@vinkius-core/mcp-fusion 2.7.0 → 2.8.1

package/dist/introspection/EntitlementScanner.js

@@ -0,0 +1,459 @@
+/**
+ * Entitlement detection patterns.
+ *
+ * Conservative: may over-report (false positives in comments/strings)
+ * but never under-report. This is intentional — security analysis
+ * should err on the side of caution.
+ */
+const PATTERNS = [
+    // ── Filesystem ──
+    { category: 'filesystem', identifier: 'fs', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?fs(?:\/promises)?['"]/g },
+    { category: 'filesystem', identifier: 'fs.*', regex: /\bfs\.\w+(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'readFile', regex: /\breadFile(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'writeFile', regex: /\bwriteFile(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'appendFile', regex: /\bappendFile(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'unlink', regex: /\bunlink(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'rmdir', regex: /\brmdir(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'mkdir', regex: /\bmkdir(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'rename', regex: /\brename(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'copyFile', regex: /\bcopyFile(?:Sync)?\s*\(/g },
+    { category: 'filesystem', identifier: 'createReadStream', regex: /\bcreateReadStream\s*\(/g },
+    { category: 'filesystem', identifier: 'createWriteStream', regex: /\bcreateWriteStream\s*\(/g },
+    // ── Network ──
+    { category: 'network', identifier: 'fetch', regex: /\bfetch\s*\(/g },
+    { category: 'network', identifier: 'http', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?https?['"]/g },
+    { category: 'network', identifier: 'axios', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])axios['"]/g },
+    { category: 'network', identifier: 'got', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])got['"]/g },
+    { category: 'network', identifier: 'node-fetch', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])node-fetch['"]/g },
+    { category: 'network', identifier: 'XMLHttpRequest', regex: /\bnew\s+XMLHttpRequest\s*\(/g },
+    { category: 'network', identifier: 'WebSocket', regex: /\bnew\s+WebSocket\s*\(/g },
+    { category: 'network', identifier: 'net', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?net['"]/g },
+    { category: 'network', identifier: 'dgram', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?dgram['"]/g },
+    { category: 'network', identifier: 'undici', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])undici['"]/g },
+    // ── Subprocess ──
+    { category: 'subprocess', identifier: 'child_process', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?child_process['"]/g },
+    { category: 'subprocess', identifier: 'exec', regex: /\bexec(?:Sync|File|FileSync)?\s*\(/g },
+    { category: 'subprocess', identifier: 'spawn', regex: /\bspawn(?:Sync)?\s*\(/g },
+    { category: 'subprocess', identifier: 'fork', regex: /\bfork\s*\(/g },
+    { category: 'subprocess', identifier: 'worker_threads', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?worker_threads['"]/g },
+    { category: 'subprocess', identifier: 'cluster', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?cluster['"]/g },
+    { category: 'subprocess', identifier: 'Deno.run', regex: /\bDeno\.run\s*\(/g },
+    { category: 'subprocess', identifier: 'Bun.spawn', regex: /\bBun\.spawn\s*\(/g },
+    // ── Crypto ──
+    { category: 'crypto', identifier: 'crypto', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?crypto['"]/g },
+    { category: 'crypto', identifier: 'createSign', regex: /\bcreateSign\s*\(/g },
+    { category: 'crypto', identifier: 'createVerify', regex: /\bcreateVerify\s*\(/g },
+    { category: 'crypto', identifier: 'createCipher', regex: /\bcreateCipher(?:iv)?\s*\(/g },
+    { category: 'crypto', identifier: 'createDecipher', regex: /\bcreateDecipher(?:iv)?\s*\(/g },
+    { category: 'crypto', identifier: 'privateEncrypt', regex: /\bprivateEncrypt\s*\(/g },
+    { category: 'crypto', identifier: 'privateDecrypt', regex: /\bprivateDecrypt\s*\(/g },
+    // ── Code Evaluation ──
+    { category: 'codeEvaluation', identifier: 'eval', regex: /\beval\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'eval-indirect', regex: /\(\s*0\s*,\s*eval\s*\)\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'Function', regex: /\bnew\s+Function\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'vm', regex: /(?:require\s*\(\s*['"]|import\s*\(\s*['"]|from\s+['"])(?:node:)?vm['"]/g },
+    { category: 'codeEvaluation', identifier: 'vm.runInNewContext', regex: /\brunInNewContext\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'vm.runInThisContext', regex: /\brunInThisContext\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'vm.compileFunction', regex: /\bcompileFunction\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'vm.Script', regex: /\bnew\s+vm\.Script\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'globalThis.eval', regex: /\bglobalThis\s*\.\s*eval\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'Reflect.construct-Function', regex: /\bReflect\.construct\s*\(\s*Function/g },
+    { category: 'codeEvaluation', identifier: 'process.binding', regex: /\bprocess\.binding\s*\(/g },
+    { category: 'codeEvaluation', identifier: 'process.dlopen', regex: /\bprocess\.dlopen\s*\(/g },
+];
+/**
+ * Evasion detection heuristics.
+ *
+ * These patterns detect techniques commonly used to bypass
+ * regex-based static analysis. Unlike entitlement patterns,
+ * these flag the *mechanism* of evasion rather than a specific
+ * I/O capability.
+ *
+ * A malicious actor who knows the entitlement patterns can
+ * use `String.fromCharCode(114,101,113,117,105,114,101)` to
+ * build "require" at runtime. These heuristics catch that.
+ */
+const EVASION_HEURISTICS = [
+    // ── String construction ──
+    {
+        type: 'string-construction',
+        confidence: 'high',
+        regex: /\bString\.fromCharCode\s*\(/g,
+        description: 'String.fromCharCode() can build API names at runtime to evade static detection',
+    },
+    {
+        type: 'string-construction',
+        confidence: 'medium',
+        regex: /\bString\.raw\s*`/g,
+        description: 'String.raw template can encode obfuscated identifiers',
+    },
+    {
+        type: 'string-construction',
+        confidence: 'low',
+        regex: /\batob\s*\(/g,
+        description: 'atob() decodes base64 — can hide module names or code',
+    },
+    {
+        type: 'string-construction',
+        confidence: 'low',
+        regex: /\bBuffer\.from\s*\([^)]*['"]base64['"]\s*\)/g,
+        description: 'Buffer.from(…, "base64") can decode hidden payloads',
+    },
+    // ── Indirect access ──
+    {
+        type: 'indirect-access',
+        confidence: 'high',
+        regex: /(?:globalThis|global|window|self)\s*\[\s*[^\]]*(?:\+|\()/g,
+        description: 'Computed property access on global object with dynamic expression',
+    },
+    {
+        type: 'indirect-access',
+        confidence: 'medium',
+        regex: /(?:globalThis|global|window|self)\s*\[\s*['"]/g,
+        description: 'Bracket-notation access on global object — bypasses dot-notation detection',
+    },
+    {
+        type: 'indirect-access',
+        confidence: 'high',
+        regex: /\bprocess\s*\[\s*['"]/g,
+        description: 'Bracket-notation access on process object — potential binding/dlopen bypass',
+    },
+    // ── Computed import/require ──
+    {
+        type: 'computed-import',
+        confidence: 'high',
+        regex: /\brequire\s*\(\s*(?!['"])\S/g,
+        description: 'Dynamic require() with non-literal argument — module name computed at runtime',
+    },
+    {
+        type: 'computed-import',
+        confidence: 'high',
+        regex: /\bimport\s*\(\s*(?!['"])\S/g,
+        description: 'Dynamic import() with non-literal argument — module name computed at runtime',
+    },
+];
+/** Minimum string length to consider for entropy analysis */
+const ENTROPY_MIN_LENGTH = 64;
+/** Shannon entropy threshold — values above this suggest obfuscation */
+const ENTROPY_THRESHOLD = 5.0;
+/** Minimum ratio of hex/unicode escapes to total characters to flag */
+const ENCODING_DENSITY_THRESHOLD = 0.15;
+// ============================================================================
+// Scanner
+// ============================================================================
+/**
+ * Scan source text for entitlement patterns.
+ *
+ * @param source - The source code text to scan
+ * @param fileName - File name for reporting (optional)
+ * @returns All entitlement matches found
+ */
+export function scanSource(source, fileName) {
+    const matches = [];
+    const lines = source.split('\n');
+    const lineOffsets = buildLineOffsets(source);
+    for (const pattern of PATTERNS) {
+        // Reset regex state (global flag)
+        const regex = new RegExp(pattern.regex.source, pattern.regex.flags);
+        let match;
+        while ((match = regex.exec(source)) !== null) {
+            const lineNumber = resolveLineNumber(lineOffsets, match.index);
+            const contextLine = lines[lineNumber - 1]?.trim() ?? '';
+            matches.push({
+                category: pattern.category,
+                identifier: pattern.identifier,
+                pattern: pattern.regex.source,
+                context: contextLine,
+                line: lineNumber,
+            });
+        }
+    }
+    return matches;
+}
+/**
+ * Scan source for evasion indicators.
+ *
+ * This is a secondary analysis pass that detects patterns
+ * commonly associated with intentional static-analysis bypass.
+ * Unlike `scanSource`, which identifies specific I/O capabilities,
+ * this function flags *evasion techniques* regardless of what
+ * they ultimately execute.
+ *
+ * @param source - Source code text
+ * @returns Detected evasion indicators
+ */
+export function scanEvasionIndicators(source) {
+    const indicators = [];
+    const lines = source.split('\n');
+    const lineOffsets = buildLineOffsets(source);
+    // ── Pattern-based heuristics ──
+    for (const heuristic of EVASION_HEURISTICS) {
+        const regex = new RegExp(heuristic.regex.source, heuristic.regex.flags);
+        let match;
+        while ((match = regex.exec(source)) !== null) {
+            const lineNumber = resolveLineNumber(lineOffsets, match.index);
+            const contextLine = lines[lineNumber - 1]?.trim() ?? '';
+            indicators.push({
+                type: heuristic.type,
+                confidence: heuristic.confidence,
+                description: heuristic.description,
+                context: contextLine,
+                line: lineNumber,
+            });
+        }
+    }
+    // ── Encoding density analysis ──
+    const hexEscapes = (source.match(/\\x[0-9a-fA-F]{2}/g) ?? []).length;
+    const unicodeEscapes = (source.match(/\\u(?:[0-9a-fA-F]{4}|\{[0-9a-fA-F]+\})/g) ?? []).length;
+    const totalEscapes = hexEscapes + unicodeEscapes;
+    const density = source.length > 0 ? totalEscapes / source.length : 0;
+    if (density > ENCODING_DENSITY_THRESHOLD) {
+        indicators.push({
+            type: 'encoding-density',
+            confidence: 'high',
+            description: `High density of hex/unicode escapes (${(density * 100).toFixed(1)}%) — likely obfuscated code`,
+            context: `${totalEscapes} escape sequences in ${source.length} characters`,
+            line: 1,
+        });
+    }
+    // ── Entropy analysis on string literals ──
+    const stringLiteralRegex = /(?:'([^'\\]|\\.){40,}'|"([^"\\]|\\.){40,}"|`([^`\\]|\\.){40,}`)/g;
+    let strMatch;
+    while ((strMatch = stringLiteralRegex.exec(source)) !== null) {
+        const literal = strMatch[0].slice(1, -1);
+        if (literal.length >= ENTROPY_MIN_LENGTH) {
+            const entropy = computeEntropy(literal);
+            if (entropy > ENTROPY_THRESHOLD) {
+                const lineNumber = resolveLineNumber(lineOffsets, strMatch.index);
+                indicators.push({
+                    type: 'entropy-anomaly',
+                    confidence: 'medium',
+                    description: `High-entropy string literal (Shannon entropy: ${entropy.toFixed(2)}) — possible encoded payload`,
+                    context: literal.slice(0, 60) + (literal.length > 60 ? '…' : ''),
+                    line: lineNumber,
+                });
+            }
+        }
+    }
+    return indicators;
+}
+/**
+ * Build `HandlerEntitlements` from detected matches.
+ *
+ * @param matches - Detected entitlement matches
+ * @returns Aggregated entitlements
+ */
+export function buildEntitlements(matches) {
+    const categories = new Set(matches.map(m => m.category));
+    const raw = [...new Set(matches.map(m => m.identifier))].sort();
+    return {
+        filesystem: categories.has('filesystem'),
+        network: categories.has('network'),
+        subprocess: categories.has('subprocess'),
+        crypto: categories.has('crypto'),
+        codeEvaluation: categories.has('codeEvaluation'),
+        raw,
+    };
+}
+/** Filesystem identifiers that imply write operations */
+const WRITE_OPS = /write|append|unlink|rmdir|mkdir|rename|copy|createWriteStream/i;
+/** All entitlement categories for iteration */
+const ALL_CATEGORIES = ['filesystem', 'network', 'subprocess', 'crypto', 'codeEvaluation'];
+/** @internal */
+const VIOLATION_RULES = [
+    // readOnly + filesystem writes → error
+    {
+        predicate: (cats, claims, allowed, matches) => !!claims.readOnly
+            && cats.has('filesystem')
+            && !allowed.has('filesystem')
+            && matches.some(m => m.category === 'filesystem' && WRITE_OPS.test(m.identifier)),
+        produce: (_cats, _claims, matches) => {
+            const writeOps = matches.filter(m => m.category === 'filesystem' && WRITE_OPS.test(m.identifier));
+            const ids = writeOps.map(m => m.identifier).join(', ');
+            return {
+                category: 'filesystem',
+                declared: 'readOnly: true',
+                detected: `Filesystem write operations: ${ids}`,
+                severity: 'error',
+                description: `Tool declares readOnly but handler uses filesystem write APIs: ${ids}`,
+            };
+        },
+    },
+    // readOnly + subprocess → error
+    {
+        predicate: (cats, claims, allowed) => !!claims.readOnly && cats.has('subprocess') && !allowed.has('subprocess'),
+        produce: () => ({
+            category: 'subprocess',
+            declared: 'readOnly: true',
+            detected: 'Subprocess APIs detected',
+            severity: 'error',
+            description: 'Tool declares readOnly but handler uses subprocess APIs',
+        }),
+    },
+    // non-destructive + subprocess → warning
+    {
+        predicate: (cats, claims, allowed) => !claims.destructive && cats.has('subprocess') && !allowed.has('subprocess'),
+        produce: () => ({
+            category: 'subprocess',
+            declared: 'destructive: false',
+            detected: 'Subprocess APIs detected',
+            severity: 'warning',
+            description: 'Tool is not marked destructive but handler uses subprocess APIs — consider marking as destructive',
+        }),
+    },
+    // readOnly + network → warning
+    {
+        predicate: (cats, claims, allowed) => !!claims.readOnly && cats.has('network') && !allowed.has('network'),
+        produce: () => ({
+            category: 'network',
+            declared: 'readOnly: true',
+            detected: 'Network APIs detected',
+            severity: 'warning',
+            description: 'Tool declares readOnly but handler makes network calls — side effects possible',
+        }),
+    },
+    // codeEvaluation → always error (eval/Function can execute anything)
+    {
+        predicate: (cats, _claims, allowed) => cats.has('codeEvaluation') && !allowed.has('codeEvaluation'),
+        produce: (_cats, _claims, matches) => {
+            const evalOps = matches.filter(m => m.category === 'codeEvaluation');
+            const ids = [...new Set(evalOps.map(m => m.identifier))].join(', ');
+            return {
+                category: 'codeEvaluation',
+                declared: 'no code evaluation expected',
+                detected: `Code evaluation APIs: ${ids}`,
+                severity: 'error',
+                description: `Handler uses dynamic code evaluation (${ids}) — blast radius is unbounded; eval'd code can perform any I/O`,
+            };
+        },
+    },
+    // readOnly + codeEvaluation → error (even if allowed, flag readOnly conflict)
+    {
+        predicate: (cats, claims, allowed) => !!claims.readOnly && cats.has('codeEvaluation') && allowed.has('codeEvaluation'),
+        produce: () => ({
+            category: 'codeEvaluation',
+            declared: 'readOnly: true',
+            detected: 'Code evaluation APIs detected',
+            severity: 'error',
+            description: 'Tool declares readOnly but uses code evaluation — eval can perform writes',
+        }),
+    },
+];
+/**
+ * Validate detected entitlements against declared claims.
+ *
+ * Uses a rule table instead of imperative branching.
+ * Each rule encodes a policy check as pure data.
+ *
+ * @param matches - Detected matches
+ * @param claims - Declared claims from action metadata
+ * @returns Violations found
+ */
+export function validateClaims(matches, claims) {
+    const categories = new Set(matches.map(m => m.category));
+    const allowed = new Set(claims.allowed ?? []);
+    return VIOLATION_RULES
+        .filter(rule => rule.predicate(categories, claims, allowed, matches))
+        .map(rule => rule.produce(categories, claims, matches));
+}
+/**
+ * Perform a complete entitlement scan and validation.
+ *
+ * @param source - Handler source code
+ * @param claims - Declared claims for validation
+ * @param fileName - Optional file name for reporting
+ * @returns Complete entitlement report
+ */
+export function scanAndValidate(source, claims = {}, fileName) {
+    const matches = scanSource(source, fileName);
+    const entitlements = buildEntitlements(matches);
+    const violations = validateClaims(matches, claims);
+    const evasionIndicators = scanEvasionIndicators(source);
+    const hasHighConfidenceEvasion = evasionIndicators.some(e => e.confidence === 'high');
+    const safe = violations.every(v => v.severity !== 'error') && !hasHighConfidenceEvasion;
+    const summary = buildSummary(entitlements, violations, evasionIndicators, safe);
+    return {
+        entitlements,
+        matches,
+        violations,
+        evasionIndicators,
+        safe,
+        summary,
+    };
+}
+// ============================================================================
+// Internals
+// ============================================================================
+/**
+ * Precompute line start offsets for O(log n) line-number resolution.
+ * @internal
+ */
+function buildLineOffsets(source) {
+    const offsets = [0]; // Line 1 starts at offset 0
+    for (let i = 0; i < source.length; i++) {
+        if (source[i] === '\n')
+            offsets.push(i + 1);
+    }
+    return offsets;
+}
+/**
+ * Binary search for the line number at a given character offset.
+ * O(log n) per lookup vs O(n) for naive iteration.
+ * @internal
+ */
+function resolveLineNumber(offsets, offset) {
+    let lo = 0;
+    let hi = offsets.length - 1;
+    while (lo < hi) {
+        const mid = (lo + hi + 1) >>> 1;
+        if (offsets[mid] <= offset)
+            lo = mid;
+        else
+            hi = mid - 1;
+    }
+    return lo + 1; // 1-based
+}
+/**
+ * Compute Shannon entropy of a string.
+ * High entropy (> 4.5) in code regions suggests obfuscation.
+ * @internal
+ */
+function computeEntropy(str) {
+    if (str.length === 0)
+        return 0;
+    const freq = new Map();
+    for (const ch of str) {
+        freq.set(ch, (freq.get(ch) ?? 0) + 1);
+    }
+    let entropy = 0;
+    for (const count of freq.values()) {
+        const p = count / str.length;
+        entropy -= p * Math.log2(p);
+    }
+    return entropy;
+}
+/**
+ * Build a human-readable summary.
+ * @internal
+ */
+function buildSummary(entitlements, violations, evasionIndicators, safe) {
+    const active = ALL_CATEGORIES.filter(c => entitlements[c]);
+    const highEvasion = evasionIndicators.filter(e => e.confidence === 'high');
+    if (active.length === 0 && evasionIndicators.length === 0) {
+        return 'No I/O entitlements detected — handler is sandboxed.';
+    }
+    const parts = [];
+    if (active.length > 0) {
+        parts.push(`Entitlements: [${active.join(', ')}]`);
+    }
+    const errorCount = violations.filter(v => v.severity === 'error').length;
+    if (violations.length > 0) {
+        parts.push(`${violations.length} violation(s) (${errorCount} errors)`);
+    }
+    if (evasionIndicators.length > 0) {
+        parts.push(`${evasionIndicators.length} evasion indicator(s) (${highEvasion.length} high-confidence)`);
+    }
+    parts.push(safe ? 'SAFE' : 'UNSAFE');
+    return parts.join(' | ');
+}
+//# sourceMappingURL=EntitlementScanner.js.map

package/dist/introspection/EntitlementScanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"EntitlementScanner.js","sourceRoot":"","sources":["../../src/introspection/EntitlementScanner.ts"],"names":[],"mappings":"AA2JA;;;;;;GAMG;AACH,MAAM,QAAQ,GAAkC;IAC5C,mBAAmB;IACnB,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,wFAAwF,EAAE;IAC7I,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACjF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,2BAA2B,EAAE;IACtF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,4BAA4B,EAAE;IACxF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,6BAA6B,EAAE;IAC1F,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAChF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAChF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,2BAA2B,EAAE;IACtF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,kBAAkB,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC7F,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,mBAAmB,EAAE,KAAK,EAAE,2BAA2B,EAAE;IAE/F,gBAAgB;IAChB,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,eAAe,EAAE;IACpE,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,6EAA6E,EAAE;IACjI,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,kEAAkE,EAAE;IACvH,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,gEAAgE,EAAE;IACnH,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,uEAAuE,EAAE;IACjI,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAC5F,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClF,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,KAAK,EAAE,0EAA0E,EAAE;IAC7H,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,4EAA4E,EAAE;IACjI,EAAE,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,mEAAmE,EAAE;IAEzH,mBAAmB;IACnB,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,oFAAoF,EAAE;IACpJ,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,qCAAqC,EAAE;IAC5F,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAChF,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE;IACrE,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,qFAAqF,EAAE;IACtJ,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,SAAS,EAAE,KAAK,EAAE,8EAA8E,EAAE;IACxI,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,mBAAmB,EAAE;IAC9E,EAAE,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAEhF,eAAe;IACf,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,KAAK,EAAE,6EAA6E,EAAE;IAClI,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,YAAY,EAAE,KAAK,EAAE,oBAAoB,EAAE;IAC7E,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,sBAAsB,EAAE;IACjF,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,KAAK,EAAE,6BAA6B,EAAE;IACxF,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,+BAA+B,EAAE;IAC5F,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACrF,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,wBAAwB,EAAE;IAErF,wBAAwB;IACxB,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,MAAM,EAAE,KAAK,EAAE,cAAc,EAAE;IACzE,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,eAAe,EAAE,KAAK,EAAE,8BAA8B,EAAE;IAClG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,UAAU,EAAE,KAAK,EAAE,wBAAwB,EAAE;IACvF,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,yEAAyE,EAAE;IAClI,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,oBAAoB,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,qBAAqB,EAAE,KAAK,EAAE,0BAA0B,EAAE;IACpG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,oBAAoB,EAAE,KAAK,EAAE,yBAAyB,EAAE;IAClG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAC1F,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,iBAAiB,EAAE,KAAK,EAAE,gCAAgC,EAAE;IACtG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,4BAA4B,EAAE,KAAK,EAAE,uCAAuC,EAAE;IACxH,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,iBAAiB,EAAE,KAAK,EAAE,0BAA0B,EAAE;IAChG,EAAE,QAAQ,EAAE,gBAAgB,EAAE,UAAU,EAAE,gBAAgB,EAAE,KAAK,EAAE,yBAAyB,EAAE;CACjG,CAAC;AAcF;;;;;;;;;;;GAWG;AACH,MAAM,kBAAkB,GAAgC;IACpD,4BAA4B;IAC5B;QACI,IAAI,EAAE,qBAAqB;QAC3B,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,gFAAgF;KAChG;IACD;QACI,IAAI,EAAE,qBAAqB;QAC3B,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,uDAAuD;KACvE;IACD;QACI,IAAI,EAAE,qBAAqB;QAC3B,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,uDAAuD;KACvE;IACD;QACI,IAAI,EAAE,qBAAqB;QAC3B,UAAU,EAAE,KAAK;QACjB,KAAK,EAAE,8CAA8C;QACrD,WAAW,EAAE,qDAAqD;KACrE;IAED,wBAAwB;IACxB;QACI,IAAI,EAAE,iBAAiB;QACvB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EAAE,mEAAmE;KACnF;IACD;QACI,IAAI,EAAE,iBAAiB;QACvB,UAAU,EAAE,QAAQ;QACpB,KAAK,EAAE,gDAAgD;QACvD,WAAW,EAAE,4EAA4E;KAC5F;IACD;QACI,IAAI,EAAE,iBAAiB;QACvB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,6EAA6E;KAC7F;IAED,gCAAgC;IAChC;QACI,IAAI,EAAE,iBAAiB;QACvB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,8BAA8B;QACrC,WAAW,EAAE,+EAA+E;KAC/F;IACD;QACI,IAAI,EAAE,iBAAiB;QACvB,UAAU,EAAE,MAAM;QAClB,KAAK,EAAE,6BAA6B;QACpC,WAAW,EAAE,8EAA8E;KAC9F;CACJ,CAAC;AAEF,6DAA6D;AAC7D,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAE9B,wEAAwE;AACxE,MAAM,iBAAiB,GAAG,GAAG,CAAC;AAE9B,uEAAuE;AACvE,MAAM,0BAA0B,GAAG,IAAI,CAAC;AAExC,+EAA+E;AAC/E,UAAU;AACV,+EAA+E;AAE/E;;;;;;GAMG;AACH,MAAM,UAAU,UAAU,CACtB,MAAc,EACd,QAAiB;IAEjB,MAAM,OAAO,GAAuB,EAAE,CAAC;IACvC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAE7C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC7B,kCAAkC;QAClC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpE,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC/D,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAExD,OAAO,CAAC,IAAI,CAAC;gBACT,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,UAAU,EAAE,OAAO,CAAC,UAAU;gBAC9B,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,MAAM;gBAC7B,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,UAAU;aACnB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,OAAO,OAAO,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAChD,MAAM,UAAU,GAAuB,EAAE,CAAC;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACjC,MAAM,WAAW,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAE7C,iCAAiC;IACjC,KAAK,MAAM,SAAS,IAAI,kBAAkB,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,EAAE,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACxE,IAAI,KAA6B,CAAC;QAElC,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YAC/D,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAExD,UAAU,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,SAAS,CAAC,IAAI;gBACpB,UAAU,EAAE,SAAS,CAAC,UAAU;gBAChC,WAAW,EAAE,SAAS,CAAC,WAAW;gBAClC,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,UAAU;aACnB,CAAC,CAAC;QACP,CAAC;IACL,CAAC;IAED,kCAAkC;IAClC,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IACrE,MAAM,cAAc,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC;IAC9F,MAAM,YAAY,GAAG,UAAU,GAAG,cAAc,CAAC;IACjD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAErE,IAAI,OAAO,GAAG,0BAA0B,EAAE,CAAC;QACvC,UAAU,CAAC,IAAI,CAAC;YACZ,IAAI,EAAE,kBAAkB;YACxB,UAAU,EAAE,MAAM;YAClB,WAAW,EAAE,wCAAwC,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,6BAA6B;YAC5G,OAAO,EAAE,GAAG,YAAY,wBAAwB,MAAM,CAAC,MAAM,aAAa;YAC1E,IAAI,EAAE,CAAC;SACV,CAAC,CAAC;IACP,CAAC;IAED,4CAA4C;IAC5C,MAAM,kBAAkB,GAAG,kEAAkE,CAAC;IAC9F,IAAI,QAAgC,CAAC;IACrC,OAAO,CAAC,QAAQ,GAAG,kBAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC3D,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACzC,IAAI,OAAO,CAAC,MAAM,IAAI,kBAAkB,EAAE,CAAC;YACvC,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;YACxC,IAAI,OAAO,GAAG,iBAAiB,EAAE,CAAC;gBAC9B,MAAM,UAAU,GAAG,iBAAiB,CAAC,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,CAAC;gBAClE,UAAU,CAAC,IAAI,CAAC;oBACZ,IAAI,EAAE,iBAAiB;oBACvB,UAAU,EAAE,QAAQ;oBACpB,WAAW,EAAE,iDAAiD,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,8BAA8B;oBAC9G,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;oBAChE,IAAI,EAAE,UAAU;iBACnB,CAAC,CAAC;YACP,CAAC;QACL,CAAC;IACL,CAAC;IAED,OAAO,UAAU,CAAC;AACtB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC7B,OAAoC;IAEpC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;IAEhE,OAAO;QACH,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC;QACxC,OAAO,EAAE,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC;QAClC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,YAAY,CAAC;QACxC,MAAM,EAAE,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;QAChC,cAAc,EAAE,UAAU,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAChD,GAAG;KACN,CAAC;AACN,CAAC;AAED,yDAAyD;AACzD,MAAM,SAAS,GAAG,gEAAgE,CAAC;AAEnF,+CAA+C;AAC/C,MAAM,cAAc,GAAmC,CAAC,YAAY,EAAE,SAAS,EAAE,YAAY,EAAE,QAAQ,EAAE,gBAAgB,CAAC,CAAC;AAW3H,gBAAgB;AAChB,MAAM,eAAe,GAA6B;IAC9C,uCAAuC;IACvC;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,CAC1C,CAAC,CAAC,MAAM,CAAC,QAAQ;eACd,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC;eACtB,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;eAC1B,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,YAAY,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACrF,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE;YACjC,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,YAAY,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC;YAClG,MAAM,GAAG,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACvD,OAAO;gBACH,QAAQ,EAAE,YAAY;gBACtB,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,gCAAgC,GAAG,EAAE;gBAC/C,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,kEAAkE,GAAG,EAAE;aACvF,CAAC;QACN,CAAC;KACJ;IACD,gCAAgC;IAChC;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CACjC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAC7E,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,0BAA0B;YACpC,QAAQ,EAAE,OAAO;YACjB,WAAW,EAAE,yDAAyD;SACzE,CAAC;KACL;IACD,yCAAyC;IACzC;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CACjC,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;QAC/E,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,QAAQ,EAAE,YAAY;YACtB,QAAQ,EAAE,oBAAoB;YAC9B,QAAQ,EAAE,0BAA0B;YACpC,QAAQ,EAAE,SAAS;YACnB,WAAW,EAAE,mGAAmG;SACnH,CAAC;KACL;IACD,+BAA+B;IAC/B;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CACjC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC;QACvE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,uBAAuB;YACjC,QAAQ,EAAE,SAAS;YACnB,WAAW,EAAE,gFAAgF;SAChG,CAAC;KACL;IACD,qEAAqE;IACrE;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,CAClC,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QAChE,OAAO,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE;YACjC,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,gBAAgB,CAAC,CAAC;YACrE,MAAM,GAAG,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpE,OAAO;gBACH,QAAQ,EAAE,gBAAgB;gBAC1B,QAAQ,EAAE,6BAA6B;gBACvC,QAAQ,EAAE,yBAAyB,GAAG,EAAE;gBACxC,QAAQ,EAAE,OAAO;gBACjB,WAAW,EAAE,yCAAyC,GAAG,gEAAgE;aAC5H,CAAC;QACN,CAAC;KACJ;IACD,8EAA8E;IAC9E;QACI,SAAS,EAAE,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,CACjC,CAAC,CAAC,MAAM,CAAC,QAAQ,IAAI,IAAI,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;QACpF,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;YACZ,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,+BAA+B;YACzC,QAAQ,EAAE,OAAO;YACjB,WAAW,EAAE,2EAA2E;SAC3F,CAAC;KACL;CACJ,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAC1B,OAAoC,EACpC,MAAyB;IAEzB,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACzD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC;IAE9C,OAAO,eAAe;SACjB,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;SACpE,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAChE,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,eAAe,CAC3B,MAAc,EACd,SAA4B,EAAE,EAC9B,QAAiB;IAEjB,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7C,MAAM,YAAY,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACnD,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAExD,MAAM,wBAAwB,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC;IACtF,MAAM,IAAI,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,IAAI,CAAC,wBAAwB,CAAC;IAExF,MAAM,OAAO,GAAG,YAAY,CAAC,YAAY,EAAE,UAAU,EAAE,iBAAiB,EAAE,IAAI,CAAC,CAAC;IAEhF,OAAO;QACH,YAAY;QACZ,OAAO;QACP,UAAU;QACV,iBAAiB;QACjB,IAAI;QACJ,OAAO;KACV,CAAC;AACN,CAAC;AAED,+EAA+E;AAC/E,YAAY;AACZ,+EAA+E;AAE/E;;;GAGG;AACH,SAAS,gBAAgB,CAAC,MAAc;IACpC,MAAM,OAAO,GAAa,CAAC,CAAC,CAAC,CAAC,CAAC,4BAA4B;IAC3D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,OAA0B,EAAE,MAAc;IACjE,IAAI,EAAE,GAAG,CAAC,CAAC;IACX,IAAI,EAAE,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;IAC5B,OAAO,EAAE,GAAG,EAAE,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;QAChC,IAAI,OAAO,CAAC,GAAG,CAAE,IAAI,MAAM;YAAE,EAAE,GAAG,GAAG,CAAC;;YACjC,EAAE,GAAG,GAAG,GAAG,CAAC,CAAC;IACtB,CAAC;IACD,OAAO,EAAE,GAAG,CAAC,CAAC,CAAC,UAAU;AAC7B,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,GAAW;IAC/B,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAC/B,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACnB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAChC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;QAC7B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,OAAO,CAAC;AACnB,CAAC;AAED;;;GAGG;AACH,SAAS,YAAY,CACjB,YAAiC,EACjC,UAA2C,EAC3C,iBAA8C,EAC9C,IAAa;IAEb,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3D,MAAM,WAAW,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,MAAM,CAAC,CAAC;IAE3E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxD,OAAO,sDAAsD,CAAC;IAClE,CAAC;IAED,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,kBAAkB,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;IAED,MAAM,UAAU,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC,MAAM,CAAC;IACzE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxB,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,MAAM,kBAAkB,UAAU,UAAU,CAAC,CAAC;IAC3E,CAAC;IAED,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,MAAM,0BAA0B,WAAW,CAAC,MAAM,mBAAmB,CAAC,CAAC;IAC3G,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAErC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC7B,CAAC"}

package/dist/introspection/GovernanceObserver.d.ts

@@ -0,0 +1,88 @@
+/**
+ * GovernanceObserver — Observability Bridge for Governance Operations
+ *
+ * Wraps governance operations (contract compilation, lockfile generation,
+ * integrity verification, attestation) with structured debug events and
+ * OpenTelemetry-compatible tracing spans.
+ *
+ * This module is the bridge between the governance/introspection layer
+ * and the observability layer. It is opt-in — governance operations
+ * work identically without it. When enabled, every governance operation
+ * emits a `GovernanceEvent` and/or a tracing span.
+ *
+ * **Zero overhead when disabled**: When no observer or tracer is
+ * configured, the wrapper functions are no-ops that delegate directly.
+ *
+ * @module
+ */
+import type { DebugObserverFn, GovernanceOperation } from '../observability/DebugObserver.js';
+import type { FusionTracer } from '../observability/Tracing.js';
+/**
+ * Configuration for governance observability.
+ *
+ * Pass to `createGovernanceObserver()` to enable debug events
+ * and/or tracing spans for governance operations.
+ */
+export interface GovernanceObserverConfig {
+    /** Debug event handler — receives GovernanceEvent */
+    readonly debug?: DebugObserverFn;
+    /** OpenTelemetry-compatible tracer */
+    readonly tracer?: FusionTracer;
+}
+/**
+ * A governance observer that emits debug events and tracing spans.
+ *
+ * All methods accept a callback that performs the actual work.
+ * The observer wraps the callback with timing and event emission.
+ */
+export interface GovernanceObserver {
+    /**
+     * Wrap a governance operation with observability.
+     *
+     * @param operation - Named governance operation
+     * @param label     - Human-readable label
+     * @param fn        - The actual work to perform
+     * @returns The result of `fn`
+     */
+    observe<T>(operation: GovernanceOperation, label: string, fn: () => T): T;
+    /**
+     * Wrap an async governance operation with observability.
+     *
+     * @param operation - Named governance operation
+     * @param label     - Human-readable label
+     * @param fn        - The actual async work to perform
+     * @returns The result of `fn`
+     */
+    observeAsync<T>(operation: GovernanceOperation, label: string, fn: () => Promise<T>): Promise<T>;
+}
+/**
+ * Create a governance observer that emits debug events and/or tracing
+ * spans for governance operations.
+ *
+ * @param config - Observer configuration (debug handler and/or tracer)
+ * @returns A `GovernanceObserver` instance
+ *
+ * @example
+ * ```typescript
+ * import { createGovernanceObserver } from '@vinkius-core/mcp-fusion/introspection';
+ * import { createDebugObserver } from '@vinkius-core/mcp-fusion';
+ *
+ * const observer = createGovernanceObserver({
+ *     debug: createDebugObserver(),
+ * });
+ *
+ * const contracts = observer.observe(
+ *     'contract.compile',
+ *     'Compiling 5 tool contracts',
+ *     () => compileContracts(builders),
+ * );
+ * ```
+ */
+export declare function createGovernanceObserver(config: GovernanceObserverConfig): GovernanceObserver;
+/**
+ * Create a no-op governance observer.
+ *
+ * Used when observability is not configured. Zero overhead.
+ */
+export declare function createNoopObserver(): GovernanceObserver;
+//# sourceMappingURL=GovernanceObserver.d.ts.map

package/dist/introspection/GovernanceObserver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"GovernanceObserver.d.ts","sourceRoot":"","sources":["../../src/introspection/GovernanceObserver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,KAAK,EAAE,eAAe,EAAE,mBAAmB,EAAE,MAAM,mCAAmC,CAAC;AAC9F,OAAO,KAAK,EAAE,YAAY,EAAwB,MAAM,6BAA6B,CAAC;AActF;;;;;GAKG;AACH,MAAM,WAAW,wBAAwB;IACrC,qDAAqD;IACrD,QAAQ,CAAC,KAAK,CAAC,EAAE,eAAe,CAAC;IACjC,sCAAsC;IACtC,QAAQ,CAAC,MAAM,CAAC,EAAE,YAAY,CAAC;CAClC;AAMD;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IAC/B;;;;;;;OAOG;IACH,OAAO,CAAC,CAAC,EACL,SAAS,EAAE,mBAAmB,EAC9B,KAAK,EAAE,MAAM,EACb,EAAE,EAAE,MAAM,CAAC,GACZ,CAAC,CAAC;IAEL;;;;;;;OAOG;IACH,YAAY,CAAC,CAAC,EACV,SAAS,EAAE,mBAAmB,EAC9B,KAAK,EAAE,MAAM,EACb,EAAE,EAAE,MAAM,OAAO,CAAC,CAAC,CAAC,GACrB,OAAO,CAAC,CAAC,CAAC,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,wBAAwB,GAAG,kBAAkB,CAoH7F;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,IAAI,kBAAkB,CAKvD"}