@usesigil/kit 0.1.0

package/dist/security-analytics.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Security analytics — posture checklist, alert conditions, audit trail.
+ *
+ * The Security tab renders:
+ * - Binary pass/fail checklist (getSecurityPosture)
+ * - Alert conditions (evaluateAlertConditions) for toasts, email, webhooks
+ *
+ * Why binary pass/fail instead of a score: A vault with FULL_PERMISSIONS on one
+ * agent and perfect everything else would get "90/100" — dangerously misleading.
+ */
+import type { Address } from "@solana/kit";
+import type { ResolvedVaultState, ResolvedVaultStateForOwner } from "./state-resolver.js";
+import type { DecodedSigilEvent } from "./events.js";
+export interface SecurityCheck {
+    id: string;
+    label: string;
+    passed: boolean;
+    severity: "critical" | "warning" | "info";
+    detail: string;
+    remediation: string | null;
+}
+export interface SecurityPosture {
+    checks: SecurityCheck[];
+    passCount: number;
+    failCount: number;
+    criticalFailures: SecurityCheck[];
+}
+export interface Alert {
+    id: string;
+    severity: "info" | "warning" | "critical";
+    title: string;
+    description: string;
+    vaultAddress: Address;
+    agentAddress: Address | null;
+    actionHref: string;
+    actionLabel: string;
+}
+export interface AuditEntry {
+    timestamp: number;
+    txSignature: string;
+    category: "policy_change" | "agent_change" | "emergency" | "escrow" | "constraint_change";
+    action: string;
+    actor: Address;
+    details: Record<string, unknown>;
+    description: string;
+}
+/**
+ * 20-point security posture checklist. Pure function — no RPC.
+ * Checks 1-13: base. 14-17: timelock, fee, constraint alignment, permission concentration.
+ * Checks 18-19: discriminator staleness, allowlist coverage. Check 20: mode-ALL warning.
+ */
+export declare function getSecurityPosture(state: ResolvedVaultState): SecurityPosture;
+/**
+ * Evaluate alert conditions based on current vault state.
+ * Returns active alerts sorted by severity (critical first).
+ */
+export declare function evaluateAlertConditions(state: ResolvedVaultState | ResolvedVaultStateForOwner, vaultAddress: Address, previousState?: ResolvedVaultState | ResolvedVaultStateForOwner): Alert[];
+/**
+ * Filter decoded events into a compliance-focused audit trail.
+ * Shows only security-relevant events (policy, agent, emergency, escrow, constraints).
+ *
+ * Supports optional filtering by category, timestamp, and actor.
+ *
+ * Note on event field availability (verified against events.rs):
+ * - 10 of 22 events have no `timestamp` field — fallback through `executes_at`, `applied_at`, then 0.
+ * - 7+ events have neither `owner` nor `agent` — fallback through `settled_by`, `refunded_by`, `vault`.
+ * - `txSignature` requires enrichment from transaction envelope (DecodedSigilEvent has no such field).
+ */
+export declare function getAuditTrail(events: DecodedSigilEvent[], options?: {
+    /** Filter to specific categories. If omitted, returns all. */
+    categories?: AuditEntry["category"][];
+    /** Filter to events after this Unix timestamp. */
+    since?: number;
+    /** Filter to events by a specific actor address. */
+    actor?: Address;
+}): AuditEntry[];
+export interface AuditTrailSummary {
+    totalEntries: number;
+    byCategory: Record<AuditEntry["category"], number>;
+    latestTimestamp: number;
+    uniqueActors: Address[];
+}
+/** Summarize an audit trail into per-category counts. */
+export declare function getAuditTrailSummary(trail: AuditEntry[]): AuditTrailSummary;
+//# sourceMappingURL=security-analytics.d.ts.map

package/dist/security-analytics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-analytics.d.ts","sourceRoot":"","sources":["../src/security-analytics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAC3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,0BAA0B,EAAE,MAAM,qBAAqB,CAAC;AAC1F,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AASrD,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,SAAS,GAAG,MAAM,CAAC;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;CAC5B;AAED,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,aAAa,EAAE,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,aAAa,EAAE,CAAC;CACnC;AAED,MAAM,WAAW,KAAK;IACpB,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,UAAU,CAAC;IAC1C,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,OAAO,CAAC;IACtB,YAAY,EAAE,OAAO,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,eAAe,GAAG,cAAc,GAAG,WAAW,GAAG,QAAQ,GAAG,mBAAmB,CAAC;IAC1F,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,WAAW,EAAE,MAAM,CAAC;CACrB;AAiBD;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,kBAAkB,GAAG,eAAe,CAuP7E;AAID;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,kBAAkB,GAAG,0BAA0B,EACtD,YAAY,EAAE,OAAO,EACrB,aAAa,CAAC,EAAE,kBAAkB,GAAG,0BAA0B,GAC9D,KAAK,EAAE,CA6JT;AA6BD;;;;;;;;;;GAUG;AACH,wBAAgB,aAAa,CAC3B,MAAM,EAAE,iBAAiB,EAAE,EAC3B,OAAO,CAAC,EAAE;IACR,8DAA8D;IAC9D,UAAU,CAAC,EAAE,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;IACtC,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oDAAoD;IACpD,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,GACA,UAAU,EAAE,CAqCd;AAID,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,CAAC;IACnD,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,OAAO,EAAE,CAAC;CACzB;AAED,yDAAyD;AACzD,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,UAAU,EAAE,GAAG,iBAAiB,CAuB3E"}

package/dist/security-analytics.js

@@ -0,0 +1,510 @@
+/**
+ * Security analytics — posture checklist, alert conditions, audit trail.
+ *
+ * The Security tab renders:
+ * - Binary pass/fail checklist (getSecurityPosture)
+ * - Alert conditions (evaluateAlertConditions) for toasts, email, webhooks
+ *
+ * Why binary pass/fail instead of a score: A vault with FULL_PERMISSIONS on one
+ * agent and perfect everything else would get "90/100" — dangerously misleading.
+ */
+import { VaultStatus } from "./generated/types/vaultStatus.js";
+import { getSpendingVelocity } from "./spending-analytics.js";
+import { describeEvent } from "./event-analytics.js";
+import { formatUsd, formatAddress } from "./formatting.js";
+import { FULL_PERMISSIONS, PROTOCOL_MODE_ALLOWLIST, EPOCH_DURATION, MAX_DEVELOPER_FEE_RATE } from "./types.js";
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+/** Count set bits in a bigint permission bitmask. */
+function countBits(n) {
+    let count = 0;
+    let v = n;
+    while (v > 0n) {
+        count += Number(v & 1n);
+        v >>= 1n;
+    }
+    return count;
+}
+// ─── getSecurityPosture ──────────────────────────────────────────────────────
+/**
+ * 20-point security posture checklist. Pure function — no RPC.
+ * Checks 1-13: base. 14-17: timelock, fee, constraint alignment, permission concentration.
+ * Checks 18-19: discriminator staleness, allowlist coverage. Check 20: mode-ALL warning.
+ */
+export function getSecurityPosture(state) {
+    const { vault, policy, constraints } = state;
+    const checks = [
+        {
+            id: "no-full-perms",
+            label: "No agent has full permissions",
+            passed: !vault.agents.some((a) => a.permissions === FULL_PERMISSIONS),
+            severity: "critical",
+            detail: "An agent with all 21 permission bits can perform any action including transfers.",
+            remediation: vault.agents.some((a) => a.permissions === FULL_PERMISSIONS)
+                ? "Restrict agent permissions to only the actions they need."
+                : null,
+        },
+        {
+            id: "cap-configured",
+            label: "Daily spending cap is configured",
+            passed: policy.dailySpendingCapUsd > 0n,
+            severity: "critical",
+            detail: "Without a cap, agents can spend unlimited amounts in 24 hours.",
+            remediation: policy.dailySpendingCapUsd === 0n
+                ? "Set a daily spending cap. Start with your expected daily volume + 20% buffer."
+                : null,
+        },
+        {
+            id: "fee-destination-valid",
+            label: "Fee destination is not system program",
+            passed: vault.feeDestination !== "11111111111111111111111111111111",
+            severity: "critical",
+            detail: "Fees sent to the system program address are effectively burned.",
+            remediation: "Fee destination is immutable after vault creation. If incorrect, close and recreate the vault.",
+        },
+        {
+            id: "agent-limits",
+            label: "All agents have spending limits",
+            passed: vault.agents.length === 0 || vault.agents.every((a) => a.spendingLimitUsd > 0n),
+            severity: "warning",
+            detail: "Per-agent limits prevent any single agent from consuming the entire vault cap.",
+            remediation: vault.agents.some((a) => a.spendingLimitUsd === 0n)
+                ? "Set per-agent spending limits."
+                : null,
+        },
+        {
+            id: "protocol-allowlist",
+            label: "Protocol mode is allowlist",
+            passed: policy.protocolMode === PROTOCOL_MODE_ALLOWLIST,
+            severity: "warning",
+            detail: "Allowlist mode restricts agents to approved protocols only.",
+            remediation: policy.protocolMode !== PROTOCOL_MODE_ALLOWLIST
+                ? "Switch to Allowlist mode and add only the protocols your agents need."
+                : null,
+        },
+        {
+            id: "timelock-enabled",
+            label: "Policy changes require waiting period",
+            passed: policy.timelockDuration > 0n,
+            severity: "warning",
+            detail: "A timelock prevents instant policy changes. Gives time to respond if owner key is compromised.",
+            remediation: policy.timelockDuration === 0n
+                ? "Enable timelock (recommended: 1-24 hours)."
+                : null,
+        },
+        {
+            id: "slippage-reasonable",
+            label: "Max slippage below 10%",
+            passed: policy.maxSlippageBps < 1000,
+            severity: "warning",
+            detail: "High slippage tolerance allows agents to accept unfavorable trade prices.",
+            remediation: policy.maxSlippageBps >= 1000
+                ? `Current max slippage is ${policy.maxSlippageBps / 100}%. Reduce to 1-3% for most strategies.`
+                : null,
+        },
+        {
+            id: "agent-limits-sum",
+            label: "Agent limits don't exceed vault cap",
+            passed: (() => {
+                if (vault.agents.length === 0)
+                    return true;
+                const sumLimits = vault.agents.reduce((s, a) => s + a.spendingLimitUsd, 0n);
+                const allHaveLimits = vault.agents.every((a) => a.spendingLimitUsd > 0n);
+                return !allHaveLimits || sumLimits <= policy.dailySpendingCapUsd;
+            })(),
+            severity: "warning",
+            detail: "If per-agent limits sum to more than the vault cap, agents may assume they have more budget than exists.",
+            remediation: "Reduce per-agent limits so their sum is at or below the vault daily cap.",
+        },
+        {
+            id: "constraints-configured",
+            label: "Instruction constraints are set",
+            passed: constraints !== null,
+            severity: "info",
+            detail: "Instruction constraints add byte-level validation on DeFi instructions.",
+            remediation: constraints === null
+                ? "Consider adding instruction constraints for high-value vaults."
+                : null,
+        },
+        {
+            id: "has-agents",
+            label: "At least one agent is registered",
+            passed: vault.agents.length > 0,
+            severity: "info",
+            detail: "A vault without agents cannot execute any DeFi operations.",
+            remediation: vault.agents.length === 0 ? "Register an agent to start using this vault." : null,
+        },
+        {
+            id: "not-all-paused",
+            label: "At least one agent is active",
+            passed: vault.agents.length === 0 || vault.agents.some((a) => !a.paused),
+            severity: "info",
+            detail: "If all agents are paused, no DeFi operations can be executed.",
+            remediation: vault.agents.length > 0 && vault.agents.every((a) => a.paused)
+                ? "Unpause at least one agent to resume operations."
+                : null,
+        },
+        {
+            id: "vault-has-balance",
+            label: "Vault has non-zero token balance",
+            passed: state.stablecoinBalances.usdc > 0n || state.stablecoinBalances.usdt > 0n,
+            severity: "info",
+            detail: "A vault with zero balance cannot execute any DeFi operations.",
+            remediation: "Deposit funds to the vault to enable agent trading.",
+        },
+        {
+            id: "recent-activity",
+            label: "Vault has recent activity (within 7 days)",
+            passed: (() => {
+                if (!state.tracker)
+                    return true;
+                const epochDuration = BigInt(EPOCH_DURATION);
+                const lastEpochTimestamp = state.tracker.lastWriteEpoch * epochDuration;
+                const sevenDaysAgo = state.resolvedAtTimestamp - 604800n;
+                return lastEpochTimestamp > sevenDaysAgo || state.tracker.lastWriteEpoch === 0n;
+            })(),
+            severity: "info",
+            detail: "A vault with no recent activity may indicate a broken or stopped agent.",
+            remediation: "Check agent health and ensure it's connected and running.",
+        },
+        // ---- Step 8: 4 new checks (14-17) ----
+        {
+            id: "timelock-meaningful",
+            label: "Timelock is at least 1 hour",
+            passed: policy.timelockDuration === 0n || policy.timelockDuration >= 3600n,
+            severity: "warning",
+            detail: "A timelock under 1 hour may not provide enough reaction time if the owner key is compromised. " +
+                "A zero timelock (disabled) is caught by the 'timelock-enabled' check above.",
+            remediation: policy.timelockDuration > 0n && policy.timelockDuration < 3600n
+                ? `Current timelock is ${Number(policy.timelockDuration)}s. Increase to at least 3600s (1 hour).`
+                : null,
+        },
+        {
+            id: "fee-rate-reasonable",
+            label: "Developer fee rate is at or below maximum",
+            passed: (policy.developerFeeRate ?? 0) <= MAX_DEVELOPER_FEE_RATE,
+            severity: "info",
+            detail: "Developer fee rate must be at or below 500 (5 BPS = 0.05%). " +
+                "A zero rate is valid (no developer revenue). A rate at the maximum is valid but should be intentional.",
+            remediation: (policy.developerFeeRate ?? 0) > MAX_DEVELOPER_FEE_RATE
+                ? `Fee rate ${policy.developerFeeRate} exceeds maximum ${MAX_DEVELOPER_FEE_RATE}. This should not be possible on-chain.`
+                : (policy.developerFeeRate ?? 0) === MAX_DEVELOPER_FEE_RATE
+                    ? "Developer fee rate is at the maximum (5 BPS). Verify this is intentional."
+                    : null,
+        },
+        {
+            id: "constraints-protocol-aligned",
+            label: "Constraint programs are in allowlist",
+            passed: (() => {
+                if (!constraints || !constraints.entries || policy.protocolMode !== PROTOCOL_MODE_ALLOWLIST)
+                    return true;
+                if (!policy.protocols)
+                    return true;
+                const allowedSet = new Set(policy.protocols.map(String));
+                for (const entry of constraints.entries) {
+                    if (entry.programId && !allowedSet.has(String(entry.programId)))
+                        return false;
+                }
+                return true;
+            })(),
+            severity: "warning",
+            detail: "Instruction constraints reference program addresses not in the protocol allowlist. " +
+                "These constraints will never trigger because the protocol is already blocked.",
+            remediation: "Update the allowlist to include constrained programs, or remove stale constraints.",
+        },
+        {
+            id: "no-permission-concentration",
+            label: "No agent has more than 15 permissions",
+            passed: !vault.agents.some((a) => countBits(a.permissions) > 15),
+            severity: "warning",
+            detail: "An agent with more than 15 of 21 permission bits is effectively unrestricted. " +
+                "Use least-privilege — grant only the actions the agent's strategy requires.",
+            remediation: "Review agent permissions and restrict to only necessary action types.",
+        },
+        // ---- Step 18: 2 more checks (18-19) — council security findings ----
+        {
+            id: "constraints-current",
+            label: "Constraint discriminators are current",
+            passed: !constraints || !constraints.entries || constraints.entries.length === 0 || (() => {
+                // Verify constraint entries reference known program discriminators.
+                // Stale constraints silently stop matching after protocol upgrades.
+                for (const entry of constraints.entries) {
+                    if (entry.dataConstraints && entry.dataConstraints.length === 0 &&
+                        entry.accountConstraints && entry.accountConstraints.length === 0) {
+                        return false; // Empty entry = likely stale or misconfigured
+                    }
+                }
+                return true;
+            })(),
+            severity: "warning",
+            detail: "Stale or empty constraint entries may not match current protocol instruction formats. " +
+                "Review constraints when protocols upgrade.",
+            remediation: "Review and update InstructionConstraints entries. Remove empty entries.",
+        },
+        {
+            id: "constraints-cover-allowlist",
+            label: "All allowlisted protocols have constraint entries",
+            passed: !constraints || !constraints.entries || policy.protocolMode !== PROTOCOL_MODE_ALLOWLIST ||
+                !policy.protocols ||
+                policy.protocols.every((p) => constraints.entries.some((e) => String(e.programId) === String(p))),
+            severity: "info",
+            detail: "Protocols on the allowlist without constraint entries rely solely on spending caps for protection.",
+            remediation: "Add InstructionConstraints entries for all allowlisted protocols.",
+        },
+        // ---- Step 20: 1 more check (20) — council security finding ----
+        {
+            id: "mode-all-unguarded",
+            label: "Protocol mode ALL has constraint protection",
+            passed: policy.protocolMode !== 0 /* PROTOCOL_MODE_ALL */ ||
+                (constraints !== null && constraints.strictMode === true),
+            severity: "critical",
+            detail: "Protocol mode ALL allows agents to call any program. Without strict-mode constraints, " +
+                "agents have unrestricted program access beyond spending caps and SPL transfer blocking.",
+            remediation: "Switch to Allowlist mode, or enable InstructionConstraints with strict_mode=true.",
+        },
+    ];
+    const passCount = checks.filter((c) => c.passed).length;
+    const failCount = checks.filter((c) => !c.passed).length;
+    const criticalFailures = checks.filter((c) => c.severity === "critical" && !c.passed);
+    return { checks, passCount, failCount, criticalFailures };
+}
+// ─── evaluateAlertConditions ─────────────────────────────────────────────────
+/**
+ * Evaluate alert conditions based on current vault state.
+ * Returns active alerts sorted by severity (critical first).
+ */
+export function evaluateAlertConditions(state, vaultAddress, previousState) {
+    const alerts = [];
+    const { vault, globalBudget } = state;
+    // VaultStatus is a numeric enum (Active=0, Frozen=1, Closed=2)
+    const statusNum = vault.status;
+    const status = statusNum === VaultStatus.Active
+        ? "Active"
+        : statusNum === VaultStatus.Frozen
+            ? "Frozen"
+            : "Closed";
+    // Cap approaching
+    if (globalBudget.cap > 0n) {
+        const util = Number((globalBudget.spent24h * 100n) / globalBudget.cap);
+        if (util >= 95) {
+            alerts.push({
+                id: `cap-critical-${vaultAddress}`,
+                severity: "critical",
+                title: "Daily budget nearly exhausted",
+                description: `${util}% of daily budget used — ${formatUsd(globalBudget.remaining, 2)} remaining.`,
+                vaultAddress,
+                agentAddress: null,
+                actionHref: `/dashboard/vault/${vaultAddress}?tab=policy`,
+                actionLabel: "Adjust budget",
+            });
+        }
+        else if (util >= 80) {
+            alerts.push({
+                id: `cap-warning-${vaultAddress}`,
+                severity: "warning",
+                title: `Daily budget ${util}% used`,
+                description: `${formatUsd(globalBudget.remaining, 2)} remaining of ${formatUsd(globalBudget.cap, 2)} daily budget.`,
+                vaultAddress,
+                agentAddress: null,
+                actionHref: `/dashboard/vault/${vaultAddress}?tab=spending`,
+                actionLabel: "Review spending",
+            });
+        }
+    }
+    // Vault frozen
+    if (status === "Frozen") {
+        alerts.push({
+            id: `frozen-${vaultAddress}`,
+            severity: "critical",
+            title: "Vault is paused",
+            description: "All agent activity is stopped. Reactivate when ready.",
+            vaultAddress,
+            agentAddress: null,
+            actionHref: `/dashboard/vault/${vaultAddress}?tab=security`,
+            actionLabel: "Review security",
+        });
+    }
+    // Agent paused
+    for (const agent of vault.agents) {
+        if (agent.paused) {
+            alerts.push({
+                id: `agent-paused-${agent.pubkey}`,
+                severity: "info",
+                title: `Agent ${formatAddress(agent.pubkey)} is paused`,
+                description: "This agent cannot execute any actions until resumed.",
+                vaultAddress,
+                agentAddress: agent.pubkey,
+                actionHref: `/dashboard/vault/${vaultAddress}?tab=agents`,
+                actionLabel: "Manage agents",
+            });
+        }
+    }
+    // Per-agent cap approaching
+    for (const [agentAddr, budget] of state.allAgentBudgets) {
+        if (budget.cap > 0n) {
+            const util = Number((budget.spent24h * 100n) / budget.cap);
+            if (util >= 80) {
+                alerts.push({
+                    id: `agent-cap-${agentAddr}`,
+                    severity: util >= 95 ? "critical" : "warning",
+                    title: `Agent ${formatAddress(agentAddr)} at ${util}% of spending limit`,
+                    description: `${formatUsd(budget.remaining, 2)} remaining of ${formatUsd(budget.cap, 2)} daily limit.`,
+                    vaultAddress,
+                    agentAddress: agentAddr,
+                    actionHref: `/dashboard/vault/${vaultAddress}/agent/${agentAddr}`,
+                    actionLabel: "View agent",
+                });
+            }
+        }
+    }
+    // No agents
+    if (vault.agents.length === 0 && status === "Active") {
+        alerts.push({
+            id: `no-agents-${vaultAddress}`,
+            severity: "warning",
+            title: "No agents registered",
+            description: "This vault has no agents and cannot execute any DeFi operations.",
+            vaultAddress,
+            agentAddress: null,
+            actionHref: `/dashboard/vault/${vaultAddress}?tab=agents`,
+            actionLabel: "Register agent",
+        });
+    }
+    // All agents paused
+    if (vault.agents.length > 0 && vault.agents.every((a) => a.paused)) {
+        alerts.push({
+            id: `all-paused-${vaultAddress}`,
+            severity: "warning",
+            title: "All agents are paused",
+            description: "No agent can execute actions. Unpause at least one to resume operations.",
+            vaultAddress,
+            agentAddress: null,
+            actionHref: `/dashboard/vault/${vaultAddress}?tab=agents`,
+            actionLabel: "Manage agents",
+        });
+    }
+    // High velocity + drain detection — delegate to spending-analytics for rate math
+    if (state.tracker && globalBudget.cap > 0n) {
+        const velocity = getSpendingVelocity(state.tracker, state.resolvedAtTimestamp, globalBudget);
+        // High velocity alert: current rate > 2x average (stricter than spending-analytics 1.5x)
+        if (velocity.averageRate > 0n && velocity.currentRate > velocity.averageRate * 2n) {
+            const multiplier = Number(velocity.currentRate / velocity.averageRate);
+            alerts.push({
+                id: `high-velocity-${vaultAddress}`,
+                severity: "warning",
+                title: "Unusual spending velocity detected",
+                description: `Current spend rate is ${multiplier}x the 24h average.`,
+                vaultAddress,
+                agentAddress: null,
+                actionHref: `/dashboard/vault/${vaultAddress}?tab=spending`,
+                actionLabel: "Review spending",
+            });
+        }
+        // Drain detection: current hourly rate > 50% of daily cap
+        if (velocity.currentRate > 0n && velocity.currentRate > globalBudget.cap / 2n) {
+            alerts.push({
+                id: `drain-detected-${vaultAddress}`,
+                severity: "critical",
+                title: "Potential drain detected",
+                description: "Spending rate would consume over 50% of daily budget in one hour. Consider freezing the vault.",
+                vaultAddress,
+                agentAddress: null,
+                actionHref: `/dashboard/vault/${vaultAddress}?tab=security`,
+                actionLabel: "Freeze vault",
+            });
+        }
+    }
+    // Sort: critical first
+    const severityOrder = { critical: 0, warning: 1, info: 2 };
+    alerts.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+    return alerts;
+}
+// ─── getAuditTrail ───────────────────────────────────────────────────────────
+const AUDIT_EVENTS = {
+    PolicyUpdated: "policy_change",
+    PolicyChangeQueued: "policy_change",
+    PolicyChangeApplied: "policy_change",
+    PolicyChangeCancelled: "policy_change",
+    AgentRegistered: "agent_change",
+    AgentRevoked: "agent_change",
+    AgentPermissionsUpdated: "agent_change",
+    AgentPausedEvent: "emergency",
+    AgentUnpausedEvent: "agent_change",
+    VaultFrozen: "emergency",
+    VaultReactivated: "emergency",
+    VaultClosed: "emergency",
+    VaultCreated: "emergency",
+    EscrowCreated: "escrow",
+    EscrowSettled: "escrow",
+    EscrowRefunded: "escrow",
+    InstructionConstraintsCreated: "constraint_change",
+    InstructionConstraintsUpdated: "constraint_change",
+    InstructionConstraintsClosed: "constraint_change",
+    ConstraintsChangeQueued: "constraint_change",
+    ConstraintsChangeApplied: "constraint_change",
+    ConstraintsChangeCancelled: "constraint_change",
+};
+/**
+ * Filter decoded events into a compliance-focused audit trail.
+ * Shows only security-relevant events (policy, agent, emergency, escrow, constraints).
+ *
+ * Supports optional filtering by category, timestamp, and actor.
+ *
+ * Note on event field availability (verified against events.rs):
+ * - 10 of 22 events have no `timestamp` field — fallback through `executes_at`, `applied_at`, then 0.
+ * - 7+ events have neither `owner` nor `agent` — fallback through `settled_by`, `refunded_by`, `vault`.
+ * - `txSignature` requires enrichment from transaction envelope (DecodedSigilEvent has no such field).
+ */
+export function getAuditTrail(events, options) {
+    const trail = [];
+    for (const e of events) {
+        const category = AUDIT_EVENTS[e.name];
+        if (!category)
+            continue;
+        if (options?.categories && !options.categories.includes(category))
+            continue;
+        const f = e.fields ?? {};
+        // Timestamp fallback: timestamp → executes_at → applied_at → 0
+        const timestamp = Number(f.timestamp ?? f.executes_at ?? f.applied_at ?? 0n);
+        if (options?.since && timestamp > 0 && timestamp < options.since)
+            continue;
+        // Actor fallback: owner → agent → settled_by → refunded_by → vault → "unknown"
+        const actor = (f.owner ?? f.agent ?? f.settled_by ?? f.refunded_by ?? f.vault ?? "unknown");
+        if (options?.actor && actor !== options.actor)
+            continue;
+        trail.push({
+            timestamp,
+            txSignature: e.txSignature ?? "",
+            category,
+            action: e.name,
+            actor,
+            details: f,
+            description: describeEvent(e),
+        });
+    }
+    return trail;
+}
+/** Summarize an audit trail into per-category counts. */
+export function getAuditTrailSummary(trail) {
+    const byCategory = {
+        policy_change: 0,
+        agent_change: 0,
+        emergency: 0,
+        escrow: 0,
+        constraint_change: 0,
+    };
+    const actors = new Set();
+    let latest = 0;
+    for (const entry of trail) {
+        byCategory[entry.category]++;
+        actors.add(entry.actor);
+        if (entry.timestamp > latest)
+            latest = entry.timestamp;
+    }
+    return {
+        totalEntries: trail.length,
+        byCategory: byCategory,
+        latestTimestamp: latest,
+        uniqueActors: Array.from(actors),
+    };
+}
+//# sourceMappingURL=security-analytics.js.map

package/dist/security-analytics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security-analytics.js","sourceRoot":"","sources":["../src/security-analytics.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,EAAE,WAAW,EAAE,MAAM,kCAAkC,CAAC;AAC/D,OAAO,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAC;AAC9D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,gBAAgB,EAAE,uBAAuB,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAyC/G,gFAAgF;AAEhF,qDAAqD;AACrD,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,EAAE,EAAE,CAAC;QACd,KAAK,IAAI,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;QACxB,CAAC,KAAK,EAAE,CAAC;IACX,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,gFAAgF;AAEhF;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAyB;IAC1D,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,EAAE,GAAG,KAAK,CAAC;IAE7C,MAAM,MAAM,GAAoB;QAC9B;YACE,EAAE,EAAE,eAAe;YACnB,KAAK,EAAE,+BAA+B;YACtC,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,gBAAgB,CAAC;YACrE,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,kFAAkF;YAC1F,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,gBAAgB,CAAC;gBACvE,CAAC,CAAC,2DAA2D;gBAC7D,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,gBAAgB;YACpB,KAAK,EAAE,kCAAkC;YACzC,MAAM,EAAE,MAAM,CAAC,mBAAmB,GAAG,EAAE;YACvC,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,gEAAgE;YACxE,WAAW,EAAE,MAAM,CAAC,mBAAmB,KAAK,EAAE;gBAC5C,CAAC,CAAC,+EAA+E;gBACjF,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,uBAAuB;YAC3B,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,KAAK,CAAC,cAAc,KAAM,kCAA8C;YAChF,QAAQ,EAAE,UAAU;YACpB,MAAM,EAAE,iEAAiE;YACzE,WAAW,EAAE,gGAAgG;SAC9G;QACD;YACE,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,iCAAiC;YACxC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,GAAG,EAAE,CAAC;YACvF,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,gFAAgF;YACxF,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,KAAK,EAAE,CAAC;gBAC9D,CAAC,CAAC,gCAAgC;gBAClC,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,oBAAoB;YACxB,KAAK,EAAE,4BAA4B;YACnC,MAAM,EAAE,MAAM,CAAC,YAAY,KAAK,uBAAuB;YACvD,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,6DAA6D;YACrE,WAAW,EAAE,MAAM,CAAC,YAAY,KAAK,uBAAuB;gBAC1D,CAAC,CAAC,uEAAuE;gBACzE,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,MAAM,CAAC,gBAAgB,GAAG,EAAE;YACpC,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,gGAAgG;YACxG,WAAW,EAAE,MAAM,CAAC,gBAAgB,KAAK,EAAE;gBACzC,CAAC,CAAC,4CAA4C;gBAC9C,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,wBAAwB;YAC/B,MAAM,EAAE,MAAM,CAAC,cAAc,GAAG,IAAI;YACpC,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,2EAA2E;YACnF,WAAW,EAAE,MAAM,CAAC,cAAc,IAAI,IAAI;gBACxC,CAAC,CAAC,2BAA2B,MAAM,CAAC,cAAc,GAAG,GAAG,wCAAwC;gBAChG,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,kBAAkB;YACtB,KAAK,EAAE,qCAAqC;YAC5C,MAAM,EAAE,CAAC,GAAG,EAAE;gBACZ,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO,IAAI,CAAC;gBAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,gBAAgB,EAAE,EAAE,CAAC,CAAC;gBAC5E,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,gBAAgB,GAAG,EAAE,CAAC,CAAC;gBACzE,OAAO,CAAC,aAAa,IAAI,SAAS,IAAI,MAAM,CAAC,mBAAmB,CAAC;YACnE,CAAC,CAAC,EAAE;YACJ,QAAQ,EAAE,SAAS;YACnB,MAAM,EAAE,0GAA0G;YAClH,WAAW,EAAE,0EAA0E;SACxF;QACD;YACE,EAAE,EAAE,wBAAwB;YAC5B,KAAK,EAAE,iCAAiC;YACxC,MAAM,EAAE,WAAW,KAAK,IAAI;YAC5B,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,yEAAyE;YACjF,WAAW,EAAE,WAAW,KAAK,IAAI;gBAC/B,CAAC,CAAC,gEAAgE;gBAClE,CAAC,CAAC,IAAI;SACT;QACD;YACE,EAAE,EAAE,YAAY;YAChB,KAAK,EAAE,kCAAkC;YACzC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;YAC/B,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,4DAA4D;YACpE,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,8CAA8C,CAAC,CAAC,CAAC,IAAI;SAC/F;QACD;YACE,EAAE,EAAE,gBAAgB;YACpB,KAAK,EAAE,8BAA8B;YACrC,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YACxE,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,+DAA+D;YACvE,WAAW,EACT,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;gBAC5D,CAAC,CAAC,kDAAkD;gBACpD,CAAC,CAAC,IAAI;SACX;QACD;YACE,EAAE,EAAE,mBAAmB;YACvB,KAAK,EAAE,kCAAkC;YACzC,MAAM,EAAE,KAAK,CAAC,kBAAkB,CAAC,IAAI,GAAG,EAAE,IAAI,KAAK,CAAC,kBAAkB,CAAC,IAAI,GAAG,EAAE;YAChF,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,+DAA+D;YACvE,WAAW,EAAE,qDAAqD;SACnE;QACD;YACE,EAAE,EAAE,iBAAiB;YACrB,KAAK,EAAE,2CAA2C;YAClD,MAAM,EAAE,CAAC,GAAG,EAAE;gBACZ,IAAI,CAAC,KAAK,CAAC,OAAO;oBAAE,OAAO,IAAI,CAAC;gBAChC,MAAM,aAAa,GAAG,MAAM,CAAC,cAAc,CAAC,CAAC;gBAC7C,MAAM,kBAAkB,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,GAAG,aAAa,CAAC;gBACxE,MAAM,YAAY,GAAG,KAAK,CAAC,mBAAmB,GAAG,OAAO,CAAC;gBACzD,OAAO,kBAAkB,GAAG,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,cAAc,KAAK,EAAE,CAAC;YAClF,CAAC,CAAC,EAAE;YACJ,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,yEAAyE;YACjF,WAAW,EAAE,2DAA2D;SACzE;QACD,yCAAyC;QACzC;YACE,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,6BAA6B;YACpC,MAAM,EAAE,MAAM,CAAC,gBAAgB,KAAK,EAAE,IAAI,MAAM,CAAC,gBAAgB,IAAI,KAAK;YAC1E,QAAQ,EAAE,SAAS;YACnB,MAAM,EACJ,gGAAgG;gBAChG,6EAA6E;YAC/E,WAAW,EACT,MAAM,CAAC,gBAAgB,GAAG,EAAE,IAAI,MAAM,CAAC,gBAAgB,GAAG,KAAK;gBAC7D,CAAC,CAAC,uBAAuB,MAAM,CAAC,MAAM,CAAC,gBAAgB,CAAC,yCAAyC;gBACjG,CAAC,CAAC,IAAI;SACX;QACD;YACE,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,2CAA2C;YAClD,MAAM,EAAE,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,CAAC,IAAI,sBAAsB;YAChE,QAAQ,EAAE,MAAM;YAChB,MAAM,EACJ,8DAA8D;gBAC9D,wGAAwG;YAC1G,WAAW,EACT,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,CAAC,GAAG,sBAAsB;gBACrD,CAAC,CAAC,YAAY,MAAM,CAAC,gBAAgB,oBAAoB,sBAAsB,yCAAyC;gBACxH,CAAC,CAAC,CAAC,MAAM,CAAC,gBAAgB,IAAI,CAAC,CAAC,KAAK,sBAAsB;oBACzD,CAAC,CAAC,2EAA2E;oBAC7E,CAAC,CAAC,IAAI;SACb;QACD;YACE,EAAE,EAAE,8BAA8B;YAClC,KAAK,EAAE,sCAAsC;YAC7C,MAAM,EAAE,CAAC,GAAG,EAAE;gBACZ,IAAI,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,MAAM,CAAC,YAAY,KAAK,uBAAuB;oBAAE,OAAO,IAAI,CAAC;gBACzG,IAAI,CAAC,MAAM,CAAC,SAAS;oBAAE,OAAO,IAAI,CAAC;gBACnC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC;gBACzD,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;oBACxC,IAAI,KAAK,CAAC,SAAS,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;wBAAE,OAAO,KAAK,CAAC;gBAChF,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,EAAE;YACJ,QAAQ,EAAE,SAAS;YACnB,MAAM,EACJ,qFAAqF;gBACrF,+EAA+E;YACjF,WAAW,EAAE,oFAAoF;SAClG;QACD;YACE,EAAE,EAAE,6BAA6B;YACjC,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAA0B,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC,GAAG,EAAE,CAAC;YACzF,QAAQ,EAAE,SAAS;YACnB,MAAM,EACJ,gFAAgF;gBAChF,6EAA6E;YAC/E,WAAW,EAAE,uEAAuE;SACrF;QACD,uEAAuE;QACvE;YACE,EAAE,EAAE,qBAAqB;YACzB,KAAK,EAAE,uCAAuC;YAC9C,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE;gBACxF,oEAAoE;gBACpE,oEAAoE;gBACpE,KAAK,MAAM,KAAK,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;oBACxC,IAAI,KAAK,CAAC,eAAe,IAAI,KAAK,CAAC,eAAe,CAAC,MAAM,KAAK,CAAC;wBAC3D,KAAK,CAAC,kBAAkB,IAAI,KAAK,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;wBACtE,OAAO,KAAK,CAAC,CAAC,8CAA8C;oBAC9D,CAAC;gBACH,CAAC;gBACD,OAAO,IAAI,CAAC;YACd,CAAC,CAAC,EAAE;YACJ,QAAQ,EAAE,SAAS;YACnB,MAAM,EACJ,wFAAwF;gBACxF,4CAA4C;YAC9C,WAAW,EAAE,yEAAyE;SACvF;QACD;YACE,EAAE,EAAE,6BAA6B;YACjC,KAAK,EAAE,mDAAmD;YAC1D,MAAM,EAAE,CAAC,WAAW,IAAI,CAAC,WAAW,CAAC,OAAO,IAAI,MAAM,CAAC,YAAY,KAAK,uBAAuB;gBAC7F,CAAC,MAAM,CAAC,SAAS;gBACjB,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAU,EAAE,EAAE,CACpC,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAyB,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAC3F;YACH,QAAQ,EAAE,MAAM;YAChB,MAAM,EACJ,oGAAoG;YACtG,WAAW,EAAE,mEAAmE;SACjF;QACD,kEAAkE;QAClE;YACE,EAAE,EAAE,oBAAoB;YACxB,KAAK,EAAE,6CAA6C;YACpD,MAAM,EAAE,MAAM,CAAC,YAAY,KAAK,CAAC,CAAC,uBAAuB;gBACvD,CAAC,WAAW,KAAK,IAAI,IAAI,WAAW,CAAC,UAAU,KAAK,IAAI,CAAC;YAC3D,QAAQ,EAAE,UAAU;YACpB,MAAM,EACJ,wFAAwF;gBACxF,yFAAyF;YAC3F,WAAW,EACT,mFAAmF;SACtF;KACF,CAAC;IAEF,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACxD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IACzD,MAAM,gBAAgB,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;IAEtF,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,gBAAgB,EAAE,CAAC;AAC5D,CAAC;AAED,gFAAgF;AAEhF;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAsD,EACtD,YAAqB,EACrB,aAA+D;IAE/D,MAAM,MAAM,GAAY,EAAE,CAAC;IAC3B,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;IACtC,+DAA+D;IAC/D,MAAM,SAAS,GAAG,KAAK,CAAC,MAAgB,CAAC;IACzC,MAAM,MAAM,GACV,SAAS,KAAK,WAAW,CAAC,MAAM;QAC9B,CAAC,CAAC,QAAQ;QACV,CAAC,CAAC,SAAS,KAAK,WAAW,CAAC,MAAM;YAChC,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,QAAQ,CAAC;IAEjB,kBAAkB;IAClB,IAAI,YAAY,CAAC,GAAG,GAAG,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,YAAY,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAEvE,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;YACf,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,gBAAgB,YAAY,EAAE;gBAClC,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,+BAA+B;gBACtC,WAAW,EAAE,GAAG,IAAI,4BAA4B,SAAS,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC,aAAa;gBACjG,YAAY;gBACZ,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,oBAAoB,YAAY,aAAa;gBACzD,WAAW,EAAE,eAAe;aAC7B,CAAC,CAAC;QACL,CAAC;aAAM,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,eAAe,YAAY,EAAE;gBACjC,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,gBAAgB,IAAI,QAAQ;gBACnC,WAAW,EAAE,GAAG,SAAS,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC,CAAC,iBAAiB,SAAS,CAAC,YAAY,CAAC,GAAG,EAAE,CAAC,CAAC,gBAAgB;gBACnH,YAAY;gBACZ,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,oBAAoB,YAAY,eAAe;gBAC3D,WAAW,EAAE,iBAAiB;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,eAAe;IACf,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACxB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,UAAU,YAAY,EAAE;YAC5B,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,iBAAiB;YACxB,WAAW,EAAE,uDAAuD;YACpE,YAAY;YACZ,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,oBAAoB,YAAY,eAAe;YAC3D,WAAW,EAAE,iBAAiB;SAC/B,CAAC,CAAC;IACL,CAAC;IAED,eAAe;IACf,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjC,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,gBAAgB,KAAK,CAAC,MAAM,EAAE;gBAClC,QAAQ,EAAE,MAAM;gBAChB,KAAK,EAAE,SAAS,aAAa,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY;gBACvD,WAAW,EAAE,sDAAsD;gBACnE,YAAY;gBACZ,YAAY,EAAE,KAAK,CAAC,MAAM;gBAC1B,UAAU,EAAE,oBAAoB,YAAY,aAAa;gBACzD,WAAW,EAAE,eAAe;aAC7B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,KAAK,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,IAAI,KAAK,CAAC,eAAe,EAAE,CAAC;QACxD,IAAI,MAAM,CAAC,GAAG,GAAG,EAAE,EAAE,CAAC;YACpB,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,MAAM,CAAC,QAAQ,GAAG,IAAI,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;YAC3D,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,CAAC;oBACV,EAAE,EAAE,aAAa,SAAS,EAAE;oBAC5B,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;oBAC7C,KAAK,EAAE,SAAS,aAAa,CAAC,SAAS,CAAC,OAAO,IAAI,qBAAqB;oBACxE,WAAW,EAAE,GAAG,SAAS,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,iBAAiB,SAAS,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,eAAe;oBACtG,YAAY;oBACZ,YAAY,EAAE,SAAS;oBACvB,UAAU,EAAE,oBAAoB,YAAY,UAAU,SAAS,EAAE;oBACjE,WAAW,EAAE,YAAY;iBAC1B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,YAAY;IACZ,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,aAAa,YAAY,EAAE;YAC/B,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,sBAAsB;YAC7B,WAAW,EAAE,kEAAkE;YAC/E,YAAY;YACZ,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,oBAAoB,YAAY,aAAa;YACzD,WAAW,EAAE,gBAAgB;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,oBAAoB;IACpB,IAAI,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC;QACnE,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,cAAc,YAAY,EAAE;YAChC,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EAAE,0EAA0E;YACvF,YAAY;YACZ,YAAY,EAAE,IAAI;YAClB,UAAU,EAAE,oBAAoB,YAAY,aAAa;YACzD,WAAW,EAAE,eAAe;SAC7B,CAAC,CAAC;IACL,CAAC;IAED,iFAAiF;IACjF,IAAI,KAAK,CAAC,OAAO,IAAI,YAAY,CAAC,GAAG,GAAG,EAAE,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAG,mBAAmB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,mBAAmB,EAAE,YAAY,CAAC,CAAC;QAE7F,yFAAyF;QACzF,IAAI,QAAQ,CAAC,WAAW,GAAG,EAAE,IAAI,QAAQ,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,GAAG,EAAE,EAAE,CAAC;YAClF,MAAM,UAAU,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC;YACvE,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,iBAAiB,YAAY,EAAE;gBACnC,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,oCAAoC;gBAC3C,WAAW,EAAE,yBAAyB,UAAU,oBAAoB;gBACpE,YAAY;gBACZ,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,oBAAoB,YAAY,eAAe;gBAC3D,WAAW,EAAE,iBAAiB;aAC/B,CAAC,CAAC;QACL,CAAC;QAED,0DAA0D;QAC1D,IAAI,QAAQ,CAAC,WAAW,GAAG,EAAE,IAAI,QAAQ,CAAC,WAAW,GAAG,YAAY,CAAC,GAAG,GAAG,EAAE,EAAE,CAAC;YAC9E,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,kBAAkB,YAAY,EAAE;gBACpC,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,gGAAgG;gBAC7G,YAAY;gBACZ,YAAY,EAAE,IAAI;gBAClB,UAAU,EAAE,oBAAoB,YAAY,eAAe;gBAC3D,WAAW,EAAE,cAAc;aAC5B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,uBAAuB;IACvB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE7E,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,gFAAgF;AAEhF,MAAM,YAAY,GAA2C;IAC3D,aAAa,EAAE,eAAe;IAC9B,kBAAkB,EAAE,eAAe;IACnC,mBAAmB,EAAE,eAAe;IACpC,qBAAqB,EAAE,eAAe;IACtC,eAAe,EAAE,cAAc;IAC/B,YAAY,EAAE,cAAc;IAC5B,uBAAuB,EAAE,cAAc;IACvC,gBAAgB,EAAE,WAAW;IAC7B,kBAAkB,EAAE,cAAc;IAClC,WAAW,EAAE,WAAW;IACxB,gBAAgB,EAAE,WAAW;IAC7B,WAAW,EAAE,WAAW;IACxB,YAAY,EAAE,WAAW;IACzB,aAAa,EAAE,QAAQ;IACvB,aAAa,EAAE,QAAQ;IACvB,cAAc,EAAE,QAAQ;IACxB,6BAA6B,EAAE,mBAAmB;IAClD,6BAA6B,EAAE,mBAAmB;IAClD,4BAA4B,EAAE,mBAAmB;IACjD,uBAAuB,EAAE,mBAAmB;IAC5C,wBAAwB,EAAE,mBAAmB;IAC7C,0BAA0B,EAAE,mBAAmB;CAChD,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAC3B,MAA2B,EAC3B,OAOC;IAED,MAAM,KAAK,GAAiB,EAAE,CAAC;IAE/B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,IAAI,OAAO,EAAE,UAAU,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE5E,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,IAAI,EAAE,CAAC;QAEzB,+DAA+D;QAC/D,MAAM,SAAS,GAAG,MAAM,CACrB,CAAC,CAAC,SAAoB,IAAK,CAAC,CAAC,WAAsB,IAAK,CAAC,CAAC,UAAqB,IAAI,EAAE,CACvF,CAAC;QAEF,IAAI,OAAO,EAAE,KAAK,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,GAAG,OAAO,CAAC,KAAK;YAAE,SAAS;QAE3E,+EAA+E;QAC/E,MAAM,KAAK,GACT,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,KAAK,IAAI,SAAS,CAClE,CAAC;QAEb,IAAI,OAAO,EAAE,KAAK,IAAI,KAAK,KAAK,OAAO,CAAC,KAAK;YAAE,SAAS;QAExD,KAAK,CAAC,IAAI,CAAC;YACT,SAAS;YACT,WAAW,EAAG,CAA8B,CAAC,WAAW,IAAI,EAAE;YAC9D,QAAQ;YACR,MAAM,EAAE,CAAC,CAAC,IAAI;YACd,KAAK;YACL,OAAO,EAAE,CAAC;YACV,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAWD,yDAAyD;AACzD,MAAM,UAAU,oBAAoB,CAAC,KAAmB;IACtD,MAAM,UAAU,GAA2B;QACzC,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,CAAC;QACZ,MAAM,EAAE,CAAC;QACT,iBAAiB,EAAE,CAAC;KACrB,CAAC;IACF,MAAM,MAAM,GAAG,IAAI,GAAG,EAAU,CAAC;IACjC,IAAI,MAAM,GAAG,CAAC,CAAC;IAEf,KAAK,MAAM,KAAK,IAAI,KAAK,EAAE,CAAC;QAC1B,UAAU,CAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACxB,IAAI,KAAK,CAAC,SAAS,GAAG,MAAM;YAAE,MAAM,GAAG,KAAK,CAAC,SAAS,CAAC;IACzD,CAAC;IAED,OAAO;QACL,YAAY,EAAE,KAAK,CAAC,MAAM;QAC1B,UAAU,EAAE,UAAoD;QAChE,eAAe,EAAE,MAAM;QACvB,YAAY,EAAE,KAAK,CAAC,IAAI,CAAC,MAAM,CAAc;KAC9C,CAAC;AACJ,CAAC"}