) return false;\n }\n if ('$startsWith' in ops && typeof ops.$startsWith === 'string') {\n if (!strValue || !strValue.startsWith(ops.$startsWith)) return false;\n }\n if ('$endsWith' in ops && typeof ops.$endsWith === 'string') {\n if (!strValue || !strValue.endsWith(ops.$endsWith)) return false;\n }\n if ('$in' in ops && Array.isArray(ops.$in)) {\n if (!ops.$in.includes(argValue)) return false;\n }\n if ('$notIn' in ops && Array.isArray(ops.$notIn)) {\n if (ops.$notIn.includes(argValue)) return false;\n }\n if ('$gt' in ops && typeof ops.$gt === 'number') {\n if (numValue === undefined || numValue <= ops.$gt) return false;\n }\n if ('$lt' in ops && typeof ops.$lt === 'number') {\n if (numValue === undefined || numValue >= ops.$lt) return false;\n }\n if ('$gte' in ops && typeof ops.$gte === 'number') {\n if (numValue === undefined || numValue < ops.$gte) return false;\n }\n if ('$lte' in ops && typeof ops.$lte === 'number') {\n if (numValue === undefined || numValue > ops.$lte) return false;\n }\n\n continue;\n }\n }\n return true;\n}\n\nfunction pathConstraintsMatch(\n constraints: NonNullable<PolicyRule['pathConstraints']>,\n args: Readonly<Record<string, unknown>>,\n): boolean {\n const paths = extractPathArguments(args);\n\n // If no path arguments found, constraints don't apply\n if (paths.length === 0) return true;\n\n // ALL path arguments must satisfy constraints\n return paths.every((path) => isPathAllowed(path, constraints));\n}\n","import type {\n PolicySet,\n PolicyDecision,\n ExecutionRequest,\n PolicyEffect,\n} from '@solongate/core';\nimport { DEFAULT_POLICY_EFFECT } from '@solongate/core';\nimport { ruleMatchesRequest } from './matcher.js';\n\n/**\n * Evaluates a 
policy set against an execution request.\n *\n * Pure function: no side effects, no I/O, fully deterministic.\n *\n * Algorithm:\n * 1. Sort rules by priority (ascending - lower number = higher priority)\n * 2. Find the first matching rule\n * 3. If a rule matches, return its effect\n * 4. If no rule matches, return DENY (default-deny)\n */\nexport function evaluatePolicy(\n policySet: PolicySet,\n request: ExecutionRequest,\n): PolicyDecision {\n const startTime = performance.now();\n\n const sortedRules = [...policySet.rules].sort(\n (a, b) => a.priority - b.priority,\n );\n\n for (const rule of sortedRules) {\n if (ruleMatchesRequest(rule, request)) {\n const endTime = performance.now();\n return {\n effect: rule.effect,\n matchedRule: rule,\n reason: `Matched rule \"${rule.id}\": ${rule.description}`,\n timestamp: new Date().toISOString(),\n evaluationTimeMs: endTime - startTime,\n };\n }\n }\n\n const endTime = performance.now();\n return {\n effect: DEFAULT_POLICY_EFFECT as PolicyEffect,\n matchedRule: null,\n reason: 'No matching policy rule found. Default action: DENY.',\n timestamp: new Date().toISOString(),\n evaluationTimeMs: endTime - startTime,\n metadata: {\n evaluatedRules: sortedRules.length,\n ruleIds: sortedRules.map((r) => r.id),\n requestContext: {\n tool: request.toolName,\n arguments: Object.keys(request.arguments ?? 
{}),\n },\n },\n };\n}\n","import { PolicyRuleSchema, PolicySetSchema } from '@solongate/core';\nimport {\n MAX_RULES_PER_POLICY_SET,\n UNSAFE_CONFIGURATION_WARNINGS,\n} from '@solongate/core';\n\nexport interface ValidationResult {\n readonly valid: boolean;\n readonly errors: readonly string[];\n readonly warnings: readonly string[];\n}\n\nexport function validatePolicyRule(input: unknown): ValidationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n\n const result = PolicyRuleSchema.safeParse(input);\n if (!result.success) {\n return {\n valid: false,\n errors: result.error.errors.map(\n (e) => `${e.path.join('.')}: ${e.message}`,\n ),\n warnings: [],\n };\n }\n\n const rule = result.data;\n\n if (rule.toolPattern === '*' && rule.effect === 'ALLOW') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW);\n }\n\n if (rule.minimumTrustLevel === 'TRUSTED') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.TRUSTED_LEVEL_EXTERNAL);\n }\n\n if (rule.permission === 'EXECUTE') {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW);\n }\n\n return { valid: true, errors, warnings };\n}\n\nexport function validatePolicySet(input: unknown): ValidationResult {\n const errors: string[] = [];\n const warnings: string[] = [];\n\n const result = PolicySetSchema.safeParse(input);\n if (!result.success) {\n return {\n valid: false,\n errors: result.error.errors.map(\n (e) => `${e.path.join('.')}: ${e.message}`,\n ),\n warnings: [],\n };\n }\n\n const policySet = result.data;\n\n if (policySet.rules.length > MAX_RULES_PER_POLICY_SET) {\n errors.push(\n `Policy set exceeds maximum of ${MAX_RULES_PER_POLICY_SET} rules`,\n );\n }\n\n const ruleIds = new Set<string>();\n for (const rule of policySet.rules) {\n if (ruleIds.has(rule.id)) {\n errors.push(`Duplicate rule ID: \"${rule.id}\"`);\n }\n ruleIds.add(rule.id);\n }\n\n for (const rule of policySet.rules) {\n const ruleResult = validatePolicyRule(rule);\n 
warnings.push(...ruleResult.warnings);\n }\n\n const hasDenyRule = policySet.rules.some((r) => r.effect === 'DENY');\n if (!hasDenyRule && policySet.rules.length > 0) {\n warnings.push(\n 'Policy set contains only ALLOW rules. The default-deny fallback is the only protection.',\n );\n }\n\n return {\n valid: errors.length === 0,\n errors,\n warnings,\n };\n}\n","import type { PolicyRule, PolicySet } from '@solongate/core';\nimport { UNSAFE_CONFIGURATION_WARNINGS } from '@solongate/core';\n\nexport interface SecurityWarning {\n readonly level: 'WARNING' | 'CRITICAL';\n readonly code: string;\n readonly message: string;\n readonly ruleId?: string;\n readonly recommendation: string;\n}\n\n/** Analyzes a policy set and returns security warnings. Pure function. */\nexport function analyzeSecurityWarnings(\n policySet: PolicySet,\n): readonly SecurityWarning[] {\n const warnings: SecurityWarning[] = [];\n\n for (const rule of policySet.rules) {\n warnings.push(...analyzeRuleWarnings(rule));\n }\n\n const allowRules = policySet.rules.filter(\n (r) => r.effect === 'ALLOW' && r.enabled,\n );\n const wildcardAllows = allowRules.filter((r) => r.toolPattern === '*');\n\n if (wildcardAllows.length > 0) {\n warnings.push({\n level: 'CRITICAL',\n code: 'WILDCARD_ALLOW',\n message: UNSAFE_CONFIGURATION_WARNINGS.WILDCARD_ALLOW,\n recommendation:\n 'Replace wildcard ALLOW rules with specific tool patterns.',\n });\n }\n\n return warnings;\n}\n\nfunction analyzeRuleWarnings(rule: PolicyRule): SecurityWarning[] {\n const warnings: SecurityWarning[] = [];\n\n if (rule.effect === 'ALLOW' && rule.minimumTrustLevel === 'UNTRUSTED') {\n warnings.push({\n level: 'CRITICAL',\n code: 'ALLOW_UNTRUSTED',\n message: `Rule \"${rule.id}\" allows execution for UNTRUSTED requests. 
Unverified LLM requests can execute tools.`,\n ruleId: rule.id,\n recommendation:\n 'Set minimumTrustLevel to VERIFIED or higher for ALLOW rules.',\n });\n }\n\n if (rule.effect === 'ALLOW' && rule.permission === 'EXECUTE') {\n warnings.push({\n level: 'WARNING',\n code: 'ALLOW_EXECUTE',\n message: UNSAFE_CONFIGURATION_WARNINGS.EXECUTE_WITHOUT_REVIEW,\n ruleId: rule.id,\n recommendation:\n 'Ensure EXECUTE permissions are intentional and scoped to specific tools.',\n });\n }\n\n return warnings;\n}\n","import type { PolicySet } from '@solongate/core';\nimport { PolicyEffect, Permission, TrustLevel } from '@solongate/core';\n\n/**\n * Creates the default \"deny all\" policy set.\n * This is the starting policy for any new SolonGate deployment.\n */\nexport function createDefaultDenyPolicySet(): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: 'default-deny',\n name: 'Default Deny All',\n description:\n 'Denies all tool executions. Add explicit ALLOW rules to grant access to specific tools.',\n version: 1,\n rules: [\n {\n id: 'deny-all-execute',\n description: 'Explicitly deny all tool executions',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.EXECUTE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'deny-all-write',\n description: 'Explicitly deny all write operations',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.WRITE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'deny-all-read',\n description: 'Explicitly deny all read operations',\n effect: PolicyEffect.DENY,\n priority: 10000,\n toolPattern: '*',\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n\n/**\n * Creates a permissive \"allow all\" 
policy set.\n * Allows all tool executions — useful for development or when\n * using SolonGate only for monitoring and audit logging.\n */\nexport function createPermissivePolicySet(): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: 'permissive',\n name: 'Permissive (Allow All)',\n description: 'Allows all tool executions. SolonGate still provides input validation, rate limiting, and audit logging.',\n version: 1,\n rules: [\n {\n id: 'allow-all-execute',\n description: 'Allow all tool executions',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.EXECUTE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'allow-all-read',\n description: 'Allow all read operations',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n {\n id: 'allow-all-write',\n description: 'Allow all write operations',\n effect: PolicyEffect.ALLOW,\n priority: 1000,\n toolPattern: '*',\n permission: Permission.WRITE,\n minimumTrustLevel: TrustLevel.UNTRUSTED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n\n/**\n * Creates a read-only policy set for a specific tool pattern.\n * Allows reads for VERIFIED requests only.\n */\nexport function createReadOnlyPolicySet(toolPattern: string): PolicySet {\n const now = new Date().toISOString();\n\n return {\n id: `read-only-${toolPattern}`,\n name: `Read-Only: ${toolPattern}`,\n description: `Allows read access to tools matching \"${toolPattern}\". 
Denies write and execute.`,\n version: 1,\n rules: [\n {\n id: `allow-read-${toolPattern}`,\n description: `Allow read access to ${toolPattern}`,\n effect: PolicyEffect.ALLOW,\n priority: 100,\n toolPattern,\n permission: Permission.READ,\n minimumTrustLevel: TrustLevel.VERIFIED,\n enabled: true,\n createdAt: now,\n updatedAt: now,\n },\n ],\n createdAt: now,\n updatedAt: now,\n };\n}\n","import type {\n PolicySet,\n PolicyDecision,\n ExecutionRequest,\n} from '@solongate/core';\nimport { POLICY_EVALUATION_TIMEOUT_MS } from '@solongate/core';\nimport { evaluatePolicy } from './evaluator.js';\nimport { validatePolicySet, type ValidationResult } from './validator.js';\nimport { analyzeSecurityWarnings, type SecurityWarning } from './warnings.js';\nimport { createDefaultDenyPolicySet } from './defaults.js';\nimport { PolicyStore, type PolicyVersion } from './policy-store.js';\n\n/**\n * PolicyEngine is the primary interface for policy evaluation.\n *\n * Wraps pure evaluation functions with:\n * - Policy set management (load, validate, swap)\n * - Timeout protection\n * - Warning aggregation\n * - Optional versioned policy store\n */\nexport class PolicyEngine {\n private policySet: PolicySet;\n private readonly timeoutMs: number;\n private readonly store: PolicyStore | null;\n\n constructor(options?: {\n policySet?: PolicySet;\n timeoutMs?: number;\n store?: PolicyStore;\n }) {\n this.policySet = options?.policySet ?? createDefaultDenyPolicySet();\n this.timeoutMs = options?.timeoutMs ?? POLICY_EVALUATION_TIMEOUT_MS;\n this.store = options?.store ?? 
null;\n }\n\n /**\n * Evaluates an execution request against the current policy set.\n * Never throws for denials - denial is a normal outcome, not an error.\n */\n evaluate(request: ExecutionRequest): PolicyDecision {\n const startTime = performance.now();\n const decision = evaluatePolicy(this.policySet, request);\n const elapsed = performance.now() - startTime;\n\n if (elapsed > this.timeoutMs) {\n console.warn(\n `[SolonGate] Policy evaluation took ${elapsed.toFixed(1)}ms ` +\n `(limit: ${this.timeoutMs}ms) for tool \"${request.toolName}\"`,\n );\n }\n\n return decision;\n }\n\n /**\n * Loads a new policy set, replacing the current one.\n * Validates before accepting. Auto-saves version when store is present.\n */\n loadPolicySet(\n policySet: PolicySet,\n options?: { reason?: string; createdBy?: string },\n ): ValidationResult {\n const validation = validatePolicySet(policySet);\n if (!validation.valid) {\n return validation;\n }\n this.policySet = policySet;\n\n if (this.store) {\n this.store.saveVersion(\n policySet,\n options?.reason ?? 'Policy updated',\n options?.createdBy ?? 
'system',\n );\n }\n\n return validation;\n }\n\n /**\n * Rolls back to a previous policy version.\n * Only available when a PolicyStore is configured.\n */\n rollback(version: number): PolicyVersion {\n if (!this.store) {\n throw new Error('PolicyStore not configured - cannot rollback');\n }\n\n const policyVersion = this.store.rollback(this.policySet.id, version);\n this.policySet = policyVersion.policySet;\n return policyVersion;\n }\n\n getPolicySet(): Readonly<PolicySet> {\n return this.policySet;\n }\n\n getSecurityWarnings(): readonly SecurityWarning[] {\n return analyzeSecurityWarnings(this.policySet);\n }\n\n getStore(): PolicyStore | null {\n return this.store;\n }\n\n reset(): void {\n this.policySet = createDefaultDenyPolicySet();\n }\n}\n","import type { PolicySet, PolicyRule } from '@solongate/core';\nimport { createHash } from 'node:crypto';\n\n/**\n * A versioned snapshot of a policy set.\n * Immutable once created - modifications create new versions.\n */\nexport interface PolicyVersion {\n readonly version: number;\n readonly policySet: PolicySet;\n readonly hash: string;\n readonly reason: string;\n readonly createdBy: string;\n readonly createdAt: string;\n}\n\n/**\n * Diff between two policy versions.\n */\nexport interface PolicyDiff {\n readonly added: readonly PolicyRule[];\n readonly removed: readonly PolicyRule[];\n readonly modified: readonly { readonly old: PolicyRule; readonly new: PolicyRule }[];\n}\n\n/**\n * In-memory versioned policy store.\n * Stores complete history of policy changes with cryptographic hashes.\n *\n * Security properties:\n * - Immutable versions: once saved, a version cannot be modified\n * - Hash chain: each version includes SHA256 of the policy content\n * - Full history: no version is ever deleted\n */\nexport class PolicyStore {\n private readonly versions = new Map<string, PolicyVersion[]>();\n\n /**\n * Saves a new version of a policy set.\n * The version number auto-increments.\n */\n saveVersion(\n 
policySet: PolicySet,\n reason: string,\n createdBy: string,\n ): PolicyVersion {\n const id = policySet.id;\n const history = this.versions.get(id) ?? [];\n\n const latestVersion = history.length > 0 ? history[history.length - 1]!.version : 0;\n\n const version: PolicyVersion = {\n version: latestVersion + 1,\n policySet: Object.freeze({ ...policySet }),\n hash: this.computeHash(policySet),\n reason,\n createdBy,\n createdAt: new Date().toISOString(),\n };\n\n const newHistory = [...history, version];\n this.versions.set(id, newHistory);\n\n return version;\n }\n\n /**\n * Gets a specific version of a policy set.\n */\n getVersion(id: string, version: number): PolicyVersion | null {\n const history = this.versions.get(id);\n if (!history) return null;\n return history.find((v) => v.version === version) ?? null;\n }\n\n /**\n * Gets the latest version of a policy set.\n */\n getLatest(id: string): PolicyVersion | null {\n const history = this.versions.get(id);\n if (!history || history.length === 0) return null;\n return history[history.length - 1]!;\n }\n\n /**\n * Gets the full version history of a policy set.\n */\n getHistory(id: string): readonly PolicyVersion[] {\n return this.versions.get(id) ?? 
[];\n }\n\n /**\n * Rolls back to a previous version by creating a new version\n * with the same content as the target version.\n */\n rollback(id: string, toVersion: number): PolicyVersion {\n const target = this.getVersion(id, toVersion);\n if (!target) {\n throw new Error(`Version ${toVersion} not found for policy \"${id}\"`);\n }\n\n return this.saveVersion(\n target.policySet,\n `Rollback to version ${toVersion}`,\n 'system',\n );\n }\n\n /**\n * Computes a diff between two policy versions.\n */\n diff(v1: PolicyVersion, v2: PolicyVersion): PolicyDiff {\n const oldRulesMap = new Map(v1.policySet.rules.map((r) => [r.id, r]));\n const newRulesMap = new Map(v2.policySet.rules.map((r) => [r.id, r]));\n\n const added: PolicyRule[] = [];\n const removed: PolicyRule[] = [];\n const modified: { old: PolicyRule; new: PolicyRule }[] = [];\n\n // Find added and modified rules\n for (const [id, newRule] of newRulesMap) {\n const oldRule = oldRulesMap.get(id);\n if (!oldRule) {\n added.push(newRule);\n } else if (JSON.stringify(oldRule) !== JSON.stringify(newRule)) {\n modified.push({ old: oldRule, new: newRule });\n }\n }\n\n // Find removed rules\n for (const [id, oldRule] of oldRulesMap) {\n if (!newRulesMap.has(id)) {\n removed.push(oldRule);\n }\n }\n\n return { added, removed, modified };\n }\n\n /**\n * Computes SHA256 hash of a policy set for integrity verification.\n */\n computeHash(policySet: PolicySet): string {\n const serialized = JSON.stringify(policySet, Object.keys(policySet).sort());\n return createHash('sha256').update(serialized).digest('hex');\n }\n}\n","import type { PolicySet, InputGuardConfig } from '@solongate/core';\nimport { UNSAFE_CONFIGURATION_WARNINGS, DEFAULT_INPUT_GUARD_CONFIG } from '@solongate/core';\n\n/**\n * Configuration for the SolonGate SDK.\n * All fields have secure defaults. 
Weakening requires explicit opt-in.\n */\nexport interface SolonGateConfig {\n readonly policySet?: PolicySet;\n readonly validateSchemas: boolean;\n readonly enableLogging: boolean;\n readonly logLevel: 'debug' | 'info' | 'warn' | 'error';\n readonly evaluationTimeoutMs: number;\n readonly verboseErrors: boolean;\n readonly globalRateLimitPerMinute: number;\n\n // Phase 1 additions\n readonly rateLimitPerTool: number;\n readonly tokenSecret?: string;\n readonly tokenTtlSeconds: number;\n readonly tokenIssuer?: string;\n readonly gatewaySecret?: string;\n readonly inputGuardConfig: InputGuardConfig;\n readonly enableVersionedPolicies: boolean;\n readonly apiUrl?: string;\n}\n\nexport const DEFAULT_CONFIG: Readonly<SolonGateConfig> = Object.freeze({\n validateSchemas: true,\n enableLogging: true,\n logLevel: 'info',\n evaluationTimeoutMs: 100,\n verboseErrors: false,\n globalRateLimitPerMinute: 600,\n rateLimitPerTool: 60,\n tokenTtlSeconds: 30,\n inputGuardConfig: DEFAULT_INPUT_GUARD_CONFIG,\n enableVersionedPolicies: true,\n});\n\nexport function resolveConfig(\n userConfig?: Partial<SolonGateConfig>,\n): { config: SolonGateConfig; warnings: string[] } {\n const warnings: string[] = [];\n const config = { ...DEFAULT_CONFIG, ...userConfig };\n\n if (!config.validateSchemas) {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.DISABLED_VALIDATION);\n }\n if (config.globalRateLimitPerMinute === 0) {\n warnings.push(UNSAFE_CONFIGURATION_WARNINGS.RATE_LIMIT_ZERO);\n }\n if (config.verboseErrors) {\n warnings.push(\n 'Verbose errors enabled: internal error details will be sent to the LLM.',\n );\n }\n if (config.tokenSecret && config.tokenSecret.length < 32) {\n warnings.push(\n 'Token secret is shorter than 32 characters. 
Use a longer secret for production.',\n );\n }\n\n return { config, warnings };\n}\n","import type {\n ExecutionRequest,\n ExecutionResult,\n McpCallToolParams,\n McpCallToolResult,\n} from '@solongate/core';\nimport {\n Permission,\n PolicyDeniedError,\n SchemaValidationError,\n RateLimitError,\n createDeniedToolResult,\n createSecurityContext,\n sanitizeInput,\n type InputGuardConfig,\n DEFAULT_INPUT_GUARD_CONFIG,\n} from '@solongate/core';\nimport type { PolicyEngine } from '@solongate/policy-engine';\nimport type { TokenIssuer } from './token-issuer.js';\nimport type { ServerVerifier } from './server-verifier.js';\nimport type { RateLimiter } from './rate-limiter.js';\nimport { randomUUID } from 'node:crypto';\n\nexport interface InterceptorOptions {\n readonly policyEngine: PolicyEngine;\n readonly validateSchemas: boolean;\n readonly verboseErrors: boolean;\n readonly onDecision?: (result: ExecutionResult) => void;\n\n // Phase 1 additions\n readonly tokenIssuer?: TokenIssuer;\n readonly serverVerifier?: ServerVerifier;\n readonly rateLimiter?: RateLimiter;\n readonly inputGuardConfig?: InputGuardConfig;\n readonly rateLimitPerTool?: number;\n readonly globalRateLimitPerMinute?: number;\n}\n\n/**\n * Intercepts an MCP tool call and runs the full security pipeline:\n *\n * 1. Rate limit check → RateLimitError if exceeded\n * 2. Input guard (sanitization) → SchemaValidationError if dangerous\n * 3. Policy evaluation → PolicyDeniedError if denied\n * 4. Issue capability token (if TokenIssuer configured)\n * 5. Sign request (if ServerVerifier configured)\n * 6. Call upstream\n * 7. Record rate limit usage\n * 8. Log to audit trail\n * 9. 
Return result\n */\nexport async function interceptToolCall(\n params: McpCallToolParams,\n upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>,\n options: InterceptorOptions,\n): Promise<McpCallToolResult> {\n const requestId = randomUUID();\n const timestamp = new Date().toISOString();\n\n const context = createSecurityContext({ requestId });\n\n const request: ExecutionRequest = {\n context,\n toolName: params.name,\n serverName: 'default',\n arguments: params.arguments ?? {},\n requiredPermission: Permission.EXECUTE,\n timestamp,\n };\n\n // --- Step 1: Rate limit check ---\n if (options.rateLimiter) {\n // Per-tool rate limit\n if (options.rateLimitPerTool) {\n const toolLimit = options.rateLimiter.checkLimit(\n params.name,\n options.rateLimitPerTool,\n );\n if (!toolLimit.allowed) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new RateLimitError(params.name, options.rateLimitPerTool),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n return createDeniedToolResult(\n `Rate limit exceeded for tool \"${params.name}\"`,\n );\n }\n }\n\n // Global rate limit\n if (options.globalRateLimitPerMinute) {\n const globalLimit = options.rateLimiter.checkGlobalLimit(\n options.globalRateLimitPerMinute,\n );\n if (!globalLimit.allowed) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new RateLimitError('*', options.globalRateLimitPerMinute),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n return createDeniedToolResult('Global rate limit exceeded');\n }\n }\n }\n\n // --- Step 2: Input guard (sanitization) ---\n if (options.validateSchemas && params.arguments) {\n const guardConfig = options.inputGuardConfig ?? 
DEFAULT_INPUT_GUARD_CONFIG;\n const sanitization = sanitizeInput('arguments', params.arguments, guardConfig);\n\n if (!sanitization.safe) {\n const threatDescriptions = sanitization.threats.map(\n (t) => `${t.type}: ${t.description} (field: ${t.field})`,\n );\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: new SchemaValidationError(params.name, threatDescriptions),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n const reason = options.verboseErrors\n ? `Input validation failed: ${sanitization.threats.length} threat(s) detected`\n : 'Input validation failed.';\n return createDeniedToolResult(reason);\n }\n }\n\n // --- Step 3: Policy evaluation ---\n const decision = options.policyEngine.evaluate(request);\n\n if (decision.effect === 'DENY') {\n const result: ExecutionResult = {\n status: 'DENIED',\n request,\n decision,\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n const reason = options.verboseErrors\n ? 
decision.reason\n : 'Tool execution denied by security policy.';\n return createDeniedToolResult(reason);\n }\n\n // --- Step 4: Issue capability token ---\n let capabilityToken: string | undefined;\n if (options.tokenIssuer) {\n capabilityToken = options.tokenIssuer.issue(\n requestId,\n [Permission.EXECUTE],\n [params.name],\n );\n }\n\n // --- Step 5: Sign request ---\n if (options.serverVerifier && capabilityToken) {\n options.serverVerifier.createSignedRequest(params, capabilityToken);\n }\n\n // --- Step 6: Call upstream ---\n try {\n const startTime = performance.now();\n const toolResult = await upstreamCall(params);\n const durationMs = performance.now() - startTime;\n\n // --- Step 7: Record rate limit usage ---\n if (options.rateLimiter) {\n options.rateLimiter.recordCall(params.name);\n }\n\n // --- Step 8: Log to audit trail ---\n const result: ExecutionResult = {\n status: 'ALLOWED',\n request,\n decision,\n toolResult,\n durationMs,\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n\n return toolResult;\n } catch (error) {\n const result: ExecutionResult = {\n status: 'ERROR',\n request,\n error: error instanceof Error\n ? 
new PolicyDeniedError(params.name, error.message)\n : new PolicyDeniedError(params.name, 'Unknown upstream error'),\n timestamp: new Date().toISOString(),\n };\n options.onDecision?.(result);\n throw error;\n }\n}\n","import type { ExecutionResult } from '@solongate/core';\n\nexport type LogLevel = 'debug' | 'info' | 'warn' | 'error';\n\nconst LOG_LEVEL_ORDER: Record<LogLevel, number> = {\n debug: 0,\n info: 1,\n warn: 2,\n error: 3,\n};\n\n/**\n * Structured security event logger.\n * Outputs JSON-formatted log entries for machine consumption.\n */\nexport class SecurityLogger {\n private readonly minLevel: LogLevel;\n private readonly enabled: boolean;\n\n constructor(options: { level: LogLevel; enabled: boolean }) {\n this.minLevel = options.level;\n this.enabled = options.enabled;\n }\n\n logDecision(result: ExecutionResult): void {\n if (!this.enabled) return;\n\n const entry = {\n type: 'security_decision',\n status: result.status,\n toolName: result.request.toolName,\n permission: result.request.requiredPermission,\n trustLevel: result.request.context.trustLevel,\n requestId: result.request.context.requestId,\n timestamp: result.timestamp,\n ...(result.status === 'ALLOWED' && { durationMs: result.durationMs }),\n ...(result.status === 'DENIED' && { reason: result.decision.reason }),\n ...(result.status === 'ERROR' && { error: result.error.code }),\n };\n\n if (result.status === 'DENIED' || result.status === 'ERROR') {\n this.log('warn', entry);\n } else {\n this.log('info', entry);\n }\n }\n\n private log(level: LogLevel, data: Record<string, unknown>): void {\n if (LOG_LEVEL_ORDER[level] < LOG_LEVEL_ORDER[this.minLevel]) return;\n\n const output = JSON.stringify({ level, ...data });\n switch (level) {\n case 'error':\n console.error(`[SolonGate] ${output}`);\n break;\n case 'warn':\n console.warn(`[SolonGate] ${output}`);\n break;\n case 'debug':\n console.debug(`[SolonGate] ${output}`);\n break;\n default:\n console.info(`[SolonGate] ${output}`);\n }\n 
}\n}\n","import { createHmac, randomUUID } from 'node:crypto';\nimport type {\n CapabilityToken,\n TokenConfig,\n TokenVerificationResult,\n Permission,\n} from '@solongate/core';\nimport {\n DEFAULT_TOKEN_TTL_SECONDS,\n TOKEN_ALGORITHM,\n MIN_SECRET_LENGTH,\n} from '@solongate/core';\n\n/**\n * Issues and verifies capability tokens using HMAC-SHA256.\n *\n * Security properties:\n * - Short-lived TTL (default 30 seconds)\n * - Single-use nonces (replay prevention)\n * - Revocation support\n * - No external JWT library dependency\n */\nexport class TokenIssuer {\n private readonly secret: string;\n private readonly ttlSeconds: number;\n private readonly issuer: string;\n private readonly usedNonces = new Set<string>();\n private readonly revokedTokens = new Set<string>();\n\n constructor(config: TokenConfig) {\n if (config.secret.length < MIN_SECRET_LENGTH) {\n throw new Error(\n `Token secret must be at least ${MIN_SECRET_LENGTH} characters`,\n );\n }\n this.secret = config.secret;\n this.ttlSeconds = config.ttlSeconds || DEFAULT_TOKEN_TTL_SECONDS;\n this.issuer = config.issuer;\n }\n\n /**\n * Issues a signed capability token.\n */\n issue(\n requestId: string,\n permissions: readonly Permission[],\n toolScope: readonly string[],\n serverScope: readonly string[] = ['*'],\n pathScope?: readonly string[],\n ): string {\n const now = Math.floor(Date.now() / 1000);\n const jti = randomUUID();\n\n const payload: CapabilityToken = {\n jti,\n iss: this.issuer,\n sub: requestId,\n iat: now,\n exp: now + this.ttlSeconds,\n permissions: [...permissions],\n toolScope: [...toolScope],\n serverScope: [...serverScope],\n ...(pathScope && { pathScope: [...pathScope] }),\n };\n\n return this.sign(payload);\n }\n\n /**\n * Verifies a capability token and consumes the nonce (single-use).\n */\n verify(token: string): TokenVerificationResult {\n // 1. 
Parse and verify signature\n const parsed = this.parseAndVerify(token);\n if (!parsed.valid || !parsed.payload) {\n return parsed;\n }\n\n const payload = parsed.payload;\n\n // 2. Check expiration\n const now = Math.floor(Date.now() / 1000);\n if (payload.exp <= now) {\n return { valid: false, reason: 'Token expired' };\n }\n\n // 3. Check if revoked\n if (this.revokedTokens.has(payload.jti)) {\n return { valid: false, reason: 'Token has been revoked' };\n }\n\n // 4. Check if already used (single-use)\n if (this.usedNonces.has(payload.jti)) {\n return { valid: false, reason: 'Token already used (replay detected)' };\n }\n\n // 5. Consume nonce\n this.usedNonces.add(payload.jti);\n\n return { valid: true, payload };\n }\n\n /**\n * Revokes a token by its ID.\n */\n revoke(jti: string): void {\n this.revokedTokens.add(jti);\n }\n\n /**\n * Checks if a token ID has been revoked.\n */\n isRevoked(jti: string): boolean {\n return this.revokedTokens.has(jti);\n }\n\n // --- Internal helpers ---\n\n private sign(payload: CapabilityToken): string {\n const header = base64UrlEncode(JSON.stringify({ alg: TOKEN_ALGORITHM, typ: 'JWT' }));\n const body = base64UrlEncode(JSON.stringify(payload));\n const signature = this.computeSignature(`${header}.${body}`);\n return `${header}.${body}.${signature}`;\n }\n\n private parseAndVerify(token: string): TokenVerificationResult {\n const parts = token.split('.');\n if (parts.length !== 3) {\n return { valid: false, reason: 'Invalid token format' };\n }\n\n const [header, body, signature] = parts as [string, string, string];\n const expectedSignature = this.computeSignature(`${header}.${body}`);\n\n if (signature !== expectedSignature) {\n return { valid: false, reason: 'Invalid token signature' };\n }\n\n try {\n const payload = JSON.parse(base64UrlDecode(body)) as CapabilityToken;\n return { valid: true, payload };\n } catch {\n return { valid: false, reason: 'Invalid token payload' };\n }\n }\n\n private computeSignature(data: 
string): string {\n return base64UrlEncode(\n createHmac('sha256', this.secret).update(data).digest('base64'),\n );\n }\n}\n\nfunction base64UrlEncode(str: string): string {\n return Buffer.from(str)\n .toString('base64')\n .replace(/\\+/g, '-')\n .replace(/\\//g, '_')\n .replace(/=+$/, '');\n}\n\nfunction base64UrlDecode(str: string): string {\n const padded = str + '='.repeat((4 - (str.length % 4)) % 4);\n return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString();\n}\n","import { createHmac, randomUUID } from 'node:crypto';\nimport type { McpCallToolParams } from '@solongate/core';\n\n/**\n * A signed MCP request that includes capability token and integrity signature.\n * Requests without valid gateway signature should be rejected by MCP servers.\n */\nexport interface SignedMcpRequest {\n readonly params: McpCallToolParams;\n readonly capabilityToken: string;\n readonly signature: string;\n readonly timestamp: string;\n readonly nonce: string;\n}\n\n/**\n * Result of validating a signed request.\n */\nexport interface SignatureValidationResult {\n readonly valid: boolean;\n readonly reason?: string;\n}\n\n/**\n * Signs and verifies MCP requests to ensure they originate from the gateway.\n *\n * Security properties:\n * - HMAC-SHA256 signature of request params + token\n * - Timestamp to prevent old request replays\n * - Nonce for uniqueness\n * - Configurable max age for timestamp validation\n */\nexport class ServerVerifier {\n private readonly gatewaySecret: string;\n private readonly maxAgeMs: number;\n private readonly usedNonces = new Set<string>();\n\n constructor(config: {\n gatewaySecret: string;\n maxAgeMs?: number;\n }) {\n if (config.gatewaySecret.length < 32) {\n throw new Error('Gateway secret must be at least 32 characters');\n }\n this.gatewaySecret = config.gatewaySecret;\n this.maxAgeMs = config.maxAgeMs ?? 
60_000; // 1 minute default\n }\n\n /**\n * Computes HMAC signature for request data.\n */\n signRequest(params: McpCallToolParams, capabilityToken: string): string {\n const data = JSON.stringify({ params, capabilityToken });\n return createHmac('sha256', this.gatewaySecret)\n .update(data)\n .digest('hex');\n }\n\n /**\n * Verifies the HMAC signature of request data.\n */\n verifySignature(\n params: McpCallToolParams,\n capabilityToken: string,\n signature: string,\n ): boolean {\n const expected = this.signRequest(params, capabilityToken);\n // Constant-time comparison to prevent timing attacks\n if (expected.length !== signature.length) return false;\n let result = 0;\n for (let i = 0; i < expected.length; i++) {\n result |= expected.charCodeAt(i) ^ signature.charCodeAt(i);\n }\n return result === 0;\n }\n\n /**\n * Creates a complete signed request including timestamp and nonce.\n */\n createSignedRequest(\n params: McpCallToolParams,\n capabilityToken: string,\n ): SignedMcpRequest {\n const timestamp = new Date().toISOString();\n const nonce = randomUUID();\n const signature = this.signRequest(params, capabilityToken);\n\n return {\n params,\n capabilityToken,\n signature,\n timestamp,\n nonce,\n };\n }\n\n /**\n * Validates a complete signed request including timestamp, nonce, and signature.\n */\n validateSignedRequest(request: SignedMcpRequest): SignatureValidationResult {\n // 1. Check timestamp freshness\n const requestTime = new Date(request.timestamp).getTime();\n const now = Date.now();\n if (isNaN(requestTime)) {\n return { valid: false, reason: 'Invalid timestamp' };\n }\n if (now - requestTime > this.maxAgeMs) {\n return { valid: false, reason: 'Request too old' };\n }\n if (requestTime > now + 30_000) {\n return { valid: false, reason: 'Request timestamp in the future' };\n }\n\n // 2. Check nonce uniqueness\n if (this.usedNonces.has(request.nonce)) {\n return { valid: false, reason: 'Duplicate nonce (replay detected)' };\n }\n\n // 3. 
Verify signature\n if (!this.verifySignature(request.params, request.capabilityToken, request.signature)) {\n return { valid: false, reason: 'Invalid signature' };\n }\n\n // 4. Mark nonce as used\n this.usedNonces.add(request.nonce);\n\n return { valid: true };\n }\n}\n","import { RATE_LIMIT_WINDOW_MS, RATE_LIMIT_MAX_ENTRIES } from '@solongate/core';\n\n/**\n * Result of a rate limit check.\n */\nexport interface RateLimitResult {\n readonly allowed: boolean;\n readonly remaining: number;\n readonly resetAt: number;\n}\n\n/**\n * Record of a single tool call for rate tracking.\n */\ninterface CallRecord {\n readonly timestamp: number;\n}\n\n/**\n * Sliding window rate limiter for tool calls.\n *\n * Tracks per-tool and global call rates using an in-memory sliding window.\n * Window size defaults to 1 minute.\n */\nexport class RateLimiter {\n private readonly windowMs: number;\n private readonly records = new Map<string, CallRecord[]>();\n private globalRecords: CallRecord[] = [];\n\n constructor(options?: { windowMs?: number }) {\n this.windowMs = options?.windowMs ?? RATE_LIMIT_WINDOW_MS;\n }\n\n /**\n * Checks if a tool call is within the rate limit.\n * Does NOT record the call - use recordCall() after successful execution.\n */\n checkLimit(\n toolName: string,\n limitPerWindow: number,\n ): RateLimitResult {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n\n const records = this.getActiveRecords(toolName, windowStart);\n const count = records.length;\n const allowed = count < limitPerWindow;\n const remaining = Math.max(0, limitPerWindow - count);\n const resetAt = records.length > 0\n ? 
records[0]!.timestamp + this.windowMs\n : now + this.windowMs;\n\n return { allowed, remaining, resetAt };\n }\n\n /**\n * Checks the global rate limit across all tools.\n */\n checkGlobalLimit(limitPerWindow: number): RateLimitResult {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n\n this.globalRecords = this.globalRecords.filter(\n (r) => r.timestamp > windowStart,\n );\n const count = this.globalRecords.length;\n const allowed = count < limitPerWindow;\n const remaining = Math.max(0, limitPerWindow - count);\n const resetAt = this.globalRecords.length > 0\n ? this.globalRecords[0]!.timestamp + this.windowMs\n : now + this.windowMs;\n\n return { allowed, remaining, resetAt };\n }\n\n /**\n * Atomically checks and records a tool call.\n * Prevents TOCTOU race conditions between check and record.\n * Returns the rate limit result; if allowed, the call is already recorded.\n */\n checkAndRecord(\n toolName: string,\n limitPerWindow: number,\n globalLimit?: number,\n ): RateLimitResult {\n // Check per-tool limit\n const result = this.checkLimit(toolName, limitPerWindow);\n if (!result.allowed) {\n return result;\n }\n\n // Check global limit if provided\n if (globalLimit !== undefined) {\n const globalResult = this.checkGlobalLimit(globalLimit);\n if (!globalResult.allowed) {\n return globalResult;\n }\n }\n\n // Atomically record since we've confirmed it's allowed\n this.recordCall(toolName);\n return result;\n }\n\n /**\n * Records a tool call for rate limiting.\n * Call this after successful execution.\n */\n recordCall(toolName: string): void {\n const now = Date.now();\n const record: CallRecord = { timestamp: now };\n\n // Per-tool tracking\n const records = this.records.get(toolName) ?? 
[];\n records.push(record);\n\n // Cleanup old entries to prevent unbounded growth\n if (records.length > RATE_LIMIT_MAX_ENTRIES) {\n const windowStart = now - this.windowMs;\n const cleaned = records.filter((r) => r.timestamp > windowStart);\n this.records.set(toolName, cleaned);\n } else {\n this.records.set(toolName, records);\n }\n\n // Global tracking\n this.globalRecords.push(record);\n if (this.globalRecords.length > RATE_LIMIT_MAX_ENTRIES) {\n const windowStart = now - this.windowMs;\n this.globalRecords = this.globalRecords.filter(\n (r) => r.timestamp > windowStart,\n );\n }\n }\n\n /**\n * Gets usage stats for a tool.\n */\n getUsage(toolName: string): { count: number; windowStart: number } {\n const now = Date.now();\n const windowStart = now - this.windowMs;\n const records = this.getActiveRecords(toolName, windowStart);\n return { count: records.length, windowStart };\n }\n\n /**\n * Resets rate tracking for a specific tool.\n */\n resetTool(toolName: string): void {\n this.records.delete(toolName);\n }\n\n /**\n * Resets all rate tracking.\n */\n resetAll(): void {\n this.records.clear();\n this.globalRecords = [];\n }\n\n private getActiveRecords(\n toolName: string,\n windowStart: number,\n ): CallRecord[] {\n const records = this.records.get(toolName) ?? 
[];\n const active = records.filter((r) => r.timestamp > windowStart);\n\n // Update stored records to remove expired entries\n if (active.length !== records.length) {\n this.records.set(toolName, active);\n }\n\n return active;\n }\n}\n","import type { PolicySet, McpCallToolParams, McpCallToolResult } from '@solongate/core';\nimport { TOKEN_ALGORITHM } from '@solongate/core';\nimport { PolicyEngine, PolicyStore } from '@solongate/policy-engine';\nimport { resolveConfig, type SolonGateConfig } from './config.js';\nimport { interceptToolCall } from './interceptor.js';\nimport { SecurityLogger } from './logger.js';\nimport { TokenIssuer } from './token-issuer.js';\nimport { ServerVerifier } from './server-verifier.js';\nimport { RateLimiter } from './rate-limiter.js';\n\n/**\n * Error thrown when a valid SolonGate license (API key) is missing or invalid.\n */\nexport class LicenseError extends Error {\n constructor(message: string) {\n super(\n `${message}\\n` +\n ' Get your API key at https://solongate.com\\n' +\n \" Usage: new SolonGate({ name: '...', apiKey: 'sg_live_xxx' })\",\n );\n this.name = 'LicenseError';\n }\n}\n\n/**\n * SolonGate - Security Gateway for MCP Tool Servers.\n *\n * Requires a valid API key. 
Get one at https://solongate.com\n *\n * Usage:\n * ```typescript\n * const gate = new SolonGate({ name: 'my-gateway', apiKey: 'sg_live_xxx' });\n *\n * // Intercept a tool call\n * const result = await gate.executeToolCall(\n * { name: 'file.read', arguments: { path: '/etc/passwd' } },\n * async (params) => upstreamMcpServer.callTool(params),\n * );\n * ```\n *\n * Architecture:\n * [LLM] -> [SolonGate.executeToolCall] -> [Security Pipeline] -> [Upstream MCP Server]\n *\n * Pipeline:\n * Rate Limit → Input Guard → Policy Eval → Token Issue → Sign → Call → Audit\n */\nexport class SolonGate {\n private readonly policyEngine: PolicyEngine;\n private readonly config: SolonGateConfig;\n private readonly logger: SecurityLogger;\n private readonly configWarnings: string[];\n private readonly tokenIssuer: TokenIssuer | null;\n private readonly serverVerifier: ServerVerifier | null;\n private readonly rateLimiter: RateLimiter;\n private readonly apiKey: string;\n private licenseValidated = false;\n\n constructor(options: {\n name: string;\n version?: string;\n apiKey?: string;\n config?: Partial<SolonGateConfig>;\n policySet?: PolicySet;\n }) {\n // License gate: require a valid API key\n const apiKey = options.apiKey || process.env.SOLONGATE_API_KEY || '';\n if (!apiKey) {\n throw new LicenseError('A valid SolonGate API key is required.');\n }\n if (!apiKey.startsWith('sg_live_') && !apiKey.startsWith('sg_test_')) {\n throw new LicenseError(\n \"Invalid API key format. Keys must start with 'sg_live_' or 'sg_test_'.\",\n );\n }\n this.apiKey = apiKey;\n\n const { config, warnings } = resolveConfig(options.config);\n this.config = config;\n this.configWarnings = warnings;\n\n this.logger = new SecurityLogger({\n level: config.logLevel,\n enabled: config.enableLogging,\n });\n\n for (const warning of warnings) {\n console.warn(`[SolonGate] WARNING: ${warning}`);\n }\n\n // Initialize PolicyEngine with optional versioned store\n const store = config.enableVersionedPolicies ? 
new PolicyStore() : undefined;\n this.policyEngine = new PolicyEngine({\n policySet: options.policySet ?? config.policySet,\n timeoutMs: config.evaluationTimeoutMs,\n store,\n });\n\n // If no local policySet provided and using a live key, fetch from cloud + start polling\n if (!options.policySet && !config.policySet && apiKey.startsWith('sg_live_')) {\n this.fetchCloudPolicyOnce();\n this.startPolicyPolling();\n }\n\n // Initialize TokenIssuer if secret is provided\n this.tokenIssuer = config.tokenSecret\n ? new TokenIssuer({\n secret: config.tokenSecret,\n ttlSeconds: config.tokenTtlSeconds,\n algorithm: TOKEN_ALGORITHM,\n issuer: config.tokenIssuer ?? options.name,\n })\n : null;\n\n // Initialize ServerVerifier if gateway secret is provided\n this.serverVerifier = config.gatewaySecret\n ? new ServerVerifier({ gatewaySecret: config.gatewaySecret })\n : null;\n\n // Always initialize rate limiter\n this.rateLimiter = new RateLimiter();\n }\n\n /**\n * Validate the API key against the SolonGate cloud API.\n * Called once on first executeToolCall. Throws LicenseError if invalid.\n * Test keys (sg_test_) skip online validation.\n */\n private async validateLicense(): Promise<void> {\n if (this.licenseValidated) return;\n\n // Test keys skip online validation (for unit tests and local dev)\n if (this.apiKey.startsWith('sg_test_')) {\n this.licenseValidated = true;\n return;\n }\n\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n try {\n const res = await fetch(`${apiUrl}/api/v1/auth/me`, {\n headers: {\n 'X-API-Key': this.apiKey,\n 'Authorization': `Bearer ${this.apiKey}`,\n },\n signal: AbortSignal.timeout(10_000),\n });\n\n if (res.status === 401) {\n throw new LicenseError('Invalid or expired API key.');\n }\n if (res.status === 403) {\n throw new LicenseError('Your subscription is inactive. 
Renew at https://solongate.com');\n }\n\n this.licenseValidated = true;\n } catch (err) {\n if (err instanceof LicenseError) throw err;\n throw new LicenseError(\n 'Unable to reach SolonGate license server. Check your internet connection.',\n );\n }\n }\n\n /**\n * Fetch policy from SolonGate Cloud API (fire once, non-blocking).\n */\n private fetchCloudPolicyOnce(): void {\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n fetch(`${apiUrl}/api/v1/policies/default`, {\n headers: { 'Authorization': `Bearer ${this.apiKey}` },\n signal: AbortSignal.timeout(10_000),\n })\n .then(async (res) => {\n if (!res.ok) return;\n const data = (await res.json()) as Record<string, unknown>;\n const policySet: PolicySet = {\n id: String(data.id ?? 'cloud'),\n name: String(data.name ?? 'Cloud Policy'),\n description: String(data.description ?? ''),\n version: Number(data._version ?? 1),\n rules: (data.rules as PolicySet['rules']) ?? [],\n createdAt: String(data._created_at ?? ''),\n updatedAt: '',\n };\n this.policyEngine.loadPolicySet(policySet);\n console.warn(`[SolonGate] Loaded cloud policy: ${policySet.name} (${policySet.rules.length} rules)`);\n })\n .catch(() => {\n // Silently fall back to default-deny if cloud is unreachable\n });\n }\n\n /**\n * Poll for policy updates from dashboard every 60 seconds.\n */\n private startPolicyPolling(): void {\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n let currentVersion = 0;\n\n setInterval(async () => {\n try {\n const res = await fetch(`${apiUrl}/api/v1/policies/default`, {\n headers: { 'Authorization': `Bearer ${this.apiKey}` },\n signal: AbortSignal.timeout(10_000),\n });\n if (!res.ok) return;\n const data = (await res.json()) as Record<string, unknown>;\n const version = Number(data._version ?? 0);\n const rulesCount = Array.isArray(data.rules) ? data.rules.length : 0;\n if (version !== currentVersion && version > 0) {\n const policySet: PolicySet = {\n id: String(data.id ?? 
'cloud'),\n name: String(data.name ?? 'Cloud Policy'),\n description: String(data.description ?? ''),\n version,\n rules: (data.rules as PolicySet['rules']) ?? [],\n createdAt: String(data._created_at ?? ''),\n updatedAt: '',\n };\n this.policyEngine.loadPolicySet(policySet);\n currentVersion = version;\n console.warn(`[SolonGate] Policy updated from dashboard: ${policySet.name} v${version} (${rulesCount} rules)`);\n }\n } catch {\n // Silent\n }\n }, 60_000);\n }\n\n /**\n * Send audit log to SolonGate Cloud API (fire-and-forget).\n */\n private sendAuditLog(entry: {\n tool: string;\n arguments: Record<string, unknown>;\n decision: 'ALLOW' | 'DENY';\n reason: string;\n matchedRule?: string;\n evaluationTimeMs: number;\n }): void {\n if (!this.apiKey.startsWith('sg_live_')) return;\n const apiUrl = this.config.apiUrl ?? 'https://api.solongate.com';\n fetch(`${apiUrl}/api/v1/audit-logs`, {\n method: 'POST',\n headers: {\n 'Authorization': `Bearer ${this.apiKey}`,\n 'Content-Type': 'application/json',\n },\n body: JSON.stringify(entry),\n }).catch(() => {});\n }\n\n /**\n * Intercept and evaluate a tool call against the full security pipeline.\n * If denied at any stage, returns an error result without calling upstream.\n * If allowed, calls upstream and returns the result.\n */\n async executeToolCall(\n params: McpCallToolParams,\n upstreamCall: (params: McpCallToolParams) => Promise<McpCallToolResult>,\n ): Promise<McpCallToolResult> {\n // Validate license on first call\n await this.validateLicense();\n\n const startTime = performance.now();\n return interceptToolCall(params, upstreamCall, {\n policyEngine: this.policyEngine,\n validateSchemas: this.config.validateSchemas,\n verboseErrors: this.config.verboseErrors,\n onDecision: (result) => {\n this.logger.logDecision(result);\n if (result.status === 'ALLOWED' || result.status === 'DENIED') {\n this.sendAuditLog({\n tool: params.name,\n arguments: (params.arguments ?? 
{}) as Record<string, unknown>,\n decision: result.decision.effect === 'ALLOW' ? 'ALLOW' : 'DENY',\n reason: result.decision.reason,\n matchedRule: result.decision.matchedRule?.id,\n evaluationTimeMs: performance.now() - startTime,\n });\n } else if (result.status === 'ERROR') {\n this.sendAuditLog({\n tool: params.name,\n arguments: (params.arguments ?? {}) as Record<string, unknown>,\n decision: 'DENY',\n reason: result.error.message,\n evaluationTimeMs: performance.now() - startTime,\n });\n }\n },\n tokenIssuer: this.tokenIssuer ?? undefined,\n serverVerifier: this.serverVerifier ?? undefined,\n rateLimiter: this.rateLimiter,\n inputGuardConfig: this.config.inputGuardConfig,\n rateLimitPerTool: this.config.rateLimitPerTool,\n globalRateLimitPerMinute: this.config.globalRateLimitPerMinute,\n });\n }\n\n /** Load a new policy set at runtime. */\n loadPolicy(\n policySet: PolicySet,\n options?: { reason?: string; createdBy?: string },\n ) {\n return this.policyEngine.loadPolicySet(policySet, options);\n }\n\n /** Get current security warnings. */\n getWarnings(): readonly string[] {\n return [\n ...this.configWarnings,\n ...this.policyEngine.getSecurityWarnings().map((w) => `[${w.level}] ${w.message}`),\n ];\n }\n\n /** Get the policy engine for direct access. */\n getPolicyEngine(): PolicyEngine {\n return this.policyEngine;\n }\n\n /** Get the rate limiter for direct access. */\n getRateLimiter(): RateLimiter {\n return this.rateLimiter;\n }\n\n /** Get the token issuer (null if not configured). */\n getTokenIssuer(): TokenIssuer | null {\n return this.tokenIssuer;\n }\n}\n","/**\n * SecureMcpServer — Drop-in replacement for McpServer with SolonGate protection.\n *\n * Extends the standard McpServer and automatically wraps every tool handler\n * with SolonGate's security pipeline (rate limiting, input guard, policy eval,\n * audit logging). 
No manual wrapping of individual tool handlers needed.\n *\n * Usage:\n * ```typescript\n * import { SecureMcpServer } from '@solongate/sdk';\n *\n * // Just replace `new McpServer(...)` with `new SecureMcpServer(...)`\n * const server = new SecureMcpServer({\n * name: 'my-server',\n * version: '1.0.0',\n * });\n *\n * // Register tools as normal — they're automatically protected\n * server.tool('file_read', { path: z.string() }, async ({ path }) => {\n * return { content: [{ type: 'text', text: readFileSync(path, 'utf-8') }] };\n * });\n *\n * // API key comes from env: SOLONGATE_API_KEY=sg_live_xxx\n * ```\n */\n\nimport { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';\nimport type { Implementation } from '@modelcontextprotocol/sdk/types.js';\nimport type { PolicySet, McpCallToolResult } from '@solongate/core';\nimport { SolonGate } from './solongate.js';\nimport type { SolonGateConfig } from './config.js';\n\n/**\n * Options for SecureMcpServer that control SolonGate behavior.\n */\nexport interface SecureMcpServerOptions {\n /** SolonGate Cloud API key. Defaults to process.env.SOLONGATE_API_KEY */\n apiKey?: string;\n /** Policy set to enforce. If omitted, uses cloud policy or default. */\n policySet?: PolicySet;\n /** SolonGate configuration overrides. 
*/\n config?: Partial<SolonGateConfig>;\n}\n\nexport class SecureMcpServer extends McpServer {\n private readonly gate: SolonGate;\n\n /**\n * Create a secure MCP server.\n *\n * @param serverInfo - MCP server info (name, version)\n * @param solongateOptions - SolonGate security options\n * @param mcpOptions - Standard McpServer options (capabilities, etc.)\n */\n constructor(\n serverInfo: Implementation,\n solongateOptions?: SecureMcpServerOptions,\n mcpOptions?: ConstructorParameters<typeof McpServer>[1],\n ) {\n super(serverInfo, mcpOptions);\n\n this.gate = new SolonGate({\n name: serverInfo.name,\n version: serverInfo.version,\n apiKey: solongateOptions?.apiKey,\n policySet: solongateOptions?.policySet,\n config: solongateOptions?.config,\n });\n\n const warnings = this.gate.getWarnings();\n for (const w of warnings) {\n console.warn(`[SolonGate] ${w}`);\n }\n }\n\n /**\n * Override tool() to auto-wrap handlers with SolonGate security pipeline.\n *\n * Supports all McpServer.tool() overloads — the handler (always the last\n * argument) is transparently wrapped. Tool name, description, schema, and\n * annotations pass through unchanged.\n */\n override tool(name: string, ...rest: unknown[]): ReturnType<McpServer['tool']> {\n const handler = rest[rest.length - 1];\n if (typeof handler !== 'function') {\n // Not a handler — pass through unchanged\n return (super.tool as Function).call(this, name, ...rest);\n }\n\n const toolName = name;\n const gate = this.gate;\n\n rest[rest.length - 1] = async (...callArgs: unknown[]) => {\n // Extract tool arguments for policy evaluation.\n // Schema-based tools: callArgs = [parsedArgs, extra]\n // Zero-arg tools: callArgs = [extra]\n const toolArgs =\n callArgs.length > 1 &&\n typeof callArgs[0] === 'object' &&\n callArgs[0] !== null\n ? 
(callArgs[0] as Record<string, unknown>)\n : {};\n\n const result = await gate.executeToolCall(\n { name: toolName, arguments: toolArgs },\n async () => (handler as Function)(...callArgs) as Promise<McpCallToolResult>,\n );\n\n // Bridge McpCallToolResult (readonly content) to CallToolResult (mutable content)\n return { ...result, content: [...result.content] };\n };\n\n return (super.tool as Function).call(this, name, ...rest);\n }\n\n /**\n * Override registerTool() to auto-wrap handlers with SolonGate security pipeline.\n *\n * This is the modern (non-deprecated) API for registering tools.\n */\n override registerTool(\n name: string,\n config: Parameters<McpServer['registerTool']>[1],\n cb: unknown,\n ): ReturnType<McpServer['registerTool']> {\n if (typeof cb !== 'function') {\n return (super.registerTool as Function).call(this, name, config, cb);\n }\n\n const toolName = name;\n const gate = this.gate;\n\n const wrappedCb = async (...callArgs: unknown[]) => {\n const toolArgs =\n callArgs.length > 1 &&\n typeof callArgs[0] === 'object' &&\n callArgs[0] !== null\n ? (callArgs[0] as Record<string, unknown>)\n : {};\n\n const result = await gate.executeToolCall(\n { name: toolName, arguments: toolArgs },\n async () => (cb as Function)(...callArgs) as Promise<McpCallToolResult>,\n );\n\n return { ...result, content: [...result.content] };\n };\n\n return (super.registerTool as Function).call(this, name, config, wrappedCb);\n }\n\n /** Get the underlying SolonGate instance for direct access. */\n getSolonGate(): SolonGate {\n return this.gate;\n }\n}\n","/**\n * SolonGate API Client for TypeScript/JavaScript\n *\n * Provides cloud-based security management with API keys.\n *\n * @example\n * ```typescript\n * import { SolonGateAPI } from '@solongate/sdk';\n *\n * const api = new SolonGateAPI({ apiKey: 'sg_live_xxx' });\n *\n * const result = await api.validate('file.read', { path: '/home/user/doc.txt' });\n * if (result.allowed) {\n * console.log('Allowed! 
Token:', result.token);\n * }\n * ```\n */\n\nimport { TrustLevel, PolicyEffect, type PolicySet, type PolicyDecision } from '@solongate/core';\n\n// Constants\nconst DEFAULT_API_URL = 'https://api.solongate.com';\nconst API_VERSION = 'v1';\nconst SDK_VERSION = '0.2.0';\n\n// Types\nexport interface APIConfig {\n apiKey: string;\n apiUrl?: string;\n timeout?: number;\n maxRetries?: number;\n}\n\nexport interface ValidationRequest {\n tool: string;\n arguments: Record<string, unknown>;\n trustLevel?: TrustLevel;\n includeToken?: boolean;\n}\n\nexport interface ValidationResult {\n allowed: boolean;\n tool: string;\n decision?: PolicyDecision;\n token?: string;\n tokenExpiresAt?: number;\n requestId?: string;\n latencyMs?: number;\n}\n\nexport interface TokenResult {\n token: string;\n tool: string;\n scope: string;\n expiresAt: string;\n nonce: string;\n}\n\nexport interface Tool {\n id: string;\n name: string;\n description: string;\n inputSchema?: Record<string, unknown>;\n permissions: string[];\n enabled: boolean;\n createdAt: string;\n updatedAt: string;\n}\n\n// Errors\nexport class APIError extends Error {\n constructor(\n message: string,\n public readonly statusCode?: number,\n public readonly requestId?: string,\n public readonly code: string = 'API_ERROR',\n ) {\n super(message);\n this.name = 'APIError';\n }\n}\n\nexport class AuthenticationError extends APIError {\n constructor(message = 'Invalid API key') {\n super(message, 401, undefined, 'AUTHENTICATION_ERROR');\n this.name = 'AuthenticationError';\n }\n}\n\nexport class RateLimitError extends APIError {\n constructor(\n message: string,\n public readonly retryAfter?: number,\n ) {\n super(message, 429, undefined, 'RATE_LIMIT_ERROR');\n this.name = 'RateLimitError';\n }\n}\n\n// Resource classes\nclass PoliciesResource {\n constructor(private client: SolonGateAPI) {}\n\n async get(policyId = 'default', version?: number): Promise<PolicySet> {\n const params = version ? 
`?version=${version}` : '';\n return this.client.request('GET', `/policies/${policyId}${params}`);\n }\n\n async list(): Promise<{ policies: Array<{ id: string; name: string; version: number }> }> {\n return this.client.request('GET', '/policies');\n }\n\n async create(policy: PolicySet): Promise<PolicySet> {\n return this.client.request('POST', '/policies', policy);\n }\n\n async update(policyId: string, policy: PolicySet): Promise<PolicySet> {\n return this.client.request('PUT', `/policies/${policyId}`, policy);\n }\n}\n\nclass TokensResource {\n constructor(private client: SolonGateAPI) {}\n\n async create(tool: string, scope?: string, ttlSeconds = 30): Promise<TokenResult> {\n const response = await this.client.request<{\n token: string;\n tool: string;\n scope: string;\n expires_at: string;\n nonce: string;\n }>('POST', '/tokens', {\n tool,\n scope: scope || `EXECUTE:${tool}`,\n ttl_seconds: ttlSeconds,\n });\n\n return {\n token: response.token,\n tool: response.tool,\n scope: response.scope,\n expiresAt: response.expires_at,\n nonce: response.nonce,\n };\n }\n\n async verify(token: string): Promise<{ valid: boolean; error?: string; tool?: string; scope?: string }> {\n return this.client.request('POST', '/tokens/verify', { token });\n }\n}\n\nclass ToolsResource {\n constructor(private client: SolonGateAPI) {}\n\n async list(): Promise<{ tools: Tool[] }> {\n return this.client.request('GET', '/tools');\n }\n\n async get(name: string): Promise<Tool> {\n return this.client.request('GET', `/tools/${name}`);\n }\n\n async register(\n name: string,\n description: string,\n inputSchema?: Record<string, unknown>,\n permissions: string[] = ['READ'],\n ): Promise<Tool> {\n return this.client.request('POST', '/tools', {\n name,\n description,\n input_schema: inputSchema,\n permissions,\n });\n }\n\n async update(name: string, data: Partial<Tool>): Promise<Tool> {\n return this.client.request('PUT', `/tools/${name}`, data);\n }\n\n async delete(name: string): Promise<{ 
deleted: boolean }> {\n return this.client.request('DELETE', `/tools/${name}`);\n }\n}\n\n// Main API Client\nexport class SolonGateAPI {\n private readonly apiKey: string;\n private readonly apiUrl: string;\n private readonly timeout: number;\n private readonly maxRetries: number;\n\n public readonly policies: PoliciesResource;\n public readonly tokens: TokensResource;\n public readonly tools: ToolsResource;\n\n constructor(config: APIConfig | string) {\n // Allow passing just the API key as a string\n if (typeof config === 'string') {\n config = { apiKey: config };\n }\n\n // Get API key from config or environment\n this.apiKey = config.apiKey || (typeof process !== 'undefined' ? process.env.SOLONGATE_API_KEY : '') || '';\n\n if (!this.apiKey) {\n throw new AuthenticationError(\n 'API key is required. Provide apiKey in config or set SOLONGATE_API_KEY environment variable.',\n );\n }\n\n // Validate API key format\n if (!this.apiKey.startsWith('sg_live_') && !this.apiKey.startsWith('sg_test_')) {\n throw new AuthenticationError(\n \"Invalid API key format. 
Keys should start with 'sg_live_' or 'sg_test_'\",\n );\n }\n\n this.apiUrl = config.apiUrl || DEFAULT_API_URL;\n this.timeout = config.timeout || 30000;\n this.maxRetries = config.maxRetries || 3;\n\n // Initialize resources\n this.policies = new PoliciesResource(this);\n this.tokens = new TokensResource(this);\n this.tools = new ToolsResource(this);\n }\n\n /**\n * Make an API request.\n * @internal\n */\n async request<T>(method: string, path: string, body?: unknown): Promise<T> {\n const url = `${this.apiUrl}/api/${API_VERSION}${path}`;\n let lastError: Error | undefined;\n\n for (let attempt = 0; attempt < this.maxRetries; attempt++) {\n try {\n const controller = new AbortController();\n const timeoutId = setTimeout(() => controller.abort(), this.timeout);\n\n const response = await fetch(url, {\n method,\n headers: {\n 'X-API-Key': this.apiKey,\n 'Authorization': `Bearer ${this.apiKey}`,\n 'Content-Type': 'application/json',\n 'User-Agent': `solongate-js/${SDK_VERSION}`,\n },\n body: body ? 
JSON.stringify(body) : undefined,\n signal: controller.signal,\n });\n\n clearTimeout(timeoutId);\n\n if (response.status === 429) {\n const retryAfter = parseInt(response.headers.get('Retry-After') || '1');\n await new Promise((resolve) => setTimeout(resolve, retryAfter * 1000));\n continue;\n }\n\n if (response.status === 401) {\n throw new AuthenticationError('Invalid API key');\n }\n\n if (!response.ok) {\n const errorData = (await response.json().catch(() => ({}))) as Record<string, any>;\n throw new APIError(\n errorData.error?.message || 'Unknown error',\n response.status,\n response.headers.get('X-Request-Id') || undefined,\n );\n }\n\n return (await response.json()) as T;\n } catch (error) {\n if (error instanceof APIError || error instanceof AuthenticationError) {\n throw error;\n }\n lastError = error as Error;\n }\n }\n\n throw new APIError(lastError?.message || 'Request failed');\n }\n\n /**\n * Validate a tool call against policies.\n *\n * @example\n * ```typescript\n * const result = await api.validate('file.read', { path: '/home/user/doc.txt' });\n * if (result.allowed) {\n * // Proceed with the tool call\n * }\n * ```\n */\n async validate(\n tool: string,\n args: Record<string, unknown>,\n options: {\n trustLevel?: TrustLevel;\n includeToken?: boolean;\n } = {},\n ): Promise<ValidationResult> {\n const startTime = performance.now();\n\n const response = await this.request<{\n allowed: boolean;\n decision?: {\n effect: string;\n matched_rule?: unknown;\n reason: string;\n evaluated_at: string;\n };\n token?: string;\n token_expires_at?: number;\n request_id?: string;\n }>('POST', '/validate', {\n tool,\n arguments: args,\n trust_level: options.trustLevel || TrustLevel.VERIFIED,\n include_token: options.includeToken !== false,\n });\n\n const latencyMs = performance.now() - startTime;\n\n return {\n allowed: response.allowed,\n tool,\n decision: response.decision\n ? 
{\n effect: response.decision.effect as PolicyEffect,\n matchedRule: response.decision.matched_rule as any,\n reason: response.decision.reason,\n timestamp: response.decision.evaluated_at,\n evaluationTimeMs: 0,\n }\n : undefined,\n token: response.token,\n tokenExpiresAt: response.token_expires_at,\n requestId: response.request_id,\n latencyMs,\n };\n }\n\n /**\n * Check if using live (production) API key.\n */\n isLiveMode(): boolean {\n return this.apiKey.startsWith('sg_live_');\n }\n\n /**\n * Check if using test (development) API key.\n */\n isTestMode(): boolean {\n return this.apiKey.startsWith('sg_test_');\n }\n}\n\n// Default export\nexport default SolonGateAPI;\n"]}
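--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@solongate/sdk",
- "version": "0.1.4",
+ "version": "0.1.5",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",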