@zenalexa/unicli 0.217.0 → 0.217.3

package/dist/engine/permission-rules.js

@@ -0,0 +1,401 @@
+import { existsSync, readFileSync, realpathSync, statSync } from "node:fs";
+import { basename, dirname, join, resolve as pathResolve } from "node:path";
+import { userHome } from "./user-home.js";
+export class PermissionRulesConfigError extends Error {
+    code = "invalid_input";
+    suggestion = "fix or remove the permission rules file";
+    constructor(message) {
+        super(message);
+        this.name = "PermissionRulesConfigError";
+    }
+}
+const ROOT_KEYS = new Set(["schema_version", "rules"]);
+const RULE_KEYS = new Set(["id", "decision", "match", "reason"]);
+const MATCH_KEYS = new Set([
+    "site",
+    "command",
+    "effect",
+    "dimensions",
+    "resources",
+    "resource_summary",
+]);
+const DIMENSION_KEYS = new Set([
+    "network",
+    "browser",
+    "desktop",
+    "file",
+    "process",
+    "account",
+]);
+const ACCESS_VALUES = new Set(["none", "read", "write"]);
+const EFFECT_VALUES = new Set([
+    "read",
+    "send_message",
+    "publish_content",
+    "account_state",
+    "remote_transform",
+    "remote_resource",
+    "service_state",
+    "local_app",
+    "local_file",
+    "destructive",
+    "unknown_write",
+]);
+const RESOURCE_KEYS = new Set([
+    "domains",
+    "paths",
+    "executables",
+    "apps",
+    "accounts",
+]);
+const rulesCache = new Map();
+export function createPermissionRulesStore(options) {
+    const envPath = process.env.UNICLI_PERMISSION_RULES_PATH?.trim();
+    return {
+        path: options?.path ??
+            (envPath && envPath.length > 0
+                ? envPath
+                : join(options?.homeDir ?? userHome(), ".unicli", "permission-rules.json")),
+    };
+}
+export async function findDenyRuleForPolicy(policy, options) {
+    return findDenyRuleForPolicySync(policy, options);
+}
+export function applyDenyRuleToPolicy(policy, rule) {
+    return {
+        ...policy,
+        approval_required: true,
+        approved: false,
+        enforcement: "deny",
+        reason: `blocked by permission rule "${rule.id}": ${rule.reason}`,
+        approval_hint: "edit or remove the matching permission rule",
+        deny_rule: {
+            id: rule.id,
+            reason: rule.reason,
+        },
+        deny_reason: rule.reason,
+    };
+}
+export function findDenyRuleForPolicySync(policy, options) {
+    const store = createPermissionRulesStore(options);
+    const rules = readRules(store.path);
+    const matched = rules.find((rule) => ruleMatchesPolicy(rule, policy));
+    if (!matched)
+        return undefined;
+    return {
+        decision: "deny",
+        id: matched.id,
+        reason: matched.reason,
+    };
+}
+export function findDenyRuleForRuntimeResourceSync(input, options) {
+    const store = createPermissionRulesStore(options);
+    const rules = readRules(store.path);
+    const matched = rules.find((rule) => ruleMatchesRuntimeResource(rule, input));
+    if (!matched)
+        return undefined;
+    return {
+        decision: "deny",
+        id: matched.id,
+        reason: matched.reason,
+    };
+}
+function readRules(path) {
+    let stats;
+    try {
+        stats = statSync(path);
+    }
+    catch (error) {
+        if (isNodeError(error) && error.code === "ENOENT")
+            return [];
+        throw new PermissionRulesConfigError(`failed to read permission rules file at ${path}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const cached = rulesCache.get(path);
+    if (cached &&
+        cached.mtimeMs === stats.mtimeMs &&
+        cached.size === stats.size) {
+        return cached.rules;
+    }
+    let raw;
+    try {
+        raw = readFileSync(path, "utf-8");
+    }
+    catch (error) {
+        throw new PermissionRulesConfigError(`failed to read permission rules file at ${path}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (error) {
+        throw new PermissionRulesConfigError(`invalid permission rules JSON at ${path}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+    const rules = parseRulesDocument(parsed, path);
+    rulesCache.set(path, { mtimeMs: stats.mtimeMs, size: stats.size, rules });
+    return rules;
+}
+function parseRulesDocument(value, path) {
+    const root = expectRecord(value, path, "root");
+    rejectUnknownKeys(root, ROOT_KEYS, path, "root");
+    expectLiteral(root.schema_version, "1", path, "schema_version");
+    if (!Array.isArray(root.rules)) {
+        throw invalid(path, "rules must be an array");
+    }
+    return root.rules.map((rule, index) => parseRule(rule, path, index));
+}
+function parseRule(value, path, index) {
+    const label = `rules[${index}]`;
+    const rule = expectRecord(value, path, label);
+    rejectUnknownKeys(rule, RULE_KEYS, path, label);
+    const id = expectString(rule.id, path, `${label}.id`);
+    if (id.length === 0)
+        throw invalid(path, `${label}.id cannot be empty`);
+    expectLiteral(rule.decision, "deny", path, `${label}.decision`);
+    const match = parseMatch(rule.match, path, `${label}.match`);
+    const reason = rule.reason === undefined
+        ? `blocked by permission rule ${id}`
+        : expectString(rule.reason, path, `${label}.reason`);
+    return { id, decision: "deny", match, reason };
+}
+function parseMatch(value, path, label) {
+    const match = expectRecord(value, path, label);
+    rejectUnknownKeys(match, MATCH_KEYS, path, label);
+    const out = {};
+    if (match.site !== undefined)
+        out.site = expectString(match.site, path, `${label}.site`);
+    if (match.command !== undefined) {
+        out.command = expectString(match.command, path, `${label}.command`);
+    }
+    if (match.effect !== undefined) {
+        const effect = expectString(match.effect, path, `${label}.effect`);
+        if (!EFFECT_VALUES.has(effect)) {
+            throw invalid(path, `${label}.effect is not a known operation effect`);
+        }
+        out.effect = effect;
+    }
+    if (match.dimensions !== undefined) {
+        out.dimensions = parseDimensions(match.dimensions, path, `${label}.dimensions`);
+    }
+    if (match.resources !== undefined) {
+        out.resources = parseResources(match.resources, path, `${label}.resources`);
+    }
+    if (match.resource_summary !== undefined) {
+        out.resource_summary = expectStringArray(match.resource_summary, path, `${label}.resource_summary`);
+    }
+    return out;
+}
+function parseDimensions(value, path, label) {
+    const dimensions = expectRecord(value, path, label);
+    const out = {};
+    for (const [key, raw] of Object.entries(dimensions)) {
+        if (!DIMENSION_KEYS.has(key)) {
+            throw invalid(path, `${label}.${key} is not a known capability dimension`);
+        }
+        const access = expectString(raw, path, `${label}.${key}`);
+        if (!ACCESS_VALUES.has(access)) {
+            throw invalid(path, `${label}.${key} is not a known access value`);
+        }
+        out[key] = access;
+    }
+    return out;
+}
+function parseResources(value, path, label) {
+    const resources = expectRecord(value, path, label);
+    const out = {};
+    for (const [key, raw] of Object.entries(resources)) {
+        if (!RESOURCE_KEYS.has(key)) {
+            throw invalid(path, `${label}.${key} is not a known resource bucket`);
+        }
+        out[key] = expectStringArray(raw, path, `${label}.${key}`);
+    }
+    return out;
+}
+function ruleMatchesPolicy(rule, policy) {
+    const match = rule.match;
+    const commandRef = commandRefFromPolicy(policy);
+    if (match.site !== undefined && match.site !== commandRef.site)
+        return false;
+    const command = commandRef.command;
+    if (match.command !== undefined && match.command !== command)
+        return false;
+    if (match.effect !== undefined && match.effect !== policy.effect)
+        return false;
+    if (match.dimensions) {
+        for (const [name, access] of Object.entries(match.dimensions)) {
+            if (policy.capability_scope.dimensions[name]
+                ?.access !== access) {
+                return false;
+            }
+        }
+    }
+    if (match.resources) {
+        for (const [name, values] of Object.entries(match.resources)) {
+            const bucket = policy.capability_scope.resources[name] ?? [];
+            if (!values.some((value) => bucket.includes(normalizeComparable(value)))) {
+                return false;
+            }
+        }
+    }
+    if (match.resource_summary) {
+        const summary = policy.capability_scope.resource_summary;
+        if (!match.resource_summary.some((value) => summary.includes(normalizeComparable(value)))) {
+            return false;
+        }
+    }
+    return true;
+}
+function ruleMatchesRuntimeResource(rule, input) {
+    const match = rule.match;
+    if (match.site !== undefined && match.site !== input.site)
+        return false;
+    if (match.command !== undefined && match.command !== input.command) {
+        return false;
+    }
+    if (match.effect !== undefined && match.effect !== input.effect) {
+        return false;
+    }
+    if (match.dimensions) {
+        for (const [name, access] of Object.entries(match.dimensions)) {
+            if (input.dimensions?.[name] !== access) {
+                return false;
+            }
+        }
+    }
+    if (match.resources) {
+        for (const [name, values] of Object.entries(match.resources)) {
+            const bucket = input.resources?.[name] ?? [];
+            if (!values.some((value) => bucket.some((actual) => runtimeResourceValueMatches(name, value, actual)))) {
+                return false;
+            }
+        }
+    }
+    if (match.resource_summary) {
+        const summary = input.resource_summary ?? [];
+        if (!match.resource_summary.some((value) => summary.includes(normalizeComparable(value)))) {
+            return false;
+        }
+    }
+    return true;
+}
+function runtimeResourceValueMatches(bucket, ruleValue, actualValue) {
+    if (bucket === "domains") {
+        const ruleDomain = normalizeDomainComparable(ruleValue);
+        const actualDomain = normalizeDomainComparable(actualValue);
+        return (actualDomain === ruleDomain || actualDomain.endsWith(`.${ruleDomain}`));
+    }
+    if (bucket === "paths") {
+        const rulePath = normalizePathComparable(ruleValue);
+        const actualPath = normalizePathComparable(actualValue);
+        return actualPath === rulePath || actualPath.startsWith(`${rulePath}/`);
+    }
+    if (bucket === "executables") {
+        const ruleExecutable = normalizeComparable(ruleValue);
+        if (ruleValue.includes("/") || ruleValue.includes("\\")) {
+            return normalizeComparable(actualValue) === ruleExecutable;
+        }
+        return normalizeExecutableComparable(actualValue) === ruleExecutable;
+    }
+    return normalizeComparable(actualValue) === normalizeComparable(ruleValue);
+}
+function commandRefFromPolicy(policy) {
+    const commandRef = policy.approval_memory.key.split(":")[2] ?? "unknown.unknown";
+    const lastDot = commandRef.lastIndexOf(".");
+    if (lastDot <= 0 || lastDot === commandRef.length - 1) {
+        return { site: "unknown", command: "unknown" };
+    }
+    return {
+        site: commandRef.slice(0, lastDot),
+        command: commandRef.slice(lastDot + 1),
+    };
+}
+function expectRecord(value, path, label) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+        throw invalid(path, `${label} must be an object`);
+    }
+    return value;
+}
+function rejectUnknownKeys(value, allowed, path, label) {
+    for (const key of Object.keys(value)) {
+        if (!allowed.has(key))
+            throw invalid(path, `${label}.${key} is not allowed`);
+    }
+}
+function expectLiteral(value, expected, path, label) {
+    if (value !== expected) {
+        throw invalid(path, `${label} must be ${JSON.stringify(expected)}`);
+    }
+}
+function expectString(value, path, label) {
+    if (typeof value !== "string")
+        throw invalid(path, `${label} must be a string`);
+    return value.trim();
+}
+function expectStringArray(value, path, label) {
+    if (!Array.isArray(value))
+        throw invalid(path, `${label} must be an array`);
+    const out = value.map((item, index) => expectString(item, path, `${label}[${index}]`));
+    if (out.length === 0)
+        throw invalid(path, `${label} cannot be empty`);
+    return out;
+}
+function normalizeComparable(value) {
+    return value.trim().toLowerCase();
+}
+function normalizeDomainComparable(value) {
+    const raw = normalizeComparable(value);
+    try {
+        return stripTrailingDomainDot(new URL(raw.includes("://") ? raw : `https://${raw}`).hostname);
+    }
+    catch {
+        return stripTrailingDomainDot(raw.replace(/^https?:\/\//, "").split("/")[0] ?? raw);
+    }
+}
+function stripTrailingDomainDot(value) {
+    return value.replace(/\.+$/, "");
+}
+function normalizePathComparable(value) {
+    const raw = value.trim().replace(/\\/g, "/");
+    if (raw === "/")
+        return raw;
+    const comparable = isWindowsDrivePath(raw) ? raw : realpathAwarePath(raw);
+    return normalizeComparable(comparable.replace(/\\/g, "/").replace(/\/+$/, ""));
+}
+function realpathAwarePath(path) {
+    if (!path.startsWith("/"))
+        return path;
+    const resolved = pathResolve(path);
+    const missing = [];
+    let current = resolved;
+    while (!existsSync(current)) {
+        const parent = dirname(current);
+        if (parent === current)
+            return resolved;
+        missing.unshift(basename(current));
+        current = parent;
+    }
+    try {
+        const real = realpathSync(current);
+        return missing.length > 0 ? join(real, ...missing) : real;
+    }
+    catch {
+        return resolved;
+    }
+}
+function isWindowsDrivePath(value) {
+    return /^[A-Za-z]:\//.test(value);
+}
+function normalizeExecutableComparable(value) {
+    const normalized = value.trim().replace(/\\/g, "/").replace(/\/+$/, "");
+    const parts = normalized.split("/").filter(Boolean);
+    return normalizeComparable(parts.at(-1) ?? normalized);
+}
+function invalid(path, message) {
+    return new PermissionRulesConfigError(`invalid permission rules at ${path}: ${message}`);
+}
+function isNodeError(error) {
+    return (typeof error === "object" &&
+        error !== null &&
+        "code" in error &&
+        typeof error.code === "string");
+}
+//# sourceMappingURL=permission-rules.js.map

package/dist/engine/permission-rules.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-rules.js","sourceRoot":"","sources":["../../src/engine/permission-rules.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAC3E,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,IAAI,WAAW,EAAE,MAAM,WAAW,CAAC;AAQ5E,OAAO,EAAE,QAAQ,EAAE,MAAM,gBAAgB,CAAC;AAQ1C,MAAM,OAAO,0BAA2B,SAAQ,KAAK;IAC1C,IAAI,GAAG,eAAe,CAAC;IACvB,UAAU,GAAG,yCAAyC,CAAC;IAEhE,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,4BAA4B,CAAC;IAC3C,CAAC;CACF;AAqCD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,CAAC;AACvD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;AACjE,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,MAAM;IACN,SAAS;IACT,QAAQ;IACR,YAAY;IACZ,WAAW;IACX,kBAAkB;CACnB,CAAC,CAAC;AACH,MAAM,cAAc,GAAG,IAAI,GAAG,CAA0B;IACtD,SAAS;IACT,SAAS;IACT,SAAS;IACT,MAAM;IACN,SAAS;IACT,SAAS;CACV,CAAC,CAAC;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAC3E,MAAM,aAAa,GAAG,IAAI,GAAG,CAAkB;IAC7C,MAAM;IACN,cAAc;IACd,iBAAiB;IACjB,eAAe;IACf,kBAAkB;IAClB,iBAAiB;IACjB,eAAe;IACf,WAAW;IACX,YAAY;IACZ,aAAa;IACb,eAAe;CAChB,CAAC,CAAC;AACH,MAAM,aAAa,GAAG,IAAI,GAAG,CAAqB;IAChD,SAAS;IACT,OAAO;IACP,aAAa;IACb,MAAM;IACN,UAAU;CACX,CAAC,CAAC;AACH,MAAM,UAAU,GAAG,IAAI,GAAG,EAA2B,CAAC;AAEtD,MAAM,UAAU,0BAA0B,CAAC,OAG1C;IACC,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,IAAI,EAAE,CAAC;IACjE,OAAO;QACL,IAAI,EACF,OAAO,EAAE,IAAI;YACb,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC;gBAC5B,CAAC,CAAC,OAAO;gBACT,CAAC,CAAC,IAAI,CACF,OAAO,EAAE,OAAO,IAAI,QAAQ,EAAE,EAC9B,SAAS,EACT,uBAAuB,CACxB,CAAC;KACT,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,MAAuB,EACvB,OAA6C;IAE7C,OAAO,yBAAyB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,MAAuB,EACvB,IAA+B;IAE/B,OAAO;QACL,GAAG,MAAM;QACT,iBAAiB,EAAE,IAAI;QACvB,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,MAAM;QACnB,MAAM,EAAE,+BAA+B,IAAI,CAAC,EAAE,MAAM,IAAI,CAAC,MAAM,EAAE;QACjE,aAAa,EAAE,6CAA6C;QAC5D,SAAS,EAAE;YACT,EAAE,EAAE,IAAI,CAAC,EAAE;YACX,MAAM,EAAE,IAAI,CAAC,MAAM;SACpB;QACD,WAAW,EAAE,IAAI,CAAC,MAAM;KACzB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,yBAAyB,CACvC,MAAuB,EACvB,OAA6C;IAE7C,MAAM,KAAK,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC;IACtE,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kCAAkC,CAChD,KAAgC,EAChC,OAA6C;IAE7C,MAAM,KAAK,GAAG,0BAA0B,CAAC,OAAO,CAAC,CAAC;IAClD,MAAM,KAAK,GAAG,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,0BAA0B,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;IAC9E,IAAI,CAAC,OAAO;QAAE,OAAO,SAAS,CAAC;IAC/B,OAAO;QACL,QAAQ,EAAE,MAAM;QAChB,EAAE,EAAE,OAAO,CAAC,EAAE;QACd,MAAM,EAAE,OAAO,CAAC,MAAM;KACvB,CAAC;AACJ,CAAC;AAED,SAAS,SAAS,CAAC,IAAY;IAC7B,IAAI,KAAwC,CAAC;IAC7C,IAAI,CAAC;QACH,KAAK,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IACzB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,WAAW,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;YAAE,OAAO,EAAE,CAAC;QAC7D,MAAM,IAAI,0BAA0B,CAClC,2CAA2C,IAAI,KAC7C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACpC,IACE,MAAM;QACN,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO;QAChC,MAAM,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,EAC1B,CAAC;QACD,OAAO,MAAM,CAAC,KAAK,CAAC;IACtB,CAAC;IAED,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,0BAA0B,CAClC,2CAA2C,IAAI,KAC7C,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;IACJ,CAAC;IAED,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,0BAA0B,CAClC,oCAAoC,IAAI,KACtC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC/C,UAAU,CAAC,GAAG,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAC1E,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAc,EACd,IAAY;IAEZ,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IAC/C,iBAAiB,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,CAAC,CAAC;IACjD,aAAa,CAAC,IAAI,CAAC,cAAc,EAAE,GAAG,EAAE,IAAI,EAAE,gBAAgB,CAAC,CAAC;IAChE,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,OAAO,CAAC,IAAI,EAAE,wBAAwB,CAAC,CAAC;IAChD,CAAC;IACD,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;AACvE,CAAC;AAED,SAAS,SAAS,CAChB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,MAAM,KAAK,GAAG,SAAS,KAAK,GAAG,CAAC;IAChC,MAAM,IAAI,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC9C,iBAAiB,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAChD,MAAM,EAAE,GAAG,YAAY,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,GAAG,KAAK,KAAK,CAAC,CAAC;IACtD,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,qBAAqB,CAAC,CAAC;IACxE,aAAa,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,WAAW,CAAC,CAAC;IAChE,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,GAAG,KAAK,QAAQ,CAAC,CAAC;IAC7D,MAAM,MAAM,GACV,IAAI,CAAC,MAAM,KAAK,SAAS;QACvB,CAAC,CAAC,8BAA8B,EAAE,EAAE;QACpC,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC;IACzD,OAAO,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;AACjD,CAAC;AAED,SAAS,UAAU,CACjB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/C,iBAAiB,CAAC,KAAK,EAAE,UAAU,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAClD,MAAM,GAAG,GAAkC,EAAE,CAAC;IAE9C,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS;QAC1B,GAAG,CAAC,IAAI,GAAG,YAAY,CAAC,KAAK,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,KAAK,OAAO,CAAC,CAAC;IAC7D,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChC,GAAG,CAAC,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,KAAK,UAAU,CAAC,CAAC;IACtE,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;QAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,EAAE,GAAG,KAAK,SAAS,CAAC,CAAC;QACnE,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAyB,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,yCAAyC,CAAC,CAAC;QACzE,CAAC;QACD,GAAG,CAAC,MAAM,GAAG,MAAyB,CAAC;IACzC,CAAC;IACD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnC,GAAG,CAAC,UAAU,GAAG,eAAe,CAC9B,KAAK,CAAC,UAAU,EAChB,IAAI,EACJ,GAAG,KAAK,aAAa,CACtB,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QAClC,GAAG,CAAC,SAAS,GAAG,cAAc,CAAC,KAAK,CAAC,SAAS,EAAE,IAAI,EAAE,GAAG,KAAK,YAAY,CAAC,CAAC;IAC9E,CAAC;IACD,IAAI,KAAK,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QACzC,GAAG,CAAC,gBAAgB,GAAG,iBAAiB,CACtC,KAAK,CAAC,gBAAgB,EACtB,IAAI,EACJ,GAAG,KAAK,mBAAmB,CAC5B,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CACtB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACpD,MAAM,GAAG,GAA+D,EAAE,CAAC;IAC3E,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;QACpD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAA8B,CAAC,EAAE,CAAC;YACxD,MAAM,OAAO,CACX,IAAI,EACJ,GAAG,KAAK,IAAI,GAAG,sCAAsC,CACtD,CAAC;QACJ,CAAC;QACD,MAAM,MAAM,GAAG,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC,CAAC;QAC1D,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAA0B,CAAC,EAAE,CAAC;YACnD,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,GAAG,8BAA8B,CAAC,CAAC;QACrE,CAAC;QACD,GAAG,CAAC,GAA8B,CAAC,GAAG,MAA0B,CAAC;IACnE,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,cAAc,CACrB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IACnD,MAAM,GAAG,GAAkD,EAAE,CAAC;IAC9D,KAAK,MAAM,CAAC,GAAG,EAAE,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAyB,CAAC,EAAE,CAAC;YAClD,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,GAAG,iCAAiC,CAAC,CAAC;QACxE,CAAC;QACD,GAAG,CAAC,GAAyB,CAAC,GAAG,iBAAiB,CAChD,GAAG,EACH,IAAI,EACJ,GAAG,KAAK,IAAI,GAAG,EAAE,CAClB,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,iBAAiB,CACxB,IAA0B,EAC1B,MAAuB;IAEvB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,MAAM,UAAU,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;IAChD,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,UAAU,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAC7E,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC;IACnC,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,OAAO,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM,CAAC,MAAM;QAC9D,OAAO,KAAK,CAAC;IAEf,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,IACE,MAAM,CAAC,gBAAgB,CAAC,UAAU,CAAC,IAA+B,CAAC;gBACjE,EAAE,MAAM,KAAK,MAAM,EACrB,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,MAAM,GACV,MAAM,CAAC,gBAAgB,CAAC,SAAS,CAAC,IAA0B,CAAC,IAAI,EAAE,CAAC;YACtE,IACE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,EACpE,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,CAAC,gBAAgB,CAAC,gBAAgB,CAAC;QACzD,IACE,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CACrC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAC7C,EACD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,0BAA0B,CACjC,IAA0B,EAC1B,KAAgC;IAEhC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACzB,IAAI,KAAK,CAAC,IAAI,KAAK,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxE,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,OAAO,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,CAAC,MAAM,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YAC9D,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC,IAA+B,CAAC,KAAK,MAAM,EAAE,CAAC;gBACnE,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;QACpB,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,MAAM,MAAM,GAAG,KAAK,CAAC,SAAS,EAAE,CAAC,IAA0B,CAAC,IAAI,EAAE,CAAC;YACnE,IACE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CACrB,MAAM,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CACrB,2BAA2B,CACzB,IAA0B,EAC1B,KAAK,EACL,MAAM,CACP,CACF,CACF,EACD,CAAC;gBACD,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,KAAK,CAAC,gBAAgB,IAAI,EAAE,CAAC;QAC7C,IACE,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CACrC,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAC7C,EACD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,2BAA2B,CAClC,MAA0B,EAC1B,SAAiB,EACjB,WAAmB;IAEnB,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,MAAM,UAAU,GAAG,yBAAyB,CAAC,SAAS,CAAC,CAAC;QACxD,MAAM,YAAY,GAAG,yBAAyB,CAAC,WAAW,CAAC,CAAC;QAC5D,OAAO,CACL,YAAY,KAAK,UAAU,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,UAAU,EAAE,CAAC,CACvE,CAAC;IACJ,CAAC;IACD,IAAI,MAAM,KAAK,OAAO,EAAE,CAAC;QACvB,MAAM,QAAQ,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;QACpD,MAAM,UAAU,GAAG,uBAAuB,CAAC,WAAW,CAAC,CAAC;QACxD,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,CAAC,UAAU,CAAC,GAAG,QAAQ,GAAG,CAAC,CAAC;IAC1E,CAAC;IACD,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;QAC7B,MAAM,cAAc,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACtD,IAAI,SAAS,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YACxD,OAAO,mBAAmB,CAAC,WAAW,CAAC,KAAK,cAAc,CAAC;QAC7D,CAAC;QACD,OAAO,6BAA6B,CAAC,WAAW,CAAC,KAAK,cAAc,CAAC;IACvE,CAAC;IACD,OAAO,mBAAmB,CAAC,WAAW,CAAC,KAAK,mBAAmB,CAAC,SAAS,CAAC,CAAC;AAC7E,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAuB;IAInD,MAAM,UAAU,GACd,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,iBAAiB,CAAC;IAChE,MAAM,OAAO,GAAG,UAAU,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,OAAO,IAAI,CAAC,IAAI,OAAO,KAAK,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC;IACjD,CAAC;IACD,OAAO;QACL,IAAI,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC;QAClC,OAAO,EAAE,UAAU,CAAC,KAAK,CAAC,OAAO,GAAG,CAAC,CAAC;KACvC,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CACnB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,oBAAoB,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,KAAgC,CAAC;AAC1C,CAAC;AAED,SAAS,iBAAiB,CACxB,KAA8B,EAC9B,OAAoB,EACpB,IAAY,EACZ,KAAa;IAEb,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACrC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC;YACnB,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,IAAI,GAAG,iBAAiB,CAAC,CAAC;IAC1D,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,KAAc,EACd,QAAgB,EAChB,IAAY,EACZ,KAAa;IAEb,IAAI,KAAK,KAAK,QAAQ,EAAE,CAAC;QACvB,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,YAAY,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACtE,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,KAAc,EAAE,IAAY,EAAE,KAAa;IAC/D,IAAI,OAAO,KAAK,KAAK,QAAQ;QAC3B,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,mBAAmB,CAAC,CAAC;IACnD,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC;AACtB,CAAC;AAED,SAAS,iBAAiB,CACxB,KAAc,EACd,IAAY,EACZ,KAAa;IAEb,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,mBAAmB,CAAC,CAAC;IAC5E,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE,CACpC,YAAY,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,KAAK,IAAI,KAAK,GAAG,CAAC,CAC/C,CAAC;IACF,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,OAAO,CAAC,IAAI,EAAE,GAAG,KAAK,kBAAkB,CAAC,CAAC;IACtE,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,mBAAmB,CAAC,KAAa;IACxC,OAAO,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;AACpC,CAAC;AAED,SAAS,yBAAyB,CAAC,KAAa;IAC9C,MAAM,GAAG,GAAG,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACvC,IAAI,CAAC;QACH,OAAO,sBAAsB,CAC3B,IAAI,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,GAAG,EAAE,CAAC,CAAC,QAAQ,CAC/D,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,sBAAsB,CAC3B,GAAG,CAAC,OAAO,CAAC,cAAc,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CACrD,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,sBAAsB,CAAC,KAAa;IAC3C,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACnC,CAAC;AAED,SAAS,uBAAuB,CAAC,KAAa;IAC5C,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAC7C,IAAI,GAAG,KAAK,GAAG;QAAE,OAAO,GAAG,CAAC;IAC5B,MAAM,UAAU,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAC1E,OAAO,mBAAmB,CACxB,UAAU,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CACnD,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAY;IACrC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,IAAI,OAAO,GAAG,QAAQ,CAAC;IAEvB,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;QAChC,IAAI,MAAM,KAAK,OAAO;YAAE,OAAO,QAAQ,CAAC;QACxC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC;QACnC,OAAO,GAAG,MAAM,CAAC;IACnB,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC5D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;AACH,CAAC;AAED,SAAS,kBAAkB,CAAC,KAAa;IACvC,OAAO,cAAc,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC;AAED,SAAS,6BAA6B,CAAC,KAAa;IAClD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACxE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACpD,OAAO,mBAAmB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,UAAU,CAAC,CAAC;AACzD,CAAC;AAED,SAAS,OAAO,CAAC,IAAY,EAAE,OAAe;IAC5C,OAAO,IAAI,0BAA0B,CACnC,+BAA+B,IAAI,KAAK,OAAO,EAAE,CAClD,CAAC;AACJ,CAAC;AAED,SAAS,WAAW,CAAC,KAAc;IACjC,OAAO,CACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,KAAK,IAAI;QACd,MAAM,IAAI,KAAK;QACf,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ,CACvD,CAAC;AACJ,CAAC"}

package/dist/engine/permission-runtime.d.ts

@@ -0,0 +1,11 @@
+import { type ApprovalStore } from "./approval-store.js";
+import { type OperationPolicy, type OperationPolicyInput } from "./operation-policy.js";
+export interface PermissionRuntimeOptions {
+    store?: ApprovalStore;
+    rules?: {
+        path?: string;
+        homeDir?: string;
+    };
+}
+export declare function evaluateOperationPolicyWithApprovals(input: OperationPolicyInput, options?: PermissionRuntimeOptions): Promise<OperationPolicy>;
+//# sourceMappingURL=permission-runtime.d.ts.map

package/dist/engine/permission-runtime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-runtime.d.ts","sourceRoot":"","sources":["../../src/engine/permission-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,KAAK,aAAa,EACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAEL,KAAK,eAAe,EACpB,KAAK,oBAAoB,EAC1B,MAAM,uBAAuB,CAAC;AAM/B,MAAM,WAAW,wBAAwB;IACvC,KAAK,CAAC,EAAE,aAAa,CAAC;IACtB,KAAK,CAAC,EAAE;QACN,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,OAAO,CAAC,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,wBAAsB,oCAAoC,CACxD,KAAK,EAAE,oBAAoB,EAC3B,OAAO,GAAE,wBAA6B,GACrC,OAAO,CAAC,eAAe,CAAC,CAkB1B"}

package/dist/engine/permission-runtime.js

@@ -0,0 +1,21 @@
+import { createApprovalStore, findStoredApproval, } from "./approval-store.js";
+import { evaluateOperationPolicy, } from "./operation-policy.js";
+import { applyDenyRuleToPolicy, findDenyRuleForPolicySync, } from "./permission-rules.js";
+export async function evaluateOperationPolicyWithApprovals(input, options = {}) {
+    let policy = evaluateOperationPolicy(input);
+    const denyRule = findDenyRuleForPolicySync(policy, options.rules);
+    if (denyRule)
+        return applyDenyRuleToPolicy(policy, denyRule);
+    const store = options.store ?? createApprovalStore();
+    if (policy.enforcement === "needs_approval") {
+        const stored = await findStoredApproval(store, policy.approval_memory.key);
+        if (stored) {
+            policy = evaluateOperationPolicy({
+                ...input,
+                approvalSource: "memory",
+            });
+        }
+    }
+    return policy;
+}
+//# sourceMappingURL=permission-runtime.js.map

package/dist/engine/permission-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission-runtime.js","sourceRoot":"","sources":["../../src/engine/permission-runtime.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EACnB,kBAAkB,GAEnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,uBAAuB,GAGxB,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,qBAAqB,EACrB,yBAAyB,GAC1B,MAAM,uBAAuB,CAAC;AAU/B,MAAM,CAAC,KAAK,UAAU,oCAAoC,CACxD,KAA2B,EAC3B,UAAoC,EAAE;IAEtC,IAAI,MAAM,GAAG,uBAAuB,CAAC,KAAK,CAAC,CAAC;IAC5C,MAAM,QAAQ,GAAG,yBAAyB,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC;IAClE,IAAI,QAAQ;QAAE,OAAO,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAE7D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mBAAmB,EAAE,CAAC;IAErD,IAAI,MAAM,CAAC,WAAW,KAAK,gBAAgB,EAAE,CAAC;QAC5C,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC;QAC3E,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,GAAG,uBAAuB,CAAC;gBAC/B,GAAG,KAAK;gBACR,cAAc,EAAE,QAAQ;aACzB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/engine/repair/remedies.d.ts

@@ -0,0 +1,4 @@
+import type { EnvelopeError, EnvelopeRemedy } from "../../core/envelope.js";
+export declare function lookupRemedy(minimumCapability: string | undefined): EnvelopeRemedy | undefined;
+export declare function enrichErrorWithRemedy(error: EnvelopeError): EnvelopeError;
+//# sourceMappingURL=remedies.d.ts.map

package/dist/engine/repair/remedies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"remedies.d.ts","sourceRoot":"","sources":["../../../src/engine/repair/remedies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAC;AA6J5E,wBAAgB,YAAY,CAC1B,iBAAiB,EAAE,MAAM,GAAG,SAAS,GACpC,cAAc,GAAG,SAAS,CAkB5B;AAED,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,aAAa,GAAG,aAAa,CAIzE"}

package/dist/engine/repair/remedies.js

@@ -0,0 +1,169 @@
+const REMEDIES = {
+    "desktop-uia.binary_missing": {
+        message: "Install the Windows UIA sidecar package for this platform.",
+        command: "unicli doctor compute --install",
+        doc: "docs/operate/troubleshooting.md#desktop-uiabinary_missing",
+    },
+    "desktop-uia.startup_failed": {
+        message: "Inspect the UIA sidecar startup logs and retry with tracing.",
+        command: "UNICLI_TRACE=1 unicli doctor compute",
+        doc: "docs/operate/troubleshooting.md#desktop-uiastartup_failed",
+    },
+    "desktop-uia.permission": {
+        message: "Run from an elevated terminal or install the sidecar with UIAccess.",
+        doc: "docs/operate/troubleshooting.md#desktop-uiapermission",
+    },
+    "desktop-uia.no_element": {
+        message: "The ref is stale; take a fresh compute snapshot and retry.",
+        command: "unicli compute snapshot",
+        doc: "docs/operate/troubleshooting.md#desktop-uiano_element",
+    },
+    "desktop-uia.not_invokable": {
+        message: "Use set-value or keyboard press for elements without Invoke.",
+        doc: "docs/operate/troubleshooting.md#desktop-uianot_invokable",
+    },
+    "desktop-uia.timeout": {
+        message: "Retry the call; the sidecar should restart after a timeout.",
+        doc: "docs/operate/troubleshooting.md#desktop-uiatimeout",
+    },
+    "desktop-uia.sidecar_crashed": {
+        message: "Retry once; inspect UIA sidecar startup logs if it repeats.",
+        command: "UNICLI_TRACE=1 unicli doctor compute",
+        doc: "docs/operate/troubleshooting.md#desktop-uiasidecar_crashed",
+    },
+    "desktop-atspi.binary_missing": {
+        message: "Install the Linux AT-SPI sidecar package for this platform.",
+        command: "unicli doctor compute --install",
+        doc: "docs/operate/troubleshooting.md#desktop-atspibinary_missing",
+    },
+    "desktop-atspi.dbus_blocked": {
+        message: "Start the user AT-SPI bus daemon.",
+        command: "systemctl --user start at-spi-dbus-bus",
+        doc: "docs/operate/troubleshooting.md#desktop-atspidbus_blocked",
+    },
+    "desktop-atspi.no_a11y_attr": {
+        message: "Enable accessibility support in the target app and retry.",
+        doc: "docs/operate/troubleshooting.md#desktop-atspino_a11y_attr",
+    },
+    "desktop-atspi.wayland-input": {
+        message: "Install a Wayland input helper for fallback key/mouse actions.",
+        command: "sudo apt install ydotool",
+        doc: "docs/operate/troubleshooting.md#desktop-atspiwayland-input",
+    },
+    "desktop-atspi.x11-input": {
+        message: "Install xdotool for X11 fallback key/mouse actions.",
+        command: "sudo apt install xdotool",
+        doc: "docs/operate/troubleshooting.md#desktop-atspix11-input",
+    },
+    "desktop-atspi.no_element": {
+        message: "The ref is stale; take a fresh compute snapshot and retry.",
+        command: "unicli compute snapshot",
+        doc: "docs/operate/troubleshooting.md#desktop-atspino_element",
+    },
+    "desktop-atspi.sidecar_crashed": {
+        message: "Retry once; inspect AT-SPI sidecar startup logs if it repeats.",
+        command: "UNICLI_TRACE=1 unicli doctor compute",
+        doc: "docs/operate/troubleshooting.md#desktop-atspisidecar_crashed",
+    },
+    "desktop-ax.permission": {
+        message: "Grant macOS Accessibility to the app or terminal launching Uni-CLI.",
+        deeplink: "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility",
+        doc: "docs/operate/troubleshooting.md#desktop-axpermission",
+    },
+    "desktop-ax.screen-recording": {
+        message: "Grant macOS Screen Recording for screenshot fallback.",
+        deeplink: "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture",
+        doc: "docs/operate/troubleshooting.md#desktop-axscreen-recording",
+    },
+    "desktop-ax.binary_missing": {
+        message: "Install Xcode command line tools so the AX Swift helper can run.",
+        command: "xcode-select --install",
+        doc: "docs/operate/troubleshooting.md#desktop-axbinary_missing",
+    },
+    "cdp-browser.attach_failed": {
+        message: "Check the CDP port or relaunch the app with remote debugging enabled.",
+        doc: "docs/operate/troubleshooting.md#cdp-browserattach_failed",
+    },
+    "cdp-browser.electron_running_without_debug_port": {
+        message: "Launch the Electron app with a remote debugging port.",
+        command: "unicli compute launch <app> --debug-port 9229",
+        doc: "docs/operate/troubleshooting.md#cdp-browserelectron_running_without_debug_port",
+    },
+    "cua.no_backend": {
+        message: "Configure a CUA backend key for screenshot/VLM fallback.",
+        doc: "docs/operate/troubleshooting.md#cuano_backend",
+    },
+    "compute.compute_find.ref-store": {
+        message: "Run a fresh snapshot so refs are available, then retry find.",
+        command: "unicli compute snapshot",
+        doc: "docs/operate/troubleshooting.md#computecompute_findref-store",
+    },
+};
+const COMPUTE_NO_TRANSPORT = {
+    message: "Run the compute doctor to identify the blocked transport.",
+    command: "unicli doctor compute",
+    doc: "docs/operate/troubleshooting.md#computestepno-transport-available",
+};
+const COMPUTE_EDGE_REMEDIES = {
+    element_off_screen: {
+        message: "Scroll the element into view or take a fresh snapshot.",
+        command: "unicli compute snapshot",
+        doc: "docs/operate/troubleshooting.md#computestepelement_off_screen",
+    },
+    window_minimized: {
+        message: "Restore or focus the target window before retrying.",
+        doc: "docs/operate/troubleshooting.md#computestepwindow_minimized",
+    },
+    element_disabled: {
+        message: "Wait for the element to become enabled, then retry.",
+        command: "unicli compute wait --state enabled",
+        doc: "docs/operate/troubleshooting.md#computestepelement_disabled",
+    },
+    ref_expired: {
+        message: "The ref expired; take a fresh snapshot and retry.",
+        command: "unicli compute snapshot",
+        doc: "docs/operate/troubleshooting.md#computestepref_expired",
+    },
+    sidecar_crashed: {
+        message: "Retry once; the sidecar should restart before the next call.",
+        command: "UNICLI_TRACE=1 unicli doctor compute",
+        doc: "docs/operate/troubleshooting.md#computestepsidecar_crashed",
+    },
+    sidecar_busy: {
+        message: "Retry after the current sidecar call completes.",
+        doc: "docs/operate/troubleshooting.md#computestepsidecar_busy",
+    },
+    app_ambiguous: {
+        message: "Disambiguate the target by bundle id, process name, pid, or window id.",
+        command: "unicli compute windows --app <name>",
+        doc: "docs/operate/troubleshooting.md#computestepapp_ambiguous",
+    },
+    focus_required: {
+        message: "Retry with explicit focus only if background control is impossible.",
+        doc: "docs/operate/troubleshooting.md#computestepfocus_required",
+    },
+};
+export function lookupRemedy(minimumCapability) {
+    if (!minimumCapability)
+        return undefined;
+    if (minimumCapability in REMEDIES)
+        return REMEDIES[minimumCapability];
+    if (minimumCapability.startsWith("compute.") &&
+        minimumCapability.endsWith(".no-transport-available")) {
+        return COMPUTE_NO_TRANSPORT;
+    }
+    const edgeKey = minimumCapability.split(".").at(-1);
+    if (minimumCapability.startsWith("compute.") &&
+        edgeKey &&
+        edgeKey in COMPUTE_EDGE_REMEDIES) {
+        return COMPUTE_EDGE_REMEDIES[edgeKey];
+    }
+    return undefined;
+}
+export function enrichErrorWithRemedy(error) {
+    if (error.remedy)
+        return error;
+    const remedy = lookupRemedy(error.minimum_capability);
+    return remedy ? { ...error, remedy } : error;
+}
+//# sourceMappingURL=remedies.js.map

package/dist/engine/repair/remedies.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"remedies.js","sourceRoot":"","sources":["../../../src/engine/repair/remedies.ts"],"names":[],"mappings":"AAEA,MAAM,QAAQ,GAA6C;IACzD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,4DAA4D;QACrE,OAAO,EAAE,iCAAiC;QAC1C,GAAG,EAAE,2DAA2D;KACjE;IACD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,8DAA8D;QACvE,OAAO,EAAE,sCAAsC;QAC/C,GAAG,EAAE,2DAA2D;KACjE;IACD,wBAAwB,EAAE;QACxB,OAAO,EACL,qEAAqE;QACvE,GAAG,EAAE,uDAAuD;KAC7D;IACD,wBAAwB,EAAE;QACxB,OAAO,EAAE,4DAA4D;QACrE,OAAO,EAAE,yBAAyB;QAClC,GAAG,EAAE,uDAAuD;KAC7D;IACD,2BAA2B,EAAE;QAC3B,OAAO,EAAE,8DAA8D;QACvE,GAAG,EAAE,0DAA0D;KAChE;IACD,qBAAqB,EAAE;QACrB,OAAO,EAAE,6DAA6D;QACtE,GAAG,EAAE,oDAAoD;KAC1D;IACD,6BAA6B,EAAE;QAC7B,OAAO,EAAE,6DAA6D;QACtE,OAAO,EAAE,sCAAsC;QAC/C,GAAG,EAAE,4DAA4D;KAClE;IACD,8BAA8B,EAAE;QAC9B,OAAO,EAAE,6DAA6D;QACtE,OAAO,EAAE,iCAAiC;QAC1C,GAAG,EAAE,6DAA6D;KACnE;IACD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,mCAAmC;QAC5C,OAAO,EAAE,wCAAwC;QACjD,GAAG,EAAE,2DAA2D;KACjE;IACD,4BAA4B,EAAE;QAC5B,OAAO,EAAE,2DAA2D;QACpE,GAAG,EAAE,2DAA2D;KACjE;IACD,6BAA6B,EAAE;QAC7B,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,0BAA0B;QACnC,GAAG,EAAE,4DAA4D;KAClE;IACD,yBAAyB,EAAE;QACzB,OAAO,EAAE,qDAAqD;QAC9D,OAAO,EAAE,0BAA0B;QACnC,GAAG,EAAE,wDAAwD;KAC9D;IACD,0BAA0B,EAAE;QAC1B,OAAO,EAAE,4DAA4D;QACrE,OAAO,EAAE,yBAAyB;QAClC,GAAG,EAAE,yDAAyD;KAC/D;IACD,+BAA+B,EAAE;QAC/B,OAAO,EAAE,gEAAgE;QACzE,OAAO,EAAE,sCAAsC;QAC/C,GAAG,EAAE,8DAA8D;KACpE;IACD,uBAAuB,EAAE;QACvB,OAAO,EACL,qEAAqE;QACvE,QAAQ,EACN,+EAA+E;QACjF,GAAG,EAAE,sDAAsD;KAC5D;IACD,6BAA6B,EAAE;QAC7B,OAAO,EAAE,uDAAuD;QAChE,QAAQ,EACN,+EAA+E;QACjF,GAAG,EAAE,4DAA4D;KAClE;IACD,2BAA2B,EAAE;QAC3B,OAAO,EAAE,kEAAkE;QAC3E,OAAO,EAAE,wBAAwB;QACjC,GAAG,EAAE,0DAA0D;KAChE;IACD,2BAA2B,EAAE;QAC3B,OAAO,EACL,uEAAuE;QACzE,GAAG,EAAE,0DAA0D;KAChE;IACD,iDAAiD,EAAE;QACjD,OAAO,EAAE,uDAAuD;QAChE,OAAO,EAAE,+CAA+C;QACxD,GAAG,EAAE,gFAAgF;KACtF;IACD,gBAAgB,EAAE;QAChB,OAAO,EAAE,0DAA0D;QACnE,GAAG,EAAE,+CAA+C;KACrD;IACD,gCAAgC,EAAE;QAChC,OAAO,EAAE,8DAA8D;QACvE,OAAO,EAAE,yBAAyB;QAClC,GAAG,EAAE,8DAA8D;KACpE;CACF,CAAC;AAEF,MAAM,oBAAoB,GAAmB;IAC3C,OAAO,EAAE,2DAA2D;IACpE,OAAO,EAAE,uBAAuB;IAChC,GAAG,EAAE,mEAAmE;CACzE,CAAC;AAEF,MAAM,qBAAqB,GAA6C;IACtE,kBAAkB,EAAE;QAClB,OAAO,EAAE,wDAAwD;QACjE,OAAO,EAAE,yBAAyB;QAClC,GAAG,EAAE,+DAA+D;KACrE;IACD,gBAAgB,EAAE;QAChB,OAAO,EAAE,qDAAqD;QAC9D,GAAG,EAAE,6DAA6D;KACnE;IACD,gBAAgB,EAAE;QAChB,OAAO,EAAE,qDAAqD;QAC9D,OAAO,EAAE,qCAAqC;QAC9C,GAAG,EAAE,6DAA6D;KACnE;IACD,WAAW,EAAE;QACX,OAAO,EAAE,mDAAmD;QAC5D,OAAO,EAAE,yBAAyB;QAClC,GAAG,EAAE,wDAAwD;KAC9D;IACD,eAAe,EAAE;QACf,OAAO,EAAE,8DAA8D;QACvE,OAAO,EAAE,sCAAsC;QAC/C,GAAG,EAAE,4DAA4D;KAClE;IACD,YAAY,EAAE;QACZ,OAAO,EAAE,iDAAiD;QAC1D,GAAG,EAAE,yDAAyD;KAC/D;IACD,aAAa,EAAE;QACb,OAAO,EACL,wEAAwE;QAC1E,OAAO,EAAE,qCAAqC;QAC9C,GAAG,EAAE,0DAA0D;KAChE;IACD,cAAc,EAAE;QACd,OAAO,EACL,qEAAqE;QACvE,GAAG,EAAE,2DAA2D;KACjE;CACF,CAAC;AAEF,MAAM,UAAU,YAAY,CAC1B,iBAAqC;IAErC,IAAI,CAAC,iBAAiB;QAAE,OAAO,SAAS,CAAC;IACzC,IAAI,iBAAiB,IAAI,QAAQ;QAAE,OAAO,QAAQ,CAAC,iBAAiB,CAAC,CAAC;IACtE,IACE,iBAAiB,CAAC,UAAU,CAAC,UAAU,CAAC;QACxC,iBAAiB,CAAC,QAAQ,CAAC,yBAAyB,CAAC,EACrD,CAAC;QACD,OAAO,oBAAoB,CAAC;IAC9B,CAAC;IACD,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACpD,IACE,iBAAiB,CAAC,UAAU,CAAC,UAAU,CAAC;QACxC,OAAO;QACP,OAAO,IAAI,qBAAqB,EAChC,CAAC;QACD,OAAO,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,KAAoB;IACxD,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,MAAM,GAAG,YAAY,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACtD,OAAO,MAAM,CAAC,CAAC,CAAC,EAAE,GAAG,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC"}