agentdb 3.0.0-alpha.11 → 3.0.0-alpha.13
- package/dist/src/backends/graph/GraphDatabaseAdapter.d.ts +54 -0
- package/dist/src/backends/graph/GraphDatabaseAdapter.d.ts.map +1 -1
- package/dist/src/backends/graph/GraphDatabaseAdapter.js +125 -0
- package/dist/src/backends/graph/GraphDatabaseAdapter.js.map +1 -1
- package/dist/src/cli/agentdb-cli.js +0 -0
- package/dist/src/controllers/ReflexionMemory.d.ts +50 -0
- package/dist/src/controllers/ReflexionMemory.d.ts.map +1 -1
- package/dist/src/controllers/ReflexionMemory.js +258 -0
- package/dist/src/controllers/ReflexionMemory.js.map +1 -1
- package/dist/src/controllers/index.d.ts +2 -0
- package/dist/src/controllers/index.d.ts.map +1 -1
- package/dist/src/controllers/index.js +2 -0
- package/dist/src/controllers/index.js.map +1 -1
- package/dist/src/controllers/prerequisites.d.ts +76 -0
- package/dist/src/controllers/prerequisites.d.ts.map +1 -0
- package/dist/src/controllers/prerequisites.js +235 -0
- package/dist/src/controllers/prerequisites.js.map +1 -0
- package/dist/src/db-fallback.d.ts.map +1 -1
- package/dist/src/db-fallback.js +55 -45
- package/dist/src/db-fallback.js.map +1 -1
- package/package.json +1 -1
- package/dist/schemas/frontier-schema.sql +0 -378
- package/dist/schemas/schema.sql +0 -382
- package/dist/src/backends/index.cjs +0 -6
- package/dist/src/backends/ruvector/GuardedVectorBackend.d.ts +0 -93
- package/dist/src/backends/ruvector/GuardedVectorBackend.d.ts.map +0 -1
- package/dist/src/backends/ruvector/GuardedVectorBackend.js +0 -182
- package/dist/src/backends/ruvector/GuardedVectorBackend.js.map +0 -1
- package/dist/src/consensus/RaftConsensus.d.ts +0 -220
- package/dist/src/consensus/RaftConsensus.d.ts.map +0 -1
- package/dist/src/consensus/RaftConsensus.js +0 -762
- package/dist/src/consensus/RaftConsensus.js.map +0 -1
- package/dist/src/controllers/HierarchicalMemory.d.ts +0 -197
- package/dist/src/controllers/HierarchicalMemory.d.ts.map +0 -1
- package/dist/src/controllers/HierarchicalMemory.js +0 -519
- package/dist/src/controllers/HierarchicalMemory.js.map +0 -1
- package/dist/src/controllers/MemoryConsolidation.d.ts +0 -142
- package/dist/src/controllers/MemoryConsolidation.d.ts.map +0 -1
- package/dist/src/controllers/MemoryConsolidation.js +0 -479
- package/dist/src/controllers/MemoryConsolidation.js.map +0 -1
- package/dist/src/controllers/QUICConnection.d.ts +0 -122
- package/dist/src/controllers/QUICConnection.d.ts.map +0 -1
- package/dist/src/controllers/QUICConnection.js +0 -329
- package/dist/src/controllers/QUICConnection.js.map +0 -1
- package/dist/src/controllers/QUICConnectionPool.d.ts +0 -83
- package/dist/src/controllers/QUICConnectionPool.d.ts.map +0 -1
- package/dist/src/controllers/QUICConnectionPool.js +0 -256
- package/dist/src/controllers/QUICConnectionPool.js.map +0 -1
- package/dist/src/controllers/QUICStreamManager.d.ts +0 -114
- package/dist/src/controllers/QUICStreamManager.d.ts.map +0 -1
- package/dist/src/controllers/QUICStreamManager.js +0 -267
- package/dist/src/controllers/QUICStreamManager.js.map +0 -1
- package/dist/src/controllers/StreamingEmbeddingService.d.ts +0 -82
- package/dist/src/controllers/StreamingEmbeddingService.d.ts.map +0 -1
- package/dist/src/controllers/StreamingEmbeddingService.js +0 -243
- package/dist/src/controllers/StreamingEmbeddingService.js.map +0 -1
- package/dist/src/controllers/index.cjs +0 -6
- package/dist/src/coordination/MultiDatabaseCoordinator.d.ts +0 -348
- package/dist/src/coordination/MultiDatabaseCoordinator.d.ts.map +0 -1
- package/dist/src/coordination/MultiDatabaseCoordinator.js +0 -803
- package/dist/src/coordination/MultiDatabaseCoordinator.js.map +0 -1
- package/dist/src/coordination/index.d.ts +0 -10
- package/dist/src/coordination/index.d.ts.map +0 -1
- package/dist/src/coordination/index.js +0 -10
- package/dist/src/coordination/index.js.map +0 -1
- package/dist/src/index.cjs +0 -6
- package/dist/src/optimizations/RVFOptimizer.d.ts +0 -226
- package/dist/src/optimizations/RVFOptimizer.d.ts.map +0 -1
- package/dist/src/optimizations/RVFOptimizer.js +0 -541
- package/dist/src/optimizations/RVFOptimizer.js.map +0 -1
- package/dist/src/security/AttestationLog.d.ts +0 -70
- package/dist/src/security/AttestationLog.d.ts.map +0 -1
- package/dist/src/security/AttestationLog.js +0 -174
- package/dist/src/security/AttestationLog.js.map +0 -1
- package/dist/src/security/MutationGuard.d.ts +0 -83
- package/dist/src/security/MutationGuard.d.ts.map +0 -1
- package/dist/src/security/MutationGuard.js +0 -364
- package/dist/src/security/MutationGuard.js.map +0 -1
- package/dist/src/security/index.cjs +0 -6
- package/dist/src/security/index.d.ts +0 -15
- package/dist/src/security/index.d.ts.map +0 -1
- package/dist/src/security/index.js +0 -18
- package/dist/src/security/index.js.map +0 -1
- package/dist/src/services/GNNService.d.ts +0 -173
- package/dist/src/services/GNNService.d.ts.map +0 -1
- package/dist/src/services/GNNService.js +0 -639
- package/dist/src/services/GNNService.js.map +0 -1
- package/dist/src/services/GraphTransformerService.d.ts +0 -80
- package/dist/src/services/GraphTransformerService.d.ts.map +0 -1
- package/dist/src/services/GraphTransformerService.js +0 -369
- package/dist/src/services/GraphTransformerService.js.map +0 -1
- package/dist/src/services/SemanticRouter.d.ts +0 -83
- package/dist/src/services/SemanticRouter.d.ts.map +0 -1
- package/dist/src/services/SemanticRouter.js +0 -160
- package/dist/src/services/SemanticRouter.js.map +0 -1
- package/dist/src/services/SonaTrajectoryService.d.ts +0 -224
- package/dist/src/services/SonaTrajectoryService.d.ts.map +0 -1
- package/dist/src/services/SonaTrajectoryService.js +0 -539
- package/dist/src/services/SonaTrajectoryService.js.map +0 -1
- package/dist/src/utils/LegacyAttentionAdapter.d.ts +0 -93
- package/dist/src/utils/LegacyAttentionAdapter.d.ts.map +0 -1
- package/dist/src/utils/LegacyAttentionAdapter.js +0 -241
- package/dist/src/utils/LegacyAttentionAdapter.js.map +0 -1
- package/dist/src/utils/vector-math.d.ts +0 -29
- package/dist/src/utils/vector-math.d.ts.map +0 -1
- package/dist/src/utils/vector-math.js +0 -66
- package/dist/src/utils/vector-math.js.map +0 -1
|
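--- a/package/dist/src/security/AttestationLog.js
+++ b/package/dist/src/security/AttestationLog.js
@@ -1,174 +0,0 @@
-/**
-* ADR-060: Attestation Log
-*
-* Append-only audit log for every MutationProof and MutationDenial.
-* Backed by a better-sqlite3 (or sql.js) compatible database instance.
-*
-* The caller is responsible for opening the database and passing it in.
-* This class only creates the table schema if it does not exist yet.
-*/
-// ---------------------------------------------------------------------------
-// Schema
-// ---------------------------------------------------------------------------
-const CREATE_TABLE_SQL = `
-CREATE TABLE IF NOT EXISTS mutation_attestations (
-id INTEGER PRIMARY KEY AUTOINCREMENT,
-ts INTEGER NOT NULL DEFAULT (strftime('%s','now')),
-operation TEXT NOT NULL,
-proof_hash TEXT,
-agent_id TEXT NOT NULL,
-namespace TEXT NOT NULL DEFAULT 'default',
-status TEXT NOT NULL CHECK (status IN ('proved','denied')),
-denial_reason TEXT,
-denial_code TEXT,
-wasm_proof_id INTEGER,
-metadata TEXT
-);
-`;
-const CREATE_INDEXES_SQL = `
-CREATE INDEX IF NOT EXISTS idx_attestations_ts ON mutation_attestations(ts);
-CREATE INDEX IF NOT EXISTS idx_attestations_agent ON mutation_attestations(agent_id);
-CREATE INDEX IF NOT EXISTS idx_attestations_status ON mutation_attestations(status);
-`;
-// ---------------------------------------------------------------------------
-// AttestationLog
-// ---------------------------------------------------------------------------
-export class AttestationLog {
-db;
-constructor(db) {
-this.db = db;
-try {
-this.db.exec(CREATE_TABLE_SQL);
-this.db.exec(CREATE_INDEXES_SQL);
-}
-catch (err) {
-const msg = err instanceof Error ? err.message : String(err);
-throw new Error(`AttestationLog schema creation failed: ${msg}`);
-}
-}
-/**
-* Record a successful mutation proof.
-*/
-record(proof) {
-const stmt = this.db.prepare(`
-INSERT INTO mutation_attestations
-(ts, operation, proof_hash, agent_id, namespace, status, wasm_proof_id, metadata)
-VALUES
-(?, ?, ?, ?, ?, 'proved', ?, ?)
-`);
-const ts = Math.floor(proof.timestamp / 1000);
-stmt.run(ts, proof.operation, proof.structuralHash, proof.attestation.agentId, proof.attestation.namespace, proof.wasmProofId ?? null, JSON.stringify({ invariantChecks: proof.invariantChecks }));
-}
-/**
-* Record a denied mutation.
-*/
-recordDenial(denial, agentId, namespace) {
-const stmt = this.db.prepare(`
-INSERT INTO mutation_attestations
-(ts, operation, agent_id, namespace, status, denial_reason, denial_code, metadata)
-VALUES
-(?, ?, ?, ?, 'denied', ?, ?, ?)
-`);
-const ts = Math.floor(denial.timestamp / 1000);
-stmt.run(ts, denial.operation, agentId, namespace, denial.reason, denial.code, denial.field ? JSON.stringify({ field: denial.field }) : null);
-}
-/**
-* Query attestation records with optional filters.
-* All filters use parameterized queries to prevent injection.
-*/
-query(opts = {}) {
-const conditions = [];
-const params = [];
-if (opts.agentId !== undefined) {
-conditions.push('agent_id = ?');
-params.push(opts.agentId);
-}
-if (opts.namespace !== undefined) {
-conditions.push('namespace = ?');
-params.push(opts.namespace);
-}
-if (opts.status !== undefined) {
-conditions.push('status = ?');
-params.push(opts.status);
-}
-if (opts.since !== undefined) {
-conditions.push('ts >= ?');
-params.push(Math.floor(opts.since / 1000));
-}
-const where = conditions.length > 0
-? `WHERE ${conditions.join(' AND ')}`
-: '';
-const limit = opts.limit !== undefined && opts.limit > 0
-? `LIMIT ?`
-: '';
-if (limit) {
-params.push(opts.limit);
-}
-const sql = `SELECT * FROM mutation_attestations ${where} ORDER BY ts DESC ${limit}`;
-return this.db.prepare(sql).all(...params);
-}
-/**
-* Aggregate denial patterns grouped by denial_code.
-*/
-getDenialPatterns(since) {
-let sql;
-const params = [];
-if (since !== undefined) {
-sql = `
-SELECT
-denial_code AS code,
-COUNT(*) AS count,
-MAX(ts) AS lastSeen
-FROM mutation_attestations
-WHERE status = 'denied' AND ts >= ?
-GROUP BY denial_code
-ORDER BY count DESC
-`;
-params.push(Math.floor(since / 1000));
-}
-else {
-sql = `
-SELECT
-denial_code AS code,
-COUNT(*) AS count,
-MAX(ts) AS lastSeen
-FROM mutation_attestations
-WHERE status = 'denied'
-GROUP BY denial_code
-ORDER BY count DESC
-`;
-}
-return this.db.prepare(sql).all(...params);
-}
-/**
-* Delete attestation records older than the given age in milliseconds.
-* Returns the number of deleted rows.
-*/
-prune(olderThanMs) {
-const cutoffTs = Math.floor((Date.now() - olderThanMs) / 1000);
-const result = this.db.prepare('DELETE FROM mutation_attestations WHERE ts < ?').run(cutoffTs);
-return result.changes ?? 0;
-}
-/**
-* Summary statistics for the attestation log.
-*/
-getStats() {
-const row = this.db.prepare(`
-SELECT
-COUNT(*) AS total,
-SUM(CASE WHEN status = 'proved' THEN 1 ELSE 0 END) AS proved,
-SUM(CASE WHEN status = 'denied' THEN 1 ELSE 0 END) AS denied,
-COUNT(DISTINCT agent_id) AS uniqueAgents,
-MIN(ts) AS oldestTs
-FROM mutation_attestations
-`).get();
-return {
-total: row?.total ?? 0,
-proved: row?.proved ?? 0,
-denied: row?.denied ?? 0,
-uniqueAgents: row?.uniqueAgents ?? 0,
-oldestTs: row?.oldestTs ?? 0,
-};
-}
-}
-//# sourceMappingURL=AttestationLog.js.map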
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"AttestationLog.js","sourceRoot":"","sources":["../../../src/security/AttestationLog.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAiBH,8EAA8E;AAC9E,SAAS;AACT,8EAA8E;AAE9E,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;CAcxB,CAAC;AAEF,MAAM,kBAAkB,GAAG;;;;CAI1B,CAAC;AA4BF,8EAA8E;AAC9E,iBAAiB;AACjB,8EAA8E;AAE9E,MAAM,OAAO,cAAc;IACR,EAAE,CAAe;IAElC,YAAY,EAAgB;QAC1B,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,IAAI,CAAC;YACH,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;YAC/B,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QACnC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,MAAM,IAAI,KAAK,CAAC,0CAA0C,GAAG,EAAE,CAAC,CAAC;QACnE,CAAC;IACH,CAAC;IAED;;OAEG;IACH,MAAM,CAAC,KAAoB;QACzB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;KAK5B,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;QAC9C,IAAI,CAAC,GAAG,CACN,EAAE,EACF,KAAK,CAAC,SAAS,EACf,KAAK,CAAC,cAAc,EACpB,KAAK,CAAC,WAAW,CAAC,OAAO,EACzB,KAAK,CAAC,WAAW,CAAC,SAAS,EAC3B,KAAK,CAAC,WAAW,IAAI,IAAI,EACzB,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,CAAC,eAAe,EAAE,CAAC,CAC3D,CAAC;IACJ,CAAC;IAED;;OAEG;IACH,YAAY,CAAC,MAAsB,EAAE,OAAe,EAAE,SAAiB;QACrE,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;KAK5B,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC;QAC/C,IAAI,CAAC,GAAG,CACN,EAAE,EACF,MAAM,CAAC,SAAS,EAChB,OAAO,EACP,SAAS,EACT,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,EACX,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAC9D,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAgC,EAAE;QACtC,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,MAAM,MAAM,GAAU,EAAE,CAAC;QAEzB,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;YAC/B,UAAU,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAC5B,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;YACjC,UAAU,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACjC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9B,
CAAC;QAED,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC9B,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC3B,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,KAAK,SAAS,EAAE,CAAC;YAC7B,UAAU,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC;QAC7C,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,MAAM,GAAG,CAAC;YACjC,CAAC,CAAC,SAAS,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;YACrC,CAAC,CAAC,EAAE,CAAC;QAEP,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,KAAK,GAAG,CAAC;YACtD,CAAC,CAAC,SAAS;YACX,CAAC,CAAC,EAAE,CAAC;QACP,IAAI,KAAK,EAAE,CAAC;YACV,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC1B,CAAC;QAED,MAAM,GAAG,GAAG,uCAAuC,KAAK,qBAAqB,KAAK,EAAE,CAAC;QACrF,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;IAC7C,CAAC;IAED;;OAEG;IACH,iBAAiB,CAAC,KAAc;QAC9B,IAAI,GAAW,CAAC;QAChB,MAAM,MAAM,GAAU,EAAE,CAAC;QAEzB,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YACxB,GAAG,GAAG;;;;;;;;;OASL,CAAC;YACF,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,CAAC;QACxC,CAAC;aAAM,CAAC;YACN,GAAG,GAAG;;;;;;;;;OASL,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,MAAM,CAAoB,CAAC;IAChE,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,WAAmB;QACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,WAAW,CAAC,GAAG,IAAI,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAC5B,gDAAgD,CACjD,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QAChB,OAAO,MAAM,CAAC,OAAO,IAAI,CAAC,CAAC;IAC7B,CAAC;IAED;;OAEG;IACH,QAAQ;QACN,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC;;;;;;;;KAQ3B,CAAC,CAAC,GAAG,EAAwC,CAAC;QAE/C,OAAO;YACL,KAAK,EAAE,GAAG,EAAE,KAAK,IAAI,CAAC;YACtB,MAAM,EAAE,GAAG,EAAE,MAAM,IAAI,CAAC;YACxB,MAAM,EAAE,GAAG,EAAE,MAAM,IAAI,CAAC;YACxB,YAAY,EAAE,GAAG,EAAE,YAAY,IAAI,CAAC;YACpC,QAAQ,EAAE,GAAG,EAAE,QAAQ,IAAI,CAAC;SAC7B,CAAC;IACJ,CAAC;CACF"}
|
|
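--- a/package/dist/src/security/MutationGuard.d.ts
+++ b/package/dist/src/security/MutationGuard.d.ts
@@ -1,83 +0,0 @@
-/**
-* ADR-060: Proof-Gated State Mutation
-*
-* MutationGuard is the single validation gate between controllers and backends.
-* Every mutation must produce a MutationProof before the backend executes it.
-* If validation fails a MutationDenial is returned instead.
-* Optional WASM-accelerated proofs via @ruvnet/ruvector-verified-wasm.
-*/
-export interface MutationProof {
-id: string;
-operation: 'insert' | 'search' | 'remove' | 'batch_insert' | 'save' | 'load';
-timestamp: number;
-structuralHash: string;
-attestation: AttestationToken;
-invariantChecks: InvariantResult[];
-wasmProofId?: number;
-valid: true;
-}
-export interface AttestationToken {
-agentId: string;
-namespace: string;
-scope: 'read' | 'write' | 'admin';
-issuedAt: number;
-expiresAt: number;
-}
-export interface InvariantResult {
-check: string;
-passed: boolean;
-}
-export interface MutationDenial {
-operation: string;
-reason: string;
-code: string;
-field?: string;
-timestamp: number;
-}
-export interface GuardConfig {
-dimension: number;
-maxElements: number;
-enableWasmProofs: boolean;
-enableAttestationLog: boolean;
-defaultNamespace: string;
-}
-export declare class MutationGuard {
-private readonly config;
-private vectorCount;
-private wasmEnv;
-private wasmAvailable;
-private engineType;
-private nextWasmProofId;
-private proofsIssuedCount;
-private denialsCount;
-private proofTimesNs;
-constructor(config: GuardConfig);
-initialize(): Promise<void>;
-private validateToken;
-proveInsert(id: string, embedding: Float32Array, metadata?: Record<string, any>, token?: AttestationToken): MutationProof | MutationDenial;
-proveSearch(query: Float32Array, k: number, options?: any, token?: AttestationToken): MutationProof | MutationDenial;
-proveBatchInsert(items: Array<{
-id: string;
-embedding: Float32Array;
-metadata?: Record<string, any>;
-}>, token?: AttestationToken): MutationProof | MutationDenial;
-proveRemove(id: string, token?: AttestationToken): MutationProof | MutationDenial;
-proveSave(path: string, token?: AttestationToken): MutationProof | MutationDenial;
-proveLoad(path: string, token?: AttestationToken): MutationProof | MutationDenial;
-createToken(agentId: string, namespace: string, scope: 'read' | 'write' | 'admin', ttlMs?: number): AttestationToken;
-getStats(): {
-proofsIssued: number;
-denials: number;
-wasmAvailable: boolean;
-engineType: string;
-avgProofTimeNs: number;
-};
-static isDenial(result: MutationProof | MutationDenial): result is MutationDenial;
-getVectorCount(): number;
-setVectorCount(count: number): void;
-private buildProof;
-private validateSafePath;
-private hrtimeNs;
-private recordProofTime;
-}
-//# sourceMappingURL=MutationGuard.d.ts.map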
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"MutationGuard.d.ts","sourceRoot":"","sources":["../../../src/security/MutationGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAaH,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,cAAc,GAAG,MAAM,GAAG,MAAM,CAAC;IAC7E,SAAS,EAAE,MAAM,CAAC;IAClB,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,gBAAgB,CAAC;IAC9B,eAAe,EAAE,eAAe,EAAE,CAAC;IACnC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,IAAI,CAAC;CACb;AAED,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,OAAO,CAAC;CACjB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,WAAW;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,oBAAoB,EAAE,OAAO,CAAC;IAC9B,gBAAgB,EAAE,MAAM,CAAC;CAC1B;AA2BD,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAc;IACrC,OAAO,CAAC,WAAW,CAAK;IACxB,OAAO,CAAC,OAAO,CAAa;IAC5B,OAAO,CAAC,aAAa,CAAS;IAC9B,OAAO,CAAC,UAAU,CAAkD;IACpE,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,YAAY,CAAK;IACzB,OAAO,CAAC,YAAY,CAAgB;gBAExB,MAAM,EAAE,WAAW;IAIzB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAuCjC,OAAO,CAAC,aAAa;IAOrB,WAAW,CACT,EAAE,EAAE,MAAM,EAAE,SAAS,EAAE,YAAY,EACnC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE,KAAK,CAAC,EAAE,gBAAgB,GACvD,aAAa,GAAG,cAAc;IAgEjC,WAAW,CACT,KAAK,EAAE,YAAY,EAAE,CAAC,EAAE,MAAM,EAC9B,OAAO,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,EAAE,gBAAgB,GACtC,aAAa,GAAG,cAAc;IA4BjC,gBAAgB,CACd,KAAK,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,YAAY,CAAC;QAAC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAE,CAAC,EACrF,KAAK,CAAC,EAAE,gBAAgB,GACvB,aAAa,GAAG,cAAc;IA0DjC,WAAW,CAAC,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,gBAAgB,GAAG,aAAa,GAAG,cAAc;IAoBjF,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,gBAAgB,GAAG,aAAa,GAAG,cAAc;
IAcjF,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,gBAAgB,GAAG,aAAa,GAAG,cAAc;IAcjF,WAAW,CACT,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAClC,KAAK,EAAE,MAAM,GAAG,OAAO,GAAG,OAAO,EAAE,KAAK,GAAE,MAA6B,GACtE,gBAAgB;IAKnB,QAAQ,IAAI;QAAE,YAAY,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,OAAO,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,cAAc,EAAE,MAAM,CAAA;KAAE;IAOzH,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,aAAa,GAAG,cAAc,GAAG,MAAM,IAAI,cAAc;IAIjF,cAAc,IAAI,MAAM;IAExB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;IAEnC,OAAO,CAAC,UAAU;IAWlB,OAAO,CAAC,gBAAgB;IAcxB,OAAO,CAAC,QAAQ;IAEhB,OAAO,CAAC,eAAe;CAKxB"}
|
|
@@ -1,364 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* ADR-060: Proof-Gated State Mutation
|
|
3
|
-
*
|
|
4
|
-
* MutationGuard is the single validation gate between controllers and backends.
|
|
5
|
-
* Every mutation must produce a MutationProof before the backend executes it.
|
|
6
|
-
* If validation fails a MutationDenial is returned instead.
|
|
7
|
-
* Optional WASM-accelerated proofs via @ruvnet/ruvector-verified-wasm.
|
|
8
|
-
*/
|
|
9
|
-
import { createHash, randomUUID } from 'crypto';
|
|
10
|
-
import { posix as posixPath } from 'path';
|
|
11
|
-
import { validateVector, validateVectorId, validateSearchOptions, SECURITY_LIMITS, sanitizeMetadata, } from './validation.js';
|
|
12
|
-
const DEFAULT_TOKEN_TTL_MS = 300_000; // 5 minutes
|
|
13
|
-
const PROOF_TIME_WINDOW_SIZE = 200;
|
|
14
|
-
function makeDefaultToken(ns) {
|
|
15
|
-
const now = Date.now();
|
|
16
|
-
return { agentId: 'system', namespace: ns, scope: 'write', issuedAt: now, expiresAt: now + DEFAULT_TOKEN_TTL_MS };
|
|
17
|
-
}
|
|
18
|
-
function hashInsertInputs(id, embedding) {
|
|
19
|
-
const h = createHash('sha256');
|
|
20
|
-
h.update(id);
|
|
21
|
-
h.update(Buffer.from(embedding.buffer, embedding.byteOffset, embedding.byteLength));
|
|
22
|
-
return h.digest('hex');
|
|
23
|
-
}
|
|
24
|
-
function hashBytes(...parts) {
|
|
25
|
-
const h = createHash('sha256');
|
|
26
|
-
for (const p of parts)
|
|
27
|
-
h.update(p);
|
|
28
|
-
return h.digest('hex');
|
|
29
|
-
}
|
|
30
|
-
function deny(operation, reason, code, field) {
|
|
31
|
-
return { operation, reason, code, field, timestamp: Date.now() };
|
|
32
|
-
}
|
|
33
|
-
export class MutationGuard {
|
|
34
|
-
config;
|
|
35
|
-
vectorCount = 0;
|
|
36
|
-
wasmEnv = null;
|
|
37
|
-
wasmAvailable = false;
|
|
38
|
-
engineType = 'js';
|
|
39
|
-
nextWasmProofId = 1;
|
|
40
|
-
proofsIssuedCount = 0;
|
|
41
|
-
denialsCount = 0;
|
|
42
|
-
proofTimesNs = [];
|
|
43
|
-
constructor(config) {
|
|
44
|
-
this.config = config;
|
|
45
|
-
}
|
|
46
|
-
async initialize() {
|
|
47
|
-
if (!this.config.enableWasmProofs)
|
|
48
|
-
return;
|
|
49
|
-
// Use GraphTransformerService for unified proof backend
|
|
50
|
-
try {
|
|
51
|
-
const { GraphTransformerService } = await import('../services/GraphTransformerService.js');
|
|
52
|
-
const gts = new GraphTransformerService();
|
|
53
|
-
await gts.initialize();
|
|
54
|
-
if (gts.isAvailable()) {
|
|
55
|
-
this.wasmEnv = gts;
|
|
56
|
-
this.wasmAvailable = true;
|
|
57
|
-
const stats = gts.getStats();
|
|
58
|
-
this.engineType = stats.engineType === 'native' ? 'native' : 'wasm';
|
|
59
|
-
console.log(`[MutationGuard] Initialized with ${this.engineType} proof engine`);
|
|
60
|
-
return;
|
|
61
|
-
}
|
|
62
|
-
}
|
|
63
|
-
catch (error) {
|
|
64
|
-
console.warn('[MutationGuard] GraphTransformerService initialization failed:', error);
|
|
65
|
-
}
|
|
66
|
-
// Legacy fallback: @ruvnet/ruvector-verified-wasm
|
|
67
|
-
try {
|
|
68
|
-
const mod = await import('@ruvnet/ruvector-verified-wasm');
|
|
69
|
-
if (mod && typeof mod.JsProofEnv === 'function') {
|
|
70
|
-
this.wasmEnv = new mod.JsProofEnv();
|
|
71
|
-
this.wasmAvailable = true;
|
|
72
|
-
this.engineType = 'legacy-wasm';
|
|
73
|
-
console.log('[MutationGuard] Using legacy verified-wasm proof engine');
|
|
74
|
-
return;
|
|
75
|
-
}
|
|
76
|
-
}
|
|
77
|
-
catch { /* legacy WASM not available */ }
|
|
78
|
-
// Pure JS validation fallback (no attestations, but still validates)
|
|
79
|
-
this.engineType = 'js';
|
|
80
|
-
this.wasmAvailable = false;
|
|
81
|
-
console.log('[MutationGuard] No accelerated proof engine available, using JS validation');
|
|
82
|
-
}
|
|
83
|
-
validateToken(token) {
|
|
84
|
-
if (token.expiresAt < Date.now()) {
|
|
85
|
-
return deny('token_validation', 'Authentication token expired', 'TOKEN_EXPIRED');
|
|
86
|
-
}
|
|
87
|
-
return null;
|
|
88
|
-
}
|
|
89
|
-
proveInsert(id, embedding, metadata, token) {
|
|
90
|
-
const start = this.hrtimeNs();
|
|
91
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
92
|
-
const tokenErr = this.validateToken(att);
|
|
93
|
-
if (tokenErr) {
|
|
94
|
-
this.denialsCount++;
|
|
95
|
-
return tokenErr;
|
|
96
|
-
}
|
|
97
|
-
const inv = [];
|
|
98
|
-
try {
|
|
99
|
-
validateVectorId(id);
|
|
100
|
-
}
|
|
101
|
-
catch (err) {
|
|
102
|
-
this.denialsCount++;
|
|
103
|
-
const ve = err;
|
|
104
|
-
return deny('insert', ve.message, ve.code ?? 'INVALID_ID', ve.field);
|
|
105
|
-
}
|
|
106
|
-
try {
|
|
107
|
-
validateVector(embedding, this.config.dimension);
|
|
108
|
-
}
|
|
109
|
-
catch (err) {
|
|
110
|
-
this.denialsCount++;
|
|
111
|
-
const ve = err;
|
|
112
|
-
return deny('insert', ve.message, ve.code ?? 'INVALID_VECTOR', ve.field);
|
|
113
|
-
}
|
|
114
|
-
if (metadata) {
|
|
115
|
-
try {
|
|
116
|
-
sanitizeMetadata(metadata);
|
|
117
|
-
}
|
|
118
|
-
catch (err) {
|
|
119
|
-
this.denialsCount++;
|
|
120
|
-
const ve = err;
|
|
121
|
-
return deny('insert', ve.message, ve.code ?? 'INVALID_METADATA', ve.field);
|
|
122
|
-
}
|
|
123
|
-
}
|
|
124
|
-
const capacityOk = this.vectorCount < this.config.maxElements;
|
|
125
|
-
inv.push({ check: 'capacity', passed: capacityOk });
|
|
126
|
-
if (!capacityOk) {
|
|
127
|
-
this.denialsCount++;
|
|
128
|
-
return deny('insert', 'Index capacity exceeded', 'CAPACITY_EXCEEDED');
|
|
129
|
-
}
|
|
130
|
-
let wasmProofId;
|
|
131
|
-
let attestationBytes;
|
|
132
|
-
if (this.wasmAvailable && this.wasmEnv) {
|
|
133
|
-
try {
|
|
134
|
-
if (this.engineType === 'native' || this.engineType === 'wasm') {
|
|
135
|
-
// GraphTransformerService provides unified API
|
|
136
|
-
const dimProof = this.wasmEnv.proveDimension(this.config.dimension, embedding.length);
|
|
137
|
-
if (dimProof && dimProof.verified !== false) {
|
|
138
|
-
wasmProofId = dimProof.proof_id ?? this.nextWasmProofId++;
|
|
139
|
-
attestationBytes = this.wasmEnv.createAttestation?.(wasmProofId) ?? undefined;
|
|
140
|
-
inv.push({ check: `graph_transformer_${this.engineType}_verify`, passed: true });
|
|
141
|
-
}
|
|
142
|
-
else {
|
|
143
|
-
inv.push({ check: `graph_transformer_${this.engineType}_verify`, passed: false });
|
|
144
|
-
}
|
|
145
|
-
}
|
|
146
|
-
else if (this.engineType === 'legacy-wasm') {
|
|
147
|
-
// Legacy @ruvnet/ruvector-verified-wasm
|
|
148
|
-
this.wasmEnv.verify_dim_check(this.config.dimension, embedding);
|
|
149
|
-
wasmProofId = this.nextWasmProofId++;
|
|
150
|
-
this.wasmEnv.create_attestation(wasmProofId);
|
|
151
|
-
inv.push({ check: 'legacy_wasm_dim_verify', passed: true });
|
|
152
|
-
}
|
|
153
|
-
}
|
|
154
|
-
catch (error) {
|
|
155
|
-
inv.push({ check: 'proof_engine_verify', passed: false });
|
|
156
|
-
}
|
|
157
|
-
}
|
|
158
|
-
this.vectorCount++;
|
|
159
|
-
const proof = this.buildProof('insert', hashInsertInputs(id, embedding), att, inv, wasmProofId);
|
|
160
|
-
this.recordProofTime(start);
|
|
161
|
-
return proof;
|
|
162
|
-
}
|
|
163
|
-
proveSearch(query, k, options, token) {
|
|
164
|
-
const start = this.hrtimeNs();
|
|
165
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
166
|
-
const tokenErr = this.validateToken(att);
|
|
167
|
-
if (tokenErr) {
|
|
168
|
-
this.denialsCount++;
|
|
169
|
-
return tokenErr;
|
|
170
|
-
}
|
|
171
|
-
const inv = [];
|
|
172
|
-
try {
|
|
173
|
-
validateVector(query, this.config.dimension);
|
|
174
|
-
}
|
|
175
|
-
catch (err) {
|
|
176
|
-
this.denialsCount++;
|
|
177
|
-
const ve = err;
|
|
178
|
-
return deny('search', ve.message, ve.code ?? 'INVALID_VECTOR', ve.field);
|
|
179
|
-
}
|
|
180
|
-
try {
|
|
181
|
-
validateSearchOptions({ k, ...options });
|
|
182
|
-
}
|
|
183
|
-
catch (err) {
|
|
184
|
-
this.denialsCount++;
|
|
185
|
-
const ve = err;
|
|
186
|
-
return deny('search', ve.message, ve.code ?? 'INVALID_SEARCH_OPTIONS', ve.field);
|
|
187
|
-
}
|
|
188
|
-
inv.push({ check: 'query_valid', passed: true });
|
|
189
|
-
inv.push({ check: 'options_valid', passed: true });
|
|
190
|
-
const structuralHash = hashBytes(Buffer.from(query.buffer, query.byteOffset, query.byteLength), String(k));
|
|
191
|
-
const proof = this.buildProof('search', structuralHash, att, inv);
|
|
192
|
-
this.recordProofTime(start);
|
|
193
|
-
return proof;
|
|
194
|
-
}
|
|
195
|
-
proveBatchInsert(items, token) {
|
|
196
|
-
const start = this.hrtimeNs();
|
|
197
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
198
|
-
const tokenErr = this.validateToken(att);
|
|
199
|
-
if (tokenErr) {
|
|
200
|
-
this.denialsCount++;
|
|
201
|
-
return tokenErr;
|
|
202
|
-
}
|
|
203
|
-
const inv = [];
|
|
204
|
-
if (!items || items.length === 0) {
|
|
205
|
-
this.denialsCount++;
|
|
206
|
-
return deny('batch_insert', 'Batch is empty', 'EMPTY_BATCH');
|
|
207
|
-
}
|
|
208
|
-
if (items.length > SECURITY_LIMITS.MAX_BATCH_SIZE) {
|
|
209
|
-
this.denialsCount++;
|
|
210
|
-
return deny('batch_insert', 'Batch size exceeds maximum allowed limit', 'BATCH_SIZE_EXCEEDED');
|
|
211
|
-
}
|
|
212
|
-
inv.push({ check: 'batch_size', passed: true });
|
|
213
|
-
for (let i = 0; i < items.length; i++) {
|
|
214
|
-
const item = items[i];
|
|
215
|
-
try {
|
|
216
|
-
validateVectorId(item.id);
|
|
217
|
-
}
|
|
218
|
-
catch (err) {
|
|
219
|
-
this.denialsCount++;
|
|
220
|
-
const ve = err;
|
|
221
|
-
return deny('batch_insert', `Item ${i}: ${ve.message}`, ve.code ?? 'INVALID_ID', `items[${i}].id`);
|
|
222
|
-
}
|
|
223
|
-
try {
|
|
224
|
-
validateVector(item.embedding, this.config.dimension);
|
|
225
|
-
}
|
|
226
|
-
catch (err) {
|
|
227
|
-
this.denialsCount++;
|
|
228
|
-
const ve = err;
|
|
229
|
-
return deny('batch_insert', `Item ${i}: ${ve.message}`, ve.code ?? 'INVALID_VECTOR', `items[${i}].embedding`);
|
|
230
|
-
}
|
|
231
|
-
if (item.metadata) {
|
|
232
|
-
try {
|
|
233
|
-
sanitizeMetadata(item.metadata);
|
|
234
|
-
}
|
|
235
|
-
catch (err) {
|
|
236
|
-
this.denialsCount++;
|
|
237
|
-
const ve = err;
|
|
238
|
-
return deny('batch_insert', `Item ${i}: ${ve.message}`, ve.code ?? 'INVALID_METADATA', `items[${i}].metadata`);
|
|
239
|
-
}
|
|
240
|
-
}
|
|
241
|
-
}
|
|
242
|
-
inv.push({ check: 'items_valid', passed: true });
|
|
243
|
-
const capacityOk = this.vectorCount + items.length <= this.config.maxElements;
|
|
244
|
-
inv.push({ check: 'capacity', passed: capacityOk });
|
|
245
|
-
if (!capacityOk) {
|
|
246
|
-
this.denialsCount++;
|
|
247
|
-
return deny('batch_insert', 'Batch would exceed index capacity', 'CAPACITY_EXCEEDED');
|
|
248
|
-
}
|
|
249
|
-
const h = createHash('sha256');
|
|
250
|
-
for (const item of items) {
|
|
251
|
-
h.update(item.id);
|
|
252
|
-
h.update(Buffer.from(item.embedding.buffer, item.embedding.byteOffset, item.embedding.byteLength));
|
|
253
|
-
}
|
|
254
|
-
this.vectorCount += items.length;
|
|
255
|
-
const proof = this.buildProof('batch_insert', h.digest('hex'), att, inv);
|
|
256
|
-
this.recordProofTime(start);
|
|
257
|
-
return proof;
|
|
258
|
-
}
|
|
259
|
-
proveRemove(id, token) {
|
|
260
|
-
const start = this.hrtimeNs();
|
|
261
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
262
|
-
const tokenErr = this.validateToken(att);
|
|
263
|
-
if (tokenErr) {
|
|
264
|
-
this.denialsCount++;
|
|
265
|
-
return tokenErr;
|
|
266
|
-
}
|
|
267
|
-
const inv = [];
|
|
268
|
-
try {
|
|
269
|
-
validateVectorId(id);
|
|
270
|
-
}
|
|
271
|
-
catch (err) {
|
|
272
|
-
this.denialsCount++;
|
|
273
|
-
const ve = err;
|
|
274
|
-
return deny('remove', ve.message, ve.code ?? 'INVALID_ID', ve.field);
|
|
275
|
-
}
|
|
276
|
-
inv.push({ check: 'id_valid', passed: true });
|
|
277
|
-
if (this.vectorCount > 0)
|
|
278
|
-
this.vectorCount--;
|
|
279
|
-
const proof = this.buildProof('remove', hashBytes(id), att, inv);
|
|
280
|
-
this.recordProofTime(start);
|
|
281
|
-
return proof;
|
|
282
|
-
}
|
|
283
|
-
proveSave(path, token) {
|
|
284
|
-
const start = this.hrtimeNs();
|
|
285
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
286
|
-
const tokenErr = this.validateToken(att);
|
|
287
|
-
if (tokenErr) {
|
|
288
|
-
this.denialsCount++;
|
|
289
|
-
return tokenErr;
|
|
290
|
-
}
|
|
291
|
-
const inv = [];
|
|
292
|
-
const pathErr = this.validateSafePath(path, 'save');
|
|
293
|
-
if (pathErr !== null) {
|
|
294
|
-
this.denialsCount++;
|
|
295
|
-
return pathErr;
|
|
296
|
-
}
|
|
297
|
-
inv.push({ check: 'path_safe', passed: true });
|
|
298
|
-
const proof = this.buildProof('save', hashBytes(path), att, inv);
|
|
299
|
-
this.recordProofTime(start);
|
|
300
|
-
return proof;
|
|
301
|
-
}
|
|
302
|
-
proveLoad(path, token) {
|
|
303
|
-
const start = this.hrtimeNs();
|
|
304
|
-
const att = token ?? makeDefaultToken(this.config.defaultNamespace);
|
|
305
|
-
const tokenErr = this.validateToken(att);
|
|
306
|
-
if (tokenErr) {
|
|
307
|
-
this.denialsCount++;
|
|
308
|
-
return tokenErr;
|
|
309
|
-
}
|
|
310
|
-
const inv = [];
|
|
311
|
-
const pathErr = this.validateSafePath(path, 'load');
|
|
312
|
-
if (pathErr !== null) {
|
|
313
|
-
this.denialsCount++;
|
|
314
|
-
return pathErr;
|
|
315
|
-
}
|
|
316
|
-
inv.push({ check: 'path_safe', passed: true });
|
|
317
|
-
const proof = this.buildProof('load', hashBytes(path), att, inv);
|
|
318
|
-
this.recordProofTime(start);
|
|
319
|
-
return proof;
|
|
320
|
-
}
|
|
321
|
-
createToken(agentId, namespace, scope, ttlMs = DEFAULT_TOKEN_TTL_MS) {
|
|
322
|
-
const now = Date.now();
|
|
323
|
-
return { agentId, namespace, scope, issuedAt: now, expiresAt: now + ttlMs };
|
|
324
|
-
}
|
|
325
|
-
getStats() {
|
|
326
|
-
const avg = this.proofTimesNs.length > 0
|
|
327
|
-
? this.proofTimesNs.reduce((a, b) => a + b, 0) / this.proofTimesNs.length
|
|
328
|
-
: 0;
|
|
329
|
-
return { proofsIssued: this.proofsIssuedCount, denials: this.denialsCount, wasmAvailable: this.wasmAvailable, engineType: this.engineType, avgProofTimeNs: avg };
|
|
330
|
-
}
|
|
331
|
-
static isDenial(result) {
|
|
332
|
-
return !('valid' in result);
|
|
333
|
-
}
|
|
334
|
-
getVectorCount() { return this.vectorCount; }
|
|
335
|
-
setVectorCount(count) { this.vectorCount = count; }
|
|
336
|
-
buildProof(operation, structuralHash, attestation, invariantChecks, wasmProofId) {
|
|
337
|
-
this.proofsIssuedCount++;
|
|
338
|
-
return {
|
|
339
|
-
id: randomUUID(), operation, timestamp: Date.now(),
|
|
340
|
-
structuralHash, attestation, invariantChecks, wasmProofId, valid: true,
|
|
341
|
-
};
|
|
342
|
-
}
|
|
343
|
-
validateSafePath(filePath, operation) {
|
|
344
|
-
if (!filePath || typeof filePath !== 'string')
|
|
345
|
-
return deny(operation, 'Path must be a non-empty string', 'INVALID_PATH', 'path');
|
|
346
|
-
if (filePath.includes('\x00'))
|
|
347
|
-
return deny(operation, 'Path contains null bytes', 'NULL_BYTE_IN_PATH', 'path');
|
|
348
|
-
// Normalize to resolve sequences like a/../b, then reject traversal
|
|
349
|
-
const normalized = posixPath.normalize(filePath);
|
|
350
|
-
if (normalized.startsWith('..') || normalized.includes('/..'))
|
|
351
|
-
return deny(operation, 'Path traversal attempt detected', 'PATH_TRAVERSAL', 'path');
|
|
352
|
-
if (posixPath.isAbsolute(normalized) || /^[a-zA-Z]:[\\/]/.test(filePath))
|
|
353
|
-
return deny(operation, 'Absolute paths are not allowed', 'ABSOLUTE_PATH', 'path');
|
|
354
|
-
return null;
|
|
355
|
-
}
|
|
356
|
-
hrtimeNs() { return process.hrtime.bigint(); }
|
|
357
|
-
recordProofTime(start) {
|
|
358
|
-
const elapsed = Number(process.hrtime.bigint() - start);
|
|
359
|
-
this.proofTimesNs.push(elapsed);
|
|
360
|
-
if (this.proofTimesNs.length > PROOF_TIME_WINDOW_SIZE)
|
|
361
|
-
this.proofTimesNs.shift();
|
|
362
|
-
}
|
|
363
|
-
}
|
|
364
|
-
//# sourceMappingURL=MutationGuard.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"MutationGuard.js","sourceRoot":"","sources":["../../../src/security/MutationGuard.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAChD,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,qBAAqB,EACrB,eAAe,EACf,gBAAgB,GACjB,MAAM,iBAAiB,CAAC;AA2CzB,MAAM,oBAAoB,GAAG,OAAO,CAAC,CAAC,YAAY;AAClD,MAAM,sBAAsB,GAAG,GAAG,CAAC;AAEnC,SAAS,gBAAgB,CAAC,EAAU;IAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,GAAG,oBAAoB,EAAE,CAAC;AACpH,CAAC;AAED,SAAS,gBAAgB,CAAC,EAAU,EAAE,SAAuB;IAC3D,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;IACb,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,SAAS,CAAC,UAAU,EAAE,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;IACpF,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,SAAS,CAAC,GAAG,KAA0B;IAC9C,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC/B,KAAK,MAAM,CAAC,IAAI,KAAK;QAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IACnC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,IAAI,CAAC,SAAiB,EAAE,MAAc,EAAE,IAAY,EAAE,KAAc;IAC3E,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;AACnE,CAAC;AAED,MAAM,OAAO,aAAa;IACP,MAAM,CAAc;IAC7B,WAAW,GAAG,CAAC,CAAC;IAChB,OAAO,GAAQ,IAAI,CAAC;IACpB,aAAa,GAAG,KAAK,CAAC;IACtB,UAAU,GAA6C,IAAI,CAAC;IAC5D,eAAe,GAAG,CAAC,CAAC;IACpB,iBAAiB,GAAG,CAAC,CAAC;IACtB,YAAY,GAAG,CAAC,CAAC;IACjB,YAAY,GAAa,EAAE,CAAC;IAEpC,YAAY,MAAmB;QAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,UAAU;QACd,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB;YAAE,OAAO;QAE1C,wDAAwD;QACxD,IAAI,CAAC;YACH,MAAM,EAAE,uBAAuB,EAAE,GAAG,MAAM,MAAM,CAAC,wCAAwC,CAAC,CAAC;YAC3F,MAAM,GAAG,GAAG,IAAI,uBAAuB,EAAE,CAAC;YAC1C,MAAM,GAAG,CAAC,UAAU,EAAE,CAAC;YAEvB,IAAI,GAAG,CAAC,WAAW,EAAE,EAAE,CAAC;gBACtB,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC;gBACnB,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC1B,MAAM,KAAK,GAAG,GAAG,CAAC
,QAAQ,EAAE,CAAC;gBAC7B,IAAI,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;gBACpE,OAAO,CAAC,GAAG,CAAC,oCAAoC,IAAI,CAAC,UAAU,eAAe,CAAC,CAAC;gBAChF,OAAO;YACT,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,gEAAgE,EAAE,KAAK,CAAC,CAAC;QACxF,CAAC;QAED,kDAAkD;QAClD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,gCAA0C,CAAC,CAAC;YACrE,IAAI,GAAG,IAAI,OAAO,GAAG,CAAC,UAAU,KAAK,UAAU,EAAE,CAAC;gBAChD,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,CAAC,UAAU,EAAE,CAAC;gBACpC,IAAI,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC1B,IAAI,CAAC,UAAU,GAAG,aAAa,CAAC;gBAChC,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAC;gBACvE,OAAO;YACT,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,+BAA+B,CAAC,CAAC;QAE3C,qEAAqE;QACrE,IAAI,CAAC,UAAU,GAAG,IAAI,CAAC;QACvB,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,4EAA4E,CAAC,CAAC;IAC5F,CAAC;IAEO,aAAa,CAAC,KAAuB;QAC3C,IAAI,KAAK,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;YACjC,OAAO,IAAI,CAAC,kBAAkB,EAAE,8BAA8B,EAAE,eAAe,CAAC,CAAC;QACnF,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,WAAW,CACT,EAAU,EAAE,SAAuB,EACnC,QAA8B,EAAE,KAAwB;QAExD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAElC,IAAI,CAAC;YAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACzC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;YAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,YAAY,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC;YAAC,cAAc,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACrE,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;YAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,gBAAgB,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC;gBAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;YAAC,CAAC;YAAC
,OAAO,GAAG,EAAE,CAAC;gBAC/C,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;gBAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,kBAAkB,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;YAC7E,CAAC;QACH,CAAC;QAED,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,QAAQ,EAAE,yBAAyB,EAAE,mBAAmB,CAAC,CAAC;QACxE,CAAC;QAED,IAAI,WAA+B,CAAC;QACpC,IAAI,gBAAwC,CAAC;QAC7C,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACvC,IAAI,CAAC;gBACH,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ,IAAI,IAAI,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;oBAC/D,+CAA+C;oBAC/C,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;oBACtF,IAAI,QAAQ,IAAI,QAAQ,CAAC,QAAQ,KAAK,KAAK,EAAE,CAAC;wBAC5C,WAAW,GAAG,QAAQ,CAAC,QAAQ,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;wBAC1D,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,iBAAiB,EAAE,CAAC,WAAW,CAAC,IAAI,SAAS,CAAC;wBAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,IAAI,CAAC,UAAU,SAAS,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;oBACnF,CAAC;yBAAM,CAAC;wBACN,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,IAAI,CAAC,UAAU,SAAS,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;oBACpF,CAAC;gBACH,CAAC;qBAAM,IAAI,IAAI,CAAC,UAAU,KAAK,aAAa,EAAE,CAAC;oBAC7C,wCAAwC;oBACxC,IAAI,CAAC,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;oBAChE,WAAW,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;oBACrC,IAAI,CAAC,OAAO,CAAC,kBAAkB,CAAC,WAAW,CAAC,CAAC;oBAC7C,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;gBAC9D,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;QAED,IAAI,CAAC,WAAW,EAAE,CAAC;QACnB,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,gBAAgB,CAAC,EAAE,EAAE,SAAS,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;QAChG,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,WAAW,CACT,KAAmB,EAAE,CAAS,EAC
9B,OAAa,EAAE,KAAwB;QAEvC,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAElC,IAAI,CAAC;YAAC,cAAc,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACjE,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;YAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,gBAAgB,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QAC3E,CAAC;QACD,IAAI,CAAC;YAAC,qBAAqB,CAAC,EAAE,CAAC,EAAE,GAAG,OAAO,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YAC7D,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;YAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,wBAAwB,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QACnF,CAAC;QAED,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QACnD,MAAM,cAAc,GAAG,SAAS,CAC9B,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CACzE,CAAC;QACF,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QAClE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,gBAAgB,CACd,KAAqF,EACrF,KAAwB;QAExB,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAElC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,cAAc,EAAE,gBAAgB,EAAE,aAAa,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,GAAG,eAAe,CAAC,cAAc,EAAE,CAAC;YAClD,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,cAAc,EAAE,0CAA0C,EAAE,qBAAqB,C
AAC,CAAC;QACjG,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACtB,IAAI,CAAC;gBAAC,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAAC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBAC9C,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;gBAClC,OAAO,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,YAAY,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC;YACrG,CAAC;YACD,IAAI,CAAC;gBAAC,cAAc,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;YAAC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBAC1E,IAAI,CAAC,YAAY,EAAE,CAAC;gBACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;gBAClC,OAAO,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,gBAAgB,EAAE,SAAS,CAAC,aAAa,CAAC,CAAC;YAChH,CAAC;YACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBAClB,IAAI,CAAC;oBAAC,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAAC,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACpD,IAAI,CAAC,YAAY,EAAE,CAAC;oBACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;oBAClC,OAAO,IAAI,CAAC,cAAc,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,EAAE,CAAC,IAAI,IAAI,kBAAkB,EAAE,SAAS,CAAC,YAAY,CAAC,CAAC;gBACjH,CAAC;YACH,CAAC;QACH,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAEjD,MAAM,UAAU,GAAG,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,MAAM,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;QAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC;QACpD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,OAAO,IAAI,CAAC,cAAc,EAAE,mCAAmC,EAAE,mBAAmB,CAAC,CAAC;QACxF,CAAC;QAED,MAAM,CAAC,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;QAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAClB,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;QACrG,CAAC;QAED,IAAI,CAAC,WAAW,IAAI,KAAK,CAAC,MAAM,CAAC;QACjC,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC,MA
AM,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QACzE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,WAAW,CAAC,EAAU,EAAE,KAAwB;QAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAElC,IAAI,CAAC;YAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;QAAC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACzC,IAAI,CAAC,YAAY,EAAE,CAAC;YACpB,MAAM,EAAE,GAAG,GAAsB,CAAC;YAClC,OAAO,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,IAAI,YAAY,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;QACvE,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAE9C,IAAI,IAAI,CAAC,WAAW,GAAG,CAAC;YAAE,IAAI,CAAC,WAAW,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QACjE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS,CAAC,IAAY,EAAE,KAAwB;QAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,OAAO,CAAC;QAAC,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QACjE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,SAAS,CAAC,IAAY,EAAE,KAAwB;QAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,KAAK,IAAI,gBAAgB,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC;QACzC
,IAAI,QAAQ,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,QAAQ,CAAC;QAAC,CAAC;QACvD,MAAM,GAAG,GAAsB,EAAE,CAAC;QAClC,MAAM,OAAO,GAAG,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;QACpD,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YAAC,OAAO,OAAO,CAAC;QAAC,CAAC;QAC9D,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/C,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,CAAC,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;QACjE,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,WAAW,CACT,OAAe,EAAE,SAAiB,EAClC,KAAiC,EAAE,QAAgB,oBAAoB;QAEvE,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,GAAG,KAAK,EAAE,CAAC;IAC9E,CAAC;IAED,QAAQ;QACN,MAAM,GAAG,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC;YACtC,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM;YACzE,CAAC,CAAC,CAAC,CAAC;QACN,OAAO,EAAE,YAAY,EAAE,IAAI,CAAC,iBAAiB,EAAE,OAAO,EAAE,IAAI,CAAC,YAAY,EAAE,aAAa,EAAE,IAAI,CAAC,aAAa,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC;IACnK,CAAC;IAED,MAAM,CAAC,QAAQ,CAAC,MAAsC;QACpD,OAAO,CAAC,CAAC,OAAO,IAAI,MAAM,CAAC,CAAC;IAC9B,CAAC;IAED,cAAc,KAAa,OAAO,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;IAErD,cAAc,CAAC,KAAa,IAAU,IAAI,CAAC,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC;IAEzD,UAAU,CAChB,SAAqC,EAAE,cAAsB,EAC7D,WAA6B,EAAE,eAAkC,EAAE,WAAoB;QAEvF,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;YAClD,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE,WAAW,EAAE,KAAK,EAAE,IAAI;SACvE,CAAC;IACJ,CAAC;IAEO,gBAAgB,CAAC,QAAgB,EAAE,SAAiB;QAC1D,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,KAAK,QAAQ;YAC3C,OAAO,IAAI,CAAC,SAAS,EAAE,iCAAiC,EAAE,cAAc,EAAE,MAAM,CAAC,CAAC;QACpF,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC3B,OAAO,IAAI,CAAC,SAAS,EAAE,0BAA0B,EAAE,mBAAmB,EAAE,MAAM,CAAC,CAAC;QAClF,oEAAoE;QACpE,MAAM,UAAU,GAAG,SAAS,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;QACjD,IAAI,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,UAA
U,CAAC,QAAQ,CAAC,KAAK,CAAC;YAC3D,OAAO,IAAI,CAAC,SAAS,EAAE,iCAAiC,EAAE,gBAAgB,EAAE,MAAM,CAAC,CAAC;QACtF,IAAI,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC;YACtE,OAAO,IAAI,CAAC,SAAS,EAAE,gCAAgC,EAAE,eAAe,EAAE,MAAM,CAAC,CAAC;QACpF,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,QAAQ,KAAa,OAAO,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAEtD,eAAe,CAAC,KAAa;QACnC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,GAAG,KAAK,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChC,IAAI,IAAI,CAAC,YAAY,CAAC,MAAM,GAAG,sBAAsB;YAAE,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE,CAAC;IACnF,CAAC;CACF"}
|