agentlock-shared 0.1.0 → 0.3.0

package/dist/__tests__/policy-ssh-e2e.test.js

@@ -0,0 +1,89 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const schemas_js_1 = require("../schemas.js");
+const policy_js_1 = require("../policy.js");
+/**
+ * E2E policy evaluation using the exact JSON shape the Web UI produces and
+ * stores in `policies.rules`. This fixture mirrors what the `/api/policies`
+ * handlers receive and what the gateway reads back at request time.
+ */
+const uiPolicyJson = {
+    defaultMode: 'require_approval',
+    rules: [{ tool: 'ssh.run', decision: 'REQUIRE_APPROVAL' }],
+    ssh: {
+        allowedHosts: ['prod-db-01.internal', '*.homelab.internal'],
+        allowedUsers: ['deploy', 'readonly'],
+        commandRules: [
+            { pattern: '^systemctl status ', decision: 'ALLOW' },
+            { pattern: '^git (pull|status)', decision: 'ALLOW' },
+            {
+                pattern: '^(systemctl restart|docker restart)',
+                decision: 'REQUIRE_APPROVAL',
+            },
+            { pattern: '^(rm|dd|mkfs)\\b', decision: 'BLOCK' },
+        ],
+        defaultDecision: 'REQUIRE_APPROVAL',
+    },
+    allowHighRiskAutoApproval: { admin: true },
+};
+function sshRun(command, overrides = {}) {
+    return {
+        action_type: 'admin',
+        tool: 'ssh.run',
+        payload: {
+            credential_id: 'cred_x',
+            host: 'prod-db-01.internal',
+            user: 'deploy',
+            command,
+            ...overrides,
+        },
+    };
+}
+(0, vitest_1.describe)('SSH policy round-trip: UI JSON -> Zod -> evaluatePolicy', () => {
+    (0, vitest_1.it)('Zod schema accepts the full UI policy shape', () => {
+        const parsed = schemas_js_1.PolicyRulesSchema.parse(uiPolicyJson);
+        (0, vitest_1.expect)(parsed.ssh?.allowedHosts).toEqual([
+            'prod-db-01.internal',
+            '*.homelab.internal',
+        ]);
+        (0, vitest_1.expect)(parsed.ssh?.commandRules).toHaveLength(4);
+        (0, vitest_1.expect)(parsed.allowHighRiskAutoApproval?.admin).toBe(true);
+    });
+    const rules = {
+        ...policy_js_1.DEFAULT_POLICY_RULES,
+        ...uiPolicyJson,
+    };
+    (0, vitest_1.it)('ssh.run: allowed host + allowed user + matching ALLOW pattern -> ALLOW', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl status nginx'), rules).decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('ssh.run: wildcard host match -> REQUIRE_APPROVAL when no rule matches', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', {
+            host: 'web-01.homelab.internal',
+            user: 'readonly',
+        }), rules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('ssh.run: disallowed host -> BLOCK', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'attacker.com', user: 'deploy' }), rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('ssh.run: disallowed user -> BLOCK', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'prod-db-01.internal', user: 'root' }), rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('ssh.run: matches REQUIRE_APPROVAL pattern', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl restart nginx'), rules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('ssh.run: matches BLOCK pattern', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('rm -rf /var/log'), rules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('ssh.run: no pattern match -> defaultDecision (REQUIRE_APPROVAL)', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime'), rules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('ssh.run: ALLOW escalated to REQUIRE_APPROVAL when admin auto-approval disabled', () => {
+        const strict = {
+            ...rules,
+            allowHighRiskAutoApproval: { admin: false },
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl status nginx'), strict).decision).toBe('REQUIRE_APPROVAL');
+    });
+});
+//# sourceMappingURL=policy-ssh-e2e.test.js.map

package/dist/__tests__/policy-ssh-e2e.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-ssh-e2e.test.js","sourceRoot":"","sources":["../../src/__tests__/policy-ssh-e2e.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,8CAAkD;AAClD,4CAAoE;AAGpE;;;;GAIG;AACH,MAAM,YAAY,GAAG;IACnB,WAAW,EAAE,kBAAkB;IAC/B,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,QAAQ,EAAE,kBAAkB,EAAE,CAAC;IAC1D,GAAG,EAAE;QACH,YAAY,EAAE,CAAC,qBAAqB,EAAE,oBAAoB,CAAC;QAC3D,YAAY,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;QACpC,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;YACpD,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;YACpD;gBACE,OAAO,EAAE,qCAAqC;gBAC9C,QAAQ,EAAE,kBAAkB;aAC7B;YACD,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,EAAE;SACnD;QACD,eAAe,EAAE,kBAAkB;KACpC;IACD,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;CAC3C,CAAC;AAEF,SAAS,MAAM,CACb,OAAe,EACf,YAA8C,EAAE;IAEhD,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE;YACP,aAAa,EAAE,QAAQ;YACvB,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,QAAQ;YACd,OAAO;YACP,GAAG,SAAS;SACb;KACF,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAAC,yDAAyD,EAAE,GAAG,EAAE;IACvE,IAAA,WAAE,EAAC,6CAA6C,EAAE,GAAG,EAAE;QACrD,MAAM,MAAM,GAAG,8BAAiB,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;QACrD,IAAA,eAAM,EAAC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,OAAO,CAAC;YACvC,qBAAqB;YACrB,oBAAoB;SACrB,CAAC,CAAC;QACH,IAAA,eAAM,EAAC,MAAM,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,MAAM,CAAC,yBAAyB,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAgB;QACzB,GAAG,gCAAoB;QACvB,GAAG,YAAY;KACD,CAAC;IAEjB,IAAA,WAAE,EAAC,wEAAwE,EAAE,GAAG,EAAE;QAChF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC3E,OAAO,CACR,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE;YACf,IAAI,EAAE,yBAAyB;YAC/B,IAAI,EAAE,UAAU;SACjB,CAAC,EACF,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAC1D,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAC/D,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,yBAAyB,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC5E,kBAAkB,CACnB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC3D,kBAAkB,CACnB,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gFAAgF,EAAE,GAAG,EAAE;QACxF,MAAM,MAAM,GAAgB;YAC1B,GAAG,KAAK;YACR,yBAAyB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;SAC5C,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAC5E,kBAAkB,CACnB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/policy-ssh-sessions.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policy-ssh-sessions.test.d.ts.map

package/dist/__tests__/policy-ssh-sessions.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-ssh-sessions.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/policy-ssh-sessions.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/policy-ssh-sessions.test.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const policy_js_1 = require("../policy.js");
+const plans_js_1 = require("../plans.js");
+const rulesWithSsh = {
+    ...policy_js_1.DEFAULT_POLICY_RULES,
+    ssh: {
+        allowedHosts: ['prod-db-01.internal'],
+        allowedUsers: ['deploy'],
+        commandRules: [
+            { pattern: '^uptime$', decision: 'ALLOW' },
+            { pattern: '^(rm|dd)\\b', decision: 'BLOCK' },
+        ],
+        defaultDecision: 'REQUIRE_APPROVAL',
+    },
+    allowHighRiskAutoApproval: { admin: true },
+};
+function open(payload = {}) {
+    return {
+        action_type: 'admin',
+        tool: 'ssh.open',
+        payload: {
+            credential_id: 'cred_1',
+            host: 'prod-db-01.internal',
+            user: 'deploy',
+            ...payload,
+        },
+    };
+}
+function close(sessionId) {
+    return {
+        action_type: 'write',
+        tool: 'ssh.close',
+        payload: sessionId ? { session_id: sessionId } : {},
+    };
+}
+function sessionedRun(sessionId, command, overrides = {}) {
+    return {
+        action_type: 'admin',
+        tool: 'ssh.run',
+        payload: {
+            session_id: sessionId,
+            host: 'prod-db-01.internal',
+            user: 'deploy',
+            command,
+            ...overrides,
+        },
+    };
+}
+(0, vitest_1.describe)('SSH category floor — sessions', () => {
+    (0, vitest_1.it)('classifies ssh.open as admin (same risk as ssh.run)', () => {
+        (0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('ssh.open', {})).toBe('admin');
+    });
+    (0, vitest_1.it)('classifies ssh.close as write (owner-only cleanup)', () => {
+        (0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('ssh.close', {})).toBe('write');
+    });
+});
+(0, vitest_1.describe)('ssh.open policy evaluation', () => {
+    (0, vitest_1.it)('always REQUIRE_APPROVAL even with admin auto-approval enabled', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(open(), rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('BLOCKs when host is not in allowedHosts', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(open({ host: 'attacker.example.com' }), rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+        (0, vitest_1.expect)(result.reason).toMatch(/host not in allowedHosts/);
+    });
+    (0, vitest_1.it)('BLOCKs when user is not in allowedUsers', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(open({ user: 'root' }), rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+        (0, vitest_1.expect)(result.reason).toMatch(/user not in allowedUsers/);
+    });
+    (0, vitest_1.it)('BLOCKs when credential_id is missing', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(open({ credential_id: '' }), rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+        (0, vitest_1.expect)(result.reason).toMatch(/credential_id/);
+    });
+    (0, vitest_1.it)('BLOCKs when host is missing', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(open({ host: '' }), rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+    });
+});
+(0, vitest_1.describe)('ssh.close policy evaluation', () => {
+    (0, vitest_1.it)('ALLOWs when session_id is present (gateway validates ownership)', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(close('ss_abc'), policy_js_1.DEFAULT_POLICY_RULES);
+        (0, vitest_1.expect)(result.decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('BLOCKs when session_id is missing', () => {
+        const result = (0, policy_js_1.evaluatePolicy)(close(), policy_js_1.DEFAULT_POLICY_RULES);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+        (0, vitest_1.expect)(result.reason).toMatch(/session_id/);
+    });
+});
+(0, vitest_1.describe)('sessioned ssh.run policy evaluation', () => {
+    (0, vitest_1.it)('does not require credential_id when session_id is set', () => {
+        const action = sessionedRun('ss_abc', 'uptime');
+        delete action.payload.credential_id;
+        const result = (0, policy_js_1.evaluatePolicy)(action, rulesWithSsh);
+        // Hits the ALLOW commandRule
+        (0, vitest_1.expect)(result.decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('still applies commandRules to the command', () => {
+        const action = sessionedRun('ss_abc', 'rm -rf /');
+        const result = (0, policy_js_1.evaluatePolicy)(action, rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('still enforces allowedHosts even on sessioned run', () => {
+        const action = sessionedRun('ss_abc', 'uptime', { host: 'attacker.example.com' });
+        const result = (0, policy_js_1.evaluatePolicy)(action, rulesWithSsh);
+        (0, vitest_1.expect)(result.decision).toBe('BLOCK');
+    });
+});
+(0, vitest_1.describe)('buildActionPreview — SSH sessions', () => {
+    (0, vitest_1.it)('includes "in existing session" when session_id is set', () => {
+        const preview = (0, policy_js_1.buildActionPreview)(sessionedRun('ss_abc', 'uptime'));
+        (0, vitest_1.expect)(preview.summary).toContain('(in existing session)');
+    });
+    (0, vitest_1.it)('describes ssh.open with the target host', () => {
+        const preview = (0, policy_js_1.buildActionPreview)(open());
+        (0, vitest_1.expect)(preview.summary).toMatch(/Open persistent SSH session to deploy@prod-db-01.internal/);
+    });
+    (0, vitest_1.it)('describes ssh.close with truncated session id', () => {
+        const preview = (0, policy_js_1.buildActionPreview)(close('ss_abcdef0123456789'));
+        (0, vitest_1.expect)(preview.summary).toMatch(/Close SSH session ss_abcdef012/);
+    });
+});
+(0, vitest_1.describe)('Plan limits — sshSessions', () => {
+    (0, vitest_1.it)('free plan has 0 SSH sessions (one-shot only)', () => {
+        (0, vitest_1.expect)((0, plans_js_1.getPlanLimits)('free').sshSessions).toBe(0);
+    });
+    (0, vitest_1.it)('pro plan has 2 concurrent SSH sessions', () => {
+        (0, vitest_1.expect)((0, plans_js_1.getPlanLimits)('pro').sshSessions).toBe(2);
+    });
+    (0, vitest_1.it)('team plan has 5 concurrent SSH sessions', () => {
+        (0, vitest_1.expect)((0, plans_js_1.getPlanLimits)('team').sshSessions).toBe(5);
+    });
+});
+//# sourceMappingURL=policy-ssh-sessions.test.js.map

package/dist/__tests__/policy-ssh-sessions.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-ssh-sessions.test.js","sourceRoot":"","sources":["../../src/__tests__/policy-ssh-sessions.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAKsB;AACtB,0CAA4C;AAG5C,MAAM,YAAY,GAAgB;IAChC,GAAG,gCAAoB;IACvB,GAAG,EAAE;QACH,YAAY,EAAE,CAAC,qBAAqB,CAAC;QACrC,YAAY,EAAE,CAAC,QAAQ,CAAC;QACxB,YAAY,EAAE;YACZ,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE;YAC1C,EAAE,OAAO,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,EAAE;SAC9C;QACD,eAAe,EAAE,kBAAkB;KACpC;IACD,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;CAC3C,CAAC;AAEF,SAAS,IAAI,CAAC,UAA4C,EAAE;IAC1D,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE;YACP,aAAa,EAAE,QAAQ;YACvB,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,QAAQ;YACd,GAAG,OAAO;SACX;KACF,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,SAAkB;IAC/B,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,SAAS,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE;KACpD,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,OAAe,EAAE,YAA8C,EAAE;IACxG,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE;YACP,UAAU,EAAE,SAAS;YACrB,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,QAAQ;YACd,OAAO;YACP,GAAG,SAAS;SACb;KACF,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAAC,+BAA+B,EAAE,GAAG,EAAE;IAC7C,IAAA,WAAE,EAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,UAAU,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,4BAA4B,EAAE,GAAG,EAAE;IAC1C,IAAA,WAAE,EAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,IAAI,EAAE,EAAE,YAAY,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,IAAI,CAAC,EAAE,IAAI,EAAE,sBAAsB,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;QACpF,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;QACpE,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,IAAI,CAAC,EAAE,aAAa,EAAE,EAAE,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;QACzE,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,IAAI,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC;QAChE,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,IAAA,WAAE,EAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,KAAK,CAAC,QAAQ,CAAC,EAAE,gCAAoB,CAAC,CAAC;QACrE,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,KAAK,EAAE,EAAE,gCAAoB,CAAC,CAAC;QAC7D,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAChD,OAAQ,MAAM,CAAC,OAAmC,CAAC,aAAa,CAAC;QACjE,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACpD,6BAA6B;QAC7B,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QAClD,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAClF,MAAM,MAAM,GAAG,IAAA,0BAAc,EAAC,MAAM,EAAE,YAAY,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,MAAM,OAAO,GAAG,IAAA,8BAAkB,EAAC,YAAY,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;QACrE,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,SAAS,CAAC,uBAAuB,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,MAAM,OAAO,GAAG,IAAA,8BAAkB,EAAC,IAAI,EAAE,CAAC,CAAC;QAC3C,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,2DAA2D,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,OAAO,GAAG,IAAA,8BAAkB,EAAC,KAAK,CAAC,qBAAqB,CAAC,CAAC,CAAC;QACjE,IAAA,eAAM,EAAC,OAAO,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,gCAAgC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,IAAA,WAAE,EAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,IAAA,eAAM,EAAC,IAAA,wBAAa,EAAC,MAAM,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,IAAA,eAAM,EAAC,IAAA,wBAAa,EAAC,KAAK,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,IAAA,eAAM,EAAC,IAAA,wBAAa,EAAC,MAAM,CAAC,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/policy-ssh.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=policy-ssh.test.d.ts.map

package/dist/__tests__/policy-ssh.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-ssh.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/policy-ssh.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/policy-ssh.test.js

@@ -0,0 +1,180 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const policy_js_1 = require("../policy.js");
+function sshRun(command, overrides = {}) {
+    return {
+        action_type: 'admin',
+        tool: 'ssh.run',
+        payload: {
+            credential_id: 'cred_1',
+            host: 'prod-db-01.internal',
+            user: 'deploy',
+            command,
+            ...overrides,
+        },
+    };
+}
+(0, vitest_1.describe)('SSH category floor', () => {
+    (0, vitest_1.it)('classifies ssh.run as admin', () => {
+        (0, vitest_1.expect)((0, policy_js_1.getCategoryFloor)('ssh.run', {})).toBe('admin');
+    });
+});
+(0, vitest_1.describe)('SSH command rule evaluation', () => {
+    const rulesWithSsh = {
+        ...policy_js_1.DEFAULT_POLICY_RULES,
+        allowHighRiskAutoApproval: { admin: true },
+        ssh: {
+            allowedHosts: ['prod-db-01.internal'],
+            allowedUsers: ['deploy'],
+            commandRules: [
+                { pattern: '^systemctl status ', decision: 'ALLOW' },
+                { pattern: '^git (pull|status)', decision: 'ALLOW' },
+                {
+                    pattern: '^(systemctl restart|docker restart)',
+                    decision: 'REQUIRE_APPROVAL',
+                },
+                { pattern: '^(rm|dd|mkfs)\\b', decision: 'BLOCK' },
+            ],
+            defaultDecision: 'REQUIRE_APPROVAL',
+        },
+    };
+    (0, vitest_1.it)('ALLOWs commands matching an ALLOW pattern', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl status nginx'), rulesWithSsh).decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('REQUIRE_APPROVALs commands matching a REQUIRE_APPROVAL pattern', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl restart nginx'), rulesWithSsh).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('BLOCKs commands matching a BLOCK pattern', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('rm -rf /'), rulesWithSsh).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('falls back to defaultDecision when no pattern matches', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('some-unknown-command --flag'), rulesWithSsh).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('canonicalizes whitespace before matching', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('   systemctl   status    nginx  '), rulesWithSsh).decision).toBe('ALLOW');
+    });
+    (0, vitest_1.it)('is case-sensitive (user patterns are authoritative)', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('SYSTEMCTL status nginx'), rulesWithSsh).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('BLOCKs ssh.run without credential_id', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl status nginx', { credential_id: undefined }), rulesWithSsh).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('BLOCKs ssh.run without a command payload', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('', {}), rulesWithSsh).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('escalates ALLOW to REQUIRE_APPROVAL when admin auto-approval is disabled', () => {
+        const strictRules = {
+            ...rulesWithSsh,
+            allowHighRiskAutoApproval: { admin: false },
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('systemctl status nginx'), strictRules).decision).toBe('REQUIRE_APPROVAL');
+    });
+});
+(0, vitest_1.describe)('SSH host + user allowlist', () => {
+    const baseRules = {
+        ...policy_js_1.DEFAULT_POLICY_RULES,
+        ssh: {
+            allowedHosts: ['prod-db-01.internal', '*.homelab.internal'],
+            allowedUsers: ['deploy', 'readonly'],
+            commandRules: [],
+            defaultDecision: 'REQUIRE_APPROVAL',
+        },
+    };
+    (0, vitest_1.it)('REQUIRE_APPROVAL for allowed host+user', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'prod-db-01.internal', user: 'deploy' }), baseRules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('BLOCKs disallowed host', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'prod-db-02.internal', user: 'deploy' }), baseRules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('BLOCKs disallowed user', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'prod-db-01.internal', user: 'root' }), baseRules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('supports wildcard host patterns', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', {
+            host: 'web-01.homelab.internal',
+            user: 'readonly',
+        }), baseRules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('BLOCKs a host with userinfo smuggled past a wildcard', () => {
+        // `evil@web-01.homelab.internal` ends with `.homelab.internal`, so a naive
+        // endsWith() wildcard match would accept it. The host must be rejected.
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'evil@web-01.homelab.internal', user: 'readonly' }), baseRules).decision).toBe('BLOCK');
+    });
+    (0, vitest_1.it)('matches allowed host case-insensitively (DNS is case-insensitive)', () => {
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('uptime', { host: 'PROD-DB-01.INTERNAL', user: 'deploy' }), baseRules).decision).toBe('REQUIRE_APPROVAL');
+    });
+});
+(0, vitest_1.describe)('SSH command rule pattern syntax (glob + regex)', () => {
+    (0, vitest_1.it)('plain text matches only the exact command (anchored glob)', () => {
+        const re = (0, policy_js_1.compileSshPattern)('git pull');
+        (0, vitest_1.expect)(re.test('git pull')).toBe(true);
+        (0, vitest_1.expect)(re.test('git pull origin main')).toBe(false);
+        (0, vitest_1.expect)(re.test('foogit pull')).toBe(false);
+    });
+    (0, vitest_1.it)('glob * matches any run of chars, anchored', () => {
+        const re = (0, policy_js_1.compileSshPattern)('systemctl restart *');
+        (0, vitest_1.expect)(re.test('systemctl restart nginx')).toBe(true);
+        (0, vitest_1.expect)(re.test('systemctl restart')).toBe(false);
+        (0, vitest_1.expect)(re.test('sudo systemctl restart nginx')).toBe(false);
+    });
+    (0, vitest_1.it)('glob ? matches exactly one char', () => {
+        const re = (0, policy_js_1.compileSshPattern)('ls -?');
+        (0, vitest_1.expect)(re.test('ls -a')).toBe(true);
+        (0, vitest_1.expect)(re.test('ls -la')).toBe(false);
+    });
+    (0, vitest_1.it)('escapes dots so ./script.sh is literal', () => {
+        const re = (0, policy_js_1.compileSshPattern)('./script.sh');
+        (0, vitest_1.expect)(re.test('./script.sh')).toBe(true);
+        (0, vitest_1.expect)(re.test('Xscript.sh')).toBe(false);
+    });
+    (0, vitest_1.it)('/regex/ wrapper uses the pattern raw', () => {
+        const re = (0, policy_js_1.compileSshPattern)('/^(rm|dd|mkfs)\\b/');
+        (0, vitest_1.expect)(re.test('rm -rf /')).toBe(true);
+        (0, vitest_1.expect)(re.test('dd if=/dev/zero')).toBe(true);
+        (0, vitest_1.expect)(re.test('mkfs.ext4 /dev/sda')).toBe(true);
+        (0, vitest_1.expect)(re.test('rmdir empty')).toBe(false);
+    });
+    (0, vitest_1.it)('patterns starting with ^ are treated as regex (backward compat)', () => {
+        const re = (0, policy_js_1.compileSshPattern)('^git (pull|status)');
+        (0, vitest_1.expect)(re.test('git pull origin main')).toBe(true);
+        (0, vitest_1.expect)(re.test('git status')).toBe(true);
+        (0, vitest_1.expect)(re.test('git push')).toBe(false);
+    });
+    (0, vitest_1.it)('glob BLOCK rule catches rm variants end-to-end', () => {
+        const rules = {
+            ...policy_js_1.DEFAULT_POLICY_RULES,
+            allowHighRiskAutoApproval: { admin: true },
+            ssh: {
+                allowedHosts: ['any.host'],
+                allowedUsers: ['deploy'],
+                commandRules: [
+                    { pattern: 'rm *', decision: 'BLOCK' },
+                    { pattern: 'git *', decision: 'ALLOW' },
+                ],
+                defaultDecision: 'REQUIRE_APPROVAL',
+            },
+        };
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('rm -rf /', { host: 'any.host', user: 'deploy' }), rules).decision).toBe('BLOCK');
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('git pull origin', { host: 'any.host', user: 'deploy' }), rules).decision).toBe('ALLOW');
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('ls -la', { host: 'any.host', user: 'deploy' }), rules).decision).toBe('REQUIRE_APPROVAL');
+    });
+    (0, vitest_1.it)('escalates a chained command that abuses a plain-glob ALLOW (shell-meta gate)', () => {
+        const rules = {
+            ...policy_js_1.DEFAULT_POLICY_RULES,
+            allowHighRiskAutoApproval: { admin: true },
+            ssh: {
+                allowedHosts: ['any.host'],
+                allowedUsers: ['deploy'],
+                commandRules: [{ pattern: 'git *', decision: 'ALLOW' }],
+                defaultDecision: 'REQUIRE_APPROVAL',
+            },
+        };
+        // `git *` is a plain glob (not /regex/), so a compound command that abuses
+        // it must NOT auto-execute even with admin auto-approval — it is escalated.
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('git pull; rm -rf /', { host: 'any.host', user: 'deploy' }), rules).decision).toBe('REQUIRE_APPROVAL');
+        // A clean command matching the same glob still auto-allows.
+        (0, vitest_1.expect)((0, policy_js_1.evaluatePolicy)(sshRun('git pull origin', { host: 'any.host', user: 'deploy' }), rules).decision).toBe('ALLOW');
+    });
+});
+//# sourceMappingURL=policy-ssh.test.js.map

package/dist/__tests__/policy-ssh.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-ssh.test.js","sourceRoot":"","sources":["../../src/__tests__/policy-ssh.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,4CAKsB;AAGtB,SAAS,MAAM,CAAC,OAAe,EAAE,YAA8C,EAAE;IAC/E,OAAO;QACL,WAAW,EAAE,OAAO;QACpB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE;YACP,aAAa,EAAE,QAAQ;YACvB,IAAI,EAAE,qBAAqB;YAC3B,IAAI,EAAE,QAAQ;YACd,OAAO;YACP,GAAG,SAAS;SACb;KACF,CAAC;AACJ,CAAC;AAED,IAAA,iBAAQ,EAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,IAAA,WAAE,EAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,IAAA,eAAM,EAAC,IAAA,4BAAgB,EAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,MAAM,YAAY,GAAgB;QAChC,GAAG,gCAAoB;QACvB,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;QAC1C,GAAG,EAAE;YACH,YAAY,EAAE,CAAC,qBAAqB,CAAC;YACrC,YAAY,EAAE,CAAC,QAAQ,CAAC;YACxB,YAAY,EAAE;gBACZ,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD,EAAE,OAAO,EAAE,oBAAoB,EAAE,QAAQ,EAAE,OAAO,EAAE;gBACpD;oBACE,OAAO,EAAE,qCAAqC;oBAC9C,QAAQ,EAAE,kBAAkB;iBAC7B;gBACD,EAAE,OAAO,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,EAAE;aACnD;YACD,eAAe,EAAE,kBAAkB;SACpC;KACF,CAAC;IAEF,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gEAAgE,EAAE,GAAG,EAAE;QACxE,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,yBAAyB,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC5G,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,UAAU,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClF,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,6BAA6B,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CAC7E,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,kCAAkC,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CAClF,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qDAAqD,EAAE,GAAG,EAAE;QAC7D,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CACxE,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,wBAAwB,EAAE,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC,EAC9D,YAAY,CACb,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0CAA0C,EAAE,GAAG,EAAE;QAClD,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,CACtD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0EAA0E,EAAE,GAAG,EAAE;QAClF,MAAM,WAAW,GAAgB;YAC/B,GAAG,YAAY;YACf,yBAAyB,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE;SAC5C,CAAC;QACF,IAAA,eAAM,EAAC,IAAA,0BAAc,EAAC,MAAM,CAAC,wBAAwB,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CACjF,kBAAkB,CACnB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,2BAA2B,EAAE,GAAG,EAAE;IACzC,MAAM,SAAS,GAAgB;QAC7B,GAAG,gCAAoB;QACvB,GAAG,EAAE;YACH,YAAY,EAAE,CAAC,qBAAqB,EAAE,oBAAoB,CAAC;YAC3D,YAAY,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAC;YACpC,YAAY,EAAE,EAAE;YAChB,eAAe,EAAE,kBAAkB;SACpC;KACF,CAAC;IAEF,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EACjE,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EACjE,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAC/D,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE;YACf,IAAI,EAAE,yBAAyB;YAC/B,IAAI,EAAE,UAAU;SACjB,CAAC,EACF,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,2EAA2E;QAC3E,wEAAwE;QACxE,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,8BAA8B,EAAE,IAAI,EAAE,UAAU,EAAE,CAAC,EAC5E,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,mEAAmE,EAAE,GAAG,EAAE;QAC3E,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EACjE,SAAS,CACV,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,gDAAgD,EAAE,GAAG,EAAE;IAC9D,IAAA,WAAE,EAAC,2DAA2D,EAAE,GAAG,EAAE;QACnE,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,UAAU,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,qBAAqB,CAAC,CAAC;QACpD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,OAAO,CAAC,CAAC;QACtC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,wCAAwC,EAAE,GAAG,EAAE;QAChD,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,aAAa,CAAC,CAAC;QAC5C,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,oBAAoB,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iEAAiE,EAAE,GAAG,EAAE;QACzE,MAAM,EAAE,GAAG,IAAA,6BAAiB,EAAC,oBAAoB,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnD,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzC,IAAA,eAAM,EAAC,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,gDAAgD,EAAE,GAAG,EAAE;QACxD,MAAM,KAAK,GAAgB;YACzB,GAAG,gCAAoB;YACvB,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YAC1C,GAAG,EAAE;gBACH,YAAY,EAAE,CAAC,UAAU,CAAC;gBAC1B,YAAY,EAAE,CAAC,QAAQ,CAAC;gBACxB,YAAY,EAAE;oBACZ,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE;oBACtC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE;iBACxC;gBACD,eAAe,EAAE,kBAAkB;aACpC;SACF,CAAC;QAEF,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,UAAU,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EACxD,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChB,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAC/D,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAChB,IAAA,eAAM,EACJ,IAAA,0BAAc,EACZ,MAAM,CAAC,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EACtD,KAAK,CACN,CAAC,QAAQ,CACX,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC7B,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,8EAA8E,EAAE,GAAG,EAAE;QACtF,MAAM,KAAK,GAAgB;YACzB,GAAG,gCAAoB;YACvB,yBAAyB,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE;YAC1C,GAAG,EAAE;gBACH,YAAY,EAAE,CAAC,UAAU,CAAC;gBAC1B,YAAY,EAAE,CAAC,QAAQ,CAAC;gBACxB,YAAY,EAAE,CAAC,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC;gBACvD,eAAe,EAAE,kBAAkB;aACpC;SACF,CAAC;QACF,2EAA2E;QAC3E,4EAA4E;QAC5E,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,oBAAoB,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CACnG,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;QAC3B,4DAA4D;QAC5D,IAAA,eAAM,EACJ,IAAA,0BAAc,EAAC,MAAM,CAAC,iBAAiB,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAE,KAAK,CAAC,CAAC,QAAQ,CAChG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}